  1.  
  2. server default {
  3. #
  4. # If you want the server to listen on additional addresses, or on
  5. # additional ports, you can use multiple "listen" sections.
  6. #
  7. # Each section makes the server listen for only one type of packet,
  8. # therefore authentication and accounting have to be configured in
  9. # different sections.
  10. #
  11. # The server ignores all "listen" sections if you are using '-i' and '-p'
  12. # on the command line.
  13. #
  14. listen {
  15. # Type of packets to listen for.
  16. # Allowed values are:
  17. # auth listen for authentication packets
  18. # acct listen for accounting packets
  19. # proxy IP to use for sending proxied packets
  20. # detail Read from the detail file. For examples, see
  21. # raddb/sites-available/copy-acct-to-home-server
  22. # status listen for Status-Server packets. For examples,
  23. # see raddb/sites-available/status
  24. # coa listen for CoA-Request and Disconnect-Request
  25. # packets. For examples, see the file
  26. # raddb/sites-available/coa
  27. #
  28. type = auth
  29.  
  30. # Note: "type = proxy" lets you control the source IP used for
  31. # proxying packets, with some limitations:
  32. #
  33. # * A proxy listener CANNOT be used in a virtual server section.
  34. # * You should probably set "port = 0".
  35. # * Any "clients" configuration will be ignored.
  36. #
  37. # See also proxy.conf, and the "src_ipaddr" configuration entry
  38. # in the sample "home_server" section. When you specify the
  39. # source IP address for packets sent to a home server, the
  40. # proxy listeners are automatically created.
  41.  
  42. # ipaddr/ipv4addr/ipv6addr - IP address on which to listen.
  43. # If more than one of them is given, the first one is used.
  44. #
  45. # Allowed values are:
  46. # IPv4 address (e.g. 1.2.3.4, for ipv4addr/ipaddr)
  47. # IPv6 address (e.g. 2001:db8::1, for ipv6addr/ipaddr)
  48. # hostname (radius.example.com,
  49. # A record for ipv4addr,
  50. # AAAA record for ipv6addr,
  51. # A or AAAA record for ipaddr)
  52. # wildcard (*)
  53. #
      # The wildcard used below binds this socket on every interface of
      # the host. Nothing in this section limits who may talk to it: the
      # only access control is the client list (clients.conf, or the
      # per-socket "clients" reference further down), so make sure that
      # list names only the NAS addresses you expect, each with its own
      # strong shared secret. On a multi-homed host prefer a specific
      # address so the service is not reachable from networks that do
      # not need it.
      #
  54. # ipv4addr = *
  55. # ipv6addr = *
  56. ipaddr = *
  57.  
  58. # Port on which to listen.
  59. # Allowed values are:
  60. # integer port number (1812)
  61. # 0 means "use /etc/services for the proper port"
  62. port = 0
  63.  
  64. # Some systems support binding to an interface, in addition
  65. # to the IP address. This feature isn't strictly necessary,
  66. # but for sites with many IP addresses on one interface,
  67. # it's useful to say "listen on all addresses for eth0".
  68. #
  69. # If your system does not support this feature, you will
  70. # get an error if you try to use it.
  71. #
  72. # interface = eth0
  73.  
  74. # Per-socket lists of clients. This is a very useful feature.
  75. #
  76. # The name here is a reference to a section elsewhere in
  77. # radiusd.conf, or clients.conf. Having the name as
  78. # a reference allows multiple sockets to use the same
  79. # set of clients.
  80. #
  81. # If this configuration is used, then the global list of clients
  82. # is IGNORED for this "listen" section. Take care configuring
  83. # this feature, to ensure you don't accidentally disable a
  84. # client you need.
  85. #
  86. # See clients.conf for the configuration of "per_socket_clients".
  87. #
  88. # clients = per_socket_clients
  89.  
  90. #
  91. # Connection limiting for sockets with "proto = tcp".
  92. #
  93. # This section is ignored for other kinds of sockets. This listener
      # does not set "proto", so it is a UDP socket and the values below
      # have no effect until "proto = tcp" is added.
  94. #
  95. limit {
  96. #
  97. # Limit the number of simultaneous TCP connections to the socket
  98. #
  99. # The default is 16.
  100. # Setting this to 0 means "no limit"
  101. max_connections = 16
  102.  
  103. # The per-socket "max_requests" option does not exist.
  104.  
  105. #
  106. # The lifetime, in seconds, of a TCP connection. After
  107. # this lifetime, the connection will be closed.
  108. #
  109. # Setting this to 0 means "forever".
  110. lifetime = 0
  111.  
  112. #
  113. # The idle timeout, in seconds, of a TCP connection.
  114. # If no packets have been received over the connection for
  115. # this time, the connection will be closed.
  116. #
  117. # Setting this to 0 means "no timeout".
  118. #
  119. # We STRONGLY RECOMMEND that you set an idle timeout.
  120. #
  121. idle_timeout = 30
  122. }
  123. }
  124.  
  125. #
  126. # This second "listen" section is for listening on the accounting
  127. # port, too.
  128. #
  129. listen {
  130. ipaddr = *
  131. # ipv6addr = ::
  132. port = 0
  133. type = acct
  134. # interface = eth0
  135. # clients = per_socket_clients
  136.  
  137. limit {
  138. # The number of packets received can be rate limited via the
  139. # "max_pps" configuration item. When it is set, the server
  140. # tracks the total number of packets received in the previous
  141. # second. If the count is greater than "max_pps", then the
  142. # new packet is silently discarded. This helps the server
  143. # deal with overload situations.
  144. #
  145. # The packets/s counter is tracked in a sliding window. This
  146. # means that the pps calculation is done for the second
  147. # before the current packet was received. NOT for the current
  148. # wall-clock second, and NOT for the previous wall-clock second.
  149. #
  150. # Useful values are 0 (no limit), or 100 to 10000.
  151. # Values lower than 100 will likely cause the server to ignore
  152. # normal traffic. Few systems are capable of handling more than
  153. # 10K packets/s.
  154. #
  155. # It is most useful for accounting systems. Set it to 50%
  156. # more than the normal accounting load, and you can be sure that
  157. # the server will never get overloaded.
       #
       # It is left at the default (no limit) below. An over-limit packet
       # is dropped silently, so the NAS will retransmit it; size the
       # limit against the measured peak load, not the average.
  158. #
  159. # max_pps = 0
  160.  
  161. # Only for "proto = tcp". These are ignored for "udp" sockets.
       # If this socket is ever switched to TCP, set idle_timeout here as
       # the auth listener does; the default of 0 keeps idle connections
       # open forever.
  162. #
  163. # idle_timeout = 0
  164. # lifetime = 0
  165. # max_connections = 0
  166. }
  167. }
  168.  
  169. # IPv6 versions of the above; see the IPv4 sections for the full description of each option.
  170. listen {
  171. type = auth
  172. ipv6addr = :: # any. ::1 == localhost
  173. port = 0
  174. # interface = eth0
  175. # clients = per_socket_clients
  176. limit {
  177. max_connections = 16
  178. lifetime = 0
  179. idle_timeout = 30
  180. }
  181. }
  182.  
  183. listen {
  184. ipv6addr = ::
  185. port = 0
  186. type = acct
  187. # interface = eth0
  188. # clients = per_socket_clients
  189.  
  190. limit {
  191. # max_pps = 0
  192. # idle_timeout = 0
  193. # lifetime = 0
  194. # max_connections = 0
  195. }
  196. }
  197.  
  198. # Authorization. The stock configuration runs preprocess (hints and
  199. # huntgroups files), then the realm modules, and finally the "users"
  200. # file. This server instead lists only "-ldap" and "-pap" below.
  201. #
  202. # The leading "-" makes a module call optional: if that module is not
  203. # enabled (no entry in mods-enabled, or a misspelt name), the call is
  204. # skipped instead of failing at startup. With both backends optional,
  205. # a missing ldap module leaves no password for pap to check, no
  206. # Auth-Type gets set, and every request is rejected. That is the safe
  207. # failure mode, but it is silent: verify with "radiusd -X" after any
  208. # change. No realm module runs here, so requests are never proxied
      # from this section, and "eap" is absent, so EAP requests are rejected.
      #
      # Any changes made here should also be made to the "inner-tunnel"
      # virtual server. If you add realm modules, their order determines
      # the order in which a matching realm is searched for, and
      # 'preprocess' must come before any realm if you need to set up
      # hints for the remote radius server.
  209. authorize {
  210.  
  211. -ldap
  212. -pap
  213. }
  214.  
  215.  
  216. # Authentication.
  217. #
  218. #
  219. # This section lists which modules are available for authentication.
  220. # Note that it does NOT mean 'try each module in order'. It means
  221. # that a module from the 'authorize' section adds a configuration
  222. # attribute 'Auth-Type := FOO'. That authentication type is then
  223. # used to pick the appropriate module from the list below.
  224. #
  225.  
  226. # In general, you SHOULD NOT set the Auth-Type attribute. The server
  227. # will figure it out on its own, and will do the right thing. The
  228. # most common side effect of erroneously setting the Auth-Type
  229. # attribute is that one authentication method will work, but the
  230. # others will not.
  231. #
  232. # The common reasons to set the Auth-Type attribute by hand
  233. # are to either forcibly reject the user (Auth-Type := Reject),
  234. # or to forcibly accept the user (Auth-Type := Accept).
  235. #
  236. # Note that Auth-Type := Accept will NOT work with EAP.
  237. #
  238. # Please do not put "unlang" configurations into the "authenticate"
  239. # section. Put them in the "post-auth" section instead. That's what
  240. # the post-auth section is for.
  241. #
       # Only "Auth-Type PAP" is defined below. Any other Auth-Type that a
       # module sets (MS-CHAP, EAP, ...) has no handler in this virtual
       # server, and such requests are rejected.
       #
  242. authenticate {
  243. #
  244. # PAP authentication, when a back-end database listed
  245. # in the 'authorize' section supplies a password. The
  246. # password can be clear-text, or a hash that pap knows how to
      # compare. With PAP the user's password travels in the
      # Access-Request protected only by the RADIUS shared secret, so
      # keep this listener on a trusted network and give every client
      # a strong, unique secret.
  247. Auth-Type PAP {
  248. pap
  249. }
  250.  
  251.  
  252. }
  253.  
  254.  
  255. #
  256. # Pre-accounting. Decide which accounting type to use.
  257. #
  258. preacct {
  259. preprocess
  260.  
  261. #
  262. # Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets
  263. # into a single 64bit counter Acct-[Input|Output]-Octets64.
  264. #
  265. # acct_counters64
  266.  
  267. #
  268. # Session start times are *implied* in RADIUS.
  269. # The NAS never sends a "start time". Instead, it sends
  270. # a start packet, *possibly* with an Acct-Delay-Time.
  271. # The server is supposed to conclude that the start time
  272. # was "Acct-Delay-Time" seconds in the past.
  273. #
  274. # The code below creates an explicit start time, which can
  275. # then be used in other modules. It will be *mostly* correct.
  276. # Any errors are due to the 1-second resolution of RADIUS,
  277. # and the possibility that the time on the NAS may be off.
  278. #
  279. # The start time is: NOW - delay - session_length
  280. #
  281.  
  282. # update request {
  283. # FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
  284. # }
  285.  
  286.  
  287. #
  288. # Ensure that we have a semi-unique identifier for every
  289. # request, because many NAS boxes reuse Acct-Session-Id values.
  290. acct_unique
  291.  
  292. #
  293. # Look for IPASS-style 'realm/', and if not found, look for
  294. # '@realm', and decide whether or not to proxy, based on
  295. # that.
  296. #
  297. # Accounting requests are generally proxied to the same
  298. # home server as authentication requests.
  299. # IPASS
  300. suffix
  301. # ntdomain
  302.  
  303. #
  304. # Read the 'acct_users' file
  305. files
  306. }
  307.  
  308. #
  309. # Accounting. Log the accounting data.
  310. #
  311. accounting {
  312. # Update accounting packet by adding the CUI attribute
  313. # recorded from the corresponding Access-Accept
  314. # use it only if your NAS boxes do not support CUI themselves
  315. # cui
  316. #
  317. # Create a 'detail'ed log of the packets.
  318. # Note that accounting requests which are proxied
  319. # are also logged in the detail file.
  320. detail
  321. # daily
  322.  
  323. # Update the wtmp file
  324. #
  325. # If you don't use "radlast", you can delete this line.
  326. unix
  327.  
  328. #
  329. # For Simultaneous-Use tracking.
  330. #
  331. # Due to packet losses in the network, the data here
  332. # may be incorrect. There is little we can do about it.
  333. # radutmp
  334. # sradutmp
  335.  
  336. # Return an address to the IP Pool when we see a stop record.
  337. # main_pool
  338.  
  339. #
  340. # Log traffic to an SQL database.
  341. #
  342. # See "Accounting queries" in mods-available/sql
  343. -sql
  344.  
  345. #
  346. # If you receive stop packets with zero session length,
  347. # they will NOT be logged in the database. The SQL module
  348. # will print a message (only in debugging mode), and will
  349. # return "noop".
  350. #
  351. # You can ignore these packets by uncommenting the following
  352. # three lines. Otherwise, the server will not respond to the
  353. # accounting request, and the NAS will retransmit.
  354. #
  355. # if (noop) {
  356. # ok
  357. # }
  358.  
  359. #
  360. # Instead of sending the query to the SQL server,
  361. # write it into a log file.
  362. #
  363. # sql_log
  364.  
  365. # Cisco VoIP specific bulk accounting
  366. # pgsql-voip
  367.  
  368. # For Exec-Program and Exec-Program-Wait
  369. exec
  370.  
  371. # Filter attributes from the accounting response.
  372. attr_filter.accounting_response
  373.  
  374. #
  375. # See "Autz-Type Status-Server" for how this works.
  376. #
  377. # Acct-Type Status-Server {
  378. #
  379. # }
  380. }
  381.  
  382.  
  383. # Session database, used for checking Simultaneous-Use. Either the radutmp
  384. # or rlm_sql module can handle this.
  385. # The rlm_sql module is *much* faster. Both are commented out below,
       # so no module is active here to perform the Simultaneous-Use check.
  386. session {
  387. # radutmp
  388.  
  389. #
  390. # See "Simultaneous Use Checking Queries" in mods-available/sql
  391. # sql
  392. }
  393.  
  394.  
  395. # Post-Authentication
  396. # Once we KNOW that the user has been authenticated, there are
  397. # additional steps we can take.
  398. post-auth {
  399. #
  400. # If you need to have a State attribute, you can
  401. # add it here. e.g. for later CoA-Request with
  402. # State, and Service-Type = Authorize-Only.
  403. #
  404. # if (!&reply:State) {
  405. # update reply {
  406. # State := "0x%{randstr:16h}"
  407. # }
  408. # }
  409.  
  410. #
  411. # For EAP-TTLS and PEAP, add the cached attributes to the reply.
  412. # The "session-state" attributes are automatically cached when
  413. # an Access-Challenge is sent, and automatically retrieved
  414. # when an Access-Request is received.
  415. #
  416. # The session-state attributes are automatically deleted after
  417. # an Access-Reject or Access-Accept is sent.
  418. #
  419. update {
  420. &reply: += &session-state:
  421. }
  422.  
  423. # Get an address from the IP Pool.
  424. # main_pool
  425.  
  426.  
  427. # Create the CUI value and add the attribute to Access-Accept.
  428. # Uncomment the line below if *returning* the CUI.
  429. # cui
  430.  
  431. #
  432. # If you want to have a log of authentication replies,
  433. # un-comment the following line, and enable the
  434. # 'detail reply_log' module.
  435. # reply_log
  436.  
  437. #
  438. # After authenticating the user, do another SQL query.
  439. #
  440. # See "Authentication Logging Queries" in mods-available/sql
  441. -sql
  442.  
  443. #
  444. # Instead of sending the query to the SQL server,
  445. # write it into a log file.
  446. #
  447. # sql_log
  448.  
  449. #
  450. # Un-comment the following if you want to modify the user's object
  451. # in LDAP after a successful login.
  452. #
  453. # ldap
  454.  
  455. # For Exec-Program and Exec-Program-Wait
  456. exec
  457.  
  458. #
  459. # Calculate the various WiMAX keys. In order for this to work,
  460. # you will need to define the WiMAX NAI, usually via
  461. #
  462. # update request {
  463. # WiMAX-MN-NAI = "%{User-Name}"
  464. # }
  465. #
  466. # If you want various keys to be calculated, you will need to
  467. # update the reply with "template" values. The module will see
  468. # this, and replace the template values with the correct ones
  469. # taken from the cryptographic calculations. e.g.
  470. #
  471. # update reply {
  472. # WiMAX-FA-RK-Key = 0x00
  473. # WiMAX-MSK = "%{EAP-MSK}"
  474. # }
  475. #
  476. # You may want to delete the MS-MPPE-*-Keys from the reply,
  477. # as some WiMAX clients behave badly when those attributes
  478. # are included. See "raddb/modules/wimax", configuration
  479. # entry "delete_mppe_keys" for more information.
  480. #
  481. # wimax
  482.  
  483.  
  484. # If there is a client certificate (EAP-TLS, sometimes PEAP
  485. # and TTLS), then some attributes are filled out after the
  486. # certificate verification has been performed. These fields
  487. # MAY be available during the authentication, or they may be
  488. # available only in the "post-auth" section.
  489. #
  490. # The first set of attributes contains information about the
  491. # issuing certificate which is being used. The second
  492. # contains information about the client certificate (if
  493. # available).
  494. #
  495. # update reply {
  496. # Reply-Message += "%{session-state:TLS-Cert-Serial}"
  497. # Reply-Message += "%{session-state:TLS-Cert-Expiration}"
  498. # Reply-Message += "%{session-state:TLS-Cert-Subject}"
  499. # Reply-Message += "%{session-state:TLS-Cert-Issuer}"
  500. # Reply-Message += "%{session-state:TLS-Cert-Common-Name}"
  501. # Reply-Message += "%{session-state:TLS-Cert-Subject-Alt-Name-Email}"
  502. #
  503. # Reply-Message += "%{session-state:TLS-Client-Cert-Serial}"
  504. # Reply-Message += "%{session-state:TLS-Client-Cert-Expiration}"
  505. # Reply-Message += "%{session-state:TLS-Client-Cert-Subject}"
  506. # Reply-Message += "%{session-state:TLS-Client-Cert-Issuer}"
  507. # Reply-Message += "%{session-state:TLS-Client-Cert-Common-Name}"
  508. # Reply-Message += "%{session-state:TLS-Client-Cert-Subject-Alt-Name-Email}"
  509. # }
  510.  
  511. # Insert class attribute (with unique value) into response,
  512. # aids matching auth and acct records, and protects against duplicate
  513. # Acct-Session-Id. Note: Only works if the NAS has implemented
  514. # RFC 2865 behaviour for the class attribute, AND if the NAS
  515. # supports long Class attributes. Many older or cheap NASes
  516. # only support 16-octet Class attributes.
  517. # insert_acct_class
  518.  
  519. # MacSEC requires the use of EAP-Key-Name. However, we don't
  520. # want to send it for all EAP sessions. Therefore, the EAP
  521. # modules put required data into the EAP-Session-Id attribute.
  522. # This attribute is never put into a request or reply packet.
  523. #
  524. # Uncomment the next few lines to copy the required data into
  525. # the EAP-Key-Name attribute
  526. # if (&reply:EAP-Session-Id) {
  527. # update reply {
  528. # EAP-Key-Name := &reply:EAP-Session-Id
  529. # }
  530. # }
  531.  
  532. # Remove reply message if the response contains an EAP-Message
  533. remove_reply_message_if_eap
  534.  
  535. #
  536. # Access-Reject packets are sent through the REJECT sub-section of the
  537. # post-auth section.
  538. #
  539. # Add the ldap module name (or instance) if you have set
  540. # 'edir_account_policy_check = yes' in the ldap module configuration
  541. #
  542. # The "session-state" attributes are not available here.
  543. #
       # Note that "eap" is called unconditionally below (no "-" prefix)
       # even though eap is not used in authorize or authenticate; if the
       # eap module is not enabled, expect the server to fail at startup
       # rather than skip the call.
       #
  544. Post-Auth-Type REJECT {
  545. # log failed authentications in SQL, too.
  546. -sql
  547. attr_filter.access_reject
  548.  
  549. # Insert EAP-Failure message if the request was
  550. # rejected by policy instead of because of an
  551. # authentication failure
  552. eap
  553.  
  554. # Remove reply message if the response contains an EAP-Message
  555. remove_reply_message_if_eap
  556. }
  557. }
  558.  
  559. #
  560. # When the server decides to proxy a request to a home server,
  561. # the proxied request is first passed through the pre-proxy
  562. # stage. This stage can re-write the request, or decide to
  563. # cancel the proxy.
  564. #
  565. # Only a few modules currently have this method.
  566. #
  567. pre-proxy {
  568. # Before proxing the request add an Operator-Name attribute identifying
  569. # if the operator-name is found for this client.
  570. # No need to uncomment this if you have already enabled this in
  571. # the authorize section.
  572. # operator-name
  573.  
  574. # The client requests the CUI by sending a CUI attribute
  575. # containing one zero byte.
  576. # Uncomment the line below if *requesting* the CUI.
  577. # cui
  578.  
  579. # Uncomment the following line if you want to change attributes
  580. # as defined in the preproxy_users file.
  581. # files
  582.  
  583. # Uncomment the following line if you want to filter requests
  584. # sent to remote servers based on the rules defined in the
  585. # 'attrs.pre-proxy' file. Without it, everything the NAS sent
       # (plus anything added in authorize) is forwarded to the home server.
  586. # attr_filter.pre-proxy
  587.  
  588. # If you want to have a log of packets proxied to a home
  589. # server, un-comment the following line, and the
  590. # 'detail pre_proxy_log' section, above.
  591. # pre_proxy_log
  592. }
  593.  
  594. #
  595. # When the server receives a reply to a request it proxied
  596. # to a home server, the request may be massaged here, in the
  597. # post-proxy stage.
  598. #
  599. post-proxy {
  600.  
  601. # If you want to have a log of replies from a home server,
  602. # un-comment the following line, and the 'detail post_proxy_log'
  603. # section, above.
  604. # post_proxy_log
  605.  
  606. # Uncomment the following line if you want to filter replies from
  607. # remote proxies based on the rules defined in the 'attrs' file.
       # Strongly consider enabling it when proxying to servers you do not
       # control: without it, every attribute in the home server's reply
       # is passed through to the NAS unchanged.
  608. # attr_filter.post-proxy
  609.  
  610. #
  611. # If you are proxying LEAP, you MUST configure the EAP
  612. # module, and you MUST list it here, in the post-proxy
  613. # stage.
  614. #
  615. # You MUST also use the 'nostrip' option in the 'realm'
  616. # configuration. Otherwise, the User-Name attribute
  617. # in the proxied request will not match the user name
  618. # hidden inside of the EAP packet, and the end server will
  619. # reject the EAP request.
  620. #
       # The call below is unconditional (no "-" prefix), so expect the
       # server to fail at startup if the eap module is not enabled, even
       # though this virtual server never authenticates EAP itself.
       #
  621. eap
  622.  
  623. #
  624. # If the server tries to proxy a request and fails, then the
  625. # request is processed through the modules in this section.
  626. #
  627. # The main use of this section is to permit robust proxying
  628. # of accounting packets. The server can be configured to
  629. # proxy accounting packets as part of normal processing.
  630. # Then, if the home server goes down, accounting packets can
  631. # be logged to a local "detail" file, for processing with
  632. # radrelay. When the home server comes back up, radrelay
  633. # will read the detail file, and send the packets to the
  634. # home server.
  635. #
  636. # With this configuration, the server always responds to
  637. # Accounting-Requests from the NAS, but only writes
  638. # accounting packets to disk if the home server is down.
  639. #
  640. # Post-Proxy-Type Fail-Accounting {
  641. # detail
  642. # }
  643. }
  644. }