
prefix = /usr
exec_prefix = /usr
sysconfdir = ${prefix}/etc
log_destination = syslog
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = syslog
raddbdir = /var/etc/raddb
radacctdir = /var/radius/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run
#log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib/radius
pidfile = ${run_dir}/radiusd.pid
max_request_time = 120
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
#user = admin
#group = users
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = yes
regular_expressions = yes
extended_expressions = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad

security {
	max_attributes = 200
	reject_delay = 0
	status_server = no
}

proxy_requests = yes

$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf

thread pool {
	start_servers = 5
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	max_requests_per_server = 0
}

modules {
	pap {
		auto_header =  no
	}

	pam {
		pam_auth = radiusd
	}

	unix {
		cache = no
		cache_reload = 600
		radwtmp = /var/radius/radwtmp
	}

	mschap {
		authtype = MS-CHAP
		#use_mppe = no
		#require_encryption = yes
		#require_strong = yes
		with_ntdomain_hack = yes
		ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
	}

	mschap_local {
		authtype = MS-CHAP
		#use_mppe = no
		#require_encryption = yes
		#require_strong = yes
		with_ntdomain_hack = yes
	}

	ldap ldap_primary {
		server = ldap.your.domain
		port = 389
		identity = cn=Manager,o=SYMBOL,c=INDIA
		password = secret
		basedn = o=SYMBOL,c=INDIA
		filter = (uid=%{Stripped-User-Name:-%{User-Name}})
		start_tls = no
		access_attr = "dialupacces"
		dictionary_mapping = ${raddbdir}/ldap.attrmap
		ldap_connections_number = 5
		#password_header = "{SHA}"
		password_attribute = userPassword
		groupname_attribute = cn
		groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
		groupmembership_attribute = radiusGroupName
		timeout = 20
		timelimit = 20
		net_timeout = 10
		access_attr_used_for_allow = no
		group_verification = yes
		chase_referrals = yes
		rebind = yes
		dead_period = 120
	}

	ldap ldap_secondary {
		server = 192.168.4.11
		port = 389
		identity = "cn=symbol,cn=users,DC=MotorolaSymbol,dc=local"
		password = "Symb0l@123"
		basedn = "cn=Users,DC=MotorolaSymbol,dc=local"
		filter = "(sAMAccountName=%{Stripped-User-Name})"
		start_tls = no
		access_attr = "dialupacces"
		dictionary_mapping = ${raddbdir}/ldap.attrmap
		ldap_connections_number = 5
		#password_header = "{SHA}"
		password_attribute = "userPassword"
		groupname_attribute = "cn"
		groupmembership_filter = "(&(objectClass=Group)(member=%{control:Ldap-UserDn}))"
		groupmembership_attribute = "radiusGroupName"
		timeout = 6
		timelimit = 6
		net_timeout = 3
		access_attr_used_for_allow = no
		group_verification = yes
		chase_referrals = yes
		rebind = yes
		dead_period = 120
	}

	passwd etc_passwd {
		filename = /var/etc/passwd
		format = "*Stripped-User-Name::User-Password"
		delimiter = :
	}

	passwd etc_group {
		filename = /var/etc/group
		format = "~Group-Name::*,Stripped-User-Name"
		delimiter = :
	}

	realm suffix_oblic {
		format = suffix
		delimiter = /
		ignore_default = no
		ignore_null = no
	}

	realm suffix_oblic_fs {
		format = suffix
		delimiter = '\\'
		ignore_default = no
		ignore_null = no
	}

	realm prefix_oblic {
		format = prefix
		delimiter = /
		ignore_default = no
		ignore_null = no
	}

	realm prefix_oblic_fs {
		format = prefix
		delimiter = '\\'
		ignore_default = no
		ignore_null = no
	}

	realm suffix_at {
		format = suffix
		delimiter = @
		ignore_default = no
		ignore_null = no
	}

	realm prefix_at {
		format = prefix
		delimiter = @
		ignore_default = no
		ignore_null = no
	}

	realm suffix_percent {
		format = suffix
		delimiter = %
		ignore_default = no
		ignore_null = no
	}

	realm prefix_percent {
		format = prefix
		delimiter = %
		ignore_default = no
		ignore_null = no
	}

	checkval {
		item-name = Calling-Station-Id
		check-name = Calling-Station-Id
		data-type = string
		#notfound-reject = no
	}

	preprocess {
		huntgroups = ${confdir}/huntgroups
		hu_int32_ts = ${confdir}/hints
		with_ascend_hack = no
		ascend_channels_per_line = 23
		with_ntdomain_hack = no
		with_specialix_jetstream_hack = no
		with_cisco_vsa_hack = no
	}

	attr_rewrite copy_user_name {
		attribute = Stripped-User-Name
		new_attribute = yes
		searchin = packet
		searchfor = ""
		replacewith = "%{User-Name}"
	}

	attr_rewrite add_dollar_sign {
		attribute = Stripped-User-Name
		new_attribute = no
		searchin = packet
		searchfor = "^(.*[\\/]+)"
		replacewith = ""
	}

	files {
		usersfile = ${confdir}/users
		acctusersfile = ${confdir}/acct_users
		compat = no
	}

	files_local {
		usersfile = ${confdir}/users_local
		acctusersfile = ${confdir}/acct_users
		compat = no
	}

	detail  {
		detailfile = ${radacctdir}/accounting.log
		detailperm = 0666
	}

	acct_unique {
		key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
	}

	attr_filter {
		attrsfile = ${confdir}/attrs
	}

	counter daily {
		filename = ${raddbdir}/db.daily
		key = User-Name
		count-attribute = Acct-Session-Time
		reset = daily
		counter-name = Daily-Session-Time
		check-name = Max-Daily-Session
		allowed-servicetype = Framed-User
		cache-size = 5000
	}

	always fail {
		rcode = fail
	}

	always reject {
		rcode = reject
	}

	always ok {
		rcode = ok
		simulcount = 0
		mpp = no
	}

	expr {
	}

	digest {
	}

	logintime {
		reply-message = Outside allowed timespan (%{control:Login-Time}), %{User-Name}
		minimum-timeout = 60
	}

	exec  {
		wait = yes
		input_pairs = request
	}

	exec echo {
		wait = yes
		program = "/bin/echo %{User-Name}"
		input_pairs = request
		output_pairs = reply
	}

	ippool main_pool {
		range-start = 192.168.1.1
		range-stop = 192.168.3.254
		netmask = 255.255.255.0
		cache-size = 800
		session-db = ${raddbdir}/db.ippool
		ip-index = ${raddbdir}/db.ipindex
		override = no
		maximum-timeout = 0
	}

	$INCLUDE  ${confdir}/eap.conf
}

instantiate {
	#exec
	#expr
	ldap_secondary
	ldap_primary
	logintime
}

authorize {
	preprocess
	suffix_oblic
	suffix_oblic_fs
	prefix_oblic
	prefix_oblic_fs
	suffix_at
	prefix_at
	suffix_percent
	prefix_percent
	copy_user_name
	#etc_passwd
	#etc_group
	mschap
	files
	redundant {
			ldap_secondary
		}
	eap
	pap
	logintime
}

authenticate {
	Auth-Type PAP {
		pap
	}

	Auth-Type MS-CHAP {
		mschap
	}

	Auth-Type ldap_primary {
		ldap_primary
	}

	Auth-Type ldap_secondary {
		ldap_secondary
	}

	Auth-Type DUAL-LDAP {
		redundant {
			ldap_secondary
		}
	}

	#unix
	eap
}

preacct {
	preprocess
	acct_unique
	suffix_at
	suffix_oblic
	files
}

accounting {
	detail
	#unix
	#radutmp
}

session {
	#radutmp
}

post-auth {
}

pre-proxy {
}

post-proxy {
	eap
}

log {
	syslog_facility = daemon
	stripped_names = yes
	auth = yes
	auth_badpass = no
	auth_goodpass = no
}
