1279 |
richard |
1 |
######################################################################
|
|
|
2 |
#
|
|
|
3 |
# As of 2.0.0, FreeRADIUS supports virtual hosts using the
|
|
|
4 |
# "server" section, and configuration directives.
|
|
|
5 |
#
|
|
|
6 |
# Virtual hosts should be put into the "sites-available"
|
|
|
7 |
# directory. Soft links should be created in the "sites-enabled"
|
|
|
8 |
# directory to these files. This is done in a normal installation.
|
|
|
9 |
#
|
2420 |
richard |
10 |
# If you are using 802.1X (EAP) authentication, please see also
|
|
|
11 |
# the "inner-tunnel" virtual server. You will likely have to edit
|
|
|
12 |
# that, too, for authentication to work.
|
1279 |
richard |
13 |
#
|
2420 |
richard |
14 |
# $Id: 3616050e7625eb6b5e2ba44782fcb737b2ae6136 $
|
|
|
15 |
#
|
1279 |
richard |
16 |
######################################################################
|
|
|
17 |
#
|
|
|
18 |
# Read "man radiusd" before editing this file. See the section
|
|
|
19 |
# titled DEBUGGING. It outlines a method where you can quickly
|
|
|
20 |
# obtain the configuration you want, without running into
|
|
|
21 |
# trouble. See also "man unlang", which documents the format
|
|
|
22 |
# of this file.
|
|
|
23 |
#
|
|
|
24 |
# This configuration is designed to work in the widest possible
|
|
|
25 |
# set of circumstances, with the widest possible number of
|
|
|
26 |
# authentication methods. This means that in general, you should
|
|
|
27 |
# need to make very few changes to this file.
|
|
|
28 |
#
|
|
|
29 |
# The best way to configure the server for your local system
|
|
|
30 |
# is to CAREFULLY edit this file. Most attempts to make large
|
|
|
31 |
# edits to this file will BREAK THE SERVER. Any edits should
|
|
|
32 |
# be small, and tested by running the server with "radiusd -X".
|
|
|
33 |
# Once the edits have been verified to work, save a copy of these
|
|
|
34 |
# configuration files somewhere. (e.g. as a "tar" file). Then,
|
|
|
35 |
# make more edits, and test, as above.
|
|
|
36 |
#
|
|
|
37 |
# There are many "commented out" references to modules such
|
|
|
38 |
# as ldap, sql, etc. These references serve as place-holders.
|
|
|
39 |
# If you need the functionality of that module, then configure
|
|
|
40 |
# it in radiusd.conf, and un-comment the references to it in
|
|
|
41 |
# this file. In most cases, those small changes will result
|
|
|
42 |
# in the server being able to connect to the DB, and to
|
|
|
43 |
# authenticate users.
|
|
|
44 |
#
|
|
|
45 |
######################################################################
|
|
|
46 |
|
2420 |
richard |
47 |
server default {
|
1279 |
richard |
48 |
#
|
2420 |
richard |
49 |
# If you want the server to listen on additional addresses, or on
|
|
|
50 |
# additional ports, you can use multiple "listen" sections.
|
1279 |
richard |
51 |
#
|
2420 |
richard |
52 |
# Each section make the server listen for only one type of packet,
|
|
|
53 |
# therefore authentication and accounting have to be configured in
|
|
|
54 |
# different sections.
|
1279 |
richard |
55 |
#
|
2420 |
richard |
56 |
# The server ignore all "listen" section if you are using '-i' and '-p'
|
|
|
57 |
# on the command line.
|
1279 |
richard |
58 |
#
|
2420 |
richard |
59 |
listen {
|
|
|
60 |
# Type of packets to listen for.
|
|
|
61 |
# Allowed values are:
|
|
|
62 |
# auth listen for authentication packets
|
|
|
63 |
# acct listen for accounting packets
|
|
|
64 |
# proxy IP to use for sending proxied packets
|
|
|
65 |
# detail Read from the detail file. For examples, see
|
|
|
66 |
# raddb/sites-available/copy-acct-to-home-server
|
|
|
67 |
# status listen for Status-Server packets. For examples,
|
|
|
68 |
# see raddb/sites-available/status
|
|
|
69 |
# coa listen for CoA-Request and Disconnect-Request
|
|
|
70 |
# packets. For examples, see the file
|
|
|
71 |
# raddb/sites-available/coa
|
|
|
72 |
#
|
|
|
73 |
type = auth
|
1279 |
richard |
74 |
|
2420 |
richard |
75 |
# Note: "type = proxy" lets you control the source IP used for
|
|
|
76 |
# proxying packets, with some limitations:
|
|
|
77 |
#
|
|
|
78 |
# * A proxy listener CANNOT be used in a virtual server section.
|
|
|
79 |
# * You should probably set "port = 0".
|
|
|
80 |
# * Any "clients" configuration will be ignored.
|
|
|
81 |
#
|
|
|
82 |
# See also proxy.conf, and the "src_ipaddr" configuration entry
|
|
|
83 |
# in the sample "home_server" section. When you specify the
|
|
|
84 |
# source IP address for packets sent to a home server, the
|
|
|
85 |
# proxy listeners are automatically created.
|
|
|
86 |
|
|
|
87 |
# ipaddr/ipv4addr/ipv6addr - IP address on which to listen.
|
|
|
88 |
# If multiple ones are listed, only the first one will
|
|
|
89 |
# be used, and the others will be ignored.
|
|
|
90 |
#
|
|
|
91 |
# The configuration options accept the following syntax:
|
|
|
92 |
#
|
|
|
93 |
# ipv4addr - IPv4 address (e.g.192.0.2.3)
|
|
|
94 |
# - wildcard (i.e. *)
|
|
|
95 |
# - hostname (radius.example.com)
|
|
|
96 |
# Only the A record for the host name is used.
|
|
|
97 |
# If there is no A record, an error is returned,
|
|
|
98 |
# and the server fails to start.
|
|
|
99 |
#
|
|
|
100 |
# ipv6addr - IPv6 address (e.g. 2001:db8::1)
|
|
|
101 |
# - wildcard (i.e. *)
|
|
|
102 |
# - hostname (radius.example.com)
|
|
|
103 |
# Only the AAAA record for the host name is used.
|
|
|
104 |
# If there is no AAAA record, an error is returned,
|
|
|
105 |
# and the server fails to start.
|
|
|
106 |
#
|
|
|
107 |
# ipaddr - IPv4 address as above
|
|
|
108 |
# - IPv6 address as above
|
|
|
109 |
# - wildcard (i.e. *), which means IPv4 wildcard.
|
|
|
110 |
# - hostname
|
|
|
111 |
# If there is only one A or AAAA record returned
|
|
|
112 |
# for the host name, it is used.
|
|
|
113 |
# If multiple A or AAAA records are returned
|
|
|
114 |
# for the host name, only the first one is used.
|
|
|
115 |
# If both A and AAAA records are returned
|
|
|
116 |
# for the host name, only the A record is used.
|
|
|
117 |
#
|
|
|
118 |
# ipv4addr = *
|
|
|
119 |
# ipv6addr = *
|
|
|
120 |
ipaddr = 127.0.0.1
|
|
|
121 |
|
|
|
122 |
# Port on which to listen.
|
|
|
123 |
# Allowed values are:
|
|
|
124 |
# integer port number (1812)
|
|
|
125 |
# 0 means "use /etc/services for the proper port"
|
|
|
126 |
port = 0
|
|
|
127 |
|
|
|
128 |
# Some systems support binding to an interface, in addition
|
|
|
129 |
# to the IP address. This feature isn't strictly necessary,
|
|
|
130 |
# but for sites with many IP addresses on one interface,
|
|
|
131 |
# it's useful to say "listen on all addresses for eth0".
|
|
|
132 |
#
|
|
|
133 |
# If your system does not support this feature, you will
|
|
|
134 |
# get an error if you try to use it.
|
|
|
135 |
#
|
|
|
136 |
# interface = eth0
|
|
|
137 |
|
|
|
138 |
# Per-socket lists of clients. This is a very useful feature.
|
|
|
139 |
#
|
|
|
140 |
# The name here is a reference to a section elsewhere in
|
|
|
141 |
# radiusd.conf, or clients.conf. Having the name as
|
|
|
142 |
# a reference allows multiple sockets to use the same
|
|
|
143 |
# set of clients.
|
|
|
144 |
#
|
|
|
145 |
# If this configuration is used, then the global list of clients
|
|
|
146 |
# is IGNORED for this "listen" section. Take care configuring
|
|
|
147 |
# this feature, to ensure you don't accidentally disable a
|
|
|
148 |
# client you need.
|
|
|
149 |
#
|
|
|
150 |
# See clients.conf for the configuration of "per_socket_clients".
|
|
|
151 |
#
|
|
|
152 |
# clients = per_socket_clients
|
|
|
153 |
|
|
|
154 |
#
|
|
|
155 |
# Connection limiting for sockets with "proto = tcp".
|
|
|
156 |
#
|
|
|
157 |
# This section is ignored for other kinds of sockets.
|
|
|
158 |
#
|
|
|
159 |
limit {
|
|
|
160 |
#
|
|
|
161 |
# Limit the number of simultaneous TCP connections to the socket
|
|
|
162 |
#
|
|
|
163 |
# The default is 16.
|
|
|
164 |
# Setting this to 0 means "no limit"
|
|
|
165 |
max_connections = 16
|
|
|
166 |
|
|
|
167 |
# The per-socket "max_requests" option does not exist.
|
|
|
168 |
|
|
|
169 |
#
|
|
|
170 |
# The lifetime, in seconds, of a TCP connection. After
|
|
|
171 |
# this lifetime, the connection will be closed.
|
|
|
172 |
#
|
|
|
173 |
# Setting this to 0 means "forever".
|
|
|
174 |
lifetime = 0
|
|
|
175 |
|
|
|
176 |
#
|
|
|
177 |
# The idle timeout, in seconds, of a TCP connection.
|
|
|
178 |
# If no packets have been received over the connection for
|
|
|
179 |
# this time, the connection will be closed.
|
|
|
180 |
#
|
|
|
181 |
# Setting this to 0 means "no timeout".
|
|
|
182 |
#
|
|
|
183 |
# We STRONGLY RECOMMEND that you set an idle timeout.
|
|
|
184 |
#
|
|
|
185 |
idle_timeout = 30
|
|
|
186 |
}
|
|
|
187 |
}
|
|
|
188 |
|
|
|
189 |
#
|
|
|
190 |
# This second "listen" section is for listening on the accounting
|
|
|
191 |
# port, too.
|
|
|
192 |
#
|
|
|
193 |
listen {
|
|
|
194 |
ipaddr = 127.0.0.1
|
|
|
195 |
# ipv6addr = ::
|
|
|
196 |
port = 0
|
|
|
197 |
type = acct
|
|
|
198 |
# interface = eth0
|
|
|
199 |
# clients = per_socket_clients
|
|
|
200 |
|
|
|
201 |
limit {
|
|
|
202 |
# The number of packets received can be rate limited via the
|
|
|
203 |
# "max_pps" configuration item. When it is set, the server
|
|
|
204 |
# tracks the total number of packets received in the previous
|
|
|
205 |
# second. If the count is greater than "max_pps", then the
|
|
|
206 |
# new packet is silently discarded. This helps the server
|
|
|
207 |
# deal with overload situations.
|
|
|
208 |
#
|
|
|
209 |
# The packets/s counter is tracked in a sliding window. This
|
|
|
210 |
# means that the pps calculation is done for the second
|
|
|
211 |
# before the current packet was received. NOT for the current
|
|
|
212 |
# wall-clock second, and NOT for the previous wall-clock second.
|
|
|
213 |
#
|
|
|
214 |
# Useful values are 0 (no limit), or 100 to 10000.
|
|
|
215 |
# Values lower than 100 will likely cause the server to ignore
|
|
|
216 |
# normal traffic. Few systems are capable of handling more than
|
|
|
217 |
# 10K packets/s.
|
|
|
218 |
#
|
|
|
219 |
# It is most useful for accounting systems. Set it to 50%
|
|
|
220 |
# more than the normal accounting load, and you can be sure that
|
|
|
221 |
# the server will never get overloaded
|
|
|
222 |
#
|
|
|
223 |
# max_pps = 0
|
|
|
224 |
|
|
|
225 |
# Only for "proto = tcp". These are ignored for "udp" sockets.
|
|
|
226 |
#
|
|
|
227 |
# idle_timeout = 0
|
|
|
228 |
# lifetime = 0
|
|
|
229 |
# max_connections = 0
|
|
|
230 |
}
|
|
|
231 |
}
|
|
|
232 |
|
|
|
233 |
# IPv6 versions of the above - read their full config to understand options
|
|
|
234 |
#listen {
|
|
|
235 |
# type = auth
|
|
|
236 |
# ipv6addr = ::1
|
|
|
237 |
# ipv6addr = :: # any. ::1 == localhost
|
|
|
238 |
# port = 0
|
|
|
239 |
# interface = eth0
|
|
|
240 |
# clients = per_socket_clients
|
|
|
241 |
# limit {
|
|
|
242 |
# max_connections = 16
|
|
|
243 |
# lifetime = 0
|
|
|
244 |
# idle_timeout = 30
|
|
|
245 |
# }
|
|
|
246 |
#}
|
|
|
247 |
|
|
|
248 |
#listen {
|
|
|
249 |
# type = acct
|
|
|
250 |
# ipv6addr = ::1
|
|
|
251 |
# ipv6addr = :: # any. ::1 == localhost
|
|
|
252 |
# port = 0
|
|
|
253 |
# interface = eth0
|
|
|
254 |
# clients = per_socket_clients
|
|
|
255 |
# limit {
|
|
|
256 |
# max_pps = 0
|
|
|
257 |
# idle_timeout = 0
|
|
|
258 |
# lifetime = 0
|
|
|
259 |
# max_connections = 0
|
|
|
260 |
# }
|
|
|
261 |
#}
|
|
|
262 |
|
1279 |
richard |
263 |
# Authorization. First preprocess (hints and huntgroups files),
|
|
|
264 |
# then realms, and finally look in the "users" file.
|
|
|
265 |
#
|
2420 |
richard |
266 |
# Any changes made here should also be made to the "inner-tunnel"
|
|
|
267 |
# virtual server.
|
|
|
268 |
#
|
1279 |
richard |
269 |
# The order of the realm modules will determine the order that
|
|
|
270 |
# we try to find a matching realm.
|
|
|
271 |
#
|
|
|
272 |
# Make *sure* that 'preprocess' comes before any realm if you
|
|
|
273 |
# need to setup hints for the remote radius server
|
|
|
274 |
authorize {
|
|
|
275 |
#
|
2420 |
richard |
276 |
# Take a User-Name, and perform some checks on it, for spaces and other
|
|
|
277 |
# invalid characters. If the User-Name appears invalid, reject the
|
|
|
278 |
# request.
|
|
|
279 |
#
|
|
|
280 |
# See policy.d/filter for the definition of the filter_username policy.
|
|
|
281 |
#
|
|
|
282 |
filter_username
|
|
|
283 |
|
|
|
284 |
#
|
|
|
285 |
# Some broken equipment sends passwords with embedded zeros.
|
|
|
286 |
# i.e. the debug output will show
|
|
|
287 |
#
|
|
|
288 |
# User-Password = "password\000\000"
|
|
|
289 |
#
|
|
|
290 |
# This policy will fix it to just be "password".
|
|
|
291 |
#
|
|
|
292 |
filter_password
|
|
|
293 |
|
|
|
294 |
#
|
1279 |
richard |
295 |
# The preprocess module takes care of sanitizing some bizarre
|
|
|
296 |
# attributes in the request, and turning them into attributes
|
|
|
297 |
# which are more standard.
|
|
|
298 |
#
|
2420 |
richard |
299 |
# It takes care of processing the 'raddb/mods-config/preprocess/hints'
|
|
|
300 |
# and the 'raddb/mods-config/preprocess/huntgroups' files.
|
|
|
301 |
preprocess
|
|
|
302 |
|
|
|
303 |
# If you intend to use CUI and you require that the Operator-Name
|
|
|
304 |
# be set for CUI generation and you want to generate CUI also
|
|
|
305 |
# for your local clients then uncomment the operator-name
|
|
|
306 |
# below and set the operator-name for your clients in clients.conf
|
|
|
307 |
# operator-name
|
|
|
308 |
|
1279 |
richard |
309 |
#
|
2420 |
richard |
310 |
# If you want to generate CUI for some clients that do not
|
|
|
311 |
# send proper CUI requests, then uncomment the
|
|
|
312 |
# cui below and set "add_cui = yes" for these clients in clients.conf
|
|
|
313 |
# cui
|
1279 |
richard |
314 |
|
|
|
315 |
#
|
|
|
316 |
# If you want to have a log of authentication requests,
|
2420 |
richard |
317 |
# un-comment the following line.
|
1279 |
richard |
318 |
# auth_log
|
|
|
319 |
|
|
|
320 |
#
|
|
|
321 |
# The chap module will set 'Auth-Type := CHAP' if we are
|
|
|
322 |
# handling a CHAP request and Auth-Type has not already been set
|
|
|
323 |
# chap
|
|
|
324 |
|
|
|
325 |
#
|
|
|
326 |
# If the users are logging in with an MS-CHAP-Challenge
|
|
|
327 |
# attribute for authentication, the mschap module will find
|
|
|
328 |
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
|
|
|
329 |
# to the request, which will cause the server to then use
|
|
|
330 |
# the mschap module for authentication.
|
|
|
331 |
# mschap
|
2420 |
richard |
332 |
|
1279 |
richard |
333 |
#
|
|
|
334 |
# If you have a Cisco SIP server authenticating against
|
|
|
335 |
# FreeRADIUS, uncomment the following line, and the 'digest'
|
|
|
336 |
# line in the 'authenticate' section.
|
|
|
337 |
# digest
|
|
|
338 |
|
|
|
339 |
#
|
2420 |
richard |
340 |
# The WiMAX specification says that the Calling-Station-Id
|
|
|
341 |
# is 6 octets of the MAC. This definition conflicts with
|
|
|
342 |
# RFC 3580, and all common RADIUS practices. Un-commenting
|
|
|
343 |
# the "wimax" module here means that it will fix the
|
|
|
344 |
# Calling-Station-Id attribute to the normal format as
|
|
|
345 |
# specified in RFC 3580 Section 3.21
|
|
|
346 |
# wimax
|
|
|
347 |
|
|
|
348 |
#
|
1279 |
richard |
349 |
# Look for IPASS style 'realm/', and if not found, look for
|
|
|
350 |
# '@realm', and decide whether or not to proxy, based on
|
|
|
351 |
# that.
|
|
|
352 |
# IPASS
|
|
|
353 |
|
|
|
354 |
#
|
|
|
355 |
# If you are using multiple kinds of realms, you probably
|
|
|
356 |
# want to set "ignore_null = yes" for all of them.
|
|
|
357 |
# Otherwise, when the first style of realm doesn't match,
|
|
|
358 |
# the other styles won't be checked.
|
|
|
359 |
#
|
|
|
360 |
# suffix
|
|
|
361 |
# ntdomain
|
|
|
362 |
|
|
|
363 |
#
|
|
|
364 |
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
|
|
|
365 |
# authentication.
|
|
|
366 |
#
|
|
|
367 |
# It also sets the EAP-Type attribute in the request
|
|
|
368 |
# attribute list to the EAP type from the packet.
|
|
|
369 |
#
|
2420 |
richard |
370 |
# The EAP module returns "ok" or "updated" if it is not yet ready
|
|
|
371 |
# to authenticate the user. The configuration below checks for
|
|
|
372 |
# "ok", and stops processing the "authorize" section if so.
|
1279 |
richard |
373 |
#
|
2420 |
richard |
374 |
# Any LDAP and/or SQL servers will not be queried for the
|
|
|
375 |
# initial set of packets that go back and forth to set up
|
|
|
376 |
# TTLS or PEAP.
|
1279 |
richard |
377 |
#
|
2420 |
richard |
378 |
# The "updated" check is commented out for compatibility with
|
|
|
379 |
# previous versions of this configuration, but you may wish to
|
|
|
380 |
# uncomment it as well; this will further reduce the number of
|
|
|
381 |
# LDAP and/or SQL queries for TTLS or PEAP.
|
|
|
382 |
#
|
1279 |
richard |
383 |
# eap {
|
|
|
384 |
# ok = return
|
2420 |
richard |
385 |
# updated = return
|
|
|
386 |
}
|
1279 |
richard |
387 |
|
|
|
388 |
#
|
|
|
389 |
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
|
|
|
390 |
# using the system API's to get the password. If you want
|
|
|
391 |
# to read /etc/passwd or /etc/shadow directly, see the
|
2420 |
richard |
392 |
# mods-available/passwd module.
|
1279 |
richard |
393 |
#
|
|
|
394 |
# unix
|
|
|
395 |
|
|
|
396 |
#
|
2420 |
richard |
397 |
# Read the 'users' file. In v3, this is located in
|
|
|
398 |
# raddb/mods-config/files/authorize
|
1279 |
richard |
399 |
# files
|
|
|
400 |
|
|
|
401 |
#
|
|
|
402 |
# Look in an SQL database. The schema of the database
|
|
|
403 |
# is meant to mirror the "users" file.
|
|
|
404 |
#
|
2420 |
richard |
405 |
# See "Authorization Queries" in mods-available/sql
|
1279 |
richard |
406 |
sql
|
|
|
407 |
#
|
|
|
408 |
# If you are using /etc/smbpasswd, and are also doing
|
|
|
409 |
# mschap authentication, the un-comment this line, and
|
2420 |
richard |
410 |
# configure the 'smbpasswd' module.
|
|
|
411 |
# smbpasswd
|
1279 |
richard |
412 |
|
|
|
413 |
#
|
2420 |
richard |
414 |
# The ldap module reads passwords from the LDAP database.
|
|
|
415 |
# -ldap
|
1279 |
richard |
416 |
|
|
|
417 |
#
|
|
|
418 |
# Enforce daily limits on time spent logged in.
|
|
|
419 |
# daily
|
|
|
420 |
|
|
|
421 |
#
|
|
|
422 |
expiration
|
|
|
423 |
logintime
|
|
|
424 |
|
|
|
425 |
#
|
|
|
426 |
# If no other module has claimed responsibility for
|
|
|
427 |
# authentication, then try to use PAP. This allows the
|
|
|
428 |
# other modules listed above to add a "known good" password
|
|
|
429 |
# to the request, and to do nothing else. The PAP module
|
|
|
430 |
# will then see that password, and use it to do PAP
|
|
|
431 |
# authentication.
|
|
|
432 |
#
|
|
|
433 |
# This module should be listed last, so that the other modules
|
|
|
434 |
# get a chance to set Auth-Type for themselves.
|
|
|
435 |
#
|
1464 |
richard |
436 |
pap
|
1279 |
richard |
437 |
|
|
|
438 |
#
|
|
|
439 |
# If "status_server = yes", then Status-Server messages are passed
|
|
|
440 |
# through the following section, and ONLY the following section.
|
|
|
441 |
# This permits you to do DB queries, for example. If the modules
|
|
|
442 |
# listed here return "fail", then NO response is sent.
|
|
|
443 |
#
|
|
|
444 |
# Autz-Type Status-Server {
|
|
|
445 |
#
|
|
|
446 |
# }
|
|
|
447 |
}
|
|
|
448 |
|
|
|
449 |
|
|
|
450 |
# Authentication.
|
|
|
451 |
#
|
|
|
452 |
#
|
|
|
453 |
# This section lists which modules are available for authentication.
|
|
|
454 |
# Note that it does NOT mean 'try each module in order'. It means
|
|
|
455 |
# that a module from the 'authorize' section adds a configuration
|
|
|
456 |
# attribute 'Auth-Type := FOO'. That authentication type is then
|
2420 |
richard |
457 |
# used to pick the appropriate module from the list below.
|
1279 |
richard |
458 |
#
|
|
|
459 |
|
|
|
460 |
# In general, you SHOULD NOT set the Auth-Type attribute. The server
|
|
|
461 |
# will figure it out on its own, and will do the right thing. The
|
|
|
462 |
# most common side effect of erroneously setting the Auth-Type
|
|
|
463 |
# attribute is that one authentication method will work, but the
|
|
|
464 |
# others will not.
|
|
|
465 |
#
|
|
|
466 |
# The common reasons to set the Auth-Type attribute by hand
|
|
|
467 |
# is to either forcibly reject the user (Auth-Type := Reject),
|
|
|
468 |
# or to or forcibly accept the user (Auth-Type := Accept).
|
|
|
469 |
#
|
|
|
470 |
# Note that Auth-Type := Accept will NOT work with EAP.
|
|
|
471 |
#
|
|
|
472 |
# Please do not put "unlang" configurations into the "authenticate"
|
|
|
473 |
# section. Put them in the "post-auth" section instead. That's what
|
|
|
474 |
# the post-auth section is for.
|
|
|
475 |
#
|
|
|
476 |
authenticate {
|
2420 |
richard |
477 |
#
|
|
|
478 |
# PAP authentication, when a back-end database listed
|
|
|
479 |
# in the 'authorize' section supplies a password. The
|
|
|
480 |
# password can be clear-text, or encrypted.
|
1464 |
richard |
481 |
Auth-Type PAP {
|
|
|
482 |
pap
|
|
|
483 |
}
|
2420 |
richard |
484 |
|
|
|
485 |
#
|
|
|
486 |
# Most people want CHAP authentication
|
|
|
487 |
# A back-end database listed in the 'authorize' section
|
|
|
488 |
# MUST supply a CLEAR TEXT password. Encrypted passwords
|
|
|
489 |
# won't work.
|
1279 |
richard |
490 |
# Auth-Type CHAP {
|
|
|
491 |
# chap
|
|
|
492 |
# }
|
2420 |
richard |
493 |
|
|
|
494 |
#
|
|
|
495 |
# MSCHAP authentication.
|
1279 |
richard |
496 |
# Auth-Type MS-CHAP {
|
|
|
497 |
# mschap
|
|
|
498 |
# }
|
2420 |
richard |
499 |
|
|
|
500 |
#
|
|
|
501 |
# For old names, too.
|
|
|
502 |
#
|
|
|
503 |
# mschap
|
|
|
504 |
|
|
|
505 |
#
|
|
|
506 |
# If you have a Cisco SIP server authenticating against
|
|
|
507 |
# FreeRADIUS, uncomment the following line, and the 'digest'
|
|
|
508 |
# line in the 'authorize' section.
|
1279 |
richard |
509 |
# digest
|
2420 |
richard |
510 |
|
|
|
511 |
#
|
|
|
512 |
# Pluggable Authentication Modules.
|
1279 |
richard |
513 |
# pam
|
2420 |
richard |
514 |
|
|
|
515 |
# Uncomment it if you want to use ldap for authentication
|
|
|
516 |
#
|
|
|
517 |
# Note that this means "check plain-text password against
|
|
|
518 |
# the ldap database", which means that EAP won't work,
|
|
|
519 |
# as it does not supply a plain-text password.
|
|
|
520 |
#
|
|
|
521 |
# We do NOT recommend using this. LDAP servers are databases.
|
|
|
522 |
# They are NOT authentication servers. FreeRADIUS is an
|
|
|
523 |
# authentication server, and knows what to do with authentication.
|
|
|
524 |
# LDAP servers do not.
|
|
|
525 |
#
|
1279 |
richard |
526 |
# Auth-Type LDAP {
|
|
|
527 |
# ldap
|
|
|
528 |
# }
|
2420 |
richard |
529 |
|
|
|
530 |
#
|
|
|
531 |
# Allow EAP authentication.
|
1279 |
richard |
532 |
# eap
|
2420 |
richard |
533 |
|
|
|
534 |
#
|
|
|
535 |
# The older configurations sent a number of attributes in
|
|
|
536 |
# Access-Challenge packets, which wasn't strictly correct.
|
|
|
537 |
# If you want to filter out these attributes, uncomment
|
|
|
538 |
# the following lines.
|
|
|
539 |
#
|
|
|
540 |
# Auth-Type eap {
|
|
|
541 |
# eap {
|
|
|
542 |
# handled = 1
|
|
|
543 |
# }
|
|
|
544 |
# if (handled && (Response-Packet-Type == Access-Challenge)) {
|
|
|
545 |
# attr_filter.access_challenge.post-auth
|
|
|
546 |
# handled # override the "updated" code from attr_filter
|
|
|
547 |
# }
|
|
|
548 |
# }
|
1279 |
richard |
549 |
}
|
|
|
550 |
|
|
|
551 |
|
|
|
552 |
#
|
|
|
553 |
# Pre-accounting. Decide which accounting type to use.
|
|
|
554 |
#
|
|
|
555 |
preacct {
|
1464 |
richard |
556 |
# preprocess
|
1279 |
richard |
557 |
|
|
|
558 |
#
|
2420 |
richard |
559 |
# Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets
|
|
|
560 |
# into a single 64bit counter Acct-[Input|Output]-Octets64.
|
|
|
561 |
#
|
|
|
562 |
# acct_counters64
|
|
|
563 |
|
|
|
564 |
#
|
|
|
565 |
# Session start times are *implied* in RADIUS.
|
|
|
566 |
# The NAS never sends a "start time". Instead, it sends
|
|
|
567 |
# a start packet, *possibly* with an Acct-Delay-Time.
|
|
|
568 |
# The server is supposed to conclude that the start time
|
|
|
569 |
# was "Acct-Delay-Time" seconds in the past.
|
|
|
570 |
#
|
|
|
571 |
# The code below creates an explicit start time, which can
|
|
|
572 |
# then be used in other modules. It will be *mostly* correct.
|
|
|
573 |
# Any errors are due to the 1-second resolution of RADIUS,
|
|
|
574 |
# and the possibility that the time on the NAS may be off.
|
|
|
575 |
#
|
|
|
576 |
# The start time is: NOW - delay - session_length
|
|
|
577 |
#
|
|
|
578 |
|
|
|
579 |
# update request {
|
|
|
580 |
# &FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
|
|
|
581 |
# }
|
|
|
582 |
|
|
|
583 |
|
|
|
584 |
#
|
1279 |
richard |
585 |
# Ensure that we have a semi-unique identifier for every
|
|
|
586 |
# request, and many NAS boxes are broken.
|
2420 |
richard |
587 |
acct_unique
|
1279 |
richard |
588 |
|
|
|
589 |
#
|
|
|
590 |
# Look for IPASS-style 'realm/', and if not found, look for
|
|
|
591 |
# '@realm', and decide whether or not to proxy, based on
|
|
|
592 |
# that.
|
|
|
593 |
#
|
|
|
594 |
# Accounting requests are generally proxied to the same
|
|
|
595 |
# home server as authentication requests.
|
|
|
596 |
# IPASS
|
|
|
597 |
# suffix
|
|
|
598 |
# ntdomain
|
|
|
599 |
|
|
|
600 |
#
|
|
|
601 |
# Read the 'acct_users' file
|
|
|
602 |
# files
|
|
|
603 |
}
|
|
|
604 |
|
|
|
605 |
#
|
|
|
606 |
# Accounting. Log the accounting data.
|
|
|
607 |
#
|
|
|
608 |
accounting {
|
2420 |
richard |
609 |
# Update accounting packet by adding the CUI attribute
|
|
|
610 |
# recorded from the corresponding Access-Accept
|
|
|
611 |
# use it only if your NAS boxes do not support CUI themselves
|
|
|
612 |
# cui
|
1279 |
richard |
613 |
#
|
|
|
614 |
# Create a 'detail'ed log of the packets.
|
|
|
615 |
# Note that accounting requests which are proxied
|
|
|
616 |
# are also logged in the detail file.
|
|
|
617 |
# detail
|
|
|
618 |
# daily
|
|
|
619 |
|
|
|
620 |
# Update the wtmp file
|
|
|
621 |
#
|
|
|
622 |
# If you don't use "radlast", you can delete this line.
|
|
|
623 |
# unix
|
|
|
624 |
|
|
|
625 |
#
|
|
|
626 |
# For Simultaneous-Use tracking.
|
|
|
627 |
#
|
|
|
628 |
# Due to packet losses in the network, the data here
|
|
|
629 |
# may be incorrect. There is little we can do about it.
|
|
|
630 |
# radutmp
|
1283 |
richard |
631 |
# sradutmp
|
1279 |
richard |
632 |
|
|
|
633 |
# Return an address to the IP Pool when we see a stop record.
|
|
|
634 |
# main_pool
|
|
|
635 |
|
|
|
636 |
#
|
|
|
637 |
# Log traffic to an SQL database.
|
|
|
638 |
#
|
2420 |
richard |
639 |
# See "Accounting queries" in mods-available/sql
|
|
|
640 |
-sql
|
1279 |
richard |
641 |
|
|
|
642 |
#
|
2420 |
richard |
643 |
# If you receive stop packets with zero session length,
|
|
|
644 |
# they will NOT be logged in the database. The SQL module
|
|
|
645 |
# will print a message (only in debugging mode), and will
|
|
|
646 |
# return "noop".
|
1279 |
richard |
647 |
#
|
2420 |
richard |
648 |
# You can ignore these packets by uncommenting the following
|
|
|
649 |
# three lines. Otherwise, the server will not respond to the
|
|
|
650 |
# accounting request, and the NAS will retransmit.
|
|
|
651 |
#
|
|
|
652 |
# if (noop) {
|
|
|
653 |
# ok
|
|
|
654 |
# }
|
1279 |
richard |
655 |
|
|
|
656 |
# Cisco VoIP specific bulk accounting
|
|
|
657 |
# pgsql-voip
|
|
|
658 |
|
2420 |
richard |
659 |
# For Exec-Program and Exec-Program-Wait
|
|
|
660 |
exec
|
|
|
661 |
|
1279 |
richard |
662 |
# Filter attributes from the accounting response.
|
|
|
663 |
attr_filter.accounting_response
|
|
|
664 |
|
|
|
665 |
#
|
|
|
666 |
# See "Autz-Type Status-Server" for how this works.
|
|
|
667 |
#
|
|
|
668 |
# Acct-Type Status-Server {
|
|
|
669 |
#
|
|
|
670 |
# }
|
|
|
671 |
}
|
|
|
672 |
|
|
|
673 |
|
|
|
674 |
# Session database, used for checking Simultaneous-Use. Either the radutmp
|
|
|
675 |
# or rlm_sql module can handle this.
|
|
|
676 |
# The rlm_sql module is *much* faster
|
|
|
677 |
session {
|
|
|
678 |
# radutmp
|
|
|
679 |
|
|
|
680 |
#
|
2420 |
richard |
681 |
# See "Simultaneous Use Checking Queries" in mods-available/sql
|
1279 |
richard |
682 |
sql
|
|
|
683 |
}
|
|
|
684 |
|
|
|
685 |
|
|
|
686 |
# Post-Authentication
|
|
|
687 |
# Once we KNOW that the user has been authenticated, there are
|
|
|
688 |
# additional steps we can take.
|
|
|
689 |
post-auth {
|
2420 |
richard |
690 |
#
|
|
|
691 |
# If you need to have a State attribute, you can
|
|
|
692 |
# add it here. e.g. for later CoA-Request with
|
|
|
693 |
# State, and Service-Type = Authorize-Only.
|
|
|
694 |
#
|
|
|
695 |
# if (!&reply:State) {
|
|
|
696 |
# update reply {
|
|
|
697 |
# State := "0x%{randstr:16h}"
|
|
|
698 |
# }
|
|
|
699 |
# }
|
|
|
700 |
|
|
|
701 |
#
|
|
|
702 |
# For EAP-TTLS and PEAP, add the cached attributes to the reply.
|
|
|
703 |
# The "session-state" attributes are automatically cached when
|
|
|
704 |
# an Access-Challenge is sent, and automatically retrieved
|
|
|
705 |
# when an Access-Request is received.
|
|
|
706 |
#
|
|
|
707 |
# The session-state attributes are automatically deleted after
|
|
|
708 |
# an Access-Reject or Access-Accept is sent.
|
|
|
709 |
#
|
|
|
710 |
update {
|
|
|
711 |
&reply: += &session-state:
|
|
|
712 |
}
|
|
|
713 |
|
1279 |
richard |
714 |
# Get an address from the IP Pool.
|
|
|
715 |
# main_pool
|
|
|
716 |
|
2420 |
richard |
717 |
|
|
|
718 |
# Create the CUI value and add the attribute to Access-Accept.
|
|
|
719 |
# Uncomment the line below if *returning* the CUI.
|
|
|
720 |
# cui
|
|
|
721 |
|
1279 |
richard |
722 |
#
|
|
|
723 |
# If you want to have a log of authentication replies,
|
2420 |
richard |
724 |
# un-comment the following line, and enable the
|
|
|
725 |
# 'detail reply_log' module.
|
1279 |
richard |
726 |
# reply_log
|
|
|
727 |
|
|
|
728 |
#
|
|
|
729 |
# After authenticating the user, do another SQL query.
|
|
|
730 |
#
|
2420 |
richard |
731 |
# See "Authentication Logging Queries" in mods-available/sql
|
|
|
732 |
sql
|
1279 |
richard |
733 |
|
|
|
734 |
#
|
2420 |
richard |
735 |
# Un-comment the following if you want to modify the user's object
|
|
|
736 |
# in LDAP after a successful login.
|
1279 |
richard |
737 |
#
|
2420 |
richard |
738 |
# ldap
|
1279 |
richard |
739 |
|
2420 |
richard |
740 |
# For Exec-Program and Exec-Program-Wait
|
|
|
741 |
# exec
|
|
|
742 |
|
1279 |
richard |
743 |
#
|
2420 |
richard |
744 |
# Calculate the various WiMAX keys. In order for this to work,
|
|
|
745 |
# you will need to define the WiMAX NAI, usually via
|
1279 |
richard |
746 |
#
|
2420 |
richard |
747 |
# update request {
|
|
|
748 |
# WiMAX-MN-NAI = "%{User-Name}"
|
|
|
749 |
# }
|
|
|
750 |
#
|
|
|
751 |
# If you want various keys to be calculated, you will need to
|
|
|
752 |
# update the reply with "template" values. The module will see
|
|
|
753 |
# this, and replace the template values with the correct ones
|
|
|
754 |
# taken from the cryptographic calculations. e.g.
|
|
|
755 |
#
|
|
|
756 |
# update reply {
|
|
|
757 |
# WiMAX-FA-RK-Key = 0x00
|
|
|
758 |
# WiMAX-MSK = "%{EAP-MSK}"
|
|
|
759 |
# }
|
|
|
760 |
#
|
|
|
761 |
# You may want to delete the MS-MPPE-*-Keys from the reply,
|
|
|
762 |
# as some WiMAX clients behave badly when those attributes
|
|
|
763 |
# are included. See "raddb/modules/wimax", configuration
|
|
|
764 |
# entry "delete_mppe_keys" for more information.
|
|
|
765 |
#
|
|
|
766 |
# wimax
|
1279 |
richard |
767 |
|
|
|
768 |
|
2420 |
richard |
769 |
# If there is a client certificate (EAP-TLS, sometimes PEAP
|
|
|
770 |
# and TTLS), then some attributes are filled out after the
|
|
|
771 |
# certificate verification has been performed. These fields
|
|
|
772 |
# MAY be available during the authentication, or they may be
|
|
|
773 |
# available only in the "post-auth" section.
|
1279 |
richard |
774 |
#
|
2420 |
richard |
775 |
# The first set of attributes contains information about the
|
|
|
776 |
# issuing certificate which is being used. The second
|
|
|
777 |
# contains information about the client certificate (if
|
|
|
778 |
# available).
|
|
|
779 |
#
|
|
|
780 |
# update reply {
|
|
|
781 |
# Reply-Message += "%{TLS-Cert-Serial}"
|
|
|
782 |
# Reply-Message += "%{TLS-Cert-Expiration}"
|
|
|
783 |
# Reply-Message += "%{TLS-Cert-Subject}"
|
|
|
784 |
# Reply-Message += "%{TLS-Cert-Issuer}"
|
|
|
785 |
# Reply-Message += "%{TLS-Cert-Common-Name}"
|
|
|
786 |
# Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
|
|
|
787 |
#
|
|
|
788 |
# Reply-Message += "%{TLS-Client-Cert-Serial}"
|
|
|
789 |
# Reply-Message += "%{TLS-Client-Cert-Expiration}"
|
|
|
790 |
# Reply-Message += "%{TLS-Client-Cert-Subject}"
|
|
|
791 |
# Reply-Message += "%{TLS-Client-Cert-Issuer}"
|
|
|
792 |
# Reply-Message += "%{TLS-Client-Cert-Common-Name}"
|
|
|
793 |
# Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
|
|
|
794 |
# }
|
|
|
795 |
|
|
|
796 |
# Insert class attribute (with unique value) into response,
|
|
|
797 |
# aids matching auth and acct records, and protects against duplicate
|
|
|
798 |
# Acct-Session-Id. Note: Only works if the NAS has implemented
|
|
|
799 |
# RFC 2865 behaviour for the class attribute, AND if the NAS
|
|
|
800 |
# supports long Class attributes. Many older or cheap NASes
|
|
|
801 |
# only support 16-octet Class attributes.
|
|
|
802 |
# insert_acct_class
|
|
|
803 |
|
|
|
804 |
# MacSEC requires the use of EAP-Key-Name. However, we don't
|
|
|
805 |
# want to send it for all EAP sessions. Therefore, the EAP
|
|
|
806 |
# modules put required data into the EAP-Session-Id attribute.
|
|
|
807 |
# This attribute is never put into a request or reply packet.
|
|
|
808 |
#
|
|
|
809 |
# Uncomment the next few lines to copy the required data into
|
|
|
810 |
# the EAP-Key-Name attribute
|
|
|
811 |
# if (&reply:EAP-Session-Id) {
|
|
|
812 |
# update reply {
|
|
|
813 |
# EAP-Key-Name := &reply:EAP-Session-Id
|
|
|
814 |
# }
|
|
|
815 |
# }
|
|
|
816 |
|
|
|
817 |
# Remove reply message if the response contains an EAP-Message
|
|
|
818 |
remove_reply_message_if_eap
|
|
|
819 |
|
|
|
820 |
#
|
1279 |
richard |
821 |
# Access-Reject packets are sent through the REJECT sub-section of the
|
|
|
822 |
# post-auth section.
|
|
|
823 |
#
|
|
|
824 |
# Add the ldap module name (or instance) if you have set
|
|
|
825 |
# 'edir_account_policy_check = yes' in the ldap module configuration
|
|
|
826 |
#
|
2420 |
richard |
827 |
# The "session-state" attributes are not available here.
|
|
|
828 |
#
|
1279 |
richard |
829 |
Post-Auth-Type REJECT {
|
2420 |
richard |
830 |
# log failed authentications in SQL, too.
|
|
|
831 |
sql
|
1279 |
richard |
832 |
attr_filter.access_reject
|
2420 |
richard |
833 |
|
|
|
834 |
# Insert EAP-Failure message if the request was
|
|
|
835 |
# rejected by policy instead of because of an
|
|
|
836 |
# authentication failure
|
|
|
837 |
# eap
|
|
|
838 |
|
|
|
839 |
# Remove reply message if the response contains an EAP-Message
|
|
|
840 |
# remove_reply_message_if_eap
|
1279 |
richard |
841 |
}
|
2420 |
richard |
842 |
|
|
|
843 |
#
|
|
|
844 |
# Filter access challenges.
|
|
|
845 |
#
|
|
|
846 |
Post-Auth-Type Challenge {
|
|
|
847 |
# remove_reply_message_if_eap
|
|
|
848 |
# attr_filter.access_challenge.post-auth
|
|
|
849 |
}
|
|
|
850 |
|
1279 |
richard |
851 |
}
|
|
|
852 |
|
|
|
853 |
#
|
|
|
854 |
# When the server decides to proxy a request to a home server,
|
|
|
855 |
# the proxied request is first passed through the pre-proxy
|
|
|
856 |
# stage. This stage can re-write the request, or decide to
|
|
|
857 |
# cancel the proxy.
|
|
|
858 |
#
|
|
|
859 |
# Only a few modules currently have this method.
|
|
|
860 |
#
|
|
|
861 |
pre-proxy {
|
2420 |
richard |
862 |
# Before proxing the request add an Operator-Name attribute identifying
|
|
|
863 |
# if the operator-name is found for this client.
|
|
|
864 |
# No need to uncomment this if you have already enabled this in
|
|
|
865 |
# the authorize section.
|
|
|
866 |
# operator-name
|
1279 |
richard |
867 |
|
2420 |
richard |
868 |
# The client requests the CUI by sending a CUI attribute
|
|
|
869 |
# containing one zero byte.
|
|
|
870 |
# Uncomment the line below if *requesting* the CUI.
|
|
|
871 |
# cui
|
|
|
872 |
|
1279 |
richard |
873 |
# Uncomment the following line if you want to change attributes
|
|
|
874 |
# as defined in the preproxy_users file.
|
|
|
875 |
# files
|
|
|
876 |
|
|
|
877 |
# Uncomment the following line if you want to filter requests
|
|
|
878 |
# sent to remote servers based on the rules defined in the
|
|
|
879 |
# 'attrs.pre-proxy' file.
|
|
|
880 |
# attr_filter.pre-proxy
|
|
|
881 |
|
|
|
882 |
# If you want to have a log of packets proxied to a home
|
|
|
883 |
# server, un-comment the following line, and the
|
|
|
884 |
# 'detail pre_proxy_log' section, above.
|
|
|
885 |
# pre_proxy_log
|
|
|
886 |
}
|
|
|
887 |
|
|
|
888 |
#
|
|
|
889 |
# When the server receives a reply to a request it proxied
|
|
|
890 |
# to a home server, the request may be massaged here, in the
|
|
|
891 |
# post-proxy stage.
|
|
|
892 |
#
|
|
|
893 |
post-proxy {
|
|
|
894 |
|
|
|
895 |
# If you want to have a log of replies from a home server,
|
|
|
896 |
# un-comment the following line, and the 'detail post_proxy_log'
|
|
|
897 |
# section, above.
|
|
|
898 |
# post_proxy_log
|
|
|
899 |
|
|
|
900 |
# Uncomment the following line if you want to filter replies from
|
|
|
901 |
# remote proxies based on the rules defined in the 'attrs' file.
|
|
|
902 |
# attr_filter.post-proxy
|
|
|
903 |
|
|
|
904 |
#
|
|
|
905 |
# If you are proxying LEAP, you MUST configure the EAP
|
|
|
906 |
# module, and you MUST list it here, in the post-proxy
|
|
|
907 |
# stage.
|
|
|
908 |
#
|
|
|
909 |
# You MUST also use the 'nostrip' option in the 'realm'
|
|
|
910 |
# configuration. Otherwise, the User-Name attribute
|
|
|
911 |
# in the proxied request will not match the user name
|
|
|
912 |
# hidden inside of the EAP packet, and the end server will
|
|
|
913 |
# reject the EAP request.
|
|
|
914 |
#
|
|
|
915 |
# eap
|
|
|
916 |
|
|
|
917 |
#
|
|
|
918 |
# If the server tries to proxy a request and fails, then the
|
|
|
919 |
# request is processed through the modules in this section.
|
|
|
920 |
#
|
|
|
921 |
# The main use of this section is to permit robust proxying
|
|
|
922 |
# of accounting packets. The server can be configured to
|
|
|
923 |
# proxy accounting packets as part of normal processing.
|
|
|
924 |
# Then, if the home server goes down, accounting packets can
|
|
|
925 |
# be logged to a local "detail" file, for processing with
|
|
|
926 |
# radrelay. When the home server comes back up, radrelay
|
|
|
927 |
# will read the detail file, and send the packets to the
|
|
|
928 |
# home server.
|
|
|
929 |
#
|
|
|
930 |
# With this configuration, the server always responds to
|
|
|
931 |
# Accounting-Requests from the NAS, but only writes
|
|
|
932 |
# accounting packets to disk if the home server is down.
|
|
|
933 |
#
|
2420 |
richard |
934 |
# Post-Proxy-Type Fail-Accounting {
|
1279 |
richard |
935 |
# detail
|
|
|
936 |
# }
|
|
|
937 |
}
|
2420 |
richard |
938 |
}
|