wish to read through them all before making and changes.
-edit radiusd.conf::
-
- ----Begin radiusd.conf----
- ##
- ## radiusd.conf -- FreeRADIUS server configuration file.
- ##
-
- prefix = /usr/local
- exec_prefix = ${prefix}
- sysconfdir = /usr/local/etc/raddb
- localstatedir = ${prefix}/var
- sbindir = ${exec_prefix}/sbin
- logdir = /var/log
- raddbdir = /usr/local/etc/raddb
- radacctdir = /var/log/radacct
-
- # Location of config and logfiles.
- confdir = ${raddbdir}
- run_dir = ${localstatedir}/run/radiusd
- log_file = ${logdir}/radius.log
- libdir = ${exec_prefix}/lib
- pidfile = ${run_dir}/radiusd.pid
-
- #user = nobody
- #group = nobody
-
- max_request_time = 30
- delete_blocked_requests = no
- cleanup_delay = 5
- max_requests = 0
- bind_address = *
- port = 0
- hostname_lookups = no
- allow_core_dumps = no
- log_stripped_names = no
- log_auth = no
- log_auth_badpass = no
- log_auth_goodpass = no
-
- # The program to execute to do concurrency checks.
- #checkrad = ${sbindir}/checkrad
-
- security {
- max_attributes = 200
- reject_delay = 0
- status_server = no
- }
-
- proxy_requests = yes
- $INCLUDE ${confdir}/proxy.conf
-
- $INCLUDE ${confdir}/clients.conf
-
- thread pool {
- start_servers = 5
- max_servers = 32
- min_spare_servers = 3
- max_spare_servers = 10
- max_requests_per_server = 0
- }
-
- modules {
-
- ldap {
- server = "localhost"
- identity = "uid=freeradius,ou=admins,ou=radius,dc=mydomain,dc=com"
- password = example
- basedn = "ou=users,ou=radius,dc=mydomain,dc=com"
- filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})
- (objectclass=radiusprofile)"
- start_tls = no
- tls_mode = no
- #default_profile = "uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com"
- #profile_attribute = "radiusProfileDn"
- dictionary_mapping = ${raddbdir}/ldap.attrmap
- ldap_cache_timeout = 120
- ldap_cache_size = 0
- ldap_connections_number = 10
- #password_header = "{clear}"
- password_attribute = userPassword
- groupname_attribute = radiusGroupName
- groupmembership_filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))
- (objectclass=radiusProfile)"
- groupmembership_attribute = radiusGroupName
- timeout = 3
- timelimit = 5
- net_timeout = 1
- compare_check_items = no
- #access_attr_used_for_allow = yes
- }
-
- realm suffix {
- format = suffix
- delimiter = "@"
- }
-
- preprocess {
- huntgroups = ${confdir}/huntgroups
- #hints = ${confdir}/hints
- with_ascend_hack = no
- ascend_channels_per_line = 23
- with_ntdomain_hack = no
- with_specialix_jetstream_hack = no
- with_cisco_vsa_hack = no
- }
-
- files {
- usersfile = ${confdir}/users
- #acctusersfile = ${confdir}/acct_users
- compat = no
- #use old style users
- }
- # regular detail files
- detail detail1 {
- filename = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
- permissions = 0600
- dir_permissions = 0755
- }
- # temp detail file to replicate to accountrad
- detail detail2 {
- filename = ${radacctdir}/detail-combined
- permissions = 0600
- dir_permissions = 0755
- locking = yes
- }
-
- #radutmp {
- # filename = ${logdir}/radutmp
- # permissions = 0600
- # caller_id = "yes"
- #}
-
- #radutmp sradutmp {
- # filename = ${logdir}/sradutmp
- # permissions = 0644
- # caller_id = "no"
- #}
-
- #attr_filter {
- # attrsfile = ${confdir}/attrs
- #}
-
-
- # The "always" module is here for debugging purposes. Each
- # instance simply returns the same result, always, without
- # doing anything.
- always fail {
- rcode = fail
- }
- always reject {
- rcode = reject
- }
- always ok {
- rcode = ok
- simulcount = 0
- mpp = no
- }
-
- #
- # The 'expression' module current has no configuration.
- expr {
- }
-
- }
-
- instantiate {
- expr
- }
-
- authorize {
- preprocess
- suffix
- files
- ldap
- }
-
- authenticate {
- authtype LDAP {
- ldap
- }
- }
-
- preacct {
- preprocess
- suffix
- files
- }
-
- accounting {
- acct_unique
- detail1
- detail2
- #radutmp
- #sradutmp
- }
-
-
- #session {
- #radutmp
- #}
-
- #post-auth {
- # Get an address from the IP Pool.
- #main_pool
- #}
- ----End radiusd.conf----
-
-
edit huntgroups to specify a NAS to a huntgroup::
----Begin huntgroups----
}
#ifdef WITH_COA
- if (request->packet->code == request->proxy->code)
+ if (request->packet->code == request->proxy->code) {
/*
* Don't run the next bit if we originated a CoA
* packet, after receiving an Access-Request or
*/
#endif
- /*
- * There may NOT be a proxy reply, as we may be
- * running Post-Proxy-Type = Fail.
- */
- if (reply) {
- fr_pair_add(&request->reply->vps, fr_pair_list_copy(request->reply, reply->vps));
-
/*
- * Delete the Proxy-State Attributes from
- * the reply. These include Proxy-State
- * attributes from us and remote server.
+ * There may NOT be a proxy reply, as we may be
+ * running Post-Proxy-Type = Fail.
*/
- fr_pair_delete_by_num(&request->reply->vps, PW_PROXY_STATE, 0, TAG_ANY);
- }
+ if (reply) {
+ fr_pair_add(&request->reply->vps, fr_pair_list_copy(request->reply, reply->vps));
+
+ /*
+ * Delete the Proxy-State Attributes from
+ * the reply. These include Proxy-State
+ * attributes from us and remote server.
+ */
+ fr_pair_delete_by_num(&request->reply->vps, PW_PROXY_STATE, 0, TAG_ANY);
+ } else {
+ vp = fr_pair_find_by_num(request->config, PW_RESPONSE_PACKET_TYPE, 0, TAG_ANY);
+ if (vp) {
+ request->proxy_reply = rad_alloc_reply(request, request->proxy);
+ request->proxy_reply->code = vp->vp_integer;
+ fr_pair_delete_by_num(&request->config, PW_RESPONSE_PACKET_TYPE, 0, TAG_ANY);
+ }
+ }
+#ifdef WITH_COA
+ }
+#endif
switch (rcode) {
default: /* Don't do anything */
break;