Understanding Meta Configuration Structure
This article describes the structure of the database tables that store ClearBox configuration. Almost every field has an equivalent in the Configurator GUI. The reference syntax is [Object type].[Element 1].[Element 2]..., where an element may be a tab, a button, an input box name, etc. For example, the [Realm].[Authentication].[Domain] value is reached by selecting a realm and switching to the 'Authentication' tab, where it is placed in the 'Domain' box.

These tables can be created by running the \AAA\meta.sql script.
Hosts
A host is a RADIUS client or a remote RADIUS server. If it is a client host, it should be referenced by an appropriate entry in the Clients table.

| Field | Description |
| --- | --- |
| ID | Counter, serves as a host name ([RADIUS server].[RADIUS server ID]). |
| IPAddress | IP address of the host/client ([Client].[Client IP address]/[RADIUS server].[Server IP address]). |
| RADIUSSecret | Shared secret ([Client].[Shared secret]). Note that meta configuration doesn't separate authentication and accounting secrets. |
| Retries | If the host is a remote RADIUS server, the number of attempts ClearBox should make to resend requests ([RADIUS server].[Forwarding retries]), NULL otherwise. |
| WaitForReply | If the host is a remote RADIUS server, the number of seconds ClearBox should wait before resending requests ([RADIUS server].[Wait for response before retrying]), NULL otherwise. |
| RADAuthenPort | If the host is a remote RADIUS server, its authentication UDP port ([RADIUS server].[Authentication server port]), NULL otherwise. |
| RADAcctPort | If the host is a remote RADIUS server, its accounting UDP port ([RADIUS server].[Accounting server port]), NULL otherwise. |
| MaxProxyFails | If the host is a remote RADIUS server and some realm is configured to proxy-forward requests to several hosts, including this one, ClearBox tries them in order. If it fails to receive a response from this server this number of times, it switches to the next server in the list ([RADIUS server].[Maximum forwarding retries]). |
Clients
There should be an entry in the Hosts table for each RADIUS client. If a host is not referenced in Clients.HostID, it's treated as a RADIUS server.

| Field | Description |
| --- | --- |
| ID | Counter, serves as a client name ([Client].[Client ID]). |
| HostID | References the client host from the Hosts table by the Hosts.ID field. |
| DefaultRealm | References the default realm for this client from the Realms table by the Realms.ID field ([Client].[Default realm]). |
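A host that is left out of Clients silently becomes a remote RADIUS server, so the two tables are worth cross-checking before ClearBox reloads them. The following is an added example, not ClearBox code: it classifies hosts the way the article describes and reports dangling references and server-only columns that disagree with a host's role. The rows are constructed sample data using only the column names from the tables above.

```python
"""Consistency checks over the Hosts and Clients meta tables.

Added example, not ClearBox code.  Rows are constructed sample data using
only the column names from the article; None stands for a NULL column.
"""

HOSTS = [
    {"ID": 1, "IPAddress": "192.0.2.10", "RADIUSSecret": "nas1-secret",
     "Retries": None, "WaitForReply": None, "RADAuthenPort": None, "RADAcctPort": None},
    {"ID": 2, "IPAddress": "198.51.100.5", "RADIUSSecret": "upstream-secret",
     "Retries": 3, "WaitForReply": 5, "RADAuthenPort": 1812, "RADAcctPort": 1813},
    # Listed as a client below, yet carries server-only values.
    {"ID": 3, "IPAddress": "192.0.2.11", "RADIUSSecret": "nas2-secret",
     "Retries": 3, "WaitForReply": 5, "RADAuthenPort": None, "RADAcctPort": None},
]
CLIENTS = [
    {"ID": 1, "HostID": 1, "DefaultRealm": 1},
    {"ID": 2, "HostID": 3, "DefaultRealm": 7},  # realm 7 is not in Realms
    {"ID": 3, "HostID": 9, "DefaultRealm": 1},  # host 9 is not in Hosts
]
REALM_IDS = {1, 2}  # stands in for the Realms.ID column

# Fields the article describes as set for remote servers and NULL otherwise.
SERVER_ONLY = ("Retries", "WaitForReply", "RADAuthenPort", "RADAcctPort")


def classify_hosts(hosts, clients):
    """Hosts referenced by Clients.HostID are clients; every other host is a remote server."""
    client_host_ids = {c["HostID"] for c in clients}
    return {h["ID"]: ("client" if h["ID"] in client_host_ids else "server") for h in hosts}


def check_meta(hosts, clients, realm_ids):
    """Return a list of problems; an empty list means the three tables agree."""
    problems = []
    host_ids = {h["ID"] for h in hosts}
    for c in clients:
        if c["HostID"] not in host_ids:
            problems.append(f"Clients.ID={c['ID']}: HostID {c['HostID']} is not in Hosts")
        if c["DefaultRealm"] not in realm_ids:
            problems.append(f"Clients.ID={c['ID']}: DefaultRealm {c['DefaultRealm']} is not in Realms")
    roles = classify_hosts(hosts, clients)
    for h in hosts:
        if roles[h["ID"]] == "server":
            # A NAS that was never added to Clients lands here and is treated as a server.
            missing = [f for f in SERVER_ONLY if h[f] is None]
            if missing:
                problems.append(f"Hosts.ID={h['ID']}: treated as remote server but NULL in {', '.join(missing)}")
        else:
            stray = [f for f in SERVER_ONLY if h[f] is not None]
            if stray:
                problems.append(f"Hosts.ID={h['ID']}: client host with non-NULL {', '.join(stray)}")
    return problems


if __name__ == "__main__":
    for problem in check_meta(HOSTS, CLIENTS, REALM_IDS):
        print(problem)
```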
DataSources
Each table row describes exactly one data source.

| Field | Description |
| --- | --- |
| ID | Counter, serves as a data source name ([Data source].[Data Source ID]). |
| Type | Data source type. Can be mssql (MS SQL Server), msaccess (MS Access), odbc (ODBC data source) or oledb (OLE DB data source). |
| Path | If Type=msaccess, specifies the database file location ([Data source].[Database path]), NULL otherwise. |
| DSN | If Type=odbc, the system DSN of the data source ([Data source].[System DSN]), NULL otherwise. |
| Server | If Type=mssql, the MS SQL Server name ([Data source].[SQL server]), NULL otherwise. |
| ConnectionString | If Type=oledb, the OLE DB connection string ([Data source].[Connection string]), NULL otherwise. |
| Catalog | If Type=mssql, defines the database name ([Data source].[Database]), NULL otherwise. |
| [User] | Optional user name ([Data source].[User name]). |
| [Password] | Optional user password ([Data source].[User password]). |
| WindowsAuthentication | If not zero and Type=mssql, the ClearBox service is authenticated by MS SQL Server with its Windows account credentials rather than with the user name/password ([Data source].[Use Windows authentication]). |
| DelayedConnection | If not zero, ClearBox connects to the data source during its startup ([Data source].[Delayed connection]). |
| ReconnectOnError | If not zero, ClearBox reconnects to the data source if it fails to issue a SQL command ([Data source].[Automatically reconnect on errors]). |
StateServers
Each table row describes exactly one state server.

| Field | Description |
| --- | --- |
| ID | Counter, serves as a state server name ([State server].[State Server ID]). |
| DataSourceID | References the used data source from the DataSources table by the DataSources.ID field ([State server].[Data source ID]). |
| AddUserQuery | SQL command issued when a user session is started ([State server].[Session is started SQL command]). |
| UpdateUserQuery | SQL command issued when ClearBox receives an interim accounting record for a user session ([State server].[Session is in progress SQL command]). |
| RemoveUserQuery | SQL command issued when a user session is terminated ([State server].[Session is terminated SQL command]). |
| ClearAllQuery | SQL command issued when a NAS is rebooted ([State server].[Accounting is stopped SQL command]). |
| CountUsersQuery | SQL command issued to count the number of concurrent user sessions ([State server].[Get concurrent sessions number query]). |
Realms
Each table row describes exactly one realm.

| Field | Description |
| --- | --- |
| ID | Counter, serves as a realm name ([Realm].[Realm Rules].[Realm ID]). |
| Default | If not zero, the realm is the default one ([Realm].[Realm Rules].[Default realm]). |
| RewriteType | If not NULL, may be fromattribute (treat some attribute value as the user name) or rewrite (use a regular expression to rewrite the user name) ([Realm].[Realm Rules].[Rewrite User Name]). |
| ReturnTranslatedName | If not zero, ClearBox returns the new user name in Access-Accept (if changed by rewriting) ([Realm].[Realm Rules].[Rewrite User Name].[Return this name in Access-Accept]). |
| TakeUserNameFrom | If RewriteType=fromattribute, specifies the name of the source attribute ([Realm].[Realm Rules].[Rewrite User Name].[Take the user name value from]). |
| RewriteRule | If RewriteType=rewrite, specifies the regular expression according to which the user name is transformed ([Realm].[Realm Rules].[Rewrite User Name].[Rewrite User-Name according to this rule]). |
| StateServerID | May reference a state server from the StateServers table by the StateServers.ID field ([Realm].[Authentication].[State server ID]). |
| Priority | As the realm order is significant, ClearBox sorts the realms by this field in ascending order. |
RealmCommons
There should exist only one row in this table, containing common settings for all realms.

| Field | Description |
| --- | --- |
| UseRuntime | If not zero, ClearBox uses SelectQuery to select a realm ID for processing an incoming request ([Dynamic realm rules].[Use SQL command to query for realm IDs]). |
| DataSourceID | If UseRuntime=1, references the data source from the DataSources table by the DataSources.ID field ([Dynamic realm rules].[Data source]). |
| SelectQuery | If UseRuntime=1, ClearBox runs this query to select the proper realm name (i.e. Realms.ID) ([Dynamic realm rules].[SQL command]). |
| DiscardDataSourceID | If LogDiscarded=1, references the data source from the DataSources table by the DataSources.ID field ([Error reporting].[Data source]). |
| LogDiscarded | If not zero, ClearBox runs Query to log a discarded request (or a response from a remote RADIUS server) ([Error reporting].[Use SQL command to log discarded packets]). |
| Query | If LogDiscarded=1, ClearBox runs this query to log a discarded request ([Error reporting].[SQL command]). |
RealmRules
There should exist only one row per realm.

| Field | Description |
| --- | --- |
| ID | Counter. |
| RealmID | References the owning realm from the Realms table by the Realms.ID field. |
| Type | Can be username (select the RealmID realm according to the user name format), attribute (select the RealmID realm if some attributes listed in RealmRulesAttributes match the rules) or none (the realm is selected only if it is specified in some Clients.DefaultRealm entry or Realms.Default=1) ([Realm].[Realm Rules].[Realm matching rule]). |
| StripDomain | If not zero and Type=username, ClearBox discards the domain part of the user name ([Realm].[Realm rules].[By domain name].[Strip off domain name]). |
| ChangeUserName | If not zero, ClearBox returns the new user name in Access-Accept if the domain part was stripped off ([Realm].[Realm rules].[By domain name].[Return changed name in Access-Accept]). |
| Delimiter | If Type=username, the string, like @ or \\, separating the domain part from the user name ([Realm].[Realm rules].[By domain name].[Domain delimiter]), NULL otherwise. |
| DomainSuffix | If Type=username and the domain part is a suffix, the domain part of the user name, like domain.com in user@domain.com ([Realm].[Realm rules].[By domain name].[Domain]), NULL otherwise. |
| DomainPrefix | If Type=username and the domain part is a prefix, the domain part of the user name, like DOMAIN in NTDOMAIN\\WINUSER ([Realm].[Realm rules].[By domain name].[Domain + Domain name comes first]), NULL otherwise. |
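The domain-name matching that the Type=username fields describe, as an added example that is not ClearBox code: Delimiter splits the name, DomainSuffix covers user@domain forms, DomainPrefix covers DOMAIN\user forms, StripDomain decides what name is authenticated and ChangeUserName whether the stripped name goes back in Access-Accept. Case-insensitive domain comparison is this example's assumption, and the rule rows are constructed sample data already sorted by Realms.Priority.

```python
"""User-name based realm selection (RealmRules.Type=username).

Added example, not ClearBox code.  It applies the fields described above:
Delimiter splits the name, DomainSuffix handles user@domain forms and
DomainPrefix handles DOMAIN\\user forms, StripDomain drops the domain part,
and ChangeUserName tells whether the stripped name goes back in Access-Accept.
Case-insensitive domain comparison is this example's assumption.  Rule rows
are constructed sample data.
"""
from typing import Optional, Tuple


def match_username_rule(rule: dict, user_name: str) -> Optional[Tuple[str, bool]]:
    """Return (name to authenticate, return changed name in Access-Accept) or None if no match."""
    if rule["Type"] != "username":
        return None  # 'attribute' and 'none' realms are selected by other means
    delim = rule["Delimiter"]
    if not delim or delim not in user_name:
        return None
    if rule["DomainSuffix"] is not None:
        # user@domain.com: the domain is whatever follows the last delimiter
        name, _, domain = user_name.rpartition(delim)
        expected = rule["DomainSuffix"]
    elif rule["DomainPrefix"] is not None:
        # NTDOMAIN\WINUSER: the domain is whatever precedes the first delimiter
        domain, _, name = user_name.partition(delim)
        expected = rule["DomainPrefix"]
    else:
        return None  # a username rule needs one of the two domain fields
    if domain.lower() != expected.lower():
        return None
    if rule["StripDomain"]:
        return name, bool(rule["ChangeUserName"])
    return user_name, False  # domain kept, so nothing changes in Access-Accept


# Constructed RealmRules rows, already ordered by Realms.Priority ascending.
RULES = [
    {"RealmID": 10, "Type": "username", "StripDomain": 1, "ChangeUserName": 1,
     "Delimiter": "@", "DomainSuffix": "example.com", "DomainPrefix": None},
    {"RealmID": 20, "Type": "username", "StripDomain": 1, "ChangeUserName": 0,
     "Delimiter": "\\", "DomainSuffix": None, "DomainPrefix": "CORP"},
    {"RealmID": 30, "Type": "username", "StripDomain": 0, "ChangeUserName": 0,
     "Delimiter": "@", "DomainSuffix": "partner.net", "DomainPrefix": None},
    {"RealmID": 40, "Type": "none", "StripDomain": 0, "ChangeUserName": 0,
     "Delimiter": None, "DomainSuffix": None, "DomainPrefix": None},
]


def select_realm(rules, user_name):
    """First rule that matches wins; returns (RealmID, name, return_changed) or None."""
    for rule in rules:
        hit = match_username_rule(rule, user_name)
        if hit is not None:
            return rule["RealmID"], hit[0], hit[1]
    return None  # fall back to Clients.DefaultRealm / Realms.Default
```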
RealmRulesAttributes
The table may contain multiple attributes for each existing Realms.ID.

| Field | Description |
| --- | --- |
| ID | Counter. |
| RealmID | References the appropriate realm from the Realms table by the Realms.ID field. |
| [Name] | Name of the RADIUS attribute ([Realm].[Realm rules].[By RADIUS attributes].[Attribute]). |
| [Value] | Value of the attribute, used if CompareType=equal, notequal, like or regexp ([Realm].[Realm rules].[By RADIUS attributes].[Value]). |
| Required | If not zero, the RealmID realm may be matched to a request only if this attribute matches the conditions. If zero, the realm may be matched due to other attributes matching ([Realm].[Realm rules].[By RADIUS attributes].[Required to match the realm]). |
| CompareType | Defines how the attribute is compared to attributes in an access request. May be equal (attribute values should be equal to match), notequal (attribute values should not be equal to match), present (attribute should be in the request to match), notpresent (attribute should not be in the request to match), like (attribute value in the request should start with the [Value] field) or regexp ([Value] is a regular expression) ([Realm].[Realm rules].[By RADIUS attributes].[Comparison type]). |
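The attribute-based matching of the RealmRules Type=attribute rows, as an added example that is not ClearBox code. The six CompareType values follow the table above; how rows combine is this example's reading of the Required column (every Required=1 row must match, and a realm with only Required=0 rows needs at least one of them to match), 'notequal' is taken to need the attribute present with a different value, and 'regexp' uses re.search. Rules and requests are constructed sample data.

```python
"""Attribute-based realm selection (RealmRules.Type=attribute) driven by RealmRulesAttributes rows.

Added example, not ClearBox code.  The six CompareType values follow the table above.
How rows combine is this example's reading of the Required column: every Required=1 row
must match, and a realm with only Required=0 rows needs at least one of them to match.
'notequal' is taken to need the attribute present with a different value, and 'regexp'
uses re.search.  Rules and requests are constructed sample data.
"""
import re


def attribute_matches(rule: dict, request: dict) -> bool:
    """Apply one RealmRulesAttributes row to a request given as {attribute name: [values]}."""
    values = request.get(rule["Name"], [])
    kind = rule["CompareType"]
    if kind == "present":
        return bool(values)
    if kind == "notpresent":
        return not values
    if kind == "equal":
        return rule["Value"] in values
    if kind == "notequal":
        return bool(values) and rule["Value"] not in values
    if kind == "like":  # the request value starts with [Value]
        return any(v.startswith(rule["Value"]) for v in values)
    if kind == "regexp":
        pattern = re.compile(rule["Value"])
        return any(pattern.search(v) for v in values)
    raise ValueError(f"unknown CompareType {kind!r}")


def realm_matches(rows, request) -> bool:
    """Combine the RealmRulesAttributes rows of one realm."""
    required = [r for r in rows if r["Required"]]
    optional = [r for r in rows if not r["Required"]]
    if any(not attribute_matches(r, request) for r in required):
        return False
    if required:
        return True  # all required rows matched; optional rows cannot veto
    return any(attribute_matches(r, request) for r in optional)


# Constructed rows keyed by RealmID; keys are visited in Realms.Priority order.
REALM_ATTRIBUTE_RULES = {
    10: [{"Name": "NAS-IP-Address", "Value": "192.0.2.", "CompareType": "like", "Required": 1},
         {"Name": "Called-Station-Id", "Value": r"^\+1", "CompareType": "regexp", "Required": 0}],
    20: [{"Name": "Framed-Protocol", "Value": "PPP", "CompareType": "equal", "Required": 0},
         {"Name": "NAS-Port-Type", "Value": "Wireless-802.11", "CompareType": "equal", "Required": 0}],
    30: [{"Name": "EAP-Message", "Value": None, "CompareType": "notpresent", "Required": 1}],
}


def select_realm(realm_rules, request):
    """Return the first RealmID whose rows match the request, or None."""
    for realm_id in sorted(realm_rules):
        if realm_matches(realm_rules[realm_id], request):
            return realm_id
    return None


# Constructed Access-Request: the required 'like' row of realm 10 matches, its optional row does not.
REQUEST = {"User-Name": ["alice"], "NAS-IP-Address": ["192.0.2.10"], "NAS-Port-Type": ["Ethernet"]}
```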
RealmAuthentication
There should exist only one record per realm. Each record describes authentication rules for the RealmID realm.

| Field | Description |
| --- | --- |
| ID | Counter. |
| RealmID | References the appropriate realm from the Realms table by the Realms.ID field. |
| IgnoreAuthentication | If not zero, ClearBox doesn't authenticate the realm users ([Realm].[Authentication].[Ignore user name and password]). |
| MaxSessions | If not zero and Realms.StateServerID points to a valid state server, the number of concurrent sessions for all realm users is limited to this number ([Realm].[Authentication].[Maximum number of concurrent sessions]). |
| AuthenticationSource | Can be proxyto (authenticate against a remote RADIUS server; remote RADIUS servers are defined in the RealmProxyHosts table), database (against a data source) or ntsam (against a Windows domain/workgroup). |
| Domain | If AuthenticationSource=ntsam, the authentication Windows domain or workgroup name ([Realm].[Authentication].[Authenticate against Windows domain].[Domain]), NULL otherwise. |
| LocalGroup | If AuthenticationSource=ntsam and CheckGroup=1, ClearBox checks the membership of a user in this local domain group ([Realm].[Authentication].[Authenticate against Windows domain].[Group name + Local group]), NULL otherwise. |
| GlobalGroup | If AuthenticationSource=ntsam and CheckGroup=1, ClearBox checks the membership of a user in this global domain group ([Realm].[Authentication].[Authenticate against Windows domain].[Group name + Global group]), NULL otherwise. |
| CheckGroup | If not zero and AuthenticationSource=ntsam, ClearBox checks group membership ([Realm].[Authentication].[Authenticate against Windows domain].[Check group membership]), NULL otherwise. |
| CheckDialinPermission | If not zero and AuthenticationSource=ntsam, ClearBox checks the user's permission to make dial-in calls ([Realm].[Authentication].[Authenticate against Windows domain].[Check dial-in permission]), NULL otherwise. |
| CheckLogonHours | If not zero and AuthenticationSource=ntsam, ClearBox checks the allowed logon hours for the user ([Realm].[Authentication].[Authenticate against Windows domain].[Check against allowed logon hours]), NULL otherwise. |
| ServerName | If CheckGroup=1, CheckDialinPermission=1 or CheckLogonHours=1, this should be set to the domain controller name ([Realm].[Authentication].[Authenticate against Windows domain].[Server name]), NULL otherwise. |
| DataSourceID | If AuthenticationSource=database, references the appropriate data source from the DataSources table by the DataSources.ID field ([Realm].[Authentication].[Authenticate against SQL database].[Data source ID]), NULL otherwise. |
| CaseSensitive | If not zero and AuthenticationSource=database, password checks by ClearBox are case-sensitive ([Realm].[Authentication].[Authenticate against SQL database].[Case sensitive passwords]). |
| PasswordSelectQuery | If AuthenticationSource=database, ClearBox runs this query to get a user password from the DataSourceID data source ([Realm].[Authentication].[Authenticate against SQL database].[Password selection query]), NULL otherwise. |
| PasswordCheckQuery | If AuthenticationSource=database, ClearBox runs this query to check a user password against the DataSourceID data source ([Realm].[Authentication].[Authenticate against SQL database].[Password check query]), NULL otherwise. |
| ProxyPreAuthen | If not zero and AuthenticationSource=proxyto, ClearBox runs the ProxyPreauthenQuery SQL command to authenticate a request before forwarding it to a remote server ([Realm].[Authentication].[Authenticate against remote RADIUS servers].[Use pre-authentication before forwarding]). |
| ProxyPreauthenQuery | If AuthenticationSource=proxyto and ProxyPreAuthen=1, ClearBox issues this SQL command to decide whether to forward the request or reject it immediately ([Realm].[Authentication].[Authenticate against remote RADIUS servers].[SQL command]), NULL otherwise. |
| PreauthenDatasource | If AuthenticationSource=proxyto and ProxyPreAuthen=1, references the data source from the DataSources table by the DataSources.ID field on which the ProxyPreauthenQuery command is run ([Realm].[Authentication].[Authenticate against remote RADIUS servers].[Data source ID]), NULL otherwise. |
RealmAllowedProtocols
The rows of this table list the allowed authentication protocols for the RealmID realm. If nothing is listed, all protocols are allowed.

| Field | Description |
| --- | --- |
| ID | Counter. |
| RealmID | References the appropriate realm from the Realms table by the Realms.ID field. |
| AllowedAuthenProtocol | May be pap, chap, mschap or mschap2 ([Realm].[Authentication].[Allowed protocols]). |
RealmAuthorization
There should exist only one row per realm. Each record describes authorization rules for the RealmID realm.

| Field | Description |
| --- | --- |
| ID | Counter. |
| RealmID | References the appropriate realm from the Realms table by the Realms.ID field. |
| DataSourceID | References the appropriate data source from the DataSources table by the DataSources.ID field. Note that ClearBox working in 'meta mode' doesn't support queries to different data sources in one realm. |
| RejectQuery | SQL command which loads RADIUS attribute names and values into the Reject authorization list ([Realm].[Authorization].[Black list].[Attributes by database query].[Query]). |
| CheckQuery | SQL command which loads RADIUS attribute names and values into the Check authorization list ([Realm].[Authorization].[Check list].[Attributes by database query].[Query]). |
| ResponseQuery | SQL command which loads RADIUS attribute names and values into the Response authorization list ([Realm].[Authorization].[Response list].[Attributes by database query].[Query]). |
| RejectResponseQuery | SQL command which loads RADIUS attribute names and values into the Response authorization list ([Realm].[Authorization].[Reject-Response list].[Attributes by database query].[Query]). |
RealmAccounting
There should exist only one record per realm. Each record describes accounting rules for the RealmID realm.

| Field | Description |
| --- | --- |
| ID | Counter. |
| RealmID | References the appropriate realm from the Realms table by the Realms.ID field. |
| EnableDB | If not zero, ClearBox logs accounting data to the DataSourceID database ([Realm].[Accounting].[Log packets to database]). |
| EnableProxy | If not zero, ClearBox forwards accounting requests to the remote RADIUS server specified in the RealmProxyHosts table ([Realm].[Accounting].[Proxy-forward accounting packets to these remote RADIUS servers]). |
| EnableCSV | If not zero, ClearBox logs accounting data to a CSV log file ([Realm].[Accounting].[Log packets to file]). |
| ProcessLocally | If not zero and EnableProxy=1, ClearBox honors the EnableDB and EnableCSV flags and processes forwarded requests locally as well ([Realm].[Accounting].[Proxy-forward accounting packets to these remote RADIUS servers].[Process forwarded packets locally]). |
| DataSourceID | If EnableDB=1, references the appropriate data source from the DataSources table by the DataSources.ID field ([Realm].[Accounting].[Log packets to database].[Data source ID]), NULL otherwise. |
| InsertQuery | If EnableDB=1, ClearBox runs this SQL command to process accounting data, placing it into a database table of the DataSourceID data source ([Realm].[Accounting].[Log packets to database].[Use commands]), NULL otherwise. |
| FileName | If EnableCSV=1, specifies the name of the file (without extension) where accounting data is logged ([Realm].[Accounting].[Log packets to file].[Logging options].[File name]), NULL otherwise. |
| FileExtension | If EnableCSV=1, specifies the extension of the file where accounting data is logged ([Realm].[Accounting].[Log packets to file].[Logging options].[File extension]), NULL otherwise. |
| RollOver | If EnableCSV=1, specifies how often ClearBox should switch to a new log file. Can have the following values: hourly, daily, weekly, monthly, onsize (create a new log file when the current size exceeds MaxFileSize) ([Realm].[Accounting].[Log packets to file].[Logging options].[Rollover]), NULL otherwise. |
| AutoFlush | If not zero and EnableCSV=1, ClearBox writes the received accounting data to disk immediately, without any delay ([Realm].[Accounting].[Log packets to file].[Logging options].[Auto flush data]), NULL otherwise. |
| NamePattern | If EnableCSV=1, may specify a pattern for the suffix appended to the log file name according to the current date ([Realm].[Accounting].[Log packets to file].[Logging options].[Name pattern]), NULL otherwise. |
| MaxFileSize | If EnableCSV=1 and RollOver=onsize, specifies the maximum size of the log file ([Realm].[Accounting].[Log packets to file].[Logging options].[Maximum file size]), NULL otherwise. |
| Delimiter | If EnableCSV=1, specifies the character which separates values in the log file ([Realm].[Accounting].[Log packets to file].[Logging options].[Delimiter]), NULL otherwise. |
| LogEnumeratedNames | If not zero and EnableCSV=1, ClearBox writes the string aliases of numeric RADIUS attributes when possible ([Realm].[Accounting].[Log packets to file].[Logging options].[Write names of numeric attributes if possible]). |
| LogAttributeNames | If not zero and EnableCSV=1, ClearBox writes the names of the logged attributes on the first line of the log file ([Realm].[Accounting].[Log packets to file].[Logging options].[Place attribute names in the first line of each file]). |
RealmAccountingStatus
The rows of this table define which accounting packets are logged according to the rules specified in RealmAccounting.

| Field | Description |
| --- | --- |
| RealmID | References the appropriate realm from the Realms table by the Realms.ID field. |
| AcctStatusType | Accounting status type (1 for Start, 2 for Stop, 3 for Interim Accounting). |
| EnableForProxy | If not zero, packets of this AcctStatusType may be proxy-forwarded to a remote RADIUS server specified in RealmProxyHosts ([Realm].[Accounting].[Proxy-forward accounting packets to these remote RADIUS servers].[Forwarded status types]). |
| EnableForDB | If not zero, packets of this AcctStatusType may be logged to the data source specified by RealmAccounting.DataSourceID ([Realm].[Accounting].[Log packets to database].[Logged status types]). |
| EnableForCSV | If not zero, packets of this AcctStatusType may be logged to the log file specified in RealmAccounting.FileName ([Realm].[Accounting].[Log packets to database].[Logged status types]). |
RealmAccountingAttributes
Attribute names which should be logged to a CSV file (when RealmAccounting.EnableCSV=1). The attributes of each RealmID realm are sorted by the ID field and are logged in that order.

| Field | Description |
| --- | --- |
| ID | Counter. |
| RealmID | References the appropriate realm from the Realms table by the Realms.ID field. |
| Atribute | RADIUS attribute name ([Realm].[Accounting].[Log packets to file].[Logging options].[Logged attributes]). |
RealmProxyHosts
Each record describes a host to which authentication or accounting requests are forwarded if RealmAuthentication.AuthenticationSource=proxyto or RealmAccounting.EnableProxy=1.

| Field | Description |
| --- | --- |
| ID | Counter. |
| RealmID | References the appropriate realm from the Realms table by the Realms.ID field. |
| HostID | References a remote RADIUS server from the Hosts table by the Hosts.ID field ([Realm].[Authentication].[Authenticate against remote RADIUS servers]/[Realm].[Accounting].[Proxy-forward accounting packets to these remote RADIUS servers]). |
| Authen | If Authen=1, HostID is included in the list of RADIUS servers for proxy authentication; otherwise HostID points to a remote accounting RADIUS server. |
RealmAuthenLogger
There should exist only one record per realm. Each record describes the authentication packet logging options for the RealmID realm.

| Field | Description |
| --- | --- |
| ID | Counter. |
| RealmID | References the appropriate realm from the Realms table by the Realms.ID field. |
| LogAccept | If set to 1, ClearBox logs Access-Request + Access-Accept packet attributes with the AcceptQuery SQL command ([Realm].[Logging packets].[Issue this SQL command to log Access-Accept authentication transactions]). |
| LogReject | If set to 1, ClearBox logs Access-Request + Access-Reject packet attributes with the RejectQuery SQL command ([Realm].[Logging packets].[Issue this SQL command to log Access-Reject authentication transactions]). |
| LogProxied | If set to 1, ClearBox logs attributes from proxy-forwarded packets (depending on the LogAccept and LogReject flags) ([Realm].[Logging packets].[Log proxy-forwarded requests/responses]). |
| AcceptQuery | If LogAccept=1, this SQL command is invoked to log RADIUS attributes ([Realm].[Logging packets].[Issue this SQL command to log Access-Accept authentication transactions].[Access-Accept command]). |
| RejectQuery | If LogReject=1, this SQL command is invoked to log RADIUS attributes ([Realm].[Logging packets].[Issue this SQL command to log Access-Reject authentication transactions].[Access-Reject command]). |
| DataSourceID | References the appropriate data source from the DataSources table by the DataSources.ID field ([Realm].[Logging packets].[Data source ID]). |
| LogSyslog | If set to 1, ClearBox logs request packet attributes to the syslog server specified in SyslogHost ([Realm].[Logging packets].[Enable Syslog logging]). |
| SyslogPriority | Possible values: 0 (system is unusable), 1 (action must be taken immediately), 2 (critical conditions), 3 (error conditions), 4 (warning conditions), 5 (normal but significant condition), 6 (informational), 7 (debug-level messages) ([Realm].[Logging packets].[Enable Syslog logging].[Message priority]). |
| SyslogFacility | Possible values: 0 (kernel messages), 1 (random user-level messages), 2*8 (mail system), 3*8 (system daemons), 4*8 (security/authorization messages), 5*8 (messages generated internally by syslogd), 6*8 (line printer subsystem), 7*8 (network news subsystem), 8*8 (UUCP subsystem), 9*8 (clock daemon), 10*8 (security/authorization messages (private)), 11*8 (ftp daemon), 12*8 (NTP subsystem), 16*8 (reserved for local use (local 0)), 17*8 (reserved for local use (local 1)), 18*8 (reserved for local use (...)), 19*8 ... 23*8 (reserved for local use) ([Realm].[Logging packets].[Enable Syslog logging].[Facility]). |
| SyslogHost | IP address of the syslog daemon ([Realm].[Logging packets].[Enable Syslog logging].[Syslog server IP address]). |
| SyslogFormat | Specifies the format of messages sent to the syslog daemon specified in SyslogHost. It may use special keys like $r, $c and so on, RADIUS attributes in the common format (e.g. {Calling-Station-Id}) and $a to denote the Reply-Message attribute value for an Access-Reject or 'Successful Auth' for Access-Accept packets ([Realm].[Logging packets].[Enable Syslog logging].[Message string]). |
ConfigurationModifications
Contains the dates of configuration modifications.

| Field | Description |
| --- | --- |
| ID | Counter. |
| LastModified | Add a new row with the current date in this field to tell ClearBox to reload the configuration. |

© 2001-2007 XPerience Technologies. www.xperiencetech.com