SQL Authentication Header Files

[Contents] [Prev] [Next] [Index] [Report an Error] [No Frames]

Steel-Belted Radius Carrier 7.2.x Reference Guide > SQL Authentication Files > SQL Authentication Header Files
SQL Authentication Header Files
The header files used to configure SQL authentication methods must have the .aut extension; for example, radsql.aut. The format of a header file is comparable to that of a Windows INI file: it is composed of several sections; section names are enclosed in brackets; each section may contain multiple parameter/value pairs.

[Bootstrap] Section

The [Bootstrap] section (Table 123) of the SQL authentication header file specifies information that Steel-Belted Radius Carrier uses to load and start an SQL authentication method.
[Bootstrap]
LibraryName=radsql.auth_ora.so
Enable=0
InitializationString=SQL
AcceptsAuthorizeOnly=1
Table 123: *.aut [Bootstrap] Syntax

Parameter

Function

AcceptsAuthorizeOnly

If set to 1, Authorize Only requests are accepted for this authentication method, when all of the following conditions are true:

The Access-Request contains the Service-Type attribute with a value=Authorize-Only

Message-Authenticator is present and valid

A session already exists in SBR Carrier for the AAA session ID (WiMAX or 3GPP2)

AuthorizeOnly=1 in the [Configuration] section of radius.ini

If set to 0, Authorize Only requests are not accepted for this authentication method regardless of whether AuthorizeOnly=1 in radius.ini.

NOTE: SBR Carrier is only able to process Authorize-Only requests for WiMAX and 3GPP2 sessions because a session must be located in the current session table, indexed by a WiMAX or 3GPP2 AAA Session Id.

LibraryName

Specifies the name of the SQL authentication module.

Enter radsql_auth_ora.so for Oracle.

Enter radsql_auth_jdbc.so for JDBC.

Enable

Specifies whether the SQL authentication method is enabled.

If set to 0, the authentication method is disabled and does not appear in the Authentication Methods list displayed in the Authentication Policies>Order of Methods panel in SBR Administrator.

If set to 1, the authentication method is enabled.

Default value is 0.

InitializationString

Specifies the name of the authentication method to appear in the Authentication Methods list displayed in the Authentication Policies>Order of Methods panel in SBR Administrator.

In the sample header file, this entry is set to SQL. You can modify this name as needed.

The name of each authentication method must be unique. If you create additional .aut files to implement authentication against multiple databases, the InitializationString value in each file must specify a unique method name.

[FailedSuccessResultAttributes] Section

The [FailedSuccessResultAttributes] section (Table 124) of the SQL authentication header file can be used to map any RADIUS attribute returned from the database. Attributes can be specified in two ways:

Attributes can be specified with a literal value enclosed in single quotes. Values must be enclosed with single quotes, even when they represent numeric values.

Attributes can be specified with a numeric value that corresponds to the ordering of values returned from the SQL select statement.

Precede attribute names with @ and enter them as they appear in the dictionary (.dct) files, or the subattribute dictionary (.jdict) files. Enclose attribute values (including integers and IP addresses) in single quotes. For example:
[FailedSuccessResultAttributes]
@Reply-Message = 'Please re-enter your password.'
@Filter-Id = '3'
[Failure] Section

The [Failure] section of the SQL authentication header file can be used to determine the result of the authentication process (accept or reject) when connectivity to all of the configured SQL databases has failed. For example:
[Failure]
Accept = 1
Profile = XYZ
FullName = Unauthenticated!
 NOTE: The Profile option and the Alias option cannot be used together. Read the following descriptions and choose the one that suits your needs.
Table 124: *.aut [Failure] Syntax

Parameter

Function

Accept

If set to 1, Steel-Belted Radius Carrier returns an Access-Accept packet with the Profile and any combination of the FullName and Alias attributes specified in the corresponding [Failure] section parameters.

If set to 0, the user is rejected.

Profile

Specifies the name of a Steel-Belted Radius Carrier profile whose check list and return list attributes are applied to the user's connection.

FullName

By indicating a FullName, Steel-Belted Radius Carrier returns a value in the class attribute, allowing for all [Failure] connections to be accounted.

Alias

As an alternative to using the Profile parameter, you can use the Alias parameter to name an existing Steel-Belted Radius Carrier Native User entry. Steel-Belted Radius Carrier then applies the check list and return list attributes of this User entry to the user's connection.

NOTE: The Alias feature permits the Maximum Concurrent Connection limit (which is configured in the Add Users dialog) to be applied to the user's connection.

NOTE: For security, Native User entries without passwords cannot be authenticated. Therefore, setting up Native User entries in preparation for using the Alias parameter with SQL authentication does not pose a "back door" security risk.

NOTE: The Native User authentication method displayed in the Authentication Policies panel does not need to be activated for the Alias feature to work.

NOTE: Individual attributes retrieved from the external database override profile attributes of the same name.

[Results] Section

The [Results] section (Table 125) of the SQL authentication header file maps the columns named in its SELECT query to the type of data that Steel-Belted Radius Carrier expects these columns to contain.
[Results]
Password=1/48
Profile=2/48
The following parameters (Table 125) may be present in a [Results] section. Each parameter represents a type of data required to authenticate an Access-Request, and if desired, apply authorization information as well.

NOTE: The Profile option and the Alias option cannot be used together. Read the following descriptions and choose the one that suits your needs.

Table 125: *.aut [Results] Syntax

Parameter

Function

%LoginLimit

Specifies the name of the variable identifying the Maximum Concurrent Connection limits.

%Password

The value returned from this column is understood to be the user's password. The value returned by the SQL query is then matched with the user's password received in the Access-Request.

By default, Steel-Belted Radius Carrier expects the user's password to stored in the SQL table in clear-text format. If you want to configure Steel-Belted Radius Carrier to expect that the password value is encrypted with UNIXcrypt, then set PasswordFormat to 3 in the [Settings] section of the SQL authentication header file.

%Profile

The value returned from this column is interpreted as the name of the profile to associate with the user. The value returned by the SQL query is matched with an existing Profile entry of the same name. If the value is prof1, and a Profile called prof1 exists in the Steel-Belted Radius Carrier database, any return list or check list attributes in prof1 are applied to the user's connection.

If the value cannot be matched with an existing Profile in the Steel-Belted Radius Carrier database, the user is rejected due to "Insufficient Resources."

%ProxyRealm

Specifies the realm to which the authentication must be proxied. If ProxyRealm is not set, Routed Proxy does not occur.

%ProxyUserName

Specifies the User-Name attribute, which must be sent in the proxy request. If ProxyUserName is not set, the User-Name from the original request packet is used.

NOTE: Enter the value for %ProxyUserName in capital letters.

%Alias

Specifies the value returned from this column that is matched with an existing Steel-Belted Radius Carrier Native User entry of the same name.

For example, if the value is max1, and a native user called max1 exists in the Steel-Belted Radius Carrier database, then any return list or check list attributes, as well as any concurrent connection limit configured for max1, are applied to the user's connection.

If you want to apply concurrent connection limits to users who are being authenticated by means of SQL, you must set up a Native User entry with no password.

NOTE: Use of %Alias is not recommended. Instead, use %Profile.

The %LoginLimit value lets you implement the concurrent connection limits previously available through %Alias.

Generally, even if a very large number of users resides in the SQL database, you need to add only one or two Native User entries to the Steel-Belted Radius Carrier database. The concurrent connection limit associated with a single Native User entry may be applied to any number of users in the SQL database. Often a Native User entry with a connection limit of 1, and a second Native User entry with a connection limit of 2, is sufficient for an entire SQL database.

For example, analog users may be allowed a connection limit of 1, while ISDN users are allowed a connection limit of 2.

NOTE: The Native User authentication method displayed in the Authentication Policies panel does not need to be activated for the %Alias feature to work.

%FullName

The value returned from this column is interpreted as the full name of the user. This feature is often used to distinguish the user's full name from the actual User-Name sent in the Access-Request.

RADIUS attributes

Any RADIUS attribute (preceded by an @) can be returned from the database and mapped into the [Results] section. Use attribute names as they appear in the appropriate .dct or .jdict (subattributes) files.

Consider the following SELECT statement:
SELECT user_pwd, attribs, fullname FROM rasusers WHERE user_id = %name
where user_pwd, attribs, fullname, and user_id are the names of columns in the SQL table, and rasusers is the name of the SQL table itself. The [Results] section of this header file must map the SQL table columns user_pwd, attribs, and fullname to authentication and/or authorization data types; for example.
[Results]
Password=1
Profile=2
FullName=3
Columns in the SQL query are identified in the [Results] section by number; 1 represents the first column in the SELECT query (from left to right), and if other columns are also referenced, 2 represents the second, and 3 the third.

Along with a number representing the column order, each entry in the [Results] section also specifies the storage format of the column in the SQL table, using the same slash (/), length, and type conventions as the SQL query.

Default [Results] Parameters

The DefaultResults flag in the [Settings] section of radsql.auth_ora.so specifies whether default values for Password, Profile, Alias, and FullName are automatically bound to the returned SQL data. The default radsql.auth_ora.so file sets it to 0.

With DefaultResults=0, the results list is no longer automatically bound, and only explicit columns in the [Results] section, or embedded Parameters to a stored procedure, are used. This is the recommended setting.

The DefaultResults=1 option remains only for backward-compatibility with old .aut files that rely on the default results behavior to ensure that the set of default columns are automatically bound.

[Server] Section

Steel-Belted Radius Carrier can maintain multiple SQL server connections and authenticate users against authentication databases in a round-robin fashion. This convention distributes the authentication workload across several servers.

The [Server] section (Table 126) of the SQL authentication header file gives Steel-Belted Radius Carrier a pool of servers from which to create the round-robin list. The [Server] section names each server that might be used. It also provides rules for when to include or exclude each of the possible servers in the round-robin list.
[Server]
ServerName=TargetNumber
ServerName=TargetNumber
.
.
.


 Table 126:  *.aut [Server] Syntax

 Parameter
 Function

 ServerName

 The name of the header file section that contains configuration information for that server.


 TargetNumber

 An activation target number, a number that controls when this server is activated for backup purposes.
 TargetNumber is optional and may be left blank.
A Steel-Belted Radius Carrier server maintains connectivity with its SQL servers according to the following rules:

The priority of the server by order. The first entry in the [Server] section has the highest priority.

By activation target number. The rule for the activation target is that if the number of SQL servers to which Steel-Belted Radius Carrier is connected is less than the activation target, Steel-Belted Radius Carrier connects to the server and includes it in the round-robin list. While the number of active servers is equal to or greater that the activation target, Steel-Belted Radius Carrier does not use that server in the round-robin list. An activation target of 0 indicates that, in the current configuration, this machine is never used.

[Server/name] Sections

You must provide a [Server/name] section for each server you named in the [Server] section:
[Server/name]
Connect=username/password@servicename
where the values for username and password are specific to the SQL database, and servicename is the Oracle service name.

NOTE: Do not use the SA account or leave the password blank.

Last Resort Server

You may identify a "last resort" SQL server by providing a LastResort parameter in one of these [Server/name] sections, and setting its value to 1. If a SQL query against some other server results in "no record found," the authentication server tries the last resort server before accepting or rejecting the user.

In the following example, server s3 is the last resort server. The @mydb string refers to the service name for an Oracle database in the tnsnames.ora file (the server cannot connect to the Oracle database without this).
[Server]
s1=2
s2=2
s3=1
[Server/s1]
Connect=system1/manager
[Server/s2]
Connect=system2/manager@mydb2
[Server/s3]
Connect=system3/manager@mydb3
LastResort = 1
You might use the LastResort parameter to identify your master accounts database. This enables Steel-Belted Radius Carrier to authenticate the user in the case where a user account is newly added to the master accounts database but has not yet been propagated to all the SQL databases.

[Settings] Section

The [Settings] section (Table 127) of the SQL authentication header file defines parameters that control the database connection.
[Settings]
Connect=DSN=<dsn_name_here>;UID=<username_for_dB>;PWD=<password_for
_dB>
SQL=SELECT password, profile FROM userlist WHERE name = %name/40
ParameterMarker=?
MaxConcurrent=1
ConcurrentTimeout=30
ConnectTimeout=25
QueryTimeout=25
WaitReconnect=2
MaxWaitReconnect=360
PasswordFormat=0
DefaultResults=0
ErrorMap=oracle.ini
Table 127: *.aut [Settings] Syntax

Parameter

Function

ConcurrentTimeout

Specifies the number of seconds a request may wait for execution before it is discarded. Because there may be only up to MaxConcurrent SQL statements executing at one time, new requests must be queued as they arrive until other statements are processed.

NOTE: The MaxConcurrent parameter is valid only for Oracle SQL authentication (radsql.aut). It is not valid for JDBC SQL authentication (radsqljdbc.aut).

Connect

Specifies the string that must be passed to the database client engine to establish a connection to the database. This string has (or refers to) information about the name of the database, its location on the network, the password required to access it, and so forth.

The format of the connect string depends on the type of database you use:

Oracle:
Connect=<dB_username>/<dB_password>

JDBC: Connect=DSN=<jdbc:provider:driver:dsn_name_here>;UID=<username_for_dB>;PWD=<password_for_dB>

ConnectDelimiter

(JDBC only) Specifies the character used to separate fields (DSN, UID, PWD) in the connect string.

Default value is ; (semicolon). If the JDBC connect string requires use of semicolons as part of a field value, you can use this parameter to specify a different delimiter, such as ^ (caret).

ConnectTimeout

Specifies the number of seconds to wait when attempting to establish the connection to the database before timing out.

This value is ignored if the client database engine does not support this feature.

DefaultResults

If set to 0, no default values are assumed and the user must explicitly enter all result items (if you are not calling a stored procedure).

If set to 1, the default values for Results are used. This is the backward-compatibility setting and the setting if no value is specified in the file. In this case, each Result item must be explicitly specified.

Driver

(JDBC only) Specifies the third-party JDBC driver to load for authentication. For example:

Driver=com/provider/jdbc/sqlserver/
SQLServerDriver

NOTE: Third-party JDBC drivers must be installed in /radius/jre/lib/ext. Refer to the JDBC driver documentation for information on how to install the JDBC driver and supporting files.

ErrorMap

Specifies the name of the file that contains the native error codes that are treated as soft errors (that is, errors that do not require Steel-Belted Radius Carrier to disconnect from and reconnect to the remote database).

NOTE: Steel-Belted Radius Carrier includes three default error map files: mssql.ini (for Microsoft SQL using ODBC), mysql.ini (for MySQL using JDBC), and oracle.ini (for Oracle using OCI). See Chapter 13, "Database Error Map Files" on page 273 for information on configuring error map files.

LogLevel

Activates logging for the SQL authentication component and sets the rate at which it writes entries to the server log file (.LOG). The LogLevel may be the number 0, 1, or 2, where 0 is the lowest logging level, 1 is intermediate, and 2 is the most verbose. If the LogLevel that you set in the .aut file is different than the LogLevel in radius.ini, the radius.ini setting determines the rate of logging.

MaxConcurrent

Specifies the maximum number of instances of a single SQL statement that may be executing at one time.

NOTE: The MaxConcurrent parameter is valid only for Oracle SQL authentication (radsql.aut). It is not valid for JDBC SQL authentication (radsqljdbc.aut).

NOTE: A setting of MaxConcurrent = 1 is sufficient for all but the most demanding environments. Increase this value slowly and conservatively. For more information, see Overlapped Execution of SQL Statements in Chapter 18, Configuring SQL Authentication of the Steel-Belted Radius Carrier 7.2 Administration and Configuration Guide.

MaxWaitReconnect

Specifies the maximum number of seconds to wait after successive failures to reconnect after a failure of the database connection.

WaitReconnect specifies the time to wait after failure of the database connection. This value is doubled on each failed attempt to reconnect, up to a maximum of MaxWaitReconnect.

ParameterMarker

Specifies the character or sequence of characters used as the parameter marker in a parameterized SQL query. Normally, this is the question mark (?), but this can vary among database vendors.

PasswordFormat

If set to 0, Steel-Belted Radius Carrier tries to determine password format automatically.

If set to 3, Steel-Belted Radius Carrier expects the password value encrypted with UNIXcrypt.

By default, the PasswordFormat parameter is not listed in the [Settings] section of the .aut file.

QueryTimeout

Specifies the number of seconds to wait for a response to a query before timing out. This value is passed to the client database engine, which may or may not implement the feature.

SQL

Specifies the SQL statement used to access the password information in the database. The SQL statement may be broken over several lines by ending each line with a backslash. The backslash must be preceded by a space character, and followed by a newline character. The subsequent lines may be indented for better readability.

Example:

SQL=SELECT password, profile, fullname \
FROM usertable \
WHERE username = %name/63s

SuccessResult

Specifies the string that is the expected result of a successful authentication, to be compared to the %result parameter.

If a value is specified for this field, it is used in the following manner upon execution of the SQL statement: if the value of %result is not equal to the value given for this field, the user is rejected. The test for textual equality is not case sensitive.

No such test, or rejection, is performed if no value is specified for this field.

This is a useful technique for coordinating with the custom functionality of stored procedures.

UpperCaseName

Specifies whether the user's login name is converted to uppercase characters before using it in the SQL statement execution.

0 - Use the name exactly as received.

1 - Convert the name to uppercase.

WaitReconnect

Specifies the number of seconds to wait after a failure of the database connection before trying to connect again.

[Strip] Sections

The [Strip] sections (Table 128) of the SQL authentication header file (Table 128) allow User-Name stripping to occur. These sections enable Steel-Belted Radius Carrier to identify the username that the SQL database expects by stripping the incoming User-Name attribute value of realm names and other "decorations."

You may or may not need to employ User-Name stripping for SQL authentication. Your need for this feature depends upon the naming conventions that you employ on your network and in your SQL database entries. The SBR Carrier usual name parsing features work independently of this feature.

The following [Strip] syntax is available to enable and configure User-Name stripping for SQL authentication:
[Strip]
Authentication=Yes
[StripPrefix]
String
String
M
[StripSuffix]
String
String
M
Table 128: *.aut [Strip] Syntax

Parameter

Function

Authentication

If set to No, prefix and suffix stripping is disabled for authentication.

If set to Yes, prefix and suffix stripping is enabled for authentication packets. When an authentication packet comes into the Steel-Belted Radius Carrier server and a SQL authentication method is active, stripping of the incoming User-Name attribute value occurs prior to SQL authentication:

Prefixes listed in the [StripPrefix] section are stripped from the incoming User-Name attribute value.

Suffixes listed in [StripSuffix] are stripped.

Any other name processing that is appropriate at this point (for example, tunnel or proxy name parsing) is performed.

The fully stripped name is authenticated against the SQL database.

[StripPrefix]

Lists strings that are to be stripped from the beginning of the User-Name value. The strings are listed in order of priority. A string that appears earlier in the list takes precedence over later strings.

In the following example, if the incoming User-Name is seattleUser201, the stripped name is User201. If the incoming User-Name is seatac2000, the stripped name is tac2000:

[StripPrefix]

seattle

sea

String

Each String that you provide in a [Strip] section may be a character string, or a regular expression according to the following rules:

? is a wildcard character.

A dash (-) indicates a range of alphanumeric characters; brackets must enclose lists of characters or ranges. For example, [A-Za-z] means any letter and [0-9.,] means any number, including decimal points and commas.

A backslash (\) followed by a non-alphanumeric character indicates that character literally, for example \' indicates the question mark.

\ is also used as an escape character:

\a    bell (7)

\b    backspace (8)

\t    tab (9)

\n    newline (10)

\v    vertical tab (11)

\f    formfeed (12)

\r    return (13)

\xnn    hex value, where nn are 2 hex digits

\nnn    decimal value, where nnn are 3 decimal digits

[StripSuffix]

Lists strings that are to be stripped from the end of the User-Name value. Conventions are the same as for [StripPrefix].

Parameter	Function
AcceptsAuthorizeOnly	If set to 1, Authorize Only requests are accepted for this authentication method, when all of the following conditions are true: The Access-Request contains the Service-Type attribute with a value=Authorize-Only Message-Authenticator is present and valid A session already exists in SBR Carrier for the AAA session ID (WiMAX or 3GPP2) AuthorizeOnly=1 in the [Configuration] section of radius.ini If set to 0, Authorize Only requests are not accepted for this authentication method regardless of whether AuthorizeOnly=1 in radius.ini. NOTE: SBR Carrier is only able to process Authorize-Only requests for WiMAX and 3GPP2 sessions because a session must be located in the current session table, indexed by a WiMAX or 3GPP2 AAA Session Id.
LibraryName	Specifies the name of the SQL authentication module. Enter radsql_auth_ora.so for Oracle. Enter radsql_auth_jdbc.so for JDBC.
Enable	Specifies whether the SQL authentication method is enabled. If set to 0, the authentication method is disabled and does not appear in the Authentication Methods list displayed in the Authentication Policies>Order of Methods panel in SBR Administrator. If set to 1, the authentication method is enabled. Default value is 0.
InitializationString	Specifies the name of the authentication method to appear in the Authentication Methods list displayed in the Authentication Policies>Order of Methods panel in SBR Administrator. In the sample header file, this entry is set to SQL. You can modify this name as needed. The name of each authentication method must be unique. If you create additional .aut files to implement authentication against multiple databases, the InitializationString value in each file must specify a unique method name.

Parameter	Function
Accept	If set to 1, Steel-Belted Radius Carrier returns an Access-Accept packet with the Profile and any combination of the FullName and Alias attributes specified in the corresponding [Failure] section parameters. If set to 0, the user is rejected.
Profile	Specifies the name of a Steel-Belted Radius Carrier profile whose check list and return list attributes are applied to the user's connection.
FullName	By indicating a FullName, Steel-Belted Radius Carrier returns a value in the class attribute, allowing for all [Failure] connections to be accounted.
Alias	As an alternative to using the Profile parameter, you can use the Alias parameter to name an existing Steel-Belted Radius Carrier Native User entry. Steel-Belted Radius Carrier then applies the check list and return list attributes of this User entry to the user's connection. NOTE: The Alias feature permits the Maximum Concurrent Connection limit (which is configured in the Add Users dialog) to be applied to the user's connection. NOTE: For security, Native User entries without passwords cannot be authenticated. Therefore, setting up Native User entries in preparation for using the Alias parameter with SQL authentication does not pose a "back door" security risk. NOTE: The Native User authentication method displayed in the Authentication Policies panel does not need to be activated for the Alias feature to work. NOTE: Individual attributes retrieved from the external database override profile attributes of the same name.

Parameter	Function
%LoginLimit	Specifies the name of the variable identifying the Maximum Concurrent Connection limits.
%Password	The value returned from this column is understood to be the user's password. The value returned by the SQL query is then matched with the user's password received in the Access-Request. By default, Steel-Belted Radius Carrier expects the user's password to stored in the SQL table in clear-text format. If you want to configure Steel-Belted Radius Carrier to expect that the password value is encrypted with UNIXcrypt, then set PasswordFormat to 3 in the [Settings] section of the SQL authentication header file.
%Profile	The value returned from this column is interpreted as the name of the profile to associate with the user. The value returned by the SQL query is matched with an existing Profile entry of the same name. If the value is prof1, and a Profile called prof1 exists in the Steel-Belted Radius Carrier database, any return list or check list attributes in prof1 are applied to the user's connection. If the value cannot be matched with an existing Profile in the Steel-Belted Radius Carrier database, the user is rejected due to "Insufficient Resources."
%ProxyRealm	Specifies the realm to which the authentication must be proxied. If ProxyRealm is not set, Routed Proxy does not occur.
%ProxyUserName	Specifies the User-Name attribute, which must be sent in the proxy request. If ProxyUserName is not set, the User-Name from the original request packet is used. NOTE: Enter the value for %ProxyUserName in capital letters.
%Alias	Specifies the value returned from this column that is matched with an existing Steel-Belted Radius Carrier Native User entry of the same name. For example, if the value is max1, and a native user called max1 exists in the Steel-Belted Radius Carrier database, then any return list or check list attributes, as well as any concurrent connection limit configured for max1, are applied to the user's connection. If you want to apply concurrent connection limits to users who are being authenticated by means of SQL, you must set up a Native User entry with no password. NOTE: Use of %Alias is not recommended. Instead, use %Profile. The %LoginLimit value lets you implement the concurrent connection limits previously available through %Alias. Generally, even if a very large number of users resides in the SQL database, you need to add only one or two Native User entries to the Steel-Belted Radius Carrier database. The concurrent connection limit associated with a single Native User entry may be applied to any number of users in the SQL database. Often a Native User entry with a connection limit of 1, and a second Native User entry with a connection limit of 2, is sufficient for an entire SQL database. For example, analog users may be allowed a connection limit of 1, while ISDN users are allowed a connection limit of 2. NOTE: The Native User authentication method displayed in the Authentication Policies panel does not need to be activated for the %Alias feature to work.
%FullName	The value returned from this column is interpreted as the full name of the user. This feature is often used to distinguish the user's full name from the actual User-Name sent in the Access-Request.
RADIUS attributes	Any RADIUS attribute (preceded by an @) can be returned from the database and mapped into the [Results] section. Use attribute names as they appear in the appropriate .dct or .jdict (subattributes) files.

Parameter	Function
ServerName	The name of the header file section that contains configuration information for that server.
TargetNumber	An activation target number, a number that controls when this server is activated for backup purposes. TargetNumber is optional and may be left blank.

Parameter	Function
ConcurrentTimeout	Specifies the number of seconds a request may wait for execution before it is discarded. Because there may be only up to MaxConcurrent SQL statements executing at one time, new requests must be queued as they arrive until other statements are processed. NOTE: The MaxConcurrent parameter is valid only for Oracle SQL authentication (radsql.aut). It is not valid for JDBC SQL authentication (radsqljdbc.aut).
Connect	Specifies the string that must be passed to the database client engine to establish a connection to the database. This string has (or refers to) information about the name of the database, its location on the network, the password required to access it, and so forth. The format of the connect string depends on the type of database you use: Oracle: Connect=<dB_username>/<dB_password> JDBC: Connect=DSN=<jdbc:provider:driver:dsn_name_here>;UID=<username_for_dB>;PWD=<password_for_dB>
ConnectDelimiter	(JDBC only) Specifies the character used to separate fields (DSN, UID, PWD) in the connect string. Default value is ; (semicolon). If the JDBC connect string requires use of semicolons as part of a field value, you can use this parameter to specify a different delimiter, such as ^ (caret).
ConnectTimeout	Specifies the number of seconds to wait when attempting to establish the connection to the database before timing out. This value is ignored if the client database engine does not support this feature.
DefaultResults	If set to 0, no default values are assumed and the user must explicitly enter all result items (if you are not calling a stored procedure). If set to 1, the default values for Results are used. This is the backward-compatibility setting and the setting if no value is specified in the file. In this case, each Result item must be explicitly specified.
Driver	(JDBC only) Specifies the third-party JDBC driver to load for authentication. For example: Driver=com/provider/jdbc/sqlserver/ SQLServerDriver NOTE: Third-party JDBC drivers must be installed in /radius/jre/lib/ext. Refer to the JDBC driver documentation for information on how to install the JDBC driver and supporting files.
ErrorMap	Specifies the name of the file that contains the native error codes that are treated as soft errors (that is, errors that do not require Steel-Belted Radius Carrier to disconnect from and reconnect to the remote database). NOTE: Steel-Belted Radius Carrier includes three default error map files: mssql.ini (for Microsoft SQL using ODBC), mysql.ini (for MySQL using JDBC), and oracle.ini (for Oracle using OCI). See Chapter 13, "Database Error Map Files" on page 273 for information on configuring error map files.
LogLevel	Activates logging for the SQL authentication component and sets the rate at which it writes entries to the server log file (.LOG). The LogLevel may be the number 0, 1, or 2, where 0 is the lowest logging level, 1 is intermediate, and 2 is the most verbose. If the LogLevel that you set in the .aut file is different than the LogLevel in radius.ini, the radius.ini setting determines the rate of logging.
MaxConcurrent	Specifies the maximum number of instances of a single SQL statement that may be executing at one time. NOTE: The MaxConcurrent parameter is valid only for Oracle SQL authentication (radsql.aut). It is not valid for JDBC SQL authentication (radsqljdbc.aut). NOTE: A setting of MaxConcurrent = 1 is sufficient for all but the most demanding environments. Increase this value slowly and conservatively. For more information, see Overlapped Execution of SQL Statements in Chapter 18, Configuring SQL Authentication of the Steel-Belted Radius Carrier 7.2 Administration and Configuration Guide.
MaxWaitReconnect	Specifies the maximum number of seconds to wait after successive failures to reconnect after a failure of the database connection. WaitReconnect specifies the time to wait after failure of the database connection. This value is doubled on each failed attempt to reconnect, up to a maximum of MaxWaitReconnect.
ParameterMarker	Specifies the character or sequence of characters used as the parameter marker in a parameterized SQL query. Normally, this is the question mark (?), but this can vary among database vendors.
PasswordFormat	If set to 0, Steel-Belted Radius Carrier tries to determine password format automatically. If set to 3, Steel-Belted Radius Carrier expects the password value encrypted with UNIXcrypt. By default, the PasswordFormat parameter is not listed in the [Settings] section of the .aut file.
QueryTimeout	Specifies the number of seconds to wait for a response to a query before timing out. This value is passed to the client database engine, which may or may not implement the feature.
SQL	Specifies the SQL statement used to access the password information in the database. The SQL statement may be broken over several lines by ending each line with a backslash. The backslash must be preceded by a space character, and followed by a newline character. The subsequent lines may be indented for better readability. Example: SQL=SELECT password, profile, fullname \ FROM usertable \ WHERE username = %name/63s
SuccessResult	Specifies the string that is the expected result of a successful authentication, to be compared to the %result parameter. If a value is specified for this field, it is used in the following manner upon execution of the SQL statement: if the value of %result is not equal to the value given for this field, the user is rejected. The test for textual equality is not case sensitive. No such test, or rejection, is performed if no value is specified for this field. This is a useful technique for coordinating with the custom functionality of stored procedures.
UpperCaseName	Specifies whether the user's login name is converted to uppercase characters before using it in the SQL statement execution. 0 - Use the name exactly as received. 1 - Convert the name to uppercase.
WaitReconnect	Specifies the number of seconds to wait after a failure of the database connection before trying to connect again.

Parameter	Function
Authentication	If set to `No`, prefix and suffix stripping is disabled for authentication. If set to `Yes`, prefix and suffix stripping is enabled for authentication packets. When an authentication packet comes into the Steel-Belted Radius Carrier server and a SQL authentication method is active, stripping of the incoming User-Name attribute value occurs prior to SQL authentication: Prefixes listed in the [StripPrefix] section are stripped from the incoming User-Name attribute value. Suffixes listed in [StripSuffix] are stripped. Any other name processing that is appropriate at this point (for example, tunnel or proxy name parsing) is performed. The fully stripped name is authenticated against the SQL database.
[StripPrefix]	Lists strings that are to be stripped from the beginning of the User-Name value. The strings are listed in order of priority. A string that appears earlier in the list takes precedence over later strings. In the following example, if the incoming User-Name is seattleUser201, the stripped name is User201. If the incoming User-Name is seatac2000, the stripped name is tac2000: `[StripPrefix]` seattle sea
String	Each String that you provide in a [Strip] section may be a character string, or a regular expression according to the following rules: ? is a wildcard character. A dash (-) indicates a range of alphanumeric characters; brackets must enclose lists of characters or ranges. For example, [A-Za-z] means any letter and [0-9.,] means any number, including decimal points and commas. A backslash (\) followed by a non-alphanumeric character indicates that character literally, for example \' indicates the question mark. \ is also used as an escape character: \a bell (7) \b backspace (8) \t tab (9) \n newline (10) \v vertical tab (11) \f formfeed (12) \r return (13) \xnn hex value, where nn are 2 hex digits \nnn decimal value, where nnn are 3 decimal digits
[StripSuffix]	Lists strings that are to be stripped from the end of the User-Name value. Conventions are the same as for [StripPrefix].

[Contents] [Prev] [Next] [Index] [Report an Error] [No Frames]