2 # Configuration for the SQL module, when using MySQL.
4 # The database schema is available at:
6 # doc/examples/mysql.sql
8 # If you are using PostgreSQL, please use 'postgresql.conf', instead.
9 # If you are using Oracle, please use 'oracle.conf', instead.
10 # If you are using MS-SQL, please use 'mssql.conf', instead.
16 # Current supported are: rlm_sql_mysql, rlm_sql_postgresql,
17 # rlm_sql_iodbc, rlm_sql_oracle, rlm_sql_unixodbc, rlm_sql_freetds
18 driver = "rlm_sql_mysql"
25 # Database table configuration
28 # If you want both stop and start records logged to the
29 # same SQL table, leave this as is. If you want them in
30 # different tables, put the start table in acct_table1
31 # and stop table in acct_table2
32 acct_table1 = "radacct"
33 acct_table2 = "radacct"
35 # Allow for storing data after authentication
36 postauth_table = "radpostauth"
38 authcheck_table = "radcheck"
39 authreply_table = "radreply"
41 groupcheck_table = "radgroupcheck"
42 groupreply_table = "radgroupreply"
44 usergroup_table = "usergroup"
46 # Table to keep radius client info
49 # Remove stale session if checkrad does not see a double login
50 deletestalesessions = yes
52 # Print all SQL statements when in debug mode (-x)
54 sqltracefile = ${logdir}/sqltrace.sql
56 # number of sql connections to make to server
59 # number of seconds to dely retrying on a failed database
60 # connection (per_socket)
61 connect_failure_retry_delay = 60
63 # Safe characters list for sql queries. Everything else is replaced
64 # with their mime-encoded equivalents.
65 # The default list should be ok
66 #safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
68 #######################################################################
69 # Query config: Username
70 #######################################################################
71 # This is the username that will get substituted, escaped, and added
72 # as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used below
73 # everywhere a username substitution is needed so you you can be sure
74 # the username passed from the client is escaped properly.
76 # Uncomment the next line, if you want the sql_user_name to mean:
78 # Use Stripped-User-Name, if it's there.
79 # Else use User-Name, if it's there,
80 # Else use hard-coded string "DEFAULT" as the user name.
81 #sql_user_name = "%{Stripped-User-Name:-%{User-Name:-DEFAULT}}"
83 sql_user_name = "%{User-Name}"
85 #######################################################################
87 #######################################################################
88 # This is the default profile. It is found in SQL by group membership.
89 # That means that this profile must be a member of at least one group
90 # which will contain the corresponding check and reply items.
91 # This profile will be queried in the authorize section for every user.
92 # The point is to assign all users a default profile without having to
93 # manually add each one to a group that will contain the profile.
94 # The SQL module will also honor the User-Profile attribute. This
95 # attribute can be set anywhere in the authorize section (ie the users
96 # file). It is found exactly as the default profile is found.
97 # If it is set then it will *overwrite* the default profile setting.
98 # The idea is to select profiles based on checks on the incoming packets,
99 # not on user group membership. For example:
101 # DEFAULT Service-Type == Outbound-User, User-Profile := "outbound"
102 # DEFAULT Service-Type == Framed-User, User-Profile := "framed"
104 # By default the default_user_profile is not set
106 #default_user_profile = "DEFAULT"
108 # Determines if we will query the default_user_profile or the User-Profile
109 # if the user is not found. If the profile is found then we consider the user
110 # found. By default this is set to 'no'.
112 #query_on_not_found = no
114 #######################################################################
115 # Authorization Queries
116 #######################################################################
117 # These queries compare the check items for the user
118 # in ${authcheck_table} and setup the reply items in
119 # ${authreply_table}. You can use any query/tables
120 # you want, but the return data for each row MUST
121 # be in the following order:
123 # 0. Row ID (currently unused)
124 # 1. UserName/GroupName
127 # 4. Item Attr Operation
128 #######################################################################
129 # Use these for case sensitive usernames.
130 # authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
131 # FROM ${authcheck_table} \
132 # WHERE Username = BINARY '%{SQL-User-Name}' \
134 # authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \
135 # FROM ${authreply_table} \
136 # WHERE Username = BINARY '%{SQL-User-Name}' \
139 # The default queries are case insensitive. (for compatibility with
140 # older versions of FreeRADIUS)
141 authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
142 FROM ${authcheck_table} \
143 WHERE Username = '%{SQL-User-Name}' \
145 authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \
146 FROM ${authreply_table} \
147 WHERE Username = '%{SQL-User-Name}' \
150 # Use these for case sensitive usernames.
151 # authorize_group_check_query = "SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op FROM ${groupcheck_table},${usergroup_table} WHERE ${usergroup_table}.Username = BINARY '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY ${groupcheck_table}.id"
152 # authorize_group_reply_query = "SELECT ${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op FROM ${groupreply_table},${usergroup_table} WHERE ${usergroup_table}.Username = BINARY '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName ORDER BY ${groupreply_table}.id"
154 authorize_group_check_query = "SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op FROM ${groupcheck_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY ${groupcheck_table}.id"
155 authorize_group_reply_query = "SELECT ${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op FROM ${groupreply_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName ORDER BY ${groupreply_table}.id"
157 #######################################################################
159 #######################################################################
160 # accounting_onoff_query - query for Accounting On/Off packets
161 # accounting_update_query - query for Accounting update packets
162 # accounting_update_query_alt - query for Accounting update packets
163 # (alternate in case first query fails)
164 # accounting_start_query - query for Accounting start packets
165 # accounting_start_query_alt - query for Accounting start packets
166 # (alternate in case first query fails)
167 # accounting_stop_query - query for Accounting stop packets
168 # accounting_stop_query_alt - query for Accounting start packets
169 # (alternate in case first query doesn't
170 # affect any existing rows in the table)
171 #######################################################################
172 accounting_onoff_query = "UPDATE ${acct_table1} SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'"
174 accounting_update_query = " \
175 UPDATE ${acct_table1} \
177 FramedIPAddress = '%{Framed-IP-Address}', \
178 AcctSessionTime = '%{Acct-Session-Time}', \
179 AcctInputOctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | \
180 '%{%{Acct-Input-Octets}:-0}', \
181 AcctOutputOctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | \
182 '%{%{Acct-Output-Octets}:-0}' \
183 WHERE AcctSessionId = '%{Acct-Session-Id}' \
184 AND UserName = '%{SQL-User-Name}' \
185 AND NASIPAddress = '%{NAS-IP-Address}'"
188 accounting_update_query_alt = " \
189 INSERT INTO ${acct_table1} \
190 (AcctSessionId, AcctUniqueId, UserName, \
191 Realm, NASIPAddress, NASPortId, \
192 NASPortType, AcctStartTime, AcctSessionTime, \
193 AcctAuthentic, ConnectInfo_start, AcctInputOctets, \
194 AcctOutputOctets, CalledStationId, CallingStationId, \
195 ServiceType, FramedProtocol, FramedIPAddress, \
196 AcctStartDelay, XAscendSessionSvrKey) \
198 ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \
199 '%{SQL-User-Name}', \
200 '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', \
201 '%{NAS-Port-Type}', \
203 INTERVAL (%{%{Acct-Session-Time}:-0} + \
204 %{%{Acct-Delay-Time}:-0}) SECOND), \
205 '%{Acct-Session-Time}', \
206 '%{Acct-Authentic}', '', \
207 '%{%{Acct-Input-Gigawords}:-0}' << 32 | \
208 '%{%{Acct-Input-Octets}:-0}', \
209 '%{%{Acct-Output-Gigawords}:-0}' << 32 | \
210 '%{%{Acct-Output-Octets}:-0}', \
211 '%{Called-Station-Id}', '%{Calling-Station-Id}', \
212 '%{Service-Type}', '%{Framed-Protocol}', \
213 '%{Framed-IP-Address}', \
214 '0', '%{X-Ascend-Session-Svr-Key}')"
217 accounting_start_query = " \
218 INSERT INTO ${acct_table1} \
219 (AcctSessionId, AcctUniqueId, UserName, \
220 Realm, NASIPAddress, NASPortId, \
221 NASPortType, AcctStartTime, AcctStopTime, \
222 AcctSessionTime, AcctAuthentic, ConnectInfo_start, \
223 ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, \
224 CalledStationId, CallingStationId, AcctTerminateCause, \
225 ServiceType, FramedProtocol, FramedIPAddress, \
226 AcctStartDelay, AcctStopDelay, XAscendSessionSvrKey) \
228 ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \
229 '%{SQL-User-Name}', \
230 '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', \
231 '%{NAS-Port-Type}', '%S', '0', \
232 '0', '%{Acct-Authentic}', '%{Connect-Info}', \
234 '%{Called-Station-Id}', '%{Calling-Station-Id}', '', \
235 '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', \
236 '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')"
238 accounting_start_query_alt = "UPDATE ${acct_table1} SET AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
241 accounting_stop_query = " \
242 UPDATE ${acct_table2} SET \
243 AcctStopTime = '%S', \
244 AcctSessionTime = '%{Acct-Session-Time}', \
245 AcctInputOctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | \
246 '%{%{Acct-Input-Octets}:-0}', \
247 AcctOutputOctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | \
248 '%{%{Acct-Output-Octets}:-0}', \
249 AcctTerminateCause = '%{Acct-Terminate-Cause}', \
250 AcctStopDelay = '%{%{Acct-Delay-Time}:-0}', \
251 ConnectInfo_stop = '%{Connect-Info}' \
252 WHERE AcctSessionId = '%{Acct-Session-Id}' \
253 AND UserName = '%{SQL-User-Name}' \
254 AND NASIPAddress = '%{NAS-IP-Address}'"
257 accounting_stop_query_alt = " \
258 INSERT INTO ${acct_table2} \
259 (AcctSessionId, AcctUniqueId, UserName, \
260 Realm, NASIPAddress, NASPortId, \
261 NASPortType, AcctStartTime, AcctStopTime, \
262 AcctSessionTime, AcctAuthentic, ConnectInfo_start, \
263 ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, \
264 CalledStationId, CallingStationId, AcctTerminateCause, \
265 ServiceType, FramedProtocol, FramedIPAddress, \
266 AcctStartDelay, AcctStopDelay) \
268 ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \
269 '%{SQL-User-Name}', \
270 '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', \
271 '%{NAS-Port-Type}', \
273 INTERVAL (%{%{Acct-Session-Time}:-0} + \
274 %{%{Acct-Delay-Time}:-0}) SECOND), \
275 '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', \
277 '%{%{Acct-Input-Gigawords}:-0}' << 32 | \
278 '%{%{Acct-Input-Octets}:-0}', \
279 '%{%{Acct-Output-Gigawords}:-0}' << 32 | \
280 '%{%{Acct-Output-Octets}:-0}', \
281 '%{Called-Station-Id}', '%{Calling-Station-Id}', \
282 '%{Acct-Terminate-Cause}', \
283 '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', \
284 '0', '%{%{Acct-Delay-Time}:-0}')"
287 #######################################################################
288 # Simultaneous Use Checking Queries
289 #######################################################################
290 # simul_count_query - query for the number of current connections
291 # - If this is not defined, no simultaneouls use checking
292 # - will be performed by this module instance
293 # simul_verify_query - query to return details of current connections for verification
294 # - Leave blank or commented out to disable verification step
295 # - Note that the returned field order should not be changed.
296 #######################################################################
298 # Uncomment simul_count_query to enable simultaneous use checking
299 #simul_count_query = "SELECT COUNT(*) \
300 #FROM ${acct_table1} \
301 #WHERE UserName='%{SQL-User-Name}' \
302 #AND AcctStopTime = 0"
304 simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, \
305 NASIPAddress, NASPortId, FramedIPAddress, \
306 CallingStationId, FramedProtocol \
307 FROM ${acct_table1} \
308 WHERE UserName='%{SQL-User-Name}' \
309 AND AcctStopTime = 0"
311 #######################################################################
312 # Group Membership Queries
313 #######################################################################
314 # group_membership_query - Check user group membership
315 #######################################################################
317 group_membership_query = "SELECT GroupName FROM ${usergroup_table} WHERE UserName='%{SQL-User-Name}'"
319 #######################################################################
320 # Authentication Logging Queries
321 #######################################################################
322 # postauth_query - Insert some info after authentication
323 #######################################################################
325 postauth_query = "INSERT into ${postauth_table} (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())"
328 # Set to 'yes' to read radius clients from the database ('nas' table)