Pulled fix from branch_1_1

[freeradius.git] / raddb / radrelay.conf.in

##
## radrelay.conf        -- FreeRADIUS server configuration file.
##
##      http://www.freeradius.org/
##      $Id$
##
#
#       This configuration file is for the "radrelay" personality
#       of FreeRADIUS.  It contains some of the same configuration
#       items as "radiusd.conf", but many have been deleted, as they
#       do not apply to "radrelay".
#
#       The server reads this file when it is run as "radiusd -n radrelay".
#
#

prefix = @prefix@
exec_prefix = @exec_prefix@
sysconfdir = @sysconfdir@
localstatedir = @localstatedir@
sbindir = @sbindir@
logdir = @logdir@
raddbdir = @raddbdir@
radacctdir = @radacctdir@

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

#
#  The logging messages for the server are appended to the
#  tail of this file.
#
log_file = ${logdir}/radius.log

#
#  Destination for log messages.  This can be one of:
#
#       files - log to ${log_file}, as defined above.
#       syslog - to syslog (see also the log{} section, below)
#       stdout - standard output
#       stderr - standard error.
#
#  The command-line option "-X" over-rides this option, and forces
#  logging to go to stdout.
#
log_destination = files

#
# libdir: Where to find the rlm_* modules.
#
#   This should be automatically set at configuration time.
#
#   If the server builds and installs, but fails at execution time
#   with an 'undefined symbol' error, then you can use the libdir
#   directive to work around the problem.
#
#   The cause is usually that a library has been installed on your
#   system in a place where the dynamic linker CANNOT find it.  When
#   executing as root (or another user), your personal environment MAY
#   be set up to allow the dynamic linker to find the library.  When
#   executing as a daemon, FreeRADIUS MAY NOT have the same
#   personalized configuration.
#
#   To work around the problem, find out which library contains that symbol,
#   and add the directory containing that library to the end of 'libdir',
#   with a colon separating the directory names.  NO spaces are allowed.
#
#   e.g. libdir = /usr/local/lib:/opt/package/lib
#
#   You can also try setting the LD_LIBRARY_PATH environment variable
#   in a script which starts the server.
#
#   If that does not work, then you can re-configure and re-build the
#   server to NOT use shared libraries, via:
#
#       ./configure --disable-shared
#       make
#       make install
#
libdir = @libdir@

#  pidfile: Where to place the PID of the RADIUS server.
#
#  The server may be signalled while it's running by using this
#  file.
#
#  This file is written when ONLY running in daemon mode.
#
#  e.g.:  kill -HUP `cat /var/run/radiusd/radiusd.pid`
#
pidfile = ${run_dir}/radrelay.pid

#
#  radrelay doesn't need any special permissions to run.
#
#user = nobody
#group = nobody

max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024

#
#  You can have as many "listen" sections as you want.
#
#  The server CANNOT listen on type "detail" and type "acct"
#  at the same time.
#
listen {
        type = detail

        # where the detail file is located
        filename = ${confdir}/detail

        #
        #  The server can read accounting packets from the detail file
        #  much more quickly than those packets can be written to a
        #  database.  If we overload the database, then bad things happen.
        #

        #  The server will keep track of how long it takes to process
        #  an entry from the detail file, and pause between handling
        #  entries.  This pause allows databases to "catch up", and
        #  gives the server time to notice that other packets may have
        #  arrived.
        #
        #  The pause is calculated dynamically, to ensure that the
        #  load due to reading the detail files is limited to a small
        #  percentage of CPU time.  The "load_factor" configuration
        #  item is a number between 1 and 100.  The server will try to
        #  keep the percentage of time taken by "detail" file entries
        #  to "load_factor" percentage of the CPU time.
        #
        #  If the "load_factor" is set to 100, then the server will
        #  read packets as fast as it can, usually causing databases
        #  to go into overload.
        #  
        load_factor = 10

        #
        #  Server identity.  This lets you tell the different "listen"
        #  sections apart.  When a packet is read from a detail file,
        #  the Server-Identity attribute will be set to the value below
        #  for that packet.
        #
        identity = radrelay
}


hostname_lookups = no

log {
        syslog_facility = daemon
}

# PROXY CONFIGURATION
#
#  proxy_requests: Turns proxying of RADIUS requests on or off.
#
#  The server has proxying turned on by default.  If your system is NOT
#  set up to proxy requests to another server, then you can turn proxying
#  off here.  This will save a small amount of resources on the server.
#
#  If you have proxying turned off, and your configuration files say
#  to proxy a request, then an error message will be logged.
#
#  To disable proxying, change the "yes" to "no", and comment the
#  $INCLUDE line.
#
#  allowed values: {no, yes}
#
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf


# CLIENTS CONFIGURATION
#
#  Client configuration is defined in "clients.conf".  
#
#  The "radrelay" personality of the server does not have
#  any clients, and does not need, or read, "clients.conf".


# SNMP CONFIGURATION
#
# The "radrelay" personality of the server does not have
# any SNMP configuration.


# THREAD POOL CONFIGURATION
#
#  Threads are less useful for radrelay than for radiusd.
#  This section is here just to remind you that it can be controlled.
#
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
}

# MODULE CONFIGURATION
#
#  The names and configuration of each module is located in this section.
#
#  Some modules have been deleted from this section.  e.g
#
#       pap
#       chap
#       mschap
#       eap
#       detail
#       unix
#       radutmp
#
#  It doesn't make sense to use these modules when the server is running
#  as "radrelay".
#
modules {
        # Realm module, for proxying.
        #
        #  You can have multiple instances of the realm module to
        #  support multiple realm syntaxs at the same time.  The
        #  search order is defined by the order in the authorize and
        #  preacct sections.
        #
        #  Four config options:
        #       format         -  must be "prefix" or "suffix"
        #                         The special cases of "DEFAULT"
        #                         and "NULL" are allowed, too.
        #       delimiter      -  must be a single character

        #  'realm/username'
        #
        #  Using this entry, IPASS users have their realm set to "IPASS".
        realm IPASS {
                format = prefix
                delimiter = "/"
        }

        #  'username@realm'
        #
        realm suffix {
                format = suffix
                delimiter = "@"
        }

        #  'username%realm'
        #
        realm realmpercent {
                format = suffix
                delimiter = "%"
        }

        #
        #  'domain\user'
        #
        realm ntdomain {
                format = prefix
                delimiter = "\\"
        }       

        #  A simple value checking module
        #
        #  It can be used to check if an attribute value in the request
        #  matches a (possibly multi valued) attribute in the check
        #  items This can be used for example for caller-id
        #  authentication.  For the module to run, both the request
        #  attribute and the check items attribute must exist
        #
        #  i.e.
        #  A user has an ldap entry with 2 radiusCallingStationId
        #  attributes with values "12345678" and "12345679".  If we
        #  enable rlm_checkval, then any request which contains a
        #  Calling-Station-Id with one of those two values will be
        #  accepted.  Requests with other values for
        #  Calling-Station-Id will be rejected.
        #
        #  Regular expressions in the check attribute value are allowed
        #  as long as the operator is '=~'
        #
        checkval {
                # The attribute to look for in the request
                item-name = Calling-Station-Id

                # The attribute to look for in check items. Can be multi valued
                check-name = Calling-Station-Id

                # The data type. Can be
                # string,integer,ipaddr,date,abinary,octets
                data-type = string

                # If set to yes and we dont find the item-name attribute in the
                # request then we send back a reject
                # DEFAULT is no
                #notfound-reject = no
        }
        
        #  rewrite arbitrary packets.  Useful in accounting and authorization.
        #
        #
        #  The module can also use the Rewrite-Rule attribute. If it
        #  is set and matches the name of the module instance, then
        #  that module instance will be the only one which runs.
        #
        #  Also if new_attribute is set to yes then a new attribute
        #  will be created containing the value replacewith and it
        #  will be added to searchin (packet, reply, proxy, proxy_reply or config).
        # searchfor,ignore_case and max_matches will be ignored in that case.
        #
        # Backreferences are supported: %{0} will contain the string the whole match
        # and %{1} to %{8} will contain the contents of the 1st to the 8th parentheses
        #
        # If max_matches is greater than one the backreferences will correspond to the
        # first match

        #
        #attr_rewrite sanecallerid {
        #       attribute = Called-Station-Id
                # may be "packet", "reply", "proxy", "proxy_reply" or "config"
        #       searchin = packet
        #       searchfor = "[+ ]"
        #       replacewith = ""
        #       ignore_case = no
        #       new_attribute = no
        #       max_matches = 10
        #       ## If set to yes then the replace string will be appended to the original string
        #       append = no
        #}

        # Preprocess the incoming RADIUS request, before handing it off
        # to other modules.
        #
        #  This module processes the 'huntgroups' and 'hints' files.
        #  In addition, it re-writes some weird attributes created
        #  by some NASes, and converts the attributes into a form which
        #  is a little more standard.
        #
        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints

                # This hack changes Ascend's wierd port numberings
                # to standard 0-??? port numbers so that the "+" works
                # for IP address assignments.
                with_ascend_hack = no
                ascend_channels_per_line = 23

                # Windows NT machines often authenticate themselves as
                # NT_DOMAIN\username
                #
                # If this is set to 'yes', then the NT_DOMAIN portion
                # of the user-name is silently discarded.
                #
                # This configuration entry SHOULD NOT be used.
                # See the "realms" module for a better way to handle
                # NT domains.
                with_ntdomain_hack = no

                # Specialix Jetstream 8500 24 port access server.
                #
                # If the user name is 10 characters or longer, a "/"
                # and the excess characters after the 10th are
                # appended to the user name.
                #
                # If you're not running that NAS, you don't need
                # this hack.
                with_specialix_jetstream_hack = no

                # Cisco (and Quintum in Cisco mode) sends it's VSA attributes
                # with the attribute name *again* in the string, like:
                #
                #   H323-Attribute = "h323-attribute=value".
                #
                # If this configuration item is set to 'yes', then
                # the redundant data in the the attribute text is stripped
                # out.  The result is:
                #
                #  H323-Attribute = "value"
                #
                # If you're not running a Cisco or Quintum NAS, you don't
                # need this hack.
                with_cisco_vsa_hack = no
        }

        # Livingston-style 'users' file
        #
        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users

                #  If you want to use the old Cistron 'users' file
                #  with FreeRADIUS, you should change the next line
                #  to 'compat = cistron'.  You can the copy your 'users'
                #  file from Cistron.
                compat = no
        }

        # Create a unique accounting session Id.  Many NASes re-use or
        # repeat values for Acct-Session-Id, causing no end of
        # confusion.
        #
        #  This module will add a (probably) unique session id 
        #  to an accounting packet based on the attributes listed
        #  below found in the packet.  See doc/rlm_acct_unique for
        #  more information.
        #
        acct_unique {
                key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
        }


        #  Include another file that has the SQL-related configuration.
        #  This is another file only because it tends to be big.
        #
        #  The following configuration file is for use with MySQL.
        #
        #  For Postgresql, use:         ${confdir}/postgresql.conf
        #  For MS-SQL, use:             ${confdir}/mssql.conf
        #  For Oracle, use:             ${confdir}/oraclesql.conf
        #
#       $INCLUDE  ${confdir}/sql.conf


        #  For Cisco VoIP specific accounting with Postgresql,
        #  use:         ${confdir}/pgsql-voip.conf
        #
        #  You will also need the sql schema from:
        #        src/billing/cisco_h323_db_schema-postgres.sql
        #  Note: This config can be use AS WELL AS the standard sql
        #  config if you need SQL based Auth

        # The "always" module is here for debugging purposes. Each
        # instance simply returns the same result, always, without
        # doing anything.
        always fail {
                rcode = fail
        }
        always reject {
                rcode = reject
        }
        always ok {
                rcode = ok
                simulcount = 0
                mpp = no
        }

        #
        #  The 'expression' module currently has no configuration.
        #
        #  This module is useful only for 'xlat'.  To use it,
        #  put 'exec' into the 'instantiate' section.  You can then
        #  do dynamic translation of attributes like:
        #
        #  Attribute-Name = `%{expr:2 + 3 + %{exec: uid -u}}`
        #
        #  The value of the attribute will be replaced with the output
        #  of the program which is executed.  Due to RADIUS protocol
        #  limitations, any output over 253 bytes will be ignored.
        #
        #  The module also registers a few paircompare functions
        expr {
        }

        #
        #  Execute external programs
        #
        #  This module is useful only for 'xlat'.  To use it,
        #  put 'exec' into the 'instantiate' section.  You can then
        #  do dynamic translation of attributes like:
        #
        #  Attribute-Name = `%{exec:/path/to/program args}`
        #
        #  The value of the attribute will be replaced with the output
        #  of the program which is executed.  Due to RADIUS protocol
        #  limitations, any output over 253 bytes will be ignored.
        #
        #  The RADIUS attributes from the user request will be placed
        #  into environment variables of the executed program, as
        #  described in 'doc/variables.txt'
        #
        exec {
                wait = yes
                input_pairs = request
                shell_escape = yes
        }
}

# Instantiation
#
#  This section orders the loading of the modules.  Modules
#  listed here will get loaded BEFORE the later sections like
#  authorize, authenticate, etc. get examined.
#
#  This section is not strictly needed.  When a section like
#  authorize refers to a module, it's automatically loaded and
#  initialized.  However, some modules may not be listed in any
#  of the following sections, so they can be listed here.
#
#  Also, listing modules here ensures that you have control over
#  the order in which they are initalized.  If one module needs
#  something defined by another module, you can list them in order
#  here, and ensure that the configuration will be OK.
#
instantiate {
        exec
        expr

        # subsections here can be thought of as "virtual" modules.
        #
        # e.g. If you have two redundant SQL servers, and you want to
        # use them in the authorize and accounting sections, you could
        # place a "redundant" block in each section, containing the
        # exact same text.  Or, you could uncomment the following
        # lines, and list "redundant_sql" in the authorize and
        # accounting sections.
        #
        #redundant redundant_sql {
        #       sql1
        #       sql2
        #}
}

#
#  There are no authorize, authenticate, or post-auth sections.
#

#
#  Pre-accounting.  Decide which accounting type to use.
#
preacct {
        preprocess

        #
        #  Ensure that we have a semi-unique identifier for every
        #  request, and many NAS boxes are broken.
        acct_unique

        #
        #  Look for IPASS-style 'realm/', and if not found, look for
        #  '@realm', and decide whether or not to proxy, based on
        #  that.
        #
        #  Accounting requests are generally proxied to the same
        #  home server as authentication requests.
#       IPASS
        suffix
#       ntdomain

        #
        #  Read the 'acct_users' file
        files
}

#
#  Accounting.  Log the accounting data.
#
accounting {
        #
        #  Log traffic to an SQL database.
        #
        #  See "Accounting queries" in sql.conf
#       sql


        #  Cisco VoIP specific bulk accounting
#       pgsql-voip

}


#
#  When the server decides to proxy a request to a home server,
#  the proxied request is first passed through the pre-proxy
#  stage.  This stage can re-write the request, or decide to
#  cancel the proxy.
#
#  Only a few modules currently have this method.
#
pre-proxy {
#       attr_rewrite

        #  If you want to have a log of packets proxied to a home
        #  server, un-comment the following line, and the
        #  'detail pre_proxy_log' section, above.
#       pre_proxy_log
}

#
#  When the server receives a reply to a request it proxied
#  to a home server, the request may be massaged here, in the
#  post-proxy stage.
#
post-proxy {
        #

        #  If you want to have a log of replies from a home server,
        #  un-comment the following line, and the 'detail post_proxy_log'
        #  section, above.
#       post_proxy_log

#       attr_rewrite

        #  Uncomment the following line if you want to filter replies from
        #  remote proxies based on the rules defined in the 'attrs' file.

#       attr_filter
}