## radrelay.conf -- FreeRADIUS server configuration file.
## http://www.freeradius.org/
# This configuration file is for the "radrelay" personality
# of FreeRADIUS. It contains some of the same configuration
# items as "radiusd.conf", but many have been deleted, as they
# do not apply to "radrelay".
# The server reads this file when it is run as "radiusd -n radrelay".
exec_prefix = @exec_prefix@
sysconfdir = @sysconfdir@
localstatedir = @localstatedir@
radacctdir = @radacctdir@
# Location of config and logfiles.
run_dir = ${localstatedir}/run/radiusd
# The logging messages for the server are appended to the
log_file = ${logdir}/radius.log
# Destination for log messages. This can be one of:
# files - log to ${log_file}, as defined above.
# syslog - to syslog (see also the log{} section, below)
# stdout - standard output
# stderr - standard error.
# The command-line option "-X" overrides this option, and forces
# logging to go to stdout.
log_destination = files
# libdir: Where to find the rlm_* modules.
# This should be automatically set at configuration time.
# If the server builds and installs, but fails at execution time
# with an 'undefined symbol' error, then you can use the libdir
# directive to work around the problem.
# The cause is usually that a library has been installed on your
# system in a place where the dynamic linker CANNOT find it. When
# executing as root (or another user), your personal environment MAY
# be set up to allow the dynamic linker to find the library. When
# executing as a daemon, FreeRADIUS MAY NOT have the same
# personalized configuration.
# To work around the problem, find out which library contains that symbol,
# and add the directory containing that library to the end of 'libdir',
# with a colon separating the directory names. NO spaces are allowed.
# e.g. libdir = /usr/local/lib:/opt/package/lib
# You can also try setting the LD_LIBRARY_PATH environment variable
# in a script which starts the server.
# If that does not work, then you can re-configure and re-build the
# server to NOT use shared libraries, via:
# ./configure --disable-shared
# pidfile: Where to place the PID of the RADIUS server.
# The server may be signalled while it's running by using this
# This file is written ONLY when running in daemon mode.
# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
pidfile = ${run_dir}/radrelay.pid
# radrelay doesn't need any special permissions to run.
max_request_time = 30
delete_blocked_requests = no
# You can have as many "listen" sections as you want.
# The server CANNOT listen on type "detail" and type "acct"
# where the detail file is located
filename = ${confdir}/detail
# The server can read accounting packets from the detail file
# much more quickly than those packets can be written to a
# database. If we overload the database, then bad things happen.
# The server will keep track of how long it takes to process
# an entry from the detail file, and pause between handling
# entries. This pause allows databases to "catch up", and
# gives the server time to notice that other packets may have
# The pause is calculated dynamically, to ensure that the
# load due to reading the detail files is limited to a small
# percentage of CPU time. The "load_factor" configuration
# item is a number between 1 and 100. The server will try to
# keep the percentage of time taken by "detail" file entries
# to "load_factor" percentage of the CPU time.
# If the "load_factor" is set to 100, then the server will
# read packets as fast as it can, usually causing databases
# to go into overload.
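# Added example, not FreeRADIUS code: a small Python reader for the detail-file
# layout the "detail" listener consumes, paced the way the "load_factor" comments
# above describe. The sample records and the pacing formula
# (pause = work * (100 - load_factor) / load_factor) are constructed assumptions;
# the server's own arithmetic may differ.

```python
import time
# Constructed sample in the detail-file layout radrelay reads: a timestamp
# line, tab-indented "Attribute = value" pairs, and a blank line per record.
SAMPLE_DETAIL = (
    "Wed Mar 24 11:22:33 2004\n"
    '\tUser-Name = "alice"\n'
    "\tAcct-Status-Type = Start\n"
    '\tAcct-Session-Id = "0000001a"\n'
    "\tNAS-IP-Address = 192.0.2.10\n"
    "\n"
    "Wed Mar 24 11:30:01 2004\n"
    '\tUser-Name = "alice"\n'
    "\tAcct-Status-Type = Stop\n"
    '\tAcct-Session-Id = "0000001a"\n'
    "\n"
)

def parse_detail(text):
    """Return one dict per record; the timestamp line is kept under "_time"."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue                          # blank line separates records
        if not line.startswith("\t"):         # timestamp line opens a record
            records.append({"_time": line.strip()})
        else:                                 # tab-indented attribute pair
            name, _, value = line.strip().partition(" = ")
            records[-1][name] = value.strip('"')
    return records

def pause_for(work_seconds, load_factor):
    """Pause that keeps entry handling at load_factor percent of elapsed
    time (assumed formula, not the server's); load_factor 100 never pauses."""
    if not 1 <= load_factor <= 100:
        raise ValueError("load_factor must be between 1 and 100")
    return work_seconds * (100 - load_factor) / load_factor

def replay(text, load_factor, handler, clock=time.monotonic, sleep=time.sleep):
    """Hand each record to handler (e.g. a database insert), pausing between
    entries. Returns (records handled, busy seconds, elapsed seconds)."""
    busy = elapsed = 0.0
    records = parse_detail(text)
    for rec in records:
        start = clock()
        handler(rec)
        work = clock() - start
        pause = pause_for(work, load_factor)
        sleep(pause)
        busy, elapsed = busy + work, elapsed + work + pause
    return len(records), busy, elapsed
```

# With load_factor = 10 each entry is followed by a pause nine times as long as
# the entry took, so the database sees roughly a tenth of the raw read rate.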
# Server identity. This lets you tell the different "listen"
# sections apart. When a packet is read from a detail file,
# the Server-Identity attribute will be set to the value below
hostname_lookups = no
syslog_facility = daemon
# PROXY CONFIGURATION
# proxy_requests: Turns proxying of RADIUS requests on or off.
# The server has proxying turned on by default. If your system is NOT
# set up to proxy requests to another server, then you can turn proxying
# off here. This will save a small amount of resources on the server.
# If you have proxying turned off, and your configuration files say
# to proxy a request, then an error message will be logged.
# To disable proxying, change the "yes" to "no", and comment the
# allowed values: {no, yes}
$INCLUDE ${confdir}/proxy.conf
# CLIENTS CONFIGURATION
# Client configuration is defined in "clients.conf".
# The "radrelay" personality of the server does not have
# any clients, and does not need, or read, "clients.conf".
# The "radrelay" personality of the server does not have
# any SNMP configuration.
# THREAD POOL CONFIGURATION
# Threads are less useful for radrelay than for radiusd.
# This section is here just to remind you that it can be controlled.
min_spare_servers = 3
max_spare_servers = 10
# MODULE CONFIGURATION
# The names and configuration of each module is located in this section.
# Some modules have been deleted from this section. e.g
# It doesn't make sense to use these modules when the server is running
# Realm module, for proxying.
# You can have multiple instances of the realm module to
# support multiple realm syntaxes at the same time. The
# search order is defined by the order in the authorize and
# Four config options:
# format - must be "prefix" or "suffix"
# The special cases of "DEFAULT"
# and "NULL" are allowed, too.
# delimiter - must be a single character
# Using this entry, IPASS users have their realm set to "IPASS".
# A simple value checking module
# It can be used to check if an attribute value in the request
# matches a (possibly multi valued) attribute in the check
# items. This can be used for example for caller-id
# authentication. For the module to run, both the request
# attribute and the check items attribute must exist
# A user has an ldap entry with 2 radiusCallingStationId
# attributes with values "12345678" and "12345679". If we
# enable rlm_checkval, then any request which contains a
# Calling-Station-Id with one of those two values will be
# accepted. Requests with other values for
# Calling-Station-Id will be rejected.
# Regular expressions in the check attribute value are allowed
# as long as the operator is '=~'
# The attribute to look for in the request
item-name = Calling-Station-Id
# The attribute to look for in check items. Can be multi valued
check-name = Calling-Station-Id
# The data type. Can be
# string,integer,ipaddr,date,abinary,octets
# If set to yes and we don't find the item-name attribute in the
# request then we send back a reject
#notfound-reject = no
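# Added example, not rlm_checkval's source: a Python model of the decision the
# comments above describe, run against the two-value caller-id case and a "=~"
# regular-expression check item. The return codes "ok", "reject" and "noop" and
# the constructed check items are this example's assumptions.

```python
import re

# Constructed check items, each (attribute, operator, value): the two
# radiusCallingStationId values from the ldap example above, plus a
# separate "=~" entry for the regular-expression form.
CHECK_ITEMS = [
    ("Calling-Station-Id", "==", "12345678"),
    ("Calling-Station-Id", "==", "12345679"),
]
REGEX_CHECK_ITEMS = [("Calling-Station-Id", "=~", r"^1234567[0-9]$")]

def checkval(request, check_items, item_name="Calling-Station-Id",
             check_name="Calling-Station-Id", notfound_reject=False):
    """Model of the rlm_checkval decision (assumed return codes: "ok",
    "reject", or "noop" when there is nothing to compare).

    request     -- dict of request attribute name -> value
    check_items -- list of (attribute, operator, value); check_name may
                   occur several times, which is the multi-valued case
    """
    wanted = [(op, val) for attr, op, val in check_items if attr == check_name]
    if item_name not in request:
        # Both attributes must exist for the module to run; notfound-reject
        # turns a missing request attribute into a reject instead.
        return "reject" if notfound_reject else "noop"
    if not wanted:
        return "noop"
    got = request[item_name]
    for op, val in wanted:
        if op == "=~":
            if re.search(val, got):      # regex only honoured with "=~"
                return "ok"
        elif got == val:                 # plain comparison for other operators
            return "ok"
    return "reject"                      # present on both sides, no value agreed
```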
# rewrite arbitrary packets. Useful in accounting and authorization.
# The module can also use the Rewrite-Rule attribute. If it
# is set and matches the name of the module instance, then
# that module instance will be the only one which runs.
# Also if new_attribute is set to yes then a new attribute
# will be created containing the value replacewith and it
# will be added to searchin (packet, reply, proxy, proxy_reply or config).
# searchfor,ignore_case and max_matches will be ignored in that case.
# Backreferences are supported: %{0} will contain the whole matched string
# and %{1} to %{8} will contain the contents of the 1st to the 8th parentheses
# If max_matches is greater than one the backreferences will correspond to the
#attr_rewrite sanecallerid {
# attribute = Called-Station-Id
# may be "packet", "reply", "proxy", "proxy_reply" or "config"
# ## If set to yes then the replace string will be appended to the original string
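# Added example, not rlm_attr_rewrite's source: a Python model of one instance
# applied to a list of attribute pairs, covering the searchfor/replacewith,
# %{0}..%{8} backreference, max_matches, new_attribute and append cases listed
# above. The "sanecallerid" search pattern, the packet contents and the exact
# append behaviour are this example's assumptions; the page shows only the
# attribute name for that instance.

```python
import re

def attr_rewrite(pairs, attribute, searchfor="", replacewith="", *,
                 new_attribute=False, ignore_case=False, max_matches=1,
                 append=False):
    """Model of one rlm_attr_rewrite instance applied to a searchin list.

    pairs -- list of (name, value) from the chosen list (packet, reply, ...).
    Returns a new list; the rewrite semantics below are this example's
    reading of the comments, not the module's source.
    """
    if new_attribute:
        # searchfor, ignore_case and max_matches are ignored in this mode
        return list(pairs) + [(attribute, replacewith)]
    pattern = re.compile(searchfor, re.IGNORECASE if ignore_case else 0)

    def expand(match):
        # %{0} is the whole match, %{1}..%{8} the parenthesised groups
        out = replacewith
        for i in range(9):
            group = match.group(i) if i <= pattern.groups else None
            out = out.replace("%%{%d}" % i, group or "")
        return out

    result = []
    for name, value in pairs:
        if name != attribute or not pattern.search(value):
            result.append((name, value))     # untouched: other attr or no match
            continue
        if append:
            # keep the original value, append the expanded replace string once
            result.append((name, value + expand(pattern.search(value))))
        else:
            result.append((name, pattern.sub(expand, value, count=max_matches)))
    return result

# Constructed packet list and two instances: "sanecallerid" strips "+" and
# spaces (searchfor assumed; the page only shows the attribute name), and a
# second instance uses backreferences to reformat the cleaned number.
PACKET = [("User-Name", "alice"), ("Called-Station-Id", "+1 555 0100")]

def sane_callerid(pairs):
    return attr_rewrite(pairs, "Called-Station-Id", r"[+ ]", "", max_matches=10)

def dashed(pairs):
    return attr_rewrite(pairs, "Called-Station-Id", r"^1(\d{3})(\d{4})$", "(%{1}) %{2}")
```

# With max_matches = 1 only the first "+" would be removed, which is why the
# sanecallerid instance raises it to 10.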
# Preprocess the incoming RADIUS request, before handing it off
# This module processes the 'huntgroups' and 'hints' files.
# In addition, it re-writes some weird attributes created
# by some NASes, and converts the attributes into a form which
# is a little more standard.
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
# This hack changes Ascend's weird port numberings
# to standard 0-??? port numbers so that the "+" works
# for IP address assignments.
with_ascend_hack = no
ascend_channels_per_line = 23
# Windows NT machines often authenticate themselves as
# If this is set to 'yes', then the NT_DOMAIN portion
# of the user-name is silently discarded.
# This configuration entry SHOULD NOT be used.
# See the "realms" module for a better way to handle
with_ntdomain_hack = no
# Specialix Jetstream 8500 24 port access server.
# If the user name is 10 characters or longer, a "/"
# and the excess characters after the 10th are
# appended to the user name.
# If you're not running that NAS, you don't need
with_specialix_jetstream_hack = no
# Cisco (and Quintum in Cisco mode) sends its VSA attributes
# with the attribute name *again* in the string, like:
# H323-Attribute = "h323-attribute=value".
# If this configuration item is set to 'yes', then
# the redundant data in the attribute text is stripped
# out. The result is:
# H323-Attribute = "value"
# If you're not running a Cisco or Quintum NAS, you don't
with_cisco_vsa_hack = no
# Livingston-style 'users' file
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
# If you want to use the old Cistron 'users' file
# with FreeRADIUS, you should change the next line
# to 'compat = cistron'. You can then copy your 'users'
# Create a unique accounting session Id. Many NASes re-use or
# repeat values for Acct-Session-Id, causing no end of
# This module will add a (probably) unique session id
# to an accounting packet based on the attributes listed
# below found in the packet. See doc/rlm_acct_unique for
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
# Include another file that has the SQL-related configuration.
# This is another file only because it tends to be big.
# The following configuration file is for use with MySQL.
# For Postgresql, use: ${confdir}/postgresql.conf
# For MS-SQL, use: ${confdir}/mssql.conf
# For Oracle, use: ${confdir}/oraclesql.conf
# $INCLUDE ${confdir}/sql.conf
# For Cisco VoIP specific accounting with Postgresql,
# use: ${confdir}/pgsql-voip.conf
# You will also need the sql schema from:
# src/billing/cisco_h323_db_schema-postgres.sql
# Note: This config can be used AS WELL AS the standard sql
# config if you need SQL based Auth
# The "always" module is here for debugging purposes. Each
# instance simply returns the same result, always, without
# The 'expression' module currently has no configuration.
# This module is useful only for 'xlat'. To use it,
# put 'exec' into the 'instantiate' section. You can then
# do dynamic translation of attributes like:
# Attribute-Name = `%{expr:2 + 3 + %{exec: uid -u}}`
# The value of the attribute will be replaced with the output
# of the program which is executed. Due to RADIUS protocol
# limitations, any output over 253 bytes will be ignored.
# The module also registers a few paircompare functions
# Execute external programs
# This module is useful only for 'xlat'. To use it,
# put 'exec' into the 'instantiate' section. You can then
# do dynamic translation of attributes like:
# Attribute-Name = `%{exec:/path/to/program args}`
# The value of the attribute will be replaced with the output
# of the program which is executed. Due to RADIUS protocol
# limitations, any output over 253 bytes will be ignored.
# The RADIUS attributes from the user request will be placed
# into environment variables of the executed program, as
# described in 'doc/variables.txt'
input_pairs = request
# This section orders the loading of the modules. Modules
# listed here will get loaded BEFORE the later sections like
# authorize, authenticate, etc. get examined.
# This section is not strictly needed. When a section like
# authorize refers to a module, it's automatically loaded and
# initialized. However, some modules may not be listed in any
# of the following sections, so they can be listed here.
# Also, listing modules here ensures that you have control over
# the order in which they are initialized. If one module needs
# something defined by another module, you can list them in order
# here, and ensure that the configuration will be OK.
# subsections here can be thought of as "virtual" modules.
# e.g. If you have two redundant SQL servers, and you want to
# use them in the authorize and accounting sections, you could
# place a "redundant" block in each section, containing the
# exact same text. Or, you could uncomment the following
# lines, and list "redundant_sql" in the authorize and
# accounting sections.
#redundant redundant_sql {
# There are no authorize, authenticate, or post-auth sections.
# Pre-accounting. Decide which accounting type to use.
# Ensure that we have a semi-unique identifier for every
# request, and many NAS boxes are broken.
# Look for IPASS-style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# Accounting requests are generally proxied to the same
# home server as authentication requests.
# Read the 'acct_users' file
# Accounting. Log the accounting data.
# Log traffic to an SQL database.
# See "Accounting queries" in sql.conf
# Cisco VoIP specific bulk accounting
# When the server decides to proxy a request to a home server,
# the proxied request is first passed through the pre-proxy
# stage. This stage can re-write the request, or decide to
# Only a few modules currently have this method.
# If you want to have a log of packets proxied to a home
# server, un-comment the following line, and the
# 'detail pre_proxy_log' section, above.
# When the server receives a reply to a request it proxied
# to a home server, the request may be massaged here, in the
# If you want to have a log of replies from a home server,
# un-comment the following line, and the 'detail post_proxy_log'
# Uncomment the following line if you want to filter replies from
# remote proxies based on the rules defined in the 'attrs' file.