These parameters define queries used to retrieve the authorization information from the SQL database. All the queries refer to the authentication database.
check_attr_query string
    Columns returned: attr-name, attr-value, opcode
    The query is executed before comparing the request with the profile entry. The values returned by the query are added to the LHS of the entry. opcode here means one of the valid operation codes: `=', `!=', `<', `>', `<=', `>='.
reply_attr_query string
    Columns returned: attr-name, attr-value
    The query is executed after a successful match; the values it returns are added to the RHS list of the matched entry and are therefore returned to the NAS in the reply packet.
Suppose your attribute information is stored in a SQL table of the following structure:
CREATE TABLE attrib (
user_name varchar(32) default '' not null,
attr char(32) default '' not null,
value char(128),
op enum("=", "!=", "<", ">", "<=", ">=") default null
);
Each row of the table contains one attribute-value pair for a given user. If the op field is NULL, the row describes a LHS (check) pair. Otherwise, it describes a RHS (reply) pair. The authorization queries for this table will look as follows:
check_attr_query SELECT attr,value,op \
FROM attrib \
WHERE user_name='%u' \
AND op IS NOT NULL
reply_attr_query SELECT attr,value \
FROM attrib \
WHERE user_name='%u' \
AND op IS NULL
Now, let's suppose `raddb/users' contains only one entry:
DEFAULT Auth-Type = SQL
Service-Type = Framed-User
And the attrib table contains the following rows:
| user_name | attr              | value       | op   |
| jsmith    | NAS-IP-Address    | 10.10.10.1  | =    |
| jsmith    | NAS-Port-Id       | 20          | <=   |
| jsmith    | Framed-Protocol   | PPP         | NULL |
| jsmith    | Framed-IP-Address | 10.10.10.11 | NULL |
Then, when the user jsmith tries to authenticate, the following happens:
1. The request matches the only entry (DEFAULT) in `raddb/users'.
2. The server executes check_attr_query. The triplets it returns are then added to the LHS of the profile entry. Thus, the LHS will contain:
   Auth-Type = SQL,
   NAS-IP-Address = 10.10.10.1,
   NAS-Port-Id <= 20
3. The Auth-Type attribute itself triggers execution of auth_query, described in the previous section.
4. The server executes reply_attr_query and adds its return to the list of RHS pairs. The RHS pairs will then be:
   Service-Type = Framed-User,
   Framed-Protocol = PPP,
   Framed-IP-Address = 10.10.10.11
   This list is returned to the NAS along with the authentication accept packet.
Thus, this configuration allows the user jsmith to use only
NAS 10.10.10.1, ports from 1 to 20 inclusive. If the user meets
these conditions, he is allowed to use PPP service, and is
assigned IP address 10.10.10.11.
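The following is an added example, not code from GNU Radius, that emulates the authorization flow above (check_attr_query, LHS comparison with the six opcodes, then reply_attr_query) against an in-memory SQLite copy of the attrib table. It assumes radiusd's `%u` placeholder can be modelled as a bound query parameter, that a LHS attribute absent from the request fails the match, and that the Auth-Type pair is left to auth_query.

```python
import operator
import sqlite3

# The operation codes allowed in the op column, mapped to comparison functions.
OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
       ">": operator.gt, "<=": operator.le, ">=": operator.ge}

# The two queries from the text; radiusd substitutes %u textually, here the
# user name is passed as a bound parameter instead (assumption of this emulation).
CHECK_ATTR_QUERY = ("SELECT attr,value,op FROM attrib "
                    "WHERE user_name=? AND op IS NOT NULL")
REPLY_ATTR_QUERY = ("SELECT attr,value FROM attrib "
                    "WHERE user_name=? AND op IS NULL")

# Constructed rows mirroring the attrib table in the text (SQLite has no enum).
SAMPLE_ROWS = [
    ("jsmith", "NAS-IP-Address", "10.10.10.1", "="),
    ("jsmith", "NAS-Port-Id", "20", "<="),
    ("jsmith", "Framed-Protocol", "PPP", None),
    ("jsmith", "Framed-IP-Address", "10.10.10.11", None),
]
# The single DEFAULT entry of raddb/users, split into LHS triplets and RHS pairs.
PROFILE_LHS = [("Auth-Type", "SQL", "=")]
PROFILE_RHS = [("Service-Type", "Framed-User")]


def make_db():
    """Create the in-memory attrib table and load the sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE attrib (user_name TEXT NOT NULL, "
               "attr TEXT NOT NULL, value TEXT, op TEXT)")
    db.executemany("INSERT INTO attrib VALUES (?,?,?,?)", SAMPLE_ROWS)
    return db


def _coerce(v):
    """Compare numerically when the value parses as an integer, else as text."""
    try:
        return int(v)
    except (TypeError, ValueError):
        return str(v)


def authorize(db, user, request, profile_lhs=PROFILE_LHS, profile_rhs=PROFILE_RHS):
    """Return (accepted, reply_pairs) for a request dict of attribute -> value."""
    lhs = list(profile_lhs) + db.execute(CHECK_ATTR_QUERY, (user,)).fetchall()
    for attr, value, op in lhs:
        if attr == "Auth-Type":          # handled by auth_query, not compared here
            continue
        if attr not in request or not OPS[op](_coerce(request[attr]), _coerce(value)):
            return False, []             # LHS mismatch: no reply attributes
    rhs = list(profile_rhs) + db.execute(REPLY_ATTR_QUERY, (user,)).fetchall()
    return True, rhs
```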