#
# $Id$
#
+######################################################################
+#
+# Read "man radiusd" before editing this file. See the section
+# titled DEBUGGING. It outlines a method where you can quickly
+# obtain the configuration you want, without running into
+# trouble. See also "man unlang", which documents the format
+# of this file.
+#
+# This configuration is designed to work in the widest possible
+# set of circumstances, with the widest possible number of
+# authentication methods. This means that in general, you should
+# need to make very few changes to this file.
+#
+# The best way to configure the server for your local system
+# is to CAREFULLY edit this file. Most attempts to make large
+# edits to this file will BREAK THE SERVER. Any edits should
+# be small, and tested by running the server with "radiusd -X".
+# Once the edits have been verified to work, save a copy of these
+# configuration files somewhere. (e.g. as a "tar" file). Then,
+# make more edits, and test, as above.
+#
+# There are many "commented out" references to modules such
+# as ldap, sql, etc. These references serve as place-holders.
+# If you need the functionality of that module, then configure
+# it in radiusd.conf, and un-comment the references to it in
+# this file. In most cases, those small changes will result
+# in the server being able to connect to the DB, and to
+# authenticate users.
#
######################################################################
#
# In 1.x, the "authorize", etc. sections were global in
-# radiusd.conf. As of 2.0, they MUST be in a server section.
+# radiusd.conf. As of 2.0, they SHOULD be in a server section.
#
# The server section with no virtual server name is the "default"
# section. It is used when no server name is specified.
# We don't indent the rest of this file, because doing so
# would make it harder to read.
#
-server {
# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the "users" file.
#
# It takes care of processing the 'raddb/hints' and the
# 'raddb/huntgroups' files.
- #
- # It also adds the %{Client-IP-Address} attribute to the request.
preprocess
#
mschap
#
- # Pull crypt'd passwords from /etc/passwd or /etc/shadow,
- # using the system API's to get the password. If you want
- # to read /etc/passwd or /etc/shadow directly, see the
- # passwd module, above.
- #
- unix
-
- #
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authenticate' section.
# digest
#
+ # The WiMAX specification says that the Calling-Station-Id
+ # is 6 octets of the MAC. This definition conflicts with
+ # RFC 3580, and all common RADIUS practices. Un-commenting
+ # the "wimax" module here means that it will fix the
+ # Calling-Station-Id attribute to the normal format as
+ # specified in RFC 3580 Section 3.21
+# wimax
+
+ #
# Look for IPASS style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
}
#
+ # Pull crypt'd passwords from /etc/passwd or /etc/shadow,
+ # using the system API's to get the password. If you want
+ # to read /etc/passwd or /etc/shadow directly, see the
+ # passwd module in radiusd.conf.
+ #
+ unix
+
+ #
# Read the 'users' file
files
#
# Allow EAP authentication.
eap
+
+ #
+ # The older configurations sent a number of attributes in
+ # Access-Challenge packets, which wasn't strictly correct.
+ # If you want to filter out these attributes, uncomment
+ # the following lines.
+ #
+# Auth-Type eap {
+# eap {
+# handled = 1
+# }
+# if (handled && (Response-Packet-Type == Access-Challenge)) {
+# attr_filter.access_challenge.post-auth
+# handled # override the "updated" code from attr_filter
+# }
+# }
}
#
# ldap
+ exec
+
+ #
+ # Calculate the various WiMAX keys. In order for this to work,
+ # you will need to define the WiMAX NAI, usually via
+ #
+ # update request {
+ # WiMAX-MN-NAI = "%{User-Name}"
+ # }
+ #
+ # If you want various keys to be calculated, you will need to
+ # update the reply with "template" values. The module will see
+ # this, and replace the template values with the correct ones
+ # taken from the cryptographic calculations. e.g.
+ #
+ # update reply {
+ # WiMAX-FA-RK-Key = 0x00
+ # WiMAX-MSK = "%{EAP-MSK}"
+ # }
+ #
+ # You may want to delete the MS-MPPE-*-Keys from the reply,
+ # as some WiMAX clients behave badly when those attributes
+ # are included. See "raddb/modules/wimax", configuration
+ # entry "delete_mppe_keys" for more information.
+ #
+# wimax
+
+ # If the WiMAX module did it's work, you may want to do more
+ # things here, like delete the MS-MPPE-*-Key attributes.
+ #
+ # if (updated) {
+ # update reply {
+ # MS-MPPE-Recv-Key !* 0x00
+ # MS-MPPE-Send-Key !* 0x00
+ # }
+ # }
+
#
# Access-Reject packets are sent through the REJECT sub-section of the
# post-auth section.
}
-} # default server block
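Review bot: The header comment kept at lines 35–42 still describes the unindented `server { … }` wrapper that this change deletes (`-server {` and `-} # default server block`), while the edited sentence now says the sections SHOULD be in a server section; either reword that comment to say where the default virtual server now lives, or, if a `server default {` wrapper is added outside the visible lines, say so in the note about not indenting the file. The `@@` headers of the enclosing hunks are not visible, so the surrounding structure is inferred rather than certain. Separately, the `unix` entry moved to line 88 keeps the comment about pulling crypt'd passwords via the system API; adding `# Only works for requests carrying a cleartext User-Password; reading /etc/shadow via getspnam() needs the server to keep read access to it` would stop operators expecting it to handle CHAP, MS-CHAP or EAP requests. Minor: line 142 reads `did it's work` and should be `its`.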