2 # This file contains the configuration for experimental modules.
4 # By default, it is NOT included in the build.
9 # Configuration for the Python module.
11 # Where radiusd is a Python module, radiusd.py, and the
12 # function 'authorize' is called. Here is a dummy piece
15 # def authorize(params):
17 # return (5, ('Reply-Message', 'banned'))
19 # The RADIUS value-pairs are passed as a tuple of tuple
20 # pairs as the first argument, e.g. (('attribute1',
21 # 'value1'), ('attribute2', 'value2'))
23 # The function return is a tuple with the first element
24 # being the return value of the function.
25 # The 5 corresponds to RLM_MODULE_USERLOCK. I plan to
26 # write the return values as Python symbols to avoid
29 # The remaining tuple members are the string form of
30 # value-pairs which are passed on to pairmake().
33 mod_instantiate = radiusd_test
34 func_instantiate = instantiate
36 mod_authorize = radiusd_test
37 func_authorize = authorize
39 mod_accounting = radiusd_test
40 func_accounting = accounting
42 mod_preacct = radiusd_test
43 func_preacct = preacct
45 mod_detach = radiusd_test
50 # Configuration for the example module. Uncommenting it will cause it
51 # to get loaded and initialized, but should have no real effect as long
52 # it is not referencened in one of the autz/auth/preacct/acct sections
55 # allowed values: {no, yes}
58 # An integer, of any value.
62 string = "This is an example configuration string"
64 # An IP address, either in dotted quad (1.2.3.4) or hostname
73 string = "This is a different string"
79 # This module is an SQL enabled version of the counter module.
81 # Rather than maintaining seperate (GDBM) databases of
82 # accounting info for each counter, this module uses the data
83 # stored in the raddacct table by the sql modules. This
84 # module NEVER does any database INSERTs or UPDATEs. It is
85 # totally dependent on the SQL module to process Accounting
88 # The 'sqlmod_inst' parameter holds the instance of the sql
89 # module to use when querying the SQL database. Normally it
90 # is just "sql". If you define more and one SQL module
91 # instance (usually for failover situations), you can
92 # specify which module has access to the Accounting Data
95 # The 'reset' parameter defines when the counters are all
96 # reset to zero. It can be hourly, daily, weekly, monthly or
97 # never. It can also be user defined. It should be of the
100 # h: hours, d: days, w: weeks, m: months
101 # If the letter is ommited days will be assumed. In example:
102 # reset = 10h (reset every 10 hours)
103 # reset = 12 (reset every 12 days)
105 # The 'key' parameter specifies the unique identifier for the
106 # counter records (usually 'User-Name').
108 # The 'query' parameter specifies the SQL query used to get
109 # the current Counter value from the database. There are 3
110 # parameters that can be used in the query:
112 # %b unix time value of beginning of reset period
113 # %e unix time value of end of reset period
116 # The 'check-name' parameter is the name of the 'check'
117 # attribute to use to access the counter in the 'users' file
118 # or SQL radcheck or radcheckgroup tables.
120 # DEFAULT Max-Daily-Session > 3600, Auth-Type = Reject
121 # Reply-Message = "You've used up more than one hour today"
123 sqlcounter dailycounter {
124 counter-name = Daily-Session-Time
125 check-name = Max-Daily-Session
126 sqlmod-inst = sqlcca3
130 # This query properly handles calls that span from the
131 # previous reset period into the current period but
132 # involves more work for the SQL server than those
134 query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
136 # This query ignores calls that started in a previous
137 # reset period and continue into into this one. But it
138 # is a little easier on the SQL server
139 # query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"
141 # This query is the same as above, but demonstrates an
142 # additional counter parameter '%e' which is the
143 # timestamp for the end of the period
144 # query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}' AND AcctStartTime BETWEEN FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"
147 sqlcounter monthlycounter {
148 counter-name = Monthly-Session-Time
149 check-name = Max-Monthly-Session
150 sqlmod-inst = sqlcca3
154 # This query properly handles calls that span from the
155 # previous reset period into the current period but
156 # involves more work for the SQL server than those
158 query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
160 # This query ignores calls that started in a previous
161 # reset period and continue into into this one. But it
162 # is a little easier on the SQL server
163 # query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"
165 # This query is the same as above, but demonstrates an
166 # additional counter parameter '%e' which is the
167 # timestamp for the end of the period
168 # query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}' AND AcctStartTime BETWEEN FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"
171 # Do server side ip pool management. Should be added in post-auth and
172 # accounting sections.
174 ## This module is highly experimental at the moment. Please
175 ## give feedback on the mailing list.
177 # The module also requires the existance of the Pool-Name
178 # attribute. That way the administrator can add the Pool-Name
179 # attribute in the user profiles and use different pools
180 # for different users. The Pool-Name attribute is a *check* item not
184 # radiusd.conf: ippool students { [...] }
185 # users file : DEFAULT Group == students, Pool-Name := "students"
187 # ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST THEN ERASE THE DB FILES *******
191 # range-start,range-stop: The start and end ip
192 # addresses for the ip pool
193 range-start = 192.168.1.1
194 range-stop = 192.168.3.254
196 # netmask: The network mask used for the ip's
197 netmask = 255.255.255.0
199 # cache-size: The gdbm cache size for the db
200 # files. Should be equal to the number of ip's
201 # available in the ip pool
204 # session-db: The main db file used to allocate ip's to clients
205 session-db = ${raddbdir}/db.ippool
207 # ip-index: Helper db index file used in multilink
208 ip-index = ${raddbdir}/db.ipindex
211 # To create a dbm users file, do:
213 # cat test.users | rlm_dbm_parser -f /etc/raddb/users_db
215 # Then add 'dbm' in 'authorize' section.
217 # Note that even if the file has a ".db" or ".dbm" extension,
218 # you may have to specify it here without that extension. This
219 # is because the DBM libraries "helpfully" add a ".db" to the
220 # filename, but don't check if it's already there.
223 usersfile = ${raddbdir}/users_db
227 # Persistent, embedded Perl interpreter.
231 # The Perl script to execute on authorize, authenticate,
232 # accounting, xlat, etc. This is very similar to using
233 # Exec-Program-Wait = "/path/foo.pl", but it is persistent,
234 # and therefore faster.
236 module = /path/to/your/perl_program
239 # The following hashes are given to the module and
240 # filled with value-pairs (Attribute names and values)
242 # %RAD_REPLY Attributes to go into the reply
243 # %RAD_REQUEST Attributes from the request
244 # %RAD_CHECK Check items
246 # Only the %RAD_REPLY hash can be modified.
247 # All of the other hashes are read only.
249 # The return codes from functions in the perl_script
250 # are passed directly back to the server. These
251 # codes are defined in doc/configurable_failover,
252 # src/include/modules.h (RLM_MODULE_REJECT, etc),
253 # and are pre-defined in the 'example.pl' program
256 func_accounting = accounting
257 func_authentication = authenticate
258 func_preacct = preacct
259 func_checksimul = checksimul
264 # The digest module. It doesn't take any configuration
265 # parameters, but it does require a configuration section,
266 # otherwise the parser complains.
270 # See '../doc/rfc/draft-sterman-aaa-sip-00.txt' for details
271 # on performing digest authentication for Cisco SIP servers.
277 # Perform NT-Domain authentication. This only works
278 # with PAP authentication. That is, Authentication-Request
279 # packets containing a User-Password attribute.
281 # To use it, add 'smb' into the 'authenticate' section,
282 # and then in another module (usually the 'users' file),
283 # set 'Auth-Type := SMB'
286 server = ntdomain.server.example.com
287 backup = backup.server.example.com
291 # See doc/rlm_fastusers before using this
292 # module or changing these values.
295 usersfile = ${confdir}/users_fast
298 # Reload the hash every 600 seconds (10mins)
302 # A simple value checking module
304 # It can be used to check if an attribute value in the request
305 # matches a (possibly multi valued) attribute in the check
306 # items This can be used for example for caller-id
307 # authentication. For the module to run, both the request
308 # attribute and the check items attribute must exist
311 # A user has an ldap entry with 2 radiusCallingStationId
312 # attributes with values "12345678" and "12345679". If we
313 # enable rlm_checkval, then any request which contains a
314 # Calling-Station-Id with one of those two values will be
315 # accepted. Requests with other values for
316 # Calling-Station-Id will be rejected.
318 # Regular expressions in the check attribute value are allowed
319 # as long as the operator is '=~'
322 # The attribute to look for in the request
323 item-name = Calling-Station-Id
325 # The attribute to look for in check items. Can be multi valued
326 check-name = Calling-Station-Id
328 # The data type. Can be
329 # string,integer,ipaddr,date,abinary,octets
334 # Execute external programs
336 # The first example is useful only for 'xlat'. To use it,
337 # put 'exec' into the 'instantiate' section. You can then
338 # do dynamic translation of attributes like:
340 # Attribute-Name = `{%exec:/path/to/program args}`
342 # The value of the attribute will be replaced with the output
343 # of the program which is executed. Due to RADIUS protocol
344 # limitations, any output over 253 bytes will be ignored.
346 # The RADIUS attributes from the user request will be placed
347 # into environment variables of the executed program, as
348 # described in 'doc/variables.txt'
352 input_pairs = request
356 # This is a more general example of the execute module.
358 # If you wish to execute an external program in more than
359 # one section (e.g. 'authorize', 'pre_proxy', etc), then it
360 # is probably best to define a different instance of the
361 # 'exec' module for every section.
365 # Wait for the program to finish.
367 # If we do NOT wait, then the program is "fire and
368 # forget", and any output attributes from it are ignored.
370 # If we are looking for the program to output
371 # attributes, and want to add those attributes to the
372 # request, then we MUST wait for the program to
373 # finish, and therefore set 'wait=yes'
375 # allowed values: {no, yes}
379 # The name of the program to execute, and it's
380 # arguments. Dynamic translation is done on this
381 # field, so things like the following example will
384 program = "/bin/echo %{User-Name}"
387 # The attributes which are placed into the
388 # environment variables for the program.
390 # Allowed values are:
392 # request attributes from the request
393 # reply attributes from the reply
394 # proxy-request attributes from the proxy request
395 # proxy-reply attributes from the proxy reply
397 # Note that some attributes may not exist at some
398 # stages. e.g. There may be no proxy-reply
399 # attributes if this module is used in the
400 # 'authorize' section.
402 input_pairs = request
405 # Where to place the output attributes (if any) from
406 # the executed program. The values allowed, and the
407 # restrictions as to availability, are the same as
408 # for the input_pairs.
projects / freeradius.git / blob