This chapter describes the configuration files used by the GNU Radius package.
These files are normally found in the /usr/local/etc/raddb directory, which is defined at configuration time, although their location can also be specified at runtime. In the discussion below we refer to this directory as `raddb'. See section Naming Conventions.
radiusd uses the configuration values from the following
sources (in order of increasing precedence):
This order of precedence applies only at startup. When re-reading of
the configuration is initiated, either by a SIGHUP signal or over the
SNMP channel, any changes in the config file take
precedence over command line arguments, since `raddb/config' is
the only way to change the configuration of the running program.
This chapter discusses the `raddb/config' file in detail.
The `raddb/config' file consists of statements and comments. Statements end with a semicolon. Many statements contain a block of sub-statements, which also terminate with a semicolon.
Comments can be written in shell, C, or C++ style; any of the following is a valid comment:
# A shell comment
/* A C-style
* multi-line comment
*/
// A C++-style comment
These are the basic statements:
Option block: set the global program options.
option block
option {
[ source-ip number ; ]
[ max-requests number ; ]
[ exec-program-user string ; ]
[ username-chars string ; ]
[ log-dir string ; ]
[ acct-dir string ; ]
} ;
The option block defines the global options to be used by radiusd.
source-ip
max-requests
exec-program-user
Exec-Program and Exec-Program-Wait. The effective
group id will be retrieved from the `/etc/passwd' entry
for the given user.
username-chars
log-dir
acct-dir
logging block
logging {
[ category category_spec {
[ channel channel_name ; ]
[ print-auth bool ; ]
[ print-pass bool ; ]
[ print-failed-pass bool ; ]
[ level debug_level ; ]
} ; ]
[ channel channel_name {
( file string ;
| syslog facility . priority ; )
[ print-pid bool ; ]
[ print-category bool ; ]
[ print-cons bool ; ]
[ print-level bool ; ]
[ print-priority bool ; ]
}; ]
} ;
The logging statement describes the course followed by
radiusd's logging information.
category statement.
channel statement.
logging statement.
category statement
Each line of logging information generated by radiusd has an
associated category. The logging statement allows each
category of output to be controlled independently of the others.
A logging category is defined by a category name and a
priority. The category name determines which part of the radiusd
daemon is allowed to send its logging information to this channel.
It can be any of main, auth, acct, proxy,
snmp. The priority determines the minimum priority of
the messages displayed by this channel. The priorities in ascending
order are: debug, info, notice, warn,
err, crit, alert, emerg.
The full category specification, category_spec, can take any of the following three forms:
Additional category options valid for auth category are:
print-auth
print-pass
print-failed-pass
channel statement
Channels represent methods for recording logging information. Each
channel has a unique name, and any categories which specify that name in
a channel statement will use that channel.
radiusd can write logging information to files or send it to
syslog. The file statement sends the channel's output to the
named file (see section Naming Conventions). The syslog statement
sends the channel's output to syslog with the specified facility and
severity.
Channel options modify the data flowing through the channel:
print-pid
print-cons
print-category
print-priority
print-level
logging statement
logging {
channel default {
file "radius.log";
print-category yes;
print-priority yes;
};
channel info {
file "radius.info";
print-pid yes;
print-cons yes;
print-priority yes;
};
channel notice {
syslog auth.notice;
};
category auth {
print-auth yes;
print-failed-pass yes;
};
category notice {
channel notice;
};
category info {
channel info;
};
category debug {
channel info;
level radiusd=1,files;
};
category *.!debug {
channel default;
};
};
auth statement
Syntax:
auth {
[ listen addr-list ; ]
[ port number ; ]
[ spawn bool ; ]
[ max-requests number ; ]
[ time-to-live number ; ]
[ request-cleanup-delay number ; ]
[ detail bool ; ]
[ strip-names bool ; ]
[ checkrad-assume-logged bool ; ]
[ password-expire-warning number ; ]
} ;
The auth statement configures the parameters of the authentication
service.
This statement determines on which addresses radiusd will listen for incoming authentication requests. Its argument is a comma-separated list of items in the form ip:port-number. ip can be either an IP address in the familiar "dotted-quad" notation or a hostname. The :port-number part may be omitted, in which case the default authentication port is assumed.
If the listen statement is omitted, radiusd will accept incoming
requests from any interface on the machine.
port
max-requests
time-to-live
request-cleanup-delay
password-expire-warning
spawn
radiusd should spawn a child to process the request.
detail
radiusd will produce the detailed log of each
received packet in the file `radacct/NASNAME/detail.auth'.
(see section Naming Conventions).
strip-names
radiusd should strip any prefixes/suffixes
off the username before logging.
checkrad-assume-logged
radiusd consults the value of this variable when the NAS
does not respond to checkrad queries (see section Checking Simultaneous Logins).
If this variable is set to yes, the daemon proceeds as if
the NAS had returned "yes", i.e. it assumes the user is logged in.
Otherwise radiusd assumes the user is not logged in.
acct statement
acct {
[ listen addr-list ; ]
[ port number ; ]
[ spawn bool ; ]
[ detail bool; ]
[ max-requests number ; ]
[ time-to-live number ; ]
[ request-cleanup-delay number ; ]
} ;
The acct statement configures the parameters of the accounting
service.
This statement determines on which addresses radiusd will listen for incoming accounting requests. Its argument is a comma-separated list of items in the form ip:port-number. ip can be either an IP address in the familiar "dotted-quad" notation or a hostname. The :port-number part may be omitted, in which case the default accounting port is assumed.
If the listen statement is omitted, radiusd will accept incoming
requests from any interface on the machine.
port
max-requests
time-to-live
request-cleanup-delay
spawn
radiusd should spawn a child to process the request.
detail
false, disables detailed accounting
(see section Detailed Request Accounting).
proxy statement
proxy {
[ max-requests number ; ]
[ request-cleanup-delay number ; ]
} ;
The proxy statement configures the parameters of the proxy service.
max-requests
request-cleanup-delay
usedbm statement
usedbm ( yes | no ) ;
The usedbm statement determines whether the DBM support should
be enabled.
no
yes
snmp statement
snmp {
[ port portno ; ]
[ spawn bool ; ]
[ max-requests number ; ]
[ time-to-live number ; ]
[ request-cleanup-delay number ; ]
[ ident string ; ]
[ community name ( rw | ro ) ; ]
[ network name network [ network ... ] ; ]
[ acl {
[ allow network_name community_name ; ]
[ deny network_name ; ]
} ; ]
};
The snmp statement configures the SNMP service.
port
max-requests
time-to-live
request-cleanup-delay
spawn
radiusd should spawn a child to process the SNMP
request.
ident
community name ( rw | ro )
rw) or read-only
(ro).
network name network [ network ... ]
allow network_name community_name
deny NETWORK_NAME
guile statement
The guile statement configures the server's interface with
Guile.
guile {
[ debug bool ; ]
[ load-path string ; ]
[ load string ; ]
};
debug
load-path
%load-path variable.
load
For a detailed description of the Guile extension interface, see section Guile.
message statement
The message statement sets up the messages that are
returned to the user with authentication-response packets.
message {
[ account-closed string ; ]
[ password-expired string ; ]
[ password-expire-warning string ; ]
[ access-denied string ; ]
[ realm-quota string ; ]
[ multiple-login string ; ]
[ second-login string ; ]
[ timespan-violation string ; ]
};
All variables in the message block take a string argument. In
the string you can use the usual C backslash notation to represent
non-printable characters. The %C{} and %R{} sequences
are also allowed (see section Macro Substitution).
account-closed
password-expired
password-expire-warning
password-expire-warning variable in auth block.
See section auth statement. In this string, you can use the %R{Password-Expire-Days}
substitution to represent the actual number of days left
until the expiration date. The default is
Password Will Expire in %R{Password-Expire-Days} Days\r\n
access-denied
realm-quota
multiple-login
second-login
multiple-login, which is used when
the user's login limit is 1.
timespan-violation
The dictionary file `raddb/dictionary' defines the symbolic names for radius attributes and their values (see section Attributes). The file consists of a series of statements. Each statement occupies one line.
In the detailed discussion below we use the following meta-syntactic characters:
string
integer
ipaddr
date
There are the following kinds of statements:
Comments are introduced by a pound sign (`#'). Everything starting from the first occurrence of `#' up to the end of line is ignored.
$INCLUDE `filename'
The $INCLUDE statement causes the contents of the file `filename'
to be read in and processed. The file is looked up in the Radius database
directory. See section Radius Configuration Files.
VENDOR Vendor-Name number
A VENDOR statement defines the symbolic name for a Vendor-Id.
This name can subsequently be used in ATTRIBUTE statements
to define Vendor-Specific attribute translations. See section Vendor-Specific.
VENDOR Livingston 307
Syntax
ATTRIBUTE name number type [vendor [flags]]
The ATTRIBUTE statement defines the translation for an attribute.
Its parts have the following meaning:
The attribute property flags consist of a sequence of letters, whose meaning is determined by the following rules: (2)
[L--RLR]
means that the attribute may be used in LHS of a rule in `raddb/users',
in RHS of a rule in `raddb/hints', and in both sides of a rule
in `raddb/huntgroups'.
ATTRIBUTE Service-Type 6 integer - [LR-RLR]=P
This statement assigns the translation string `Service-Type' to the
attribute number 6. It allows the use of this attribute in any part
of matching rules, except in LHS of a `raddb/hints' rule. The
additivity of Service-Type is set to `Replace'. The
attribute will be propagated through the proxy chain.
VALUE Attribute-Translation Value-Translation number
The VALUE statement assigns a translation string to a given
value of an integer attribute. Attribute-Translation specifies
the attribute and the Value-Translation specifies the name
assigned to the value number of this attribute.
The following assigns the translation string `Login-User' to the value 1 of the attribute `Service-Type'.
VALUE Service-Type Login-User 1
The `raddb/clients' file lists the NASes which are allowed to make authentication requests. As usual, the `#' character introduces a comment. Each record in the file consists of two fields, separated by whitespace. The fields are:
# This is a list of clients which are allowed to make authentication
# requests.
# Each record consists of two fields:
# i. Valid hostname.
# ii. The shared encryption key for this hostname.
#
#Client Name Key
#---------------- -------------------
myhost.dom.ain guessme
merlin emrys
11.10.10.10 secRet
The `raddb/naslist' file contains a list of NASes known to the Radius server. Each record in the file consists of three fields:
radiusd determines
the way to query NAS about the presence of a given user on it
(see section Checking Simultaneous Logins).
Two special types, `true' and `false', can be used to disable NAS
querying. When the type field contains `true', radiusd assumes the
user is logged in to the NAS; when it contains `false', radiusd
assumes the user is not logged in. Otherwise, the type
is used as a link to a `nastypes' entry (see section NAS Types -- `raddb/nastypes').
There are two groups of nas arguments: nas-specific arguments and
nas-querying arguments. Nas-specific arguments modify the
behavior of radiusd when sending information to, or receiving it
from, a particular NAS.
Nas-querying arguments control the way radiusd queries
a NAS for confirmation of a user's session (see section Checking Simultaneous Logins). These arguments override the ones specified in
`nastypes' and can thus be used to override the default
values.
The nas-specific arguments currently implemented are:
radiusd uses the
method specified by RFC 2865. However, some NASes, most notably the
MAX Ascend series, implement a broken method of encoding long
passwords. This flag instructs radiusd to use the broken method
of password encryption for the given NAS.
For the list of nas-querying arguments, see section NAS Types -- `raddb/nastypes'.
# raddb/naslist: contains a list of Network Access Servers
#
# Each record consists of following fields:
#
# i. A valid hostname or IP address for the client.
# ii. The short name to use in the logfiles for this NAS.
# iii. Type of device. Valid values are `true', `false' and
# those defined in raddb/nastypes file.
# NAS Name Short Name Type
#---------------- ---------- ----
myhost.dom.ain myhost unix
merlin merlin max
11.10.10.10 arthur livingston
The `raddb/nastypes' file describes the ways to query NASes about active user sessions.
Each record consists of three fields separated by any amount of whitespace. The fields are:
Version 0.96 of GNU Radius supports two querying methods: finger and snmp.
In the discussion below n means a numeric and s a string value.
The following arguments are predefined:
The following macro-variables are recognized and substituted when encountered in the value pair of an argument:
Please note, that in the following example the long lines are broken into several lines for readability.
# Type Method Args
# ---- ------ ----
unix finger function=check_unix
max-f finger function=check_max_finger
max snmp oid=.1.3.6.1.4.1.529.12.3.1.4.%d,
function=check_snmp_u
as5300-f finger function=check_as5300_finger
as5300 snmp oid=.1.3.6.1.4.1.9.9.150.1.1.3.1.2.%d,
function=check_snmp_u
livingston snmp oid=.1.3.6.1.4.1.307.3.2.1.1.1.5.%P,
function=check_snmp_s
The `nastypes' file shipped with version 0.96 of GNU Radius defines the following NAS types:
#Hostname Shortname Type
#-------- --------- ----
nas.name T unix
#Hostname Shortname Type Flags
#-------- --------- ---- -----
nas.name T max-f broken_pass
Please note the use of broken_pass flag. It is needed
for most MAX Ascend servers (see section NAS List -- `raddb/naslist').
#Hostname Shortname Type Flags
#-------- --------- ---- -----
nas.name T max-f broken_pass,community=comm
Replace comm with your actual SNMP community name.
livingston queries portmaster using SNMP.
The `raddb/hints' file is used to modify the contents of the incoming request depending on the username. For a detailed description of this, see section Hints.
The file contains data in Matching Rule format (see section Matching Rule).
The only attributes that can be used in the check list are:
Suffix
Prefix
Group
User-ID
## If the username starts with `U', append the UUCP hint
DEFAULT Prefix = "U", Strip-User-Name = No
Hint = "UUCP"
## If the username ends with `.slip', append the SLIP service data
## and remove the suffix from the user name.
DEFAULT Suffix = ".slip",
Strip-User-Name = Yes
Hint = "SLIP",
Service-Type = Framed-User,
Framed-Protocol = SLIP
The `raddb/huntgroups' file contains the definitions of the huntgroups. For a detailed description of the huntgroup concept, see section Huntgroups.
The file contains data in Matching Rule format (see section Matching Rule).
## This defines the packet rewriting function for the server 11.10.10.11
DEFAULT NAS-IP-Address = 11.10.10.11, Rewrite-Function = "max_fixup"
NULL
The `raddb/realms' file lists remote Radius servers that are allowed to communicate with the local Radius server (see section Proxying).
Each record consists of up to three fields, separated by whitespace. Two of them are mandatory. The fields are:
servername[:auth-port[:acct-port]]
Optional auth-port and acct-port are the authentication and
accounting port numbers. If acct-port is omitted, it is computed
as auth-port + 1. If auth-port is omitted, the default
authentication port number is used.
The flags meaningful in `raddb/realms' are
strip enables stripping, setting nostrip disables
it. Default is to always strip user names.
# Realm Remote server[:port] flags
#---------------- --------------------- --------
that.net radius.that.net nostrip
dom.ain server.dom.ain:3000 strip,quota=20
# Realm Remote server[:port] flags
#---------------- --------------------- --------
NOREALM radius.server.net
that.net radius.that.net nostrip
dom.ain server.dom.ain:3000 strip,quota=20
The file `raddb/users' contains the list of User Profiles. For a description of its purpose, see section User Profiles.
## The following entry is matched when the user appends ``.ppp'' to his
## username when logging in.
## The suffix is removed from the user name, then the password is
## looked up in the SQL database.
## Users may log in at any time. They get PPP service.
DEFAULT Suffix = ".ppp",
Auth-Type = SQL,
Login-Time = "Al",
Simultaneous-Use = 1,
Strip-User-Name = Yes
Service-Type = Framed-User,
Framed-Protocol = PPP
## This is for SLIP users.
## This entry is matched when the auth request matches ``SLIP'' hint
DEFAULT Hint = "SLIP",
Auth-Type = Mysql
Service-Type = Framed-User
Framed-Protocol = SLIP
## The following authenticates users using system passwd files.
## The users are allowed to log in from 7:55 to 23:05 on any weekday,
## except the weekend, and from 07:55 to 12:00 on Sunday.
## Only one login is allowed per user.
## The program telauth is used to further check the authentication
## information and provide the reply pairs
## Note the use of backslashes to split a long line.
DEFAULT Auth-Type = System,
Login-Time = "Wk0755-2305,Su0755-1200",
Simultaneous-Use = 1
Exec-Program-Wait = "/usr/local/sbin/telauth \
%C{User-Name} \
%C{Calling-Station-Id} \
%C{NAS-IP-Address} \
%C{NAS-Port-Id}"
## This particular user is authenticated via PAM. He is presented a
## choice from `raddb/menus/menu1' file.
gray Auth-Type = Pam
Menu = menu1
The `raddb/access.deny' file contains a list of user names which are not allowed to log in via Radius. Each user name is listed on a separate line. As usual, the `#' character introduces an end-of-line comment.
The `raddb/sqlserver' file configures the connection to SQL server.
The file uses simple line-oriented `keyword -- value' format. Comments are introduced by `#' character.
The `sqlserver' statements can logically be subdivided into the following groups: SQL Client Parameters, configuring the connection between the SQL client and the server; Authentication Server Parameters; Authorization Parameters; and Accounting Server Parameters.
These parameters configure various aspects of connection between SQL client and the server.
interface iface-type
mysql and postgres. Depending
on this, the default communication port number is set: it is 3306 for
interface mysql and 5432 for interface postgres. Use of
this statement is only meaningful when the package was configured with
both the --with-mysql and --with-postgres options.
server string
port number
login string
password password
keepopen bool
radiusd should try to keep the connection open.
When set to no (the default), radiusd opens a new connection
before each transaction and closes it right after finishing it.
We recommend setting keepopen to yes for heavily loaded
servers, since opening a new connection can take a substantial amount
of time and slow down the operation considerably.
idle_timeout number
These parameters configure the SQL authentication. The general syntax is:
doauth bool
yes, enables authentication via SQL. All auth_
keywords are ignored if doauth is set to no.
auth_max_connections bool
keepopen is set to no.
auth_db string
auth_query string
group_query string
Group or Group-Name
attribute appears in the LHS of a user's or hint's profile.
Let's suppose the authentication information is kept in the tables
passwd and groups.
The passwd table contains user passwords. A user is allowed
to have different passwords for different services. The table structure
is:
CREATE TABLE passwd (
user_name varchar(32) binary default '' not null,
service char(16) default 'Framed-PPP' not null,
password char(64)
);
Additionally, the table groups contains information about
user groups a particular user belongs to. Its structure is:
CREATE TABLE groups (
user_name char(32) binary default '' not null,
user_group char(32)
);
The queries used to retrieve the information from these tables will then look like:
auth_query SELECT password
FROM passwd
WHERE user_name = '%C{User-Name}'
AND service = '%C{Auth-Data}'
group_query SELECT user_group
FROM groups
WHERE user_name = '%C{User-Name}'
It is assumed that the information about the particular service a
user wishes to obtain is kept in the Auth-Data attribute
in the LHS of the user's profile.
These parameters define queries used to retrieve the authorization information from the SQL database. All the queries refer to the authentication database.
check_attr_query string
attr-name, attr-value, opcode
The query is executed before comparing the request with the profile
entry. The values returned by the query are added to the LHS of the
entry. opcode here means one of the valid operation codes:
`=', `!=', `<', `>', `<=',
`>='.
reply_attr_query string
attr-name, attr-value
The query is executed after a successful match, the values it
returns are added to the RHS list of the matched entry, and are
therefore returned to the NAS in the reply packet.
Suppose your attribute information is stored in a SQL table of the following structure:
CREATE TABLE attrib (
user_name varchar(32) default '' not null,
attr char(32) default '' not null,
value char(128),
op enum("=", "!=", "<", ">", "<=", ">=") default null
);
Each row of the table contains an attribute-value pair for a given
user. If the op field is NULL, the row describes a RHS
(reply) pair; otherwise it describes a LHS (check) pair, as the
queries below show. The authorization queries for this table are:
check_attr_query SELECT attr,value,op \
FROM attrib \
WHERE user_name='%u' \
AND op IS NOT NULL
reply_attr_query SELECT attr,value \
FROM attrib \
WHERE user_name='%u' \
AND op IS NULL
Now, let's suppose the `raddb/users' contains only one entry:
DEFAULT Auth-Type = SQL
Service-Type = Framed-User
And the attrib table contains following rows:
| user_name | attr              | value       | op   |
|-----------|-------------------|-------------|------|
| jsmith    | NAS-IP-Address    | 10.10.10.1  | =    |
| jsmith    | NAS-Port-Id       | 20          | <=   |
| jsmith    | Framed-Protocol   | PPP         | NULL |
| jsmith    | Framed-IP-Address | 10.10.10.11 | NULL |
Then, when the user jsmith is trying to authenticate, the
following happens:
DEFAULT) in the
`raddb/users'.
check_attr_query. The
triplets it returns are then added to the LHS of the profile
entry. Thus, the LHS will contain:
Auth-Type = SQL,
NAS-IP-Address = 10.10.10.1,
NAS-Port-Id <= 20
Auth-Type attribute itself
triggers the execution of auth_query, described in the previous
section.
reply_attr_query, and adds its return to the list
of RHS pairs. The RHS pairs will then be:
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 10.10.10.11
This list is returned to the NAS along with the authentication
accept packet.
Thus, this configuration allows the user jsmith to use only
NAS 10.10.10.1, ports from 1 to 20 inclusive. If the user meets
these conditions, he is allowed to use PPP service, and is
assigned IP address 10.10.10.11.
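The walkthrough above, as an added example that is not part of the manual or of GNU Radius: a Python/SQLite simulation of how the two authorization queries extend the single DEFAULT profile entry. It assumes %u stands for the User-Name (bound as a query parameter here rather than substituted into the query text), that the Auth-Type check has already succeeded, and that a check attribute absent from the request fails the match.

```python
import sqlite3

# Constructed copy of the attrib table from the text.  MySQL's ENUM has no SQLite
# counterpart, so op is plain text; the NULL / NOT NULL split the queries rely on
# is unchanged.
SCHEMA = """
CREATE TABLE attrib (
  user_name varchar(32) default '' not null,
  attr char(32) default '' not null,
  value char(128),
  op char(2) default null
);
"""
ROWS = [  # the four rows of the example table
    ("jsmith", "NAS-IP-Address",    "10.10.10.1",  "="),
    ("jsmith", "NAS-Port-Id",       "20",          "<="),
    ("jsmith", "Framed-Protocol",   "PPP",         None),
    ("jsmith", "Framed-IP-Address", "10.10.10.11", None),
]

# The two authorization queries from the text.  %u is taken to mean the
# User-Name; it is passed as a bound parameter here instead of being
# substituted into the query text.
CHECK_ATTR_QUERY = "SELECT attr,value,op FROM attrib WHERE user_name=? AND op IS NOT NULL"
REPLY_ATTR_QUERY = "SELECT attr,value FROM attrib WHERE user_name=? AND op IS NULL"

# The operation codes check_attr_query may return
OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b,
       "<": lambda a, b: a < b,  ">": lambda a, b: a > b,
       "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b}


def _comparable(x, y):
    """Compare as integers when both sides parse as such, otherwise as strings."""
    try:
        return int(x), int(y)
    except ValueError:
        return str(x), str(y)


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO attrib VALUES (?,?,?,?)", ROWS)
    return db


def authorize(db, request):
    """Match the request against 'DEFAULT Auth-Type = SQL / Service-Type = Framed-User'.

    The Auth-Type check pair (password lookup via auth_query) is assumed to have
    succeeded already.  Returns the RHS pairs on a match, None on a failed check;
    a check attribute absent from the request counts as a failed check (an
    assumption, the text does not cover that case).
    """
    user = request["User-Name"]
    for attr, value, op in db.execute(CHECK_ATTR_QUERY, (user,)):   # extra LHS pairs
        if attr not in request:
            return None
        lhs, rhs = _comparable(request[attr], value)
        if not OPS[op](lhs, rhs):
            return None
    reply = [("Service-Type", "Framed-User")]                        # profile RHS
    reply += list(db.execute(REPLY_ATTR_QUERY, (user,)))             # extra RHS pairs
    return reply


if __name__ == "__main__":
    db = open_db()
    print(authorize(db, {"User-Name": "jsmith", "NAS-IP-Address": "10.10.10.1",
                         "NAS-Port-Id": "7"}))
    print(authorize(db, {"User-Name": "jsmith", "NAS-IP-Address": "10.10.10.1",
                         "NAS-Port-Id": "21"}))   # port above 20: no match
```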
To perform the SQL accounting radiusd needs to know the
database where it is to store the accounting information. This
information is supplied by the following statements:
doacct bool
yes enables SQL accounting. All acct_
keywords are ignored if doacct is set to no.
acct_db string
acct_max_connections number
keepopen is set to no.
Further, radiusd needs to know which information it is
to store into the database and when. Each of the five accounting request
types (see section Accounting Requests) has a SQL query associated with
it. Thus, when radiusd receives an accounting request, it determines
the query to use by the value of the Acct-Status-Type attribute.
The following statements define the accounting queries:
acct_start_query string
INSERT statement
(see section Writing SQL Accounting Query Templates).
acct_stop_query string
UPDATE statement.
acct_alive_query string
UPDATE statement.
acct_nasup_query string
acct_nasdown_query string
None of these queries should return any values.
Let's suppose you have an accounting table of the following structure:
CREATE TABLE calls (
status int(3),
user_name char(32),
event_date_time datetime DEFAULT '0000-00-00 00:00:00' NOT NULL,
nas_ip_address char(17),
nas_port_id int(6),
acct_session_id char(16) DEFAULT '' NOT NULL,
acct_session_time int(11),
acct_input_octets int(11),
acct_output_octets int(11),
connect_term_reason int(4),
framed_ip_address char(17),
called_station_id char(32),
calling_station_id char(32)
);
On receiving the Session Start Packet we would insert a record into this
table with status set to 1. At this point the columns
acct_session_time, acct_input_octets,
acct_output_octets as well as connect_term_reason are
unknown, so we will set them to 0:
# Query to be used on session start
acct_start_query INSERT INTO calls \
VALUES(%C{Acct-Status-Type},\
'%u',\
'%G',\
'%C{NAS-IP-Address}',\
%C{NAS-Port-Id},\
'%C{Acct-Session-Id}',\
0,\
0,\
0,\
0,\
'%C{Framed-IP-Address}',\
'%C{Called-Station-Id}',\
'%C{Calling-Station-Id}')
Then, when the Session Stop Packet request arrives we will look up
the record having status = 1, user_name matching the
value of User-Name attribute, and acct_session_id matching
that of Acct-Session-Id attribute. Once the record is found,
we will update it, setting
status = 2
acct_session_time = value of Acct-Session-Time attribute
acct_input_octets = value of Acct-Input-Octets attribute
acct_output_octets = value of Acct-Output-Octets attribute
connect_term_reason = value of Acct-Terminate-Cause attribute
Thus, every record with status = 1 will represent the active
session and every record with status = 2 will represent
the finished and correctly closed record. The constructed
acct_stop_query is then:
# Query to be used on session end
acct_stop_query UPDATE calls \
SET status=%C{Acct-Status-Type},\
acct_session_time=%C{Acct-Session-Time},\
acct_input_octets=%C{Acct-Input-Octets},\
acct_output_octets=%C{Acct-Output-Octets},\
connect_term_reason=%C{Acct-Terminate-Cause} \
WHERE user_name='%C{User-Name}' \
AND status = 1 \
AND acct_session_id='%C{Acct-Session-Id}'
Upon receiving a Keepalive Packet we will update the information
stored with acct_start_query:
acct_alive_query UPDATE calls \
SET acct_session_time=%C{Acct-Session-Time},\
acct_input_octets=%C{Acct-Input-Octets},\
acct_output_octets=%C{Acct-Output-Octets},\
framed_ip_address=%C{Framed-IP-Address} \
WHERE user_name='%C{User-Name}' \
AND status = 1 \
AND acct_session_id='%C{Acct-Session-Id}'
Further, there may be times when it is necessary to bring some NAS
down. To correctly close the currently active sessions on this NAS
we define an acct_nasdown_query that
sets the status column to 2 and updates acct_session_time
in all records having status = 1 and
nas_ip_address equal to the IP address of the NAS. Thus, all
sessions on a given NAS will be closed correctly when it is brought
down. The acct_session_time can be computed as the difference
between the current time and the time stored in the event_date_time
column:
# Query to be used when a NAS goes down, i.e. when it sends
# Accounting-Off packet
acct_nasdown_query UPDATE calls \
SET status=2,\
acct_session_time=unix_timestamp(now())-\
unix_timestamp(event_date_time) \
WHERE status=1 \
AND nas_ip_address='%C{NAS-IP-Address}'
Only one case remains uncovered: when a NAS crashes, e.g. due to
a power failure. In this case it does not have time to send the
Accounting-Off request and all its records remain open. But when
the power supply is restored, the NAS sends an
Accounting-On packet, so we define an acct_nasup_query to
set the status column to 3 and update acct_session_time
in all open records belonging to this NAS. Thus we will know that
each record having status = 3 represents a crashed session.
The query constructed will be:
# Query to be used when a NAS goes up, i.e. when it sends
# Accounting-On packet
acct_nasup_query UPDATE calls \
SET status=3,\
acct_session_time=unix_timestamp(now())-\
unix_timestamp(event_date_time) \
WHERE status=1 \
AND nas_ip_address='%C{NAS-IP-Address}'
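The five accounting queries built above, run as an added example (not part of the manual or of GNU Radius) against an in-memory SQLite copy of the calls table, so the status transitions 1 (active), 2 (closed) and 3 (crashed) can be watched. Assumptions: %u stands for the User-Name; MySQL's unix_timestamp(now()) is replaced by strftime('%s', '%G') so that the clock is an input and the run is repeatable; Acct-Status-Type values are the RFC 2866 numbers (Start 1, Stop 2, Interim-Update 3, Accounting-On 7, Accounting-Off 8).

```python
import re
import sqlite3

# The calls table from the text (SQLite accepts the MySQL column types as written)
SCHEMA = """
CREATE TABLE calls (
  status int(3), user_name char(32),
  event_date_time datetime DEFAULT '0000-00-00 00:00:00' NOT NULL,
  nas_ip_address char(17), nas_port_id int(6),
  acct_session_id char(16) DEFAULT '' NOT NULL,
  acct_session_time int(11), acct_input_octets int(11), acct_output_octets int(11),
  connect_term_reason int(4), framed_ip_address char(17),
  called_station_id char(32), calling_station_id char(32)
);
"""

# The five query templates from the text.  Differences: framed_ip_address is
# quoted in the alive query (it is a char column), and MySQL's
# unix_timestamp(now()) becomes strftime('%s','%G') so that the clock is an
# input and the run is repeatable.
ACCT_START_QUERY = """INSERT INTO calls VALUES(%C{Acct-Status-Type},'%u','%G',
 '%C{NAS-IP-Address}',%C{NAS-Port-Id},'%C{Acct-Session-Id}',0,0,0,0,
 '%C{Framed-IP-Address}','%C{Called-Station-Id}','%C{Calling-Station-Id}')"""
ACCT_STOP_QUERY = """UPDATE calls SET status=%C{Acct-Status-Type},
 acct_session_time=%C{Acct-Session-Time},acct_input_octets=%C{Acct-Input-Octets},
 acct_output_octets=%C{Acct-Output-Octets},connect_term_reason=%C{Acct-Terminate-Cause}
 WHERE user_name='%C{User-Name}' AND status = 1 AND acct_session_id='%C{Acct-Session-Id}'"""
ACCT_ALIVE_QUERY = """UPDATE calls SET acct_session_time=%C{Acct-Session-Time},
 acct_input_octets=%C{Acct-Input-Octets},acct_output_octets=%C{Acct-Output-Octets},
 framed_ip_address='%C{Framed-IP-Address}'
 WHERE user_name='%C{User-Name}' AND status = 1 AND acct_session_id='%C{Acct-Session-Id}'"""
ACCT_NASDOWN_QUERY = """UPDATE calls SET status=2,
 acct_session_time=strftime('%s','%G')-strftime('%s',event_date_time)
 WHERE status=1 AND nas_ip_address='%C{NAS-IP-Address}'"""
ACCT_NASUP_QUERY = ACCT_NASDOWN_QUERY.replace("SET status=2", "SET status=3")

# RFC 2866 Acct-Status-Type value -> query: the dispatch the text describes
QUERIES = {1: ACCT_START_QUERY, 2: ACCT_STOP_QUERY, 3: ACCT_ALIVE_QUERY,
           7: ACCT_NASUP_QUERY, 8: ACCT_NASDOWN_QUERY}


def expand(template, request, now):
    """Textual macro substitution for %C{attr}, %u (User-Name) and %G (clock)."""
    text = template.replace("%u", request["User-Name"]).replace("%G", now)
    return re.sub(r"%C\{([^}]+)\}", lambda m: str(request[m.group(1)]), text)


def account(db, request, now):
    """Select the query by Acct-Status-Type and run it."""
    db.execute(expand(QUERIES[request["Acct-Status-Type"]], request, now))


def session_rows(db):
    return db.execute("SELECT acct_session_id, status, acct_session_time "
                      "FROM calls ORDER BY acct_session_id").fetchall()


def run_scenario():
    """Two sessions on one NAS: one stops normally, the other is cut by a NAS crash."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    base = {"User-Name": "jsmith", "NAS-IP-Address": "10.10.10.1", "NAS-Port-Id": 3,
            "Framed-IP-Address": "10.10.10.11", "Called-Station-Id": "5550100",
            "Calling-Station-Id": "5550199"}          # constructed request values
    s1 = dict(base, **{"Acct-Status-Type": 1, "Acct-Session-Id": "0001"})
    s2 = dict(base, **{"Acct-Status-Type": 1, "Acct-Session-Id": "0002", "NAS-Port-Id": 4})
    account(db, s1, "2024-01-01 10:00:00")
    account(db, s2, "2024-01-01 10:00:00")
    # Session 0001: an interim update, then a Stop with the final counters
    account(db, dict(s1, **{"Acct-Status-Type": 3, "Acct-Session-Time": 60,
                            "Acct-Input-Octets": 100, "Acct-Output-Octets": 200}),
            "2024-01-01 10:01:00")
    account(db, dict(s1, **{"Acct-Status-Type": 2, "Acct-Session-Time": 600,
                            "Acct-Input-Octets": 1000, "Acct-Output-Octets": 2000,
                            "Acct-Terminate-Cause": 1}), "2024-01-01 10:10:00")
    # The NAS loses power and comes back: its Accounting-On marks 0002 as crashed (3)
    account(db, dict(base, **{"Acct-Status-Type": 7}), "2024-01-01 10:30:00")
    return session_rows(db)


if __name__ == "__main__":
    print(run_scenario())   # [('0001', 2, 600), ('0002', 3, 1800)]
```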
The file `raddb/rewrite' contains definitions of Rewrite extension functions. For information regarding the Rewrite extension language, see section Rewrite.
Menus are a way to let the user choose between the various services
he could be provided with. The menu functionality is enabled when Radius
is compiled with the --enable-livingston-menus option.
A user is presented with a menu after he is authenticated if the RHS of his profile record consists of a single A/V pair in the form:
Menu = <menu-name>
The menu files are stored in directory `raddb/menus'.
A menu file is a text file containing a menu declaration and any number of choice descriptions. The menus can be nested to an arbitrary depth.
A comment is introduced by a `#' character. All characters from this one up to the end of line are discarded.
The menu declaration is contained between the words `menu' and `end'. Each of these must be the only word on a line and must start in column 1.
Choice descriptions follow the menu declaration. Each description starts with a line containing the choice identifier. A choice identifier is an arbitrary word identifying this choice, or the word `DEFAULT'. It is followed by a comma-separated list of A/V pairs which will be returned to the server when the user selects this choice.
Suppose the following file is stored under `raddb/menus/menu1':
menu
*** Welcome EEE user! ***
Please select an option:
1. Start CSLIP session
2. Start PPP session
3. Quit
Option:
end
# CSLIP choice
# Framed-IP-Address of 255.255.255.254 indicates that the NAS should
# select an address for the user from its own IP pool.
1
Service-Type = Framed-User,
Framed-Protocol = SLIP,
Framed-IP-Address = 255.255.255.254,
Termination-Menu = "menu1"
# PPP choice
2
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 255.255.255.254,
Termination-Menu = "menu1"
# A special menu EXIT means abort the session
3
Menu = "EXIT"
# Return to this menu if no valid choice have been entered
DEFAULT
Menu = "menu1"
Now, suppose the `raddb/users' contains the following profile entry:
DEFAULT Auth-Type = System
Menu = "menu1"
and user `jsmith' has a valid system account and tries to log in
from some NAS. Upon authenticating the user, the Radius server sees that
his reply pairs contain the Menu attribute. Radius then sends
Access-Challenge packet to the NAS with the text of the menu in it.
The `jsmith' then sees on his terminal:
*** Welcome EEE user! ***
Please select an option:
1. Start CSLIP session
2. Start PPP session
3. Quit
Option:
He then enters `2'. The NAS sends the Access-Request packet to the server, which sees that user wishes to use option 2 and replies to the NAS with an Access-Accept packet containing the following attributes:
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 255.255.255.254,
Termination-Menu = "menu1"
The Termination-Menu in this list makes sure the same process
will continue when `jsmith' logs out, i.e. he will be presented
the same menu again until he enters choice `3' which will
disconnect him.
In this example, the `other' choice refers to the menu above.
menu
*** Welcome here! ***
Please enter an option:
ppp --- Start PPP session
telnet --- Begin guest login session
other --- Select other option
Enter your choice:
end
ppp
Service-Type = Framed-User,
Framed-Protocol = PPP
telnet
Service-Type = Login-User,
Login-IP-Host = 10.11.11.7,
Login-Service = Telnet,
Login-TCP-Port = 23
other
Menu = "menu1"
DEFAULT
menu = "menu2"
Some statements in the configuration files need to use the actual values of the attributes supplied with the request. These are:
Exec-Program and Exec-Program-Wait assignments in `users' database
In these statements the following macros are replaced by the value of corresponding attributes:
%Cnum
%C{attr-name}
%Rnum
%R{attr-name}
%D
%G
The `{}' form allows a default value to be specified for the substitution. The default value is used when no such attribute is found in the pairlist. The syntax for specifying the default value resembles that of shell variable expansion.
The substitution %C{attr-name:-defval} is expanded
to the value of attr-name attribute, if it is present in the
request pairlist, and to defval otherwise. For example:
%C{Acct-Session-Time:-0}
will return the value of Acct-Session-Time attribute or 0 if it doesn't exist in the request pairlist.
The substitution %C{attr-name:=defval} is expanded
to the value of the attr-name attribute. If this attribute is not
present in the request pairlist, it is created and assigned the
value defval. E.g.:
%C{Acct-Session-Time:=0}
The substitution %C{attr-name:?message} is expanded
to the value of attr-name attribute, if it is present. Otherwise
the diagnostic message "attr-name: message" is issued to
the log error channel, and string "message" is returned.
The substitution %C{attr-name:+retval} is expanded
to the empty string if the attribute attr-name is present in the
referenced pairlist. Otherwise it is expanded to retval.
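The four `{}' forms described above, implemented as an added example (not code from the manual or from GNU Radius) so their differences can be checked on a constructed request. Assumptions: %C reads the request pairlist and %R the reply pairlist, a plain %C{attr} with no modifier expands to the empty string when the attribute is absent, and a pairlist is modelled as a dict.

```python
import re

# One substitution, in the forms the text describes:
#   %C{attr}             value of attr (empty string if absent: an assumption,
#                        the page does not say what the plain form yields)
#   %C{attr:-defval}     value if present, otherwise defval
#   %C{attr:=defval}     value if present, otherwise create attr=defval and use it
#   %C{attr:?message}    value if present, otherwise log "attr: message", yield message
#   %C{attr:+retval}     empty string if present, otherwise retval
# %R{...} takes the same forms.  %C reads the request pairlist and %R the reply
# pairlist (an assumption based on the page's uses of %C{User-Name} and
# %R{Password-Expire-Days}).
MACRO_RE = re.compile(r"%([CR])\{([A-Za-z][A-Za-z0-9-]*)(?:(:[-=?+])([^}]*))?\}")


def expand(template, request, reply, log=None):
    """Expand the %C{...} and %R{...} macros in template.

    request and reply map attribute names to values and may be modified by
    the ':=' form.  Diagnostics from the ':?' form are appended to log.
    """
    pairlists = {"C": request, "R": reply}
    if log is None:
        log = []

    def repl(m):
        kind, name, mode, arg = m.groups()
        pairs = pairlists[kind]
        present = name in pairs
        if mode is None:
            return str(pairs.get(name, ""))
        if mode == ":-":
            return str(pairs[name]) if present else arg
        if mode == ":=":
            if not present:
                pairs[name] = arg          # the attribute is created in the pairlist
            return str(pairs[name])
        if mode == ":?":
            if present:
                return str(pairs[name])
            log.append(f"{name}: {arg}")   # what radiusd would send to the error channel
            return arg
        return "" if present else arg      # mode == ":+"

    return MACRO_RE.sub(repl, template)


if __name__ == "__main__":
    # Constructed request and reply pairlists
    req = {"User-Name": "jsmith", "Acct-Session-Time": "120"}
    rep = {"Password-Expire-Days": "3"}
    print(expand("Password Will Expire in %R{Password-Expire-Days} Days", req, rep))
    print(expand("%C{Acct-Session-Time:-0} %C{Acct-Input-Octets:-0}", req, rep))
```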
You can also use the following shortcuts:
%p
%n
%f
%u
%c
%i
%t
%a
%s