## vmpsd.conf -- FreeRADIUS VMPS server configuration file.
## http://www.freeradius.org/
# This configuration file is for a stand-alone VMPS server that
# does not do RADIUS. For an integrated radius + vmps server,
# edit "radiusd.conf", and add two sections to it:
# See the text below for additional documentation on those two
# The location of other config files and
# logfiles are declared in this file
# Also general configuration for modules can be done
# in this file, it is exported through the API to
# modules that ask for it.
# The configuration variables defined here are of the form ${foo}
# They are local to this file, and do not change from request to
# The per-request variables are of the form %{Attribute-Name}, and
# are taken from the values of the attribute in the incoming
# request. See 'doc/variables.txt' for more information.
# Standard includes, etc.
# FIXME: to make this work: prefix, etc. See radiusd.conf...
exec_prefix = @exec_prefix@
sysconfdir = @sysconfdir@
localstatedir = @localstatedir@
radacctdir = @radacctdir@
# The logging messages for the server are appended to the
log_file = ${logdir}/vmpsd.log
# Destination for log messages. This can be one of:
# files - log to ${log_file}, as defined above.
# syslog - to syslog (see also the log{} section, below)
# stdout - standard output
# stderr - standard error.
# The command-line option "-X" over-rides this option, and forces
# logging to go to stdout.
log_destination = files
# libdir: Where to find the rlm_* modules.
# This should be automatically set at configuration time.
# If the server builds and installs, but fails at execution time
# with an 'undefined symbol' error, then you can use the libdir
# directive to work around the problem.
# The cause is usually that a library has been installed on your
# system in a place where the dynamic linker CANNOT find it. When
# executing as root (or another user), your personal environment MAY
# be set up to allow the dynamic linker to find the library. When
# executing as a daemon, FreeRADIUS MAY NOT have the same
# personalized configuration.
# To work around the problem, find out which library contains that symbol,
# and add the directory containing that library to the end of 'libdir',
# with a colon separating the directory names. NO spaces are allowed.
# e.g. libdir = /usr/local/lib:/opt/package/lib
# You can also try setting the LD_LIBRARY_PATH environment variable
# in a script which starts the server.
# If that does not work, then you can re-configure and re-build the
# server to NOT use shared libraries, via:
# ./configure --disable-shared
# pidfile: Where to place the PID of the RADIUS server.
# The server may be signalled while it's running by using this
# This file is written when ONLY running in daemon mode.
# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
pidfile = ${run_dir}/vmpsd.pid
# user/group: The name (or #number) of the user/group to run vmpsd as.
# If these are commented out, the server will run as the user/group
# that started it. In order to change to a different user/group, you
# MUST be root (or have root privileges) to start the server.
# We STRONGLY recommend that you run the server with as few permissions
# as possible. That is, if you're not using shadow passwords, the
# user and group items below should be set to 'nobody'.
# On SCO (ODT 3) use "user = nouser" and "group = nogroup".
# NOTE that some kernels refuse to setgid(group) when the value of
# (unsigned)group is above 60000; don't use group nobody on these systems!
# On systems with shadow passwords, you might have to set 'group = shadow'
# for the server to be able to read the shadow password file. If you can
# authenticate users while in debug mode, but not in daemon mode, it may be
# that the debugging mode server is running as a user that can read the
# shadow info, and the user listed below can not.
# max_request_time: The maximum time (in seconds) to handle a request.
# Requests which take more time than this to process may be killed, and
# a REJECT message is returned.
# WARNING: If you notice that requests take a long time to be handled,
# then this MAY INDICATE a bug in the server, in one of the modules
# used to handle a request, OR in your local configuration.
# This problem is most often seen when using an SQL database. If it takes
# more than a second or two to receive an answer from the SQL database,
# then it probably means that you haven't indexed the database. See your
# SQL server documentation for more information.
# Useful range of values: 5 to 120
max_request_time = 30
# cleanup_delay: The time to wait (in seconds) before cleaning up
# a reply which was sent to the NAS.
# The VMPS request is normally cached internally for a short period
# of time, after the reply is sent to the NAS. The reply packet may be
# lost in the network, and the NAS will not see it. The NAS will then
# re-send the request, and the server will respond quickly with the
# If this value is set too low, then duplicate requests from the NAS
# MAY NOT be detected, and will instead be handled as separate requests.
# If this value is set too high, then the server will cache too many
# requests, and some new requests may get blocked. (See 'max_requests'.)
# Useful range of values: 2 to 10
# listen: Make the server listen on a particular IP address, and send
# replies out from that address. This directive is most useful for
# hosts with multiple IP addresses on one interface.
# If you want the server to listen on additional addresses, or on
# additional ports, you can use multiple "listen" sections.
# Each section makes the server listen for only one type of packet,
# therefore authentication and accounting have to be configured in
# different sections.
# The server ignores all "listen" sections if you are using '-i' and '-p'
# on the command line.
# IP address on which to listen.
# Allowed values are:
# dotted quad (1.2.3.4)
# hostname (radius.example.com)
# OR, you can use an IPv6 address, but not both
# ipv6addr = :: # any. ::1 == localhost
# Port on which to listen.
# Allowed values are:
# integer port number
# 1589 is the default VMPS port.
# Type of packets to listen for. Use "vmps" for VMPSd.
# Some systems support binding to an interface, in addition
# to the IP address. This feature isn't strictly necessary,
# but for sites with many IP addresses on one interface,
# it's useful to say "listen on all addresses for eth0".
# If your system does not support this feature, you will
# get an error if you try to use it.
# Per-socket lists of clients. This is a very useful feature.
# The name here is a reference to a section elsewhere in
# radiusd.conf, or clients.conf. Having the name as
# a reference allows multiple sockets to use the same
# If this configuration is used, then the global list of clients
# is IGNORED for this "listen" section. Take care configuring
# this feature, to ensure you don't accidentally disable a
# See clients.conf for the configuration of "per_socket_clients".
# clients = per_socket_clients
# hostname_lookups: Log the names of clients or just their IP addresses
# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
# The default is 'off' because it would be overall better for the net
# if people had to knowingly turn this feature on, since enabling it
# means that each client request will result in AT LEAST one lookup
# request to the nameserver. Enabling hostname_lookups will also
# mean that your server may stop randomly for 30 seconds from time
# to time, if the DNS requests take too long.
# Turning hostname lookups off also means that the server won't block
# for 30 seconds, if it sees an IP address which has no name associated
# allowed values: {no, yes}
hostname_lookups = no
# Core dumps are a bad thing. This should only be set to 'yes'
# if you're debugging a problem with the server.
# allowed values: {no, yes}
allow_core_dumps = no
# Regular expressions
# These items are set at configure time. If they're set to "yes",
# then setting them to "no" turns off regular expression support.
# If they're set to "no" at configure time, then setting them to "yes"
# WILL NOT WORK. It will give you an error.
regular_expressions = yes
extended_expressions = yes
# Logging section. The various "log_*" configuration items
# will eventually be moved here.
# Which syslog facility to use, if ${log_destination} == "syslog"
# The exact values permitted here are OS-dependent. You probably
# don't want to change this.
syslog_facility = daemon
# THREAD POOL CONFIGURATION
# The thread pool is a long-lived group of threads which
# take turns (round-robin) handling any incoming requests.
# You probably want to have a few spare threads around,
# so that high-load situations can be handled immediately. If you
# don't have any spare threads, then the request handling will
# be delayed while a new thread is created, and added to the pool.
# You probably don't want too many spare threads around,
# otherwise they'll be sitting there taking up resources, and
# not doing anything productive.
# The numbers given below should be adequate for most situations.
# Number of servers to start initially --- should be a reasonable
# Limit on the total number of servers running.
# If this limit is ever reached, clients will be LOCKED OUT, so it
# should NOT BE SET TOO LOW. It is intended mainly as a brake to
# keep a runaway server from taking the system with it as it spirals
# You may find that the server is regularly reaching the
# 'max_servers' number of threads, and that increasing
# 'max_servers' doesn't seem to make much difference.
# If this is the case, then the problem is MOST LIKELY that
# your back-end databases are taking too long to respond, and
# are preventing the server from responding in a timely manner.
# The solution is NOT to keep increasing the 'max_servers'
# value, but instead to fix the underlying cause of the
# problem: slow database, or 'hostname_lookups=yes'.
# For more information, see 'max_request_time', above.
# Server-pool size regulation. Rather than making you guess
# how many servers you need, the server dynamically adapts to
# the load it sees, that is, it tries to maintain enough
# servers to handle the current load, plus a few spare
# servers to handle transient load spikes.
# It does this by periodically checking how many servers are
# waiting for a request. If there are fewer than
# min_spare_servers, it creates a new spare. If there are
# more than max_spare_servers, some of the spares die off.
# The default values are probably OK for most sites.
min_spare_servers = 3
max_spare_servers = 10
# There may be memory leaks or resource allocation problems with
# the server. If so, set this value to 300 or so, so that the
# resources will be cleaned up periodically.
# This should only be necessary if there are serious bugs in the
# server which have not yet been fixed.
# '0' is a special value meaning 'infinity', or 'the servers never
max_requests_per_server = 0
# MODULE CONFIGURATION
# The names and configuration of each module are located in this section.
# After the modules are defined here, they may be referred to by name,
# in other sections of this configuration file.
# Add modules here. See "radiusd.conf" for examples.
# This section orders the loading of the modules. Modules
# listed here will get loaded BEFORE the later sections like
# authorize, authenticate, etc. get examined.
# This section is not strictly needed. When a section like
# authorize refers to a module, it's automatically loaded and
# initialized. However, some modules may not be listed in any
# of the following sections, so they can be listed here.
# Also, listing modules here ensures that you have control over
# the order in which they are initialized. If one module needs
# something defined by another module, you can list them in order
# here, and ensure that the configuration will be OK.
# Add modules here. See "radiusd.conf" for examples.
# And the REAL contents. This section is just like the "post-auth"
# section of radiusd.conf. In fact, it calls the "post-auth" component
# of the modules that are listed here. But it's called "vmps" for
# This is a hack for testing
VMPS-Packet-Type = VMPS-Join-Response
VMPS-VLAN-Name = "foo"
VMPS-Cookie = "%{VMPS-Mac}"
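
# Added example, not part of the FreeRADIUS distribution: a Python check that
# reads a vmpsd.conf-style file and flags the settings the comments above warn
# about (user/group left unset, allow_core_dumps, hostname_lookups, and values
# outside the stated useful ranges). The flat parser, the finding names and the
# sample input are assumptions made for illustration.

```python
import re

# Constructed sample (not from the original file): settings the comments warn about.
SAMPLE = """\
# user = nobody
# group = nobody
allow_core_dumps = yes
hostname_lookups = yes
max_request_time = 300
cleanup_delay = 1
"""

# "Useful range of values" stated in the comments for each item.
RANGES = {"max_request_time": (5, 120), "cleanup_delay": (2, 10)}

# name = value, with an optional trailing "# comment". A value may itself start
# with '#' (user/group accept "#number"). Quoted values containing " #" are
# not handled by this simplified pattern.
SETTING = re.compile(r"^\s*([A-Za-z_][\w-]*)\s*=\s*(\S.*?)?(?:\s+#.*)?$")

def parse_settings(text):
    """Flat parse (assumption: section nesting is ignored, last value wins)."""
    settings = {}
    for line in text.splitlines():
        m = SETTING.match(line)          # commented-out lines never match
        if m:
            settings[m.group(1)] = (m.group(2) or "").strip().strip('"')
    return settings

def audit(text):
    """Return sorted finding names (hypothetical labels) for risky settings."""
    s = parse_settings(text)
    findings = []
    if "user" not in s or "group" not in s:
        findings.append("runs-as-invoking-user")     # no privilege drop
    if s.get("allow_core_dumps") == "yes":
        findings.append("core-dumps-enabled")        # meant for debugging only
    if s.get("hostname_lookups") == "yes":
        findings.append("hostname-lookups-enabled")  # slow DNS can stall the server
    for name, (lo, hi) in RANGES.items():
        value = s.get(name, "")
        if value.isdigit() and not lo <= int(value) <= hi:
            findings.append(f"{name}-outside-{lo}-{hi}")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```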