raddb-sites-default

a guest
Jul 23rd, 2018
######################################################################
#
# As of 2.0.0, FreeRADIUS supports virtual hosts using the
# "server" section, and configuration directives.
#
# Virtual hosts should be put into the "sites-available"
# directory. Soft links should be created in the "sites-enabled"
# directory to these files. This is done in a normal installation.
#
# If you are using 802.1X (EAP) authentication, please see also
# the "inner-tunnel" virtual server. You will likely have to edit
# that, too, for authentication to work.
#
# $Id: 292abcc492c6e21594ed93b2fbbd9ab226e4440d $
#
######################################################################
#
# Read "man radiusd" before editing this file. See the section
# titled DEBUGGING. It outlines a method where you can quickly
# obtain the configuration you want, without running into
# trouble. See also "man unlang", which documents the format
# of this file.
#
# This configuration is designed to work in the widest possible
# set of circumstances, with the widest possible number of
# authentication methods. This means that in general, you should
# need to make very few changes to this file.
#
# The best way to configure the server for your local system
# is to CAREFULLY edit this file. Most attempts to make large
# edits to this file will BREAK THE SERVER. Any edits should
# be small, and tested by running the server with "radiusd -X".
# Once the edits have been verified to work, save a copy of these
# configuration files somewhere. (e.g. as a "tar" file). Then,
# make more edits, and test, as above.
#
# There are many "commented out" references to modules such
# as ldap, sql, etc. These references serve as place-holders.
# If you need the functionality of that module, then configure
# it in radiusd.conf, and un-comment the references to it in
# this file. In most cases, those small changes will result
# in the server being able to connect to the DB, and to
# authenticate users.
#
######################################################################

server default {
#
# If you want the server to listen on additional addresses, or on
# additional ports, you can use multiple "listen" sections.
#
# Each section makes the server listen for only one type of packet,
# therefore authentication and accounting have to be configured in
# different sections.
#
# The server ignores all "listen" sections if you are using '-i' and '-p'
# on the command line.
#
listen {
	# Type of packets to listen for.
	# Allowed values are:
	#	auth	listen for authentication packets
	#	acct	listen for accounting packets
	#	proxy	IP to use for sending proxied packets
	#	detail	Read from the detail file. For examples, see
	#		raddb/sites-available/copy-acct-to-home-server
	#	status	listen for Status-Server packets. For examples,
	#		see raddb/sites-available/status
	#	coa	listen for CoA-Request and Disconnect-Request
	#		packets. For examples, see the file
	#		raddb/sites-available/coa
	#
	type = auth

	# Note: "type = proxy" lets you control the source IP used for
	# proxying packets, with some limitations:
	#
	# * A proxy listener CANNOT be used in a virtual server section.
	# * You should probably set "port = 0".
	# * Any "clients" configuration will be ignored.
	#
	# See also proxy.conf, and the "src_ipaddr" configuration entry
	# in the sample "home_server" section. When you specify the
	# source IP address for packets sent to a home server, the
	# proxy listeners are automatically created.

	# ipaddr/ipv4addr/ipv6addr - IP address on which to listen.
	# If multiple ones are listed, only the first one will
	# be used, and the others will be ignored.
	#
	# The configuration options accept the following syntax:
	#
	# ipv4addr - IPv4 address (e.g. 192.0.2.3)
	#	   - wildcard (i.e. *)
	#	   - hostname (radius.example.com)
	#	     Only the A record for the host name is used.
	#	     If there is no A record, an error is returned,
	#	     and the server fails to start.
	#
	# ipv6addr - IPv6 address (e.g. 2001:db8::1)
	#	   - wildcard (i.e. *)
	#	   - hostname (radius.example.com)
	#	     Only the AAAA record for the host name is used.
	#	     If there is no AAAA record, an error is returned,
	#	     and the server fails to start.
	#
	# ipaddr   - IPv4 address as above
	#	   - IPv6 address as above
	#	   - wildcard (i.e. *), which means IPv4 wildcard.
	#	   - hostname
	#	     If there is only one A or AAAA record returned
	#	     for the host name, it is used.
	#	     If multiple A or AAAA records are returned
	#	     for the host name, only the first one is used.
	#	     If both A and AAAA records are returned
	#	     for the host name, only the A record is used.
	#
	# ipv4addr = *
	# ipv6addr = *
	ipaddr = *

	# Port on which to listen.
	# Allowed values are:
	#	integer port number (1812)
	#	0 means "use /etc/services for the proper port"
	port = 0

	# Some systems support binding to an interface, in addition
	# to the IP address. This feature isn't strictly necessary,
	# but for sites with many IP addresses on one interface,
	# it's useful to say "listen on all addresses for eth0".
	#
	# If your system does not support this feature, you will
	# get an error if you try to use it.
	#
	# interface = eth0

	# Per-socket lists of clients. This is a very useful feature.
	#
	# The name here is a reference to a section elsewhere in
	# radiusd.conf, or clients.conf. Having the name as
	# a reference allows multiple sockets to use the same
	# set of clients.
	#
	# If this configuration is used, then the global list of clients
	# is IGNORED for this "listen" section. Take care configuring
	# this feature, to ensure you don't accidentally disable a
	# client you need.
	#
	# See clients.conf for the configuration of "per_socket_clients".
	#
	# clients = per_socket_clients

	#
	# Connection limiting for sockets with "proto = tcp".
	#
	# This section is ignored for other kinds of sockets.
	#
	limit {
		#
		# Limit the number of simultaneous TCP connections to the socket
		#
		# The default is 16.
		# Setting this to 0 means "no limit"
		max_connections = 16

		# The per-socket "max_requests" option does not exist.

		#
		# The lifetime, in seconds, of a TCP connection. After
		# this lifetime, the connection will be closed.
		#
		# Setting this to 0 means "forever".
		lifetime = 0

		#
		# The idle timeout, in seconds, of a TCP connection.
		# If no packets have been received over the connection for
		# this time, the connection will be closed.
		#
		# Setting this to 0 means "no timeout".
		#
		# We STRONGLY RECOMMEND that you set an idle timeout.
		#
		idle_timeout = 30
	}
}

#
# This second "listen" section is for listening on the accounting
# port, too.
#
listen {
	ipaddr = *
	# ipv6addr = ::
	port = 0
	type = acct
	# interface = eth0
	# clients = per_socket_clients

	limit {
		# The number of packets received can be rate limited via the
		# "max_pps" configuration item. When it is set, the server
		# tracks the total number of packets received in the previous
		# second. If the count is greater than "max_pps", then the
		# new packet is silently discarded. This helps the server
		# deal with overload situations.
		#
		# The packets/s counter is tracked in a sliding window. This
		# means that the pps calculation is done for the second
		# before the current packet was received. NOT for the current
		# wall-clock second, and NOT for the previous wall-clock second.
		#
		# Useful values are 0 (no limit), or 100 to 10000.
		# Values lower than 100 will likely cause the server to ignore
		# normal traffic. Few systems are capable of handling more than
		# 10K packets/s.
		#
		# It is most useful for accounting systems. Set it to 50%
		# more than the normal accounting load, and you can be sure that
		# the server will never get overloaded.
		#
		# max_pps = 0

		# Only for "proto = tcp". These are ignored for "udp" sockets.
		#
		# idle_timeout = 0
		# lifetime = 0
		# max_connections = 0
	}
}

# IPv6 versions of the above - read their full config to understand options
listen {
	type = auth
	ipv6addr = ::	# any. ::1 == localhost
	port = 0
	# interface = eth0
	# clients = per_socket_clients
	limit {
		max_connections = 16
		lifetime = 0
		idle_timeout = 30
	}
}

listen {
	ipv6addr = ::
	port = 0
	type = acct
	# interface = eth0
	# clients = per_socket_clients

	limit {
		# max_pps = 0
		# idle_timeout = 0
		# lifetime = 0
		# max_connections = 0
	}
}

  261.  
  262. # Authorization. First preprocess (hints and huntgroups files),
  263. # then realms, and finally look in the "users" file.
  264. #
  265. # Any changes made here should also be made to the "inner-tunnel"
  266. # virtual server.
  267. #
  268. # The order of the realm modules will determine the order that
  269. # we try to find a matching realm.
  270. #
  271. # Make *sure* that 'preprocess' comes before any realm if you
  272. # need to setup hints for the remote radius server
  273. authorize {
  274. #
  275. # Take a User-Name, and perform some checks on it, for spaces and other
  276. # invalid characters. If the User-Name appears invalid, reject the
  277. # request.
  278. #
  279. # See policy.d/filter for the definition of the filter_username policy.
  280. #
  281. filter_username
  282.  
  283. #
  284. # Some broken equipment sends passwords with embedded zeros.
  285. # i.e. the debug output will show
  286. #
  287. # User-Password = "password\000\000"
  288. #
  289. # This policy will fix it to just be "password".
  290. #
  291. # filter_password
  292.  
  293. #
  294. # The preprocess module takes care of sanitizing some bizarre
  295. # attributes in the request, and turning them into attributes
  296. # which are more standard.
  297. #
  298. # It takes care of processing the 'raddb/mods-config/preprocess/hints'
  299. # and the 'raddb/mods-config/preprocess/huntgroups' files.
  300. preprocess
  301.  
  302. # If you intend to use CUI and you require that the Operator-Name
  303. # be set for CUI generation and you want to generate CUI also
  304. # for your local clients then uncomment the operator-name
  305. # below and set the operator-name for your clients in clients.conf
  306. # operator-name
  307.  
  308. #
  309. # If you want to generate CUI for some clients that do not
  310. # send proper CUI requests, then uncomment the
  311. # cui below and set "add_cui = yes" for these clients in clients.conf
  312. # cui
  313.  
  314. #
  315. # If you want to have a log of authentication requests,
  316. # un-comment the following line.
  317. # auth_log
  318.  
  319. #
  320. # The chap module will set 'Auth-Type := CHAP' if we are
  321. # handling a CHAP request and Auth-Type has not already been set
  322. # chap
  323.  
  324. #
  325. # If the users are logging in with an MS-CHAP-Challenge
  326. # attribute for authentication, the mschap module will find
  327. # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
  328. # to the request, which will cause the server to then use
  329. # the mschap module for authentication.
  330. # mschap
  331.  
  332. #
  333. # If you have a Cisco SIP server authenticating against
  334. # FreeRADIUS, uncomment the following line, and the 'digest'
  335. # line in the 'authenticate' section.
  336. digest
  337.  
  338. #
  339. # The WiMAX specification says that the Calling-Station-Id
  340. # is 6 octets of the MAC. This definition conflicts with
  341. # RFC 3580, and all common RADIUS practices. Un-commenting
  342. # the "wimax" module here means that it will fix the
  343. # Calling-Station-Id attribute to the normal format as
  344. # specified in RFC 3580 Section 3.21
  345. # wimax
  346.  
  347. #
  348. # Look for IPASS style 'realm/', and if not found, look for
  349. # '@realm', and decide whether or not to proxy, based on
  350. # that.
  351. # IPASS
  352.  
  353. #
  354. # If you are using multiple kinds of realms, you probably
  355. # want to set "ignore_null = yes" for all of them.
  356. # Otherwise, when the first style of realm doesn't match,
  357. # the other styles won't be checked.
  358. #
  359. suffix
  360. # ntdomain
  361.  
  362. #
  363. # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
  364. # authentication.
  365. #
  366. # It also sets the EAP-Type attribute in the request
  367. # attribute list to the EAP type from the packet.
  368. #
  369. # The EAP module returns "ok" or "updated" if it is not yet ready
  370. # to authenticate the user. The configuration below checks for
  371. # "ok", and stops processing the "authorize" section if so.
  372. #
  373. # Any LDAP and/or SQL servers will not be queried for the
  374. # initial set of packets that go back and forth to set up
  375. # TTLS or PEAP.
  376. #
  377. # The "updated" check is commented out for compatibility with
  378. # previous versions of this configuration, but you may wish to
  379. # uncomment it as well; this will further reduce the number of
  380. # LDAP and/or SQL queries for TTLS or PEAP.
  381. #
  382. eap {
  383. ok = return
  384. # updated = return
  385. }
  386.  
  387. #
  388. # Pull crypt'd passwords from /etc/passwd or /etc/shadow,
  389. # using the system API's to get the password. If you want
  390. # to read /etc/passwd or /etc/shadow directly, see the
  391. # mods-available/passwd module.
  392. #
  393. # unix
  394.  
  395. #
  396. # Read the 'users' file. In v3, this is located in
  397. # raddb/mods-config/files/authorize
  398. files
  399.  
  400. #
  401. # Look in an SQL database. The schema of the database
  402. # is meant to mirror the "users" file.
  403. #
  404. # See "Authorization Queries" in mods-available/sql
  405. -sql
  406.  
  407. #
  408. # If you are using /etc/smbpasswd, and are also doing
  409. # mschap authentication, the un-comment this line, and
  410. # configure the 'smbpasswd' module.
  411. # smbpasswd
  412.  
  413. #
  414. # The ldap module reads passwords from the LDAP database.
  415. -ldap
  416.  
  417. #
  418. # Enforce daily limits on time spent logged in.
  419. # daily
  420.  
  421. #
  422. expiration
  423. logintime
  424.  
  425.  
  426.  
  427. # Handle multiotp authentication
  428. multiotp
  429.  
  430.  
  431. #
  432. # If no other module has claimed responsibility for
  433. # authentication, then try to use PAP. This allows the
  434. # other modules listed above to add a "known good" password
  435. # to the request, and to do nothing else. The PAP module
  436. # will then see that password, and use it to do PAP
  437. # authentication.
  438. #
  439. # This module should be listed last, so that the other modules
  440. # get a chance to set Auth-Type for themselves.
  441. #
  442. pap
  443.  
  444. #
  445. # If "status_server = yes", then Status-Server messages are passed
  446. # through the following section, and ONLY the following section.
  447. # This permits you to do DB queries, for example. If the modules
  448. # listed here return "fail", then NO response is sent.
  449. #
  450. # Autz-Type Status-Server {
  451. #
  452. # }
  453. }

# Authentication.
#
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that a module from the 'authorize' section adds a configuration
# attribute 'Auth-Type := FOO'. That authentication type is then
# used to pick the appropriate module from the list below.
#

# In general, you SHOULD NOT set the Auth-Type attribute. The server
# will figure it out on its own, and will do the right thing. The
# most common side effect of erroneously setting the Auth-Type
# attribute is that one authentication method will work, but the
# others will not.
#
# The common reasons to set the Auth-Type attribute by hand
# are to either forcibly reject the user (Auth-Type := Reject),
# or to forcibly accept the user (Auth-Type := Accept).
#
# Note that Auth-Type := Accept will NOT work with EAP.
#
# Please do not put "unlang" configurations into the "authenticate"
# section. Put them in the "post-auth" section instead. That's what
# the post-auth section is for.
#
authenticate {

	Auth-Type multiotp {
		multiotp
	}
	Auth-Type multiotpmschap {
		multiotpmschap
	}

	#
	# PAP authentication, when a back-end database listed
	# in the 'authorize' section supplies a password. The
	# password can be clear-text, or encrypted.
	Auth-Type PAP {
		pap
	}

	#
	# Most people want CHAP authentication.
	# A back-end database listed in the 'authorize' section
	# MUST supply a CLEAR TEXT password. Encrypted passwords
	# won't work.
	Auth-Type CHAP {
		chap
	}

	#
	# MSCHAP authentication.
	Auth-Type MS-CHAP {
		mschap
	}

	#
	# For old names, too.
	#
	mschap

	#
	# If you have a Cisco SIP server authenticating against
	# FreeRADIUS, uncomment the following line, and the 'digest'
	# line in the 'authorize' section.
	digest

	#
	# Pluggable Authentication Modules.
	# pam

	# Uncomment it if you want to use ldap for authentication
	#
	# Note that this means "check plain-text password against
	# the ldap database", which means that EAP won't work,
	# as it does not supply a plain-text password.
	#
	# We do NOT recommend using this. LDAP servers are databases.
	# They are NOT authentication servers. FreeRADIUS is an
	# authentication server, and knows what to do with authentication.
	# LDAP servers do not.
	#
	# Auth-Type LDAP {
	#	ldap
	# }

	#
	# Allow EAP authentication.
	eap

	#
	# The older configurations sent a number of attributes in
	# Access-Challenge packets, which wasn't strictly correct.
	# If you want to filter out these attributes, uncomment
	# the following lines.
	#
	# Auth-Type eap {
	#	eap {
	#		handled = 1
	#	}
	#	if (handled && (Response-Packet-Type == Access-Challenge)) {
	#		attr_filter.access_challenge.post-auth
	#		handled  # override the "updated" code from attr_filter
	#	}
	# }
}

#
# Pre-accounting. Decide which accounting type to use.
#
preacct {
	preprocess

	#
	# Merge Acct-[Input|Output]-Gigawords and Acct-[Input|Output]-Octets
	# into a single 64bit counter Acct-[Input|Output]-Octets64.
	#
	# acct_counters64

	#
	# Session start times are *implied* in RADIUS.
	# The NAS never sends a "start time". Instead, it sends
	# a start packet, *possibly* with an Acct-Delay-Time.
	# The server is supposed to conclude that the start time
	# was "Acct-Delay-Time" seconds in the past.
	#
	# The code below creates an explicit start time, which can
	# then be used in other modules. It will be *mostly* correct.
	# Any errors are due to the 1-second resolution of RADIUS,
	# and the possibility that the time on the NAS may be off.
	#
	# The start time is: NOW - delay - session_length
	#

	# update request {
	#	FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
	# }

	#
	# Ensure that we have a semi-unique identifier for every
	# request, and many NAS boxes are broken.
	acct_unique

	#
	# Look for IPASS-style 'realm/', and if not found, look for
	# '@realm', and decide whether or not to proxy, based on
	# that.
	#
	# Accounting requests are generally proxied to the same
	# home server as authentication requests.
	# IPASS
	suffix
	# ntdomain

	#
	# Read the 'acct_users' file
	files
}

#
# Accounting. Log the accounting data.
#
accounting {
	# Update accounting packet by adding the CUI attribute
	# recorded from the corresponding Access-Accept
	# use it only if your NAS boxes do not support CUI themselves
	# cui
	#
	# Create a 'detail'ed log of the packets.
	# Note that accounting requests which are proxied
	# are also logged in the detail file.
	detail
	# daily

	# Update the wtmp file
	#
	# If you don't use "radlast", you can delete this line.
	unix

	#
	# For Simultaneous-Use tracking.
	#
	# Due to packet losses in the network, the data here
	# may be incorrect. There is little we can do about it.
	# radutmp
	# sradutmp

	# Return an address to the IP Pool when we see a stop record.
	# main_pool

	#
	# Log traffic to an SQL database.
	#
	# See "Accounting queries" in mods-available/sql
	-sql

	#
	# If you receive stop packets with zero session length,
	# they will NOT be logged in the database. The SQL module
	# will print a message (only in debugging mode), and will
	# return "noop".
	#
	# You can ignore these packets by uncommenting the following
	# three lines. Otherwise, the server will not respond to the
	# accounting request, and the NAS will retransmit.
	#
	# if (noop) {
	#	ok
	# }

	#
	# Instead of sending the query to the SQL server,
	# write it into a log file.
	#
	# sql_log

	# Cisco VoIP specific bulk accounting
	# pgsql-voip

	# For Exec-Program and Exec-Program-Wait
	exec

	# Filter attributes from the accounting response.
	attr_filter.accounting_response

	#
	# See "Autz-Type Status-Server" for how this works.
	#
	# Acct-Type Status-Server {
	#
	# }
}

# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
	# radutmp

	#
	# See "Simultaneous Use Checking Queries" in mods-available/sql
	# sql
}

# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
post-auth {
	#
	# If you need to have a State attribute, you can
	# add it here. e.g. for later CoA-Request with
	# State, and Service-Type = Authorize-Only.
	#
	# if (!&reply:State) {
	#	update reply {
	#		State := "0x%{randstr:16h}"
	#	}
	# }

	#
	# For EAP-TTLS and PEAP, add the cached attributes to the reply.
	# The "session-state" attributes are automatically cached when
	# an Access-Challenge is sent, and automatically retrieved
	# when an Access-Request is received.
	#
	# The session-state attributes are automatically deleted after
	# an Access-Reject or Access-Accept is sent.
	#
	update {
		&reply: += &session-state:
	}

	# Get an address from the IP Pool.
	# main_pool

	# Create the CUI value and add the attribute to Access-Accept.
	# Uncomment the line below if *returning* the CUI.
	# cui

	#
	# If you want to have a log of authentication replies,
	# un-comment the following line, and enable the
	# 'detail reply_log' module.
	# reply_log

	#
	# After authenticating the user, do another SQL query.
	#
	# See "Authentication Logging Queries" in mods-available/sql
	-sql

	#
	# Instead of sending the query to the SQL server,
	# write it into a log file.
	#
	# sql_log

	#
	# Un-comment the following if you want to modify the user's object
	# in LDAP after a successful login.
	#
	# ldap

	# For Exec-Program and Exec-Program-Wait
	exec

	#
	# Calculate the various WiMAX keys. In order for this to work,
	# you will need to define the WiMAX NAI, usually via
	#
	#	update request {
	#		WiMAX-MN-NAI = "%{User-Name}"
	#	}
	#
	# If you want various keys to be calculated, you will need to
	# update the reply with "template" values. The module will see
	# this, and replace the template values with the correct ones
	# taken from the cryptographic calculations. e.g.
	#
	#	update reply {
	#		WiMAX-FA-RK-Key = 0x00
	#		WiMAX-MSK = "%{EAP-MSK}"
	#	}
	#
	# You may want to delete the MS-MPPE-*-Keys from the reply,
	# as some WiMAX clients behave badly when those attributes
	# are included. See "raddb/modules/wimax", configuration
	# entry "delete_mppe_keys" for more information.
	#
	# wimax

	# If there is a client certificate (EAP-TLS, sometimes PEAP
	# and TTLS), then some attributes are filled out after the
	# certificate verification has been performed. These fields
	# MAY be available during the authentication, or they may be
	# available only in the "post-auth" section.
	#
	# The first set of attributes contains information about the
	# issuing certificate which is being used. The second
	# contains information about the client certificate (if
	# available).
	#
	# update reply {
	#	Reply-Message += "%{TLS-Cert-Serial}"
	#	Reply-Message += "%{TLS-Cert-Expiration}"
	#	Reply-Message += "%{TLS-Cert-Subject}"
	#	Reply-Message += "%{TLS-Cert-Issuer}"
	#	Reply-Message += "%{TLS-Cert-Common-Name}"
	#	Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
	#
	#	Reply-Message += "%{TLS-Client-Cert-Serial}"
	#	Reply-Message += "%{TLS-Client-Cert-Expiration}"
	#	Reply-Message += "%{TLS-Client-Cert-Subject}"
	#	Reply-Message += "%{TLS-Client-Cert-Issuer}"
	#	Reply-Message += "%{TLS-Client-Cert-Common-Name}"
	#	Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
	# }

	# Insert class attribute (with unique value) into response,
	# aids matching auth and acct records, and protects against duplicate
	# Acct-Session-Id. Note: Only works if the NAS has implemented
	# RFC 2865 behaviour for the class attribute, AND if the NAS
	# supports long Class attributes. Many older or cheap NASes
	# only support 16-octet Class attributes.
	# insert_acct_class

	# MACsec requires the use of EAP-Key-Name. However, we don't
	# want to send it for all EAP sessions. Therefore, the EAP
	# modules put required data into the EAP-Session-Id attribute.
	# This attribute is never put into a request or reply packet.
	#
	# Uncomment the next few lines to copy the required data into
	# the EAP-Key-Name attribute
	# if (&reply:EAP-Session-Id) {
	#	update reply {
	#		EAP-Key-Name := &reply:EAP-Session-Id
	#	}
	# }

	# Remove reply message if the response contains an EAP-Message
	remove_reply_message_if_eap

	#
	# Access-Reject packets are sent through the REJECT sub-section of the
	# post-auth section.
	#
	# Add the ldap module name (or instance) if you have set
	# 'edir_account_policy_check = yes' in the ldap module configuration
	#
	# The "session-state" attributes are not available here.
	#
	Post-Auth-Type REJECT {
		# log failed authentications in SQL, too.
		-sql
		attr_filter.access_reject

		# Insert EAP-Failure message if the request was
		# rejected by policy instead of because of an
		# authentication failure
		eap

		# Remove reply message if the response contains an EAP-Message
		remove_reply_message_if_eap
	}

	#
	# Filter access challenges.
	#
	Post-Auth-Type Challenge {
		# remove_reply_message_if_eap
		# attr_filter.access_challenge.post-auth
	}

}

#
# When the server decides to proxy a request to a home server,
# the proxied request is first passed through the pre-proxy
# stage. This stage can re-write the request, or decide to
# cancel the proxy.
#
# Only a few modules currently have this method.
#
pre-proxy {
	# Before proxying the request add an Operator-Name attribute identifying
	# if the operator-name is found for this client.
	# No need to uncomment this if you have already enabled this in
	# the authorize section.
	# operator-name

	# The client requests the CUI by sending a CUI attribute
	# containing one zero byte.
	# Uncomment the line below if *requesting* the CUI.
	# cui

	# Uncomment the following line if you want to change attributes
	# as defined in the preproxy_users file.
	# files

	# Uncomment the following line if you want to filter requests
	# sent to remote servers based on the rules defined in the
	# 'attrs.pre-proxy' file.
	# attr_filter.pre-proxy

	# If you want to have a log of packets proxied to a home
	# server, un-comment the following line, and the
	# 'detail pre_proxy_log' section, above.
	# pre_proxy_log
}

#
# When the server receives a reply to a request it proxied
# to a home server, the request may be massaged here, in the
# post-proxy stage.
#
post-proxy {

	# If you want to have a log of replies from a home server,
	# un-comment the following line, and the 'detail post_proxy_log'
	# section, above.
	# post_proxy_log

	# Uncomment the following line if you want to filter replies from
	# remote proxies based on the rules defined in the 'attrs' file.
	# attr_filter.post-proxy

	#
	# If you are proxying LEAP, you MUST configure the EAP
	# module, and you MUST list it here, in the post-proxy
	# stage.
	#
	# You MUST also use the 'nostrip' option in the 'realm'
	# configuration. Otherwise, the User-Name attribute
	# in the proxied request will not match the user name
	# hidden inside of the EAP packet, and the end server will
	# reject the EAP request.
	#
	eap

	#
	# If the server tries to proxy a request and fails, then the
	# request is processed through the modules in this section.
	#
	# The main use of this section is to permit robust proxying
	# of accounting packets. The server can be configured to
	# proxy accounting packets as part of normal processing.
	# Then, if the home server goes down, accounting packets can
	# be logged to a local "detail" file, for processing with
	# radrelay. When the home server comes back up, radrelay
	# will read the detail file, and send the packets to the
	# home server.
	#
	# With this configuration, the server always responds to
	# Accounting-Requests from the NAS, but only writes
	# accounting packets to disk if the home server is down.
	#
	# Post-Proxy-Type Fail-Accounting {
	#	detail
	# }
}
}
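The `max_pps` comments in the accounting `listen` section describe a sliding-window packets-per-second limit: the count covers the one second before the current packet arrived, not the current or the previous wall-clock second. The following Python is an added illustration of that distinction, written for this page and not FreeRADIUS's own code; the `SlidingWindowLimiter` and `WallClockLimiter` class names, the assumption that a dropped packet still counts as received, and the arrival timestamps are all constructed for the example.

```python
from collections import deque


class SlidingWindowLimiter:
    """Packet-rate limiter modelled on the max_pps description in the
    "listen" section: a packet is dropped when more than max_pps packets
    arrived in the one second *before* it, measured back from its own
    arrival time rather than from wall-clock second boundaries.

    Illustrative reimplementation, not FreeRADIUS's own code. Assumption
    (not stated in the config): every received packet is counted, whether
    it was accepted or dropped.
    """

    def __init__(self, max_pps, window=1.0):
        self.max_pps = max_pps          # 0 means "no limit", as in the config
        self.window = window            # seconds
        self._arrivals = deque()        # arrival times still inside the window

    def accept(self, now):
        # Evict arrivals that fall outside the window preceding this packet.
        while self._arrivals and now - self._arrivals[0] >= self.window:
            self._arrivals.popleft()
        recent = len(self._arrivals)    # packets in the second before "now"
        self._arrivals.append(now)
        if self.max_pps == 0:
            return True
        return recent <= self.max_pps   # "greater than max_pps" is discarded


class WallClockLimiter:
    """Counter-per-wall-clock-second variant, shown only to contrast with
    the sliding window; the config comment says max_pps is NOT this."""

    def __init__(self, max_pps):
        self.max_pps = max_pps
        self._second = None
        self._count = 0

    def accept(self, now):
        second = int(now)
        if second != self._second:      # new wall-clock second: reset counter
            self._second, self._count = second, 0
        prior = self._count
        self._count += 1
        if self.max_pps == 0:
            return True
        return prior <= self.max_pps


def simulate(limiter, arrival_times):
    """Feed constructed arrival timestamps through a limiter; True = accepted."""
    return [limiter.accept(t) for t in arrival_times]


if __name__ == "__main__":
    # Constructed burst of four packets straddling a second boundary.
    burst = [0.9, 0.95, 1.0, 1.05]
    print("sliding window:", simulate(SlidingWindowLimiter(2), burst))  # last one dropped
    print("wall clock:    ", simulate(WallClockLimiter(2), burst))      # all accepted
```

Running the block shows the same four-packet burst passing a per-second counter while the sliding window drops the fourth packet, which is the behaviour the comment is describing when it says the calculation is for the second before the packet rather than the wall-clock second. It also makes the comment's warning concrete: with a small `max_pps`, a short burst is enough to start discarding traffic.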
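The `preacct` section includes a commented-out `update request` that computes `FreeRADIUS-Acct-Session-Start-Time` as NOW - delay - session_length, written with the `%{%{Attr}:-0}` form so that a missing `Acct-Session-Time` (as on a Start packet) or a missing `Acct-Delay-Time` counts as zero. To show how that exact string evaluates for different accounting packets, here is an added Python expander for just that subset of xlat syntax; it is a toy written for this page, not FreeRADIUS's own expansion engine, and the request dictionaries and the receive time `now` are constructed sample values.

```python
import re
import time

# The start-time expression from the commented-out "update request" block above.
START_TIME_XLAT = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"


def _match_brace(s, open_idx):
    """Return the index of the '}' matching the '{' at open_idx."""
    depth = 0
    for k in range(open_idx, len(s)):
        if s[k] == "{":
            depth += 1
        elif s[k] == "}":
            depth -= 1
            if depth == 0:
                return k
    raise ValueError("unbalanced braces in xlat: " + s)


def _eval_arith(text):
    """Left-to-right integer + and - only (all the expression above needs)."""
    tokens = re.findall(r"\d+|[+-]", text)
    if not tokens or not tokens[0].isdigit():
        raise ValueError("unsupported expr: " + text)
    total = int(tokens[0])
    for op, num in zip(tokens[1::2], tokens[2::2]):
        total = total + int(num) if op == "+" else total - int(num)
    return total


def _eval_inner(inner, attrs, now):
    """Evaluate the text between %{ and }."""
    if inner.startswith("expr:"):
        return str(_eval_arith(expand(inner[len("expr:"):], attrs, now)))
    if inner.startswith("%{"):
        # %{%{Attr}:-default}: use the attribute, or the default when it is absent/empty.
        j = _match_brace(inner, 1)
        value = expand(inner[: j + 1], attrs, now)
        rest = inner[j + 1:]
        if rest.startswith(":-"):
            return value if value != "" else expand(rest[2:], attrs, now)
        raise ValueError("unsupported nested xlat: " + inner)
    value = attrs.get(inner)            # plain %{Attr}: absent attribute expands to ""
    return "" if value is None else str(value)


def expand(template, attrs, now=None):
    """Expand the small xlat subset used above: %{Attr}, %{%{Attr}:-default},
    %l (current Unix time) and %{expr: ...}. Toy expander, not FreeRADIUS's."""
    now = int(time.time()) if now is None else now
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template):
            if template[i + 1] == "l":
                out.append(str(now))
                i += 2
                continue
            if template[i + 1] == "{":
                j = _match_brace(template, i + 1)
                out.append(_eval_inner(template[i + 2: j], attrs, now))
                i = j + 1
                continue
        out.append(template[i])
        i += 1
    return "".join(out)


def session_start_time(request, now):
    """Start time the config would compute for an accounting request (a dict of
    attribute -> value), given the receive time 'now' in Unix seconds."""
    return int(expand(START_TIME_XLAT, request, now))


if __name__ == "__main__":
    now = 1532304000  # constructed receive time
    stop = {"Acct-Status-Type": "Stop", "Acct-Session-Time": 3600, "Acct-Delay-Time": 5}
    start = {"Acct-Status-Type": "Start", "Acct-Delay-Time": 2}
    print(session_start_time(stop, now) - now)   # -3605
    print(session_start_time(start, now) - now)  # -2
```

The Stop packet's start time lands 3605 seconds back (session length plus the NAS's reported delay), while the Start packet, which carries no `Acct-Session-Time`, falls back to the `:-0` default and lands only `Acct-Delay-Time` seconds back. A packet with neither attribute evaluates to `now` itself, and the result is still only as good as the comment warns: one-second resolution and whatever clock skew the NAS has.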