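#
# FreeRADIUS server configuration (radiusd.conf).
#
# Layout: path/variable definitions, daemon settings, listen/log/security
# blocks, the client list ($INCLUDE clients.conf), the thread pool, the
# module definitions, the instantiate list, and finally the processing
# sections (authorize, authenticate, preacct, post-auth).
#
# Review changes versus the original file:
#   - log: auth_badpass / auth_goodpass switched from yes to no, so user
#     passwords are no longer written in cleartext to radius.log.
#   - db_dir: "$(raddbdir)" replaced by "${raddbdir}"; the configuration
#     parser only expands the ${...} form, so the old value was taken
#     literally and the counter module's filename pointed at a bogus path.
#   - detail auth_log: detailperm = 0600 made explicit, matching the other
#     detail instances.
#   - Non-English and mis-encoded comments translated; typos fixed.
#

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius

# Only ${...} is expanded by the config parser; the former "$(raddbdir)"
# was a literal string.
db_dir = ${raddbdir}

libdir = /usr/lib/freeradius

pidfile = ${run_dir}/freeradius.pid


# Drop privileges to this unprivileged account after start-up.  Files the
# server writes (logs, detail files, counter db) must be writable by it;
# files it only reads (clients.conf, users, the exec script) should not be.
user = freerad
group = freerad

max_request_time = 30

cleanup_delay = 5

max_requests = 1024

listen {

	type = auth
	# "*" binds every interface; restrict this to the management / NAS-facing
	# address on a multi-homed host.
	ipaddr = *
	# 0 = use the port from /etc/services for "radius" (normally 1812).
	port = 0

}

hostname_lookups = no

# Core dumps of a RADIUS daemon contain shared secrets and credentials;
# keep this off in production.
allow_core_dumps = no

regular_expressions = yes
extended_expressions = yes

log {
	destination = files
	file = ${logdir}/radius.log
	syslog_facility = daemon
	stripped_names = no
	# Log every authentication attempt (outcome, user, client) ...
	auth = yes
	# ... but never the password itself.  With either of these set to
	# "yes" the cleartext password is written to radius.log, which turns
	# the log file into a credential store (and a mistyped password is
	# usually a close variant of the real one).
	auth_badpass = no
	auth_goodpass = no
}

checkrad = ${sbindir}/checkrad

security {
	# Drop packets carrying more than this many attributes (DoS guard).
	max_attributes = 200
	# Delay Access-Reject replies by one second: slows down online
	# password guessing without affecting legitimate users.
	reject_delay = 1
	# Answer Status-Server packets; only clients that know the shared
	# secret listed in clients.conf get a response.
	status_server = yes
}

# Client definitions and their shared secrets live here; keep the file
# readable by root and the "freerad" user only.
$INCLUDE clients.conf

thread pool {
	start_servers = 10
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	max_requests_per_server = 0
}

modules {
	checkval {
		# The attribute to look for in the request
		item-name = Calling-Station-Id

		# The attribute to look for in check items. Can be multi valued
		check-name = Calling-Station-Id

		# The data type. Can be
		# string,integer,ipaddr,date,abinary,octets
		data-type = string

		# If set to yes and we don't find the item-name attribute in the
		# request then we send back a reject
		# DEFAULT is no
		#notfound-reject = no
	}

	# Preprocess the incoming RADIUS request, before handing it off
	# to other modules.
	#
	# This module processes the 'huntgroups' and 'hints' files.
	# In addition, it re-writes some weird attributes created
	# by some NASes, and converts the attributes into a form which
	# is a little more standard.
	#
	preprocess {
		huntgroups = ${confdir}/huntgroups
		hints = ${confdir}/hints

		# This hack changes Ascend's weird port numberings
		# to standard 0-??? port numbers so that the "+" works
		# for IP address assignments.
		with_ascend_hack = no
		ascend_channels_per_line = 23
		with_ntdomain_hack = no
		with_specialix_jetstream_hack = no
		with_cisco_vsa_hack = no
	}

	# Livingston-style 'users' file
	#
	files {
		# The default key attribute to use for matches. The content
		# of this attribute is used to match the "name" of the
		# entry.
		#key = "%{Stripped-User-Name:-%{User-Name}}"

		# This is the file used to check whether the request is of the
		# type we expect.
		usersfile = ${confdir}/users
		compat = no
	}

	# Write a detailed log of all accounting records received.
	#
	# Detail files contain every attribute of the request (user names,
	# NAS addresses, session identifiers); detailperm = 0600 keeps them
	# readable by the "freerad" user only.
	#
	detail {
		detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
		detailperm = 0600

		#
		# Every entry in the detail file has a header which
		# is a timestamp. By default, we use the ctime
		# format (see "man ctime" for details).
		#
		# The header can be customized by editing this
		# string. See "doc/variables.txt" for a description
		# of what can be put here.
		#
		header = "%t"
	}
	detail auth_log {
		detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
		# Made explicit for consistency with the other detail instances.
		detailperm = 0600
	}
	detail reply_log {
		detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d

		detailperm = 0600
	}

	acct_unique {
		key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
	}

	# Enforce RFC requirements on the contents of Access-Reject
	# packets. See the comments at the top of the file for
	# more details.
	#
	attr_filter attr_filter.access_reject {
		key = %{User-Name}
		attrsfile = ${confdir}/attrs.access_reject
	}

	# Enforce RFC requirements on the contents of the
	# Accounting-Response packets. See the comments at the
	# top of the file for more details.
	#
	attr_filter attr_filter.accounting_response {
		key = %{User-Name}
		attrsfile = ${confdir}/attrs.accounting_response
	}

	counter daily {
		filename = ${db_dir}/db.daily
		key = User-Name
		count-attribute = Acct-Session-Time
		reset = daily
		counter-name = Daily-Session-Time
		check-name = Max-Daily-Session
		reply-name = Session-Timeout
		allowed-servicetype = Framed-User
		cache-size = 5000
	}

	#
	# Execute external programs
	#
	# This module is useful only for 'xlat'. To use it,
	# put 'exec' into the 'instantiate' section. You can then
	# do dynamic translation of attributes like:
	#
	# Attribute-Name = `%{exec:/path/to/program args}`
	#
	# The value of the attribute will be replaced with the output
	# of the program which is executed. Due to RADIUS protocol
	# limitations, any output over 253 bytes will be ignored.
	#
	# The RADIUS attributes from the user request will be placed
	# into environment variables of the executed program, as
	# described in 'doc/variables.txt'
	#
	# This instance is run from the post-auth section below, so the
	# script sees the request attributes of every authenticated user
	# in its environment and its output is merged into the reply.
	# The script and its directory must therefore be owned by root and
	# not writable by the "freerad" user: whoever can edit it controls
	# the reply attributes handed to the NAS.  shell_escape is not set
	# on this instance (the echo instance below sets it explicitly);
	# the module default is documented as "yes" -- confirm for the
	# installed version.
	#
	exec {
		wait = yes
		program = "/usr/scripts/radius_auth.py"
		input_pairs = request
		# So that the script's output is picked up by freeradius
		output_pairs = reply
	}

	#
	# This is a more general example of the execute module.
	#
	# This one is called "echo".
	#
	# Attribute-Name = `%{echo:/path/to/program args}`
	#
	# If you wish to execute an external program in more than
	# one section (e.g. 'authorize', 'pre_proxy', etc), then it
	# is probably best to define a different instance of the
	# 'exec' module for every section.
	#
	# The return value of the program run determines the result
	# of the exec instance call as follows:
	# (See doc/configurable_failover for details)
	#
	# < 0 : fail      the module failed
	# = 0 : ok        the module succeeded
	# = 1 : reject    the module rejected the user
	# = 2 : fail      the module failed
	# = 3 : ok        the module succeeded
	# = 4 : handled   the module has done everything to handle the request
	# = 5 : invalid   the user's configuration entry was invalid
	# = 6 : userlock  the user was locked out
	# = 7 : notfound  the user was not found
	# = 8 : noop      the module did nothing
	# = 9 : updated   the module updated information in the request
	# > 9 : fail      the module failed
	#
	exec echo {
		#
		# Wait for the program to finish.
		#
		# If we do NOT wait, then the program is "fire and
		# forget", and any output attributes from it are ignored.
		#
		# If we are looking for the program to output
		# attributes, and want to add those attributes to the
		# request, then we MUST wait for the program to
		# finish, and therefore set 'wait=yes'
		#
		# allowed values: {no, yes}
		wait = yes

		#
		# The name of the program to execute, and its
		# arguments. Dynamic translation is done on this
		# field, so things like the following example will
		# work.
		#
		program = "/bin/echo %{User-Name}"

		#
		# The attributes which are placed into the
		# environment variables for the program.
		#
		# Allowed values are:
		#
		#	request		attributes from the request
		#	config		attributes from the configuration items list
		#	reply		attributes from the reply
		#	proxy-request	attributes from the proxy request
		#	proxy-reply	attributes from the proxy reply
		#
		# Note that some attributes may not exist at some
		# stages. e.g. There may be no proxy-reply
		# attributes if this module is used in the
		# 'authorize' section.
		#
		input_pairs = request

		#
		# Where to place the output attributes (if any) from
		# the executed program. The values allowed, and the
		# restrictions as to availability, are the same as
		# for the input_pairs.
		#
		output_pairs = reply

		#
		# When to execute the program. If the packet
		# type does NOT match what's listed here, then
		# the module does NOT execute the program.
		#
		# For a list of allowed packet types, see
		# the 'dictionary' file, and look for VALUEs
		# of the Packet-Type attribute.
		#
		# By default, the module executes on ANY packet.
		# Un-comment out the following line to tell the
		# module to execute only if an Access-Accept is
		# being sent to the NAS.
		#
		#packet_type = Access-Accept

		#
		# Should we escape the environment variables?
		#
		# If this is set, all the RADIUS attributes
		# are capitalised and dashes replaced with
		# underscores. Also, RADIUS values are surrounded
		# with double-quotes.
		#
		# That is to say: User-Name=BobUser => USER_NAME="BobUser"
		shell_escape = yes

	}

	# Module implementing a DIFFERENT policy language.
	# The syntax here is NOT "unlang", but something else.
	#
	# See the "policy.txt" file for documentation and examples.
	#
	policy {
		# The only configuration item is a filename containing
		# the policies to execute.
		#
		# When "policy" is listed in a section (e.g. "authorize"),
		# it will run a policy named for that section.
		#
		filename = ${confdir}/policy.txt
	}

}

instantiate {
	#
	# Allows the execution of external scripts.
	# The entire command line (and output) must fit into 253 bytes.
	#
	# e.g. Framed-Pool = `%{exec:/bin/echo foo}`
	#
#	exec

	#
	# The expression module doesn't do authorization,
	# authentication, or accounting. It only does dynamic
	# translation, of the form:
	#
	#	Session-Timeout = `%{expr:2 + 3}`
	#
	# So the module needs to be instantiated, but CANNOT be
	# listed in any other section. See 'doc/rlm_expr' for
	# more information.
	#
#	expr

	#
	# We add the counter module here so that it registers
	# the check-name attribute before any module which sets
	# it
#	expiration
#	logintime

}

$INCLUDE policy.conf


authorize {
	preprocess
	files
}

# NOTE(review): "files" only looks up entries in the users file; whether
# this instance also provides an authenticate method depends on the
# installed rlm_files version -- confirm at start-up that the server does
# not reject this section, and that real credential checking is done by
# the users file check items / the post-auth exec script.
authenticate {
	files
}

preacct {
	preprocess
	acct_unique
	files
}

#accounting {
#	detail
#	radutmp
#}

#session {
#	radutmp
#}
# Runs /usr/scripts/radius_auth.py (the "exec" instance above) after
# every authentication and merges its output into the reply.
post-auth {
	exec
}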