init
This commit is contained in:
commit
dc152265b4
288
freeradius/clients.conf
Normal file
288
freeradius/clients.conf
Normal file
@ -0,0 +1,288 @@
|
||||
# -*- text -*-
|
||||
##
|
||||
## clients.conf -- client configuration directives
|
||||
##
|
||||
## $Id: 60f9f4bf8a32804182e4516ac69ac510d25215d1 $
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# Define RADIUS clients (usually a NAS, Access Point, etc.).
|
||||
|
||||
#
|
||||
# Defines a RADIUS client.
|
||||
#
|
||||
# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
|
||||
# to allow testing of the server after an initial installation. If you
|
||||
# are not going to be permitting RADIUS queries from localhost, we suggest
|
||||
# that you delete, or comment out, this entry.
|
||||
#
|
||||
#
|
||||
|
||||
#
|
||||
# Each client has a "short name" that is used to distinguish it from
|
||||
# other clients.
|
||||
#
|
||||
# In version 1.x, the string after the word "client" was the IP
|
||||
# address of the client. In 2.0, the IP address is configured via
|
||||
# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x
|
||||
# format is still accepted.
|
||||
#
|
||||
client localhost {
|
||||
# Only *one* of ipaddr, ipv4addr, ipv6addr may be specified for
|
||||
# a client.
|
||||
#
|
||||
# ipaddr will accept IPv4 or IPv6 addresses with optional CIDR
|
||||
# notation '/<mask>' to specify ranges.
|
||||
#
|
||||
# ipaddr will accept domain names e.g. example.org resolving
|
||||
# them via DNS.
|
||||
#
|
||||
# If both A and AAAA records are found, A records will be
|
||||
# used in preference to AAAA.
|
||||
ipaddr = 127.0.0.1
|
||||
|
||||
# Same as ipaddr but allows v4 addresses only. Requires A
|
||||
# record for domain names.
|
||||
# ipv4addr = * # any. 127.0.0.1 == localhost
|
||||
|
||||
# Same as ipaddr but allows v6 addresses only. Requires AAAA
|
||||
# record for domain names.
|
||||
# ipv6addr = :: # any. ::1 == localhost
|
||||
|
||||
#
|
||||
# A note on DNS: We STRONGLY recommend using IP addresses
|
||||
# rather than host names. Using host names means that the
|
||||
# server will do DNS lookups when it starts, making it
|
||||
# dependent on DNS. i.e. If anything goes wrong with DNS,
|
||||
# the server won't start!
|
||||
#
|
||||
# The server also looks up the IP address from DNS once, and
|
||||
# only once, when it starts. If the DNS record is later
|
||||
# updated, the server WILL NOT see that update.
|
||||
#
|
||||
|
||||
#
|
||||
# The transport protocol.
|
||||
#
|
||||
# If unspecified, defaults to "udp", which is the traditional
|
||||
# RADIUS transport. It may also be "tcp", in which case the
|
||||
# server will accept connections from this client ONLY over TCP.
|
||||
#
|
||||
proto = *
|
||||
|
||||
#
|
||||
# The shared secret use to "encrypt" and "sign" packets between
|
||||
# the NAS and FreeRADIUS. You MUST change this secret from the
|
||||
# default, otherwise it's not a secret any more!
|
||||
#
|
||||
# The secret can be any string, up to 8k characters in length.
|
||||
#
|
||||
# Control codes can be entered vi octal encoding,
|
||||
# e.g. "\101\102" == "AB"
|
||||
# Quotation marks can be entered by escaping them,
|
||||
# e.g. "foo\"bar"
|
||||
#
|
||||
# A note on security: The security of the RADIUS protocol
|
||||
# depends COMPLETELY on this secret! We recommend using a
|
||||
# shared secret that is composed of:
|
||||
#
|
||||
# upper case letters
|
||||
# lower case letters
|
||||
# numbers
|
||||
#
|
||||
# And is at LEAST 8 characters long, preferably 16 characters in
|
||||
# length. The secret MUST be random, and should not be words,
|
||||
# phrase, or anything else that is recognisable.
|
||||
#
|
||||
# The default secret below is only for testing, and should
|
||||
# not be used in any real environment.
|
||||
#
|
||||
secret = testing123
|
||||
|
||||
#
|
||||
# Old-style clients do not send a Message-Authenticator
|
||||
# in an Access-Request. RFC 5080 suggests that all clients
|
||||
# SHOULD include it in an Access-Request. The configuration
|
||||
# item below allows the server to require it. If a client
|
||||
# is required to include a Message-Authenticator and it does
|
||||
# not, then the packet will be silently discarded.
|
||||
#
|
||||
# allowed values: yes, no
|
||||
require_message_authenticator = no
|
||||
|
||||
#
|
||||
# The short name is used as an alias for the fully qualified
|
||||
# domain name, or the IP address.
|
||||
#
|
||||
# It is accepted for compatibility with 1.x, but it is no
|
||||
# longer necessary in >= 2.0
|
||||
#
|
||||
# shortname = localhost
|
||||
|
||||
#
|
||||
# the following three fields are optional, but may be used by
|
||||
# checkrad.pl for simultaneous use checks
|
||||
#
|
||||
|
||||
#
|
||||
# The nas_type tells 'checkrad.pl' which NAS-specific method to
|
||||
# use to query the NAS for simultaneous use.
|
||||
#
|
||||
# Permitted NAS types are:
|
||||
#
|
||||
# cisco
|
||||
# computone
|
||||
# livingston
|
||||
# juniper
|
||||
# max40xx
|
||||
# multitech
|
||||
# netserver
|
||||
# pathras
|
||||
# patton
|
||||
# portslave
|
||||
# tc
|
||||
# usrhiper
|
||||
# other # for all other types
|
||||
|
||||
#
|
||||
nas_type = other # localhost isn't usually a NAS...
|
||||
|
||||
#
|
||||
# The following two configurations are for future use.
|
||||
# The 'naspasswd' file is currently used to store the NAS
|
||||
# login name and password, which is used by checkrad.pl
|
||||
# when querying the NAS for simultaneous use.
|
||||
#
|
||||
# login = !root
|
||||
# password = someadminpas
|
||||
|
||||
#
|
||||
# As of 2.0, clients can also be tied to a virtual server.
|
||||
# This is done by setting the "virtual_server" configuration
|
||||
# item, as in the example below.
|
||||
#
|
||||
# virtual_server = home1
|
||||
|
||||
#
|
||||
# A pointer to the "home_server_pool" OR a "home_server"
|
||||
# section that contains the CoA configuration for this
|
||||
# client. For an example of a coa home server or pool,
|
||||
# see raddb/sites-available/originate-coa
|
||||
# coa_server = coa
|
||||
|
||||
#
|
||||
# Response window for proxied packets. If non-zero,
|
||||
# then the lower of (home, client) response_window
|
||||
# will be used.
|
||||
#
|
||||
# i.e. it can be used to lower the response_window
|
||||
# packets from one client to a home server. It cannot
|
||||
# be used to raise the response_window.
|
||||
#
|
||||
# response_window = 10.0
|
||||
|
||||
#
|
||||
# Connection limiting for clients using "proto = tcp".
|
||||
#
|
||||
# This section is ignored for clients sending UDP traffic
|
||||
#
|
||||
limit {
|
||||
#
|
||||
# Limit the number of simultaneous TCP connections from a client
|
||||
#
|
||||
# The default is 16.
|
||||
# Setting this to 0 means "no limit"
|
||||
max_connections = 16
|
||||
|
||||
# The per-socket "max_requests" option does not exist.
|
||||
|
||||
#
|
||||
# The lifetime, in seconds, of a TCP connection. After
|
||||
# this lifetime, the connection will be closed.
|
||||
#
|
||||
# Setting this to 0 means "forever".
|
||||
lifetime = 0
|
||||
|
||||
#
|
||||
# The idle timeout, in seconds, of a TCP connection.
|
||||
# If no packets have been received over the connection for
|
||||
# this time, the connection will be closed.
|
||||
#
|
||||
# Setting this to 0 means "no timeout".
|
||||
#
|
||||
# We STRONGLY RECOMMEND that you set an idle timeout.
|
||||
#
|
||||
idle_timeout = 30
|
||||
}
|
||||
}
|
||||
|
||||
# IPv6 Client
|
||||
client localhost_ipv6 {
|
||||
ipv6addr = ::1
|
||||
secret = testing123
|
||||
}
|
||||
|
||||
# All IPv6 Site-local clients
|
||||
#client sitelocal_ipv6 {
|
||||
# ipv6addr = fe80::/16
|
||||
# secret = testing123
|
||||
#}
|
||||
|
||||
#client example.org {
|
||||
# ipaddr = radius.example.org
|
||||
# secret = testing123
|
||||
#}
|
||||
|
||||
#
|
||||
# You can now specify one secret for a network of clients.
|
||||
# When a client request comes in, the BEST match is chosen.
|
||||
# i.e. The entry from the smallest possible network.
|
||||
#
|
||||
#client private-network-1 {
|
||||
# ipaddr = 192.0.2.0/24
|
||||
# secret = testing123-1
|
||||
#}
|
||||
|
||||
#client private-network-2 {
|
||||
# ipaddr = 198.51.100.0/24
|
||||
# secret = testing123-2
|
||||
#}
|
||||
|
||||
#######################################################################
|
||||
#
|
||||
# Per-socket client lists. The configuration entries are exactly
|
||||
# the same as above, but they are nested inside of a section.
|
||||
#
|
||||
# You can have as many per-socket client lists as you have "listen"
|
||||
# sections, or you can re-use a list among multiple "listen" sections.
|
||||
#
|
||||
# Un-comment this section, and edit a "listen" section to add:
|
||||
# "clients = per_socket_clients". That IP address/port combination
|
||||
# will then accept ONLY the clients listed in this section.
|
||||
#
|
||||
# There are additional considerations when using clients from SQL.
|
||||
#
|
||||
# A client can be link to a virtual server via modules such as SQL.
|
||||
# This link is done via the following process:
|
||||
#
|
||||
# If there is no listener in a virtual server, SQL clients are added
|
||||
# to the global list for that virtual server.
|
||||
#
|
||||
# If there is a listener, and the first listener does not have a
|
||||
# "clients=..." configuration item, SQL clients are added to the
|
||||
# global list.
|
||||
#
|
||||
# If there is a listener, and the first one does have a "clients=..."
|
||||
# configuration item, SQL clients are added to that list. The client
|
||||
# { ...} ` configured in that list are also added for that listener.
|
||||
#
|
||||
# The only issue is if you have multiple listeners in a virtual
|
||||
# server, each with a different client list, then the SQL clients are
|
||||
# added only to the first listener.
|
||||
#
|
||||
#clients per_socket_clients {
|
||||
# client socket_client {
|
||||
# ipaddr = 192.0.2.4
|
||||
# secret = testing123
|
||||
# }
|
||||
#}
|
712
freeradius/mods-available/ldap
Normal file
712
freeradius/mods-available/ldap
Normal file
@ -0,0 +1,712 @@
|
||||
# -*- text -*-
|
||||
#
|
||||
# $Id: 997d41efcbdf26282dad8bd87f051abecc6f88e9 $
|
||||
|
||||
#
|
||||
# Lightweight Directory Access Protocol (LDAP)
|
||||
#
|
||||
ldap {
|
||||
# Note that this needs to match the name(s) in the LDAP server
|
||||
# certificate, if you're using ldaps. See OpenLDAP documentation
|
||||
# for the behavioral semantics of specifying more than one host.
|
||||
#
|
||||
# Depending on the libldap in use, server may be an LDAP URI.
|
||||
# In the case of OpenLDAP this allows additional the following
|
||||
# additional schemes:
|
||||
# - ldaps:// (LDAP over SSL)
|
||||
# - ldapi:// (LDAP over Unix socket)
|
||||
# - ldapc:// (Connectionless LDAP)
|
||||
server = 'localhost'
|
||||
# server = 'ldap.rrdns.example.org'
|
||||
# server = 'ldap.rrdns.example.org'
|
||||
|
||||
# Port to connect on, defaults to 389, will be ignored for LDAP URIs.
|
||||
# port = 389
|
||||
|
||||
# Administrator account for searching and possibly modifying.
|
||||
# If using SASL + KRB5 these should be commented out.
|
||||
# identity = 'cn=admin,dc=example,dc=org'
|
||||
# password = mypass
|
||||
|
||||
# Unless overridden in another section, the dn from which all
|
||||
# searches will start from.
|
||||
base_dn = 'dc=example,dc=org'
|
||||
|
||||
#
|
||||
# You can run the 'ldapsearch' command line tool using the
|
||||
# parameters from this module's configuration.
|
||||
#
|
||||
# ldapsearch -D ${identity} -w ${password} -h ${server} -b 'CN=user,${base_dn}'
|
||||
#
|
||||
# That will give you the LDAP information for 'user'.
|
||||
#
|
||||
# Group membership can be queried by using the above "ldapsearch" string,
|
||||
# and adding "memberof" qualifiers. For ActiveDirectory, use:
|
||||
#
|
||||
# ldapsearch ... '(&(objectClass=user)(sAMAccountName=user)(memberof=CN=group,${base_dn}))'
|
||||
#
|
||||
# Where 'user' is the user as above, and 'group' is the group you are querying for.
|
||||
#
|
||||
|
||||
#
|
||||
# SASL parameters to use for admin binds
|
||||
#
|
||||
# When we're prompted by the SASL library, these control
|
||||
# the responses given, as well as the identity and password
|
||||
# directives above.
|
||||
#
|
||||
# If any directive is commented out, a NULL response will be
|
||||
# provided to cyrus-sasl.
|
||||
#
|
||||
# Unfortunately the only way to control Keberos here is through
|
||||
# environmental variables, as cyrus-sasl provides no API to
|
||||
# set the krb5 config directly.
|
||||
#
|
||||
# Full documentation for MIT krb5 can be found here:
|
||||
#
|
||||
# http://web.mit.edu/kerberos/krb5-devel/doc/admin/env_variables.html
|
||||
#
|
||||
# At a minimum you probably want to set KRB5_CLIENT_KTNAME.
|
||||
#
|
||||
sasl {
|
||||
# SASL mechanism
|
||||
# mech = 'PLAIN'
|
||||
|
||||
# SASL authorisation identity to proxy.
|
||||
# proxy = 'autz_id'
|
||||
|
||||
# SASL realm. Used for kerberos.
|
||||
# realm = 'example.org'
|
||||
}
|
||||
|
||||
#
|
||||
# Generic valuepair attribute
|
||||
#
|
||||
|
||||
# If set, this will attribute will be retrieved in addition to any
|
||||
# mapped attributes.
|
||||
#
|
||||
# Values should be in the format:
|
||||
# <radius attr> <op> <value>
|
||||
#
|
||||
# Where:
|
||||
# <radius attr>: Is the attribute you wish to create
|
||||
# with any valid list and request qualifiers.
|
||||
# <op>: Is any assignment operator (=, :=, +=).
|
||||
# <value>: Is the value to parse into the new valuepair.
|
||||
# If the value is wrapped in double quotes it
|
||||
# will be xlat expanded.
|
||||
# valuepair_attribute = 'radiusAttribute'
|
||||
|
||||
#
|
||||
# Mapping of LDAP directory attributes to RADIUS dictionary attributes.
|
||||
#
|
||||
|
||||
# WARNING: Although this format is almost identical to the unlang
|
||||
# update section format, it does *NOT* mean that you can use other
|
||||
# unlang constructs in module configuration files.
|
||||
#
|
||||
# Configuration items are in the format:
|
||||
# <radius attr> <op> <ldap attr>
|
||||
#
|
||||
# Where:
|
||||
# <radius attr>: Is the destination RADIUS attribute
|
||||
# with any valid list and request qualifiers.
|
||||
# <op>: Is any assignment attribute (=, :=, +=, -=).
|
||||
# <ldap attr>: Is the attribute associated with user or
|
||||
# profile objects in the LDAP directory.
|
||||
# If the attribute name is wrapped in double
|
||||
# quotes it will be xlat expanded.
|
||||
#
|
||||
# Request and list qualifiers may also be placed after the 'update'
|
||||
# section name to set defaults destination requests/lists
|
||||
# for unqualified RADIUS attributes.
|
||||
#
|
||||
# Note: LDAP attribute names should be single quoted unless you want
|
||||
# the name value to be derived from an xlat expansion, or an
|
||||
# attribute ref.
|
||||
update {
|
||||
control:Password-With-Header += 'userPassword'
|
||||
# control:NT-Password := 'ntPassword'
|
||||
# reply:Reply-Message := 'radiusReplyMessage'
|
||||
# reply:Tunnel-Type := 'radiusTunnelType'
|
||||
# reply:Tunnel-Medium-Type := 'radiusTunnelMediumType'
|
||||
# reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
|
||||
|
||||
# Where only a list is specified as the RADIUS attribute,
|
||||
# the value of the LDAP attribute is parsed as a valuepair
|
||||
# in the same format as the 'valuepair_attribute' (above).
|
||||
control: += 'radiusControlAttribute'
|
||||
request: += 'radiusRequestAttribute'
|
||||
reply: += 'radiusReplyAttribute'
|
||||
}
|
||||
|
||||
# Set to yes if you have eDirectory and want to use the universal
|
||||
# password mechanism.
|
||||
# edir = no
|
||||
|
||||
# Set to yes if you want to bind as the user after retrieving the
|
||||
# Cleartext-Password. This will consume the login grace, and
|
||||
# verify user authorization.
|
||||
# edir_autz = no
|
||||
|
||||
# LDAP "bind as user" configuration to check PAP passwords.
|
||||
#
|
||||
# Active Directory needs "bind as user", which can be done by
|
||||
# adding the following "if" statement to the authorize {} section
|
||||
# of the virtual server, after the "ldap" module. For
|
||||
# example:
|
||||
#
|
||||
# ...
|
||||
# ldap
|
||||
# if ((ok || updated) && User-Password && !control:Auth-Type) {
|
||||
# update {
|
||||
# control:Auth-Type := ldap
|
||||
# }
|
||||
# }
|
||||
# ...
|
||||
#
|
||||
# You will also need to uncomment the "Auth-Type LDAP" block in the
|
||||
# "authenticate" section.
|
||||
#
|
||||
# This configuration is required because AD will not return the users
|
||||
# "known good" password to FreeRADIUS. Instead, FreeRADIUS has to run
|
||||
# "Auth-Type LDAP" in order to do an LDAP "bind as user", which will hand
|
||||
# the user name / password to AD for verification.
|
||||
#
|
||||
|
||||
#
|
||||
# Name of the attribute that contains the user DN.
|
||||
# The default name is LDAP-UserDn.
|
||||
#
|
||||
# If you have multiple LDAP instances, you should
|
||||
# change this configuration item to:
|
||||
#
|
||||
# ${.:instance}-LDAP-UserDn
|
||||
#
|
||||
# That change allows the modules to set their own
|
||||
# User DN, and to not conflict with each other.
|
||||
#
|
||||
user_dn = "LDAP-UserDn"
|
||||
|
||||
#
|
||||
# User object identification.
|
||||
#
|
||||
user {
|
||||
# Where to start searching in the tree for users
|
||||
base_dn = "${..base_dn}"
|
||||
|
||||
# Filter for user objects, should be specific enough
|
||||
# to identify a single user object.
|
||||
#
|
||||
# For Active Directory, you should use
|
||||
# "samaccountname=" instead of "uid="
|
||||
#
|
||||
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
|
||||
|
||||
# For Active Directory nested group, you should comment out the previous 'filter = ...'
|
||||
# and use the below. Where 'group' is the group you are querying for.
|
||||
#
|
||||
# NOTE: The string '1.2.840.113556.1.4.1941' specifies LDAP_MATCHING_RULE_IN_CHAIN.
|
||||
# This applies only to DN attributes. This is an extended match operator that walks
|
||||
# the chain of ancestry in objects all the way to the root until it finds a match.
|
||||
# This reveals group nesting. It is available only on domain controllers with
|
||||
# Windows Server 2003 SP2 or Windows Server 2008 (or above).
|
||||
#
|
||||
# See: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
|
||||
#
|
||||
# filter = "(&(objectClass=user)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf:1.2.840.113556.1.4.1941:=cn=group,${..base_dn}))"
|
||||
|
||||
# SASL parameters to use for user binds
|
||||
#
|
||||
# When we're prompted by the SASL library, these control
|
||||
# the responses given.
|
||||
#
|
||||
# Any of the config items below may be an attribute ref
|
||||
# or and expansion, so different SASL mechs, proxy IDs
|
||||
# and realms may be used for different users.
|
||||
sasl {
|
||||
# SASL mechanism
|
||||
# mech = 'PLAIN'
|
||||
|
||||
# SASL authorisation identity to proxy.
|
||||
# proxy = &User-Name
|
||||
|
||||
# SASL realm. Used for kerberos.
|
||||
# realm = 'example.org'
|
||||
}
|
||||
|
||||
# Search scope, may be 'base', 'one', sub' or 'children'
|
||||
# scope = 'sub'
|
||||
|
||||
# Server side result sorting
|
||||
#
|
||||
# A list of space delimited attributes to order the result
|
||||
# set by, if the filter matches multiple objects.
|
||||
# Only the first result in the set will be processed.
|
||||
#
|
||||
# If the attribute name is prefixed with a hyphen '-' the
|
||||
# sorting order will be reversed for that attribute.
|
||||
#
|
||||
# If sort_by is set, and the server does not support sorting
|
||||
# the search will fail.
|
||||
# sort_by = '-uid'
|
||||
|
||||
# If this is undefined, anyone is authorised.
|
||||
# If it is defined, the contents of this attribute
|
||||
# determine whether or not the user is authorised
|
||||
# access_attribute = 'dialupAccess'
|
||||
|
||||
# Control whether the presence of 'access_attribute'
|
||||
# allows access, or denys access.
|
||||
#
|
||||
# If 'yes', and the access_attribute is present, or
|
||||
# 'no' and the access_attribute is absent then access
|
||||
# will be allowed.
|
||||
#
|
||||
# If 'yes', and the access_attribute is absent, or
|
||||
# 'no' and the access_attribute is present, then
|
||||
# access will not be allowed.
|
||||
#
|
||||
# If the value of the access_attribute is 'false', it
|
||||
# will negate the result.
|
||||
#
|
||||
# e.g.
|
||||
# access_positive = yes
|
||||
# access_attribute = userAccessAllowed
|
||||
#
|
||||
# With an LDAP object containing:
|
||||
# userAccessAllowed: false
|
||||
#
|
||||
# Will result in the user being locked out.
|
||||
# access_positive = yes
|
||||
}
|
||||
|
||||
#
|
||||
# User membership checking.
|
||||
#
|
||||
group {
|
||||
# Where to start searching in the tree for groups
|
||||
base_dn = "${..base_dn}"
|
||||
|
||||
# Filter for group objects, should match all available
|
||||
# group objects a user might be a member of.
|
||||
#
|
||||
# If using Active Directory you are likely to need "group"
|
||||
# instead of "posixGroup".
|
||||
filter = '(objectClass=posixGroup)'
|
||||
|
||||
# Search scope, may be 'base', 'one', sub' or 'children'
|
||||
# scope = 'sub'
|
||||
|
||||
# Attribute that uniquely identifies a group.
|
||||
# Is used when converting group DNs to group
|
||||
# names.
|
||||
# name_attribute = cn
|
||||
|
||||
# Filter to find all group objects a user is a member of.
|
||||
# That is, group objects with attributes that
|
||||
# identify members (the inverse of membership_attribute).
|
||||
#
|
||||
# Note that this configuration references the "user_dn"
|
||||
# configuration defined above.
|
||||
#
|
||||
# membership_filter = "(|(member=%{control:${..user_dn}})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
|
||||
|
||||
# The attribute, in user objects, which contain the names
|
||||
# or DNs of groups a user is a member of.
|
||||
#
|
||||
# Unless a conversion between group name and group DN is
|
||||
# needed, there's no requirement for the group objects
|
||||
# referenced to actually exist.
|
||||
#
|
||||
# If the LDAP server does not support the "memberOf"
|
||||
# attribute (or equivalent), then you will need to use the
|
||||
# membership_filter option above instead. If you can't see
|
||||
# the memberOf attribute then it is also possible that the
|
||||
# LDAP bind user does not have the correct permissions to
|
||||
# view it.
|
||||
membership_attribute = 'memberOf'
|
||||
|
||||
# If cacheable_name or cacheable_dn are enabled,
|
||||
# all group information for the user will be
|
||||
# retrieved from the directory and written to LDAP-Group
|
||||
# attributes appropriate for the instance of rlm_ldap.
|
||||
#
|
||||
# For group comparisons these attributes will be checked
|
||||
# instead of querying the LDAP directory directly.
|
||||
#
|
||||
# This feature is intended to be used with rlm_cache.
|
||||
#
|
||||
# If you wish to use this feature, you should enable
|
||||
# the type that matches the format of your check items
|
||||
# i.e. if your groups are specified as DNs then enable
|
||||
# cacheable_dn else enable cacheable_name.
|
||||
# cacheable_name = 'no'
|
||||
# cacheable_dn = 'no'
|
||||
|
||||
# Override the normal cache attribute (<inst>-LDAP-Group or
|
||||
# LDAP-Group if using the default instance) and create a
|
||||
# custom attribute. This can help if multiple module instances
|
||||
# are used in fail-over.
|
||||
# cache_attribute = 'LDAP-Cached-Membership'
|
||||
|
||||
# If the group being checked is specified as a name, but
|
||||
# the user's groups are referenced by DN, and one of those
|
||||
# group DNs is invalid, the whole group check is treated as
|
||||
# invalid, and a negative result will be returned.
|
||||
# When set to 'yes', this option ignores invalid DN
|
||||
# references.
|
||||
# allow_dangling_group_ref = 'no'
|
||||
}
|
||||
|
||||
#
|
||||
# User profiles. RADIUS profile objects contain sets of attributes
|
||||
# to insert into the request. These attributes are mapped using
|
||||
# the same mapping scheme applied to user objects (the update section above).
|
||||
#
|
||||
profile {
|
||||
# Filter for RADIUS profile objects
|
||||
# filter = '(objectclass=radiusprofile)'
|
||||
|
||||
# The default profile. This may be a DN or an attribute
|
||||
# reference.
|
||||
# To get old v2.2.x style behaviour, or to use the
|
||||
# &User-Profile attribute to specify the default profile,
|
||||
# set this to &control:User-Profile.
|
||||
# default = 'cn=radprofile,dc=example,dc=org'
|
||||
|
||||
# The LDAP attribute containing profile DNs to apply
|
||||
# in addition to the default profile above. These are
|
||||
# retrieved from the user object, at the same time as the
|
||||
# attributes from the update section, are are applied
|
||||
# if authorization is successful.
|
||||
# attribute = 'radiusProfileDn'
|
||||
}
|
||||
|
||||
#
|
||||
# Bulk load clients from the directory
|
||||
#
|
||||
client {
|
||||
# Where to start searching in the tree for clients
|
||||
base_dn = "${..base_dn}"
|
||||
|
||||
#
|
||||
# Filter to match client objects
|
||||
#
|
||||
filter = '(objectClass=radiusClient)'
|
||||
|
||||
# Search scope, may be 'base', 'one', 'sub' or 'children'
|
||||
# scope = 'sub'
|
||||
|
||||
#
|
||||
# Sets default values (not obtained from LDAP) for new client entries
|
||||
#
|
||||
template {
|
||||
# login = 'test'
|
||||
# password = 'test'
|
||||
# proto = tcp
|
||||
# require_message_authenticator = yes
|
||||
|
||||
# Uncomment to add a home_server with the same
|
||||
# attributes as the client.
|
||||
# coa_server {
|
||||
# response_window = 2.0
|
||||
# }
|
||||
}
|
||||
|
||||
#
|
||||
# Client attribute mappings are in the format:
|
||||
# <client attribute> = <ldap attribute>
|
||||
#
|
||||
# The following attributes are required:
|
||||
# * ipaddr | ipv4addr | ipv6addr - Client IP Address.
|
||||
# * secret - RADIUS shared secret.
|
||||
#
|
||||
# All other attributes usually supported in a client
|
||||
# definition are also supported here.
|
||||
#
|
||||
# Schemas are available in doc/schemas/ldap for openldap and eDirectory
|
||||
#
|
||||
attribute {
|
||||
ipaddr = 'radiusClientIdentifier'
|
||||
secret = 'radiusClientSecret'
|
||||
# shortname = 'radiusClientShortname'
|
||||
# nas_type = 'radiusClientType'
|
||||
# virtual_server = 'radiusClientVirtualServer'
|
||||
# require_message_authenticator = 'radiusClientRequireMa'
|
||||
}
|
||||
}
|
||||
|
||||
# Load clients on startup
|
||||
# read_clients = no
|
||||
|
||||
#
|
||||
# Modify user object on receiving Accounting-Request
|
||||
#
|
||||
|
||||
# Useful for recording things like the last time the user logged
|
||||
# in, or the Acct-Session-ID for CoA/DM.
|
||||
#
|
||||
# LDAP modification items are in the format:
|
||||
# <ldap attr> <op> <value>
|
||||
#
|
||||
# Where:
|
||||
# <ldap attr>: The LDAP attribute to add modify or delete.
|
||||
# <op>: One of the assignment operators:
|
||||
# (:=, +=, -=, ++).
|
||||
# Note: '=' is *not* supported.
|
||||
# <value>: The value to add modify or delete.
|
||||
#
|
||||
# WARNING: If using the ':=' operator with a multi-valued LDAP
|
||||
# attribute, all instances of the attribute will be removed and
|
||||
# replaced with a single attribute.
|
||||
accounting {
|
||||
reference = "%{tolower:type.%{Acct-Status-Type}}"
|
||||
|
||||
type {
|
||||
start {
|
||||
update {
|
||||
description := "Online at %S"
|
||||
}
|
||||
}
|
||||
|
||||
interim-update {
|
||||
update {
|
||||
description := "Last seen at %S"
|
||||
}
|
||||
}
|
||||
|
||||
stop {
|
||||
update {
|
||||
description := "Offline at %S"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Post-Auth can modify LDAP objects too
|
||||
#
|
||||
post-auth {
|
||||
update {
|
||||
description := "Authenticated at %S"
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# LDAP connection-specific options.
|
||||
#
|
||||
# These options set timeouts, keep-alives, etc. for the connections.
|
||||
#
|
||||
options {
|
||||
# Control under which situations aliases are followed.
|
||||
# May be one of 'never', 'searching', 'finding' or 'always'
|
||||
# default: libldap's default which is usually 'never'.
|
||||
#
|
||||
# LDAP_OPT_DEREF is set to this value.
|
||||
# dereference = 'always'
|
||||
|
||||
#
|
||||
# The following two configuration items control whether the
|
||||
# server follows references returned by LDAP directory.
|
||||
# They are mostly for Active Directory compatibility.
|
||||
# If you set these to 'no', then searches will likely return
|
||||
# 'operations error', instead of a useful result.
|
||||
#
|
||||
# 'rebind' causes any connections being established to follow
|
||||
# referrals to be bound using the admin credentials defined
|
||||
# for this module. If it is set to 'no' libldap will bind
|
||||
# to those connections anonymously.
|
||||
#
|
||||
chase_referrals = yes
|
||||
rebind = yes
|
||||
|
||||
# SASL Security Properties (see SASL_SECPROPS in ldap.conf man page).
|
||||
# Note - uncomment when using GSS-API sasl mechanism along with TLS
|
||||
# encryption against Active-Directory LDAP servers (this disables
|
||||
# sealing and signing at the GSS level as required by AD).
|
||||
#sasl_secprops = 'noanonymous,noplain,maxssf=0'
|
||||
|
||||
# Seconds to wait for LDAP query to finish. default: 20
|
||||
res_timeout = 10
|
||||
|
||||
# Seconds LDAP server has to process the query (server-side
|
||||
# time limit). default: 20
|
||||
#
|
||||
# LDAP_OPT_TIMELIMIT is set to this value.
|
||||
srv_timelimit = 3
|
||||
|
||||
# Seconds to wait for response of the server. (network
|
||||
# failures) default: 10
|
||||
#
|
||||
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
|
||||
net_timeout = 1
|
||||
|
||||
# LDAP_OPT_X_KEEPALIVE_IDLE
|
||||
idle = 60
|
||||
|
||||
# LDAP_OPT_X_KEEPALIVE_PROBES
|
||||
probes = 3
|
||||
|
||||
# LDAP_OPT_X_KEEPALIVE_INTERVAL
|
||||
interval = 3
|
||||
|
||||
# ldap_debug: debug flag for LDAP SDK
|
||||
# (see OpenLDAP documentation). Set this to enable
|
||||
# huge amounts of LDAP debugging on the screen.
|
||||
# You should only use this if you are an LDAP expert.
|
||||
#
|
||||
# default: 0x0000 (no debugging messages)
|
||||
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
|
||||
ldap_debug = 0x0028
|
||||
}
|
||||
|
||||
#
|
||||
# This subsection configures the tls related items
|
||||
# that control how FreeRADIUS connects to an LDAP
|
||||
# server. It contains all of the 'tls_*' configuration
|
||||
# entries used in older versions of FreeRADIUS. Those
|
||||
# configuration entries can still be used, but we recommend
|
||||
# using these.
|
||||
#
|
||||
# Note that some distributions use NSS for libldap instead
|
||||
# of OpenSSL.
|
||||
#
|
||||
# If you see something like this in the debug output:
|
||||
#
|
||||
# TLSMC: MozNSS compatibility interception begins.
|
||||
#
|
||||
# Then there is a problem.
|
||||
#
|
||||
# THIS LDAP INSTALLATION WILL NOT WORK WITH FREERADIUS.
|
||||
#
|
||||
# You MUST install fixed LDAP libraries which use OpenSSL.
|
||||
#
|
||||
# For more details, see:
|
||||
#
|
||||
# http://packages.networkradius.com
|
||||
#
|
||||
tls {
|
||||
# Set this to 'yes' to use TLS encrypted connections
|
||||
# to the LDAP database by using the StartTLS extended
|
||||
# operation.
|
||||
#
|
||||
# The StartTLS operation is supposed to be
|
||||
# used with normal ldap connections instead of
|
||||
# using ldaps (port 636) connections
|
||||
# start_tls = yes
|
||||
|
||||
# ca_file = ${certdir}/cacert.pem
|
||||
|
||||
# ca_path = ${certdir}
|
||||
# certificate_file = /path/to/radius.crt
|
||||
# private_key_file = /path/to/radius.key
|
||||
# random_file = /dev/urandom
|
||||
|
||||
# Certificate Verification requirements. Can be:
|
||||
# 'never' (do not even bother trying)
|
||||
# 'allow' (try, but don't fail if the certificate
|
||||
# cannot be verified)
|
||||
# 'demand' (fail if the certificate does not verify)
|
||||
# 'hard' (similar to 'demand' but fails if TLS
|
||||
# cannot negotiate)
|
||||
#
|
||||
# The default is libldap's default, which varies based
|
||||
# on the contents of ldap.conf.
|
||||
|
||||
# require_cert = 'demand'
|
||||
|
||||
#
|
||||
# Check the CRL, as with the EAP module.
|
||||
#
|
||||
# The default is "no".
|
||||
#
|
||||
# check_crl = yes
|
||||
|
||||
#
|
||||
# Minimum TLS version to accept. We STRONGLY recommend
|
||||
# setting this to "1.2"
|
||||
#
|
||||
# tls_min_version = "1.2"
|
||||
|
||||
# Set this option to specify the allowed
|
||||
# TLS cipher suites. The format is listed
|
||||
# in "man 1 ciphers".
|
||||
#
|
||||
cipher_list = "DEFAULT"
|
||||
}
|
||||
|
||||
# As of v3, the 'pool' section has replaced the
|
||||
# following v2 configuration items:
|
||||
#
|
||||
# ldap_connections_number
|
||||
|
||||
#
|
||||
# The connection pool is used to pool outgoing connections.
|
||||
#
|
||||
# When the server is not threaded, the connection pool
|
||||
# limits are ignored, and only one connection is used.
|
||||
pool {
|
||||
# Connections to create during module instantiation.
|
||||
# If the server cannot create specified number of
|
||||
# connections during instantiation it will exit.
|
||||
# Set to 0 to allow the server to start without the
|
||||
# directory being available.
|
||||
start = ${thread[pool].start_servers}
|
||||
|
||||
# Minimum number of connections to keep open
|
||||
min = ${thread[pool].min_spare_servers}
|
||||
|
||||
# Maximum number of connections
|
||||
#
|
||||
# If these connections are all in use and a new one
|
||||
# is requested, the request will NOT get a connection.
|
||||
#
|
||||
# Setting 'max' to LESS than the number of threads means
|
||||
# that some threads may starve, and you will see errors
|
||||
# like 'No connections available and at max connection limit'
|
||||
#
|
||||
# Setting 'max' to MORE than the number of threads means
|
||||
# that there are more connections than necessary.
|
||||
max = ${thread[pool].max_servers}
|
||||
|
||||
# Spare connections to be left idle
|
||||
#
|
||||
# NOTE: Idle connections WILL be closed if "idle_timeout"
|
||||
# is set. This should be less than or equal to "max" above.
|
||||
spare = ${thread[pool].max_spare_servers}
|
||||
|
||||
# Number of uses before the connection is closed
|
||||
#
|
||||
# 0 means "infinite"
|
||||
uses = 0
|
||||
|
||||
# The number of seconds to wait after the server tries
|
||||
# to open a connection, and fails. During this time,
|
||||
# no new connections will be opened.
|
||||
retry_delay = 30
|
||||
|
||||
# The lifetime (in seconds) of the connection
|
||||
lifetime = 0
|
||||
|
||||
# Idle timeout (in seconds). A connection which is
|
||||
# unused for this length of time will be closed.
|
||||
idle_timeout = 60
|
||||
|
||||
# NOTE: All configuration settings are enforced. If a
|
||||
# connection is closed because of 'idle_timeout',
|
||||
# 'uses', or 'lifetime', then the total number of
|
||||
# connections MAY fall below 'min'. When that
|
||||
# happens, it will open a new connection. It will
|
||||
# also log a WARNING message.
|
||||
#
|
||||
# The solution is to either lower the 'min' connections,
|
||||
# or increase lifetime/idle_timeout.
|
||||
|
||||
# Maximum number of times an operation can be retried
|
||||
# if it returns an error which indicates the connection
|
||||
# needs to be restarted. This includes timeouts.
|
||||
max_retries = 5
|
||||
}
|
||||
}
|
902
freeradius/radiusd.conf
Normal file
902
freeradius/radiusd.conf
Normal file
@ -0,0 +1,902 @@
|
||||
# -*- text -*-
|
||||
##
|
||||
## radiusd.conf -- FreeRADIUS server configuration file - 3.2.3
|
||||
##
|
||||
## http://www.freeradius.org/
|
||||
## $Id: 366dce419dee0e4ab8ea47351f6f2953bcba2899 $
|
||||
##
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# The format of this (and other) configuration file is
|
||||
# documented in "man unlang". There are also READMEs in many
|
||||
# subdirectories:
|
||||
#
|
||||
# raddb/README.rst
|
||||
# How to upgrade from v2.
|
||||
#
|
||||
# raddb/mods-available/README.rst
|
||||
# How to use mods-available / mods-enabled.
|
||||
# All of the modules are in individual files,
|
||||
# along with configuration items and full documentation.
|
||||
#
|
||||
# raddb/sites-available/README
|
||||
# virtual servers, "listen" sections, clients, etc.
|
||||
# The "sites-available" directory contains many
|
||||
# worked examples of common configurations.
|
||||
#
|
||||
# raddb/certs/README.md
|
||||
# How to create certificates for EAP or RadSec.
|
||||
#
|
||||
# Every configuration item in the server is documented
|
||||
# extensively in the comments in the example configuration
|
||||
# files.
|
||||
#
|
||||
# Before editing this (or any other) configuration file, PLEASE
|
||||
# read "man radiusd". See the section titled DEBUGGING. It
|
||||
# outlines a method where you can quickly create the
|
||||
# configuration you want, with minimal effort.
|
||||
#
|
||||
# Run the server in debugging mode, and READ the output.
|
||||
#
|
||||
# $ radiusd -X
|
||||
#
|
||||
# We cannot emphasize this point strongly enough. The vast
|
||||
# majority of problems can be solved by carefully reading the
|
||||
# debugging output, which includes warnings about common issues,
|
||||
# and suggestions for how they may be fixed.
|
||||
#
|
||||
# There may be a lot of output, but look carefully for words like:
|
||||
# "warning", "error", "reject", or "failure". The messages there
|
||||
# will usually be enough to guide you to a solution.
|
||||
#
|
||||
# More documentation on "radiusd -X" is available on the wiki:
|
||||
# https://wiki.freeradius.org/radiusd-X
|
||||
#
|
||||
# If you are going to ask a question on the mailing list, then
|
||||
# explain what you are trying to do, and include the output from
|
||||
# debugging mode (radiusd -X). Failure to do so means that all
|
||||
# of the responses to your question will be people telling you
|
||||
# to "post the output of radiusd -X".
|
||||
#
|
||||
# Guidelines for posting to the mailing list are on the wiki:
|
||||
# https://wiki.freeradius.org/list-help
|
||||
#
|
||||
# Please read those guidelines before posting to the list.
|
||||
#
|
||||
# Further documentation is available in the "doc" directory
|
||||
# of the server distribution, or on the wiki at:
|
||||
# https://wiki.freeradius.org/
|
||||
#
|
||||
# New users to RADIUS should read the Technical Guide. That guide
|
||||
# explains how RADIUS works, how FreeRADIUS works, and what each
|
||||
# part of a RADIUS system does. It is not just "configure FreeRADIUS"!
|
||||
# https://networkradius.com/doc/FreeRADIUS-Technical-Guide.pdf
|
||||
#
|
||||
# More documentation on dictionaries, modules, unlang, etc. is also
|
||||
# available on the Network RADIUS web site:
|
||||
# https://networkradius.com/freeradius-documentation/
|
||||
#
|
||||
|
||||
######################################################################
|
||||
|
||||
prefix = /usr
|
||||
exec_prefix = /usr
|
||||
sysconfdir = /etc
|
||||
localstatedir = /var
|
||||
sbindir = ${exec_prefix}/sbin
|
||||
logdir = /var/log/freeradius
|
||||
raddbdir = /etc/freeradius
|
||||
radacctdir = ${logdir}/radacct
|
||||
|
||||
#
|
||||
# name of the running server. See also the "-n" command-line option.
|
||||
name = freeradius
|
||||
|
||||
# Location of config and logfiles.
|
||||
confdir = ${raddbdir}
|
||||
modconfdir = ${confdir}/mods-config
|
||||
certdir = ${confdir}/certs
|
||||
cadir = ${confdir}/certs
|
||||
run_dir = ${localstatedir}/run/${name}
|
||||
|
||||
# Should likely be ${localstatedir}/lib/radiusd
|
||||
db_dir = ${raddbdir}
|
||||
|
||||
#
|
||||
# libdir: Where to find the rlm_* modules.
|
||||
#
|
||||
# This should be automatically set at configuration time.
|
||||
#
|
||||
# If the server builds and installs, but fails at execution time
|
||||
# with an 'undefined symbol' error, then you can use the libdir
|
||||
# directive to work around the problem.
|
||||
#
|
||||
# The cause is usually that a library has been installed on your
|
||||
# system in a place where the dynamic linker CANNOT find it. When
|
||||
# executing as root (or another user), your personal environment MAY
|
||||
# be set up to allow the dynamic linker to find the library. When
|
||||
# executing as a daemon, FreeRADIUS MAY NOT have the same
|
||||
# personalized configuration.
|
||||
#
|
||||
# To work around the problem, find out which library contains that symbol,
|
||||
# and add the directory containing that library to the end of 'libdir',
|
||||
# with a colon separating the directory names. NO spaces are allowed.
|
||||
#
|
||||
# e.g. libdir = /usr/local/lib:/opt/package/lib
|
||||
#
|
||||
# You can also try setting the LD_LIBRARY_PATH environment variable
|
||||
# in a script which starts the server.
|
||||
#
|
||||
# If that does not work, then you can re-configure and re-build the
|
||||
# server to NOT use shared libraries, via:
|
||||
#
|
||||
# ./configure --disable-shared
|
||||
# make
|
||||
# make install
|
||||
#
|
||||
libdir = /usr/lib/freeradius
|
||||
|
||||
# pidfile: Where to place the PID of the RADIUS server.
|
||||
#
|
||||
# The server may be signalled while it's running by using this
|
||||
# file.
|
||||
#
|
||||
# This file is written when ONLY running in daemon mode.
|
||||
#
|
||||
# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
|
||||
#
|
||||
pidfile = ${run_dir}/${name}.pid
|
||||
|
||||
# panic_action: Command to execute if the server dies unexpectedly.
|
||||
#
|
||||
# FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.
|
||||
# AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.
|
||||
# AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART.
|
||||
#
|
||||
# THE SERVER MUST NOT BE ALLOWED EXECUTE UNTRUSTED PANIC ACTION CODE
|
||||
# PATTACH CAN BE USED AS AN ATTACK VECTOR.
|
||||
#
|
||||
# The panic action is a command which will be executed if the server
|
||||
# receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS,
|
||||
# SIGABRT or SIGFPE.
|
||||
#
|
||||
# This can be used to start an interactive debugging session so
|
||||
# that information regarding the current state of the server can
|
||||
# be acquired.
|
||||
#
|
||||
# The following string substitutions are available:
|
||||
# - %e The currently executing program e.g. /sbin/radiusd
|
||||
# - %p The PID of the currently executing program e.g. 12345
|
||||
#
|
||||
# Standard ${} substitutions are also allowed.
|
||||
#
|
||||
# An example panic action for opening an interactive session in GDB would be:
|
||||
#
|
||||
#panic_action = "gdb %e %p"
|
||||
#
|
||||
# Again, don't use that on a production system.
|
||||
#
|
||||
# An example panic action for opening an automated session in GDB would be:
|
||||
#
|
||||
#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log"
|
||||
#
|
||||
# That command can be used on a production system.
|
||||
#
|
||||
|
||||
# max_request_time: The maximum time (in seconds) to handle a request.
|
||||
#
|
||||
# Requests which take more time than this to process may be killed, and
|
||||
# a REJECT message is returned.
|
||||
#
|
||||
# WARNING: If you notice that requests take a long time to be handled,
|
||||
# then this MAY INDICATE a bug in the server, in one of the modules
|
||||
# used to handle a request, OR in your local configuration.
|
||||
#
|
||||
# This problem is most often seen when using an SQL database. If it takes
|
||||
# more than a second or two to receive an answer from the SQL database,
|
||||
# then it probably means that you haven't indexed the database. See your
|
||||
# SQL server documentation for more information.
|
||||
#
|
||||
# Useful range of values: 5 to 120
|
||||
#
|
||||
max_request_time = 30
|
||||
|
||||
# cleanup_delay: The time to wait (in seconds) before cleaning up
|
||||
# a reply which was sent to the NAS.
|
||||
#
|
||||
# The RADIUS request is normally cached internally for a short period
|
||||
# of time, after the reply is sent to the NAS. The reply packet may be
|
||||
# lost in the network, and the NAS will not see it. The NAS will then
|
||||
# re-send the request, and the server will respond quickly with the
|
||||
# cached reply.
|
||||
#
|
||||
# If this value is set too low, then duplicate requests from the NAS
|
||||
# MAY NOT be detected, and will instead be handled as separate requests.
|
||||
#
|
||||
# If this value is set too high, then the server will cache too many
|
||||
# requests, and some new requests may get blocked. (See 'max_requests'.)
|
||||
#
|
||||
# Useful range of values: 2 to 30
|
||||
#
|
||||
cleanup_delay = 5
|
||||
|
||||
# max_requests: The maximum number of requests which the server keeps
|
||||
# track of. This should be 256 multiplied by the number of clients.
|
||||
# e.g. With 4 clients, this number should be 1024.
|
||||
#
|
||||
# If this number is too low, then when the server becomes busy,
|
||||
# it will not respond to any new requests, until the 'cleanup_delay'
|
||||
# time has passed, and it has removed the old requests.
|
||||
#
|
||||
# If this number is set too high, then the server will use a bit more
|
||||
# memory for no real benefit.
|
||||
#
|
||||
# If you aren't sure what it should be set to, it's better to set it
|
||||
# too high than too low. Setting it to 1000 per client is probably
|
||||
# the highest it should be.
|
||||
#
|
||||
# Useful range of values: 256 to infinity
|
||||
#
|
||||
max_requests = 16384
|
||||
|
||||
# hostname_lookups: Log the names of clients or just their IP addresses
|
||||
# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
|
||||
#
|
||||
# The default is 'off' because it would be overall better for the net
|
||||
# if people had to knowingly turn this feature on, since enabling it
|
||||
# means that each client request will result in AT LEAST one lookup
|
||||
# request to the nameserver. Enabling hostname_lookups will also
|
||||
# mean that your server may stop randomly for 30 seconds from time
|
||||
# to time, if the DNS requests take too long.
|
||||
#
|
||||
# Turning hostname lookups off also means that the server won't block
|
||||
# for 30 seconds, if it sees an IP address which has no name associated
|
||||
# with it.
|
||||
#
|
||||
# allowed values: {no, yes}
|
||||
#
|
||||
hostname_lookups = no
|
||||
|
||||
#
|
||||
# Run a "Post-Auth-Type Client-Lost" section. This ONLY happens when
|
||||
# the server sends an Access-Challenge, and then client does not
|
||||
# respond to it. The goal is to allow administrators to log
|
||||
# something when the client does not respond.
|
||||
#
|
||||
# See sites-available/default, "Post-Auth-Type Client-Lost" for more
|
||||
# information.
|
||||
#
|
||||
#postauth_client_lost = no
|
||||
|
||||
#
|
||||
# Logging section. The various "log_*" configuration items
|
||||
# will eventually be moved here.
|
||||
#
|
||||
log {
|
||||
#
|
||||
# Destination for log messages. This can be one of:
|
||||
#
|
||||
# files - log to "file", as defined below.
|
||||
# syslog - to syslog (see also the "syslog_facility", below.
|
||||
# stdout - standard output
|
||||
# stderr - standard error.
|
||||
#
|
||||
# The command-line option "-X" over-rides this option, and forces
|
||||
# logging to go to stdout.
|
||||
#
|
||||
destination = files
|
||||
|
||||
#
|
||||
# Highlight important messages sent to stderr and stdout.
|
||||
#
|
||||
# Option will be ignored (disabled) if output if TERM is not
|
||||
# an xterm or output is not to a TTY.
|
||||
#
|
||||
colourise = yes
|
||||
|
||||
#
|
||||
# The logging messages for the server are appended to the
|
||||
# tail of this file if destination == "files"
|
||||
#
|
||||
# If the server is running in debugging mode, this file is
|
||||
# NOT used.
|
||||
#
|
||||
file = ${logdir}/radius.log
|
||||
|
||||
#
|
||||
# Which syslog facility to use, if ${destination} == "syslog"
|
||||
#
|
||||
# The exact values permitted here are OS-dependent. You probably
|
||||
# don't want to change this.
|
||||
#
|
||||
syslog_facility = daemon
|
||||
|
||||
# Log the full User-Name attribute, as it was found in the request.
|
||||
#
|
||||
# allowed values: {no, yes}
|
||||
#
|
||||
stripped_names = no
|
||||
|
||||
# Log all (accept and reject) authentication results to the log file.
|
||||
#
|
||||
# This is the same as setting "auth_accept = yes" and
|
||||
# "auth_reject = yes"
|
||||
#
|
||||
# allowed values: {no, yes}
|
||||
#
|
||||
auth = no
|
||||
|
||||
# Log Access-Accept results to the log file.
|
||||
#
|
||||
# This is only used if "auth = no"
|
||||
#
|
||||
# allowed values: {no, yes}
|
||||
#
|
||||
# auth_accept = no
|
||||
|
||||
# Log Access-Reject results to the log file.
|
||||
#
|
||||
# This is only used if "auth = no"
|
||||
#
|
||||
# allowed values: {no, yes}
|
||||
#
|
||||
# auth_reject = no
|
||||
|
||||
# Log passwords with the authentication requests.
|
||||
# auth_badpass - logs password if it's rejected
|
||||
# auth_goodpass - logs password if it's correct
|
||||
#
|
||||
# allowed values: {no, yes}
|
||||
#
|
||||
auth_badpass = no
|
||||
auth_goodpass = no
|
||||
|
||||
# Log additional text at the end of the "Login OK" messages.
|
||||
# for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
|
||||
# configurations above have to be set to "yes".
|
||||
#
|
||||
# The strings below are dynamically expanded, which means that
|
||||
# you can put anything you want in them. However, note that
|
||||
# this expansion can be slow, and can negatively impact server
|
||||
# performance.
|
||||
#
|
||||
# msg_goodpass = ""
|
||||
# msg_badpass = ""
|
||||
|
||||
# The message when the user exceeds the Simultaneous-Use limit.
|
||||
#
|
||||
msg_denied = "You are already logged in - access denied"
|
||||
|
||||
# Suppress "secret" attributes when printing them in debug mode.
|
||||
#
|
||||
# Secrets are NOT tracked across xlat expansions. If your
|
||||
# configuration puts secrets into other strings, they will
|
||||
# still get printed.
|
||||
#
|
||||
# Setting this to "yes" means that the server prints
|
||||
#
|
||||
# <<< secret >>>
|
||||
#
|
||||
# instead of the value, for attriburtes which contain secret
|
||||
# information. e.g. User-Name, Tunnel-Password, etc.
|
||||
#
|
||||
# This configuration is disabled by default. It is extremely
|
||||
# important for administrators to be able to debug user logins
|
||||
# by seeing what is actually being sent.
|
||||
#
|
||||
# suppress_secrets = no
|
||||
}
|
||||
|
||||
# The program to execute to do concurrency checks.
|
||||
checkrad = ${sbindir}/checkrad
|
||||
|
||||
#
|
||||
# ENVIRONMENT VARIABLES
|
||||
#
|
||||
# You can reference environment variables using an expansion like
|
||||
# `$ENV{PATH}`. However it is sometimes useful to be able to also set
|
||||
# environment variables. This section lets you do that.
|
||||
#
|
||||
# The main purpose of this section is to allow administrators to keep
|
||||
# RADIUS-specific configuration in the RADIUS configuration files.
|
||||
# For example, if you need to set an environment variable which is
|
||||
# used by a module. You could put that variable into a shell script,
|
||||
# but that's awkward. Instead, just list it here.
|
||||
#
|
||||
# Note that these environment variables are set AFTER the
|
||||
# configuration file is loaded. So you cannot set FOO here, and
|
||||
# expect to reference it via `$ENV{FOO}` in another configuration file.
|
||||
# You should instead just use a normal configuration variable for
|
||||
# that.
|
||||
#
|
||||
ENV {
|
||||
#
|
||||
# Set environment varable `FOO` to value '/bar/baz'.
|
||||
#
|
||||
# NOTE: Note that you MUST use '='. You CANNOT use '+=' to append
|
||||
# values.
|
||||
#
|
||||
# FOO = '/bar/baz'
|
||||
|
||||
#
|
||||
# Delete environment variable `BAR`.
|
||||
#
|
||||
# BAR
|
||||
|
||||
#
|
||||
# `LD_PRELOAD` is special. It is normally set before the
|
||||
# application runs, and is interpreted by the dynamic linker.
|
||||
# Which means you cannot set it inside of an application, and
|
||||
# expect it to load libraries.
|
||||
#
|
||||
# Since this functionality is useful, we extend it here.
|
||||
#
|
||||
# You can set
|
||||
#
|
||||
# LD_PRELOAD = /path/to/library.so
|
||||
#
|
||||
# and the server will load the named libraries. Multiple
|
||||
# libraries can be loaded by specificing multiple individual
|
||||
# `LD_PRELOAD` entries.
|
||||
#
|
||||
#
|
||||
# LD_PRELOAD = /path/to/library1.so
|
||||
# LD_PRELOAD = /path/to/library2.so
|
||||
}
|
||||
|
||||
# SECURITY CONFIGURATION
|
||||
#
|
||||
# There may be multiple methods of attacking on the server. This
|
||||
# section holds the configuration items which minimize the impact
|
||||
# of those attacks
|
||||
#
|
||||
security {
|
||||
# chroot: directory where the server does "chroot".
|
||||
#
|
||||
# The chroot is done very early in the process of starting
|
||||
# the server. After the chroot has been performed it
|
||||
# switches to the "user" listed below (which MUST be
|
||||
# specified). If "group" is specified, it switches to that
|
||||
# group, too. Any other groups listed for the specified
|
||||
# "user" in "/etc/group" are also added as part of this
|
||||
# process.
|
||||
#
|
||||
# The current working directory (chdir / cd) is left
|
||||
# *outside* of the chroot until all of the modules have been
|
||||
# initialized. This allows the "raddb" directory to be left
|
||||
# outside of the chroot. Once the modules have been
|
||||
# initialized, it does a "chdir" to ${logdir}. This means
|
||||
# that it should be impossible to break out of the chroot.
|
||||
#
|
||||
# If you are worried about security issues related to this
|
||||
# use of chdir, then simply ensure that the "raddb" directory
|
||||
# is inside of the chroot, and be sure to do "cd raddb"
|
||||
# BEFORE starting the server.
|
||||
#
|
||||
# If the server is statically linked, then the only files
|
||||
# that have to exist in the chroot are ${run_dir} and
|
||||
# ${logdir}. If you do the "cd raddb" as discussed above,
|
||||
# then the "raddb" directory has to be inside of the chroot
|
||||
# directory, too.
|
||||
#
|
||||
# chroot = /path/to/chroot/directory
|
||||
|
||||
# user/group: The name (or #number) of the user/group to run radiusd as.
|
||||
#
|
||||
# If these are commented out, the server will run as the
|
||||
# user/group that started it. In order to change to a
|
||||
# different user/group, you MUST be root ( or have root
|
||||
# privileges ) to start the server.
|
||||
#
|
||||
# We STRONGLY recommend that you run the server with as few
|
||||
# permissions as possible. That is, if you're not using
|
||||
# shadow passwords, the user and group items below should be
|
||||
# set to radius'.
|
||||
#
|
||||
# NOTE that some kernels refuse to setgid(group) when the
|
||||
# value of (unsigned)group is above 60000; don't use group
|
||||
# "nobody" on these systems!
|
||||
#
|
||||
# On systems with shadow passwords, you might have to set
|
||||
# 'group = shadow' for the server to be able to read the
|
||||
# shadow password file. If you can authenticate users while
|
||||
# in debug mode, but not in daemon mode, it may be that the
|
||||
# debugging mode server is running as a user that can read
|
||||
# the shadow info, and the user listed below can not.
|
||||
#
|
||||
# The server will also try to use "initgroups" to read
|
||||
# /etc/groups. It will join all groups where "user" is a
|
||||
# member. This can allow for some finer-grained access
|
||||
# controls.
|
||||
#
|
||||
user = freerad
|
||||
group = freerad
|
||||
|
||||
# Core dumps are a bad thing. This should only be set to
|
||||
# 'yes' if you're debugging a problem with the server.
|
||||
#
|
||||
# allowed values: {no, yes}
|
||||
#
|
||||
allow_core_dumps = no
|
||||
|
||||
#
|
||||
# max_attributes: The maximum number of attributes
|
||||
# permitted in a RADIUS packet. Packets which have MORE
|
||||
# than this number of attributes in them will be dropped.
|
||||
#
|
||||
# If this number is set too low, then no RADIUS packets
|
||||
# will be accepted.
|
||||
#
|
||||
# If this number is set too high, then an attacker may be
|
||||
# able to send a small number of packets which will cause
|
||||
# the server to use all available memory on the machine.
|
||||
#
|
||||
# Setting this number to 0 means "allow any number of attributes"
|
||||
max_attributes = 200
|
||||
|
||||
#
|
||||
# reject_delay: When sending an Access-Reject, it can be
|
||||
# delayed for a few seconds. This may help slow down a DoS
|
||||
# attack. It also helps to slow down people trying to brute-force
|
||||
# crack a users password.
|
||||
#
|
||||
# Setting this number to 0 means "send rejects immediately"
|
||||
#
|
||||
# If this number is set higher than 'cleanup_delay', then the
|
||||
# rejects will be sent at 'cleanup_delay' time, when the request
|
||||
# is deleted from the internal cache of requests.
|
||||
#
|
||||
# This number can be a decimal, e.g. 3.4
|
||||
#
|
||||
# Useful ranges: 1 to 5
|
||||
reject_delay = 1
|
||||
|
||||
#
|
||||
# status_server: Whether or not the server will respond
|
||||
# to Status-Server requests.
|
||||
#
|
||||
# When sent a Status-Server message, the server responds with
|
||||
# an Access-Accept or Accounting-Response packet.
|
||||
#
|
||||
# This is mainly useful for administrators who want to "ping"
|
||||
# the server, without adding test users, or creating fake
|
||||
# accounting packets.
|
||||
#
|
||||
# It's also useful when a NAS marks a RADIUS server "dead".
|
||||
# The NAS can periodically "ping" the server with a Status-Server
|
||||
# packet. If the server responds, it must be alive, and the
|
||||
# NAS can start using it for real requests.
|
||||
#
|
||||
# See also raddb/sites-available/status
|
||||
#
|
||||
status_server = yes
|
||||
|
||||
|
||||
}
|
||||
|
||||
# PROXY CONFIGURATION
|
||||
#
|
||||
# proxy_requests: Turns proxying of RADIUS requests on or off.
|
||||
#
|
||||
# The server has proxying turned on by default. If your system is NOT
|
||||
# set up to proxy requests to another server, then you can turn proxying
|
||||
# off here. This will save a small amount of resources on the server.
|
||||
#
|
||||
# If you have proxying turned off, and your configuration files say
|
||||
# to proxy a request, then an error message will be logged.
|
||||
#
|
||||
# To disable proxying, change the "yes" to "no", and comment the
|
||||
# $INCLUDE line.
|
||||
#
|
||||
# allowed values: {no, yes}
|
||||
#
|
||||
proxy_requests = yes
|
||||
$INCLUDE proxy.conf
|
||||
|
||||
|
||||
# CLIENTS CONFIGURATION
|
||||
#
|
||||
# Client configuration is defined in "clients.conf".
|
||||
#
|
||||
|
||||
# The 'clients.conf' file contains all of the information from the old
|
||||
# 'clients' and 'naslist' configuration files. We recommend that you
|
||||
# do NOT use 'client's or 'naslist', although they are still
|
||||
# supported.
|
||||
#
|
||||
# Anything listed in 'clients.conf' will take precedence over the
|
||||
# information from the old-style configuration files.
|
||||
#
|
||||
$INCLUDE clients.conf
|
||||
|
||||
|
||||
# THREAD POOL CONFIGURATION
|
||||
#
|
||||
# The thread pool is a long-lived group of threads which
|
||||
# take turns (round-robin) handling any incoming requests.
|
||||
#
|
||||
# You probably want to have a few spare threads around,
|
||||
# so that high-load situations can be handled immediately. If you
|
||||
# don't have any spare threads, then the request handling will
|
||||
# be delayed while a new thread is created, and added to the pool.
|
||||
#
|
||||
# You probably don't want too many spare threads around,
|
||||
# otherwise they'll be sitting there taking up resources, and
|
||||
# not doing anything productive.
|
||||
#
|
||||
# The numbers given below should be adequate for most situations.
|
||||
#
|
||||
thread pool {
|
||||
# Number of servers to start initially --- should be a reasonable
|
||||
# ballpark figure.
|
||||
start_servers = 5
|
||||
|
||||
# Limit on the total number of servers running.
|
||||
#
|
||||
# If this limit is ever reached, clients will be LOCKED OUT, so it
|
||||
# should NOT BE SET TOO LOW. It is intended mainly as a brake to
|
||||
# keep a runaway server from taking the system with it as it spirals
|
||||
# down...
|
||||
#
|
||||
# You may find that the server is regularly reaching the
|
||||
# 'max_servers' number of threads, and that increasing
|
||||
# 'max_servers' doesn't seem to make much difference.
|
||||
#
|
||||
# If this is the case, then the problem is MOST LIKELY that
|
||||
# your back-end databases are taking too long to respond, and
|
||||
# are preventing the server from responding in a timely manner.
|
||||
#
|
||||
# The solution is NOT do keep increasing the 'max_servers'
|
||||
# value, but instead to fix the underlying cause of the
|
||||
# problem: slow database, or 'hostname_lookups=yes'.
|
||||
#
|
||||
# For more information, see 'max_request_time', above.
|
||||
#
|
||||
max_servers = 32
|
||||
|
||||
# Server-pool size regulation. Rather than making you guess
|
||||
# how many servers you need, FreeRADIUS dynamically adapts to
|
||||
# the load it sees, that is, it tries to maintain enough
|
||||
# servers to handle the current load, plus a few spare
|
||||
# servers to handle transient load spikes.
|
||||
#
|
||||
# It does this by periodically checking how many servers are
|
||||
# waiting for a request. If there are fewer than
|
||||
# min_spare_servers, it creates a new spare. If there are
|
||||
# more than max_spare_servers, some of the spares die off.
|
||||
# The default values are probably OK for most sites.
|
||||
#
|
||||
min_spare_servers = 3
|
||||
max_spare_servers = 10
|
||||
|
||||
# When the server receives a packet, it places it onto an
|
||||
# internal queue, where the worker threads (configured above)
|
||||
# pick it up for processing. The maximum size of that queue
|
||||
# is given here.
|
||||
#
|
||||
# When the queue is full, any new packets will be silently
|
||||
# discarded.
|
||||
#
|
||||
# The most common cause of the queue being full is that the
|
||||
# server is dependent on a slow database, and it has received
|
||||
# a large "spike" of traffic. When that happens, there is
|
||||
# very little you can do other than make sure the server
|
||||
# receives less traffic, or make sure that the database can
|
||||
# handle the load.
|
||||
#
|
||||
# max_queue_size = 65536
|
||||
|
||||
# Clean up old threads periodically. For no reason other than
|
||||
# it might be useful.
|
||||
#
|
||||
# '0' is a special value meaning 'infinity', or 'the servers never
|
||||
# exit'
|
||||
max_requests_per_server = 0
|
||||
|
||||
# Automatically limit the number of accounting requests.
|
||||
# This configuration item tracks how many requests per second
|
||||
# the server can handle. It does this by tracking the
|
||||
# packets/s received by the server for processing, and
|
||||
# comparing that to the packets/s handled by the child
|
||||
# threads.
|
||||
#
|
||||
|
||||
# If the received PPS is larger than the processed PPS, *and*
|
||||
# the queue is more than half full, then new accounting
|
||||
# requests are probabilistically discarded. This lowers the
|
||||
# number of packets that the server needs to process. Over
|
||||
# time, the server will "catch up" with the traffic.
|
||||
#
|
||||
# Throwing away accounting packets is usually safe and low
|
||||
# impact. The NAS will retransmit them in a few seconds, or
|
||||
# even a few minutes. Vendors should read RFC 5080 Section 2.2.1
|
||||
# to see how accounting packets should be retransmitted. Using
|
||||
# any other method is likely to cause network meltdowns.
|
||||
#
|
||||
auto_limit_acct = no
|
||||
}
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# SNMP notifications. Uncomment the following line to enable
|
||||
# snmptraps. Note that you MUST also configure the full path
|
||||
# to the "snmptrap" command in the "trigger.conf" file.
|
||||
#
|
||||
#$INCLUDE trigger.conf
|
||||
|
||||
# MODULE CONFIGURATION
|
||||
#
|
||||
# The names and configuration of each module is located in this section.
|
||||
#
|
||||
# After the modules are defined here, they may be referred to by name,
|
||||
# in other sections of this configuration file.
|
||||
#
|
||||
modules {
|
||||
#
|
||||
# Each module has a configuration as follows:
|
||||
#
|
||||
# name [ instance ] {
|
||||
# config_item = value
|
||||
# ...
|
||||
# }
|
||||
#
|
||||
# The 'name' is used to load the 'rlm_name' library
|
||||
# which implements the functionality of the module.
|
||||
#
|
||||
# The 'instance' is optional. To have two different instances
|
||||
# of a module, it first must be referred to by 'name'.
|
||||
# The different copies of the module are then created by
|
||||
# inventing two 'instance' names, e.g. 'instance1' and 'instance2'
|
||||
#
|
||||
# The instance names can then be used in later configuration
|
||||
# INSTEAD of the original 'name'. See the 'radutmp' configuration
|
||||
# for an example.
|
||||
#
|
||||
|
||||
#
|
||||
# Some modules have ordering issues. e.g. "sqlippool" uses
|
||||
# the configuration from "sql". In that case, the "sql"
|
||||
# module must be read off of disk before the "sqlippool".
|
||||
# However, the directory inclusion below just reads the
|
||||
# directory from start to finish. Which means that the
|
||||
# modules are read off of disk randomly.
|
||||
#
|
||||
# You can list individual modules *before* the directory
|
||||
# inclusion. Those modules will be loaded first. Then, when
|
||||
# the directory is read, those modules will be skipped and
|
||||
# not read twice.
|
||||
#
|
||||
# $INCLUDE mods-enabled/sql
|
||||
|
||||
#
|
||||
# All modules are in ther mods-enabled/ directory. Files
|
||||
# matching the regex /[a-zA-Z0-9_.]+/ are read. The
|
||||
# modules are initialized ONLY if they are referenced in a
|
||||
# processing section, such as authorize, authenticate,
|
||||
# accounting, pre/post-proxy, etc.
|
||||
#
|
||||
$INCLUDE mods-enabled/
|
||||
}
|
||||
|
||||
# Instantiation
|
||||
#
|
||||
# This section sets the instantiation order of the modules. listed
|
||||
# here will get started up BEFORE the sections like authorize,
|
||||
# authenticate, etc. get examined.
|
||||
#
|
||||
# This section is not strictly needed. When a section like authorize
|
||||
# refers to a module, the module is automatically loaded and
|
||||
# initialized. However, some modules may not be listed in any of the
|
||||
# processing sections, so they should be listed here.
|
||||
#
|
||||
# Also, listing modules here ensures that you have control over
|
||||
# the order in which they are initialized. If one module needs
|
||||
# something defined by another module, you can list them in order
|
||||
# here, and ensure that the configuration will be OK.
|
||||
#
|
||||
# After the modules listed here have been loaded, all of the modules
|
||||
# in the "mods-enabled" directory will be loaded. Loading the
|
||||
# "mods-enabled" directory means that unlike Version 2, you usually
|
||||
# don't need to list modules here.
|
||||
#
|
||||
instantiate {
|
||||
#
|
||||
# We list the counter module here so that it registers
|
||||
# the check_name attribute before any module which sets
|
||||
# it
|
||||
# daily
|
||||
|
||||
# subsections here can be thought of as "virtual" modules.
|
||||
#
|
||||
# e.g. If you have two redundant SQL servers, and you want to
|
||||
# use them in the authorize and accounting sections, you could
|
||||
# place a "redundant" block in each section, containing the
|
||||
# exact same text. Or, you could uncomment the following
|
||||
# lines, and list "redundant_sql" in the authorize and
|
||||
# accounting sections.
|
||||
#
|
||||
# The "virtual" module defined here can also be used with
|
||||
# dynamic expansions, under a few conditions:
|
||||
#
|
||||
# * The section is "redundant", or "load-balance", or
|
||||
# "redundant-load-balance"
|
||||
# * The section contains modules ONLY, and no sub-sections
|
||||
# * all modules in the section are using the same rlm_
|
||||
# driver, e.g. They are all sql, or all ldap, etc.
|
||||
#
|
||||
# When those conditions are satisfied, the server will
|
||||
# automatically register a dynamic expansion, using the
|
||||
# name of the "virtual" module. In the example below,
|
||||
# it will be "redundant_sql". You can then use this expansion
|
||||
# just like any other:
|
||||
#
|
||||
# update reply {
|
||||
# Filter-Id := "%{redundant_sql: ... }"
|
||||
# }
|
||||
#
|
||||
# In this example, the expansion is done via module "sql1",
|
||||
# and if that expansion fails, using module "sql2".
|
||||
#
|
||||
# For best results, configure the "pool" subsection of the
|
||||
# module so that "retry_delay" is non-zero. That will allow
|
||||
# the redundant block to quickly ignore all "down" SQL
|
||||
# databases. If instead we have "retry_delay = 0", then
|
||||
# every time the redundant block is used, the server will try
|
||||
# to open a connection to every "down" database, causing
|
||||
# problems.
|
||||
#
|
||||
#redundant redundant_sql {
|
||||
# sql1
|
||||
# sql2
|
||||
#}
|
||||
}
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# Policies are virtual modules, similar to those defined in the
|
||||
# "instantiate" section above.
|
||||
#
|
||||
# Defining a policy in one of the policy.d files means that it can be
|
||||
# referenced in multiple places as a *name*, rather than as a series of
|
||||
# conditions to match, and actions to take.
|
||||
#
|
||||
# Policies are something like subroutines in a normal language, but
|
||||
# they cannot be called recursively. They MUST be defined in order.
|
||||
# If policy A calls policy B, then B MUST be defined before A.
|
||||
#
|
||||
######################################################################
|
||||
policy {
|
||||
$INCLUDE policy.d/
|
||||
}
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# Load virtual servers.
|
||||
#
|
||||
# This next $INCLUDE line loads files in the directory that
|
||||
# match the regular expression: /[a-zA-Z0-9_.]+/
|
||||
#
|
||||
# It allows you to define new virtual servers simply by placing
|
||||
# a file into the raddb/sites-enabled/ directory.
|
||||
#
|
||||
$INCLUDE sites-enabled/
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# All of the other configuration sections like "authorize {}",
|
||||
# "authenticate {}", "accounting {}", have been moved to the
|
||||
# the file:
|
||||
#
|
||||
# raddb/sites-available/default
|
||||
#
|
||||
# This is the "default" virtual server that has the same
|
||||
# configuration as in version 1.0.x and 1.1.x. The default
|
||||
# installation enables this virtual server. You should
|
||||
# edit it to create policies for your local site.
|
||||
#
|
||||
# For more documentation on virtual servers, see:
|
||||
#
|
||||
# raddb/sites-available/README
|
||||
#
|
||||
######################################################################
|
1159
freeradius/sites-available/default
Normal file
1159
freeradius/sites-available/default
Normal file
File diff suppressed because it is too large
Load Diff
468
freeradius/sites-available/inner-tunnel
Normal file
468
freeradius/sites-available/inner-tunnel
Normal file
@ -0,0 +1,468 @@
|
||||
# -*- text -*-
|
||||
######################################################################
|
||||
#
|
||||
# This is a virtual server that handles *only* inner tunnel
|
||||
# requests for EAP-TTLS and PEAP types.
|
||||
#
|
||||
# $Id: c178baad0f720d5b87608d22c70d4485a43feee4 $
|
||||
#
|
||||
######################################################################
|
||||
|
||||
server inner-tunnel {
|
||||
|
||||
#
|
||||
# This next section is here to allow testing of the "inner-tunnel"
|
||||
# authentication methods, independently from the "default" server.
|
||||
# It is listening on "localhost", so that it can only be used from
|
||||
# the same machine.
|
||||
#
|
||||
# $ radtest USER PASSWORD 127.0.0.1:18120 0 testing123
|
||||
#
|
||||
# If it works, you have configured the inner tunnel correctly. To check
|
||||
# if PEAP will work, use:
|
||||
#
|
||||
# $ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123
|
||||
#
|
||||
# If that works, PEAP should work. If that command doesn't work, then
|
||||
#
|
||||
# FIX THE INNER TUNNEL CONFIGURATION SO THAT IT WORKS.
|
||||
#
|
||||
# Do NOT do any PEAP tests. It won't help. Instead, concentrate
|
||||
# on fixing the inner tunnel configuration. DO NOTHING ELSE.
|
||||
#
|
||||
listen {
|
||||
ipaddr = 127.0.0.1
|
||||
port = 18120
|
||||
type = auth
|
||||
}
|
||||
|
||||
|
||||
# Authorization. First preprocess (hints and huntgroups files),
|
||||
# then realms, and finally look in the "users" file.
|
||||
#
|
||||
# The order of the realm modules will determine the order that
|
||||
# we try to find a matching realm.
|
||||
#
|
||||
# Make *sure* that 'preprocess' comes before any realm if you
|
||||
# need to setup hints for the remote radius server
|
||||
authorize {
|
||||
#
|
||||
# Take a User-Name, and perform some checks on it, for spaces and other
|
||||
# invalid characters. If the User-Name appears invalid, reject the
|
||||
# request.
|
||||
#
|
||||
# See policy.d/filter for the definition of the filter_username policy.
|
||||
#
|
||||
filter_username
|
||||
|
||||
#
|
||||
# Do checks on outer / inner User-Name, so that users
|
||||
# can't spoof us by using incompatible identities
|
||||
#
|
||||
# filter_inner_identity
|
||||
|
||||
#
|
||||
# The chap module will set 'Auth-Type := CHAP' if we are
|
||||
# handling a CHAP request and Auth-Type has not already been set
|
||||
chap
|
||||
|
||||
#
|
||||
# If the users are logging in with an MS-CHAP-Challenge
|
||||
# attribute for authentication, the mschap module will find
|
||||
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
|
||||
# to the request, which will cause the server to then use
|
||||
# the mschap module for authentication.
|
||||
mschap
|
||||
|
||||
#
|
||||
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
|
||||
# using the system API's to get the password. If you want
|
||||
# to read /etc/passwd or /etc/shadow directly, see the
|
||||
# passwd module, above.
|
||||
#
|
||||
# unix
|
||||
|
||||
#
|
||||
# Look for IPASS style 'realm/', and if not found, look for
|
||||
# '@realm', and decide whether or not to proxy, based on
|
||||
# that.
|
||||
# IPASS
|
||||
|
||||
#
|
||||
# Look for realms in user@domain format
|
||||
#
|
||||
# Note that proxying the inner tunnel authentication means
|
||||
# that the user MAY use one identity in the outer session
|
||||
# (e.g. "anonymous", and a different one here
|
||||
# (e.g. "user@example.com"). The inner session will then be
|
||||
# proxied elsewhere for authentication. If you are not
|
||||
# careful, this means that the user can cause you to forward
|
||||
# the authentication to another RADIUS server, and have the
|
||||
# accounting logs *not* sent to the other server. This makes
|
||||
# it difficult to bill people for their network activity.
|
||||
#
|
||||
suffix
|
||||
# ntdomain
|
||||
|
||||
#
|
||||
# The "suffix" module takes care of stripping the domain
|
||||
# (e.g. "@example.com") from the User-Name attribute, and the
|
||||
# next few lines ensure that the request is not proxied.
|
||||
#
|
||||
# If you want the inner tunnel request to be proxied, delete
|
||||
# the next few lines.
|
||||
#
|
||||
update control {
|
||||
&Proxy-To-Realm := LOCAL
|
||||
}
|
||||
|
||||
#
|
||||
# This module takes care of EAP-MSCHAPv2 authentication.
|
||||
#
|
||||
# It also sets the EAP-Type attribute in the request
|
||||
# attribute list to the EAP type from the packet.
|
||||
#
|
||||
# The example below uses module failover to avoid querying all
|
||||
# of the following modules if the EAP module returns "ok".
|
||||
# Therefore, your LDAP and/or SQL servers will not be queried
|
||||
# for the many packets that go back and forth to set up TTLS
|
||||
# or PEAP. The load on those servers will therefore be reduced.
|
||||
#
|
||||
eap {
|
||||
ok = return
|
||||
}
|
||||
|
||||
#
|
||||
# Read the 'users' file
|
||||
files
|
||||
|
||||
#
|
||||
# Look in an SQL database. The schema of the database
|
||||
# is meant to mirror the "users" file.
|
||||
#
|
||||
# See "Authorization Queries" in `mods-config/sql/main/$driver/queries.conf`
|
||||
-sql
|
||||
|
||||
#
|
||||
# If you are using /etc/smbpasswd, and are also doing
|
||||
# mschap authentication, the un-comment this line, and
|
||||
# enable the "smbpasswd" module.
|
||||
# smbpasswd
|
||||
|
||||
#
|
||||
# The ldap module reads passwords from the LDAP database.
|
||||
-ldap
|
||||
|
||||
#
|
||||
# Enforce daily limits on time spent logged in.
|
||||
# daily
|
||||
|
||||
expiration
|
||||
logintime
|
||||
|
||||
#
|
||||
# If no other module has claimed responsibility for
|
||||
# authentication, then try to use PAP. This allows the
|
||||
# other modules listed above to add a "known good" password
|
||||
# to the request, and to do nothing else. The PAP module
|
||||
# will then see that password, and use it to do PAP
|
||||
# authentication.
|
||||
#
|
||||
# This module should be listed last, so that the other modules
|
||||
# get a chance to set Auth-Type for themselves.
|
||||
#
|
||||
pap
|
||||
|
||||
# Uncomment this section if you want to use ldap for
|
||||
# authentication. The "Auth-Type ldap { ...}" configuration
|
||||
# section below also has to be uncommented.
|
||||
#
|
||||
# Note that this means "check plain-text password against
|
||||
# the ldap database", which means that EAP won't work,
|
||||
# as it does not supply a plain-text password.
|
||||
#
|
||||
# We do NOT recommend using this, unless you have no other
|
||||
# choice. LDAP servers are databases. They are NOT
|
||||
# authentication servers. FreeRADIUS is an authentication
|
||||
# server, and knows what to do with authentication. LDAP
|
||||
# servers do not.
|
||||
#
|
||||
# Note that we force "Auth-Type := LDAP" ONLY if nothing else
|
||||
# is authenticating the user, AND ONLY if the request contains
|
||||
# a plain-text password.
|
||||
#
|
||||
# LDAP servers can only do PAP. They cannot do CHAP, MS-CHAP,
|
||||
# or EAP.
|
||||
#
|
||||
# if (!&control.Auth-Type && &User-Password) {
|
||||
# update control {
|
||||
# &Auth-Type := LDAP
|
||||
# }
|
||||
# }
|
||||
}
|
||||
|
||||
|
||||
# Authentication.
|
||||
#
|
||||
#
|
||||
# This section lists which modules are available for authentication.
|
||||
# Note that it does NOT mean 'try each module in order'. It means
|
||||
# that a module from the 'authorize' section adds a configuration
|
||||
# attribute 'Auth-Type := FOO'. That authentication type is then
|
||||
# used to pick the appropriate module from the list below.
|
||||
#
|
||||
|
||||
# In general, you SHOULD NOT set the Auth-Type attribute. The server
|
||||
# will figure it out on its own, and will do the right thing. The
|
||||
# most common side effect of erroneously setting the Auth-Type
|
||||
# attribute is that one authentication method will work, but the
|
||||
# others will not.
|
||||
#
|
||||
# The common reasons to set the Auth-Type attribute by hand
|
||||
# is to either forcibly reject the user, or forcibly accept him.
|
||||
#
|
||||
authenticate {
|
||||
#
|
||||
# PAP authentication, when a back-end database listed
|
||||
# in the 'authorize' section supplies a password. The
|
||||
# password can be clear-text, or encrypted.
|
||||
Auth-Type PAP {
|
||||
pap
|
||||
}
|
||||
|
||||
#
|
||||
# Most people want CHAP authentication
|
||||
# A back-end database listed in the 'authorize' section
|
||||
# MUST supply a CLEAR TEXT password. Encrypted passwords
|
||||
# won't work.
|
||||
Auth-Type CHAP {
|
||||
chap
|
||||
}
|
||||
|
||||
#
|
||||
# MSCHAP authentication.
|
||||
Auth-Type MS-CHAP {
|
||||
mschap
|
||||
}
|
||||
|
||||
#
|
||||
# For old names, too.
|
||||
#
|
||||
mschap
|
||||
|
||||
#
|
||||
# Pluggable Authentication Modules.
|
||||
# pam
|
||||
|
||||
# Uncomment this section if you want to use ldap for
|
||||
# authentication. The "Auth-Type := LDAP" configuration
|
||||
# at the end of the "authorize" section also has to be
|
||||
# uncommented.
|
||||
#
|
||||
# Note that this means "check plain-text password against
|
||||
# the ldap database", which means that EAP won't work,
|
||||
# as it does not supply a plain-text password.
|
||||
#
|
||||
# We do NOT recommend using this. LDAP servers are databases.
|
||||
# They are NOT authentication servers. FreeRADIUS is an
|
||||
# authentication server, and knows what to do with authentication.
|
||||
# LDAP servers do not.
|
||||
#
|
||||
# Auth-Type LDAP {
|
||||
# ldap
|
||||
# }
|
||||
|
||||
#
|
||||
# Allow EAP authentication.
|
||||
eap
|
||||
}
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# There are no accounting requests inside of EAP-TTLS or PEAP
|
||||
# tunnels.
|
||||
#
|
||||
######################################################################
|
||||
|
||||
|
||||
# Session database, used for checking Simultaneous-Use. Either the radutmp
|
||||
# or rlm_sql module can handle this.
|
||||
# The rlm_sql module is *much* faster
|
||||
session {
|
||||
radutmp
|
||||
|
||||
#
|
||||
# See "Simultaneous Use Checking Queries" in `mods-config/sql/main/$driver/queries.conf`
|
||||
# sql
|
||||
}
|
||||
|
||||
|
||||
# Post-Authentication
|
||||
# Once we KNOW that the user has been authenticated, there are
|
||||
# additional steps we can take.
|
||||
#
|
||||
# Note that the last packet of the inner-tunnel authentication
|
||||
# MAY NOT BE the last packet of the outer session. So updating
|
||||
# the outer reply MIGHT work, and sometimes MIGHT NOT. The
|
||||
# exact functionality depends on both the inner and outer
|
||||
# authentication methods.
|
||||
#
|
||||
# If you need to send a reply attribute in the outer session,
|
||||
# the ONLY safe way is to set "use_tunneled_reply = yes", and
|
||||
# then update the inner-tunnel reply.
|
||||
post-auth {
|
||||
# If you want privacy to remain, see the
|
||||
# Chargeable-User-Identity attribute from RFC 4372.
|
||||
# If you want to use it just uncomment the line below.
|
||||
# cui-inner
|
||||
|
||||
#
|
||||
# If you want the Access-Accept to contain the inner
|
||||
# User-Name, uncomment the following lines.
|
||||
#
|
||||
# update outer.session-state {
|
||||
# User-Name := &User-Name
|
||||
# }
|
||||
|
||||
#
|
||||
# If you want to have a log of authentication replies,
|
||||
# un-comment the following line, and enable the
|
||||
# 'detail reply_log' module.
|
||||
# reply_log
|
||||
|
||||
#
|
||||
# After authenticating the user, do another SQL query.
|
||||
#
|
||||
# See "Authentication Logging Queries" in `mods-config/sql/main/$driver/queries.conf`
|
||||
-sql
|
||||
|
||||
#
|
||||
# Un-comment the following if you have set
|
||||
# 'edir = yes' in the ldap module sub-section of
|
||||
# the 'modules' section.
|
||||
#
|
||||
# ldap
|
||||
|
||||
|
||||
#
|
||||
# Un-comment the following if you want to generate Moonshot (ABFAB) TargetedIds
|
||||
#
|
||||
# IMPORTANT: This requires the UUID package to be installed, and a targeted_id_salt
|
||||
# to be configured.
|
||||
#
|
||||
# This functionality also supports SQL backing. To use this functionality, enable
|
||||
# and configure the moonshot-targeted-ids SQL module in the mods-enabled directory.
|
||||
# Then remove the comments from the appropriate lines in each of the below
|
||||
# policies in the policy.d/moonshot-targeted-ids file.
|
||||
#
|
||||
# moonshot_host_tid
|
||||
# moonshot_realm_tid
|
||||
# moonshot_coi_tid
|
||||
|
||||
#
|
||||
# Instead of "use_tunneled_reply", change this "if (0)" to an
|
||||
# "if (1)".
|
||||
#
|
||||
if (0) {
|
||||
#
|
||||
# These attributes are for the inner-tunnel only,
|
||||
# and MUST NOT be copied to the outer reply.
|
||||
#
|
||||
update reply {
|
||||
User-Name !* ANY
|
||||
Message-Authenticator !* ANY
|
||||
EAP-Message !* ANY
|
||||
Proxy-State !* ANY
|
||||
MS-MPPE-Encryption-Types !* ANY
|
||||
MS-MPPE-Encryption-Policy !* ANY
|
||||
MS-MPPE-Send-Key !* ANY
|
||||
MS-MPPE-Recv-Key !* ANY
|
||||
}
|
||||
|
||||
#
|
||||
# Copy the inner reply attributes to the outer
|
||||
# session-state list. The post-auth policy will take
|
||||
# care of copying the outer session-state list to the
|
||||
# outer reply.
|
||||
#
|
||||
update {
|
||||
&outer.session-state: += &reply:
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Access-Reject packets are sent through the REJECT sub-section of the
|
||||
# post-auth section.
|
||||
#
|
||||
# Add the ldap module name (or instance) if you have set
|
||||
# 'edir = yes' in the ldap module configuration
|
||||
#
|
||||
Post-Auth-Type REJECT {
|
||||
# log failed authentications in SQL, too.
|
||||
-sql
|
||||
attr_filter.access_reject
|
||||
|
||||
#
|
||||
# Let the outer session know which module failed, and why.
|
||||
#
|
||||
update outer.session-state {
|
||||
&Module-Failure-Message := &request:Module-Failure-Message
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# When the server decides to proxy a request to a home server,
|
||||
# the proxied request is first passed through the pre-proxy
|
||||
# stage. This stage can re-write the request, or decide to
|
||||
# cancel the proxy.
|
||||
#
|
||||
# Only a few modules currently have this method.
|
||||
#
|
||||
pre-proxy {
|
||||
# Uncomment the following line if you want to change attributes
|
||||
# as defined in the preproxy_users file.
|
||||
# files
|
||||
|
||||
# Uncomment the following line if you want to filter requests
|
||||
# sent to remote servers based on the rules defined in the
|
||||
# 'attrs.pre-proxy' file.
|
||||
# attr_filter.pre-proxy
|
||||
|
||||
# If you want to have a log of packets proxied to a home
|
||||
# server, un-comment the following line, and the
|
||||
# 'detail pre_proxy_log' section, above.
|
||||
# pre_proxy_log
|
||||
}
|
||||
|
||||
#
|
||||
# When the server receives a reply to a request it proxied
|
||||
# to a home server, the request may be massaged here, in the
|
||||
# post-proxy stage.
|
||||
#
|
||||
post-proxy {
|
||||
|
||||
# If you want to have a log of replies from a home server,
|
||||
# un-comment the following line, and the 'detail post_proxy_log'
|
||||
# section, above.
|
||||
# post_proxy_log
|
||||
|
||||
# Uncomment the following line if you want to filter replies from
|
||||
# remote proxies based on the rules defined in the 'attrs' file.
|
||||
# attr_filter.post-proxy
|
||||
|
||||
#
|
||||
# If you are proxying LEAP, you MUST configure the EAP
|
||||
# module, and you MUST list it here, in the post-proxy
|
||||
# stage.
|
||||
#
|
||||
# You MUST also use the 'nostrip' option in the 'realm'
|
||||
# configuration. Otherwise, the User-Name attribute
|
||||
# in the proxied request will not match the user name
|
||||
# hidden inside of the EAP packet, and the end server will
|
||||
# reject the EAP request.
|
||||
#
|
||||
eap
|
||||
}
|
||||
|
||||
} # inner-tunnel server block
|
Loading…
Reference in New Issue
Block a user