ACUA Instructions.
Written By: Robert Davidson <acua@acua.ebbs.com.au>

Configuration

As of RADACUA v1.0, all configuration for RADACUA, including any templates used for automated E-Mails and the like, can be found in /etc/radacua.

Here is an ASCII table that shows the basic directory structure of /etc/radacua:


      /etc/radacua
        |----- acua.config        - Main RADACUA Configuration.
        |----- clean_proc.config  - User Process Control Configuration.
        |----- clean_tmp.config   - Configuration for /tmp Cleaner.
        |
        |----- nas                - Terminal Server Configuration.
        |----- notices            - Automated E-Mail Templates.
        `----- templates          - RADACUA Script Templates.

The first thing you need to do is modify /etc/radacua/acua.config to suit you and the system you run or are wanting to run. This file (acua.config) has enough information about configuration in there so it does not warrant any further documentation here.

You may skip over clean_proc.config and clean_tmp.config as you don't need to configure that stuff to get a RADACUA system running. Also the clean_proc and clean_tmp commands that come with RADACUA are potentially dangerous if not configured correctly.

Configuring Terminal Servers

As of version 1.0, RADACUA supports an unlimited number of Terminal Servers, and they can be either in the same room as the server or on the other side of the planet.

Take this hypothetical network for example:

           (VPN, Virtual Private Network)
      . . . . . . . . . . . . . . . . . . . .
      |                                      |
    [INTERNET] ----- [Router] -----.       [INTERNET] ----- [Router] -----.
                                   |                                      |
         .-------.-------.---------|            .-------.-----------------'
         |       |       |         |            |       |
        TS1     TS2     TS3        |           RTS1    RTS2
         .---------------.---------'
         |               |
        RADACUA         Mail
        Server          Server

    TS1 = PortMaster 3  (192.168.1.1)
    TS2 = PortMaster 3  (192.168.2.1)
    TS3 = PortMaster 3  (192.168.3.1)

    RTS1 = Linux Portslave Box.  (192.168.4.1, Remote Network)
    RTS2 = Linux Portslave Box.  (192.168.5.1, Remote Network)

Setting up this ISP would be pretty simple. You will find that in your /etc/radacua/nas/templates directory you will have a couple of scripts for handling different terminal servers.

To set up the above ISP, you would need to run the following commands:

    cd /etc/radacua/nas
    cp templates/portmaster3 192.168.1.1
    cp templates/portmaster3 192.168.2.1
    cp templates/portmaster3 192.168.3.1
    cp templates/portslave 192.168.4.1
    cp templates/portslave 192.168.5.1

You then need to modify each file in /etc/radacua/nas; there should now be 5 files there (named 192.168.*.1). At the top of each of these files you need to set the username and password that RADACUA should use to log into the Terminal Servers and issue commands to disconnect users. In most cases you will only need to change the LOGIN_PASS="password" line, as the LOGIN_NAME is probably already correct.

RADACUA uses the "radutmp" file that is written by Cistron RADIUS and FreeRADIUS servers. When RADACUA wants to hang up a user, it looks in the radutmp file for the IP Address of the Terminal Server that the user is currently connected to.

Once RADACUA has determined what Terminal Server the user is logged into (For example, say the user is logged into RTS2), it will then attempt to execute /etc/radacua/nas/192.168.5.1 on the local machine. This script is executed with some command-line options that are used to tell the Terminal Server which user to kick off.
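
The per-server scripts hold the Terminal Server login in plain text and are looked up by NAS IP address, so they are worth checking after the copy-and-edit steps above. The following is an added example, not part of RADACUA: it flags files that still carry the template LOGIN_PASS="password", files that group or other users can access, and files whose name is not an IPv4 address. It assumes the RADACUA daemons run as the owner of these files; the sample directory and its credentials are constructed.

```shell
#!/bin/sh
# Added example (not part of RADACUA): audit a /etc/radacua/nas-style directory.

# audit_nas_dir DIR: print "<file>: <finding>" for every problem found.
audit_nas_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue              # skip templates/ and other dirs
        name=${f##*/}
        # RADACUA executes the script named after the NAS IP taken from radutmp.
        echo "$name" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
            echo "$name: file name is not an IPv4 address"
        # The text above names LOGIN_PASS="password" as the line to change.
        grep -q '^[[:space:]]*LOGIN_PASS="password"' "$f" &&
            echo "$name: LOGIN_PASS is still the template default"
        # Characters 5-10 of the ls mode string are the group/other bits.
        [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
            echo "$name: accessible by group or other users"
    done
    return 0
}

# make_nas_sample: build a constructed nas/ directory and print its path.
make_nas_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/templates"
    printf 'LOGIN_NAME="constructed-user"\nLOGIN_PASS="password"\n' > "$d/192.168.1.1"
    printf 'LOGIN_NAME="constructed-user"\nLOGIN_PASS="constructed-secret"\n' > "$d/192.168.4.1"
    printf 'LOGIN_NAME="constructed-user"\nLOGIN_PASS="constructed-secret"\n' > "$d/rts2"
    chmod 755 "$d/192.168.1.1"               # unedited copy, world-readable
    chmod 700 "$d/192.168.4.1" "$d/rts2"     # owner-only
    echo "$d"
}

# Demo on the constructed directory.
sample=$(make_nas_sample)
audit_nas_dir "$sample"
rm -rf "$sample"
```

On a live system the call is audit_nas_dir /etc/radacua/nas; mode 700 keeps each script executable by its owner only.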

Supported Terminal Servers

Currently, only Livingston/Lucent PortMasters, Portslave boxes and Shiva LanRover Terminal Servers are supported.

If your terminal server isn't supported, it's usually very easy to make it supported. If you know how to write a bit of shell script you shouldn't have too much trouble. Otherwise it may be best to contact me, the programmer of RADACUA, via e-mail at acua@acua.ebbs.com.au for some help.

The supported Terminal Servers are the only ones I've had access to so far. The Shiva LanRover Terminal Server support has not been tested and may not work.

Data Accountancy

RADACUA is capable of doing data accountancy and it seems to work pretty well. There is another program that handles data accounting called acua_radacctd.

To enable data accountancy you need to run an accountancy daemon for each Terminal Server. Still working from the above ISP network as an example, we'll set up the data accountancy.

Add the following lines to the end of /etc/inittab:


    a1:23:respawn:/usr/sbin/acua_radacctd -d /var/log/radacct/ts1/detail
    a2:23:respawn:/usr/sbin/acua_radacctd -d /var/log/radacct/ts2/detail
    a3:23:respawn:/usr/sbin/acua_radacctd -d /var/log/radacct/ts3/detail
    a4:23:respawn:/usr/sbin/acua_radacctd -d /var/log/radacct/rts1/detail
    a5:23:respawn:/usr/sbin/acua_radacctd -d /var/log/radacct/rts2/detail

Take note of the -d /var/log/radacct/____/detail argument on each line. In the above example ts1, ts2, ts3, rts1, and rts2 are the short names of the terminal servers.

It has been my personal experience that you will need to create the following directories as the RADIUS server won't do it, and if the directories don't exist then the data accountancy will not work.


    mkdir /var/log/radacct/ts1
    mkdir /var/log/radacct/ts2
    mkdir /var/log/radacct/ts3
    mkdir /var/log/radacct/rts1
    mkdir /var/log/radacct/rts2

Now restart your RADIUS server, and check for some logs in the above directories. An entry will be added to the appropriate log when a user either logs into or out of one of the Terminal Servers. Once you have got this part working you can start up the accountancy daemons by running the following command as root at the shell prompt:


    init q

The acua_radupdated daemon

The acua_radupdated daemon is the most important one that there is. This is the daemon that kicks off users when their time limit has been reached, sends out warning e-mails, and keeps track of when accounts expire and need to be deleted. It does nightly maintenance (at about 3:00am) as well, and probably even more. This program is like the heart of RADACUA; without it running, RADACUA is fairly useless.

This daemon is also going to be started from /etc/inittab. The reason for this is that if the daemon has some problem and dies, the 'init' program will restart it again immediately.

Add the following line to your /etc/inittab. You only need to run one of these daemons, regardless of how many Terminal Servers you are running with RADACUA. Running more than one of these daemons will result in angry users, because they won't like getting 2 minutes deducted from their remaining time every 1 minute!


    ac:23:respawn:/usr/sbin/acua_radupdated -d

The -d option on acua_radupdated tells the program that it is not to put itself in the background, otherwise the 'init' program would keep on spawning new processes, until eventually your system will run out of memory and will become unusable (it will take a while, but it will happen!).

Now start up the acua_radupdated daemon by typing the following command as root at the shell prompt:


    init q
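
The inittab rules from the two sections above (one acua_radacctd entry per Terminal Server with an existing log directory, exactly one acua_radupdated entry, started with -d) can be checked before running init q. The following is an added example, not part of RADACUA; the optional second argument is a path prefix used here only so the check can run against a constructed sample tree.

```shell
#!/bin/sh
# Added example (not part of RADACUA): lint the RADACUA entries in an inittab.

# check_inittab FILE [ROOT]: print one finding per line; ROOT prefixes log paths.
check_inittab() {
    tab=$1; root=${2:-}
    active=$(grep -Ev '^[[:space:]]*(#|$)' "$tab" || true)
    # Entry ids must be unique within inittab.
    printf '%s\n' "$active" | cut -d: -f1 | sort | uniq -d |
        sed 's/$/: duplicate id/'
    # Every accounting daemon needs the directory of its detail file to exist.
    printf '%s\n' "$active" | grep 'acua_radacctd' |
    while IFS=: read -r id levels action cmd; do
        detail=$(printf '%s\n' "$cmd" | sed -n 's/.* -d  *\([^ ]*\).*/\1/p')
        [ -n "$detail" ] || { echo "$id: no -d detail file given"; continue; }
        [ -d "$root${detail%/*}" ] || echo "$id: missing directory ${detail%/*}"
    done
    # More than one acua_radupdated deducts user time more than once a minute.
    n=$(printf '%s\n' "$active" | grep -c 'acua_radupdated' || true)
    [ "$n" -le 1 ] || echo "acua_radupdated: $n entries, run exactly one"
    # Without -d the daemon backgrounds itself and init keeps respawning it.
    printf '%s\n' "$active" | grep 'acua_radupdated' | grep -Ev ' -d( |$)' |
        cut -d: -f1 | sed 's/$/: acua_radupdated started without -d/'
    return 0
}

# make_inittab_sample: constructed faulty inittab plus log tree; prints its root.
make_inittab_sample() {
    r=$(mktemp -d) || return 1
    mkdir -p "$r/var/log/radacct/ts1" "$r/var/log/radacct/ts2"
    cat > "$r/inittab" <<'EOF'
# constructed sample, not taken from a real system
a1:23:respawn:/usr/sbin/acua_radacctd -d /var/log/radacct/ts1/detail
a2:23:respawn:/usr/sbin/acua_radacctd -d /var/log/radacct/ts2/detail
a1:23:respawn:/usr/sbin/acua_radacctd -d /var/log/radacct/ts3/detail
ac:23:respawn:/usr/sbin/acua_radupdated -d
ad:23:respawn:/usr/sbin/acua_radupdated
EOF
    echo "$r"
}

# Demo on the constructed sample.
sample=$(make_inittab_sample)
check_inittab "$sample/inittab" "$sample"
rm -rf "$sample"
```

On a live system the call is check_inittab /etc/inittab with no second argument.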

RADIUS Server Configuration

RADACUA needs to be told when a user has logged into the system. RADACUA, however, does not need to know when a user logs out of the system as it will detect this automatically.

Below is an example /etc/raddb/users file, which we currently use with the Cistron RADIUS server:


    # Framed-IP-Address is set by acua_radlogin.
    DEFAULT Auth-Type = System,
            NAS-Port-Type = Async,
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Idle-Timeout = 0,
            Exec-Program-Wait = "/usr/sbin/acua_radlogin %u",
            Framed-IP-Netmask = 255.255.255.255,
            Fall-Through = No

The acua_radlogin program is called with the %u argument, which translates into the username of the user who is logging in. When acua_radlogin is run, it checks that the user has a valid subscription and enough time left for the day, and allows the user to connect if everything is fine. It also makes sure that the user can only have (by default) one login at a time, but this can be changed on a per-user basis using the acua modRec command.

Customising RADACUA Scripts

There are a few shell scripts that you must modify to suit your system. These scripts are as follows:


    /usr/sbin/acua_adduser      - Script to add users to RADACUA and the system.
    /usr/sbin/acua_deluser      - Script to delete users from RADACUA and the system.
    /usr/sbin/acua_unsubscribe  - Script to unsubscribe a user on the system.
    /usr/sbin/acua_nounsub      - This script is executed when a user account in
                                  RADACUA is going to be unsubscribed and the
                                  NOUNSUB flag has been set on the user's account.

                                  This feature allows for accounts that never
                                  expire, such as permanent business connections.

Troubleshooting

The accountancy or acua_radupdated daemons don't work

If you see something like the output below, then you either didn't install RADACUA properly, or you've made a typing mistake in /etc/inittab.

    INIT: cannot execute "/usr/sbin/acua_radacctd"
    INIT: Id "a1" respawning too fast: disabled for 5 minutes

Now have a read of this extra information. It's older than the information in this document but it is still valid and explains some more things in more detail.