# windows.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with
# a simple system on Windows. You can then add and change features.
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
# This example is expected to be installed in
# c:\Program Files\Radiator\radius.cfg
# It will authenticate from a standard users file in
# c:\Program Files\Radiator\users
# it will log debug and other messages to
# c:\Program Files\Radiator\logfile
# and log accounting to a file in
# c:\Program Files\Radiator\detail
# (of course you can change all these by editing this config file if you wish)
#
# It will accept requests from any client and try to handle requests
# for any realm.
# And it will print out what it's doing in great detail to the log file.
#
# See radius.cfg for more complete examples of features and
# syntax, and refer to the reference manual for a complete description
# of all the features and syntax.
#
# You should consider this file to be a starting point only
# $Id: windows.cfg,v 1.1 2003/03/27 09:41:28 mikem Exp $

Foreground
LogStdout
LogDir c:/Program Files/Radiator
DbDir c:/Program Files/Radiator

# This will log at DEBUG level: very verbose
# Use a lower trace level in production systems, typically use 3
Trace 4

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with. This will work
# at least with radpwtst running on the local machine
# Change mysecret to a strong, per-client secret before any real NAS
# is pointed at this server.
Secret mysecret
DupInterval 0

# Authenticate all realms with this
# Look up user details in a flat file
# Change DBSource, DBUsername, DBAuth for your database
# See the reference manual.
# You will also have to
# change the matching database spec below
# so it's the same
DBSource dbi:ODBC:radmin
DBUsername radmin
DBAuth radminpw

# Never look up the DEFAULT user
NoDefault

# You can add to or change these if you want, but you
# will probably want to change the database schema first
AccountingTable RADUSAGE
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type,integer
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef NASIDENTIFIER,NAS-IP-Address
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef DNIS,Called-Station-Id
# AcctColumnDef CALLINGSTATIONID,Calling-Station-Id

# This updates the time and octets left
# for this user
# The "-0%{...}" form keeps the expression valid when the NAS omits an
# attribute. %n is the User-Name as sent by the NAS, substituted straight
# into the SQL text; confirm that your Radiator version quotes it for your
# database before accepting names from untrusted NASs.
AcctSQLStatement update RADUSERS set TIMELEFT=TIMELEFT-0%{Acct-Session-Time}, OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets}, OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where USERNAME='%n'

# These are the classic things to add to each user's
# reply to allow a PPP dialup session. It may be
# different for your NAS. This will add some
# reply items to everyone's reply
AddToReply Framed-Protocol = PPP,\
	Framed-IP-Netmask = 255.255.255.255,\
	Framed-Routing = None,\
	Framed-MTU = 1500,\
	Framed-Compression = Van-Jacobson-TCP-IP

# If you intend to use rcrypt reversible encryption
# for passwords in your Radmin database, you must
# set RcryptKey here to be the same secret key you
# defined in your Radmin Site.pm, and also set
# PasswordFormat in your Site.pm.
# RcryptKey mysecret

# If you intend to use Unix encryption in your database,
# you will need to set EncryptedPassword here,
# as well as setting PasswordFormat in your Site.pm
# EncryptedPassword

# You can change the max bad login count from the default
# of 5 with something like
# MaxBadLogins 10

# This clause logs all authentication successes and failures to the RADAUTHLOG table
# Suitable for use with RAdmin version 1.6 or later
# This database spec usually should be exactly the same
# as the one above
DBSource dbi:ODBC:radmin
DBUsername radmin
DBAuth radminpw
# %n is the User-Name as sent by the NAS, substituted straight into the SQL
# text; confirm that your Radiator version quotes it for your database
# before logging names from untrusted NASs.
LogSuccess
SuccessQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE) values (%t, '%n', 1)
LogFailure
FailureQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (%t, '%n', 0, %1)

# Log accounting to a detail file. %D is replaced by DbDir above
AcctLogFileName %D/detail

# Specifies the TCP port to use. Defaults to 9048
#Port %{GlobalVar:serverhttpport}
Port 9048

# ServerHTTP saves for viewing the last LogMaxLines log entries
# at or below this trace level.
Trace 4

# LogMaxLines specifies the max number of recent log messages that are
# saved. Defaults to 500. If you set this to 0, then no
# logger will be created for ServerHTTP, slightly improving performance
#LogMaxLines 1000

# BindAddress allows you to bind to a different network address
# for multihomed hosts. Defaults to 0.0.0.0
#BindAddress 203.63.154.29, 127.0.0.1

# You can have one or more AuthBy clauses or AuthBy parameters
# to specify how to authenticate HTTP connections. AuthByPolicy is also
# supported. If the last AuthBy returns ACCEPT, the connection
# is accepted. If the last AuthBy returns IGNORE, or there are
# no AuthBy, then fall back to the hardwired Username and
# Password parameters
# If the authenticated user has a Management-Policy-Id reply item,
# it will be used
# as that user's privilege level, instead of DefaultPrivilegeLevel.
#
# Filename %D/users
#
# This is the fallback username and password that clients must LOGIN as
# if there are no AuthBy clauses, or if they return IGNORE
# If there are no AuthBys (or the last returns IGNORE) and there is no
# Username, you can connect to this interface anonymously (not
# recommended except for testing in secure environments).
Username mikem
# Password can be plaintext or any of the encrypted formats such as
# {crypt}....., {nthash}....., {SHA}...., {SSHA}....., {mysql}....,
# {msssql}...., {dechpwd}...., {MD5}......, {clear}....
Password fred

# Controls the ServerHTTP user's privilege level if
# a per-user Management-Policy-Id is not available from a successful
# authentication from the AuthBy list.
# The privilege level is a bitmask. The following privilege levels are
# defined, and may be logically or'd together
# 0 means no access, including no login permission.
# 1 means viewing basic status only.
# 2 means ability to reset the server
# 4 means the ability to edit and change the running config (but not
# save it)
# 8 means the ability to save changes to the configuration
# 15 means all privileges
# Defaults to 1
# With the fallback Username/Password above, 15 gives full edit-and-save
# rights to anyone who knows those two values; lower it, or use a
# per-user Management-Policy-Id, once this runs outside a test host.
DefaultPrivilegeLevel 15

# Clients let you limit which clients you will accept connections from
# You can specify one or more comma or space separated IP addresses
# Use this parameter to make your server more secure by limiting
# which clients can connect.
#Clients 127.0.0.2, 203.63.154.29
# This one limits access to the same host that Radiator runs on:
Clients 127.0.0.1

# If AuditTrail is defined, all editing operations and changes will be
# logged to the file (as well as to the normal log file at trace level 3)
AuditTrail %D/audit.txt

# Like most loggers, you can enable LogMicroseconds to get
# microsecond accuracy in log messages. Requires the
# Time::HiRes module from CPAN.
#LogMicroseconds

# Specifies the maximum time before the user has to log in again
# Defaults to 1 hour
#SessionTimeout 3600

# You can force SSL connections, and use all the standard TLS
# certificate and verification mechanisms
# While UseSSL stays commented out, the interface listens in plaintext
# and the TLS_* parameters below have no effect.
# UseSSL 1
TLS_CAFile ./certificates/demoCA/cacert.pem
TLS_CertificateFile ./certificates/cert-srv.pem
TLS_CertificateType PEM
TLS_PrivateKeyFile ./certificates/cert-srv.pem
TLS_PrivateKeyPassword whatever
#TLS_RequireClientCert
#TLS_ExpectedPeerName .+
#TLS_SubjectAltNameURI .*open.com.au
#TLS_CRLCheck
#TLS_CRLFile %D/certificates/revocations.pem
#TLS_CRLFile %D/certificates/revocations2.pem

# Users that log in to the Server HTTP interface can be logged with an
# AuthLog clause:
Filename %L/authlog

# If a page is requested but not found in the set of built-in pages
# PageNotFoundHook is called to try to handle the request.
# PageNotFoundHook is passed the requested URI and a reference to the
# ServerHTTP connection. If it can handle the request, it returns an
# array of ($httpcode, $content, @httpheaders) else undef.
#PageNotFoundHook sub {return (200, "your HTML content");}

# Specifies the TCP port to use. Defaults to 9048
#Port 7777
Port 7777
#Port %{GlobalVar:monitorport}

# BindAddress allows you to bind to a different network address
# for multihomed hosts. Defaults to 0.0.0.0
#BindAddress 203.63.154.29, 127.0.0.1

# You can have one or more AuthBy clauses or AuthBy parameters
# to specify how to authenticate connections. AuthByPolicy is also
# supported. If the last AuthBy returns ACCEPT, the connection
# is accepted.
# If the last AuthBy returns IGNORE, or there are
# no AuthBy, then fall back to the hardwired Username and
# Password parameters
#
# Filename ./users
#
# This is the fallback username and password that clients must LOGIN as
# if there are no AuthBy clauses, or they return IGNORE
Username mikem
Password fred

# If you set TraceOnly, connections through this Monitor are
# prevented from getting statistics, or getting or setting
# configuration data, or restarting the server
# TraceOnly

# Clients let you specify which clients you will accept connections from
# You can specify one or more comma or space separated IP addresses
# Unlike the ServerHTTP clause above, no Clients line is active here, so
# any host that can reach the port may attempt the fallback login;
# uncomment and adjust this before use beyond a test host.
#Clients 127.0.0.2, 203.63.154.29

# Like most loggers, you can enable LogMicroseconds to get
# microsecond accuracy in log messages. Requires the
# Time::HiRes module from CPAN.
#LogMicroseconds