2 ## radrelay.conf -- FreeRADIUS server configuration file.
4 ## http://www.freeradius.org/
8 # This configuration file is for the "radrelay" personality
9 # of FreeRADIUS. It contains some of the same configuration
10 # items as "radiusd.conf", but many have been deleted, as they
11 # do not apply to "radrelay".
13 # The server reads this file when it is run as "radiusd -n radrelay".
18 exec_prefix = @exec_prefix@
19 sysconfdir = @sysconfdir@
20 localstatedir = @localstatedir@
24 radacctdir = @radacctdir@
26 # Location of config and logfiles.
28 run_dir = ${localstatedir}/run/radiusd
31 # The logging messages for the server are appended to the
34 log_file = ${logdir}/radius.log
37 # Destination for log messages. This can be one of:
39 # files - log to ${log_file}, as defined above.
40 # syslog - to syslog (see also the log{} section, below)
41 # stdout - standard output
42 # stderr - standard error.
44 # The command-line option "-X" over-rides this option, and forces
45 # logging to go to stdout.
47 log_destination = files
50 # libdir: Where to find the rlm_* modules.
52 # This should be automatically set at configuration time.
54 # If the server builds and installs, but fails at execution time
55 # with an 'undefined symbol' error, then you can use the libdir
56 # directive to work around the problem.
58 # The cause is usually that a library has been installed on your
59 # system in a place where the dynamic linker CANNOT find it. When
60 # executing as root (or another user), your personal environment MAY
61 # be set up to allow the dynamic linker to find the library. When
62 # executing as a daemon, FreeRADIUS MAY NOT have the same
63 # personalized configuration.
65 # To work around the problem, find out which library contains that symbol,
66 # and add the directory containing that library to the end of 'libdir',
67 # with a colon separating the directory names. NO spaces are allowed.
69 # e.g. libdir = /usr/local/lib:/opt/package/lib
71 # You can also try setting the LD_LIBRARY_PATH environment variable
72 # in a script which starts the server.
74 # If that does not work, then you can re-configure and re-build the
75 # server to NOT use shared libraries, via:
77 # ./configure --disable-shared
83 # pidfile: Where to place the PID of the RADIUS server.
85 # The server may be signalled while it's running by using this
88 # This file is written when ONLY running in daemon mode.
90 # e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
92 pidfile = ${run_dir}/radrelay.pid
95 # radrelay doesn't need any special permissions to run.
100 max_request_time = 30
101 delete_blocked_requests = no
106 # You can have as many "listen" sections as you want.
108 # The server CANNOT listen on type "detail" and type "acct"
114 # where the detail file is located
115 detail = ${confdir}/detail
119 # Send no more than N requests to the server at once.
120 # If this is set to 0 (zero), then the requests will be read
121 # from the detail file as fast as possible, potentially
122 # overwhelming the server.
124 max_outstanding = 100
128 # Server identity. This lets you tell the different "listen"
129 # sections apart. When a packet is read from a detail file,
130 # the Server-Identity attribute will be set to the value below
137 hostname_lookups = no
140 syslog_facility = daemon
143 # PROXY CONFIGURATION
145 # proxy_requests: Turns proxying of RADIUS requests on or off.
147 # The server has proxying turned on by default. If your system is NOT
148 # set up to proxy requests to another server, then you can turn proxying
149 # off here. This will save a small amount of resources on the server.
151 # If you have proxying turned off, and your configuration files say
152 # to proxy a request, then an error message will be logged.
154 # To disable proxying, change the "yes" to "no", and comment the
157 # allowed values: {no, yes}
160 $INCLUDE ${confdir}/proxy.conf
163 # CLIENTS CONFIGURATION
165 # Client configuration is defined in "clients.conf".
167 # The "radrelay" personality of the server does not have
168 # any clients, and does not need, or read, "clients.conf".
173 # The "radrelay" personality of the server does not have
174 # any SNMP configuration.
177 # THREAD POOL CONFIGURATION
179 # Threads are less useful for radrelay than for radiusd.
180 # This section is here just to remind you that it can be controlled.
185 min_spare_servers = 3
186 max_spare_servers = 10
189 # MODULE CONFIGURATION
191 # The names and configuration of each module is located in this section.
193 # Some modules have been deleted from this section. e.g
203 # It doesn't make sense to use these modules when the server is running
207 # Realm module, for proxying.
209 # You can have multiple instances of the realm module to
210 # support multiple realm syntaxs at the same time. The
211 # search order is defined by the order in the authorize and
214 # Four config options:
215 # format - must be "prefix" or "suffix"
216 # The special cases of "DEFAULT"
217 # and "NULL" are allowed, too.
218 # delimiter - must be a single character
222 # Using this entry, IPASS users have their realm set to "IPASS".
250 # A simple value checking module
252 # It can be used to check if an attribute value in the request
253 # matches a (possibly multi valued) attribute in the check
254 # items This can be used for example for caller-id
255 # authentication. For the module to run, both the request
256 # attribute and the check items attribute must exist
259 # A user has an ldap entry with 2 radiusCallingStationId
260 # attributes with values "12345678" and "12345679". If we
261 # enable rlm_checkval, then any request which contains a
262 # Calling-Station-Id with one of those two values will be
263 # accepted. Requests with other values for
264 # Calling-Station-Id will be rejected.
266 # Regular expressions in the check attribute value are allowed
267 # as long as the operator is '=~'
270 # The attribute to look for in the request
271 item-name = Calling-Station-Id
273 # The attribute to look for in check items. Can be multi valued
274 check-name = Calling-Station-Id
276 # The data type. Can be
277 # string,integer,ipaddr,date,abinary,octets
280 # If set to yes and we dont find the item-name attribute in the
281 # request then we send back a reject
283 #notfound-reject = no
286 # rewrite arbitrary packets. Useful in accounting and authorization.
289 # The module can also use the Rewrite-Rule attribute. If it
290 # is set and matches the name of the module instance, then
291 # that module instance will be the only one which runs.
293 # Also if new_attribute is set to yes then a new attribute
294 # will be created containing the value replacewith and it
295 # will be added to searchin (packet, reply, proxy, proxy_reply or config).
296 # searchfor,ignore_case and max_matches will be ignored in that case.
298 # Backreferences are supported: %{0} will contain the string the whole match
299 # and %{1} to %{8} will contain the contents of the 1st to the 8th parentheses
301 # If max_matches is greater than one the backreferences will correspond to the
305 #attr_rewrite sanecallerid {
306 # attribute = Called-Station-Id
307 # may be "packet", "reply", "proxy", "proxy_reply" or "config"
314 # ## If set to yes then the replace string will be appended to the original string
318 # Preprocess the incoming RADIUS request, before handing it off
321 # This module processes the 'huntgroups' and 'hints' files.
322 # In addition, it re-writes some weird attributes created
323 # by some NASes, and converts the attributes into a form which
324 # is a little more standard.
327 huntgroups = ${confdir}/huntgroups
328 hints = ${confdir}/hints
330 # This hack changes Ascend's wierd port numberings
331 # to standard 0-??? port numbers so that the "+" works
332 # for IP address assignments.
333 with_ascend_hack = no
334 ascend_channels_per_line = 23
336 # Windows NT machines often authenticate themselves as
339 # If this is set to 'yes', then the NT_DOMAIN portion
340 # of the user-name is silently discarded.
342 # This configuration entry SHOULD NOT be used.
343 # See the "realms" module for a better way to handle
345 with_ntdomain_hack = no
347 # Specialix Jetstream 8500 24 port access server.
349 # If the user name is 10 characters or longer, a "/"
350 # and the excess characters after the 10th are
351 # appended to the user name.
353 # If you're not running that NAS, you don't need
355 with_specialix_jetstream_hack = no
357 # Cisco (and Quintum in Cisco mode) sends it's VSA attributes
358 # with the attribute name *again* in the string, like:
360 # H323-Attribute = "h323-attribute=value".
362 # If this configuration item is set to 'yes', then
363 # the redundant data in the the attribute text is stripped
364 # out. The result is:
366 # H323-Attribute = "value"
368 # If you're not running a Cisco or Quintum NAS, you don't
370 with_cisco_vsa_hack = no
373 # Livingston-style 'users' file
376 usersfile = ${confdir}/users
377 acctusersfile = ${confdir}/acct_users
379 # If you want to use the old Cistron 'users' file
380 # with FreeRADIUS, you should change the next line
381 # to 'compat = cistron'. You can the copy your 'users'
386 # Create a unique accounting session Id. Many NASes re-use or
387 # repeat values for Acct-Session-Id, causing no end of
390 # This module will add a (probably) unique session id
391 # to an accounting packet based on the attributes listed
392 # below found in the packet. See doc/rlm_acct_unique for
396 key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
400 # Include another file that has the SQL-related configuration.
401 # This is another file only because it tends to be big.
403 # The following configuration file is for use with MySQL.
405 # For Postgresql, use: ${confdir}/postgresql.conf
406 # For MS-SQL, use: ${confdir}/mssql.conf
407 # For Oracle, use: ${confdir}/oraclesql.conf
409 # $INCLUDE ${confdir}/sql.conf
412 # For Cisco VoIP specific accounting with Postgresql,
413 # use: ${confdir}/pgsql-voip.conf
415 # You will also need the sql schema from:
416 # src/billing/cisco_h323_db_schema-postgres.sql
417 # Note: This config can be use AS WELL AS the standard sql
418 # config if you need SQL based Auth
420 # The "always" module is here for debugging purposes. Each
421 # instance simply returns the same result, always, without
436 # The 'expression' module currently has no configuration.
438 # This module is useful only for 'xlat'. To use it,
439 # put 'exec' into the 'instantiate' section. You can then
440 # do dynamic translation of attributes like:
442 # Attribute-Name = `%{expr:2 + 3 + %{exec: uid -u}}`
444 # The value of the attribute will be replaced with the output
445 # of the program which is executed. Due to RADIUS protocol
446 # limitations, any output over 253 bytes will be ignored.
448 # The module also registers a few paircompare functions
453 # Execute external programs
455 # This module is useful only for 'xlat'. To use it,
456 # put 'exec' into the 'instantiate' section. You can then
457 # do dynamic translation of attributes like:
459 # Attribute-Name = `%{exec:/path/to/program args}`
461 # The value of the attribute will be replaced with the output
462 # of the program which is executed. Due to RADIUS protocol
463 # limitations, any output over 253 bytes will be ignored.
465 # The RADIUS attributes from the user request will be placed
466 # into environment variables of the executed program, as
467 # described in 'doc/variables.txt'
471 input_pairs = request
478 # This section orders the loading of the modules. Modules
479 # listed here will get loaded BEFORE the later sections like
480 # authorize, authenticate, etc. get examined.
482 # This section is not strictly needed. When a section like
483 # authorize refers to a module, it's automatically loaded and
484 # initialized. However, some modules may not be listed in any
485 # of the following sections, so they can be listed here.
487 # Also, listing modules here ensures that you have control over
488 # the order in which they are initalized. If one module needs
489 # something defined by another module, you can list them in order
490 # here, and ensure that the configuration will be OK.
496 # subsections here can be thought of as "virtual" modules.
498 # e.g. If you have two redundant SQL servers, and you want to
499 # use them in the authorize and accounting sections, you could
500 # place a "redundant" block in each section, containing the
501 # exact same text. Or, you could uncomment the following
502 # lines, and list "redundant_sql" in the authorize and
503 # accounting sections.
505 #redundant redundant_sql {
512 # There are no authorize, authenticate, or post-auth sections.
516 # Pre-accounting. Decide which accounting type to use.
522 # Ensure that we have a semi-unique identifier for every
523 # request, and many NAS boxes are broken.
527 # Look for IPASS-style 'realm/', and if not found, look for
528 # '@realm', and decide whether or not to proxy, based on
531 # Accounting requests are generally proxied to the same
532 # home server as authentication requests.
538 # Read the 'acct_users' file
543 # Accounting. Log the accounting data.
547 # Log traffic to an SQL database.
549 # See "Accounting queries" in sql.conf
553 # Cisco VoIP specific bulk accounting
560 # When the server decides to proxy a request to a home server,
561 # the proxied request is first passed through the pre-proxy
562 # stage. This stage can re-write the request, or decide to
565 # Only a few modules currently have this method.
570 # If you want to have a log of packets proxied to a home
571 # server, un-comment the following line, and the
572 # 'detail pre_proxy_log' section, above.
577 # When the server receives a reply to a request it proxied
578 # to a home server, the request may be massaged here, in the
584 # If you want to have a log of replies from a home server,
585 # un-comment the following line, and the 'detail post_proxy_log'
591 # Uncomment the following line if you want to filter replies from
592 # remote proxies based on the rules defined in the 'attrs' file.