Section: Yard Radius Manual (8)Updated: Aug 28, 2004Local indexUp
NAME
radwatch - A watchdog for RADIUS users
SYNOPSIS
radwatch [
-mhx ] [
-a acct_dir ] [
-d db_dir ]
DESCRIPTION
radwatch
reads its configuration file
/usr/conf/radwatch.conf
and uses the radlast and user-stats information to verify that users
listed in configuration file are not exceeding their time quota limit.
For each user logged into user-stats database radwatch will try to match a
restriction line from its configuration file and will compute the user's
online time for the time interval coresponding to the restriction. If the
online time is bigger than the restriction, the user name is printed to the
standard output AND it is added to the list of the 'stopped' users
contained in
/usr/conf/stopuser.
OPTIONS
-a acct_dir
Sets the accounting directory instead of the builtin default.
The default is choosen at configuration time and it is
generally
/usr/logs
-d db_dir
Sets the database directory instead of the builtin default one.
The default is choosen at configuration time and it is
generally
/usr/logs.
-h
Prints out usage of the command.
-m
Use monthly/yearly hierarchy structure for radlast logging files.
You should always use this argument with YARD RADIUS.
FILES
radiusd
requires a group of configuration files under
/usr/conf
in order to properly work.
Examples of those
working files are provided with sources and should be present
under the same directory, with extension
.example.
All files are well commented and it should be easy to customize them.
The work files are the following ones:
/usr/conf/users
This file contains the human readable information for users' accounting
and authorization. See
radius_attributes(5)
for details about its syntax.
/usr/conf/users.db
The same of the previous one as compiled in by
builddbm
in GDBM format. It needs to be compiled again every time you make
changes to the previous one and without restarting
radiusd .
/usr/conf/stopuser
This text file is created by
radwatch
to deny access to users,
when certain conditions are reached (as selected in the radwatch
configuration file). The authentication daemon
radiusd
consults
that file along with `denyuser' in order to grant access or not.
It has an entry per line, which should be a valid system or `users'
username.
/usr/conf/radwatch.conf
This is the configuration file for
radwatch.
It is a text files each line of which is of the form:
user_list:restriction:time_list
where `user_list' is a comma-separated list of usernames for which
this line apply. You can use @group syntax to denote the standard
UNIX user groups. The field `restriction' is the value in seconds of the
maximum permitted online time within the `time_list'. This one is the
third colon separated field
and is a list of days of the week and times during which this
restriction apply to this user. The valid days are 'Su', 'Mo', 'Tu', 'We', 'Th', 'Fr', and 'Sa'.
In addition, the value 'Al'
represents all 7 days, and 'Wk' represents the 5 weekdays.
Times are given as HHMM-HHMM. The ending time may be before
the starting time. Days are presumed to wrap at 0000.
A complete list of contributors is contained in CREDITS file.
You should get that file among other ones within your distribution
and possibly installed under
/usr/docs directory
COPYRIGHT
Copyright (C) 1997 Cristian Gafton. All rights reserved.
Copyright (C) 1999-2004 Francesco Paolo Lovergine. All rights reserved.
See the LICENSE file enclosed within this software for conditions of
use and distribution. This is a pure
ISO BSD Open Source License .
BUGS
The parser for the configuration file is quite fragile, please DO NOT use
spaces in the configuration lines. The maximum length of a configuration
line in /etc/raddb/radwatch.conf is set at 1024 byts, if you need more group
your users in UNIX groups and abuse @group syntax.
NOTES
In order to use this program you need also a script or a program to
stop user sessions on your access server(s). There is not a unique
product to do this. Sometimes you can use a SNMP oid to do this; often
the only way is opening a telnet admin session to issue a suitable
clear/reset line command.
It depends on the specific access server and it is not easy
to support this kind of feature. You are definitively on your own
with this.