2 ## radiusd.conf -- FreeRADIUS server configuration file.
4 ## http://www.freeradius.org/
8 # The location of other config files and
9 # logfiles are declared in this file
11 # Also general configuration for modules can be done
12 # in this file, it is exported through the API to
13 # modules that ask for it.
# Installation paths. The @name@ tokens are autoconf-style placeholders that
# are filled in when this file is generated; if one survives into the
# installed file, every path derived from it below is presumably wrong.
18 exec_prefix = @exec_prefix@
19 sysconfdir = @sysconfdir@
20 localstatedir = @localstatedir@
25 radacctdir = @radacctdir@
28 # Location of config and logfiles.
# ${name} refers back to a setting defined earlier in this file.
32 run_dir = ${localstatedir}/run
35 # pidfile: Where to place the PID of the RADIUS server.
37 # The server may be signalled while it's running by using this
40 # e.g.: kill -HUP `cat /var/run/radiusd.pid`
# NOTE(review): the signal example above trusts whatever the file contains,
# so ${run_dir} should be writable only by the user the server runs as.
42 pidfile = ${run_dir}/radiusd.pid
45 # user/group: The name (or #number) of the user/group to run httpd as.
46 # On SCO (ODT 3) use "user = nouser" and "group = nogroup".
47 # On HPUX you may not be able to use shared memory as nobody, and the
48 # suggested workaround is to create a user www and use that user.
50 # NOTE that some kernels refuse to setgid(group)
51 # when the value of (unsigned)group is above 60000;
52 # don't use group nobody on these systems!
54 # On systems with shadow passwords, you might have to set 'group = shadow'
55 # for the server to be able to read the shadow password file.
61 # max_request_time: The maximum time (in seconds) to handle a request.
63 # Requests which take more time than this to process are killed, and
64 # a REJECT message is returned.
66 # Useful range of values: 5 to 120
71 # cleanup_delay: The time to wait (in seconds) before cleaning up
72 # a reply which was sent to the NAS.
74 # The RADIUS request is normally cached internally for a short period
75 # of time, after the reply is sent to the NAS. The reply packet may be
76 # lost in the network, and the NAS will not see it. The NAS will then
77 # re-send the request, and the server will respond quickly with the
80 # If this value is set too low, then duplicate requests from the NAS
81 # MAY NOT be detected, and will instead be handled as separate requests.
83 # If this value is set too high, then the server will cache too many
84 # requests, and some new requests may get blocked. (See 'max_requests'.)
86 # Useful range of values: 2 to 10
91 # max_requests: The maximum number of requests which the server keeps
92 # track of. This should be 256 multiplied by the number of clients.
93 # e.g. With 4 clients, this number should be 1024.
95 # If this number is too low, then when the server becomes busy,
96 # it will not respond to any new requests, until the 'cleanup_delay'
97 # time has passed, and it has removed the old requests.
99 # If this number is set too high, then the server will use a bit more
100 # memory for no real benefit.
102 # If you aren't sure what it should be set to, it's better to set it
103 # too high than too low. Setting it to 1000 per client is probably
104 # the highest it should be.
106 # Useful range of values: 256 to infinity
111 # bind_address: Make the server listen on a particular IP address, and
112 # send replies out from that address. This directive is most useful
113 # for machines with multiple IP addresses on one interface.
115 # It can either contain "*", or an IP address, or a fully qualified
116 # Internet domain name. The default is "*"
121 # port: Allows you to bind FreeRADIUS to a specific port.
123 # The default port that most NAS boxes use is 1645, which is historical.
124 # RFC 2138 defines 1812 to be the new port. Many new servers and
125 # NAS boxes use 1812, which can create interoperability problems.
127 # The port is defined here to be 0 so that the server will pick up
128 # the machine's local configuration for the radius port, as defined
131 # If you want to use the default RADIUS port as defined on your server,
132 # (usually through 'grep radius /etc/services') set this to 0 (zero).
134 # A port given on the command-line via '-p' over-rides this one.
139 # Which program to execute when doing concurrency checks.
# ${sbindir} is not defined in the part of the file shown here; presumably it
# is set with the other install paths above -- verify.
# NOTE(review): the server executes this program, so the binary and the
# directory holding it must not be writable by unprivileged users.
141 checkrad = ${sbindir}/checkrad
144 # hostname_lookups: Log the names of clients or just their IP addresses
145 # e.g., www.freeradius.org (on) or 206.47.27.232 (off).
146 # The default is off because it'd be overall better for the net if people
147 # had to knowingly turn this feature on, since enabling it means that
148 # each client request will result in AT LEAST one lookup request to the
151 # Turning hostname lookups off also means that the server won't block
152 # for 30 seconds, if it sees an IP address which has no name associated
155 # allowed values: {no, yes}
157 hostname_lookups = no
160 # Core dumps are a bad thing. This should only be set to 'yes'
161 # if you're debugging a problem with the server.
# A core file holds whatever the process had in memory, which can include
# client shared secrets and credentials from in-flight requests.
163 # allowed values: {no, yes}
165 allow_core_dumps = no
168 # Log the full User-Name attribute, as it was found in the request.
170 # allowed values: {no, yes}
172 log_stripped_names = no
175 # Log authentication requests to the log file.
177 # allowed values: {no, yes}
182 # Log passwords with the authentication requests.
183 # log_auth_badpass - logs password if it's rejected
184 # log_auth_goodpass - logs password if it's correct
# Either option writes user passwords to the log in clear text (a rejected
# password is often a valid one with a typo). Leave both at 'no' outside a
# short debugging session, and restrict read access to the log if enabled.
186 # allowed values: {no, yes}
188 log_auth_badpass = no
189 log_auth_goodpass = no
192 # usercollide: Turn user collision code on and off.
193 # See README.usercollide
197 # lower_user / lower_pass:
198 # Lowercase the username/password "before" or "after"
199 # attempting to authenticate.
201 # If "before", the server will first modify the request
202 # and then try to auth the user. If "after", the server
203 # will first auth using the values provided by the
204 # user. If that fails it will reprocess the request
205 # after modifying it as you specify below.
207 # This is as close as we can get to case insensitivity. It is
208 # the admin's job to ensure that the username on the auth
209 # db side is *also* lowercase to make this work
211 # Default is 'no' (don't lowercase values)
212 # Valid values = "before" / "after" / "no"
217 # nospace_user / nospace_pass:
218 # Some users like to enter spaces in their username or
219 # password incorrectly. To save yourself the tech support
220 # call, you can eliminate those spaces here:
222 # Default is 'no' (don't remove spaces)
223 # Valid values = "before" / "after" / "no" (explanation above)
228 #######################################################################
230 # Include optional/module specific configurations.
233 # PROXY CONFIGURATION
235 # proxy_requests: Turns proxying of RADIUS requests on or off.
237 # The server has proxying turned on by default. If your system is NOT
238 # set up to proxy requests to another server, then you can turn proxying
239 # off here. This will save a small amount of resources on the server.
241 # If you have proxying turned off, and your configuration files say
242 # to proxy a request, then an error message will be logged.
244 # allowed values: {no, yes}
246 # To disable proxying, change the "yes" to "no", and comment the
# ${confdir} is not defined in the lines shown here; presumably it is set
# with the other paths near the top of the file -- verify.
249 $INCLUDE ${confdir}/proxy.conf
251 # CLIENTS CONFIGURATION
253 # Client configuration is defined in "clients.conf". If you don't
254 # use the "clients.conf", you can comment the following. The use of
255 # "clients.conf" is recommended over the old "clients", though both
# NOTE(review): the included clients file presumably carries the shared
# secret for each NAS; give it the same restrictive permissions as this file.
258 $INCLUDE ${confdir}/clients.conf
262 # Snmp configuration is only valid if you enabled SNMP support when
263 # you compiled radius. To enable SNMP configuration, uncomment the
# NOTE(review): the comment above describes this include as commented out
# by default, but the line below is active -- confirm this is intended.
265 $INCLUDE ${confdir}/snmp.conf
268 #######################################################################
270 # Thread pool configuration.
272 # The thread pool is a long-lived group of threads which
273 # take turns (round-robin) handling any incoming requests.
276 # You probably want to have a few spare threads around,
277 # so that high-load situations can be handled immediately. If you
278 # don't have any spare threads, then the request handling will
279 # be delayed while a new thread is created, and added to the pool.
281 # You probably don't want too many spare threads around,
282 # otherwise they'll be sitting there taking up resources, and
283 # not doing anything productive.
285 # The numbers given below should be adequate for most situations.
290 # Number of servers to start initially --- should be a reasonable ballpark
296 # Limit on the total number of servers running.
298 # If this limit is ever reached, clients will be LOCKED OUT, so it
299 # should NOT BE SET TOO LOW. It is intended mainly as a brake to
300 # keep a runaway server from taking the system with it as it spirals
306 # Server-pool size regulation. Rather than making you guess how many
307 # servers you need, FreeRADIUS dynamically adapts to the load it
308 # sees --- that is, it tries to maintain enough servers to
309 # handle the current load, plus a few spare servers to handle transient
312 # It does this by periodically checking how many servers are waiting
313 # for a request. If there are fewer than min_spare_servers, it creates
314 # a new spare. If there are more than max_spare_servers, some of the
315 # spares die off. The default values are probably OK for most sites.
# Bounds on the number of idle threads kept around by the pool regulation
# described above: below min_spare_servers a new thread is started, above
# max_spare_servers idle ones exit.
317 min_spare_servers = 3
318 max_spare_servers = 10
321 # There may be memory leaks or resource allocation problems with
322 # the server. If so, set this value to 300 or so, so that the
323 # resources will be cleaned up periodically.
325 # This should only be necessary if there are serious bugs in the
326 # server which have not yet been fixed.
328 # '0' is a special value meaning 'infinity', or 'the servers never exit'
# Number of requests a thread handles before it exits; 0 = never recycle.
330 max_requests_per_server = 0
336 # The name to use for PAM authentication.
337 # PAM looks in /etc/pam.d/${pam_auth_name}
338 # for its configuration.
340 # Note that any Pam-Auth attribute set in the 'users'
341 # file over-rides this one.
347 # Cache /etc/passwd, /etc/shadow, and /etc/group
349 # The default is to NOT cache them. However, caching them can
350 # speed up system authentications by a substantial amount.
352 # allowed values: {no, yes}
356 # Define the locations of the normal passwd, shadow, and
359 # 'shadow' is commented out by default, because not all
360 # systems have shadow passwords.
363 # shadow = /etc/shadow
368 # Where the 'wtmp' file is located.
369 # This will be moved to its own module soon..
# ${logdir} is not defined in the lines shown here; presumably it is set
# with the other paths near the top of the file -- verify.
371 radwtmp = ${logdir}/radwtmp
374 # Uncomment this if you want to use ldap (Auth-Type = LDAP)
375 # Also uncomment it in the authenticate{} block below
378 # login = "cn=admin,o=My Org,c=US"
380 # basedn = "o=My Org,c=US"
381 # filter = "(uid=%u)"
385 # You can have multiple instances of the realm module to
386 # support multiple realm syntaxes at the same time. The
387 # search order is defined by the order in the authorize and
388 # preacct blocks after the module config block.
390 # Two config options:
391 # format - must be 'prefix' or 'suffix'
392 # delimiter - must be a single character
404 # Using this entry, IPASS users have their realm set to "IPASS".
# Files read during the 'preprocess' step (see the authorize description
# near the end of this file).
421 huntgroups = ${confdir}/huntgroups
422 hints = ${confdir}/hints
425 # This hack changes Ascend's weird port numberings
426 # to standard 0-??? port numbers so that the "+" works
427 # for IP address assignments.
429 with_ascend_hack = no
# Only used when with_ascend_hack is 'yes'; 23 presumably matches a T1 PRI.
430 ascend_channels_per_line = 23
433 # Windows NT machines often authenticate themselves as
436 # If this is set to 'yes', then the NT_DOMAIN portion
437 # of the user-name is silently discarded.
# NOTE(review): once the domain prefix is dropped, the same bare name from
# two different domains looks like a single user to every later module.
439 with_ntdomain_hack = no
442 # Specialix Jetstream 8500 24 port access server.
444 # If the user name is 10 characters or longer, a "/"
445 # and the excess characters after the 10th are
446 # appended to the user name.
448 # If you're not running that NAS, you don't need
451 with_specialix_jetstream_hack = no
# Authorization and accounting lookup files for the files module.
454 usersfile = ${confdir}/users
455 acctusersfile = ${confdir}/acct_users
458 # If you want to use the old Cistron 'users' file
459 # with FreeRADIUS, you should change the next line
460 # to 'compat = cistron'. You can then copy your 'users'
466 # See README.rlm_fastusers before using this
467 # module or changing these values.
# Separate users file for the hashed (fast) lookup module.
469 usersfile = ${confdir}/users_fast
472 # Reload the hash every 600 seconds (10mins)
# %n is expanded by the server per packet (presumably to a per-NAS
# subdirectory -- confirm against the detail module docs). Detail files
# record accounting attributes in the clear, so keep ${radacctdir}
# readable only by the server user and operators.
477 detailfile = ${radacctdir}/%n/detail
481 # This module will add a (probably) unique session id
482 # to an accounting packet based on the attributes listed
483 # below found in the packet. see doc/README.rlm_acct_unique
# One quoted, comma-separated string listing the attributes to combine.
485 key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Port-Id"
490 # Configuration for the SQL module.
# NOTE(review): "rootpass" is a sample credential stored in clear text, and
# its name suggests the database superuser. Replace it with a dedicated,
# least-privileged database account before deployment, and keep this file
# unreadable to anyone but the user the server runs as. The same applies to
# the "sql2" instance further down.
497 password = "rootpass"
499 # Database table configuration
501 acct_table = "radacct"
503 authcheck_table = "radcheck"
504 authreply_table = "radreply"
506 groupcheck_table = "radgroupcheck"
507 groupreply_table = "radgroupreply"
509 usergroup_table = "usergroup"
511 realms_table = "realms"
512 realmgroup_table = "realmgroup"
514 # Check case on usernames
# 'no' presumably means usernames are matched case-insensitively against
# the database, so "Alice" and "alice" resolve to the same row.
515 sensitiveusername = no
517 # Remove stale session if checkrad does not see a double login
518 deletestalesessions = yes
520 # Print all SQL statements when in debug mode (-x)
# NOTE(review): the trace may include attribute values substituted into the
# queries; keep it under the same access restrictions as the main log.
522 sqltracefile = ${logdir}/sqltrace.sql
524 # number of sql connections to make to server
529 # A second instance of the same module, with the name "sql2" to identify it
# The host name below looks misspelled ("myothersever"); it is only a
# placeholder for the second database host and must be replaced anyway.
534 server = "myothersever"
# NOTE(review): clear-text sample credential; see the note on the first
# instance above.
536 password = "rootpass"
538 # Database table configuration
540 acct_table = "radacct"
542 authcheck_table = "radcheck"
543 authreply_table = "radreply"
545 groupcheck_table = "radgroupcheck"
546 groupreply_table = "radgroupreply"
548 usergroup_table = "usergroup"
550 realms_table = "realms"
551 realmgroup_table = "realmgroup"
553 # Check case on usernames
554 sensitiveusername = no
556 # Remove stale session if checkrad does not see a double login
557 deletestalesessions = yes
559 # Print all SQL statements when in debug mode (-x)
564 # The "always" module is here for debugging purposes. Each instance simply
565 # returns the same result, always, without doing anything.
579 #######################################################################
581 # Configuration for the example module. Uncommenting it will cause it
582 # to get loaded and initialized, but should have no real effect as long
583 # as it is not referenced in one of the autz/auth/preacct/acct sections
589 # allowed values: {no, yes}
594 # An integer, of any value.
601 string = "This is an example configuration string"
604 # An IP address, either in dotted quad (1.2.3.4) or hostname
613 anotherinteger = 1000
# The second 'string' below presumably belongs to a second instance of the
# example module whose header is not shown here, rather than being a
# duplicate key in the same block -- verify.
618 string = "This is a different string"
624 # Authentication types, Auth-Type = System and PAM for now.
628 # By grouping modules together in an authtype block, that authtype will be
629 # tried on each module in sequence until one returns REJECT or OK. This
630 # allows authentication failover if the first SQL server has crashed, for
636 # Uncomment this if you want to use ldap (Auth-Type = LDAP)
640 # Authorization. First preprocess (hints and huntgroups files),
641 # then realms, and finally look in the "users" file.
642 # The order of the realm modules will determine the order that
643 # we try to find a matching realm.
644 # Make *sure* that 'preprocess' comes before any realm if you
645 # need to setup hints for the remote radius server
652 # Pre-accounting. Look for proxy realm in order of realms, then
653 # acct_users file, then preprocess (hints file).
660 # Accounting. Log to detail file, and to the radwtmp file.
667 # Session database, used for checking Simultaneous-Use. The radutmp module