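#
# WARNING: This file is automatically generated, do not edit
#
# $CONFIG_FILE_VERSION_INFO
#
# NOTE(review): the doubled dollar signs and the single-dollar upper-case
# names suggest this text is the input of a template generator, where a
# doubled dollar sign yields a literal one in the generated radiusd.conf.
# Confirm against the generator before editing. Avoid dollar signs in
# comments, since they would presumably be processed as well.

# --- Installation paths ---------------------------------------------------
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = $${localstatedir}/log/radius
raddbdir = $${sysconfdir}/raddb
radacctdir = $${logdir}/radacct
confdir = $${raddbdir}
run_dir = $${localstatedir}/run/radiusd
db_dir = $${localstatedir}/lib/radiusd
log_file = $${logdir}/radius.log
libdir = /usr/lib
pidfile = $${run_dir}/radiusd.pid

# --- Process identity -----------------------------------------------------
# The daemon runs under a dedicated unprivileged account. Every file named
# in this configuration (keytab, clients.conf, accounting and session files)
# has to be readable or writable by this account and by no broader group
# than necessary.
user = radiusd
group = radiusd

# --- Request handling -----------------------------------------------------
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024

# --- Network --------------------------------------------------------------
# Listens on every local address. Restrict to a specific address, or filter
# at the host firewall, if only some interfaces should accept RADIUS traffic.
bind_address = *
# NOTE(review): 0 is understood to mean "look the port up in the system
# services database"; confirm for the deployed server version.
port = 0
hostname_lookups = no

# Core dumps of this process can contain shared secrets and user
# credentials; keep disabled outside of debugging.
allow_core_dumps = no

regular_expressions = yes
extended_expressions = yes

# --- Logging --------------------------------------------------------------
log_stripped_names = no
# Authentication requests are not logged at all. If log_auth is ever turned
# on for auditing, leave the two password options below at "no" so that
# submitted passwords never reach the log file.
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no

usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = $${sbindir}/checkrad

# --- Protocol hardening ---------------------------------------------------
security {
	# Upper bound on attributes accepted in one packet.
	max_attributes = 200
	# Seconds to hold an Access-Reject before sending it; slows down
	# repeated password guessing.
	reject_delay = 1
	# Status-Server requests are not answered.
	status_server = no
}

proxy_requests = yes
$$INCLUDE $${confdir}/proxy.conf
# clients.conf is where RADIUS clients and their shared secrets are normally
# defined; it is not shown here. Keep it readable by the daemon account only.
$$INCLUDE $${confdir}/clients.conf
snmp = no
$$INCLUDE $${confdir}/snmp.conf

thread pool {
	start_servers = 5
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	max_requests_per_server = 0
}

# --- Module instances -----------------------------------------------------
# Defining an instance here does not by itself put it in the request path;
# only the instances named in the processing sections at the end of the
# file are invoked.
modules {
	chap {
		authtype = CHAP
	}

	pam {
		pam_auth = radiusd
	}

	# In this file "unix" is referenced only from the accounting section.
	unix {
		cache = no
		cache_reload = 600
		shadow = /etc/shadow
		radwtmp = $${logdir}/radwtmp
	}

	$$INCLUDE $${confdir}/eap.conf

	mschap {
	}

	# Directory lookups. The bind uses SASL/GSSAPI with the service keytab.
	ldap {
		server = "$LDAP_SERVER"
		use_sasl = yes
		sasl_mech = "GSSAPI"
		# The keytab holds the service's long-term key: owner-only
		# permissions for the daemon account.
		krb_keytab = "$RADIUS_KEYTAB"
		krb_principal = "$RADIUS_PRINCIPAL"
		basedn = "$RADIUS_USER_BASE_DN"
		# The user name comes from the request. NOTE(review): this
		# relies on the module escaping LDAP filter metacharacters in
		# expanded attributes; confirm for the deployed module version.
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
		base_filter = "(objectclass=radiusprofile)"
		# NOTE(review): with TLS off, protection of the LDAP traffic
		# depends on the security layer negotiated by GSSAPI; verify
		# that integrity and confidentiality are actually in effect,
		# or enable TLS.
		start_tls = no
		profile_attribute = "radiusProfileDn"
		# The value must be a complete quoted string.
		default_profile = "uid=ipa_default,cn=profiles,cn=radius,cn=services,cn=etc,$SUFFIX"
		# FIXME: we'll want to toggle the access_attr feature on/off,
		# but it needs a control, so disable it for now.
		#access_attr = "$ACCESS_ATTRIBUTE"
		#access_attr_used_for_allow = "$ACCESS_ATTRIBUTE_DEFAULT"
		dictionary_mapping = $${raddbdir}/ldap.attrmap
		ldap_connections_number = 5
		edir_account_policy_check=no
		timeout = 4
		timelimit = 3
		net_timeout = 1
		clients_basedn = "$CLIENTS_BASEDN"
	}

	# Realm parsers: each splits the user name on its delimiter.
	realm IPASS {
		format = prefix
		delimiter = "/"
		ignore_default = no
		ignore_null = no
	}

	realm suffix {
		format = suffix
		delimiter = "@"
		ignore_default = no
		ignore_null = no
	}

	realm realmpercent {
		format = suffix
		delimiter = "%"
		ignore_default = no
		ignore_null = no
	}

	realm ntdomain {
		format = prefix
		delimiter = "\\"
		ignore_default = no
		ignore_null = no
	}

	checkval {
		item-name = Calling-Station-Id
		check-name = Calling-Station-Id
		data-type = string
	}

	preprocess {
		huntgroups = $${confdir}/huntgroups
		hints = $${confdir}/hints
		with_ascend_hack = no
		ascend_channels_per_line = 23
		with_ntdomain_hack = no
		with_specialix_jetstream_hack = no
		with_cisco_vsa_hack = no
	}

	files {
		usersfile = $${confdir}/users
		acctusersfile = $${confdir}/acct_users
		preproxy_usersfile = $${confdir}/preproxy_users
		compat = no
	}

	# Accounting detail, one directory per client address, one file per
	# day. Files are created owner-only because they record user names
	# and session data.
	detail {
		detailfile = $${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
		detailperm = 0600
	}

	acct_unique {
		key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
	}

	# Session database including caller id: owner-only.
	radutmp {
		filename = $${logdir}/radutmp
		username = %{User-Name}
		case_sensitive = yes
		check_with_nas = yes
		perm = 0600
		callerid = "yes"
	}

	# World-readable variant; caller id is left out for that reason.
	radutmp sradutmp {
		filename = $${logdir}/sradutmp
		perm = 0644
		callerid = "no"
	}

	attr_filter {
		attrsfile = $${confdir}/attrs
	}

	counter daily {
		filename = $${db_dir}/db.daily
		key = User-Name
		count-attribute = Acct-Session-Time
		reset = daily
		counter-name = Daily-Session-Time
		check-name = Max-Daily-Session
		allowed-servicetype = Framed-User
		cache-size = 5000
	}

	# The two SQL counters refer to an "sql" instance that is not defined
	# in this file, and neither counter is named in a processing section
	# below. Their queries place the key attribute (User-Name) inside a
	# quoted SQL literal. NOTE(review): before enabling them, confirm that
	# the SQL module escapes expanded request attributes.
	sqlcounter dailycounter {
		counter-name = Daily-Session-Time
		check-name = Max-Daily-Session
		reply-name = Session-Timeout
		sqlmod-inst = sql
		key = User-Name
		reset = daily
		query = "SELECT SUM(AcctSessionTime - \
			GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
			FROM radacct WHERE UserName='%{%k}' AND \
			UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
	}

	sqlcounter monthlycounter {
		counter-name = Monthly-Session-Time
		check-name = Max-Monthly-Session
		reply-name = Session-Timeout
		sqlmod-inst = sql
		key = User-Name
		reset = monthly
		query = "SELECT SUM(AcctSessionTime - \
			GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
			FROM radacct WHERE UserName='%{%k}' AND \
			UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
	}

	# Fixed-result instances.
	always fail {
		rcode = fail
	}

	always reject {
		rcode = reject
	}

	always ok {
		rcode = ok
		simulcount = 0
		mpp = no
	}

	expr {
	}

	digest {
	}

	exec {
		wait = yes
		input_pairs = request
	}

	# Expands a client-supplied attribute into a command line. This
	# instance is not named in any processing section below.
	# NOTE(review): check how the server passes expanded values to the
	# program before enabling anything modelled on it.
	exec echo {
		wait = yes
		program = "/bin/echo %{User-Name}"
		input_pairs = request
		output_pairs = reply
	}

	ippool main_pool {
		range-start = 192.168.1.1
		range-stop = 192.168.3.254
		netmask = 255.255.255.0
		cache-size = 800
		session-db = $${db_dir}/db.ippool
		ip-index = $${db_dir}/db.ipindex
		override = no
		maximum-timeout = 0
	}

	# Kerberos password verification; uses the same keytab and principal
	# as the ldap instance above.
	krb5 {
		keytab = "$RADIUS_KEYTAB"
		service_principal = "$RADIUS_PRINCIPAL"
	}
}

# --- Processing sections --------------------------------------------------
instantiate {
	exec
	expr
}

# Authorization consults the directory; the local users file is disabled.
authorize {
	preprocess
	chap
	mschap
	suffix
	eap
	#files
	ldap
}

authenticate {
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	eap
	Auth-Type Kerberos {
		krb5
	}
}

preacct {
	preprocess
	acct_unique
	suffix
	files
}

accounting {
	detail
	unix
	radutmp
}

session {
	radutmp
}

post-auth {
}

pre-proxy {
}

post-proxy {
	eap
}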