# $Id$
#
-
# Configuration for the Python module.
#
# Where radiusd is a Python module, radiusd.py, and the
mod_accounting = radiusd_test
func_accounting = accounting
- mod_preacct = radiusd_test
- func_preacct = preacct
+ mod_pre_proxy = radiusd_test
+ func_pre_proxy = pre_proxy
+
+ mod_post_proxy = radiusd_test
+ func_post_proxy = post_proxy
+
+ mod_post_auth = radiusd_test
+ func_post_auth = post_auth
+
+ mod_recv_coa = radiusd_test
+ func_recv_coa = recv_coa
+
+ mod_send_coa = radiusd_test
+ func_send_coa = send_coa
mod_detach = radiusd_test
func_detach = detach
}
}
-
- # This module is an SQL enabled version of the counter module.
- #
- # Rather than maintaining seperate (GDBM) databases of accounting info
- # for each counter, this module uses the data stored in the raddacct
- # table by the sql modules. This module NEVER does any database
- # INSERTs or UPDATEs. It is totally dependent on the SQL module
- # to process Accounting packets.
- #
- # The 'sqlmod_inst' parameter holds the instance of the sql module to use
- # when querying the SQL database. Normally it is just "sql".
- # If you define more and one SQL module instance
- # (usually for failover situations), you can specify which module
- # has access to the Accounting Data (radacct table).
- #
- # The 'reset' parameter defines when the counters are all reset to
- # zero. It can be hourly, daily, weekly, monthly or never.
- # It can also be user defined. It should be of the form:
- # num[hdwm] where:
- # h: hours, d: days, w: weeks, m: months
- # If the letter is ommited days will be assumed. In example:
- # reset = 10h (reset every 10 hours)
- # reset = 12 (reset every 12 days)
- #
- # The 'key' parameter specifies the unique identifier for the counters
- # records (usually 'User-Name').
- #
- # The 'query' parameter specifies the SQL query used to get the
- # current Counter value from the database. There are 3 parameters
- # that can be used in the query:
- # %k 'key' parameter
- # %b unix time value of beginning of reset period
- # %e unix time value of end of reset period
- #
- # The 'check-name' parameter is the name of the 'check' attribute to use to access
- # the counter in the 'users' file or SQL radcheck or radcheckgroup
- # tables.
- #
- # DEFAULT Max-Daily-Session > 3600, Auth-Type = Reject
- # Reply-Message = "You've used up more than one hour today"
- #1
-
- sqlcounter dailycounter {
- counter-name = Daily-Session-Time
- check-name = Max-Daily-Session
- sqlmod-inst = sqlcca3
- key = User-Name
- reset = daily
-
- # This query properly handles calls that span from the previous reset period
- # into the current period but involves more work for the SQL server than those below
- query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
-
- # This query ignores calls that started in a previous reset period and
- # continue into into this one. But it is a little easier on the SQL server
- # query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"
-
- # This query is the same as above, but demonstrates an additional
- # counter parameter '%e' which is the timestamp for the end of the period
- # query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}' AND AcctStartTime BETWEEN FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"
- }
-
- sqlcounter monthlycounter {
- counter-name = Monthly-Session-Time
- check-name = Max-Monthly-Session
- sqlmod-inst = sqlcca3
- key = User-Name
- reset = monthly
-
- # This query properly handles calls that span from the previous reset period
- # into the current period but involves more work for the SQL server than those below
- query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
-
- # This query ignores calls that started in a previous reset period and
- # continue into into this one. But it is a little easier on the SQL server
- # query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"
-
- # This query is the same as above, but demonstrates an additional
- # counter parameter '%e' which is the timestamp for the end of the period
- # query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}' AND AcctStartTime BETWEEN FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"
- }
-
- # Do server side ip pool management. Should be added in post-auth and
- # accounting sections
- # FIXME: This is highly experimental at the moment. Please give feedback
- #
- # Parameters:
- #
- # range-start,range-stop: The start and end ip addresses for the ip pool
- # netmask: The network mask used for the ip's
- # cache-size: The gdbm cache size for the db files. Should be equal to
- # the number of ip's available in the ip pool
- # session-db: The main db file used to allocate ip's to clients
- # ip-index: Helper db index file used in multilink
- #
- # The module also requires the existance of the Pool-Name attribute.
- # That way the administrator can add the Pool-Name attribute in the user profiles
- # and use different pools for different users
- # Example:
- # radiusd.conf: ippool students { [...] }
- # users file : DEFAULT Group == students, Pool-Name := "students"
- #
- # ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST THEN ERASE THE DB FILES *******
- #
- ippool main_pool {
- range-start = 192.168.1.1
- range-stop = 192.168.3.254
- netmask = 255.255.255.0
- cache-size = 800
- session-db = ${raddbdir}/db.ippool
- ip-index = ${raddbdir}/db.ipindex
- }
-
+ #
# To create a dbm users file, do:
#
# cat test.users | rlm_dbm_parser -f /etc/raddb/users_db
# filename, but don't check if it's already there.
#
dbm {
- usersfile = ${raddbdir}/users_db
+ usersfile = ${confdir}/users_db
}
#
- # Persistent, embedded Perl interpreter.
+ # Perform NT-Domain authentication. This only works
+ # with PAP authentication. That is, Authentication-Request
+ # packets containing a User-Password attribute.
#
- perl {
- #
- # The Perl script to execute on authorize, authenticate,
- # accounting, etc. This is very similar to using
- # Exec-Program-Wait = "/path/foo.pl", but it is persistent,
- # and therefore faster.
- #
- # For now, the attributes are passed in environment
- # variables (%ENV array). See doc/variables.txt,
- # under 'Exec-Program-Wait' for more details.
- #
- # Any attributes to be added to the request are
- # returned in the %main::result hash, and exit status
- # is $!.
- #
- cmd = ${raddbdir}/test.pl
+ # To use it, add 'smb' into the 'authenticate' section,
+ # and then in another module (usually the 'users' file),
+ # set 'Auth-Type := SMB'
+ #
+ # WARNING: this module is not only experimental, it's also
+ # a security threat. It's not recommended to use it until
+ # it gets fixed.
+ #
+ smb {
+ server = ntdomain.server.example.com
+ backup = backup.server.example.com
+ domain = NTDOMAIN
+ }
- #
- # The script which provides 'package Embed::Persistent'
- # without this file, the 'cmd' Perl script will NOT be
- # persistent, and will not run.
- #
- persistent = ${raddbdir}/persistent.pl
+ # See doc/rlm_fastusers before using this
+ # module or changing these values.
+ #
+ fastusers {
+ usersfile = ${confdir}/users_fast
+ hashsize = 1000
+ compat = no
+ # Reload the hash every 600 seconds (10mins)
+ hash_reload = 600
}
+ # Caching module
+ #
+ # Should be added in the post-auth section (after all other modules)
+ # and in the authorize section (before any other modules)
+ #
+ # authorize {
+ # caching {
+ # ok = return
+ # }
+ # [... other modules ...]
+ # }
+ # post-auth {
+ # [... other modules ...]
+ # caching
+ # }
+ #
+ # The caching module will cache the Auth-Type and reply items
+ # and send them back on any subsequent requests for the same key
+ #
+ # Configuration:
+ #
+ # filename: The gdbm file to use for the cache database
+ # (can be memory mapped for more speed)
+ #
+ # key: A string to xlat and use as a key. For instance,
+ # "%{Acct-Unique-Session-Id}"
+ #
+ # post-auth: If we find a cached entry, set the post-auth to that value
+ #
+ # cache-ttl: The time to cache the entry. The same time format
+ # as the counter module apply here.
+ # num[hdwm] where:
+ # h: hours, d: days, w: weeks, m: months
+ # If the letter is ommited days will be assumed.
+ # e.g. 1d == one day
#
- # The digest module. It doesn't take any configuration
- # parameters, but it does require a configuration section,
- # otherwise the parser complains.
+ # cache-size: The gdbm cache size to request (default 1000)
#
- digest {
+ # hit-ratio: If set to non-zero we print out statistical
+ # information after so many cache requests
+ #
+ # cache-rejects: Do we also cache rejects, or not? (default 'yes')
+ #
+ caching {
+ filename = ${db_dir}/db.cache
+ cache-ttl = 1d
+ hit-ratio = 1000
+ key = "%{Acct-Unique-Session-Id}"
+ #post-auth = ""
+ # cache-size = 2000
+ # cache-rejects = yes
}
+
+ # Simple module for logging of Account packets to radiusd.log
+ # You need to declare it in the accounting section for it to work
+ acctlog {
+ acctlog_update = ""
+ acctlog_start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})"
+ acctlog_stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds"
+ acctlog_on = "NAS %C (%{NAS-IP-Address}) just came online"
+ acctlog_off = "NAS %C (%{NAS-IP-Address}) just went offline"
+ }
+
+ # Another implementation of the EAP module.
#
- # Perform NT-Domain authentication. This only works
- # with PAP authentication.
+ # This module requires the libeap.so file from the hostap
+ # software (http://hostap.epitest.fi/hostapd/). It has been
+ # tested on the development version of hostapd (0.6.1) ONLY.
#
- # To use it, add 'smb' into the 'authenticate' section,
- # and then in another module (usually the 'users' file),
- # set 'Auth-Type := SMB'
+ # In order to use it, you MUST build a "libeap.so" in hostapd,
+ # which is not done by default.
#
- smb {
- server = ntdomain.server.example.com
- backup = backup.server.example.com
- domain = NTDOMAIN
+ # You MUST also edit the file: src/modules/rlm_eap2/Makefile
+ # to point to the location of the hostap include files.
+ #
+ # This module CANNOT be used in the same way as the current
+ # FreeRADIUS "eap" module. There is NO way to look inside of
+ # a tunneled request. There is NO way to proxy a tunneled
+ # request. There is NO way to even look at the user name inside
+ # of the tunneled request. There is NO way to control the
+ # choice of EAP types inside of the tunnel. You MUST force
+ # the server to choose "eap2" for authentication, because this
+ # module has no "authorize" section.
+ #
+ # If you want to use this module for experimentation, please
+ # post your comments to the freeradius-devel list:
+ #
+ # http://lists.freeradius.org/mailman/listinfo/freeradius-devel
+ #
+ # If you want to use this module in a production (i.e. real-world)
+ # environment:
+ #
+ # !!! DO NOT USE IT IN A PRODUCTION ENVIRONMENT !!!
+ #
+ # The module needs additional work to make it ready for
+ # production use.. Please supply patches, or sponsor the
+ # work by hiring a developer. Do NOT ask when the work will
+ # be done, because there is no plan to finish this module
+ # unless there is demand for it.
+ #
+ eap2 {
+ # EAP types are chosen in the order that they are
+ # listed in this section. There is no "default_eap_type"
+ # as with rlm_eap. Instead, the *first* EAP type is
+ # used as the default type.
+ #
+ peap {
+ }
+
+ ttls {
+ }
+
+ # This is the ONLY EAP type that has any configuration.
+ # All other EAP types have no configuration.
+ #
+ tls {
+ ca_cert = ${confdir}/certs/ca.pem
+ server_cert = ${confdir}/certs/server.pem
+ private_key_file = ${confdir}/certs/server.pem
+ private_key_password = whatever
+ }
+
+ #
+ # These next two methods do not supply keying material.
+ #
+ md5 {
+ }
+
+ mschapv2 {
+ }
+
+ # LEAP is NOT supported by this module.
+ # Use the "eap" module instead.
+
+ # For other methods that MIGHT work, see the
+ # configuration of hostap. The methods are statically
+ # linked in at compile time, and cannot be controlled
+ # here.
+ }
+
+ # Configuration for experimental EAP types. The sub-sections
+ # can be copied into eap.conf.
+ eap {
+ ikev2 {
+
+ # Server auth type
+ # Allowed values are:
+ # cert - for certificate based server authentication,
+ # other required settings for this type are
+ # 'private_key_file' and 'certificate_file'
+ # secret - for shared secret based server authentication,
+ # other required settings for this type is 'id'
+ # Default value of this option is 'secret'
+ # server_authtype=cert
+
+ # Allowed default client auth types
+ # Allowed values are:
+ # secret - for shared secret based client authentication
+ # cert - for certificate based client authentication
+ # both - shared secret and certificate is allowed
+ # none - authentication will always fail
+ # Default value for this option is 'both'. This option could
+ # be overwritten within 'usersfile' file by EAP-IKEv2-Auth
+ # option.
+ # default_authtype = both
+
+ # path to trusted CA certificate file
+ CA_file="/path/to/CA/cacert.pem"
+
+ # path to CRL file, if not set, then there will be no
+ # checks against CRL
+ # crl_file="/path/to/crl.pem"
+
+ # path to file with user settings
+ #
+ # Note that this file is read ONLY on module initialization!
+ #
+ # default ${confdir}/eap_ikev2_users
+ # usersfile=${confdir}/eap_ikev2_users
+
+#
+# Sample "eap_ikev2_users" file entry:
+#
+#username EAP-IKEv2-IDType := KEY_ID, EAP-IKEv2-Secret := "tajne"
+
+## where:
+## username - client user name from IKE-AUTH (IDr) or CommonName
+## from x509 certificate
+## EAP-IKEv2-IDType - ID Type - same as in expected IDType payload
+## allowable attributes for EAP-IKEv2-IDType:
+## IPV4_ADDR FQDN RFC822_ADDR IPV6_ADDR DER_ASN1_DN
+## DER_ASN1_GN KEY_ID
+## EAP-IKEv2-Secret - shared secret
+## EAP-IKEv2-AuthType - optional parameter which defines expected client auth
+## type. Allowed values are: secret,cert,both,none.
+## For the meaning of this values, please see the
+## description of 'default_authtype'.
+## This attribute can overwrite 'default_authtype' value.
+
+
+
+ # path to file with server private key
+ private_key_file="/path/to/srv-private-key.pem"
+
+ # password to private key file
+ private_key_password="passwd"
+
+ # path to file with server certificate
+ certificate_file="/path/to/srv-cert.pem"
+
+ # server identity string
+ id="deMaio"
+
+ # Server identity type. Allowed values are:
+ # IPV4_ADDR, FQDN, RFC822_ADDR, IPV6_ADDR, ASN1_DN, ASN1_GN,
+ # KEY_ID
+ # Default value is: KEY_ID
+ # id_type = KEY_ID
+
+
+ # MTU (default: 1398)
+ # fragment_size = 1398
+
+ # maximal allowed number of resends SA_INIT after receiving
+ # 'invalid KEY' notification (default 3)
+ # DH_counter_max = 3
+
+ # option which is used to control whenever send CERT REQ
+ # payload or not.
+ # Allowed values for this option are "yes" or "no".
+ #Default value is "no".
+ # certreq = "yes"
+
+ # option which cotrols fast reconnect capability.
+ # Allowed valuse for this option are "yes" or "no".
+ # Default value is "yes".
+ # enable_fast_reauth = "no"
+
+ # option which is used to control performing of DH exchange
+ # during fast rekeying protocol run.
+ # Allowed values for this option are "yes" or "no".
+ # Default value is "no"
+ # fast_DH_exchange = "yes"
+
+ # Option which is used to set up expiration time of inactive
+ # IKEv2 session.
+ # After selected period of time (in seconds), inactive
+ # session data will be deleted.
+ # Default value of this option is set to 900 seconds
+ # fast_timer_expire = 900
+
+ # list of server proposals of available cryptographic
+ # suites
+ proposals {
+ # proposal number #1
+ proposal {
+
+ # Supported transforms types: encryption,
+ # prf, integrity, dhgroup. For multiple
+ # transforms just simple repeat key (i.e.
+ # integity).
+
+ # encryption algorithm
+ # supported algorithms:
+ # null,3des,aes_128_cbc,aes_192_cbc,
+ # aes_256_cbc,idea
+ # blowfish:n, where n range from 8 to 448 bits,
+ # step 8 bits
+ # cast:n, where n range from 40 to 128 bits,
+ # step 8 bits
+ encryption = 3des
+
+ # pseudo random function. Supported prf's:
+ # hmac_md5, hmac_sha1, hmac_tiger
+ prf = hmac_sha1
+
+ # integrity algorithm. Supported algorithms:
+ # hmac_md5_96, hmac_sha1_96,des_mac
+ integrity = hmac_sha1_96
+ integrity = hmac_md5_96
+
+ # Diffie-Hellman groups:
+ # modp768, modp1024, modp1536, modp2048,
+ # modp3072, modp4096, modp6144, modp8192
+ dhgroup = modp2048
+ }
+
+ # proposal number #2
+ proposal {
+ encryption = 3des
+ prf = hmac_md5
+ integrity = hmac_md5_96
+ dhgroup = modp1024
+ }
+
+ # proposal number #3
+ proposal {
+ encryption=3des
+ prf=hmac_md5
+ integrity=hmac_md5_96
+ dhgroup=modp2048
+ }
+ }
+ }
+
+ fast {
+ pac_opaque_encr_key = 000102030405060708090a0b0c0d0e0f
+ eap_fast_a_id = xxxxxx
+ eap_fast_a_id_info = my_server
+ }
}