1,938 → 1,53 |
###################################################################### |
# |
# As of 2.0.0, FreeRADIUS supports virtual hosts using the |
# "server" section, and configuration directives. |
# |
# Virtual hosts should be put into the "sites-available" |
# directory. Soft links should be created in the "sites-enabled" |
# directory to these files. This is done in a normal installation. |
# |
# If you are using 802.1X (EAP) authentication, please see also |
# the "inner-tunnel" virtual server. You will likely have to edit |
# that, too, for authentication to work. |
# |
# $Id: 3616050e7625eb6b5e2ba44782fcb737b2ae6136 $ |
# |
###################################################################### |
# |
# Read "man radiusd" before editing this file. See the section |
# titled DEBUGGING. It outlines a method where you can quickly |
# obtain the configuration you want, without running into |
# trouble. See also "man unlang", which documents the format |
# of this file. |
# |
# This configuration is designed to work in the widest possible |
# set of circumstances, with the widest possible number of |
# authentication methods. This means that in general, you should |
# need to make very few changes to this file. |
# |
# The best way to configure the server for your local system |
# is to CAREFULLY edit this file. Most attempts to make large |
# edits to this file will BREAK THE SERVER. Any edits should |
# be small, and tested by running the server with "radiusd -X". |
# Once the edits have been verified to work, save a copy of these |
# configuration files somewhere. (e.g. as a "tar" file). Then, |
# make more edits, and test, as above. |
# |
# There are many "commented out" references to modules such |
# as ldap, sql, etc. These references serve as place-holders. |
# If you need the functionality of that module, then configure |
# it in radiusd.conf, and un-comment the references to it in |
# this file. In most cases, those small changes will result |
# in the server being able to connect to the DB, and to |
# authenticate users. |
# |
###################################################################### |
|
server default { |
# |
# If you want the server to listen on additional addresses, or on |
# additional ports, you can use multiple "listen" sections. |
# |
# Each section make the server listen for only one type of packet, |
# therefore authentication and accounting have to be configured in |
# different sections. |
# |
# The server ignore all "listen" section if you are using '-i' and '-p' |
# on the command line. |
# |
listen { |
# Type of packets to listen for. |
# Allowed values are: |
# auth listen for authentication packets |
# acct listen for accounting packets |
# proxy IP to use for sending proxied packets |
# detail Read from the detail file. For examples, see |
# raddb/sites-available/copy-acct-to-home-server |
# status listen for Status-Server packets. For examples, |
# see raddb/sites-available/status |
# coa listen for CoA-Request and Disconnect-Request |
# packets. For examples, see the file |
# raddb/sites-available/coa |
# |
type = auth |
|
# Note: "type = proxy" lets you control the source IP used for |
# proxying packets, with some limitations: |
# |
# * A proxy listener CANNOT be used in a virtual server section. |
# * You should probably set "port = 0". |
# * Any "clients" configuration will be ignored. |
# |
# See also proxy.conf, and the "src_ipaddr" configuration entry |
# in the sample "home_server" section. When you specify the |
# source IP address for packets sent to a home server, the |
# proxy listeners are automatically created. |
|
# ipaddr/ipv4addr/ipv6addr - IP address on which to listen. |
# If multiple ones are listed, only the first one will |
# be used, and the others will be ignored. |
# |
# The configuration options accept the following syntax: |
# |
# ipv4addr - IPv4 address (e.g.192.0.2.3) |
# - wildcard (i.e. *) |
# - hostname (radius.example.com) |
# Only the A record for the host name is used. |
# If there is no A record, an error is returned, |
# and the server fails to start. |
# |
# ipv6addr - IPv6 address (e.g. 2001:db8::1) |
# - wildcard (i.e. *) |
# - hostname (radius.example.com) |
# Only the AAAA record for the host name is used. |
# If there is no AAAA record, an error is returned, |
# and the server fails to start. |
# |
# ipaddr - IPv4 address as above |
# - IPv6 address as above |
# - wildcard (i.e. *), which means IPv4 wildcard. |
# - hostname |
# If there is only one A or AAAA record returned |
# for the host name, it is used. |
# If multiple A or AAAA records are returned |
# for the host name, only the first one is used. |
# If both A and AAAA records are returned |
# for the host name, only the A record is used. |
# |
# ipv4addr = * |
# ipv6addr = * |
ipaddr = 127.0.0.1 |
|
# Port on which to listen. |
# Allowed values are: |
# integer port number (1812) |
# 0 means "use /etc/services for the proper port" |
ipaddr = * |
port = 0 |
|
# Some systems support binding to an interface, in addition |
# to the IP address. This feature isn't strictly necessary, |
# but for sites with many IP addresses on one interface, |
# it's useful to say "listen on all addresses for eth0". |
# |
# If your system does not support this feature, you will |
# get an error if you try to use it. |
# |
# interface = eth0 |
|
# Per-socket lists of clients. This is a very useful feature. |
# |
# The name here is a reference to a section elsewhere in |
# radiusd.conf, or clients.conf. Having the name as |
# a reference allows multiple sockets to use the same |
# set of clients. |
# |
# If this configuration is used, then the global list of clients |
# is IGNORED for this "listen" section. Take care configuring |
# this feature, to ensure you don't accidentally disable a |
# client you need. |
# |
# See clients.conf for the configuration of "per_socket_clients". |
# |
# clients = per_socket_clients |
|
# |
# Connection limiting for sockets with "proto = tcp". |
# |
# This section is ignored for other kinds of sockets. |
# |
limit { |
# |
# Limit the number of simultaneous TCP connections to the socket |
# |
# The default is 16. |
# Setting this to 0 means "no limit" |
max_connections = 16 |
|
# The per-socket "max_requests" option does not exist. |
|
# |
# The lifetime, in seconds, of a TCP connection. After |
# this lifetime, the connection will be closed. |
# |
# Setting this to 0 means "forever". |
lifetime = 0 |
|
# |
# The idle timeout, in seconds, of a TCP connection. |
# If no packets have been received over the connection for |
# this time, the connection will be closed. |
# |
# Setting this to 0 means "no timeout". |
# |
# We STRONGLY RECOMMEND that you set an idle timeout. |
# |
idle_timeout = 30 |
} |
} |
|
# |
# This second "listen" section is for listening on the accounting |
# port, too. |
# |
listen { |
ipaddr = 127.0.0.1 |
# ipv6addr = :: |
type = acct |
ipaddr = * |
port = 0 |
type = acct |
# interface = eth0 |
# clients = per_socket_clients |
|
limit { |
# The number of packets received can be rate limited via the |
# "max_pps" configuration item. When it is set, the server |
# tracks the total number of packets received in the previous |
# second. If the count is greater than "max_pps", then the |
# new packet is silently discarded. This helps the server |
# deal with overload situations. |
# |
# The packets/s counter is tracked in a sliding window. This |
# means that the pps calculation is done for the second |
# before the current packet was received. NOT for the current |
# wall-clock second, and NOT for the previous wall-clock second. |
# |
# Useful values are 0 (no limit), or 100 to 10000. |
# Values lower than 100 will likely cause the server to ignore |
# normal traffic. Few systems are capable of handling more than |
# 10K packets/s. |
# |
# It is most useful for accounting systems. Set it to 50% |
# more than the normal accounting load, and you can be sure that |
# the server will never get overloaded |
# |
# max_pps = 0 |
|
# Only for "proto = tcp". These are ignored for "udp" sockets. |
# |
# idle_timeout = 0 |
# lifetime = 0 |
# max_connections = 0 |
max_pps = 0 |
} |
} |
|
# IPv6 versions of the above - read their full config to understand options |
#listen { |
# type = auth |
# ipv6addr = ::1 |
# ipv6addr = :: # any. ::1 == localhost |
# port = 0 |
# interface = eth0 |
# clients = per_socket_clients |
# limit { |
# max_connections = 16 |
# lifetime = 0 |
# idle_timeout = 30 |
# } |
#} |
|
#listen { |
# type = acct |
# ipv6addr = ::1 |
# ipv6addr = :: # any. ::1 == localhost |
# port = 0 |
# interface = eth0 |
# clients = per_socket_clients |
# limit { |
# max_pps = 0 |
# idle_timeout = 0 |
# lifetime = 0 |
# max_connections = 0 |
# } |
#} |
|
# Authorization. First preprocess (hints and huntgroups files), |
# then realms, and finally look in the "users" file. |
# |
# Any changes made here should also be made to the "inner-tunnel" |
# virtual server. |
# |
# The order of the realm modules will determine the order that |
# we try to find a matching realm. |
# |
# Make *sure* that 'preprocess' comes before any realm if you |
# need to setup hints for the remote radius server |
authorize { |
# |
# Take a User-Name, and perform some checks on it, for spaces and other |
# invalid characters. If the User-Name appears invalid, reject the |
# request. |
# |
# See policy.d/filter for the definition of the filter_username policy. |
# |
filter_username |
|
# |
# Some broken equipment sends passwords with embedded zeros. |
# i.e. the debug output will show |
# |
# User-Password = "password\000\000" |
# |
# This policy will fix it to just be "password". |
# |
filter_password |
|
# |
# The preprocess module takes care of sanitizing some bizarre |
# attributes in the request, and turning them into attributes |
# which are more standard. |
# |
# It takes care of processing the 'raddb/mods-config/preprocess/hints' |
# and the 'raddb/mods-config/preprocess/huntgroups' files. |
preprocess |
|
# If you intend to use CUI and you require that the Operator-Name |
# be set for CUI generation and you want to generate CUI also |
# for your local clients then uncomment the operator-name |
# below and set the operator-name for your clients in clients.conf |
# operator-name |
|
# |
# If you want to generate CUI for some clients that do not |
# send proper CUI requests, then uncomment the |
# cui below and set "add_cui = yes" for these clients in clients.conf |
# cui |
|
# |
# If you want to have a log of authentication requests, |
# un-comment the following line. |
# auth_log |
|
# |
# The chap module will set 'Auth-Type := CHAP' if we are |
# handling a CHAP request and Auth-Type has not already been set |
# chap |
|
# |
# If the users are logging in with an MS-CHAP-Challenge |
# attribute for authentication, the mschap module will find |
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' |
# to the request, which will cause the server to then use |
# the mschap module for authentication. |
# mschap |
|
# |
# If you have a Cisco SIP server authenticating against |
# FreeRADIUS, uncomment the following line, and the 'digest' |
# line in the 'authenticate' section. |
# digest |
|
# |
# The WiMAX specification says that the Calling-Station-Id |
# is 6 octets of the MAC. This definition conflicts with |
# RFC 3580, and all common RADIUS practices. Un-commenting |
# the "wimax" module here means that it will fix the |
# Calling-Station-Id attribute to the normal format as |
# specified in RFC 3580 Section 3.21 |
# wimax |
|
# |
# Look for IPASS style 'realm/', and if not found, look for |
# '@realm', and decide whether or not to proxy, based on |
# that. |
# IPASS |
|
# |
# If you are using multiple kinds of realms, you probably |
# want to set "ignore_null = yes" for all of them. |
# Otherwise, when the first style of realm doesn't match, |
# the other styles won't be checked. |
# |
# suffix |
# ntdomain |
|
# |
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP |
# authentication. |
# |
# It also sets the EAP-Type attribute in the request |
# attribute list to the EAP type from the packet. |
# |
# The EAP module returns "ok" or "updated" if it is not yet ready |
# to authenticate the user. The configuration below checks for |
# "ok", and stops processing the "authorize" section if so. |
# |
# Any LDAP and/or SQL servers will not be queried for the |
# initial set of packets that go back and forth to set up |
# TTLS or PEAP. |
# |
# The "updated" check is commented out for compatibility with |
# previous versions of this configuration, but you may wish to |
# uncomment it as well; this will further reduce the number of |
# LDAP and/or SQL queries for TTLS or PEAP. |
# |
# eap { |
# ok = return |
# updated = return |
# } |
|
# |
# Pull crypt'd passwords from /etc/passwd or /etc/shadow, |
# using the system API's to get the password. If you want |
# to read /etc/passwd or /etc/shadow directly, see the |
# mods-available/passwd module. |
# |
# unix |
|
# |
# Read the 'users' file. In v3, this is located in |
# raddb/mods-config/files/authorize |
# files |
|
# |
# Look in an SQL database. The schema of the database |
# is meant to mirror the "users" file. |
# |
# See "Authorization Queries" in mods-available/sql |
sql |
# |
# If you are using /etc/smbpasswd, and are also doing |
# mschap authentication, the un-comment this line, and |
# configure the 'smbpasswd' module. |
# smbpasswd |
|
# |
# The ldap module reads passwords from the LDAP database. |
# -ldap |
|
# |
# Enforce daily limits on time spent logged in. |
# daily |
|
# |
noresetcounter |
dailycounter |
monthlycounter |
expiration |
logintime |
|
# |
# If no other module has claimed responsibility for |
# authentication, then try to use PAP. This allows the |
# other modules listed above to add a "known good" password |
# to the request, and to do nothing else. The PAP module |
# will then see that password, and use it to do PAP |
# authentication. |
# |
# This module should be listed last, so that the other modules |
# get a chance to set Auth-Type for themselves. |
# |
pap |
|
# |
# If "status_server = yes", then Status-Server messages are passed |
# through the following section, and ONLY the following section. |
# This permits you to do DB queries, for example. If the modules |
# listed here return "fail", then NO response is sent. |
# |
# Autz-Type Status-Server { |
# |
# } |
} |
|
|
# Authentication. |
# |
# |
# This section lists which modules are available for authentication. |
# Note that it does NOT mean 'try each module in order'. It means |
# that a module from the 'authorize' section adds a configuration |
# attribute 'Auth-Type := FOO'. That authentication type is then |
# used to pick the appropriate module from the list below. |
# |
|
# In general, you SHOULD NOT set the Auth-Type attribute. The server |
# will figure it out on its own, and will do the right thing. The |
# most common side effect of erroneously setting the Auth-Type |
# attribute is that one authentication method will work, but the |
# others will not. |
# |
# The common reasons to set the Auth-Type attribute by hand |
# is to either forcibly reject the user (Auth-Type := Reject), |
# or to or forcibly accept the user (Auth-Type := Accept). |
# |
# Note that Auth-Type := Accept will NOT work with EAP. |
# |
# Please do not put "unlang" configurations into the "authenticate" |
# section. Put them in the "post-auth" section instead. That's what |
# the post-auth section is for. |
# |
authenticate { |
# |
# PAP authentication, when a back-end database listed |
# in the 'authorize' section supplies a password. The |
# password can be clear-text, or encrypted. |
Auth-Type PAP { |
pap |
} |
|
# |
# Most people want CHAP authentication |
# A back-end database listed in the 'authorize' section |
# MUST supply a CLEAR TEXT password. Encrypted passwords |
# won't work. |
# Auth-Type CHAP { |
# chap |
# } |
|
# |
# MSCHAP authentication. |
# Auth-Type MS-CHAP { |
# mschap |
# } |
|
# |
# For old names, too. |
# |
# mschap |
|
# |
# If you have a Cisco SIP server authenticating against |
# FreeRADIUS, uncomment the following line, and the 'digest' |
# line in the 'authorize' section. |
# digest |
|
# |
# Pluggable Authentication Modules. |
# pam |
|
# Uncomment it if you want to use ldap for authentication |
# |
# Note that this means "check plain-text password against |
# the ldap database", which means that EAP won't work, |
# as it does not supply a plain-text password. |
# |
# We do NOT recommend using this. LDAP servers are databases. |
# They are NOT authentication servers. FreeRADIUS is an |
# authentication server, and knows what to do with authentication. |
# LDAP servers do not. |
# |
# Auth-Type LDAP { |
# ldap |
# } |
|
# |
# Allow EAP authentication. |
# eap |
|
# |
# The older configurations sent a number of attributes in |
# Access-Challenge packets, which wasn't strictly correct. |
# If you want to filter out these attributes, uncomment |
# the following lines. |
# |
# Auth-Type eap { |
# eap { |
# handled = 1 |
# } |
# if (handled && (Response-Packet-Type == Access-Challenge)) { |
# attr_filter.access_challenge.post-auth |
# handled # override the "updated" code from attr_filter |
# } |
# } |
} |
|
|
# |
# Pre-accounting. Decide which accounting type to use. |
# |
preacct { |
# preprocess |
|
# |
# Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets |
# into a single 64bit counter Acct-[Input|Output]-Octets64. |
# |
# acct_counters64 |
|
# |
# Session start times are *implied* in RADIUS. |
# The NAS never sends a "start time". Instead, it sends |
# a start packet, *possibly* with an Acct-Delay-Time. |
# The server is supposed to conclude that the start time |
# was "Acct-Delay-Time" seconds in the past. |
# |
# The code below creates an explicit start time, which can |
# then be used in other modules. It will be *mostly* correct. |
# Any errors are due to the 1-second resolution of RADIUS, |
# and the possibility that the time on the NAS may be off. |
# |
# The start time is: NOW - delay - session_length |
# |
|
# update request { |
# &FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" |
# } |
|
|
# |
# Ensure that we have a semi-unique identifier for every |
# request, and many NAS boxes are broken. |
acct_unique |
|
# |
# Look for IPASS-style 'realm/', and if not found, look for |
# '@realm', and decide whether or not to proxy, based on |
# that. |
# |
# Accounting requests are generally proxied to the same |
# home server as authentication requests. |
# IPASS |
# suffix |
# ntdomain |
|
# |
# Read the 'acct_users' file |
# files |
} |
|
# |
# Accounting. Log the accounting data. |
# |
accounting { |
# Update accounting packet by adding the CUI attribute |
# recorded from the corresponding Access-Accept |
# use it only if your NAS boxes do not support CUI themselves |
# cui |
# |
# Create a 'detail'ed log of the packets. |
# Note that accounting requests which are proxied |
# are also logged in the detail file. |
# detail |
# daily |
|
# Update the wtmp file |
# |
# If you don't use "radlast", you can delete this line. |
# unix |
|
# |
# For Simultaneous-Use tracking. |
# |
# Due to packet losses in the network, the data here |
# may be incorrect. There is little we can do about it. |
# radutmp |
# sradutmp |
|
# Return an address to the IP Pool when we see a stop record. |
# main_pool |
|
# |
# Log traffic to an SQL database. |
# |
# See "Accounting queries" in mods-available/sql |
-sql |
|
# |
# If you receive stop packets with zero session length, |
# they will NOT be logged in the database. The SQL module |
# will print a message (only in debugging mode), and will |
# return "noop". |
# |
# You can ignore these packets by uncommenting the following |
# three lines. Otherwise, the server will not respond to the |
# accounting request, and the NAS will retransmit. |
# |
# if (noop) { |
# ok |
# } |
|
# Cisco VoIP specific bulk accounting |
# pgsql-voip |
|
# For Exec-Program and Exec-Program-Wait |
exec |
|
# Filter attributes from the accounting response. |
attr_filter.accounting_response |
|
# |
# See "Autz-Type Status-Server" for how this works. |
# |
# Acct-Type Status-Server { |
# |
# } |
sql |
} |
|
|
# Session database, used for checking Simultaneous-Use. Either the radutmp |
# or rlm_sql module can handle this. |
# The rlm_sql module is *much* faster |
session { |
# radutmp |
|
# |
# See "Simultaneous Use Checking Queries" in mods-available/sql |
sql |
} |
|
|
# Post-Authentication |
# Once we KNOW that the user has been authenticated, there are |
# additional steps we can take. |
post-auth { |
# |
# If you need to have a State attribute, you can |
# add it here. e.g. for later CoA-Request with |
# State, and Service-Type = Authorize-Only. |
# |
# if (!&reply:State) { |
# update reply { |
# State := "0x%{randstr:16h}" |
# } |
# } |
|
# |
# For EAP-TTLS and PEAP, add the cached attributes to the reply. |
# The "session-state" attributes are automatically cached when |
# an Access-Challenge is sent, and automatically retrieved |
# when an Access-Request is received. |
# |
# The session-state attributes are automatically deleted after |
# an Access-Reject or Access-Accept is sent. |
# |
update { |
&reply: += &session-state: |
} |
|
# Get an address from the IP Pool. |
# main_pool |
|
|
# Create the CUI value and add the attribute to Access-Accept. |
# Uncomment the line below if *returning* the CUI. |
# cui |
|
# |
# If you want to have a log of authentication replies, |
# un-comment the following line, and enable the |
# 'detail reply_log' module. |
# reply_log |
|
# |
# After authenticating the user, do another SQL query. |
# |
# See "Authentication Logging Queries" in mods-available/sql |
sql |
|
# |
# Un-comment the following if you want to modify the user's object |
# in LDAP after a successful login. |
# |
# ldap |
|
# For Exec-Program and Exec-Program-Wait |
# exec |
|
# |
# Calculate the various WiMAX keys. In order for this to work, |
# you will need to define the WiMAX NAI, usually via |
# |
# update request { |
# WiMAX-MN-NAI = "%{User-Name}" |
# } |
# |
# If you want various keys to be calculated, you will need to |
# update the reply with "template" values. The module will see |
# this, and replace the template values with the correct ones |
# taken from the cryptographic calculations. e.g. |
# |
# update reply { |
# WiMAX-FA-RK-Key = 0x00 |
# WiMAX-MSK = "%{EAP-MSK}" |
# } |
# |
# You may want to delete the MS-MPPE-*-Keys from the reply, |
# as some WiMAX clients behave badly when those attributes |
# are included. See "raddb/modules/wimax", configuration |
# entry "delete_mppe_keys" for more information. |
# |
# wimax |
|
|
# If there is a client certificate (EAP-TLS, sometimes PEAP |
# and TTLS), then some attributes are filled out after the |
# certificate verification has been performed. These fields |
# MAY be available during the authentication, or they may be |
# available only in the "post-auth" section. |
# |
# The first set of attributes contains information about the |
# issuing certificate which is being used. The second |
# contains information about the client certificate (if |
# available). |
# |
# update reply { |
# Reply-Message += "%{TLS-Cert-Serial}" |
# Reply-Message += "%{TLS-Cert-Expiration}" |
# Reply-Message += "%{TLS-Cert-Subject}" |
# Reply-Message += "%{TLS-Cert-Issuer}" |
# Reply-Message += "%{TLS-Cert-Common-Name}" |
# Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}" |
# |
# Reply-Message += "%{TLS-Client-Cert-Serial}" |
# Reply-Message += "%{TLS-Client-Cert-Expiration}" |
# Reply-Message += "%{TLS-Client-Cert-Subject}" |
# Reply-Message += "%{TLS-Client-Cert-Issuer}" |
# Reply-Message += "%{TLS-Client-Cert-Common-Name}" |
# Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}" |
# } |
|
# Insert class attribute (with unique value) into response, |
# aids matching auth and acct records, and protects against duplicate |
# Acct-Session-Id. Note: Only works if the NAS has implemented |
# RFC 2865 behaviour for the class attribute, AND if the NAS |
# supports long Class attributes. Many older or cheap NASes |
# only support 16-octet Class attributes. |
# insert_acct_class |
|
# MacSEC requires the use of EAP-Key-Name. However, we don't |
# want to send it for all EAP sessions. Therefore, the EAP |
# modules put required data into the EAP-Session-Id attribute. |
# This attribute is never put into a request or reply packet. |
# |
# Uncomment the next few lines to copy the required data into |
# the EAP-Key-Name attribute |
# if (&reply:EAP-Session-Id) { |
# update reply { |
# EAP-Key-Name := &reply:EAP-Session-Id |
# } |
# } |
|
# Remove reply message if the response contains an EAP-Message |
remove_reply_message_if_eap |
|
# |
# Access-Reject packets are sent through the REJECT sub-section of the |
# post-auth section. |
# |
# Add the ldap module name (or instance) if you have set |
# 'edir_account_policy_check = yes' in the ldap module configuration |
# |
# The "session-state" attributes are not available here. |
# |
Post-Auth-Type REJECT { |
# log failed authentications in SQL, too. |
-sql |
attr_filter.access_reject |
|
# Insert EAP-Failure message if the request was |
# rejected by policy instead of because of an |
# authentication failure |
eap |
|
# Remove reply message if the response contains an EAP-Message |
# remove_reply_message_if_eap |
} |
|
# |
# Filter access challenges. |
# |
Post-Auth-Type Challenge { |
# remove_reply_message_if_eap |
# attr_filter.access_challenge.post-auth |
} |
|
} |
|
# |
# When the server decides to proxy a request to a home server, |
# the proxied request is first passed through the pre-proxy |
# stage. This stage can re-write the request, or decide to |
# cancel the proxy. |
# |
# Only a few modules currently have this method. |
# |
pre-proxy { |
# Before proxing the request add an Operator-Name attribute identifying |
# if the operator-name is found for this client. |
# No need to uncomment this if you have already enabled this in |
# the authorize section. |
# operator-name |
|
# The client requests the CUI by sending a CUI attribute |
# containing one zero byte. |
# Uncomment the line below if *requesting* the CUI. |
# cui |
|
# Uncomment the following line if you want to change attributes |
# as defined in the preproxy_users file. |
# files |
|
# Uncomment the following line if you want to filter requests |
# sent to remote servers based on the rules defined in the |
# 'attrs.pre-proxy' file. |
# attr_filter.pre-proxy |
|
# If you want to have a log of packets proxied to a home |
# server, un-comment the following line, and the |
# 'detail pre_proxy_log' section, above. |
# pre_proxy_log |
} |
|
# |
# When the server receives a reply to a request it proxied |
# to a home server, the request may be massaged here, in the |
# post-proxy stage. |
# |
post-proxy { |
|
# If you want to have a log of replies from a home server, |
# un-comment the following line, and the 'detail post_proxy_log' |
# section, above. |
# post_proxy_log |
|
# Uncomment the following line if you want to filter replies from |
# remote proxies based on the rules defined in the 'attrs' file. |
# attr_filter.post-proxy |
|
# |
# If you are proxying LEAP, you MUST configure the EAP |
# module, and you MUST list it here, in the post-proxy |
# stage. |
# |
# You MUST also use the 'nostrip' option in the 'realm' |
# configuration. Otherwise, the User-Name attribute |
# in the proxied request will not match the user name |
# hidden inside of the EAP packet, and the end server will |
# reject the EAP request. |
# |
# eap |
|
# |
# If the server tries to proxy a request and fails, then the |
# request is processed through the modules in this section. |
# |
# The main use of this section is to permit robust proxying |
# of accounting packets. The server can be configured to |
# proxy accounting packets as part of normal processing. |
# Then, if the home server goes down, accounting packets can |
# be logged to a local "detail" file, for processing with |
# radrelay. When the home server comes back up, radrelay |
# will read the detail file, and send the packets to the |
# home server. |
# |
# With this configuration, the server always responds to |
# Accounting-Requests from the NAS, but only writes |
# accounting packets to disk if the home server is down. |
# |
# Post-Proxy-Type Fail-Accounting { |
# detail |
# } |
} |
} |