2 ## radiusd.conf -- FreeRADIUS server configuration file.
4 ## http://www.freeradius.org/
8 # The locations of other config files and
9 # logfiles are declared in this file. Because client shared secrets and module passwords also live here, the file should be readable only by the user radiusd runs as.
11 # Also general configuration for modules can be done
12 # in this file, it is exported through the API to
13 # modules that ask for it.
18 exec_prefix = @exec_prefix@
19 sysconfdir = @sysconfdir@
20 localstatedir = @localstatedir@
25 radacctdir = @radacctdir@
28 # Location of config and logfiles.
32 run_dir = ${localstatedir}/run
35 # pidfile: Where to place the PID of the RADIUS server.
37 # The server may be signalled while it's running by using this
40 # e.g.: kill -HUP `cat /var/run/radiusd.pid`. Keep ${run_dir} writable only by the user the server runs as: whoever can rewrite the pidfile chooses which process that signal is delivered to.
42 pidfile = ${run_dir}/radiusd.pid
45 # max_request_time: The maximum time (in seconds) to handle a request.
47 # Requests which take more time than this to process are killed, and
48 # a REJECT message is returned.
50 # Useful range of values: 5 to 120
55 # cleanup_delay: The time to wait (in seconds) before cleaning up
56 # a reply which was sent to the NAS.
58 # The RADIUS request is normally cached internally for a short period
59 # of time, after the reply is sent to the NAS. The reply packet may be
60 # lost in the network, and the NAS will not see it. The NAS will then
61 # re-send the request, and the server will respond quickly with the
64 # If this value is set too low, then duplicate requests from the NAS
65 # MAY NOT be detected, and will instead be handled as separate requests.
67 # If this value is set too high, then the server will cache too many
68 # requests, and some new requests may get blocked. (See 'max_requests'.)
70 # Useful range of values: 2 to 10
75 # max_requests: The maximum number of requests which the server keeps
76 # track of. This should be 256 multiplied by the number of clients.
77 # e.g. With 4 clients, this number should be 1024.
79 # If this number is too low, then when the server becomes busy,
80 # it will not respond to any new requests, until the 'cleanup_delay'
81 # time has passed, and it has removed the old requests.
83 # If this number is set too high, then the server will use a bit more
84 # memory for no real benefit.
86 # If you aren't sure what it should be set to, it's better to set it
87 # too high than too low. Setting it to 1000 per client is probably
88 # the highest it should be.
90 # Useful range of values: 256 to infinity
95 # bind_address: Make the server listen on a particular IP address, and
96 # send replies out from that address. This directive is most useful
97 # for machines with multiple IP addresses on one interface. On a multi-homed host, prefer binding to the address your NASes actually reach rather than "*", so the server is not also listening on interfaces that face untrusted networks.
99 # It can either contain "*", or an IP address, or a fully qualified
100 # Internet domain name. The default is "*"
105 # port: Allows you to bind FreeRADIUS to a specific port.
107 # The default port that most NAS boxes use is 1645, which is historical.
108 # RFC 2138 defines 1812 to be the new port. Many new servers and
109 # NAS boxes use 1812, which can create interoperability problems.
111 # The port is defined here to be 0 so that the server will pick up
112 # the machine's local configuration for the radius port, as defined
115 # If you want to use the default RADIUS port as defined on your server,
116 # (usually through 'grep radius /etc/services') set this to 0 (zero).
118 # A port given on the command-line via '-p' over-rides this one.
123 # Which program to execute when doing concurrency (Simultaneous-Use) checks.
125 checkrad = ${sbindir}/checkrad
128 # hostname_lookups: Log the names of clients or just their IP addresses,
129 # e.g., www.freeradius.org (on) or 206.47.27.232 (off). Names come from reverse DNS and are only as trustworthy as that DNS, so prefer addresses for audit logs.
130 # The default is off because it'd be overall better for the net if people
131 # had to knowingly turn this feature on, since enabling it means that
132 # each client request will result in AT LEAST one lookup request to the
135 # Turning hostname lookups off also means that the server won't block
136 # for 30 seconds, if it sees an IP address which has no name associated
139 # allowed values: {no, yes}
141 hostname_lookups = no
144 # Core dumps are a bad thing: a core file can contain the shared secrets and user passwords the server was handling in the clear. This should only be set to 'yes'
145 # if you're debugging a problem with the server, and the resulting core files should be deleted afterwards.
147 # allowed values: {no, yes}
149 allow_core_dumps = no
152 # Log the full User-Name attribute, as it was found in the request.
154 # allowed values: {no, yes}
156 log_stripped_names = no
159 # Log authentication requests to the log file.
161 # allowed values: {no, yes}
166 # Log passwords with the authentication requests. This writes user passwords in clear text to the log file; leave it off except for short, controlled debugging sessions.
168 # allowed values: {no, yes}
173 # proxy_requests: Turns proxying of RADIUS requests on or off.
175 # The server has proxying turned on by default. If your system is NOT
176 # set up to proxy requests to another server, then you can turn proxying
177 # off here. This will save a small amount of resources on the server.
179 # If you have proxying turned off, and your configuration files say
180 # to proxy a request, then an error message will be logged.
182 # allowed values: {no, yes}
186 #######################################################################
190 # NOTE: This part will only work if your radiusd is compiled with SNMP
193 # smux_password: Password used for SMUX registration.
195 # Specifies password used when connecting to the SNMP master agent.
196 # This must match the password as configured on the agent. The OID
197 # used to register the radius subagent is 1.3.6.1.4.1.3317.1.3.1.
198 # A sample entry for the ucd-snmp daemon looks like this:
200 # smuxpeer .1.3.6.1.4.1.3317.1.3.1 verysecret
202 # A sample entry for AIX 4.3 is:
204 # smux 1.3.6.1.4.1.3317.1.3.1 verysecret
206 # The default password is an empty password. If you enable the SNMP subagent, set a real password here and on the master agent (the "verysecret" samples above are placeholders, not values to ship).
208 #smux_password = verysecret
212 # Controls if write access to the radiusd via SNMP is enabled or not.
213 # Set this value to yes, if you want to be able to reload radiusd from
214 # your network management station.
216 # For this to work, you also have to make sure that your master agent
217 # is configured to allow SNMP set requests. This setting defaults to no for security reasons:
218 # enabling it lets anyone who can issue set requests to the master agent reload the server.
220 # allowed values: {no, yes}
222 #snmp_write_access = no
224 #######################################################################
226 # Proxy server configuration
228 # This entry controls the servers behaviour towards ALL other servers
229 # to which it sends proxy requests.
234 # If the NAS re-sends the request to us, we can immediately re-send
235 # the proxy request to the end server. To do so, use 'yes' here.
237 # If this is set to 'no', then we send the retries on our own schedule,
238 # and ignore any duplicate NAS requests.
240 # If you want to have the server send proxy retries ONLY when the NAS
241 # sends it's retries to the server, then set this to 'yes', and
242 # set the other proxy configuration parameters to 0 (zero).
244 # allowed values: {no, yes}
249 # After sending a proxied request to the end server, we wait
250 # 'retry_delay' seconds for the response. If we do not receive a response
251 # from the end server within that time, then the proxy request is sent
252 # again to the end server. We then wait another retry_delay.
254 # If this timeout is set too high, then the NAS *may* give up on the
255 # request before we send a reply back to it. Most NAS boxes will give up
256 # on requests within 30 seconds.
258 # If this timeout is set too low, then the end server may not have time
259 # to finish processing the request, before it receives the retry. Many
260 # radius servers can take 2-3 seconds to process a request.
265 # The number of times we send retry packets to the end server.
266 # If we send 'retry_count' packets without receiving a response,
267 # then we give up on that server, and return a rejection
268 # message to the NAS.
273 #######################################################################
275 # Thread pool configuration.
277 # The thread pool is a long-lived group of threads which
278 # take turns (round-robin) handling any incoming requests.
281 # You probably want to have a few spare threads around,
282 # so that high-load situations can be handled immediately. If you
283 # don't have any spare threads, then the request handling will
284 # be delayed while a new thread is created, and added to the pool.
286 # You probably don't want too many spare threads around,
287 # otherwise they'll be sitting there taking up resources, and
288 # not doing anything productive.
290 # The numbers given below should be adequate for most situations.
295 # Number of servers to start initially --- should be a reasonable ballpark
301 # Limit on the total number of servers running.
303 # If this limit is ever reached, clients will be LOCKED OUT, so it
304 # should NOT BE SET TOO LOW. It is intended mainly as a brake to
305 # keep a runaway server from taking the system with it as it spirals
311 # Server-pool size regulation. Rather than making you guess how many
312 # servers you need, FreeRADIUS dynamically adapts to the load it
313 # sees --- that is, it tries to maintain enough servers to
314 # handle the current load, plus a few spare servers to handle transient
317 # It does this by periodically checking how many servers are waiting
318 # for a request. If there are fewer than min_spare_servers, it creates
319 # a new spare. If there are more than max_spare_servers, some of the
320 # spares die off. The default values are probably OK for most sites.
322 min_spare_servers = 3
323 max_spare_servers = 10
326 # There may be memory leaks or resource allocation problems with
327 # the server. If so, set this value to 300 or so, so that the
328 # resources will be cleaned up periodically.
330 # This should only be necessary if there are serious bugs in the
331 # server which have not yet been fixed.
333 # '0' is a special value meaning 'infinity', or 'the servers never exit'
335 max_requests_per_server = 0
338 #######################################################################
340 # Definition of a NAS or a client.
342 # The information given here is in ADDITION to the 'clients' file.
344 # If this is defined as "client foo" then the hostname/ipaddr "foo"
345 # will be looked up according to the source IP address of the radius
346 # request packet, and the secret here will be used to check the
347 # integrity of the request. Give each client its own strong secret rather than sharing one across NASes.
349 # If this is defined as "nas foo" then foo will be looked up first
350 # as the NAS-IP-Address in the radius request, then as the NAS-Ident
351 # in the radius request.
353 # Normally you'd use "client" unless the request came in through a
354 # proxy server and you want to define a short name for the NAS
355 # for logging purposes, or you want to do a "checkrad" back to the
356 # original NAS and not to the proxy radius server!
358 # The "shortname" can be used for logging, and the "vendor",
359 # "type", "login" and "password" fields are mainly used for checkrad, which logs in to the NAS with them; treat them as NAS admin credentials and keep this file's permissions tight.
364 shortname = localhost
367 #client some.host.org {
368 # secret = testing123
369 # shortname = localhost
374 # secret and password are mapped through the "secrets" file.
378 # Type should extend to the line type, because of the "hole".
379 #Line#/T S Port SNMP Port
380 #-------------------------
387 #And C0 is 96 in Radius.
388 type = pm3-eur # pm3-i23 pm3-ct24 pm3-i30
390 password = someadminpas
393 #######################################################################
395 # Configuration for the proxy module.
397 # The information given here is in ADDITION to the 'realms' file.
401 # authhost = radius.isp2.com:1645
402 # accthost = radius.isp2.com:1646
405 # utmpfile += /var/log/radutmp.isp2
406 # wtmpfile += /var/log/radwtmp.isp2
407 # detailfile += /var/log/radacct/isp2/detail
412 # authhost = radius.company.com:1600
413 # accthost = radius.company.com:1601
414 # secret = testing123
421 # secret = testing123
426 # authhost = radius.company.com:1600
427 # accthost = radius.company.com:1601
428 # secret = testing123
435 # No config options for this yet
439 # Cache /etc/passwd, /etc/shadow, and /etc/group
441 # The default is to NOT cache them. However, caching them can
442 # speed up system authentications by a substantial amount. Cached shadow entries are then held in the server's memory, so keep allow_core_dumps = no if you turn this on.
444 # allowed values: {no, yes}
448 # Define the locations of the normal passwd, shadow, and
451 # 'shadow' is commented out by default, because not all
452 # systems have shadow passwords.
455 # shadow = /etc/shadow
459 # Uncomment this if you want to use ldap (Auth-Type = LDAP). Bind with a DN that has only the read access the lookups need, rather than the directory administrator shown in the sample below.
460 # Also uncomment it in the authenticate{} block below
463 # login = "cn=admin,o=My Org,c=US"
465 # basedn = "o=My Org,c=US"
466 # filter = "(uid=%u)"
470 # No config options for this yet
473 # No config options for this yet
476 usersfile = ${confdir}/users
477 acctusersfile = ${confdir}/acct_users
480 # If you want to use the old Cistron 'users' file
481 # with FreeRADIUS, you should change the next line
482 # to 'compat = cistron'. You can then copy your 'users'
488 detailfile = %A/%n/detail
492 # This module will add a (probably) unique session id
493 # to an accounting packet based on the attributes listed
494 # below found in the packet. see doc/README.rlm_acct_unique
496 key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Port-Id"
501 # Configuration for the SQL module. Use a dedicated database account limited to the tables listed below, not the database root account, and replace the sample password before deployment.
508 password = "rootpass"
510 # Database table configuration
512 acct_table = "radacct"
514 authcheck_table = "radcheck"
515 authreply_table = "radreply"
517 groupcheck_table = "radgroupcheck"
518 groupreply_table = "radgroupreply"
520 usergroup_table = "usergroup"
522 realms_table = "realms"
523 realmgroup_table = "realmgroup"
525 # Whether usernames are compared case-sensitively ('no' treats differently-cased spellings as the same user)
526 sensitiveusername = no
528 # Remove stale session if checkrad does not see a double login
529 deletestalesessions = yes
531 # Print all SQL statements when in debug mode (-x). The printed statements can include user attribute values, so do not leave debug output in world-readable logs.
536 # A second instance of the same module, with the name "sql2" to identify it. The same advice applies: a least-privilege database account and a real password, not the sample values.
541 server = "myothersever"
543 password = "rootpass"
545 # Database table configuration
547 acct_table = "radacct"
549 authcheck_table = "radcheck"
550 authreply_table = "radreply"
552 groupcheck_table = "radgroupcheck"
553 groupreply_table = "radgroupreply"
555 usergroup_table = "usergroup"
557 realms_table = "realms"
558 realmgroup_table = "realmgroup"
560 # Check case on usernames
561 sensitiveusername = no
563 # Remove stale session if checkrad does not see a double login
564 deletestalesessions = yes
566 # Print all SQL statements when in debug mode (-x)
570 #######################################################################
572 # Configuration for the example module. Uncommenting it will cause it
573 # to get loaded and initialized, but should have no real effect as long as
574 # it is not referenced in one of the autz/auth/preacct/acct sections
580 # allowed values: {no, yes}
585 # An integer, of any value.
592 string = "This is an example configuration string"
595 # An IP address, either in dotted quad (1.2.3.4) or hostname
604 anotherinteger = 1000
609 string = "This is a different string"
615 # Authentication types, Auth-Type = System and PAM for now.
619 # By grouping modules together in an authtype block, that authtype will be
620 # tried on each module in sequence until one returns REJECT or OK. This
621 # allows authentication failover if the first SQL server has crashed, for
627 # Uncomment this if you want to use ldap (Auth-Type = LDAP)
631 # Authorization. First preprocess (hints and huntgroups files),
632 # then realms, and finally look in the "users" file.
633 # Make *sure* that 'preprocess' comes before 'realm' if you
634 # need to setup hints for the remote radius server
641 # Pre-accounting. Look for proxy realm, first with the @suffix rule, then the
642 # acct_users file, then preprocess (hints file).
649 # Accounting. Log to detail file, and to the radwtmp file.
656 # Session database, used for checking Simultaneous-Use. The radutmp module