Diffstat (limited to 'ipa-radius-server/share/radius.radiusd.conf.template')
-rw-r--r--ipa-radius-server/share/radius.radiusd.conf.template285
1 files changed, 285 insertions, 0 deletions
diff --git a/ipa-radius-server/share/radius.radiusd.conf.template b/ipa-radius-server/share/radius.radiusd.conf.template
new file mode 100644
index 000000000..3bc4927dd
--- /dev/null
+++ b/ipa-radius-server/share/radius.radiusd.conf.template
@@ -0,0 +1,285 @@
+#
+# WARNING: This file is automatically generated, do not edit
+#
+# $CONFIG_FILE_VERSION_INFO
+#
+prefix = /usr
+exec_prefix = /usr
+sysconfdir = /etc
+localstatedir = /var
+sbindir = /usr/sbin
+logdir = $${localstatedir}/log/radius
+raddbdir = $${sysconfdir}/raddb
+radacctdir = $${logdir}/radacct
+confdir = $${raddbdir}
+run_dir = $${localstatedir}/run/radiusd
+db_dir = $${localstatedir}/lib/radiusd
+log_file = $${logdir}/radius.log
+libdir = /usr/lib
+pidfile = $${run_dir}/radiusd.pid
+user = radiusd
+group = radiusd
+max_request_time = 30
+delete_blocked_requests = no
+cleanup_delay = 5
+max_requests = 1024
+bind_address = *
+port = 0
+hostname_lookups = no
+allow_core_dumps = no
+regular_expressions = yes
+extended_expressions = yes
+log_stripped_names = no
+log_auth = no
+log_auth_badpass = no
+log_auth_goodpass = no
+usercollide = no
+lower_user = no
+lower_pass = no
+nospace_user = no
+nospace_pass = no
+checkrad = $${sbindir}/checkrad
+security {
+ max_attributes = 200
+ reject_delay = 1
+ status_server = no
+}
+proxy_requests = yes
+$$INCLUDE $${confdir}/proxy.conf
+$$INCLUDE $${confdir}/clients.conf
+snmp = no
+$$INCLUDE $${confdir}/snmp.conf
+thread pool {
+ start_servers = 5
+ max_servers = 32
+ min_spare_servers = 3
+ max_spare_servers = 10
+ max_requests_per_server = 0
+}
+modules {
+ chap {
+ authtype = CHAP
+ }
+ pam {
+ pam_auth = radiusd
+ }
+ unix {
+ cache = no
+ cache_reload = 600
+ shadow = /etc/shadow
+ radwtmp = $${logdir}/radwtmp
+ }
+$$INCLUDE $${confdir}/eap.conf
+ mschap {
+ }
+ ldap {
+ server = "$LDAP_SERVER"
+ use_sasl = yes
+ sasl_mech = "GSSAPI"
+ krb_keytab = "$RADIUS_KEYTAB"
+ krb_principal = "$RADIUS_PRINCIPAL"
+ basedn = "$RADIUS_USER_BASE_DN"
+ filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
+ base_filter = "(objectclass=radiusprofile)"
+ start_tls = no
+ profile_attribute = "radiusProfileDn"
+ default_profile = "uid=ipa_default,cn=profiles,cn=radius,cn=services,cn=etc,$SUFFIX
+ # FIXME: we'll want to toggle the access_attr feature on/off,
+ # but it needs a control, so disable it for now.
+ #access_attr = "$ACCESS_ATTRIBUTE"
+ #access_attr_used_for_allow = "$ACCESS_ATTRIBUTE_DEFAULT"
+ dictionary_mapping = $${raddbdir}/ldap.attrmap
+ ldap_connections_number = 5
+ edir_account_policy_check=no
+ timeout = 4
+ timelimit = 3
+ net_timeout = 1
+ clients_basedn = "$CLIENTS_BASEDN"
+ }
+ realm IPASS {
+ format = prefix
+ delimiter = "/"
+ ignore_default = no
+ ignore_null = no
+ }
+ realm suffix {
+ format = suffix
+ delimiter = "@"
+ ignore_default = no
+ ignore_null = no
+ }
+ realm realmpercent {
+ format = suffix
+ delimiter = "%"
+ ignore_default = no
+ ignore_null = no
+ }
+ realm ntdomain {
+ format = prefix
+ delimiter = "\\"
+ ignore_default = no
+ ignore_null = no
+ }
+ checkval {
+ item-name = Calling-Station-Id
+ check-name = Calling-Station-Id
+ data-type = string
+ }
+ preprocess {
+ huntgroups = $${confdir}/huntgroups
+ hints = $${confdir}/hints
+ with_ascend_hack = no
+ ascend_channels_per_line = 23
+ with_ntdomain_hack = no
+ with_specialix_jetstream_hack = no
+ with_cisco_vsa_hack = no
+ }
+ files {
+ usersfile = $${confdir}/users
+ acctusersfile = $${confdir}/acct_users
+ preproxy_usersfile = $${confdir}/preproxy_users
+ compat = no
+ }
+ detail {
+ detailfile = $${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
+ detailperm = 0600
+ }
+ acct_unique {
+ key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
+ }
+ radutmp {
+ filename = $${logdir}/radutmp
+ username = %{User-Name}
+ case_sensitive = yes
+ check_with_nas = yes
+ perm = 0600
+ callerid = "yes"
+ }
+ radutmp sradutmp {
+ filename = $${logdir}/sradutmp
+ perm = 0644
+ callerid = "no"
+ }
+ attr_filter {
+ attrsfile = $${confdir}/attrs
+ }
+ counter daily {
+ filename = $${db_dir}/db.daily
+ key = User-Name
+ count-attribute = Acct-Session-Time
+ reset = daily
+ counter-name = Daily-Session-Time
+ check-name = Max-Daily-Session
+ allowed-servicetype = Framed-User
+ cache-size = 5000
+ }
+ sqlcounter dailycounter {
+ counter-name = Daily-Session-Time
+ check-name = Max-Daily-Session
+ reply-name = Session-Timeout
+ sqlmod-inst = sql
+ key = User-Name
+ reset = daily
+ query = "SELECT SUM(AcctSessionTime - \
+ GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
+ FROM radacct WHERE UserName='%{%k}' AND \
+ UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
+ }
+ sqlcounter monthlycounter {
+ counter-name = Monthly-Session-Time
+ check-name = Max-Monthly-Session
+ reply-name = Session-Timeout
+ sqlmod-inst = sql
+ key = User-Name
+ reset = monthly
+ query = "SELECT SUM(AcctSessionTime - \
+ GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
+ FROM radacct WHERE UserName='%{%k}' AND \
+ UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
+ }
+ always fail {
+ rcode = fail
+ }
+ always reject {
+ rcode = reject
+ }
+ always ok {
+ rcode = ok
+ simulcount = 0
+ mpp = no
+ }
+ expr {
+ }
+ digest {
+ }
+ exec {
+ wait = yes
+ input_pairs = request
+ }
+ exec echo {
+ wait = yes
+ program = "/bin/echo %{User-Name}"
+ input_pairs = request
+ output_pairs = reply
+ }
+ ippool main_pool {
+ range-start = 192.168.1.1
+ range-stop = 192.168.3.254
+ netmask = 255.255.255.0
+ cache-size = 800
+ session-db = $${db_dir}/db.ippool
+ ip-index = $${db_dir}/db.ipindex
+ override = no
+ maximum-timeout = 0
+ }
+ krb5 {
+ keytab = "$RADIUS_KEYTAB"
+ service_principal = "$RADIUS_PRINCIPAL"
+ }
+}
+instantiate {
+ exec
+ expr
+}
+authorize {
+ preprocess
+ chap
+ mschap
+ suffix
+ eap
+ #files
+ ldap
+}
+authenticate {
+ Auth-Type CHAP {
+ chap
+ }
+ Auth-Type MS-CHAP {
+ mschap
+ }
+ eap
+ Auth-Type Kerberos {
+ krb5
+ }
+}
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+accounting {
+ detail
+ unix
+ radutmp
+}
+session {
+ radutmp
+}
+post-auth {
+}
+pre-proxy {
+}
+post-proxy {
+ eap
+}
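Review bot: The `default_profile` line in the ldap module block is missing its closing double quote — `default_profile = "uid=ipa_default,cn=profiles,cn=radius,cn=services,cn=etc,$SUFFIX` — so the rendered radiusd.conf will contain an unterminated string where the ldap module is configured; it should end `...cn=etc,$SUFFIX"`. Because `access_attr` is commented out as the FIXME says, nothing in the ldap block restricts which matched entries are authorized, so the effect is worth spelling out next to the FIXME, e.g. `# NOTE: with access_attr disabled every entry matching the uid filter is authorized`. The two commented-out lines still carry the `$ACCESS_ATTRIBUTE` and `$ACCESS_ATTRIBUTE_DEFAULT` placeholders, and a strict template substitution would presumably still try to resolve them — confirm the renderer supplies those keys or tolerates missing ones. Separately, `log_auth = no` together with `log_auth_badpass = no` and `log_auth_goodpass = no` means no authentication outcomes reach `radius.log`; if that is not deliberate, `log_auth = yes` keeps failed attempts visible to operators.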