Hello,

I've been using FreeRADIUS 1.0.0 so far. I just tried
to install FreeRADIUS 1.0.1, but I'm encountering a
problem: I get a bus error upon receiving an
access-request.

I've got a very simple module that, on "authorize"
event, tries to access "request", "request->packet"
and "request->packet->vps".

When trying to access request->packet->vps the program
generates a bus error, but I don't know if the packet
or request are valid pointers either at the beginning
of my function...

I did not have any problem with exactly the same code
and configuration when using FreeRADIUS 1.0.0.

In my configuration, I'm also using other modules such
as "detail". Those modules work fine, but I don't know
why mine doesn't.

Any ideas?



(As a side note, the FreeRADIUS 1.0.1 package found at
the address below contains CVS directories. Thus, when
configuring, the developer mode is enabled. This mode
generates tons of warnings when compiling.

Removing the top-level CVS directory before
"configure" fixes the problem.

ftp://ftp.freeradius.org/pub/radius/freeradius-1.0.1.tar.gz
)



Please find below:

1. the request that I'm sending to the server with
radclient
2. complete debug logs
3. source file of my module
4. my makefile
5. my radiusd.conf file



1. RADIUS test request

[EMAIL PROTECTED]
User-Password=ABC
NAS-IP-Address=172.26.233.18
Framed-IP-Address=1.2.3.4
NAS-Port-Type=19
Acct-Session-ID=1234567890ABCDEF



2. debug logs

@freerad0//home2/freerad0>$HOME/freeradius/sbin/radiusd -d $HOME/freeradius/etc/raddb -X
Fri Oct 29 15:29:22 2004 : Info: Starting - reading configuration files ...
Fri Oct 29 15:29:22 2004 : Debug: reread_config:  reading radiusd.conf
Fri Oct 29 15:29:22 2004 : Debug: Config:   including file: /home2/freerad0/freeradius/etc/raddb/proxy.conf
Fri Oct 29 15:29:22 2004 : Debug: Config:   including file: /home2/freerad0/freeradius/etc/raddb/clients.conf
Fri Oct 29 15:29:22 2004 : Debug: Config:   including file: /home2/freerad0/freeradius/etc/raddb/cg_custom.conf
Fri Oct 29 15:29:22 2004 : Debug:  main: prefix = "/home2/freerad0/freeradius"
Fri Oct 29 15:29:22 2004 : Debug:  main: localstatedir = "/home2/freerad0/freeradius/var"
Fri Oct 29 15:29:22 2004 : Debug:  main: logdir = "/home2/freerad0/freeradius/var/log/radius"
Fri Oct 29 15:29:22 2004 : Debug:  main: libdir = "/home2/freerad0/freeradius/lib"
Fri Oct 29 15:29:22 2004 : Debug:  main: radacctdir = "/home2/freerad0/freeradius/var/log/radius/radacct"
Fri Oct 29 15:29:22 2004 : Debug:  main: hostname_lookups = no
Fri Oct 29 15:29:22 2004 : Debug:  main: max_request_time = 30
Fri Oct 29 15:29:22 2004 : Debug:  main: cleanup_delay = 5
Fri Oct 29 15:29:22 2004 : Debug:  main: max_requests = 256
Fri Oct 29 15:29:22 2004 : Debug:  main: delete_blocked_requests = 0
Fri Oct 29 15:29:22 2004 : Debug:  main: port = 1645
Fri Oct 29 15:29:22 2004 : Debug:  main: allow_core_dumps = no
Fri Oct 29 15:29:22 2004 : Debug:  main: log_stripped_names = no
Fri Oct 29 15:29:22 2004 : Debug:  main: log_file = "/home2/freerad0/freeradius/var/log/radius/radius.log"
Fri Oct 29 15:29:22 2004 : Debug:  main: log_auth = no
Fri Oct 29 15:29:22 2004 : Debug:  main: log_auth_badpass = no
Fri Oct 29 15:29:22 2004 : Debug:  main: log_auth_goodpass = no
Fri Oct 29 15:29:22 2004 : Debug:  main: pidfile = "/home2/freerad0/freeradius/var/run/radiusd/radiusd.pid"
Fri Oct 29 15:29:22 2004 : Debug:  main: user = "(null)"
Fri Oct 29 15:29:22 2004 : Debug:  main: group = "(null)"
Fri Oct 29 15:29:22 2004 : Debug:  main: usercollide = no
Fri Oct 29 15:29:22 2004 : Debug:  main: lower_user = "no"
Fri Oct 29 15:29:22 2004 : Debug:  main: lower_pass = "no"
Fri Oct 29 15:29:22 2004 : Debug:  main: nospace_user = "no"
Fri Oct 29 15:29:22 2004 : Debug:  main: nospace_pass = "no"
Fri Oct 29 15:29:22 2004 : Debug:  main: checkrad = "/home2/freerad0/freeradius/sbin/checkrad"
Fri Oct 29 15:29:22 2004 : Debug:  main: proxy_requests = yes
Fri Oct 29 15:29:22 2004 : Debug:  proxy: retry_delay = 5
Fri Oct 29 15:29:22 2004 : Debug:  proxy: retry_count = 3
Fri Oct 29 15:29:22 2004 : Debug:  proxy: synchronous = no
Fri Oct 29 15:29:22 2004 : Debug:  proxy: default_fallback = yes
Fri Oct 29 15:29:22 2004 : Debug:  proxy: dead_time = 60
Fri Oct 29 15:29:22 2004 : Debug:  proxy: post_proxy_authorize = no
Fri Oct 29 15:29:22 2004 : Debug:  proxy: wake_all_if_all_dead = no
Fri Oct 29 15:29:22 2004 : Debug:  security: max_attributes = 200
Fri Oct 29 15:29:22 2004 : Debug:  security: reject_delay = 0
Fri Oct 29 15:29:22 2004 : Debug:  security: status_server = no
Fri Oct 29 15:29:22 2004 : Debug:  main: debug_level = 0
Fri Oct 29 15:29:22 2004 : Debug: read_config_files:  reading dictionary
Fri Oct 29 15:29:23 2004 : Debug: read_config_files:  reading naslist
Fri Oct 29 15:29:23 2004 : Info: Using deprecated naslist file.  Support for this will go away soon.
Fri Oct 29 15:29:23 2004 : Debug: read_config_files:  reading clients
Fri Oct 29 15:29:23 2004 : Debug: read_config_files:  reading realms
Fri Oct 29 15:29:23 2004 : Debug: radiusd:  entering modules setup
Fri Oct 29 15:29:23 2004 : Debug: Module: Library search path is /home2/freerad0/freeradius/lib
Fri Oct 29 15:29:23 2004 : Debug: Module: Loaded exec
Fri Oct 29 15:29:23 2004 : Debug:  exec: wait = yes
Fri Oct 29 15:29:23 2004 : Debug:  exec: program = "(null)"
Fri Oct 29 15:29:23 2004 : Debug:  exec: input_pairs = "request"
Fri Oct 29 15:29:23 2004 : Debug:  exec: output_pairs = "none"
Fri Oct 29 15:29:23 2004 : Debug:  exec: packet_type = "(null)"
Fri Oct 29 15:29:23 2004 : Debug: Module: Instantiated exec (exec)
Fri Oct 29 15:29:23 2004 : Debug: Module: Loaded expr
Fri Oct 29 15:29:23 2004 : Debug: Module: Instantiated expr (expr)
Fri Oct 29 15:29:23 2004 : Debug: Module: Loaded bug
Fri Oct 29 15:29:23 2004 : Debug: Module: Instantiated bug (bug)
Fri Oct 29 15:29:23 2004 : Debug: Module: Loaded detail
Fri Oct 29 15:29:23 2004 : Debug:  detail: detailfile = "/home2/freerad0/freeradius/var/log/radius/radius_detail_%Y%m%d.log"
Fri Oct 29 15:29:23 2004 : Debug:  detail: detailperm = 384
Fri Oct 29 15:29:23 2004 : Debug:  detail: dirperm = 493
Fri Oct 29 15:29:23 2004 : Debug:  detail: locking = no
Fri Oct 29 15:29:23 2004 : Debug: Module: Instantiated detail (auth_log)
Fri Oct 29 15:29:23 2004 : Debug: Module: Loaded realm
Fri Oct 29 15:29:23 2004 : Debug:  realm: format = "suffix"
Fri Oct 29 15:29:23 2004 : Debug:  realm: delimiter = "@"
Fri Oct 29 15:29:23 2004 : Debug:  realm: ignore_default = no
Fri Oct 29 15:29:23 2004 : Debug:  realm: ignore_null = no
Fri Oct 29 15:29:23 2004 : Debug: Module: Instantiated realm (suffix)
Fri Oct 29 15:29:23 2004 : Debug: Module: Loaded files
Fri Oct 29 15:29:23 2004 : Debug:  files: usersfile = "/home2/freerad0/freeradius/etc/raddb/users"
Fri Oct 29 15:29:23 2004 : Debug:  files: acctusersfile = "/home2/freerad0/freeradius/etc/raddb/acct_users"
Fri Oct 29 15:29:23 2004 : Debug:  files: preproxy_usersfile = "/home2/freerad0/freeradius/etc/raddb/preproxy_users"
Fri Oct 29 15:29:23 2004 : Debug:  files: compat = "no"
Fri Oct 29 15:29:23 2004 : Debug: Module: Instantiated files (files)
Fri Oct 29 15:29:23 2004 : Debug: Module: Loaded cg_custom
Fri Oct 29 15:29:23 2004 : Debug:  cg_custom: debug = 0
Fri Oct 29 15:29:23 2004 : Debug:  cg_custom: ssg_service = "FullInternet"
Fri Oct 29 15:29:23 2004 : Debug:  cg_custom: default_idle_timeout = 1200
Fri Oct 29 15:29:23 2004 : Debug:  cg_custom: local_idle_timeout = 1200
Fri Oct 29 15:29:23 2004 : Debug:  cg_custom: default_session_timeout = 21600
Fri Oct 29 15:29:23 2004 : Debug:  cg_custom: local_session_timeout = 21600
Fri Oct 29 15:29:23 2004 : Debug:  cg_custom: nas_identifier = "FRAF0"
Fri Oct 29 15:29:23 2004 : Debug:  cg_custom: wispr_location_name = "Naxos,fr"
Fri Oct 29 15:29:23 2004 : Debug:  cg_custom: wait_disconnect_unknown = 60
Fri Oct 29 15:29:23 2004 : Debug:  cg_custom: max_delay_preconnect = 30
Fri Oct 29 15:29:23 2004 : Debug:  cg_custom: db_driver = "rlm_sql_postgresql"
Fri Oct 29 15:29:23 2004 : Debug:  cg_custom: db_server = "localhost"
Fri Oct 29 15:29:23 2004 : Debug:  cg_custom: db_port = "5432"
Fri Oct 29 15:29:23 2004 : Debug:  cg_custom: db_login = "postgres"
Fri Oct 29 15:29:23 2004 : Debug:  cg_custom: db_password = ""
Fri Oct 29 15:29:23 2004 : Debug:  cg_custom: db_database = "wixos1"
Fri Oct 29 15:29:23 2004 : Debug:  cg_custom: db_num_sql_socks = 5
Fri Oct 29 15:29:23 2004 : Debug:  cg_custom: db_connect_failure_retry_delay = 60
Fri Oct 29 15:29:23 2004 : Debug:  cg_custom: db_pool_max_retries = 3
Fri Oct 29 15:29:23 2004 : Debug:  cg_custom: db_pool_delay = 300
Fri Oct 29 15:29:23 2004 : Info: *** FreeRADIUS started !
Fri Oct 29 15:29:23 2004 : Debug: Module: Instantiated cg_custom (cg_custom)
Fri Oct 29 15:29:23 2004 : Debug: Listening on authentication *:1645
Fri Oct 29 15:29:23 2004 : Debug: Listening on accounting *:1646
Fri Oct 29 15:29:23 2004 : Debug: Listening on proxy *:1647
Fri Oct 29 15:29:23 2004 : Info: Ready to process requests.

rad_recv: Access-Request packet from host 172.26.233.22:40002, id=106, length=90
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "ABC"
        NAS-IP-Address = 172.26.233.18
        Framed-IP-Address = 1.2.3.4
        NAS-Port-Type = Wireless-802.11
        Acct-Session-Id = "1234567890ABCDEF"
Fri Oct 29 15:30:57 2004 : Debug:   Processing the authorize section of radiusd.conf
Fri Oct 29 15:30:57 2004 : Debug: modcall: entering group authorize for request 0
Fri Oct 29 15:30:57 2004 : Debug:   modsingle[authorize]: calling bug (rlm_bug) for request 0
BEGIN MODULE
.1
.2
Bus Error (core dumped)





3. source file of my module

#include        "autoconf.h"
#include        "libradius.h"

#include        <sys/stat.h>
#include        <sys/select.h>

#include        <stdio.h>
#include        <stdlib.h>
#include        <string.h>
#include        <ctype.h>
#include        <fcntl.h>

#include        "radiusd.h"
#include        "modules.h"

struct bug_instance {
        int my_param;
};


/* No configuration items are declared for this module. */
static CONF_PARSER module_config[] = {
        { NULL, -1, 0, NULL, NULL }
};

/*
 *      (Re-)read radiusd.conf into memory.
 */
static int bug_instantiate(CONF_SECTION *conf, void **instance)
{
        struct bug_instance *inst;

        inst = rad_malloc(sizeof(*inst));
        if (!inst) {
                return -1;
        }
        memset(inst, 0, sizeof(*inst));

        if (cf_section_parse(conf, inst, module_config) < 0) {
                free(inst);
                return -1;
        }

        *instance = inst;
        return 0;
}



/*
 *      Incoming Access Request
 */
static int bug_authorize(void *instance, REQUEST *request)
{
        printf("BEGIN MODULE\n");
        if (NULL == request) {
                printf("Request is NULL\n");
                return RLM_MODULE_FAIL;
        }

        printf(".1\n");

        if (NULL == request->packet) {
                printf("Packet is NULL\n");
                return RLM_MODULE_FAIL;
        }
        printf(".2\n");
        /*
         * The debug log above stops after ".2": the bus error is
         * raised on this read of request->packet->vps.
         */
        if (NULL == request->packet->vps) {
                printf("VPs is NULL\n");
                return RLM_MODULE_FAIL;
        }
        printf(".3\n");
        printf("END MODULE\n");
        return RLM_MODULE_NOOP;
}

/*
 *      Clean up.
 */
static int bug_detach(void *instance)
{
        struct bug_instance *inst = instance;
        free(inst);
        return 0;
}


/* globally exported name */
module_t rlm_bug = {
        "bug",
        RLM_TYPE_THREAD_UNSAFE,         /* type: reserved */
        NULL,                           /* initialization */
        bug_instantiate,                /* instantiation */
        {
                NULL,                   /* authentication */
                bug_authorize,          /* authorization */
                NULL,                   /* preaccounting */
                NULL,                   /* accounting */
                NULL,                   /* checksimul */
                NULL,                   /* pre-proxy */
                NULL,                   /* post-proxy */
                NULL                    /* post-auth */
        },
        bug_detach,                     /* detach */
        NULL                            /* destroy */
};



4. makefile

TARGET  = rlm_bug
SRCS    = rlm_bug.c

include ../rules.mak



5. my radiusd.conf file

##
## radiusd.conf -- FreeRADIUS server configuration file.
##
##      http://www.freeradius.org/
##      $Id: radiusd.conf.in,v 1.188 2004/05/13 20:10:19 pnixon Exp $
##

#       The location of other config files and
#       logfiles are declared in this file
#
#       Also general configuration for modules can be done
#       in this file, it is exported through the API to
#       modules that ask for it.
#
#       The configuration variables defined here are of the form ${foo}
#       They are local to this file, and do not change from request to
#       request.
#
#       The per-request variables are of the form %{Attribute-Name}, and
#       are taken from the values of the attribute in the incoming
#       request.  See 'doc/variables.txt' for more information.

prefix = /home2/freerad0/freeradius
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

#
#  The logging messages for the server are appended to the
#  tail of this file.
#
log_file = ${logdir}/radius.log

#
# libdir: Where to find the rlm_* modules.
#
#   This should be automatically set at configuration time.
#
#   If the server builds and installs, but fails at execution time
#   with an 'undefined symbol' error, then you can use the libdir
#   directive to work around the problem.
#
#   The cause is usually that a library has been installed on your
#   system in a place where the dynamic linker CANNOT find it.  When
#   executing as root (or another user), your personal environment MAY
#   be set up to allow the dynamic linker to find the library.  When
#   executing as a daemon, FreeRADIUS MAY NOT have the same
#   personalized configuration.
#
#   To work around the problem, find out which library contains that symbol,
#   and add the directory containing that library to the end of 'libdir',
#   with a colon separating the directory names.  NO spaces are allowed.
#
#   e.g. libdir = /usr/local/lib:/opt/package/lib
#
#   You can also try setting the LD_LIBRARY_PATH environment variable
#   in a script which starts the server.
#
#   If that does not work, then you can re-configure and re-build the
#   server to NOT use shared libraries, via:
#
#       ./configure --disable-shared
#       make
#       make install
#
libdir = ${exec_prefix}/lib

#  pidfile: Where to place the PID of the RADIUS server.
#
#  The server may be signalled while it's running by using this
#  file.
#
#  This file is written when ONLY running in daemon mode.
#
#  e.g.:  kill -HUP `cat /var/run/radiusd/radiusd.pid`
#
pidfile = ${run_dir}/radiusd.pid


# user/group: The name (or #number) of the user/group to run radiusd as.
#
#   If these are commented out, the server will run as the user/group
#   that started it.  In order to change to a different user/group, you
#   MUST be root ( or have root privileges ) to start the server.
#
#   We STRONGLY recommend that you run the server with as few permissions
#   as possible.  That is, if you're not using shadow passwords, the
#   user and group items below should be set to 'nobody'.
#
#    On SCO (ODT 3) use "user = nouser" and "group = nogroup".
#
#  NOTE that some kernels refuse to setgid(group) when the value of
#  (unsigned)group is above 60000; don't use group nobody on these systems!
#
#  On systems with shadow passwords, you might have to set 'group = shadow'
#  for the server to be able to read the shadow password file.  If you can
#  authenticate users while in debug mode, but not in daemon mode, it may be
#  that the debugging mode server is running as a user that can read the
#  shadow info, and the user listed below can not.
#
#user = nobody
#group = nobody

#  max_request_time: The maximum time (in seconds) to handle a request.
#
#  Requests which take more time than this to process may be killed, and
#  a REJECT message is returned.
#
#  WARNING: If you notice that requests take a long time to be handled,
#  then this MAY INDICATE a bug in the server, in one of the modules
#  used to handle a request, OR in your local configuration.
#
#  This problem is most often seen when using an SQL database.  If it takes
#  more than a second or two to receive an answer from the SQL database,
#  then it probably means that you haven't indexed the database.  See your
#  SQL server documentation for more information.
#
#  Useful range of values: 5 to 120
#
max_request_time = 30

#  delete_blocked_requests: If the request takes MORE THAN 'max_request_time'
#  to be handled, then maybe the server should delete it.
#
#  If you're running in threaded, or thread pool mode, this setting
#  should probably be 'no'.  Setting it to 'yes' when using a threaded
#  server MAY cause the server to crash!
#
delete_blocked_requests = no

#  cleanup_delay: The time to wait (in seconds) before cleaning up
#  a reply which was sent to the NAS.
#
#  The RADIUS request is normally cached internally for a short period
#  of time, after the reply is sent to the NAS.  The reply packet may be
#  lost in the network, and the NAS will not see it.  The NAS will then
#  re-send the request, and the server will respond quickly with the
#  cached reply.
#
#  If this value is set too low, then duplicate requests from the NAS
#  MAY NOT be detected, and will instead be handled as separate requests.
#
#  If this value is set too high, then the server will cache too many
#  requests, and some new requests may get blocked.  (See 'max_requests'.)
#
#  Useful range of values: 2 to 10
#
cleanup_delay = 5

#  max_requests: The maximum number of requests which the server keeps
#  track of.  This should be 256 multiplied by the number of clients.
#  e.g. With 4 clients, this number should be 1024.
#
#  If this number is too low, then when the server becomes busy,
#  it will not respond to any new requests, until the 'cleanup_delay'
#  time has passed, and it has removed the old requests.
#
#  If this number is set too high, then the server will use a bit more
#  memory for no real benefit.
#
#  If you aren't sure what it should be set to, it's better to set it
#  too high than too low.  Setting it to 1000 per client is probably
#  the highest it should be.
#
#  Useful range of values: 256 to infinity
#
max_requests = 256

#  bind_address:  Make the server listen on a particular IP address, and
#  send replies out from that address.  This directive is most useful
#  for machines with multiple IP addresses on one interface.
#
#  It can either contain "*", or an IP address, or a fully qualified
#  Internet domain name.  The default is "*"
#
#  As of 1.0, you can also use the "listen" directive.  See below for
#  more information.
#
bind_address = *

#  port: Allows you to bind FreeRADIUS to a specific port.
#
#  The default port that most NAS boxes use is 1645, which is historical.
#  RFC 2138 defines 1812 to be the new port.  Many new servers and
#  NAS boxes use 1812, which can create interoperability problems.
#
#  The port is defined here to be 0 so that the server will pick up
#  the machine's local configuration for the radius port, as defined
#  in /etc/services.
#
#  If you want to use the default RADIUS port as defined on your server,
#  (usually through 'grep radius /etc/services') set this to 0 (zero).
#
#  A port given on the command-line via '-p' over-rides this one.
#
#  As of 1.0, you can also use the "listen" directive.  See below for
#  more information.
#
port = 1645


#
#  By default, the server uses "bind_address" to listen to all IP's
#  on a machine, or just one IP.  The "port" configuration is used
#  to select the authentication port used when listening on those
#  addresses.
#
#  If you want the server to listen on additional addresses, you can
#  use the "listen" section.  A sample section (commented out) is included
#  below.  This "listen" section duplicates the functionality of the
#  "bind_address" and "port" configuration entries, but it only listens
#  for authentication packets.
#
#  If you comment out the "bind_address" and "port" configuration entries,
#  then it becomes possible to make the server accept only accounting,
#  or authentication packets.  Previously, it always listened for both
#  types of packets, and it was impossible to make it listen for only
#  one type of packet.
#
#listen {
        #  IP address on which to listen.
        #  Allowed values are:
        #       dotted quad (1.2.3.4)
        #       hostname    (radius.example.com)
        #       wildcard    (*)
#       ipaddr = *

        #  Port on which to listen.
        #  Allowed values are:
        #       integer port number (1812)
        #       0 means "use /etc/services for the proper port"
#       port = 0

        #  Type of packets to listen for.
        #  Allowed values are:
        #       auth    listen for authentication packets
        #       acct    listen for accounting packets
        #
#       type = auth
#}


#  hostname_lookups: Log the names of clients or just their IP addresses
#  e.g., www.freeradius.org (on) or 206.47.27.232 (off).
#
#  The default is 'off' because it would be overall better for the net
#  if people had to knowingly turn this feature on, since enabling it
#  means that each client request will result in AT LEAST one lookup
#  request to the nameserver.   Enabling hostname_lookups will also
#  mean that your server may stop randomly for 30 seconds from time
#  to time, if the DNS requests take too long.
#
#  Turning hostname lookups off also means that the server won't block
#  for 30 seconds, if it sees an IP address which has no name associated
#  with it.
#
#  allowed values: {no, yes}
#
hostname_lookups = no

#  Core dumps are a bad thing.  This should only be set to 'yes'
#  if you're debugging a problem with the server.
#
#  allowed values: {no, yes}
#
allow_core_dumps = no

#  Regular expressions
#
#  These items are set at configure time.  If they're set to "yes",
#  then setting them to "no" turns off regular expression support.
#
#  If they're set to "no" at configure time, then setting them to "yes"
#  WILL NOT WORK.  It will give you an error.
#
regular_expressions     = yes
extended_expressions    = yes

#  Log the full User-Name attribute, as it was found in the request.
#
# allowed values: {no, yes}
#
log_stripped_names = no

#  Log authentication requests to the log file.
#
#  allowed values: {no, yes}
#
# NCH:
#log_auth = no
#log_auth = yes

#  Log passwords with the authentication requests.
#  log_auth_badpass  - logs password if it's rejected
#  log_auth_goodpass - logs password if it's correct
#
#  allowed values: {no, yes}
#
log_auth_badpass = no
log_auth_goodpass = no

# usercollide:  Turn "username collision" code on and off.  See the
# "doc/duplicate-users" file
#
#  WARNING
#  !!!!!!!  Setting this to "yes" may result in the server behaving
#  !!!!!!!  strangely.  The "username collision" code will ONLY work
#  !!!!!!!  with clear-text passwords.  Even then, it may not do what
#  !!!!!!!  you want, or what you expect.
#  !!!!!!!
#  !!!!!!!  We STRONGLY RECOMMEND that you do not use this feature,
#  !!!!!!!  and that you find another way of achieving the same goal.
#  !!!!!!!
#  !!!!!!!  e.g. module fail-over.  See 'doc/configurable_failover'
#  WARNING
#
usercollide = no

# lower_user / lower_pass:
# Lower case the username/password "before" or "after"
# attempting to authenticate.
#
#  If "before", the server will first modify the request and then try
#  to auth the user.  If "after", the server will first auth using the
#  values provided by the user.  If that fails it will reprocess the
#  request after modifying it as you specify below.
#
#  This is as close as we can get to case insensitivity.  It is the
#  admin's job to ensure that the username on the auth db side is
#  *also* lowercase to make this work
#
# Default is 'no' (don't lowercase values)
# Valid values = "before" / "after" / "no"
#
lower_user = no
lower_pass = no

# nospace_user / nospace_pass:
#
#  Some users like to enter spaces in their username or password
#  incorrectly.  To save yourself the tech support call, you can
#  eliminate those spaces here:
#
# Default is 'no' (don't remove spaces)
# Valid values = "before" / "after" / "no" (explanation above)
#
nospace_user = no
nospace_pass = no

#  The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad


# SECURITY CONFIGURATION
#
#  There may be multiple methods of attacking on the server.  This
#  section holds the configuration items which minimize the impact
#  of those attacks
#
security {
        #
        #  max_attributes: The maximum number of attributes
        #  permitted in a RADIUS packet.  Packets which have MORE
        #  than this number of attributes in them will be dropped.
        #
        #  If this number is set too low, then no RADIUS packets
        #  will be accepted.
        #
        #  If this number is set too high, then an attacker may be
        #  able to send a small number of packets which will cause
        #  the server to use all available memory on the machine.
        #
        #  Setting this number to 0 means "allow any number of attributes"
        max_attributes = 200

        #
        #  delayed_reject: When sending an Access-Reject, it can be
        #  delayed for a few seconds.  This may help slow down a DoS
        #  attack.  It also helps to slow down people trying to brute-force
        #  crack a user's password.
        #
        #  Setting this number to 0 means "send rejects immediately"
        #
        #  If this number is set higher than 'cleanup_delay', then the
        #  rejects will be sent at 'cleanup_delay' time, when the request
        #  is deleted from the internal cache of requests.
        #
        #  Useful ranges: 1 to 5
        reject_delay = 0

        #
        #  status_server: Whether or not the server will respond
        #  to Status-Server requests.
        #
        #  Normally this should be set to "no", because they're useless.
        #  See: http://www.freeradius.org/rfc/rfc2865.html#Keep-Alives
        #
        #  However, certain NAS boxes may require them.
        #
        #  When sent a Status-Server message, the server responds with
        #  an Access-Accept packet, containing a Reply-Message attribute,
        #  which is a string describing how long the server has been
        #  running.
        #
        status_server = no
}


# PROXY CONFIGURATION
#
#  proxy_requests: Turns proxying of RADIUS requests on or off.
#
#  The server has proxying turned on by default.  If your system is NOT
#  set up to proxy requests to another server, then you can turn proxying
#  off here.  This will save a small amount of resources on the server.
#
#  If you have proxying turned off, and your configuration files say
#  to proxy a request, then an error message will be logged.
#
#  To disable proxying, change the "yes" to "no", and comment the
#  $INCLUDE line.
#
#  allowed values: {no, yes}
#
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf


# CLIENTS CONFIGURATION
#
#  Client configuration is defined in "clients.conf".
#
#  The 'clients.conf' file contains all of the information from the old
#  'clients' and 'naslist' configuration files.  We recommend that you
#  do NOT use 'client's or 'naslist', although they are still
#  supported.
#
#  Anything listed in 'clients.conf' will take precedence over the
#  information from the old-style configuration files.
#
$INCLUDE  ${confdir}/clients.conf


# SNMP CONFIGURATION
#
#  Snmp configuration is only valid if SNMP support was enabled
#  at compile time.
#
#  To enable SNMP querying of the server, set the value of the
#  'snmp' attribute to 'yes'
#
snmp    = no
#$INCLUDE  ${confdir}/snmp.conf


# THREAD POOL CONFIGURATION
#
#  The thread pool is a long-lived group of threads which
#  take turns (round-robin) handling any incoming requests.
#
#  You probably want to have a few spare threads around,
#  so that high-load situations can be handled immediately.  If you
#  don't have any spare threads, then the request handling will
#  be delayed while a new thread is created, and added to the pool.
#
#  You probably don't want too many spare threads around,
#  otherwise they'll be sitting there taking up resources, and
#  not doing anything productive.
#
#  The numbers given below should be adequate for most situations.
#
thread pool {
        #  Number of servers to start initially --- should be a reasonable
        #  ballpark figure.
        start_servers = 5

        #  Limit on the total number of servers running.
        #
        #  If this limit is ever reached, clients will be LOCKED OUT, so it
        #  should NOT BE SET TOO LOW.  It is intended mainly as a brake to
        #  keep a runaway server from taking the system with it as it spirals
        #  down...
        #
        #  You may find that the server is regularly reaching the
        #  'max_servers' number of threads, and that increasing
        #  'max_servers' doesn't seem to make much difference.
        #
        #  If this is the case, then the problem is MOST LIKELY that
        #  your back-end databases are taking too long to respond, and
        #  are preventing the server from responding in a timely manner.
        #
        #  The solution is NOT to keep increasing the 'max_servers'
        #  value, but instead to fix the underlying cause of the
        #  problem: slow database, or 'hostname_lookups=yes'.
        #
        #  For more information, see 'max_request_time', above.
        #
        max_servers = 32

        #  Server-pool size regulation.  Rather than making you guess
        #  how many servers you need, FreeRADIUS dynamically adapts to
        #  the load it sees, that is, it tries to maintain enough
        #  servers to handle the current load, plus a few spare
        #  servers to handle transient load spikes.
        #
        #  It does this by periodically checking how many servers are
        #  waiting for a request.  If there are fewer than
        #  min_spare_servers, it creates a new spare.  If there are
        #  more than max_spare_servers, some of the spares die off.
        #  The default values are probably OK for most sites.
        #
        min_spare_servers = 3
        max_spare_servers = 10

        #  There may be memory leaks or resource allocation problems with
        #  the server.  If so, set this value to 300 or so, so that the
        #  resources will be cleaned up periodically.
        #
        #  This should only be necessary if there are serious bugs in the
        #  server which have not yet been fixed.
        #
        #  '0' is a special value meaning 'infinity', or 'the servers never
        #  exit'
        max_requests_per_server = 0
}


# MODULE CONFIGURATION
#
#  The names and configuration of each module is located in this section.
#
#  After the modules are defined here, they may be referred to by name,
#  in other sections of this configuration file.
#
modules {
        #
        #  Each module has a configuration as follows:
        #
        #       name [ instance ] {
        #               config_item = value
        #               ...
        #       }
        #
        #  The 'name' is used to load the 'rlm_name' library
        #  which implements the functionality of the module.
        #
        #  The 'instance' is optional.  To have two different instances
        #  of a module, it first must be referred to by 'name'.
        #  The different copies of the module are then created by
        #  inventing two 'instance' names, e.g. 'instance1' and 'instance2'
        #
        #  The instance names can then be used in later configuration
        #  INSTEAD of the original 'name'.  See the 'radutmp' configuration
        #  below for an example.
        #


$INCLUDE  ${confdir}/cg_custom.conf     

        bug {
                my_param = 2
                }

        cg_pref {
                debug = 3
                prefix = "toto"
        }


        #  '[EMAIL PROTECTED]'
        #
        realm suffix {
                format = suffix
                delimiter = "@"
                ignore_default = no
                ignore_null = no
        }
        

        # Livingston-style 'users' file
        #
        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users

                #  If you want to use the old Cistron 'users' file
                #  with FreeRADIUS, you should change the next line
                #  to 'compat = cistron'.  You can then copy your 'users'
                #  file from Cistron.
                compat = no
        }
        
        
        # Write a detailed log of all accounting records received.
        #
        detail {
                #  Note that we do NOT use NAS-IP-Address here, as
                #  that attribute MAY BE from the originating NAS, and
                #  NOT from the proxy which actually sent us the
                #  request.  The Client-IP-Address attribute is ALWAYS
                #  the address of the client which sent us the
                #  request.
                #
                #  The following line creates a new detail file for
                #  every radius client (by IP address or hostname).
                #  In addition, a new detail file is created every
                #  day, so that the detail file doesn't have to go
                #  through a 'log rotation'
                #
                #  If your detail files are large, you may also want
                #  to add a ':%H' (see doc/variables.txt) to the end
                #  of it, to create a new detail file every hour, e.g.:
                #
                #   ..../detail-%Y%m%d:%H
                #
                #  This will create a new detail file for every hour.
                #
                # NCH: test...
                #detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
                detailfile = ${logdir}/radius_detail_%Y%m%d.log

                #
                #  The Unix-style permissions on the 'detail' file.
                #
                #  The detail file often contains secret or private
                #  information about users.  So by keeping the file
                #  permissions restrictive, we can prevent unwanted
                #  people from seeing that information.
                detailperm = 0600
        }

        #
        #  Many people want to log authentication requests.
        #  Rather than modifying the server core to print out more
        #  messages, we can use a different instance of the 'detail'
        #  module, to log the authentication requests to a file.
        #
        #  You will also need to un-comment the 'auth_log' line
        #  in the 'authorize' section, below.
        #
        detail auth_log {
                
                detailfile = ${logdir}/radius_detail_%Y%m%d.log

                #
                #  This MUST be 0600, otherwise anyone can read
                #  the users passwords!
                detailperm = 0600
        }

        #
        #  This module logs authentication reply packets sent
        #  to a NAS.  Both Access-Accept and Access-Reject packets
        #  are logged.
        #
        #  You will also need to un-comment the 'reply_log' line
        #  in the 'post-auth' section, below.
        #
        detail reply_log {
                
                detailfile = ${logdir}/radius_detail_%Y%m%d.log

                #
                #  This MUST be 0600, otherwise anyone can read
                #  the users passwords!
                detailperm = 0600
        }

        #
        #  This module logs packets proxied to a home server.
        #
        #  You will also need to un-comment the 'pre_proxy_log' line
        #  in the 'pre-proxy' section, below.
        #
        detail pre_proxy_log {
                
                detailfile = ${logdir}/radius_detail_%Y%m%d.log

                #
                #  This MUST be 0600, otherwise anyone can read
                #  the users passwords!
                detailperm = 0600
        }

        #
        #  This module logs response packets from a home server.
        #
        #  You will also need to un-comment the 'post_proxy_log' line
        #  in the 'post-proxy' section, below.
        #
        detail post_proxy_log {
                
                detailfile = ${logdir}/radius_detail_%Y%m%d.log

                #
                #  This MUST be 0600, otherwise anyone can read
                #  the users passwords!
                detailperm = 0600
        }

        # Create a unique accounting session Id.  Many NASes re-use or
        # repeat values for Acct-Session-Id, causing no end of
        # confusion.
        #
        #  This module will add a (probably) unique session id
        #  to an accounting packet based on the attributes listed
        #  below found in the packet.  See doc/rlm_acct_unique for
        #  more information.
        #
        acct_unique {
                key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
        }


        #  Include another file that has the SQL-related configuration.
        #  This is another file only because it tends to be big.
        #
        #  The following configuration file is for use with MySQL.
        #
        #  For Postgresql, use:         ${confdir}/postgresql.conf
        #  For MS-SQL, use:             ${confdir}/mssql.conf
        #  For Oracle, use:             ${confdir}/oraclesql.conf
        #
        #$INCLUDE  ${confdir}/postgresql.conf



        # attr_filter - filters the attributes received in replies from
        # proxied servers, to make sure we send back to our RADIUS client
        # only allowed attributes.
        attr_filter {
                attrsfile = ${confdir}/attrs
        }


        # The "always" module is here for debugging purposes. Each
        # instance simply returns the same result, always, without
        # doing anything.
        always fail {
                rcode = fail
        }
        always reject {
                rcode = reject
        }
        always ok {
                rcode = ok
                simulcount = 0
                mpp = no
        }

        #
        #  The 'expression' module currently has no configuration.
        #
        #  This module is useful only for 'xlat'.  To use it,
        #  put 'exec' into the 'instantiate' section.  You can then
        #  do dynamic translation of attributes like:
        #
        #  Attribute-Name = `%{expr:2 + 3 + %{exec: uid -u}}`
        #
        #  The value of the attribute will be replaced with the output
        #  of the program which is executed.  Due to RADIUS protocol
        #  limitations, any output over 253 bytes will be ignored.
        expr {
        }


        #
        #  Execute external programs
        #
        #  This module is useful only for 'xlat'.  To use it,
        #  put 'exec' into the 'instantiate' section.  You can then
        #  do dynamic translation of attributes like:
        #
        #  Attribute-Name = `%{exec:/path/to/program args}`
        #
        #  The value of the attribute will be replaced with the output
        #  of the program which is executed.  Due to RADIUS protocol
        #  limitations, any output over 253 bytes will be ignored.
        #
        #  The RADIUS attributes from the user request will be placed
        #  into environment variables of the executed program, as
        #  described in 'doc/variables.txt'
        #
        exec {
                wait = yes
                input_pairs = request
                output_pairs = none
        }

}

# Instantiation
#
#  This section orders the loading of the modules.  Modules
#  listed here will get loaded BEFORE the later sections like
#  authorize, authenticate, etc. get examined.
#
#  This section is not strictly needed.  When a section like
#  authorize refers to a module, it's automatically loaded and
#  initialized.  However, some modules may not be listed in any
#  of the following sections, so they can be listed here.
#
#  Also, listing modules here ensures that you have control over
#  the order in which they are initialized.  If one module needs
#  something defined by another module, you can list them in order
#  here, and ensure that the configuration will be OK.
#
instantiate {
        #
        #  Allows the execution of external scripts.
        #  The entire command line (and output) must fit into 253 bytes.
        #
        #  e.g. Framed-Pool = `%{exec:/bin/echo foo}`
        exec

        #
        #  The expression module doesn't do authorization,
        #  authentication, or accounting.  It only does dynamic
        #  translation, of the form:
        #
        #       Session-Timeout = `%{expr:2 + 3}`
        #
        #  So the module needs to be instantiated, but CANNOT be
        #  listed in any other section.  See 'doc/rlm_expr' for
        #  more information.
        #
        expr
}


#  Authorization. First preprocess (hints and huntgroups files),
#  then realms, and finally look in the "users" file.
#
#  The order of the realm modules will determine the order that
#  we try to find a matching realm.
#
#  Make *sure* that 'preprocess' comes before any realm if you
#  need to setup hints for the remote radius server
authorize {
        bug
        
        # request pre-authorization processing
        #cg_custom

        # The following line is a template directive that will be replaced
        # by an instance of the "detail" module, in order to log RADIUS
        # messages only if a specific parameter is passed to the startup script.
        # <<RADIUS_DETAIL_AUTH>>
        auth_log        
        
        # checking if the user is a Naxos user or a roamer in, in which case
        # we will proxy the message to the H-WISP
        suffix
        
        # TEST
        #cg_pref
        
        # at this point, we are processing a non roaming user (or a service profile)
        # call the "files" module to check login/password
        files
}


#  Authentication.
#
#
#  This section lists which modules are available for authentication.
#  Note that it does NOT mean 'try each module in order'.  It means
#  that a module from the 'authorize' section adds a configuration
#  attribute 'Auth-Type := FOO'.  That authentication type is then
#  used to pick the appropriate module from the list below.
#

#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
#  will figure it out on its own, and will do the right thing.  The
#  most common side effect of erroneously setting the Auth-Type
#  attribute is that one authentication method will work, but the
#  others will not.
#
#  The common reasons to set the Auth-Type attribute by hand
#  is to either forcibly reject the user, or forcibly accept him.
#
authenticate {

        # this component is empty. We do not need to perform authentication
        # because it is already managed in the "users" file for a Naxos user
        # in the authorize section, and by the H-WISP for a roamer in
}


#
#  Pre-accounting.  Decide which accounting type to use.
#
preacct {
        
        # pre-accounting processing :
        # - discard non service accounting
        # - context database management
        cg_custom
        
        # checking if the user is a Naxos user or a roamer in, in which case
        # we will proxy the message to the H-WISP
        suffix          
}


#
#  Accounting.  Log the accounting data.
#
accounting {

        # The following line is a template directive that will be replaced
        # by an instance of the "detail" module, in order to log RADIUS
        # messages only if a specific parameter is passed to the startup script.
        # <<RADIUS_DETAIL_ACCT>>        
}


#  Session database, used for checking Simultaneous-Use. Either the radutmp
#  or rlm_sql module can handle this.
#  The rlm_sql module is *much* faster
session {
        
        # this component is empty. We're using our own means of tracking
        # simultaneous use (see context database).
}


#  Post-Authentication
#  Once we KNOW that the user has been authenticated, there are
#  additional steps we can take.
post-auth {

        # user authenticated : processing before sending Accept (or Reject) :
        # - simultaneous connection check for Naxos users
        # - context database management
        cg_custom
        
        # user authentication / authorization rejected : processing before
        # sending Reject :
        # - context database management
        Post-Auth-Type REJECT {
                cg_custom
        }
        
        # The following line is a template directive that will be replaced
        # by an instance of the "detail" module, in order to log RADIUS
        # messages only if a specific parameter is passed to the startup script.
        # <<RADIUS_DETAIL_REPLY>>       
        
}


#
#  When the server decides to proxy a request to a home server,
#  the proxied request is first passed through the pre-proxy
#  stage.  This stage can re-write the request, or decide to
#  cancel the proxy.
#
#  Only a few modules currently have this method.
#
pre-proxy {

        # processing before proxying message to the H-WISP :
        # - context database management
        # - message filtering and enrichment
        cg_custom
        
        # The following line is a template directive that will be replaced
        # by an instance of the "detail" module, in order to log RADIUS
        # messages only if a specific parameter is passed to the startup script.
        # <<RADIUS_DETAIL_PRE_PROXY>>   
}


#
#  When the server receives a reply to a request it proxied
#  to a home server, the request may be massaged here, in the
#  post-proxy stage.
#
post-proxy {

        # The following line is a template directive that will be replaced
        # by an instance of the "detail" module, in order to log RADIUS
        # messages only if a specific parameter is passed to the startup script.
        # <<RADIUS_DETAIL_POST_PROXY>>  
        
        # processing upon receiving answer from the H-WISP :
        # - context database management
        # - message filtering and enrichment
        cg_custom                       
}






        

        
                