| 1279 |
richard |
1 |
# -*- text -*-
|
|
|
2 |
##
|
| 2438 |
richard |
3 |
## query.conf -- MySQL configuration for default schema (schema.sql)
|
| 1279 |
richard |
4 |
##
|
|
|
5 |
|
|
|
6 |
# Safe characters list for sql queries. Everything else is replaced
|
|
|
7 |
# with their mime-encoded equivalents.
|
| 2438 |
richard |
8 |
# The default list should be ok (define in 'expr' module
|
| 1279 |
richard |
9 |
#safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
|
|
|
10 |
|
|
|
11 |
#######################################################################
|
|
|
12 |
# Query config: Username
|
|
|
13 |
#######################################################################
|
|
|
14 |
# This is the username that will get substituted, escaped, and added
|
|
|
15 |
# as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used below
|
|
|
16 |
# everywhere a username substitution is needed so you you can be sure
|
|
|
17 |
# the username passed from the client is escaped properly.
|
|
|
18 |
#
|
|
|
19 |
# Uncomment the next line, if you want the sql_user_name to mean:
|
|
|
20 |
#
|
|
|
21 |
# Use Stripped-User-Name, if it's there.
|
|
|
22 |
# Else use User-Name, if it's there,
|
|
|
23 |
# Else use hard-coded string "DEFAULT" as the user name.
|
|
|
24 |
#sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}"
|
|
|
25 |
#
|
|
|
26 |
sql_user_name = "%{User-Name}"
|
|
|
27 |
|
|
|
28 |
#######################################################################
|
|
|
29 |
# Default profile
|
|
|
30 |
#######################################################################
|
|
|
31 |
# This is the default profile. It is found in SQL by group membership.
|
|
|
32 |
# That means that this profile must be a member of at least one group
|
|
|
33 |
# which will contain the corresponding check and reply items.
|
|
|
34 |
# This profile will be queried in the authorize section for every user.
|
|
|
35 |
# The point is to assign all users a default profile without having to
|
|
|
36 |
# manually add each one to a group that will contain the profile.
|
|
|
37 |
# The SQL module will also honor the User-Profile attribute. This
|
|
|
38 |
# attribute can be set anywhere in the authorize section (ie the users
|
|
|
39 |
# file). It is found exactly as the default profile is found.
|
|
|
40 |
# If it is set then it will *overwrite* the default profile setting.
|
|
|
41 |
# The idea is to select profiles based on checks on the incoming packets,
|
|
|
42 |
# not on user group membership. For example:
|
|
|
43 |
# -- users file --
|
|
|
44 |
# DEFAULT Service-Type == Outbound-User, User-Profile := "outbound"
|
|
|
45 |
# DEFAULT Service-Type == Framed-User, User-Profile := "framed"
|
|
|
46 |
#
|
|
|
47 |
# By default the default_user_profile is not set
|
|
|
48 |
#
|
| 2706 |
tom.houday |
49 |
#default_user_profile = "DEFAULT"
|
| 1279 |
richard |
50 |
|
|
|
51 |
#######################################################################
|
|
|
52 |
# NAS Query
|
|
|
53 |
#######################################################################
|
|
|
54 |
# This query retrieves the radius clients
|
|
|
55 |
#
|
|
|
56 |
# 0. Row ID (currently unused)
|
|
|
57 |
# 1. Name (or IP address)
|
|
|
58 |
# 2. Shortname
|
|
|
59 |
# 3. Type
|
|
|
60 |
# 4. Secret
|
|
|
61 |
#######################################################################
|
|
|
62 |
|
| 2422 |
richard |
63 |
# nas_query = "SELECT id, nasname, shortname, type, secret FROM ${nas_table}"
|
| 1279 |
richard |
64 |
|
|
|
65 |
#######################################################################
|
|
|
66 |
# Authorization Queries
|
|
|
67 |
#######################################################################
|
|
|
68 |
# These queries compare the check items for the user
|
|
|
69 |
# in ${authcheck_table} and setup the reply items in
|
|
|
70 |
# ${authreply_table}. You can use any query/tables
|
|
|
71 |
# you want, but the return data for each row MUST
|
|
|
72 |
# be in the following order:
|
|
|
73 |
#
|
|
|
74 |
# 0. Row ID (currently unused)
|
|
|
75 |
# 1. UserName/GroupName
|
|
|
76 |
# 2. Item Attr Name
|
|
|
77 |
# 3. Item Attr Value
|
|
|
78 |
# 4. Item Attr Operation
|
|
|
79 |
#######################################################################
|
|
|
80 |
# Use these for case sensitive usernames.
|
|
|
81 |
authorize_check_query = "SELECT id, username, attribute, value, op \
|
|
|
82 |
FROM ${authcheck_table} \
|
|
|
83 |
WHERE username = BINARY '%{SQL-User-Name}' \
|
|
|
84 |
ORDER BY id"
|
|
|
85 |
authorize_reply_query = "SELECT id, username, attribute, value, op \
|
|
|
86 |
FROM ${authreply_table} \
|
|
|
87 |
WHERE username = BINARY '%{SQL-User-Name}' \
|
|
|
88 |
ORDER BY id"
|
|
|
89 |
|
|
|
90 |
# The default queries are case insensitive. (for compatibility with
|
|
|
91 |
# older versions of FreeRADIUS)
|
|
|
92 |
# authorize_check_query = "SELECT id, username, attribute, value, op \
|
|
|
93 |
# FROM ${authcheck_table} \
|
|
|
94 |
# WHERE username = '%{SQL-User-Name}' \
|
|
|
95 |
# ORDER BY id"
|
|
|
96 |
# authorize_reply_query = "SELECT id, username, attribute, value, op \
|
|
|
97 |
# FROM ${authreply_table} \
|
|
|
98 |
# WHERE username = '%{SQL-User-Name}' \
|
|
|
99 |
# ORDER BY id"
|
|
|
100 |
|
|
|
101 |
# Use these for case sensitive usernames.
|
| 2706 |
tom.houday |
102 |
# group_membership_query = "SELECT groupname \
|
|
|
103 |
# FROM ${usergroup_table} \
|
|
|
104 |
# WHERE username = BINARY '%{SQL-User-Name}' \
|
|
|
105 |
# ORDER BY priority"
|
| 1279 |
richard |
106 |
|
|
|
107 |
# group_membership_query = "SELECT groupname \
|
|
|
108 |
# FROM ${usergroup_table} \
|
|
|
109 |
# WHERE username = '%{SQL-User-Name}' \
|
|
|
110 |
# ORDER BY priority"
|
|
|
111 |
|
| 2706 |
tom.houday |
112 |
group_membership_query = "SELECT '%{SQL-User-Name}'"
|
| 1279 |
richard |
113 |
|
| 2706 |
tom.houday |
114 |
# authorize_group_check_query = "SELECT id, groupname, attribute, \
|
|
|
115 |
# Value, op \
|
|
|
116 |
# FROM ${groupcheck_table} \
|
|
|
117 |
# WHERE groupname = '%{Sql-Group}' \
|
|
|
118 |
# ORDER BY id"
|
|
|
119 |
# authorize_group_reply_query = "SELECT id, groupname, attribute, \
|
|
|
120 |
# value, op \
|
|
|
121 |
# FROM ${groupreply_table} \
|
|
|
122 |
# WHERE groupname = '%{Sql-Group}' \
|
|
|
123 |
# ORDER BY id"
|
|
|
124 |
authorize_group_check_query = "SELECT id, '%{SQL-User-Name}', attribute, value, op FROM ( \
|
|
|
125 |
( SELECT id, attribute, value, op FROM ${groupcheck_table} gr LEFT JOIN radusergroup ug ON gr.groupname = ug.groupname WHERE username = '%{SQL-User-Name}' ORDER BY ug.priority) UNION \
|
|
|
126 |
( SELECT id, attribute, value, op FROM ${groupcheck_table} WHERE groupname = '%{control:Tmp-String-0}') UNION \
|
|
|
127 |
( SELECT id, attribute, value, op FROM ${groupcheck_table} WHERE groupname = 'default') \
|
|
|
128 |
) attrs GROUP BY attribute"
|
|
|
129 |
authorize_group_reply_query = "SELECT id, '%{SQL-User-Name}', attribute, value, op FROM ( \
|
|
|
130 |
( SELECT id, attribute, value, op FROM ${groupreply_table} gr LEFT JOIN radusergroup ug ON gr.groupname = ug.groupname WHERE username = '%{SQL-User-Name}' ORDER BY ug.priority) UNION \
|
|
|
131 |
( SELECT id, attribute, value, op FROM ${groupreply_table} WHERE groupname = '%{control:Tmp-String-0}') UNION \
|
|
|
132 |
( SELECT id, attribute, value, op FROM ${groupreply_table} WHERE groupname = 'default') \
|
|
|
133 |
) attrs GROUP BY attribute"
|
|
|
134 |
|
| 1279 |
richard |
135 |
#######################################################################
|
|
|
136 |
# Accounting Queries
|
|
|
137 |
#######################################################################
|
|
|
138 |
# accounting_onoff_query - query for Accounting On/Off packets
|
|
|
139 |
# accounting_update_query - query for Accounting update packets
|
|
|
140 |
# accounting_update_query_alt - query for Accounting update packets
|
|
|
141 |
# (alternate in case first query fails)
|
|
|
142 |
# accounting_start_query - query for Accounting start packets
|
|
|
143 |
# accounting_start_query_alt - query for Accounting start packets
|
|
|
144 |
# (alternate in case first query fails)
|
|
|
145 |
# accounting_stop_query - query for Accounting stop packets
|
|
|
146 |
# accounting_stop_query_alt - query for Accounting start packets
|
|
|
147 |
# (alternate in case first query doesn't
|
|
|
148 |
# affect any existing rows in the table)
|
|
|
149 |
#######################################################################
|
|
|
150 |
accounting_onoff_query = "\
|
|
|
151 |
UPDATE ${acct_table1} \
|
|
|
152 |
SET \
|
|
|
153 |
acctstoptime = '%S', \
|
|
|
154 |
acctsessiontime = unix_timestamp('%S') - \
|
|
|
155 |
unix_timestamp(acctstarttime), \
|
|
|
156 |
acctterminatecause = '%{Acct-Terminate-Cause}', \
|
|
|
157 |
acctstopdelay = %{%{Acct-Delay-Time}:-0} \
|
|
|
158 |
WHERE acctstoptime IS NULL \
|
|
|
159 |
AND nasipaddress = '%{NAS-IP-Address}' \
|
|
|
160 |
AND acctstarttime <= '%S'"
|
|
|
161 |
|
|
|
162 |
accounting_update_query = " \
|
|
|
163 |
UPDATE ${acct_table1} \
|
|
|
164 |
SET \
|
|
|
165 |
framedipaddress = '%{Framed-IP-Address}', \
|
|
|
166 |
acctsessiontime = '%{Acct-Session-Time}', \
|
|
|
167 |
acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | \
|
|
|
168 |
'%{%{Acct-Input-Octets}:-0}', \
|
|
|
169 |
acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | \
|
|
|
170 |
'%{%{Acct-Output-Octets}:-0}' \
|
|
|
171 |
WHERE acctsessionid = '%{Acct-Session-Id}' \
|
| 2476 |
tom.houday |
172 |
AND username = BINARY '%{SQL-User-Name}' \
|
| 1279 |
richard |
173 |
AND nasipaddress = '%{NAS-IP-Address}'"
|
|
|
174 |
|
|
|
175 |
accounting_update_query_alt = " \
|
|
|
176 |
INSERT INTO ${acct_table1} \
|
|
|
177 |
(acctsessionid, acctuniqueid, username, \
|
|
|
178 |
realm, nasipaddress, nasportid, \
|
|
|
179 |
nasporttype, acctstarttime, acctsessiontime, \
|
|
|
180 |
acctauthentic, connectinfo_start, acctinputoctets, \
|
|
|
181 |
acctoutputoctets, calledstationid, callingstationid, \
|
|
|
182 |
servicetype, framedprotocol, framedipaddress, \
|
|
|
183 |
acctstartdelay, xascendsessionsvrkey) \
|
|
|
184 |
VALUES \
|
|
|
185 |
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \
|
| 2476 |
tom.houday |
186 |
BINARY '%{SQL-User-Name}', \
|
| 1279 |
richard |
187 |
'%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', \
|
|
|
188 |
'%{NAS-Port-Type}', \
|
|
|
189 |
DATE_SUB('%S', \
|
|
|
190 |
INTERVAL (%{%{Acct-Session-Time}:-0} + \
|
|
|
191 |
%{%{Acct-Delay-Time}:-0}) SECOND), \
|
|
|
192 |
'%{Acct-Session-Time}', \
|
|
|
193 |
'%{Acct-Authentic}', '', \
|
|
|
194 |
'%{%{Acct-Input-Gigawords}:-0}' << 32 | \
|
|
|
195 |
'%{%{Acct-Input-Octets}:-0}', \
|
|
|
196 |
'%{%{Acct-Output-Gigawords}:-0}' << 32 | \
|
|
|
197 |
'%{%{Acct-Output-Octets}:-0}', \
|
|
|
198 |
'%{Called-Station-Id}', '%{Calling-Station-Id}', \
|
|
|
199 |
'%{Service-Type}', '%{Framed-Protocol}', \
|
|
|
200 |
'%{Framed-IP-Address}', \
|
|
|
201 |
'0', '%{X-Ascend-Session-Svr-Key}')"
|
|
|
202 |
|
|
|
203 |
accounting_start_query = " \
|
|
|
204 |
INSERT INTO ${acct_table1} \
|
|
|
205 |
(acctsessionid, acctuniqueid, username, \
|
|
|
206 |
realm, nasipaddress, nasportid, \
|
|
|
207 |
nasporttype, acctstarttime, acctstoptime, \
|
|
|
208 |
acctsessiontime, acctauthentic, connectinfo_start, \
|
|
|
209 |
connectinfo_stop, acctinputoctets, acctoutputoctets, \
|
|
|
210 |
calledstationid, callingstationid, acctterminatecause, \
|
|
|
211 |
servicetype, framedprotocol, framedipaddress, \
|
|
|
212 |
acctstartdelay, acctstopdelay, xascendsessionsvrkey) \
|
|
|
213 |
VALUES \
|
|
|
214 |
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \
|
| 2476 |
tom.houday |
215 |
BINARY '%{SQL-User-Name}', \
|
| 1279 |
richard |
216 |
'%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', \
|
|
|
217 |
'%{NAS-Port-Type}', '%S', NULL, \
|
|
|
218 |
'0', '%{Acct-Authentic}', '%{Connect-Info}', \
|
|
|
219 |
'', '0', '0', \
|
|
|
220 |
'%{Called-Station-Id}', '%{Calling-Station-Id}', '', \
|
|
|
221 |
'%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', \
|
|
|
222 |
'%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')"
|
|
|
223 |
|
|
|
224 |
accounting_start_query_alt = " \
|
|
|
225 |
UPDATE ${acct_table1} SET \
|
|
|
226 |
acctstarttime = '%S', \
|
|
|
227 |
acctstartdelay = '%{%{Acct-Delay-Time}:-0}', \
|
|
|
228 |
connectinfo_start = '%{Connect-Info}' \
|
|
|
229 |
WHERE acctsessionid = '%{Acct-Session-Id}' \
|
| 2476 |
tom.houday |
230 |
AND username = BINARY '%{SQL-User-Name}' \
|
| 1279 |
richard |
231 |
AND nasipaddress = '%{NAS-IP-Address}'"
|
|
|
232 |
|
|
|
233 |
accounting_stop_query = " \
|
|
|
234 |
UPDATE ${acct_table2} SET \
|
|
|
235 |
acctstoptime = '%S', \
|
|
|
236 |
acctsessiontime = '%{Acct-Session-Time}', \
|
|
|
237 |
acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | \
|
|
|
238 |
'%{%{Acct-Input-Octets}:-0}', \
|
|
|
239 |
acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | \
|
|
|
240 |
'%{%{Acct-Output-Octets}:-0}', \
|
|
|
241 |
acctterminatecause = '%{Acct-Terminate-Cause}', \
|
|
|
242 |
acctstopdelay = '%{%{Acct-Delay-Time}:-0}', \
|
|
|
243 |
connectinfo_stop = '%{Connect-Info}' \
|
|
|
244 |
WHERE acctsessionid = '%{Acct-Session-Id}' \
|
| 2476 |
tom.houday |
245 |
AND username = BINARY '%{SQL-User-Name}' \
|
| 1279 |
richard |
246 |
AND nasipaddress = '%{NAS-IP-Address}'"
|
|
|
247 |
|
|
|
248 |
accounting_stop_query_alt = " \
|
|
|
249 |
INSERT INTO ${acct_table2} \
|
|
|
250 |
(acctsessionid, acctuniqueid, username, \
|
|
|
251 |
realm, nasipaddress, nasportid, \
|
|
|
252 |
nasporttype, acctstarttime, acctstoptime, \
|
|
|
253 |
acctsessiontime, acctauthentic, connectinfo_start, \
|
|
|
254 |
connectinfo_stop, acctinputoctets, acctoutputoctets, \
|
|
|
255 |
calledstationid, callingstationid, acctterminatecause, \
|
|
|
256 |
servicetype, framedprotocol, framedipaddress, \
|
|
|
257 |
acctstartdelay, acctstopdelay) \
|
|
|
258 |
VALUES \
|
|
|
259 |
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \
|
| 2476 |
tom.houday |
260 |
BINARY '%{SQL-User-Name}', \
|
| 1279 |
richard |
261 |
'%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', \
|
|
|
262 |
'%{NAS-Port-Type}', \
|
|
|
263 |
DATE_SUB('%S', \
|
|
|
264 |
INTERVAL (%{%{Acct-Session-Time}:-0} + \
|
|
|
265 |
%{%{Acct-Delay-Time}:-0}) SECOND), \
|
|
|
266 |
'%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', \
|
|
|
267 |
'%{Connect-Info}', \
|
|
|
268 |
'%{%{Acct-Input-Gigawords}:-0}' << 32 | \
|
|
|
269 |
'%{%{Acct-Input-Octets}:-0}', \
|
|
|
270 |
'%{%{Acct-Output-Gigawords}:-0}' << 32 | \
|
|
|
271 |
'%{%{Acct-Output-Octets}:-0}', \
|
|
|
272 |
'%{Called-Station-Id}', '%{Calling-Station-Id}', \
|
|
|
273 |
'%{Acct-Terminate-Cause}', \
|
|
|
274 |
'%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', \
|
|
|
275 |
'0', '%{%{Acct-Delay-Time}:-0}')"
|
| 2438 |
richard |
276 |
# We add the following patch (freeradius V2 to V3) in order ALCASAR works
|
|
|
277 |
# be carefull : 'tolower' need now the 'expr' module
|
|
|
278 |
accounting {
|
|
|
279 |
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
|
|
|
280 |
type {
|
|
|
281 |
accounting-on {
|
|
|
282 |
query = "${....accounting_onoff_query}"
|
|
|
283 |
}
|
|
|
284 |
accounting-off {
|
|
|
285 |
query = "${....accounting_onoff_query}"
|
|
|
286 |
}
|
|
|
287 |
start {
|
|
|
288 |
query = "${....accounting_start_query}"
|
|
|
289 |
query = "${....accounting_start_query_alt}"
|
|
|
290 |
}
|
|
|
291 |
interim-update {
|
|
|
292 |
query = "${....accounting_update_query}"
|
|
|
293 |
query = "${....accounting_update_query_alt}"
|
|
|
294 |
}
|
|
|
295 |
stop {
|
|
|
296 |
query = "${....accounting_stop_query}"
|
|
|
297 |
query = "${....accounting_stop_query_alt}"
|
|
|
298 |
}
|
|
|
299 |
}
|
|
|
300 |
}
|
| 1279 |
richard |
301 |
#######################################################################
|
|
|
302 |
# Simultaneous Use Checking Queries
|
|
|
303 |
#######################################################################
|
|
|
304 |
# simul_count_query - query for the number of current connections
|
|
|
305 |
# - If this is not defined, no simultaneouls use checking
|
|
|
306 |
# - will be performed by this module instance
|
|
|
307 |
# simul_verify_query - query to return details of current connections for verification
|
|
|
308 |
# - Leave blank or commented out to disable verification step
|
|
|
309 |
# - Note that the returned field order should not be changed.
|
|
|
310 |
#######################################################################
|
|
|
311 |
|
|
|
312 |
# Uncomment simul_count_query to enable simultaneous use checking
|
|
|
313 |
simul_count_query = "SELECT COUNT(*) \
|
|
|
314 |
FROM ${acct_table1} \
|
| 2476 |
tom.houday |
315 |
WHERE username = BINARY '%{SQL-User-Name}' \
|
| 1279 |
richard |
316 |
AND acctstoptime IS NULL"
|
|
|
317 |
|
|
|
318 |
#simul_verify_query = "SELECT radacctid, acctsessionid, username, \
|
|
|
319 |
#nasipaddress, nasportid, framedipaddress, \
|
|
|
320 |
#callingstationid, framedprotocol \
|
|
|
321 |
#FROM ${acct_table1} \
|
|
|
322 |
#WHERE username = '%{SQL-User-Name}' \
|
|
|
323 |
#AND acctstoptime IS NULL"
|
|
|
324 |
|
|
|
325 |
#######################################################################
|
|
|
326 |
# Authentication Logging Queries
|
|
|
327 |
#######################################################################
|
|
|
328 |
# postauth_query - Insert some info after authentication
|
|
|
329 |
#######################################################################
|
|
|
330 |
# (username, pass, reply, authdate) \
|
|
|
331 |
# '%{%{User-Password}:-%{Chap-Password}}', \
|
|
|
332 |
|
|
|
333 |
postauth_query = "INSERT INTO ${postauth_table} \
|
|
|
334 |
(username, reply, authdate) \
|
|
|
335 |
VALUES ( \
|
| 2476 |
tom.houday |
336 |
BINARY '%{User-Name}', \
|
| 1279 |
richard |
337 |
'%{reply:Packet-Type}', '%S')"
|
| 2438 |
richard |
338 |
# We add the following patch (freeradius V2 to V3) in order ALCASAR works
|
|
|
339 |
post-auth {
|
|
|
340 |
query = "${..postauth_query}"
|
|
|
341 |
}
|