CONFIGURATION FILES
From FreeRADIUS Wiki
Contents |
CONFIGURATION FILES
For every file there is a fully commented example file included, that explains what is does, and how to use it. Read those sample files too! Again, many of the configuration files are ONLY documented in the comments included in the files. Reading the configuration files is REQUIRED to fully understand how to create complex configurations of the server.
CLIENTS
Make sure the clients (portmasters, Linux with portslave etc) are set up to use the host FreeRADIUS is running on as authentication and accounting host. Configure these clients to use a "radius secret password". For every client, also enter this "secret password" into the file /etc/raddb/clients.conf
NASLIST
Every NAS (Network Access Server, also known as terminal server) should have an entry in this file with an abbreviated name and the type of NAS it is. Currently FreeRADIUS supports the following NAS types:
| Terminal Server | Type in naslist |
|---|---|
| 3Com/USR Hiper Arc Total Control | usrhiper |
| 3Com/USR NetServer | netserver |
| 3Com/USR TotalControl | tc |
| Ascend Max 4000 family | max40xx |
| Ascend MaxTNT | ascend |
| Cisco Access Server family | cisco |
| Cistron PortSlave | portslave |
| Computone PowerRack | computone |
| Cyclades PathRAS | pathras |
| Livingston PortMaster | livingston |
| Multitech CommPlete Server | multitech |
| Patton 2800 family | patton |
Usually this is the same list as in the "clients" file, but not every NAS is a client and not every client is a NAS (this will start to make sense if you use radius proxy servers).
NASPASSWD
If ”checkrad” needs to login on your terminal server to check who is on line on a certain port (i.e. it's not possible to use SNMP or finger) you need to define a login name and password here.
This is normally ONLY needed for USR/3Com Total Control, NetServer and Cyclades PathRAS terminal servers!
HINTS
Customise the /etc/raddb/hints file. This file is used to give users a different login type based on a prefix/suffix of their login name. For example, logging in as "user" may result in a rlogin session to a Unix system, and logging in as "Puser" could start a PPP session.
HUNTGROUPS
This is the /etc/raddb/huntgroups file. Here you can define different huntgroups. These can be used to:
- restrict access to certain huntgroups to certain users/groups of users (define this in the huntgroups file itself)
- match a login name with a huntgroup in /etc/raddb/users. One use for this is to give a user a static IP address based on the huntgroup / Point of Presence the user dials in to.
USERS
With the original RADIUS server, every user had to be defined in this file. There could be one default entry, where you could for example define that a user not in the radius file would be checked against the UNIX password file and on successful login would get a PPP connection.
In the new style file, you can define multiple DEFAULT entries. All entries are processed in the order as they appear in the users file. If an entry matches the user name, radiusd will stop scanning the users file unless the attribute "Fall-Through = Yes" is set.
You can uses spaces in user names by escaping them with \ or by using quotes. For example, "joe user" or joe\ user.
FreeRADIUS does not trim any spaces from a user name received from the portmaster (livingston does, in perl notation, $user =~ s/\s+.*//;)
NEW RADIUS ATTRIBUTES (used in the USERS file).
| Name | Type | Description |
|---|---|---|
| Simultaneous-Use | integer | Max. number of concurrent logins |
| Fall-Through | integer | Yes/No |
| Login-Time | string | Defines when user may login. |
| Current-Time | string | Allows you to perform time-based checks when a request is received. |
Login-Time defines the time span a user may login to the system. The format of a so-called time string is like the format used by UUCP. A time string may be a list of simple time strings separated by "|" or ",".
Each simple time string must begin with a day definition. That can be just one day, multiple days, or a range of days separated by a hyphen. A day is Mo, Tu, We, Th, Fr, Sa or Su, or Wk for Mo-Fr. "Any" or "Al" means all days.
After that a range of hours follows in hhmm-hhmm format. For example:
"Wk2305-0855,Sa,Su2305-1655".
radiusd calculates the number of seconds left in the time span, and sets the Session-Timeout to that number of seconds. So if someone's Login-Time is "Al0800-1800" and she logs in at 17:30, Session-Timeout is set to 1800 seconds so that she is kicked off at 18:00.