3 ## radiusd.conf -- FreeRADIUS server configuration file - @RADIUSD_VERSION_STRING@
5 ## http://www.freeradius.org/
9 ######################################################################
11 # Read "man radiusd" before editing this file. See the section
12 # titled DEBUGGING. It outlines a method where you can quickly
13 # obtain the configuration you want, without running into
16 # Run the server in debugging mode, and READ the output.
20 # We cannot emphasize this point strongly enough. The vast
21 # majority of problems can be solved by carefully reading the
22 # debugging output, which includes warnings about common issues,
23 # and suggestions for how they may be fixed.
25 # There may be a lot of output, but look carefully for words like:
26 # "warning", "error", "reject", or "failure". The messages there
27 # will usually be enough to guide you to a solution.
29 # If you are going to ask a question on the mailing list, then
30 # explain what you are trying to do, and include the output from
31 # debugging mode (radiusd -X). Failure to do so means that all
32 # of the responses to your question will be people telling you
33 # to "post the output of radiusd -X".
35 ######################################################################
37 # The location of other config files and logfiles are declared
40 # Also general configuration for modules can be done in this
41 # file, it is exported through the API to modules that ask for
44 # See "man radiusd.conf" for documentation on the format of this
45 # file. Note that the individual configuration items are NOT
46 # documented in that "man" page. They are only documented here,
49 # The "unlang" policy language can be used to create complex
50 # if / else policies. See "man unlang" for details.
54 exec_prefix = @exec_prefix@
55 sysconfdir = @sysconfdir@
56 localstatedir = @localstatedir@
60 radacctdir = @radacctdir@
63 # name of the running server. See also the "-n" command-line option.
66 # Location of config and logfiles.
68 modconfdir = ${confdir}/mods-config
69 certdir = ${confdir}/certs
70 cadir = ${confdir}/certs
71 run_dir = ${localstatedir}/run/${name}
73 # Should likely be ${localstatedir}/lib/radiusd
77 # libdir: Where to find the rlm_* modules.
79 # This should be automatically set at configuration time.
81 # If the server builds and installs, but fails at execution time
82 # with an 'undefined symbol' error, then you can use the libdir
83 # directive to work around the problem.
85 # The cause is usually that a library has been installed on your
86 # system in a place where the dynamic linker CANNOT find it. When
87 # executing as root (or another user), your personal environment MAY
88 # be set up to allow the dynamic linker to find the library. When
89 # executing as a daemon, FreeRADIUS MAY NOT have the same
90 # personalized configuration.
92 # To work around the problem, find out which library contains that symbol,
93 # and add the directory containing that library to the end of 'libdir',
94 # with a colon separating the directory names. NO spaces are allowed.
96 # e.g. libdir = /usr/local/lib:/opt/package/lib
98 # You can also try setting the LD_LIBRARY_PATH environment variable
99 # in a script which starts the server.
101 # If that does not work, then you can re-configure and re-build the
102 # server to NOT use shared libraries, via:
104 # ./configure --disable-shared
110 # pidfile: Where to place the PID of the RADIUS server.
112 # The server may be signalled while it's running by using this
115 # This file is written when ONLY running in daemon mode.
117 # e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
119 pidfile = ${run_dir}/${name}.pid
122 # correct_escapes: use correct backslash escaping
124 # Prior to version 3.0.5, the handling of backslashes was a little
125 # awkward, i.e. "wrong". In some cases, to get one backslash into
126 # a regex, you had to put 4 in the config files.
128 # Version 3.0.5 fixes that. However, for backwards compatibility,
129 # the new method of escaping is DISABLED BY DEFAULT. This means
130 # that upgrading to 3.0.5 won't break your configuration.
132 # If you don't have double backslashes (i.e. \\) in your configuration,
133 # this won't matter to you. If you do have them, fix that to use only
134 # one backslash, and then set "correct_escapes = true".
136 # You can check for this by doing:
138 # $ grep '\\\\' $(find raddb -type f -print)
140 correct_escapes = true
142 # panic_action: Command to execute if the server dies unexpectedly.
144 # FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.
145 # AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.
146 # AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART.
148 # THE SERVER MUST NOT BE ALLOWED EXECUTE UNTRUSTED PANIC ACTION CODE
149 # PATTACH CAN BE USED AS AN ATTACK VECTOR.
151 # The panic action is a command which will be executed if the server
152 # receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS,
155 # This can be used to start an interactive debugging session so
156 # that information regarding the current state of the server can
159 # The following string substitutions are available:
160 # - %e The currently executing program e.g. /sbin/radiusd
161 # - %p The PID of the currently executing program e.g. 12345
163 # Standard ${} substitutions are also allowed.
165 # An example panic action for opening an interactive session in GDB would be:
167 #panic_action = "gdb %e %p"
169 # Again, don't use that on a production system.
171 # An example panic action for opening an automated session in GDB would be:
173 #panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log"
175 # That command can be used on a production system.
178 # max_request_time: The maximum time (in seconds) to handle a request.
180 # Requests which take more time than this to process may be killed, and
181 # a REJECT message is returned.
183 # WARNING: If you notice that requests take a long time to be handled,
184 # then this MAY INDICATE a bug in the server, in one of the modules
185 # used to handle a request, OR in your local configuration.
187 # This problem is most often seen when using an SQL database. If it takes
188 # more than a second or two to receive an answer from the SQL database,
189 # then it probably means that you haven't indexed the database. See your
190 # SQL server documentation for more information.
192 # Useful range of values: 5 to 120
194 max_request_time = 30
196 # cleanup_delay: The time to wait (in seconds) before cleaning up
197 # a reply which was sent to the NAS.
199 # The RADIUS request is normally cached internally for a short period
200 # of time, after the reply is sent to the NAS. The reply packet may be
201 # lost in the network, and the NAS will not see it. The NAS will then
202 # re-send the request, and the server will respond quickly with the
205 # If this value is set too low, then duplicate requests from the NAS
206 # MAY NOT be detected, and will instead be handled as separate requests.
208 # If this value is set too high, then the server will cache too many
209 # requests, and some new requests may get blocked. (See 'max_requests'.)
211 # Useful range of values: 2 to 10
215 # max_requests: The maximum number of requests which the server keeps
216 # track of. This should be 256 multiplied by the number of clients.
217 # e.g. With 4 clients, this number should be 1024.
219 # If this number is too low, then when the server becomes busy,
220 # it will not respond to any new requests, until the 'cleanup_delay'
221 # time has passed, and it has removed the old requests.
223 # If this number is set too high, then the server will use a bit more
224 # memory for no real benefit.
226 # If you aren't sure what it should be set to, it's better to set it
227 # too high than too low. Setting it to 1000 per client is probably
228 # the highest it should be.
230 # Useful range of values: 256 to infinity
234 # hostname_lookups: Log the names of clients or just their IP addresses
235 # e.g., www.freeradius.org (on) or 206.47.27.232 (off).
237 # The default is 'off' because it would be overall better for the net
238 # if people had to knowingly turn this feature on, since enabling it
239 # means that each client request will result in AT LEAST one lookup
240 # request to the nameserver. Enabling hostname_lookups will also
241 # mean that your server may stop randomly for 30 seconds from time
242 # to time, if the DNS requests take too long.
244 # Turning hostname lookups off also means that the server won't block
245 # for 30 seconds, if it sees an IP address which has no name associated
248 # allowed values: {no, yes}
250 hostname_lookups = no
253 # Logging section. The various "log_*" configuration items
254 # will eventually be moved here.
258 # Destination for log messages. This can be one of:
260 # files - log to "file", as defined below.
261 # syslog - to syslog (see also the "syslog_facility", below.
262 # stdout - standard output
263 # stderr - standard error.
265 # The command-line option "-X" over-rides this option, and forces
266 # logging to go to stdout.
271 # Highlight important messages sent to stderr and stdout.
273 # Option will be ignored (disabled) if output if TERM is not
274 # an xterm or output is not to a TTY.
279 # The logging messages for the server are appended to the
280 # tail of this file if destination == "files"
282 # If the server is running in debugging mode, this file is
285 file = ${logdir}/radius.log
288 # Which syslog facility to use, if ${destination} == "syslog"
290 # The exact values permitted here are OS-dependent. You probably
291 # don't want to change this.
293 syslog_facility = daemon
295 # Log the full User-Name attribute, as it was found in the request.
297 # allowed values: {no, yes}
301 # Log authentication requests to the log file.
303 # allowed values: {no, yes}
307 # Log passwords with the authentication requests.
308 # auth_badpass - logs password if it's rejected
309 # auth_goodpass - logs password if it's correct
311 # allowed values: {no, yes}
316 # Log additional text at the end of the "Login OK" messages.
317 # for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
318 # configurations above have to be set to "yes".
320 # The strings below are dynamically expanded, which means that
321 # you can put anything you want in them. However, note that
322 # this expansion can be slow, and can negatively impact server
328 # The message when the user exceeds the Simultaneous-Use limit.
330 msg_denied = "You are already logged in - access denied"
333 # The program to execute to do concurrency checks.
334 checkrad = ${sbindir}/checkrad
336 # SECURITY CONFIGURATION
338 # There may be multiple methods of attacking on the server. This
339 # section holds the configuration items which minimize the impact
343 # chroot: directory where the server does "chroot".
345 # The chroot is done very early in the process of starting
346 # the server. After the chroot has been performed it
347 # switches to the "user" listed below (which MUST be
348 # specified). If "group" is specified, it switches to that
349 # group, too. Any other groups listed for the specified
350 # "user" in "/etc/group" are also added as part of this
353 # The current working directory (chdir / cd) is left
354 # *outside* of the chroot until all of the modules have been
355 # initialized. This allows the "raddb" directory to be left
356 # outside of the chroot. Once the modules have been
357 # initialized, it does a "chdir" to ${logdir}. This means
358 # that it should be impossible to break out of the chroot.
360 # If you are worried about security issues related to this
361 # use of chdir, then simply ensure that the "raddb" directory
362 # is inside of the chroot, end be sure to do "cd raddb"
363 # BEFORE starting the server.
365 # If the server is statically linked, then the only files
366 # that have to exist in the chroot are ${run_dir} and
367 # ${logdir}. If you do the "cd raddb" as discussed above,
368 # then the "raddb" directory has to be inside of the chroot
371 # chroot = /path/to/chroot/directory
373 # user/group: The name (or #number) of the user/group to run radiusd as.
375 # If these are commented out, the server will run as the
376 # user/group that started it. In order to change to a
377 # different user/group, you MUST be root ( or have root
378 # privileges ) to start the server.
380 # We STRONGLY recommend that you run the server with as few
381 # permissions as possible. That is, if you're not using
382 # shadow passwords, the user and group items below should be
385 # NOTE that some kernels refuse to setgid(group) when the
386 # value of (unsigned)group is above 60000; don't use group
387 # "nobody" on these systems!
389 # On systems with shadow passwords, you might have to set
390 # 'group = shadow' for the server to be able to read the
391 # shadow password file. If you can authenticate users while
392 # in debug mode, but not in daemon mode, it may be that the
393 # debugging mode server is running as a user that can read
394 # the shadow info, and the user listed below can not.
396 # The server will also try to use "initgroups" to read
397 # /etc/groups. It will join all groups where "user" is a
398 # member. This can allow for some finer-grained access
404 # Core dumps are a bad thing. This should only be set to
405 # 'yes' if you're debugging a problem with the server.
407 # allowed values: {no, yes}
409 allow_core_dumps = no
412 # max_attributes: The maximum number of attributes
413 # permitted in a RADIUS packet. Packets which have MORE
414 # than this number of attributes in them will be dropped.
416 # If this number is set too low, then no RADIUS packets
419 # If this number is set too high, then an attacker may be
420 # able to send a small number of packets which will cause
421 # the server to use all available memory on the machine.
423 # Setting this number to 0 means "allow any number of attributes"
427 # reject_delay: When sending an Access-Reject, it can be
428 # delayed for a few seconds. This may help slow down a DoS
429 # attack. It also helps to slow down people trying to brute-force
430 # crack a users password.
432 # Setting this number to 0 means "send rejects immediately"
434 # If this number is set higher than 'cleanup_delay', then the
435 # rejects will be sent at 'cleanup_delay' time, when the request
436 # is deleted from the internal cache of requests.
438 # As of Version 3.0.5, "reject_delay" has sub-second resolution.
439 # e.g. "reject_delay = 1.4" seconds is possible.
441 # Useful ranges: 1 to 5
445 # status_server: Whether or not the server will respond
446 # to Status-Server requests.
448 # When sent a Status-Server message, the server responds with
449 # an Access-Accept or Accounting-Response packet.
451 # This is mainly useful for administrators who want to "ping"
452 # the server, without adding test users, or creating fake
453 # accounting packets.
455 # It's also useful when a NAS marks a RADIUS server "dead".
456 # The NAS can periodically "ping" the server with a Status-Server
457 # packet. If the server responds, it must be alive, and the
458 # NAS can start using it for real requests.
460 # See also raddb/sites-available/status
464 @openssl_version_check_config@
467 # PROXY CONFIGURATION
469 # proxy_requests: Turns proxying of RADIUS requests on or off.
471 # The server has proxying turned on by default. If your system is NOT
472 # set up to proxy requests to another server, then you can turn proxying
473 # off here. This will save a small amount of resources on the server.
475 # If you have proxying turned off, and your configuration files say
476 # to proxy a request, then an error message will be logged.
478 # To disable proxying, change the "yes" to "no", and comment the
481 # allowed values: {no, yes}
487 # CLIENTS CONFIGURATION
489 # Client configuration is defined in "clients.conf".
492 # The 'clients.conf' file contains all of the information from the old
493 # 'clients' and 'naslist' configuration files. We recommend that you
494 # do NOT use 'client's or 'naslist', although they are still
497 # Anything listed in 'clients.conf' will take precedence over the
498 # information from the old-style configuration files.
500 $INCLUDE clients.conf
503 # THREAD POOL CONFIGURATION
505 # The thread pool is a long-lived group of threads which
506 # take turns (round-robin) handling any incoming requests.
508 # You probably want to have a few spare threads around,
509 # so that high-load situations can be handled immediately. If you
510 # don't have any spare threads, then the request handling will
511 # be delayed while a new thread is created, and added to the pool.
513 # You probably don't want too many spare threads around,
514 # otherwise they'll be sitting there taking up resources, and
515 # not doing anything productive.
517 # The numbers given below should be adequate for most situations.
520 # Number of servers to start initially --- should be a reasonable
524 # Limit on the total number of servers running.
526 # If this limit is ever reached, clients will be LOCKED OUT, so it
527 # should NOT BE SET TOO LOW. It is intended mainly as a brake to
528 # keep a runaway server from taking the system with it as it spirals
531 # You may find that the server is regularly reaching the
532 # 'max_servers' number of threads, and that increasing
533 # 'max_servers' doesn't seem to make much difference.
535 # If this is the case, then the problem is MOST LIKELY that
536 # your back-end databases are taking too long to respond, and
537 # are preventing the server from responding in a timely manner.
539 # The solution is NOT do keep increasing the 'max_servers'
540 # value, but instead to fix the underlying cause of the
541 # problem: slow database, or 'hostname_lookups=yes'.
543 # For more information, see 'max_request_time', above.
547 # Server-pool size regulation. Rather than making you guess
548 # how many servers you need, FreeRADIUS dynamically adapts to
549 # the load it sees, that is, it tries to maintain enough
550 # servers to handle the current load, plus a few spare
551 # servers to handle transient load spikes.
553 # It does this by periodically checking how many servers are
554 # waiting for a request. If there are fewer than
555 # min_spare_servers, it creates a new spare. If there are
556 # more than max_spare_servers, some of the spares die off.
557 # The default values are probably OK for most sites.
559 min_spare_servers = 3
560 max_spare_servers = 10
562 # When the server receives a packet, it places it onto an
563 # internal queue, where the worker threads (configured above)
564 # pick it up for processing. The maximum size of that queue
567 # When the queue is full, any new packets will be silently
570 # The most common cause of the queue being full is that the
571 # server is dependent on a slow database, and it has received
572 # a large "spike" of traffic. When that happens, there is
573 # very little you can do other than make sure the server
574 # receives less traffic, or make sure that the database can
577 # max_queue_size = 65536
579 # There may be memory leaks or resource allocation problems with
580 # the server. If so, set this value to 300 or so, so that the
581 # resources will be cleaned up periodically.
583 # This should only be necessary if there are serious bugs in the
584 # server which have not yet been fixed.
586 # '0' is a special value meaning 'infinity', or 'the servers never
588 max_requests_per_server = 0
590 # Automatically limit the number of accounting requests.
591 # This configuration item tracks how many requests per second
592 # the server can handle. It does this by tracking the
593 # packets/s received by the server for processing, and
594 # comparing that to the packets/s handled by the child
598 # If the received PPS is larger than the processed PPS, *and*
599 # the queue is more than half full, then new accounting
600 # requests are probabilistically discarded. This lowers the
601 # number of packets that the server needs to process. Over
602 # time, the server will "catch up" with the traffic.
604 # Throwing away accounting packets is usually safe and low
605 # impact. The NAS will retransmit them in a few seconds, or
606 # even a few minutes. Vendors should read RFC 5080 Section 2.2.1
607 # to see how accounting packets should be retransmitted. Using
608 # any other method is likely to cause network meltdowns.
613 ######################################################################
615 # SNMP notifications. Uncomment the following line to enable
616 # snmptraps. Note that you MUST also configure the full path
617 # to the "snmptrap" command in the "trigger.conf" file.
619 #$INCLUDE trigger.conf
621 # MODULE CONFIGURATION
623 # The names and configuration of each module is located in this section.
625 # After the modules are defined here, they may be referred to by name,
626 # in other sections of this configuration file.
630 # Each module has a configuration as follows:
632 # name [ instance ] {
633 # config_item = value
637 # The 'name' is used to load the 'rlm_name' library
638 # which implements the functionality of the module.
640 # The 'instance' is optional. To have two different instances
641 # of a module, it first must be referred to by 'name'.
642 # The different copies of the module are then created by
643 # inventing two 'instance' names, e.g. 'instance1' and 'instance2'
645 # The instance names can then be used in later configuration
646 # INSTEAD of the original 'name'. See the 'radutmp' configuration
651 # As of 3.0, modules are in mods-enabled/. Files matching
652 # the regex /[a-zA-Z0-9_.]+/ are loaded. The modules are
653 # initialized ONLY if they are referenced in a processing
654 # section, such as authorize, authenticate, accounting,
655 # pre/post-proxy, etc.
657 $INCLUDE mods-enabled/
662 # This section orders the loading of the modules. Modules
663 # listed here will get loaded BEFORE the later sections like
664 # authorize, authenticate, etc. get examined.
666 # This section is not strictly needed. When a section like
667 # authorize refers to a module, it's automatically loaded and
668 # initialized. However, some modules may not be listed in any
669 # of the following sections, so they can be listed here.
671 # Also, listing modules here ensures that you have control over
672 # the order in which they are initialized. If one module needs
673 # something defined by another module, you can list them in order
674 # here, and ensure that the configuration will be OK.
676 # After the modules listed here have been loaded, all of the modules
677 # in the "mods-enabled" directory will be loaded. Loading the
678 # "mods-enabled" directory means that unlike Version 2, you usually
679 # don't need to list modules here.
683 # We list the counter module here so that it registers
684 # the check_name attribute before any module which sets
688 # subsections here can be thought of as "virtual" modules.
690 # e.g. If you have two redundant SQL servers, and you want to
691 # use them in the authorize and accounting sections, you could
692 # place a "redundant" block in each section, containing the
693 # exact same text. Or, you could uncomment the following
694 # lines, and list "redundant_sql" in the authorize and
695 # accounting sections.
697 # The "virtual" module defined here can also be used with
698 # dynamic expansions, under a few conditions:
700 # * The section is "redundant", or "load-balance", or
701 # "redundant-load-balance"
702 # * The section contains modules ONLY, and no sub-sections
703 # * all modules in the section are using the same rlm_
704 # driver, e.g. They are all sql, or all ldap, etc.
706 # When those conditions are satisfied, the server will
707 # automatically register a dynamic expansion, using the
708 # name of the "virtual" module. In the example below,
709 # it will be "redundant_sql". You can then use this expansion
710 # just like any other:
713 # Filter-Id := "%{redundant_sql: ... }"
716 # In this example, the expansion is done via module "sql1",
717 # and if that expansion fails, using module "sql2".
719 # For best results, configure the "pool" subsection of the
720 # module so that "retry_delay" is non-zero. That will allow
721 # the redundant block to quickly ignore all "down" SQL
722 # databases. If instead we have "retry_delay = 0", then
723 # every time the redundant block is used, the server will try
724 # to open a connection to every "down" database, causing
727 #redundant redundant_sql {
733 ######################################################################
735 # Policies are virtual modules, similar to those defined in the
736 # "instantiate" section above.
738 # Defining a policy in one of the policy.d files means that it can be
739 # referenced in multiple places as a *name*, rather than as a series of
740 # conditions to match, and actions to take.
742 # Policies are something like subroutines in a normal language, but
743 # they cannot be called recursively. They MUST be defined in order.
744 # If policy A calls policy B, then B MUST be defined before A.
746 ######################################################################
751 ######################################################################
753 # Load virtual servers.
755 # This next $INCLUDE line loads files in the directory that
756 # match the regular expression: /[a-zA-Z0-9_.]+/
758 # It allows you to define new virtual servers simply by placing
759 # a file into the raddb/sites-enabled/ directory.
761 $INCLUDE sites-enabled/
763 ######################################################################
765 # All of the other configuration sections like "authorize {}",
766 # "authenticate {}", "accounting {}", have been moved to the
769 # raddb/sites-available/default
771 # This is the "default" virtual server that has the same
772 # configuration as in version 1.0.x and 1.1.x. The default
773 # installation enables this virtual server. You should
774 # edit it to create policies for your local site.
776 # For more documentation on virtual servers, see:
778 # raddb/sites-available/README
780 ######################################################################