# test.cfg - this is the combined auth config that I threw together
#
# NOTE(review): the clause tags that group these directives (Radiator wraps
# them in elements such as <Client ...> and <AuthBy SQL>) are missing from
# this listing, so the directives appear flat. Restore them from the original.
# NOTE(review): this file carries RADIUS shared secrets and database
# credentials (shown redacted as runs of '#'); keep it readable only by the
# account that runs the server.

# NOTE(review): Foreground reads as commented out in this listing, while
# LogStdout is active - confirm which is intended.
# Foreground
LogStdout
LogDir /etc/radiator
DbDir .
DictionaryFile /etc/radiator/dictionary

# Use a lower trace level in production systems.
# NOTE(review): level 4 is presumably debug output that records per-request
# detail; treat the log directory as sensitive while it is enabled.
Trace 4

# RADIUS clients. Each group is one client: its identifier, its shared secret
# (redacted here) and its duplicate-detection interval.
# NOTE(review): DupInterval 0 presumably turns duplicate-request detection off
# for the client - confirm that this is wanted outside testing.
Identifier Cisco
Secret #######
DupInterval 0

Identifier Sophos
Secret ######
DupInterval 0

Identifier Paolo
Secret #######
DupInterval 0

#
# DBSource dbi:mysql:radiator:localhost:3306
# DBUsername ######
# DBAuth ########
# RefreshPeriod 300
#

# This is where we authenticate a PEAP inner request, which will be an
# EAP request. The username of the inner request will be anonymous by
# default, although the identity of the EAP request will be the real
# username we are trying to authenticate.
Identifier Cisco
DBSource dbi:mysql:radiator:localhost:3306
DBUsername #######
DBAuth #########
# Looks up the stored password for the user name substituted at %0.
# NOTE(review): whether %0 arrives SQL-quoted depends on the server version -
# confirm, or switch to the bound-variable form shown below.
# NOTE(review): the PASSWORD column is compared with User-Password, so it
# presumably holds a directly comparable value; if that is clear text, read
# access to SUBSCRIBERS discloses every credential.
AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME=%0
# You can use statement caching and bound variables with AuthSelectParam:
# AuthSelect select PASSWORD, FILTER from SUBSCRIBERS where USERNAME=?
# AuthSelectParam %u

# You can control what is done with each field returned from the
# AuthSelect query with the AuthColumnDef parameter:
# Field 0 of the AuthSelect result is used as a check item against User-Password.
AuthColumnDef 0, User-Password, check
# AuthColumnDef 1, Filter-Id, reply, formatted

# You may want to tailor these for your ACCOUNTING table
# You can add your own columns to store whatever you like
# Each AcctColumnDef maps a table column to a request attribute; a third
# field of "integer" marks the value as numeric.
AccountingTable ACCOUNTING
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
# NOTE(review): the non-integer columns are filled from attributes sent by
# the NAS; confirm that the server quotes them before they reach the INSERT.

# AcctFailedLogFileName /etc/radiator/missedaccounting
# SQLRecoveryFile /etc/radiator/missedaccounting
#
#RoundRobinOnFailure
#
# AuthBy SQL supports a number of special check items, with corresponding SQL queries for
# getting the counts:
#   Check Item               SQL Query Parameter
#   Max-All-Session          AcctTotalQuery
#   Max-Hourly-Session       AcctTotalSinceQuery
#   Max-Daily-Session        AcctTotalSinceQuery
#   Max-Monthly-Session      AcctTotalSinceQuery
#   Max-All-Octets           AcctTotalOctetsQuery
#   Max-All-Gigawords        AcctTotalGigawordsQuery
#   Max-Hourly-Octets        AcctTotalOctetsSinceQuery
#   Max-Hourly-Gigawords     AcctTotalGigawordsSinceQuery
#   Max-Daily-Octets         AcctTotalOctetsSinceQuery
#   Max-Daily-Gigawords      AcctTotalGigawordsSinceQuery
#   Max-Monthly-Octets       AcctTotalOctetsSinceQuery
#   Max-Monthly-Gigawords    AcctTotalGigawordsSinceQuery
# You can implement queries to get total session times in order
# to enforce Max-All-Session, Max-Daily-Session,
# Max-Hourly-Session and Max-Monthly-Session check items
# %0 is replaced by the username and %1 is replaced by the unix time of
# the start of
# the time interval concerned.
#AcctTotalQuery SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName=%0
#AcctTotalSinceQuery SELECT SUM(AcctSessionTime - GREATEST((%1 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName=%0 AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > %1
#AcctTotalOctetsQuery SELECT SUM(ACCTINPUTOCTETS + ACCTOUTPUTOCTETS) FROM ACCOUNTING WHERE USERNAME=%0
#
#AcctTotalOctetsSinceQuery SELECT SUM(ACCTINPUTOCTETS + ACCTOUTPUTOCTETS) FROM ACCOUNTING WHERE USERNAME=%0 AND TIME_STAMP > %1
#
#AcctTotalGigawordsQuery SELECT SUM(ACCTINPUTOCTETS + ACCTOUTPUTOCTETS) DIV 4294967296 + SUM(ACCTINPUTGIGAWORDS + ACCTOUTPUTGIGAWORDS) FROM ACCOUNTING WHERE USERNAME=%0
#
#AcctTotalGigawordsSinceQuery SELECT SUM(ACCTINPUTOCTETS + ACCTOUTPUTOCTETS) DIV 4294967296 + SUM(ACCTINPUTGIGAWORDS + ACCTOUTPUTGIGAWORDS) FROM ACCOUNTING WHERE USERNAME=%0 AND TIME_STAMP > %1
#
# If you are using EAP-FAST and wish to store PACs in a database (or to pre-provision
# PACs in a database), define the CreateEAPFastPACQuery and GetEAPFastPACQuery parameters
# to save and get PAC data
# CreateEAPFastPACQuery insert into EAPFAST_PAC (PAC_OPAQUE, PAC_LIFETIME, PAC_KEY) values ('%0', '%1', '%2')
# GetEAPFastPACQuery select PAC_LIFETIME, PAC_KEY from EAPFAST_PAC where PAC_OPAQUE='%0' and PAC_LIFETIME >= %1
#
# If group membership is to be checked, this optional parameter defines the SQL
# query that will be used to get the names of the group(s) to which the user belongs.
# %0 is replaced by the user name being checked. %1 is replaced by the group name being checked.
# It is expected to return a single row, where the first field is the name of the group the user belongs to.
# You can also use GroupMembershipQueryParam to provide bound variables.
# %0 is replaced by the user name being checked. %1 is replaced by the group name being checked.
#GroupMembershipQuery select GROUPNAME from GROUPS where USERNAME=? and GROUPNAME=?
#GroupMembershipQueryParam %0
#GroupMembershipQueryParam %1

# NOTE(review): the clause tags that separate the groups below are missing
# from this listing; the directives are shown flat.

# Session database settings, referred to elsewhere by the identifier "radiator".
Identifier radiator
DBSource dbi:mysql:radiator:localhost:3306
DBUsername ######
DBAuth ###########
# Records a new session row in RADONLINE.
# NOTE(review): '%u' and '%{Framed-IP-Address}' are pasted into the statement
# text between hand-written quotes, so a value containing a quote character
# changes the statement. Both values come from the request. Prefer a
# server-quoted substitution or bound variables if the Radiator version in use
# offers them for this query - confirm against its reference manual.
AddQuery insert into RADONLINE (USERNAME, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS) values ('%u', %3, %{Timestamp}, '%{Framed-IP-Address}')

# Authentication log written to a per-month file.
Filename %L/%m-%Y-LKSD
LogSuccess 1
LogFailure 1
# NOTE(review): %P is, as far as I know, the decrypted User-Password of the
# request; if so, every failed attempt stores the submitted password in clear
# text in this log. Confirm, then drop %P or restrict who can read the file.
FailureFormat %l:%n:%P:POP%{Called-Station-Id}:%{Calling-Station-Id}:%1
SuccessFormat %l:%n:OK

# SQL authentication settings for the Sophos identifier.
Identifier Sophos
DBSource dbi:mysql:radiator:localhost:3306
DBUsername ######
DBAuth ############
# Looks up the stored password for the user name substituted at %0.
# NOTE(review): confirm that %0 arrives SQL-quoted in this server version, or
# use a "?" placeholder with AuthSelectParam.
AuthSelect select Password from RadUsers where Username=%0
# Field 0 of the AuthSelect result is used as a check item against User-Password.
AuthColumnDef 0, User-Password, check
# AuthColumnDef 1, Filter-Id, reply, formatted

# You may want to tailor these for your ACCOUNTING table
# You can add your own columns to store whatever you like
AccountingTable ACCOUNTING
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
#
# If group membership is to be checked, this optional parameter defines the SQL
# query that will be used to get the names of the group(s) to which the user belongs.
# %0 is replaced by the user name being checked. %1 is replaced by the group name being checked.
# It is expected to return a single row, where the first field is the name of the group the user belongs to.
# You can also use GroupMembershipQueryParam to provide bound variables.
# %0 is replaced by the user name being checked. %1 is replaced by the group name being checked.
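# Group lookup for the user being checked.
# The listing wrapped %0 in backticks, which MySQL reads as an identifier
# (a column name) rather than a string value. It also supplied two
# GroupMembershipQueryParam values to a statement with no "?" placeholders.
# The query now takes both values as bound variables, in the order the
# GroupMembershipQueryParam lines give them: user name, then group name.
GroupMembershipQuery SELECT Groupname FROM RadUsers WHERE Username=? AND Groupname=?
GroupMembershipQueryParam %0
GroupMembershipQueryParam %1
#AddToReply Reply-Message = "Test"
AddToReply Reply-Message = "%1"
#AddToReply Reply-Message =
# A second form of the query followed the line above in the listing. It is
# kept here as a comment so that only one definition is active, and it has no
# placeholders for the two bound values either.
#GroupMembershipQuery select Groupname from RadUsers where Username=%0 and Groupname=%1

# NOTE(review): the clause tags that separate the groups below are missing
# from this listing; the directives are shown flat.

# Session database settings, referred to elsewhere by the identifier "radiator".
Identifier radiator
DBSource dbi:mysql:radiator:localhost:3306
DBUsername #########
DBAuth ###################
# Records a new session row in RADONLINE.
# NOTE(review): '%u' and '%{Framed-IP-Address}' are pasted into the statement
# text between hand-written quotes, so a value containing a quote character
# changes the statement. Both values come from the request. Prefer a
# server-quoted substitution or bound variables if the Radiator version in use
# offers them for this query - confirm against its reference manual.
AddQuery insert into RADONLINE (USERNAME, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS) values ('%u', %3, %{Timestamp}, '%{Framed-IP-Address}')

# Authentication log written to a per-month file.
Filename %L/%m-%Y-LKSD
LogSuccess 1
LogFailure 1
# NOTE(review): %P is, as far as I know, the decrypted User-Password of the
# request; if so, every failed attempt stores the submitted password in clear
# text in this log. Confirm, then drop %P or restrict who can read the file.
FailureFormat %l:%n:%P:POP%{Called-Station-Id}:%{Calling-Station-Id}:%1
SuccessFormat %l:%n:OK

# SQL authentication settings for the Paolo identifier.
Identifier Paolo
DBSource dbi:mysql:radiator:localhost:3306
DBUsername #######
DBAuth ###############
# Looks up the stored password for the user name substituted at %0.
# NOTE(review): confirm that %0 arrives SQL-quoted in this server version, or
# use a "?" placeholder with AuthSelectParam.
AuthSelect select Password from RadUsers where Username=%0
# Field 0 of the AuthSelect result is used as a check item against User-Password.
AuthColumnDef 0, User-Password, check
# AuthColumnDef 1, Filter-Id, reply, formatted

# You may want to tailor these for your ACCOUNTING table
# You can add your own columns to store whatever you like
AccountingTable ACCOUNTING
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
#
# If group membership is to be checked, this optional parameter defines the SQL
# query that will be used to get the names of the group(s) to which the user belongs.
# %0 is replaced by the user name being checked. %1 is replaced by the group name being checked.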
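# It is expected to return a single row, where the first field is the name of the group the user belongs to.
# You can also use GroupMembershipQueryParam to provide bound variables.
# %0 is replaced by the user name being checked. %1 is replaced by the group name being checked.
#
# The listing wrapped %0 in backticks, which MySQL reads as an identifier
# (a column name) rather than a string value. It also supplied two
# GroupMembershipQueryParam values to a statement with no "?" placeholders.
# The query now takes both values as bound variables, in the order the
# GroupMembershipQueryParam lines give them: user name, then group name.
GroupMembershipQuery SELECT Groupname FROM RadUsers WHERE Username=? AND Groupname=?
GroupMembershipQueryParam %0
GroupMembershipQueryParam %1
#AddToReply Reply-Message = "Test"
AddToReply Reply-Message = "%1"
#AddToReply Reply-Message =
# A second form of the query followed the line above in the listing. It is
# kept here as a comment so that only one definition is active, and it has no
# placeholders for the two bound values either.
#GroupMembershipQuery select Groupname from RadUsers where Username=%0 and Groupname=%1

# NOTE(review): the clause tags that separate the groups below are missing
# from this listing; the directives are shown flat.

# Session database settings, referred to below by the identifier "radiator".
Identifier radiator
DBSource dbi:mysql:radiator:localhost:3306
DBUsername ######
DBAuth ############
# Records a new session row in RADONLINE.
# NOTE(review): '%u' and '%{Framed-IP-Address}' are pasted into the statement
# text between hand-written quotes, so a value containing a quote character
# changes the statement. Both values come from the request. Prefer a
# server-quoted substitution or bound variables if the Radiator version in use
# offers them for this query - confirm against its reference manual.
AddQuery insert into RADONLINE (USERNAME, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS) values ('%u', %3, %{Timestamp}, '%{Framed-IP-Address}')

# Authentication log written to a per-month file.
Filename %L/%m-%Y-LKSD
LogSuccess 1
LogFailure 1
# NOTE(review): %P is, as far as I know, the decrypted User-Password of the
# request; if so, every failed attempt stores the submitted password in clear
# text in this log. Confirm, then drop %P or restrict who can read the file.
FailureFormat %l:%n:%P:POP%{Called-Station-Id}:%{Calling-Station-Id}:%1
SuccessFormat %l:%n:OK

# Request routing: each group below names the session database, the
# authenticator (by identifier) and the accounting log file for one client.
# NOTE(review): the conditions that select each group are not visible in this
# listing. The accounting files hold per-user session data, so their
# directories need restricted permissions.
SessionDatabase radiator
#AuthLog
AuthBy Cisco
AcctLogFileName /etc/radiator/cisco/%m-%Y-Local

SessionDatabase radiator
# AuthLog /etc/radiator/sophos
AuthBy Sophos
AcctLogFileName /etc/radiator/sophos/%m-%Y-Local

SessionDatabase radiator
# AuthLog /etc/radiator/paolo
AuthBy Paolo
AcctLogFileName /etc/radiator/paolo/%m-%Y-Local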