raddbdir = @raddbdir@
radacctdir = @radacctdir@
+#
+# name of the running server. See also the "-n" command-line option.
+name = radiusd
+
# Location of config and logfiles.
confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
+run_dir = ${localstatedir}/run/${name}
# Should likely be ${localstatedir}/lib/radiusd
-db_dir = $(raddbdir)
+db_dir = ${raddbdir}
#
# libdir: Where to find the rlm_* modules.
#
# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
#
-pidfile = ${run_dir}/radiusd.pid
+pidfile = ${run_dir}/${name}.pid
# chroot: directory where the server does "chroot".
#
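Review bot: The example in the comment just above the changed `pidfile` line still hard-codes /var/run/radiusd/radiusd.pid, which is no longer the path once the server is started under a different name. An operator who copies that example on a renamed instance would signal the wrong process or none at all. Consider adding a line under the example such as `# (path shown is for the default name; it follows "name" / the -n option)`. The comment block starts outside the hunk, so the rest of it is not visible here.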
# proxy IP to use for sending proxied packets
# detail Read from the detail file. For examples, see
# raddb/sites-available/copy-acct-to-home-server
+ # status listen for Status-Server packets. For examples,
+ # see raddb/sites-available/status
+ # coa listen for CoA-Request and Disconnect-Request
+ # packets. For examples, see the file
+ # raddb/sites-available/coa-server
#
type = auth
# Note: "type = proxy" lets you control the source IP used for
# proxying packets, with some limitations:
#
- # * Only ONE proxy listener can be defined.
# * A proxy listener CANNOT be used in a virtual server section.
# * You should probably set "port = 0".
# * Any "clients" configuration will be ignored.
+ #
+ # See also proxy.conf, and the "src_ipaddr" configuration entry
+ # in the sample "home_server" section. When you specify the
+ # source IP address for packets sent to a home server, the
+ # proxy listeners are automatically created.
# IP address on which to listen.
# Allowed values are:
#
# The logging messages for the server are appended to the
- # tail of this file if ${destination} == "files"
+ # tail of this file if destination == "files"
#
# If the server is running in debugging mode, this file is
# NOT used.
file = ${logdir}/radius.log
#
+ # If this configuration parameter is set, then log messages for
+ # a *request* go to this file, rather than to radius.log.
+ #
+ # i.e. This is a log file per request, once the server has accepted
+ # the request as being from a valid client. Messages that are
+ # not associated with a request still go to radius.log.
+ #
+ # Not all log messages in the server core have been updated to use
+ # this new internal API. As a result, some messages will still
+ # go to radius.log. Please submit patches to fix this behavior.
+ #
+ # The file name is expanded dynamically. You should ONLY user
+ # server-side attributes for the filename (e.g. things you control).
+ # Using this feature MAY also slow down the server substantially,
+ # especially if you do thinks like SQL calls as part of the
+ # expansion of the filename.
+ #
+ # The name of the log file should use attributes that don't change
+ # over the lifetime of a request, such as User-Name,
+ # Virtual-Server or Packet-Src-IP-Address. Otherwise, the log
+ # messages will be distributed over multiple files.
+ #
+ # Logging can be enabled for an individual request by a special
+ # dynamic expansion macro: %{debug: 1}, where the debug level
+ # for this request is set to '1' (or 2, 3, etc.). e.g.
+ #
+ # ...
+ # update control {
+ # Tmp-String-0 = "%{debug:1}"
+ # }
+ # ...
+ #
+ # The attribute that the value is assigned to is unimportant,
+ # and should be a "throw-away" attribute with no side effects.
+ #
+ #requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
+
+ #
# Which syslog facility to use, if ${destination} == "syslog"
#
# The exact values permitted here are OS-dependent. You probably
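Review bot: The guidance for the per-request log file name contradicts itself: the paragraph beginning "The file name is expanded dynamically" says to use only server-side attributes, yet the next paragraph offers User-Name as a suitable choice, and User-Name is supplied by the client. Because the expanded value becomes part of a path under ${logdir}, the comment should say so directly, for example `# Do not build the file name from client-supplied attributes such as User-Name unless they are validated first; the value becomes part of a file path.` The commented-out `requests` example, which uses only Virtual-Server and a date, already matches the safer advice. Two typos in the same block are worth fixing at the same time: "ONLY user" should be "ONLY use" and "do thinks like" should be "do things like".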
#
auth_badpass = no
auth_goodpass = no
+
+ # Log additional text at the end of the "Login OK" messages.
+ # for these to work, the "auth" and "auth_goopass" or "auth_badpass"
+ # configurations above have to be set to "yes".
+ #
+ # The strings below are dynamically expanded, which means that
+ # you can put anything you want in them. However, note that
+ # this expansion can be slow, and can negatively impact server
+ # performance.
+ #
+# msg_goodpass = ""
+# msg_badpass = ""
}
# The program to execute to do concurrency checks.
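Review bot: The added comment names a key that does not exist: "auth_goopass" should read `auth_goodpass`, matching the setting in the context lines just above the addition. The text also says the strings are dynamically expanded and that "you can put anything you want in them", without noting that the result is written to the log. A caveat would help, such as `# Avoid expanding passwords or unvalidated client-supplied attributes here; the expanded text is appended to the log line.` The two commented-out `msg_goodpass` / `msg_badpass` lines start at column 0, unlike the rest of the section. The enclosing section opens outside this hunk.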
# packet. If the server responds, it must be alive, and the
# NAS can start using it for real requests.
#
+ # See also raddb/sites-available/status
+ #
status_server = yes
}
$INCLUDE clients.conf
-# SNMP CONFIGURATION
-#
-# Snmp configuration is only valid if SNMP support was enabled
-# at compile time.
-#
-# To enable SNMP querying of the server, set the value of the
-# 'snmp' attribute to 'yes'
-#
-snmp = no
-$INCLUDE snmp.conf
-
-
# THREAD POOL CONFIGURATION
#
# The thread pool is a long-lived group of threads which
#
# The instance names can then be used in later configuration
# INSTEAD of the original 'name'. See the 'radutmp' configuration
- # below for an example.
+ # for an example.
#
#
# As of 2.0.5, most of the module configurations are in a
- # separate directory. Files matching the regex /[a-zA-Z0-9_.]+/
+ # sub-directory. Files matching the regex /[a-zA-Z0-9_.]+/
# are loaded. The modules are initialized ONLY if they are
# referenced in a processing section, such as authorize,
# authenticate, accounting, pre/post-proxy, etc.
# Include another file that has the SQL-related configuration.
# This is another file only because it tends to be big.
#
- $INCLUDE sql.conf
+# $INCLUDE sql.conf
-
- # For Cisco VoIP specific accounting with Postgresql,
- # use: ${confdir}/sql/postgresql/voip-postpaid.conf
- #
- # You will also need the sql schema from:
- # src/billing/cisco_h323_db_schema-postgres.sql
- # Note: This config can be use AS WELL AS the standard sql
- # config if you need SQL based Auth
-
#
# This module is an SQL enabled version of the counter module.
#
# totally dependent on the SQL module to process Accounting
# packets.
#
- $INCLUDE sql/mysql/counter.conf
- #$INCLUDE sql/postgresql/counter.conf
-
- # $INCLUDE sqlippool.conf
-
- # OTP token support. Not included by default.
- # $INCLUDE otp.conf
+# $INCLUDE sql/mysql/counter.conf
+ #
+ # IP addresses managed in an SQL table.
+ #
+# $INCLUDE sqlippool.conf
}
# Instantiation
######################################################################
#
-# As of 2.0.0, the "authorize", "authenticate", etc. sections
-# are in separate configuration files, per virtual host.
+# Load virtual servers.
#
-######################################################################
+# This next $INCLUDE line loads files in the directory that
+# match the regular expression: /[a-zA-Z0-9_.]+/
+#
+# It allows you to define new virtual servers simply by placing
+# a file into the raddb/sites-enabled/ directory.
+#
+$INCLUDE sites-enabled/
######################################################################
#
-# Include all enabled virtual hosts.
+# All of the other configuration sections like "authorize {}",
+# "authenticate {}", "accounting {}", have been moved to the
+# the file:
#
-# The following directory is searched for files that match
-# the regex:
+# raddb/sites-available/default
#
-# /[a-zA-Z0-9_.]+/
+# This is the "default" virtual server that has the same
+# configuration as in version 1.0.x and 1.1.x. The default
+# installation enables this virtual server. You should
+# edit it to create policies for your local site.
#
-# The files are then included here, just as if they were cut
-# and pasted into this file.
+# For more documentation on virtual servers, see:
#
-# See "sites-enabled/default" for some additional documentation.
+# raddb/sites-available/README
#
-$INCLUDE sites-enabled/
+######################################################################
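Review bot: The new comment for `$INCLUDE sites-enabled/` should warn that every file whose name matches /[a-zA-Z0-9_.]+/ is loaded, not only the virtual servers the administrator meant to enable. A leftover copy such as default.orig or default.bak consists only of those characters, so it would presumably be loaded as well and could reintroduce an old policy. Suggested addition: `# Backup copies (e.g. default.orig) also match and are loaded; keep them out of this directory.` Separately, "the" is doubled across the line break in "have been moved to the" / "the file:".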