Subversion Repositories ALCASAR

Rev

Details | Last modification | View Log

Rev Author Line No. Line
1279 richard 1
######################################################################
2
#
3
#	As of 2.0.0, FreeRADIUS supports virtual hosts using the
4
#	"server" section, and configuration directives.
5
#
6
#	Virtual hosts should be put into the "sites-available"
7
#	directory.  Soft links should be created in the "sites-enabled"
8
#	directory to these files.  This is done in a normal installation.
9
#
2420 richard 10
#	If you are using 802.1X (EAP) authentication, please see also
11
#	the "inner-tunnel" virtual server.  You will likely have to edit
12
#	that, too, for authentication to work.
1279 richard 13
#
2420 richard 14
#	$Id: 3616050e7625eb6b5e2ba44782fcb737b2ae6136 $
15
#
1279 richard 16
######################################################################
17
#
18
#	Read "man radiusd" before editing this file.  See the section
19
#	titled DEBUGGING.  It outlines a method where you can quickly
20
#	obtain the configuration you want, without running into
21
#	trouble.  See also "man unlang", which documents the format
22
#	of this file.
23
#
24
#	This configuration is designed to work in the widest possible
25
#	set of circumstances, with the widest possible number of
26
#	authentication methods.  This means that in general, you should
27
#	need to make very few changes to this file.
28
#
29
#	The best way to configure the server for your local system
30
#	is to CAREFULLY edit this file.  Most attempts to make large
31
#	edits to this file will BREAK THE SERVER.  Any edits should
32
#	be small, and tested by running the server with "radiusd -X".
33
#	Once the edits have been verified to work, save a copy of these
34
#	configuration files somewhere.  (e.g. as a "tar" file).  Then,
35
#	make more edits, and test, as above.
36
#
37
#	There are many "commented out" references to modules such
38
#	as ldap, sql, etc.  These references serve as place-holders.
39
#	If you need the functionality of that module, then configure
40
#	it in radiusd.conf, and un-comment the references to it in
41
#	this file.  In most cases, those small changes will result
42
#	in the server being able to connect to the DB, and to
43
#	authenticate users.
44
#
45
######################################################################
46
 
2420 richard 47
server default {
1279 richard 48
#
2420 richard 49
#  If you want the server to listen on additional addresses, or on
50
#  additional ports, you can use multiple "listen" sections.
1279 richard 51
#
2420 richard 52
#  Each section make the server listen for only one type of packet,
53
#  therefore authentication and accounting have to be configured in
54
#  different sections.
1279 richard 55
#
2420 richard 56
#  The server ignore all "listen" section if you are using '-i' and '-p'
57
#  on the command line.
1279 richard 58
#
2420 richard 59
listen {
60
	#  Type of packets to listen for.
61
	#  Allowed values are:
62
	#	auth	listen for authentication packets
63
	#	acct	listen for accounting packets
64
	#	proxy   IP to use for sending proxied packets
65
	#	detail  Read from the detail file.  For examples, see
66
	#               raddb/sites-available/copy-acct-to-home-server
67
	#	status  listen for Status-Server packets.  For examples,
68
	#		see raddb/sites-available/status
69
	#	coa     listen for CoA-Request and Disconnect-Request
70
	#		packets.  For examples, see the file
71
	#		raddb/sites-available/coa
72
	#
73
	type = auth
1279 richard 74
 
2420 richard 75
	#  Note: "type = proxy" lets you control the source IP used for
76
	#        proxying packets, with some limitations:
77
	#
78
	#    * A proxy listener CANNOT be used in a virtual server section.
79
	#    * You should probably set "port = 0".
80
	#    * Any "clients" configuration will be ignored.
81
	#
82
	#  See also proxy.conf, and the "src_ipaddr" configuration entry
83
	#  in the sample "home_server" section.  When you specify the
84
	#  source IP address for packets sent to a home server, the
85
	#  proxy listeners are automatically created.
86
 
87
	#  ipaddr/ipv4addr/ipv6addr - IP address on which to listen.
88
	#  If multiple ones are listed, only the first one will
89
	#  be used, and the others will be ignored.
90
	#
91
	#  The configuration options accept the following syntax:
92
	#
93
	#  ipv4addr - IPv4 address (e.g.192.0.2.3)
94
	#  	    - wildcard (i.e. *)
95
	#  	    - hostname (radius.example.com)
96
	#  	      Only the A record for the host name is used.
97
	#	      If there is no A record, an error is returned,
98
	#	      and the server fails to start.
99
	#
100
	#  ipv6addr - IPv6 address (e.g. 2001:db8::1)
101
	#  	    - wildcard (i.e. *)
102
	#  	    - hostname (radius.example.com)
103
	#  	      Only the AAAA record for the host name is used.
104
	#	      If there is no AAAA record, an error is returned,
105
	#	      and the server fails to start.
106
	#
107
	#  ipaddr   - IPv4 address as above
108
	#  	    - IPv6 address as above
109
	#  	    - wildcard (i.e. *), which means IPv4 wildcard.
110
	#	    - hostname
111
	#	      If there is only one A or AAAA record returned
112
	#	      for the host name, it is used.
113
	#	      If multiple A or AAAA records are returned
114
	#	      for the host name, only the first one is used.
115
	#	      If both A and AAAA records are returned
116
	#	      for the host name, only the A record is used.
117
	#
118
	# ipv4addr = *
119
	# ipv6addr = *
120
	ipaddr = 127.0.0.1
121
 
122
	#  Port on which to listen.
123
	#  Allowed values are:
124
	#	integer port number (1812)
125
	#	0 means "use /etc/services for the proper port"
126
	port = 0
127
 
128
	#  Some systems support binding to an interface, in addition
129
	#  to the IP address.  This feature isn't strictly necessary,
130
	#  but for sites with many IP addresses on one interface,
131
	#  it's useful to say "listen on all addresses for eth0".
132
	#
133
	#  If your system does not support this feature, you will
134
	#  get an error if you try to use it.
135
	#
136
#	interface = eth0
137
 
138
	#  Per-socket lists of clients.  This is a very useful feature.
139
	#
140
	#  The name here is a reference to a section elsewhere in
141
	#  radiusd.conf, or clients.conf.  Having the name as
142
	#  a reference allows multiple sockets to use the same
143
	#  set of clients.
144
	#
145
	#  If this configuration is used, then the global list of clients
146
	#  is IGNORED for this "listen" section.  Take care configuring
147
	#  this feature, to ensure you don't accidentally disable a
148
	#  client you need.
149
	#
150
	#  See clients.conf for the configuration of "per_socket_clients".
151
	#
152
#	clients = per_socket_clients
153
 
154
	#
155
	#  Connection limiting for sockets with "proto = tcp".
156
	#
157
	#  This section is ignored for other kinds of sockets.
158
	#
159
	limit {
160
	      #
161
	      #  Limit the number of simultaneous TCP connections to the socket
162
	      #
163
	      #  The default is 16.
164
	      #  Setting this to 0 means "no limit"
165
	      max_connections = 16
166
 
167
	      #  The per-socket "max_requests" option does not exist.
168
 
169
	      #
170
	      #  The lifetime, in seconds, of a TCP connection.  After
171
	      #  this lifetime, the connection will be closed.
172
	      #
173
	      #  Setting this to 0 means "forever".
174
	      lifetime = 0
175
 
176
	      #
177
	      #  The idle timeout, in seconds, of a TCP connection.
178
	      #  If no packets have been received over the connection for
179
	      #  this time, the connection will be closed.
180
	      #
181
	      #  Setting this to 0 means "no timeout".
182
	      #
183
	      #  We STRONGLY RECOMMEND that you set an idle timeout.
184
	      #
185
	      idle_timeout = 30
186
	}
187
}
188
 
189
#
190
#  This second "listen" section is for listening on the accounting
191
#  port, too.
192
#
193
listen {
194
	ipaddr = 127.0.0.1
195
#	ipv6addr = ::
196
	port = 0
197
	type = acct
198
#	interface = eth0
199
#	clients = per_socket_clients
200
 
201
	limit {
202
		#  The number of packets received can be rate limited via the
203
		#  "max_pps" configuration item.  When it is set, the server
204
		#  tracks the total number of packets received in the previous
205
		#  second.  If the count is greater than "max_pps", then the
206
		#  new packet is silently discarded.  This helps the server
207
		#  deal with overload situations.
208
		#
209
		#  The packets/s counter is tracked in a sliding window.  This
210
		#  means that the pps calculation is done for the second
211
		#  before the current packet was received.  NOT for the current
212
		#  wall-clock second, and NOT for the previous wall-clock second.
213
		#
214
		#  Useful values are 0 (no limit), or 100 to 10000.
215
		#  Values lower than 100 will likely cause the server to ignore
216
		#  normal traffic.  Few systems are capable of handling more than
217
		#  10K packets/s.
218
		#
219
		#  It is most useful for accounting systems.  Set it to 50%
220
		#  more than the normal accounting load, and you can be sure that
221
		#  the server will never get overloaded
222
		#
223
#		max_pps = 0
224
 
225
		# Only for "proto = tcp". These are ignored for "udp" sockets.
226
		#
227
#		idle_timeout = 0
228
#		lifetime = 0
229
#		max_connections = 0
230
	}
231
}
232
 
233
# IPv6 versions of the above - read their full config to understand options
234
#listen {
235
#	type = auth
236
#	ipv6addr = ::1
237
#	ipv6addr = ::	# any.  ::1 == localhost
238
#	port = 0
239
#	interface = eth0
240
#	clients = per_socket_clients
241
#	limit {
242
#	      max_connections = 16
243
#	      lifetime = 0
244
#	      idle_timeout = 30
245
#	}
246
#}
247
 
248
#listen {
249
#	type = acct
250
#	ipv6addr = ::1
251
#	ipv6addr = ::	# any.  ::1 == localhost
252
#	port = 0
253
#	interface = eth0
254
#	clients = per_socket_clients
255
#	limit {
256
#		max_pps = 0
257
#		idle_timeout = 0
258
#		lifetime = 0
259
#		max_connections = 0
260
#	}
261
#}
262
 
1279 richard 263
#  Authorization. First preprocess (hints and huntgroups files),
264
#  then realms, and finally look in the "users" file.
265
#
2420 richard 266
#  Any changes made here should also be made to the "inner-tunnel"
267
#  virtual server.
268
#
1279 richard 269
#  The order of the realm modules will determine the order that
270
#  we try to find a matching realm.
271
#
272
#  Make *sure* that 'preprocess' comes before any realm if you
273
#  need to setup hints for the remote radius server
274
authorize {
275
	#
2420 richard 276
	#  Take a User-Name, and perform some checks on it, for spaces and other
277
	#  invalid characters.  If the User-Name appears invalid, reject the
278
	#  request.
279
	#
280
	#  See policy.d/filter for the definition of the filter_username policy.
281
	#
282
	filter_username
283
 
284
	#
285
	#  Some broken equipment sends passwords with embedded zeros.
286
	#  i.e. the debug output will show
287
	#
288
	#	User-Password = "password\000\000"
289
	#
290
	#  This policy will fix it to just be "password".
291
	#
292
	filter_password
293
 
294
	#
1279 richard 295
	#  The preprocess module takes care of sanitizing some bizarre
296
	#  attributes in the request, and turning them into attributes
297
	#  which are more standard.
298
	#
2420 richard 299
	#  It takes care of processing the 'raddb/mods-config/preprocess/hints' 
300
	#  and the 'raddb/mods-config/preprocess/huntgroups' files.
301
	preprocess
302
 
303
	#  If you intend to use CUI and you require that the Operator-Name
304
	#  be set for CUI generation and you want to generate CUI also
305
	#  for your local clients then uncomment the operator-name
306
	#  below and set the operator-name for your clients in clients.conf
307
#	operator-name
308
 
1279 richard 309
	#
2420 richard 310
	#  If you want to generate CUI for some clients that do not
311
	#  send proper CUI requests, then uncomment the
312
	#  cui below and set "add_cui = yes" for these clients in clients.conf
313
#	cui
1279 richard 314
 
315
	#
316
	#  If you want to have a log of authentication requests,
2420 richard 317
	#  un-comment the following line.
1279 richard 318
#	auth_log
319
 
320
	#
321
	#  The chap module will set 'Auth-Type := CHAP' if we are
322
	#  handling a CHAP request and Auth-Type has not already been set
323
#	chap
324
 
325
	#
326
	#  If the users are logging in with an MS-CHAP-Challenge
327
	#  attribute for authentication, the mschap module will find
328
	#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
329
	#  to the request, which will cause the server to then use
330
	#  the mschap module for authentication.
331
#	mschap
2420 richard 332
 
1279 richard 333
	#
334
	#  If you have a Cisco SIP server authenticating against
335
	#  FreeRADIUS, uncomment the following line, and the 'digest'
336
	#  line in the 'authenticate' section.
337
#	digest
338
 
339
	#
2420 richard 340
	#  The WiMAX specification says that the Calling-Station-Id
341
	#  is 6 octets of the MAC.  This definition conflicts with
342
	#  RFC 3580, and all common RADIUS practices.  Un-commenting
343
	#  the "wimax" module here means that it will fix the
344
	#  Calling-Station-Id attribute to the normal format as
345
	#  specified in RFC 3580 Section 3.21
346
#	wimax
347
 
348
	#
1279 richard 349
	#  Look for IPASS style 'realm/', and if not found, look for
350
	#  '@realm', and decide whether or not to proxy, based on
351
	#  that.
352
#	IPASS
353
 
354
	#
355
	#  If you are using multiple kinds of realms, you probably
356
	#  want to set "ignore_null = yes" for all of them.
357
	#  Otherwise, when the first style of realm doesn't match,
358
	#  the other styles won't be checked.
359
	#
360
#	suffix
361
#	ntdomain
362
 
363
	#
364
	#  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
365
	#  authentication.
366
	#
367
	#  It also sets the EAP-Type attribute in the request
368
	#  attribute list to the EAP type from the packet.
369
	#
2420 richard 370
	#  The EAP module returns "ok" or "updated" if it is not yet ready
371
	#  to authenticate the user.  The configuration below checks for
372
	#  "ok", and stops processing the "authorize" section if so.
1279 richard 373
	#
2420 richard 374
	#  Any LDAP and/or SQL servers will not be queried for the
375
	#  initial set of packets that go back and forth to set up
376
	#  TTLS or PEAP.
1279 richard 377
	#
2420 richard 378
	#  The "updated" check is commented out for compatibility with
379
	#  previous versions of this configuration, but you may wish to
380
	#  uncomment it as well; this will further reduce the number of
381
	#  LDAP and/or SQL queries for TTLS or PEAP.
382
	#
1279 richard 383
#	eap {
384
#		ok = return
2420 richard 385
#		updated = return
386
	}
1279 richard 387
 
388
	#
389
	#  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
390
	#  using the system API's to get the password.  If you want
391
	#  to read /etc/passwd or /etc/shadow directly, see the
2420 richard 392
	#  mods-available/passwd module.
1279 richard 393
	#
394
#	unix
395
 
396
	#
2420 richard 397
	#  Read the 'users' file.  In v3, this is located in
398
	#  raddb/mods-config/files/authorize
1279 richard 399
#	files
400
 
401
	#
402
	#  Look in an SQL database.  The schema of the database
403
	#  is meant to mirror the "users" file.
404
	#
2420 richard 405
	#  See "Authorization Queries" in mods-available/sql
1279 richard 406
	sql
407
	#
408
	#  If you are using /etc/smbpasswd, and are also doing
409
	#  mschap authentication, the un-comment this line, and
2420 richard 410
	#  configure the 'smbpasswd' module.
411
#	smbpasswd
1279 richard 412
 
413
	#
2420 richard 414
	#  The ldap module reads passwords from the LDAP database.
415
#	-ldap
1279 richard 416
 
417
	#
418
	#  Enforce daily limits on time spent logged in.
419
#	daily
420
 
421
	#
422
	expiration
423
	logintime
424
 
425
	#
426
	#  If no other module has claimed responsibility for
427
	#  authentication, then try to use PAP.  This allows the
428
	#  other modules listed above to add a "known good" password
429
	#  to the request, and to do nothing else.  The PAP module
430
	#  will then see that password, and use it to do PAP
431
	#  authentication.
432
	#
433
	#  This module should be listed last, so that the other modules
434
	#  get a chance to set Auth-Type for themselves.
435
	#
1464 richard 436
	pap
1279 richard 437
 
438
	#
439
	#  If "status_server = yes", then Status-Server messages are passed
440
	#  through the following section, and ONLY the following section.
441
	#  This permits you to do DB queries, for example.  If the modules
442
	#  listed here return "fail", then NO response is sent.
443
	#
444
#	Autz-Type Status-Server {
445
#
446
#	}
447
}
448
 
449
 
450
#  Authentication.
451
#
452
#
453
#  This section lists which modules are available for authentication.
454
#  Note that it does NOT mean 'try each module in order'.  It means
455
#  that a module from the 'authorize' section adds a configuration
456
#  attribute 'Auth-Type := FOO'.  That authentication type is then
2420 richard 457
#  used to pick the appropriate module from the list below.
1279 richard 458
#
459
 
460
#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
461
#  will figure it out on its own, and will do the right thing.  The
462
#  most common side effect of erroneously setting the Auth-Type
463
#  attribute is that one authentication method will work, but the
464
#  others will not.
465
#
466
#  The common reasons to set the Auth-Type attribute by hand
467
#  is to either forcibly reject the user (Auth-Type := Reject),
468
#  or to or forcibly accept the user (Auth-Type := Accept).
469
#
470
#  Note that Auth-Type := Accept will NOT work with EAP.
471
#
472
#  Please do not put "unlang" configurations into the "authenticate"
473
#  section.  Put them in the "post-auth" section instead.  That's what
474
#  the post-auth section is for.
475
#
476
authenticate {
2420 richard 477
	#
478
	#  PAP authentication, when a back-end database listed
479
	#  in the 'authorize' section supplies a password.  The
480
	#  password can be clear-text, or encrypted.
1464 richard 481
	Auth-Type PAP {
482
		pap
483
	}
2420 richard 484
 
485
	#
486
	#  Most people want CHAP authentication
487
	#  A back-end database listed in the 'authorize' section
488
	#  MUST supply a CLEAR TEXT password.  Encrypted passwords
489
	#  won't work.
1279 richard 490
#	Auth-Type CHAP {
491
#		chap
492
#	}
2420 richard 493
 
494
	#
495
	#  MSCHAP authentication.
1279 richard 496
#	Auth-Type MS-CHAP {
497
#		mschap
498
#	}
2420 richard 499
 
500
	#
501
	#  For old names, too.
502
	#
503
#	mschap
504
 
505
	#
506
	#  If you have a Cisco SIP server authenticating against
507
	#  FreeRADIUS, uncomment the following line, and the 'digest'
508
	#  line in the 'authorize' section.
1279 richard 509
#	digest
2420 richard 510
 
511
	#
512
	#  Pluggable Authentication Modules.
1279 richard 513
#	pam
2420 richard 514
 
515
	#  Uncomment it if you want to use ldap for authentication
516
	#
517
	#  Note that this means "check plain-text password against
518
	#  the ldap database", which means that EAP won't work,
519
	#  as it does not supply a plain-text password.
520
	#
521
	#  We do NOT recommend using this.  LDAP servers are databases.
522
	#  They are NOT authentication servers.  FreeRADIUS is an
523
	#  authentication server, and knows what to do with authentication.
524
	#  LDAP servers do not.
525
	#
1279 richard 526
#	Auth-Type LDAP {
527
#		ldap
528
#	}
2420 richard 529
 
530
	#
531
	#  Allow EAP authentication.
1279 richard 532
#	eap
2420 richard 533
 
534
	#
535
	#  The older configurations sent a number of attributes in
536
	#  Access-Challenge packets, which wasn't strictly correct.
537
	#  If you want to filter out these attributes, uncomment
538
	#  the following lines.
539
	#
540
#	Auth-Type eap {
541
#		eap {
542
#			handled = 1
543
#		}
544
#		if (handled && (Response-Packet-Type == Access-Challenge)) {
545
#			attr_filter.access_challenge.post-auth
546
#			handled  # override the "updated" code from attr_filter
547
#		}
548
#	}
1279 richard 549
}
550
 
551
 
552
#
553
#  Pre-accounting.  Decide which accounting type to use.
554
#
555
preacct {
1464 richard 556
#	preprocess
1279 richard 557
 
558
	#
2420 richard 559
	#  Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets
560
	#  into a single 64bit counter Acct-[Input|Output]-Octets64.
561
	#
562
#	acct_counters64
563
 
564
	#
565
	#  Session start times are *implied* in RADIUS.
566
	#  The NAS never sends a "start time".  Instead, it sends
567
	#  a start packet, *possibly* with an Acct-Delay-Time.
568
	#  The server is supposed to conclude that the start time
569
	#  was "Acct-Delay-Time" seconds in the past.
570
	#
571
	#  The code below creates an explicit start time, which can
572
	#  then be used in other modules.  It will be *mostly* correct.
573
	#  Any errors are due to the 1-second resolution of RADIUS,
574
	#  and the possibility that the time on the NAS may be off.
575
	#
576
	#  The start time is: NOW - delay - session_length
577
	#
578
 
579
#	update request {
580
#	  	&FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
581
#	}
582
 
583
 
584
	#
1279 richard 585
	#  Ensure that we have a semi-unique identifier for every
586
	#  request, and many NAS boxes are broken.
2420 richard 587
	acct_unique
1279 richard 588
 
589
	#
590
	#  Look for IPASS-style 'realm/', and if not found, look for
591
	#  '@realm', and decide whether or not to proxy, based on
592
	#  that.
593
	#
594
	#  Accounting requests are generally proxied to the same
595
	#  home server as authentication requests.
596
#	IPASS
597
#	suffix
598
#	ntdomain
599
 
600
	#
601
	#  Read the 'acct_users' file
602
#	files
603
}
604
 
605
#
606
#  Accounting.  Log the accounting data.
607
#
608
accounting {
2420 richard 609
	#  Update accounting packet by adding the CUI attribute
610
	#  recorded from the corresponding Access-Accept
611
	#  use it only if your NAS boxes do not support CUI themselves
612
#	cui
1279 richard 613
	#
614
	#  Create a 'detail'ed log of the packets.
615
	#  Note that accounting requests which are proxied
616
	#  are also logged in the detail file.
617
#	detail
618
#	daily
619
 
620
	#  Update the wtmp file
621
	#
622
	#  If you don't use "radlast", you can delete this line.
623
#	unix
624
 
625
	#
626
	#  For Simultaneous-Use tracking.
627
	#
628
	#  Due to packet losses in the network, the data here
629
	#  may be incorrect.  There is little we can do about it.
630
#	radutmp
1283 richard 631
#	sradutmp
1279 richard 632
 
633
	#  Return an address to the IP Pool when we see a stop record.
634
#	main_pool
635
 
636
	#
637
	#  Log traffic to an SQL database.
638
	#
2420 richard 639
	#  See "Accounting queries" in mods-available/sql
640
	-sql
1279 richard 641
 
642
	#
2420 richard 643
	#  If you receive stop packets with zero session length,
644
	#  they will NOT be logged in the database.  The SQL module
645
	#  will print a message (only in debugging mode), and will
646
	#  return "noop".
1279 richard 647
	#
2420 richard 648
	#  You can ignore these packets by uncommenting the following
649
	#  three lines.  Otherwise, the server will not respond to the
650
	#  accounting request, and the NAS will retransmit.
651
	#
652
#	if (noop) {
653
#		ok
654
#	}
1279 richard 655
 
656
	#  Cisco VoIP specific bulk accounting
657
#	pgsql-voip
658
 
2420 richard 659
	# For Exec-Program and Exec-Program-Wait
660
	exec
661
 
1279 richard 662
	#  Filter attributes from the accounting response.
663
	attr_filter.accounting_response
664
 
665
	#
666
	#  See "Autz-Type Status-Server" for how this works.
667
	#
668
#	Acct-Type Status-Server {
669
#
670
#	}
671
}
672
 
673
 
674
#  Session database, used for checking Simultaneous-Use. Either the radutmp
675
#  or rlm_sql module can handle this.
676
#  The rlm_sql module is *much* faster
677
session {
678
#	radutmp
679
 
680
	#
2420 richard 681
	#  See "Simultaneous Use Checking Queries" in mods-available/sql
1279 richard 682
	sql
683
}
684
 
685
 
686
#  Post-Authentication
687
#  Once we KNOW that the user has been authenticated, there are
688
#  additional steps we can take.
689
post-auth {
2420 richard 690
	#
691
	#  If you need to have a State attribute, you can
692
	#  add it here.  e.g. for later CoA-Request with
693
	#  State, and Service-Type = Authorize-Only.
694
	#
695
#	if (!&reply:State) {
696
#		update reply {
697
#			State := "0x%{randstr:16h}"
698
#		}
699
#	}
700
 
701
	#
702
	#  For EAP-TTLS and PEAP, add the cached attributes to the reply.
703
	#  The "session-state" attributes are automatically cached when
704
	#  an Access-Challenge is sent, and automatically retrieved
705
	#  when an Access-Request is received.
706
	#
707
	#  The session-state attributes are automatically deleted after
708
	#  an Access-Reject or Access-Accept is sent.
709
	#
710
	update {
711
		&reply: += &session-state:
712
	}
713
 
1279 richard 714
	#  Get an address from the IP Pool.
715
#	main_pool
716
 
2420 richard 717
 
718
	#  Create the CUI value and add the attribute to Access-Accept.
719
	#  Uncomment the line below if *returning* the CUI.
720
#	cui
721
 
1279 richard 722
	#
723
	#  If you want to have a log of authentication replies,
2420 richard 724
	#  un-comment the following line, and enable the
725
	#  'detail reply_log' module.
1279 richard 726
#	reply_log
727
 
728
	#
729
	#  After authenticating the user, do another SQL query.
730
	#
2420 richard 731
	#  See "Authentication Logging Queries" in mods-available/sql
732
	sql
1279 richard 733
 
734
	#
2420 richard 735
	#  Un-comment the following if you want to modify the user's object
736
	#  in LDAP after a successful login.
1279 richard 737
	#
2420 richard 738
#	ldap
1279 richard 739
 
2420 richard 740
	# For Exec-Program and Exec-Program-Wait
741
#	exec
742
 
1279 richard 743
	#
2420 richard 744
	#  Calculate the various WiMAX keys.  In order for this to work,
745
	#  you will need to define the WiMAX NAI, usually via
1279 richard 746
	#
2420 richard 747
	#	update request {
748
	#	       WiMAX-MN-NAI = "%{User-Name}"
749
	#	}
750
	#
751
	#  If you want various keys to be calculated, you will need to
752
	#  update the reply with "template" values.  The module will see
753
	#  this, and replace the template values with the correct ones
754
	#  taken from the cryptographic calculations.  e.g.
755
	#
756
	# 	update reply {
757
	#		WiMAX-FA-RK-Key = 0x00
758
	#		WiMAX-MSK = "%{EAP-MSK}"
759
	#	}
760
	#
761
	#  You may want to delete the MS-MPPE-*-Keys from the reply,
762
	#  as some WiMAX clients behave badly when those attributes
763
	#  are included.  See "raddb/modules/wimax", configuration
764
	#  entry "delete_mppe_keys" for more information.
765
	#
766
#	wimax
1279 richard 767
 
768
 
2420 richard 769
	#  If there is a client certificate (EAP-TLS, sometimes PEAP
770
	#  and TTLS), then some attributes are filled out after the
771
	#  certificate verification has been performed.  These fields
772
	#  MAY be available during the authentication, or they may be
773
	#  available only in the "post-auth" section.
1279 richard 774
	#
2420 richard 775
	#  The first set of attributes contains information about the
776
	#  issuing certificate which is being used.  The second
777
	#  contains information about the client certificate (if
778
	#  available).
779
#
780
#	update reply {
781
#	       Reply-Message += "%{TLS-Cert-Serial}"
782
#	       Reply-Message += "%{TLS-Cert-Expiration}"
783
#	       Reply-Message += "%{TLS-Cert-Subject}"
784
#	       Reply-Message += "%{TLS-Cert-Issuer}"
785
#	       Reply-Message += "%{TLS-Cert-Common-Name}"
786
#	       Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
787
#
788
#	       Reply-Message += "%{TLS-Client-Cert-Serial}"
789
#	       Reply-Message += "%{TLS-Client-Cert-Expiration}"
790
#	       Reply-Message += "%{TLS-Client-Cert-Subject}"
791
#	       Reply-Message += "%{TLS-Client-Cert-Issuer}"
792
#	       Reply-Message += "%{TLS-Client-Cert-Common-Name}"
793
#	       Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
794
#	}
795
 
796
	#  Insert class attribute (with unique value) into response,
797
	#  aids matching auth and acct records, and protects against duplicate
798
	#  Acct-Session-Id. Note: Only works if the NAS has implemented
799
	#  RFC 2865 behaviour for the class attribute, AND if the NAS
800
	#  supports long Class attributes.  Many older or cheap NASes
801
	#  only support 16-octet Class attributes.
802
#	insert_acct_class
803
 
804
	#  MacSEC requires the use of EAP-Key-Name.  However, we don't
805
	#  want to send it for all EAP sessions.  Therefore, the EAP
806
	#  modules put required data into the EAP-Session-Id attribute.
807
	#  This attribute is never put into a request or reply packet.
808
	#
809
	#  Uncomment the next few lines to copy the required data into
810
	#  the EAP-Key-Name attribute
811
#	if (&reply:EAP-Session-Id) {
812
#		update reply {
813
#			EAP-Key-Name := &reply:EAP-Session-Id
814
#		}
815
#	}
816
 
817
	#  Remove reply message if the response contains an EAP-Message
818
	remove_reply_message_if_eap
819
 
820
	#
1279 richard 821
	#  Access-Reject packets are sent through the REJECT sub-section of the
822
	#  post-auth section.
823
	#
824
	#  Add the ldap module name (or instance) if you have set
825
	#  'edir_account_policy_check = yes' in the ldap module configuration
826
	#
2420 richard 827
	#  The "session-state" attributes are not available here.
828
	#
1279 richard 829
	Post-Auth-Type REJECT {
2420 richard 830
		# log failed authentications in SQL, too.
831
		sql
1279 richard 832
		attr_filter.access_reject
2420 richard 833
 
834
		# Insert EAP-Failure message if the request was
835
		# rejected by policy instead of because of an
836
		# authentication failure
837
#		eap
838
 
839
		#  Remove reply message if the response contains an EAP-Message
840
#		remove_reply_message_if_eap
1279 richard 841
	}
2420 richard 842
 
843
	#
844
	#  Filter access challenges.
845
	#
846
	Post-Auth-Type Challenge {
847
#		remove_reply_message_if_eap
848
#		attr_filter.access_challenge.post-auth
849
	}
850
 
1279 richard 851
}
852
 
853
#
854
#  When the server decides to proxy a request to a home server,
855
#  the proxied request is first passed through the pre-proxy
856
#  stage.  This stage can re-write the request, or decide to
857
#  cancel the proxy.
858
#
859
#  Only a few modules currently have this method.
860
#
861
pre-proxy {
2420 richard 862
	# Before proxing the request add an Operator-Name attribute identifying
863
	# if the operator-name is found for this client.
864
	# No need to uncomment this if you have already enabled this in
865
	# the authorize section.
866
#	operator-name
1279 richard 867
 
2420 richard 868
	#  The client requests the CUI by sending a CUI attribute
869
	#  containing one zero byte.
870
	#  Uncomment the line below if *requesting* the CUI.
871
#	cui
872
 
1279 richard 873
	#  Uncomment the following line if you want to change attributes
874
	#  as defined in the preproxy_users file.
875
#	files
876
 
877
	#  Uncomment the following line if you want to filter requests
878
	#  sent to remote servers based on the rules defined in the
879
	#  'attrs.pre-proxy' file.
880
#	attr_filter.pre-proxy
881
 
882
	#  If you want to have a log of packets proxied to a home
883
	#  server, un-comment the following line, and the
884
	#  'detail pre_proxy_log' section, above.
885
#	pre_proxy_log
886
}
887
 
888
#
889
#  When the server receives a reply to a request it proxied
890
#  to a home server, the request may be massaged here, in the
891
#  post-proxy stage.
892
#
893
post-proxy {
894
 
895
	#  If you want to have a log of replies from a home server,
896
	#  un-comment the following line, and the 'detail post_proxy_log'
897
	#  section, above.
898
#	post_proxy_log
899
 
900
	#  Uncomment the following line if you want to filter replies from
901
	#  remote proxies based on the rules defined in the 'attrs' file.
902
#	attr_filter.post-proxy
903
 
904
	#
905
	#  If you are proxying LEAP, you MUST configure the EAP
906
	#  module, and you MUST list it here, in the post-proxy
907
	#  stage.
908
	#
909
	#  You MUST also use the 'nostrip' option in the 'realm'
910
	#  configuration.  Otherwise, the User-Name attribute
911
	#  in the proxied request will not match the user name
912
	#  hidden inside of the EAP packet, and the end server will
913
	#  reject the EAP request.
914
	#
915
#	eap
916
 
917
	#
918
	#  If the server tries to proxy a request and fails, then the
919
	#  request is processed through the modules in this section.
920
	#
921
	#  The main use of this section is to permit robust proxying
922
	#  of accounting packets.  The server can be configured to
923
	#  proxy accounting packets as part of normal processing.
924
	#  Then, if the home server goes down, accounting packets can
925
	#  be logged to a local "detail" file, for processing with
926
	#  radrelay.  When the home server comes back up, radrelay
927
	#  will read the detail file, and send the packets to the
928
	#  home server.
929
	#
930
	#  With this configuration, the server always responds to
931
	#  Accounting-Requests from the NAS, but only writes
932
	#  accounting packets to disk if the home server is down.
933
	#
2420 richard 934
#	Post-Proxy-Type Fail-Accounting {
1279 richard 935
#			detail
936
#	}
937
}
2420 richard 938
}