If you already have CA and server certificates, rename (or delete) this
directory, and create a new `certs` directory containing your
certificates. Note that the `make install` command will NOT over-write
-your existing `raddb/certs` directory, which means that the
+your existing `certs` directory, which means that the
`bootstrap` command will not be run.
== New Installations
Once the final certificates have been created, you can delete the
`bootstrap` command from this directory, and delete the
`make_cert_command` configuration from the `tls` sub-section of
-`raddb/mods-available/eap`.
+`mods-available/eap`.
If you do not want to enable EAP-TLS, PEAP, or EAP-TTLS, then delete the
-relevant sub-sections from the `raddb/mods-available/eap` file.
+relevant sub-sections from the `mods-available/eap` file.
== Root Certificate
them, it will stop doing EAP. The most visible effect is that the client
starts EAP, gets a few `Access-Challenge` packets, and then a little while
later re-starts EAP. If this happens, see the FAQ, and the comments in
- `raddb/mods-available/eap` for how to fix it.
+ `mods-available/eap` for how to fix it.
* Windows requires the root certificates to be on the client PC. If it
doesn’t have them, you will see the same issue as above.
You must:
-1. Link `raddb/sites-enabled/dynamic_clients` to `raddb/sites-available/dynamic_clients`.
+1. Link `sites-enabled/dynamic_clients` to xref:reference:raddb/sites-available/dynamic_clients.adoc[sites-available/dynamic_clients].
-2. Define a client network/mask (see the top of `raddb/sites-enabled/dynamic_clients).
+2. Define a client network/mask (see the top of `sites-enabled/dynamic_clients).
3. Uncomment the `directory` entry in that client definition.
a normal client definition
for a client with IP address `192.0.2.1`.
-NOTE: For more documentation, see the file `raddb/sites-available/dynamic-clients`
+NOTE: For more documentation, see the file xref:reference:raddb/sites-available/dynamic-clients.adoc[sites-available/dynamic-clients]
}
```
-// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
+// Copyright (C) 2026 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
// This documentation was developed by Network RADIUS SAS.
module to do the bulk of the work, but has custom schemas and
queries.
- * Schema is in `raddb/sql/cui/<DB>/schema.sql`
- * Queries are in `raddb/sql/cui/<DB>/queries.conf`
+ * Schema is in `sql/cui/<DB>/schema.sql`
+ * Queries are in `sql/cui/<DB>/queries.conf`
}
```
-// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
+// Copyright (C) 2026 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
// This documentation was developed by Network RADIUS SAS.
This will create a new `detail` file for every hour.
If you are reading detail files via the `listen { ... }` section
-(e.g. as in `raddb/sites-available/robust-proxy-accounting`),
+(e.g. as in xref:reference:raddb/sites-available/robust-proxy-accounting.adoc[sites-available/robust-proxy-accounting]),
you MUST use a unique directory for each combination of a `detail`
file writer, and reader.
}
```
-// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
+// Copyright (C) 2026 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
// This documentation was developed by Network RADIUS SAS.
Detail file writer, used in the following examples:
- * `raddb/sites-available/robust-proxy-accounting`
- * `raddb/sites-available/decoupled-accounting`
+ * xref:reference:raddb/sites-available/robust-proxy-accounting.adoc[sites-available/robust-proxy-accounting]
+ * xref:reference:raddb/sites-available/decoupled-accounting.adoc[sites-available/decoupled-accounting]
NOTE: This module can write detail files that are read by
only ONE `listen { ... }` section. If you use BOTH of the examples
}
```
-// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
+// Copyright (C) 2026 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
// This documentation was developed by Network RADIUS SAS.
authentication requests to one or more files.
NOTE: You will also need to un-comment the `auth_log` line in the
-`recv Access-Request` section of `raddb/sites-enabled/default`.
+`recv Access-Request` section of `sites-enabled/default`.
Both `link:https://freeradius.org/rfc/rfc2865.html#Access-Accept[Access-Accept]` and `link:https://freeradius.org/rfc/rfc2865.html#Access-Reject[Access-Reject]` packets are logged.
NOTE: You will also need to un-comment the 'reply_log' line in the
-`send Access-Accept` section of `raddb/sites-enabled/default`.
+`send Access-Accept` section of `sites-enabled/default`.
}
```
-// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
+// Copyright (C) 2026 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
// This documentation was developed by Network RADIUS SAS.
type:: Only EAP types listed below with a `type = <EAP-Type>` pair will be allowed.
+In addition, setting `type = md5` will load the configuration section `md5 { ... }`.
+There is no need to "comment out" the entire configuration section for EAP types
+which are not used. Instead, simply comment out or delete the `type = ..` entry
+for that EAP method, and the entire configuration section will be ignored.
+
If the `control.EAP-Type` attribute is set, then that is used to form the list of
allowed EAP types, with the first instance being the default type and others also
being allowed.
-
### EAP-PWD (Secure password-based authentication)
In v4, the "known good" password is taken from the `request.control.Password.Cleartext` list,
## Common TLS configuration for TLS-based EAP types
-See `raddb/certs/index.adoc` for additional comments on certificates.
+See `certs/index.adoc` for additional comments on certificates.
If OpenSSL was not found at the time the server was built, the `tls`,
`ttls`, and `peap` sections will be ignored.
If you do not currently have certificates signed by a trusted CA you
may use the 'snakeoil' certificates. Included with the server in
-`raddb/certs`.
+`certs`.
If these certificates have not been auto-generated:
# type = sim
md5 {
}
-# pwd {
-# group = 19
-# server_id = theserver@example.com
-# fragment_size = 1020
-# }
+ pwd {
+ group = 19
+ server_id = theserver@example.com
+ fragment_size = 1020
+ }
gtc {
# challenge = "Password: "
auth_type = PAP
}
```
-// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
+// Copyright (C) 2026 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
// This documentation was developed by Network RADIUS SAS.
module that occurs *inside* of a tunneled method. It is used to limit
the `EAP` types that can occur inside of the inner tunnel.
-See also `raddb/sites-available/inner-tunnel`
+See also xref:reference:raddb/sites-available/inner-tunnel.adoc[sites-available/inner-tunnel]
See the `eap` module for full documentation on the meaning of these
configuration entries.
}
```
-// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
+// Copyright (C) 2026 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
// This documentation was developed by Network RADIUS SAS.
= Files Module
-The `users` file as located in `raddb/mods-config/files/authorize`. (Livingston-style format).
+The `users` file as located in `mods-config/files/authorize`. (Livingston-style format).
-See the xref:reference:raddb/mods-config/files/users.adoc[users] file for information
+See the raddb/mods-config/files/users.adoc file for information
on the format of the input file, and how it operates.
}
```
-// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
+// Copyright (C) 2026 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
// This documentation was developed by Network RADIUS SAS.
on the data type. It will be a hash table, rbtree or
patricia trie store depending on the data type of the key.
+Any `key` which is passed to the `kv` functions
+(`%kv.write()`, `%kv.read()`, or `%kv.delete()`) must be
+the same data type as is given in `key_type`.
+
max_entries:: Maximum entries allowed.
```
kv {
key_type = string
-# max_entries = 0
+# max_entries = 1024
}
```
+dn_attribute:: Where to cache the user's DN for use in authentication.
+
+
+
### User membership checking
%ldap.profile(my_profile)
----
-
== Default Configuration
```
# access_value_negate = 'false'
# access_value_suspend = 'suspended'
# expect_password = no
+# dn_attribute = 'LDAP-UserDN'
}
group {
base_dn = "${..base_dn}"
#}
```
-// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
+// Copyright (C) 2026 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
// This documentation was developed by Network RADIUS SAS.
The `perl` module processes attributes through a Perl interpreter.
- * Please see the `raddb/mods-config/perl/example.pl` sample.
+ * Please see the `mods-config/perl/example.pl` sample.
* Please see http://www.perl.org/docs.html for more information about the
Perl language.
}
```
-// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
+// Copyright (C) 2026 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
// This documentation was developed by Network RADIUS SAS.
[NOTE]
====
-See `raddb/global.d/python` for configuration items that affect the
+See `global.d/python` for configuration items that affect the
python interpreter globally, such as the Python path.
====
}
```
-// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
+// Copyright (C) 2026 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
// This documentation was developed by Network RADIUS SAS.
Set an account to expire T seconds after first login. Requires the `Expire-After`
attribute to be set, in seconds.
-NOTE: You may need to edit `raddb/dictionary` to add the `Expire-After` attribute.
+NOTE: You may need to edit `dictionary` to add the `Expire-After` attribute.
}
```
-// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
+// Copyright (C) 2026 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
// This documentation was developed by Network RADIUS SAS.
The module `sqlippool` provide configuration for the SQL based IP Pool module.
-NOTE: The database schemas are available at `raddb/sql/ippool/<DB>/schema.sql`.
+NOTE: The database schemas are available at `sql/ippool/<DB>/schema.sql`.
## Configuration Settings
-sql_module_instance:: SQL instance to use (from `raddb/mods-available/sql`)
+sql_module_instance:: SQL instance to use (from xref:reference:raddb/mods-available/sql.adoc[mods-available/sql])
If you have multiple sql instances, such as `sql sql1 {...}`,
use the *instance* name here: `sql1`.
}
```
-// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
+// Copyright (C) 2026 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
// This documentation was developed by Network RADIUS SAS.
## Syntax
-To use it, add it to the `raddb/mods-enabled/` directory. Then,
+To use it, add it to the `mods-enabled/` directory. Then,
use it on the right-hand side of a variable assignment.
%unpack(<data>, <offset>, <data_type>[, <repeat>])
}
```
-// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
+// Copyright (C) 2026 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
// This documentation was developed by Network RADIUS SAS.
By default, the EAP modules sends `MS-MPPE-*-Key` attributes.
-The default virtual server (`raddb/sites-available/default`)
+The default virtual server (xref:reference:raddb/sites-available/default.adoc[sites-available/default])
contains examples of adding the `WiMAX-MSK`.
This configuration option makes the WiMAX module delete
}
```
-// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
+// Copyright (C) 2026 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
// This documentation was developed by Network RADIUS SAS.
Have been moved to the the file:
-`raddb/sites-available/default`
+`sites-available/default`
This is the `default` virtual server that has the same
configuration as in version 1.0.x and 1.1.x. The default
For more documentation on virtual servers, see:
-`raddb/sites-available/index.adoc`
+`sites-available/index.adoc`
== Default Configuration
just replace `radrelay`, you will need to add additional
configuration.
-See `raddb/sites-available/copy-acct-to-home-server` for a
+See `sites-available/copy-acct-to-home-server` for a
more complete example. That example is intended to be run
as part of a larger RADIUS configuration, where the server
also listens on ports 1812, etc. The example given here
filename:: The filename here should be the same as the one used by the
main `radiusd` program.
-It writes the file using the `detail` module (see `raddb/modules/detail`).
+It writes the file using the `detail` module (see `modules/detail`).
Accounting-Request packet (which will be from the
"detail" reader above.
-See also `raddb/sites-available/copy-acct-to-home-server`
+See also `sites-available/copy-acct-to-home-server`
for additional description.
is running. It doesn't matter if the link is up, or if the host system
is running. If the FreeRADIUS daemon is down, then we want to know ASAP.
-NOTE: See also `raddb/trigger.conf`. There are BFD-specific triggers
+NOTE: See also `trigger.conf`. There are BFD-specific triggers
which are executed when the link is started, goes up, down, or is
administratively down.
```
```
-// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
+// Copyright (C) 2026 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
// This documentation was developed by Network RADIUS SAS.
is running. It doesn't matter if the link is up, or if the host system
is running. If the FreeRADIUS daemon is down, then we want to know ASAP.
-NOTE: See also `raddb/trigger.conf`. There are BFD-specific triggers
+NOTE: See also `trigger.conf`. There are BFD-specific triggers
which are executed when the link is started, goes up, down, or is
administratively down.
```
-## Timeouts
+## Finally
-A virtual server can have a `catch timeout` section. The format and
-contents are the same as the normal `catch timeout`.
-
-This section limits the total processing time for a request. The
-values given here should be less than `request.timeout`.
-
-When a request reaches `request.timeout`, it is forcibly stopped.
-No further processing takes place.
-
-When a request reaches the time specified in this `timeout` section,
-all normal processing is stopped. The `timeout` section is then run.
-
-This configuration allows the server to take action when a request
-is taking too long. For example, it could write a failure message
-to a log file.
-
-The `timeout` section can contain any `unlang` keyword, including
-`call`, and other `timeout` sections. If you need to have a
-"timeout for the timeout", then just add anoither `timeout` section
-inside of this one.
-
-Note that `request.timeout` still applies. So the timeout value
-given here should be less than the value given by
-`request.timeout`.
+If a `finally` section is defined, then all packets will be processed
+through it.
+This includes packets whose processing has been stopped due to reaching
+`request.timeout`. Such packets can be detected by testing for the
+`timeout` rcode.
+The `finally` section can be used as a common logging section for
+all packets, allowing their final state to be captured.
```
-# catch timeout {
-# do_logging_here
-# ...
+#finally {
+# if (timeout) {
+# logging relating to timeouts
+# return
# }
+```
+```
+# normal packet logging
+#}
}
```
```
```
-// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
+// Copyright (C) 2026 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
// This documentation was developed by Network RADIUS SAS.
```
if (!MAC-Address) {
if (Ethernet-Frame =~ /0x.{12}(..)(..)(..)(..)(..)(..).*/) {
- request.MAC-Address = "%regex.match(1):%regex.match(2):%regex.match(3):%regex.match(4):%regex.match(5):%regex.match(6)"
+ request.MAC-Address = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}"
}
else {
request.MAC-Address = Cookie
Do a simple mapping of MAC to VLAN.
-See `raddb/mods-available/mac2vlan` for the definition of the "mac2vlan"
+See xref:reference:raddb/mods-available/mac2vlan.adoc[mods-available/mac2vlan] for the definition of the "mac2vlan"
module.
```
```
```
-// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
+// Copyright (C) 2026 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
// This documentation was developed by Network RADIUS SAS.
#
# You must:
#
-# 1. Link `raddb/sites-enabled/dynamic_clients` to `raddb/sites-available/dynamic_clients`.
+# 1. Link `sites-enabled/dynamic_clients` to `sites-available/dynamic_clients`.
#
-# 2. Define a client network/mask (see the top of `raddb/sites-enabled/dynamic_clients).
+# 2. Define a client network/mask (see the top of `sites-enabled/dynamic_clients).
#
# 3. Uncomment the `directory` entry in that client definition.
#
# a normal client definition
# for a client with IP address `192.0.2.1`.
#
-# NOTE: For more documentation, see the file `raddb/sites-available/dynamic-clients`
+# NOTE: For more documentation, see the file `sites-available/dynamic-clients`
#
#
# module to do the bulk of the work, but has custom schemas and
# queries.
#
-# * Schema is in `raddb/sql/cui/<DB>/schema.sql`
-# * Queries are in `raddb/sql/cui/<DB>/queries.conf`
+# * Schema is in `sql/cui/<DB>/schema.sql`
+# * Queries are in `sql/cui/<DB>/queries.conf`
#
#
# This will create a new `detail` file for every hour.
#
# If you are reading detail files via the `listen { ... }` section
- # (e.g. as in `raddb/sites-available/robust-proxy-accounting`),
+ # (e.g. as in `sites-available/robust-proxy-accounting`),
# you MUST use a unique directory for each combination of a `detail`
# file writer, and reader.
#
#
# Detail file writer, used in the following examples:
#
-# * `raddb/sites-available/robust-proxy-accounting`
-# * `raddb/sites-available/decoupled-accounting`
+# * `sites-available/robust-proxy-accounting`
+# * `sites-available/decoupled-accounting`
#
# NOTE: This module can write detail files that are read by
# only ONE `listen { ... }` section. If you use BOTH of the examples
# authentication requests to one or more files.
#
# NOTE: You will also need to un-comment the `auth_log` line in the
-# `recv Access-Request` section of `raddb/sites-enabled/default`.
+# `recv Access-Request` section of `sites-enabled/default`.
#
detail auth_log {
filename = "${radacctdir}/%{Net.Src.IP}/auth-detail-%Y-%m-%d"
# Both `Access-Accept` and `Access-Reject` packets are logged.
#
# NOTE: You will also need to un-comment the 'reply_log' line in the
-# `send Access-Accept` section of `raddb/sites-enabled/default`.
+# `send Access-Accept` section of `sites-enabled/default`.
#
detail reply_log {
filename = "${radacctdir}/%{Net.Src.IP}/reply-detail-%Y-%m-%d"
#
# ## Common TLS configuration for TLS-based EAP types
#
- # See `raddb/certs/index.adoc` for additional comments on certificates.
+ # See `certs/index.adoc` for additional comments on certificates.
#
# If OpenSSL was not found at the time the server was built, the `tls`,
# `ttls`, and `peap` sections will be ignored.
#
# If you do not currently have certificates signed by a trusted CA you
# may use the 'snakeoil' certificates. Included with the server in
- # `raddb/certs`.
+ # `certs`.
#
# If these certificates have not been auto-generated:
#
# module that occurs *inside* of a tunneled method. It is used to limit
# the `EAP` types that can occur inside of the inner tunnel.
#
-# See also `raddb/sites-available/inner-tunnel`
+# See also `sites-available/inner-tunnel`
#
# See the `eap` module for full documentation on the meaning of these
# configuration entries.
#
# = Files Module
#
-# The `users` file as located in `raddb/mods-config/files/authorize`. (Livingston-style format).
+# The `users` file as located in `mods-config/files/authorize`. (Livingston-style format).
#
# See the raddb/mods-config/files/users.adoc file for information
# on the format of the input file, and how it operates.
#
# The `perl` module processes attributes through a Perl interpreter.
#
-# * Please see the `raddb/mods-config/perl/example.pl` sample.
+# * Please see the `mods-config/perl/example.pl` sample.
# * Please see http://www.perl.org/docs.html for more information about the
# Perl language.
#
#
# [NOTE]
# ====
-# See `raddb/global.d/python` for configuration items that affect the
+# See `global.d/python` for configuration items that affect the
# python interpreter globally, such as the Python path.
# ====
#
# Set an account to expire T seconds after first login. Requires the `Expire-After`
# attribute to be set, in seconds.
#
-# NOTE: You may need to edit `raddb/dictionary` to add the `Expire-After` attribute.
+# NOTE: You may need to edit `dictionary` to add the `Expire-After` attribute.
#
sqlcounter expire_on_login {
sql_module_instance = sql
#
# The module `sqlippool` provide configuration for the SQL based IP Pool module.
#
-# NOTE: The database schemas are available at `raddb/sql/ippool/<DB>/schema.sql`.
+# NOTE: The database schemas are available at `sql/ippool/<DB>/schema.sql`.
#
# ## Configuration Settings
#
sqlippool {
#
- # sql_module_instance:: SQL instance to use (from `raddb/mods-available/sql`)
+ # sql_module_instance:: SQL instance to use (from `mods-available/sql`)
#
# If you have multiple sql instances, such as `sql sql1 {...}`,
# use the *instance* name here: `sql1`.
#
# ## Syntax
#
-# To use it, add it to the `raddb/mods-enabled/` directory. Then,
+# To use it, add it to the `mods-enabled/` directory. Then,
# use it on the right-hand side of a variable assignment.
#
# %unpack(<data>, <offset>, <data_type>[, <repeat>])
#
# By default, the EAP modules sends `MS-MPPE-*-Key` attributes.
#
- # The default virtual server (`raddb/sites-available/default`)
+ # The default virtual server (`sites-available/default`)
# contains examples of adding the `WiMAX-MSK`.
#
# This configuration option makes the WiMAX module delete
#
# Have been moved to the the file:
#
-# `raddb/sites-available/default`
+# `sites-available/default`
#
# This is the `default` virtual server that has the same
# configuration as in version 1.0.x and 1.1.x. The default
#
# For more documentation on virtual servers, see:
#
-# `raddb/sites-available/index.adoc`
+# `sites-available/index.adoc`
#
$INCLUDE sites-enabled/
# just replace `radrelay`, you will need to add additional
# configuration.
#
-# See `raddb/sites-available/copy-acct-to-home-server` for a
+# See `sites-available/copy-acct-to-home-server` for a
# more complete example. That example is intended to be run
# as part of a larger RADIUS configuration, where the server
# also listens on ports 1812, etc. The example given here
# filename:: The filename here should be the same as the one used by the
# main `radiusd` program.
#
- # It writes the file using the `detail` module (see `raddb/modules/detail`).
+ # It writes the file using the `detail` module (see `modules/detail`).
#
filename = ${radacctdir}/detail
# Accounting-Request packet (which will be from the
# "detail" reader above.
#
- # See also `raddb/sites-available/copy-acct-to-home-server`
+ # See also `sites-available/copy-acct-to-home-server`
# for additional description.
#
recv Accounting-Request {
# is running. It doesn't matter if the link is up, or if the host system
# is running. If the FreeRADIUS daemon is down, then we want to know ASAP.
#
-# NOTE: See also `raddb/trigger.conf`. There are BFD-specific triggers
+# NOTE: See also `trigger.conf`. There are BFD-specific triggers
# which are executed when the link is started, goes up, down, or is
# administratively down.
#
#
# Do a simple mapping of MAC to VLAN.
#
- # See `raddb/mods-available/mac2vlan` for the definition of the "mac2vlan"
+ # See `mods-available/mac2vlan` for the definition of the "mac2vlan"
# module.
#
# mac2vlan
projects / thirdparty / freeradius-server.git / commitdiff
