man radwatch (Administration système) - A watchdog for RADIUS users

NAME

radwatch - A watchdog for RADIUS users

SYNOPSIS

radwatch [ -mhx ] [ -a acct_dir ] [ -d db_dir ]

DESCRIPTION

radwatch reads its configuration file /usr/conf/radwatch.conf and uses the radlast and user-stats information to verify that users listed in configuration file are not exceeding their time quota limit.

For each user logged into user-stats database radwatch will try to match a restriction line from its configuration file and will compute the user's online time for the time interval coresponding to the restriction. If the online time is bigger than the restriction, the user name is printed to the standard output AND it is added to the list of the 'stopped' users contained in /usr/conf/stopuser.

OPTIONS

-a acct_dir
Sets the accounting directory instead of the builtin default. The default is choosen at configuration time and it is generally /usr/logs
-d db_dir
Sets the database directory instead of the builtin default one. The default is choosen at configuration time and it is generally /usr/logs.
-h
Prints out usage of the command.
-m
Use monthly/yearly hierarchy structure for radlast logging files. You should always use this argument with YARD RADIUS.

FILES

radiusd requires a group of configuration files under /usr/conf in order to properly work. Examples of those working files are provided with sources and should be present under the same directory, with extension .example. All files are well commented and it should be easy to customize them. The work files are the following ones:

/usr/conf/users
This file contains the human readable information for users' accounting and authorization. See radius_attributes(5) for details about its syntax.
/usr/conf/users.db
The same of the previous one as compiled in by builddbm in GDBM format. It needs to be compiled again every time you make changes to the previous one and without restarting radiusd .
/usr/conf/stopuser
This text file is created by radwatch to deny access to users, when certain conditions are reached (as selected in the radwatch configuration file). The authentication daemon radiusd consults that file along with `denyuser' in order to grant access or not. It has an entry per line, which should be a valid system or `users' username.
/usr/conf/radwatch.conf
This is the configuration file for radwatch. It is a text files each line of which is of the form: user_list:restriction:time_list where `user_list' is a comma-separated list of usernames for which this line apply. You can use @group syntax to denote the standard UNIX user groups. The field `restriction' is the value in seconds of the maximum permitted online time within the `time_list'. This one is the third colon separated field and is a list of days of the week and times during which this restriction apply to this user. The valid days are 'Su', 'Mo', 'Tu', 'We', 'Th', 'Fr', and 'Sa'. In addition, the value 'Al' represents all 7 days, and 'Wk' represents the 5 weekdays. Times are given as HHMM-HHMM. The ending time may be before the starting time. Days are presumed to wrap at 0000.

SEE ALSO

AUTHORS

Cristian Gafton <gafton@sorosis.ro>.

Francesco Paolo Lovergine <francesco@yardradius.org>.

A complete list of contributors is contained in CREDITS file. You should get that file among other ones within your distribution and possibly installed under /usr/docs directory

COPYRIGHT

Copyright (C) 1997 Cristian Gafton. All rights reserved. Copyright (C) 1999-2001 Francesco Paolo Lovergine. All rights reserved.

See the LICENSE file enclosed within this software for conditions of use and distribution. This is a pure ISO BSD Open Source License .

BUGS

The parser for the configuration file is quite fragile, please DO NOT use spaces in the configuration lines. The maximum length of a configuration line in /etc/raddb/radwatch.conf is set at 1024 byts, if you need more group your users in UNIX groups and abuse @group syntax.

NOTES

In order to use this program you need also a script or a program to stop user sessions on your access server(s). There is not a unique product to do this. Sometimes you can use a SNMP oid to do this; often the only way is opening a telnet admin session to issue a suitable clear/reset line command. It depends on the specific access server and it is not easy to support this kind of feature. You are definitively on your own with this.