# filename = </path/><section>
#}
attr_filter attr_filter.pre-proxy {
- key = "%{Realm}"
+ key = Realm
filename = ${modconfdir}/${.:name}/pre-proxy
}
attr_filter attr_filter.post-proxy {
- key = "%{Realm}"
+ key = Realm
filename = ${modconfdir}/${.:name}/post-proxy
}
attr_filter attr_filter.access_reject {
- key = "%{User-Name}"
+ key = User-Name
filename = ${modconfdir}/${.:name}/access_reject
}
attr_filter attr_filter.access_challenge {
- key = "%{User-Name}"
+ key = User-Name
filename = ${modconfdir}/${.:name}/access_challenge
}
attr_filter attr_filter.accounting_response {
- key = "%{User-Name}"
+ key = User-Name
filename = ${modconfdir}/${.:name}/accounting_response
}
```
# relative = no
}
delay delay_reject {
- delay = "%{&reply.FreeRADIUS-Response-Delay || 1}"
+ delay = "%{reply.FreeRADIUS-Response-Delay || 1}"
relative = yes
}
```
-
-### pre_proxy
-
-This module logs packets proxied to a home server.
-
-NOTE: You will need to call it before rlm_radius is used for
-proxying. See the example in `raddb/sites-available/default`.
-
-
-
-
-
-### post_proxy
-
-This module logs response packets from a home server.
-
-NOTE: You will need to call it after rlm_radius is used for proxying.
-See the example in `raddb/sites-available/default`.
-
-
-
== Default Configuration
```
filename = "${radacctdir}/%{Net.Src.IP}/reply-detail-%Y-%m-%d"
permissions = 0600
}
-detail pre_proxy_log {
- filename = "${radacctdir}/%{Net.Src.IP}/pre-proxy-detail-%Y-%m-%d"
- permissions = 0600
-# suppress {
-# User-Password
-# }
-}
-detail post_proxy_log {
- filename = "${radacctdir}/%{Net.Src.IP}/post-proxy-detail-%Y-%m-%d"
- permissions = 0600
-}
```
// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
The DHCPv4 module is used as a relay.
-For reach request, you should set `&control.Net.Dst.IP` and maybe
-`&control.Net.Dst.Port` to the address of the next DHCPv4 server or
+For reach request, you should set `control.Net.Dst.IP` and maybe
+`control.Net.Dst.Port` to the address of the next DHCPv4 server or
relay.
Packets MUST also have a `Gateway-IP-Address` option, otherwise
--- /dev/null
+
+== Default Configuration
+
+```
+```
+
+// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
+// This documentation was developed by Network RADIUS SAS.
If the home server does not respond to proxied packets, the
module starts pinging the home server with these packets.
+Disable status checks by deleting this section, or by
+commenting it out.
+
type:: You can specify any type of request packet here,
e.g. 'Access-Request', 'Accounting-Request' or
-`Status-Server` packet contents are fixed and cannot
-be edited.
-
-For other packet types, you can set the contents
-here. The section MUST be set over
-"&request.<attribute> = value", and anything else
-will cause a parse error.
+The packet contents can be set here.
We RECOMMEND that you use packet contents which
lets the other end easily tell that they are not
"real" packets from a NAS.
-The example here is for Access-Request. The
-contents will vary by other packet types.
+The example here is for Status-Server. The
+contents will vary by other packet types. The
+Message-Authenticator attribute will be added
+automatically, and does not need to be specified
+here.
-The module will automatically update the contents
-of the Event-Timestamp attribute to be the time
-when the packet is sent. The module will also
-automatically add a Proxy-State attribute.
+If the Event-Timestamp attribute is added, it will
+be updated each time the packet is sent.
-WARNING: Do NOT do SQL queries, LDAP queries, dynamic
-expansions, etc. in this section. The contents are
-created when a connection is opened, and are not
-changeable after that.
+WARNING: Do NOT do SQL queries, LDAP queries,
+dynamic expansions, etc. in this section. The
+contents of the packet are created when a
+connection is opened, and are not changeable after
+that.
revive_interval = 3600
status_check {
type = Status-Server
-# update request {
-# &User-Name := "test-user"
-# &User-Password := "this-is-not-a-real-password"
-# &NAS-Identifier := "Status check. Are you alive?"
-# &Event-Timestamp = 0
-# }
+ update {
+ User-Name := "test-user"
+ NAS-Identifier := "Status check. Are you alive?"
+ Event-Timestamp = 0
+ }
}
file {
filename = ${logdir}/packets.bin
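Review bot: The `update` block at the end of the status_check hunk is now live configuration in the default `radius` module rather than a commented-out template, but the rewritten text above it no longer says what a home server does with a check whose `type` is `Access-Request` or `Accounting-Request` instead of `Status-Server`; from the home server's side such a check is presumably indistinguishable from a real request for `test-user`, which is the point the surviving "lets the other end easily tell that they are not real packets" recommendation is making, and likely why the old example's `User-Password` line was dropped. I'd add one sentence after "contents will vary by other packet types.": `Never put real credentials here: for Access-Request checks the home server will process "test-user" as an ordinary login attempt on every check interval.` The new claim that Message-Authenticator is added automatically should also state whether that applies to every check `type` or only to Status-Server, since the example only shows the latter and the removed text treated Status-Server as a fixed special case.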
--- /dev/null
+
+== Default Configuration
+
+```
+```
+
+// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
+// This documentation was developed by Network RADIUS SAS.
it will be `redundant_sql`. You can then use this expansion
just like any other:
- &reply.Filter-Id := "%redundant_sql( ... )"
+ reply.Filter-Id := "%redundant_sql( ... )"
In this example, the expansion is done via module `sql1`, and if
that expansion fails, using module `sql2`.
|===
| Option | Description
| `header` | Where to write out HTTP headers included in the response.
- Must resolve to a leaf attribute i.e. &reply.REST-HTTP-Header.
+ Must resolve to a leaf attribute i.e. `reply.REST-HTTP-Header`.
If unspecified, headers will be discarded.
Values will be in the format '<header>: <value>'.
| `force_to` | Force the response to be decoded with this decoder.
--- /dev/null
+
+== Default Configuration
+
+```
+```
+
+// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
+// This documentation was developed by Network RADIUS SAS.
== Default Configuration
```
-# `&control.TOTP.Secret`
-# `&control.TOTP.Key`
-# `&request.TOTP.From-User`
+# `control.TOTP.Secret`
+# `control.TOTP.Key`
+# `request.TOTP.From-User`
# https://linux.die.net/man/1/qrencode
totp {
time_step = 30
File to read unbound configuration details from.
-filename = "${raddbdir}/mods-config/unbound/default.conf"
+filename = "${confdir}/mods-config/unbound/default.conf"
Timeout for unbound queries.
```
winbind {
- username = "%{&Stripped-User-Name || &User-Name}"
+ username = "%{Stripped-User-Name || User-Name}"
# domain = ""
group {
- search_username = "%{&Stripped-User-Name || &User-Name}"
+ search_username = "%{Stripped-User-Name || User-Name}"
# add_domain = yes
}
reuse {
split:: If true, the authorize method of `rlm_yubikey` will attempt to split the
value of `link:https://freeradius.org/rfc/rfc2865.html#User-Password[User-Password]`, into the user's password, and the OTP token.
-NOTE: If enabled and successful, the value of `&request.User-Password` will be
-truncated and `&request.Vendor-Specific.Yubicon.Yubikey-OTP` will be added.
+NOTE: If enabled and successful, the value of `request.User-Password` will be
+truncated and `request.Vendor-Specific.Yubicon.Yubikey-OTP` will be added.
[options="header,autowidth"]
|===
| Attributes | Description
-| `&control.Vendor-Specific.Yubicon.Yubikey-Key` | The AES key used to decrypt the OTP data.
+| `control.Vendor-Specific.Yubicon.Yubikey-Key` | The AES key used to decrypt the OTP data.
The `Yubikey-Public-Id` and/or User-Name
attributes may be used to retrieve the key.
The value is a `16-byte` binary blob.
-| `&control.Vendor-Specific.Yubicon.Yubikey-Counter` | This is compared with the counter in the OTP
+| `control.Vendor-Specific.Yubicon.Yubikey-Counter` | This is compared with the counter in the OTP
data and used to prevent replay attacks.
This attribute will also be available in
the request list after successful decryption.
[options="header,autowidth"]
|===
| Attributes | Description
-| `&request.Vendor-Specific.Yubicon.Yubikey-Public-ID` | The public portion of the OTP string.
+| `request.Vendor-Specific.Yubicon.Yubikey-Public-ID` | The public portion of the OTP string.
The value is a `id_len` modhex string.
|===
[options="header,autowidth"]
|===
| Attributes | Description
-| `&request.Vendor-Specific.Yubicon.Yubikey-OTP` | The OTP portion of `link:https://freeradius.org/rfc/rfc2865.html#User-Password[User-Password]`.
+| `request.Vendor-Specific.Yubicon.Yubikey-OTP` | The OTP portion of `link:https://freeradius.org/rfc/rfc2865.html#User-Password[User-Password]`.
|===
These attributes are available after authentication (if successful):
[options="header,autowidth"]
|===
| Attributes | Description
-| `&request.Vendor-Specific.Yubicon.Yubikey-Private-ID` | The encrypted ID included in OTP data,
+| `request.Vendor-Specific.Yubicon.Yubikey-Private-ID` | The encrypted ID included in OTP data,
should be verified for increased security.
The value is a `6-byte` binary blob.
-| `&request.Vendor-Specific.Yubicon.Yubikey-Counter` | The last counter value (should be recorded).
+| `request.Vendor-Specific.Yubicon.Yubikey-Counter` | The last counter value (should be recorded).
The value is a concatenation of the 16-bit
session count & `8-bit` use count which form a
`24-bit` monotonically strictly increasing
integer (until the individual count ceilings
are hit)
-| `&request.Vendor-Specific.Yubicon.Yubikey-Timestamp` | Token's internal clock (mainly useful for debugging).
+| `request.Vendor-Specific.Yubicon.Yubikey-Timestamp` | Token's internal clock (mainly useful for debugging).
The value is a 24-bit increasing `integer @ 8 Hz`
with rollover which is randomly initialized each session.
-| `&request.Vendor-Specific.Yubicon.Yubikey-Random` | Randomly generated value from the token.
+| `request.Vendor-Specific.Yubicon.Yubikey-Random` | Randomly generated value from the token.
The value is a 16-bit integer.
|===
recv Access-Request {
radius
if (ok) {
- &reply.Packet-Type := Access-Accept
+ reply.Packet-Type := Access-Accept
}
}
send Access-Accept {
-= FreeRADIUS v4 Server Configuration File
+
+
+
+
+= FreeRADIUS server configuration file - 4.0
Read `man radiusd` before editing this file. See the section
titled DEBUGGING. It outlines a method where you can quickly
follows:
...
-&User-Password = "<<< secret >>>"
+User-Password = "<<< secret >>>"
...
Note that secret values are tracked across string
-expansions, string modifications, concatenations, etc.!
-i.e. if a User-Password is placed into a Reply-Message,
-then the value of the Reply-Message is also marked
-"secret".
+expansions, string modifications, concatenations, etc.
+i.e. if a `link:https://freeradius.org/rfc/rfc2865.html#User-Password[User-Password]` is placed into a `link:https://freeradius.org/rfc/rfc2865.html#Reply-Message[Reply-Message]`,
+then the value of the `link:https://freeradius.org/rfc/rfc2865.html#Reply-Message[Reply-Message]` will also be marked
+as "secret".
This configuration is disabled by default. It is extremely
important for administrators to be able to debug user
== Default Configuration
```
-prefix = /Users/alandekok/git/wrapper//install
+prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
== Default Configuration
```
-prefix = /Users/alandekok/git/wrapper//install
+prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
quickly obtain the configuration you want, without running into
trouble. See also "man unlang", which documents the format of this
file. And finally, the debug output can be complex. Please read
-https://wiki.freeradius.org/radiusd-X to understand that output.
+https://wiki.freeradius.org/radiusd-X[debugging] to understand that output.
The best way to configure the server for your local system is to
*carefully* edit this file. Most attempts to make large edits to
documentation. If you need the functionality of that module, then:
* configure the module in xref:reference:raddb/mods-available/index.adoc[mods-available/]
- * enable the module in `mods-enabled`. e.g. for LDAP, do: `cd mods-enabled;ln -s ../mods-available/ldap`
+ * enable the module in `mods-enabled/`. e.g. for LDAP, do: `cd mods-enabled;ln -s ../mods-available/ldap`
* uncomment the references to it in this file.
In most cases, those small changes will result in the server being
See raddb/sites-available/dhcp for instructions on how to configure
the DHCP server.
-## The Virtual Server
+
The DHCP functionality goes into a virtual server.
```
-## The Virtual Server
+
+
+## The DHCPv6 Virtual Server
```
server dhcpv6 {
-```
-# This is a virtual server that handles DNS.
-```
+
+= The DNS Virtual Server
+
+The `dns` virtual server is an example of using `dns` style functionality in FreeRADIUS.
+
## The Virtual Server
This is the `dns` virtual server.
--- /dev/null
+```
+
+== Default Configuration
+
+```
+```
+
+// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
+// This documentation was developed by Network RADIUS SAS.
-= LDAP Content Synchronization Operation
Sample virtual server for receiving entries from an LDAP directory
using the https://tools.ietf.org/html/rfc4533[RFC 4533] (LDAP Content Synchronization Operation) in
server control, or a directory implementing Persistent Search as
described in https://tools.ietf.org/id/draft-ietf-ldapext-psearch-03.txt
+
Persistent searches work in a similar way to normal searches except
they continue running indefinitely. We continue to receive notifications
of changes (add, delete, modify) to entries that would have been returned
Note: Each of the three implementations of LDAP synchronisation behave
differently:
+
== https://tools.ietf.org/html/rfc4533[RFC 4533]
This provides a robust mechanism to allow clients to maintain a
received only contains the DN, or, if the deletion is reported as part of
the initial refresh phase it may only be the UUID.
+
== Active Directory
Active Directory will only provide updates from the time the query started;
ASCII authentication equivalent to PAP.
Alternatively, if extra data is required, set
-reply.Authentication-Status := Getdata
+reply.Packet-Type := ::Authentication-GetData
to request the extra data, which will be in User-Message in
the next packet (if the client provides it)
```
send Authorization-Pass-Add {
- reply.Authorization-Status := Pass-Add
reply.Server-Message := "authorization-response-server"
reply.Data := "authorization-response-data"
reply.Argument-List := "key1=var1"
```
send Authorization-Pass-Reply {
- reply.Authorization-Status := Pass-Repl
reply.Server-Message := "authorization-response-server"
reply.Data := "authorization-response-data"
reply.Argument-List := "key1=var1"
```
send Authorization-Fail {
- reply.Authorization-Status := Fail
+
}
```
}
```
+
+### Accounting "type" Sections
+
+Each type of accounting packet is run through its own
+section. The section MUST return "ok" to indicate that
+it successfully handled the accounting data.
+
+The "ok" return code is typically set automatically when
+an accounting module succeeds in its work. The explicit
+"ok" here is just so that the default configuration will
+return success for all accounting packets.
+
First packet for a session
```
accounting Start {
+ ok
}
```
Updates a previous start
```
accounting Watchdog-Update {
+ ok
}
```
Updates a session
```
accounting Watchdog {
+ ok
}
```
Stops a session
```
accounting Stop {
+ ok
}
```
-### Send
+### Send Responses
```
send Accounting-Success {
private_key_file = ${certdir}/server.pem
```
-If Private key & Certificate are located in
-the same file, then private_key_file &
+If Private key and Certificate are located in
+the same file, then the private_key_file and
certificate_file must contain the same file
name.
Check the Certificate Revocation List
1) Copy CA certificates and CRLs to same directory.
-2) Execute 'c_rehash <CA certs&CRLs Directory>'.
+2) Execute `c_rehash /path/to/cert/directory`.
'c_rehash' is OpenSSL's command.
3) uncomment the line below.
5) Restart radiusd
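Review bot: The CRL setup steps in this hunk still jump from `3) uncomment the line below.` to `5) Restart radiusd` with no step 4, so a reader cannot tell whether a step was dropped; either renumber to 4 or restore the missing step. The rewritten step 2 also points at `c_rehash`, a deprecated Perl helper that newer OpenSSL builds do not necessarily ship; I'd write it as: 2) Execute `openssl rehash /path/to/cert/directory` (`c_rehash` is the older equivalent on pre-1.1 OpenSSL). The line that step 3 asks the reader to uncomment is outside this hunk.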