users
Friday, April 13th, 2007 at 5:00:06am UTC 

##
## radiusd.conf -- FreeRADIUS server configuration file.
##
##      http://www.freeradius.org/
##      $Id: radiusd.conf.in,v 1.188.2.4.2.12 2006/07/29 19:43:30 nbk Exp $
##

#       The location of other config files and
#       logfiles are declared in this file
#
#       Also general configuration for modules can be done
#       in this file, it is exported through the API to
#       modules that ask for it.
#
#       The configuration variables defined here are of the form ${foo}
#       They are local to this file, and do not change from request to
#       request.
#
#       The per-request variables are of the form %{Attribute-Name}, and
#       are taken from the values of the attribute in the incoming
#       request.  See 'doc/variables.txt' for more information.

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
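The two kinds of variable described above behave differently: ${foo} is resolved once when the file is loaded and never changes, while %{Attribute-Name} is taken from each incoming request and may carry a default (the LDAP filter further down uses %{Stripped-User-Name:-%{User-Name}}). The following Python is an added illustration written for this page, not FreeRADIUS code: it resolves a constructed set of directory definitions like the ones above, refuses undefined names and reference cycles, and expands per-request references with nested defaults. The optional `escape` hook and `ldap_escape` function are this example's own addition (RFC 4515 filter escaping), not a documented rlm_ldap option.

```python
import re

# Constructed sample mirroring the directory definitions at the top of
# radiusd.conf (not the page's own file).
CONFIG_TEXT = """
localstatedir = /var
sysconfdir = /etc
logdir = ${localstatedir}/log/radius     # ${foo} is a config-time variable
raddbdir = ${sysconfdir}/raddb
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
"""

# The filter line from the ldap {} section of this page.
LDAP_FILTER = "(uid=%{Stripped-User-Name:-%{User-Name}})"

CONFIG_REF = re.compile(r"\$\{([A-Za-z0-9_]+)\}")


def parse_config(text):
    """Read 'key = value' lines; blank lines and '#' comments are ignored."""
    items = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and "=" in line:
            key, _, value = line.partition("=")
            items[key.strip()] = value.strip()
    return items


def resolve_config(items):
    """Expand ${foo} references once, at load time; they never vary per request.
    Undefined names and reference cycles are rejected rather than left literal."""
    resolved = {}

    def expand(key, seen):
        if key in resolved:
            return resolved[key]
        if key in seen:
            raise ValueError("circular reference through ${%s}" % key)
        if key not in items:
            raise KeyError("undefined config variable ${%s}" % key)
        seen = seen | {key}
        resolved[key] = CONFIG_REF.sub(lambda m: expand(m.group(1), seen), items[key])
        return resolved[key]

    for key in items:
        expand(key, frozenset())
    return resolved


def check_config(text):
    """Parse and resolve a file; returns (True, values) or (False, reason)."""
    try:
        return True, resolve_config(parse_config(text))
    except (KeyError, ValueError) as exc:
        return False, str(exc)


def expand_request(template, attrs, escape=None):
    """Expand per-request %{Attr} and %{Attr:-default} references from the
    attributes of one request.  The default may itself be a %{...} reference.
    'escape' (this example's assumption, not an rlm_ldap option) is applied
    to every substituted attribute value, never to the literal template text."""
    out, i = [], 0
    while i < len(template):
        if not template.startswith("%{", i):
            out.append(template[i])
            i += 1
            continue
        depth, j = 0, i                      # find the matching close brace
        while j < len(template):
            if template.startswith("%{", j):
                depth += 1
                j += 2
                continue
            if template[j] == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        else:
            raise ValueError("unterminated %{ in template")
        name, has_default, default = template[i + 2:j].partition(":-")
        value = attrs.get(name)
        if value is None:                     # attribute absent: default or ""
            value = expand_request(default, attrs, escape) if has_default else ""
        elif escape:
            value = escape(value)
        out.append(value)
        i = j + 1
    return "".join(out)


def ldap_escape(value):
    """RFC 4515 escaping for a value inserted into an LDAP search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)
```

Resolving at load time means a typo such as ${logdr} is caught before the server starts rather than producing a literal "${logdr}/radius.log" path; the per-request expander shows why the default form matters: a request without Stripped-User-Name falls back to User-Name, and a request carrying filter metacharacters in User-Name only reaches the directory escaped.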

#
#  The logging messages for the server are appended to the
#  tail of this file.
#
log_file = ${logdir}/radius.log

#
# libdir: Where to find the rlm_* modules.
#
#   This should be automatically set at configuration time.
#
#   If the server builds and installs, but fails at execution time
#   with an 'undefined symbol' error, then you can use the libdir
#   directive to work around the problem.
#
#   The cause is usually that a library has been installed on your
#   system in a place where the dynamic linker CANNOT find it.  When
#   executing as root (or another user), your personal environment MAY
#   be set up to allow the dynamic linker to find the library.  When
#   executing as a daemon, FreeRADIUS MAY NOT have the same
#   personalized configuration.
#
#   To work around the problem, find out which library contains that symbol,
#   and add the directory containing that library to the end of 'libdir',
#   with a colon separating the directory names.  NO spaces are allowed.
#
#   e.g. libdir = /usr/local/lib:/opt/package/lib
#
#   You can also try setting the LD_LIBRARY_PATH environment variable
#   in a script which starts the server.
#
#   If that does not work, then you can re-configure and re-build the
#   server to NOT use shared libraries, via:
#
#       ./configure --disable-shared
#       make
#       make install
#
libdir = /usr/lib

#  pidfile: Where to place the PID of the RADIUS server.
#
#  The server may be signalled while it's running by using this
#  file.
#
#  This file is written ONLY when running in daemon mode.
#
#  e.g.:  kill -HUP `cat /var/run/radiusd/radiusd.pid`
#
pidfile = ${run_dir}/radiusd.pid


# user/group: The name (or #number) of the user/group to run radiusd as.
#
#   If these are commented out, the server will run as the user/group
#   that started it.  In order to change to a different user/group, you
#   MUST be root ( or have root privileges ) to start the server.
#
#   We STRONGLY recommend that you run the server with as few permissions
#   as possible.  That is, if you're not using shadow passwords, the
#   user and group items below should be set to 'nobody'.
#
#    On SCO (ODT 3) use "user = nouser" and "group = nogroup".
#
#  NOTE that some kernels refuse to setgid(group) when the value of
#  (unsigned)group is above 60000; don't use group nobody on these systems!
#
#  On systems with shadow passwords, you might have to set 'group = shadow'
#  for the server to be able to read the shadow password file.  If you can
#  authenticate users while in debug mode, but not in daemon mode, it may be
#  that the debugging mode server is running as a user that can read the
#  shadow info, and the user listed below can not.
#
user = radiusd
group = radiusd

#  max_request_time: The maximum time (in seconds) to handle a request.
#
#  Requests which take more time than this to process may be killed, and
#  a REJECT message is returned.
#
#  WARNING: If you notice that requests take a long time to be handled,
#  then this MAY INDICATE a bug in the server, in one of the modules
#  used to handle a request, OR in your local configuration.
#
#  This problem is most often seen when using an SQL database.  If it takes
#  more than a second or two to receive an answer from the SQL database,
#  then it probably means that you haven't indexed the database.  See your
#  SQL server documentation for more information.
#
#  Useful range of values: 5 to 120
#
max_request_time = 30

#  delete_blocked_requests: If the request takes MORE THAN 'max_request_time'
#  to be handled, then maybe the server should delete it.
#
#  If you're running in threaded, or thread pool mode, this setting
#  should probably be 'no'.  Setting it to 'yes' when using a threaded
#  server MAY cause the server to crash!
#
delete_blocked_requests = no

#  cleanup_delay: The time to wait (in seconds) before cleaning up
#  a reply which was sent to the NAS.
#
#  The RADIUS request is normally cached internally for a short period
#  of time, after the reply is sent to the NAS.  The reply packet may be
#  lost in the network, and the NAS will not see it.  The NAS will then
#  re-send the request, and the server will respond quickly with the
#  cached reply.
#
#  If this value is set too low, then duplicate requests from the NAS
#  MAY NOT be detected, and will instead be handled as separate requests.
#
#  If this value is set too high, then the server will cache too many
#  requests, and some new requests may get blocked.  (See 'max_requests'.)
#
#  Useful range of values: 2 to 10
#
cleanup_delay = 5

#  max_requests: The maximum number of requests which the server keeps
#  track of.  This should be 256 multiplied by the number of clients.
#  e.g. With 4 clients, this number should be 1024.
#
#  If this number is too low, then when the server becomes busy,
#  it will not respond to any new requests, until the 'cleanup_delay'
#  time has passed, and it has removed the old requests.
#
#  If this number is set too high, then the server will use a bit more
#  memory for no real benefit.
#
#  If you aren't sure what it should be set to, it's better to set it
#  too high than too low.  Setting it to 1000 per client is probably
#  the highest it should be.
#
#  Useful range of values: 256 to infinity
#
max_requests = 1024
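The interaction between cleanup_delay and max_requests is easier to see in a model than in prose. The Python below is an added example written for this page, not FreeRADIUS code: a small request cache keyed on the client address, Identifier and Request Authenticator (this example's choice of duplicate key; the server's own matching rules are not described on the page), with two constructed scenarios showing a NAS retransmission being answered from the cache or, when cleanup_delay is too short, processed a second time, and a full cache blocking a new request until an old entry ages out.

```python
# Models the request cache described under cleanup_delay and max_requests.
# Written for this page; not FreeRADIUS code.

class RequestCache:
    """Keeps each answered request for cleanup_delay seconds so that a NAS
    retransmission gets the cached reply instead of being processed again;
    holds at most max_requests entries, after which new requests are blocked."""

    def __init__(self, max_requests=1024, cleanup_delay=5):
        self.max_requests = max_requests
        self.cleanup_delay = cleanup_delay
        self.entries = {}          # key -> (reply, expiry time)

    @staticmethod
    def key(pkt):
        # Assumption of this model: a retransmitted Access-Request repeats
        # the same source, Identifier and Request Authenticator.
        return (pkt["client"], pkt["id"], pkt["authenticator"])

    def expire(self, now):
        for k in [k for k, (_, exp) in self.entries.items() if exp <= now]:
            del self.entries[k]

    def handle(self, pkt, now, process):
        """Return (status, reply): 'duplicate' replays the cached reply,
        'blocked' means the cache is full, 'new' means process() ran."""
        self.expire(now)
        k = self.key(pkt)
        if k in self.entries:
            return "duplicate", self.entries[k][0]
        if len(self.entries) >= self.max_requests:
            return "blocked", None
        reply = process(pkt)
        self.entries[k] = (reply, now + self.cleanup_delay)
        return "new", reply


def simulate_retransmit(cleanup_delay, retry_after=3.0):
    """Constructed scenario: the NAS loses the reply and retransmits after
    retry_after seconds.  Returns (first status, retry status, backend calls)."""
    cache = RequestCache(max_requests=1024, cleanup_delay=cleanup_delay)
    calls = []

    def process(pkt):
        calls.append(pkt["id"])            # stands in for the real auth work
        return "Access-Accept id=%d" % pkt["id"]

    pkt = {"client": "10.0.0.5", "id": 7, "authenticator": b"\x01" * 16}
    first, _ = cache.handle(pkt, now=0.0, process=process)
    retry, _ = cache.handle(pkt, now=retry_after, process=process)
    return first, retry, len(calls)


def simulate_full_cache():
    """Constructed scenario with max_requests=1: a second client is blocked
    until the first entry ages out after cleanup_delay."""
    cache = RequestCache(max_requests=1, cleanup_delay=5)
    process = lambda pkt: "Access-Accept"
    a = {"client": "10.0.0.5", "id": 1, "authenticator": b"a" * 16}
    b = {"client": "10.0.0.6", "id": 1, "authenticator": b"b" * 16}
    return (cache.handle(a, 0.0, process)[0],
            cache.handle(b, 1.0, process)[0],
            cache.handle(b, 6.0, process)[0])
```

With the page's cleanup_delay of 5 the retransmission at 3 seconds is served from the cache and the backend is hit once; with cleanup_delay = 2 the same retransmission is treated as a separate request and the backend does the work twice, which is exactly the "set too low" case the comment warns about.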

#  bind_address:  Make the server listen on a particular IP address, and
#  send replies out from that address.  This directive is most useful
#  for machines with multiple IP addresses on one interface.
#
#  It can either contain "*", or an IP address, or a fully qualified
#  Internet domain name.  The default is "*"
#
#  As of 1.0, you can also use the "listen" directive.  See below for
#  more information.
#
bind_address = *

#  port: Allows you to bind FreeRADIUS to a specific port.
#
#  The default port that most NAS boxes use is 1645, which is historical.
#  RFC 2138 defines 1812 to be the new port.  Many new servers and
#  NAS boxes use 1812, which can create interoperability problems.
#
#  The port is defined here to be 0 so that the server will pick up
#  the machine's local configuration for the radius port, as defined
#  in /etc/services.
#
#  If you want to use the default RADIUS port as defined on your server,
#  (usually through 'grep radius /etc/services') set this to 0 (zero).
#
#  A port given on the command-line via '-p' over-rides this one.
#
#  As of 1.0, you can also use the "listen" directive.  See below for
#  more information.
#
port = 0

#
#  By default, the server uses "bind_address" to listen to all IP's
#  on a machine, or just one IP.  The "port" configuration is used
#  to select the authentication port used when listening on those
#  addresses.
#
#  If you want the server to listen on additional addresses, you can
#  use the "listen" section.  A sample section (commented out) is included
#  below.  This "listen" section duplicates the functionality of the
#  "bind_address" and "port" configuration entries, but it only listens
#  for authentication packets.
#
#  If you comment out the "bind_address" and "port" configuration entries,
#  then it becomes possible to make the server accept only accounting,
#  or authentication packets.  Previously, it always listened for both
#  types of packets, and it was impossible to make it listen for only
#  one type of packet.
#
#listen {
        #  IP address on which to listen.
        #  Allowed values are:
        #       dotted quad (1.2.3.4)
        #       hostname    (radius.example.com)
        #       wildcard    (*)
#       ipaddr = *

        #  Port on which to listen.
        #  Allowed values are:
        #       integer port number (1812)
        #       0 means "use /etc/services for the proper port"
#       port = 0

        #  Type of packets to listen for.
        #  Allowed values are:
        #       auth   listen for authentication packets
        #       acct   listen for accounting packets
        #
#       type = auth
#}


#  hostname_lookups: Log the names of clients or just their IP addresses
#  e.g., www.freeradius.org (on) or 206.47.27.232 (off).
#
#  The default is 'off' because it would be overall better for the net
#  if people had to knowingly turn this feature on, since enabling it
#  means that each client request will result in AT LEAST one lookup
#  request to the nameserver.   Enabling hostname_lookups will also
#  mean that your server may stop randomly for 30 seconds from time
#  to time, if the DNS requests take too long.
#
#  Turning hostname lookups off also means that the server won't block
#  for 30 seconds, if it sees an IP address which has no name associated
#  with it.
#
#  allowed values: {no, yes}
#
hostname_lookups = no

#  Core dumps are a bad thing.  This should only be set to 'yes'
#  if you're debugging a problem with the server.
#
#  allowed values: {no, yes}
#
allow_core_dumps = no

#  Regular expressions
#
#  These items are set at configure time.  If they're set to "yes",
#  then setting them to "no" turns off regular expression support.
#
#  If they're set to "no" at configure time, then setting them to "yes"
#  WILL NOT WORK.  It will give you an error.
#
regular_expressions     = yes
extended_expressions    = yes

#  Log the full User-Name attribute, as it was found in the request.
#
# allowed values: {no, yes}
#
log_stripped_names = no

#  Log authentication requests to the log file.
#
#  allowed values: {no, yes}
#
log_auth = no

#  Log passwords with the authentication requests.
#  log_auth_badpass  - logs password if it's rejected
#  log_auth_goodpass - logs password if it's correct
#
#  allowed values: {no, yes}
#
log_auth_badpass = no
log_auth_goodpass = no

# usercollide:  Turn "username collision" code on and off.  See the
# "doc/duplicate-users" file
#
#  WARNING
#  !!!!!!!  Setting this to "yes" may result in the server behaving
#  !!!!!!!  strangely.  The "username collision" code will ONLY work
#  !!!!!!!  with clear-text passwords.  Even then, it may not do what
#  !!!!!!!  you want, or what you expect.
#  !!!!!!!
#  !!!!!!!  We STRONGLY RECOMMEND that you do not use this feature,
#  !!!!!!!  and that you find another way of achieving the same goal.
#  !!!!!!!
#  !!!!!!!  e.g. module fail-over.  See 'doc/configurable_failover'
#  WARNING
#
usercollide = no

# lower_user / lower_pass:
# Lower case the username/password "before" or "after"
# attempting to authenticate.
#
#  If "before", the server will first modify the request and then try
#  to auth the user.  If "after", the server will first auth using the
#  values provided by the user.  If that fails it will reprocess the
#  request after modifying it as you specify below.
#
#  This is as close as we can get to case insensitivity.  It is the
#  admin's job to ensure that the username on the auth db side is
#  *also* lowercase to make this work
#
# Default is 'no' (don't lowercase values)
# Valid values = "before" / "after" / "no"
#
lower_user = no
lower_pass = no

# nospace_user / nospace_pass:
#
#  Some users like to enter spaces in their username or password
#  incorrectly.  To save yourself the tech support call, you can
#  eliminate those spaces here:
#
# Default is 'no' (don't remove spaces)
# Valid values = "before" / "after" / "no" (explanation above)
#
nospace_user = no
nospace_pass = no
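The "before" / "after" semantics shared by lower_user, lower_pass, nospace_user and nospace_pass are shown below in Python. This is an added example written for this page, not FreeRADIUS code; the backend is a constructed in-memory table whose usernames are already lower case, as the comment says the admin must ensure. Settings valued "before" are applied to the request first; if that authentication fails and any setting is valued "after", the request is modified again and authenticated a second time.

```python
# Added example of the "before" / "after" semantics of lower_user,
# lower_pass, nospace_user and nospace_pass; not FreeRADIUS code.

USERS = {"alice": "s3cret", "bob": "hunter2"}      # constructed auth db


def backend_check(user, password):
    """Stands in for the real authentication backend."""
    return USERS.get(user) == password


def normalize(value, lower, nospace):
    if lower:
        value = value.lower()
    if nospace:
        value = value.replace(" ", "")
    return value


def authenticate(user, password, lower_user="no", lower_pass="no",
                 nospace_user="no", nospace_pass="no"):
    """Return (accepted, attempts), where attempts lists each (user, password)
    pair actually presented to the backend."""
    settings = (lower_user, lower_pass, nospace_user, nospace_pass)

    def apply(phase, u, p):
        # Apply only the settings whose value names this phase.
        return (normalize(u, lower_user == phase, nospace_user == phase),
                normalize(p, lower_pass == phase, nospace_pass == phase))

    attempts = []
    u, p = apply("before", user, password)       # modify first, then auth
    attempts.append((u, p))
    if backend_check(u, p):
        return True, attempts
    if "after" in settings:                       # auth as given, then retry modified
        u2, p2 = apply("after", u, p)
        if (u2, p2) != (u, p):                    # only retry if something changed
            attempts.append((u2, p2))
            return backend_check(u2, p2), attempts
    return False, attempts
```

The attempts list makes the cost visible: an "after" setting means every failing request is authenticated twice against the backend, which matters when the backend is slow (see max_request_time) or counts failures. Lower-casing passwords also shrinks the set of distinct passwords the backend can tell apart, so lower_pass trades some password strength for convenience.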

#  The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad

# SECURITY CONFIGURATION
#
#  There may be multiple methods of attacking the server.  This
#  section holds the configuration items which minimize the impact
#  of those attacks.
#
security {
        #
        #  max_attributes: The maximum number of attributes
        #  permitted in a RADIUS packet.  Packets which have MORE
        #  than this number of attributes in them will be dropped.
        #
        #  If this number is set too low, then no RADIUS packets
        #  will be accepted.
        #
        #  If this number is set too high, then an attacker may be
        #  able to send a small number of packets which will cause
        #  the server to use all available memory on the machine.
        #
        #  Setting this number to 0 means "allow any number of attributes"
        max_attributes = 200

        #
        #  reject_delay: When sending an Access-Reject, it can be
        #  delayed for a few seconds.  This may help slow down a DoS
        #  attack.  It also helps to slow down people trying to brute-force
        #  crack a user's password.
        #
        #  Setting this number to 0 means "send rejects immediately"
        #
        #  If this number is set higher than 'cleanup_delay', then the
        #  rejects will be sent at 'cleanup_delay' time, when the request
        #  is deleted from the internal cache of requests.
        #
        #  Useful ranges: 1 to 5
        reject_delay = 1

        #
        #  status_server: Whether or not the server will respond
        #  to Status-Server requests.
        #
        #  Normally this should be set to "no", because they're useless.
        #  See: http://www.freeradius.org/rfc/rfc2865.html#Keep-Alives
        #
        #  However, certain NAS boxes may require them.
        #
        #  When sent a Status-Server message, the server responds with
        #  an Access-Accept packet, containing a Reply-Message attribute,
        #  which is a string describing how long the server has been
        #  running.
        #
        status_server = no
}
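The max_attributes check only protects memory if it is applied while the packet is being walked, before anything is allocated per attribute. The Python below is an added example for this page, not FreeRADIUS code: it validates the RFC 2865 header (Code, Identifier, Length, Authenticator), walks the Type/Length/Value attribute list, and drops the packet on a bad Length field, a truncated or undersized attribute, or more than max_attributes attributes, with 0 meaning no limit as the comment states. The packets it parses are constructed in the block.

```python
import struct

# Added example (not FreeRADIUS code): parse a RADIUS packet as the
# max_attributes check requires, dropping oversized or malformed packets
# before any per-attribute memory is allocated.

RADIUS_HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator
MAX_ATTRIBUTES = 200                        # security { max_attributes = 200 }


class DropPacket(Exception):
    """Raised for packets the server should silently discard."""


def parse_radius(packet, max_attributes=MAX_ATTRIBUTES):
    """Validate the RFC 2865 header and walk the attribute list.
    Raises DropPacket on a malformed packet or when more than
    max_attributes attributes are present (0 means no limit)."""
    if len(packet) < RADIUS_HEADER.size:
        raise DropPacket("shorter than a RADIUS header")
    code, ident, length, authenticator = RADIUS_HEADER.unpack_from(packet)
    if length < 20 or length > 4096 or length > len(packet):
        raise DropPacket("bad Length field %d" % length)
    attrs = []
    pos = RADIUS_HEADER.size
    while pos < length:
        if length - pos < 2:
            raise DropPacket("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise DropPacket("bad attribute length %d for type %d" % (alen, atype))
        if max_attributes and len(attrs) >= max_attributes:
            raise DropPacket("more than %d attributes" % max_attributes)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "authenticator": authenticator,
            "attributes": attrs}


def classify(packet, max_attributes=MAX_ATTRIBUTES):
    """Return ('accept', attribute count) or ('drop', reason)."""
    try:
        return "accept", len(parse_radius(packet, max_attributes)["attributes"])
    except DropPacket as exc:
        return "drop", str(exc)


def build_packet(code, ident, avps, authenticator=b"\x00" * 16):
    """Constructed test helper: assemble a packet from (type, value) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    return RADIUS_HEADER.pack(code, ident, RADIUS_HEADER.size + len(body),
                              authenticator) + body


# Constructed samples: a normal Access-Request (User-Name, NAS-IP-Address)
# and a 623-byte packet carrying 201 minimal Vendor-Specific attributes.
NORMAL = build_packet(1, 42, [(1, b"bob"), (4, bytes([10, 0, 0, 5]))])
FLOOD = build_packet(1, 43, [(26, b"x")] * (MAX_ATTRIBUTES + 1))
```

The flood sample is the case the comment describes: a single small packet that, with max_attributes = 0, yields 201 parsed attributes and whatever per-attribute state the server keeps for each, but with the default of 200 is dropped at the 201st attribute without being stored.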

# PROXY CONFIGURATION
#
#  proxy_requests: Turns proxying of RADIUS requests on or off.
#
#  The server has proxying turned on by default.  If your system is NOT
#  set up to proxy requests to another server, then you can turn proxying
#  off here.  This will save a small amount of resources on the server.
#
#  If you have proxying turned off, and your configuration files say
#  to proxy a request, then an error message will be logged.
#
#  To disable proxying, change the "yes" to "no", and comment the
#  $INCLUDE line.
#
#  allowed values: {no, yes}
#
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf


# CLIENTS CONFIGURATION
#
#  Client configuration is defined in "clients.conf".
#

#  The 'clients.conf' file contains all of the information from the old
#  'clients' and 'naslist' configuration files.  We recommend that you
#  do NOT use 'clients' or 'naslist', although they are still
#  supported.
#
#  Anything listed in 'clients.conf' will take precedence over the
#  information from the old-style configuration files.
#
$INCLUDE  ${confdir}/clients.conf


# SNMP CONFIGURATION
#
#  Snmp configuration is only valid if SNMP support was enabled
#  at compile time.
#
#  To enable SNMP querying of the server, set the value of the
#  'snmp' attribute to 'yes'
#
snmp    = no
$INCLUDE  ${confdir}/snmp.conf


# THREAD POOL CONFIGURATION
#
#  The thread pool is a long-lived group of threads which
#  take turns (round-robin) handling any incoming requests.
#
#  You probably want to have a few spare threads around,
#  so that high-load situations can be handled immediately.  If you
#  don't have any spare threads, then the request handling will
#  be delayed while a new thread is created, and added to the pool.
#
#  You probably don't want too many spare threads around,
#  otherwise they'll be sitting there taking up resources, and
#  not doing anything productive.
#
#  The numbers given below should be adequate for most situations.
#
thread pool {
        #  Number of servers to start initially --- should be a reasonable
        #  ballpark figure.
        start_servers = 5

        #  Limit on the total number of servers running.
        #
        #  If this limit is ever reached, clients will be LOCKED OUT, so it
        #  should NOT BE SET TOO LOW.  It is intended mainly as a brake to
        #  keep a runaway server from taking the system with it as it spirals
        #  down...
        #
        #  You may find that the server is regularly reaching the
        #  'max_servers' number of threads, and that increasing
        #  'max_servers' doesn't seem to make much difference.
        #
        #  If this is the case, then the problem is MOST LIKELY that
        #  your back-end databases are taking too long to respond, and
        #  are preventing the server from responding in a timely manner.
        #
        #  The solution is NOT to keep increasing the 'max_servers'
        #  value, but instead to fix the underlying cause of the
        #  problem: slow database, or 'hostname_lookups=yes'.
        #
        #  For more information, see 'max_request_time', above.
        #
        max_servers = 32

        #  Server-pool size regulation.  Rather than making you guess
        #  how many servers you need, FreeRADIUS dynamically adapts to
        #  the load it sees, that is, it tries to maintain enough
        #  servers to handle the current load, plus a few spare
        #  servers to handle transient load spikes.
        #
        #  It does this by periodically checking how many servers are
        #  waiting for a request.  If there are fewer than
        #  min_spare_servers, it creates a new spare.  If there are
        #  more than max_spare_servers, some of the spares die off.
        #  The default values are probably OK for most sites.
        #
        min_spare_servers = 3
        max_spare_servers = 10

        #  There may be memory leaks or resource allocation problems with
        #  the server.  If so, set this value to 300 or so, so that the
        #  resources will be cleaned up periodically.
        #
        #  This should only be necessary if there are serious bugs in the
        #  server which have not yet been fixed.
        #
        #  '0' is a special value meaning 'infinity', or 'the servers never
        #  exit'
        max_requests_per_server = 0
}
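The pool-size regulation described in the thread pool section (grow when fewer than min_spare_servers threads are idle, shrink when more than max_spare_servers are, never exceed max_servers) is modelled below in Python. This is an added example written for this page, not FreeRADIUS code; it uses the page's default values and a constructed sequence of load levels, and counts separately the requests that had to wait for a thread to be created and those that arrived when max_servers was already reached (the "LOCKED OUT" case). How the server actually samples load between ticks is not on the page; the tick model is this example's assumption.

```python
from dataclasses import dataclass

# Added example (not FreeRADIUS code) of thread pool size regulation,
# using the defaults from the thread pool {} section.  Load is modelled
# as the number of requests in flight at each regulation tick.


@dataclass
class PoolConfig:
    start_servers: int = 5
    max_servers: int = 32
    min_spare_servers: int = 3
    max_spare_servers: int = 10


def regulate(total, busy, cfg):
    """Threads to add (positive) or retire (negative) so the idle count stays
    within [min_spare_servers, max_spare_servers] without exceeding max_servers."""
    spare = total - busy
    if spare < cfg.min_spare_servers:
        return min(cfg.min_spare_servers - spare, cfg.max_servers - total)
    if spare > cfg.max_spare_servers:
        return -(spare - cfg.max_spare_servers)
    return 0


def tick(total, load, cfg):
    """One regulation period.  Requests beyond the idle threads are served by
    threads created on demand (delayed); requests beyond max_servers cannot
    be served at all.  Returns (new total, created on demand, locked out)."""
    wanted = min(load, cfg.max_servers)
    on_demand = max(0, wanted - total)
    locked_out = max(0, load - cfg.max_servers)
    total = max(total, wanted)
    busy = min(load, total)
    return total + regulate(total, busy, cfg), on_demand, locked_out


def simulate(offered_load, cfg=PoolConfig()):
    """Run the ticks; returns (pool size after each tick, delayed, locked out)."""
    total, delayed, locked = cfg.start_servers, 0, 0
    sizes = []
    for load in offered_load:
        total, d, l = tick(total, load, cfg)
        delayed += d
        locked += l
        sizes.append(total)
    return sizes, delayed, locked


# Constructed load profile: quiet, a ramp, a spike above max_servers, quiet again.
LOAD_PROFILE = [2, 8, 20, 40, 5, 1]
```

Running `simulate(LOAD_PROFILE)` grows the pool 5, 11, 23, 32 during the ramp, locks out 8 requests at the spike that exceeds max_servers, and then retires spares in steps of at most (spare - max_spare_servers) back to 15 and 11. The same model shows the comment's diagnosis: if a slow backend keeps `busy` high, the pool sits at max_servers regardless of how large that limit is made.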
  530.  
  531. # MODULE CONFIGURATION
  532. #
  533. #  The names and configuration of each module is located in this section.
  534. #
  535. #  After the modules are defined here, they may be referred to by name,
  536. #  in other sections of this configuration file.
  537. #
  538. modules {
  539.         #
  540.         #  Each module has a configuration as follows:
  541.         #
  542.         #       name [ instance ] {
  543.         #              config_item = value
  544.         #              ...
  545.         #       }
  546.         #
  547.         #  The 'name' is used to load the 'rlm_name' library
  548.         #  which implements the functionality of the module.
  549.         #
  550.         #  The 'instance' is optional.  To have two different instances
  551.         #  of a module, it first must be referred to by 'name'.
  552.         #  The different copies of the module are then created by
  553.         #  inventing two 'instance' names, e.g. 'instance1' and 'instance2'
  554.         #
  555.         #  The instance names can then be used in later configuration
  556.         #  INSTEAD of the original 'name'.  See the 'radutmp' configuration
  557.         #  below for an example.
  558.         #
  559.  
  560.         # PAP module to authenticate users based on their stored password
  561.         #
  562.         #  Supports multiple encryption schemes
  563.         #  clear: Clear text
  564.         #  crypt: Unix crypt
  565.         #    md5: MD5 ecnryption
  566.         #   sha1: SHA1 encryption.
  567.         #  DEFAULT: crypt
  568.         pap {
  569.                 encryption_scheme = crypt
  570.         }
  571.  
  572.         # CHAP module
  573.         #
  574.         #  To authenticate requests containing a CHAP-Password attribute.
  575.         #
  576.         chap {
  577.                 authtype = CHAP
  578.         }
  579.  
  580.         # Pluggable Authentication Modules
  581.         #
  582.         #  For Linux, see:
  583.         #       http://www.kernel.org/pub/linux/libs/pam/index.html
  584.         #
  585.         #  WARNING: On many systems, the system PAM libraries have
  586.         #           memory leaks!  We STRONGLY SUGGEST that you do not
  587.         #           use PAM for authentication, due to those memory leaks.
  588.         #
  589.         pam {
  590.                 #
  591.                 #  The name to use for PAM authentication.
  592.                 #  PAM looks in /etc/pam.d/${pam_auth_name}
  593.                 #  for it's configuration.  See 'redhat/radiusd-pam'
  594.                 #  for a sample PAM configuration file.
  595.                 #
  596.                 #  Note that any Pam-Auth attribute set in the 'authorize'
  597.                 #  section will over-ride this one.
  598.                 #
  599.                 pam_auth = radiusd
  600.         }
  601.  
  602.         # Unix /etc/passwd style authentication
  603.         #
  604.         unix {
  605.                 #
  606.                 #  Cache /etc/passwd, /etc/shadow, and /etc/group
  607.                 #
  608.                 #  The default is to NOT cache them.
  609.                 #
  610.                 #  For FreeBSD and NetBSD, you do NOT want to enable
  611.                 #  the cache, as it's password lookups are done via a
  612.                 #  database, so set this value to 'no'.
  613.                 #
  614.                 #  Some systems (e.g. RedHat Linux with pam_pwbd) can
  615.                 #  take *seconds* to check a password, when th passwd
  616.                 #  file containing 1000's of entries.  For those systems,
  617.                 #  you should set the cache value to 'yes', and set
  618.                 #  the locations of the 'passwd', 'shadow', and 'group'
  619.                 #  files, below.
  620.                 #
  621.                 # allowed values: {no, yes}
  622.                 cache = no
  623.  
  624.                 # Reload the cache every 600 seconds (10mins). 0 to disable.
  625.                 cache_reload = 600
  626.  
  627.                 #
  628.                 #  Define the locations of the normal passwd, shadow, and
  629.                 #  group files.
  630.                 #
  631.                 #  'shadow' is commented out by default, because not all
  632.                 #  systems have shadow passwords.
  633.                 #
  634.                 #  To force the module to use the system password functions,
  635.                 #  instead of reading the files, leave the following entries
  636.                 #  commented out.
  637.                 #
  638.                 #  This is required for some systems, like FreeBSD,
  639.                 #  and Mac OSX.
  640.                 #
  641.                 #       passwd = /etc/passwd
  642.                 shadow = /etc/shadow
  643.                 #       group = /etc/group
  644.  
  645.                 #
  646.                 #  The location of the "wtmp" file.
  647.                 #  This should be moved to it's own module soon.
  648.                 #
  649.                 #  The only use for 'radlast'.  If you don't use
  650.                 #  'radlast', then you can comment out this item.
  651.                 #
  652.                 radwtmp = ${logdir}/radwtmp
  653.         }
  654.  
  655.         #  Extensible Authentication Protocol
  656.         #
  657.         #  For all EAP related authentications.
  658.         #  Now in another file, because it is very large.
  659.         #
  660. $INCLUDE ${confdir}/eap.conf
  661.  
  662.         # Microsoft CHAP authentication
  663.         #
  664.         #  This module supports MS-CHAP and MS-CHAPv2 authentication.
  665.         #  It also enforces the SMB-Account-Ctrl attribute.
  666.         #
  667.         mschap {
  668.                 #
  669.                 #  As of 0.9, the mschap module does NOT support
  670.                 #  reading from /etc/smbpasswd.
  671.                 #
  672.                 #  If you are using /etc/smbpasswd, see the 'passwd'
  673.                 #  module for an example of how to use /etc/smbpasswd
  674.  
  675.                 # if use_mppe is not set to no mschap will
  676.                 # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
  677.                 # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
  678.                 #
  679.                 #use_mppe = no
  680.  
  681.                 # if mppe is enabled require_encryption makes
  682.                 # encryption moderate
  683.                 #
  684.                 #require_encryption = yes
  685.  
  686.                 # require_strong always requires 128 bit key
  687.                 # encryption
  688.                 #
  689.                 #require_strong = yes
  690.  
  691.                 # Windows sends us a username in the form of
  692.                 # DOMAIN\user, but sends the challenge response
  693.                 # based on only the user portion.  This hack
  694.                 # corrects for that incorrect behavior.
  695.                 #
  696.                 # !!
  697.                 authtype = MS-CHAP
  698.                 with_ntdomain_hack = yes
  699.  
  700.                 # The module can perform authentication itself, OR
  701.                 # use a Windows Domain Controller.  This configuration
  702.                 # directive tells the module to call the ntlm_auth
  703.                 # program, which will do the authentication, and return
  704.                 # the NT-Key.  Note that you MUST have "winbindd" and
  705.                 # "nmbd" running on the local machine for ntlm_auth
  706.                 # to work.  See the ntlm_auth program documentation
  707.                 # for details.
  708.                 #
  709.                 # Be VERY careful when editing the following line!
  710.                 #
  711.                 ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
  712.         }
  713.  
  714.         # Lightweight Directory Access Protocol (LDAP)
  715.         #
  716.         #  This module definition allows you to use LDAP for
  717.         #  authorization and authentication.
  718.         #
  719.         #  See doc/rlm_ldap for description of configuration options
  720.         #  and sample authorize{} and authenticate{} blocks
  721.         #
  722.         #  However, LDAP can be used for authentication ONLY when the
  723.         #  Access-Request packet contains a clear-text User-Password
  724.         #  attribute.  LDAP authentication will NOT work for any other
  725.         #  authentication method.
  726.         #
  727.         #  This means that LDAP servers don't understand EAP.  If you
  728.         #  force "Auth-Type = LDAP", and then send the server a
  729.         #  request containing EAP authentication, then authentication
  730.         #  WILL NOT WORK.
  731.         #
  732.         #  The solution is to use the default configuration, which does
  733.         #  work.
  734.         #
  735.         #  Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG.  We
  736.         #  really can't emphasize this enough.
  737.         #       
  738.         ldap {
  739.                 server = "ldap.your.domain"
  740.                 # identity = "cn=admin,o=My Org,c=UA"
  741.                 # password = mypass
  742.                 basedn = "o=My Org,c=UA"
  743.                 filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
  744.                 # base_filter = "(objectclass=radiusprofile)"
  745.  
  746.                 # set this to 'yes' to use TLS encrypted connections
  747.                 # to the LDAP database by using the StartTLS extended
  748.                 # operation.
  749.                 # The StartTLS operation is supposed to be used with normal
  750.                 # ldap connections instead of using ldaps (port 689) connections
  751.                 start_tls = no
  752.  
  753.                 # tls_cacertfile        = /path/to/cacert.pem
  754.                 # tls_cacertdir  = /path/to/ca/dir/
  755.                 # tls_certfile    = /path/to/radius.crt
  756.                 # tls_keyfile      = /path/to/radius.key
  757.                 # tls_randfile    = /path/to/rnd
  758.                 # tls_require_cert      = "demand"
  759.  
  760.                 # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
  761.                 # profile_attribute = "radiusProfileDn"
  762.                 access_attr = "dialupAccess"
  763.  
  764.                 # Mapping of RADIUS dictionary attributes to LDAP
  765.                 # directory attributes.
  766.                 dictionary_mapping = ${raddbdir}/ldap.attrmap
  767.  
  768.                 ldap_connections_number = 5
  769.  
  770.                 #
  771.                 # NOTICE: The password_header directive is case sensitive
  772.                 #
  773.                 # password_header = "{clear}"
  774.                 #
  775.                 # Set:
  776.                 #       password_attribute = nspmPassword
  777.                 #
  778.                 # to get the user's password from a Novell eDirectory
  779.                 # backend. This will work *only if* FreeRADIUS is
  780.                 # configured to build with --with-edir option.
  781.                 #
  782.                 #
  783.                 #  The server can usually figure this out on its own, and pull
  784.                 #  the correct User-Password or NT-Password from the database.
  785.                 #
  786.                 #  Note that NT-Passwords MUST be stored as a 32-digit hex
  787.                 #  string, and MUST start off with "0x", such as:
  788.                 #
  789.                 #       0x000102030405060708090a0b0c0d0e0f
  790.                 #
  791.                 #  Without the leading "0x", NT-Passwords will not work.
  792.                 #  This goes for NT-Passwords stored in SQL, too.
  793.                 #
  794.                 # password_attribute = userPassword
  795.                 #
  796.                 # Un-comment the following to disable Novell eDirectory account
  797.                 # policy check and intruder detection. This will work *only if*
  798.                 # FreeRADIUS is configured to build with --with-edir option.
  799.                 #
  800.                 # edir_account_policy_check=no
  801.                 #
  802.                 # groupname_attribute = cn
  803.                 # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
  804.                 # groupmembership_attribute = radiusGroupName
  805.                 timeout = 4
  806.                 timelimit = 3
  807.                 net_timeout = 1
  808.                 # compare_check_items = yes
  809.                 # do_xlat = yes
  810.                 # access_attr_used_for_allow = yes
  811.  
  812.                 #
  813.                 #  By default, if the packet contains a User-Password,
  814.                 #  and no other module is configured to handle the
  815.                 #  authentication, the LDAP module sets itself to do
  816.                 #  LDAP bind for authentication.
  817.                 #
  818.                 #  You can disable this behavior by setting the following
  819.                 #  configuration entry to "no".
  820.                 #
  821.                 #  allowed values: {no, yes}
  822.                 # set_auth_type = yes
  823.         }
  824.  
  825.         # The passwd module allows authorization via any passwd-like
  826.         # file and extracts attributes from those files.
  827.         #
  828.         # parameters are:
  829.         #   filename - path to the passwd-like file
  830.         #   format - format of a record in the file. This parameter
  831.         #            correlates the fields of a record in the passwd file
  832.         #            with RADIUS attributes.
  833.         #
  834.         #            The field marked '*' is the key field. That is, the attribute
  835.         #            with this name from the request is used to search for
  836.         #            the record in the passwd file.
  837.         #            An attribute marked '=' is added to the reply items instead
  838.         #            of the default config items.
  839.         #            An attribute marked '~' is added to the request items.
  840.         #
  841.         #            A field marked ',' may contain a comma separated list
  842.         #            of values for that attribute.
  843.         #   authtype - if a record is found, this Auth-Type is used to
  844.         #            authenticate the user
  845.         #   hashsize - hash table size. If 0 or not specified, records are not
  846.         #            stored in memory and the file is read on every request.
  847.         #   allowmultiplekeys - whether several records for the same key are allowed
  848.         #   ignorenislike - ignore NIS-related records
  849.         #   delimiter - character to use as the field separator in the passwd
  850.         #            file; in the format string ':' is always used. '\0' and '\n'
  851.         #            are not allowed
  852.         #
  852.         #
  853.  
  854.         #  An example configuration for using /etc/smbpasswd.
  855.         #
  856.         #passwd etc_smbpasswd {
  857.         #       filename = /etc/smbpasswd
  858.         #       format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
  859.         #       authtype = MS-CHAP
  860.         #       hashsize = 100
  861.         #       ignorenislike = no
  862.         #       allowmultiplekeys = no
  863.         #}
  864.  
  865.         #  Similar configuration, for the /etc/group file. Adds a Group-Name
  866.         #  attribute for every group that the user is member of.
  867.         #
  868.         #passwd etc_group {
  869.         #       filename = /etc/group
  870.         #       format = "=Group-Name:::*,User-Name"
  871.         #       hashsize = 50
  872.         #       ignorenislike = yes
  873.         #       allowmultiplekeys = yes
  874.         #       delimiter = ":"
  875.         #}
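The format string and record lookup described above, as an added example in Python (not rlm_passwd code). It models the two commented configurations on constructed sample lines; the flag handling, the skipping of empty names and values, and the treatment of '+'/'-' lines as NIS entries are assumptions made here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example, not rlm_passwd code: a model of the 'format' string and the
# record lookup described above.  Assumptions (not in the comments above):
# '*', '=', '~' and ',' are flag characters prefixed to a field name, empty
# field names and empty values are skipped, the key field itself is not copied
# into the items, and ignorenislike skips NIS compat lines beginning with '+'
# or '-'.

FLAG_CHARS = "*=~,"


@dataclass
class FormatField:
    name: str
    is_key: bool        # '*'  matched against the request attribute of this name
    to_reply: bool      # '='  value goes to the reply items
    to_request: bool    # '~'  value goes to the request items
    is_list: bool       # ','  the field holds a comma separated list


def parse_format(fmt: str) -> List[FormatField]:
    """Split the format on ':' and peel the flag characters off each field name."""
    fields = []
    for spec in fmt.split(":"):
        flags = ""
        while spec and spec[0] in FLAG_CHARS:
            flags, spec = flags + spec[0], spec[1:]
        fields.append(FormatField(spec, "*" in flags, "=" in flags,
                                  "~" in flags, "," in flags))
    if sum(f.is_key for f in fields) != 1:
        raise ValueError("format needs exactly one '*' key field")
    return fields


def passwd_lookup(lines: List[str], fmt: str, key_value: str, *,
                  delimiter: str = ":", authtype: Optional[str] = None,
                  allowmultiplekeys: bool = False,
                  ignorenislike: bool = False) -> List[Dict[str, Dict[str, str]]]:
    """Return matching records as {'config': {...}, 'reply': {...}, 'request': {...}}."""
    if delimiter in ("", "\0", "\n"):
        raise ValueError("delimiter must be one character other than NUL or newline")
    fields = parse_format(fmt)
    key_idx = next(i for i, f in enumerate(fields) if f.is_key)
    results: List[Dict[str, Dict[str, str]]] = []
    for line in lines:
        line = line.rstrip("\n")
        if not line or (ignorenislike and line[0] in "+-"):
            continue
        values = line.split(delimiter)
        values += [""] * (len(fields) - len(values))     # pad short records
        raw_key = values[key_idx]
        candidates = raw_key.split(",") if fields[key_idx].is_list else [raw_key]
        if key_value not in candidates:
            continue
        item: Dict[str, Dict[str, str]] = {"config": {}, "reply": {}, "request": {}}
        for f, v in zip(fields, values):
            if not f.name or f.is_key or v == "":
                continue
            bucket = "reply" if f.to_reply else "request" if f.to_request else "config"
            item[bucket][f.name] = v
        if authtype:
            item["config"]["Auth-Type"] = authtype        # the 'authtype' parameter
        results.append(item)
        if not allowmultiplekeys:
            break
    return results


# Constructed sample files for the two configurations above (no real accounts;
# the hashes are made-up hex strings of the right length).
SMB_FORMAT = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
SMBPASSWD_LINES = [
    "bob:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:[U          ]:LCT-00000000:",
    "alice:1002:00112233445566778899aabbccddeeff:ffeeddccbbaa99887766554433221100:[UD         ]:LCT-00000000:",
]
GROUP_FORMAT = "=Group-Name:::*,User-Name"
GROUP_LINES = [
    "dialup:x:1005:bob,alice",
    "staff:x:1006:alice",
    "+:::",                          # NIS compat entry, dropped by ignorenislike
    "vpn:x:1007:bob",
]
```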
  876.  
  877.         # Realm module, for proxying.
  878.         #
  879.         #  You can have multiple instances of the realm module to
  880.         #  support multiple realm syntaxes at the same time.  The
  881.         #  search order is defined by the order in the authorize and
  882.         #  preacct sections.
  883.         #
  884.         #  Four config options:
  885.         #       format         -  must be 'prefix' or 'suffix'
  886.         #       delimiter      -  must be a single character
  887.         #       ignore_default -  set to 'yes' or 'no'
  888.         #       ignore_null    -  set to 'yes' or 'no'
  889.         #
  890.         #  ignore_default and ignore_null can be set to 'yes' to prevent
  891.         #  the module from matching against DEFAULT or NULL realms.  This
  892.         #  may be useful if you have multiple instances of the
  893.         #  realm module.
  894.         #
  895.         #  They both default to 'no'.
  896.         #
  897.  
  898.         #  'realm/username'
  899.         #
  900.         #  Using this entry, IPASS users have their realm set to "IPASS".
  901.         realm IPASS {
  902.                 format = prefix
  903.                 delimiter = "/"
  904.                 ignore_default = no
  905.                 ignore_null = no
  906.         }
  907.  
  908.         #  'username@realm'
  909.         #
  910.         realm suffix {
  911.                 format = suffix
  912.                 delimiter = "@"
  913.                 ignore_default = no
  914.                 ignore_null = no
  915.         }
  916.  
  917.         #  'username%realm'
  918.         #
  919.         realm realmpercent {
  920.                 format = suffix
  921.                 delimiter = "%"
  922.                 ignore_default = no
  923.                 ignore_null = no
  924.         }
  925.  
  926.         #
  927.         #  'domain\user'
  928.         #
  929.         realm ntdomain {
  930.                 format = prefix
  931.                 delimiter = "\\"
  932.                 ignore_default = no
  933.                 ignore_null = no
  934.         }       
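The four realm instances above, tried in their listed order, as an added example in Python (not rlm_realm code). Splitting at the first delimiter for 'prefix' and the last for 'suffix', and stopping after the first instance that sets Realm, are assumptions made here.

```python
from typing import Dict, List, Optional, Tuple

# Added example, not rlm_realm code: a model of how the four realm instances
# above split a User-Name when tried in the order they appear in authorize{}.
# Assumptions (not stated in the comments above): 'prefix' splits at the first
# delimiter, 'suffix' at the last one, and once an instance has set Realm the
# later instances do nothing.  ignore_default/ignore_null only affect which
# DEFAULT/NULL entries of proxy.conf are consulted and are not modelled.

# (instance name, format, delimiter), in the order listed above
REALM_INSTANCES: List[Tuple[str, str, str]] = [
    ("IPASS",        "prefix", "/"),    # 'realm/username'
    ("suffix",       "suffix", "@"),    # 'username@realm'
    ("realmpercent", "suffix", "%"),    # 'username%realm'
    ("ntdomain",     "prefix", "\\"),   # 'domain\user'
]


def split_realm(user_name: str, fmt: str, delimiter: str) -> Optional[Tuple[str, str]]:
    """Apply one realm instance; return (Stripped-User-Name, Realm) or None."""
    if fmt not in ("prefix", "suffix"):
        raise ValueError("format must be 'prefix' or 'suffix'")
    if len(delimiter) != 1:
        raise ValueError("delimiter must be a single character")
    if fmt == "prefix":
        idx = user_name.find(delimiter)        # first delimiter: realm/username
        return None if idx < 0 else (user_name[idx + 1:], user_name[:idx])
    idx = user_name.rfind(delimiter)           # last delimiter: username@realm
    return None if idx < 0 else (user_name[:idx], user_name[idx + 1:])


def authorize_realms(user_name: str,
                     instances: List[Tuple[str, str, str]] = REALM_INSTANCES) -> Dict[str, str]:
    """Run the instances in order; the first one whose delimiter is present wins."""
    request = {"User-Name": user_name}
    for name, fmt, delim in instances:
        if "Realm" in request:
            break                              # an earlier instance already decided
        hit = split_realm(user_name, fmt, delim)
        if hit is None:
            continue                           # no delimiter: this instance sees the NULL realm
        request["Stripped-User-Name"], request["Realm"] = hit
        request["Realm-Instance"] = name       # bookkeeping for this demo only
    return request
```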
  935.  
  936.         #  A simple value checking module
  937.         #
  938.         #  It can be used to check if an attribute value in the request
  939.         #  matches a (possibly multi valued) attribute in the check
  940.         #  items.  This can be used, for example, for caller-id
  941.         #  authentication.  For the module to run, both the request
  942.         #  attribute and the check items attribute must exist.
  943.         #
  944.         #  e.g.
  945.         #  A user has an ldap entry with 2 radiusCallingStationId
  946.         #  attributes with values "12345678" and "12345679".  If we
  947.         #  enable rlm_checkval, then any request which contains a
  948.         #  Calling-Station-Id with one of those two values will be
  949.         #  accepted.  Requests with other values for
  950.         #  Calling-Station-Id will be rejected.
  951.         #
  952.         #  Regular expressions in the check attribute value are allowed
  953.         #  as long as the operator is '=~'
  954.         #
  955.         checkval {
  956.                 # The attribute to look for in the request
  957.                 item-name = Calling-Station-Id
  958.  
  959.                 # The attribute to look for in check items. Can be multi valued
  960.                 check-name = Calling-Station-Id
  961.  
  962.                 # The data type. Can be
  963.                 # string,integer,ipaddr,date,abinary,octets
  964.                 data-type = string
  965.  
  966.                 # If set to yes and we don't find the item-name attribute in the
  967.                 # request then we send back a reject
  968.                 # DEFAULT is no
  969.                 #notfound-reject = no
  970.         }
  971.        
  972.         #  Rewrite arbitrary packets.  Useful in accounting and authorization.
  973.         #
  974.         #
  975.         #  The module can also use the Rewrite-Rule attribute. If it
  976.         #  is set and matches the name of the module instance, then
  977.         #  that module instance will be the only one which runs.
  978.         #
  979.         #  Also if new_attribute is set to yes then a new attribute
  980.         #  will be created containing the value replacewith and it
  981.         #  will be added to searchin (packet, reply, proxy, proxy_reply or config).
  982.         # searchfor,ignore_case and max_matches will be ignored in that case.
  983.         #
  984.         # Backreferences are supported: %{0} will contain the whole matched string
  985.         # and %{1} to %{8} will contain the contents of the 1st to the 8th parentheses
  986.         #
  987.         # If max_matches is greater than one the backreferences will correspond to the
  988.         # first match
  989.  
  990.         #
  991.         #attr_rewrite sanecallerid {
  992.         #       attribute = Called-Station-Id
  993.                 # may be "packet", "reply", "proxy", "proxy_reply" or "config"
  994.         #       searchin = packet
  995.         #       searchfor = "[+ ]"
  996.         #       replacewith = ""
  997.         #       ignore_case = no
  998.         #       new_attribute = no
  999.         #       max_matches = 10
  1000.         #       ## If set to yes then the replace string will be appended to the original string
  1001.         #       append = no
  1002.         #}
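The search/replace semantics described above (backreferences, max_matches, append, new_attribute), as an added example in Python (not rlm_attr_rewrite code), run on a dict standing in for the 'searchin' list. That matches are replaced left to right, that backreferences always come from the first match, and that append keeps the matched text with the replacement inserted after it are assumptions made here.

```python
import re
from typing import Dict, Optional

# Added example, not rlm_attr_rewrite code: a model of the search/replace
# semantics described above.  Assumptions (not in the comments above): up to
# max_matches matches are replaced left to right, %{0}..%{8} always expand from
# the first match, and with append the matched text is kept and the
# replacement inserted right after it.

_BACKREF = re.compile(r"%\{([0-8])\}")


def expand_backrefs(template: str, first_match: "re.Match[str]") -> str:
    """Expand %{0} (whole match) and %{1}..%{8} (parenthesised groups)."""
    def sub(m: "re.Match[str]") -> str:
        n = int(m.group(1))
        if n > first_match.re.groups:
            return ""                          # no such group: empty string
        return first_match.group(n) or ""      # unmatched optional group: empty string
    return _BACKREF.sub(sub, template)


def rewrite_value(value: str, searchfor: str, replacewith: str, *,
                  ignore_case: bool = False, max_matches: int = 1,
                  append: bool = False) -> str:
    """Rewrite one attribute value the way the sanecallerid instance above would."""
    pattern = re.compile(searchfor, re.IGNORECASE if ignore_case else 0)
    out, rest = "", value
    first: Optional["re.Match[str]"] = None
    for _ in range(max(1, max_matches)):
        m = pattern.search(rest)
        if m is None:
            break
        if first is None:
            first = m                          # backreferences come from the first match
        repl = expand_backrefs(replacewith, first)
        keep = rest[:m.end()] if append else rest[:m.start()]
        out += keep + repl
        rest = rest[m.end():]
        if m.end() == 0:                       # empty match: step past one char to avoid looping
            if not rest:
                break
            out, rest = out + rest[0], rest[1:]
    return out + rest


def apply_attr_rewrite(packet: Dict[str, str], *, attribute: str, searchfor: str = "",
                       replacewith: str = "", ignore_case: bool = False,
                       new_attribute: bool = False, max_matches: int = 1,
                       append: bool = False) -> Dict[str, str]:
    """Apply one attr_rewrite instance to a dict standing in for the 'searchin' list."""
    result = dict(packet)
    if new_attribute:
        # searchfor, ignore_case and max_matches are ignored in this mode
        result[attribute] = replacewith
        return result
    if attribute in result:
        result[attribute] = rewrite_value(result[attribute], searchfor, replacewith,
                                          ignore_case=ignore_case,
                                          max_matches=max_matches, append=append)
    return result
```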
  1003.  
  1004.         # Preprocess the incoming RADIUS request, before handing it off
  1005.         # to other modules.
  1006.         #
  1007.         #  This module processes the 'huntgroups' and 'hints' files.
  1008.         #  In addition, it re-writes some weird attributes created
  1009.         #  by some NASes, and converts the attributes into a form which
  1010.         #  is a little more standard.
  1011.         #
  1012.         preprocess {
  1013.                 huntgroups = ${confdir}/huntgroups
  1014.                 hints = ${confdir}/hints
  1015.  
  1016.                 # This hack changes Ascend's weird port numberings
  1017.                 # to standard 0-??? port numbers so that the "+" works
  1018.                 # for IP address assignments.
  1019.                 with_ascend_hack = no
  1020.                 ascend_channels_per_line = 23
  1021.  
  1022.                 # Windows NT machines often authenticate themselves as
  1023.                 # NT_DOMAIN\username
  1024.                 #
  1025.                 # If this is set to 'yes', then the NT_DOMAIN portion
  1026.                 # of the user-name is silently discarded.
  1027.                 #
  1028.                 # This configuration entry SHOULD NOT be used.
  1029.                 # See the "realms" module for a better way to handle
  1030.                 # NT domains.
  1031.                 with_ntdomain_hack = no
  1032.  
  1033.                 # Specialix Jetstream 8500 24 port access server.
  1034.                 #
  1035.                 # If the user name is 10 characters or longer, a "/"
  1036.                 # and the excess characters after the 10th are
  1037.                 # appended to the user name.
  1038.                 #
  1039.                 # If you're not running that NAS, you don't need
  1040.                 # this hack.
  1041.                 with_specialix_jetstream_hack = no
  1042.  
  1043.                 # Cisco (and Quintum in Cisco mode) sends its VSA attributes
  1044.                 # with the attribute name *again* in the string, like:
  1045.                 #
  1046.                 #   H323-Attribute = "h323-attribute=value".
  1047.                 #
  1048.                 # If this configuration item is set to 'yes', then
  1049.                 # the redundant data in the attribute text is stripped
  1050.                 # out.  The result is:
  1051.                 #
  1052.                 #  H323-Attribute = "value"
  1053.                 #
  1054.                 # If you're not running a Cisco or Quintum NAS, you don't
  1055.                 # need this hack.
  1056.                 with_cisco_vsa_hack = no
  1057.         }
  1058.  
  1059.         # Livingston-style 'users' file
  1060.         #
  1061.         files {
  1062.                 usersfile = ${confdir}/users
  1063.                 acctusersfile = ${confdir}/acct_users
  1064.                 preproxy_usersfile = ${confdir}/preproxy_users
  1065.  
  1066.                 #  If you want to use the old Cistron 'users' file
  1067.                 #  with FreeRADIUS, you should change the next line
  1068.                 #  to 'compat = cistron'.  You can then copy your 'users'
  1069.                 #  file from Cistron.
  1070.                 compat = no
  1071.         }
  1072.  
  1073.         # Write a detailed log of all accounting records received.
  1074.         #
  1075.         detail {
  1076.                 #  Note that we do NOT use NAS-IP-Address here, as
  1077.                 #  that attribute MAY BE from the originating NAS, and
  1078.                 #  NOT from the proxy which actually sent us the
  1079.                 #  request.  The Client-IP-Address attribute is ALWAYS
  1080.                 #  the address of the client which sent us the
  1081.                 #  request.
  1082.                 #
  1083.                 #  The following line creates a new detail file for
  1084.                 #  every radius client (by IP address or hostname).
  1085.                 #  In addition, a new detail file is created every
  1086.                 #  day, so that the detail file doesn't have to go
  1087.                 #  through a 'log rotation'
  1088.                 #
  1089.                 #  If your detail files are large, you may also want
  1090.                 #  to add a ':%H' (see doc/variables.txt) to the end
  1091.                 #  of it, to create a new detail file every hour, e.g.:
  1092.                 #
  1093.                 #   ..../detail-%Y%m%d:%H
  1094.                 #
  1095.                 #  This will create a new detail file for every hour.
  1096.                 #
  1097.                 detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
  1098.  
  1099.                 #
  1100.                 #  The Unix-style permissions on the 'detail' file.
  1101.                 #
  1102.                 #  The detail file often contains secret or private
  1103.                 #  information about users.  So by keeping the file
  1104.                 #  permissions restrictive, we can prevent unwanted
  1105.                 #  people from seeing that information.
  1106.                 detailperm = 0600
  1107.  
  1108.                 #
  1109.                 # Certain attributes such as User-Password may be
  1110.                 # "sensitive", so they should not be printed in the
  1111.                 # detail file.  This section lists the attributes
  1112.                 # that should be suppressed.
  1113.                 #
  1114.                 # The attributes should be listed one to a line.
  1115.                 #
  1116.                 #suppress {
  1117.                         # User-Password
  1118.                 #}
  1119.         }
  1120.  
  1121.         #
  1122.         #  Many people want to log authentication requests.
  1123.         #  Rather than modifying the server core to print out more
  1124.         #  messages, we can use a different instance of the 'detail'
  1125.         #  module, to log the authentication requests to a file.
  1126.         #
  1127.         #  You will also need to un-comment the 'auth_log' line
  1128.         #  in the 'authorize' section, below.
  1129.         #
  1130.         # detail auth_log {
  1131.                 # detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
  1132.  
  1133.                 #
  1134.                 #  This MUST be 0600, otherwise anyone can read
  1135.                 #  the users' passwords!
  1136.                 # detailperm = 0600
  1137.         # }
  1138.  
  1139.         #
  1140.         #  This module logs authentication reply packets sent
  1141.         #  to a NAS.  Both Access-Accept and Access-Reject packets
  1142.         #  are logged.
  1143.         #
  1144.         #  You will also need to un-comment the 'reply_log' line
  1145.         #  in the 'post-auth' section, below.
  1146.         #
  1147.         # detail reply_log {
  1148.                 # detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
  1149.  
  1150.                 #
  1151.                 #  This MUST be 0600, otherwise anyone can read
  1152.                 #  the users' passwords!
  1153.                 # detailperm = 0600
  1154.         # }
  1155.  
  1156.         #
  1157.         #  This module logs packets proxied to a home server.
  1158.         #
  1159.         #  You will also need to un-comment the 'pre_proxy_log' line
  1160.         #  in the 'pre-proxy' section, below.
  1161.         #
  1162.         # detail pre_proxy_log {
  1163.                 # detailfile = ${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d
  1164.  
  1165.                 #
  1166.                 #  This MUST be 0600, otherwise anyone can read
  1167.                 #  the users' passwords!
  1168.                 # detailperm = 0600
  1169.         # }
  1170.  
  1171.         #
  1172.         #  This module logs response packets from a home server.
  1173.         #
  1174.         #  You will also need to un-comment the 'post_proxy_log' line
  1175.         #  in the 'post-proxy' section, below.
  1176.         #
  1177.         # detail post_proxy_log {
  1178.                 # detailfile = ${radacctdir}/%{Client-IP-Address}/post-proxy-detail-%Y%m%d
  1179.  
  1180.                 #
  1181.                 #  This MUST be 0600, otherwise anyone can read
  1182.                 #  the users' passwords!
  1183.                 # detailperm = 0600
  1184.         # }
  1185.  
  1186.         #
  1187.         #  The rlm_sql_log module appends the SQL queries in a log
  1188.         #  file which is read later by the radsqlrelay program.
  1189.         #
  1190.         #  This module only performs the dynamic expansion of the
  1191.         #  variables found in the SQL statements. No operation is
  1192.         #  executed on the database server (this could be done
  1193.         #  later by an external program).  That means the module is
  1194.         #  useful only with non-"SELECT" statements.
  1195.         #
  1196.         #  See rlm_sql_log(5) manpage.
  1197.         #
  1198. #       sql_log {
  1199. #              path = ${radacctdir}/sql-relay
  1200. #              acct_table = "radacct"
  1201. #              postauth_table = "radpostauth"
  1202. #
  1203. #              Start = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
  1204. #               NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
  1205. #               AcctSessionTime, AcctTerminateCause) VALUES                 \
  1206. #               ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
  1207. #               '%{Framed-IP-Address}', '%S', '0', '0', '');"
  1208. #              Stop = "INSERT INTO ${acct_table} (AcctSessionId, UserName,  \
  1209. #               NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
  1210. #               AcctSessionTime, AcctTerminateCause) VALUES                 \
  1211. #               ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
  1212. #               '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}',  \
  1213. #               '%{Acct-Terminate-Cause}');"
  1214. #              Alive = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
  1215. #               NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
  1216. #               AcctSessionTime, AcctTerminateCause) VALUES                 \
  1217. #               ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
  1218. #               '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');"
  1219. #
  1220. #              Post-Auth = "INSERT INTO ${postauth_table}                   \
  1221. #               (user, pass, reply, date) VALUES                            \
  1222. #               ('%{User-Name}', '%{User-Password:-Chap-Password}',         \
  1223. #               '%{reply:Packet-Type}', '%S');"
  1224. #       }
  1225.  
  1226.         #
  1227.         #  Create a unique accounting session Id.  Many NASes re-use
  1228.         #  or repeat values for Acct-Session-Id, causing no end of
  1229.         #  confusion.
  1230.         #
  1231.         #  This module will add a (probably) unique session id
  1232.         #  to an accounting packet based on the attributes listed
  1233.         #  below found in the packet.  See doc/rlm_acct_unique for
  1234.         #  more information.
  1235.         #
  1236.         acct_unique {
  1237.                 key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  1238.         }
  1239.  
  1240.  
  1241.         #  Include another file that has the SQL-related configuration.
  1242.         #  This is another file only because it tends to be big.
  1243.         #
  1244.         #  The following configuration file is for use with MySQL.
  1245.         #
  1246.         #  For Postgresql, use:  ${confdir}/postgresql.conf
  1247.         #  For MS-SQL, use:          ${confdir}/mssql.conf
  1248.         #  For Oracle, use:          ${confdir}/oraclesql.conf
  1249.         #
  1250. #       $INCLUDE  ${confdir}/sql.conf
  1251.  
  1252.  
  1253.         #  For Cisco VoIP specific accounting with Postgresql,
  1254.         #  use:  ${confdir}/pgsql-voip.conf
  1255.         #
  1256.         #  You will also need the sql schema from:
  1257.         #        src/billing/cisco_h323_db_schema-postgres.sql
  1258.         #  Note: This config can be used AS WELL AS the standard sql
  1259.         #  config if you need SQL based Auth
  1260.        
  1261.  
  1262.         #  Write a 'utmp' style file, of which users are currently
  1263.         #  logged in, and where they've logged in from.
  1264.         #
  1265.         #  This file is used mainly for Simultaneous-Use checking,
  1266.         #  and also 'radwho', to see who's currently logged in.
  1267.         #
  1268.         radutmp {
  1269.                 #  Where the file is stored.  It's not a log file,
  1270.                 #  so it doesn't need rotating.
  1271.                 #
  1272.                 filename = ${logdir}/radutmp
  1273.  
  1274.                 #  The field in the packet to key on for the
  1275.                 #  'user' name.  If you have other fields which you want
  1276.                 #  to use to key on to control Simultaneous-Use,
  1277.                 #  then you can use them here.
  1278.                 #
  1279.                 #  Note, however, that the size of the field in the
  1280.                 #  'utmp' data structure is small, around 32
  1281.                 #  characters, so that will limit the possible choices
  1282.                 #  of keys.
  1283.                 #
  1284.                 #  You may want instead: %{Stripped-User-Name:-%{User-Name}}
  1285.                 username = %{User-Name}
  1286.  
  1287.  
  1288.                 #  Whether or not we want to treat "user" the same
  1289.                 #  as "USER", or "User".  Some systems have problems
  1290.                 #  with case sensitivity, so this can be set to
  1291.                 #  'no' to make the comparison of the key attribute
  1292.                 #  case insensitive.
  1293.                 #
  1294.                 case_sensitive = yes
  1295.  
  1296.                 #  Accounting information may be lost, so the user MAY
  1297.                 #  have logged off of the NAS, but we haven't noticed.
  1298.                 #  If so, we can verify this information with the NAS.
  1299.                 #
  1300.                 #  If we want to believe the 'utmp' file, then this
  1301.                 #  configuration entry can be set to 'no'.
  1302.                 #
  1303.                 check_with_nas = yes       
  1304.  
  1305.                 # Set the file permissions, as the contents of this file
  1306.                 # are usually private.
  1307.                 perm = 0600
  1308.  
  1309.                 callerid = "yes"
  1310.         }
  1311.  
  1312.         # "Safe" radutmp - does not contain caller ID, so it can be
  1313.         # world-readable, and radwho can work for normal users, without
  1314.         # exposing any information that isn't already exposed by who(1).
  1315.         #
  1316.         # This is another 'instance' of the radutmp module, but it is given
  1317.                 # the name "sradutmp" to identify it later in the "accounting"
  1318.         # section.
  1319.         radutmp sradutmp {
  1320.                 filename = ${logdir}/sradutmp
  1321.                 perm = 0644
  1322.                 callerid = "no"
  1323.         }
  1324.  
  1325.         # attr_filter - filters the attributes received in replies from
  1326.         # proxied servers, to make sure we send back to our RADIUS client
  1327.         # only allowed attributes.
  1328.         attr_filter {
  1329.                 attrsfile = ${confdir}/attrs
  1330.         }
  1331.  
  1332.         #  counter module:
  1333.         #  This module takes an attribute (count-attribute).
  1334.         #  It also takes a key, and creates a counter for each unique
  1335.         #  key.  The count is incremented when accounting packets are
  1336.         #  received by the server.  The value of the increment depends
  1337.         #  on the attribute type.
  1338.         #  If the attribute is Acct-Session-Time or of an integer type we add the
  1339.         #  value of the attribute. If it is anything else we increase the
  1340.         #  counter by one.
  1341.         #
  1342.         #  The 'reset' parameter defines when the counters are all reset to
  1343.         #  zero.  It can be hourly, daily, weekly, monthly or never.
  1344.         #
  1345.         #  hourly: Reset on 00:00 of every hour
  1346.         #  daily: Reset on 00:00:00 every day
  1347.         #  weekly: Reset on 00:00:00 on Sunday
  1348.         #  monthly: Reset on 00:00:00 of the first day of each month
  1349.         #
  1350.         #  It can also be user defined. It should be of the form:
  1351.         #  num[hdwm] where:
  1352.         #  h: hours, d: days, w: weeks, m: months
  1353.         #  If the letter is omitted, days will be assumed. For example:
  1354.         #  reset = 10h (reset every 10 hours)
  1355.         #  reset = 12  (reset every 12 days)
  1356.         #
  1357.         #
  1358.         #  The check-name attribute defines an attribute which will be
  1359.         #  registered by the counter module and can be used to set the
  1360.         #  maximum allowed value for the counter after which the user
  1361.         #  is rejected.
  1362.         #  Something like:
  1363.         #
  1364.         #  DEFAULT Max-Daily-Session := 36000
  1365.         #          Fall-Through = 1
  1366.         #
  1367.         #  You should add the counter module in the instantiate
  1368.         #  section so that it registers check-name before the files
  1369.         #  module reads the users file.
  1370.         #
  1371.         #  If check-name is set and the user is to be rejected then we
  1372.         #  send back a Reply-Message and we log a Failure-Message in
  1373.         #  the radius.log
  1374.         #  If the count attribute is Acct-Session-Time then on each login
  1375.         #  we send back the remaining online time as a Session-Timeout attribute
  1376.         #
  1377.         #  The counter-name can also be used instead of using the check-name
  1378.         #  like below:
  1379.         #
  1380.         #  DEFAULT  Daily-Session-Time > 3600, Auth-Type = Reject
  1381.         #      Reply-Message = "You've used up more than one hour today"
  1382.         #
  1383.         #  The allowed-servicetype attribute can be used to only take
  1384.         #  into account specific sessions. For example if a user first
  1385.         #  logs in through a login menu and then selects ppp there will
  1386.         #  be two sessions. One for Login-User and one for Framed-User
  1387.         #  service type. We only need to take into account the second one.
  1388.         #
  1389.         #  The module should be added in the instantiate, authorize and
  1390.         #  accounting sections.  Make sure that in the authorize
  1391.         #  section it comes after any module which sets the
  1392.         #  'check-name' attribute.
  1393.         #
  1394.         counter daily {
  1395.                 filename = ${raddbdir}/db.daily
  1396.                 key = User-Name
  1397.                 count-attribute = Acct-Session-Time
  1398.                 reset = daily
  1399.                 counter-name = Daily-Session-Time
  1400.                 check-name = Max-Daily-Session
  1401.                 allowed-servicetype = Framed-User
  1402.                 cache-size = 5000
  1403.         }
  1404.  
  1405.         #
  1406.         #  This module is an SQL enabled version of the counter module.
  1407.         #
  1408.         #  Rather than maintaining seperate (GDBM) databases of
  1409.         #  accounting info for each counter, this module uses the data
  1410.         #  stored in the raddacct table by the sql modules. This
  1411.         #  module NEVER does any database INSERTs or UPDATEs.  It is
  1412.         #  totally dependent on the SQL module to process Accounting
  1413.         #  packets.
  1414.         #
  1415.         #  The 'sqlmod_inst' parameter holds the instance of the sql
  1416.         #  module to use when querying the SQL database. Normally it
  1417.         #  is just "sql".  If you define more and one SQL module
  1418.         #  instance (usually for failover situations), you can
  1419.         #  specify which module has access to the Accounting Data
  1420.         #  (radacct table).
  1421.         #
  1422.         #  The 'reset' parameter defines when the counters are all
  1423.         #  reset to zero.  It can be hourly, daily, weekly, monthly or
  1424.         #  never.  It can also be user defined. It should be of the
  1425.         #  form:
  1426.         #       num[hdwm] where:
  1427.         #       h: hours, d: days, w: weeks, m: months
  1428.         #       If the letter is ommited days will be assumed. In example:
  1429.         #       reset = 10h (reset every 10 hours)
  1430.         #       reset = 12  (reset every 12 days)
  1431.         #
  1432.         #  The 'key' parameter specifies the unique identifier for the
  1433.         #  counter records (usually 'User-Name').
  1434.         #
  1435.         #  The 'query' parameter specifies the SQL query used to get
  1436.         #  the current Counter value from the database. There are 3
  1437.         #  parameters that can be used in the query:
  1438.         #              %k     'key' parameter
  1439.         #              %b     unix time value of beginning of reset period
  1440.         #              %e     unix time value of end of reset period
  1441.         #
  1442.         #  The 'check-name' parameter is the name of the 'check'
  1443.         #  attribute to use to access the counter in the 'users' file
  1444.         #  or SQL radcheck or radcheckgroup tables.
  1445.         #
  1446.         #  DEFAULT  Max-Daily-Session > 3600, Auth-Type = Reject
  1447.         #      Reply-Message = "You've used up more than one hour today"
  1448.         #
  1449.         sqlcounter dailycounter {
  1450.                 counter-name = Daily-Session-Time
  1451.                 check-name = Max-Daily-Session
  1452.                 sqlmod-inst = sql
  1453.                 key = User-Name
  1454.                 reset = daily
  1455.  
  1456.                 # This query properly handles calls that span from the
  1457.                 # previous reset period into the current period but
  1458.                 # involves more work for the SQL server than those
  1459.                 # below
  1460.                 # For mysql:
  1461.                 query = "SELECT SUM(AcctSessionTime - \
  1462.                  GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
  1463.                  FROM radacct WHERE UserName='%{%k}' AND \
  1464.                  UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
  1465.  
  1466.                 # For postgresql:
  1467. #              query = "SELECT SUM(AcctSessionTime - \
  1468. #                GREATER((%b - AcctStartTime::ABSTIME::INT4), 0)) \
  1469. #                FROM radacct WHERE UserName='%{%k}' AND \
  1470. #                AcctStartTime::ABSTIME::INT4 + AcctSessionTime > '%b'"
  1471.  
  1472.                 # This query ignores calls that started in a previous
  1473.                 # reset period and continue into into this one. But it
  1474.                 # is a little easier on the SQL server
  1475.                 # For mysql:
  1476. #              query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \
  1477. #                UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"
  1478.  
  1479.                 # For postgresql:
  1480. #              query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \
  1481. #                UserName='%{%k}' AND AND AcctStartTime::ABSTIME::INT4 > '%b'"
  1482.  
  1483.                 # This query is the same as above, but demonstrates an
  1484.                 # additional counter parameter '%e' which is the
  1485.                 # timestamp for the end of the period
  1486.                 # For mysql:
  1487. #              query = "SELECT SUM(AcctSessionTime) FROM radacct \
  1488. #                WHERE UserName='%{%k}' AND AcctStartTime BETWEEN \
  1489. #                FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"
  1490.  
  1491.                 # For postgresql:
  1492. #              query = "SELECT SUM(AcctSessionTime) FROM radacct \
  1493. #                WHERE UserName='%{%k}' AND AcctStartTime::ABSTIME::INT4 \
  1494. #                BETWEEN '%b' AND '%e'"
  1495.         }
  1496.  
  1497.         sqlcounter monthlycounter {
  1498.                 counter-name = Monthly-Session-Time
  1499.                 check-name = Max-Monthly-Session
  1500.                 sqlmod-inst = sql
  1501.                 key = User-Name
  1502.                 reset = monthly
  1503.  
  1504.                 # This query properly handles calls that span from the
  1505.                 # previous reset period into the current period but
  1506.                 # involves more work for the SQL server than those
  1507.                 # below
  1508.                 # The same notes above about the differences between mysql
  1509.                 # versus postgres queries apply here.
  1510.                 query = "SELECT SUM(AcctSessionTime - \
  1511.                  GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
  1512.                  FROM radacct WHERE UserName='%{%k}' AND \
  1513.                  UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
  1514.  
  1515.                 # This query ignores calls that started in a previous
  1516.                 # reset period and continue into into this one. But it
  1517.                 # is a little easier on the SQL server
  1518. #              query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \
  1519. #                UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"
  1520.  
  1521.                 # This query is the same as above, but demonstrates an
  1522.                 # additional counter parameter '%e' which is the
  1523.                 # timestamp for the end of the period
  1524. #              query = "SELECT SUM(AcctSessionTime) FROM radacct \
  1525. #                WHERE UserName='%{%k}' AND AcctStartTime BETWEEN \
  1526. #                FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"
  1527.         }
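The reset periods and the two counting queries above, as an added example that is not part of radiusd.conf or of FreeRADIUS: it derives the %b/%e bounds for a 'reset' value, counts constructed radacct rows the way the "proper" and the cheaper dailycounter queries do, and applies the Max-Daily-Session check. The period alignment for num[hdwm] values is a simplification of the modules, and the user names, times and rows are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# The named reset values from the config, as (count, unit) pairs.
NAMED_RESETS = {"hourly": (1, "h"), "daily": (1, "d"),
                "weekly": (1, "w"), "monthly": (1, "m")}


def parse_reset(spec):
    """Parse a 'reset' value: a named period, 'never' (returns None), or
    num[hdwm]; a bare number means days, as the config comment says."""
    if spec == "never":
        return None
    if spec in NAMED_RESETS:
        return NAMED_RESETS[spec]
    m = re.fullmatch(r"(\d+)([hdwm]?)", spec)
    if not m:
        raise ValueError(f"bad reset value: {spec!r}")
    return int(m.group(1)), (m.group(2) or "d")


def unix_time(dt):
    return int(dt.timestamp())


def add_months(dt, n):
    years, month0 = divmod(dt.month - 1 + n, 12)
    return dt.replace(year=dt.year + years, month=month0 + 1)


def period_bounds(now, spec):
    """Return (%b, %e): unix start and end of the reset period containing 'now'.
    Assumption/simplification: the period is aligned to the calendar unit and is
    num units long; the real modules remember the last reset time in their db."""
    parsed = parse_reset(spec)
    if parsed is None:                      # reset = never: count everything ever
        return 0, None
    num, unit = parsed
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "h":                         # hourly: 00:00 of the hour
        start = now.replace(minute=0, second=0, microsecond=0)
        end = start + timedelta(hours=num)
    elif unit == "d":                       # daily: 00:00:00 today
        start = midnight
        end = start + timedelta(days=num)
    elif unit == "w":                       # weekly: 00:00:00 on Sunday
        start = midnight - timedelta(days=(now.weekday() + 1) % 7)
        end = start + timedelta(weeks=num)
    else:                                   # monthly: first day of the month
        start = midnight.replace(day=1)
        end = add_months(start, num)
    return unix_time(start), unix_time(end)


def count_spanning(rows, user, b):
    """The 'proper' mysql query of dailycounter:
    SUM(AcctSessionTime - GREATEST(%b - UNIX_TIMESTAMP(AcctStartTime), 0))
    WHERE UserName=%k AND start + AcctSessionTime > %b.
    Time spent before %b by a session that straddles the reset is trimmed off."""
    return sum(t - max(b - s, 0) for u, s, t in rows if u == user and s + t > b)


def count_simple(rows, user, b):
    """The cheaper query: SUM(AcctSessionTime) WHERE AcctStartTime > %b.
    A session that began before the reset and ran into this period is lost."""
    return sum(t for u, s, t in rows if u == user and s > b)


def check_session(counter, max_session):
    """Mirror of the check-name logic: with no time left the user is rejected,
    otherwise the remaining seconds go back as Session-Timeout."""
    remaining = max_session - counter
    return ("reject", 0) if remaining <= 0 else ("accept", remaining)


def ts(*ymdhm):
    return unix_time(datetime(*ymdhm, tzinfo=timezone.utc))


# Constructed sample of the radacct table: (UserName, AcctStartTime, AcctSessionTime).
NOW = datetime(2007, 4, 13, 9, 0, tzinfo=timezone.utc)
RADACCT = [
    ("alice", ts(2007, 4, 12, 22, 0), 4 * 3600),  # started yesterday, 2 h past midnight
    ("alice", ts(2007, 4, 13, 3, 0), 1800),
    ("alice", ts(2007, 4, 12, 10, 0), 3600),      # entirely in the previous period
    ("bob", ts(2007, 4, 13, 5, 0), 600),
]

if __name__ == "__main__":
    b, e = period_bounds(NOW, "daily")
    used = count_spanning(RADACCT, "alice", b)
    print("alice today:", used, "s; cheap query says", count_simple(RADACCT, "alice", b))
    print("Max-Daily-Session := 36000 ->", check_session(used, 36000))
```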

        #
        # The "always" module is here for debugging purposes. Each
        # instance simply returns the same result, always, without
        # doing anything.
        always fail {
                rcode = fail
        }
        always reject {
                rcode = reject
        }
        always ok {
                rcode = ok
                simulcount = 0
                mpp = no
        }

        #
        #  The 'expression' module currently has no configuration.
        #
        #  This module is useful only for 'xlat'.  To use it,
        #  put 'expr' into the 'instantiate' section.  You can then
        #  do dynamic translation of attributes like:
        #
        #  Attribute-Name = `%{expr:2 + 3 + %{exec: uid -u}}`
        #
        #  The value of the attribute will be replaced with the result
        #  of the expression; a nested %{exec:...} is replaced with the
        #  output of the program which is executed.  Due to RADIUS protocol
        #  limitations, any output over 253 bytes will be ignored.
        expr {
        }

        #
        #  The 'digest' module currently has no configuration.
        #
        #  "Digest" authentication against a Cisco SIP server.
        #  See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
        #  on performing digest authentication for Cisco SIP servers.
        #
        digest {
        }

        #
        #  Execute external programs
        #
        #  This module is useful only for 'xlat'.  To use it,
        #  put 'exec' into the 'instantiate' section.  You can then
        #  do dynamic translation of attributes like:
        #
        #  Attribute-Name = `%{exec:/path/to/program args}`
        #
        #  The value of the attribute will be replaced with the output
        #  of the program which is executed.  Due to RADIUS protocol
        #  limitations, any output over 253 bytes will be ignored.
        #
        #  The RADIUS attributes from the user request will be placed
        #  into environment variables of the executed program, as
        #  described in 'doc/variables.txt'
        #
        exec {
                wait = yes
                input_pairs = request
        }

        #
        #  This is a more general example of the execute module.
        #
        #  This one is called "echo".
        #
        #  Attribute-Name = `%{echo:/path/to/program args}`
        #
        #  If you wish to execute an external program in more than
        #  one section (e.g. 'authorize', 'pre_proxy', etc), then it
        #  is probably best to define a different instance of the
        #  'exec' module for every section.
        #
        exec echo {
                #
                #  Wait for the program to finish.
                #
                #  If we do NOT wait, then the program is "fire and
                #  forget", and any output attributes from it are ignored.
                #
                #  If we are looking for the program to output
                #  attributes, and want to add those attributes to the
                #  request, then we MUST wait for the program to
                #  finish, and therefore set 'wait=yes'
                #
                # allowed values: {no, yes}
                wait = yes

                #
                #  The name of the program to execute, and its
                #  arguments.  Dynamic translation is done on this
                #  field, so things like the following example will
                #  work.
                #
                program = "/bin/echo %{User-Name}"

                #
                #  The attributes which are placed into the
                #  environment variables for the program.
                #
                #  Allowed values are:
                #
                #       request        attributes from the request
                #       config         attributes from the configuration items list
                #       reply          attributes from the reply
                #       proxy-request  attributes from the proxy request
                #       proxy-reply    attributes from the proxy reply
                #
                #  Note that some attributes may not exist at some
                #  stages.  e.g. There may be no proxy-reply
                #  attributes if this module is used in the
                #  'authorize' section.
                #
                input_pairs = request

                #
                #  Where to place the output attributes (if any) from
                #  the executed program.  The values allowed, and the
                #  restrictions as to availability, are the same as
                #  for the input_pairs.
                #
                output_pairs = reply

                #
                #  When to execute the program.  If the packet
                #  type does NOT match what's listed here, then
                #  the module does NOT execute the program.
                #
                #  For a list of allowed packet types, see
                #  the 'dictionary' file, and look for VALUEs
                #  of the Packet-Type attribute.
                #
                #  By default, the module executes on ANY packet.
                #  Un-comment the following line to tell the
                #  module to execute only if an Access-Accept is
                #  being sent to the NAS.
                #
                #packet_type = Access-Accept
        }

        #  Do server side ip pool management. Should be added in post-auth and
        #  accounting sections.
        #
        #  The module also requires the existence of the Pool-Name
        #  attribute. That way the administrator can add the Pool-Name
        #  attribute in the user profiles and use different pools
        #  for different users. The Pool-Name attribute is a *check* item not
        #  a reply item.
        #
        # Example:
        # radiusd.conf: ippool students { [...] }
        # users file  : DEFAULT Group == students, Pool-Name := "students"
        #
        # ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST *********
        # ********* THEN ERASE THE DB FILES                     *********
        #
        ippool main_pool {

                #  range-start,range-stop: The start and end ip
                #  addresses for the ip pool
                range-start = 192.168.1.1
                range-stop = 192.168.3.254

                #  netmask: The network mask used for the ip's
                netmask = 255.255.255.0

                #  cache-size: The gdbm cache size for the db
                #  files. Should be equal to the number of ip's
                #  available in the ip pool
                cache-size = 800

                # session-db: The main db file used to allocate ip's to clients
                session-db = ${raddbdir}/db.ippool

                # ip-index: Helper db index file used in multilink
                ip-index = ${raddbdir}/db.ipindex

                # override: Will this ippool override a Framed-IP-Address already set
                override = no

                # maximum-timeout: If not zero specifies the maximum time in seconds an
                # entry may be active. Default: 0
                maximum-timeout = 0
        }

        # $INCLUDE  ${confdir}/sqlippool.conf

        # OTP token support.  Not included by default.
        # $INCLUDE  ${confdir}/otp.conf

}

# Instantiation
#
#  This section orders the loading of the modules.  Modules
#  listed here will get loaded BEFORE the later sections like
#  authorize, authenticate, etc. get examined.
#
#  This section is not strictly needed.  When a section like
#  authorize refers to a module, it's automatically loaded and
#  initialized.  However, some modules may not be listed in any
#  of the following sections, so they can be listed here.
#
#  Also, listing modules here ensures that you have control over
#  the order in which they are initialized.  If one module needs
#  something defined by another module, you can list them in order
#  here, and ensure that the configuration will be OK.
#
instantiate {
        #
        #  Allows the execution of external scripts.
        #  The entire command line (and output) must fit into 253 bytes.
        #
        #  e.g. Framed-Pool = `%{exec:/bin/echo foo}`
        exec

        #
        #  The expression module doesn't do authorization,
        #  authentication, or accounting.  It only does dynamic
        #  translation, of the form:
        #
        #       Session-Timeout = `%{expr:2 + 3}`
        #
        #  So the module needs to be instantiated, but CANNOT be
        #  listed in any other section.  See 'doc/rlm_expr' for
        #  more information.
        #
        expr

        #
        # We add the counter module here so that it registers
        # the check-name attribute before any module which sets
        # it
#       daily
}

#  Authorization. First preprocess (hints and huntgroups files),
#  then realms, and finally look in the "users" file.
#
#  The order of the realm modules will determine the order that
#  we try to find a matching realm.
#
#  Make *sure* that 'preprocess' comes before any realm if you
#  need to set up hints for the remote radius server
authorize {
        #
        #  The preprocess module takes care of sanitizing some bizarre
        #  attributes in the request, and turning them into attributes
        #  which are more standard.
        #
        #  It takes care of processing the 'raddb/hints' and the
        #  'raddb/huntgroups' files.
        #
        #  It also adds the %{Client-IP-Address} attribute to the request.
        preprocess

        #
        #  If you want to have a log of authentication requests,
        #  un-comment the following line, and the 'detail auth_log'
        #  section, above.
#       auth_log

#       attr_filter

        #
        #  The chap module will set 'Auth-Type := CHAP' if we are
        #  handling a CHAP request and Auth-Type has not already been set
        chap

        #
        #  If the users are logging in with an MS-CHAP-Challenge
        #  attribute for authentication, the mschap module will find
        #  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
        #  to the request, which will cause the server to then use
        #  the mschap module for authentication.
        mschap

        #
        #  If you have a Cisco SIP server authenticating against
        #  FreeRADIUS, uncomment the following line, and the 'digest'
        #  line in the 'authenticate' section.
#       digest

        #
        #  Look for IPASS style 'realm/', and if not found, look for
        #  'user@realm', and decide whether or not to proxy, based on
        #  that.
#       IPASS

        #
        #  If you are using multiple kinds of realms, you probably
        #  want to set "ignore_null = yes" for all of them.
        #  Otherwise, when the first style of realm doesn't match,
        #  the other styles won't be checked.
        #
        suffix
#       ntdomain

        #
        #  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
        #  authentication.
        #
        #  It also sets the EAP-Type attribute in the request
        #  attribute list to the EAP type from the packet.
        eap

        #
        #  Read the 'users' file
        files

        #
        #  Look in an SQL database.  The schema of the database
        #  is meant to mirror the "users" file.
        #
        #  See "Authorization Queries" in sql.conf
#       sql

        #
        #  If you are using /etc/smbpasswd, and are also doing
        #  mschap authentication, then un-comment this line, and
        #  configure the 'etc_smbpasswd' module, above.
#       etc_smbpasswd

        #
        #  The ldap module will set Auth-Type to LDAP if it has not
        #  already been set
#       ldap

        #
        #  Enforce daily limits on time spent logged in.
#       daily

        #
        # Use the checkval module
#       checkval
}


#  Authentication.
#
#
#  This section lists which modules are available for authentication.
#  Note that it does NOT mean 'try each module in order'.  It means
#  that a module from the 'authorize' section adds a configuration
#  attribute 'Auth-Type := FOO'.  That authentication type is then
#  used to pick the appropriate module from the list below.
#

#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
#  will figure it out on its own, and will do the right thing.  The
#  most common side effect of erroneously setting the Auth-Type
#  attribute is that one authentication method will work, but the
#  others will not.
#
#  The common reasons to set the Auth-Type attribute by hand
#  are to either forcibly reject the user, or forcibly accept him.
#
authenticate {
        #
        #  PAP authentication, when a back-end database listed
        #  in the 'authorize' section supplies a password.  The
        #  password can be clear-text, or encrypted.
        Auth-Type PAP {
                pap
        }

        #
        #  Most people want CHAP authentication
        #  A back-end database listed in the 'authorize' section
        #  MUST supply a CLEAR TEXT password.  Encrypted passwords
        #  won't work.
        Auth-Type CHAP {
                chap
        }

        #
        #  MSCHAP authentication.
        Auth-Type MS-CHAP {
                mschap
        }

        #
        #  If you have a Cisco SIP server authenticating against
        #  FreeRADIUS, uncomment the following line, and the 'digest'
        #  line in the 'authorize' section.
#       digest

        #
        #  Pluggable Authentication Modules.
#       pam

        #
        #  See 'man getpwent' for information on how the 'unix'
        #  module checks the user's password.  Note that packets
        #  containing CHAP-Password attributes CANNOT be authenticated
        #  against /etc/passwd!  See the FAQ for details.
        #
        unix

        # Uncomment it if you want to use ldap for authentication
        #
        # Note that this means "check plain-text password against
        # the ldap database", which means that EAP won't work,
        # as it does not supply a plain-text password.
#       Auth-Type LDAP {
#              ldap
#       }

        #
        #  Allow EAP authentication.
        eap
}
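Why the 'Auth-Type CHAP' branch needs a clear-text password from the back end, as an added example that is not FreeRADIUS code: it builds the CHAP-Password attribute the way a client does (RFC 1994, carried in RADIUS per RFC 2865) and verifies it the way rlm_chap must, from the stored password. The ident, password and challenge are constructed values.

```python
import hashlib
import hmac


def chap_response(ident, password, challenge):
    """Client side: CHAP-Password = ident (1 byte) || MD5(ident || password || challenge).
    'challenge' is the CHAP-Challenge attribute, or the 16-byte Request
    Authenticator when the NAS sends no CHAP-Challenge."""
    ident_byte = bytes([ident & 0xFF])
    return ident_byte + hashlib.md5(ident_byte + password + challenge).digest()


def chap_verify(chap_password, challenge, stored_password):
    """Server side: recompute the digest from the password the 'authorize'
    modules supplied and compare it with the client's.  Only a clear-text
    password works, because the password bytes themselves are an input to
    the MD5 computation; a stored hash of the password cannot reproduce it."""
    if len(chap_password) != 17:           # 1 ident byte + 16 digest bytes
        return False
    ident_byte = chap_password[:1]
    expected = hashlib.md5(ident_byte + stored_password + challenge).digest()
    return hmac.compare_digest(expected, chap_password[1:])


# Constructed values: a NAS-assigned CHAP ident, the user's password, a challenge.
IDENT = 0x2A
PASSWORD = b"correct horse"
CHALLENGE = bytes(range(16))


def demo():
    """Return (verified against clear-text store, verified against hashed store)."""
    resp = chap_response(IDENT, PASSWORD, CHALLENGE)
    with_cleartext = chap_verify(resp, CHALLENGE, PASSWORD)
    # An "encrypted" back end only holds a hash of the password; handing that
    # hash to the verifier as if it were the password cannot match.
    hashed_store = hashlib.md5(PASSWORD).hexdigest().encode()
    with_hash = chap_verify(resp, CHALLENGE, hashed_store)
    return with_cleartext, with_hash


if __name__ == "__main__":
    print("clear-text store, hashed store:", demo())
```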


#
#  Pre-accounting.  Decide which accounting type to use.
#
preacct {
        preprocess

        #
        #  Ensure that we have a semi-unique identifier for every
        #  request, as many NAS boxes are broken.
        acct_unique

        #
        #  Look for IPASS-style 'realm/', and if not found, look for
        #  'user@realm', and decide whether or not to proxy, based on
        #  that.
        #
        #  Accounting requests are generally proxied to the same
        #  home server as authentication requests.
#       IPASS
        suffix
#       ntdomain

        #
        #  Read the 'acct_users' file
        files
}

#
#  Accounting.  Log the accounting data.
#
accounting {
        #
        #  Create a 'detail'ed log of the packets.
        #  Note that accounting requests which are proxied
        #  are also logged in the detail file.
        detail
#       daily

        #  Update the wtmp file
        #
        #  If you don't use "radlast", you can delete this line.
        unix

        #
        #  For Simultaneous-Use tracking.
        #
        #  Due to packet losses in the network, the data here
        #  may be incorrect.  There is little we can do about it.
        radutmp
#       sradutmp

        #  Return an address to the IP Pool when we see a stop record.
#       main_pool

        #
        #  Log traffic to an SQL database.
        #
        #  See "Accounting queries" in sql.conf
#       sql

        #
        #  Instead of sending the query to the SQL server,
        #  write it into a log file.
        #
#       sql_log

        #  Cisco VoIP specific bulk accounting
#       pgsql-voip

}


#  Session database, used for checking Simultaneous-Use. Either the radutmp
#  or rlm_sql module can handle this.
#  The rlm_sql module is *much* faster
session {
        radutmp

        #
        #  See "Simultaneous Use Checking Queries" in sql.conf
#       sql
}


#  Post-Authentication
#  Once we KNOW that the user has been authenticated, there are
#  additional steps we can take.
post-auth {
        #  Get an address from the IP Pool.
#       main_pool

        #
        #  If you want to have a log of authentication replies,
        #  un-comment the following line, and the 'detail reply_log'
        #  section, above.
#       reply_log

        #
        #  After authenticating the user, do another SQL query.
        #
        #  See "Authentication Logging Queries" in sql.conf
#       sql

        #
        #  Instead of sending the query to the SQL server,
        #  write it into a log file.
        #
#       sql_log

        #
        #  Un-comment the following if you have set
        #  'edir_account_policy_check = yes' in the ldap module sub-section of
        #  the 'modules' section.
        #
#       ldap
        #
        #  Access-Reject packets are sent through the REJECT sub-section of the
        #  post-auth section.
        #  Uncomment the following and set the module name to the ldap instance
        #  name if you have set 'edir_account_policy_check = yes' in the ldap
        #  module sub-section of the 'modules' section.
        #
#       Post-Auth-Type REJECT {
#              insert-module-name-here
#       }

}

#
#  When the server decides to proxy a request to a home server,
#  the proxied request is first passed through the pre-proxy
#  stage.  This stage can re-write the request, or decide to
#  cancel the proxy.
#
#  Only a few modules currently have this method.
#
pre-proxy {
#       attr_rewrite

        #  Uncomment the following line if you want to change attributes
        #  as defined in the preproxy_users file.
#       files

        #  If you want to have a log of packets proxied to a home
        #  server, un-comment the following line, and the
        #  'detail pre_proxy_log' section, above.
#       pre_proxy_log
}

#
#  When the server receives a reply to a request it proxied
#  to a home server, the request may be massaged here, in the
#  post-proxy stage.
#
post-proxy {

        #  If you want to have a log of replies from a home server,
        #  un-comment the following line, and the 'detail post_proxy_log'
        #  section, above.
#       post_proxy_log

#       attr_rewrite

        #  Uncomment the following line if you want to filter replies from
        #  remote proxies based on the rules defined in the 'attrs' file.

#       attr_filter

        #
        #  If you are proxying LEAP, you MUST configure the EAP
        #  module, and you MUST list it here, in the post-proxy
        #  stage.
        #
        #  You MUST also use the 'nostrip' option in the 'realm'
        #  configuration.  Otherwise, the User-Name attribute
        #  in the proxied request will not match the user name
        #  hidden inside of the EAP packet, and the end server will
        #  reject the EAP request.
        #
        eap
}