radiusd.conf

H.323网守实现

	#
	status_server = no
}

proxy_requests  = no

$INCLUDE  ${confdir}/clients.conf

snmp	= no


# THREAD POOL CONFIGURATION
#
#  The thread pool is a long-lived group of threads which
#  take turns (round-robin) handling any incoming requests.
#
#  You probably want to have a few spare threads around,
#  so that high-load situations can be handled immediately.  If you
#  don't have any spare threads, then the request handling will
#  be delayed while a new thread is created, and added to the pool.
#
#  You probably don't want too many spare threads around,
#  otherwise they'll be sitting there taking up resources, and
#  not doing anything productive.
#
#  The numbers given below should be adequate for most situations.
#
thread pool {
	#  Number of servers to start initially --- should be a reasonable
	#  ballpark figure.
	start_servers = 2

	#  Limit on the total number of servers running.
	#
	#  If this limit is ever reached, clients will be LOCKED OUT, so it
	#  should NOT BE SET TOO LOW.  It is intended mainly as a brake to
	#  keep a runaway server from taking the system with it as it spirals
	#  down...
	#
	#  You may find that the server is regularly reaching the
	#  'max_servers' number of threads, and that increasing
	#  'max_servers' doesn't seem to make much difference.
	#
	#  If this is the case, then the problem is MOST LIKELY that
	#  your back-end databases are taking too long to respond, and
	#  are preventing the server from responding in a timely manner.
	#
	#  The solution is NOT do keep increasing the 'max_servers'
	#  value, but instead to fix the underlying cause of the
	#  problem: slow database, or 'hostname_lookups=yes'.
	#
	#  For more information, see 'max_request_time', above.
	#
	max_servers = 10

	#  Server-pool size regulation.  Rather than making you guess
	#  how many servers you need, FreeRADIUS dynamically adapts to
	#  the load it sees, that is, it tries to maintain enough
	#  servers to handle the current load, plus a few spare
	#  servers to handle transient load spikes.
	#
	#  It does this by periodically checking how many servers are
	#  waiting for a request.  If there are fewer than
	#  min_spare_servers, it creates a new spare.  If there are
	#  more than max_spare_servers, some of the spares die off.
	#  The default values are probably OK for most sites.
	#
	min_spare_servers = 1
	max_spare_servers = 2

	#  There may be memory leaks or resource allocation problems with
	#  the server.  If so, set this value to 300 or so, so that the
	#  resources will be cleaned up periodically.
	#
	#  This should only be necessary if there are serious bugs in the
	#  server which have not yet been fixed.
	#
	#  '0' is a special value meaning 'infinity', or 'the servers never
	#  exit'
	max_requests_per_server = 0
}

# MODULE CONFIGURATION
#
#  The names and configuration of each module is located in this section.
#
#  After the modules are defined here, they may be referred to by name,
#  in other sections of this configuration file.
#
modules {
	#
	#  Each module has a configuration as follows:
	#
	#	name [ instance ] {
	#		config_item = value
	#		...
	#	}
	#
	#  The 'name' is used to load the 'rlm_name' library
	#  which implements the functionality of the module.
	#
	#  The 'instance' is optional.  To have two different instances
	#  of a module, it first must be referred to by 'name'.
	#  The different copies of the module are then created by
	#  inventing two 'instance' names, e.g. 'instance1' and 'instance2'
	#
	#  The instance names can then be used in later configuration
	#  INSTEAD of the original 'name'.  See the 'radutmp' configuration
	#  below for an example.
	#

	# PAP module to authenticate users based on their stored password
	#
	#  Supports multiple encryption schemes
	#  clear: Clear text
	#  crypt: Unix crypt
	#    md5: MD5 ecnryption
	#   sha1: SHA1 encryption.
	#  DEFAULT: crypt
	pap {
		encryption_scheme = crypt
	}

	# CHAP module
	#
	#  To authenticate requests containing a CHAP-Password attribute.
	#
	chap {
		authtype = CHAP
	}

	# Realm module, for proxying.
	#
	#  You can have multiple instances of the realm module to
	#  support multiple realm syntaxs at the same time.  The
	#  search order is defined the order in the authorize and
	#  preacct blocks after the module config block.
	#
	#  Two config options:
	#	format     -  must be 'prefix' or 'suffix'
	#	delimiter  -  must be a single character

	#  'realm/username'
	#
	#  Using this entry, IPASS users have their realm set to "IPASS".
	realm realmslash {
		format = prefix
		delimiter = "/"
	}

	#  'username@realm'
	#
	realm suffix {
		format = suffix
		delimiter = "@"
	}

	#  'username%realm'
	#
	realm realmpercent {
		format = suffix
		delimiter = "%"
	}
	
	#  rewrite arbitrary packets.  Useful in accounting and authorization.
	#
	## This module is highly experimental at the moment.  Please give 
	## feedback to the mailing list.
	#
	#  The module can also use the Rewrite-Rule attribute. If it
	#  is set and matches the name of the module instance, then
	#  that module instance will be the only one which runs.
	#
	#  Also if new_attribute is set to yes then a new attribute
	#  will be created containing the value replacewith and it
	#  will be added to searchin (packet, reply or config).
	# searchfor,ignore_case and max_matches will be ignored in that case.

	#
	#attr_rewrite sanecallerid {
	#	attribute = Called-Station-Id
		# may be "packet", "reply", or "config"
	#	searchin = packet
	#	searchfor = "[+ ]"
	#	replacewith = ""
	#	ignore_case = no
	#	new_attribute = no
	#	max_matches = 10
	#	## If set to yes then the replace string will be appended to the original string
	#	append = no
	#}

	# Preprocess the incoming RADIUS request, before handing it off
	# to other modules.
	#
	#  This module processes the 'huntgroups' and 'hints' files.
	#  In addition, it re-writes some weird attributes created
	#  by some NASes, and converts the attributes into a form which
	#  is a little more standard.
	#
	preprocess {
		# huntgroups = 'huntgroups'
		# hints = 'hints'
		
		# This hack changes Ascend's wierd port numberings
		# to standard 0-??? port numbers so that the "+" works
		# for IP address assignments.
		with_ascend_hack = no
		ascend_channels_per_line = 23

		# Windows NT machines often authenticate themselves as
		# NT_DOMAIN\username
		#
		# If this is set to 'yes', then the NT_DOMAIN portion
		# of the user-name is silently discarded.
		with_ntdomain_hack = no

		# Specialix Jetstream 8500 24 port access server.
		#
		# If the user name is 10 characters or longer, a "/"
		# and the excess characters after the 10th are
		# appended to the user name.
		#
		# If you're not running that NAS, you don't need
		# this hack.
		with_specialix_jetstream_hack = no

		# Cisco sends it's VSA attributes with the attribute
		# name *again* in the string, like:
		#
		#   H323-Attribute = "h323-attribute=value".
		#
		# If this configuration item is set to 'yes', then
		# the redundant data in the the attribute text is stripped
		# out.  The result is:
		#
		#  H323-Attribute = "value"
		#
		# If you're not running a Cisco NAS, you don't need
		# this hack.
		with_cisco_vsa_hack = yes
	}

	# Write a detailed log of all accounting records received.
	#
	detail {
		#  Note that we do NOT use NAS-IP-Address here, as
		#  that attribute MAY BE from the originating NAS, and
		#  NOT from the proxy which actually sent us the
		#  request.  The Client-IP-Address attribute is ALWAYS
		#  the address of the client which sent us the
		#  request.
		#
		#  The following line creates a new detail file for
		#  every radius client (by IP address or hostname).
		#  In addition, a new detail file is created every
		#  day, so that the detail file doesn't have to go
		#  through a 'log rotation'
		#
		#  If your detail files are large, you may also want
		#  to add a ':%H' (see doc/variables.txt) to the end
		#  of it, to create a new detail file every hour, e.g.:
		#
		#   ..../detail-%Y%m%d:%H
		#
		#  This will create a new detail file for every hour.
		#
		detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d

		#
		#  The Unix-style permissions on the 'detail' file.
		#
		#  The detail file often contains secret or private
		#  information about users.  So by keeping the file
		#  permissions restrictive, we can prevent unwanted
		#  people from seeing that information.
		detailperm = 0600
	}

	detail auth_log {
		detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d

		#
		#  This MUST be 0600, otherwise anyone can read
		#  the users passwords!
		detailperm = 0600
	}

	#
	#  This module logs authentication reply packets sent
	#  to a NAS.  Both Access-Accept and Access-Reject packets
	#  are logged.
	#
	#  You will also need to un-comment the 'reply_log' line
	#  in the 'post-auth' section, below.
	#
	detail reply_log {
		detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d

		#
		#  This MUST be 0600, otherwise anyone can read
		#  the users passwords!
		detailperm = 0600
	}

	# Create a unique accounting session Id.  Many NASes re-use or
	# repeat values for Acct-Session-Id, causing no end of
	# confusion.
	#
	#  This module will add a (probably) unique session id 
	#  to an accounting packet based on the attributes listed
	#  below found in the packet.  See doc/rlm_acct_unique for
	#  more information.
	#
	acct_unique {
		key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
	}


	#  Include another file that has the SQL-related configuration.
	#  This is another file only because it tends to be big.
	#
	#  The following configuration file is for use with MySQL.
	#
	#  For Postgresql, use:		${confdir}/postgresql.conf
	#  For MS-SQL, use:	 	${confdir}/mssql.conf
	#  For Oracle, use:	 	${confdir}/oraclesql.conf
	#
	$INCLUDE  ${confdir}/postgresql.conf

	#  Write a 'utmp' style file, of which users are currently
	#  logged in, and where they've logged in from.
	#
	#  This file is used mainly for Simultaneous-Use checking,
	#  and also 'radwho', to see who's currently logged in.
	#
	radutmp {
		#  Where the file is stored.  It's not a log file,
		#  so it doesn't need rotating.
		#
		filename = ${logdir}/radutmp

		#  The field in the packet to key on for the
		#  'user' name,  If you have other fields which you want
		#  to use to key on to control Simultaneous-Use,