File: README-radius.md

Using Radius with ocserv
========================

For radius support the [radcli library](http://radcli.github.io/radcli/)
is required. The minimum requirement is version 1.2.0. Alternatively
the freeradius-client library can be used (1.1.7 is the minimum
requirement), but not all radius features may be available.

radcli reads its server configuration from a file, typically found at
/etc/radcli/radiusclient.conf. It is best to copy the installed default
to radiusclient-ocserv.conf and edit that copy, so that package upgrades
do not overwrite your changes.

The important options for ocserv usage are the following:
```
dictionary 	/etc/radcli/dictionary
servers         /etc/radcli/servers
```

The dictionary should contain at least the attributes shown below,
and the servers file should contain the radius server to use.
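A minimal radiusclient-ocserv.conf together with the matching servers file, as an added example (it is not the file shipped by radcli or ocserv); the NAS identifier, hostnames and shared secret are placeholders. The authserver and acctserver directives name the servers, and the servers file maps each server name to its shared secret, so that file must be readable only by the user ocserv runs as:

```conf
# /etc/radcli/radiusclient-ocserv.conf  (added example, values are placeholders)
nas-identifier  vpn-gw1
authserver      radius1.example.net:1812
acctserver      radius1.example.net:1813
servers         /etc/radcli/servers
dictionary      /etc/radcli/dictionary
radius_timeout  10
radius_retries  3

# /etc/radcli/servers  (one "server  shared-secret" per line; chmod 0600)
radius1.example.net   ReplaceWithARandomSharedSecret
```

The port suffix on authserver/acctserver is optional; without it radcli uses the standard ports. The shared secret is the only thing protecting RADIUS Access-Request traffic on the wire, so use a long random one per NAS rather than a shared default.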

---
**NOTE**

Since version 1.0.0 ocserv does not send the 'NAS-Port' attribute to the
server. In previous versions the NAS-Port value corresponded to the
worker process ID (PID), which changed on client reconnect (e.g., due to
roaming). That caused accounting problems, and as there is no notion of
ports in ocserv, the attribute is no longer sent.
This breaks the default configuration of freeradius servers, which
assumes that NAS-Port is sent. To make ocserv authentication and
accounting work with freeradius, configure the server not to use
NAS-Port for accounting by removing the NAS-Port attribute from the
acct_unique section.
---
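As an added example (not taken from ocserv or from the FreeRADIUS documentation), this is the shape of that change on a FreeRADIUS 3.x server, where the unique accounting key is built inside the `acct_unique` policy in `policy.d/accounting`; on 2.x the same attribute list is the `key` option of the `acct_unique` module. The exact default line may differ slightly between releases; the point is that every trailing `,%{NAS-Port}` term in that policy is dropped:

```text
# raddb/policy.d/accounting, inside the acct_unique policy
update request {
    # default key (NAS-Port included) -- comment out:
    #&Acct-Unique-Session-Id := "%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}"
    # key without NAS-Port, for ocserv >= 1.0.0:
    &Acct-Unique-Session-Id := "%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID}}"
}
```

After editing, restart the server and confirm with `radiusd -X` that an ocserv Accounting-Request without NAS-Port is accepted and gets an Acct-Unique-Session-Id.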

Ocserv configuration
====================

For authentication the following line should be enabled.
```
auth = "radius[config=/etc/radcli/radiusclient.conf,groupconfig=true]"
```

Check the ocserv manpage for the meaning of the various options
such as groupconfig.

To enable accounting, use
```
acct = "radius[config=/etc/radcli/radiusclient.conf]"
```

and set the following option to the interval (in seconds) at which
accounting information is reported.
```
stats-report-time = 360
```

That value will be overridden by Acct-Interim-Interval if sent
by the server.

Note that when the user disconnects explicitly, the accounting session is
reported as terminated as soon as possible. When the disconnection is due
to a timeout or other network reasons, the user's session, and with it the
accounting session, remains valid until the `cookie-timeout` value expires,
so choose `cookie-timeout` with that accounting lag in mind.


Dictionary
==========

Ocserv supports the following radius attributes.

```
#	Standard attributes
ATTRIBUTE	User-Name		1	string
ATTRIBUTE	Password		2	string
ATTRIBUTE	NAS-Port		5	integer
ATTRIBUTE	Framed-Protocol		7	integer
ATTRIBUTE	NAS-Identifier		32	string
ATTRIBUTE	Acct-Input-Octets	42	integer
ATTRIBUTE	Acct-Output-Octets	43	integer
ATTRIBUTE	Acct-Session-Id		44	string
ATTRIBUTE	Acct-Input-Gigawords	52	integer
ATTRIBUTE	Acct-Output-Gigawords	53	integer
ATTRIBUTE	Acct-Interim-Interval	85	integer
ATTRIBUTE	Connect-Info		77	string


###########################
#	IPv4 attributes   #
###########################

# sets local IPv4 address in link:
ATTRIBUTE	NAS-IP-Address		4	ipaddr
# sets remote IPv4 address in link:
ATTRIBUTE	Framed-IP-Address	8	ipaddr
ATTRIBUTE	Framed-IP-Netmask	9	ipaddr

# sets routes (quite a kludge as it requires to have
# a CIDR string)
ATTRIBUTE	Framed-Route		22	string

# There are two ways to set a group, either in the
# format "OU=group1;group2" or by a single group name
# in the attribute. It is possible to specify multiple
# groups in separate class attributes.
# Note that this works only when groupconfig is set to
# true, and if the groups sent by the server are made known
# to ocserv, via the select-group config variable.
ATTRIBUTE	Class			25	string

# sets DNS servers
VENDOR Microsoft 311

BEGIN-VENDOR Microsoft

ATTRIBUTE	MS-Primary-DNS-Server	28	ipaddr
ATTRIBUTE	MS-Secondary-DNS-Server	29	ipaddr

END-VENDOR Microsoft


############################
#	IPv6 attributes    #
############################

# sets local IPv6 address in link:
ATTRIBUTE	NAS-IPv6-Address	95	string

# sets remote IPv6 subnet in link:
ATTRIBUTE	Delegated-IPv6-Prefix	123	ipv6prefix

# sets remote IPv6 address in link:
ATTRIBUTE	Framed-IPv6-Address	168	ipv6addr

# sets DNS servers
ATTRIBUTE	DNS-Server-IPv6-Address	169	ipv6addr

# Sets IPv6 routes
ATTRIBUTE	Framed-IPv6-Prefix	97	ipv6prefix
ATTRIBUTE	Route-IPv6-Information	170	ipv6prefix


############################
#	Traffic shaping    #
############################

VENDOR Roaring-Penguin 10055

BEGIN-VENDOR Roaring-Penguin

# tx speed limit in kb/s
ATTRIBUTE	RP-Upstream-Speed-Limit		1	integer
# rx speed limit in kb/s
ATTRIBUTE	RP-Downstream-Speed-Limit	2	integer

END-VENDOR Roaring-Penguin

```
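The Class attribute comment above describes two value formats ("OU=group1;group2" or a bare group name, possibly across several Class attributes) and the rule that only groups known to ocserv via `select-group` are honoured. The following is an added example, written for this page and not ocserv's own code, that parses Class values that way and applies that filter; the sample Class values and the `select-group` list are constructed for illustration:

```c
/* Added example (not ocserv code): parse RADIUS Class values into group
 * names and keep only the groups ocserv knows from select-group. */
#include <stdio.h>
#include <string.h>

#define MAX_GROUPS 16
#define MAX_GROUP_NAME 64

struct group_list {
    char names[MAX_GROUPS][MAX_GROUP_NAME];
    int count;
};

/* Append one name; reject empty, over-long or too many groups. */
static int push_group(struct group_list *l, const char *s, size_t len)
{
    if (len == 0 || len >= MAX_GROUP_NAME || l->count >= MAX_GROUPS)
        return -1;
    memcpy(l->names[l->count], s, len);
    l->names[l->count][len] = '\0';
    l->count++;
    return 0;
}

/* Parse one Class attribute value. "OU=a;b" yields a and b; any other
 * value is taken verbatim as a single group name. Returns the number of
 * groups added, or -1 (with the list left unchanged) on a malformed value. */
int parse_class_attribute(const char *value, struct group_list *out)
{
    int start = out->count;
    const char *p = value;

    if (strncmp(p, "OU=", 3) == 0) {
        p += 3;
        for (;;) {
            const char *sep = strchr(p, ';');
            size_t len = sep ? (size_t)(sep - p) : strlen(p);
            if (push_group(out, p, len) < 0) {
                out->count = start;   /* roll back partial parse */
                return -1;
            }
            if (!sep)
                break;
            p = sep + 1;
        }
    } else if (push_group(out, p, strlen(p)) < 0) {
        return -1;
    }
    return out->count - start;
}

/* Mirror the select-group rule: a group the server sends but ocserv has not
 * been told about is ignored rather than applied. Returns the kept count. */
int filter_known_groups(const struct group_list *in, const char *const *known,
                        int nknown, struct group_list *out)
{
    out->count = 0;
    for (int i = 0; i < in->count; i++) {
        int ok = 0;
        for (int k = 0; k < nknown; k++)
            if (strcmp(in->names[i], known[k]) == 0) { ok = 1; break; }
        if (ok)
            push_group(out, in->names[i], strlen(in->names[i]));
        else
            fprintf(stderr, "ignoring unknown group from RADIUS: %s\n", in->names[i]);
    }
    return out->count;
}

int main(void)
{
    /* constructed sample: two Class attributes from one Access-Accept */
    const char *class_values[] = { "OU=admins;staff", "contractors" };
    /* assumed select-group entries from ocserv.conf */
    const char *const known[] = { "staff", "contractors" };
    struct group_list parsed = { .count = 0 }, kept = { .count = 0 };

    for (size_t i = 0; i < 2; i++)
        if (parse_class_attribute(class_values[i], &parsed) < 0)
            fprintf(stderr, "malformed Class attribute: %s\n", class_values[i]);

    filter_known_groups(&parsed, known, 2, &kept);
    for (int i = 0; i < kept.count; i++)
        printf("group: %s\n", kept.names[i]);
    return 0;
}
```

With the sample input, "admins" is parsed but dropped because it is not in the assumed `select-group` list, leaving "staff" and "contractors". A value such as "OU=a;;b" is rejected as a whole rather than silently producing an empty group name.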