configure.texi

gnu 的radius服务器很好用的

@code{snmp}. @dfn{priority} determines the minimum priority of
the messages displayed by this channel. The priorities in ascending
order are: @code{debug}, @code{info}, @code{notice}, @code{warn},   
@code{err}, @code{crit}, @code{alert}, @code{emerg}.

The full category specification, denoted by the @code{category_spec}
in the above section, can take any of the following three forms:

@table @asis
@item category_name
Print the messages of given category.
@item priority
Print messages of all categories, abridged by given priority. If the
priority is prefixed with @samp{=}, only messages with given priority
will be displayed. If it is prefixed with @samp{!}, the messages with
priority other than the specified will be displayed. Otherwise, the
messages with priorities equal to or greater than the specified will
be displayed.
@item category_name . priority
Print the messages of given category, abridged by given priority. The
priority may be prefixed with either @samp{=} or @samp{!} as described
above. The dot (@samp{.}) separates the priority from the category
name, it may be surrounded by any amount of whitespace.
@end table

Additional category options valid for @code{auth} category are:
@table @code
@item print-auth
Log individual authentications.
@item print-pass
Include passwords for successful authentications. It is @emph{very}
insecure, since all users' passwords will be echoed in the logfile.
This option is provided only for debugging purposes.
@item print-failed-pass
Include passwords for failed authentications.
@end table

@comment **L4***************************************************************
@node channel
@subsubsection @code{channel} statement
@cindex Logging channel
@kwindex channel
@kwindex file
@kwindex syslog
@kwindex print-pid
@kwindex print-category
@kwindex print-cons
@kwindex print-level
@kwindex print-priority
@kwindex print-tid
@kwindex print-milliseconds
@kwindex prefix-hook
@kwindex suffix-hook

Channels represent methods for recording logging information.  Each
channel has a unique name, and any categories which specify that name in
a @code{channel} statement will use that channel.

@command{radiusd} can write logging information to files or send it to
syslog.  The @code{file} statement sends the channel's output to the
named file (@pxref{Naming Conventions}).  The @code{syslog} statement
sends the channel's output to syslog with the specified facility and
severity.

Channel options modify the data flowing through the channel:

@table @code
@item print-pid
Add the process @sc{id} of the process generating the logging information.
@item print-cons
Also send the logging information to the system console.
@item print-category
Add the category name to the logging information.
@item print-priority
@itemx print-level
Add the priority name to the logging information.
@item print-milliseconds
Print timestamp with milliseconds.
@item prefix-hook
Declares the name of Rewrite function used as logging prefix hook for that
channel (@pxref{hooks}). This overrides any global prefix hook.
@item suffix-hook
Declares the name of Rewrite function used as logging suffix hook for that
channel (@pxref{hooks}). This overrides any global suffix hook.
@end table

@comment **L4***************************************************************
@node logging example
@subsubsection Example of the @code{logging} statement
@exindex @command{logging} statement

@smallexample
logging @{
        channel default @{
                file "radius.log";
                print-category yes;
                print-priority yes;
        @};
        channel info @{
                file "radius.info";
                print-pid yes;
                print-cons yes;
                print-priority yes;
        @};
        channel notice @{
                syslog auth.notice;
        @};

        category auth @{
                print-auth yes;
                print-failed-pass yes;
        @};
        category notice @{
                channel notice;
        @};
        category info @{
                channel info;
        @};
        category debug @{
                channel info;
                level radiusd=1,files;
        @};

        category *.!debug @{
                channel default;
        @};
@};
@end smallexample

@comment **L3***************************************************************
@node auth
@subsection @code{auth} statement
@cindex Authentication service parameters
@cindex Customizing authentication server
@kwindex auth 
@kwindex listen
@kwindex port
@kwindex max-requests 
@kwindex time-to-live 
@kwindex request-cleanup-delay
@kwindex detail
@kwindex strip-names
@kwindex checkrad-assume-logged
@kwindex password-expire-warning
@kwindex compare-atribute-flag
@subheading Syntax:

@smallexample
auth @{
        listen ( @var{addr-list} | no ); 
        forward @var{addr-list}; 
        port @var{number} ; 
        max-requests @var{number} ; 
        time-to-live @var{number} ; 
        request-cleanup-delay @var{number} ; 
        detail @var{bool} ; 
        strip-names @var{bool} ; 
        checkrad-assume-logged @var{bool} ; 
        password-expire-warning @var{number} ; 
        compare-atribute-flag @var{character} ; 
        trace-rules @var{bool} ; 
        reject-malformed-names @var{bool} ; 
@} ;
@end smallexample

@subheading Usage:
The @code{auth} statement configures the parameters of the authentication
service.

@subheading @code{listen} statement

This statement determines on which addresses radiusd will listen for incoming
authentication requests. Its argument is a comma-separated list of items
in the form @var{ip}:@var{port-number}. @var{ip} can be either an IP
address in familiar ``dotted-quad'' notation or a
hostname. :@var{port-number} part may be omitted, in which case the
default authentication port is assumed.

If the @code{listen} statement is omitted, radiusd will accept incoming
requests from any interface on the machine.

The special value @code{no} disables listening for authentication
requests.

The following example configures radius to listen for the incoming
requests on the default authentication port on the address 10.10.10.1
and on port 1645 on address 10.10.11.2.

@smallexample
listen 10.10.10.1, 10.10.11.2:1645;
@end smallexample

@subheading @code{forward} statement

This statement enables @dfn{forwarding} of the requests to the given
set of servers. Forwarding is an experimental feature of GNU Radius,
it differs from proxying in that the requests are sent to the remote
server (or servers) @emph{and} processed locally. The remote server
is not expected to reply.

This mode is intended primarily for debugging purposes. It could also
be useful in some very complex and unusual configurations. 

@subheading Numeric statements

@table @code
@item port
Sets the number of which @sc{udp} port to listen on for the
authentication requests.

@item max-requests
Sets the maximum number of authentication requests in the queue. Any
surplus requests will be discarded.

@item time-to-live
Sets the request time-to-live in seconds. The time-to-live is the time
to wait for the completion of the request. If the request job isn't
completed within this interval of time it is cleared, the corresponding
child process killed and the request removed from the queue.

@item request-cleanup-delay
Sets the request cleanup delay in seconds, i.e. determines how long will
the completed authentication request reside in the queue.

@item password-expire-warning
Sets the time interval for password expiration warning. If user's
password expires within given number of seconds, radiusd will send
a warning along with authentication-acknowledge response. Default
is 0.
@end table

@subheading Boolean statements

@table @code

@item detail
When set to true, @command{radiusd} will produce the detailed log of each
received packet in the file @file{radacct/@var{nasname}/detail.auth}. The
format of such log files is identical to the format of detailed
accounting files (@pxref{Detailed Request Accounting}).

@item strip-names
Determines whether @command{radiusd} should strip any prefixes/suffixes
off the username before logging.

@item checkrad-assume-logged
@xref{mlc}, for the description of this setting. It is accepted in
@code{auth} for compatibility with previous versions of GNU Radius.  

@item trace-rules
Enables tracing of the configuration rules that were matched during
processing of each received authentication request. @xref{Rule
Tracing}, for detailed information about this mode.

@item reject-malformed-names
Enables sending access-reject replies for the access-accept requests
that contain an invalid value in @attr{User-Name} attribute. By default
such requests are discarded without answering. See the description of
@code{username-chars} (@pxref{option,username-chars,Option statement}).

@end table

@subheading Character statement

@table @code
@item compare-attribute-flag
The argument to this statement is a character from @samp{1} through
@samp{9}. This statement modifies the request comparison method for
authentication requests. @xref{Extended Comparison}, for a detailed
description of its usage.

@end table


@comment **L3***************************************************************
@node acct
@subsection @code{acct} statement
@cindex Accounting service parameters
@cindex Customizing accounting service
@kwindex acct statement 
@kwindex listen
@kwindex port 
@kwindex max-requests 
@kwindex time-to-live 
@kwindex request-cleanup-delay
@kwindex detail
@kwindex compare-atribute-flag

@subheading Syntax:
@smallexample
acct @{
        listen ( @var{addr-list} | no ); 
        forward @var{addr-list} ; 
        port @var{number} ; 
        detail @var{bool}; 
        system @var{bool};
        max-requests @var{number} ; 
        time-to-live @var{number} ; 
        request-cleanup-delay @var{number} ; 
        compare-atribute-flag @var{character} ; 
        trace-rules @var{bool} ; 
@} ;
@end smallexample

@subheading Usage:

The @code{acct} statement configures the parameters of the accounting
service.

@subheading @code{listen} statement

This statement determines on which addresses radiusd will listen for incoming
accounting requests. Its argument is a comma-separated list of items
in the form @var{ip}:@var{port-number}. @var{ip} can be either an IP
address in familiar ``dotted-quad'' notation or a
hostname. :@var{port-number} part may be omitted, in which case the
default accounting port is assumed.

If the @code{listen} statement is omitted, radiusd will accept incoming
requests from any interface on the machine.

The special value @code{no} disables listening for accounting
requests.

The following example configures radius to listen for the incoming
requests on the default accounting port on the address 10.10.10.1
and on port 1646 on address 10.10.11.2.

@smallexample
listen 10.10.10.1, 10.10.11.2:1646;
@end smallexample

@subheading @code{forward} statement

This statement enables @dfn{forwarding} of the requests to the given
set of servers. Forwarding is an experimental feature of GNU Radius,
it differs from proxying in that the requests are sent to the remote
server (or servers) @emph{and} processed locally. The remote server
is not expected to reply.

This mode is intended primarily for debugging purposes. It could also
be useful in some very complex and unusual configurations. 

@subheading Numeric statements

@table @code
@item port 
Sets the number of which port to listen for the authentication requests.

@item max-requests 
Sets the maximum number of accounting requests in the queue. Any
surplus requests will be discarded.

@item time-to-live
Sets the request time-to-live in seconds. The time-to-live is the time
to wait for the completion of the request. If the request job isn't
completed within this interval of time it is cleared, the corresponding
child process killed and the request removed from the queue.

@item request-cleanup-delay 
Sets the request cleanup delay in seconds, i.e. determines how long will
the completed account request reside in the queue.

@end table

@subheading Boolean statements

@table @code
@item detail
When set to @code{no}, disables detailed accounting
(@pxref{Detailed Request Accounting}). 

@item system
When set to @code{no}, disables system accounting (@pxref{System
Accounting}). Notice, that this will disable simultaneous use checking
as well, unless you supply an alternative @sc{mlc} method (currently
@sc{sql}, @xref{Multiple Login Checking}, for the detailed discussion
of this). 

@item trace-rules
Enables tracing of the configuration rules that were matched during
processing of each received accounting request. @xref{Rule
Tracing}, for detailed information about this mode.
@end table

@subheading Character statement

@table @code
@item compare-attribute-flag
The argument to this statement is a character from @samp{1} through
@samp{9}. This statement modifies the request comparison method for
authentication requests. @xref{Extended Comparison}, for a detailed
description of its usage.

@end table

@comment **L3***************************************************************
@node usedbm
@subsection @code{usedbm} statement
@cindex DBM: enabling
@cindex Enabling DBM
@kwindex usedbm