#Created by McNealy and Caporossi
#Creation Date:	03-09-2010
#Last Edited:	03-09-2010

#moved to Verisign cert all but devnet.



#Foreground
#LogStdout
LogDir		c:\Program Files\Radiator\logs	
DbDir			c:\Program Files\Radiator
LogFile		%L/%m%d%y.log
DictionaryFile	%D/dictionary
PidFile		%D/radiusd.pid



AuthPort 1812
AcctPort 1813

Trace 		3

<Client 192.168.242.1>
        Identifier              vpn
        Secret                  secret
        DupInterval             2
        NasType                 Cisco
        SNMPCommunity           private
        IgnoreAcctSignature     1
</Client>

<Client 192.168.203.203>
        Identifier              hal
        Secret                  secret
        DupInterval             2
        NasType                 unknown
        IgnoreAcctSignature     1
</Client>

PreClientHook file:"%D/scripts/acct_adjustment.pl"

<Client 10.24.97.0/24>
        IdenticalClients 10.24.238.41,10.24.238.42
        Secret                  secret
        Identifier              wlan
        DupInterval             2
        NasType                 Cisco
        SNMPCommunity           private
        IgnoreAcctSignature     1
</Client>

<Client 10.24.97.50>
        IdenticalClients 10.24.97.200,10.24.97.201
        Secret                  secret
        Identifier              wlan
        DupInterval             2
        NasType                 Aruba
        SNMPCommunity           private
        IgnoreAcctSignature     1
</Client>

<Client DEFAULT>
        Identifier              NST-devices
        Secret                  secret
        DupInterval             2
        NasType                 Cisco
        SNMPCommunity           private
        IgnoreAcctSignature     1
</Client>

<StatsLog FILE>
	# This is the time interval in seconds between each statistics dump
	# Default is 600 seconds (10 minutes)
	Interval 60

	# Statistics will be appended to Filename
	# The default filename is %L/statistics. dash means stdout
	# special formatting characters are honoured
#	Filename -

	# You can specify your own format for each line
	# %0, %1 etc are replaced by each statistic, in alphabetical order
	# of their name.This example just logs the time, object type, id and 
	# average responseTime
#	Format %0:%1:%2:%23

	# Each set of statistics is preceded by a header line, which by
	# default is a # followed by the name of each data column (for the
	# use of various numeric pprocessing packages, such as Excel.
	# You can set your own header format.
	# You can prevent any headers being written by setting
	# Header to be an empty string.
#	Header #time:type:id:responsetime
</StatsLog>


#<Log FILE>
#	Identifier debugging
#	Trace 4
#	LogMicroseconds
#	Filename %L/%m%d%y.debug.log
#</Log>

<Handler Request-Type = Accounting-Request, Acct-Status-Type=/start|stop/i>
	PreProcessingHook file:"%D/scripts/eap_anon_hook.pl"
	AddToRequest Connect-Info=%{Client:Identifier},Ascend-Authen-Alias=%h
	StripFromRequest Class
	<AuthBy RADIUS>
		Host radacct.blah.com
		#Changed DNS per Chris D. 09/19/2008
		#Host radacct.blah.com
		Secret secret
		AcctPort 1813
		Retries 10
		AcctFailedLogFileName %L/%{Client:Identifier}/%m%d%y.log.missed
	</AuthBy>
	AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
</Handler>

<AuthBy INTERNAL>
	Identifier			AcctStartStopOnly
	AcctStartResult			ACCEPT
	AcctStopResult			ACCEPT
	AcctAliveResult			IGNORE
</AuthBy>


<Handler TunnelledByPEAP=1>
        AuthByPolicy ContinueUntilAccept
        RewriteUsername s/(.*)\\(.*)/$2/
        <AuthBy LSA>
                Domain domain
                #Group Domain Users
                #DomainController zulu
                EAPType MSCHAP-V2
        </AuthBy>
        AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
        #PostAuthHook file:"%D/scripts/eap_anon_hook.pl"
        PostProcessingHook file:"%D/scripts/eap_acct_username.pl"
</Handler>

<Handler TunnelledByTTLS=1>
      AuthByPolicy ContinueUntilAccept

      # Strip realm if in MSN format
      RewriteUsername s/(.*)\\(.*)/$2/

        #AuthBy LDAPAuthentication

        <AuthBy LSA>
                Domain domain
                #Group Domain Users
                #DomainController zulu
                EAPType MSCHAP-V2
        </AuthBy>

      <AuthBy UNIX>
               GroupFilename %D/group
               # anonymous-PEAP must be in here:
               Filename %D/radauth_pass.wlan
       </AuthBy>

        AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
        #PostAuthHook file:"%D/scripts/eap_anon_hook.pl"
        PostProcessingHook file:"%D/scripts/eap_acct_username.pl"
</Handler>


<Handler Client-Identifier=wlan,Called-Station-Id=/devnet/i>
        AuthByPolicy ContinueUntilAccept
        AddToRequestIfNotExist Framed-IP-Address=%{Calling-Station-Id}
        StripFromRequest Class

        <AuthBy FILE>
                Filename %D/users
                EAPType PEAP,TTLS
                EAPTLS_CAFile %D/certificates/production/dc1_ca.cer
                EAPTLS_CertificateFile %D/certificates/production/%h_dc1.pem
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile %D/certificates/production/%h_dc1.pem
                EAPTLS_PrivateKeyPassword secret
                EAPTLS_VerifyDepth 3
                EAPTLS_MaxFragmentSize 1000
                AutoMPPEKeys
                SSLeayTrace 4
                EAPTLS_PEAPVersion 1
                EAPTLS_PEAPBrokenV1Label
        </AuthBy>

        #PreProcessingHook file:"%D/scripts/eap_anon_hook.pl"
        AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
</Handler>

<Handler Client-Identifier=wlan>
        AuthByPolicy ContinueUntilAccept
        AddToRequestIfNotExist Framed-IP-Address=%{Calling-Station-Id}
        StripFromRequest Class

        <AuthBy FILE>
                Filename %D/users
                EAPType PEAP,TTLS
                EAPTLS_CAFile %D/certificates/production/verisign-combo.crt
                EAPTLS_CertificateFile %D/certificates/production/%h.pem
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile %D/certificates/production/%h.pem
                EAPTLS_PrivateKeyPassword secret
                EAPTLS_VerifyDepth 3
                EAPTLS_MaxFragmentSize 1000
                AutoMPPEKeys
                SSLeayTrace 4
                EAPTLS_PEAPVersion 1
                EAPTLS_PEAPBrokenV1Label
        </AuthBy>

        #PreProcessingHook file:"%D/scripts/eap_anon_hook.pl"
        AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
</Handler>


<Handler Client-Identifier=NST-devices>
        AuthByPolicy ContinueUntilAccept
        #AuthByPolicy ContinueAlways
        #AuthByPolicy ContinueWhileIgnore      # Default
        <AuthBy UNIX>
                #GroupFilename %D/group
                Filename %D/passwd.nst
        </AuthBy>
        #AddToReply Service-Type = "Administrative-User"
        #AddToReply cisco-avpair = "shell:priv-lvl=15"

        #syslog functions not available on win32
        #AuthLog authlogger
        # Log accounting to a detail file
        AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
</Handler>

<Handler Client-Identifier=vpn>
	AuthByPolicy ContinueAlways
	# AuthByPolicy ContinueWhileIgnore      # Default

	AddToRequestIfNotExist Calling-Station-Id=%{Tunnel-Client-Endpoint}

	<AuthBy UNIX>
		GroupFilename %D/group
		Filename %D/radauth_pass.vpn
	</AuthBy>

	#syslog functions not available on win32
	#AuthLog authlogger

	# Log accounting to a detail file
	AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
</Handler>

<Handler Client-Identifier=hal>
	AuthByPolicy ContinueUntilAccept
	<AuthBy UNIX>
		GroupFilename %D/group
		Filename %D/passwd.nagios
	</AuthBy>
	AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
</Handler>