Advertisement
Guest User

raddb-sites-default

a guest
Jul 23rd, 2018
277
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. ######################################################################
  2. #
  3. # As of 2.0.0, FreeRADIUS supports virtual hosts using the
  4. # "server" section, and configuration directives.
  5. #
  6. # Virtual hosts should be put into the "sites-available"
  7. # directory. Soft links should be created in the "sites-enabled"
  8. # directory to these files. This is done in a normal installation.
  9. #
  10. # If you are using 802.1X (EAP) authentication, please see also
  11. # the "inner-tunnel" virtual server. You will likely have to edit
  12. # that, too, for authentication to work.
  13. #
  14. # $Id: 292abcc492c6e21594ed93b2fbbd9ab226e4440d $
  15. #
  16. ######################################################################
  17. #
  18. # Read "man radiusd" before editing this file. See the section
  19. # titled DEBUGGING. It outlines a method where you can quickly
  20. # obtain the configuration you want, without running into
  21. # trouble. See also "man unlang", which documents the format
  22. # of this file.
  23. #
  24. # This configuration is designed to work in the widest possible
  25. # set of circumstances, with the widest possible number of
  26. # authentication methods. This means that in general, you should
  27. # need to make very few changes to this file.
  28. #
  29. # The best way to configure the server for your local system
  30. # is to CAREFULLY edit this file. Most attempts to make large
  31. # edits to this file will BREAK THE SERVER. Any edits should
  32. # be small, and tested by running the server with "radiusd -X".
  33. # Once the edits have been verified to work, save a copy of these
  34. # configuration files somewhere. (e.g. as a "tar" file). Then,
  35. # make more edits, and test, as above.
  36. #
  37. # There are many "commented out" references to modules such
  38. # as ldap, sql, etc. These references serve as place-holders.
  39. # If you need the functionality of that module, then configure
  40. # it in radiusd.conf, and un-comment the references to it in
  41. # this file. In most cases, those small changes will result
  42. # in the server being able to connect to the DB, and to
  43. # authenticate users.
  44. #
  45. ######################################################################
  46.  
  47. server default {
  48. #
  49. # If you want the server to listen on additional addresses, or on
  50. # additional ports, you can use multiple "listen" sections.
  51. #
  52. # Each section make the server listen for only one type of packet,
  53. # therefore authentication and accounting have to be configured in
  54. # different sections.
  55. #
  56. # The server ignore all "listen" section if you are using '-i' and '-p'
  57. # on the command line.
  58. #
  59. listen {
  60. # Type of packets to listen for.
  61. # Allowed values are:
  62. # auth listen for authentication packets
  63. # acct listen for accounting packets
  64. # proxy IP to use for sending proxied packets
  65. # detail Read from the detail file. For examples, see
  66. # raddb/sites-available/copy-acct-to-home-server
  67. # status listen for Status-Server packets. For examples,
  68. # see raddb/sites-available/status
  69. # coa listen for CoA-Request and Disconnect-Request
  70. # packets. For examples, see the file
  71. # raddb/sites-available/coa
  72. #
  73. type = auth
  74.  
  75. # Note: "type = proxy" lets you control the source IP used for
  76. # proxying packets, with some limitations:
  77. #
  78. # * A proxy listener CANNOT be used in a virtual server section.
  79. # * You should probably set "port = 0".
  80. # * Any "clients" configuration will be ignored.
  81. #
  82. # See also proxy.conf, and the "src_ipaddr" configuration entry
  83. # in the sample "home_server" section. When you specify the
  84. # source IP address for packets sent to a home server, the
  85. # proxy listeners are automatically created.
  86.  
  87. # ipaddr/ipv4addr/ipv6addr - IP address on which to listen.
  88. # If multiple ones are listed, only the first one will
  89. # be used, and the others will be ignored.
  90. #
  91. # The configuration options accept the following syntax:
  92. #
  93. # ipv4addr - IPv4 address (e.g.192.0.2.3)
  94. # - wildcard (i.e. *)
  95. # - hostname (radius.example.com)
  96. # Only the A record for the host name is used.
  97. # If there is no A record, an error is returned,
  98. # and the server fails to start.
  99. #
  100. # ipv6addr - IPv6 address (e.g. 2001:db8::1)
  101. # - wildcard (i.e. *)
  102. # - hostname (radius.example.com)
  103. # Only the AAAA record for the host name is used.
  104. # If there is no AAAA record, an error is returned,
  105. # and the server fails to start.
  106. #
  107. # ipaddr - IPv4 address as above
  108. # - IPv6 address as above
  109. # - wildcard (i.e. *), which means IPv4 wildcard.
  110. # - hostname
  111. # If there is only one A or AAAA record returned
  112. # for the host name, it is used.
  113. # If multiple A or AAAA records are returned
  114. # for the host name, only the first one is used.
  115. # If both A and AAAA records are returned
  116. # for the host name, only the A record is used.
  117. #
  118. # ipv4addr = *
  119. # ipv6addr = *
  120. ipaddr = *
  121.  
  122. # Port on which to listen.
  123. # Allowed values are:
  124. # integer port number (1812)
  125. # 0 means "use /etc/services for the proper port"
  126. port = 0
  127.  
  128. # Some systems support binding to an interface, in addition
  129. # to the IP address. This feature isn't strictly necessary,
  130. # but for sites with many IP addresses on one interface,
  131. # it's useful to say "listen on all addresses for eth0".
  132. #
  133. # If your system does not support this feature, you will
  134. # get an error if you try to use it.
  135. #
  136. # interface = eth0
  137.  
  138. # Per-socket lists of clients. This is a very useful feature.
  139. #
  140. # The name here is a reference to a section elsewhere in
  141. # radiusd.conf, or clients.conf. Having the name as
  142. # a reference allows multiple sockets to use the same
  143. # set of clients.
  144. #
  145. # If this configuration is used, then the global list of clients
  146. # is IGNORED for this "listen" section. Take care configuring
  147. # this feature, to ensure you don't accidentally disable a
  148. # client you need.
  149. #
  150. # See clients.conf for the configuration of "per_socket_clients".
  151. #
  152. # clients = per_socket_clients
  153.  
  154. #
  155. # Connection limiting for sockets with "proto = tcp".
  156. #
  157. # This section is ignored for other kinds of sockets.
  158. #
  159. limit {
  160. #
  161. # Limit the number of simultaneous TCP connections to the socket
  162. #
  163. # The default is 16.
  164. # Setting this to 0 means "no limit"
  165. max_connections = 16
  166.  
  167. # The per-socket "max_requests" option does not exist.
  168.  
  169. #
  170. # The lifetime, in seconds, of a TCP connection. After
  171. # this lifetime, the connection will be closed.
  172. #
  173. # Setting this to 0 means "forever".
  174. lifetime = 0
  175.  
  176. #
  177. # The idle timeout, in seconds, of a TCP connection.
  178. # If no packets have been received over the connection for
  179. # this time, the connection will be closed.
  180. #
  181. # Setting this to 0 means "no timeout".
  182. #
  183. # We STRONGLY RECOMMEND that you set an idle timeout.
  184. #
  185. idle_timeout = 30
  186. }
  187. }
  188.  
  189. #
  190. # This second "listen" section is for listening on the accounting
  191. # port, too.
  192. #
  193. listen {
  194. ipaddr = *
  195. # ipv6addr = ::
  196. port = 0
  197. type = acct
  198. # interface = eth0
  199. # clients = per_socket_clients
  200.  
  201. limit {
  202. # The number of packets received can be rate limited via the
  203. # "max_pps" configuration item. When it is set, the server
  204. # tracks the total number of packets received in the previous
  205. # second. If the count is greater than "max_pps", then the
  206. # new packet is silently discarded. This helps the server
  207. # deal with overload situations.
  208. #
  209. # The packets/s counter is tracked in a sliding window. This
  210. # means that the pps calculation is done for the second
  211. # before the current packet was received. NOT for the current
  212. # wall-clock second, and NOT for the previous wall-clock second.
  213. #
  214. # Useful values are 0 (no limit), or 100 to 10000.
  215. # Values lower than 100 will likely cause the server to ignore
  216. # normal traffic. Few systems are capable of handling more than
  217. # 10K packets/s.
  218. #
  219. # It is most useful for accounting systems. Set it to 50%
  220. # more than the normal accounting load, and you can be sure that
  221. # the server will never get overloaded
  222. #
  223. # max_pps = 0
  224.  
  225. # Only for "proto = tcp". These are ignored for "udp" sockets.
  226. #
  227. # idle_timeout = 0
  228. # lifetime = 0
  229. # max_connections = 0
  230. }
  231. }
  232.  
  233. # IPv6 versions of the above - read their full config to understand options
  234. listen {
  235. type = auth
  236. ipv6addr = :: # any. ::1 == localhost
  237. port = 0
  238. # interface = eth0
  239. # clients = per_socket_clients
  240. limit {
  241. max_connections = 16
  242. lifetime = 0
  243. idle_timeout = 30
  244. }
  245. }
  246.  
  247. listen {
  248. ipv6addr = ::
  249. port = 0
  250. type = acct
  251. # interface = eth0
  252. # clients = per_socket_clients
  253.  
  254. limit {
  255. # max_pps = 0
  256. # idle_timeout = 0
  257. # lifetime = 0
  258. # max_connections = 0
  259. }
  260. }
  261.  
  262. # Authorization. First preprocess (hints and huntgroups files),
  263. # then realms, and finally look in the "users" file.
  264. #
  265. # Any changes made here should also be made to the "inner-tunnel"
  266. # virtual server.
  267. #
  268. # The order of the realm modules will determine the order that
  269. # we try to find a matching realm.
  270. #
  271. # Make *sure* that 'preprocess' comes before any realm if you
  272. # need to setup hints for the remote radius server
  273. authorize {
  274. #
  275. # Take a User-Name, and perform some checks on it, for spaces and other
  276. # invalid characters. If the User-Name appears invalid, reject the
  277. # request.
  278. #
  279. # See policy.d/filter for the definition of the filter_username policy.
  280. #
  281. filter_username
  282.  
  283. #
  284. # Some broken equipment sends passwords with embedded zeros.
  285. # i.e. the debug output will show
  286. #
  287. # User-Password = "password\000\000"
  288. #
  289. # This policy will fix it to just be "password".
  290. #
  291. # filter_password
  292.  
  293. #
  294. # The preprocess module takes care of sanitizing some bizarre
  295. # attributes in the request, and turning them into attributes
  296. # which are more standard.
  297. #
  298. # It takes care of processing the 'raddb/mods-config/preprocess/hints'
  299. # and the 'raddb/mods-config/preprocess/huntgroups' files.
  300. preprocess
  301.  
  302. # If you intend to use CUI and you require that the Operator-Name
  303. # be set for CUI generation and you want to generate CUI also
  304. # for your local clients then uncomment the operator-name
  305. # below and set the operator-name for your clients in clients.conf
  306. # operator-name
  307.  
  308. #
  309. # If you want to generate CUI for some clients that do not
  310. # send proper CUI requests, then uncomment the
  311. # cui below and set "add_cui = yes" for these clients in clients.conf
  312. # cui
  313.  
  314. #
  315. # If you want to have a log of authentication requests,
  316. # un-comment the following line.
  317. # auth_log
  318.  
  319. #
  320. # The chap module will set 'Auth-Type := CHAP' if we are
  321. # handling a CHAP request and Auth-Type has not already been set
  322. # chap
  323.  
  324. #
  325. # If the users are logging in with an MS-CHAP-Challenge
  326. # attribute for authentication, the mschap module will find
  327. # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
  328. # to the request, which will cause the server to then use
  329. # the mschap module for authentication.
  330. # mschap
  331.  
  332. #
  333. # If you have a Cisco SIP server authenticating against
  334. # FreeRADIUS, uncomment the following line, and the 'digest'
  335. # line in the 'authenticate' section.
  336. digest
  337.  
  338. #
  339. # The WiMAX specification says that the Calling-Station-Id
  340. # is 6 octets of the MAC. This definition conflicts with
  341. # RFC 3580, and all common RADIUS practices. Un-commenting
  342. # the "wimax" module here means that it will fix the
  343. # Calling-Station-Id attribute to the normal format as
  344. # specified in RFC 3580 Section 3.21
  345. # wimax
  346.  
  347. #
  348. # Look for IPASS style 'realm/', and if not found, look for
  349. # '@realm', and decide whether or not to proxy, based on
  350. # that.
  351. # IPASS
  352.  
  353. #
  354. # If you are using multiple kinds of realms, you probably
  355. # want to set "ignore_null = yes" for all of them.
  356. # Otherwise, when the first style of realm doesn't match,
  357. # the other styles won't be checked.
  358. #
  359. suffix
  360. # ntdomain
  361.  
  362. #
  363. # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
  364. # authentication.
  365. #
  366. # It also sets the EAP-Type attribute in the request
  367. # attribute list to the EAP type from the packet.
  368. #
  369. # The EAP module returns "ok" or "updated" if it is not yet ready
  370. # to authenticate the user. The configuration below checks for
  371. # "ok", and stops processing the "authorize" section if so.
  372. #
  373. # Any LDAP and/or SQL servers will not be queried for the
  374. # initial set of packets that go back and forth to set up
  375. # TTLS or PEAP.
  376. #
  377. # The "updated" check is commented out for compatibility with
  378. # previous versions of this configuration, but you may wish to
  379. # uncomment it as well; this will further reduce the number of
  380. # LDAP and/or SQL queries for TTLS or PEAP.
  381. #
  382. eap {
  383. ok = return
  384. # updated = return
  385. }
  386.  
  387. #
  388. # Pull crypt'd passwords from /etc/passwd or /etc/shadow,
  389. # using the system API's to get the password. If you want
  390. # to read /etc/passwd or /etc/shadow directly, see the
  391. # mods-available/passwd module.
  392. #
  393. # unix
  394.  
  395. #
  396. # Read the 'users' file. In v3, this is located in
  397. # raddb/mods-config/files/authorize
  398. files
  399.  
  400. #
  401. # Look in an SQL database. The schema of the database
  402. # is meant to mirror the "users" file.
  403. #
  404. # See "Authorization Queries" in mods-available/sql
  405. -sql
  406.  
  407. #
  408. # If you are using /etc/smbpasswd, and are also doing
  409. # mschap authentication, the un-comment this line, and
  410. # configure the 'smbpasswd' module.
  411. # smbpasswd
  412.  
  413. #
  414. # The ldap module reads passwords from the LDAP database.
  415. -ldap
  416.  
  417. #
  418. # Enforce daily limits on time spent logged in.
  419. # daily
  420.  
  421. #
  422. expiration
  423. logintime
  424.  
  425.  
  426.  
  427. # Handle multiotp authentication
  428. multiotp
  429.  
  430.  
  431. #
  432. # If no other module has claimed responsibility for
  433. # authentication, then try to use PAP. This allows the
  434. # other modules listed above to add a "known good" password
  435. # to the request, and to do nothing else. The PAP module
  436. # will then see that password, and use it to do PAP
  437. # authentication.
  438. #
  439. # This module should be listed last, so that the other modules
  440. # get a chance to set Auth-Type for themselves.
  441. #
  442. pap
  443.  
  444. #
  445. # If "status_server = yes", then Status-Server messages are passed
  446. # through the following section, and ONLY the following section.
  447. # This permits you to do DB queries, for example. If the modules
  448. # listed here return "fail", then NO response is sent.
  449. #
  450. # Autz-Type Status-Server {
  451. #
  452. # }
  453. }
  454.  
  455.  
  456. # Authentication.
  457. #
  458. #
  459. # This section lists which modules are available for authentication.
  460. # Note that it does NOT mean 'try each module in order'. It means
  461. # that a module from the 'authorize' section adds a configuration
  462. # attribute 'Auth-Type := FOO'. That authentication type is then
  463. # used to pick the appropriate module from the list below.
  464. #
  465.  
  466. # In general, you SHOULD NOT set the Auth-Type attribute. The server
  467. # will figure it out on its own, and will do the right thing. The
  468. # most common side effect of erroneously setting the Auth-Type
  469. # attribute is that one authentication method will work, but the
  470. # others will not.
  471. #
  472. # The common reasons to set the Auth-Type attribute by hand
  473. # is to either forcibly reject the user (Auth-Type := Reject),
  474. # or to or forcibly accept the user (Auth-Type := Accept).
  475. #
  476. # Note that Auth-Type := Accept will NOT work with EAP.
  477. #
  478. # Please do not put "unlang" configurations into the "authenticate"
  479. # section. Put them in the "post-auth" section instead. That's what
  480. # the post-auth section is for.
  481. #
  482. authenticate {
  483.  
  484.  
  485. Auth-Type multiotp {
  486. multiotp
  487. }
  488. Auth-Type multiotpmschap {
  489. multiotpmschap
  490. }
  491.  
  492.  
  493. #
  494. # PAP authentication, when a back-end database listed
  495. # in the 'authorize' section supplies a password. The
  496. # password can be clear-text, or encrypted.
  497. Auth-Type PAP {
  498. pap
  499. }
  500.  
  501. #
  502. # Most people want CHAP authentication
  503. # A back-end database listed in the 'authorize' section
  504. # MUST supply a CLEAR TEXT password. Encrypted passwords
  505. # won't work.
  506. Auth-Type CHAP {
  507. chap
  508. }
  509.  
  510. #
  511. # MSCHAP authentication.
  512. Auth-Type MS-CHAP {
  513. mschap
  514. }
  515.  
  516. #
  517. # For old names, too.
  518. #
  519. mschap
  520.  
  521. #
  522. # If you have a Cisco SIP server authenticating against
  523. # FreeRADIUS, uncomment the following line, and the 'digest'
  524. # line in the 'authorize' section.
  525. digest
  526.  
  527. #
  528. # Pluggable Authentication Modules.
  529. # pam
  530.  
  531. # Uncomment it if you want to use ldap for authentication
  532. #
  533. # Note that this means "check plain-text password against
  534. # the ldap database", which means that EAP won't work,
  535. # as it does not supply a plain-text password.
  536. #
  537. # We do NOT recommend using this. LDAP servers are databases.
  538. # They are NOT authentication servers. FreeRADIUS is an
  539. # authentication server, and knows what to do with authentication.
  540. # LDAP servers do not.
  541. #
  542. # Auth-Type LDAP {
  543. # ldap
  544. # }
  545.  
  546. #
  547. # Allow EAP authentication.
  548. eap
  549.  
  550. #
  551. # The older configurations sent a number of attributes in
  552. # Access-Challenge packets, which wasn't strictly correct.
  553. # If you want to filter out these attributes, uncomment
  554. # the following lines.
  555. #
  556. # Auth-Type eap {
  557. # eap {
  558. # handled = 1
  559. # }
  560. # if (handled && (Response-Packet-Type == Access-Challenge)) {
  561. # attr_filter.access_challenge.post-auth
  562. # handled # override the "updated" code from attr_filter
  563. # }
  564. # }
  565. }
  566.  
  567.  
  568. #
  569. # Pre-accounting. Decide which accounting type to use.
  570. #
  571. preacct {
  572. preprocess
  573.  
  574. #
  575. # Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets
  576. # into a single 64bit counter Acct-[Input|Output]-Octets64.
  577. #
  578. # acct_counters64
  579.  
  580. #
  581. # Session start times are *implied* in RADIUS.
  582. # The NAS never sends a "start time". Instead, it sends
  583. # a start packet, *possibly* with an Acct-Delay-Time.
  584. # The server is supposed to conclude that the start time
  585. # was "Acct-Delay-Time" seconds in the past.
  586. #
  587. # The code below creates an explicit start time, which can
  588. # then be used in other modules. It will be *mostly* correct.
  589. # Any errors are due to the 1-second resolution of RADIUS,
  590. # and the possibility that the time on the NAS may be off.
  591. #
  592. # The start time is: NOW - delay - session_length
  593. #
  594.  
  595. # update request {
  596. # FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
  597. # }
  598.  
  599.  
  600. #
  601. # Ensure that we have a semi-unique identifier for every
  602. # request, and many NAS boxes are broken.
  603. acct_unique
  604.  
  605. #
  606. # Look for IPASS-style 'realm/', and if not found, look for
  607. # '@realm', and decide whether or not to proxy, based on
  608. # that.
  609. #
  610. # Accounting requests are generally proxied to the same
  611. # home server as authentication requests.
  612. # IPASS
  613. suffix
  614. # ntdomain
  615.  
  616. #
  617. # Read the 'acct_users' file
  618. files
  619. }
  620.  
  621. #
  622. # Accounting. Log the accounting data.
  623. #
  624. accounting {
  625. # Update accounting packet by adding the CUI attribute
  626. # recorded from the corresponding Access-Accept
  627. # use it only if your NAS boxes do not support CUI themselves
  628. # cui
  629. #
  630. # Create a 'detail'ed log of the packets.
  631. # Note that accounting requests which are proxied
  632. # are also logged in the detail file.
  633. detail
  634. # daily
  635.  
  636. # Update the wtmp file
  637. #
  638. # If you don't use "radlast", you can delete this line.
  639. unix
  640.  
  641. #
  642. # For Simultaneous-Use tracking.
  643. #
  644. # Due to packet losses in the network, the data here
  645. # may be incorrect. There is little we can do about it.
  646. # radutmp
  647. # sradutmp
  648.  
  649. # Return an address to the IP Pool when we see a stop record.
  650. # main_pool
  651.  
  652. #
  653. # Log traffic to an SQL database.
  654. #
  655. # See "Accounting queries" in mods-available/sql
  656. -sql
  657.  
  658. #
  659. # If you receive stop packets with zero session length,
  660. # they will NOT be logged in the database. The SQL module
  661. # will print a message (only in debugging mode), and will
  662. # return "noop".
  663. #
  664. # You can ignore these packets by uncommenting the following
  665. # three lines. Otherwise, the server will not respond to the
  666. # accounting request, and the NAS will retransmit.
  667. #
  668. # if (noop) {
  669. # ok
  670. # }
  671.  
  672. #
  673. # Instead of sending the query to the SQL server,
  674. # write it into a log file.
  675. #
  676. # sql_log
  677.  
  678. # Cisco VoIP specific bulk accounting
  679. # pgsql-voip
  680.  
  681. # For Exec-Program and Exec-Program-Wait
  682. exec
  683.  
  684. # Filter attributes from the accounting response.
  685. attr_filter.accounting_response
  686.  
  687. #
  688. # See "Autz-Type Status-Server" for how this works.
  689. #
  690. # Acct-Type Status-Server {
  691. #
  692. # }
  693. }
  694.  
  695.  
  696. # Session database, used for checking Simultaneous-Use. Either the radutmp
  697. # or rlm_sql module can handle this.
  698. # The rlm_sql module is *much* faster
  699. session {
  700. # radutmp
  701.  
  702. #
  703. # See "Simultaneous Use Checking Queries" in mods-available/sql
  704. # sql
  705. }
  706.  
  707.  
  708. # Post-Authentication
  709. # Once we KNOW that the user has been authenticated, there are
  710. # additional steps we can take.
  711. post-auth {
  712. #
  713. # If you need to have a State attribute, you can
  714. # add it here. e.g. for later CoA-Request with
  715. # State, and Service-Type = Authorize-Only.
  716. #
  717. # if (!&reply:State) {
  718. # update reply {
  719. # State := "0x%{randstr:16h}"
  720. # }
  721. # }
  722.  
  723. #
  724. # For EAP-TTLS and PEAP, add the cached attributes to the reply.
  725. # The "session-state" attributes are automatically cached when
  726. # an Access-Challenge is sent, and automatically retrieved
  727. # when an Access-Request is received.
  728. #
  729. # The session-state attributes are automatically deleted after
  730. # an Access-Reject or Access-Accept is sent.
  731. #
  732. update {
  733. &reply: += &session-state:
  734. }
  735.  
  736. # Get an address from the IP Pool.
  737. # main_pool
  738.  
  739.  
  740. # Create the CUI value and add the attribute to Access-Accept.
  741. # Uncomment the line below if *returning* the CUI.
  742. # cui
  743.  
  744. #
  745. # If you want to have a log of authentication replies,
  746. # un-comment the following line, and enable the
  747. # 'detail reply_log' module.
  748. # reply_log
  749.  
  750. #
  751. # After authenticating the user, do another SQL query.
  752. #
  753. # See "Authentication Logging Queries" in mods-available/sql
  754. -sql
  755.  
  756. #
  757. # Instead of sending the query to the SQL server,
  758. # write it into a log file.
  759. #
  760. # sql_log
  761.  
  762. #
  763. # Un-comment the following if you want to modify the user's object
  764. # in LDAP after a successful login.
  765. #
  766. # ldap
  767.  
  768. # For Exec-Program and Exec-Program-Wait
  769. exec
  770.  
  771. #
  772. # Calculate the various WiMAX keys. In order for this to work,
  773. # you will need to define the WiMAX NAI, usually via
  774. #
  775. # update request {
  776. # WiMAX-MN-NAI = "%{User-Name}"
  777. # }
  778. #
  779. # If you want various keys to be calculated, you will need to
  780. # update the reply with "template" values. The module will see
  781. # this, and replace the template values with the correct ones
  782. # taken from the cryptographic calculations. e.g.
  783. #
  784. # update reply {
  785. # WiMAX-FA-RK-Key = 0x00
  786. # WiMAX-MSK = "%{EAP-MSK}"
  787. # }
  788. #
  789. # You may want to delete the MS-MPPE-*-Keys from the reply,
  790. # as some WiMAX clients behave badly when those attributes
  791. # are included. See "raddb/modules/wimax", configuration
  792. # entry "delete_mppe_keys" for more information.
  793. #
  794. # wimax
  795.  
  796.  
  797. # If there is a client certificate (EAP-TLS, sometimes PEAP
  798. # and TTLS), then some attributes are filled out after the
  799. # certificate verification has been performed. These fields
  800. # MAY be available during the authentication, or they may be
  801. # available only in the "post-auth" section.
  802. #
  803. # The first set of attributes contains information about the
  804. # issuing certificate which is being used. The second
  805. # contains information about the client certificate (if
  806. # available).
  807. #
  808. # update reply {
  809. # Reply-Message += "%{TLS-Cert-Serial}"
  810. # Reply-Message += "%{TLS-Cert-Expiration}"
  811. # Reply-Message += "%{TLS-Cert-Subject}"
  812. # Reply-Message += "%{TLS-Cert-Issuer}"
  813. # Reply-Message += "%{TLS-Cert-Common-Name}"
  814. # Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
  815. #
  816. # Reply-Message += "%{TLS-Client-Cert-Serial}"
  817. # Reply-Message += "%{TLS-Client-Cert-Expiration}"
  818. # Reply-Message += "%{TLS-Client-Cert-Subject}"
  819. # Reply-Message += "%{TLS-Client-Cert-Issuer}"
  820. # Reply-Message += "%{TLS-Client-Cert-Common-Name}"
  821. # Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
  822. # }
  823.  
  824. # Insert class attribute (with unique value) into response,
  825. # aids matching auth and acct records, and protects against duplicate
  826. # Acct-Session-Id. Note: Only works if the NAS has implemented
  827. # RFC 2865 behaviour for the class attribute, AND if the NAS
  828. # supports long Class attributes. Many older or cheap NASes
  829. # only support 16-octet Class attributes.
  830. # insert_acct_class
  831.  
  832. # MacSEC requires the use of EAP-Key-Name. However, we don't
  833. # want to send it for all EAP sessions. Therefore, the EAP
  834. # modules put required data into the EAP-Session-Id attribute.
  835. # This attribute is never put into a request or reply packet.
  836. #
  837. # Uncomment the next few lines to copy the required data into
  838. # the EAP-Key-Name attribute
  839. # if (&reply:EAP-Session-Id) {
  840. # update reply {
  841. # EAP-Key-Name := &reply:EAP-Session-Id
  842. # }
  843. # }
  844.  
  845. # Remove reply message if the response contains an EAP-Message
  846. remove_reply_message_if_eap
  847.  
  848. #
  849. # Access-Reject packets are sent through the REJECT sub-section of the
  850. # post-auth section.
  851. #
  852. # Add the ldap module name (or instance) if you have set
  853. # 'edir_account_policy_check = yes' in the ldap module configuration
  854. #
  855. # The "session-state" attributes are not available here.
  856. #
  857. Post-Auth-Type REJECT {
  858. # log failed authentications in SQL, too.
  859. -sql
  860. attr_filter.access_reject
  861.  
  862. # Insert EAP-Failure message if the request was
  863. # rejected by policy instead of because of an
  864. # authentication failure
  865. eap
  866.  
  867. # Remove reply message if the response contains an EAP-Message
  868. remove_reply_message_if_eap
  869. }
  870.  
  871. #
  872. # Filter access challenges.
  873. #
  874. Post-Auth-Type Challenge {
  875. # remove_reply_message_if_eap
  876. # attr_filter.access_challenge.post-auth
  877. }
  878.  
  879. }
  880.  
  881. #
  882. # When the server decides to proxy a request to a home server,
  883. # the proxied request is first passed through the pre-proxy
  884. # stage. This stage can re-write the request, or decide to
  885. # cancel the proxy.
  886. #
  887. # Only a few modules currently have this method.
  888. #
  889. pre-proxy {
  890. # Before proxing the request add an Operator-Name attribute identifying
  891. # if the operator-name is found for this client.
  892. # No need to uncomment this if you have already enabled this in
  893. # the authorize section.
  894. # operator-name
  895.  
  896. # The client requests the CUI by sending a CUI attribute
  897. # containing one zero byte.
  898. # Uncomment the line below if *requesting* the CUI.
  899. # cui
  900.  
  901. # Uncomment the following line if you want to change attributes
  902. # as defined in the preproxy_users file.
  903. # files
  904.  
  905. # Uncomment the following line if you want to filter requests
  906. # sent to remote servers based on the rules defined in the
  907. # 'attrs.pre-proxy' file.
  908. # attr_filter.pre-proxy
  909.  
  910. # If you want to have a log of packets proxied to a home
  911. # server, un-comment the following line, and the
  912. # 'detail pre_proxy_log' section, above.
  913. # pre_proxy_log
  914. }
  915.  
  916. #
  917. # When the server receives a reply to a request it proxied
  918. # to a home server, the request may be massaged here, in the
  919. # post-proxy stage.
  920. #
  921. post-proxy {
  922.  
  923. # If you want to have a log of replies from a home server,
  924. # un-comment the following line, and the 'detail post_proxy_log'
  925. # section, above.
  926. # post_proxy_log
  927.  
  928. # Uncomment the following line if you want to filter replies from
  929. # remote proxies based on the rules defined in the 'attrs' file.
  930. # attr_filter.post-proxy
  931.  
  932. #
  933. # If you are proxying LEAP, you MUST configure the EAP
  934. # module, and you MUST list it here, in the post-proxy
  935. # stage.
  936. #
  937. # You MUST also use the 'nostrip' option in the 'realm'
  938. # configuration. Otherwise, the User-Name attribute
  939. # in the proxied request will not match the user name
  940. # hidden inside of the EAP packet, and the end server will
  941. # reject the EAP request.
  942. #
  943. eap
  944.  
  945. #
  946. # If the server tries to proxy a request and fails, then the
  947. # request is processed through the modules in this section.
  948. #
  949. # The main use of this section is to permit robust proxying
  950. # of accounting packets. The server can be configured to
  951. # proxy accounting packets as part of normal processing.
  952. # Then, if the home server goes down, accounting packets can
  953. # be logged to a local "detail" file, for processing with
  954. # radrelay. When the home server comes back up, radrelay
  955. # will read the detail file, and send the packets to the
  956. # home server.
  957. #
  958. # With this configuration, the server always responds to
  959. # Accounting-Requests from the NAS, but only writes
  960. # accounting packets to disk if the home server is down.
  961. #
  962. # Post-Proxy-Type Fail-Accounting {
  963. # detail
  964. # }
  965. }
  966. }
Advertisement
RAW Paste Data Copied
Advertisement