uncomment (slightly) and clarify documentation
for "sql_session_start" policies
alandekok committed Jul 3, 2018
1 parent 4c46c56 commit d0ef0e8
Showing 5 changed files with 711 additions and 613 deletions.
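--- a/raddb/mods-config/sql/main/mssql/queries.conf
+++ b/raddb/mods-config/sql/main/mssql/queries.conf
@@ -121,69 +121,70 @@ accounting {
 query = "${..accounting-on.query}"
 }
 
-#
-# Empty accounting sessions can be created during post-auth.
-# This adds robustness to the simultaneous check as it becomes impossible to start multiple sessions in parallel.
-# (with the standard accounting record creation, it's possible to bypass the simultaneous check by starting serveral sessions at the same time)
-# When using this, the 'insert' statements in the start, interim-update & stop sections need to be replaced with the commented out 'update' query.
-#
-# post-auth {
-# query = "\
-# INSERT INTO ${....acct_table1} \
-# INSERT INTO ${....acct_table1} ( \
-# AcctSessionId, \
-# AcctUniqueId, \
-# UserName, \
-# Realm, \
-# NASIPAddress, \
-# NASPort, \
-# NASPortType, \
-# AcctStartTime, \
-# AcctSessionTime, \
-# AcctAuthentic, \
-# ConnectInfo_start, \
-# ConnectInfo_stop, \
-# AcctInputOctets, \
-# AcctOutputOctets, \
-# CalledStationId, \
-# CallingStationId, \
-# AcctTerminateCause, \
-# ServiceType, \
-# FramedProtocol, \
-# FramedIPAddress) \
-# VALUES(\
-# '%{Acct-Session-Id}', \
-# '%{Acct-Unique-Session-Id}', \
-# '%{SQL-User-Name}', \
-# '%{Realm}', \
-# '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', \
-# '%{%{NAS-Port-ID}:-%{NAS-Port}}', \
-# '%{NAS-Port-Type}', \
-# '%S', \
-# 0, \
-# '', \
-# '%{Connect-Info}', \
-# '', \
-# 0, \
-# 0, \
-# '%{Called-Station-Id}', \
-# '%{Calling-Station-Id}', \
-# '', \
-# '%{Service-Type}', \
-# '', \
-# '')"
-#
-# query = "\
-# UPDATE ${....acct_table1} SET \
-# AcctStartTime = '%S', \
-# ConnectInfo_start = '%{Connect-Info}' \
-# AcctSessionId = '%{Acct-Session-Id}', \
-# WHERE UserName = '%{SQL-User-Name}' \
-# AND NASIPAddress = '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \
-# AND NASPortId = '%{%{NAS-Port-ID}:-%{NAS-Port}}' \
-# AND NASPortType = '%{NAS-Port-Type}' \
-# AND AcctStopTime IS NULL"
-# }
+#
+# Implement the "sql_session_start" policy.
+# See raddb/policy.d/accounting for more details.
+#
+# You also need to fix the other queries as
+# documented below. Look for "sql_session_start".
+#
+post-auth {
+query = "\
+INSERT INTO ${....acct_table1} \
+INSERT INTO ${....acct_table1} ( \
+AcctSessionId, \
+AcctUniqueId, \
+UserName, \
+Realm, \
+NASIPAddress, \
+NASPort, \
+NASPortType, \
+AcctStartTime, \
+AcctSessionTime, \
+AcctAuthentic, \
+ConnectInfo_start, \
+ConnectInfo_stop, \
+AcctInputOctets, \
+AcctOutputOctets, \
+CalledStationId, \
+CallingStationId, \
+AcctTerminateCause, \
+ServiceType, \
+FramedProtocol, \
+FramedIPAddress) \
+VALUES(\
+'%{Acct-Session-Id}', \
+'%{Acct-Unique-Session-Id}', \
+'%{SQL-User-Name}', \
+'%{Realm}', \
+'%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', \
+'%{%{NAS-Port-ID}:-%{NAS-Port}}', \
+'%{NAS-Port-Type}', \
+'%S', \
+0, \
+'', \
+'%{Connect-Info}', \
+'', \
+0, \
+0, \
+'%{Called-Station-Id}', \
+'%{Calling-Station-Id}', \
+'', \
+'%{Service-Type}', \
+'', \
+'')"
+
+query = "\
+UPDATE ${....acct_table1} SET \
+AcctStartTime = '%S', \
+ConnectInfo_start = '%{Connect-Info}' \
+AcctSessionId = '%{Acct-Session-Id}', \
+WHERE UserName = '%{SQL-User-Name}' \
+AND NASIPAddress = '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \
+AND NASPortId = '%{%{NAS-Port-ID}:-%{NAS-Port}}' \
+AND NASPortType = '%{NAS-Port-Type}' \
+AND AcctStopTime IS NULL"
+}
 
 start {
 query = "\
@@ -236,25 +237,31 @@ accounting {
 '0', \
 '%{X-Ascend-Session-Svr-Key}')"
 
-#
-# Replace above query with this one when accounting session is created in post-auth
-#
-# query = "\
-# UPDATE ${....acct_table1} \
-# SET \
-# AcctSessionId = '%{Acct-Session-Id}', \
-# AcctUniqueId = '%{Acct-Unique-Session-Id}', \
-# AcctAuthentic = '%{Acct-Authentic}', \
-# ConnectInfo_start = '%{Connect-Info}', \
-# ServiceType = '%{Service-Type}', \
-# FramedProtocol = '%{Framed-Protocol}', \
-# FramedIpAddress = '%{Framed-IP-Address}', \
-# AcctStartTime = '%S' \
-# WHERE UserName = '%{SQL-User-Name}' \
-# AND NASIPAddress = '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \
-# AND NASPortId = '%{%{NAS-Port-ID}:-%{NAS-Port}}' \
-# AND NASPortType = '%{NAS-Port-Type}' \
-# AND AcctStopTime IS NULL"
+#
+# When using "sql_session_start", you should comment out
+# the previous query, and enable this one.
+#
+# Just change the previous query to "-query",
+# and this one to "query". The previous one
+# will be ignored, and this one will be
+# enabled.
+#
+-query = "\
+UPDATE ${....acct_table1} \
+SET \
+AcctSessionId = '%{Acct-Session-Id}', \
+AcctUniqueId = '%{Acct-Unique-Session-Id}', \
+AcctAuthentic = '%{Acct-Authentic}', \
+ConnectInfo_start = '%{Connect-Info}', \
+ServiceType = '%{Service-Type}', \
+FramedProtocol = '%{Framed-Protocol}', \
+FramedIpAddress = '%{Framed-IP-Address}', \
+AcctStartTime = '%S' \
+WHERE UserName = '%{SQL-User-Name}' \
+AND NASIPAddress = '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \
+AND NASPortId = '%{%{NAS-Port-ID}:-%{NAS-Port}}' \
+AND NASPortType = '%{NAS-Port-Type}' \
+AND AcctStopTime IS NULL"
 
 query = "\
 UPDATE ${....acct_table1} \
@@ -316,26 +323,32 @@ accounting {
 '0', \
 '%{X-Ascend-Session-Svr-Key}')"
 
-#
-# Replace above query with this one when accounting session is created in post-auth
-#
-# query = "\
-# UPDATE ${....acct_table1} \
-# SET \
-# AcctSessionId = '%{Acct-Session-Id}', \
-# AcctUniqueId = '%{Acct-Unique-Session-Id}', \
-# AcctAuthentic = '%{Acct-Authentic}', \
-# ConnectInfo_start = '%{Connect-Info}', \
-# ServiceType = '%{Service-Type}', \
-# FramedProtocol = '%{Framed-Protocol}', \
-# FramedIpAddress = '%{Framed-IP-Address}', \
-# AcctInputOctets = convert(bigint, '%{%{Acct-Input-Gigawords}:-0}' * POWER(2.0, 32)) | '%{%{Acct-Input-Octets}:-0}', \
-# AcctOutputOctets = convert(bigint, '%{%{Acct-Output-Gigawords}:-0}' * POWER(2.0, 32)) | '%{%{Acct-Output-Octets}:-0}', \
-# WHERE UserName = '%{SQL-User-Name}' \
-# AND NASIPAddress = '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \
-# AND NASPortId = '%{%{NAS-Port-ID}:-%{NAS-Port}}' \
-# AND NASPortType = '%{NAS-Port-Type}' \
-# AND AcctStopTime IS NULL"
+#
+# When using "sql_session_start", you should comment out
+# the previous query, and enable this one.
+#
+# Just change the previous query to "-query",
+# and this one to "query". The previous one
+# will be ignored, and this one will be
+# enabled.
+#
+-query = "\
+UPDATE ${....acct_table1} \
+SET \
+AcctSessionId = '%{Acct-Session-Id}', \
+AcctUniqueId = '%{Acct-Unique-Session-Id}', \
+AcctAuthentic = '%{Acct-Authentic}', \
+ConnectInfo_start = '%{Connect-Info}', \
+ServiceType = '%{Service-Type}', \
+FramedProtocol = '%{Framed-Protocol}', \
+FramedIpAddress = '%{Framed-IP-Address}', \
+AcctInputOctets = convert(bigint, '%{%{Acct-Input-Gigawords}:-0}' * POWER(2.0, 32)) | '%{%{Acct-Input-Octets}:-0}', \
+AcctOutputOctets = convert(bigint, '%{%{Acct-Output-Gigawords}:-0}' * POWER(2.0, 32)) | '%{%{Acct-Output-Octets}:-0}', \
+WHERE UserName = '%{SQL-User-Name}' \
+AND NASIPAddress = '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \
+AND NASPortId = '%{%{NAS-Port-ID}:-%{NAS-Port}}' \
+AND NASPortType = '%{NAS-Port-Type}' \
+AND AcctStopTime IS NULL"
 }
 
 stop {
@@ -401,30 +414,36 @@ accounting {
 '0', \
 '%{%{Acct-Delay-Time}:-0}')"
 
-#
-# Replace above query with this one when accounting session is created in post-auth
-#
-# query = "\
-# UPDATE ${....acct_table1} \
-# SET \
-# AcctSessionId = '%{Acct-Session-Id}', \
-# AcctUniqueId = '%{Acct-Unique-Session-Id}', \
-# AcctAuthentic = '%{Acct-Authentic}', \
-# ConnectInfo_start = '%{Connect-Info}', \
-# ServiceType = '%{Service-Type}', \
-# FramedProtocol = '%{Framed-Protocol}', \
-# FramedIpAddress = '%{Framed-IP-Address}', \
-# AcctStopTime = '%S', \
-# AcctSessionTime = %{Acct-Session-Time}, \
-# AcctInputOctets = convert(bigint, '%{%{Acct-Input-Gigawords}:-0}' * POWER(2.0, 32)) | '%{%{Acct-Input-Octets}:-0}', \
-# AcctOutputOctets = convert(bigint, '%{%{Acct-Output-Gigawords}:-0}' * POWER(2.0, 32)) | '%{%{Acct-Output-Octets}:-0}', \
-# AcctTerminateCause = '%{Acct-Terminate-Cause}', \
-# ConnectInfo_stop = '%{Connect-Info}' \
-# WHERE UserName = '%{SQL-User-Name}' \
-# AND NASIPAddress = '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \
-# AND NASPortId = '%{%{NAS-Port-ID}:-%{NAS-Port}}' \
-# AND NASPortType = '%{NAS-Port-Type}' \
-# AND AcctStopTime IS NULL"
+#
+# When using "sql_session_start", you should comment out
+# the previous query, and enable this one.
+#
+# Just change the previous query to "-query",
+# and this one to "query". The previous one
+# will be ignored, and this one will be
+# enabled.
+#
+-query = "\
+UPDATE ${....acct_table1} \
+SET \
+AcctSessionId = '%{Acct-Session-Id}', \
+AcctUniqueId = '%{Acct-Unique-Session-Id}', \
+AcctAuthentic = '%{Acct-Authentic}', \
+ConnectInfo_start = '%{Connect-Info}', \
+ServiceType = '%{Service-Type}', \
+FramedProtocol = '%{Framed-Protocol}', \
+FramedIpAddress = '%{Framed-IP-Address}', \
+AcctStopTime = '%S', \
+AcctSessionTime = %{Acct-Session-Time}, \
+AcctInputOctets = convert(bigint, '%{%{Acct-Input-Gigawords}:-0}' * POWER(2.0, 32)) | '%{%{Acct-Input-Octets}:-0}', \
+AcctOutputOctets = convert(bigint, '%{%{Acct-Output-Gigawords}:-0}' * POWER(2.0, 32)) | '%{%{Acct-Output-Octets}:-0}', \
+AcctTerminateCause = '%{Acct-Terminate-Cause}', \
+ConnectInfo_stop = '%{Connect-Info}' \
+WHERE UserName = '%{SQL-User-Name}' \
+AND NASIPAddress = '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' \
+AND NASPortId = '%{%{NAS-Port-ID}:-%{NAS-Port}}' \
+AND NASPortType = '%{NAS-Port-Type}' \
+AND AcctStopTime IS NULL"
 }
 
 #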
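Review bot: The `post-auth` queries that the first hunk turns from a commented example into active configuration are not valid SQL as written: the INSERT opens with `INSERT INTO ${....acct_table1} \` twice, and the UPDATE's SET list lacks a comma after `ConnectInfo_start = '%{Connect-Info}'` while `AcctSessionId = '%{Acct-Session-Id}',` keeps a trailing comma directly before `WHERE`. While the block was commented out this was harmless; once live, the statements will presumably be rejected by the database, so the placeholder session row that the removed comment describes as closing the parallel-login bypass of the simultaneous-use check would not be written. Drop the duplicate `INSERT INTO` line and write the two SET lines as `ConnectInfo_start = '%{Connect-Info}', \` and `AcctSessionId = '%{Acct-Session-Id}' \`. The interim-update `-query` in the third hunk has the same trailing comma after its `AcctOutputOctets` line and will fail the same way once someone enables it as the new comment instructs. In the stop `-query`, `AcctSessionTime = %{Acct-Session-Time},` is the only expansion interpolated unquoted and without the `:-0` default used for the other counters, so an absent attribute yields a broken statement; `'%{%{Acct-Session-Time}:-0}'` would match the rest of the file.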
