AD, Groups, and LDAP (was Re: separating Users?)

freeradius at corwyn.net freeradius at corwyn.net
Thu Dec 3 22:44:36 CET 2009


Having just followed all of those instructions to 
build out my production systems, I have a few 
tweaks to fix all those little things that drive 
one insane when following someone's instructions 
because they never tested them.


Using FreeRADIUS2

Rick Steeves – 091203
freeradius2 at corwyn.net

Setup, configuration, troubleshooting instructions, on CentOS 5.x
Goals:
o       Authentication of telnet sessions for Cisco
switches against AD for a specific security group (Infrastructure)
o       Authentication for VPN users using MSCHAP
on a SonicWall firewall using a Windows VPN
client with L2TP against AD for a specific security group (VPN_Users)
Install
The linux site for the rpm download of freeradius2 is:
http://people.redhat.com/jdennis/freeradius-rhel-centos

Create /etc/yum.repos.d/freeradius2.repo:

[freeradius2]
name=Freeradius2
baseurl=http://people.redhat.com/jdennis/freeradius-rhel-centos
enabled=1
gpgcheck=0

Install freeradius2:
yum clean all
yum install freeradius2 freeradius2-utils freeradius2-ldap

Enable FreeRadius to start on boot:
chkconfig radiusd on

To start the freeRadius service
service radiusd start

To run the service in debug mode (which you 
should be doing until everything works):
service radiusd stop
radiusd -X
Quirks
If you get an error from the output of radiusd -X along the lines of:

Exec-Program output: winbind client not 
authorized to use winbindd_pam_auth_crap.  Ensure 
permissions on 
/var/cache/samba/winbindd_privileged are set correctly. (0xc0000022)

then the issue is that radiusd doesn't have 
access to the winbindd_privileged folder. You can fix with:

chgrp radiusd /var/cache/samba/winbindd_privileged
chmod g+rw /var/cache/samba/winbindd_privileged
Configuration
See http://deployingradius.com/documents/configuration/active_directory.html

Note that the configuring of SAMBA, kerberos, and 
adding to the domain should already be done as 
part of the default Linux install, see 
h:\is\operating system\Linux\Guide_linux.doc
Verify that a user in the domain can be authenticated:
wbinfo -a user%password
Try the same login with the ntlm_auth program, 
which is what FreeRADIUS will be using:
ntlm_auth --request-nt-key --domain=MYDOMAIN 
--username=user --password=password
/etc/raddb/radiusd.conf  (see Appendix C)

Update max_requests to # users * 256

Add to the end of the auth listen {..} (to permit groups of clients)
         clients = disambiguate

Add to the end of the acct listen {..}  (to permit groups of clients)
         clients = disambiguate

Add to the end of the modules{..} section (to
enable ntlm_auth as an authentication method):

exec ntlm_auth {
      wait = yes
      program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=example.com --username=%{mschap:User-Name} --password=%{User-Password}"
}

In log{..}

auth = yes      (to log authentication requests)
/etc/raddb/huntgroups
huntgroups let you restrict which clients are 
associated with which user. You will need to add 
each IP of each device that will be using the 
RADIUS server, and associate it with the correct 
huntgroup. This will let the /etc/raddb/users 
file associate the user with the appropriate device:

/etc/raddb/huntgroups:
Cisco_Huntgroup         NAS-IP-Address == 10.100.0.1
Cisco_Huntgroup         NAS-IP-Address == 10.100.0.2
Cisco_Huntgroup         NAS-IP-Address == 10.100.0.3


VPN_Huntgroup           NAS-IP-Address == 10.4.1.2
/etc/raddb/modules/ldap
If this file is missing, you need to install the RPM for freeradius2-ldap.

This section is one of the biggest pains to
configure, as all of your LDAP strings need to be
100% correct, and they will be very specific to
the environment. Of course, update server,
identity, password, basedn for your own environment.

You will need a user account in AD to permit the 
bind to LDAP. In this example, that account is in:
CN=_useraccount,OU=Service Accounts,OU=Special 
User Accounts,OU=Enterprise,DC=example,DC=com

In this example, the Security groups are located in (or below):
OU=Enterprise,DC=example,DC=com

ldap {
         server = "example.com"
         identity = "CN=_useraccount,OU=Service Accounts,OU=Special User Accounts,OU=Enterprise,DC=example,DC=com"
         password = secretpassword
         basedn = "OU=Enterprise,DC=example,DC=com"
         filter = "(&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))"
         groupmembership_attribute = "memberOf"
         ldap_connections_number = 5
         timeout = 4
         timelimit = 3
         net_timeout = 1
         tls {
                  start_tls = no
         }
         dictionary_mapping = ${confdir}/ldap.attrmap
         edir_account_policy_check = no
         groupname_attribute = cn
         groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
}
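As an added illustration (Python written for this page, not code from the post or from FreeRADIUS), the block below shows what the two filter strings above expand to for a given login, with the RFC 4515 escaping that has to be applied to anything taken from the request before it is placed in a filter, and a simplified model of how an Ldap-Group == "..." check is satisfied from the user's memberOf values when groupname_attribute = cn. The user names, DNs and group names are constructed sample values.

```python
import re

# RFC 4515 escaping for values substituted into an LDAP search filter.
# FreeRADIUS applies equivalent escaping itself when it expands %{...}
# inside the ldap module's filter strings; this shows what that must do.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def ldap_filter_escape(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(user_name, stripped_user_name=None):
    """Expand the page's filter line:
    (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))
    Stripped-User-Name is used when a realm/domain prefix or suffix was
    removed from the login name; otherwise the raw User-Name is used."""
    name = stripped_user_name or user_name
    return "(&(sAMAccountname=%s)(objectClass=person))" % ldap_filter_escape(name)


def group_filter(user_dn):
    """Expand the page's groupmembership_filter with the user's DN
    (%{control:Ldap-UserDn}, which rlm_ldap sets after the user search)."""
    dn = ldap_filter_escape(user_dn)
    return ("(|(&(objectClass=GroupOfNames)(member=%s))"
            "(&(objectClass=GroupOfUniqueNames)(uniquemember=%s)))" % (dn, dn))


# First RDN of a DN when it is a CN (handles backslash-escaped characters).
_CN_RE = re.compile(r"^CN=((?:\\.|[^,])+)", re.IGNORECASE)


def ldap_group_matches(member_of, wanted):
    """Simplified model of an 'Ldap-Group == "wanted"' check with
    groupmembership_attribute = memberOf and groupname_attribute = cn:
    the wanted value is accepted either as the full DN of one of the
    user's memberOf entries or as the CN of one of them. AD names are
    case-insensitive, so the comparison is too."""
    w = wanted.lower()
    for dn in member_of:
        if dn.lower() == w:
            return True
        m = _CN_RE.match(dn)
        if m and m.group(1).lower() == w:
            return True
    return False
```

Active Directory group objects carry objectClass group rather than GroupOfNames or GroupOfUniqueNames, so against AD it is the memberOf comparison that makes Ldap-Group match; the groupmembership_filter shown above is the stock fallback search from the module's default config. The escaping function is there to show why a login name such as *)(objectClass=* cannot widen the user search into something that matches more than one account.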
Configuration of different virtual sites
For this you'll have 3 general sites, default 
(used mostly for testing on 127.0.0.1), 
server_cisco (used to AAA the Cisco users), and 
server_vpn (used to AAA the VPN users). These 
live in /etc/raddb/sites-available/
inner-tunnel
Add:
ntlm_auth
to the end of the authenticate{..} section
default
Add:
  ntlm_auth
to the end of the authenticate{..} section
server_cisco (see Appendix B)
We're going to duplicate the default config, and 
modify it for that particular virtual server:

cp /etc/raddb/sites-available/default  /etc/raddb/sites-available/server_cisco

Edit server_cisco and change it from server{..} to server server_cisco{..}

Since we're not using any of these methods for 
the Ciscos, in authenticate{..} disable:   chap, 
mschap, suffix, ntdomain, unix, pap

Add to the end of the authorize{..} section:
ntlm_auth
server_vpn (see Appendix A)
cp /etc/raddb/sites-available/server_cisco 
/etc/raddb/sites-available/server_vpn
Edit server_vpn and change it from server 
server_cisco {..} to server server_vpn {..}

To get it to restrict who gets authorized based 
on the LDAP group, add to authorize {..}:
if(Huntgroup-Name == "VPN_Huntgroup") {
      if(Ldap-Group == "VPN_Users") {
         ok
      }
      else {
           reject
      }
}

Link sites-enabled to sites-available:
chown root:radiusd /etc/raddb/sites-available/server_cisco
chown root:radiusd /etc/raddb/sites-available/server_vpn

cd /etc/raddb/sites-enabled
ln -s ../sites-available/server_cisco server_cisco
ln -s ../sites-available/server_vpn server_vpn
/etc/raddb/clients.conf
This defines which individual clients connect to 
which virtual server, letting you differentiate 
the server config (including the secret) by client

Note: The secret needs to match the secret set on 
the respective client. Change the secret to an actual secret

clients disambiguate {
         client localhost {
                  ipaddr = 127.0.0.1
                  secret = testing123
                  require_message_authenticator = no
         }
         client VPN {
                  ipaddr = 10.4.1.2
                  secret = secret
                  virtual_server = server_vpn
         }
         client Cisco {
                  ipaddr = 10.100.0.0
                  netmask = 16
                  secret = secret
                  virtual_server = server_cisco
                  nastype = cisco
         }
}
/etc/raddb/users
This file determines which AAA is done against 
which device and associates the defined huntgroups with the type of AAA

#testuser Huntgroup-Name == Cisco_Huntgroup, Cleartext-Password:="testpass"
#        Service-Type:=NAS-Prompt-User,cisco-avpair:="shell:priv-lvl=15"
DEFAULT Huntgroup-Name == Cisco_Huntgroup, Auth-Type:=ntlm_auth, Ldap-Group == "Infrastructure"
         Service-Type:=NAS-Prompt-User,cisco-avpair:="shell:priv-lvl=15"
DEFAULT Huntgroup-Name == VPN_Huntgroup, Ldap-Group == "VPN_Users"
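To see how huntgroups, clients.conf, the users file and the unlang block in server_vpn combine into a single accept/reject decision, here is an added Python model of that policy. It is not FreeRADIUS code and does not read the real files; the three tables are constructed copies of the entries shown above, and the group names passed in stand for what the ldap module would find in the user's memberOf attribute. It returns the decision, the virtual server the request lands in, and the reply items the matching DEFAULT entry would send.

```python
import ipaddress

# Constructed sample tables mirroring the page's /etc/raddb/huntgroups,
# clients.conf and users entries (not read from the real files).
HUNTGROUPS = [
    ("Cisco_Huntgroup", "10.100.0.1"),
    ("Cisco_Huntgroup", "10.100.0.2"),
    ("Cisco_Huntgroup", "10.100.0.3"),
    ("VPN_Huntgroup", "10.4.1.2"),
]

# client name, ipaddr/netmask, virtual server (None = the default server)
CLIENTS = [
    ("localhost", "127.0.0.1/32", None),
    ("VPN", "10.4.1.2/32", "server_vpn"),
    ("Cisco", "10.100.0.0/16", "server_cisco"),
]

# The two DEFAULT entries of the users file: huntgroup check, Ldap-Group
# check, and the reply items returned when both match.
USERS_DEFAULTS = [
    ("Cisco_Huntgroup", "Infrastructure",
     {"Service-Type": "NAS-Prompt-User", "cisco-avpair": "shell:priv-lvl=15"}),
    ("VPN_Huntgroup", "VPN_Users", {}),
]


def client_for(nas_ip):
    """clients.conf lookup: which client block (and therefore which
    virtual server) owns the source address. The most specific network
    wins when client networks overlap."""
    addr = ipaddress.ip_address(nas_ip)
    best = None
    for name, net, vserver in CLIENTS:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[2]):
            best = (name, vserver, network.prefixlen)
    return None if best is None else (best[0], best[1])


def huntgroup_for(nas_ip):
    """preprocess sets Huntgroup-Name from the huntgroups entry whose
    NAS-IP-Address check matches the request."""
    for name, ip in HUNTGROUPS:
        if ip == nas_ip:
            return name
    return None


def authorize(nas_ip, member_of):
    """Outcome of the page's policy for a request from nas_ip by a user
    who belongs to the AD groups in member_of.
    Returns (decision, virtual_server, reply_items)."""
    client = client_for(nas_ip)
    if client is None:
        # Packets from unknown clients are ignored, not answered with a
        # reject, so the device sees only a timeout.
        return ("drop", None, {})
    _, vserver = client
    hg = huntgroup_for(nas_ip)
    for want_hg, want_group, reply in USERS_DEFAULTS:
        if hg == want_hg and want_group in member_of:
            return ("ok", vserver, dict(reply))
    # No DEFAULT entry matched. On the Cisco path nothing sets Auth-Type,
    # so authentication cannot proceed; on the VPN path the unlang block
    # in server_vpn returns reject. Either way the login is refused.
    return ("reject", vserver, {})
```

One thing the model makes visible is the point of the "Adding/changing Devices" section further down: a switch that sits inside the 10.100.0.0/16 client block but is missing from huntgroups is accepted as a client yet never gets Huntgroup-Name set, so every login from it is refused until the huntgroups entry is added.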
/etc/raddb/modules/mschap
mschap {
         ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain:-example.com} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
Cisco config

On each switch, you have to point the
authentication, authorization, and accounting to
the RADIUS server. You'll want to have defined
login and enable passwords already in case you
screw up. You can then just bring the RADIUS
server down and it will default to the next form of authentication:

aaa authentication login default group radius line
aaa authentication enable default group radius enable
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting system default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting commands 1 default stop-only group radius
aaa accounting commands 15 default wait-start group radius
radius host 10.10.20.23 auth-port 1812 acct-port 1813 timeout 3
radius host 10.11.20.25 auth-port 1812 acct-port 1813 timeout 3
radius host 10.10.20.24 auth-port 1812 acct-port 1813 timeout 3
radius-server directed-request restricted
radius key <sharedsecret>
radius retransmit 0
privilege exec level 1 show configuration

For local LAN switches (to control which IP 
address is used to connect to RADIUS, important since the clients are by IP)
ip radius source-interface Vlan100

What this config does is set the sequence of 
things the Cisco switch tries to use to 
authenticate (and authorize) the user. Example:
aaa authentication login default group radius line

means, for login, check:
group radius: The defined RADIUS servers
line: the password for line input

Others are:
enable: the password for enable input
local: a locally defined AAA user account,
configured with username <username> password <password>

SonicWall config
Sorry, outside the scope of this document.
Adding/changing Devices
To add a new Cisco Switch
Add the switch to the appropriate huntgroup in 
/etc/raddb/huntgroups so it associates with the 
correct user authorization method in /etc/raddb/users

Add  a new client entry for the switch in 
/etc/raddb/clients.conf. The name of the client 
is what's used in the log entries.
To add/change user authentication
Update the entries in /etc/raddb/users.   If you 
actually need to add a totally new authentication 
method, you'll have to update the appropriate 
entries in the individual server config, and 
likely update the config for the individual 
authentication module in /etc/raddb/modules
Checking Logs
Logs for the main RADIUS server are in /var/log/radius/radius.log

Logs for Accounting for individual devices are in 
/var/log/radius/radacct/<ip address of client>
Troubleshooting:
If you're having problems, the easiest thing to
do is stop the service and restart it in debug mode:
service radiusd stop
radiusd -X

and then try the thing that's failing again and look at the logs.

To authenticate against a specific RADIUS server, 
you can specify the RADIUS server in the user login with:
userid at ip.add.r.ess    (this works because of the 
radius-server directed-request restricted entry on the switch)
Different Testing methods
From Windows:
Ntradping.exe

From Linux:
radtest testuser testpass  localhost  0  testing123
ntlm_auth --request-nt-key --domain=example.com 
--username=testuser --password=testpass
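As an added example (Python written for this page, not radtest's or FreeRADIUS's code), this is what the radtest command above puts on the wire: a PAP Access-Request whose User-Password attribute is hidden with MD5 keyed on the shared secret and the Request Authenticator (RFC 2865 section 5.2). The decode function shows that whoever holds the secret and a capture of the packet gets the password back, which is why the clients.conf note above insists on replacing secret and testing123 with real secrets. The VPN path uses MS-CHAP and never carries the password itself; the Cisco telnet path does, as PAP, which is what the exec ntlm_auth module's %{User-Password} consumes. The NAS address, user name and password here are constructed sample values.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes,
    then XOR each block with MD5(secret + previous block); the first block
    uses the Request Authenticator as the 'previous block'."""
    clear = password.encode()
    clear += b"\x00" * (-len(clear) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(clear), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(clear[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password: needs only the shared secret and the
    authenticator, and the authenticator travels in the packet header."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00").decode(errors="replace")


def attribute(attr_type, value):
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(username, password, secret, nas_ip, ident=0, authenticator=None):
    """The packet `radtest user pass server 0 secret` sends (PAP)."""
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator: random per request
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(NAS_PORT, struct.pack("!I", 0)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, authenticator, attrs


def recover_password_from_packet(packet, secret):
    """What the server (or anyone else with the secret) does with a
    captured Access-Request to obtain the PAP password."""
    _, _, authenticator, attrs = parse_packet(packet)
    return reveal_password(attrs[USER_PASSWORD], secret, authenticator)
```

Note that this hiding is not encryption in any modern sense: a weak or shared-everywhere secret turns every captured PAP request into a recoverable password, and the RADIUS traffic between the switches and the server should be confined to a management network for the same reason.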

Appendix A – server_vpn
server server_vpn {
authorize {
         preprocess
         mschap
         files
         ldap
if(Huntgroup-Name == "VPN_Huntgroup") {
      if(Ldap-Group == "VPN_Users") {
         ok
      }
      else {
           reject
      }
}
}
authenticate {
         Auth-Type PAP {
                 pap
         }
         Auth-Type CHAP {
                 chap
         }
         Auth-Type MS-CHAP {
                 mschap
         }
  ntlm_auth
}
preacct {
         preprocess
         acct_unique
         files
}
accounting {
         detail
         radutmp
         attr_filter.accounting_response
}
session {
         radutmp
}
post-auth {
         exec
         Post-Auth-Type REJECT {
                 attr_filter.access_reject
         }
}
pre-proxy {
}
post-proxy {
}
}

Appendix B: server_cisco
server server_cisco {
authorize {
         preprocess
         mschap
         files
         ldap
}
authenticate {
         Auth-Type PAP {
                 pap
         }
         Auth-Type CHAP {
                 chap
         }
         Auth-Type MS-CHAP {
                 mschap
         }
ntlm_auth
}
preacct {
         preprocess
         acct_unique
         files
}
accounting {
         detail
         radutmp
         attr_filter.accounting_response
}
session {
         radutmp
}
post-auth {
         exec
         Post-Auth-Type REJECT {
                 attr_filter.access_reject
         }
}
pre-proxy {
}
post-proxy {
}
}

Appendix C – radiusd.conf
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
user = radiusd
group = radiusd
max_request_time = 30
cleanup_delay = 5
max_requests = 25600
listen {
         type = auth
         ipaddr = *
         port = 0
         clients = disambiguate
}
listen {
         ipaddr = *
         port = 0
         type = acct
         clients = disambiguate
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
log {
         destination = files
         file = ${logdir}/radius.log
         syslog_facility = daemon
         stripped_names = no
         auth = yes
         auth_badpass = no
         auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
         max_attributes = 200
         reject_delay = 1
         status_server = yes
}
proxy_requests  = no
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
         start_servers = 5
         max_servers = 32
         min_spare_servers = 3
         max_spare_servers = 10
         max_requests_per_server = 0
}
modules {
         $INCLUDE ${confdir}/modules/
exec ntlm_auth {
                 wait = yes
                 program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=example.com --username=%{mschap:User-Name} --password=%{User-Password}"
         }
}
instantiate {
         exec
         expr
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/




At 06:31 PM 12/1/2009, freeradius at corwyn.net wrote:


>Well, thanks to an inordinate amount of help, 
>I've got my RADIUS server up and running exactly how I want it to.
>
>As part of my business process, I've got a 
>detailed doc on how the server is/was 
>constructed. I'd like to contribute that to the 
>wiki, but I don't see that I can create an account.
>
>Also, since it drives me nuts when I'm searching 
>on line for a fix, and an email thread ends JUST 
>before I have the data that I need, or a piece 
>is missing, here's that documentation as well
>
>Rick Steeves - 091201
>freeradius2 at corwyn.net
>
>Setup and configuration instructions, on CentOS 5.x
>Goals:
>o       Authentication telnet sessions for Cisco 
>switches against AD for a specific security group (Infrastructure)
>o       Authentication for VPN users using 
>MSCHAP on a sonicwall firewall using a Windows 
>VPN client with L2TP against AD for a specific security group (VPN_Users)
>Install
>The linux site for the rpm download of freeradius2 is:
>http://people.redhat.com/jdennis/freeradius-rhel-centos
>
>Create /etc/yum.repos.d/freeradius2.repo:
>
>[freeradius2]
>name=Freeradius2
>baseurl=http://people.redhat.com/jdennis/freeradius-rhel-centos
>enabled=1
>gpgenabled=0
>
>Install freeradius2:
>yum install freeradius2 freeradius2-utils freeradius2-ldap
>
>Enable FreeRadius to start on boot:
>chkconfig radiusd on
>
>To start the freeRadius service
>service radiusd start
>
>To run the service in debug mode (which you 
>should be doing until everything works):
>service radiusd stop
>radiusd -X
>Configuration
>http://deployingradius.com/documents/configuration/active_directory.html
>
>Note that the configuring of SAMBA, kerberos, 
>and adding to the domain should already be done 
>as part of the default Linux install, see 
>h:\is\operating system\Linux\Guide_linux.doc
>Verify that a user in the domain can be authenticated:
>wbinfo -a user%password
>Try the same login with the ntlm_auth program, 
>which is what FreeRADIUS will be using:
>ntlm_auth --request-nt-key --domain=MYDOMAIN 
>--username=user --password=password
>./raddb/radiusd.conf  (see Appendix C)
>
>Update max_requests to # users * 256
>
>Add to the end of the auth listen {..}
>         clients = disambiguate
>
>Add to the end of the acct listen {..}
>         clients = disambiguate
>
>Add to the end of the modules{..} section:
>
>exec ntlm_auth {
>      wait = yes
>      program = "/usr/bin/ntlm_auth ntlm_auth 
> --request-nt-key --domain=example.com 
> -username=%{mschap:User-Name} --password=%{User-Password}"
>}
>
>In log {..}
>
>auth = yes
>huntgroups
>huntgroups let you restrict which clients are 
>associated with which user. You will need to add 
>each IP of each device that will be using the 
>RADIUS server, and associate it with the correct 
>huntgroup. This will let the ./users file 
>associate the user with the appropriate device:
>
>/etc/raddb/huntgroups:
>Cisco_Huntgroup         NAS-IP-Address == 10.100.0.1
>Cisco_Huntgroup         NAS-IP-Address == 10.100.0.2
>Cisco_Huntgroup         NAS-IP-Address == 10.100.0.3
>

>VPN_Huntgroup           NAS-IP-Address == 10.4.1.2
>./raddb/modules/ldap (See appendix D)
>If this file is missing, you need to install the RPM for freeradius2-ldap.
>
>This section is one of the biggest pains to 
>configure, as all of your LDAP strings need to 
>be 100% correct, andt hey will be very specific 
>to the environment. Of course, update server, 
>identify, password, basedn for your own environment.
>
>You will need a user account in AD to permit the 
>bind to LDAP. In this example, that account is in:
>CN=_useraccount,OU=Service Accounts,OU=Special 
>User Accounts,OU=Enterprise,DC=example,DC=com
>
>In this example, the Security groups are located in (or below):
>OU=Enterprise,DC=example,DC=com
>
>ldap {
>         server = "example.com"
>         identity = "CN=_useraccount,OU=Service 
> Accounts,OU=Special User Accounts,OU=Enterprise,DC=example,DC=com"
>         password = secretpassword
>         basedn = "OU=Enterprise,DC=example,DC=com"
>         filter = 
> (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))
>         groupmembership_attribute = "memberOf"
>         ldap_connections_number = 5
>         timeout = 4
>         timelimit = 3
>         net_timeout = 1
>         tls {
>                 start_tls = no
>         }
>         dictionary_mapping = ${confdir}/ldap.attrmap
>         edir_account_policy_check = no
>         groupname_attribute = cn
>         groupmembership_filter = 
> "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
>}
>Configuration of different virtual sites
>For this you'll have 3 general sites, default 
>(used mostly for testing on 127.0.0.1), 
>server_cisco (used to AAA the Cisco users), and 
>server_vpn (used to AAA the VPN users).
>inner-tunnel
>Add:
>ntlm_auth
>to the end of the authenticate{..} section
>default
>Add:
>  ntlm_auth
>to the end of the authenticate{..} section
>server_cisco (see Appendix B)
>We're going to duplicate the default config, and 
>modify it for that particular virtual server:
>
>cp /etc/raddb/sites-available/default  /etc/raddb/sites-available/server_cisco
>
>Edit server_cisco and change it from server{..} to server server_cisco{..}
>
>Since we're not using any of these methods for 
>the Ciscos, in authenticate{..} disable:   chap, 
>mschap, suffix, ntdomain, unix, pap
>
>Add to the end of the authorize{..} section:
>ntlm_auth
>server_vpn (see Appendix A)
>cp /etc/raddb/sites-available/server_cisco 
>/etc/raddb/sites-available/server_vpn
>Edit server_vpn and change it from server 
>server_cisco {..} to server server_vpn {..}
>
>To get it to restrict who gets authorized based 
>on the LDAP group, add to authorize {..}:
>if(Huntgroup-Name == "VPN_Huntgroup") {
>      if(Ldap-Group == "VPN_Users") {
>         ok
>      }
>      else {
>           reject
>      }
>}
>
>Link sites-enabled to sites-available:
>cd /etc/raddb/sites-enabled
>ln -s ../sites-available/server_cisco server_cisco
>ln -s ../sites-available/server_vpn server_vpn
>./raddb/clients.conf
>This defines which individual clients connect to 
>which virtual server, letting you differentiate 
>the server config (including the secret) by client
>
>Note: The secret needs to match the secret set 
>on the respective client. Change the secret to an actual secret
>
>clients disambiguate {
>client localhost {
>         ipaddr = 127.0.0.1
>         secret = testing123
>         require_message_authenticator = no
>}
>client VPN {
>         ipaddr = 10.4.1.2
>         secret = secret
>         virtual_server = server_vpn
>}
>
>client Cisco {
>         ipaddr = 10.100.0.0
>         netmask = 16
>         secret = secret
>         virtual_server = server_cisco
>         nastype = cisco
>}}
>
>./raddb/users
>This file determines which AAA is done against 
>which device and associates the defined huntgroups with the type of AAA
>
>#testuser Huntgroup-Name == Cisco_Huntgroup, Cleartext-Password:="testpass"
>#        Service-Type:=NAS-Prompt-User,cisco-avpair:="shell:priv-lvl=15"
>DEFAULT Huntgroup-Name == Cisco_Huntgroup, 
>Auth-Type:=ntlm_auth, Ldap-Group == "Infrastructure"
>         Service-Type:=NAS-Prompt-User,cisco-avpair:="shell:priv-lvl=15"
>DEFAULT Huntgroup-Name == VPN_Huntgroup, Ldap-Group == "VPN_Users"
>Cisco config
>
>On each switch, you have to point the 
>authentication, authorization, and accounting to 
>the RADIUS server. You'll want to have defined 
>login and enable passwords already in case you 
>screw up. You can then just bring the RADIUS 
>server down and it will default to the next form of authentication:
>
>aaa authentication login default group radius line
>aaa authentication enable default group radius line
>aaa authorization exec default group radius none
>no aaa accounting exec default start-stop group radius
>no aaa accounting system default start-stop group radius
>no aaa accounting network default start-stop group radius
>no aaa accounting connection default start-stop group radius
>no aaa accounting commands 1 default stop-only group radius
>no aaa accounting commands 15 default wait-start group radius
>radius host 10.10.20.24 auth-port 1812 acct-port 1813 timeout 3
>radius key <mysharedsecret>
>radius retransmit 2
>sonicwall config
>Sorry, outside the scope of this document.
>Different Testing methods
> From Windows:
>Ntradping.exe
>
> From Linux:
>radtest testuser testpass  localhost  0  testing123
>ntlm_auth --request-nt-key --domain=example.com 
>--username=testuser --password=testpass
>
>Troubleshooting:
>If you get an error from the output of radiusd -X along the lines of:
>
>Exec-Program output: winbind client not 
>authorized to use 
>winbindd_pam_auth_crap.  Ensure permissions on 
>/var/cache/samba/winbindd_privileged are set correctly. (0xc0000022)
>
>then the issue is that radiusd doesn't have 
>access to the winbindd_privileged folder. You can fix with:
>
>chgrp radiusd /var/cache/samba/winbindd_privileged
>chmod g+rw /var/cache/samba/winbindd_privileged
>
>Appendix A - server_vpn
>server server_vpn {
>authorize {
>         preprocess
>         mschap
>         files
>         ldap
>if(Huntgroup-Name == "VPN_Huntgroup") {
>      if(Ldap-Group == "VPN_Users") {
>         ok
>      }
>      else {
>           reject
>      }
>}
>}
>authenticate {
>         Auth-Type PAP {
>                 pap
>         }
>         Auth-Type CHAP {
>                 chap
>         }
>         Auth-Type MS-CHAP {
>                 mschap
>         }
>  ntlm_auth
>}
>preacct {
>         preprocess
>         acct_unique
>         files
>}
>accounting {
>         detail
>         radutmp
>         attr_filter.accounting_response
>}
>session {
>         radutmp
>}
>post-auth {
>         exec
>         Post-Auth-Type REJECT {
>                 attr_filter.access_reject
>         }
>}
>pre-proxy {
>}
>post-proxy {
>}
>}
>
>Appendix B: server_cisco
>server server_cisco {
>authorize {
>         preprocess
>         mschap
>         files
>         ldap
>}
>authenticate {
>         Auth-Type PAP {
>                 pap
>         }
>         Auth-Type CHAP {
>                 chap
>         }
>         Auth-Type MS-CHAP {
>                 mschap
>         }
>ntlm_auth
>}
>preacct {
>         preprocess
>         acct_unique
>         files
>}
>accounting {
>         detail
>         radutmp
>         attr_filter.accounting_response
>}
>session {
>         radutmp
>}
>post-auth {
>         exec
>         Post-Auth-Type REJECT {
>                 attr_filter.access_reject
>         }
>}
>pre-proxy {
>}
>post-proxy {
>}
>}
>
>Appendix C - radiusd.conf
>
>prefix = /usr
>exec_prefix = /usr
>sysconfdir = /etc
>localstatedir = /var
>sbindir = /usr/sbin
>logdir = ${localstatedir}/log/radius
>raddbdir = ${sysconfdir}/raddb
>radacctdir = ${logdir}/radacct
>name = radiusd
>confdir = ${raddbdir}
>run_dir = ${localstatedir}/run/${name}
>db_dir = ${raddbdir}
>libdir = /usr/lib/freeradius
>pidfile = ${run_dir}/${name}.pid
>user = radiusd
>group = radiusd
>max_request_time = 30
>cleanup_delay = 5
>max_requests = 25600
>listen {
>         type = auth
>         ipaddr = *
>         port = 0
>         clients = disambiguate
>}
>listen {
>         ipaddr = *
>         port = 0
>         type = acct
>         clients = disambiguate
>}
>hostname_lookups = no
>allow_core_dumps = no
>regular_expressions     = yes
>extended_expressions    = yes
>log {
>         destination = files
>         file = ${logdir}/radius.log
>         syslog_facility = daemon
>         stripped_names = no
>         auth = yes
>         auth_badpass = no
>         auth_goodpass = no
>}
>checkrad = ${sbindir}/checkrad
>security {
>         max_attributes = 200
>         reject_delay = 1
>         status_server = yes
>}
>proxy_requests  = yes
>$INCLUDE proxy.conf
>$INCLUDE clients.conf
>thread pool {
>         start_servers = 5
>         max_servers = 32
>         min_spare_servers = 3
>         max_spare_servers = 10
>         max_requests_per_server = 0
>}
>modules {
>         $INCLUDE ${confdir}/modules/
>exec ntlm_auth {
>                 wait = yes
>                 program = "/usr/bin/ntlm_auth 
> ntlm_auth --request-nt-key --domain=example.com 
> --username=%{mschap:User-Name} --password=%{User-Password}"
>         }
>}
>instantiate {
>         exec
>         expr
>         expiration
>         logintime
>}
>$INCLUDE policy.conf
>$INCLUDE sites-enabled/
>
>