New freeradius config since 3.0.11 for http://goo.gl/dHq29N

a guest
May 12th, 2016
# Modified default server from 3.0.11; make sure you comment out the
# listen section in radiusd.conf for this to work

######################################################################
#
#       As of 2.0.0, FreeRADIUS supports virtual hosts using the
#       "server" section, and configuration directives.
#
#       Virtual hosts should be put into the "sites-available"
#       directory.  Soft links should be created in the "sites-enabled"
#       directory to these files.  This is done in a normal installation.
#
#       If you are using 802.1X (EAP) authentication, please see also
#       the "inner-tunnel" virtual server.  You will likely have to edit
#       that, too, for authentication to work.
#
#       $Id: e16363f12d3b8ba38a4c056dd09ffa9c2d5e7de1 $
#
######################################################################
#
#       Read "man radiusd" before editing this file.  See the section
#       titled DEBUGGING.  It outlines a method where you can quickly
#       obtain the configuration you want, without running into
#       trouble.  See also "man unlang", which documents the format
#       of this file.
#
#       This configuration is designed to work in the widest possible
#       set of circumstances, with the widest possible number of
#       authentication methods.  This means that in general, you should
#       need to make very few changes to this file.
#
#       The best way to configure the server for your local system
#       is to CAREFULLY edit this file.  Most attempts to make large
#       edits to this file will BREAK THE SERVER.  Any edits should
#       be small, and tested by running the server with "radiusd -X".
#       Once the edits have been verified to work, save a copy of these
#       configuration files somewhere.  (e.g. as a "tar" file).  Then,
#       make more edits, and test, as above.
#
#       There are many "commented out" references to modules such
#       as ldap, sql, etc.  These references serve as place-holders.
#       If you need the functionality of that module, then configure
#       it in radiusd.conf, and un-comment the references to it in
#       this file.  In most cases, those small changes will result
#       in the server being able to connect to the DB, and to
#       authenticate users.
#
######################################################################

server rpiradius {
#
#  If you want the server to listen on additional addresses, or on
#  additional ports, you can use multiple "listen" sections.
#
#  Each section makes the server listen for only one type of packet,
#  therefore authentication and accounting have to be configured in
#  different sections.
#
#  The server ignores all "listen" sections if you are using '-i' and '-p'
#  on the command line.
#
listen {
        #  Type of packets to listen for.
        #  Allowed values are:
        #       auth    listen for authentication packets
        #       acct    listen for accounting packets
        #       proxy   IP to use for sending proxied packets
        #       detail  Read from the detail file.  For examples, see
        #               raddb/sites-available/copy-acct-to-home-server
        #       status  listen for Status-Server packets.  For examples,
        #               see raddb/sites-available/status
        #       coa     listen for CoA-Request and Disconnect-Request
        #               packets.  For examples, see the file
        #               raddb/sites-available/coa
        #
        type = auth

        #  Note: "type = proxy" lets you control the source IP used for
        #        proxying packets, with some limitations:
        #
        #    * A proxy listener CANNOT be used in a virtual server section.
        #    * You should probably set "port = 0".
        #    * Any "clients" configuration will be ignored.
        #
        #  See also proxy.conf, and the "src_ipaddr" configuration entry
        #  in the sample "home_server" section.  When you specify the
        #  source IP address for packets sent to a home server, the
        #  proxy listeners are automatically created.

        #  ipaddr/ipv4addr/ipv6addr - IP address on which to listen.
        #  Out of several options the first one will be used.
        #
        #  Allowed values are:
        #       IPv4 address (e.g. 1.2.3.4, for ipv4addr/ipaddr)
        #       IPv6 address (e.g. 2001:db8::1, for ipv6addr/ipaddr)
        #       hostname     (radius.example.com,
        #                       A record for ipv4addr,
        #                       AAAA record for ipv6addr,
        #                       A or AAAA record for ipaddr)
        #       wildcard     (*)
        #
        # ipv4addr = *
        # ipv6addr = *
        ipaddr = 10.0.0.253

        #  Port on which to listen.
        #  Allowed values are:
        #       integer port number (1812)
        #       0 means "use /etc/services for the proper port"
        port = 0

        #  Some systems support binding to an interface, in addition
        #  to the IP address.  This feature isn't strictly necessary,
        #  but for sites with many IP addresses on one interface,
        #  it's useful to say "listen on all addresses for eth0".
        #
        #  If your system does not support this feature, you will
        #  get an error if you try to use it.
        #
#       interface = eth0

        #  Per-socket lists of clients.  This is a very useful feature.
        #
        #  The name here is a reference to a section elsewhere in
        #  radiusd.conf, or clients.conf.  Having the name as
        #  a reference allows multiple sockets to use the same
        #  set of clients.
        #
        #  If this configuration is used, then the global list of clients
        #  is IGNORED for this "listen" section.  Take care configuring
        #  this feature, to ensure you don't accidentally disable a
        #  client you need.
        #
        #  See clients.conf for the configuration of "per_socket_clients".
        #
#       clients = per_socket_clients

        #
        #  Connection limiting for sockets with "proto = tcp".
        #
        #  This section is ignored for other kinds of sockets.
        #
        #limit {
              #
              #  Limit the number of simultaneous TCP connections to the socket
              #
              #  The default is 16.
              #  Setting this to 0 means "no limit"
              #     max_connections = 16

              #  The per-socket "max_requests" option does not exist.

              #
              #  The lifetime, in seconds, of a TCP connection.  After
              #  this lifetime, the connection will be closed.
              #
              #  Setting this to 0 means "forever".
              #     lifetime = 0

              #
              #  The idle timeout, in seconds, of a TCP connection.
              #  If no packets have been received over the connection for
              #  this time, the connection will be closed.
              #
              #  Setting this to 0 means "no timeout".
              #
              #  We STRONGLY RECOMMEND that you set an idle timeout.
              #
              #     idle_timeout = 30
        #}
}

#
#  This second "listen" section is for listening on the accounting
#  port, too.
#
#listen {
#       ipaddr = *
#       ipv6addr = ::
#       port = 0
#       type = acct
#       interface = eth0
#       clients = per_socket_clients

#       limit {
                #  The number of packets received can be rate limited via the
                #  "max_pps" configuration item.  When it is set, the server
                #  tracks the total number of packets received in the previous
                #  second.  If the count is greater than "max_pps", then the
                #  new packet is silently discarded.  This helps the server
                #  deal with overload situations.
                #
                #  The packets/s counter is tracked in a sliding window.  This
                #  means that the pps calculation is done for the second
                #  before the current packet was received.  NOT for the current
                #  wall-clock second, and NOT for the previous wall-clock second.
                #
                #  Useful values are 0 (no limit), or 100 to 10000.
                #  Values lower than 100 will likely cause the server to ignore
                #  normal traffic.  Few systems are capable of handling more than
                #  10K packets/s.
                #
                #  It is most useful for accounting systems.  Set it to 50%
                #  more than the normal accounting load, and you can be sure that
                #  the server will never get overloaded
                #
#               max_pps = 0

                # Only for "proto = tcp". These are ignored for "udp" sockets.
                #
#               idle_timeout = 0
#               lifetime = 0
#               max_connections = 0
#       }
#}
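The "max_pps" comments in the accounting listen section above describe a sliding-window packet-rate limiter. The following Python model is an added example, not code from the pasted configuration or from the FreeRADIUS project; the class name SlidingWindowPpsLimiter, the simulate() helper and the arrival timestamps are all constructed for illustration. It follows the rule exactly as the comment states it (drop the new packet when the count received in the second before its arrival is greater than max_pps, and do not count dropped packets as received), so it models the documented behaviour rather than the server's internal counter arithmetic.

```python
from collections import deque


# Added example (not part of the pasted FreeRADIUS config): a model of the
# "max_pps" behaviour described in the listen/limit comments.  A packet is
# dropped when more than max_pps packets were received in the one second
# *before* its own arrival time (a sliding window measured from the packet,
# not the current or previous wall-clock second).  Dropped packets are
# silently discarded and are not counted as received.
# The class, simulate() and the timestamps below are constructed for
# illustration; they are not FreeRADIUS's own code.
class SlidingWindowPpsLimiter:
    def __init__(self, max_pps, window_seconds=1.0):
        self.max_pps = max_pps            # 0 means "no limit"
        self.window = window_seconds
        self.received = deque()           # arrival times of accepted packets

    def accept(self, now):
        """Return True if a packet arriving at time `now` is processed,
        False if it would be silently discarded."""
        if self.max_pps == 0:
            return True
        # Forget arrivals that fall outside the window ending at `now`.
        while self.received and self.received[0] <= now - self.window:
            self.received.popleft()
        # The comment's rule is "greater than max_pps", so max_pps + 1
        # packets pass in a window before the next one is discarded.
        if len(self.received) > self.max_pps:
            return False
        self.received.append(now)
        return True


def simulate(max_pps, arrival_times):
    """Feed ascending arrival timestamps (seconds) through the limiter and
    return one True (processed) / False (discarded) decision per packet."""
    limiter = SlidingWindowPpsLimiter(max_pps)
    return [limiter.accept(t) for t in arrival_times]


if __name__ == "__main__":
    # Constructed burst: five packets within 400 ms, then one a second later.
    burst = [0.0, 0.1, 0.2, 0.3, 0.4, 1.15]
    print(simulate(3, burst))   # [True, True, True, True, False, True]
    print(simulate(0, burst))   # no limit: every packet accepted
```

Running the file prints the decisions for the constructed burst. A model like this is useful for checking, before setting max_pps on an accounting socket, how a burst just above the chosen value is treated, since the comments warn that values below 100 will discard normal traffic.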

# IPv6 versions of the above - read their full config to understand options
#listen {
#       type = auth
#       ipv6addr = ::   # any.  ::1 == localhost
#       port = 0
#       interface = eth0
#       clients = per_socket_clients
#       limit {
#             max_connections = 16
#             lifetime = 0
#             idle_timeout = 30
#       }
#}

#listen {
#       ipv6addr = ::
#       port = 0
#       type = acct
#       interface = eth0
#       clients = per_socket_clients

#       limit {
#               max_pps = 0
#               idle_timeout = 0
#               lifetime = 0
#               max_connections = 0
#       }
#}

#  Authorization. First preprocess (hints and huntgroups files),
#  then realms, and finally look in the "users" file.
#
#  Any changes made here should also be made to the "inner-tunnel"
#  virtual server.
#
#  The order of the realm modules will determine the order that
#  we try to find a matching realm.
#
#  Make *sure* that 'preprocess' comes before any realm if you
#  need to setup hints for the remote radius server
authorize {
        #
        #  Take a User-Name, and perform some checks on it, for spaces and other
        #  invalid characters.  If the User-Name appears invalid, reject the
        #  request.
        #
        #  See policy.d/filter for the definition of the filter_username policy.
        #
#       filter_username

        #
        #  The preprocess module takes care of sanitizing some bizarre
        #  attributes in the request, and turning them into attributes
        #  which are more standard.
        #
        #  It takes care of processing the 'raddb/hints' and the
        #  'raddb/huntgroups' files.
        preprocess

        #  If you intend to use CUI and you require that the Operator-Name
        #  be set for CUI generation and you want to generate CUI also
        #  for your local clients then uncomment the operator-name
        #  below and set the operator-name for your clients in clients.conf
#       operator-name

        #
        #  If you want to generate CUI for some clients that do not
        #  send proper CUI requests, then uncomment the
        #  cui below and set "add_cui = yes" for these clients in clients.conf
#       cui

        #
        #  If you want to have a log of authentication requests,
        #  un-comment the following line.
        auth_log

        #
        #  The chap module will set 'Auth-Type := CHAP' if we are
        #  handling a CHAP request and Auth-Type has not already been set
#       chap

        #
        #  If the users are logging in with an MS-CHAP-Challenge
        #  attribute for authentication, the mschap module will find
        #  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
        #  to the request, which will cause the server to then use
        #  the mschap module for authentication.
#       mschap

        #
        #  If you have a Cisco SIP server authenticating against
        #  FreeRADIUS, uncomment the following line, and the 'digest'
        #  line in the 'authenticate' section.
#       digest

        #
        #  The WiMAX specification says that the Calling-Station-Id
        #  is 6 octets of the MAC.  This definition conflicts with
        #  RFC 3580, and all common RADIUS practices.  Un-commenting
        #  the "wimax" module here means that it will fix the
        #  Calling-Station-Id attribute to the normal format as
        #  specified in RFC 3580 Section 3.21
#       wimax

        #
        #  Look for IPASS style 'realm/', and if not found, look for
        #  '@realm', and decide whether or not to proxy, based on
        #  that.
#       IPASS

        #
        #  If you are using multiple kinds of realms, you probably
        #  want to set "ignore_null = yes" for all of them.
        #  Otherwise, when the first style of realm doesn't match,
        #  the other styles won't be checked.
        #
#       suffix
#       ntdomain

        #
        #  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
        #  authentication.
        #
        #  It also sets the EAP-Type attribute in the request
        #  attribute list to the EAP type from the packet.
        #
        #  The EAP module returns "ok" if it is not yet ready to
        #  authenticate the user.  The configuration below checks for
        #  that code, and stops processing the "authorize" section if
        #  so.
        #
        #  Any LDAP and/or SQL servers will not be queried for the
        #  initial set of packets that go back and forth to set up
        #  TTLS or PEAP.
        #
        eap {
                ok = return
        }

        #
        #  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
        #  using the system API's to get the password.  If you want
        #  to read /etc/passwd or /etc/shadow directly, see the
        #  mods-available/passwd module.
        #
#       unix

        #
        #  Read the 'users' file.  In v3, this is located in
        #  raddb/mods-config/files/authorize
#       files

        #
        #  Look in an SQL database.  The schema of the database
        #  is meant to mirror the "users" file.
        #
        #  See "Authorization Queries" in mods-available/sql
#       -sql

        #
        #  If you are using /etc/smbpasswd, and are also doing
        #  mschap authentication, then un-comment this line, and
        #  configure the 'smbpasswd' module.
#       smbpasswd

        #
        #  The ldap module reads passwords from the LDAP database.
#       -ldap

        #
        #  Enforce daily limits on time spent logged in.
#       daily

        #
        expiration
        logintime

        #
        #  If no other module has claimed responsibility for
        #  authentication, then try to use PAP.  This allows the
        #  other modules listed above to add a "known good" password
        #  to the request, and to do nothing else.  The PAP module
        #  will then see that password, and use it to do PAP
        #  authentication.
        #
        #  This module should be listed last, so that the other modules
        #  get a chance to set Auth-Type for themselves.
        #
#       pap

        #
        #  If "status_server = yes", then Status-Server messages are passed
        #  through the following section, and ONLY the following section.
        #  This permits you to do DB queries, for example.  If the modules
        #  listed here return "fail", then NO response is sent.
        #
#       Autz-Type Status-Server {
#
#       }
}


#  Authentication.
#
#
#  This section lists which modules are available for authentication.
#  Note that it does NOT mean 'try each module in order'.  It means
#  that a module from the 'authorize' section adds a configuration
#  attribute 'Auth-Type := FOO'.  That authentication type is then
#  used to pick the appropriate module from the list below.
#

#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
#  will figure it out on its own, and will do the right thing.  The
#  most common side effect of erroneously setting the Auth-Type
#  attribute is that one authentication method will work, but the
#  others will not.
#
#  The common reasons to set the Auth-Type attribute by hand
#  is to either forcibly reject the user (Auth-Type := Reject),
#  or to forcibly accept the user (Auth-Type := Accept).
#
#  Note that Auth-Type := Accept will NOT work with EAP.
#
#  Please do not put "unlang" configurations into the "authenticate"
#  section.  Put them in the "post-auth" section instead.  That's what
#  the post-auth section is for.
#
authenticate {
    #
    #  PAP authentication, when a back-end database listed
    #  in the 'authorize' section supplies a password.  The
    #  password can be clear-text, or encrypted.
#   Auth-Type PAP {
#       pap
#   }

    #
    #  Most people want CHAP authentication
    #  A back-end database listed in the 'authorize' section
    #  MUST supply a CLEAR TEXT password.  Encrypted passwords
    #  won't work.
#   Auth-Type CHAP {
#       chap
#   }

    #
    #  MSCHAP authentication.
#   Auth-Type MS-CHAP {
#       mschap
#   }

    #
    #  If you have a Cisco SIP server authenticating against
    #  FreeRADIUS, uncomment the following line, and the 'digest'
    #  line in the 'authorize' section.
#   digest

    #
    #  Pluggable Authentication Modules.
#   pam

    #  Uncomment it if you want to use ldap for authentication
    #
    #  Note that this means "check plain-text password against
    #  the ldap database", which means that EAP won't work,
    #  as it does not supply a plain-text password.
    #
    #  We do NOT recommend using this.  LDAP servers are databases.
    #  They are NOT authentication servers.  FreeRADIUS is an
    #  authentication server, and knows what to do with authentication.
    #  LDAP servers do not.
    #
#   Auth-Type LDAP {
#       ldap
#   }

    #
    #  Allow EAP authentication.
    eap

    #
    #  The older configurations sent a number of attributes in
    #  Access-Challenge packets, which wasn't strictly correct.
    #  If you want to filter out these attributes, uncomment
    #  the following lines.
    #
#   Auth-Type eap {
#       eap {
#           handled = 1
#       }
#       if (handled && (Response-Packet-Type == Access-Challenge)) {
#           attr_filter.access_challenge.post-auth
#           handled  # override the "updated" code from attr_filter
#       }
#   }
}


#
#  Pre-accounting.  Decide which accounting type to use.
#
preacct {
    preprocess

    #
    #  Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets
    #  into a single 64bit counter Acct-[Input|Output]-Octets64.
    #
#   acct_counters64

    #
    #  Session start times are *implied* in RADIUS.
    #  The NAS never sends a "start time".  Instead, it sends
    #  a start packet, *possibly* with an Acct-Delay-Time.
    #  The server is supposed to conclude that the start time
    #  was "Acct-Delay-Time" seconds in the past.
    #
    #  The code below creates an explicit start time, which can
    #  then be used in other modules.  It will be *mostly* correct.
    #  Any errors are due to the 1-second resolution of RADIUS,
    #  and the possibility that the time on the NAS may be off.
    #
    #  The start time is: NOW - delay - session_length
    #

#   update request {
#       FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
#   }


    #
    #  Ensure that we have a semi-unique identifier for every
    #  request, and many NAS boxes are broken.
    acct_unique

    #
    #  Look for IPASS-style 'realm/', and if not found, look for
    #  '@realm', and decide whether or not to proxy, based on
    #  that.
    #
    #  Accounting requests are generally proxied to the same
    #  home server as authentication requests.
#   IPASS
    suffix
#   ntdomain

    #
    #  Read the 'acct_users' file
    files
}

#
#  Accounting.  Log the accounting data.
#
#accounting {
    #  Update accounting packet by adding the CUI attribute
    #  recorded from the corresponding Access-Accept
    #  use it only if your NAS boxes do not support CUI themselves
#   cui
    #
    #  Create a 'detail'ed log of the packets.
    #  Note that accounting requests which are proxied
    #  are also logged in the detail file.
#   detail
#   daily

    #  Update the wtmp file
    #
    #  If you don't use "radlast", you can delete this line.
#   unix

    #
    #  For Simultaneous-Use tracking.
    #
    #  Due to packet losses in the network, the data here
    #  may be incorrect.  There is little we can do about it.
#   radutmp
#   sradutmp

    #  Return an address to the IP Pool when we see a stop record.
#   main_pool

    #
    #  Log traffic to an SQL database.
    #
    #  See "Accounting queries" in mods-available/sql
#   -sql

    #
    #  If you receive stop packets with zero session length,
    #  they will NOT be logged in the database.  The SQL module
    #  will print a message (only in debugging mode), and will
    #  return "noop".
    #
    #  You can ignore these packets by uncommenting the following
    #  three lines.  Otherwise, the server will not respond to the
    #  accounting request, and the NAS will retransmit.
    #
#   if (noop) {
#       ok
#   }

    #
    #  Instead of sending the query to the SQL server,
    #  write it into a log file.
    #
#   sql_log

    #  Cisco VoIP specific bulk accounting
#   pgsql-voip

    # For Exec-Program and Exec-Program-Wait
#   exec

    #  Filter attributes from the accounting response.
#   attr_filter.accounting_response

    #
    #  See "Autz-Type Status-Server" for how this works.
    #
#   Acct-Type Status-Server {
#
#   }
#}


#  Session database, used for checking Simultaneous-Use. Either the radutmp
#  or rlm_sql module can handle this.
#  The rlm_sql module is *much* faster
session {
    radutmp

    #
    #  See "Simultaneous Use Checking Queries" in mods-available/sql
#   sql
}


#  Post-Authentication
#  Once we KNOW that the user has been authenticated, there are
#  additional steps we can take.
post-auth {
    #
    #  If you need to have a State attribute, you can
    #  add it here.  e.g. for later CoA-Request with
    #  State, and Service-Type = Authorize-Only.
    #
#   if (!&reply:State) {
#       update reply {
#           State := "0x%{randstr:16h}"
#       }
#   }

    #
    #  For EAP-TTLS and PEAP, add the cached attributes to the reply.
    #  The "session-state" attributes are automatically cached when
    #  an Access-Challenge is sent, and automatically retrieved
    #  when an Access-Request is received.
    #
    #  The session-state attributes are automatically deleted after
    #  an Access-Reject or Access-Accept is sent.
    #
#   update {
#       &reply: += &session-state:
#   }

    #  Get an address from the IP Pool.
#   main_pool


    #  Create the CUI value and add the attribute to Access-Accept.
    #  Uncomment the line below if *returning* the CUI.
#   cui

    #
    #  If you want to have a log of authentication replies,
    #  un-comment the following line, and enable the
    #  'detail reply_log' module.
#   reply_log

    #
    #  After authenticating the user, do another SQL query.
    #
    #  See "Authentication Logging Queries" in mods-available/sql
#   -sql

    #
    #  Instead of sending the query to the SQL server,
    #  write it into a log file.
    #
#   sql_log

    #
    #  Un-comment the following if you want to modify the user's object
    #  in LDAP after a successful login.
    #
#   ldap

    # For Exec-Program and Exec-Program-Wait
    exec

    #
    #  Calculate the various WiMAX keys.  In order for this to work,
    #  you will need to define the WiMAX NAI, usually via
    #
    #   update request {
    #          WiMAX-MN-NAI = "%{User-Name}"
    #   }
    #
    #  If you want various keys to be calculated, you will need to
    #  update the reply with "template" values.  The module will see
    #  this, and replace the template values with the correct ones
    #  taken from the cryptographic calculations.  e.g.
    #
    #   update reply {
    #       WiMAX-FA-RK-Key = 0x00
    #       WiMAX-MSK = "%{EAP-MSK}"
    #   }
    #
    #  You may want to delete the MS-MPPE-*-Keys from the reply,
    #  as some WiMAX clients behave badly when those attributes
    #  are included.  See "raddb/modules/wimax", configuration
    #  entry "delete_mppe_keys" for more information.
    #
#   wimax


    #  If there is a client certificate (EAP-TLS, sometimes PEAP
    #  and TTLS), then some attributes are filled out after the
    #  certificate verification has been performed.  These fields
    #  MAY be available during the authentication, or they may be
    #  available only in the "post-auth" section.
    #
    #  The first set of attributes contains information about the
    #  issuing certificate which is being used.  The second
    #  contains information about the client certificate (if
    #  available).
#
#   update reply {
#          Reply-Message += "%{TLS-Cert-Serial}"
#          Reply-Message += "%{TLS-Cert-Expiration}"
#          Reply-Message += "%{TLS-Cert-Subject}"
#          Reply-Message += "%{TLS-Cert-Issuer}"
#          Reply-Message += "%{TLS-Cert-Common-Name}"
#          Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
#
#          Reply-Message += "%{TLS-Client-Cert-Serial}"
#          Reply-Message += "%{TLS-Client-Cert-Expiration}"
#          Reply-Message += "%{TLS-Client-Cert-Subject}"
#          Reply-Message += "%{TLS-Client-Cert-Issuer}"
#          Reply-Message += "%{TLS-Client-Cert-Common-Name}"
#          Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
#   }

    #  Insert class attribute (with unique value) into response,
    #  aids matching auth and acct records, and protects against duplicate
    #  Acct-Session-Id. Note: Only works if the NAS has implemented
    #  RFC 2865 behaviour for the class attribute, AND if the NAS
    #  supports long Class attributes.  Many older or cheap NASes
    #  only support 16-octet Class attributes.
#   insert_acct_class

    #  MacSEC requires the use of EAP-Key-Name.  However, we don't
    #  want to send it for all EAP sessions.  Therefore, the EAP
    #  modules put required data into the EAP-Session-Id attribute.
    #  This attribute is never put into a request or reply packet.
    #
    #  Uncomment the next few lines to copy the required data into
    #  the EAP-Key-Name attribute
#   if (&reply:EAP-Session-Id) {
#       update reply {
#           EAP-Key-Name := &reply:EAP-Session-Id
#       }
#   }

    #  Remove reply message if the response contains an EAP-Message
#   remove_reply_message_if_eap

    #
    #  Access-Reject packets are sent through the REJECT sub-section of the
    #  post-auth section.
    #
    #  Add the ldap module name (or instance) if you have set
    #  'edir_account_policy_check = yes' in the ldap module configuration
    #
    #  The "session-state" attributes are not available here.
    #
    Post-Auth-Type REJECT {
        # log failed authentications in SQL, too.
        #-sql
        attr_filter.access_reject

        # Insert EAP-Failure message if the request was
        # rejected by policy instead of because of an
        # authentication failure
        eap

        #  Remove reply message if the response contains an EAP-Message
        #remove_reply_message_if_eap
    }
}

#
#  When the server decides to proxy a request to a home server,
#  the proxied request is first passed through the pre-proxy
#  stage.  This stage can re-write the request, or decide to
#  cancel the proxy.
#
#  Only a few modules currently have this method.
#
#pre-proxy {
  829.     # Before proxing the request add an Operator-Name attribute identifying
  830.     # if the operator-name is found for this client.
  831.     # No need to uncomment this if you have already enabled this in
  832.     # the authorize section.
  833. #   operator-name
  834.  
  835.     #  The client requests the CUI by sending a CUI attribute
  836.     #  containing one zero byte.
  837.     #  Uncomment the line below if *requesting* the CUI.
  838. #   cui
  839.  
  840.     #  Uncomment the following line if you want to change attributes
  841.     #  as defined in the preproxy_users file.
  842. #   files
  843.  
  844.     #  Uncomment the following line if you want to filter requests
  845.     #  sent to remote servers based on the rules defined in the
  846.     #  'attrs.pre-proxy' file.
  847. #   attr_filter.pre-proxy
  848.  
  849.     #  If you want to have a log of packets proxied to a home
  850.     #  server, un-comment the following line, and the
  851.     #  'detail pre_proxy_log' section, above.
  852. #   pre_proxy_log
  853. #}
  854.  
  855. #
  856. #  When the server receives a reply to a request it proxied
  857. #  to a home server, the request may be massaged here, in the
  858. #  post-proxy stage.
  859. #
  860. #post-proxy {
  861.  
  862.     #  If you want to have a log of replies from a home server,
  863.     #  un-comment the following line, and the 'detail post_proxy_log'
  864.     #  section, above.
  865. #   post_proxy_log
  866.  
  867.     #  Uncomment the following line if you want to filter replies from
  868.     #  remote proxies based on the rules defined in the 'attrs' file.
  869. #   attr_filter.post-proxy
  870.  
  871.     #
  872.     #  If you are proxying LEAP, you MUST configure the EAP
  873.     #  module, and you MUST list it here, in the post-proxy
  874.     #  stage.
  875.     #
  876.     #  You MUST also use the 'nostrip' option in the 'realm'
  877.     #  configuration.  Otherwise, the User-Name attribute
  878.     #  in the proxied request will not match the user name
  879.     #  hidden inside of the EAP packet, and the end server will
  880.     #  reject the EAP request.
  881.     #
  882. #   eap
  883.  
  884.     #
  885.     #  If the server tries to proxy a request and fails, then the
  886.     #  request is processed through the modules in this section.
  887.     #
  888.     #  The main use of this section is to permit robust proxying
  889.     #  of accounting packets.  The server can be configured to
  890.     #  proxy accounting packets as part of normal processing.
  891.     #  Then, if the home server goes down, accounting packets can
  892.     #  be logged to a local "detail" file, for processing with
  893.     #  radrelay.  When the home server comes back up, radrelay
  894.     #  will read the detail file, and send the packets to the
  895.     #  home server.
  896.     #
  897.     #  With this configuration, the server always responds to
  898.     #  Accounting-Requests from the NAS, but only writes
  899.     #  accounting packets to disk if the home server is down.
  900.     #
  901. #   Post-Proxy-Type Fail-Accounting {
  902. #           detail
  903. #   }
  904. #}
  905. }
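The commented post-proxy section above points at `attr_filter.post-proxy` and the `attrs` file for filtering home-server replies. As an added example, not part of the 3.0.11 default server, here is the same idea written directly in unlang so the policy is visible in the virtual server: a home server we proxy to is trusted to accept or reject the user, not to place that user in an arbitrary VLAN on our NAS, so VLAN assignment attributes are stripped from its reply, and the Fail-Accounting handler from the comments is kept so accounting survives a home-server outage. The attribute list is an assumption to adjust to what your own NASes honour, and the `detail` module instance is assumed to be configured as the comments above describe. The block goes inside `server default { }`, replacing the commented `#post-proxy` section:

```unlang
#  Added example, not from the stock default server.
post-proxy {
    #  A proxied Access-Accept decides yes/no for the user; the home
    #  server does not get to pick the VLAN on our equipment.  Remove
    #  every instance of the three RFC 3580 VLAN attributes if any of
    #  them came back in the reply.
    if (&reply:Tunnel-Private-Group-Id || &reply:Tunnel-Type || &reply:Tunnel-Medium-Type) {
        update reply {
            &Tunnel-Type !* ANY
            &Tunnel-Medium-Type !* ANY
            &Tunnel-Private-Group-Id !* ANY
        }
    }

    #  If the home server cannot be reached for an Accounting-Request,
    #  write the packet to the local detail file so radrelay can
    #  replay it later, as described in the comments above.
    Post-Proxy-Type Fail-Accounting {
        detail
    }
}
```

`!* ANY` deletes all instances of an attribute from the list, so a reply carrying several VLAN attributes is cleaned in one pass. Locally assigned VLANs can still be set afterwards from your own `authorize` or `post-auth` policy, which runs on this server rather than on the remote one.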