4 ######################################################################
6 # Read "man radiusd" before editing this file. See the section
7 # titled DEBUGGING. It outlines a method where you can quickly
8 # obtain the configuration you want, without running into
9 # trouble. See also "man unlang", which documents the format
13 # This file represents a server that is implementing an identity
14 # provider for GSS-EAP (RFC 7055) using the trust router protocol for
15 # dynamic realm discovery. Any ABFAB identity provider is also an
16 # ABFAB relying party proxy.
26 clients = radsec-abfab
28 private_key_password = whatever
29 # Moonshot tends to distribute certs separately from keys
30 private_key_file = ${certdir}/server.key
31 certificate_file = ${certdir}/server.pem
32 ca_file = ${cadir}/ca.pem
33 dh_file = ${certdir}/dh
36 cipher_list = "DEFAULT"
43 require_client_cert = yes
46 psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{tls-psk-identity}';}"
63 # If you intend to use CUI, require that the Operator-Name
64 # be set for CUI generation, and also want to generate CUI
65 # for your local clients, then uncomment the operator-name
66 # below and set the operator-name for your clients in clients.conf
70 # If you want to generate CUI for some clients that do not
71 # send proper CUI requests, then uncomment the
72 # cui below and set "add_cui = yes" for these clients in clients.conf
85 # Autz-Type Status-Server {
91 # Allow EAP authentication.
95 # Session database, used for checking Simultaneous-Use. Either the radutmp
96 # or rlm_sql module can handle this.
97 # The rlm_sql module is *much* faster
102 # See "Simultaneous Use Checking Queries" in sql.conf
107 # Post-Authentication
108 # Once we KNOW that the user has been authenticated, there are
109 # additional steps we can take.
111 # Create the CUI value and add the attribute to Access-Accept.
112 # Uncomment the line below if *returning* the CUI.
116 # If you want to have a log of authentication replies,
117 # un-comment the following line, and enable the
118 # 'detail reply_log' module.
121 # After authenticating the user, do another SQL query.
123 # See "Authentication Logging Queries" in sql.conf
127 # Instead of sending the query to the SQL server,
128 # write it into a log file.
133 # Un-comment the following if you want to modify the user's object
134 # in LDAP after a successful login.
138 # For Exec-Program and Exec-Program-Wait
140 # Remove reply message if the response contains an EAP-Message
141 remove_reply_message_if_eap
142 # Access-Reject packets are sent through the REJECT sub-section of the
145 # Add the ldap module name (or instance) if you have set
146 # 'edir_account_policy_check = yes' in the ldap module configuration
148 Post-Auth-Type REJECT {
149 # log failed authentications in SQL, too.
151 attr_filter.access_reject
153 # Insert EAP-Failure message if the request was
154 # rejected by policy instead of because of an
155 # authentication failure
158 # Remove reply message if the response contains an EAP-Message
159 remove_reply_message_if_eap
163 # When the server decides to proxy a request to a home server,
164 # the proxied request is first passed through the pre-proxy
165 # stage. This stage can re-write the request, or decide to
168 # Only a few modules currently have this method.
171 # Before proxying the request, add an Operator-Name attribute
172 # if an operator-name is found for this client.
173 # No need to uncomment this if you have already enabled this in
174 # the authorize section.
178 # The client requests the CUI by sending a CUI attribute
179 # containing one zero byte.
180 # Uncomment the line below if *requesting* the CUI.
183 # Uncomment the following line if you want to change attributes
184 # as defined in the preproxy_users file.
187 # Uncomment the following line if you want to filter requests
188 # sent to remote servers based on the rules defined in the
189 # 'attrs.pre-proxy' file.
190 # attr_filter.pre-proxy
192 # If you want to have a log of packets proxied to a home
193 # server, un-comment the following line, and the
194 # 'detail pre_proxy_log' section, above.
198 # When the server receives a reply to a request it proxied
199 # to a home server, the request may be massaged here, in the
204 # If you want to have a log of replies from a home server,
205 # un-comment the following line, and the 'detail post_proxy_log'
209 # Uncomment the following line if you want to filter replies from
210 # remote proxies based on the rules defined in the 'attrs' file.
211 # attr_filter.post-proxy
214 # If you are proxying LEAP, you MUST configure the EAP
215 # module, and you MUST list it here, in the post-proxy
218 # You MUST also use the 'nostrip' option in the 'realm'
219 # configuration. Otherwise, the User-Name attribute
220 # in the proxied request will not match the user name
221 # hidden inside of the EAP packet, and the end server will
222 # reject the EAP request.
227 # If the server tries to proxy a request and fails, then the
228 # request is processed through the modules in this section.
230 # The main use of this section is to permit robust proxying
231 # of accounting packets. The server can be configured to
232 # proxy accounting packets as part of normal processing.
233 # Then, if the home server goes down, accounting packets can
234 # be logged to a local "detail" file, for processing with
235 # radrelay. When the home server comes back up, radrelay
236 # will read the detail file, and send the packets to the
239 # With this configuration, the server always responds to
240 # Accounting-Requests from the NAS, but only writes
241 # accounting packets to disk if the home server is down.
243 # Post-Proxy-Type Fail {