2 ## radiusd.conf -- FreeRADIUS server configuration file.
4 ## http://www.freeradius.org/
7 # The location of other config files and
8 # logfiles are declared in this file
10 # Also general configuration for modules can be done
11 # in this file, it is exported through the API to
12 # modules that ask for it.
# NOTE(review): this listing is an excerpt of the full file; the module and
# section braces that group the keys below are not shown, so each key belongs
# to whatever block encloses it in the original file. Values of the form
# @name@ are substituted at configure/build time (see the regular_expressions
# comment further down).
16 exec_prefix = @exec_prefix@
17 sysconfdir = @sysconfdir@
18 localstatedir = @localstatedir@
23 radacctdir = @radacctdir@
25 # Location of config and logfiles.
27 run_dir = ${localstatedir}/run
29 # pidfile: Where to place the PID of the RADIUS server.
31 # The server may be signalled while it's running by using this
34 # e.g.: kill -HUP `cat /var/run/radiusd.pid`
35 pidfile = ${run_dir}/radiusd.pid
38 # user/group: The name (or #number) of the user/group to run radiusd as.
39 # On SCO (ODT 3) use "user = nouser" and "group = nogroup".
40 # On HPUX you may not be able to use shared memory as nobody, and the
41 # suggested workaround is to create a user www and use that user.
43 # NOTE that some kernels refuse to setgid(group)
44 # when the value of (unsigned)group is above 60000;
45 # don't use group nobody on these systems!
47 # On systems with shadow passwords, you might have to set 'group = shadow'
48 # for the server to be able to read the shadow password file. If you can
49 # authenticate users while in debug mode, but not in normal use, it may be
50 # because the debugged server is running as a user that can read the shadow
51 # info, and the below user can not.
# NOTE(review): the user/group values themselves are not part of this excerpt.
# Run the server as a dedicated unprivileged account rather than root; if
# 'group = shadow' is required, keep that group's membership to a minimum.
55 # max_request_time: The maximum time (in seconds) to handle a request.
57 # Requests which take more time than this to process may be killed, and
58 # a REJECT message is returned.
60 # WARNING: If you notice that requests take a long time to be handled,
61 # then this MAY INDICATE a bug in the server, or in one of the modules
62 # used to handle a request.
64 # Useful range of values: 5 to 120
67 # delete_blocked_requests: If the request takes MORE THAN 'max_request_time'
68 # to be handled, then maybe the server should delete it.
70 # If you're running in threaded, or thread pool mode, this setting
71 # should probably be 'no'. Setting it to 'yes' when using a threaded
72 # server MAY cause the server to crash!
74 delete_blocked_requests = no
76 # cleanup_delay: The time to wait (in seconds) before cleaning up
77 # a reply which was sent to the NAS.
79 # The RADIUS request is normally cached internally for a short period
80 # of time, after the reply is sent to the NAS. The reply packet may be
81 # lost in the network, and the NAS will not see it. The NAS will then
82 # re-send the request, and the server will respond quickly with the
85 # If this value is set too low, then duplicate requests from the NAS
86 # MAY NOT be detected, and will instead be handled as separate requests.
88 # If this value is set too high, then the server will cache too many
89 # requests, and some new requests may get blocked. (See 'max_requests'.)
91 # Useful range of values: 2 to 10
94 # max_requests: The maximum number of requests which the server keeps
95 # track of. This should be 256 multiplied by the number of clients.
96 # e.g. With 4 clients, this number should be 1024.
98 # If this number is too low, then when the server becomes busy,
99 # it will not respond to any new requests, until the 'cleanup_delay'
100 # time has passed, and it has removed the old requests.
102 # If this number is set too high, then the server will use a bit more
103 # memory for no real benefit.
105 # If you aren't sure what it should be set to, it's better to set it
106 # too high than too low. Setting it to 1000 per client is probably
107 # the highest it should be.
109 # Useful range of values: 256 to infinity
112 # bind_address: Make the server listen on a particular IP address, and
113 # send replies out from that address. This directive is most useful
114 # for machines with multiple IP addresses on one interface.
116 # It can either contain "*", or an IP address, or a fully qualified
117 # Internet domain name. The default is "*"
120 # port: Allows you to bind FreeRADIUS to a specific port.
122 # The default port that most NAS boxes use is 1645, which is historical.
123 # RFC 2138 defines 1812 to be the new port. Many new servers and
124 # NAS boxes use 1812, which can create interoperability problems.
126 # The port is defined here to be 0 so that the server will pick up
127 # the machine's local configuration for the radius port, as defined
130 # If you want to use the default RADIUS port as defined on your server,
131 # (usually through 'grep radius /etc/services') set this to 0 (zero).
133 # A port given on the command-line via '-p' over-rides this one.
136 # Which program to execute when doing concurrency checks.
# NOTE(review): checkrad is run by the server itself; its path (and the
# directory it lives in) should not be writable by the service account.
137 checkrad = ${sbindir}/checkrad
139 # hostname_lookups: Log the names of clients or just their IP addresses
140 # e.g., www.freeradius.org (on) or 206.47.27.232 (off).
141 # The default is off because it'd be overall better for the net if people
142 # had to knowingly turn this feature on, since enabling it means that
143 # each client request will result in AT LEAST one lookup request to the
146 # Turning hostname lookups off also means that the server won't block
147 # for 30 seconds, if it sees an IP address which has no name associated
# NOTE(review): beyond the latency above, a reverse-DNS name is set by whoever
# controls the reverse zone; treat looked-up names as informational in logs,
# not as an identity to base decisions on.
150 # allowed values: {no, yes}
151 hostname_lookups = no
153 # Core dumps are a bad thing. This should only be set to 'yes'
154 # if you're debugging a problem with the server.
# NOTE(review): a core file contains whatever the process held in memory,
# which can include shared secrets and user credentials. Keep this 'no'
# outside of debugging sessions and restrict access to any dump produced.
156 # allowed values: {no, yes}
157 allow_core_dumps = no
159 # Regular expressions
161 # These items are set at configure time. If they're set to "yes",
162 # then setting them to "no" turns off regular expression support.
164 # If they're set to "no" at configure time, then setting them to "yes"
165 # WILL NOT WORK. It will give you an error.
166 regular_expressions = @REGEX@
167 extended_expressions = @REGEX_EXTENDED@
169 # Log the full User-Name attribute, as it was found in the request.
171 # allowed values: {no, yes}
172 log_stripped_names = no
174 # Log authentication requests to the log file.
176 # allowed values: {no, yes}
179 # Log passwords with the authentication requests.
180 # log_auth_badpass - logs password if it's rejected
181 # log_auth_goodpass - logs password if it's correct
# NOTE(review): either option writes cleartext passwords into the log file.
# A rejected password is frequently a near-miss of a valid one, so
# log_auth_badpass exposes real credentials too. If enabled for
# troubleshooting, restrict the log file's permissions and revert afterwards.
183 # allowed values: {no, yes}
184 log_auth_badpass = no
185 log_auth_goodpass = no
187 # usercollide: Turn "username collision" code on and off. See the
188 # "duplicate-users" documentation
191 # lower_user / lower_pass:
192 # Lowercase the username/password "before" or "after"
193 # attempting to authenticate.
195 # If "before", the server will first modify the request
196 # and then try to auth the user. If "after", the server
197 # will first auth using the values provided by the
198 # user. If that fails it will reprocess the request
199 # after modifying it as you specify below.
201 # This is as close as we can get to case insensitivity. It is
202 # the admin's job to ensure that the username on the auth
203 # db side is *also* lowercase to make this work
# NOTE(review): lowercasing the password (lower_pass) shrinks the space of
# values that will be accepted, and with "before" the password as typed is
# never tried at all. Prefer 'no' (or 'after') for lower_pass.
205 # Default is 'no' (don't lowercase values)
206 # Valid values = "before" / "after" / "no"
210 # nospace_user / nospace_pass:
211 # Some users like to enter spaces in their username or
212 # password incorrectly. To save yourself the tech support
213 # call, you can eliminate those spaces here:
215 # Default is 'no' (don't remove spaces)
216 # Valid values = "before" / "after" / "no" (explanation above)
221 # PROXY CONFIGURATION
223 # proxy_requests: Turns proxying of RADIUS requests on or off.
225 # The server has proxying turned on by default. If your system is NOT
226 # set up to proxy requests to another server, then you can turn proxying
227 # off here. This will save a small amount of resources on the server.
229 # If you have proxying turned off, and your configuration files say
230 # to proxy a request, then an error message will be logged.
232 # To disable proxying, change the "yes" to "no", and comment the
235 # allowed values: {no, yes}
237 $INCLUDE ${confdir}/proxy.conf
240 # CLIENTS CONFIGURATION
242 # Client configuration is defined in "clients.conf". If you don't
243 # use the "clients.conf", you can comment the following. The use of
244 # "clients.conf" is recommended over the old "clients", though both
247 $INCLUDE ${confdir}/clients.conf
252 # Snmp configuration is only valid if you enabled SNMP support when
253 # you compiled radius. To enable SNMP configuration, uncomment the
255 $INCLUDE ${confdir}/snmp.conf
258 # THREAD POOL CONFIGURATION
260 # The thread pool is a long-lived group of threads which
261 # take turns (round-robin) handling any incoming requests.
264 # You probably want to have a few spare threads around,
265 # so that high-load situations can be handled immediately. If you
266 # don't have any spare threads, then the request handling will
267 # be delayed while a new thread is created, and added to the pool.
269 # You probably don't want too many spare threads around,
270 # otherwise they'll be sitting there taking up resources, and
271 # not doing anything productive.
273 # The numbers given below should be adequate for most situations.
275 # Number of servers to start initially --- should be a reasonable
279 # Limit on the total number of servers running.
281 # If this limit is ever reached, clients will be LOCKED OUT, so it
282 # should NOT BE SET TOO LOW. It is intended mainly as a brake to
283 # keep a runaway server from taking the system with it as it spirals
287 # Server-pool size regulation. Rather than making you guess how many
288 # servers you need, FreeRADIUS dynamically adapts to the load it sees
289 # --- that is, it tries to maintain enough servers to handle the
290 # current load, plus a few spare servers to handle transient load
293 # It does this by periodically checking how many servers are waiting
294 # for a request. If there are fewer than min_spare_servers, it
295 # creates a new spare. If there are more than max_spare_servers, some
296 # of the spares die off. The default values are probably OK for most
298 min_spare_servers = 3
299 max_spare_servers = 10
301 # There may be memory leaks or resource allocation problems with
302 # the server. If so, set this value to 300 or so, so that the
303 # resources will be cleaned up periodically.
305 # This should only be necessary if there are serious bugs in the
306 # server which have not yet been fixed.
308 # '0' is a special value meaning 'infinity', or 'the servers never
310 max_requests_per_server = 0
316 # The name to use for PAM authentication.
317 # PAM looks in /etc/pam.d/${pam_auth_name}
318 # for its configuration.
320 # Note that any Pam-Auth attribute set in the 'users'
321 # file over-rides this one.
327 # Cache /etc/passwd, /etc/shadow, and /etc/group
329 # The default is to NOT cache them. However, caching them can
330 # speed up system authentications by a substantial amount.
# NOTE(review): when caching is on, the password hashes stay resident in the
# server's memory; this is one more reason to leave allow_core_dumps = no.
332 # allowed values: {no, yes}
336 # Define the locations of the normal passwd, shadow, and
339 # 'shadow' is commented out by default, because not all
340 # systems have shadow passwords.
343 # shadow = /etc/shadow
348 # Where the 'wtmp' file is located.
349 # This will be moved to its own module soon..
351 radwtmp = ${logdir}/radwtmp
354 # This module definition allows you to use LDAP for
355 # authorization and authentication (Auth-Type = LDAP)
356 # See doc/rlm_ldap for description of configuration options
357 # and sample authorize{} and authenticate{} blocks
359 server = "ldap.your.domain"
360 # identity = "cn=admin,o=My Org,c=UA"
# NOTE(review): the bind identity, and any bind password configured beside
# it (not shown in this excerpt), are credentials stored in this file; keep
# the file unreadable to other local users. Whether the LDAP connection is
# protected by TLS is also not visible here -- confirm it before user
# passwords are sent to the directory over the network.
362 basedn = "o=My Org,c=UA"
364 # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
365 # profile_attribute = "radiusProfileDn"
366 access_group = "cn=clients,ou=dialup,o=My Org,c=UA"
367 access_attr = "dialupAccess"
368 dictionary_mapping = ${raddbdir}/ldap.attrmap
374 # You can have multiple instances of the realm module to
375 # support multiple realm syntaxes at the same time. The
376 # search order is defined by the order in the authorize and
377 # preacct blocks after the module config block.
379 # Two config options:
380 # format - must be 'prefix' or 'suffix'
381 # delimiter - must be a single character
392 # Using this entry, IPASS users have their realm set to "IPASS".
404 # rewrite arbitrary packets. Useful in accounting and authorization.
405 ## FIXME: This is highly experimental at the moment. Please give
407 #attr_rewrite sanecallerid {
408 # attribute = Called-Station-Id
409 # may be "packet", "reply", or "config"
418 huntgroups = ${confdir}/huntgroups
419 hints = ${confdir}/hints
421 # This hack changes Ascend's weird port numberings
422 # to standard 0-??? port numbers so that the "+" works
423 # for IP address assignments.
424 with_ascend_hack = no
425 ascend_channels_per_line = 23
427 # Windows NT machines often authenticate themselves as
430 # If this is set to 'yes', then the NT_DOMAIN portion
431 # of the user-name is silently discarded.
# NOTE(review): with the domain discarded, the same user-name from two
# different NT domains becomes indistinguishable to this server; only enable
# this where that collision is acceptable.
432 with_ntdomain_hack = no
434 # Specialix Jetstream 8500 24 port access server.
436 # If the user name is 10 characters or longer, a "/"
437 # and the excess characters after the 10th are
438 # appended to the user name.
440 # If you're not running that NAS, you don't need
442 with_specialix_jetstream_hack = no
444 # Cisco sends its VSA attributes with the attribute
445 # name *again* in the string, like:
447 # H323-Attribute = "h323-attribute=value".
449 # If this configuration item is set to 'yes', then
450 # the redundant data in the attribute text is stripped
451 # out. The result is:
453 # H323-Attribute = "value"
455 # If you're not running a Cisco NAS, you don't need
457 with_cisco_vsa_hack = no
461 usersfile = ${confdir}/users
462 acctusersfile = ${confdir}/acct_users
464 # If you want to use the old Cistron 'users' file
465 # with FreeRADIUS, you should change the next line
466 # to 'compat = cistron'. You can then copy your 'users'
471 # See README.rlm_fastusers before using this
472 # module or changing these values.
474 usersfile = ${confdir}/users_fast
477 # Reload the hash every 600 seconds (10mins)
482 # Note that we do NOT use NAS-IP-Address here, as that
483 # attribute MAY BE from the originating NAS, and NOT
484 # from the proxy which actually sent us the request.
485 # The Client-IP-Address attribute is ALWAYS the address
486 # of the client which sent us the request.
488 detailfile = ${radacctdir}/%{Client-IP-Address}/detail
492 # This module will add a (probably) unique session id
493 # to an accounting packet based on the attributes listed
494 # below found in the packet. see doc/README.rlm_acct_unique
496 key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
500 # Include another file that has SQL-related stuff in it.
501 # This is another file solely because it tends to be big.
502 $INCLUDE ${confdir}/sql.conf
506 filename = ${logdir}/radutmp
511 # "Safe" radutmp - does not contain caller ID, so it can be
512 # world-readable, and radwho can work for normal users, without
513 # exposing any information that isn't already exposed by who(1).
515 # This is another instance of the radutmp module, but it is given
516 # the name "sradutmp" to identify it later in the "accounting"
519 filename = ${logdir}/sradutmp
524 # attr_filter - filters the attributes received in replies from
525 # proxy servers, to make sure we send back to the upstream
526 # only allowed attributes.
528 attrsfile = ${confdir}/attrs
531 # This module takes an attribute (count-attribute), which MUST
532 # be an 'integer' or 'time' attribute. It also takes a key,
533 # and creates a counter for each unique key. The count is
534 # incremented when accounting packets are received by the
535 # server. The value of the increment is the value of the
538 # The 'reset' parameter defines when the counters are all reset to
539 # zero. It can be hourly, daily, weekly, or monthly.
541 # The counter-name is the name of the attribute in the 'users'
542 # file used to access that counter. e.g.
544 # DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject
545 # Reply-Message = "You've used up more than one hour today"
547 filename = ${raddbdir}/db.counter
549 count-attribute = Acct-Session-Time
551 counter-name = Daily-Session-Time
552 check-name = Max-Daily-Session
553 allowed-servicetype = Framed-User
557 # The "always" module is here for debugging purposes. Each instance simply
558 # returns the same result, always, without doing anything.
571 # Configuration for the example module. Uncommenting it will cause it
572 # to get loaded and initialized, but should have no real effect as long
573 # it is not referenced in one of the autz/auth/preacct/acct sections
576 # allowed values: {no, yes}
579 # An integer, of any value.
583 string = "This is an example configuration string"
585 # An IP address, either in dotted quad (1.2.3.4) or hostname
591 anotherinteger = 1000
594 string = "This is a different string"
603 # Authorization. First preprocess (hints and huntgroups files),
604 # then realms, and finally look in the "users" file.
605 # The order of the realm modules will determine the order that
606 # we try to find a matching realm.
607 # Make *sure* that 'preprocess' comes before any realm if you
608 # need to setup hints for the remote radius server
618 # Decide whether the supplied auth info is sufficient for access.
622 # By grouping modules together in an authtype block, that authtype will be
623 # tried on each module in sequence until one returns REJECT or OK. This
624 # allows authentication failover if the first SQL server has crashed, for
634 # Pre-accounting. Look for proxy realm in order of realms, then
635 # acct_users file, then preprocess (hints file).
643 # Accounting. Log to detail file, and to the radwtmp file, and maintain
655 # Session database, used for checking Simultaneous-Use. The radutmp module