| 1 |
#!/bin/sh
|
1 |
#!/bin/sh
|
| 2 |
#
|
2 |
#
|
| 3 |
# $Id: alcasar-macup.sh 2262 2017-05-29 20:19:03Z tom.houdayer $
|
3 |
# $Id: alcasar-macup.sh 2274 2017-06-06 06:12:50Z richard $
|
| 4 |
#
|
4 |
#
|
| 5 |
# Le script 'macup' est appelé par coovachilli lorsqu'il attribut une @IP à une @MAC.
|
5 |
# Le script 'macup' est appelé par coovachilli lorsqu'il attribut une @IP à une @MAC.
|
| 6 |
# Depuis la version 3.1 de ALCASAR, le système d'interception a changé. On doit traiter les authorisations par adresse MAC en amont
|
- |
|
| 7 |
# Pour une adresse mac authorisée, nous stockons sont @IP dans l'ipset 'not_filtered'
|
6 |
# Il permet d'affecter le bon ipset aux @MAC authorisées
|
| 8 |
|
7 |
|
| 9 |
if [ -z $CALLING_STATION_ID ]; then
|
8 |
if [ -z $CALLING_STATION_ID ]; then
|
| 10 |
exit 1
|
9 |
exit 1
|
| 11 |
fi
|
10 |
fi
|
| 12 |
|
11 |
|
| 13 |
chilli_current_mac=$(chilli_query list | grep $CALLING_STATION_ID)
|
12 |
chilli_current_mac=$(chilli_query list | grep $CALLING_STATION_ID)
|
| 14 |
is_connected=$(echo $chilli_current_mac | cut -d' ' -f5)
|
13 |
is_connected=$(echo $chilli_current_mac | cut -d' ' -f5)
|
| 15 |
current_mac=$(echo $chilli_current_mac | cut -d' ' -f1)
|
14 |
current_mac=$(echo $chilli_current_mac | cut -d' ' -f1)
|
| 16 |
current_name=$(echo $chilli_current_mac | cut -d' ' -f6)
|
15 |
current_name=$(echo $chilli_current_mac | cut -d' ' -f6)
|
| 17 |
current_ip=$(echo $chilli_current_mac | cut -d' ' -f2)
|
16 |
current_ip=$(echo $chilli_current_mac | cut -d' ' -f2)
|
| 18 |
|
17 |
|
| 19 |
|
18 |
|
| 20 |
if [ $is_connected == "1" ] && [ $current_mac == $current_name ]; then
|
19 |
if [ $is_connected == "1" ] && [ $current_mac == $current_name ]; then # only for authenticated MAC
|
| 21 |
#Lecture du filter-id dans la DB radius afin de placer l'équipement réseau dans le bon ipset
|
20 |
#Lecture du filter-id dans la DB radius afin de placer l'équipement réseau dans le bon ipset
|
| 22 |
#Un équipement autorisé "à chaud" sera placé dans l'ipset 'not_filtered' + pas de filtrage de protocole (proto_0)
|
21 |
#Un équipement autorisé "à chaud" sera placé dans l'ipset 'not_filtered' + pas de filtrage de protocole (proto_0)
|
| 23 |
PASSWD_FILE="/root/ALCASAR-passwords.txt"
|
22 |
PASSWD_FILE="/root/ALCASAR-passwords.txt"
|
| 24 |
QUERY="SELECT value FROM radreply WHERE attribute='Filter-Id' AND username='$current_mac';"
|
23 |
QUERY="SELECT value FROM radreply WHERE attribute='Filter-Id' AND username='$current_mac';"
|
| 25 |
FILTER_ID=$(mysql -D radius -u root -p$(cat $PASSWD_FILE | grep "root /" | rev | cut -d' ' -f1 | rev) -e "$QUERY" -Ns)
|
24 |
FILTER_ID=$(mysql -D radius -u root -p$(cat $PASSWD_FILE | grep "root /" | rev | cut -d' ' -f1 | rev) -e "$QUERY" -Ns)
|
| 26 |
|
25 |
|
| 27 |
# FilterID Byte N°0 to 7
|
26 |
# FilterID Byte N°0 to 7
|
| 28 |
# 0: profile_1 (WEB)
|
27 |
# 0: profile_1 (WEB)
|
| 29 |
# 1: profile_2 (WEB + Mail + Remote access)
|
28 |
# 1: profile_2 (WEB + Mail + Remote access)
|
| 30 |
# 2: profile_3 (Custom)
|
29 |
# 2: profile_3 (Custom)
|
| 31 |
# 3: warn_user (if imputability report has been generated)
|
30 |
# 3: warn_user (if imputability report has been generated)
|
| 32 |
# 5: WL
|
31 |
# 5: WL
|
| 33 |
# 6: BL
|
32 |
# 6: BL
|
| 34 |
# 7: HAVP
|
33 |
# 7: HAVP
|
| 35 |
|
34 |
|
| 36 |
if [ ${FILTER_ID:5:1} == '1' ]; then # HAVP_WL
|
35 |
if [ ${FILTER_ID:5:1} == '1' ]; then # HAVP_WL
|
| 37 |
set_filter="havp_wl"
|
36 |
set_filter="havp_wl"
|
| 38 |
elif [ ${FILTER_ID:6:1} == '1' ]; then # HAVP_BL
|
37 |
elif [ ${FILTER_ID:6:1} == '1' ]; then # HAVP_BL
|
| 39 |
set_filter="havp_bl"
|
38 |
set_filter="havp_bl"
|
| 40 |
elif [ ${FILTER_ID:7:1} == '1' ]; then # HAVP
|
39 |
elif [ ${FILTER_ID:7:1} == '1' ]; then # HAVP
|
| 41 |
set_filter="havp"
|
40 |
set_filter="havp"
|
| 42 |
else # NOT_FILTERED
|
41 |
else # NOT_FILTERED
|
| 43 |
set_filter="not_filtered"
|
42 |
set_filter="not_filtered"
|
| 44 |
fi
|
43 |
fi
|
| 45 |
|
44 |
|
| 46 |
if [ ${FILTER_ID:2:1} == '1' ]; then # PROFILE 3 (Custom)
|
45 |
if [ ${FILTER_ID:2:1} == '1' ]; then # PROFILE 3 (Custom)
|
| 47 |
set_proto="proto_3";
|
46 |
set_proto="proto_3";
|
| 48 |
elif [ ${FILTER_ID:1:1} == '1' ]; then # PROFILE 2 (WEB + Mail + Remote access)
|
47 |
elif [ ${FILTER_ID:1:1} == '1' ]; then # PROFILE 2 (WEB + Mail + Remote access)
|
| 49 |
set_proto="proto_2";
|
48 |
set_proto="proto_2";
|
| 50 |
elif [ ${FILTER_ID:0:1} == '1' ]; then # PROFILE 1 (WEB)
|
49 |
elif [ ${FILTER_ID:0:1} == '1' ]; then # PROFILE 1 (WEB)
|
| 51 |
set_proto="proto_1";
|
50 |
set_proto="proto_1";
|
| 52 |
else # PROFILE 0 (Not filtered)
|
51 |
else # PROFILE 0 (Not filtered)
|
| 53 |
set_proto="proto_0";
|
52 |
set_proto="proto_0";
|
| 54 |
fi
|
53 |
fi
|
| 55 |
|
54 |
|
| 56 |
ipset add $set_filter $current_ip
|
55 |
ipset add $set_filter $current_ip
|
| 57 |
ipset add $set_proto $current_ip
|
56 |
ipset add $set_proto $current_ip
|
| 58 |
fi
|
57 |
fi
|
| 59 |
|
58 |
|