attributes.texi

gnu 的radius服务器很好用的

                Auth-Type = System
        Service-Type = Login
@end smallexample

@noindent
and, finally, @file{huntgroups} contains the following entry:

@smallexample
users_group     NAS-IP-Address = 10.11.11.1
                NAS-Port-Id < 32
@end smallexample

@noindent
Then the authentication request will succeed, since it contains
@attr{NAS-Port-Id} attribute and its value is less than 32.

@xref{huntgroups file}.

@node Log-Mode-Mask
@subsection @attr{Log-Mode-Mask}
@atindex Log-Mode-Mask

@defattr{Log-Mode-Mask,2007,integer,L-,-R,-R,Append,@acronym{N/A}}

@smallexample
VALUE           Log-Mode-Mask           Log-Auth                1
VALUE           Log-Mode-Mask           Log-Auth-Pass           2
VALUE           Log-Mode-Mask           Log-Failed-Pass         4
VALUE           Log-Mode-Mask           Log-Pass                6
VALUE           Log-Mode-Mask           Log-All                 7
@end smallexample

@attr{Log-Mode-Mask} is used to control the verbosity of authentication
log messages for given user or class of users. The meaning of its
values is:

@table @code
@item Log-Auth
Do not log successful authentications.
@item Log-Auth-Pass
Do not show the password with the log message from a successful authentication.
@item Log-Failed-Pass
Do not show a failed password.
@item Log-Pass
Do not show a plaintext password, either failed or succeeded.
@item Log-All
Do not log authentications at all.
@end table

Technical details: After authentication, the server collects all
@attr{Log-Mode-Mask} attributes from the incoming request and @LHS{}
of the user's entry. The values of these attributes @sc{or}ed together
form a mask, which is applied via an @sc{xor} operation to the current log
mode. The value thus obtained is used as effective log mode.

@comment **************************************************************
@node Login-Time
@subsection @attr{Login-Time}
@atindex Login-Time

@defattr{Login-Time,1042,string,L-,--,--,Append,No}

The @attr{Login-Time} attribute specifies the time range over which the user
is allowed to log in. The attribute should be specified in the @LHS{}.

The format of the @attr{Login-Time} string is the same as that of UUCP
time ranges. The following description of the time range format is
adopted from the documentation for the Taylor UUCP package:

A time string may be a list of simple time strings separated with
vertical bars @samp{|} or commas @samp{,}.

Each simple time string must begin either with a day-of-week abbreviation
(one of @samp{Su}, @samp{Mo}, @samp{Tu}, @samp{We}, @samp{Th},
@samp{Fr}, @samp{Sa}), or @samp{Wk} for any day from Monday to
Friday inclusive, or @samp{Any} or @samp{Al} for any day.

Following the day may be a range of hours separated with a hyphen, using
24-hour time.  The range of hours may cross 0; for example
@samp{2300-0700} means any time except 7 AM to 11 PM.  If no time is
given, calls may be made at any time on the specified day(s).  

The time string may also be the single word @samp{Never}, which does not
match any time.

Here are a few sample time strings with an explanation of what they
mean.

@table @samp

@item Wk2305-0855,Sa,Su2305-1655

This means weekdays before 8:55 AM or after 11:05 PM, any time Saturday,
or Sunday before 4:55 PM or after 11:05 PM.  These are approximately the
times during which night rates apply to phone calls in the U.S.A.  Note
that this time string uses, for example, @samp{2305} rather than
@samp{2300}; this will ensure a cheap rate even if the
computer clock is running up to five minutes ahead of the real time.

@item Wk0905-2255,Su1705-2255

This means weekdays from 9:05 AM to 10:55 PM, or Sunday from 5:05 PM to
10:55 PM.  This is approximately the opposite of the previous example.

@item Any

This means any day.  Since no time is specified, it means any time on
any day.

@end table

@comment **************************************************************
@node Match-Profile
@subsection @attr{Match-Profile}
@atindex Match-Profile

@defattr{Match-Profile,2004,string,LR,-R,-R,Append,No}

The @attr{Match-Profile} attribute can be used in @LHS{} and @RHS{} lists of a
user profile. Its value is the name of another user's profile (target
profile). When @attr{Match-Profile} is used in the @LHS{}, the incoming
packet will match this profile only if it matches the target profile.
In this case the reply pairs will be formed by concatenating the @RHS{}
lists from both profiles.
When used in the @RHS{}, this attribute causes the reply pairs
from the target profile to be appended to the reply from the current
profile if the target profile matches the incoming request.

For example:

@smallexample
IPPOOL  NAS-IP-Address = 10.10.10.1
                Framed-Protocol = PPP,
                Framed-IP-Address = "10.10.10.2"

IPPOOL  NAS-IP-Address = 10.10.11.1
                Framed-Protocol = PPP,
                Framed-IP-Address = "10.10.11.2"

guest   Auth-Type = SQL
                Service-Type = Framed-User,
        Match-Profile = IPPOOL
@end smallexample

In this example, when user @code{guest} comes from @NAS{}
@code{10.10.10.1}, he is
assigned IP @code{10.10.10.2}, otherwise if he is coming from @NAS{}
@code{10.10.11.1} he is assigned IP @code{10.10.11.2}.
                
@comment **************************************************************
@node Menu
@subsection @attr{Menu}
@atindex Menu

@defattr{Menu,1001,string,-R,--,--,Replace,No}

This attribute should be used in the @RHS{}. If it is used, it should
be the only reply item.

The @attr{Menu} attribute specifies the name of the menu to be presented
to the user. The corresponding menu code is looked up in the
@file{RADIUS_DIR/menus/} directory (@pxref{menus directory}).

@comment **************************************************************
@node Pam-Auth
@subsection @attr{Pam-Auth}
@atindex Pam-Auth

@defattr{Pam-Auth,1041,string,L-,-R,-R,Append,No}

The @attr{Pam-Auth} attribute can be used in conjunction with

@smallexample
Auth-Type = Pam
@end smallexample

@noindent
to supply the PAM service name instead of the default @samp{radius}.
It is ignored if @attr{Auth-Type} attribute is not set to @code{Pam}.

@comment **************************************************************
@node Prefix
@subsection @attr{Prefix}
@atindex Prefix

@defattr{Prefix,1003,string,L-,L-,LR,Append,No}

The @attr{Prefix} attribute indicates the prefix that the user name
should contain in order for a particular record in the profile
to be matched. This attribute should be specified in the @LHS{}
of the @file{users} or @file{hints} file.

For example, if the @file{users} file contained

@smallexample
DEFAULT Prefix = "U", Auth-Type = System
                Service-Type = Login-User
@end smallexample

@noindent
then the user names @samp{Ugray} and @samp{Uyoda} would match this record,
whereas @samp{gray} and @samp{yoda} would not.

Both @attr{Prefix} and @attr{Suffix} attributes may be specified in
a profile. In this case the record is matched only if the user name
contains both the prefix and the suffix specified.

@xref{Suffix}, and
@ref{Strip-User-Name}.

@comment **************************************************************
@node Proxy-Replied
@subsection @attr{Proxy-Replied}
@atindex Proxy-Replied

@defattr{Proxy-Replied,2012,integer,L-,L-,L-,Replace,@acronym{N/A}}

@smallexample
VALUE      Proxy-Replied     No                   0       
VALUE      Proxy-Replied     Yes                  1       
@end smallexample

@command{radiusd} adds this attribute to the incoming request if it
was already processed by a remote radius server.

@comment **************************************************************
@node Realm-Name
@subsection @attr{Realm-Name}
@atindex Realm-Name
@UNREVISED{}

@defattr{Realm-Name,2013,string,L-,L-,L-,Append,No}

@FIXME{This is an @samp{internal attribute}. It keeps the realm name
of the user. The @attr{Realm-Name} attribute is added to the proxied
request after receiving a reply from the realm server. @xref{Proxy-Replied}.}

@comment **************************************************************
@node Replace-User-Name
@subsection @attr{Replace-User-Name}
@atindex Replace-User-Name

@defattr{Replace-User-Name,2001,string,LR,LR,--,Append,No}

@smallexample
VALUE      Replace-User-Name  No                   0       
VALUE      Replace-User-Name  Yes                  1       
@end smallexample

Use this attribute to modify the user name from the incoming packet. The
@attr{Replace-User-Name} can reference any attributes from both @LHS{}
and @RHS{} pairlists using attribute macros (@ref{Macro Substitution}).

For example, the @file{users} entry

@smallexample
guest   NAS-IP-Address = 11.10.10.11,
                Calling-Station-Id != ""
                Auth-Type = Accept
        Replace-User-Name = "guest#%C@{Calling-Station-Id@}",
                Service-Type = Framed-User,
                Framed-Protocol = PPP
@end smallexample

@noindent
allows the use of PPP service for user name @code{guest}, coming from @NAS{}
@samp{11.10.10.11} with a nonempty @attr{Calling-Station-Id} attribute.
A string consisting of a @samp{#} character followed by the
@attr{Calling-Station-Id} value is appended to the user name.

@comment **************************************************************
@node Rewrite-Function
@subsection @attr{Rewrite-Function}
@atindex Rewrite-Function

@defattr{Rewrite-Function,2004,string,LR,LR,LR,Append,No}

The @attr{Rewrite-Function} attribute specifies the name of the
rewriting function to be applied to the request. The attribute
may be specified in either pairlist in the entries of
the @file{hints} or @file{huntgroups} configuration file.

The corresponding function should be defined in @file{rewrite} as

@smallexample
integer @var{name}()
@end smallexample

@noindent
i.e., it should return an integer value and should not take any arguments.

@xref{rewrite file,, Packet rewriting rules},
@ref{hints file};
@ref{huntgroups file}.

@node Scheme-Acct-Procedure
@subsection @attr{Scheme-Acct-Procedure}
@atindex Scheme-Acct-Procedure

@defattr{Scheme-Acct-Procedure,2010,string,--,-R,--,Replace,@acronym{N/A}} 

The @attr{Scheme-Acct-Procedure} attribute is used to set the name
of the Scheme accounting procedure. @xref{Accounting with Scheme}, for
information about how to write Scheme accounting procedures.

@comment **************************************************************
@node Scheme-Procedure
@subsection @attr{Scheme-Procedure}
@atindex Scheme-Procedure

@defattr{Scheme-Procedure,2009,string,-R,--,--,Append,@acronym{N/A}}

The @attr{Scheme-Procedure} attribute is used to set the name
of the Scheme authentication procedure. @xref{Authentication with Scheme}, for
information about how to write Scheme authentication procedures.

@comment **************************************************************
@node Simultaneous-Use
@subsection @attr{Simultaneous-Use}
@atindex Simultaneous-Use

@defattr{Simultaneous-Use,1034,integer,L-,-R,-R,Append,No}

This attribute specifies the maximum number of simultaneous logins
a given user is permitted to have. When the user is logged in this
number of times, any further attempts to log in are rejected.

@xref{Multiple Login Checking}.
 
@comment **************************************************************
@node Strip-User-Name
@subsection @attr{Strip-User-Name}
@atindex Strip-User-Name

@defattr{Strip-User-Name,1035,integer,LR,LR,-R,Append,No}

@smallexample
VALUE      Strip-User-Name   No                   0       
VALUE      Strip-User-Name   Yes                  1       
@end smallexample

The value of @attr{Strip-User-Name} indicates whether Radius should
strip any prefixes/suffixes specified in the user's profile from the
user name. When it is set to @code{Yes}, the user names will be logged and
accounted without any prefixes or suffixes.

A user may have several user names for different kind of services. In
this case differentiating the user names by their prefixes and stripping
them off before accounting would help keep accounting records
consistent.

For example, let's suppose the @file{users} file contains

@smallexample
DEFAULT Suffix = ".ppp",
                Strip-User-Name = Yes,
                Auth-Type = SQL
        Service-Type = Framed-User,
                Framed-Protocol = PPP

DEFAULT Suffix = ".slip",
                Strip-User-Name = Yes,
                Auth-Type = SQL
        Service-Type = Framed-User,
                Framed-Protocol = SLIP
@end smallexample

@noindent
Now, user @samp{johns}, having a valid account in the @sc{sql} database,
logs in as @samp{johns.ppp}. She then is provided the PPP service,
and her PPP session is accounted under user name @samp{johns}.
Later on, she logs in as @samp{johns.slip}. In this case she is
provided the SLIP service and again her session is accounted
under her real user name @samp{johns}.

@comment **************************************************************
@node Suffix
@subsection @attr{Suffix}
@atindex Suffix

@defattr{Suffix,1004,string,L-,L-,LR,Append,No}

The @attr{Suffix} attribute indicates the suffix that the user name
should contain in order for a particular record in the profile
to be matched. This attribute should be specified in @LHS{}
of the @file{users} or @file{hints} file.

For example, if the @file{users} file contained

@smallexample
DEFAULT Suffix = ".ppp", Auth-Type = System,
                Strip-User-Name = Yes
        Service-Type = Framed-User,
                Framed-Protocol = PPP        
@end smallexample

@noindent
then the user names @samp{gray.ppp} and @samp{yoda.ppp} would match this record,
whereas @samp{gray} and @samp{yoda} would not.

Both @attr{Prefix} and @attr{Suffix} attributes may be specified in
a profile. In this case the record is matched only if the user name
contains both the prefix and the suffix specified.

@xref{Prefix}, and
@ref{Strip-User-Name}.

@comment **************************************************************
@node Termination-Menu
@subsection @attr{Termination-Menu}
@atindex Termination-Menu

@defattr{Termination-Menu,1002,string,-R,--,--,Replace,No}

This attribute should be used in the @RHS{}. If it is used, it should
be the only reply item.

The @attr{Termination-Menu} specifies the name of the menu file to be
presented to the user after finishing his session. The corresponding
menu code is looked up in the @file{RADIUS_DIR/menus/} directory
(@pxref{menus directory}).