The company I work at is having to change who their Dialup modem pool goes through. The new company blocks outgoing SMTP by default to prevent spamming. To enable port 25 for our mail servers, we have to send them some attributes in the Radius ACCEPT packet during authentication. I haven’t really gotten into the Radius server that we use, because it has always worked and we’ve never had to change anything on it until now. So I began digging into FreeRadius, and found out that it is pretty useful.
Our server was configured to authenticate against a MySQL database that contains all of the configuration. I believe it is a pretty standard configuration. In the radius configuration, it defines certain queries to run for authentication, and also for attributes to send in the accept packet. Specifically, it was configured to do this query for the attributes:
authorize_reply_query = " SELECT id,UserName,Attribute,Value,op FROM ${authreply_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"
So, I can just put additional rows into the ${authreply_table} to add the attributes that this new provider requires. With the default setup, though, I would have to add the attributes for each user. That would get to be a mess, because I would have to modify the billing system which populates the radius database. Instead I modified the SQL query to include rows where the Username = ALLUSERS, like this:
authorize_reply_query = " SELECT id,UserName,Attribute,Value,op FROM ${authreply_table} WHERE ( Username = '%{SQL-User-Name}' OR Username = 'ALLUSERS' ) ORDER BY id"
Now, I can just insert rows for those attributes once, and no further modification is necessary. Pretty handy.
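
The effect of the modified query, as an added example that is not part of the original post: it runs the same WHERE clause against an in-memory SQLite table standing in for the MySQL database, and flags reply rows that collide with the ALLUSERS sentinel. The table name radreply, the sample users and the PROVIDER-SMTP-ATTRIBUTE placeholder are assumptions, and the NOCASE collation imitates MySQL's default case-insensitive comparison.

```python
import sqlite3

SENTINEL = "ALLUSERS"

# The modified query from the post, with ${authreply_table} expanded to the
# assumed table name "radreply" and %{SQL-User-Name} bound as a parameter.
REPLY_QUERY = """
SELECT id, UserName, Attribute, Value, op FROM radreply
WHERE (UserName = ? OR UserName = 'ALLUSERS') ORDER BY id
"""


def build_db():
    """In-memory stand-in for the radius database, filled with constructed rows."""
    db = sqlite3.connect(":memory:")
    # COLLATE NOCASE imitates MySQL's default case-insensitive string comparison.
    db.execute(
        "CREATE TABLE radreply (id INTEGER PRIMARY KEY AUTOINCREMENT, "
        "UserName TEXT COLLATE NOCASE, Attribute TEXT, op TEXT, Value TEXT)"
    )
    rows = [
        ("alice", "Framed-IP-Address", "=", "192.0.2.10"),
        ("bob", "Session-Timeout", "=", "3600"),
        # One shared row instead of one per subscriber (placeholder attribute).
        (SENTINEL, "PROVIDER-SMTP-ATTRIBUTE", "=", "PLACEHOLDER-VALUE"),
    ]
    db.executemany(
        "INSERT INTO radreply (UserName, Attribute, op, Value) VALUES (?, ?, ?, ?)",
        rows,
    )
    return db


def reply_attributes(db, username):
    """(Attribute, Value) pairs the modified query returns for one login."""
    return [(r[2], r[3]) for r in db.execute(REPLY_QUERY, (username,))]


def shadowing_rows(db):
    """Rows the sentinel comparison matches that were not stored as ALLUSERS.

    A subscriber account named e.g. 'allusers' would have its per-user reply
    attributes sent to every user, so this list should always be empty.
    """
    cur = db.execute(
        "SELECT UserName, Attribute FROM radreply WHERE UserName = 'ALLUSERS'"
    )
    return [(name, attr) for name, attr in cur if name != SENTINEL]
```

Every reply row stored under a name that compares equal to ALLUSERS goes out to all users, so the billing system should refuse to create an account with that name.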