Chetan Gaonker | 7f4bf74 | 2016-05-04 15:56:08 -0700
######################################################################
#
#	As of 2.0.0, FreeRADIUS supports virtual hosts using the
#	"server" section, and configuration directives.
#
#	Virtual hosts should be put into the "sites-available"
#	directory. Soft links should be created in the "sites-enabled"
#	directory to these files. This is done in a normal installation.
#
#	If you are using 802.1X (EAP) authentication, please see also
#	the "inner-tunnel" virtual server. You will likely have to edit
#	that, too, for authentication to work.
#
#	$Id: 3278975e054fab504afda5ba8fc999239cb2fb9d $
#
######################################################################
#
#	Read "man radiusd" before editing this file. See the section
#	titled DEBUGGING. It outlines a method where you can quickly
#	obtain the configuration you want, without running into
#	trouble. See also "man unlang", which documents the format
#	of this file.
#
#	This configuration is designed to work in the widest possible
#	set of circumstances, with the widest possible number of
#	authentication methods. This means that in general, you should
#	need to make very few changes to this file.
#
#	The best way to configure the server for your local system
#	is to CAREFULLY edit this file. Most attempts to make large
#	edits to this file will BREAK THE SERVER. Any edits should
#	be small, and tested by running the server with "radiusd -X".
#	Once the edits have been verified to work, save a copy of these
#	configuration files somewhere. (e.g. as a "tar" file). Then,
#	make more edits, and test, as above.
#
#	There are many "commented out" references to modules such
#	as ldap, sql, etc. These references serve as place-holders.
#	If you need the functionality of that module, then configure
#	it in radiusd.conf, and un-comment the references to it in
#	this file. In most cases, those small changes will result
#	in the server being able to connect to the DB, and to
#	authenticate users.
#
######################################################################

server default {
#
#  If you want the server to listen on additional addresses, or on
#  additional ports, you can use multiple "listen" sections.
#
#  Each section makes the server listen for only one type of packet,
#  therefore authentication and accounting have to be configured in
#  different sections.
#
#  The server ignores all "listen" sections if you are using '-i' and '-p'
#  on the command line.
#
listen {
	#  Type of packets to listen for.
	#  Allowed values are:
	#	auth	listen for authentication packets
	#	acct	listen for accounting packets
	#	proxy   IP to use for sending proxied packets
	#	detail  Read from the detail file. For examples, see
	#               raddb/sites-available/copy-acct-to-home-server
	#	status  listen for Status-Server packets. For examples,
	#		see raddb/sites-available/status
	#	coa     listen for CoA-Request and Disconnect-Request
	#		packets. For examples, see the file
	#		raddb/sites-available/coa-server
	#
	type = auth

	#  Note: "type = proxy" lets you control the source IP used for
	#        proxying packets, with some limitations:
	#
	#    * A proxy listener CANNOT be used in a virtual server section.
	#    * You should probably set "port = 0".
	#    * Any "clients" configuration will be ignored.
	#
	#  See also proxy.conf, and the "src_ipaddr" configuration entry
	#  in the sample "home_server" section. When you specify the
	#  source IP address for packets sent to a home server, the
	#  proxy listeners are automatically created.

	#  IP address on which to listen.
	#  Allowed values are:
	#	dotted quad (1.2.3.4)
	#       hostname    (radius.example.com)
	#       wildcard    (*)
	ipaddr = *

	#  OR, you can use an IPv6 address, but not both
	#  at the same time.
#	ipv6addr = ::	# any.  ::1 == localhost

	#  Port on which to listen.
	#  Allowed values are:
	#	integer port number (1812)
	#	0 means "use /etc/services for the proper port"
	port = 0

	#  Some systems support binding to an interface, in addition
	#  to the IP address. This feature isn't strictly necessary,
	#  but for sites with many IP addresses on one interface,
	#  it's useful to say "listen on all addresses for eth0".
	#
	#  If your system does not support this feature, you will
	#  get an error if you try to use it.
	#
#	interface = eth0

	#  Per-socket lists of clients. This is a very useful feature.
	#
	#  The name here is a reference to a section elsewhere in
	#  radiusd.conf, or clients.conf. Having the name as
	#  a reference allows multiple sockets to use the same
	#  set of clients.
	#
	#  If this configuration is used, then the global list of clients
	#  is IGNORED for this "listen" section. Take care configuring
	#  this feature, to ensure you don't accidentally disable a
	#  client you need.
	#
	#  See clients.conf for the configuration of "per_socket_clients".
	#
#	clients = per_socket_clients

	#
	#  Connection limiting for sockets with "proto = tcp".
	#
	#  This section is ignored for other kinds of sockets.
	#
	limit {
	      #
	      #  Limit the number of simultaneous TCP connections to the socket
	      #
	      #  The default is 16.
	      #  Setting this to 0 means "no limit"
	      max_connections = 16

	      #  The per-socket "max_requests" option does not exist.

	      #
	      #  The lifetime, in seconds, of a TCP connection. After
	      #  this lifetime, the connection will be closed.
	      #
	      #  Setting this to 0 means "forever".
	      lifetime = 0

	      #
	      #  The idle timeout, in seconds, of a TCP connection.
	      #  If no packets have been received over the connection for
	      #  this time, the connection will be closed.
	      #
	      #  Setting this to 0 means "no timeout".
	      #
	      #  We STRONGLY RECOMMEND that you set an idle timeout.
	      #
	      idle_timeout = 30
	}
}

#
#  This second "listen" section is for listening on the accounting
#  port, too.
#
listen {
	ipaddr = *
#	ipv6addr = ::
	port = 0
	type = acct
#	interface = eth0
#	clients = per_socket_clients

	limit {
		#  The number of packets received can be rate limited via the
		#  "max_pps" configuration item. When it is set, the server
		#  tracks the total number of packets received in the previous
		#  second. If the count is greater than "max_pps", then the
		#  new packet is silently discarded. This helps the server
		#  deal with overload situations.
		#
		#  The packets/s counter is tracked in a sliding window. This
		#  means that the pps calculation is done for the second
		#  before the current packet was received. NOT for the current
		#  wall-clock second, and NOT for the previous wall-clock second.
		#
		#  Useful values are 0 (no limit), or 100 to 10000.
		#  Values lower than 100 will likely cause the server to ignore
		#  normal traffic. Few systems are capable of handling more than
		#  10K packets/s.
		#
		#  It is most useful for accounting systems. Set it to 50%
		#  more than the normal accounting load, and you can be sure that
		#  the server will never get overloaded.
		#
#		max_pps = 0

		#  Only for "proto = tcp". These are ignored for "udp" sockets.
		#
#		idle_timeout = 0
#		lifetime = 0
#		max_connections = 0
	}
}
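
The two "limit" blocks above describe overload protection in prose only: a sliding-window packets-per-second cap for the accounting socket, and a connection table bounded by max_connections, lifetime and idle_timeout for TCP sockets. The following is an added Python model of those semantics (not FreeRADIUS code, and not how the server implements them internally); the PpsLimiter, TcpListener and demo names, the peer strings and every timestamp are constructed for the example. Timestamps are passed in by the caller so the scenario is deterministic.

```python
"""Listener overload protection modelled on the "limit" options of the
FreeRADIUS sites-available/default listen sections.  Added example, not
FreeRADIUS code: the classes reproduce the documented semantics so the
behaviour can be reasoned about offline.  Caller-supplied float timestamps
keep the demo deterministic."""
from __future__ import annotations
from collections import deque


class PpsLimiter:
    """Sliding-window packets-per-second limiter (the "max_pps" item).

    The window is the one second ending at the current packet's arrival,
    not the current or previous wall-clock second.  This model admits at
    most max_pps packets in any such window; max_pps == 0 disables it.
    """

    def __init__(self, max_pps: int):
        if max_pps < 0:
            raise ValueError("max_pps must be >= 0")
        self.max_pps = max_pps
        self._arrivals: deque[float] = deque()   # accepted arrival times
        self.dropped = 0

    def accept(self, now: float) -> bool:
        # Slide the window: forget packets that arrived >= 1 s ago.
        while self._arrivals and now - self._arrivals[0] >= 1.0:
            self._arrivals.popleft()
        if self.max_pps and len(self._arrivals) >= self.max_pps:
            self.dropped += 1        # silently discarded: no reply is sent
            return False
        self._arrivals.append(now)
        return True


class TcpListener:
    """Connection admission for a "proto = tcp" socket.

    max_connections == 0 means unlimited, lifetime == 0 means forever,
    idle_timeout == 0 means never close for idleness (the default of 30
    is what the shipped config recommends).
    """

    def __init__(self, max_connections=16, lifetime=0, idle_timeout=30):
        self.max_connections = max_connections
        self.lifetime = lifetime
        self.idle_timeout = idle_timeout
        self._conns: dict[str, tuple[float, float]] = {}  # peer -> (opened, last_pkt)

    def reap(self, now: float) -> list[str]:
        """Close connections past their lifetime or idle for too long."""
        closed = []
        for peer, (opened, last) in list(self._conns.items()):
            if (self.lifetime and now - opened >= self.lifetime) or \
               (self.idle_timeout and now - last >= self.idle_timeout):
                closed.append(peer)
                del self._conns[peer]
        return closed

    def connect(self, peer: str, now: float) -> bool:
        self.reap(now)
        if self.max_connections and len(self._conns) >= self.max_connections:
            return False             # refused: connection table is full
        self._conns[peer] = (now, now)
        return True

    def packet(self, peer: str, now: float) -> None:
        opened, _ = self._conns[peer]
        self._conns[peer] = (opened, now)   # activity resets the idle clock

    def open_connections(self) -> int:
        return len(self._conns)


def demo() -> dict:
    """Constructed scenario exercising both limiters."""
    pps = PpsLimiter(max_pps=3)
    burst = [pps.accept(t) for t in (10.0, 10.2, 10.4, 10.6)]  # 4th dropped
    later = pps.accept(11.0)        # window slid past t=10.0: accepted

    tcp = TcpListener(max_connections=2, idle_timeout=30)
    a = tcp.connect("10.0.0.1:50000", now=0.0)
    b = tcp.connect("10.0.0.2:50000", now=1.0)
    c = tcp.connect("10.0.0.3:50000", now=2.0)   # refused, table full
    tcp.packet("10.0.0.1:50000", now=20.0)       # keeps the first one busy
    reaped = tcp.reap(now=31.5)                  # second peer idle since t=1
    d = tcp.connect("10.0.0.3:50000", now=32.0)  # now there is room
    return {"burst": burst, "later": later, "dropped": pps.dropped,
            "connects": (a, b, c, d), "reaped": reaped,
            "open": tcp.open_connections()}


if __name__ == "__main__":
    print(demo())
```

The reaper is run on every connect so that a busy socket never refuses a new client on the strength of connections that are already dead; with idle_timeout = 0, as in the commented-out accounting block, nothing is ever reaped and the table can only shrink when a peer closes its side, which is why the config recommends setting a timeout.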

#  Authorization. First preprocess (hints and huntgroups files),
#  then realms, and finally look in the "users" file.
#
#  Any changes made here should also be made to the "inner-tunnel"
#  virtual server.
#
#  The order of the realm modules will determine the order that
#  we try to find a matching realm.
#
#  Make *sure* that 'preprocess' comes before any realm if you
#  need to set up hints for the remote radius server
authorize {
	#
	#  Take a User-Name, and perform some checks on it, for spaces and other
	#  invalid characters. If the User-Name appears invalid, reject the
	#  request.
	#
	#  See policy.d/filter for the definition of the filter_username policy.
	#
	filter_username

	#
	#  The preprocess module takes care of sanitizing some bizarre
	#  attributes in the request, and turning them into attributes
	#  which are more standard.
	#
	#  It takes care of processing the 'raddb/hints' and the
	#  'raddb/huntgroups' files.
	preprocess

	#  If you intend to use CUI and you require that the Operator-Name
	#  be set for CUI generation and you want to generate CUI also
	#  for your local clients then uncomment the operator-name
	#  below and set the operator-name for your clients in clients.conf
#	operator-name

	#
	#  If you want to generate CUI for some clients that do not
	#  send proper CUI requests, then uncomment the
	#  cui below and set "add_cui = yes" for these clients in clients.conf
#	cui

	#
	#  If you want to have a log of authentication requests,
	#  un-comment the following line, and the 'detail auth_log'
	#  section, above.
#	auth_log

	#
	#  The chap module will set 'Auth-Type := CHAP' if we are
	#  handling a CHAP request and Auth-Type has not already been set
	#chap

	#
	#  If the users are logging in with an MS-CHAP-Challenge
	#  attribute for authentication, the mschap module will find
	#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
	#  to the request, which will cause the server to then use
	#  the mschap module for authentication.
	#mschap

	#
	#  If you have a Cisco SIP server authenticating against
	#  FreeRADIUS, uncomment the following line, and the 'digest'
	#  line in the 'authenticate' section.
	#digest

	#
	#  The WiMAX specification says that the Calling-Station-Id
	#  is 6 octets of the MAC. This definition conflicts with
	#  RFC 3580, and all common RADIUS practices. Un-commenting
	#  the "wimax" module here means that it will fix the
	#  Calling-Station-Id attribute to the normal format as
	#  specified in RFC 3580 Section 3.21.
#	wimax

	#
	#  Look for IPASS style 'realm/', and if not found, look for
	#  '@realm', and decide whether or not to proxy, based on
	#  that.
#	IPASS

	#
	#  If you are using multiple kinds of realms, you probably
	#  want to set "ignore_null = yes" for all of them.
	#  Otherwise, when the first style of realm doesn't match,
	#  the other styles won't be checked.
	#
	suffix
#	ntdomain

	#
	#  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
	#  authentication.
	#
	#  It also sets the EAP-Type attribute in the request
	#  attribute list to the EAP type from the packet.
	#
	#  As of 2.0, the EAP module returns "ok" in the authorize stage
	#  for TTLS and PEAP. In 1.x, it never returned "ok" here, so
	#  this change is compatible with older configurations.
	#
	#  The example below uses module failover to avoid querying all
	#  of the following modules if the EAP module returns "ok".
	#  Therefore, your LDAP and/or SQL servers will not be queried
	#  for the many packets that go back and forth to set up TTLS
	#  or PEAP. The load on those servers will therefore be reduced.
	#
	eap {
		ok = return
	}

	#
	#  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
	#  using the system API's to get the password. If you want
	#  to read /etc/passwd or /etc/shadow directly, see the
	#  passwd module in radiusd.conf.
	#
#	unix

	#
	#  Read the 'users' file
	files

	#
	#  Look in an SQL database. The schema of the database
	#  is meant to mirror the "users" file.
	#
	#  See "Authorization Queries" in sql.conf
	-sql

	#
	#  If you are using /etc/smbpasswd, and are also doing
	#  mschap authentication, then un-comment this line, and
	#  configure the 'smbpasswd' module.
#	smbpasswd

	#
	#  The ldap module reads passwords from the LDAP database.
	-ldap

	#
	#  Enforce daily limits on time spent logged in.
#	daily

	#
	expiration
	logintime

	#
	#  If no other module has claimed responsibility for
	#  authentication, then try to use PAP. This allows the
	#  other modules listed above to add a "known good" password
	#  to the request, and to do nothing else. The PAP module
	#  will then see that password, and use it to do PAP
	#  authentication.
	#
	#  This module should be listed last, so that the other modules
	#  get a chance to set Auth-Type for themselves.
	#
	pap

	#
	#  If "status_server = yes", then Status-Server messages are passed
	#  through the following section, and ONLY the following section.
	#  This permits you to do DB queries, for example. If the modules
	#  listed here return "fail", then NO response is sent.
	#
#	Autz-Type Status-Server {
#
#	}
}


#  Authentication.
#
#
#  This section lists which modules are available for authentication.
#  Note that it does NOT mean 'try each module in order'. It means
#  that a module from the 'authorize' section adds a configuration
#  attribute 'Auth-Type := FOO'. That authentication type is then
#  used to pick the appropriate module from the list below.
#

#  In general, you SHOULD NOT set the Auth-Type attribute. The server
#  will figure it out on its own, and will do the right thing. The
#  most common side effect of erroneously setting the Auth-Type
#  attribute is that one authentication method will work, but the
#  others will not.
#
#  The common reasons to set the Auth-Type attribute by hand
#  are to either forcibly reject the user (Auth-Type := Reject),
#  or to forcibly accept the user (Auth-Type := Accept).
#
#  Note that Auth-Type := Accept will NOT work with EAP.
#
#  Please do not put "unlang" configurations into the "authenticate"
#  section. Put them in the "post-auth" section instead. That's what
#  the post-auth section is for.
#
authenticate {
	#
	#  PAP authentication, when a back-end database listed
	#  in the 'authorize' section supplies a password. The
	#  password can be clear-text, or encrypted.
	Auth-Type PAP {
		pap
	}

	#
	#  Most people want CHAP authentication
	#  A back-end database listed in the 'authorize' section
	#  MUST supply a CLEAR TEXT password. Encrypted passwords
	#  won't work.
	#Auth-Type CHAP {
	#
	#	chap
	# }

	#
	#  MSCHAP authentication.
#	Auth-Type MS-CHAP {
#		mschap
#	}

	#
	#  If you have a Cisco SIP server authenticating against
	#  FreeRADIUS, uncomment the following line, and the 'digest'
	#  line in the 'authorize' section.
#	digest

	#
	#  Pluggable Authentication Modules.
#	pam

	#  Uncomment it if you want to use ldap for authentication
	#
	#  Note that this means "check plain-text password against
	#  the ldap database", which means that EAP won't work,
	#  as it does not supply a plain-text password.
	#
	#  We do NOT recommend using this. LDAP servers are databases.
	#  They are NOT authentication servers. FreeRADIUS is an
	#  authentication server, and knows what to do with authentication.
	#  LDAP servers do not.
	#
#	Auth-Type LDAP {
#		ldap
#	}

	#
	#  Allow EAP authentication.
	eap

	#
	#  The older configurations sent a number of attributes in
	#  Access-Challenge packets, which wasn't strictly correct.
	#  If you want to filter out these attributes, uncomment
	#  the following lines.
	#
#	Auth-Type eap {
#		eap {
#			handled = 1
#		}
#		if (handled && (Response-Packet-Type == Access-Challenge)) {
#			attr_filter.access_challenge.post-auth
#			handled  # override the "updated" code from attr_filter
#		}
#	}
}
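
The authorize and authenticate sections above describe a two-stage model: modules in authorize validate the User-Name, add a "known good" password from a back end and set Auth-Type, and that attribute then selects the one module that runs in authenticate. The comments also state two constraints worth seeing in code: pap must be listed last in authorize, and a CHAP back end must hold the clear-text password while PAP can verify a hashed one. The following added Python model (not FreeRADIUS code, and not the real policy.d/filter or rlm_pap/rlm_chap logic) walks a request through that flow. The USERS table, the "SHA256-Password" stored form, the filter_username checks, the module and function names, and the chap_request helper that builds a NAS-side CHAP response are all constructed for the example; CHAP verification itself follows RFC 1994 / RFC 2865 (MD5 over identifier, secret and challenge, with the Request Authenticator used as the challenge when no CHAP-Challenge attribute is present).

```python
"""Model of the authorize -> Auth-Type -> authenticate flow from the FreeRADIUS
sites-available/default comments.  Added example, not FreeRADIUS code: the
"modules" are small functions and the credential store is constructed inline.
It shows why a CHAP back end must hold the clear-text password, why PAP can
work from a hashed one, and why pap must be the last authorize module."""
from __future__ import annotations
import hashlib
import hmac
import os

# Constructed stand-in for the "users" file / SQL / LDAP.  "Cleartext-Password"
# mirrors FreeRADIUS; "SHA256-Password" is this example's own hashed form.
USERS = {
    "alice": {"Cleartext-Password": "correct horse"},
    "bob":   {"SHA256-Password": hashlib.sha256(b"battery staple").hexdigest()},
}


# ---- authorize-stage modules: each returns a module return code ----------
def filter_username(req):
    """Constructed subset of the filter_username policy: reject whitespace
    and control characters in the User-Name."""
    name = req.get("User-Name", "")
    if not name or any(c.isspace() or ord(c) < 0x20 for c in name):
        return "reject"
    return "noop"


def chap(req):
    """Claim the request if it carries a CHAP-Password and nothing else has
    set Auth-Type yet."""
    if "CHAP-Password" in req and "Auth-Type" not in req["control"]:
        req["control"]["Auth-Type"] = "CHAP"
        return "ok"
    return "noop"


def files(req):
    """Add the "known good" password for the user to the control list."""
    entry = USERS.get(req["User-Name"])
    if entry is None:
        return "notfound"
    req["control"].update(entry)
    return "ok"


def pap(req):
    """Last in authorize: only claims the request if no module has already
    set Auth-Type and a back end supplied a password to check against."""
    if "Auth-Type" in req["control"]:
        return "noop"
    known = {"Cleartext-Password", "SHA256-Password"} & req["control"].keys()
    if "User-Password" in req and known:
        req["control"]["Auth-Type"] = "PAP"
        return "updated"
    return "noop"


# ---- authenticate-stage modules: return True on success -------------------
def auth_pap(req):
    ctrl, pw = req["control"], req["User-Password"].encode()
    if "Cleartext-Password" in ctrl:
        return hmac.compare_digest(pw, ctrl["Cleartext-Password"].encode())
    if "SHA256-Password" in ctrl:       # hashed form is fine for PAP
        return hmac.compare_digest(hashlib.sha256(pw).hexdigest(),
                                   ctrl["SHA256-Password"])
    return False


def auth_chap(req):
    ctrl = req["control"]
    if "Cleartext-Password" not in ctrl:
        return False   # the MD5 response can only be recomputed from the secret
    ident, response = req["CHAP-Password"][:1], req["CHAP-Password"][1:]
    challenge = req.get("CHAP-Challenge") or req["Authenticator"]
    expected = hashlib.md5(ident + ctrl["Cleartext-Password"].encode()
                           + challenge).digest()
    return hmac.compare_digest(response, expected)


AUTHORIZE = [filter_username, chap, files, pap]
AUTHENTICATE = {"PAP": auth_pap, "CHAP": auth_chap}


def process(req) -> str:
    """Run the request through authorize, then dispatch on Auth-Type."""
    req.setdefault("control", {})
    for module in AUTHORIZE:
        if module(req) == "reject":
            return "Access-Reject"
    auth_type = req["control"].get("Auth-Type")
    if auth_type == "Reject":
        return "Access-Reject"
    if auth_type == "Accept":
        return "Access-Accept"
    handler = AUTHENTICATE.get(auth_type)
    if handler is None:
        return "Access-Reject"       # "No Auth-Type found": nobody claimed it
    return "Access-Accept" if handler(req) else "Access-Reject"


def chap_request(user, password, ident=1, challenge=None):
    """Constructed NAS side of CHAP: what a client would put on the wire."""
    challenge = challenge or os.urandom(16)
    resp = hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()
    return {"User-Name": user, "CHAP-Challenge": challenge,
            "CHAP-Password": bytes([ident]) + resp, "Authenticator": challenge}


def demo() -> dict:
    return {
        "pap_clear":   process({"User-Name": "alice", "User-Password": "correct horse"}),
        "pap_hashed":  process({"User-Name": "bob", "User-Password": "battery staple"}),
        "pap_wrong":   process({"User-Name": "bob", "User-Password": "wrong"}),
        "chap_clear":  process(chap_request("alice", "correct horse")),
        "chap_hashed": process(chap_request("bob", "battery staple")),  # no clear text
        "bad_name":    process({"User-Name": "al ice", "User-Password": "x"}),
        "unknown":     process({"User-Name": "mallory", "User-Password": "x"}),
    }


if __name__ == "__main__":
    print(demo())
```

The "chap_hashed" case is the one the authenticate comments warn about: bob's correct password is rejected because the server only has a hash and cannot recompute the MD5 response. Moving pap ahead of files in AUTHORIZE would make every PAP request fail the same way, since pap would run before any "known good" password had been added, which is the reason the shipped config lists it last.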


#
#  Pre-accounting. Decide which accounting type to use.
#
preacct {
	preprocess

	#
	#  Merge Acct-[Input|Output]-Gigawords and Acct-[Input|Output]-Octets
	#  into a single 64-bit counter Acct-[Input|Output]-Octets64.
	#
#	acct_counters64

	#
	#  Session start times are *implied* in RADIUS.
	#  The NAS never sends a "start time". Instead, it sends
	#  a start packet, *possibly* with an Acct-Delay-Time.
	#  The server is supposed to conclude that the start time
	#  was "Acct-Delay-Time" seconds in the past.
	#
	#  The code below creates an explicit start time, which can
	#  then be used in other modules. It will be *mostly* correct.
	#  Any errors are due to the 1-second resolution of RADIUS,
	#  and the possibility that the time on the NAS may be off.
	#
	#  The start time is:  NOW - delay - session_length
	#

#	update request {
#	  	FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
#	}


	#
	#  Ensure that we have a semi-unique identifier for every
	#  request, as many NAS boxes are broken.
	acct_unique

	#
	#  Look for IPASS-style 'realm/', and if not found, look for
	#  '@realm', and decide whether or not to proxy, based on
	#  that.
	#
	#  Accounting requests are generally proxied to the same
	#  home server as authentication requests.
#	IPASS
	suffix
#	ntdomain

	#
	#  Read the 'acct_users' file
	files
}

#
#  Accounting. Log the accounting data.
#
accounting {
	#  Update accounting packet by adding the CUI attribute
	#  recorded from the corresponding Access-Accept
	#  use it only if your NAS boxes do not support CUI themselves
#	cui
	#
	#  Create a 'detail'ed log of the packets.
	#  Note that accounting requests which are proxied
	#  are also logged in the detail file.
	detail
#	daily

	#  Update the wtmp file
	#
	#  If you don't use "radlast", you can delete this line.
	unix

	#
	#  For Simultaneous-Use tracking.
	#
	#  Due to packet losses in the network, the data here
	#  may be incorrect. There is little we can do about it.
#	radutmp
#	sradutmp

	#  Return an address to the IP Pool when we see a stop record.
#	main_pool

	#
	#  Log traffic to an SQL database.
	#
	#  See "Accounting queries" in sql.conf
	-sql

	#
	#  If you receive stop packets with zero session length,
	#  they will NOT be logged in the database. The SQL module
	#  will print a message (only in debugging mode), and will
	#  return "noop".
	#
	#  You can ignore these packets by uncommenting the following
	#  three lines. Otherwise, the server will not respond to the
	#  accounting request, and the NAS will retransmit.
	#
#	if (noop) {
#		ok
#	}

	#
	#  Instead of sending the query to the SQL server,
	#  write it into a log file.
	#
#	sql_log

	#  Cisco VoIP specific bulk accounting
#	pgsql-voip

	#  For Exec-Program and Exec-Program-Wait
	exec

	#  Filter attributes from the accounting response.
	attr_filter.accounting_response

	#
	#  See "Autz-Type Status-Server" for how this works.
	#
#	Acct-Type Status-Server {
#
#	}
}


#  Session database, used for checking Simultaneous-Use. Either the radutmp
#  or rlm_sql module can handle this.
#  The rlm_sql module is *much* faster
session {
#	radutmp

	#
	#  See "Simultaneous Use Checking Queries" in sql.conf
#	sql
}


#  Post-Authentication
#  Once we KNOW that the user has been authenticated, there are
#  additional steps we can take.
post-auth {
	#  Get an address from the IP Pool.
#	main_pool


	#  Create the CUI value and add the attribute to Access-Accept.
	#  Uncomment the line below if *returning* the CUI.
#	cui

	#
	#  If you want to have a log of authentication replies,
	#  un-comment the following line, and enable the
	#  'detail reply_log' module.
#	reply_log

	#
	#  After authenticating the user, do another SQL query.
	#
	#  See "Authentication Logging Queries" in sql.conf
	-sql

	#
	#  Instead of sending the query to the SQL server,
	#  write it into a log file.
	#
#	sql_log

	#
	#  Un-comment the following if you want to modify the user's object
	#  in LDAP after a successful login.
	#
#	ldap

	#  For Exec-Program and Exec-Program-Wait
	exec

	#
	#  Calculate the various WiMAX keys. In order for this to work,
	#  you will need to define the WiMAX NAI, usually via
	#
	#	update request {
	#	       WiMAX-MN-NAI = "%{User-Name}"
	#	}
	#
	#  If you want various keys to be calculated, you will need to
	#  update the reply with "template" values. The module will see
	#  this, and replace the template values with the correct ones
	#  taken from the cryptographic calculations. e.g.
	#
	#	update reply {
	#		WiMAX-FA-RK-Key = 0x00
	#		WiMAX-MSK = "%{EAP-MSK}"
	#	}
	#
	#  You may want to delete the MS-MPPE-*-Keys from the reply,
	#  as some WiMAX clients behave badly when those attributes
	#  are included. See "raddb/modules/wimax", configuration
	#  entry "delete_mppe_keys" for more information.
	#
#	wimax


	#  If there is a client certificate (EAP-TLS, sometimes PEAP
	#  and TTLS), then some attributes are filled out after the
	#  certificate verification has been performed. These fields
	#  MAY be available during the authentication, or they may be
	#  available only in the "post-auth" section.
	#
	#  The first set of attributes contains information about the
	#  issuing certificate which is being used. The second
	#  contains information about the client certificate (if
	#  available).
	#
#	update reply {
#	       Reply-Message += "%{TLS-Cert-Serial}"
#	       Reply-Message += "%{TLS-Cert-Expiration}"
#	       Reply-Message += "%{TLS-Cert-Subject}"
#	       Reply-Message += "%{TLS-Cert-Issuer}"
#	       Reply-Message += "%{TLS-Cert-Common-Name}"
#	       Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
#
#	       Reply-Message += "%{TLS-Client-Cert-Serial}"
#	       Reply-Message += "%{TLS-Client-Cert-Expiration}"
#	       Reply-Message += "%{TLS-Client-Cert-Subject}"
#	       Reply-Message += "%{TLS-Client-Cert-Issuer}"
#	       Reply-Message += "%{TLS-Client-Cert-Common-Name}"
#	       Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
#	}

	#  Insert class attribute (with unique value) into response,
	#  aids matching auth and acct records, and protects against duplicate
	#  Acct-Session-Id. Note: Only works if the NAS has implemented
	#  RFC 2865 behaviour for the class attribute, AND if the NAS
	#  supports long Class attributes. Many older or cheap NASes
	#  only support 16-octet Class attributes.
#	insert_acct_class

	#  MacSEC requires the use of EAP-Key-Name. However, we don't
	#  want to send it for all EAP sessions. Therefore, the EAP
	#  modules put required data into the EAP-Session-Id attribute.
	#  This attribute is never put into a request or reply packet.
	#
	#  Uncomment the next few lines to copy the required data into
	#  the EAP-Key-Name attribute
#	if (reply:EAP-Session-Id) {
#		update reply {
#			EAP-Key-Name := "%{reply:EAP-Session-Id}"
#		}
#	}

	#  Remove reply message if the response contains an EAP-Message
	remove_reply_message_if_eap

	#
	#  Access-Reject packets are sent through the REJECT sub-section of the
	#  post-auth section.
	#
	#  Add the ldap module name (or instance) if you have set
	#  'edir_account_policy_check = yes' in the ldap module configuration
	#
	Post-Auth-Type REJECT {
		# log failed authentications in SQL, too.
		-sql
		attr_filter.access_reject

		# Insert EAP-Failure message if the request was
		# rejected by policy instead of because of an
		# authentication failure
		eap

		# Remove reply message if the response contains an EAP-Message
		remove_reply_message_if_eap
	}
}

#
#  When the server decides to proxy a request to a home server,
#  the proxied request is first passed through the pre-proxy
#  stage. This stage can re-write the request, or decide to
#  cancel the proxy.
#
#  Only a few modules currently have this method.
#
pre-proxy {
	#  Before proxying the request add an Operator-Name attribute identifying
	#  if the operator-name is found for this client.
	#  No need to uncomment this if you have already enabled this in
	#  the authorize section.
#	operator-name

	#  The client requests the CUI by sending a CUI attribute
	#  containing one zero byte.
	#  Uncomment the line below if *requesting* the CUI.
#	cui

	#  Uncomment the following line if you want to change attributes
	#  as defined in the preproxy_users file.
#	files

	#  Uncomment the following line if you want to filter requests
	#  sent to remote servers based on the rules defined in the
	#  'attrs.pre-proxy' file.
#	attr_filter.pre-proxy

	#  If you want to have a log of packets proxied to a home
	#  server, un-comment the following line, and the
	#  'detail pre_proxy_log' section, above.
#	pre_proxy_log
}

#
#  When the server receives a reply to a request it proxied
#  to a home server, the request may be massaged here, in the
#  post-proxy stage.
#
post-proxy {

	#  If you want to have a log of replies from a home server,
	#  un-comment the following line, and the 'detail post_proxy_log'
	#  section, above.
#	post_proxy_log

	#  Uncomment the following line if you want to filter replies from
	#  remote proxies based on the rules defined in the 'attrs' file.
#	attr_filter.post-proxy

	#
	#  If you are proxying LEAP, you MUST configure the EAP
	#  module, and you MUST list it here, in the post-proxy
	#  stage.
	#
	#  You MUST also use the 'nostrip' option in the 'realm'
	#  configuration. Otherwise, the User-Name attribute
	#  in the proxied request will not match the user name
	#  hidden inside of the EAP packet, and the end server will
	#  reject the EAP request.
	#
	eap

	#
	#  If the server tries to proxy a request and fails, then the
	#  request is processed through the modules in this section.
	#
	#  The main use of this section is to permit robust proxying
	#  of accounting packets. The server can be configured to
	#  proxy accounting packets as part of normal processing.
	#  Then, if the home server goes down, accounting packets can
	#  be logged to a local "detail" file, for processing with
	#  radrelay. When the home server comes back up, radrelay
	#  will read the detail file, and send the packets to the
	#  home server.
	#
	#  With this configuration, the server always responds to
	#  Accounting-Requests from the NAS, but only writes
	#  accounting packets to disk if the home server is down.
	#
#	Post-Proxy-Type Fail {
#			detail
#	}
}
}