2 ## radiusd.conf -- FreeRADIUS server configuration file.
4 ## http://www.freeradius.org/
8 # The location of other config files and
9 # logfiles are declared in this file
11 # Also general configuration for modules can be done
12 # in this file, it is exported through the API to
13 # modules that ask for it.
18 exec_prefix = @exec_prefix@
19 sysconfdir = @sysconfdir@
20 localstatedir = @localstatedir@
25 radacctdir = @radacctdir@
28 # Location of config and logfiles.
32 run_dir = ${localstatedir}/run
35 # pidfile: Where to place the PID of the RADIUS server.
37 # The server may be signalled while it's running by using this
40 # e.g.: kill -HUP `cat /var/run/radiusd.pid`
42 pidfile = ${run_dir}/radiusd.pid
45 # max_request_time: The maximum time (in seconds) to handle a request.
47 # Requests which take more time than this to process are killed, and
48 # a REJECT message is returned.
50 # Useful range of values: 5 to 120
55 # cleanup_delay: The time to wait (in seconds) before cleaning up
56 # a reply which was sent to the NAS.
58 # The RADIUS request is normally cached internally for a short period
59 # of time, after the reply is sent to the NAS. The reply packet may be
60 # lost in the network, and the NAS will not see it. The NAS will then
61 # re-send the request, and the server will respond quickly with the
64 # If this value is set too low, then duplicate requests from the NAS
65 # MAY NOT be detected, and will instead be handled as separate requests.
67 # If this value is set too high, then the server will cache too many
68 # requests, and some new requests may get blocked. (See 'max_requests'.)
70 # Useful range of values: 2 to 10
75 # max_requests: The maximum number of requests which the server keeps
76 # track of. This should be 256 multiplied by the number of clients.
77 # e.g. With 4 clients, this number should be 1024.
79 # If this number is too low, then when the server becomes busy,
80 # it will not respond to any new requests, until the 'cleanup_delay'
81 # time has passed, and it has removed the old requests.
83 # If this number is set too high, then the server will use a bit more
84 # memory for no real benefit.
86 # If you aren't sure what it should be set to, it's better to set it
87 # too high than too low. Setting it to 1000 per client is probably
88 # the highest it should be.
90 # Useful range of values: 256 to infinity
95 # bind_address: Make the server listen on a particular IP address, and
96 # send replies out from that address. This directive is most useful
97 # for machines with multiple IP addresses on one interface.
99 # It can either contain "*", or an IP address, or a fully qualified
100 # Internet domain name. The default is "*"
105 # port: Allows you to bind FreeRADIUS to a specific port.
107 # The default port that most NAS boxes use is 1645, which is historical.
108 # RFC 2138 defines 1812 to be the new port. Many new servers and
109 # NAS boxes use 1812, which can create interoperability problems.
111 # The port is defined here to be 0 so that the server will pick up
112 # the machine's local configuration for the radius port, as defined
115 # If you want to use the default RADIUS port as defined on your server,
116 # (usually through 'grep radius /etc/services') set this to 0 (zero).
118 # A port given on the command-line via '-p' over-rides this one.
123 # Which program to execute when doing concurrency checks.
125 checkrad = ${sbindir}/checkrad
128 # hostname_lookups: Log the names of clients or just their IP addresses
129 # e.g., www.freeradius.org (on) or 206.47.27.232 (off).
130 # The default is off because it'd be overall better for the net if people
131 # had to knowingly turn this feature on, since enabling it means that
132 # each client request will result in AT LEAST one lookup request to the
135 # Turning hostname lookups off also means that the server won't block
136 # for 30 seconds, if it sees an IP address which has no name associated
139 # allowed values: {no, yes}
141 hostname_lookups = no
144 # Core dumps are a bad thing (a dump captures process memory, secrets included).
145 # This should only be set to 'yes' if you're debugging a problem with the server.
147 # allowed values: {no, yes}
149 allow_core_dumps = no
152 # Log the full User-Name attribute, as it was found in the request.
154 # allowed values: {no, yes}
156 log_stripped_names = no
159 # Log authentication requests to the log file.
161 # allowed values: {no, yes}
166 # Log passwords with the authentication requests (in clear text, in the log file; leave this off outside short-lived debugging).
168 # allowed values: {no, yes}
173 # usercollide: Turn user collision code on and off.
174 # See README.usercollide
179 # lower_user / lower_pass:
180 # Lowercase the username/password before processing it
181 # This is as close as we can get to case insensitivity. It is
182 # the admin's job to ensure that the username on the auth
183 # db side is *also* lowercase to make this work
184 # Default is 'no' (don't lowercase values)
190 # If you have configured above to lowercase the username and
191 # password, you can decide here *when* to do that. You can
192 # lowercase them "before" any processing occurs, or you can
193 # lowercase "after" authentication processing once and the
194 # server will retry with the new lowercased values.
196 # Valid values: "before" / "after"
199 # nospace_user / nospace_pass:
200 # Some users like to enter spaces in their username or
201 # password incorrectly. To save yourself the tech support
202 # call, you can eliminate those spaces here:
203 # Default is 'no' (don't remove spaces)
208 # See above for lower_time explanation. Works the same way
209 # except does nospace processing.
211 # Valid values: "before" / "after"
212 nospace_time = before
215 #######################################################################
217 # Include optional/module specific configurations.
220 # PROXY CONFIGURATION
222 # proxy_requests: Turns proxying of RADIUS requests on or off.
224 # The server has proxying turned on by default. If your system is NOT
225 # set up to proxy requests to another server, then you can turn proxying
226 # off here. This will save a small amount of resources on the server.
228 # If you have proxying turned off, and your configuration files say
229 # to proxy a request, then an error message will be logged.
231 # allowed values: {no, yes}
233 # To disable proxying, change the "yes" to "no", and comment the
236 $INCLUDE ${confdir}/proxy.conf
238 # CLIENTS CONFIGURATION
240 # Client configuration is defined in "clients.conf". If you don't
241 # use the "clients.conf", you can comment the following. The use of
242 # "clients.conf" is recommended over the old "clients", though both
245 $INCLUDE ${confdir}/clients.conf
249 # Snmp configuration is only valid if you enabled SNMP support when
250 # you compiled radius. To enable SNMP configuration, uncomment the
252 $INCLUDE ${confdir}/snmp.conf
255 #######################################################################
257 # Thread pool configuration.
259 # The thread pool is a long-lived group of threads which
260 # take turns (round-robin) handling any incoming requests.
263 # You probably want to have a few spare threads around,
264 # so that high-load situations can be handled immediately. If you
265 # don't have any spare threads, then the request handling will
266 # be delayed while a new thread is created, and added to the pool.
268 # You probably don't want too many spare threads around,
269 # otherwise they'll be sitting there taking up resources, and
270 # not doing anything productive.
272 # The numbers given below should be adequate for most situations.
277 # Number of servers to start initially --- should be a reasonable ballpark
283 # Limit on the total number of servers running.
285 # If this limit is ever reached, clients will be LOCKED OUT, so it
286 # should NOT BE SET TOO LOW. It is intended mainly as a brake to
287 # keep a runaway server from taking the system with it as it spirals
293 # Server-pool size regulation. Rather than making you guess how many
294 # servers you need, FreeRADIUS dynamically adapts to the load it
295 # sees --- that is, it tries to maintain enough servers to
296 # handle the current load, plus a few spare servers to handle transient
299 # It does this by periodically checking how many servers are waiting
300 # for a request. If there are fewer than min_spare_servers, it creates
301 # a new spare. If there are more than max_spare_servers, some of the
302 # spares die off. The default values are probably OK for most sites.
304 min_spare_servers = 3
305 max_spare_servers = 10
308 # There may be memory leaks or resource allocation problems with
309 # the server. If so, set this value to 300 or so, so that the
310 # resources will be cleaned up periodically.
312 # This should only be necessary if there are serious bugs in the
313 # server which have not yet been fixed.
315 # '0' is a special value meaning 'infinity', or 'the servers never exit'
317 max_requests_per_server = 0
322 # No config options for this yet
326 # Cache /etc/passwd, /etc/shadow, and /etc/group
328 # The default is to NOT cache them. However, caching them can
329 # speed up system authentications by a substantial amount.
331 # allowed values: {no, yes}
335 # Define the locations of the normal passwd, shadow, and
338 # 'shadow' is commented out by default, because not all
339 # systems have shadow passwords.
342 # shadow = /etc/shadow
346 # Uncomment this if you want to use ldap (Auth-Type = LDAP)
347 # Also uncomment it in the authenticate{} block below
350 # login = "cn=admin,o=My Org,c=US"
352 # basedn = "o=My Org,c=US"
353 # filter = "(uid=%u)"
357 # You can have multiple instances of the realm module to
358 # support multiple realm syntaxes at the same time. The
359 # search order is defined by the order in the authorize and
360 # preacct blocks after the module config block.
362 # Two config options:
363 # format - must be 'prefix' or 'suffix'
364 # delimiter - must be a single character
388 huntgroups = ${confdir}/huntgroups
389 hints = ${confdir}/hints
392 # This hack changes Ascend's weird port numberings
393 # to standard 0-??? port numbers so that the "+" works
394 # for IP address assignments.
396 with_ascend_hack = no
397 ascend_channels_per_line = 23
400 # Windows NT machines often authenticate themselves as
403 # If this is set to 'yes', then the NT_DOMAIN portion
404 # of the user-name is silently discarded.
406 with_ntdomain_hack = no
409 # Specialix Jetstream 8500 24 port access server.
411 # If the user name is 10 characters or longer, a "/"
412 # and the excess characters after the 10th are
413 # appended to the user name.
415 # If you're not running that NAS, you don't need
418 with_specialix_jetstream_hack = no
421 usersfile = ${confdir}/users
422 acctusersfile = ${confdir}/acct_users
425 # If you want to use the old Cistron 'users' file
426 # with FreeRADIUS, you should change the next line
427 # to 'compat = cistron'. You can then copy your 'users'
433 # See README.rlm_fastusers before using this
434 # module or changing these values
436 usersfile = ${confdir}/users_fast
439 normal_defaults = yes
443 detailfile = %A/%n/detail
447 # This module will add a (probably) unique session id
448 # to an accounting packet based on the attributes listed
449 # below found in the packet. see doc/README.rlm_acct_unique
451 key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Port-Id"
456 # Configuration for the SQL module. Note: the database password below is stored in clear text; replace the example value and keep this file readable only by the server's user.
463 password = "rootpass"
465 # Database table configuration
467 acct_table = "radacct"
469 authcheck_table = "radcheck"
470 authreply_table = "radreply"
472 groupcheck_table = "radgroupcheck"
473 groupreply_table = "radgroupreply"
475 usergroup_table = "usergroup"
477 realms_table = "realms"
478 realmgroup_table = "realmgroup"
480 # Check case on usernames
481 sensitiveusername = no
483 # Remove stale session if checkrad does not see a double login
484 deletestalesessions = yes
486 # Print all SQL statements when in debug mode (-x)
488 sqltracefile = ${logdir}/sqltrace.sql
490 # number of sql connections to make to server
495 # A second instance of the same module, with the name "sql2" to identify it
500 server = "myothersever"
502 password = "rootpass"
504 # Database table configuration
506 acct_table = "radacct"
508 authcheck_table = "radcheck"
509 authreply_table = "radreply"
511 groupcheck_table = "radgroupcheck"
512 groupreply_table = "radgroupreply"
514 usergroup_table = "usergroup"
516 realms_table = "realms"
517 realmgroup_table = "realmgroup"
519 # Check case on usernames
520 sensitiveusername = no
522 # Remove stale session if checkrad does not see a double login
523 deletestalesessions = yes
525 # Print all SQL statements when in debug mode (-x)
529 #######################################################################
531 # Configuration for the example module. Uncommenting it will cause it
532 # to get loaded and initialized, but should have no real effect as long
533 # as it is not referenced in one of the autz/auth/preacct/acct sections
539 # allowed values: {no, yes}
544 # An integer, of any value.
551 string = "This is an example configuration string"
554 # An IP address, either in dotted quad (1.2.3.4) or hostname
563 anotherinteger = 1000
568 string = "This is a different string"
574 # Authentication types, Auth-Type = System and PAM for now.
578 # By grouping modules together in an authtype block, that authtype will be
579 # tried on each module in sequence until one returns REJECT or OK. This
580 # allows authentication failover if the first SQL server has crashed, for
586 # Uncomment this if you want to use ldap (Auth-Type = LDAP)
590 # Authorization. First preprocess (hints and huntgroups files),
591 # then realms, and finally look in the "users" file.
592 # The order of the realm modules will determine the order that
593 # we try to find a matching realm.
594 # Make *sure* that 'preprocess' comes before any realm if you
595 # need to setup hints for the remote radius server
602 # Pre-accounting. Look for proxy realm in order of realms, then
603 # acct_users file, then preprocess (hints file).
610 # Accounting. Log to detail file, and to the radwtmp file.
617 # Session database, used for checking Simultaneous-Use. The radutmp module