--- /dev/null
+##
+## radrelay.conf -- FreeRADIUS server configuration file.
+##
+## http://www.freeradius.org/
+## $Id$
+##
+#
+# This configuration file is for the "radrelay" personality
+# of FreeRADIUS. It contains some of the same configuration
+# items as "radiusd.conf", but many have been deleted, as they
+# do not apply to "radrelay".
+#
+# The server reads this file when it is run as "radiusd -n radrelay".
+#
+#
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+sysconfdir = @sysconfdir@
+localstatedir = @localstatedir@
+sbindir = @sbindir@
+logdir = @logdir@
+raddbdir = @raddbdir@
+radacctdir = @radacctdir@
+
+# Location of config and logfiles.
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run/radiusd
+
+#
+# The logging messages for the server are appended to the
+# tail of this file.
+#
+log_file = ${logdir}/radius.log
+
+#
+# Destination for log messages. This can be one of:
+#
+# files - log to ${log_file}, as defined above.
+# syslog - to syslog (see also the log{} section, below)
+# stdout - standard output
+# stderr - standard error.
+#
+# The command-line option "-X" over-rides this option, and forces
+# logging to go to stdout.
+#
+log_destination = files
+
+#
+# libdir: Where to find the rlm_* modules.
+#
+# This should be automatically set at configuration time.
+#
+# If the server builds and installs, but fails at execution time
+# with an 'undefined symbol' error, then you can use the libdir
+# directive to work around the problem.
+#
+# The cause is usually that a library has been installed on your
+# system in a place where the dynamic linker CANNOT find it. When
+# executing as root (or another user), your personal environment MAY
+# be set up to allow the dynamic linker to find the library. When
+# executing as a daemon, FreeRADIUS MAY NOT have the same
+# personalized configuration.
+#
+# To work around the problem, find out which library contains that symbol,
+# and add the directory containing that library to the end of 'libdir',
+# with a colon separating the directory names. NO spaces are allowed.
+#
+# e.g. libdir = /usr/local/lib:/opt/package/lib
+#
+# You can also try setting the LD_LIBRARY_PATH environment variable
+# in a script which starts the server.
+#
+# If that does not work, then you can re-configure and re-build the
+# server to NOT use shared libraries, via:
+#
+# ./configure --disable-shared
+# make
+# make install
+#
+libdir = @libdir@
+
+# pidfile: Where to place the PID of the RADIUS server.
+#
+# The server may be signalled while it's running by using this
+# file.
+#
+# This file is written when ONLY running in daemon mode.
+#
+# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
+#
+pidfile = ${run_dir}/radrelay.pid
+
+#
+# radrelay doesn't need any special permissions to run.
+#
+#user = nobody
+#group = nobody
+
+max_request_time = 30
+delete_blocked_requests = no
+cleanup_delay = 5
+max_requests = 1024
+
+#
+# You can have as many "listen" sections as you want.
+#
+# The server CANNOT listen on type "detail" and type "acct"
+# at the same time.
+#
+listen {
+ type = detail
+
+ # where the detail file is located
+ detail = ${confdir}/detail
+
+ #
+
+ # Send no more than N requests to the server at once.
+ # If this is set to 0 (zero), then the requests will be read
+ # from the detail file as fast as possible, potentially
+ # overwhelming the server.
+ #
+ max_outstanding = 100
+
+
+ #
+ # Server identity. This lets you tell the different "listen"
+ # sections apart. When a packet is read from a detail file,
+ # the Server-Identity attribute will be set to the value below
+ # for that packet.
+ #
+ identity = radrelay
+}
+
+
+hostname_lookups = no
+
+log {
+ syslog_facility = daemon
+}
+
+# PROXY CONFIGURATION
+#
+# proxy_requests: Turns proxying of RADIUS requests on or off.
+#
+# The server has proxying turned on by default. If your system is NOT
+# set up to proxy requests to another server, then you can turn proxying
+# off here. This will save a small amount of resources on the server.
+#
+# If you have proxying turned off, and your configuration files say
+# to proxy a request, then an error message will be logged.
+#
+# To disable proxying, change the "yes" to "no", and comment the
+# $INCLUDE line.
+#
+# allowed values: {no, yes}
+#
+proxy_requests = yes
+$INCLUDE ${confdir}/proxy.conf
+
+
+# CLIENTS CONFIGURATION
+#
+# Client configuration is defined in "clients.conf".
+#
+# The "radrelay" personality of the server does not have
+# any clients, and does not need, or read, "clients.conf".
+
+
+# SNMP CONFIGURATION
+#
+# The "radrelay" personality of the server does not have
+# any SNMP configuration.
+
+
+# THREAD POOL CONFIGURATION
+#
+# Threads are less useful for radrelay than for radiusd.
+# This section is here just to remind you that it can be controlled.
+#
+thread pool {
+ start_servers = 5
+ max_servers = 32
+ min_spare_servers = 3
+ max_spare_servers = 10
+}
+
+# MODULE CONFIGURATION
+#
+# The names and configuration of each module is located in this section.
+#
+# Some modules have been deleted from this section. e.g
+#
+# pap
+# chap
+# mschap
+# eap
+# detail
+# unix
+# radutmp
+#
+# It doesn't make sense to use these modules when the server is running
+# as "radrelay".
+#
+modules {
+ # Realm module, for proxying.
+ #
+ # You can have multiple instances of the realm module to
+ # support multiple realm syntaxs at the same time. The
+ # search order is defined by the order in the authorize and
+ # preacct sections.
+ #
+ # Four config options:
+ # format - must be "prefix" or "suffix"
+ # The special cases of "DEFAULT"
+ # and "NULL" are allowed, too.
+ # delimiter - must be a single character
+
+ # 'realm/username'
+ #
+ # Using this entry, IPASS users have their realm set to "IPASS".
+ realm IPASS {
+ format = prefix
+ delimiter = "/"
+ }
+
+ # 'username@realm'
+ #
+ realm suffix {
+ format = suffix
+ delimiter = "@"
+ }
+
+ # 'username%realm'
+ #
+ realm realmpercent {
+ format = suffix
+ delimiter = "%"
+ }
+
+ #
+ # 'domain\user'
+ #
+ realm ntdomain {
+ format = prefix
+ delimiter = "\\"
+ }
+
+ # A simple value checking module
+ #
+ # It can be used to check if an attribute value in the request
+ # matches a (possibly multi valued) attribute in the check
+ # items This can be used for example for caller-id
+ # authentication. For the module to run, both the request
+ # attribute and the check items attribute must exist
+ #
+ # i.e.
+ # A user has an ldap entry with 2 radiusCallingStationId
+ # attributes with values "12345678" and "12345679". If we
+ # enable rlm_checkval, then any request which contains a
+ # Calling-Station-Id with one of those two values will be
+ # accepted. Requests with other values for
+ # Calling-Station-Id will be rejected.
+ #
+ # Regular expressions in the check attribute value are allowed
+ # as long as the operator is '=~'
+ #
+ checkval {
+ # The attribute to look for in the request
+ item-name = Calling-Station-Id
+
+ # The attribute to look for in check items. Can be multi valued
+ check-name = Calling-Station-Id
+
+ # The data type. Can be
+ # string,integer,ipaddr,date,abinary,octets
+ data-type = string
+
+ # If set to yes and we dont find the item-name attribute in the
+ # request then we send back a reject
+ # DEFAULT is no
+ #notfound-reject = no
+ }
+
+ # rewrite arbitrary packets. Useful in accounting and authorization.
+ #
+ #
+ # The module can also use the Rewrite-Rule attribute. If it
+ # is set and matches the name of the module instance, then
+ # that module instance will be the only one which runs.
+ #
+ # Also if new_attribute is set to yes then a new attribute
+ # will be created containing the value replacewith and it
+ # will be added to searchin (packet, reply, proxy, proxy_reply or config).
+ # searchfor,ignore_case and max_matches will be ignored in that case.
+ #
+ # Backreferences are supported: %{0} will contain the string the whole match
+ # and %{1} to %{8} will contain the contents of the 1st to the 8th parentheses
+ #
+ # If max_matches is greater than one the backreferences will correspond to the
+ # first match
+
+ #
+ #attr_rewrite sanecallerid {
+ # attribute = Called-Station-Id
+ # may be "packet", "reply", "proxy", "proxy_reply" or "config"
+ # searchin = packet
+ # searchfor = "[+ ]"
+ # replacewith = ""
+ # ignore_case = no
+ # new_attribute = no
+ # max_matches = 10
+ # ## If set to yes then the replace string will be appended to the original string
+ # append = no
+ #}
+
+ # Preprocess the incoming RADIUS request, before handing it off
+ # to other modules.
+ #
+ # This module processes the 'huntgroups' and 'hints' files.
+ # In addition, it re-writes some weird attributes created
+ # by some NASes, and converts the attributes into a form which
+ # is a little more standard.
+ #
+ preprocess {
+ huntgroups = ${confdir}/huntgroups
+ hints = ${confdir}/hints
+
+ # This hack changes Ascend's wierd port numberings
+ # to standard 0-??? port numbers so that the "+" works
+ # for IP address assignments.
+ with_ascend_hack = no
+ ascend_channels_per_line = 23
+
+ # Windows NT machines often authenticate themselves as
+ # NT_DOMAIN\username
+ #
+ # If this is set to 'yes', then the NT_DOMAIN portion
+ # of the user-name is silently discarded.
+ #
+ # This configuration entry SHOULD NOT be used.
+ # See the "realms" module for a better way to handle
+ # NT domains.
+ with_ntdomain_hack = no
+
+ # Specialix Jetstream 8500 24 port access server.
+ #
+ # If the user name is 10 characters or longer, a "/"
+ # and the excess characters after the 10th are
+ # appended to the user name.
+ #
+ # If you're not running that NAS, you don't need
+ # this hack.
+ with_specialix_jetstream_hack = no
+
+ # Cisco (and Quintum in Cisco mode) sends it's VSA attributes
+ # with the attribute name *again* in the string, like:
+ #
+ # H323-Attribute = "h323-attribute=value".
+ #
+ # If this configuration item is set to 'yes', then
+ # the redundant data in the the attribute text is stripped
+ # out. The result is:
+ #
+ # H323-Attribute = "value"
+ #
+ # If you're not running a Cisco or Quintum NAS, you don't
+ # need this hack.
+ with_cisco_vsa_hack = no
+ }
+
+ # Livingston-style 'users' file
+ #
+ files {
+ usersfile = ${confdir}/users
+ acctusersfile = ${confdir}/acct_users
+
+ # If you want to use the old Cistron 'users' file
+ # with FreeRADIUS, you should change the next line
+ # to 'compat = cistron'. You can the copy your 'users'
+ # file from Cistron.
+ compat = no
+ }
+
+ # Create a unique accounting session Id. Many NASes re-use or
+ # repeat values for Acct-Session-Id, causing no end of
+ # confusion.
+ #
+ # This module will add a (probably) unique session id
+ # to an accounting packet based on the attributes listed
+ # below found in the packet. See doc/rlm_acct_unique for
+ # more information.
+ #
+ acct_unique {
+ key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
+ }
+
+
+ # Include another file that has the SQL-related configuration.
+ # This is another file only because it tends to be big.
+ #
+ # The following configuration file is for use with MySQL.
+ #
+ # For Postgresql, use: ${confdir}/postgresql.conf
+ # For MS-SQL, use: ${confdir}/mssql.conf
+ # For Oracle, use: ${confdir}/oraclesql.conf
+ #
+# $INCLUDE ${confdir}/sql.conf
+
+
+ # For Cisco VoIP specific accounting with Postgresql,
+ # use: ${confdir}/pgsql-voip.conf
+ #
+ # You will also need the sql schema from:
+ # src/billing/cisco_h323_db_schema-postgres.sql
+ # Note: This config can be use AS WELL AS the standard sql
+ # config if you need SQL based Auth
+
+ # The "always" module is here for debugging purposes. Each
+ # instance simply returns the same result, always, without
+ # doing anything.
+ always fail {
+ rcode = fail
+ }
+ always reject {
+ rcode = reject
+ }
+ always ok {
+ rcode = ok
+ simulcount = 0
+ mpp = no
+ }
+
+ #
+ # The 'expression' module currently has no configuration.
+ #
+ # This module is useful only for 'xlat'. To use it,
+ # put 'exec' into the 'instantiate' section. You can then
+ # do dynamic translation of attributes like:
+ #
+ # Attribute-Name = `%{expr:2 + 3 + %{exec: uid -u}}`
+ #
+ # The value of the attribute will be replaced with the output
+ # of the program which is executed. Due to RADIUS protocol
+ # limitations, any output over 253 bytes will be ignored.
+ #
+ # The module also registers a few paircompare functions
+ expr {
+ }
+
+ #
+ # Execute external programs
+ #
+ # This module is useful only for 'xlat'. To use it,
+ # put 'exec' into the 'instantiate' section. You can then
+ # do dynamic translation of attributes like:
+ #
+ # Attribute-Name = `%{exec:/path/to/program args}`
+ #
+ # The value of the attribute will be replaced with the output
+ # of the program which is executed. Due to RADIUS protocol
+ # limitations, any output over 253 bytes will be ignored.
+ #
+ # The RADIUS attributes from the user request will be placed
+ # into environment variables of the executed program, as
+ # described in 'doc/variables.txt'
+ #
+ exec {
+ wait = yes
+ input_pairs = request
+ shell_escape = yes
+ }
+
+ # TESTING ONLY
+ detail {
+ detailfile = ${raddbdir}/detail-2
+ }
+
+}
+
+# Instantiation
+#
+# This section orders the loading of the modules. Modules
+# listed here will get loaded BEFORE the later sections like
+# authorize, authenticate, etc. get examined.
+#
+# This section is not strictly needed. When a section like
+# authorize refers to a module, it's automatically loaded and
+# initialized. However, some modules may not be listed in any
+# of the following sections, so they can be listed here.
+#
+# Also, listing modules here ensures that you have control over
+# the order in which they are initalized. If one module needs
+# something defined by another module, you can list them in order
+# here, and ensure that the configuration will be OK.
+#
+instantiate {
+ exec
+ expr
+
+ # subsections here can be thought of as "virtual" modules.
+ #
+ # e.g. If you have two redundant SQL servers, and you want to
+ # use them in the authorize and accounting sections, you could
+ # place a "redundant" block in each section, containing the
+ # exact same text. Or, you could uncomment the following
+ # lines, and list "redundant_sql" in the authorize and
+ # accounting sections.
+ #
+ #redundant redundant_sql {
+ # sql1
+ # sql2
+ #}
+}
+
+#
+# There are no authorize, authenticate, or post-auth sections.
+#
+
+#
+# Pre-accounting. Decide which accounting type to use.
+#
+preacct {
+ preprocess
+
+ #
+ # Ensure that we have a semi-unique identifier for every
+ # request, and many NAS boxes are broken.
+ acct_unique
+
+ #
+ # Look for IPASS-style 'realm/', and if not found, look for
+ # '@realm', and decide whether or not to proxy, based on
+ # that.
+ #
+ # Accounting requests are generally proxied to the same
+ # home server as authentication requests.
+# IPASS
+ suffix
+# ntdomain
+
+ #
+ # Read the 'acct_users' file
+ files
+}
+
+#
+# Accounting. Log the accounting data.
+#
+accounting {
+ #
+ # Log traffic to an SQL database.
+ #
+ # See "Accounting queries" in sql.conf
+# sql
+
+
+ # Cisco VoIP specific bulk accounting
+# pgsql-voip
+
+}
+
+
+#
+# When the server decides to proxy a request to a home server,
+# the proxied request is first passed through the pre-proxy
+# stage. This stage can re-write the request, or decide to
+# cancel the proxy.
+#
+# Only a few modules currently have this method.
+#
+pre-proxy {
+# attr_rewrite
+
+ # If you want to have a log of packets proxied to a home
+ # server, un-comment the following line, and the
+ # 'detail pre_proxy_log' section, above.
+# pre_proxy_log
+}
+
+#
+# When the server receives a reply to a request it proxied
+# to a home server, the request may be massaged here, in the
+# post-proxy stage.
+#
+post-proxy {
+ #
+
+ # If you want to have a log of replies from a home server,
+ # un-comment the following line, and the 'detail post_proxy_log'
+ # section, above.
+# post_proxy_log
+
+# attr_rewrite
+
+ # Uncomment the following line if you want to filter replies from
+ # remote proxies based on the rules defined in the 'attrs' file.
+
+# attr_filter
+}
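Review bot: The `user`/`group` settings are left commented out under a note saying radrelay "doesn't need any special permissions to run", which gets the conclusion backwards: because the relay needs no root-only capability, it should drop privileges instead of staying root while it reads detail files and proxies with the shared secrets from `proxy.conf`. I would reword and enable them: `# radrelay does not need root; run it as an unprivileged account.` / `user = nobody` / `group = nobody`, and then confirm that account can read `${confdir}/proxy.conf` and `${confdir}/detail` and, presumably, write to the detail file's directory so the reader can record its progress — verify against the detail listener's actual file handling. Separately, the `detail` module marked "TESTING ONLY" writes accounting records to `${raddbdir}/detail-2`, i.e. into the configuration directory, and is not referenced by any processing section; it should be removed or pointed at `${radacctdir}` before this template ships.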