X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=raddb%2Fradrelay.conf.in;h=d3d6c93c060aa72e6572259c731f3501d49964ea;hb=HEAD;hp=c82fd3d3190b354d0ce584821e8d8399850a56a1;hpb=1c4fbb8d7d5beb5319193cbbc73b79b91caf065d;p=freeradius.git
diff --git a/raddb/radrelay.conf.in b/raddb/radrelay.conf.in
index c82fd3d..d3d6c93 100644
--- a/raddb/radrelay.conf.in
+++ b/raddb/radrelay.conf.in
@@ -1,18 +1,32 @@
+# -*- text -*-
 ##
-## radrelay.conf -- FreeRADIUS server configuration file.
+## radrelay.conf -- FreeRADIUS server configuration file.
+##
+## Use with: radiusd -n radrelay
 ##
 ## http://www.freeradius.org/
 ## $Id$
 ##
+
+######################################################################
 #
-# This configuration file is for the "radrelay" personality
-# of FreeRADIUS. It contains some of the same configuration
-# items as "radiusd.conf", but many have been deleted, as they
-# do not apply to "radrelay".
+# This file is a sample configuration that replaces the old
+# "radrelay" program. It is a *minimal* configuration that
+# does little more than read the detail file, and proxy the
+# packets to a home server. If you need it to do more than
+# just replace radrelay, you will need to add additional
+# configuration.
 #
-# The server reads this file when it is run as "radiusd -n radrelay".
+# See raddb/sites-available/copy-acct-to-home-server for a
+# more complete example. That example is intended to be run
+# as part of a larger radius configuration, where the server
+# also listens on ports 1812, etc. The example given here
+# is a minimal example that has ONLY radrelay functionality.
 #
+# See radiusd.conf for a complete description of the configuration
+# parameters used here.
 #
+######################################################################
 
 prefix = @prefix@
 exec_prefix = @exec_prefix@
@@ -23,573 +37,130 @@ logdir = @logdir@ raddbdir = @raddbdir@ radacctdir = @radacctdir@ -# Location of config and logfiles. -confdir = ${raddbdir} -run_dir = ${localstatedir}/run/radiusd - -# -# The logging messages for the server are appended to the -# tail of this file. -# -log_file = ${logdir}/radius.log - -# -# Destination for log messages. This can be one of: # -# files - log to ${log_file}, as defined above. -# syslog - to syslog (see also the log{} section, below) -# stdout - standard output -# stderr - standard error. +# name of the running server. See also the "-n" command-line option. # -# The command-line option "-X" over-rides this option, and forces -# logging to go to stdout. -# -log_destination = files +name = radrelay # -# libdir: Where to find the rlm_* modules. -# -# This should be automatically set at configuration time. -# -# If the server builds and installs, but fails at execution time -# with an 'undefined symbol' error, then you can use the libdir -# directive to work around the problem. -# -# The cause is usually that a library has been installed on your -# system in a place where the dynamic linker CANNOT find it. When -# executing as root (or another user), your personal environment MAY -# be set up to allow the dynamic linker to find the library. When -# executing as a daemon, FreeRADIUS MAY NOT have the same -# personalized configuration. -# -# To work around the problem, find out which library contains that symbol, -# and add the directory containing that library to the end of 'libdir', -# with a colon separating the directory names. NO spaces are allowed. -# -# e.g. libdir = /usr/local/lib:/opt/package/lib -# -# You can also try setting the LD_LIBRARY_PATH environment variable -# in a script which starts the server. 
-# -# If that does not work, then you can re-configure and re-build the -# server to NOT use shared libraries, via: -# -# ./configure --disable-shared -# make -# make install +# Generic configuration # +confdir = ${raddbdir} +run_dir = ${localstatedir}/run/${name} libdir = @libdir@ +pidfile = ${run_dir}/${name}.pid -# pidfile: Where to place the PID of the RADIUS server. -# -# The server may be signalled while it's running by using this -# file. -# -# This file is written when ONLY running in daemon mode. # -# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid` +# Request handling configuration # -pidfile = ${run_dir}/radrelay.pid - -# -# radrelay doesn't need any special permissions to run. -# -#user = nobody -#group = nobody - max_request_time = 30 -delete_blocked_requests = no cleanup_delay = 5 -max_requests = 1024 +max_requests = 65536 # -# You can have as many "listen" sections as you want. -# -# The server CANNOT listen on type "detail" and type "acct" -# at the same time. +# Logging section. # -listen { - type = detail - - # where the detail file is located - detail = ${confdir}/detail - - # - - # Send no more than N requests to the server at once. - # If this is set to 0 (zero), then the requests will be read - # from the detail file as fast as possible, potentially - # overwhelming the server. - # - max_outstanding = 100 - - - # - # Server identity. This lets you tell the different "listen" - # sections apart. When a packet is read from a detail file, - # the Server-Identity attribute will be set to the value below - # for that packet. - # - identity = radrelay -} - - -hostname_lookups = no - log { - syslog_facility = daemon + destination = files + file = ${logdir}/${name}.log } -# PROXY CONFIGURATION -# -# proxy_requests: Turns proxying of RADIUS requests on or off. -# -# The server has proxying turned on by default. If your system is NOT -# set up to proxy requests to another server, then you can turn proxying -# off here. 
This will save a small amount of resources on the server. -# -# If you have proxying turned off, and your configuration files say -# to proxy a request, then an error message will be logged. -# -# To disable proxying, change the "yes" to "no", and comment the -# $INCLUDE line. # -# allowed values: {no, yes} +# Security configuration # -proxy_requests = yes -$INCLUDE ${confdir}/proxy.conf +security { + max_attributes = 200 + # reject_delay && status_server don't apply when we are + # only reading accounting packets from the detail file +} -# CLIENTS CONFIGURATION -# -# Client configuration is defined in "clients.conf". # -# The "radrelay" personality of the server does not have -# any clients, and does not need, or read, "clients.conf". - - -# SNMP CONFIGURATION +# If you need more modules, add them here. # -# The "radrelay" personality of the server does not have -# any SNMP configuration. - +modules { + $INCLUDE ${confdir}/modules/always +} -# THREAD POOL CONFIGURATION # -# Threads are less useful for radrelay than for radiusd. -# This section is here just to remind you that it can be controlled. +# If you need to instantiate modules, add them here. # -thread pool { - start_servers = 5 - max_servers = 32 - min_spare_servers = 3 - max_spare_servers = 10 +instantiate { } -# MODULE CONFIGURATION -# -# The names and configuration of each module is located in this section. # -# Some modules have been deleted from this section. e.g +# Configuration of home servers, etc. # -# pap -# chap -# mschap -# eap -# detail -# unix -# radutmp +proxy_requests = yes + # -# It doesn't make sense to use these modules when the server is running -# as "radrelay". +# See proxy.conf for additional home server configuration. # -modules { - # Realm module, for proxying. - # - # You can have multiple instances of the realm module to - # support multiple realm syntaxs at the same time. The - # search order is defined by the order in the authorize and - # preacct sections. 
- # - # Four config options: - # format - must be "prefix" or "suffix" - # The special cases of "DEFAULT" - # and "NULL" are allowed, too. - # delimiter - must be a single character +home_server home1 { + type = acct - # 'realm/username' # - # Using this entry, IPASS users have their realm set to "IPASS". - realm IPASS { - format = prefix - delimiter = "/" - } - - # 'username@realm' + # This directive replaces the "-r" command-line option + # in radrelay # - realm suffix { - format = suffix - delimiter = "@" - } + ipaddr = 192.168.10.20 - # 'username%realm' - # - realm realmpercent { - format = suffix - delimiter = "%" - } + port = 1812 # - # 'domain\user' + # This directive replaces the "-i" command-line option + # in radrelay # - realm ntdomain { - format = prefix - delimiter = "\\" - } +# src_ipaddr = 192.168.1.1 - # A simple value checking module # - # It can be used to check if an attribute value in the request - # matches a (possibly multi valued) attribute in the check - # items This can be used for example for caller-id - # authentication. For the module to run, both the request - # attribute and the check items attribute must exist + # This directive replaces the "-s", "-S", and "-n" command-line + # options in radrelay # - # i.e. - # A user has an ldap entry with 2 radiusCallingStationId - # attributes with values "12345678" and "12345679". If we - # enable rlm_checkval, then any request which contains a - # Calling-Station-Id with one of those two values will be - # accepted. Requests with other values for - # Calling-Station-Id will be rejected. - # - # Regular expressions in the check attribute value are allowed - # as long as the operator is '=~' - # - checkval { - # The attribute to look for in the request - item-name = Calling-Station-Id - - # The attribute to look for in check items. Can be multi valued - check-name = Calling-Station-Id - - # The data type. 
Can be - # string,integer,ipaddr,date,abinary,octets - data-type = string - - # If set to yes and we dont find the item-name attribute in the - # request then we send back a reject - # DEFAULT is no - #notfound-reject = no - } - - # rewrite arbitrary packets. Useful in accounting and authorization. - # - # - # The module can also use the Rewrite-Rule attribute. If it - # is set and matches the name of the module instance, then - # that module instance will be the only one which runs. - # - # Also if new_attribute is set to yes then a new attribute - # will be created containing the value replacewith and it - # will be added to searchin (packet, reply, proxy, proxy_reply or config). - # searchfor,ignore_case and max_matches will be ignored in that case. - # - # Backreferences are supported: %{0} will contain the string the whole match - # and %{1} to %{8} will contain the contents of the 1st to the 8th parentheses - # - # If max_matches is greater than one the backreferences will correspond to the - # first match - - # - #attr_rewrite sanecallerid { - # attribute = Called-Station-Id - # may be "packet", "reply", "proxy", "proxy_reply" or "config" - # searchin = packet - # searchfor = "[+ ]" - # replacewith = "" - # ignore_case = no - # new_attribute = no - # max_matches = 10 - # ## If set to yes then the replace string will be appended to the original string - # append = no - #} - - # Preprocess the incoming RADIUS request, before handing it off - # to other modules. - # - # This module processes the 'huntgroups' and 'hints' files. - # In addition, it re-writes some weird attributes created - # by some NASes, and converts the attributes into a form which - # is a little more standard. - # - preprocess { - huntgroups = ${confdir}/huntgroups - hints = ${confdir}/hints - - # This hack changes Ascend's wierd port numberings - # to standard 0-??? port numbers so that the "+" works - # for IP address assignments. 
- with_ascend_hack = no - ascend_channels_per_line = 23 - - # Windows NT machines often authenticate themselves as - # NT_DOMAIN\username - # - # If this is set to 'yes', then the NT_DOMAIN portion - # of the user-name is silently discarded. - # - # This configuration entry SHOULD NOT be used. - # See the "realms" module for a better way to handle - # NT domains. - with_ntdomain_hack = no - - # Specialix Jetstream 8500 24 port access server. - # - # If the user name is 10 characters or longer, a "/" - # and the excess characters after the 10th are - # appended to the user name. - # - # If you're not running that NAS, you don't need - # this hack. - with_specialix_jetstream_hack = no - - # Cisco (and Quintum in Cisco mode) sends it's VSA attributes - # with the attribute name *again* in the string, like: - # - # H323-Attribute = "h323-attribute=value". - # - # If this configuration item is set to 'yes', then - # the redundant data in the the attribute text is stripped - # out. The result is: - # - # H323-Attribute = "value" - # - # If you're not running a Cisco or Quintum NAS, you don't - # need this hack. - with_cisco_vsa_hack = no - } - - # Livingston-style 'users' file - # - files { - usersfile = ${confdir}/users - acctusersfile = ${confdir}/acct_users - - # If you want to use the old Cistron 'users' file - # with FreeRADIUS, you should change the next line - # to 'compat = cistron'. You can the copy your 'users' - # file from Cistron. - compat = no - } - - # Create a unique accounting session Id. Many NASes re-use or - # repeat values for Acct-Session-Id, causing no end of - # confusion. - # - # This module will add a (probably) unique session id - # to an accounting packet based on the attributes listed - # below found in the packet. See doc/rlm_acct_unique for - # more information. - # - acct_unique { - key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" - } - - - # Include another file that has the SQL-related configuration. 
- # This is another file only because it tends to be big. - # - # The following configuration file is for use with MySQL. - # - # For Postgresql, use: ${confdir}/postgresql.conf - # For MS-SQL, use: ${confdir}/mssql.conf - # For Oracle, use: ${confdir}/oraclesql.conf - # -# $INCLUDE ${confdir}/sql.conf - - - # For Cisco VoIP specific accounting with Postgresql, - # use: ${confdir}/pgsql-voip.conf - # - # You will also need the sql schema from: - # src/billing/cisco_h323_db_schema-postgres.sql - # Note: This config can be use AS WELL AS the standard sql - # config if you need SQL based Auth - - # The "always" module is here for debugging purposes. Each - # instance simply returns the same result, always, without - # doing anything. - always fail { - rcode = fail - } - always reject { - rcode = reject - } - always ok { - rcode = ok - simulcount = 0 - mpp = no - } - - # - # The 'expression' module currently has no configuration. - # - # This module is useful only for 'xlat'. To use it, - # put 'exec' into the 'instantiate' section. You can then - # do dynamic translation of attributes like: - # - # Attribute-Name = `%{expr:2 + 3 + %{exec: uid -u}}` - # - # The value of the attribute will be replaced with the output - # of the program which is executed. Due to RADIUS protocol - # limitations, any output over 253 bytes will be ignored. - # - # The module also registers a few paircompare functions - expr { - } - - # - # Execute external programs - # - # This module is useful only for 'xlat'. To use it, - # put 'exec' into the 'instantiate' section. You can then - # do dynamic translation of attributes like: - # - # Attribute-Name = `%{exec:/path/to/program args}` - # - # The value of the attribute will be replaced with the output - # of the program which is executed. Due to RADIUS protocol - # limitations, any output over 253 bytes will be ignored. 
- # - # The RADIUS attributes from the user request will be placed - # into environment variables of the executed program, as - # described in 'doc/variables.txt' - # - exec { - wait = yes - input_pairs = request - shell_escape = yes - } + secret = testing123 } -# Instantiation -# -# This section orders the loading of the modules. Modules -# listed here will get loaded BEFORE the later sections like -# authorize, authenticate, etc. get examined. -# -# This section is not strictly needed. When a section like -# authorize refers to a module, it's automatically loaded and -# initialized. However, some modules may not be listed in any -# of the following sections, so they can be listed here. # -# Also, listing modules here ensures that you have control over -# the order in which they are initalized. If one module needs -# something defined by another module, you can list them in order -# here, and ensure that the configuration will be OK. +# List one or more home servers here for fail-over, load-balancing, etc. # -instantiate { - exec - expr - - # subsections here can be thought of as "virtual" modules. - # - # e.g. If you have two redundant SQL servers, and you want to - # use them in the authorize and accounting sections, you could - # place a "redundant" block in each section, containing the - # exact same text. Or, you could uncomment the following - # lines, and list "redundant_sql" in the authorize and - # accounting sections. - # - #redundant redundant_sql { - # sql1 - # sql2 - #} +home_server_pool radrelay { + type = fail-over + home_server = home1 } # -# There are no authorize, authenticate, or post-auth sections. +# A dummy realm. # +realm radrelay { + acct_pool = radrelay +} # -# Pre-accounting. Decide which accounting type to use. +# Read the detail file. # -preacct { - preprocess - - # - # Ensure that we have a semi-unique identifier for every - # request, and many NAS boxes are broken. 
- acct_unique +listen { + type = detail # - # Look for IPASS-style 'realm/', and if not found, look for - # '@realm', and decide whether or not to proxy, based on - # that. + # The "radacctdir" parameter below replaces the "-a" command- + # line option in radrelay. The "detail" parameter replaces + # the "detailfile" command-line option in radrelay # - # Accounting requests are generally proxied to the same - # home server as authentication requests. -# IPASS - suffix -# ntdomain - - # - # Read the 'acct_users' file - files + filename = ${radacctdir}/detail + load_factor = 90 } # -# Accounting. Log the accounting data. +# See also raddb/sites-available/copy-acct-to-home-server +# for additional description. # -accounting { - # - # Log traffic to an SQL database. +preacct { # - # See "Accounting queries" in sql.conf -# sql - - - # Cisco VoIP specific bulk accounting -# pgsql-voip - -} - - -# -# When the server decides to proxy a request to a home server, -# the proxied request is first passed through the pre-proxy -# stage. This stage can re-write the request, or decide to -# cancel the proxy. -# -# Only a few modules currently have this method. -# -pre-proxy { -# attr_rewrite - - # If you want to have a log of packets proxied to a home - # server, un-comment the following line, and the - # 'detail pre_proxy_log' section, above. -# pre_proxy_log -} - -# -# When the server receives a reply to a request it proxied -# to a home server, the request may be massaged here, in the -# post-proxy stage. -# -post-proxy { + # Proxy the packet using the given realm. + # Note that we do not use the realm for anything else such + # as prefix/suffix stripping or comparisons. # - - # If you want to have a log of replies from a home server, - # un-comment the following line, and the 'detail post_proxy_log' - # section, above. 
-# post_proxy_log - -# attr_rewrite - - # Uncomment the following line if you want to filter replies from - # remote proxies based on the rules defined in the 'attrs' file. - -# attr_filter + update control { + Proxy-To-Realm := "radrelay" + } }
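Review bot: The new `home_server home1` block in this hunk ships `secret = testing123` together with `port = 1812` for a `type = acct` server; the secret is the well-known FreeRADIUS sample value, and 1812 is the authentication port, so accounting packets proxied to a home server listening on the conventional accounting port would be dropped or rejected (inferred from the port convention, not visible in the hunk). I would change the port line to `port = 1813` unless the home server really takes accounting on 1812, and annotate the secret with `# CHANGE THIS: must match the home server's client secret; never deploy the sample value`. The hunk also removes the old commented `#user = nobody` / `#group = nobody` hints without a replacement, so an operator copying this minimal file gets no cue to drop privileges after startup; restoring those two commented lines under the "Generic configuration" heading would keep that reminder.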