# crypt: Unix crypt
# md5: MD5 ecnryption
# sha1: SHA1 encryption.
+ # nt: NT-Password encryption
+ # lm: LM-Password encryption
# DEFAULT: crypt
pap {
encryption_scheme = crypt
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
- access_attr = "dialupAccess"
+ # access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
# Without the leading "0x", NT-Passwords will not work.
# This goes for NT-Passwords stored in SQL, too.
#
+ # Set password_attribute = nspmPassword to get user's password
+ # from a Novell eDirectory backend. This will work *only if*
+ # freeRADIUS is configured to build with --with-edir option.
+ #
# password_attribute = userPassword
+ #
+ # Un-comment the following to disable Novell eDirectory account
+ # policy check and intruder detection. This will work *only if*
+ # FreeRADIUS is configured to build with --with-edir option.
+ #
+ # edir_account_policy_check=no
+ #
# groupname_attribute = cn
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
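Review bot: The example key added at L28 is written `edir_account_policy_check=no`, with no spaces around `=`, while every other key in this file (`encryption_scheme = crypt`, `with_specialix_jetstream_hack = no`, the commented `# password_attribute = userPassword` just above it) uses `key = value`. Because L24 tells the administrator to un-comment this line verbatim, it will be copied into live configs in the odd spelling; suggest `# edir_account_policy_check = no`. The post-auth comment later in the same diff (L195) spells the setting `'edir_account_policy_check = yes'` with spaces, so the patch is also inconsistent with itself. The enclosing ldap block's opening line is outside this hunk.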
# this hack.
with_specialix_jetstream_hack = no
- # Cisco sends it's VSA attributes with the attribute
- # name *again* in the string, like:
+ # Cisco (and Quintum in Cisco mode) sends it's VSA attributes
+ # with the attribute name *again* in the string, like:
#
# H323-Attribute = "h323-attribute=value".
#
#
# H323-Attribute = "value"
#
- # If you're not running a Cisco NAS, you don't need
- # this hack.
+ # If you're not running a Cisco or Quintum NAS, you don't
+ # need this hack.
with_cisco_vsa_hack = no
}
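Review bot: The re-wrapped comment at L37 carries over the typo `it's` (a contraction) where the possessive is meant: `# Cisco (and Quintum in Cisco mode) sends its VSA attributes`. Since the hunk already rewrites this sentence to add Quintum, this is the moment to correct it rather than preserve it. The enclosing ldap block's opening line is outside this hunk.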
# the radius.log
# If the count attribute is Acct-Session-Time then on each login
# we send back the remaining online time as a Session-Timeout attribute
+ # ELSE and if the return-attribute is set, we send back that attribute.
+ # The return-attribute is set MUST be of an integer type
#
# The counter-name can also be used instead of using the check-name
# like below:
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
+ #return-attribute = Session-Timeout
cache-size = 5000
}
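Review bot: The new comment line at L55, `# The return-attribute is set MUST be of an integer type`, is ungrammatical and reads as if a word was lost; suggest `# The return-attribute, if set, MUST be of an integer type.` The commented-out example at L62, `#return-attribute = Session-Timeout`, also lacks the space after `#` that every other commented-out key in this file uses (`# groupname_attribute = cn`), so `# return-attribute = Session-Timeout` would match the surrounding style. The counter block's opening line is outside this hunk.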
# The value of the attribute will be replaced with the output
# of the program which is executed. Due to RADIUS protocol
# limitations, any output over 253 bytes will be ignored.
+ #
+ # The module also registers a few paircompare functions
expr {
}
# reply-message = "Your account has expired, %{User-Name}\r\n"
}
+ # The logintime module. This handles the Login-Time,
+ # Current-Time, and Time-Of-Day attributes. It should be
+ # included in the *end* of the authorize section in order to
+ # handle Login-Time checks. It should also be included in the
+ # instantiate section in order to register the Current-Time
+ # and Time-Of-Day comparison functions.
#
- # The logintime module. Handles the Login-Time and Current-Time attributes.
- # It should be included in the *end* of the authorize section
- # in order to handle Login-Time checks. It should also be included in
- # the instantiate section in order to register the Current-Time compare
- # function.
- # If the user is allowed to logon a Session-Timeout is calculated based on the
- # remaining time.
+ # When the Login-Time attribute is set to some value, and the
+ # user has bene permitted to log in, a Session-Timeout is
+ # calculated based on the remaining time. See "doc/README".
#
logintime {
#
- # The Reply-Message which will be sent back in case the account
- # is calling outside of the allowed timespan. Dynamic substitution is
- # supported.
+ # The Reply-Message which will be sent back in case
+ # the account is calling outside of the allowed
+ # timespan. Dynamic substitution is supported.
#
reply-message = "You are calling outside your allowed timespan\r\n"
# reply-message = "Outside allowed timespan (%{check:Login-Time}), %{User-Name}\r\n"
- #
- # The minimum timeout (in seconds) a user is allowed to have. If the calculated
- # timeout is lower we don't allow the logon. Some NASes do not handle
- # values lower than 60 seconds well.
- #
+
+ # The minimum timeout (in seconds) a user is allowed
+ # to have. If the calculated timeout is lower we don't
+ # allow the logon. Some NASes do not handle values
+ # lower than 60 seconds well.
minimum-timeout = 60
}
#
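Review bot: The new comment at L89 contains the typo `bene` for `been`: `# user has been permitted to log in, a Session-Timeout is`. Separately, the rewritten block at L109–L112 drops the bare `#` lines that frame the sibling comment at L97–L100 (L108 is a blank line instead), so the two comments inside one `logintime { }` block now use different framing styles; either is fine, but one should be chosen for both.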
exec {
wait = yes
input_pairs = request
+ shell_escape = yes
}
#
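Review bot: `shell_escape = yes` is added to the `exec` instance at L119 with no comment, while the same key added to `exec echo` in the following hunk (L151–L159) gets a nine-line explanation of how it rewrites attribute names and quotes values. An administrator reading this instance, which the context lines show runs with `wait = yes` and `input_pairs = request`, has no indication of what they are enabling or what changes if they set it to `no`. Suggest a short pointer above L119: `# Escape the RADIUS attributes passed to the program as` / `# environment variables; see the "exec echo" instance below.` The explanatory paragraph itself could then stay in one place.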
# one section (e.g. 'authorize', 'pre_proxy', etc), then it
# is probably best to define a different instance of the
# 'exec' module for every section.
- #
+ #
+ # The return value of the program run determines the result
+ # of the exec instance call as follows:
+ # (See doc/configurable_failover for details)
+ #
+ # < 0 : fail the module failed
+ # = 0 : ok the module succeeded
+ # = 1 : reject the module rejected the user
+ # = 2 : fail the module failed
+ # = 3 : ok the module succeeded
+ # = 4 : handled the module has done everything to handle the request
+ # = 5 : invalid the user's configuration entry was invalid
+ # = 6 : userlock the user was locked out
+ # = 7 : notfound the user was not found
+ # = 8 : noop the module did nothing
+ # = 9 : updated the module updated information in the request
+ # > 9 : fail the module failed
+ #
exec echo {
#
# Wait for the program to finish.
# being sent to the NAS.
#
#packet_type = Access-Accept
+
+ #
+ # Should we escape the environment variables?
+ #
+ # If this is set, all the RADIUS attributes
+ # are capitalised and dashes replaced with
+ # underscores. Also, RADIUS values are surrounded
+ # with double-quotes.
+ #
+ # That is to say: User-Name=BobUser => USER_NAME="BobUser"
+ shell_escape = yes
+
}
# Do server side ip pool management. Should be added in post-auth and
# ANSI X9.9 token support. Not included by default.
# $INCLUDE ${confdir}/x99.conf
+ #
+ # Implements Login-Time, Current-Time, and Time-Of-Day
+ #
+ logintime {
+ #
+ # Don't worry about anything here for now..
+ #
+ }
}
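Review bot: The `logintime { }` stub added at L169–L173 appears to sit in the same `modules` block (closed by the `}` at L174, immediately before the instantiate section) that already holds a fully configured `logintime` instance at L92–L114 with `reply-message` and `minimum-timeout`, so the same instance name would be declared twice unless the earlier one is removed in a hunk not shown. Its placeholder comment `# Don't worry about anything here for now..` also ships in the sample config with no indication of what the block is for. If the stub exists only to make sure the module is loaded for the new `instantiate`/`authorize` references, say so in the comment; otherwise drop it and rely on the configured instance. The `modules` block's opening line is outside this hunk.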
# Instantiation
# the check-name attribute before any module which sets
# it
# daily
+ expiration
+ logintime
}
# Authorization. First preprocess (hints and huntgroups files),
#
# Use the checkval module
# checkval
+
+ expiration
+ logintime
}
# sql
#
- # Access-Reject packets are sent through the REJECT sub-section
- # of the post-auth section.
+ # Un-comment the following if you have set
+ # 'edir_account_policy_check = yes' in the ldap module sub-section of
+ # the 'modules' section.
+ #
+# ldap
+ #
+ # Access-Reject packets are sent through the REJECT sub-section of the
+ # post-auth section.
+ # Uncomment the following and set the module name to the ldap instance
+ # name if you have set 'edir_account_policy_check = yes' in the ldap
+ # module sub-section of the 'modules' section.
#
# Post-Auth-Type REJECT {
# insert-module-name-here