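# radiusd.conf -- FreeRADIUS server configuration file.
#
# http://www.freeradius.org/
#
# The location of other config files and
# logfiles are declared in this file
#
# Also general configuration for modules can be done
# in this file, it is exported through the API to
# modules that ask for it.
#
# The configuration variables defined here are of the form ${foo}
# They are local to this file, and do not change from request to
# request.
#
# The per-request variables are of the form %{Attribute-Name}, and
# are taken from the values of the attribute in the incoming
# request. See 'doc/variables.txt' for more information.

# Installation prefixes. The directory variables below are built from
# these with ${...} substitution, so changing one here changes every
# path derived from it.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

#
# name of the running server. See also the "-n" command-line option.
name = radiusd

confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir = ${confdir}/certs
run_dir = ${localstatedir}/run/radiusd

# libdir: Where to find the rlm_* modules.
#
# This should be automatically set at configuration time.
#
# If the server builds and installs, but fails at execution time
# with an 'undefined symbol' error, then you can use the libdir
# directive to work around the problem.
#
# The cause is usually that a library has been installed on your
# system in a place where the dynamic linker CANNOT find it. When
# executing as root (or another user), your personal environment MAY
# be set up to allow the dynamic linker to find the library. When
# executing as a daemon, FreeRADIUS MAY NOT have the same
# personalized configuration.
#
# To work around the problem, find out which library contains that symbol,
# and add the directory containing that library to the end of 'libdir',
# with a colon separating the directory names. NO spaces are allowed.
#
# e.g. libdir = /usr/local/lib:/opt/package/lib
#
# Because the server loads its modules from every directory listed
# here, only add directories that unprivileged users cannot write to.
#
# You can also try setting the LD_LIBRARY_PATH environment variable
# in a script which starts the server.
#
# If that does not work, then you can re-configure and re-build the
# server to NOT use shared libraries, via:
#
# ./configure --disable-shared
# make
# make install
libdir = /usr/lib

# pidfile: Where to place the PID of the RADIUS server.
#
# The server may be signalled while it's running by using this
# file.
#
# This file is written ONLY when running in daemon mode.
#
# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
pidfile = ${run_dir}/${name}.pid

# panic_action: Command to execute if the server dies unexpectedly.
#
# FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.
# AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.
# AN INTERACTIVE ACTION MEANS THE SERVER WILL NOT RESTART.
#
# THE SERVER MUST NOT BE ALLOWED TO EXECUTE UNTRUSTED PANIC ACTION CODE
# PATTACH CAN BE USED AS AN ATTACK VECTOR.
#
# The panic action is a command which will be executed if the server
# receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS,
# SIGABRT or SIGFPE.
#
# This can be used to start an interactive debugging session so
# that information regarding the current state of the server can
# be acquired.
#
# The following string substitutions are available:
# - %e The currently executing program e.g. /sbin/radiusd
# - %p The PID of the currently executing program e.g. 12345
#
# Standard ${} substitutions are also allowed.
#
# An example panic action for opening an interactive session in GDB would be:
#
#panic_action = "gdb %e %p"
#
# Again, don't use that on a production system.
#
# An example panic action for opening an automated session in GDB would be:
#
#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log"
#
# That command can be used on a production system.
#

# max_request_time: The maximum time (in seconds) to handle a request.
#
# Requests which take more time than this to process may be killed, and
# a REJECT message is returned.
#
# WARNING: If you notice that requests take a long time to be handled,
# then this MAY INDICATE a bug in the server, in one of the modules
# used to handle a request, OR in your local configuration.
#
# This problem is most often seen when using an SQL database. If it takes
# more than a second or two to receive an answer from the SQL database,
# then it probably means that you haven't indexed the database. See your
# SQL server documentation for more information.
#
# Useful range of values: 5 to 120
max_request_time = 30

# delete_blocked_requests: If the request takes MORE THAN 'max_request_time'
# to be handled, then maybe the server should delete it.
#
# If you're running in threaded, or thread pool mode, this setting
# should probably be 'no'. Setting it to 'yes' when using a threaded
# server MAY cause the server to crash!
delete_blocked_requests = no

# cleanup_delay: The time to wait (in seconds) before cleaning up
# a reply which was sent to the NAS.
#
# The RADIUS request is normally cached internally for a short period
# of time, after the reply is sent to the NAS. The reply packet may be
# lost in the network, and the NAS will not see it. The NAS will then
# re-send the request, and the server will respond quickly with the
# cached reply.
#
# If this value is set too low, then duplicate requests from the NAS
# MAY NOT be detected, and will instead be handled as separate requests.
#
# If this value is set too high, then the server will cache too many
# requests, and some new requests may get blocked. (See 'max_requests'.)
#
# Useful range of values: 2 to 10
cleanup_delay = 5

# max_requests: The maximum number of requests which the server keeps
# track of. This should be 256 multiplied by the number of clients.
# e.g. With 4 clients, this number should be 1024.
#
# If this number is too low, then when the server becomes busy,
# it will not respond to any new requests, until the 'cleanup_delay'
# time has passed, and it has removed the old requests.
#
# If this number is set too high, then the server will use a bit more
# memory for no real benefit.
#
# If you aren't sure what it should be set to, it's better to set it
# too high than too low. Setting it to 1000 per client is probably
# the highest it should be.
#
# Useful range of values: 256 to infinity
max_requests = 1024

# hostname_lookups: Log the names of clients or just their IP addresses
# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
#
# The default is 'off' because it would be overall better for the net
# if people had to knowingly turn this feature on, since enabling it
# means that each client request will result in AT LEAST one lookup
# request to the nameserver. Enabling hostname_lookups will also
# mean that your server may stop randomly for 30 seconds from time
# to time, if the DNS requests take too long.
#
# Turning hostname lookups off also means that the server won't block
# for 30 seconds, if it sees an IP address which has no name associated
# with it.
#
# allowed values: {no, yes}
hostname_lookups = no

# Regular expressions
#
# These items are set at configure time. If they're set to "yes",
# then setting them to "no" turns off regular expression support.
#
# If they're set to "no" at configure time, then setting them to "yes"
# WILL NOT WORK. It will give you an error.
regular_expressions = yes
extended_expressions = yes

# usercollide: Turn "username collision" code on and off. See the
# "doc/duplicate-users" file
#
# WARNING
# !!!!!!! Setting this to "yes" may result in the server behaving
# !!!!!!! strangely. The "username collision" code will ONLY work
# !!!!!!! with clear-text passwords. Even then, it may not do what
# !!!!!!! you want, or what you expect.
# !!!!!!!
# !!!!!!! We STRONGLY RECOMMEND that you do not use this feature,
# !!!!!!! and that you find another way of achieving the same goal.
# !!!!!!!
# !!!!!!! e.g. module fail-over. See 'doc/configurable_failover'
# WARNING
usercollide = no

# lower_user / lower_pass:
# Lower case the username/password "before" or "after"
# attempting to authenticate.
#
# If "before", the server will first modify the request and then try
# to auth the user. If "after", the server will first auth using the
# values provided by the user. If that fails it will reprocess the
# request after modifying it as you specify below.
#
# This is as close as we can get to case insensitivity. It is the
# admin's job to ensure that the username on the auth db side is
# *also* lowercase to make this work
#
# Note: rewriting the password (lower_pass, and nospace_pass below)
# means that several different strings a user could type are accepted
# as the same credential, which weakens it. Leave these at "no" unless
# the authentication backend genuinely requires the rewrite.
#
# Default is 'no' (don't lowercase values)
# Valid values = "before" / "after" / "no"
lower_user = no
lower_pass = no

# nospace_user / nospace_pass:
#
# Some users like to enter spaces in their username or password
# incorrectly. To save yourself the tech support call, you can
# eliminate those spaces here:
#
# Default is 'no' (don't remove spaces)
# Valid values = "before" / "after" / "no" (explanation above)
nospace_user = no
nospace_pass = no

# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad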