Run-time variables
==================

See "man unlang" for more complete documentation on the run-time
variables.  This file is here only for historical purposes.

The above variable expansions also support the following
meta-attributes.  These are not normal RADIUS attributes, but are
created by the server to be used like them, for ease of use.  They can
only be queried, and cannot be assigned.

+-----------------------+-------------------------------------------------+
| Packet-Type           | RADIUS packet type (Access-Request, etc.)       |
+-----------------------+-------------------------------------------------+
| Packet-Src-IP-Address | IP address from which the packet was sent       |
+-----------------------+-------------------------------------------------+
| Packet-Dst-IP-Address | IP address to which the packet was sent.        |
|                       | This may be "0.0.0.0", if the server            |
|                       | was configured with ``bind_address = *``.       |
+-----------------------+-------------------------------------------------+
| Packet-Src-Port       | UDP port from which the packet was sent         |
+-----------------------+-------------------------------------------------+
| Packet-Dst-Port       | UDP port to which the packet was sent.          |
+-----------------------+-------------------------------------------------+

``%{config:section.subsection.item}``
  Corresponding value in ``radiusd.conf`` for the string value of that item.

The ``%{config:...}`` variables should be used VERY carefully, as they
may leak secret information from your RADIUS server, if you use them
in reply attributes to the NAS!
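
One way to check for this before deploying, shown as an added example (not part of the FreeRADIUS documentation or code): the script below flags every ``%{config:...}`` expansion that appears in a reply item. It assumes the "users" file layout, where an entry line starts in column 0 and its reply items are indented beneath it; the sample text, the config paths in it, and the ``find_config_leaks`` name are constructed for illustration.

```python
import re

CONFIG_REF = re.compile(r"%\{config:([^}]+)\}")
ATTR_NAME = re.compile(r"[\w-]+")

# Constructed sample in "users" file layout (assumption: entry line in
# column 0, reply items indented below it). Not a real configuration.
SAMPLE_USERS = '''\
# constructed sample
DEFAULT  User-Name =~ "^([^@]+)@(.*)"
\tReply-Message = `Hello %{1}`,
\tClass = `%{config:modules.example.secret}`

bob  NAS-IP-Address == 192.0.2.10
\tSession-Timeout = `%{expr: 2 + 3}`,
\tReply-Message = `logs in %{config:logdir}`
'''

def find_config_leaks(text):
    """Return (line_no, entry, attribute, config_path) for each
    %{config:...} expansion found in a reply item line."""
    findings = []
    entry = None
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not line[0].isspace():
            # Entry line: name plus check items, which stay on the server.
            entry = stripped.split()[0]
            continue
        # Indented line: reply items, which are sent back to the NAS.
        name = ATTR_NAME.match(stripped)
        attribute = name.group(0) if name else "?"
        for ref in CONFIG_REF.finditer(stripped):
            findings.append((line_no, entry, attribute, ref.group(1)))
    return findings

if __name__ == "__main__":
    for line_no, entry, attribute, path in find_config_leaks(SAMPLE_USERS):
        print(f"line {line_no}: entry {entry!r} puts config item "
              f"{path!r} into reply attribute {attribute}")
```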

::

  DEFAULT  User-Name =~ "^([^@]+)@(.*)"
  	   All-That-Matched = `%{0}`
  	   Just-The-User-Name = `%{1}`
  	   Just-The-Realm-Name = `%{2}`


The variables are used in dynamically translated strings.  Most of the
configuration entries in ``radiusd.conf`` (and related files) will do
dynamic string translation.  To do the same dynamic translation in a
RADIUS attribute (when pulling it from a database, or "users" file),
you must put the string into a back-quoted string:

::

  Session-Timeout = `%{expr: 2 + 3}`

To do the dynamic translation in the ``radiusd.conf`` (or some other
configuration files), just use the variable as-is.  See
``radiusd.conf`` for examples.


Attributes as environment variables in executed programs
--------------------------------------------------------

When calling an external program (e.g. from the ``rlm_exec`` module), these
variables can be passed on the command line to the program. In
addition, the server places all of the attributes in the RADIUS
request into environment variables for the external program. The
variables are renamed under the following rules:

  #. All letters are made upper-case.
  #. All hyphens '-' are turned into underscores '_'

so the attribute ``User-Name`` can be passed on the command line to the
program as ``%{User-Name}``, or used inside the program as the environment
variable ``USER_NAME`` (or ``$USER_NAME`` for shell scripts).

If you want to see the list of all of the variables, try adding a line
``printenv > /tmp/exec-program-wait`` to the script.  Then look in the
file for a complete list of variables.

One-character variables
-----------------------

The following one-character variables were defined.  They were duplicates of the
previous general cases, and were only provided for backwards compatibility.
They are in the process of being removed; this table documents the old variables
and their new equivalents.
(i.e. ``:-``, as described above.

+-----------+---------------------------+-----------------------+
| Variable  | Description               | Proper Equivalent     |
+===========+===========================+=======================+
|%a         |Protocol (SLIP/PPP)        |%{Framed-Protocol}     |
+-----------+---------------------------+-----------------------+
|%c         |Callback-Number            |%{Callback-Number}     |
+-----------+---------------------------+-----------------------+
|%d         |request day (DD)           |                       |
+-----------+---------------------------+-----------------------+
|%f         |Framed IP address          |%{Framed-IP-Address}   |
+-----------+---------------------------+-----------------------+
|%i         |Calling Station ID         |%{Calling-Station-Id}  |
+-----------+---------------------------+-----------------------+
|%l         |request timestamp          |                       |
+-----------+---------------------------+-----------------------+
|%m         |request month (MM)         |                       |
+-----------+---------------------------+-----------------------+
|%n         |NAS IP address             |%{NAS-IP-Address}      |
+-----------+---------------------------+-----------------------+
|%p         |Port number                |%{NAS-Port}            |
+-----------+---------------------------+-----------------------+
|%s         |Speed (PW_CONNECT_INFO)    |%{Connect-Info}        |
+-----------+---------------------------+-----------------------+
|%t         |request in ctime format    |                       |
+-----------+---------------------------+-----------------------+
|%u         |User name                  |%{User-Name}           |
+-----------+---------------------------+-----------------------+
|%A         |radacct_dir                |%{config:radacctdir}   |
+-----------+---------------------------+-----------------------+
|%C         |clientname                 |                       |
+-----------+---------------------------+-----------------------+
|%D         |request date (YYYYMMDD)    |                       |
+-----------+---------------------------+-----------------------+
|%G         |request minute             |                       |
+-----------+---------------------------+-----------------------+
|%H         |request hour               |                       |
+-----------+---------------------------+-----------------------+
|%I         |request ID                 |                       |
+-----------+---------------------------+-----------------------+
|%L         |radlog_dir                 |%{config:logdir}       |
+-----------+---------------------------+-----------------------+
|%M         |MTU                        |%{Framed-MTU}          |
+-----------+---------------------------+-----------------------+
|%R         |radius_dir                 |%{config:raddbdir}     |
+-----------+---------------------------+-----------------------+
|%S         |request timestamp          |                       |
|           |in SQL format              |                       |
+-----------+---------------------------+-----------------------+
|%T         |request timestamp          |                       |
|           |in database format         |                       |
+-----------+---------------------------+-----------------------+
|%U         |Stripped User name         |%{Stripped-User-Name}  |
+-----------+---------------------------+-----------------------+
|%V         |Request-Authenticator      |                       |
|           |(Verified/None)            |                       |
+-----------+---------------------------+-----------------------+
|%v         |Server Version             |                       |
+-----------+---------------------------+-----------------------+
|%Y         |request year (YYYY)        |                       |
+-----------+---------------------------+-----------------------+
|%Z         |All request attributes     |                       |
|           |except password            |                       |
|           |(must have a big buffer)   |                       |
+-----------+---------------------------+-----------------------+
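
Since these variables are being removed, existing configuration strings need rewriting. The helper below is an added example (not FreeRADIUS code) that applies the table above to a string: it substitutes each one-character variable that has a listed equivalent and reports the ones that have none. The ``migrate`` name and the sample strings are constructed, and it assumes ``%%`` is a literal percent sign that must be left alone.

```python
import re

# Equivalents copied from the table above.
EQUIVALENTS = {
    "a": "%{Framed-Protocol}", "c": "%{Callback-Number}",
    "f": "%{Framed-IP-Address}", "i": "%{Calling-Station-Id}",
    "n": "%{NAS-IP-Address}", "p": "%{NAS-Port}",
    "s": "%{Connect-Info}", "u": "%{User-Name}",
    "A": "%{config:radacctdir}", "L": "%{config:logdir}",
    "M": "%{Framed-MTU}", "R": "%{config:raddbdir}",
    "U": "%{Stripped-User-Name}",
}
# Variables for which the table lists no equivalent.
NO_EQUIVALENT = set("dlmtCDGHISTVvYZ")

def migrate(text):
    """Return (new_text, unresolved): new_text has every one-character
    variable with a listed equivalent replaced; unresolved lists, in
    order, the variables left in place because the table has none."""
    unresolved = []

    def swap(match):
        char = match.group(1)
        if char in EQUIVALENTS:
            return EQUIVALENTS[char]
        if char in NO_EQUIVALENT:
            unresolved.append(match.group(0))
        # "%%" (assumed literal percent), "%{" (start of a long-form
        # expansion) and anything unknown pass through unchanged.
        return match.group(0)

    # Matching "%" plus one character consumes "%%" as a pair, so the
    # "u" in "%%u" is never mistaken for the %u variable.
    return re.sub(r"%(.)", swap, text), unresolved

if __name__ == "__main__":
    for sample in ("%A/%n/detail-%Y%m%d",           # constructed samples
                   "%{%{Stripped-User-Name}:-%u}",
                   "100%% for %%u"):
        new_text, todo = migrate(sample)
        print(f"{sample!r} -> {new_text!r}  (no equivalent: {todo})")
```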


 $Id$