配置模塊詳細(xì)說

1、Radiusd.conf文件配置Radiusd.conf文件是freeradius的核心配置文件，其中設(shè)置了服務(wù)器的基本信息，配 置文件與日志文件的環(huán)境變量，并詳細(xì)配置freeradius模塊所使用的信息，與認(rèn)證和計(jì)費(fèi) 所使用模塊的配置.配置的變量定義的形式為$仃。，他們就在這個(gè)文件上，并且不隨請(qǐng) 求到請(qǐng)求而改變.變量的格式參照variables.txt.此處定義其他配置文件以及目錄的位置，也就是環(huán)境變量prefix = /usr/localexec_prefix = $prefixsysconfdir = $prefix/etclocalstatedir = $prefix/varsbind

2、ir = $exec_prefix/sbinlogdir = $localstatedir/log/radiusraddbdir = $sysconfdir/raddbradacctdir = $logdir/radacct配置文件和日志文件的位置confdir = $raddbdirrun_dir = $localstatedir/run/radiusd日志文件的信息，添加到如下配置文件的底部log_file = $logdir/radius.log模塊的位置由libdir來配置。如果不能工作，那么你可以從新配置，從新Build源碼，并且使用共享庫(kù)。pidfile: Where to pla

3、ce the PID of the RADIUS server.pidfile = $run_dir/radiusd.piduser/group如果有評(píng)論，服務(wù)器會(huì)運(yùn)行用戶/組啟動(dòng)它.修改用戶/組，必須具有root權(quán)限啟動(dòng)服務(wù) 器這里的含義是指定啟動(dòng)radius服務(wù)可以限定操作系統(tǒng)上的用戶和組，但是不建議啟動(dòng)它.#user = nobody#group = nobody最長(zhǎng)請(qǐng)求時(shí)間（秒），這樣的問題經(jīng)常需要存在在應(yīng)用SQL數(shù)據(jù)庫(kù)時(shí)候，建議設(shè)置為5秒到 120秒之間.max_request_time = 30當(dāng)請(qǐng)求超過最長(zhǎng)請(qǐng)求時(shí)間的時(shí)候，可以設(shè)置服務(wù)器刪除請(qǐng)求.當(dāng)你的服務(wù)在threaded（線程

4、 下）運(yùn)行，或者線程池（thread pool）模式，建議這里設(shè)置為no.但用threaded服務(wù)設(shè) 置為yes時(shí)，有可能使服務(wù)器崩潰.delete_blocked_requests = no在reply發(fā)送給NAS后的等待清空時(shí)間.建議2秒 到10秒cleanup_delay = 5服務(wù)器的請(qǐng)求最大數(shù)，建議值256到無(wú)窮max_requests = 1024讓服務(wù)器監(jiān)聽某個(gè)IP，并且從次IP發(fā)送 相應(yīng)信息.主要是為了服務(wù)器同時(shí)具有多服務(wù) 器時(shí)候使用.bind_address = *可以指定raidus的使用端口號(hào)，使用0表示使用默認(rèn)的radius端口，在配置文件 /etc/services

5、配置.port = 0如果需要服務(wù)器同時(shí)監(jiān)聽其他的IP,可以用listen塊.下面是例子#listen IP address on which to listen.Allowed values are:dotted quad ()hostname ()wildcard (*)ipaddr = *Port on which to listen.Allowed values are:integer port number (1812)0 means use /etc/services for the proper portport = 0Type of packets to listen for.

6、Allowed values are:auth listen for authentication packetsacct listen for accounting packets#type = auth#hostname_lookups大概是表示為NAS查找它的域名信息？可以通過域名配置NAS?hostname_lookups = no是否允許core dumps.allow_core_dumps = noexpressions支持，規(guī)則和擴(kuò)展.regular_expressions = yesextended_expressions = yes記錄User-Name屬性的全稱.log_s

7、tripped_names = no是否記錄認(rèn)證請(qǐng)求信息到日志文件log_auth = no當(dāng)請(qǐng)求被拒絕時(shí)記錄密碼，當(dāng)請(qǐng)求正確時(shí)記錄密碼log_auth_badpass = nolog_auth_goodpass = no是否允許用戶名沖突，即重復(fù)同用戶同時(shí)登陸.強(qiáng)烈不建議啟用重復(fù)用戶.usercollide = no將用戶名小寫化，將密碼小寫化.lower_user = nolower_pass = no是否去除用戶名和密碼中的空格nospace_user = nonospace_pass = no程序執(zhí)行并發(fā)檢查（不理解含義）checkrad = $sbindir/checkrad安全配置

8、域security 指在Radius包中的最大屬性數(shù)目.設(shè)置為0表示無(wú)窮大.max_attributes = 200發(fā)送Access-Reject包時(shí)候，可以設(shè)置一定的延遲，以緩慢DOS攻擊，也可以緩慢窮舉破解用戶名和密碼的攻擊reject_delay = 1服務(wù)器是否對(duì)狀態(tài)服務(wù)器的請(qǐng)求信息進(jìn)行相應(yīng).status_server = noPROXY CONFIGURATION代理域.是否開啟代理服務(wù)，具體配置參照$confdir/proxy.confproxy_requests = yes$INCLUDE $confdir/proxy.confClients 配置$INCLUDE $confdi

9、r/clients.conf是否啟用snmp配置，具體配置文件在snmp.confsnmp = no$INCLUDE $confdir/snmp.conf線程池配置域thread pool 啟動(dòng)時(shí)服務(wù)的個(gè)數(shù).（在啟動(dòng)Mysql模塊后可以明顯看到.）當(dāng)同時(shí)進(jìn)行的請(qǐng)求數(shù)超過5個(gè)時(shí)， 會(huì)增加線程服務(wù).start_servers = 5最大的服務(wù)數(shù)max_servers = 32當(dāng)少于最少空閑服務(wù)時(shí)，它會(huì)建立服務(wù)，大于最大空閑服務(wù)時(shí)會(huì)停止多余的服務(wù).最少空閑 服務(wù)，與最大空閑服務(wù).min_spare_servers = 3max_spare_servers = 10每個(gè)server最大的請(qǐng)求數(shù).當(dāng)有內(nèi)

10、存漏洞時(shí)，可能需要配置.max_requests_per_server = 01.3模塊配置PAP 模塊# Supports multiple encryption schemes 支持多種加密方式# clear: Clear text 明文# crypt: Unix crypt Unix 加密md5: MD5 ecnryption MD5 加密shal: SHA1 encryption. SHA1 加密DEFAULT: crypt 默認(rèn)是 UnX 加密pap encryption_scheme = cryptCHAP 模塊chap authtype = CHAPPAM 模塊PAM模塊（PAM

11、）是行業(yè)標(biāo)準(zhǔn)驗(yàn)證框架，鑒于很多系統(tǒng)的PAM庫(kù)都有內(nèi)存漏洞，所以不建 議使用。pam pam_auth = radiusdUNIX系統(tǒng)用戶的 認(rèn)證模塊unix cache = nocache_reload = 600passwd = /etc/passwdshadow = /etc/shadowgroup = /etc/groupradwtmp = $logdir/radwtmpEAP 模塊詳細(xì)見 $confdir/eap.conf$INCLUDE $confdir/eap.confMSCHAP 模塊mschap #use_mppe = no#require_encryption = yes#r

12、equire_strong = yes#為了糾正window發(fā)送chap時(shí)有時(shí)包括域，有時(shí)又不包括域的信息.#with_ntdomain_hack = no#ntlm_auth = /path/to/ntlm_auth-request-nt-key-username=%Stripped-User-Name:-%User-Name:-None-challenge=%mschap:Challenge:-00-nt-response=%mschap:NT-Response:-00”LDAP配置模塊LDAP模塊只能在Access-Request packet中包含明文密碼屬性才可以被使用。LDAP 認(rèn)

13、證不能在其他任何認(rèn)證方法中使用。具體配置詳見下屬章節(jié)。（參看doc/rlm_ldap）。passwd 模塊Passwd模塊允許通過任何passwd樣式的文件進(jìn)行授權(quán)，并可以從這些模塊中提取屬性 信息。smbpasswd 例子#passwd etc_smbpasswd filename = /etc/smbpasswdformat =*User-Name:LM-Password:NT-Password:SMB-Account-CTRL-TEXT:authtype = MS-CHAPhashsize = 100ignorenislike = noallowmultiplekeys = no#pas

14、swd etc_group # filename = /etc/groupformat = =Group-Name:*, User-Namehashsize = 50ignorenislike = yesallowmultiplekeys = yesdelimiter =:#1.3.9 Realm 模塊應(yīng)用在代理上.You can have multiple instances of the realm module to support multiple realm syntaxs at the same time. The search order is defined by the or

15、der in the authorize and preacct sections.realm IPASS format = prefixdelimiter = /ignore_default = noignore_null = nousernamerealm#realm suffix format = suffixdelimiter = ignore_default = noignore_null = nousername%realm#realm realmpercent format = suffix delimiter = % ignore_default = no ignore_nul

16、l = nodomainuser#realm ntdomain format = prefix delimiter = ignore_default = no ignore_null = no1.3.10簡(jiǎn)單值檢查模塊(checkval)It can be used to check if an attribute value in the request matches a (possibly multi valued) attribute in the check items This can be used for example for caller-id authentication

17、. For the module to run both the request attribute and the check items attribute must exist.checkval The attribute to look for in the requestRequest包中查找的屬性名稱item-name = Calling-Station-IdThe attribute to look for in check items. Can be multi valuedCheck表中查找的屬性名稱check-name = Calling-Station-IdThe dat

18、a type. Can be#數(shù)據(jù)類型的種類string，integer，ipaddr，date，abinary，octetsdata-type = stringIf set to yes and we dont find the item-name attribute in therequest then we send back a reject#如果設(shè)置為yes，我們不在request包中查找屬性名稱直接發(fā)送reject.DEFAULT is no#notfound-reject = no1.3.11 從寫屬性模塊(attr_rewrite)從寫任何包，在認(rèn)證和計(jì)費(fèi)時(shí)都很有用.在拿到包后

19、，可以從寫包里屬性的內(nèi)容.#attr_rewrite sanecallerid attribute = Called-Station-Idmay be packet， reply， proxy， proxy_reply or config# searchin = packetsearchfor = + replacewith =ignore_case = nonew_attribute = nomax_matches = 10# If set to yes then the replace string will be appended to the original stringappend

20、 = no#1.3.12 預(yù)處理 radius 請(qǐng)求模塊(preprocess)預(yù)處理Radius請(qǐng)求，在交付其他模塊處理前.包含這兩個(gè)配置文件.可以從寫那些由一些 NAS添加的很奇怪的屬性.然后把這些屬性轉(zhuǎn)換到一個(gè)形態(tài)。參見第二章。配置實(shí)例：preprocess huntgroups = $confdir/huntgroupshints = $confdir/hintswith_ascend_hack = noascend_channels_per_line = 23with_ntdomain_hack = nowith_specialix_jetstream_hack = nowith_c

21、isco_vsa_hack = no1.3.13用戶文件模塊(files) files usersfile = $confdir/users acctusersfile = $confdir/acct_userspreproxy_usersfile = $confdir/preproxy_userscompat = no1.3.14日志信息記錄模塊(detail)將計(jì)費(fèi)信息詳細(xì)記錄到文件上，按照設(shè)定時(shí)間，每隔一個(gè)時(shí)段生成一個(gè)新文件記錄.detail detailfile = $radacctdir/%Client-IP-Address/detail-%Y%m%ddetailperm = 060

22、0#suppress # User-Password#將認(rèn)證信息詳細(xì)記錄到文件上，按照設(shè)定時(shí)間，每隔一個(gè)時(shí)段生成一個(gè)新文件記錄.detail auth_log detailfile = $radacctdir/%Client-IP-Address/auth-detail-%Y%m%dThis MUST be 0600， otherwise anyone can readthe users passwords!detailperm = 0600將相應(yīng)(日。？日)信息詳細(xì)記錄到文件上，按照設(shè)定時(shí)間，每隔一個(gè)時(shí)段生成一個(gè)新文件記錄detail reply_log detailfile = $rada

23、cctdir/%Client-IP-Address/reply-detail-%Y%m%dThis MUST be 0600,This MUST be 0600,the users passwords!detailperm = 0600 This module logs packets proxied to a home server.detail pre_proxy_log detailfile = $radacctdir/%Client-IP-Address/pre-proxy-detail-%Y%m%dThis MUST be 0600, otherwise anyone can rea

24、dthe users passwords!detailperm = 0600 This module logs response packets from a home server.detail post_proxy_log detailfile = $radacctdir/%Client-IP-Address/post-proxy-detail-%Y%m%dThis MUST be 0600, otherwise anyone can readthe users passwords!detailperm = 0600SQL日志記錄模塊(sql_log)The rlm_sql_log mod

25、ule appends the SQL queries in a log file which is read later by the radsqlrelay program.它只是將sql語(yǔ)句寫到文件里，而后由radsqlrelay程序讀取.參看計(jì)費(fèi)唯一 sessionid 模塊針對(duì)NAS不停重復(fù)Acct-Session-Id values造成混淆的問題，建立唯一的計(jì)費(fèi)sessionid acct_unique key = User-Name， Acct-Session-Id，NAS-IP-Address， Client-IP-Address， NAS-PortSQL 模塊通過$INCLU

26、DE來把數(shù)據(jù)庫(kù)的模塊的配置文件鏈接進(jìn)來.The following configuration file is for use with MySQL.#For Postgresql， use: $confdir/postgresql.confFor MS-SQL， use: $confdir/mssql.confFor Oracle， use: $confdir/oraclesql.conf$INCLUDE $confdir/sql.confRadutmp 模塊記錄了那些在線用戶的用戶名，以及他們從哪里登陸的信息.實(shí)例 1 radutmpradutmp filename = $logdir/r

27、adutmpusername = %User-Namecase_sensitive = yescheck_with_nas = yes perm = 0600callerid = yes實(shí)例2 Safe radutmpradutmp sradutmp filename = $logdir/sradutmpperm = 0644callerid = no1.3.19屬性過濾模塊屬性過濾模塊，過濾從代理raidus服務(wù)器那里收到響應(yīng)信息里的屬性，來確保我們可以發(fā) 送回給我們的Radius客戶端，詳細(xì)見attrs配置文件.attr_filter attrsfile = $confdir/attrs1

28、.3.20計(jì)數(shù)模塊從計(jì)費(fèi)包信息中拿去一個(gè)屬性及它的值，統(tǒng)計(jì)這個(gè)屬性不同值的總數(shù).counter daily filename = $raddbdir/db.dailykey = User-Namecount-attribute = Acct-Session-Timereset = dailycounter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 50001.3.21 SQL計(jì)數(shù)模塊該模塊所需要的信息都儲(chǔ)存raddacct表中。它

29、并不進(jìn)行在數(shù)據(jù)庫(kù)中插入數(shù)據(jù)項(xiàng)和更新數(shù)據(jù) 項(xiàng)，它完全依賴SQL模塊來處理計(jì)費(fèi)信息包。(具體請(qǐng)參照SQL模塊配置分析第七章)例1sqlcounter dailycounter counter-name = Daily-Session-Timecheck-name = Max-Daily-Sessionsqlmod-inst = sqlkey = User-Namereset = dailyquery = SELECT SUM(AcctSessionTime - GREATEST(%b - UNIX_TIMESTAMP(AcctStartTime), 0) FROM radacct WHERE Us

30、erName= %k AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime %b 例2sqlcounter monthlycounter counter-name = Monthly-Session-Timecheck-name = Max-Monthly-Sessionsqlmod-inst = sqlkey = User-Namereset = monthly query = SELECT SUM(AcctSessionTime - GREATEST(%b - UNIX_TIMESTAMP(AcctStartTime), 0) FROM r

31、adacct WHERE UserName= %k AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime %bAlways 模塊為了測(cè)試用的Always模塊，不做任何事情.always fail rcode = failalways reject rcode = rejectalways ok rcode = oksimulcount = 0mpp = noExpression 模塊(expr)This module is useful only for xlat .expr Digest 模塊 目前沒有配置Digest authenticat

32、ion against a Cisco SIP server.1.3.25外部程序執(zhí)行模塊(exec)This module is useful only for xlat可以將外界程序運(yùn)行的結(jié)果賦予給屬性值.如:Attribute-Name = %exec:/path/to/program argsexec wait = yesinput_pairs = request例 This is a more general example of the execute module.exec echo wait = yesprogram = /bin/echo %User-Nameinput_pa

33、irs = requestoutput_pairs = replyIP地址池模塊服務(wù)器端IP地址池管理，應(yīng)該在post-auth和accounting域應(yīng)該被添加.例:ippool main_pool range-start = range-stop = 54netmask = cache-size = 800session-db = $raddbdir/db.ippoolip-index = $raddbdir/db.ipindexoverride = nomaximum-timeout = 01.4關(guān)鍵域?qū)嵗?Instantiation)這部分的目的是裝載模塊，那些被列在該域的模塊講在

34、authorize, authenticate，等域 之前裝載.本部分并不是必須步驟.instantiate execexprauthorize 域The preprocess module takes care of sanitizing some bizarre attributes in the request， and turning them into attributes which are more standard. It takes care of processing the raddb/hints and the raddb/huntgroups files. It al

35、so adds the %Client-IP-Address attribute to the request.這個(gè)預(yù)處理模塊解決對(duì)request包中的那些奇怪的屬性的處理，并把這些奇怪的屬性放到 標(biāo)準(zhǔn)的屬性中.它同樣處理hints與huntgroups文件.并在request包中添加%Client-IP-Address屬性.authorize preprocessauth_logattr_filterChapMschapdigestIPASSsuffixntdomainEapFilesSqletc_smbpasswdldapdailycheckvalAuthentication 域這部分列出

36、驗(yàn)證所需要的模塊.但各個(gè)模塊并不是按照順序進(jìn)行嘗試的.它的含義是在 authorize域添加一份配置屬性Auth-Type := FOO.這個(gè)驗(yàn)證類型用來拿去域模塊列表 中合適的模塊.一般來說，不應(yīng)該設(shè)置Auth-Type屬性.Radius服務(wù)器會(huì)自己來判斷， 然后做正確的事.Auth-Type 一般來說，不正確設(shè)置的最普通效果就是只有一種認(rèn)證方法 運(yùn)行，其他的全部失敗.手動(dòng)設(shè)置Auth-Type attribute的原因一般為要強(qiáng)制拒絕用戶，或者強(qiáng)制通過認(rèn)證用戶.authenticate Auth-Type PAP papAuth-Type CHAP chapAuth-Type MS-CHA

37、P mschapdigestpamUnixAuth-Type LDAP ldapeapPre-accounting 域決定用何種計(jì)費(fèi)方式preacct preprocessacct_uniqueIPASSsuffixntdomainfilesAccounting 域accounting 建立packets的詳細(xì)日志記錄那些代理的計(jì)費(fèi)requests，并在detail文件中記錄detaildailyUpdate the wtmp file#如果你不使用radlast，你就不能刪掉下面這行unix#For Simultaneous-Use tracking.#Due to packet losse

38、s in the network，the data heremay be incorrect. There is little we can do about it.#由于網(wǎng)絡(luò)上數(shù)據(jù)包的丟失，這里的數(shù)據(jù)有可能會(huì)不正確，對(duì)此我們無(wú)能為力radutmpsradutmpReturn an address to the IP Pool when we see a stop record.#當(dāng)我們看到停止記錄時(shí)向IP Pool中返回地址信息main_pool#Log traffic to an SQL database.#向SQL數(shù)據(jù)庫(kù)中記錄日志#See Accounting queries in sq

39、l.conf#在sql.conf中查看”計(jì)費(fèi)queries”sql#Instead of sending the query to the SQL server，write it into a log file.#除了向SQL數(shù)據(jù)庫(kù)中寫入query信息，還可以將信息寫入log file來代替.sql_logCisco VoIP specific bulk accountingpgsql-voipSession 域Session database， used for checking Simultaneous-Use. Either the radutmpor rlm_sql module ca

40、n handle this.The rlm_sql module is *much* fasterSession數(shù)據(jù)庫(kù)用來檢查用戶的并發(fā)使用.不論是Radutmp還是rlm_sql模塊都在這里 被處理，rlm_sql模塊相比來說速度更快.session radutmp#See Simultaneous Use Checking Querie in sql.confsqlpost-auth 域Post-AuthenticationOnce we KNOW that the user has been authenticated, there areadditional steps we can

41、take.當(dāng)用戶已經(jīng)通過前面的認(rèn)證過程，我們還可以額外添加一些步驟.post-auth Get an address from the IP Pool.#從IP Pool中拿到地址main_pool#If you want to have a log of authentication replies，un-comment the following line， and the detail reply_log#如果你想獲得一個(gè)認(rèn)證replies信息的日志記錄，解除掉這行與detail reply_log的 注釋.section， above.reply_log#After authentic

42、ating the user， do another SQL query.#在認(rèn)證用戶后，進(jìn)行另外的SQL querySee Authentication Logging Queries in sql.conf詳細(xì)請(qǐng)看 sql.conf 文件中Authentication Logging Queries部分.sql#Instead of sending the query to the SQL server,write it into a log file.#除了向數(shù)據(jù)庫(kù)中寫入query信息，還可以寫在文件中作為代替.#sql_log#Un-comment the following if y

43、ou have setedir_account_policy_check = yes in the ldap module sub-section ofthe modules section.如果你設(shè)置了edir_account_policy_check = yes在 ldap 模塊的域中（見上）.#ldap#Access-Reject packets are sent through the REJECT sub-section of thepost-auth section.Uncomment the following and set the module name to the lda

44、p instancename if you have set edir_account_policy_check = yes in the ldapmodule sub-section of the modules section.#如果你設(shè)置了edir_account_policy_check = yes在ldap模塊的域中，請(qǐng)解除下面 的注釋信息Post-Auth-Type REJECT insert-module-name-herepre-proxy 域When the server decides to proxy a request to a home server,the prox

45、ied request is first passed through the pre-proxystage. This stage can re-write the request, or decide tocancel the proxy.#Only a few modules currently have this method.pre-proxy attr_rewriteUncomment the following line if you want to change attributesas defined in the preproxy_users file.filesIf yo

46、u want to have a log of packets proxied to a homeserver, un-comment the following line, and thedetail pre_proxy_log section, above.pre_proxy_logpost-proxy 域# When the server receives a reply to a request it proxiedto a home server, the request may be massaged here, in thepost-proxy stage.#post-proxy

47、 If you want to have a log of replies from a home server,un-comment the following line, and the detail post_proxy_logsection, above.post_proxy_logattr_rewriteUncomment the following line if you want to filter replies fromremote proxies based on the rules defined in the attrs file.attr_filter#If you

48、are proxying LEAP, you MUST configure the EAPmodule, and you MUST list it here, in the post-proxystage.#You MUST also use the nostrip option in the realmconfiguration. Otherwise, the User-Name attributein the proxied request will not match the user namehidden inside of the EAP packet, and the end se

49、rver willreject the EAP request.# eapSql.conf文件配置說明sql driver = rlm_sql_mysql /*使用的數(shù)據(jù)庫(kù)類型，當(dāng)前表示MySQLserver = /*數(shù)據(jù)庫(kù)服務(wù)器地址login = root/*連接數(shù)據(jù)庫(kù)使用的用戶名password = /*連接數(shù)據(jù)庫(kù)的密碼radius_db = radius/* 數(shù)據(jù)庫(kù)名稱acct_table1 = radacct/*計(jì)費(fèi)開始時(shí)寫記錄到此表acct_table2 = radacct/*計(jì)費(fèi)結(jié)束時(shí)寫記錄到此表num_sql_socks = 5/*啟動(dòng)數(shù)據(jù)庫(kù)連接數(shù)量#Authorization

50、Queries#These queries compare the check items for the userin $authcheck_table and setup the reply items in$authreply_table. You can use any query/tablesyou want, but the return data for each row MUSTbe in the following order:#0. Row ID (currently unused)1. UserName/GroupName2. Item Attr Name3. Item

51、Attr Value4. Item Attr Operation#authorize_check_query=call online_is(%SQL-User-Name,%Calling-Station-Id,a)authorize_reply_query = SELECT id, UserName, Attribute, Value, op FROM $authreply_table WHERE Username = BINARY%SQL-User-Name ORDER BYid#Accounting Queries#accounting_onoff_query - query for Ac

52、counting On/Off packetsaccounting_update_query - query for Accounting update packetsaccounting_update_query_alt - query for Accounting update packets(alternate in case first query fails)accounting_start_query - query for Accounting start packetsaccounting_start_query_alt - query for Accounting start

53、 packets(alternate in case first query fails)accounting_stop_query- query for Accounting stop packetsaccounting_stop_query_alt - query for Accounting start packets(alternate in case first query doesntaffect any existing rows in the table)#accounting_onoff_query = UPDATE $acct_table1 SET AcctStopTime

54、=%S, AcctSessionTime=unix_timestamp(%S)-unix_timestamp(AcctStartTime),accounting_update_query = accounting_update_query = UPDATE $acct_table1 SET FramedIPAddressAcctSessionTimeAcctInputOctets=%Framed-IP-Address, =%Acct-Session-Time, =%Acct-Input-Gigawords:-0 32 I %Acct-Input-Octets:-0, AcctOutputOct

55、ets=%Acct-Output-Gigawords:-0 32 I %Acct-Output-Octets:-0 WHERE AcctSessionId = %Acct-Session-Id AND UserName= %SQL-User-Name AcctOutputOctetsaccounting_update_query_alt = accounting_update_query_alt = INSERT INTO $acct_table1 (AcctSessionId,Realm, NASPortType, AcctAuthentic,AcctUniqueId,NASIPAddres

56、s, AcctStartTime,AcctUniqueId,NASIPAddress, AcctStartTime,NASPortId, AcctSessionTime, ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, XAscendSessionSvrKey) VALUES (%Acct-Session-Id, %Acct-Unique-Se

57、ssion-Id, %SQL-User-Name, %Realm, %NAS-IP-Address, %NAS-Port, %NAS-Port-Type, DATE_SUB(%S, INTERVAL (%Acct-Session-Time:-0 + %Acct-Delay-Time:-0) SECOND), %Acct-Session-Time, %Acct-Authentic, , %Acct-Input-Gigawords:-0 32 I %Acct-Input-Octets:-0, %Acct-Output-Gigawords:-0 32 I %Acct-Output-Octets:-0

58、, %Called-Station-Id, %Calling-Station-Id, %Service-Type, %Framed-Protocol, %Framed-IP-Address, 0, %X-Ascend-Session-Svr-Key)accounting_start_query = AcctUniqueId,NASIPAddress,AcctUniqueId,NASIPAddress,AcctStartTime,AcctAuthentic,UserName, NASPortId, UserName, NASPortId, AcctStopTime, ConnectInfo_st

59、art, CallingStationId, AcctTerminateCause, FramedProtocol, FramedIPAddress, CallingStationId, AcctTerminateCause, FramedProtocol, FramedIPAddress, AcctStopDelay, XAscendSessionSvrKey) (%Acct-Session-Id, %Acct-Unique-Session-Id, %SQL-User-Name, %Realm, %NAS-IP-Address, %NAS-Port, %NAS-Port-Type, %S,

60、0, 0, %Acct-Authentic, %Connect-Info, ,0, 0, %Called-Station-Id, %Calling-Station-Id, , %Service-Type, %Framed-Protocol, %Framed-IP-Address, %Acct-Delay-Time:-0, 0, %X-Ascend-Session-Svr-Key)accounting_start_query_alt = UPDATE $acct_table1 SET AcctStartTime = %S, AcctStartDelay = %Acct-Delay-Time, C