From e9c843f6d57ed21e3aa682eb12579355638cea77 Mon Sep 17 00:00:00 2001 From: Daniel STAN Date: Sat, 14 Mar 2015 15:08:48 +0100 Subject: [PATCH] radius: conf de test sur pea --- .../radiusd.conf/radiusd.conf.G00_pea | 772 ++++++++++++++++++ 1 file changed, 772 insertions(+) create mode 100644 Cfg/etc/freeradius/radiusd.conf/radiusd.conf.G00_pea diff --git a/Cfg/etc/freeradius/radiusd.conf/radiusd.conf.G00_pea b/Cfg/etc/freeradius/radiusd.conf/radiusd.conf.G00_pea new file mode 100644 index 0000000..c9ad25d --- /dev/null +++ b/Cfg/etc/freeradius/radiusd.conf/radiusd.conf.G00_pea @@ -0,0 +1,772 @@ +# -*- text -*- +## +## radiusd.conf -- FreeRADIUS server configuration file. +## +## http://www.freeradius.org/ +## $Id: radiusd.conf.in,v 1.275 2008/05/30 09:18:43 aland Exp $ +## + +###################################################################### +# +# Read "man radiusd" before editing this file. See the section +# titled DEBUGGING. It outlines a method where you can quickly +# obtain the configuration you want, without running into +# trouble. +# +# Run the server in debugging mode, and READ the output. +# +# $ radiusd -X +# +# We cannot emphasize this point strongly enough. The vast +# majority of problems can be solved by carefully reading the +# debugging output, which includes warnings about common issues, +# and suggestions for how they may be fixed. +# +# There may be a lot of output, but look carefully for words like: +# "warning", "error", "reject", or "failure". The messages there +# will usually be enough to guide you to a solution. +# +# If you are going to ask a question on the mailing list, then +# explain what you are trying to do, and include the output from +# debugging mode (radiusd -X). Failure to do so means that all +# of the responses to your question will be people telling you +# to "post the output of radiusd -X". + +###################################################################### +# +# The location of other config files and logfiles are declared +# in this file. +# +# Also general configuration for modules can be done in this +# file, it is exported through the API to modules that ask for +# it. +# +# See "man radiusd.conf" for documentation on the format of this +# file. Note that the individual configuration items are NOT +# documented in that "man" page. They are only documented here, +# in the comments. +# +# As of 2.0.0, FreeRADIUS supports a simple processing language +# in the "authorize", "authenticate", "accounting", etc. sections. +# See "man unlang" for details. +# + +prefix = /usr +exec_prefix = /usr +sysconfdir = /etc +localstatedir = /var +sbindir = ${exec_prefix}/sbin +logdir = /var/log/freeradius +raddbdir = /etc/freeradius +radacctdir = ${logdir}/radacct +crans_conf = /usr/scripts/freeradius + +# Location of config and logfiles. +confdir = ${raddbdir} +run_dir = ${localstatedir}/run/freeradius + +# Should likely be ${localstatedir}/lib/radiusd +db_dir = $(raddbdir) + +# +# libdir: Where to find the rlm_* modules. +# +# This should be automatically set at configuration time. +# +# If the server builds and installs, but fails at execution time +# with an 'undefined symbol' error, then you can use the libdir +# directive to work around the problem. +# +# The cause is usually that a library has been installed on your +# system in a place where the dynamic linker CANNOT find it. When +# executing as root (or another user), your personal environment MAY +# be set up to allow the dynamic linker to find the library. When +# executing as a daemon, FreeRADIUS MAY NOT have the same +# personalized configuration. +# +# To work around the problem, find out which library contains that symbol, +# and add the directory containing that library to the end of 'libdir', +# with a colon separating the directory names. NO spaces are allowed. +# +# e.g. libdir = /usr/local/lib:/opt/package/lib +# +# You can also try setting the LD_LIBRARY_PATH environment variable +# in a script which starts the server. +# +# If that does not work, then you can re-configure and re-build the +# server to NOT use shared libraries, via: +# +# ./configure --disable-shared +# make +# make install +# +libdir = /usr/lib/freeradius + +# pidfile: Where to place the PID of the RADIUS server. +# +# The server may be signalled while it's running by using this +# file. +# +# This file is written when ONLY running in daemon mode. +# +# e.g.: kill -HUP `cat /var/run/freeradius/freeradius.pid` +# +pidfile = ${run_dir}/freeradius.pid + +# chroot: directory where the server does "chroot". +# +# The chroot is done very early in the process of starting the server. +# After the chroot has been performed it switches to the "user" listed +# below (which MUST be specified). If "group" is specified, it switchs +# to that group, too. Any other groups listed for the specified "user" +# in "/etc/group" are also added as part of this process. +# +# The current working directory (chdir / cd) is left *outside* of the +# chroot until all of the modules have been initialized. This allows +# the "raddb" directory to be left outside of the chroot. Once the +# modules have been initialized, it does a "chdir" to ${logdir}. This +# means that it should be impossible to break out of the chroot. +# +# If you are worried about security issues related to this use of chdir, +# then simply ensure that the "raddb" directory is inside of the chroot, +# end be sure to do "cd raddb" BEFORE starting the server. +# +# If the server is statically linked, then the only files that have +# to exist in the chroot are ${run_dir} and ${logdir}. If you do the +# "cd raddb" as discussed above, then the "raddb" directory has to be +# inside of the chroot directory, too. +# +#chroot = /path/to/chroot/directory + +# user/group: The name (or #number) of the user/group to run freeradius as. +# +# If these are commented out, the server will run as the user/group +# that started it. In order to change to a different user/group, you +# MUST be root ( or have root privleges ) to start the server. +# +# We STRONGLY recommend that you run the server with as few permissions +# as possible. That is, if you're not using shadow passwords, the +# user and group items below should be set to radius'. +# +# NOTE that some kernels refuse to setgid(group) when the value of +# (unsigned)group is above 60000; don't use group nobody on these systems! +# +# On systems with shadow passwords, you might have to set 'group = shadow' +# for the server to be able to read the shadow password file. If you can +# authenticate users while in debug mode, but not in daemon mode, it may be +# that the debugging mode server is running as a user that can read the +# shadow info, and the user listed below can not. +# +# The server will also try to use "initgroups" to read /etc/groups. +# It will join all groups where "user" is a member. This can allow +# for some finer-grained access controls. +# +user = freerad +group = freerad + +# max_request_time: The maximum time (in seconds) to handle a request. +# +# Requests which take more time than this to process may be killed, and +# a REJECT message is returned. +# +# WARNING: If you notice that requests take a long time to be handled, +# then this MAY INDICATE a bug in the server, in one of the modules +# used to handle a request, OR in your local configuration. +# +# This problem is most often seen when using an SQL database. If it takes +# more than a second or two to receive an answer from the SQL database, +# then it probably means that you haven't indexed the database. See your +# SQL server documentation for more information. +# +# Useful range of values: 5 to 120 +# +max_request_time = 30 + +# cleanup_delay: The time to wait (in seconds) before cleaning up +# a reply which was sent to the NAS. +# +# The RADIUS request is normally cached internally for a short period +# of time, after the reply is sent to the NAS. The reply packet may be +# lost in the network, and the NAS will not see it. The NAS will then +# re-send the request, and the server will respond quickly with the +# cached reply. +# +# If this value is set too low, then duplicate requests from the NAS +# MAY NOT be detected, and will instead be handled as seperate requests. +# +# If this value is set too high, then the server will cache too many +# requests, and some new requests may get blocked. (See 'max_requests'.) +# +# Useful range of values: 2 to 10 +# +cleanup_delay = 5 + +# max_requests: The maximum number of requests which the server keeps +# track of. This should be 256 multiplied by the number of clients. +# e.g. With 4 clients, this number should be 1024. +# +# If this number is too low, then when the server becomes busy, +# it will not respond to any new requests, until the 'cleanup_delay' +# time has passed, and it has removed the old requests. +# +# If this number is set too high, then the server will use a bit more +# memory for no real benefit. +# +# If you aren't sure what it should be set to, it's better to set it +# too high than too low. Setting it to 1000 per client is probably +# the highest it should be. +# +# Useful range of values: 256 to infinity +# +max_requests = 1024 + +# listen: Make the server listen on a particular IP address, and send +# replies out from that address. This directive is most useful for +# hosts with multiple IP addresses on one interface. +# +# If you want the server to listen on additional addresses, or on +# additionnal ports, you can use multiple "listen" sections. +# +# Each section make the server listen for only one type of packet, +# therefore authentication and accounting have to be configured in +# different sections. +# +# The server ignore all "listen" section if you are using '-i' and '-p' +# on the command line. +# +listen { + # Type of packets to listen for. + # Allowed values are: + # auth listen for authentication packets + # acct listen for accounting packets + # proxy IP to use for sending proxied packets + # detail Read from the detail file. For examples, see + # raddb/sites-available/copy-acct-to-home-server + # + type = auth + + # Note: "type = proxy" lets you control the source IP used for + # proxying packets, with some limitations: + # + # * Only ONE proxy listener can be defined. + # * A proxy listener CANNOT be used in a virtual server section. + # * You should probably set "port = 0". + # * Any "clients" configuration will be ignored. + + # IP address on which to listen. + # Allowed values are: + # dotted quad (1.2.3.4) + # hostname (radius.example.com) + # wildcard (*) + ipaddr = * + + # OR, you can use an IPv6 address, but not both + # at the same time. +# ipv6addr = :: # any. ::1 == localhost + + # Port on which to listen. + # Allowed values are: + # integer port number (1812) + # 0 means "use /etc/services for the proper port" + port = 0 + + # Some systems support binding to an interface, in addition + # to the IP address. This feature isn't strictly necessary, + # but for sites with many IP addresses on one interface, + # it's useful to say "listen on all addresses for eth0". + # + # If your system does not support this feature, you will + # get an error if you try to use it. + # +# interface = eth0 + + # Per-socket lists of clients. This is a very useful feature. + # + # The name here is a reference to a section elsewhere in + # radiusd.conf, or clients.conf. Having the name as + # a reference allows multiple sockets to use the same + # set of clients. + # + # If this configuration is used, then the global list of clients + # is IGNORED for this "listen" section. Take care configuring + # this feature, to ensure you don't accidentally disable a + # client you need. + # + # See clients.conf for the configuration of "per_socket_clients". + # +# clients = per_socket_clients +} + +# Le même mais en ipv6 +listen { + type = auth + ipv6addr = :: # any. ::1 == localhost + port = 0 +} + +# This second "listen" section is for listening on the accounting +# port, too. +# +#listen { +# ipaddr = * +# ipv6addr = :: +# port = 0 +# type = acct +# interface = eth0 +# clients = per_socket_clients +#} + +# hostname_lookups: Log the names of clients or just their IP addresses +# e.g., www.freeradius.org (on) or 206.47.27.232 (off). +# +# The default is 'off' because it would be overall better for the net +# if people had to knowingly turn this feature on, since enabling it +# means that each client request will result in AT LEAST one lookup +# request to the nameserver. Enabling hostname_lookups will also +# mean that your server may stop randomly for 30 seconds from time +# to time, if the DNS requests take too long. +# +# Turning hostname lookups off also means that the server won't block +# for 30 seconds, if it sees an IP address which has no name associated +# with it. +# +# allowed values: {no, yes} +# +hostname_lookups = no + +# Core dumps are a bad thing. This should only be set to 'yes' +# if you're debugging a problem with the server. +# +# allowed values: {no, yes} +# +allow_core_dumps = no + +# Regular expressions +# +# These items are set at configure time. If they're set to "yes", +# then setting them to "no" turns off regular expression support. +# +# If they're set to "no" at configure time, then setting them to "yes" +# WILL NOT WORK. It will give you an error. +# +regular_expressions = yes +extended_expressions = yes + +# +# Logging section. The various "log_*" configuration items +# will eventually be moved here. +# +log { + # + # Destination for log messages. This can be one of: + # + # files - log to "file", as defined below. + # syslog - to syslog (see also the "syslog_facility", below. + # stdout - standard output + # stderr - standard error. + # + # The command-line option "-X" over-rides this option, and forces + # logging to go to stdout. + # + destination = syslog + + # + # The logging messages for the server are appended to the + # tail of this file if ${destination} == "files" + # + # If the server is running in debugging mode, this file is + # NOT used. + # + file = ${logdir}/radius.log + + # + # Which syslog facility to use, if ${destination} == "syslog" + # + # The exact values permitted here are OS-dependent. You probably + # don't want to change this. + # + syslog_facility = daemon + + # Log the full User-Name attribute, as it was found in the request. + # + # allowed values: {no, yes} + # + stripped_names = yes + + # Log authentication requests to the log file. + # + # allowed values: {no, yes} + # + auth = yes + + # Log passwords with the authentication requests. + # auth_badpass - logs password if it's rejected + # auth_goodpass - logs password if it's correct + # + # allowed values: {no, yes} + # + auth_badpass = yes + auth_goodpass = yes + + # On rajoute l'IP de la borne aux logs + # ainsi que la Mac (qui devraient contenir des ":" cf hints) + msg_goodpass="Nas: %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} Mac: %{Calling-Station-Id}" + msg_badpass="Nas: %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} Mac: %{Calling-Station-Id}" +} + +# The program to execute to do concurrency checks. +checkrad = ${sbindir}/checkrad + +# SECURITY CONFIGURATION +# +# There may be multiple methods of attacking on the server. This +# section holds the configuration items which minimize the impact +# of those attacks +# +security { + # + # max_attributes: The maximum number of attributes + # permitted in a RADIUS packet. Packets which have MORE + # than this number of attributes in them will be dropped. + # + # If this number is set too low, then no RADIUS packets + # will be accepted. + # + # If this number is set too high, then an attacker may be + # able to send a small number of packets which will cause + # the server to use all available memory on the machine. + # + # Setting this number to 0 means "allow any number of attributes" + max_attributes = 200 + + # + # reject_delay: When sending an Access-Reject, it can be + # delayed for a few seconds. This may help slow down a DoS + # attack. It also helps to slow down people trying to brute-force + # crack a users password. + # + # Setting this number to 0 means "send rejects immediately" + # + # If this number is set higher than 'cleanup_delay', then the + # rejects will be sent at 'cleanup_delay' time, when the request + # is deleted from the internal cache of requests. + # + # Useful ranges: 1 to 5 + reject_delay = 1 + + # + # status_server: Whether or not the server will respond + # to Status-Server requests. + # + # When sent a Status-Server message, the server responds with + # an Access-Accept or Accounting-Response packet. + # + # This is mainly useful for administrators who want to "ping" + # the server, without adding test users, or creating fake + # accounting packets. + # + # It's also useful when a NAS marks a RADIUS server "dead". + # The NAS can periodically "ping" the server with a Status-Server + # packet. If the server responds, it must be alive, and the + # NAS can start using it for real requests. + # + status_server = yes +} + +# PROXY CONFIGURATION +# +# proxy_requests: Turns proxying of RADIUS requests on or off. +# +# The server has proxying turned on by default. If your system is NOT +# set up to proxy requests to another server, then you can turn proxying +# off here. This will save a small amount of resources on the server. +# +# If you have proxying turned off, and your configuration files say +# to proxy a request, then an error message will be logged. +# +# To disable proxying, change the "yes" to "no", and comment the +# $INCLUDE line. +# +# allowed values: {no, yes} +# +proxy_requests = no +#$INCLUDE ${confdir}/proxy.conf + + +# CLIENTS CONFIGURATION +# +# Client configuration is defined in "clients.conf". +# + +# The 'clients.conf' file contains all of the information from the old +# 'clients' and 'naslist' configuration files. We recommend that you +# do NOT use 'client's or 'naslist', although they are still +# supported. +# +# Anything listed in 'clients.conf' will take precedence over the +# information from the old-style configuration files. +# +#$INCLUDE ${confdir}/clients.conf +$INCLUDE ${crans_conf}/dynamic_clients.conf + + +# SNMP CONFIGURATION +# +# Snmp configuration is only valid if SNMP support was enabled +# at compile time. +# +# To enable SNMP querying of the server, set the value of the +# 'snmp' attribute to 'yes' +# +snmp = no +#$INCLUDE ${confdir}/snmp.conf + + +# THREAD POOL CONFIGURATION +# +# The thread pool is a long-lived group of threads which +# take turns (round-robin) handling any incoming requests. +# +# You probably want to have a few spare threads around, +# so that high-load situations can be handled immediately. If you +# don't have any spare threads, then the request handling will +# be delayed while a new thread is created, and added to the pool. +# +# You probably don't want too many spare threads around, +# otherwise they'll be sitting there taking up resources, and +# not doing anything productive. +# +# The numbers given below should be adequate for most situations. +# +thread pool { + # Number of servers to start initially --- should be a reasonable + # ballpark figure. + start_servers = 5 + + # Limit on the total number of servers running. + # + # If this limit is ever reached, clients will be LOCKED OUT, so it + # should NOT BE SET TOO LOW. It is intended mainly as a brake to + # keep a runaway server from taking the system with it as it spirals + # down... + # + # You may find that the server is regularly reaching the + # 'max_servers' number of threads, and that increasing + # 'max_servers' doesn't seem to make much difference. + # + # If this is the case, then the problem is MOST LIKELY that + # your back-end databases are taking too long to respond, and + # are preventing the server from responding in a timely manner. + # + # The solution is NOT do keep increasing the 'max_servers' + # value, but instead to fix the underlying cause of the + # problem: slow database, or 'hostname_lookups=yes'. + # + # For more information, see 'max_request_time', above. + # + max_servers = 32 + + # Server-pool size regulation. Rather than making you guess + # how many servers you need, FreeRADIUS dynamically adapts to + # the load it sees, that is, it tries to maintain enough + # servers to handle the current load, plus a few spare + # servers to handle transient load spikes. + # + # It does this by periodically checking how many servers are + # waiting for a request. If there are fewer than + # min_spare_servers, it creates a new spare. If there are + # more than max_spare_servers, some of the spares die off. + # The default values are probably OK for most sites. + # + min_spare_servers = 3 + max_spare_servers = 10 + + # There may be memory leaks or resource allocation problems with + # the server. If so, set this value to 300 or so, so that the + # resources will be cleaned up periodically. + # + # This should only be necessary if there are serious bugs in the + # server which have not yet been fixed. + # + # '0' is a special value meaning 'infinity', or 'the servers never + # exit' + max_requests_per_server = 0 +} + +# MODULE CONFIGURATION +# +# The names and configuration of each module is located in this section. +# +# After the modules are defined here, they may be referred to by name, +# in other sections of this configuration file. +# +modules { + # + # Each module has a configuration as follows: + # + # name [ instance ] { + # config_item = value + # ... + # } + # + # The 'name' is used to load the 'rlm_name' library + # which implements the functionality of the module. + # + # The 'instance' is optional. To have two different instances + # of a module, it first must be referred to by 'name'. + # The different copies of the module are then created by + # inventing two 'instance' names, e.g. 'instance1' and 'instance2' + # + # The instance names can then be used in later configuration + # INSTEAD of the original 'name'. See the 'radutmp' configuration + # below for an example. + # + + # + # As of 2.0.5, most of the module configurations are in a + # separate directory. Files matching the regex /[a-zA-Z0-9_.]+/ + # are loaded. The modules are initialized ONLY if they are + # referenced in a processing section, such as authorize, + # authenticate, accounting, pre/post-proxy, etc. + # +# $INCLUDE ${confdir}/modules/ + $INCLUDE ${confdir}/modules/ldap + $INCLUDE ${confdir}/modules/mschap + $INCLUDE ${confdir}/modules/preprocess + $INCLUDE ${confdir}/modules/realm + $INCLUDE ${confdir}/modules/chap + $INCLUDE ${confdir}/modules/acct_unique + $INCLUDE ${crans_conf}/modules/ + # Extensible Authentication Protocol + # + # For all EAP related authentications. + # Now in another file, because it is very large. + # + $INCLUDE ${confdir}/eap.conf + + # Include another file that has the SQL-related configuration. + # This is another file only because it tends to be big. + # +# $INCLUDE ${confdir}/sql.conf + + + # For Cisco VoIP specific accounting with Postgresql, + # use: ${confdir}/sql/postgresql/voip-postpaid.conf + # + # You will also need the sql schema from: + # src/billing/cisco_h323_db_schema-postgres.sql + # Note: This config can be use AS WELL AS the standard sql + # config if you need SQL based Auth + + # + # This module is an SQL enabled version of the counter module. + # + # Rather than maintaining seperate (GDBM) databases of + # accounting info for each counter, this module uses the data + # stored in the raddacct table by the sql modules. This + # module NEVER does any database INSERTs or UPDATEs. It is + # totally dependent on the SQL module to process Accounting + # packets. + # +# $INCLUDE ${confdir}/sql/mysql/counter.conf + #$INCLUDE ${confdir}/sql/postgresql/counter.conf + + # $INCLUDE ${confdir}/sqlippool.conf + + # OTP token support. Not included by default. + # $INCLUDE ${confdir}/otp.conf + +} + +# Instantiation +# +# This section orders the loading of the modules. Modules +# listed here will get loaded BEFORE the later sections like +# authorize, authenticate, etc. get examined. +# +# This section is not strictly needed. When a section like +# authorize refers to a module, it's automatically loaded and +# initialized. However, some modules may not be listed in any +# of the following sections, so they can be listed here. +# +# Also, listing modules here ensures that you have control over +# the order in which they are initalized. If one module needs +# something defined by another module, you can list them in order +# here, and ensure that the configuration will be OK. +# +instantiate { + # + # Allows the execution of external scripts. + # The entire command line (and output) must fit into 253 bytes. + # + # e.g. Framed-Pool = `%{exec:/bin/echo foo}` +# exec + + # + # The expression module doesn't do authorization, + # authentication, or accounting. It only does dynamic + # translation, of the form: + # + # Session-Timeout = `%{expr:2 + 3}` + # + # So the module needs to be instantiated, but CANNOT be + # listed in any other section. See 'doc/rlm_expr' for + # more information. + # +# expr + + # + # We add the counter module here so that it registers + # the check-name attribute before any module which sets + # it +# daily +# expiration +# logintime + + # subsections here can be thought of as "virtual" modules. + # + # e.g. If you have two redundant SQL servers, and you want to + # use them in the authorize and accounting sections, you could + # place a "redundant" block in each section, containing the + # exact same text. Or, you could uncomment the following + # lines, and list "redundant_sql" in the authorize and + # accounting sections. + # + #redundant redundant_sql { + # sql1 + # sql2 + #} +} + +###################################################################### +# +# Policies that can be applied in multiple places are listed +# globally. That way, they can be defined once, and referred +# to multiple times. +# +###################################################################### +$INCLUDE ${confdir}/policy.conf + +###################################################################### +# +# As of 2.0.0, the "authorize", "authenticate", etc. sections +# are in separate configuration files, per virtual host. +# +###################################################################### + +###################################################################### +# +# Include all enabled virtual hosts. +# +# The following directory is searched for files that match +# the regex: +# +# /[a-zA-Z0-9_.]+/ +# +# The files are then included here, just as if they were cut +# and pasted into this file. +# +# See "sites-enabled/default" for some additional documentation. +# +$INCLUDE sites-enabled/ +$INCLUDE ${crans_conf}/sites-available/