2 ## radiusd.conf -- FreeRADIUS server configuration file.
4 ## http://www.freeradius.org/
8 # The location of other config files and
9 # logfiles are declared in this file
11 # Also general configuration for modules can be done
12 # in this file, it is exported through the API to
13 # modules that ask for it.
17 # Location of config and logfiles.
# Accounting directory (judging by the name), built from ${log_dir};
# log_dir itself is set on a line not shown in this excerpt.
# NOTE(review): accounting records identify users and sessions, so this
# directory presumably should be readable by the server account only.
# Confirm against the deployment's log permissions.
22 acct_dir = ${log_dir}/radacct
26 # pidfile: Where to place the PID of the RADIUS server.
28 # The server may be signalled while it's running by using this
31 # e.g.: kill -HUP `cat /var/run/radiusd.pid`
# The path expands from ${run_dir}, which is defined outside this excerpt.
# Keep the file and its directory writable by the server's account only:
# the kill example above signals whatever PID the file contains.
33 pidfile = ${run_dir}/radiusd.pid
36 # max_request_time: The maximum time (in seconds) to handle a request.
38 # Requests which take more time to process than this are killed, and
39 # a REJECT message is returned.
44 # cleanup_delay: The time to wait (in seconds) before cleaning up
45 # a reply which was already sent to the NAS. If it is set too low,
46 # then duplicate requests from the NAS MAY NOT be detected,
47 # and will instead be handled as separate requests.
52 # max_requests: The maximum number of requests which the server keeps
53 # track of. This should be 256 multiplied by the number of clients.
54 # e.g. With 4 clients, this number should be 1024.
56 # If this number is too low, then when the server becomes busy,
57 # it will not respond to any new requests, until the 'cleanup_delay'
58 # time has passed, and it has removed the old requests.
60 # If this number is set too high, then the server will use a bit more
61 # memory for no real benefit.
63 # If you aren't sure what it should be set to, it's better to set it
64 # too high than too low. Setting it to 1000 per client is probably
65 # the highest it should be.
70 # bind_address: Make the server listen on a particular IP address, and
71 # send replies out from that address. This directive is most useful
72 # for machines with multiple IP addresses on one interface.
74 # It can either contain "*", or an IP address, or a fully qualified
75 # Internet domain name. The default is "*"
80 # port: Allows you to bind FreeRADIUS to a specific port.
82 # The default port that most NAS boxes use is 1645, which is historical.
83 # RFC 2138 defines 1812 to be the new port. Many new servers and
84 # NAS boxes use 1812, which can create interoperability problems.
86 # The port is defined here to be 1645, for backwards compatibility.
87 # It is commented out so that the server will pick up the machine's
88 # local configuration for the radius port, as defined in /etc/services.
90 # If you want to use the default RADIUS port as defined on your server,
91 # (usually through 'grep radius /etc/services') set this to 0 (zero).
93 # A port given on the command-line via '-p' over-rides this one.
98 # Where the utmp and wtmp style log files go.
# NOTE(review): utmpfile and wtmpfile both resolve to ${log_dir}/radutmp.
# The commented realm example later in this file uses radutmp.isp2 and
# radwtmp.isp2, so radwtmp may have been intended for wtmpfile. Confirm
# before relying on the wtmp-style history.
100 utmpfile = ${log_dir}/radutmp
101 wtmpfile = ${log_dir}/radutmp
104 # Each NAS may be given its own 'detail' directory.
# %n is left for the server to expand; given the comment above it
# presumably becomes a per-NAS directory name (confirm in the server docs).
# The path is spelled out rather than built from ${acct_dir}, so it does
# not follow a change to log_dir.
106 detailfile = /var/log/radacct/%n/detail
109 # Which program to execute when doing concurrency checks.
# Absolute path to the helper named in the comment above.
# The server executes this file, so it and its parent directories should
# be writable by root only.
111 checkrad = /usr/local/sbin/checkrad
114 # Core dumps are a bad thing. This should only be set to 'yes'
115 # if you're debugging a problem with the server.
117 # allowed values: {no, yes}
# Left at 'no': a core file is a copy of the server's memory, which can
# include client shared secrets and user passwords that were being
# processed when the dump was taken.
119 allow_core_dumps = no
122 # Log the full User-Name attribute, as it was found in the request.
124 # allowed values: {no, yes}
# 'no' here, so the logging described above is off.
# The User-Name value is supplied by the remote end before authentication;
# anything that reads the log should treat it as untrusted text.
126 log_stripped_names = no
129 # Log authentication requests to the log file.
131 # allowed values: {no, yes}
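136 # Log passwords with the authentication requests. Any password written
# to the log can be read by everyone who can read the log file, so leave
# this off outside short debugging sessions.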
138 # allowed values: {no, yes}
143 # proxy_requests: Turns proxying of RADIUS requests on or off.
145 # The server has proxying turned on by default. If your system is NOT
146 # set up to proxy requests to another server, then you can turn proxying
147 # off here. This will save a small amount of resources on the server.
149 # If you have proxying turned off, and your configuration files say
150 # to proxy a request, then an error message will be logged.
152 # allowed values: {no, yes}
156 #######################################################################
158 # Proxy server configuration
160 # This entry controls the server's behaviour towards ALL other servers
161 # to which it sends proxy requests.
166 # If the NAS re-sends the request to us, we can immediately re-send
167 # the proxy request to the end server. To do so, use 'yes' here.
169 # If this is set to 'no', then we send the retries on our own schedule,
170 # and ignore any duplicate NAS requests.
172 # If you want to have the server send proxy retries ONLY when the NAS
173 # sends its retries to the server, then set this to 'yes', and
174 # set the other proxy configuration parameters to 0 (zero).
179 # The time (in seconds) to wait for a response from the proxy, before
180 # re-sending the proxied request.
182 # If this time is set too high, then the NAS may re-send the request,
183 # or it may give up entirely, and reject the user.
185 # If it is set too low, then the RADIUS server which receives the proxy
186 # request will get kicked unnecessarily.
191 # The number of retries to send before giving up, and sending a reject
192 # message to the NAS.
197 #######################################################################
199 # Thread pool configuration.
201 # The thread pool is a long-lived group of threads which
202 # take turns (round-robin) handling any incoming requests.
205 # You probably also want to have a few spare threads around,
206 # so that high-load situations can be handled immediately. If you
207 # don't have any spare threads, then the request handling will
208 # be delayed while a new thread is created, and added to the pool.
210 # You probably don't want too many spare threads around,
211 # otherwise they'll be sitting there taking up resources, and
212 # not doing anything productive.
214 # The numbers given below should be adequate for most situations.
219 # Number of servers to start initially --- should be a reasonable ballpark
225 # Limit on the total number of servers running.
227 # If this limit is ever reached, clients will be LOCKED OUT, so it
228 # should NOT BE SET TOO LOW. It is intended mainly as a brake to
229 # keep a runaway server from taking the system with it as it spirals
235 # Server-pool size regulation. Rather than making you guess how many
236 # servers you need, FreeRADIUS dynamically adapts to the load it
237 # sees --- that is, it tries to maintain enough servers to
238 # handle the current load, plus a few spare servers to handle transient
241 # It does this by periodically checking how many servers are waiting
242 # for a request. If there are fewer than min_spare_servers, it creates
243 # a new spare. If there are more than max_spare_servers, some of the
244 # spares die off. The default values are probably OK for most sites.
# Lower and upper bound on idle threads, as described in the paragraph
# above: below the minimum a spare is created, above the maximum spares exit.
246 min_spare_servers = 3
247 max_spare_servers = 10
250 # There may be memory leaks or resource allocation problems with
251 # the server. If so, set this value to 300 or so, so that the
252 # resources will be cleaned up periodically.
254 # This should only be necessary if there are serious bugs in the
255 # server which have not yet been fixed.
257 # '0' is a special value meaning 'infinity', or 'the servers never exit'
# 0 = threads are never retired after a request count (see the note above).
259 max_requests_per_server = 0
262 #######################################################################
264 # Definition of a NAS or a client.
266 # The information given here is in ADDITION to the 'clients' file.
268 # If this is defined as "client foo" then the hostname/ipaddr "foo"
269 # will be looked up according to the source IP address of the radius
270 # request packet, and the secret here will be used to check the
271 # integrity of the request.
273 # If this is defined as "nas foo" then foo will be looked up first
274 # as the NAS-IP-Address in the radius request, then as the NAS-Ident
275 # in the radius request.
277 # Normally you'd use "client" unless the request came in through a
278 # proxy server and you want to define a short name for the NAS
279 # for logging purposes, or you want to do a "checkrad" back to the
280 # original NAS and not to the proxy radius server!
282 # The "shortname" can be used for logging, and the "vendor",
283 # "type", "login" and "password" fields are mainly used for checkrad.
# Short label for this client; per the comment above it can be used for
# logging. The opening line of the enclosing entry is not visible in this
# excerpt.
288 shortname = localhost
# NOTE(review): the commented-out client example that follows, and the
# commented realm examples later in the file, use the sample secret
# testing123. Replace it with a long random per-client value before
# enabling any of them; the shared secret is what the server uses to check
# the integrity of requests from that client.
291 #client some.host.org {
292 # secret = testing123
293 # shortname = localhost
298 # secret and password are mapped through the "secrets" file.
302 # Type should extend to the line type, because of the "hole".
303 #Line#/T S Port SNMP Port
304 #-------------------------
311 #And C0 is 96 in Radius.
# Per the comment earlier in this section, 'type' and 'password' are mainly
# used by checkrad. The text after '#' on the type line lists other model
# names and is presumably read as a comment; confirm that the parser
# accepts inline comments.
312 type = pm3-eur # pm3-i23 pm3-ct24 pm3-i30
# NOTE(review): sample administrative password stored in cleartext. An
# earlier comment says secret and password are mapped through the "secrets"
# file; prefer that, replace the sample value, and keep this file
# unreadable to other local users.
314 password = someadminpas
317 #######################################################################
319 # Configuration for the proxy module.
321 # The information given here is in ADDITION to the 'realms' file.
325 # authhost = radius.isp2.com:1645
326 # accthost = radius.isp2.com:1646
327 # secret doesn't work here now
330 # utmpfile += /var/log/radutmp.isp2
331 # wtmpfile += /var/log/radwtmp.isp2
332 # detailfile += /var/log/radacct/isp2/detail
337 # authhost = radius.company.com:1600
338 # accthost = radius.company.com:1601
339 # secret = testing123
346 # secret = testing123
349 #######################################################################
351 # Configuration for the Unix module
357 # Cache /etc/passwd, /etc/shadow, and /etc/group
359 # The default is to NOT cache them. However, caching them can
360 # speed up system authentications by a substantial amount.
362 # allowed values: {no, yes}
366 # Define the locations of the normal passwd, shadow, and group files.
368 # 'shadow' is commented out by default, because not all systems have
372 # shadow = /etc/shadow
376 #######################################################################
378 # Configuration for the LDAP module.
# NOTE(review): 'login' looks like the DN the module binds with, and here
# it is a directory admin entry (cn=admin). A dedicated account with
# read-only access to the user subtree limits what a compromised RADIUS
# host can do in the directory. Confirm what access the module needs.
382 login = "cn=admin,o=My Org,c=US"
# Presumably the search base for user lookups (TODO confirm).
384 basedn = "o=My Org,c=US"
388 #######################################################################
390 # Configuration for the SQL module.
# NOTE(review): database password in cleartext. The value suggests the
# database root account, though the login line is outside this excerpt.
# Use a dedicated account limited to the RADIUS tables, replace the sample
# value, and keep this file readable by the server account only.
397 password = "rootpass"
399 # Database table configuration
# Table names used by the SQL module. Judging by the key names they cover
# accounting, per-user check/reply items, per-group check/reply items, the
# user-to-group mapping, and realms. How the module uses each table is not
# visible in this excerpt.
401 acct_table = "radacct"
403 authcheck_table = "radcheck"
404 authreply_table = "radreply"
406 groupcheck_table = "radgroupcheck"
407 groupreply_table = "radgroupreply"
409 usergroup_table = "usergroup"
411 realms_table = "realms"
412 realmgroup_table = "realmgroup"
414 # Check case on usernames
# 'no': presumably usernames are matched without regard to case (confirm).
# If another account store in use treats "Bob" and "bob" as different
# users, a case-insensitive match here can resolve one to the other's entry.
415 sensitiveusername = no
417 # Remove stale session if checkrad does not see a double login
# 'yes': the removal described in the comment above is enabled.
418 deletestalesessions = yes
420 # Print all SQL statements when in debug mode (-x)
424 #######################################################################
426 # Configuration for the example module. Changing these values
427 # won't affect anything.
433 # allowed values: {no, yes}
438 # An integer, of any value.
# Sample string value; the section header says changing these values
# won't affect anything.
445 string = "This is an example configuration string"
448 # An IP address, either in dotted quad (1.2.3.4) or hostname (example.com)