<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.3059" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Hi, <BR>I need help configuring MAC-based
authentication. <BR>I use FreeRADIUS 1.0.1 and OpenLDAP 2.0.27-17. The config
from the <BR>HP switch to the RADIUS server is OK. <BR>In LDAP there are the MAC
addresses of all my laptops, stored as "macAddress". </FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>LDAP: <BR>ldapsearch -LL -x -H ldap://atmacldapsr01 -D
<BR>cn=Manager,o=wuestenrot,c=at -w secret -b
<BR>ou=workstation,o=wuestenrot,c=at macAddress=00:1E:37:1C:5F:D4
</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>wueroRechnername: ATTSBGVARR40<BR>macAddress:
00:06:1B:CA:53:64 </FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>I only want RADIUS to check in LDAP whether the
MAC address <BR>exists. If the MAC exists, go to VLAN 5, else go to VLAN 10.
<BR>Does anyone have an idea where my problem is, or a good howto?<BR>Is it right
to do this with checkval? The users file?<BR>Does anyone have an
example?</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>As a next step, I want to do checks via an external
script. Where do I <BR>activate this feature? </FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Please help me. <BR>Thanks a lot <BR>andi
</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>RADIUS: <BR>[root@atmacradsr01 raddb]# radiusd
-Xf<BR>Starting - reading configuration files ...<BR>reread_config:
reading radiusd.conf<BR>Config: including file:
/etc/raddb/proxy.conf<BR>Config: including file:
/etc/raddb/clients.conf<BR>Config: including file:
/etc/raddb/snmp.conf<BR>Config: including file:
/etc/raddb/eap.conf<BR> main: prefix = "/usr"<BR> main: localstatedir
= "/var"<BR> main: logdir = "/var/log/radius"<BR> main: libdir =
"/usr/lib"<BR> main: radacctdir = "/var/log/radius/radacct"<BR> main:
hostname_lookups = no<BR> main: max_request_time = 30<BR> main:
cleanup_delay = 5<BR> main: max_requests = 1024<BR> main:
delete_blocked_requests = 0<BR> main: port = 0<BR> main:
allow_core_dumps = no<BR> main: log_stripped_names = no<BR> main:
log_file = "/var/log/radius/radius.log"<BR> main: log_auth =
yes<BR> main: log_auth_badpass = no<BR> main: log_auth_goodpass =
no<BR> main: pidfile = "/var/run/radiusd/radiusd.pid"<BR> main: user =
"radiusd"<BR> main: group = "radiusd"<BR> main: usercollide =
no<BR> main: lower_user = "yes"<BR> main: lower_pass =
"yes"<BR> main: nospace_user = "no"<BR> main: nospace_pass =
"no"<BR> main: checkrad = "/usr/sbin/checkrad"<BR> main:
proxy_requests = yes<BR> proxy: retry_delay = 5<BR> proxy: retry_count
= 3<BR> proxy: synchronous = no<BR> proxy: default_fallback =
yes<BR> proxy: dead_time = 120<BR> proxy: post_proxy_authorize =
yes<BR> proxy: wake_all_if_all_dead = no<BR> security: max_attributes
= 200<BR> security: reject_delay = 1<BR> security: status_server =
no<BR> main: debug_level = 0<BR>read_config_files: reading
dictionary<BR>read_config_files: reading naslist<BR>Using deprecated
naslist file. Support for this will go away
soon.<BR>read_config_files: reading clients<BR>read_config_files:
reading realms<BR>radiusd: entering modules setup<BR>Module: Library
search path is /usr/lib<BR>Module: Loaded exec <BR> exec: wait =
yes<BR> exec: program = "(null)"<BR> exec: input_pairs =
"request"<BR> exec: output_pairs = "(null)"<BR> exec: packet_type =
"(null)"<BR>rlm_exec: Wait=yes but no output defined. Did you mean
output=none?<BR>Module: Instantiated exec (exec) <BR>Module: Loaded expr
<BR>Module: Instantiated expr (expr) <BR>Module: Loaded LDAP <BR> ldap:
server = "atmacldapsr01"<BR> ldap: port = 389<BR> ldap: net_timeout =
1<BR> ldap: timeout = 4<BR> ldap: timelimit = 3<BR> ldap:
identity = "cn=Manager,o=wuestenrot,c=at"<BR> ldap: tls_mode =
no<BR> ldap: start_tls = no<BR> ldap: tls_cacertfile =
"(null)"<BR> ldap: tls_cacertdir = "(null)"<BR> ldap: tls_certfile =
"(null)"<BR> ldap: tls_keyfile = "(null)"<BR> ldap: tls_randfile =
"(null)"<BR> ldap: tls_require_cert = "allow"<BR> ldap: password =
"secret"<BR> ldap: basedn =
"ou=workstation,o=wuestenrot,c=at"<BR> ldap: filter =
"(macAddress=%{User-Name})"<BR> ldap: base_filter =
"(objectclass=radiusprofile)"<BR> ldap: default_profile =
"(null)"<BR> ldap: profile_attribute = "(null)"<BR> ldap:
password_header = "(null)"<BR> ldap: password_attribute =
"(null)"<BR> ldap: access_attr = "(null)"<BR> ldap:
groupname_attribute = "cn"<BR> ldap: groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"<BR> ldap:
groupmembership_attribute = "(null)"<BR> ldap: dictionary_mapping =
"/etc/raddb/ldap.attrmap"<BR> ldap: ldap_debug = 0<BR> ldap:
ldap_connections_number = 5<BR> ldap: compare_check_items =
no<BR> ldap: access_attr_used_for_allow = yes<BR> ldap: do_xlat =
yes<BR>rlm_ldap: Registering ldap_groupcmp for Ldap-Group<BR>rlm_ldap:
Registering ldap_xlat with xlat_name ldap<BR>rlm_ldap: reading
ldap<->radius mappings from file /etc/raddb/ldap.attrmap<BR>rlm_ldap: LDAP
radiusCheckItem mapped to RADIUS $GENERIC$<BR>rlm_ldap: LDAP radiusReplyItem
mapped to RADIUS $GENERIC$<BR>rlm_ldap: LDAP macAddress mapped to RADIUS
User-Name<BR>rlm_ldap: LDAP radiusAuthType mapped to RADIUS
Auth-Type<BR>rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS
Simultaneous-Use<BR>rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS
Called-Station-Id<BR>rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS
Calling-Station-Id<BR>rlm_ldap: LDAP sambaLMPassword mapped to RADIUS
LM-Password<BR>rlm_ldap: LDAP sambaNTPassword mapped to RADIUS
NT-Password<BR>rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS
SMB-Account-CTRL-TEXT<BR>rlm_ldap: LDAP radiusExpiration mapped to RADIUS
Expiration<BR>rlm_ldap: LDAP radiusServiceType mapped to RADIUS
Service-Type<BR>rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS
Framed-Protocol<BR>rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS
Framed-IP-Address<BR>rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS
Framed-IP-Netmask<BR>rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS
Framed-Route<BR>rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS
Framed-Routing<BR>rlm_ldap: LDAP radiusFilterId mapped to RADIUS
Filter-Id<BR>rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS
Framed-MTU<BR>rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS
Framed-Compression<BR>rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS
Login-IP-Host<BR>rlm_ldap: LDAP radiusLoginService mapped to RADIUS
Login-Service<BR>rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS
Login-TCP-Port<BR>rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS
Callback-Number<BR>rlm_ldap: LDAP radiusCallbackId mapped to RADIUS
Callback-Id<BR>rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS
Framed-IPX-Network<BR>rlm_ldap: LDAP radiusClass mapped to RADIUS
Class<BR>rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS
Session-Timeout<BR>rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS
Idle-Timeout<BR>rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS
Termination-Action<BR>rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS
Login-LAT-Service<BR>rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS
Login-LAT-Node<BR>rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS
Login-LAT-Group<BR>rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
Framed-AppleTalk-Link<BR>rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped
to RADIUS Framed-AppleTalk-Network<BR>rlm_ldap: LDAP
radiusFramedAppleTalkZone mapped to RADIUS
Framed-AppleTalk-Zone<BR>rlm_ldap: LDAP radiusPortLimit mapped to RADIUS
Port-Limit<BR>rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS
Login-LAT-Port<BR>conns: 0x8bb05a8<BR>Module: Instantiated ldap (ldap)
<BR>Module: Loaded preprocess <BR> preprocess: huntgroups =
"/etc/raddb/huntgroups"<BR> preprocess: hints =
"/etc/raddb/hints"<BR> preprocess: with_ascend_hack =
no<BR> preprocess: ascend_channels_per_line = 23<BR> preprocess:
with_ntdomain_hack = no<BR> preprocess: with_specialix_jetstream_hack =
no<BR> preprocess: with_cisco_vsa_hack = no<BR>Module: Instantiated
preprocess (preprocess) <BR>Module: Loaded detail <BR> detail: detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"<BR> detail:
detailperm = 384<BR> detail: dirperm = 493<BR> detail: locking =
no<BR>Module: Instantiated detail (auth_log) <BR>Module: Loaded checkval
<BR> checkval: item-name = "User-Name"<BR> checkval: check-name =
"macAddress"<BR> checkval: data-type = "string"<BR> checkval:
notfound-reject = no<BR>rlm_checkval: Registered name macAddress for attribute
1671<BR>Module: Instantiated checkval (checkval) <BR>Module: Loaded
Acct-Unique-Session-Id <BR> acct_unique: key = "User-Name, Acct-Session-Id,
NAS-IP-Address, <BR>Client-IP-Address, NAS-Port"<BR>Module: Instantiated
acct_unique (acct_unique) <BR>Module: Loaded realm <BR> realm: format =
"suffix"<BR> realm: delimiter = "@"<BR> realm: ignore_default =
no<BR> realm: ignore_null = no<BR>Module: Instantiated realm (suffix)
<BR>Module: Loaded files <BR> files: usersfile =
"/etc/raddb/users"<BR> files: acctusersfile =
"/etc/raddb/acct_users"<BR> files: preproxy_usersfile =
"/etc/raddb/preproxy_users"<BR> files: compat = "no"<BR>Module:
Instantiated files (files) <BR> detail: detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"<BR> detail:
detailperm = 384<BR> detail: dirperm = 493<BR> detail: locking =
no<BR>Module: Instantiated detail (detail) <BR>Module: Loaded radutmp
<BR> radutmp: filename = "/var/log/radius/radutmp"<BR> radutmp:
username = "%{User-Name}"<BR> radutmp: case_sensitive =
yes<BR> radutmp: check_with_nas = yes<BR> radutmp: perm =
384<BR> radutmp: callerid = yes<BR>Module: Instantiated radutmp (radutmp)
<BR>Module: Loaded eap <BR> eap: default_eap_type = "md5"<BR> eap:
timer_expire = 60<BR> eap: ignore_unknown_eap_types = no<BR> eap:
cisco_accounting_username_bug = no<BR>rlm_eap: Loaded and initialized type
md5<BR>rlm_eap: Loaded and initialized type leap<BR> gtc: challenge =
"Password: "<BR> gtc: auth_type = "PAP"<BR>rlm_eap: Loaded and initialized
type gtc<BR> mschapv2: with_ntdomain_hack = no<BR>rlm_eap: Loaded and
initialized type mschapv2<BR>Module: Instantiated eap (eap) <BR>Listening on
authentication *:1812<BR>Listening on accounting *:1813<BR>Listening on proxy
*:1814<BR>Ready to process requests.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Now I connect a laptop to the switch and this is
shown on the RADIUS server: <BR>rad_recv: Access-Request packet from host
192.168.10.1:1024,
id=241,length=183<BR> Framed-MTU =
9178<BR> NAS-IP-Address =
192.168.10.1<BR> NAS-Identifier =
"MAC-VAR"<BR> User-Name =
"00:06:1b:ca:53:64"<BR> Service-Type =
Framed-User<BR> Framed-Protocol =
PPP<BR> NAS-Port =
17<BR> NAS-Port-Type =
Ethernet<BR> NAS-Port-Id =
"17"<BR> Called-Station-Id =
"00-18-fe-e6-36-ef"<BR>
Calling-Station-Id =
"00-06-1b-ca-53-64"<BR> Connect-Info =
"CONNECT Ethernet 100Mbps Full
duplex"<BR> CHAP-Password =
0x50eec0218f3e8b36308a4c070b9eca0267<BR> Processing the authorize section
of radiusd.conf<BR>modcall: entering group authorize for request 0<BR>
modcall[authorize]: module "preprocess" returns ok for request
0<BR>radius_xlat:
'/var/log/radius/radacct/192.168.10.1/auth-detail-20080328'<BR>rlm_detail:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to
/var/log/radius/radacct/192.168.10.1/auth-detail-20080328<BR>
modcall[authorize]: module "auth_log" returns ok for request 0<BR>rlm_ldap: -
authorize<BR>rlm_ldap: performing user authorization for
00:06:1b:ca:53:64<BR>radius_xlat:
'(macAddress=00:06:1b:ca:53:64)'<BR>radius_xlat:
'ou=workstation,o=wuestenrot,c=at'<BR>rlm_ldap: ldap_get_conn: Checking Id:
0<BR>rlm_ldap: ldap_get_conn: Got Id: 0<BR>rlm_ldap: attempting LDAP
reconnection<BR>rlm_ldap: (re)connect to atmacldapsr01:389, authentication
0<BR>rlm_ldap: bind as cn=Manager,o=wuestenrot,c=at/secret to
atmacldapsr01:389<BR>rlm_ldap: waiting for bind result ...<BR>rlm_ldap: Bind was
successful<BR>rlm_ldap: performing search in ou=workstation,o=wuestenrot,c=at,
<BR>with filter (macAddress=00:06:1b:ca:53:64)<BR>rlm_ldap: looking for check
items in directory...<BR>rlm_ldap: Adding macAddress as User-Name, value
00:06:1B:CA:53:64 & op=21<BR>rlm_ldap: looking for reply items in
directory...<BR>rlm_ldap: user 00:06:1b:ca:53:64 authorized to use remote
access<BR>rlm_ldap: ldap_release_conn: Release Id: 0<BR>
modcall[authorize]: module "ldap" returns ok for request 0<BR>rlm_checkval: Item
Name: User-Name, Value: 00:06:1b:ca:53:64<BR>rlm_checkval: Could not find
attribute named macAddress in check pairs<BR> modcall[authorize]: module
"checkval" returns notfound for request 0<BR>modcall: group authorize returns ok
for request 0<BR> rad_check_password: Found Auth-Type LDAP<BR>auth:
type "LDAP"<BR> Processing the authenticate section of
radiusd.conf<BR>modcall: entering group Auth-Type for request 0<BR>rlm_ldap: -
authenticate<BR>rlm_ldap: Attribute "User-Password" is required for
authentication. <BR>Cannot use "CHAP-Password".<BR> modcall[authenticate]:
module "ldap" returns invalid for request 0<BR>modcall: group Auth-Type returns
invalid for request 0<BR>auth: Failed to validate the user.<BR>Login incorrect:
[00:06:1b:ca:53:64] (from client private-network-1 <BR>port 17 cli
00-06-1b-ca-53-64)<BR>Delaying request 0 for 1 seconds<BR>Finished request
0<BR>Going to the next request<BR>--- Walking the entire request list
---<BR>Waking up in 1 seconds...<BR>--- Walking the entire request list
---<BR>Waking up in 1 seconds...<BR>--- Walking the entire request list
---<BR>Sending Access-Reject of id 241 to 192.168.10.1:1024<BR>Waking up in 4
seconds...<BR>--- Walking the entire request list ---<BR>Cleaning up request 0
ID 241 with timestamp 47eca277<BR>Nothing to do. Sleeping until we see a
request.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>These are my config files: <BR>cat ldap.attrmap
<BR>checkItem $GENERIC$ radiusCheckItem<BR>replyItem $GENERIC$ radiusReplyItem</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>checkItem User-Name macAddress<BR>checkItem
Auth-Type radiusAuthType<BR>checkItem Simultaneous-Use
radiusSimultaneousUse<BR>checkItem Called-Station-Id
radiusCalledStationId<BR>checkItem Calling-Station-Id
radiusCallingStationId<BR>checkItem LM-Password sambaLMPassword<BR>checkItem
NT-Password sambaNTPassword<BR>checkItem SMB-Account-CTRL-TEXT
sambaAcctFlags<BR>checkItem Expiration radiusExpiration</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>replyItem Service-Type radiusServiceType<BR>replyItem
Framed-Protocol radiusFramedProtocol<BR>replyItem Framed-IP-Address
radiusFramedIPAddress<BR>replyItem Framed-IP-Netmask
radiusFramedIPNetmask<BR>replyItem Framed-Route radiusFramedRoute<BR>replyItem
Framed-Routing radiusFramedRouting<BR>replyItem Filter-Id
radiusFilterId<BR>replyItem Framed-MTU radiusFramedMTU<BR>replyItem
Framed-Compression radiusFramedCompression<BR>replyItem Login-IP-Host
radiusLoginIPHost<BR>replyItem Login-Service radiusLoginService<BR>replyItem
Login-TCP-Port radiusLoginTCPPort<BR>replyItem Callback-Number
radiusCallbackNumber<BR>replyItem Callback-Id radiusCallbackId<BR>replyItem
Framed-IPX-Network radiusFramedIPXNetwork<BR>replyItem Class
radiusClass<BR>replyItem Session-Timeout radiusSessionTimeout<BR>replyItem
Idle-Timeout radiusIdleTimeout<BR>replyItem Termination-Action
radiusTerminationAction<BR>replyItem Login-LAT-Service
radiusLoginLATService<BR>replyItem Login-LAT-Node
radiusLoginLATNode<BR>replyItem Login-LAT-Group
radiusLoginLATGroup<BR>replyItem Framed-AppleTalk-Link
radiusFramedAppleTalkLink<BR>replyItem Framed-AppleTalk-Network
radiusFramedAppleTalkNetwork<BR>replyItem Framed-AppleTalk-Zone
radiusFramedAppleTalkZone<BR>replyItem Port-Limit radiusPortLimit<BR>replyItem
Login-LAT-Port radiusLoginLATPort</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>File clients.conf (I only added my segment): <BR>client
192.168.10.0/24 { <BR>
secret = testing123-1 <BR>
shortname = private-network-1 <BR>}
</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>File users (I only added LDAP as Auth-Type): <BR># First
setup all accounts to be checked against the UNIX /etc/passwd. <BR># (Unless a
password was already given earlier in this file). <BR>#
<BR>DEFAULT Auth-Type = LDAP
<BR> Fall-Through = 1 </FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2># <BR># Set up different IP address pools for the
terminal servers. <BR># Note that the "+" behind the IP address means that this
is the "base" <BR># IP address. The Port-Id (S0, S1 etc) will be added to it.
</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>File radiusd.conf: </FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>prefix = /usr<BR>exec_prefix = /usr<BR>sysconfdir =
/etc<BR>localstatedir = /var<BR>sbindir = /usr/sbin<BR>logdir =
${localstatedir}/log/radius<BR>raddbdir = ${sysconfdir}/raddb<BR>radacctdir =
${logdir}/radacct</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>confdir = ${raddbdir}<BR>run_dir =
${localstatedir}/run/radiusd<BR>log_file = ${logdir}/radius.log</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>libdir = /usr/lib</FONT></DIV>
<DIV><FONT face=Arial size=2><BR>pidfile = ${run_dir}/radiusd.pid</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>user = radiusd<BR>group = radiusd</FONT></DIV>
<DIV><FONT face=Arial size=2><BR>max_request_time = 30</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>delete_blocked_requests = no</FONT></DIV>
<DIV><FONT face=Arial size=2><BR>cleanup_delay = 5</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>max_requests = 1024</FONT></DIV>
<DIV><FONT face=Arial size=2>bind_address = *</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>port = 0</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>#listen {<BR> # IP address on which to
listen.<BR> # Allowed values are:<BR> # dotted quad
(1.2.3.4)<BR> #
hostname
(radius.example.com)<BR> #
wildcard (*)<BR># ipaddr = *</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2> # Port on which to
listen.<BR> # Allowed values are:<BR> # integer port number
(1812)<BR> # 0 means "use /etc/services for the proper port"<BR># port =
0</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2> # Type of packets to listen
for.<BR> # Allowed values are:<BR> # auth listen for
authentication packets<BR> # acct listen for accounting
packets<BR> #<BR># type = auth<BR>#}</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2># hostname_lookups: Log the names of clients
or just their IP addresses<BR># allowed values: {no,
yes}<BR>#<BR>hostname_lookups = no</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2># Core dumps are a bad thing. This
should only be set to 'yes'<BR># if you're debugging a problem with the
server.<BR># allowed values: {no, yes}<BR>allow_core_dumps =
no</FONT></DIV>
<DIV><FONT face=Arial size=2>regular_expressions = yes<BR>extended_expressions =
yes</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2># Log the full User-Name attribute, as it was
found in the request.<BR>#<BR># allowed values: {no,
yes}<BR>#<BR>log_stripped_names = no</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2># Log authentication requests to the log
file.<BR>#<BR># allowed values: {no, yes}<BR>#<BR>log_auth =
yes</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2># Log passwords with the authentication
requests.<BR># log_auth_badpass - logs password if it's
rejected<BR># log_auth_goodpass - logs password if it's
correct<BR>#<BR># allowed values: {no, yes}<BR>#<BR>log_auth_badpass =
no<BR>log_auth_goodpass = no</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2># usercollide: Turn "username collision" code
on and off. See the<BR># "doc/duplicate-users" file<BR>usercollide =
no</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2># Default is 'no' (don't lowercase values)<BR>#
Valid values = "before" / "after" / "no"<BR>#<BR>#lower_user = no<BR>#lower_pass
= no</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>lower_user = yes<BR>lower_pass = yes</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2># nospace_user / nospace_pass:<BR># Some
users like to enter spaces in their username or password<BR>#
incorrectly. To save yourself the tech support call, you can<BR>#
eliminate those spaces here:<BR># Default is 'no' (don't remove spaces)<BR>#
Valid values = "before" / "after" / "no" (explanation above)<BR>nospace_user =
no<BR>nospace_pass = no</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2># The program to execute to do concurrency
checks.<BR>checkrad = ${sbindir}/checkrad</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2># SECURITY CONFIGURATION<BR>#<BR>security
{<BR> #<BR> max_attributes = 200</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> reject_delay = 1</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> status_server = no<BR>}</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2># PROXY CONFIGURATION<BR># proxy_requests:
Turns proxying of RADIUS requests on or off.<BR># allowed values: {no,
yes}<BR>proxy_requests = yes<BR>$INCLUDE
${confdir}/proxy.conf</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2># CLIENTS CONFIGURATION<BR># The
'clients.conf' file contains all of the information from the old<BR>#
'clients' and 'naslist' configuration files. We recommend that
you<BR># do NOT use 'client's or 'naslist', although they are
still<BR># supported.<BR># Anything listed in 'clients.conf' will
take precedence over the<BR># information from the old-style configuration
files.<BR>$INCLUDE ${confdir}/clients.conf</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2># SNMP CONFIGURATION<BR># 'snmp' attribute to
'yes'<BR>snmp = no<BR>$INCLUDE ${confdir}/snmp.conf</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2># THREAD POOL CONFIGURATION<BR># The thread
pool is a long-lived group of threads which<BR># take turns (round-robin)
handling any incoming requests.<BR>#<BR>thread pool {<BR> # Number of
servers to start initially --- should be a reasonable<BR> # ballpark
figure.<BR> start_servers = 5</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # Limit on the total number of servers
running.<BR> #<BR> max_servers = 32</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # Server-pool size regulation.
Rather than making you guess<BR> min_spare_servers =
3<BR> max_spare_servers = 10</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # '0' is a special value meaning
'infinity', or 'the servers never<BR> #
exit'<BR> max_requests_per_server = 0<BR>}</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2># MODULE CONFIGURATION<BR>#<BR>modules
{<BR> #<BR> # Each module has a configuration as
follows:<BR> #<BR> # name [ instance ] {<BR> # config_item
= value<BR> # ...<BR> # }<BR> #<BR> # The 'name'
is used to load the 'rlm_name' library<BR> # which implements the
functionality of the module.<BR> #<BR> # Supports multiple
encryption schemes<BR> # clear: Clear text<BR> # crypt:
Unix crypt<BR> # md5: MD5
encryption<BR> # sha1: SHA1 encryption.<BR> #
DEFAULT: crypt<BR> # commented out<BR> #pap {<BR> #
encryption_scheme = crypt<BR> #}</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # CHAP module<BR> #<BR> # To
authenticate requests containing a CHAP-Password
attribute.<BR> #<BR> # commented out<BR> #chap {<BR> #
authtype = CHAP<BR> #}</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # Pluggable Authentication
Modules<BR> #<BR> # For Linux, see:<BR> # <A
href="http://www.kernel.org/pub/linux/libs/pam/index.html">http://www.kernel.org/pub/linux/libs/pam/index.html</A><BR> #<BR> #
WARNING: On many systems, the system PAM libraries
have<BR> #
memory leaks! We STRONGLY SUGGEST that you do
not<BR> # use PAM for authentication, due to those
memory leaks.<BR> #<BR> #pam {<BR> #<BR> #}</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> #<BR>$INCLUDE
${confdir}/eap.conf</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # Lightweight Directory Access Protocol
(LDAP)<BR> #<BR> # This module definition allows you to use LDAP
for<BR> # authorization and authentication (Auth-Type :=
LDAP)<BR> #<BR> # See doc/rlm_ldap for description of
configuration options <BR> # and sample authorize{} and
authenticate{} blocks <BR> ldap {<BR> server =
"atmacldapsr01"<BR> identity = "cn=Manager,o=wuestenrot,c=at"<BR>
password = secret<BR> basedn =
"ou=workstation,o=wuestenrot,c=at"<BR> #filter =
"(uid=%{Stripped-User-Name:-%{User-Name}})"<BR> filter =
"(macAddress=%{User-Name})"<BR> #filter =
"(macAddress=%{Stripped-User-Name:-%{User-Name}})"<BR> # base_filter =
"(objectclass=radiusprofile)"</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # set this to 'yes' to use TLS encrypted
connections<BR> # to the LDAP database by using the StartTLS
extended<BR> # operation.<BR> # The StartTLS operation is supposed
to be used with normal<BR> # ldap connections instead of using ldaps (port
636) connections<BR> start_tls = no</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # tls_cacertfile =
/path/to/cacert.pem<BR> # tls_cacertdir = /path/to/ca/dir/<BR>
# tls_certfile = /path/to/radius.crt<BR> # tls_keyfile =
/path/to/radius.key<BR> # tls_randfile = /path/to/rnd<BR> #
tls_require_cert = "demand"</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # default_profile =
"cn=radprofile,ou=dialup,o=My Org,c=UA"<BR> # profile_attribute =
"radiusProfileDn"<BR> # commented out<BR> #access_attr =
"dialupAccess"</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # Mapping of RADIUS dictionary attributes to
LDAP<BR> # directory attributes.<BR> dictionary_mapping =
${raddbdir}/ldap.attrmap</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> ldap_connections_number = 5</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> #<BR> # password_attribute =
userPassword<BR> # groupname_attribute = cn<BR> #
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"<BR>
# groupmembership_attribute = radiusGroupName<BR> timeout = 4<BR>
timelimit = 3<BR> net_timeout = 1<BR> # compare_check_items =
yes<BR> # do_xlat = yes<BR> # access_attr_used_for_allow =
yes<BR> }</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> </FONT><FONT face=Arial size=2> #
'realm/username'<BR> #<BR> # Using this entry, IPASS users have
their realm set to "IPASS".<BR> realm IPASS {<BR> format =
prefix<BR> delimiter = "/"<BR> ignore_default = no<BR>
ignore_null = no<BR> }</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # 'username@realm'<BR> #<BR> realm
suffix {<BR> format = suffix<BR> delimiter = "@"<BR>
ignore_default = no<BR> ignore_null = no<BR> }</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> #
'username%realm'<BR> #<BR> realm realmpercent {<BR> format =
suffix<BR> delimiter = "%"<BR> ignore_default = no<BR>
ignore_null = no<BR> }</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> #<BR> #
'domain\user'<BR> #<BR> realm ntdomain {<BR> format =
prefix<BR> delimiter = "\\"<BR> ignore_default = no<BR>
ignore_null = no<BR> } </FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # A simple value checking
module<BR> #<BR> #<BR> # Regular expressions in the check
attribute value are allowed<BR> # as long as the operator is
'=~'<BR> #<BR> checkval {<BR> # The attribute to look for in the
request<BR> #item-name = Calling-Station-Id<BR> item-name =
User-Name<BR> <BR> # The attribute to look for in check items. Can
be multi valued<BR> #check-name = Calling-Station-Id<BR> check-name
= macAddress</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # The data type. Can be<BR> #
string,integer,ipaddr,date,abinary,octets<BR> data-type =
string</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # If set to yes and we dont find the
item-name attribute in the<BR> # request then we send back a
reject<BR> # DEFAULT is no<BR> #notfound-reject = no<BR>
#notfound-reject = no<BR> }<BR> <BR> # rewrite arbitrary
packets. Useful in accounting and authorization.<BR> # Backreferences
are supported: %{0} will contain the string the whole match<BR> # and %{1}
to %{8} will contain the contents of the 1st to the 8th
parentheses<BR> #<BR> # If max_matches is greater than one the
backreferences will correspond to the<BR> # first match</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> #<BR> #attr_rewrite sanecallerid
{<BR> # attribute = Called-Station-Id<BR> # may be "packet", "reply",
"proxy", "proxy_reply" or "config"<BR> # searchin = packet<BR> #
searchfor = "[+ ]"<BR> # replacewith = ""<BR> # ignore_case =
no<BR> # new_attribute = no<BR> # max_matches = 10<BR> # ## If
set to yes then the replace string will be appended to the original
string<BR> # append = no<BR> #}</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # Preprocess the incoming RADIUS request,
before handing it off<BR> # to other
modules.<BR> #<BR> preprocess {<BR> huntgroups =
${confdir}/huntgroups<BR> hints = ${confdir}/hints</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # This hack changes Ascend's weird port
numberings<BR> # to standard 0-??? port numbers so that the "+"
works<BR> # for IP address assignments.<BR> with_ascend_hack =
no<BR> ascend_channels_per_line = 23</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # Windows NT machines often authenticate
themselves as<BR> with_ntdomain_hack = no</FONT></DIV>
<DIV><FONT face=Arial size=2><BR> #<BR> # If you're not running a
Cisco NAS, you don't need<BR> # this hack.<BR> with_cisco_vsa_hack =
no<BR> }</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # Livingston-style 'users'
file<BR> #<BR> files {<BR> usersfile =
${confdir}/users<BR> acctusersfile = ${confdir}/acct_users</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # If you want to use the old Cistron
'users' file<BR> # with FreeRADIUS, you should change the next
line<BR> # to 'compat = cistron'. You can then copy your
'users'<BR> # file from Cistron.<BR> compat =
no<BR> }</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # Write a detailed log of all accounting
records received.<BR> #<BR> detail {<BR> detailfile =
${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d<BR> detailperm =
0600<BR> }</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> detail auth_log {<BR> detailfile =
${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> #<BR> # This MUST be 0600,
otherwise anyone can read<BR> # the users passwords!<BR> #
detailperm = 0600<BR> }</FONT></DIV>
<DIV> </DIV>
<DIV>
<DIV><FONT face=Arial size=2> # Create a unique accounting session
Id. Many NASes re-use or<BR> # repeat values for Acct-Session-Id,
causing no end of<BR> # confusion.<BR> acct_unique {<BR> key =
"User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port"<BR> }</FONT></DIV></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> radutmp {<BR> # Where the file is
stored. It's not a log file,<BR> # so it doesn't need
rotating.<BR> #<BR> filename = ${logdir}/radutmp</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> #<BR> # You may want instead:
%{Stripped-User-Name:-%{User-Name}}<BR> username =
%{User-Name}</FONT></DIV>
<DIV><FONT face=Arial size=2> #<BR> case_sensitive =
yes</FONT></DIV>
<DIV><FONT face=Arial size=2> #<BR> check_with_nas = yes
</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # Set the file permissions, as the contents
of this file<BR> # are usually private.<BR> perm = 0600</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> callerid = "yes"<BR> }</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # "Safe" radutmp - does not contain caller
ID, so it can be<BR> # world-readable, and radwho can work for normal
users, without<BR> # exposing any information that isn't already exposed by
who(1).<BR> #<BR> # This is another 'instance' of the radutmp module,
but it is given<BR> # the name "sradutmp" to identify it later in the
"accounting"<BR> # section.<BR> radutmp sradutmp {<BR> filename
= ${logdir}/sradutmp<BR> perm = 0644<BR> callerid =
"no"<BR> }</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # attr_filter - filters the attributes
received in replies from<BR> # proxied servers, to make sure we send back
to our RADIUS client<BR> # only allowed attributes.<BR> attr_filter
{<BR> attrsfile = ${confdir}/attrs<BR> }</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # counter module:<BR> #
DEFAULT Max-Daily-Session :=
36000<BR> #
Fall-Through = 1<BR> #<BR> # 'check-name'
attribute.<BR> #<BR> counter daily {<BR> filename =
${raddbdir}/db.daily<BR> key = User-Name<BR> count-attribute =
Acct-Session-Time<BR> reset = daily<BR> counter-name =
Daily-Session-Time<BR> check-name = Max-Daily-Session<BR>
allowed-servicetype = Framed-User<BR> cache-size =
5000<BR> }</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # The "Always" module is here for debugging
purposes. Each<BR> # instance simply returns the same result, always,
without<BR> # doing anything.<BR> always fail {<BR> rcode =
fail<BR> }<BR> always reject {<BR> rcode =
reject<BR> }<BR> always ok {<BR> rcode = ok<BR> simulcount
= 0<BR> mpp = no<BR> }</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> #<BR> # The 'expression' module
currently has no configuration.<BR> #<BR> # Attribute-Name =
`%{expr:2 + 3 + %{exec: uid -u}}`<BR> #<BR> # The value of the
attribute will be replaced with the output<BR> # of the program which
is executed. Due to RADIUS protocol<BR> # limitations, any
output over 253 bytes will be ignored.<BR> expr {<BR> }</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2> #<BR> # The 'digest' module
currently has no configuration.<BR> #<BR> # "Digest"
authentication against a Cisco SIP server.<BR> # See
'doc/rfc/draft-sterman-aaa-sip-00.txt' for details<BR> # on
performing digest authentication for Cisco SIP
servers.<BR> #<BR> digest {<BR> }</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2> #<BR> # Execute external
programs<BR> #<BR> exec {<BR> wait = yes<BR> program =
"/bin/echo %{User-Name}"<BR> input_pairs = request<BR> }</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2> execok {<BR> rcode =
ok<BR>}<BR> #<BR> # This is a more general example of the
execute module.<BR> # <BR> exec echo {<BR> #<BR> #
Wait for the program to finish.<BR> #<BR> # If we do NOT wait,
then the program is "fire and<BR> # forget", and any output
attributes from it are ignored.<BR> #<BR> # If we are looking
for the program to output<BR> # attributes, and want to add those
attributes to the<BR> # request, then we MUST wait for the program
to<BR> # finish, and therefore set 'wait=yes'<BR> #<BR>
# allowed values: {no, yes}<BR> wait = yes</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> #<BR> # The name of the program
to execute, and its<BR> # arguments. Dynamic translation is
done on this<BR> # field, so things like the following example
will<BR> # work.<BR> #<BR> program = "/bin/echo
%{User-Name}"</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> #<BR> # The attributes which are
placed into the<BR> # environment variables for the
program.<BR> #<BR> input_pairs = request</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2> #<BR> # Where to place the
output attributes (if any) from<BR> #<BR> output_pairs =
reply</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> #<BR> #<BR> #packet_type =
Access-Accept<BR> }</FONT></DIV>
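<DIV><FONT face=Arial size=2>The 'exec echo' instance above hands request attributes to the program as environment variables and, with wait = yes and output_pairs = reply, turns the "Attribute = value" lines it prints into reply attributes. The script below is an added example (not from the original post or the FreeRADIUS distribution) of a program that could be named in 'program ='; it assumes the switch sends the client MAC as Calling-Station-Id, uses a constructed inline allow-list in place of the LDAP macAddress lookup, and answers with the RFC 3580 VLAN attributes using the VLAN numbers from the question.</FONT></DIV>

```shell
#!/bin/sh
# Added example script for the 'exec echo' module (not part of the original
# post). rlm_exec exports request attributes as environment variables, with
# the name upper-cased and '-' turned into '_' (Calling-Station-Id becomes
# CALLING_STATION_ID). With wait = yes and output_pairs = reply, every
# "Attribute = value" line printed on stdout is added to the reply; exit 0
# means ok, a non-zero exit status fails the request.

# Constructed stand-in for the LDAP macAddress lookup (the two MACs quoted in
# the question), one normalised MAC per line.
ALLOWED_MACS="00:1e:37:1c:5f:d4
00:06:1b:ca:53:64"

# Switches send the MAC in several spellings (00-1E-37-1C-5F-D4, 001e371c5fd4,
# 00:1e:37:1c:5f:d4); bring all of them to lower-case colon form first.
normalize_mac() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':.-' | sed 's/../&:/g; s/:$//'
}

# Print the VLAN for a MAC: 5 when it is on the list, 10 otherwise (the
# assignment the question asks for). Always returns 0, i.e. Access-Accept.
vlan_for_mac() {
    mac=$(normalize_mac "$1")
    if printf '%s\n' "$ALLOWED_MACS" | grep -qxF "$mac"; then
        echo 5
    else
        echo 10
    fi
}

# Print the RFC 3580 tunnel attributes the switch needs to put the port into
# the VLAN. Each line stays well under the 253-byte limit noted above.
reply_for_mac() {
    vlan=$(vlan_for_mac "$1")
    echo 'Tunnel-Type = VLAN'
    echo 'Tunnel-Medium-Type = IEEE-802'
    echo "Tunnel-Private-Group-Id = \"$vlan\""
}

# Entry point when rlm_exec runs the script; does nothing when the variable
# is absent, so the functions can be exercised on their own.
if [ -n "${CALLING_STATION_ID:-}" ]; then
    reply_for_mac "$CALLING_STATION_ID"
    exit 0
fi
```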
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # Do server side ip pool management.
Should be added in post-auth and<BR> # accounting
sections.<BR>
*********<BR> #<BR> ippool main_pool {</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # range-start,range-stop: The start
and end ip<BR> # addresses for the ip pool<BR> range-start =
192.168.1.1<BR> range-stop = 192.168.3.254</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # netmask: The network mask used for
the ip's<BR> netmask = 255.255.255.0</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # cache-size: The gdbm cache size for
the db<BR> # files. Should be equal to the number of ip's<BR>
# available in the ip pool<BR> cache-size = 800</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # session-db: The main db file used to
allocate ip's to clients<BR> session-db =
${raddbdir}/db.ippool</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # ip-index: Helper db index file used in
multilink<BR> ip-index = ${raddbdir}/db.ipindex</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # override: Will this ippool override a
Framed-IP-Address already set<BR> override = no</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # maximum-timeout: If not zero specifies the
maximum time in seconds an<BR> # entry may be active. Default: 0<BR>
maximum-timeout = 0<BR> }</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # ANSI X9.9 token support. Not included
by default.<BR> # $INCLUDE ${confdir}/x99.conf</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>}</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2># Instantiation<BR>#<BR># This section orders
the loading of the modules. Modules<BR># listed here will get loaded
BEFORE the later sections like<BR># authorize, authenticate, etc. get
examined.<BR>#<BR>instantiate {<BR> #<BR> # Allows the execution
of external scripts.<BR> # The entire command line (and output) must
fit into 253 bytes.<BR> #<BR> # e.g. Framed-Pool =
`%{exec:/bin/echo foo}`<BR> exec</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> #<BR> # The expression module
doesn't do authorization,<BR> # authentication, or accounting.
It only does dynamic<BR> # translation, of the
form:<BR> #<BR> # Session-Timeout = `%{expr:2 +
3}`<BR> #<BR> #<BR> expr</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> #<BR> # We add the counter module here
so that it registers<BR> # the check-name attribute before any module which
sets<BR> # it<BR># daily<BR>}</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2># Authorization. First preprocess (hints and
huntgroups files),<BR># then realms, and finally look in the "users"
file.<BR>authorize {<BR> #<BR> # The preprocess module takes
care of sanitizing some bizarre<BR> # attributes in the request, and
turning them into attributes<BR> # which are more
standard.<BR> #<BR> # It takes care of processing the
'raddb/hints' and the<BR> # 'raddb/huntgroups'
files.<BR> #<BR> # It also adds the %{Client-IP-Address}
attribute to the request.<BR> preprocess</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> #<BR> # If you want to have a log
of authentication requests,<BR> # un-comment the following line, and
the 'detail auth_log'<BR> # section, above.<BR> auth_log<BR>#
attr_filter</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> #<BR> # The chap module will set
'Auth-Type := CHAP' if we are<BR> # handling a CHAP request and
Auth-Type has not already been set<BR> #chap</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> #<BR> # If the users are logging
in with an MS-CHAP-Challenge<BR> #mschap</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> #<BR> # If you have a Cisco SIP
server authenticating against<BR> # FreeRADIUS, uncomment the
following line, and the 'digest'<BR> # line in the 'authenticate'
section.<BR># digest</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> #<BR> # Look for IPASS style
'realm/', and if not found, look for<BR> # '@realm', and decide whether or not to proxy, based
on<BR> # that.<BR># IPASS</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> #<BR> # If you are using multiple
kinds of realms, you probably<BR> # want to set "ignore_null = yes"
for all of them.<BR> # Otherwise, when the first style of realm
doesn't match,<BR> # the other styles won't be
checked.<BR> #<BR># suffix<BR># ntdomain</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> #<BR> # This module takes care of
EAP-MD5, EAP-TLS, and EAP-LEAP<BR> #
authentication.<BR> #<BR> # It also sets the EAP-Type attribute
in the request<BR> # attribute list to the EAP type from the
packet.<BR> #commented out<BR> #eap</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> #<BR> # Read the 'users'
file<BR> #commented out<BR> #files</FONT></DIV>
<DIV>
<DIV><FONT face=Arial size=2></FONT></DIV></DIV>
<DIV><FONT face=Arial size=2> #<BR> # The ldap module will set
Auth-Type to LDAP if it has not<BR> # already been
set<BR> ldap<BR> #<BR> # Enforce daily limits on time spent
logged in.<BR># daily</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> #<BR> # Use the checkval
module<BR> ##commented out<BR> checkval<BR>}</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2># Authentication.<BR></FONT><FONT face=Arial
size=2>#<BR># The common reasons to set the Auth-Type attribute by
hand<BR># is to either forcibly reject the user, or forcibly accept
him.<BR>#<BR>authenticate {<BR> Auth-Type LDAP {<BR> #exec<BR>
ldap <BR> }</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>}</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>#<BR># Pre-accounting. Decide which
accounting type to use.<BR>#<BR>preacct {<BR> preprocess</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> #<BR> # Ensure that we have a
semi-unique identifier for every<BR> # request, and many NAS boxes
are broken.<BR> acct_unique</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2># IPASS<BR> suffix<BR># ntdomain</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> #<BR> # Read the 'acct_users'
file<BR> files<BR>}</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>#<BR># Accounting. Log the accounting
data.<BR>#<BR>accounting {<BR> #<BR>detail<BR># daily</FONT></DIV>
<DIV><FONT face=Arial size=2><BR> radutmp<BR># sradutmp</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # Return an address to the IP Pool when
we see a stop record.<BR># main_pool</FONT></DIV>
<DIV><FONT face=Arial size=2># Cisco VoIP specific bulk accounting<BR>#
pgsql-voip</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>}</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2># Session database, used for checking
Simultaneous-Use. Either the radutmp <BR># The rlm_sql module is *much*
faster<BR>session {<BR> radutmp</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> #<BR> # See "Simultaneous Use
Checking Queries" in sql.conf<BR># sql<BR>}</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2># Post-Authentication<BR># Once we KNOW
that the user has been authenticated, there are<BR># additional steps we
can take.<BR>post-auth {<BR> # Get an address from the IP Pool.<BR>#
main_pool</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> #<BR> # If you want to have a log
of authentication replies,<BR> # un-comment the following line, and
the 'detail reply_log'<BR> # section, above.<BR>#
reply_log</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> #<BR> # After authenticating the
user, do another SQL query.<BR> #<BR> # See "Authentication
Logging Queries" in sql.conf<BR># sql</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> #<BR> # Access-Reject packets are
sent through the REJECT sub-section<BR> # of the post-auth
section.<BR> #<BR># Post-Auth-Type REJECT {<BR>#
insert-module-name-here<BR># }</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>}</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>#<BR>#<BR># Only a few modules currently have
this method.<BR>#<BR>pre-proxy {<BR># attr_rewrite</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2># pre_proxy_log<BR>}</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>#<BR>post-proxy {</FONT><FONT face=Arial
size=2><BR># post_proxy_log</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2># attr_rewrite</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> # Uncomment the following line if you
want to filter replies from<BR> # remote proxies based on the rules
defined in the 'attrs' file.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2># attr_filter</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> #<BR> # If you are proxying LEAP,
you MUST configure the EAP<BR> # module, and you MUST list it here,
in the post-proxy<BR> #<BR> eap<BR>}</FONT></DIV></BODY></HTML>