X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=raddb%2Fradiusd.conf.in;h=8c588c681a050ee3f169f68f8fbaac23a3a13e4e;hb=5902f678526bb59d12a51ed61efcbec6ed3beaac;hp=ba7161cd5b5598828a5092d095d0116649eb9e30;hpb=fea338f150d549806b5f44dc3432f6a694a51128;p=freeradius.git
diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
index ba7161c..8c588c6 100644
--- a/raddb/radiusd.conf.in
+++ b/raddb/radiusd.conf.in
@@ -40,6 +40,19 @@ run_dir = ${localstatedir}/run/radiusd
 log_file = ${logdir}/radius.log
 
 #
+# Destination for log messages. This can be one of:
+#
+# files - log to ${log_file}, as defined above.
+# syslog - to syslog (see also the log{} section, below)
+# stdout - standard output
+# stderr - standard error.
+#
+# The command-line option "-X" over-rides this option, and forces
+# logging to go to stdout.
+#
+log_destination = files
+
+#
 # libdir: Where to find the rlm_* modules.
 #
 # This should be automatically set at configuration time.
@@ -174,78 +187,83 @@ cleanup_delay = 5 # max_requests = 1024 -# bind_address: Make the server listen on a particular IP address, and -# send replies out from that address. This directive is most useful -# for machines with multiple IP addresses on one interface. -# -# It can either contain "*", or an IP address, or a fully qualified -# Internet domain name. The default is "*" -# -# As of 1.0, you can also use the "listen" directive. See below for -# more information. -# -bind_address = * - -# port: Allows you to bind FreeRADIUS to a specific port. +# listen: Make the server listen on a particular IP address, and send +# replies out from that address. This directive is most useful for +# hosts with multiple IP addresses on one interface. # -# The default port that most NAS boxes use is 1645, which is historical. -# RFC 2138 defines 1812 to be the new port. Many new servers and -# NAS boxes use 1812, which can create interoperability problems. +# If you want the server to listen on additional addresses, or on +# additionnal ports, you can use multiple "listen" sections. # -# The port is defined here to be 0 so that the server will pick up -# the machine's local configuration for the radius port, as defined -# in /etc/services. +# Each section make the server listen for only one type of packet, +# therefore authentication and accounting have to be configured in +# different sections. # -# If you want to use the default RADIUS port as defined on your server, -# (usually through 'grep radius /etc/services') set this to 0 (zero). +# The server ignore all "listen" section if you are using '-i' and '-p' +# on the command line. # -# A port given on the command-line via '-p' over-rides this one. -# -# As of 1.0, you can also use the "listen" directive. See below for -# more information. -# -port = 0 - -# -# By default, the server uses "bind_address" to listen to all IP's -# on a machine, or just one IP. 
The "port" configuration is used -# to select the authentication port used when listening on those -# addresses. -# -# If you want the server to listen on additional addresses, you can -# use the "listen" section. A sample section (commented out) is included -# below. This "listen" section duplicates the functionality of the -# "bind_address" and "port" configuration entries, but it only listens -# for authentication packets. -# -# If you comment out the "bind_address" and "port" configuration entries, -# then it becomes possible to make the server accept only accounting, -# or authentication packets. Previously, it always listened for both -# types of packets, and it was impossible to make it listen for only -# one type of packet. -# -#listen { +listen { # IP address on which to listen. # Allowed values are: # dotted quad (1.2.3.4) # hostname (radius.example.com) # wildcard (*) -# ipaddr = * + ipaddr = * + + # OR, you can use an IPv6 address, but not both + # at the same time. +# ipv6addr = :: # any. ::1 == localhost # Port on which to listen. # Allowed values are: # integer port number (1812) # 0 means "use /etc/services for the proper port" -# port = 0 + port = 0 # Type of packets to listen for. # Allowed values are: # auth listen for authentication packets # acct listen for accounting packets # -# type = auth -#} + type = auth + + # Some systems support binding to an interface, in addition + # to the IP address. This feature isn't strictly necessary, + # but for sites with many IP addresses on one interface, + # it's useful to say "listen on all addresses for eth0". + # + # If your system does not support this feature, you will + # get an error if you try to use it. + # +# interface = eth0 + # Per-socket lists of clients. This is a very useful feature. + # + # The name here is a reference to a section elsewhere in + # radiusd.conf, or clients.conf. Having the name as + # a reference allows multiple sockets to use the same + # set of clients. 
+ # + # If this configuration is used, then the global list of clients + # is IGNORED for this "listen" section. Take care configuring + # this feature, to ensure you don't accidentally disable a + # client you need. + # + # See clients.conf for the configuration of "per_socket_clients". + # +# clients = per_socket_clients +} + +# This second "listen" section is for listening on the accounting +# port, too. +# +listen { + ipaddr = * +# ipv6addr = :: + port = 0 + type = acct +# interface = eth0 +# clients = per_socket_clients +} # hostname_lookups: Log the names of clients or just their IP addresses # e.g., www.freeradius.org (on) or 206.47.27.232 (off). @@ -283,6 +301,20 @@ allow_core_dumps = no regular_expressions = @REGEX@ extended_expressions = @REGEX_EXTENDED@ +# +# Logging section. The various "log_*" configuration items +# will eventually be moved here. +# +log { + # + # Which syslog facility to use, if ${log_destination} == "syslog" + # + # The exact values permitted here are OS-dependent. You probably + # don't want to change this. + # + syslog_facility = daemon +} + # Log the full User-Name attribute, as it was found in the request. # # allowed values: {no, yes} 
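Review bot: The sentence `The server ignore all "listen" section if you are using '-i' and '-p'` in the new `listen` comment block does not say what that means for the per-socket `clients` lists documented further down in the same hunk. If the command-line options bypass the `listen` sections, any client restriction attached to a section is presumably bypassed with them, and that is worth stating next to the `clients` comment, e.g. `# NOTE: with -i/-p the "listen" sections, including any "clients" reference, are not used.` The same block has wording slips to fix while there: `additionnal`, `Each section make`, `The server ignore`.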
@@ -304,54 +336,6 @@ log_auth = no
 log_auth_badpass = no
 log_auth_goodpass = no
 
-# usercollide: Turn "username collision" code on and off. See the
-# "doc/duplicate-users" file
-#
-# WARNING
-# !!!!!!! Setting this to "yes" may result in the server behaving
-# !!!!!!! strangely. The "username collision" code will ONLY work
-# !!!!!!! with clear-text passwords. Even then, it may not do what
-# !!!!!!! you want, or what you expect.
-# !!!!!!!
-# !!!!!!! We STRONGLY RECOMMEND that you do not use this feature,
-# !!!!!!! and that you find another way of acheiving the same goal.
-# !!!!!!!
-# !!!!!!! e,g. module fail-over. See 'doc/configurable_failover'
-# WARNING
-#
-usercollide = no
-
-# lower_user / lower_pass:
-# Lower case the username/password "before" or "after"
-# attempting to authenticate.
-#
-# If "before", the server will first modify the request and then try
-# to auth the user. If "after", the server will first auth using the
-# values provided by the user. If that fails it will reprocess the
-# request after modifying it as you specify below.
-#
-# This is as close as we can get to case insensitivity. It is the
-# admin's job to ensure that the username on the auth db side is
-# *also* lowercase to make this work
-#
-# Default is 'no' (don't lowercase values)
-# Valid values = "before" / "after" / "no"
-#
-lower_user = no
-lower_pass = no
-
-# nospace_user / nospace_pass:
-#
-# Some users like to enter spaces in their username or password
-# incorrectly. To save yourself the tech support call, you can
-# eliminate those spaces here:
-#
-# Default is 'no' (don't remove spaces)
-# Valid values = "before" / "after" / "no" (explanation above)
-#
-nospace_user = no
-nospace_pass = no
-
 # The program to execute to do concurrency checks.
 checkrad = ${sbindir}/checkrad
 
@@ -559,14 +543,17 @@ modules {
 
 # PAP module to authenticate users based on their stored password
 #
- # Supports multiple encryption schemes
- # clear: Clear text
- # crypt: Unix crypt
- # md5: MD5 ecnryption
- # sha1: SHA1 encryption.
- # DEFAULT: crypt
+ # Supports multiple encryption/hash schemes. See "man passwd"
+ # for details.
+ #
+ # The "auto_header" configuration item can be set to "yes".
+ # In this case, the module will look inside of the User-Password
+ # attribute for the headers {crypt}, {clear}, etc., and will
+ # automatically create the attribute on the right-hand side,
+ # with the correct value. It will also automatically handle
+ # Base-64 encoded data, hex strings, and binary data.
 pap {
- encryption_scheme = crypt
+ auto_header = no
 }
 
 # CHAP module
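Review bot: The rewritten `pap` comment no longer says which scheme applies when `auto_header = no`, now that `encryption_scheme = crypt` and the list of schemes are gone from this block. An administrator reading only this section cannot tell whether stored values are then treated as crypt, clear text or something else; a line such as `# With auto_header = no, the scheme is taken from <state the source here>` would close that gap. It would also help to state that with `auto_header = yes` the header inside the stored value selects the scheme, so a `{clear}` entry in the backing store is accepted as clear text.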
@@ -602,45 +589,11 @@ modules {
 # Unix /etc/passwd style authentication
 #
 unix {
+ # As of 1.1.0, the Unix module no longer reads,
+ # or caches /etc/passwd, /etc/shadow, or /etc/group.
+ # If you wish to cache those files, see the passwd
+ # module, above.
 #
- # Cache /etc/passwd, /etc/shadow, and /etc/group
- #
- # The default is to NOT cache them.
- #
- # For FreeBSD and NetBSD, you do NOT want to enable
- # the cache, as it's password lookups are done via a
- # database, so set this value to 'no'.
- #
- # Some systems (e.g. RedHat Linux with pam_pwbd) can
- # take *seconds* to check a password, when th passwd
- # file containing 1000's of entries. For those systems,
- # you should set the cache value to 'yes', and set
- # the locations of the 'passwd', 'shadow', and 'group'
- # files, below.
- #
- # allowed values: {no, yes}
- cache = no
-
- # Reload the cache every 600 seconds (10mins). 0 to disable.
- cache_reload = 600
-
- #
- # Define the locations of the normal passwd, shadow, and
- # group files.
- #
- # 'shadow' is commented out by default, because not all
- # systems have shadow passwords.
- #
- # To force the module to use the system password functions,
- # instead of reading the files, leave the following entries
- # commented out.
- #
- # This is required for some systems, like FreeBSD,
- # and Mac OSX.
- #
- # passwd = /etc/passwd
- # shadow = /etc/shadow
- # group = /etc/group
 
 #
 # The location of the "wtmp" file.
@@ -723,74 +676,109 @@ $INCLUDE ${confdir}/eap.conf # and sample authorize{} and authenticate{} blocks ldap { server = "ldap.your.domain" - # identity = "cn=admin,o=My Org,c=UA" - # password = mypass + #identity = "cn=admin,o=My Org,c=UA" + #password = mypass basedn = "o=My Org,c=UA" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" - # base_filter = "(objectclass=radiusprofile)" - - # set this to 'yes' to use TLS encrypted connections - # to the LDAP database by using the StartTLS extended - # operation. - # The StartTLS operation is supposed to be used with normal - # ldap connections instead of using ldaps (port 689) connections - start_tls = no - - # tls_cacertfile = /path/to/cacert.pem - # tls_cacertdir = /path/to/ca/dir/ - # tls_certfile = /path/to/radius.crt - # tls_keyfile = /path/to/radius.key - # tls_randfile = /path/to/rnd - # tls_require_cert = "demand" + #base_filter = "(objectclass=radiusprofile)" + + # How many connections to keep open to the LDAP server. + # This saves time over opening a new LDAP socket for + # every authentication request. + ldap_connections_number = 5 + + timeout = 4 + timelimit = 3 + net_timeout = 1 + + # + # This subsection configures the tls related items + # that control how FreeRADIUS connects to an LDAP + # server. It contains all of the "tls_*" configuration + # entries used in older versions of FreeRADIUS. Those + # configuration entries can still be used, but we recommend + # using these. + # + tls { + # Set this to 'yes' to use TLS encrypted connections + # to the LDAP database by using the StartTLS extended + # operation. 
+ # + # The StartTLS operation is supposed to be + # used with normal ldap connections instead of + # using ldaps (port 689) connections + start_tls = no + + # cacertfile = /path/to/cacert.pem + # cacertdir = /path/to/ca/dir/ + # certfile = /path/to/radius.crt + # keyfile = /path/to/radius.key + # randfile = /path/to/rnd + # require_cert = "demand" + } # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" - access_attr = "dialupAccess" + # access_attr = "dialupAccess" # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap - ldap_connections_number = 5 - - # - # NOTICE: The password_header directive is NOT case insensitive - # - # password_header = "{clear}" - # - # Set: - # password_attribute = nspmPassword - # - # to get the user's password from a Novell eDirectory - # backend. This will work *only if* freeRADIUS is - # configured to build with --with-edir option. - # - # - # The server can usually figure this out on its own, and pull - # the correct User-Password or NT-Password from the database. - # - # Note that NT-Passwords MUST be stored as a 32-digit hex - # string, and MUST start off with "0x", such as: - # - # 0x000102030405060708090a0b0c0d0e0f - # - # Without the leading "0x", NT-Passwords will not work. - # This goes for NT-Passwords stored in SQL, too. + # Set password_attribute = nspmPassword to get the + # user's password from a Novell eDirectory + # backend. This will work ONLY IF FreeRADIUS has been + # built with the --with-edir configure option. # # password_attribute = userPassword - # - # Un-comment the following to disable Novell eDirectory account - # policy check and intruder detection. This will work *only if* - # FreeRADIUS is configured to build with --with-edir option. - # - # edir_account_policy_check=no + + # As of 1.1.0, the LDAP module will auto-discover + # the password headers (which are non-standard). 
+ # It will use the following table to map passwords + # to RADIUS attributes. The PAP module (see above) + # can then automatically determine the hashing + # method to use to authenticate the user. + # + # Header Attribute + # ------ --------- + # {clear} User-Password + # {cleartext} User-Password + # {md5} MD5-Password + # {smd5} SMD5-Password + # {crypt} Crypt-Password + # {sha} SHA-Password + # {ssha} SSHA-Password + # {nt} NT-Password + # {ns-mta-md5} NS-MTA-MD5-Password + # + # + # The headers are compared in a case-insensitive manner. + # The format of the password in LDAP (base 64-encoded, hex, + # clear-text, whatever) is not that important. The PAP + # module will figure it out. + # + # The default for "auto_header" is "no", to enable backwards + # compatibility with the "password_header" directive, + # which is now deprecated. If this is set to "yes", + # then the above table will be used, and the + # "password_header" directive will be ignored. + + #auto_header = yes + + # Un-comment the following to disable Novell + # eDirectory account policy check and intruder + # detection. This will work *only if* FreeRADIUS is + # configured to build with --with-edir option. + # + #edir_account_policy_check = no + + # + # Group membership checking. Disabled by default. # # groupname_attribute = cn # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" # groupmembership_attribute = radiusGroupName - timeout = 4 - timelimit = 3 - net_timeout = 1 + # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes 
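Review bot: `access_attr = "dialupAccess"` goes from active to commented out in the `ldap` hunk with no comment explaining the new default. If the module treats an unset `access_attr` as "no per-user access check", every entry matched by `filter` becomes eligible for remote access after this change; a line above it such as `# Un-comment to require this attribute before a user is allowed access` would make the consequence visible. In the new `tls` subsection the comment still says `ldaps (port 689)`, while the registered LDAPS port is 636. With `start_tls = no` and `require_cert` left commented out, the bind `password` and the looked-up credentials presumably cross the network unencrypted by default, which the comment could say outright.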
@@ -826,8 +814,6 @@ $INCLUDE ${confdir}/eap.conf
 #
 # Field marked as ',' may contain a comma separated list
 # of attributes.
- # authtype - if record found this Auth-Type is used to authenticate
- # user
 # hashsize - hashtable size. If 0 or not specified records are not
 # stored in memory and file is red on every request.
 # allowmultiplekeys - if few records for every key are allowed
@@ -842,7 +828,6 @@ $INCLUDE ${confdir}/eap.conf
 #passwd etc_smbpasswd {
 # filename = /etc/smbpasswd
 # format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
- # authtype = MS-CHAP
 # hashsize = 100
 # ignorenislike = no
 # allowmultiplekeys = no
@@ -868,18 +853,10 @@ $INCLUDE ${confdir}/eap.conf
 # preacct sections.
 #
 # Four config options:
- # format - must be 'prefix' or 'suffix'
+ # format - must be "prefix" or "suffix"
+ # The special cases of "DEFAULT"
+ # and "NULL" are allowed, too.
 # delimiter - must be a single character
- # ignore_default - set to 'yes' or 'no'
- # ignore_null - set to 'yes' or 'no'
- #
- # ignore_default and ignore_null can be set to 'yes' to prevent
- # the module from matching against DEFAULT or NULL realms. This
- # may be useful if you have have multiple instances of the
- # realm module.
- #
- # They both default to 'no'.
- #
 
 # 'realm/username'
 #
@@ -887,8 +864,6 @@ $INCLUDE ${confdir}/eap.conf
 realm IPASS {
 format = prefix
 delimiter = "/"
- ignore_default = no
- ignore_null = no
 }
 
 # 'username@realm'
@@ -896,8 +871,6 @@ $INCLUDE ${confdir}/eap.conf
 realm suffix {
 format = suffix
 delimiter = "@"
- ignore_default = no
- ignore_null = no
 }
 
 # 'username%realm'
@@ -905,8 +878,6 @@ $INCLUDE ${confdir}/eap.conf
 realm realmpercent {
 format = suffix
 delimiter = "%"
- ignore_default = no
- ignore_null = no
 }
 
 #
@@ -915,8 +886,6 @@ $INCLUDE ${confdir}/eap.conf
 realm ntdomain {
 format = prefix
 delimiter = "\\"
- ignore_default = no
- ignore_null = no
 }
 
 # A simple value checking module
@@ -1090,6 +1059,18 @@ $INCLUDE ${confdir}/eap.conf
 # permissions restrictive, we can prevent unwanted
 # people from seeing that information.
 detailperm = 0600
+
+ #
+ # Every entry in th edetail file has a header which
+ # is a timestamp. By default, we use the ctime
+ # format (see "man ctime" for details).
+ #
+ # The header can be customized by editing this
+ # string. See "doc/variables.txt" for a description
+ # of what can be put here.
+ #
+ header = "%t"
+
 }
 
 #
@@ -1299,10 +1280,16 @@ $INCLUDE ${confdir}/eap.conf
 # attr_filter - filters the attributes received in replies from
 # proxied servers, to make sure we send back to our RADIUS client
 # only allowed attributes.
- attr_filter {
+ attr_filter attr_filter.post-proxy {
 attrsfile = ${confdir}/attrs
 }
 
+ # attr_filter - filters the attributes in the packets we send to
+ # the RADIUS home servers.
+ attr_filter attr_filter.pre-proxy {
+ attrsfile = ${confdir}/attrs.pre-proxy
+ }
+
 # counter module:
 # This module takes an attribute (count-attribute).
 # It also takes a key, and creates a counter for each unique
@@ -1347,6 +1334,8 @@ $INCLUDE ${confdir}/eap.conf
 # the radius.log
 # If the count attribute is Acct-Session-Time then on each login
 # we send back the remaining online time as a Session-Timeout attribute
+ # ELSE and if the return-attribute is set, we send back that attribute.
+ # The return-attribute is set MUST be of an integer type
 #
 # The counter-name can also be used instead of using the check-name
 # like below:
@@ -1373,6 +1362,7 @@ $INCLUDE ${confdir}/eap.conf
 counter-name = Daily-Session-Time
 check-name = Max-Daily-Session
 allowed-servicetype = Framed-User
+ #return-attribute = Session-Timeout
 cache-size = 5000
 }
 
@@ -1508,6 +1498,8 @@ $INCLUDE ${confdir}/eap.conf
 # The value of the attribute will be replaced with the output
 # of the program which is executed. Due to RADIUS protocol
 # limitations, any output over 253 bytes will be ignored.
+ #
+ # The module also registers a few paircompare functions
 expr {
 }
 
@@ -1522,6 +1514,48 @@ $INCLUDE ${confdir}/eap.conf
 }
 
 #
+ # The expiration module. This handles the Expiration attribute
+ # It should be included in the *end* of the authorize section
+ # in order to handle user Expiration. It should also be included
+ # in the instantiate section in order to register the Expiration
+ # compare function
+ #
+ expiration {
+ #
+ # The Reply-Message which will be sent back in case the
+ # account has expired. Dynamic substitution is supported
+ #
+ reply-message = "Password Has Expired\r\n"
+# reply-message = "Your account has expired, %{User-Name}\r\n"
+ }
+
+ # The logintime module. This handles the Login-Time,
+ # Current-Time, and Time-Of-Day attributes. It should be
+ # included in the *end* of the authorize section in order to
+ # handle Login-Time checks. It should also be included in the
+ # instantiate section in order to register the Current-Time
+ # and Time-Of-Day comparison functions.
+ #
+ # When the Login-Time attribute is set to some value, and the
+ # user has bene permitted to log in, a Session-Timeout is
+ # calculated based on the remaining time. See "doc/README".
+ #
+ logintime {
+ #
+ # The Reply-Message which will be sent back in case
+ # the account is calling outside of the allowed
+ # timespan. Dynamic substitution is supported.
+ #
+ reply-message = "You are calling outside your allowed timespan\r\n"
+# reply-message = "Outside allowed timespan (%{check:Login-Time}), %{User-Name}\r\n"
+
+ # The minimum timeout (in seconds) a user is allowed
+ # to have. If the calculated timeout is lower we don't
+ # allow the logon. Some NASes do not handle values
+ # lower than 60 seconds well.
+ minimum-timeout = 60
+ }
+ #
 # Execute external programs
 #
 # This module is useful only for 'xlat'. To use it,
@@ -1541,6 +1575,8 @@ $INCLUDE ${confdir}/eap.conf
 exec {
 wait = yes
 input_pairs = request
+ shell_escape = yes
+ output = none
 }
 
 #
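Review bot: `logintime { ... }` is defined in `modules` in the first hunk here (with `reply-message` and `minimum-timeout = 60`) and again, with an empty body and the comment `Don't worry about anything here for now..`, in the later hunk at `-1665,11 +1735,31`. Two definitions of the same instance name leave it to the parser which one `instantiate` and `authorize` pick up, and if the empty one wins, the 60-second minimum is silently lost; I would drop the second block. In `expiration`, the active `reply-message = "Password Has Expired\r\n"` speaks of a password while the module comment and the commented alternative speak of an expired account, so `"Your account has expired\r\n"` would match better. The comment typo `bene` should read `been`.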
@@ -1554,7 +1590,24 @@ $INCLUDE ${confdir}/eap.conf
 # one section (e.g. 'authorize', 'pre_proxy', etc), then it
 # is probably best to define a different instance of the
 # 'exec' module for every section.
- #
+ #
+ # The return value of the program run determines the result
+ # of the exec instance call as follows:
+ # (See doc/configurable_failover for details)
+ #
+ # < 0 : fail the module failed
+ # = 0 : ok the module succeeded
+ # = 1 : reject the module rejected the user
+ # = 2 : fail the module failed
+ # = 3 : ok the module succeeded
+ # = 4 : handled the module has done everything to handle the request
+ # = 5 : invalid the user's configuration entry was invalid
+ # = 6 : userlock the user was locked out
+ # = 7 : notfound the user was not found
+ # = 8 : noop the module did nothing
+ # = 9 : updated the module updated information in the request
+ # > 9 : fail the module failed
+ #
 exec echo {
 #
 # Wait for the program to finish.
@@ -1620,6 +1673,18 @@ $INCLUDE ${confdir}/eap.conf
 # being sent to the NAS.
 #
 #packet_type = Access-Accept
+
+ #
+ # Should we escape the environment variables?
+ #
+ # If this is set, all the RADIUS attributes
+ # are capitalised and dashes replaced with
+ # underscores. Also, RADIUS values are surrounded
+ # with double-quotes.
+ #
+ # That is to say: User-Name=BobUser => USER_NAME="BobUser"
+ shell_escape = yes
+
 }
 
 # Do server side ip pool management. Should be added in post-auth and
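Review bot: The new `shell_escape` comment in the second hunk describes renaming attributes and quoting values, but never says what `no` does, even though values such as User-Name originate from the client. A reader cannot tell from this text that switching the option off presumably hands attribute values to the program without the quoting described; I would add `# Leave this set to "yes" unless the program is known to handle unquoted, client-supplied values safely.` The heading `Should we escape the environment variables?` could also name the setting it documents.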
@@ -1630,10 +1695,15 @@ $INCLUDE ${confdir}/eap.conf
 # attribute in the user profiles and use different pools
 # for different users. The Pool-Name attribute is a *check* item not
 # a reply item.
+ # The Pool-Name should be set to the ippool module instance name or to
+ # DEFAULT to match any module.
 #
 # Example:
 # radiusd.conf: ippool students { [...] }
+ # ippool teachers { [...] }
 # users file : DEFAULT Group == students, Pool-Name := "students"
+ # DEFAULT Group == teachers, Pool-Name := "teachers"
+ # DEFAULT Group == other, Pool-Name := "DEFAULT"
 #
 # ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST *********
 # ********* THEN ERASE THE DB FILES *********
@@ -1665,11 +1735,31 @@ $INCLUDE ${confdir}/eap.conf
 # maximum-timeout: If not zero specifies the maximum time in seconds an
 # entry may be active. Default: 0
 maximum-timeout = 0
+
+ # The key to use for the session database (which holds the allocated ip's)
+ # normally it should just be the nas ip/port (which is the default)
+ #key = "%{NAS-IP-Address} %{NAS-Port}"
 }
 
 # OTP token support. Not included by default.
 # $INCLUDE ${confdir}/otp.conf
 
+ #
+ # Implements Login-Time, Current-Time, and Time-Of-Day
+ #
+ logintime {
+ #
+ # Don't worry about anything here for now..
+ #
+ }
+
+ #
+ # Kerberos. See doc/rlm_krb5 for minimal docs.
+ #
+# krb5 {
+# keytab = /path/to/keytab
+# service_principal = name_of_principle
+# }
 }
 
 # Instantiation
@@ -1714,6 +1804,22 @@ instantiate {
 # the check-name attribute before any module which sets
 # it
 # daily
+ expiration
+ logintime
+
+ # subsections here can be thought of as "virtual" modules.
+ #
+ # e.g. If you have two redundant SQL servers, and you want to
+ # use them in the authorize and accounting sections, you could
+ # place a "redundant" block in each section, containing the
+ # exact same text. Or, you could uncomment the following
+ # lines, and list "redundant_sql" in the authorize and
+ # accounting sections.
+ #
+ #redundant redundant_sql {
+ # sql1
+ # sql2
+ #}
 }
 
 # Authorization. First preprocess (hints and huntgroups files),
@@ -1741,8 +1847,6 @@ authorize {
 # un-comment the following line, and the 'detail auth_log'
 # section, above.
 # auth_log
-
-# attr_filter
 
 #
 # The chap module will set 'Auth-Type := CHAP' if we are
@@ -1758,6 +1862,14 @@ authorize {
 mschap
 
 #
+ # Pull crypt'd passwords from /etc/passwd or /etc/shadow,
+ # using the system API's to get the password. If you want
+ # to read /etc/passwd or /etc/shadow directly, see the
+ # passwd module, above.
+ #
+ unix
+
+ #
 # If you have a Cisco SIP server authenticating against
 # FreeRADIUS, uncomment the following line, and the 'digest'
 # line in the 'authenticate' section.
@@ -1815,6 +1927,22 @@ authorize {
 #
 # Use the checkval module
 # checkval
+
+ expiration
+ logintime
+
+ #
+ # If no other module has claimed responsibility for
+ # authentication, then try to use PAP. This allows the
+ # other modules listed above to add a "known good" password
+ # to the request, and to do nothing else. The PAP module
+ # will then see that password, and use it to do PAP
+ # authentication.
+ #
+ # This module should be listed last, so that the other modules
+ # get a chance to set Auth-Type for themselves.
+ #
+ pap
 }
 
 
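Review bot: Listing `unix` in `authorize` (the hunk at `-1758,6 +1862,14`) makes the default configuration pull system account hashes through the system API, as its own comment says, yet the comment does not mention what that requires or implies. Where shadow passwords are in use the server's run-time user presumably needs read access to `/etc/shadow`, and with `pap` now listed last in the same section, local system accounts appear to become usable for RADIUS logins by default. I would add a line such as `# Remove this line if system accounts should not be able to authenticate via RADIUS.`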
@@ -2037,6 +2165,11 @@ pre-proxy {
 # as defined in the preproxy_users file.
 # files
 
+ # Uncomment the following line if you want to filter requests
+ # sent to remote servers based on the rules defined in the
+ # 'attrs.pre-proxy' file.
+# attr_filter.pre-proxy
+
 # If you want to have a log of packets proxied to a home
 # server, un-comment the following line, and the
 # 'detail pre_proxy_log' section, above.
@@ -2059,8 +2192,7 @@ post-proxy {
 
 # Uncomment the following line if you want to filter replies from
 # remote proxies based on the rules defined in the 'attrs' file.
-
-# attr_filter
+# attr_filter.post-proxy
 
 #
 # If you are proxying LEAP, you MUST configure the EAP