Subversion Repositories ALCASAR

Rev

Rev 1464 | Show entire file | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 1464 Rev 2420
Line 5... Line 5...
5
#
5
#
6
#	Virtual hosts should be put into the "sites-available"
6
#	Virtual hosts should be put into the "sites-available"
7
#	directory.  Soft links should be created in the "sites-enabled"
7
#	directory.  Soft links should be created in the "sites-enabled"
8
#	directory to these files.  This is done in a normal installation.
8
#	directory to these files.  This is done in a normal installation.
9
#
9
#
-
 
10
#	If you are using 802.1X (EAP) authentication, please see also
-
 
11
#	the "inner-tunnel" virtual server.  You will likely have to edit
-
 
12
#	that, too, for authentication to work.
-
 
13
#
10
#	$Id: alcasar-radius 845 2012-03-29 21:17:03Z richard $
14
#	$Id: 3616050e7625eb6b5e2ba44782fcb737b2ae6136 $
11
#
15
#
12
######################################################################
16
######################################################################
13
#
17
#
14
#	Read "man radiusd" before editing this file.  See the section
18
#	Read "man radiusd" before editing this file.  See the section
15
#	titled DEBUGGING.  It outlines a method where you can quickly
19
#	titled DEBUGGING.  It outlines a method where you can quickly
Line 38... Line 42...
38
#	in the server being able to connect to the DB, and to
42
#	in the server being able to connect to the DB, and to
39
#	authenticate users.
43
#	authenticate users.
40
#
44
#
41
######################################################################
45
######################################################################
42
 
46
 
-
 
47
server default {
43
#
48
#
44
#	In 1.x, the "authorize", etc. sections were global in
49
#  If you want the server to listen on additional addresses, or on
45
#	radiusd.conf.  As of 2.0, they SHOULD be in a server section.
50
#  additional ports, you can use multiple "listen" sections.
46
#
51
#
47
#	The server section with no virtual server name is the "default"
52
#  Each section make the server listen for only one type of packet,
-
 
53
#  therefore authentication and accounting have to be configured in
-
 
54
#  different sections.
-
 
55
#
-
 
56
#  The server ignore all "listen" section if you are using '-i' and '-p'
-
 
57
#  on the command line.
-
 
58
#
-
 
59
listen {
-
 
60
	#  Type of packets to listen for.
-
 
61
	#  Allowed values are:
-
 
62
	#	auth	listen for authentication packets
-
 
63
	#	acct	listen for accounting packets
-
 
64
	#	proxy   IP to use for sending proxied packets
-
 
65
	#	detail  Read from the detail file.  For examples, see
-
 
66
	#               raddb/sites-available/copy-acct-to-home-server
-
 
67
	#	status  listen for Status-Server packets.  For examples,
-
 
68
	#		see raddb/sites-available/status
-
 
69
	#	coa     listen for CoA-Request and Disconnect-Request
-
 
70
	#		packets.  For examples, see the file
-
 
71
	#		raddb/sites-available/coa
-
 
72
	#
-
 
73
	type = auth
-
 
74
 
-
 
75
	#  Note: "type = proxy" lets you control the source IP used for
-
 
76
	#        proxying packets, with some limitations:
-
 
77
	#
-
 
78
	#    * A proxy listener CANNOT be used in a virtual server section.
-
 
79
	#    * You should probably set "port = 0".
-
 
80
	#    * Any "clients" configuration will be ignored.
-
 
81
	#
-
 
82
	#  See also proxy.conf, and the "src_ipaddr" configuration entry
-
 
83
	#  in the sample "home_server" section.  When you specify the
-
 
84
	#  source IP address for packets sent to a home server, the
-
 
85
	#  proxy listeners are automatically created.
-
 
86
 
-
 
87
	#  ipaddr/ipv4addr/ipv6addr - IP address on which to listen.
-
 
88
	#  If multiple ones are listed, only the first one will
-
 
89
	#  be used, and the others will be ignored.
-
 
90
	#
-
 
91
	#  The configuration options accept the following syntax:
-
 
92
	#
-
 
93
	#  ipv4addr - IPv4 address (e.g.192.0.2.3)
-
 
94
	#  	    - wildcard (i.e. *)
-
 
95
	#  	    - hostname (radius.example.com)
-
 
96
	#  	      Only the A record for the host name is used.
-
 
97
	#	      If there is no A record, an error is returned,
-
 
98
	#	      and the server fails to start.
-
 
99
	#
-
 
100
	#  ipv6addr - IPv6 address (e.g. 2001:db8::1)
-
 
101
	#  	    - wildcard (i.e. *)
-
 
102
	#  	    - hostname (radius.example.com)
-
 
103
	#  	      Only the AAAA record for the host name is used.
-
 
104
	#	      If there is no AAAA record, an error is returned,
-
 
105
	#	      and the server fails to start.
-
 
106
	#
-
 
107
	#  ipaddr   - IPv4 address as above
-
 
108
	#  	    - IPv6 address as above
-
 
109
	#  	    - wildcard (i.e. *), which means IPv4 wildcard.
-
 
110
	#	    - hostname
-
 
111
	#	      If there is only one A or AAAA record returned
-
 
112
	#	      for the host name, it is used.
-
 
113
	#	      If multiple A or AAAA records are returned
-
 
114
	#	      for the host name, only the first one is used.
-
 
115
	#	      If both A and AAAA records are returned
-
 
116
	#	      for the host name, only the A record is used.
-
 
117
	#
-
 
118
	# ipv4addr = *
-
 
119
	# ipv6addr = *
-
 
120
	ipaddr = 127.0.0.1
-
 
121
 
-
 
122
	#  Port on which to listen.
-
 
123
	#  Allowed values are:
-
 
124
	#	integer port number (1812)
-
 
125
	#	0 means "use /etc/services for the proper port"
-
 
126
	port = 0
-
 
127
 
-
 
128
	#  Some systems support binding to an interface, in addition
-
 
129
	#  to the IP address.  This feature isn't strictly necessary,
-
 
130
	#  but for sites with many IP addresses on one interface,
-
 
131
	#  it's useful to say "listen on all addresses for eth0".
-
 
132
	#
-
 
133
	#  If your system does not support this feature, you will
-
 
134
	#  get an error if you try to use it.
-
 
135
	#
-
 
136
#	interface = eth0
-
 
137
 
-
 
138
	#  Per-socket lists of clients.  This is a very useful feature.
-
 
139
	#
-
 
140
	#  The name here is a reference to a section elsewhere in
-
 
141
	#  radiusd.conf, or clients.conf.  Having the name as
-
 
142
	#  a reference allows multiple sockets to use the same
-
 
143
	#  set of clients.
-
 
144
	#
-
 
145
	#  If this configuration is used, then the global list of clients
-
 
146
	#  is IGNORED for this "listen" section.  Take care configuring
-
 
147
	#  this feature, to ensure you don't accidentally disable a
-
 
148
	#  client you need.
-
 
149
	#
-
 
150
	#  See clients.conf for the configuration of "per_socket_clients".
-
 
151
	#
-
 
152
#	clients = per_socket_clients
-
 
153
 
-
 
154
	#
-
 
155
	#  Connection limiting for sockets with "proto = tcp".
-
 
156
	#
-
 
157
	#  This section is ignored for other kinds of sockets.
-
 
158
	#
-
 
159
	limit {
-
 
160
	      #
-
 
161
	      #  Limit the number of simultaneous TCP connections to the socket
-
 
162
	      #
-
 
163
	      #  The default is 16.
-
 
164
	      #  Setting this to 0 means "no limit"
-
 
165
	      max_connections = 16
-
 
166
 
-
 
167
	      #  The per-socket "max_requests" option does not exist.
-
 
168
 
-
 
169
	      #
-
 
170
	      #  The lifetime, in seconds, of a TCP connection.  After
-
 
171
	      #  this lifetime, the connection will be closed.
-
 
172
	      #
-
 
173
	      #  Setting this to 0 means "forever".
-
 
174
	      lifetime = 0
-
 
175
 
-
 
176
	      #
-
 
177
	      #  The idle timeout, in seconds, of a TCP connection.
-
 
178
	      #  If no packets have been received over the connection for
48
#	section.  It is used when no server name is specified.
179
	      #  this time, the connection will be closed.
-
 
180
	      #
-
 
181
	      #  Setting this to 0 means "no timeout".
-
 
182
	      #
-
 
183
	      #  We STRONGLY RECOMMEND that you set an idle timeout.
-
 
184
	      #
-
 
185
	      idle_timeout = 30
-
 
186
	}
-
 
187
}
-
 
188
 
49
#
189
#
50
#	We don't indent the rest of this file, because doing so
190
#  This second "listen" section is for listening on the accounting
51
#	would make it harder to read.
191
#  port, too.
52
#
192
#
-
 
193
listen {
-
 
194
	ipaddr = 127.0.0.1
-
 
195
#	ipv6addr = ::
-
 
196
	port = 0
-
 
197
	type = acct
-
 
198
#	interface = eth0
-
 
199
#	clients = per_socket_clients
-
 
200
 
-
 
201
	limit {
-
 
202
		#  The number of packets received can be rate limited via the
-
 
203
		#  "max_pps" configuration item.  When it is set, the server
-
 
204
		#  tracks the total number of packets received in the previous
-
 
205
		#  second.  If the count is greater than "max_pps", then the
-
 
206
		#  new packet is silently discarded.  This helps the server
-
 
207
		#  deal with overload situations.
-
 
208
		#
-
 
209
		#  The packets/s counter is tracked in a sliding window.  This
-
 
210
		#  means that the pps calculation is done for the second
-
 
211
		#  before the current packet was received.  NOT for the current
-
 
212
		#  wall-clock second, and NOT for the previous wall-clock second.
-
 
213
		#
-
 
214
		#  Useful values are 0 (no limit), or 100 to 10000.
-
 
215
		#  Values lower than 100 will likely cause the server to ignore
-
 
216
		#  normal traffic.  Few systems are capable of handling more than
-
 
217
		#  10K packets/s.
-
 
218
		#
-
 
219
		#  It is most useful for accounting systems.  Set it to 50%
-
 
220
		#  more than the normal accounting load, and you can be sure that
-
 
221
		#  the server will never get overloaded
-
 
222
		#
-
 
223
#		max_pps = 0
-
 
224
 
-
 
225
		# Only for "proto = tcp". These are ignored for "udp" sockets.
-
 
226
		#
-
 
227
#		idle_timeout = 0
-
 
228
#		lifetime = 0
-
 
229
#		max_connections = 0
-
 
230
	}
-
 
231
}
-
 
232
 
-
 
233
# IPv6 versions of the above - read their full config to understand options
-
 
234
#listen {
-
 
235
#	type = auth
-
 
236
#	ipv6addr = ::1
-
 
237
#	ipv6addr = ::	# any.  ::1 == localhost
-
 
238
#	port = 0
-
 
239
#	interface = eth0
-
 
240
#	clients = per_socket_clients
-
 
241
#	limit {
-
 
242
#	      max_connections = 16
-
 
243
#	      lifetime = 0
-
 
244
#	      idle_timeout = 30
-
 
245
#	}
-
 
246
#}
-
 
247
 
-
 
248
#listen {
-
 
249
#	type = acct
-
 
250
#	ipv6addr = ::1
-
 
251
#	ipv6addr = ::	# any.  ::1 == localhost
-
 
252
#	port = 0
-
 
253
#	interface = eth0
-
 
254
#	clients = per_socket_clients
-
 
255
#	limit {
-
 
256
#		max_pps = 0
-
 
257
#		idle_timeout = 0
-
 
258
#		lifetime = 0
-
 
259
#		max_connections = 0
-
 
260
#	}
-
 
261
#}
53
 
262
 
54
#  Authorization. First preprocess (hints and huntgroups files),
263
#  Authorization. First preprocess (hints and huntgroups files),
55
#  then realms, and finally look in the "users" file.
264
#  then realms, and finally look in the "users" file.
56
#
265
#
-
 
266
#  Any changes made here should also be made to the "inner-tunnel"
-
 
267
#  virtual server.
-
 
268
#
57
#  The order of the realm modules will determine the order that
269
#  The order of the realm modules will determine the order that
58
#  we try to find a matching realm.
270
#  we try to find a matching realm.
59
#
271
#
60
#  Make *sure* that 'preprocess' comes before any realm if you
272
#  Make *sure* that 'preprocess' comes before any realm if you
61
#  need to setup hints for the remote radius server
273
#  need to setup hints for the remote radius server
62
authorize {
274
authorize {
63
	#
275
	#
-
 
276
	#  Take a User-Name, and perform some checks on it, for spaces and other
-
 
277
	#  invalid characters.  If the User-Name appears invalid, reject the
-
 
278
	#  request.
-
 
279
	#
-
 
280
	#  See policy.d/filter for the definition of the filter_username policy.
-
 
281
	#
-
 
282
	filter_username
-
 
283
 
-
 
284
	#
-
 
285
	#  Some broken equipment sends passwords with embedded zeros.
-
 
286
	#  i.e. the debug output will show
-
 
287
	#
-
 
288
	#	User-Password = "password\000\000"
-
 
289
	#
-
 
290
	#  This policy will fix it to just be "password".
-
 
291
	#
-
 
292
	filter_password
-
 
293
 
-
 
294
	#
64
	#  The preprocess module takes care of sanitizing some bizarre
295
	#  The preprocess module takes care of sanitizing some bizarre
65
	#  attributes in the request, and turning them into attributes
296
	#  attributes in the request, and turning them into attributes
66
	#  which are more standard.
297
	#  which are more standard.
67
	#
298
	#
68
	#  It takes care of processing the 'raddb/hints' and the
299
	#  It takes care of processing the 'raddb/mods-config/preprocess/hints' 
69
	#  'raddb/huntgroups' files.
300
	#  and the 'raddb/mods-config/preprocess/huntgroups' files.
-
 
301
	preprocess
-
 
302
 
-
 
303
	#  If you intend to use CUI and you require that the Operator-Name
-
 
304
	#  be set for CUI generation and you want to generate CUI also
-
 
305
	#  for your local clients then uncomment the operator-name
-
 
306
	#  below and set the operator-name for your clients in clients.conf
-
 
307
#	operator-name
-
 
308
 
70
	#
309
	#
71
	#  It also adds the %{Client-IP-Address} attribute to the request.
310
	#  If you want to generate CUI for some clients that do not
-
 
311
	#  send proper CUI requests, then uncomment the
-
 
312
	#  cui below and set "add_cui = yes" for these clients in clients.conf
72
#	preprocess
313
#	cui
73
 
314
 
74
	#
315
	#
75
	#  If you want to have a log of authentication requests,
316
	#  If you want to have a log of authentication requests,
76
	#  un-comment the following line, and the 'detail auth_log'
317
	#  un-comment the following line.
77
	#  section, above.
-
 
78
#	auth_log
318
#	auth_log
79
 
319
 
80
	#
320
	#
81
	#  The chap module will set 'Auth-Type := CHAP' if we are
321
	#  The chap module will set 'Auth-Type := CHAP' if we are
82
	#  handling a CHAP request and Auth-Type has not already been set
322
	#  handling a CHAP request and Auth-Type has not already been set
Line 87... Line 327...
87
	#  attribute for authentication, the mschap module will find
327
	#  attribute for authentication, the mschap module will find
88
	#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
328
	#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
89
	#  to the request, which will cause the server to then use
329
	#  to the request, which will cause the server to then use
90
	#  the mschap module for authentication.
330
	#  the mschap module for authentication.
91
#	mschap
331
#	mschap
-
 
332
 
92
	#
333
	#
93
	#  If you have a Cisco SIP server authenticating against
334
	#  If you have a Cisco SIP server authenticating against
94
	#  FreeRADIUS, uncomment the following line, and the 'digest'
335
	#  FreeRADIUS, uncomment the following line, and the 'digest'
95
	#  line in the 'authenticate' section.
336
	#  line in the 'authenticate' section.
96
#	digest
337
#	digest
97
 
338
 
98
	#
339
	#
-
 
340
	#  The WiMAX specification says that the Calling-Station-Id
-
 
341
	#  is 6 octets of the MAC.  This definition conflicts with
-
 
342
	#  RFC 3580, and all common RADIUS practices.  Un-commenting
-
 
343
	#  the "wimax" module here means that it will fix the
-
 
344
	#  Calling-Station-Id attribute to the normal format as
-
 
345
	#  specified in RFC 3580 Section 3.21
-
 
346
#	wimax
-
 
347
 
-
 
348
	#
99
	#  Look for IPASS style 'realm/', and if not found, look for
349
	#  Look for IPASS style 'realm/', and if not found, look for
100
	#  '@realm', and decide whether or not to proxy, based on
350
	#  '@realm', and decide whether or not to proxy, based on
101
	#  that.
351
	#  that.
102
#	IPASS
352
#	IPASS
103
 
353
 
Line 115... Line 365...
115
	#  authentication.
365
	#  authentication.
116
	#
366
	#
117
	#  It also sets the EAP-Type attribute in the request
367
	#  It also sets the EAP-Type attribute in the request
118
	#  attribute list to the EAP type from the packet.
368
	#  attribute list to the EAP type from the packet.
119
	#
369
	#
120
	#  As of 2.0, the EAP module returns "ok" in the authorize stage
370
	#  The EAP module returns "ok" or "updated" if it is not yet ready
121
	#  for TTLS and PEAP.  In 1.x, it never returned "ok" here, so
371
	#  to authenticate the user.  The configuration below checks for
122
	#  this change is compatible with older configurations.
372
	#  "ok", and stops processing the "authorize" section if so.
123
	#
373
	#
124
	#  The example below uses module failover to avoid querying all
374
	#  Any LDAP and/or SQL servers will not be queried for the
125
	#  of the following modules if the EAP module returns "ok".
375
	#  initial set of packets that go back and forth to set up
-
 
376
	#  TTLS or PEAP.
-
 
377
	#
126
	#  Therefore, your LDAP and/or SQL servers will not be queried
378
	#  The "updated" check is commented out for compatibility with
127
	#  for the many packets that go back and forth to set up TTLS
379
	#  previous versions of this configuration, but you may wish to
128
	#  or PEAP.  The load on those servers will therefore be reduced.
380
	#  uncomment it as well; this will further reduce the number of
-
 
381
	#  LDAP and/or SQL queries for TTLS or PEAP.
129
	#
382
	#
130
#	eap {
383
#	eap {
131
#		ok = return
384
#		ok = return
-
 
385
#		updated = return
132
#	}
386
	}
133
 
387
 
134
	#
388
	#
135
	#  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
389
	#  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
136
	#  using the system API's to get the password.  If you want
390
	#  using the system API's to get the password.  If you want
137
	#  to read /etc/passwd or /etc/shadow directly, see the
391
	#  to read /etc/passwd or /etc/shadow directly, see the
138
	#  passwd module in radiusd.conf.
392
	#  mods-available/passwd module.
139
	#
393
	#
140
#	unix
394
#	unix
141
 
395
 
142
	#
396
	#
143
	#  Read the 'users' file
397
	#  Read the 'users' file.  In v3, this is located in
-
 
398
	#  raddb/mods-config/files/authorize
144
#	files
399
#	files
145
 
400
 
146
	#
401
	#
147
	#  Look in an SQL database.  The schema of the database
402
	#  Look in an SQL database.  The schema of the database
148
	#  is meant to mirror the "users" file.
403
	#  is meant to mirror the "users" file.
149
	#
404
	#
150
	#  See "Authorization Queries" in sql.conf
405
	#  See "Authorization Queries" in mods-available/sql
151
	sql
406
	sql
152
	noresetcounter
-
 
153
	dailycounter
-
 
154
	monthlycounter
-
 
155
	#
407
	#
156
	#  If you are using /etc/smbpasswd, and are also doing
408
	#  If you are using /etc/smbpasswd, and are also doing
157
	#  mschap authentication, the un-comment this line, and
409
	#  mschap authentication, the un-comment this line, and
158
	#  configure the 'etc_smbpasswd' module, above.
410
	#  configure the 'smbpasswd' module.
159
#	etc_smbpasswd
411
#	smbpasswd
160
 
412
 
161
	#
413
	#
162
	#  The ldap module will set Auth-Type to LDAP if it has not
414
	#  The ldap module reads passwords from the LDAP database.
163
	#  already been set
-
 
164
#	ldap {
415
#	-ldap
165
#		fail = 1
-
 
166
#	}
-
 
167
 
416
 
168
	#
417
	#
169
	#  Enforce daily limits on time spent logged in.
418
	#  Enforce daily limits on time spent logged in.
170
#	daily
419
#	daily
171
 
420
 
172
	#
421
	#
173
	# Use the checkval module
-
 
174
#	checkval
-
 
175
 
-
 
176
	expiration
422
	expiration
177
	logintime
423
	logintime
178
 
424
 
179
	#
425
	#
180
	#  If no other module has claimed responsibility for
426
	#  If no other module has claimed responsibility for
Line 196... Line 442...
196
	#  listed here return "fail", then NO response is sent.
442
	#  listed here return "fail", then NO response is sent.
197
	#
443
	#
198
#	Autz-Type Status-Server {
444
#	Autz-Type Status-Server {
199
#
445
#
200
#	}
446
#	}
201
#	update coa {
-
 
202
#		User-Name = "%{User-Name}"
-
 
203
#		Acct-Session-Id = "%{Acct-Session-Id}"
-
 
204
#		NAS-IP-Address = "%{NAS-IP-Address}"
-
 
205
#	}
-
 
206
}
447
}
207
 
448
 
208
 
449
 
209
#  Authentication.
450
#  Authentication.
210
#
451
#
211
#
452
#
212
#  This section lists which modules are available for authentication.
453
#  This section lists which modules are available for authentication.
213
#  Note that it does NOT mean 'try each module in order'.  It means
454
#  Note that it does NOT mean 'try each module in order'.  It means
214
#  that a module from the 'authorize' section adds a configuration
455
#  that a module from the 'authorize' section adds a configuration
215
#  attribute 'Auth-Type := FOO'.  That authentication type is then
456
#  attribute 'Auth-Type := FOO'.  That authentication type is then
216
#  used to pick the apropriate module from the list below.
457
#  used to pick the appropriate module from the list below.
217
#
458
#
218
 
459
 
219
#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
460
#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
220
#  will figure it out on its own, and will do the right thing.  The
461
#  will figure it out on its own, and will do the right thing.  The
221
#  most common side effect of erroneously setting the Auth-Type
462
#  most common side effect of erroneously setting the Auth-Type
Line 231... Line 472...
231
#  Please do not put "unlang" configurations into the "authenticate"
472
#  Please do not put "unlang" configurations into the "authenticate"
232
#  section.  Put them in the "post-auth" section instead.  That's what
473
#  section.  Put them in the "post-auth" section instead.  That's what
233
#  the post-auth section is for.
474
#  the post-auth section is for.
234
#
475
#
235
authenticate {
476
authenticate {
236
#	#
477
	#
237
#	#  PAP authentication, when a back-end database listed
478
	#  PAP authentication, when a back-end database listed
238
#	#  in the 'authorize' section supplies a password.  The
479
	#  in the 'authorize' section supplies a password.  The
239
#	#  password can be clear-text, or encrypted.
480
	#  password can be clear-text, or encrypted.
240
	Auth-Type PAP {
481
	Auth-Type PAP {
241
		pap
482
		pap
242
	}
483
	}
243
#
484
 
244
#	#
485
	#
245
#	#  Most people want CHAP authentication
486
	#  Most people want CHAP authentication
246
#	#  A back-end database listed in the 'authorize' section
487
	#  A back-end database listed in the 'authorize' section
247
#	#  MUST supply a CLEAR TEXT password.  Encrypted passwords
488
	#  MUST supply a CLEAR TEXT password.  Encrypted passwords
248
#	#  won't work.
489
	#  won't work.
249
#	Auth-Type CHAP {
490
#	Auth-Type CHAP {
250
#		chap
491
#		chap
251
#	}
492
#	}
252
#
493
 
253
#	#
494
	#
254
#	#  MSCHAP authentication.
495
	#  MSCHAP authentication.
255
#	Auth-Type MS-CHAP {
496
#	Auth-Type MS-CHAP {
256
#		mschap
497
#		mschap
257
#	}
498
#	}
-
 
499
 
-
 
500
	#
-
 
501
	#  For old names, too.
258
#
502
	#
-
 
503
#	mschap
-
 
504
 
259
#	#
505
	#
260
#	#  If you have a Cisco SIP server authenticating against
506
	#  If you have a Cisco SIP server authenticating against
261
#	#  FreeRADIUS, uncomment the following line, and the 'digest'
507
	#  FreeRADIUS, uncomment the following line, and the 'digest'
262
#	#  line in the 'authorize' section.
508
	#  line in the 'authorize' section.
263
#	digest
509
#	digest
264
#
510
 
265
#	#
511
	#
266
#	#  Pluggable Authentication Modules.
512
	#  Pluggable Authentication Modules.
267
#	pam
513
#	pam
268
#
514
 
-
 
515
	#  Uncomment it if you want to use ldap for authentication
269
#	#
516
	#
270
#	#  See 'man getpwent' for information on how the 'unix'
517
	#  Note that this means "check plain-text password against
271
#	#  module checks the users password.  Note that packets
518
	#  the ldap database", which means that EAP won't work,
272
#	#  containing CHAP-Password attributes CANNOT be authenticated
-
 
273
#	#  against /etc/passwd!  See the FAQ for details.
519
	#  as it does not supply a plain-text password.
274
#	#
520
	#
275
#	unix
-
 
276
#
-
 
277
#	# Uncomment it if you want to use ldap for authentication
521
	#  We do NOT recommend using this.  LDAP servers are databases.
278
#	#
-
 
279
#	# Note that this means "check plain-text password against
522
	#  They are NOT authentication servers.  FreeRADIUS is an
280
#	# the ldap database", which means that EAP won't work,
523
	#  authentication server, and knows what to do with authentication.
281
#	# as it does not supply a plain-text password.
524
	#  LDAP servers do not.
-
 
525
	#
282
#	Auth-Type LDAP {
526
#	Auth-Type LDAP {
283
#		ldap
527
#		ldap
284
#	}
528
#	}
285
#
529
 
286
#	#
530
	#
287
#	#  Allow EAP authentication.
531
	#  Allow EAP authentication.
288
#	eap
532
#	eap
-
 
533
 
-
 
534
	#
-
 
535
	#  The older configurations sent a number of attributes in
-
 
536
	#  Access-Challenge packets, which wasn't strictly correct.
-
 
537
	#  If you want to filter out these attributes, uncomment
-
 
538
	#  the following lines.
-
 
539
	#
-
 
540
#	Auth-Type eap {
-
 
541
#		eap {
-
 
542
#			handled = 1
-
 
543
#		}
-
 
544
#		if (handled && (Response-Packet-Type == Access-Challenge)) {
-
 
545
#			attr_filter.access_challenge.post-auth
-
 
546
#			handled  # override the "updated" code from attr_filter
-
 
547
#		}
-
 
548
#	}
289
}
549
}
290
 
550
 
291
 
551
 
292
#
552
#
293
#  Pre-accounting.  Decide which accounting type to use.
553
#  Pre-accounting.  Decide which accounting type to use.
294
#
554
#
295
preacct {
555
preacct {
296
#	preprocess
556
#	preprocess
297
 
557
 
298
	#
558
	#
-
 
559
	#  Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets
-
 
560
	#  into a single 64bit counter Acct-[Input|Output]-Octets64.
-
 
561
	#
-
 
562
#	acct_counters64
-
 
563
 
-
 
564
	#
-
 
565
	#  Session start times are *implied* in RADIUS.
-
 
566
	#  The NAS never sends a "start time".  Instead, it sends
-
 
567
	#  a start packet, *possibly* with an Acct-Delay-Time.
-
 
568
	#  The server is supposed to conclude that the start time
-
 
569
	#  was "Acct-Delay-Time" seconds in the past.
-
 
570
	#
-
 
571
	#  The code below creates an explicit start time, which can
-
 
572
	#  then be used in other modules.  It will be *mostly* correct.
-
 
573
	#  Any errors are due to the 1-second resolution of RADIUS,
-
 
574
	#  and the possibility that the time on the NAS may be off.
-
 
575
	#
-
 
576
	#  The start time is: NOW - delay - session_length
-
 
577
	#
-
 
578
 
-
 
579
#	update request {
-
 
580
#	  	&FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
-
 
581
#	}
-
 
582
 
-
 
583
 
-
 
584
	#
299
	#  Ensure that we have a semi-unique identifier for every
585
	#  Ensure that we have a semi-unique identifier for every
300
	#  request, and many NAS boxes are broken.
586
	#  request, and many NAS boxes are broken.
301
#	acct_unique
587
	acct_unique
302
 
588
 
303
	#
589
	#
304
	#  Look for IPASS-style 'realm/', and if not found, look for
590
	#  Look for IPASS-style 'realm/', and if not found, look for
305
	#  '@realm', and decide whether or not to proxy, based on
591
	#  '@realm', and decide whether or not to proxy, based on
306
	#  that.
592
	#  that.
Line 318... Line 604...
318
 
604
 
319
#
605
#
320
#  Accounting.  Log the accounting data.
606
#  Accounting.  Log the accounting data.
321
#
607
#
322
accounting {
608
accounting {
-
 
609
	#  Update accounting packet by adding the CUI attribute
-
 
610
	#  recorded from the corresponding Access-Accept
-
 
611
	#  use it only if your NAS boxes do not support CUI themselves
-
 
612
#	cui
323
	#
613
	#
324
	#  Create a 'detail'ed log of the packets.
614
	#  Create a 'detail'ed log of the packets.
325
	#  Note that accounting requests which are proxied
615
	#  Note that accounting requests which are proxied
326
	#  are also logged in the detail file.
616
	#  are also logged in the detail file.
327
#	detail
617
#	detail
Line 344... Line 634...
344
#	main_pool
634
#	main_pool
345
 
635
 
346
	#
636
	#
347
	#  Log traffic to an SQL database.
637
	#  Log traffic to an SQL database.
348
	#
638
	#
349
	#  See "Accounting queries" in sql.conf
639
	#  See "Accounting queries" in mods-available/sql
350
	sql
640
	-sql
351
 
641
 
352
	#
642
	#
-
 
643
	#  If you receive stop packets with zero session length,
353
	#  Instead of sending the query to the SQL server,
644
	#  they will NOT be logged in the database.  The SQL module
-
 
645
	#  will print a message (only in debugging mode), and will
354
	#  write it into a log file.
646
	#  return "noop".
-
 
647
	#
-
 
648
	#  You can ignore these packets by uncommenting the following
-
 
649
	#  three lines.  Otherwise, the server will not respond to the
-
 
650
	#  accounting request, and the NAS will retransmit.
355
	#
651
	#
-
 
652
#	if (noop) {
356
#	sql_log
653
#		ok
-
 
654
#	}
357
 
655
 
358
	#  Cisco VoIP specific bulk accounting
656
	#  Cisco VoIP specific bulk accounting
359
#	pgsql-voip
657
#	pgsql-voip
360
 
658
 
-
 
659
	# For Exec-Program and Exec-Program-Wait
-
 
660
	exec
-
 
661
 
361
	#  Filter attributes from the accounting response.
662
	#  Filter attributes from the accounting response.
362
	attr_filter.accounting_response
663
	attr_filter.accounting_response
363
 
664
 
364
	#
665
	#
365
	#  See "Autz-Type Status-Server" for how this works.
666
	#  See "Autz-Type Status-Server" for how this works.
Line 375... Line 676...
375
#  The rlm_sql module is *much* faster
676
#  The rlm_sql module is *much* faster
376
session {
677
session {
377
#	radutmp
678
#	radutmp
378
 
679
 
379
	#
680
	#
380
	#  See "Simultaneous Use Checking Queries" in sql.conf
681
	#  See "Simultaneous Use Checking Queries" in mods-available/sql
381
	sql
682
	sql
382
}
683
}
383
 
684
 
384
 
685
 
385
#  Post-Authentication
686
#  Post-Authentication
386
#  Once we KNOW that the user has been authenticated, there are
687
#  Once we KNOW that the user has been authenticated, there are
387
#  additional steps we can take.
688
#  additional steps we can take.
388
post-auth {
689
post-auth {
-
 
690
	#
-
 
691
	#  If you need to have a State attribute, you can
-
 
692
	#  add it here.  e.g. for later CoA-Request with
-
 
693
	#  State, and Service-Type = Authorize-Only.
-
 
694
	#
-
 
695
#	if (!&reply:State) {
-
 
696
#		update reply {
-
 
697
#			State := "0x%{randstr:16h}"
-
 
698
#		}
-
 
699
#	}
-
 
700
 
-
 
701
	#
-
 
702
	#  For EAP-TTLS and PEAP, add the cached attributes to the reply.
-
 
703
	#  The "session-state" attributes are automatically cached when
-
 
704
	#  an Access-Challenge is sent, and automatically retrieved
-
 
705
	#  when an Access-Request is received.
-
 
706
	#
-
 
707
	#  The session-state attributes are automatically deleted after
-
 
708
	#  an Access-Reject or Access-Accept is sent.
-
 
709
	#
-
 
710
	update {
-
 
711
		&reply: += &session-state:
-
 
712
	}
-
 
713
 
389
	#  Get an address from the IP Pool.
714
	#  Get an address from the IP Pool.
390
#	main_pool
715
#	main_pool
391
 
716
 
-
 
717
 
-
 
718
	#  Create the CUI value and add the attribute to Access-Accept.
-
 
719
	#  Uncomment the line below if *returning* the CUI.
-
 
720
#	cui
-
 
721
 
392
	#
722
	#
393
	#  If you want to have a log of authentication replies,
723
	#  If you want to have a log of authentication replies,
394
	#  un-comment the following line, and the 'detail reply_log'
724
	#  un-comment the following line, and enable the
395
	#  section, above.
725
	#  'detail reply_log' module.
396
#	reply_log
726
#	reply_log
397
 
727
 
398
	#
728
	#
399
	#  After authenticating the user, do another SQL query.
729
	#  After authenticating the user, do another SQL query.
400
	#
730
	#
401
	#  See "Authentication Logging Queries" in sql.conf
731
	#  See "Authentication Logging Queries" in mods-available/sql
402
#	sql
732
	sql
403
 
733
 
404
	#
734
	#
405
	#  Instead of sending the query to the SQL server,
735
	#  Un-comment the following if you want to modify the user's object
406
	#  write it into a log file.
736
	#  in LDAP after a successful login.
407
	#
737
	#
408
#	sql_log
738
#	ldap
-
 
739
 
-
 
740
	# For Exec-Program and Exec-Program-Wait
-
 
741
#	exec
409
 
742
 
410
	#
743
	#
411
	#  Un-comment the following if you have set
744
	#  Calculate the various WiMAX keys.  In order for this to work,
412
	#  'edir_account_policy_check = yes' in the ldap module sub-section of
745
	#  you will need to define the WiMAX NAI, usually via
413
	#  the 'modules' section.
-
 
414
	#
746
	#
-
 
747
	#	update request {
-
 
748
	#	       WiMAX-MN-NAI = "%{User-Name}"
-
 
749
	#	}
-
 
750
	#
-
 
751
	#  If you want various keys to be calculated, you will need to
-
 
752
	#  update the reply with "template" values.  The module will see
-
 
753
	#  this, and replace the template values with the correct ones
-
 
754
	#  taken from the cryptographic calculations.  e.g.
-
 
755
	#
-
 
756
	# 	update reply {
-
 
757
	#		WiMAX-FA-RK-Key = 0x00
-
 
758
	#		WiMAX-MSK = "%{EAP-MSK}"
-
 
759
	#	}
-
 
760
	#
-
 
761
	#  You may want to delete the MS-MPPE-*-Keys from the reply,
-
 
762
	#  as some WiMAX clients behave badly when those attributes
-
 
763
	#  are included.  See "raddb/modules/wimax", configuration
-
 
764
	#  entry "delete_mppe_keys" for more information.
-
 
765
	#
415
#	ldap
766
#	wimax
-
 
767
 
-
 
768
 
-
 
769
	#  If there is a client certificate (EAP-TLS, sometimes PEAP
-
 
770
	#  and TTLS), then some attributes are filled out after the
-
 
771
	#  certificate verification has been performed.  These fields
-
 
772
	#  MAY be available during the authentication, or they may be
-
 
773
	#  available only in the "post-auth" section.
-
 
774
	#
-
 
775
	#  The first set of attributes contains information about the
-
 
776
	#  issuing certificate which is being used.  The second
-
 
777
	#  contains information about the client certificate (if
-
 
778
	#  available).
-
 
779
#
-
 
780
#	update reply {
-
 
781
#	       Reply-Message += "%{TLS-Cert-Serial}"
-
 
782
#	       Reply-Message += "%{TLS-Cert-Expiration}"
-
 
783
#	       Reply-Message += "%{TLS-Cert-Subject}"
-
 
784
#	       Reply-Message += "%{TLS-Cert-Issuer}"
-
 
785
#	       Reply-Message += "%{TLS-Cert-Common-Name}"
-
 
786
#	       Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
-
 
787
#
-
 
788
#	       Reply-Message += "%{TLS-Client-Cert-Serial}"
-
 
789
#	       Reply-Message += "%{TLS-Client-Cert-Expiration}"
-
 
790
#	       Reply-Message += "%{TLS-Client-Cert-Subject}"
-
 
791
#	       Reply-Message += "%{TLS-Client-Cert-Issuer}"
-
 
792
#	       Reply-Message += "%{TLS-Client-Cert-Common-Name}"
-
 
793
#	       Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
-
 
794
#	}
416
 
795
 
-
 
796
	#  Insert class attribute (with unique value) into response,
-
 
797
	#  aids matching auth and acct records, and protects against duplicate
-
 
798
	#  Acct-Session-Id. Note: Only works if the NAS has implemented
-
 
799
	#  RFC 2865 behaviour for the class attribute, AND if the NAS
-
 
800
	#  supports long Class attributes.  Many older or cheap NASes
-
 
801
	#  only support 16-octet Class attributes.
-
 
802
#	insert_acct_class
-
 
803
 
-
 
804
	#  MacSEC requires the use of EAP-Key-Name.  However, we don't
-
 
805
	#  want to send it for all EAP sessions.  Therefore, the EAP
-
 
806
	#  modules put required data into the EAP-Session-Id attribute.
-
 
807
	#  This attribute is never put into a request or reply packet.
-
 
808
	#
-
 
809
	#  Uncomment the next few lines to copy the required data into
-
 
810
	#  the EAP-Key-Name attribute
-
 
811
#	if (&reply:EAP-Session-Id) {
-
 
812
#		update reply {
-
 
813
#			EAP-Key-Name := &reply:EAP-Session-Id
417
#	exec
814
#		}
-
 
815
#	}
-
 
816
 
-
 
817
	#  Remove reply message if the response contains an EAP-Message
-
 
818
	remove_reply_message_if_eap
418
 
819
 
419
	#
820
	#
420
	#  Access-Reject packets are sent through the REJECT sub-section of the
821
	#  Access-Reject packets are sent through the REJECT sub-section of the
421
	#  post-auth section.
822
	#  post-auth section.
422
	#
823
	#
423
	#  Add the ldap module name (or instance) if you have set
824
	#  Add the ldap module name (or instance) if you have set
424
	#  'edir_account_policy_check = yes' in the ldap module configuration
825
	#  'edir_account_policy_check = yes' in the ldap module configuration
425
	#
826
	#
-
 
827
	#  The "session-state" attributes are not available here.
-
 
828
	#
426
	Post-Auth-Type REJECT {
829
	Post-Auth-Type REJECT {
-
 
830
		# log failed authentications in SQL, too.
-
 
831
		sql
427
		attr_filter.access_reject
832
		attr_filter.access_reject
-
 
833
 
-
 
834
		# Insert EAP-Failure message if the request was
-
 
835
		# rejected by policy instead of because of an
-
 
836
		# authentication failure
-
 
837
#		eap
-
 
838
 
-
 
839
		#  Remove reply message if the response contains an EAP-Message
-
 
840
#		remove_reply_message_if_eap
428
	}
841
	}
-
 
842
 
-
 
843
	#
-
 
844
	#  Filter access challenges.
-
 
845
	#
-
 
846
	Post-Auth-Type Challenge {
-
 
847
#		remove_reply_message_if_eap
-
 
848
#		attr_filter.access_challenge.post-auth
-
 
849
	}
-
 
850
 
429
}
851
}
430
 
852
 
431
#
853
#
432
#  When the server decides to proxy a request to a home server,
854
#  When the server decides to proxy a request to a home server,
433
#  the proxied request is first passed through the pre-proxy
855
#  the proxied request is first passed through the pre-proxy
Line 435... Line 857...
435
#  cancel the proxy.
857
#  cancel the proxy.
436
#
858
#
437
#  Only a few modules currently have this method.
859
#  Only a few modules currently have this method.
438
#
860
#
439
pre-proxy {
861
pre-proxy {
-
 
862
	# Before proxing the request add an Operator-Name attribute identifying
-
 
863
	# if the operator-name is found for this client.
-
 
864
	# No need to uncomment this if you have already enabled this in
-
 
865
	# the authorize section.
440
#	attr_rewrite
866
#	operator-name
-
 
867
 
-
 
868
	#  The client requests the CUI by sending a CUI attribute
-
 
869
	#  containing one zero byte.
-
 
870
	#  Uncomment the line below if *requesting* the CUI.
-
 
871
#	cui
441
 
872
 
442
	#  Uncomment the following line if you want to change attributes
873
	#  Uncomment the following line if you want to change attributes
443
	#  as defined in the preproxy_users file.
874
	#  as defined in the preproxy_users file.
444
#	files
875
#	files
445
 
876
 
Line 464... Line 895...
464
	#  If you want to have a log of replies from a home server,
895
	#  If you want to have a log of replies from a home server,
465
	#  un-comment the following line, and the 'detail post_proxy_log'
896
	#  un-comment the following line, and the 'detail post_proxy_log'
466
	#  section, above.
897
	#  section, above.
467
#	post_proxy_log
898
#	post_proxy_log
468
 
899
 
469
#	attr_rewrite
-
 
470
 
-
 
471
	#  Uncomment the following line if you want to filter replies from
900
	#  Uncomment the following line if you want to filter replies from
472
	#  remote proxies based on the rules defined in the 'attrs' file.
901
	#  remote proxies based on the rules defined in the 'attrs' file.
473
#	attr_filter.post-proxy
902
#	attr_filter.post-proxy
474
 
903
 
475
	#
904
	#
Line 500... Line 929...
500
	#
929
	#
501
	#  With this configuration, the server always responds to
930
	#  With this configuration, the server always responds to
502
	#  Accounting-Requests from the NAS, but only writes
931
	#  Accounting-Requests from the NAS, but only writes
503
	#  accounting packets to disk if the home server is down.
932
	#  accounting packets to disk if the home server is down.
504
	#
933
	#
505
#	Post-Proxy-Type Fail {
934
#	Post-Proxy-Type Fail-Accounting {
506
#			detail
935
#			detail
507
#	}
936
#	}
508
 
-
 
509
}
937
}
510
 
938
}