Go to the first, previous, next, last section, table of contents.

Radius Configuration Files

This chapter describes the configuration files used by GNU Radius package.

These files are normally found in /usr/local/etc/raddb directory, which is defined at configuration time, although their location can be specified at runtime. In the discussion below we will refer to this directory by `raddb'. See section Naming Conventions.

config file: Run-time configuration options.
dictionary file: Radius dictionary.
clients file: Clients lists the NASes that are allowed to communicate with radius.
naslist file: The naslist file keeps general information about the NASes.
nastypes file: Information about how to query the NASes about active user sessions.
hints file: Important user information that is common for the users whose names match some pattern.
huntgroups file: Group users by the NAS (and, possibly, a port number) they come from.
realms file: Communication with remote radius servers
users file: User profile.
access.deny file: List of users which are denied access.
sqlserver file: SQL server configuration.
rewrite file: Rewrite functions allow to change the input packets.
menus file: Menus allow user to select the type of service.
Macro Substitution: Macros which are expanded by the actual attribute values.

Run-Time Configuration Options -- `raddb/config'

radiusd uses the configuration values from the following sources (in order of increasing precedence):

Compiled-in defaults
`raddb/config' file.
Command line arguments

This order of precedence applies only on startup. When re-reading of the configuration is initiated either by SIGHUP signal or by SNMP channel any changes in the config file take precedence over command line arguments, since `raddb/config' is the only way to change configuration of the running program.

This chapter discusses the `raddb/config' file in detail.

The `raddb/config' consists of statements and comments. Statements end with a semicolon. Many statements contain a block of sub-statements which also terminate with a semicolon.

Comments can be written in shell, C, or C++ constructs, i.e. any of the following represent a valid comment:

    # A shell comment
    /* A C-style
     * multi-line comment
     */
    // A C++-style comment

These are the basic statements:

option: Option block: set the global program options.
logging: Fine-tune the logging.
auth: Configure authentication service.
acct: Configure accounting service.
proxy: Configure proxy service.
usedbm: Enable the DBM feature.
snmp: Configure SNMP service.
guile: Configure Guile interface.
message: Configure server reply messages.

`option` block

Syntax:

    option {
            [ source-ip number ; ]
            [ max-requests number ; ]
            [ exec-program-user string ; ]
            [ username-chars string ; ]
            [ log-dir string ; ]
            [ acct-dir string ; ]
    } ;

Usage

The option block defines the global options to be used by radiusd.

Numeric statements

source-ip: Sets the source IP address. When this statement is not present, the IP address of the first available network interface on the machine will be used as source.
max-requests: Sets the maximum number of the requests in queue.

String statements

exec-program-user: Sets effective user id for the programs executed as a result of Exec-Program and Exec-Program-Wait. The effective group id will be retrieved from the `/etc/passwd' entry for the given user.
username-chars: Determines characters that are valid within a username. The alphanumeric characters are always allowed in a username, it is not necessary to specify them in this statement. By default the following characters are allowed in a username: `.-_!@#$%^&\/"'.
log-dir: Specifies the logging directory.
acct-dir: Specifies the accounting directory.

`logging` block

Syntax:

    logging {
            [ category category_spec {
                    [ channel channel_name ; ]
                    [ print-auth bool ; ]
                    [ print-pass bool ; ]
                    [ print-failed-pass bool ; ]
                    [ level debug_level ; ]
            } ; ]
            [ channel channel_name {
                   (  file string ;
                    | syslog facility . priority ; )
                    [ print-pid bool ; ]
                    [ print-category bool ; ]
                    [ print-cons bool ; ]
                    [ print-level bool ; ]
                    [ print-priority bool ; ]
            }; ]
    } ;

Usage

The logging statement describes the course followed by radiusd's logging information.

category: category statement.
channel: channel statement.
logging example: Example of the logging statement.

`category` statement

Each line of logging information generated by radiusd has an associated category. The logging statement allows each category of output to be controlled independently of the others. The logging category is defined by category name and a severity. category name determines what part of radiusd daemon is allowed to send its logging information to this channel. It can be any of main, auth, acct, proxy, snmp. priority determines the minimum priority of the messages displayed by this channel. The priorities in ascending order are: debug, info, notice, warn, err, crit, alert, emerg.

The full category specification, category_spec, can take any of the following three forms:

category_name: Print the messages of given category.
priority: Print messages of all categories, abridged by given priority. If the priority is prefixed with `=', only messages with given priority will be displayed. If it is prefixed with `!', the messages with priority other than the specified will be displayed. Otherwise, the messages with priorities equal to or greater than the specified will be displayed.
category_name . priority: Print the messages of given category, abridged by given priority. The priority may be prefixed with either `=' or `!' as described above.

Additional category options valid for auth category are:

print-auth: Log individual authentications.
print-pass: Include passwords for successful authentications. It is very insecure, since all users' passwords will be echoed in the logfile. This option is provided only for debugging purposes.
print-failed-pass: Include passwords for failed authentications.

`channel` statement

Channels represent methods for recording logging information. Each channel has a unique name, and any categories which specify that name in a channel statement will use that channel.

radiusd can write logging information to files or send it to syslog. The file statement sends the channel's output to the named file (see section Naming Conventions). The syslog statement sends the channel's output to syslog with the specified facility and severity.

Channel options modify the data flowing through the channel:

print-pid: Add the process ID of the process generating the logging information.
print-cons: Also send the logging information to the system console.
print-category: Add the category name to the logging information.
print-priority
print-level: Add the priority name to the logging information.

Example of the `logging` statement

    logging {
            channel default {
                    file "radius.log";
                    print-category yes;
                    print-priority yes;
            };
            channel info {
                    file "radius.info";
                    print-pid yes;
                    print-cons yes;
                    print-priority yes;
            };
            channel notice {
                    syslog auth.notice;
            };
    
            category auth {
                    print-auth yes;
                    print-failed-pass yes;
            };
            category notice {
                    channel notice;
            };
            category info {
                    channel info;
            };
            category debug {
                    channel info;
                    level radiusd=1,files;
            };
    
            category *.!debug {
                    channel default;
            };
    };

`auth` statement

Syntax:

    auth {
            [ listen addr-list ; ]
            [ port number ; ]
            [ spawn bool ; ]
            [ max-requests number ; ]
            [ time-to-live number ; ]
            [ request-cleanup-delay number ; ]
            [ detail bool ; ]
            [ strip-names bool ; ]
            [ checkrad-assume-logged bool ; ]
            [ password-expire-warning number ; ]
    } ;

Usage:

The auth statement configures the parameters of the authentication service.

listen statement

This statement determines on which addresses radiusd will listen for incoming authentication requests. Its argument is a comma-separated list of items in the form ip:port-number. ip can be either an IP address in familiar "dotted-quad" notation or a hostname. :port-number part may be omitted, in which case the default authentication port is assumed.

If the listen statement is omitted, radiusd will accept incoming requests from any interface on the machine.

Numeric statements

port: Sets the number of UDP port to listen on for the authentication requests.
max-requests: Sets the maximum number of authentication requests in the queue. Any surplus requests will be discarded.
time-to-live: Sets the request time-to-live in seconds. The time-to-live is the time to wait for the completion of the request. If the request job isn't completed within this interval of time it is cleared, the corresponding child process killed and the request removed from the queue.
request-cleanup-delay: Sets the request cleanup delay in seconds, i.e. determines how long will the completed authentication request reside in the queue.
password-expire-warning: Sets the time interval for password expiration warning. If user's password expires within given number of seconds, radiusd will send a warning along with authentication-acknowledge response. Default is 0.

Boolean statements

spawn: Determines if radiusd should spawn a child to process the request.
detail: When set to true, radiusd will produce the detailed log of each received packet in the file `radacct/NASNAME/detail.auth'. (see section Naming Conventions).
strip-names: Determines whether radiusd should strip any prefixes/suffixes off the username before logging.
checkrad-assume-logged: radiusd consults the value of this variable when the NAS does not responds to checkrad queries (see section Checking Simultaneous Logins). If this variable is set to yes, the daemon will proceed as if the NAS returned "yes", i.e. it will assume the user is logged in. Otherwise radiusd assumes the user is not logged in.

`acct` statement

Syntax:

    acct {
            [ listen addr-list ; ]
            [ port number ; ]
            [ spawn bool ; ]
            [ detail bool; ]
            [ max-requests number ; ]
            [ time-to-live number ; ]
            [ request-cleanup-delay number ; ]
    } ;

Usage:

The acct statement configures the parameters of the accounting service.

listen statement

This statement determines on which addresses radiusd will listen for incoming accounting requests. Its argument is a comma-separated list of items in the form ip:port-number. ip can be either an IP address in familiar "dotted-quad" notation or a hostname. :port-number part may be omitted, in which case the default accounting port is assumed.

If the listen statement is omitted, radiusd will accept incoming requests from any interface on the machine.

Numeric statements

port: Sets the port number to listen for the authentication requests.
max-requests: Sets the maximum number of accounting requests in the queue. Any surplus requests will be discarded.
time-to-live: Sets the request time-to-live in seconds. The time-to-live is the time to wait for the completion of the request. If the request job isn't completed within this interval of time it is cleared, the corresponding child process killed and the request removed from the queue.
request-cleanup-delay: Sets the request cleanup delay in seconds, i.e. determines how long will the completed account request reside in the queue.

Boolean statements

spawn: Determines if radiusd should spawn a child to process the request.
detail: When set to false, disables detailed accounting (see section Detailed Request Accounting).

`proxy` statement

Syntax:

    proxy {
            [ max-requests number ; ]
            [ request-cleanup-delay number ; ]
    } ;

Usage:

The proxy statement configures the parameters of the proxy service.

Numeric statements

max-requests: Sets the maximum number of accounting requests in the queue. Any surplus requests will be discarded.
request-cleanup-delay: Sets the request cleanup delay in seconds, i.e. determines how long will the completed account request reside in the queue.

`usedbm` statement

Syntax:

    usedbm ( yes | no ) ;

Usage

The usedbm statement determines whether the DBM support should be enabled.

no: Do not use DBM support at all.
yes: Use only the DBM database and ignore `raddb/users'.

`snmp` statement

Syntax:

    snmp {
            [ port portno ; ]
            [ spawn bool ; ]
            [ max-requests number ; ]
            [ time-to-live number ; ]
            [ request-cleanup-delay number ; ]
            [ ident string ; ]
            [ community name ( rw | ro ) ; ]
            [ network name network [ network ... ] ; ]
            [ acl {
                    [ allow network_name community_name ; ]
                    [ deny network_name ; ]
            } ; ]
    };

Usage

The snmp statement configures the SNMP service.

Numeric statements

port: Sets the port number to listen for the SNMP requests.
max-requests: Sets the maximum number of SNMP requests in the queue. Any surplus requests will be discarded.
time-to-live: Sets the request time-to-live in seconds. The time-to-live is the time to wait for the completion of the request. If the request job isn't completed within this interval of time it is cleared, the corresponding child process killed and the request removed from the queue.
request-cleanup-delay: Sets the request cleanup delay in seconds, i.e. determines how long will the completed SNMP request reside in the queue.

Boolean statements

spawn: Determines if radiusd should spawn a child to process the SNMP request.

String statements

ident: Sets the SNMP server identification string.

Community and network definitions

community name ( rw | ro ): Defines the community name as read-write (rw) or read-only (ro).
network name network [ network ... ]: Groups several networks or hosts under one logical network name.

Access-Control List definitions

allow network_name community_name: allow hosts from the group network_name access to community community_name.
deny NETWORK_NAME: Deny access to SNMP service from any host in the group network_name.

`guile` statement

The guile statement allows to configure server interface with Guile.

Syntax

    guile {
            [ debug bool ; ]
            [ load-path string ; ]
            [ load string ; ]
    };

Usage

Boolean statements

debug: When set to yes, enables debugging evaluator and backtraces on Guile scripts.

String statements

load-path: Add specified pathname to %load-path variable.
load: Load the specified source file on startup.

For the detailed description of Guile extensions interface, See section Guile.

`message` statement

The message statement allows to set up the messages that are returned to the user with authentication-response packets.

Syntax

    message {
            [ account-closed string ; ]
            [ password-expired string ; ]
            [ password-expire-warning string ; ]
            [ access-denied string ; ]
            [ realm-quota string ; ]
            [ multiple-login string ; ]
            [ second-login string ; ]
            [ timespan-violation string ; ]
    };

All variables in message block take a string argument. In string you can use the usual C backslash notation to represent non-printable characters. The use of %C{} and %R{} sequences is also allowed (see section Macro Substitution).

String statements

account-closed

This message will be returned to the user whose account is administratively closed.

password-expired

This message will be returned to the user whose password has expired.

password-expire-warning

This is a warning message that will be returned along with an authentication-acknowledge packet for the user whose password will expire in less than n seconds. The value of n is set by password-expire-warning variable in auth block. See section auth statement. In this string, you can use the %R{Password-Expire-Days} substitution, to represent the actual number of days left to the expiration date. The default is

    Password Will Expire in %R{Password-Expire-Days} Days\r\n

access-denied

This message is returned to the user who supplies an incorrect password or a not-existent user-name as his authentication credentials.

realm-quota

This message is returned when the user is trying to log in using a realm, and number of users that are currently logged in from this realm reaches maximum value. For a description of realms, See section Realms.

multiple-login

This message is returned to the user, who has logged in more than allowed number of times. For description of how to set the maximum number of concurrent logins, see section Simultaneous-Use.

second-login

This is a special case of multiple-login, which is used when the user's login limit is 1.

timespan-violation

This message is returned to the user who is trying to login outside of allowed time interval. For description of how to limit user's login time, see section Login-Time.

Dictionary of Attributes -- `raddb/dictionary'

The dictionary file `raddb/dictionary' defines the symbolic names for radius attributes and their values (see section Attributes). The file consists of a series of statements. Each statement occupies one line.

In the detailed discussion below we use the following meta-syntactic characters:

number

Denotes a decimal, octal or hexagesimal number. Usual C conventions are honored, i.e. if number starts with `0x' or `0X' it is read as a hex number, if it starts with `0' it is read as an octal number, otherwise it is read as a decimal one.

type

Denotes an attribute type. These are valid attribute types:

string: A string type.
integer: An integer type.
ipaddr: IP address in a dotted-quad form.
date: A date in the format: "MON DD CCYY", where MON is the usual three-character abbreviation, DD is day of month (1-31), CCYY is the year, including the century.

There are following kinds of statements:

Comment: Introducing a comment line.
$INCLUDE: Include a file.
VENDOR: Define a vendor-id.
ATTRIBUTE: Define an attribute translation.
VALUE: Define a value translation.

Comments

Comments are introduced by a pound sign (`#'). Everything starting from the first occurrence of `#' up to the end of line is ignored.

$INCLUDE Statement

Syntax

    $INCLUDE `filename'

Usage

The $INCLUDE statement causes the contents of the file `filename' to be read in and processed. The file is looked up in the Radius database directory. See section Radius Configuration Files.

VENDOR Statement

Syntax

    VENDOR  Vendor-Name     number

Usage

A VENDOR statement defines the symbolic name for a Vendor-Id. This name can subsequently be used in ATTRIBUTE statements to define Vendor-Specific attribute translations. See section Vendor-Specific.

Example

    VENDOR          Livingston      307

ATTRIBUTE statement

Syntax

    ATTRIBUTE  name  number  type [vendor [flags]]

Usage

The ATTRIBUTE statement defines the translation for an attribute. Its parts have the following meaning:

name: The attribute name.
number: The attribute ID (number).
type: The attribute type.
vendor: Vendor name for vendor-specific attributes. For usual attributes this field is empty or contains a dash (`-').
flags: Flags, defining attribute properties (see section Attributes).

The attribute property flags consist of a sequence of letters, whose meaning is determined by the following rules: (2)

The attribute usage is described by three pairs of symbols, enclosed in square brackets. Each pair describes how the attribute can be used in each of three configuration files. The first pair corresponds to `raddb/users', the second one corresponds to `raddb/hints', and the third one corresponds to `raddb/huntgroups'. Within each pair, the letter `L' in first position means that the attribute is allowed in LHS of a rule. The letter `R' in second position means that the attribute is allowed in RHS of a rule. The absense of any of these letters is indicated by dash (`-'). Thus, the following usage specification:
```
            [L--RLR]
```
means that the attribute may be used in LHS of a rule in `raddb/users', in RHS of a rule in `raddb/hints', and in both sides of a rule in `raddb/huntgroups'.
The attribute additivity is described by one of the following letters:

=
Additivity = Replace
+
Additivity = Append
N
Additivity = None
The presence of letter `P' in property flags raises the propagation bit.

Example

    ATTRIBUTE  Service-Type  6 integer - [LR-RLR]=P

This statement assigns the translation string `Service-Type' to the attribute number 6. It allows the use of this attribute in any part of matching rules, except in LHS of a `raddb/hints' rule. The additivity of Service-Type is set to `Replace'. The attribute will be propagated through the proxy chain.

VALUE Statement

Syntax

    VALUE   Attribute-Translation       Value-Translation       number

Usage

The VALUE statement assigns a translation string to a given value of an integer attribute. Attribute-Translation specifies the attribute and the Value-Translation specifies the name assigned to the value number of this attribute.

Example

The following assigns the translation string `Login-User' to the value 1 of the attribute `Service-Type'.

    VALUE           Service-Type            Login-User              1

Clients List -- `raddb/clients'

The `raddb/clients' lists NASes which are allowed to make authentication requests. As usual, the `#' character introduces a comment. Each record in the file consists of two fields, separated by whitespace. The fields are:

NAS name: Specifies a hostname or IP address of the NAS.
Key: Lists the encryption key shared between the server and this NAS.

Example: An example of clients file.

Example of `clients' file

    # This is a list of clients which are allowed to make authentication 
    # requests.
    # Each record consists of two fields:
    #       i.  Valid hostname.
    #       ii. The shared encryption key for this hostname. 
    #
    #Client Name            Key
    #----------------       -------------------
    myhost.dom.ain          guessme         
    merlin                  emrys           
    11.10.10.10             secRet

NAS List -- `raddb/naslist'

The `raddb/naslist' file contains a list of NASes known to the Radius server. Each record in the file consist of three fields:

NAS name: Specifies a hostname or IP address of the NAS. The word `DEFAULT' may be used in this field to match any NAS. (3)
Short Name: This field defines a short name under which this NAS will be listed in logfiles. The short name is also used as a name of the subdirectory where the detailed logs are stored.
Type: Specifies the type of this NAS. Using this value radiusd determines the way to query NAS about the presence of a given user on it (see section Checking Simultaneous Logins). The two special types: `true' and `false', can be used to disable NAS querying. When the type field contains `true', radiusd assumes the user is logged in to the NAS, when it contains `false', radiusd assumes the user is not logged in. Otherwise, the type is used as a link to `nastypes' entry (see section NAS Types -- `raddb/nastypes').
Arguments: Additional arguments describing the NAS. Multiple arguments must be separated by commas. No intervening whitespace is allowed in this field.

There are two groups of nas arguments: nas-specific arguments and nas-querying arguments. Nas-specific arguments are used to modify a behavior of radiusd when sending or receiving the information to or from a particular NAS.

Nas-querying arguments control the way radiusd queries a NAS for confirmation of a user's session (see section Checking Simultaneous Logins). These arguments override the ones specified in `nastypes' and can thus be used to override the default values.

The nas-specific arguments currently implemented are:

broken_pass: This is a boolean argument that controls the encryption of user passwords, longer than 16 octets. By default, radiusd uses method specified by RFC 2865. However some NASes, most notably MAX Ascend series, implement a broken method of encoding long passwords. This flag instructs radiusd to use broken method of password encryption for the given NAS.

For the list of nas-querying arguments, See section NAS Types -- `raddb/nastypes'.

Example: Example of `naslist' file.

Example of `naslist' file

    # raddb/naslist: contains a list of Network Access Servers 
    #
    # Each record consists of following fields:
    #
    #       i.      A valid hostname or IP address for the client.
    #       ii.     The short name to use in the logfiles for this NAS.
    #       iii.    Type of device. Valid values are `true', `false' and
    #               those defined in raddb/nastypes file.
    
    # NAS Name              Short Name      Type
    #----------------       ----------      ----
    myhost.dom.ain          myhost          unix
    merlin                  merlin          max 
    11.10.10.10             arthur          livingston

NAS Types -- `raddb/nastypes'

The `raddb/nastypes' file describes the ways to query NASes about active user sessions.

Syntax: Syntax described.
Example: Example of nastypes file.
Predefined NAS Types: NAS types defined in standard nastypes file.

Syntax of `raddb/nastypes'

Syntax

Each record consists of three fields separated by any amount of whitespace. The fields are:

Type: Type of the NAS which is described in this record.
Method: Method to use to query a NAS of given type.
Arguments: Arguments to pass to this method. Each argument is a pair arg=value, where arg is its name and value is a value assigned to it. The list of predefined argument names follows. Please note, that no intervening whitespace is allowed in this field.

Methods

Version 0.96 of GNU Radius supports two querying methods: finger and snmp.

Arguments

In the discussion below n means numeric and s string value.

The following arguments are predefined:

Common for all methods

function=s: Specifies the check function to use with this method (see section Login Verification Functions). This argument must be present. For description of how this function is applied, see section Checking Simultaneous Logins.
port=n: Use port number n instead of the default for the given method.

Method snmp

password=s: Use community s instead of the default. This argument must be present.
retries=n: Retry n times before giving up.
timeout=n: Timeout n seconds on each retry.

Method finger

timeout=n: Give up if the NAS does not respond within n seconds.
notcp
tcp=0: Disable the use of T/TCP for hosts with a broken TCP implementation.
arg=subst: Send subst to finger, instead of username. subst must be one of macro variables, described below.

Macro variables

The following macro-variables are recognized and substituted when encountered in the value pair of an argument:

`%u ': Expands to username.
`%s ': Expands to session id.
`%d ': Expands to session id converted to decimal representation.
`%p ': Expands to port number.
`%P ': Expands to port number + 1.

Example of nastypes file.

Please note, that in the following example the long lines are broken into several lines for readability.

    # Type     Method          Args
    # ----     ------          ----
    unix       finger       function=check_unix
    max-f      finger       function=check_max_finger
    max        snmp         oid=.1.3.6.1.4.1.529.12.3.1.4.%d,
                            function=check_snmp_u
    as5300-f   finger       function=check_as5300_finger
    as5300     snmp         oid=.1.3.6.1.4.1.9.9.150.1.1.3.1.2.%d,
                            function=check_snmp_u
    livingston snmp         oid=.1.3.6.1.4.1.307.3.2.1.1.1.5.%P,
                            function=check_snmp_s

Standard NAS types

The `nastypes' shipped with version 0.96 of GNU Radius defines following NAS types:

unix -- UNIX boxes running Finger

This type suits for UNIX boxes running finger service able to return information about dial-up users active on them. To enable finger checking of a unix host add following to your `naslist' file:

    #Hostname       Shortname   Type
    #--------       ---------   ----
    nas.name        T           unix

max-f -- MAX Ascend with Finger

Use this type if you have MAX Ascend terminal server that answers finger queries. The `naslist' entry for such NAS will look like:

    #Hostname       Shortname   Type  Flags
    #--------       ---------   ----  -----
    nas.name        T           max-f broken_pass

Please note the use of broken_pass flag. It is needed for most MAX Ascend servers (see section NAS List -- `raddb/naslist').

max -- MAX Ascend, answering SNMP

Use this type if you have MAX Ascend terminal server that answers SNMP queries. The `naslist' entry for such NAS will look like:

    #Hostname       Shortname   Type  Flags
    #--------       ---------   ----  -----
    nas.name        T           max-f broken_pass,community=comm

Replace comm with your actual SNMP community name.

as5300-f -- Cisco AS5300 running finger

as5300 -- Cisco AS5300 answering SNMP

livingston -- Livingston Portmaster

Type livingston queries portmaster using SNMP.

Request Processing Hints -- `raddb/hints'

The `raddb/hints' file is used to modify the contents of the incoming request depending on the username. For a detailed description of this, See section Hints.

The file contains data in Matching Rule format (see section Matching Rule).

The only attributes that can be used in the check list are:

Suffix
Prefix
Group
User-ID

Example: An example of `hints' file.

Example of `hints' file

    ## If the username starts with `U', append the UUCP hint 
    DEFAULT         Prefix = "U", Strip-User-Name = No
                    Hint = "UUCP"
    ## If the username ends with `.slip', append the SLIP service data
    ## and remove the suffix from the user name.
    DEFAULT         Suffix = ".slip",
                       Strip-User-Name = Yes
                    Hint = "SLIP",
                       Service-Type = Framed-User,
                       Framed-Protocol = SLIP

Huntgroups -- `raddb/huntgroups'

The `raddb/huntgroups' contains the definitions of the huntgroups. For a detailed description of huntgroup concept, See section Huntgroups.

The file contains data in Matching Rule format (see section Matching Rule).

Example: An example of the `huntgroups' file.

Example of `huntgroups' file.

    ## This defines the packet rewriting function for the server 11.10.10.11
    DEFAULT NAS-IP-Address = 11.10.10.11, Rewrite-Function = "max_fixup"
            NULL

List of Proxy Realms -- `raddb/realms'

The `raddb/realms' file lists remote Radius servers that are allowed to communicate with the local Radius server (see section Proxying).

Each record consists of up to three fields, separated by whitespace. Two of them are mandatory. The fields are:

Realm name

Specifies the name of the realm being defined, i.e. part of the login name after the `@' symbol. The special realm name `NOREALM' defines the empty realm, the name `DEFAULT' defines the default realm (see section Realms).

Remote server

Specifies the remote server to which the requests for this realm should be forwarded. The syntax for this field is

    servername[:auth-port[:acct-port]]

Optional auth-port and acct-port are the authentication and accounting port numbers. If acct-port is omitted, it is computed as auth-port + 1. If auth-port is omitted, the default authentication port number is used.

Flags (optional)

The flags meaningful in `raddb/realms' are

strip: Boolean value. Controls whether the realm name should be stripped off the username before forwarding the request to the remote server. Setting strip enables stripping, setting nostrip disables it. Default is to always strip user names.
quota=num: Set maximum number of concurrent logins allowed from this realm to the given value (num).

Example: An example of `realms' file.

Example of `realms' file

Example 1.

    # Realm                 Remote server[:port]            flags
    #----------------       ---------------------           --------
    that.net                radius.that.net                 nostrip
    dom.ain                 server.dom.ain:3000             strip,quota=20

Example 2.

    # Realm                 Remote server[:port]            flags
    #----------------       ---------------------           --------
    NOREALM                 radius.server.net               
    that.net                radius.that.net                 nostrip
    dom.ain                 server.dom.ain:3000             strip,quota=20

User Profiles -- `raddb/users'

File `raddb/users' contains the list of User Profiles. For a description of its purpose, See section User Profiles.

Example: An example of `users' file.

Example of `users' file

    ## The following entry is matched when the user appends ``.ppp'' to his
    ## username when logging in.
    ## The suffix is removed from the user name, then the password is
    ## looked up in the SQL database.
    ## Users may log in at any time. They get PPP service.
    DEFAULT Suffix = ".ppp",
                    Auth-Type = SQL,
                    Login-Time = "Al",
                    Simultaneous-Use = 1,
                    Strip-User-Name = Yes
            Service-Type = Framed-User,
                    Framed-Protocol = PPP
    
    ## This is for SLIP users.
    ## This entry is matched when the auth request matches ``SLIP'' hint
    DEFAULT Hint = "SLIP",
                    Auth-Type = Mysql
            Service-Type = Framed-User
                    Framed-Protocol = SLIP
    
    ## The following authenticates users using system passwd files.
    ## The users are allowed to log in from 7:55 to 23:05 on any weekday,
    ## except the weekend, and from 07:55 to 12:00 on Sunday.
    ## Only one login is allowed per user.
    ## The program telauth is used to further check the authentication
    ## information and provide the reply pairs
    ## Note the use of backslashes to split a long line.
    DEFAULT Auth-Type = System,
                    Login-Time = "Wk0755-2305,Su0755-1200",
                    Simultaneous-Use = 1
            Exec-Program-Wait = "/usr/local/sbin/telauth \
                                 %C{User-Name} \
                                 %C{Calling-Station-Id} \
                                 %C{NAS-IP-Address} \
                                 %C{NAS-Port-Id}"
    
    ## This particular user is authenticated via PAM. He is presented a
    ## choice from `raddb/menus/menu1' file.
    gray    Auth-Type = Pam
            Menu = menu1

List of Blocked Users -- `raddb/access.deny'

The `raddb/access.deny' file contains a list of user names which are not allowed to log in via Radius. Each user name is listed on a separate line. As usual, the `#' character introduces an end-of-line comment.

SQL Configuration -- `raddb/sqlserver'

The `raddb/sqlserver' file configures the connection to SQL server.

The file uses simple line-oriented `keyword -- value' format. Comments are introduced by `#' character.

The `sqlserver' statements can logically be subdivided into following groups: SQL Client Parameters, configuring the connection between SQL client and the server, Authentication Server Parameters, Authorization Parameters, and Accounting server parameters.

SQL Client Parameters

These parameters configure various aspects of connection between SQL client and the server.

interface iface-type: Specifies the SQL interface to use. Currently supported values for iface-type are mysql and postgres. Depending on this, the default communication port number is set: it is 3306 for interface mysql and 5432 for interface postgres. Use of this statement is only meaningful when the package was configured with both --with-mysql and --with-postgres option.
server string: Specifies the hostname or IP address of the SQL server.
port number: Sets the SQL communicaton port number. It can be omitted if your server uses the default port.
login string: Sets the SQL user login name.
password password: Sets the SQL user password.
keepopen bool: Specify whether radiusd should try to keep the connection open. When set to no (the default), radiusd will open new connection before the transaction and close it right after finishing it. We recommend setting keepopen to yes for heavily loaded servers, since opening the new connection can take a substantial amount of time and slow down the operation considerably.
idle_timeout number: Set idle timeout in seconds for an open SQL connection. The connection is closed if it remains inactive longer that this amount of time.

Authentication Server Parameters

These parameters configure the SQL authentication. The general syntax is:

doauth bool: When set to yes, enables authentication via SQL. All auth_ keywords are ignored if doauth is set to no.
auth_max_connections bool: Specifies the maximum number of authentication SQL connections to keep open. This parameter is ignored if keepopen is set to no.
auth_db string: Specifies the name of the database containing authentication information.
auth_query string: Specifies the SQL query to be used to obtain user's password from the database. The query should return exactly one string value -- the password.
group_query string: Specifies the query that retrieves the list of user groups the user belongs to. This query is used when Group or Group-Name attribute appears in the LHS of a user's or hint's profile.

Example of Authentication Server Parameters

Let's suppose the authentication information is kept in the tables passwd and groups.

The passwd table contains user passwords. A user is allowed to have different passwords for different services. The table structure is:

    CREATE TABLE passwd (
      user_name           varchar(32) binary default '' not null,
      service             char(16) default 'Framed-PPP' not null,
      password            char(64) 
    );

Additionally, the table groups contains information about user groups a particular user belongs to. Its structure is:

    CREATE TABLE groups (
      user_name           char(32) binary default '' not null,
      user_group          char(32) 
    );

The queries used to retrieve the information from these tables will then look like:

    auth_query  SELECT password
                FROM passwd
                WHERE user_name = '%C{User-Name}'
                AND service = '%C{Auth-Data}'
    
    group_query SELECT user_group
                FROM groups
                WHERE user_name = '%C{User-Name}'

It is supposed, that the information about the particular service a user is wishing to obtain, will be kept in Auth-Data attribute in LHS of a user's profile.

Authorization Parameters

These parameters define queries used to retrieve the authorization information from the SQL database. All the queries refer to the authentication database.

check_attr_query string

This query must return a list of triplets:

    attr-name, attr-value, opcode

The query is executed before comparing the request with the profile entry. The values returned by the query are added to LHS of the entry. opcode here means one of valid operation codes: `=', `!=', `<', `>', `<=', `>='.

reply_attr_query string

This query must return pairs:

    attr-name, attr-value

The query is executed after a successful match, the values it returns are added to the RHS list of the matched entry, and are therefore returned to the NAS in the reply packet.

Example of Authorization Parameters

Suppose your attribute information is stored in a SQL table of the following structure:

    CREATE TABLE attrib (
      user_name varchar(32) default '' not null,
      attr      char(32) default '' not null,
      value     char(128),
      op enum("=", "!=", "<", ">", "<=", ">=") default null
    );

Each row of the table contains the attribute-value pair for a given user. If op field is NULL, the row describes LHS (check) pair. Otherwise, it describes a RHS (reply) pair. The authorization queries for this table will look as follows:

    check_attr_query  SELECT attr,value,op \
                      FROM attrib \
                      WHERE user_name='%u' \
                      AND op IS NOT NULL
    
    reply_attr_query  SELECT attr,value \
                      FROM attrib \
                      WHERE user_name='%u' \
                      AND op IS NULL

Now, let's suppose the `raddb/users' contains only one entry:

    DEFAULT Auth-Type = SQL
            Service-Type = Framed-User

And the attrib table contains following rows:

=10.10.10.11 @tab NULL

user_name	attr	value	op
`jsmith`	`NAS-IP-Address`	`10.10.10.1`
`jsmith`	`NAS-Port-Id`	`20`	`<=`
`jsmith`	`Framed-Protocol`	`PPP`	`NULL`
`jsmith`	`Framed-IP-Address`

Then, when the user jsmith is trying to authenticate, the following happens:

Radius finds the matching entry (DEFAULT) in the `raddb/users'.
It queries the database using the check_attr_query. The triplets it returns are then added to the LHS of the profile entry. Thus, the LHS will contain:
```
    Auth-Type = SQL,
    NAS-IP-Address = 10.10.10.1,
    NAS-Port-Id <= 20
```
Radius compares the incoming request with the LHS pairs thus obtained. If the comparison fails, it rejects the authentication. Please note, that the Auth-Type attributes itself triggers execution of auth_query, described in the previous section.
After a successful authentication, Radius queries the database, using reply_attr_query, and adds its return to the list of RHS pairs. The RHS pairs will then be:
```
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 10.10.10.11
```
This list is returned to the NAS along with the authentication accept packet.

Thus, this configuration allows the user jsmith to use only NAS 10.10.10.1, ports from 1 to 20 inclusive. If the user meets these conditions, he is allowed to use PPP service, and is assigned IP address 10.10.10.11.

Accounting Parameters

To perform the SQL accounting radiusd needs to know the database where it is to store the accounting information. This information is supplied by the following statements:

doacct bool: When set to yes enables SQL accounting. All acct_ keywords are ignored if doacct is set to no.
acct_db string: Specifies the name of the database where the accounting information is to be stored.
acct_max_connections number: Specifies the maximum number of accounting SQL connections to keep open. This parameter is ignored if keepopen is set to no.

Further, radiusd needs to know which information it is to store into the database and when. Each of five accounting request types (see section Accounting Requests) has a SQL query associated with it. Thus, when radius receives an accounting request, it determines the query to use by the value of Acct-Status-Type attribute.

Following statemens define the accounting queries:

acct_start_query string: Specifies the SQL query to be used when Session Start Packet is received. Typically, this would be some INSERT statement (see section Writing SQL Accounting Query Templates).
acct_stop_query string: Specifies the SQL query to be used when Session Stop Packet is received. Typically, this would be some UPDATE statement.
acct_stop_query string: Specifies the SQL query to be executed upon arrival of a Keepalive Packet. Typically, this would be some UPDATE statement.
acct_nasup_query string: Specifies the SQL query to be used upon arrival of an Accounting Off Packet.
acct_nasdown_query string: Specifies the SQL query to be used when a NAS sends Accounting On Packet.

None of these queries should return any values.

Queries: Writing SQL acounting query templates.

Writing SQL Accounting Query Templates

Let's suppose you have an accounting table of the following structure:

    CREATE TABLE calls (
      status              int(3),
      user_name           char(32),
      event_date_time     datetime DEFAULT '0000-00-00 00:00:00' NOT NULL,
      nas_ip_address      char(17),
      nas_port_id         int(6),
      acct_session_id     char(16) DEFAULT '' NOT NULL,
      acct_session_time   int(11),
      acct_input_octets   int(11),
      acct_output_octets  int(11),
      connect_term_reason int(4),
      framed_ip_address   char(17),
      called_station_id   char(32),
      calling_station_id  char(32)
    );

On receiving the Session Start Packet we would insert a record into this table with status set to 1. At this point the columns acct_session_time, acct_input_octets, acct_output_octets as well as connect_term_reason are unknown, so we will set them to 0:

    # Query to be used on session start
    acct_start_query     INSERT INTO calls \
                         VALUES(%C{Acct-Status-Type},\
                                '%u',\
                                '%G',\
                                '%C{NAS-IP-Address}',\
                                %C{NAS-Port-Id},\
                                '%C{Acct-Session-Id}',\
                                0,\
                                0,\
                                0,\
                                0,\
                                '%C{Framed-IP-Address}',\
                                '%C{Called-Station-Id}',\
                                '%C{Calling-Station-Id}')

Then, when the Session Stop Packet request arrives we will look up the record having status = 1, user_name matching the value of User-Name attribute, and acct_session_id matching that of Acct-Session-Id attribute. Once the record is found, we will update it, setting

    status = 2
    acct_session_time = value of Acct-Session-Time attribute
    acct_input_octets = value of Acct-Input-Octets attribute
    acct_output_octets = value of Acct-Output-Octets attribute
    connect_term_reason = value of Acct-Terminate-Cause attribute

Thus, every record with status = 1 will represent the active session and every record with status = 2 will represent the finished and correctly closed record. The constructed acct_stop_query is then:

    # Query to be used on session end
    acct_stop_query      UPDATE calls \
                         SET status=%C{Acct-Status-Type},\
                             acct_session_time=%C{Acct-Session-Time},\
                             acct_input_octets=%C{Acct-Input-Octets},\
                             acct_output_octets=%C{Acct-Output-Octets},\
                             connect_term_reason=%C{Acct-Terminate-Cause} \
                         WHERE user_name='%C{User-Name}' \
                         AND status = 1 \
                         AND acct_session_id='%C{Acct-Session-Id}'

Upon receiving a Keepalive Packet we will update the information stored with acct_start_query:

    acct_alive_query  UPDATE calls \
                      SET acct_session_time=%C{Acct-Session-Time},\
                          acct_input_octets=%C{Acct-Input-Octets},\
                          acct_output_octets=%C{Acct-Output-Octets},\
                          framed_ip_address=%C{Framed-IP-Address} \
                      WHERE user_name='%C{User-Name}' \
                      AND status = 1 \
                      AND acct_session_id='%C{Acct-Session-Id}'

Further, there may be times when it is necessary to bring some NAS down. To correctly close the currently active sessions on this NAS we will define a acct_nasdown_query so that it would set status column to 2 and update acct_session_time in all records having status = 1 and nas_ip_address equal to IP address of the NAS. Thus, all sessions on a given NAS will be closed correctly when it brought down. The acct_session_time can be computed as difference between the current time and the time stored in event_date_time column:

    # Query to be used when a NAS goes down, i.e. when it sends 
    # Accounting-Off packet
    acct_nasdown_query UPDATE calls \
                       SET status=2,\
                           acct_session_time=unix_timestamp(now())-\
                                   unix_timestamp(event_date_time) \
                       WHERE status=1 \
                       AND nas_ip_address='%C{NAS-IP-Address}'

We have not covered only one case: when a NAS crashes, e.g. due to a power failure. In this case it does not have a time to send Accounting-Off request and all its records remain open. But when the power supply is restored, the NAS will send an Accounting On packet, so we define a acct_nasup_query to set status column to 3 and update acct_session_time in all open records belonging to this NAS. Thus we will know that each record having status = 3 represents a crashed session. The query constructed will be:

    # Query to be used when a NAS goes up, i.e. when it sends 
    # Accounting-On packet
    acct_nasup_query   UPDATE calls \
                       SET status=3,\
                           acct_session_time=unix_timestamp(now())-\
                                   unix_timestamp(event_date_time) \
                       WHERE status=1 \
                       AND nas_ip_address='%C{NAS-IP-Address}'

Rewrite functions -- `raddb/rewrite'

The file `raddb/rewrite' contains definitions of Rewrite extension functions. For information regarding Rewrite extension language See section Rewrite.

Login Menus -- `raddb/menus'

The menus is a way to allow user the choice between various services he could be provided. The menu functionality is enabled when Radius is compiled with --enable-livingston-menus option.

A user is presented a menu after it is authenticated if the RHS of his profile record consists of a single A/V pair in the form:

    Menu = <menu-name>

The menu files are stored in directory `raddb/menus'.

Syntax: A menu file syntax.
Example: An example of menu files.

A menu file syntax.

A menu file is a text file containing a menu declaration and any number of choice descriptions. The menus can be nested to an arbitrary depth.

A comment is introduced by a `#' character. All characters from this one up to the end of line are discarded.

The menu declaration is contained between the words `menu' and `end'. Each of these must be the only word on a line and must start in column 1.

Choice descriptions follow the menu declaration. Each description starts with a line containing choice identifier. A choice identifier is an arbitrary word identifying this choice, or a word `DEFAULT'. It is followed by comma-separated list of A/V pairs which will be returned to the server when a user selects this choice.

An example of menu files

Single-Level Menu

Suppose the following file is stored under `raddb/menus/menu1':

    menu
            *** Welcome EEE user! ***
    Please select an option:
    
            1. Start CSLIP session
            2. Start PPP session
            3. Quit
    
            Option:
    end
    # CSLIP choice
    # Framed-IP-Address of 255.255.255.254 indicates that the NAS should
    # select an address for the user from its own IP pool.
    1
            Service-Type = Framed-User,
            Framed-Protocol = SLIP,
            Framed-IP-Address = 255.255.255.254,
            Termination-Menu = "menu1"
    # PPP choice
    2
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-IP-Address = 255.255.255.254,
            Termination-Menu = "menu1"
    # A special menu EXIT means abort the session
    3
            Menu = "EXIT"
    # Return to this menu if no valid choice have been entered 
    DEFAULT
            Menu = "menu1"

Now, suppose the `raddb/users' contains the following profile entry:

    DEFAULT Auth-Type = System
            Menu = "menu1"

and user `jsmith' has a valid system account and tries to log in from some NAS. Upon authenticating the user, the Radius server sees that his reply pairs contain the Menu attribute. Radius then sends Access-Challenge packet to the NAS with the text of the menu in it. The `jsmith' then sees on his terminal:

            *** Welcome EEE user! ***
    Please select an option:
    
            1. Start CSLIP session
            2. Start PPP session
            3. Quit
    
            Option:

He then enters `2'. The NAS sends the Access-Request packet to the server, which sees that user wishes to use option 2 and replies to the NAS with an Access-Accept packet containing the following attributes:

            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-IP-Address = 255.255.255.254,
            Termination-Menu = "menu1"

The Termination-Menu in this list makes sure the same process will continue when `jsmith' logs out, i.e. he will be presented the same menu again until he enters choice `3' which will disconnect him.

Nested menus

In this example, the `other' choice refers to the menu above.

    menu
            *** Welcome here! ***
    Please enter an option:
            ppp     ---     Start PPP session
            telnet  ---     Begin guest login session
            other   ---     Select other option
    
            Enter your choice:
    end
    ppp
            Service-Type = Framed-User,
            Framed-Protocol = PPP
    telnet
            Service-Type = Login-User,
            Login-IP-Host = 10.11.11.7,
            Login-Service = Telnet,
            Login-TCP-Port = 23
    other
            Menu = "menu1"
    DEFAULT
            menu = "menu2"

Macro Substitution

Some statements in the configuration files need to use the actual values of the attributes supplied with the request. These are:

Exec-Program and Exec-Program-Wait assignments in `users' database
SQL query templates in `sqlserver'

In these statements the following macros are replaced by the value of corresponding attributes:

%Cnum: (num is a decimal number). This variable is replaced by the value of attribute number `num'. The attribute is looked up in the incoming request pairlist.
%C{attr-name}: This is replaced by the value of attribute named `attr-name'. The attribute is looked up in the incoming request pairlist.
%Rnum: (num is a decimal number). This variable is replaced by the value of attribute number `num'. The attribute is looked up in the reply pairlist.
%R{attr-name}: This is replaced by the value of attribute named `attr-name'. The attribute is looked up in the reply pairlist.
%D: This is replaced by current date/time (localtime).
%G: This is replaced by current date/time in GMT.

The "`{}' form" allows to specify default value for the substitution. The default value will be used when no such attribute is encountered in the pairlist. The syntax for specifying the default value resembles that of shell environment variables.

The substitution %C{attr-name:-defval} is expanded to the value of attr-name attribute, if it is present in the request pairlist, and to defval otherwise. For example:

            %C{Acct-Session-Time:-0}

will return the value of Acct-Session-Time attribute or 0 if it doesn't exist in the request pairlist.

The substitition %C{attr-name:=defval} is expanded to the value of attr-name attribute. If this attribute is not present in the request pairlist, it will be created and assigned the value defval. E.g.:

            %C{Acct-Session-Time:=0}

The substitution %C{attr-name:?message} is expanded to the value of attr-name attribute, if it is present. Otherwise the diagnostic message "attr-name: message" is issued to the log error channel, and string "message" is returned.

The substitition %C{attr-name:+retval} is expanded to empty string if the attribute attr-name is present in the referenced pairlist. Othervise it is expanded to retval.

You can also use the following shortcuts:

%p: Port number
%n: NAS IP address
%f: Framed IP address
%u: User name
%c: Callback-Number
%i: Calling-Station-Id
%t: MTU
%a: Protocol (SLIP/PPP)
%s: Speed (Connect-Info attribute)

Go to the first, previous, next, last section, table of contents.