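# FreeRADIUS server configuration (radiusd.conf style), with proxy, client,
# module and virtual-server sections inlined instead of $INCLUDEd.
#
# NOTE(review): this copy was re-indented from a whitespace-collapsed paste.
# Where a commented-out entry ends and the next live entry begins was inferred
# from the config syntax; compare against the deployed file before relying on it.
#
# NOTE(review): this file holds cleartext secrets (shared secrets, private key
# password). Keep it readable only by the radiusd user and out of public copies.

prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}

# NOTE(review): top-level log_auth = yes disagrees with "auth = no" inside the
# log { } section below; which one takes effect depends on the server version.
# Confirm that authentication attempts really are being logged.
log_auth = yes

run_dir = ${localstatedir}/run/radiusd
# Fixed: was "$(raddbdir)". Every other reference in this file uses the
# ${name} form; the parenthesised form would be kept as a literal string.
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/radiusd.pid

# Seconds a request may be processed, and seconds a reply is cached for
# retransmits, before the request is cleaned up.
max_request_time = 30
cleanup_delay = 5
max_requests = 1024

# Authentication listener. "ipaddr = *" binds every interface; port = 0
# selects the default RADIUS port.
# NOTE(review): if only the 10.1.11.0/24 LAN and localhost are served, binding
# to the specific interface address reduces exposure.
listen {
	type = auth
	ipaddr = *
	port = 0
}

# Accounting listener, same binding as above.
listen {
	ipaddr = *
	port = 0
	type = acct
}

hostname_lookups = no
# Core dumps stay disabled: a dump of this process could contain shared
# secrets and user credentials.
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes

log {
	destination = files
	file = ${logdir}/radius.log
	syslog_facility = daemon
	stripped_names = no
	# NOTE(review): auth = no means accepted/rejected authentications are not
	# written to the log, which removes the main signal for spotting password
	# guessing. Consider auth = yes while leaving the two password options off.
	auth = no
	# Keep both off so user passwords never land in the log file.
	auth_badpass = no
	auth_goodpass = no
}

checkrad = ${sbindir}/checkrad

security {
	# Packets carrying more attributes than this are dropped.
	max_attributes = 200
	# Seconds to hold an Access-Reject before sending it; slows repeated
	# guessing against the same account.
	reject_delay = 1
	# NOTE(review): Status-Server replies are enabled. They are protected only
	# by the client shared secret, so the weak secrets below matter here too.
	status_server = yes
}

# NOTE(review): proxying is enabled although the only realm visible here is
# handled LOCALly. If no upstream home server is used, confirm whether this
# needs to be on.
proxy_requests = yes

##### proxy #####
# $INCLUDE proxy.conf
realm NULL {
	type = radius
	authhost = LOCAL
	accthost = LOCAL
	# NOTE(review): two-character secret, same value as both clients below.
	secret = ss
}

###### clients ######
# $INCLUDE clients.conf
#
# NOTE(review): the shared secret is what protects the User-Password attribute
# and authenticates replies between NAS and server. "ss" is far too short and
# is reused for every client. Use a long random value, unique per client,
# and rotate the current one since it has been exposed in this copy.
client 127.0.0.1 {
	secret = ss
	shortname = localhost
	nastype = other
}

# Any host in 10.1.11.0/24 may act as a NAS with this one secret.
# NOTE(review): prefer one client entry per real NAS address over a whole
# subnet, so that a single workstation on the LAN cannot pose as a NAS.
client 10.1.11.0 {
	netmask = 24
	secret = ss
	shortname = LAN_clients
	nastype = other
}

snmp = no
# NOTE(review): snmp.conf is still included even though snmp = no above;
# check what that file enables.
$INCLUDE snmp.conf

thread pool {
	start_servers = 5
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	max_requests_per_server = 0
}

modules {
	# $INCLUDE ${confdir}/modules/

	#### acct_unique ####
	acct_unique {
		key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
	}

	### detail ####
	# Accounting detail files, one directory per client address, one file per day.
	detail {
		detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
		# Owner read/write only; accounting records identify users and sessions.
		detailperm = 0600
		header = "%t"
	}

	#### files ####
	files {
		usersfile = ${confdir}/users
		#acctusersfile = ${confdir}/acct_users
		#preproxy_usersfile = ${confdir}/preproxy_users
		compat = no
	}

	#### mschap ####
	mschap {
		authtype = MS-CHAP
	}

	#### pap ####
	pap {
		auto_header = no
	}

	#### preprocess ####
	preprocess {
		huntgroups = ${confdir}/huntgroups
		hints = ${confdir}/hints
		with_ascend_hack = no
		ascend_channels_per_line = 23
		with_ntdomain_hack = no
		with_specialix_jetstream_hack = no
		with_cisco_vsa_hack = no
	}

	#### realm ####
	realm suffix {
		format = suffix
		delimiter = "@"
	}

	######## eap #######
	eap {
		# NOTE(review): EAP-MD5 as the default outer method gives no server
		# authentication and produces no session keys. Prefer a tunnelled
		# method (peap/ttls/tls) as the default and disable md5 as an outer
		# method unless a client requires it.
		default_eap_type = md5
		timer_expire = 60
		ignore_unknown_eap_types = no
		cisco_accounting_username_bug = no

		md5 {
		}

		# NOTE(review): LEAP is a legacy method with known weaknesses; remove
		# this block unless a client still depends on it.
		leap {
		}

		gtc {
			auth_type = PAP
		}

		tls {
			certdir = ${confdir}/certs
			cadir = ${confdir}/certs
			# NOTE(review): "whatever" looks like an untouched sample password.
			# If server.pem is the sample certificate too, replace both; the
			# key file should be readable only by the radiusd user.
			private_key_password = whatever
			# Key and certificate are read from the same PEM file.
			private_key_file = ${certdir}/server.pem
			certificate_file = ${certdir}/server.pem
			CA_file = ${cadir}/ca.pem
			dh_file = ${certdir}/dh
			# NOTE(review): confirm this is a real entropy source and not a
			# static sample file shipped with the certificates.
			random_file = ${certdir}/random
			# NOTE(review): "DEFAULT" defers to whatever the linked TLS library
			# enables. Consider an explicit list that excludes weak suites.
			cipher_list = "DEFAULT"
			#make_cert_command = "${certdir}/bootstrap"
			fragment_size = 1024
			include_length = yes
		}

		ttls {
			# Inner method; protected by the TLS tunnel only if clients
			# validate the server certificate.
			default_eap_type = md5
			#copy_request_to_tunnel = no
			#use_tunneled_reply = no
			use_tunneled_reply = yes
			# NOTE(review): with virtual_server commented out, inner-tunnel
			# requests appear to go through the same authorize/authenticate
			# sections as outer requests. Confirm that is intended.
			#virtual_server = "inner-tunnel"
		}

		peap {
			default_eap_type = mschapv2
			proxy_tunneled_request_as_eap = yes
			#copy_request_to_tunnel = no
			#use_tunneled_reply = no
			use_tunneled_reply = yes
			# NOTE(review): same inner-tunnel question as in ttls above.
			#virtual_server = "inner-tunnel"
		}

		mschapv2 {
		}
	}

	# $INCLUDE sql.conf
	# $INCLUDE sql/mysql/counter.conf
}

# instantiate {
#	exec
#	expr
#	expiration
#	logintime
# }
#
# $INCLUDE policy.conf

#### sites enabled ####
# $INCLUDE sites-enabled/

# Modules consulted, in order, to decide how a request will be authenticated.
authorize {
	preprocess
	mschap
	suffix
	eap
	#chap
	#eap {
	#	ok = return
	#}
	#unix
	files
	#expiration
	#logintime
	# NOTE(review): pap is disabled here but Auth-Type PAP is still handled in
	# authenticate below and is what eap/gtc uses; check that PAP requests
	# get an Auth-Type from the users file as intended.
	#pap
}

# One handler per Auth-Type chosen during authorize.
authenticate {
	Auth-Type PAP {
		pap
	}
	#Auth-Type CHAP {
	#	chap
	#}
	Auth-Type MS-CHAP {
		mschap
	}
	#unix
	eap
}

preacct {
	preprocess
	acct_unique
	#suffix
	files
}

# Accounting is written to the detail files only.
accounting {
	detail
	#unix
	#radutmp
	#attr_filter.accounting_response
}

#session {
#	radutmp
#}

# NOTE(review): post-auth is fully commented out, so the attr_filter.access_reject
# step on rejects is not applied.
#post-auth {
#	exec
#	Post-Auth-Type REJECT {
#		attr_filter.access_reject
#	}
#}

#pre-proxy {
#}

#post-proxy {
#	eap
#}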