RADWATCH(8) Yard Radius Manual RADWATCH(8)
NAME
radwatch - A watchdog for RADIUS users
SYNOPSIS
radwatch [ -mhx ] [ -a acct_dir ] [ -d db_dir ]
DESCRIPTION
radwatch reads its configuration file /usr/conf/radwatch.conf and uses the radlast and user-stats information to verify that users listed
in configuration file are not exceeding their time quota limit.
For each user logged into user-stats database radwatch will try to match a restriction line from its configuration file and will compute
the user's online time for the time interval coresponding to the restriction. If the online time is bigger than the restriction, the user
name is printed to the standard output AND it is added to the list of the 'stopped' users contained in /usr/conf/stopuser.
OPTIONS
-a acct_dir
Sets the accounting directory instead of the builtin default. The default is choosen at configuration time and it is generally
/usr/logs
-d db_dir
Sets the database directory instead of the builtin default one. The default is choosen at configuration time and it is generally
/usr/logs.
-h Prints out usage of the command.
-m Use monthly/yearly hierarchy structure for radlast logging files. You should always use this argument with YARD RADIUS.
FILES
radiusd requires a group of configuration files under /usr/conf in order to properly work. Examples of those working files are provided
with sources and should be present under the same directory, with extension .example. All files are well commented and it should be easy
to customize them. The work files are the following ones:
/usr/conf/users
This file contains the human readable information for users' accounting and authorization. See radius_attributes(5) for details
about its syntax.
/usr/conf/users.db
The same of the previous one as compiled in by builddbm in GDBM format. It needs to be compiled again every time you make changes to
the previous one and without restarting radiusd .
/usr/conf/stopuser
This text file is created by radwatch to deny access to users, when certain conditions are reached (as selected in the radwatch con-
figuration file). The authentication daemon radiusd consults that file along with `denyuser' in order to grant access or not. It
has an entry per line, which should be a valid system or `users' username.
/usr/conf/radwatch.conf
This is the configuration file for radwatch. It is a text files each line of which is of the form: user_list:restriction:time_list
where `user_list' is a comma-separated list of usernames for which this line apply. You can use @group syntax to denote the standard
UNIX user groups. The field `restriction' is the value in seconds of the maximum permitted online time within the `time_list'. This
one is the third colon separated field and is a list of days of the week and times during which this restriction apply to this user.
The valid days are 'Su', 'Mo', 'Tu', 'We', 'Th', 'Fr', and 'Sa'. In addition, the value 'Al' represents all 7 days, and 'Wk' repre-
sents the 5 weekdays. Times are given as HHMM-HHMM. The ending time may be before the starting time. Days are presumed to wrap at
0000.
SEE ALSO
radiusd(8)
AUTHORS
Cristian Gafton <gafton@sorosis.ro>.
Francesco Paolo Lovergine <francesco@yardradius.org>.
A complete list of contributors is contained in CREDITS file. You should get that file among other ones within your distribution and pos-
sibly installed under /usr/docs directory
COPYRIGHT
Copyright (C) 1997 Cristian Gafton. All rights reserved. Copyright (C) 1999-2004 Francesco Paolo Lovergine. All rights reserved.
See the LICENSE file enclosed within this software for conditions of use and distribution. This is a pure ISO BSD Open Source License .
BUGS
The parser for the configuration file is quite fragile, please DO NOT use spaces in the configuration lines. The maximum length of a con-
figuration line in /etc/raddb/radwatch.conf is set at 1024 byts, if you need more group your users in UNIX groups and abuse @group syntax.
NOTES
In order to use this program you need also a script or a program to stop user sessions on your access server(s). There is not a unique
product to do this. Sometimes you can use a SNMP oid to do this; often the only way is opening a telnet admin session to issue a suitable
clear/reset line command. It depends on the specific access server and it is not easy to support this kind of feature. You are defini-
tively on your own with this.
1.1 Aug 28, 2004 RADWATCH(8)