{
# radiusd.conf -- FreeRADIUS server configuration file.
#
#  http://www.freeradius.org/
#
#	The location of other config files and
#	logfiles are declared in this file
#
#	Also general configuration for modules can be done
#	in this file, it is exported through the API to
#	modules that ask for it.
#
#	The configuration variables defined here are of the form $\{foo\}
#	They are local to this file, and do not change from request to
#	request.
#
#	The per-request variables are of the form %\{Attribute-Name\}, and
#	are taken from the values of the attribute in the incoming
#	request.  See 'doc/variables.txt' for more information.
#
#	The path settings directly below build on each other: prefix,
#	sysconfdir and localstatedir come first, and logdir, raddbdir,
#	radacctdir, confdir, run_dir and log_file are derived from them.
}
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = $\{localstatedir\}/log/radius
raddbdir = $\{sysconfdir\}/raddb
radacctdir = $\{logdir\}/radacct

confdir = $\{raddbdir\}
run_dir = $\{localstatedir\}/run/radiusd
log_file = $\{logdir\}/radius.log
{
# libdir: Where to find the rlm_* modules.
#
#	This should be automatically set at configuration time.
#
#	If the server builds and installs, but fails at execution time
#	with an 'undefined symbol' error, then you can use the libdir
#	directive to work around the problem.
#
#	The cause is usually that a library has been installed on your
#	system in a place where the dynamic linker CANNOT find it.  When
#	executing as root (or another user), your personal environment MAY
#	be set up to allow the dynamic linker to find the library.  When
#	executing as a daemon, FreeRADIUS MAY NOT have the same
#	personalized configuration.
#
#	To work around the problem, find out which library contains that symbol,
#	and add the directory containing that library to the end of 'libdir',
#	with a colon separating the directory names.  NO spaces are allowed.
#
#	e.g. libdir = /usr/local/lib:/opt/package/lib
#
#	You can also try setting the LD_LIBRARY_PATH environment variable
#	in a script which starts the server.
#
#	If that does not work, then you can re-configure and re-build the
#	server to NOT use shared libraries, via:
#
#	./configure --disable-shared
#	make
#	make install
}
libdir = /usr/lib
{
#  pidfile: Where to place the PID of the RADIUS server.
#
#  The server may be signalled while it's running by using this
#  file.
#
#  This file is written ONLY when running in daemon mode.
#
#  e.g.:  kill -HUP `cat /var/run/radiusd/radiusd.pid`
}
pidfile = $\{run_dir\}/radiusd.pid
{
# user/group: The name (or #number) of the user/group to run radiusd as.
#
#	If these are commented out, the server will run as the user/group
#	that started it.  In order to change to a different user/group, you
#	MUST be root ( or have root privileges ) to start the server.
#
#	We STRONGLY recommend that you run the server with as few permissions
#	as possible.  That is, if you're not using shadow passwords, the
#	user and group items below should be set to 'nobody'.
#
#	On SCO (ODT 3) use "user = nouser" and "group = nogroup".
#
#  NOTE that some kernels refuse to setgid(group) when the value of
#  (unsigned)group is above 60000; don't use group nobody on these systems!
#
#  On systems with shadow passwords, you might have to set 'group = shadow'
#  for the server to be able to read the shadow password file.  If you can
#  authenticate users while in debug mode, but not in daemon mode, it may be
#  that the debugging mode server is running as a user that can read the
#  shadow info, and the user listed below can not.
#
#  NOTE(review): the values below run the daemon as root, which is the
#  opposite of the least-privilege advice above.  Prefer a non-root
#  account such as 'nobody' as described above; if shadow passwords are
#  in use, give that account 'group = shadow' rather than running the
#  whole server as root.
}
user = root
group = root
{
#  max_request_time: The maximum time (in seconds) to handle a request.
#
#  Requests which take more time than this to process may be killed, and
#  a REJECT message is returned.
#
#  WARNING: If you notice that requests take a long time to be handled,
#  then this MAY INDICATE a bug in the server, in one of the modules
#  used to handle a request, OR in your local configuration.
#
#  This problem is most often seen when using an SQL database.  If it takes
#  more than a second or two to receive an answer from the SQL database,
#  then it probably means that you haven't indexed the database.  See your
#  SQL server documentation for more information.
#
#  Useful range of values: 5 to 120
}
max_request_time = 30
{
#  delete_blocked_requests: If the request takes MORE THAN 'max_request_time'
#  to be handled, then maybe the server should delete it.
#
#  If you're running in threaded, or thread pool mode, this setting
#  should probably be 'no'.  Setting it to 'yes' when using a threaded
#  server MAY cause the server to crash!
}
delete_blocked_requests = no
{
#  cleanup_delay: The time to wait (in seconds) before cleaning up
#  a reply which was sent to the NAS.
#
#  The RADIUS request is normally cached internally for a short period
#  of time, after the reply is sent to the NAS.  The reply packet may be
#  lost in the network, and the NAS will not see it.  The NAS will then
#  re-send the request, and the server will respond quickly with the
#  cached reply.
#
#  If this value is set too low, then duplicate requests from the NAS
#  MAY NOT be detected, and will instead be handled as separate requests.
#
#  If this value is set too high, then the server will cache too many
#  requests, and some new requests may get blocked.  (See 'max_requests'.)
#
#  Useful range of values: 2 to 10
}
cleanup_delay = 5
{
#  max_requests: The maximum number of requests which the server keeps
#  track of.  This should be 256 multiplied by the number of clients.
#  e.g. With 4 clients, this number should be 1024.
#
#  If this number is too low, then when the server becomes busy,
#  it will not respond to any new requests, until the 'cleanup_delay'
#  time has passed, and it has removed the old requests.
#
#  If this number is set too high, then the server will use a bit more
#  memory for no real benefit.
#
#  If you aren't sure what it should be set to, it's better to set it
#  too high than too low.  Setting it to 1000 per client is probably
#  the highest it should be.
#
#  Useful range of values: 256 to infinity
}
max_requests = 1024
{
#  listen: Make the server listen on a particular IP address, and send
#  replies out from that address. This directive is most useful for
#  hosts with multiple IP addresses on one interface.
#
#  If you want the server to listen on additional addresses, or on
#  additional ports, you can use multiple "listen" sections.
#
#  Each section makes the server listen for only one type of packet,
#  therefore authentication and accounting have to be configured in
#  different sections.
#
#  The server ignores all "listen" sections if you are using '-i' and '-p'
#  on the command line.
#
#  NOTE(review): 'ipaddr = *' binds every address on the host.  If the
#  server only needs to be reachable on one interface, set ipaddr to that
#  address instead.  'port = 0' is presumably the "use the default RADIUS
#  port" setting; confirm against the documentation for this version.
}
listen \{
    type = auth
    ipaddr = *
    port = 0
\}
listen \{
    type = acct
    ipaddr = *
    port = 0
\}
{
#  hostname_lookups: Log the names of clients or just their IP addresses
#  e.g., www.freeradius.org (on) or 206.47.27.232 (off).
#
#  The default is 'off' because it would be overall better for the net
#  if people had to knowingly turn this feature on, since enabling it
#  means that each client request will result in AT LEAST one lookup
#  request to the nameserver.   Enabling hostname_lookups will also
#  mean that your server may stop randomly for 30 seconds from time
#  to time, if the DNS requests take too long.
#
#  Turning hostname lookups off also means that the server won't block
#  for 30 seconds, if it sees an IP address which has no name associated
#  with it.
#
#  allowed values: \{no, yes\}
}
hostname_lookups = no
{
#  Core dumps are a bad thing.  This should only be set to 'yes'
#  if you're debugging a problem with the server.
#
#  NOTE(review): a core file holds whatever was in the process's memory
#  at the time, which for an authentication server can include user
#  credentials and shared secrets; keep this 'no' outside of debugging
#  sessions.
#
#  allowed values: \{no, yes\}
}
allow_core_dumps = no
{
#  Regular expressions
#
#  These items are set at configure time.  If they're set to "yes",
#  then setting them to "no" turns off regular expression support.
#
#  If they're set to "no" at configure time, then setting them to "yes"
#  WILL NOT WORK.  It will give you an error.
}
regular_expressions = yes
extended_expressions = yes
{
#  Log the full User-Name attribute, as it was found in the request.
#
# allowed values: \{no, yes\}
}
log_stripped_names = no
{
#  Log authentication requests to the log file.
#
#  allowed values: \{no, yes\}
}
log_auth = no
{
#  Log passwords with the authentication requests.
#  log_auth_badpass  - logs password if it's rejected
#  log_auth_goodpass - logs password if it's correct
#
#  NOTE(review): with either of these set to 'yes', clear-text passwords
#  are written to log_file.  Keep them 'no' outside of debugging, and if
#  you ever enable them make sure the log file is not readable by other
#  users and is purged afterwards.
#
#  allowed values: \{no, yes\}
}
log_auth_badpass = no
log_auth_goodpass = no
{
# usercollide:  Turn "username collision" code on and off.  See the
# "doc/duplicate-users" file
#
#  WARNING
#  !!!!!!!  Setting this to "yes" may result in the server behaving
#  !!!!!!!  strangely.  The "username collision" code will ONLY work
#  !!!!!!!  with clear-text passwords.  Even then, it may not do what
#  !!!!!!!  you want, or what you expect.
#  !!!!!!!
#  !!!!!!!  We STRONGLY RECOMMEND that you do not use this feature,
#  !!!!!!!  and that you find another way of achieving the same goal.
#  !!!!!!!
#  !!!!!!!  e.g. module fail-over.  See 'doc/configurable_failover'
#  WARNING
}
usercollide = no
{
# lower_user / lower_pass:
# Lower case the username/password "before" or "after"
# attempting to authenticate.
#
#  If "before", the server will first modify the request and then try
#  to auth the user.  If "after", the server will first auth using the
#  values provided by the user.  If that fails it will reprocess the
#  request after modifying it as you specify below.
#
#  This is as close as we can get to case insensitivity.  It is the
#  admin's job to ensure that the username on the auth db side is
#  *also* lowercase to make this work
#
# Default is 'no' (don't lowercase values)
# Valid values = "before" / "after" / "no"
}
lower_user = no
lower_pass = no
{
# nospace_user / nospace_pass:
#
#  Some users like to enter spaces in their username or password
#  incorrectly.  To save yourself the tech support call, you can
#  eliminate those spaces here:
#
# Default is 'no' (don't remove spaces)
# Valid values = "before" / "after" / "no" (explanation above)
}
nospace_user = no
nospace_pass = no
{
#  The program to execute to do concurrency checks.
}
checkrad = $\{sbindir\}/checkrad
