Diffstat (limited to 'roles/space_server/files')
| -rw-r--r-- | roles/space_server/files/radius/radiusd.conf | 184 | 
1 files changed, 149 insertions, 35 deletions
| diff --git a/roles/space_server/files/radius/radiusd.conf b/roles/space_server/files/radius/radiusd.conf index b345830..921e009 100644 --- a/roles/space_server/files/radius/radiusd.conf +++ b/roles/space_server/files/radius/radiusd.conf @@ -1,17 +1,41 @@  # -*- text -*-  ## -## radiusd.conf	-- FreeRADIUS server configuration file - 3.0.15 +## radiusd.conf	-- FreeRADIUS server configuration file - 3.0.21  ##  ##	http://www.freeradius.org/ -##	$Id: a83c1f6874e69df8692ebce57174bf0dd52fd502 $ +##	$Id: e8aee3c00193127177cd65e31156c1d0f4b124d3 $  ##  ######################################################################  # -#	Read "man radiusd" before editing this file.  See the section -#	titled DEBUGGING.  It outlines a method where you can quickly -#	obtain the configuration you want, without running into -#	trouble. +#	The format of this (and other) configuration file is +#	documented in "man unlang".  There are also READMEs in many +#	subdirectories: +# +#	  raddb/README.rst +#		How to upgrade from v2. +# +#	  raddb/mods-available/README.rst +#		How to use mods-available / mods-enabled. +#		All of the modules are in individual files, +#		along with configuration items and full documentation. +# +#	  raddb/sites-available/README +#		virtual servers, "listen" sections, clients, etc. +#		The "sites-available" directory contains many +#		worked examples of common configurations. +# +#	  raddb/certs/README +#		How to create certificates for EAP or RadSec. +# +#	Every configuration item in the server is documented +#	extensively in the comments in the example configuration +#	files. +# +#	Before editing this (or any other) configuration file, PLEASE +#	read "man radiusd".  See the section titled DEBUGGING.  It +#	outlines a method where you can quickly create the +#	configuration you want, with minimal effort.  #  #	Run the server in debugging mode, and READ the output.  # 
@@ -26,30 +50,36 @@  #	"warning", "error", "reject", or "failure".  The messages there  #	will usually be enough to guide you to a solution.  # +#	More documentation on "radiusd -X" is available on the wiki: +#		https://wiki.freeradius.org/radiusd-X +#  #	If you are going to ask a question on the mailing list, then  #	explain what you are trying to do, and include the output from  #	debugging mode (radiusd -X).  Failure to do so means that all  #	of the responses to your question will be people telling you  #	to "post the output of radiusd -X". - -######################################################################  # -#  	The location of other config files and logfiles are declared -#  	in this file. +#	Guidelines for posting to the mailing list are on the wiki: +#		https://wiki.freeradius.org/list-help +# +#	Please read those guidelines before posting to the list.  # -#  	Also general configuration for modules can be done in this -#  	file, it is exported through the API to modules that ask for -#  	it. +#	Further documentation is available in the "doc" directory +#	of the server distribution, or on the wiki at: +#		https://wiki.freeradius.org/  # -#	See "man radiusd.conf" for documentation on the format of this -#	file.  Note that the individual configuration items are NOT -#	documented in that "man" page.  They are only documented here, -#	in the comments. +#	New users to RADIUS should read the Technical Guide.  That guide +#	explains how RADIUS works, how FreeRADIUS works, and what each +#	part of a RADIUS system does.  It is not just "configure FreeRADIUS"! +#		https://networkradius.com/doc/FreeRADIUS-Technical-Guide.pdf  # -#	The "unlang" policy language can be used to create complex -#	if / else policies.  See "man unlang" for details. +#	More documentation on dictionaries, modules, unlang, etc. 
is also +#	available on the Network RADIUS web site: +#		https://networkradius.com/freeradius-documentation/  # +###################################################################### +  prefix = /usr  exec_prefix = /usr  sysconfdir = /etc @@ -207,7 +237,7 @@ max_request_time = 30  #  If this value is set too high, then the server will cache too many  #  requests, and some new requests may get blocked.  (See 'max_requests'.)  # -#  Useful range of values: 2 to 10 +#  Useful range of values: 2 to 30  #  cleanup_delay = 5 @@ -297,12 +327,31 @@ log {  	#  	stripped_names = no -	#  Log authentication requests to the log file. +	#  Log all (accept and reject) authentication results to the log file. +	# +	#  This is the same as setting "auth_accept = yes" and +	#  "auth_reject = yes"  	#  	#  allowed values: {no, yes}  	#  	auth = yes +	#  Log Access-Accept results to the log file. +	# +	#  This is only used if "auth = no" +	# +	#  allowed values: {no, yes} +	# +#	auth_accept = no + +	#  Log Access-Reject results to the log file. +	# +	#  This is only used if "auth = no" +	# +	#  allowed values: {no, yes} +	# +#	auth_reject = no +  	#  Log passwords with the authentication requests.  	#  auth_badpass  - logs password if it's rejected  	#  auth_goodpass - logs password if it's correct 
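Review bot: The `auth_badpass` / `auth_goodpass` values that follow the comment at the end of this hunk are outside the hunk, and the comment itself states that each one writes the user's password into the log file when rejected or accepted; confirm both remain `no` in the deployed file, since an Ansible template refresh is exactly where such a value can drift. The hunk also keeps `auth = yes`, which the new comment describes as logging every Access-Accept and Access-Reject, while the added `auth_accept` / `auth_reject` knobs only apply when `auth = no`; if only failures need to be visible on this host, `auth = no` together with `auth_reject = yes` would cut log volume and the amount of user data written to disk. The enclosing `log {` section starts before this hunk.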
@@ -332,6 +381,60 @@ log {  #  The program to execute to do concurrency checks.  checkrad = ${sbindir}/checkrad +# +#  ENVIRONMENT VARIABLES +# +#  You can reference environment variables using an expansion like +#  `$ENV{PATH}`.  However it is sometimes useful to be able to also set +#  environment variables.  This section lets you do that. +# +#  The main purpose of this section is to allow administrators to keep +#  RADIUS-specific configuration in the RADIUS configuration files. +#  For example, if you need to set an environment variable which is +#  used by a module.  You could put that variable into a shell script, +#  but that's awkward.  Instead, just list it here. +# +#  Note that these environment variables are set AFTER the +#  configuration file is loaded.  So you cannot set FOO here, and +#  expect to reference it via `$ENV{FOO}` in another configuration file. +#  You should instead just use a normal configuration variable for +#  that. +# +ENV { +	# +	#  Set environment varable `FOO` to value '/bar/baz'. +	# +	#  NOTE: Note that you MUST use '='.  You CANNOT use '+=' to append +	#  values. +	# +#	FOO = '/bar/baz' + +	# +	#  Delete environment variable `BAR`. +	# +#	BAR + +	# +	#  `LD_PRELOAD` is special.  It is normally set before the +	#  application runs, and is interpreted by the dynamic linker. +	#  Which means you cannot set it inside of an application, and +	#  expect it to load libraries. +	# +	#  Since this functionality is useful, we extend it here. +	# +	#  You can set +	# +	#  LD_PRELOAD = /path/to/library.so +	# +	#  and the server will load the named libraries.  Multiple +	#  libraries can be loaded by specificing multiple individual +	#  `LD_PRELOAD` entries. +	# +	# +#	LD_PRELOAD = /path/to/library1.so +#	LD_PRELOAD = /path/to/library2.so +} +  # SECURITY CONFIGURATION  #  #  There may be multiple methods of attacking on the server.  This 
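Review bot: The new `ENV` block states that `LD_PRELOAD = /path/to/library.so` makes the server itself load the named libraries, which turns write access to radiusd.conf into code execution inside the radiusd process; since this file appears to be shipped from an Ansible role (`roles/space_server/files`), the role should pin its ownership and mode so that only root can modify it, and I would record that above the block: `#  NOTE: any LD_PRELOAD listed here is loaded by radiusd itself; keep this file root-owned and not writable by the radiusd user.` Whether the libraries are loaded before or after the server drops privileges is not visible in this hunk, so the whole configuration directory should be treated as code either way. All entries in the block are commented out, so this commit sets nothing. Minor: `varable` and `specificing` in the added comments are typos.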
@@ -541,7 +644,7 @@ thread pool {  	#  	#  For more information, see 'max_request_time', above.  	# -	max_servers = 32 +	max_servers = 8  	#  Server-pool size regulation.  Rather than making you guess  	#  how many servers you need, FreeRADIUS dynamically adapts to @@ -575,12 +678,8 @@ thread pool {  	#  #	max_queue_size = 65536 -	#  There may be memory leaks or resource allocation problems with -	#  the server.  If so, set this value to 300 or so, so that the -	#  resources will be cleaned up periodically. -	# -	#  This should only be necessary if there are serious bugs in the -	#  server which have not yet been fixed. +	#  Clean up old threads periodically.  For no reason other than +	#  it might be useful.  	#  	#  '0' is a special value meaning 'infinity', or 'the servers never  	#  exit' @@ -647,6 +746,21 @@ modules {  	#  	# +	#  Some modules have ordering issues.  e.g. "sqlippool" uses +	#  the configuration from "sql".  In that case, the "sql" +	#  module must be read off of disk before the "sqlippool". +	#  However, the directory inclusion below just reads the +	#  directory from start to finish.  Which means that the +	#  modules are read off of disk randomly. +	# +	#  As of 3.0.18, you can list individual modules *before* the +	#  directory inclusion.  Those modules will be loaded first. +	#  Then, when the directory is read, those modules will be +	#  skipped and not read twice. +	# +#	$INCLUDE mods-enabled/sql + +	#  	#  As of 3.0, modules are in mods-enabled/.  Files matching  	#  the regex /[a-zA-Z0-9_.]+/ are loaded.  The modules are  	#  initialized ONLY if they are referenced in a processing 
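Review bot: `max_servers = 8` is a local override (the removed line had 32) with no comment saying it is intentional, so the next template refresh is likely to either clobber it or carry it forward blindly; add a line directly above it such as `#  Local override (upstream template value is 32): reduced for this host's expected load` with the real reason. With `max_request_time = 30` (visible in an earlier hunk header), eight slow backend authentications can occupy every thread for up to 30 s and block new requests, so the value should be checked against the expected NAS load rather than inherited. The enclosing `thread pool {` section starts before this hunk.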
@@ -658,14 +772,14 @@ modules {  # Instantiation  # -#  This section orders the loading of the modules.  Modules -#  listed here will get loaded BEFORE the later sections like -#  authorize, authenticate, etc. get examined. +#  This section sets the instantiation order of the modules.  listed +#  here will get started up BEFORE the sections like authorize, +#  authenticate, etc. get examined.  # -#  This section is not strictly needed.  When a section like -#  authorize refers to a module, it's automatically loaded and -#  initialized.  However, some modules may not be listed in any -#  of the following sections, so they can be listed here. +#  This section is not strictly needed.  When a section like authorize +#  refers to a module, the module is automatically loaded and +#  initialized.  However, some modules may not be listed in any of the +#  processing sections, so they should be listed here.  #  #  Also, listing modules here ensures that you have control over  #  the order in which they are initialized.  If one module needs | 
