users
Tuesday, April 17th, 2007 at 4:20:49am UTC 

##
## radiusd.conf -- FreeRADIUS server configuration file.
##
##      http://www.freeradius.org/
##      $Id: radiusd.conf.in,v 1.188.2.4.2.12 2006/07/29 19:43:30 nbk Exp $
##

#       The location of other config files and
#       logfiles are declared in this file
#
#       Also general configuration for modules can be done
#       in this file, it is exported through the API to
#       modules that ask for it.
#
#       The configuration variables defined here are of the form ${foo}
#       They are local to this file, and do not change from request to
#       request.
#
#       The per-request variables are of the form %{Attribute-Name}, and
#       are taken from the values of the attribute in the incoming
#       request.  See 'doc/variables.txt' for more information.

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

#
#  The logging messages for the server are appended to the
#  tail of this file.
#
log_file = ${logdir}/radius.log

#
# libdir: Where to find the rlm_* modules.
#
#   This should be automatically set at configuration time.
#
#   If the server builds and installs, but fails at execution time
#   with an 'undefined symbol' error, then you can use the libdir
#   directive to work around the problem.
#
#   The cause is usually that a library has been installed on your
#   system in a place where the dynamic linker CANNOT find it.  When
#   executing as root (or another user), your personal environment MAY
#   be set up to allow the dynamic linker to find the library.  When
#   executing as a daemon, FreeRADIUS MAY NOT have the same
#   personalized configuration.
#
#   To work around the problem, find out which library contains that symbol,
#   and add the directory containing that library to the end of 'libdir',
#   with a colon separating the directory names.  NO spaces are allowed.
#
#   e.g. libdir = /usr/local/lib:/opt/package/lib
#
#   You can also try setting the LD_LIBRARY_PATH environment variable
#   in a script which starts the server.
#
#   If that does not work, then you can re-configure and re-build the
#   server to NOT use shared libraries, via:
#
#       ./configure --disable-shared
#       make
#       make install
#
libdir = /usr/lib

#  pidfile: Where to place the PID of the RADIUS server.
#
#  The server may be signalled while it's running by using this
#  file.
#
#  This file is written ONLY when running in daemon mode.
#
#  e.g.:  kill -HUP `cat /var/run/radiusd/radiusd.pid`
#
pidfile = ${run_dir}/radiusd.pid


# user/group: The name (or #number) of the user/group to run radiusd as.
#
#   If these are commented out, the server will run as the user/group
#   that started it.  In order to change to a different user/group, you
#   MUST be root ( or have root privileges ) to start the server.
#
#   We STRONGLY recommend that you run the server with as few permissions
#   as possible.  That is, if you're not using shadow passwords, the
#   user and group items below should be set to 'nobody'.
#
#    On SCO (ODT 3) use "user = nouser" and "group = nogroup".
#
#  NOTE that some kernels refuse to setgid(group) when the value of
#  (unsigned)group is above 60000; don't use group nobody on these systems!
#
#  On systems with shadow passwords, you might have to set 'group = shadow'
#  for the server to be able to read the shadow password file.  If you can
#  authenticate users while in debug mode, but not in daemon mode, it may be
#  that the debugging mode server is running as a user that can read the
#  shadow info, and the user listed below can not.
#
user = radiusd
group = radiusd

#  max_request_time: The maximum time (in seconds) to handle a request.
#
#  Requests which take more time than this to process may be killed, and
#  a REJECT message is returned.
#
#  WARNING: If you notice that requests take a long time to be handled,
#  then this MAY INDICATE a bug in the server, in one of the modules
#  used to handle a request, OR in your local configuration.
#
#  This problem is most often seen when using an SQL database.  If it takes
#  more than a second or two to receive an answer from the SQL database,
#  then it probably means that you haven't indexed the database.  See your
#  SQL server documentation for more information.
#
#  Useful range of values: 5 to 120
#
max_request_time = 30

#  delete_blocked_requests: If the request takes MORE THAN 'max_request_time'
#  to be handled, then maybe the server should delete it.
#
#  If you're running in threaded, or thread pool mode, this setting
#  should probably be 'no'.  Setting it to 'yes' when using a threaded
#  server MAY cause the server to crash!
#
delete_blocked_requests = no

#  cleanup_delay: The time to wait (in seconds) before cleaning up
#  a reply which was sent to the NAS.
#
#  The RADIUS request is normally cached internally for a short period
#  of time, after the reply is sent to the NAS.  The reply packet may be
#  lost in the network, and the NAS will not see it.  The NAS will then
#  re-send the request, and the server will respond quickly with the
#  cached reply.
#
#  If this value is set too low, then duplicate requests from the NAS
#  MAY NOT be detected, and will instead be handled as separate requests.
#
#  If this value is set too high, then the server will cache too many
#  requests, and some new requests may get blocked.  (See 'max_requests'.)
#
#  Useful range of values: 2 to 10
#
cleanup_delay = 5

#  max_requests: The maximum number of requests which the server keeps
#  track of.  This should be 256 multiplied by the number of clients.
#  e.g. With 4 clients, this number should be 1024.
#
#  If this number is too low, then when the server becomes busy,
#  it will not respond to any new requests, until the 'cleanup_delay'
#  time has passed, and it has removed the old requests.
#
#  If this number is set too high, then the server will use a bit more
#  memory for no real benefit.
#
#  If you aren't sure what it should be set to, it's better to set it
#  too high than too low.  Setting it to 1000 per client is probably
#  the highest it should be.
#
#  Useful range of values: 256 to infinity
#
max_requests = 1024

#  bind_address:  Make the server listen on a particular IP address, and
#  send replies out from that address.  This directive is most useful
#  for machines with multiple IP addresses on one interface.
#
#  It can either contain "*", or an IP address, or a fully qualified
#  Internet domain name.  The default is "*"
#
#  As of 1.0, you can also use the "listen" directive.  See below for
#  more information.
#
bind_address = *

#  port: Allows you to bind FreeRADIUS to a specific port.
#
#  The default port that most NAS boxes use is 1645, which is historical.
#  RFC 2138 defines 1812 to be the new port.  Many new servers and
#  NAS boxes use 1812, which can create interoperability problems.
#
#  The port is defined here to be 0 so that the server will pick up
#  the machine's local configuration for the radius port, as defined
#  in /etc/services.
#
#  If you want to use the default RADIUS port as defined on your server,
#  (usually through 'grep radius /etc/services') set this to 0 (zero).
#
#  A port given on the command-line via '-p' over-rides this one.
#
#  As of 1.0, you can also use the "listen" directive.  See below for
#  more information.
#
port = 0

#
#  By default, the server uses "bind_address" to listen to all IP's
#  on a machine, or just one IP.  The "port" configuration is used
#  to select the authentication port used when listening on those
#  addresses.
#
#  If you want the server to listen on additional addresses, you can
#  use the "listen" section.  A sample section (commented out) is included
#  below.  This "listen" section duplicates the functionality of the
#  "bind_address" and "port" configuration entries, but it only listens
#  for authentication packets.
#
#  If you comment out the "bind_address" and "port" configuration entries,
#  then it becomes possible to make the server accept only accounting,
#  or authentication packets.  Previously, it always listened for both
#  types of packets, and it was impossible to make it listen for only
#  one type of packet.
#
#listen {
        #  IP address on which to listen.
        #  Allowed values are:
        #       dotted quad (1.2.3.4)
        #       hostname    (radius.example.com)
        #       wildcard    (*)
#       ipaddr = *

        #  Port on which to listen.
        #  Allowed values are:
        #       integer port number (1812)
        #       0 means "use /etc/services for the proper port"
#       port = 0

        #  Type of packets to listen for.
        #  Allowed values are:
        #       auth   listen for authentication packets
        #       acct   listen for accounting packets
        #
#       type = auth
#}


#  hostname_lookups: Log the names of clients or just their IP addresses
#  e.g., www.freeradius.org (on) or 206.47.27.232 (off).
#
#  The default is 'off' because it would be overall better for the net
#  if people had to knowingly turn this feature on, since enabling it
#  means that each client request will result in AT LEAST one lookup
#  request to the nameserver.   Enabling hostname_lookups will also
#  mean that your server may stop randomly for 30 seconds from time
#  to time, if the DNS requests take too long.
#
#  Turning hostname lookups off also means that the server won't block
#  for 30 seconds, if it sees an IP address which has no name associated
#  with it.
#
#  allowed values: {no, yes}
#
hostname_lookups = no

#  Core dumps are a bad thing.  This should only be set to 'yes'
#  if you're debugging a problem with the server.
#
#  allowed values: {no, yes}
#
allow_core_dumps = no

#  Regular expressions
#
#  These items are set at configure time.  If they're set to "yes",
#  then setting them to "no" turns off regular expression support.
#
#  If they're set to "no" at configure time, then setting them to "yes"
#  WILL NOT WORK.  It will give you an error.
#
regular_expressions     = yes
extended_expressions    = yes

#  Log the full User-Name attribute, as it was found in the request.
#
# allowed values: {no, yes}
#
log_stripped_names = no

#  Log authentication requests to the log file.
#
#  allowed values: {no, yes}
#
log_auth = no

#  Log passwords with the authentication requests.
#  log_auth_badpass  - logs password if it's rejected
#  log_auth_goodpass - logs password if it's correct
#
#  allowed values: {no, yes}
#
log_auth_badpass = no
log_auth_goodpass = no

# usercollide:  Turn "username collision" code on and off.  See the
# "doc/duplicate-users" file
#
#  WARNING
#  !!!!!!!  Setting this to "yes" may result in the server behaving
#  !!!!!!!  strangely.  The "username collision" code will ONLY work
#  !!!!!!!  with clear-text passwords.  Even then, it may not do what
#  !!!!!!!  you want, or what you expect.
#  !!!!!!!
#  !!!!!!!  We STRONGLY RECOMMEND that you do not use this feature,
#  !!!!!!!  and that you find another way of achieving the same goal.
#  !!!!!!!
#  !!!!!!!  e.g. module fail-over.  See 'doc/configurable_failover'
#  WARNING
#
usercollide = no

# lower_user / lower_pass:
# Lower case the username/password "before" or "after"
# attempting to authenticate.
#
#  If "before", the server will first modify the request and then try
#  to auth the user.  If "after", the server will first auth using the
#  values provided by the user.  If that fails it will reprocess the
#  request after modifying it as you specify below.
#
#  This is as close as we can get to case insensitivity.  It is the
#  admin's job to ensure that the username on the auth db side is
#  *also* lowercase to make this work
#
# Default is 'no' (don't lowercase values)
# Valid values = "before" / "after" / "no"
#
lower_user = no
lower_pass = no

# nospace_user / nospace_pass:
#
#  Some users like to enter spaces in their username or password
#  incorrectly.  To save yourself the tech support call, you can
#  eliminate those spaces here:
#
# Default is 'no' (don't remove spaces)
# Valid values = "before" / "after" / "no" (explanation above)
#
nospace_user = no
nospace_pass = no

#  The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad

# SECURITY CONFIGURATION
#
#  There may be multiple ways of attacking the server.  This
#  section holds the configuration items which minimize the impact
#  of those attacks.
#
security {
        #
        #  max_attributes: The maximum number of attributes
        #  permitted in a RADIUS packet.  Packets which have MORE
        #  than this number of attributes in them will be dropped.
        #
        #  If this number is set too low, then no RADIUS packets
        #  will be accepted.
        #
        #  If this number is set too high, then an attacker may be
        #  able to send a small number of packets which will cause
        #  the server to use all available memory on the machine.
        #
        #  Setting this number to 0 means "allow any number of attributes"
        max_attributes = 200

        #
        #  reject_delay: When sending an Access-Reject, it can be
        #  delayed for a few seconds.  This may help slow down a DoS
        #  attack.  It also helps to slow down people trying to brute-force
        #  crack a user's password.
        #
        #  Setting this number to 0 means "send rejects immediately"
        #
        #  If this number is set higher than 'cleanup_delay', then the
        #  rejects will be sent at 'cleanup_delay' time, when the request
        #  is deleted from the internal cache of requests.
        #
        #  Useful ranges: 1 to 5
        reject_delay = 1

        #
        #  status_server: Whether or not the server will respond
        #  to Status-Server requests.
        #
        #  Normally this should be set to "no", because they're useless.
        #  See: http://www.freeradius.org/rfc/rfc2865.html#Keep-Alives
        #
        #  However, certain NAS boxes may require them.
        #
        #  When sent a Status-Server message, the server responds with
        #  an Access-Accept packet, containing a Reply-Message attribute,
        #  which is a string describing how long the server has been
        #  running.
        #
        status_server = no
}
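Added example (Python, written for this page; it is not FreeRADIUS code) of the two packet-level behaviours described above: `max_attributes` in the security section and `cleanup_delay` further up. `parse_radius_packet` walks the RFC 2865 header and attribute list, rejecting bad Length fields and any packet carrying more attributes than the configured limit (0 = unlimited), and `ReplyCache` keeps a reply for `cleanup_delay` seconds so that a NAS retransmission is answered from the cache rather than processed again. The sample packets are constructed inline, not captured traffic, and the cache key (client address, Identifier, Request Authenticator) is this example's choice, not a description of the server's internals.

```python
import struct
import time

HEADER_LEN = 20          # Code(1) Identifier(1) Length(2) Authenticator(16)
MAX_PACKET_LEN = 4096    # upper bound on the Length field (RFC 2865, section 3)


class PacketError(ValueError):
    """Raised for a packet that fails the structural checks."""


def parse_radius_packet(data, max_attributes=200):
    """Parse one RADIUS packet into (code, identifier, authenticator, attrs).

    attrs is a list of (type, value_bytes). PacketError is raised for a
    malformed header or attribute, or for more than max_attributes
    attributes; 0 means "allow any number", as in radiusd.conf.
    """
    if len(data) < HEADER_LEN:
        raise PacketError("packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or length > MAX_PACKET_LEN or length > len(data):
        raise PacketError(f"bad Length field {length}")
    authenticator = data[4:HEADER_LEN]
    attrs, pos = [], HEADER_LEN
    while pos < length:                       # bytes past Length are padding
        if length - pos < 2:
            raise PacketError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise PacketError(f"attribute {atype} has bad length {alen}")
        attrs.append((atype, data[pos + 2:pos + alen]))
        if max_attributes and len(attrs) > max_attributes:
            raise PacketError(f"more than {max_attributes} attributes")
        pos += alen
    return code, ident, authenticator, attrs


def accepted(data, max_attributes=200):
    """True when the packet passes parse_radius_packet under this limit."""
    try:
        parse_radius_packet(data, max_attributes)
        return True
    except PacketError:
        return False


def build_packet(code, ident, authenticator, attrs):
    """Encode a packet from (type, value_bytes) pairs; used for the samples."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    return header + authenticator + body


class ReplyCache:
    """Keep each reply for cleanup_delay seconds, keyed by client address,
    Identifier and Request Authenticator (this example's choice of key), so a
    retransmission from the NAS is answered from the cache. The clock is
    injectable so expiry can be exercised without sleeping."""

    def __init__(self, cleanup_delay=5.0, clock=time.monotonic):
        self.cleanup_delay = cleanup_delay
        self.clock = clock
        self._entries = {}   # (client, ident, authenticator) -> (expires_at, reply)

    def _purge(self, now):
        for key in [k for k, (exp, _) in self._entries.items() if exp <= now]:
            del self._entries[key]

    def lookup(self, client, ident, authenticator):
        """Return the cached reply for a duplicate request, or None."""
        self._purge(self.clock())
        entry = self._entries.get((client, ident, authenticator))
        return entry[1] if entry else None

    def store(self, client, ident, authenticator, reply):
        expires = self.clock() + self.cleanup_delay
        self._entries[(client, ident, authenticator)] = (expires, reply)


# Constructed samples, not captured traffic: an Access-Request (code 1) with
# User-Name (1) and NAS-IP-Address (4), and one with 201 one-byte attributes.
SAMPLE_AUTH = bytes(range(16))
SAMPLE_REQUEST = build_packet(1, 7, SAMPLE_AUTH,
                              [(1, b"bob"), (4, bytes([192, 0, 2, 10]))])
FLOOD_REQUEST = build_packet(1, 8, SAMPLE_AUTH, [(1, b"x")] * 201)


def cache_demo(cleanup_delay=5.0):
    """Look up one request before it is answered, again just inside
    cleanup_delay, and again once the delay has elapsed; returns the three
    results (None, cached reply, None)."""
    now = [0.0]
    cache = ReplyCache(cleanup_delay, clock=lambda: now[0])
    first = cache.lookup("192.0.2.10", 7, SAMPLE_AUTH)        # new request
    cache.store("192.0.2.10", 7, SAMPLE_AUTH, b"Access-Accept")
    now[0] = cleanup_delay - 0.1
    retransmit = cache.lookup("192.0.2.10", 7, SAMPLE_AUTH)   # served from cache
    now[0] = cleanup_delay
    expired = cache.lookup("192.0.2.10", 7, SAMPLE_AUTH)      # entry has expired
    return first, retransmit, expired


if __name__ == "__main__":
    print(parse_radius_packet(SAMPLE_REQUEST))
    print("flood accepted:", accepted(FLOOD_REQUEST), "unlimited:", accepted(FLOOD_REQUEST, 0))
    print("cache demo:", cache_demo())
```

With the default limit the 201-attribute packet is dropped before any per-attribute work is done, which is the memory-exhaustion case the `max_attributes` comment warns about; with `max_attributes = 0` the same packet is accepted. The cache demo shows the other side of `cleanup_delay`: a retransmission arriving after the delay is indistinguishable from a new request.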

# PROXY CONFIGURATION
#
#  proxy_requests: Turns proxying of RADIUS requests on or off.
#
#  The server has proxying turned on by default.  If your system is NOT
#  set up to proxy requests to another server, then you can turn proxying
#  off here.  This will save a small amount of resources on the server.
#
#  If you have proxying turned off, and your configuration files say
#  to proxy a request, then an error message will be logged.
#
#  To disable proxying, change the "yes" to "no", and comment the
#  $INCLUDE line.
#
#  allowed values: {no, yes}
#
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf


# CLIENTS CONFIGURATION
#
#  Client configuration is defined in "clients.conf".
#

#  The 'clients.conf' file contains all of the information from the old
#  'clients' and 'naslist' configuration files.  We recommend that you
#  do NOT use 'clients' or 'naslist', although they are still
#  supported.
#
#  Anything listed in 'clients.conf' will take precedence over the
#  information from the old-style configuration files.
#
$INCLUDE  ${confdir}/clients.conf


# SNMP CONFIGURATION
#
#  Snmp configuration is only valid if SNMP support was enabled
#  at compile time.
#
#  To enable SNMP querying of the server, set the value of the
#  'snmp' attribute to 'yes'
#
snmp    = no
$INCLUDE  ${confdir}/snmp.conf


# THREAD POOL CONFIGURATION
#
#  The thread pool is a long-lived group of threads which
#  take turns (round-robin) handling any incoming requests.
#
#  You probably want to have a few spare threads around,
#  so that high-load situations can be handled immediately.  If you
#  don't have any spare threads, then the request handling will
#  be delayed while a new thread is created, and added to the pool.
#
#  You probably don't want too many spare threads around,
#  otherwise they'll be sitting there taking up resources, and
#  not doing anything productive.
#
#  The numbers given below should be adequate for most situations.
#
thread pool {
        #  Number of servers to start initially --- should be a reasonable
        #  ballpark figure.
        start_servers = 5

        #  Limit on the total number of servers running.
        #
        #  If this limit is ever reached, clients will be LOCKED OUT, so it
        #  should NOT BE SET TOO LOW.  It is intended mainly as a brake to
        #  keep a runaway server from taking the system with it as it spirals
        #  down...
        #
        #  You may find that the server is regularly reaching the
        #  'max_servers' number of threads, and that increasing
        #  'max_servers' doesn't seem to make much difference.
        #
        #  If this is the case, then the problem is MOST LIKELY that
        #  your back-end databases are taking too long to respond, and
        #  are preventing the server from responding in a timely manner.
        #
        #  The solution is NOT to keep increasing the 'max_servers'
        #  value, but instead to fix the underlying cause of the
        #  problem: slow database, or 'hostname_lookups=yes'.
        #
        #  For more information, see 'max_request_time', above.
        #
        max_servers = 32

        #  Server-pool size regulation.  Rather than making you guess
        #  how many servers you need, FreeRADIUS dynamically adapts to
        #  the load it sees, that is, it tries to maintain enough
        #  servers to handle the current load, plus a few spare
        #  servers to handle transient load spikes.
        #
        #  It does this by periodically checking how many servers are
        #  waiting for a request.  If there are fewer than
        #  min_spare_servers, it creates a new spare.  If there are
        #  more than max_spare_servers, some of the spares die off.
        #  The default values are probably OK for most sites.
        #
        min_spare_servers = 3
        max_spare_servers = 10

        #  There may be memory leaks or resource allocation problems with
        #  the server.  If so, set this value to 300 or so, so that the
        #  resources will be cleaned up periodically.
        #
        #  This should only be necessary if there are serious bugs in the
        #  server which have not yet been fixed.
        #
        #  '0' is a special value meaning 'infinity', or 'the servers never
        #  exit'
        max_requests_per_server = 0
}

# MODULE CONFIGURATION
#
#  The names and configuration of each module is located in this section.
#
#  After the modules are defined here, they may be referred to by name,
#  in other sections of this configuration file.
#
modules {
        #
        #  Each module has a configuration as follows:
        #
        #       name [ instance ] {
        #              config_item = value
        #              ...
        #       }
        #
        #  The 'name' is used to load the 'rlm_name' library
        #  which implements the functionality of the module.
        #
        #  The 'instance' is optional.  To have two different instances
        #  of a module, it first must be referred to by 'name'.
        #  The different copies of the module are then created by
        #  inventing two 'instance' names, e.g. 'instance1' and 'instance2'
        #
        #  The instance names can then be used in later configuration
        #  INSTEAD of the original 'name'.  See the 'radutmp' configuration
        #  below for an example.
        #

        # PAP module to authenticate users based on their stored password
        #
        #  Supports multiple encryption schemes
        #  clear: Clear text
        #  crypt: Unix crypt
        #    md5: MD5 encryption
        #   sha1: SHA1 encryption.
        #  DEFAULT: crypt
        pap {
                encryption_scheme = crypt
        }

        # CHAP module
        #
        #  To authenticate requests containing a CHAP-Password attribute.
        #
        chap {
                authtype = CHAP
        }

        # Pluggable Authentication Modules
        #
        #  For Linux, see:
        #       http://www.kernel.org/pub/linux/libs/pam/index.html
        #
        #  WARNING: On many systems, the system PAM libraries have
        #           memory leaks!  We STRONGLY SUGGEST that you do not
        #           use PAM for authentication, due to those memory leaks.
        #
#       pam {
                #
                #  The name to use for PAM authentication.
                #  PAM looks in /etc/pam.d/${pam_auth_name}
                #  for its configuration.  See 'redhat/radiusd-pam'
                #  for a sample PAM configuration file.
                #
                #  Note that any Pam-Auth attribute set in the 'authorize'
                #  section will over-ride this one.
                #
#              pam_auth = radiusd
#       }

        # Unix /etc/passwd style authentication
        #
#       unix {
                #
                #  Cache /etc/passwd, /etc/shadow, and /etc/group
                #
                #  The default is to NOT cache them.
                #
                #  For FreeBSD and NetBSD, you do NOT want to enable
                #  the cache, as its password lookups are done via a
                #  database, so set this value to 'no'.
                #
                #  Some systems (e.g. RedHat Linux with pam_pwbd) can
                #  take *seconds* to check a password, when the passwd
                #  file contains 1000's of entries.  For those systems,
                #  you should set the cache value to 'yes', and set
                #  the locations of the 'passwd', 'shadow', and 'group'
                #  files, below.
                #
                # allowed values: {no, yes}
#              cache = no

                # Reload the cache every 600 seconds (10mins). 0 to disable.
#              cache_reload = 600

                #
                #  Define the locations of the normal passwd, shadow, and
                #  group files.
                #
                #  'shadow' is commented out by default, because not all
                #  systems have shadow passwords.
                #
                #  To force the module to use the system password functions,
                #  instead of reading the files, leave the following entries
                #  commented out.
                #
                #  This is required for some systems, like FreeBSD,
                #  and Mac OSX.
                #
                #       passwd = /etc/passwd
#              shadow = /etc/shadow
                #       group = /etc/group

                #
                #  The location of the "wtmp" file.
                #  This should be moved to its own module soon.
                #
                #  The only use for 'radlast'.  If you don't use
                #  'radlast', then you can comment out this item.
                #
#              radwtmp = ${logdir}/radwtmp
#       }

        #  Extensible Authentication Protocol
        #
        #  For all EAP related authentications.
        #  Now in another file, because it is very large.
        #
$INCLUDE ${confdir}/eap.conf

        # Microsoft CHAP authentication

        mschap {
                #use_mppe = no
                #require_encryption = yes
                #require_strong = yes

                # !!
                authtype = MS-CHAP
                with_ntdomain_hack = yes

                # new command from http://deployingradius.com/documents/configuration/active_directory.html
                ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
        }

        # Lightweight Directory Access Protocol (LDAP)
        #

        ldap {
                server          = tfxschoolfs01.tfxschool.internal
                #login          = "cn=admin,o=tfxschool,c=US"
                #password       = mypass
                basedn          = "ou=users,dc=tfxschool,dc=com"
                # Match the posixAccount entry whose uid is the User-Name.
                # The filter must be one balanced RFC 4515 expression; an
                # AND of two items needs the leading "(&" and a single
                # closing ")" for each opening "(".
                filter          = "(&(objectClass=posixAccount)(uid=%u))"
        }
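Added example (Python, not rlm_ldap's code) for the `filter` line of the `ldap` section: a small RFC 4515 grammar check that tells a balanced, well-formed filter from a mistyped one such as `(posixAccount)(uid=%u))` (no `objectClass=`, one `)` too many), plus an `escape_filter_value` helper applied to the user name before it replaces `%u`, so that `(`, `)`, `*` and `\` in a User-Name are matched literally instead of being read as filter syntax. The filter `(&(objectClass=posixAccount)(uid=%u))` is the corrected form assumed here; whether the module escapes the substituted value on its own is not stated on the page, which is why the check is shown explicitly.

```python
import re

# attr <op> value, where a raw "(" or ")" may not appear in the value
_ITEM_RE = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*(?:=|~=|>=|<=)[^()]*")


class FilterError(ValueError):
    """Raised when a filter string is not well-formed (RFC 4515 grammar)."""


def _parse(s, i):
    """Parse one parenthesised filter starting at s[i]; return the index after it."""
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise FilterError("unterminated filter")
    if s[i] in "&|":                        # and / or: one or more sub-filters
        i += 1
        count = 0
        while i < len(s) and s[i] == "(":
            i = _parse(s, i)
            count += 1
        if count == 0:
            raise FilterError("'&' or '|' with no sub-filter")
    elif s[i] == "!":                       # not: exactly one sub-filter
        i = _parse(s, i + 1)
    else:                                   # item: attr <op> value
        j = s.find(")", i)
        if j < 0:
            raise FilterError("item without closing ')'")
        if not _ITEM_RE.fullmatch(s[i:j]):
            raise FilterError(f"bad item {s[i:j]!r}")
        i = j
    if i >= len(s) or s[i] != ")":
        raise FilterError(f"expected ')' at offset {i}")
    return i + 1


def validate_filter(s):
    """Return True if s is one complete, balanced filter; raise FilterError otherwise."""
    end = _parse(s, 0)
    if end != len(s):
        raise FilterError(f"trailing text {s[end:]!r}")
    return True


def filter_is_valid(s):
    """Boolean form of validate_filter, for callers that do not want exceptions."""
    try:
        return validate_filter(s)
    except FilterError:
        return False


def escape_filter_value(value):
    """Escape a value for use inside a filter (RFC 4515, section 3): the
    characters * ( ) \\ and NUL become \\XX, as do the UTF-8 bytes of
    non-ASCII text."""
    out = []
    for ch in value:
        if ch in "*()\\\x00" or ord(ch) > 0x7F:
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(template, user_name):
    """Substitute the escaped user name for %u and check the result."""
    f = template.replace("%u", escape_filter_value(user_name))
    validate_filter(f)
    return f


# A hand-typed filter of the broken kind (missing objectClass=, one ")" too
# many) beside the corrected form assumed in this example.
BROKEN_FILTER = "(posixAccount)(uid=%u))"
CORRECTED_FILTER = "(&(objectClass=posixAccount)(uid=%u))"

if __name__ == "__main__":
    print(BROKEN_FILTER, "valid:", filter_is_valid(BROKEN_FILTER))
    print(build_filter(CORRECTED_FILTER, "bob"))
    print(build_filter(CORRECTED_FILTER, "r.smith (contractor)"))
```

Running the check against a configuration before deploying it catches the unbalanced filter at edit time rather than as a failed bind for every user; the escaping step is what keeps a User-Name that legitimately contains parentheses, such as `r.smith (contractor)`, from changing the shape of the search.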

        # Realm module, for proxying.
        #

        #  'realm/username'
        #
        #  Using this entry, IPASS users have their realm set to "IPASS".
        realm IPASS {
                format = prefix
                delimiter = "/"
                ignore_default = no
                ignore_null = no
        }

        #  'username@realm'
        #
        realm suffix {
                format = suffix
                delimiter = "@"
                ignore_default = no
                ignore_null = no
        }

        #  'username%realm'
        #
        realm realmpercent {
                format = suffix
                delimiter = "%"
                ignore_default = no
                ignore_null = no
        }

        #
        #  'domain\user'
        #
        realm ntdomain {
                format = prefix
                delimiter = "\\"
                ignore_default = no
                ignore_null = no
        }
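Added example (Python, not the rlm_realm module's code) of how the four `realm` instances above split a User-Name into a Stripped-User-Name and a Realm, run over constructed sample names. Assumptions made here that the page does not state: `prefix` splits at the first delimiter and `suffix` at the last, the instances are tried in configuration order with the first match winning, and an empty user or realm part counts as no match. The `"\\"` delimiter of `ntdomain` is a single backslash once the configuration file's own escaping is applied.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class RealmInstance:
    """One 'realm <name> { format = ...; delimiter = ... }' instance."""
    name: str
    format: str      # "prefix": realm<delim>user    "suffix": user<delim>realm
    delimiter: str   # a single character; the config's "\\" is one backslash

    def split(self, user_name: str) -> Optional[Tuple[str, str]]:
        """Return (stripped_user, realm), or None when this instance does not apply.

        Assumption of this example: prefix formats split at the FIRST delimiter,
        suffix formats at the LAST one, so 'a@b@c' gives user 'a@b', realm 'c'.
        """
        if self.format == "prefix":
            idx = user_name.find(self.delimiter)
            if idx < 0:
                return None
            realm, user = user_name[:idx], user_name[idx + 1:]
        elif self.format == "suffix":
            idx = user_name.rfind(self.delimiter)
            if idx < 0:
                return None
            user, realm = user_name[:idx], user_name[idx + 1:]
        else:
            raise ValueError(f"unknown format {self.format!r}")
        if not user or not realm:
            return None      # empty user or realm: treated as no match here
        return user, realm


# The four instances from the configuration above, in configuration order.
REALM_INSTANCES = [
    RealmInstance("IPASS", "prefix", "/"),
    RealmInstance("suffix", "suffix", "@"),
    RealmInstance("realmpercent", "suffix", "%"),
    RealmInstance("ntdomain", "prefix", "\\"),
]


def strip_realm(user_name, instances=REALM_INSTANCES):
    """Try the instances in order; the first whose delimiter is present wins
    (an assumption of this example). Returns (Stripped-User-Name, Realm,
    instance name); the last two are None for a name that carries no realm."""
    for inst in instances:
        hit = inst.split(user_name)
        if hit:
            return hit[0], hit[1], inst.name
    return user_name, None, None


if __name__ == "__main__":
    # Constructed sample names covering each instance plus two ambiguous ones.
    for name in ["IPASS/alice", "alice@example.com", "alice%example.com",
                 "CORP\\alice", "alice", "IPASS/alice@example.com",
                 "alice@partner.example@home.example"]:
        print(f"{name:38} -> {strip_realm(name)}")
```

The last two samples are the ones worth checking against proxy.conf: because `IPASS` is listed first, `IPASS/alice@example.com` is routed on realm `IPASS` with `alice@example.com` left as the user, and because `suffix` splits at the last `@`, `alice@partner.example@home.example` is routed to `home.example`, not `partner.example`. The realm that comes out of this step is the one the proxy decision is made on, so the order of the instances and the choice of delimiter position decide which home server sees the request.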
  728.  
  729.         #  A simple value checking module
  730.         #
  731.         #  It can be used to check if an attribute value in the request
  732.         #  matches a (possibly multi valued) attribute in the check
  733.         #  items This can be used for example for caller-id
  734.         #  authentication.  For the module to run, both the request
  735.         #  attribute and the check items attribute must exist
  736.         #
  737.         #  i.e.
  738.         #  A user has an ldap entry with 2 radiusCallingStationId
  739.         #  attributes with values "12345678" and "12345679".  If we
  740.         #  enable rlm_checkval, then any request which contains a
  741.         #  Calling-Station-Id with one of those two values will be
  742.         #  accepted.  Requests with other values for
  743.         #  Calling-Station-Id will be rejected.
  744.         #
  745.         #  Regular expressions in the check attribute value are allowed
  746.         #  as long as the operator is '=~'
  747.         #
  748.         checkval {
  749.                 # The attribute to look for in the request
  750.                 item-name = Calling-Station-Id
  751.  
  752.                 # The attribute to look for in check items. Can be multi valued
  753.                 check-name = Calling-Station-Id
  754.  
  755.                 # The data type. Can be
  756.                 # string,integer,ipaddr,date,abinary,octets
  757.                 data-type = string
  758.  
  759.                 # If set to yes and we don't find the item-name attribute in the
  760.                 # request then we send back a reject.
  761.                 # DEFAULT is no
  762.                 #notfound-reject = no
  763.         }
  764.        
  765.         # Preprocess the incoming RADIUS request, before handing it off
  766.         # to other modules.
  767.         #
  768.         #  This module processes the 'huntgroups' and 'hints' files.
  769.         #  In addition, it re-writes some weird attributes created
  770.         #  by some NASes, and converts the attributes into a form which
  771.         #  is a little more standard.
  772.         #
  773.         preprocess {
  774.                 huntgroups = ${confdir}/huntgroups
  775.                 hints = ${confdir}/hints
  776.  
  777.                 # This hack changes Ascend's weird port numberings
  778.                 # to standard 0-??? port numbers so that the "+" works
  779.                 # for IP address assignments.
  780.                 with_ascend_hack = no
  781.                 ascend_channels_per_line = 23
  782.  
  783.                 # Windows NT machines often authenticate themselves as
  784.                 # NT_DOMAIN\username
  785.                 #
  786.                 # If this is set to 'yes', then the NT_DOMAIN portion
  787.                 # of the user-name is silently discarded.
  788.                 #
  789.                 # This configuration entry SHOULD NOT be used.
  790.                 # See the "realms" module for a better way to handle
  791.                 # NT domains.
  792.                 with_ntdomain_hack = no
  793.  
  794.                 # Specialix Jetstream 8500 24 port access server.
  795.                 #
  796.                 # If the user name is 10 characters or longer, a "/"
  797.                 # and the excess characters after the 10th are
  798.                 # appended to the user name.
  799.                 #
  800.                 # If you're not running that NAS, you don't need
  801.                 # this hack.
  802.                 with_specialix_jetstream_hack = no
  803.  
  804.                 # Cisco (and Quintum in Cisco mode) sends its VSA attributes
  805.                 # with the attribute name *again* in the string, like:
  806.                 #
  807.                 #   H323-Attribute = "h323-attribute=value".
  808.                 #
  809.                 # If this configuration item is set to 'yes', then
  810.                 # the redundant data in the attribute text is stripped
  811.                 # out.  The result is:
  812.                 #
  813.                 #  H323-Attribute = "value"
  814.                 #
  815.                 # If you're not running a Cisco or Quintum NAS, you don't
  816.                 # need this hack.
  817.                 with_cisco_vsa_hack = no
  818.         }
  819.  
  820.         # Livingston-style 'users' file
  821.         #
  822.         files {
  823.                 usersfile = ${confdir}/users
  824.                 acctusersfile = ${confdir}/acct_users
  825.                 preproxy_usersfile = ${confdir}/preproxy_users
  826.  
  827.                 #  If you want to use the old Cistron 'users' file
  828.                 #  with FreeRADIUS, you should change the next line
  829.                 #  to 'compat = cistron'.  You can then copy your 'users'
  830.                 #  file from Cistron.
  831.                 compat = no
  832.         }
  833.  
  834.         # Write a detailed log of all accounting records received.
  835.         #
  836.         detail {
  837.  
  838.                 detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
  839.                 detailperm = 0600
  840.         }
  841.  
  842.  
  843.         acct_unique {
  844.                 key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  845.         }
  846.  
  847.         #  Write a 'utmp' style file, of which users are currently
  848.         #  logged in, and where they've logged in from.
  849.         #
  850.         #  This file is used mainly for Simultaneous-Use checking,
  851.         #  and also 'radwho', to see who's currently logged in.
  852.         #
  853.         radutmp {
  854.                 filename = ${logdir}/radutmp
  855.                 username = %{User-Name}
  856.                 case_sensitive = yes
  857.                 check_with_nas = yes       
  858.                 perm = 0600
  859.                 callerid = "yes"
  860.         }
  861.  
  862.         # "Safe" radutmp - does not contain caller ID, so it can be
  863.         # world-readable, and radwho can work for normal users, without
  864.         # exposing any information that isn't already exposed by who(1).
  865.         #
  866.         radutmp sradutmp {
  867.                 filename = ${logdir}/sradutmp
  868.                 perm = 0644
  869.                 callerid = "no"
  870.         }
  871.  
  872.         # attr_filter - filters the attributes received in replies from
  873.         # proxied servers, to make sure we send back to our RADIUS client
  874.         # only allowed attributes.
  875.         attr_filter {
  876.                 attrsfile = ${confdir}/attrs
  877.         }
  878.  
  879.         #  counter module:
  880.         counter daily {
  881.                 filename = ${raddbdir}/db.daily
  882.                 key = User-Name
  883.                 count-attribute = Acct-Session-Time
  884.                 reset = daily
  885.                 counter-name = Daily-Session-Time
  886.                 check-name = Max-Daily-Session
  887.                 allowed-servicetype = Framed-User
  888.                 cache-size = 5000
  889.         }
  890.  
  891.         #
  892.         #  This module is an SQL enabled version of the counter module.
  893.         #
  894.         sqlcounter dailycounter {
  895.                 counter-name = Daily-Session-Time
  896.                 check-name = Max-Daily-Session
  897.                 sqlmod-inst = sql
  898.                 key = User-Name
  899.                 reset = daily
  900.  
  901.                 # This query properly handles calls that span from the
  902.                 # previous reset period into the current period but
  903.                 # involves more work for the SQL server than those
  904.                 # below
  905.                 # For mysql:
  906.                 query = "SELECT SUM(AcctSessionTime - \
  907.                  GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
  908.                  FROM radacct WHERE UserName='%{%k}' AND \
  909.                  UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
  910.  
  911.                 # For postgresql:
  912. #              query = "SELECT SUM(AcctSessionTime - \
  913. #                GREATEST((%b - AcctStartTime::ABSTIME::INT4), 0)) \
  914. #                FROM radacct WHERE UserName='%{%k}' AND \
  915. #                AcctStartTime::ABSTIME::INT4 + AcctSessionTime > '%b'"
  916.  
  917.                 # This query ignores calls that started in a previous
  918.                 # reset period and continue into this one. But it
  919.                 # is a little easier on the SQL server
  920.                 # For mysql:
  921. #              query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \
  922. #                UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"
  923.  
  924.                 # For postgresql:
  925. #              query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \
  926. #                UserName='%{%k}' AND AcctStartTime::ABSTIME::INT4 > '%b'"
  927.  
  928.                 # This query is the same as above, but demonstrates an
  929.                 # additional counter parameter '%e' which is the
  930.                 # timestamp for the end of the period
  931.                 # For mysql:
  932. #              query = "SELECT SUM(AcctSessionTime) FROM radacct \
  933. #                WHERE UserName='%{%k}' AND AcctStartTime BETWEEN \
  934. #                FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"
  935.  
  936.                 # For postgresql:
  937. #              query = "SELECT SUM(AcctSessionTime) FROM radacct \
  938. #                WHERE UserName='%{%k}' AND AcctStartTime::ABSTIME::INT4 \
  939. #                BETWEEN '%b' AND '%e'"
  940.         }
  941.  
  942.         sqlcounter monthlycounter {
  943.                 counter-name = Monthly-Session-Time
  944.                 check-name = Max-Monthly-Session
  945.                 sqlmod-inst = sql
  946.                 key = User-Name
  947.                 reset = monthly
  948.  
  949.                 # This query properly handles calls that span from the
  950.                 # previous reset period into the current period but
  951.                 # involves more work for the SQL server than those
  952.                 # below
  953.                 # The same notes above about the differences between mysql
  954.                 # versus postgres queries apply here.
  955.                 query = "SELECT SUM(AcctSessionTime - \
  956.                  GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
  957.                  FROM radacct WHERE UserName='%{%k}' AND \
  958.                  UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
  959.  
  960.                 # This query ignores calls that started in a previous
  961.                 # reset period and continue into this one. But it
  962.                 # is a little easier on the SQL server
  963. #              query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \
  964. #                UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"
  965.  
  966.                 # This query is the same as above, but demonstrates an
  967.                 # additional counter parameter '%e' which is the
  968.                 # timestamp for the end of the period
  969. #              query = "SELECT SUM(AcctSessionTime) FROM radacct \
  970. #                WHERE UserName='%{%k}' AND AcctStartTime BETWEEN \
  971. #                FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"
  972.         }
  973.  
  974.         #
  975.         # The "always" module is here for debugging purposes. Each
  976.         # instance simply returns the same result, always, without
  977.         # doing anything.
  978.         always fail {
  979.                 rcode = fail
  980.         }
  981.         always reject {
  982.                 rcode = reject
  983.         }
  984.         always ok {
  985.                 rcode = ok
  986.                 simulcount = 0
  987.                 mpp = no
  988.         }
  989.  
  990.         #
  991.         #  The 'expression' module currently has no configuration.
  992.         #
  993.         #  This module is useful only for 'xlat'.  To use it,
  994.         #  put 'expr' into the 'instantiate' section.  You can then
  995.         #  do dynamic translation of attributes like:
  996.         #
  997.         #  Attribute-Name = `%{expr:2 + 3 + %{exec: id -u}}`
  998.         #
  999.         #  The value of the attribute will be replaced with the output
  1000.         #  of the program which is executed.  Due to RADIUS protocol
  1001.         #  limitations, any output over 253 bytes will be ignored.
  1002.         expr {
  1003.         }
  1004.  
  1005.         #
  1006.         #  The 'digest' module currently has no configuration.
  1007.         #
  1008.         #  "Digest" authentication against a Cisco SIP server.
  1009.         #  See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
  1010.         #  on performing digest authentication for Cisco SIP servers.
  1011.         #
  1012.         digest {
  1013.         }
  1014.  
  1015.         #
  1016.         #  Execute external programs
  1017.         #
  1018.         #  This module is useful only for 'xlat'.  To use it,
  1019.         #  put 'exec' into the 'instantiate' section.  You can then
  1020.         #  do dynamic translation of attributes like:
  1021.         #
  1022.         #  Attribute-Name = `%{exec:/path/to/program args}`
  1023.         #
  1024.         #  The value of the attribute will be replaced with the output
  1025.         #  of the program which is executed.  Due to RADIUS protocol
  1026.         #  limitations, any output over 253 bytes will be ignored.
  1027.         #
  1028.         #  The RADIUS attributes from the user request will be placed
  1029.         #  into environment variables of the executed program, as
  1030.         #  described in 'doc/variables.txt'
  1031.         #
  1032.         exec {
  1033.                 wait = yes
  1034.                 input_pairs = request
  1035.         }
  1036.  
  1037.         #
  1038.         #  This is a more general example of the execute module.
  1039.         #
  1040.         #  This one is called "echo".
  1041.         #
  1042.         #  Attribute-Name = `%{echo:/path/to/program args}`
  1043.         #
  1044.         #  If you wish to execute an external program in more than
  1045.         #  one section (e.g. 'authorize', 'pre_proxy', etc), then it
  1046.         #  is probably best to define a different instance of the
  1047.         #  'exec' module for every section.     
  1048.         #       
  1049.         exec echo {
  1050.                 #
  1051.                 #  Wait for the program to finish.
  1052.                 #
  1053.                 #  If we do NOT wait, then the program is "fire and
  1054.                 #  forget", and any output attributes from it are ignored.
  1055.                 #
  1056.                 #  If we are looking for the program to output
  1057.                 #  attributes, and want to add those attributes to the
  1058.                 #  request, then we MUST wait for the program to
  1059.                 #  finish, and therefore set 'wait=yes'
  1060.                 #
  1061.                 # allowed values: {no, yes}
  1062.                 wait = yes
  1063.  
  1064.                 #
  1065.                 #  The name of the program to execute, and its
  1066.                 #  arguments.  Dynamic translation is done on this
  1067.                 #  field, so things like the following example will
  1068.                 #  work.
  1069.                 #
  1070.                 program = "/bin/echo %{User-Name}"
  1071.  
  1072.                 #
  1073.                 #  The attributes which are placed into the
  1074.                 #  environment variables for the program.
  1075.                 #
  1076.                 #  Allowed values are:
  1077.                 #
  1078.                 #       request        attributes from the request
  1079.                 #       config         attributes from the configuration items list
  1080.                 #       reply          attributes from the reply
  1081.                 #       proxy-request  attributes from the proxy request
  1082.                 #       proxy-reply    attributes from the proxy reply
  1083.                 #
  1084.                 #  Note that some attributes may not exist at some
  1085.                 #  stages.  e.g. There may be no proxy-reply
  1086.                 #  attributes if this module is used in the
  1087.                 #  'authorize' section.
  1088.                 #
  1089.                 input_pairs = request
  1090.  
  1091.                 #
  1092.                 #  Where to place the output attributes (if any) from
  1093.                 #  the executed program.  The values allowed, and the
  1094.                 #  restrictions as to availability, are the same as
  1095.                 #  for the input_pairs.
  1096.                 #
  1097.                 output_pairs = reply
  1098.  
  1099.                 #
  1100.                 #  When to execute the program.  If the packet
  1101.                 #  type does NOT match what's listed here, then
  1102.                 #  the module does NOT execute the program.
  1103.                 #
  1104.                 #  For a list of allowed packet types, see
  1105.                 #  the 'dictionary' file, and look for VALUEs
  1106.                 #  of the Packet-Type attribute.
  1107.                 #
  1108.                 #  By default, the module executes on ANY packet.
  1109.                 #  Un-comment the following line to tell the
  1110.                 #  module to execute only if an Access-Accept is
  1111.                 #  being sent to the NAS.
  1112.                 #
  1113.                 #packet_type = Access-Accept
  1114.         }
  1115.  
  1116.         #  Do server side ip pool management. Should be added in post-auth and
  1117.         #  accounting sections.
  1118.         #
  1119.         #  The module also requires the existence of the Pool-Name
  1120.         #  attribute. That way the administrator can add the Pool-Name
  1121.         #  attribute in the user profiles and use different pools
  1122.         #  for different users. The Pool-Name attribute is a *check* item not
  1123.         #  a reply item.
  1124.         #
  1125.         # Example:
  1126.         # radiusd.conf: ippool students { [...] }
  1127.         # users file  : DEFAULT Group == students, Pool-Name := "students"
  1128.         #
  1129.         # ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST *********
  1130.         # ********* THEN ERASE THE DB FILES                     *********
  1131.         #
  1132.         ippool main_pool {
  1133.  
  1134.                 #  range-start,range-stop: The start and end ip
  1135.                 #  addresses for the ip pool
  1136.                 range-start = 192.168.1.1
  1137.                 range-stop = 192.168.3.254
  1138.  
  1139.                 #  netmask: The network mask used for the ip's
  1140.                 netmask = 255.255.255.0
  1141.  
  1142.                 #  cache-size: The gdbm cache size for the db
  1143.                 #  files. Should be equal to the number of ip's
  1144.                 #  available in the ip pool
  1145.                 cache-size = 800
  1146.  
  1147.                 # session-db: The main db file used to allocate ip's to clients
  1148.                 session-db = ${raddbdir}/db.ippool
  1149.  
  1150.                 # ip-index: Helper db index file used in multilink
  1151.                 ip-index = ${raddbdir}/db.ipindex
  1152.  
  1153.                 # override: Will this ippool override a Framed-IP-Address already set
  1154.                 override = no
  1155.  
  1156.                 # maximum-timeout: If not zero specifies the maximum time in seconds an
  1157.                 # entry may be active. Default: 0
  1158.                 maximum-timeout = 0
  1159.         }
  1160.  
  1161.         # $INCLUDE  ${confdir}/sqlippool.conf
  1162.  
  1163.         # OTP token support.  Not included by default.
  1164.         # $INCLUDE  ${confdir}/otp.conf
  1165.         exec ntlm_auth {
  1166.                 #  wait = yes: the exit status of ntlm_auth is the authentication result.
  1167.                 wait = yes
  1168.                 program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
  1169.         }
  1170. }
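The sqlcounter instances above offer three query styles that differ in which sessions count toward the current reset period. The following is an added example, not part of this configuration or of FreeRADIUS, that replays the three MySQL queries against a constructed radacct table in an in-memory SQLite database (AcctStartTime is stored as a Unix timestamp, so UNIX_TIMESTAMP() drops out and GREATEST() becomes SQLite's MAX()); the session rows, the period boundaries and the limit check are all constructed for the example.

```python
import sqlite3

# Period boundaries sqlcounter substitutes for %b (start) and %e (end of period).
PERIOD_START = 1_000_000
PERIOD_END = PERIOD_START + 86399

# Constructed radacct rows: (UserName, AcctStartTime as Unix time, AcctSessionTime seconds).
SAMPLE_RADACCT = [
    ("alice", PERIOD_START - 3600, 7200),   # started 1h before the reset, ran 1h into it
    ("alice", PERIOD_START + 1000, 1800),   # entirely inside the period
    ("alice", PERIOD_START - 10000, 5000),  # ended before the reset: never counts
    ("alice", PERIOD_END + 10, 600),        # started after %e (late or skewed record)
    ("bob", PERIOD_START + 500, 999),       # another user: filtered out by the key
]

# SQLite renderings of the three MySQL queries. AcctStartTime is already a Unix
# timestamp, so UNIX_TIMESTAMP()/FROM_UNIXTIME() drop out and GREATEST(x, 0) is MAX(x, 0).
# radiusd.conf interpolates %{%k}, %b and %e into the string; here they are bound parameters.
QUERIES = {
    # 1. Credits only the part of a spanning session that falls after %b.
    "spanning": (
        "SELECT SUM(AcctSessionTime - MAX(? - AcctStartTime, 0)) FROM radacct "
        "WHERE UserName = ? AND AcctStartTime + AcctSessionTime > ?",
        lambda user, b, e: (b, user, b),
    ),
    # 2. Cheaper: sessions that started after %b; spanning sessions are ignored.
    "started_after": (
        "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName = ? AND AcctStartTime > ?",
        lambda user, b, e: (user, b),
    ),
    # 3. As 2, but also bounded above by %e.
    "between": (
        "SELECT SUM(AcctSessionTime) FROM radacct "
        "WHERE UserName = ? AND AcctStartTime BETWEEN ? AND ?",
        lambda user, b, e: (user, b, e),
    ),
}


def build_radacct(rows=SAMPLE_RADACCT):
    """In-memory radacct table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (UserName TEXT, AcctStartTime INTEGER, AcctSessionTime INTEGER)")
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?)", rows)
    return conn


def counter_value(conn, style, user, period_start=PERIOD_START, period_end=PERIOD_END):
    """Seconds the chosen query style attributes to `user` in the current period."""
    sql, params = QUERIES[style]
    (total,) = conn.execute(sql, params(user, period_start, period_end)).fetchone()
    return total or 0      # SUM() over no rows is NULL: no usage yet


def check_limit(conn, style, user, max_session):
    """sqlcounter's decision, modelled: compare usage with the check item
    (Max-Daily-Session / Max-Monthly-Session). Returns (rcode, remaining seconds)."""
    used = counter_value(conn, style, user)
    remaining = max_session - used
    return ("reject" if remaining <= 0 else "ok"), remaining


if __name__ == "__main__":
    db = build_radacct()
    for style in QUERIES:
        print(f"{style:14s} alice used {counter_value(db, style, 'alice'):5d}s")
```

The spanning query credits alice with the hour that ran past the reset, the other two silently drop that hour, and only the BETWEEN form excludes the record that started after the period ended.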
  1171.  
  1172. # Instantiation
  1173. #
  1174. #  This section orders the loading of the modules.  Modules
  1175. #  listed here will get loaded BEFORE the later sections like
  1176. #  authorize, authenticate, etc. get examined.
  1177. #
  1178. #  This section is not strictly needed.  When a section like
  1179. #  authorize refers to a module, it's automatically loaded and
  1180. #  initialized.  However, some modules may not be listed in any
  1181. #  of the following sections, so they can be listed here.
  1182. #
  1183. #  Also, listing modules here ensures that you have control over
  1184. #  the order in which they are initialized.  If one module needs
  1185. #  something defined by another module, you can list them in order
  1186. #  here, and ensure that the configuration will be OK.
  1187. #
  1188. instantiate {
  1189.         #
  1190.         #  Allows the execution of external scripts.
  1191.         #  The entire command line (and output) must fit into 253 bytes.
  1192.         #
  1193.         #  e.g. Framed-Pool = `%{exec:/bin/echo foo}`
  1194.         exec
  1195.  
  1196.         #
  1197.         #  The expression module doesn't do authorization,
  1198.         #  authentication, or accounting.  It only does dynamic
  1199.         #  translation, of the form:
  1200.         #
  1201.         #       Session-Timeout = `%{expr:2 + 3}`
  1202.         #
  1203.         #  So the module needs to be instantiated, but CANNOT be
  1204.         #  listed in any other section.  See 'doc/rlm_expr' for
  1205.         #  more information.
  1206.         #
  1207.         expr
  1208.  
  1209.         #
  1210.         # We add the counter module here so that it registers
  1211.         # the check-name attribute before any module which sets
  1212.         # it
  1213. #       daily
  1214. }
  1215.  
  1216. #  Authorization. First preprocess (hints and huntgroups files),
  1217. #  then realms, and finally look in the "users" file.
  1218. #
  1219. #  The order of the realm modules will determine the order that
  1220. #  we try to find a matching realm.
  1221. #
  1222. #  Make *sure* that 'preprocess' comes before any realm if you
  1223. #  need to setup hints for the remote radius server
  1224. authorize {
  1225.         #
  1226.         #  The preprocess module takes care of sanitizing some bizarre
  1227.         #  attributes in the request, and turning them into attributes
  1228.         #  which are more standard.
  1229.         #
  1230.         #  It takes care of processing the 'raddb/hints' and the
  1231.         #  'raddb/huntgroups' files.
  1232.         #
  1233.         #  It also adds the %{Client-IP-Address} attribute to the request.
  1234.         preprocess
  1235.  
  1236.         #
  1237.         #  If you want to have a log of authentication requests,
  1238.         #  un-comment the following line, and the 'detail auth_log'
  1239.         #  section, above.
  1240. #       auth_log
  1241.        
  1242. #       attr_filter
  1243.  
  1244.         #
  1245.         #  The chap module will set 'Auth-Type := CHAP' if we are
  1246.         #  handling a CHAP request and Auth-Type has not already been set
  1247.         chap
  1248.  
  1249.         #
  1250.         #  If the users are logging in with an MS-CHAP-Challenge
  1251.         #  attribute for authentication, the mschap module will find
  1252.         #  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
  1253.         #  to the request, which will cause the server to then use
  1254.         #  the mschap module for authentication.
  1255.         mschap
  1256.  
  1257.         #
  1258.         #  If you have a Cisco SIP server authenticating against
  1259.         #  FreeRADIUS, uncomment the following line, and the 'digest'
  1260.         #  line in the 'authenticate' section.
  1261. #       digest
  1262.  
  1263.         #
  1264.         #  Look for IPASS style 'realm/', and if not found, look for
  1265.         #  'user@domain', and decide whether or not to proxy, based on
  1266.         #  that.
  1267. #       IPASS
  1268.  
  1269.         #
  1270.         #  If you are using multiple kinds of realms, you probably
  1271.         #  want to set "ignore_null = yes" for all of them.
  1272.         #  Otherwise, when the first style of realm doesn't match,
  1273.         #  the other styles won't be checked.
  1274.         #
  1275.         suffix
  1276. #       ntdomain
  1277.  
  1278.         #
  1279.         #  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
  1280.         #  authentication.
  1281.         #
  1282.         #  It also sets the EAP-Type attribute in the request
  1283.         #  attribute list to the EAP type from the packet.
  1284.         eap
  1285.  
  1286.         #
  1287.         #  Read the 'users' file
  1288.         files
  1289.  
  1290.         #
  1291.         #  Look in an SQL database.  The schema of the database
  1292.         #  is meant to mirror the "users" file.
  1293.         #
  1294.         #  See "Authorization Queries" in sql.conf
  1295. #       sql
  1296.  
  1297.         #
  1298.         #  If you are using /etc/smbpasswd, and are also doing
  1299.         #  mschap authentication, then un-comment this line, and
  1300.         #  configure the 'etc_smbpasswd' module, above.
  1301. #       etc_smbpasswd
  1302.  
  1303.         #
  1304.         #  The ldap module will set Auth-Type to LDAP if it has not
  1305.         #  already been set
  1306. #       ldap
  1307.  
  1308.         #
  1309.         #  Enforce daily limits on time spent logged in.
  1310. #       daily
  1311.  
  1312.         #
  1313.         # Use the checkval module
  1314. #       checkval
  1315. }
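The realm instances declared in the modules section and the ignore_null note in authorize above describe one mechanism: the realm modules run in the listed order, and with ignore_null = no the first instance that finds no delimiter still claims the request. This added example (not from FreeRADIUS or this configuration) models that chain in Python; the split rules (last delimiter for suffix formats, first for prefix) and the rule that a claimed request makes later instances return noop are assumptions of the model, taken from the comments above.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RealmInstance:
    """One 'realm' module instance as declared in the modules section."""
    name: str          # instance name as listed in authorize
    format: str        # "suffix": realm after the delimiter; "prefix": realm before it
    delimiter: str
    ignore_null: bool  # no delimiter found: True -> noop, False -> claim the NULL realm


# The three instances from this radiusd.conf, all with ignore_null = no.
SUFFIX = RealmInstance("suffix", "suffix", "@", ignore_null=False)
REALMPERCENT = RealmInstance("realmpercent", "suffix", "%", ignore_null=False)
NTDOMAIN = RealmInstance("ntdomain", "prefix", "\\", ignore_null=False)
# The variant the authorize comment recommends when several styles are active.
LENIENT_SUFFIX = replace(SUFFIX, ignore_null=True)


def split_username(inst, username):
    """Return (stripped_user, realm), or None when the delimiter is absent.
    Suffix formats split at the last delimiter, prefix formats at the first
    (an assumption modelled on rlm_realm), so 'a@b@example.com' keeps 'a@b'."""
    if inst.format == "suffix":
        pos = username.rfind(inst.delimiter)
    else:
        pos = username.find(inst.delimiter)
    if pos < 0:
        return None
    if inst.format == "suffix":
        return username[:pos], username[pos + 1:]
    return username[pos + 1:], username[:pos]


def run_realm(inst, request):
    """One realm module call over `request` (a dict of attributes); returns the rcode.
    Simplified model (an assumption of this example): the first instance that decides
    anything sets request['Realm'] and every later instance then returns 'noop'. With
    ignore_null = no a missing delimiter is itself a decision (the NULL realm), which
    is why the authorize comment says the other styles are never checked."""
    if "Realm" in request:
        return "noop"
    parts = split_username(inst, request["User-Name"])
    if parts is None:
        if inst.ignore_null:
            return "noop"
        request["Realm"] = "NULL"
        return "ok"
    request["Stripped-User-Name"], request["Realm"] = parts
    return "ok"


def authorize_realms(username, chain):
    """Run the realm instances in authorize order and return the request attributes."""
    request = {"User-Name": username}
    for inst in chain:
        run_realm(inst, request)
    return request


if __name__ == "__main__":
    for chain in ([SUFFIX, NTDOMAIN], [LENIENT_SUFFIX, NTDOMAIN]):
        print([i.name for i in chain], authorize_realms("MYDOMAIN\\bob", chain))
```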
  1316.  
  1317.  
  1318. #  Authentication.
  1319. #
  1320. #
  1321. #  This section lists which modules are available for authentication.
  1322. #  Note that it does NOT mean 'try each module in order'.  It means
  1323. #  that a module from the 'authorize' section adds a configuration
  1324. #  attribute 'Auth-Type := FOO'.  That authentication type is then
  1325. #  used to pick the appropriate module from the list below.
  1326. #
  1327.  
  1328. #  In general, you SHOULD NOT set the Auth-Type attribute.  The server
  1329. #  will figure it out on its own, and will do the right thing.  The
  1330. #  most common side effect of erroneously setting the Auth-Type
  1331. #  attribute is that one authentication method will work, but the
  1332. #  others will not.
  1333. #
  1334. #  The common reasons to set the Auth-Type attribute by hand
  1335. #  are to either forcibly reject the user, or forcibly accept them.
  1336. #
  1337. authenticate {
  1338.         ntlm_auth
  1339.         eap
  1340.         Auth-Type MS-CHAP {
  1341.                 mschap
  1342.         }
  1343.         Auth-Type CHAP {
  1344.                 chap
  1345.         }
  1346.         ldap
  1347. }
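The exec instances above (including ntlm_auth, listed in authenticate here) rely on one contract with the program they run: request attributes arrive as environment variables, 'Attribute = value' lines on stdout become output_pairs, and the exit status is the module result, but only when wait = yes. This added example (not FreeRADIUS code) drives a small stand-in program both ways; the attribute-to-environment naming (upper case, '-' replaced by '_', as described in doc/variables.txt), the stand-in's toy policy and the model's rule that a fire-and-forget call can never fail are assumptions of the example.

```python
import os
import subprocess
import sys
import tempfile
import textwrap

# Stand-in for the external program (constructed for this example). It reads the
# request attributes rlm_exec exports as environment variables, prints reply attributes
# in the "Attribute = value" form used for output_pairs, and reports its decision
# through the exit status: 0 is success, anything else is a failure.
HELPER_SOURCE = textwrap.dedent("""\
    import os, sys
    user = os.environ.get("USER_NAME", "")
    station = os.environ.get("CALLING_STATION_ID", "")
    # Toy policy for the example: one user from one known caller id.
    if user == "alice" and station == "12345678":
        print('Reply-Message = "welcome alice"')
        print("Session-Timeout = 3600")
        sys.exit(0)
    print('Reply-Message = "access denied"')
    sys.exit(1)
""")

FORGOTTEN = []   # children started with wait=False, kept only so the example can reap them


def attrs_to_env(attrs):
    """Export request attributes as doc/variables.txt describes (assumed here:
    name upper-cased, '-' replaced by '_'), on top of a minimal environment."""
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    for name, value in attrs.items():
        env[name.upper().replace("-", "_")] = str(value)
    return env


def parse_output_pairs(stdout):
    """Turn 'Attribute = value' lines into a dict, stripping the value's quotes."""
    pairs = {}
    for line in stdout.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            pairs[name.strip()] = value.strip().strip('"')
    return pairs


def run_exec(program, attrs, wait=True):
    """Model of one rlm_exec call (an assumption of this example, built on the 'wait'
    comment above). wait=True: the exit status decides the rcode and stdout becomes the
    output pairs. wait=False: fire and forget, so there is no status to honour and the
    call cannot fail, whatever the program decided."""
    env = attrs_to_env(attrs)
    if not wait:
        FORGOTTEN.append(subprocess.Popen([sys.executable, program], env=env,
                                          stdout=subprocess.DEVNULL,
                                          stderr=subprocess.DEVNULL))
        return "ok", {}
    proc = subprocess.run([sys.executable, program], env=env,
                          capture_output=True, text=True, timeout=10)
    return ("ok" if proc.returncode == 0 else "reject"), parse_output_pairs(proc.stdout)


def demo(wait):
    """Push an authorised and an unauthorised request through the helper."""
    with tempfile.TemporaryDirectory() as tmp:
        program = os.path.join(tmp, "exec_helper.py")
        with open(program, "w") as fh:
            fh.write(HELPER_SOURCE)
        good = run_exec(program, {"User-Name": "alice", "Calling-Station-Id": "12345678"}, wait)
        bad = run_exec(program, {"User-Name": "mallory", "Calling-Station-Id": "0"}, wait)
        for child in FORGOTTEN:   # reap; the decisions above were made without these statuses
            child.wait(timeout=10)
        FORGOTTEN.clear()
    return good, bad


if __name__ == "__main__":
    print("wait = yes:", demo(True))
    print("wait = no: ", demo(False))
```

With wait = yes the rejected request comes back as 'reject' with the program's Reply-Message; with wait = no both requests come back 'ok' and empty, which is the failure mode the ntlm_auth instance must avoid.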
  1348.  
  1349.  
  1350. #
  1351. #  Pre-accounting.  Decide which accounting type to use.
  1352. #
  1353. preacct {
  1354.         preprocess
  1355.  
  1356.         #
  1357.         #  Ensure that we have a semi-unique identifier for every
  1358.         #  request, since many NAS boxes are broken.
  1359.         acct_unique
  1360.  
  1361.         #
  1362.         #  Look for IPASS-style 'realm/', and if not found, look for
  1363.         #  'user@domain', and decide whether or not to proxy, based on
  1364.         #  that.
  1365.         #
  1366.         #  Accounting requests are generally proxied to the same
  1367.         #  home server as authentication requests.
  1368. #       IPASS
  1369.         suffix
  1370. #       ntdomain
  1371.  
  1372.         #
  1373.         #  Read the 'acct_users' file
  1374.         files
  1375. }
  1376.  
  1377. #
  1378. #  Accounting.  Log the accounting data.
  1379. #
  1380. accounting {
  1381.         #
  1382.         #  Create a 'detail'ed log of the packets.
  1383.         #  Note that accounting requests which are proxied
  1384.         #  are also logged in the detail file.
  1385.         detail
  1386. #       daily
  1387.  
  1388.         #  Update the wtmp file
  1389.         #
  1390.         #  If you don't use "radlast", you can delete this line.
  1391. #       unix
  1392.  
  1393.         #
  1394.         #  For Simultaneous-Use tracking.
  1395.         #
  1396.         #  Due to packet losses in the network, the data here
  1397.         #  may be incorrect.  There is little we can do about it.
  1398.         radutmp
  1399. #       sradutmp
  1400.  
  1401.         #  Return an address to the IP Pool when we see a stop record.
  1402. #       main_pool
  1403.  
  1404.         #
  1405.         #  Log traffic to an SQL database.
  1406.         #
  1407.         #  See "Accounting queries" in sql.conf
  1408. #       sql
  1409.  
  1410.         #
  1411.         #  Instead of sending the query to the SQL server,
  1412.         #  write it into a log file.
  1413.         #
  1414. #       sql_log
  1415.  
  1416.         #  Cisco VoIP specific bulk accounting
  1417. #       pgsql-voip
  1418.  
  1419. }
  1420.  
  1421.  
  1422. #  Session database, used for checking Simultaneous-Use. Either the radutmp
  1423. #  or rlm_sql module can handle this.
  1424. #  The rlm_sql module is *much* faster
  1425. session {
  1426.         radutmp
  1427.  
  1428.         #
  1429.         #  See "Simultaneous Use Checking Queries" in sql.conf
  1430. #       sql
  1431. }
  1432.  
  1433.  
  1434. #  Post-Authentication
  1435. #  Once we KNOW that the user has been authenticated, there are
  1436. #  additional steps we can take.
  1437. post-auth {
  1438.         #  Get an address from the IP Pool.
  1439. #       main_pool
  1440.  
  1441.         #
        #  If you want to have a log of authentication replies,
        #  un-comment the following line, and the 'detail reply_log'
        #  section, above.
#       reply_log

        #
        #  After authenticating the user, do another SQL query.
        #
        #  See "Authentication Logging Queries" in sql.conf
#       sql

        #
        #  Instead of sending the query to the SQL server,
        #  write it into a log file.
        #
#       sql_log

        #
        #  Un-comment the following if you have set
        #  'edir_account_policy_check = yes' in the ldap module sub-section of
        #  the 'modules' section.
        #
#       ldap
        #
        #  Access-Reject packets are sent through the REJECT sub-section of the
        #  post-auth section.
        #  Uncomment the following and set the module name to the ldap instance
        #  name if you have set 'edir_account_policy_check = yes' in the ldap
        #  module sub-section of the 'modules' section.
        #
#       Post-Auth-Type REJECT {
#              insert-module-name-here
#       }

}

#
#  When the server decides to proxy a request to a home server,
#  the proxied request is first passed through the pre-proxy
#  stage.  This stage can re-write the request, or decide to
#  cancel the proxy.
#
#  Only a few modules currently have this method.
#
pre-proxy {
#       attr_rewrite

        #  Uncomment the following line if you want to change attributes
        #  as defined in the preproxy_users file.
#       files

        #  If you want to have a log of packets proxied to a home
        #  server, un-comment the following line, and the
        #  'detail pre_proxy_log' section, above.
#       pre_proxy_log
}

#
#  When the server receives a reply to a request it proxied
#  to a home server, the request may be massaged here, in the
#  post-proxy stage.
#
post-proxy {

        #  If you want to have a log of replies from a home server,
        #  un-comment the following line, and the 'detail post_proxy_log'
        #  section, above.
#       post_proxy_log

#       attr_rewrite

        #  Uncomment the following line if you want to filter replies from
        #  remote proxies based on the rules defined in the 'attrs' file.

#       attr_filter

        #
        #  If you are proxying LEAP, you MUST configure the EAP
        #  module, and you MUST list it here, in the post-proxy
        #  stage.
        #
        #  You MUST also use the 'nostrip' option in the 'realm'
        #  configuration.  Otherwise, the User-Name attribute
        #  in the proxied request will not match the user name
        #  hidden inside of the EAP packet, and the end server will
        #  reject the EAP request.
        #
        eap
}
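The 'nostrip' caveat in the post-proxy section above is easiest to see on the wire. The following Python script is an added example, not part of the FreeRADIUS configuration file or project code: it builds an Access-Request carrying a User-Name attribute and an EAP-Response/Identity inside EAP-Message attributes (standard RADIUS attribute encoding: type 1 for User-Name, type 79 for EAP-Message), then performs the comparison a home server makes between the two names. The identity `alice@example.org` and the realm-stripping helper are constructed for the demonstration; the check shows that a realm configured without 'nostrip' leaves the outer User-Name and the inner EAP identity disagreeing.

```python
"""Compare the RADIUS User-Name with the identity inside the EAP-Message,
as the home server of a proxied EAP/LEAP request does (added example)."""
import os
import struct
from typing import List, Optional, Tuple

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1        # RFC 2865
ATTR_EAP_MESSAGE = 79     # RFC 3579
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def build_eap_identity_response(identity: str, eap_id: int = 1) -> bytes:
    """EAP-Response/Identity: code(1) id(1) length(2) type(1) identity."""
    data = identity.encode()
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(data), EAP_TYPE_IDENTITY) + data


def build_access_request(user_name: str, eap: bytes,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request with one User-Name and the EAP packet split into
    EAP-Message attributes of at most 253 bytes each."""
    name = user_name.encode()
    attrs = struct.pack("!BB", ATTR_USER_NAME, 2 + len(name)) + name
    for i in range(0, len(eap), 253):
        chunk = eap[i:i + 253]
        attrs += struct.pack("!BB", ATTR_EAP_MESSAGE, 2 + len(chunk)) + chunk
    authenticator = authenticator or os.urandom(16)
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, 0, 20 + len(attrs)) + authenticator
    return header + attrs


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list, rejecting inconsistent lengths."""
    _code, _pid, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs = []
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def eap_identity(packet: bytes) -> Optional[str]:
    """Reassemble EAP-Message fragments and return the identity, if it is
    a well-formed EAP-Response/Identity."""
    eap = b"".join(v for t, v in parse_attributes(packet) if t == ATTR_EAP_MESSAGE)
    if len(eap) < 5:
        return None
    code, _eid, elen, etype = struct.unpack("!BBHB", eap[:5])
    if code != EAP_RESPONSE or etype != EAP_TYPE_IDENTITY or elen != len(eap):
        return None
    return eap[5:elen].decode(errors="replace")


def strip_realm(user_name: str) -> str:
    """Constructed stand-in for what a realm without 'nostrip' does to
    User-Name before proxying: drop the @realm suffix."""
    return user_name.split("@", 1)[0]


def user_name_matches_eap(packet: bytes) -> bool:
    """The home server's check: exactly one User-Name, and it must equal
    the identity hidden inside the EAP packet."""
    names = [v.decode(errors="replace")
             for t, v in parse_attributes(packet) if t == ATTR_USER_NAME]
    ident = eap_identity(packet)
    return len(names) == 1 and ident is not None and names[0] == ident


# Constructed sample: a client authenticating as alice@example.org.
IDENTITY = "alice@example.org"
EAP = build_eap_identity_response(IDENTITY)
# Proxied through a realm with 'nostrip': User-Name left intact.
REQ_NOSTRIP = build_access_request(IDENTITY, EAP)
# Proxied through a realm without 'nostrip': User-Name stripped, EAP untouched.
REQ_STRIPPED = build_access_request(strip_realm(IDENTITY), EAP)

if __name__ == "__main__":
    print("nostrip :", user_name_matches_eap(REQ_NOSTRIP))
    print("stripped:", user_name_matches_eap(REQ_STRIPPED),
          "(User-Name=%r, EAP identity=%r)" % (strip_realm(IDENTITY), eap_identity(REQ_STRIPPED)))
```

The EAP payload is opaque to the proxy, so rewriting User-Name alone can never be made consistent with it; the only sound fix is the one the comment gives, keeping the realm on the outer attribute with 'nostrip'.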
