现在IBM和NOKIA都在用这个写脚本,语法很好,学习学习,学会了好找工作
引用:
#!/usr/bin/ipstcl
########################################################## # Access Controller page for IPSO 3.6 # # $Id: azc.tcl,v 1.27.2.33 2002/11/26 14:55:39 vgupta Exp $ ##########################################################
ipso
source /web/cgi-bin/validate.tcl
source /web/cgi-bin/show_result.tcl

# Navigation / documentation anchors read by the Voyager page framework.
set method [get_Method]
set UP  "main"
set TOP "main"
set DOC "/opt/azc/doc/access_c.htm"

# Accumulators filled by the POST handler: error strings, warning strings and
# the key/value pairs that will be written to the configuration database.
foreach accumulator {err_list war_list set_list} {
    set $accumulator [list]
}
set result 0

# Form values the POST handler captures for cross-field validation
# (AP proxy port vs. proxy port list, heartbeat type vs. period, licence key).
foreach formvar {val_arg_proxyport val_arg val_heartbeat_period val_heartbeat_type val_akey} {
    set $formvar ""
}

set myDb [libdb init -local -user $USER]
set I    [ipsctl init]

# Licence feature flags.  They start enabled and are only ever cleared by the
# licence check that follows, so an unparseable licence leaves everything on.
foreach flag {flag_routed flag_snmp flag_rad flag_realm} {
    set $flag true
}

set sprefix {package:azc}
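# ---------------------------------------------------------------------------
# Licence check (page render).  Ask the activation daemon which features the
# installed licence covers and hide the UI sections that are not licensed.
#
# `hscaad -L` prints a space separated line whose last word is a string of
# twelve feature characters; characters 8..11 (0-based) gate the realm,
# RADIUS-proxy, SNMP and routed-network sections respectively.  Because
# `catch` stores the script result in `errmessage` on success as well as on
# failure, `errmessage` holds either the daemon's output or the error text.
#
# NOTE(review): this fails open.  If the daemon is missing, fails, or prints
# anything other than a 12-character feature word, every flag stays "true"
# and all sections are shown.  That only affects what the page displays; the
# daemon itself has to enforce the licence.
# ---------------------------------------------------------------------------
set licence_key 111111111111
set err [catch { set result [exec "/opt/azc/bin/hscaad" -L ] } errmessage ]
set licence_key [split $errmessage " "]
set len_ele [llength $licence_key]
set list_of_features [split [lindex $licence_key [expr {$len_ele - 1}]] {}]
set len [llength $list_of_features]
if {$len == 12} {
    # Braced expr throughout: the feature characters come from another
    # program's output and must be compared as data, not re-parsed as Tcl
    # (an unbraced `expr $x != 1` substitutes $x before parsing).
    if {[lindex $list_of_features 11] != 1} { set flag_routed false }
    if {[lindex $list_of_features 10] != 1} { set flag_snmp false }
    if {[lindex $list_of_features 9] != 1}  { set flag_rad false }
    if {[lindex $list_of_features 8] != 1}  { set flag_realm false }
}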
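# ===========================================================================
# POST handler.  Turns the submitted form into a list of configuration-database
# writes (set_list), validates the few values that need cross-checking, and
# reports the outcome.  Nothing is written unless err_list is still empty.
#
# Form fields reach this page two ways: the framework exposes each field as a
# Tcl variable (e.g. $apply, $save, $new_ap_s) and also lists the field names
# in $Q_Names with values available through [getVal].
#
# NOTE(review): no anti-CSRF token is checked here and none is visible in this
# file.  If the framework does not add one, a logged-in operator can be made to
# submit this form (changing RADIUS secrets and interface bindings) by a page
# they visit elsewhere.
# ===========================================================================

# Delete-checkboxes are named "tmp:<db key>:bool"; recover "<db key>".
proc azc_key_from_checkbox {fieldname} {
    set key [string range $fieldname [string first "package" $fieldname] end]
    set cut [string first ":bool" $key]
    return [string range $key 0 [expr {$cut - 1}]]
}

# Map a logical interface name (what the form shows) back to its entry under
# "interface:" in the configuration database.  Returns "" when nothing
# matches so callers can reject unknown names; the inline loops this replaces
# left the previous match (or an undefined variable) in place on a miss.
proc azc_iface_by_lname {db lname} {
    foreach entry [libdb iterate children $db "interface"] {
        if {[string compare [libdb get $db "interface:$entry:lname"] $lname] == 0} {
            return $entry
        }
    }
    return ""
}

# Emit one framed message box: header image, one line per message, rule image.
proc azc_message_box {header_img header_alt rule_img rule_alt messages} {
    HTML_Image $header_img $header_alt
    HTML_BR
    foreach msg $messages {
        TEXT "$msg"
        HTML_BR
    }
    HTML_Image $rule_img $rule_alt
    HTML_BR
}

if {[string equal [get_Method] "POST"]} {
    if {$apply == 1} {
        set emptycase 0   ;# IntInterface:N slots emptied and not yet flushed
        set addedvar 0    ;# IntInterface:N slots accounted for so far
        foreach var $Q_Names {
            set val "[getVal $var]"
            if {[regexp {^tmp:package:azc:server:ClientSharedSecret:(.)+:bool$} $var]} {
                # "Delete client" checkbox.  A posted empty value is what this
                # page treats as "delete" (unchanged from the original logic).
                if {$val == ""} {
                    lappend set_list [azc_key_from_checkbox $var] ""
                }
            } elseif {[regexp {^new_ap_l$} $var]} {
                # New RADIUS client: IP from this field, secret from new_ap_s,
                # falling back to the configured default client secret.
                set ip $val
                set new_sec $new_ap_s
                if {$new_sec == ""} {
                    set new_sec [libdb get $myDb "package:azc:server:ClientSharedSecret"]
                }
                lappend set_list "$sprefix:server:ClientSharedSecret:$ip" "$new_sec"
            } elseif {[regexp {^tmp:package:azc:server:RealmList:([^:]*):bool$} $var mtch realm]} {
                # "Delete realm": drop every server under the realm, its
                # primary-server marker and the realm entry itself.
                if {$val == ""} {
                    # The original cut this key out of the "tmp:"-prefixed
                    # field name and so queued a bogus "tmp:..." key; use the
                    # same helper as the other checkboxes.
                    lappend set_list [azc_key_from_checkbox $var] ""
                    foreach srv [libdb iterate children $myDb "${sprefix}:server:RadProxyRealm:$realm"] {
                        lappend set_list "${sprefix}:server:RadProxyRealm:$realm:$srv" ""
                    }
                    lappend set_list "${sprefix}:server:ZZProxyRealm:$realm:PriSrv" ""
                    lappend set_list "${sprefix}:server:RealmList:$realm" ""
                }
            } elseif {[regexp {^([^:]*):PriSrv:(.)+$} $var mtch rlm data]} {
                # Primary-server radio button of a realm.
                if {$val != ""} {
                    lappend set_list "${sprefix}:server:ZZProxyRealm:$rlm:PriSrv" $val
                }
            } elseif {[regexp {^tmp:package:azc:server:RadProxyRealm:(.)+:(.)+:bool$} $var]} {
                # "Delete server from this realm" checkbox.
                if {$val == ""} {
                    lappend set_list [azc_key_from_checkbox $var] ""
                }
            } elseif {[regexp {^new_realm_l$} $var]} {
                # New realm, or an extra server for an existing realm.
                if {$val != ""} {
                    lappend set_list "${sprefix}:server:RealmList:$new_realm_l" "t"
                    lappend set_list "${sprefix}:server:RadProxyRealm:$new_realm_l:$new_srv_l" "$new_sec_l"
                    if {$new_pri_srv_l == "t"} {
                        lappend set_list "${sprefix}:server:ZZProxyRealm:$new_realm_l:PriSrv" $new_srv_l
                    }
                }
            } elseif {[string match newinterface $var] == 1} {
                # "Add new WLAN interface" list; "None" means nothing chosen.
                if {[string match Non* $val] != 1} {
                    incr addedvar
                    set iface [azc_iface_by_lname $myDb $val]
                    if {$iface == ""} {
                        lappend err_list " Unknown interface selected as new WLAN interface "
                    } else {
                        lappend set_list "package:azc:server:IntInterface:$addedvar" $iface
                    }
                }
            } elseif {[string match package:azc:server:IntInterface:* $var] == 1} {
                # Additional WLAN interface slot N; "" means switched off.
                if {$val == ""} {
                    incr emptycase
                } else {
                    set iface [azc_iface_by_lname $myDb $val]
                    if {$iface == ""} {
                        lappend err_list " Unknown interface in the additional WLAN interface list "
                    } elseif {$emptycase >= 1} {
                        # Earlier slots were emptied in this request: shift this
                        # entry down so slot numbers stay contiguous.  The slot
                        # number is taken from the field name, i.e. from form
                        # input, so it is checked before any arithmetic.  (The
                        # original used [string index] and so broke at slot 10.)
                        set slot [string range $var [expr {[string last ":" $var] + 1}] end]
                        if {![regexp {^[0-9]+$} $slot]} {
                            lappend err_list " Malformed WLAN interface field name "
                        } else {
                            set slot [expr {$slot - $emptycase}]
                            lappend set_list "package:azc:server:IntInterface:$slot" $iface
                        }
                    } else {
                        lappend set_list $var $iface
                    }
                    incr addedvar
                }
            } elseif {[string match package:azc:server:IntInterface $var] == 1 \
                   || [string match package:azc:server:ExtInterface $var] == 1} {
                # Primary WLAN / external interface: store the database entry,
                # not the logical name shown in the form.
                set iface [azc_iface_by_lname $myDb $val]
                if {$iface == ""} {
                    lappend err_list " Unknown interface name selected "
                } else {
                    lappend set_list $var $iface
                }
            } elseif {[string match package:azc:server:ProxyPorts $var] == 1} {
                set val_arg_proxyport $val
                lappend set_list $var $val
            } elseif {[string match package:azc:server:HeartbeatType $var] == 1} {
                set val_heartbeat_type $val
                lappend set_list $var $val
            } elseif {[string match package:azc:server:HeartbeatPeriod $var] == 1} {
                set val_heartbeat_period $val
                lappend set_list $var $val
            } elseif {[string match package:azc:server:ApProxyPort $var] == 1} {
                set val_arg $val
                lappend set_list $var $val
            } elseif {[string match package:azc:server:ActivationKey $var] == 1} {
                set val_akey $val
                lappend set_list $var $val
                # NOTE(review): this compares the submitted key with a literal
                # embedded in the CGI.  A mismatch only prints a message -- the
                # key is still queued for writing and the real licence check is
                # the `hscaad -L` call below -- so this looks like a leftover
                # development check.  Confirm with the daemon owners whether it
                # is still meant to be here.
                if {[string match "8719u501mgwu" $val_akey] != 1} {
                    azc_message_box /images/errorbar.gif "-- Error ----" \
                        /images/redbar.gif "-------------" [list "AC Activation key ERROR!"]
                }
            } elseif {[string match package:azc* $var] == 1} {
                # Any other package:azc* field is stored exactly as posted.
                # NOTE(review): this is effectively mass assignment of every key
                # under package:azc; the framework / libdb must be the thing
                # that restricts which keys a Voyager user may write.
                lappend set_list $var $val
            }
            # Flush slots emptied so far as explicit "" writes.
            # NOTE(review): this loop runs after every form field, so emptycase
            # is back to 0 before the next IntInterface:N field is seen and the
            # shift-down branch above looks unreachable.  The original has the
            # same structure; confirm the intent before moving this loop out of
            # the foreach.
            while {$emptycase > 0} {
                incr addedvar
                lappend set_list "package:azc:server:IntInterface:$addedvar" ""
                incr emptycase -1
            }
        }
    }

    # AP proxy port must not collide with the built-in proxy ports or with any
    # configured proxy port (or that port + 9000).  Both values are form input:
    # an unbraced `expr $val_arg == 9080` (as this page used to do) re-parses
    # the submitted text as Tcl, i.e. command injection, so they are checked
    # for digits first and compared with braced expressions.
    if {[string compare $val_arg ""] != 0} {
        if {![regexp {^[0-9]+$} $val_arg]} {
            lappend err_list " AP Proxy port must be a number "
        } elseif {$val_arg == 9080 || $val_arg == 80} {
            lappend err_list " AP Proxy port matches with the Proxy port 9080 or 80 "
        } else {
            foreach port [split $val_arg_proxyport ","] {
                set port [string trim $port]
                if {$port == ""} {
                    continue
                }
                if {![regexp {^[0-9]+$} $port]} {
                    lappend err_list " Proxy port list contains a non-numeric entry "
                    break
                }
                set shifted [expr {$port + 9000}]
                if {$val_arg == $port || $val_arg == $shifted} {
                    lappend err_list " AP Proxy port matches with the Proxy port $port or $shifted "
                    break
                }
            }
        }
    }

    if {$save == 1} {
        lappend set_list ":save" ""
    }

    # Licence check again, this time with the key just submitted (same output
    # format as the render-time check above).  Flags are reset first.
    foreach flag {flag_routed flag_snmp flag_rad flag_realm} {
        set $flag true
    }
    set licence_key 111111111111
    set errmessage ""
    # $val_akey is form input.  Tcl's exec interprets words that look like
    # redirections (">file", "2>file", "<file", "&", ...) even when they
    # arrive as a single substituted argument, so an unchecked key could make
    # the daemon's output overwrite a file as the CGI's user.  Only a plain
    # token is passed through; every key seen in this file is alphanumeric --
    # widen the class if real keys contain other characters.
    if {[regexp {^[A-Za-z0-9-]*$} $val_akey]} {
        set err [catch { set result [exec "/opt/azc/bin/hscaad" -L $val_akey] } errmessage]
    } else {
        set err 1
        lappend err_list " Activation key contains characters that are not allowed "
    }
    set licence_key [split $errmessage " "]
    set len_ele [llength $licence_key]
    set list_of_features [split [lindex $licence_key [expr {$len_ele - 1}]] {}]
    set len [llength $list_of_features]
    if {$len == 12} {
        if {[lindex $list_of_features 11] != 1} { set flag_routed false }
        if {[lindex $list_of_features 10] != 1} { set flag_snmp false }
        if {[lindex $list_of_features 9] != 1}  { set flag_rad false }
        if {[lindex $list_of_features 8] != 1}  { set flag_realm false }
    }

    # Routed-network licence + ARP heartbeat + non-zero keepalive: ARP cannot
    # reach a client behind a router.  Warn, but still allow the setting.
    if {[string compare $flag_routed true] == 0} {
        if {[string compare $val_heartbeat_period 0] != 0 && [string compare $val_heartbeat_period ""] != 0} {
            if {[string compare $val_heartbeat_type 0] == 0} {
                lappend war_list " ARP can not be used if client is behind a router"
            }
        }
    }

    # Report errors, or write the queued changes and report the result.
    if {[llength $err_list] > 0} {
        azc_message_box /images/errorbar.gif "-- Error ----" /images/redbar.gif "-------------" $err_list
    } else {
        # Build the command as a list rather than a string so values holding
        # Tcl metacharacters are passed as data; set_list is expanded into
        # separate arguments exactly as the old string-eval form did.  On
        # success `catch` leaves libdb's return value in err_list, which the
        # Notice branch shows verbatim (as before).
        if {[catch {eval [list libdb set $myDb -list] $set_list} err_list] == 1} {
            azc_message_box /images/errorbar.gif "-- Error ----" /images/redbar.gif "-------------" $err_list
        } elseif {[llength $err_list] || [llength $war_list]} {
            azc_message_box /images/msgbar.gif "-- Notice ----" /images/bluebar.gif "--------------" [concat $err_list $war_list]
        } elseif {$save == 1} {
            azc_message_box /images/apply.gif "-- Success ----" /images/greenbar.gif "---------------" [list "Save successful"]
        } elseif {$apply == 1} {
            azc_message_box /images/apply.gif "-- Success ----" /images/greenbar.gif "---------------"  [list "Apply successful"]
        }
    }
    HTML_HR
    HTML_BR
}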
HTML_Start "Access Controller" azc.tcl

# --- AC Global Settings: enable/disable the AC daemon at startup ------------
HTML "<B>"
TEXT "AC Global Settings:"
HTML "</B>"
HELP "<b>Enable AC Daemon:</b> To enable the activation of AC software at system startup select \\'Yes\\', and to disable AC software at startup, select \\'No\\'."

HTML_Table ""
HTML_Row
HTML_Col
TEXT "Enable AC daemon:"
HTML_Col
# Current value of the process flag drives the yes/no widget.
set daemon_enabled [libdb get $myDb "package:azc:process:hscaad"]
HTML_Boolean "" not $sprefix:process:hscaad $daemon_enabled
HTML_EndTable

HTML_BR
# --- AC Server Settings: activation key --------------------------------------
HTML "<B>"
TEXT "AC Server Settings:"
HTML "</B>"
HELP "<b>Activation key: </b>This is the AC software activation key. The activation key is provided by Nokia."

HTML_Table ""
HTML_Row
HTML_Col
TEXT "Activation key"
HTML_Col
# The stored key is echoed back into a plain text field, so it is readable by
# anyone who can open this page (and lands in browser history/cache).
set current_akey [libdb get $myDb "package:azc:server:ActivationKey"]
get_String "" "$sprefix:server:ActivationKey" "$current_akey" 1
HTML_Link /cgi-bin/azc_hostid.tcl "Display AC Host ID"
HTML_EndTable

HTML_BR
# --- AC Interface Settings ---------------------------------------------------
HTML "<B>"
TEXT "AC Interface Settings:"
HTML "</B>"
HELP "<B>External Interface:</B> This is the name of the external interface, for example the interface to the Internet. By default, it is the first interface of P022. <p><B>Management IP address:</B> At this IP address and also at IP address 127.0.0.1 HTTP and HTTPS requests are associated with Voyager management interface. Any other IP address HTTP and HTTPS requests are associated for WLAN clients.<P><B>WLAN Interface:</B> This is the name of the Wireless LAN interface, for example the interface to which WLAN access points are connected. By default, it is the second interface of P022.<p><B>Additional WLAN Interfaces: </B>You can select whether earlier configured WLAN interfaces are on or off as WLAN interface.<p><B>Add new WLAN interface: </B>You can append any logical interface as new WLAN interface.<p><B>Enable NAT: </B>Network Address Translation may be enabled for packets coming in from WLAN Interface, or from all other interfaces than the External Interface.<p><B>Translate only private addresses: </B>To enable NAT<b> only </b>to private (non-routable) addresses, select \\'on\\' and to translate all IP addresses, select \\'off\\'. Private addresses are defined in RFC1918 (networks 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16).<p>"

HTML_Table ""

# External interface: one choice per physical interface (logical name of its
# c0 channel, falling back to the physical name), loopback excluded.
# `if_choices` holds value/label pairs and is reused by the WLAN row below.
HTML_Row
HTML_Col
TEXT "External interface name"
HTML_Col
foreach phys [libdb iterate -c on $myDb ifphys] {
    set lname [libdb get $myDb interface:${phys}c0:lname]
    if {$lname == ""} {
        set lname $phys
    }
    if {[string compare $lname loop0c0] != 0} {
        lappend if_choices $lname $lname
    }
}
# NOTE(review): with no physical interfaces if_choices is never created and
# the HTML_Selection call below fails; same as the original behaviour.
set ext_entry     [libdb get $myDb "${sprefix}:server:ExtInterface"]
set ext_highlight [libdb get $myDb "interface:$ext_entry:lname"]
eval [list HTML_Selection "" ${sprefix}:server:ExtInterface 1] $if_choices [list $ext_highlight]
HTML_Link /cgi-bin/interfaces.tcl "Interfaces"
# Management IP address: every configured address except 127.0.0.1, plus an
# empty entry meaning "not set".
HTML_Row
HTML_Col
TEXT "Management interface IP address"
HTML_Col
set interfaces [libdb iterate children $myDb "interface"]
set lastipa ""
foreach intf $interfaces {
    # ifname / lname are not used by this row; kept because the script runs
    # at top level and later code may read them.
    set ifname "interface:$intf"
    set lname [libdb get $myDb "interface:$intf:lname"]
    foreach ipaddr [libdb iterate children $myDb "interface:$intf:ipaddr"] {
        if {[string compare $ipaddr "127.0.0.1"] != 0} {
            lappend ipa_choices $ipaddr $ipaddr
        }
    }
}
# Blank entry is the default when no management IP address has been set.
set lastipa ""
lappend ipa_choices "" ""

# Pre-select the stored address when it is long enough to be a real one.
set mydefault2 [libdb get $myDb "${sprefix}:server:ExtIPAddr"]
if {[string length $mydefault2] > 6} {
    set lastipa $mydefault2
}
eval [list HTML_Selection "" ${sprefix}:server:ExtIPAddr 1] $ipa_choices [list $lastipa]
# WLAN interface: same choices as the external interface row minus the
# interface currently selected as external.
HTML_Row
HTML_Col
TEXT "WLAN interface name"
HTML_Col
set e_int_name   [libdb get $myDb "${sprefix}:server:ExtInterface"]
set ext_int_name [libdb get $myDb "interface:$e_int_name:lname"]
foreach entry $if_choices {
    if {[string compare $ext_int_name $entry] != 0} {
        lappend new_if_choices $entry
    }
}
# NOTE(review): if the external interface is the only choice, new_if_choices
# is never created and the HTML_Selection call fails (as in the original).
set wlan_entry     [libdb get $myDb "${sprefix}:server:IntInterface"]
set wlan_highlight [libdb get $myDb "interface:$wlan_entry:lname"]
eval [list HTML_Selection "" ${sprefix}:server:IntInterface 1] $new_if_choices [list $wlan_highlight]
HTML_Link /cgi-bin/interfaces.tcl "Interfaces"
HTML_EndTable
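# ---------------------------------------------------------------------------
# Additional WLAN interfaces.  Slots package:azc:server:IntInterface:N hold
# the configuration-database interface entry of each extra WLAN interface.
# Collect their logical names into IntInterfaces and remember duplicates.
# IntInterfaces deliberately stays undefined when there are none; the "Add
# new WLAN interface" list below tests it with [info exists].
# ---------------------------------------------------------------------------
set args [libdb iterate children $myDb "package:azc:server:IntInterface"]
foreach argentry $args {
    set argval [libdb get $myDb "package:azc:server:IntInterface:$argentry"]
    set add_int_name [libdb get $myDb "interface:$argval:lname"]
    if {[string compare $add_int_name "None"] != 0} {
        # allargs keeps one entry per non-"None" slot, in slot order, so a
        # slot number can be recovered from a name's position below.
        lappend allargs $add_int_name
        if {[string first "/" $add_int_name] == -1} {
            # Code for converting physical name to logical name.
            if {[info exists IntInterfaces] && [lsearch -exact $IntInterfaces $add_int_name] != -1} {
                lappend doubles $add_int_name
            } else {
                lappend IntInterfaces $add_int_name
            }
        }
    }
}

if {[info exists IntInterfaces]} {
    # The table is only opened when there is something to show.  Its closing
    # row/EndTable used to be unconditional and emitted a stray </table> on
    # pages with no additional interfaces; it now lives inside the same test.
    TEXT "Additional WLAN interfaces:"
    HTML_Table ""
    HTML_Row
    HTML_Col
    TEXT "Interface"
    HTML_Col
    TEXT "on/off"
    foreach IntIf $IntInterfaces {
        # Slot numbers are 1-based: position in allargs + 1.
        set argidx [expr {[lsearch -exact $allargs $IntIf] + 1}]
        HTML_Row
        HTML_Col
        TEXT "$IntIf"
        HTML_Col
        HTML_RadioSet "" package:azc:server:IntInterface:$argidx "$IntIf" "on " "$IntIf" "off" ""
    }
    HTML_Row
    HTML_EndTable
}

if {[info exists doubles]} {
    # NOTE(review): this writes to the configuration database while rendering
    # a GET page, and it blanks the highest-numbered slots rather than the
    # slots that actually hold the duplicate names.  Left as found; if the
    # intent is "drop the duplicates", the duplicate slot indices should be
    # looked up instead.
    set argstotal [llength $args]
    foreach a $doubles {
        libdb set $myDb "package:azc:server:IntInterface:$argstotal" ""
        incr argstotal -1
    }
}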
# --- Add new WLAN interface --------------------------------------------------
TEXT "Add new WLAN interface:"
HTML_Table ""
HTML_Row
HTML_Col
TEXT "Interface:"
HTML_Col
set interfaces [libdb iterate children $myDb "interface"]
# Logical names of the external and primary WLAN interfaces, which must not be
# offered again.
set extIfValue [libdb get $myDb "${sprefix}:server:ExtInterface"]
set intIfValue [libdb get $myDb "${sprefix}:server:IntInterface"]
set extIfValue [libdb get $myDb "interface:$extIfValue:lname"]
set intIfValue [libdb get $myDb "interface:$intIfValue:lname"]

# Candidate list: every interface that is not the external interface, not the
# primary WLAN interface, not loopback, not already listed, and not already an
# additional WLAN interface (IntInterfaces, when it exists).
set if_choices ""
foreach intf $interfaces {
    set ifname "interface:$intf"
    set lname [libdb get $myDb "interface:$intf:lname"]
    if {[string equal $lname $extIfValue] || [string equal $lname $intIfValue] || [string equal $lname loop0c0]} {
        continue
    }
    if {[lsearch -exact $if_choices $lname] != -1} {
        continue
    }
    if {[info exists IntInterfaces] && [lsearch -exact $IntInterfaces $lname] != -1} {
        continue
    }
    lappend if_choices $lname
}

# if_choices always exists here (initialised above), so its length is enough.
set numofchoises [llength $if_choices]
if {$numofchoises > 0} {
    HTML_List "Add new interface" newinterface 1
    HTML_Item "None" "None" Selected
    foreach candidate $if_choices {
        HTML_Item "$candidate" "$candidate"
    }
    HTML_EndList
}
HTML_EndTable
# --- NAT settings ------------------------------------------------------------
TEXT "NAT settings:"
HTML_Table ""
HTML_Row
HTML_Col
TEXT "Enable NAT:"
HTML_Col
# Unset means "OFF" (value 0) for the radio group.
set nat_mode [libdb get $myDb "package:azc:server:EnableNAT"]
if {$nat_mode == ""} {
    set nat_mode 0
}
HTML_RadioSet "" ${sprefix}:server:EnableNAT $nat_mode "OFF " 0 "On WLAN interface " 1 "On all interfaces " 2

# Second row has an empty leading cell (two HTML_Col before the label).
HTML_Row
HTML_Col
HTML_Col
TEXT "Translate only private addresses"
HTML_Col
set private_only [libdb get $myDb "package:azc:server:PrivateNAT"]
HTML_Boolean "" $sprefix:server:PrivateNAT $private_only
HTML_EndTable

HTML_BR
# ---------------------------------------------------------------------------
# Authentication settings: section heading and the help text for the RADIUS
# parameter table that follows.  The HELP argument is user-facing HTML and is
# reproduced unchanged (it carries a few typos such as "thesecondary" which
# can only be fixed in the string itself).
# ---------------------------------------------------------------------------
HTML "<B>"
TEXT "Authentication Settings: "
HTML "</B><p>"
TEXT "RADIUS parameters:"
HELP "<b>Enable RADIUS:</b> To enable RADIUS authentication and accounting, select \\'on\\', to disable RADIUS, select \\'off\\'. If RADIUS is used, please enter correct values for the settings below.<br>For more information, see <a href=/opt/azc/doc/access19.htm>RADIUS Infrastructure </a> and <a href=/opt/azc/doc/access20.htm>RADIUS Parameters</a> documentation.<p><b>Alive interval: </b>This defines (in seconds) the sending interval of RADIUS accounting alive packets. Value 0 (or an empty field) means that alive packets are not sent at all. Value -1 means that accounting is not used at all.<p><b>Alive Traffic Trigger: </b>If not zero, this defines how many bytes must be sent and received before the first alive packet is sent. Note that in this case the value of Alive Interval defines how often the amount of bytes sent/received is checked.<p><b>Allow MAC authentication: </b>Defines whether a MAC address can be used for logging in to the RADIUS server. The MAC address (in string format) is sent as a user name. If \\'on\\' is selected, enter the correct values also to MAC Password and MAC Realm fields.<p><b>MAC password: </b>The password sent to the RADIUS server along with the MAC address.<p><b>MAC Realm: </b>The \"realm\" string appended to the MAC address to form a user name. For example, if the realm is @hotel.com, the user name sent to the RADIUS server could be 00:e0:34:9c:70:00@hotel.com<br>The MAC Realm string can also be used to define the format of the MAC address if formatter is added at the beginning of the string. 
The formatter has the following syntax:<br>%Separator,Characters,Truncate,Prefix%<br>\"Separator\" is the character between the MAC address octets.<br>\"Characters\" is <b>1</b> if the octet is printed with one hexadecimal character and if the octet value is less than 10,<br><b>2</b> if two characters are always used (adds a leading zero).<br>\"Truncate\" defines whether null octets at the beginning of the MAC address are ignored and whether the hexadecimal characters are uppercased. The following values can be entered: <b>t</b> if small caps are used and nulls are ignored; <b>T</b> if uppercased characters are used and nulls are ignored; <b>f</b> if small caps are used and nulls are not ignored; <b>F</b> if uppercased characters are used and nulls are not ignored.<br>Examples (MAC address is 00:ef:cd:ab:89:00):<br><b>MAC Realm Result</b><br><b>%-,2,T,MAC %@domain </b>MAC EF-CD-AB-89-00@domain<br><b>%:,1,t,% </b>ef:cd:ab:89:0<br><b>%-,2,F,% </b>00-EF-CD-AB-89-00<br><b>%:,1,f,% </b>0:ef:cd:ab:89:0<br><b>%,1,f,% </b>0efcdab890<br><b>%-,2,f,% </b>00-ef-cd-ab-89-00<br><b>%:,2,f,% </b>00:ef:cd:ab:89:00<p><b>RADIUS return address: </b>This the address RADIUS server sees at RADIUS parameter NAS-IP-Address. Manual setting may be needed if there some network element in between Access Controller and RADIUS server is configured to make NAT for Access Controller.<p><b>RADIUS server address: </b>If RADIUS is enabled, up to two RADIUS server addresses can be defined. These are the IP addresses (and ports) of RADIUS hosts. (Use notation IPaddress:port.)<p><b>Password: </b>The password - \"shared secret\" - used with the RADIUS server.<p><b>RADIUS timeout: </b>The amount of time RADIUS reply is waited for before it is resent.<br>Default timeout is 6 seconds. 
It is not recommended to use longer timeout values than 20 seconds.<p><b>RADIUS retries: </b>The amount of times the RADIUS messages are resent if the server does not reply.<p><b>Switch primary server on failure: </b>This defines the order RADIUS servers are used if the primary server fails to answer the query.<br>If the \"No\" option is selected, the primary server is always queried first even if it is not able to answer. After timeouts and retries, thesecondary server is queried. <br> If \"Stay with the authenticated\" is selected, the primary RADIUS server for each user session is the one that answered to the first RADIUS query. Each new authentication starts by using the system default primary server.<br>If \"Switch for all\" is selected, the RADIUS server that was able to answer the query will be queried first in the next RADIUS event (any RADIUS event) - even if that server was defined to be the secondary server. If \"Switch for all\" is selected, load-balancing cannot be used. In load-balancing half of the machines use one server as a primary server and another server as a secondary server. After a server failure, however, all Access Controllers use the answering one.<p><b>AutoStop threshold: </b>Used if one wishes to send RADIUS accounting stop packets upon the Access Controller start-up, <b>0</b> if the feature is not desired. The STOP packets are sent for the sessions that were open when an unexpected failure (like power failure) occurred thus preventing the Access Controller from terminating the session accounting correctly. The interval defines the amount of time that the Access Controller will wait after reboot before sending any STOP packets. The time should be approximately the time it takes after reboot to initialize the whole system. Usually this time is ~40 seconds. The data in the STOP packet is the same as in the latest Alive (or Start) packet."
# Emit the label cell of one RADIUS parameter row and open the value cell.
# `extra_html` is raw HTML appended after the label (used for the NAS-IP row).
proc azc_radius_label {label {extra_html ""}} {
    HTML_Row
    HTML_Col
    TEXT $label
    if {$extra_html != ""} {
        HTML $extra_html
    }
    HTML_Col
}

# --- RADIUS parameter table --------------------------------------------------
HTML_Table ""

azc_radius_label "Enable RADIUS"
set state [libdb get $myDb "package:azc:server:RADIUS"]
HTML_Boolean "" $sprefix:server:RADIUS $state

azc_radius_label "Alive interval"
set state [libdb get $myDb "package:azc:server:RADIUSAlivePerioid"]
get_String_with_Len "" $sprefix:server:RADIUSAlivePerioid $state 10 1
TEXT "seconds"

azc_radius_label "Alive traffic trigger"
set state [libdb get $myDb "package:azc:server:RADIUSAliveBytes"]
get_Int "" $sprefix:server:RADIUSAliveBytes $state 1
TEXT "KB"

azc_radius_label "Allow MAC authentication"
set state [libdb get $myDb "package:azc:server:MACAuthentication"]
HTML_Boolean "" $sprefix:server:MACAuthentication $state

# NOTE(review): the MAC password and both RADIUS shared secrets below are
# rendered into ordinary text fields, so they are visible to anyone who can
# open this page and end up in browser history/cache.
azc_radius_label " MAC password"
set state [libdb get $myDb "package:azc:server:MACPSW"]
get_String "" $sprefix:server:MACPSW $state 1

azc_radius_label " MAC realm"
set state [libdb get $myDb "package:azc:server:MACREALM"]
get_String "" $sprefix:server:MACREALM $state 1

azc_radius_label "RADIUS return address" "<BR>(NASIPAddress)"
set state [libdb get $myDb "package:azc:server:NASIPAddr"]
get_String "" $sprefix:server:NASIPAddr $state 1

azc_radius_label "RADIUS server address"
set state [libdb get $myDb "package:azc:server:RADIUS1"]
get_String "" $sprefix:server:RADIUS1 $state 1

azc_radius_label " Password"
set state [libdb get $myDb "package:azc:server:RADIUS1PSW"]
get_String "" $sprefix:server:RADIUS1PSW $state 1

azc_radius_label "Secondary RADIUS server address"
set state [libdb get $myDb "package:azc:server:RADIUS2"]
get_String "" $sprefix:server:RADIUS2 $state 1

azc_radius_label " Password"
set state [libdb get $myDb "package:azc:server:RADIUS2PSW"]
get_String "" $sprefix:server:RADIUS2PSW $state 1

azc_radius_label "RADIUS timeout"
set state [libdb get $myDb "package:azc:server:RADIUSTimeout"]
get_Int "" $sprefix:server:RADIUSTimeout $state 1
TEXT "seconds"

azc_radius_label "RADIUS retries"
set state [libdb get $myDb "package:azc:server:RADIUSRetries"]
get_Int "" $sprefix:server:RADIUSRetries $state 1

azc_radius_label "Switch primary server on failure:"
set state [libdb get $myDb "package:azc:server:switchRADIUS"]
if {$state == ""} {
    set state 0
}
HTML_RadioSet "" ${sprefix}:server:switchRADIUS $state "No<BR>" 0 "Stay with authenticated<BR>" 1 "Switch for all" 2

azc_radius_label "AutoStop threshold"
set state [libdb get $myDb "package:azc:server:RADIUSAutostop"]
get_Int "" $sprefix:server:RADIUSAutostop $state 1
TEXT "seconds"

HTML_EndTable
# RADIUS proxy
# RADIUS proxy section; only rendered when the licence includes RADIUS proxy.
if {[string compare $flag_rad true] == 0} {
    HTML "<p>"
    TEXT "RADIUS proxy settings:"
    HELP "<b>Enable RADIUS proxying: </b> To enable RADIUS proxy service on Access Controller select \"on\", to disable RADIUS proxy, select \\'off\\'.<p><b>Enable RADIUS accounting proxying: </b>If RADIUS proxy for accounting is enabled select \"on\". This will work only if previosly RADIUS proxy is turned \"on\". By default this is off and the Access Controller generates accounting messages.<p><b>Enable realm stripping: </b>To enable stripping of realm names from the user name select \"on\". If this option is selected then realm names will be stripped from the user name. Eg. user with name \"scott@ganga.com\" will be forwarded as \"scott\". If the stripping is disabled the whole name is forwarded to RADIUS server.<p><b>RADIUS proxy authorization port on WLAN: </b>This is the port number on which RADIUS proxy, if enabled, will listen for the client authentication requests on the WLAN interface. It has a default value of 1812.<p><b>RADIUS proxy accounting port on WLAN: </b>This is the port number on which RADIUS proxy, if both RADIUS proxy and accounting proxy are enabled, will listen for the client accounting requests on the WLAN interface. It has a default value of 1813.<p><b>RADIUS proxy NAS port on WAN: </b>This is the port number which RADIUS proxy, if enabled, will open for communication with the RADIUS servers. It has a default value of 5600<p><b>Forced first page for RADIUS proxy: </b>Define the URL where the first HTTP connection of RADIUS proxy authenticated client is redirected. 
The default value is empty (= no redirection).<p><b>Default RADIUS client shared secret: </b>This is the default shared secret which any RADIUS client, not known to the Access Controller, can use to send RADIUS requests to the Access Controller.<p><b>RADIUS clients using RADIUS Proxy: </b>This shows currently configured RADIUS clients and it is also used for adding new RADIUS clients which will be using Access Controller as RADIUS proxy. The mandatory fields are \\'<i>IP address</i>\\' and \\'<i>shared secret</i>\\'.<p> <b> RADIUS client IP address</b> The IP address RADIUS client will use for communcating with Access Controller.<p><b>Shared secret for the RADIUS client: </b> The shared secret for the RADIUS link between Access Controller and the RADIUS client.<p> <b>Realms for RADIUS proxy:</b> This shows currently configured realms for RADIUS proxy. It is also used for adding new realms and their RADIUS servers to which all the authentication and accounting requests for the realm will be forwarded. Required fields are \\'<i>Realm</i>\\', \\'<i>RADIUS server</i>\\', \\'<i>Shared secret</i>\\' and selection of \\'<i>Primary server</i>\\'. If RADIUS proxy receives authentication request without realm, the request is forwarded to the RADIUS server configured in section \\'Radius parameters\\' item \\'RADIUS server address\\'<p><b>Realm:</b> When this realm is regocnized by Access Controller in the user name all authentication and accounting requests are relayed toassosiated RADIUS sevrer <p><b>RADIUS server for the realm:</b> The RADIUS server to be used with the realm.<p> <b>Shared secret for the RADIUS link</b> The shared secret to be used with the RADIUS link between Access Controller and the RADIUS server. <p><b>Primary server for the Realm.</b> The primary server is used first for the authentication and accounting. 
If primary server fails then switching to secondary server is done based on setting in the section \\'Radius parameters\\' item \\'Switch primary server on failure\\'<p>"
    TEXT ""

    # Proxy settings table: {label  db-key  widget} triples, emitted in order.
    # NOTE(review): per the help text above, ClientSharedSecret is the secret
    # any RADIUS client unknown to the Access Controller may use, so once set
    # it effectively widens who can talk RADIUS to this box.  It is rendered
    # here in a plain text field like the other secrets on this page.
    HTML_Table ""
    foreach {label key widget} {
        "Enable RADIUS proxying:"                    RadForward         bool
        "Enable RADIUS accounting proxying:"         RadAcctForward     bool
        "Enable realm stripping:"                    StripRealmName     bool
        "RADIUS proxy authorization port on WLAN:"   RadProxyAuthPort   string
        "RADIUS proxy accounting port on WLAN:"      RadProxyAcctPort   string
        "RADIUS proxy NAS port on WAN:"              ProxyNasPort       string
        "Default shared secret RADIUS clients:"      ClientSharedSecret string
        "Forced first page:"                         RadProxyRedirect   string
    } {
        HTML_Row
        HTML_Col
        TEXT $label
        HTML_Col
        set state [libdb get $myDb "package:azc:server:$key"]
        if {$widget == "bool"} {
            HTML_Boolean "" $sprefix:server:$key $state
        } else {
            get_String "" $sprefix:server:$key $state 1
        }
    }
    HTML_EndTable

    # Not used by anything on this page; kept because later code may read it.
    set ap_count [libdb get $myDb "${sprefix}:server:APSharedSecretCount"]
    if {$ap_count == ""} {
        set ap_count 0
    }

    HTML "<BR>"

    # Configured RADIUS clients: one row per client with an editable secret
    # and a delete checkbox (named tmp:...:bool, handled by the POST code).
    TEXT "Current RADIUS clients: "
    set ap_list [libdb iterate children $myDb "${sprefix}:server:ClientSharedSecret"]
    HTML_Table ""
    HTML_Row
    HTML_Col
    TEXT "IP address"
    HTML_Col
    TEXT "Shared secret"
    HTML_Col
    TEXT "Delete client"
    foreach ap $ap_list {
        set ap_secret [libdb get $myDb "${sprefix}:server:ClientSharedSecret:$ap"]
        HTML_Row
        HTML_Col
        TEXT "$ap"
        HTML_Col
        get_String "" ${sprefix}:server:ClientSharedSecret:$ap $ap_secret 1
        HTML_Col
        HTML_CheckBox "" "tmp:package:azc:server:ClientSharedSecret:$ap:bool" ""
    }
    HTML_EndTable

    HTML "<BR>"

    # Form for adding a client (fields new_ap_l / new_ap_s, read by POST code).
    TEXT "Add RADIUS client for RADIUS proxy"
    HTML_Table ""
    HTML_Row
    HTML_Col
    get_IPv4_Unicast "IP address" "new_ap_l" "" "Enter IP address \ of new RADIUS client which will be using RADIUS proxy" 1
    HTML_Col
    get_String "Shared secret" "new_ap_s" "" "Enter shared secret for the new RADIUS client" 1
    HTML_EndTable
}
# Added this line so that this portion will not be shown whenever the radius proxy is not licensed
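# Realm -> RADIUS server mapping for the RADIUS proxy. Rendered only when the
# realm feature is licensed ($flag_realm, derived from the activation key
# earlier in this page). For every realm whose RealmList entry is "t", one
# editable row is emitted per server under RadProxyRealm:<realm>, with a
# radio group selecting the primary server (ZZProxyRealm:<realm>:PriSrv)
# and delete check boxes; an "add realm / server" form follows the table.
if { [string equal $flag_realm true] } {
    HTML "<BR>"
    TEXT "Realms for RADIUS proxy:"

    # All realm names known to the config database.
    set realm_list [libdb iterate children $myDb "${sprefix}:server:RealmList"]

    HTML_Table ""
    HTML_Row
    foreach heading {Realm Server {Shared secret} {Primary server} {Delete realm} {Delete server from this realm}} {
        HTML_Col
        TEXT $heading
    }

    foreach realm $realm_list {
        # Only realms flagged "t" are live; others are skipped entirely.
        if { ![string equal [libdb get $myDb "${sprefix}:server:RealmList:$realm"] "t"] } {
            continue
        }
        set rad_srv_list [libdb iterate children $myDb "${sprefix}:server:RadProxyRealm:$realm"]
        set pri_srv [libdb get $myDb "${sprefix}:server:ZZProxyRealm:$realm:PriSrv"]

        foreach srv $rad_srv_list {
            # Per-server shared secret, read in clear from the config DB and
            # written below as the value of a text field, i.e. into the page
            # source of anyone who can open this page.
            set srv_secret [libdb get $myDb "${sprefix}:server:RadProxyRealm:$realm:$srv"]

            HTML_Row
            HTML_Col
            # $realm and $srv originate from the config DB; whether TEXT
            # HTML-escapes its argument is not visible here -- confirm.
            TEXT "$realm"
            HTML_Col
            TEXT "$srv"
            HTML_Col
            get_String "" ${sprefix}:server:RadProxyRealm:$realm:$srv $srv_secret 1
            HTML_Col
            # One radio group per realm; the checked entry is the current
            # primary. The radio value is always $srv: the former
            # local_pri_srv copy carried the same value in both branches.
            # NOTE(review): $realm is embedded between ':' separators in the
            # field names below, so a realm name containing ':' presumably
            # cannot be parsed back on submit -- verify against the POST handler.
            if { [string equal $srv $pri_srv] } {
                HTML_Radio "" "$realm:PriSrv:data" "$srv" checked
            } else {
                HTML_Radio "" "$realm:PriSrv:data" "$srv"
            }
            HTML_Col
            HTML_CheckBox "" "tmp:package:azc:server:RealmList:$realm:bool" ""
            HTML_Col
            HTML_CheckBox "" "tmp:package:azc:server:RadProxyRealm:$realm:$srv:bool" ""
            # No trailing empty cell: the data row has the same six columns
            # as the header row.
        }
    }
    HTML_EndTable

    HTML "<BR>"
    TEXT "Add new realm or RADIUS server for existing realm:"
    HTML_Table ""
    HTML_Row
    foreach heading {Realm {RADIUS server} {Shared secret} {Will this be primary server?}} {
        HTML_Col
        TEXT $heading
    }
    HTML_Row
    HTML_Col
    get_String "" "new_realm_l" "" "Enter Name of new Realm which will be using RADIUS Proxy" 1
    HTML_Col
    get_IPv4_Unicast "" "new_srv_l" "" "Enter IP address of RADIUS Server" 1
    HTML_Col
    get_String "" "new_sec_l" "" "Enter Shared Secret for the RADIUS Server" 1
    HTML_Col
    # Argument layout of HTML_RadioSet is not visible in this file; the call
    # is kept exactly as configured.
    HTML_RadioSet "" "new_pri_srv_l" "t" "Yes" "t" "No" ""
    HTML_EndTable
}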
# "Other authentication parameters" section: demo accounts, free-trial
# timers, login text and login-host monitoring, white/black lists and UDP
# blocking. Each row reads the current value from the config DB under
# $sprefix and renders an editable field keyed by that same DB path, so the
# POST handler can write it straight back.
HTML "<p>"
TEXT "Other authentication parameters:"
HELP "<b>Demo Accounts: </b>This is a list of accounts used when RADIUS is disabled and MAC authentication is not allowed. The accounts are separated with a comma \",\". Each account is defined with syntax \"UserName/Password/Welcome Message/QoSClass\".<br>For example (two accounts):<br>Demo/Nokia/Welcome to Nokia Access Zone/Premium,Test/Password<p><b>Free Trial time: </b>Give the AC-controlled free trial time in minutes. Value 0 or an empty field means that a trial is not possible. Note that /opt/azc/htdocs/login_user.html must be edited to enable/disable the feature. Look for the string \"trial\" in the file and follow the instructions.<p><b>Trial lock-time: </b>Once the trial time has been used, the trial account is locked for the time defined. Value zero (or an empty field) defaults to 24 hours. Note that the lock time is measured starting from the time the trial was started. For example: the trial time is 15 minutes, the lock time is 24 hours (1440 minutes) and the trial starts at 17:00. The user is logged off at 17:15 and a new trial can start the next day at 17:00 earliest.<p><b>Login Text: </b>Defines the text that is shown to users when they try to access services before they have been authenticated. If the field contains an URL with <b>http</b> or <b>https</b> protocol, all http connections are automatically redirected there.<br>The string <b>%s</b> is replaced by the IP address of the Access Point, if it is known (the information is updated by AP daemon, so it needs to be activated before Access Point address is known).<br>A question mark (<b>?</b>) character is supplemented by a server encoded information about the IP address of the client. It is needed if the authentication forms for end users reside on some other machine. For details, please refer to <b>Access Zone Configuration guide</b>.<br>The string <b>%s</b> and a question mark <b>?</b> can only be used in the URL of the Login text field. 
The string <b>%c</b> is replaced with the client IP address and <br><b>%W</b> with the IP address of the Access Controller interface that the client is connected to. The default value of login text is<br><b>Please login at http://%W/login_user.html</b>. If one wishes to use SSL for login, please change <b>http</b> to <b>https</b> in the URL.<p><b>Login host ping interval: </b>The ping interval in seconds to host of Login Text URL. Set to 0 if using local login page or ping cannot be used for connection monitoring. This can occur if a firewall exists between login host and Access Controller. The connection status to host referred in Login Text can be monitored using ping. If host cannot be reached login page is redirected to wlan interface to /login_user.html.<p><b>Whitelist Hosts: </b>A list of host IP addresses that are always open, for example accessible without AC login. Separate the IP addresses with a comma \",\". A netmask can also be used. For example: 172.21.212.0/24 means that all hosts that have IP addresses between 172.21.212.0 and 172.21.212.255 are open. Only a specific port in a named host can be opened by using the notation IPaddress:Port, for example 172.21.212.1:80.<br>Netmask and port can be combined; define the port before mask length. For example: 172.21.212.0:80/24 opens HTTP-port (and only HTTP port) for all hosts that have IP addresses between 172.21.212.0 and 172.21.212.255.<br>DNS names can be used (solved at configuration load time), but then DNS must be configured in P022.<p><b>Blacklist hosts: </b>A list of host IP addresses that are never accessible. Separate the IP addresses with a comma \",\". A netmask can also be used. For example: 172.21.212.0/24 means that all hosts that have IP addresses between 172.21.212.0 and 172.21.212.255 are always inaccessible.<br>Netmask and port can be combined; define the port before mask length. 
For example: 172.21.212.0:25/24 blocks SMTP-port (and only SMTP port) for all hosts that have IP addresses between 172.21.212.0 and 172.21.212.255.<br>DNS names can be used (solved at configuration load time), but then DNS must be configured in P022.<p><b>Block all UDP: </b>If UDP is totally blocked before the user is logged in, select \"Yes\".<br>If DHCP and DNS services are available for the users without logging in, select \"No\".<br>If UDP is blocked, at least the DNS should be opened with a Whitelist. Otherwise the users might not get the AC login page."
HTML_Table ""

# Demo accounts: one string of "User/Password/..." tuples; the passwords in
# it are echoed back in clear as the field value.
HTML_Row
HTML_Col
TEXT "Demo accounts"
HTML_Col
set dbkey "$sprefix:server:DemoAccounts"
set state [libdb get $myDb $dbkey]
get_String "" $dbkey $state 1

# Free trial time, in minutes.
HTML_Row
HTML_Col
TEXT "Free trial time"
HTML_Col
set dbkey "$sprefix:server:TrialTime"
set state [libdb get $myDb $dbkey]
get_Int "" $dbkey $state 1
TEXT "minutes"

# Trial lock time, in minutes.
HTML_Row
HTML_Col
TEXT "Trial lock-time"
HTML_Col
set dbkey "$sprefix:server:TrialLockTime"
set state [libdb get $myDb $dbkey]
get_Int "" $dbkey $state 1
TEXT "minutes"

# Login text, or an http/https URL that unauthenticated clients are
# redirected to (see HELP above).
HTML_Row
HTML_Col
TEXT "Login text"
HTML_Col
set dbkey "$sprefix:server:LoginText"
set state [libdb get $myDb $dbkey]
get_String "" $dbkey $state 1

# Ping interval towards the login host, in seconds.
HTML_Row
HTML_Col
TEXT "Login host ping interval"
HTML_Col
set dbkey "$sprefix:server:PingInterval"
set state [libdb get $myDb $dbkey]
get_Int "" $dbkey $state 1
TEXT "seconds"

# Whitelist / blacklist: comma-separated host specs, edited as raw strings.
HTML_Row
HTML_Col
TEXT "Whitelist hosts"
HTML_Col
set dbkey "$sprefix:server:WhiteLst"
set state [libdb get $myDb $dbkey]
get_String "" $dbkey $state 1

HTML_Row
HTML_Col
TEXT "Blacklist hosts"
HTML_Col
set dbkey "$sprefix:server:BlackLst"
set state [libdb get $myDb $dbkey]
get_String "" $dbkey $state 1

# Block all UDP before login (boolean).
HTML_Row
HTML_Col
TEXT "Block all UDP:"
HTML_Col
set dbkey "$sprefix:server:UDP"
set state [libdb get $myDb $dbkey]
HTML_Boolean "" $dbkey $state

HTML_EndTable
HTML_BR

# Nokia (NAAP) authentication section.
HTML "<B>"
TEXT "Nokia Authentication:"
HTML "</B>"
HELP "<b>Enable Nokia Authentication: </b>If Nokia authentication is enabled, select \"on\".<p><b>Minimum Registration Time: </b>Advertised minimum NAAP registration lifetime.<p><b>Maximum Registration Time: </b>Advertised maximum NAAP registration lifetime.<p><b>Timestamp Tolerance: </b>The amount of time (in seconds) the timestamp from NAAP client is allowed to be different from the current timestamp of the AC.<p><b>Client Timeout: </b>The amount of time AC waits for the client to reply before ending the authentication sequence.<p><b>Failure Timeout: </b>The amount of time AC remembers a failure has occured.<p><b>Forced first page: </b>Define the URL where the <b>first</b> HTTP connection of Nokia-authenticated client is redirected.<br>The default value is empty (= no redirection)."
HTML_Table ""

HTML_Row
HTML_Col
TEXT "Enable Nokia Authentication:"
HTML_Col
set dbkey "$sprefix:server:SimAuth"
set state [libdb get $myDb $dbkey]
HTML_Boolean "" $dbkey $state

# Integer timers, all in seconds. The first row carries the group label in
# its first cell; later rows leave that cell empty. An unset DB value is
# shown as the built-in fallback (the fallback is only a display default;
# it is not written to the DB here).
set group_label "Nokia Authentication parameters:"
foreach {label leaf fallback} {
    {Minimum registration time:} MinRegLifetime     120
    {Maximum registration time:} MaxRegLifetime     14400
    {Timestamp tolerance:}       TimestampTolerance 30
    {Client timeout:}            ClientTimeout      48
    {Failure timeout:}           FailureTimeout     48
} {
    HTML_Row
    HTML_Col
    if { $group_label != "" } {
        TEXT $group_label
        set group_label ""
    }
    HTML_Col
    TEXT $label
    HTML_Col
    set dbkey "$sprefix:server:$leaf"
    set state [libdb get $myDb $dbkey]
    if { $state == "" } {
        set state $fallback
    }
    get_Int "" $dbkey $state 1
    TEXT "seconds"
}

# Redirect target for the first HTTP connection of a Nokia-authenticated
# client; empty means no redirection.
HTML_Row
HTML_Col
TEXT "Forced first page"
HTML_Col
set dbkey "$sprefix:server:SimRedirect"
set state [libdb get $myDb $dbkey]
get_String "" $dbkey $state 1

HTML_EndTable
|