+# -*- text -*-
##
-## radrelay.conf -- FreeRADIUS server configuration file.
+## radrelay.conf -- FreeRADIUS server configuration file.
+##
+## Use with: radiusd -n radrelay
##
## http://www.freeradius.org/
## $Id$
##
+
+######################################################################
#
-# This configuration file is for the "radrelay" personality
-# of FreeRADIUS. It contains some of the same configuration
-# items as "radiusd.conf", but many have been deleted, as they
-# do not apply to "radrelay".
+# This file is a sample configuration that replaces the old
+# "radrelay" program. It is a *minimal* configuration that
+# does little more than read the detail file, and proxy the
+# packets to a home server. If you need it to do more than
+# just replace radrelay, you will need to add additional
+# configuration.
#
-# The server reads this file when it is run as "radiusd -n radrelay".
+# See raddb/sites-available/copy-acct-to-home-server for a
+# more complete example. That example is intended to be run
+# as part of a larger radius configuration, where the server
+# also listens on ports 1812, etc. The example given here
+# is a minimal example that has ONLY radrelay functionality.
#
+# See radiusd.conf for a complete description of the configuration
+# parameters used here.
#
+######################################################################
prefix = @prefix@
exec_prefix = @exec_prefix@
raddbdir = @raddbdir@
radacctdir = @radacctdir@
-# Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-#
-# The logging messages for the server are appended to the
-# tail of this file.
-#
-log_file = ${logdir}/radius.log
-
-#
-# Destination for log messages. This can be one of:
#
-# files - log to ${log_file}, as defined above.
-# syslog - to syslog (see also the log{} section, below)
-# stdout - standard output
-# stderr - standard error.
+# name of the running server. See also the "-n" command-line option.
#
-# The command-line option "-X" over-rides this option, and forces
-# logging to go to stdout.
-#
-log_destination = files
+name = radrelay
#
-# libdir: Where to find the rlm_* modules.
-#
-# This should be automatically set at configuration time.
-#
-# If the server builds and installs, but fails at execution time
-# with an 'undefined symbol' error, then you can use the libdir
-# directive to work around the problem.
-#
-# The cause is usually that a library has been installed on your
-# system in a place where the dynamic linker CANNOT find it. When
-# executing as root (or another user), your personal environment MAY
-# be set up to allow the dynamic linker to find the library. When
-# executing as a daemon, FreeRADIUS MAY NOT have the same
-# personalized configuration.
-#
-# To work around the problem, find out which library contains that symbol,
-# and add the directory containing that library to the end of 'libdir',
-# with a colon separating the directory names. NO spaces are allowed.
-#
-# e.g. libdir = /usr/local/lib:/opt/package/lib
-#
-# You can also try setting the LD_LIBRARY_PATH environment variable
-# in a script which starts the server.
-#
-# If that does not work, then you can re-configure and re-build the
-# server to NOT use shared libraries, via:
-#
-# ./configure --disable-shared
-# make
-# make install
+# Generic configuration
#
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run/${name}
libdir = @libdir@
+pidfile = ${run_dir}/${name}.pid
-# pidfile: Where to place the PID of the RADIUS server.
-#
-# The server may be signalled while it's running by using this
-# file.
-#
-# This file is written when ONLY running in daemon mode.
#
-# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
+# Request handling configuration
#
-pidfile = ${run_dir}/radrelay.pid
-
-#
-# radrelay doesn't need any special permissions to run.
-#
-#user = nobody
-#group = nobody
-
max_request_time = 30
-delete_blocked_requests = no
cleanup_delay = 5
-max_requests = 1024
+max_requests = 65536
#
-# You can have as many "listen" sections as you want.
-#
-# The server CANNOT listen on type "detail" and type "acct"
-# at the same time.
+# Logging section.
#
-listen {
- type = detail
-
- # where the detail file is located
- detail = ${confdir}/detail
-
- #
-
- # Send no more than N requests to the server at once.
- # If this is set to 0 (zero), then the requests will be read
- # from the detail file as fast as possible, potentially
- # overwhelming the server.
- #
- max_outstanding = 100
-
-
- #
- # Server identity. This lets you tell the different "listen"
- # sections apart. When a packet is read from a detail file,
- # the Server-Identity attribute will be set to the value below
- # for that packet.
- #
- identity = radrelay
-}
-
-
-hostname_lookups = no
-
log {
- syslog_facility = daemon
+ destination = files
+ file = ${logdir}/${name}.log
}
-# PROXY CONFIGURATION
-#
-# proxy_requests: Turns proxying of RADIUS requests on or off.
-#
-# The server has proxying turned on by default. If your system is NOT
-# set up to proxy requests to another server, then you can turn proxying
-# off here. This will save a small amount of resources on the server.
-#
-# If you have proxying turned off, and your configuration files say
-# to proxy a request, then an error message will be logged.
-#
-# To disable proxying, change the "yes" to "no", and comment the
-# $INCLUDE line.
#
-# allowed values: {no, yes}
+# Security configuration
#
-proxy_requests = yes
-$INCLUDE ${confdir}/proxy.conf
+security {
+ max_attributes = 200
+ # reject_delay && status_server don't apply when we are
+ # only reading accounting packets from the detail file
+}
-# CLIENTS CONFIGURATION
-#
-# Client configuration is defined in "clients.conf".
#
-# The "radrelay" personality of the server does not have
-# any clients, and does not need, or read, "clients.conf".
-
-
-# SNMP CONFIGURATION
+# If you need more modules, add them here.
#
-# The "radrelay" personality of the server does not have
-# any SNMP configuration.
-
+modules {
+ $INCLUDE ${confdir}/modules/always
+}
-# THREAD POOL CONFIGURATION
#
-# Threads are less useful for radrelay than for radiusd.
-# This section is here just to remind you that it can be controlled.
+# If you need to instantiate modules, add them here.
#
-thread pool {
- start_servers = 5
- max_servers = 32
- min_spare_servers = 3
- max_spare_servers = 10
+instantiate {
}
-# MODULE CONFIGURATION
-#
-# The names and configuration of each module is located in this section.
#
-# Some modules have been deleted from this section. e.g
+# Configuration of home servers, etc.
#
-# pap
-# chap
-# mschap
-# eap
-# detail
-# unix
-# radutmp
+proxy_requests = yes
+
#
-# It doesn't make sense to use these modules when the server is running
-# as "radrelay".
+# See proxy.conf for additional home server configuration.
#
-modules {
- # Realm module, for proxying.
- #
- # You can have multiple instances of the realm module to
- # support multiple realm syntaxs at the same time. The
- # search order is defined by the order in the authorize and
- # preacct sections.
- #
- # Four config options:
- # format - must be "prefix" or "suffix"
- # The special cases of "DEFAULT"
- # and "NULL" are allowed, too.
- # delimiter - must be a single character
+home_server home1 {
+ type = acct
- # 'realm/username'
#
- # Using this entry, IPASS users have their realm set to "IPASS".
- realm IPASS {
- format = prefix
- delimiter = "/"
- }
-
- # 'username@realm'
+ # This directive replaces the "-r" command-line option
+ # in radrelay
#
- realm suffix {
- format = suffix
- delimiter = "@"
- }
+ ipaddr = 192.168.10.20
- # 'username%realm'
- #
- realm realmpercent {
- format = suffix
- delimiter = "%"
- }
+ port = 1812
#
- # 'domain\user'
+ # This directive replaces the "-i" command-line option
+ # in radrelay
#
- realm ntdomain {
- format = prefix
- delimiter = "\\"
- }
+# src_ipaddr = 192.168.1.1
- # A simple value checking module
#
- # It can be used to check if an attribute value in the request
- # matches a (possibly multi valued) attribute in the check
- # items This can be used for example for caller-id
- # authentication. For the module to run, both the request
- # attribute and the check items attribute must exist
+ # This directive replaces the "-s", "-S", and "-n" command-line
+ # options in radrelay
#
- # i.e.
- # A user has an ldap entry with 2 radiusCallingStationId
- # attributes with values "12345678" and "12345679". If we
- # enable rlm_checkval, then any request which contains a
- # Calling-Station-Id with one of those two values will be
- # accepted. Requests with other values for
- # Calling-Station-Id will be rejected.
- #
- # Regular expressions in the check attribute value are allowed
- # as long as the operator is '=~'
- #
- checkval {
- # The attribute to look for in the request
- item-name = Calling-Station-Id
-
- # The attribute to look for in check items. Can be multi valued
- check-name = Calling-Station-Id
-
- # The data type. Can be
- # string,integer,ipaddr,date,abinary,octets
- data-type = string
-
- # If set to yes and we dont find the item-name attribute in the
- # request then we send back a reject
- # DEFAULT is no
- #notfound-reject = no
- }
-
- # rewrite arbitrary packets. Useful in accounting and authorization.
- #
- #
- # The module can also use the Rewrite-Rule attribute. If it
- # is set and matches the name of the module instance, then
- # that module instance will be the only one which runs.
- #
- # Also if new_attribute is set to yes then a new attribute
- # will be created containing the value replacewith and it
- # will be added to searchin (packet, reply, proxy, proxy_reply or config).
- # searchfor,ignore_case and max_matches will be ignored in that case.
- #
- # Backreferences are supported: %{0} will contain the string the whole match
- # and %{1} to %{8} will contain the contents of the 1st to the 8th parentheses
- #
- # If max_matches is greater than one the backreferences will correspond to the
- # first match
-
- #
- #attr_rewrite sanecallerid {
- # attribute = Called-Station-Id
- # may be "packet", "reply", "proxy", "proxy_reply" or "config"
- # searchin = packet
- # searchfor = "[+ ]"
- # replacewith = ""
- # ignore_case = no
- # new_attribute = no
- # max_matches = 10
- # ## If set to yes then the replace string will be appended to the original string
- # append = no
- #}
-
- # Preprocess the incoming RADIUS request, before handing it off
- # to other modules.
- #
- # This module processes the 'huntgroups' and 'hints' files.
- # In addition, it re-writes some weird attributes created
- # by some NASes, and converts the attributes into a form which
- # is a little more standard.
- #
- preprocess {
- huntgroups = ${confdir}/huntgroups
- hints = ${confdir}/hints
-
- # This hack changes Ascend's wierd port numberings
- # to standard 0-??? port numbers so that the "+" works
- # for IP address assignments.
- with_ascend_hack = no
- ascend_channels_per_line = 23
-
- # Windows NT machines often authenticate themselves as
- # NT_DOMAIN\username
- #
- # If this is set to 'yes', then the NT_DOMAIN portion
- # of the user-name is silently discarded.
- #
- # This configuration entry SHOULD NOT be used.
- # See the "realms" module for a better way to handle
- # NT domains.
- with_ntdomain_hack = no
-
- # Specialix Jetstream 8500 24 port access server.
- #
- # If the user name is 10 characters or longer, a "/"
- # and the excess characters after the 10th are
- # appended to the user name.
- #
- # If you're not running that NAS, you don't need
- # this hack.
- with_specialix_jetstream_hack = no
-
- # Cisco (and Quintum in Cisco mode) sends it's VSA attributes
- # with the attribute name *again* in the string, like:
- #
- # H323-Attribute = "h323-attribute=value".
- #
- # If this configuration item is set to 'yes', then
- # the redundant data in the the attribute text is stripped
- # out. The result is:
- #
- # H323-Attribute = "value"
- #
- # If you're not running a Cisco or Quintum NAS, you don't
- # need this hack.
- with_cisco_vsa_hack = no
- }
-
- # Livingston-style 'users' file
- #
- files {
- usersfile = ${confdir}/users
- acctusersfile = ${confdir}/acct_users
-
- # If you want to use the old Cistron 'users' file
- # with FreeRADIUS, you should change the next line
- # to 'compat = cistron'. You can the copy your 'users'
- # file from Cistron.
- compat = no
- }
-
- # Create a unique accounting session Id. Many NASes re-use or
- # repeat values for Acct-Session-Id, causing no end of
- # confusion.
- #
- # This module will add a (probably) unique session id
- # to an accounting packet based on the attributes listed
- # below found in the packet. See doc/rlm_acct_unique for
- # more information.
- #
- acct_unique {
- key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
- }
-
-
- # Include another file that has the SQL-related configuration.
- # This is another file only because it tends to be big.
- #
- # The following configuration file is for use with MySQL.
- #
- # For Postgresql, use: ${confdir}/postgresql.conf
- # For MS-SQL, use: ${confdir}/mssql.conf
- # For Oracle, use: ${confdir}/oraclesql.conf
- #
-# $INCLUDE ${confdir}/sql.conf
-
-
- # For Cisco VoIP specific accounting with Postgresql,
- # use: ${confdir}/pgsql-voip.conf
- #
- # You will also need the sql schema from:
- # src/billing/cisco_h323_db_schema-postgres.sql
- # Note: This config can be use AS WELL AS the standard sql
- # config if you need SQL based Auth
-
- # The "always" module is here for debugging purposes. Each
- # instance simply returns the same result, always, without
- # doing anything.
- always fail {
- rcode = fail
- }
- always reject {
- rcode = reject
- }
- always ok {
- rcode = ok
- simulcount = 0
- mpp = no
- }
-
- #
- # The 'expression' module currently has no configuration.
- #
- # This module is useful only for 'xlat'. To use it,
- # put 'exec' into the 'instantiate' section. You can then
- # do dynamic translation of attributes like:
- #
- # Attribute-Name = `%{expr:2 + 3 + %{exec: uid -u}}`
- #
- # The value of the attribute will be replaced with the output
- # of the program which is executed. Due to RADIUS protocol
- # limitations, any output over 253 bytes will be ignored.
- #
- # The module also registers a few paircompare functions
- expr {
- }
-
- #
- # Execute external programs
- #
- # This module is useful only for 'xlat'. To use it,
- # put 'exec' into the 'instantiate' section. You can then
- # do dynamic translation of attributes like:
- #
- # Attribute-Name = `%{exec:/path/to/program args}`
- #
- # The value of the attribute will be replaced with the output
- # of the program which is executed. Due to RADIUS protocol
- # limitations, any output over 253 bytes will be ignored.
- #
- # The RADIUS attributes from the user request will be placed
- # into environment variables of the executed program, as
- # described in 'doc/variables.txt'
- #
- exec {
- wait = yes
- input_pairs = request
- shell_escape = yes
- }
+ secret = testing123
}
-# Instantiation
-#
-# This section orders the loading of the modules. Modules
-# listed here will get loaded BEFORE the later sections like
-# authorize, authenticate, etc. get examined.
-#
-# This section is not strictly needed. When a section like
-# authorize refers to a module, it's automatically loaded and
-# initialized. However, some modules may not be listed in any
-# of the following sections, so they can be listed here.
#
-# Also, listing modules here ensures that you have control over
-# the order in which they are initalized. If one module needs
-# something defined by another module, you can list them in order
-# here, and ensure that the configuration will be OK.
+# List one or more home servers here for fail-over, load-balancing, etc.
#
-instantiate {
- exec
- expr
-
- # subsections here can be thought of as "virtual" modules.
- #
- # e.g. If you have two redundant SQL servers, and you want to
- # use them in the authorize and accounting sections, you could
- # place a "redundant" block in each section, containing the
- # exact same text. Or, you could uncomment the following
- # lines, and list "redundant_sql" in the authorize and
- # accounting sections.
- #
- #redundant redundant_sql {
- # sql1
- # sql2
- #}
+home_server_pool radrelay {
+ type = fail-over
+ home_server = home1
}
#
-# There are no authorize, authenticate, or post-auth sections.
+# A dummy realm.
#
+realm radrelay {
+ acct_pool = radrelay
+}
#
-# Pre-accounting. Decide which accounting type to use.
+# Read the detail file.
#
-preacct {
- preprocess
-
- #
- # Ensure that we have a semi-unique identifier for every
- # request, and many NAS boxes are broken.
- acct_unique
+listen {
+ type = detail
#
- # Look for IPASS-style 'realm/', and if not found, look for
- # '@realm', and decide whether or not to proxy, based on
- # that.
+ # The "radacctdir" parameter below replaces the "-a" command-
+ # line option in radrelay. The "detail" parameter replaces
+ # the "detailfile" command-line option in radrelay
#
- # Accounting requests are generally proxied to the same
- # home server as authentication requests.
-# IPASS
- suffix
-# ntdomain
-
- #
- # Read the 'acct_users' file
- files
+ filename = ${radacctdir}/detail
+ load_factor = 90
}
#
-# Accounting. Log the accounting data.
+# See also raddb/sites-available/copy-acct-to-home-server
+# for additional description.
#
-accounting {
- #
- # Log traffic to an SQL database.
+preacct {
#
- # See "Accounting queries" in sql.conf
-# sql
-
-
- # Cisco VoIP specific bulk accounting
-# pgsql-voip
-
-}
-
-
-#
-# When the server decides to proxy a request to a home server,
-# the proxied request is first passed through the pre-proxy
-# stage. This stage can re-write the request, or decide to
-# cancel the proxy.
-#
-# Only a few modules currently have this method.
-#
-pre-proxy {
-# attr_rewrite
-
- # If you want to have a log of packets proxied to a home
- # server, un-comment the following line, and the
- # 'detail pre_proxy_log' section, above.
-# pre_proxy_log
-}
-
-#
-# When the server receives a reply to a request it proxied
-# to a home server, the request may be massaged here, in the
-# post-proxy stage.
-#
-post-proxy {
+ # Proxy the packet using the given realm.
+ # Note that we do not use the realm for anything else such
+ # as prefix/suffix stripping or comparisons.
#
-
- # If you want to have a log of replies from a home server,
- # un-comment the following line, and the 'detail post_proxy_log'
- # section, above.
-# post_proxy_log
-
-# attr_rewrite
-
- # Uncomment the following line if you want to filter replies from
- # remote proxies based on the rules defined in the 'attrs' file.
-
-# attr_filter
+ update control {
+ Proxy-To-Realm := "radrelay"
+ }
}
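Review bot: The `secret = testing123` line in the new `home_server home1` block is a sample shared secret that ships uncommented and active, yet unlike `ipaddr` and `src_ipaddr` it carries no comment saying it is a placeholder that must match the home server and be replaced before deployment. Since the shared secret is what authenticates the relayed accounting packets to the home server, I would add above it: `# Shared secret for home1. This is a placeholder; set it to the secret configured on the home server before use.`. As a point of style, the commented `# src_ipaddr = 192.168.1.1` line sits at column 0 while every other line of the block is indented, so it should be indented to match. The `home_server home1` block starts at `type = acct` and closes at the `}` before the `home_server_pool` comment, all within the hunk.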