3 # FreeRADIUS "dialup" SQL Queries for the MySQL Dialect
5 # Safe characters list for sql queries. Everything else is replaced
6 # with their mime-encoded equivalents.
7 # The default list should be ok
8 #safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
10 #######################################################################
11 # Query config: Username
12 #######################################################################
13 # This is the username that will get substituted, escaped, and added
14 # as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used below
15 # everywhere a username substitution is needed so you you can be sure
16 # the username passed from the client is escaped properly.
18 # Uncomment the next line, if you want the sql_user_name to mean:
20 # Use Stripped-User-Name, if it's there.
21 # Else use User-Name, if it's there,
22 # Else use hard-coded string "DEFAULT" as the user name.
23 #sql_user_name = "%{Stripped-User-Name:-%{User-Name:-DEFAULT}}"
25 sql_user_name = "%{User-Name}"
27 #######################################################################
29 #######################################################################
30 # This is the default profile. It is found in SQL by group membership.
31 # That means that this profile must be a member of at least one group
32 # which will contain the corresponding check and reply items.
33 # This profile will be queried in the authorize section for every user.
34 # The point is to assign all users a default profile without having to
35 # manually add each one to a group that will contain the profile.
36 # The SQL module will also honor the User-Profile attribute. This
37 # attribute can be set anywhere in the authorize section (ie the users
38 # file). It is found exactly as the default profile is found.
39 # If it is set then it will *overwrite* the default profile setting.
40 # The idea is to select profiles based on checks on the incoming packets,
41 # not on user group membership. For example:
43 # DEFAULT Service-Type == Outbound-User, User-Profile := "outbound"
44 # DEFAULT Service-Type == Framed-User, User-Profile := "framed"
46 # By default the default_user_profile is not set
48 #default_user_profile = "DEFAULT"
50 #######################################################################
52 #######################################################################
53 # This query retrieves the radius clients
55 # 0. Row ID (currently unused)
56 # 1. Name (or IP address)
60 #######################################################################
62 nas_query = "SELECT id, nasname, shortname, type, secret FROM ${nas_table}"
64 #######################################################################
65 # Authorization Queries
66 #######################################################################
67 # These queries compare the check items for the user
68 # in ${authcheck_table} and setup the reply items in
69 # ${authreply_table}. You can use any query/tables
70 # you want, but the return data for each row MUST
71 # be in the following order:
73 # 0. Row ID (currently unused)
74 # 1. UserName/GroupName
77 # 4. Item Attr Operation
78 #######################################################################
79 # Use these for case sensitive usernames.
80 # authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
81 # FROM ${authcheck_table} \
82 # WHERE Username = BINARY '%{SQL-User-Name}' \
84 # authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \
85 # FROM ${authreply_table} \
86 # WHERE Username = BINARY '%{SQL-User-Name}' \
89 # The default queries are case insensitive. (for compatibility with
90 # older versions of FreeRADIUS)
91 authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
92 FROM ${authcheck_table} \
93 WHERE Username = '%{SQL-User-Name}' \
95 authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \
96 FROM ${authreply_table} \
97 WHERE Username = '%{SQL-User-Name}' \
100 # Use these for case sensitive usernames.
101 # group_membership_query = "SELECT GroupName \
102 # FROM ${usergroup_table} \
103 # WHERE UserName = BINARY '%{SQL-User-Name}' \
106 group_membership_query = "SELECT GroupName \
107 FROM ${usergroup_table} \
108 WHERE UserName = '%{SQL-User-Name}' \
111 authorize_group_check_query = "SELECT id, GroupName, Attribute, Value, op \
112 FROM ${groupcheck_table} \
113 WHERE GroupName = '%{Sql-Group}' \
115 authorize_group_reply_query = "SELECT id, GroupName, Attribute, Value, op \
116 FROM ${groupreply_table} \
117 WHERE GroupName = '%{Sql-Group}' \
120 #######################################################################
122 #######################################################################
123 # accounting_onoff_query - query for Accounting On/Off packets
124 # accounting_update_query - query for Accounting update packets
125 # accounting_update_query_alt - query for Accounting update packets
126 # (alternate in case first query fails)
127 # accounting_start_query - query for Accounting start packets
128 # accounting_start_query_alt - query for Accounting start packets
129 # (alternate in case first query fails)
130 # accounting_stop_query - query for Accounting stop packets
131 # accounting_stop_query_alt - query for Accounting start packets
132 # (alternate in case first query doesn't
133 # affect any existing rows in the table)
134 #######################################################################
135 accounting_onoff_query = "\
136 UPDATE ${acct_table1} \
138 AcctStopTime = '%S', \
139 AcctSessionTime = unix_timestamp('%S') - unix_timestamp(AcctStartTime), \
140 AcctTerminateCause = '%{Acct-Terminate-Cause}', \
141 AcctStopDelay = %{Acct-Delay-Time:-0} \
142 WHERE AcctSessionTime = 0 \
143 AND AcctStopTime = 0 \
144 AND NASIPAddress = '%{NAS-IP-Address}' \
145 AND AcctStartTime <= '%S'"
147 accounting_update_query = " \
148 UPDATE ${acct_table1} \
150 FramedIPAddress = '%{Framed-IP-Address}', \
151 AcctSessionTime = '%{Acct-Session-Time}', \
152 AcctInputOctets = '%{Acct-Input-Gigawords:-0}' << 32 | '%{Acct-Input-Octets:-0}', \
153 AcctOutputOctets = '%{Acct-Output-Gigawords:-0}' << 32 | '%{Acct-Output-Octets:-0}' \
154 WHERE AcctSessionId = '%{Acct-Session-Id}' \
155 AND UserName = '%{SQL-User-Name}' \
156 AND NASIPAddress = '%{NAS-IP-Address}'"
158 accounting_update_query_alt = " \
159 INSERT INTO ${acct_table1} \
160 (AcctSessionId, AcctUniqueId, UserName, \
161 Realm, NASIPAddress, NASPortId, \
162 NASPortType, AcctStartTime, AcctSessionTime, \
163 AcctAuthentic, ConnectInfo_start, AcctInputOctets, \
164 AcctOutputOctets, CalledStationId, CallingStationId, \
165 ServiceType, FramedProtocol, FramedIPAddress, \
168 ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', \
169 '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', \
170 '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}', \
171 '%{Acct-Authentic}', '', '%{Acct-Input-Gigawords:-0}' << 32 | '%{Acct-Input-Octets:-0}', \
172 '%{Acct-Output-Gigawords:-0}' << 32 | '%{Acct-Output-Octets:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', \
173 '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', \
176 accounting_start_query = " \
177 INSERT INTO ${acct_table1} \
178 (AcctSessionId, AcctUniqueId, UserName, \
179 Realm, NASIPAddress, NASPortId, \
180 NASPortType, AcctStartTime, AcctStopTime, \
181 AcctSessionTime, AcctAuthentic, ConnectInfo_start, \
182 ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, \
183 CalledStationId, CallingStationId, AcctTerminateCause, \
184 ServiceType, FramedProtocol, FramedIPAddress, \
185 AcctStartDelay, AcctStopDelay) \
187 ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', \
188 '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', \
189 '%{NAS-Port-Type}', '%S', '0', \
190 '0', '%{Acct-Authentic}', '%{Connect-Info}', \
192 '%{Called-Station-Id}', '%{Calling-Station-Id}', '', \
193 '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', \
194 '%{Acct-Delay-Time:-0}', '0')"
196 accounting_start_query_alt = " \
197 UPDATE ${acct_table1} SET \
198 AcctStartTime = '%S', \
199 AcctStartDelay = '%{Acct-Delay-Time:-0}', \
200 ConnectInfo_start = '%{Connect-Info}' \
201 WHERE AcctSessionId = '%{Acct-Session-Id}' \
202 AND UserName = '%{SQL-User-Name}' \
203 AND NASIPAddress = '%{NAS-IP-Address}'"
205 accounting_stop_query = " \
206 UPDATE ${acct_table2} SET \
207 AcctStopTime = '%S', \
208 AcctSessionTime = '%{Acct-Session-Time}', \
209 AcctInputOctets = '%{Acct-Input-Gigawords:-0}' << 32 | '%{Acct-Input-Octets:-0}', \
210 AcctOutputOctets = '%{Acct-Output-Gigawords:-0}' << 32 | '%{Acct-Output-Octets:-0}', \
211 AcctTerminateCause = '%{Acct-Terminate-Cause}', \
212 AcctStopDelay = '%{Acct-Delay-Time:-0}', \
213 ConnectInfo_stop = '%{Connect-Info}' \
214 WHERE AcctSessionId = '%{Acct-Session-Id}' \
215 AND UserName = '%{SQL-User-Name}' \
216 AND NASIPAddress = '%{NAS-IP-Address}'"
218 accounting_stop_query_alt = " \
219 INSERT INTO ${acct_table2} \
220 (AcctSessionId, AcctUniqueId, UserName, \
221 Realm, NASIPAddress, NASPortId, \
222 NASPortType, AcctStartTime, AcctStopTime, \
223 AcctSessionTime, AcctAuthentic, ConnectInfo_start, \
224 ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, \
225 CalledStationId, CallingStationId, AcctTerminateCause, \
226 ServiceType, FramedProtocol, FramedIPAddress, \
227 AcctStartDelay, AcctStopDelay) \
229 ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', \
230 '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', \
231 '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%S', \
232 '%{Acct-Session-Time}', '%{Acct-Authentic}', '', \
233 '%{Connect-Info}', '%{Acct-Input-Gigawords:-0}' << 32 | '%{Acct-Input-Octets:-0}', '%{Acct-Output-Gigawords:-0}' << 32 | '%{Acct-Output-Octets:-0}', \
234 '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', \
235 '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', \
236 '0', '%{Acct-Delay-Time:-0}')"
238 #######################################################################
239 # Simultaneous Use Checking Queries
240 #######################################################################
241 # simul_count_query - query for the number of current connections
242 # - If this is not defined, no simultaneouls use checking
243 # - will be performed by this module instance
244 # simul_verify_query - query to return details of current connections for verification
245 # - Leave blank or commented out to disable verification step
246 # - Note that the returned field order should not be changed.
247 #######################################################################
249 # Uncomment simul_count_query to enable simultaneous use checking
250 # simul_count_query = "SELECT COUNT(*) \
251 # FROM ${acct_table1} \
252 # WHERE UserName='%{SQL-User-Name}' \
253 # AND AcctStopTime = 0"
255 simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol \
256 FROM ${acct_table1} \
257 WHERE UserName='%{SQL-User-Name}' \
258 AND AcctStopTime = 0"
260 #######################################################################
261 # Authentication Logging Queries
262 #######################################################################
263 # postauth_query - Insert some info after authentication
264 #######################################################################
266 postauth_query = "INSERT INTO ${postauth_table} (id, user, pass, reply, date) \
267 VALUES ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', '%S')"