log_file = ${logdir}/radius.log
#
+# Destination for log messages. This can be one of:
+#
+# files - log to ${log_file}, as defined above.
+# syslog - to syslog (see also the log{} section, below)
+# stdout - standard output
+# stderr - standard error.
+#
+# The command-line option "-X" over-rides this option, and forces
+# logging to go to stdout.
+#
+log_destination = files
+
+#
# libdir: Where to find the rlm_* modules.
#
# This should be automatically set at configuration time.
#
max_requests = 1024
-# bind_address: Make the server listen on a particular IP address, and
-# send replies out from that address. This directive is most useful
-# for machines with multiple IP addresses on one interface.
-#
-# It can either contain "*", or an IP address, or a fully qualified
-# Internet domain name. The default is "*"
-#
-# As of 1.0, you can also use the "listen" directive. See below for
-# more information.
-#
-bind_address = *
-
-# port: Allows you to bind FreeRADIUS to a specific port.
+# listen: Make the server listen on a particular IP address, and send
+# replies out from that address. This directive is most useful for
+# hosts with multiple IP addresses on one interface.
#
-# The default port that most NAS boxes use is 1645, which is historical.
-# RFC 2138 defines 1812 to be the new port. Many new servers and
-# NAS boxes use 1812, which can create interoperability problems.
+# If you want the server to listen on additional addresses, or on
+# additionnal ports, you can use multiple "listen" sections.
#
-# The port is defined here to be 0 so that the server will pick up
-# the machine's local configuration for the radius port, as defined
-# in /etc/services.
+# Each section make the server listen for only one type of packet,
+# therefore authentication and accounting have to be configured in
+# different sections.
#
-# If you want to use the default RADIUS port as defined on your server,
-# (usually through 'grep radius /etc/services') set this to 0 (zero).
+# The server ignore all "listen" section if you are using '-i' and '-p'
+# on the command line.
#
-# A port given on the command-line via '-p' over-rides this one.
-#
-# As of 1.0, you can also use the "listen" directive. See below for
-# more information.
-#
-port = 0
-
-#
-# By default, the server uses "bind_address" to listen to all IP's
-# on a machine, or just one IP. The "port" configuration is used
-# to select the authentication port used when listening on those
-# addresses.
-#
-# If you want the server to listen on additional addresses, you can
-# use the "listen" section. A sample section (commented out) is included
-# below. This "listen" section duplicates the functionality of the
-# "bind_address" and "port" configuration entries, but it only listens
-# for authentication packets.
-#
-# If you comment out the "bind_address" and "port" configuration entries,
-# then it becomes possible to make the server accept only accounting,
-# or authentication packets. Previously, it always listened for both
-# types of packets, and it was impossible to make it listen for only
-# one type of packet.
-#
-#listen {
+listen {
# IP address on which to listen.
# Allowed values are:
# dotted quad (1.2.3.4)
# hostname (radius.example.com)
# wildcard (*)
-# ipaddr = *
+ ipaddr = *
+
+ # OR, you can use an IPv6 address, but not both
+ # at the same time.
+# ipv6addr = :: # any. ::1 == localhost
# Port on which to listen.
# Allowed values are:
# integer port number (1812)
# 0 means "use /etc/services for the proper port"
-# port = 0
+ port = 0
# Type of packets to listen for.
# Allowed values are:
# auth listen for authentication packets
# acct listen for accounting packets
#
-# type = auth
-#}
+ type = auth
+
+ # Some systems support binding to an interface, in addition
+ # to the IP address. This feature isn't strictly necessary,
+ # but for sites with many IP addresses on one interface,
+ # it's useful to say "listen on all addresses for eth0".
+ #
+ # If your system does not support this feature, you will
+ # get an error if you try to use it.
+ #
+# interface = eth0
+ # Per-socket lists of clients. This is a very useful feature.
+ #
+ # The name here is a reference to a section elsewhere in
+ # radiusd.conf, or clients.conf. Having the name as
+ # a reference allows multiple sockets to use the same
+ # set of clients.
+ #
+ # If this configuration is used, then the global list of clients
+ # is IGNORED for this "listen" section. Take care configuring
+ # this feature, to ensure you don't accidentally disable a
+ # client you need.
+ #
+ # See clients.conf for the configuration of "per_socket_clients".
+ #
+# clients = per_socket_clients
+}
+
+# This second "listen" section is for listening on the accounting
+# port, too.
+#
+listen {
+ ipaddr = *
+# ipv6addr = ::
+ port = 0
+ type = acct
+# interface = eth0
+# clients = per_socket_clients
+}
# hostname_lookups: Log the names of clients or just their IP addresses
# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
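Review bot: Both new `listen` sections bind `ipaddr = *`, so the auth and acct sockets are exposed on every interface of a multi-homed host, and the only thing protecting them is the shared secret in the clients list. On a host with a dedicated NAS-facing or management address I would bind to it explicitly (`ipaddr = 10.0.0.1`, or use the `interface` item where supported) and say so in the comment above `ipaddr`, rather than leaving the wildcard as the shipped default. The wording at the top of the first section also needs fixing: `additionnal` → `additional`, and `The server ignore all "listen" section` → `The server ignores all "listen" sections`. The `clients = per_socket_clients` caveat is good; since the comment implies a section without `clients` falls back to the global list, it is worth adding that giving only one of the two sections a per-socket list leaves auth and acct trusting different sets of clients.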
regular_expressions = @REGEX@
extended_expressions = @REGEX_EXTENDED@
+#
+# Logging section. The various "log_*" configuration items
+# will eventually be moved here.
+#
+log {
+ #
+ # Which syslog facility to use, if ${log_destination} == "syslog"
+ #
+ # The exact values permitted here are OS-dependent. You probably
+ # don't want to change this.
+ #
+ syslog_facility = daemon
+}
+
# Log the full User-Name attribute, as it was found in the request.
#
# allowed values: {no, yes}
log_auth_badpass = no
log_auth_goodpass = no
-# usercollide: Turn "username collision" code on and off. See the
-# "doc/duplicate-users" file
-#
-# WARNING
-# !!!!!!! Setting this to "yes" may result in the server behaving
-# !!!!!!! strangely. The "username collision" code will ONLY work
-# !!!!!!! with clear-text passwords. Even then, it may not do what
-# !!!!!!! you want, or what you expect.
-# !!!!!!!
-# !!!!!!! We STRONGLY RECOMMEND that you do not use this feature,
-# !!!!!!! and that you find another way of acheiving the same goal.
-# !!!!!!!
-# !!!!!!! e,g. module fail-over. See 'doc/configurable_failover'
-# WARNING
-#
-usercollide = no
-
-# lower_user / lower_pass:
-# Lower case the username/password "before" or "after"
-# attempting to authenticate.
-#
-# If "before", the server will first modify the request and then try
-# to auth the user. If "after", the server will first auth using the
-# values provided by the user. If that fails it will reprocess the
-# request after modifying it as you specify below.
-#
-# This is as close as we can get to case insensitivity. It is the
-# admin's job to ensure that the username on the auth db side is
-# *also* lowercase to make this work
-#
-# Default is 'no' (don't lowercase values)
-# Valid values = "before" / "after" / "no"
-#
-lower_user = no
-lower_pass = no
-
-# nospace_user / nospace_pass:
-#
-# Some users like to enter spaces in their username or password
-# incorrectly. To save yourself the tech support call, you can
-# eliminate those spaces here:
-#
-# Default is 'no' (don't remove spaces)
-# Valid values = "before" / "after" / "no" (explanation above)
-#
-nospace_user = no
-nospace_pass = no
-
# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad
# PAP module to authenticate users based on their stored password
#
- # Supports multiple encryption schemes
- # clear: Clear text
- # crypt: Unix crypt
- # md5: MD5 ecnryption
- # sha1: SHA1 encryption.
- # DEFAULT: crypt
+ # Supports multiple encryption/hash schemes. See "man passwd"
+ # for details.
+ #
+ # The "auto_header" configuration item can be set to "yes".
+ # In this case, the module will look inside of the User-Password
+ # attribute for the headers {crypt}, {clear}, etc., and will
+ # automatically create the attribute on the right-hand side,
+ # with the correct value. It will also automatically handle
+ # Base-64 encoded data, hex strings, and binary data.
pap {
- encryption_scheme = crypt
+ auto_header = no
}
# CHAP module
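Review bot: The new pap comment says the module "will look inside of the User-Password attribute" for `{crypt}`, `{clear}` etc. without saying which copy it means — the "known good" check item supplied by another module, or the password the client sent; if it were the latter a client could pick the comparison scheme, so the comment should name the copy explicitly, e.g. `# ... will look inside the check-item User-Password (the "known good" password supplied by a module such as files or ldap), not the password sent by the client, for the headers ...`, with the wording confirmed against rlm_pap. The old text stated `DEFAULT: crypt`; the replacement drops `encryption_scheme` but says nothing about what is assumed when `auto_header = no` (the shipped value) and the stored password carries no header, which is exactly the case a reader of this block needs answered.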
# Unix /etc/passwd style authentication
#
unix {
+ # As of 1.1.0, the Unix module no longer reads,
+ # or caches /etc/passwd, /etc/shadow, or /etc/group.
+ # If you wish to cache those files, see the passwd
+ # module, above.
#
- # Cache /etc/passwd, /etc/shadow, and /etc/group
- #
- # The default is to NOT cache them.
- #
- # For FreeBSD and NetBSD, you do NOT want to enable
- # the cache, as it's password lookups are done via a
- # database, so set this value to 'no'.
- #
- # Some systems (e.g. RedHat Linux with pam_pwbd) can
- # take *seconds* to check a password, when th passwd
- # file containing 1000's of entries. For those systems,
- # you should set the cache value to 'yes', and set
- # the locations of the 'passwd', 'shadow', and 'group'
- # files, below.
- #
- # allowed values: {no, yes}
- cache = no
-
- # Reload the cache every 600 seconds (10mins). 0 to disable.
- cache_reload = 600
-
- #
- # Define the locations of the normal passwd, shadow, and
- # group files.
- #
- # 'shadow' is commented out by default, because not all
- # systems have shadow passwords.
- #
- # To force the module to use the system password functions,
- # instead of reading the files, leave the following entries
- # commented out.
- #
- # This is required for some systems, like FreeBSD,
- # and Mac OSX.
- #
- # passwd = /etc/passwd
- # shadow = /etc/shadow
- # group = /etc/group
#
# The location of the "wtmp" file.
# and sample authorize{} and authenticate{} blocks
ldap {
server = "ldap.your.domain"
- # identity = "cn=admin,o=My Org,c=UA"
- # password = mypass
+ #identity = "cn=admin,o=My Org,c=UA"
+ #password = mypass
basedn = "o=My Org,c=UA"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
- # base_filter = "(objectclass=radiusprofile)"
-
- # set this to 'yes' to use TLS encrypted connections
- # to the LDAP database by using the StartTLS extended
- # operation.
- # The StartTLS operation is supposed to be used with normal
- # ldap connections instead of using ldaps (port 689) connections
- start_tls = no
-
- # tls_cacertfile = /path/to/cacert.pem
- # tls_cacertdir = /path/to/ca/dir/
- # tls_certfile = /path/to/radius.crt
- # tls_keyfile = /path/to/radius.key
- # tls_randfile = /path/to/rnd
- # tls_require_cert = "demand"
+ #base_filter = "(objectclass=radiusprofile)"
+
+ # How many connections to keep open to the LDAP server.
+ # This saves time over opening a new LDAP socket for
+ # every authentication request.
+ ldap_connections_number = 5
+
+ timeout = 4
+ timelimit = 3
+ net_timeout = 1
+
+ #
+ # This subsection configures the tls related items
+ # that control how FreeRADIUS connects to an LDAP
+ # server. It contains all of the "tls_*" configuration
+ # entries used in older versions of FreeRADIUS. Those
+ # configuration entries can still be used, but we recommend
+ # using these.
+ #
+ tls {
+ # Set this to 'yes' to use TLS encrypted connections
+ # to the LDAP database by using the StartTLS extended
+ # operation.
+ #
+ # The StartTLS operation is supposed to be
+ # used with normal ldap connections instead of
+ # using ldaps (port 689) connections
+ start_tls = no
+
+ # cacertfile = /path/to/cacert.pem
+ # cacertdir = /path/to/ca/dir/
+ # certfile = /path/to/radius.crt
+ # keyfile = /path/to/radius.key
+ # randfile = /path/to/rnd
+ # require_cert = "demand"
+ }
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
- access_attr = "dialupAccess"
+ # access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap
- ldap_connections_number = 5
-
- #
- # NOTICE: The password_header directive is NOT case insensitive
- #
- # password_header = "{clear}"
- #
- # Set:
- # password_attribute = nspmPassword
- #
- # to get the user's password from a Novell eDirectory
- # backend. This will work *only if* freeRADIUS is
- # configured to build with --with-edir option.
- #
- #
- # The server can usually figure this out on its own, and pull
- # the correct User-Password or NT-Password from the database.
- #
- # Note that NT-Passwords MUST be stored as a 32-digit hex
- # string, and MUST start off with "0x", such as:
- #
- # 0x000102030405060708090a0b0c0d0e0f
- #
- # Without the leading "0x", NT-Passwords will not work.
- # This goes for NT-Passwords stored in SQL, too.
+ # Set password_attribute = nspmPassword to get the
+ # user's password from a Novell eDirectory
+ # backend. This will work ONLY IF FreeRADIUS has been
+ # built with the --with-edir configure option.
#
# password_attribute = userPassword
- #
- # Un-comment the following to disable Novell eDirectory account
- # policy check and intruder detection. This will work *only if*
- # FreeRADIUS is configured to build with --with-edir option.
- #
- # edir_account_policy_check=no
+
+ # As of 1.1.0, the LDAP module will auto-discover
+ # the password headers (which are non-standard).
+ # It will use the following table to map passwords
+ # to RADIUS attributes. The PAP module (see above)
+ # can then automatically determine the hashing
+ # method to use to authenticate the user.
+ #
+ # Header Attribute
+ # ------ ---------
+ # {clear} User-Password
+ # {cleartext} User-Password
+ # {md5} MD5-Password
+ # {smd5} SMD5-Password
+ # {crypt} Crypt-Password
+ # {sha} SHA-Password
+ # {ssha} SSHA-Password
+ # {nt} NT-Password
+ # {ns-mta-md5} NS-MTA-MD5-Password
+ #
+ #
+ # The headers are compared in a case-insensitive manner.
+ # The format of the password in LDAP (base 64-encoded, hex,
+ # clear-text, whatever) is not that important. The PAP
+ # module will figure it out.
+ #
+ # The default for "auto_header" is "no", to enable backwards
+ # compatibility with the "password_header" directive,
+ # which is now deprecated. If this is set to "yes",
+ # then the above table will be used, and the
+ # "password_header" directive will be ignored.
+
+ #auto_header = yes
+
+ # Un-comment the following to disable Novell
+ # eDirectory account policy check and intruder
+ # detection. This will work *only if* FreeRADIUS is
+ # configured to build with --with-edir option.
+ #
+ #edir_account_policy_check = no
+
+ #
+ # Group membership checking. Disabled by default.
#
# groupname_attribute = cn
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
- timeout = 4
- timelimit = 3
- net_timeout = 1
+
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
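Review bot: `access_attr = "dialupAccess"` was active before and is commented out here, so on an unmodified install the module no longer requires an entry to carry that attribute before the user is accepted; that widens who can authenticate and should either stay enabled or get a comment saying the access check is now opt-in. The new `tls` subsection repeats "ldaps (port 689)"; LDAPS is TCP 636, so `# using ldaps (port 636) connections`. With `start_tls = no` and `# require_cert = "demand"` commented out, the bind `password` and every value fetched through `password_attribute` cross the network in the clear and the directory's certificate is never verified, which the comment above `start_tls` should state plainly instead of only describing the mechanism. Reading `password_attribute = userPassword` also means the `identity` bind account can read the stored password (or its hash) of every user, a high-value credential that deserves a one-line warning next to `#identity` / `#password`.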
#
# Field marked as ',' may contain a comma separated list
# of attributes.
- # authtype - if record found this Auth-Type is used to authenticate
- # user
# hashsize - hashtable size. If 0 or not specified records are not
# stored in memory and file is red on every request.
# allowmultiplekeys - if few records for every key are allowed
#passwd etc_smbpasswd {
# filename = /etc/smbpasswd
# format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
- # authtype = MS-CHAP
# hashsize = 100
# ignorenislike = no
# allowmultiplekeys = no
# preacct sections.
#
# Four config options:
- # format - must be 'prefix' or 'suffix'
+ # format - must be "prefix" or "suffix"
+ # The special cases of "DEFAULT"
+ # and "NULL" are allowed, too.
# delimiter - must be a single character
- # ignore_default - set to 'yes' or 'no'
- # ignore_null - set to 'yes' or 'no'
- #
- # ignore_default and ignore_null can be set to 'yes' to prevent
- # the module from matching against DEFAULT or NULL realms. This
- # may be useful if you have have multiple instances of the
- # realm module.
- #
- # They both default to 'no'.
- #
# 'realm/username'
#
realm IPASS {
format = prefix
delimiter = "/"
- ignore_default = no
- ignore_null = no
}
# 'username@realm'
realm suffix {
format = suffix
delimiter = "@"
- ignore_default = no
- ignore_null = no
}
# 'username%realm'
realm realmpercent {
format = suffix
delimiter = "%"
- ignore_default = no
- ignore_null = no
}
#
realm ntdomain {
format = prefix
delimiter = "\\"
- ignore_default = no
- ignore_null = no
}
# A simple value checking module
# permissions restrictive, we can prevent unwanted
# people from seeing that information.
detailperm = 0600
+
+ #
+ # Every entry in th edetail file has a header which
+ # is a timestamp. By default, we use the ctime
+ # format (see "man ctime" for details).
+ #
+ # The header can be customized by editing this
+ # string. See "doc/variables.txt" for a description
+ # of what can be put here.
+ #
+ header = "%t"
+
}
#
# attr_filter - filters the attributes received in replies from
# proxied servers, to make sure we send back to our RADIUS client
# only allowed attributes.
- attr_filter {
+ attr_filter attr_filter.post-proxy {
attrsfile = ${confdir}/attrs
}
+ # attr_filter - filters the attributes in the packets we send to
+ # the RADIUS home servers.
+ attr_filter attr_filter.pre-proxy {
+ attrsfile = ${confdir}/attrs.pre-proxy
+ }
+
# counter module:
# This module takes an attribute (count-attribute).
# It also takes a key, and creates a counter for each unique
# the radius.log
# If the count attribute is Acct-Session-Time then on each login
# we send back the remaining online time as a Session-Timeout attribute
+ # ELSE and if the return-attribute is set, we send back that attribute.
+ # The return-attribute is set MUST be of an integer type
#
# The counter-name can also be used instead of using the check-name
# like below:
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
+ #return-attribute = Session-Timeout
cache-size = 5000
}
# The value of the attribute will be replaced with the output
# of the program which is executed. Due to RADIUS protocol
# limitations, any output over 253 bytes will be ignored.
+ #
+ # The module also registers a few paircompare functions
expr {
}
}
#
+ # The expiration module. This handles the Expiration attribute
+ # It should be included in the *end* of the authorize section
+ # in order to handle user Expiration. It should also be included
+ # in the instantiate section in order to register the Expiration
+ # compare function
+ #
+ expiration {
+ #
+ # The Reply-Message which will be sent back in case the
+ # account has expired. Dynamic substitution is supported
+ #
+ reply-message = "Password Has Expired\r\n"
+# reply-message = "Your account has expired, %{User-Name}\r\n"
+ }
+
+ # The logintime module. This handles the Login-Time,
+ # Current-Time, and Time-Of-Day attributes. It should be
+ # included in the *end* of the authorize section in order to
+ # handle Login-Time checks. It should also be included in the
+ # instantiate section in order to register the Current-Time
+ # and Time-Of-Day comparison functions.
+ #
+ # When the Login-Time attribute is set to some value, and the
+ # user has bene permitted to log in, a Session-Timeout is
+ # calculated based on the remaining time. See "doc/README".
+ #
+ logintime {
+ #
+ # The Reply-Message which will be sent back in case
+ # the account is calling outside of the allowed
+ # timespan. Dynamic substitution is supported.
+ #
+ reply-message = "You are calling outside your allowed timespan\r\n"
+# reply-message = "Outside allowed timespan (%{check:Login-Time}), %{User-Name}\r\n"
+
+ # The minimum timeout (in seconds) a user is allowed
+ # to have. If the calculated timeout is lower we don't
+ # allow the logon. Some NASes do not handle values
+ # lower than 60 seconds well.
+ minimum-timeout = 60
+ }
+ #
# Execute external programs
#
# This module is useful only for 'xlat'. To use it,
exec {
wait = yes
input_pairs = request
+ shell_escape = yes
+ output = none
}
#
# one section (e.g. 'authorize', 'pre_proxy', etc), then it
# is probably best to define a different instance of the
# 'exec' module for every section.
- #
+ #
+ # The return value of the program run determines the result
+ # of the exec instance call as follows:
+ # (See doc/configurable_failover for details)
+ #
+ # < 0 : fail the module failed
+ # = 0 : ok the module succeeded
+ # = 1 : reject the module rejected the user
+ # = 2 : fail the module failed
+ # = 3 : ok the module succeeded
+ # = 4 : handled the module has done everything to handle the request
+ # = 5 : invalid the user's configuration entry was invalid
+ # = 6 : userlock the user was locked out
+ # = 7 : notfound the user was not found
+ # = 8 : noop the module did nothing
+ # = 9 : updated the module updated information in the request
+ # > 9 : fail the module failed
+ #
exec echo {
#
# Wait for the program to finish.
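Review bot: The first `exec` instance gains `shell_escape = yes` and `output = none` without any comment, while `shell_escape` is only explained in the `exec echo` instance further down (names upper-cased with dashes replaced by underscores, values double-quoted); that explanation belongs at the first occurrence too, and `output = none` is documented nowhere in the hunk. Because this instance uses `input_pairs = request`, the values placed in the child's environment come straight from the NAS, so the comment should add something like `# Leave shell_escape = yes: request values are attacker-controlled; only disable it if the program does its own quoting` — with what the escaping actually covers confirmed against rlm_exec rather than assumed from the echo example. The return-code table is clear; one line noting that any code outside 0–9 is treated as `fail` (the table's `< 0` and `> 9` rows) and never as `reject` would help anyone using exec for access decisions.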
# being sent to the NAS.
#
#packet_type = Access-Accept
+
+ #
+ # Should we escape the environment variables?
+ #
+ # If this is set, all the RADIUS attributes
+ # are capitalised and dashes replaced with
+ # underscores. Also, RADIUS values are surrounded
+ # with double-quotes.
+ #
+ # That is to say: User-Name=BobUser => USER_NAME="BobUser"
+ shell_escape = yes
+
}
# Do server side ip pool management. Should be added in post-auth and
# attribute in the user profiles and use different pools
# for different users. The Pool-Name attribute is a *check* item not
# a reply item.
+ # The Pool-Name should be set to the ippool module instance name or to
+ # DEFAULT to match any module.
#
# Example:
# radiusd.conf: ippool students { [...] }
+ # ippool teachers { [...] }
# users file : DEFAULT Group == students, Pool-Name := "students"
+ # DEFAULT Group == teachers, Pool-Name := "teachers"
+ # DEFAULT Group == other, Pool-Name := "DEFAULT"
#
# ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST *********
# ********* THEN ERASE THE DB FILES *********
# maximum-timeout: If not zero specifies the maximum time in seconds an
# entry may be active. Default: 0
maximum-timeout = 0
+
+ # The key to use for the session database (which holds the allocated ip's)
+ # normally it should just be the nas ip/port (which is the default)
+ #key = "%{NAS-IP-Address} %{NAS-Port}"
}
# OTP token support. Not included by default.
# $INCLUDE ${confdir}/otp.conf
+ #
+ # Implements Login-Time, Current-Time, and Time-Of-Day
+ #
+ logintime {
+ #
+ # Don't worry about anything here for now..
+ #
+ }
+
+ #
+ # Kerberos. See doc/rlm_krb5 for minimal docs.
+ #
+# krb5 {
+# keytab = /path/to/keytab
+# service_principal = name_of_principle
+# }
}
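Review bot: A second `logintime { }` instance is defined here while the same change already defines `logintime { reply-message = ...; minimum-timeout = 60 }` earlier in the modules section (L592); two instances with the same name make it ambiguous which one the `instantiate` and `authorize` references resolve to, and I cannot tell from here whether the parser rejects the duplicate or one silently shadows the other — drop the empty one. In the commented `krb5` example, `service_principal = name_of_principle` is misspelled (`principal`), and since the keytab holds the service's long-term key the comment should say that `/path/to/keytab` must be owned by and readable only by the radiusd user (mode 0600).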
# Instantiation
# the check-name attribute before any module which sets
# it
# daily
+ expiration
+ logintime
+
+ # subsections here can be thought of as "virtual" modules.
+ #
+ # e.g. If you have two redundant SQL servers, and you want to
+ # use them in the authorize and accounting sections, you could
+ # place a "redundant" block in each section, containing the
+ # exact same text. Or, you could uncomment the following
+ # lines, and list "redundant_sql" in the authorize and
+ # accounting sections.
+ #
+ #redundant redundant_sql {
+ # sql1
+ # sql2
+ #}
}
# Authorization. First preprocess (hints and huntgroups files),
# un-comment the following line, and the 'detail auth_log'
# section, above.
# auth_log
-
-# attr_filter
#
# The chap module will set 'Auth-Type := CHAP' if we are
mschap
#
+ # Pull crypt'd passwords from /etc/passwd or /etc/shadow,
+ # using the system API's to get the password. If you want
+ # to read /etc/passwd or /etc/shadow directly, see the
+ # passwd module, above.
+ #
+ unix
+
+ #
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authenticate' section.
#
# Use the checkval module
# checkval
+
+ expiration
+ logintime
+
+ #
+ # If no other module has claimed responsibility for
+ # authentication, then try to use PAP. This allows the
+ # other modules listed above to add a "known good" password
+ # to the request, and to do nothing else. The PAP module
+ # will then see that password, and use it to do PAP
+ # authentication.
+ #
+ # This module should be listed last, so that the other modules
+ # get a chance to set Auth-Type for themselves.
+ #
+ pap
}
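Review bot: `unix` is added to `authorize` unconditionally, and its own comment says it pulls crypt'd passwords via the system API from /etc/passwd or /etc/shadow; reading shadow entries requires the daemon to run with enough privilege to do so, which is worth stating next to the `unix` line so that sites running radiusd as an unprivileged user understand why it may find no password (presumably it then does nothing — confirm), and sites that do not use system accounts can comment it out rather than grant that access. The `pap` entry is correctly placed last and the explanation above it is good; I would keep the same "known good password" wording in the `unix` comment so the two read as one mechanism.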
# as defined in the preproxy_users file.
# files
+ # Uncomment the following line if you want to filter requests
+ # sent to remote servers based on the rules defined in the
+ # 'attrs.pre-proxy' file.
+# attr_filter.pre-proxy
+
# If you want to have a log of packets proxied to a home
# server, un-comment the following line, and the
# 'detail pre_proxy_log' section, above.
# Uncomment the following line if you want to filter replies from
# remote proxies based on the rules defined in the 'attrs' file.
-
-# attr_filter
+# attr_filter.post-proxy
#
# If you are proxying LEAP, you MUST configure the EAP