From 30671c89460abef279679f23be59f5a0d0df7d20 Mon Sep 17 00:00:00 2001 From: Emil Renner Berthing Date: Fri, 19 Jun 2020 18:08:07 +0200 Subject: space_server: radius: update radiusd.conf --- roles/space_server/files/radius/radiusd.conf | 184 ++++++++++++++++++++++----- 1 file changed, 149 insertions(+), 35 deletions(-) (limited to 'roles/space_server') diff --git a/roles/space_server/files/radius/radiusd.conf b/roles/space_server/files/radius/radiusd.conf index b345830..921e009 100644 --- a/roles/space_server/files/radius/radiusd.conf +++ b/roles/space_server/files/radius/radiusd.conf @@ -1,17 +1,41 @@ # -*- text -*- ## -## radiusd.conf -- FreeRADIUS server configuration file - 3.0.15 +## radiusd.conf -- FreeRADIUS server configuration file - 3.0.21 ## ## http://www.freeradius.org/ -## $Id: a83c1f6874e69df8692ebce57174bf0dd52fd502 $ +## $Id: e8aee3c00193127177cd65e31156c1d0f4b124d3 $ ## ###################################################################### # -# Read "man radiusd" before editing this file. See the section -# titled DEBUGGING. It outlines a method where you can quickly -# obtain the configuration you want, without running into -# trouble. +# The format of this (and other) configuration file is +# documented in "man unlang". There are also READMEs in many +# subdirectories: +# +# raddb/README.rst +# How to upgrade from v2. +# +# raddb/mods-available/README.rst +# How to use mods-available / mods-enabled. +# All of the modules are in individual files, +# along with configuration items and full documentation. +# +# raddb/sites-available/README +# virtual servers, "listen" sections, clients, etc. +# The "sites-available" directory contains many +# worked examples of common configurations. +# +# raddb/certs/README +# How to create certificates for EAP or RadSec. +# +# Every configuration item in the server is documented +# extensively in the comments in the example configuration +# files. +# +# Before editing this (or any other) configuration file, PLEASE +# read "man radiusd". See the section titled DEBUGGING. It +# outlines a method where you can quickly create the +# configuration you want, with minimal effort. # # Run the server in debugging mode, and READ the output. # @@ -26,30 +50,36 @@ # "warning", "error", "reject", or "failure". The messages there # will usually be enough to guide you to a solution. # +# More documentation on "radiusd -X" is available on the wiki: +# https://wiki.freeradius.org/radiusd-X +# # If you are going to ask a question on the mailing list, then # explain what you are trying to do, and include the output from # debugging mode (radiusd -X). Failure to do so means that all # of the responses to your question will be people telling you # to "post the output of radiusd -X". - -###################################################################### # -# The location of other config files and logfiles are declared -# in this file. +# Guidelines for posting to the mailing list are on the wiki: +# https://wiki.freeradius.org/list-help +# +# Please read those guidelines before posting to the list. # -# Also general configuration for modules can be done in this -# file, it is exported through the API to modules that ask for -# it. +# Further documentation is available in the "doc" directory +# of the server distribution, or on the wiki at: +# https://wiki.freeradius.org/ # -# See "man radiusd.conf" for documentation on the format of this -# file. Note that the individual configuration items are NOT -# documented in that "man" page. They are only documented here, -# in the comments. +# New users to RADIUS should read the Technical Guide. That guide +# explains how RADIUS works, how FreeRADIUS works, and what each +# part of a RADIUS system does. It is not just "configure FreeRADIUS"! +# https://networkradius.com/doc/FreeRADIUS-Technical-Guide.pdf # -# The "unlang" policy language can be used to create complex -# if / else policies. See "man unlang" for details. +# More documentation on dictionaries, modules, unlang, etc. is also +# available on the Network RADIUS web site: +# https://networkradius.com/freeradius-documentation/ # +###################################################################### + prefix = /usr exec_prefix = /usr sysconfdir = /etc @@ -207,7 +237,7 @@ max_request_time = 30 # If this value is set too high, then the server will cache too many # requests, and some new requests may get blocked. (See 'max_requests'.) # -# Useful range of values: 2 to 10 +# Useful range of values: 2 to 30 # cleanup_delay = 5 @@ -297,12 +327,31 @@ log { # stripped_names = no - # Log authentication requests to the log file. + # Log all (accept and reject) authentication results to the log file. + # + # This is the same as setting "auth_accept = yes" and + # "auth_reject = yes" # # allowed values: {no, yes} # auth = yes + # Log Access-Accept results to the log file. + # + # This is only used if "auth = no" + # + # allowed values: {no, yes} + # +# auth_accept = no + + # Log Access-Reject results to the log file. + # + # This is only used if "auth = no" + # + # allowed values: {no, yes} + # +# auth_reject = no + # Log passwords with the authentication requests. # auth_badpass - logs password if it's rejected # auth_goodpass - logs password if it's correct @@ -332,6 +381,60 @@ log { # The program to execute to do concurrency checks. checkrad = ${sbindir}/checkrad +# +# ENVIRONMENT VARIABLES +# +# You can reference environment variables using an expansion like +# `$ENV{PATH}`. However it is sometimes useful to be able to also set +# environment variables. This section lets you do that. +# +# The main purpose of this section is to allow administrators to keep +# RADIUS-specific configuration in the RADIUS configuration files. +# For example, if you need to set an environment variable which is +# used by a module. You could put that variable into a shell script, +# but that's awkward. Instead, just list it here. +# +# Note that these environment variables are set AFTER the +# configuration file is loaded. So you cannot set FOO here, and +# expect to reference it via `$ENV{FOO}` in another configuration file. +# You should instead just use a normal configuration variable for +# that. +# +ENV { + # + # Set environment varable `FOO` to value '/bar/baz'. + # + # NOTE: Note that you MUST use '='. You CANNOT use '+=' to append + # values. + # +# FOO = '/bar/baz' + + # + # Delete environment variable `BAR`. + # +# BAR + + # + # `LD_PRELOAD` is special. It is normally set before the + # application runs, and is interpreted by the dynamic linker. + # Which means you cannot set it inside of an application, and + # expect it to load libraries. + # + # Since this functionality is useful, we extend it here. + # + # You can set + # + # LD_PRELOAD = /path/to/library.so + # + # and the server will load the named libraries. Multiple + # libraries can be loaded by specificing multiple individual + # `LD_PRELOAD` entries. + # + # +# LD_PRELOAD = /path/to/library1.so +# LD_PRELOAD = /path/to/library2.so +} + # SECURITY CONFIGURATION # # There may be multiple methods of attacking on the server. This @@ -541,7 +644,7 @@ thread pool { # # For more information, see 'max_request_time', above. # - max_servers = 32 + max_servers = 8 # Server-pool size regulation. Rather than making you guess # how many servers you need, FreeRADIUS dynamically adapts to @@ -575,12 +678,8 @@ thread pool { # # max_queue_size = 65536 - # There may be memory leaks or resource allocation problems with - # the server. If so, set this value to 300 or so, so that the - # resources will be cleaned up periodically. - # - # This should only be necessary if there are serious bugs in the - # server which have not yet been fixed. + # Clean up old threads periodically. For no reason other than + # it might be useful. # # '0' is a special value meaning 'infinity', or 'the servers never # exit' @@ -646,6 +745,21 @@ modules { # for an example. # + # + # Some modules have ordering issues. e.g. "sqlippool" uses + # the configuration from "sql". In that case, the "sql" + # module must be read off of disk before the "sqlippool". + # However, the directory inclusion below just reads the + # directory from start to finish. Which means that the + # modules are read off of disk randomly. + # + # As of 3.0.18, you can list individual modules *before* the + # directory inclusion. Those modules will be loaded first. + # Then, when the directory is read, those modules will be + # skipped and not read twice. + # +# $INCLUDE mods-enabled/sql + # # As of 3.0, modules are in mods-enabled/. Files matching # the regex /[a-zA-Z0-9_.]+/ are loaded. The modules are @@ -658,14 +772,14 @@ modules { # Instantiation # -# This section orders the loading of the modules. Modules -# listed here will get loaded BEFORE the later sections like -# authorize, authenticate, etc. get examined. +# This section sets the instantiation order of the modules. listed +# here will get started up BEFORE the sections like authorize, +# authenticate, etc. get examined. # -# This section is not strictly needed. When a section like -# authorize refers to a module, it's automatically loaded and -# initialized. However, some modules may not be listed in any -# of the following sections, so they can be listed here. +# This section is not strictly needed. When a section like authorize +# refers to a module, the module is automatically loaded and +# initialized. However, some modules may not be listed in any of the +# processing sections, so they should be listed here. # # Also, listing modules here ensures that you have control over # the order in which they are initialized. If one module needs -- cgit v1.2.1