+++ /dev/null
-
-== Default Configuration
-
-```
-```
-
-// Copyright (C) 2026 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
-// This documentation was developed by Network RADIUS SAS.
+++ /dev/null
-
-== Default Configuration
-
-```
-```
-
-// Copyright (C) 2026 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
-// This documentation was developed by Network RADIUS SAS.
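Review bot: both deleted-file hunks here are missing the `--- a/<path>` header, so it is not possible to tell which two files are being removed, and their bodies are identical (an `== Default Configuration` heading around an empty fence, then the copyright lines). Confirm these are two distinct stub files rather than one hunk pasted twice, and include the full file headers so the removal can be reviewed against the file list.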
#
# == Syntax
#
-#always <name> {
+##always <name> {
#
# rcode:: Return code.
#
# | `updated` | Indicate that the request has been updated.
# |===
#
-# rcode = <value>
+## rcode = <value>
#
# simulcount::
# If an instance of this module is listed in a `session {}`
# section, this simulates a user having `<integer>` number of sessions.
#
-# simulcount = <integer>
+## simulcount = <integer>
#
# mpp::
# If an instance is listed in a `session {}` section, this
# simulates the user having multilink sessions.
#
-# mpp = <integer>
-#}
+## mpp = <integer>
+##}
#
# == xlat for peeking and poking the status
#
# The configuration items are:
#
-#attr_filter attr_filter.<section> {
+##attr_filter attr_filter.<section> {
#
# key:: The `key` to use for filter the packets.
#
-# key = "<value>"
+## key = "<value>"
#
# relaxed:: Only move attribute if it passed all rules, or if the config says we
# should copy unmatched attributes.
#
-# relaxed = no
+## relaxed = no
#
# filename:: The `filename` with the attributes to filter.
#
-# filename = </path/><section>
-#}
+## filename = </path/><section>
+##}
#
# == Configuration Settings
#
# This module authenticates requests containing a `CHAP-Password` attribute.
#
+# NOTE: You should never send CHAP-Password in RADIUS/UDP packets. CHAP
+# is secure ONLY when used inside of TTLS.
+#
# CHAP authentication requires access to the Password.Cleartext for the user.
#
# Standard Unix system authentication or passwords encrypted via `crypt()`
#
# e.g:
#
+# ```
# %base64.encode(%cipher_encrypt(<plaintext>))
# %cipher_decrypt(%base64.decode(<ciphertext>))
+# ```
#
-# NOTE: The supported versions are determined _entirely_ by the version of OpenSSL used, we
-# pass the name of the digest off to OpenSSL and it tells _us_ whether it's valid/supported
+# NOTE: The supported versions are determined _entirely_ by the version of OpenSSL used, FreeRADIUS
+# simply passes the name of the digest off to OpenSSL and it tells _us_ whether it's valid/supported
# or not.
#
-# OpenSSL >= 1.0.0 should support at least:
+# OpenSSL should support at least:
#
# * `md2` (not recommended)
# * `md4` (not recommended)
# * `sha256` (the default)
# * `sha384`
# * `sha512`
-#
-# OpenSSL >= 1.1.1 also supports the `sha3` family of digest functions.
-#
# * `sha3_224`
# * `sha3_256`
# * `sha3_384`
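Review bot: the new `# NOTE: You should never send CHAP-Password in RADIUS/UDP packets.` states the rule without the reason; say that the CHAP challenge and MD5 response travel unprotected in RADIUS/UDP, so anyone who captures the exchange can run an offline dictionary attack on the password, and that the server must hold `Password.Cleartext` to verify it (the next line already says so). `CHAP is secure ONLY when used inside of TTLS` also overstates: RADIUS/TLS protects the NAS-to-server hop as well, so "only inside a TLS-protected transport such as EAP-TTLS" would be accurate. Further down, dropping `OpenSSL >= 1.0.0` and the `OpenSSL >= 1.1.1 also supports the sha3 family` line folds the `sha3_*` entries into the `should support at least` baseline; either state the minimum OpenSSL version the server now requires or keep the caveat, since the same OpenSSL build also decides whether `md2` and `md4` exist at all. The rewritten sentence `FreeRADIUS simply passes the name of the digest off to OpenSSL and it tells _us_` mixes third and first person and joins two clauses with a comma; split it and pick one voice.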
# Parameters for the OAEP RSA padding scheme.
#
oaep {
-# oaep_digest = "sha256"
-# mgf1_digest = "sha256"
-# label = ""
+## oaep_digest = "sha256"
+## mgf1_digest = "sha256"
+## label = ""
}
#
# Only base CRL distribution points should be listed here. Deltas
# which they refer to will automatically be fetched.
#
-# url = http://example.com/ca.crl
-# url = ldap://ldap.example.com/cn=example%20CA,dc=example,dc=com?certificateRevocationList;binary
+## url = http://example.com/ca.crl
+## url = ldap://ldap.example.com/cn=example%20CA,dc=example,dc=com?certificateRevocationList;binary
#
# retry_delay:: How long to wait before retrying a fetch failure.
#
# The CSV map can be used in a `map` section, as in the following example.
#
+# ```
# map csv User-Name {
# Attribute-Name := field1
# Attribute-Name := field2
# ...
# }
+# ```
#
# The argument to "map" is dynamically expanded. The result is taken
# as a string, and is used as the value of the "key". The key is
#
# Configuration items are in the format:
#
+ # ```
# <fr attr> <op> <csv field>
+ # ```
#
# Where:
#
# as given the key` field above. For example, the map could
# look like this:
#
+ # ```
# map csv User-Name {
# reply.Reply-Message := 'color'
# my-integer := 'count'
- # }
+ # }
+ # ```
#
# This map does the same operations as the key / update
# fields given above. The benefit here is that the key can
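Review bot: the fences added in this file are indented inconsistently: `# ```` for the first `map csv User-Name` example, but ` # ```` (a space before the `#`) for the `<fr attr> <op> <csv field>` block and the second map example. Once the comment prefix is stripped the latter begin with whitespace, and AsciiDoc only recognises a Markdown-style fence at the start of a line, so verify those two blocks render as code. The context line `as given the key` field above` has a stray backtick that could be fixed in the same hunk.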
# ====
# For dialect `mysql` and `postgresql` the following information should be provided:
#
-# server = "localhost"
-# port = 3306
-# login = "radius"
-# password = "radpass"
-# radius_db = "radius"
+## server = "localhost"
+## port = 3306
+## login = "radius"
+## password = "radpass"
+## radius_db = "radius"
# ====
#
#
# NOTE: The attributes should be listed one to a line.
#
-# suppress {
-# User-Password
-# }
+## suppress {
+## User-Password
+## }
}
#
# Then place the following configuration into the "recv Access-Request" section:
#
+# ```
# recv Access-Request {
# ...
# rewrite_called_station_id
# control.PSK-Identity := "bob"
# control.Pre-Shared-Key := "this-is-super-secret"
# }
-#
# }
+# ```
#
# Alternatively, you can read control.PSK-Identity and
# control.Pre-Shared-Key from a database. Just do that before
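Review bot: the `recv Access-Request` example ends with two closing braces (`# }` directly followed by `# }`) but opens only one section, so it will not parse as shown; removing the blank `#` line between them makes the imbalance more visible rather than fixing it. Drop the second `# }` or show the enclosing section it closes. `control.Pre-Shared-Key := "this-is-super-secret"` also puts a literal PSK into the documented config; since the next paragraph recommends reading the identity and key from a database, a placeholder such as `"<psk>"` would avoid the value being copied verbatim.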
#
# Then create an "authenticate dpsk" section which calls the "dpsk" module:
#
+# ```
# authenticate dpsk {
# dpsk
# if (updated) {
# ... cache reply.PSK-Identity
# }
# }
+# ```
#
# In the "authenticate" section, the module will return
#
#
# PSKs can also be stored in a CSV file. The format of the file is:
#
+ # ```
# identity,psk,mac
+ # ```
#
# If there are commas in a field, then the field can be
# double quoted: "psk".
# server does not have to be reloaded when the file changes. Instead,
# the file can be generated, and then moved into place atomically:
#
+ # ```
# create csv file > psk.csv.new
# mv psk.csv.new psk.csv
+ # ```
#
# Any process which writes a new "psk.csv" file MUST NOT
# write to the file directly, as that will cause the dpsk
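Review bot: the atomic-replacement recipe `mv psk.csv.new psk.csv` is only atomic when the new file is created in the same directory (same filesystem) as `psk.csv`; across filesystems `mv` copies and then unlinks, which is exactly the partial-write the following paragraph warns about. Say that `psk.csv.new` must be written alongside `psk.csv`, and that `create csv file > psk.csv.new` is a placeholder for whatever generates the file, since it is not a runnable command. The file holds plaintext PSKs, so a sentence on restricting its permissions to the server's user belongs here too.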
type = ttls
type = mschapv2
type = peap
-# type = fast
-# type = aka
-# type = sim
+## type = fast
+## type = aka
+## type = sim
#
# === EAP-MD5
# You will have to define the `Etc-Group-Name` in the `dictionary` file,
# as a `string` type. For example:
#
-# ATTRIBUTE Etc-Group-Name string 3020
-#
-# We cannot use the `Group` attribute here. The `Group` attribute is
-# automatically created by the `unix` module, and checked against
-# `/etc/group` automatically. Which means that the `Group` attribute
-# has a pre-defined meaning, and you *cannot* use it for this module.
+# ```
+# DEFINE Etc-Group-Name string
+# ```
#
csv etc_group {
filename = ${modconfdir}/csv/${.:instance}
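Review bot: replacing `ATTRIBUTE Etc-Group-Name string 3020` with `DEFINE Etc-Group-Name string` also deletes the paragraph explaining why `Group` cannot be reused (it is created by the `unix` module and checked against `/etc/group`); that rationale is what tells a reader why a separate attribute is needed at all, so keep it. The sentence above still says to define the attribute `in the dictionary file`; if `DEFINE` lines belong in a particular dictionary (for example the local one), name it.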
# `Calling-Station-Id`, the above `pool1` configuration can be
# modified with one addition:
#
+# ```
# load-balance pool1 Calling-Station-Id {
# ...
# }
+# ```
#
# See the `load-balance` keyword documentation for more information.
#
# server to run the `radius` module. The simplest way to do this is
# to add a section:
#
+# ```
# authenticate proxy {
# pool1
# }
+# ```
#
# And then set `Auth-Type := proxy`. See the sites-available/proxy
# example for more information.
#
# In v3, we have:
#
+# ```
# home_server radius1 {
# type = auth+acct
# ipaddr = 192.0.2.1
# port = 1812
# secret = testing123
# }
+# ```
#
# This translates to the `radius` module, with name `home1`, and the following contents.
#
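Review bot: the v3 `home_server radius1 { ... }` example is said to translate to `the radius module, with name home1`, but the two names differ (`radius1` versus `home1`); use the same name on both sides so the mapping is obvious. `secret = testing123` is the well-known default shared secret; in a migration example a placeholder such as `<shared secret>` avoids it being carried into production configs.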
#
# On Linux, you may need to do:
#
+# ```
# $ setcap cap_net_raw+ep ${bindir}/radiusd
+# ```
#
-# In order for the `icmp` module to bind to a "raw" socket.
+# In order to allow the `icmp` module to bind to a raw socket.
#
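Review bot: `$ setcap cap_net_raw+ep ${bindir}/radiusd` is presented as a shell command, but `${bindir}` is a FreeRADIUS configuration variable; in a shell it expands to an empty string and the command targets `/radiusd`. Show a concrete path (for example `/usr/sbin/radiusd`) or say the reader must substitute the install location. The reworded `In order to allow the icmp module to bind to a raw socket.` is a sentence fragment after the block; fold it into the sentence before (`you may need to run the following so that the icmp module can bind to a raw socket:`). It is also worth one sentence noting that the capability is granted to the whole binary, which is the point of using it instead of running the server as root.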
#
# `"500"` rather than `"500ms"` for time values, and raw byte
# counts rather than `"1M"` for sizes.
#
-# properties {
-# "ssl.engine.id" = "pkcs11"
-# "socket.keepalive.enable" = "true"
-# }
+## properties {
+## "ssl.engine.id" = "pkcs11"
+## "socket.keepalive.enable" = "true"
+## }
#
# Each declared topic also accepts its own `properties { }`
# block for per-topic librdkafka settings that aren't named
# knobs:
#
- # topic {
- # radius-accounting {
- # request_required_acks = -1
- # properties {
- # "compression.codec" = "lz4"
- # }
- # }
- # }
+## topic {
+## radius-accounting {
+## request_required_acks = -1
+## properties {
+## "compression.codec" = "lz4"
+## }
+## }
+## }
}
#
# section and the topic is inferred from the section's packet type.
# For example:
#
+# ```
# recv Accounting-Request {
# kafka # publishes to topic "Accounting-Request"
# }
+# ```
#
# This is tidy when you name topics after packet types; if you don't,
# stick with the explicit `kafka.produce.<topic>` form. Either way,
# different topics can publish different shapes from one module
# instance:
#
+# ```
# kafka {
# server = "localhost:9092"
# topic {
# }
# }
# }
+# ```
#
# In a virtual server:
#
+# ```
# recv Accounting-Request {
# kafka.produce.radius-accounting
# }
# recv Access-Request {
# kafka.produce.radius-auth
# }
+# ```
#
# `value` is required per topic. `key` is optional; when omitted,
# librdkafka picks a partition according to the configured
# key and payload). It returns `true` on successful delivery and
# `false` on failure:
#
+# ```
# send Accounting-Response {
# if (!%kafka.produce('radius-accounting', %json.encode(&request.[*]))) {
# reject
# }
# }
+# ```
#
# As with the method, the topic argument must name a declared topic.
#
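Review bot: `%json.encode(&request.[*])` uses the `&` attribute-reference prefix while every other example in this patch writes references without it (`control.PSK-Identity`, `reply.Session-Timeout`); make the syntax consistent. The `kafka { server = ... topic { } } }` block above closes three braces after opening two, so check that the topic definitions were not lost when the example was trimmed. Finally, `reject` on a failed `%kafka.produce(...)` in `send Accounting-Response` means a Kafka outage turns into rejected accounting for every request; if that is the intended trade-off for the example, say so, otherwise show logging the failure instead.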
# section of your `radiusd.conf` file:
#
# [source, unlang]
+# ----
# Auth-Type Kerberos {
# krb5
# }
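Review bot: the `[source, unlang]` block opened with the new `----` line has no closing `----` in the visible lines; confirm one follows `# }`. Elsewhere this patch introduces ``` fences for the same purpose (the `%base64.encode`, `map csv` and `recv Access-Request` examples), so pick one delimiter style for code blocks across the module docs. `Auth-Type Kerberos { krb5 }` also looks like the v3 `Auth-Type <name> { }` form, whereas the rest of the patch uses v4 `authenticate <name> { ... }` sections (`authenticate dpsk`, `authenticate proxy`); this example should probably match.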
# However, the cache module stores _attributes_, and _lists of
# attributes_.
#
-# In contrast, the `kv` module stores _values_. e.g. ipv4addr,
-# uint32, etc. The use-case for the `kv` module is to store a small
+# In contrast, the `kv` module stores _values_. e.g. `ipv4addr`,
+# `uint32`, etc. The use-case for the `kv` module is to store a small
# number of simple values that can be shared across multiple threads.
#
# == Functions
# Group membership can be queried by using the above "ldapsearch" string,
# and adding "memberof" qualifiers. For ActiveDirectory, use:
#
+ # ```
# ldapsearch ... '(&(objectClass=user)(sAMAccountName=user)(memberof=CN=group,${base_dn}))'
+ # ```
#
# Where 'user' is the user as above, and 'group' is the group you are querying for.
# ====
#
# Values should be in the format:
#
+ # ```
# <fr attr> <op> <value>
+ # ```
#
# Where:
#
#
# Configuration items are in the format:
#
+ # ```
# <fr attr> <op> <ldap attr>
+ # ```
#
# Where:
#
#
update {
control.Password.With-Header += 'userPassword'
-# control.Password.NT := 'ntPassword'
-# reply.Reply-Message := 'radiusReplyMessage'
-# reply.Tunnel-Type := 'radiusTunnelType'
-# reply.Tunnel-Medium-Type := 'radiusTunnelMediumType'
-# reply.Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
+## control.Password.NT := 'ntPassword'
+## reply.Reply-Message := 'radiusReplyMessage'
+## reply.Tunnel-Type := 'radiusTunnelType'
+## reply.Tunnel-Medium-Type := 'radiusTunnelMediumType'
+## reply.Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
# NOTE: Where only a list is specified as the RADIUS attribute,
# the value of the LDAP attribute is parsed as a valuepair
#
# NOTE: If `start_tls = yes`, then fill up those such options with the certificate information.
#
-# ca_file = ${certdir}/cacert.pem
-# ca_path = ${certdir}
-# certificate_file = /path/to/radius.crt
-# private_key_file = /path/to/radius.key
-# random_file = /dev/urandom
+## ca_file = ${certdir}/cacert.pem
+## ca_path = ${certdir}
+## certificate_file = /path/to/radius.crt
+## private_key_file = /path/to/radius.key
+## random_file = /dev/urandom
#
# require_cert:: Certificate Verification requirements.
# Reusing the same name means that this policy will be used instead
# of the module.
#
-#@policy ldap {
-# timeout 1s {
-# ldap
-# }
-#}
+##@policy ldap {
+## timeout 1s {
+## ldap
+## }
+##}
#
# file. Each instance of the module can send log messages to one,
# and only one, destination.
#
+# You should probably use the `linelog` message instead of this one.
+#
# NOTE: Multiple `logtee`s modules may be used for any given request.
# The `logtee` modules will not affect normal logging output.
# i.e. This logging is *in addition* to any other logging that is
# done by the server.
#
+
#
# == Configuration Settings
#
reconnection_delay = 1.0
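Review bot: `You should probably use the linelog message instead of this one.` should read `linelog module` (it is a module, like `logtee`), and a recommendation to prefer another module belongs at the top of the file with the module description rather than between the destination note and the per-request NOTE. The added blank line at the end of that comment run has no `#` prefix, unlike every surrounding line; prefix it or drop it.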
#
- # .File as the destination for log output
+ # file:: Configuration for 'file' destination
#
file {
#
}
#
- # .UNIX socket-file as the destination for log outputx
+ # unix:: configuration for Unix sockets
#
unix {
#
}
#
- # .TCP-server as the destination for log output
+ # tcp: configuration for TCP sockets
#
tcp {
#
}
#
- # .UDP-server as the destination for log output
+ # udp: configuration for UDP sockets
#
udp {
#
}
#
- # .Pass Change
+ # passchange:: Control parameters for changing passwords via MS-CHAP.
+ #
+ # NOTE: This functionality should only be used inside of PEAP. Anything else
+ # is insecure.
#
passchange {
#
#
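Review bot: the new definition-list terms are inconsistent: `file::` and `unix::` use the AsciiDoc `::` marker, while `tcp: configuration for TCP sockets` and `udp: configuration for UDP sockets` use a single colon and will not render as list items; `Configuration for 'file' destination` is also capitalised where the others are not. The passchange note (`should only be used inside of PEAP. Anything else is insecure.`) would help more with the reason: the MS-CHAP change-password exchange protects the new password only with material derived from the old NT hash, so it needs a TLS tunnel; saying "inside PEAP or another TLS-tunnelled EAP method carrying MS-CHAPv2" is both the reason and the accurate scope.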
# Uncomment the three lines below, and change the path to `ntlm_auth.
#
-# ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
-# ntlm_auth_username = "username: %mschap('User-Name')"
-# ntlm_auth_domain = "nt-domain: %mschap('NT-Domain')"
+## ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
+## ntlm_auth_username = "username: %mschap('User-Name')"
+## ntlm_auth_domain = "nt-domain: %mschap('NT-Domain')"
#
# local_cpw::
#
# TIP: We give both examples here, but *only one should be used*.
#
-# local_cpw = %exec('/path/to/script', %mschap('User-Name'), %{MS-CHAP-New-Cleartext-Password})
-# local_cpw = %sql("UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{User-Name}' and attribute='Password.NT'")
+## local_cpw = %exec('/path/to/script', %mschap('User-Name'), %{MS-CHAP-New-Cleartext-Password})
+## local_cpw = %sql("UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{User-Name}' and attribute='Password.NT'")
}
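Review bot: the second `local_cpw` template interpolates `%{User-Name}` and `%{MS-CHAP-New-NT-Password}` directly into `UPDATE radcheck set value=... where username=...`; `User-Name` is supplied by the client, so this is safe only if the `sql` module escapes expansions inside `%sql(...)` arguments. If it does, say so in the TIP; if not, the example should use the module's escaped query form. The `%exec('/path/to/script', ..., %{MS-CHAP-New-Cleartext-Password})` alternative passes the new cleartext password as a process argument, which is visible in the process list on most systems; that deserves a sentence next to the example.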
# retry_msg = "Re-enter (or reset) the password"
#
- # .Attributes
+ # attributes:: the list of attributes used by the mschap module
#
# The `mschap` module needs to be configured with which attributes contain
# MS-CHAP data in the request and which should be used for MS-CHAP data
# TACACS+ does not have any inherent support for MPPE keys or password
# changing using MSCHAP.
#
-# attributes {
-# username = User-Name
-# chap_challenge = MS-CHAP-Challenge
-# chap_response = MS-CHAP-Response
-# chap2_response = MS-CHAP2-Response
+## attributes {
+## username = User-Name
+## chap_challenge = MS-CHAP-Challenge
+## chap_response = MS-CHAP-Response
+## chap2_response = MS-CHAP2-Response
#
# TACACS+ puts the MS-CHAP2-Success information in the Data field,
# but we call it MS-CHAP2-Success for simplicity.
# See the ALIAS definition in dictionary/tacacs/dictionary.freeradius.internal
#
-# chap2_success = MS-CHAP2-Success
+## chap2_success = MS-CHAP2-Success
#
# Similarly, TACACS+ puts the MS-CHAP-Error into the Server-Message
# field.
#
-# chap_error = MS-CHAP-Error
-# }
+## chap_error = MS-CHAP-Error
+## }
}
# In order to allow NTLM passwords, you may need to run the following
# command on the OpenDirectory machine:
#
+# ```
# dscl -u diradmin -p /LDAPv3/127.0.0.1 -append /Config/dirserv apple-enabled-auth-mech SMB-NTLM2v
+# ```
#
#
# Attributes can be set by assigning values to the array entries of leaf
# nodes. E.g.
#
+# ```
# $p->{'reply'}{'foo'}[0] = 'baa'
+# ```
#
# In addition, the Perl array functions `push`, `pop`, `shift` and `unshift`
# can be used to add or remove instances of attributes.
# The return codes from functions in the `perl_script` are passed directly back
# to the server. These codes are defined in `mods-config/example.pl`
#
+# WARN:: The Perl module is slow compared to `unlang`. The only reason to use
+# Perl is when you need to use a third-party API that is only accessible via
+# a Perl library.
+#
#
# == Configuration Settings
#
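Review bot: `WARN::` is not an AsciiDoc admonition, and the rest of this patch normalises `NOTE::` to `NOTE:` (the `keylog_file` and DNS-blocking notes), so this should be `WARNING:`; the same marker is used for the python and TOTP warnings. The claim `The only reason to use Perl is when you need to use a third-party API that is only accessible via a Perl library` is absolute; `the main reason` says what is meant without overstating.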
# These options cause the old FreeRADIUS v3 default subroutine
# names to be used
-# func_recv_access_request = authorize
-# func_recv_accounting_request = preacct
-# func_send = postauth
+## func_recv_access_request = authorize
+## func_recv_accounting_request = preacct
+## func_send = postauth
#
# config { ... }::
# $RAD_PERLCONF{'sub-config'}->{'name'}
# ----
#
-# config {
-# name = "value"
-# sub-config {
-# name = "value of name from config.sub-config"
-# }
-# }
+## config {
+## name = "value"
+## sub-config {
+## name = "value of name from config.sub-config"
+## }
+## }
}
# Similarly, `mod_recv_access_request` or `mod_recv` can be used to
# load the function from a module other than the one specified in the
# `module` option.
-
-#
-# Please see the file global.d/python for server-global configuration
-# items which control the Python path.
#
+# WARN:: The Python module is slow compared to `unlang`. The only reason to use
+# Python is when you need to use a third-party API that is only accessible via
+# a Python library.
+# == Global Configuration
#
-# [NOTE]
-# ====
-# See `global.d/python` for configuration items that affect the
-# python interpreter globally, such as the Python path.
-# ====
+# Please see the file `global.d/python` for server-global configuration
+# items which control the Python path.
#
#
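Review bot: the new `== Global Configuration` heading follows the warning paragraph with no blank `#` line before it, unlike every other heading in these files; add the separator. Moving the `Please see the file global.d/python ...` paragraph under that heading and dropping the `[NOTE] ==== ... ====` block is fine since they said the same thing, but `WARN::` should be `WARNING:` here as well.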
# func_detach = detach
#
- # config { ... }::
+ # config { ... }:: Define configuration items which are accessible to the Python script.
#
# You can define configuration items (and nested sub-sections) in python `config { ... }`
# section. These items will be accessible in the Python script through `freeradius.config`
- # dict for instance:
+ # dict as read-only items.
#
# e.g:
#
# freeradius.config['sub-config']['name']
# ----
#
-# config {
-# name = "value"
-# sub-config {
-# name = "value of name from config.sub-config"
-# }
-# }
+## config {
+## name = "value"
+## sub-config {
+## name = "value of name from config.sub-config"
+## }
+## }
}
#
# The TCP configuration is identical to the `udp` configuration.
#
-# tcp {
-# ...
-# }
+ tcp {
+ # copy configuration items here
+ }
#
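Review bot: this replaces a commented example (`# tcp {` / `# ...` / `# }`) with an uncommented, empty `tcp { # copy configuration items here }` section, which is live configuration rather than documentation. Every installation using the shipped default will now carry an empty `tcp` section, and if the module treats the presence of the section as enabling TCP, or requires items inside it, the default behaviour changes. If the intent is only to document the section, keep it commented with the `##` prefix used for examples elsewhere in the patch.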
# == Connection trunking
#
# === Accounting-On
#
-# Accounting-On {
-# insert = ""
-# trim = ""
-# expire = ""
-# }
+## Accounting-On {
+## insert = ""
+## trim = ""
+## expire = ""
+## }
#
# === Accounting-Off
#
-# Accounting-Off {
-# insert = ""
-# trim = ""
-# expire = ""
-# }
+## Accounting-Off {
+## insert = ""
+## trim = ""
+## expire = ""
+## }
#
# === Failed
#
-# Failed {
-# insert = ""
-# trim = ""
-# expire = ""
-# }
+## Failed {
+## insert = ""
+## trim = ""
+## expire = ""
+## }
}
# The `redundant_sql` module handles SQL expansions in a redundant manner.
#
#
-# This configuration can be thought of as a `virtual` module.
+# This configuration is a `virtual` module.
#
# e.g. If you have two redundant SQL servers, and you want to use
# them in the recv and accounting sections, you could place a
#
tls {
#
- # .Certificate validation options
+ # Certificate validation options
#
# Specifies how the certificate(s) presented by the HTTPS server being contacted
# are validated, and which certificates (if any) to send to the HTTPS server.
#
# The contents of the keylog file allows wireshark captures to be decrypted for debugging purposes.
#
- # NOTE:: keylog_file is not expanded at runtime.
+ # NOTE: keylog_file is not expanded at runtime.
#
# keylog_file = '/path/to/keylog_file'
}
#
tls {
#
- # .Certificate validation options
+ # Certificate validation options
#
# Specifies how the certificate(s) presented by the
# SMTP server are validated, and which certificates
# intermediary signing CAs, shallowest (direct signee of the certificate_file)
# to deepest (signed directly by the root CA).
#
-# certificate_file = /path/to/radius.pem
+# certificate_file = /path/to/radius.pem
#
# ca_file:: PEM formatted file containing the chain
# most common way of validating the certificate
# presented by an SMTP server.
#
-# ca_file = "${certdir}/cacert.pem"
+# ca_file = "${certdir}/cacert.pem"
#
# ca_issuer_file:: PEM formatted file containing the
# by other intermediary CAs, or root CAs, in the
# trusted certificate chain.
#
-# ca_issuer_file = "${certdir}/caissuer.pem"
+# ca_issuer_file = "${certdir}/caissuer.pem"
#
# ca_path:: A directory containing multiple root CA certs named by their hash.
#
- # See the OpenSSL documentation for more details:
- # - https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_set_default_verify_paths.html
- # - https://www.openssl.org/docs/man1.1.1/man1/c_rehash.html
- #
# This configuration option should only be used when the SMTP server being contacted
# is not known ahead of time (using a URL from an external source), and/or the CA used
# to sign the SMTP server certificate is unknown.
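Review bot: removing the two OpenSSL links leaves `A directory containing multiple root CA certs named by their hash` with no pointer to how the hash names are produced; keep a reference to `openssl rehash` (or `c_rehash`) and to `SSL_CTX_set_default_verify_paths`. If the objection was the version-pinned URLs (`man1.1.0`, `man1.1.1`), point at the unversioned manual pages rather than dropping the references.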
# will be the operating system's set of trusted CAs. This will be visible in the debug
# output when FreeRADIUS starts.
#
-# ca_path = "${certdir}"
+# ca_path = "${certdir}"
#
# private_key_file:: PEM formatted file containing the private key for the specified `certificate_file`
#
# This item must be specified if `certificate_file` is being used.
#
-# private_key_file = /path/to/radius.key
+# private_key_file = /path/to/radius.key
#
# private_key_password:: Password used to decrypt the `private_key_file`.
#
# random_file:: Source of random data used for various cryptographic functions.
#
-# random_file = /dev/urandom
+# random_file = /dev/urandom
#
# check_cert:: Server certificate verification requirements.
# be automatically added to the email. Only the list of
# `recipients` will be used.
#
-# recipients = SMTP-Recipients[*]
-# recipients = SMTP-TO[*]
-# recipients = SMTP-CC[*]
-# recipients = SMTP-BCC[*]
+## recipients = SMTP-Recipients[*]
+## recipients = SMTP-TO[*]
+## recipients = SMTP-CC[*]
+## recipients = SMTP-BCC[*]
#
# to:: Set the body `TO` header.
#
# .Connection info:
#
-# server = "localhost"
-# port = 3306
-# login = "radius"
-# password = "radpass"
+## server = "localhost"
+## port = 3306
+## login = "radius"
+## password = "radpass"
#
# radius_db:: Database table configuration for everything.
# query_number_attribute = 'Query-Number'
#
- # .Read database-specific queries.
+ # Database-specific queries.
#
# Not all drivers ship with `query.conf` or `schema.sql` files. For those which don't,
# please create them and contribute them back to the project.
#
# Configuration explanation.
#
+# ```
# sqlcounter <name> {
+# ```
#
# sql_module_instance:: Holds the instance of the `sql` module to use when
# querying the SQL database.
# (usually for failover situations), you can specify which module has access to
# the Accounting Data (`radacct table`).
#
+# ```
# sql_module_instance = sql_foo
+# ```
#
# reset:: Defines when the counters are all reset to zero.
#
# The `query` parameter specifies the SQL query used to get the current Counter value
# from the database.
#
+# ```
# key = "%{Stripped-User-Name || User-Name}"
+# ```
#
# reset_period_start_name:: The name of the attribute which is used to store the
# time that the current reset period started.
sql_module_instance = sql
dialect = ${modules.sql.dialect}
-# reset_period_start_name = control.${.:instance}-Reset-Start
-# reset_period_end_name = control.${.:instance}-Reset-End
+## reset_period_start_name = control.${.:instance}-Reset-Start
+## reset_period_end_name = control.${.:instance}-Reset-End
counter_name = control.Daily-Session-Time
check_name = control.Max-Daily-Session
reply_name = reply.Session-Timeout
# gateway = "%{Gateway-IP-Address}"
#
- # .Load the queries from a separate file.
+ # Load the queries from a separate file.
#
$INCLUDE ${modconfdir}/sql/ippool/${dialect}/queries.conf
}
#
# = Time-based One-Time Passwords (TOTP)
#
-# Defined in `rfc6238`, and used in Google Authenticator.
+# Defined in `RFC6238`, and used in Google Authenticator, among others.
#
# This module can only be used in the "authenticate" section.
#
# intended to be used where the local administrator knows the TOTP
# secret key, and user has an authenticator app on their phone.
#
-# NOTE: Also that while you can use the Google "chart" APIs to
+# WARN:: Also that while you can use the Google "chart" APIs to
# generate a QR code, doing this will give the secret to Google!
#
# Administrators should instead install a tool such as "qrcode"
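Review bot: after changing `NOTE:` to `WARN::`, the sentence still opens `Also that while you can use the Google "chart" APIs`, which only reads as a continuation of a `Note also that ...` construction; reword to `While you can use the Google "chart" APIs to generate a QR code, doing so gives the secret to Google.` and use the `WARNING:` admonition. `RFC6238` should be written `RFC 6238`, matching `RFC 3580` later in the patch.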
#
# filename:: The libunbound configuration file.
#
- # filename = "${confdir}/mods-config/unbound/default.conf"
+# filename = "${confdir}/mods-config/unbound/default.conf"
#
- # timeoit:: For unbound queries.
+ # timeout:: For unbound queries.
#
- # timeout = 3000
+# timeout = 3000
#
# resolvconf:: resolv.conf file to instruct unbound to load
# This is NOT RECOMMENDED. A local caching DNS server will
# substantially improve performance.
#
- # resolvconf = "/etc/resolv.conf"
+# resolvconf = "/etc/resolv.conf"
#
# hosts:: hosts file to load data from.
#
# Defaults to not set.
#
- # hosts = "/etc/hosts"
+# hosts = "/etc/hosts"
}
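Review bot: `timeout = 3000` has no unit and the term `timeout:: For unbound queries.` does not say whether it is milliseconds or seconds, while other time values in this patch carry explicit suffixes (`1s`, `"500ms"`); state the unit in the description. The `timeoit` to `timeout` fix is correct.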
#
#
# A function based on the instance name can be used to perform DNS lookups.
#
-# %dns(<owner>, <record type>[, <limit>])
+# %dns(<owner>, <record type>[, <limit>])
#
# You must quote the parameters, e.g. `'example.com'`.
#
# The above example will perform an `MX` lookup on `example.com`, and
# will return just the first result.
#
-# NOTE:: The DNS queries are blocking! A slow (or unavailable) DNS
+# NOTE: The DNS queries are blocking! A slow (or unavailable) DNS
# server can completely destroy the performance of FreeRADIUS.
#
# The module also registers a Unix group expansion, where it is possible
# to check if the user is a member of a particular Unix group.
#
-# if (%unix.group(admin)) { ...
+# ```
+# if (%unix.group(admin)) { ...
+# ```
#
# The expansion returns `true` if the `User-Name` is a membber of the given
# group, and `false` otherwise.
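Review bot: the context line directly after the new fence has `membber` for `member`; since the block is being touched, fix it in the same hunk. The fenced `if (%unix.group(admin)) { ...` is left unterminated; show the closing `}` so the snippet is self-contained, as the other unlang examples in this patch are.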
# `Calling-Station-Id` attribute to the normal format as
# specified in RFC 3580 Section 3.21.
#
+# ```
# recv Access-Request {
# ...
# wimax
# ...
# }
+# ```
#
# == send Access-Accept
#
# has been used, AND the EAP method derives MSK and EMSK, then
# the various WiMAX keys can be calculated.
#
+# ```
# send Access-Accept {
# ...
#
#
# ...
# }
+# ```
#
# == Miscellaneous
#
#
# You have to create it, and put it into the request or reply as something like:
#
-# WiMAX-MN-NAI = User-Name}
+# ```
+# WiMAX-MN-NAI = User-Name
+# ```
#
# You will also have to have the appropriate IP address (`v4` or `v6`)
# in order to calculate the keys below.
#######################################################################
#
-# = WinModule
+# = Winbind
#
# The `winbind` module authenticate PAP passwords against Microsoft Active
# Directory or Samba, via the winbind API.
}
#
- # .Reusable Handles
+ # reuse:: Maintain long-term connections to the windbind server.
#
# Reusable connection handles are allocated in blocks. These
# parameters allow for tuning how that is done.
#
yubikey {
#
- # id_length:: The length (number of ASCII bytes) of the Public-ID portion
- # of the OTP string.
+ # id_length:: The length (number of ASCII bytes) of the Public-ID
+ # portion of the OTP string.
#
# Yubikey defaults to a 6 byte ID (2 * 6 = 12)
#
# id_length = 12
#
- # split:: If true, the authorize method of `rlm_yubikey` will attempt to split the
- # value of `User-Password`, into the user's password, and the OTP token.
+ # split:: If true, the authorize method of `rlm_yubikey` will
+ # attempt to split the value of `User-Password`, into the user's
+ # password, and the OTP token.
#
- # NOTE: If enabled and successful, the value of `request.User-Password` will be
- # truncated and `request.Vendor-Specific.Yubicon.Yubikey-OTP` will be added.
+ # NOTE: If enabled and successful, the value of
+ # `request.User-Password` will be truncated and
+ # `request.Vendor-Specific.Yubicon.Yubikey-OTP` will be added.
#
# split = yes
#
# decrypt:: Whether tokens will be decrypted and processed locally.
#
- # In the `recv Access-Request` section, this module should be placed before the
- # persistent storage module.
+ # In the `recv Access-Request` section, this module should be placed
+ # before the persistent storage module.
#
# The following authenticate section should be added:
#
# }
# ----
#
- # If two factor authentication (password concatenated with OTP) is required, split
- # configuration should be set to yes and the pap module should be uncommented.
+ # If two factor authentication (password concatenated with OTP) is
+ # required, split configuration should be set to yes and the pap
+ # module should be uncommented.
#
- # Each account will need a password added (either using attribute `Password.Cleartext`,
- # `SSHA-Password`, etc.).
+ # Each account will need a password added (either using attribute
+ # `Password.Cleartext`, `SSHA-Password`, etc.).
#
- # The module itself does not provide persistent storage as
- # this would duplicate functionality already in the server.
+ # The module itself does not provide persistent storage as this
+ # would duplicate functionality already in the server.
#
- # Yubikey authentication needs two attributes retrieved from persistent storage:
+ # Yubikey authentication needs two attributes retrieved from
+ # persistent storage:
#
# [options="header,autowidth"]
# |===
# the request list after successful decryption.
# |===
#
- # NOTE: `Vendor-Specific.Yubicon.Yubikey-Counter` isn't strictly required, but the server will generate
- # warnings if it's not present when `yubikey.authenticate` is called.
+ # NOTE: `Vendor-Specific.Yubicon.Yubikey-Counter` isn't strictly
+ # required, but the server will generate warnings if it's not
+ # present when `yubikey.authenticate` is called.
#
# These attributes are available after `authorization`:
#
# | `request.Vendor-Specific.Yubicon.Yubikey-OTP` | The OTP portion of `User-Password`.
# |===
#
- # These attributes are available after authentication (if successful):
+ # These attributes are available after authentication (if
+ # successful):
#
# [options="header,autowidth"]
# |===
decrypt = no
#
- # validate:: Validation mode - Tokens will be validated against a Yubicloud server.
+ # validate:: Validation mode - Tokens will be validated against a
+ # Yubicloud server.
#
validate = no
# | `%s` | Placeholder for the token string itself.
# |===
#
- # NOTE: If no URLs are listed, will default to the default URLs in the
- # ykclient library, which point to the yubico validation servers.
+ # NOTE: If no URLs are listed, will default to the default URLs in
+ # the ykclient library, which point to the yubico validation
+ # servers.
#
servers {
# uri = 'http://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s'
#
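Review bot: the yubicloud example `uri = 'http://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s'` uses plain `http://`; the service is reachable over `https://`, and without TLS, or an API key so that the HMAC signature on responses can be checked, an on-path party can alter the validation result. Prefer `https://` in the commented default and add a sentence saying an API key should be configured. This is a context line, but the surrounding block is being reflowed anyway.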
# start:: Connections to create during module instantiation.
#
- # If the server cannot create specified number of
- # connections during instantiation it will exit.
- # Set to `0` to allow the server to start without the
- # external service being available.
+ # If the server cannot create specified number of connections
+ # during instantiation it will exit. Set to `0` to allow the
+ # server to start without the external service being available.
#
start = 0
#
# max:: Maximum number of connections.
#
- # If these connections are all in use and a new one
- # is requested, the request will NOT get a connection.
+ # If these connections are all in use and a new one is requested,
+ # the request will NOT get a connection.
#
- # Setting `max` to *LESS* than the number of threads means
- # that some threads may starve, and you will see errors
- # like _No connections available and at max connection limit_.
+ # Setting `max` to *LESS* than the number of threads means that
+ # some threads may starve, and you will see errors like _No
+ # connections available and at max connection limit_.
#
- # Setting `max` to MORE than the number of threads means
- # that there are more connections than necessary.
+ # Setting `max` to MORE than the number of threads means that
+ # there are more connections than necessary.
#
- # If `max` is not specified, then it defaults to the number
- # of workers configured.
+ # If `max` is not specified, then it defaults to the number of
+ # workers configured.
#
# max =
#
uses = 0
#
- # retry_delay:: The number of seconds to wait after the server tries
- # to open a connection, and fails.
+ # retry_delay:: The number of seconds to wait after the server
+ # tries to open a connection, and fails.
#
# During this time, no new connections will be opened.
#
#
# idle_timeout:: The idle timeout (in seconds).
#
- # A connection which is unused for this length of time will be closed.
+ # A connection which is unused for this length of time will be
+ # closed.
#
# NOTE: A setting of 0 means infinite (no timeout).
#
#
# spread:: Enable LRU (Least Recently Used).
#
- # The `yubico` library uses `curl` multi-handles. If the multi-handle is reused
- # before all requests are completed the connections are re-established.
+ # The `yubico` library uses `curl` multi-handles. If the
+ # multi-handle is reused before all requests are completed the
+ # connections are re-established.
#
- # The cost of re-establishing the connections is greater than the benefit of
- # maintaining a small pool of connections or optimising for link latency.
+ # The cost of re-establishing the connections is greater than the
+ # benefit of maintaining a small pool of connections or optimising
+ # for link latency.
#
spread = yes
#
# [NOTE]
# ====
- # All configuration settings are enforced. If a connection is closed because of
- # `idle_timeout`, `uses`, or `lifetime`, then the total
- # number of connections MAY fall below `min`.
+ # All configuration settings are enforced. If a connection is
+ # closed because of `idle_timeout`, `uses`, or `lifetime`, then
+ # the total number of connections MAY fall below `min`.
#
- # When that happens, it will open a new connection. It will also log a *WARNING* message.
+ # When that happens, it will open a new connection. It will also
+ # log a *WARNING* message.
#
# The solution is to either lower the "min" connections, or
# increase lifetime/idle_timeout.