#
#  Statically defined NAS entry (the shortname says "Dynamic client",
#  but the address and secret are fixed here).  netmask = 32 limits it
#  to the single host 192.168.5.224.  'lifetime = 3600' is presumably
#  the dynamic-client expiry in seconds -- confirm it is honoured for a
#  client defined in a virtual server like this one.
#
#  SECURITY: the shared secret is the only thing that authenticates
#  this NAS.  RADIUS derives the Request/Response Authenticators and
#  the User-Password obfuscation from it with MD5, so a guessable
#  secret lets anyone who can capture traffic recover passwords or
#  forge replies.  "mystrongsecret" is a plain dictionary phrase and
#  this file is committed to source control, so treat the current
#  value as compromised: generate a long random secret, keep it out
#  of the repository, and restrict read access to this file.
#
client local {
       shortname = "Dynamic client"
       ipaddr = 192.168.5.224
       netmask = 32
       lifetime = 3600
       secret = mystrongsecret
}
#  Authorization. First preprocess (hints and huntgroups files),
#  then realms, and finally look in the "users" file.
#
#  Any changes made here should also be made to the "inner-tunnel"
#  virtual server.
#
#  The order of the realm modules will determine the order that
#  we try to find a matching realm.
#
#  Make *sure* that 'preprocess' comes before any realm if you
#  need to setup hints for the remote radius server
#
#  Module order in this section is significant: each module sees the
#  attributes left behind by the ones above it, and the first module
#  to set Auth-Type wins.  Check the position of every uncommented
#  line before moving it.
authorize {

	#
	#  Security settings.  Take a User-Name, and do some simple
	#  checks on it, for spaces and other invalid characters.  If
	#  it looks like the user is trying to play games, reject it.
	#
	#  This should probably be enabled by default.
	#
	#  NOTE(review): still disabled here.  It is cheap input
	#  validation in front of the ldap, exec and realm lookups
	#  below; enabling it only requires the filter_username policy
	#  from policy.conf to be loaded.
	#
	#  See policy.conf for the definition of the filter_username policy.
	#
#	filter_username

	#
	#  The preprocess module takes care of sanitizing some bizarre
	#  attributes in the request, and turning them into attributes
	#  which are more standard.
	#
	#  It takes care of processing the 'raddb/hints' and the
	#  'raddb/huntgroups' files.
	preprocess

	#
	#  Log every Access-Request to the 'detail auth_log' instance.
	#  Enabled here; the auth_log instance itself is defined
	#  elsewhere (it is not in this file).
	#
	#  NOTE(review): the detail file receives the request attributes
	#  as received.  Make sure the auth_log instance suppresses
	#  User-Password and that its directory is not world-readable,
	#  otherwise cleartext PAP passwords are written to disk.
	auth_log

	#
	#  The ldap module will set Auth-Type to LDAP if it has not
	#  already been set.
	#
	#  NOTE(review): ldap runs *before* the eap block below, so the
	#  "eap { ok = return }" short-circuit (which, per the eap comment,
	#  exists to spare "the following modules") does not cover it:
	#  every EAP round-trip, including the anonymous outer identity
	#  of PEAP/TTLS, triggers a directory lookup.  If the ldap
	#  instance also claims Auth-Type, EAP requests may never reach
	#  eap.  Confirm EAP works with this order, or move ldap below
	#  the eap block.
	ldap

	#
	#  The chap module will set 'Auth-Type := CHAP' if we are
	#  handling a CHAP request and Auth-Type has not already been set
	chap

	#
	#  If the users are logging in with an MS-CHAP-Challenge
	#  attribute for authentication, the mschap module will find
	#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
	#  to the request, which will cause the server to then use
	#  the mschap module for authentication.
	mschap

	#
	#  HTTP Digest (Cisco SIP) authentication.  Enabled here, paired
	#  with the 'digest' line in the 'authenticate' section; the two
	#  must be enabled or disabled together.
	#
	#  NOTE(review): if no SIP server authenticates against this
	#  host, comment both lines out -- an enabled authentication
	#  method that nothing legitimately uses is only attack surface.
	digest

	#
	#  The WiMAX specification says that the Calling-Station-Id
	#  is 6 octets of the MAC.  This definition conflicts with
	#  RFC 3580, and all common RADIUS practices.  Un-commenting
	#  the "wimax" module here means that it will fix the
	#  Calling-Station-Id attribute to the normal format as
	#  specified in RFC 3580 Section 3.21
#	wimax

	#
	#  Look for IPASS style 'realm/', and if not found, look for
	#  '@realm', and decide whether or not to proxy, based on
	#  that.
#	IPASS

	#
	#  If you are using multiple kinds of realms, you probably
	#  want to set "ignore_null = yes" for all of them.
	#  Otherwise, when the first style of realm doesn't match,
	#  the other styles won't be checked.
	#
	#  'suffix' is enabled, so a User-Name of the form user@realm
	#  may be proxied according to the realm configuration.
	#
	suffix
#	ntdomain

	#
	#  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
	#  authentication.
	#
	#  It also sets the EAP-Type attribute in the request
	#  attribute list to the EAP type from the packet.
	#
	#  As of 2.0, the EAP module returns "ok" in the authorize stage
	#  for TTLS and PEAP.  In 1.x, it never returned "ok" here, so
	#  this change is compatible with older configurations.
	#
	#  The example below uses module failover to avoid querying all
	#  of the following modules if the EAP module returns "ok".
	#  Therefore, your LDAP and/or SQL servers will not be queried
	#  for the many packets that go back and forth to set up TTLS
	#  or PEAP.  The load on those servers will therefore be reduced.
	#  (Only modules listed *after* this block benefit.)
	#
	eap {
		ok = return
	}

	#
	#  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
	#  using the system API's to get the password.  If you want
	#  to read /etc/passwd or /etc/shadow directly, see the
	#  passwd module in radiusd.conf.
	#
#	unix

	#
	#  Read the 'users' file
#	files

	#
	#  Look in an SQL database.  The schema of the database
	#  is meant to mirror the "users" file.
	#
	#  See "Authorization Queries" in sql.conf
#	sql

	#
	#  If you are using /etc/smbpasswd, and are also doing
	#  mschap authentication, the un-comment this line, and
	#  configure the 'smbpasswd' module.
#	smbpasswd

	#
	#  rlm_exec during authorization.  See the 'exec' comments in
	#  the accounting and post-auth sections: its purpose is to run
	#  Exec-Program / Exec-Program-Wait.
	#
	#  NOTE(review): anything rlm_exec launches runs on the RADIUS
	#  host, so keep its configured program and input attributes
	#  tightly scoped.  This line is also indented with spaces
	#  while the rest of the file uses tabs -- harmless to the
	#  parser, but it looks like a later hand edit; confirm it is
	#  intentional.
        exec

	#
	#  Enforce daily limits on time spent logged in.
#	daily

	#
	# Use the checkval module
#	checkval

	#
	#  Reject expired accounts (Expiration) and enforce the
	#  Login-Time windows from the check items.
	expiration
	logintime

	#
	#  If no other module has claimed responsibility for
	#  authentication, then try to use PAP.  This allows the
	#  other modules listed above to add a "known good" password
	#  to the request, and to do nothing else.  The PAP module
	#  will then see that password, and use it to do PAP
	#  authentication.
	#
	#  This module should be listed last, so that the other modules
	#  get a chance to set Auth-Type for themselves.
	#
	pap

	#
	#  If "status_server = yes", then Status-Server messages are passed
	#  through the following section, and ONLY the following section.
	#  This permits you to do DB queries, for example.  If the modules
	#  listed here return "fail", then NO response is sent.
	#
#	Autz-Type Status-Server {
#
#	}
}
#  Authentication.
#
#
#  This section lists which modules are available for authentication.
#  Note that it does NOT mean 'try each module in order'.  It means
#  that a module from the 'authorize' section adds a configuration
#  attribute 'Auth-Type := FOO'.  That authentication type is then
#  used to pick the appropriate module from the list below.
#

#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
#  will figure it out on its own, and will do the right thing.  The
#  most common side effect of erroneously setting the Auth-Type
#  attribute is that one authentication method will work, but the
#  others will not.
#
#  The common reasons to set the Auth-Type attribute by hand
#  are to either forcibly reject the user (Auth-Type := Reject),
#  or to forcibly accept the user (Auth-Type := Accept).
#
#  Note that Auth-Type := Accept will NOT work with EAP.
#
#  Please do not put "unlang" configurations into the "authenticate"
#  section.  Put them in the "post-auth" section instead.  That's what
#  the post-auth section is for.
#
authenticate {
	#
	#  PAP authentication, when a back-end database listed
	#  in the 'authorize' section supplies a password.  The
	#  password can be clear-text, or encrypted.
	Auth-Type PAP {
		pap
	}

	#
	#  Most people want CHAP authentication
	#  A back-end database listed in the 'authorize' section
	#  MUST supply a CLEAR TEXT password.  Encrypted passwords
	#  won't work.
	Auth-Type CHAP {
		chap
	}

	#
	#  MSCHAP authentication.
	Auth-Type MS-CHAP {
		mschap
	}

	#
	#  HTTP Digest (Cisco SIP) authentication.  Enabled here,
	#  together with the 'digest' line in the 'authorize' section.
	#  Disable both if no SIP server authenticates against this host.
	digest

	#
	#  Pluggable Authentication Modules.
#	pam

	#
	#  See 'man getpwent' for information on how the 'unix'
	#  module checks the users password.  Note that packets
	#  containing CHAP-Password attributes CANNOT be authenticated
	#  against /etc/passwd!  See the FAQ for details.
	#
	#  For normal "crypt" authentication, the "pap" module should
	#  be used instead of the "unix" module.  The "unix" module should
	#  be used for authentication ONLY for compatibility with legacy
	#  FreeRADIUS configurations.
	#
	#  NOTE(review): enabled despite the paragraph above.  If nothing
	#  here still depends on the legacy unix authentication path,
	#  comment it out and let pap handle crypt'd passwords.
	#
	unix

	# LDAP authentication (enabled).
	#
	# Note that this means "check plain-text password against
	# the ldap database", which means that EAP won't work,
	# as it does not supply a plain-text password.
	#
	# NOTE(review): the user's cleartext password is handed to the
	# directory on every authentication.  Make sure the ldap
	# instance reaches it over TLS (ldaps or start_tls) -- confirm
	# in the module configuration, which is not in this file.
	Auth-Type LDAP {
		ldap
	}

	#
	#  Allow EAP authentication.
	eap

	#
	#  The older configurations sent a number of attributes in
	#  Access-Challenge packets, which wasn't strictly correct.
	#  If you want to filter out these attributes, uncomment
	#  the following lines.
	#
#	Auth-Type eap {
#		eap {
#			handled = 1  
#		}
#		if (handled && (Response-Packet-Type == Access-Challenge)) {
#			attr_filter.access_challenge.post-auth
#			handled  # override the "updated" code from attr_filter
#		}
#	}
}
#
#  Pre-accounting.  Decide which accounting type to use.
#
#  Runs on every Accounting-Request before the 'accounting' section.
#  Like 'authorize', module order matters here.
#
preacct {
	preprocess

	#
	#  Session start times are *implied* in RADIUS.
	#  The NAS never sends a "start time".  Instead, it sends
	#  a start packet, *possibly* with an Acct-Delay-Time.
	#  The server is supposed to conclude that the start time
	#  was "Acct-Delay-Time" seconds in the past.
	#
	#  The code below creates an explicit start time, which can
	#  then be used in other modules.
	#
	#  The start time is: NOW - delay - session_length
	#

#	  update request {
#	  	FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
#	}


	#
	#  Ensure that we have a semi-unique identifier for every
	#  request, because many NAS boxes do not supply a reliable one.
	acct_unique

	#
	#  Look for IPASS-style 'realm/', and if not found, look for
	#  '@realm', and decide whether or not to proxy, based on
	#  that.
	#
	#  Accounting requests are generally proxied to the same
	#  home server as authentication requests.
#	IPASS
	suffix
#	ntdomain

	#
	#  Read the 'acct_users' file
	files
}
#
#  Accounting.  Log the accounting data.
#
accounting {
	#
	#  Create a 'detail'ed log of the packets.
	#  Note that accounting requests which are proxied
	#  are also logged in the detail file.
	detail
#	daily

	#  Update the wtmp file
	#
	#  If you don't use "radlast", you can delete this line.
#	unix

	#
	#  For Simultaneous-Use tracking.
	#
	#  Due to packet losses in the network, the data here
	#  may be incorrect.  There is little we can do about it.
	#
	#  NOTE(review): radutmp is disabled here, yet the 'session'
	#  section below still lists radutmp.  Nothing writes the
	#  radutmp file, so Simultaneous-Use checks run against an
	#  empty session database and silently never limit anyone.
	#  Either enable radutmp here, or switch 'session' to sql (and
	#  enable sql accounting below).
#	radutmp
#	sradutmp

	#  Return an address to the IP Pool when we see a stop record.
#	main_pool

	#
	#  Log traffic to an SQL database.
	#
	#  See "Accounting queries" in sql.conf
#	sql

	#
	#  If you receive stop packets with zero session length,
	#  they will NOT be logged in the database.  The SQL module
	#  will print a message (only in debugging mode), and will
	#  return "noop".
	#
	#  You can ignore these packets by uncommenting the following
	#  three lines.  Otherwise, the server will not respond to the
	#  accounting request, and the NAS will retransmit.
	#
#	if (noop) {
#		ok
#	}

	#
	#  Instead of sending the query to the SQL server,
	#  write it into a log file.
	#
#	sql_log

	#  Cisco VoIP specific bulk accounting
#	pgsql-voip

	# For Exec-Program and Exec-Program-Wait
	#
	# NOTE(review): anything rlm_exec launches runs on the RADIUS
	# host; keep the program it may run and the attributes it is
	# fed tightly scoped.
	exec

	#  Filter attributes from the accounting response.
	attr_filter.accounting_response

	#
	#  See "Autz-Type Status-Server" for how this works.
	#
#	Acct-Type Status-Server {
#
#	}
}
#  Session database, used for checking Simultaneous-Use. Either the radutmp
#  or rlm_sql module can handle this.
#  The rlm_sql module is *much* faster
#
#  NOTE(review): this consults the radutmp file, but 'radutmp' is
#  commented out in the 'accounting' section above, so the file is
#  never populated and Simultaneous-Use is effectively unenforced.
#  Enable radutmp in accounting, or move both sections to sql.
session {
	radutmp

	#
	#  See "Simultaneous Use Checking Queries" in sql.conf
#	sql
}
#  Post-Authentication
#  Once we KNOW that the user has been authenticated, there are
#  additional steps we can take.
#
#  Access-Reject packets take the 'Post-Auth-Type REJECT' sub-section
#  at the end instead of the main list.
post-auth {
	#  Get an address from the IP Pool.
#	main_pool

	#
	#  If you want to have a log of authentication replies,
	#  un-comment the following line, and the 'detail reply_log'
	#  section, above.
#	reply_log

	#
	#  After authenticating the user, do another SQL query.
	#
	#  See "Authentication Logging Queries" in sql.conf
#	sql

	#
	#  Instead of sending the query to the SQL server,
	#  write it into a log file.
	#
#	sql_log

	#
	#  Un-comment the following if you have set
	#  'edir_account_policy_check = yes' in the ldap module sub-section of
	#  the 'modules' section.
	#
#	ldap

	# For Exec-Program and Exec-Program-Wait
	#
	# NOTE(review): Exec-Program* are presumably reply items, so any
	# back-end that can write reply attributes (files, sql, ldap)
	# could make this host run a command after a successful login.
	# Verify against the rlm_exec documentation and keep write
	# access to those back-ends restricted.
	exec

	#
	#  Calculate the various WiMAX keys.  In order for this to work,
	#  you will need to define the WiMAX NAI, usually via
	#
	#	update request {
	#	       WiMAX-MN-NAI = "%{User-Name}"
	#	}
	#
	#  If you want various keys to be calculated, you will need to
	#  update the reply with "template" values.  The module will see
	#  this, and replace the template values with the correct ones
	#  taken from the cryptographic calculations.  e.g.
	#
	# 	update reply {
	#		WiMAX-FA-RK-Key = 0x00
	#		WiMAX-MSK = "%{EAP-MSK}"
	#	}
	#
	#  You may want to delete the MS-MPPE-*-Keys from the reply,
	#  as some WiMAX clients behave badly when those attributes
	#  are included.  See "raddb/modules/wimax", configuration
	#  entry "delete_mppe_keys" for more information.
	#
#	wimax

	#  If there is a client certificate (EAP-TLS, sometimes PEAP
	#  and TTLS), then some attributes are filled out after the
	#  certificate verification has been performed.  These fields
	#  MAY be available during the authentication, or they may be
	#  available only in the "post-auth" section.
	#
	#  The first set of attributes contains information about the
	#  issuing certificate which is being used.  The second
	#  contains information about the client certificate (if
	#  available).
	#
	#  If enabled, the example below copies certificate details into
	#  Reply-Message, i.e. sends them to the NAS and, typically, the
	#  user.  Useful for debugging; not something to leave on in
	#  production.
#
#	update reply {
#	       Reply-Message += "%{TLS-Cert-Serial}"
#	       Reply-Message += "%{TLS-Cert-Expiration}"
#	       Reply-Message += "%{TLS-Cert-Subject}"
#	       Reply-Message += "%{TLS-Cert-Issuer}"
#	       Reply-Message += "%{TLS-Cert-Common-Name}"
#	       Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
#
#	       Reply-Message += "%{TLS-Client-Cert-Serial}"
#	       Reply-Message += "%{TLS-Client-Cert-Expiration}"
#	       Reply-Message += "%{TLS-Client-Cert-Subject}"
#	       Reply-Message += "%{TLS-Client-Cert-Issuer}"
#	       Reply-Message += "%{TLS-Client-Cert-Common-Name}"
#	       Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
#	}

	#  MacSEC requires the use of EAP-Key-Name.  However, we don't
	#  want to send it for all EAP sessions.  Therefore, the EAP
	#  modules put required data into the EAP-Session-Id attribute.
	#  This attribute is never put into a request or reply packet.
	#
	#  Uncomment the next few lines to copy the required data into
	#  the EAP-Key-Name attribute
#	if (reply:EAP-Session-Id) {
#		update reply {
#			EAP-Key-Name := "%{reply:EAP-Session-Id}"
#		}
#	}

	#  If the WiMAX module did its work, you may want to do more
	#  things here, like delete the MS-MPPE-*-Key attributes.
	#
	#	if (updated) {
	#		update reply {
	#			MS-MPPE-Recv-Key !* 0x00
	#			MS-MPPE-Send-Key !* 0x00
	#		}
	#	}

	#
	#  Access-Reject packets are sent through the REJECT sub-section of the
	#  post-auth section.
	#
	#  Add the ldap module name (or instance) if you have set
	#  'edir_account_policy_check = yes' in the ldap module configuration
	#
	#  attr_filter.access_reject strips attributes that should never
	#  travel in a reject; keep it as the last entry.
	#
	Post-Auth-Type REJECT {
		# log failed authentications in SQL, too.
#		sql
		attr_filter.access_reject
	}
}
#
#  When the server decides to proxy a request to a home server,
#  the proxied request is first passed through the pre-proxy
#  stage.  This stage can re-write the request, or decide to
#  cancel the proxy.
#
#  Only a few modules currently have this method.
#
#  NOTE(review): every module here is commented out, so if realm
#  proxying is active (the 'suffix' module is enabled in 'authorize'
#  and 'preacct'), requests leave this server exactly as the NAS
#  sent them, unfiltered and unlogged.  Enable attr_filter.pre-proxy
#  and pre_proxy_log before proxying to a server you do not control.
#
pre-proxy {
#	attr_rewrite

	#  Uncomment the following line if you want to change attributes
	#  as defined in the preproxy_users file.
#	files

	#  Uncomment the following line if you want to filter requests
	#  sent to remote servers based on the rules defined in the
	#  'attrs.pre-proxy' file.
#	attr_filter.pre-proxy

	#  If you want to have a log of packets proxied to a home
	#  server, un-comment the following line, and the
	#  'detail pre_proxy_log' section, above.
#	pre_proxy_log
}
#
#  When the server receives a reply to a request it proxied
#  to a home server, the request may be massaged here, in the
#  post-proxy stage.
#
#  NOTE(review): attr_filter.post-proxy is disabled below, so a
#  home server's reply is forwarded to the NAS as-is -- whatever
#  attributes it returns are accepted.  If any home server is
#  outside your administrative control, enable the filter so the
#  'attrs' rules bound what it can hand to your NAS.
#
post-proxy {

	#  If you want to have a log of replies from a home server,
	#  un-comment the following line, and the 'detail post_proxy_log'
	#  section, above.
#	post_proxy_log

#	attr_rewrite

	#  Uncomment the following line if you want to filter replies from
	#  remote proxies based on the rules defined in the 'attrs' file.
#	attr_filter.post-proxy

	#
	#  If you are proxying LEAP, you MUST configure the EAP
	#  module, and you MUST list it here, in the post-proxy
	#  stage.
	#
	#  You MUST also use the 'nostrip' option in the 'realm'
	#  configuration.  Otherwise, the User-Name attribute
	#  in the proxied request will not match the user name
	#  hidden inside of the EAP packet, and the end server will
	#  reject the EAP request.
	#
	eap

	#
	#  If the server tries to proxy a request and fails, then the
	#  request is processed through the modules in this section.
	#
	#  The main use of this section is to permit robust proxying
	#  of accounting packets.  The server can be configured to
	#  proxy accounting packets as part of normal processing.
	#  Then, if the home server goes down, accounting packets can
	#  be logged to a local "detail" file, for processing with
	#  radrelay.  When the home server comes back up, radrelay
	#  will read the detail file, and send the packets to the
	#  home server.
	#
	#  With this configuration, the server always responds to
	#  Accounting-Requests from the NAS, but only writes
	#  accounting packets to disk if the home server is down.
	#
#	Post-Proxy-Type Fail {
#			detail
#	}
}