Is Multiple radcheck tables possible?
Alan DeKok
aland at deployingradius.com
Tue May 27 11:15:15 CEST 2008
Pete Kay wrote:
> I want to have two radcheck tables, one for storing user-password for
> system accessing and the other for storing user-password for management
> interface accessing. Is it possible to config the server to switch to
> different table according to some parameters pass by the client?
Yes. That is why the queries are editable, and expanded dynamically.
But you don't want to do *exactly* that. Instead, create a new
attribute in the "dictionary" file: SQL-Table-Name. I've just added it
to CVS, as this is becoming a common request:

    ATTRIBUTE SQL-Table-Name 1110 string

Then, use "unlang" to check the parameters from the client, and set
SQL-Table-Name to the appropriate value. Do NOT use the parameters from
the client directly. It can be used to create an SQL injection attack.
Then, edit the query in dialup.conf (or other file). Replace the
table name

    SELECT ... FROM ${authcheck_table} ...

with

    SELECT ... FROM %{%{SQL-Table-Name}:-${authcheck_table}} ...

i.e. expand the table name dynamically.
> I
> think it can be done by having two servers and each server has its own
> config and each config has its own dialup sql setting. However, since I
> would hope to see if it is possible to do it with just one server.
In 2.0, you don't need multiple servers. Many things are dynamically
expanded, and the virtual servers help a lot, too.
Alan DeKok.
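
The "unlang" step described in the reply, as an added example that is not part of the original post. It assumes the deciding client parameter is NAS-Identifier, that management clients send the value "mgmt-gw", and that the second table is called radcheck_mgmt; all three names are hypothetical.

```unlang
# Added example (not from the original post). NAS-Identifier, "mgmt-gw"
# and "radcheck_mgmt" are assumed names; substitute your own.
authorize {
	preprocess

	# The client's value is only compared against a fixed string.
	# The table name is a literal written in this file, so nothing the
	# client sends is ever copied into the SQL text.
	if ("%{NAS-Identifier}" == "mgmt-gw") {
		update request {
			SQL-Table-Name := "radcheck_mgmt"
		}
	}

	# Any other value, or no NAS-Identifier at all, leaves
	# SQL-Table-Name unset, so the edited query
	#   SELECT ... FROM %{%{SQL-Table-Name}:-${authcheck_table}} ...
	# falls back to the default ${authcheck_table}.
	#
	# What the reply warns against is the shortcut of placing the client
	# attribute itself in the FROM clause instead of going through a
	# fixed mapping like the one above.

	sql
}
```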