# -*- text -*-
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
## http://www.freeradius.org/
## $Id$
##
######################################################################
#
# The location of other config files and logfiles are declared
# in this file.
#
# Also general configuration for modules can be done in this
# file, it is exported through the API to modules that ask for
# it.
#
# See "man radiusd.conf" for documentation on the format of this
# file. Note that the individual configuration items are NOT
# documented in that "man" page. They are only documented here,
# in the comments.
#
# As of 2.0.0, FreeRADIUS supports a simple processing language
# in the "authorize", "authenticate", "accounting", etc. sections.
# See "man unlang" for details.
#
# NOTE(review): this file contains a database credential in clear
# text (see the "acc_sw_sql" module below) and disables the server
# log (see the "log" section). It must not be world-readable; the
# usual layout is owner root, group ${group}, mode 0640 or tighter.
#

# Installation paths. Later settings are built from these with the
# ${name} expansion syntax.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

#
# name of the running server. See also the "-n" command-line option.
name = freeradius

# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}

# Should likely be ${localstatedir}/lib/radiusd
db_dir = ${raddbdir}

# libdir: Where to find the rlm_* modules.
libdir = /usr/lib/freeradius

# pidfile: Where to place the PID of the RADIUS server.
# This file is written ONLY when running in daemon mode.
pidfile = ${run_dir}/${name}.pid

# chroot: directory where the server does "chroot".
# Left disabled here. Enabling it is an additional hardening step,
# but the paths above (logdir, libdir, the SQL socket) must then
# resolve inside the chroot.
#chroot = /path/to/chroot/directory

# Drop privileges after binding the RADIUS ports. The daemon does
# not run as root once started.
user = freerad
group = freerad

# max_request_time: The maximum time (in seconds) to handle a request.
# Requests still running after this are abandoned, which bounds the
# damage a stalled back end (e.g. the SQL server below) can do.
max_request_time = 15

# cleanup_delay: The time to wait (in seconds) before cleaning up a
# reply which was sent to the NAS. Keeping the reply lets the server
# answer a retransmitted request without processing it again.
cleanup_delay = 10

# max_requests: The maximum number of requests which the server keeps
# track of. This should be 256 multiplied by the number of clients.
# e.g. With 4 clients, this number should be 1024.
# The value below allows for roughly 256 clients by that rule.
max_requests = 65535

# hostname_lookups: Log the names of clients or just their IP addresses
# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
# "no" avoids a reverse-DNS dependency on the request path.
hostname_lookups = no

# Core dumps of this process could contain shared secrets and
# credentials; keep this off outside of debugging.
allow_core_dumps = no

# Regular expressions
regular_expressions = yes
extended_expressions = yes

# THREAD POOL CONFIGURATION
#
# The thread pool is a long-lived group of threads which
# take turns (round-robin) handling any incoming requests.
#
# You probably want to have a few spare threads around,
# so that high-load situations can be handled immediately. If you
# don't have any spare threads, then the request handling will
# be delayed while a new thread is created, and added to the pool.
thread pool {
	# Number of servers to start initially
	start_servers = 2

	# Limit on the total number of servers running.
	# If this limit is ever reached, clients will be LOCKED OUT, so it
	# should NOT BE SET TOO LOW. It is intended mainly as a brake to
	# keep a runaway server from taking the system with it as it spirals
	# down...
	#
	# NOTE(review): this is set equal to start_servers, so the pool can
	# never grow, and the "acc_sw_sql" module below gives it a blocking
	# SQL dependency. Two stalled SQL queries are enough to hit this
	# limit and lock clients out, as described above. An earlier note
	# here read "6 - sql", which suggests 6 was intended for the
	# SQL-backed configuration; confirm the intended value.
	max_servers = 2

	# It does this by periodically checking how many servers are
	# waiting for a request. If there are fewer than
	# min_spare_servers, it creates a new spare. If there are
	# more than max_spare_servers, some of the spares die off.
	# The default values are probably OK for most sites.
	min_spare_servers = 1
	# NOTE(review): 16 is larger than max_servers (2) above, so this
	# value can never be reached; some server versions reject this
	# combination at startup -- confirm against the running version.
	max_spare_servers = 16

	# num requests before server exit
	# 0 - the servers never exit
	max_requests_per_server = 0
}

# Logging section. The various "log_*" configuration items
# will eventually be moved here.
log {
	# Destination for log messages. This can be one of:
	#	files - log to "file", as defined below.
	#	syslog - to syslog (see also the "syslog_facility", below).
	#	stdout - standard output
	#	stderr - standard error.
	destination = files

	# The logging messages for the server are appended to the
	# tail of this file if destination == "files"
	#
	# NOTE(review): "file" points at /dev/null, so every server log
	# message (startup errors, module failures, client rejections) is
	# discarded. Together with "auth = no" below this daemon keeps no
	# authentication audit trail at all; accounting written by
	# "acc_sw_sql" is not a substitute for it. The packaged default
	# is kept commented out on the next line.
	#file = ${logdir}/radius.log
	file = /dev/null

	# If this configuration parameter is set, then log messages for
	# a *request* go to this file, rather than to radius.log.
	#requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log

	# Which syslog facility to use, if ${destination} == "syslog"
	syslog_facility = daemon

	# Log the full User-Name attribute, as it was found in the request.
	stripped_names = no

	# Log authentication requests to the log file.
	# "no" means Access-Accept / Access-Reject decisions are not
	# recorded (see the note on "file" above).
	auth = no

	# Log passwords with the authentication requests.
	#	auth_badpass - logs password if it's rejected
	#	auth_goodpass - logs password if it's correct
	# Both must stay "no" in production: either writes user
	# credentials to the log file in clear text.
	auth_badpass = no
	auth_goodpass = no

	# Log additional text at the end of the "Login OK" messages.
	# for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
	# configurations above have to be set to "yes".
	#
	# The strings below are dynamically expanded, which means that
	# you can put anything you want in them. However, note that
	# this expansion can be slow, and can negatively impact server
	# performance.
	#
	# msg_goodpass = ""
	# msg_badpass = ""
}

# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad

# SECURITY CONFIGURATION
security {
	# max_attributes: The maximum number of attributes
	# permitted in a RADIUS packet. Packets which have MORE
	# than this number of attributes in them will be dropped.
	# Setting this number to 0 means "allow any number of attributes"
	# A finite limit bounds per-packet parsing work from a hostile NAS.
	max_attributes = 200

	# reject_delay: When sending an Access-Reject, it can be
	# delayed for a few seconds. This may help slow down a DoS
	# attack. It also helps to slow down people trying to brute-force
	# crack a users password.
	# Setting this number to 0 means "send rejects immediately"
	# If this number is set higher than 'cleanup_delay', then the
	# rejects will be sent at 'cleanup_delay' time, when the request
	# is deleted from the internal cache of requests.
	reject_delay = 1

	# status_server: Whether or not the server will respond to Status-Server requests.
	# Only configured clients (those with a shared secret) can send
	# these; the reply discloses nothing beyond liveness.
	status_server = yes
}

# PROXY CONFIGURATION
# proxy_requests: Turns proxying of RADIUS requests on or off.
# Disabled, so no request is ever forwarded to another RADIUS server
# and proxy.conf is not loaded.
proxy_requests = no
#$INCLUDE proxy.conf

# CLIENTS CONFIGURATION
# NOTE(review): the global clients.conf include is disabled here.
# Without a client definition somewhere, the server has no shared
# secret to accept packets with; presumably clients are declared
# inside the listeners under sites-enabled/ -- verify, because an
# undefined client means a silent drop, not an error in this file.
#$INCLUDE clients.conf

# MODULE CONFIGURATION
#
# The names and configuration of each module is located in this section.
#
# After the modules are defined here, they may be referred to by name,
# in other sections of this configuration file.
#
modules {
	# rlm_sql instance used for accounting (it is instantiated
	# unconditionally in the "instantiate" section below).
	sql acc_sw_sql {
		#
		# Set the database to one of:
		#
		#	mysql, mssql, oracle, postgresql
		#
		database = "mysql"

		#
		# Which FreeRADIUS driver to use.
		#
		driver = "rlm_sql_${database}"

		# Connection info:
		# The database is on the loopback interface, so the unencrypted
		# MySQL connection never leaves the host.
		server = "127.0.0.1"
		port = 3306
		login = "radius"
		# NOTE(review): clear-text database credential. The value
		# looks like a placeholder and should be rotated; the file
		# permissions noted in the header are what protects it.
		password = "1122334455"

		# Database table configuration for everything except Oracle
		radius_db = "testdb"

		# Print all SQL statements when in debug mode (-x)
		# Keep off in production: the trace file would contain the
		# full text of every query, including user data.
		sqltrace = no
		sqltracefile = ${logdir}/sqltrace.sql

		# number of sql connections to make to server
		num_sql_socks = 2

		# number of seconds to delay retrying on a failed database
		# connection (per_socket)
		connect_failure_retry_delay = 60

		# lifetime of an SQL socket. If you are having network issues
		# such as TCP sessions expiring, you may need to set the socket
		# lifetime. If set to non-zero, any open connections will be
		# closed "lifetime" seconds after they were first opened.
		lifetime = 0

		# Maximum number of queries used by an SQL socket. If you are
		# having issues with SQL sockets lasting "too long", you can
		# limit the number of queries performed over one socket. After
		# "max_queries", the socket will be closed. Use 0 for "no limit".
		max_queries = 0
	}

	# As of 2.0.5, most of the module configurations are in a
	# sub-directory. Files matching the regex /[a-zA-Z0-9_.]+/
	# are loaded. The modules are initialized ONLY if they are
	# referenced in a processing section, such as authorize,
	# authenticate, accounting, pre/post-proxy, etc.
	#
	# The whole-directory include is disabled; only the "always"
	# module file is loaded, so any other module named in
	# sites-enabled/ must be defined elsewhere.
	#$INCLUDE ${confdir}/modules/
	$INCLUDE ${confdir}/modules/always
}

# Instantiation
#
# This section orders the loading of the modules. Modules
# listed here will get loaded BEFORE the later sections like
# authorize, authenticate, etc. get examined.
#
# This section is not strictly needed. When a section like
# authorize refers to a module, it's automatically loaded and
# initialized. However, some modules may not be listed in any
# of the following sections, so they can be listed here.
#
# Also, listing modules here ensures that you have control over
# the order in which they are initialized. If one module needs
# something defined by another module, you can list them in order
# here, and ensure that the configuration will be OK.
#
instantiate {
	#
	# Allows the execution of external scripts.
	# The entire command line (and output) must fit into 253 bytes.
	#
	# e.g. Framed-Pool = `%{exec:/bin/echo foo}`
	#exec

	#
	# The expression module doesn't do authorization,
	# authentication, or accounting. It only does dynamic
	# translation, of the form:
	#
	#	Session-Timeout = `%{expr:2 + 3}`
	#
	# So the module needs to be instantiated, but CANNOT be
	# listed in any other section. See 'doc/rlm_expr' for
	# more information.
	#
	#expr

	#
	# We add the counter module here so that it registers
	# the check-name attribute before any module which sets
	# it
	#daily
	#expiration
	#logintime

	# subsections here can be thought of as "virtual" modules.
	#
	# e.g. If you have two redundant SQL servers, and you want to
	# use them in the authorize and accounting sections, you could
	# place a "redundant" block in each section, containing the
	# exact same text. Or, you could uncomment the following
	# lines, and list "redundant_sql" in the authorize and
	# accounting sections.
	#
	#redundant redundant_sql {
	#	sql1
	#	sql2
	#}

	# The SQL instance defined above is connected at startup, so a
	# missing or unreachable database shows up when the server
	# starts rather than on the first accounting packet.
	acc_sw_sql
}

######################################################################
#
# Policies that can be applied in multiple places are listed
# globally. That way, they can be defined once, and referred
# to multiple times.
#
######################################################################

$INCLUDE policy.conf

######################################################################
## Load virtual servers.
$INCLUDE sites-enabled/

######################################################################
#
# All of the other configuration sections like "authorize {}",
# "authenticate {}", "accounting {}", have been moved to the
# the file:
#
#	raddb/sites-available/default
#
# This is the "default" virtual server that has the same
# configuration as in version 1.0.x and 1.1.x. The default
# installation enables this virtual server. You should
# edit it to create policies for your local site.
#
# For more documentation on virtual servers, see:
#
#	raddb/sites-available/README
#
######################################################################