3 ## dialup.conf -- PostgreSQL configuration for default schema (schema.sql)
7 # Safe characters list for sql queries. Everything else is replaced
8 # with their mime-encoded equivalents.
9 # The default list should be ok
10 # safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
12 #######################################################################
13 # Query config: Username
14 #######################################################################
15 # This is the username that will get substituted, escaped, and added
16 # as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used
17 # below everywhere a username substitution is needed so you you can
18 # be sure the username passed from the client is escaped properly.
20 # Uncomment the next line, if you want the sql_user_name to mean:
22 # Use Stripped-User-Name, if it's there.
23 # Else use User-Name, if it's there,
24 # Else use hard-coded string "none" as the user name.
26 #sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}"
28 sql_user_name = "%{User-Name}"
30 #######################################################################
32 #######################################################################
33 # This is the default profile. It is found in SQL by group membership.
34 # That means that this profile must be a member of at least one group
35 # which will contain the corresponding check and reply items.
36 # This profile will be queried in the authorize section for every user.
37 # The point is to assign all users a default profile without having to
38 # manually add each one to a group that will contain the profile.
39 # The SQL module will also honor the User-Profile attribute. This
40 # attribute can be set anywhere in the authorize section (ie the users
41 # file). It is found exactly as the default profile is found.
42 # If it is set then it will *overwrite* the default profile setting.
43 # The idea is to select profiles based on checks on the incoming
44 # packets, not on user group membership. For example:
46 # DEFAULT Service-Type == Outbound-User, User-Profile := "outbound"
47 # DEFAULT Service-Type == Framed-User, User-Profile := "framed"
49 # By default the default_user_profile is not set
51 # default_user_profile = "DEFAULT"
53 #######################################################################
55 #######################################################################
56 # This query retrieves the radius clients
58 # 0. Row ID (currently unused)
59 # 1. Name (or IP address)
64 #######################################################################
66 nas_query = "SELECT id, nasname, shortname, type, secret, server FROM ${nas_table}"
68 #######################################################################
69 # Authorization Queries
70 #######################################################################
71 # These queries compare the check items for the user
72 # in ${authcheck_table} and setup the reply items in
73 # ${authreply_table}. You can use any query/tables
74 # you want, but the return data for each row MUST
75 # be in the following order:
77 # 0. Row ID (currently unused)
78 # 1. UserName/GroupName
81 # 4. Item Attr Operation
82 #######################################################################
84 # Use these for case insensitive usernames. WARNING: Slower queries!
85 # authorize_check_query = "SELECT id, UserName, Attribute, Value, Op \
86 # FROM ${authcheck_table} \
87 # WHERE LOWER(UserName) = LOWER('%{SQL-User-Name}') \
89 # authorize_reply_query = "SELECT id, UserName, Attribute, Value, Op \
90 # FROM ${authreply_table} \
91 # WHERE LOWER(UserName) = LOWER('%{SQL-User-Name}') \
94 authorize_check_query = "SELECT id, UserName, Attribute, Value, Op \
95 FROM ${authcheck_table} \
96 WHERE Username = '%{SQL-User-Name}' \
99 authorize_reply_query = "SELECT id, UserName, Attribute, Value, Op \
100 FROM ${authreply_table} \
101 WHERE Username = '%{SQL-User-Name}' \
104 # Use these for case insensitive usernames. WARNING: Slower queries!
105 # authorize_group_check_query = "SELECT ${groupcheck_table}.id, ${groupcheck_table}.GroupName, \
106 # ${groupcheck_table}.Attribute, ${groupcheck_table}.Value, ${groupcheck_table}.Op \
107 # FROM ${groupcheck_table}, ${usergroup_table} \
108 # WHERE LOWER(${usergroup_table}.UserName) = LOWER('%{SQL-User-Name}') AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName \
109 # ORDER BY ${groupcheck_table}.id"
110 # authorize_group_reply_query = "SELECT ${groupreply_table}.id, ${groupreply_table}.GroupName, \
111 # ${groupreply_table}.Attribute, ${groupreply_table}.Value, ${groupreply_table}.Op \
112 # FROM ${groupreply_table}, ${usergroup_table} \
113 # WHERE LOWER(${usergroup_table}.UserName) = LOWER('%{SQL-User-Name}') AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName \
114 # ORDER BY ${groupreply_table}.id"
116 authorize_group_check_query = "SELECT id, GroupName, Attribute, Value, op \
117 FROM ${groupcheck_table} \
118 WHERE GroupName = '%{Sql-Group}' \
121 authorize_group_reply_query = "SELECT id, GroupName, Attribute, Value, op \
122 FROM ${groupreply_table} \
123 WHERE GroupName = '%{Sql-Group}' \
126 #######################################################################
127 # Simultaneous Use Checking Queries
128 #######################################################################
129 # simul_count_query - query for the number of current connections
130 # - If this is not defined, no simultaneous use checking
131 # - will be performed by this module instance
132 # simul_verify_query - query to return details of current connections for verification
133 # - Leave blank or commented out to disable verification step
134 # - Note that the returned field order should not be changed.
135 #######################################################################
137 # Uncomment simul_count_query to enable simultaneous use checking
138 # simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime IS NULL"
139 # simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime IS NULL"
143 #######################################################################
145 #######################################################################
146 # accounting_onoff_query - query for Accounting On/Off packets
147 # accounting_update_query - query for Accounting update packets
148 # accounting_update_query_alt - query for Accounting update packets
149 # (alternate in case first query fails)
150 # accounting_start_query - query for Accounting start packets
151 # accounting_start_query_alt - query for Accounting start packets
152 # (alternate in case first query fails)
153 # accounting_stop_query - query for Accounting stop packets
154 # accounting_stop_query_alt - query for Accounting start packets
155 # (alternate in case first query doesn't
156 # affect any existing rows in the table)
157 #######################################################################
159 accounting_onoff_query = "UPDATE ${acct_table1} \
160 SET AcctStopTime = ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval), \
161 AcctSessionTime = (EXTRACT(EPOCH FROM ('%S'::timestamp with time zone - AcctStartTime::timestamp with time zone \
162 - '%{%{Acct-Delay-Time}:-0}'::interval)))::BIGINT, \
163 AcctTerminateCause = '%{Acct-Terminate-Cause}', \
165 WHERE AcctStopTime IS NULL \
166 AND NASIPAddress= '%{NAS-IP-Address}' \
167 AND AcctStartTime <= '%S'::timestamp"
169 accounting_update_query = "UPDATE ${acct_table1} \
170 SET FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, \
171 AcctSessionTime = '%{Acct-Session-Time}', \
172 AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), \
173 AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint) \
174 WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' \
175 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStopTime IS NULL"
177 accounting_update_query_alt = "INSERT INTO ${acct_table1} \
178 (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, \
179 NASPortId, NASPortType, AcctStartTime, \
180 AcctSessionTime, AcctAuthentic, AcctInputOctets, \
181 AcctOutputOctets, CalledStationId, CallingStationId, \
182 ServiceType, FramedProtocol, FramedIPAddress, XAscendSessionSvrKey) \
183 VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \
184 '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{NAS-IP-Address}', \
185 %{%{NAS-Port}:-NULL}, '%{NAS-Port-Type}', \
186 ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval - '%{%{Acct-Session-Time}:-0}'::interval), \
187 '%{Acct-Session-Time}', '%{Acct-Authentic}', \
188 (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), \
189 (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint), \
190 '%{Called-Station-Id}', \
191 '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', \
192 NULLIF('%{Framed-IP-Address}', '')::inet, '%{X-Ascend-Session-Svr-Key}')"
194 accounting_start_query = "INSERT INTO ${acct_table1} \
195 (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, \
196 NASPortId, NASPortType, AcctStartTime, AcctAuthentic, \
197 ConnectInfo_start, CalledStationId, CallingStationId, ServiceType, \
198 FramedProtocol, FramedIPAddress, AcctStartDelay, XAscendSessionSvrKey) \
199 VALUES('%{Acct-Session-Id}', \
200 '%{Acct-Unique-Session-Id}', \
201 '%{SQL-User-Name}', \
202 NULLIF('%{Realm}', ''), \
203 '%{NAS-IP-Address}', \
204 %{%{NAS-Port}:-NULL}, \
205 '%{NAS-Port-Type}', \
206 ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval), \
207 '%{Acct-Authentic}', \
209 '%{Called-Station-Id}', \
210 '%{Calling-Station-Id}', \
212 '%{Framed-Protocol}', \
213 NULLIF('%{Framed-IP-Address}', '')::inet, \
215 '%{X-Ascend-Session-Svr-Key}')"
217 accounting_start_query_alt = "UPDATE ${acct_table1} \
218 SET AcctStartTime = ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval), \
219 AcctStartDelay = 0, \
220 ConnectInfo_start = '%{Connect-Info}' \
221 WHERE AcctSessionId = '%{Acct-Session-Id}' \
222 AND UserName = '%{SQL-User-Name}' \
223 AND NASIPAddress = '%{NAS-IP-Address}' \
224 AND AcctStopTime IS NULL"
226 accounting_stop_query = "UPDATE ${acct_table2} \
227 SET AcctStopTime = ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval), \
228 AcctSessionTime = CASE WHEN '%{Acct-Session-Time}' = '' THEN \
229 (EXTRACT(EPOCH FROM ('%S'::TIMESTAMP WITH TIME ZONE - AcctStartTime::TIMESTAMP WITH TIME ZONE \
230 - '%{%{Acct-Delay-Time}:-0}'::INTERVAL)))::BIGINT \
231 ELSE NULLIF('%{Acct-Session-Time}','')::BIGINT END, \
232 AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), \
233 AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint), \
234 AcctTerminateCause = '%{Acct-Terminate-Cause}', \
236 FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, \
237 ConnectInfo_stop = '%{Connect-Info}' \
238 WHERE AcctSessionId = '%{Acct-Session-Id}' \
239 AND UserName = '%{SQL-User-Name}' \
240 AND NASIPAddress = '%{NAS-IP-Address}' \
241 AND AcctStopTime IS NULL"
243 accounting_stop_query_alt = "INSERT INTO ${acct_table2} \
244 (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, \
245 AcctSessionTime, AcctAuthentic, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, \
246 CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStopDelay) \
247 values('%{Acct-Session-Id}', \
248 '%{Acct-Unique-Session-Id}', \
249 '%{SQL-User-Name}', \
250 NULLIF('%{Realm}', ''), \
251 '%{NAS-IP-Address}', \
252 %{%{NAS-Port}:-NULL}, \
253 '%{NAS-Port-Type}', \
254 ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval - '%{%{Acct-Session-Time}:-0}'::interval), \
255 ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval), \
256 NULLIF('%{Acct-Session-Time}', '')::bigint, '%{Acct-Authentic}', \
258 (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), \
259 (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint), \
260 '%{Called-Station-Id}', \
261 '%{Calling-Station-Id}', \
262 '%{Acct-Terminate-Cause}', \
264 '%{Framed-Protocol}', \
265 NULLIF('%{Framed-IP-Address}', '')::inet, 0)"
267 #######################################################################
268 # Group Membership Queries
269 #######################################################################
270 # group_membership_query - Check user group membership
271 #######################################################################
273 # Use these for case insensitive usernames. WARNING: Slower queries!
274 # group_membership_query = "SELECT GroupName FROM ${usergroup_table} WHERE LOWER(UserName) = LOWER('%{SQL-User-Name}') ORDER BY priority"
276 group_membership_query = "SELECT GroupName FROM ${usergroup_table} WHERE UserName='%{SQL-User-Name}' ORDER BY priority"
278 #######################################################################
279 # Authentication Logging Queries
280 #######################################################################
281 # postauth_query - Insert some info after authentication
282 #######################################################################
283 postauth_query = "INSERT INTO ${postauth_table} (username, pass, reply, authdate) \
284 VALUES ('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', NOW())"