Miscellany
Sunday, April 29th, 2007 at 10:44:33am UTC 

##
## radiusd.conf -- FreeRADIUS server configuration file.
##
##      http://www.freeradius.org/
##      $Id: radiusd.conf.in,v 1.188.2.4.2.16 2007/02/04 15:28:46 pnixon Exp $
##

#       The location of other config files and
#       log files are declared in this file.
#
#       General configuration for modules can also be done
#       in this file; it is exported through the API to
#       modules that ask for it.
#
#       The configuration variables defined here are of the form ${foo}.
#       They are local to this file, and do not change from request to
#       request.
#
#       The per-request variables are of the form %{Attribute-Name}, and
#       are taken from the values of the attribute in the incoming
#       request.  See 'doc/variables.txt' for more information.

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

#  Location of config and log files.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
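The ${foo} substitution that the header comments describe, as an added Python example (this is not FreeRADIUS code): it reads top-level "name = value" lines of the shape used above, resolves references recursively, and refuses an undefined name or a reference cycle instead of recursing until the stack overflows. The sample assignments are constructed to mirror the prefix/logdir lines; only full-line comments are skipped, because an inline '#' can be part of a legal value such as a numeric uid.

```python
import re

# Constructed sample in the same shape as the prefix/logdir lines above
# (not read from this paste).
SAMPLE_CONF = """
prefix = /usr
sysconfdir = /etc
localstatedir = /var
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
"""

_REF = re.compile(r"\$\{([A-Za-z0-9_]+)\}")


def parse_assignments(text):
    """Collect top-level 'name = value' lines; blank lines and full-line
    '#' comments are skipped. Inline '#' is left alone because a value
    such as 'user = #1000' is legal (a numeric uid)."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        values[name] = value
    return values


def expand(name, values, _chain=()):
    """Resolve every ${ref} inside values[name], recursively. An undefined
    name raises KeyError; a reference cycle raises ValueError."""
    if name in _chain:
        raise ValueError("reference cycle: " + " -> ".join(_chain + (name,)))
    if name not in values:
        raise KeyError(f"undefined config variable ${{{name}}}")
    return _REF.sub(lambda m: expand(m.group(1), values, _chain + (name,)),
                    values[name])


def expand_all(text):
    """Parse the text and return every variable fully expanded."""
    values = parse_assignments(text)
    return {name: expand(name, values) for name in values}


if __name__ == "__main__":
    for name, path in expand_all(SAMPLE_CONF).items():
        print(f"{name:12} = {path}")
```

Running the block prints run_dir as /var/run/radiusd and radacctdir as /var/log/radius/radacct, the two-level expansion through logdir.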

#
#  The logging messages for the server are appended to the
#  tail of this file.
#
log_file = ${logdir}/radius.log

#
# libdir: Where to find the rlm_* modules.
#
#   This should be automatically set at configuration time.
#
#   If the server builds and installs, but fails at execution time
#   with an 'undefined symbol' error, then you can use the libdir
#   directive to work around the problem.
#
#   The cause is usually that a library has been installed on your
#   system in a place where the dynamic linker CANNOT find it.  When
#   executing as root (or another user), your personal environment MAY
#   be set up to allow the dynamic linker to find the library.  When
#   executing as a daemon, FreeRADIUS MAY NOT have the same
#   personalized configuration.
#
#   To work around the problem, find out which library contains that symbol,
#   and add the directory containing that library to the end of 'libdir',
#   with a colon separating the directory names.  NO spaces are allowed.
#
#   e.g. libdir = /usr/local/lib:/opt/package/lib
#
#   You can also try setting the LD_LIBRARY_PATH environment variable
#   in a script which starts the server.
#
#   If that does not work, then you can re-configure and re-build the
#   server to NOT use shared libraries, via:
#
#       ./configure --disable-shared
#       make
#       make install
#
libdir = /usr/lib

#  pidfile: Where to place the PID of the RADIUS server.
#
#  The server may be signalled while it's running by using this
#  file.
#
#  This file is written ONLY when running in daemon mode.
#
#  e.g.:  kill -HUP `cat /var/run/radiusd/radiusd.pid`
#
pidfile = ${run_dir}/radiusd.pid


# user/group: The name (or #number) of the user/group to run radiusd as.
#
#   If these are commented out, the server will run as the user/group
#   that started it.  In order to change to a different user/group, you
#   MUST be root (or have root privileges) to start the server.
#
#   We STRONGLY recommend that you run the server with as few permissions
#   as possible.  That is, if you're not using shadow passwords, the
#   user and group items below should be set to 'nobody'.
#
#    On SCO (ODT 3) use "user = nouser" and "group = nogroup".
#
#  NOTE that some kernels refuse to setgid(group) when the value of
#  (unsigned)group is above 60000; don't use group nobody on these systems!
#
#  On systems with shadow passwords, you might have to set 'group = shadow'
#  for the server to be able to read the shadow password file.  If you can
#  authenticate users while in debug mode, but not in daemon mode, it may be
#  that the debugging mode server is running as a user that can read the
#  shadow info, and the user listed below can not.
#
user = radiusd
group = radiusd

#  max_request_time: The maximum time (in seconds) to handle a request.
#
#  Requests which take more time than this to process may be killed, and
#  a REJECT message is returned.
#
#  WARNING: If you notice that requests take a long time to be handled,
#  then this MAY INDICATE a bug in the server, in one of the modules
#  used to handle a request, OR in your local configuration.
#
#  This problem is most often seen when using an SQL database.  If it takes
#  more than a second or two to receive an answer from the SQL database,
#  then it probably means that you haven't indexed the database.  See your
#  SQL server documentation for more information.
#
#  Useful range of values: 5 to 120
#
max_request_time = 30

#  delete_blocked_requests: If the request takes MORE THAN 'max_request_time'
#  to be handled, then maybe the server should delete it.
#
#  If you're running in threaded, or thread pool mode, this setting
#  should probably be 'no'.  Setting it to 'yes' when using a threaded
#  server MAY cause the server to crash!
#
delete_blocked_requests = no

#  cleanup_delay: The time to wait (in seconds) before cleaning up
#  a reply which was sent to the NAS.
#
#  The RADIUS request is normally cached internally for a short period
#  of time, after the reply is sent to the NAS.  The reply packet may be
#  lost in the network, and the NAS will not see it.  The NAS will then
#  re-send the request, and the server will respond quickly with the
#  cached reply.
#
#  If this value is set too low, then duplicate requests from the NAS
#  MAY NOT be detected, and will instead be handled as separate requests.
#
#  If this value is set too high, then the server will cache too many
#  requests, and some new requests may get blocked.  (See 'max_requests'.)
#
#  Useful range of values: 2 to 10
#
cleanup_delay = 5
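How cleanup_delay and max_requests interact, as an added Python model (not the server's own code). A reply cache keyed on client address, source port, packet Identifier and Request Authenticator (the fields RFC 2865 section 2 names for recognising a retransmission) answers a re-sent request from cache while the entry is younger than cleanup_delay, processes it afresh once the entry has expired (the "handled as separate requests" case above), and refuses new requests when max_requests entries are already cached. The clock, the NAS address and the packet fields are constructed for the simulation.

```python
class FakeClock:
    """Manually advanced clock so the simulation is deterministic."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class ReplyCache:
    """Replies already sent, keyed the way a server recognises a
    retransmission: client address, source port, Identifier and Request
    Authenticator. Entries live for cleanup_delay seconds."""

    def __init__(self, cleanup_delay, max_requests, clock):
        self.cleanup_delay = cleanup_delay
        self.max_requests = max_requests
        self.clock = clock
        self._entries = {}  # key -> (time the reply was sent, reply)

    def _expire(self):
        now = self.clock()
        for key, (sent_at, _) in list(self._entries.items()):
            if now - sent_at >= self.cleanup_delay:
                del self._entries[key]

    def handle(self, client, port, identifier, authenticator, process):
        """Return (reply, served_from_cache). process() runs only for a request
        not seen within cleanup_delay; reply is None when the table is full."""
        self._expire()
        key = (client, port, identifier, authenticator)
        if key in self._entries:
            return self._entries[key][1], True
        if len(self._entries) >= self.max_requests:
            return None, False  # blocked, as described under max_requests
        reply = process()
        self._entries[key] = (self.clock(), reply)
        return reply, False


def simulate(cleanup_delay=5, max_requests=3):
    """A NAS re-sends one Access-Request at t=0, t=2 and t=8, then three
    distinct requests arrive at t=8. Returns (cache hits, labels processed,
    which of the new requests were blocked)."""
    clock = FakeClock()
    cache = ReplyCache(cleanup_delay, max_requests, clock)
    processed = []

    def process(label):
        def run():
            processed.append(label)
            return "Access-Accept for " + label
        return run

    auth = bytes(range(16))          # constructed 16-octet Request Authenticator
    nas = ("192.0.2.10", 49152)      # constructed NAS address and source port
    hits = []
    for t in (0, 2, 8):              # same Identifier 7, same authenticator
        clock.now = t
        _, cached = cache.handle(*nas, 7, auth, process("id7"))
        hits.append(cached)
    blocked = []
    for ident in (8, 9, 10):         # new requests while id7 is still cached
        reply, _ = cache.handle(*nas, ident, bytes(16), process(f"id{ident}"))
        blocked.append(reply is None)
    return hits, processed, blocked


if __name__ == "__main__":
    print(simulate())
```

With cleanup_delay = 5 the retransmission at t=2 is a cache hit, the one at t=8 is processed a second time because the entry has expired, and the third new request is refused once three entries are cached.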

#  max_requests: The maximum number of requests which the server keeps
#  track of.  This should be 256 multiplied by the number of clients.
#  e.g. With 4 clients, this number should be 1024.
#
#  If this number is too low, then when the server becomes busy,
#  it will not respond to any new requests, until the 'cleanup_delay'
#  time has passed, and it has removed the old requests.
#
#  If this number is set too high, then the server will use a bit more
#  memory for no real benefit.
#
#  If you aren't sure what it should be set to, it's better to set it
#  too high than too low.  Setting it to 1000 per client is probably
#  the highest it should be.
#
#  Useful range of values: 256 to infinity
#
max_requests = 1024

#  bind_address:  Make the server listen on a particular IP address, and
#  send replies out from that address.  This directive is most useful
#  for machines with multiple IP addresses on one interface.
#
#  It can either contain "*", or an IP address, or a fully qualified
#  Internet domain name.  The default is "*"
#
#  As of 1.0, you can also use the "listen" directive.  See below for
#  more information.
#
bind_address = *

#  port: Allows you to bind FreeRADIUS to a specific port.
#
#  The default port that most NAS boxes use is 1645, which is historical.
#  RFC 2138 defines 1812 to be the new port.  Many new servers and
#  NAS boxes use 1812, which can create interoperability problems.
#
#  The port is defined here to be 0 so that the server will pick up
#  the machine's local configuration for the radius port, as defined
#  in /etc/services.
#
#  If you want to use the default RADIUS port as defined on your server,
#  (usually through 'grep radius /etc/services') set this to 0 (zero).
#
#  A port given on the command-line via '-p' overrides this one.
#
#  As of 1.0, you can also use the "listen" directive.  See below for
#  more information.
#
port = 0

#
#  By default, the server uses "bind_address" to listen to all IP's
#  on a machine, or just one IP.  The "port" configuration is used
#  to select the authentication port used when listening on those
#  addresses.
#
#  If you want the server to listen on additional addresses, you can
#  use the "listen" section.  A sample section (commented out) is included
#  below.  This "listen" section duplicates the functionality of the
#  "bind_address" and "port" configuration entries, but it only listens
#  for authentication packets.
#
#  If you comment out the "bind_address" and "port" configuration entries,
#  then it becomes possible to make the server accept only accounting,
#  or authentication packets.  Previously, it always listened for both
#  types of packets, and it was impossible to make it listen for only
#  one type of packet.
#
#listen {
        #  IP address on which to listen.
        #  Allowed values are:
        #       dotted quad (1.2.3.4)
        #       hostname    (radius.example.com)
        #       wildcard    (*)
#       ipaddr = *

        #  Port on which to listen.
        #  Allowed values are:
        #       integer port number (1812)
        #       0 means "use /etc/services for the proper port"
#       port = 0

        #  Type of packets to listen for.
        #  Allowed values are:
        #       auth   listen for authentication packets
        #       acct   listen for accounting packets
        #
#       type = auth
#}


#  hostname_lookups: Log the names of clients or just their IP addresses
#  e.g., www.freeradius.org (on) or 206.47.27.232 (off).
#
#  The default is 'off' because it would be overall better for the net
#  if people had to knowingly turn this feature on, since enabling it
#  means that each client request will result in AT LEAST one lookup
#  request to the nameserver.   Enabling hostname_lookups will also
#  mean that your server may stop randomly for 30 seconds from time
#  to time, if the DNS requests take too long.
#
#  Turning hostname lookups off also means that the server won't block
#  for 30 seconds, if it sees an IP address which has no name associated
#  with it.
#
#  allowed values: {no, yes}
#
hostname_lookups = no

#  Core dumps are a bad thing.  This should only be set to 'yes'
#  if you're debugging a problem with the server.
#
#  allowed values: {no, yes}
#
allow_core_dumps = no

#  Regular expressions
#
#  These items are set at configure time.  If they're set to "yes",
#  then setting them to "no" turns off regular expression support.
#
#  If they're set to "no" at configure time, then setting them to "yes"
#  WILL NOT WORK.  It will give you an error.
#
regular_expressions     = yes
extended_expressions    = yes

#  Log the full User-Name attribute, as it was found in the request.
#
# allowed values: {no, yes}
#
log_stripped_names = no

#  Log authentication requests to the log file.
#
#  allowed values: {no, yes}
#
log_auth = no

#  Log passwords with the authentication requests.
#  log_auth_badpass  - logs password if it's rejected
#  log_auth_goodpass - logs password if it's correct
#
#  allowed values: {no, yes}
#
log_auth_badpass = no
log_auth_goodpass = no

# usercollide:  Turn "username collision" code on and off.  See the
# "doc/duplicate-users" file
#
#  WARNING
#  !!!!!!!  Setting this to "yes" may result in the server behaving
#  !!!!!!!  strangely.  The "username collision" code will ONLY work
#  !!!!!!!  with clear-text passwords.  Even then, it may not do what
#  !!!!!!!  you want, or what you expect.
#  !!!!!!!
#  !!!!!!!  We STRONGLY RECOMMEND that you do not use this feature,
#  !!!!!!!  and that you find another way of achieving the same goal.
#  !!!!!!!
#  !!!!!!!  e.g. module fail-over.  See 'doc/configurable_failover'
#  WARNING
#
usercollide = no

# lower_user / lower_pass:
# Lower case the username/password "before" or "after"
# attempting to authenticate.
#
#  If "before", the server will first modify the request and then try
#  to auth the user.  If "after", the server will first auth using the
#  values provided by the user.  If that fails it will reprocess the
#  request after modifying it as you specify below.
#
#  This is as close as we can get to case insensitivity.  It is the
#  admin's job to ensure that the username on the auth db side is
#  *also* lowercase to make this work
#
# Default is 'no' (don't lowercase values)
# Valid values = "before" / "after" / "no"
#
lower_user = no
lower_pass = no

# nospace_user / nospace_pass:
#
#  Some users like to enter spaces in their username or password
#  incorrectly.  To save yourself the tech support call, you can
#  eliminate those spaces here:
#
# Default is 'no' (don't remove spaces)
# Valid values = "before" / "after" / "no" (explanation above)
#
nospace_user = no
nospace_pass = no

#  The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad

# SECURITY CONFIGURATION
#
#  There may be multiple methods of attacking the server.  This
#  section holds the configuration items which minimize the impact
#  of those attacks.
#
security {
        #
        #  max_attributes: The maximum number of attributes
        #  permitted in a RADIUS packet.  Packets which have MORE
        #  than this number of attributes in them will be dropped.
        #
        #  If this number is set too low, then no RADIUS packets
        #  will be accepted.
        #
        #  If this number is set too high, then an attacker may be
        #  able to send a small number of packets which will cause
        #  the server to use all available memory on the machine.
        #
        #  Setting this number to 0 means "allow any number of attributes"
        max_attributes = 200

        #
        #  reject_delay: When sending an Access-Reject, it can be
        #  delayed for a few seconds.  This may help slow down a DoS
        #  attack.  It also helps to slow down people trying to brute-force
        #  crack a user's password.
        #
        #  Setting this number to 0 means "send rejects immediately"
        #
        #  If this number is set higher than 'cleanup_delay', then the
        #  rejects will be sent at 'cleanup_delay' time, when the request
        #  is deleted from the internal cache of requests.
        #
        #  Useful ranges: 1 to 5
        reject_delay = 1

        #
        #  status_server: Whether or not the server will respond
        #  to Status-Server requests.
        #
        #  Normally this should be set to "no", because they're useless.
        #  See: http://www.freeradius.org/rfc/rfc2865.html#Keep-Alives
        #
        #  However, certain NAS boxes may require them.
        #
        #  When sent a Status-Server message, the server responds with
        #  an Access-Accept packet, containing a Reply-Message attribute,
        #  which is a string describing how long the server has been
        #  running.
        #
        status_server = no
}
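What the max_attributes check has to do on the wire, as an added Python example (it is not FreeRADIUS's packet decoder): walk the attribute TLVs of an RFC 2865 datagram, reject a packet whose Length field or attribute lengths are inconsistent, and drop it once the attribute count passes the limit, with 0 meaning "any number" as in the setting above. The packets are constructed here; the attribute types (1 User-Name, 4 NAS-IP-Address, 5 NAS-Port) are the standard RFC 2865 numbers.

```python
import struct

# RFC 2865 packet header: Code(1) Identifier(1) Length(2) Authenticator(16).
HEADER = struct.Struct("!BBH16s")
MAX_DATAGRAM = 4096   # RFC 2865: a packet longer than this is silently discarded


class PacketDropped(Exception):
    pass


def count_attributes(packet, max_attributes):
    """Walk the attribute TLVs of one datagram and return how many there are.
    Raises PacketDropped for a malformed packet or when the count exceeds
    max_attributes (0 disables the limit, as in the config above)."""
    if len(packet) < HEADER.size or len(packet) > MAX_DATAGRAM:
        raise PacketDropped("datagram size outside 20..4096 octets")
    _code, _ident, length, _auth = HEADER.unpack_from(packet)
    if length < HEADER.size or length > len(packet):
        raise PacketDropped("Length field disagrees with datagram size")
    pos, count = HEADER.size, 0
    while pos < length:          # octets beyond Length are padding (RFC 2865)
        if length - pos < 2:
            raise PacketDropped("truncated attribute header")
        attr_len = packet[pos + 1]
        # The attribute Length counts its own Type and Length octets, so a
        # value below 2 is impossible, and no attribute may run past Length.
        if attr_len < 2 or pos + attr_len > length:
            raise PacketDropped(f"bad attribute length {attr_len} at offset {pos}")
        count += 1
        if max_attributes and count > max_attributes:
            raise PacketDropped(f"more than {max_attributes} attributes")
        pos += attr_len
    return count


def build_packet(attrs, code=1, identifier=0):
    """Constructed Access-Request (code 1) with an all-zero authenticator;
    attrs is a list of (type, value bytes) pairs."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return HEADER.pack(code, identifier, HEADER.size + len(body), bytes(16)) + body


def dropped(packet, max_attributes):
    """True when count_attributes would discard the packet."""
    try:
        count_attributes(packet, max_attributes)
    except PacketDropped:
        return True
    return False


# Constructed samples: an ordinary request, and one carrying 201 attributes
# (the type repeated is irrelevant; only the count matters to the check).
NORMAL = build_packet([(1, b"alice"),                   # User-Name
                       (4, bytes([192, 0, 2, 1])),      # NAS-IP-Address
                       (5, struct.pack("!I", 3))])      # NAS-Port
OVERSIZED = build_packet([(1, b"x")] * 201)

if __name__ == "__main__":
    print(count_attributes(NORMAL, 200), dropped(OVERSIZED, 200))
```

Counting attributes before decoding them is what bounds the per-packet memory the comment warns about: each attribute the decoder accepts becomes a heap allocation, so the limit caps that allocation at max_attributes objects per datagram.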

# PROXY CONFIGURATION
#
#  proxy_requests: Turns proxying of RADIUS requests on or off.
#
#  The server has proxying turned on by default.  If your system is NOT
#  set up to proxy requests to another server, then you can turn proxying
#  off here.  This will save a small amount of resources on the server.
#
#  If you have proxying turned off, and your configuration files say
#  to proxy a request, then an error message will be logged.
#
#  To disable proxying, change the "yes" to "no", and comment the
#  $INCLUDE line.
#
#  allowed values: {no, yes}
#
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf


# CLIENTS CONFIGURATION
#
#  Client configuration is defined in "clients.conf".
#

#  The 'clients.conf' file contains all of the information from the old
#  'clients' and 'naslist' configuration files.  We recommend that you
#  do NOT use 'clients' or 'naslist', although they are still
#  supported.
#
#  Anything listed in 'clients.conf' will take precedence over the
#  information from the old-style configuration files.
#
$INCLUDE  ${confdir}/clients.conf


# SNMP CONFIGURATION
#
#  SNMP configuration is only valid if SNMP support was enabled
#  at compile time.
#
#  To enable SNMP querying of the server, set the value of the
#  'snmp' attribute to 'yes'
#
snmp    = no
$INCLUDE  ${confdir}/snmp.conf


# THREAD POOL CONFIGURATION
#
#  The thread pool is a long-lived group of threads which
#  take turns (round-robin) handling any incoming requests.
#
#  You probably want to have a few spare threads around,
#  so that high-load situations can be handled immediately.  If you
#  don't have any spare threads, then the request handling will
#  be delayed while a new thread is created, and added to the pool.
#
#  You probably don't want too many spare threads around,
#  otherwise they'll be sitting there taking up resources, and
#  not doing anything productive.
#
#  The numbers given below should be adequate for most situations.
#
thread pool {
        #  Number of servers to start initially --- should be a reasonable
        #  ballpark figure.
        start_servers = 5

        #  Limit on the total number of servers running.
        #
        #  If this limit is ever reached, clients will be LOCKED OUT, so it
        #  should NOT BE SET TOO LOW.  It is intended mainly as a brake to
        #  keep a runaway server from taking the system with it as it spirals
        #  down...
        #
        #  You may find that the server is regularly reaching the
        #  'max_servers' number of threads, and that increasing
        #  'max_servers' doesn't seem to make much difference.
        #
        #  If this is the case, then the problem is MOST LIKELY that
        #  your back-end databases are taking too long to respond, and
        #  are preventing the server from responding in a timely manner.
        #
        #  The solution is NOT to keep increasing the 'max_servers'
        #  value, but instead to fix the underlying cause of the
        #  problem: slow database, or 'hostname_lookups=yes'.
        #
        #  For more information, see 'max_request_time', above.
        #
        max_servers = 32

        #  Server-pool size regulation.  Rather than making you guess
        #  how many servers you need, FreeRADIUS dynamically adapts to
        #  the load it sees, that is, it tries to maintain enough
        #  servers to handle the current load, plus a few spare
        #  servers to handle transient load spikes.
        #
        #  It does this by periodically checking how many servers are
        #  waiting for a request.  If there are fewer than
        #  min_spare_servers, it creates a new spare.  If there are
        #  more than max_spare_servers, some of the spares die off.
        #  The default values are probably OK for most sites.
        #
        min_spare_servers = 3
        max_spare_servers = 10

        #  There may be memory leaks or resource allocation problems with
        #  the server.  If so, set this value to 300 or so, so that the
        #  resources will be cleaned up periodically.
        #
        #  This should only be necessary if there are serious bugs in the
        #  server which have not yet been fixed.
        #
        #  '0' is a special value meaning 'infinity', or 'the servers never
        #  exit'
        max_requests_per_server = 0
}
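A simplified model of the spare-server regulation described in the thread pool comments, added here as an example (it is not the server's thread pool code): each regulation pass tops idle threads up to min_spare_servers without ever exceeding max_servers, and trims idle threads back to max_spare_servers; requests beyond max_servers wait, which is the LOCKED OUT case. The demand trace is constructed, and the model creates all the missing spares in one pass rather than one per check.

```python
THREAD_POOL = {                 # the values from the thread pool section above
    "start_servers": 5,
    "max_servers": 32,
    "min_spare_servers": 3,
    "max_spare_servers": 10,
}


def regulate(total, demand, cfg):
    """One regulation pass. total is the current thread count, demand the
    number of requests wanting a thread. Idle threads below min_spare_servers
    are topped up (never beyond max_servers); idle threads above
    max_spare_servers are let go. Returns the new thread count."""
    busy = min(demand, total)
    idle = total - busy
    if idle < cfg["min_spare_servers"]:
        return min(demand + cfg["min_spare_servers"], cfg["max_servers"])
    if idle > cfg["max_spare_servers"]:
        return busy + cfg["max_spare_servers"]
    return total


def simulate(demand_trace, cfg=THREAD_POOL):
    """Apply the regulator to a constructed trace of concurrent requests.
    Returns (threads, queued) per tick; queued > 0 means requests are
    waiting because max_servers was reached."""
    total, history = cfg["start_servers"], []
    for demand in demand_trace:
        total = regulate(total, demand, cfg)
        history.append((total, max(0, demand - total)))
    return history


if __name__ == "__main__":
    for threads, queued in simulate([2, 4, 20, 40, 5, 0]):
        print(f"threads={threads:2d} queued={queued}")
```

On the trace 2, 4, 20, 40, 5, 0 the pool grows to 7, then 23, hits the 32 cap with 8 requests queued, and shrinks back to 15 and then 10 as the spares above max_spare_servers exit; a server that sits at the cap with a queue, as the comment says, usually has a slow back end rather than too small a max_servers.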

# MODULE CONFIGURATION
#
#  The names and configuration of each module are located in this section.
#
#  After the modules are defined here, they may be referred to by name,
#  in other sections of this configuration file.
#

modules {
  ldap {
    server = "tfxschoolfs01.tfxschool.internal"
    identity = "CN=Jacob Jarick,OU=People,DC=tfxschool,DC=internal"
    password = "pass"

    basedn = "OU=People,DC=tfxschool,DC=internal"
    filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"

    dictionary_mapping = ${raddbdir}/ldap.attrmap

    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
  }

  preprocess {
    huntgroups = ${confdir}/huntgroups
    hints = ${confdir}/hints

    with_ascend_hack = no
    ascend_channels_per_line = 23

    with_ntdomain_hack = no
    with_specialix_jetstream_hack = no
    with_cisco_vsa_hack = no
  }

  detail {
    detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
    detailperm = 0644
  }

}
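How the per-request %{...} syntax in the ldap filter above expands, as an added Python example (not rlm_ldap's own expansion code): %{Stripped-User-Name:-%{User-Name}} yields the stripped name when the request carries one and otherwise expands the fallback, which is itself a template. Because the result is spliced into an LDAP search filter, the leaf value is escaped per RFC 4515 so that filter metacharacters in a submitted User-Name stay literal instead of changing the query. The attribute values are constructed.

```python
# The rlm_ldap filter from the module block above; %{Attr:-fallback} means
# "the value of Attr, else the expansion of fallback".
FILTER = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"

# RFC 4515 section 3: these characters must appear as \XX inside an
# assertion value. Backslash goes first so the escapes are not re-escaped.
_LDAP_ESCAPES = [("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"),
                 (")", r"\29"), ("\x00", r"\00")]


def ldap_escape(value):
    for raw, esc in _LDAP_ESCAPES:
        value = value.replace(raw, esc)
    return value


def _matching_brace(template, start):
    """Index of the '}' that closes the '{' just before start, honouring
    nested %{...} inside a fallback."""
    depth = 1
    for i in range(start, len(template)):
        if template[i] == "{":
            depth += 1
        elif template[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced %{...} in template")


def xlat(template, attrs, escape=lambda s: s):
    """Expand %{Name} and %{Name:-fallback} from a dict of request attributes.
    Leaf values pass through escape(); a fallback is expanded as a template,
    so its own leaf values are escaped too."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            end = _matching_brace(template, i + 2)
            name, sep, fallback = template[i + 2:end].partition(":-")
            if name in attrs:
                out.append(escape(attrs[name]))
            else:
                out.append(xlat(fallback, attrs, escape) if sep else "")
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def ldap_filter(attrs):
    """The search filter rlm_ldap would send for this request (model)."""
    return xlat(FILTER, attrs, ldap_escape)


if __name__ == "__main__":
    # Constructed requests: a realm-stripped name, a plain name, and a name
    # containing filter metacharacters.
    print(ldap_filter({"User-Name": "alice@example.org", "Stripped-User-Name": "alice"}))
    print(ldap_filter({"User-Name": "alice"}))
    print(ldap_filter({"User-Name": "a*b(c)"}))
```

Whether the real module escapes the value before substitution depends on the rlm_ldap version in use; when in doubt, test with a name containing '*' or '(' and confirm the directory receives the \2a and \28 forms rather than a wildcard search.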

instantiate {
}

authorize {
  preprocess

  ldap
}

authenticate {
  Auth-Type LDAP {
    ldap
  }
}


preacct {
  preprocess
}

accounting {
  detail
}


session {
}

post-auth {
}

pre-proxy {
}

post-proxy {
}
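An audit of the security-relevant settings in a radiusd.conf of this layout, as an added Python example (it is not a FreeRADIUS tool): a minimal reader for the nested section syntax, followed by checks for the settings the comments above describe as risky (root user/group, password logging, core dumps, max_attributes = 0, reject_delay = 0), plus the cleartext ldap bind password and world-readable detail files. Both configurations are constructed; the hardened one keeps the values used in this file except detailperm, which it tightens to 0600.

```python
WEAK_CONF = """
# constructed: every setting the audit flags, gathered in one file
log_auth_goodpass = yes
allow_core_dumps = yes
security {
        max_attributes = 0
        reject_delay = 0
}
modules {
  ldap {
    password = "pass"
  }
  detail {
    detailperm = 0644
  }
}
"""

HARDENED_CONF = """
# constructed: the values used in this file, with detailperm tightened
user = radiusd
group = radiusd
log_auth_goodpass = no
log_auth_badpass = no
allow_core_dumps = no
security {
        max_attributes = 200
        reject_delay = 1
}
modules {
  ldap {
    password = "pass"
  }
  detail {
    detailperm = 0600
  }
}
"""


def parse_conf(text):
    """Minimal reader for radiusd.conf syntax: nested 'name {' ... '}'
    sections and 'key = value' lines. Comments and $INCLUDE lines are
    skipped, quotes around a value are dropped, ${var} is left unexpanded."""
    root, stack, current = {}, [], None
    current = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("$INCLUDE"):
            continue
        if line.endswith("{"):
            child = {}
            current[line[:-1].strip()] = child
            stack.append(current)
            current = child
        elif line == "}":
            current = stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value.strip('"')
    return root


def audit(conf):
    """Return one finding per risky setting present in the parsed config."""
    findings = []
    for item in ("user", "group"):
        if conf.get(item) in (None, "root", "#0"):
            findings.append(f"{item}: unset or root, so the daemon keeps the "
                            "privileges of whoever started it")
    for key in ("log_auth_goodpass", "log_auth_badpass"):
        if conf.get(key, "no") == "yes":
            findings.append(f"{key} = yes: user passwords are written to log_file")
    if conf.get("allow_core_dumps", "no") == "yes":
        findings.append("allow_core_dumps = yes: a core file is an image of process "
                        "memory, client shared secrets included")
    sec = conf.get("security", {})
    if sec.get("max_attributes", "200") == "0":
        findings.append("security.max_attributes = 0: no per-packet attribute limit")
    if int(sec.get("reject_delay", "1")) < 1:
        findings.append("security.reject_delay = 0: rejects are sent immediately")
    modules = conf.get("modules", {})
    if "password" in modules.get("ldap", {}):
        findings.append("modules.ldap.password: bind password in cleartext; the "
                        "raddb directory must not be readable by other users")
    perm = modules.get("detail", {}).get("detailperm")
    if perm is not None and int(perm, 8) & 0o004:
        findings.append(f"modules.detail.detailperm = {perm}: accounting detail "
                        "files (User-Name and friends) are world-readable")
    return findings


def audit_text(text):
    return audit(parse_conf(text))


if __name__ == "__main__":
    for finding in audit_text(WEAK_CONF):
        print("-", finding)
```

Run against the configuration in this paste, the two findings that remain are the cleartext bind password (unavoidable for a simple bind, so the file permissions carry the weight) and detailperm = 0644.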
