# wimax.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with 
# a simple WiMAX system. You can then add and change features.
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
Foreground
LogStdout
LogDir		.
DbDir		.
# User a lower trace level in production systems:
Trace 		4

# AuthPort specifies the port to list on for authentication requests
# Can be a numeric port number or a service name from /etc/services
# Defaults to 1645. You can specify multiple comma-separated ports
AuthPort	1812

# AcctPort specifies the port to list on for accounting requests
# Can be a numeric port number or a service name from /etc/services
# Defaults to 1646. You can specify multiple comma-separated ports
AcctPort	1813

# On Unix you can control the actual user that the server runs as
# provided it starts as a suitable priveleged user. You can specifiy
# unix user name or UID here
#User radius
# or group name/GID
#Group radius


# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client 1.1.1.1>
	Secret	secret
	DupInterval 0
</Client>

<Client DEFAULT>
	Secret	mysecret
	DupInterval 0
</Client>


# This works with the sample SQL tables created by 
# goodies/wimax.sql
# test with goodies/wimaxtest as a simple test client
<Realm DEFAULT>
       # Implement MS Revocation List using a table in the SQL database
       # Other modules such as SQl can be used. Required by Alcatel-Lucent
       AuthByPolicy ContinueWhileAccept
       <AuthBy SQL>
		# Details for accessing the SQL database that contains
		# user/device passwords, Device-Sessions etc.
		# This should match the username created in wimax.sql
		DBSource dbi:mysql:wimax
		DBUsername	mikem
		DBAuth		fred
		NoEAP
		Blacklist
		AuthenticateAttribute Calling-Station-Id
		AuthSelect select reason from blacklist where nai=%0
       </AuthBy>

	<AuthBy WIMAX>
		# Details for accessing the SQL database that contains
		# user/device passwords, Device-Sessions etc.
		# This should match the username created in wimax.sql
		DBSource dbi:mysql:wimax
		DBUsername	mikem
		DBAuth		fred

		# The max lifetime of eack key, in seconds.
		# Defaults to 3600 seconds (1 hour)
		#KeyLifetime 3600

		# If WiMAX-DHCPv4-Server or WiMAX-DHCPv6-Server are set
		# in the reply, AuthBY WIMAX wil automatically generate
		# a DHCP key for that address, and wil provide that key
		# if the DHCP server later asks for it
		AddToReplyIfNotExist WiMAX-DHCPv4-Server=1.2.3.4

		# Indicates whether to honour various hotlining options
		# If any are set, and the subscription has a hotlineprofile
		# then appropriate columns will be returned from the 
		# hotlineprofiles table
		# They are also used to set the Hotlining capabilities
		# in WiMAX-Capability
		ProfileHotlining
		#RulebasedHotlining
		HTTPRedirectionHotlining
		IPRedirectionHotlining

		# WiMAX is required to handle at least TTLS
		# We can handle any tpe that generates MSK and EMSK
		EAPType TTLS, TLS, PEAP, MSCHAP-V2, PSK, PAX, FAST, SIM, AKA
		EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
		EAPTLS_CertificateFile %D/certificates/cert-srv.pem
		EAPTLS_CertificateType PEM
		EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
		EAPTLS_PrivateKeyPassword whatever

		# Try to match a certificate CN against an attribute in the 
		# incoming request. If matched, return the match else undef
		# Called like EAPTLS_CommonNameHook($cn, $username, $identity, $p)
		# This example attempts to match the CN against the 
		# Calling-Station-Id, as rewuired by some WiMAX devices.
		# EAPTLS_CommonNameHook sub {my $cn = $_[0]; my $p = $_[3]; return $cn if $cn eq $p->get_attr('Calling-Station-Id'); return undef;}

		# IF HAPassword is defined, the the HA must send this password
		# in requests sent to this HAAA. The HA must be configured to
		# send this password, otherwise its requests will be REJECTed
#		HAPassword mysecret

		# You can alter the authentication query with AuthSelect, and
		# process extra columns with AuthColumnDef. Replies attrs
		# WiMAX-Packet-Flow-Descriptor and WiMAX-QoS-Descriptor will be 
		# converted from ASCII to binary format.
		#AuthSelect select subscription.psk, subscription.cui, subscription.hotlineprofile, replyprofile.reply from subscription,replyprofile  where subscription.nai=? and replyprofile.profile=subscription.replyprofile
		#AuthColumnDef	  3,GENERIC,reply

		# You can add support for simple accounting using
                # AcctSQLStatement the same as AuthBy SQL
		#AccountingTable	ACCOUNTING
		#AcctColumnDef	USERNAME,User-Name
		# etc....

		# You can customise other SQL queries using during WiMAX
                # processing with GetCachedKeyQuery, GetHotlineProfileQuery,
		# GetQosProfileQuery.

		# MSKInMPPEKeys Forces the MSK to be encoded in 
		# MS-MPPE-Send-Key and MS-MPPE-Recv-Key, as well as 
		# the usual WiMAX-MSK reply attributes. This is required 
		# by some non-compliant clients, such as some Alcatel-Lucent 
		# devices.
		#MSKInMPPEKeys 1
	</AuthBy>

</Realm>