2 # Configuration for the SQL module, when using MySQL.
4 # The database schema is available at:
6 # src/radiusd/src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql
8 # If you are using PostgreSQL, please use 'postgresql.conf', instead.
9 # If you are using Oracle, please use 'oracle.conf', instead.
10 # If you are using MS-SQL, please use 'mssql.conf', instead.
17 # Current supported are: rlm_sql_mysql, rlm_sql_postgresql,
18 # rlm_sql_iodbc, rlm_sql_oracle, rlm_sql_unixodbc, rlm_sql_freetds
19 driver = "rlm_sql_mysql"
26 # Database table configuration
29 # If you want both stop and start records logged to the
30 # same SQL table, leave this as is. If you want them in
31 # different tables, put the start table in acct_table1
32 # and stop table in acct_table2
33 acct_table1 = "radacct"
34 acct_table2 = "radacct"
36 # Allow for storing data after authentication
37 postauth_table = "radpostauth"
39 authcheck_table = "radcheck"
40 authreply_table = "radreply"
42 groupcheck_table = "radgroupcheck"
43 groupreply_table = "radgroupreply"
45 usergroup_table = "usergroup"
47 # Table to keep radius client info
50 # Remove stale session if checkrad does not see a double login
51 deletestalesessions = yes
53 # Print all SQL statements when in debug mode (-x)
55 sqltracefile = ${logdir}/sqltrace.sql
57 # number of sql connections to make to server
60 # number of seconds to dely retrying on a failed database
61 # connection (per_socket)
62 connect_failure_retry_delay = 60
64 # Safe characters list for sql queries. Everything else is replaced
65 # with their mime-encoded equivalents.
66 # The default list should be ok
67 #safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
69 #######################################################################
70 # Query config: Username
71 #######################################################################
72 # This is the username that will get substituted, escaped, and added
73 # as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used below
74 # everywhere a username substitution is needed so you you can be sure
75 # the username passed from the client is escaped properly.
77 # Uncomment the next line, if you want the sql_user_name to mean:
79 # Use Stripped-User-Name, if it's there.
80 # Else use User-Name, if it's there,
81 # Else use hard-coded string "DEFAULT" as the user name.
82 #sql_user_name = "%{Stripped-User-Name:-%{User-Name:-DEFAULT}}"
84 sql_user_name = "%{User-Name}"
86 #######################################################################
88 #######################################################################
89 # This is the default profile. It is found in SQL by group membership.
90 # That means that this profile must be a member of at least one group
91 # which will contain the corresponding check and reply items.
92 # This profile will be queried in the authorize section for every user.
93 # The point is to assign all users a default profile without having to
94 # manually add each one to a group that will contain the profile.
95 # The SQL module will also honor the User-Profile attribute. This
96 # attribute can be set anywhere in the authorize section (ie the users
97 # file). It is found exactly as the default profile is found.
98 # If it is set then it will *overwrite* the default profile setting.
99 # The idea is to select profiles based on checks on the incoming packets,
100 # not on user group membership. For example:
102 # DEFAULT Service-Type == Outbound-User, User-Profile := "outbound"
103 # DEFAULT Service-Type == Framed-User, User-Profile := "framed"
105 # By default the default_user_profile is not set
107 #default_user_profile = "DEFAULT"
110 #######################################################################
112 #######################################################################
113 # This query retrieves the radius clients
115 # 0. Row ID (currently unused)
116 # 1. Name (or IP address)
120 #######################################################################
122 nas_query = "SELECT id, nasname, shortname, type, secret FROM ${nas_table}"
124 #######################################################################
125 # Authorization Queries
126 #######################################################################
127 # These queries compare the check items for the user
128 # in ${authcheck_table} and setup the reply items in
129 # ${authreply_table}. You can use any query/tables
130 # you want, but the return data for each row MUST
131 # be in the following order:
133 # 0. Row ID (currently unused)
134 # 1. UserName/GroupName
137 # 4. Item Attr Operation
138 #######################################################################
139 # Use these for case sensitive usernames. WARNING: Slower queries!
140 # authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE STRCMP(Username, '%{SQL-User-Name}') = 0 ORDER BY id"
141 # authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM ${authreply_table} WHERE STRCMP(Username, '%{SQL-User-Name}') = 0 ORDER BY id"
143 authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"
144 authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM ${authreply_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"
146 # Use these for case sensitive usernames. WANRING: Slower queries!
147 # authorize_group_check_query = "SELECT id,GroupName,Attribute,Value,op FROM ${groupcheck_table} WHERE STRCMP(GroupName, '%{Sql-Group}') = 0 ORDER BY id"
148 # authorize_group_reply_query = "SELECT id,GroupName,Attribute,Value,op FROM ${groupreply_table} WHERE STRCMP(GroupName, '%{Sql-Group}') = 0 ORDER BY id"
150 authorize_group_check_query = "SELECT id,GroupName,Attribute,Value,op FROM ${groupcheck_table} WHERE GroupName = '%{Sql-Group}' ORDER BY id"
151 authorize_group_reply_query = "SELECT id,GroupName,Attribute,Value,op FROM ${groupreply_table} WHERE GroupName = '%{Sql-Group}' ORDER BY id"
154 #######################################################################
156 #######################################################################
157 # accounting_onoff_query - query for Accounting On/Off packets
158 # accounting_update_query - query for Accounting update packets
159 # accounting_update_query_alt - query for Accounting update packets
160 # (alternate in case first query fails)
161 # accounting_start_query - query for Accounting start packets
162 # accounting_start_query_alt - query for Accounting start packets
163 # (alternate in case first query fails)
164 # accounting_stop_query - query for Accounting stop packets
165 # accounting_stop_query_alt - query for Accounting start packets
166 # (alternate in case first query doesn't
167 # affect any existing rows in the table)
168 #######################################################################
169 accounting_onoff_query = "UPDATE ${acct_table1} SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = %{Acct-Delay-Time} WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'"
171 accounting_update_query = "UPDATE ${acct_table1} \
172 SET FramedIPAddress = '%{Framed-IP-Address}', \
173 AcctSessionTime = '%{Acct-Session-Time}', \
174 AcctInputOctets = '%{Acct-Input-Octets}', \
175 AcctOutputOctets = '%{Acct-Output-Octets}' \
176 WHERE AcctSessionId = '%{Acct-Session-Id}' \
177 AND UserName = '%{SQL-User-Name}' \
178 AND NASIPAddress= '%{NAS-IP-Address}'"
180 accounting_update_query_alt = "INSERT into ${acct_table1} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0')"
182 accounting_start_query = "INSERT into ${acct_table1} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')"
184 accounting_start_query_alt = "UPDATE ${acct_table1} SET AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
186 accounting_stop_query = "UPDATE ${acct_table2} SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
188 accounting_stop_query_alt = "INSERT into ${acct_table2} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')"
190 #######################################################################
191 # Simultaneous Use Checking Queries
192 #######################################################################
193 # simul_count_query - query for the number of current connections
194 # - If this is not defined, no simultaneouls use checking
195 # - will be performed by this module instance
196 # simul_verify_query - query to return details of current connections for verification
197 # - Leave blank or commented out to disable verification step
198 # - Note that the returned field order should not be changed.
199 #######################################################################
201 # Uncomment simul_count_query to enable simultaneous use checking
202 # simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
203 simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
205 #######################################################################
206 # Group Membership Queries
207 #######################################################################
208 # group_membership_query - Check user group membership
209 #######################################################################
211 group_membership_query = "SELECT GroupName FROM ${usergroup_table} WHERE UserName='%{SQL-User-Name}' ORDER BY priority"
214 # If set to 'yes' (default) we read the group tables
215 # If set to 'no' the user MUST have Fall-Through = Yes in the radreply table
218 #######################################################################
219 # Authentication Logging Queries
220 #######################################################################
221 # postauth_query - Insert some info after authentication
222 #######################################################################
224 postauth_query = "INSERT into ${postauth_table} (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())"
227 # Set to 'yes' to read radius clients from the database ('nas' table)