4 # Configuration for the SQL module, when using Postgresql.
6 # The database schema is available at:
8 # raddb/sql/postgresql/schema.sql
12 # Safe characters list for sql queries. Everything else is replaced
13 # with their mime-encoded equivalents.
14 # The default list should be ok
15 # safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
17 #######################################################################
18 # Query config: Username
19 #######################################################################
20 # This is the username that will get substituted, escaped, and added
21 # as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used
22 # below everywhere a username substitution is needed so you you can
23 # be sure the username passed from the client is escaped properly.
25 # Uncomment the next line, if you want the sql_user_name to mean:
27 # Use Stripped-User-Name, if it's there.
28 # Else use User-Name, if it's there,
29 # Else use hard-coded string "none" as the user name.
31 #sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}"
33 sql_user_name = "%{User-Name}"
35 #######################################################################
37 #######################################################################
38 # This is the default profile. It is found in SQL by group membership.
39 # That means that this profile must be a member of at least one group
40 # which will contain the corresponding check and reply items.
41 # This profile will be queried in the authorize section for every user.
42 # The point is to assign all users a default profile without having to
43 # manually add each one to a group that will contain the profile.
44 # The SQL module will also honor the User-Profile attribute. This
45 # attribute can be set anywhere in the authorize section (ie the users
46 # file). It is found exactly as the default profile is found.
47 # If it is set then it will *overwrite* the default profile setting.
48 # The idea is to select profiles based on checks on the incoming
49 # packets, not on user group membership. For example:
51 # DEFAULT Service-Type == Outbound-User, User-Profile := "outbound"
52 # DEFAULT Service-Type == Framed-User, User-Profile := "framed"
54 # By default the default_user_profile is not set
56 # default_user_profile = "DEFAULT"
58 #######################################################################
60 #######################################################################
61 # This query retrieves the radius clients
63 # 0. Row ID (currently unused)
64 # 1. Name (or IP address)
68 #######################################################################
70 nas_query = "SELECT id, nasname, shortname, type, secret FROM ${nas_table}"
72 #######################################################################
73 # Authorization Queries
74 #######################################################################
75 # These queries compare the check items for the user
76 # in ${authcheck_table} and setup the reply items in
77 # ${authreply_table}. You can use any query/tables
78 # you want, but the return data for each row MUST
79 # be in the following order:
81 # 0. Row ID (currently unused)
82 # 1. UserName/GroupName
85 # 4. Item Attr Operation
86 #######################################################################
88 # Use these for case insensitive usernames. WARNING: Slower queries!
89 # authorize_check_query = "SELECT id, UserName, Attribute, Value, Op \
90 # FROM ${authcheck_table} \
91 # WHERE LOWER(UserName) = LOWER('%{SQL-User-Name}') \
93 # authorize_reply_query = "SELECT id, UserName, Attribute, Value, Op \
94 # FROM ${authreply_table} \
95 # WHERE LOWER(UserName) = LOWER('%{SQL-User-Name}') \
98 authorize_check_query = "SELECT id, UserName, Attribute, Value, Op \
99 FROM ${authcheck_table} \
100 WHERE Username = '%{SQL-User-Name}' \
103 authorize_reply_query = "SELECT id, UserName, Attribute, Value, Op \
104 FROM ${authreply_table} \
105 WHERE Username = '%{SQL-User-Name}' \
108 # Use these for case insensitive usernames. WARNING: Slower queries!
109 # authorize_group_check_query = "SELECT ${groupcheck_table}.id, ${groupcheck_table}.GroupName, \
110 # ${groupcheck_table}.Attribute, ${groupcheck_table}.Value, ${groupcheck_table}.Op \
111 # FROM ${groupcheck_table}, ${usergroup_table} \
112 # WHERE LOWER(${usergroup_table}.UserName) = LOWER('%{SQL-User-Name}') AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName \
113 # ORDER BY ${groupcheck_table}.id"
114 # authorize_group_reply_query = "SELECT ${groupreply_table}.id, ${groupreply_table}.GroupName, \
115 # ${groupreply_table}.Attribute, ${groupreply_table}.Value, ${groupreply_table}.Op \
116 # FROM ${groupreply_table}, ${usergroup_table} \
117 # WHERE LOWER(${usergroup_table}.UserName) = LOWER('%{SQL-User-Name}') AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName \
118 # ORDER BY ${groupreply_table}.id"
120 authorize_group_check_query = "SELECT id, GroupName, Attribute, Value, op \
121 FROM ${groupcheck_table} \
122 WHERE GroupName = '%{Sql-Group}' \
125 authorize_group_reply_query = "SELECT id, GroupName, Attribute, Value, op \
126 FROM ${groupreply_table} \
127 WHERE GroupName = '%{Sql-Group}' \
130 #######################################################################
131 # Simultaneous Use Checking Queries
132 #######################################################################
133 # simul_count_query - query for the number of current connections
134 # - If this is not defined, no simultaneous use checking
135 # - will be performed by this module instance
136 # simul_verify_query - query to return details of current connections for verification
137 # - Leave blank or commented out to disable verification step
138 # - Note that the returned field order should not be changed.
139 #######################################################################
141 # Uncomment simul_count_query to enable simultaneous use checking
142 # simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime IS NULL"
143 # simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime IS NULL"
147 #######################################################################
149 #######################################################################
150 # accounting_onoff_query - query for Accounting On/Off packets
151 # accounting_update_query - query for Accounting update packets
152 # accounting_update_query_alt - query for Accounting update packets
153 # (alternate in case first query fails)
154 # accounting_start_query - query for Accounting start packets
155 # accounting_start_query_alt - query for Accounting start packets
156 # (alternate in case first query fails)
157 # accounting_stop_query - query for Accounting stop packets
158 # accounting_stop_query_alt - query for Accounting start packets
159 # (alternate in case first query doesn't
160 # affect any existing rows in the table)
161 #######################################################################
163 accounting_onoff_query = "UPDATE ${acct_table1} \
164 SET AcctStopTime = ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval), \
165 AcctSessionTime = (EXTRACT(EPOCH FROM ('%S'::timestamp with time zone - AcctStartTime::timestamp with time zone \
166 - '%{%{Acct-Delay-Time}:-0}'::interval)))::BIGINT, \
167 AcctTerminateCause = '%{Acct-Terminate-Cause}', \
169 WHERE AcctSessionTime IS NULL \
170 AND AcctStopTime IS NULL \
171 AND NASIPAddress= '%{NAS-IP-Address}' \
172 AND AcctStartTime <= '%S'::timestamp"
174 accounting_update_query = "UPDATE ${acct_table1} \
175 SET FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, \
176 AcctSessionTime = '%{Acct-Session-Time}', \
177 AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), \
178 AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint) \
179 WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' \
180 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStopTime IS NULL"
182 accounting_update_query_alt = "INSERT INTO ${acct_table1} \
183 (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, \
184 NASPortId, NASPortType, AcctStartTime, \
185 AcctSessionTime, AcctAuthentic, AcctInputOctets, \
186 AcctOutputOctets, CalledStationId, CallingStationId, \
187 ServiceType, FramedProtocol, FramedIPAddress, XAscendSessionSvrKey) \
188 VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \
189 '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{NAS-IP-Address}', \
190 %{%{NAS-Port}:-NULL}::integer, '%{NAS-Port-Type}', \
191 ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval - '%{%{Acct-Session-Time}:-0}'::interval), \
192 '%{Acct-Session-Time}', '%{Acct-Authentic}', \
193 (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), \
194 (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint), \
195 '%{Called-Station-Id}', \
196 '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', \
197 NULLIF('%{Framed-IP-Address}', '')::inet, '%{X-Ascend-Session-Svr-Key}')"
199 accounting_start_query = "INSERT INTO ${acct_table1} \
200 (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, \
201 NASPortId, NASPortType, AcctStartTime, AcctAuthentic, \
202 ConnectInfo_start, CalledStationId, CallingStationId, ServiceType, \
203 FramedProtocol, FramedIPAddress, AcctStartDelay, XAscendSessionSvrKey) \
204 VALUES('%{Acct-Session-Id}', \
205 '%{Acct-Unique-Session-Id}', \
206 '%{SQL-User-Name}', \
207 NULLIF('%{Realm}', ''), \
208 '%{NAS-IP-Address}', \
209 %{%{NAS-Port}:-NULL}::integer, \
210 '%{NAS-Port-Type}', \
211 ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval), \
212 '%{Acct-Authentic}', \
214 '%{Called-Station-Id}', \
215 '%{Calling-Station-Id}', \
217 '%{Framed-Protocol}', \
218 NULLIF('%{Framed-IP-Address}', '')::inet, \
220 '%{X-Ascend-Session-Svr-Key}')"
222 accounting_start_query_alt = "UPDATE ${acct_table1} \
223 SET AcctStartTime = ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval), \
224 AcctStartDelay = 0, \
225 ConnectInfo_start = '%{Connect-Info}' \
226 WHERE AcctSessionId = '%{Acct-Session-Id}' \
227 AND UserName = '%{SQL-User-Name}' \
228 AND NASIPAddress = '%{NAS-IP-Address}' \
229 AND AcctStopTime IS NULL"
231 accounting_stop_query = "UPDATE ${acct_table2} \
232 SET AcctStopTime = ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval), \
233 AcctSessionTime = CASE WHEN '%{Acct-Session-Time}' = '' THEN \
234 (EXTRACT(EPOCH FROM ('%S'::TIMESTAMP WITH TIME ZONE - AcctStartTime::TIMESTAMP WITH TIME ZONE \
235 - '%{%{Acct-Delay-Time}:-0}'::INTERVAL)))::BIGINT ELSE '%{Acct-Session-Time}' END, \
236 AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), \
237 AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint), \
238 AcctTerminateCause = '%{Acct-Terminate-Cause}', \
240 FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, \
241 ConnectInfo_stop = '%{Connect-Info}' \
242 WHERE AcctSessionId = '%{Acct-Session-Id}' \
243 AND UserName = '%{SQL-User-Name}' \
244 AND NASIPAddress = '%{NAS-IP-Address}' \
245 AND AcctStopTime IS NULL"
247 accounting_stop_query_alt = "INSERT INTO ${acct_table2} \
248 (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, \
249 AcctSessionTime, AcctAuthentic, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, \
250 CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStopDelay) \
251 values('%{Acct-Session-Id}', \
252 '%{Acct-Unique-Session-Id}', \
253 '%{SQL-User-Name}', \
254 NULLIF('%{Realm}', ''), \
255 '%{NAS-IP-Address}', \
256 %{%{NAS-Port}:-NULL}::integer, \
257 '%{NAS-Port-Type}', \
258 ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval - '%{%{Acct-Session-Time}:-0}'::interval), \
259 ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval), \
260 NULLIF('%{Acct-Session-Time}', '')::bigint, '%{Acct-Authentic}', \
262 (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), \
263 (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint), \
264 '%{Called-Station-Id}', \
265 '%{Calling-Station-Id}', \
266 '%{Acct-Terminate-Cause}', \
268 '%{Framed-Protocol}', \
269 NULLIF('%{Framed-IP-Address}', '')::inet, 0)"
271 #######################################################################
272 # Group Membership Queries
273 #######################################################################
274 # group_membership_query - Check user group membership
275 #######################################################################
277 # Use these for case insensitive usernames. WARNING: Slower queries!
278 # group_membership_query = "SELECT GroupName FROM ${usergroup_table} WHERE LOWER(UserName) = LOWER('%{SQL-User-Name}') ORDER BY priority"
280 group_membership_query = "SELECT GroupName FROM ${usergroup_table} WHERE UserName='%{SQL-User-Name}' ORDER BY priority"
282 #######################################################################
283 # Authentication Logging Queries
284 #######################################################################
285 # postauth_query - Insert some info after authentication
286 #######################################################################
287 postauth_query = "INSERT INTO ${postauth_table} (username, pass, reply, authdate) \
288 VALUES ('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', NOW())"