1279 |
richard |
1 |
######################################################################
|
|
|
2 |
#
|
|
|
3 |
# As of 2.0.0, FreeRADIUS supports virtual hosts using the
|
|
|
4 |
# "server" section, and configuration directives.
|
|
|
5 |
#
|
|
|
6 |
# Virtual hosts should be put into the "sites-available"
|
|
|
7 |
# directory. Soft links should be created in the "sites-enabled"
|
|
|
8 |
# directory to these files. This is done in a normal installation.
|
|
|
9 |
#
|
|
|
10 |
# $Id: alcasar-radius 845 2012-03-29 21:17:03Z richard $
|
|
|
11 |
#
|
|
|
12 |
######################################################################
|
|
|
13 |
#
|
|
|
14 |
# Read "man radiusd" before editing this file. See the section
|
|
|
15 |
# titled DEBUGGING. It outlines a method where you can quickly
|
|
|
16 |
# obtain the configuration you want, without running into
|
|
|
17 |
# trouble. See also "man unlang", which documents the format
|
|
|
18 |
# of this file.
|
|
|
19 |
#
|
|
|
20 |
# This configuration is designed to work in the widest possible
|
|
|
21 |
# set of circumstances, with the widest possible number of
|
|
|
22 |
# authentication methods. This means that in general, you should
|
|
|
23 |
# need to make very few changes to this file.
|
|
|
24 |
#
|
|
|
25 |
# The best way to configure the server for your local system
|
|
|
26 |
# is to CAREFULLY edit this file. Most attempts to make large
|
|
|
27 |
# edits to this file will BREAK THE SERVER. Any edits should
|
|
|
28 |
# be small, and tested by running the server with "radiusd -X".
|
|
|
29 |
# Once the edits have been verified to work, save a copy of these
|
|
|
30 |
# configuration files somewhere. (e.g. as a "tar" file). Then,
|
|
|
31 |
# make more edits, and test, as above.
|
|
|
32 |
#
|
|
|
33 |
# There are many "commented out" references to modules such
|
|
|
34 |
# as ldap, sql, etc. These references serve as place-holders.
|
|
|
35 |
# If you need the functionality of that module, then configure
|
|
|
36 |
# it in radiusd.conf, and un-comment the references to it in
|
|
|
37 |
# this file. In most cases, those small changes will result
|
|
|
38 |
# in the server being able to connect to the DB, and to
|
|
|
39 |
# authenticate users.
|
|
|
40 |
#
|
|
|
41 |
######################################################################
|
|
|
42 |
|
|
|
43 |
#
|
|
|
44 |
# In 1.x, the "authorize", etc. sections were global in
|
|
|
45 |
# radiusd.conf. As of 2.0, they SHOULD be in a server section.
|
|
|
46 |
#
|
|
|
47 |
# The server section with no virtual server name is the "default"
|
|
|
48 |
# section. It is used when no server name is specified.
|
|
|
49 |
#
|
|
|
50 |
# We don't indent the rest of this file, because doing so
|
|
|
51 |
# would make it harder to read.
|
|
|
52 |
#
|
|
|
53 |
|
|
|
54 |
# Authorization. First preprocess (hints and huntgroups files),
|
|
|
55 |
# then realms, and finally look in the "users" file.
|
|
|
56 |
#
|
|
|
57 |
# The order of the realm modules will determine the order that
|
|
|
58 |
# we try to find a matching realm.
|
|
|
59 |
#
|
|
|
60 |
# Make *sure* that 'preprocess' comes before any realm if you
|
|
|
61 |
# need to setup hints for the remote radius server
|
|
|
62 |
authorize {
|
|
|
63 |
#
|
|
|
64 |
# The preprocess module takes care of sanitizing some bizarre
|
|
|
65 |
# attributes in the request, and turning them into attributes
|
|
|
66 |
# which are more standard.
|
|
|
67 |
#
|
|
|
68 |
# It takes care of processing the 'raddb/hints' and the
|
|
|
69 |
# 'raddb/huntgroups' files.
|
|
|
70 |
#
|
|
|
71 |
# It also adds the %{Client-IP-Address} attribute to the request.
|
|
|
72 |
preprocess
|
|
|
73 |
|
|
|
74 |
#
|
|
|
75 |
# If you want to have a log of authentication requests,
|
|
|
76 |
# un-comment the following line, and the 'detail auth_log'
|
|
|
77 |
# section, above.
|
|
|
78 |
# auth_log
|
|
|
79 |
|
|
|
80 |
#
|
|
|
81 |
# The chap module will set 'Auth-Type := CHAP' if we are
|
|
|
82 |
# handling a CHAP request and Auth-Type has not already been set
|
|
|
83 |
# chap
|
|
|
84 |
|
|
|
85 |
#
|
|
|
86 |
# If the users are logging in with an MS-CHAP-Challenge
|
|
|
87 |
# attribute for authentication, the mschap module will find
|
|
|
88 |
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
|
|
|
89 |
# to the request, which will cause the server to then use
|
|
|
90 |
# the mschap module for authentication.
|
|
|
91 |
# mschap
|
|
|
92 |
#
|
|
|
93 |
# If you have a Cisco SIP server authenticating against
|
|
|
94 |
# FreeRADIUS, uncomment the following line, and the 'digest'
|
|
|
95 |
# line in the 'authenticate' section.
|
|
|
96 |
# digest
|
|
|
97 |
|
|
|
98 |
#
|
|
|
99 |
# Look for IPASS style 'realm/', and if not found, look for
|
|
|
100 |
# '@realm', and decide whether or not to proxy, based on
|
|
|
101 |
# that.
|
|
|
102 |
# IPASS
|
|
|
103 |
|
|
|
104 |
#
|
|
|
105 |
# If you are using multiple kinds of realms, you probably
|
|
|
106 |
# want to set "ignore_null = yes" for all of them.
|
|
|
107 |
# Otherwise, when the first style of realm doesn't match,
|
|
|
108 |
# the other styles won't be checked.
|
|
|
109 |
#
|
|
|
110 |
# suffix
|
|
|
111 |
# ntdomain
|
|
|
112 |
|
|
|
113 |
#
|
|
|
114 |
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
|
|
|
115 |
# authentication.
|
|
|
116 |
#
|
|
|
117 |
# It also sets the EAP-Type attribute in the request
|
|
|
118 |
# attribute list to the EAP type from the packet.
|
|
|
119 |
#
|
|
|
120 |
# As of 2.0, the EAP module returns "ok" in the authorize stage
|
|
|
121 |
# for TTLS and PEAP. In 1.x, it never returned "ok" here, so
|
|
|
122 |
# this change is compatible with older configurations.
|
|
|
123 |
#
|
|
|
124 |
# The example below uses module failover to avoid querying all
|
|
|
125 |
# of the following modules if the EAP module returns "ok".
|
|
|
126 |
# Therefore, your LDAP and/or SQL servers will not be queried
|
|
|
127 |
# for the many packets that go back and forth to set up TTLS
|
|
|
128 |
# or PEAP. The load on those servers will therefore be reduced.
|
|
|
129 |
#
|
|
|
130 |
# eap {
|
|
|
131 |
# ok = return
|
|
|
132 |
# }
|
|
|
133 |
|
|
|
134 |
#
|
|
|
135 |
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
|
|
|
136 |
# using the system API's to get the password. If you want
|
|
|
137 |
# to read /etc/passwd or /etc/shadow directly, see the
|
|
|
138 |
# passwd module in radiusd.conf.
|
|
|
139 |
#
|
|
|
140 |
# unix
|
|
|
141 |
|
|
|
142 |
#
|
|
|
143 |
# Read the 'users' file
|
|
|
144 |
# files
|
|
|
145 |
|
|
|
146 |
#
|
|
|
147 |
# Look in an SQL database. The schema of the database
|
|
|
148 |
# is meant to mirror the "users" file.
|
|
|
149 |
#
|
|
|
150 |
# See "Authorization Queries" in sql.conf
|
|
|
151 |
sql
|
|
|
152 |
noresetcounter
|
|
|
153 |
dailycounter
|
|
|
154 |
monthlycounter
|
|
|
155 |
#
|
|
|
156 |
# If you are using /etc/smbpasswd, and are also doing
|
|
|
157 |
# mschap authentication, the un-comment this line, and
|
|
|
158 |
# configure the 'etc_smbpasswd' module, above.
|
|
|
159 |
# etc_smbpasswd
|
|
|
160 |
|
|
|
161 |
#
|
|
|
162 |
# The ldap module will set Auth-Type to LDAP if it has not
|
|
|
163 |
# already been set
|
|
|
164 |
# ldap {
|
|
|
165 |
# fail = 1
|
|
|
166 |
# }
|
|
|
167 |
|
|
|
168 |
#
|
|
|
169 |
# Enforce daily limits on time spent logged in.
|
|
|
170 |
# daily
|
|
|
171 |
|
|
|
172 |
#
|
|
|
173 |
# Use the checkval module
|
|
|
174 |
# checkval
|
|
|
175 |
|
|
|
176 |
expiration
|
|
|
177 |
logintime
|
|
|
178 |
|
|
|
179 |
#
|
|
|
180 |
# If no other module has claimed responsibility for
|
|
|
181 |
# authentication, then try to use PAP. This allows the
|
|
|
182 |
# other modules listed above to add a "known good" password
|
|
|
183 |
# to the request, and to do nothing else. The PAP module
|
|
|
184 |
# will then see that password, and use it to do PAP
|
|
|
185 |
# authentication.
|
|
|
186 |
#
|
|
|
187 |
# This module should be listed last, so that the other modules
|
|
|
188 |
# get a chance to set Auth-Type for themselves.
|
|
|
189 |
#
|
|
|
190 |
# pap
|
|
|
191 |
|
|
|
192 |
#
|
|
|
193 |
# If "status_server = yes", then Status-Server messages are passed
|
|
|
194 |
# through the following section, and ONLY the following section.
|
|
|
195 |
# This permits you to do DB queries, for example. If the modules
|
|
|
196 |
# listed here return "fail", then NO response is sent.
|
|
|
197 |
#
|
|
|
198 |
# Autz-Type Status-Server {
|
|
|
199 |
#
|
|
|
200 |
# }
|
|
|
201 |
update coa {
|
|
|
202 |
User-Name = "%{User-Name}"
|
|
|
203 |
Acct-Session-Id = "%{Acct-Session-Id}"
|
|
|
204 |
NAS-IP-Address = "%{NAS-IP-Address}"
|
|
|
205 |
}
|
|
|
206 |
}
|
|
|
207 |
|
|
|
208 |
|
|
|
209 |
# Authentication.
|
|
|
210 |
#
|
|
|
211 |
#
|
|
|
212 |
# This section lists which modules are available for authentication.
|
|
|
213 |
# Note that it does NOT mean 'try each module in order'. It means
|
|
|
214 |
# that a module from the 'authorize' section adds a configuration
|
|
|
215 |
# attribute 'Auth-Type := FOO'. That authentication type is then
|
|
|
216 |
# used to pick the apropriate module from the list below.
|
|
|
217 |
#
|
|
|
218 |
|
|
|
219 |
# In general, you SHOULD NOT set the Auth-Type attribute. The server
|
|
|
220 |
# will figure it out on its own, and will do the right thing. The
|
|
|
221 |
# most common side effect of erroneously setting the Auth-Type
|
|
|
222 |
# attribute is that one authentication method will work, but the
|
|
|
223 |
# others will not.
|
|
|
224 |
#
|
|
|
225 |
# The common reasons to set the Auth-Type attribute by hand
|
|
|
226 |
# is to either forcibly reject the user (Auth-Type := Reject),
|
|
|
227 |
# or to or forcibly accept the user (Auth-Type := Accept).
|
|
|
228 |
#
|
|
|
229 |
# Note that Auth-Type := Accept will NOT work with EAP.
|
|
|
230 |
#
|
|
|
231 |
# Please do not put "unlang" configurations into the "authenticate"
|
|
|
232 |
# section. Put them in the "post-auth" section instead. That's what
|
|
|
233 |
# the post-auth section is for.
|
|
|
234 |
#
|
|
|
235 |
authenticate {
|
|
|
236 |
# #
|
|
|
237 |
# # PAP authentication, when a back-end database listed
|
|
|
238 |
# # in the 'authorize' section supplies a password. The
|
|
|
239 |
# # password can be clear-text, or encrypted.
|
|
|
240 |
# Auth-Type PAP {
|
|
|
241 |
# pap
|
|
|
242 |
# }
|
|
|
243 |
#
|
|
|
244 |
# #
|
|
|
245 |
# # Most people want CHAP authentication
|
|
|
246 |
# # A back-end database listed in the 'authorize' section
|
|
|
247 |
# # MUST supply a CLEAR TEXT password. Encrypted passwords
|
|
|
248 |
# # won't work.
|
|
|
249 |
# Auth-Type CHAP {
|
|
|
250 |
# chap
|
|
|
251 |
# }
|
|
|
252 |
#
|
|
|
253 |
# #
|
|
|
254 |
# # MSCHAP authentication.
|
|
|
255 |
# Auth-Type MS-CHAP {
|
|
|
256 |
# mschap
|
|
|
257 |
# }
|
|
|
258 |
#
|
|
|
259 |
# #
|
|
|
260 |
# # If you have a Cisco SIP server authenticating against
|
|
|
261 |
# # FreeRADIUS, uncomment the following line, and the 'digest'
|
|
|
262 |
# # line in the 'authorize' section.
|
|
|
263 |
# digest
|
|
|
264 |
#
|
|
|
265 |
# #
|
|
|
266 |
# # Pluggable Authentication Modules.
|
|
|
267 |
# pam
|
|
|
268 |
#
|
|
|
269 |
# #
|
|
|
270 |
# # See 'man getpwent' for information on how the 'unix'
|
|
|
271 |
# # module checks the users password. Note that packets
|
|
|
272 |
# # containing CHAP-Password attributes CANNOT be authenticated
|
|
|
273 |
# # against /etc/passwd! See the FAQ for details.
|
|
|
274 |
# #
|
|
|
275 |
# unix
|
|
|
276 |
#
|
|
|
277 |
# # Uncomment it if you want to use ldap for authentication
|
|
|
278 |
# #
|
|
|
279 |
# # Note that this means "check plain-text password against
|
|
|
280 |
# # the ldap database", which means that EAP won't work,
|
|
|
281 |
# # as it does not supply a plain-text password.
|
|
|
282 |
# Auth-Type LDAP {
|
|
|
283 |
# ldap
|
|
|
284 |
# }
|
|
|
285 |
#
|
|
|
286 |
# #
|
|
|
287 |
# # Allow EAP authentication.
|
|
|
288 |
# eap
|
|
|
289 |
}
|
|
|
290 |
|
|
|
291 |
|
|
|
292 |
#
|
|
|
293 |
# Pre-accounting. Decide which accounting type to use.
|
|
|
294 |
#
|
|
|
295 |
preacct {
|
|
|
296 |
preprocess
|
|
|
297 |
|
|
|
298 |
#
|
|
|
299 |
# Ensure that we have a semi-unique identifier for every
|
|
|
300 |
# request, and many NAS boxes are broken.
|
|
|
301 |
# acct_unique
|
|
|
302 |
|
|
|
303 |
#
|
|
|
304 |
# Look for IPASS-style 'realm/', and if not found, look for
|
|
|
305 |
# '@realm', and decide whether or not to proxy, based on
|
|
|
306 |
# that.
|
|
|
307 |
#
|
|
|
308 |
# Accounting requests are generally proxied to the same
|
|
|
309 |
# home server as authentication requests.
|
|
|
310 |
# IPASS
|
|
|
311 |
# suffix
|
|
|
312 |
# ntdomain
|
|
|
313 |
|
|
|
314 |
#
|
|
|
315 |
# Read the 'acct_users' file
|
|
|
316 |
# files
|
|
|
317 |
}
|
|
|
318 |
|
|
|
319 |
#
|
|
|
320 |
# Accounting. Log the accounting data.
|
|
|
321 |
#
|
|
|
322 |
accounting {
|
|
|
323 |
#
|
|
|
324 |
# Create a 'detail'ed log of the packets.
|
|
|
325 |
# Note that accounting requests which are proxied
|
|
|
326 |
# are also logged in the detail file.
|
|
|
327 |
# detail
|
|
|
328 |
# daily
|
|
|
329 |
|
|
|
330 |
# Update the wtmp file
|
|
|
331 |
#
|
|
|
332 |
# If you don't use "radlast", you can delete this line.
|
|
|
333 |
# unix
|
|
|
334 |
|
|
|
335 |
#
|
|
|
336 |
# For Simultaneous-Use tracking.
|
|
|
337 |
#
|
|
|
338 |
# Due to packet losses in the network, the data here
|
|
|
339 |
# may be incorrect. There is little we can do about it.
|
|
|
340 |
# radutmp
|
|
|
341 |
sradutmp
|
|
|
342 |
|
|
|
343 |
# Return an address to the IP Pool when we see a stop record.
|
|
|
344 |
# main_pool
|
|
|
345 |
|
|
|
346 |
#
|
|
|
347 |
# Log traffic to an SQL database.
|
|
|
348 |
#
|
|
|
349 |
# See "Accounting queries" in sql.conf
|
|
|
350 |
sql
|
|
|
351 |
|
|
|
352 |
#
|
|
|
353 |
# Instead of sending the query to the SQL server,
|
|
|
354 |
# write it into a log file.
|
|
|
355 |
#
|
|
|
356 |
# sql_log
|
|
|
357 |
|
|
|
358 |
# Cisco VoIP specific bulk accounting
|
|
|
359 |
# pgsql-voip
|
|
|
360 |
|
|
|
361 |
# Filter attributes from the accounting response.
|
|
|
362 |
attr_filter.accounting_response
|
|
|
363 |
|
|
|
364 |
#
|
|
|
365 |
# See "Autz-Type Status-Server" for how this works.
|
|
|
366 |
#
|
|
|
367 |
# Acct-Type Status-Server {
|
|
|
368 |
#
|
|
|
369 |
# }
|
|
|
370 |
}
|
|
|
371 |
|
|
|
372 |
|
|
|
373 |
# Session database, used for checking Simultaneous-Use. Either the radutmp
|
|
|
374 |
# or rlm_sql module can handle this.
|
|
|
375 |
# The rlm_sql module is *much* faster
|
|
|
376 |
session {
|
|
|
377 |
# radutmp
|
|
|
378 |
|
|
|
379 |
#
|
|
|
380 |
# See "Simultaneous Use Checking Queries" in sql.conf
|
|
|
381 |
sql
|
|
|
382 |
}
|
|
|
383 |
|
|
|
384 |
|
|
|
385 |
# Post-Authentication
|
|
|
386 |
# Once we KNOW that the user has been authenticated, there are
|
|
|
387 |
# additional steps we can take.
|
|
|
388 |
post-auth {
|
|
|
389 |
# Get an address from the IP Pool.
|
|
|
390 |
# main_pool
|
|
|
391 |
|
|
|
392 |
#
|
|
|
393 |
# If you want to have a log of authentication replies,
|
|
|
394 |
# un-comment the following line, and the 'detail reply_log'
|
|
|
395 |
# section, above.
|
|
|
396 |
# reply_log
|
|
|
397 |
|
|
|
398 |
#
|
|
|
399 |
# After authenticating the user, do another SQL query.
|
|
|
400 |
#
|
|
|
401 |
# See "Authentication Logging Queries" in sql.conf
|
|
|
402 |
# sql
|
|
|
403 |
|
|
|
404 |
#
|
|
|
405 |
# Instead of sending the query to the SQL server,
|
|
|
406 |
# write it into a log file.
|
|
|
407 |
#
|
|
|
408 |
# sql_log
|
|
|
409 |
|
|
|
410 |
#
|
|
|
411 |
# Un-comment the following if you have set
|
|
|
412 |
# 'edir_account_policy_check = yes' in the ldap module sub-section of
|
|
|
413 |
# the 'modules' section.
|
|
|
414 |
#
|
|
|
415 |
# ldap
|
|
|
416 |
|
|
|
417 |
# exec
|
|
|
418 |
|
|
|
419 |
#
|
|
|
420 |
# Access-Reject packets are sent through the REJECT sub-section of the
|
|
|
421 |
# post-auth section.
|
|
|
422 |
#
|
|
|
423 |
# Add the ldap module name (or instance) if you have set
|
|
|
424 |
# 'edir_account_policy_check = yes' in the ldap module configuration
|
|
|
425 |
#
|
|
|
426 |
Post-Auth-Type REJECT {
|
|
|
427 |
attr_filter.access_reject
|
|
|
428 |
}
|
|
|
429 |
}
|
|
|
430 |
|
|
|
431 |
#
|
|
|
432 |
# When the server decides to proxy a request to a home server,
|
|
|
433 |
# the proxied request is first passed through the pre-proxy
|
|
|
434 |
# stage. This stage can re-write the request, or decide to
|
|
|
435 |
# cancel the proxy.
|
|
|
436 |
#
|
|
|
437 |
# Only a few modules currently have this method.
|
|
|
438 |
#
|
|
|
439 |
pre-proxy {
|
|
|
440 |
# attr_rewrite
|
|
|
441 |
|
|
|
442 |
# Uncomment the following line if you want to change attributes
|
|
|
443 |
# as defined in the preproxy_users file.
|
|
|
444 |
# files
|
|
|
445 |
|
|
|
446 |
# Uncomment the following line if you want to filter requests
|
|
|
447 |
# sent to remote servers based on the rules defined in the
|
|
|
448 |
# 'attrs.pre-proxy' file.
|
|
|
449 |
# attr_filter.pre-proxy
|
|
|
450 |
|
|
|
451 |
# If you want to have a log of packets proxied to a home
|
|
|
452 |
# server, un-comment the following line, and the
|
|
|
453 |
# 'detail pre_proxy_log' section, above.
|
|
|
454 |
# pre_proxy_log
|
|
|
455 |
}
|
|
|
456 |
|
|
|
457 |
#
|
|
|
458 |
# When the server receives a reply to a request it proxied
|
|
|
459 |
# to a home server, the request may be massaged here, in the
|
|
|
460 |
# post-proxy stage.
|
|
|
461 |
#
|
|
|
462 |
post-proxy {
|
|
|
463 |
|
|
|
464 |
# If you want to have a log of replies from a home server,
|
|
|
465 |
# un-comment the following line, and the 'detail post_proxy_log'
|
|
|
466 |
# section, above.
|
|
|
467 |
# post_proxy_log
|
|
|
468 |
|
|
|
469 |
# attr_rewrite
|
|
|
470 |
|
|
|
471 |
# Uncomment the following line if you want to filter replies from
|
|
|
472 |
# remote proxies based on the rules defined in the 'attrs' file.
|
|
|
473 |
# attr_filter.post-proxy
|
|
|
474 |
|
|
|
475 |
#
|
|
|
476 |
# If you are proxying LEAP, you MUST configure the EAP
|
|
|
477 |
# module, and you MUST list it here, in the post-proxy
|
|
|
478 |
# stage.
|
|
|
479 |
#
|
|
|
480 |
# You MUST also use the 'nostrip' option in the 'realm'
|
|
|
481 |
# configuration. Otherwise, the User-Name attribute
|
|
|
482 |
# in the proxied request will not match the user name
|
|
|
483 |
# hidden inside of the EAP packet, and the end server will
|
|
|
484 |
# reject the EAP request.
|
|
|
485 |
#
|
|
|
486 |
# eap
|
|
|
487 |
|
|
|
488 |
#
|
|
|
489 |
# If the server tries to proxy a request and fails, then the
|
|
|
490 |
# request is processed through the modules in this section.
|
|
|
491 |
#
|
|
|
492 |
# The main use of this section is to permit robust proxying
|
|
|
493 |
# of accounting packets. The server can be configured to
|
|
|
494 |
# proxy accounting packets as part of normal processing.
|
|
|
495 |
# Then, if the home server goes down, accounting packets can
|
|
|
496 |
# be logged to a local "detail" file, for processing with
|
|
|
497 |
# radrelay. When the home server comes back up, radrelay
|
|
|
498 |
# will read the detail file, and send the packets to the
|
|
|
499 |
# home server.
|
|
|
500 |
#
|
|
|
501 |
# With this configuration, the server always responds to
|
|
|
502 |
# Accounting-Requests from the NAS, but only writes
|
|
|
503 |
# accounting packets to disk if the home server is down.
|
|
|
504 |
#
|
|
|
505 |
# Post-Proxy-Type Fail {
|
|
|
506 |
# detail
|
|
|
507 |
# }
|
|
|
508 |
|
|
|
509 |
}
|
|
|
510 |
|