radiusd.conf
# all comments have been removed:
#
# FreeRADIUS server configuration (radiusd.conf). Directory layout, listener
# addresses, logging/security limits, module instances and the processing
# sections (authorize/authenticate/accounting/...) are all defined here.

# ---- Directory layout: every later path is derived from ${prefix} ----
prefix = /usr/local/freeradius
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
log_destination = files
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid

# ---- Request handling limits ----
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
# Upper bound on requests held in memory at once; also bounds memory use
# under a flood of requests.
max_requests = 1024

# ---- Listeners: bound to one explicit address, not 0.0.0.0 ----
# port = 0 means "use the default port from /etc/services" (as documented in
# the stock radiusd.conf); auth and acct get separate sockets.
listen { ipaddr = 147.173.1.26 port = 0 type = auth }
listen { ipaddr = 147.173.1.26 port = 0 type = acct }
hostname_lookups = no
# Core files could expose in-memory secrets (e.g. the LDAP bind password
# below), so they stay disabled.
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes

# ---- Logging ----
log { syslog_facility = daemon }
log_stripped_names = no
log_auth = no
# Neither good nor bad passwords are written to the log.
log_auth_badpass = no
log_auth_goodpass = no
checkrad = ${sbindir}/checkrad

# ---- Hardening knobs ----
# max_attributes caps attributes per packet (malformed/oversized packets are
# dropped); reject_delay delays every Access-Reject by 1s, which slows down
# password guessing; status_server = no means Status-Server probes are ignored.
security { max_attributes = 200 reject_delay = 1 status_server = no }

# Proxying is enabled; realms/home servers live in proxy.conf, NAS shared
# secrets in clients.conf (both outside this file).
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 }

# ---- Module instances ----
modules {
    pap { auto_header = no }
    chap { authtype = CHAP }
    pam { pam_auth = radiusd }
    unix { radwtmp = ${logdir}/radwtmp }
    $INCLUDE ${confdir}/eap.conf
    mschap { }

    # LDAP instance used for Autz-Type/Auth-Type LDAP below.
    # NOTE(review): the bind credential ("password") is stored in cleartext in
    # this file, so this file's permissions are what protect it. With
    # start_tls = no and no ldaps:// scheme on "server", the bind and the user
    # lookups presumably traverse the network unencrypted -- confirm whether a
    # TLS-protected path to the directory is available.
    # The filter interpolates the (stripped) User-Name; escaping of that value
    # is handled by the ldap module's xlat, not by this file -- verify for the
    # deployed server version.
    ldap ldap {
        server = "ldap-neel.grenoble.cnrs.fr"
        identity = "cn=radius,dc=grenoble,dc=cnrs,dc=fr"
        password = admin-pwd
        basedn = "dc=grenoble,dc=cnrs,dc=fr"
        # Matches on uid, on mail, or on mail with the local domain appended.
        filter = "(|(|(uid=%{Stripped-User-Name:-%{User-Name}})(mail=%{Stripped-User-Name:-%{User-Name}}))(mail=%{Stripped-User-Name:-%{User-Name}}@grenoble.cnrs.fr))"
        base_filter = "(objectclass=radiusprofile)"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls { start_tls = no }
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        auto_header = yes
        groupname_attribute = radiusGroupName
        # Earlier variant of the group filter, kept commented out.
        #groupmembership_filter = "(|(&(uid=%{Stripped-User-Name:-%{User-Name}}))(&(aliasMail=%{Stripped-User-Name:-%{User-Name}})))(objectclass=radiusProfile)"
        groupmembership_filter = "(|(|(uid=%{Stripped-User-Name:-%{User-Name}})(mail=%{Stripped-User-Name:-%{User-Name}}))(mail=%{Stripped-User-Name:-%{User-Name}}@grenoble.cnrs.fr))"
        groupmembership_attribute = radiusGroupName
    }

    # Realm splitting: only "suffix" is referenced in the sections below.
    realm IPASS { format = prefix delimiter = "/" }
    realm suffix { format = suffix delimiter = "@" }
    realm realmpercent { format = suffix delimiter = "%" }
    realm ntdomain { format = prefix delimiter = "\\" }
    checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string }

    # Rewrites applied to proxy replies (see post.proxy.mcbt below): they add
    # the three tunnel attributes that place the session in VLAN 244.
    attr_rewrite addtunneltype { attribute = Tunnel-Type searchin = proxy_reply searchfor = "[+ ]" replacewith = "VLAN" new_attribute = yes }
    attr_rewrite addtunnelmediumtype { attribute = Tunnel-Medium-Type searchin = proxy_reply searchfor = "[+ ]" replacewith = "IEEE-802" new_attribute = yes }
    attr_rewrite addvlanmcbt { attribute = Tunnel-Private-Group-ID searchin = proxy_reply searchfor = "[+ ]" replacewith = "244" new_attribute = yes }

    preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no }
    files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users compat = no }
    # One accounting detail file per client address per day; detail files
    # carry session/user data, hence owner-only permissions.
    detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 header = "%t" }
    acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" }
    # sql instance (DB credentials) is defined in sql.conf, outside this file.
    $INCLUDE ${confdir}/sql.conf

    # Session database. The "s" variant is world-readable (0644) while the
    # main one is 0600 -- the sradutmp copy stores callerid = "no", so it holds
    # less data, but check that 0644 is intended.
    radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" }
    radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" }

    attr_filter attr_filter.post-proxy { attrsfile = ${confdir}/attrs }
    attr_filter attr_filter.pre-proxy { attrsfile = ${confdir}/attrs.pre-proxy }

    counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 }

    # SQL-backed session-time counters. %{%k} expands to the key (User-Name)
    # and is interpolated straight into the SQL text; how that value is
    # escaped depends on the sql module's settings in sql.conf -- verify.
    sqlcounter dailycounter {
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        sqlmod-inst = sql
        key = User-Name
        reset = daily
        query = "SELECT SUM(AcctSessionTime - \
            GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
            FROM radacct WHERE UserName='%{%k}' AND \
            UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
    }
    sqlcounter monthlycounter {
        counter-name = Monthly-Session-Time
        check-name = Max-Monthly-Session
        sqlmod-inst = sql
        key = User-Name
        reset = monthly
        query = "SELECT SUM(AcctSessionTime - \
            GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
            FROM radacct WHERE UserName='%{%k}' AND \
            UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
    }

    always fail { rcode = fail }
    always reject { rcode = reject }
    always ok { rcode = ok simulcount = 0 mpp = no }
    expr { }
    digest { }
    expiration { reply-message = "Password Has Expired\r\n" }
    logintime { reply-message = "You are calling outside your allowed timespan\r\n" minimum-timeout = 60 }

    # External program execution. shell_escape = yes escapes the interpolated
    # attribute values (User-Name is attacker-controlled input) before they are
    # passed to the program.
    exec { wait = yes input_pairs = request shell_escape = yes output = none }
    exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply shell_escape = yes }

    # NOTE(review): a second, empty "logintime" instance -- same name as the
    # one defined above with reply-message/minimum-timeout. Which definition
    # the server keeps is not visible here; one of them looks redundant.
    logintime { }
}

instantiate { exec expr expiration logintime }

# ---- Processing sections ----
# authorize: LDAP lookup only runs when Autz-Type is LDAP; pap last so the
# password check attribute is set after the other modules ran.
authorize { preprocess chap mschap unix suffix eap files Autz-Type LDAP { ldap } expiration logintime pap }
authenticate { Auth-Type LDAP { ldap } eap }
preacct { preprocess acct_unique suffix files }
accounting { detail unix radutmp sql }
session { radutmp }
post-auth { }
pre-proxy { files }
# Proxy replies tagged Post-Proxy-Type post.proxy.mcbt get the VLAN 244
# tunnel attributes added (the three attr_rewrite instances above).
post-proxy { Post-Proxy-Type post.proxy.mcbt { addtunneltype addtunnelmediumtype addvlanmcbt } eap }