configure.texi

gnu 的radius服务器很好用的

@subheading Example

@smallexample
ALIAS User-Password Password
@end smallexample

@comment **L3***************************************************************
@node PROPERTY
@subsection PROPERTY statement
@kwindex PROPERTY
@subheading Syntax
@smallexample
PROPERTY  @var{name}  @var{flags}
PROPERTY  @var{name}  +@var{flags} [-@var{flags} ...]
@end smallexample

@subheading Usage
The @code{PROPERTY} statement redefines property flags for attribute
@var{name}. The attribute must be defined, otherwise an error occurs.
The @code{PROPERTY} statement has two forms. In first form, it takes
a single argument, representing new property flags for the attribute.
In its second form it takes any number of arguments, each of them
preceeded by @samp{+} sign, inidicating addition of properties, or
by @samp{-} sign, indicating removal of these.

@xref{ATTRIBUTE}, for the discussion of attribute property flags.

@subheading Example

The following example defines that the attribute @attr{User-Password}
may be used only on left-hand side of a @file{raddb/users} entry, and
that it is transmitted in encrypted form.

@smallexample
PROPERTY  User-Password [L-----]E
@end smallexample

@noindent
Next example illustrates adding and removing attribute properties:

@smallexample
PROPERTY  My-Attrib     +P -=
@end smallexample

@noindent
it adds propagation bit (@samp{P}) and removes @samp{replace}
additivity from @attr{My-Attrib} attribute.


@comment **L3***************************************************************
@node VALUE
@subsection VALUE Statement
@kwindex VALUE 

@subheading Syntax
@smallexample
VALUE   Attribute-Translation       Value-Translation       @var{number}
@end smallexample

@subheading Usage
The @code{VALUE} statement assigns a translation string to a given
value of an integer attribute. @code{Attribute-Translation} specifies
the attribute and the @code{Value-Translation} specifies the name
assigned to the value @var{number} of this attribute.

@subheading Example

The following assigns the translation string @samp{Login-User} to
the value 1 of the attribute @samp{Service-Type}.

@smallexample
VALUE  Service-Type  Login-User  1
@end smallexample

@comment *L2****************************************************************
@node clients file
@section Clients List --- @file{raddb/clients}
@cindex @file{clients} file
@cindex @file{raddb/clients} file

The @file{raddb/clients} lists @NAS{}es which are allowed to make
authentication requests. As usual, the @samp{#} character introduces a
comment. Each record in the file consists of two fields, separated
by whitespace. The fields are:

@table @asis
@item NAS name
Specifies a hostname or @IP{} of the @NAS{}.
@item Key
Lists the encryption key shared between the server and this @NAS{}.
@end table

If the set of @NAS{}es share the same encryption key, there are two
ways to list it in @file{raddb/clients}. First, if these @NAS{}es
lie in a single network, you can specify this network address in
@code{NAS name} field, e.g.:

@smallexample
10.10.10.0/27   seCRet
@end smallexample

Notice also that specifying full netmask after the @samp{/} character is
also allowed, so that the above example could also be written as follows:

@smallexample
10.10.10.0/255.255.255.224   seCRet
@end smallexample

Otherwise, the keyword DEFAULT may be used as @code{NAS name}. This
notation will match any @IP{}, so it should be used with caution.

@menu
* Example: clients example.     An example of clients file.
@end menu

@comment **L3***************************************************************
@node clients example
@subsection Example of @file{clients} file
@exindex @file{clients} file

@smallexample
# This is a list of clients which are allowed to make authentication 
# requests.
# Each record consists of two fields:
#       i.  Valid hostname.
#       ii. The shared encryption key for this hostname. 
#
#Client Name            Key
#----------------       -------------------
myhost.dom.ain          guessme         
merlin                  emrys           
11.10.10.10             secRet
@end smallexample

@comment *L2****************************************************************
@node  naslist file
@section NAS List --- @file{raddb/naslist}
@cindex @file{naslist} file
@cindex @file{raddb/naslist} file
@cindex MAX Ascend, broken passwords

The @file{raddb/naslist} file contains a list of @NAS{}es known to the Radius
server. Each record in the file consist of the following four fields,
the first two being mandatory, the last two being optional:

@table @asis
@item NAS name
Specifies either a hostname or @IP{} for a single @NAS{} or a CIDR net block
address for a set of @NAS{}es. The word @samp{DEFAULT} may
be used in this field to match any @NAS{}. @footnote{Logins from DEFAULT @NAS{}es are not reflected in SNMP variables.}

@item Short Name
This field defines a short name under which this @NAS{} will be listed
in logfiles. The short name is also used as a name of the subdirectory
where the detailed logs are stored.

@item Type
Specifies the type of this @NAS{}. Using this value @command{radiusd}
determines the way to query @NAS{} about the presence of a given user on it
(@pxref{Multiple Login Checking}).
The two special types: @samp{true} and @samp{false}, can be used to
disable @NAS{} querying. When the type field contains @samp{true},
@command{radiusd} assumes the user is logged in to the @NAS{}, when it
contains @samp{false}, @command{radiusd} assumes the user @emph{is not}
logged in. Otherwise, the type
is used as a link to @file{nastypes} entry (@pxref{nastypes file}).

If this field is not present @samp{true} is assumed.

@item Arguments
Additional arguments describing the @NAS{}. Multiple arguments
must be separated by commas. No intervening whitespace is allowed in
this field.
@end table

There are two groups of nas arguments: @dfn{nas-specific} arguments and
@dfn{nas-querying} arguments. @dfn{Nas-specific} arguments are used to
modify a behavior of @command{radiusd} when sending or receiving the
information to or from a particular @NAS{}.

@dfn{Nas-querying} arguments control the way @command{radiusd} queries
a @NAS{} for confirmation of a user's session (@pxref{Multiple Login Checking}). These arguments override the ones specified in 
@file{nastypes} and can thus be used to override the default
values.

The @dfn{nas-specific} arguments currently implemented are:

@table @asis
@item broken_pass
This is a boolean argument that controls the encryption of user
passwords, longer than 16 octets. By default, @command{radiusd} uses
method specified by @sc{rfc 2865}. However some @NAS{}es, most notably
@sc{max a}scend series, implement a broken method of encoding long
passwords. This flag instructs @command{radiusd} to use broken method
of password encryption for the given @NAS{}.

@item compare-auth-flag=@var{flag}
Instructs radius to use attributes marked with a given user-defined flag
when comparing authentication requests. It overrides
@code{compare-attribute-flag} (@pxref{auth}) for this particular @NAS{}.
@xref{Extended Comparison}, for a detailed description of its usage.

@item compare-acct-flag=@var{flag}
Instructs radius to use attributes marked with a given user-defined flag
when comparing accounting requests. It overrides
@code{compare-attribute-flag} (@pxref{acct}) for this particular @NAS{}.
@xref{Extended Comparison}, for a detailed description of its usage.
@end table

@xref{Checking Duplicates}, for general description of request
comparison methods.

For the list of nas-querying arguments,
@xref{nastypes file,,Full list of allowed arguments}.

@menu
* Example: naslist example.     Example of @file{naslist} file.
@end menu

@comment **L3***************************************************************
@node naslist example
@subsection Example of @file{naslist} file
@exindex @file{naslist} file

@smallexample
# raddb/naslist: contains a list of Network Access Servers 
#
# Each record consists of following fields:
#
#       i.      A valid hostname or IP address for the client.
#       ii.     The short name to use in the logfiles for this NAS.
#       iii.    Type of device. Valid values are `true', `false' and
#               those defined in raddb/nastypes file.

# NAS Name              Short Name      Type
#----------------       ----------      ----
myhost.dom.ain          myhost          unix
merlin                  merlin          max 
11.10.10.10             arthur          livingston
@end smallexample

@comment *L2****************************************************************
@node nastypes file
@section NAS Types --- @file{raddb/nastypes}
@cindex @file{nastypes} file

The @file{raddb/nastypes} file describes the ways to
query @NAS{}es about active user sessions.

@menu
* Syntax: nastypes syntax.      Syntax described.
* Example: nastypes example.    Example of nastypes file.
* Predefined NAS Types::        @NAS{} types defined in standard nastypes file.
@end menu

@comment **L3***************************************************************
@node nastypes syntax
@subsection Syntax of @file{raddb/nastypes}
@cindex @file{nastypes} file, syntax of
@cindex Syntax of @file{nastypes}
@UNREVISED{}

@heading Syntax
Each record consists of three fields separated by any amount of
whitespace. The fields are:

@table @asis
@item Type
Type of the @NAS{} which is described in this record.
@item Method
Method to use to query a @NAS{} of given type.
@item Arguments
Arguments to pass to this method. Each argument is a pair
@var{arg}=@var{value}, where @var{arg} is its name and @var{value} is
a value assigned to it. The list of predefined argument names follows.
Note, that no intervening whitespace is allowed in this
field.
@end table

@heading Methods

Version @value{VERSION} of GNU Radius supports following querying methods:
finger, snmp, external and guile. @FIXME{Describe these fully}.

@heading Arguments

In the discussion below @var{n} means numeric and @var{s} string value.

The following arguments are predefined:

@subheading Common for all methods

@table @asis
@item function=@var{s}
Specifies the check function to use with this method
(@pxref{Login Verification Functions}).
This argument must be present. For description of how this function is
applied, see @ref{Multiple Login Checking}.
@item port=@var{n}
Use port number @var{n} instead of the default for the given method.
@end table

@subheading Method snmp

@table @asis

@item password=@var{s}
Use community @var{s} instead of the default. This argument must be
present.
@item retries=@var{n}
Retry @var{n} times before giving up.
@item timeout=@var{n}
Timeout @var{n} seconds on each retry.
@end table

@subheading Method finger

@table @asis
@item timeout=@var{n}
Give up if the @NAS{} does not respond within @var{n} seconds.
@item notcp
@itemx tcp=0
Disable the use of T/TCP for hosts with a broken TCP implementation.
@item arg=@var{subst}
Send @var{subst} to finger, instead of username. @var{subst} must be
one of @dfn{macro variables}, described below.
@end table

@subheading Macro variables

The following macro-variables are recognized and substituted when
encountered in the @var{value} pair of an argument:
@FIXME{Describe new syntax for extendable strings. Notice, that the
use of old meta-characters is deprecated.}

@table @samp
@item %u
Expands to username.
@item %s
Expands to session id.
@item %d
Expands to session id converted to decimal representation.
@item %p
Expands to port number.
@item %P
Expands to port number + 1.
@end table

@comment **L3***************************************************************
@node nastypes example
@subsection Example of nastypes file.
@exindex @file{nastypes} file

Note, that in the following example the long lines are
broken into several lines for readability.

@smallexample
# Type     Method          Args
# ----     ------          ----
unix       finger       function=check_unix
max-f      finger       function=check_max_finger
max        snmp         oid=.1.3.6.1.4.1.529.12.3.1.4.%d,
                        function=check_snmp_u
as5300-f   finger       function=check_as5300_finger
as5300     snmp         oid=.1.3.6.1.4.1.9.9.150.1.1.3.1.2.%d,
                        function=check_snmp_u
livingston snmp         oid=.1.3.6.1.4.1.307.3.2.1.1.1.5.%P,
                        function=check_snmp_s
@end smallexample

@comment **L3***************************************************************
@node Predefined NAS Types
@subsection Standard @NAS{} types
@cindex NAS types, standard

The @file{nastypes} shipped with version @value{VERSION} of GNU Radius
defines following @NAS{} types:

@table @asis
@item unix --- UNIX boxes running Finger
This type suits for @sc{unix} boxes running finger service able to return information
about dial-up users active on them. To enable finger checking of a unix
host add following to your @file{naslist} file:
@smallexample
@group
#Hostname       Shortname   Type
#--------       ---------   ----
nas.name        T           unix
@end group
@end smallexample

@item max-f --- MAX Ascend with Finger
Use this type if you have MAX Ascend terminal server that answers finger
queries. The @file{naslist} entry for such @NAS{} will look like:

@smallexample
@group
#Hostname