# # This file contains the configuration for experimental modules. # # By default, it is NOT included in the build. # # $Id$ # # Configuration for the Python module. # # Where radiusd is a Python module, radiusd.py, and the # function 'authorize' is called. Here is a dummy piece # of code: # # def authorize(params): # print params # return (5, ('Reply-Message', 'banned')) # # The RADIUS value-pairs are passed as a tuple of tuple # pairs as the first argument, e.g. (('attribute1', # 'value1'), ('attribute2', 'value2')) # # The function return is a tuple with the first element # being the return value of the function. # The 5 corresponds to RLM_MODULE_USERLOCK. I plan to # write the return values as Python symbols to avoid # confusion. # # The remaining tuple members are the string form of # value-pairs which are passed on to pairmake(). # python { mod_instantiate = radiusd_test func_instantiate = instantiate mod_authorize = radiusd_test func_authorize = authorize mod_accounting = radiusd_test func_accounting = accounting mod_pre_proxy = radiusd_test func_pre_proxy = pre_proxy mod_post_proxy = radiusd_test func_post_proxy = post_proxy mod_post_auth = radiusd_test func_post_auth = post_auth mod_recv_coa = radiusd_test func_recv_coa = recv_coa mod_send_coa = radiusd_test func_send_coa = send_coa mod_detach = radiusd_test func_detach = detach } # Configuration for the example module. Uncommenting it will cause it # to get loaded and initialized, but should have no real effect as long # it is not referencened in one of the autz/auth/preacct/acct sections example { # Boolean variable. # allowed values: {no, yes} boolean = yes # An integer, of any value. integer = 16 # A string. string = "This is an example configuration string" # An IP address, either in dotted quad (1.2.3.4) or hostname # (example.com) ipaddr = 127.0.0.1 # A subsection mysubsection { anotherinteger = 1000 # They nest deeply nested { string = "This is a different string" } } } # # To create a dbm users file, do: # # cat test.users | rlm_dbm_parser -f /etc/raddb/users_db # # Then add 'dbm' in 'authorize' section. # # Note that even if the file has a ".db" or ".dbm" extension, # you may have to specify it here without that extension. This # is because the DBM libraries "helpfully" add a ".db" to the # filename, but don't check if it's already there. # dbm { usersfile = ${confdir}/users_db } # # Perform NT-Domain authentication. This only works # with PAP authentication. That is, Authentication-Request # packets containing a User-Password attribute. # # To use it, add 'smb' into the 'authenticate' section, # and then in another module (usually the 'users' file), # set 'Auth-Type := SMB' # # WARNING: this module is not only experimental, it's also # a security threat. It's not recommended to use it until # it gets fixed. # smb { server = ntdomain.server.example.com backup = backup.server.example.com domain = NTDOMAIN } # See doc/rlm_fastusers before using this # module or changing these values. # fastusers { usersfile = ${confdir}/users_fast hashsize = 1000 compat = no # Reload the hash every 600 seconds (10mins) hash_reload = 600 } # Caching module # # Should be added in the post-auth section (after all other modules) # and in the authorize section (before any other modules) # # authorize { # caching { # ok = return # } # [... other modules ...] # } # post-auth { # [... other modules ...] # caching # } # # The caching module will cache the Auth-Type and reply items # and send them back on any subsequent requests for the same key # # Configuration: # # filename: The gdbm file to use for the cache database # (can be memory mapped for more speed) # # key: A string to xlat and use as a key. For instance, # "%{Acct-Unique-Session-Id}" # # post-auth: If we find a cached entry, set the post-auth to that value # # cache-ttl: The time to cache the entry. The same time format # as the counter module apply here. # num[hdwm] where: # h: hours, d: days, w: weeks, m: months # If the letter is ommited days will be assumed. # e.g. 1d == one day # # cache-size: The gdbm cache size to request (default 1000) # # hit-ratio: If set to non-zero we print out statistical # information after so many cache requests # # cache-rejects: Do we also cache rejects, or not? (default 'yes') # caching { filename = ${db_dir}/db.cache cache-ttl = 1d hit-ratio = 1000 key = "%{Acct-Unique-Session-Id}" #post-auth = "" # cache-size = 2000 # cache-rejects = yes } # Simple module for logging of Account packets to radiusd.log # You need to declare it in the accounting section for it to work acctlog { acctlog_update = "" acctlog_start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})" acctlog_stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds" acctlog_on = "NAS %C (%{NAS-IP-Address}) just came online" acctlog_off = "NAS %C (%{NAS-IP-Address}) just went offline" } # Another implementation of the EAP module. # # This module requires the libeap.so file from the hostap # software (http://hostap.epitest.fi/hostapd/). It has been # tested on the development version of hostapd (0.6.1) ONLY. # # In order to use it, you MUST build a "libeap.so" in hostapd, # which is not done by default. # # You MUST also edit the file: src/modules/rlm_eap2/Makefile # to point to the location of the hostap include files. # # This module CANNOT be used in the same way as the current # FreeRADIUS "eap" module. There is NO way to look inside of # a tunneled request. There is NO way to proxy a tunneled # request. There is NO way to even look at the user name inside # of the tunneled request. There is NO way to control the # choice of EAP types inside of the tunnel. You MUST force # the server to choose "eap2" for authentication, because this # module has no "authorize" section. # # If you want to use this module for experimentation, please # post your comments to the freeradius-devel list: # # http://lists.freeradius.org/mailman/listinfo/freeradius-devel # # If you want to use this module in a production (i.e. real-world) # environment: # # !!! DO NOT USE IT IN A PRODUCTION ENVIRONMENT !!! # # The module needs additional work to make it ready for # production use.. Please supply patches, or sponsor the # work by hiring a developer. Do NOT ask when the work will # be done, because there is no plan to finish this module # unless there is demand for it. # eap2 { # EAP types are chosen in the order that they are # listed in this section. There is no "default_eap_type" # as with rlm_eap. Instead, the *first* EAP type is # used as the default type. # peap { } ttls { } # This is the ONLY EAP type that has any configuration. # All other EAP types have no configuration. # tls { ca_cert = ${confdir}/certs/ca.pem server_cert = ${confdir}/certs/server.pem private_key_file = ${confdir}/certs/server.pem private_key_password = whatever } # # These next two methods do not supply keying material. # md5 { } mschapv2 { } # LEAP is NOT supported by this module. # Use the "eap" module instead. # For other methods that MIGHT work, see the # configuration of hostap. The methods are statically # linked in at compile time, and cannot be controlled # here. } # Configuration for experimental EAP types. The sub-sections # can be copied into eap.conf. eap { ikev2 { # Server auth type # Allowed values are: # cert - for certificate based server authentication, # other required settings for this type are # 'private_key_file' and 'certificate_file' # secret - for shared secret based server authentication, # other required settings for this type is 'id' # Default value of this option is 'secret' # server_authtype=cert # Allowed default client auth types # Allowed values are: # secret - for shared secret based client authentication # cert - for certificate based client authentication # both - shared secret and certificate is allowed # none - authentication will always fail # Default value for this option is 'both'. This option could # be overwritten within 'usersfile' file by EAP-IKEv2-Auth # option. # default_authtype = both # path to trusted CA certificate file CA_file="/path/to/CA/cacert.pem" # path to CRL file, if not set, then there will be no # checks against CRL # crl_file="/path/to/crl.pem" # path to file with user settings # # Note that this file is read ONLY on module initialization! # # default ${confdir}/eap_ikev2_users # usersfile=${confdir}/eap_ikev2_users # # Sample "eap_ikev2_users" file entry: # #username EAP-IKEv2-IDType := KEY_ID, EAP-IKEv2-Secret := "tajne" ## where: ## username - client user name from IKE-AUTH (IDr) or CommonName ## from x509 certificate ## EAP-IKEv2-IDType - ID Type - same as in expected IDType payload ## allowable attributes for EAP-IKEv2-IDType: ## IPV4_ADDR FQDN RFC822_ADDR IPV6_ADDR DER_ASN1_DN ## DER_ASN1_GN KEY_ID ## EAP-IKEv2-Secret - shared secret ## EAP-IKEv2-AuthType - optional parameter which defines expected client auth ## type. Allowed values are: secret,cert,both,none. ## For the meaning of this values, please see the ## description of 'default_authtype'. ## This attribute can overwrite 'default_authtype' value. # path to file with server private key private_key_file="/path/to/srv-private-key.pem" # password to private key file private_key_password="passwd" # path to file with server certificate certificate_file="/path/to/srv-cert.pem" # server identity string id="deMaio" # Server identity type. Allowed values are: # IPV4_ADDR, FQDN, RFC822_ADDR, IPV6_ADDR, ASN1_DN, ASN1_GN, # KEY_ID # Default value is: KEY_ID # id_type = KEY_ID # MTU (default: 1398) # fragment_size = 1398 # maximal allowed number of resends SA_INIT after receiving # 'invalid KEY' notification (default 3) # DH_counter_max = 3 # option which is used to control whenever send CERT REQ # payload or not. # Allowed values for this option are "yes" or "no". #Default value is "no". # certreq = "yes" # option which cotrols fast reconnect capability. # Allowed valuse for this option are "yes" or "no". # Default value is "yes". # enable_fast_reauth = "no" # option which is used to control performing of DH exchange # during fast rekeying protocol run. # Allowed values for this option are "yes" or "no". # Default value is "no" # fast_DH_exchange = "yes" # Option which is used to set up expiration time of inactive # IKEv2 session. # After selected period of time (in seconds), inactive # session data will be deleted. # Default value of this option is set to 900 seconds # fast_timer_expire = 900 # list of server proposals of available cryptographic # suites proposals { # proposal number #1 proposal { # Supported transforms types: encryption, # prf, integrity, dhgroup. For multiple # transforms just simple repeat key (i.e. # integity). # encryption algorithm # supported algorithms: # null,3des,aes_128_cbc,aes_192_cbc, # aes_256_cbc,idea # blowfish:n, where n range from 8 to 448 bits, # step 8 bits # cast:n, where n range from 40 to 128 bits, # step 8 bits encryption = 3des # pseudo random function. Supported prf's: # hmac_md5, hmac_sha1, hmac_tiger prf = hmac_sha1 # integrity algorithm. Supported algorithms: # hmac_md5_96, hmac_sha1_96,des_mac integrity = hmac_sha1_96 integrity = hmac_md5_96 # Diffie-Hellman groups: # modp768, modp1024, modp1536, modp2048, # modp3072, modp4096, modp6144, modp8192 dhgroup = modp2048 } # proposal number #2 proposal { encryption = 3des prf = hmac_md5 integrity = hmac_md5_96 dhgroup = modp1024 } # proposal number #3 proposal { encryption=3des prf=hmac_md5 integrity=hmac_md5_96 dhgroup=modp2048 } } } }