Context Navigation

radiusd.conf @ 5160d62

perl-5.22

Last change on this file since 5160d62 was c5c522c, checked in by Edwin Eefting <edwin@datux.nl>, 8 years ago
initial commit, transferred from cleaned syn3 svn tree
Property mode set to `100644`
File size: 64.1 KB

Line
1	##
2	## radiusd.conf -- FreeRADIUS server configuration file.
3	##
4	## http://www.freeradius.org/
5	## $Id: radiusd.conf.in,v 1.188.2.4.2.12 2006/07/29 19:43:30 nbk Exp $
6	##
7
8	# The location of other config files and
9	# logfiles are declared in this file
10	#
11	# Also general configuration for modules can be done
12	# in this file, it is exported through the API to
13	# modules that ask for it.
14	#
15	# The configuration variables defined here are of the form ${foo}
16	# They are local to this file, and do not change from request to
17	# request.
18	#
19	# The per-request variables are of the form %{Attribute-Name}, and
20	# are taken from the values of the attribute in the incoming
21	# request. See 'doc/variables.txt' for more information.
22
23	prefix = /usr
24	exec_prefix = ${prefix}
25	sysconfdir = /home/system/radius
26	localstatedir = /var
27	sbindir = /usr/sbin
28	logdir = ${localstatedir}/log/radius
29	raddbdir = ${sysconfdir}/raddb
30	radacctdir = ${logdir}/radacct
31
32	# Location of config and logfiles.
33	confdir = ${raddbdir}
34	run_dir = ${localstatedir}/run/radiusd
35	#
36	# The logging messages for the server are appended to the
37	# tail of this file.
38	#
39	log_file = ${logdir}/radius.log
40
41	#
42	# libdir: Where to find the rlm_* modules.
43	#
44	# This should be automatically set at configuration time.
45	#
46	# If the server builds and installs, but fails at execution time
47	# with an 'undefined symbol' error, then you can use the libdir
48	# directive to work around the problem.
49	#
50	# The cause is usually that a library has been installed on your
51	# system in a place where the dynamic linker CANNOT find it. When
52	# executing as root (or another user), your personal environment MAY
53	# be set up to allow the dynamic linker to find the library. When
54	# executing as a daemon, FreeRADIUS MAY NOT have the same
55	# personalized configuration.
56	#
57	# To work around the problem, find out which library contains that symbol,
58	# and add the directory containing that library to the end of 'libdir',
59	# with a colon separating the directory names. NO spaces are allowed.
60	#
61	# e.g. libdir = /usr/local/lib:/opt/package/lib
62	#
63	# You can also try setting the LD_LIBRARY_PATH environment variable
64	# in a script which starts the server.
65	#
66	# If that does not work, then you can re-configure and re-build the
67	# server to NOT use shared libraries, via:
68	#
69	# ./configure --disable-shared
70	# make
71	# make install
72	#
73	libdir = /usr/lib
74
75	# pidfile: Where to place the PID of the RADIUS server.
76	#
77	# The server may be signalled while it's running by using this
78	# file.
79	#
80	# This file is written when ONLY running in daemon mode.
81	#
82	# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
83	#
84	pidfile = ${run_dir}/radiusd.pid
85
86
87	# user/group: The name (or #number) of the user/group to run radiusd as.
88	#
89	# If these are commented out, the server will run as the user/group
90	# that started it. In order to change to a different user/group, you
91	# MUST be root ( or have root privleges ) to start the server.
92	#
93	# We STRONGLY recommend that you run the server with as few permissions
94	# as possible. That is, if you're not using shadow passwords, the
95	# user and group items below should be set to 'nobody'.
96	#
97	# On SCO (ODT 3) use "user = nouser" and "group = nogroup".
98	#
99	# NOTE that some kernels refuse to setgid(group) when the value of
100	# (unsigned)group is above 60000; don't use group nobody on these systems!
101	#
102	# On systems with shadow passwords, you might have to set 'group = shadow'
103	# for the server to be able to read the shadow password file. If you can
104	# authenticate users while in debug mode, but not in daemon mode, it may be
105	# that the debugging mode server is running as a user that can read the
106	# shadow info, and the user listed below can not.
107	#
108	#user = nobody
109	#group = nobody
110
111	# max_request_time: The maximum time (in seconds) to handle a request.
112	#
113	# Requests which take more time than this to process may be killed, and
114	# a REJECT message is returned.
115	#
116	# WARNING: If you notice that requests take a long time to be handled,
117	# then this MAY INDICATE a bug in the server, in one of the modules
118	# used to handle a request, OR in your local configuration.
119	#
120	# This problem is most often seen when using an SQL database. If it takes
121	# more than a second or two to receive an answer from the SQL database,
122	# then it probably means that you haven't indexed the database. See your
123	# SQL server documentation for more information.
124	#
125	# Useful range of values: 5 to 120
126	#
127	max_request_time = 30
128
129	# delete_blocked_requests: If the request takes MORE THAN 'max_request_time'
130	# to be handled, then maybe the server should delete it.
131	#
132	# If you're running in threaded, or thread pool mode, this setting
133	# should probably be 'no'. Setting it to 'yes' when using a threaded
134	# server MAY cause the server to crash!
135	#
136	delete_blocked_requests = no
137
138	# cleanup_delay: The time to wait (in seconds) before cleaning up
139	# a reply which was sent to the NAS.
140	#
141	# The RADIUS request is normally cached internally for a short period
142	# of time, after the reply is sent to the NAS. The reply packet may be
143	# lost in the network, and the NAS will not see it. The NAS will then
144	# re-send the request, and the server will respond quickly with the
145	# cached reply.
146	#
147	# If this value is set too low, then duplicate requests from the NAS
148	# MAY NOT be detected, and will instead be handled as seperate requests.
149	#
150	# If this value is set too high, then the server will cache too many
151	# requests, and some new requests may get blocked. (See 'max_requests'.)
152	#
153	# Useful range of values: 2 to 10
154	#
155	cleanup_delay = 5
156
157	# max_requests: The maximum number of requests which the server keeps
158	# track of. This should be 256 multiplied by the number of clients.
159	# e.g. With 4 clients, this number should be 1024.
160	#
161	# If this number is too low, then when the server becomes busy,
162	# it will not respond to any new requests, until the 'cleanup_delay'
163	# time has passed, and it has removed the old requests.
164	#
165	# If this number is set too high, then the server will use a bit more
166	# memory for no real benefit.
167	#
168	# If you aren't sure what it should be set to, it's better to set it
169	# too high than too low. Setting it to 1000 per client is probably
170	# the highest it should be.
171	#
172	# Useful range of values: 256 to infinity
173	#
174	max_requests = 1024
175
176	# bind_address: Make the server listen on a particular IP address, and
177	# send replies out from that address. This directive is most useful
178	# for machines with multiple IP addresses on one interface.
179	#
180	# It can either contain "*", or an IP address, or a fully qualified
181	# Internet domain name. The default is "*"
182	#
183	# As of 1.0, you can also use the "listen" directive. See below for
184	# more information.
185	#
186	bind_address = *
187
188	# port: Allows you to bind FreeRADIUS to a specific port.
189	#
190	# The default port that most NAS boxes use is 1645, which is historical.
191	# RFC 2138 defines 1812 to be the new port. Many new servers and
192	# NAS boxes use 1812, which can create interoperability problems.
193	#
194	# The port is defined here to be 0 so that the server will pick up
195	# the machine's local configuration for the radius port, as defined
196	# in /etc/services.
197	#
198	# If you want to use the default RADIUS port as defined on your server,
199	# (usually through 'grep radius /etc/services') set this to 0 (zero).
200	#
201	# A port given on the command-line via '-p' over-rides this one.
202	#
203	# As of 1.0, you can also use the "listen" directive. See below for
204	# more information.
205	#
206	port = 0
207
208	#
209	# By default, the server uses "bind_address" to listen to all IP's
210	# on a machine, or just one IP. The "port" configuration is used
211	# to select the authentication port used when listening on those
212	# addresses.
213	#
214	# If you want the server to listen on additional addresses, you can
215	# use the "listen" section. A sample section (commented out) is included
216	# below. This "listen" section duplicates the functionality of the
217	# "bind_address" and "port" configuration entries, but it only listens
218	# for authentication packets.
219	#
220	# If you comment out the "bind_address" and "port" configuration entries,
221	# then it becomes possible to make the server accept only accounting,
222	# or authentication packets. Previously, it always listened for both
223	# types of packets, and it was impossible to make it listen for only
224	# one type of packet.
225	#
226	#listen {
227	# IP address on which to listen.
228	# Allowed values are:
229	# dotted quad (1.2.3.4)
230	# hostname (radius.example.com)
231	# wildcard (*)
232	# ipaddr = *
233
234	# Port on which to listen.
235	# Allowed values are:
236	# integer port number (1812)
237	# 0 means "use /etc/services for the proper port"
238	# port = 0
239
240	# Type of packets to listen for.
241	# Allowed values are:
242	# auth listen for authentication packets
243	# acct listen for accounting packets
244	#
245	# type = auth
246	#}
247
248
249	# hostname_lookups: Log the names of clients or just their IP addresses
250	# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
251	#
252	# The default is 'off' because it would be overall better for the net
253	# if people had to knowingly turn this feature on, since enabling it
254	# means that each client request will result in AT LEAST one lookup
255	# request to the nameserver. Enabling hostname_lookups will also
256	# mean that your server may stop randomly for 30 seconds from time
257	# to time, if the DNS requests take too long.
258	#
259	# Turning hostname lookups off also means that the server won't block
260	# for 30 seconds, if it sees an IP address which has no name associated
261	# with it.
262	#
263	# allowed values: {no, yes}
264	#
265	hostname_lookups = no
266
267	# Core dumps are a bad thing. This should only be set to 'yes'
268	# if you're debugging a problem with the server.
269	#
270	# allowed values: {no, yes}
271	#
272	allow_core_dumps = no
273
274	# Regular expressions
275	#
276	# These items are set at configure time. If they're set to "yes",
277	# then setting them to "no" turns off regular expression support.
278	#
279	# If they're set to "no" at configure time, then setting them to "yes"
280	# WILL NOT WORK. It will give you an error.
281	#
282	regular_expressions = @REGEX@
283	extended_expressions = @REGEX_EXTENDED@
284
285	# Log the full User-Name attribute, as it was found in the request.
286	#
287	# allowed values: {no, yes}
288	#
289	log_stripped_names = no
290
291	# Log authentication requests to the log file.
292	#
293	# allowed values: {no, yes}
294	#
295	log_auth = no
296
297	# Log passwords with the authentication requests.
298	# log_auth_badpass - logs password if it's rejected
299	# log_auth_goodpass - logs password if it's correct
300	#
301	# allowed values: {no, yes}
302	#
303	log_auth_badpass = no
304	log_auth_goodpass = no
305
306	# usercollide: Turn "username collision" code on and off. See the
307	# "doc/duplicate-users" file
308	#
309	# WARNING
310	# !!!!!!! Setting this to "yes" may result in the server behaving
311	# !!!!!!! strangely. The "username collision" code will ONLY work
312	# !!!!!!! with clear-text passwords. Even then, it may not do what
313	# !!!!!!! you want, or what you expect.
314	# !!!!!!!
315	# !!!!!!! We STRONGLY RECOMMEND that you do not use this feature,
316	# !!!!!!! and that you find another way of acheiving the same goal.
317	# !!!!!!!
318	# !!!!!!! e,g. module fail-over. See 'doc/configurable_failover'
319	# WARNING
320	#
321	usercollide = no
322
323	# lower_user / lower_pass:
324	# Lower case the username/password "before" or "after"
325	# attempting to authenticate.
326	#
327	# If "before", the server will first modify the request and then try
328	# to auth the user. If "after", the server will first auth using the
329	# values provided by the user. If that fails it will reprocess the
330	# request after modifying it as you specify below.
331	#
332	# This is as close as we can get to case insensitivity. It is the
333	# admin's job to ensure that the username on the auth db side is
334	# also lowercase to make this work
335	#
336	# Default is 'no' (don't lowercase values)
337	# Valid values = "before" / "after" / "no"
338	#
339	lower_user = no
340	lower_pass = no
341
342	# nospace_user / nospace_pass:
343	#
344	# Some users like to enter spaces in their username or password
345	# incorrectly. To save yourself the tech support call, you can
346	# eliminate those spaces here:
347	#
348	# Default is 'no' (don't remove spaces)
349	# Valid values = "before" / "after" / "no" (explanation above)
350	#
351	nospace_user = no
352	nospace_pass = no
353
354	# The program to execute to do concurrency checks.
355	checkrad = ${sbindir}/checkrad
356
357	# SECURITY CONFIGURATION
358	#
359	# There may be multiple methods of attacking on the server. This
360	# section holds the configuration items which minimize the impact
361	# of those attacks
362	#
363	security {
364	#
365	# max_attributes: The maximum number of attributes
366	# permitted in a RADIUS packet. Packets which have MORE
367	# than this number of attributes in them will be dropped.
368	#
369	# If this number is set too low, then no RADIUS packets
370	# will be accepted.
371	#
372	# If this number is set too high, then an attacker may be
373	# able to send a small number of packets which will cause
374	# the server to use all available memory on the machine.
375	#
376	# Setting this number to 0 means "allow any number of attributes"
377	max_attributes = 200
378
379	#
380	# reject_delay: When sending an Access-Reject, it can be
381	# delayed for a few seconds. This may help slow down a DoS
382	# attack. It also helps to slow down people trying to brute-force
383	# crack a users password.
384	#
385	# Setting this number to 0 means "send rejects immediately"
386	#
387	# If this number is set higher than 'cleanup_delay', then the
388	# rejects will be sent at 'cleanup_delay' time, when the request
389	# is deleted from the internal cache of requests.
390	#
391	# Useful ranges: 1 to 5
392	reject_delay = 1
393
394	#
395	# status_server: Whether or not the server will respond
396	# to Status-Server requests.
397	#
398	# Normally this should be set to "no", because they're useless.
399	# See: http://www.freeradius.org/rfc/rfc2865.html#Keep-Alives
400	#
401	# However, certain NAS boxes may require them.
402	#
403	# When sent a Status-Server message, the server responds with
404	# an Access-Accept packet, containing a Reply-Message attribute,
405	# which is a string describing how long the server has been
406	# running.
407	#
408	status_server = no
409	}
410
411	# PROXY CONFIGURATION
412	#
413	# proxy_requests: Turns proxying of RADIUS requests on or off.
414	#
415	# The server has proxying turned on by default. If your system is NOT
416	# set up to proxy requests to another server, then you can turn proxying
417	# off here. This will save a small amount of resources on the server.
418	#
419	# If you have proxying turned off, and your configuration files say
420	# to proxy a request, then an error message will be logged.
421	#
422	# To disable proxying, change the "yes" to "no", and comment the
423	# $INCLUDE line.
424	#
425	# allowed values: {no, yes}
426	#
427	#proxy_requests = yes
428	#$INCLUDE ${confdir}/proxy.conf
429
430
431	# CLIENTS CONFIGURATION
432	#
433	# Client configuration is defined in "clients.conf".
434	#
435
436	# The 'clients.conf' file contains all of the information from the old
437	# 'clients' and 'naslist' configuration files. We recommend that you
438	# do NOT use 'client's or 'naslist', although they are still
439	# supported.
440	#
441	# Anything listed in 'clients.conf' will take precedence over the
442	# information from the old-style configuration files.
443	#
444	#
445	$INCLUDE ${confdir}/clients.conf
446
447
448	# SNMP CONFIGURATION
449	#
450	# Snmp configuration is only valid if SNMP support was enabled
451	# at compile time.
452	#
453	# To enable SNMP querying of the server, set the value of the
454	# 'snmp' attribute to 'yes'
455	#
456	snmp = no
457	#$INCLUDE ${confdir}/snmp.conf
458
459
460	# THREAD POOL CONFIGURATION
461	#
462	# The thread pool is a long-lived group of threads which
463	# take turns (round-robin) handling any incoming requests.
464	#
465	# You probably want to have a few spare threads around,
466	# so that high-load situations can be handled immediately. If you
467	# don't have any spare threads, then the request handling will
468	# be delayed while a new thread is created, and added to the pool.
469	#
470	# You probably don't want too many spare threads around,
471	# otherwise they'll be sitting there taking up resources, and
472	# not doing anything productive.
473	#
474	# The numbers given below should be adequate for most situations.
475	#
476	thread pool {
477	# Number of servers to start initially --- should be a reasonable
478	# ballpark figure.
479	start_servers = 5
480
481	# Limit on the total number of servers running.
482	#
483	# If this limit is ever reached, clients will be LOCKED OUT, so it
484	# should NOT BE SET TOO LOW. It is intended mainly as a brake to
485	# keep a runaway server from taking the system with it as it spirals
486	# down...
487	#
488	# You may find that the server is regularly reaching the
489	# 'max_servers' number of threads, and that increasing
490	# 'max_servers' doesn't seem to make much difference.
491	#
492	# If this is the case, then the problem is MOST LIKELY that
493	# your back-end databases are taking too long to respond, and
494	# are preventing the server from responding in a timely manner.
495	#
496	# The solution is NOT do keep increasing the 'max_servers'
497	# value, but instead to fix the underlying cause of the
498	# problem: slow database, or 'hostname_lookups=yes'.
499	#
500	# For more information, see 'max_request_time', above.
501	#
502	max_servers = 32
503
504	# Server-pool size regulation. Rather than making you guess
505	# how many servers you need, FreeRADIUS dynamically adapts to
506	# the load it sees, that is, it tries to maintain enough
507	# servers to handle the current load, plus a few spare
508	# servers to handle transient load spikes.
509	#
510	# It does this by periodically checking how many servers are
511	# waiting for a request. If there are fewer than
512	# min_spare_servers, it creates a new spare. If there are
513	# more than max_spare_servers, some of the spares die off.
514	# The default values are probably OK for most sites.
515	#
516	min_spare_servers = 3
517	max_spare_servers = 10
518
519	# There may be memory leaks or resource allocation problems with
520	# the server. If so, set this value to 300 or so, so that the
521	# resources will be cleaned up periodically.
522	#
523	# This should only be necessary if there are serious bugs in the
524	# server which have not yet been fixed.
525	#
526	# '0' is a special value meaning 'infinity', or 'the servers never
527	# exit'
528	max_requests_per_server = 0
529	}
530
531	# MODULE CONFIGURATION
532	#
533	# The names and configuration of each module is located in this section.
534	#
535	# After the modules are defined here, they may be referred to by name,
536	# in other sections of this configuration file.
537	#
538	modules {
539	#
540	# Each module has a configuration as follows:
541	#
542	# name [ instance ] {
543	# config_item = value
544	# ...
545	# }
546	#
547	# The 'name' is used to load the 'rlm_name' library
548	# which implements the functionality of the module.
549	#
550	# The 'instance' is optional. To have two different instances
551	# of a module, it first must be referred to by 'name'.
552	# The different copies of the module are then created by
553	# inventing two 'instance' names, e.g. 'instance1' and 'instance2'
554	#
555	# The instance names can then be used in later configuration
556	# INSTEAD of the original 'name'. See the 'radutmp' configuration
557	# below for an example.
558	#
559
560	# PAP module to authenticate users based on their stored password
561	#
562	# Supports multiple encryption schemes
563	# clear: Clear text
564	# crypt: Unix crypt
565	# md5: MD5 ecnryption
566	# sha1: SHA1 encryption.
567	# DEFAULT: crypt
568	pap {
569	encryption_scheme = crypt
570	}
571
572	# CHAP module
573	#
574	# To authenticate requests containing a CHAP-Password attribute.
575	#
576	chap {
577	authtype = CHAP
578	}
579
580	# Pluggable Authentication Modules
581	#
582	# For Linux, see:
583	# http://www.kernel.org/pub/linux/libs/pam/index.html
584	#
585	# WARNING: On many systems, the system PAM libraries have
586	# memory leaks! We STRONGLY SUGGEST that you do not
587	# use PAM for authentication, due to those memory leaks.
588	#
589	pam {
590	#
591	# The name to use for PAM authentication.
592	# PAM looks in /etc/pam.d/${pam_auth_name}
593	# for it's configuration. See 'redhat/radiusd-pam'
594	# for a sample PAM configuration file.
595	#
596	# Note that any Pam-Auth attribute set in the 'authorize'
597	# section will over-ride this one.
598	#
599	pam_auth = radiusd
600	}
601
602	# Unix /etc/passwd style authentication
603	#
604	unix {
605	#
606	# Cache /etc/passwd, /etc/shadow, and /etc/group
607	#
608	# The default is to NOT cache them.
609	#
610	# For FreeBSD and NetBSD, you do NOT want to enable
611	# the cache, as it's password lookups are done via a
612	# database, so set this value to 'no'.
613	#
614	# Some systems (e.g. RedHat Linux with pam_pwbd) can
615	# take seconds to check a password, when th passwd
616	# file containing 1000's of entries. For those systems,
617	# you should set the cache value to 'yes', and set
618	# the locations of the 'passwd', 'shadow', and 'group'
619	# files, below.
620	#
621	# allowed values: {no, yes}
622	cache = no
623
624	# Reload the cache every 600 seconds (10mins). 0 to disable.
625	cache_reload = 600
626
627	#
628	# Define the locations of the normal passwd, shadow, and
629	# group files.
630	#
631	# 'shadow' is commented out by default, because not all
632	# systems have shadow passwords.
633	#
634	# To force the module to use the system password functions,
635	# instead of reading the files, leave the following entries
636	# commented out.
637	#
638	# This is required for some systems, like FreeBSD,
639	# and Mac OSX.
640	#
641	# passwd = /etc/passwd
642	# shadow = /etc/shadow
643	# group = /etc/group
644
645	#
646	# The location of the "wtmp" file.
647	# This should be moved to it's own module soon.
648	#
649	# The only use for 'radlast'. If you don't use
650	# 'radlast', then you can comment out this item.
651	#
652	radwtmp = ${logdir}/radwtmp
653	}
654
655
656	# Microsoft CHAP authentication
657	#
658	# This module supports MS-CHAP and MS-CHAPv2 authentication.
659	# It also enforces the SMB-Account-Ctrl attribute.
660	#
661	mschap {
662	#
663	# As of 0.9, the mschap module does NOT support
664	# reading from /etc/smbpasswd.
665	#
666	# If you are using /etc/smbpasswd, see the 'passwd'
667	# module for an example of how to use /etc/smbpasswd
668
669	# if use_mppe is not set to no mschap will
670	# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
671	# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
672	#
673	use_mppe = yes
674
675	# if mppe is enabled require_encryption makes
676	# encryption moderate
677	#
678	require_encryption = yes
679
680	# require_strong always requires 128 bit key
681	# encryption
682	#
683	require_strong = yes
684
685	# Windows sends us a username in the form of
686	# DOMAIN\user, but sends the challenge response
687	# based on only the user portion. This hack
688	# corrects for that incorrect behavior.
689	#
690	#with_ntdomain_hack = no
691
692	# The module can perform authentication itself, OR
693	# use a Windows Domain Controller. This configuration
694	# directive tells the module to call the ntlm_auth
695	# program, which will do the authentication, and return
696	# the NT-Key. Note that you MUST have "winbindd" and
697	# "nmbd" running on the local machine for ntlm_auth
698	# to work. See the ntlm_auth program documentation
699	# for details.
700	#
701	# Be VERY careful when editing the following line!
702	#
703	#ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
704	}
705
706	# Lightweight Directory Access Protocol (LDAP)
707	#
708	# This module definition allows you to use LDAP for
709	# authorization and authentication.
710	#
711	# See doc/rlm_ldap for description of configuration options
712	# and sample authorize{} and authenticate{} blocks
713	#
714	# However, LDAP can be used for authentication ONLY when the
715	# Access-Request packet contains a clear-text User-Password
716	# attribute. LDAP authentication will NOT work for any other
717	# authentication method.
718	#
719	# This means that LDAP servers don't understand EAP. If you
720	# force "Auth-Type = LDAP", and then send the server a
721	# request containing EAP authentication, then authentication
722	# WILL NOT WORK.
723	#
724	# The solution is to use the default configuration, which does
725	# work.
726	#
727	# Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We
728	# really can't emphasize this enough.
729	#
730	ldap {
731	server = "ldap-master"
732	identity = "cn=Manager,dc=syn-3"
733	password = asje2
734	basedn = "dc=syn-3"
735	filter = "(&(OXGroupID=520)(uid=%u))"
736	base_filter = "(objectclass=OXUserObject)"
737
738	# set this to 'yes' to use TLS encrypted connections
739	# to the LDAP database by using the StartTLS extended
740	# operation.
741	# The StartTLS operation is supposed to be used with normal
742	# ldap connections instead of using ldaps (port 689) connections
743	start_tls = no
744
745	# tls_cacertfile = /path/to/cacert.pem
746	# tls_cacertdir = /path/to/ca/dir/
747	# tls_certfile = /path/to/radius.crt
748	# tls_keyfile = /path/to/radius.key
749	# tls_randfile = /path/to/rnd
750	# tls_require_cert = "demand"
751
752	# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
753	# profile_attribute = "radiusProfileDn"
754	#access_attr = "OXUserObject"
755
756	# Mapping of RADIUS dictionary attributes to LDAP
757	# directory attributes.
758	dictionary_mapping = ${raddbdir}/ldap.attrmap
759
760	ldap_connections_number = 5
761
762	#
763	# NOTICE: The password_header directive is NOT case insensitive
764	#
765	#password_header = "{CRYPT}"
766	#
767	# Set:
768	password_attribute = userPassword
769	#
770	# to get the user's password from a Novell eDirectory
771	# backend. This will work only if freeRADIUS is
772	# configured to build with --with-edir option.
773	#
774	#
775	# The server can usually figure this out on its own, and pull
776	# the correct User-Password or NT-Password from the database.
777	#
778	# Note that NT-Passwords MUST be stored as a 32-digit hex
779	# string, and MUST start off with "0x", such as:
780	#
781	# 0x000102030405060708090a0b0c0d0e0f
782	#
783	# Without the leading "0x", NT-Passwords will not work.
784	# This goes for NT-Passwords stored in SQL, too.
785	#
786	# password_attribute = userPassword
787	#
788	# Un-comment the following to disable Novell eDirectory account
789	# policy check and intruder detection. This will work only if
790	# FreeRADIUS is configured to build with --with-edir option.
791	#
792	# edir_account_policy_check=no
793	#
794	timeout = 4
795	timelimit = 3
796	net_timeout = 1
797	compare_check_items = no
798	# do_xlat = yes
799	# access_attr_used_for_allow = yes
800
801	#
802	# By default, if the packet contains a User-Password,
803	# and no other module is configured to handle the
804	# authentication, the LDAP module sets itself to do
805	# LDAP bind for authentication.
806	#
807	# You can disable this behavior by setting the following
808	# configuration entry to "no".
809	#
810	# allowed values: {no, yes}
811	set_auth_type = yes
812	}
813	# passwd module allows to do authorization via any passwd-like
814	# file and to extract any attributes from these modules
815	#
816	# parameters are:
817	# filename - path to filename
818	# format - format for filename record. This parameters
819	# correlates record in the passwd file and RADIUS
820	# attributes.
821	#
822	# Field marked as '*' is key field. That is, the parameter
823	# with this name from the request is used to search for
824	# the record from passwd file
825	# Attribute marked as '=' is added to reply_itmes instead
826	# of default configure_itmes
827	# Attribute marked as '~' is added to request_items
828	#
829	# Field marked as ',' may contain a comma separated list
830	# of attributes.
831	# authtype - if record found this Auth-Type is used to authenticate
832	# user
833	# hashsize - hashtable size. If 0 or not specified records are not
834	# stored in memory and file is red on every request.
835	# allowmultiplekeys - if few records for every key are allowed
836	# ignorenislike - ignore NIS-related records
837	# delimiter - symbol to use as a field separator in passwd file,
838	# for format ':' symbol is always used. '\0', '\n' are
839	# not allowed
840	#
841
842	# An example configuration for using /etc/smbpasswd.
843	#
844	#passwd etc_smbpasswd {
845	# filename = /etc/smbpasswd
846	# format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
847	# authtype = MS-CHAP
848	# hashsize = 100
849	# ignorenislike = no
850	# allowmultiplekeys = no
851	#}
852
853	# Similar configuration, for the /etc/group file. Adds a Group-Name
854	# attribute for every group that the user is member of.
855	#
856	#passwd etc_group {
857	# filename = /etc/group
858	# format = "=Group-Name:::*,User-Name"
859	# hashsize = 50
860	# ignorenislike = yes
861	# allowmultiplekeys = yes
862	# delimiter = ":"
863	#}
864
865	# Realm module, for proxying.
866	#
867	# You can have multiple instances of the realm module to
868	# support multiple realm syntaxs at the same time. The
869	# search order is defined by the order in the authorize and
870	# preacct sections.
871	#
872	# Four config options:
873	# format - must be 'prefix' or 'suffix'
874	# delimiter - must be a single character
875	# ignore_default - set to 'yes' or 'no'
876	# ignore_null - set to 'yes' or 'no'
877	#
878	# ignore_default and ignore_null can be set to 'yes' to prevent
879	# the module from matching against DEFAULT or NULL realms. This
880	# may be useful if you have have multiple instances of the
881	# realm module.
882	#
883	# They both default to 'no'.
884	#
885
886	# 'realm/username'
887	#
888	# Using this entry, IPASS users have their realm set to "IPASS".
889	realm IPASS {
890	format = prefix
891	delimiter = "/"
892	ignore_default = no
893	ignore_null = no
894	}
895
896	# 'username@realm'
897	#
898	realm suffix {
899	format = suffix
900	delimiter = "@"
901	ignore_default = no
902	ignore_null = no
903	}
904
905	# 'username%realm'
906	#
907	realm realmpercent {
908	format = suffix
909	delimiter = "%"
910	ignore_default = no
911	ignore_null = no
912	}
913
914	#
915	# 'domain\user'
916	#
917	realm ntdomain {
918	format = prefix
919	delimiter = "\\"
920	ignore_default = no
921	ignore_null = no
922	}
923
924	# A simple value checking module
925	#
926	# It can be used to check if an attribute value in the request
927	# matches a (possibly multi valued) attribute in the check
928	# items This can be used for example for caller-id
929	# authentication. For the module to run, both the request
930	# attribute and the check items attribute must exist
931	#
932	# i.e.
933	# A user has an ldap entry with 2 radiusCallingStationId
934	# attributes with values "12345678" and "12345679". If we
935	# enable rlm_checkval, then any request which contains a
936	# Calling-Station-Id with one of those two values will be
937	# accepted. Requests with other values for
938	# Calling-Station-Id will be rejected.
939	#
940	# Regular expressions in the check attribute value are allowed
941	# as long as the operator is '=~'
942	#
943	checkval {
944	# The attribute to look for in the request
945	item-name = Calling-Station-Id
946
947	# The attribute to look for in check items. Can be multi valued
948	check-name = Calling-Station-Id
949
950	# The data type. Can be
951	# string,integer,ipaddr,date,abinary,octets
952	data-type = string
953
954	# If set to yes and we dont find the item-name attribute in the
955	# request then we send back a reject
956	# DEFAULT is no
957	#notfound-reject = no
958	}
959
960	# rewrite arbitrary packets. Useful in accounting and authorization.
961	#
962	#
963	# The module can also use the Rewrite-Rule attribute. If it
964	# is set and matches the name of the module instance, then
965	# that module instance will be the only one which runs.
966	#
967	# Also if new_attribute is set to yes then a new attribute
968	# will be created containing the value replacewith and it
969	# will be added to searchin (packet, reply, proxy, proxy_reply or config).
970	# searchfor,ignore_case and max_matches will be ignored in that case.
971	#
972	# Backreferences are supported: %{0} will contain the string the whole match
973	# and %{1} to %{8} will contain the contents of the 1st to the 8th parentheses
974	#
975	# If max_matches is greater than one the backreferences will correspond to the
976	# first match
977
978	#
979	#attr_rewrite sanecallerid {
980	# attribute = Called-Station-Id
981	# may be "packet", "reply", "proxy", "proxy_reply" or "config"
982	# searchin = packet
983	# searchfor = "[+ ]"
984	# replacewith = ""
985	# ignore_case = no
986	# new_attribute = no
987	# max_matches = 10
988	# ## If set to yes then the replace string will be appended to the original string
989	# append = no
990	#}
991
992	# Preprocess the incoming RADIUS request, before handing it off
993	# to other modules.
994	#
995	# This module processes the 'huntgroups' and 'hints' files.
996	# In addition, it re-writes some weird attributes created
997	# by some NASes, and converts the attributes into a form which
998	# is a little more standard.
999	#
1000	preprocess {
1001	huntgroups = ${confdir}/huntgroups
1002	hints = ${confdir}/hints
1003
1004	# This hack changes Ascend's wierd port numberings
1005	# to standard 0-??? port numbers so that the "+" works
1006	# for IP address assignments.
1007	with_ascend_hack = no
1008	ascend_channels_per_line = 23
1009
1010	# Windows NT machines often authenticate themselves as
1011	# NT_DOMAIN\username
1012	#
1013	# If this is set to 'yes', then the NT_DOMAIN portion
1014	# of the user-name is silently discarded.
1015	#
1016	# This configuration entry SHOULD NOT be used.
1017	# See the "realms" module for a better way to handle
1018	# NT domains.
1019	with_ntdomain_hack = no
1020
1021	# Specialix Jetstream 8500 24 port access server.
1022	#
1023	# If the user name is 10 characters or longer, a "/"
1024	# and the excess characters after the 10th are
1025	# appended to the user name.
1026	#
1027	# If you're not running that NAS, you don't need
1028	# this hack.
1029	with_specialix_jetstream_hack = no
1030
1031	# Cisco (and Quintum in Cisco mode) sends it's VSA attributes
1032	# with the attribute name again in the string, like:
1033	#
1034	# H323-Attribute = "h323-attribute=value".
1035	#
1036	# If this configuration item is set to 'yes', then
1037	# the redundant data in the the attribute text is stripped
1038	# out. The result is:
1039	#
1040	# H323-Attribute = "value"
1041	#
1042	# If you're not running a Cisco or Quintum NAS, you don't
1043	# need this hack.
1044	with_cisco_vsa_hack = no
1045	}
1046
1047	# Livingston-style 'users' file
1048	#
1049	files {
1050	usersfile = ${confdir}/users
1051	acctusersfile = ${confdir}/acct_users
1052	preproxy_usersfile = ${confdir}/preproxy_users
1053
1054	# If you want to use the old Cistron 'users' file
1055	# with FreeRADIUS, you should change the next line
1056	# to 'compat = cistron'. You can the copy your 'users'
1057	# file from Cistron.
1058	compat = no
1059	}
1060
1061	# Write a detailed log of all accounting records received.
1062	#
1063	detail {
1064	# Note that we do NOT use NAS-IP-Address here, as
1065	# that attribute MAY BE from the originating NAS, and
1066	# NOT from the proxy which actually sent us the
1067	# request. The Client-IP-Address attribute is ALWAYS
1068	# the address of the client which sent us the
1069	# request.
1070	#
1071	# The following line creates a new detail file for
1072	# every radius client (by IP address or hostname).
1073	# In addition, a new detail file is created every
1074	# day, so that the detail file doesn't have to go
1075	# through a 'log rotation'
1076	#
1077	# If your detail files are large, you may also want
1078	# to add a ':%H' (see doc/variables.txt) to the end
1079	# of it, to create a new detail file every hour, e.g.:
1080	#
1081	# ..../detail-%Y%m%d:%H
1082	#
1083	# This will create a new detail file for every hour.
1084	#
1085	detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
1086
1087	#
1088	# The Unix-style permissions on the 'detail' file.
1089	#
1090	# The detail file often contains secret or private
1091	# information about users. So by keeping the file
1092	# permissions restrictive, we can prevent unwanted
1093	# people from seeing that information.
1094	detailperm = 0600
1095
1096	#
1097	# Certain attributes such as User-Password may be
1098	# "sensitive", so they should not be printed in the
1099	# detail file. This section lists the attributes
1100	# that should be suppressed.
1101	#
1102	# The attributes should be listed one to a line.
1103	#
1104	#suppress {
1105	# User-Password
1106	#}
1107	}
1108
1109	#
1110	# Many people want to log authentication requests.
1111	# Rather than modifying the server core to print out more
1112	# messages, we can use a different instance of the 'detail'
1113	# module, to log the authentication requests to a file.
1114	#
1115	# You will also need to un-comment the 'auth_log' line
1116	# in the 'authorize' section, below.
1117	#
1118	# detail auth_log {
1119	# detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
1120
1121	#
1122	# This MUST be 0600, otherwise anyone can read
1123	# the users passwords!
1124	# detailperm = 0600
1125	# }
1126
1127	#
1128	# This module logs authentication reply packets sent
1129	# to a NAS. Both Access-Accept and Access-Reject packets
1130	# are logged.
1131	#
1132	# You will also need to un-comment the 'reply_log' line
1133	# in the 'post-auth' section, below.
1134	#
1135	# detail reply_log {
1136	# detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
1137
1138	#
1139	# This MUST be 0600, otherwise anyone can read
1140	# the users passwords!
1141	# detailperm = 0600
1142	# }
1143
1144	#
1145	# This module logs packets proxied to a home server.
1146	#
1147	# You will also need to un-comment the 'pre_proxy_log' line
1148	# in the 'pre-proxy' section, below.
1149	#
1150	# detail pre_proxy_log {
1151	# detailfile = ${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d
1152
1153	#
1154	# This MUST be 0600, otherwise anyone can read
1155	# the users passwords!
1156	# detailperm = 0600
1157	# }
1158
1159	#
1160	# This module logs response packets from a home server.
1161	#
1162	# You will also need to un-comment the 'post_proxy_log' line
1163	# in the 'post-proxy' section, below.
1164	#
1165	# detail post_proxy_log {
1166	# detailfile = ${radacctdir}/%{Client-IP-Address}/post-proxy-detail-%Y%m%d
1167
1168	#
1169	# This MUST be 0600, otherwise anyone can read
1170	# the users passwords!
1171	# detailperm = 0600
1172	# }
1173
1174	#
1175	# The rlm_sql_log module appends the SQL queries in a log
1176	# file which is read later by the radsqlrelay program.
1177	#
1178	# This module only performs the dynamic expansion of the
1179	# variables found in the SQL statements. No operation is
1180	# executed on the database server. (this could be done
1181	# later by an external program) That means the module is
1182	# useful only with non-"SELECT" statements.
1183	#
1184	# See rlm_sql_log(5) manpage.
1185	#
1186	# sql_log {
1187	# path = ${radacctdir}/sql-relay
1188	# acct_table = "radacct"
1189	# postauth_table = "radpostauth"
1190	#
1191	# Start = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
1192	# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
1193	# AcctSessionTime, AcctTerminateCause) VALUES \
1194	# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
1195	# '%{Framed-IP-Address}', '%S', '0', '0', '');"
1196	# Stop = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
1197	# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
1198	# AcctSessionTime, AcctTerminateCause) VALUES \
1199	# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
1200	# '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \
1201	# '%{Acct-Terminate-Cause}');"
1202	# Alive = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
1203	# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
1204	# AcctSessionTime, AcctTerminateCause) VALUES \
1205	# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
1206	# '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');"
1207	#
1208	# Post-Auth = "INSERT INTO ${postauth_table} \
1209	# (user, pass, reply, date) VALUES \
1210	# ('%{User-Name}', '%{User-Password:-Chap-Password}', \
1211	# '%{reply:Packet-Type}', '%S');"
1212	# }
1213
1214	#
1215	# Create a unique accounting session Id. Many NASes re-use
1216	# or repeat values for Acct-Session-Id, causing no end of
1217	# confusion.
1218	#
1219	# This module will add a (probably) unique session id
1220	# to an accounting packet based on the attributes listed
1221	# below found in the packet. See doc/rlm_acct_unique for
1222	# more information.
1223	#
1224	acct_unique {
1225	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
1226	}
1227
1228
1229	# Include another file that has the SQL-related configuration.
1230	# This is another file only because it tends to be big.
1231	#
1232	# The following configuration file is for use with MySQL.
1233	#
1234	# For Postgresql, use: ${confdir}/postgresql.conf
1235	# For MS-SQL, use: ${confdir}/mssql.conf
1236	# For Oracle, use: ${confdir}/oraclesql.conf
1237	#
1238	#$INCLUDE ${confdir}/sql.conf
1239
1240
1241	# For Cisco VoIP specific accounting with Postgresql,
1242	# use: ${confdir}/pgsql-voip.conf
1243	#
1244	# You will also need the sql schema from:
1245	# src/billing/cisco_h323_db_schema-postgres.sql
1246	# Note: This config can be use AS WELL AS the standard sql
1247	# config if you need SQL based Auth
1248
1249
1250	# Write a 'utmp' style file, of which users are currently
1251	# logged in, and where they've logged in from.
1252	#
1253	# This file is used mainly for Simultaneous-Use checking,
1254	# and also 'radwho', to see who's currently logged in.
1255	#
1256	radutmp {
1257	# Where the file is stored. It's not a log file,
1258	# so it doesn't need rotating.
1259	#
1260	filename = ${logdir}/radutmp
1261
1262	# The field in the packet to key on for the
1263	# 'user' name, If you have other fields which you want
1264	# to use to key on to control Simultaneous-Use,
1265	# then you can use them here.
1266	#
1267	# Note, however, that the size of the field in the
1268	# 'utmp' data structure is small, around 32
1269	# characters, so that will limit the possible choices
1270	# of keys.
1271	#
1272	# You may want instead: %{Stripped-User-Name:-%{User-Name}}
1273	username = %{User-Name}
1274
1275
1276	# Whether or not we want to treat "user" the same
1277	# as "USER", or "User". Some systems have problems
1278	# with case sensitivity, so this should be set to
1279	# 'no' to enable the comparisons of the key attribute
1280	# to be case insensitive.
1281	#
1282	case_sensitive = yes
1283
1284	# Accounting information may be lost, so the user MAY
1285	# have logged off of the NAS, but we haven't noticed.
1286	# If so, we can verify this information with the NAS,
1287	#
1288	# If we want to believe the 'utmp' file, then this
1289	# configuration entry can be set to 'no'.
1290	#
1291	check_with_nas = yes
1292
1293	# Set the file permissions, as the contents of this file
1294	# are usually private.
1295	perm = 0600
1296
1297	callerid = "yes"
1298	}
1299
1300	# "Safe" radutmp - does not contain caller ID, so it can be
1301	# world-readable, and radwho can work for normal users, without
1302	# exposing any information that isn't already exposed by who(1).
1303	#
1304	# This is another 'instance' of the radutmp module, but it is given
1305	# then name "sradutmp" to identify it later in the "accounting"
1306	# section.
1307	radutmp sradutmp {
1308	filename = ${logdir}/sradutmp
1309	perm = 0644
1310	callerid = "no"
1311	}
1312
1313	# attr_filter - filters the attributes received in replies from
1314	# proxied servers, to make sure we send back to our RADIUS client
1315	# only allowed attributes.
1316	attr_filter {
1317	attrsfile = ${confdir}/attrs
1318	}
1319
1320	# counter module:
1321	# This module takes an attribute (count-attribute).
1322	# It also takes a key, and creates a counter for each unique
1323	# key. The count is incremented when accounting packets are
1324	# received by the server. The value of the increment depends
1325	# on the attribute type.
1326	# If the attribute is Acct-Session-Time or of an integer type we add the
1327	# value of the attribute. If it is anything else we increase the
1328	# counter by one.
1329	#
1330	# The 'reset' parameter defines when the counters are all reset to
1331	# zero. It can be hourly, daily, weekly, monthly or never.
1332	#
1333	# hourly: Reset on 00:00 of every hour
1334	# daily: Reset on 00:00:00 every day
1335	# weekly: Reset on 00:00:00 on sunday
1336	# monthly: Reset on 00:00:00 of the first day of each month
1337	#
1338	# It can also be user defined. It should be of the form:
1339	# num[hdwm] where:
1340	# h: hours, d: days, w: weeks, m: months
1341	# If the letter is ommited days will be assumed. In example:
1342	# reset = 10h (reset every 10 hours)
1343	# reset = 12 (reset every 12 days)
1344	#
1345	#
1346	# The check-name attribute defines an attribute which will be
1347	# registered by the counter module and can be used to set the
1348	# maximum allowed value for the counter after which the user
1349	# is rejected.
1350	# Something like:
1351	#
1352	# DEFAULT Max-Daily-Session := 36000
1353	# Fall-Through = 1
1354	#
1355	# You should add the counter module in the instantiate
1356	# section so that it registers check-name before the files
1357	# module reads the users file.
1358	#
1359	# If check-name is set and the user is to be rejected then we
1360	# send back a Reply-Message and we log a Failure-Message in
1361	# the radius.log
1362	# If the count attribute is Acct-Session-Time then on each login
1363	# we send back the remaining online time as a Session-Timeout attribute
1364	#
1365	# The counter-name can also be used instead of using the check-name
1366	# like below:
1367	#
1368	# DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject
1369	# Reply-Message = "You've used up more than one hour today"
1370	#
1371	# The allowed-servicetype attribute can be used to only take
1372	# into account specific sessions. For example if a user first
1373	# logs in through a login menu and then selects ppp there will
1374	# be two sessions. One for Login-User and one for Framed-User
1375	# service type. We only need to take into account the second one.
1376	#
1377	# The module should be added in the instantiate, authorize and
1378	# accounting sections. Make sure that in the authorize
1379	# section it comes after any module which sets the
1380	# 'check-name' attribute.
1381	#
1382	counter daily {
1383	filename = ${raddbdir}/db.daily
1384	key = User-Name
1385	count-attribute = Acct-Session-Time
1386	reset = daily
1387	counter-name = Daily-Session-Time
1388	check-name = Max-Daily-Session
1389	allowed-servicetype = Framed-User
1390	cache-size = 5000
1391	}
1392
1393	#
1394	# This module is an SQL enabled version of the counter module.
1395	#
1396	# Rather than maintaining seperate (GDBM) databases of
1397	# accounting info for each counter, this module uses the data
1398	# stored in the raddacct table by the sql modules. This
1399	# module NEVER does any database INSERTs or UPDATEs. It is
1400	# totally dependent on the SQL module to process Accounting
1401	# packets.
1402	#
1403	# The 'sqlmod_inst' parameter holds the instance of the sql
1404	# module to use when querying the SQL database. Normally it
1405	# is just "sql". If you define more and one SQL module
1406	# instance (usually for failover situations), you can
1407	# specify which module has access to the Accounting Data
1408	# (radacct table).
1409	#
1410	# The 'reset' parameter defines when the counters are all
1411	# reset to zero. It can be hourly, daily, weekly, monthly or
1412	# never. It can also be user defined. It should be of the
1413	# form:
1414	# num[hdwm] where:
1415	# h: hours, d: days, w: weeks, m: months
1416	# If the letter is ommited days will be assumed. In example:
1417	# reset = 10h (reset every 10 hours)
1418	# reset = 12 (reset every 12 days)
1419	#
1420	# The 'key' parameter specifies the unique identifier for the
1421	# counter records (usually 'User-Name').
1422	#
1423	# The 'query' parameter specifies the SQL query used to get
1424	# the current Counter value from the database. There are 3
1425	# parameters that can be used in the query:
1426	# %k 'key' parameter
1427	# %b unix time value of beginning of reset period
1428	# %e unix time value of end of reset period
1429	#
1430	# The 'check-name' parameter is the name of the 'check'
1431	# attribute to use to access the counter in the 'users' file
1432	# or SQL radcheck or radcheckgroup tables.
1433	#
1434	# DEFAULT Max-Daily-Session > 3600, Auth-Type = Reject
1435	# Reply-Message = "You've used up more than one hour today"
1436	#
1437	sqlcounter dailycounter {
1438	counter-name = Daily-Session-Time
1439	check-name = Max-Daily-Session
1440	sqlmod-inst = sql
1441	key = User-Name
1442	reset = daily
1443
1444	# This query properly handles calls that span from the
1445	# previous reset period into the current period but
1446	# involves more work for the SQL server than those
1447	# below
1448	# For mysql:
1449	query = "SELECT SUM(AcctSessionTime - \
1450	GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
1451	FROM radacct WHERE UserName='%{%k}' AND \
1452	UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
1453
1454	# For postgresql:
1455	# query = "SELECT SUM(AcctSessionTime - \
1456	# GREATER((%b - AcctStartTime::ABSTIME::INT4), 0)) \
1457	# FROM radacct WHERE UserName='%{%k}' AND \
1458	# AcctStartTime::ABSTIME::INT4 + AcctSessionTime > '%b'"
1459
1460	# This query ignores calls that started in a previous
1461	# reset period and continue into into this one. But it
1462	# is a little easier on the SQL server
1463	# For mysql:
1464	# query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \
1465	# UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"
1466
1467	# For postgresql:
1468	# query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \
1469	# UserName='%{%k}' AND AND AcctStartTime::ABSTIME::INT4 > '%b'"
1470
1471	# This query is the same as above, but demonstrates an
1472	# additional counter parameter '%e' which is the
1473	# timestamp for the end of the period
1474	# For mysql:
1475	# query = "SELECT SUM(AcctSessionTime) FROM radacct \
1476	# WHERE UserName='%{%k}' AND AcctStartTime BETWEEN \
1477	# FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"
1478
1479	# For postgresql:
1480	# query = "SELECT SUM(AcctSessionTime) FROM radacct \
1481	# WHERE UserName='%{%k}' AND AcctStartTime::ABSTIME::INT4 \
1482	# BETWEEN '%b' AND '%e'"
1483	}
1484
1485	sqlcounter monthlycounter {
1486	counter-name = Monthly-Session-Time
1487	check-name = Max-Monthly-Session
1488	sqlmod-inst = sql
1489	key = User-Name
1490	reset = monthly
1491
1492	# This query properly handles calls that span from the
1493	# previous reset period into the current period but
1494	# involves more work for the SQL server than those
1495	# below
1496	# The same notes above about the differences between mysql
1497	# versus postgres queries apply here.
1498	query = "SELECT SUM(AcctSessionTime - \
1499	GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
1500	FROM radacct WHERE UserName='%{%k}' AND \
1501	UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
1502
1503	# This query ignores calls that started in a previous
1504	# reset period and continue into into this one. But it
1505	# is a little easier on the SQL server
1506	# query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \
1507	# UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"
1508
1509	# This query is the same as above, but demonstrates an
1510	# additional counter parameter '%e' which is the
1511	# timestamp for the end of the period
1512	# query = "SELECT SUM(AcctSessionTime) FROM radacct \
1513	# WHERE UserName='%{%k}' AND AcctStartTime BETWEEN \
1514	# FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"
1515	}
1516
1517	#
1518	# The "always" module is here for debugging purposes. Each
1519	# instance simply returns the same result, always, without
1520	# doing anything.
1521	always fail {
1522	rcode = fail
1523	}
1524	always reject {
1525	rcode = reject
1526	}
1527	always ok {
1528	rcode = ok
1529	simulcount = 0
1530	mpp = no
1531	}
1532
1533	#
1534	# The 'expression' module currently has no configuration.
1535	#
1536	# This module is useful only for 'xlat'. To use it,
1537	# put 'exec' into the 'instantiate' section. You can then
1538	# do dynamic translation of attributes like:
1539	#
1540	# Attribute-Name = `%{expr:2 + 3 + %{exec: uid -u}}`
1541	#
1542	# The value of the attribute will be replaced with the output
1543	# of the program which is executed. Due to RADIUS protocol
1544	# limitations, any output over 253 bytes will be ignored.
1545	expr {
1546	}
1547
1548	#
1549	# The 'digest' module currently has no configuration.
1550	#
1551	# "Digest" authentication against a Cisco SIP server.
1552	# See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
1553	# on performing digest authentication for Cisco SIP servers.
1554	#
1555	digest {
1556	}
1557
1558	#
1559	# Execute external programs
1560	#
1561	# This module is useful only for 'xlat'. To use it,
1562	# put 'exec' into the 'instantiate' section. You can then
1563	# do dynamic translation of attributes like:
1564	#
1565	# Attribute-Name = `%{exec:/path/to/program args}`
1566	#
1567	# The value of the attribute will be replaced with the output
1568	# of the program which is executed. Due to RADIUS protocol
1569	# limitations, any output over 253 bytes will be ignored.
1570	#
1571	# The RADIUS attributes from the user request will be placed
1572	# into environment variables of the executed program, as
1573	# described in 'doc/variables.txt'
1574	#
1575	exec {
1576	wait = yes
1577	input_pairs = request
1578	}
1579
1580	#
1581	# This is a more general example of the execute module.
1582	#
1583	# This one is called "echo".
1584	#
1585	# Attribute-Name = `%{echo:/path/to/program args}`
1586	#
1587	# If you wish to execute an external program in more than
1588	# one section (e.g. 'authorize', 'pre_proxy', etc), then it
1589	# is probably best to define a different instance of the
1590	# 'exec' module for every section.
1591	#
1592	exec echo {
1593	#
1594	# Wait for the program to finish.
1595	#
1596	# If we do NOT wait, then the program is "fire and
1597	# forget", and any output attributes from it are ignored.
1598	#
1599	# If we are looking for the program to output
1600	# attributes, and want to add those attributes to the
1601	# request, then we MUST wait for the program to
1602	# finish, and therefore set 'wait=yes'
1603	#
1604	# allowed values: {no, yes}
1605	wait = yes
1606
1607	#
1608	# The name of the program to execute, and it's
1609	# arguments. Dynamic translation is done on this
1610	# field, so things like the following example will
1611	# work.
1612	#
1613	program = "/bin/echo %{User-Name}"
1614
1615	#
1616	# The attributes which are placed into the
1617	# environment variables for the program.
1618	#
1619	# Allowed values are:
1620	#
1621	# request attributes from the request
1622	# config attributes from the configuration items list
1623	# reply attributes from the reply
1624	# proxy-request attributes from the proxy request
1625	# proxy-reply attributes from the proxy reply
1626	#
1627	# Note that some attributes may not exist at some
1628	# stages. e.g. There may be no proxy-reply
1629	# attributes if this module is used in the
1630	# 'authorize' section.
1631	#
1632	input_pairs = request
1633
1634	#
1635	# Where to place the output attributes (if any) from
1636	# the executed program. The values allowed, and the
1637	# restrictions as to availability, are the same as
1638	# for the input_pairs.
1639	#
1640	output_pairs = reply
1641
1642	#
1643	# When to execute the program. If the packet
1644	# type does NOT match what's listed here, then
1645	# the module does NOT execute the program.
1646	#
1647	# For a list of allowed packet types, see
1648	# the 'dictionary' file, and look for VALUEs
1649	# of the Packet-Type attribute.
1650	#
1651	# By default, the module executes on ANY packet.
1652	# Un-comment out the following line to tell the
1653	# module to execute only if an Access-Accept is
1654	# being sent to the NAS.
1655	#
1656	#packet_type = Access-Accept
1657	}
1658
1659	# Do server side ip pool management. Should be added in post-auth and
1660	# accounting sections.
1661	#
1662	# The module also requires the existance of the Pool-Name
1663	# attribute. That way the administrator can add the Pool-Name
1664	# attribute in the user profiles and use different pools
1665	# for different users. The Pool-Name attribute is a check item not
1666	# a reply item.
1667	#
1668	# Example:
1669	# radiusd.conf: ippool students { [...] }
1670	# users file : DEFAULT Group == students, Pool-Name := "students"
1671	#
1672	# ******* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST *******
1673	# ******* THEN ERASE THE DB FILES *******
1674	#
1675	ippool main_pool {
1676
1677	# range-start,range-stop: The start and end ip
1678	# addresses for the ip pool
1679	range-start = 192.168.1.1
1680	range-stop = 192.168.3.254
1681
1682	# netmask: The network mask used for the ip's
1683	netmask = 255.255.255.0
1684
1685	# cache-size: The gdbm cache size for the db
1686	# files. Should be equal to the number of ip's
1687	# available in the ip pool
1688	cache-size = 800
1689
1690	# session-db: The main db file used to allocate ip's to clients
1691	session-db = ${raddbdir}/db.ippool
1692
1693	# ip-index: Helper db index file used in multilink
1694	ip-index = ${raddbdir}/db.ipindex
1695
1696	# override: Will this ippool override a Framed-IP-Address already set
1697	override = no
1698
1699	# maximum-timeout: If not zero specifies the maximum time in seconds an
1700	# entry may be active. Default: 0
1701	maximum-timeout = 0
1702	}
1703
1704	# $INCLUDE ${confdir}/sqlippool.conf
1705
1706	# OTP token support. Not included by default.
1707	# $INCLUDE ${confdir}/otp.conf
1708
1709	}
1710
1711	# Instantiation
1712	#
1713	# This section orders the loading of the modules. Modules
1714	# listed here will get loaded BEFORE the later sections like
1715	# authorize, authenticate, etc. get examined.
1716	#
1717	# This section is not strictly needed. When a section like
1718	# authorize refers to a module, it's automatically loaded and
1719	# initialized. However, some modules may not be listed in any
1720	# of the following sections, so they can be listed here.
1721	#
1722	# Also, listing modules here ensures that you have control over
1723	# the order in which they are initalized. If one module needs
1724	# something defined by another module, you can list them in order
1725	# here, and ensure that the configuration will be OK.
1726	#
1727	instantiate {
1728	#
1729	# Allows the execution of external scripts.
1730	# The entire command line (and output) must fit into 253 bytes.
1731	#
1732	# e.g. Framed-Pool = `%{exec:/bin/echo foo}`
1733	exec
1734
1735	#
1736	# The expression module doesn't do authorization,
1737	# authentication, or accounting. It only does dynamic
1738	# translation, of the form:
1739	#
1740	# Session-Timeout = `%{expr:2 + 3}`
1741	#
1742	# So the module needs to be instantiated, but CANNOT be
1743	# listed in any other section. See 'doc/rlm_expr' for
1744	# more information.
1745	#
1746	expr
1747
1748	#
1749	# We add the counter module here so that it registers
1750	# the check-name attribute before any module which sets
1751	# it
1752	# daily
1753	}
1754
1755	# Authorization. First preprocess (hints and huntgroups files),
1756	# then realms, and finally look in the "users" file.
1757	#
1758	# The order of the realm modules will determine the order that
1759	# we try to find a matching realm.
1760	#
1761	# Make sure that 'preprocess' comes before any realm if you
1762	# need to setup hints for the remote radius server
1763	authorize {
1764	#
1765	# The preprocess module takes care of sanitizing some bizarre
1766	# attributes in the request, and turning them into attributes
1767	# which are more standard.
1768	#
1769	# It takes care of processing the 'raddb/hints' and the
1770	# 'raddb/huntgroups' files.
1771	#
1772	# It also adds the %{Client-IP-Address} attribute to the request.
1773	preprocess
1774
1775	#
1776	# If you want to have a log of authentication requests,
1777	# un-comment the following line, and the 'detail auth_log'
1778	# section, above.
1779	# auth_log
1780
1781	# attr_filter
1782
1783	#
1784	# The chap module will set 'Auth-Type := CHAP' if we are
1785	# handling a CHAP request and Auth-Type has not already been set
1786	chap
1787
1788	#
1789	# If the users are logging in with an MS-CHAP-Challenge
1790	# attribute for authentication, the mschap module will find
1791	# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
1792	# to the request, which will cause the server to then use
1793	# the mschap module for authentication.
1794	mschap
1795
1796	#
1797	# If you have a Cisco SIP server authenticating against
1798	# FreeRADIUS, uncomment the following line, and the 'digest'
1799	# line in the 'authenticate' section.
1800	# digest
1801
1802	#
1803	# Look for IPASS style 'realm/', and if not found, look for
1804	# '@realm', and decide whether or not to proxy, based on
1805	# that.
1806	# IPASS
1807
1808	#
1809	# If you are using multiple kinds of realms, you probably
1810	# want to set "ignore_null = yes" for all of them.
1811	# Otherwise, when the first style of realm doesn't match,
1812	# the other styles won't be checked.
1813	#
1814	suffix
1815	# ntdomain
1816
1817	#
1818	# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
1819	# authentication.
1820	#
1821	# It also sets the EAP-Type attribute in the request
1822	# attribute list to the EAP type from the packet.
1823
1824	#
1825	# Read the 'users' file
1826	files
1827
1828	#
1829	# Look in an SQL database. The schema of the database
1830	# is meant to mirror the "users" file.
1831	#
1832	# See "Authorization Queries" in sql.conf
1833	# sql
1834
1835	#
1836	# If you are using /etc/smbpasswd, and are also doing
1837	# mschap authentication, the un-comment this line, and
1838	# configure the 'etc_smbpasswd' module, above.
1839	# etc_smbpasswd
1840
1841	#
1842	# The ldap module will set Auth-Type to LDAP if it has not
1843	# already been set
1844	ldap
1845
1846	#
1847	# Enforce daily limits on time spent logged in.
1848	# daily
1849
1850	#
1851	# Use the checkval module
1852	# checkval
1853	}
1854
1855
1856	# Authentication.
1857	#
1858	#
1859	# This section lists which modules are available for authentication.
1860	# Note that it does NOT mean 'try each module in order'. It means
1861	# that a module from the 'authorize' section adds a configuration
1862	# attribute 'Auth-Type := FOO'. That authentication type is then
1863	# used to pick the apropriate module from the list below.
1864	#
1865
1866	# In general, you SHOULD NOT set the Auth-Type attribute. The server
1867	# will figure it out on its own, and will do the right thing. The
1868	# most common side effect of erroneously setting the Auth-Type
1869	# attribute is that one authentication method will work, but the
1870	# others will not.
1871	#
1872	# The common reasons to set the Auth-Type attribute by hand
1873	# is to either forcibly reject the user, or forcibly accept him.
1874	#
1875	authenticate {
1876	#
1877	# PAP authentication, when a back-end database listed
1878	# in the 'authorize' section supplies a password. The
1879	# password can be clear-text, or encrypted.
1880	Auth-Type PAP {
1881	pap
1882	}
1883
1884	#
1885	# Most people want CHAP authentication
1886	# A back-end database listed in the 'authorize' section
1887	# MUST supply a CLEAR TEXT password. Encrypted passwords
1888	# won't work.
1889	Auth-Type CHAP {
1890	chap
1891	}
1892
1893	#
1894	# MSCHAP authentication.
1895	Auth-Type MS-CHAP {
1896	mschap
1897	}
1898
1899	#
1900	# If you have a Cisco SIP server authenticating against
1901	# FreeRADIUS, uncomment the following line, and the 'digest'
1902	# line in the 'authorize' section.
1903	# digest
1904
1905	#
1906	# Pluggable Authentication Modules.
1907	# pam
1908
1909	#
1910	# See 'man getpwent' for information on how the 'unix'
1911	# module checks the users password. Note that packets
1912	# containing CHAP-Password attributes CANNOT be authenticated
1913	# against /etc/passwd! See the FAQ for details.
1914	#
1915	unix
1916
1917	# Uncomment it if you want to use ldap for authentication
1918	#
1919	# Note that this means "check plain-text password against
1920	# the ldap database", which means that EAP won't work,
1921	# as it does not supply a plain-text password.
1922	Auth-Type LDAP {
1923	ldap
1924	}
1925
1926	#
1927	# Allow EAP authentication.
1928	}
1929
1930
1931	#
1932	# Pre-accounting. Decide which accounting type to use.
1933	#
1934	preacct {
1935	preprocess
1936
1937	#
1938	# Ensure that we have a semi-unique identifier for every
1939	# request, and many NAS boxes are broken.
1940	acct_unique
1941
1942	#
1943	# Look for IPASS-style 'realm/', and if not found, look for
1944	# '@realm', and decide whether or not to proxy, based on
1945	# that.
1946	#
1947	# Accounting requests are generally proxied to the same
1948	# home server as authentication requests.
1949	# IPASS
1950	suffix
1951	# ntdomain
1952
1953	#
1954	# Read the 'acct_users' file
1955	files
1956	}
1957
1958	#
1959	# Accounting. Log the accounting data.
1960	#
1961	accounting {
1962	#
1963	# Create a 'detail'ed log of the packets.
1964	# Note that accounting requests which are proxied
1965	# are also logged in the detail file.
1966	detail
1967	# daily
1968
1969	# Update the wtmp file
1970	#
1971	# If you don't use "radlast", you can delete this line.
1972	unix
1973
1974	#
1975	# For Simultaneous-Use tracking.
1976	#
1977	# Due to packet losses in the network, the data here
1978	# may be incorrect. There is little we can do about it.
1979	radutmp
1980	# sradutmp
1981
1982	# Return an address to the IP Pool when we see a stop record.
1983	# main_pool
1984
1985	#
1986	# Log traffic to an SQL database.
1987	#
1988	# See "Accounting queries" in sql.conf
1989	# sql
1990
1991	#
1992	# Instead of sending the query to the SQL server,
1993	# write it into a log file.
1994	#
1995	# sql_log
1996
1997	# Cisco VoIP specific bulk accounting
1998	# pgsql-voip
1999
2000	}
2001
2002
2003	# Session database, used for checking Simultaneous-Use. Either the radutmp
2004	# or rlm_sql module can handle this.
2005	# The rlm_sql module is much faster
2006	session {
2007	radutmp
2008
2009	#
2010	# See "Simultaneous Use Checking Querie" in sql.conf
2011	# sql
2012	}
2013
2014
2015	# Post-Authentication
2016	# Once we KNOW that the user has been authenticated, there are
2017	# additional steps we can take.
2018	post-auth {
2019	# Get an address from the IP Pool.
2020	# main_pool
2021
2022	#
2023	# If you want to have a log of authentication replies,
2024	# un-comment the following line, and the 'detail reply_log'
2025	# section, above.
2026	# reply_log
2027
2028	#
2029	# After authenticating the user, do another SQL query.
2030	#
2031	# See "Authentication Logging Queries" in sql.conf
2032	# sql
2033
2034	#
2035	# Instead of sending the query to the SQL server,
2036	# write it into a log file.
2037	#
2038	# sql_log
2039
2040	#
2041	# Un-comment the following if you have set
2042	# 'edir_account_policy_check = yes' in the ldap module sub-section of
2043	# the 'modules' section.
2044	#
2045	# ldap
2046	#
2047	# Access-Reject packets are sent through the REJECT sub-section of the
2048	# post-auth section.
2049	# Uncomment the following and set the module name to the ldap instance
2050	# name if you have set 'edir_account_policy_check = yes' in the ldap
2051	# module sub-section of the 'modules' section.
2052	#
2053	# Post-Auth-Type REJECT {
2054	# insert-module-name-here
2055	# }
2056
2057	}
2058
2059	#
2060	# When the server decides to proxy a request to a home server,
2061	# the proxied request is first passed through the pre-proxy
2062	# stage. This stage can re-write the request, or decide to
2063	# cancel the proxy.
2064	#
2065	# Only a few modules currently have this method.
2066	#
2067	pre-proxy {
2068	# attr_rewrite
2069
2070	# Uncomment the following line if you want to change attributes
2071	# as defined in the preproxy_users file.
2072	# files
2073
2074	# If you want to have a log of packets proxied to a home
2075	# server, un-comment the following line, and the
2076	# 'detail pre_proxy_log' section, above.
2077	# pre_proxy_log
2078	}
2079
2080	#
2081	# When the server receives a reply to a request it proxied
2082	# to a home server, the request may be massaged here, in the
2083	# post-proxy stage.
2084	#
2085	post-proxy {
2086
2087	# If you want to have a log of replies from a home server,
2088	# un-comment the following line, and the 'detail post_proxy_log'
2089	# section, above.
2090	# post_proxy_log
2091
2092	# attr_rewrite
2093
2094	# Uncomment the following line if you want to filter replies from
2095	# remote proxies based on the rules defined in the 'attrs' file.
2096
2097	# attr_filter
2098
2099	#
2100	# If you are proxying LEAP, you MUST configure the EAP
2101	# module, and you MUST list it here, in the post-proxy
2102	# stage.
2103	#
2104	# You MUST also use the 'nostrip' option in the 'realm'
2105	# configuration. Otherwise, the User-Name attribute
2106	# in the proxied request will not match the user name
2107	# hidden inside of the EAP packet, and the end server will
2108	# reject the EAP request.
2109	#
2110	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats:

Original Format