📄 radiusd-example.txt

#
#  Snmp configuration is only valid if SNMP support was enabled
#  at compile time.
#
#  To enable SNMP querying of the server, set the value of the
#  'snmp' attribute to 'yes'
#
snmp	= no
$INCLUDE  ${confdir}/snmp.conf

# THREAD POOL CONFIGURATION
#
#  The thread pool is a long-lived group of threads which
#  take turns (round-robin) handling any incoming requests.
#
#  You probably want to have a few spare threads around,
#  so that high-load situations can be handled immediately.  If you
#  don't have any spare threads, then the request handling will
#  be delayed while a new thread is created, and added to the pool.
#
#  You probably don't want too many spare threads around,
#  otherwise they'll be sitting there taking up resources, and
#  not doing anything productive.
#
#  The numbers given below should be adequate for most situations.
#
thread pool {
	#  Number of servers to start initially --- should be a reasonable
	#  ballpark figure.
	start_servers = 5

	#  Limit on the total number of servers running.
	#
	#  If this limit is ever reached, clients will be LOCKED OUT, so it
	#  should NOT BE SET TOO LOW.  It is intended mainly as a brake to
	#  keep a runaway server from taking the system with it as it spirals
	#  down...
	#
	#  You may find that the server is regularly reaching the
	#  'max_servers' number of threads, and that increasing
	#  'max_servers' doesn't seem to make much difference.
	#
	#  If this is the case, then the problem is MOST LIKELY that
	#  your back-end databases are taking too long to respond, and
	#  are preventing the server from responding in a timely manner.
	#
	#  The solution is NOT to keep increasing the 'max_servers'
	#  value, but instead to fix the underlying cause of the
	#  problem: slow database, or 'hostname_lookups=yes'.
	#
	#  For more information, see 'max_request_time', above.
	#
	max_servers = 32

	#  Server-pool size regulation.  Rather than making you guess
	#  how many servers you need, FreeRADIUS dynamically adapts to
	#  the load it sees, that is, it tries to maintain enough
	#  servers to handle the current load, plus a few spare
	#  servers to handle transient load spikes.
	#
	#  It does this by periodically checking how many servers are
	#  waiting for a request.  If there are fewer than
	#  min_spare_servers, it creates a new spare.  If there are
	#  more than max_spare_servers, some of the spares die off.
	#  The default values are probably OK for most sites.
	#
	min_spare_servers = 3
	max_spare_servers = 10

	#  There may be memory leaks or resource allocation problems with
	#  the server.  If so, set this value to 300 or so, so that the
	#  resources will be cleaned up periodically.
	#
	#  This should only be necessary if there are serious bugs in the
	#  server which have not yet been fixed.
	#
	#  '0' is a special value meaning 'infinity', or 'the servers never
	#  exit'
	max_requests_per_server = 0
}

# MODULE CONFIGURATION
#
#  The names and configuration of each module are located in this section.
#
#  After the modules are defined here, they may be referred to by name,
#  in other sections of this configuration file.
#
modules {
	#
	#  Each module has a configuration as follows:
	#
	#	name [ instance ] {
	#		config_item = value
	#		...
	#	}
	#
	#  The 'name' is used to load the 'rlm_name' library
	#  which implements the functionality of the module.
	#
	#  The 'instance' is optional.  To have two different instances
	#  of a module, it first must be referred to by 'name'.
	#  The different copies of the module are then created by
	#  inventing two 'instance' names, e.g. 'instance1' and 'instance2'
	#
	#  The instance names can then be used in later configuration
	#  INSTEAD of the original 'name'.  See the 'radutmp' configuration
	#  below for an example.
	#
	# PAP module to authenticate users based on their stored password
	#
	#  Supports multiple encryption schemes
	#  clear: Clear text
	#  crypt: Unix crypt
	#    md5: MD5 encryption
	#   sha1: SHA1 encryption.
	#  DEFAULT: crypt
	pap {
		encryption_scheme = crypt
	}

	# CHAP module
	#
	#  To authenticate requests containing a CHAP-Password attribute.
	#
	chap {
		authtype = CHAP
	}

	# Pluggable Authentication Modules
	#
	#  For Linux, see:
	#	http://www.kernel.org/pub/linux/libs/pam/index.html
	#
	pam {
		#
		#  The name to use for PAM authentication.
		#  PAM looks in /etc/pam.d/${pam_auth_name}
		#  for its configuration.  See 'redhat/radiusd-pam'
		#  for a sample PAM configuration file.
		#
		#  Note that any Pam-Auth attribute set in the 'authorize'
		#  section will over-ride this one.
		#
		pam_auth = radiusd
	}

	# Unix /etc/passwd style authentication
	#
	unix {
		#
		#  Cache /etc/passwd, /etc/shadow, and /etc/group
		#
		#  The default is to NOT cache them.
		#
		#  For FreeBSD, you do NOT want to enable the cache,
		#  as its password lookups are done via a database, so
		#  set this value to 'no'.
		#
		#  Some systems (e.g. RedHat Linux with pam_pwdb) can
		#  take *seconds* to check a password, from a passwd
		#  file containing 1000's of entries.  For those systems,
		#  you should set the cache value to 'yes', and set
		#  the locations of the 'passwd', 'shadow', and 'group'
		#  files, below.
		#
		# allowed values: {no, yes}
		cache = no

		# Reload the cache every 600 seconds (10mins). 0 to disable.
		cache_reload = 600

		#
		#  Define the locations of the normal passwd, shadow, and
		#  group files.
		#
		#  'shadow' is commented out by default, because not all
		#  systems have shadow passwords.
		#
		#  To force the module to use the system password functions,
		#  instead of reading the files, leave the following entries
		#  commented out.
		#
		#  This is required for some systems, like FreeBSD,
		#  and Mac OSX.
		#
		#	passwd = /etc/passwd
		#	shadow = /etc/shadow
		#	group = /etc/group

		#
		#  Where the 'wtmp' file is located.
		#  This should be moved to its own module soon.
		#
		#  The only use for 'radlast'.  If you don't use
		#  'radlast', then you can comment out this item.
		#
		radwtmp = ${logdir}/radwtmp
	}

	#  Extensible Authentication Protocol
	#
	#  For all EAP related authentications
	eap {
		#  Invoke the default supported EAP type when
		#  EAP-Identity response is received.
		#
		#  The incoming EAP messages MAY NOT specify which EAP
		#  type they will be using, so it MUST be set here.
		#
		#  For now, only one default EAP type may be used at a time.
		#
		default_eap_type = md5

		# Default expiry time to clean the EAP list,
		# It is maintained to correlate the
		# EAP-response for each EAP-request sent.
		timer_expire     = 60

		# Supported EAP-types
		md5 {
		}

		sim {
		}

		# Cisco LEAP
		#
		#  Cisco LEAP uses the MS-CHAP algorithm (but not
		#  the MS-CHAP attributes) to perform its authentication.
		#
		#  As a result, LEAP *requires* access to the plain-text
		#  User-Password, or the NT-Password attributes.
		#  'System' authentication is impossible with LEAP.
		#
		leap {
		}

		## EAP-TLS is highly experimental EAP-Type at the moment.
		#	Please give feedback on the mailing list.
		#tls {
		#	private_key_password = password
		#	private_key_file = /path/filename

		#	If Private key & Certificate are located in the
		#	same file, then private_key_file & certificate_file
		#	must contain the same file name.
		#	certificate_file = /path/filename

		#	Trusted Root CA list
		#	CA_file = /path/filename

		#	dh_file = /path/filename
		#	random_file = /path/filename

		#
		# 	This can never exceed MAX_RADIUS_LEN (4096)
		#	preferably half the MAX_RADIUS_LEN, to
		#	accommodate other attributes in RADIUS packet.
		#	On most APs the MAX packet length is configured
		#	between 1500 - 1600. In these cases, fragment
		#	size should be <= 1024.
		#
		#		fragment_size = 1024

		#	include_length is a flag which is by default set to yes
		#	If set to yes, Total Length of the message is included
		#	in EVERY packet we send.
		#	If set to no, Total Length of the message is included
		#	ONLY in the First packet of a fragment series.
		#
		#		include_length = yes
		#}
	}

	# Microsoft CHAP authentication
	#
	#  This module supports MS-CHAP and MS-CHAPv2 authentication.
	#  It also enforces the SMB-Account-Ctrl attribute.
	#
	mschap {
		#
		#  As of 0.9, the mschap module does NOT support
		#  reading from /etc/smbpasswd.
		#
		#  If you are using /etc/smbpasswd, see the 'passwd'
		#  module for an example of how to use /etc/smbpasswd

		# authtype value, if present, will be used
		# to overwrite (or add) Auth-Type during
		# authorization. Normally should be MS-CHAP
		authtype = MS-CHAP

		# if use_mppe is not set to no mschap will
		# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
		# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
		#	use_mppe = no

		# if mppe is enabled require_encryption makes
		# encryption moderate
		#	require_encryption = yes

		# require_strong always requires 128 bit key
		# encryption
		#	require_strong = yes
	}

	# Lightweight Directory Access Protocol (LDAP)
	#
	#  This module definition allows you to use LDAP for
	#  authorization and authentication (Auth-Type := LDAP)
	#
	#  See doc/rlm_ldap for description of configuration options
	#  and sample authorize{} and authenticate{} blocks
	ldap {
		server = "ldap.your.domain"
		# identity = "cn=admin,o=My Org,c=UA"
		# password = mypass
		basedn = "o=My Org,c=UA"
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

		# set this to 'yes' to use TLS encrypted connections
		# to the LDAP database by using the StartTLS extended
		# operation.
		# The StartTLS operation is supposed to be used with normal
		# ldap connections instead of using ldaps (port 689) connections
		start_tls = no

		# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
		# profile_attribute = "radiusProfileDn"
		access_attr = "dialupAccess"

		# Mapping of RADIUS dictionary attributes to LDAP
		# directory attributes.
		dictionary_mapping = ${raddbdir}/ldap.attrmap

		ldap_connections_number = 5
		# password_header = "{clear}"
		# password_attribute = userPassword
		# groupname_attribute = cn
		# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
		# groupmembership_attribute = radiusGroupName
		timeout = 4
		timelimit = 3
		net_timeout = 1
		# compare_check_items = yes
		# access_attr_used_for_allow = yes
	}

	# passwd module allows to do authorization via any passwd-like
	# file and to extract any attributes from these modules
	#
	# parameters are:
	#   filename - path to filename
	#   format - format for filename record. This parameter
	#            correlates record in the passwd file and RADIUS
	#            attributes.
	#
	#            Field marked as '*' is key field. That is, the parameter
	#            with this name from the request is used to search for
	#            the record from passwd file
	#            Attribute marked as '=' is added to reply_items instead
	#            of default configure_items
	#            Attribute marked as '~' is added to request_items
	#
	#            Field marked as ',' may contain a comma separated list
	#            of attributes.
	#   authtype - if record found this Auth-Type is used to authenticate
	#            user
	#   hashsize - hashtable size. If 0 or not specified records are not
	#            stored in memory and file is read on every request.
	#   allowmultiplekeys - if few records for every key are allowed
	#   ignorenislike - ignore NIS-related records
	#   delimiter - symbol to use as a field separator in passwd file,
	#            for format ':' symbol is always used. '\0', '\n' are
	#            not allowed
	#
	#  An example configuration for using /etc/smbpasswd.
	#
	#passwd etc_smbpasswd {
	#	filename = /etc/smbpasswd
	#	format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
	#	authtype = MS-CHAP
	#	hashsize = 100
	#	ignorenislike = no
	#	allowmultiplekeys = no
	#}

	#  Similar configuration, for the /etc/group file. Adds a Group-Name
	#  attribute for every group that the user is member of.
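
An added example, not part of the original file or of the FreeRADIUS distribution: a short Python check that parses the module blocks of a configuration like the one above and reports the authentication settings a reviewer would question before deployment. The sample text is a constructed excerpt of settings shown on this page, and the rule list and function names are assumptions chosen for illustration.

```python
SAMPLE = """# Constructed excerpt of the active settings shown on this page
modules {
    eap {
        default_eap_type = md5
        leap {
        }
    }
    ldap {
        start_tls = no
    }
}
"""

def parse(text):
    """Flatten 'name [instance] { item = value }' blocks into dotted paths."""
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # blank line or comment
        if line.endswith("{"):
            stack.append(line[:-1].split()[0])        # module name, not instance
            settings[".".join(stack)] = "{}"          # record that the block exists
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = line.split("=", 1)
            settings[".".join(stack + [key.strip()])] = value.strip().strip('"')
    return settings

# Hypothetical rule set: (block, item, test on the item's value or None, finding)
RULES = [
    ("modules.pap", "encryption_scheme", lambda v: v == "clear",
     "pap: stored passwords are clear text"),
    ("modules.eap", "default_eap_type", lambda v: v == "md5",
     "eap: default type is EAP-MD5 (no mutual authentication, no key derivation)"),
    ("modules.eap", "leap", lambda v: v is not None,
     "eap: LEAP is enabled and needs clear-text or NT-Password storage"),
    ("modules.ldap", "start_tls", lambda v: v != "yes",
     "ldap: StartTLS is off, directory traffic is not TLS-protected"),
]

def audit(text):
    cfg = parse(text)
    return [msg for block, item, bad, msg in RULES
            if block in cfg and bad(cfg.get(f"{block}.{item}"))]

for finding in audit(SAMPLE):
    print("WARN", finding)
```

A rule is evaluated only when its module block is configured, so an item that is commented out (read as missing) is judged by the rule's own test.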
