2,59 → 2,57 |
# |
# $Id$ |
# |
# alcasar-macup.sh |
# |
# This script is distributed under the Gnu General Public License (GPL) |
# Le script 'macup' est appelé par coovachilli lorsqu'il attribut une @IP à une @MAC. |
# Depuis la version 3.1 de ALCASAR, le système d'interception a changé. On doit traiter les authorisations par adresse MAC en amont |
# Pour une adresse mac authorisée, nous stockons sont @IP dans l'ipset 'not_filtered' |
|
PASSWD_FILE="/root/ALCASAR-passwords.txt" |
|
if [ -z "$CALLING_STATION_ID" ]; then |
if [ -z $CALLING_STATION_ID ]; then |
exit 1 |
fi |
|
dbRootPass=$(grep ^db_root= $PASSWD_FILE | cut -d'=' -f2-) |
chilli_current_mac=$(chilli_query list | grep $CALLING_STATION_ID) |
is_connected=$(echo $chilli_current_mac | cut -d' ' -f5) |
current_mac=$(echo $chilli_current_mac | cut -d' ' -f1) |
current_name=$(echo $chilli_current_mac | cut -d' ' -f6) |
current_ip=$(echo $chilli_current_mac | cut -d' ' -f2) |
|
chilli_query_res=$(chilli_query list mac $CALLING_STATION_ID) |
[ -z "$chilli_query_res" ] && exit |
|
is_connected=$(echo "$chilli_query_res" | awk '{ print $5 }') |
current_mac=$CALLING_STATION_ID |
if [ $is_connected == "1" ] && [ $current_mac == $current_name ]; then |
#Lecture du filter-id dans la DB radius afin de placer l'équipement réseau dans le bon ipset |
#Un équipement autorisé "à chaud" sera placé dans l'ipset 'not_filtered' + pas de filtrage de protocole (proto_0) |
PASSWD_FILE="/root/ALCASAR-passwords.txt" |
QUERY="SELECT value FROM radreply WHERE attribute='Filter-Id' AND username='$current_mac';" |
FILTER_ID=$(mysql -D radius -u root -p$(cat $PASSWD_FILE | grep "root /" | rev | cut -d' ' -f1 | rev) -e "$QUERY" -Ns) |
|
if [ $is_connected == '0' ]; then |
db_query="SELECT username, IFNULL((UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(acctstoptime)), 0) AS timeout, acctterminatecause FROM radacct WHERE callingstationid='$current_mac' ORDER BY acctstarttime DESC LIMIT 1;" |
db_res=$(mysql -u root -p"$dbRootPass" -D radius -e "$db_query" -Bs) |
# FilterID Byte N°0 to 7 |
# 0: profile_1 (WEB) |
# 1: profile_2 (WEB + Mail + Remote access) |
# 2: profile_3 (Custom) |
# 3: warn_user (if imputability report has been generated) |
# 5: WL |
# 6: BL |
# 7: HAVP |
|
if [ -n "$db_res" ]; then |
username=$(echo "$db_res" | cut -f1) |
timeout=$(echo "$db_res" | cut -f2) |
acctterminatecause=$(echo "$db_res" | cut -f3) |
if [ ${FILTER_ID:5:1} == '1' ]; then # HAVP_WL |
set_filter="havp_wl" |
elif [ ${FILTER_ID:6:1} == '1' ]; then # HAVP_BL |
set_filter="havp_bl" |
elif [ ${FILTER_ID:7:1} == '1' ]; then # HAVP |
set_filter="havp" |
else # NOT_FILTERED |
set_filter="not_filtered" |
fi |
|
if [ "$acctterminatecause" != "User-Request" ]; then |
db_query_additionalGroups='' |
[ -n "$FILTER_ID" ] && db_query_additionalGroups="( SELECT attribute, value FROM radgroupreply WHERE groupname = '$FILTER_ID' AND (attribute='Alcasar-Reconnect-Timeout') ) UNION " |
db_query="SELECT attribute, value FROM ( \ |
( SELECT attribute, value FROM radreply WHERE username = '$USER_NAME' AND (attribute='Alcasar-Reconnect-Timeout') ) UNION \ |
( SELECT attribute, value FROM radgroupreply gr LEFT JOIN radusergroup ug ON gr.groupname = ug.groupname WHERE username = '$USER_NAME' AND (attribute='Alcasar-Reconnect-Timeout') ORDER BY ug.priority ) UNION \ |
$db_query_additionalGroups \ |
( SELECT attribute, value FROM radgroupreply WHERE groupname = 'default' AND (attribute='Alcasar-Reconnect-Timeout') ) \ |
) attrs GROUP BY attribute;" |
db_res=$(mysql -u root -p"$dbRootPass" -D radius -e "$db_query" -Bs) |
if [ ${FILTER_ID:2:1} == '1' ]; then # PROFILE 3 (Custom) |
set_proto="proto_3"; |
elif [ ${FILTER_ID:1:1} == '1' ]; then # PROFILE 2 (WEB + Mail + Remote access) |
set_proto="proto_2"; |
elif [ ${FILTER_ID:0:1} == '1' ]; then # PROFILE 1 (WEB) |
set_proto="proto_1"; |
else # PROFILE 0 (Not filtered) |
set_proto="proto_0"; |
fi |
|
reconnectTimeout=$(echo "$db_res" | awk '$1 == "Alcasar-Reconnect-Timeout" { print $2 }') |
|
if [ -n "$reconnectTimeout" ] && [ $timeout -le $reconnectTimeout ]; then |
for i in {1..10}; do |
sleep 1 |
chilli_query authorize mac $current_mac username "$username" |
chilli_query_res=$(chilli_query list mac $current_mac) |
isPassing=$(echo "$chilli_query_res" | awk '{ print $3 }') |
is_connected=$(echo "$chilli_query_res" | awk '{ print $5 }') |
if [ "$is_connected" == '1' ] && [ "$isPassing" == 'pass' ]; then |
logger -t alcasar-macup "The MAC address \"$current_mac\" is reconnected with user \"$username\"." |
break |
fi |
done |
fi |
fi |
fi |
ipset add $set_filter $current_ip |
ipset add $set_proto $current_ip |
fi |
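Review bot: The `radacct` query assigned to `db_query` in the `is_connected == '0'` branch and the Alcasar-Reconnect-Timeout UNION query splice `$current_mac` and `$USER_NAME` straight into SQL, while the only check on `CALLING_STATION_ID` is the emptiness test near the top, so a value carrying a quote would break or alter the statement; add a shape check before the first `mysql` call, e.g. `[[ "$current_mac" =~ ^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$ ]] || exit 1` (adjust the separator to the format chilli actually passes) and reject a `$USER_NAME` that is empty or contains a single quote the same way. Both `mysql` invocations pass the root password as `-p"$dbRootPass"`, which is visible in the process list for the duration of the query; exporting it as `MYSQL_PWD` or using `--defaults-extra-file` avoids that. The precedence the UNION seems to intend (user reply, then group reply, then Filter-Id group, then `default`) is not guaranteed by `GROUP BY attribute` over the non-aggregated `value` column, and the `ORDER BY ug.priority` inside a UNION member is ignored by MySQL/MariaDB unless paired with LIMIT, so if the first match is meant to win the derived table should be ordered and read with `LIMIT 1` instead. Which of the `set_filter`/`set_proto` selection, the `current_ip` assignment and the trailing `ipset add` lines survive on the new side is not recoverable from this rendering; if the `ipset add` lines do, note that `set_proto` and `set_filter` are unset on every path that leaves the `acctterminatecause` check early, producing an `ipset add` with a missing set name.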