Subversion Repositories ALCASAR

Rev

Rev 2422 | Show entire file | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 2422 Rev 2423
Line 1... Line -...
1
######################################################################
-
 
2
#
-
 
3
#	As of 2.0.0, FreeRADIUS supports virtual hosts using the
-
 
4
#	"server" section, and configuration directives.
-
 
5
#
-
 
6
#	Virtual hosts should be put into the "sites-available"
-
 
7
#	directory.  Soft links should be created in the "sites-enabled"
-
 
8
#	directory to these files.  This is done in a normal installation.
-
 
9
#
-
 
10
#	If you are using 802.1X (EAP) authentication, please see also
-
 
11
#	the "inner-tunnel" virtual server.  You will likely have to edit
-
 
12
#	that, too, for authentication to work.
-
 
13
#
-
 
14
#	$Id: 3616050e7625eb6b5e2ba44782fcb737b2ae6136 $
-
 
15
#
-
 
16
######################################################################
-
 
17
#
-
 
18
#	Read "man radiusd" before editing this file.  See the section
-
 
19
#	titled DEBUGGING.  It outlines a method where you can quickly
-
 
20
#	obtain the configuration you want, without running into
-
 
21
#	trouble.  See also "man unlang", which documents the format
-
 
22
#	of this file.
-
 
23
#
-
 
24
#	This configuration is designed to work in the widest possible
-
 
25
#	set of circumstances, with the widest possible number of
-
 
26
#	authentication methods.  This means that in general, you should
-
 
27
#	need to make very few changes to this file.
-
 
28
#
-
 
29
#	The best way to configure the server for your local system
-
 
30
#	is to CAREFULLY edit this file.  Most attempts to make large
-
 
31
#	edits to this file will BREAK THE SERVER.  Any edits should
-
 
32
#	be small, and tested by running the server with "radiusd -X".
-
 
33
#	Once the edits have been verified to work, save a copy of these
-
 
34
#	configuration files somewhere.  (e.g. as a "tar" file).  Then,
-
 
35
#	make more edits, and test, as above.
-
 
36
#
-
 
37
#	There are many "commented out" references to modules such
-
 
38
#	as ldap, sql, etc.  These references serve as place-holders.
-
 
39
#	If you need the functionality of that module, then configure
-
 
40
#	it in radiusd.conf, and un-comment the references to it in
-
 
41
#	this file.  In most cases, those small changes will result
-
 
42
#	in the server being able to connect to the DB, and to
-
 
43
#	authenticate users.
-
 
44
#
-
 
45
######################################################################
-
 
46
 
-
 
47
server default {
1
server default {
48
#
-
 
49
#  If you want the server to listen on additional addresses, or on
-
 
50
#  additional ports, you can use multiple "listen" sections.
-
 
51
#
-
 
52
#  Each section make the server listen for only one type of packet,
-
 
53
#  therefore authentication and accounting have to be configured in
-
 
54
#  different sections.
-
 
55
#
-
 
56
#  The server ignore all "listen" section if you are using '-i' and '-p'
-
 
57
#  on the command line.
-
 
58
#
-
 
59
listen {
2
listen {
60
	#  Type of packets to listen for.
-
 
61
	#  Allowed values are:
-
 
62
	#	auth	listen for authentication packets
-
 
63
	#	acct	listen for accounting packets
-
 
64
	#	proxy   IP to use for sending proxied packets
-
 
65
	#	detail  Read from the detail file.  For examples, see
-
 
66
	#               raddb/sites-available/copy-acct-to-home-server
-
 
67
	#	status  listen for Status-Server packets.  For examples,
-
 
68
	#		see raddb/sites-available/status
-
 
69
	#	coa     listen for CoA-Request and Disconnect-Request
-
 
70
	#		packets.  For examples, see the file
-
 
71
	#		raddb/sites-available/coa
-
 
72
	#
-
 
73
	type = auth
3
	type = auth
74
 
-
 
75
	#  Note: "type = proxy" lets you control the source IP used for
-
 
76
	#        proxying packets, with some limitations:
-
 
77
	#
-
 
78
	#    * A proxy listener CANNOT be used in a virtual server section.
-
 
79
	#    * You should probably set "port = 0".
-
 
80
	#    * Any "clients" configuration will be ignored.
-
 
81
	#
-
 
82
	#  See also proxy.conf, and the "src_ipaddr" configuration entry
-
 
83
	#  in the sample "home_server" section.  When you specify the
-
 
84
	#  source IP address for packets sent to a home server, the
-
 
85
	#  proxy listeners are automatically created.
-
 
86
 
-
 
87
	#  ipaddr/ipv4addr/ipv6addr - IP address on which to listen.
-
 
88
	#  If multiple ones are listed, only the first one will
-
 
89
	#  be used, and the others will be ignored.
-
 
90
	#
-
 
91
	#  The configuration options accept the following syntax:
-
 
92
	#
-
 
93
	#  ipv4addr - IPv4 address (e.g.192.0.2.3)
-
 
94
	#  	    - wildcard (i.e. *)
-
 
95
	#  	    - hostname (radius.example.com)
-
 
96
	#  	      Only the A record for the host name is used.
-
 
97
	#	      If there is no A record, an error is returned,
-
 
98
	#	      and the server fails to start.
-
 
99
	#
-
 
100
	#  ipv6addr - IPv6 address (e.g. 2001:db8::1)
-
 
101
	#  	    - wildcard (i.e. *)
-
 
102
	#  	    - hostname (radius.example.com)
-
 
103
	#  	      Only the AAAA record for the host name is used.
-
 
104
	#	      If there is no AAAA record, an error is returned,
-
 
105
	#	      and the server fails to start.
-
 
106
	#
-
 
107
	#  ipaddr   - IPv4 address as above
-
 
108
	#  	    - IPv6 address as above
-
 
109
	#  	    - wildcard (i.e. *), which means IPv4 wildcard.
-
 
110
	#	    - hostname
-
 
111
	#	      If there is only one A or AAAA record returned
-
 
112
	#	      for the host name, it is used.
-
 
113
	#	      If multiple A or AAAA records are returned
-
 
114
	#	      for the host name, only the first one is used.
-
 
115
	#	      If both A and AAAA records are returned
-
 
116
	#	      for the host name, only the A record is used.
-
 
117
	#
-
 
118
	# ipv4addr = *
-
 
119
	# ipv6addr = *
4
	ipaddr = *
120
	ipaddr = 127.0.0.1
-
 
121
 
-
 
122
	#  Port on which to listen.
-
 
123
	#  Allowed values are:
-
 
124
	#	integer port number (1812)
-
 
125
	#	0 means "use /etc/services for the proper port"
-
 
126
	port = 0
5
	port = 0
127
 
-
 
128
	#  Some systems support binding to an interface, in addition
-
 
129
	#  to the IP address.  This feature isn't strictly necessary,
-
 
130
	#  but for sites with many IP addresses on one interface,
-
 
131
	#  it's useful to say "listen on all addresses for eth0".
-
 
132
	#
-
 
133
	#  If your system does not support this feature, you will
-
 
134
	#  get an error if you try to use it.
-
 
135
	#
-
 
136
#	interface = eth0
-
 
137
 
-
 
138
	#  Per-socket lists of clients.  This is a very useful feature.
-
 
139
	#
-
 
140
	#  The name here is a reference to a section elsewhere in
-
 
141
	#  radiusd.conf, or clients.conf.  Having the name as
-
 
142
	#  a reference allows multiple sockets to use the same
-
 
143
	#  set of clients.
-
 
144
	#
-
 
145
	#  If this configuration is used, then the global list of clients
-
 
146
	#  is IGNORED for this "listen" section.  Take care configuring
-
 
147
	#  this feature, to ensure you don't accidentally disable a
-
 
148
	#  client you need.
-
 
149
	#
-
 
150
	#  See clients.conf for the configuration of "per_socket_clients".
-
 
151
	#
-
 
152
#	clients = per_socket_clients
-
 
153
 
-
 
154
	#
-
 
155
	#  Connection limiting for sockets with "proto = tcp".
-
 
156
	#
-
 
157
	#  This section is ignored for other kinds of sockets.
-
 
158
	#
-
 
159
	limit {
6
	limit {
160
	      #
-
 
161
	      #  Limit the number of simultaneous TCP connections to the socket
-
 
162
	      #
-
 
163
	      #  The default is 16.
-
 
164
	      #  Setting this to 0 means "no limit"
-
 
165
	      max_connections = 16
7
	      max_connections = 16
166
 
-
 
167
	      #  The per-socket "max_requests" option does not exist.
-
 
168
 
-
 
169
	      #
-
 
170
	      #  The lifetime, in seconds, of a TCP connection.  After
-
 
171
	      #  this lifetime, the connection will be closed.
-
 
172
	      #
-
 
173
	      #  Setting this to 0 means "forever".
-
 
174
	      lifetime = 0
8
	      lifetime = 0
175
 
-
 
176
	      #
-
 
177
	      #  The idle timeout, in seconds, of a TCP connection.
-
 
178
	      #  If no packets have been received over the connection for
-
 
179
	      #  this time, the connection will be closed.
-
 
180
	      #
-
 
181
	      #  Setting this to 0 means "no timeout".
-
 
182
	      #
-
 
183
	      #  We STRONGLY RECOMMEND that you set an idle timeout.
-
 
184
	      #
-
 
185
	      idle_timeout = 30
9
	      idle_timeout = 30
186
	}
10
	}
187
}
11
}
188
 
12
 
189
#
-
 
190
#  This second "listen" section is for listening on the accounting
-
 
191
#  port, too.
-
 
192
#
-
 
193
listen {
13
listen {
194
	ipaddr = 127.0.0.1
-
 
195
#	ipv6addr = ::
-
 
196
	port = 0
-
 
197
	type = acct
14
	type = acct
198
#	interface = eth0
15
	ipaddr = *
199
#	clients = per_socket_clients
16
	port = 0
200
 
-
 
201
	limit {
17
	limit {
202
		#  The number of packets received can be rate limited via the
-
 
203
		#  "max_pps" configuration item.  When it is set, the server
-
 
204
		#  tracks the total number of packets received in the previous
-
 
205
		#  second.  If the count is greater than "max_pps", then the
-
 
206
		#  new packet is silently discarded.  This helps the server
-
 
207
		#  deal with overload situations.
-
 
208
		#
-
 
209
		#  The packets/s counter is tracked in a sliding window.  This
-
 
210
		#  means that the pps calculation is done for the second
-
 
211
		#  before the current packet was received.  NOT for the current
-
 
212
		#  wall-clock second, and NOT for the previous wall-clock second.
-
 
213
		#
-
 
214
		#  Useful values are 0 (no limit), or 100 to 10000.
-
 
215
		#  Values lower than 100 will likely cause the server to ignore
-
 
216
		#  normal traffic.  Few systems are capable of handling more than
-
 
217
		#  10K packets/s.
-
 
218
		#
-
 
219
		#  It is most useful for accounting systems.  Set it to 50%
-
 
220
		#  more than the normal accounting load, and you can be sure that
-
 
221
		#  the server will never get overloaded
-
 
222
		#
-
 
223
#		max_pps = 0
18
		max_pps = 0
224
 
-
 
225
		# Only for "proto = tcp". These are ignored for "udp" sockets.
-
 
226
		#
-
 
227
#		idle_timeout = 0
-
 
228
#		lifetime = 0
-
 
229
#		max_connections = 0
-
 
230
	}
19
	}
231
}
20
}
232
 
21
 
233
# IPv6 versions of the above - read their full config to understand options
-
 
234
#listen {
-
 
235
#	type = auth
-
 
236
#	ipv6addr = ::1
-
 
237
#	ipv6addr = ::	# any.  ::1 == localhost
-
 
238
#	port = 0
-
 
239
#	interface = eth0
-
 
240
#	clients = per_socket_clients
-
 
241
#	limit {
-
 
242
#	      max_connections = 16
-
 
243
#	      lifetime = 0
-
 
244
#	      idle_timeout = 30
-
 
245
#	}
-
 
246
#}
-
 
247
 
-
 
248
#listen {
-
 
249
#	type = acct
-
 
250
#	ipv6addr = ::1
-
 
251
#	ipv6addr = ::	# any.  ::1 == localhost
-
 
252
#	port = 0
-
 
253
#	interface = eth0
-
 
254
#	clients = per_socket_clients
-
 
255
#	limit {
-
 
256
#		max_pps = 0
-
 
257
#		idle_timeout = 0
-
 
258
#		lifetime = 0
-
 
259
#		max_connections = 0
-
 
260
#	}
-
 
261
#}
-
 
262
 
-
 
263
#  Authorization. First preprocess (hints and huntgroups files),
-
 
264
#  then realms, and finally look in the "users" file.
-
 
265
#
-
 
266
#  Any changes made here should also be made to the "inner-tunnel"
-
 
267
#  virtual server.
-
 
268
#
-
 
269
#  The order of the realm modules will determine the order that
-
 
270
#  we try to find a matching realm.
-
 
271
#
-
 
272
#  Make *sure* that 'preprocess' comes before any realm if you
-
 
273
#  need to setup hints for the remote radius server
-
 
274
authorize {
22
authorize {
275
	#
-
 
276
	#  Take a User-Name, and perform some checks on it, for spaces and other
-
 
277
	#  invalid characters.  If the User-Name appears invalid, reject the
-
 
278
	#  request.
-
 
279
	#
-
 
280
	#  See policy.d/filter for the definition of the filter_username policy.
-
 
281
	#
-
 
282
	filter_username
-
 
283
 
-
 
284
	#
-
 
285
	#  Some broken equipment sends passwords with embedded zeros.
-
 
286
	#  i.e. the debug output will show
-
 
287
	#
-
 
288
	#	User-Password = "password\000\000"
-
 
289
	#
-
 
290
	#  This policy will fix it to just be "password".
-
 
291
	#
-
 
292
	filter_password
-
 
293
 
-
 
294
	#
-
 
295
	#  The preprocess module takes care of sanitizing some bizarre
-
 
296
	#  attributes in the request, and turning them into attributes
-
 
297
	#  which are more standard.
-
 
298
	#
-
 
299
	#  It takes care of processing the 'raddb/mods-config/preprocess/hints' 
-
 
300
	#  and the 'raddb/mods-config/preprocess/huntgroups' files.
-
 
301
	preprocess
-
 
302
 
-
 
303
	#  If you intend to use CUI and you require that the Operator-Name
-
 
304
	#  be set for CUI generation and you want to generate CUI also
-
 
305
	#  for your local clients then uncomment the operator-name
-
 
306
	#  below and set the operator-name for your clients in clients.conf
-
 
307
#	operator-name
-
 
308
 
-
 
309
	#
-
 
310
	#  If you want to generate CUI for some clients that do not
-
 
311
	#  send proper CUI requests, then uncomment the
-
 
312
	#  cui below and set "add_cui = yes" for these clients in clients.conf
-
 
313
#	cui
-
 
314
 
-
 
315
	#
-
 
316
	#  If you want to have a log of authentication requests,
-
 
317
	#  un-comment the following line.
-
 
318
#	auth_log
-
 
319
 
-
 
320
	#
-
 
321
	#  The chap module will set 'Auth-Type := CHAP' if we are
-
 
322
	#  handling a CHAP request and Auth-Type has not already been set
-
 
323
#	chap
-
 
324
 
-
 
325
	#
-
 
326
	#  If the users are logging in with an MS-CHAP-Challenge
-
 
327
	#  attribute for authentication, the mschap module will find
-
 
328
	#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
-
 
329
	#  to the request, which will cause the server to then use
-
 
330
	#  the mschap module for authentication.
-
 
331
#	mschap
-
 
332
 
-
 
333
	#
-
 
334
	#  If you have a Cisco SIP server authenticating against
-
 
335
	#  FreeRADIUS, uncomment the following line, and the 'digest'
-
 
336
	#  line in the 'authenticate' section.
-
 
337
#	digest
-
 
338
 
-
 
339
	#
-
 
340
	#  The WiMAX specification says that the Calling-Station-Id
-
 
341
	#  is 6 octets of the MAC.  This definition conflicts with
-
 
342
	#  RFC 3580, and all common RADIUS practices.  Un-commenting
-
 
343
	#  the "wimax" module here means that it will fix the
-
 
344
	#  Calling-Station-Id attribute to the normal format as
-
 
345
	#  specified in RFC 3580 Section 3.21
-
 
346
#	wimax
-
 
347
 
-
 
348
	#
-
 
349
	#  Look for IPASS style 'realm/', and if not found, look for
-
 
350
	#  '@realm', and decide whether or not to proxy, based on
-
 
351
	#  that.
-
 
352
#	IPASS
-
 
353
 
-
 
354
	#
-
 
355
	#  If you are using multiple kinds of realms, you probably
-
 
356
	#  want to set "ignore_null = yes" for all of them.
-
 
357
	#  Otherwise, when the first style of realm doesn't match,
-
 
358
	#  the other styles won't be checked.
-
 
359
	#
-
 
360
#	suffix
-
 
361
#	ntdomain
-
 
362
 
-
 
363
	#
-
 
364
	#  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
-
 
365
	#  authentication.
-
 
366
	#
-
 
367
	#  It also sets the EAP-Type attribute in the request
-
 
368
	#  attribute list to the EAP type from the packet.
-
 
369
	#
-
 
370
	#  The EAP module returns "ok" or "updated" if it is not yet ready
-
 
371
	#  to authenticate the user.  The configuration below checks for
-
 
372
	#  "ok", and stops processing the "authorize" section if so.
-
 
373
	#
-
 
374
	#  Any LDAP and/or SQL servers will not be queried for the
-
 
375
	#  initial set of packets that go back and forth to set up
-
 
376
	#  TTLS or PEAP.
-
 
377
	#
-
 
378
	#  The "updated" check is commented out for compatibility with
-
 
379
	#  previous versions of this configuration, but you may wish to
-
 
380
	#  uncomment it as well; this will further reduce the number of
-
 
381
	#  LDAP and/or SQL queries for TTLS or PEAP.
-
 
382
	#
-
 
383
#	eap {
-
 
384
#		ok = return
-
 
385
#		updated = return
-
 
386
#	}
-
 
387
 
-
 
388
	#
-
 
389
	#  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
-
 
390
	#  using the system API's to get the password.  If you want
-
 
391
	#  to read /etc/passwd or /etc/shadow directly, see the
-
 
392
	#  mods-available/passwd module.
-
 
393
	#
-
 
394
#	unix
-
 
395
 
-
 
396
	#
-
 
397
	#  Read the 'users' file.  In v3, this is located in
-
 
398
	#  raddb/mods-config/files/authorize
-
 
399
#	files
-
 
400
 
-
 
401
	#
-
 
402
	#  Look in an SQL database.  The schema of the database
-
 
403
	#  is meant to mirror the "users" file.
-
 
404
	#
-
 
405
	#  See "Authorization Queries" in mods-available/sql
-
 
406
	sql
23
	sql
407
	#
-
 
408
	#  If you are using /etc/smbpasswd, and are also doing
-
 
409
	#  mschap authentication, the un-comment this line, and
-
 
410
	#  configure the 'smbpasswd' module.
-
 
411
#	smbpasswd
24
	noresetcounter
412
 
-
 
413
	#
-
 
414
	#  The ldap module reads passwords from the LDAP database.
-
 
415
#	-ldap
-
 
416
 
-
 
417
	#
-
 
418
	#  Enforce daily limits on time spent logged in.
-
 
419
#	daily
25
	dailycounter
420
 
-
 
421
	#
26
	monthlycounter
422
	expiration
27
	expiration
423
	logintime
28
	logintime
424
 
-
 
425
	#
-
 
426
	#  If no other module has claimed responsibility for
-
 
427
	#  authentication, then try to use PAP.  This allows the
-
 
428
	#  other modules listed above to add a "known good" password
-
 
429
	#  to the request, and to do nothing else.  The PAP module
-
 
430
	#  will then see that password, and use it to do PAP
-
 
431
	#  authentication.
-
 
432
	#
-
 
433
	#  This module should be listed last, so that the other modules
-
 
434
	#  get a chance to set Auth-Type for themselves.
-
 
435
	#
-
 
436
	pap
29
	pap
437
 
-
 
438
	#
-
 
439
	#  If "status_server = yes", then Status-Server messages are passed
-
 
440
	#  through the following section, and ONLY the following section.
-
 
441
	#  This permits you to do DB queries, for example.  If the modules
-
 
442
	#  listed here return "fail", then NO response is sent.
-
 
443
	#
-
 
444
#	Autz-Type Status-Server {
-
 
445
#
-
 
446
#	}
-
 
447
}
30
}
448
 
31
 
449
 
-
 
450
#  Authentication.
-
 
451
#
-
 
452
#
-
 
453
#  This section lists which modules are available for authentication.
-
 
454
#  Note that it does NOT mean 'try each module in order'.  It means
-
 
455
#  that a module from the 'authorize' section adds a configuration
-
 
456
#  attribute 'Auth-Type := FOO'.  That authentication type is then
-
 
457
#  used to pick the appropriate module from the list below.
-
 
458
#
-
 
459
 
-
 
460
#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
-
 
461
#  will figure it out on its own, and will do the right thing.  The
-
 
462
#  most common side effect of erroneously setting the Auth-Type
-
 
463
#  attribute is that one authentication method will work, but the
-
 
464
#  others will not.
-
 
465
#
-
 
466
#  The common reasons to set the Auth-Type attribute by hand
-
 
467
#  is to either forcibly reject the user (Auth-Type := Reject),
-
 
468
#  or to or forcibly accept the user (Auth-Type := Accept).
-
 
469
#
-
 
470
#  Note that Auth-Type := Accept will NOT work with EAP.
-
 
471
#
-
 
472
#  Please do not put "unlang" configurations into the "authenticate"
-
 
473
#  section.  Put them in the "post-auth" section instead.  That's what
-
 
474
#  the post-auth section is for.
-
 
475
#
-
 
476
authenticate {
32
authenticate {
477
	#
-
 
478
	#  PAP authentication, when a back-end database listed
-
 
479
	#  in the 'authorize' section supplies a password.  The
-
 
480
	#  password can be clear-text, or encrypted.
-
 
481
	Auth-Type PAP {
33
	Auth-Type PAP {
482
		pap
34
		pap
483
	}
35
	}
484
 
-
 
485
	#
-
 
486
	#  Most people want CHAP authentication
-
 
487
	#  A back-end database listed in the 'authorize' section
-
 
488
	#  MUST supply a CLEAR TEXT password.  Encrypted passwords
-
 
489
	#  won't work.
-
 
490
#	Auth-Type CHAP {
-
 
491
#		chap
-
 
492
#	}
-
 
493
 
-
 
494
	#
-
 
495
	#  MSCHAP authentication.
-
 
496
#	Auth-Type MS-CHAP {
-
 
497
#		mschap
-
 
498
#	}
-
 
499
 
-
 
500
	#
-
 
501
	#  For old names, too.
-
 
502
	#
-
 
503
#	mschap
-
 
504
 
-
 
505
	#
-
 
506
	#  If you have a Cisco SIP server authenticating against
-
 
507
	#  FreeRADIUS, uncomment the following line, and the 'digest'
-
 
508
	#  line in the 'authorize' section.
-
 
509
#	digest
-
 
510
 
-
 
511
	#
-
 
512
	#  Pluggable Authentication Modules.
-
 
513
#	pam
-
 
514
 
-
 
515
	#  Uncomment it if you want to use ldap for authentication
-
 
516
	#
-
 
517
	#  Note that this means "check plain-text password against
-
 
518
	#  the ldap database", which means that EAP won't work,
-
 
519
	#  as it does not supply a plain-text password.
-
 
520
	#
-
 
521
	#  We do NOT recommend using this.  LDAP servers are databases.
-
 
522
	#  They are NOT authentication servers.  FreeRADIUS is an
-
 
523
	#  authentication server, and knows what to do with authentication.
-
 
524
	#  LDAP servers do not.
-
 
525
	#
-
 
526
#	Auth-Type LDAP {
-
 
527
#		ldap
-
 
528
#	}
-
 
529
 
-
 
530
	#
-
 
531
	#  Allow EAP authentication.
-
 
532
#	eap
-
 
533
 
-
 
534
	#
-
 
535
	#  The older configurations sent a number of attributes in
-
 
536
	#  Access-Challenge packets, which wasn't strictly correct.
-
 
537
	#  If you want to filter out these attributes, uncomment
-
 
538
	#  the following lines.
-
 
539
	#
-
 
540
#	Auth-Type eap {
-
 
541
#		eap {
-
 
542
#			handled = 1
-
 
543
#		}
-
 
544
#		if (handled && (Response-Packet-Type == Access-Challenge)) {
-
 
545
#			attr_filter.access_challenge.post-auth
-
 
546
#			handled  # override the "updated" code from attr_filter
-
 
547
#		}
-
 
548
#	}
-
 
549
}
36
}
550
 
37
 
551
 
-
 
552
#
-
 
553
#  Pre-accounting.  Decide which accounting type to use.
-
 
554
#
-
 
555
preacct {
-
 
556
#	preprocess
-
 
557
 
-
 
558
	#
-
 
559
	#  Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets
-
 
560
	#  into a single 64bit counter Acct-[Input|Output]-Octets64.
-
 
561
	#
-
 
562
#	acct_counters64
-
 
563
 
-
 
564
	#
-
 
565
	#  Session start times are *implied* in RADIUS.
-
 
566
	#  The NAS never sends a "start time".  Instead, it sends
-
 
567
	#  a start packet, *possibly* with an Acct-Delay-Time.
-
 
568
	#  The server is supposed to conclude that the start time
-
 
569
	#  was "Acct-Delay-Time" seconds in the past.
-
 
570
	#
-
 
571
	#  The code below creates an explicit start time, which can
-
 
572
	#  then be used in other modules.  It will be *mostly* correct.
-
 
573
	#  Any errors are due to the 1-second resolution of RADIUS,
-
 
574
	#  and the possibility that the time on the NAS may be off.
-
 
575
	#
-
 
576
	#  The start time is: NOW - delay - session_length
-
 
577
	#
-
 
578
 
-
 
579
#	update request {
-
 
580
#	  	&FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
-
 
581
#	}
-
 
582
 
-
 
583
 
-
 
584
	#
-
 
585
	#  Ensure that we have a semi-unique identifier for every
-
 
586
	#  request, and many NAS boxes are broken.
-
 
587
	acct_unique
-
 
588
 
-
 
589
	#
-
 
590
	#  Look for IPASS-style 'realm/', and if not found, look for
-
 
591
	#  '@realm', and decide whether or not to proxy, based on
-
 
592
	#  that.
-
 
593
	#
-
 
594
	#  Accounting requests are generally proxied to the same
-
 
595
	#  home server as authentication requests.
-
 
596
#	IPASS
-
 
597
#	suffix
-
 
598
#	ntdomain
-
 
599
 
-
 
600
	#
-
 
601
	#  Read the 'acct_users' file
-
 
602
#	files
-
 
603
}
-
 
604
 
-
 
605
#
-
 
606
#  Accounting.  Log the accounting data.
-
 
607
#
-
 
608
accounting {
38
accounting {
609
	#  Update accounting packet by adding the CUI attribute
-
 
610
	#  recorded from the corresponding Access-Accept
-
 
611
	#  use it only if your NAS boxes do not support CUI themselves
-
 
612
#	cui
-
 
613
	#
-
 
614
	#  Create a 'detail'ed log of the packets.
-
 
615
	#  Note that accounting requests which are proxied
-
 
616
	#  are also logged in the detail file.
-
 
617
#	detail
-
 
618
#	daily
-
 
619
 
-
 
620
	#  Update the wtmp file
-
 
621
	#
-
 
622
	#  If you don't use "radlast", you can delete this line.
-
 
623
#	unix
-
 
624
 
-
 
625
	#
-
 
626
	#  For Simultaneous-Use tracking.
-
 
627
	#
-
 
628
	#  Due to packet losses in the network, the data here
-
 
629
	#  may be incorrect.  There is little we can do about it.
-
 
630
#	radutmp
-
 
631
#	sradutmp
-
 
632
 
-
 
633
	#  Return an address to the IP Pool when we see a stop record.
-
 
634
#	main_pool
-
 
635
 
-
 
636
	#
-
 
637
	#  Log traffic to an SQL database.
-
 
638
	#
-
 
639
	#  See "Accounting queries" in mods-available/sql
-
 
640
	-sql
39
	sql
641
 
-
 
642
	#
-
 
643
	#  If you receive stop packets with zero session length,
-
 
644
	#  they will NOT be logged in the database.  The SQL module
-
 
645
	#  will print a message (only in debugging mode), and will
-
 
646
	#  return "noop".
-
 
647
	#
-
 
648
	#  You can ignore these packets by uncommenting the following
-
 
649
	#  three lines.  Otherwise, the server will not respond to the
-
 
650
	#  accounting request, and the NAS will retransmit.
-
 
651
	#
-
 
652
#	if (noop) {
-
 
653
#		ok
-
 
654
#	}
-
 
655
 
-
 
656
	#  Cisco VoIP specific bulk accounting
-
 
657
#	pgsql-voip
-
 
658
 
-
 
659
	# For Exec-Program and Exec-Program-Wait
-
 
660
	exec
-
 
661
 
-
 
662
	#  Filter attributes from the accounting response.
-
 
663
	attr_filter.accounting_response
-
 
664
 
-
 
665
	#
-
 
666
	#  See "Autz-Type Status-Server" for how this works.
-
 
667
	#
-
 
668
#	Acct-Type Status-Server {
-
 
669
#
-
 
670
#	}
-
 
671
}
40
}
672
 
41
 
673
 
-
 
674
#  Session database, used for checking Simultaneous-Use. Either the radutmp
-
 
675
#  or rlm_sql module can handle this.
-
 
676
#  The rlm_sql module is *much* faster
-
 
677
session {
42
session {
678
#	radutmp
-
 
679
 
-
 
680
	#
-
 
681
	#  See "Simultaneous Use Checking Queries" in mods-available/sql
-
 
682
	sql
43
	sql
683
}
44
}
684
 
45
 
685
 
-
 
686
#  Post-Authentication
-
 
687
#  Once we KNOW that the user has been authenticated, there are
-
 
688
#  additional steps we can take.
-
 
689
post-auth {
46
post-auth {
690
	#
-
 
691
	#  If you need to have a State attribute, you can
-
 
692
	#  add it here.  e.g. for later CoA-Request with
-
 
693
	#  State, and Service-Type = Authorize-Only.
-
 
694
	#
-
 
695
#	if (!&reply:State) {
-
 
696
#		update reply {
-
 
697
#			State := "0x%{randstr:16h}"
-
 
698
#		}
-
 
699
#	}
-
 
700
 
-
 
701
	#
-
 
702
	#  For EAP-TTLS and PEAP, add the cached attributes to the reply.
-
 
703
	#  The "session-state" attributes are automatically cached when
-
 
704
	#  an Access-Challenge is sent, and automatically retrieved
-
 
705
	#  when an Access-Request is received.
-
 
706
	#
-
 
707
	#  The session-state attributes are automatically deleted after
-
 
708
	#  an Access-Reject or Access-Accept is sent.
-
 
709
	#
-
 
710
	update {
-
 
711
		&reply: += &session-state:
-
 
712
	}
-
 
713
 
-
 
714
	#  Get an address from the IP Pool.
-
 
715
#	main_pool
-
 
716
 
-
 
717
 
-
 
718
	#  Create the CUI value and add the attribute to Access-Accept.
-
 
719
	#  Uncomment the line below if *returning* the CUI.
-
 
720
#	cui
-
 
721
 
-
 
722
	#
-
 
723
	#  If you want to have a log of authentication replies,
-
 
724
	#  un-comment the following line, and enable the
-
 
725
	#  'detail reply_log' module.
-
 
726
#	reply_log
-
 
727
 
-
 
728
	#
-
 
729
	#  After authenticating the user, do another SQL query.
-
 
730
	#
-
 
731
	#  See "Authentication Logging Queries" in mods-available/sql
-
 
732
	sql
-
 
733
 
-
 
734
	#
-
 
735
	#  Un-comment the following if you want to modify the user's object
-
 
736
	#  in LDAP after a successful login.
-
 
737
	#
-
 
738
#	ldap
-
 
739
 
-
 
740
	# For Exec-Program and Exec-Program-Wait
-
 
741
#	exec
-
 
742
 
-
 
743
	#
-
 
744
	#  Calculate the various WiMAX keys.  In order for this to work,
-
 
745
	#  you will need to define the WiMAX NAI, usually via
-
 
746
	#
-
 
747
	#	update request {
-
 
748
	#	       WiMAX-MN-NAI = "%{User-Name}"
-
 
749
	#	}
-
 
750
	#
-
 
751
	#  If you want various keys to be calculated, you will need to
-
 
752
	#  update the reply with "template" values.  The module will see
-
 
753
	#  this, and replace the template values with the correct ones
-
 
754
	#  taken from the cryptographic calculations.  e.g.
-
 
755
	#
-
 
756
	# 	update reply {
-
 
757
	#		WiMAX-FA-RK-Key = 0x00
-
 
758
	#		WiMAX-MSK = "%{EAP-MSK}"
-
 
759
	#	}
-
 
760
	#
-
 
761
	#  You may want to delete the MS-MPPE-*-Keys from the reply,
-
 
762
	#  as some WiMAX clients behave badly when those attributes
-
 
763
	#  are included.  See "raddb/modules/wimax", configuration
-
 
764
	#  entry "delete_mppe_keys" for more information.
-
 
765
	#
-
 
766
#	wimax
-
 
767
 
-
 
768
 
-
 
769
	#  If there is a client certificate (EAP-TLS, sometimes PEAP
-
 
770
	#  and TTLS), then some attributes are filled out after the
-
 
771
	#  certificate verification has been performed.  These fields
-
 
772
	#  MAY be available during the authentication, or they may be
-
 
773
	#  available only in the "post-auth" section.
-
 
774
	#
-
 
775
	#  The first set of attributes contains information about the
-
 
776
	#  issuing certificate which is being used.  The second
-
 
777
	#  contains information about the client certificate (if
-
 
778
	#  available).
-
 
779
#
-
 
780
#	update reply {
-
 
781
#	       Reply-Message += "%{TLS-Cert-Serial}"
-
 
782
#	       Reply-Message += "%{TLS-Cert-Expiration}"
-
 
783
#	       Reply-Message += "%{TLS-Cert-Subject}"
-
 
784
#	       Reply-Message += "%{TLS-Cert-Issuer}"
-
 
785
#	       Reply-Message += "%{TLS-Cert-Common-Name}"
-
 
786
#	       Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
-
 
787
#
-
 
788
#	       Reply-Message += "%{TLS-Client-Cert-Serial}"
-
 
789
#	       Reply-Message += "%{TLS-Client-Cert-Expiration}"
-
 
790
#	       Reply-Message += "%{TLS-Client-Cert-Subject}"
-
 
791
#	       Reply-Message += "%{TLS-Client-Cert-Issuer}"
-
 
792
#	       Reply-Message += "%{TLS-Client-Cert-Common-Name}"
-
 
793
#	       Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
-
 
794
#	}
-
 
795
 
-
 
796
	#  Insert class attribute (with unique value) into response,
-
 
797
	#  aids matching auth and acct records, and protects against duplicate
-
 
798
	#  Acct-Session-Id. Note: Only works if the NAS has implemented
-
 
799
	#  RFC 2865 behaviour for the class attribute, AND if the NAS
-
 
800
	#  supports long Class attributes.  Many older or cheap NASes
-
 
801
	#  only support 16-octet Class attributes.
-
 
802
#	insert_acct_class
-
 
803
 
-
 
804
	#  MacSEC requires the use of EAP-Key-Name.  However, we don't
-
 
805
	#  want to send it for all EAP sessions.  Therefore, the EAP
-
 
806
	#  modules put required data into the EAP-Session-Id attribute.
-
 
807
	#  This attribute is never put into a request or reply packet.
-
 
808
	#
-
 
809
	#  Uncomment the next few lines to copy the required data into
-
 
810
	#  the EAP-Key-Name attribute
-
 
811
#	if (&reply:EAP-Session-Id) {
-
 
812
#		update reply {
-
 
813
#			EAP-Key-Name := &reply:EAP-Session-Id
-
 
814
#		}
-
 
815
#	}
-
 
816
 
-
 
817
	#  Remove reply message if the response contains an EAP-Message
-
 
818
	remove_reply_message_if_eap
-
 
819
 
-
 
820
	#
-
 
821
	#  Access-Reject packets are sent through the REJECT sub-section of the
-
 
822
	#  post-auth section.
-
 
823
	#
-
 
824
	#  Add the ldap module name (or instance) if you have set
-
 
825
	#  'edir_account_policy_check = yes' in the ldap module configuration
-
 
826
	#
-
 
827
	#  The "session-state" attributes are not available here.
-
 
828
	#
-
 
829
	Post-Auth-Type REJECT {
47
	Post-Auth-Type REJECT {
830
		# log failed authentications in SQL, too.
-
 
831
		-sql
-
 
832
		attr_filter.access_reject
48
		attr_filter.access_reject
833
 
-
 
834
		# Insert EAP-Failure message if the request was
-
 
835
		# rejected by policy instead of because of an
-
 
836
		# authentication failure
-
 
837
		eap
-
 
838
 
-
 
839
		#  Remove reply message if the response contains an EAP-Message
-
 
840
        #  remove_reply_message_if_eap
-
 
841
	}
49
	}
842
 
-
 
843
	#
-
 
844
	#  Filter access challenges.
-
 
845
	#
-
 
846
	Post-Auth-Type Challenge {
-
 
847
#		remove_reply_message_if_eap
-
 
848
#		attr_filter.access_challenge.post-auth
-
 
849
	}
-
 
850
 
-
 
851
}
50
}
852
 
-
 
853
#
-
 
854
#  When the server decides to proxy a request to a home server,
-
 
855
#  the proxied request is first passed through the pre-proxy
-
 
856
#  stage.  This stage can re-write the request, or decide to
-
 
857
#  cancel the proxy.
-
 
858
#
-
 
859
#  Only a few modules currently have this method.
-
 
860
#
-
 
861
pre-proxy {
-
 
862
	# Before proxing the request add an Operator-Name attribute identifying
-
 
863
	# if the operator-name is found for this client.
-
 
864
	# No need to uncomment this if you have already enabled this in
-
 
865
	# the authorize section.
-
 
866
#	operator-name
-
 
867
 
-
 
868
	#  The client requests the CUI by sending a CUI attribute
-
 
869
	#  containing one zero byte.
-
 
870
	#  Uncomment the line below if *requesting* the CUI.
-
 
871
#	cui
-
 
872
 
-
 
873
	#  Uncomment the following line if you want to change attributes
-
 
874
	#  as defined in the preproxy_users file.
-
 
875
#	files
-
 
876
 
-
 
877
	#  Uncomment the following line if you want to filter requests
-
 
878
	#  sent to remote servers based on the rules defined in the
-
 
879
	#  'attrs.pre-proxy' file.
-
 
880
#	attr_filter.pre-proxy
-
 
881
 
-
 
882
	#  If you want to have a log of packets proxied to a home
-
 
883
	#  server, un-comment the following line, and the
-
 
884
	#  'detail pre_proxy_log' section, above.
-
 
885
#	pre_proxy_log
-
 
886
}
51
}
887
 
52
 
888
#
-
 
889
#  When the server receives a reply to a request it proxied
-
 
890
#  to a home server, the request may be massaged here, in the
-
 
891
#  post-proxy stage.
-
 
892
#
-
 
893
post-proxy {
-
 
894
 
-
 
895
	#  If you want to have a log of replies from a home server,
-
 
896
	#  un-comment the following line, and the 'detail post_proxy_log'
-
 
897
	#  section, above.
-
 
898
#	post_proxy_log
-
 
899
 
-
 
900
	#  Uncomment the following line if you want to filter replies from
-
 
901
	#  remote proxies based on the rules defined in the 'attrs' file.
-
 
902
#	attr_filter.post-proxy
-
 
903
 
53
 
904
	#
-
 
905
	#  If you are proxying LEAP, you MUST configure the EAP
-
 
906
	#  module, and you MUST list it here, in the post-proxy
-
 
907
	#  stage.
-
 
908
	#
-
 
909
	#  You MUST also use the 'nostrip' option in the 'realm'
-
 
910
	#  configuration.  Otherwise, the User-Name attribute
-
 
911
	#  in the proxied request will not match the user name
-
 
912
	#  hidden inside of the EAP packet, and the end server will
-
 
913
	#  reject the EAP request.
-
 
914
	#
-
 
915
#	eap
-
 
916
 
-
 
917
	#
-
 
918
	#  If the server tries to proxy a request and fails, then the
-
 
919
	#  request is processed through the modules in this section.
-
 
920
	#
-
 
921
	#  The main use of this section is to permit robust proxying
-
 
922
	#  of accounting packets.  The server can be configured to
-
 
923
	#  proxy accounting packets as part of normal processing.
-
 
924
	#  Then, if the home server goes down, accounting packets can
-
 
925
	#  be logged to a local "detail" file, for processing with
-
 
926
	#  radrelay.  When the home server comes back up, radrelay
-
 
927
	#  will read the detail file, and send the packets to the
-
 
928
	#  home server.
-
 
929
	#
-
 
930
	#  With this configuration, the server always responds to
-
 
931
	#  Accounting-Requests from the NAS, but only writes
-
 
932
	#  accounting packets to disk if the home server is down.
-
 
933
	#
-
 
934
#	Post-Proxy-Type Fail-Accounting {
-
 
935
#			detail
-
 
936
#	}
-
 
937
}
-
 
938
}
-