2 ## radiusd.conf -- FreeRADIUS server configuration file.
4 ## http://www.freeradius.org/
8 # The location of other config files and
9 # logfiles are declared in this file
11 # Also general configuration for modules can be done
12 # in this file, it is exported through the API to
13 # modules that ask for it.
# Installation directories. The @name@ tokens are filled in at
# configure time (like the @REGEX@ values further down); if they are
# still present verbatim, the file has not been through the build.
18 exec_prefix = @exec_prefix@
19 sysconfdir = @sysconfdir@
20 localstatedir = @localstatedir@
25 radacctdir = @radacctdir@
28 # Location of config and logfiles.
#
# run_dir: directory for runtime state; the pidfile below is placed here.
32 run_dir = ${localstatedir}/run
35 # pidfile: Where to place the PID of the RADIUS server.
37 # The server may be signalled while it's running by using this
40 # e.g.: kill -HUP `cat /var/run/radiusd.pid`
#
# The file lives under run_dir, so that directory's permissions decide
# who can replace the PID that the command above reads.
42 pidfile = ${run_dir}/radiusd.pid
45 # user/group: The name (or #number) of the user/group to run httpd as.
46 # On SCO (ODT 3) use "user = nouser" and "group = nogroup".
47 # On HPUX you may not be able to use shared memory as nobody, and the
48 # suggested workaround is to create a user www and use that user.
50 # NOTE that some kernels refuse to setgid(group)
51 # when the value of (unsigned)group is above 60000;
52 # don't use group nobody on these systems!
54 # On systems with shadow passwords, you might have to set 'group = shadow'
55 # for the server to be able to read the shadow password file.
61 # max_request_time: The maximum time (in seconds) to handle a request.
63 # Requests which take more time than this to process may be killed, and
64 # a REJECT message is returned.
66 # WARNING: If you notice that requests take a long time to be handled,
67 # then this MAY INDICATE a bug in the server, or in one of the modules
68 # used to handle a request.
70 # Useful range of values: 5 to 120
75 # delete_blocked_requests: If the request takes MORE THAN 'max_request_time'
76 # to be handled, then maybe the server should delete it.
78 # If you're running in threaded, or thread pool mode, this setting
79 # should probably be 'no'. Setting it to 'yes' when using a threaded
80 # server MAY cause the server to crash!
#
# The thread pool settings further down are active in this file, so
# 'no' is the safe value here.
#
# allowed values: {no, yes}
82 delete_blocked_requests = no
85 # cleanup_delay: The time to wait (in seconds) before cleaning up
86 # a reply which was sent to the NAS.
88 # The RADIUS request is normally cached internally for a short period
89 # of time, after the reply is sent to the NAS. The reply packet may be
90 # lost in the network, and the NAS will not see it. The NAS will then
91 # re-send the request, and the server will respond quickly with the
94 # If this value is set too low, then duplicate requests from the NAS
95 # MAY NOT be detected, and will instead be handled as separate requests.
97 # If this value is set too high, then the server will cache too many
98 # requests, and some new requests may get blocked. (See 'max_requests'.)
100 # Useful range of values: 2 to 10
105 # max_requests: The maximum number of requests which the server keeps
106 # track of. This should be 256 multiplied by the number of clients.
107 # e.g. With 4 clients, this number should be 1024.
109 # If this number is too low, then when the server becomes busy,
110 # it will not respond to any new requests, until the 'cleanup_delay'
111 # time has passed, and it has removed the old requests.
113 # If this number is set too high, then the server will use a bit more
114 # memory for no real benefit.
116 # If you aren't sure what it should be set to, it's better to set it
117 # too high than too low. Setting it to 1000 per client is probably
118 # the highest it should be.
120 # Useful range of values: 256 to infinity
125 # bind_address: Make the server listen on a particular IP address, and
126 # send replies out from that address. This directive is most useful
127 # for machines with multiple IP addresses on one interface.
129 # It can either contain "*", or an IP address, or a fully qualified
130 # Internet domain name. The default is "*"
135 # port: Allows you to bind FreeRADIUS to a specific port.
137 # The default port that most NAS boxes use is 1645, which is historical.
138 # RFC 2138 defines 1812 to be the new port. Many new servers and
139 # NAS boxes use 1812, which can create interoperability problems.
141 # The port is defined here to be 0 so that the server will pick up
142 # the machine's local configuration for the radius port, as defined
145 # If you want to use the default RADIUS port as defined on your server,
146 # (usually through 'grep radius /etc/services') set this to 0 (zero).
148 # A port given on the command-line via '-p' overrides this one.
153 # Which program to execute when doing concurrency checks.
#
# This is an external program run by the server, so it should live in
# a directory that only root can write to.
155 checkrad = ${sbindir}/checkrad
158 # hostname_lookups: Log the names of clients or just their IP addresses
159 # e.g., www.freeradius.org (on) or 206.47.27.232 (off).
160 # The default is off because it'd be overall better for the net if people
161 # had to knowingly turn this feature on, since enabling it means that
162 # each client request will result in AT LEAST one lookup request to the
165 # Turning hostname lookups off also means that the server won't block
166 # for 30 seconds, if it sees an IP address which has no name associated
169 # allowed values: {no, yes}
171 hostname_lookups = no
174 # Core dumps are a bad thing. This should only be set to 'yes'
175 # if you're debugging a problem with the server.
#
# A core file is an image of the running server's memory, so it can
# contain whatever the server was holding at the time -- e.g. the
# passwords from requests it was processing. Treat any core file with
# at least the same care as this configuration.
177 # allowed values: {no, yes}
179 allow_core_dumps = no
182 # Regular expressions
184 # These items are set at configure time. If they're set to "yes",
185 # then setting them to "no" turns off regular expression support.
187 # If they're set to "no" at configure time, then setting them to "yes"
188 # WILL NOT WORK. It will give you an error.
#
# The @REGEX@ / @REGEX_EXTENDED@ tokens are replaced by the build; in
# other words, editing these two lines can only ever disable support.
190 regular_expressions = @REGEX@
191 extended_expressions = @REGEX_EXTENDED@
194 # Log the full User-Name attribute, as it was found in the request.
#
# 'Stripped' presumably refers to the realm part removed by the realm
# modules configured below -- confirm against the realm module docs.
196 # allowed values: {no, yes}
198 log_stripped_names = no
201 # Log authentication requests to the log file.
203 # allowed values: {no, yes}
208 # Log passwords with the authentication requests.
209 # log_auth_badpass - logs password if it's rejected
210 # log_auth_goodpass - logs password if it's correct
#
# Either setting writes the password the user submitted into the same
# log file as the authentication messages above. Keep both at 'no'
# except while debugging a specific login failure, and restrict read
# access to the log file if you do turn one on.
212 # allowed values: {no, yes}
214 log_auth_badpass = no
215 log_auth_goodpass = no
218 # usercollide: Turn user collision code on and off.
219 # See doc/duplicate-users
223 # lower_user / lower_pass:
224 # Lowercase the username/password "before" or "after"
225 # attempting to authenticate.
227 # If "before", the server will first modify the request
228 # and then try to auth the user. If "after", the server
229 # will first auth using the values provided by the
230 # user. If that fails it will reprocess the request
231 # after modifying it as you specify below.
233 # This is as close as we can get to case insensitivity. It is
234 # the admin's job to ensure that the username on the auth
235 # db side is *also* lowercase to make this work
237 # Default is 'no' (don't lowercase values)
238 # Valid values = "before" / "after" / "no"
243 # nospace_user / nospace_pass:
244 # Some users like to enter spaces in their username or
245 # password incorrectly. To save yourself the tech support
246 # call, you can eliminate those spaces here:
248 # Default is 'no' (don't remove spaces)
249 # Valid values = "before" / "after" / "no" (explanation above)
254 #######################################################################
256 # Include optional/module specific configurations.
259 # PROXY CONFIGURATION
261 # proxy_requests: Turns proxying of RADIUS requests on or off.
263 # The server has proxying turned on by default. If your system is NOT
264 # set up to proxy requests to another server, then you can turn proxying
265 # off here. This will save a small amount of resources on the server.
267 # If you have proxying turned off, and your configuration files say
268 # to proxy a request, then an error message will be logged.
270 # allowed values: {no, yes}
272 # To disable proxying, change the "yes" to "no", and comment the
#
# The proxy settings themselves live in proxy.conf, pulled in here.
275 $INCLUDE ${confdir}/proxy.conf
277 # CLIENTS CONFIGURATION
279 # Client configuration is defined in "clients.conf". If you don't
280 # use the "clients.conf", you can comment the following. The use of
281 # "clients.conf" is recommended over the old "clients", though both
#
# clients.conf is where the clients (NASes) this server will accept
# requests from are defined; keep its permissions as tight as this
# file's.
284 $INCLUDE ${confdir}/clients.conf
288 # Snmp configuration is only valid if you enabled SNMP support when
289 # you compiled radius. To enable SNMP configuration, uncomment the
#
# NOTE(review): the comment above implies this $INCLUDE should stay
# commented out until SNMP support is compiled in, but it is active
# here -- confirm that is intended for this build.
291 $INCLUDE ${confdir}/snmp.conf
294 #######################################################################
296 # Thread pool configuration.
298 # The thread pool is a long-lived group of threads which
299 # take turns (round-robin) handling any incoming requests.
302 # You probably want to have a few spare threads around,
303 # so that high-load situations can be handled immediately. If you
304 # don't have any spare threads, then the request handling will
305 # be delayed while a new thread is created, and added to the pool.
307 # You probably don't want too many spare threads around,
308 # otherwise they'll be sitting there taking up resources, and
309 # not doing anything productive.
311 # The numbers given below should be adequate for most situations.
316 # Number of servers to start initially --- should be a reasonable ballpark
322 # Limit on the total number of servers running.
324 # If this limit is ever reached, clients will be LOCKED OUT, so it
325 # should NOT BE SET TOO LOW. It is intended mainly as a brake to
326 # keep a runaway server from taking the system with it as it spirals
332 # Server-pool size regulation. Rather than making you guess how many
333 # servers you need, FreeRADIUS dynamically adapts to the load it
334 # sees --- that is, it tries to maintain enough servers to
335 # handle the current load, plus a few spare servers to handle transient
338 # It does this by periodically checking how many servers are waiting
339 # for a request. If there are fewer than min_spare_servers, it creates
340 # a new spare. If there are more than max_spare_servers, some of the
341 # spares die off. The default values are probably OK for most sites.
#
# Keep min_spare_servers <= max_spare_servers; the pool as a whole is
# still capped by the total-servers limit described above.
343 min_spare_servers = 3
344 max_spare_servers = 10
347 # There may be memory leaks or resource allocation problems with
348 # the server. If so, set this value to 300 or so, so that the
349 # resources will be cleaned up periodically.
351 # This should only be necessary if there are serious bugs in the
352 # server which have not yet been fixed.
354 # '0' is a special value meaning 'infinity', or 'the servers never exit'
#
# allowed values: 0, or a positive number of requests per server
356 max_requests_per_server = 0
362 # The name to use for PAM authentication.
363 # PAM looks in /etc/pam.d/${pam_auth_name}
364 # for its configuration.
366 # Note that any Pam-Auth attribute set in the 'users'
367 # file overrides this one.
369 ## pam_auth = radiusd
373 # Cache /etc/passwd, /etc/shadow, and /etc/group
375 # The default is to NOT cache them. However, caching them can
376 # speed up system authentications by a substantial amount.
378 # allowed values: {no, yes}
382 # Define the locations of the normal passwd, shadow, and
385 # 'shadow' is commented out by default, because not all
386 # systems have shadow passwords.
389 # shadow = /etc/shadow
394 # Where the 'wtmp' file is located.
395 # This will be moved to its own module soon..
#
# Written by the accounting section (see "Log to detail file, and to
# the radwtmp file" below).
397 radwtmp = ${logdir}/radwtmp
400 # This module definition allows you to use LDAP for
401 # authorization and authentication (Auth-Type = LDAP)
402 # See doc/rlm_ldap for description of configuration options
403 # and sample authorize{} and authenticate{} blocks
#
# The values below ("ldap.your.domain", "o=My Org,c=UA") are
# placeholders and must be replaced before this module is enabled.
405 server = "ldap.your.domain"
# identity: the DN to bind as. It is commented out here, so no bind
# identity is configured; check doc/rlm_ldap for how the module
# connects in that case before relying on it.
406 # identity = "cn=admin,o=My Org,c=UA"
408 basedn = "o=My Org,c=UA"
# default_profile: presumably a profile entry applied to users; left
# commented out here.
410 # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# access_group / access_attr: presumably restrict access to members of
# the group / entries carrying the attribute -- confirm in doc/rlm_ldap.
411 access_group = "cn=clients,ou=dialup,o=My Org,c=UA"
412 access_attr = "dialupAccess"
# dictionary_mapping: file that maps LDAP attributes to RADIUS ones.
413 dictionary_mapping = ${raddbdir}/ldap.attrmap
420 # You can have multiple instances of the realm module to
421 # support multiple realm syntaxes at the same time. The
422 # search order is defined by the order in the authorize and
423 # preacct blocks after the module config block.
425 # Two config options:
426 # format - must be 'prefix' or 'suffix'
427 # delimiter - must be a single character
439 # Using this entry, IPASS users have their realm set to "IPASS".
# Files read by the preprocess module, which runs first in the
# authorize and preacct sections below (hints and huntgroups files).
456 huntgroups = ${confdir}/huntgroups
457 hints = ${confdir}/hints
460 # This hack changes Ascend's weird port numberings
461 # to standard 0-??? port numbers so that the "+" works
462 # for IP address assignments.
#
# allowed values: {no, yes}
464 with_ascend_hack = no
#
# ascend_channels_per_line: channels per line used by the renumbering
# (23 -- presumably a T1 PRI; confirm for your NAS).
465 ascend_channels_per_line = 23
468 # Windows NT machines often authenticate themselves as
471 # If this is set to 'yes', then the NT_DOMAIN portion
472 # of the user-name is silently discarded.
#
# NOTE(review): once the domain is discarded, the same user-name from
# two different NT domains presumably looks identical to everything
# after this point -- leave 'no' unless all clients share one domain.
#
# allowed values: {no, yes}
474 with_ntdomain_hack = no
477 # Specialix Jetstream 8500 24 port access server.
479 # If the user name is 10 characters or longer, a "/"
480 # and the excess characters after the 10th are
481 # appended to the user name.
483 # If you're not running that NAS, you don't need
#
# allowed values: {no, yes}
486 with_specialix_jetstream_hack = no
489 # Cisco sends its VSA attributes with the attribute
490 # name *again* in the string, like:
492 # H323-Attribute = "h323-attribute=value".
494 # If this configuration item is set to 'yes', then
495 # the redundant data in the attribute text is stripped
496 # out. The result is:
498 # H323-Attribute = "value"
500 # If you're not running a Cisco NAS, you don't need
#
# allowed values: {no, yes}
503 with_cisco_vsa_hack = no
# The 'users' and 'acct_users' files for the files module; see the
# Cistron compatibility note below before editing them.
507 usersfile = ${confdir}/users
508 acctusersfile = ${confdir}/acct_users
511 # If you want to use the old Cistron 'users' file
512 # with FreeRADIUS, you should change the next line
513 # to 'compat = cistron'. You can then copy your 'users'
519 # See README.rlm_fastusers before using this
520 # module or changing these values.
#
# Note that this module reads its own 'users_fast' file, not the
# 'users' file configured above; if both modules are in use, changes
# must be made in both files.
522 usersfile = ${confdir}/users_fast
525 # Reload the hash every 600 seconds (10mins)
531 # Note that we do NOT use NAS-IP-Address here, as that
532 # attribute MAY BE from the originating NAS, and NOT
533 # from the proxy which actually sent us the request.
534 # The Client-IP-Address attribute is ALWAYS the address
535 # of the client which sent us the request.
#
# One detail directory per sending client. The directory name comes
# from the address the packet arrived from, not from attribute data
# supplied inside the packet.
537 detailfile = ${radacctdir}/%{Client-IP-Address}/detail
541 # This module will add a (probably) unique session id
542 # to an accounting packet based on the attributes listed
543 # below found in the packet. See doc/README.rlm_acct_unique
#
# All of these attributes come from the accounting packet itself, so
# the id is only as unique as the combination the client supplies.
545 key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
# SQL module settings live in sql.conf, pulled in here.
548 $INCLUDE ${confdir}/sql.conf
#
# radutmp: the session file used for Simultaneous-Use checks (see the
# "Session database" note at the end of this excerpt).
551 filename = ${logdir}/radutmp
556 # "Safe" radutmp - does not contain caller ID, so it can be
557 # world-readable, and radwho can work for normal users, without
558 # exposing any information that isn't already exposed by who(1).
560 # This is another instance of the radutmp module, but it is given
561 # the name "sradutmp" to identify it later in the "accounting"
#
# The regular radutmp file above does carry caller ID, so only this
# file -- not that one -- should be made world-readable.
564 filename = ${logdir}/sradutmp
570 # attr_filter - filters the attributes received in replies from
571 # proxy servers, to make sure we send back to the upstream
572 # only allowed attributes.
#
# With proxying enabled (proxy.conf is included above), this file is
# what stops a home server's reply from passing arbitrary attributes
# back to the upstream; keep it in place.
576 attrsfile = ${confdir}/attrs
579 #######################################################################
581 # Configuration for the counter module
583 # This module takes an attribute (count-attribute), which MUST
584 # be an 'integer' or 'time' attribute. It also takes a key,
585 # and creates a counter for each unique key. The count is
586 # incremented when accounting packets are received by the
587 # server. The value of the increment is the value of the
590 # The 'reset' parameter defines when the counters are all reset to
591 # zero. It can be hourly, daily, weekly, or monthly.
593 # The counter-name is the name of the attribute in the 'users'
594 # file used to access that counter. e.g.
596 # DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject
597 # Reply-Message = "You've used up more than one hour today"
# filename: persistent store for the per-key counters.
600 filename = ${raddbdir}/db.counter
# count-attribute: accounting attribute whose value is added to the
# counter (must be an 'integer' or 'time' attribute, see above).
602 count-attribute = Acct-Session-Time
# counter-name: attribute used in the 'users' file to check the
# counter (the Daily-Session-Time example above).
604 counter-name = Daily-Session-Time
608 # The "always" module is here for debugging purposes. Each instance simply
609 # returns the same result, always, without doing anything.
623 #######################################################################
625 # Configuration for the example module. Uncommenting it will cause it
626 # to get loaded and initialized, but should have no real effect as long
627 # as it is not referenced in one of the autz/auth/preacct/acct sections
633 # allowed values: {no, yes}
638 # An integer, of any value.
645 string = "This is an example configuration string"
648 # An IP address, either in dotted quad (1.2.3.4) or hostname
657 anotherinteger = 1000
#
# NOTE(review): 'string' is assigned twice in this stretch; presumably
# the two assignments sit in separate instances of the example module
# whose block boundaries are not visible here -- confirm, since a
# repeated key inside one block would be ambiguous.
662 string = "This is a different string"
668 # Authentication types, Auth-Type = System for now.
670 # Uncomment this if you want to use PAM (Auth-Type = PAM)
673 # By grouping modules together in an authtype block, that authtype will be
674 # tried on each module in sequence until one returns REJECT or OK. This
675 # allows authentication failover if the first SQL server has crashed, for
681 # Uncomment this if you want to use ldap (Auth-Type = LDAP)
685 # Authorization. First preprocess (hints and huntgroups files),
686 # then realms, and finally look in the "users" file.
687 # The order of the realm modules will determine the order that
688 # we try to find a matching realm.
689 # Make *sure* that 'preprocess' comes before any realm if you
690 # need to setup hints for the remote radius server
699 # Pre-accounting. Look for proxy realm in order of realms, then
700 # acct_users file, then preprocess (hints file).
707 # Accounting. Log to detail file, and to the radwtmp file, and maintain
718 # Session database, used for checking Simultaneous-Use. The radutmp module