http:\/\/www.kernel.org\/pub\/linux\/libs\/pam\/index.html<\/a>
#
# WARNING: On many systems, the system PAM libraries have
# memory leaks! We STRONGLY SUGGEST that you do not
# use PAM for authentication, due to those memory leaks.
#
pam {
#
# The name to use for PAM authentication.
# PAM looks in \/etc\/pam.d\/${pam_auth_name}
# for it's configuration. See 'redhat\/radiusd-pam'
# for a sample PAM configuration file.
#
# Note that any Pam-Auth attribute set in the 'authorize'
# section will over-ride this one.
#
pam_auth = radiusd
}<\/p>\n # Unix \/etc\/passwd style authentication
#
unix {
#
# Cache \/etc\/passwd, \/etc\/shadow, and \/etc\/group
#
# The default is to NOT cache them.
#
# For FreeBSD and NetBSD, you do NOT want to enable
# the cache, as it's password lookups are done via a
# database, so set this value to 'no'.
#
# Some systems (e.g. RedHat Linux with pam_pwbd) can
# take *seconds* to check a password, when th passwd
# file containing 1000's of entries. For those systems,
# you should set the cache value to 'yes', and set
# the locations of the 'passwd', 'shadow', and 'group'
# files, below.
#
# allowed values: {no, yes}
cache = no<\/p>\n
# Reload the cache every 600 seconds (10mins). 0 to disable.
cache_reload = 600<\/p>\n
#
# Define the locations of the normal passwd, shadow, and
# group files.
#
# 'shadow' is commented out by default, because not all
# systems have shadow passwords.
#
# To force the module to use the system password functions,
# instead of reading the files, leave the following entries
# commented out.
#
# This is required for some systems, like FreeBSD,
# and Mac OSX.
#
# passwd = \/etc\/passwd
shadow = \/etc\/shadow
# group = \/etc\/group<\/p>\n
#
# The location of the \"wtmp\" file.
# This should be moved to it's own module soon.
#
# The only use for 'radlast'. If you don't use
# 'radlast', then you can comment out this item.
#
radwtmp = ${logdir}\/radwtmp
}<\/p>\n
# Extensible Authentication Protocol
#
# For all EAP related authentications.
# Now in another file, because it is very large.
#
$INCLUDE ${confdir}\/eap.conf<\/p>\n
# Microsoft CHAP authentication
#
# This module supports MS-CHAP and MS-CHAPv2 authentication.
# It also enforces the SMB-Account-Ctrl attribute.
#
mschap {
#
# As of 0.9, the mschap module does NOT support
# reading from \/etc\/smbpasswd.
#
# If you are using \/etc\/smbpasswd, see the 'passwd'
# module for an example of how to use \/etc\/smbpasswd<\/p>\n
# if use_mppe is not set to no mschap will
# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
# MS-MPPE-Recv-Key\/MS-MPPE-Send-Key for MS-CHAPv2
#
#use_mppe = no<\/p>\n
# if mppe is enabled require_encryption makes
# encryption moderate
#
#require_encryption = yes<\/p>\n
# require_strong always requires 128 bit key
# encryption
#
#require_strong = yes<\/p>\n
# Windows sends us a username in the form of
# DOMAIN\\user, but sends the challenge response
# based on only the user portion. This hack
# corrects for that incorrect behavior.
#
#with_ntdomain_hack = no<\/p>\n
# The module can perform authentication itself, OR
# use a Windows Domain Controller. This configuration
# directive tells the module to call the ntlm_auth
# program, which will do the authentication, and return
# the NT-Key. Note that you MUST have \"winbindd\" and
# \"nmbd\" running on the local machine for ntlm_auth
# to work. See the ntlm_auth program documentation
# for details.
#
# Be VERY careful when editing the following line!
#
#ntlm_auth = \"\/path\/to\/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}\"
}<\/p>\n
# Lightweight Directory Access Protocol (LDAP)
#
# This module definition allows you to use LDAP for
# authorization and authentication.
#
# See doc\/rlm_ldap for description of configuration options
# and sample authorize{} and authenticate{} blocks
#
# However, LDAP can be used for authentication ONLY when the
# Access-Request packet contains a clear-text User-Password
# attribute. LDAP authentication will NOT work for any other
# authentication method.
#
# This means that LDAP servers don't understand EAP. If you
# force \"Auth-Type = LDAP\", and then send the server a
# request containing EAP authentication, then authentication
# WILL NOT WORK.
#
# The solution is to use the default configuration, which does
# work.
#
# Setting \"Auth-Type = LDAP\" is ALMOST ALWAYS WRONG. We
# really can't emphasize this enough.
#
ldap {
server = \"ldap.your.domain\"
# identity = \"cn=admin,o=My Org,c=UA\"
# password = mypass
basedn = \"o=My Org,c=UA\"
filter = \"(uid=%{Stripped-User-Name:-%{User-Name}})\"
# base_filter = \"(objectclass=radiusprofile)\"<\/p>\n
# set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
# The StartTLS operation is supposed to be used with normal
# ldap connections instead of using ldaps (port 689) connections
start_tls = no<\/p>\n
# tls_cacertfile = \/path\/to\/cacert.pem
# tls_cacertdir = \/path\/to\/ca\/dir\/
# tls_certfile = \/path\/to\/radius.crt
# tls_keyfile = \/path\/to\/radius.key
# tls_randfile = \/path\/to\/rnd
# tls_require_cert = \"demand\"<\/p>\n
# default_profile = \"cn=radprofile,ou=dialup,o=My Org,c=UA\"
# profile_attribute = \"radiusProfileDn\"
access_attr = \"dialupAccess\"<\/p>\n
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}\/ldap.attrmap<\/p>\n
ldap_connections_number = 5<\/p>\n
#
# NOTICE: The password_header directive is NOT case insensitive
#
# password_header = \"{clear}\"
#
# Set:
# password_attribute = nspmPassword
#
# to get the user's password from a Novell eDirectory
# backend. This will work *only if* freeRADIUS is
# configured to build with --with-edir option.
#
#
# The server can usually figure this out on its own, and pull
# the correct User-Password or NT-Password from the database.
#
# Note that NT-Passwords MUST be stored as a 32-digit hex
# string, and MUST start off with \"0x\", such as:
#
# 0x000102030405060708090a0b0c0d0e0f
#
# Without the leading \"0x\", NT-Passwords will not work.
# This goes for NT-Passwords stored in SQL, too.
#
# password_attribute = userPassword
#
# Un-comment the following to disable Novell eDirectory account
# policy check and intruder detection. This will work *only if*
# FreeRADIUS is configured to build with --with-edir option.
#
# edir_account_policy_check=no
#
# groupname_attribute = cn
# groupmembership_filter = \"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))\"
# groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes<\/p>\n
#
# By default, if the packet contains a User-Password,
# and no other module is configured to handle the
# authentication, the LDAP module sets itself to do
# LDAP bind for authentication.
#
# You can disable this behavior by setting the following
# configuration entry to \"no\".
#
# allowed values: {no, yes}
# set_auth_type = yes
}<\/p>\n
# passwd module allows to do authorization via any passwd-like
# file and to extract any attributes from these modules
#
# parameters are:
# filename - path to filename
# format - format for filename record. This parameters
# correlates record in the passwd file and RADIUS
# attributes.
#
# Field marked as '*' is key field. That is, the parameter
# with this name from the request is used to search for
# the record from passwd file
# Attribute marked as '=' is added to reply_itmes instead
# of default configure_itmes
# Attribute marked as '~' is added to request_items
#
# Field marked as ',' may contain a comma separated list
# of attributes.
# authtype - if record found this Auth-Type is used to authenticate
# user
# hashsize - hashtable size. If 0 or not specified records are not
# stored in memory and file is red on every request.
# allowmultiplekeys - if few records for every key are allowed
# ignorenislike - ignore NIS-related records
# delimiter - symbol to use as a field separator in passwd file,
# for format ':' symbol is always used. '\\0', '\\n' are
# not allowed
#<\/p>\n
# An example configuration for using \/etc\/smbpasswd.
#
#passwd etc_smbpasswd {
# filename = \/etc\/smbpasswd
# format = \"*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::\"
# authtype = MS-CHAP
# hashsize = 100
# ignorenislike = no
# allowmultiplekeys = no
#}<\/p>\n
# Similar configuration, for the \/etc\/group file. Adds a Group-Name
# attribute for every group that the user is member of.
#
#passwd etc_group {
# filename = \/etc\/group
# format = \"=Group-Name:::*,User-Name\"
# hashsize = 50
# ignorenislike = yes
# allowmultiplekeys = yes
# delimiter = \":\"
#}<\/p>\n
# Realm module, for proxying.
#
# You can have multiple instances of the realm module to
# support multiple realm syntaxs at the same time. The
# search order is defined by the order in the authorize and
# preacct sections.
#
# Four config options:
# format - must be 'prefix' or 'suffix'
# delimiter - must be a single character
# ignore_default - set to 'yes' or 'no'
# ignore_null - set to 'yes' or 'no'
#
# ignore_default and ignore_null can be set to 'yes' to prevent
# the module from matching against DEFAULT or NULL realms. This
# may be useful if you have have multiple instances of the
# realm module.
#
# They both default to 'no'.
#<\/p>\n
# 'realm\/username'
#
# Using this entry, IPASS users have their realm set to \"IPASS\".
realm IPASS {
format = prefix
delimiter = \"\/\"
ignore_default = no
ignore_null = no
}<\/p>\n
# 'username@realm'
#
realm suffix {
format = suffix
delimiter = \"@\"
ignore_default = no
ignore_null = no
}<\/p>\n
# 'username%realm'
#
realm realmpercent {
format = suffix
delimiter = \"%\"
ignore_default = no
ignore_null = no
}<\/p>\n
#
# 'domain\\user'
#
realm ntdomain {
format = prefix
delimiter = \"\\\\\"
ignore_default = no
ignore_null = no
} <\/p>\n
# A simple value checking module
#
# It can be used to check if an attribute value in the request
# matches a (possibly multi valued) attribute in the check
# items This can be used for example for caller-id
# authentication. For the module to run, both the request
# attribute and the check items attribute must exist
#
# i.e.
# A user has an ldap entry with 2 radiusCallingStationId
# attributes with values \"12345678\" and \"12345679\". If we
# enable rlm_checkval, then any request which contains a
# Calling-Station-Id with one of those two values will be
# accepted. Requests with other values for
# Calling-Station-Id will be rejected.
#
# Regular expressions in the check attribute value are allowed
# as long as the operator is '=~'
#
checkval {
# The attribute to look for in the request
item-name = Calling-Station-Id<\/p>\n
# The attribute to look for in check items. Can be multi valued
check-name = Calling-Station-Id<\/p>\n
# The data type. Can be
# string,integer,ipaddr,date,abinary,octets
data-type = string<\/p>\n
# If set to yes and we dont find the item-name attribute in the
# request then we send back a reject
# DEFAULT is no
#notfound-reject = no
}
# rewrite arbitrary packets. Useful in accounting and authorization.
#
#
# The module can also use the Rewrite-Rule attribute. If it
# is set and matches the name of the module instance, then
# that module instance will be the only one which runs.
#
# Also if new_attribute is set to yes then a new attribute
# will be created containing the value replacewith and it
# will be added to searchin (packet, reply, proxy, proxy_reply or config).
# searchfor,ignore_case and max_matches will be ignored in that case.
#
# Backreferences are supported: %{0} will contain the string the whole match
# and %{1} to %{8} will contain the contents of the 1st to the 8th parentheses
#
# If max_matches is greater than one the backreferences will correspond to the
# first match<\/p>\n
#
#attr_rewrite sanecallerid {
# attribute = Called-Station-Id
# may be \"packet\", \"reply\", \"proxy\", \"proxy_reply\" or \"config\"
# searchin = packet
# searchfor = \"[+ ]\"
# replacewith = \"\"
# ignore_case = no
# new_attribute = no
# max_matches = 10
# ## If set to yes then the replace string will be appended to the original string
# append = no
#}<\/p>\n
# Preprocess the incoming RADIUS request, before handing it off
# to other modules.
#
# This module processes the 'huntgroups' and 'hints' files.
# In addition, it re-writes some weird attributes created
# by some NASes, and converts the attributes into a form which
# is a little more standard.
#
preprocess {
huntgroups = ${confdir}\/huntgroups
hints = ${confdir}\/hints<\/p>\n
# This hack changes Ascend's wierd port numberings
# to standard 0-??? port numbers so that the \"+\" works
# for IP address assignments.
with_ascend_hack = no
ascend_channels_per_line = 23<\/p>\n
# Windows NT machines often authenticate themselves as
# NT_DOMAIN\\username
#
# If this is set to 'yes', then the NT_DOMAIN portion
# of the user-name is silently discarded.
#
# This configuration entry SHOULD NOT be used.
# See the \"realms\" module for a better way to handle
# NT domains.
with_ntdomain_hack = no<\/p>\n
# Specialix Jetstream 8500 24 port access server.
#
# If the user name is 10 characters or longer, a \"\/\"
# and the excess characters after the 10th are
# appended to the user name.
#
# If you're not running that NAS, you don't need
# this hack.
with_specialix_jetstream_hack = no<\/p>\n
# Cisco (and Quintum in Cisco mode) sends it's VSA attributes
# with the attribute name *again* in the string, like:
#
# H323-Attribute = \"h323-attribute=value\".
#
# If this configuration item is set to 'yes', then
# the redundant data in the the attribute text is stripped
# out. The result is:
#
# H323-Attribute = \"value\"
#
# If you're not running a Cisco or Quintum NAS, you don't
# need this hack.
with_cisco_vsa_hack = no
}<\/p>\n
# Livingston-style 'users' file
#
files {
usersfile = ${confdir}\/users
acctusersfile = ${confdir}\/acct_users
preproxy_usersfile = ${confdir}\/preproxy_users<\/p>\n
# If you want to use the old Cistron 'users' file
# with FreeRADIUS, you should change the next line
# to 'compat = cistron'. You can the copy your 'users'
# file from Cistron.
compat = no
}<\/p>\n
# Write a detailed log of all accounting records received.
#
detail {
# Note that we do NOT use NAS-IP-Address here, as
# that attribute MAY BE from the originating NAS, and
# NOT from the proxy which actually sent us the
# request. The Client-IP-Address attribute is ALWAYS
# the address of the client which sent us the
# request.
#
# The following line creates a new detail file for
# every radius client (by IP address or hostname).
# In addition, a new detail file is created every
# day, so that the detail file doesn't have to go
# through a 'log rotation'
#
# If your detail files are large, you may also want
# to add a ':%H' (see doc\/variables.txt) to the end
# of it, to create a new detail file every hour, e.g.:
#
# ....\/detail-%Y%m%d:%H
#
# This will create a new detail file for every hour.
#
detailfile = ${radacctdir}\/%{Client-IP-Address}\/detail-%Y%m%d<\/p>\n
#
# The Unix-style permissions on the 'detail' file.
#
# The detail file often contains secret or private
# information about users. So by keeping the file
# permissions restrictive, we can prevent unwanted
# people from seeing that information.
detailperm = 0600<\/p>\n
#
# Certain attributes such as User-Password may be
# \"sensitive\", so they should not be printed in the
# detail file. This section lists the attributes
# that should be suppressed.
#
# The attributes should be listed one to a line.
#
#suppress {
# User-Password
#}
}<\/p>\n
#
# Many people want to log authentication requests.
# Rather than modifying the server core to print out more
# messages, we can use a different instance of the 'detail'
# module, to log the authentication requests to a file.
#
# You will also need to un-comment the 'auth_log' line
# in the 'authorize' section, below.
#
# detail auth_log {
# detailfile = ${radacctdir}\/%{Client-IP-Address}\/auth-detail-%Y%m%d<\/p>\n
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
# detailperm = 0600
# }<\/p>\n
#
# This module logs authentication reply packets sent
# to a NAS. Both Access-Accept and Access-Reject packets
# are logged.
#
# You will also need to un-comment the 'reply_log' line
# in the 'post-auth' section, below.
#
# detail reply_log {
# detailfile = ${radacctdir}\/%{Client-IP-Address}\/reply-detail-%Y%m%d<\/p>\n
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
# detailperm = 0600
# }<\/p>\n
#
# This module logs packets proxied to a home server.
#
# You will also need to un-comment the 'pre_proxy_log' line
# in the 'pre-proxy' section, below.
#
# detail pre_proxy_log {
# detailfile = ${radacctdir}\/%{Client-IP-Address}\/pre-proxy-detail-%Y%m%d<\/p>\n
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
# detailperm = 0600
# }<\/p>\n
#
# This module logs response packets from a home server.
#
# You will also need to un-comment the 'post_proxy_log' line
# in the 'post-proxy' section, below.
#
# detail post_proxy_log {
# detailfile = ${radacctdir}\/%{Client-IP-Address}\/post-proxy-detail-%Y%m%d<\/p>\n
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
# detailperm = 0600
# }<\/p>\n
#
# The rlm_sql_log module appends the SQL queries in a log
# file which is read later by the radsqlrelay program.
#
# This module only performs the dynamic expansion of the
# variables found in the SQL statements. No operation is
# executed on the database server. (this could be done
# later by an external program) That means the module is
# useful only with non-\"SELECT\" statements.
#
# See rlm_sql_log(5) manpage.
#
# sql_log {
# path = ${radacctdir}\/sql-relay
# acct_table = \"radacct\"
# postauth_table = \"radpostauth\"
#
# Start = \"INSERT INTO ${acct_table} (AcctSessionId, UserName, \\
# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \\
# AcctSessionTime, AcctTerminateCause) VALUES \\
# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \\
# '%{Framed-IP-Address}', '%S', '0', '0', '');\"
# Stop = \"INSERT INTO ${acct_table} (AcctSessionId, UserName, \\
# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \\
# AcctSessionTime, AcctTerminateCause) VALUES \\
# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \\
# '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \\
# '%{Acct-Terminate-Cause}');\"
# Alive = \"INSERT INTO ${acct_table} (AcctSessionId, UserName, \\
# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \\
# AcctSessionTime, AcctTerminateCause) VALUES \\
# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \\
# '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');\"
#
# Post-Auth = \"INSERT INTO ${postauth_table} \\
# (user, pass, reply, date) VALUES \\
# ('%{User-Name}', '%{User-Password:-Chap-Password}', \\
# '%{reply:Packet-Type}', '%S');\"
# }<\/p>\n
#
# Create a unique accounting session Id. Many NASes re-use
# or repeat values for Acct-Session-Id, causing no end of
# confusion.
#
# This module will add a (probably) unique session id
# to an accounting packet based on the attributes listed
# below found in the packet. See doc\/rlm_acct_unique for
# more information.
#
acct_unique {
key = \"User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port\"
}<\/p>\n
# Include another file that has the SQL-related configuration.
# This is another file only because it tends to be big.
#
# The following configuration file is for use with MySQL.
#
# For Postgresql, use: ${confdir}\/postgresql.conf
# For MS-SQL, use: ${confdir}\/mssql.conf
# For Oracle, use: ${confdir}\/oraclesql.conf
#
$INCLUDE ${confdir}\/sql.conf<\/p>\n
# For Cisco VoIP specific accounting with Postgresql,
# use: ${confdir}\/pgsql-voip.conf
#
# You will also need the sql schema from:
# src\/billing\/cisco_h323_db_schema-postgres.sql
# Note: This config can be use AS WELL AS the standard sql
# config if you need SQL based Auth<\/p>\n
# Write a 'utmp' style file, of which users are currently
# logged in, and where they've logged in from.
#
# This file is used mainly for Simultaneous-Use checking,
# and also 'radwho', to see who's currently logged in.
#
radutmp {
# Where the file is stored. It's not a log file,
# so it doesn't need rotating.
#
filename = ${logdir}\/radutmp<\/p>\n
# The field in the packet to key on for the
# 'user' name, If you have other fields which you want
# to use to key on to control Simultaneous-Use,
# then you can use them here.
#
# Note, however, that the size of the field in the
# 'utmp' data structure is small, around 32
# characters, so that will limit the possible choices
# of keys.
#
# You may want instead: %{Stripped-User-Name:-%{User-Name}}
username = %{User-Name}<\/p>\n
# Whether or not we want to treat \"user\" the same
# as \"USER\", or \"User\". Some systems have problems
# with case sensitivity, so this should be set to
# 'no' to enable the comparisons of the key attribute
# to be case insensitive.
#
case_sensitive = yes<\/p>\n
# Accounting information may be lost, so the user MAY
# have logged off of the NAS, but we haven't noticed.
# If so, we can verify this information with the NAS,
#
# If we want to believe the 'utmp' file, then this
# configuration entry can be set to 'no'.
#
check_with_nas = yes <\/p>\n
# Set the file permissions, as the contents of this file
# are usually private.
perm = 0600<\/p>\n
callerid = \"yes\"
}<\/p>\n
# \"Safe\" radutmp - does not contain caller ID, so it can be
# world-readable, and radwho can work for normal users, without
# exposing any information that isn't already exposed by who(1).
#
# This is another 'instance' of the radutmp module, but it is given
# then name \"sradutmp\" to identify it later in the \"accounting\"
# section.
radutmp sradutmp {
filename = ${logdir}\/sradutmp
perm = 0644
callerid = \"no\"
}<\/p>\n
# attr_filter - filters the attributes received in replies from
# proxied servers, to make sure we send back to our RADIUS client
# only allowed attributes.
attr_filter {
attrsfile = ${confdir}\/attrs
}<\/p>\n
# counter module:
# This module takes an attribute (count-attribute).
# It also takes a key, and creates a counter for each unique
# key. The count is incremented when accounting packets are
# received by the server. The value of the increment depends
# on the attribute type.
# If the attribute is Acct-Session-Time or of an integer type we add the
# value of the attribute. If it is anything else we increase the
# counter by one.
#
# The 'reset' parameter defines when the counters are all reset to
# zero. It can be hourly, daily, weekly, monthly or never.
#
# hourly: Reset on 00:00 of every hour
# daily: Reset on 00:00:00 every day
# weekly: Reset on 00:00:00 on sunday
# monthly: Reset on 00:00:00 of the first day of each month
#
# It can also be user defined. It should be of the form:
# num[hdwm] where:
# h: hours, d: days, w: weeks, m: months
# If the letter is ommited days will be assumed. In example:
# reset = 10h (reset every 10 hours)
# reset = 12 (reset every 12 days)
#
#
# The check-name attribute defines an attribute which will be
# registered by the counter module and can be used to set the
# maximum allowed value for the counter after which the user
# is rejected.
# Something like:
#
# DEFAULT Max-Daily-Session := 36000
# Fall-Through = 1
#
# You should add the counter module in the instantiate
# section so that it registers check-name before the files
# module reads the users file.
#
# If check-name is set and the user is to be rejected then we
# send back a Reply-Message and we log a Failure-Message in
# the radius.log
# If the count attribute is Acct-Session-Time then on each login
# we send back the remaining online time as a Session-Timeout attribute
#
# The counter-name can also be used instead of using the check-name
# like below:
#
# DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject
# Reply-Message = \"You've used up more than one hour today\"
#
# The allowed-servicetype attribute can be used to only take
# into account specific sessions. For example if a user first
# logs in through a login menu and then selects ppp there will
# be two sessions. One for Login-User and one for Framed-User
# service type. We only need to take into account the second one.
#
# The module should be added in the instantiate, authorize and
# accounting sections. Make sure that in the authorize
# section it comes after any module which sets the
# 'check-name' attribute.
#
counter daily {
filename = ${raddbdir}\/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}<\/p>\n
#
# This module is an SQL enabled version of the counter module.
#
# Rather than maintaining seperate (GDBM) databases of
# accounting info for each counter, this module uses the data
# stored in the raddacct table by the sql modules. This
# module NEVER does any database INSERTs or UPDATEs. It is
# totally dependent on the SQL module to process Accounting
# packets.
#
# The 'sqlmod_inst' parameter holds the instance of the sql
# module to use when querying the SQL database. Normally it
# is just \"sql\". If you define more and one SQL module
# instance (usually for failover situations), you can
# specify which module has access to the Accounting Data
# (radacct table).
#
# The 'reset' parameter defines when the counters are all
# reset to zero. It can be hourly, daily, weekly, monthly or
# never. It can also be user defined. It should be of the
# form:
# num[hdwm] where:
# h: hours, d: days, w: weeks, m: months
# If the letter is ommited days will be assumed. In example:
# reset = 10h (reset every 10 hours)
# reset = 12 (reset every 12 days)
#
# The 'key' parameter specifies the unique identifier for the
# counter records (usually 'User-Name').
#
# The 'query' parameter specifies the SQL query used to get
# the current Counter value from the database. There are 3
# parameters that can be used in the query:
# %k 'key' parameter
# %b unix time value of beginning of reset period
# %e unix time value of end of reset period
#
# The 'check-name' parameter is the name of the 'check'
# attribute to use to access the counter in the 'users' file
# or SQL radcheck or radcheckgroup tables.
#
# DEFAULT Max-Daily-Session > 3600, Auth-Type = Reject
# Reply-Message = \"You've used up more than one hour today\"
#
sqlcounter dailycounter {
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
sqlmod-inst = sql
key = User-Name
reset = daily<\/p>\n
# This query properly handles calls that span from the
# previous reset period into the current period but
# involves more work for the SQL server than those
# below
# For mysql:
query = \"SELECT SUM(AcctSessionTime - \\
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \\
FROM radacct WHERE UserName='%{%k}' AND \\
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'\"<\/p>\n
# For postgresql:
# query = \"SELECT SUM(AcctSessionTime - \\
# GREATER((%b - AcctStartTime::ABSTIME::INT4), 0)) \\
# FROM radacct WHERE UserName='%{%k}' AND \\
# AcctStartTime::ABSTIME::INT4 + AcctSessionTime > '%b'\"<\/p>\n
# This query ignores calls that started in a previous
# reset period and continue into into this one. But it
# is a little easier on the SQL server
# For mysql:
# query = \"SELECT SUM(AcctSessionTime) FROM radacct WHERE \\
# UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')\"<\/p>\n
# For postgresql:
# query = \"SELECT SUM(AcctSessionTime) FROM radacct WHERE \\
# UserName='%{%k}' AND AND AcctStartTime::ABSTIME::INT4 > '%b'\"<\/p>\n
# This query is the same as above, but demonstrates an
# additional counter parameter '%e' which is the
# timestamp for the end of the period
# For mysql:
# query = \"SELECT SUM(AcctSessionTime) FROM radacct \\
# WHERE UserName='%{%k}' AND AcctStartTime BETWEEN \\
# FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')\"<\/p>\n
# For postgresql:
# query = \"SELECT SUM(AcctSessionTime) FROM radacct \\
# WHERE UserName='%{%k}' AND AcctStartTime::ABSTIME::INT4 \\
# BETWEEN '%b' AND '%e'\"
}<\/p>\n
sqlcounter monthlycounter {
counter-name = Monthly-Session-Time
check-name = Max-Monthly-Session
sqlmod-inst = sql
key = User-Name
reset = monthly<\/p>\n
# This query properly handles calls that span from the
# previous reset period into the current period but
# involves more work for the SQL server than those
# below
# The same notes above about the differences between mysql
# versus postgres queries apply here.
query = \"SELECT SUM(AcctSessionTime - \\
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \\
FROM radacct WHERE UserName='%{%k}' AND \\
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'\"<\/p>\n
# This query ignores calls that started in a previous
# reset period and continue into into this one. But it
# is a little easier on the SQL server
# query = \"SELECT SUM(AcctSessionTime) FROM radacct WHERE \\
# UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')\"<\/p>\n
# This query is the same as above, but demonstrates an
# additional counter parameter '%e' which is the
# timestamp for the end of the period
# query = \"SELECT SUM(AcctSessionTime) FROM radacct \\
# WHERE UserName='%{%k}' AND AcctStartTime BETWEEN \\
# FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')\"
}<\/p>\n
#
# The \"always\" module is here for debugging purposes. Each
# instance simply returns the same result, always, without
# doing anything.
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}<\/p>\n
#
# The 'expression' module currently has no configuration.
#
# This module is useful only for 'xlat'. To use it,
# put 'exec' into the 'instantiate' section. You can then
# do dynamic translation of attributes like:
#
# Attribute-Name = `%{expr:2 + 3 + %{exec: uid -u}}`
#
# The value of the attribute will be replaced with the output
# of the program which is executed. Due to RADIUS protocol
# limitations, any output over 253 bytes will be ignored.
expr {
}<\/p>\n
#
# The 'digest' module currently has no configuration.
#
# \"Digest\" authentication against a Cisco SIP server.
# See 'doc\/rfc\/draft-sterman-aaa-sip-00.txt' for details
# on performing digest authentication for Cisco SIP servers.
#
digest {
}<\/p>\n
#
# Execute external programs
#
# This module is useful only for 'xlat'. To use it,
# put 'exec' into the 'instantiate' section. You can then
# do dynamic translation of attributes like:
#
# Attribute-Name = `%{exec:\/path\/to\/program args}`
#
# The value of the attribute will be replaced with the output
# of the program which is executed. Due to RADIUS protocol
# limitations, any output over 253 bytes will be ignored.
#
# The RADIUS attributes from the user request will be placed
# into environment variables of the executed program, as
# described in 'doc\/variables.txt'
#
exec {
wait = yes
input_pairs = request
}<\/p>\n
#
# This is a more general example of the execute module.
#
# This one is called \"echo\".
#
# Attribute-Name = `%{echo:\/path\/to\/program args}`
#
# If you wish to execute an external program in more than
# one section (e.g. 'authorize', 'pre_proxy', etc), then it
# is probably best to define a different instance of the
# 'exec' module for every section.
#
exec echo {
#
# Wait for the program to finish.
#
# If we do NOT wait, then the program is \"fire and
# forget\", and any output attributes from it are ignored.
#
# If we are looking for the program to output
# attributes, and want to add those attributes to the
# request, then we MUST wait for the program to
# finish, and therefore set 'wait=yes'
#
# allowed values: {no, yes}
wait = yes<\/p>\n
#
# The name of the program to execute, and it's
# arguments. Dynamic translation is done on this
# field, so things like the following example will
# work.
#
program = \"\/bin\/echo %{User-Name}\"<\/p>\n
#
# The attributes which are placed into the
# environment variables for the program.
#
# Allowed values are:
#
# request attributes from the request
# config attributes from the configuration items list
# reply attributes from the reply
# proxy-request attributes from the proxy request
# proxy-reply attributes from the proxy reply
#
# Note that some attributes may not exist at some
# stages. e.g. There may be no proxy-reply
# attributes if this module is used in the
# 'authorize' section.
#
input_pairs = request<\/p>\n
#
# Where to place the output attributes (if any) from
# the executed program. The values allowed, and the
# restrictions as to availability, are the same as
# for the input_pairs.
#
output_pairs = reply<\/p>\n
#
# When to execute the program. If the packet
# type does NOT match what's listed here, then
# the module does NOT execute the program.
#
# For a list of allowed packet types, see
# the 'dictionary' file, and look for VALUEs
# of the Packet-Type attribute.
#
# By default, the module executes on ANY packet.
# Un-comment out the following line to tell the
# module to execute only if an Access-Accept is
# being sent to the NAS.
#
#packet_type = Access-Accept
}<\/p>\n
# Do server side ip pool management. Should be added in post-auth and
# accounting sections.
#
# The module also requires the existance of the Pool-Name
# attribute. That way the administrator can add the Pool-Name
# attribute in the user profiles and use different pools
# for different users. The Pool-Name attribute is a *check* item not
# a reply item.
#
# Example:
# radiusd.conf: ippool students { [...] }
# users file : DEFAULT Group == students, Pool-Name := \"students\"
#
# ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST *********
# ********* THEN ERASE THE DB FILES *********
#
ippool main_pool {<\/p>\n
# range-start,range-stop: The start and end ip
# addresses for the ip pool
range-start = 192.168.1.1
range-stop = 192.168.3.254<\/p>\n
# netmask: The network mask used for the ip's
netmask = 255.255.255.0<\/p>\n
# cache-size: The gdbm cache size for the db
# files. Should be equal to the number of ip's
# available in the ip pool
cache-size = 800<\/p>\n
# session-db: The main db file used to allocate ip's to clients
session-db = ${raddbdir}\/db.ippool<\/p>\n
# ip-index: Helper db index file used in multilink
ip-index = ${raddbdir}\/db.ipindex<\/p>\n
# override: Will this ippool override a Framed-IP-Address already set
override = no<\/p>\n
# maximum-timeout: If not zero specifies the maximum time in seconds an
# entry may be active. Default: 0
maximum-timeout = 0
}<\/p>\n
# $INCLUDE ${confdir}\/sqlippool.conf<\/p>\n
# OTP token support. Not included by default.
# $INCLUDE ${confdir}\/otp.conf<\/p>\n
}<\/p>\n
# Instantiation
#
# This section orders the loading of the modules. Modules
# listed here will get loaded BEFORE the later sections like
# authorize, authenticate, etc. get examined.
#
# This section is not strictly needed. When a section like
# authorize refers to a module, it's automatically loaded and
# initialized. However, some modules may not be listed in any
# of the following sections, so they can be listed here.
#
# Also, listing modules here ensures that you have control over
# the order in which they are initalized. If one module needs
# something defined by another module, you can list them in order
# here, and ensure that the configuration will be OK.
#
instantiate {
#
# Allows the execution of external scripts.
# The entire command line (and output) must fit into 253 bytes.
#
# e.g. Framed-Pool = `%{exec:\/bin\/echo foo}`
exec<\/p>\n
#
# The expression module doesn't do authorization,
# authentication, or accounting. It only does dynamic
# translation, of the form:
#
# Session-Timeout = `%{expr:2 + 3}`
#
# So the module needs to be instantiated, but CANNOT be
# listed in any other section. See 'doc\/rlm_expr' for
# more information.
#
expr<\/p>\n
#
# We add the counter module here so that it registers
# the check-name attribute before any module which sets
# it
# daily
}<\/p>\n
# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the \"users\" file.
#
# The order of the realm modules will determine the order that
# we try to find a matching realm.
#
# Make *sure* that 'preprocess' comes before any realm if you
# need to setup hints for the remote radius server
authorize {
#
# The preprocess module takes care of sanitizing some bizarre
# attributes in the request, and turning them into attributes
# which are more standard.
#
# It takes care of processing the 'raddb\/hints' and the
# 'raddb\/huntgroups' files.
#
# It also adds the %{Client-IP-Address} attribute to the request.
preprocess<\/p>\n
#
# If you want to have a log of authentication requests,
# un-comment the following line, and the 'detail auth_log'
# section, above.
# auth_log
# attr_filter<\/p>\n
#
# The chap module will set 'Auth-Type := CHAP' if we are
# handling a CHAP request and Auth-Type has not already been set
chap<\/p>\n
#
# If the users are logging in with an MS-CHAP-Challenge
# attribute for authentication, the mschap module will find
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
# to the request, which will cause the server to then use
# the mschap module for authentication.
mschap<\/p>\n
#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authenticate' section.
# digest<\/p>\n
#
# Look for IPASS style 'realm\/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
# IPASS<\/p>\n
#
# If you are using multiple kinds of realms, you probably
# want to set \"ignore_null = yes\" for all of them.
# Otherwise, when the first style of realm doesn't match,
# the other styles won't be checked.
#
suffix
# ntdomain<\/p>\n
#
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
# authentication.
#
# It also sets the EAP-Type attribute in the request
# attribute list to the EAP type from the packet.
eap<\/p>\n
#
# Read the 'users' file
files<\/p>\n
#
# Look in an SQL database. The schema of the database
# is meant to mirror the \"users\" file.
#
# See \"Authorization Queries\" in sql.conf
sql<\/p>\n
#
# If you are using \/etc\/smbpasswd, and are also doing
# mschap authentication, the un-comment this line, and
# configure the 'etc_smbpasswd' module, above.
# etc_smbpasswd<\/p>\n
#
# The ldap module will set Auth-Type to LDAP if it has not
# already been set
# ldap<\/p>\n
#
# Enforce daily limits on time spent logged in.
# daily<\/p>\n
#
# Use the checkval module
# checkval
}<\/p>\n
# Authentication.
#
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that a module from the 'authorize' section adds a configuration
# attribute 'Auth-Type := FOO'. That authentication type is then
# used to pick the apropriate module from the list below.
#<\/p>\n
# In general, you SHOULD NOT set the Auth-Type attribute. The server
# will figure it out on its own, and will do the right thing. The
# most common side effect of erroneously setting the Auth-Type
# attribute is that one authentication method will work, but the
# others will not.
#
# The common reasons to set the Auth-Type attribute by hand
# is to either forcibly reject the user, or forcibly accept him.
#
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}<\/p>\n
#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}<\/p>\n
#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}<\/p>\n
#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authorize' section.
# digest<\/p>\n
#
# Pluggable Authentication Modules.
# pam<\/p>\n
#
# See 'man getpwent' for information on how the 'unix'
# module checks the users password. Note that packets
# containing CHAP-Password attributes CANNOT be authenticated
# against \/etc\/passwd! See the FAQ for details.
#
unix<\/p>\n
# Uncomment it if you want to use ldap for authentication
#
# Note that this means \"check plain-text password against
# the ldap database\", which means that EAP won't work,
# as it does not supply a plain-text password.
# Auth-Type LDAP {
# ldap
# }<\/p>\n
#
# Allow EAP authentication.
eap
}<\/p>\n
#
# Pre-accounting. Decide which accounting type to use.
#
preacct {
preprocess<\/p>\n
#
# Ensure that we have a semi-unique identifier for every
# request, and many NAS boxes are broken.
acct_unique<\/p>\n
#
# Look for IPASS-style 'realm\/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
#
# Accounting requests are generally proxied to the same
# home server as authentication requests.
# IPASS
suffix
# ntdomain<\/p>\n
#
# Read the 'acct_users' file
files
}<\/p>\n
#
# Accounting. Log the accounting data.
#
accounting {
#
# Create a 'detail'ed log of the packets.
# Note that accounting requests which are proxied
# are also logged in the detail file.
detail
# daily<\/p>\n
# Update the wtmp file
#
# If you don't use \"radlast\", you can delete this line.
unix<\/p>\n
#
# For Simultaneous-Use tracking.
#
# Due to packet losses in the network, the data here
# may be incorrect. There is little we can do about it.
radutmp
# sradutmp<\/p>\n
# Return an address to the IP Pool when we see a stop record.
# main_pool<\/p>\n
#
# Log traffic to an SQL database.
#
# See \"Accounting queries\" in sql.conf
sql<\/p>\n
#
# Instead of sending the query to the SQL server,
# write it into a log file.
#
# sql_log<\/p>\n
# Cisco VoIP specific bulk accounting
# pgsql-voip<\/p>\n
}<\/p>\n
# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
radutmp<\/p>\n
#
# See \"Simultaneous Use Checking Querie\" in sql.conf
sql
}<\/p>\n
# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
post-auth {
# Get an address from the IP Pool.
# main_pool<\/p>\n
#
# If you want to have a log of authentication replies,
# un-comment the following line, and the 'detail reply_log'
# section, above.
# reply_log<\/p>\n
#
# After authenticating the user, do another SQL query.
#
# See \"Authentication Logging Queries\" in sql.conf
sql<\/p>\n
#
# Instead of sending the query to the SQL server,
# write it into a log file.
#
# sql_log<\/p>\n
#
# Un-comment the following if you have set
# 'edir_account_policy_check = yes' in the ldap module sub-section of
# the 'modules' section.
#
# ldap
#
# Access-Reject packets are sent through the REJECT sub-section of the
# post-auth section.
# Uncomment the following and set the module name to the ldap instance
# name if you have set 'edir_account_policy_check = yes' in the ldap
# module sub-section of the 'modules' section.
#
# Post-Auth-Type REJECT {
# insert-module-name-here
# }<\/p>\n
}<\/p>\n
#
# When the server decides to proxy a request to a home server,
# the proxied request is first passed through the pre-proxy
# stage. This stage can re-write the request, or decide to
# cancel the proxy.
#
# Only a few modules currently have this method.
#
pre-proxy {
# attr_rewrite<\/p>\n
# Uncomment the following line if you want to change attributes
# as defined in the preproxy_users file.
# files<\/p>\n
# If you want to have a log of packets proxied to a home
# server, un-comment the following line, and the
# 'detail pre_proxy_log' section, above.
# pre_proxy_log
}<\/p>\n
#
# When the server receives a reply to a request it proxied
# to a home server, the request may be massaged here, in the
# post-proxy stage.
#
post-proxy {<\/p>\n
# If you want to have a log of replies from a home server,
# un-comment the following line, and the 'detail post_proxy_log'
# section, above.
# post_proxy_log<\/p>\n
# attr_rewrite<\/p>\n
# Uncomment the following line if you want to filter replies from
# remote proxies based on the rules defined in the 'attrs' file.<\/p>\n
# attr_filter<\/p>\n
#
# If you are proxying LEAP, you MUST configure the EAP
# module, and you MUST list it here, in the post-proxy
# stage.
#
# You MUST also use the 'nostrip' option in the 'realm'
# configuration. Otherwise, the User-Name attribute
# in the proxied request will not match the user name
# hidden inside of the EAP packet, and the end server will
# reject the EAP request.
#
eap
}<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
\u4fee\u6539\/etc\/freeradius\/sql.conf<\/p>\n
\u5c06\u5982\u4e0b\u90e8\u5206\u5bf9\u5e94Mysql\u4e2d\u8bbe\u7f6e\u8fdb\u884c\u4fee\u6539.<\/p>\n
# Connect info
server = \"localhost\"
login = \"root\"
password = \"u password \"<\/p>\n
# Database table configuration
radius_db = \"radius\"<\/p>\n
<\/p>\n
vim \/etc\/freeradius\/sql.conf<\/p>\n