I want my freeradius to send Access-Reject packet with Reply-Message in it,
so that NAS can alert user in some fancy way when authentication fails.
But, it's not working so far.
When authentication succeeds, my freeradius sends Access-Accept packet
with Reply-Message in it, but this is not the way I want it to be.
According to RFC, Access-Reject packet MAY contain Reply-Message.
I have searched this ML, and found out that freeradius normally contain
Reply-Message in Access-Reject packet if Reply-Message is configured.
So my question is:
Why my freeradius doesn't put Reply-Message into Access-Reject packet, and
how can I fix this problem?
I have attached some logs below.
I really need help.
Any information would be greatly appreciated.
Regards,
Takeru
-----------------------------------
[version]
[EMAIL PROTECTED] raddb]# radiusd -v
radiusd: FreeRADIUS Version 0.5, for host i686-redhat-linux-gnu, built on Apr 4
2002 at 04:33:11
[users]
[EMAIL PROTECTED] Auth-Type :=Local, User-Password == "secret"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-address = 192.168.200.1,
Framed-IP-Netmask = 255.255.255.0,
Session-Timeout = 30,
Reply-Message="1111111111111111111111111111111",
[radius.conf]
[EMAIL PROTECTED] raddb]# more radiusd.conf
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
## http://www.freeradius.org/
## $Id: radiusd.conf.in,v 1.87 2002/03/14 18:47:06 aland Exp $
##
# The location of other config files and
# logfiles are declared in this file
#
# Also general configuration for modules can be done
# in this file, it is exported through the API to
# modules that ask for it.
#
# The configuration variables defined here are of the form ${foo}
# They are local to this file, and do not change from request to
# request.
#
# The per-request variables are of the form %{Attribute-Name}, and
# are taken from the values of the attribute in the incoming
# request. See 'doc/variables.txt' for more information.
# Stuff from autoconf
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run
#
# libdir: Where to find the rlm_* modules.
#
# This should be automatically set at configuration time.
#
# If the server builds and installs, but fails at execution time
# with an 'undefined symbol' error, then you can use the libdir
# directive to work around the problem.
#
# The cause is usually that a library has been installed on your
# system in a place where the dynamic linker CANNOT find it. When
# executing as root (or another user), your personal environment MAY
# be set up to allow the dynamic linker to find the library. When
# executing as a daemon, FreeRADIUS MAY NOT have the same
# personalized configuration.
#
# To work around the problem, find out which library contains that symbol,
# and add the directory containing that library to the end of 'libdir',
# with a colon separating the directory names. NO spaces are allowed.
#
# e.g. libdir = /usr/local/lib:/opt/package/lib
#
# If that does not work, then you can re-configure and re-build the
# server to NOT use shared libraries, via:
#
# ./configure --disable-shared
# make
# make install
#
libdir = /usr/lib
# pidfile: Where to place the PID of the RADIUS server.
#
# The server may be signalled while it's running by using this
# file.
#
# This file is written when ONLY running in daemon mode.
#
# e.g.: kill -HUP `cat /var/run/radiusd.pid`
#
pidfile = ${run_dir}/radiusd.pid
# user/group: The name (or #number) of the user/group to run radiusd as.
#
# We STRONGLY recommend that you run the server with as few permissions
# as possible. That is, if you're not using shadow passwords, the
# user and group items below should be set to 'nobody'.
#
# On SCO (ODT 3) use "user = nouser" and "group = nogroup".
#
# NOTE that some kernels refuse to setgid(group)
# when the value of (unsigned)group is above 60000;
# don't use group nobody on these systems!
#
# On systems with shadow passwords, you might have to set 'group = shadow'
# for the server to be able to read the shadow password file. If you can
# authenticate users while in debug mode, but not in normal use, it may be
# because the debugged server is running as a user that can read the shadow
# info, and the user listed below can not.
#
user = root
group = root
# max_request_time: The maximum time (in seconds) to handle a request.
#
# Requests which take more time than this to process may be killed, and
# a REJECT message is returned.
#
# WARNING: If you notice that requests take a long time to be handled,
# then this MAY INDICATE a bug in the server, in one of the modules
# used to handle a request, OR in your local configuration.
#
# Useful range of values: 5 to 120
#
max_request_time = 30
# delete_blocked_requests: If the request takes MORE THAN 'max_request_time'
# to be handled, then maybe the server should delete it.
#
# If you're running in threaded, or thread pool mode, this setting
# should probably be 'no'. Setting it to 'yes' when using a threaded
# server MAY cause the server to crash!
#
delete_blocked_requests = no
# cleanup_delay: The time to wait (in seconds) before cleaning up
# a reply which was sent to the NAS.
#
# The RADIUS request is normally cached internally for a short period
# of time, after the reply is sent to the NAS. The reply packet may be
# lost in the network, and the NAS will not see it. The NAS will then
# re-send the request, and the server will respond quickly with the
# cached reply.
#
# If this value is set too low, then duplicate requests from the NAS
# MAY NOT be detected, and will instead be handled as seperate requests.
#
# If this value is set too high, then the server will cache too many
# requests, and some new requests may get blocked. (See 'max_requests'.)
#
# Useful range of values: 2 to 10
#
cleanup_delay = 5
# max_requests: The maximum number of requests which the server keeps
# track of. This should be 256 multiplied by the number of clients.
# e.g. With 4 clients, this number should be 1024.
#
# If this number is too low, then when the server becomes busy,
# it will not respond to any new requests, until the 'cleanup_delay'
# time has passed, and it has removed the old requests.
#
# If this number is set too high, then the server will use a bit more
# memory for no real benefit.
#
# If you aren't sure what it should be set to, it's better to set it
# too high than too low. Setting it to 1000 per client is probably
# the highest it should be.
#
# Useful range of values: 256 to infinity
#
max_requests = 1024
# bind_address: Make the server listen on a particular IP address, and
# send replies out from that address. This directive is most useful
# for machines with multiple IP addresses on one interface.
#
# It can either contain "*", or an IP address, or a fully qualified
# Internet domain name. The default is "*"
#
bind_address = *
# port: Allows you to bind FreeRADIUS to a specific port.
#
# The default port that most NAS boxes use is 1645, which is historical.
# RFC 2138 defines 1812 to be the new port. Many new servers and
# NAS boxes use 1812, which can create interoperability problems.
#
# The port is defined here to be 0 so that the server will pick up
# the machine's local configuration for the radius port, as defined
# in /etc/services.
#
# If you want to use the default RADIUS port as defined on your server,
# (usually through 'grep radius /etc/services') set this to 0 (zero).
#
# A port given on the command-line via '-p' over-rides this one.
#
port = 1645
# Which program to execute check doing concurrency checks.
checkrad = ${sbindir}/checkrad
# hostname_lookups: Log the names of clients or just their IP addresses
# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
# The default is 'off' because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
# Turning hostname lookups off also means that the server won't block
# for 30 seconds, if it sees an IP address which has no name associated
# with it.
#
# allowed values: {no, yes}
#
hostname_lookups = no
# Core dumps are a bad thing. This should only be set to 'yes'
# if you're debugging a problem with the server.
#
# allowed values: {no, yes}
#
allow_core_dumps = no
# Regular expressions
#
# These items are set at configure time. If they're set to "yes",
# then setting them to "no" turns off regular expression support.
#
# If they're set to "no" at configure time, then setting them to "yes"
# WILL NOT WORK. It will give you an error.
#
regular_expressions = yes
extended_expressions = yes
# Log the full User-Name attribute, as it was found in the request.
#
# allowed values: {no, yes}
#
log_stripped_names = no
# Log authentication requests to the log file.
#
# allowed values: {no, yes}
#
log_auth = no
# Log passwords with the authentication requests.
# log_auth_badpass - logs password if it's rejected
# log_auth_goodpass - logs password if it's correct
#
# allowed values: {no, yes}
#
log_auth_badpass = no
log_auth_goodpass = no
# usercollide: Turn "username collision" code on and off. See the
# "doc/duplicate-users" file
#
usercollide = no
# lower_user / lower_pass:
# Lowercase the username/password "before" or "after"
# attempting to authenticate.
#
# If "before", the server will first modify the request
# and then try to auth the user. If "after", the server
# will first auth using the values provided by the
# user. If that fails it will reprocess the request
# after modifying it as you specify below.
#
# This is as close as we can get to case insensitivity. It is
# the admin's job to ensure that the username on the auth
# db side is *also* lowercase to make this work
#
# Default is 'no' (don't lowercase values)
# Valid values = "before" / "after" / "no"
#
lower_user = no
lower_pass = no
# nospace_user / nospace_pass:
# Some users like to enter spaces in their username or
# password incorrectly. To save yourself the tech support
# call, you can eliminate those spaces here:
#
# Default is 'no' (don't remove spaces)
# Valid values = "before" / "after" / "no" (explanation above)
#
nospace_user = no
nospace_pass = no
# SECURITY CONFIGURATION
#
# There may be multiple methods of attacking on the server. This
# section holds the configuration items which minimize the impact
# of those attacks
#
security {
#
# max_attributes: The maximum number of attributes
# permitted in a RADIUS packet. Packets which have MORE
# than this number of attributes in them will be dropped.
#
# If this number is set too low, then no radius packets
# will be accepted.
#
# If this number is set too high, then an attacker may be
# able to send a small number of packets which will cause
# the RADIUS server to use all available memory.
#
# Setting this number to 0 means "allow any number of attributes"
max_attributes = 200
#
# delayed_reject: When sending an Access-Reject, it can be
# delayed for a few seconds. This may help slow down a DoS
# attack. It also helps to slow down people trying to brute-force
# crack a users password.
#
# Setting this number to 0 means "send rejects immediately"
#
# If this number is set higher than "cleanup_delay", then the
# rejects will be sent after 'cleanup_delay".
#
# Useful ranges: 1 to 5
reject_delay = 0
}
# PROXY CONFIGURATION
#
# proxy_requests: Turns proxying of RADIUS requests on or off.
#
# The server has proxying turned on by default. If your system is NOT
# set up to proxy requests to another server, then you can turn proxying
# off here. This will save a small amount of resources on the server.
#
# If you have proxying turned off, and your configuration files say
# to proxy a request, then an error message will be logged.
#
# To disable proxying, change the "yes" to "no", and comment the
# $INCLUDE line.
#
# allowed values: {no, yes}
#
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
# CLIENTS CONFIGURATION
#
# Client configuration is defined in "clients.conf". If you don't
# use the "clients.conf", you can comment the following. The use of
# "clients.conf" is recommended over the old "clients", though both
# are supported.
#
$INCLUDE ${confdir}/clients.conf
# SNMP CONFIGURATION
#
# Snmp configuration is only valid if you enabled SNMP support when
# you compiled radiusd.
#
$INCLUDE ${confdir}/snmp.conf
# THREAD POOL CONFIGURATION
#
# The thread pool is a long-lived group of threads which
# take turns (round-robin) handling any incoming requests.
#
#
# You probably want to have a few spare threads around,
# so that high-load situations can be handled immediately. If you
# don't have any spare threads, then the request handling will
# be delayed while a new thread is created, and added to the pool.
#
# You probably don't want too many spare threads around,
# otherwise they'll be sitting there taking up resources, and
# not doing anything productive.
#
# The numbers given below should be adequate for most situations.
#
thread pool {
# Number of servers to start initially --- should be a reasonable
# ballpark figure.
start_servers = 5
# Limit on the total number of servers running.
#
# If this limit is ever reached, clients will be LOCKED OUT, so it
# should NOT BE SET TOO LOW. It is intended mainly as a brake to
# keep a runaway server from taking the system with it as it spirals
# down...
#
max_servers = 32
# Server-pool size regulation. Rather than making you guess
# how many servers you need, FreeRADIUS dynamically adapts to
# the load it sees, that is, it tries to maintain enough
# servers to handle the current load, plus a few spare
# servers to handle transient load spikes.
#
# It does this by periodically checking how many servers are
# waiting for a request. If there are fewer than
# min_spare_servers, it creates a new spare. If there are
# more than max_spare_servers, some of the spares die off.
# The default values are probably OK for most sites.
#
min_spare_servers = 3
max_spare_servers = 10
# There may be memory leaks or resource allocation problems with
# the server. If so, set this value to 300 or so, so that the
# resources will be cleaned up periodically.
#
# This should only be necessary if there are serious bugs in the
# server which have not yet been fixed.
#
# '0' is a special value meaning 'infinity', or 'the servers never
# exit'
max_requests_per_server = 0
}
modules {
pam {
#
# The name to use for PAM authentication.
# PAM looks in /etc/pam.d/${pam_auth_name}
# for it's configuration. See 'redhat/radiusd-pam'
# for a sample PAM configuration file.
#
# Note that any Pam-Auth attribute set in the 'users'
# file over-rides this one.
#
pam_auth = radiusd
}
unix {
#
# Cache /etc/passwd, /etc/shadow, and /etc/group
#
# The default is to cache them.
#
# For FreeBSD, you do NOT want to enable the cache,
# as it's password lookups are done via a database.
#
# allowed values: {no, yes}
cache = no
# Reload the cache every 600 seconds (10mins). 0 to disable.
cache_reload = 600
#
# Define the locations of the normal passwd, shadow, and
# group files.
#
# 'shadow' is commented out by default, because not all
# systems have shadow passwords.
#
# To force the module to use the system password functions,
# instead of reading the files, comment out the 'passwd'
# and 'shadow' configuration entries. This is required
# for some systems, like FreeBSD.
#
passwd = /etc/passwd
# shadow = /etc/shadow
group = /etc/group
#
# Where the 'wtmp' file is located.
# This will be moved to it's own module soon..
#
radwtmp = ${logdir}/radwtmp
}
# EAP module for all EAP related authentications
eap {
# Invoke the default supported EAP type when
# EAP-Identity response is received
# default_eap_type = md5
# Default expiry time to clean the EAP list,
# It is maintained to co-relate the
# EAP-response for each EAP-request sent.
# timer_expire = 60
# Supported EAP-types
md5 {
}
## FIXME: EAP-TLS is highly experimental EAP-Type at the moment.
# Please give feedback.
#tls {
# private_key_password = password
# private_key_file = /path/filename
# Sometimes Private key & Certificate are located
# in the same file, then private_key_file & certificate_fi
le
# must contain the same file name.
# certificate_file = /path/filename
# Trusted Root CA list
# CA_file = /path/filename
# dh_file = /path/filename
# random_file = /path/filename
#
# This can never exceed MAX_RADIUS_LEN (4096)
# preferably half the MAX_RADIUS_LEN, to
# accomodate other attributes in RADIUS packet.
# On most APs the MAX packet length is configured
# between 1500 - 1600. In these cases, fragment
# size should be <= 1024.
# fragment_size = 1024
#
# include_length is a flag which is by default set to yes
# If set to yes, Total Length of the message is included
# in EVERY packet we send.
# If set to no, Total Length of the message is included
# ONLY in the First packet of a fragment series.
# include_length = yes
#}
}
# This module supports SAMBA passwd file authorization
# and MS-CHAP, MS-CHAPv2 authentication
mschap {
# if given passwd shows location of
# SAMBA passwd file
# passwd = /etc/smbpasswd
# authtype value, if present, will be used
# to overwrite (or add) Auth-Type during
# authorization. Normally should be MS-CHAP
authtype = MS-CHAP
# if ignore_password set to yes mschap will
# ignore password set by any other module during
# authorization and will always use password file
# ignore_password = yes
# if use_mppe is not set to no mschap will
# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
# use_mppe = no
# if mppe is enabled require_encryption makes
# encryption moderate
# require_encryption = yes
# require_strong always requires 128 bit key
# encryption
# require_strong = yes
}
# PAP module to authenticate users based on their stored password
# Supports multiple encryption schemes
# clear: Clear text
# crypt: Unix crypt
# md5: MD5 ecnryption
# sha1: SHA1 encryption. Not yet implemented
# DEFAULT: crypt
#pap {
# encryption_scheme = crypt
#}
# This module definition allows you to use LDAP for
# authorization and authentication (Auth-Type = LDAP)
# See doc/rlm_ldap for description of configuration options
# and sample authorize{} and authenticate{} blocks
ldap {
server = "ldap.your.domain"
# identity = "cn=admin,o=My Org,c=UA"
# password = mypass
basedn = "o=My Org,c=UA"
# authtype = "MS-CHAP"
filter = "(uid=%u)"
start_tls = no
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
access_group = "cn=clients,ou=dialup,o=My Org,c=UA"
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
# ldap_cache_timeout = 120
# ldap_cache_size = 0
ldap_connections_number = 5
# password_header = "{clear}"
# password_attribute = userPassword
# groupname_attribute = cn
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(membe
r=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}
)))"
timeout = 4
timelimit = 3
net_timeout = 1
}
# You can have multiple instances of the realm module to
# support multiple realm syntaxs at the same time. The
# search order is defined the order in the authorize and
# preacct blocks after the module config block.
#
# Two config options:
# format - must be 'prefix' or 'suffix'
# delimiter - must be a single character
#
# '[EMAIL PROTECTED]'
#
realm suffix {
format = suffix
delimiter = "@"
}
# 'realm/username'
#
# Using this entry, IPASS users have their realm set to "IPASS".
realm realmslash {
format = prefix
delimiter = "/"
}
# 'username%realm'
realm realmpercent {
format = suffix
delimiter = "%"
}
# rewrite arbitrary packets. Useful in accounting and authorization.
## FIXME: This is highly experimental at the moment. Please give
## feedback.
#attr_rewrite sanecallerid {
# attribute = Called-Station-Id
# may be "packet", "reply", or "config"
# searchin = packet
# searchfor = "[+ ]"
# replacewith = ""
# ignore_case = no
# max_matches = 10
#}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
# This hack changes Ascend's wierd port numberings
# to standard 0-??? port numbers so that the "+" works
# for IP address assignments.
with_ascend_hack = no
ascend_channels_per_line = 23
# Windows NT machines often authenticate themselves as
# NT_DOMAIN\username
#
# If this is set to 'yes', then the NT_DOMAIN portion
# of the user-name is silently discarded.
with_ntdomain_hack = no
# Specialix Jetstream 8500 24 port access server.
#
# If the user name is 10 characters or longer, a "/"
# and the excess characters after the 10th are
# appended to the user name.
#
# If you're not running that NAS, you don't need
# this hack.
with_specialix_jetstream_hack = no
# Cisco sends it's VSA attributes with the attribute
# name *again* in the string, like:
#
# H323-Attribute = "h323-attribute=value".
#
# If this configuration item is set to 'yes', then
# the redundant data in the the attribute text is stripped
# out. The result is:
#
# H323-Attribute = "value"
#
# If you're not running a Cisco NAS, you don't need
# this hack.
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
# If you want to use the old Cistron 'users' file
# with FreeRADIUS, you should change the next line
# to 'compat = cistron'. You can the copy your 'users'
# file from Cistron.
compat = no
}
# See README.rlm_fastusers before using this
# module or changing these values.
fastusers {
usersfile = ${confdir}/users_fast
hashsize = 1000
compat = no
# Reload the hash every 600 seconds (10mins)
hash_reload = 600
}
detail {
# Note that we do NOT use NAS-IP-Address here, as that
# attribute MAY BE from the originating NAS, and NOT
# from the proxy which actually sent us the request.
# The Client-IP-Address attribute is ALWAYS the address
# of the client which sent us the request.
#
detailfile = ${radacctdir}/%{Client-IP-Address}/detail
detailperm = 0600
}
# This module will add a (probably) unique session id
# to an accounting packet based on the attributes listed
# below found in the packet. see doc/README.rlm_acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Add
ress, NAS-Port-Id"
}
# Include another file that has SQL-related stuff in it.
# This is another file solely because it tends to be big.
$INCLUDE ${confdir}/sql.conf
radutmp {
filename = ${logdir}/radutmp
perm = 0600
callerid = "yes"
}
# "Safe" radutmp - does not contain caller ID, so it can be
# world-readable, and radwho can work for normal users, without
# exposing any information that isn't already exposed by who(1).
#
# This is another instance of the radutmp module, but it is given
# then name "sradutmp" to identify it later in the "accounting"
# section.
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
# attr_filter - filters the attributes received in replies from
# proxied servers, to make sure we send back to our RADIUS client
# only allowed attributes.
attr_filter {
attrsfile = ${confdir}/attrs
}
# This module takes an attribute (count-attribute), which MUST
# be an 'integer' or 'time' attribute. It also takes a key,
# and creates a counter for each unique key. The count is
# incremented when accounting packets are received by the
# server. The value of the increment is the value of the
# count-attribute.
#
# The 'reset' parameter defines when the counters are all reset to
# zero. It can be hourly, daily, weekly, monthly or never.
# It can also be user defined. It should be of the form:
# num[hdwm] where:
# h: hours, d: days, w: weeks, m: months
# If the leter is ommited days will be assumed. In example:
# reset = 10h (reset every 10 hours)
# reset = 12 (reset every 12 days)
#
# The counter-name is the name of the attribute in the 'users'
# file used to access that counter. e.g.
#
# DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject
# Reply-Message = "You've used up more than one hour today"
counter {
filename = ${raddbdir}/db.counter
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
# The "always" module is here for debugging purposes. Each instance simp
ly
# returns the same result, always, without doing anything.
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
# ANSI X9.9 token support. Not included by default.
# $INCLUDE ${confdir}/x99.conf
# Configuration for the Python module. EXPERIMENTAL!
#
# Where radiusd is a Python module, radiusd.py, and the
# function 'authorize' is called. Here is a dummy piece
# of code:
#
# def authorize(params):
# print params
# return (5, ('Reply-Message', 'banned'))
#
# The RADIUS value-pairs are passed as a tuple of tuple
# pairs as the first argument, e.g. (('attribute1',
# 'value1'), ('attribute2', 'value2'))
#
# The function return is a tuple with the first element
# being the return value of the function.
# The 5 corresponds to RLM_MODULE_USERLOCK. I plan to
# write the return values as Python symbols to avoid
# confusion.
#
# The remaining tuple members are the string form of
# value-pairs which are passed on to pairmake().
#
python {
mod_authorize = radiusd
func_authorize = authorize
}
# Configuration for the example module. Uncommenting it will cause it
# to get loaded and initialized, but should have no real effect as long
# it is not referencened in one of the autz/auth/preacct/acct sections
example {
# Boolean variable.
# allowed values: {no, yes}
boolean = yes
# An integer, of any value.
integer = 16
# A string.
string = "This is an example configuration string"
# An IP address, either in dotted quad (1.2.3.4) or hostname
# (example.com)
ipaddr = 127.0.0.1
# A subsection
mysubsection {
anotherinteger = 1000
# They nest
deeply nested {
string = "This is a different string"
}
}
}
}
# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the "users" file.
# The order of the realm modules will determine the order that
# we try to find a matching realm.
# Make *sure* that 'preprocess' comes before any realm if you
# need to setup hints for the remote radius server
authorize {
preprocess
# counter
# attr_filter
# eap
suffix
files
# mschap
}
# Authentication.
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that you have to have a module from the 'authorize' section add
# a configuration attribute 'Auth-Type := FOO'. That authentication type
# is then used to pick the apropriate module from the list below.
authenticate {
# pam
unix
# ldap
# mschap
# eap
}
# Pre-accounting. Look for proxy realm in order of realms, then
# acct_users file, then preprocess (hints file).
preacct {
suffix
files
preprocess
}
# Accounting. Log to detail file, and to the radwtmp file, and maintain
# radutmp.
accounting {
# acct_unique
detail
# counter
unix
radutmp
# sradutmp
}
# Session database, used for checking Simultaneous-Use. The radutmp module
# handles this
session {
radutmp
}
[EMAIL PROTECTED] raddb]#
_________________________________________________________________
あなたのPCを守るために定期的なセキュリティ対策を。マイクロソフト セキュリ
ティ情報センター http://www.microsoft.com/japan/protect/hm.asp
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- Re: Access-Reject has no Reply-Message 野村 建
- Re: Access-Reject has no Reply-Message Thor Spruyt
- Re: Access-Reject has no Reply-Message Alan DeKok
