summaryrefslogtreecommitdiffstats
path: root/raddb/radiusd.conf.in
diff options
context:
space:
mode:
Diffstat (limited to 'raddb/radiusd.conf.in')
-rw-r--r--raddb/radiusd.conf.in902
1 files changed, 902 insertions, 0 deletions
diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
new file mode 100644
index 0000000..79603c9
--- /dev/null
+++ b/raddb/radiusd.conf.in
@@ -0,0 +1,902 @@
+# -*- text -*-
+##
+## radiusd.conf -- FreeRADIUS server configuration file - @RADIUSD_VERSION_STRING@
+##
+## http://www.freeradius.org/
+## $Id$
+##
+
+######################################################################
+#
+# The format of this (and other) configuration file is
+# documented in "man unlang". There are also READMEs in many
+# subdirectories:
+#
+# raddb/README.rst
+# How to upgrade from v2.
+#
+# raddb/mods-available/README.rst
+# How to use mods-available / mods-enabled.
+# All of the modules are in individual files,
+# along with configuration items and full documentation.
+#
+# raddb/sites-available/README
+# virtual servers, "listen" sections, clients, etc.
+# The "sites-available" directory contains many
+# worked examples of common configurations.
+#
+# raddb/certs/README.md
+# How to create certificates for EAP or RadSec.
+#
+# Every configuration item in the server is documented
+# extensively in the comments in the example configuration
+# files.
+#
+# Before editing this (or any other) configuration file, PLEASE
+# read "man radiusd". See the section titled DEBUGGING. It
+# outlines a method where you can quickly create the
+# configuration you want, with minimal effort.
+#
+# Run the server in debugging mode, and READ the output.
+#
+# $ radiusd -X
+#
+# We cannot emphasize this point strongly enough. The vast
+# majority of problems can be solved by carefully reading the
+# debugging output, which includes warnings about common issues,
+# and suggestions for how they may be fixed.
+#
+# There may be a lot of output, but look carefully for words like:
+# "warning", "error", "reject", or "failure". The messages there
+# will usually be enough to guide you to a solution.
+#
+# More documentation on "radiusd -X" is available on the wiki:
+# https://wiki.freeradius.org/radiusd-X
+#
+# If you are going to ask a question on the mailing list, then
+# explain what you are trying to do, and include the output from
+# debugging mode (radiusd -X). Failure to do so means that all
+# of the responses to your question will be people telling you
+# to "post the output of radiusd -X".
+#
+# Guidelines for posting to the mailing list are on the wiki:
+# https://wiki.freeradius.org/list-help
+#
+# Please read those guidelines before posting to the list.
+#
+# Further documentation is available in the "doc" directory
+# of the server distribution, or on the wiki at:
+# https://wiki.freeradius.org/
+#
+# New users to RADIUS should read the Technical Guide. That guide
+# explains how RADIUS works, how FreeRADIUS works, and what each
+# part of a RADIUS system does. It is not just "configure FreeRADIUS"!
+# https://networkradius.com/doc/FreeRADIUS-Technical-Guide.pdf
+#
+# More documentation on dictionaries, modules, unlang, etc. is also
+# available on the Network RADIUS web site:
+# https://networkradius.com/freeradius-documentation/
+#
+
+######################################################################
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+sysconfdir = @sysconfdir@
+localstatedir = @localstatedir@
+sbindir = @sbindir@
+logdir = @logdir@
+raddbdir = @raddbdir@
+radacctdir = @radacctdir@
+
+#
+# name of the running server. See also the "-n" command-line option.
+name = radiusd
+
+# Location of config and logfiles.
+confdir = ${raddbdir}
+modconfdir = ${confdir}/mods-config
+certdir = ${confdir}/certs
+cadir = ${confdir}/certs
+run_dir = ${localstatedir}/run/${name}
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+#
+# libdir: Where to find the rlm_* modules.
+#
+# This should be automatically set at configuration time.
+#
+# If the server builds and installs, but fails at execution time
+# with an 'undefined symbol' error, then you can use the libdir
+# directive to work around the problem.
+#
+# The cause is usually that a library has been installed on your
+# system in a place where the dynamic linker CANNOT find it. When
+# executing as root (or another user), your personal environment MAY
+# be set up to allow the dynamic linker to find the library. When
+# executing as a daemon, FreeRADIUS MAY NOT have the same
+# personalized configuration.
+#
+# To work around the problem, find out which library contains that symbol,
+# and add the directory containing that library to the end of 'libdir',
+# with a colon separating the directory names. NO spaces are allowed.
+#
+# e.g. libdir = /usr/local/lib:/opt/package/lib
+#
+# You can also try setting the LD_LIBRARY_PATH environment variable
+# in a script which starts the server.
+#
+# If that does not work, then you can re-configure and re-build the
+# server to NOT use shared libraries, via:
+#
+# ./configure --disable-shared
+# make
+# make install
+#
+libdir = @libdir@
+
+# pidfile: Where to place the PID of the RADIUS server.
+#
+# The server may be signalled while it's running by using this
+# file.
+#
+# This file is written when ONLY running in daemon mode.
+#
+# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
+#
+pidfile = ${run_dir}/${name}.pid
+
+# panic_action: Command to execute if the server dies unexpectedly.
+#
+# FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.
+# AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.
+# AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART.
+#
+# THE SERVER MUST NOT BE ALLOWED EXECUTE UNTRUSTED PANIC ACTION CODE
+# PATTACH CAN BE USED AS AN ATTACK VECTOR.
+#
+# The panic action is a command which will be executed if the server
+# receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS,
+# SIGABRT or SIGFPE.
+#
+# This can be used to start an interactive debugging session so
+# that information regarding the current state of the server can
+# be acquired.
+#
+# The following string substitutions are available:
+# - %e The currently executing program e.g. /sbin/radiusd
+# - %p The PID of the currently executing program e.g. 12345
+#
+# Standard ${} substitutions are also allowed.
+#
+# An example panic action for opening an interactive session in GDB would be:
+#
+#panic_action = "gdb %e %p"
+#
+# Again, don't use that on a production system.
+#
+# An example panic action for opening an automated session in GDB would be:
+#
+#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log"
+#
+# That command can be used on a production system.
+#
+
+# max_request_time: The maximum time (in seconds) to handle a request.
+#
+# Requests which take more time than this to process may be killed, and
+# a REJECT message is returned.
+#
+# WARNING: If you notice that requests take a long time to be handled,
+# then this MAY INDICATE a bug in the server, in one of the modules
+# used to handle a request, OR in your local configuration.
+#
+# This problem is most often seen when using an SQL database. If it takes
+# more than a second or two to receive an answer from the SQL database,
+# then it probably means that you haven't indexed the database. See your
+# SQL server documentation for more information.
+#
+# Useful range of values: 5 to 120
+#
+max_request_time = 30
+
+# cleanup_delay: The time to wait (in seconds) before cleaning up
+# a reply which was sent to the NAS.
+#
+# The RADIUS request is normally cached internally for a short period
+# of time, after the reply is sent to the NAS. The reply packet may be
+# lost in the network, and the NAS will not see it. The NAS will then
+# re-send the request, and the server will respond quickly with the
+# cached reply.
+#
+# If this value is set too low, then duplicate requests from the NAS
+# MAY NOT be detected, and will instead be handled as separate requests.
+#
+# If this value is set too high, then the server will cache too many
+# requests, and some new requests may get blocked. (See 'max_requests'.)
+#
+# Useful range of values: 2 to 30
+#
+cleanup_delay = 5
+
+# max_requests: The maximum number of requests which the server keeps
+# track of. This should be 256 multiplied by the number of clients.
+# e.g. With 4 clients, this number should be 1024.
+#
+# If this number is too low, then when the server becomes busy,
+# it will not respond to any new requests, until the 'cleanup_delay'
+# time has passed, and it has removed the old requests.
+#
+# If this number is set too high, then the server will use a bit more
+# memory for no real benefit.
+#
+# If you aren't sure what it should be set to, it's better to set it
+# too high than too low. Setting it to 1000 per client is probably
+# the highest it should be.
+#
+# Useful range of values: 256 to infinity
+#
+max_requests = 16384
+
+# hostname_lookups: Log the names of clients or just their IP addresses
+# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
+#
+# The default is 'off' because it would be overall better for the net
+# if people had to knowingly turn this feature on, since enabling it
+# means that each client request will result in AT LEAST one lookup
+# request to the nameserver. Enabling hostname_lookups will also
+# mean that your server may stop randomly for 30 seconds from time
+# to time, if the DNS requests take too long.
+#
+# Turning hostname lookups off also means that the server won't block
+# for 30 seconds, if it sees an IP address which has no name associated
+# with it.
+#
+# allowed values: {no, yes}
+#
+hostname_lookups = no
+
+#
+# Run a "Post-Auth-Type Client-Lost" section. This ONLY happens when
+# the server sends an Access-Challenge, and then client does not
+# respond to it. The goal is to allow administrators to log
+# something when the client does not respond.
+#
+# See sites-available/default, "Post-Auth-Type Client-Lost" for more
+# information.
+#
+#postauth_client_lost = no
+
+#
+# Logging section. The various "log_*" configuration items
+# will eventually be moved here.
+#
+log {
+ #
+ # Destination for log messages. This can be one of:
+ #
+ # files - log to "file", as defined below.
+ # syslog - to syslog (see also the "syslog_facility", below.
+ # stdout - standard output
+ # stderr - standard error.
+ #
+ # The command-line option "-X" over-rides this option, and forces
+ # logging to go to stdout.
+ #
+ destination = files
+
+ #
+ # Highlight important messages sent to stderr and stdout.
+ #
+ # Option will be ignored (disabled) if output if TERM is not
+ # an xterm or output is not to a TTY.
+ #
+ colourise = yes
+
+ #
+ # The logging messages for the server are appended to the
+ # tail of this file if destination == "files"
+ #
+ # If the server is running in debugging mode, this file is
+ # NOT used.
+ #
+ file = ${logdir}/radius.log
+
+ #
+ # Which syslog facility to use, if ${destination} == "syslog"
+ #
+ # The exact values permitted here are OS-dependent. You probably
+ # don't want to change this.
+ #
+ syslog_facility = daemon
+
+ # Log the full User-Name attribute, as it was found in the request.
+ #
+ # allowed values: {no, yes}
+ #
+ stripped_names = no
+
+ # Log all (accept and reject) authentication results to the log file.
+ #
+ # This is the same as setting "auth_accept = yes" and
+ # "auth_reject = yes"
+ #
+ # allowed values: {no, yes}
+ #
+ auth = no
+
+ # Log Access-Accept results to the log file.
+ #
+ # This is only used if "auth = no"
+ #
+ # allowed values: {no, yes}
+ #
+# auth_accept = no
+
+ # Log Access-Reject results to the log file.
+ #
+ # This is only used if "auth = no"
+ #
+ # allowed values: {no, yes}
+ #
+# auth_reject = no
+
+ # Log passwords with the authentication requests.
+ # auth_badpass - logs password if it's rejected
+ # auth_goodpass - logs password if it's correct
+ #
+ # allowed values: {no, yes}
+ #
+ auth_badpass = no
+ auth_goodpass = no
+
+ # Log additional text at the end of the "Login OK" messages.
+ # for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
+ # configurations above have to be set to "yes".
+ #
+ # The strings below are dynamically expanded, which means that
+ # you can put anything you want in them. However, note that
+ # this expansion can be slow, and can negatively impact server
+ # performance.
+ #
+# msg_goodpass = ""
+# msg_badpass = ""
+
+ # The message when the user exceeds the Simultaneous-Use limit.
+ #
+ msg_denied = "You are already logged in - access denied"
+
+ # Suppress "secret" attributes when printing them in debug mode.
+ #
+ # Secrets are NOT tracked across xlat expansions. If your
+ # configuration puts secrets into other strings, they will
+ # still get printed.
+ #
+ # Setting this to "yes" means that the server prints
+ #
+ # <<< secret >>>
+ #
+ # instead of the value, for attriburtes which contain secret
+ # information. e.g. User-Name, Tunnel-Password, etc.
+ #
+ # This configuration is disabled by default. It is extremely
+ # important for administrators to be able to debug user logins
+ # by seeing what is actually being sent.
+ #
+# suppress_secrets = no
+}
+
+# The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+#
+# ENVIRONMENT VARIABLES
+#
+# You can reference environment variables using an expansion like
+# `$ENV{PATH}`. However it is sometimes useful to be able to also set
+# environment variables. This section lets you do that.
+#
+# The main purpose of this section is to allow administrators to keep
+# RADIUS-specific configuration in the RADIUS configuration files.
+# For example, if you need to set an environment variable which is
+# used by a module. You could put that variable into a shell script,
+# but that's awkward. Instead, just list it here.
+#
+# Note that these environment variables are set AFTER the
+# configuration file is loaded. So you cannot set FOO here, and
+# expect to reference it via `$ENV{FOO}` in another configuration file.
+# You should instead just use a normal configuration variable for
+# that.
+#
+ENV {
+ #
+ # Set environment varable `FOO` to value '/bar/baz'.
+ #
+ # NOTE: Note that you MUST use '='. You CANNOT use '+=' to append
+ # values.
+ #
+# FOO = '/bar/baz'
+
+ #
+ # Delete environment variable `BAR`.
+ #
+# BAR
+
+ #
+ # `LD_PRELOAD` is special. It is normally set before the
+ # application runs, and is interpreted by the dynamic linker.
+ # Which means you cannot set it inside of an application, and
+ # expect it to load libraries.
+ #
+ # Since this functionality is useful, we extend it here.
+ #
+ # You can set
+ #
+ # LD_PRELOAD = /path/to/library.so
+ #
+ # and the server will load the named libraries. Multiple
+ # libraries can be loaded by specificing multiple individual
+ # `LD_PRELOAD` entries.
+ #
+ #
+# LD_PRELOAD = /path/to/library1.so
+# LD_PRELOAD = /path/to/library2.so
+}
+
+# SECURITY CONFIGURATION
+#
+# There may be multiple methods of attacking on the server. This
+# section holds the configuration items which minimize the impact
+# of those attacks
+#
+security {
+ # chroot: directory where the server does "chroot".
+ #
+ # The chroot is done very early in the process of starting
+ # the server. After the chroot has been performed it
+ # switches to the "user" listed below (which MUST be
+ # specified). If "group" is specified, it switches to that
+ # group, too. Any other groups listed for the specified
+ # "user" in "/etc/group" are also added as part of this
+ # process.
+ #
+ # The current working directory (chdir / cd) is left
+ # *outside* of the chroot until all of the modules have been
+ # initialized. This allows the "raddb" directory to be left
+ # outside of the chroot. Once the modules have been
+ # initialized, it does a "chdir" to ${logdir}. This means
+ # that it should be impossible to break out of the chroot.
+ #
+ # If you are worried about security issues related to this
+ # use of chdir, then simply ensure that the "raddb" directory
+ # is inside of the chroot, end be sure to do "cd raddb"
+ # BEFORE starting the server.
+ #
+ # If the server is statically linked, then the only files
+ # that have to exist in the chroot are ${run_dir} and
+ # ${logdir}. If you do the "cd raddb" as discussed above,
+ # then the "raddb" directory has to be inside of the chroot
+ # directory, too.
+ #
+# chroot = /path/to/chroot/directory
+
+ # user/group: The name (or #number) of the user/group to run radiusd as.
+ #
+ # If these are commented out, the server will run as the
+ # user/group that started it. In order to change to a
+ # different user/group, you MUST be root ( or have root
+ # privileges ) to start the server.
+ #
+ # We STRONGLY recommend that you run the server with as few
+ # permissions as possible. That is, if you're not using
+ # shadow passwords, the user and group items below should be
+ # set to radius'.
+ #
+ # NOTE that some kernels refuse to setgid(group) when the
+ # value of (unsigned)group is above 60000; don't use group
+ # "nobody" on these systems!
+ #
+ # On systems with shadow passwords, you might have to set
+ # 'group = shadow' for the server to be able to read the
+ # shadow password file. If you can authenticate users while
+ # in debug mode, but not in daemon mode, it may be that the
+ # debugging mode server is running as a user that can read
+ # the shadow info, and the user listed below can not.
+ #
+ # The server will also try to use "initgroups" to read
+ # /etc/groups. It will join all groups where "user" is a
+ # member. This can allow for some finer-grained access
+ # controls.
+ #
+# user = radius
+# group = radius
+
+ # Core dumps are a bad thing. This should only be set to
+ # 'yes' if you're debugging a problem with the server.
+ #
+ # allowed values: {no, yes}
+ #
+ allow_core_dumps = no
+
+ #
+ # max_attributes: The maximum number of attributes
+ # permitted in a RADIUS packet. Packets which have MORE
+ # than this number of attributes in them will be dropped.
+ #
+ # If this number is set too low, then no RADIUS packets
+ # will be accepted.
+ #
+ # If this number is set too high, then an attacker may be
+ # able to send a small number of packets which will cause
+ # the server to use all available memory on the machine.
+ #
+ # Setting this number to 0 means "allow any number of attributes"
+ max_attributes = 200
+
+ #
+ # reject_delay: When sending an Access-Reject, it can be
+ # delayed for a few seconds. This may help slow down a DoS
+ # attack. It also helps to slow down people trying to brute-force
+ # crack a users password.
+ #
+ # Setting this number to 0 means "send rejects immediately"
+ #
+ # If this number is set higher than 'cleanup_delay', then the
+ # rejects will be sent at 'cleanup_delay' time, when the request
+ # is deleted from the internal cache of requests.
+ #
+ # This number can be a decimal, e.g. 3.4
+ #
+ # Useful ranges: 1 to 5
+ reject_delay = 1
+
+ #
+ # status_server: Whether or not the server will respond
+ # to Status-Server requests.
+ #
+ # When sent a Status-Server message, the server responds with
+ # an Access-Accept or Accounting-Response packet.
+ #
+ # This is mainly useful for administrators who want to "ping"
+ # the server, without adding test users, or creating fake
+ # accounting packets.
+ #
+ # It's also useful when a NAS marks a RADIUS server "dead".
+ # The NAS can periodically "ping" the server with a Status-Server
+ # packet. If the server responds, it must be alive, and the
+ # NAS can start using it for real requests.
+ #
+ # See also raddb/sites-available/status
+ #
+ status_server = yes
+
+@openssl_version_check_config@
+}
+
+# PROXY CONFIGURATION
+#
+# proxy_requests: Turns proxying of RADIUS requests on or off.
+#
+# The server has proxying turned on by default. If your system is NOT
+# set up to proxy requests to another server, then you can turn proxying
+# off here. This will save a small amount of resources on the server.
+#
+# If you have proxying turned off, and your configuration files say
+# to proxy a request, then an error message will be logged.
+#
+# To disable proxying, change the "yes" to "no", and comment the
+# $INCLUDE line.
+#
+# allowed values: {no, yes}
+#
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+
+# CLIENTS CONFIGURATION
+#
+# Client configuration is defined in "clients.conf".
+#
+
+# The 'clients.conf' file contains all of the information from the old
+# 'clients' and 'naslist' configuration files. We recommend that you
+# do NOT use 'client's or 'naslist', although they are still
+# supported.
+#
+# Anything listed in 'clients.conf' will take precedence over the
+# information from the old-style configuration files.
+#
+$INCLUDE clients.conf
+
+
+# THREAD POOL CONFIGURATION
+#
+# The thread pool is a long-lived group of threads which
+# take turns (round-robin) handling any incoming requests.
+#
+# You probably want to have a few spare threads around,
+# so that high-load situations can be handled immediately. If you
+# don't have any spare threads, then the request handling will
+# be delayed while a new thread is created, and added to the pool.
+#
+# You probably don't want too many spare threads around,
+# otherwise they'll be sitting there taking up resources, and
+# not doing anything productive.
+#
+# The numbers given below should be adequate for most situations.
+#
+thread pool {
+ # Number of servers to start initially --- should be a reasonable
+ # ballpark figure.
+ start_servers = 5
+
+ # Limit on the total number of servers running.
+ #
+ # If this limit is ever reached, clients will be LOCKED OUT, so it
+ # should NOT BE SET TOO LOW. It is intended mainly as a brake to
+ # keep a runaway server from taking the system with it as it spirals
+ # down...
+ #
+ # You may find that the server is regularly reaching the
+ # 'max_servers' number of threads, and that increasing
+ # 'max_servers' doesn't seem to make much difference.
+ #
+ # If this is the case, then the problem is MOST LIKELY that
+ # your back-end databases are taking too long to respond, and
+ # are preventing the server from responding in a timely manner.
+ #
+ # The solution is NOT do keep increasing the 'max_servers'
+ # value, but instead to fix the underlying cause of the
+ # problem: slow database, or 'hostname_lookups=yes'.
+ #
+ # For more information, see 'max_request_time', above.
+ #
+ max_servers = 32
+
+ # Server-pool size regulation. Rather than making you guess
+ # how many servers you need, FreeRADIUS dynamically adapts to
+ # the load it sees, that is, it tries to maintain enough
+ # servers to handle the current load, plus a few spare
+ # servers to handle transient load spikes.
+ #
+ # It does this by periodically checking how many servers are
+ # waiting for a request. If there are fewer than
+ # min_spare_servers, it creates a new spare. If there are
+ # more than max_spare_servers, some of the spares die off.
+ # The default values are probably OK for most sites.
+ #
+ min_spare_servers = 3
+ max_spare_servers = 10
+
+ # When the server receives a packet, it places it onto an
+ # internal queue, where the worker threads (configured above)
+ # pick it up for processing. The maximum size of that queue
+ # is given here.
+ #
+ # When the queue is full, any new packets will be silently
+ # discarded.
+ #
+ # The most common cause of the queue being full is that the
+ # server is dependent on a slow database, and it has received
+ # a large "spike" of traffic. When that happens, there is
+ # very little you can do other than make sure the server
+ # receives less traffic, or make sure that the database can
+ # handle the load.
+ #
+# max_queue_size = 65536
+
+ # Clean up old threads periodically. For no reason other than
+ # it might be useful.
+ #
+ # '0' is a special value meaning 'infinity', or 'the servers never
+ # exit'
+ max_requests_per_server = 0
+
+ # Automatically limit the number of accounting requests.
+ # This configuration item tracks how many requests per second
+ # the server can handle. It does this by tracking the
+ # packets/s received by the server for processing, and
+ # comparing that to the packets/s handled by the child
+ # threads.
+ #
+
+ # If the received PPS is larger than the processed PPS, *and*
+ # the queue is more than half full, then new accounting
+ # requests are probabilistically discarded. This lowers the
+ # number of packets that the server needs to process. Over
+ # time, the server will "catch up" with the traffic.
+ #
+ # Throwing away accounting packets is usually safe and low
+ # impact. The NAS will retransmit them in a few seconds, or
+ # even a few minutes. Vendors should read RFC 5080 Section 2.2.1
+ # to see how accounting packets should be retransmitted. Using
+ # any other method is likely to cause network meltdowns.
+ #
+ auto_limit_acct = no
+}
+
+######################################################################
+#
+# SNMP notifications. Uncomment the following line to enable
+# snmptraps. Note that you MUST also configure the full path
+# to the "snmptrap" command in the "trigger.conf" file.
+#
+#$INCLUDE trigger.conf
+
+# MODULE CONFIGURATION
+#
+# The names and configuration of each module is located in this section.
+#
+# After the modules are defined here, they may be referred to by name,
+# in other sections of this configuration file.
+#
+modules {
+ #
+ # Each module has a configuration as follows:
+ #
+ # name [ instance ] {
+ # config_item = value
+ # ...
+ # }
+ #
+ # The 'name' is used to load the 'rlm_name' library
+ # which implements the functionality of the module.
+ #
+ # The 'instance' is optional. To have two different instances
+ # of a module, it first must be referred to by 'name'.
+ # The different copies of the module are then created by
+ # inventing two 'instance' names, e.g. 'instance1' and 'instance2'
+ #
+ # The instance names can then be used in later configuration
+ # INSTEAD of the original 'name'. See the 'radutmp' configuration
+ # for an example.
+ #
+
+ #
+ # Some modules have ordering issues. e.g. "sqlippool" uses
+ # the configuration from "sql". In that case, the "sql"
+ # module must be read off of disk before the "sqlippool".
+ # However, the directory inclusion below just reads the
+ # directory from start to finish. Which means that the
+ # modules are read off of disk randomly.
+ #
+ # You can list individual modules *before* the directory
+ # inclusion. Those modules will be loaded first. Then, when
+ # the directory is read, those modules will be skipped and
+ # not read twice.
+ #
+# $INCLUDE mods-enabled/sql
+
+ #
+ # All modules are in ther mods-enabled/ directory. Files
+ # matching the regex /[a-zA-Z0-9_.]+/ are read. The
+ # modules are initialized ONLY if they are referenced in a
+ # processing section, such as authorize, authenticate,
+ # accounting, pre/post-proxy, etc.
+ #
+ $INCLUDE mods-enabled/
+}
+
+# Instantiation
+#
+# This section sets the instantiation order of the modules. listed
+# here will get started up BEFORE the sections like authorize,
+# authenticate, etc. get examined.
+#
+# This section is not strictly needed. When a section like authorize
+# refers to a module, the module is automatically loaded and
+# initialized. However, some modules may not be listed in any of the
+# processing sections, so they should be listed here.
+#
+# Also, listing modules here ensures that you have control over
+# the order in which they are initialized. If one module needs
+# something defined by another module, you can list them in order
+# here, and ensure that the configuration will be OK.
+#
+# After the modules listed here have been loaded, all of the modules
+# in the "mods-enabled" directory will be loaded. Loading the
+# "mods-enabled" directory means that unlike Version 2, you usually
+# don't need to list modules here.
+#
+instantiate {
+ #
+ # We list the counter module here so that it registers
+ # the check_name attribute before any module which sets
+ # it
+# daily
+
+ # subsections here can be thought of as "virtual" modules.
+ #
+ # e.g. If you have two redundant SQL servers, and you want to
+ # use them in the authorize and accounting sections, you could
+ # place a "redundant" block in each section, containing the
+ # exact same text. Or, you could uncomment the following
+ # lines, and list "redundant_sql" in the authorize and
+ # accounting sections.
+ #
+ # The "virtual" module defined here can also be used with
+ # dynamic expansions, under a few conditions:
+ #
+ # * The section is "redundant", or "load-balance", or
+ # "redundant-load-balance"
+ # * The section contains modules ONLY, and no sub-sections
+ # * all modules in the section are using the same rlm_
+ # driver, e.g. They are all sql, or all ldap, etc.
+ #
+ # When those conditions are satisfied, the server will
+ # automatically register a dynamic expansion, using the
+ # name of the "virtual" module. In the example below,
+ # it will be "redundant_sql". You can then use this expansion
+ # just like any other:
+ #
+ # update reply {
+ # Filter-Id := "%{redundant_sql: ... }"
+ # }
+ #
+ # In this example, the expansion is done via module "sql1",
+ # and if that expansion fails, using module "sql2".
+ #
+ # For best results, configure the "pool" subsection of the
+ # module so that "retry_delay" is non-zero. That will allow
+ # the redundant block to quickly ignore all "down" SQL
+ # databases. If instead we have "retry_delay = 0", then
+ # every time the redundant block is used, the server will try
+ # to open a connection to every "down" database, causing
+ # problems.
+ #
+ #redundant redundant_sql {
+ # sql1
+ # sql2
+ #}
+}
+
+######################################################################
+#
+# Policies are virtual modules, similar to those defined in the
+# "instantiate" section above.
+#
+# Defining a policy in one of the policy.d files means that it can be
+# referenced in multiple places as a *name*, rather than as a series of
+# conditions to match, and actions to take.
+#
+# Policies are something like subroutines in a normal language, but
+# they cannot be called recursively. They MUST be defined in order.
+# If policy A calls policy B, then B MUST be defined before A.
+#
+######################################################################
+policy {
+ $INCLUDE policy.d/
+}
+
+######################################################################
+#
+# Load virtual servers.
+#
+# This next $INCLUDE line loads files in the directory that
+# match the regular expression: /[a-zA-Z0-9_.]+/
+#
+# It allows you to define new virtual servers simply by placing
+# a file into the raddb/sites-enabled/ directory.
+#
+$INCLUDE sites-enabled/
+
+######################################################################
+#
+# All of the other configuration sections like "authorize {}",
+# "authenticate {}", "accounting {}", have been moved to the
+# the file:
+#
+# raddb/sites-available/default
+#
+# This is the "default" virtual server that has the same
+# configuration as in version 1.0.x and 1.1.x. The default
+# installation enables this virtual server. You should
+# edit it to create policies for your local site.
+#
+# For more documentation on virtual servers, see:
+#
+# raddb/sites-available/README
+#
+######################################################################