Radius Config
-
Upload
lumbhani-vishal -
Category
Documents
-
view
270 -
download
0
description
Transcript of Radius Config
-
7/17/2019 Radius Config
1/29
######################################################################## As of 2.0.0, FreeRADIUS supports virtual hosts using the# "server" section, and configuration directives.## Virtual hosts should be put into the "sites-available"# directory. Soft links should be created in the "sites-enabled"# directory to these files. This is done in a normal installation.## If you are using 802.1X (EAP) authentication, please see also# the "inner-tunnel" virtual server. You will likely have to edit# that, too, for authentication to work.## $Id: 1c971b91af0989695896f7dbd31ae8befbafca76 $######################################################################### Read "man radiusd" before editing this file. See the section# titled DEBUGGING. It outlines a method where you can quickly# obtain the configuration you want, without running into# trouble. See also "man unlang", which documents the format# of this file.## This configuration is designed to work in the widest possible
# set of circumstances, with the widest possible number of# authentication methods. This means that in general, you should# need to make very few changes to this file.## The best way to configure the server for your local system# is to CAREFULLY edit this file. Most attempts to make large# edits to this file will BREAK THE SERVER. Any edits should# be small, and tested by running the server with "radiusd -X".# Once the edits have been verified to work, save a copy of these# configuration files somewhere. (e.g. as a "tar" file). Then,# make more edits, and test, as above.## There are many "commented out" references to modules such
# as ldap, sql, etc. These references serve as place-holders.# If you need the functionality of that module, then configure# it in radiusd.conf, and un-comment the references to it in# this file. In most cases, those small changes will result# in the server being able to connect to the DB, and to# authenticate users.#######################################################################
server default {## If you want the server to listen on additional addresses, or on# additional ports, you can use multiple "listen" sections.
## Each section make the server listen for only one type of packet,# therefore authentication and accounting have to be configured in# different sections.## The server ignore all "listen" section if you are using '-i' and '-p'# on the command line.#listen {
# Type of packets to listen for.
-
7/17/2019 Radius Config
2/29
# Allowed values are:# auth listen for authentication packets# acct listen for accounting packets# proxy IP to use for sending proxied packets# detail Read from the detail file. For examples, see# raddb/sites-available/copy-acct-to-home-server# status listen for Status-Server packets. For examples,# see raddb/sites-available/status# coa listen for CoA-Request and Disconnect-Request# packets. For examples, see the file# raddb/sites-available/coa#type = auth
# Note: "type = proxy" lets you control the source IP used for# proxying packets, with some limitations:## * A proxy listener CANNOT be used in a virtual server section.# * You should probably set "port = 0".# * Any "clients" configuration will be ignored.## See also proxy.conf, and the "src_ipaddr" configuration entry# in the sample "home_server" section. When you specify the# source IP address for packets sent to a home server, the
# proxy listeners are automatically created.
# ipaddr/ipv4addr/ipv6addr - IP address on which to listen.# Out of several options the first one will be used.## Allowed values are:# IPv4 address (e.g. 1.2.3.4, for ipv4addr/ipaddr)# IPv6 address (e.g. 2001:db8::1, for ipv6addr/ipaddr)# hostname (radius.example.com,# A record for ipv4addr,# AAAA record for ipv6addr,# A or AAAA record for ipaddr)# wildcard (*)
## ipv4addr = *# ipv6addr = *ipaddr = *
# Port on which to listen.# Allowed values are:# integer port number (1812)# 0 means "use /etc/services for the proper port"port = 0
# Some systems support binding to an interface, in addition# to the IP address. This feature isn't strictly necessary,
# but for sites with many IP addresses on one interface,# it's useful to say "listen on all addresses for eth0".## If your system does not support this feature, you will# get an error if you try to use it.#
# interface = eth0
# Per-socket lists of clients. This is a very useful feature.#
-
7/17/2019 Radius Config
3/29
# The name here is a reference to a section elsewhere in# radiusd.conf, or clients.conf. Having the name as# a reference allows multiple sockets to use the same# set of clients.## If this configuration is used, then the global list of clients# is IGNORED for this "listen" section. Take care configuring# this feature, to ensure you don't accidentally disable a# client you need.## See clients.conf for the configuration of "per_socket_clients".#
# clients = per_socket_clients
## Connection limiting for sockets with "proto = tcp".## This section is ignored for other kinds of sockets.#limit { # # Limit the number of simultaneous TCP connections to the socket # # The default is 16.
# Setting this to 0 means "no limit" max_connections = 16
# The per-socket "max_requests" option does not exist.
# # The lifetime, in seconds, of a TCP connection. After # this lifetime, the connection will be closed. # # Setting this to 0 means "forever". lifetime = 0
#
# The idle timeout, in seconds, of a TCP connection. # If no packets have been received over the connection for # this time, the connection will be closed. # # Setting this to 0 means "no timeout". # # We STRONGLY RECOMMEND that you set an idle timeout. # idle_timeout = 30}
}
#
# This second "listen" section is for listening on the accounting# port, too.#listen {
ipaddr = *# ipv6addr = ::
port = 0type = acct
# interface = eth0# clients = per_socket_clients
-
7/17/2019 Radius Config
4/29
limit {# The number of packets received can be rate limited via the# "max_pps" configuration item. When it is set, the server# tracks the total number of packets received in the previous# second. If the count is greater than "max_pps", then the# new packet is silently discarded. This helps the server# deal with overload situations.## The packets/s counter is tracked in a sliding window. This# means that the pps calculation is done for the second# before the current packet was received. NOT for the current# wall-clock second, and NOT for the previous wall-clock second
.## Useful values are 0 (no limit), or 100 to 10000.# Values lower than 100 will likely cause the server to ignore# normal traffic. Few systems are capable of handling more tha
n# 10K packets/s.## It is most useful for accounting systems. Set it to 50%# more than the normal accounting load, and you can be sure tha
t
# the server will never get overloaded## max_pps = 0
# Only for "proto = tcp". These are ignored for "udp" sockets.#
# idle_timeout = 0# lifetime = 0# max_connections = 0
}}
# IPv6 versions of the above - read their full config to understand options
listen {type = authipv6addr = :: # any. ::1 == localhostport = 0
# interface = eth0# clients = per_socket_clients
limit { max_connections = 16 lifetime = 0 idle_timeout = 30}
}
listen {ipv6addr = ::port = 0type = acct
# interface = eth0# clients = per_socket_clients
limit {# max_pps = 0# idle_timeout = 0
-
7/17/2019 Radius Config
5/29
# lifetime = 0# max_connections = 0
}}
# Authorization. First preprocess (hints and huntgroups files),# then realms, and finally look in the "users" file.## Any changes made here should also be made to the "inner-tunnel"# virtual server.## The order of the realm modules will determine the order that# we try to find a matching realm.## Make *sure* that 'preprocess' comes before any realm if you# need to setup hints for the remote radius serverauthorize {
## Take a User-Name, and perform some checks on it, for spaces and other# invalid characters. If the User-Name appears invalid, reject the# request.## See policy.d/filter for the definition of the filter_username policy.#
#filter_username
## The preprocess module takes care of sanitizing some bizarre# attributes in the request, and turning them into attributes# which are more standard.## It takes care of processing the 'raddb/hints' and the# 'raddb/huntgroups' files.preprocess
update request { Huntgroup-Name := "%{sql:select groupname from radhuntgroup wher
e nasipaddress='%{NAS-IP-Address}'}" }
if ("%{sql:INSERT INTO radprotologs (datetime, username, protomsg, nasip, nasportid) VALUES (SYSDATE,'%{User-Name}','Access-Request' ,'%{NAS-IP-Address}' ,'%{NAS-Port-Id}')}") { ok }
if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){ update request { Calling-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
} } else { noop }
# If you intend to use CUI and you require that the Operator-Name# be set for CUI generation and you want to generate CUI also# for your local clients then uncomment the operator-name# below and set the operator-name for your clients in clients.conf
-
7/17/2019 Radius Config
6/29
# operator-name
## If you want to generate CUI for some clients that do not# send proper CUI requests, then uncomment the# cui below and set "add_cui = yes" for these clients in clients.conf
# cui
## If you want to have a log of authentication requests,# un-comment the following line.
# auth_log
## The chap module will set 'Auth-Type := CHAP' if we are# handling a CHAP request and Auth-Type has not already been setchap
## If the users are logging in with an MS-CHAP-Challenge# attribute for authentication, the mschap module will find# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'# to the request, which will cause the server to then use# the mschap module for authentication.
# mschap
## If you have a Cisco SIP server authenticating against# FreeRADIUS, uncomment the following line, and the 'digest'# line in the 'authenticate' section.
# digest
## The WiMAX specification says that the Calling-Station-Id# is 6 octets of the MAC. This definition conflicts with# RFC 3580, and all common RADIUS practices. Un-commenting# the "wimax" module here means that it will fix the
# Calling-Station-Id attribute to the normal format as# specified in RFC 3580 Section 3.21# wimax
## Look for IPASS style 'realm/', and if not found, look for# '@realm', and decide whether or not to proxy, based on# that.
# IPASS
## If you are using multiple kinds of realms, you probably# want to set "ignore_null = yes" for all of them.
# Otherwise, when the first style of realm doesn't match,# the other styles won't be checked.#
# suffix# ntdomain
## This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP# authentication.#
-
7/17/2019 Radius Config
7/29
# It also sets the EAP-Type attribute in the request# attribute list to the EAP type from the packet.## As of 2.0, the EAP module returns "ok" in the authorize stage# for TTLS and PEAP. In 1.x, it never returned "ok" here, so# this change is compatible with older configurations.## The example below uses module failover to avoid querying all# of the following modules if the EAP module returns "ok".# Therefore, your LDAP and/or SQL servers will not be queried# for the many packets that go back and forth to set up TTLS# or PEAP. The load on those servers will therefore be reduced.##eap {# ok = return#}
## Pull crypt'd passwords from /etc/passwd or /etc/shadow,# using the system API's to get the password. If you want# to read /etc/passwd or /etc/shadow directly, see the# passwd module in radiusd.conf.#
# unix
## Read the 'users' file#files
## Look in an SQL database. The schema of the database# is meant to mirror the "users" file.## See "Authorization Queries" in sql.conf-sql
#
# If you are using /etc/smbpasswd, and are also doing# mschap authentication, the un-comment this line, and# configure the 'smbpasswd' module.
# smbpasswd
## The ldap module reads passwords from the LDAP database.
# -ldap
## Enforce daily limits on time spent logged in.
# daily
#expirationlogintime
## If no other module has claimed responsibility for# authentication, then try to use PAP. This allows the# other modules listed above to add a "known good" password# to the request, and to do nothing else. The PAP module# will then see that password, and use it to do PAP
-
7/17/2019 Radius Config
8/29
# authentication.## This module should be listed last, so that the other modules# get a chance to set Auth-Type for themselves.#pap
## If "status_server = yes", then Status-Server messages are passed# through the following section, and ONLY the following section.# This permits you to do DB queries, for example. If the modules# listed here return "fail", then NO response is sent.#
# Autz-Type Status-Server {## }}
# Authentication.### This section lists which modules are available for authentication.# Note that it does NOT mean 'try each module in order'. It means
# that a module from the 'authorize' section adds a configuration# attribute 'Auth-Type := FOO'. That authentication type is then# used to pick the appropriate module from the list below.#
# In general, you SHOULD NOT set the Auth-Type attribute. The server# will figure it out on its own, and will do the right thing. The# most common side effect of erroneously setting the Auth-Type# attribute is that one authentication method will work, but the# others will not.## The common reasons to set the Auth-Type attribute by hand# is to either forcibly reject the user (Auth-Type := Reject),
# or to or forcibly accept the user (Auth-Type := Accept).## Note that Auth-Type := Accept will NOT work with EAP.## Please do not put "unlang" configurations into the "authenticate"# section. Put them in the "post-auth" section instead. That's what# the post-auth section is for.#authenticate {
## PAP authentication, when a back-end database listed# in the 'authorize' section supplies a password. The# password can be clear-text, or encrypted.
Auth-Type PAP {pap
}
## Most people want CHAP authentication# A back-end database listed in the 'authorize' section# MUST supply a CLEAR TEXT password. Encrypted passwords# won't work.#Auth-Type CHAP {
-
7/17/2019 Radius Config
9/29
# chap#}
## MSCHAP authentication.#Auth-Type MS-CHAP {# mschap#}
## If you have a Cisco SIP server authenticating against# FreeRADIUS, uncomment the following line, and the 'digest'# line in the 'authorize' section.#digest
## Pluggable Authentication Modules.pam
# Uncomment it if you want to use ldap for authentication## Note that this means "check plain-text password against# the ldap database", which means that EAP won't work,# as it does not supply a plain-text password.
## We do NOT recommend using this. LDAP servers are databases.# They are NOT authentication servers. FreeRADIUS is an# authentication server, and knows what to do with authentication.# LDAP servers do not.#
# Auth-Type LDAP {# ldap# }
## Allow EAP authentication.eap
## The older configurations sent a number of attributes in# Access-Challenge packets, which wasn't strictly correct.# If you want to filter out these attributes, uncomment# the following lines.#
# Auth-Type eap {# eap {# handled = 1# }# if (handled && (Response-Packet-Type == Access-Challenge)) {# attr_filter.access_challenge.post-auth
# handled # override the "updated" code from attr_filter# }# }}
## Pre-accounting. Decide which accounting type to use.#preacct {
-
7/17/2019 Radius Config
10/29
preprocessif (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f
]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){ update request { Calling-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" } }
else { noop }
## Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets# into a single 64bit counter Acct-[Input|Output]-Octets64.#
# acct_counters64
## Session start times are *implied* in RADIUS.# The NAS never sends a "start time". Instead, it sends# a start packet, *possibly* with an Acct-Delay-Time.# The server is supposed to conclude that the start time# was "Acct-Delay-Time" seconds in the past.
## The code below creates an explicit start time, which can# then be used in other modules. It will be *mostly* correct.# Any errors are due to the 1-second resolution of RADIUS,# and the possibility that the time on the NAS may be off.## The start time is: NOW - delay - session_length#
# update request {# FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"# }
## Ensure that we have a semi-unique identifier for every# request, and many NAS boxes are broken.acct_unique
## Look for IPASS-style 'realm/', and if not found, look for# '@realm', and decide whether or not to proxy, based on# that.## Accounting requests are generally proxied to the same
# home server as authentication requests.# IPASS# suffix# ntdomain
## Read the 'acct_users' filefiles
}
-
7/17/2019 Radius Config
11/29
## Accounting. Log the accounting data.#accounting {
# Update accounting packet by adding the CUI attribute# recorded from the corresponding Access-Accept# use it only if your NAS boxes do not support CUI themselves
# cui## Create a 'detail'ed log of the packets.# Note that accounting requests which are proxied# are also logged in the detail file.detail
# daily
# Update the wtmp file## If you don't use "radlast", you can delete this line.
# unix
## For Simultaneous-Use tracking.## Due to packet losses in the network, the data here
# may be incorrect. There is little we can do about it.# radutmp# sradutmp
# Return an address to the IP Pool when we see a stop record.# main_pool
## Log traffic to an SQL database.## See "Accounting queries" in sql.conf-sqlupdate control {
VIM-Plan-Limit-Type = "%{sql:SELECT value FROM radgroupcheck WHERE attribute='VIM-Plan-Limit-Type' AND groupname=(SELECT groupname FROM radusergroup WHERE username='%{request:User-Name}') }"
}
update request { Huntgroup-Name := "%{sql:select groupname from radhuntgroup where nasipaddress='%{NAS-IP-Address}'}" }
#Protocol Logging for Acc-Start and Acc-Stop
if ("%{Acct-Status-Type}" == "Start") {
if ("%{sql:INSERT INTO radprotologs (datetime,acctstarttime,username,protomsg,details,nasip,acctsessionid,acctuniqueid,nasportid,nasporttype,acctsessiontime,acctauthentic,acctinoutoctets,acctoutputoctets,callingstationid,acctterminatecause,framedipaddress,framedprotocol,framedipv6prefix,servicetype) VALUES (SYSDATE,SYSDATE,'%{User-Name}','Accounting-Request','Accounting Start','%{NAS-IP-Address}','%{Acct-Session-Id}','%{Acct-Unique-Session-Id}','%{NAS-Port-Id}','%{NAS-Port-Type}','%{Acct-Session-Time}','%{Acct-Authentic}','0','0','%{Calling-Station-Id}','','%{Framed-IP-Address}','%{Framed-Protocol}','%{Framed-IPv6-Pr
-
7/17/2019 Radius Config
12/29
efix}','%{Service-Type}') }") { ok }
if ("%{sql:UPDATE onlinesubscriber SET status = 'Online' WHERE username = '%{User-Name}' }") { ok }
if("%{sql:UPDATE BB_USERS SET NAS_ID=(SELECT ID FROM NAS WHERE NASNAME='%{NAS-IP-Address}' ) WHERE USER_NAME='%{User-Name}'}"){
ok}
}if ("%{Acct-Status-Type}" == "Stop") {
if ("%{sql:INSERT INTO radprotologs (datetime, acctstoptime, username, protomsg, details, nasip, acctsessionid, acctuniqueid, nasportid, nasporttype,acctsessiontime, acctauthentic, acctinoutoctets, acctoutputoctets, callingstationid, acctterminatecause, framedipaddress, framedprotocol, framedipv6prefix ,servicetype) VALUES (SYSDATE,SYSDATE,'%{User-Name}' ,'Accounting-Request' ,'Accounting Stop' ,'%{NAS-IP-Address}' ,'%{Acct-Session-Id}' ,'%{Acct-Unique-Session-Id}','%{NAS-Port-Id}' ,'%{NAS-Port-Type}' ,'%{Acct-Session-Time}' , '%{Acct-Authentic}' , '%{Acct-Input-Octets}' ,'%{Acct-Output-Octets}' ,'%{Calling-Stat
ion-Id}' , '%{Acct-Terminate-Cause}' , '%{Framed-IP-Address}' , '%{Framed-Protocol}' ,'%{Framed-IPv6-Prefix}' ,'%{Service-Type}')}") { ok }
if ("%{sql:UPDATE onlinesubscriber SET status = 'Offline' WHEREusername = '%{User-Name}' }") { ok
}
if(control:VIM-Plan-Limit-Type){
switch "%{control:VIM-Plan-Limit-Type}"{ case V {
#Calculate the used bytesif("%{sql: SELECT value FROM radcheck WHERE attribute= 'VIM-FUP-Quota-Depleted-Flag' AND username='%{User-Name}'}" == "Yes"){
update control { VIM-Used-Bytes := "%{sql:SELECT SUM(acctoutputoc
tets + acctinputoctets) FROM radacct WHERE username='%{request:User-Name}' AND acctsessionid = '%{Acct-Session-Id}' }" }
#Set Used Bytesif ("%{sql:UPDATE radcheck SET value = '%{control:VIM-Us
ed-Bytes}' WHERE attribute = 'VIM-Used-Bytes' AND username = '%{User-Name}' }") {
ok}
update control { Mikrotik-Xmit-Limit := "%{sql:SELECT value FROM
radcheck WHERE attribute='Mikrotik-Xmit-Limit' AND username='%{request:User-Name}' }"
VIM-Used-Bytes := "%{sql:SELECT value FROM radcheck WHERE attribute='VIM-Used-Bytes' AND username='%{request:User-Name}' }"
}if ("%{sql:UPDATE radcheck SET value = '%{control:Mikrot
-
7/17/2019 Radius Config
13/29
ik-Xmit-Limit}'- '%{control:VIM-Used-Bytes}' WHERE attribute = 'Mikrotik-Xmit-Limit' AND username = '%{User-Name}' } ") {
ok}
if ("%{sql:UPDATE radcheck SET value = '0' WHERE attribute = 'VIM-Used-Bytes' AND username = '%{User-Name}' } ") {
ok}
}}
case T {#calculation of Timeupdate control {
VIM-Avail-Time := "%{sql: SELECT acctsessiontime FROM radacct WHERE username='%{request:User-Name}' ANDacctsessionid = '%{Acct-Session-Id}'}"
VIM-Subscriber-Activation-Time := "%{sql: SELECT value FROM radcheck WHERE username='%{request:User-Name}' AND attribute = 'VIM-Avail-Time'}"
}if("%{sql:Update radcheck SET value = '%{control
:VIM-Subscriber-Activation-Time}'-'%{control:VIM-Avail-Time}' WHERE attribute ='VIM-Avail-Time' AND username = '%{User-Name}'}") {
ok}}}
}}#Sending CoA for Volume and Time based plansif ("%{Acct-Status-Type}" == "Interim-Update") {
if ("%{sql:INSERT INTO radprotologs (datetime, acctstoptime, username, protomsg, details, nasip, acctsessionid, acctuniqueid, nasportid, nasporttype,acctsessiontime, acctauthentic, acctinoutoctets, acctoutputoctets, callingstationid, acctterminatecause, framedipaddress, framedprotocol, framedipv6prefix ,servicetype) VALUES (SYSDATE,SYSDATE,'%{User-Name}' ,'Accounting-Request' ,
'Interim Update' ,'%{NAS-IP-Address}' ,'%{Acct-Session-Id}' ,'%{Acct-Unique-Session-Id}','%{NAS-Port-Id}' ,'%{NAS-Port-Type}' ,'%{Acct-Session-Time}' , '%{Acct-Authentic}' , '%{Acct-Input-Octets}' ,'%{Acct-Output-Octets}' ,'%{Calling-Station-Id}' , '%{Acct-Terminate-Cause}' , '%{Framed-IP-Address}' , '%{Framed-Protocol}' ,'%{Framed-IPv6-Prefix}' ,'%{Service-Type}') }") { ok }
if("%{sql:UPDATE radcheck SET value = '%{Acct-Output-Octets}' +'%{Acct-Input-Octets}' WHERE username = '%{User-Name}' AND attribute= 'VIM-Used-Bytes'}") {
ok}
if(control:VIM-Plan-Limit-Type){switch "%{control:VIM-Plan-Limit-Type}" {
case V { if("%{sql:SELECT value FROM radcheck
WHERE attribute='VIM-Avail-Bytes' AND username='%{request:User-Name}' }" < "%{sql:SELECT value FROM radcheck WHERE attribute='VIM-Used-Bytes' AND username='%{request:User-Name}' }") {
"%{exec:/usr/local/etc/raddb/disconnect.sh %{User-Name} %{NAS-IP-Address}} "
if ("%{sql:INSERT INTO radprotol
-
7/17/2019 Radius Config
14/29
ogs (datetime, acctstoptime, username, protomsg, details, nasip, acctsessionid, acctuniqueid, nasportid, nasporttype,acctsessiontime, acctauthentic, acctinoutoctets, acctoutputoctets, callingstationid, acctterminatecause, framedipaddress, framedprotocol, framedipv6prefix ,servicetype) VALUES (SYSDATE,SYSDATE,'%{User-Name}' ,'POD' , 'Interim Update' ,'%{NAS-IP-Address}' ,'%{Acct-Session-Id}' ,'%{Acct-Unique-Session-Id}','%{NAS-Port-Id}' ,'%{NAS-Port-Type}' ,'%{Acct-Session-Time}' , '%{Acct-Authentic}' , '%{Acct-Input-Octets}' ,'%{Acct-Output-Octets}','%{Calling-Station-Id}' , '%{Acct-Terminate-Cause}' , '%{Framed-IP-Address}' ,'%{Framed-Protocol}' ,'%{Framed-IPv6-Prefix}' ,'%{Service-Type}') }") { ok }
} }
case T {#calculation of Timeupdate control {
VIM-Avail-Time := "%{sql: SELECT acctsessiontime FROM radacct WHERE username='%{request:User-Name}' ANDacctsessionid = '%{Acct-Session-Id}'}"
VIM-Subscriber-Activation-Time := "%{sql: SELECT value FROM radcheck WHERE username='%{request:User-Name}' AND attribute = 'VIM-Avail-Time'}"
}if("%{sql:Update radcheck SET value = '%{control
:VIM-Subscriber-Activation-Time}'-'%{control:VIM-Avail-Time}' WHERE attribute ='VIM-Avail-Time' AND username = '%{User-Name}'}") { ok
}if("%{sql:SELECT TO_NUMBER(VALUE) VALUE FROM RAD
CHECK WHERE ATTRIBUTE='VIM-Avail-Time' AND username='%{request:User-Name}' AND VALUE
-
7/17/2019 Radius Config
15/29
ssion-Id}','%{NAS-Port-Id}' ,'%{NAS-Port-Type}' ,'%{Acct-Session-Time}' , '%{Acct-Authentic}' , '%{Acct-Input-Octets}' ,'%{Acct-Output-Octets}' ,'%{Calling-Station-Id}' , '%{Acct-Terminate-Cause}' , '%{Framed-IP-Address}' , '%{Framed-Protocol}' ,'%{Framed-IPv6-Prefix}' ,'%{Service-Type}')}") { ok }
if ("%{sql:UPDATE onlinesubscriber SET status = 'Offline' WHEREusername = '%{User-Name}' }") { ok
}
if(control:VIM-Plan-Limit-Type){
switch "%{control:VIM-Plan-Limit-Type}"{ case V {#Calculate the used bytesif("%{sql: SELECT value FROM radcheck WHERE attribute= 'VIM-FUP-
Quota-Depleted-Flag' AND username='%{User-Name}'}" == "Yes"){update control {
VIM-Used-Bytes := "%{sql:SELECT SUM(acctoutputoctets + acctinputoctets) FROM radacct WHERE username='%{request:User-Name}' AND acctsessionid = '%{Acct-Session-Id}' }" }
#Set Used Bytes
if ("%{sql:UPDATE radcheck SET value = '%{control:VIM-Used-Bytes}' WHERE attribute = 'VIM-Used-Bytes' AND username = '%{User-Name}' }") {
ok}
update control { Mikrotik-Xmit-Limit := "%{sql:SELECT value FROM
radcheck WHERE attribute='Mikrotik-Xmit-Limit' AND username='%{request:User-Name}' }"
VIM-Used-Bytes := "%{sql:SELECT value FROM radcheck WHERE attribute='VIM-Used-Bytes' AND username='%{request:User-Name}' }"
}
if ("%{sql:UPDATE radcheck SET value = '%{control:Mikrotik-Xmit-Limit}'- '%{control:VIM-Used-Bytes}' WHERE attribute = 'Mikrotik-Xmit-Limit' AND username = '%{User-Name}' } ") {
ok}
if ("%{sql:UPDATE radcheck SET value = '0' WHERE attribute = 'VIM-Used-Bytes' AND username = '%{User-Name}' } ") {
ok}
}}
}
}}#Idle-Timeoutif ("%{Acct-Status-Type}" == "Idle-Timeout") {
if ("%{sql:INSERT INTO radprotologs (datetime, acctstoptime, username, protomsg, details, nasip, acctsessionid, acctuniqueid, nasportid, nasporttype,acctsessiontime, acctauthentic, acctinoutoctets, acctoutputoctets, callingstationid, acctterminatecause, framedipaddress, framedprotocol, framedipv6prefix ,servicetype) VALUES (SYSDATE,SYSDATE,'%{User-Name}' ,'Accounting-Request' ,
-
7/17/2019 Radius Config
16/29
'Accounting Stop' ,'%{NAS-IP-Address}' ,'%{Acct-Session-Id}' ,'%{Acct-Unique-Session-Id}','%{NAS-Port-Id}' ,'%{NAS-Port-Type}' ,'%{Acct-Session-Time}' , '%{Acct-Authentic}' , '%{Acct-Input-Octets}' ,'%{Acct-Output-Octets}' ,'%{Calling-Station-Id}' , '%{Acct-Terminate-Cause}' , '%{Framed-IP-Address}' , '%{Framed-Protocol}' ,'%{Framed-IPv6-Prefix}' ,'%{Service-Type}')}") { ok }
if ("%{sql:UPDATE onlinesubscriber SET status = 'Offline' WHEREusername = '%{User-Name}' }") { ok
}
if(control:VIM-Plan-Limit-Type){
switch "%{control:VIM-Plan-Limit-Type}"{ case V {#Calculate the used bytesif("%{sql: SELECT value FROM radcheck WHERE attribute= 'VIM-FUP-
Quota-Depleted-Flag' AND username='%{User-Name}'}" == "Yes"){update control {
VIM-Used-Bytes := "%{sql:SELECT SUM(acctoutputoctets + acctinputoctets) FROM radacct WHERE username='%{request:User-Name}' AND acctsessionid = '%{Acct-Session-Id}' }" }
#Set Used Bytesif ("%{sql:UPDATE radcheck SET value = '%{control:VIM-Used-Bytes}' WHERE attribute = 'VIM-Used-Bytes' AND username = '%{User-Name}' }") {
ok}
update control { Mikrotik-Xmit-Limit := "%{sql:SELECT value FROM
radcheck WHERE attribute='Mikrotik-Xmit-Limit' AND username='%{request:User-Name}' }"
VIM-Used-Bytes := "%{sql:SELECT value FROM radcheck WHERE attribute='VIM-Used-Bytes' AND username='%{request:User-Name}' }"
}if ("%{sql:UPDATE radcheck SET value = '%{control:Mikrotik-Xmit-Limit}'- '%{control:VIM-Used-Bytes}' WHERE attribute = 'Mikrotik-Xmit-Limit' AND username = '%{User-Name}' } ") {
ok}
if ("%{sql:UPDATE radcheck SET value = '0' WHERE attribute = 'VIM-Used-Bytes' AND username = '%{User-Name}' } ") {
ok}
}}
}}
}## If you receive stop packets with zero session length,# they will NOT be logged in the database. The SQL module# will print a message (only in debugging mode), and will# return "noop".## You can ignore these packets by uncommenting the following
-
7/17/2019 Radius Config
17/29
# three lines. Otherwise, the server will not respond to the# accounting request, and the NAS will retransmit.#
# if (noop) {# ok# }
## Instead of sending the query to the SQL server,# write it into a log file.#
# sql_log
# Cisco VoIP specific bulk accounting# pgsql-voip
# For Exec-Program and Exec-Program-Waitexec
# Filter attributes from the accounting response.attr_filter.accounting_response
## See "Autz-Type Status-Server" for how this works.
## Acct-Type Status-Server {## }}
# Session database, used for checking Simultaneous-Use. Either the radutmp# or rlm_sql module can handle this.# The rlm_sql module is *much* fastersession {
#radutmp
## See "Simultaneous Use Checking Queries" in sql.confsql
}
# Post-Authentication# Once we KNOW that the user has been authenticated, there are# additional steps we can take.post-auth {
## If you need to have a State attribute, you can# add it here. e.g. for later CoA-Request with
# State, and Service-Type = Authorize-Only.#
# if (!&reply:State) {# update reply {# State := "0x%{randstr:16h}"# }# }
## For EAP-TTLS and PEAP, add the cached attributes to the reply.
-
7/17/2019 Radius Config
18/29
# The "session-state" attributes are automatically cached when# an Access-Challenge is sent, and automatically retrieved# when an Access-Request is received.## The session-state attributes are automatically deleted after# an Access-Reject or Access-Accept is sent.#update {
&reply: += &session-state:}
# Get an address from the IP Pool.# main_pool
# Create the CUI value and add the attribute to Access-Accept.# Uncomment the line below if *returning* the CUI.
# cui
## If you want to have a log of authentication replies,# un-comment the following line, and enable the# 'detail reply_log' module.
# reply_log
## After authenticating the user, do another SQL query.## See "Authentication Logging Queries" in sql.conf-sql#Huntgroup checkif("%{sql:select COUNT(*) from radhuntgroup where nasipaddress='%{NAS-IP
-Address}'}" == 0) {#Huntgroup not foundupdate control {
VIM-Internal-Failure := "Invalid Huntgroup : %{NAS-IP-Address} "
}update reply {Reply-Message := "Invalid Huntgroup : %{NAS-IP-A
ddress} "}
reject}
#Date Checkif("%{sql: SELECT STATUS FROM RADIUS_USER_DTL WHERE USER_NAME='%
{User-Name}'}" == 'A'){if( "%{sql: SELECT case when trunc(END_DATE + 1) < SYSDA
TE AND DOWNGRADED IS NULL then 'false' else 'true' end as response FROM RADIUS
_USER_DTL WHERE USER_NAME='%{User-Name}' }" == 'false'){if("%{sql:UPDATE BB_CONTRACT_DT
L SET STATUS='E',LAST_ACTION_ID=3,LAST_UPD_BY='-2',LAST_UPD_DATE=SYSDATE,DISCONNECT_DATE=SYSDATE WHERE CONTRACT_ID='%{sql: SELECT CONTRACT_ID FROM RADIUS_USER_DTL WHERE USER_NAME='%{User-Name}'}' AND CUSTOMER_ID='%{sql: SELECT CUSTOMER_IDFROM RADIUS_USER_DTL WHERE USER_NAME='%{User-Name}'}'}"){
ok}
if("%{sql:UPDATE BB_CUSTOMER_DTL SET STATUS='I',LAST_UPD_BY='-2',LAST_UPD_DATE=SYSDATE WHERE CUSTOMER_ID='%{sql: SELECT CUSTOMER
-
7/17/2019 Radius Config
19/29
_ID FROM RADIUS_USER_DTL WHERE USER_NAME='%{User-Name}'}'}"){ok
}if ("%{sql:INSERT INTO radprotologs (datetime,us
ername,protomsg,nasip, callingstationid, nasportid,details) VALUES ( SYSDATE, '%{User-Name}', 'Access-Reject','%{NAS-IP-Address}' ,'%{Calling-Station-Id}', '%{NAS-Port-Id}' , 'Plan Date Expired')} ") {
ok}update control {
VIM-Internal-Failure := "Plan Date Expired"
}update reply {
Reply-Message :="Plan Date Expired"
}reject
}}else {
if ("%{sql:INSERT INTO radprotologs (datetime,username,protomsg,nasip, callingstationid, nasportid,details) VALUES ( SYSDATE, '%{User-Name}', 'Access-Reject','%{NAS-IP-Address}' ,'%{Calling-Station-Id}', '%{N
AS-Port-Id}' , 'Plan Status Expired')} ") { ok}
update reply {Reply-Message := "Plan S
tatus Expired"
}reject
}#Simultaneous User Check
if( "%{sql: SELECT COUNT(*) from radacct WHERE username = '%{User-Name}' AND acctstoptime IS NULL}" > 0){
if ("%{sql:INSERT INTO radprotologs (datetime,username,protomsg,nasip, callingstationid, nasportid,details) VALUES ( SYSDATE, '%{User-Name}', 'Access-Reject','%{NAS-IP-Address}' ,'%{Calling-Station-Id}', '%{NAS-Port-Id}' , 'Simultaneous Login Detected')} ") {
ok}update control {
VIM-Internal-Failure :="Simultaneous Login Detected "
}update reply {
Reply-Message := "Simultaneous Login Detected "
}reject
}#mac check
if(control:VIM-Enable-MAC-Auth == "Yes") {if( "%{sql:SELECT * from radusermacmap W
HERE username = '%{User-Name}' AND macaddress='0' }" ) {if ("%{sql:UPDATE raduse
rmacmap SET macaddress = '%{Calling-Station-Id}', LAST_UPDATED_BY='-2' WHERE username='%{User-Name}' } ") {
-
7/17/2019 Radius Config
20/29
ok}
}else {
if( "%{sql:SELECT * FROM ( WITH DATA AS ( SELECT MACADDRESS from RADUSERMACMAP WHERE USERNAME='%{User-Name}' ) SELECT trim(regexp_substr(MACADDRESS, '[^,]+', 1, LEVEL)) MACADDRESS FROM DATA CONNECT BY instr(MACADDRESS, ',', 1, LEVEL - 1) > 0) WHERE MACADDRESS='%{calling-Station-Id}' }"){
ok}
else {if("%{sql:INSERT
INTO radprotologs (datetime,username,protomsg,nasip, callingstationid, nasportid,details) VALUES ( SYSDATE, '%{User-Name}', 'Access-Reject','%{NAS-IP-Address}','%{Calling-Station-Id}', '%{NAS-Port-Id}' , 'Mac-Auth-Failed')} ") {
ok}update control {
VIM-Internal-Failure := "MAC Authentication Failed " }update reply {
Reply-Message := "MAC Authentication Failed "}
reject}
}}
#FUP user Validation
if(control:VIM-Plan-Limit-Type){switch "%{control:VIM-Plan-Limit-Type}"{
case V {if("%{sql:SELECT
TO_NUMBER(VALUE) VALUE FROM RADCHECK WHERE ATTRIBUTE='Mikrotik-Xmit-Limit' ANDusername='%{request:User-Name}' AND VALUE
-
7/17/2019 Radius Config
21/29
1',LAST_UPD_DATE=SYSDATE,DISCONNECT_DATE=SYSDATE WHERE CONTRACT_ID='%{sql: SELECT CONTRACT_ID FROM RADIUS_USER_DTL WHERE USER_NAME='%{User-Name}'}' AND CUSTOMER_ID='%{sql: SELECT CUSTOMER_ID FROM RADIUS_USER_DTL WHERE USER_NAME='%{User-Name}'}'}"){
ok
}
if ("%{sql:INSERT INTO radprotologs (datetime,username,protomsg,nasip, callingstationid, nasportid,details) VALUES ( SYSDATE, '%{User-Name}', 'Access-Reject','%{NAS-IP-Address}' ,'%{Calling-Station-Id}', '%{NAS-Port-Id}' , 'Plan Date Expired')} ") {
ok
}
update control {
VIM-Internal-Failure := "Plan Volume Expired"
}
update reply {
Reply-Message := "Plan Volume Expired"
}
reject}
}}case T {
if("%{sql:SELECT TO_NUMBER(VALUE) VALUE FROM RADCHECK WHERE ATTRIBUTE='VIM-Avail-Time' AND username='%{r
equest:User-Name}' AND VALUE
-
7/17/2019 Radius Config
22/29
= '%{User-Name}' AND attribute = 'NAS-IP-Address' AND value = '1'}"){if("%{sql:UPDATE radcheck SET value='%{N
AS-IP-Address}' WHERE username = '%{User-Name}' AND attribute = 'NAS-IP-Address'AND value = '1' }"){
ok}if("%{sql:UPDATE BB_USERS SET NAS_ID=(SE
LECT ID FROM NAS WHERE NASNAME='%{NAS-IP-Address}' ) WHERE USER_NAME='%{User-Name}'}"){
ok}
}else {
if( "%{sql: SELECT value from radcheck WHERE username = '%{User-Name}' AND attribute = 'NAS-IP-Address'}" == "%{NAS-IP-Address}"){
ok}
else {if ("%{sql:INSERT INTO radprotologs (dat
etime,username,protomsg,nasip, callingstationid, nasportid,details) VALUES ( SYSDATE, '%{User-Name}', 'Access-Reject','%{NAS-IP-Address}' ,'%{Calling-Station-Id}', '%{NAS-Port-Id}' , 'NAS IP Authentication Failed')} ") {
ok
} update control {VIM-Internal-Fai
lure := "NAS IP Authentication Failed "}
update reply {Reply-Message :=
"NAS IP Authentication Falied "}
reject}
}}
#NAS IP Authentication-Noif(control:VIM-Enable-NASIP-Auth == "No") {
if ("%{sql:INSERT INTO radprotologs (datetime,username,protomsg,nasip, callingstationid, nasportid,details) VALUES ( SYSDATE, '%{User-Name}', 'Access-Free-NAS-IP-Address','%{NAS-IP-Address}' ,'%{Calling-Station-Id}', '%{NAS-Port-Id}' , 'Free-NAS-IP-Address')} ") {
ok }
}
#NAS Port Authentication
if(control:VIM-Enable-NASPORT-Auth == "Yes") {if("%{sql: SELECT * from radcheck WHERE username
= '%{User-Name}' AND attribute = 'NAS-Port-Id' AND value = '1'}"){if("%{sql:UPDATE
radcheck SET value='%{NAS-Port-Id}' WHERE username = '%{User-Name}' AND attribute = 'NAS-Port-Id' AND value = '1' }"){
ok}
}
-
7/17/2019 Radius Config
23/29
else {if( "%{sql: SELECT value from ra
dcheck WHERE username = '%{User-Name}' AND attribute = 'NAS-Port-Id'}" == "%{NAS-Port-Id}"){
ok}
else {if ("%{sql:INSERT INTO r
adprotologs (datetime,username,protomsg,nasip, callingstationid, nasportid,details) VALUES ( SYSDATE, '%{User-Name}', 'Access-Reject','%{NAS-IP-Address}' ,'%{Calling-Station-Id}', '%{NAS-Port-Id}' , 'NAS Port Authentication Failed')} ") {
ok}
update control {VIM-Internal-Fai
lure := "NAS Port Authentication Failed "}
update reply {Reply-Message :=
"NAS Port Authentication Failed "}
reject}
}
}#NAS Port Authentication
if(control:VIM-Enable-NASPORT-Auth == "No") {if ("%{sql:INSERT INTO radprotologs (datetime,us
ername,protomsg,nasip, callingstationid, nasportid,details) VALUES ( SYSDATE, '%{User-Name}', 'Access-Free-NAS-Port-Id','%{NAS-IP-Address}' ,'%{Calling-Station-Id}', '%{NAS-Port-Id}' , 'Free-NAS-Port-Id')} ") {
ok}
}#Check and enforce policies for Unlimited and FUP limitsif(control:VIM-Plan-Limit-Type){
switch "%{control:VIM-Plan-Limit-Type}"{case V {
if("%{sql: SELECT value FROM radcheck WHERE attribute= 'VIM-FUP-Quota-Depleted-Flag' AND username='%{User-Name}'}" == "Yes"){
update reply {Mikrotik-Rate-Limit = "%
{control:VIM-Uplink-Speed}/%{control:VIM-Downlink-Speed}"Mikrotik-Xmit-Limit ="%{
control:Mikrotik-Xmit-Limit}"
Mikrotik-Recv-Limit ="%{control:Mikrotik-Xmit-Limit}"
Session-Timeout = "%{control:VIM-Session-Timeout}"
Idle-Timeout = "%{control:VIM-Idle-Timeout}"
Framed-Pool = "%{control:Framed-Pool}"
Framed-IPv6-Pool = "%{control:Framed-IPv6-Pool}"
-
7/17/2019 Radius Config
24/29
}}}
case U {update reply {
Mikrotik-Rate-Limit = "%{control:VIM-Uplink-Speed}/%{control:VIM-Downlink-Speed}"
Session-Timeout= "%{control:VIM-Session-Timeout}"
Idle-Timeout = "%{control:VIM-Idle-Timeout}"
Framed-Pool = "%{control:Framed-Pool}"
Framed-IPv6-Pool= "%{control:Framed-IPv6-Pool}"
}}
case T {if("%{sql:SELECT TO_NUMBER(VALUE) VALUE
FROM RADCHECK WHERE ATTRIBUTE='VIM-Avail-Time' AND username='%{request:User-Name}' AND VALUE >= '86400'}" ){
update reply {Mikrotik-Rate-Li
mit = "%{control:VIM-Uplink-Speed}/%{control:VIM-Downlink-Speed}"
Session-Timeout= "%{control:VIM-Session-Timeout}"Idle-Timeout = "
%{control:VIM-Idle-Timeout}"Framed-Pool = "%
{control:Framed-Pool}"Framed-IPv6-Pool
= "%{control:Framed-IPv6-Pool}"}
}else{
update reply { Mikrotik-Rate-Li
mit = "%{control:VIM-Uplink-Speed}/%{control:VIM-Downlink-Speed}"Session-Timeout= "%{control:VIM-Avail-Time}"
Idle-Timeout = "%{control:VIM-Idle-Timeout}"
Framed-Pool = "%{control:Framed-Pool}"
Framed-IPv6-Pool= "%{control:Framed-IPv6-Pool}"
}}
}case P {
update reply {Mikrotik-Address
-List = "%{sql:select groupname from radusergroup where username='%{request:User-Name}'}"
Session-Timeout= "%{control:VIM-Session-Timeout}"
-
7/17/2019 Radius Config
25/29
Idle-Timeout = "%{control:VIM-Idle-Timeout}"
Framed-Pool = "%{control:Framed-Pool}"
}}
}}#New mac
if(control:VIM-Enable-MAC-Auth == "No"){if("%{sql:SELECT * from RADUSERMACMAP WH
ERE USERNAME='%{User-Name}' AND MACADDRESS=' ' }" ) {if ("%{sql:UPDATE raduse
rmacmap SET macaddress = '%{Calling-Station-Id}' WHERE username='%{User-Name}' }") {
ok}
}if("%{sql:SELECT * from radusermacmap WHERE user
name = '%{User-Name}' AND macaddress != ' ' }" ){if ("%{sql:UPDATE radusermacmap
SET macaddress = '%{Calling-Station-Id}' WHERE username='%{User-Name}' } ") {
ok }}
}
## Instead of sending the query to the SQL server,# write it into a log file.#
# sql_log
#
# Un-comment the following if you want to modify the user's object# in LDAP after a successful login.#
# ldap
# For Exec-Program and Exec-Program-Waitexec
## Calculate the various WiMAX keys. In order for this to work,# you will need to define the WiMAX NAI, usually via## update request {
# WiMAX-MN-NAI = "%{User-Name}"# }## If you want various keys to be calculated, you will need to# update the reply with "template" values. The module will see# this, and replace the template values with the correct ones# taken from the cryptographic calculations. e.g.## update reply {# WiMAX-FA-RK-Key = 0x00
-
7/17/2019 Radius Config
26/29
# WiMAX-MSK = "%{EAP-MSK}"# }## You may want to delete the MS-MPPE-*-Keys from the reply,# as some WiMAX clients behave badly when those attributes# are included. See "raddb/modules/wimax", configuration# entry "delete_mppe_keys" for more information.#
# wimax
# If there is a client certificate (EAP-TLS, sometimes PEAP# and TTLS), then some attributes are filled out after the# certificate verification has been performed. These fields# MAY be available during the authentication, or they may be# available only in the "post-auth" section.## The first set of attributes contains information about the# issuing certificate which is being used. The second# contains information about the client certificate (if# available).
## update reply {# Reply-Message += "%{TLS-Cert-Serial}"
# Reply-Message += "%{TLS-Cert-Expiration}"# Reply-Message += "%{TLS-Cert-Subject}"# Reply-Message += "%{TLS-Cert-Issuer}"# Reply-Message += "%{TLS-Cert-Common-Name}"# Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"## Reply-Message += "%{TLS-Client-Cert-Serial}"# Reply-Message += "%{TLS-Client-Cert-Expiration}"# Reply-Message += "%{TLS-Client-Cert-Subject}"# Reply-Message += "%{TLS-Client-Cert-Issuer}"# Reply-Message += "%{TLS-Client-Cert-Common-Name}"# Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"# }
# Insert class attribute (with unique value) into response,# aids matching auth and acct records, and protects against duplicate# Acct-Session-Id. Note: Only works if the NAS has implemented# RFC 2865 behaviour for the class attribute, AND if the NAS# supports long Class attributes. Many older or cheap NASes# only support 16-octet Class attributes.
# insert_acct_class
# MacSEC requires the use of EAP-Key-Name. However, we don't# want to send it for all EAP sessions. Therefore, the EAP# modules put required data into the EAP-Session-Id attribute.# This attribute is never put into a request or reply packet.
## Uncomment the next few lines to copy the required data into# the EAP-Key-Name attribute
# if (&reply:EAP-Session-Id) {# update reply {# EAP-Key-Name := &reply:EAP-Session-Id# }# }
# Remove reply message if the response contains an EAP-Message
-
7/17/2019 Radius Config
27/29
remove_reply_message_if_eap
## Access-Reject packets are sent through the REJECT sub-section of the# post-auth section.## Add the ldap module name (or instance) if you have set# 'edir_account_policy_check = yes' in the ldap module configuration## The "session-state" attributes are not available here.#Post-Auth-Type REJECT {
update control {VIM-Internal-Fai
lure := "Authentication Failed for Username: %{User-Name} With PASSWORD: %{User-Password}"
}update reply {
Reply-Message :="Incorrect Username or Password"
}
# log failed authentications in SQL, too.
-sqlattr_filter.access_rejectif("%{sql:INSERT INTO radprotologs (datetime,use
rname,protomsg,nasip,nasportid,details,callingstationid) VALUES(SYSDATE,'%{User-Name}' , 'Access-Reject' ,'%{NAS-IP-Address}' ,'%{NAS-Port-Id}' , '%{control:VIM-Internal-Failure}', '%{Calling-Station-Id}') }") {
ok}
# Insert EAP-Failure message if the request was# rejected by policy instead of because of an# authentication failure
eap
# Remove reply message if the response contains an EAP-Messageremove_reply_message_if_eap
}}
## When the server decides to proxy a request to a home server,# the proxied request is first passed through the pre-proxy# stage. This stage can re-write the request, or decide to# cancel the proxy.#
# Only a few modules currently have this method.##pre-proxy {
# Before proxing the request add an Operator-Name attribute identifying# if the operator-name is found for this client.# No need to uncomment this if you have already enabled this in# the authorize section.
# operator-name
# The client requests the CUI by sending a CUI attribute
-
7/17/2019 Radius Config
28/29
# containing one zero byte.# Uncomment the line below if *requesting* the CUI.
# cui
# Uncomment the following line if you want to change attributes# as defined in the preproxy_users file.
# files
# Uncomment the following line if you want to filter requests# sent to remote servers based on the rules defined in the# 'attrs.pre-proxy' file.
# attr_filter.pre-proxy
# If you want to have a log of packets proxied to a home# server, un-comment the following line, and the# 'detail pre_proxy_log' section, above.
# pre_proxy_log#}
## When the server receives a reply to a request it proxied# to a home server, the request may be massaged here, in the# post-proxy stage.#
#post-proxy {
# If you want to have a log of replies from a home server,# un-comment the following line, and the 'detail post_proxy_log'# section, above.
# post_proxy_log
# Uncomment the following line if you want to filter replies from# remote proxies based on the rules defined in the 'attrs' file.
# attr_filter.post-proxy
## If you are proxying LEAP, you MUST configure the EAP
# module, and you MUST list it here, in the post-proxy# stage.## You MUST also use the 'nostrip' option in the 'realm'# configuration. Otherwise, the User-Name attribute# in the proxied request will not match the user name# hidden inside of the EAP packet, and the end server will# reject the EAP request.##eap
## If the server tries to proxy a request and fails, then the
# request is processed through the modules in this section.## The main use of this section is to permit robust proxying# of accounting packets. The server can be configured to# proxy accounting packets as part of normal processing.# Then, if the home server goes down, accounting packets can# be logged to a local "detail" file, for processing with# radrelay. When the home server comes back up, radrelay# will read the detail file, and send the packets to the# home server.
-
7/17/2019 Radius Config
29/29
## With this configuration, the server always responds to# Accounting-Requests from the NAS, but only writes# accounting packets to disk if the home server is down.#
# Post-Proxy-Type Fail-Accounting {# detail# }#}}