FreeRadius 2.0.5 AD PEAP
Brooks, Kyle
Kyle.Brooks at nrc-cnrc.gc.ca
Thu Aug 14 17:00:11 CEST 2008
Here are the .conf files.
# -*- text -*-
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
## http://www.freeradius.org/
## $Id: radiusd.conf.in,v 1.268 2008/03/04 16:53:02 aland Exp $
##
######################################################################
#
# Read "man radiusd" before editing this file. See the section
# titled DEBUGGING. It outlines a method where you can quickly
# obtain the configuration you want, without running into
# trouble.
#
# Run the server in debugging mode, and READ the output.
#
# $ radiusd -X
#
# We cannot emphasize this point strongly enough. The vast
# majority of problems can be solved by carefully reading the
# debugging output, which includes warnings about common issues,
# and suggestions for how they may be fixed.
#
# There may be a lot of output, but look carefully for words like:
# "warning", "error", "reject", or "failure". The messages there
# will usually be enough to guide you to a solution.
#
# If you are going to ask a question on the mailing list, then
# explain what you are trying to do, and include the output from
# debugging mode (radiusd -X). Failure to do so means that all
# of the responses to your question will be people telling you
# to "post the output of radiusd -X".
######################################################################
#
# The location of other config files and logfiles are declared
# in this file.
#
# Also general configuration for modules can be done in this
# file, it is exported through the API to modules that ask for
# it.
#
# See "man radiusd.conf" for documentation on the format of this
# file. Note that the individual configuration items are NOT
# documented in that "man" page. They are only documented here,
# in the comments.
#
# As of 2.0.0, FreeRADIUS supports a simple processing language
# in the "authorize", "authenticate", "accounting", etc. sections.
# See "man unlang" for details.
#
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
# Should likely be ${localstatedir}/lib/radiusd
db_dir = $(raddbdir)
#
# libdir: Where to find the rlm_* modules.
#
# This should be automatically set at configuration time.
#
# If the server builds and installs, but fails at execution time
# with an 'undefined symbol' error, then you can use the libdir
# directive to work around the problem.
#
# The cause is usually that a library has been installed on your
# system in a place where the dynamic linker CANNOT find it. When
# executing as root (or another user), your personal environment MAY
# be set up to allow the dynamic linker to find the library. When
# executing as a daemon, FreeRADIUS MAY NOT have the same
# personalized configuration.
#
# To work around the problem, find out which library contains that
symbol,
# and add the directory containing that library to the end of
'libdir',
# with a colon separating the directory names. NO spaces are allowed.
#
# e.g. libdir = /usr/local/lib:/opt/package/lib
#
# You can also try setting the LD_LIBRARY_PATH environment variable
# in a script which starts the server.
#
# If that does not work, then you can re-configure and re-build the
# server to NOT use shared libraries, via:
#
# ./configure --disable-shared
# make
# make install
#
libdir = /usr/lib/freeradius
# pidfile: Where to place the PID of the RADIUS server.
#
# The server may be signalled while it's running by using this
# file.
#
# This file is written when ONLY running in daemon mode.
#
# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
#
pidfile = ${run_dir}/radiusd.pid
# user/group: The name (or #number) of the user/group to run radiusd as.
#
# If these are commented out, the server will run as the user/group
# that started it. In order to change to a different user/group, you
# MUST be root ( or have root privleges ) to start the server.
#
# We STRONGLY recommend that you run the server with as few
permissions
# as possible. That is, if you're not using shadow passwords, the
# user and group items below should be set to 'nobody'.
#
# On SCO (ODT 3) use "user = nouser" and "group = nogroup".
#
# NOTE that some kernels refuse to setgid(group) when the value of
# (unsigned)group is above 60000; don't use group nobody on these
systems!
#
# On systems with shadow passwords, you might have to set 'group =
shadow'
# for the server to be able to read the shadow password file. If you
can
# authenticate users while in debug mode, but not in daemon mode, it
may be
# that the debugging mode server is running as a user that can read the
# shadow info, and the user listed below can not.
#
#user = radiusd
#group = radiusd
user = root
group = root
# max_request_time: The maximum time (in seconds) to handle a request.
#
# Requests which take more time than this to process may be killed, and
# a REJECT message is returned.
#
# WARNING: If you notice that requests take a long time to be handled,
# then this MAY INDICATE a bug in the server, in one of the modules
# used to handle a request, OR in your local configuration.
#
# This problem is most often seen when using an SQL database. If it
takes
# more than a second or two to receive an answer from the SQL database,
# then it probably means that you haven't indexed the database. See
your
# SQL server documentation for more information.
#
# Useful range of values: 5 to 120
#
max_request_time = 30
# cleanup_delay: The time to wait (in seconds) before cleaning up
# a reply which was sent to the NAS.
#
# The RADIUS request is normally cached internally for a short period
# of time, after the reply is sent to the NAS. The reply packet may be
# lost in the network, and the NAS will not see it. The NAS will then
# re-send the request, and the server will respond quickly with the
# cached reply.
#
# If this value is set too low, then duplicate requests from the NAS
# MAY NOT be detected, and will instead be handled as seperate
requests.
#
# If this value is set too high, then the server will cache too many
# requests, and some new requests may get blocked. (See
'max_requests'.)
#
# Useful range of values: 2 to 10
#
cleanup_delay = 5
# max_requests: The maximum number of requests which the server keeps
# track of. This should be 256 multiplied by the number of clients.
# e.g. With 4 clients, this number should be 1024.
#
# If this number is too low, then when the server becomes busy,
# it will not respond to any new requests, until the 'cleanup_delay'
# time has passed, and it has removed the old requests.
#
# If this number is set too high, then the server will use a bit more
# memory for no real benefit.
#
# If you aren't sure what it should be set to, it's better to set it
# too high than too low. Setting it to 1000 per client is probably
# the highest it should be.
#
# Useful range of values: 256 to infinity
#
max_requests = 1024
# listen: Make the server listen on a particular IP address, and send
# replies out from that address. This directive is most useful for
# hosts with multiple IP addresses on one interface.
#
# If you want the server to listen on additional addresses, or on
# additionnal ports, you can use multiple "listen" sections.
#
# Each section make the server listen for only one type of packet,
# therefore authentication and accounting have to be configured in
# different sections.
#
# The server ignore all "listen" section if you are using '-i' and '-p'
# on the command line.
#
listen {
# Type of packets to listen for.
# Allowed values are:
# auth listen for authentication packets
# acct listen for accounting packets
# proxy IP to use for sending proxied packets
#
type = auth
# Note: "type = proxy" lets you control the source IP used for
# proxying packets, with some limitations:
#
# * Only ONE proxy listener can be defined.
# * A proxy listener CANNOT be used in a virtual server
section.
# * You should probably set "port = 0".
# * Any "clients" configuration will be ignored.
# IP address on which to listen.
# Allowed values are:
# dotted quad (1.2.3.4)
# hostname (radius.example.com)
# wildcard (*)
ipaddr = *
# OR, you can use an IPv6 address, but not both
# at the same time.
# ipv6addr = :: # any. ::1 == localhost
# Port on which to listen.
# Allowed values are:
# integer port number (1812)
# 0 means "use /etc/services for the proper port"
port = 0
# Some systems support binding to an interface, in addition
# to the IP address. This feature isn't strictly necessary,
# but for sites with many IP addresses on one interface,
# it's useful to say "listen on all addresses for eth0".
#
# If your system does not support this feature, you will
# get an error if you try to use it.
#
# interface = eth0
# Per-socket lists of clients. This is a very useful feature.
#
# The name here is a reference to a section elsewhere in
# radiusd.conf, or clients.conf. Having the name as
# a reference allows multiple sockets to use the same
# set of clients.
#
# If this configuration is used, then the global list of
clients
# is IGNORED for this "listen" section. Take care configuring
# this feature, to ensure you don't accidentally disable a
# client you need.
#
# See clients.conf for the configuration of
"per_socket_clients".
#
# clients = per_socket_clients
}
# This second "listen" section is for listening on the accounting
# port, too.
#
listen {
ipaddr = *
# ipv6addr = ::
port = 0
type = acct
# interface = eth0
# clients = per_socket_clients
}
# hostname_lookups: Log the names of clients or just their IP addresses
# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
#
# The default is 'off' because it would be overall better for the net
# if people had to knowingly turn this feature on, since enabling it
# means that each client request will result in AT LEAST one lookup
# request to the nameserver. Enabling hostname_lookups will also
# mean that your server may stop randomly for 30 seconds from time
# to time, if the DNS requests take too long.
#
# Turning hostname lookups off also means that the server won't block
# for 30 seconds, if it sees an IP address which has no name associated
# with it.
#
# allowed values: {no, yes}
#
hostname_lookups = no
# Core dumps are a bad thing. This should only be set to 'yes'
# if you're debugging a problem with the server.
#
# allowed values: {no, yes}
#
allow_core_dumps = no
# Regular expressions
#
# These items are set at configure time. If they're set to "yes",
# then setting them to "no" turns off regular expression support.
#
# If they're set to "no" at configure time, then setting them to "yes"
# WILL NOT WORK. It will give you an error.
#
regular_expressions = yes
extended_expressions = yes
#
# Logging section. The various "log_*" configuration items
# will eventually be moved here.
#
log {
#
# Destination for log messages. This can be one of:
#
# files - log to "file", as defined below.
# syslog - to syslog (see also the "syslog_facility",
below.
# stdout - standard output
# stderr - standard error.
#
# The command-line option "-X" over-rides this option, and
forces
# logging to go to stdout.
#
destination = files
#
# The logging messages for the server are appended to the
# tail of this file if ${destination} == "files"
#
# If the server is running in debugging mode, this file is
# NOT used.
#
file = ${logdir}/radius.log
#
# Which syslog facility to use, if ${destination} == "syslog"
#
# The exact values permitted here are OS-dependent. You
probably
# don't want to change this.
#
syslog_facility = daemon
# Log the full User-Name attribute, as it was found in the
request.
#
# allowed values: {no, yes}
#
stripped_names = no
# Log authentication requests to the log file.
#
# allowed values: {no, yes}
#
auth = no
# Log passwords with the authentication requests.
# auth_badpass - logs password if it's rejected
# auth_goodpass - logs password if it's correct
#
# allowed values: {no, yes}
#
auth_badpass = no
auth_goodpass = no
}
# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad
# SECURITY CONFIGURATION
#
# There may be multiple methods of attacking on the server. This
# section holds the configuration items which minimize the impact
# of those attacks
#
security {
#
# max_attributes: The maximum number of attributes
# permitted in a RADIUS packet. Packets which have MORE
# than this number of attributes in them will be dropped.
#
# If this number is set too low, then no RADIUS packets
# will be accepted.
#
# If this number is set too high, then an attacker may be
# able to send a small number of packets which will cause
# the server to use all available memory on the machine.
#
# Setting this number to 0 means "allow any number of
attributes"
max_attributes = 200
#
# reject_delay: When sending an Access-Reject, it can be
# delayed for a few seconds. This may help slow down a DoS
# attack. It also helps to slow down people trying to
brute-force
# crack a users password.
#
# Setting this number to 0 means "send rejects immediately"
#
# If this number is set higher than 'cleanup_delay', then the
# rejects will be sent at 'cleanup_delay' time, when the
request
# is deleted from the internal cache of requests.
#
# Useful ranges: 1 to 5
reject_delay = 1
#
# status_server: Whether or not the server will respond
# to Status-Server requests.
#
# When sent a Status-Server message, the server responds with
# an Access-Accept or Accounting-Response packet.
#
# This is mainly useful for administrators who want to "ping"
# the server, without adding test users, or creating fake
# accounting packets.
#
# It's also useful when a NAS marks a RADIUS server "dead".
# The NAS can periodically "ping" the server with a
Status-Server
# packet. If the server responds, it must be alive, and the
# NAS can start using it for real requests.
#
status_server = yes
}
# PROXY CONFIGURATION
#
# proxy_requests: Turns proxying of RADIUS requests on or off.
#
# The server has proxying turned on by default. If your system is NOT
# set up to proxy requests to another server, then you can turn
proxying
# off here. This will save a small amount of resources on the server.
#
# If you have proxying turned off, and your configuration files say
# to proxy a request, then an error message will be logged.
#
# To disable proxying, change the "yes" to "no", and comment the
# $INCLUDE line.
#
# allowed values: {no, yes}
#
proxy_requests = yes
$INCLUDE proxy.conf
# CLIENTS CONFIGURATION
#
# Client configuration is defined in "clients.conf".
#
# The 'clients.conf' file contains all of the information from the old
# 'clients' and 'naslist' configuration files. We recommend that you
# do NOT use 'client's or 'naslist', although they are still
# supported.
#
# Anything listed in 'clients.conf' will take precedence over the
# information from the old-style configuration files.
#
$INCLUDE clients.conf
# SNMP CONFIGURATION
#
# Snmp configuration is only valid if SNMP support was enabled
# at compile time.
#
# To enable SNMP querying of the server, set the value of the
# 'snmp' attribute to 'yes'
#
snmp = no
$INCLUDE snmp.conf
# THREAD POOL CONFIGURATION
#
# The thread pool is a long-lived group of threads which
# take turns (round-robin) handling any incoming requests.
#
# You probably want to have a few spare threads around,
# so that high-load situations can be handled immediately. If you
# don't have any spare threads, then the request handling will
# be delayed while a new thread is created, and added to the pool.
#
# You probably don't want too many spare threads around,
# otherwise they'll be sitting there taking up resources, and
# not doing anything productive.
#
# The numbers given below should be adequate for most situations.
#
thread pool {
# Number of servers to start initially --- should be a
reasonable
# ballpark figure.
start_servers = 5
# Limit on the total number of servers running.
#
# If this limit is ever reached, clients will be LOCKED OUT, so
it
# should NOT BE SET TOO LOW. It is intended mainly as a brake
to
# keep a runaway server from taking the system with it as it
spirals
# down...
#
# You may find that the server is regularly reaching the
# 'max_servers' number of threads, and that increasing
# 'max_servers' doesn't seem to make much difference.
#
# If this is the case, then the problem is MOST LIKELY that
# your back-end databases are taking too long to respond, and
# are preventing the server from responding in a timely manner.
#
# The solution is NOT do keep increasing the 'max_servers'
# value, but instead to fix the underlying cause of the
# problem: slow database, or 'hostname_lookups=yes'.
#
# For more information, see 'max_request_time', above.
#
max_servers = 32
# Server-pool size regulation. Rather than making you guess
# how many servers you need, FreeRADIUS dynamically adapts to
# the load it sees, that is, it tries to maintain enough
# servers to handle the current load, plus a few spare
# servers to handle transient load spikes.
#
# It does this by periodically checking how many servers are
# waiting for a request. If there are fewer than
# min_spare_servers, it creates a new spare. If there are
# more than max_spare_servers, some of the spares die off.
# The default values are probably OK for most sites.
#
min_spare_servers = 3
max_spare_servers = 10
# There may be memory leaks or resource allocation problems
with
# the server. If so, set this value to 300 or so, so that the
# resources will be cleaned up periodically.
#
# This should only be necessary if there are serious bugs in
the
# server which have not yet been fixed.
#
# '0' is a special value meaning 'infinity', or 'the servers
never
# exit'
max_requests_per_server = 0
}
# MODULE CONFIGURATION
#
# The names and configuration of each module is located in this
section.
#
# After the modules are defined here, they may be referred to by name,
# in other sections of this configuration file.
#
modules {
#
# Each module has a configuration as follows:
#
# name [ instance ] {
# config_item = value
# ...
# }
#
# The 'name' is used to load the 'rlm_name' library
# which implements the functionality of the module.
#
# The 'instance' is optional. To have two different instances
# of a module, it first must be referred to by 'name'.
# The different copies of the module are then created by
# inventing two 'instance' names, e.g. 'instance1' and
'instance2'
#
# The instance names can then be used in later configuration
# INSTEAD of the original 'name'. See the 'radutmp'
configuration
# below for an example.
#
# PAP module to authenticate users based on their stored
password
#
# Supports multiple encryption/hash schemes. See "man pap"
# for details.
#
# The "auto_header" configuration item can be set to "yes".
# In this case, the module will look inside of the
User-Password
# attribute for the headers {crypt}, {clear}, etc., and will
# automatically create the attribute on the right-hand side,
# with the correct value. It will also automatically handle
# Base-64 encoded data, hex strings, and binary data.
pap {
auto_header = no
}
# CHAP module
#
# To authenticate requests containing a CHAP-Password
attribute.
#
chap {
authtype = CHAP
}
# Pluggable Authentication Modules
#
# For Linux, see:
# http://www.kernel.org/pub/linux/libs/pam/index.html
#
# WARNING: On many systems, the system PAM libraries have
# memory leaks! We STRONGLY SUGGEST that you do not
# use PAM for authentication, due to those memory
leaks.
#
pam {
#
# The name to use for PAM authentication.
# PAM looks in /etc/pam.d/${pam_auth_name}
# for it's configuration. See 'redhat/radiusd-pam'
# for a sample PAM configuration file.
#
# Note that any Pam-Auth attribute set in the
'authorize'
# section will over-ride this one.
#
pam_auth = radiusd
}
# Unix /etc/passwd style authentication
#
unix {
# As of 1.1.0, the Unix module no longer reads,
# or caches /etc/passwd, /etc/shadow, or /etc/group.
# If you wish to cache those files, see the passwd
# module, above.
#
#
# The location of the "wtmp" file.
# This should be moved to it's own module soon.
#
# The only use for 'radlast'. If you don't use
# 'radlast', then you can comment out this item.
#
radwtmp = ${logdir}/radwtmp
}
# Extensible Authentication Protocol
#
# For all EAP related authentications.
# Now in another file, because it is very large.
#
$INCLUDE eap.conf
# Microsoft CHAP authentication
#
# This module supports MS-CHAP and MS-CHAPv2 authentication.
# It also enforces the SMB-Account-Ctrl attribute.
#
mschap {
#
# As of 0.9, the mschap module does NOT support
# reading from /etc/smbpasswd.
#
# If you are using /etc/smbpasswd, see the 'passwd'
# module for an example of how to use /etc/smbpasswd
# if use_mppe is not set to no mschap will
# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
#
use_mppe = no
# if mppe is enabled require_encryption makes
# encryption moderate
#
require_encryption = yes
# require_strong always requires 128 bit key
# encryption
#
require_strong = no
# Windows sends us a username in the form of
# DOMAIN\user, but sends the challenge response
# based on only the user portion. This hack
# corrects for that incorrect behavior.
#
with_ntdomain_hack = yes
# The module can perform authentication itself, OR
# use a Windows Domain Controller. This configuration
# directive tells the module to call the ntlm_auth
# program, which will do the authentication, and return
# the NT-Key. Note that you MUST have "winbindd" and
# "nmbd" running on the local machine for ntlm_auth
# to work. See the ntlm_auth program documentation
# for details.
#
# Be VERY careful when editing the following line!
#
# You can also try setting the user name as:
#
# ... --username=%{mschap:User-Name} ...
#
# In that case, the mschap module will look at the
User-Name
# attribute, and do prefix/suffix checks in order to
obtain
# the "best" user name for the request.
#
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--domain=**** --username=%{mschap:User-Name}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"
#
#ntlm_auth = "/path/to/ntlm_auth --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"
}
# Lightweight Directory Access Protocol (LDAP)
#
# This module definition allows you to use LDAP for
# authorization and authentication.
#
# See doc/rlm_ldap for description of configuration options
# and sample authorize{} and authenticate{} blocks
#
# However, LDAP can be used for authentication ONLY when the
# Access-Request packet contains a clear-text User-Password
# attribute. LDAP authentication will NOT work for any other
# authentication method.
#
# This means that LDAP servers don't understand EAP. If you
# force "Auth-Type = LDAP", and then send the server a
# request containing EAP authentication, then authentication
# WILL NOT WORK.
#
# The solution is to use the default configuration, which does
# work.
#
# Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We
# really can't emphasize this enough.
#
ldap {
#
# Note that this needs to match the name in the LDAP
# server certificate, if you're using ldaps.
server = "cnsad.ads.****.org"
port = 3268
identity = "bckup at ads.****.org"
password = "3MFmqw_6f"
#server = "ldap.your.domain"
#identity = "cn=admin,o=My Org,c=UA"
#password = mypass
#basedn = "o=My Org,c=UA"
basedn = "dc=ads,dc=****,dc=org"
#filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
filter = "(&(samaccountName=%{mschap:User-Name}))"
#base_filter = "(objectclass=radiusprofile)"
# How many connections to keep open to the LDAP server.
# This saves time over opening a new LDAP socket for
# every authentication request.
ldap_connections_number = 5
# seconds to wait for LDAP query to finish. default: 20
timeout = 4
# seconds LDAP server has to process the query
(server-side
# time limit). default: 20
#
# LDAP_OPT_TIMELIMIT is set to this value.
timelimit = 3
#
# seconds to wait for response of the server. (network
# failures) default: 10
#
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
net_timeout = 1
#
# This subsection configures the tls related items
# that control how FreeRADIUS connects to an LDAP
# server. It contains all of the "tls_*" configuration
# entries used in older versions of FreeRADIUS. Those
# configuration entries can still be used, but we
recommend
# using these.
#
tls {
# Set this to 'yes' to use TLS encrypted
connections
# to the LDAP database by using the StartTLS
extended
# operation.
#
# The StartTLS operation is supposed to be
# used with normal ldap connections instead of
# using ldaps (port 689) connections
start_tls = no
# cacertfile = /path/to/cacert.pem
# cacertdir = /path/to/ca/dir/
# certfile = /path/to/radius.crt
# keyfile = /path/to/radius.key
# randfile = /path/to/rnd
# Certificate Verification requirements. Can
be:
# "never" (don't even bother trying)
# "allow" (try, but don't fail if the
cerificate
# can't be verified)
# "demand" (fail if the certificate doesn't
verify.)
#
# The default is "allow"
# require_cert = "demand"
}
# default_profile = "cn=radprofile,ou=dialup,o=My
Org,c=UA"
# profile_attribute = "radiusProfileDn"
# access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${confdir}/ldap.attrmap
# Set password_attribute = nspmPassword to get the
# user's password from a Novell eDirectory
# backend. This will work ONLY IF FreeRADIUS has been
# built with the --with-edir configure option.
#
# See also the following links:
#
#
http://www.novell.com/coolsolutions/appnote/16745.html
#
https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_
f.SAL_Public.html
#
# Novell may require TLS encrypted sessions before
returning
# the user's password.
#
# password_attribute = userPassword
# Un-comment the following to disable Novell
# eDirectory account policy check and intruder
# detection. This will work *only if* FreeRADIUS is
# configured to build with --with-edir option.
#
edir_account_policy_check = no
#
# Group membership checking. Disabled by default.
#
groupname_attribute = cn
# groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=Gr
oupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
#groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectC
lass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
groupmembership_attribute = memberOf
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
#
# By default, if the packet contains a User-Password,
# and no other module is configured to handle the
# authentication, the LDAP module sets itself to do
# LDAP bind for authentication.
#
# THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
#
# THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x
(EAP).
#
# You can disable this behavior by setting the
following
# configuration entry to "no".
#
# allowed values: {no, yes}
# set_auth_type = yes
# ldap_debug: debug flag for LDAP SDK
# (see OpenLDAP documentation). Set this to enable
# huge amounts of LDAP debugging on the screen.
# You should only use this if you are an LDAP expert.
#
# default: 0x0000 (no debugging messages)
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
#ldap_debug = 0x0028
}
# passwd module allows to do authorization via any passwd-like
# file and to extract any attributes from these modules
#
# parameters are:
# filename - path to filename
# format - format for filename record. This parameters
# correlates record in the passwd file and RADIUS
# attributes.
#
# Field marked as '*' is key field. That is, the
parameter
# with this name from the request is used to search
for
# the record from passwd file
# Attribute marked as '=' is added to reply_itmes
instead
# of default configure_itmes
# Attribute marked as '~' is added to request_items
#
# Field marked as ',' may contain a comma separated
list
# of attributes.
# hashsize - hashtable size. If 0 or not specified records are
not
# stored in memory and file is red on every request.
# allowmultiplekeys - if few records for every key are allowed
# ignorenislike - ignore NIS-related records
# delimiter - symbol to use as a field separator in passwd
file,
# for format ':' symbol is always used. '\0', '\n'
are
# not allowed
#
# An example configuration for using /etc/smbpasswd.
#
#passwd etc_smbpasswd {
# filename = /etc/smbpasswd
# format =
"*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
# hashsize = 100
# ignorenislike = no
# allowmultiplekeys = no
#}
# Similar configuration, for the /etc/group file. Adds a
Group-Name
# attribute for every group that the user is member of.
#
#passwd etc_group {
# filename = /etc/group
# format = "=Group-Name:::*,User-Name"
# hashsize = 50
# ignorenislike = yes
# allowmultiplekeys = yes
# delimiter = ":"
#}
# Realm module, for proxying.
#
# You can have multiple instances of the realm module to
# support multiple realm syntaxs at the same time. The
# search order is defined by the order in the authorize and
# preacct sections.
#
# Four config options:
# format - must be "prefix" or "suffix"
# The special cases of "DEFAULT"
# and "NULL" are allowed, too.
# delimiter - must be a single character
# 'realm/username'
#
# Using this entry, IPASS users have their realm set to
"IPASS".
realm IPASS {
format = prefix
delimiter = "/"
}
# 'username at realm'
#
realm suffix {
format = suffix
delimiter = "@"
}
# 'username%realm'
#
realm realmpercent {
format = suffix
delimiter = "%"
}
#
# 'domain\user'
#
realm ntdomain {
format = prefix
delimiter = "\\"
}
# A simple value checking module
#
# It can be used to check if an attribute value in the request
# matches a (possibly multi valued) attribute in the check
# items This can be used for example for caller-id
# authentication. For the module to run, both the request
# attribute and the check items attribute must exist
#
# i.e.
# A user has an ldap entry with 2 radiusCallingStationId
# attributes with values "12345678" and "12345679". If we
# enable rlm_checkval, then any request which contains a
# Calling-Station-Id with one of those two values will be
# accepted. Requests with other values for
# Calling-Station-Id will be rejected.
#
# Regular expressions in the check attribute value are allowed
# as long as the operator is '=~'
#
checkval {
# The attribute to look for in the request
item-name = Calling-Station-Id
# The attribute to look for in check items. Can be multi
valued
check-name = Calling-Station-Id
# The data type. Can be
# string,integer,ipaddr,date,abinary,octets
data-type = string
# If set to yes and we dont find the item-name attribute
in the
# request then we send back a reject
# DEFAULT is no
#notfound-reject = no
}
# rewrite arbitrary packets. Useful in accounting and
authorization.
#
#
# The module can also use the Rewrite-Rule attribute. If it
# is set and matches the name of the module instance, then
# that module instance will be the only one which runs.
#
# Also if new_attribute is set to yes then a new attribute
# will be created containing the value replacewith and it
# will be added to searchin (packet, reply, proxy,
# proxy_reply or config).
#
# searchfor,ignore_case and max_matches will be ignored in that
case.
#
# Backreferences are supported.
# %{0} will contain the string the whole match
# %{1} to %{8} will contain the contents of the 1st to
# the 8th parentheses
#
# If max_matches is greater than one, the backreferences will
# correspond to the first attributed that matched.
#
#attr_rewrite sanecallerid {
# attribute = Called-Station-Id
# may be "packet", "reply", "proxy", "proxy_reply" or
"config"
# searchin = packet
# searchfor = "[+ ]"
# replacewith = ""
# ignore_case = no
# new_attribute = no
# max_matches = 10
#
# ## If set to yes then the replace string will be
# ## appended to the original string
# append = no
#}
# Preprocess the incoming RADIUS request, before handing it off
# to other modules.
#
# This module processes the 'huntgroups' and 'hints' files.
# In addition, it re-writes some weird attributes created
# by some NASes, and converts the attributes into a form which
# is a little more standard.
#
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
# This hack changes Ascend's wierd port numberings
# to standard 0-??? port numbers so that the "+" works
# for IP address assignments.
with_ascend_hack = no
ascend_channels_per_line = 23
# Windows NT machines often authenticate themselves as
# NT_DOMAIN\username
#
# If this is set to 'yes', then the NT_DOMAIN portion
# of the user-name is silently discarded.
#
# This configuration entry SHOULD NOT be used.
# See the "realms" module for a better way to handle
# NT domains.
with_ntdomain_hack = no
# Specialix Jetstream 8500 24 port access server.
#
# If the user name is 10 characters or longer, a "/"
# and the excess characters after the 10th are
# appended to the user name.
#
# If you're not running that NAS, you don't need
# this hack.
with_specialix_jetstream_hack = no
# Cisco (and Quintum in Cisco mode) sends it's VSA
attributes
# with the attribute name *again* in the string, like:
#
# H323-Attribute = "h323-attribute=value".
#
# If this configuration item is set to 'yes', then
# the redundant data in the the attribute text is
stripped
# out. The result is:
#
# H323-Attribute = "value"
#
# If you're not running a Cisco or Quintum NAS, you
don't
# need this hack.
with_cisco_vsa_hack = no
}
# Livingston-style 'users' file
#
files {
# The default key attribute to use for matches. The
content
# of this attribute is used to match the "name" of the
# entry.
#key = "%{Stripped-User-Name:-%{User-Name}}"
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
# If you want to use the old Cistron 'users' file
# with FreeRADIUS, you should change the next line
# to 'compat = cistron'. You can the copy your 'users'
# file from Cistron.
compat = no
}
# Write a detailed log of all accounting records received.
#
detail {
# Note that we do NOT use NAS-IP-Address here, as
# that attribute MAY BE from the originating NAS, and
# NOT from the proxy which actually sent us the
# request. The Client-IP-Address attribute is ALWAYS
# the address of the client which sent us the
# request.
#
# The following line creates a new detail file for
# every radius client (by IP address or hostname).
# In addition, a new detail file is created every
# day, so that the detail file doesn't have to go
# through a 'log rotation'
#
# If your detail files are large, you may also want
# to add a ':%H' (see doc/variables.txt) to the end
# of it, to create a new detail file every hour, e.g.:
#
# ..../detail-%Y%m%d:%H
#
# This will create a new detail file for every hour.
#
detailfile =
${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
#
# The Unix-style permissions on the 'detail' file.
#
# The detail file often contains secret or private
# information about users. So by keeping the file
# permissions restrictive, we can prevent unwanted
# people from seeing that information.
detailperm = 0600
#
# Every entry in the detail file has a header which
# is a timestamp. By default, we use the ctime
# format (see "man ctime" for details).
#
# The header can be customized by editing this
# string. See "doc/variables.txt" for a description
# of what can be put here.
#
header = "%t"
#
# Certain attributes such as User-Password may be
# "sensitive", so they should not be printed in the
# detail file. This section lists the attributes
# that should be suppressed.
#
# The attributes should be listed one to a line.
#
#suppress {
# User-Password
#}
}
#
# Many people want to log authentication requests.
# Rather than modifying the server core to print out more
# messages, we can use a different instance of the 'detail'
# module, to log the authentication requests to a file.
#
# You will also need to un-comment the 'auth_log' line
# in the 'authorize' section, below.
#
# detail auth_log {
# detailfile =
${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
# detailperm = 0600
# You may also strip out passwords completely
#suppress {
# User-Password
#}
# }
#
# This module logs authentication reply packets sent
# to a NAS. Both Access-Accept and Access-Reject packets
# are logged.
#
# You will also need to un-comment the 'reply_log' line
# in the 'post-auth' section, below.
#
# detail reply_log {
# detailfile =
${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
# detailperm = 0600
# }
#
# This module logs packets proxied to a home server.
#
# You will also need to un-comment the 'pre_proxy_log' line
# in the 'pre-proxy' section, below.
#
# detail pre_proxy_log {
# detailfile =
${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
# detailperm = 0600
# You may also strip out passwords completely
#suppress {
# User-Password
#}
# }
#
# This module logs response packets from a home server.
#
# You will also need to un-comment the 'post_proxy_log' line
# in the 'post-proxy' section, below.
#
# detail post_proxy_log {
# detailfile =
${radacctdir}/%{Client-IP-Address}/post-proxy-detail-%Y%m%d
# detailperm = 0600
# }
#
# The rlm_sql_log module appends the SQL queries in a log
# file which is read later by the radsqlrelay program.
#
# This module only performs the dynamic expansion of the
# variables found in the SQL statements. No operation is
# executed on the database server. (this could be done
# later by an external program) That means the module is
# useful only with non-"SELECT" statements.
#
# See rlm_sql_log(5) manpage.
#
# sql_log {
# path = "${radacctdir}/sql-relay"
# acct_table = "radacct"
# postauth_table = "radpostauth"
# sql_user_name = "%{%{User-Name}:-DEFAULT}"
#
# Start = "INSERT INTO ${acct_table} (AcctSessionId,
UserName, \
# NASIPAddress, FramedIPAddress, AcctStartTime,
AcctStopTime, \
# AcctSessionTime, AcctTerminateCause) VALUES
\
# ('%{Acct-Session-Id}', '%{User-Name}',
'%{NAS-IP-Address}', \
# '%{Framed-IP-Address}', '%S', '0', '0', '');"
# Stop = "INSERT INTO ${acct_table} (AcctSessionId,
UserName, \
# NASIPAddress, FramedIPAddress, AcctStartTime,
AcctStopTime, \
# AcctSessionTime, AcctTerminateCause) VALUES
\
# ('%{Acct-Session-Id}', '%{User-Name}',
'%{NAS-IP-Address}', \
# '%{Framed-IP-Address}', '0', '%S',
'%{Acct-Session-Time}', \
# '%{Acct-Terminate-Cause}');"
# Alive = "INSERT INTO ${acct_table} (AcctSessionId,
UserName, \
# NASIPAddress, FramedIPAddress, AcctStartTime,
AcctStopTime, \
# AcctSessionTime, AcctTerminateCause) VALUES
\
# ('%{Acct-Session-Id}', '%{User-Name}',
'%{NAS-IP-Address}', \
# '%{Framed-IP-Address}', '0', '0',
'%{Acct-Session-Time}','');"
#
# Post-Auth = "INSERT INTO ${postauth_table}
\
# (username, pass, reply, authdate) VALUES
\
# ('%{User-Name}', '%{User-Password:-Chap-Password}',
\
# '%{reply:Packet-Type}', '%S');"
# }
#
# Create a unique accounting session Id. Many NASes re-use
# or repeat values for Acct-Session-Id, causing no end of
# confusion.
#
# This module will add a (probably) unique session id
# to an accounting packet based on the attributes listed
# below found in the packet. See doc/rlm_acct_unique for
# more information.
#
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
# Include another file that has the SQL-related configuration.
# This is another file only because it tends to be big.
#
#$INCLUDE sql.conf
# For Cisco VoIP specific accounting with Postgresql,
# use: ${confdir}/sql/postgresql/voip-postpaid.conf
#
# You will also need the sql schema from:
# src/billing/cisco_h323_db_schema-postgres.sql
# Note: This config can be use AS WELL AS the standard sql
# config if you need SQL based Auth
# Write a 'utmp' style file, of which users are currently
# logged in, and where they've logged in from.
#
# This file is used mainly for Simultaneous-Use checking,
# and also 'radwho', to see who's currently logged in.
#
radutmp {
# Where the file is stored. It's not a log file,
# so it doesn't need rotating.
#
filename = ${logdir}/radutmp
# The field in the packet to key on for the
# 'user' name, If you have other fields which you want
# to use to key on to control Simultaneous-Use,
# then you can use them here.
#
# Note, however, that the size of the field in the
# 'utmp' data structure is small, around 32
# characters, so that will limit the possible choices
# of keys.
#
# You may want instead:
%{Stripped-User-Name:-%{User-Name}}
username = %{User-Name}
# Whether or not we want to treat "user" the same
# as "USER", or "User". Some systems have problems
# with case sensitivity, so this should be set to
# 'no' to enable the comparisons of the key attribute
# to be case insensitive.
#
case_sensitive = yes
# Accounting information may be lost, so the user MAY
# have logged off of the NAS, but we haven't noticed.
# If so, we can verify this information with the NAS,
#
# If we want to believe the 'utmp' file, then this
# configuration entry can be set to 'no'.
#
check_with_nas = yes
# Set the file permissions, as the contents of this file
# are usually private.
perm = 0600
callerid = "yes"
}
# "Safe" radutmp - does not contain caller ID, so it can be
# world-readable, and radwho can work for normal users, without
# exposing any information that isn't already exposed by who(1).
#
# This is another 'instance' of the radutmp module, but it is
given
# then name "sradutmp" to identify it later in the "accounting"
# section.
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
# attr_filter - filters the attributes received in replies from
# proxied servers, to make sure we send back to our RADIUS
client
# only allowed attributes.
attr_filter attr_filter.post-proxy {
attrsfile = ${confdir}/attrs
}
# attr_filter - filters the attributes in the packets we send to
# the RADIUS home servers.
attr_filter attr_filter.pre-proxy {
attrsfile = ${confdir}/attrs.pre-proxy
}
# Enforce RFC requirements on the contents of Access-Reject
# packets. See the comments at the top of the file for
# more details.
#
attr_filter attr_filter.access_reject {
key = %{User-Name}
attrsfile = ${confdir}/attrs.access_reject
}
# Enforce RFC requirements on the contents of the
# Accounting-Response packets. See the comments at the
# top of the file for more details.
#
attr_filter attr_filter.accounting_response {
key = %{User-Name}
attrsfile = ${confdir}/attrs.accounting_response
}
# counter module:
# This module takes an attribute (count-attribute).
# It also takes a key, and creates a counter for each unique
# key. The count is incremented when accounting packets are
# received by the server. The value of the increment depends
# on the attribute type.
# If the attribute is Acct-Session-Time or of an integer type
we add
# the value of the attribute. If it is anything else we
increase the
# counter by one.
#
# The 'reset' parameter defines when the counters are all reset
to
# zero. It can be hourly, daily, weekly, monthly or never.
#
# hourly: Reset on 00:00 of every hour
# daily: Reset on 00:00:00 every day
# weekly: Reset on 00:00:00 on sunday
# monthly: Reset on 00:00:00 of the first day of each month
#
# It can also be user defined. It should be of the form:
# num[hdwm] where:
# h: hours, d: days, w: weeks, m: months
# If the letter is ommited days will be assumed. In example:
# reset = 10h (reset every 10 hours)
# reset = 12 (reset every 12 days)
#
#
# The check-name attribute defines an attribute which will be
# registered by the counter module and can be used to set the
# maximum allowed value for the counter after which the user
# is rejected.
# Something like:
#
# DEFAULT Max-Daily-Session := 36000
# Fall-Through = 1
#
# You should add the counter module in the instantiate
# section so that it registers check-name before the files
# module reads the users file.
#
# If check-name is set and the user is to be rejected then we
# send back a Reply-Message and we log a Failure-Message in
# the radius.log
#
# If the count attribute is Acct-Session-Time then on each
# login we send back the remaining online time as a
# Session-Timeout attribute ELSE and if the reply-name is
# set, we send back that attribute. The reply-name attribute
# MUST be of an integer type.
#
# The counter-name can also be used instead of using the
check-name
# like below:
#
# DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject
# Reply-Message = "You've used up more than one hour today"
#
# The allowed-servicetype attribute can be used to only take
# into account specific sessions. For example if a user first
# logs in through a login menu and then selects ppp there will
# be two sessions. One for Login-User and one for Framed-User
# service type. We only need to take into account the second
one.
#
# The module should be added in the instantiate, authorize and
# accounting sections. Make sure that in the authorize
# section it comes after any module which sets the
# 'check-name' attribute.
#
counter daily {
filename = ${db_dir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
reply-name = Session-Timeout
allowed-servicetype = Framed-User
cache-size = 5000
}
#
# This module is an SQL enabled version of the counter module.
#
# Rather than maintaining seperate (GDBM) databases of
# accounting info for each counter, this module uses the data
# stored in the raddacct table by the sql modules. This
# module NEVER does any database INSERTs or UPDATEs. It is
# totally dependent on the SQL module to process Accounting
# packets.
#
#$INCLUDE sql/mysql/counter.conf
#$INCLUDE sql/postgresql/counter.conf
#
# The "always" module is here for debugging purposes. Each
# instance simply returns the same result, always, without
# doing anything.
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always noop {
rcode = noop
}
always handled {
rcode = handled
}
always updated {
rcode = updated
}
always notfound {
rcode = notfound
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
#
# The 'expression' module currently has no configuration.
#
# This module is useful only for 'xlat'. To use it,
# put 'exec' into the 'instantiate' section. You can then
# do dynamic translation of attributes like:
#
# Attribute-Name = `%{expr:2 + 3 + %{exec: uid -u}}`
#
# The value of the attribute will be replaced with the output
# of the program which is executed. Due to RADIUS protocol
# limitations, any output over 253 bytes will be ignored.
#
# The module also registers a few paircompare functions
expr {
}
#
# The 'digest' module currently has no configuration.
#
# "Digest" authentication against a Cisco SIP server.
# See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
# on performing digest authentication for Cisco SIP servers.
#
digest {
}
#
# The expiration module. This handles the Expiration attribute
# It should be included in the *end* of the authorize section
# in order to handle user Expiration. It should also be included
# in the instantiate section in order to register the Expiration
# compare function
#
expiration {
#
# The Reply-Message which will be sent back in case the
# account has expired. Dynamic substitution is supported
#
reply-message = "Password Has Expired\r\n"
# reply-message = "Your account has expired,
%{User-Name}\r\n"
}
# The logintime module. This handles the Login-Time,
# Current-Time, and Time-Of-Day attributes. It should be
# included in the *end* of the authorize section in order to
# handle Login-Time checks. It should also be included in the
# instantiate section in order to register the Current-Time
# and Time-Of-Day comparison functions.
#
# When the Login-Time attribute is set to some value, and the
# user has bene permitted to log in, a Session-Timeout is
# calculated based on the remaining time. See "doc/README".
#
logintime {
#
# The Reply-Message which will be sent back in case
# the account is calling outside of the allowed
# timespan. Dynamic substitution is supported.
#
reply-message = "You are calling outside your allowed
timespan\r\n"
# reply-message = "Outside allowed timespan
(%{control:Login-Time}), %{User-Name}\r\n"
# The minimum timeout (in seconds) a user is allowed
# to have. If the calculated timeout is lower we don't
# allow the logon. Some NASes do not handle values
# lower than 60 seconds well.
minimum-timeout = 60
}
#
# Execute external programs
#
# This module is useful only for 'xlat'. To use it,
# put 'exec' into the 'instantiate' section. You can then
# do dynamic translation of attributes like:
#
# Attribute-Name = `%{exec:/path/to/program args}`
#
# The value of the attribute will be replaced with the output
# of the program which is executed. Due to RADIUS protocol
# limitations, any output over 253 bytes will be ignored.
#
# The RADIUS attributes from the user request will be placed
# into environment variables of the executed program, as
# described in 'doc/variables.txt'
#
exec {
wait = yes
input_pairs = request
shell_escape = yes
output = none
}
#
# This is a more general example of the execute module.
#
# This one is called "echo".
#
# Attribute-Name = `%{echo:/path/to/program args}`
#
# If you wish to execute an external program in more than
# one section (e.g. 'authorize', 'pre_proxy', etc), then it
# is probably best to define a different instance of the
# 'exec' module for every section.
#
# The return value of the program run determines the result
# of the exec instance call as follows:
# (See doc/configurable_failover for details)
#
# < 0 : fail the module failed
# = 0 : ok the module succeeded
# = 1 : reject the module rejected the user
# = 2 : fail the module failed
# = 3 : ok the module succeeded
# = 4 : handled the module has done everything to handle the
request
# = 5 : invalid the user's configuration entry was invalid
# = 6 : userlock the user was locked out
# = 7 : notfound the user was not found
# = 8 : noop the module did nothing
# = 9 : updated the module updated information in the request
# > 9 : fail the module failed
#
exec echo {
#
# Wait for the program to finish.
#
# If we do NOT wait, then the program is "fire and
# forget", and any output attributes from it are
ignored.
#
# If we are looking for the program to output
# attributes, and want to add those attributes to the
# request, then we MUST wait for the program to
# finish, and therefore set 'wait=yes'
#
# allowed values: {no, yes}
wait = yes
#
# The name of the program to execute, and it's
# arguments. Dynamic translation is done on this
# field, so things like the following example will
# work.
#
program = "/bin/echo %{User-Name}"
#
# The attributes which are placed into the
# environment variables for the program.
#
# Allowed values are:
#
# request attributes from the request
# config attributes from the
configuration items list
# reply attributes from the reply
# proxy-request attributes from the proxy
request
# proxy-reply attributes from the proxy reply
#
# Note that some attributes may not exist at some
# stages. e.g. There may be no proxy-reply
# attributes if this module is used in the
# 'authorize' section.
#
input_pairs = request
#
# Where to place the output attributes (if any) from
# the executed program. The values allowed, and the
# restrictions as to availability, are the same as
# for the input_pairs.
#
output_pairs = reply
#
# When to execute the program. If the packet
# type does NOT match what's listed here, then
# the module does NOT execute the program.
#
# For a list of allowed packet types, see
# the 'dictionary' file, and look for VALUEs
# of the Packet-Type attribute.
#
# By default, the module executes on ANY packet.
# Un-comment out the following line to tell the
# module to execute only if an Access-Accept is
# being sent to the NAS.
#
#packet_type = Access-Accept
#
# Should we escape the environment variables?
#
# If this is set, all the RADIUS attributes
# are capitalised and dashes replaced with
# underscores. Also, RADIUS values are surrounded
# with double-quotes.
#
# That is to say: User-Name=BobUser =>
USER_NAME="BobUser"
shell_escape = yes
}
# Do server side ip pool management. Should be added in
# post-auth and accounting sections.
#
# The module also requires the existance of the Pool-Name
# attribute. That way the administrator can add the Pool-Name
# attribute in the user profiles and use different pools for
# different users. The Pool-Name attribute is a *check* item
# not a reply item.
#
# The Pool-Name should be set to the ippool module instance
# name or to DEFAULT to match any module.
#
# Example:
# radiusd.conf: ippool students { [...] }
# ippool teachers { [...] }
# users file : DEFAULT Group == students, Pool-Name :=
"students"
# DEFAULT Group == teachers, Pool-Name :=
"teachers"
# DEFAULT Group == other, Pool-Name := "DEFAULT"
#
# ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST
*********
# ********* THEN ERASE THE DB FILES
*********
#
ippool main_pool {
# range-start,range-stop:
# The start and end ip addresses for this pool.
range-start = 192.168.1.1
range-stop = 192.168.3.254
# netmask:
# The network mask used for this pool.
netmask = 255.255.255.0
# cache-size:
# The gdbm cache size for the db files. Should
# be equal to the number of ip's available in
# the ip pool
cache-size = 800
# session-db:
# The main db file used to allocate addresses.
session-db = ${db_dir}/db.ippool
# ip-index:
# Helper db index file used in multilink
ip-index = ${db_dir}/db.ipindex
# override:
# If set, the Framed-IP-Address already in the
# reply (if any) will be discarded, and replaced
# with a Framed-IP-Address assigned here.
override = no
# maximum-timeout:
# Specifies the maximum time in seconds that an
# entry may be active. If set to zero, means
# "no timeout". The default value is 0
maximum-timeout = 0
# key:
# The key to use for the session database (which
# holds the allocated ip's) normally it should
# just be the nas ip/port (which is the default).
#
# If your NAS sends the same value of NAS-Port
# all requests, the key should be based on some
# other attribute that is in ALL requests, AND
# is unique to each machine needing an IP address.
#key = "%{NAS-IP-Address} %{NAS-Port}"
}
# $INCLUDE sqlippool.conf
# OTP token support. Not included by default.
# $INCLUDE otp.conf
#
# Kerberos. See doc/rlm_krb5 for minimal docs.
#
# krb5 {
# keytab = /path/to/keytab
# service_principal = name_of_principle
# }
#
# Module implementing a DIFFERENT policy language.
# The syntax here is NOT "unlang", but something else.
#
# See the "policy.txt" file for documentation and examples.
#
policy {
# The only configuration item is a filename containing
# the policies to execute.
#
# When "policy" is listed in a section (e.g.
"authorize"),
# it will run a policy named for that section.
#
filename = ${confdir}/policy.txt
}
}
# Instantiation
#
# This section orders the loading of the modules. Modules
# listed here will get loaded BEFORE the later sections like
# authorize, authenticate, etc. get examined.
#
# This section is not strictly needed. When a section like
# authorize refers to a module, it's automatically loaded and
# initialized. However, some modules may not be listed in any
# of the following sections, so they can be listed here.
#
# Also, listing modules here ensures that you have control over
# the order in which they are initalized. If one module needs
# something defined by another module, you can list them in order
# here, and ensure that the configuration will be OK.
#
instantiate {
#
# Allows the execution of external scripts.
# The entire command line (and output) must fit into 253 bytes.
#
# e.g. Framed-Pool = `%{exec:/bin/echo foo}`
exec
#
# The expression module doesn't do authorization,
# authentication, or accounting. It only does dynamic
# translation, of the form:
#
# Session-Timeout = `%{expr:2 + 3}`
#
# So the module needs to be instantiated, but CANNOT be
# listed in any other section. See 'doc/rlm_expr' for
# more information.
#
expr
#
# We add the counter module here so that it registers
# the check-name attribute before any module which sets
# it
# daily
expiration
logintime
# subsections here can be thought of as "virtual" modules.
#
# e.g. If you have two redundant SQL servers, and you want to
# use them in the authorize and accounting sections, you could
# place a "redundant" block in each section, containing the
# exact same text. Or, you could uncomment the following
# lines, and list "redundant_sql" in the authorize and
# accounting sections.
#
#redundant redundant_sql {
# sql1
# sql2
#}
}
######################################################################
#
# Policies that can be applied in multiple places are listed
# globally. That way, they can be defined once, and referred
# to multiple times.
#
######################################################################
$INCLUDE policy.conf
######################################################################
#
# As of 2.0.0, the "authorize", "authenticate", etc. sections
# are in separate configuration files, per virtual host.
#
######################################################################
######################################################################
#
# Include all enabled virtual hosts.
#
# The following directory is searched for files that match
# the regex:
#
# /[a-zA-Z0-9_.]+/
#
# The files are then included here, just as if they were cut
# and pasted into this file.
#
# See "sites-enabled/default" for some additional documentation.
#
$INCLUDE sites-enabled/
# -*- text -*-
##
## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
## $Id: eap.conf,v 1.24 2008/02/26 09:32:29 aland Exp $
#######################################################################
#
# Whatever you do, do NOT set 'Auth-Type := EAP'. The server
# is smart enough to figure this out on its own. The most
# common side effect of setting 'Auth-Type := EAP' is that the
# users then cannot use ANY other authentication method.
#
# EAP types NOT listed here may be supported via the "eap2" module.
# See experimental.conf for documentation.
#
eap {
# Invoke the default supported EAP type when
# EAP-Identity response is received.
#
# The incoming EAP messages DO NOT specify which EAP
# type they will be using, so it MUST be set here.
#
# For now, only one default EAP type may be used at a
time.
#
# If the EAP-Type attribute is set by another module,
# then that EAP type takes precedence over the
# default type configured here.
#
#default_eap_type = md5
default_eap_type = peap
# A list is maintained to correlate EAP-Response
# packets with EAP-Request packets. After a
# configurable length of time, entries in the list
# expire, and are deleted.
#
timer_expire = 60
# There are many EAP types, but the server has support
# for only a limited subset. If the server receives
# a request for an EAP type it does not support, then
# it normally rejects the request. By setting this
# configuration to "yes", you can tell the server to
# instead keep processing the request. Another module
# MUST then be configured to proxy the request to
# another RADIUS server which supports that EAP type.
#
# If another module is NOT configured to handle the
# request, then the request will still end up being
# rejected.
ignore_unknown_eap_types = no
# Cisco AP1230B firmware 12.2(13)JA1 has a bug. When
given
# a User-Name attribute in an Access-Accept, it copies
one
# more byte than it should.
#
# We can work around it by configurably adding an extra
# zero byte.
cisco_accounting_username_bug = no
# Supported EAP-types
#
# We do NOT recommend using EAP-MD5 authentication
# for wireless connections. It is insecure, and does
# not provide for dynamic WEP keys.
#
#md5 {
#}
# Cisco LEAP
#
# We do not recommend using LEAP in new deployments.
See:
# http://www.securiteam.com/tools/5TP012ACKE.html
#
# Cisco LEAP uses the MS-CHAP algorithm (but not
# the MS-CHAP attributes) to perform it's
authentication.
#
# As a result, LEAP *requires* access to the plain-text
# User-Password, or the NT-Password attributes.
# 'System' authentication is impossible with LEAP.
#
#leap {
#}
# Generic Token Card.
#
# Currently, this is only permitted inside of EAP-TTLS,
# or EAP-PEAP. The module "challenges" the user with
# text, and the response from the user is taken to be
# the User-Password.
#
# Proxying the tunneled EAP-GTC session is a bad idea,
# the users password will go over the wire in
plain-text,
# for anyone to see.
#
gtc {
# The default challenge, which many clients
# ignore..
#challenge = "Password: "
# The plain-text response which comes back
# is put into a User-Password attribute,
# and passed to another module for
# authentication. This allows the EAP-GTC
# response to be checked against plain-text,
# or crypt'd passwords.
#
# If you say "Local" instead of "PAP", then
# the module will look for a User-Password
# configured for the request, and do the
# authentication itself.
#
auth_type = PAP
}
## EAP-TLS
#
# See raddb/certs/README for additional comments
# on certificates.
#
# If OpenSSL was not found at the time the server was
# built, the "tls", "ttls", and "peap" sections will
# be ignored.
#
# Otherwise, when the server first starts in debugging
# mode, test certificates will be created. See the
# "make_cert_command" below for details, and the README
# file in raddb/certs
#
# These test certificates SHOULD NOT be used in a
normal
# deployment. They are created only to make it easier
# to install the server, and to perform some simple
# tests with EAP-TLS, TTLS, or PEAP.
#
# See also:
#
#
http://www.dslreports.com/forum/remark,9286052~mode=flat
#
tls {
#
# These is used to simplify later
configurations.
#
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_password = cnsradius
#private_key_file = ${certdir}/ns1.pem
private_key_file = ${certdir}/server.pem
# If Private key & Certificate are located in
# the same file, then private_key_file &
# certificate_file must contain the same file
# name.
#
# If CA_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
#certificate_file =
${certdir}/cnsradius02.ads.****.org.pem
certificate_file = ${certdir}/server.pem
# Trusted Root CA list
#
# ALL of the CA's in this list will be trusted
# to issue client certificates for
authentication.
#
# In general, you should use self-signed
# certificates for 802.1x (EAP) authentication.
# In that case, this CA file should contain
# *one* CA certificate.
#
# This parameter is used only for EAP-TLS,
# when you issue client certificates. If you
do
# not use client certificates, and you do not
want
# to permit EAP-TLS authentication, then delete
# this configuration item.
CA_file = ${cadir}/ca.pem
#CA_file = ${cadir}/****CA.pem
#
# For DH cipher suites to work, you have to
# run OpenSSL to create the DH file first:
#
# openssl dhparam -out certs/dh 1024
#
dh_file = ${certdir}/dh
random_file = ${certdir}/random
#
# This can never exceed the size of a RADIUS
# packet (4096 bytes), and is preferably half
# that, to accomodate other attributes in
# RADIUS packet. On most APs the MAX packet
# length is configured between 1500 - 1600
# In these cases, fragment size should be
# 1024 or less.
#
# fragment_size = 1024
# include_length is a flag which is
# by default set to yes If set to
# yes, Total Length of the message is
# included in EVERY packet we send.
# If set to no, Total Length of the
# message is included ONLY in the
# First packet of a fragment series.
#
# include_length = yes
# Check the Certificate Revocation List
#
# 1) Copy CA certificates and CRLs to same
directory.
# 2) Execute 'c_rehash <CA certs&CRLs
Directory>'.
# 'c_rehash' is OpenSSL's command.
# 3) uncomment the line below.
# 5) Restart radiusd
# check_crl = yes
# CA_path =
/path/to/directory/with/ca_certs/and/crls/
#
# If check_cert_issuer is set, the value will
# be checked against the DN of the issuer in
# the client certificate. If the values do not
# match, the cerficate verification will fail,
# rejecting the user.
#
# check_cert_issuer =
"/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
#
# If check_cert_cn is set, the value will
# be xlat'ed and checked against the CN
# in the client certificate. If the values
# do not match, the certificate verification
# will fail rejecting the user.
#
# This check is done only if the previous
# "check_cert_issuer" is not set, or if
# the check succeeds.
#
# check_cert_cn = %{User-Name}
#
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
cipher_list = "DEFAULT"
#
# This configuration entry should be deleted
# once the server is running in a normal
# configuration. It is here ONLY to make
# initial deployments easier.
#
# make_cert_command = "${certdir}/bootstrap"
}
# The TTLS module implements the EAP-TTLS protocol,
# which can be described as EAP inside of Diameter,
# inside of TLS, inside of EAP, inside of RADIUS...
#
# Surprisingly, it works quite well.
#
# The TTLS module needs the TLS module to be installed
# and configured, in order to use the TLS tunnel
# inside of the EAP packet. You will still need to
# configure the TLS module, even if you do not want
# to deploy EAP-TLS in your network. Users will not
# be able to request EAP-TLS, as it requires them to
# have a client certificate. EAP-TTLS does not
# require a client certificate.
#
# You can make TTLS require a client cert by setting
#
# EAP-TLS-Require-Client-Cert = Yes
#
# in the control items for a request.
#
ttls {
# The tunneled EAP session needs a default
# EAP type which is separate from the one for
# the non-tunneled EAP module. Inside of the
# TTLS tunnel, we recommend using EAP-MD5.
# If the request does not contain an EAP
# conversation, then this configuration entry
# is ignored.
#default_eap_type = md5
default_eap_type = gtc
# The tunneled authentication request does
# not usually contain useful attributes
# like 'Calling-Station-Id', etc. These
# attributes are outside of the tunnel,
# and normally unavailable to the tunneled
# authentication request.
#
# By setting this configuration entry to
# 'yes', any attribute which NOT in the
# tunneled authentication request, but
# which IS available outside of the tunnel,
# is copied to the tunneled request.
#
# allowed values: {no, yes}
copy_request_to_tunnel = yes
# The reply attributes sent to the NAS are
# usually based on the name of the user
# 'outside' of the tunnel (usually
# 'anonymous'). If you want to send the
# reply attributes based on the user name
# inside of the tunnel, then set this
# configuration entry to 'yes', and the reply
# to the NAS will be taken from the reply to
# the tunneled request.
#
# allowed values: {no, yes}
#use_tunneled_reply = no
#
# The inner tunneled request can be sent
# through a virtual server constructed
# specifically for this purpose.
#
# If this entry is commented out, the inner
# tunneled request will be sent through
# the virtual server that processed the
# outer requests.
#
virtual_server = "inner-tunnel"
}
##################################################
#
# !!!!! WARNINGS for Windows compatibility !!!!!
#
##################################################
#
# If you see the server send an Access-Challenge,
# and the client never sends another Access-Request,
# then
#
# STOP!
#
# The server certificate has to have special OID's
# in it, or else the Microsoft clients will silently
# fail. See the "scripts/xpextensions" file for
# details, and the following page:
#
# http://support.microsoft.com/kb/814394/en-us
#
# For additional Windows XP SP2 issues, see:
#
# http://support.microsoft.com/kb/885453/en-us
#
# Note that we do not necessarily agree with their
# explanation... but the fix does appear to work.
#
##################################################
#
# The tunneled EAP session needs a default EAP type
# which is separate from the one for the non-tunneled
# EAP module. Inside of the TLS/PEAP tunnel, we
# recommend using EAP-MS-CHAPv2.
#
# The PEAP module needs the TLS module to be installed
# and configured, in order to use the TLS tunnel
# inside of the EAP packet. You will still need to
# configure the TLS module, even if you do not want
# to deploy EAP-TLS in your network. Users will not
# be able to request EAP-TLS, as it requires them to
# have a client certificate. EAP-PEAP does not
# require a client certificate.
#
#
# You can make TTLS require a client cert by setting
#
# EAP-TLS-Require-Client-Cert = Yes
#
# in the control items for a request.
#
peap {
# The tunneled EAP session needs a default
# EAP type which is separate from the one for
# the non-tunneled EAP module. Inside of the
# PEAP tunnel, we recommend using MS-CHAPv2,
# as that is the default type supported by
# Windows clients.
default_eap_type = mschapv2
# the PEAP module also has these configuration
# items, which are the same as for TTLS.
#copy_request_to_tunnel = no
#use_tunneled_reply = no
# When the tunneled session is proxied, the
# home server may not understand EAP-MSCHAP-V2.
# Set this entry to "no" to proxy the tunneled
# EAP-MSCHAP-V2 as normal MSCHAPv2.
#proxy_tunneled_request_as_eap = yes
#
# The inner tunneled request can be sent
# through a virtual server constructed
# specifically for this purpose.
#
# If this entry is commented out, the inner
# tunneled request will be sent through
# the virtual server that processed the
# outer requests.
#
virtual_server = "inner-tunnel"
}
#
# This takes no configuration.
#
# Note that it is the EAP MS-CHAPv2 sub-module, not
# the main 'mschap' module.
#
# Note also that in order for this sub-module to work,
# the main 'mschap' module MUST ALSO be configured.
#
# This module is the *Microsoft* implementation of
MS-CHAPv2
# in EAP. There is another (incompatible)
implementation
# of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does
not
# currently support.
#
mschapv2 {
}
}
More information about the Freeradius-Users
mailing list