
@# ---- Installation layout ---------------------------------------------------
@# Every path below is referenced elsewhere in this file as ${name}.
@prefix = /usr
@exec_prefix = /usr
@sysconfdir = /etc
@localstatedir = /var
@sbindir = ${exec_prefix}/sbin
@logdir = /var/log/freeradius
@raddbdir = /etc/freeradius
@radacctdir = ${logdir}/radacct
@
@confdir = ${raddbdir}
@run_dir = ${localstatedir}/run/freeradius
@
@# NOTE(review): "$(raddbdir)" is not the "${...}" reference form used on every
@# other line of this file and looks like a typo for ${raddbdir}.  Its only
@# consumer here is "counter daily" (filename = ${db_dir}/db.daily), which no
@# section of this file lists, so the mistake is latent -- confirm and fix it
@# before that module is ever enabled.
@db_dir = $(raddbdir)
@
@libdir = /usr/lib/freeradius
@
@pidfile = ${run_dir}/freeradius.pid
@
@
@# Unprivileged account the server is configured to run under (per the stock
@# radiusd.conf, the identity it switches to after start-up).
@user = freerad
@group = freerad
@
@# Per-request lifetime (seconds) before the request is abandoned.
@max_request_time = 30
@
@# Seconds a finished request is kept so duplicate packets get the cached reply.
@cleanup_delay = 5
@
@# Upper bound on requests in flight; further packets are dropped.
@max_requests = 1024
@
@# Single authentication listener.  There is no accounting listener in this
@# file (the accounting/session sections at the bottom are commented out).
@listen {
@
@ type = auth
@ # "*" binds every local address.  On a multi-homed host restrict this to the
@ # NAS-facing address; clients.conf (included below) is presumably the only
@ # other filter on who may talk to this port.
@ ipaddr = *
@ # In the stock configuration 0 means "take the port from the radius entry
@ # in /etc/services" (normally 1812) -- confirm if a non-default port was
@ # intended.
@ port = 0
@
@}
@
@# Log client addresses as-is; no reverse DNS on the request path.
@hostname_lookups = no
@
@# Never leave a core file behind: it could contain in-memory shared secrets
@# and passwords.
@allow_core_dumps = no
@
@# Allow =~ / !~ matching in the users, hints and huntgroups files.
@regular_expressions = yes
@extended_expressions = yes
@
@log {
@ destination = files
@ file = ${logdir}/radius.log
@ syslog_facility = daemon
@ # Log the User-Name exactly as received, not the realm-stripped form.
@ stripped_names = no
@ # One line per authentication attempt (accept/reject).
@ auth = yes
@ # NOTE(review): with stock FreeRADIUS semantics, auth_badpass and
@ # auth_goodpass append the password of every failed / successful attempt to
@ # radius.log.  That is tolerable only if no real user credentials cross this
@ # server (e.g. pure Calling-Station-Id / MAC authentication); otherwise set
@ # both to "no".  Either way radius.log must stay readable by root and
@ # ${user} only.
@ auth_badpass = yes
@ auth_goodpass = yes
@}
@
@# Helper used for simultaneous-use checks; only relevant if a "session"
@# section is enabled (it is commented out below).
@checkrad = ${sbindir}/checkrad
@
@security {
@ # Packets carrying more attributes than this are dropped (cheap DoS guard).
@ max_attributes = 200
@ # Seconds to wait before sending an Access-Reject: slows down
@ # password/MAC guessing at no cost to legitimate users.  Keep it >= 1.
@ reject_delay = 1
@ # Answer Status-Server probes.  Harmless on an internal network, but it
@ # lets any configured client confirm the server is alive -- presumably only
@ # hosts listed in clients.conf get an answer; confirm.
@ status_server = yes
@}
@
@# NAS definitions and their shared secrets are expected in clients.conf (not
@# shown here).  Since the listener binds every address, that file is the
@# effective access-control list for this server.
@$INCLUDE clients.conf
@
@# Worker-thread sizing.  max_requests_per_server = 0 is the stock "no limit":
@# threads are never recycled after a fixed number of requests.
@thread pool {
@ start_servers = 10
@ max_servers = 32
@ min_spare_servers = 3
@ max_spare_servers = 10
@ max_requests_per_server = 0
@}
@
@modules {
@ # Compare the request's Calling-Station-Id with the Calling-Station-Id
@ # check item(s) of the matching users entry -- presumably a MAC-address
@ # allow-list.
@ # NOTE(review): no section of this file (authorize / authenticate / preacct
@ # / post-auth) lists "checkval", so as written this instance never runs.
@ # Confirm whether that is intended.
@ checkval {
@ # The attribute to look for in the request
@ item-name = Calling-Station-Id
@
@ # The attribute to look for in check items. Can be multi valued
@ check-name = Calling-Station-Id
@
@ # The data type. Can be
@ # string,integer,ipaddr,date,abinary,octets
@ data-type = string
@
@ # If set to yes and we don't find the item-name attribute in the
@ # request then we send back a reject
@ # DEFAULT is no
@ # Left at the default: a request lacking Calling-Station-Id would pass
@ # through this module untouched instead of being rejected.
@ #notfound-reject = no
@ }
@
@ # Preprocess the incoming RADIUS request, before handing it off
@ # to other modules.
@ #
@ # This module processes the 'huntgroups' and 'hints' files.
@ # In addition, it re-writes some weird attributes created
@ # by some NASes, and converts the attributes into a form which
@ # is a little more standard.
@ #
@ # Listed first in both the "authorize" and "preacct" sections below.
@ #
@ preprocess {
@ huntgroups = ${confdir}/huntgroups
@ hints = ${confdir}/hints
@
@ # This hack changes Ascend's weird port numberings
@ # to standard 0-??? port numbers so that the "+" works
@ # for IP address assignments.
@ #
@ # All vendor-specific rewrites are off.  Enable one only for a NAS type
@ # that needs it: each hack mutates request attributes before any policy
@ # (users file, post-auth script) sees them.
@ with_ascend_hack = no
@ ascend_channels_per_line = 23
@ with_ntdomain_hack = no
@ with_specialix_jetstream_hack = no
@ with_cisco_vsa_hack = no
@ }
@
@ # Livingston-style 'users' file
@ #
@ # Listed in authorize, authenticate and preacct below, so ${confdir}/users
@ # carries essentially the whole policy of this server -- keep it
@ # root-owned and not world-writable.
@ #
@ files {
@ # The default key attribute to use for matches. The content
@ # of this attribute is used to match the "name" of the
@ # entry.
@ # (Commented out: entries are matched on the stock default key, which is
@ # User-Name as far as we can tell -- confirm against the users file.)
@ #key = "%{Stripped-User-Name:-%{User-Name}}"
@
@ # The users file is where we check that the request really is of the
@ # type we expect.
@ usersfile = ${confdir}/users
@ # Stock meaning: no Cistron-compatibility rewriting of old-style entries.
@ compat = no
@ }
@
@ # Write a detailed log of all accounting records received.
@ #
@ # NOTE(review): none of the three "detail" instances in this file is listed
@ # in any section (the accounting section below is commented out), so as
@ # configured nothing is written under ${radacctdir}.
@ #
@ detail {
@ # One file per client address per day.  Detail files carry every
@ # attribute of the packet, hence the 0600 mode.
@ detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
@ detailperm = 0600
@
@ #
@ # Every entry in the detail file has a header which
@ # is a timestamp. By default, we use the ctime
@ # format (see "man ctime" for details).
@ #
@ # The header can be customized by editing this
@ # string. See "doc/variables.txt" for a description
@ # of what can be put here.
@ #
@ header = "%t"
@ }
@ # NOTE(review): unlike the other two detail instances this one sets no
@ # detailperm.  If it is ever wired into a section, set 0600 explicitly:
@ # an auth detail file would hold the full request, User-Password included
@ # when one is present.
@ detail auth_log {
@ detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
@ }
@ # Per-client, per-day log of reply attributes; not listed in any section of
@ # this file as written.
@ detail reply_log {
@ detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
@
@ # Reply attributes can reveal VLAN / filter assignments: keep them private.
@ detailperm = 0600
@ }
@
@ # Used in "preacct" below.  Stock behaviour: derives a stable
@ # Acct-Unique-Session-Id from the attributes listed in "key".
@ acct_unique {
@ key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
@ }
@
@ # Enforce RFC requirements on the contents of Access-Reject
@ # packets. See the comments at the top of the file for
@ # more details.
@ #
@ # NOTE(review): neither attr_filter instance is listed in any section of
@ # this file, so rejects and accounting responses go out unfiltered as
@ # written.  If the post-auth script can emit attributes on a reject path,
@ # wiring attr_filter.access_reject into post-auth's REJECT handling is the
@ # usual safeguard -- confirm against the deployed users file / script.
@ #
@ attr_filter attr_filter.access_reject {
@ key = %{User-Name}
@ attrsfile = ${confdir}/attrs.access_reject
@ }
@
@ # Enforce RFC requirements on the contents of the
@ # Accounting-Response packets. See the comments at the
@ # top of the file for more details.
@ #
@ attr_filter attr_filter.accounting_response {
@ key = %{User-Name}
@ attrsfile = ${confdir}/attrs.accounting_response
@ }
@
@ # Daily per-user session-time quota (stock rlm_counter example).
@ # NOTE(review): not listed in any section of this file, so it is never
@ # loaded.  Before enabling it, fix db_dir at the top of the file, which is
@ # written "$(raddbdir)" rather than "${raddbdir}" and would otherwise give
@ # this instance a literal, non-existent database path.
@ counter daily {
@ filename = ${db_dir}/db.daily
@ key = User-Name
@ count-attribute = Acct-Session-Time
@ reset = daily
@ counter-name = Daily-Session-Time
@ check-name = Max-Daily-Session
@ reply-name = Session-Timeout
@ allowed-servicetype = Framed-User
@ cache-size = 5000
@ }
@
@ #
@ # Execute external programs
@ #
@ # This module is useful only for 'xlat'. To use it,
@ # put 'exec' into the 'instantiate' section. You can then
@ # do dynamic translation of attributes like:
@ #
@ # Attribute-Name = `%{exec:/path/to/program args}`
@ #
@ # The value of the attribute will be replaced with the output
@ # of the program which is executed. Due to RADIUS protocol
@ # limitations, any output over 253 bytes will be ignored.
@ #
@ # The RADIUS attributes from the user request will be placed
@ # into environment variables of the executed program, as
@ # described in 'doc/variables.txt'
@ #
@ # This is the live instance: it is the only module in the "post-auth"
@ # section below.  Every request attribute (User-Password included, when
@ # one is present) reaches the script through its environment, and what the
@ # script prints on stdout is turned into reply attributes -- i.e. the
@ # script decides what the NAS is told.  Keep /usr/scripts/utils writable by
@ # root only, and have the script treat its environment as untrusted input.
@ # shell_escape is not set here (the "echo" instance below sets it
@ # explicitly); confirm the default matches what radius_auth.py expects.
@ #
@ exec {
@ wait = yes
@ program = "/usr/scripts/utils/radius_auth.py"
@ input_pairs = request
@ # So that the script's output is picked up by freeradius.
@ output_pairs = reply
@ }
@
@ #
@ # This is a more general example of the execute module.
@ #
@ # This one is called "echo".
@ #
@ # Attribute-Name = `%{echo:/path/to/program args}`
@ #
@ # If you wish to execute an external program in more than
@ # one section (e.g. 'authorize', 'pre_proxy', etc), then it
@ # is probably best to define a different instance of the
@ # 'exec' module for every section.
@ #
@ # The return value of the program run determines the result
@ # of the exec instance call as follows:
@ # (See doc/configurable_failover for details)
@ #
@ # < 0 : fail the module failed
@ # = 0 : ok the module succeeded
@ # = 1 : reject the module rejected the user
@ # = 2 : fail the module failed
@ # = 3 : ok the module succeeded
@ # = 4 : handled the module has done everything to handle the request
@ # = 5 : invalid the user's configuration entry was invalid
@ # = 6 : userlock the user was locked out
@ # = 7 : notfound the user was not found
@ # = 8 : noop the module did nothing
@ # = 9 : updated the module updated information in the request
@ # > 9 : fail the module failed
@ #
@ # NOTE(review): this "echo" instance is not listed in any section of this
@ # file (only "exec" is, in post-auth), so it is inert as written.  If it is
@ # ever enabled, note that %{User-Name} comes straight from the request and
@ # is expanded into the command line.  As far as I recall rlm_exec splits
@ # the line itself rather than handing it to a shell (so a second command
@ # cannot be injected) -- confirm for the installed version -- but a crafted
@ # name still controls the arguments /bin/echo receives.  Prefer passing
@ # request data through the environment (input_pairs) over interpolating
@ # it into "program".
@ exec echo {
@ #
@ # Wait for the program to finish.
@ #
@ # If we do NOT wait, then the program is "fire and
@ # forget", and any output attributes from it are ignored.
@ #
@ # If we are looking for the program to output
@ # attributes, and want to add those attributes to the
@ # request, then we MUST wait for the program to
@ # finish, and therefore set 'wait=yes'
@ #
@ # allowed values: {no, yes}
@ wait = yes
@
@ #
@ # The name of the program to execute, and its
@ # arguments. Dynamic translation is done on this
@ # field, so things like the following example will
@ # work.
@ #
@ program = "/bin/echo %{User-Name}"
@
@ #
@ # The attributes which are placed into the
@ # environment variables for the program.
@ #
@ # Allowed values are:
@ #
@ # request attributes from the request
@ # config attributes from the configuration items list
@ # reply attributes from the reply
@ # proxy-request attributes from the proxy request
@ # proxy-reply attributes from the proxy reply
@ #
@ # Note that some attributes may not exist at some
@ # stages. e.g. There may be no proxy-reply
@ # attributes if this module is used in the
@ # 'authorize' section.
@ #
@ input_pairs = request
@
@ #
@ # Where to place the output attributes (if any) from
@ # the executed program. The values allowed, and the
@ # restrictions as to availability, are the same as
@ # for the input_pairs.
@ #
@ output_pairs = reply
@
@ #
@ # When to execute the program. If the packet
@ # type does NOT match what's listed here, then
@ # the module does NOT execute the program.
@ #
@ # For a list of allowed packet types, see
@ # the 'dictionary' file, and look for VALUEs
@ # of the Packet-Type attribute.
@ #
@ # By default, the module executes on ANY packet.
@ # Un-comment out the following line to tell the
@ # module to execute only if an Access-Accept is
@ # being sent to the NAS.
@ #
@ #packet_type = Access-Accept
@
@ #
@ # Should we escape the environment variables?
@ #
@ # If this is set, all the RADIUS attributes
@ # are capitalised and dashes replaced with
@ # underscores. Also, RADIUS values are surrounded
@ # with double-quotes.
@ #
@ # That is to say: User-Name=BobUser => USER_NAME="BobUser"
@ shell_escape = yes
@
@ }
@
@ # Module implementing a DIFFERENT policy language.
@ # The syntax here is NOT "unlang", but something else.
@ #
@ # See the "policy.txt" file for documentation and examples.
@ #
@ # Not listed in any section of this file as written; ${confdir}/policy.txt
@ # still has to exist if this instance is ever referenced.
@ #
@ policy {
@ # The only configuration item is a filename containing
@ # the policies to execute.
@ #
@ # When "policy" is listed in a section (e.g. "authorize"),
@ # it will run a policy named for that section.
@ #
@ filename = ${confdir}/policy.txt
@ }
@
@}
@
@# Modules to load at start-up regardless of whether a section lists them.
@# Every entry here is commented out, so nothing is force-loaded; the "exec"
@# instance is presumably still loaded on demand because post-auth references
@# it (stock behaviour).  Since "exec" is not instantiated here, the
@# `%{exec:...}` xlat described below is presumably unavailable in this
@# configuration -- fine as long as the module is only called from post-auth.
@instantiate {
@ #
@ # Allows the execution of external scripts.
@ # The entire command line (and output) must fit into 253 bytes.
@ #
@ # e.g. Framed-Pool = `%{exec:/bin/echo foo}`
@ # exec
@
@ #
@ # The expression module doesn't do authorization,
@ # authentication, or accounting. It only does dynamic
@ # translation, of the form:
@ #
@ # Session-Timeout = `%{expr:2 + 3}`
@ #
@ # So the module needs to be instantiated, but CANNOT be
@ # listed in any other section. See 'doc/rlm_expr' for
@ # more information.
@ #
@# expr
@
@ #
@ # We add the counter module here so that it registers
@ # the check-name attribute before any module which sets
@ # it
@ # (stock comment -- the entries that follow are expiration/logintime,
@ # not the counter instance defined above; neither is enabled)
@# expiration
@# logintime
@
@}
@
@$INCLUDE policy.conf
@
@
@# Access-Request processing, in order: normalise the request (preprocess),
@# then match it against ${confdir}/users.  Neither "checkval" nor any
@# password-capable module (pap/chap/mschap/eap) is defined in this file, so
@# whatever gating happens is expressed in the users file itself.
@authorize {
@ preprocess
@ files
@}
@
@# NOTE(review): "files" is the only module here, and no pap/chap/mschap/eap
@# module exists in this file, so nothing in this configuration verifies a
@# password.  Presumably the users file sets an Auth-Type that accepts on a
@# matching Calling-Station-Id (MAC allow-list) -- confirm that this is the
@# intended trust model, since anyone who can spoof an allowed MAC then gets
@# whatever the post-auth script returns.
@authenticate {
@ files
@}
@
@# Accounting-Request pre-processing; only meaningful if an accounting
@# listener/section is enabled (both are absent or commented out in this
@# file).
@preacct {
@ preprocess
@ acct_unique
@ files
@}
@
@#accounting {
@# detail
@# radutmp
@#}
@
@#session {
@# radutmp
@#}
@# Runs after the accept/reject decision.  The "exec" instance hands the full
@# request to /usr/scripts/utils/radius_auth.py through its environment and
@# takes the script's stdout back as reply attributes, so the script -- not
@# this file -- determines what the NAS is told.  See the module definition
@# above for the trust implications.
@post-auth {
@ exec
@}
@