2 ## radiusd.conf -- FreeRADIUS server configuration file.
4 ## http://www.freeradius.org/
8 # The location of other config files and
9 # logfiles are declared in this file
11 # Also general configuration for modules can be done
12 # in this file, it is exported through the API to
13 # modules that ask for it.
18 exec_prefix = @exec_prefix@
19 sysconfdir = @sysconfdir@
20 localstatedir = @localstatedir@
25 radacctdir = @radacctdir@
28 # Location of config and logfiles.
33 run_dir = ${localstatedir}/run
36 # pidfile: Where to place the PID of the RADIUS server.
38 # The server may be signalled while it's running by using this
41 # e.g.: kill -HUP `cat /var/run/radiusd.pid`
43 pidfile = ${run_dir}/radiusd.pid
46 # max_request_time: The maximum time (in seconds) to handle a request.
48 # Requests which take more time to process than this are killed, and
49 # a REJECT message is returned.
54 # cleanup_delay: The time to wait (in seconds) before cleaning up
55 # a reply which was already sent to the NAS. If it is set too low,
56 # then duplicate requests from the NAS MAY NOT be detected,
57 # and will instead be handled as separate requests.
62 # max_requests: The maximum number of requests which the server keeps
63 # track of. This should be 256 multiplied by the number of clients.
64 # e.g. With 4 clients, this number should be 1024.
66 # If this number is too low, then when the server becomes busy,
67 # it will not respond to any new requests, until the 'cleanup_delay'
68 # time has passed, and it has removed the old requests.
70 # If this number is set too high, then the server will use a bit more
71 # memory for no real benefit.
73 # If you aren't sure what it should be set to, it's better to set it
74 # too high than too low. Setting it to 1000 per client is probably
75 # the highest it should be.
80 # bind_address: Make the server listen on a particular IP address, and
81 # send replies out from that address. This directive is most useful
82 # for machines with multiple IP addresses on one interface.
84 # It can either contain "*", or an IP address, or a fully qualified
85 # Internet domain name. The default is "*"
90 # port: Allows you to bind FreeRADIUS to a specific port.
92 # The default port that most NAS boxes use is 1645, which is historical.
93 # RFC 2138 defines 1812 to be the new port. Many new servers and
94 # NAS boxes use 1812, which can create interoperability problems.
96 # The port is defined here to be 1645, for backwards compatibility.
97 # It is commented out so that the server will pick up the machine's
98 # local configuration for the radius port, as defined in /etc/services.
100 # If you want to use the default RADIUS port as defined on your server,
101 # (usually through 'grep radius /etc/services') set this to 0 (zero).
103 # A port given on the command-line via '-p' overrides this one.
108 # Where the utmp and wtmp style log files go.
110 utmpfile = ${log_dir}/radutmp
111 wtmpfile = ${log_dir}/radutmp
114 # Each NAS may be given its own 'detail' directory.
116 detailfile = ${radacctdir}/%n/detail
119 # Which program to execute when doing concurrency checks.
121 checkrad = ${sbindir}/checkrad
124 # Core dumps are a bad thing, since a dump of the server's memory can expose shared secrets and user credentials. This should only be set to 'yes'
125 # if you're debugging a problem with the server.
127 # allowed values: {no, yes}
129 allow_core_dumps = no
132 # Log the full User-Name attribute, as it was found in the request.
134 # allowed values: {no, yes}
136 log_stripped_names = no
139 # Log authentication requests to the log file.
141 # allowed values: {no, yes}
146 # Log passwords with the authentication requests.
148 # allowed values: {no, yes}
153 # proxy_requests: Turns proxying of RADIUS requests on or off.
155 # The server has proxying turned on by default. If your system is NOT
156 # set up to proxy requests to another server, then you can turn proxying
157 # off here. This will save a small amount of resources on the server.
159 # If you have proxying turned off, and your configuration files say
160 # to proxy a request, then an error message will be logged.
162 # allowed values: {no, yes}
166 #######################################################################
168 # Proxy server configuration
170 # This entry controls the server's behaviour towards ALL other servers
171 # to which it sends proxy requests.
176 # If the NAS re-sends the request to us, we can immediately re-send
177 # the proxy request to the end server. To do so, use 'yes' here.
179 # If this is set to 'no', then we send the retries on our own schedule,
180 # and ignore any duplicate NAS requests.
182 # If you want to have the server send proxy retries ONLY when the NAS
183 # sends its retries to the server, then set this to 'yes', and
184 # set the other proxy configuration parameters to 0 (zero).
189 # The time (in seconds) to wait for a response from the proxy, before
190 # re-sending the proxied request.
192 # If this time is set too high, then the NAS may re-send the request,
193 # or it may give up entirely, and reject the user.
195 # If it is set too low, then the RADIUS server which receives the proxy
196 # request will get kicked unnecessarily.
201 # The number of retries to send before giving up, and sending a reject
202 # message to the NAS.
207 #######################################################################
209 # Thread pool configuration.
211 # The thread pool is a long-lived group of threads which
212 # take turns (round-robin) handling any incoming requests.
215 # You probably also want to have a few spare threads around,
216 # so that high-load situations can be handled immediately. If you
217 # don't have any spare threads, then the request handling will
218 # be delayed while a new thread is created, and added to the pool.
220 # You probably don't want too many spare threads around,
221 # otherwise they'll be sitting there taking up resources, and
222 # not doing anything productive.
224 # The numbers given below should be adequate for most situations.
229 # Number of servers to start initially --- should be a reasonable ballpark
235 # Limit on the total number of servers running.
237 # If this limit is ever reached, clients will be LOCKED OUT, so it
238 # should NOT BE SET TOO LOW. It is intended mainly as a brake to
239 # keep a runaway server from taking the system with it as it spirals
245 # Server-pool size regulation. Rather than making you guess how many
246 # servers you need, FreeRADIUS dynamically adapts to the load it
247 # sees --- that is, it tries to maintain enough servers to
248 # handle the current load, plus a few spare servers to handle transient
251 # It does this by periodically checking how many servers are waiting
252 # for a request. If there are fewer than min_spare_servers, it creates
253 # a new spare. If there are more than max_spare_servers, some of the
254 # spares die off. The default values are probably OK for most sites.
256 min_spare_servers = 3
257 max_spare_servers = 10
260 # There may be memory leaks or resource allocation problems with
261 # the server. If so, set this value to 300 or so, so that the
262 # resources will be cleaned up periodically.
264 # This should only be necessary if there are serious bugs in the
265 # server which have not yet been fixed.
267 # '0' is a special value meaning 'infinity', or 'the servers never exit'
269 max_requests_per_server = 0
272 #######################################################################
274 # Definition of a NAS or a client.
276 # The information given here is in ADDITION to the 'clients' file.
278 # If this is defined as "client foo" then the hostname/ipaddr "foo"
279 # will be looked up according to the source IP address of the radius
280 # request packet, and the secret here will be used to check the
281 # integrity of the request.
283 # If this is defined as "nas foo" then foo will be looked up first
284 # as the NAS-IP-Address in the radius request, then as the NAS-Ident
285 # in the radius request.
287 # Normally you'd use "client" unless the request came in through a
288 # proxy server and you want to define a short name for the NAS
289 # for logging purposes, or you want to do a "checkrad" back to the
290 # original NAS and not to the proxy radius server!
292 # The "shortname" can be used for logging, and the "vendor",
293 # "type", "login" and "password" fields are mainly used for checkrad.
298 shortname = localhost
301 #client some.host.org {
302 # secret = testing123
303 # shortname = localhost
308 # secret and password are mapped through the "secrets" file.
312 # Type should extend to the line type, because of the "hole".
313 #Line#/T S Port SNMP Port
314 #-------------------------
321 #And C0 is 96 in Radius.
322 type = pm3-eur # pm3-i23 pm3-ct24 pm3-i30
324 password = someadminpas
327 #######################################################################
329 # Configuration for the proxy module.
331 # The information given here is in ADDITION to the 'realms' file.
335 # authhost = radius.isp2.com:1645
336 # accthost = radius.isp2.com:1646
339 # utmpfile += /var/log/radutmp.isp2
340 # wtmpfile += /var/log/radwtmp.isp2
341 # detailfile += /var/log/radacct/isp2/detail
346 # authhost = radius.company.com:1600
347 # accthost = radius.company.com:1601
348 # secret = testing123
355 # secret = testing123
360 # No config options for this yet
364 # Cache /etc/passwd, /etc/shadow, and /etc/group
366 # The default is to NOT cache them. However, caching them can
367 # speed up system authentications by a substantial amount.
369 # allowed values: {no, yes}
373 # Define the locations of the normal passwd, shadow, and
376 # 'shadow' is commented out by default, because not all
377 # systems have shadow passwords.
380 # shadow = /etc/shadow
384 # Uncomment this if you want to use ldap (Auth-Type = LDAP)
385 # Also uncomment it in the authenticate{} block below
388 # login = "cn=admin,o=My Org,c=US"
390 # basedn = "o=My Org,c=US"
391 # filter = "(uid=%u)"
395 # No config options for this yet
398 # No config options for this yet
401 usersfile = ${confdir}/users
402 acctusersfile = ${confdir}/acct_users
407 # Configuration for the SQL module.
414 password = "rootpass"
416 # Database table configuration
418 acct_table = "radacct"
420 authcheck_table = "radcheck"
421 authreply_table = "radreply"
423 groupcheck_table = "radgroupcheck"
424 groupreply_table = "radgroupreply"
426 usergroup_table = "usergroup"
428 realms_table = "realms"
429 realmgroup_table = "realmgroup"
431 # Check case on usernames
432 sensitiveusername = no
434 # Remove stale session if checkrad does not see a double login
435 deletestalesessions = yes
437 # Print all SQL statements when in debug mode (-x)
442 # A second instance of the same module, with the name "sql2" to identify it
447 server = "myothersever"
449 password = "rootpass"
451 # Database table configuration
453 acct_table = "radacct"
455 authcheck_table = "radcheck"
456 authreply_table = "radreply"
458 groupcheck_table = "radgroupcheck"
459 groupreply_table = "radgroupreply"
461 usergroup_table = "usergroup"
463 realms_table = "realms"
464 realmgroup_table = "realmgroup"
466 # Check case on usernames
467 sensitiveusername = no
469 # Remove stale session if checkrad does not see a double login
470 deletestalesessions = yes
472 # Print all SQL statements when in debug mode (-x)
476 #######################################################################
478 # Configuration for the example module. Uncommenting it will cause it
479 # to get loaded and initialized, but should have no real effect as long
480 # it is not referenced in one of the autz/auth/preacct/acct sections
486 # allowed values: {no, yes}
491 # An integer, of any value.
498 string = "This is an example configuration string"
501 # An IP address, either in dotted quad (1.2.3.4) or hostname
510 anotherinteger = 1000
515 string = "This is a different string"
521 # Authentication types, Auth-Type = System and PAM for now.
527 # Uncomment this if you want to use ldap (Auth-Type = LDAP)
531 # Authorization. First preprocess (hints and huntgroups files),
532 # then look in the "users" file.
539 # Pre-accounting. Look for proxy realm, first with the @suffix rule, then the
540 # acct_users file, then preprocess (hints file).
547 # Accounting. Log to detail file, and to the radwtmp file.