+++ /dev/null
-
-
-
-
-= Control socket interface.
-
-```
-# In the future, we will add username/password checking for
-# connections to the control socket. We will also add
-# command authorization, where the commands entered by the
-# administrator are run through a virtual server before
-# they are executed.
-```
-
-```
-# For now, anyone who has permission to connect to the socket
-# has nearly complete control over the server. Be warned!
-```
-
-```
-# NOTE: This functionality is NOT enabled by default.
-```
-
-```
-# See also the "radmin" program, which is used to communicate
-# with the server over the control socket.
-```
-
-```
-server control {
-```
-
-namespace:: Determine the current scope as a control service.
-
-```
- namespace = control
-
-```
-
-All configuration related to the control interface.
-
-```
- listen {
-```
-
-transport:: Define which communication channel.
-
-```
- transport = unix
-
-```
-
-UNIX socket-file as communication channel.
-
-```
- unix {
-```
-
-filename:: Socket location.
-
-Most operating systems (other than Linux), do not respect
-permissions set on socket files.
-
-To work around this issue, we ensure the
-permissions on the directory containing the socket,
-are sufficiently restrictive to only allow access
-by the FreeRADIUS user, or the gid below (if set).
-
-It is recommended to house the socket in its own
-sub-directory. FreeRADIUS will create this sub-directory
-if it doesn't exist and set the appropriate ownership and
-permissions.
-
-```
- filename = ${run_dir}/control/${name}.sock
-
-```
-
-peercred:: It is enabled by default, and offers an additional layer
-of security. When enabled FreeRADIUS will check the euid and
-egid of the process connecting to the control socket.
-
-The client process is allowed to connect if any of the following
-are true:
-
-- The client processes' euid is 0 (root).
-- The client processes' euid matches FreeRADIUS' euid.
-- gid is set (below), and the client processes' egid matches the
- configured gid.
-
-NOTE: With peercred enabled, auxiliary groups of the client process
-are not considered. If you have multiple users and need to control
-control socket authorization via group membership, you should set
-`peercred = no`, and rely on filesystem permissions for enforcement.
-
-```
-# peercred = no
-
-```
-
-uid:: Name of user who is allowed to connect to the control socket.
-
-```
-# uid = radius
-
-```
-
-gid:: Name of group that is allowed to connect to the control socket.
-
-```
-# gid = radius
-
-```
-
-mode:: Access mode.
-
-This can be used to give *some* administrators access to
-monitor the system, but not to change it.
-
-ro = read only access (default)
-rw = read/write access.
-
-```
- mode = rw
- }
-
-```
-@todo - add "limit" section
-```
- }
-
-```
-
-These don't do anything for now
-
-```
- recv {
- ok
- }
-
- send {
- ok
- }
-}
-```
-
-== Default Configuration
-
-```
-```
-
-// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
-// This documentation was developed by Network RADIUS SAS.
+++ /dev/null
-
-```
-# This is a virtual server that handles DHCP.
-```
-
-See raddb/mods-available/dhcp_sqlippool for the IP Pool configuration.
-
-See raddb/policy.d/dhcp_sqlippool for the "glue" code that allows
-the RADIUS based "sqlippool" module to be used for DHCP.
-
-See raddb/mods-config/sql/ippool/ for the schemas.
-
-See raddb/sites-available/dhcp for instructions on how to configure
-the DHCP server.
-
-
-
-
-The DHCP functionality goes into a virtual server.
-
-```
-server dhcp {
- namespace = dhcpv4
-
-```
-Define a DHCP socket.
-
-The default port below is 6700, so you don't break your network.
-If you want it to do real DHCP, change this to 67, and good luck!
-
-You can also bind the DHCP socket to an interface.
-See below, and raddb/radiusd.conf for examples.
-
-This lets you run *one* DHCP server instance and have it listen on
-multiple interfaces, each with a separate policy.
-
-If you have multiple interfaces, it is a good idea to bind the
-listen section to an interface. You will also need one listen
-section per interface.
-
-```
-listen {
- type = DHCP-Discover
- type = DHCP-Request
- type = DHCP-Inform
- type = DHCP-Release
- type = DHCP-Decline
- type = DHCP-Lease-Query
-
- transport = udp
-
- udp {
-```
-IP address to listen on. Will usually be the IP of the
-interface, or 0.0.0.0
-```
- ipaddr = 127.0.0.1
-
-```
-The port should be 67 for a production network. Don't set
-it to 67 on a production network unless you really know
-what you're doing. Even if nothing is configured below, the
-server may still NAK legitimate responses from clients.
-```
- port = 6700
-
-```
-Interface name we are listening on. See comments above.
-```
-# interface = lo0
-
-```
-source IP address for unicast packets sent by the
-DHCP server.
-
-The source IP for unicast packets is chosen from the first
-one of the following items which returns a valid IP
-address:
-
- src_ipaddr
- ipaddr
- reply:DHCP-Server-IP-Address
- reply:DHCP-DHCP-Server-Identifier
-
-```
- src_ipaddr = 127.0.0.1
-
-```
-The DHCP server defaults to allowing broadcast packets.
-Set this to "no" only when the server receives *all* packets
-from a relay agent. i.e. when *no* clients are on the same
-LAN as the DHCP server.
-
-It's set to "no" here for testing. It will usually want to
-be "yes" in production, unless you are only dealing with
-relayed packets.
-```
- broadcast = no
-
-```
-On Linux if you're running the server as non-root, you
-will need to do:
-
-sudo setcap cap_net_admin=ei /path/to/radiusd
-
-This will allow the server to set ARP table entries
-for newly allocated IPs
-```
- }
-}
-
-```
-
-If there is no `client` entry in a DHCPv4 virtual server, it will
-automatically create and use a "0/0" client.
-
-If there is one or more clients defined in a DHCPv4 virtual server,
-they will be used to limit source IP addresses for DHCPv4 packets.
-Only packets from known clients or networks will be accepted.
-
-If a `client` is defined, you should list all subnets used for end
-user machines, along with all DHCPv4 gateways that send packets to
-the server.
-
-```
-#client private {
-```
- ipaddr = 192.168.0.0/16
-```
-#}
-
-```
-Packets received on the socket will be processed through one
-of the following sections, named after the DHCP packet type.
-See dictionary.dhcpv4 for the packet types.
-
-Return packets will be sent to, in preference order:
- DHCP-Gateway-IP-Address
- DHCP-Client-IP-Address
- DHCP-Your-IP-Address
-At least one of these attributes should be set at the end of each
-section for a response to be sent.
-
-```
-recv DHCP-Discover {
-
-```
-Set the type of packet to send in reply.
-
-The server will look at the DHCP-Message-Type attribute to
-determine which type of packet to send in reply. Common
-values would be DHCP-Offer, DHCP-Ack or DHCP-NAK. See
-dictionary.dhcp for all the possible values.
-
-DHCP-Do-Not-Respond can be used to tell the server to not
-respond.
-
-In the event that DHCP-Message-Type is not set then the
-server will fall back to determining the type of reply
-based on the rcode of this section.
-
-```
- update reply {
- &DHCP-Message-Type = DHCP-Offer
- }
-
-```
-The contents here are invented. Change them!
-```
- update reply {
- &DHCP-Domain-Name-Server = 127.0.0.1
- &DHCP-Domain-Name-Server = 127.0.0.2
- &DHCP-Subnet-Mask = 255.255.255.0
- &DHCP-Router-Address = 192.0.2.1
- &DHCP-IP-Address-Lease-Time = 86400
- &DHCP-DHCP-Server-Identifier = 192.0.2.1
- }
-
-```
-Do a simple mapping of MAC to assigned IP.
-
-See below for the definition of the "mac2ip"
-module.
-
-mac2ip
-
-If the MAC wasn't found in that list, do something else.
-You could call a Perl, Python, or Java script here.
-
-if (notfound) {
-...
-}
-
-Or, allocate IPs from the DHCP pool in SQL. You may need to
-set the pool name here if you haven't set it elsewhere.
-```
-# update control {
-# &Pool-Name := "local"
-# }
-# dhcp_sqlippool
-
-```
-If DHCP-Message-Type is not set, returning "ok" or
-"updated" from this section will respond with a DHCP-Offer
-message.
-
-Other rcodes will tell the server to not return any response.
-```
- ok
-}
-
-recv DHCP-Request {
-
-```
-Response packet type. See DHCP-Discover section above.
-```
- update reply {
- &DHCP-Message-Type = DHCP-Ack
- }
-
-```
-The contents here are invented. Change them!
-```
- update reply {
- &DHCP-Domain-Name-Server = 127.0.0.1
- &DHCP-Domain-Name-Server = 127.0.0.2
- &DHCP-Subnet-Mask = 255.255.255.0
- &DHCP-Router-Address = 192.0.2.1
- &DHCP-IP-Address-Lease-Time = 86400
- &DHCP-DHCP-Server-Identifier = 192.0.2.1
- }
-
-```
-Do a simple mapping of MAC to assigned IP.
-
-See below for the definition of the "mac2ip"
-module.
-
-mac2ip
-
-If the MAC wasn't found in that list, do something else.
-You could call a Perl, Python, or Java script here.
-
-if (notfound) {
-...
-}
-
-Or, allocate IPs from the DHCP pool in SQL. You may need to
-set the pool name here if you haven't set it elsewhere.
-```
-# update control {
-# &Pool-Name := "local"
-# }
-# dhcp_sqlippool
-
-```
-If DHCP-Message-Type is not set, returning "ok" or
-"updated" from this section will respond with a DHCP-Ack
-packet.
-
-"handled" will not return a packet, all other rcodes will
-send back a DHCP-NAK.
-```
- ok
-}
-
-```
-
-Other DHCP packet types
-
-There should be a separate section for each DHCP message type.
-By default this configuration will ignore them all. Any packet type
-not defined here will be responded to with a DHCP-NAK.
-
-```
-recv DHCP-Decline {
- update reply {
- &DHCP-Message-Type = DHCP-Do-Not-Respond
- }
- reject
-}
-
-recv DHCP-Inform {
- update reply {
- &DHCP-Message-Type = DHCP-Do-Not-Respond
- }
- reject
-}
-
-```
-
-For Windows 7 boxes
-
-```
-#recv DHCP-Inform {
-# update reply {
-# Packet-Dst-Port = 67
-# DHCP-Message-Type = DHCP-ACK
-# DHCP-DHCP-Server-Identifier = "%{Packet-Dst-IP-Address}"
-# DHCP-Site-specific-28 = 0x0a00
-# }
-# ok
-#}
-
-recv DHCP-Release {
- update reply {
- &DHCP-Message-Type = DHCP-Do-Not-Respond
- }
- reject
-}
-
-recv DHCP-Lease-Query {
-```
-The thing being queried for is implicit
-in the packets.
-
-has MAC, asking for IP, etc.
-```
- if (&DHCP-Client-Hardware-Address) {
-```
-look up MAC in database
-```
- }
-
-```
-has IP, asking for MAC, etc.
-```
- elsif (&DHCP-Your-IP-Address) {
-```
-look up IP in database
-```
- }
-
-```
-has host name, asking for IP, MAC, etc.
-```
- elsif (&DHCP-Client-Identifier) {
-```
-look up identifier in database
-```
- }
- else {
- update reply {
- &DHCP-Message-Type = DHCP-Lease-Unknown
- }
-
- ok
-
-```
-stop processing
-```
- return
- }
-
-```
-
-We presume that the database lookup returns "notfound"
-if it can't find anything.
-
-```
- if (notfound) {
- update reply {
- &DHCP-Message-Type = DHCP-Lease-Unknown
- }
- ok
- return
- }
-
-```
-
-Add more logic here. Is the lease inactive?
-If so, respond with DHCP-Lease-Unassigned.
-
-Otherwise, respond with DHCP-Lease-Active
-
-
-
-Also be sure to return ALL information about
-the lease.
-
-
-
-The reply types are:
-
-DHCP-Lease-Unknown
-DHCP-Lease-Active
-DHCP-Lease-Unassigned
-
-```
- update reply {
- &DHCP-Message-Type = DHCP-Lease-Unassigned
- }
-
-}
-
-}
-
-```
-
-This next section is a sample configuration for the "passwd"
-module, that reads flat-text files. It should go into
-radiusd.conf, in the "modules" section.
-
-The file is in the format <mac>,<ip>
-
-```
-# 00:01:02:03:04:05,192.0.2.100
-# 01:01:02:03:04:05,192.0.2.101
-# 02:01:02:03:04:05,192.0.2.102
-```
-
-This lets you perform simple static IP assignment.
-
-There is a preconfigured "mac2ip" module setup in
-mods-available/mac2ip. To use it do:
-
- # cd raddb/
- # ln -s ../mods-available/mac2ip mods-enabled/mac2ip
- # mkdir mods-config/passwd
-
-Then create the file mods-config/passwd/mac2ip with the above
-format.
-
-
-This is an example only - see mods-available/mac2ip instead; do
-not uncomment these lines here.
-
-```
-#passwd mac2ip {
-# filename = ${confdir}/mac2ip
-# format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address"
-# delimiter = ","
-#}
-```
-
-== Default Configuration
-
-```
-```
-
-// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
-// This documentation was developed by Network RADIUS SAS.
+++ /dev/null
-
-This virtual server controls caching of TLS sessions.
-
-When a TLS session is used, the server will automatically create
-the following attributes in the session-state list. These attributes
-are the ones for the *server* certificate.
-
-```
-# TLS-Cert-Serial
-# TLS-Cert-Expiration
-# TLS-Cert-Subject
-# TLS-Cert-Issuer
-# TLS-Cert-Common-Name
-# TLS-Cert-Subject-Alt-Name-Email
-```
-
-If a client certificate is required (e.g. EAP-TLS or sometimes PEAP / TTLS),
-the following attributes are also created in the session-state list:
-
-```
-# TLS-Client-Cert-Serial
-# TLS-Client-Cert-Expiration
-# TLS-Client-Cert-Subject
-# TLS-Client-Cert-Issuer
-# TLS-Client-Cert-Common-Name
-# TLS-Client-Cert-Subject-Alt-Name-Email
-```
-
-
-
-```
-server tls-cache {
- namespace = tls_cache
-
-```
-
-This section is run whenever the server needs to read an
-entry from the TLS session cache.
-
-It should read the attribute &session-state.TLS-Session-Data
-from the cache, along with any other attributes which
-were in the cache
-
-On success it should return 'ok' or 'updated'.
-
-The return code has no real effect on session processing
-and will just cause the server to emit a warning.
-
-```
- load tls-session {
- update control {
- Cache-Allow-Insert := no
- }
- cache_tls_session
- }
-
-```
-
-This section is run whenever the server needs to write an
-entry to the TLS session cache.
-
-It should write the attribute &session-state.Session-Data
-to the cache, along with any other attributes which
-need to be cached.
-
-On success it should return 'ok' or 'updated'.
-
-The return code has no real effect on session processing
-and will just cause the server to emit a warning.
-
-```
- store tls-session {
- update control {
- Cache-TTL := 0
- }
- cache_tls_session
- }
-
-```
-
-This section is run whenever the server needs to delete an
-entry from the TLS session cache.
-
-On success it should return 'ok', 'updated', 'noop' or 'notfound'
-
-The return code has no real effect on session processing
-and will just cause the server to emit a warning.
-
-```
- clear tls-session {
- update control {
- Cache-TTL := 0
- Cache-Allow-Insert := no
- }
- cache_tls_session
- }
-
-```
-
-This section is run after certificate attributes are added
-to the request list, and before performing OCSP validation.
-
-It should read the attribute &control.TLS-OCSP-Cert-Valid
-from the cache.
-
-On success it should return 'ok', 'updated', 'noop' or 'notfound'
-To force OCSP validation failure, it should return 'reject'.
-
-```
- load ocsp-state {
- update control {
- Cache-Allow-Insert := no
- }
- cache_ocsp
- }
-
-```
-
-This section is run after OCSP validation has completed.
-
-It should write the attribute &reply.TLS-OCSP-Cert-Valid
-to the cache.
-
-On success it should return 'ok' or 'updated'.
-
-The return code has no real effect on session processing
-and will just cause the server to emit a warning.
-
-```
- store ocsp-state {
- update control {
- Cache-TTL := "%{expr:&reply.TLS-OCSP-Next-Update * -1}"
- Cache-Allow-Merge := no
- }
- cache_ocsp
- }
-}
-```
-
-== Default Configuration
-
-```
-```
-
-// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
-// This documentation was developed by Network RADIUS SAS.
projects / thirdparty / freeradius-server.git / commitdiff
