# An example configuration for using /etc/smbpasswd. # #passwd etc_smbpasswd { # filename = /etc/smbpasswd # format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" # authtype = MS-CHAP # hashsize = 100 # ignorenislike = no # allowmultiplekeys = no #}
# Similar configuration, for the /etc/group file. Adds a Group-Name # attribute for every group that the user is member of. # #passwd etc_group { # filename = /etc/group # format = "=Group-Name:::*,User-Name" # hashsize = 50 # ignorenislike = yes # allowmultiplekeys = yes # delimiter = ":" #} # Realm module, for proxying. # # You can have multiple instances of the realm module to # support multiple realm syntaxs at the same time. The # search order is defined the order in the authorize and # preacct blocks after the module config block. # # Two config options: # format - must be 'prefix' or 'suffix' # delimiter - must be a single character # 'realm/username' # # Using this entry, IPASS users have their realm set to "IPASS". #realm realmslash { # format = prefix # delimiter = "/" #} # '[EMAIL PROTECTED]' # realm suffix { format = suffix delimiter = "@" } # 'username%realm' # #realm realmpercent { # format = suffix # delimiter = "%" #} # rewrite arbitrary packets. Useful in accounting and authorization. # ## This module is highly experimental at the moment. Please give ## feedback to the mailing list. # # The module can also use the Rewrite-Rule attribute. If it # is set and matches the name of the module instance, then # that module instance will be the only one which runs. # # Also if new_attribute is set to yes then a new attribute # will be created containing the value replacewith and it # will be added to searchin (packet, reply or config). # searchfor,ignore_case and max_matches will be ignored in that case. # #attr_rewrite sanecallerid { # attribute = Called-Station-Id # may be "packet", "reply", or "config" # searchin = packet # searchfor = "[+ ]" # replacewith = "" # ignore_case = no # new_attribute = no # max_matches = 10 # ## If set to yes then the replace string will be appended to the original string # append = no #} # Preprocess the incoming RADIUS request, before handing it off # to other modules. # # This module processes the 'huntgroups' and 'hints' files. # In addition, it re-writes some weird attributes created # by some NASes, and converts the attributes into a form which # is a little more standard. # preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints # This hack changes Ascend's wierd port numberings # to standard 0-??? port numbers so that the "+" works # for IP address assignments. # with_ascend_hack = no # ascend_channels_per_line = 23 # Windows NT machines often authenticate themselves as # NT_DOMAIN\username # # If this is set to 'yes', then the NT_DOMAIN portion # of the user-name is silently discarded. # with_ntdomain_hack = no # Specialix Jetstream 8500 24 port access server. # # If the user name is 10 characters or longer, a "/" # and the excess characters after the 10th are # appended to the user name. # # If you're not running that NAS, you don't need # this hack. # with_specialix_jetstream_hack = no # Cisco sends it's VSA attributes with the attribute # name *again* in the string, like: # # H323-Attribute = "h323-attribute=value". # # If this configuration item is set to 'yes', then # the redundant data in the the attribute text is stripped # out. The result is: # # H323-Attribute = "value" # # If you're not running a Cisco NAS, you don't need # this hack. # with_cisco_vsa_hack = no } # Livingston-style 'users' file # files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users # If you want to use the old Cistron 'users' file # with FreeRADIUS, you should change the next line # to 'compat = cistron'. You can the copy your 'users' # file from Cistron. compat = no } # Write a detailed log of all accounting records received. # detail { # Note that we do NOT use NAS-IP-Address here, as # that attribute MAY BE from the originating NAS, and # NOT from the proxy which actually sent us the # request. The Client-IP-Address attribute is ALWAYS # the address of the client which sent us the # request. # # The following line creates a new detail file for # every radius client (by IP address or hostname). # In addition, a new detail file is created every # day, so that the detail file doesn't have to go # through a 'log rotation' # # If your detail files are large, you may also want # to add a ':%H' (see doc/variables.txt) to the end # of it, to create a new detail file every hour, e.g.: # # ..../detail-%Y%m%d:%H # # This will create a new detail file for every hour. # detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d # # The Unix-style permissions on the 'detail' file. # # The detail file often contains secret or private # information about users. So by keeping the file # permissions restrictive, we can prevent unwanted # people from seeing that information. #detailperm = 0600 } # Create a unique accounting session Id. Many NASes re-use or # repeat values for Acct-Session-Id, causing no end of # confusion. # # This module will add a (probably) unique session id # to an accounting packet based on the attributes listed # below found in the packet. See doc/rlm_acct_unique for # more information. # acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id" } # Include another file that has the SQL-related configuration. # This is another file only because it tends to be big. # # The following configuration file is for use with MySQL. # # For Postgresql, use: ${confdir}/postgresql.conf # For MS-SQL, use: ${confdir}/mssql.conf # For Oracle, use: ${confdir}/oraclesql.conf # #$INCLUDE ${confdir}/sql.conf # Write a 'utmp' style file, of which users are currently # logged in, and where they've logged in from. # # This file is used mainly for Simultaneous-Use checking, # and also 'radwho', to see who's currently logged in. # radutmp { # Where the file is stored. It's not a log file, # so it doesn't need rotating. # filename = ${logdir}/radutmp # The field in the packet to key on for the # 'user' name, If you have other fields which you want # to use to key on to control Simultaneous-Use, # then you can use them here. # # Note, however, that the size of the field in the # 'utmp' data structure is small, around 32 # characters, so that will limit the possible choices # of keys. # username = %{User-Name} # Whether or not we want to treat "user" the same # as "USER", or "User". Some systems have problems # with case sensitivity, so this should be set to # 'no' to enable the comparisons of the key attribute # to be case insensitive. # case_sensitive = yes # Accounting information may be lost, so the user MAY # have logged off of the NAS, but we haven't noticed. # If so, we can verify this information with the NAS, # # If we want to believe the 'utmp' file, then this # configuration entry can be set to 'no'. # check_with_nas = yes # Set the file permissions, as the contents of this file # are usually private. perm = 0600 callerid = "yes" } # "Safe" radutmp - does not contain caller ID, so it can be # world-readable, and radwho can work for normal users, without # exposing any information that isn't already exposed by who(1). # # This is another 'instance' of the radutmp module, but it is given # then name "sradutmp" to identify it later in the "accounting" # section. radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } # attr_filter - filters the attributes received in replies from # proxied servers, to make sure we send back to our RADIUS client # only allowed attributes. attr_filter { attrsfile = ${confdir}/attrs } # counter module: # This module takes an attribute (count-attribute). # It also takes a key, and creates a counter for each unique # key. The count is incremented when accounting packets are # received by the server. The value of the increment depends # on the attribute type. # If the attribute is Acct-Session-Time or of an integer type we add the # value of the attribute. If it is anything else we increase the # counter by one. # # The 'reset' parameter defines when the counters are all reset to # zero. It can be hourly, daily, weekly, monthly or never. # # hourly: Reset on 00:00 of every hour # daily: Reset on 00:00:00 every day # weekly: Reset on 00:00:00 on sunday # monthly: Reset on 00:00:00 of the first day of each month # # It can also be user defined. It should be of the form: # num[hdwm] where: # h: hours, d: days, w: weeks, m: months # If the letter is ommited days will be assumed. In example: # reset = 10h (reset every 10 hours) # reset = 12 (reset every 12 days) # # # The check-name attribute defines an attribute which will be # registered by the counter module and can be used to set the # maximum allowed value for the counter after which the user # is rejected. # Something like: # # DEFAULT Max-Daily-Session := 36000 # Fall-Through = 1 # # You should add the counter module in the instantiate # section so that it registers check-name before the files # module reads the users file. # # If check-name is set and the user is to be rejected then we # send back a Reply-Message and we log a Failure-Message in # the radius.log # If the count attribute is Acct-Session-Time then on each login # we send back the remaining online time as a Session-Timeout attribute # # The counter-name can also be used instead of using the check-name # like below: # # DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject # Reply-Message = "You've used up more than one hour today" # # The allowed-servicetype attribute can be used to only take # into account specific sessions. For example if a user first # logs in through a login menu and then selects ppp there will # be two sessions. One for Login-User and one for Framed-User # service type. We only need to take into account the second one. # # The module should be added in the instantiate, authorize and # accounting sections. Make sure that in the authorize # section it comes after any module which sets the # 'check-name' attribute. # counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } # The "always" module is here for debugging purposes. Each # instance simply returns the same result, always, without # doing anything. always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } # # The 'expression' module currently has no configuration. expr { } # # The 'digest' module currently has no configuration. # # "Digest" authentication against a Cisco SIP server. # See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details # on performing digest authentication for Cisco SIP servers. # digest { } # # Execute external programs # # The first example is useful only for 'xlat'. To use it, # put 'exec' into the 'instantiate' section. You can then # do dynamic translation of attributes like: # # Attribute-Name = `{%exec:/path/to/program args}` # # The value of the attribute will be replaced with the output # of the program which is executed. Due to RADIUS protocol # limitations, any output over 253 bytes will be ignored. # # The RADIUS attributes from the user request will be placed # into environment variables of the executed program, as # described in 'doc/variables.txt' # exec { wait = yes input_pairs = request } # # This is a more general example of the execute module. # # If you wish to execute an external program in more than # one section (e.g. 'authorize', 'pre_proxy', etc), then it # is probably best to define a different instance of the # 'exec' module for every section. # exec echo { # # Wait for the program to finish. # # If we do NOT wait, then the program is "fire and # forget", and any output attributes from it are ignored. # # If we are looking for the program to output # attributes, and want to add those attributes to the # request, then we MUST wait for the program to # finish, and therefore set 'wait=yes' # # allowed values: {no, yes} wait = yes # # The name of the program to execute, and it's # arguments. Dynamic translation is done on this # field, so things like the following example will # work. # program = "/bin/echo %{User-Name}" # # The attributes which are placed into the # environment variables for the program. # # Allowed values are: # # request attributes from the request # reply attributes from the reply # proxy-request attributes from the proxy request # proxy-reply attributes from the proxy reply # # Note that some attributes may not exist at some # stages. e.g. There may be no proxy-reply # attributes if this module is used in the # 'authorize' section. # input_pairs = request # # Where to place the output attributes (if any) from # the executed program. The values allowed, and the # restrictions as to availability, are the same as # for the input_pairs. # output_pairs = reply # # When to execute the program. If the packet # type does NOT match what's listed here, then # the module does NOT execute the program. # # For a list of allowed packet types, see # the 'dictionary' file, and look for VALUEs # of the Packet-Type attribute. # # By default, the module executes on ANY packet. # Un-comment out the following line to tell the # module to execute only if an Access-Accept is # being sent to the NAS. # packet_type = Access-Accept } # Do server side ip pool management. Should be added in post-auth and # accounting sections. # # The module also requires the existance of the Pool-Name # attribute. That way the administrator can add the Pool-Name # attribute in the user profiles and use different pools # for different users. The Pool-Name attribute is a *check* item not # a reply item. # # Example: # radiusd.conf: ippool students { [...] } # users file : DEFAULT Group == students, Pool-Name := "students" # # ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST THEN ERASE THE DB FILES ******* # ippool main_pool { # range-start,range-stop: The start and end ip # addresses for the ip pool range-start = 192.168.1.1 range-stop = 192.168.3.254 # netmask: The network mask used for the ip's netmask = 255.255.255.0 # cache-size: The gdbm cache size for the db # files. Should be equal to the number of ip's # available in the ip pool cache-size = 800 # session-db: The main db file used to allocate ip's to clients session-db = ${raddbdir}/db.ippool # ip-index: Helper db index file used in multilink ip-index = ${raddbdir}/db.ipindex # override: Will this ippool override a Framed-IP-Address already set override = no } # ANSI X9.9 token support. Not included by default. # $INCLUDE ${confdir}/x99.conf } # Instantiation # # This section orders the loading of the modules. Modules # listed here will get loaded BEFORE the later sections like # authorize, authenticate, etc. get examined. # # This section is not strictly needed. When a section like # authorize refers to a module, it's automatically loaded and # initialized. However, some modules may not be listed in any # of the following sections, so they can be listed here. # # Also, listing modules here ensures that you have control over # the order in which they are initalized. If one module needs # something defined by another module, you can list them in order # here, and ensure that the configuration will be OK. # instantiate { # # The expression module doesn't do authorization, # authentication, or accounting. It only does dynamic # translation, of the form: # # Session-Timeout = `%{expr:2 + 3}` # # So the module needs to be instantiated, but CANNOT be # listed in any other section. See 'doc/rlm_expr' for # more information. # expr # # We add the counter module here so that it registers # the check-name attribute before any module which sets # it # daily } # Authorization. First preprocess (hints and huntgroups files), # then realms, and finally look in the "users" file. # # The order of the realm modules will determine the order that # we try to find a matching realm. # # Make *sure* that 'preprocess' comes before any realm if you # need to setup hints for the remote radius server authorize { # # The preprocess module takes care of sanitizing some bizarre # attributes in the request, and turning them into attributes # which are more standard. # # It takes care of processing the 'raddb/hints' and the # 'raddb/huntgroups' files. # # It also adds a Client-IP-Address attribute to the request. preprocess # # The chap module will set 'Auth-Type := CHAP' if we are # handling a CHAP request and Auth-Type has not already been set #chap attr_filter # # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP # authentication. eap # # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line. # digest # # Look for IPASS style 'realm/', and if not found, look for # '@realm', and decide whether or not to proxy, based on # that. # realmslash suffix # # Read the 'users' file files # # If you are using /etc/smbpasswd, and are also doing # mschap authentication, the un-comment this line, and # configure the 'etc_smbpasswd' module, above. # etc_smbpasswd # # If the users are logging in with an MS-CHAP-Challenge # attribute for authentication, the mschap module will find # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' # to the request, which will cause the server to then use # the mschap module for authentication. #mschap # The ldap module will set Auth-Type to LDAP if it has not already been set # ldap # daily } # Authentication. # # This section lists which modules are available for authentication. # Note that it does NOT mean 'try each module in order'. It means # that you have to have a module from the 'authorize' section add # a configuration attribute 'Auth-Type := FOO'. That authentication type # is then used to pick the apropriate module from the list below. # # The default Auth-Type is Local. That is, whatever is not included inside # an authtype section will be called only if Auth-Type is set to Local. # # So you should do the following: # - Set Auth-Type to an appropriate value in the authorize modules above. # For example, the chap module will set Auth-Type to CHAP, ldap to LDAP, etc. # - After that create corresponding authtype sections in the # authenticate section below and call the appropriate modules. authenticate { # # PAP authentication, when a back-end database listed # in the 'authorize' section supplies a password. The # password can be clear-text, or encrypted. #Auth-Type PAP { # pap #} # # Most people want CHAP authentication # A back-end database listed in the 'authorize' section # MUST supply a CLEAR TEXT password. Encrypted passwords # won't work. #Auth-Type CHAP { # chap #} # # MSCHAP authentication. #Auth-Type MS-CHAP { # mschap #} # # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line. # digest # # Pluggable Authentication Modules. #pam # # See 'man getpwent' for information on how the 'unix' # module checks the users password. Note that packets # containing CHAP-Password attributes CANNOT be authenticated # against /etc/passwd! See the FAQ for details. # #unix # Uncomment it if you want to use ldap for authentication #Auth-Type LDAP { # ldap #} # # Allow EAP authentication. eap } # # Pre-accounting. Decide which accounting type to use. # preacct { preprocess # # Look for IPASS-style 'realm/', and if not found, look for # '@realm', and decide whether or not to proxy, based on # that. # # Accounting requests are generally proxied to the same # home server as authentication requests. # realmslash suffix # # Read the 'acct_users' file files } # # Accounting. Log the accounting data. # accounting { # # Ensure that we have a semi-unique identifier for every # request, and many NAS boxes are broken. acct_unique # # Create a 'detail'ed log of the packets. # Note that accounting requests which are proxied # are also logged in the detail file. detail # daily unix # wtmp file # # For Simultaneous-Use tracking. # # Due to packet losses in the network, the data here # may be incorrect. There's little we can do about it. radutmp # sradutmp # Return an address to the IP Pool when we see a stop record. # main_pool } # Session database, used for checking Simultaneous-Use. Either the radutmp # or rlm_sql module can handle this. # The rlm_sql module is *much* faster session { radutmp # sql } # Post-Authentication # Once we KNOW that the user has been authenticated, there are # additional steps we can take. post-auth { # Get an address from the IP Pool. # main_pool } # # When the server decides to proxy a request to a home server, # the proxied request is first passed through the pre-proxy # stage. This stage can re-write the request, or decide to # cancel the proxy. # # Only a few modules currently have this method. # pre-proxy { # attr_rewrite } # # When the server receives a reply to a request it proxied # to a home server, the request may be massaged here, in the # post-proxy stage. # post-proxy { # attr_rewrite # # If you are proxing LEAP, you MUST configure the EAP # module, and you MUST list it here, in the post-proxy # stage. # # You MUST also use the 'nostrip' option in the 'realm' # configuration. Otherwise, the User-Name attribute # in the proxied request will not match the user name # hidden inside of the EAP packet, and the end server will # reject the EAP request. # eap } Radius.conf is pretty long nowadays... Log will follow on the next file... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html