Chetan Gaonker | 7f4bf74 | 2016-05-04 15:56:08 -0700 | [diff] [blame] | 1 | # -*- text -*- |
| 2 | ## |
| 3 | ## radiusd.conf -- FreeRADIUS server configuration file - 3.0.3 |
| 4 | ## |
| 5 | ## http://www.freeradius.org/ |
| 6 | ## $Id: 307ae108f579b9c339e6ba819387ff7ad8baff87 $ |
| 7 | ## |
| 8 | |
| 9 | ###################################################################### |
| 10 | # |
| 11 | # Read "man radiusd" before editing this file. See the section |
| 12 | # titled DEBUGGING. It outlines a method where you can quickly |
| 13 | # obtain the configuration you want, without running into |
| 14 | # trouble. |
| 15 | # |
| 16 | # Run the server in debugging mode, and READ the output. |
| 17 | # |
| 18 | # $ radiusd -X |
| 19 | # |
| 20 | # We cannot emphasize this point strongly enough. The vast |
| 21 | # majority of problems can be solved by carefully reading the |
| 22 | # debugging output, which includes warnings about common issues, |
| 23 | # and suggestions for how they may be fixed. |
| 24 | # |
| 25 | # There may be a lot of output, but look carefully for words like: |
| 26 | # "warning", "error", "reject", or "failure". The messages there |
| 27 | # will usually be enough to guide you to a solution. |
| 28 | # |
| 29 | # If you are going to ask a question on the mailing list, then |
| 30 | # explain what you are trying to do, and include the output from |
| 31 | # debugging mode (radiusd -X). Failure to do so means that all |
| 32 | # of the responses to your question will be people telling you |
| 33 | # to "post the output of radiusd -X". |
| 34 | |
| 35 | ###################################################################### |
| 36 | # |
| 37 | # The location of other config files and logfiles are declared |
| 38 | # in this file. |
| 39 | # |
| 40 | # Also general configuration for modules can be done in this |
| 41 | # file, it is exported through the API to modules that ask for |
| 42 | # it. |
| 43 | # |
| 44 | # See "man radiusd.conf" for documentation on the format of this |
| 45 | # file. Note that the individual configuration items are NOT |
| 46 | # documented in that "man" page. They are only documented here, |
| 47 | # in the comments. |
| 48 | # |
| 49 | # The "unlang" policy language can be used to create complex |
| 50 | # if / else policies. See "man unlang" for details. |
| 51 | # |
| 52 | |
| 53 | prefix = /usr |
| 54 | exec_prefix = /usr |
| 55 | sysconfdir = /etc |
| 56 | localstatedir = /var |
| 57 | sbindir = ${exec_prefix}/sbin |
| 58 | logdir = /var/log/freeradius |
| 59 | raddbdir = /etc/freeradius |
| 60 | radacctdir = ${logdir}/radacct |
| 61 | |
| 62 | # |
| 63 | # name of the running server. See also the "-n" command-line option. |
| 64 | name = radiusd |
| 65 | |
| 66 | # Location of config and logfiles. |
| 67 | confdir = ${raddbdir} |
| 68 | modconfdir = ${confdir}/mods-config |
A R Karthick | aa10a20 | 2016-08-15 15:06:21 -0700 | [diff] [blame] | 69 | certdir = ${confdir}/certs_2 |
| 70 | cadir = ${confdir}/certs_2 |
Chetan Gaonker | 7f4bf74 | 2016-05-04 15:56:08 -0700 | [diff] [blame] | 71 | run_dir = ${localstatedir}/run/${name} |
| 72 | |
| 73 | # Should likely be ${localstatedir}/lib/radiusd |
| 74 | db_dir = ${raddbdir} |
| 75 | |
| 76 | # |
| 77 | # libdir: Where to find the rlm_* modules. |
| 78 | # |
| 79 | # This should be automatically set at configuration time. |
| 80 | # |
| 81 | # If the server builds and installs, but fails at execution time |
| 82 | # with an 'undefined symbol' error, then you can use the libdir |
| 83 | # directive to work around the problem. |
| 84 | # |
| 85 | # The cause is usually that a library has been installed on your |
| 86 | # system in a place where the dynamic linker CANNOT find it. When |
| 87 | # executing as root (or another user), your personal environment MAY |
| 88 | # be set up to allow the dynamic linker to find the library. When |
| 89 | # executing as a daemon, FreeRADIUS MAY NOT have the same |
| 90 | # personalized configuration. |
| 91 | # |
| 92 | # To work around the problem, find out which library contains that symbol, |
| 93 | # and add the directory containing that library to the end of 'libdir', |
| 94 | # with a colon separating the directory names. NO spaces are allowed. |
| 95 | # |
| 96 | # e.g. libdir = /usr/local/lib:/opt/package/lib |
| 97 | # |
| 98 | # You can also try setting the LD_LIBRARY_PATH environment variable |
| 99 | # in a script which starts the server. |
| 100 | # |
| 101 | # If that does not work, then you can re-configure and re-build the |
| 102 | # server to NOT use shared libraries, via: |
| 103 | # |
| 104 | # ./configure --disable-shared |
| 105 | # make |
| 106 | # make install |
| 107 | # |
| 108 | libdir = /usr/lib/freeradius |
| 109 | |
| 110 | # pidfile: Where to place the PID of the RADIUS server. |
| 111 | # |
| 112 | # The server may be signalled while it's running by using this |
| 113 | # file. |
| 114 | # |
| 115 | # This file is written when ONLY running in daemon mode. |
| 116 | # |
| 117 | # e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid` |
| 118 | # |
| 119 | pidfile = ${run_dir}/${name}.pid |
| 120 | |
| 121 | # panic_action: Command to execute if the server dies unexpectedly. |
| 122 | # |
| 123 | # FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT. |
| 124 | # AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS. |
| 125 | # AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART. |
| 126 | # |
| 127 | # THE SERVER MUST NOT BE ALLOWED EXECUTE UNTRUSTED PANIC ACTION CODE |
| 128 | # PATTACH CAN BE USED AS AN ATTACK VECTOR. |
| 129 | # |
| 130 | # The panic action is a command which will be executed if the server |
| 131 | # receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS, |
| 132 | # SIGABRT or SIGFPE. |
| 133 | # |
| 134 | # This can be used to start an interactive debugging session so |
| 135 | # that information regarding the current state of the server can |
| 136 | # be acquired. |
| 137 | # |
| 138 | # The following string substitutions are available: |
| 139 | # - %e The currently executing program e.g. /sbin/radiusd |
| 140 | # - %p The PID of the currently executing program e.g. 12345 |
| 141 | # |
| 142 | # Standard ${} substitutions are also allowed. |
| 143 | # |
| 144 | # An example panic action for opening an interactive session in GDB would be: |
| 145 | # |
| 146 | #panic_action = "gdb %e %p" |
| 147 | # |
| 148 | # Again, don't use that on a production system. |
| 149 | # |
| 150 | # An example panic action for opening an automated session in GDB would be: |
| 151 | # |
| 152 | #panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log" |
| 153 | # |
| 154 | # That command can be used on a production system. |
| 155 | # |
| 156 | |
| 157 | # max_request_time: The maximum time (in seconds) to handle a request. |
| 158 | # |
| 159 | # Requests which take more time than this to process may be killed, and |
| 160 | # a REJECT message is returned. |
| 161 | # |
| 162 | # WARNING: If you notice that requests take a long time to be handled, |
| 163 | # then this MAY INDICATE a bug in the server, in one of the modules |
| 164 | # used to handle a request, OR in your local configuration. |
| 165 | # |
| 166 | # This problem is most often seen when using an SQL database. If it takes |
| 167 | # more than a second or two to receive an answer from the SQL database, |
| 168 | # then it probably means that you haven't indexed the database. See your |
| 169 | # SQL server documentation for more information. |
| 170 | # |
| 171 | # Useful range of values: 5 to 120 |
| 172 | # |
| 173 | max_request_time = 30 |
| 174 | |
| 175 | # cleanup_delay: The time to wait (in seconds) before cleaning up |
| 176 | # a reply which was sent to the NAS. |
| 177 | # |
| 178 | # The RADIUS request is normally cached internally for a short period |
| 179 | # of time, after the reply is sent to the NAS. The reply packet may be |
| 180 | # lost in the network, and the NAS will not see it. The NAS will then |
| 181 | # re-send the request, and the server will respond quickly with the |
| 182 | # cached reply. |
| 183 | # |
| 184 | # If this value is set too low, then duplicate requests from the NAS |
| 185 | # MAY NOT be detected, and will instead be handled as separate requests. |
| 186 | # |
| 187 | # If this value is set too high, then the server will cache too many |
| 188 | # requests, and some new requests may get blocked. (See 'max_requests'.) |
| 189 | # |
| 190 | # Useful range of values: 2 to 10 |
| 191 | # |
| 192 | cleanup_delay = 5 |
| 193 | |
| 194 | # max_requests: The maximum number of requests which the server keeps |
| 195 | # track of. This should be 256 multiplied by the number of clients. |
| 196 | # e.g. With 4 clients, this number should be 1024. |
| 197 | # |
| 198 | # If this number is too low, then when the server becomes busy, |
| 199 | # it will not respond to any new requests, until the 'cleanup_delay' |
| 200 | # time has passed, and it has removed the old requests. |
| 201 | # |
| 202 | # If this number is set too high, then the server will use a bit more |
| 203 | # memory for no real benefit. |
| 204 | # |
| 205 | # If you aren't sure what it should be set to, it's better to set it |
| 206 | # too high than too low. Setting it to 1000 per client is probably |
| 207 | # the highest it should be. |
| 208 | # |
| 209 | # Useful range of values: 256 to infinity |
| 210 | # |
| 211 | max_requests = 1024 |
| 212 | |
| 213 | # hostname_lookups: Log the names of clients or just their IP addresses |
| 214 | # e.g., www.freeradius.org (on) or 206.47.27.232 (off). |
| 215 | # |
| 216 | # The default is 'off' because it would be overall better for the net |
| 217 | # if people had to knowingly turn this feature on, since enabling it |
| 218 | # means that each client request will result in AT LEAST one lookup |
| 219 | # request to the nameserver. Enabling hostname_lookups will also |
| 220 | # mean that your server may stop randomly for 30 seconds from time |
| 221 | # to time, if the DNS requests take too long. |
| 222 | # |
| 223 | # Turning hostname lookups off also means that the server won't block |
| 224 | # for 30 seconds, if it sees an IP address which has no name associated |
| 225 | # with it. |
| 226 | # |
| 227 | # allowed values: {no, yes} |
| 228 | # |
| 229 | hostname_lookups = no |
| 230 | |
| 231 | # |
| 232 | # Logging section. The various "log_*" configuration items |
| 233 | # will eventually be moved here. |
| 234 | # |
| 235 | log { |
| 236 | # |
| 237 | # Destination for log messages. This can be one of: |
| 238 | # |
| 239 | # files - log to "file", as defined below. |
| 240 | # syslog - to syslog (see also the "syslog_facility", below. |
| 241 | # stdout - standard output |
| 242 | # stderr - standard error. |
| 243 | # |
| 244 | # The command-line option "-X" over-rides this option, and forces |
| 245 | # logging to go to stdout. |
| 246 | # |
| 247 | destination = files |
| 248 | |
| 249 | # |
| 250 | # Highlight important messages sent to stderr and stdout. |
| 251 | # |
| 252 | # Option will be ignored (disabled) if output if TERM is not |
| 253 | # an xterm or output is not to a TTY. |
| 254 | # |
| 255 | colourise = yes |
| 256 | |
| 257 | # |
| 258 | # The logging messages for the server are appended to the |
| 259 | # tail of this file if destination == "files" |
| 260 | # |
| 261 | # If the server is running in debugging mode, this file is |
| 262 | # NOT used. |
| 263 | # |
| 264 | file = ${logdir}/radius.log |
| 265 | |
| 266 | # |
| 267 | # If this configuration parameter is set, then log messages for |
| 268 | # a *request* go to this file, rather than to radius.log. |
| 269 | # |
| 270 | # i.e. This is a log file per request, once the server has accepted |
| 271 | # the request as being from a valid client. Messages that are |
| 272 | # not associated with a request still go to radius.log. |
| 273 | # |
| 274 | # Not all log messages in the server core have been updated to use |
| 275 | # this new internal API. As a result, some messages will still |
| 276 | # go to radius.log. Please submit patches to fix this behavior. |
| 277 | # |
| 278 | # The file name is expanded dynamically. You should ONLY user |
| 279 | # server-side attributes for the filename (e.g. things you control). |
| 280 | # Using this feature MAY also slow down the server substantially, |
| 281 | # especially if you do thinks like SQL calls as part of the |
| 282 | # expansion of the filename. |
| 283 | # |
| 284 | # The name of the log file should use attributes that don't change |
| 285 | # over the lifetime of a request, such as User-Name, |
| 286 | # Virtual-Server or Packet-Src-IP-Address. Otherwise, the log |
| 287 | # messages will be distributed over multiple files. |
| 288 | # |
| 289 | # Logging can be enabled for an individual request by a special |
| 290 | # dynamic expansion macro: %{debug: 1}, where the debug level |
| 291 | # for this request is set to '1' (or 2, 3, etc.). e.g. |
| 292 | # |
| 293 | # ... |
| 294 | # update control { |
| 295 | # Tmp-String-0 = "%{debug:1}" |
| 296 | # } |
| 297 | # ... |
| 298 | # |
| 299 | # The attribute that the value is assigned to is unimportant, |
| 300 | # and should be a "throw-away" attribute with no side effects. |
| 301 | # |
| 302 | #requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log |
| 303 | |
| 304 | # |
| 305 | # Which syslog facility to use, if ${destination} == "syslog" |
| 306 | # |
| 307 | # The exact values permitted here are OS-dependent. You probably |
| 308 | # don't want to change this. |
| 309 | # |
| 310 | syslog_facility = daemon |
| 311 | |
| 312 | # Log the full User-Name attribute, as it was found in the request. |
| 313 | # |
| 314 | # allowed values: {no, yes} |
| 315 | # |
| 316 | stripped_names = no |
| 317 | |
| 318 | # Log authentication requests to the log file. |
| 319 | # |
| 320 | # allowed values: {no, yes} |
| 321 | # |
| 322 | auth = no |
| 323 | |
| 324 | # Log passwords with the authentication requests. |
| 325 | # auth_badpass - logs password if it's rejected |
| 326 | # auth_goodpass - logs password if it's correct |
| 327 | # |
| 328 | # allowed values: {no, yes} |
| 329 | # |
| 330 | auth_badpass = no |
| 331 | auth_goodpass = no |
| 332 | |
| 333 | # Log additional text at the end of the "Login OK" messages. |
| 334 | # for these to work, the "auth" and "auth_goodpass" or "auth_badpass" |
| 335 | # configurations above have to be set to "yes". |
| 336 | # |
| 337 | # The strings below are dynamically expanded, which means that |
| 338 | # you can put anything you want in them. However, note that |
| 339 | # this expansion can be slow, and can negatively impact server |
| 340 | # performance. |
| 341 | # |
| 342 | # msg_goodpass = "" |
| 343 | # msg_badpass = "" |
| 344 | |
| 345 | # The message when the user exceeds the Simultaneous-Use limit. |
| 346 | # |
| 347 | msg_denied = "You are already logged in - access denied" |
| 348 | } |
| 349 | |
| 350 | # The program to execute to do concurrency checks. |
| 351 | checkrad = ${sbindir}/checkrad |
| 352 | |
| 353 | # SECURITY CONFIGURATION |
| 354 | # |
| 355 | # There may be multiple methods of attacking on the server. This |
| 356 | # section holds the configuration items which minimize the impact |
| 357 | # of those attacks |
| 358 | # |
| 359 | security { |
| 360 | # chroot: directory where the server does "chroot". |
| 361 | # |
| 362 | # The chroot is done very early in the process of starting |
| 363 | # the server. After the chroot has been performed it |
| 364 | # switches to the "user" listed below (which MUST be |
| 365 | # specified). If "group" is specified, it switches to that |
| 366 | # group, too. Any other groups listed for the specified |
| 367 | # "user" in "/etc/group" are also added as part of this |
| 368 | # process. |
| 369 | # |
| 370 | # The current working directory (chdir / cd) is left |
| 371 | # *outside* of the chroot until all of the modules have been |
| 372 | # initialized. This allows the "raddb" directory to be left |
| 373 | # outside of the chroot. Once the modules have been |
| 374 | # initialized, it does a "chdir" to ${logdir}. This means |
| 375 | # that it should be impossible to break out of the chroot. |
| 376 | # |
| 377 | # If you are worried about security issues related to this |
| 378 | # use of chdir, then simply ensure that the "raddb" directory |
| 379 | # is inside of the chroot, end be sure to do "cd raddb" |
| 380 | # BEFORE starting the server. |
| 381 | # |
| 382 | # If the server is statically linked, then the only files |
| 383 | # that have to exist in the chroot are ${run_dir} and |
| 384 | # ${logdir}. If you do the "cd raddb" as discussed above, |
| 385 | # then the "raddb" directory has to be inside of the chroot |
| 386 | # directory, too. |
| 387 | # |
| 388 | # chroot = /path/to/chroot/directory |
| 389 | |
| 390 | # user/group: The name (or #number) of the user/group to run radiusd as. |
| 391 | # |
| 392 | # If these are commented out, the server will run as the |
| 393 | # user/group that started it. In order to change to a |
| 394 | # different user/group, you MUST be root ( or have root |
| 395 | # privileges ) to start the server. |
| 396 | # |
| 397 | # We STRONGLY recommend that you run the server with as few |
| 398 | # permissions as possible. That is, if you're not using |
| 399 | # shadow passwords, the user and group items below should be |
| 400 | # set to radius'. |
| 401 | # |
| 402 | # NOTE that some kernels refuse to setgid(group) when the |
| 403 | # value of (unsigned)group is above 60000; don't use group |
| 404 | # "nobody" on these systems! |
| 405 | # |
| 406 | # On systems with shadow passwords, you might have to set |
| 407 | # 'group = shadow' for the server to be able to read the |
| 408 | # shadow password file. If you can authenticate users while |
| 409 | # in debug mode, but not in daemon mode, it may be that the |
| 410 | # debugging mode server is running as a user that can read |
| 411 | # the shadow info, and the user listed below can not. |
| 412 | # |
| 413 | # The server will also try to use "initgroups" to read |
| 414 | # /etc/groups. It will join all groups where "user" is a |
| 415 | # member. This can allow for some finer-grained access |
| 416 | # controls. |
| 417 | # |
| 418 | # user = radius |
| 419 | # group = radius |
| 420 | |
| 421 | # Core dumps are a bad thing. This should only be set to |
| 422 | # 'yes' if you're debugging a problem with the server. |
| 423 | # |
| 424 | # allowed values: {no, yes} |
| 425 | # |
| 426 | allow_core_dumps = no |
| 427 | |
| 428 | # |
| 429 | # max_attributes: The maximum number of attributes |
| 430 | # permitted in a RADIUS packet. Packets which have MORE |
| 431 | # than this number of attributes in them will be dropped. |
| 432 | # |
| 433 | # If this number is set too low, then no RADIUS packets |
| 434 | # will be accepted. |
| 435 | # |
| 436 | # If this number is set too high, then an attacker may be |
| 437 | # able to send a small number of packets which will cause |
| 438 | # the server to use all available memory on the machine. |
| 439 | # |
| 440 | # Setting this number to 0 means "allow any number of attributes" |
| 441 | max_attributes = 200 |
| 442 | |
| 443 | # |
| 444 | # reject_delay: When sending an Access-Reject, it can be |
| 445 | # delayed for a few seconds. This may help slow down a DoS |
| 446 | # attack. It also helps to slow down people trying to brute-force |
| 447 | # crack a users password. |
| 448 | # |
| 449 | # Setting this number to 0 means "send rejects immediately" |
| 450 | # |
| 451 | # If this number is set higher than 'cleanup_delay', then the |
| 452 | # rejects will be sent at 'cleanup_delay' time, when the request |
| 453 | # is deleted from the internal cache of requests. |
| 454 | # |
| 455 | # Useful ranges: 1 to 5 |
| 456 | reject_delay = 1 |
| 457 | |
| 458 | # |
| 459 | # status_server: Whether or not the server will respond |
| 460 | # to Status-Server requests. |
| 461 | # |
| 462 | # When sent a Status-Server message, the server responds with |
| 463 | # an Access-Accept or Accounting-Response packet. |
| 464 | # |
| 465 | # This is mainly useful for administrators who want to "ping" |
| 466 | # the server, without adding test users, or creating fake |
| 467 | # accounting packets. |
| 468 | # |
| 469 | # It's also useful when a NAS marks a RADIUS server "dead". |
| 470 | # The NAS can periodically "ping" the server with a Status-Server |
| 471 | # packet. If the server responds, it must be alive, and the |
| 472 | # NAS can start using it for real requests. |
| 473 | # |
| 474 | # See also raddb/sites-available/status |
| 475 | # |
| 476 | status_server = yes |
| 477 | |
| 478 | # |
| 479 | # allow_vulnerable_openssl = yes |
| 480 | # versions of OpenSSL known to have critical vulnerabilities. |
| 481 | # |
| 482 | # This check is based on the version number reported by libssl |
| 483 | # and may not reflect patches applied to libssl by |
| 484 | # distribution maintainers. |
| 485 | # |
| 486 | allow_vulnerable_openssl = yes |
| 487 | } |
| 488 | |
| 489 | # PROXY CONFIGURATION |
| 490 | # |
| 491 | # proxy_requests: Turns proxying of RADIUS requests on or off. |
| 492 | # |
| 493 | # The server has proxying turned on by default. If your system is NOT |
| 494 | # set up to proxy requests to another server, then you can turn proxying |
| 495 | # off here. This will save a small amount of resources on the server. |
| 496 | # |
| 497 | # If you have proxying turned off, and your configuration files say |
| 498 | # to proxy a request, then an error message will be logged. |
| 499 | # |
| 500 | # To disable proxying, change the "yes" to "no", and comment the |
| 501 | # $INCLUDE line. |
| 502 | # |
| 503 | # allowed values: {no, yes} |
| 504 | # |
| 505 | proxy_requests = yes |
| 506 | $INCLUDE proxy.conf |
| 507 | |
| 508 | |
| 509 | # CLIENTS CONFIGURATION |
| 510 | # |
| 511 | # Client configuration is defined in "clients.conf". |
| 512 | # |
| 513 | |
| 514 | # The 'clients.conf' file contains all of the information from the old |
| 515 | # 'clients' and 'naslist' configuration files. We recommend that you |
| 516 | # do NOT use 'client's or 'naslist', although they are still |
| 517 | # supported. |
| 518 | # |
| 519 | # Anything listed in 'clients.conf' will take precedence over the |
| 520 | # information from the old-style configuration files. |
| 521 | # |
| 522 | $INCLUDE clients.conf |
| 523 | |
| 524 | |
| 525 | # THREAD POOL CONFIGURATION |
| 526 | # |
| 527 | # The thread pool is a long-lived group of threads which |
| 528 | # take turns (round-robin) handling any incoming requests. |
| 529 | # |
| 530 | # You probably want to have a few spare threads around, |
| 531 | # so that high-load situations can be handled immediately. If you |
| 532 | # don't have any spare threads, then the request handling will |
| 533 | # be delayed while a new thread is created, and added to the pool. |
| 534 | # |
| 535 | # You probably don't want too many spare threads around, |
| 536 | # otherwise they'll be sitting there taking up resources, and |
| 537 | # not doing anything productive. |
| 538 | # |
| 539 | # The numbers given below should be adequate for most situations. |
| 540 | # |
| 541 | thread pool { |
| 542 | # Number of servers to start initially --- should be a reasonable |
| 543 | # ballpark figure. |
| 544 | start_servers = 5 |
| 545 | |
| 546 | # Limit on the total number of servers running. |
| 547 | # |
| 548 | # If this limit is ever reached, clients will be LOCKED OUT, so it |
| 549 | # should NOT BE SET TOO LOW. It is intended mainly as a brake to |
| 550 | # keep a runaway server from taking the system with it as it spirals |
| 551 | # down... |
| 552 | # |
| 553 | # You may find that the server is regularly reaching the |
| 554 | # 'max_servers' number of threads, and that increasing |
| 555 | # 'max_servers' doesn't seem to make much difference. |
| 556 | # |
| 557 | # If this is the case, then the problem is MOST LIKELY that |
| 558 | # your back-end databases are taking too long to respond, and |
| 559 | # are preventing the server from responding in a timely manner. |
| 560 | # |
| 561 | # The solution is NOT do keep increasing the 'max_servers' |
| 562 | # value, but instead to fix the underlying cause of the |
| 563 | # problem: slow database, or 'hostname_lookups=yes'. |
| 564 | # |
| 565 | # For more information, see 'max_request_time', above. |
| 566 | # |
| 567 | max_servers = 32 |
| 568 | |
| 569 | # Server-pool size regulation. Rather than making you guess |
| 570 | # how many servers you need, FreeRADIUS dynamically adapts to |
| 571 | # the load it sees, that is, it tries to maintain enough |
| 572 | # servers to handle the current load, plus a few spare |
| 573 | # servers to handle transient load spikes. |
| 574 | # |
| 575 | # It does this by periodically checking how many servers are |
| 576 | # waiting for a request. If there are fewer than |
| 577 | # min_spare_servers, it creates a new spare. If there are |
| 578 | # more than max_spare_servers, some of the spares die off. |
| 579 | # The default values are probably OK for most sites. |
| 580 | # |
| 581 | min_spare_servers = 3 |
| 582 | max_spare_servers = 10 |
| 583 | |
| 584 | # When the server receives a packet, it places it onto an |
| 585 | # internal queue, where the worker threads (configured above) |
| 586 | # pick it up for processing. The maximum size of that queue |
| 587 | # is given here. |
| 588 | # |
| 589 | # When the queue is full, any new packets will be silently |
| 590 | # discarded. |
| 591 | # |
| 592 | # The most common cause of the queue being full is that the |
| 593 | # server is dependent on a slow database, and it has received |
| 594 | # a large "spike" of traffic. When that happens, there is |
| 595 | # very little you can do other than make sure the server |
| 596 | # receives less traffic, or make sure that the database can |
| 597 | # handle the load. |
| 598 | # |
| 599 | # max_queue_size = 65536 |
| 600 | |
| 601 | # There may be memory leaks or resource allocation problems with |
| 602 | # the server. If so, set this value to 300 or so, so that the |
| 603 | # resources will be cleaned up periodically. |
| 604 | # |
| 605 | # This should only be necessary if there are serious bugs in the |
| 606 | # server which have not yet been fixed. |
| 607 | # |
| 608 | # '0' is a special value meaning 'infinity', or 'the servers never |
| 609 | # exit' |
| 610 | max_requests_per_server = 0 |
| 611 | |
| 612 | # Automatically limit the number of accounting requests. |
| 613 | # This configuration item tracks how many requests per second |
| 614 | # the server can handle. It does this by tracking the |
| 615 | # packets/s received by the server for processing, and |
| 616 | # comparing that to the packets/s handled by the child |
| 617 | # threads. |
| 618 | # |
| 619 | |
| 620 | # If the received PPS is larger than the processed PPS, *and* |
| 621 | # the queue is more than half full, then new accounting |
| 622 | # requests are probabilistically discarded. This lowers the |
| 623 | # number of packets that the server needs to process. Over |
| 624 | # time, the server will "catch up" with the traffic. |
| 625 | # |
| 626 | # Throwing away accounting packets is usually safe and low |
| 627 | # impact. The NAS will retransmit them in a few seconds, or |
| 628 | # even a few minutes. Vendors should read RFC 5080 Section 2.2.1 |
| 629 | # to see how accounting packets should be retransmitted. Using |
| 630 | # any other method is likely to cause network meltdowns. |
| 631 | # |
| 632 | auto_limit_acct = no |
| 633 | } |
| 634 | |
| 635 | # MODULE CONFIGURATION |
| 636 | # |
| 637 | # The names and configuration of each module is located in this section. |
| 638 | # |
| 639 | # After the modules are defined here, they may be referred to by name, |
| 640 | # in other sections of this configuration file. |
| 641 | # |
| 642 | modules { |
| 643 | # |
| 644 | # Each module has a configuration as follows: |
| 645 | # |
| 646 | # name [ instance ] { |
| 647 | # config_item = value |
| 648 | # ... |
| 649 | # } |
| 650 | # |
| 651 | # The 'name' is used to load the 'rlm_name' library |
| 652 | # which implements the functionality of the module. |
| 653 | # |
| 654 | # The 'instance' is optional. To have two different instances |
| 655 | # of a module, it first must be referred to by 'name'. |
| 656 | # The different copies of the module are then created by |
| 657 | # inventing two 'instance' names, e.g. 'instance1' and 'instance2' |
| 658 | # |
| 659 | # The instance names can then be used in later configuration |
| 660 | # INSTEAD of the original 'name'. See the 'radutmp' configuration |
| 661 | # for an example. |
| 662 | # |
| 663 | |
| 664 | # |
| 665 | # As of 3.0, modules are in mods-enabled/. Files matching |
| 666 | # the regex /[a-zA-Z0-9_.]+/ are loaded. The modules are |
| 667 | # initialized ONLY if they are referenced in a processing |
| 668 | # section, such as authorize, authenticate, accounting, |
| 669 | # pre/post-proxy, etc. |
| 670 | # |
| 671 | $INCLUDE mods-enabled/ |
| 672 | } |
| 673 | |
| 674 | # Instantiation |
| 675 | # |
| 676 | # This section orders the loading of the modules. Modules |
| 677 | # listed here will get loaded BEFORE the later sections like |
| 678 | # authorize, authenticate, etc. get examined. |
| 679 | # |
| 680 | # This section is not strictly needed. When a section like |
| 681 | # authorize refers to a module, it's automatically loaded and |
| 682 | # initialized. However, some modules may not be listed in any |
| 683 | # of the following sections, so they can be listed here. |
| 684 | # |
| 685 | # Also, listing modules here ensures that you have control over |
| 686 | # the order in which they are initialized. If one module needs |
| 687 | # something defined by another module, you can list them in order |
| 688 | # here, and ensure that the configuration will be OK. |
| 689 | # |
| 690 | # After the modules listed here have been loaded, all of the modules |
| 691 | # in the "mods-enabled" directory will be loaded. Loading the |
| 692 | # "mods-enabled" directory means that unlike Version 2, you usually |
| 693 | # don't need to list modules here. |
| 694 | # |
| 695 | instantiate { |
| 696 | # |
| 697 | # We list the counter module here so that it registers |
| 698 | # the check_name attribute before any module which sets |
| 699 | # it |
| 700 | # daily |
| 701 | |
| 702 | # subsections here can be thought of as "virtual" modules. |
| 703 | # |
| 704 | # e.g. If you have two redundant SQL servers, and you want to |
| 705 | # use them in the authorize and accounting sections, you could |
| 706 | # place a "redundant" block in each section, containing the |
| 707 | # exact same text. Or, you could uncomment the following |
| 708 | # lines, and list "redundant_sql" in the authorize and |
| 709 | # accounting sections. |
| 710 | # |
| 711 | #redundant redundant_sql { |
| 712 | # sql1 |
| 713 | # sql2 |
| 714 | #} |
| 715 | } |
| 716 | |
| 717 | ###################################################################### |
| 718 | # |
| 719 | # Policies are virtual modules, similar to those defined in the |
| 720 | # "instantiate" section above. |
| 721 | # |
| 722 | # Defining a policy in one of the policy.d files means that it can be |
| 723 | # referenced in multiple places as a *name*, rather than as a series of |
| 724 | # conditions to match, and actions to take. |
| 725 | # |
| 726 | # Policies are something like subroutines in a normal language, but |
| 727 | # they cannot be called recursively. They MUST be defined in order. |
| 728 | # If policy A calls policy B, then B MUST be defined before A. |
| 729 | # |
| 730 | ###################################################################### |
| 731 | policy { |
| 732 | $INCLUDE policy.d/ |
| 733 | } |
| 734 | |
| 735 | ###################################################################### |
| 736 | # |
| 737 | # SNMP notifications. Uncomment the following line to enable |
| 738 | # snmptraps. Note that you MUST also configure the full path |
| 739 | # to the "snmptrap" command in the "trigger.conf" file. |
| 740 | # |
| 741 | #$INCLUDE trigger.conf |
| 742 | |
| 743 | ###################################################################### |
| 744 | # |
| 745 | # Load virtual servers. |
| 746 | # |
| 747 | # This next $INCLUDE line loads files in the directory that |
| 748 | # match the regular expression: /[a-zA-Z0-9_.]+/ |
| 749 | # |
| 750 | # It allows you to define new virtual servers simply by placing |
| 751 | # a file into the raddb/sites-enabled/ directory. |
| 752 | # |
| 753 | $INCLUDE sites-enabled/ |
| 754 | |
| 755 | ###################################################################### |
| 756 | # |
| 757 | # All of the other configuration sections like "authorize {}", |
| 758 | # "authenticate {}", "accounting {}", have been moved to the |
| 759 | # the file: |
| 760 | # |
| 761 | # raddb/sites-available/default |
| 762 | # |
| 763 | # This is the "default" virtual server that has the same |
| 764 | # configuration as in version 1.0.x and 1.1.x. The default |
| 765 | # installation enables this virtual server. You should |
| 766 | # edit it to create policies for your local site. |
| 767 | # |
| 768 | # For more documentation on virtual servers, see: |
| 769 | # |
| 770 | # raddb/sites-available/README |
| 771 | # |
| 772 | ###################################################################### |