## Configuration Settings
-default_eap_type::: Invoke the default supported EAP type when `EAP-Identity`
+default_eap_type:: The default EAP submodule to invoke when an `EAP-Identity`
response is received.
-The incoming EAP messages *DO NOT* specify which EAP type they will be using,
-so it MUST be set here.
+If a `default_eap_type` value is not provided, enabled EAP submodules will be
+queried to determine if they recognise the provided EAP-Identity.
+If no submodules recognise the identity, the first `type` value listed below
+will be used.
-For now, only one default EAP type may be used at a time.
+If the `control.EAP-Type` attribute is set, then that EAP type takes precedence
+over any configured or inferred EAP-Type.
-If the `EAP-Type` attribute is set by another module, then that EAP
-type takes precedence over the default type configured here.
+It is generally recommended to NOT set `default_eap_type`, and instead order
+the `type` configuration items appropriately.
-cisco_accounting_username_bug::
-
-Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given a `link:https://freeradius.org/rfc/rfc2865.html#User-Name[User-Name]`
-attribute in an `link:https://freeradius.org/rfc/rfc2865.html#Access-Accept[Access-Accept]`, it copies one more byte than it should.
-
-We can work around it by using this configuration option to add an extra zero byte.
-
-
-
## Allowed EAP-types
type:: Only EAP types listed below with a `type = <EAP-Type>` pair will be allowed.
ecdh_curve:: Elliptical cryptography configuration.
-Only for OpenSSL >= 0.9.8.f
+Should be a colon-separated list of curve names.
+
+For supported curve names, please run the command:
+
+openssl ecparam -list_curves
TODO
```
-### %{sim_id_method:...}
+### %(aka_sim_id_method:...)
TODO
TODO
```
-### %{sim_id_type:...}
+### %(aka_sim_id_type:...)
TODO
```
eap {
- default_eap_type = md5
+# default_eap_type = md5
ignore_unknown_eap_types = no
type = md5
# type = pwd
+### RADIUS Configuration
+
+All of the configuration for processing RADIUS packets goes here.
+
+
+#### Access-Request subsection
+
+This section contains configuration which is
+specific to processing `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` packets.
+
+Similar sections can be added, but are not
+necessary for Accounting-Request (and other)
+packets. At this time, there is no configuration
+needed for other packet types.
+
+
+log:: Logging configuration for `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` packets
+
+In v3, the `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` logging was
+configured in the main `radiusd.conf` file,
+in the main `log` subsection. That
+limitation meant that the configuration was
+global to FreeRADIUS. i.e. you could not
+have different `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` logging for
+different virtual server.
+
+The extra configuration in v4 allows for
+increased flexibility.
+
+
+stripped_names:: Log the full
+`link:https://freeradius.org/rfc/rfc2865.html#User-Name[User-Name]` attribute, as it was
+found in the request.
+
+allowed values: {no, yes}
+
+
+
+auth:: Log authentication requests
+to the log file.
+
+allowed values: {no, yes}
+
+
+
+auth_goodpass:: Log "good"
+passwords with the authentication
+requests.
+
+allowed values: {no, yes}
+
+
+
+auth_badpass:: Log "bad"
+passwords with the authentication
+requests.
+
+allowed values: {no, yes}
+
+
+
+msg_goodpass::
+msg_badpass::
+
+Log additional text at the end of the "Login OK" messages.
+for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
+configurations above have to be set to "yes".
+
+The strings below are dynamically expanded, which means that
+you can put anything you want in them. However, note that
+this expansion can be slow, and can negatively impact server
+performance.
+
+
+
+msg_denied::
+
+The message when the user exceeds the Simultaneous-Use limit.
+
+
+
+session:: Controls how ongoing
+(multi-round) sessions are handled
+
+This section is primarily useful for EAP.
+It controls the number of EAP
+authentication attempts that can occur
+concurrently.
+
+
+max:: The maximum number of ongoing sessions
+
+
+
+timeout:: How long to wait before expiring a
+session.
+
+The timer starts when a response
+with a state value is sent. The
+timer stops when a request
+containing the previously sent
+state value is received.
+
+
+
+There is currently no configuration for other packet types.
+
+
+
### The listen section
The `listen` sections in v4 are very different from the
-#### Access-Request subsection
-
-This section contains configuration which is
-specific to processing `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` packets.
-
-Similar sections can be added, but are not
-necessary for Accounting-Request (and other)
-packets. At this time, there is no configuration
-needed for other packet types.
-
-
-log:: Logging configuration for `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` packets
-
-In v3, the `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` logging was
-configured in the main `radiusd.conf` file,
-in the main `log` subsection. That
-limitation meant that the configuration was
-global to FreeRADIUS. i.e. you could not
-have different `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` logging for
-different virtual server.
-
-The extra configuration in v4 allows for
-increased flexibility.
-
-
-stripped_names:: Log the full
-`link:https://freeradius.org/rfc/rfc2865.html#User-Name[User-Name]` attribute, as it was
-found in the request.
-
-allowed values: {no, yes}
-
-
-
-auth:: Log authentication requests
-to the log file.
-
-allowed values: {no, yes}
-
-
-
-auth_goodpass:: Log "good"
-passwords with the authentication
-requests.
-
-allowed values: {no, yes}
-
-
-
-auth_badpass:: Log "bad"
-passwords with the authentication
-requests.
-
-allowed values: {no, yes}
-
-
-
-msg_goodpass::
-msg_badpass::
-
-Log additional text at the end of the "Login OK" messages.
-for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
-configurations above have to be set to "yes".
-
-The strings below are dynamically expanded, which means that
-you can put anything you want in them. However, note that
-this expansion can be slow, and can negatively impact server
-performance.
-
-
-
-msg_denied::
-
-The message when the user exceeds the Simultaneous-Use limit.
-
-
-
-session:: Controls how ongoing
-(multi-round) sessions are handled
-
-This section is primarily useful for EAP.
-It controls the number of EAP
-authentication attempts that can occur
-concurrently.
-
-
-max:: The maximum number of ongoing sessions
-
-
-
-timeout:: How long to wait before expiring a
-session.
-
-The timer starts when a response
-with a state value is sent. The
-timer stops when a request
-containing the previously sent
-state value is received.
-
-
-
As with v3, "ipaddr", "ipv4addr", and "ipv6addr"
-#### Access-Request subsection
-
-This section contains configuration which is
-specific to processing `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` packets.
-
-Similar sections can be added, but are not
-necessary for Accounting-Request (and other)
-packets. At this time, there is no configuration
-needed for other packet types.
-
-
-log:: Logging configuration for `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` packets
-
-In v3, the `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` logging was
-configured in the main `radiusd.conf` file,
-in the main `log` subsection. That
-limitation meant that the configuration was
-global to FreeRADIUS. i.e. you could not
-have different `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` logging for
-different virtual server.
-
-The extra configuration in v4 allows for
-increased flexibility.
-
-stripped_names:: Log the full
-`link:https://freeradius.org/rfc/rfc2865.html#User-Name[User-Name]` attribute, as it was
-found in the request.
-
-allowed values: {no, yes}
-
-
-auth:: Log authentication requests
-to the log file.
-
-allowed values: {no, yes}
-
-
-auth_goodpass:: Log "good"
-passwords with the authentication
-requests.
-
-allowed values: {no, yes}
-
-
-auth_badpass:: Log "bad"
-passwords with the authentication
-requests.
-
-allowed values: {no, yes}
-
-
-Log additional text at the end of the "Login OK" messages.
-for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
-configurations above have to be set to "yes".
-
-The strings below are dynamically expanded, which means that
-you can put anything you want in them. However, note that
-this expansion can be slow, and can negatively impact server
-performance.
-
-
-The message when the user exceeds the Simultaneous-Use limit.
-
-
-
-session:: Controls how ongoing
-(multi-round) sessions are handled
-
-This section is primarily useful for EAP.
-It controls the number of EAP
-authentication attempts that can occur
-concurrently.
-
-
-max:: The maximum number of ongoing sessions
-
-
-timeout:: How long to wait before expiring a
-session.
-
-The timer starts when a response
-with a state value is sent. The
-timer stops when a request
-containing the previously sent
-state value is received.
-
-
-
### Listen for Accounting-Request packets
```
server default {
namespace = radius
+ radius {
+ Access-Request {
+ log {
+ stripped_names = no
+ auth = no
+ auth_goodpass = no
+ auth_badpass = no
+# msg_goodpass = ""
+# msg_badpass = ""
+ msg_denied = "You are already logged in - access denied"
+ }
+ session {
+# max = 4096
+# timeout = 15
+ }
+ }
+ }
listen {
type = Access-Request
type = Status-Server
# deny = 127.0.0/24
}
}
- Access-Request {
- log {
- stripped_names = no
- auth = no
- auth_goodpass = no
- auth_badpass = no
-# msg_goodpass = ""
-# msg_badpass = ""
- msg_denied = "You are already logged in - access denied"
- }
- session {
-# max = 4096
-# timeout = 15
- }
- }
}
listen {
type = Access-Request
# deny = 127.0.0/24
}
}
- Access-Request {
- log {
- stripped_names = no
- auth = no
- auth_badpass = no
- auth_goodpass = no
-# msg_goodpass = ""
-# msg_badpass = ""
- msg_denied = "You are already logged in - access denied"
- }
- session {
-# max = 4096
-# timeout = 15
- }
- }
}
listen {
type = Accounting-Request
In v4, all "server" sections MUST start with a "namespace"
parameter. This tells the server which protocol is being used.
+RADIUS, or DHCPv4, or any other protocol supported by the server.
+
This virtual server will read detail files from the
-This has to be listed first, sorry.
-
-The value given here must match the `namespace` of
-the virtual server which originally created the
-detail files.
-
-
-
Types of packets we are reading.
-What transports are being used to read detail
-files. For now, only "file" is supported.
-
-Future releases will allow reading "detail"
-style information from sockets or streams.
+There is no need to specify a transport.
+The default is `file`, which is the only
+one supported.
-All packets read by the detail listener are processed through the
-'recv' section. Note that there is no second name to the section.
+The detail file reader runs the normal RADIUS / DHCP / etc. processing sections.
-All successful packets sent by the detail listener are processed through the
-'send ok' section. Note that the name is the same for all packet types.
-
If the listener is configured with 'track = yes', then the entry in
the detail file is marked up as being "done". Subsequent re-reads
of the same detail file (e.g. on server restart) will skip the
-All failed packets sent by the detail listener are processed through the
-'send fail' section. Note that the name is the same for all packet types.
+All failed packets sent by the detail listener should be processed
+through the 'send Do-Not-Respond' section.
If the listener is configured with 'track = yes', then the packet
will be retransmitted by the detail file reader, until the packet
configuration.
-
-Note that unlike other listeners, there is no "send Do-Not-Respond"
-section. You should just return "fail" instead.
-
-
-
== Default Configuration
```
# This virtual server gives an example of reading the detail
# file for the v4 configuration.
server detail {
- namespace = detail
+ namespace = radius
directory = ${radacctdir}/detail
listen {
- dictionary = radius
type = Accounting-Request
- transport = file
# priority = 1
file {
filename = "${...directory}/detail-*"
}
}
}
-recv {
+recv Accounting-Request {
update request {
&Acct-Delay-Time := "%{expr:%{%{Acct-Delay-Time}:-0} + %c - %{%(integer:%{Event-Timestamp}):-%(integer:%{Packet-Original-Timestamp})}}"
}
ok
}
-send ok {
+send Accounting-Response {
ok
}
-send fail {
+send Do-Not-Respond {
ok
}
} # virtual server "detail"