| Return | Description
| `ok` | if a cache entry was found.
| `notfound` | if no cache entry was found.
+| `fail` | if the cache was unavailable.
|===
cache.load:: Load an existing cache entry and merge it into the request.
| Return | Description
| `updated` | if a cache entry was found and loaded.
| `notfound` | if no cache entry was found.
+| `fail` | if the cache was unavailable.
|===
-cache.store:: Perform an upset against the data store. (Not affect the existing
-request).
+cache.update:: Perform an upsert against the data store, updating the entry TTL
[options="header,autowidth"]
|===
| Return | Description
| `updated` | if we added cache entry.
-| `noop` | if a cache entry ready exists.
+| `fail` | if the cache was unavailable.
+|===
+
+cache.store:: Inserts data into the cache if, and only if, it is not already present
+Will not update the entry TTL.
+
+[options="header,autowidth"]
+|===
+| Return | Description
+| `updated` | we created or updated a cache entry.
+| `noop` | if a cache entry aready existed.
+| `fail` | if the cache was unavailable.
|===
cache.clear:: Delete cache entry from the data store without checking if the entry
[options="header,autowidth"]
|===
| Return | Description
-| `ok` | if we found and remove a entry.
+| `ok` | if we found and removed a entry.
| `notfound` | if no cache entry was found.
+| `fail` | if the cache was unavailable.
|===
cache.ttl:: Change the TTL on an existing entry.
| Return | Description
| `updated` | if we found entry and updated the ttl.
| `notfound` | if no cache entry was found.
+| `fail` | if the cache was unavailable.
|===
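Review bot: the `cache.store` return table contradicts the description just above it. The text says the entry is written "if, and only if, it is not already present" and that the TTL is never touched, but the `updated` row reads "we created or updated a cache entry"; make it "if we created a cache entry" so callers do not read `updated` as an overwrite. In the same hunk, "aready existed" should be "already existed", "removed a entry" should be "removed an entry", and the `cache.store` description is missing a full stop after "not already present". Also confirm that `cache.update` (the upsert) intentionally has no `noop` row now that the old `noop` line was removed, since the table no longer says what an upsert returns when the entry already exists with identical data.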
### Examples
filename:: The old `users` style file is now located here.
-If no other filenames are specified, the module uses this file.
+## An instance of the `files` module for use in processing accounting packets
-Optional files
-
-The following filenames are optional.
-
-
-recv_filename:: The file to run in any "recv" section
-
-send_filename:: The file to run in any "send" section
-
-auth_filename:: The file to run in any "authenticate" section
-
-acct_filename:: The file to run in any "recv Accounting-Request" section
== Default Configuration
moddir = ${modconfdir}/${.:instance}
# key = "%{&Stripped-User-Name || &User-Name}"
filename = ${moddir}/authorize
-# recv_filename = ${moddir}/recv
-# send_filename = ${moddir}/send
-# auth_filename = ${moddir}/authenticate
-# acct_filename = ${moddir}/accounting
+}
+files files_accounting {
+# key = "%{&Stripped-User-Name || &User-Name}"
+ filename = ${modconfdir}/files/accounting
}
```
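Review bot: the new `files_accounting` instance keeps its `key` commented out, so the module's default key is what accounting lookups will use; say so in the description, because the heading `## An instance of the files module for use in processing accounting packets` is the only text describing the instance. That heading is also inserted in the middle of the `filename::` definition (between "The old `users` style file is now located here." and the configuration) and uses a markdown `##` where the surrounding document uses `==`; move it next to the configuration block and match the AsciiDoc heading style. Finally, deleting "If no other filenames are specified, the module uses this file." leaves the `filename` entry without any statement of when the file is read.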
section name to set default destination requests/lists
for `<fr attr>s` with no list qualifiers.
+These attribute maps are applied _before_ any profiles, meaning that
+the values here can be referenced in profiles using expansions.
+
NOTE: LDAP attribute names should be single quoted unless you want
the name to be derived from an xlat expansion, or an attribute ref.
password_attribute:: Which attribute in the request should be used as
the password when performing user binds.
+Note that Active Directory will allow unauthenticated user binds by default!
+
+You can fix this by choosing the "ADSI Edit" command from the Server Manager's Tools menu.
+Then, open the Configuration subtree, and then open the properties of the `CN=Directory
+Service, CN=Windows NT, CN=Services, CN=Configuration` object. Modify the
+`msDS-Other-Settings` attribute, and add a new entry for `DenyUnauthenticatedBind=1`.
+
scope:: Search scope, may be `base`, `one`, `sub' or `children`.
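Review bot: the Active Directory warning should explain the failure mode, not only the fix. AD treats a simple bind that carries a user name and an empty password as an unauthenticated (anonymous) bind and reports success, so a user bind used for password checking will accept an empty password for any valid DN unless the empty-password case is rejected before the bind is attempted or `DenyUnauthenticatedBind=1` is set on the domain controllers. Two more points on the same paragraph: `DenyUnauthenticatedBind` in `msDS-Other-Settings` exists from Windows Server 2019 onward, so the minimum version should be stated rather than implying the fix is universal, and the `CN=Directory Service, CN=Windows NT, ...` path is split across a line break inside a backtick span; keep it on one line so it renders as a single literal. Minor, in the context line just below: `sub'` is missing its closing backtick.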
+expect_password:: When set to no, disable warnings for missing password
+attributes in user objects returned from LDAP. This is useful for
+ISP environments where some subscribers have passwords set, and others
+do not (e.g. mixed IPoE and PPPoE).
+
+
+
### User membership checking
+skip_on_suspend::
+
+Don't process user groups if the user has been suspended.
+If set to 'no', groups will still be processed.
+
+Groups are never processed for disabled users.
+
+Defaults to 'yes'.
+
+
+
### User profiles
RADIUS profile objects contain sets of attributes to insert into the request.
-attribute_suspended: The LDAP attribute containing profile DNs to apply
+attribute_suspend: The LDAP attribute containing profile DNs to apply
in addition to the default profile above, when the user account is in
the suspended state
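Review bot: `attribute_suspend:` still has a single colon, so it renders as plain text instead of a definition-list term like the neighbouring `scope::` and `expect_password::` entries; make it `attribute_suspend::`. The rename from `attribute_suspended` matches the `# attribute_suspend = 'radiusProfileDn'` line later in the hunk, but nothing says the old name is no longer accepted, which an admin upgrading an existing configuration needs to know.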
### %ldap.uri.escape(...}
-Escape a string for use in an LDAP filter or DN.
+Escape a string for use in an LDAP filter or DN. The value will then be marked as safe for use
+in LDAP URIs and DNs, and will not be escaped or modified.
.Return: _string_
"The LDAP url is ldap:///ou=profiles,dc=example,dc=com??sub?\28objectClass=radiusprofile\29"
```
+### %ldap.uri.safe(...}
+
+Mark a string as safe for use in an LDAP filter or DN. Values marked as safe for use in LDAP
+URIs will not be escaped or modified, and will be allowed in places where dynamic values are
+usually prohibited.
+
+.Return: _string_
+
+.Example
+
+[source,unlang]
+----
+&my-int := "%ldap.profile(ldap://%ldap.uri.safe(%{LDAP-Host}):%ldap.uri.safe(%{LDAP-Port})/ou=profiles,dc=example,dc=com??sub?(objectClass=radiusprofile)"
+----
+
### %ldap.uri.unescape(...)
Unescape a string for use in an LDAP filter or DN.
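Review bot: `%ldap.uri.safe` needs a caveat, because it is an escaping bypass. The text says a marked value "will not be escaped or modified, and will be allowed in places where dynamic values are usually prohibited", so wrapping request data in it (a user-supplied attribute, for instance) inserts that data verbatim into the filter or DN, which is exactly the LDAP-injection case the default escaping exists to prevent. State that it should only wrap values that come from configuration or from a `control` list the policy itself populated, and that the example assumes `%{LDAP-Host}` and `%{LDAP-Port}` are such values. Two defects in the example itself: the `%ldap.profile(` call is never closed (a `)` is needed before the closing quote), and the heading `### %ldap.uri.safe(...}` copies the mismatched `(...}` from the `uri.escape` heading above it, while `### %ldap.uri.unescape(...)` below is correct.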
# access_positive = yes
# access_value_negate = 'false'
# access_value_suspend = 'suspended'
+# expect_password = no
}
group {
base_dn = "${..base_dn}"
# cache_attribute = 'LDAP-Cached-Membership'
# allow_dangling_group_ref = 'no'
group_attribute = "${..:instance}-Group"
+ skip_on_suspend = 'yes'
}
profile {
# filter = '(objectclass=radiusprofile)'
# scope = 'base'
# default = 'cn=radprofile,dc=example,dc=org'
# attribute = 'radiusProfileDn'
-# attribute_suspended = 'radiusProfileDn'
+# attribute_suspend = 'radiusProfileDn'
}
accounting {
reference = "%tolower(type.%{Acct-Status-Type})"
Don't log anything for other `link:https://freeradius.org/rfc/rfc2866.html#Acct-Status-Type[Acct-Status-Type]` 's.
+
+## Authentication success / failure logging
+
+A set of sample module instances which can replace the previous builtin auth log messages
+
+The destination settings here pick up from the main radiusd.conf values, but can be
+amended if these logs need to be sent to a different destination.
+
+
+
+
+
+
+
+
+
== Default Configuration
```
unknown = "NAS %{Net.Src.IP} (%{&NAS-IP-Address || &NAS-IPv6-Address}) sent unknown Acct-Status-Type %{Acct-Status-Type}"
}
}
+linelog log_auth_access_accept {
+ destination = ${log.destination}
+ file {
+ filename = ${log.file}
+ }
+ syslog {
+ facility = ${log.syslog_facility}
+ severity = notice
+ }
+ format = "Login OK: [%{User-Name}] (from %client(shortname) port %{NAS-Port} cli %{Calling-Station-Id})"
+}
+linelog log_auth_access_reject {
+ destination = ${log.destination}
+ file {
+ filename = ${log.file}
+ }
+ syslog {
+ facility = ${log.syslog_facility}
+ severity = notice
+ }
+ format = "Login incorrect (%{Module-Failure-Message}): [%{User-Name}] (from %client(shortname) port %{NAS-Port} cli %{Calling-Station-Id})"
+}
+linelog log_auth_authentication_pass {
+ destination = ${log.destination}
+ file {
+ filename = ${log.file}
+ }
+ syslog {
+ facility = ${log.syslog_facility}
+ severity = notice
+ }
+ format = "Login OK: [%{User-Name}] (from client %client(shortname))"
+}
+linelog log_auth_authentication_fail {
+ destination = ${log.destination}
+ file {
+ filename = ${log.file}
+ }
+ syslog {
+ facility = ${log.syslog_facility}
+ severity = notice
+ }
+ format = "Login incorrect (%{Module-Failure-Message}): [%{User-Name}] (from %client(shortname))"
+}
```
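Review bot: the four new `linelog` instances expand `%{User-Name}`, `%{Calling-Station-Id}` and `%{Module-Failure-Message}` straight into a single-line record, and the first two arrive in the packet exactly as the NAS (or the client behind it) sent them; the doc should say whether `linelog` escapes newlines and control characters in expanded values, because otherwise a crafted `User-Name` could place a forged "Login OK:" line into the same file or syslog stream. `Login incorrect (%{Module-Failure-Message})` also prints `Login incorrect ()` when no module set a failure message; a fallback using the `||` form used elsewhere in this patch would keep the record useful. Cosmetic: the eight consecutive blank `+` lines before `== Default Configuration` should be collapsed, and "builtin auth log messages" is missing its full stop.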
mppe_encryption_policy = &Vendor-Specific.Microsoft.MPPE-Encryption-Policy
mppe_encryption_types = &Vendor-Specific.Microsoft.MPPE-Encryption-Types
chap2_cpw = &Vendor-Specific.Microsoft.CHAP2-CPW
- chap_nt_enc_pw = & Vendor-Specific.Microsoft.CHAP-NT-Enc-PW
+ chap_nt_enc_pw = &Vendor-Specific.Microsoft.CHAP-NT-Enc-PW
}
# attributes {
# username = &User-Name
NOTE: It is important to understand the difference between the `link:https://freeradius.org/rfc/rfc2865.html#User-Password[User-Password]`
and `Password.Cleartext` attributes. The `Password.Cleartext` attribute is
-the *"known good"* password for the user. Simply supplying the Cleart-ext-Password
-to the server will result in most authentication methods working. The `link:https://freeradius.org/rfc/rfc2865.html#User-Password[User-Password]`
+the *"known good"* password for the user. Simply supplying the `Password.Cleartext`
+to the server will result in most authentication methods working. The `link:https://freeradius.org/rfc/rfc2865.html#User-Password[User-Password]`
attribute is the password as typed in by the user on their private machine.
The two are not the same, and should be treated very differently. That is, you should
generally not use the `link:https://freeradius.org/rfc/rfc2865.html#User-Password[User-Password]` attribute anywhere in the RADIUS configuration.
+[NOTE]
+====
+See `raddb/global.d/python` for configuration items that affect the
+python interpreter globally, such as the Python path.
+====
+
+
+
## Configuration Settings
The Python API `threading.local()` may be used store thread
+username_attribute:: Which attribute in the request should be used as
+the user's username when performing SMTP authentication.
+
+
+
+password_attribute:: Which attribute in the request should be used as
+the user's password when performing SMTP authentication.
+
+
+
username:: User name to use when sending emails. Can be a fixed
string or an attribute. Leave unset if authentication is not
required to send emails.
}
uri = "smtp://192.0.20.1/"
timeout = 5s
+# username_attribute = &User-Name
+# password_attribute = &User-Password
# username = "user"
# password = "secret"
template_directory = raddb/mods_config/smtp
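Review bot: `# password_attribute = &User-Password` sends the cleartext password the user typed to the mail server over the plain `smtp://` URI shown in the same block, while the mschap NOTE earlier in this patch tells admins not to use `User-Password` anywhere in the configuration. The `password_attribute` description should say explicitly that this is the user's own credential being relayed, that it only makes sense when the SMTP server authenticates the same user population, and that the connection must use TLS before this is enabled. While here: `192.0.20.1` is not in a documentation range; `192.0.2.1` (RFC 5737) would avoid pointing the sample at a real host. The two three-line runs of blank `+` lines after each definition can be collapsed to one.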
+read_profiles:: Read the user profile attributes from the database.
+
+Following `check` and `reply` item handling and, depending on the `read_groups` option
+and `Fall-Through` value, groups processing, the SQL module will treat values of the
+`User-Profile` attributes in the control list as additional groups that the user belongs
+to and repeat the group `check` and `reply` processing.
+
+If set to `yes`, we process the user profiles unless `Fall-Through = no` in the reply list.
+If set to `no`, we do not process the user profiles unless `Fall-Through = yes` in the reply list.
+
+Default is `yes`.
+
+
logfile:: Write SQL queries to a logfile.
This is potentially useful for tracing issues with authorization queries.
groupreply_table = "radgroupreply"
usergroup_table = "radusergroup"
# read_groups = yes
+# read_profile = yes
# logfile = ${logdir}/sqllog.sql
# query_timeout = 5
pool {
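Review bot: the option is documented as `read_profiles::` but the configuration comment reads `# read_profile = yes` (singular); whichever one does not match the code will not take effect when an admin copies it from the docs, so align the two names. The description also says profile handling "repeat[s] the group `check` and `reply` processing" while `read_groups` is commented out in the same block; state whether `read_profiles` still applies when `read_groups = no`, since the sentence about `Fall-Through` only covers the interaction between the two when both are on.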
reset_period_start_name:: The name of the attribute which is used to store the
time that the current reset period started.
-The default is `&control.${.:instance}-Start`
+The default is `&control.${.:instance}-Reset-Start`
Note because we are counting seconds, this attribute is of type `uint64`, and not `date`.
reset_period_end_name:: The name of the attribute which is used to store the
time that the current reset period will end.
-The default is `&control.${.:instance}-End`
+The default is `&control.${.:instance}-Reset-End`
Note because we are counting seconds, this attribute is of type `uint64`, and not `date`.
-counter_name:: Name of the `check` attribute to use to access the counter in
-the `users` file or SQL `radcheck` or `radgroupcheck` tables.
+counter_name:: Name of the attribute to add to the `control` list with the current
+value of the counter.
After the sqlcounter module has run, the counter attribute will exist.
+check_name:: Name of the attribute containing the limit to compare the counter to.
+
+reply_name:: Name of the attribute to populate with the remaining session time.
+e.g. `&reply.Session-Timeout`. If the attribute already exists and contains
+a lower value, then it will not be updated.
+
+reply_message_name:: Name of the attribute into which a message should be placed
+if the limit has been exceeded for the counter.
+
+auto_extend:: If set to `yes` and the remaining session time goes past the time for
+the next counter reset, the value in the `reply_name` attribute will be set to
+the time to the next reset plus the value of the `check_name` attribute.
+This is most useful if the limit is a time based one, and, for example,
+`link:https://freeradius.org/rfc/rfc2865.html#Session-Timeout[Session-Timeout]` is the `reply_name` attribute. If there is sufficient allocation
+left for the session to get to the next counter period, the user will not have
+to re-authenticate before they have used their allocation for the next counter period.
+
+utc:: Use UTC for calculating the period start and end values.
## Configuration Settings
counter_name = &control.Daily-Session-Time
check_name = &control.Max-Daily-Session
reply_name = &reply.Session-Timeout
+ auto_extend = yes
key = "%{&Stripped-User-Name || &User-Name}"
+ reply_message_name = &Reply-Message
reset = daily
$INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
}
counter_name = &Monthly-Session-Time
check_name = &control.Max-Monthly-Session
reply_name = &reply.Session-Timeout
+ auto_extend = yes
key = &User-Name
reset = monthly
$INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
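Review bot: `reply_message_name = &Reply-Message` is the only new attribute reference in these instances without a list qualifier, while `counter_name`, `check_name` and `reply_name` all carry `&control.` or `&reply.`; unless the module defaults unqualified names to the reply list, write `&reply.Reply-Message` so the message actually reaches the NAS. The `auto_extend` text should also say plainly that the extended `Session-Timeout` lets a session run into the next counter period without re-authentication, which is the deliberate trade-off, and the renamed defaults `-Reset-Start`/`-Reset-End` need a sentence that the old `-Start`/`-End` names no longer exist, because existing policies that reference them will break silently.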
-pool_name: The attribute in the `control` list which contains the pool name.
+pool_name: The attribute which contains the pool name.
For RADIUS the owner will likely be specified by:
- * `%{radius.Calling-Station-Id}` which binds the lease to the mac address
+ * `%{Calling-Station-Id}` which binds the lease to the mac address
of the user's device. For RADIUS this is almost always the better
option as it can allow the user's device to move between NAS.
- * `%{radius.NAS-Port}` which binds the lease to a given port on the NAS.
+ * `%{NAS-Port}` which binds the lease to a given port on the NAS.
i.e. any device on that port can modify the lease. This should only
be used when the port is constant for the length of the session
(nearly everywhere except 802.11 wireless).
For DHCPv4 the owner will likely be specified by:
- * `%{dhcpv4.Client-Hardware-Address}` which binds the lease to the
+ * `%{Client-Hardware-Address}` which binds the lease to the
mac address of the user's device.
- * `%{&dhcpv4.Client-Identifier || &dhcpv4.Client-Hardware-Address}`
+ * `%{&Client-Identifier || &Client-Hardware-Address}`
which binds the lease to either the custom identifier set by the
DHCP client, or if this is absent, the mac address of the user's
device.
One example would be `%{Vendor-Specific.ADSL-Forum.Agent-Circuit-ID}.%{Calling-Station-Id}`.`
- owner = "%{radius.Vendor-Specific.ADSL-Forum.Agent-Circuit-ID}.%{radius.Calling-Station-Id}"
+ owner = "%{Vendor-Specific.ADSL-Forum.Agent-Circuit-ID}.%{Calling-Station-Id}"
requested_address:: The IP address being renewed or released.
-For RADIUS the requested_address will almost always be `%{radius.Framed-IP-Address}`.
+For RADIUS the requested_address will almost always be `%{Framed-IP-Address}`.
For DHCPv4 the requested_address will almost always be
-`%{&dhcpv4.Requested-IP-Address || &dhcpv4.Client-IP-Address}`.
+`%{&Requested-IP-Address || &Client-IP-Address}`.
to lease queries.
- gateway = "%{dhcpv4.Gateway-IP-Address}"
+ gateway = "%{Gateway-IP-Address}"
.Load the queries from a separate file.
ippool_table = "fr_ippool"
lease_duration = 3600
offer_duration = 60
- pool_name = IP-Pool.Name
- allocated_address_attr = radius.Framed-IP-Address
- owner = "%{radius.Calling-Station-ID}"
-# owner = "%{&dhcpv4.Client-Identifier || &dhcpv4.Client-Hardware-Address}"
- requested_address = "%{radius.Framed-IP-Address}"
-# requested_address = "%{&dhcpv4.Requested-IP-Address || &dhcpv4.Client-IP-Address}"
- gateway = "%{&radius.NAS-Identifier || &radius.NAS-IP-Address}"
+ pool_name = &control.IP-Pool.Name
+ allocated_address_attr = &reply.Framed-IP-Address
+ owner = "%{Calling-Station-ID}"
+# owner = "%{&Client-Identifier || &Client-Hardware-Address}"
+ requested_address = "%{Framed-IP-Address}"
+# requested_address = "%{&Requested-IP-Address || &Client-IP-Address}"
+ gateway = "%{&NAS-Identifier || &NAS-IP-Address}"
$INCLUDE ${modconfdir}/sql/ippool/${dialect}/queries.conf
}
```
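Review bot: dropping the `radius.` and `dhcpv4.` prefixes changes how the expansions are resolved, so the text should say that an unqualified name is now looked up in the dictionary selected by the virtual server's `namespace`; a reader of the previous docs otherwise has no way to know why `%{dhcpv4.Client-Hardware-Address}` stopped being the documented form. `owner = "%{Calling-Station-ID}"` spells the attribute `-ID` while the prose above uses `Calling-Station-Id`; pick one. The doc should also say what happens when `owner` expands to an empty string (a request with no `Calling-Station-Id`), because every such client would then share a single owner and could release or renew each other's leases. Context line nearby: the example ending `%{Calling-Station-Id}`.` has a stray trailing backtick.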
+lookforward_steps:: How many steps forward in time we look for a matching OTP.
+
+
+
lookback_interval:: Time delta between steps.
Cannot be larger than `time_step`
time_step = 30
otp_length = 6
lookback_steps = 1
+ lookforward_steps = 0
lookback_interval = 30
}
```
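Review bot: the new `lookforward_steps` entry should spell out the trade-off that `lookback_steps` already carries: every extra step in either direction adds one more code that is accepted at a given instant, so with `time_step = 30`, `lookback_steps = 1` and `lookforward_steps = 0` two six-digit codes are valid per attempt, and each additional step raises a guesser's per-attempt odds accordingly. Say that `0` forward is the intended default and that a wider window should be paired with attempt rate limiting. Also state whether `lookback_interval` governs the forward steps too, since "Cannot be larger than `time_step`" is written only under the lookback entry.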
%unpack(<data>, <offset>, <data_type>[, <repeat>])
-The arguments are three fields:
+The arguments are three or four fields:
data::
# NOTE: This functionality is NOT enabled by default.
# See also the "radmin" program, which is used to communicate
# with the server over the control socket.
-server control {
+server control-socket-server {
namespace = control
listen {
transport = unix
configurations These references serve as place-holders, and as
documentation. If you need the functionality of that module, then:
- * configure the module in link:../mods-available/index.adoc[mods-available/]
+ * configure the module in link:../../../../../../mods-available/index.adoc[mods-available/]
* enable the module in `mods-enabled`. e.g. for LDAP, do: `cd mods-enabled;ln -s ../mods-available/ldap`
* uncomment the references to it in this file.
Uncomment the next bit in order to have a log of
authentication requests. For more information, see
-link:../mods-available/detail.log.adoc[mods-available/detail.log].
+link:../../../../../../mods-available/detail.log.adoc[mods-available/detail.log].
The `Auth-Type` attribute would need to be set to
`proxy-example.com`. The home servers MUST be defined in
-link:../mods-available/radius.adoc[mods-available/radius].
+link:../../../../../../mods-available/radius.adoc[mods-available/radius].
If you want to have a log of authentication replies,
uncomment the following line. This is defined in
-link:../mods-available/detail.log.adoc[mods-available/detail.log].
+link:../../../../../../mods-available/detail.log.adoc[mods-available/detail.log].
-Instead of sending the query to the SQL server in
-real-time, write it into a log file to be picked up and
-sent to the database later.
-
-
-
Uncomment the following if you want to modify the
user's object in LDAP after a successful login.
You may want to delete the `MS-MPPE-*-Keys` from the
reply, as some WiMAX clients behave badly when those
attributes are included. See the configuration entry
-`delete_mppe_keys` in link:../mods-available/wimax.adoc[mods-available/wimax] for
+`delete_mppe_keys` in link:../../../../../../mods-available/wimax.adoc[mods-available/wimax] for
more information.
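Review bot: replacing `../mods-available/` with `../../../../../../mods-available/` in every `link:` hard-codes the rendered output tree into the source; if these pages are moved or rendered from a different root, all of them break again. An AsciiDoc attribute for the modules path, defined once per document, would make the fix maintainable. If the six-level relative path is genuinely required by the site generator, add a comment near the first link saying so, otherwise the next editor will "fix" it back.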
+Call an instance of `linelog` to log the authentication success
+- equivalent to the previous log `auth = yes` option in v3.
+See `mods-enabled/linelog` for message formats and destinations.
+
+
+
Remove `link:https://freeradius.org/rfc/rfc2865.html#Reply-Message[Reply-Message]` if the response contains an
`link:https://freeradius.org/rfc/rfc2869.html#EAP-Message[EAP-Message]` attribute. Some NAS equipment will
automatically convert the `link:https://freeradius.org/rfc/rfc2865.html#Reply-Message[Reply-Message]` to an "EAP
+Call an instance of `linelog` to log the authentication failure
+- equivalent to the previous log `auth = yes` option in v3.
+See `mods-enabled/linelog` for message formats and destinations.
+
+
+
Remove `link:https://freeradius.org/rfc/rfc2865.html#Reply-Message[Reply-Message]` if the response contains an
`link:https://freeradius.org/rfc/rfc2869.html#EAP-Message[EAP-Message]` attribute. Some NAS equipment will
automatically convert the `link:https://freeradius.org/rfc/rfc2865.html#Reply-Message[Reply-Message]` to an "EAP
accounting type to use.
+
Merge Acct-[Input|Output]-Gigawords and
Acct-[Input-Output]-Octets into a single 64-bit
counter, Acct-[Input|Output]-Octets64.
+
+
Ensure that we have a semi-unique identifier for every
request, as many NAS boxes are broken.
-Read the 'acct_users' file.
+Read the 'accounting' file.
Session start
+Log traffic to an SQL database.
+
+See "Accounting Queries" in link:../../../../../../mods-available/sql.adoc[mods-available/sql].
+
+
+
+Refresh leases when we see a start.
+
+Ensure that &control.IP-Pool.Name is set to determine which
+pool of IPs are used. Set this in `recv Accounting-Request` so
+it is available for all the accounting sections.
+
Session stop
+Log traffic to an SQL database.
+
+
+
+If you receive stop packets with zero session length,
+they will NOT be logged in the database. The SQL
+module will print a message (only in debugging mode),
+and will return "noop".
+
+You can ignore these packets by uncommenting the
+following three lines. Otherwise, the server will not
+respond to the accounting request, and the NAS will
+retransmit.
+
+
+
+Return an address to the IP Pool when we see a stop record.
+
Session is still alive
+Log traffic to an SQL database.
+
+
+
+Refresh leases when we see an alive.
+
The NAS has just booted up.
+Record that the NAS has booted to an SQL database
+
+
+
+Return all addresses related to this NAS to the IP Pool
+
The NAS is about to go down
+Record that the NAS is shutting down to an SQL database
+
+
+
+Return all addresses related to this NAS to the IP Pool
+
Session failed to do something
Update the wtmp file.
-If you don't use "radlast", you can delete this line.
+This is only relevant if you use "radlast".
-Refresh leases when we see a start or alive. Return an address to
-the IP Pool when we see a stop record.
-
-Ensure that &control.IP-Pool.Name is set to determine which
-pool of IPs are used.
-
-
-
-Log traffic to an SQL database.
-
-See "Accounting Queries" in link:../mods-available/sql.adoc[mods-available/sql].
-
-
-
-If you receive stop packets with zero session length,
-they will NOT be logged in the database. The SQL
-module will print a message (only in debugging mode),
-and will return "noop".
-
-You can ignore these packets by uncommenting the
-following three lines. Otherwise, the server will not
-respond to the accounting request, and the NAS will
-retransmit.
-
-
-
-Instead of sending the query to the SQL server in
-real-time, write it into a log file to be picked up and
-sent to the database later.
-
-
-
Cisco VoIP specific bulk accounting.
# cui
# reply_log
-sql
-# sql_log
# ldap
# &request.WiMAX-MN-NAI = "%{User-Name}"
# &reply += {
# if (&reply.EAP-Session-Id) {
# &reply.EAP-Key-Name := &reply.EAP-Session-Id
# }
+# log_auth_access_accept
remove_reply_message_if_eap
}
send Access-Reject {
-sql
attr_filter.access_reject
eap
+# log_auth_access_reject
remove_reply_message_if_eap
delay_reject
}
recv Accounting-Request {
+ do_not_respond
+ return
# acct_counters64
# &request.FreeRADIUS-Acct-Session-Start-Time = "%{(&Event-Timestamp || %l) - &Acct-Session-Time - &Acct-Delay-Time}"
if (!&Event-Timestamp) {
- &request.Event-Timestamp := %{%l - &Acct-Delay-Time}
+ &request.Event-Timestamp := %{%l() - &Acct-Delay-Time}
+ } elsif (!&Acct-Delay-Time && &request.Event-Timestamp && (&request.Event-Timestamp < %l())) {
+ &request.Acct-Delay-Time := %{%l() - &Event-Timestamp}
}
acct_unique
- files
+ files_accounting
}
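Review bot: `do_not_respond` followed by `return` at the top of `recv Accounting-Request { ... }` short-circuits the whole section: `acct_unique`, `files_accounting` and the per-type `accounting ... { }` sections that `-sql` and `sqlippool` hang off will never run, and the server will answer no Accounting-Request at all, so every NAS will retransmit indefinitely. This looks like a leftover from testing and should be removed, or guarded by a condition and commented. Two smaller points in the same hunk: the commented `FreeRADIUS-Acct-Session-Start-Time` line still uses the old `%l` form while the live lines were changed to `%l()`; and the new `elsif` branch computes `Acct-Delay-Time` as `%l() - &Event-Timestamp`, where the `&request.Event-Timestamp < %l()` guard is what prevents a negative delay when the NAS clock is ahead of the server, which deserves a one-line comment.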
accounting Start {
+ -sql
+# sqlippool
}
accounting Stop {
+ -sql
+# if (noop) {
+# ok
+# }
+# sqlippool
}
accounting Interim-Update {
+ -sql
+# sqlippool
}
accounting Accounting-On {
+ -sql
+# sqlippool
}
accounting Accounting-Off {
+ -sql
+# sqlippool
}
accounting Failed {
}
# cui
detail
# daily
- unix
+# unix
# radutmp
# sradutmp
-# sqlippool
- -sql
-# if (noop) {
-# ok
-# }
-# sql_log
# pgsql-voip
attr_filter.accounting_response
}
This is the `dns` virtual server.
-It is (for now) only a toy. It only decodes nested attributes, which `unlang`
-cannot (yet) handle well. It only handles a few types of RRs. You have to manually
-do pretty much everything necessary to make DNS "work". There's no DB integration.
-
It's not meant to be fast. Don't use it as a root server, or as a server for an ISP
with millions of users. But it should be able to do thousands to tens of thousands
of queries per second, without really trying hard.
It's meant to be a _flexible_ DNS server. Want to give different answers to VoIP phones
-and desktops? It can do that.
+and desktops, or other types of split horizon? It can do that.
+
+Because DNS uses the &Header.Rcode to communicate the result of a query (instead of opcode)
+the DNS state machine works differently to other protocols.
+
+Requests will pass through the following processing sections:
+- A `recv { ... }` section matching the opcode. e.g. `recv Query { ... }`. Query processing
+ and response formulation should be done here.
+ If this section returns anything other than `ok` or `updated`, a &reply.Header.Rcode value is
+ set.
+- An `error { ... }` section matching &reply.Header.Rcode. e.g. `error Server-Fail { ... }`.
+ If the `recv { ... }` section produced a &reply.Header.Rcode value other than `No-Error`
+ and a `error { ... } section matching the &reply.Header.Rcode is provided, it is executed.
+ Error sections are intended only for simplifying logging, and as such, the rcode of the section is ignored.
+ Error sections can manipulate the reply, e.g. setting a new value for &reply.Header.Rcode, but
+ this will not cause additional `error { ... }` section to be executed.
+- A `send { ... }` section matching the opcode. e.g. `send Query-Response { ... }`. This can be
+ used for general massaging of the reply. Return codes are ignored.
namespace:: The protocol / dictionary to use.
== Default Configuration
```
-server DNS {
+server dns {
namespace = dns
listen {
- type = query
+ type = Query
transport = udp
udp {
ipaddr = *
- port = 5300
+ port = 53
}
}
recv Query {
+ if (&Question[0].Name == 'foo.example.com') {
+ &reply.Resource-Record := {
+ &Name = 'foo.example.com'
+ &Type = A
+ &Class = ::Internet
+ &TTL = 0
+ &Type.A.IP = 127.0.0.1
+ }
+ }
ok
}
send Query-Response {
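Review bot: changing the sample listener from `port = 5300` to `port = 53` together with `ipaddr = *` makes the example bind the real DNS port on every interface, which needs root or `CAP_NET_BIND_SERVICE` and will collide with any resolver already running on the host; the same text still says the server is "not meant to be fast" and must not be used as a root or ISP server, so keep a non-privileged port in the sample or state that the port must be chosen deliberately before enabling it. In the prose: "a `error { ... } section" should be "an `error { ... }` section" (the backtick is unbalanced), and "additional `error { ... }` section to be executed" should be plural. The example record answers `foo.example.com` with `127.0.0.1` and `TTL = 0`; a comment that the zero TTL is deliberate, so the test answer is never cached, would help.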
+Call an instance of `linelog` to log the authentication success
+- equivalent to the previous log `auth = yes` option in v3.
+See `mods-enabled/linelog` for message formats and destinations.
+
+
+
Access-Reject packets are sent through the REJECT sub-section of the
post-auth section.
log failed authentications in SQL, too.
+Call an instance of `linelog` to log the authentication failure
+- equivalent to the previous log `auth = yes` option in v3.
+See `mods-enabled/linelog` for message formats and destinations.
+
+
+
+
Let the outer session know which module failed, and why.
# sql_log
# ldap
# use_tunneled_reply
+# log_auth_result
}
send Access-Reject {
-sql
+# log_auth_result
attr_filter.access_reject
&outer.session-state.Module-Failure-Message := &request.Module-Failure-Message
}
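Review bot: `# log_auth_result` references a `linelog` instance that the `linelog` hunk in this patch does not define; it adds `log_auth_access_accept`, `log_auth_access_reject`, `log_auth_authentication_pass` and `log_auth_authentication_fail` only. Anyone who uncomments these lines will get an unknown-module error at startup, so either use the accept/reject instances here, as the `send Access-Accept` and `send Access-Reject` hunks earlier do, or add a `log_auth_result` instance to the linelog configuration. The surrounding text also says "Call an instance of `linelog` to log the authentication success" even though the call is commented out; say that it is disabled by default and how to enable it.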
testing against that server.
+The main module is the proto module, even though we're
+operating in the RADIUS namespace.
+
+
+
This is a valid Packet-Type for the current `namespace`
server load {
namespace = radius
listen load {
+ proto = load
type = Access-Request
transport = step
step {
parallel = 25
}
}
-}
recv Access-Request {
accept
}
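Review bot: deleting the stray `}` after the `listen load { ... }` block is correct, because as written it closed `server load` before `recv Access-Request { ... }` and left that section at file scope; the hunk should show, or the reviewer confirm, that the server's own closing brace still follows `recv Access-Request`. The added `proto = load` line needs the doc text to say why `proto` differs from `namespace` here; the two new sentences ("The main module is the proto module, even though we're operating in the RADIUS namespace") only hint at it, so state that `proto` selects the listener implementation while `namespace` selects the protocol dictionary, as the `namespace::` entry elsewhere in this patch already defines it.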
+Call an instance of `linelog` to log the authentication success
+- equivalent to the previous log `auth = yes` option in v3.
+See `mods-enabled/linelog` for message formats and destinations.
+
+
+
+
+Call an instance of `linelog` to log the authentication failure
+- equivalent to the previous log `auth = yes` option in v3.
+See `mods-enabled/linelog` for message formats and destinations.
+
+
With ASCII methods, GetUser and GetPass typically send a prompt
for the client to present to the user.
}
send Authentication-Pass {
&reply.Server-Message := "Hello %{User-Name}"
+# log_auth_authentication_pass
}
send Authentication-Fail {
&reply.Server-Message := "Failed login!"
+# log_auth_authentication_fail
}
send Authentication-GetUser {
&reply.Server-Message := "Username:"