Ticket #19801: default

File default, 18.9 KB (added by gacelweb@…, 3 years ago)

file default in /etc/freeradius2/sites

######################################################################
#
#       As of 2.0.0, FreeRADIUS supports virtual hosts using the
#       "server" section, and configuration directives.
#
#       Virtual hosts should be put into the "sites-available"
#       directory.  Soft links should be created in the "sites-enabled"
#       directory to these files.  This is done in a normal installation.
#
#       If you are using 802.1X (EAP) authentication, please see also
#       the "inner-tunnel" virtual server.  You will likely have to edit
#       that, too, for authentication to work.
#
#       $Id: dd12b60efa3b9e2da32ac23833ac9299a19c43d1 $
#
######################################################################
#
#       Read "man radiusd" before editing this file.  See the section
#       titled DEBUGGING.  It outlines a method where you can quickly
#       obtain the configuration you want, without running into
#       trouble.  See also "man unlang", which documents the format
#       of this file.
#
#       This configuration is designed to work in the widest possible
#       set of circumstances, with the widest possible number of
#       authentication methods.  This means that in general, you should
#       need to make very few changes to this file.
#
#       The best way to configure the server for your local system
#       is to CAREFULLY edit this file.  Most attempts to make large
#       edits to this file will BREAK THE SERVER.  Any edits should
#       be small, and tested by running the server with "radiusd -X".
#       Once the edits have been verified to work, save a copy of these
#       configuration files somewhere.  (e.g. as a "tar" file).  Then,
#       make more edits, and test, as above.
#
#       There are many "commented out" references to modules such
#       as ldap, sql, etc.  These references serve as place-holders.
#       If you need the functionality of that module, then configure
#       it in radiusd.conf, and un-comment the references to it in
#       this file.  In most cases, those small changes will result
#       in the server being able to connect to the DB, and to
#       authenticate users.
#
######################################################################

#
#       In 1.x, the "authorize", etc. sections were global in
#       radiusd.conf.  As of 2.0, they SHOULD be in a server section.
#
#       The server section with no virtual server name is the "default"
#       section.  It is used when no server name is specified.
#
#       We don't indent the rest of this file, because doing so
#       would make it harder to read.
#

#  Authorization. First preprocess (hints and huntgroups files),
#  then realms, and finally look in the "users" file.
#
#  Any changes made here should also be made to the "inner-tunnel"
#  virtual server.
#
#  The order of the realm modules will determine the order that
#  we try to find a matching realm.
#
#  Make *sure* that 'preprocess' comes before any realm if you
#  need to set up hints for the remote radius server
authorize {
        #
        #  Security settings.  Take a User-Name, and do some simple
        #  checks on it, for spaces and other invalid characters.  If
        #  it looks like the user is trying to play games, reject it.
        #
        #  This should probably be enabled by default.
        #
        #  See policy.conf for the definition of the filter_username policy.
        #
#       filter_username

        #
        #  The preprocess module takes care of sanitizing some bizarre
        #  attributes in the request, and turning them into attributes
        #  which are more standard.
        #
        #  It takes care of processing the 'raddb/hints' and the
        #  'raddb/huntgroups' files.
#       preprocess

        #
        #  If you want to have a log of authentication requests,
        #  un-comment the following line, and the 'detail auth_log'
        #  section, above.
#       auth_log

        #
        #  The chap module will set 'Auth-Type := CHAP' if we are
        #  handling a CHAP request and Auth-Type has not already been set
#       chap

        #
        #  If the users are logging in with an MS-CHAP-Challenge
        #  attribute for authentication, the mschap module will find
        #  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
        #  to the request, which will cause the server to then use
        #  the mschap module for authentication.
#       mschap

        #
        #  If you have a Cisco SIP server authenticating against
        #  FreeRADIUS, uncomment the following line, and the 'digest'
        #  line in the 'authenticate' section.
#       digest

        #
        #  The WiMAX specification says that the Calling-Station-Id
        #  is 6 octets of the MAC.  This definition conflicts with
        #  RFC 3580, and all common RADIUS practices.  Un-commenting
        #  the "wimax" module here means that it will fix the
        #  Calling-Station-Id attribute to the normal format as
        #  specified in RFC 3580 Section 3.21
#       wimax

        #
        #  Look for IPASS style 'realm/', and if not found, look for
        #  '@realm', and decide whether or not to proxy, based on
        #  that.
#       IPASS

        #
        #  If you are using multiple kinds of realms, you probably
        #  want to set "ignore_null = yes" for all of them.
        #  Otherwise, when the first style of realm doesn't match,
        #  the other styles won't be checked.
        #
#       suffix
#       ntdomain

        #
        #  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
        #  authentication.
        #
        #  It also sets the EAP-Type attribute in the request
        #  attribute list to the EAP type from the packet.
        #
        #  As of 2.0, the EAP module returns "ok" in the authorize stage
        #  for TTLS and PEAP.  In 1.x, it never returned "ok" here, so
        #  this change is compatible with older configurations.
        #
        #  The example below uses module failover to avoid querying all
        #  of the following modules if the EAP module returns "ok".
        #  Therefore, your LDAP and/or SQL servers will not be queried
        #  for the many packets that go back and forth to set up TTLS
        #  or PEAP.  The load on those servers will therefore be reduced.
        #
        eap {
                ok = return
        }

        reject

        #
        #  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
        #  using the system API's to get the password.  If you want
        #  to read /etc/passwd or /etc/shadow directly, see the
        #  passwd module in radiusd.conf.
        #
#       unix

        #
        #  Read the 'users' file
        files

        #
        #  Look in an SQL database.  The schema of the database
        #  is meant to mirror the "users" file.
        #
        #  See "Authorization Queries" in sql.conf
#       sql

        #
        #  If you are using /etc/smbpasswd, and are also doing
        #  mschap authentication, then un-comment this line, and
        #  configure the 'smbpasswd' module.
#       smbpasswd

        #
        #  The ldap module will set Auth-Type to LDAP if it has not
        #  already been set
#       ldap

        #
        #  Enforce daily limits on time spent logged in.
#       daily

        #
        # Use the checkval module
#       checkval

#       expiration
#       logintime

        #
        #  If no other module has claimed responsibility for
        #  authentication, then try to use PAP.  This allows the
        #  other modules listed above to add a "known good" password
        #  to the request, and to do nothing else.  The PAP module
        #  will then see that password, and use it to do PAP
        #  authentication.
        #
        #  This module should be listed last, so that the other modules
        #  get a chance to set Auth-Type for themselves.
        #
        pap

        #
        #  If "status_server = yes", then Status-Server messages are passed
        #  through the following section, and ONLY the following section.
        #  This permits you to do DB queries, for example.  If the modules
        #  listed here return "fail", then NO response is sent.
        #
#       Autz-Type Status-Server {
#
#       }
}


#  Authentication.
#
#
#  This section lists which modules are available for authentication.
#  Note that it does NOT mean 'try each module in order'.  It means
#  that a module from the 'authorize' section adds a configuration
#  attribute 'Auth-Type := FOO'.  That authentication type is then
#  used to pick the appropriate module from the list below.
#

#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
#  will figure it out on its own, and will do the right thing.  The
#  most common side effect of erroneously setting the Auth-Type
#  attribute is that one authentication method will work, but the
#  others will not.
#
#  The common reasons to set the Auth-Type attribute by hand
#  are to either forcibly reject the user (Auth-Type := Reject),
#  or to forcibly accept the user (Auth-Type := Accept).
#
#  Note that Auth-Type := Accept will NOT work with EAP.
#
#  Please do not put "unlang" configurations into the "authenticate"
#  section.  Put them in the "post-auth" section instead.  That's what
#  the post-auth section is for.
#
authenticate {
        #
        #  PAP authentication, when a back-end database listed
        #  in the 'authorize' section supplies a password.  The
        #  password can be clear-text, or encrypted.
        Auth-Type PAP {
                pap
        }

        #
        #  Most people want CHAP authentication
        #  A back-end database listed in the 'authorize' section
        #  MUST supply a CLEAR TEXT password.  Encrypted passwords
        #  won't work.
        Auth-Type CHAP {
                chap
        }

        #
        #  MSCHAP authentication.
        Auth-Type MS-CHAP {
                mschap
        }

        #
        #  If you have a Cisco SIP server authenticating against
        #  FreeRADIUS, uncomment the following line, and the 'digest'
        #  line in the 'authorize' section.
#       digest

        #
        #  Pluggable Authentication Modules.
#       pam

        #
        #  See 'man getpwent' for information on how the 'unix'
        #  module checks the users password.  Note that packets
        #  containing CHAP-Password attributes CANNOT be authenticated
        #  against /etc/passwd!  See the FAQ for details.
        #
        #  For normal "crypt" authentication, the "pap" module should
        #  be used instead of the "unix" module.  The "unix" module should
        #  be used for authentication ONLY for compatibility with legacy
        #  FreeRADIUS configurations.
        #
#       unix

        # Uncomment it if you want to use ldap for authentication
        #
        # Note that this means "check plain-text password against
        # the ldap database", which means that EAP won't work,
        # as it does not supply a plain-text password.
#       Auth-Type LDAP {
#               ldap
#       }

        #
        #  Allow EAP authentication.
        eap

        #
        #  The older configurations sent a number of attributes in
        #  Access-Challenge packets, which wasn't strictly correct.
        #  If you want to filter out these attributes, uncomment
        #  the following lines.
        #
#       Auth-Type eap {
#               eap {
#                       handled = 1
#               }
#               if (handled && (Response-Packet-Type == Access-Challenge)) {
#                       attr_filter.access_challenge.post-auth
#                       handled  # override the "updated" code from attr_filter
#               }
#       }
}


#
#  Pre-accounting.  Decide which accounting type to use.
#
#preacct {
#       preprocess

        #
        #  Session start times are *implied* in RADIUS.
        #  The NAS never sends a "start time".  Instead, it sends
        #  a start packet, *possibly* with an Acct-Delay-Time.
        #  The server is supposed to conclude that the start time
        #  was "Acct-Delay-Time" seconds in the past.
        #
        #  The code below creates an explicit start time, which can
        #  then be used in other modules.
        #
        #  The start time is: NOW - delay - session_length
        #

#       update request {
#               FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
#       }


        #
        #  Ensure that we have a semi-unique identifier for every
        #  request, as many NAS boxes are broken.
#       acct_unique

        #
        #  Look for IPASS-style 'realm/', and if not found, look for
        #  '@realm', and decide whether or not to proxy, based on
        #  that.
        #
        #  Accounting requests are generally proxied to the same
        #  home server as authentication requests.
#       IPASS
#       suffix
#       ntdomain

        #
        #  Read the 'acct_users' file
#       files
#}

#
#  Accounting.  Log the accounting data.
#
accounting {
        #
        #  Create a 'detail'ed log of the packets.
        #  Note that accounting requests which are proxied
        #  are also logged in the detail file.
#       detail
#       daily

        #  Update the wtmp file
        #
        #  If you don't use "radlast", you can delete this line.
#       unix

        #
        #  For Simultaneous-Use tracking.
        #
        #  Due to packet losses in the network, the data here
        #  may be incorrect.  There is little we can do about it.
#       radutmp
#       sradutmp

        #  Return an address to the IP Pool when we see a stop record.
#       main_pool

        #
        #  Log traffic to an SQL database.
        #
        #  See "Accounting queries" in sql.conf
#       sql

        #
        #  If you receive stop packets with zero session length,
        #  they will NOT be logged in the database.  The SQL module
        #  will print a message (only in debugging mode), and will
        #  return "noop".
        #
        #  You can ignore these packets by uncommenting the following
        #  three lines.  Otherwise, the server will not respond to the
        #  accounting request, and the NAS will retransmit.
        #
#       if (noop) {
#               ok
#       }

        #
        #  Instead of sending the query to the SQL server,
        #  write it into a log file.
        #
#       sql_log

        #  Cisco VoIP specific bulk accounting
#       pgsql-voip

        # For Exec-Program and Exec-Program-Wait
        exec

        #  Filter attributes from the accounting response.
        #attr_filter.accounting_response

        #
        #  See "Autz-Type Status-Server" for how this works.
        #
#       Acct-Type Status-Server {
#
#       }
}


#  Session database, used for checking Simultaneous-Use. Either the radutmp
#  or rlm_sql module can handle this.
#  The rlm_sql module is *much* faster
session {
        radutmp

        #
        #  See "Simultaneous Use Checking Queries" in sql.conf
#       sql
}


#  Post-Authentication
#  Once we KNOW that the user has been authenticated, there are
#  additional steps we can take.
#post-auth {
        #  Get an address from the IP Pool.
#       main_pool

        #
        #  If you want to have a log of authentication replies,
        #  un-comment the following line, and the 'detail reply_log'
        #  section, above.
#       reply_log

        #
        #  After authenticating the user, do another SQL query.
        #
        #  See "Authentication Logging Queries" in sql.conf
#       sql

        #
        #  Instead of sending the query to the SQL server,
        #  write it into a log file.
        #
#       sql_log

        #
        #  Un-comment the following if you have set
        #  'edir_account_policy_check = yes' in the ldap module sub-section of
        #  the 'modules' section.
        #
#       ldap

        # For Exec-Program and Exec-Program-Wait
#       exec

        #
        #  Calculate the various WiMAX keys.  In order for this to work,
        #  you will need to define the WiMAX NAI, usually via
        #
        #       update request {
        #              WiMAX-MN-NAI = "%{User-Name}"
        #       }
        #
        #  If you want various keys to be calculated, you will need to
        #  update the reply with "template" values.  The module will see
        #  this, and replace the template values with the correct ones
        #  taken from the cryptographic calculations.  e.g.
        #
        #       update reply {
        #               WiMAX-FA-RK-Key = 0x00
        #               WiMAX-MSK = "%{EAP-MSK}"
        #       }
        #
        #  You may want to delete the MS-MPPE-*-Keys from the reply,
        #  as some WiMAX clients behave badly when those attributes
        #  are included.  See "raddb/modules/wimax", configuration
        #  entry "delete_mppe_keys" for more information.
        #
#       wimax

        #  If there is a client certificate (EAP-TLS, sometimes PEAP
        #  and TTLS), then some attributes are filled out after the
        #  certificate verification has been performed.  These fields
        #  MAY be available during the authentication, or they may be
        #  available only in the "post-auth" section.
        #
        #  The first set of attributes contains information about the
        #  issuing certificate which is being used.  The second
        #  contains information about the client certificate (if
        #  available).
#
#       update reply {
#              Reply-Message += "%{TLS-Cert-Serial}"
#              Reply-Message += "%{TLS-Cert-Expiration}"
#              Reply-Message += "%{TLS-Cert-Subject}"
#              Reply-Message += "%{TLS-Cert-Issuer}"
#              Reply-Message += "%{TLS-Cert-Common-Name}"
#              Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
#
#              Reply-Message += "%{TLS-Client-Cert-Serial}"
#              Reply-Message += "%{TLS-Client-Cert-Expiration}"
#              Reply-Message += "%{TLS-Client-Cert-Subject}"
#              Reply-Message += "%{TLS-Client-Cert-Issuer}"
#              Reply-Message += "%{TLS-Client-Cert-Common-Name}"
#              Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
#       }

        #  MacSEC requires the use of EAP-Key-Name.  However, we don't
        #  want to send it for all EAP sessions.  Therefore, the EAP
        #  modules put required data into the EAP-Session-Id attribute.
        #  This attribute is never put into a request or reply packet.
        #
        #  Uncomment the next few lines to copy the required data into
        #  the EAP-Key-Name attribute
#       if (reply:EAP-Session-Id) {
#               update reply {
#                       EAP-Key-Name := "%{reply:EAP-Session-Id}"
#               }
#       }

        #  If the WiMAX module did its work, you may want to do more
        #  things here, like delete the MS-MPPE-*-Key attributes.
        #
        #       if (updated) {
        #               update reply {
        #                       MS-MPPE-Recv-Key !* 0x00
        #                       MS-MPPE-Send-Key !* 0x00
        #               }
        #       }

        #
        #  Access-Reject packets are sent through the REJECT sub-section of the
        #  post-auth section.
        #
        #  Add the ldap module name (or instance) if you have set
        #  'edir_account_policy_check = yes' in the ldap module configuration
        #
#       Post-Auth-Type REJECT {
#               # log failed authentications in SQL, too.
#               sql

                # Insert EAP-Failure message if the request was
                # rejected by policy instead of because of an
                # authentication failure
#               eap

#               attr_filter.access_reject
#       }
#}

#
#  When the server decides to proxy a request to a home server,
#  the proxied request is first passed through the pre-proxy
#  stage.  This stage can re-write the request, or decide to
#  cancel the proxy.
#
#  Only a few modules currently have this method.
#
#pre-proxy {
#       attr_rewrite

        #  Uncomment the following line if you want to change attributes
        #  as defined in the preproxy_users file.
#       files

        #  Uncomment the following line if you want to filter requests
        #  sent to remote servers based on the rules defined in the
        #  'attrs.pre-proxy' file.
#       attr_filter.pre-proxy

        #  If you want to have a log of packets proxied to a home
        #  server, un-comment the following line, and the
        #  'detail pre_proxy_log' section, above.
#       pre_proxy_log
#}

#
#  When the server receives a reply to a request it proxied
#  to a home server, the request may be massaged here, in the
#  post-proxy stage.
#
#post-proxy {

        #  If you want to have a log of replies from a home server,
        #  un-comment the following line, and the 'detail post_proxy_log'
        #  section, above.
#       post_proxy_log

#       attr_rewrite

        #  Uncomment the following line if you want to filter replies from
        #  remote proxies based on the rules defined in the 'attrs' file.
#       attr_filter.post-proxy

        #
        #  If you are proxying LEAP, you MUST configure the EAP
        #  module, and you MUST list it here, in the post-proxy
        #  stage.
        #
        #  You MUST also use the 'nostrip' option in the 'realm'
        #  configuration.  Otherwise, the User-Name attribute
        #  in the proxied request will not match the user name
        #  hidden inside of the EAP packet, and the end server will
        #  reject the EAP request.
        #
#       eap

        #
        #  If the server tries to proxy a request and fails, then the
        #  request is processed through the modules in this section.
        #
        #  The main use of this section is to permit robust proxying
        #  of accounting packets.  The server can be configured to
        #  proxy accounting packets as part of normal processing.
        #  Then, if the home server goes down, accounting packets can
        #  be logged to a local "detail" file, for processing with
        #  radrelay.  When the home server comes back up, radrelay
        #  will read the detail file, and send the packets to the
        #  home server.
        #
        #  With this configuration, the server always responds to
        #  Accounting-Requests from the NAS, but only writes
        #  accounting packets to disk if the home server is down.
        #
#       Post-Proxy-Type Fail {
#                       detail
#       }
#}