FreeRADIUS is an open-source product with all the benefits of open-source software that includes flexibility, scalibility, and cost-effectivness. FreeRADIUS has many features not found in other free and commercial versions. Some of these features are:
* Access based on huntgroups.
-* Multiple DEFAULT entries in raddb/users file.
+* Multiple DEFAULT entries in `users` file.
* All users file entries can optionally `fall through`.
* Caches all config files in-memory.
* Supports Simultaneous-Use = X parameter to prevent double logins.
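Review bot: In the `+* Multiple DEFAULT entries` line, the bare `users` no longer tells the reader where the file lives, while the last hunk of this same patch refers to it as `mods-config/files/users`. Suggest giving that path here, at the first mention, so the short name used in the later hunks has a referent.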
=== Can I permit access to any user regardless of password?
-Yes. Edit the raddb/users file with the following entry on the first line (top of the file). This entry accepts everybody on to the network.
+Yes. Edit the `users` file with the following entry on the first line (top of the file). This entry accepts everybody on to the network.
DEFAULT Auth-Type := Accept
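Review bot: The reworded answer in the "+Yes. Edit the users file" line still presents `DEFAULT Auth-Type := Accept` as a first-line entry without stating its scope: at the top of the file it accepts every request with no password check. Since the sentence is being touched anyway, suggest saying when this is appropriate and that the entry should be removed afterwards. Also, "on to the network" should read "onto the network".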
Depending on your internal network configuration, you may need to set up internal routes for those addresses, and if you don't want them to do anything besides SMTP and POP3 within your network, you'll have to set up ACLs on your dialup interfaces allowing only ports 25 and 110 through.
-User entry in raddb/users file example
+User entry in `users` file example
[%collapsible]
====
DEFAULT Huntgroup-Name ="somehunt", Auth-Type=PAM, Pam-Auth="radhunt", Simultaneous-Use=1
Fall-Through = Yes
-With this method, I have NO users on /etc/password and NO need for lots of lines on /etc/raddb/users. time to search for a db enabled pam_listfile module
+With this method, I have NO users on /etc/password and NO need for lots of lines on `users`. time to search for a db enabled pam_listfile module
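Review bot: The "+With this method" line keeps `/etc/password`, which should be `/etc/passwd`, and with the path dropped "lots of lines on users" reads oddly; suggest "in the users file". The trailing fragment "time to search for a db enabled pam_listfile module" is not a sentence and could be reworded or dropped. The title line "+User entry in users file example" also lacks the leading `.` that `.SIGHUP script` carries before its `[%collapsible]` block.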
=== Is the RADIUS server broken after an upgrade?
== Why does PAP authentication work but CHAP fails?
-You're not using plaintext passwords in the raddb/users file or other password store. The CHAP protocol requires a plaintext password on the radius server side, for PAP it doesn't matter.
+You're not using plaintext passwords in the `users` file or other password store. The CHAP protocol requires a plaintext password on the radius server side, for PAP it doesn't matter.
To use CHAP, each user entry must shown in this format:
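Review bot: The "+You're not using plaintext passwords" line carries over a comma splice and a lower-case "radius"; suggest "...on the RADIUS server side; for PAP it doesn't matter." The context line that follows, "each user entry must shown in this format", is missing "be" and could be fixed in the same change.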
* `ps auxH`
-== I can't get RADIUS to pick up changes in the raddb/users.
+== I can't get RADIUS to pick up changes in the `users`.
The server reads the config files once at startup. This is very efficient, but you need to tell the server somehow to re-read its config files after you made a change. This can be done by sending the server a SIGHUP (signal '1' on almost if not all UNIX systems). The server writes its PID in
`/var/run/radiusd.pid`, so a simple UNIX command to do this would be:
kill -1 `cat /var/run/radiusd.pid`
-Some people are tempted to do this every 5 minutes so that changes come through automatically. That is not a good idea it takes some time to re-read the config files and the server may drop a few authentication requests at that time. A better idea is to use a so-called "timestamp file" and only send a SIGHUP if the raddb/users file changed since the last time. See the example SIGHUP script.
+Some people are tempted to do this every 5 minutes so that changes come through automatically. That is not a good idea it takes some time to re-read the config files and the server may drop a few authentication requests at that time. A better idea is to use a so-called "timestamp file" and only send a SIGHUP if the `users` file changed since the last time. See the example SIGHUP script.
.SIGHUP script
[%collapsible]
====
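Review bot: The new heading "+== I can't get RADIUS to pick up changes in the users." lost its noun when the path was shortened; it should end "in the users file." In the "+Some people are tempted" line, "That is not a good idea it takes some time" is a run-on that needs "because" or a full stop, and is worth fixing while the line is being edited.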
-=== Do I need the commas in the raddb/users file?
+=== Do I need the commas in the `users` file?
-Yes. Commas link lists of attributes together and must be present for the data to be parsed properly. The general format for a raddb/users file entry is:
+Yes. Commas link lists of attributes together and must be present for the data to be parsed properly. The general format for a `users` file entry is:
name Check-Item = Value, ..., Check-Item = Value
Reply-Item = Value,
* Commas go *between* Reply-Items.
* The last line of the reply-item list ends *without* a comma.
-Check-Items are used to match attributes in a request packet or to set server parameters. Reply-Items are used to set attributes which are to go in the reply packet. So things like Simultaneous-Use go on the first line of a raddb/users file entry and Framed-IP-Address goes on any following line.
+Check-Items are used to match attributes in a request packet or to set server parameters. Reply-Items are used to set attributes which are to go in the reply packet. So things like Simultaneous-Use go on the first line of a `users` file entry and Framed-IP-Address goes on any following line.
=== Why are all the Incoming Authentication-Request passwords corrupt?
foo Auth-Type := Reject
Reply-Message = "foo is not allowed to dial-in"
-The following entry denies access to a group of users. The same restrictions as above on location in the raddb/users file also apply:
+The following entry denies access to a group of users. The same restrictions as above on location in the `users` file also apply:
DEFAULT Group == "disabled", Auth-Type := Reject
Reply-Message = "Your account has been disabled"
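Review bot: In the "+The following entry denies access to a group of users" line, "The same restrictions as above on location" leaves the reader to find the rule elsewhere, and an earlier hunk of this patch tells them to put `DEFAULT Auth-Type := Accept` on the first line of the same file. Suggest stating the placement rule here explicitly, including where this Reject entry must sit relative to other DEFAULT entries.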
The filename can be absolute, and begin with `/`. That usage is not recommended.
-If the filename does not begin with `/`, it is a relative filename. The module reads the file which is relative to the current file being processed. For example, if the current file is `/etc/raddb/mods-config/files/users` and that file contains a directive `$INCLUDE next`, the file which will be read is `/etc/raddb/mods-config/files/next`.
+If the filename does not begin with `/`, it is a relative filename. The module reads the file which is relative to the current file being processed. For example, if the current file is `mods-config/files/users` and that file contains a directive `$INCLUDE next`, the file which will be read is `mods-config/files/next`.
The `$INCLUDE` can be nested to any depth, subject only to available memory. The module does not cross-reference `$INCLUDE` files, so it is possible for a file to `$INCLUDE` itself in an infinite loop. This practice is not recommended. When this misconfiguration happens, the server will run out of memory processing the file, and then exit.
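Review bot: In the "+If the filename does not begin with /" line, the example paths became `mods-config/files/users` and `mods-config/files/next`, which are themselves relative, so a sentence explaining resolution relative to the current file no longer shows a resolved location. Suggest stating what these paths are relative to (the removed text had `/etc/raddb/`), or keeping one absolute example so the before and after of the `$INCLUDE next` resolution stays visible.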