**** xref:raddb/mods-available/yubikey.adoc[Yubikey]
*** xref:raddb/sites-available/index.adoc[Virtual Servers]
-**** xref:raddb/sites-available/arp.adoc[ARP Virtual Server]
-**** xref:raddb/sites-available/bfd.adoc[BFD - Bidirectional Forwarding Detection]
-**** xref:raddb/sites-available/buffered-sql.adoc[Buffered SQL]
-**** xref:raddb/sites-available/challenge.adoc[Challenge]
-**** xref:raddb/sites-available/channel_bindings.adoc[Channel Bindings]
-**** xref:raddb/sites-available/check-eap-tls.adoc[Check EAP-TLS]
-**** xref:raddb/sites-available/coa.adoc[CoA]
-**** xref:raddb/sites-available/control-socket.adoc[Control Socket Interface.]
-**** xref:raddb/sites-available/copy-acct-to-home-server.adoc[Copy ACCT to Home Server]
-**** xref:raddb/sites-available/decoupled-accounting.adoc[Decoupled Accounting]
-**** xref:raddb/sites-available/detail.adoc[Detail]
-**** xref:raddb/sites-available/dhcp.adoc[Dhcp]
-**** xref:raddb/sites-available/dhcp.relay.adoc[Dhcp Relay]
-**** xref:raddb/sites-available/dynamic-clients.adoc[Dynamic Clients]
-**** xref:raddb/sites-available/example.adoc[Example]
-**** xref:raddb/sites-available/inner-tunnel.adoc[Inner Tunnel]
+**** xref:raddb/sites-available/arp.adoc[ARP]
+**** xref:raddb/sites-available/bfd.adoc[BFD]
+**** xref:raddb/sites-available/control-socket.adoc[Control Sockt]
+**** xref:raddb/sites-available/dhcp.adoc[DHCPv4]
+***** xref:raddb/sites-available/dhcp.relay.adoc[Relay]
+**** xref:raddb/sites-available/dhcpv6.adoc[DHCPv6]
+**** xref:raddb/sites-available/dns.adoc[DNS]
**** xref:raddb/sites-available/ldap_sync.adoc[LDAP Sync]
-**** xref:raddb/sites-available/originate-coa.adoc[Originate CoA-Request packets]
-**** xref:raddb/sites-available/proxy-inner-tunnel.adoc[Proxy Inner Tunnel]
-**** xref:raddb/sites-available/radius-acct.adoc[Radius Acct]
-**** xref:raddb/sites-available/robust-proxy-accounting.adoc[Robust Proxy Accounting]
+
+**** xref:raddb/sites-available/default.adoc[RADIUS]
+***** xref:raddb/sites-available/buffered-sql.adoc[Buffered SQL]
+***** xref:raddb/sites-available/challenge.adoc[Challenge]
+***** xref:raddb/sites-available/coa.adoc[CoA]
+***** xref:raddb/sites-available/copy-acct-to-home-server.adoc[Copy Acct to Home Server]
+***** xref:raddb/sites-available/decoupled-accounting.adoc[Decoupled Accounting]
+***** xref:raddb/sites-available/detail.adoc[Detail]
+***** xref:raddb/sites-available/inner-tunnel.adoc[EAP Inner Tunnel]
+***** xref:raddb/sites-available/virtual.example.com.adoc[Internal Proxying]
+***** xref:raddb/sites-available/originate-coa.adoc[Originate CoA-Request]
+***** xref:raddb/sites-available/robust-proxy-accounting.adoc[Robust Proxy Accounting]
+***** xref:raddb/sites-available/proxy-inner-tunnel.adoc[Proxy Inner Tunnel]
+
**** xref:raddb/sites-available/status.adoc[Status]
-**** xref:raddb/sites-available/tacacs.adoc[Tacacs]
-**** xref:raddb/sites-available/default.adoc[The default Virtual Server]
-**** xref:raddb/sites-available/tls-cache.adoc[TLS Cache]
+**** xref:raddb/sites-available/tacacs.adoc[TACACS+]
**** xref:raddb/sites-available/tls.adoc[TLS]
-**** xref:raddb/sites-available/virtual.example.com.adoc[virtual.example.com]
+***** xref:raddb/sites-available/tls-cache.adoc[TLS Cache]
**** xref:raddb/sites-available/vmps.adoc[VMPS]
-**** xref:raddb/experimental.conf.adoc[Experimental modules]
-*** xref:raddb/clients.conf.adoc[Client Definitions]
+**** xref:raddb/sites-available/dynamic-clients.adoc[Dynamic Clients]
+
+*** xref:raddb/clients.conf.adoc[Clients]
*** xref:raddb/debug.conf.adoc[Debugging configuration]
*** xref:raddb/dictionary.adoc[Local dictionary definitions]
*** xref:raddb/radrelay.conf.adoc[Radrelay Configuration]
+++ /dev/null
-
-
-
-
-= Experimental modules
-
-This file contains the configuration for experimental modules.
-
-By default, it is *not* included in the build.
-
-
-
-## Example module configuration
-
-Configuration for the example module. Even if this modules is
-loaded and initialised, it should have no real effect as long
-it is not referenced in one of the virtual server sections.
-
-
-
-boolean:: Boolean variable.
-
-Allowed values: `no` or `yes`
-
-
-
-integer:: An integer, of any value:
-
-
-
-string:: A string.
-
-
-
-ipaddr::
-
-An IP address, either in dotted quad (`1.2.3.4`) or
-hostname (`example.com`).
-
-
-
-mysubsection::
-
-A subsection.
-
-
-anotherinteger::
-
-
-
-deeply { ... }::
-
-Subsections nest.
-
-
-
-## Other experimental modules
-
-Instantiate a few instances of the idn module
-
-
-
-.section without name.
-
-
-
-
-.more commonly known as...
-
-
-
-.another one.
-
-
-== Default Configuration
-
-```
-example {
- boolean = yes
- integer = 16
- string = "This is an example configuration string"
- ipaddr = 127.0.0.1
- mysubsection {
- anotherinteger = 1000
- deeply nested {
- string = "This is a different string"
- }
- }
-}
-idn {
-}
-idn idna {
-}
-idn idna_lenient {
- UseSTD3ASCIIRules = no
-}
-```
-
-// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
-// This documentation was developed by Network RADIUS SAS.
* xref:raddb/clients.conf.adoc[clients.conf]
* xref:raddb/debug.conf.adoc[debug.conf]
-* xref:raddb/experimental.conf.adoc[experimental.conf]
* xref:raddb/panic.gdb.adoc[panic.gdb]
* xref:raddb/radrelay.conf.adoc[radrelay.conf]
* xref:raddb/templates.conf.adoc[templates.conf]
+++ /dev/null
-
-A virtual server which is used to validate channel-bindings.
-
-
-```
-server channel_bindings {
-```
-
-Only the "recv Access-Request" section is needed.
-
-```
- recv Access-Request {
-```
-In general this section should include a policy for each type
-of channel binding that may be in use. For example each lower
-layer such as GSS-EAP (https://tools.ietf.org/html/rfc7055[RFC 7055]) or IEEE 802.11I is likely to
-need a separate channel binding policy.
-```
- }
-}
-```
-
-== Default Configuration
-
-```
-```
-
-// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
-// This documentation was developed by Network RADIUS SAS.
+++ /dev/null
-
-
-This virtual server allows EAP-TLS to reject access requests
-based on some attributes of the certificates involved.
-
-To use this virtual server, you must enable it in the tls
-section of mods-enabled/eap as well as adding a link to this
-file in sites-enabled/.
-
-
-Value-pairs that are available for checking include these
-attributes in the session-state list:
-
- TLS-Client-Cert-Subject
- TLS-Client-Cert-Issuer
- TLS-Client-Cert-Common-Name
- TLS-Client-Cert-Subject-Alt-Name-Email
-
-To see a full list of attributes, run the server in debug mode
-with this virtual server configured, and look at the attributes
-passed in to this virtual server.
-
-
-This virtual server is also useful when using EAP-TLS as it is
-only called once, just before the final Accept is about to be
-returned from eap, whereas the outer authorize section is called
-multiple times for each challenge / response. For this reason,
-here may be a good location to put authentication logging, and
-modules that check for further authorization, especially if they
-hit external services such as sql or ldap.
-
-
-
-Authorize - this is the only section required.
-
-To accept the access request, set Auth-Type = ::Accept, otherwise
-set it to Reject.
-
-
-
-By default, we just accept the request:
-
-
-
-Check the client certificate matches a string, and reject otherwise
-
-
-
-
-Check the client certificate common name against the supplied User-Name
-
-
-
-This is a convenient place to call LDAP, for example, when using
-EAP-TLS, as it will only be called once, after all certificates as
-part of the EAP-TLS challenge process have been verified.
-
-An example could be to use LDAP to check that the connecting host, as
-well as presenting a valid certificate, is also in a group based on
-the User-Name (assuming this contains the service principal name).
-Settings such as the following could be used in the ldap module
-configuration:
-
-basedn = "dc=example, dc=com"
-filter = "(servicePrincipalName=%{User-Name})"
-base_filter = "(objectClass=computer)"
-groupname_attribute = cn
-groupmembership_filter = "(&(objectClass=group)(member=%{control.Ldap-UserDn}))"
-
-
-
-
-Now let's test membership of an LDAP group (the ldap bind user will
-need permission to read this group membership):
-
-
-
-or, to be more specific, you could use the group's full DN:
-if (!(Ldap-Group == "CN=Permitted-Laptops,OU=Groups,DC=example,DC=org")) {
-
-
-This may be a better place to call the files modules when using
-EAP-TLS, as it will only be called once, after the challenge-response
-iteration has completed.
-
-
-
-
-Log all request attributes, plus TLS certificate details, to the
-auth_log file. Again, this is just once per connection request, so
-may be preferable than in the outer authorize section. It is
-suggested that 'auth_log' also be in the outer post-auth and
-Post-Auth REJECT sections to log reply packet details, too.
-
-
-
-
-== Default Configuration
-
-```
-server check-eap-tls {
-recv Access-Request {
- &control.Auth-Type := ::Accept
-# if ("%{session-state.TLS-Client-Cert-Common-Name}" == 'client.example.com') {
-# &control.Auth-Type := ::Accept
-# }
-# else {
-# &control.Auth-Type := ::Reject
-# &reply.Reply-Message := "Your certificate is not valid."
-# }
-# if (&User-Name == "host/%{session-state.TLS-Client-Cert-Common-Name}") {
-# &control.Auth-Type := ::Accept
-# }
-# else {
-# &control.Auth-Type := ::Reject
-# }
-# ldap
-# if (!(Ldap-Group == "Permitted-Laptops")) {
-# &control.Auth-Type := ::Reject
-# }
-# files
- auth_log
-}
-}
-```
-
-// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
-// This documentation was developed by Network RADIUS SAS.
+++ /dev/null
-
-```
-# An example virtual server configuration.
-```
-
-
-
-
-```
-# This client will be available to any "listen" section that
-# are defined outside of a virtual server section. However,
-# when the server receives a packet from this client, the
-# request will be processed through the "example" virtual
-# server, as the "client" section contains a configuration item
-# to that effect.
-```
-
-```
-# Note that this client will be able to send requests to any
-# port defined in a global "listen" section. It will NOT,
-# however, be able to send requests to a port defined in a
-# "listen" section that is contained in a "server" section.
-```
-
-```
-# With careful matching of configurations, you should be able
-# to:
-```
-
-```
-# - Define one authentication port, but process each client
-# through a separate virtual server.
-```
-
-```
-# - define multiple authentication ports, each with a private
-# list of clients.
-```
-
-```
-# - define multiple authentication ports, each of which may
-# have the same client listed, but with different shared
-# secrets
-```
-
-```
-# FYI: We use an address in the 192.0.2.* space for this example,
-# as https://tools.ietf.org/html/rfc3330[RFC 3330] says that that /24 range is used for documentation
-# and examples, and should not appear on the net. You shouldn't
-# use it for anything, either.
-```
-
-
-```
-client 192.0.2.10 {
- shortname = example-client
- secret = testing123
- virtual_server = example
-}
-
-```
-
-```
-# An example virtual server. It starts off with "server name {"
-# The "name" is used to reference this server from a "listen"
-# or "client" section.
-```
-
-```
-server example {
-```
-
-Listen on 192.0.2.1:1812 for Access-Requests
-
-When the server receives a packet, it is processed
-through the "recv ...", etc. sections listed here,
-NOT the global ones the "default" site.
-
-```
- listen {
- ipaddr = 192.0.2.1
- port = 1821
- type = auth
- }
-
-```
-
-This client is listed within the "server" section,
-and is therefore known ONLY to the socket defined
-in the "listen" section above. If the client IP
-sends a request to a different socket, the server
-will treat it as an unknown client, and will not
-respond.
-
-In contrast, the client listed at the top of this file
-is outside of any "server" section, and is therefore
-global in scope. It can send packets to any port
-defined in a global "listen" section. It CANNOT send
-packets to the listen section defined above, though.
-
-Note that you don't have to have a "virtual_server = example"
-line here, as the client is encapsulated within
-the "server" section.
-
-```
- client 192.0.2.9 {
- shortname = example-client
- secret = testing123
- }
-
- recv Access-Request {
-```
-
-Some example policies. See "man unlang" for more.
-
-```
- if (User-Name == "bob") {
- control.Password.Cleartext := "bob"
- }
-
-```
-
-And then reject the user. The next line requires
-that the "always reject {}" section is defined in
-the "modules" section of radiusd.conf.
-
-```
- reject
- }
-
- send Access-Accept {
-
- }
-
- send Access-Reject {
- reply.Reply-Message = "This is only an example."
- }
-
-}
-```
-
-== Default Configuration
-
-```
-```
-
-// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
-// This documentation was developed by Network RADIUS SAS.
* xref:raddb/sites-available/bfd.adoc[bfd]
* xref:raddb/sites-available/buffered-sql.adoc[buffered sql]
* xref:raddb/sites-available/challenge.adoc[challenge]
-* xref:raddb/sites-available/channel_bindings.adoc[channel_bindings]
-* xref:raddb/sites-available/check-eap-tls.adoc[check eap tls]
* xref:raddb/sites-available/coa.adoc[coa]
* xref:raddb/sites-available/control-socket.adoc[control socket]
* xref:raddb/sites-available/copy-acct-to-home-server.adoc[copy acct to home server]
* xref:raddb/sites-available/dhcp.adoc[dhcp]
* xref:raddb/sites-available/dhcp.relay.adoc[dhcp relay]
* xref:raddb/sites-available/dynamic-clients.adoc[dynamic clients]
-* xref:raddb/sites-available/example.adoc[example]
* xref:raddb/sites-available/inner-tunnel.adoc[inner tunnel]
* xref:raddb/sites-available/ldap_sync.adoc[ldap_sync]
* xref:raddb/sites-available/originate-coa.adoc[originate coa]
* xref:raddb/sites-available/proxy-inner-tunnel.adoc[proxy inner tunnel]
-* xref:raddb/sites-available/radius-acct.adoc[radius acct]
* xref:raddb/sites-available/robust-proxy-accounting.adoc[robust proxy accounting]
* xref:raddb/sites-available/status.adoc[status]
* xref:raddb/sites-available/tacacs.adoc[tacacs]
+++ /dev/null
-
-Tiny virtual server for the new server processing sections.
-
-Proxying is not yet possible.
-
-Acct-Type { } is no longer supported.
-
-```
-server radius-acct {
-namespace = radius
-
-```
-
-This is all the same as before
-
-```
-listen {
- type = acct
- ipaddr = *
- port = 3000
-
-}
-
-```
-
-"preacct"
-
-```
-recv Accounting-Request {
- ok
-}
-
-```
-
-"accounting"
-
-```
-send Accounting-Response {
- ok
-}
-
-} # server radius-acct
-```
-
-== Default Configuration
-
-```
-```
-
-// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
-// This documentation was developed by Network RADIUS SAS.
#
# The list of files to install.
#
-LOCAL_FILES := clients.conf dictionary experimental.conf \
+LOCAL_FILES := clients.conf dictionary \
radiusd.conf trigger.conf panic.gdb
DEFAULT_SITES := default inner-tunnel
+++ /dev/null
-# -*- text -*-
-#
-#
-# $Id$
-
-#######################################################################
-#
-# = Experimental modules
-#
-# This file contains the configuration for experimental modules.
-#
-# By default, it is *not* included in the build.
-#
-
-#
-# ## Example module configuration
-#
-# Configuration for the example module. Even if this modules is
-# loaded and initialised, it should have no real effect as long
-# it is not referenced in one of the virtual server sections.
-#
-
-example {
- #
- # boolean:: Boolean variable.
- #
- # Allowed values: `no` or `yes`
- #
- boolean = yes
-
- #
- # integer:: An integer, of any value:
- #
- integer = 16
-
- #
- # string:: A string.
- #
- string = "This is an example configuration string"
-
- #
- # ipaddr::
- #
- # An IP address, either in dotted quad (`1.2.3.4`) or
- # hostname (`example.com`).
- #
- ipaddr = 127.0.0.1
-
- #
- # mysubsection::
- #
- # A subsection.
- #
- mysubsection {
- #
- # anotherinteger::
- #
- anotherinteger = 1000
-
- #
- # deeply { ... }::
- #
- # Subsections nest.
- #
- deeply nested {
- string = "This is a different string"
- }
- }
-}
-
-#
-# ## Other experimental modules
-#
-# Instantiate a few instances of the idn module
-#
-
-#
-# .section without name.
-#
-idn {
-
-}
-
-#
-# .more commonly known as...
-#
-idn idna {
-}
-
-#
-# .another one.
-#
-idn idna_lenient {
- UseSTD3ASCIIRules = no
-}
+++ /dev/null
-#
-# A virtual server which is used to validate channel-bindings.
-#
-# $Id$
-#
-server channel_bindings {
- #
- # Only the "recv Access-Request" section is needed.
- #
- recv Access-Request {
- # In general this section should include a policy for each type
- # of channel binding that may be in use. For example each lower
- # layer such as GSS-EAP (RFC 7055) or IEEE 802.11I is likely to
- # need a separate channel binding policy.
- }
-}
+++ /dev/null
-######################################################################
-#
-# An example virtual server configuration.
-#
-# $Id$
-#
-######################################################################
-
-#
-# This client will be available to any "listen" section that
-# are defined outside of a virtual server section. However,
-# when the server receives a packet from this client, the
-# request will be processed through the "example" virtual
-# server, as the "client" section contains a configuration item
-# to that effect.
-#
-# Note that this client will be able to send requests to any
-# port defined in a global "listen" section. It will NOT,
-# however, be able to send requests to a port defined in a
-# "listen" section that is contained in a "server" section.
-#
-# With careful matching of configurations, you should be able
-# to:
-#
-# - Define one authentication port, but process each client
-# through a separate virtual server.
-#
-# - define multiple authentication ports, each with a private
-# list of clients.
-#
-# - define multiple authentication ports, each of which may
-# have the same client listed, but with different shared
-# secrets
-#
-# FYI: We use an address in the 192.0.2.* space for this example,
-# as RFC 3330 says that that /24 range is used for documentation
-# and examples, and should not appear on the net. You shouldn't
-# use it for anything, either.
-#
-
-client 192.0.2.10 {
- shortname = example-client
- secret = testing123
- virtual_server = example
-}
-
-######################################################################
-#
-# An example virtual server. It starts off with "server name {"
-# The "name" is used to reference this server from a "listen"
-# or "client" section.
-#
-######################################################################
-server example {
- #
- # Listen on 192.0.2.1:1812 for Access-Requests
- #
- # When the server receives a packet, it is processed
- # through the "recv ...", etc. sections listed here,
- # NOT the global ones the "default" site.
- #
- listen {
- ipaddr = 192.0.2.1
- port = 1821
- type = auth
- }
-
- #
- # This client is listed within the "server" section,
- # and is therefore known ONLY to the socket defined
- # in the "listen" section above. If the client IP
- # sends a request to a different socket, the server
- # will treat it as an unknown client, and will not
- # respond.
- #
- # In contrast, the client listed at the top of this file
- # is outside of any "server" section, and is therefore
- # global in scope. It can send packets to any port
- # defined in a global "listen" section. It CANNOT send
- # packets to the listen section defined above, though.
- #
- # Note that you don't have to have a "virtual_server = example"
- # line here, as the client is encapsulated within
- # the "server" section.
- #
- client 192.0.2.9 {
- shortname = example-client
- secret = testing123
- }
-
- recv Access-Request {
- #
- # Some example policies. See "man unlang" for more.
- #
- if (User-Name == "bob") {
- control.Password.Cleartext := "bob"
- }
-
- #
- # And then reject the user. The next line requires
- # that the "always reject {}" section is defined in
- # the "modules" section of radiusd.conf.
- #
- reject
- }
-
- send Access-Accept {
-
- }
-
- send Access-Reject {
- reply.Reply-Message = "This is only an example."
- }
-
-}
+++ /dev/null
-#
-# Tiny virtual server for the new server processing sections.
-#
-# Proxying is not yet possible.
-#
-# Acct-Type { } is no longer supported.
-#
-server radius-acct {
-namespace = radius
-
-#
-# This is all the same as before
-#
-listen {
- type = acct
- ipaddr = *
- port = 3000
-
-}
-
-#
-# "preacct"
-#
-recv Accounting-Request {
- ok
-}
-
-
-#
-# "accounting"
-#
-send Accounting-Response {
- ok
-}
-
-} # server radius-acct
projects / thirdparty / freeradius-server.git / commitdiff
