3 ## radiusd.conf -- FreeRADIUS server configuration file.
5 ## http://www.freeradius.org/
9 ######################################################################
11 # Read "man radiusd" before editing this file. See the section
12 # titled DEBUGGING. It outlines a method where you can quickly
13 # obtain the configuration you want, without running into
16 # Run the server in debugging mode, and READ the output.
20 # We cannot emphasize this point strongly enough. The vast
21 # majority of problems can be solved by carefully reading the
22 # debugging output, which includes warnings about common issues,
23 # and suggestions for how they may be fixed.
25 # There may be a lot of output, but look carefully for words like:
26 # "warning", "error", "reject", or "failure". The messages there
27 # will usually be enough to guide you to a solution.
29 # If you are going to ask a question on the mailing list, then
30 # explain what you are trying to do, and include the output from
31 # debugging mode (radiusd -X). Failure to do so means that all
32 # of the responses to your question will be people telling you
33 # to "post the output of radiusd -X".
35 ######################################################################
37 # The location of other config files and logfiles are declared
40 # Also general configuration for modules can be done in this
41 # file, it is exported through the API to modules that ask for
44 # See "man radiusd.conf" for documentation on the format of this
45 # file. Note that the individual configuration items are NOT
46 # documented in that "man" page. They are only documented here,
49 # As of 2.0.0, FreeRADIUS supports a simple processing language
50 # in the "authorize", "authenticate", "accounting", etc. sections.
51 # See "man unlang" for details.
55 exec_prefix = @exec_prefix@
56 sysconfdir = @sysconfdir@
57 localstatedir = @localstatedir@
61 radacctdir = @radacctdir@
64 # name of the running server. See also the "-n" command-line option.
67 # Location of config and logfiles.
69 run_dir = ${localstatedir}/run/${name}
71 # Should likely be ${localstatedir}/lib/radiusd
75 # libdir: Where to find the rlm_* modules.
77 # This should be automatically set at configuration time.
79 # If the server builds and installs, but fails at execution time
80 # with an 'undefined symbol' error, then you can use the libdir
81 # directive to work around the problem.
83 # The cause is usually that a library has been installed on your
84 # system in a place where the dynamic linker CANNOT find it. When
85 # executing as root (or another user), your personal environment MAY
86 # be set up to allow the dynamic linker to find the library. When
87 # executing as a daemon, FreeRADIUS MAY NOT have the same
88 # personalized configuration.
90 # To work around the problem, find out which library contains that symbol,
91 # and add the directory containing that library to the end of 'libdir',
92 # with a colon separating the directory names. NO spaces are allowed.
94 # e.g. libdir = /usr/local/lib:/opt/package/lib
96 # You can also try setting the LD_LIBRARY_PATH environment variable
97 # in a script which starts the server.
99 # If that does not work, then you can re-configure and re-build the
100 # server to NOT use shared libraries, via:
102 # ./configure --disable-shared
108 # pidfile: Where to place the PID of the RADIUS server.
110 # The server may be signalled while it's running by using this
113 # This file is written when ONLY running in daemon mode.
115 # e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
117 pidfile = ${run_dir}/${name}.pid
119 # chroot: directory where the server does "chroot".
121 # The chroot is done very early in the process of starting the server.
122 # After the chroot has been performed it switches to the "user" listed
123 # below (which MUST be specified). If "group" is specified, it switchs
124 # to that group, too. Any other groups listed for the specified "user"
125 # in "/etc/group" are also added as part of this process.
127 # The current working directory (chdir / cd) is left *outside* of the
128 # chroot until all of the modules have been initialized. This allows
129 # the "raddb" directory to be left outside of the chroot. Once the
130 # modules have been initialized, it does a "chdir" to ${logdir}. This
131 # means that it should be impossible to break out of the chroot.
133 # If you are worried about security issues related to this use of chdir,
134 # then simply ensure that the "raddb" directory is inside of the chroot,
135 # end be sure to do "cd raddb" BEFORE starting the server.
137 # If the server is statically linked, then the only files that have
138 # to exist in the chroot are ${run_dir} and ${logdir}. If you do the
139 # "cd raddb" as discussed above, then the "raddb" directory has to be
140 # inside of the chroot directory, too.
142 #chroot = /path/to/chroot/directory
144 # user/group: The name (or #number) of the user/group to run radiusd as.
146 # If these are commented out, the server will run as the user/group
147 # that started it. In order to change to a different user/group, you
148 # MUST be root ( or have root privleges ) to start the server.
150 # We STRONGLY recommend that you run the server with as few permissions
151 # as possible. That is, if you're not using shadow passwords, the
152 # user and group items below should be set to radius'.
154 # NOTE that some kernels refuse to setgid(group) when the value of
155 # (unsigned)group is above 60000; don't use group nobody on these systems!
157 # On systems with shadow passwords, you might have to set 'group = shadow'
158 # for the server to be able to read the shadow password file. If you can
159 # authenticate users while in debug mode, but not in daemon mode, it may be
160 # that the debugging mode server is running as a user that can read the
161 # shadow info, and the user listed below can not.
163 # The server will also try to use "initgroups" to read /etc/groups.
164 # It will join all groups where "user" is a member. This can allow
165 # for some finer-grained access controls.
170 # panic_action: Command to execute if the server dies unexpectedly.
172 # FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.
173 # AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.
174 # AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART.
176 # The panic action is a command which will be executed if the server
177 # receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS,
180 # This can be used to start an interactive debugging session so
181 # that information regarding the current state of the server can
184 # The following string substitutions are available:
185 # - %e The currently executing program e.g. /sbin/radiusd
186 # - %p The PID of the currently executing program e.g. 12345
188 # Standard ${} substitutions are also allowed.
190 # An example panic action for opening an interactive session in GDB would be:
192 #panic_action = "gdb %e %p"
194 # Again, don't use that on a production system.
196 # An example panic action for opening an automated session in GDB would be:
198 #panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p > ${logdir}/gdb-%e-%p.log 2>&1"
200 # That command can be used on a production system.
203 # max_request_time: The maximum time (in seconds) to handle a request.
205 # Requests which take more time than this to process may be killed, and
206 # a REJECT message is returned.
208 # WARNING: If you notice that requests take a long time to be handled,
209 # then this MAY INDICATE a bug in the server, in one of the modules
210 # used to handle a request, OR in your local configuration.
212 # This problem is most often seen when using an SQL database. If it takes
213 # more than a second or two to receive an answer from the SQL database,
214 # then it probably means that you haven't indexed the database. See your
215 # SQL server documentation for more information.
217 # Useful range of values: 5 to 120
219 max_request_time = 30
221 # cleanup_delay: The time to wait (in seconds) before cleaning up
222 # a reply which was sent to the NAS.
224 # The RADIUS request is normally cached internally for a short period
225 # of time, after the reply is sent to the NAS. The reply packet may be
226 # lost in the network, and the NAS will not see it. The NAS will then
227 # re-send the request, and the server will respond quickly with the
230 # If this value is set too low, then duplicate requests from the NAS
231 # MAY NOT be detected, and will instead be handled as seperate requests.
233 # If this value is set too high, then the server will cache too many
234 # requests, and some new requests may get blocked. (See 'max_requests'.)
236 # Useful range of values: 2 to 10
240 # max_requests: The maximum number of requests which the server keeps
241 # track of. This should be 256 multiplied by the number of clients.
242 # e.g. With 4 clients, this number should be 1024.
244 # If this number is too low, then when the server becomes busy,
245 # it will not respond to any new requests, until the 'cleanup_delay'
246 # time has passed, and it has removed the old requests.
248 # If this number is set too high, then the server will use a bit more
249 # memory for no real benefit.
251 # If you aren't sure what it should be set to, it's better to set it
252 # too high than too low. Setting it to 1000 per client is probably
253 # the highest it should be.
255 # Useful range of values: 256 to infinity
259 # listen: Make the server listen on a particular IP address, and send
260 # replies out from that address. This directive is most useful for
261 # hosts with multiple IP addresses on one interface.
263 # If you want the server to listen on additional addresses, or on
264 # additionnal ports, you can use multiple "listen" sections.
266 # Each section make the server listen for only one type of packet,
267 # therefore authentication and accounting have to be configured in
268 # different sections.
270 # The server ignore all "listen" section if you are using '-i' and '-p'
271 # on the command line.
274 # Type of packets to listen for.
275 # Allowed values are:
276 # auth listen for authentication packets
277 # acct listen for accounting packets
278 # proxy IP to use for sending proxied packets
279 # detail Read from the detail file. For examples, see
280 # raddb/sites-available/copy-acct-to-home-server
281 # status listen for Status-Server packets. For examples,
282 # see raddb/sites-available/status
283 # coa listen for CoA-Request and Disconnect-Request
284 # packets. For examples, see the file
285 # raddb/sites-available/coa
289 # Note: "type = proxy" lets you control the source IP used for
290 # proxying packets, with some limitations:
292 # * A proxy listener CANNOT be used in a virtual server section.
293 # * You should probably set "port = 0".
294 # * Any "clients" configuration will be ignored.
296 # See also proxy.conf, and the "src_ipaddr" configuration entry
297 # in the sample "home_server" section. When you specify the
298 # source IP address for packets sent to a home server, the
299 # proxy listeners are automatically created.
301 # IP address on which to listen.
302 # Allowed values are:
303 # dotted quad (1.2.3.4)
304 # hostname (radius.example.com)
308 # OR, you can use an IPv6 address, but not both
310 # ipv6addr = :: # any. ::1 == localhost
312 # Port on which to listen.
313 # Allowed values are:
314 # integer port number (1812)
315 # 0 means "use /etc/services for the proper port"
318 # Some systems support binding to an interface, in addition
319 # to the IP address. This feature isn't strictly necessary,
320 # but for sites with many IP addresses on one interface,
321 # it's useful to say "listen on all addresses for eth0".
323 # If your system does not support this feature, you will
324 # get an error if you try to use it.
328 # Per-socket lists of clients. This is a very useful feature.
330 # The name here is a reference to a section elsewhere in
331 # radiusd.conf, or clients.conf. Having the name as
332 # a reference allows multiple sockets to use the same
335 # If this configuration is used, then the global list of clients
336 # is IGNORED for this "listen" section. Take care configuring
337 # this feature, to ensure you don't accidentally disable a
340 # See clients.conf for the configuration of "per_socket_clients".
342 # clients = per_socket_clients
345 # This second "listen" section is for listening on the accounting
354 # clients = per_socket_clients
357 # hostname_lookups: Log the names of clients or just their IP addresses
358 # e.g., www.freeradius.org (on) or 206.47.27.232 (off).
360 # The default is 'off' because it would be overall better for the net
361 # if people had to knowingly turn this feature on, since enabling it
362 # means that each client request will result in AT LEAST one lookup
363 # request to the nameserver. Enabling hostname_lookups will also
364 # mean that your server may stop randomly for 30 seconds from time
365 # to time, if the DNS requests take too long.
367 # Turning hostname lookups off also means that the server won't block
368 # for 30 seconds, if it sees an IP address which has no name associated
371 # allowed values: {no, yes}
373 hostname_lookups = no
375 # Core dumps are a bad thing. This should only be set to 'yes'
376 # if you're debugging a problem with the server.
378 # allowed values: {no, yes}
380 allow_core_dumps = no
382 # Regular expressions
384 # These items are set at configure time. If they're set to "yes",
385 # then setting them to "no" turns off regular expression support.
387 # If they're set to "no" at configure time, then setting them to "yes"
388 # WILL NOT WORK. It will give you an error.
390 regular_expressions = @REGEX@
391 extended_expressions = @REGEX_EXTENDED@
394 # Logging section. The various "log_*" configuration items
395 # will eventually be moved here.
399 # Destination for log messages. This can be one of:
401 # files - log to "file", as defined below.
402 # syslog - to syslog (see also the "syslog_facility", below.
403 # stdout - standard output
404 # stderr - standard error.
406 # The command-line option "-X" over-rides this option, and forces
407 # logging to go to stdout.
412 # The logging messages for the server are appended to the
413 # tail of this file if destination == "files"
415 # If the server is running in debugging mode, this file is
418 file = ${logdir}/radius.log
421 # If this configuration parameter is set, then log messages for
422 # a *request* go to this file, rather than to radius.log.
424 # i.e. This is a log file per request, once the server has accepted
425 # the request as being from a valid client. Messages that are
426 # not associated with a request still go to radius.log.
428 # Not all log messages in the server core have been updated to use
429 # this new internal API. As a result, some messages will still
430 # go to radius.log. Please submit patches to fix this behavior.
432 # The file name is expanded dynamically. You should ONLY user
433 # server-side attributes for the filename (e.g. things you control).
434 # Using this feature MAY also slow down the server substantially,
435 # especially if you do thinks like SQL calls as part of the
436 # expansion of the filename.
438 # The name of the log file should use attributes that don't change
439 # over the lifetime of a request, such as User-Name,
440 # Virtual-Server or Packet-Src-IP-Address. Otherwise, the log
441 # messages will be distributed over multiple files.
443 # Logging can be enabled for an individual request by a special
444 # dynamic expansion macro: %{debug: 1}, where the debug level
445 # for this request is set to '1' (or 2, 3, etc.). e.g.
449 # Tmp-String-0 = "%{debug:1}"
453 # The attribute that the value is assigned to is unimportant,
454 # and should be a "throw-away" attribute with no side effects.
456 #requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
459 # Which syslog facility to use, if ${destination} == "syslog"
461 # The exact values permitted here are OS-dependent. You probably
462 # don't want to change this.
464 syslog_facility = daemon
466 # Log the full User-Name attribute, as it was found in the request.
468 # allowed values: {no, yes}
472 # Log authentication requests to the log file.
474 # allowed values: {no, yes}
478 # Log passwords with the authentication requests.
479 # auth_badpass - logs password if it's rejected
480 # auth_goodpass - logs password if it's correct
482 # allowed values: {no, yes}
487 # Log additional text at the end of the "Login OK" messages.
488 # for these to work, the "auth" and "auth_goopass" or "auth_badpass"
489 # configurations above have to be set to "yes".
491 # The strings below are dynamically expanded, which means that
492 # you can put anything you want in them. However, note that
493 # this expansion can be slow, and can negatively impact server
500 # The program to execute to do concurrency checks.
501 checkrad = ${sbindir}/checkrad
503 # SECURITY CONFIGURATION
505 # There may be multiple methods of attacking on the server. This
506 # section holds the configuration items which minimize the impact
511 # max_attributes: The maximum number of attributes
512 # permitted in a RADIUS packet. Packets which have MORE
513 # than this number of attributes in them will be dropped.
515 # If this number is set too low, then no RADIUS packets
518 # If this number is set too high, then an attacker may be
519 # able to send a small number of packets which will cause
520 # the server to use all available memory on the machine.
522 # Setting this number to 0 means "allow any number of attributes"
526 # reject_delay: When sending an Access-Reject, it can be
527 # delayed for a few seconds. This may help slow down a DoS
528 # attack. It also helps to slow down people trying to brute-force
529 # crack a users password.
531 # Setting this number to 0 means "send rejects immediately"
533 # If this number is set higher than 'cleanup_delay', then the
534 # rejects will be sent at 'cleanup_delay' time, when the request
535 # is deleted from the internal cache of requests.
537 # Useful ranges: 1 to 5
541 # status_server: Whether or not the server will respond
542 # to Status-Server requests.
544 # When sent a Status-Server message, the server responds with
545 # an Access-Accept or Accounting-Response packet.
547 # This is mainly useful for administrators who want to "ping"
548 # the server, without adding test users, or creating fake
549 # accounting packets.
551 # It's also useful when a NAS marks a RADIUS server "dead".
552 # The NAS can periodically "ping" the server with a Status-Server
553 # packet. If the server responds, it must be alive, and the
554 # NAS can start using it for real requests.
556 # See also raddb/sites-available/status
561 # allow_vulnerable_openssl: Allow the server to start with
562 # versions of OpenSSL known to have critical vulnerabilities.
564 # This check is based on the version number reported by libssl
565 # and may not reflect patches applied to libssl by
566 # distribution maintainers.
568 allow_vulnerable_openssl = no
571 # PROXY CONFIGURATION
573 # proxy_requests: Turns proxying of RADIUS requests on or off.
575 # The server has proxying turned on by default. If your system is NOT
576 # set up to proxy requests to another server, then you can turn proxying
577 # off here. This will save a small amount of resources on the server.
579 # If you have proxying turned off, and your configuration files say
580 # to proxy a request, then an error message will be logged.
582 # To disable proxying, change the "yes" to "no", and comment the
585 # allowed values: {no, yes}
591 # CLIENTS CONFIGURATION
593 # Client configuration is defined in "clients.conf".
596 # The 'clients.conf' file contains all of the information from the old
597 # 'clients' and 'naslist' configuration files. We recommend that you
598 # do NOT use 'client's or 'naslist', although they are still
601 # Anything listed in 'clients.conf' will take precedence over the
602 # information from the old-style configuration files.
604 $INCLUDE clients.conf
607 # THREAD POOL CONFIGURATION
609 # The thread pool is a long-lived group of threads which
610 # take turns (round-robin) handling any incoming requests.
612 # You probably want to have a few spare threads around,
613 # so that high-load situations can be handled immediately. If you
614 # don't have any spare threads, then the request handling will
615 # be delayed while a new thread is created, and added to the pool.
617 # You probably don't want too many spare threads around,
618 # otherwise they'll be sitting there taking up resources, and
619 # not doing anything productive.
621 # The numbers given below should be adequate for most situations.
624 # Number of servers to start initially --- should be a reasonable
628 # Limit on the total number of servers running.
630 # If this limit is ever reached, clients will be LOCKED OUT, so it
631 # should NOT BE SET TOO LOW. It is intended mainly as a brake to
632 # keep a runaway server from taking the system with it as it spirals
635 # You may find that the server is regularly reaching the
636 # 'max_servers' number of threads, and that increasing
637 # 'max_servers' doesn't seem to make much difference.
639 # If this is the case, then the problem is MOST LIKELY that
640 # your back-end databases are taking too long to respond, and
641 # are preventing the server from responding in a timely manner.
643 # The solution is NOT do keep increasing the 'max_servers'
644 # value, but instead to fix the underlying cause of the
645 # problem: slow database, or 'hostname_lookups=yes'.
647 # For more information, see 'max_request_time', above.
651 # Server-pool size regulation. Rather than making you guess
652 # how many servers you need, FreeRADIUS dynamically adapts to
653 # the load it sees, that is, it tries to maintain enough
654 # servers to handle the current load, plus a few spare
655 # servers to handle transient load spikes.
657 # It does this by periodically checking how many servers are
658 # waiting for a request. If there are fewer than
659 # min_spare_servers, it creates a new spare. If there are
660 # more than max_spare_servers, some of the spares die off.
661 # The default values are probably OK for most sites.
663 min_spare_servers = 3
664 max_spare_servers = 10
666 # When the server receives a packet, it places it onto an
667 # internal queue, where the worker threads (configured above)
668 # pick it up for processing. The maximum size of that queue
671 # When the queue is full, any new packets will be silently
674 # The most common cause of the queue being full is that the
675 # server is dependent on a slow database, and it has received
676 # a large "spike" of traffic. When that happens, there is
677 # very little you can do other than make sure the server
678 # receives less traffic, or make sure that the database can
681 # max_queue_size = 65536
683 # There may be memory leaks or resource allocation problems with
684 # the server. If so, set this value to 300 or so, so that the
685 # resources will be cleaned up periodically.
687 # This should only be necessary if there are serious bugs in the
688 # server which have not yet been fixed.
690 # '0' is a special value meaning 'infinity', or 'the servers never
692 max_requests_per_server = 0
695 # MODULE CONFIGURATION
697 # The names and configuration of each module is located in this section.
699 # After the modules are defined here, they may be referred to by name,
700 # in other sections of this configuration file.
704 # Each module has a configuration as follows:
706 # name [ instance ] {
707 # config_item = value
711 # The 'name' is used to load the 'rlm_name' library
712 # which implements the functionality of the module.
714 # The 'instance' is optional. To have two different instances
715 # of a module, it first must be referred to by 'name'.
716 # The different copies of the module are then created by
717 # inventing two 'instance' names, e.g. 'instance1' and 'instance2'
719 # The instance names can then be used in later configuration
720 # INSTEAD of the original 'name'. See the 'radutmp' configuration
725 # As of 2.0.5, most of the module configurations are in a
726 # sub-directory. Files matching the regex /[a-zA-Z0-9_.]+/
727 # are loaded. The modules are initialized ONLY if they are
728 # referenced in a processing section, such as authorize,
729 # authenticate, accounting, pre/post-proxy, etc.
731 $INCLUDE ${confdir}/modules/
733 # Extensible Authentication Protocol
735 # For all EAP related authentications.
736 # Now in another file, because it is very large.
740 # Include another file that has the SQL-related configuration.
741 # This is another file only because it tends to be big.
746 # This module is an SQL enabled version of the counter module.
748 # Rather than maintaining seperate (GDBM) databases of
749 # accounting info for each counter, this module uses the data
750 # stored in the raddacct table by the sql modules. This
751 # module NEVER does any database INSERTs or UPDATEs. It is
752 # totally dependent on the SQL module to process Accounting
755 # $INCLUDE sql/mysql/counter.conf
758 # IP addresses managed in an SQL table.
760 # $INCLUDE sqlippool.conf
765 # This section orders the loading of the modules. Modules
766 # listed here will get loaded BEFORE the later sections like
767 # authorize, authenticate, etc. get examined.
769 # This section is not strictly needed. When a section like
770 # authorize refers to a module, it's automatically loaded and
771 # initialized. However, some modules may not be listed in any
772 # of the following sections, so they can be listed here.
774 # Also, listing modules here ensures that you have control over
775 # the order in which they are initalized. If one module needs
776 # something defined by another module, you can list them in order
777 # here, and ensure that the configuration will be OK.
781 # Allows the execution of external scripts.
782 # The entire command line (and output) must fit into 253 bytes.
784 # e.g. Framed-Pool = `%{exec:/bin/echo foo}`
788 # The expression module doesn't do authorization,
789 # authentication, or accounting. It only does dynamic
790 # translation, of the form:
792 # Session-Timeout = `%{expr:2 + 3}`
794 # This module needs to be instantiated, but CANNOT be
795 # listed in any other section. See 'doc/rlm_expr' for
798 # rlm_expr is also responsible for registering many
799 # other xlat functions such as md5, sha1 and lc.
801 # We do not recommend removing it's listing here.
805 # We add the counter module here so that it registers
806 # the check-name attribute before any module which sets
812 # subsections here can be thought of as "virtual" modules.
814 # e.g. If you have two redundant SQL servers, and you want to
815 # use them in the authorize and accounting sections, you could
816 # place a "redundant" block in each section, containing the
817 # exact same text. Or, you could uncomment the following
818 # lines, and list "redundant_sql" in the authorize and
819 # accounting sections.
821 #redundant redundant_sql {
827 ######################################################################
829 # Policies that can be applied in multiple places are listed
830 # globally. That way, they can be defined once, and referred
833 ######################################################################
836 ######################################################################
838 # Load virtual servers.
840 # This next $INCLUDE line loads files in the directory that
841 # match the regular expression: /[a-zA-Z0-9_.]+/
843 # It allows you to define new virtual servers simply by placing
844 # a file into the raddb/sites-enabled/ directory.
846 $INCLUDE sites-enabled/
848 ######################################################################
850 # All of the other configuration sections like "authorize {}",
851 # "authenticate {}", "accounting {}", have been moved to the
854 # raddb/sites-available/default
856 # This is the "default" virtual server that has the same
857 # configuration as in version 1.0.x and 1.1.x. The default
858 # installation enables this virtual server. You should
859 # edit it to create policies for your local site.
861 # For more documentation on virtual servers, see:
863 # raddb/sites-available/README
865 ######################################################################