forked from infra/ansible
866 lines
29 KiB
Plaintext
866 lines
29 KiB
Plaintext
|
# -*- text -*-
|
||
|
##
|
||
|
## radiusd.conf -- FreeRADIUS server configuration file.
|
||
|
##
|
||
|
## http://www.freeradius.org/
|
||
|
## $Id: 201b70b31b5bb4c2ef98c102690daa3462d5e1e3 $
|
||
|
##
|
||
|
|
||
|
######################################################################
|
||
|
#
|
||
|
# Read "man radiusd" before editing this file. See the section
|
||
|
# titled DEBUGGING. It outlines a method where you can quickly
|
||
|
# obtain the configuration you want, without running into
|
||
|
# trouble.
|
||
|
#
|
||
|
# Run the server in debugging mode, and READ the output.
|
||
|
#
|
||
|
# $ radiusd -X
|
||
|
#
|
||
|
# We cannot emphasize this point strongly enough. The vast
|
||
|
# majority of problems can be solved by carefully reading the
|
||
|
# debugging output, which includes warnings about common issues,
|
||
|
# and suggestions for how they may be fixed.
|
||
|
#
|
||
|
# There may be a lot of output, but look carefully for words like:
|
||
|
# "warning", "error", "reject", or "failure". The messages there
|
||
|
# will usually be enough to guide you to a solution.
|
||
|
#
|
||
|
# If you are going to ask a question on the mailing list, then
|
||
|
# explain what you are trying to do, and include the output from
|
||
|
# debugging mode (radiusd -X). Failure to do so means that all
|
||
|
# of the responses to your question will be people telling you
|
||
|
# to "post the output of radiusd -X".
|
||
|
|
||
|
######################################################################
|
||
|
#
|
||
|
# The location of other config files and logfiles are declared
|
||
|
# in this file.
|
||
|
#
|
||
|
# Also general configuration for modules can be done in this
|
||
|
# file, it is exported through the API to modules that ask for
|
||
|
# it.
|
||
|
#
|
||
|
# See "man radiusd.conf" for documentation on the format of this
|
||
|
# file. Note that the individual configuration items are NOT
|
||
|
# documented in that "man" page. They are only documented here,
|
||
|
# in the comments.
|
||
|
#
|
||
|
# As of 2.0.0, FreeRADIUS supports a simple processing language
|
||
|
# in the "authorize", "authenticate", "accounting", etc. sections.
|
||
|
# See "man unlang" for details.
|
||
|
#
|
||
|
|
||
|
prefix = /usr
|
||
|
exec_prefix = /usr
|
||
|
sysconfdir = /etc
|
||
|
localstatedir = /var
|
||
|
sbindir = ${exec_prefix}/sbin
|
||
|
logdir = /var/log/freeradius
|
||
|
raddbdir = ${sysconfdir}/raddb
|
||
|
radacctdir = ${logdir}/radacct
|
||
|
|
||
|
#
|
||
|
# name of the running server. See also the "-n" command-line option.
|
||
|
name = freeradius
|
||
|
|
||
|
# Location of config and logfiles.
|
||
|
confdir = ${raddbdir}
|
||
|
run_dir = ${localstatedir}/run/${name}
|
||
|
|
||
|
# Should likely be ${localstatedir}/lib/radiusd
|
||
|
db_dir = ${raddbdir}
|
||
|
|
||
|
#
|
||
|
# libdir: Where to find the rlm_* modules.
|
||
|
#
|
||
|
# This should be automatically set at configuration time.
|
||
|
#
|
||
|
# If the server builds and installs, but fails at execution time
|
||
|
# with an 'undefined symbol' error, then you can use the libdir
|
||
|
# directive to work around the problem.
|
||
|
#
|
||
|
# The cause is usually that a library has been installed on your
|
||
|
# system in a place where the dynamic linker CANNOT find it. When
|
||
|
# executing as root (or another user), your personal environment MAY
|
||
|
# be set up to allow the dynamic linker to find the library. When
|
||
|
# executing as a daemon, FreeRADIUS MAY NOT have the same
|
||
|
# personalized configuration.
|
||
|
#
|
||
|
# To work around the problem, find out which library contains that symbol,
|
||
|
# and add the directory containing that library to the end of 'libdir',
|
||
|
# with a colon separating the directory names. NO spaces are allowed.
|
||
|
#
|
||
|
# e.g. libdir = /usr/local/lib:/opt/package/lib
|
||
|
#
|
||
|
# You can also try setting the LD_LIBRARY_PATH environment variable
|
||
|
# in a script which starts the server.
|
||
|
#
|
||
|
# If that does not work, then you can re-configure and re-build the
|
||
|
# server to NOT use shared libraries, via:
|
||
|
#
|
||
|
# ./configure --disable-shared
|
||
|
# make
|
||
|
# make install
|
||
|
#
|
||
|
libdir = /usr/lib/freeradius
|
||
|
|
||
|
# pidfile: Where to place the PID of the RADIUS server.
|
||
|
#
|
||
|
# The server may be signalled while it's running by using this
|
||
|
# file.
|
||
|
#
|
||
|
# This file is written when ONLY running in daemon mode.
|
||
|
#
|
||
|
# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
|
||
|
#
|
||
|
pidfile = ${run_dir}/${name}.pid
|
||
|
|
||
|
# chroot: directory where the server does "chroot".
|
||
|
#
|
||
|
# The chroot is done very early in the process of starting the server.
|
||
|
# After the chroot has been performed it switches to the "user" listed
|
||
|
# below (which MUST be specified). If "group" is specified, it switchs
|
||
|
# to that group, too. Any other groups listed for the specified "user"
|
||
|
# in "/etc/group" are also added as part of this process.
|
||
|
#
|
||
|
# The current working directory (chdir / cd) is left *outside* of the
|
||
|
# chroot until all of the modules have been initialized. This allows
|
||
|
# the "raddb" directory to be left outside of the chroot. Once the
|
||
|
# modules have been initialized, it does a "chdir" to ${logdir}. This
|
||
|
# means that it should be impossible to break out of the chroot.
|
||
|
#
|
||
|
# If you are worried about security issues related to this use of chdir,
|
||
|
# then simply ensure that the "raddb" directory is inside of the chroot,
|
||
|
# end be sure to do "cd raddb" BEFORE starting the server.
|
||
|
#
|
||
|
# If the server is statically linked, then the only files that have
|
||
|
# to exist in the chroot are ${run_dir} and ${logdir}. If you do the
|
||
|
# "cd raddb" as discussed above, then the "raddb" directory has to be
|
||
|
# inside of the chroot directory, too.
|
||
|
#
|
||
|
#chroot = /path/to/chroot/directory
|
||
|
|
||
|
# user/group: The name (or #number) of the user/group to run radiusd as.
|
||
|
#
|
||
|
# If these are commented out, the server will run as the user/group
|
||
|
# that started it. In order to change to a different user/group, you
|
||
|
# MUST be root ( or have root privleges ) to start the server.
|
||
|
#
|
||
|
# We STRONGLY recommend that you run the server with as few permissions
|
||
|
# as possible. That is, if you're not using shadow passwords, the
|
||
|
# user and group items below should be set to radius'.
|
||
|
#
|
||
|
# NOTE that some kernels refuse to setgid(group) when the value of
|
||
|
# (unsigned)group is above 60000; don't use group nobody on these systems!
|
||
|
#
|
||
|
# On systems with shadow passwords, you might have to set 'group = shadow'
|
||
|
# for the server to be able to read the shadow password file. If you can
|
||
|
# authenticate users while in debug mode, but not in daemon mode, it may be
|
||
|
# that the debugging mode server is running as a user that can read the
|
||
|
# shadow info, and the user listed below can not.
|
||
|
#
|
||
|
# The server will also try to use "initgroups" to read /etc/groups.
|
||
|
# It will join all groups where "user" is a member. This can allow
|
||
|
# for some finer-grained access controls.
|
||
|
#
|
||
|
user = freerad
|
||
|
group = freerad
|
||
|
|
||
|
# panic_action: Command to execute if the server dies unexpectedly.
|
||
|
#
|
||
|
# FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.
|
||
|
# AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.
|
||
|
# AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART.
|
||
|
#
|
||
|
# The panic action is a command which will be executed if the server
|
||
|
# receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS,
|
||
|
# SIGABRT or SIGFPE.
|
||
|
#
|
||
|
# This can be used to start an interactive debugging session so
|
||
|
# that information regarding the current state of the server can
|
||
|
# be acquired.
|
||
|
#
|
||
|
# The following string substitutions are available:
|
||
|
# - %e The currently executing program e.g. /sbin/radiusd
|
||
|
# - %p The PID of the currently executing program e.g. 12345
|
||
|
#
|
||
|
# Standard ${} substitutions are also allowed.
|
||
|
#
|
||
|
# An example panic action for opening an interactive session in GDB would be:
|
||
|
#
|
||
|
#panic_action = "gdb %e %p"
|
||
|
#
|
||
|
# Again, don't use that on a production system.
|
||
|
#
|
||
|
# An example panic action for opening an automated session in GDB would be:
|
||
|
#
|
||
|
#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p > ${logdir}/gdb-%e-%p.log 2>&1"
|
||
|
#
|
||
|
# That command can be used on a production system.
|
||
|
#
|
||
|
|
||
|
# max_request_time: The maximum time (in seconds) to handle a request.
|
||
|
#
|
||
|
# Requests which take more time than this to process may be killed, and
|
||
|
# a REJECT message is returned.
|
||
|
#
|
||
|
# WARNING: If you notice that requests take a long time to be handled,
|
||
|
# then this MAY INDICATE a bug in the server, in one of the modules
|
||
|
# used to handle a request, OR in your local configuration.
|
||
|
#
|
||
|
# This problem is most often seen when using an SQL database. If it takes
|
||
|
# more than a second or two to receive an answer from the SQL database,
|
||
|
# then it probably means that you haven't indexed the database. See your
|
||
|
# SQL server documentation for more information.
|
||
|
#
|
||
|
# Useful range of values: 5 to 120
|
||
|
#
|
||
|
max_request_time = 30
|
||
|
|
||
|
# cleanup_delay: The time to wait (in seconds) before cleaning up
|
||
|
# a reply which was sent to the NAS.
|
||
|
#
|
||
|
# The RADIUS request is normally cached internally for a short period
|
||
|
# of time, after the reply is sent to the NAS. The reply packet may be
|
||
|
# lost in the network, and the NAS will not see it. The NAS will then
|
||
|
# re-send the request, and the server will respond quickly with the
|
||
|
# cached reply.
|
||
|
#
|
||
|
# If this value is set too low, then duplicate requests from the NAS
|
||
|
# MAY NOT be detected, and will instead be handled as seperate requests.
|
||
|
#
|
||
|
# If this value is set too high, then the server will cache too many
|
||
|
# requests, and some new requests may get blocked. (See 'max_requests'.)
|
||
|
#
|
||
|
# Useful range of values: 2 to 10
|
||
|
#
|
||
|
cleanup_delay = 5
|
||
|
|
||
|
# max_requests: The maximum number of requests which the server keeps
|
||
|
# track of. This should be 256 multiplied by the number of clients.
|
||
|
# e.g. With 4 clients, this number should be 1024.
|
||
|
#
|
||
|
# If this number is too low, then when the server becomes busy,
|
||
|
# it will not respond to any new requests, until the 'cleanup_delay'
|
||
|
# time has passed, and it has removed the old requests.
|
||
|
#
|
||
|
# If this number is set too high, then the server will use a bit more
|
||
|
# memory for no real benefit.
|
||
|
#
|
||
|
# If you aren't sure what it should be set to, it's better to set it
|
||
|
# too high than too low. Setting it to 1000 per client is probably
|
||
|
# the highest it should be.
|
||
|
#
|
||
|
# Useful range of values: 256 to infinity
|
||
|
#
|
||
|
max_requests = 1024
|
||
|
|
||
|
# listen: Make the server listen on a particular IP address, and send
|
||
|
# replies out from that address. This directive is most useful for
|
||
|
# hosts with multiple IP addresses on one interface.
|
||
|
#
|
||
|
# If you want the server to listen on additional addresses, or on
|
||
|
# additionnal ports, you can use multiple "listen" sections.
|
||
|
#
|
||
|
# Each section make the server listen for only one type of packet,
|
||
|
# therefore authentication and accounting have to be configured in
|
||
|
# different sections.
|
||
|
#
|
||
|
# The server ignore all "listen" section if you are using '-i' and '-p'
|
||
|
# on the command line.
|
||
|
#
|
||
|
listen {
|
||
|
# Type of packets to listen for.
|
||
|
# Allowed values are:
|
||
|
# auth listen for authentication packets
|
||
|
# acct listen for accounting packets
|
||
|
# proxy IP to use for sending proxied packets
|
||
|
# detail Read from the detail file. For examples, see
|
||
|
# raddb/sites-available/copy-acct-to-home-server
|
||
|
# status listen for Status-Server packets. For examples,
|
||
|
# see raddb/sites-available/status
|
||
|
# coa listen for CoA-Request and Disconnect-Request
|
||
|
# packets. For examples, see the file
|
||
|
# raddb/sites-available/coa
|
||
|
#
|
||
|
type = auth
|
||
|
|
||
|
# Note: "type = proxy" lets you control the source IP used for
|
||
|
# proxying packets, with some limitations:
|
||
|
#
|
||
|
# * A proxy listener CANNOT be used in a virtual server section.
|
||
|
# * You should probably set "port = 0".
|
||
|
# * Any "clients" configuration will be ignored.
|
||
|
#
|
||
|
# See also proxy.conf, and the "src_ipaddr" configuration entry
|
||
|
# in the sample "home_server" section. When you specify the
|
||
|
# source IP address for packets sent to a home server, the
|
||
|
# proxy listeners are automatically created.
|
||
|
|
||
|
# IP address on which to listen.
|
||
|
# Allowed values are:
|
||
|
# dotted quad (1.2.3.4)
|
||
|
# hostname (radius.example.com)
|
||
|
# wildcard (*)
|
||
|
ipaddr = *
|
||
|
|
||
|
# OR, you can use an IPv6 address, but not both
|
||
|
# at the same time.
|
||
|
# ipv6addr = :: # any. ::1 == localhost
|
||
|
|
||
|
# Port on which to listen.
|
||
|
# Allowed values are:
|
||
|
# integer port number (1812)
|
||
|
# 0 means "use /etc/services for the proper port"
|
||
|
port = 0
|
||
|
|
||
|
# Some systems support binding to an interface, in addition
|
||
|
# to the IP address. This feature isn't strictly necessary,
|
||
|
# but for sites with many IP addresses on one interface,
|
||
|
# it's useful to say "listen on all addresses for eth0".
|
||
|
#
|
||
|
# If your system does not support this feature, you will
|
||
|
# get an error if you try to use it.
|
||
|
#
|
||
|
# interface = eth0
|
||
|
|
||
|
# Per-socket lists of clients. This is a very useful feature.
|
||
|
#
|
||
|
# The name here is a reference to a section elsewhere in
|
||
|
# radiusd.conf, or clients.conf. Having the name as
|
||
|
# a reference allows multiple sockets to use the same
|
||
|
# set of clients.
|
||
|
#
|
||
|
# If this configuration is used, then the global list of clients
|
||
|
# is IGNORED for this "listen" section. Take care configuring
|
||
|
# this feature, to ensure you don't accidentally disable a
|
||
|
# client you need.
|
||
|
#
|
||
|
# See clients.conf for the configuration of "per_socket_clients".
|
||
|
#
|
||
|
# clients = per_socket_clients
|
||
|
}
|
||
|
|
||
|
# This second "listen" section is for listening on the accounting
|
||
|
# port, too.
|
||
|
#
|
||
|
listen {
|
||
|
ipaddr = *
|
||
|
# ipv6addr = ::
|
||
|
port = 0
|
||
|
type = acct
|
||
|
# interface = eth0
|
||
|
# clients = per_socket_clients
|
||
|
}
|
||
|
|
||
|
# hostname_lookups: Log the names of clients or just their IP addresses
|
||
|
# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
|
||
|
#
|
||
|
# The default is 'off' because it would be overall better for the net
|
||
|
# if people had to knowingly turn this feature on, since enabling it
|
||
|
# means that each client request will result in AT LEAST one lookup
|
||
|
# request to the nameserver. Enabling hostname_lookups will also
|
||
|
# mean that your server may stop randomly for 30 seconds from time
|
||
|
# to time, if the DNS requests take too long.
|
||
|
#
|
||
|
# Turning hostname lookups off also means that the server won't block
|
||
|
# for 30 seconds, if it sees an IP address which has no name associated
|
||
|
# with it.
|
||
|
#
|
||
|
# allowed values: {no, yes}
|
||
|
#
|
||
|
hostname_lookups = no
|
||
|
|
||
|
# Core dumps are a bad thing. This should only be set to 'yes'
|
||
|
# if you're debugging a problem with the server.
|
||
|
#
|
||
|
# allowed values: {no, yes}
|
||
|
#
|
||
|
allow_core_dumps = no
|
||
|
|
||
|
# Regular expressions
|
||
|
#
|
||
|
# These items are set at configure time. If they're set to "yes",
|
||
|
# then setting them to "no" turns off regular expression support.
|
||
|
#
|
||
|
# If they're set to "no" at configure time, then setting them to "yes"
|
||
|
# WILL NOT WORK. It will give you an error.
|
||
|
#
|
||
|
regular_expressions = yes
|
||
|
extended_expressions = yes
|
||
|
|
||
|
#
|
||
|
# Logging section. The various "log_*" configuration items
|
||
|
# will eventually be moved here.
|
||
|
#
|
||
|
log {
|
||
|
#
|
||
|
# Destination for log messages. This can be one of:
|
||
|
#
|
||
|
# files - log to "file", as defined below.
|
||
|
# syslog - to syslog (see also the "syslog_facility", below.
|
||
|
# stdout - standard output
|
||
|
# stderr - standard error.
|
||
|
#
|
||
|
# The command-line option "-X" over-rides this option, and forces
|
||
|
# logging to go to stdout.
|
||
|
#
|
||
|
destination = files
|
||
|
|
||
|
#
|
||
|
# The logging messages for the server are appended to the
|
||
|
# tail of this file if destination == "files"
|
||
|
#
|
||
|
# If the server is running in debugging mode, this file is
|
||
|
# NOT used.
|
||
|
#
|
||
|
file = ${logdir}/radius.log
|
||
|
|
||
|
#
|
||
|
# If this configuration parameter is set, then log messages for
|
||
|
# a *request* go to this file, rather than to radius.log.
|
||
|
#
|
||
|
# i.e. This is a log file per request, once the server has accepted
|
||
|
# the request as being from a valid client. Messages that are
|
||
|
# not associated with a request still go to radius.log.
|
||
|
#
|
||
|
# Not all log messages in the server core have been updated to use
|
||
|
# this new internal API. As a result, some messages will still
|
||
|
# go to radius.log. Please submit patches to fix this behavior.
|
||
|
#
|
||
|
# The file name is expanded dynamically. You should ONLY user
|
||
|
# server-side attributes for the filename (e.g. things you control).
|
||
|
# Using this feature MAY also slow down the server substantially,
|
||
|
# especially if you do thinks like SQL calls as part of the
|
||
|
# expansion of the filename.
|
||
|
#
|
||
|
# The name of the log file should use attributes that don't change
|
||
|
# over the lifetime of a request, such as User-Name,
|
||
|
# Virtual-Server or Packet-Src-IP-Address. Otherwise, the log
|
||
|
# messages will be distributed over multiple files.
|
||
|
#
|
||
|
# Logging can be enabled for an individual request by a special
|
||
|
# dynamic expansion macro: %{debug: 1}, where the debug level
|
||
|
# for this request is set to '1' (or 2, 3, etc.). e.g.
|
||
|
#
|
||
|
# ...
|
||
|
# update control {
|
||
|
# Tmp-String-0 = "%{debug:1}"
|
||
|
# }
|
||
|
# ...
|
||
|
#
|
||
|
# The attribute that the value is assigned to is unimportant,
|
||
|
# and should be a "throw-away" attribute with no side effects.
|
||
|
#
|
||
|
#requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
|
||
|
|
||
|
#
|
||
|
# Which syslog facility to use, if ${destination} == "syslog"
|
||
|
#
|
||
|
# The exact values permitted here are OS-dependent. You probably
|
||
|
# don't want to change this.
|
||
|
#
|
||
|
syslog_facility = daemon
|
||
|
|
||
|
# Log the full User-Name attribute, as it was found in the request.
|
||
|
#
|
||
|
# allowed values: {no, yes}
|
||
|
#
|
||
|
stripped_names = no
|
||
|
|
||
|
# Log authentication requests to the log file.
|
||
|
#
|
||
|
# allowed values: {no, yes}
|
||
|
#
|
||
|
auth = no
|
||
|
|
||
|
# Log passwords with the authentication requests.
|
||
|
# auth_badpass - logs password if it's rejected
|
||
|
# auth_goodpass - logs password if it's correct
|
||
|
#
|
||
|
# allowed values: {no, yes}
|
||
|
#
|
||
|
auth_badpass = no
|
||
|
auth_goodpass = no
|
||
|
|
||
|
# Log additional text at the end of the "Login OK" messages.
|
||
|
# for these to work, the "auth" and "auth_goopass" or "auth_badpass"
|
||
|
# configurations above have to be set to "yes".
|
||
|
#
|
||
|
# The strings below are dynamically expanded, which means that
|
||
|
# you can put anything you want in them. However, note that
|
||
|
# this expansion can be slow, and can negatively impact server
|
||
|
# performance.
|
||
|
#
|
||
|
# msg_goodpass = ""
|
||
|
# msg_badpass = ""
|
||
|
}
|
||
|
|
||
|
# The program to execute to do concurrency checks.
|
||
|
checkrad = ${sbindir}/checkrad
|
||
|
|
||
|
# SECURITY CONFIGURATION
|
||
|
#
|
||
|
# There may be multiple methods of attacking on the server. This
|
||
|
# section holds the configuration items which minimize the impact
|
||
|
# of those attacks
|
||
|
#
|
||
|
security {
|
||
|
#
|
||
|
# max_attributes: The maximum number of attributes
|
||
|
# permitted in a RADIUS packet. Packets which have MORE
|
||
|
# than this number of attributes in them will be dropped.
|
||
|
#
|
||
|
# If this number is set too low, then no RADIUS packets
|
||
|
# will be accepted.
|
||
|
#
|
||
|
# If this number is set too high, then an attacker may be
|
||
|
# able to send a small number of packets which will cause
|
||
|
# the server to use all available memory on the machine.
|
||
|
#
|
||
|
# Setting this number to 0 means "allow any number of attributes"
|
||
|
max_attributes = 200
|
||
|
|
||
|
#
|
||
|
# reject_delay: When sending an Access-Reject, it can be
|
||
|
# delayed for a few seconds. This may help slow down a DoS
|
||
|
# attack. It also helps to slow down people trying to brute-force
|
||
|
# crack a users password.
|
||
|
#
|
||
|
# Setting this number to 0 means "send rejects immediately"
|
||
|
#
|
||
|
# If this number is set higher than 'cleanup_delay', then the
|
||
|
# rejects will be sent at 'cleanup_delay' time, when the request
|
||
|
# is deleted from the internal cache of requests.
|
||
|
#
|
||
|
# Useful ranges: 1 to 5
|
||
|
reject_delay = 1
|
||
|
|
||
|
#
|
||
|
# status_server: Whether or not the server will respond
|
||
|
# to Status-Server requests.
|
||
|
#
|
||
|
# When sent a Status-Server message, the server responds with
|
||
|
# an Access-Accept or Accounting-Response packet.
|
||
|
#
|
||
|
# This is mainly useful for administrators who want to "ping"
|
||
|
# the server, without adding test users, or creating fake
|
||
|
# accounting packets.
|
||
|
#
|
||
|
# It's also useful when a NAS marks a RADIUS server "dead".
|
||
|
# The NAS can periodically "ping" the server with a Status-Server
|
||
|
# packet. If the server responds, it must be alive, and the
|
||
|
# NAS can start using it for real requests.
|
||
|
#
|
||
|
# See also raddb/sites-available/status
|
||
|
#
|
||
|
status_server = yes
|
||
|
|
||
|
#
|
||
|
# allow_vulnerable_openssl: Allow the server to start with
|
||
|
# versions of OpenSSL known to have critical vulnerabilities.
|
||
|
#
|
||
|
# This check is based on the version number reported by libssl
|
||
|
# and may not reflect patches applied to libssl by
|
||
|
# distribution maintainers.
|
||
|
#
|
||
|
allow_vulnerable_openssl = no
|
||
|
}
|
||
|
|
||
|
# PROXY CONFIGURATION
|
||
|
#
|
||
|
# proxy_requests: Turns proxying of RADIUS requests on or off.
|
||
|
#
|
||
|
# The server has proxying turned on by default. If your system is NOT
|
||
|
# set up to proxy requests to another server, then you can turn proxying
|
||
|
# off here. This will save a small amount of resources on the server.
|
||
|
#
|
||
|
# If you have proxying turned off, and your configuration files say
|
||
|
# to proxy a request, then an error message will be logged.
|
||
|
#
|
||
|
# To disable proxying, change the "yes" to "no", and comment the
|
||
|
# $INCLUDE line.
|
||
|
#
|
||
|
# allowed values: {no, yes}
|
||
|
#
|
||
|
proxy_requests = yes
|
||
|
$INCLUDE proxy.conf
|
||
|
|
||
|
|
||
|
# CLIENTS CONFIGURATION
|
||
|
#
|
||
|
# Client configuration is defined in "clients.conf".
|
||
|
#
|
||
|
|
||
|
# The 'clients.conf' file contains all of the information from the old
|
||
|
# 'clients' and 'naslist' configuration files. We recommend that you
|
||
|
# do NOT use 'client's or 'naslist', although they are still
|
||
|
# supported.
|
||
|
#
|
||
|
# Anything listed in 'clients.conf' will take precedence over the
|
||
|
# information from the old-style configuration files.
|
||
|
#
|
||
|
$INCLUDE clients.conf
|
||
|
|
||
|
|
||
|
# THREAD POOL CONFIGURATION
|
||
|
#
|
||
|
# The thread pool is a long-lived group of threads which
|
||
|
# take turns (round-robin) handling any incoming requests.
|
||
|
#
|
||
|
# You probably want to have a few spare threads around,
|
||
|
# so that high-load situations can be handled immediately. If you
|
||
|
# don't have any spare threads, then the request handling will
|
||
|
# be delayed while a new thread is created, and added to the pool.
|
||
|
#
|
||
|
# You probably don't want too many spare threads around,
|
||
|
# otherwise they'll be sitting there taking up resources, and
|
||
|
# not doing anything productive.
|
||
|
#
|
||
|
# The numbers given below should be adequate for most situations.
|
||
|
#
|
||
|
thread pool {
|
||
|
# Number of servers to start initially --- should be a reasonable
|
||
|
# ballpark figure.
|
||
|
start_servers = 5
|
||
|
|
||
|
# Limit on the total number of servers running.
|
||
|
#
|
||
|
# If this limit is ever reached, clients will be LOCKED OUT, so it
|
||
|
# should NOT BE SET TOO LOW. It is intended mainly as a brake to
|
||
|
# keep a runaway server from taking the system with it as it spirals
|
||
|
# down...
|
||
|
#
|
||
|
# You may find that the server is regularly reaching the
|
||
|
# 'max_servers' number of threads, and that increasing
|
||
|
# 'max_servers' doesn't seem to make much difference.
|
||
|
#
|
||
|
# If this is the case, then the problem is MOST LIKELY that
|
||
|
# your back-end databases are taking too long to respond, and
|
||
|
# are preventing the server from responding in a timely manner.
|
||
|
#
|
||
|
# The solution is NOT do keep increasing the 'max_servers'
|
||
|
# value, but instead to fix the underlying cause of the
|
||
|
# problem: slow database, or 'hostname_lookups=yes'.
|
||
|
#
|
||
|
# For more information, see 'max_request_time', above.
|
||
|
#
|
||
|
max_servers = 32
|
||
|
|
||
|
# Server-pool size regulation. Rather than making you guess
|
||
|
# how many servers you need, FreeRADIUS dynamically adapts to
|
||
|
# the load it sees, that is, it tries to maintain enough
|
||
|
# servers to handle the current load, plus a few spare
|
||
|
# servers to handle transient load spikes.
|
||
|
#
|
||
|
# It does this by periodically checking how many servers are
|
||
|
# waiting for a request. If there are fewer than
|
||
|
# min_spare_servers, it creates a new spare. If there are
|
||
|
# more than max_spare_servers, some of the spares die off.
|
||
|
# The default values are probably OK for most sites.
|
||
|
#
|
||
|
min_spare_servers = 3
|
||
|
max_spare_servers = 10
|
||
|
|
||
|
# When the server receives a packet, it places it onto an
|
||
|
# internal queue, where the worker threads (configured above)
|
||
|
# pick it up for processing. The maximum size of that queue
|
||
|
# is given here.
|
||
|
#
|
||
|
# When the queue is full, any new packets will be silently
|
||
|
# discarded.
|
||
|
#
|
||
|
# The most common cause of the queue being full is that the
|
||
|
# server is dependent on a slow database, and it has received
|
||
|
# a large "spike" of traffic. When that happens, there is
|
||
|
# very little you can do other than make sure the server
|
||
|
# receives less traffic, or make sure that the database can
|
||
|
# handle the load.
|
||
|
#
|
||
|
# max_queue_size = 65536
|
||
|
|
||
|
# There may be memory leaks or resource allocation problems with
|
||
|
# the server. If so, set this value to 300 or so, so that the
|
||
|
# resources will be cleaned up periodically.
|
||
|
#
|
||
|
# This should only be necessary if there are serious bugs in the
|
||
|
# server which have not yet been fixed.
|
||
|
#
|
||
|
# '0' is a special value meaning 'infinity', or 'the servers never
|
||
|
# exit'
|
||
|
max_requests_per_server = 0
|
||
|
}
|
||
|
|
||
|
# MODULE CONFIGURATION
|
||
|
#
|
||
|
# The names and configuration of each module is located in this section.
|
||
|
#
|
||
|
# After the modules are defined here, they may be referred to by name,
|
||
|
# in other sections of this configuration file.
|
||
|
#
|
||
|
modules {
|
||
|
#
|
||
|
# Each module has a configuration as follows:
|
||
|
#
|
||
|
# name [ instance ] {
|
||
|
# config_item = value
|
||
|
# ...
|
||
|
# }
|
||
|
#
|
||
|
# The 'name' is used to load the 'rlm_name' library
|
||
|
# which implements the functionality of the module.
|
||
|
#
|
||
|
# The 'instance' is optional. To have two different instances
|
||
|
# of a module, it first must be referred to by 'name'.
|
||
|
# The different copies of the module are then created by
|
||
|
# inventing two 'instance' names, e.g. 'instance1' and 'instance2'
|
||
|
#
|
||
|
# The instance names can then be used in later configuration
|
||
|
# INSTEAD of the original 'name'. See the 'radutmp' configuration
|
||
|
# for an example.
|
||
|
#
|
||
|
|
||
|
#
|
||
|
# As of 2.0.5, most of the module configurations are in a
|
||
|
# sub-directory. Files matching the regex /[a-zA-Z0-9_.]+/
|
||
|
# are loaded. The modules are initialized ONLY if they are
|
||
|
# referenced in a processing section, such as authorize,
|
||
|
# authenticate, accounting, pre/post-proxy, etc.
|
||
|
#
|
||
|
$INCLUDE ${confdir}/modules/
|
||
|
|
||
|
# Extensible Authentication Protocol
|
||
|
#
|
||
|
# For all EAP related authentications.
|
||
|
# Now in another file, because it is very large.
|
||
|
#
|
||
|
$INCLUDE eap.conf
|
||
|
|
||
|
# Include another file that has the SQL-related configuration.
|
||
|
# This is another file only because it tends to be big.
|
||
|
#
|
||
|
# $INCLUDE sql.conf
|
||
|
|
||
|
#
|
||
|
# This module is an SQL enabled version of the counter module.
|
||
|
#
|
||
|
# Rather than maintaining seperate (GDBM) databases of
|
||
|
# accounting info for each counter, this module uses the data
|
||
|
# stored in the raddacct table by the sql modules. This
|
||
|
# module NEVER does any database INSERTs or UPDATEs. It is
|
||
|
# totally dependent on the SQL module to process Accounting
|
||
|
# packets.
|
||
|
#
|
||
|
# $INCLUDE sql/mysql/counter.conf
|
||
|
|
||
|
#
|
||
|
# IP addresses managed in an SQL table.
|
||
|
#
|
||
|
# $INCLUDE sqlippool.conf
|
||
|
}
|
||
|
|
||
|
# Instantiation
|
||
|
#
|
||
|
# This section orders the loading of the modules. Modules
|
||
|
# listed here will get loaded BEFORE the later sections like
|
||
|
# authorize, authenticate, etc. get examined.
|
||
|
#
|
||
|
# This section is not strictly needed. When a section like
|
||
|
# authorize refers to a module, it's automatically loaded and
|
||
|
# initialized. However, some modules may not be listed in any
|
||
|
# of the following sections, so they can be listed here.
|
||
|
#
|
||
|
# Also, listing modules here ensures that you have control over
|
||
|
# the order in which they are initalized. If one module needs
|
||
|
# something defined by another module, you can list them in order
|
||
|
# here, and ensure that the configuration will be OK.
|
||
|
#
|
||
|
instantiate {
|
||
|
#
|
||
|
# Allows the execution of external scripts.
|
||
|
# The entire command line (and output) must fit into 253 bytes.
|
||
|
#
|
||
|
# e.g. Framed-Pool = `%{exec:/bin/echo foo}`
|
||
|
exec
|
||
|
|
||
|
#
|
||
|
# The expression module doesn't do authorization,
|
||
|
# authentication, or accounting. It only does dynamic
|
||
|
# translation, of the form:
|
||
|
#
|
||
|
# Session-Timeout = `%{expr:2 + 3}`
|
||
|
#
|
||
|
# This module needs to be instantiated, but CANNOT be
|
||
|
# listed in any other section. See 'doc/rlm_expr' for
|
||
|
# more information.
|
||
|
#
|
||
|
# rlm_expr is also responsible for registering many
|
||
|
# other xlat functions such as md5, sha1 and lc.
|
||
|
#
|
||
|
# We do not recommend removing it's listing here.
|
||
|
expr
|
||
|
|
||
|
#
|
||
|
# We add the counter module here so that it registers
|
||
|
# the check-name attribute before any module which sets
|
||
|
# it
|
||
|
# daily
|
||
|
expiration
|
||
|
logintime
|
||
|
|
||
|
# subsections here can be thought of as "virtual" modules.
|
||
|
#
|
||
|
# e.g. If you have two redundant SQL servers, and you want to
|
||
|
# use them in the authorize and accounting sections, you could
|
||
|
# place a "redundant" block in each section, containing the
|
||
|
# exact same text. Or, you could uncomment the following
|
||
|
# lines, and list "redundant_sql" in the authorize and
|
||
|
# accounting sections.
|
||
|
#
|
||
|
#redundant redundant_sql {
|
||
|
# sql1
|
||
|
# sql2
|
||
|
#}
|
||
|
}
|
||
|
|
||
|
######################################################################
|
||
|
#
|
||
|
# Policies that can be applied in multiple places are listed
|
||
|
# globally. That way, they can be defined once, and referred
|
||
|
# to multiple times.
|
||
|
#
|
||
|
######################################################################
|
||
|
$INCLUDE policy.conf
|
||
|
|
||
|
######################################################################
|
||
|
#
|
||
|
# Load virtual servers.
|
||
|
#
|
||
|
# This next $INCLUDE line loads files in the directory that
|
||
|
# match the regular expression: /[a-zA-Z0-9_.]+/
|
||
|
#
|
||
|
# It allows you to define new virtual servers simply by placing
|
||
|
# a file into the raddb/sites-enabled/ directory.
|
||
|
#
|
||
|
$INCLUDE sites-enabled/
|
||
|
|
||
|
######################################################################
|
||
|
#
|
||
|
# All of the other configuration sections like "authorize {}",
|
||
|
# "authenticate {}", "accounting {}", have been moved to the
|
||
|
# the file:
|
||
|
#
|
||
|
# raddb/sites-available/default
|
||
|
#
|
||
|
# This is the "default" virtual server that has the same
|
||
|
# configuration as in version 1.0.x and 1.1.x. The default
|
||
|
# installation enables this virtual server. You should
|
||
|
# edit it to create policies for your local site.
|
||
|
#
|
||
|
# For more documentation on virtual servers, see:
|
||
|
#
|
||
|
# raddb/sites-available/README
|
||
|
#
|
||
|
######################################################################
|