
📄 radiusd.conf

📁 H.323 gatekeeper implementation
📖 Page 1 of 3
		#  then you can use them here.
		#
		#  Note, however, that the size of the field in the
		#  'utmp' data structure is small, around 32
		#  characters, so that will limit the possible choices
		#  of keys.
		#
		username = %{User-Name}

		#  Whether or not we want to treat "user" the same
		#  as "USER", or "User".  Some systems have problems
		#  with case sensitivity, so this should be set to
		#  'no' to enable the comparisons of the key attribute
		#  to be case insensitive.
		#
		case_sensitive = yes

		#  Accounting information may be lost, so the user MAY
		#  have logged off of the NAS, but we haven't noticed.
		#  If so, we can verify this information with the NAS,
		#
		#  If we want to believe the 'utmp' file, then this
		#  configuration entry can be set to 'no'.
		#
		check_with_nas = yes

		# Set the file permissions, as the contents of this file
		# are usually private.
		perm = 0600

		callerid = "yes"
	}

	# "Safe" radutmp - does not contain caller ID, so it can be
	# world-readable, and radwho can work for normal users, without
	# exposing any information that isn't already exposed by who(1).
	#
	# This is another 'instance' of the radutmp module, but it is given
	# the name "sradutmp" to identify it later in the "accounting"
	# section.
	radutmp sradutmp {
		filename = ${logdir}/sradutmp
		perm = 0644
		callerid = "no"
	}

	# attr_filter - filters the attributes received in replies from
	# proxied servers, to make sure we send back to our RADIUS client
	# only allowed attributes.
	attr_filter {
		attrsfile = ${confdir}/attrs
	}

	#  counter module:
	#  This module takes an attribute (count-attribute).
	#  It also takes a key, and creates a counter for each unique
	#  key.  The count is incremented when accounting packets are
	#  received by the server.  The value of the increment depends
	#  on the attribute type.
	#  If the attribute is Acct-Session-Time or of an integer type we add the
	#  value of the attribute. If it is anything else we increase the
	#  counter by one.
	#
	#  The 'reset' parameter defines when the counters are all reset to
	#  zero.  It can be hourly, daily, weekly, monthly or never.
	#
	#  hourly: Reset on 00:00 of every hour
	#  daily: Reset on 00:00:00 every day
	#  weekly: Reset on 00:00:00 on sunday
	#  monthly: Reset on 00:00:00 of the first day of each month
	#
	#  It can also be user defined. It should be of the form:
	#  num[hdwm] where:
	#  h: hours, d: days, w: weeks, m: months
	#  If the letter is omitted days will be assumed. For example:
	#  reset = 10h (reset every 10 hours)
	#  reset = 12  (reset every 12 days)
	#
	#
	#  The check-name attribute defines an attribute which will be
	#  registered by the counter module and can be used to set the
	#  maximum allowed value for the counter after which the user
	#  is rejected.
	#  Something like:
	#
	#  DEFAULT Max-Daily-Session := 36000
	#          Fall-Through = 1
	#
	#  You should add the counter module in the instantiate
	#  section so that it registers check-name before the files
	#  module reads the users file.
	#
	#  If check-name is set and the user is to be rejected then we
	#  send back a Reply-Message and we log a Failure-Message in
	#  the radius.log
	#  If the count attribute is Acct-Session-Time then on each login
	#  we send back the remaining online time as a Session-Timeout attribute
	#
	#  The counter-name can also be used instead of using the check-name
	#  like below:
	#
	#  DEFAULT  Daily-Session-Time > 3600, Auth-Type = Reject
	#      Reply-Message = "You've used up more than one hour today"
	#
	#  The allowed-servicetype attribute can be used to only take
	#  into account specific sessions. For example if a user first
	#  logs in through a login menu and then selects ppp there will
	#  be two sessions. One for Login-User and one for Framed-User
	#  service type. We only need to take into account the second one.
	#
	#  The module should be added in the instantiate, authorize and
	#  accounting sections.  Make sure that in the authorize
	#  section it comes after any module which sets the
	#  'check-name' attribute.
	#
	counter daily {
		filename = ${raddbdir}/db.daily
		key = User-Name
		count-attribute = Acct-Session-Time
		reset = daily
		counter-name = Daily-Session-Time
		check-name = Max-Daily-Session
		allowed-servicetype = Framed-User
		cache-size = 5000
	}

	# The "always" module is here for debugging purposes. Each
	# instance simply returns the same result, always, without
	# doing anything.
	always fail {
		rcode = fail
	}
	always reject {
		rcode = reject
	}
	always ok {
		rcode = ok
		simulcount = 0
		mpp = no
	}

	#
	#  The 'expression' module currently has no configuration.
	expr {
	}

	#
	#  The 'digest' module currently has no configuration.
	#
	#  "Digest" authentication against a Cisco SIP server.
	#  See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
	#  on performing digest authentication for Cisco SIP servers.
	#
	digest {
	}

	#
	#  Execute external programs
	#
	#  The first example is useful only for 'xlat'.  To use it,
	#  put 'exec' into the 'instantiate' section.  You can then
	#  do dynamic translation of attributes like:
	#
	#  Attribute-Name = `%{exec:/path/to/program args}`
	#
	#  The value of the attribute will be replaced with the output
	#  of the program which is executed.  Due to RADIUS protocol
	#  limitations, any output over 253 bytes will be ignored.
	#
	#  The RADIUS attributes from the user request will be placed
	#  into environment variables of the executed program, as
	#  described in 'doc/variables.txt'
	#
	exec {
		wait = yes
		input_pairs = request
	}

	#
	#  This is a more general example of the execute module.
	#
	#  If you wish to execute an external program in more than
	#  one section (e.g. 'authorize', 'pre_proxy', etc), then it
	#  is probably best to define a different instance of the
	#  'exec' module for every section.
	#
	exec echo {
		#
		#  Wait for the program to finish.
		#
		#  If we do NOT wait, then the program is "fire and
		#  forget", and any output attributes from it are ignored.
		#
		#  If we are looking for the program to output
		#  attributes, and want to add those attributes to the
		#  request, then we MUST wait for the program to
		#  finish, and therefore set 'wait=yes'
		#
		# allowed values: {no, yes}
		wait = yes

		#
		#  The name of the program to execute, and its
		#  arguments.  Dynamic translation is done on this
		#  field, so things like the following example will
		#  work.
		#
		program = "/bin/echo %{User-Name}"

		#
		#  The attributes which are placed into the
		#  environment variables for the program.
		#
		#  Allowed values are:
		#
		#	request		attributes from the request
		#	reply		attributes from the reply
		#	proxy-request	attributes from the proxy request
		#	proxy-reply	attributes from the proxy reply
		#
		#  Note that some attributes may not exist at some
		#  stages.  e.g. There may be no proxy-reply
		#  attributes if this module is used in the
		#  'authorize' section.
		#
		input_pairs = request

		#
		#  Where to place the output attributes (if any) from
		#  the executed program.  The values allowed, and the
		#  restrictions as to availability, are the same as
		#  for the input_pairs.
		#
		output_pairs = reply

		#
		#  When to execute the program.  If the packet
		#  type does NOT match what's listed here, then
		#  the module does NOT execute the program.
		#
		#  For a list of allowed packet types, see
		#  the 'dictionary' file, and look for VALUEs
		#  of the Packet-Type attribute.
		#
		#  By default, the module executes on ANY packet.
		#  Un-comment the following line to tell the
		#  module to execute only if an Access-Accept is
		#  being sent to the NAS.
		#
		#packet_type = Access-Accept
	}

	#  Do server side ip pool management. Should be added in post-auth and
	#  accounting sections.
	#
	#  The module also requires the existence of the Pool-Name
	#  attribute. That way the administrator can add the Pool-Name
	#  attribute in the user profiles and use different pools
	#  for different users. The Pool-Name attribute is a *check* item not
	#  a reply item.
	#
	# Example:
	# radiusd.conf: ippool students { [...] }
	# users file  : DEFAULT Group == students, Pool-Name := "students"
	#
	# ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST THEN ERASE THE DB FILES *******
	#
	ippool main_pool {

		#  range-start,range-stop: The start and end ip
		#  addresses for the ip pool
		range-start = 192.168.1.1
		range-stop = 192.168.3.254

		#  netmask: The network mask used for the ip's
		netmask = 255.255.255.0

		#  cache-size: The gdbm cache size for the db
		#  files. Should be equal to the number of ip's
		#  available in the ip pool
		cache-size = 800

		# session-db: The main db file used to allocate ip's to clients
		session-db = ${raddbdir}/db.ippool

		# ip-index: Helper db index file used in multilink
		ip-index = ${raddbdir}/db.ipindex

		# override: Will this ippool override a Framed-IP-Address already set
		override = no
	}

	# ANSI X9.9 token support.  Not included by default.
	# $INCLUDE  ${confdir}/x99.conf
}

instantiate {
	expr
}

authorize {
	preprocess
	auth_log
	chap
	suffix
	sql
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
}

preacct {
	preprocess
	suffix
}

accounting {
	acct_unique
	sql
}

session {
}

post-auth {
	reply_log
}

pre-proxy {
	# attr_rewrite
}

post-proxy {
}
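
The two radutmp instances in this file pair their settings deliberately: the one that records caller ID is mode 0600, and the world-readable one sets callerid = "no". The check below flags any instance that breaks that pairing; it is an added example, not part of the original radiusd.conf or of the RADIUS server it configures. SAMPLE, its "leaky" instance and the function names are constructed for illustration, and a missing perm or callerid is treated as the risky value, which is an assumption of this example.

```python
import re

# Constructed sample in the style of the radutmp instances above; the
# "leaky" instance is deliberately misconfigured for the demonstration.
SAMPLE = '''
radutmp {
    filename = ${logdir}/radutmp
    perm = 0600
    callerid = "yes"
}
radutmp sradutmp {
    filename = ${logdir}/sradutmp
    perm = 0644
    callerid = "no"
}
radutmp leaky {
    filename = ${logdir}/leaky
    perm = 0644
    callerid = "yes"
}
'''

# "radutmp [instance-name] { ... }" up to the first line that starts with "}".
BLOCK = re.compile(r'^[ \t]*radutmp(?:[ \t]+([\w-]+))?[ \t]*\{(.*?)^[ \t]*\}', re.S | re.M)
# "key = value" or 'key = "value"', ignoring a trailing comment.
ITEM = re.compile(r'^[ \t]*([\w-]+)[ \t]*=[ \t]*"?([^"\n#]*?)"?[ \t]*(?:#.*)?$', re.M)

def radutmp_instances(text):
    """Yield (instance_name, settings) for every radutmp block in text."""
    for m in BLOCK.finditer(text):
        yield (m.group(1) or "radutmp"), dict(ITEM.findall(m.group(2)))

def audit(text):
    """Return instances that record caller ID in a file that group or
    other can access. A missing perm or callerid is treated as the risky
    value; that is this example's assumption, not the module's default."""
    findings = []
    for name, s in radutmp_instances(text):
        perm = int(s.get("perm", "0644"), 8)
        records_callerid = s.get("callerid", "yes").lower() == "yes"
        if records_callerid and perm & 0o077:
            findings.append(name)
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```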
