#  Authorization. First preprocess (hints and huntgroups files),
#  then realms, and finally look in the "users" file.
#
#  Any changes made here should also be made to the "inner-tunnel"
#  virtual server.
#
#  The order of the realm modules will determine the order that
#  we try to find a matching realm.
#
#  Make *sure* that 'preprocess' comes before any realm if you
#  need to setup hints for the remote radius server
#
#  Module order in this section matters in general: every module sees
#  the attributes left behind by the ones above it, and the
#  "ok = return" on the eap block below stops the list early.
authorize {

	#
	#  Security settings.  Take a User-Name, and do some simple
	#  checks on it, for spaces and other invalid characters.  If
	#  it looks like the user is trying to play games, reject it.
	#
	#  This should probably be enabled by default.
	#
	#  See policy.conf for the definition of the filter_username policy.
	#
	#  NOTE(review): still disabled in this configuration, although
	#  the User-Name is handed unfiltered to 'ldap' and 'exec' below.
	#  Enable it unless usernames with spaces or nested '@' are
	#  genuinely needed.
	#
#	filter_username

	#
	#  The preprocess module takes care of sanitizing some bizarre
	#  attributes in the request, and turning them into attributes
	#  which are more standard.
	#
	#  It takes care of processing the 'raddb/hints' and the
	#  'raddb/huntgroups' files.
	preprocess

	#
	#  Write every Access-Request to the 'detail auth_log' file.
	#  This line is enabled here; the 'detail auth_log' instance it
	#  refers to is defined in the modules configuration, not in
	#  this file.
	#
	#  NOTE(review): the detail file records the request attributes,
	#  which for PAP presumably include User-Password.  Verify that
	#  the auth_log instance lists User-Password in its "suppress"
	#  section, otherwise cleartext passwords are written to disk.
	auth_log

	#
	#  Look the user up in LDAP.  The ldap module will set
	#  'Auth-Type := LDAP' if it has not already been set, so the
	#  plain-text password is then checked against the directory
	#  (see 'Auth-Type LDAP' in the 'authenticate' section).
	#
	#  NOTE(review): listed before 'suffix', so the lookup runs before
	#  any realm has been split off the User-Name, and before the
	#  'eap { ok = return }' block, so it also runs for every TTLS/PEAP
	#  round trip -- exactly the directory load that block is
	#  documented to avoid.  The usual place is after eap, next to
	#  'files' and 'sql'.  Confirm the intent before moving it.
	ldap

	#
	#  The chap module will set 'Auth-Type := CHAP' if we are
	#  handling a CHAP request and Auth-Type has not already been set
	chap

	#
	#  If the users are logging in with an MS-CHAP-Challenge
	#  attribute for authentication, the mschap module will find
	#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
	#  to the request, which will cause the server to then use
	#  the mschap module for authentication.
	mschap

	#
	#  HTTP Digest, for a Cisco SIP server authenticating against
	#  FreeRADIUS.  It is enabled both here and in the 'authenticate'
	#  section; comment out both lines if Digest is not in use.
	digest

	#
	#  The WiMAX specification says that the Calling-Station-Id
	#  is 6 octets of the MAC.  This definition conflicts with
	#  RFC 3580, and all common RADIUS practices.  Un-commenting
	#  the "wimax" module here means that it will fix the
	#  Calling-Station-Id attribute to the normal format as
	#  specified in RFC 3580 Section 3.21
#	wimax

	#
	#  Look for IPASS style 'realm/', and if not found, look for
	#  '@realm', and decide whether or not to proxy, based on
	#  that.
#	IPASS

	#
	#  If you are using multiple kinds of realms, you probably
	#  want to set "ignore_null = yes" for all of them.
	#  Otherwise, when the first style of realm doesn't match,
	#  the other styles won't be checked.
	#
	#  'suffix' handles the '@realm' form and decides whether the
	#  request is proxied to a home server or handled locally.
	suffix
#	ntdomain

	#
	#  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
	#  authentication.
	#
	#  It also sets the EAP-Type attribute in the request
	#  attribute list to the EAP type from the packet.
	#
	#  As of 2.0, the EAP module returns "ok" in the authorize stage
	#  for TTLS and PEAP.  In 1.x, it never returned "ok" here, so
	#  this change is compatible with older configurations.
	#
	#  The example below uses module failover to avoid querying all
	#  of the following modules if the EAP module returns "ok".
	#  Therefore, your LDAP and/or SQL servers will not be queried
	#  for the many packets that go back and forth to set up TTLS
	#  or PEAP.  The load on those servers will therefore be reduced.
	#  (That only holds for modules listed *after* this block.)
	#
	eap {
		ok = return
	}

	#
	#  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
	#  using the system API's to get the password.  If you want
	#  to read /etc/passwd or /etc/shadow directly, see the
	#  passwd module in radiusd.conf.
	#
#	unix

	#
	#  Read the 'users' file.  Disabled here, so check and reply
	#  items in raddb/users are NOT applied by this virtual server.
#	files

	#
	#  Look in an SQL database.  The schema of the database
	#  is meant to mirror the "users" file.
	#
	#  See "Authorization Queries" in sql.conf
#	sql

	#
	#  If you are using /etc/smbpasswd, and are also doing
	#  mschap authentication, then un-comment this line, and
	#  configure the 'smbpasswd' module.
#	smbpasswd

	#
	#  Run the 'exec' module instance in the authorize stage.
	#  What it does here depends entirely on how that instance is
	#  configured in the modules section (this file does not show it).
	#
	#  NOTE(review): any program it launches presumably receives the
	#  request attributes, including a User-Name that has not been
	#  passed through filter_username above.  Confirm the instance
	#  configuration before relying on it.
        exec

	#
	#  Enforce daily limits on time spent logged in.
#	daily

	#
	# Use the checkval module
#	checkval

	#  Presumably enforce the Expiration and Login-Time check items;
	#  nothing in this file sets them, so they must come from a
	#  back-end listed above.
	expiration
	logintime

	#
	#  If no other module has claimed responsibility for
	#  authentication, then try to use PAP.  This allows the
	#  other modules listed above to add a "known good" password
	#  to the request, and to do nothing else.  The PAP module
	#  will then see that password, and use it to do PAP
	#  authentication.
	#
	#  This module should be listed last, so that the other modules
	#  get a chance to set Auth-Type for themselves.
	#
	pap

	#
	#  If "status_server = yes", then Status-Server messages are passed
	#  through the following section, and ONLY the following section.
	#  This permits you to do DB queries, for example.  If the modules
	#  listed here return "fail", then NO response is sent.
	#
#	Autz-Type Status-Server {
#
#	}
}

#  Authentication.
#
#
#  This section lists which modules are available for authentication.
#  Note that it does NOT mean 'try each module in order'.  It means
#  that a module from the 'authorize' section adds a configuration
#  attribute 'Auth-Type := FOO'.  That authentication type is then
#  used to pick the appropriate module from the list below.
#

#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
#  will figure it out on its own, and will do the right thing.  The
#  most common side effect of erroneously setting the Auth-Type
#  attribute is that one authentication method will work, but the
#  others will not.
#
#  The common reasons to set the Auth-Type attribute by hand
#  are to either forcibly reject the user (Auth-Type := Reject),
#  or to forcibly accept the user (Auth-Type := Accept).
#
#  Note that Auth-Type := Accept will NOT work with EAP.
#
#  Please do not put "unlang" configurations into the "authenticate"
#  section.  Put them in the "post-auth" section instead.  That's what
#  the post-auth section is for.
#
authenticate {
	#
	#  PAP authentication, when a back-end database listed
	#  in the 'authorize' section supplies a password.  The
	#  password can be clear-text, or encrypted.
	Auth-Type PAP {
		pap
	}

	#
	#  Most people want CHAP authentication
	#  A back-end database listed in the 'authorize' section
	#  MUST supply a CLEAR TEXT password.  Encrypted passwords
	#  won't work.
	Auth-Type CHAP {
		chap
	}

	#
	#  MSCHAP authentication.
	Auth-Type MS-CHAP {
		mschap
	}

	#
	#  HTTP Digest, for a Cisco SIP server authenticating against
	#  FreeRADIUS.  Enabled here and in the 'authorize' section;
	#  comment out both lines if Digest is not in use.
	digest

	#
	#  Pluggable Authentication Modules.
#	pam

	#
	#  See 'man getpwent' for information on how the 'unix'
	#  module checks the users password.  Note that packets
	#  containing CHAP-Password attributes CANNOT be authenticated
	#  against /etc/passwd!  See the FAQ for details.
	#
	#  For normal "crypt" authentication, the "pap" module should
	#  be used instead of the "unix" module.  The "unix" module should
	#  be used for authentication ONLY for compatibility with legacy
	#  FreeRADIUS configurations.
	#
	#  NOTE(review): enabled here even though 'unix' is commented out
	#  in 'authorize'.  If nothing selects it this is dead weight; if
	#  something does, this host's system account database becomes a
	#  RADIUS credential store.  Disable it unless that is intended.
	unix

	#
	#  LDAP authentication.  Enabled, matching the 'ldap' line in the
	#  'authorize' section which sets 'Auth-Type := LDAP'.
	#
	#  Note that this means "check plain-text password against
	#  the ldap database", which means that EAP won't work,
	#  as it does not supply a plain-text password.  In practice
	#  only PAP requests carry the plain-text password needed here.
	Auth-Type LDAP {
		ldap
	}

	#
	#  Allow EAP authentication.
	eap

	#
	#  The older configurations sent a number of attributes in
	#  Access-Challenge packets, which wasn't strictly correct.
	#  If you want to filter out these attributes, uncomment
	#  the following lines.
	#
#	Auth-Type eap {
#		eap {
#			handled = 1
#		}
#		if (handled && (Response-Packet-Type == Access-Challenge)) {
#			attr_filter.access_challenge.post-auth
#			handled  # override the "updated" code from attr_filter
#		}
#	}
}

#
#  Pre-accounting.  Decide which accounting type to use.
#
#  Runs on every Accounting-Request before the 'accounting' section.
#
preacct {
	preprocess

	#
	#  Session start times are *implied* in RADIUS.
	#  The NAS never sends a "start time".  Instead, it sends
	#  a start packet, *possibly* with an Acct-Delay-Time.
	#  The server is supposed to conclude that the start time
	#  was "Acct-Delay-Time" seconds in the past.
	#
	#  The code below creates an explicit start time, which can
	#  then be used in other modules.
	#
	#  The start time is: NOW - delay - session_length
	#

#	update request {
#		FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
#	}


	#
	#  Ensure that we have a semi-unique identifier for every
	#  request, because the identifiers sent by many NAS boxes
	#  are not reliable.
	acct_unique

	#
	#  Look for IPASS-style 'realm/', and if not found, look for
	#  '@realm', and decide whether or not to proxy, based on
	#  that.
	#
	#  Accounting requests are generally proxied to the same
	#  home server as authentication requests.
#	IPASS
	suffix
#	ntdomain

	#
	#  Read the 'acct_users' file.  (Enabled here, unlike the
	#  'users' file in the 'authorize' section.)
	files
}

#
#  Accounting.  Log the accounting data.
#
#  Only the modules enabled below record anything: 'detail' writes
#  the packets to disk, 'exec' handles Exec-Program entries, and
#  'attr_filter.accounting_response' cleans the reply.  SQL, radutmp
#  and the rest are commented out.
#
accounting {
	#
	#  Create a 'detail'ed log of the packets.
	#  Note that accounting requests which are proxied
	#  are also logged in the detail file.
	detail
#	daily

	#  Update the wtmp file
	#
	#  If you don't use "radlast", you can delete this line.
#	unix

	#
	#  For Simultaneous-Use tracking.
	#
	#  Due to packet losses in the network, the data here
	#  may be incorrect.  There is little we can do about it.
	#
	#  NOTE(review): both lines are commented out, yet the 'session'
	#  section below checks radutmp.  With nothing here updating it,
	#  Simultaneous-Use checks presumably have no data to work with.
	#  Confirm whether that is intended.
#	radutmp
#	sradutmp

	#  Return an address to the IP Pool when we see a stop record.
#	main_pool

	#
	#  Log traffic to an SQL database.
	#
	#  See "Accounting queries" in sql.conf
#	sql

	#
	#  If you receive stop packets with zero session length,
	#  they will NOT be logged in the database.  The SQL module
	#  will print a message (only in debugging mode), and will
	#  return "noop".
	#
	#  You can ignore these packets by uncommenting the following
	#  three lines.  Otherwise, the server will not respond to the
	#  accounting request, and the NAS will retransmit.
	#
#	if (noop) {
#		ok
#	}

	#
	#  Instead of sending the query to the SQL server,
	#  write it into a log file.
	#
#	sql_log

	#  Cisco VoIP specific bulk accounting
#	pgsql-voip

	#  For Exec-Program and Exec-Program-Wait.  Nothing in this file
	#  defines a program for the 'exec' instance; see the modules
	#  configuration for what it actually runs.
	exec

	#  Filter attributes from the accounting response, so only what
	#  the attr_filter rules allow is sent back to the NAS.
	attr_filter.accounting_response

	#
	#  See "Autz-Type Status-Server" for how this works.
	#
#	Acct-Type Status-Server {
#
#	}
}

#  Session database, used for checking Simultaneous-Use. Either the radutmp
#  or rlm_sql module can handle this.
#  The rlm_sql module is *much* faster
#
#  NOTE(review): radutmp is used here, but the 'radutmp' line in the
#  'accounting' section is commented out, so nothing in this file
#  keeps that database up to date.
session {
	radutmp

	#
	#  See "Simultaneous Use Checking Queries" in sql.conf
#	sql
}

#  Post-Authentication
#  Once we KNOW that the user has been authenticated, there are
#  additional steps we can take.
#
#  Access-Accept replies run through the main body below;
#  Access-Reject replies run ONLY through the 'Post-Auth-Type REJECT'
#  sub-section at the end.
post-auth {
	#  Get an address from the IP Pool.
#	main_pool

	#
	#  If you want to have a log of authentication replies,
	#  un-comment the following line, and the 'detail reply_log'
	#  section, above.
#	reply_log

	#
	#  After authenticating the user, do another SQL query.
	#
	#  See "Authentication Logging Queries" in sql.conf
#	sql

	#
	#  Instead of sending the query to the SQL server,
	#  write it into a log file.
	#
#	sql_log

	#
	#  Un-comment the following if you have set
	#  'edir_account_policy_check = yes' in the ldap module sub-section of
	#  the 'modules' section.
	#
#	ldap

	#  For Exec-Program and Exec-Program-Wait
	#
	#  NOTE(review): those attributes are presumably taken from the
	#  reply, so any source able to add reply items (users file, SQL,
	#  LDAP, a home server's reply) could cause the server to run a
	#  command.  Keep those sources trusted and filter proxied replies
	#  (see 'attr_filter.post-proxy' in the 'post-proxy' section).
	exec

	#
	#  Calculate the various WiMAX keys.  In order for this to work,
	#  you will need to define the WiMAX NAI, usually via
	#
	#	update request {
	#	       WiMAX-MN-NAI = "%{User-Name}"
	#	}
	#
	#  If you want various keys to be calculated, you will need to
	#  update the reply with "template" values.  The module will see
	#  this, and replace the template values with the correct ones
	#  taken from the cryptographic calculations.  e.g.
	#
	# 	update reply {
	#		WiMAX-FA-RK-Key = 0x00
	#		WiMAX-MSK = "%{EAP-MSK}"
	#	}
	#
	#  You may want to delete the MS-MPPE-*-Keys from the reply,
	#  as some WiMAX clients behave badly when those attributes
	#  are included.  See "raddb/modules/wimax", configuration
	#  entry "delete_mppe_keys" for more information.
	#
#	wimax

	#  If there is a client certificate (EAP-TLS, sometimes PEAP
	#  and TTLS), then some attributes are filled out after the
	#  certificate verification has been performed.  These fields
	#  MAY be available during the authentication, or they may be
	#  available only in the "post-auth" section.
	#
	#  The first set of attributes contains information about the
	#  issuing certificate which is being used.  The second
	#  contains information about the client certificate (if
	#  available).
	#
	#  Enabling this echoes certificate details back in Reply-Message;
	#  useful for debugging, rarely wanted in production.
#
#	update reply {
#	       Reply-Message += "%{TLS-Cert-Serial}"
#	       Reply-Message += "%{TLS-Cert-Expiration}"
#	       Reply-Message += "%{TLS-Cert-Subject}"
#	       Reply-Message += "%{TLS-Cert-Issuer}"
#	       Reply-Message += "%{TLS-Cert-Common-Name}"
#	       Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
#
#	       Reply-Message += "%{TLS-Client-Cert-Serial}"
#	       Reply-Message += "%{TLS-Client-Cert-Expiration}"
#	       Reply-Message += "%{TLS-Client-Cert-Subject}"
#	       Reply-Message += "%{TLS-Client-Cert-Issuer}"
#	       Reply-Message += "%{TLS-Client-Cert-Common-Name}"
#	       Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
#	}

	#  MacSEC requires the use of EAP-Key-Name.  However, we don't
	#  want to send it for all EAP sessions.  Therefore, the EAP
	#  modules put required data into the EAP-Session-Id attribute.
	#  This attribute is never put into a request or reply packet.
	#
	#  Uncomment the next few lines to copy the required data into
	#  the EAP-Key-Name attribute
#	if (reply:EAP-Session-Id) {
#		update reply {
#			EAP-Key-Name := "%{reply:EAP-Session-Id}"
#		}
#	}

	#  If the WiMAX module did its work, you may want to do more
	#  things here, like delete the MS-MPPE-*-Key attributes.
	#
	#	if (updated) {
	#		update reply {
	#			MS-MPPE-Recv-Key !* 0x00
	#			MS-MPPE-Send-Key !* 0x00
	#		}
	#	}

	#
	#  Access-Reject packets are sent through the REJECT sub-section of the
	#  post-auth section.
	#
	#  Add the ldap module name (or instance) if you have set
	#  'edir_account_policy_check = yes' in the ldap module configuration
	#
	Post-Auth-Type REJECT {
		# log failed authentications in SQL, too.
#		sql
		#  Strip everything the attr_filter rules do not allow in an
		#  Access-Reject, so reply items collected by the modules
		#  above are not leaked to a client that failed to
		#  authenticate.
		attr_filter.access_reject
	}
}

#
#  When the server decides to proxy a request to a home server,
#  the proxied request is first passed through the pre-proxy
#  stage.  This stage can re-write the request, or decide to
#  cancel the proxy.
#
#  Only a few modules currently have this method.
#
#  NOTE(review): everything in this section is commented out, so
#  requests are forwarded to home servers exactly as received and
#  nothing records what was sent.  Consider enabling at least
#  'attr_filter.pre-proxy' and 'pre_proxy_log'.
#
pre-proxy {
#	attr_rewrite

	#  Uncomment the following line if you want to change attributes
	#  as defined in the preproxy_users file.
#	files

	#  Uncomment the following line if you want to filter requests
	#  sent to remote servers based on the rules defined in the
	#  'attrs.pre-proxy' file.
#	attr_filter.pre-proxy

	#  If you want to have a log of packets proxied to a home
	#  server, un-comment the following line, and the
	#  'detail pre_proxy_log' section, above.
#	pre_proxy_log
}

#
#  When the server receives a reply to a request it proxied
#  to a home server, the request may be massaged here, in the
#  post-proxy stage.
#
#  Only 'eap' is enabled below; replies from home servers are
#  neither logged nor filtered before they are passed on.
#
post-proxy {

	#  If you want to have a log of replies from a home server,
	#  un-comment the following line, and the 'detail post_proxy_log'
	#  section, above.
#	post_proxy_log

#	attr_rewrite

	#  Uncomment the following line if you want to filter replies from
	#  remote proxies based on the rules defined in the 'attrs' file.
	#
	#  NOTE(review): while this stays commented out, whatever a home
	#  server puts in its reply reaches the NAS unchanged, so a
	#  misconfigured or compromised home server controls the
	#  attributes the NAS acts on.  Enabling this is the usual fix.
#	attr_filter.post-proxy

	#
	#  If you are proxying LEAP, you MUST configure the EAP
	#  module, and you MUST list it here, in the post-proxy
	#  stage.
	#
	#  You MUST also use the 'nostrip' option in the 'realm'
	#  configuration.  Otherwise, the User-Name attribute
	#  in the proxied request will not match the user name
	#  hidden inside of the EAP packet, and the end server will
	#  reject the EAP request.
	#
	eap

	#
	#  If the server tries to proxy a request and fails, then the
	#  request is processed through the modules in this section.
	#
	#  The main use of this section is to permit robust proxying
	#  of accounting packets.  The server can be configured to
	#  proxy accounting packets as part of normal processing.
	#  Then, if the home server goes down, accounting packets can
	#  be logged to a local "detail" file, for processing with
	#  radrelay.  When the home server comes back up, radrelay
	#  will read the detail file, and send the packets to the
	#  home server.
	#
	#  With this configuration, the server always responds to
	#  Accounting-Requests from the NAS, but only writes
	#  accounting packets to disk if the home server is down.
	#
	#  Left commented out here, so a failed proxy currently gets
	#  no fallback handling.
	#
#	Post-Proxy-Type Fail {
#			detail
#	}
}