/conf/radius/alcasar-radius.orig |
File deleted |
/conf/radius/dialup.conf |
File deleted |
/conf/radius/alcasar-radius |
7,8 → 7,12 |
# directory. Soft links should be created in the "sites-enabled" |
# directory to these files. This is done in a normal installation. |
# |
# $Id: alcasar-radius 845 2012-03-29 21:17:03Z richard $ |
# If you are using 802.1X (EAP) authentication, please see also |
# the "inner-tunnel" virtual server. You will likely have to edit |
# that, too, for authentication to work. |
# |
# $Id: 3616050e7625eb6b5e2ba44782fcb737b2ae6136 $ |
# |
###################################################################### |
# |
# Read "man radiusd" before editing this file. See the section |
40,20 → 44,228 |
# |
###################################################################### |
server default { |
# |
# In 1.x, the "authorize", etc. sections were global in |
# radiusd.conf. As of 2.0, they SHOULD be in a server section. |
# If you want the server to listen on additional addresses, or on |
# additional ports, you can use multiple "listen" sections. |
# |
# The server section with no virtual server name is the "default" |
# section. It is used when no server name is specified. |
# Each section make the server listen for only one type of packet, |
# therefore authentication and accounting have to be configured in |
# different sections. |
# |
# We don't indent the rest of this file, because doing so |
# would make it harder to read. |
# The server ignore all "listen" section if you are using '-i' and '-p' |
# on the command line. |
# |
listen { |
# Type of packets to listen for. |
# Allowed values are: |
# auth listen for authentication packets |
# acct listen for accounting packets |
# proxy IP to use for sending proxied packets |
# detail Read from the detail file. For examples, see |
# raddb/sites-available/copy-acct-to-home-server |
# status listen for Status-Server packets. For examples, |
# see raddb/sites-available/status |
# coa listen for CoA-Request and Disconnect-Request |
# packets. For examples, see the file |
# raddb/sites-available/coa |
# |
type = auth |
# Note: "type = proxy" lets you control the source IP used for |
# proxying packets, with some limitations: |
# |
# * A proxy listener CANNOT be used in a virtual server section. |
# * You should probably set "port = 0". |
# * Any "clients" configuration will be ignored. |
# |
# See also proxy.conf, and the "src_ipaddr" configuration entry |
# in the sample "home_server" section. When you specify the |
# source IP address for packets sent to a home server, the |
# proxy listeners are automatically created. |
# ipaddr/ipv4addr/ipv6addr - IP address on which to listen. |
# If multiple ones are listed, only the first one will |
# be used, and the others will be ignored. |
# |
# The configuration options accept the following syntax: |
# |
# ipv4addr - IPv4 address (e.g.192.0.2.3) |
# - wildcard (i.e. *) |
# - hostname (radius.example.com) |
# Only the A record for the host name is used. |
# If there is no A record, an error is returned, |
# and the server fails to start. |
# |
# ipv6addr - IPv6 address (e.g. 2001:db8::1) |
# - wildcard (i.e. *) |
# - hostname (radius.example.com) |
# Only the AAAA record for the host name is used. |
# If there is no AAAA record, an error is returned, |
# and the server fails to start. |
# |
# ipaddr - IPv4 address as above |
# - IPv6 address as above |
# - wildcard (i.e. *), which means IPv4 wildcard. |
# - hostname |
# If there is only one A or AAAA record returned |
# for the host name, it is used. |
# If multiple A or AAAA records are returned |
# for the host name, only the first one is used. |
# If both A and AAAA records are returned |
# for the host name, only the A record is used. |
# |
# ipv4addr = * |
# ipv6addr = * |
ipaddr = 127.0.0.1 |
# Port on which to listen. |
# Allowed values are: |
# integer port number (1812) |
# 0 means "use /etc/services for the proper port" |
port = 0 |
# Some systems support binding to an interface, in addition |
# to the IP address. This feature isn't strictly necessary, |
# but for sites with many IP addresses on one interface, |
# it's useful to say "listen on all addresses for eth0". |
# |
# If your system does not support this feature, you will |
# get an error if you try to use it. |
# |
# interface = eth0 |
# Per-socket lists of clients. This is a very useful feature. |
# |
# The name here is a reference to a section elsewhere in |
# radiusd.conf, or clients.conf. Having the name as |
# a reference allows multiple sockets to use the same |
# set of clients. |
# |
# If this configuration is used, then the global list of clients |
# is IGNORED for this "listen" section. Take care configuring |
# this feature, to ensure you don't accidentally disable a |
# client you need. |
# |
# See clients.conf for the configuration of "per_socket_clients". |
# |
# clients = per_socket_clients |
# |
# Connection limiting for sockets with "proto = tcp". |
# |
# This section is ignored for other kinds of sockets. |
# |
limit { |
# |
# Limit the number of simultaneous TCP connections to the socket |
# |
# The default is 16. |
# Setting this to 0 means "no limit" |
max_connections = 16 |
# The per-socket "max_requests" option does not exist. |
# |
# The lifetime, in seconds, of a TCP connection. After |
# this lifetime, the connection will be closed. |
# |
# Setting this to 0 means "forever". |
lifetime = 0 |
# |
# The idle timeout, in seconds, of a TCP connection. |
# If no packets have been received over the connection for |
# this time, the connection will be closed. |
# |
# Setting this to 0 means "no timeout". |
# |
# We STRONGLY RECOMMEND that you set an idle timeout. |
# |
idle_timeout = 30 |
} |
} |
# |
# This second "listen" section is for listening on the accounting |
# port, too. |
# |
listen { |
ipaddr = 127.0.0.1 |
# ipv6addr = :: |
port = 0 |
type = acct |
# interface = eth0 |
# clients = per_socket_clients |
limit { |
# The number of packets received can be rate limited via the |
# "max_pps" configuration item. When it is set, the server |
# tracks the total number of packets received in the previous |
# second. If the count is greater than "max_pps", then the |
# new packet is silently discarded. This helps the server |
# deal with overload situations. |
# |
# The packets/s counter is tracked in a sliding window. This |
# means that the pps calculation is done for the second |
# before the current packet was received. NOT for the current |
# wall-clock second, and NOT for the previous wall-clock second. |
# |
# Useful values are 0 (no limit), or 100 to 10000. |
# Values lower than 100 will likely cause the server to ignore |
# normal traffic. Few systems are capable of handling more than |
# 10K packets/s. |
# |
# It is most useful for accounting systems. Set it to 50% |
# more than the normal accounting load, and you can be sure that |
# the server will never get overloaded |
# |
# max_pps = 0 |
# Only for "proto = tcp". These are ignored for "udp" sockets. |
# |
# idle_timeout = 0 |
# lifetime = 0 |
# max_connections = 0 |
} |
} |
# IPv6 versions of the above - read their full config to understand options |
#listen { |
# type = auth |
# ipv6addr = ::1 |
# ipv6addr = :: # any. ::1 == localhost |
# port = 0 |
# interface = eth0 |
# clients = per_socket_clients |
# limit { |
# max_connections = 16 |
# lifetime = 0 |
# idle_timeout = 30 |
# } |
#} |
#listen { |
# type = acct |
# ipv6addr = ::1 |
# ipv6addr = :: # any. ::1 == localhost |
# port = 0 |
# interface = eth0 |
# clients = per_socket_clients |
# limit { |
# max_pps = 0 |
# idle_timeout = 0 |
# lifetime = 0 |
# max_connections = 0 |
# } |
#} |
# Authorization. First preprocess (hints and huntgroups files), |
# then realms, and finally look in the "users" file. |
# |
# Any changes made here should also be made to the "inner-tunnel" |
# virtual server. |
# |
# The order of the realm modules will determine the order that |
# we try to find a matching realm. |
# |
61,20 → 273,48 |
# need to setup hints for the remote radius server |
authorize { |
# |
# Take a User-Name, and perform some checks on it, for spaces and other |
# invalid characters. If the User-Name appears invalid, reject the |
# request. |
# |
# See policy.d/filter for the definition of the filter_username policy. |
# |
filter_username |
# |
# Some broken equipment sends passwords with embedded zeros. |
# i.e. the debug output will show |
# |
# User-Password = "password\000\000" |
# |
# This policy will fix it to just be "password". |
# |
filter_password |
# |
# The preprocess module takes care of sanitizing some bizarre |
# attributes in the request, and turning them into attributes |
# which are more standard. |
# |
# It takes care of processing the 'raddb/hints' and the |
# 'raddb/huntgroups' files. |
# It takes care of processing the 'raddb/mods-config/preprocess/hints' |
# and the 'raddb/mods-config/preprocess/huntgroups' files. |
preprocess |
# If you intend to use CUI and you require that the Operator-Name |
# be set for CUI generation and you want to generate CUI also |
# for your local clients then uncomment the operator-name |
# below and set the operator-name for your clients in clients.conf |
# operator-name |
# |
# It also adds the %{Client-IP-Address} attribute to the request. |
# preprocess |
# If you want to generate CUI for some clients that do not |
# send proper CUI requests, then uncomment the |
# cui below and set "add_cui = yes" for these clients in clients.conf |
# cui |
# |
# If you want to have a log of authentication requests, |
# un-comment the following line, and the 'detail auth_log' |
# section, above. |
# un-comment the following line. |
# auth_log |
# |
89,6 → 329,7 |
# to the request, which will cause the server to then use |
# the mschap module for authentication. |
# mschap |
# |
# If you have a Cisco SIP server authenticating against |
# FreeRADIUS, uncomment the following line, and the 'digest' |
96,6 → 337,15 |
# digest |
# |
# The WiMAX specification says that the Calling-Station-Id |
# is 6 octets of the MAC. This definition conflicts with |
# RFC 3580, and all common RADIUS practices. Un-commenting |
# the "wimax" module here means that it will fix the |
# Calling-Station-Id attribute to the normal format as |
# specified in RFC 3580 Section 3.21 |
# wimax |
# |
# Look for IPASS style 'realm/', and if not found, look for |
# '@realm', and decide whether or not to proxy, based on |
# that. |
117,30 → 367,35 |
# It also sets the EAP-Type attribute in the request |
# attribute list to the EAP type from the packet. |
# |
# As of 2.0, the EAP module returns "ok" in the authorize stage |
# for TTLS and PEAP. In 1.x, it never returned "ok" here, so |
# this change is compatible with older configurations. |
# The EAP module returns "ok" or "updated" if it is not yet ready |
# to authenticate the user. The configuration below checks for |
# "ok", and stops processing the "authorize" section if so. |
# |
# The example below uses module failover to avoid querying all |
# of the following modules if the EAP module returns "ok". |
# Therefore, your LDAP and/or SQL servers will not be queried |
# for the many packets that go back and forth to set up TTLS |
# or PEAP. The load on those servers will therefore be reduced. |
# Any LDAP and/or SQL servers will not be queried for the |
# initial set of packets that go back and forth to set up |
# TTLS or PEAP. |
# |
# The "updated" check is commented out for compatibility with |
# previous versions of this configuration, but you may wish to |
# uncomment it as well; this will further reduce the number of |
# LDAP and/or SQL queries for TTLS or PEAP. |
# |
# eap { |
# ok = return |
# } |
# updated = return |
} |
# |
# Pull crypt'd passwords from /etc/passwd or /etc/shadow, |
# using the system API's to get the password. If you want |
# to read /etc/passwd or /etc/shadow directly, see the |
# passwd module in radiusd.conf. |
# mods-available/passwd module. |
# |
# unix |
# |
# Read the 'users' file |
# Read the 'users' file. In v3, this is located in |
# raddb/mods-config/files/authorize |
# files |
# |
147,23 → 402,17 |
# Look in an SQL database. The schema of the database |
# is meant to mirror the "users" file. |
# |
# See "Authorization Queries" in sql.conf |
# See "Authorization Queries" in mods-available/sql |
sql |
noresetcounter |
dailycounter |
monthlycounter |
# |
# If you are using /etc/smbpasswd, and are also doing |
# mschap authentication, the un-comment this line, and |
# configure the 'etc_smbpasswd' module, above. |
# etc_smbpasswd |
# configure the 'smbpasswd' module. |
# smbpasswd |
# |
# The ldap module will set Auth-Type to LDAP if it has not |
# already been set |
# ldap { |
# fail = 1 |
# } |
# The ldap module reads passwords from the LDAP database. |
# -ldap |
# |
# Enforce daily limits on time spent logged in. |
170,9 → 419,6 |
# daily |
# |
# Use the checkval module |
# checkval |
expiration |
logintime |
198,11 → 444,6 |
# Autz-Type Status-Server { |
# |
# } |
# update coa { |
# User-Name = "%{User-Name}" |
# Acct-Session-Id = "%{Acct-Session-Id}" |
# NAS-IP-Address = "%{NAS-IP-Address}" |
# } |
} |
213,7 → 454,7 |
# Note that it does NOT mean 'try each module in order'. It means |
# that a module from the 'authorize' section adds a configuration |
# attribute 'Auth-Type := FOO'. That authentication type is then |
# used to pick the apropriate module from the list below. |
# used to pick the appropriate module from the list below. |
# |
# In general, you SHOULD NOT set the Auth-Type attribute. The server |
233,59 → 474,78 |
# the post-auth section is for. |
# |
authenticate { |
# # |
# # PAP authentication, when a back-end database listed |
# # in the 'authorize' section supplies a password. The |
# # password can be clear-text, or encrypted. |
# |
# PAP authentication, when a back-end database listed |
# in the 'authorize' section supplies a password. The |
# password can be clear-text, or encrypted. |
Auth-Type PAP { |
pap |
} |
# |
# # |
# # Most people want CHAP authentication |
# # A back-end database listed in the 'authorize' section |
# # MUST supply a CLEAR TEXT password. Encrypted passwords |
# # won't work. |
# |
# Most people want CHAP authentication |
# A back-end database listed in the 'authorize' section |
# MUST supply a CLEAR TEXT password. Encrypted passwords |
# won't work. |
# Auth-Type CHAP { |
# chap |
# } |
# |
# # |
# # MSCHAP authentication. |
# |
# MSCHAP authentication. |
# Auth-Type MS-CHAP { |
# mschap |
# } |
# |
# # |
# # If you have a Cisco SIP server authenticating against |
# # FreeRADIUS, uncomment the following line, and the 'digest' |
# # line in the 'authorize' section. |
# |
# For old names, too. |
# |
# mschap |
# |
# If you have a Cisco SIP server authenticating against |
# FreeRADIUS, uncomment the following line, and the 'digest' |
# line in the 'authorize' section. |
# digest |
# |
# # |
# # Pluggable Authentication Modules. |
# |
# Pluggable Authentication Modules. |
# pam |
# |
# # |
# # See 'man getpwent' for information on how the 'unix' |
# # module checks the users password. Note that packets |
# # containing CHAP-Password attributes CANNOT be authenticated |
# # against /etc/passwd! See the FAQ for details. |
# # |
# unix |
# |
# # Uncomment it if you want to use ldap for authentication |
# # |
# # Note that this means "check plain-text password against |
# # the ldap database", which means that EAP won't work, |
# # as it does not supply a plain-text password. |
# Uncomment it if you want to use ldap for authentication |
# |
# Note that this means "check plain-text password against |
# the ldap database", which means that EAP won't work, |
# as it does not supply a plain-text password. |
# |
# We do NOT recommend using this. LDAP servers are databases. |
# They are NOT authentication servers. FreeRADIUS is an |
# authentication server, and knows what to do with authentication. |
# LDAP servers do not. |
# |
# Auth-Type LDAP { |
# ldap |
# } |
# |
# # |
# # Allow EAP authentication. |
# |
# Allow EAP authentication. |
# eap |
# |
# The older configurations sent a number of attributes in |
# Access-Challenge packets, which wasn't strictly correct. |
# If you want to filter out these attributes, uncomment |
# the following lines. |
# |
# Auth-Type eap { |
# eap { |
# handled = 1 |
# } |
# if (handled && (Response-Packet-Type == Access-Challenge)) { |
# attr_filter.access_challenge.post-auth |
# handled # override the "updated" code from attr_filter |
# } |
# } |
} |
296,9 → 556,35 |
# preprocess |
# |
# Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets |
# into a single 64bit counter Acct-[Input|Output]-Octets64. |
# |
# acct_counters64 |
# |
# Session start times are *implied* in RADIUS. |
# The NAS never sends a "start time". Instead, it sends |
# a start packet, *possibly* with an Acct-Delay-Time. |
# The server is supposed to conclude that the start time |
# was "Acct-Delay-Time" seconds in the past. |
# |
# The code below creates an explicit start time, which can |
# then be used in other modules. It will be *mostly* correct. |
# Any errors are due to the 1-second resolution of RADIUS, |
# and the possibility that the time on the NAS may be off. |
# |
# The start time is: NOW - delay - session_length |
# |
# update request { |
# &FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" |
# } |
# |
# Ensure that we have a semi-unique identifier for every |
# request, and many NAS boxes are broken. |
# acct_unique |
acct_unique |
# |
# Look for IPASS-style 'realm/', and if not found, look for |
320,6 → 606,10 |
# Accounting. Log the accounting data. |
# |
accounting { |
# Update accounting packet by adding the CUI attribute |
# recorded from the corresponding Access-Accept |
# use it only if your NAS boxes do not support CUI themselves |
# cui |
# |
# Create a 'detail'ed log of the packets. |
# Note that accounting requests which are proxied |
346,18 → 636,29 |
# |
# Log traffic to an SQL database. |
# |
# See "Accounting queries" in sql.conf |
sql |
# See "Accounting queries" in mods-available/sql |
-sql |
# |
# Instead of sending the query to the SQL server, |
# write it into a log file. |
# If you receive stop packets with zero session length, |
# they will NOT be logged in the database. The SQL module |
# will print a message (only in debugging mode), and will |
# return "noop". |
# |
# sql_log |
# You can ignore these packets by uncommenting the following |
# three lines. Otherwise, the server will not respond to the |
# accounting request, and the NAS will retransmit. |
# |
# if (noop) { |
# ok |
# } |
# Cisco VoIP specific bulk accounting |
# pgsql-voip |
# For Exec-Program and Exec-Program-Wait |
exec |
# Filter attributes from the accounting response. |
attr_filter.accounting_response |
377,7 → 678,7 |
# radutmp |
# |
# See "Simultaneous Use Checking Queries" in sql.conf |
# See "Simultaneous Use Checking Queries" in mods-available/sql |
sql |
} |
386,37 → 687,137 |
# Once we KNOW that the user has been authenticated, there are |
# additional steps we can take. |
post-auth { |
# |
# If you need to have a State attribute, you can |
# add it here. e.g. for later CoA-Request with |
# State, and Service-Type = Authorize-Only. |
# |
# if (!&reply:State) { |
# update reply { |
# State := "0x%{randstr:16h}" |
# } |
# } |
# |
# For EAP-TTLS and PEAP, add the cached attributes to the reply. |
# The "session-state" attributes are automatically cached when |
# an Access-Challenge is sent, and automatically retrieved |
# when an Access-Request is received. |
# |
# The session-state attributes are automatically deleted after |
# an Access-Reject or Access-Accept is sent. |
# |
update { |
&reply: += &session-state: |
} |
# Get an address from the IP Pool. |
# main_pool |
# Create the CUI value and add the attribute to Access-Accept. |
# Uncomment the line below if *returning* the CUI. |
# cui |
# |
# If you want to have a log of authentication replies, |
# un-comment the following line, and the 'detail reply_log' |
# section, above. |
# un-comment the following line, and enable the |
# 'detail reply_log' module. |
# reply_log |
# |
# After authenticating the user, do another SQL query. |
# |
# See "Authentication Logging Queries" in sql.conf |
# sql |
# See "Authentication Logging Queries" in mods-available/sql |
sql |
# |
# Instead of sending the query to the SQL server, |
# write it into a log file. |
# Un-comment the following if you want to modify the user's object |
# in LDAP after a successful login. |
# |
# sql_log |
# ldap |
# For Exec-Program and Exec-Program-Wait |
# exec |
# |
# Un-comment the following if you have set |
# 'edir_account_policy_check = yes' in the ldap module sub-section of |
# the 'modules' section. |
# Calculate the various WiMAX keys. In order for this to work, |
# you will need to define the WiMAX NAI, usually via |
# |
# ldap |
# update request { |
# WiMAX-MN-NAI = "%{User-Name}" |
# } |
# |
# If you want various keys to be calculated, you will need to |
# update the reply with "template" values. The module will see |
# this, and replace the template values with the correct ones |
# taken from the cryptographic calculations. e.g. |
# |
# update reply { |
# WiMAX-FA-RK-Key = 0x00 |
# WiMAX-MSK = "%{EAP-MSK}" |
# } |
# |
# You may want to delete the MS-MPPE-*-Keys from the reply, |
# as some WiMAX clients behave badly when those attributes |
# are included. See "raddb/modules/wimax", configuration |
# entry "delete_mppe_keys" for more information. |
# |
# wimax |
# exec |
# If there is a client certificate (EAP-TLS, sometimes PEAP |
# and TTLS), then some attributes are filled out after the |
# certificate verification has been performed. These fields |
# MAY be available during the authentication, or they may be |
# available only in the "post-auth" section. |
# |
# The first set of attributes contains information about the |
# issuing certificate which is being used. The second |
# contains information about the client certificate (if |
# available). |
# |
# update reply { |
# Reply-Message += "%{TLS-Cert-Serial}" |
# Reply-Message += "%{TLS-Cert-Expiration}" |
# Reply-Message += "%{TLS-Cert-Subject}" |
# Reply-Message += "%{TLS-Cert-Issuer}" |
# Reply-Message += "%{TLS-Cert-Common-Name}" |
# Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}" |
# |
# Reply-Message += "%{TLS-Client-Cert-Serial}" |
# Reply-Message += "%{TLS-Client-Cert-Expiration}" |
# Reply-Message += "%{TLS-Client-Cert-Subject}" |
# Reply-Message += "%{TLS-Client-Cert-Issuer}" |
# Reply-Message += "%{TLS-Client-Cert-Common-Name}" |
# Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}" |
# } |
# Insert class attribute (with unique value) into response, |
# aids matching auth and acct records, and protects against duplicate |
# Acct-Session-Id. Note: Only works if the NAS has implemented |
# RFC 2865 behaviour for the class attribute, AND if the NAS |
# supports long Class attributes. Many older or cheap NASes |
# only support 16-octet Class attributes. |
# insert_acct_class |
# MacSEC requires the use of EAP-Key-Name. However, we don't |
# want to send it for all EAP sessions. Therefore, the EAP |
# modules put required data into the EAP-Session-Id attribute. |
# This attribute is never put into a request or reply packet. |
# |
# Uncomment the next few lines to copy the required data into |
# the EAP-Key-Name attribute |
# if (&reply:EAP-Session-Id) { |
# update reply { |
# EAP-Key-Name := &reply:EAP-Session-Id |
# } |
# } |
# Remove reply message if the response contains an EAP-Message |
remove_reply_message_if_eap |
# |
# Access-Reject packets are sent through the REJECT sub-section of the |
# post-auth section. |
# |
423,9 → 824,30 |
# Add the ldap module name (or instance) if you have set |
# 'edir_account_policy_check = yes' in the ldap module configuration |
# |
# The "session-state" attributes are not available here. |
# |
Post-Auth-Type REJECT { |
# log failed authentications in SQL, too. |
sql |
attr_filter.access_reject |
# Insert EAP-Failure message if the request was |
# rejected by policy instead of because of an |
# authentication failure |
# eap |
# Remove reply message if the response contains an EAP-Message |
# remove_reply_message_if_eap |
} |
# |
# Filter access challenges. |
# |
Post-Auth-Type Challenge { |
# remove_reply_message_if_eap |
# attr_filter.access_challenge.post-auth |
} |
} |
# |
437,8 → 859,17 |
# Only a few modules currently have this method. |
# |
pre-proxy { |
# attr_rewrite |
# Before proxing the request add an Operator-Name attribute identifying |
# if the operator-name is found for this client. |
# No need to uncomment this if you have already enabled this in |
# the authorize section. |
# operator-name |
# The client requests the CUI by sending a CUI attribute |
# containing one zero byte. |
# Uncomment the line below if *requesting* the CUI. |
# cui |
# Uncomment the following line if you want to change attributes |
# as defined in the preproxy_users file. |
# files |
466,8 → 897,6 |
# section, above. |
# post_proxy_log |
# attr_rewrite |
# Uncomment the following line if you want to filter replies from |
# remote proxies based on the rules defined in the 'attrs' file. |
# attr_filter.post-proxy |
502,9 → 931,8 |
# Accounting-Requests from the NAS, but only writes |
# accounting packets to disk if the home server is down. |
# |
# Post-Proxy-Type Fail { |
# Post-Proxy-Type Fail-Accounting { |
# detail |
# } |
} |
} |
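Review bot: The post-auth hunk (386,37 → 687,137) and the REJECT hunk (423,9 → 824,30) call `sql` unconditionally, so every Access-Accept and Access-Reject goes through the sql module's post-auth query; with the stock FreeRADIUS 3 `postauth_query` that row stores `%{User-Password}` alongside the username, which would leave cleartext passwords for every attempt, including rejected ones, in the post-auth table. Whether that applies here depends on the site's mods-config/sql queries, which this commit does not show, so please confirm the query persists only username, reply type and date, and note it above the `sql` line, e.g. `# post-auth query must not record User-Password`. Separately, the accounting hunk (346,18 → 636,29) writes `-sql` while authorize, session, post-auth and REJECT use bare `sql`; a bare reference already makes the module mandatory at startup, so the `-` prefix buys nothing and reads as if accounting alone tolerated a missing module — use one form throughout, or document why accounting differs.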
/conf/radius/alcasar-radius-orig |
0,0 → 1,938 |
###################################################################### |
# |
# As of 2.0.0, FreeRADIUS supports virtual hosts using the |
# "server" section, and configuration directives. |
# |
# Virtual hosts should be put into the "sites-available" |
# directory. Soft links should be created in the "sites-enabled" |
# directory to these files. This is done in a normal installation. |
# |
# If you are using 802.1X (EAP) authentication, please see also |
# the "inner-tunnel" virtual server. You will likely have to edit |
# that, too, for authentication to work. |
# |
# $Id: 3616050e7625eb6b5e2ba44782fcb737b2ae6136 $ |
# |
###################################################################### |
# |
# Read "man radiusd" before editing this file. See the section |
# titled DEBUGGING. It outlines a method where you can quickly |
# obtain the configuration you want, without running into |
# trouble. See also "man unlang", which documents the format |
# of this file. |
# |
# This configuration is designed to work in the widest possible |
# set of circumstances, with the widest possible number of |
# authentication methods. This means that in general, you should |
# need to make very few changes to this file. |
# |
# The best way to configure the server for your local system |
# is to CAREFULLY edit this file. Most attempts to make large |
# edits to this file will BREAK THE SERVER. Any edits should |
# be small, and tested by running the server with "radiusd -X". |
# Once the edits have been verified to work, save a copy of these |
# configuration files somewhere. (e.g. as a "tar" file). Then, |
# make more edits, and test, as above. |
# |
# There are many "commented out" references to modules such |
# as ldap, sql, etc. These references serve as place-holders. |
# If you need the functionality of that module, then configure |
# it in radiusd.conf, and un-comment the references to it in |
# this file. In most cases, those small changes will result |
# in the server being able to connect to the DB, and to |
# authenticate users. |
# |
###################################################################### |
server default { |
# |
# If you want the server to listen on additional addresses, or on |
# additional ports, you can use multiple "listen" sections. |
# |
# Each section make the server listen for only one type of packet, |
# therefore authentication and accounting have to be configured in |
# different sections. |
# |
# The server ignore all "listen" section if you are using '-i' and '-p' |
# on the command line. |
# |
listen { |
# Type of packets to listen for. |
# Allowed values are: |
# auth listen for authentication packets |
# acct listen for accounting packets |
# proxy IP to use for sending proxied packets |
# detail Read from the detail file. For examples, see |
# raddb/sites-available/copy-acct-to-home-server |
# status listen for Status-Server packets. For examples, |
# see raddb/sites-available/status |
# coa listen for CoA-Request and Disconnect-Request |
# packets. For examples, see the file |
# raddb/sites-available/coa |
# |
type = auth |
# Note: "type = proxy" lets you control the source IP used for |
# proxying packets, with some limitations: |
# |
# * A proxy listener CANNOT be used in a virtual server section. |
# * You should probably set "port = 0". |
# * Any "clients" configuration will be ignored. |
# |
# See also proxy.conf, and the "src_ipaddr" configuration entry |
# in the sample "home_server" section. When you specify the |
# source IP address for packets sent to a home server, the |
# proxy listeners are automatically created. |
# ipaddr/ipv4addr/ipv6addr - IP address on which to listen. |
# If multiple ones are listed, only the first one will |
# be used, and the others will be ignored. |
# |
# The configuration options accept the following syntax: |
# |
# ipv4addr - IPv4 address (e.g.192.0.2.3) |
# - wildcard (i.e. *) |
# - hostname (radius.example.com) |
# Only the A record for the host name is used. |
# If there is no A record, an error is returned, |
# and the server fails to start. |
# |
# ipv6addr - IPv6 address (e.g. 2001:db8::1) |
# - wildcard (i.e. *) |
# - hostname (radius.example.com) |
# Only the AAAA record for the host name is used. |
# If there is no AAAA record, an error is returned, |
# and the server fails to start. |
# |
# ipaddr - IPv4 address as above |
# - IPv6 address as above |
# - wildcard (i.e. *), which means IPv4 wildcard. |
# - hostname |
# If there is only one A or AAAA record returned |
# for the host name, it is used. |
# If multiple A or AAAA records are returned |
# for the host name, only the first one is used. |
# If both A and AAAA records are returned |
# for the host name, only the A record is used. |
# |
# ipv4addr = * |
# ipv6addr = * |
ipaddr = * |
# Port on which to listen. |
# Allowed values are: |
# integer port number (1812) |
# 0 means "use /etc/services for the proper port" |
port = 0 |
# Some systems support binding to an interface, in addition |
# to the IP address. This feature isn't strictly necessary, |
# but for sites with many IP addresses on one interface, |
# it's useful to say "listen on all addresses for eth0". |
# |
# If your system does not support this feature, you will |
# get an error if you try to use it. |
# |
# interface = eth0 |
# Per-socket lists of clients. This is a very useful feature. |
# |
# The name here is a reference to a section elsewhere in |
# radiusd.conf, or clients.conf. Having the name as |
# a reference allows multiple sockets to use the same |
# set of clients. |
# |
# If this configuration is used, then the global list of clients |
# is IGNORED for this "listen" section. Take care configuring |
# this feature, to ensure you don't accidentally disable a |
# client you need. |
# |
# See clients.conf for the configuration of "per_socket_clients". |
# |
# clients = per_socket_clients |
# |
# Connection limiting for sockets with "proto = tcp". |
# |
# This section is ignored for other kinds of sockets. |
# |
limit { |
# |
# Limit the number of simultaneous TCP connections to the socket |
# |
# The default is 16. |
# Setting this to 0 means "no limit" |
max_connections = 16 |
# The per-socket "max_requests" option does not exist. |
# |
# The lifetime, in seconds, of a TCP connection. After |
# this lifetime, the connection will be closed. |
# |
# Setting this to 0 means "forever". |
lifetime = 0 |
# |
# The idle timeout, in seconds, of a TCP connection. |
# If no packets have been received over the connection for |
# this time, the connection will be closed. |
# |
# Setting this to 0 means "no timeout". |
# |
# We STRONGLY RECOMMEND that you set an idle timeout. |
# |
idle_timeout = 30 |
} |
} |
# |
# This second "listen" section is for listening on the accounting |
# port, too. |
# |
listen { |
ipaddr = * |
# ipv6addr = :: |
port = 0 |
type = acct |
# interface = eth0 |
# clients = per_socket_clients |
limit { |
# The number of packets received can be rate limited via the |
# "max_pps" configuration item. When it is set, the server |
# tracks the total number of packets received in the previous |
# second. If the count is greater than "max_pps", then the |
# new packet is silently discarded. This helps the server |
# deal with overload situations. |
# |
# The packets/s counter is tracked in a sliding window. This |
# means that the pps calculation is done for the second |
# before the current packet was received. NOT for the current |
# wall-clock second, and NOT for the previous wall-clock second. |
# |
# Useful values are 0 (no limit), or 100 to 10000. |
# Values lower than 100 will likely cause the server to ignore |
# normal traffic. Few systems are capable of handling more than |
# 10K packets/s. |
# |
# It is most useful for accounting systems. Set it to 50% |
# more than the normal accounting load, and you can be sure that |
# the server will never get overloaded |
# |
# max_pps = 0 |
# Only for "proto = tcp". These are ignored for "udp" sockets. |
# |
# idle_timeout = 0 |
# lifetime = 0 |
# max_connections = 0 |
} |
} |
# IPv6 versions of the above - read their full config to understand options |
listen { |
type = auth |
ipv6addr = :: # any. ::1 == localhost |
port = 0 |
# interface = eth0 |
# clients = per_socket_clients |
limit { |
max_connections = 16 |
lifetime = 0 |
idle_timeout = 30 |
} |
} |
listen { |
ipv6addr = :: |
port = 0 |
type = acct |
# interface = eth0 |
# clients = per_socket_clients |
limit { |
# max_pps = 0 |
# idle_timeout = 0 |
# lifetime = 0 |
# max_connections = 0 |
} |
} |
# Authorization. First preprocess (hints and huntgroups files), |
# then realms, and finally look in the "users" file. |
# |
# Any changes made here should also be made to the "inner-tunnel" |
# virtual server. |
# |
# The order of the realm modules will determine the order that |
# we try to find a matching realm. |
# |
# Make *sure* that 'preprocess' comes before any realm if you |
# need to setup hints for the remote radius server |
authorize { |
# |
# Take a User-Name, and perform some checks on it, for spaces and other |
# invalid characters. If the User-Name appears invalid, reject the |
# request. |
# |
# See policy.d/filter for the definition of the filter_username policy. |
# |
filter_username |
# |
# Some broken equipment sends passwords with embedded zeros. |
# i.e. the debug output will show |
# |
# User-Password = "password\000\000" |
# |
# This policy will fix it to just be "password". |
# |
# filter_password |
# |
# The preprocess module takes care of sanitizing some bizarre |
# attributes in the request, and turning them into attributes |
# which are more standard. |
# |
# It takes care of processing the 'raddb/mods-config/preprocess/hints' |
# and the 'raddb/mods-config/preprocess/huntgroups' files. |
preprocess |
# If you intend to use CUI and you require that the Operator-Name |
# be set for CUI generation and you want to generate CUI also |
# for your local clients then uncomment the operator-name |
# below and set the operator-name for your clients in clients.conf |
# operator-name |
# |
# If you want to generate CUI for some clients that do not |
# send proper CUI requests, then uncomment the |
# cui below and set "add_cui = yes" for these clients in clients.conf |
# cui |
# |
# If you want to have a log of authentication requests, |
# un-comment the following line. |
# auth_log |
# |
# The chap module will set 'Auth-Type := CHAP' if we are |
# handling a CHAP request and Auth-Type has not already been set |
chap |
# |
# If the users are logging in with an MS-CHAP-Challenge |
# attribute for authentication, the mschap module will find |
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' |
# to the request, which will cause the server to then use |
# the mschap module for authentication. |
mschap |
# |
# If you have a Cisco SIP server authenticating against |
# FreeRADIUS, uncomment the following line, and the 'digest' |
# line in the 'authenticate' section. |
digest |
# |
# The WiMAX specification says that the Calling-Station-Id |
# is 6 octets of the MAC. This definition conflicts with |
# RFC 3580, and all common RADIUS practices. Un-commenting |
# the "wimax" module here means that it will fix the |
# Calling-Station-Id attribute to the normal format as |
# specified in RFC 3580 Section 3.21 |
# wimax |
# |
# Look for IPASS style 'realm/', and if not found, look for |
# '@realm', and decide whether or not to proxy, based on |
# that. |
# IPASS |
# |
# If you are using multiple kinds of realms, you probably |
# want to set "ignore_null = yes" for all of them. |
# Otherwise, when the first style of realm doesn't match, |
# the other styles won't be checked. |
# |
suffix |
# ntdomain |
# |
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP |
# authentication. |
# |
# It also sets the EAP-Type attribute in the request |
# attribute list to the EAP type from the packet. |
# |
# The EAP module returns "ok" or "updated" if it is not yet ready |
# to authenticate the user. The configuration below checks for |
# "ok", and stops processing the "authorize" section if so. |
# |
# Any LDAP and/or SQL servers will not be queried for the |
# initial set of packets that go back and forth to set up |
# TTLS or PEAP. |
# |
# The "updated" check is commented out for compatibility with |
# previous versions of this configuration, but you may wish to |
# uncomment it as well; this will further reduce the number of |
# LDAP and/or SQL queries for TTLS or PEAP. |
# |
eap { |
ok = return |
# updated = return |
} |
# |
# Pull crypt'd passwords from /etc/passwd or /etc/shadow, |
# using the system API's to get the password. If you want |
# to read /etc/passwd or /etc/shadow directly, see the |
# mods-available/passwd module. |
# |
# unix |
# |
# Read the 'users' file. In v3, this is located in |
# raddb/mods-config/files/authorize |
files |
# |
# Look in an SQL database. The schema of the database |
# is meant to mirror the "users" file. |
# |
# See "Authorization Queries" in mods-available/sql |
-sql |
# |
# If you are using /etc/smbpasswd, and are also doing |
# mschap authentication, the un-comment this line, and |
# configure the 'smbpasswd' module. |
# smbpasswd |
# |
# The ldap module reads passwords from the LDAP database. |
-ldap |
# |
# Enforce daily limits on time spent logged in. |
# daily |
# |
expiration |
logintime |
# |
# If no other module has claimed responsibility for |
# authentication, then try to use PAP. This allows the |
# other modules listed above to add a "known good" password |
# to the request, and to do nothing else. The PAP module |
# will then see that password, and use it to do PAP |
# authentication. |
# |
# This module should be listed last, so that the other modules |
# get a chance to set Auth-Type for themselves. |
# |
pap |
# |
# If "status_server = yes", then Status-Server messages are passed |
# through the following section, and ONLY the following section. |
# This permits you to do DB queries, for example. If the modules |
# listed here return "fail", then NO response is sent. |
# |
# Autz-Type Status-Server { |
# |
# } |
} |
# Authentication. |
# |
# |
# This section lists which modules are available for authentication. |
# Note that it does NOT mean 'try each module in order'. It means |
# that a module from the 'authorize' section adds a configuration |
# attribute 'Auth-Type := FOO'. That authentication type is then |
# used to pick the appropriate module from the list below. |
# |
# In general, you SHOULD NOT set the Auth-Type attribute. The server |
# will figure it out on its own, and will do the right thing. The |
# most common side effect of erroneously setting the Auth-Type |
# attribute is that one authentication method will work, but the |
# others will not. |
# |
# The common reasons to set the Auth-Type attribute by hand |
# is to either forcibly reject the user (Auth-Type := Reject), |
# or to or forcibly accept the user (Auth-Type := Accept). |
# |
# Note that Auth-Type := Accept will NOT work with EAP. |
# |
# Please do not put "unlang" configurations into the "authenticate" |
# section. Put them in the "post-auth" section instead. That's what |
# the post-auth section is for. |
# |
authenticate { |
# |
# PAP authentication, when a back-end database listed |
# in the 'authorize' section supplies a password. The |
# password can be clear-text, or encrypted. |
Auth-Type PAP { |
pap |
} |
# |
# Most people want CHAP authentication |
# A back-end database listed in the 'authorize' section |
# MUST supply a CLEAR TEXT password. Encrypted passwords |
# won't work. |
Auth-Type CHAP { |
chap |
} |
# |
# MSCHAP authentication. |
Auth-Type MS-CHAP { |
mschap |
} |
# |
# For old names, too. |
# |
mschap |
# |
# If you have a Cisco SIP server authenticating against |
# FreeRADIUS, uncomment the following line, and the 'digest' |
# line in the 'authorize' section. |
digest |
# |
# Pluggable Authentication Modules. |
# pam |
# Uncomment it if you want to use ldap for authentication |
# |
# Note that this means "check plain-text password against |
# the ldap database", which means that EAP won't work, |
# as it does not supply a plain-text password. |
# |
# We do NOT recommend using this. LDAP servers are databases. |
# They are NOT authentication servers. FreeRADIUS is an |
# authentication server, and knows what to do with authentication. |
# LDAP servers do not. |
# |
# Auth-Type LDAP { |
# ldap |
# } |
# |
# Allow EAP authentication. |
eap |
# |
# The older configurations sent a number of attributes in |
# Access-Challenge packets, which wasn't strictly correct. |
# If you want to filter out these attributes, uncomment |
# the following lines. |
# |
# Auth-Type eap { |
# eap { |
# handled = 1 |
# } |
# if (handled && (Response-Packet-Type == Access-Challenge)) { |
# attr_filter.access_challenge.post-auth |
# handled # override the "updated" code from attr_filter |
# } |
# } |
} |
# |
# Pre-accounting. Decide which accounting type to use. |
# |
preacct { |
preprocess |
# |
# Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets |
# into a single 64bit counter Acct-[Input|Output]-Octets64. |
# |
# acct_counters64 |
# |
# Session start times are *implied* in RADIUS. |
# The NAS never sends a "start time". Instead, it sends |
# a start packet, *possibly* with an Acct-Delay-Time. |
# The server is supposed to conclude that the start time |
# was "Acct-Delay-Time" seconds in the past. |
# |
# The code below creates an explicit start time, which can |
# then be used in other modules. It will be *mostly* correct. |
# Any errors are due to the 1-second resolution of RADIUS, |
# and the possibility that the time on the NAS may be off. |
# |
# The start time is: NOW - delay - session_length |
# |
# update request { |
# &FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" |
# } |
# |
# Ensure that we have a semi-unique identifier for every |
# request, and many NAS boxes are broken. |
acct_unique |
# |
# Look for IPASS-style 'realm/', and if not found, look for |
# '@realm', and decide whether or not to proxy, based on |
# that. |
# |
# Accounting requests are generally proxied to the same |
# home server as authentication requests. |
# IPASS |
suffix |
# ntdomain |
# |
# Read the 'acct_users' file |
files |
} |
# |
# Accounting. Log the accounting data. |
# |
accounting { |
# Update accounting packet by adding the CUI attribute |
# recorded from the corresponding Access-Accept |
# use it only if your NAS boxes do not support CUI themselves |
# cui |
# |
# Create a 'detail'ed log of the packets. |
# Note that accounting requests which are proxied |
# are also logged in the detail file. |
detail |
# daily |
# Update the wtmp file |
# |
# If you don't use "radlast", you can delete this line. |
unix |
# |
# For Simultaneous-Use tracking. |
# |
# Due to packet losses in the network, the data here |
# may be incorrect. There is little we can do about it. |
# radutmp |
# sradutmp |
# Return an address to the IP Pool when we see a stop record. |
# main_pool |
# |
# Log traffic to an SQL database. |
# |
# See "Accounting queries" in mods-available/sql |
-sql |
# |
# If you receive stop packets with zero session length, |
# they will NOT be logged in the database. The SQL module |
# will print a message (only in debugging mode), and will |
# return "noop". |
# |
# You can ignore these packets by uncommenting the following |
# three lines. Otherwise, the server will not respond to the |
# accounting request, and the NAS will retransmit. |
# |
# if (noop) { |
# ok |
# } |
# Cisco VoIP specific bulk accounting |
# pgsql-voip |
# For Exec-Program and Exec-Program-Wait |
exec |
# Filter attributes from the accounting response. |
attr_filter.accounting_response |
# |
# See "Autz-Type Status-Server" for how this works. |
# |
# Acct-Type Status-Server { |
# |
# } |
} |
# Session database, used for checking Simultaneous-Use. Either the radutmp |
# or rlm_sql module can handle this. |
# The rlm_sql module is *much* faster |
session { |
# radutmp |
# |
# See "Simultaneous Use Checking Queries" in mods-available/sql |
# sql |
} |
# Post-Authentication |
# Once we KNOW that the user has been authenticated, there are |
# additional steps we can take. |
post-auth { |
# |
# If you need to have a State attribute, you can |
# add it here. e.g. for later CoA-Request with |
# State, and Service-Type = Authorize-Only. |
# |
# if (!&reply:State) { |
# update reply { |
# State := "0x%{randstr:16h}" |
# } |
# } |
# |
# For EAP-TTLS and PEAP, add the cached attributes to the reply. |
# The "session-state" attributes are automatically cached when |
# an Access-Challenge is sent, and automatically retrieved |
# when an Access-Request is received. |
# |
# The session-state attributes are automatically deleted after |
# an Access-Reject or Access-Accept is sent. |
# |
update { |
&reply: += &session-state: |
} |
# Get an address from the IP Pool. |
# main_pool |
# Create the CUI value and add the attribute to Access-Accept. |
# Uncomment the line below if *returning* the CUI. |
# cui |
# |
# If you want to have a log of authentication replies, |
# un-comment the following line, and enable the |
# 'detail reply_log' module. |
# reply_log |
# |
# After authenticating the user, do another SQL query. |
# |
# See "Authentication Logging Queries" in mods-available/sql |
-sql |
# |
# Un-comment the following if you want to modify the user's object |
# in LDAP after a successful login. |
# |
# ldap |
# For Exec-Program and Exec-Program-Wait |
exec |
# |
# Calculate the various WiMAX keys. In order for this to work, |
# you will need to define the WiMAX NAI, usually via |
# |
# update request { |
# WiMAX-MN-NAI = "%{User-Name}" |
# } |
# |
# If you want various keys to be calculated, you will need to |
# update the reply with "template" values. The module will see |
# this, and replace the template values with the correct ones |
# taken from the cryptographic calculations. e.g. |
# |
# update reply { |
# WiMAX-FA-RK-Key = 0x00 |
# WiMAX-MSK = "%{EAP-MSK}" |
# } |
# |
# You may want to delete the MS-MPPE-*-Keys from the reply, |
# as some WiMAX clients behave badly when those attributes |
# are included. See "raddb/modules/wimax", configuration |
# entry "delete_mppe_keys" for more information. |
# |
# wimax |
# If there is a client certificate (EAP-TLS, sometimes PEAP |
# and TTLS), then some attributes are filled out after the |
# certificate verification has been performed. These fields |
# MAY be available during the authentication, or they may be |
# available only in the "post-auth" section. |
# |
# The first set of attributes contains information about the |
# issuing certificate which is being used. The second |
# contains information about the client certificate (if |
# available). |
# |
# update reply { |
# Reply-Message += "%{TLS-Cert-Serial}" |
# Reply-Message += "%{TLS-Cert-Expiration}" |
# Reply-Message += "%{TLS-Cert-Subject}" |
# Reply-Message += "%{TLS-Cert-Issuer}" |
# Reply-Message += "%{TLS-Cert-Common-Name}" |
# Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}" |
# |
# Reply-Message += "%{TLS-Client-Cert-Serial}" |
# Reply-Message += "%{TLS-Client-Cert-Expiration}" |
# Reply-Message += "%{TLS-Client-Cert-Subject}" |
# Reply-Message += "%{TLS-Client-Cert-Issuer}" |
# Reply-Message += "%{TLS-Client-Cert-Common-Name}" |
# Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}" |
# } |
# Insert class attribute (with unique value) into response, |
# aids matching auth and acct records, and protects against duplicate |
# Acct-Session-Id. Note: Only works if the NAS has implemented |
# RFC 2865 behaviour for the class attribute, AND if the NAS |
# supports long Class attributes. Many older or cheap NASes |
# only support 16-octet Class attributes. |
# insert_acct_class |
# MacSEC requires the use of EAP-Key-Name. However, we don't |
# want to send it for all EAP sessions. Therefore, the EAP |
# modules put required data into the EAP-Session-Id attribute. |
# This attribute is never put into a request or reply packet. |
# |
# Uncomment the next few lines to copy the required data into |
# the EAP-Key-Name attribute |
# if (&reply:EAP-Session-Id) { |
# update reply { |
# EAP-Key-Name := &reply:EAP-Session-Id |
# } |
# } |
# Remove reply message if the response contains an EAP-Message |
remove_reply_message_if_eap |
# |
# Access-Reject packets are sent through the REJECT sub-section of the |
# post-auth section. |
# |
# Add the ldap module name (or instance) if you have set |
# 'edir_account_policy_check = yes' in the ldap module configuration |
# |
# The "session-state" attributes are not available here. |
# |
Post-Auth-Type REJECT { |
# log failed authentications in SQL, too. |
-sql |
attr_filter.access_reject |
# Insert EAP-Failure message if the request was |
# rejected by policy instead of because of an |
# authentication failure |
eap |
# Remove reply message if the response contains an EAP-Message |
remove_reply_message_if_eap |
} |
# |
# Filter access challenges. |
# |
Post-Auth-Type Challenge { |
# remove_reply_message_if_eap |
# attr_filter.access_challenge.post-auth |
} |
} |
# |
# When the server decides to proxy a request to a home server, |
# the proxied request is first passed through the pre-proxy |
# stage. This stage can re-write the request, or decide to |
# cancel the proxy. |
# |
# Only a few modules currently have this method. |
# |
pre-proxy { |
# Before proxing the request add an Operator-Name attribute identifying |
# if the operator-name is found for this client. |
# No need to uncomment this if you have already enabled this in |
# the authorize section. |
# operator-name |
# The client requests the CUI by sending a CUI attribute |
# containing one zero byte. |
# Uncomment the line below if *requesting* the CUI. |
# cui |
# Uncomment the following line if you want to change attributes |
# as defined in the preproxy_users file. |
# files |
# Uncomment the following line if you want to filter requests |
# sent to remote servers based on the rules defined in the |
# 'attrs.pre-proxy' file. |
# attr_filter.pre-proxy |
# If you want to have a log of packets proxied to a home |
# server, un-comment the following line, and the |
# 'detail pre_proxy_log' section, above. |
# pre_proxy_log |
} |
# |
# When the server receives a reply to a request it proxied |
# to a home server, the request may be massaged here, in the |
# post-proxy stage. |
# |
post-proxy { |
# If you want to have a log of replies from a home server, |
# un-comment the following line, and the 'detail post_proxy_log' |
# section, above. |
# post_proxy_log |
# Uncomment the following line if you want to filter replies from |
# remote proxies based on the rules defined in the 'attrs' file. |
# attr_filter.post-proxy |
# |
# If you are proxying LEAP, you MUST configure the EAP |
# module, and you MUST list it here, in the post-proxy |
# stage. |
# |
# You MUST also use the 'nostrip' option in the 'realm' |
# configuration. Otherwise, the User-Name attribute |
# in the proxied request will not match the user name |
# hidden inside of the EAP packet, and the end server will |
# reject the EAP request. |
# |
eap |
# |
# If the server tries to proxy a request and fails, then the |
# request is processed through the modules in this section. |
# |
# The main use of this section is to permit robust proxying |
# of accounting packets. The server can be configured to |
# proxy accounting packets as part of normal processing. |
# Then, if the home server goes down, accounting packets can |
# be logged to a local "detail" file, for processing with |
# radrelay. When the home server comes back up, radrelay |
# will read the detail file, and send the packets to the |
# home server. |
# |
# With this configuration, the server always responds to |
# Accounting-Requests from the NAS, but only writes |
# accounting packets to disk if the home server is down. |
# |
# Post-Proxy-Type Fail-Accounting { |
# detail |
# } |
} |
} |
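--- a/conf/radius/queries.conf
+++ b/conf/radius/queries.conf
@@ -0,0 +1,303 @@
+# -*- text -*-
+##
+## dialup.conf -- MySQL configuration for default schema (schema.sql)
+##
+## $Id: dialup.conf 983 2012-08-16 13:34:14Z franck $
+# Safe characters list for sql queries. Everything else is replaced
+# with their mime-encoded equivalents.
+# The default list should be ok
+#safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
+#######################################################################
+# Query config: Username
+#######################################################################
+# This is the username that will get substituted, escaped, and added
+# as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used below
+# everywhere a username substitution is needed so you you can be sure
+# the username passed from the client is escaped properly.
+#
+# Uncomment the next line, if you want the sql_user_name to mean:
+#
+# Use Stripped-User-Name, if it's there.
+# Else use User-Name, if it's there,
+# Else use hard-coded string "DEFAULT" as the user name.
+#sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}"
+#
+sql_user_name = "%{User-Name}"
+#######################################################################
+# Default profile
+#######################################################################
+# This is the default profile. It is found in SQL by group membership.
+# That means that this profile must be a member of at least one group
+# which will contain the corresponding check and reply items.
+# This profile will be queried in the authorize section for every user.
+# The point is to assign all users a default profile without having to
+# manually add each one to a group that will contain the profile.
+# The SQL module will also honor the User-Profile attribute. This
+# attribute can be set anywhere in the authorize section (ie the users
+# file). It is found exactly as the default profile is found.
+# If it is set then it will *overwrite* the default profile setting.
+# The idea is to select profiles based on checks on the incoming packets,
+# not on user group membership. For example:
+# -- users file --
+# DEFAULT Service-Type == Outbound-User, User-Profile := "outbound"
+# DEFAULT Service-Type == Framed-User, User-Profile := "framed"
+#
+# By default the default_user_profile is not set
+#
+default_user_profile = "ldap"
+#######################################################################
+# NAS Query
+#######################################################################
+# This query retrieves the radius clients
+#
+# 0. Row ID (currently unused)
+# 1. Name (or IP address)
+# 2. Shortname
+# 3. Type
+# 4. Secret
+#######################################################################
+nas_query = "SELECT id, nasname, shortname, type, secret FROM ${nas_table}"
+#######################################################################
+# Authorization Queries
+#######################################################################
+# These queries compare the check items for the user
+# in ${authcheck_table} and setup the reply items in
+# ${authreply_table}. You can use any query/tables
+# you want, but the return data for each row MUST
+# be in the following order:
+#
+# 0. Row ID (currently unused)
+# 1. UserName/GroupName
+# 2. Item Attr Name
+# 3. Item Attr Value
+# 4. Item Attr Operation
+#######################################################################
+# Use these for case sensitive usernames.
+authorize_check_query = "SELECT id, username, attribute, value, op \
+FROM ${authcheck_table} \
+WHERE username = BINARY '%{SQL-User-Name}' \
+ORDER BY id"
+authorize_reply_query = "SELECT id, username, attribute, value, op \
+FROM ${authreply_table} \
+WHERE username = BINARY '%{SQL-User-Name}' \
+ORDER BY id"
+# The default queries are case insensitive. (for compatibility with
+# older versions of FreeRADIUS)
+# authorize_check_query = "SELECT id, username, attribute, value, op \
+# FROM ${authcheck_table} \
+# WHERE username = '%{SQL-User-Name}' \
+# ORDER BY id"
+# authorize_reply_query = "SELECT id, username, attribute, value, op \
+# FROM ${authreply_table} \
+# WHERE username = '%{SQL-User-Name}' \
+# ORDER BY id"
+# Use these for case sensitive usernames.
+group_membership_query = "SELECT groupname \
+FROM ${usergroup_table} \
+WHERE username = BINARY '%{SQL-User-Name}' \
+ORDER BY priority"
+# group_membership_query = "SELECT groupname \
+# FROM ${usergroup_table} \
+# WHERE username = '%{SQL-User-Name}' \
+# ORDER BY priority"
+authorize_group_check_query = "SELECT id, groupname, attribute, \
+Value, op \
+FROM ${groupcheck_table} \
+WHERE groupname = '%{Sql-Group}' \
+ORDER BY id"
+authorize_group_reply_query = "SELECT id, groupname, attribute, \
+value, op \
+FROM ${groupreply_table} \
+WHERE groupname = '%{Sql-Group}' \
+ORDER BY id"
+#######################################################################
+# Accounting Queries
+#######################################################################
+# accounting_onoff_query - query for Accounting On/Off packets
+# accounting_update_query - query for Accounting update packets
+# accounting_update_query_alt - query for Accounting update packets
+# (alternate in case first query fails)
+# accounting_start_query - query for Accounting start packets
+# accounting_start_query_alt - query for Accounting start packets
+# (alternate in case first query fails)
+# accounting_stop_query - query for Accounting stop packets
+# accounting_stop_query_alt - query for Accounting start packets
+# (alternate in case first query doesn't
+# affect any existing rows in the table)
+#######################################################################
+accounting_onoff_query = "\
+UPDATE ${acct_table1} \
+SET \
+acctstoptime = '%S', \
+acctsessiontime = unix_timestamp('%S') - \
+unix_timestamp(acctstarttime), \
+acctterminatecause = '%{Acct-Terminate-Cause}', \
+acctstopdelay = %{%{Acct-Delay-Time}:-0} \
+WHERE acctstoptime IS NULL \
+AND nasipaddress = '%{NAS-IP-Address}' \
+AND acctstarttime <= '%S'"
+accounting_update_query = " \
+UPDATE ${acct_table1} \
+SET \
+framedipaddress = '%{Framed-IP-Address}', \
+acctsessiontime = '%{Acct-Session-Time}', \
+acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | \
+'%{%{Acct-Input-Octets}:-0}', \
+acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | \
+'%{%{Acct-Output-Octets}:-0}' \
+WHERE acctsessionid = '%{Acct-Session-Id}' \
+AND username = '%{SQL-User-Name}' \
+AND nasipaddress = '%{NAS-IP-Address}'"
+accounting_update_query_alt = " \
+INSERT INTO ${acct_table1} \
+(acctsessionid, acctuniqueid, username, \
+realm, nasipaddress, nasportid, \
+nasporttype, acctstarttime, acctsessiontime, \
+acctauthentic, connectinfo_start, acctinputoctets, \
+acctoutputoctets, calledstationid, callingstationid, \
+servicetype, framedprotocol, framedipaddress, \
+acctstartdelay, xascendsessionsvrkey) \
+VALUES \
+('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \
+'%{SQL-User-Name}', \
+'%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', \
+'%{NAS-Port-Type}', \
+DATE_SUB('%S', \
+INTERVAL (%{%{Acct-Session-Time}:-0} + \
+%{%{Acct-Delay-Time}:-0}) SECOND), \
+'%{Acct-Session-Time}', \
+'%{Acct-Authentic}', '', \
+'%{%{Acct-Input-Gigawords}:-0}' << 32 | \
+'%{%{Acct-Input-Octets}:-0}', \
+'%{%{Acct-Output-Gigawords}:-0}' << 32 | \
+'%{%{Acct-Output-Octets}:-0}', \
+'%{Called-Station-Id}', '%{Calling-Station-Id}', \
+'%{Service-Type}', '%{Framed-Protocol}', \
+'%{Framed-IP-Address}', \
+'0', '%{X-Ascend-Session-Svr-Key}')"
+accounting_start_query = " \
+INSERT INTO ${acct_table1} \
+(acctsessionid, acctuniqueid, username, \
+realm, nasipaddress, nasportid, \
+nasporttype, acctstarttime, acctstoptime, \
+acctsessiontime, acctauthentic, connectinfo_start, \
+connectinfo_stop, acctinputoctets, acctoutputoctets, \
+calledstationid, callingstationid, acctterminatecause, \
+servicetype, framedprotocol, framedipaddress, \
+acctstartdelay, acctstopdelay, xascendsessionsvrkey) \
+VALUES \
+('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \
+'%{SQL-User-Name}', \
+'%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', \
+'%{NAS-Port-Type}', '%S', NULL, \
+'0', '%{Acct-Authentic}', '%{Connect-Info}', \
+'', '0', '0', \
+'%{Called-Station-Id}', '%{Calling-Station-Id}', '', \
+'%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', \
+'%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')"
+accounting_start_query_alt = " \
+UPDATE ${acct_table1} SET \
+acctstarttime = '%S', \
+acctstartdelay = '%{%{Acct-Delay-Time}:-0}', \
+connectinfo_start = '%{Connect-Info}' \
+WHERE acctsessionid = '%{Acct-Session-Id}' \
+AND username = '%{SQL-User-Name}' \
+AND nasipaddress = '%{NAS-IP-Address}'"
+accounting_stop_query = " \
+UPDATE ${acct_table2} SET \
+acctstoptime = '%S', \
+acctsessiontime = '%{Acct-Session-Time}', \
+acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | \
+'%{%{Acct-Input-Octets}:-0}', \
+acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | \
+'%{%{Acct-Output-Octets}:-0}', \
+acctterminatecause = '%{Acct-Terminate-Cause}', \
+acctstopdelay = '%{%{Acct-Delay-Time}:-0}', \
+connectinfo_stop = '%{Connect-Info}' \
+WHERE acctsessionid = '%{Acct-Session-Id}' \
+AND username = '%{SQL-User-Name}' \
+AND nasipaddress = '%{NAS-IP-Address}'"
+accounting_stop_query_alt = " \
+INSERT INTO ${acct_table2} \
+(acctsessionid, acctuniqueid, username, \
+realm, nasipaddress, nasportid, \
+nasporttype, acctstarttime, acctstoptime, \
+acctsessiontime, acctauthentic, connectinfo_start, \
+connectinfo_stop, acctinputoctets, acctoutputoctets, \
+calledstationid, callingstationid, acctterminatecause, \
+servicetype, framedprotocol, framedipaddress, \
+acctstartdelay, acctstopdelay) \
+VALUES \
+('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \
+'%{SQL-User-Name}', \
+'%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', \
+'%{NAS-Port-Type}', \
+DATE_SUB('%S', \
+INTERVAL (%{%{Acct-Session-Time}:-0} + \
+%{%{Acct-Delay-Time}:-0}) SECOND), \
+'%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', \
+'%{Connect-Info}', \
+'%{%{Acct-Input-Gigawords}:-0}' << 32 | \
+'%{%{Acct-Input-Octets}:-0}', \
+'%{%{Acct-Output-Gigawords}:-0}' << 32 | \
+'%{%{Acct-Output-Octets}:-0}', \
+'%{Called-Station-Id}', '%{Calling-Station-Id}', \
+'%{Acct-Terminate-Cause}', \
+'%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', \
+'0', '%{%{Acct-Delay-Time}:-0}')"
+#######################################################################
+# Simultaneous Use Checking Queries
+#######################################################################
+# simul_count_query - query for the number of current connections
+# - If this is not defined, no simultaneouls use checking
+# - will be performed by this module instance
+# simul_verify_query - query to return details of current connections for verification
+# - Leave blank or commented out to disable verification step
+# - Note that the returned field order should not be changed.
+#######################################################################
+# Uncomment simul_count_query to enable simultaneous use checking
+simul_count_query = "SELECT COUNT(*) \
+FROM ${acct_table1} \
+WHERE username = '%{SQL-User-Name}' \
+AND acctstoptime IS NULL"
+#simul_verify_query = "SELECT radacctid, acctsessionid, username, \
+#nasipaddress, nasportid, framedipaddress, \
+#callingstationid, framedprotocol \
+#FROM ${acct_table1} \
+#WHERE username = '%{SQL-User-Name}' \
+#AND acctstoptime IS NULL"
+#######################################################################
+# Authentication Logging Queries
+#######################################################################
+# postauth_query - Insert some info after authentication
+#######################################################################
+# (username, pass, reply, authdate) \
+# '%{%{User-Password}:-%{Chap-Password}}', \
+postauth_query = "INSERT INTO ${postauth_table} \
+(username, reply, authdate) \
+VALUES ( \
+'%{User-Name}', \
+'%{reply:Packet-Type}', '%S')"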
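--- a/conf/radius/sql
+++ b/conf/radius/sql
@@ -0,0 +1,264 @@
+# -*- text -*-
+##
+## sql.conf -- SQL modules
+##
+## $Id: 4a59483c35c77f573fb177919e19ba4434cc3da1 $
+######################################################################
+#
+# Configuration for the SQL module
+#
+# The database schemas and queries are located in subdirectories:
+#
+# sql/<DB>/main/schema.sql Schema
+# sql/<DB>/main/queries.conf Authorisation and Accounting queries
+#
+# Where "DB" is mysql, mssql, oracle, or postgresql.
+#
+#
+sql {
+# The sub-module to use to execute queries. This should match
+# the database you're attempting to connect to.
+#
+# * rlm_sql_mysql
+# * rlm_sql_mssql
+# * rlm_sql_oracle
+# * rlm_sql_postgresql
+# * rlm_sql_sqlite
+# * rlm_sql_null (log queries to disk)
+#
+driver = "rlm_sql_mysql"
+#
+# Several drivers accept specific options, to set them, a
+# config section with the the name as the driver should be added
+# to the sql instance.
+#
+# Driver specific options are:
+#
+# sqlite {
+# # Path to the sqlite database
+# filename = "/tmp/freeradius.db"
+#
+# # How long to wait for write locks on the database to be
+# # released (in ms) before giving up.
+# busy_timeout = 200
+#
+# # If the file above does not exist and bootstrap is set
+# # a new database file will be created, and the SQL statements
+# # contained within the bootstrap file will be executed.
+# bootstrap = "${modconfdir}/${..:name}/main/sqlite/schema.sql"
+# }
+#
+# mysql {
+# # If any of the files below are set, TLS encryption is enabled
+# tls {
+# ca_file = "/etc/ssl/certs/my_ca.crt"
+# ca_path = "/etc/ssl/certs/"
+# certificate_file = "/etc/ssl/certs/private/client.crt"
+# private_key_file = "/etc/ssl/certs/private/client.key"
+# cipher = "DHE-RSA-AES256-SHA:AES128-SHA"
+# }
+#
+# # If yes, (or auto and libmysqlclient reports warnings are
+# # available), will retrieve and log additional warnings from
+# # the server if an error has occured. Defaults to 'auto'
+# warnings = auto
+# }
+#
+# postgresql {
+#
+# # unlike MySQL, which has a tls{} connection configuration, postgresql
+# # uses its connection parameters - see the radius_db option below in
+# # this file
+#
+# # Send application_name to the postgres server
+# # Only supported in PG 9.0 and greater. Defaults to no.
+# send_application_name = yes
+# }
+#
+# The dialect of SQL you want to use, this should usually match
+# the driver you selected above.
+#
+# If you're using rlm_sql_null, then it should be the type of
+# database the logged queries are going to be executed against.
+dialect = "mysql"
+# Connection info:
+#
+server = "localhost"
+port = 3306
+login = "radius"
+password = "radpass"
+# Database table configuration for everything except Oracle
+radius_db = "radius"
+# If you are using Oracle then use this instead
+# radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))"
+# If you're using postgresql this can also be used instead of the connection info parameters
+# radius_db = "dbname=radius host=localhost user=radius password=raddpass"
+# Postgreql doesn't take tls{} options in its module config like mysql does - if you want to
+# use SSL connections then use this form of connection info parameter
+# radius_db = "host=localhost port=5432 dbname=radius user=radius password=raddpass sslmode=verify-full sslcert=/etc/ssl/client.crt sslkey=/etc/ssl/client.key sslrootcert=/etc/ssl/ca.crt"
+# If you want both stop and start records logged to the
+# same SQL table, leave this as is. If you want them in
+# different tables, put the start table in acct_table1
+# and stop table in acct_table2
+acct_table1 = "radacct"
+acct_table2 = "radacct"
+# Allow for storing data after authentication
+postauth_table = "radpostauth"
+# Tables containing 'check' items
+authcheck_table = "radcheck"
+groupcheck_table = "radgroupcheck"
+# Tables containing 'reply' items
+authreply_table = "radreply"
+groupreply_table = "radgroupreply"
+# Table to keep group info
+usergroup_table = "radusergroup"
+# If set to 'yes' (default) we read the group tables unless Fall-Through = no in the reply table.
+# If set to 'no' we do not read the group tables unless Fall-Through = yes in the reply table.
+# read_groups = yes
+# If set to 'yes' (default) we read profiles unless Fall-Through = no in the groupreply table.
+# If set to 'no' we do not read profiles unless Fall-Through = yes in the groupreply table.
+# read_profiles = yes
+# Remove stale session if checkrad does not see a double login
+delete_stale_sessions = yes
+# Write SQL queries to a logfile. This is potentially useful for tracing
+# issues with authorization queries. See also "logfile" directives in
+# mods-config/sql/main/*/queries.conf. You can enable per-section logging
+# by enabling "logfile" there, or global logging by enabling "logfile" here.
+#
+# Per-section logging can be disabled by setting "logfile = ''"
+# logfile = ${logdir}/sqllog.sql
+# Set the maximum query duration and connection timeout
+# for rlm_sql_mysql.
+# query_timeout = 5
+# As of version 3.0, the "pool" section has replaced the
+# following configuration items:
+#
+# num_sql_socks
+# connect_failure_retry_delay
+# lifetime
+# max_queries
+#
+# The connection pool is new for 3.0, and will be used in many
+# modules, for all kinds of connection-related activity.
+#
+# When the server is not threaded, the connection pool
+# limits are ignored, and only one connection is used.
+#
+# If you want to have multiple SQL modules re-use the same
+# connection pool, use "pool = name" instead of a "pool"
+# section. e.g.
+#
+# sql1 {
+# ...
+# pool {
+# ...
+# }
+# }
+#
+# # sql2 will use the connection pool from sql1
+# sql2 {
+# ...
+# pool = sql1
+# }
+#
+pool {
+# Connections to create during module instantiation.
+# If the server cannot create specified number of
+# connections during instantiation it will exit.
+# Set to 0 to allow the server to start without the
+# database being available.
+start = ${thread[pool].start_servers}
+# Minimum number of connections to keep open
+min = ${thread[pool].min_spare_servers}
+# Maximum number of connections
+#
+# If these connections are all in use and a new one
+# is requested, the request will NOT get a connection.
+#
+# Setting 'max' to LESS than the number of threads means
+# that some threads may starve, and you will see errors
+# like 'No connections available and at max connection limit'
+#
+# Setting 'max' to MORE than the number of threads means
+# that there are more connections than necessary.
+max = ${thread[pool].max_servers}
+# Spare connections to be left idle
+#
+# NOTE: Idle connections WILL be closed if "idle_timeout"
+# is set. This should be less than or equal to "max" above.
+spare = ${thread[pool].max_spare_servers}
+# Number of uses before the connection is closed
+#
+# 0 means "infinite"
+uses = 0
+# The number of seconds to wait after the server tries
+# to open a connection, and fails. During this time,
+# no new connections will be opened.
+retry_delay = 30
+# The lifetime (in seconds) of the connection
+lifetime = 0
+# idle timeout (in seconds). A connection which is
+# unused for this length of time will be closed.
+idle_timeout = 60
+# NOTE: All configuration settings are enforced. If a
+# connection is closed because of "idle_timeout",
+# "uses", or "lifetime", then the total number of
+# connections MAY fall below "min". When that
+# happens, it will open a new connection. It will
+# also log a WARNING message.
+#
+# The solution is to either lower the "min" connections,
+# or increase lifetime/idle_timeout.
+}
+# Set to 'yes' to read radius clients from the database ('nas' table)
+# Clients will ONLY be read on server startup.
+# read_clients = yes
+# Table to keep radius client info
+client_table = "nas"
+#
+# The group attribute specific to this instance of rlm_sql
+#
+# This entry should be used for additional instances (sql foo {})
+# of the SQL module.
+# group_attribute = "${.:instance}-SQL-Group"
+# This entry should be used for the default instance (sql {})
+# of the SQL module.
+group_attribute = "SQL-Group"
+# Read database-specific queries
+$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
+}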
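Review bot: `password = "radpass"` (next to `login = "radius"`) is the FreeRADIUS sample default committed in clear text in the tracked file; unless the ALCASAR install script rewrites this value at deployment time, which the diff does not show, every installation would share a publicly documented database credential. Keeping the secret out of version control — a placeholder the installer substitutes, or an `$INCLUDE` of a separately generated file readable only by root and the radiusd user — and ensuring this file is not world-readable would close that, and a comment above the line such as `# replaced at install time; never commit a real password here` would make the intent explicit. A smaller point: with `driver = "rlm_sql_mysql"` and `server = "localhost"`, libmysqlclient normally connects over the Unix socket, so `port = 3306` is not what is used; a comment like `# ignored for "localhost" (Unix socket); use 127.0.0.1 to force TCP, and then add a tls {} block` would avoid the false impression of a TCP connection.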