"Fossies" - the Fresh Open Source Software Archive

Member "freeradius-server-3.0.23/raddb/radiusd.conf.in" (10 Jun 2021, 31639 Bytes) of package /linux/misc/freeradius-server-3.0.23.tar.bz2:


# -*- text -*-
##
## radiusd.conf	-- FreeRADIUS server configuration file - @RADIUSD_VERSION_STRING@
##
##	http://www.freeradius.org/
##	$Id: 7d7b0c01274d81a0c5c6e0c0827907af6768af11 $
##

######################################################################
#
#	The format of this (and every other) configuration file is
#	documented in "man unlang".  There are also READMEs in many
#	subdirectories:
#
#	  raddb/README.rst
#		How to upgrade from v2.
#
#	  raddb/mods-available/README.rst
#		How to use mods-available / mods-enabled.
#		All of the modules are in individual files,
#		along with configuration items and full documentation.
#
#	  raddb/sites-available/README
#		virtual servers, "listen" sections, clients, etc.
#		The "sites-available" directory contains many
#		worked examples of common configurations.
#
#	  raddb/certs/README.md
#		How to create certificates for EAP or RadSec.
#
#	Every configuration item in the server is documented
#	extensively in the comments in the example configuration
#	files.
#
#	Before editing this (or any other) configuration file, PLEASE
#	read "man radiusd".  See the section titled DEBUGGING.  It
#	outlines a method where you can quickly create the
#	configuration you want, with minimal effort.
#
#	Run the server in debugging mode, and READ the output.
#
#		$ radiusd -X
#
#	We cannot emphasize this point strongly enough.  The vast
#	majority of problems can be solved by carefully reading the
#	debugging output, which includes warnings about common issues,
#	and suggestions for how they may be fixed.
#
#	There may be a lot of output, but look carefully for words like:
#	"warning", "error", "reject", or "failure".  The messages there
#	will usually be enough to guide you to a solution.
#
#	More documentation on "radiusd -X" is available on the wiki:
#		https://wiki.freeradius.org/radiusd-X
#
#	If you are going to ask a question on the mailing list, then
#	explain what you are trying to do, and include the output from
#	debugging mode (radiusd -X).  Failure to do so means that all
#	of the responses to your question will be people telling you
#	to "post the output of radiusd -X".
#
#	Guidelines for posting to the mailing list are on the wiki:
#		https://wiki.freeradius.org/list-help
#
#	Please read those guidelines before posting to the list.
#
#	Further documentation is available in the "doc" directory
#	of the server distribution, or on the wiki at:
#		https://wiki.freeradius.org/
#
#	New users of RADIUS should read the Technical Guide.  That guide
#	explains how RADIUS works, how FreeRADIUS works, and what each
#	part of a RADIUS system does.  It is not just "configure FreeRADIUS"!
#		https://networkradius.com/doc/FreeRADIUS-Technical-Guide.pdf
#
#	More documentation on dictionaries, modules, unlang, etc. is also
#	available on the Network RADIUS web site:
#		https://networkradius.com/freeradius-documentation/
#

######################################################################

prefix = @prefix@
exec_prefix = @exec_prefix@
sysconfdir = @sysconfdir@
localstatedir = @localstatedir@
sbindir = @sbindir@
logdir = @logdir@
raddbdir = @raddbdir@
radacctdir = @radacctdir@

#
#  Name of the running server.  See also the "-n" command-line option.
name = radiusd

#  Location of config and logfiles.
confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir   = ${confdir}/certs
run_dir = ${localstatedir}/run/${name}

# Should likely be ${localstatedir}/lib/radiusd
db_dir = ${raddbdir}

#
# libdir: Where to find the rlm_* modules.
#
#   This should be automatically set at configuration time.
#
#   If the server builds and installs, but fails at execution time
#   with an 'undefined symbol' error, then you can use the libdir
#   directive to work around the problem.
#
#   The cause is usually that a library has been installed on your
#   system in a place where the dynamic linker CANNOT find it.  When
#   executing as root (or another user), your personal environment MAY
#   be set up to allow the dynamic linker to find the library.  When
#   executing as a daemon, FreeRADIUS MAY NOT have the same
#   personalized configuration.
#
#   To work around the problem, find out which library contains that symbol,
#   and add the directory containing that library to the end of 'libdir',
#   with a colon separating the directory names.  NO spaces are allowed.
#
#   e.g. libdir = /usr/local/lib:/opt/package/lib
#
#   You can also try setting the LD_LIBRARY_PATH environment variable
#   in a script which starts the server.
#
#   If that does not work, then you can re-configure and re-build the
#   server to NOT use shared libraries, via:
#
#	./configure --disable-shared
#	make
#	make install
#
libdir = @libdir@

#  pidfile: Where to place the PID of the RADIUS server.
#
#  The server may be signalled while it's running by using this
#  file.
#
#  This file is written ONLY when running in daemon mode.
#
#  e.g.:  kill -HUP `cat /var/run/radiusd/radiusd.pid`
#
pidfile = ${run_dir}/${name}.pid

#
#  correct_escapes: use correct backslash escaping
#
#  Prior to version 3.0.5, the handling of backslashes was a little
#  awkward, i.e. "wrong".  In some cases, to get one backslash into
#  a regex, you had to put 4 in the config files.
#
#  Version 3.0.5 fixes that.  However, for backwards compatibility,
#  the new method of escaping is DISABLED BY DEFAULT when this item
#  is absent, so that upgrading to 3.0.5 won't break an existing
#  configuration.  The shipped configuration below enables it.
#
#  If you don't have double backslashes (i.e. \\) in your configuration,
#  this won't matter to you.  If you do have them, fix that to use only
#  one backslash, and then set "correct_escapes = true".
#
#  You can check for this by doing:
#
#	$ grep '\\\\' $(find raddb -type f -print)
#
correct_escapes = true

#  panic_action: Command to execute if the server dies unexpectedly.
#
#  FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.
#  AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.
#  AN INTERACTIVE ACTION MEANS THE SERVER WILL NOT RESTART.
#
#  THE SERVER MUST NOT BE ALLOWED TO EXECUTE UNTRUSTED PANIC ACTION CODE.
#  A DEBUGGER ATTACHING TO THE SERVER (PTRACE) CAN BE USED AS AN ATTACK VECTOR.
#
#  The panic action is a command which will be executed if the server
#  receives a fatal, non-user-generated signal, i.e. SIGSEGV, SIGBUS,
#  SIGABRT or SIGFPE.
#
#  This can be used to start an interactive debugging session so
#  that information regarding the current state of the server can
#  be acquired.
#
#  The following string substitutions are available:
#  - %e   The currently executing program e.g. /sbin/radiusd
#  - %p   The PID of the currently executing program e.g. 12345
#
#  Standard ${} substitutions are also allowed.
#
#  An example panic action for opening an interactive session in GDB would be:
#
#panic_action = "gdb %e %p"
#
#  Again, don't use that on a production system.
#
#  An example panic action for opening an automated session in GDB would be:
#
#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log"
#
#  That command can be used on a production system.
#

#  max_request_time: The maximum time (in seconds) to handle a request.
#
#  Requests which take more time than this to process may be killed, and
#  a REJECT message is returned.
#
#  WARNING: If you notice that requests take a long time to be handled,
#  then this MAY INDICATE a bug in the server, in one of the modules
#  used to handle a request, OR in your local configuration.
#
#  This problem is most often seen when using an SQL database.  If it takes
#  more than a second or two to receive an answer from the SQL database,
#  then it probably means that you haven't indexed the database.  See your
#  SQL server documentation for more information.
#
#  Useful range of values: 5 to 120
#
max_request_time = 30

#  cleanup_delay: The time to wait (in seconds) before cleaning up
#  a reply which was sent to the NAS.
#
#  The RADIUS request is normally cached internally for a short period
#  of time, after the reply is sent to the NAS.  The reply packet may be
#  lost in the network, and the NAS will not see it.  The NAS will then
#  re-send the request, and the server will respond quickly with the
#  cached reply.
#
#  If this value is set too low, then duplicate requests from the NAS
#  MAY NOT be detected, and will instead be handled as separate requests.
#
#  If this value is set too high, then the server will cache too many
#  requests, and some new requests may get blocked.  (See 'max_requests'.)
#
#  Useful range of values: 2 to 30
#
cleanup_delay = 5

#  max_requests: The maximum number of requests which the server keeps
#  track of.  This should be 256 multiplied by the number of clients.
#  e.g. With 4 clients, this number should be 1024.
#
#  If this number is too low, then when the server becomes busy,
#  it will not respond to any new requests, until the 'cleanup_delay'
#  time has passed, and it has removed the old requests.
#
#  If this number is set too high, then the server will use a bit more
#  memory for no real benefit.
#
#  If you aren't sure what it should be set to, it's better to set it
#  too high than too low.  Setting it to 1000 per client is probably
#  the highest it should be.
#
#  Useful range of values: 256 to infinity
#
max_requests = 16384

#  hostname_lookups: Log the names of clients or just their IP addresses
#  e.g., www.freeradius.org (on) or 206.47.27.232 (off).
#
#  The default is 'off' because it would be overall better for the net
#  if people had to knowingly turn this feature on, since enabling it
#  means that each client request will result in AT LEAST one lookup
#  request to the nameserver.   Enabling hostname_lookups will also
#  mean that your server may stop randomly for 30 seconds from time
#  to time, if the DNS requests take too long.
#
#  Turning hostname lookups off also means that the server won't block
#  for 30 seconds, if it sees an IP address which has no name associated
#  with it.
#
#  allowed values: {no, yes}
#
hostname_lookups = no

#
#  Run a "Post-Auth-Type Client-Lost" section.  This ONLY happens when
#  the server sends an Access-Challenge, and the client does not
#  respond to it.  The goal is to allow administrators to log
#  something when the client does not respond.
#
#  See sites-available/default, "Post-Auth-Type Client-Lost" for more
#  information.
#
#postauth_client_lost = no

#
#  Logging section.  The various "log_*" configuration items
#  will eventually be moved here.
#
log {
	#
	#  Destination for log messages.  This can be one of:
	#
	#	files - log to "file", as defined below.
	#	syslog - to syslog (see also "syslog_facility", below).
	#	stdout - standard output
	#	stderr - standard error.
	#
	#  The command-line option "-X" overrides this option, and forces
	#  logging to go to stdout.
	#
	destination = files

	#
	#  Highlight important messages sent to stderr and stdout.
	#
	#  This option is ignored (disabled) if TERM is not an xterm,
	#  or if output is not to a TTY.
	#
	colourise = yes

	#
	#  The logging messages for the server are appended to the
	#  tail of this file if destination == "files"
	#
	#  If the server is running in debugging mode, this file is
	#  NOT used.
	#
	file = ${logdir}/radius.log

	#
	#  Which syslog facility to use, if ${destination} == "syslog"
	#
	#  The exact values permitted here are OS-dependent.  You probably
	#  don't want to change this.
	#
	syslog_facility = daemon

	#  Log the full User-Name attribute, as it was found in the request.
	#
	# allowed values: {no, yes}
	#
	stripped_names = no

	#  Log all (accept and reject) authentication results to the log file.
	#
	#  This is the same as setting "auth_accept = yes" and
	#  "auth_reject = yes"
	#
	#  allowed values: {no, yes}
	#
	auth = no

	#  Log Access-Accept results to the log file.
	#
	#  This is only used if "auth = no"
	#
	#  allowed values: {no, yes}
	#
#	auth_accept = no

	#  Log Access-Reject results to the log file.
	#
	#  This is only used if "auth = no"
	#
	#  allowed values: {no, yes}
	#
#	auth_reject = no

	#  Log passwords with the authentication requests.
	#  auth_badpass  - logs the password if it's rejected
	#  auth_goodpass - logs the password if it's correct
	#
	#  Either setting writes cleartext passwords into the log file.
	#  Leave both at "no" unless you are actively debugging a login,
	#  and restore them afterwards.
	#
	#  allowed values: {no, yes}
	#
	auth_badpass = no
	auth_goodpass = no

	#  Log additional text at the end of the "Login OK" messages.
	#  For these to work, "auth" and "auth_goodpass" or "auth_badpass"
	#  above have to be set to "yes".
	#
	#  The strings below are dynamically expanded, which means that
	#  you can put anything you want in them.  However, note that
	#  this expansion can be slow, and can negatively impact server
	#  performance.
	#
#	msg_goodpass = ""
#	msg_badpass = ""

	#  The message when the user exceeds the Simultaneous-Use limit.
	#
	msg_denied = "You are already logged in - access denied"

	#  Suppress "secret" attributes when printing them in debug mode.
	#
	#  Secrets are NOT tracked across xlat expansions.  If your
	#  configuration puts secrets into other strings, they will
	#  still get printed.
	#
	#  Setting this to "yes" means that the server prints
	#
	#	<<< secret >>>
	#
	#  instead of the value, for attributes which contain secret
	#  information, e.g. User-Password, Tunnel-Password, etc.
	#
	#  This configuration is disabled by default.  It is extremely
	#  important for administrators to be able to debug user logins
	#  by seeing what is actually being sent.
	#
#	suppress_secrets = no
}

#  The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad

#
#  ENVIRONMENT VARIABLES
#
#  You can reference environment variables using an expansion like
#  `$ENV{PATH}`.  However it is sometimes useful to be able to also set
#  environment variables.  This section lets you do that.
#
#  The main purpose of this section is to allow administrators to keep
#  RADIUS-specific configuration in the RADIUS configuration files.
#  For example, you may need to set an environment variable which is
#  used by a module.  You could put that variable into a shell script,
#  but that's awkward.  Instead, just list it here.
#
#  Note that these environment variables are set AFTER the
#  configuration file is loaded.  So you cannot set FOO here, and
#  expect to reference it via `$ENV{FOO}` in another configuration file.
#  You should instead just use a normal configuration variable for
#  that.
#
ENV {
	#
	#  Set environment variable `FOO` to value '/bar/baz'.
	#
	#  NOTE: you MUST use '='.  You CANNOT use '+=' to append
	#  values.
	#
#	FOO = '/bar/baz'

	#
	#  Delete environment variable `BAR`.
	#
#	BAR

	#
	#  `LD_PRELOAD` is special.  It is normally set before the
	#  application runs, and is interpreted by the dynamic linker.
	#  This means you cannot set it inside of an application, and
	#  expect it to load libraries.
	#
	#  Since this functionality is useful, we extend it here.
	#
	#  You can set
	#
	#  LD_PRELOAD = /path/to/library.so
	#
	#  and the server will load the named libraries.  Multiple
	#  libraries can be loaded by specifying multiple individual
	#  `LD_PRELOAD` entries.
	#
	#  Any library listed here runs inside the server process with
	#  the server's privileges.  Treat this file and those libraries
	#  as trusted code: only root should be able to write to either.
	#
#	LD_PRELOAD = /path/to/library1.so
#	LD_PRELOAD = /path/to/library2.so
}

# SECURITY CONFIGURATION
#
#  There may be multiple methods of attacking the server.  This
#  section holds the configuration items which minimize the impact
#  of those attacks.
#
security {
	#  chroot: directory where the server does "chroot".
	#
	#  The chroot is done very early in the process of starting
	#  the server.  After the chroot has been performed it
	#  switches to the "user" listed below (which MUST be
	#  specified).  If "group" is specified, it switches to that
	#  group, too.  Any other groups listed for the specified
	#  "user" in "/etc/group" are also added as part of this
	#  process.
	#
	#  The current working directory (chdir / cd) is left
	#  *outside* of the chroot until all of the modules have been
	#  initialized.  This allows the "raddb" directory to be left
	#  outside of the chroot.  Once the modules have been
	#  initialized, it does a "chdir" to ${logdir}.  This means
	#  that it should be impossible to break out of the chroot.
	#
	#  If you are worried about security issues related to this
	#  use of chdir, then simply ensure that the "raddb" directory
	#  is inside of the chroot, and be sure to do "cd raddb"
	#  BEFORE starting the server.
	#
	#  If the server is statically linked, then the only files
	#  that have to exist in the chroot are ${run_dir} and
	#  ${logdir}.  If you do the "cd raddb" as discussed above,
	#  then the "raddb" directory has to be inside of the chroot
	#  directory, too.
	#
#	chroot = /path/to/chroot/directory

	# user/group: The name (or #number) of the user/group to run radiusd as.
	#
	#   If these are commented out, the server will run as the
	#   user/group that started it.  In order to change to a
	#   different user/group, you MUST be root ( or have root
	#   privileges ) to start the server.
	#
	#   We STRONGLY recommend that you run the server with as few
	#   permissions as possible.  That is, if you're not using
	#   shadow passwords, the user and group items below should be
	#   set to 'radius'.
	#
	#  NOTE that some kernels refuse to setgid(group) when the
	#  value of (unsigned)group is above 60000; don't use group
	#  "nobody" on these systems!
	#
	#  On systems with shadow passwords, you might have to set
	#  'group = shadow' for the server to be able to read the
	#  shadow password file.  If you can authenticate users while
	#  in debug mode, but not in daemon mode, it may be that the
	#  debugging mode server is running as a user that can read
	#  the shadow info, and the user listed below can not.
	#
	#  The server will also try to use "initgroups" to read
	#  /etc/group.  It will join all groups where "user" is a
	#  member.  This can allow for some finer-grained access
	#  controls.
	#
#	user = radius
#	group = radius

	#  Core dumps are a bad thing.  A core file contains whatever
	#  the server had in memory, including shared secrets and user
	#  passwords.  This should only be set to 'yes' if you're
	#  debugging a problem with the server.
	#
	#  allowed values: {no, yes}
	#
	allow_core_dumps = no

	#
	#  max_attributes: The maximum number of attributes
	#  permitted in a RADIUS packet.  Packets which have MORE
	#  than this number of attributes in them will be dropped.
	#
	#  If this number is set too low, then no RADIUS packets
	#  will be accepted.
	#
	#  If this number is set too high, then an attacker may be
	#  able to send a small number of packets which will cause
	#  the server to use all available memory on the machine.
	#
	#  Setting this number to 0 means "allow any number of attributes".
	max_attributes = 200

	#
	#  reject_delay: When sending an Access-Reject, it can be
	#  delayed for a few seconds.  This may help slow down a DoS
	#  attack.  It also helps to slow down people trying to brute-force
	#  crack a user's password.
	#
	#  Setting this number to 0 means "send rejects immediately"
	#
	#  If this number is set higher than 'cleanup_delay', then the
	#  rejects will be sent at 'cleanup_delay' time, when the request
	#  is deleted from the internal cache of requests.
	#
	#  As of Version 3.0.5, "reject_delay" has sub-second resolution.
	#  e.g. "reject_delay = 1.4" seconds is possible.
	#
	#  Useful range of values: 1 to 5
	reject_delay = 1

	#
	#  status_server: Whether or not the server will respond
	#  to Status-Server requests.
	#
	#  When sent a Status-Server message, the server responds with
	#  an Access-Accept or Accounting-Response packet.
	#
	#  This is mainly useful for administrators who want to "ping"
	#  the server, without adding test users, or creating fake
	#  accounting packets.
	#
	#  It's also useful when a NAS marks a RADIUS server "dead".
	#  The NAS can periodically "ping" the server with a Status-Server
	#  packet.  If the server responds, it must be alive, and the
	#  NAS can start using it for real requests.
	#
	#  See also raddb/sites-available/status
	#
	status_server = yes

@openssl_version_check_config@
}
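
The security, log and ENV items above are each guarded only by a comment. As an added example (this script is not part of FreeRADIUS or of this file), the following Python program parses the subset of radiusd.conf syntax used here (nested `name {` blocks, `key = value` items, `#` comments; `$INCLUDE` and `@...@` lines are skipped) and reports the settings the comments warn against: `security.user`/`group` left unset, `allow_core_dumps = yes`, `max_attributes = 0`, `reject_delay` larger than `cleanup_delay`, `auth_badpass`/`auth_goodpass = yes`, and any `LD_PRELOAD` in `ENV`. The embedded sample configuration and its values are constructed for the example; pass the contents of a real file to `parse_conf` to audit it.

```python
import re
from typing import Dict, List

# Constructed sample for this example (not a real deployment file): a
# radiusd.conf fragment with the weak settings this file's comments warn about.
SAMPLE_CONF = """
name = radiusd
cleanup_delay = 5
log {
    destination = files
    auth = yes
    auth_badpass = yes      # rejected passwords end up in radius.log
    auth_goodpass = no
}
ENV {
    FOO = '/bar/baz'
    LD_PRELOAD = /opt/hooks/libhook.so
}
security {
    # user/group left commented out: the server keeps the privileges it started with
#   user = radius
#   group = radius
    allow_core_dumps = yes
    max_attributes = 0
    reject_delay = 10
    status_server = yes
}
$INCLUDE clients.conf
"""

Section = Dict[str, object]  # item -> str (list of str for repeated keys); block -> Section


def parse_conf(text: str) -> Section:
    """Parse the subset of radiusd.conf syntax used in this file.

    Supports nested "name {" ... "}" blocks (including "thread pool {"),
    "key = value" items, full-line and trailing "#" comments, bare words
    (the ENV "delete variable" form), and skips $INCLUDE and @subst@ lines.
    Repeated keys (several LD_PRELOAD lines) collect into a list.  ${...}
    references are kept verbatim; values must not themselves contain "#".
    """
    root: Section = {}
    stack: List[Section] = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("$INCLUDE") or line.startswith("@"):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        m = re.fullmatch(r"([\w\- ]+?)\s*\{", line)
        if m:
            block: Section = {}
            stack[-1][m.group(1).strip()] = block
            stack.append(block)
            continue
        m = re.fullmatch(r"([\w\-]+)\s*=\s*(.*)", line)
        if m:
            key, value = m.group(1), m.group(2).strip().strip("'\"")
            cur = stack[-1]
            if key in cur:
                prev = cur[key]
                cur[key] = (prev if isinstance(prev, list) else [prev]) + [value]
            else:
                cur[key] = value
            continue
        stack[-1][line] = None  # bare word, e.g. "BAR" inside ENV
    if len(stack) != 1:
        raise ValueError("unterminated block")
    return root


def _block(conf: Section, name: str) -> Section:
    value = conf.get(name)
    return value if isinstance(value, dict) else {}


def _yes(value: object) -> bool:
    return str(value).lower() in ("yes", "true", "on", "1")


def audit(conf: Section) -> List[str]:
    """One finding per weak setting; an empty list means the checks passed."""
    findings: List[str] = []
    sec = _block(conf, "security")
    if "user" not in sec or "group" not in sec:
        findings.append("security.user/group: unset, the server runs with the privileges it was started with")
    if _yes(sec.get("allow_core_dumps", "no")):
        findings.append("security.allow_core_dumps: yes, core files would contain shared secrets and passwords")
    if str(sec.get("max_attributes", "200")) == "0":
        findings.append("security.max_attributes: 0, unlimited attributes per packet (memory exhaustion)")
    reject_delay = float(sec.get("reject_delay", "1"))
    cleanup_delay = float(conf.get("cleanup_delay", "5"))
    if reject_delay > cleanup_delay:
        findings.append("security.reject_delay: %g exceeds cleanup_delay %g, rejects are sent at cleanup_delay anyway"
                        % (reject_delay, cleanup_delay))
    log = _block(conf, "log")
    for key in ("auth_badpass", "auth_goodpass"):
        if _yes(log.get(key, "no")):
            findings.append("log.%s: yes, cleartext passwords are written to the log" % key)
    env = _block(conf, "ENV")
    if "LD_PRELOAD" in env:
        libs = env["LD_PRELOAD"]
        libs = libs if isinstance(libs, list) else [libs]
        findings.append("ENV.LD_PRELOAD: %s is loaded into the server process; verify its owner and integrity"
                        % ", ".join(str(lib) for lib in libs))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_conf(SAMPLE_CONF)):
        print("WARN", finding)
```

The parser is deliberately small: it does not expand `${}` references, follow `$INCLUDE`, or allow `#` inside a value (the `user = #1000` numeric form would need quoting), which is enough for the items checked here. The defaults the checker assumes when an item is missing are the values shipped in this file.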

# PROXY CONFIGURATION
#
#  proxy_requests: Turns proxying of RADIUS requests on or off.
#
#  The server has proxying turned on by default.  If your system is NOT
#  set up to proxy requests to another server, then you can turn proxying
#  off here.  This will save a small amount of resources on the server.
#
#  If you have proxying turned off, and your configuration files say
#  to proxy a request, then an error message will be logged.
#
#  To disable proxying, change the "yes" to "no", and comment out the
#  $INCLUDE line.
#
#  allowed values: {no, yes}
#
proxy_requests  = yes
$INCLUDE proxy.conf


# CLIENTS CONFIGURATION
#
#  Client configuration is defined in "clients.conf".
#

#  The 'clients.conf' file contains all of the information from the old
#  'clients' and 'naslist' configuration files.  We recommend that you
#  do NOT use 'clients' or 'naslist', although they are still
#  supported.
#
#  Anything listed in 'clients.conf' will take precedence over the
#  information from the old-style configuration files.
#
$INCLUDE clients.conf

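`status_server = yes` in the security section above lets a NAS probe the server with a Status-Server packet (RFC 5997), and the shared secret from `clients.conf` is what authenticates that probe. As an added example (not FreeRADIUS code), the Python below plays both sides of that exchange offline: the client builds a Status-Server carrying the Message-Authenticator the RFC requires, the server checks it against the secret and answers with an Access-Accept that carries the RFC 2865 Response Authenticator, and the client verifies the reply. The secret `testing123` and the NAS-Identifier are constructed values. A probe with a missing or wrong Message-Authenticator gets no reply at all, as RFC 5997 requires.

```python
import hashlib
import hmac
import os
import struct

STATUS_SERVER = 12              # RFC 5997
ACCESS_ACCEPT = 2
ATTR_NAS_IDENTIFIER = 32
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator

# Constructed values for this example.  In a deployment the secret is the one
# configured for this NAS's address in clients.conf.
SHARED_SECRET = b"testing123"
NAS_ID = b"nas01.example.net"


def tlv(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (counting this 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value


def parse_attrs(attrs: bytes) -> list:
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(attrs):
        length = attrs[i + 1] if i + 2 <= len(attrs) else 0
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute")
        out.append((attrs[i], attrs[i + 2:i + length]))
        i += length
    return out


def sign(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Append Message-Authenticator (RFC 2869 5.14) and return the packet.

    The HMAC-MD5 is always computed with the *Request* Authenticator in the
    header, for requests and for replies alike; a reply's Response
    Authenticator is filled in afterwards by the caller.
    """
    with_zero = attrs + tlv(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    length = HEADER.size + len(with_zero)
    mac = hmac.new(secret, HEADER.pack(code, ident, length, request_auth) + with_zero, hashlib.md5).digest()
    return HEADER.pack(code, ident, length, request_auth) + attrs + tlv(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet: bytes, secret: bytes, request_auth: bytes) -> bool:
    """Recompute the HMAC with the Message-Authenticator value zeroed; False if absent."""
    if len(packet) < HEADER.size:
        return False
    code, ident, length, _ = HEADER.unpack_from(packet)
    if length != len(packet):
        return False
    attrs = packet[HEADER.size:]
    try:
        parsed = parse_attrs(attrs)
    except ValueError:
        return False
    zeroed, mac, offset = bytearray(attrs), None, 0
    for attr_type, value in parsed:
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            mac = value
            zeroed[offset + 2:offset + 18] = bytes(16)
        offset += 2 + len(value)
    if mac is None:
        return False  # RFC 5997: a Status-Server without Message-Authenticator is discarded
    expected = hmac.new(secret, HEADER.pack(code, ident, length, request_auth) + bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(mac, expected)


def response_authenticator(code, ident, length, request_auth, attrs, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, length, request_auth) + attrs + secret).digest()


def build_status_server(ident: int, secret: bytes = SHARED_SECRET) -> bytes:
    """Client side: a Status-Server probe with a fresh random Request Authenticator."""
    return sign(STATUS_SERVER, ident, os.urandom(16), tlv(ATTR_NAS_IDENTIFIER, NAS_ID), secret)


def serve_status_server(request: bytes, secret: bytes = SHARED_SECRET):
    """Server side: answer a valid probe with Access-Accept, otherwise drop it (None)."""
    if len(request) < HEADER.size:
        return None
    code, ident, _, request_auth = HEADER.unpack_from(request)
    if code != STATUS_SERVER or not verify_message_authenticator(request, secret, request_auth):
        return None
    reply = sign(ACCESS_ACCEPT, ident, request_auth, b"", secret)
    attrs = reply[HEADER.size:]
    resp_auth = response_authenticator(ACCESS_ACCEPT, ident, len(reply), request_auth, attrs, secret)
    return HEADER.pack(ACCESS_ACCEPT, ident, len(reply), resp_auth) + attrs


def verify_reply(request: bytes, reply, secret: bytes = SHARED_SECRET) -> bool:
    """Client side: check identifier, Response Authenticator and Message-Authenticator."""
    if reply is None or len(reply) < HEADER.size:
        return False
    _, req_ident, _, request_auth = HEADER.unpack_from(request)
    code, ident, length, resp_auth = HEADER.unpack_from(reply)
    if ident != req_ident or length != len(reply):
        return False
    attrs = reply[HEADER.size:]
    expected = response_authenticator(code, ident, length, request_auth, attrs, secret)
    return hmac.compare_digest(resp_auth, expected) and verify_message_authenticator(reply, secret, request_auth)
```

Nothing here touches the network: to probe a real server, the bytes from `build_status_server` would be sent to UDP port 1812 and the datagram that comes back passed to `verify_reply` together with the original request, since the Response Authenticator can only be checked against the Request Authenticator the client chose.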
# THREAD POOL CONFIGURATION
#
#  The thread pool is a long-lived group of threads which
#  take turns (round-robin) handling any incoming requests.
#
#  You probably want to have a few spare threads around,
#  so that high-load situations can be handled immediately.  If you
#  don't have any spare threads, then the request handling will
#  be delayed while a new thread is created, and added to the pool.
#
#  You probably don't want too many spare threads around,
#  otherwise they'll be sitting there taking up resources, and
#  not doing anything productive.
#
#  The numbers given below should be adequate for most situations.
#
thread pool {
	#  Number of servers to start initially --- should be a reasonable
	#  ballpark figure.
	start_servers = 5

	#  Limit on the total number of servers running.
	#
	#  If this limit is ever reached, clients will be LOCKED OUT, so it
	#  should NOT BE SET TOO LOW.  It is intended mainly as a brake to
	#  keep a runaway server from taking the system with it as it spirals
	#  down...
	#
	#  You may find that the server is regularly reaching the
	#  'max_servers' number of threads, and that increasing
	#  'max_servers' doesn't seem to make much difference.
	#
	#  If this is the case, then the problem is MOST LIKELY that
	#  your back-end databases are taking too long to respond, and
	#  are preventing the server from responding in a timely manner.
	#
	#  The solution is NOT to keep increasing the 'max_servers'
	#  value, but instead to fix the underlying cause of the
	#  problem: slow database, or 'hostname_lookups=yes'.
	#
	#  For more information, see 'max_request_time', above.
	#
	max_servers = 32

	#  Server-pool size regulation.  Rather than making you guess
	#  how many servers you need, FreeRADIUS dynamically adapts to
	#  the load it sees, that is, it tries to maintain enough
	#  servers to handle the current load, plus a few spare
	#  servers to handle transient load spikes.
	#
	#  It does this by periodically checking how many servers are
	#  waiting for a request.  If there are fewer than
	#  min_spare_servers, it creates a new spare.  If there are
	#  more than max_spare_servers, some of the spares die off.
	#  The default values are probably OK for most sites.
	#
	min_spare_servers = 3
	max_spare_servers = 10

	#  When the server receives a packet, it places it onto an
	#  internal queue, where the worker threads (configured above)
	#  pick it up for processing.  The maximum size of that queue
	#  is given here.
	#
	#  When the queue is full, any new packets will be silently
	#  discarded.
	#
	#  The most common cause of the queue being full is that the
	#  server is dependent on a slow database, and it has received
	#  a large "spike" of traffic.  When that happens, there is
	#  very little you can do other than make sure the server
	#  receives less traffic, or make sure that the database can
	#  handle the load.
	#
#	max_queue_size = 65536

	#  Clean up old threads periodically.  For no reason other than
	#  it might be useful.
	#
	#  '0' is a special value meaning 'infinity', or 'the servers never
	#  exit'
	max_requests_per_server = 0

	#  Automatically limit the number of accounting requests.
	#  This configuration item tracks how many requests per second
	#  the server can handle.  It does this by tracking the
	#  packets/s received by the server for processing, and
	#  comparing that to the packets/s handled by the child
	#  threads.
	#
	#  If the received PPS is larger than the processed PPS, *and*
	#  the queue is more than half full, then new accounting
	#  requests are probabilistically discarded.  This lowers the
	#  number of packets that the server needs to process.  Over
	#  time, the server will "catch up" with the traffic.
	#
	#  Throwing away accounting packets is usually safe and low
	#  impact.  The NAS will retransmit them in a few seconds, or
	#  even a few minutes.  Vendors should read RFC 5080 Section 2.2.1
	#  to see how accounting packets should be retransmitted.  Using
	#  any other method is likely to cause network meltdowns.
	#
	auto_limit_acct = no
}

######################################################################
#
#  SNMP notifications.  Uncomment the following line to enable
#  snmptraps.  Note that you MUST also configure the full path
#  to the "snmptrap" command in the "trigger.conf" file.
#
#$INCLUDE trigger.conf

  742 ######################################################################
  743 #
  744 #  SNMP notifications.  Uncomment the following line to enable
  745 #  snmptraps.  Note that you MUST also configure the full path
  746 #  to the "snmptrap" command in the "trigger.conf" file.
  747 #
  748 #$INCLUDE trigger.conf
  749 
  750 # MODULE CONFIGURATION
  751 #
  752 #  The names and configuration of each module is located in this section.
  753 #
  754 #  After the modules are defined here, they may be referred to by name,
  755 #  in other sections of this configuration file.
  756 #
  757 modules {
  758 	#
  759 	#  Each module has a configuration as follows:
  760 	#
  761 	#	name [ instance ] {
  762 	#		config_item = value
  763 	#		...
  764 	#	}
  765 	#
  766 	#  The 'name' is used to load the 'rlm_name' library
  767 	#  which implements the functionality of the module.
  768 	#
  769 	#  The 'instance' is optional.  To have two different instances
  770 	#  of a module, it first must be referred to by 'name'.
  771 	#  The different copies of the module are then created by
  772 	#  inventing two 'instance' names, e.g. 'instance1' and 'instance2'
  773 	#
  774 	#  The instance names can then be used in later configuration
  775 	#  INSTEAD of the original 'name'.  See the 'radutmp' configuration
  776 	#  for an example.
  777 	#
  778 
  779 	#
  780 	#  Some modules have ordering issues.  e.g. "sqlippool" uses
  781 	#  the configuration from "sql".  In that case, the "sql"
  782 	#  module must be read off of disk before the "sqlippool".
  783 	#  However, the directory inclusion below just reads the
  784 	#  directory from start to finish.  Which means that the
  785 	#  modules are read off of disk randomly.
  786 	#
  787 	#  As of 3.0.18, you can list individual modules *before* the
  788 	#  directory inclusion.  Those modules will be loaded first.
  789 	#  Then, when the directory is read, those modules will be
  790 	#  skipped and not read twice.
  791 	#
  792 #	$INCLUDE mods-enabled/sql
  793 
  794 	#
  795 	#  As of 3.0, modules are in mods-enabled/.  Files matching
  796 	#  the regex /[a-zA-Z0-9_.]+/ are loaded.  The modules are
  797 	#  initialized ONLY if they are referenced in a processing
  798 	#  section, such as authorize, authenticate, accounting,
  799 	#  pre/post-proxy, etc.
  800 	#
  801 	$INCLUDE mods-enabled/
  802 }
  803 
  804 # Instantiation
  805 #
#  This section sets the instantiation order of the modules.  Modules
#  listed here will get started up BEFORE the sections like authorize,
#  authenticate, etc. get examined.
#
#  This section is not strictly needed.  When a section like authorize
#  refers to a module, the module is automatically loaded and
#  initialized.  However, some modules may not be listed in any of the
#  processing sections, so they should be listed here.
#
#  Also, listing modules here ensures that you have control over
#  the order in which they are initialized.  If one module needs
#  something defined by another module, you can list them in order
#  here, and ensure that the configuration will be OK.
#
#  After the modules listed here have been loaded, all of the modules
#  in the "mods-enabled" directory will be loaded.  Loading the
#  "mods-enabled" directory means that unlike Version 2, you usually
#  don't need to list modules here.
#
instantiate {
	#
	# We list the counter module here so that it registers
	# the check_name attribute before any module which sets
	# it.
#	daily

	# Subsections here can be thought of as "virtual" modules.
	#
	# e.g. if you have two redundant SQL servers, and you want to
	# use them in the authorize and accounting sections, you could
	# place a "redundant" block in each section, containing the
	# exact same text.  Or, you could uncomment the following
	# lines, and list "redundant_sql" in the authorize and
	# accounting sections.
	#
	#  The "virtual" module defined here can also be used with
	#  dynamic expansions, under a few conditions:
	#
	#  * The section is "redundant", or "load-balance", or
	#    "redundant-load-balance"
	#  * The section contains modules ONLY, and no sub-sections
	#  * All modules in the section are using the same rlm_
	#    driver, e.g. they are all sql, or all ldap, etc.
	#
	#  When those conditions are satisfied, the server will
	#  automatically register a dynamic expansion, using the
	#  name of the "virtual" module.  In the example below,
	#  it will be "redundant_sql".  You can then use this expansion
	#  just like any other:
	#
	#	update reply {
	#		Filter-Id := "%{redundant_sql: ... }"
	#	}
	#
	#  In this example, the expansion is done via module "sql1",
	#  and if that expansion fails, using module "sql2".
	#
	#  For best results, configure the "pool" subsection of the
	#  module so that "retry_delay" is non-zero.  That will allow
	#  the redundant block to quickly ignore all "down" SQL
	#  databases.  If instead we have "retry_delay = 0", then
	#  every time the redundant block is used, the server will try
	#  to open a connection to every "down" database, causing
	#  a delay on every request.
	#
	#redundant redundant_sql {
	#	sql1
	#	sql2
	#}
}
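#
#  The module-instance and "virtual" module mechanism described in the
#  "modules" and "instantiate" comments above, carried through end to
#  end.  This is an added example, not configuration shipped with
#  FreeRADIUS: two instances of rlm_sql, an "instantiate" section that
#  starts them in order and wraps them in a "redundant" block, and an
#  "authorize" fragment that uses the result both as a module and as a
#  dynamic expansion.  The instance names, hosts, credentials, pool
#  values and the "nas_filter" table are assumptions.
#

```unlang
#
#  mods-enabled/sql   (added example; instance names, hosts,
#  credentials and pool values are assumptions, not the
#  distribution's defaults)
#
#  "sql" is the module name, so both blocks load rlm_sql.
#  "sql1" and "sql2" are the instance names, and it is those
#  names that the rest of the configuration refers to.
#
sql sql1 {
	driver = "rlm_sql_mysql"
	dialect = "mysql"
	server = "10.0.0.11"
	port = 3306
	login = "radius"
	#  Keep this file readable by the radiusd user only.
	password = "change-me"
	radius_db = "radius"

	#  Escaped copy of User-Name (SQL-User-Name) for queries.conf
	sql_user_name = "%{User-Name}"

	pool {
		start = 5
		min = 4
		max = 32
		spare = 3
		idle_timeout = 60
		#  Non-zero, so that a "redundant" block skips a database
		#  that is known to be down instead of trying to open a
		#  new connection to it on every request.
		retry_delay = 30
	}

	#  Per-dialect queries; rlm_sql expands them with its own escaping.
	$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
}

#  Second instance: same settings, different server.
sql sql2 {
	driver = "rlm_sql_mysql"
	dialect = "mysql"
	server = "10.0.0.12"
	port = 3306
	login = "radius"
	password = "change-me"
	radius_db = "radius"
	sql_user_name = "%{User-Name}"
	pool {
		start = 5
		min = 4
		max = 32
		spare = 3
		idle_timeout = 60
		retry_delay = 30
	}
	$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
}

#
#  radiusd.conf, the "instantiate" section
#
instantiate {
	#  By instance name, in the order they must start: both
	#  databases before the virtual module that refers to them.
	sql1
	sql2

	#  Virtual module: try sql1, and if that fails, sql2.  Modules
	#  only, no sub-sections, all rlm_sql, so the server also
	#  registers the expansion %{redundant_sql:...}.
	redundant redundant_sql {
		sql1
		sql2
	}
}

#
#  sites-enabled/default, fragment of the "authorize" section
#
authorize {
	#  As a module: the authorize queries from queries.conf run
	#  against whichever database answers.
	redundant_sql

	#  As an expansion.  Client-Shortname is set from clients.conf,
	#  not taken from the packet, so it can appear in the query
	#  text.  Anything that comes from the request belongs in
	#  queries.conf, where rlm_sql escapes it.  The "nas_filter"
	#  table and its columns are assumptions.
	update request {
		Tmp-String-0 := "%{redundant_sql: SELECT filter_id FROM nas_filter WHERE shortname = '%{Client-Shortname}'}"
	}
	if ("%{Tmp-String-0}" != "") {
		update reply {
			Filter-Id := &Tmp-String-0
		}
	}
}
```

#
#  Run "radiusd -XC" after making a change of this kind and read the
#  output: it shows sql1 and sql2 being instantiated before
#  redundant_sql, and reports any reference to a name that is not
#  defined.
#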

######################################################################
#
#  Policies are virtual modules, similar to those defined in the
#  "instantiate" section above.
#
#  Defining a policy in one of the policy.d files means that it can be
#  referenced in multiple places as a *name*, rather than as a series of
#  conditions to match, and actions to take.
#
#  Policies are something like subroutines in a normal language, but
#  they cannot be called recursively.  They MUST be defined in order.
#  If policy A calls policy B, then B MUST be defined before A.
#
######################################################################
policy {
	$INCLUDE policy.d/
}
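#
#  A pair of policies written the way the comments above describe, as
#  an added example and not a file from the FreeRADIUS distribution.
#  The callee is defined first, because a policy must exist before
#  another policy calls it.  The file name, the policy names, the
#  character set allowed in User-Name (sites that use "DOMAIN\user"
#  names will need "\" added) and the NAS check are all assumptions.
#

```unlang
#
#  policy.d/site_checks   (added example; file name, policy names
#  and the allowed character set are assumptions)
#
#  Policies are named subroutines.  "user_name_is_sane" comes
#  first, because "site_precheck" below calls it.  A policy may
#  not call itself, directly or through another policy.
#

#
#  Reject a User-Name containing characters that no local identity
#  uses.  Rejecting here, before any module sees the name, keeps
#  odd input out of SQL and LDAP queries and out of the logs.
#
user_name_is_sane {
	if (&User-Name && (&User-Name !~ /^[-a-zA-Z0-9_.@+]+$/)) {
		reject
	}
	ok
}

#
#  Site-wide checks, referenced by name from the virtual server.
#  "reject" returns from the enclosing section at once, so the NAS
#  check only runs for names that passed the policy above.
#
site_precheck {
	user_name_is_sane

	#  Every request must say which NAS sent it (RFC 2865 requires
	#  NAS-IP-Address or NAS-Identifier; RFC 3162 adds
	#  NAS-IPv6-Address).
	if (!&NAS-IP-Address && !&NAS-IPv6-Address && !&NAS-Identifier) {
		reject
	}
	ok
}
```

#
#  The virtual server then calls the outer policy by name, as the
#  first entry of its "authorize" section:
#
#	authorize {
#		site_precheck
#		#  ... the rest of the section as before
#	}
#
#  As with any policy change, check the result with "radiusd -XC"
#  before restarting the server.
#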

######################################################################
#
#	Load virtual servers.
#
#	This next $INCLUDE line loads files in the directory that
#	match the regular expression: /[a-zA-Z0-9_.]+/
#
#	It allows you to define new virtual servers simply by placing
#	a file into the raddb/sites-enabled/ directory.
#
$INCLUDE sites-enabled/

######################################################################
#
#	All of the other configuration sections like "authorize {}",
#	"authenticate {}", "accounting {}", have been moved to
#	the file:
#
#		raddb/sites-available/default
#
#	This is the "default" virtual server that has the same
#	configuration as in version 1.0.x and 1.1.x.  The default
#	installation enables this virtual server.  You should
#	edit it to create policies for your local site.
#
#	For more documentation on virtual servers, see:
#
#		raddb/sites-available/README
#
######################################################################