engine.config

RADIUS协议的认证计费服务

#
# Miscellaneous Merit AAA Server configuration file.
#

# Copyright [C] The Regents of the University of Michigan and Merit Network,
# Inc. 1993, 1994, 1995, 1996, 1997, 1998 All Rights Reserved.

#
# RCSID:	$Id: engine.config,v 1.1.1.1 2001/08/10 20:49:27 bonze Exp $
#

# Using engine.config allows for the overriding or changing of various
# compiled-in default values of the Merit AAA Server.

# The configuration file is formatted as a <variable> = <value>, that is:
#
# 	default_reply_holdtime = 6
#
# even when that format isn't very appropriate.  A hostname prefix (such
# as is used in the "clients" file) may also allowed.  For example:
#
#	radserver1.myisp.net/default_reply_holdtime = 6
#	radserver2.myisp.net/default_reply_holdtime = 0
#
# Note: The hostname here is the hostname returned by the 'hostname(1)'
# command, not the fully-qualified DNS name.

# Note: Any whitespace characters (blanks and tabs) surrounding the equal
# sign character ("=") are ignored, as is leading whitespace.  Trailing
# whitespace MAY be significant!  Lines which begin with a pound sign
# character ("#") are ignored, as are lines entirely made up of blanks.
# All lines are counted for the purpose of reporting errors, warnings
# or changes.

# Most changes to configuration values are reported.  The old and new values
# are reported, although not necessarily in a way that may be used to
# feed back into the engine.config file itself.

# The engine.config file is read during initialization time, and whenever the
# server receives an INT or HUP signal.

# The engine.config file has a maximum input line length of 255 characters.
# NO checking is done to insure that a configuration statement has exceeded
# this limit.

# The engine.config file may be used for performance tuning, debugging or 
# specifying of defaults which can not be configured in other parts of the 
# Merit AAA Server.

# The following items are useful for general server performance tuning:
#
# default_reply_holdtime, global_acct_q.limit, global_auth_q.limit
# 

# The following items are useful for configuration specific performance
# tuning (e.g., UNIX passwords, Kerberos, etc.):
#
# aatv.proc_max	  ('reply_holdtime' in "clients" file)
#

# The following items are useful for responding to network faults, DNS
# problems and other issues outside the direct control of the server operator:
#
# aatv.proc_max, dns_address_aging, dns_address_window
#

# The following items are useful for tracing the behaviour of the server
# in order to determine where an external fault might lie:
#
# log_forwarding, packet_log, reply_check
#

# The following items are useful for diagnosing load related issues with
# the server by providing additional information via radcheck(8):
#
# radcheck=+packets, radcheck=+queues
#

# configuration item	related config		Purpose
#
# aatv.direct		none			Override the compiled in type
#						of an AATV to be of type
#						AA_DIRECT.  This is VERY
#						dangerous, especially for
#						socket type AATVs, or AATVs
#						that depend on the forked
#						environment to be "reset"
#						for every fork.
#						But, it is useful for debugging
#						some AA_FORK type AATVs or
#						even AA_FREPLY type AATVs 
#						without disabling forking
#						in the server with the "-s"
#						option.
# e.g.:
#  aatv.direct=FILE

# aatv.forking		none			Override the compiled in type
#						of an AATV to be of type
#						AA_FORK.  This is VERY
#						dangerous, especially for
#						AA_SOCKET or AA_DIRECT type
#						AATVs that depend on sharing
#						the address space with the
#						main process.
# e.g.:
#  aatv.forking=UNIX-PW

# aatv.forkreply	none			Override the compiled in type
#						of an AATV to be of type
#						AA_FREPLY.  This is VERY
#						dangerous, especially for
#						socket type AATVs, or AATVs
#						that depend on the forked
#						environment to be "reset"
#						for every fork.
#						This is useful for converting
#						an AA_FORK type AATV into
#						an AA_FREPLY type AATV for
#						testing or addtional error
#						messages being returned to
#						the user. (i.e., convert the
#						AKERB or MKERB AATVs from
#						type AA_FORK to AA_FREPLY to
#						pass error messages back to
#						the NAS/user or client RADIUS
#						server.
# e.g.:
#  aatv.forkreply=MKERB
#  aatv.forkreply=AKERB
#  aatv.forkreply=TAC_PLUS


# aatv.socket		none			Override the compiled in type
#						of an AATV to be of type
#						AA_SOCKET.  This is VERY
#						dangerous, as most of the
#						socket type AATVs have a
#						socket in the AATV header
#						and this doesn't do anything
#						to put a socket there.
#						This was included for
#						completeness, not because it
#						had any useful purpose.
# no example... too dangerous!

# aatv.proc_max		none			Set the maximum simultaneous
#						number of processes for a
#						AA_FORK or AA_FREPLY type
#						AATV.  This value is normally
#						compiled into the header of a
#						forking type AATV.
#
#						This is a performance enhancing
#						feature intended to prevent
#						a UNIX platform from being
#						consumed by too many 
#						simultaneously forked processes.
#
#						The default value zero means
#						that NO maximum is applied.
#
#						When a maximum value is set,
#						the AAA server keeps track
#						of the number of outstanding
#						child processes for the
#						specified AATV.  When that limit
#						is exceeded, the authentication
#						(or accounting) request is
#						queued on the AATV until the
#						current number of child
#						processes drops below the
#						maximum. NOTE: an authentication
#						or accounting request CAN
#						time-out from this state if the
#						child processes take too long
#						to respond!
#
#						Setting this value to one allows
#						only one simultaneous child
#						process at a time (for the
#						specified AATV), which may solve
#						certain timing issues involving
#						AATVs that communicate with
#						external databases, etc., while
#						still allowing the normal AAA
#						engine functions of duplicate
#						detection, queueing or timeouts
#						to occur. (i.e., try using this
#						first instead of 'aatv.direct'
#						on a forking type AATV.)

#			See also		Information suitable for
#			 'radcheck = +queues'	tailoring this value may be
#						found from radcheck(8).  Each
#						forking-type AATV is listed
#						by radcheck(8) one per line.
#
#						Tailoring of this value
#						should be influenced by the
#						"total" and "holding" values
#						reported on a per-request basis.
# e.g.:
#  aatv.proc_max=UNIX-PW 8
#  aatv.proc_max=AKERB   8

# default_reply_holdtime			Specify the number of seconds
#			"clients" file		to hold on to a request after
#			"reply_holdtime =	it has been replied to by the
#				<seconds>"	REPLY AATV in the finite state
#						machine (FSM) table. This should
#						be two times the default
#			See also		retransmission period of the
#			the TTL and		NASes involved.  This value is
#			TTL_SLICE AATVs		applied if no 'reply_holdtime'
#			for related		is specified for a particular
#			configuration		NAS client.  This does NOT
#			options.		apply to packets that are
#						forwarded to a client in the
#						"clients" file.
#
#						A value of zero invokes special
#						behaviour whereby the REPLY
#						AATV does NOT change the hold-
#						time for a request.  This would
#						cause all received
#						authentication or accounting
#						requests to be held for the
#						full TTL (time-to-live), no
#						matter if the request took a
#						short time to process before
#						being replied to.
#
#						NOTE: Using the special value
#						of zero, or using a hold time
#						greatly in excess of the
#						retransmission policy of a NAS
#						may cause the authentication and
#						accounting queues to grow too
#						large. See 'global_acct_q.limit'
#						and 'global_auth_q.limit' below.
#
#						The TTL AATV and TIMEOUT AATVs
#						may be used to modify the TTL
#						of a request.  The default TTL
#						of a received request is 30
#						seconds.
#
#						The TTL of a request is normally
#						reset to the ttlslice value
#						when a duplicate request is
#						received, except after the
#						the request has been
#						replied to.  The TTL_SLICE AATV
#						may be used to reset the default
#						ttlslice value.
#
#						Tailoring of this value
#						should be influenced by the
#						"total" and "holding" values
#						reported on a per-request basis.
# e.g.:
#  default_reply_holdtime=0
#  default_reply_holdtime=6

# default_retry_limit	See also		Limit the maximum number of
#			'default_seqch_limit',	retransmissions allowed before
#			and the AATVs		a RETRY event occurs.  A RETRY
#			RETRY_LIMIT,		event is like a TIMEOUT event
#			SEQCH_LIMIT,		and should be caught by the
#			FAIL and WAIT.		built-in (default) FSM table.
#						If the value is zero, the
#						default, no limits are imposed.
#						The purpose of this is to catch
#						an authentication request
#						and perform some action when
#				 		a certain number of
#						retransmissions from a NAS
#						occur.
#
#						In particular, it may be useful
#						to have a primary authentication
#						server deny access (using the
#						FAIL AATV) before a backup
#						server starts to authenticate,
#						allowing the backup server to
#						backup just the primary and not
#						the whole AAA system.
# e.g.:
#   default_retry_limit=8