# radius.cfg
#
# This is a very simple radius.cfg that you can use to get started.
# only the most important parameters are set here. The full set
# of parameters can be seen in radius.cfg in the top of the distribution tree.
#
# As it stands, it will authenticate a single client and a 
# single realm from a flat file
# database, and save the accounting info to a single details file.
#
# Author: Mike McCauley (mikem@open.com.au)
# Copyright (C) 1997 Open System Consultants
# $Id: radius.cfg,v 1.3 1999/01/28 05:13:52 mikem Exp $

#Foreground
#Trace 5

AuthPort 1812
AcctPort 1813

#
# Some problem on Linux(SLES) with Perl and ownership of /proc/self/exe link 
#
#User radiusd
#Group radiusd

# Set this to the directory where your logfile and details file are to go
LogDir /var/log/radius

# Set this to the database directory. It should contain these files:
# users           The user database
# dictionary      The dictionary for your NAS
DbDir /etc/radiator

#
# Read client details  (IP,Secret,TACAC+ Key, PrehandlerHook)
#
Include %D/readclients.pl|

# This clause defines a single client to listen to
<Client DEFAULT>
        Secret   thesharedsecret
</Client>


# This clause handles all users from all realms by looking them up
<ServerTACACSPLUS>
        Key ciscodefault

        GroupMemberAttr T-GROUP
#
        AuthorizeGroup all permit service=shell 
        AuthorizeGroup all permit service=exec cmd=.* cmd-arg=.*
        AuthorizeGroup all permitreplace service=ciscowlc role1=MONITOR 
#
        AuthorizeGroup ops permit service=shell 
        AuthorizeGroup ops deny service=exec cmd=dir cmd-arg=.*
        AuthorizeGroup ops permit service=exec cmd=.* cmd-arg=.*
        AuthorizeGroup ops permitreplace service=ciscowlc role1=ALL 
#
        AuthorizeGroup console deny service=shell 
#
        AuthorizeGroup reject permitreplace service=exec status=fail
#
        AuthorizeGroup readonly permit service=shell cmd=enable cmd-args=.*
        AuthorizeGroup readonly permit service=shell cmd=exit cmd-args=.*
        AuthorizeGroup readonly deny service=shell cmd=show cmd-args=run.*
        AuthorizeGroup readonly deny service=shell cmd=show cmd-args=start.*
        AuthorizeGroup readonly permit service=shell cmd=show cmd-args=.*
        AuthorizeGroup readonly permit service=shell cmd=write cmd-args=terminal
        AuthorizeGroup readonly deny service=shell

        # Mark request as TACACS+ request
        AddToRequest Request-Protocol=TACACS+

</ServerTACACSPLUS>
#
# Authentication for PAM
#
<AuthBy PAM>
        Identifier PAMAuthentication
        Service radiusd
</AuthBy>
#
# Authorise users based on Attributes
#
<AuthBy FILE>
        Identifier EapTLS
        Filename %D/EapTLSUsers
        EAPType TLS
        EAPTLS_CAPath /etc/ssl/certs
        EAPTLS_CertificateFile %D/servercert.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/serverkey.pem
        EAPTLS_PrivateKeyPassword password

        EAPTLS_MaxFragmentSize 1000

</AuthBy>
#
# Authorise users based on Attributes
#
<AuthBy FILE>
        Identifier UserFilter
        Filename %D/users
</AuthBy>
#
# Authorise users based on Attributes
#
<AuthBy FILE>
        Identifier UserHTTPFilter
        Filename %D/HTTPusers
</AuthBy>
#
# Log authentication attempts
#
<AuthLog FILE>
        Identifier LogEapTLSAuthentication
        Filename %L/EapTLSauthlog
        LogSuccess 1
        LogFailure 1
        SuccessFormat %B| Permitted %{Request:USER-PRINCIPAL-NAME} access to %N from %{Request:Calling-Station-Id} using %{Request:Request-Protocol}
        FailureFormat %B| Denied %{Request:USER-PRINCIPAL-NAME} access to %N from %{Request:Calling-Station-Id} using %{Request:Request-Protocol}
</AuthLog>
#
# Log HTTP authentication attempts
#
<AuthLog FILE>
        Identifier LogHTTPAuthentication
        Filename %L/authlog
        LogSuccess 1
        LogFailure 1
        SuccessFormat %B| Permitted %u(%{Request:Service-Type}) access to %N from %{Request:Calling-Station-Id} using HTTP(s)
        FailureFormat %B| Denied %u(%{Request:Service-Type}) access to %N from %{Request:Calling-Station-Id} using HTTP(s)
</AuthLog>
#
# Log authentication attempts
#
<AuthLog FILE>
        Identifier LogAuthentication
        Filename %L/authlog
        LogSuccess 1
        LogFailure 1
        SuccessFormat %B| Permitted %u(%{Request:Service-Type}) access to %N from %{Request:Calling-Station-Id} using %{Request:Request-Protocol}
        FailureFormat %B| Denied %u(%{Request:Service-Type}) access to %N from %{Request:Calling-Station-Id} using %{Request:Request-Protocol}
</AuthLog>
#
# Authenticate Wlan users with certificates
#
<Handler Device-Class=Wlan>
        # Mark request as Radius request if not already set by TACACS+
        AddToRequestIfNotExist Request-Protocol=EapTLS
        AuthByPolicy ContinueUntilReject
        AuthBy EapTLS
        AuthLog LogEapTLSAuthentication
        AcctLogFileName %L/detail
</Handler>
#
# Authenticate Internal users against Windows domain
#
<Handler>
        # Add reply attribute for tacacs authorisation (copy of request attribute set via ldap)
        AddToReplyIfNotExist T-GROUP=%{Request:T-GROUP}
        # Mark request as Radius request if not already set by TACACS+
        AddToRequestIfNotExist Request-Protocol=Radius
        AuthByPolicy ContinueUntilReject
        AuthBy UserFilter
        AuthBy PAMAuthentication
        AuthLog LogAuthentication
        # Log accounting to the detail file in LogDir
        AcctLogFileName %L/detail
</Handler>
#
<ServerHTTP>
        DefaultPrivilegeLevel 15
        AuthByPolicy ContinueUntilReject
        AuthBy UserHTTPFilter
        AuthBy PAMAuthentication
        AuthLog LogHTTPAuthentication
        AuditTrail %L/auditlog
        SessionTimeout 600
        Port 9443
        UseSSL
        TLS_CAPath /etc/ssl/certs
        TLS_CertificateFile /etc/ssl/certs/radius1-cert.pem
        TLS_PrivateKeyFile /etc/ssl/certs/radius1-key.pem
        TLS_PrivateKeyPassword password
        TLS_CertificateType PEM
</ServerHTTP>