2 # This file contains the configuration for experimental modules.
4 # By default, it is NOT included in the build.
9 # Configuration for the Python module.
11 # Where radiusd is a Python module, radiusd.py, and the
12 # function 'authorize' is called. Here is a dummy piece
15 # def authorize(params):
17 # return (5, ('Reply-Message', 'banned'))
19 # The RADIUS value-pairs are passed as a tuple of tuple
20 # pairs as the first argument, e.g. (('attribute1',
21 # 'value1'), ('attribute2', 'value2'))
23 # The function return is a tuple with the first element
24 # being the return value of the function.
25 # The 5 corresponds to RLM_MODULE_USERLOCK. I plan to
26 # write the return values as Python symbols to avoid
29 # The remaining tuple members are the string form of
30 # value-pairs which are passed on to pairmake().
33 mod_instantiate = radiusd_test
34 func_instantiate = instantiate
36 mod_authorize = radiusd_test
37 func_authorize = authorize
39 mod_accounting = radiusd_test
40 func_accounting = accounting
42 mod_pre_proxy = radiusd_test
43 func_pre_proxy = pre_proxy
45 mod_post_proxy = radiusd_test
46 func_post_proxy = post_proxy
48 mod_post_auth = radiusd_test
49 func_post_auth = post_auth
51 mod_recv_coa = radiusd_test
52 func_recv_coa = recv_coa
54 mod_send_coa = radiusd_test
55 func_send_coa = send_coa
57 mod_detach = radiusd_test
62 # Configuration for the example module. Uncommenting it will cause it
63 # to get loaded and initialized, but should have no real effect as long
64 # it is not referenced in one of the autz/auth/preacct/acct sections
67 # allowed values: {no, yes}
70 # An integer, of any value.
74 string = "This is an example configuration string"
76 # An IP address, either in dotted quad (1.2.3.4) or hostname
85 string = "This is a different string"
91 # To create a dbm users file, do:
93 # cat test.users | rlm_dbm_parser -f /etc/raddb/users_db
95 # Then add 'dbm' in 'authorize' section.
97 # Note that even if the file has a ".db" or ".dbm" extension,
98 # you may have to specify it here without that extension. This
99 # is because the DBM libraries "helpfully" add a ".db" to the
100 # filename, but don't check if it's already there.
103 usersfile = ${confdir}/users_db
106 # See doc/rlm_fastusers before using this
107 # module or changing these values.
110 usersfile = ${confdir}/users_fast
113 # Reload the hash every 600 seconds (10 minutes)
117 # Another implementation of the EAP module.
119 # This module requires the libeap.so file from the hostap
120 # software (http://hostap.epitest.fi/hostapd/). It has been
121 # tested on the development version of hostapd (0.6.1) ONLY.
123 # In order to use it, you MUST build a "libeap.so" in hostapd,
124 # which is not done by default.
126 # You MUST also edit the file: src/modules/rlm_eap2/Makefile
127 # to point to the location of the hostap include files.
129 # This module CANNOT be used in the same way as the current
130 # FreeRADIUS "eap" module. There is NO way to look inside of
131 # a tunneled request. There is NO way to proxy a tunneled
132 # request. There is NO way to even look at the user name inside
133 # of the tunneled request. There is NO way to control the
134 # choice of EAP types inside of the tunnel. You MUST force
135 # the server to choose "eap2" for authentication, because this
136 # module has no "authorize" section.
138 # If you want to use this module for experimentation, please
139 # post your comments to the freeradius-devel list:
141 # http://lists.freeradius.org/mailman/listinfo/freeradius-devel
143 # If you want to use this module in a production (i.e. real-world)
146 # !!! DO NOT USE IT IN A PRODUCTION ENVIRONMENT !!!
148 # The module needs additional work to make it ready for
149 # production use. Please supply patches, or sponsor the
150 # work by hiring a developer. Do NOT ask when the work will
151 # be done, because there is no plan to finish this module
152 # unless there is demand for it.
155 # EAP types are chosen in the order that they are
156 # listed in this section. There is no "default_eap_type"
157 # as with rlm_eap. Instead, the *first* EAP type is
158 # used as the default type.
166 # This is the ONLY EAP type that has any configuration.
167 # All other EAP types have no configuration.
170 ca_cert = ${confdir}/certs/ca.pem
171 server_cert = ${confdir}/certs/server.pem
172 private_key_file = ${confdir}/certs/server.pem
173 private_key_password = whatever
177 # These next two methods do not supply keying material.
186 pac_opaque_encr_key = 000102030405060708090a0b0c0d0e0f
187 eap_fast_a_id = xxxxxx
188 eap_fast_a_id_info = my_server
190 pac_key_lifetime = 604800 # 7 days
191 pac_key_refresh_tim = 86400
194 # LEAP is NOT supported by this module.
195 # Use the "eap" module instead.
197 # For other methods that MIGHT work, see the
198 # configuration of hostap. The methods are statically
199 # linked in at compile time, and cannot be controlled
203 # Configuration for experimental EAP types. The sub-sections
204 # can be copied into eap.conf.
209 # Allowed values are:
210 # cert - for certificate based server authentication,
211 # other required settings for this type are
212 # 'private_key_file' and 'certificate_file'
213 # secret - for shared secret based server authentication,
214 # the other required setting for this type is 'id'
215 # Default value of this option is 'secret'
216 # server_authtype=cert
218 # Allowed default client auth types
219 # Allowed values are:
220 # secret - for shared secret based client authentication
221 # cert - for certificate based client authentication
222 # both - shared secret and certificate are both allowed
223 # none - authentication will always fail
224 # Default value for this option is 'both'. This option could
225 # be overridden in the 'usersfile' file by EAP-IKEv2-Auth
227 # default_authtype = both
229 # path to trusted CA certificate file
230 CA_file="/path/to/CA/cacert.pem"
232 # path to the CRL file; if not set, there will be no
234 # crl_file="/path/to/crl.pem"
236 # path to file with user settings
238 # Note that this file is read ONLY on module initialization!
240 # default ${confdir}/eap_ikev2_users
241 # usersfile=${confdir}/eap_ikev2_users
244 # Sample "eap_ikev2_users" file entry:
246 #username EAP-IKEv2-IDType := KEY_ID, EAP-IKEv2-Secret := "tajne"
249 ## username - client user name from IKE-AUTH (IDr) or CommonName
250 ## from x509 certificate
251 ## EAP-IKEv2-IDType - ID Type - same as in expected IDType payload
252 ## allowed values for EAP-IKEv2-IDType:
253 ## IPV4_ADDR FQDN RFC822_ADDR IPV6_ADDR DER_ASN1_DN
254 ## DER_ASN1_GN KEY_ID
255 ## EAP-IKEv2-Secret - shared secret
256 ## EAP-IKEv2-AuthType - optional parameter which defines expected client auth
257 ## type. Allowed values are: secret,cert,both,none.
258 ## For the meaning of these values, please see the
259 ## description of 'default_authtype'.
260 ## This attribute can override the 'default_authtype' value.
264 # path to file with server private key
265 private_key_file="/path/to/srv-private-key.pem"
267 # password for the private key file (stored here in clear text)
268 private_key_password="passwd"
270 # path to file with server certificate
271 certificate_file="/path/to/srv-cert.pem"
273 # server identity string
276 # Server identity type. Allowed values are:
277 # IPV4_ADDR, FQDN, RFC822_ADDR, IPV6_ADDR, ASN1_DN, ASN1_GN,
279 # Default value is: KEY_ID
283 # MTU (default: 1398)
284 # fragment_size = 1398
286 # maximum allowed number of SA_INIT resends after receiving
287 # 'invalid KEY' notification (default 3)
290 # option which controls whether to send CERT REQ
292 # Allowed values for this option are "yes" or "no".
293 # Default value is "no".
296 # option which controls the fast reconnect capability.
297 # Allowed values for this option are "yes" or "no".
298 # Default value is "yes".
299 # enable_fast_reauth = "no"
301 # option which controls whether a DH exchange is performed
302 # during a fast rekeying protocol run.
303 # Allowed values for this option are "yes" or "no".
304 # Default value is "no"
305 # fast_DH_exchange = "yes"
307 # Option which sets the expiration time of inactive
309 # After selected period of time (in seconds), inactive
310 # session data will be deleted.
311 # Default value of this option is set to 900 seconds
312 # fast_timer_expire = 900
314 # list of server proposals of available cryptographic
320 # Supported transforms types: encryption,
321 # prf, integrity, dhgroup. For multiple
322 # transforms, simply repeat the key (i.e.
325 # encryption algorithm
326 # supported algorithms:
327 # null,3des,aes_128_cbc,aes_192_cbc,
329 # blowfish:n, where n ranges from 8 to 448 bits,
331 # cast:n, where n ranges from 40 to 128 bits,
335 # pseudo random function. Supported prf's:
336 # hmac_md5, hmac_sha1, hmac_tiger
339 # integrity algorithm. Supported algorithms:
340 # hmac_md5_96, hmac_sha1_96,des_mac
341 integrity = hmac_sha1_96
342 integrity = hmac_md5_96
344 # Diffie-Hellman groups:
345 # modp768, modp1024, modp1536, modp2048,
346 # modp3072, modp4096, modp6144, modp8192
354 integrity = hmac_md5_96
362 integrity=hmac_md5_96