X-Git-Url: https://git.stg.codes/stg.git/blobdiff_plain/8c6fa3fbaccc22127280bf77a48fab5a3ee0716e..46b0747592074017ff0ea4b33d4a7194235886e5:/stargazer/scripts/shaper_vpn_radius/freeradius/radiusd.conf diff --git a/stargazer/scripts/shaper_vpn_radius/freeradius/radiusd.conf b/stargazer/scripts/shaper_vpn_radius/freeradius/radiusd.conf new file mode 100644 index 00000000..c41d28d7 --- /dev/null +++ b/stargazer/scripts/shaper_vpn_radius/freeradius/radiusd.conf @@ -0,0 +1,1119 @@ +## +## radiusd.conf -- FreeRADIUS server configuration file. +## +## http://www.freeradius.org/ +## $Id: radiusd.conf,v 1.1 2008/03/31 13:54:59 faust Exp $ +## + +# The location of other config files and +# logfiles are declared in this file +# +# Also general configuration for modules can be done +# in this file, it is exported through the API to +# modules that ask for it. +# +# The configuration variables defined here are of the form ${foo} +# They are local to this file, and do not change from request to +# request. +# +# The per-request variables are of the form %{Attribute-Name}, and +# are taken from the values of the attribute in the incoming +# request. See 'doc/variables.txt' for more information. + +prefix = /usr +exec_prefix = /usr +sysconfdir = /etc +localstatedir = /var +sbindir = ${exec_prefix}/sbin +logdir = /var/log/freeradius +raddbdir = /etc/freeradius +radacctdir = ${logdir}/radacct + +# Location of config and logfiles. +confdir = ${raddbdir} +run_dir = ${localstatedir}/run/freeradius + +# +# The logging messages for the server are appended to the +# tail of this file. +# +log_file = ${logdir}/radius.log + +# +# libdir: Where to find the rlm_* modules. +# +# This should be automatically set at configuration time. +# +# If the server builds and installs, but fails at execution time +# with an 'undefined symbol' error, then you can use the libdir +# directive to work around the problem. +# +# The cause is usually that a library has been installed on your +# system in a place where the dynamic linker CANNOT find it. When +# executing as root (or another user), your personal environment MAY +# be set up to allow the dynamic linker to find the library. When +# executing as a daemon, FreeRADIUS MAY NOT have the same +# personalized configuration. +# +# To work around the problem, find out which library contains that symbol, +# and add the directory containing that library to the end of 'libdir', +# with a colon separating the directory names. NO spaces are allowed. +# +# e.g. libdir = /usr/local/lib:/opt/package/lib +# +# You can also try setting the LD_LIBRARY_PATH environment variable +# in a script which starts the server. +# +# If that does not work, then you can re-configure and re-build the +# server to NOT use shared libraries, via: +# +# ./configure --disable-shared +# make +# make install +# +libdir = /usr/lib/freeradius + +# pidfile: Where to place the PID of the RADIUS server. +# +# The server may be signalled while it's running by using this +# file. +# +# This file is written when ONLY running in daemon mode. +# +# e.g.: kill -HUP `cat /var/run/freeradius/freeradius.pid` +# +pidfile = ${run_dir}/freeradius.pid + + +# user/group: The name (or #number) of the user/group to run radiusd as. +# +# If these are commented out, the server will run as the user/group +# that started it. In order to change to a different user/group, you +# MUST be root ( or have root privleges ) to start the server. +# +# We STRONGLY recommend that you run the server with as few permissions +# as possible. That is, if you're not using shadow passwords, the +# user and group items below should be set to 'nobody'. +# +# On SCO (ODT 3) use "user = nouser" and "group = nogroup". +# +# NOTE that some kernels refuse to setgid(group) when the value of +# (unsigned)group is above 60000; don't use group nobody on these systems! +# +# On systems with shadow passwords, you might have to set 'group = shadow' +# for the server to be able to read the shadow password file. If you can +# authenticate users while in debug mode, but not in daemon mode, it may be +# that the debugging mode server is running as a user that can read the +# shadow info, and the user listed below can not. +# +user = freerad +group = freerad + +# max_request_time: The maximum time (in seconds) to handle a request. +# +# Requests which take more time than this to process may be killed, and +# a REJECT message is returned. +# +# WARNING: If you notice that requests take a long time to be handled, +# then this MAY INDICATE a bug in the server, in one of the modules +# used to handle a request, OR in your local configuration. +# +# This problem is most often seen when using an SQL database. If it takes +# more than a second or two to receive an answer from the SQL database, +# then it probably means that you haven't indexed the database. See your +# SQL server documentation for more information. +# +# Useful range of values: 5 to 120 +# +max_request_time = 30 + +# delete_blocked_requests: If the request takes MORE THAN 'max_request_time' +# to be handled, then maybe the server should delete it. +# +# If you're running in threaded, or thread pool mode, this setting +# should probably be 'no'. Setting it to 'yes' when using a threaded +# server MAY cause the server to crash! +# +delete_blocked_requests = no + +# cleanup_delay: The time to wait (in seconds) before cleaning up +# a reply which was sent to the NAS. +# +# The RADIUS request is normally cached internally for a short period +# of time, after the reply is sent to the NAS. The reply packet may be +# lost in the network, and the NAS will not see it. The NAS will then +# re-send the request, and the server will respond quickly with the +# cached reply. +# +# If this value is set too low, then duplicate requests from the NAS +# MAY NOT be detected, and will instead be handled as seperate requests. +# +# If this value is set too high, then the server will cache too many +# requests, and some new requests may get blocked. (See 'max_requests'.) +# +# Useful range of values: 2 to 10 +# +cleanup_delay = 5 + +# max_requests: The maximum number of requests which the server keeps +# track of. This should be 256 multiplied by the number of clients. +# e.g. With 4 clients, this number should be 1024. +# +# If this number is too low, then when the server becomes busy, +# it will not respond to any new requests, until the 'cleanup_delay' +# time has passed, and it has removed the old requests. +# +# If this number is set too high, then the server will use a bit more +# memory for no real benefit. +# +# If you aren't sure what it should be set to, it's better to set it +# too high than too low. Setting it to 1000 per client is probably +# the highest it should be. +# +# Useful range of values: 256 to infinity +# +max_requests = 1024 + +# bind_address: Make the server listen on a particular IP address, and +# send replies out from that address. This directive is most useful +# for machines with multiple IP addresses on one interface. +# +# It can either contain "*", or an IP address, or a fully qualified +# Internet domain name. The default is "*" +# +# As of 1.0, you can also use the "listen" directive. See below for +# more information. +# +bind_address = * + +# port: Allows you to bind FreeRADIUS to a specific port. +# +# The default port that most NAS boxes use is 1645, which is historical. +# RFC 2138 defines 1812 to be the new port. Many new servers and +# NAS boxes use 1812, which can create interoperability problems. +# +# The port is defined here to be 0 so that the server will pick up +# the machine's local configuration for the radius port, as defined +# in /etc/services. +# +# If you want to use the default RADIUS port as defined on your server, +# (usually through 'grep radius /etc/services') set this to 0 (zero). +# +# A port given on the command-line via '-p' over-rides this one. +# +# As of 1.0, you can also use the "listen" directive. See below for +# more information. +# +port = 0 + +# +# By default, the server uses "bind_address" to listen to all IP's +# on a machine, or just one IP. The "port" configuration is used +# to select the authentication port used when listening on those +# addresses. +# +# If you want the server to listen on additional addresses, you can +# use the "listen" section. A sample section (commented out) is included +# below. This "listen" section duplicates the functionality of the +# "bind_address" and "port" configuration entries, but it only listens +# for authentication packets. +# +# If you comment out the "bind_address" and "port" configuration entries, +# then it becomes possible to make the server accept only accounting, +# or authentication packets. Previously, it always listened for both +# types of packets, and it was impossible to make it listen for only +# one type of packet. +# +#listen { + # IP address on which to listen. + # Allowed values are: + # dotted quad (1.2.3.4) + # hostname (radius.example.com) + # wildcard (*) +# ipaddr = * + + # Port on which to listen. + # Allowed values are: + # integer port number (1812) + # 0 means "use /etc/services for the proper port" +# port = 0 + + # Type of packets to listen for. + # Allowed values are: + # auth listen for authentication packets + # acct listen for accounting packets + # +# type = auth +#} + + +# hostname_lookups: Log the names of clients or just their IP addresses +# e.g., www.freeradius.org (on) or 206.47.27.232 (off). +# +# The default is 'off' because it would be overall better for the net +# if people had to knowingly turn this feature on, since enabling it +# means that each client request will result in AT LEAST one lookup +# request to the nameserver. Enabling hostname_lookups will also +# mean that your server may stop randomly for 30 seconds from time +# to time, if the DNS requests take too long. +# +# Turning hostname lookups off also means that the server won't block +# for 30 seconds, if it sees an IP address which has no name associated +# with it. +# +# allowed values: {no, yes} +# +hostname_lookups = no + +# Core dumps are a bad thing. This should only be set to 'yes' +# if you're debugging a problem with the server. +# +# allowed values: {no, yes} +# +allow_core_dumps = no + +# Regular expressions +# +# These items are set at configure time. If they're set to "yes", +# then setting them to "no" turns off regular expression support. +# +# If they're set to "no" at configure time, then setting them to "yes" +# WILL NOT WORK. It will give you an error. +# +regular_expressions = yes +extended_expressions = yes + +# Log the full User-Name attribute, as it was found in the request. +# +# allowed values: {no, yes} +# +log_stripped_names = no + +# Log authentication requests to the log file. +# +# allowed values: {no, yes} +# +log_auth = no + +# Log passwords with the authentication requests. +# log_auth_badpass - logs password if it's rejected +# log_auth_goodpass - logs password if it's correct +# +# allowed values: {no, yes} +# +log_auth_badpass = no +log_auth_goodpass = no + +# usercollide: Turn "username collision" code on and off. See the +# "doc/duplicate-users" file +# +# WARNING +# !!!!!!! Setting this to "yes" may result in the server behaving +# !!!!!!! strangely. The "username collision" code will ONLY work +# !!!!!!! with clear-text passwords. Even then, it may not do what +# !!!!!!! you want, or what you expect. +# !!!!!!! +# !!!!!!! We STRONGLY RECOMMEND that you do not use this feature, +# !!!!!!! and that you find another way of acheiving the same goal. +# !!!!!!! +# !!!!!!! e,g. module fail-over. See 'doc/configurable_failover' +# WARNING +# +usercollide = no + +# lower_user / lower_pass: +# Lower case the username/password "before" or "after" +# attempting to authenticate. +# +# If "before", the server will first modify the request and then try +# to auth the user. If "after", the server will first auth using the +# values provided by the user. If that fails it will reprocess the +# request after modifying it as you specify below. +# +# This is as close as we can get to case insensitivity. It is the +# admin's job to ensure that the username on the auth db side is +# *also* lowercase to make this work +# +# Default is 'no' (don't lowercase values) +# Valid values = "before" / "after" / "no" +# +lower_user = no +lower_pass = no + +# nospace_user / nospace_pass: +# +# Some users like to enter spaces in their username or password +# incorrectly. To save yourself the tech support call, you can +# eliminate those spaces here: +# +# Default is 'no' (don't remove spaces) +# Valid values = "before" / "after" / "no" (explanation above) +# +nospace_user = no +nospace_pass = no + +# The program to execute to do concurrency checks. +checkrad = ${sbindir}/checkrad + +# SECURITY CONFIGURATION +# +# There may be multiple methods of attacking on the server. This +# section holds the configuration items which minimize the impact +# of those attacks +# +security { + # + # max_attributes: The maximum number of attributes + # permitted in a RADIUS packet. Packets which have MORE + # than this number of attributes in them will be dropped. + # + # If this number is set too low, then no RADIUS packets + # will be accepted. + # + # If this number is set too high, then an attacker may be + # able to send a small number of packets which will cause + # the server to use all available memory on the machine. + # + # Setting this number to 0 means "allow any number of attributes" + max_attributes = 200 + + # + # reject_delay: When sending an Access-Reject, it can be + # delayed for a few seconds. This may help slow down a DoS + # attack. It also helps to slow down people trying to brute-force + # crack a users password. + # + # Setting this number to 0 means "send rejects immediately" + # + # If this number is set higher than 'cleanup_delay', then the + # rejects will be sent at 'cleanup_delay' time, when the request + # is deleted from the internal cache of requests. + # + # Useful ranges: 1 to 5 + reject_delay = 1 + + # + # status_server: Whether or not the server will respond + # to Status-Server requests. + # + # Normally this should be set to "no", because they're useless. + # See: http://www.freeradius.org/rfc/rfc2865.html#Keep-Alives + # + # However, certain NAS boxes may require them. + # + # When sent a Status-Server message, the server responds with + # an Access-Accept packet, containing a Reply-Message attribute, + # which is a string describing how long the server has been + # running. + # + status_server = no +} + +# PROXY CONFIGURATION +# +# proxy_requests: Turns proxying of RADIUS requests on or off. +# +# The server has proxying turned on by default. If your system is NOT +# set up to proxy requests to another server, then you can turn proxying +# off here. This will save a small amount of resources on the server. +# +# If you have proxying turned off, and your configuration files say +# to proxy a request, then an error message will be logged. +# +# To disable proxying, change the "yes" to "no", and comment the +# $INCLUDE line. +# +# allowed values: {no, yes} +# +proxy_requests = yes +$INCLUDE ${confdir}/proxy.conf + + +# CLIENTS CONFIGURATION +# +# Client configuration is defined in "clients.conf". +# + +# The 'clients.conf' file contains all of the information from the old +# 'clients' and 'naslist' configuration files. We recommend that you +# do NOT use 'client's or 'naslist', although they are still +# supported. +# +# Anything listed in 'clients.conf' will take precedence over the +# information from the old-style configuration files. +# +$INCLUDE ${confdir}/clients.conf + + +# SNMP CONFIGURATION +# +# Snmp configuration is only valid if SNMP support was enabled +# at compile time. +# +# To enable SNMP querying of the server, set the value of the +# 'snmp' attribute to 'yes' +# +snmp = no +$INCLUDE ${confdir}/snmp.conf + + +# THREAD POOL CONFIGURATION +# +# The thread pool is a long-lived group of threads which +# take turns (round-robin) handling any incoming requests. +# +# You probably want to have a few spare threads around, +# so that high-load situations can be handled immediately. If you +# don't have any spare threads, then the request handling will +# be delayed while a new thread is created, and added to the pool. +# +# You probably don't want too many spare threads around, +# otherwise they'll be sitting there taking up resources, and +# not doing anything productive. +# +# The numbers given below should be adequate for most situations. +# +thread pool { + # Number of servers to start initially --- should be a reasonable + # ballpark figure. + start_servers = 5 + + # Limit on the total number of servers running. + # + # If this limit is ever reached, clients will be LOCKED OUT, so it + # should NOT BE SET TOO LOW. It is intended mainly as a brake to + # keep a runaway server from taking the system with it as it spirals + # down... + # + # You may find that the server is regularly reaching the + # 'max_servers' number of threads, and that increasing + # 'max_servers' doesn't seem to make much difference. + # + # If this is the case, then the problem is MOST LIKELY that + # your back-end databases are taking too long to respond, and + # are preventing the server from responding in a timely manner. + # + # The solution is NOT do keep increasing the 'max_servers' + # value, but instead to fix the underlying cause of the + # problem: slow database, or 'hostname_lookups=yes'. + # + # For more information, see 'max_request_time', above. + # + max_servers = 32 + + # Server-pool size regulation. Rather than making you guess + # how many servers you need, FreeRADIUS dynamically adapts to + # the load it sees, that is, it tries to maintain enough + # servers to handle the current load, plus a few spare + # servers to handle transient load spikes. + # + # It does this by periodically checking how many servers are + # waiting for a request. If there are fewer than + # min_spare_servers, it creates a new spare. If there are + # more than max_spare_servers, some of the spares die off. + # The default values are probably OK for most sites. + # + min_spare_servers = 3 + max_spare_servers = 10 + + # There may be memory leaks or resource allocation problems with + # the server. If so, set this value to 300 or so, so that the + # resources will be cleaned up periodically. + # + # This should only be necessary if there are serious bugs in the + # server which have not yet been fixed. + # + # '0' is a special value meaning 'infinity', or 'the servers never + # exit' + max_requests_per_server = 0 +} + +# MODULE CONFIGURATION +# +# The names and configuration of each module is located in this section. +# +# After the modules are defined here, they may be referred to by name, +# in other sections of this configuration file. +# +modules { + # + # Each module has a configuration as follows: + # + # name [ instance ] { + # config_item = value + # ... + # } + # + # The 'name' is used to load the 'rlm_name' library + # which implements the functionality of the module. + # + # The 'instance' is optional. To have two different instances + # of a module, it first must be referred to by 'name'. + # The different copies of the module are then created by + # inventing two 'instance' names, e.g. 'instance1' and 'instance2' + # + # The instance names can then be used in later configuration + # INSTEAD of the original 'name'. See the 'radutmp' configuration + # below for an example. + # + + # PAP module to authenticate users based on their stored password + # + # Supports multiple encryption schemes + # clear: Clear text + # crypt: Unix crypt + # md5: MD5 ecnryption + # sha1: SHA1 encryption. + # DEFAULT: crypt + pap { + encryption_scheme = crypt + } + + # CHAP module + # + # To authenticate requests containing a CHAP-Password attribute. + # + chap { + authtype = CHAP + } + + # Extensible Authentication Protocol + # + # For all EAP related authentications. + # Now in another file, because it is very large. + # +$INCLUDE ${confdir}/eap.conf + + # Microsoft CHAP authentication + # + # This module supports MS-CHAP and MS-CHAPv2 authentication. + # It also enforces the SMB-Account-Ctrl attribute. + # + mschap { + # + # As of 0.9, the mschap module does NOT support + # reading from /etc/smbpasswd. + # + # If you are using /etc/smbpasswd, see the 'passwd' + # module for an example of how to use /etc/smbpasswd + + # if use_mppe is not set to no mschap will + # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and + # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2 + # + use_mppe = yes + authtype = MS-CHAP + + # if mppe is enabled require_encryption makes + # encryption moderate + # + #require_encryption = yes + + # require_strong always requires 128 bit key + # encryption + # + #require_strong = yes + + # Windows sends us a username in the form of + # DOMAIN\user, but sends the challenge response + # based on only the user portion. This hack + # corrects for that incorrect behavior. + # + #with_ntdomain_hack = no + + # The module can perform authentication itself, OR + # use a Windows Domain Controller. This configuration + # directive tells the module to call the ntlm_auth + # program, which will do the authentication, and return + # the NT-Key. Note that you MUST have "winbindd" and + # "nmbd" running on the local machine for ntlm_auth + # to work. See the ntlm_auth program documentation + # for details. + # + # Be VERY careful when editing the following line! + # + #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" + } + + # Preprocess the incoming RADIUS request, before handing it off + # to other modules. + # + # This module processes the 'huntgroups' and 'hints' files. + # In addition, it re-writes some weird attributes created + # by some NASes, and converts the attributes into a form which + # is a little more standard. + # + preprocess { + huntgroups = ${confdir}/huntgroups + hints = ${confdir}/hints + + # This hack changes Ascend's wierd port numberings + # to standard 0-??? port numbers so that the "+" works + # for IP address assignments. + with_ascend_hack = no + ascend_channels_per_line = 23 + + # Windows NT machines often authenticate themselves as + # NT_DOMAIN\username + # + # If this is set to 'yes', then the NT_DOMAIN portion + # of the user-name is silently discarded. + # + # This configuration entry SHOULD NOT be used. + # See the "realms" module for a better way to handle + # NT domains. + with_ntdomain_hack = no + + # Specialix Jetstream 8500 24 port access server. + # + # If the user name is 10 characters or longer, a "/" + # and the excess characters after the 10th are + # appended to the user name. + # + # If you're not running that NAS, you don't need + # this hack. + with_specialix_jetstream_hack = no + + # Cisco (and Quintum in Cisco mode) sends it's VSA attributes + # with the attribute name *again* in the string, like: + # + # H323-Attribute = "h323-attribute=value". + # + # If this configuration item is set to 'yes', then + # the redundant data in the the attribute text is stripped + # out. The result is: + # + # H323-Attribute = "value" + # + # If you're not running a Cisco or Quintum NAS, you don't + # need this hack. + with_cisco_vsa_hack = no + } + + # Write a detailed log of all accounting records received. + # + detail { + # Note that we do NOT use NAS-IP-Address here, as + # that attribute MAY BE from the originating NAS, and + # NOT from the proxy which actually sent us the + # request. The Client-IP-Address attribute is ALWAYS + # the address of the client which sent us the + # request. + # + # The following line creates a new detail file for + # every radius client (by IP address or hostname). + # In addition, a new detail file is created every + # day, so that the detail file doesn't have to go + # through a 'log rotation' + # + # If your detail files are large, you may also want + # to add a ':%H' (see doc/variables.txt) to the end + # of it, to create a new detail file every hour, e.g.: + # + # ..../detail-%Y%m%d:%H + # + # This will create a new detail file for every hour. + # + detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d + + # + # The Unix-style permissions on the 'detail' file. + # + # The detail file often contains secret or private + # information about users. So by keeping the file + # permissions restrictive, we can prevent unwanted + # people from seeing that information. + detailperm = 0600 + + # + # Certain attributes such as User-Password may be + # "sensitive", so they should not be printed in the + # detail file. This section lists the attributes + # that should be suppressed. + # + # The attributes should be listed one to a line. + # + #suppress { + # User-Password + #} + } + + # + # Create a unique accounting session Id. Many NASes re-use + # or repeat values for Acct-Session-Id, causing no end of + # confusion. + # + # This module will add a (probably) unique session id + # to an accounting packet based on the attributes listed + # below found in the packet. See doc/rlm_acct_unique for + # more information. + # + acct_unique { + key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" + } + + # Write a 'utmp' style file, of which users are currently + # logged in, and where they've logged in from. + # + # This file is used mainly for Simultaneous-Use checking, + # and also 'radwho', to see who's currently logged in. + # + radutmp { + # Where the file is stored. It's not a log file, + # so it doesn't need rotating. + # + filename = ${logdir}/radutmp + + # The field in the packet to key on for the + # 'user' name, If you have other fields which you want + # to use to key on to control Simultaneous-Use, + # then you can use them here. + # + # Note, however, that the size of the field in the + # 'utmp' data structure is small, around 32 + # characters, so that will limit the possible choices + # of keys. + # + # You may want instead: %{Stripped-User-Name:-%{User-Name}} + username = %{User-Name} + + + # Whether or not we want to treat "user" the same + # as "USER", or "User". Some systems have problems + # with case sensitivity, so this should be set to + # 'no' to enable the comparisons of the key attribute + # to be case insensitive. + # + case_sensitive = yes + + # Accounting information may be lost, so the user MAY + # have logged off of the NAS, but we haven't noticed. + # If so, we can verify this information with the NAS, + # + # If we want to believe the 'utmp' file, then this + # configuration entry can be set to 'no'. + # + check_with_nas = yes + + # Set the file permissions, as the contents of this file + # are usually private. + perm = 0600 + + callerid = "yes" + } + + # "Safe" radutmp - does not contain caller ID, so it can be + # world-readable, and radwho can work for normal users, without + # exposing any information that isn't already exposed by who(1). + # + # This is another 'instance' of the radutmp module, but it is given + # then name "sradutmp" to identify it later in the "accounting" + # section. + radutmp sradutmp { + filename = ${logdir}/sradutmp + perm = 0644 + callerid = "no" + } + + # attr_filter - filters the attributes received in replies from + # proxied servers, to make sure we send back to our RADIUS client + # only allowed attributes. + attr_filter { + attrsfile = ${confdir}/attrs + } + + # counter module: + # This module takes an attribute (count-attribute). + # It also takes a key, and creates a counter for each unique + # key. The count is incremented when accounting packets are + # received by the server. The value of the increment depends + # on the attribute type. + # If the attribute is Acct-Session-Time or of an integer type we add the + # value of the attribute. If it is anything else we increase the + # counter by one. + # + # The 'reset' parameter defines when the counters are all reset to + # zero. It can be hourly, daily, weekly, monthly or never. + # + # hourly: Reset on 00:00 of every hour + # daily: Reset on 00:00:00 every day + # weekly: Reset on 00:00:00 on sunday + # monthly: Reset on 00:00:00 of the first day of each month + # + # It can also be user defined. It should be of the form: + # num[hdwm] where: + # h: hours, d: days, w: weeks, m: months + # If the letter is ommited days will be assumed. In example: + # reset = 10h (reset every 10 hours) + # reset = 12 (reset every 12 days) + # + # + # The check-name attribute defines an attribute which will be + # registered by the counter module and can be used to set the + # maximum allowed value for the counter after which the user + # is rejected. + # Something like: + # + # DEFAULT Max-Daily-Session := 36000 + # Fall-Through = 1 + # + # You should add the counter module in the instantiate + # section so that it registers check-name before the files + # module reads the users file. + # + # If check-name is set and the user is to be rejected then we + # send back a Reply-Message and we log a Failure-Message in + # the radius.log + # If the count attribute is Acct-Session-Time then on each login + # we send back the remaining online time as a Session-Timeout attribute + # + # The counter-name can also be used instead of using the check-name + # like below: + # + # DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject + # Reply-Message = "You've used up more than one hour today" + # + # The allowed-servicetype attribute can be used to only take + # into account specific sessions. For example if a user first + # logs in through a login menu and then selects ppp there will + # be two sessions. One for Login-User and one for Framed-User + # service type. We only need to take into account the second one. + # + # The module should be added in the instantiate, authorize and + # accounting sections. Make sure that in the authorize + # section it comes after any module which sets the + # 'check-name' attribute. + # + counter daily { + filename = ${raddbdir}/db.daily + key = User-Name + count-attribute = Acct-Session-Time + reset = daily + counter-name = Daily-Session-Time + check-name = Max-Daily-Session + allowed-servicetype = Framed-User + cache-size = 5000 + } + + # + # The "always" module is here for debugging purposes. Each + # instance simply returns the same result, always, without + # doing anything. + always fail { + rcode = fail + } + always reject { + rcode = reject + } + always ok { + rcode = ok + simulcount = 0 + mpp = no + } + + stg { + local_port = 6667 + server = localhost + port = 6666 + password = 123456 + } + +} + +# Instantiation +# +# This section orders the loading of the modules. Modules +# listed here will get loaded BEFORE the later sections like +# authorize, authenticate, etc. get examined. +# +# This section is not strictly needed. When a section like +# authorize refers to a module, it's automatically loaded and +# initialized. However, some modules may not be listed in any +# of the following sections, so they can be listed here. +# +# Also, listing modules here ensures that you have control over +# the order in which they are initalized. If one module needs +# something defined by another module, you can list them in order +# here, and ensure that the configuration will be OK. +# +instantiate { + stg +} + +# Authorization. First preprocess (hints and huntgroups files), +# then realms, and finally look in the "users" file. +# +# The order of the realm modules will determine the order that +# we try to find a matching realm. +# +# Make *sure* that 'preprocess' comes before any realm if you +# need to setup hints for the remote radius server +authorize { + # + # The preprocess module takes care of sanitizing some bizarre + # attributes in the request, and turning them into attributes + # which are more standard. + # + # It takes care of processing the 'raddb/hints' and the + # 'raddb/huntgroups' files. + # + # It also adds the %{Client-IP-Address} attribute to the request. + preprocess + + # + # The chap module will set 'Auth-Type := CHAP' if we are + # handling a CHAP request and Auth-Type has not already been set + chap + + # + # If the users are logging in with an MS-CHAP-Challenge + # attribute for authentication, the mschap module will find + # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' + # to the request, which will cause the server to then use + # the mschap module for authentication. + mschap + + # + # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP + # authentication. + # + # It also sets the EAP-Type attribute in the request + # attribute list to the EAP type from the packet. + eap + + stg +} + + +# Authentication. +# +# +# This section lists which modules are available for authentication. +# Note that it does NOT mean 'try each module in order'. It means +# that a module from the 'authorize' section adds a configuration +# attribute 'Auth-Type := FOO'. That authentication type is then +# used to pick the apropriate module from the list below. +# + +# In general, you SHOULD NOT set the Auth-Type attribute. The server +# will figure it out on its own, and will do the right thing. The +# most common side effect of erroneously setting the Auth-Type +# attribute is that one authentication method will work, but the +# others will not. +# +# The common reasons to set the Auth-Type attribute by hand +# is to either forcibly reject the user, or forcibly accept him. +# +authenticate { + # + # PAP authentication, when a back-end database listed + # in the 'authorize' section supplies a password. The + # password can be clear-text, or encrypted. + Auth-Type PAP { + stg + pap + } + + # + # Most people want CHAP authentication + # A back-end database listed in the 'authorize' section + # MUST supply a CLEAR TEXT password. Encrypted passwords + # won't work. + Auth-Type CHAP { + stg + chap + } + + # + # MSCHAP authentication. + Auth-Type MS-CHAP { + stg + mschap + } + + # + # Allow EAP authentication. + eap +} + + +# +# Pre-accounting. Decide which accounting type to use. +# +preacct { + preprocess + + # + # Ensure that we have a semi-unique identifier for every + # request, and many NAS boxes are broken. + acct_unique +} + +# +# Accounting. Log the accounting data. +# +accounting { + # + # Create a 'detail'ed log of the packets. + # Note that accounting requests which are proxied + # are also logged in the detail file. + detail +# daily + + # + # For Simultaneous-Use tracking. + # + # Due to packet losses in the network, the data here + # may be incorrect. There is little we can do about it. + radutmp + + stg + +} + + +# Session database, used for checking Simultaneous-Use. Either the radutmp +# or rlm_sql module can handle this. +# The rlm_sql module is *much* faster +session { + radutmp +} + + +# Post-Authentication +# Once we KNOW that the user has been authenticated, there are +# additional steps we can take. +post-auth { + stg +} + +# +# When the server decides to proxy a request to a home server, +# the proxied request is first passed through the pre-proxy +# stage. This stage can re-write the request, or decide to +# cancel the proxy. +# +# Only a few modules currently have this method. +# +pre-proxy { +} + +# +# When the server receives a reply to a request it proxied +# to a home server, the request may be massaged here, in the +# post-proxy stage. +# +post-proxy { + # + # If you are proxying LEAP, you MUST configure the EAP + # module, and you MUST list it here, in the post-proxy + # stage. + # + # You MUST also use the 'nostrip' option in the 'realm' + # configuration. Otherwise, the User-Name attribute + # in the proxied request will not match the user name + # hidden inside of the EAP packet, and the end server will + # reject the EAP request. + # + eap +}