FreeRADIUS Virtual Hosts Configuration

######################################################################
#
#
As of 2.0.0, FreeRADIUS supports virtual hosts using the
#
"server" section, and configuration directives.
#
#
Virtual hosts should be put into the "sites-available"
#
directory. Soft links should be created in the "sites-enabled"
#
directory to these files. This is done in a normal installation.
#
#
If you are using 802.1X (EAP) authentication, please see also
#
the "inner-tunnel" virtual server. You will likely have to edit
#
that, too, for authentication to work.
#
#
$Id: 1c971b91af0989695896f7dbd31ae8befbafca76 $
#
######################################################################
#
#
Read "man radiusd" before editing this file. See the section
#
titled DEBUGGING. It outlines a method where you can quickly
#
obtain the configuration you want, without running into
#
trouble. See also "man unlang", which documents the format
#
of this file.
#
#
This configuration is designed to work in the widest possible
#
set of circumstances, with the widest possible number of
#
authentication methods. This means that in general, you should
#
need to make very few changes to this file.
#
#
The best way to configure the server for your local system
#
is to CAREFULLY edit this file. Most attempts to make large
#
edits to this file will BREAK THE SERVER. Any edits should
#
be small, and tested by running the server with "radiusd -X".
#
Once the edits have been verified to work, save a copy of these
#
configuration files somewhere. (e.g. as a "tar" file). Then,
#
make more edits, and test, as above.
#
#
There are many "commented out" references to modules such
#
as ldap, sql, etc. These references serve as place-holders.
#
If you need the functionality of that module, then configure
#
it in radiusd.conf, and un-comment the references to it in
#
this file. In most cases, those small changes will result
#
in the server being able to connect to the DB, and to
#
authenticate users.
#
######################################################################
server default {
#
# If you want the server to listen on additional addresses, or on
# additional ports, you can use multiple "listen" sections.
#
# Each section make the server listen for only one type of packet,
# therefore authentication and accounting have to be configured in
# different sections.
#
# The server ignore all "listen" section if you are using '-i' and '-p'
# on the command line.
#
listen {
# Type of packets to listen for.
# Allowed values are:

#
auth
listen for authentication packets
#
acct
listen for accounting packets
#
proxy IP to use for sending proxied packets
#
detail Read from the detail file. For examples, see
#
raddb/sites-available/copy-acct-to-home-server
#
status listen for Status-Server packets. For examples,
#
see raddb/sites-available/status
#
coa
listen for CoA-Request and Disconnect-Request
#
packets. For examples, see the file
#
raddb/sites-available/coa
#
type = auth
#
#
#
#
#
#
#
#
#
#
#
Note: "type = proxy" lets you control the source IP used for
proxying packets, with some limitations:
* A proxy listener CANNOT be used in a virtual server section.
* You should probably set "port = 0".
* Any "clients" configuration will be ignored.
See also proxy.conf, and the "src_ipaddr" configuration entry
in the sample "home_server" section. When you specify the
source IP address for packets sent to a home server, the
proxy listeners are automatically created.
# ipaddr/ipv4addr/ipv6addr - IP address on which to listen.

# Out of several options the first one will be used.
#
#
IPv4 address (e.g. 1.2.3.4, for ipv4addr/ipaddr)
#
IPv6 address (e.g. 2001:db8::1, for ipv6addr/ipaddr)
#
hostname
(radius.example.com,
#
A record for ipv4addr,
#
AAAA record for ipv6addr,
#
A or AAAA record for ipaddr)
#
wildcard
(*)
#
# ipv4addr = *
# ipv6addr = *
ipaddr = *
# Port on which to listen.
#
integer port number (1812)
#
0 means "use /etc/services for the proper port"
port = 0
# Some systems support binding to an interface, in addition

# to the IP address. This feature isn't strictly necessary,
# but for sites with many IP addresses on one interface,
# it's useful to say "listen on all addresses for eth0".
#
# If your system does not support this feature, you will
# get an error if you try to use it.
#
interface = eth0
# Per-socket lists of clients. This is a very useful feature.
#
# The name here is a reference to a section elsewhere in

# radiusd.conf, or clients.conf. Having the name as
# a reference allows multiple sockets to use the same
# set of clients.
#
# If this configuration is used, then the global list of clients
# is IGNORED for this "listen" section. Take care configuring
# this feature, to ensure you don't accidentally disable a
# client you need.
#
# See clients.conf for the configuration of "per_socket_clients".
#
clients = per_socket_clients
#
# Connection limiting for sockets with "proto = tcp".
#
# This section is ignored for other kinds of sockets.
#
limit {
#
# Limit the number of simultaneous TCP connections to the socket
#
# The default is 16.
# Setting this to 0 means "no limit"
max_connections = 16
# The per-socket "max_requests" option does not exist.
#
# The lifetime, in seconds, of a TCP connection. After
# this lifetime, the connection will be closed.
#
# Setting this to 0 means "forever".
lifetime = 0
#
# The idle timeout, in seconds, of a TCP connection.
# If no packets have been received over the connection for
# this time, the connection will be closed.
#
# Setting this to 0 means "no timeout".
#
# We STRONGLY RECOMMEND that you set an idle timeout.
#
idle_timeout = 30
}
}
#
# This second "listen" section is for listening on the accounting
# port, too.
#
listen {
ipaddr = *
#
ipv6addr = ::
port = 0
type = acct
#
interface = eth0
#
limit {
#
#
#
#
#
#
#
#
#
#
#
The number of packets received can be rate limited via the

"max_pps" configuration item. When it is set, the server
tracks the total number of packets received in the previous
second. If the count is greater than "max_pps", then the
new packet is silently discarded. This helps the server
deal with overload situations.
The packets/s counter is tracked in a sliding window. This
means that the pps calculation is done for the second
before the current packet was received. NOT for the current
wall-clock second, and NOT for the previous wall-clock second
.
#
# Useful values are 0 (no limit), or 100 to 10000.
# Values lower than 100 will likely cause the server to ignore
# normal traffic. Few systems are capable of handling more tha
n
# 10K packets/s.
#
# It is most useful for accounting systems. Set it to 50%
# more than the normal accounting load, and you can be sure tha
t
#
# the server will never get overloaded

#
max_pps = 0
#
#
#
# Only for "proto = tcp". These are ignored for "udp" sockets.
#
idle_timeout = 0
lifetime = 0
max_connections = 0
}
}
# IPv6 versions of the above - read their full config to understand options
listen {
type = auth
ipv6addr = :: # any. ::1 == localhost
port = 0
#
interface = eth0
#
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipv6addr = ::
port = 0
type = acct
#
interface = eth0
#
limit {
#
#
max_pps = 0
idle_timeout = 0
#
#
lifetime = 0
max_connections = 0
}
}
# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the "users" file.
#
# Any changes made here should also be made to the "inner-tunnel"
# virtual server.
#
# The order of the realm modules will determine the order that
# we try to find a matching realm.
#
# Make *sure* that 'preprocess' comes before any realm if you
# need to setup hints for the remote radius server
authorize {
#
# Take a User-Name, and perform some checks on it, for spaces and other
# invalid characters. If the User-Name appears invalid, reject the
# request.
#
# See policy.d/filter for the definition of the filter_username policy.
#
#filter_username
#
# The preprocess module takes care of sanitizing some bizarre
# attributes in the request, and turning them into attributes
# which are more standard.
#
# It takes care of processing the 'raddb/hints' and the
# 'raddb/huntgroups' files.
preprocess
update request {
Huntgroup-Name := "%{sql:select groupname from radhuntgroup wher
e nasipaddress='%{NAS-IP-Address}'}"
}
if ("%{sql:INSERT INTO radprotologs (datetime, username, protomsg, nasip
, nasportid) VALUES (SYSDATE,'%{User-Name}','Access-Request' ,'%{NAS-IP-Address}
' ,'%{NAS-Port-Id}')}") {
ok
}
if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f
]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){
update request {
Calling-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}
-%{6}}"
}
}
else {
noop
}
#
#
#
#
If you intend to use CUI and you require that the Operator-Name
be set for CUI generation and you want to generate CUI also
for your local clients then uncomment the operator-name
below and set the operator-name for your clients in clients.conf
operator-name
#
# If you want to generate CUI for some clients that do not
# send proper CUI requests, then uncomment the
# cui below and set "add_cui = yes" for these clients in clients.conf
cui
#
# If you want to have a log of authentication requests,
# un-comment the following line.
auth_log
#
# The chap module will set 'Auth-Type := CHAP' if we are
# handling a CHAP request and Auth-Type has not already been set
chap
#
# If the users are logging in with an MS-CHAP-Challenge
# attribute for authentication, the mschap module will find
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
# to the request, which will cause the server to then use
# the mschap module for authentication.
mschap
#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authenticate' section.
digest
#
# The WiMAX specification says that the Calling-Station-Id
# is 6 octets of the MAC. This definition conflicts with
# RFC 3580, and all common RADIUS practices. Un-commenting
# the "wimax" module here means that it will fix the
# Calling-Station-Id attribute to the normal format as
# specified in RFC 3580 Section 3.21
wimax
#
# Look for IPASS style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
IPASS
#
#
#
# If you are using multiple kinds of realms, you probably
# want to set "ignore_null = yes" for all of them.
# Otherwise, when the first style of realm doesn't match,
# the other styles won't be checked.
#
suffix
ntdomain
#
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
# authentication.
#
# It also sets the EAP-Type attribute in the request

# attribute list to the EAP type from the packet.
#
# As of 2.0, the EAP module returns "ok" in the authorize stage
# for TTLS and PEAP. In 1.x, it never returned "ok" here, so
# this change is compatible with older configurations.
#
# The example below uses module failover to avoid querying all
# of the following modules if the EAP module returns "ok".
# Therefore, your LDAP and/or SQL servers will not be queried
# for the many packets that go back and forth to set up TTLS
# or PEAP. The load on those servers will therefore be reduced.
#
#eap {
#
ok = return
#}
#
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
# using the system API's to get the password. If you want
# to read /etc/passwd or /etc/shadow directly, see the
# passwd module in radiusd.conf.
#
unix
#
# Read the 'users' file
#files
#
# Look in an SQL database. The schema of the database
# is meant to mirror the "users" file.
#
# See "Authorization Queries" in sql.conf
-sql
#
# If you are using /etc/smbpasswd, and are also doing
# mschap authentication, the un-comment this line, and
# configure the 'smbpasswd' module.
smbpasswd
#
# The ldap module reads passwords from the LDAP database.
-ldap
#
# Enforce daily limits on time spent logged in.
daily
#
expiration
logintime
#
#
#
#
#
#
If no other module has claimed responsibility for

authentication, then try to use PAP. This allows the
other modules listed above to add a "known good" password
to the request, and to do nothing else. The PAP module
will then see that password, and use it to do PAP
# authentication.
#
# This module should be listed last, so that the other modules
# get a chance to set Auth-Type for themselves.
#
pap
#
#
#
}
#
#
#
#
#
#
#
#
#
#
# If "status_server = yes", then Status-Server messages are passed
# through the following section, and ONLY the following section.
# This permits you to do DB queries, for example. If the modules
# listed here return "fail", then NO response is sent.
#
Autz-Type Status-Server {
}
Authentication.
This section lists which modules are available for authentication.
Note that it does NOT mean 'try each module in order'. It means
that a module from the 'authorize' section adds a configuration
attribute 'Auth-Type := FOO'. That authentication type is then
used to pick the appropriate module from the list below.
# In general, you SHOULD NOT set the Auth-Type attribute. The server
# will figure it out on its own, and will do the right thing. The
# most common side effect of erroneously setting the Auth-Type
# attribute is that one authentication method will work, but the
# others will not.
#
# The common reasons to set the Auth-Type attribute by hand
# is to either forcibly reject the user (Auth-Type := Reject),
# or to or forcibly accept the user (Auth-Type := Accept).
#
# Note that Auth-Type := Accept will NOT work with EAP.
#
# Please do not put "unlang" configurations into the "authenticate"
# section. Put them in the "post-auth" section instead. That's what
# the post-auth section is for.
#
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}
#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
#Auth-Type CHAP {
#
#}
chap
#
# MSCHAP authentication.
#Auth-Type MS-CHAP {
#
mschap
#}
#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authorize' section.
#digest
#
# Pluggable Authentication Modules.
pam
#
#
#
# Uncomment it if you want to use ldap for authentication

#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
#
# We do NOT recommend using this. LDAP servers are databases.
# They are NOT authentication servers. FreeRADIUS is an
# authentication server, and knows what to do with authentication.
# LDAP servers do not.
#
Auth-Type LDAP {
ldap
}
#
# Allow EAP authentication.
eap
#
#
#
#
#
#
#
#
#
}
#
# The older configurations sent a number of attributes in
# Access-Challenge packets, which wasn't strictly correct.
# If you want to filter out these attributes, uncomment
# the following lines.
#
Auth-Type eap {
eap {
handled = 1
}
if (handled && (Response-Packet-Type == Access-Challenge)) {
attr_filter.access_challenge.post-auth
handled # override the "updated" code from attr_filter
}
}
#
# Pre-accounting. Decide which accounting type to use.
#
preacct {
preprocess
if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f
]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){
update request {
Calling-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}
-%{6}}"
}
}
else {
noop
}
#
# Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets
# into a single 64bit counter Acct-[Input|Output]-Octets64.
#
acct_counters64
#
#
#
#
#
#
#
#
#
#
#
#
#
#
Session start times are *implied* in RADIUS.

The NAS never sends a "start time". Instead, it sends
a start packet, *possibly* with an Acct-Delay-Time.
The server is supposed to conclude that the start time
was "Acct-Delay-Time" seconds in the past.
The code below creates an explicit start time, which can
then be used in other modules. It will be *mostly* correct.
Any errors are due to the 1-second resolution of RADIUS,
and the possibility that the time on the NAS may be off.
The start time is: NOW - delay - session_length
#
update request {
#
FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Sess
ion-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
#
}
#
# Ensure that we have a semi-unique identifier for every
# request, and many NAS boxes are broken.
acct_unique
#
#
#
#
# Look for IPASS-style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
#
# Accounting requests are generally proxied to the same
# home server as authentication requests.
IPASS
suffix
ntdomain
#
# Read the 'acct_users' file
files
#
# Accounting. Log the accounting data.
#
accounting {
# Update accounting packet by adding the CUI attribute
# recorded from the corresponding Access-Accept
# use it only if your NAS boxes do not support CUI themselves
#
cui
#
# Create a 'detail'ed log of the packets.
# Note that accounting requests which are proxied
# are also logged in the detail file.
detail
#
daily
# Update the wtmp file

#
# If you don't use "radlast", you can delete this line.
unix
#
#
#
# For Simultaneous-Use tracking.
#
# Due to packet losses in the network, the data here
# may be incorrect. There is little we can do about it.
radutmp
sradutmp
# Return an address to the IP Pool when we see a stop record.

main_pool
#
# Log traffic to an SQL database.
#
# See "Accounting queries" in sql.conf
-sql
update control {
VIM-Plan-Limit-Type = "%{sql:SELECT value FROM radgroupcheck WHE

RE attribute='VIM-Plan-Limit-Type' AND groupname=(SELECT groupname FROM raduserg
roup WHERE username='%{request:User-Name}') }"
}
update request {
Huntgroup-Name := "%{sql:select groupname from radhuntgroup wher
e nasipaddress='%{NAS-IP-Address}'}"
}
#Protocol Logging for Acc-Start and Acc-Stop
if ("%{Acct-Status-Type}" == "Start") {
if ("%{sql:INSERT INTO radprotologs (datetime,acctstarttime,user
name,protomsg,details,nasip,acctsessionid,acctuniqueid,nasportid,nasporttype,acc
tsessiontime,acctauthentic,acctinoutoctets,acctoutputoctets,callingstationid,acc
tterminatecause,framedipaddress,framedprotocol,framedipv6prefix,servicetype) VAL
UES (SYSDATE,SYSDATE,'%{User-Name}','Accounting-Request','Accounting Start','%{N
AS-IP-Address}','%{Acct-Session-Id}','%{Acct-Unique-Session-Id}','%{NAS-Port-Id}
','%{NAS-Port-Type}','%{Acct-Session-Time}','%{Acct-Authentic}','0','0','%{Calli
ng-Station-Id}','','%{Framed-IP-Address}','%{Framed-Protocol}','%{Framed-IPv6-Pr
efix}','%{Service-Type}') }") {
ok
}
if ("%{sql:UPDATE onlinesubscriber SET status = 'Online' WHERE u
sername = '%{User-Name}' }") {
ok
}
if("%{sql:UPDATE BB_USERS SET NAS_ID=(SELECT ID FROM NAS WHERE N
ASNAME='%{NAS-IP-Address}' ) WHERE USER_NAME='%{User-Name}'}"){
ok
}
}
if ("%{Acct-Status-Type}" == "Stop") {
if ("%{sql:INSERT INTO radprotologs (datetime, acctstoptime, us
ername, protomsg, details, nasip, acctsessionid, acctuniqueid, nasportid, nasp
orttype,acctsessiontime, acctauthentic, acctinoutoctets, acctoutputoctets, calli
ngstationid, acctterminatecause, framedipaddress, framedprotocol, framedipv6pre
fix ,servicetype) VALUES (SYSDATE,SYSDATE,'%{User-Name}' ,'Accounting-Request' ,
'Accounting Stop' ,'%{NAS-IP-Address}' ,'%{Acct-Session-Id}' ,'%{Acct-Unique-Se
ssion-Id}','%{NAS-Port-Id}' ,'%{NAS-Port-Type}' ,'%{Acct-Session-Time}' , '%{Acc
t-Authentic}' , '%{Acct-Input-Octets}' ,'%{Acct-Output-Octets}' ,'%{Calling-Stat
ion-Id}' , '%{Acct-Terminate-Cause}' , '%{Framed-IP-Address}' , '%{Framed-Protoc
ol}' ,'%{Framed-IPv6-Prefix}' ,'%{Service-Type}')}") {
ok
}
if ("%{sql:UPDATE onlinesubscriber SET status = 'Offline' WHERE
username = '%{User-Name}' }") {
ok
}
if(control:VIM-Plan-Limit-Type){
switch "%{control:VIM-Plan-Limit-Type}"{
case V {
#Calculate the used bytes
if("%{sql: SELECT value FROM radcheck WHERE attribute= 'VIM-FUPQuota-Depleted-Flag' AND username='%{User-Name}'}" == "Yes"){
update control {
VIM-Used-Bytes := "%{sql:SELECT SUM(acctoutputoc
tets + acctinputoctets) FROM radacct WHERE username='%{request:User-Name}' AND a
cctsessionid = '%{Acct-Session-Id}' }"
}
#Set Used Bytes
if ("%{sql:UPDATE radcheck SET value = '%{control:VIM-Us
ed-Bytes}' WHERE attribute = 'VIM-Used-Bytes' AND username = '%{User-Name}' }
") {
ok
}
update control {
Mikrotik-Xmit-Limit := "%{sql:SELECT value FROM
radcheck WHERE attribute='Mikrotik-Xmit-Limit' AND username='%{request:User-Name
}' }"
VIM-Used-Bytes := "%{sql:SELECT value FROM radch
eck WHERE attribute='VIM-Used-Bytes' AND username='%{request:User-Name}' }"
}
if ("%{sql:UPDATE radcheck SET value = '%{control:Mikrot
ik-Xmit-Limit}'- '%{control:VIM-Used-Bytes}' WHERE attribute = 'Mikrotik-Xmit-L

imit' AND username = '%{User-Name}' } ") {
ok
}
if ("%{sql:UPDATE radcheck SET value = '0' WHERE attribu
te = 'VIM-Used-Bytes' AND username = '%{User-Name}' } ") {
ok
}
}
}
case T {
#calculation of Time
update control {
VIM-Avail-Time := "%{sql
: SELECT acctsessiontime FROM radacct WHERE username='%{request:User-Name}' AND
acctsessionid = '%{Acct-Session-Id}'}"
VIM-Subscriber-Activatio
n-Time := "%{sql: SELECT value FROM radcheck WHERE username='%{request:User-Name
}' AND attribute = 'VIM-Avail-Time'}"
}
if("%{sql:Update radcheck SET value = '%{control
:VIM-Subscriber-Activation-Time}'-'%{control:VIM-Avail-Time}' WHERE attribute =
'VIM-Avail-Time' AND username = '%{User-Name}'}") {
ok
}
}
}
}
}
#Sending CoA for Volume and Time based plans
if ("%{Acct-Status-Type}" == "Interim-Update") {
if ("%{sql:INSERT INTO radprotologs (datetime, acctstoptime, use
rname, protomsg, details, nasip, acctsessionid, acctuniqueid, nasportid, naspo
rttype,acctsessiontime, acctauthentic, acctinoutoctets, acctoutputoctets, callin
gstationid, acctterminatecause, framedipaddress, framedprotocol, framedipv6pref
ix ,servicetype) VALUES (SYSDATE,SYSDATE,'%{User-Name}' ,'Accounting-Request' ,
'Interim Update' ,'%{NAS-IP-Address}' ,'%{Acct-Session-Id}' ,'%{Acct-Unique-Sess
ion-Id}','%{NAS-Port-Id}' ,'%{NAS-Port-Type}' ,'%{Acct-Session-Time}' , '%{AcctAuthentic}' , '%{Acct-Input-Octets}' ,'%{Acct-Output-Octets}' ,'%{Calling-Statio
n-Id}' , '%{Acct-Terminate-Cause}' , '%{Framed-IP-Address}' , '%{Framed-Protocol
}' ,'%{Framed-IPv6-Prefix}' ,'%{Service-Type}') }") {
ok
}
if("%{sql:UPDATE radcheck SET value = '%{Acct-Output-Octets}' +
'%{Acct-Input-Octets}' WHERE username = '%{User-Name}' AND attribute= 'VIM-Used
-Bytes'}") {
ok
}
switch "%{control:VIM-Plan-Limit-Type}" {
case V {
if("%{sql:SELECT value FROM radcheck
WHERE attribute='VIM-Avail-Bytes' AND username='%{request:User-Name}' }" < "%{s
ql:SELECT value FROM radcheck WHERE attribute='VIM-Used-Bytes' AND username='%{r
equest:User-Name}' }") {
"%{exec:/usr/local/etc/raddb/dis
connect.sh %{User-Name} %{NAS-IP-Address}} "
if ("%{sql:INSERT INTO radprotol
ogs (datetime, acctstoptime, username, protomsg, details, nasip, acctsessionid

, acctuniqueid, nasportid, nasporttype,acctsessiontime, acctauthentic, acctinou
toctets, acctoutputoctets, callingstationid, acctterminatecause, framedipaddress
, framedprotocol, framedipv6prefix ,servicetype) VALUES (SYSDATE,SYSDATE,'%{Use
r-Name}' ,'POD' , 'Interim Update' ,'%{NAS-IP-Address}' ,'%{Acct-Session-Id}' ,'
%{Acct-Unique-Session-Id}','%{NAS-Port-Id}' ,'%{NAS-Port-Type}' ,'%{Acct-Session
-Time}' , '%{Acct-Authentic}' , '%{Acct-Input-Octets}' ,'%{Acct-Output-Octets}'
,'%{Calling-Station-Id}' , '%{Acct-Terminate-Cause}' , '%{Framed-IP-Address}' ,
'%{Framed-Protocol}' ,'%{Framed-IPv6-Prefix}' ,'%{Service-Type}') }") {
ok
}
}
}
case T {
#calculation of Time
update control {
VIM-Avail-Time := "%{sql
: SELECT acctsessiontime FROM radacct WHERE username='%{request:User-Name}' AND
acctsessionid = '%{Acct-Session-Id}'}"
VIM-Subscriber-Activatio
n-Time := "%{sql: SELECT value FROM radcheck WHERE username='%{request:User-Name
}' AND attribute = 'VIM-Avail-Time'}"
}
if("%{sql:Update radcheck SET value = '%{control
:VIM-Subscriber-Activation-Time}'-'%{control:VIM-Avail-Time}' WHERE attribute =
'VIM-Avail-Time' AND username = '%{User-Name}'}") {
ok
}
if("%{sql:SELECT TO_NUMBER(VALUE) VALUE FROM RAD
CHECK WHERE ATTRIBUTE='VIM-Avail-Time' AND username='%{request:User-Name}' AND V
ALUE <= 0 }"){
"%{exec:/usr/local/etc/raddb/dis
connect.sh %{User-Name} %{NAS-IP-Address}} "
if ("%{sql:INSERT INTO radprotol
ogs (datetime, acctstoptime, username, protomsg, details, nasip, acctsessionid
, acctuniqueid, nasportid, nasporttype,acctsessiontime, acctauthentic, acctinou
toctets, acctoutputoctets, callingstationid, acctterminatecause, framedipaddress
, framedprotocol, framedipv6prefix ,servicetype) VALUES (SYSDATE,SYSDATE,'%{Use
r-Name}' ,'Time-Period-Expired' , 'Interim Update' ,'%{NAS-IP-Address}' ,'%{Acct
-Session-Id}' ,'%{Acct-Unique-Session-Id}','%{NAS-Port-Id}' ,'%{NAS-Port-Type}'
,'%{Acct-Session-Time}' , '%{Acct-Authentic}' , '%{Acct-Input-Octets}' ,'%{AcctOutput-Octets}' ,'%{Calling-Station-Id}' , '%{Acct-Terminate-Cause}' , '%{Framed
-IP-Address}' , '%{Framed-Protocol}' ,'%{Framed-IPv6-Prefix}' ,'%{Service-Type}'
) }") {
ok
}
}
}
}
}
}
#Session-Timeout
if ("%{Acct-Status-Type}" == "Session-Timeout") {

ok
}
ok
}
case V {
update control {
}
#Set Used Bytes
") {
ok
}
update control {
}' }"
}
ok
}
ok
}
}
}
}
}
}
#Idle-Timeout
if ("%{Acct-Status-Type}" == "Idle-Timeout") {

ok
}
ok
}
case V {
update control {
}
#Set Used Bytes
") {
ok
}
update control {
}' }"
}
ok
}
ok
}
}
}
}
}
}
#
# If you receive stop packets with zero session length,
# they will NOT be logged in the database. The SQL module
# will print a message (only in debugging mode), and will
# return "noop".
#
# You can ignore these packets by uncommenting the following
#
#
#
# three lines. Otherwise, the server will not respond to the

# accounting request, and the NAS will retransmit.
#
if (noop) {
ok
}
#
# Instead of sending the query to the SQL server,
# write it into a log file.
#
sql_log
# Cisco VoIP specific bulk accounting

pgsql-voip
# For Exec-Program and Exec-Program-Wait
exec
# Filter attributes from the accounting response.
attr_filter.accounting_response
#
#
#
}
#
# See "Autz-Type Status-Server" for how this works.
#
Acct-Type Status-Server {
}
# Session database, used for checking Simultaneous-Use. Either the radutmp

# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
#radutmp
#
# See "Simultaneous Use Checking Queries" in sql.conf
sql
}
# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
post-auth {
#
# If you need to have a State attribute, you can
# add it here. e.g. for later CoA-Request with
# State, and Service-Type = Authorize-Only.
#
#
if (!&reply:State) {
#
update reply {
#
State := "0x%{randstr:16h}"
#
}
#
}
#
# For EAP-TTLS and PEAP, add the cached attributes to the reply.
# The "session-state" attributes are automatically cached when

# an Access-Challenge is sent, and automatically retrieved
# when an Access-Request is received.
#
# The session-state attributes are automatically deleted after
# an Access-Reject or Access-Accept is sent.
#
update {
&reply: += &session-state:
}
#
# Get an address from the IP Pool.

main_pool
# Create the CUI value and add the attribute to Access-Accept.

# Uncomment the line below if *returning* the CUI.
cui
#
# If you want to have a log of authentication replies,
# un-comment the following line, and enable the
# 'detail reply_log' module.
reply_log
#
# After authenticating the user, do another SQL query.
#
# See "Authentication Logging Queries" in sql.conf
-sql
#Huntgroup check
if("%{sql:select COUNT(*) from radhuntgroup where nasipaddress='%{NAS-IP
-Address}'}" == 0) {
#Huntgroup not found
update control {
VIM-Internal-Failure := "Invalid Huntgroup : %{N
AS-IP-Address} "
}
update reply {
Reply-Message := "Invalid Huntgroup : %{NAS-IP-A
ddress} "
}
reject
}
#Date Check
if("%{sql: SELECT STATUS FROM RADIUS_USER_DTL WHERE USER_NAME='%
{User-Name}'}" == 'A'){
if( "%{sql: SELECT case when trunc(END_DATE + 1) < SYSDA
TE AND DOWNGRADED IS NULL then 'false' else 'true' end as response FROM RADIUS
_USER_DTL WHERE USER_NAME='%{User-Name}' }" == 'false'){
if("%{sql:UPDATE BB_CONTRACT_DT
L SET STATUS='E',LAST_ACTION_ID=3,LAST_UPD_BY='-2',LAST_UPD_DATE=SYSDATE,DISCONN
ECT_DATE=SYSDATE WHERE CONTRACT_ID='%{sql: SELECT CONTRACT_ID FROM RADIUS_USER_
DTL WHERE USER_NAME='%{User-Name}'}' AND CUSTOMER_ID='%{sql: SELECT CUSTOMER_ID
FROM RADIUS_USER_DTL WHERE USER_NAME='%{User-Name}'}'}"){
ok
}
if("%{sql:UPDATE BB_CUSTOMER_DTL SET STATUS='I',
LAST_UPD_BY='-2',LAST_UPD_DATE=SYSDATE WHERE CUSTOMER_ID='%{sql: SELECT CUSTOMER
_ID FROM RADIUS_USER_DTL WHERE USER_NAME='%{User-Name}'}'}"){

ok
}
if ("%{sql:INSERT INTO radprotologs (datetime,us
ername,protomsg,nasip, callingstationid, nasportid,details) VALUES ( SYSDATE, '%
{User-Name}', 'Access-Reject','%{NAS-IP-Address}' ,'%{Calling-Station-Id}', '%{N
AS-Port-Id}' , 'Plan Date Expired')} ") {
ok
}
update control {
VIM-Internal-Fai
lure := "Plan Date Expired"
}
update reply {
Reply-Message :=
"Plan Date Expired"
}
reject
}
}
else {
{User-Name}', 'Access-Reject','%{NAS-IP-Address}' ,'%{Calling-Station-Id}', '%{N
AS-Port-Id}' , 'Plan Status Expired')} ") {
ok
}
update reply {
Reply-Message := "Plan S
tatus Expired"
}
reject
}
#Simultaneous User Check
if( "%{sql: SELECT COUNT(*) from radacct WHERE username = '%{Use
r-Name}' AND acctstoptime IS NULL}" > 0){
if ("%{sql:INSERT INTO radprotologs (datetime,username,p
rotomsg,nasip, callingstationid, nasportid,details) VALUES ( SYSDATE, '%{User-Na
me}', 'Access-Reject','%{NAS-IP-Address}' ,'%{Calling-Station-Id}', '%{NAS-PortId}' , 'Simultaneous Login Detected')} ") {
ok
}
update control {
VIM-Internal-Failure :=
"Simultaneous Login Detected "
}
update reply {
Reply-Message := "Simult
aneous Login Detected "
}
reject
}
#mac check
if(control:VIM-Enable-MAC-Auth == "Yes") {
if( "%{sql:SELECT * from radusermacmap W
HERE username = '%{User-Name}' AND macaddress='0' }" ) {
if ("%{sql:UPDATE raduse
rmacmap SET macaddress = '%{Calling-Station-Id}', LAST_UPDATED_BY='-2' WHERE us
ername='%{User-Name}' } ") {
ok
}
}
else {
if( "%{sql:SELEC
T * FROM ( WITH DATA AS ( SELECT MACADDRESS from RADUSERMACMAP WHERE USERNAME=
'%{User-Name}' ) SELECT trim(regexp_substr(MACADDRESS, '[^,]+', 1, LEVEL)) MACAD
DRESS FROM DATA CONNECT BY instr(MACADDRESS, ',', 1, LEVEL - 1) > 0) WHERE MACAD
DRESS='%{calling-Station-Id}' }"){
ok
}
else {
if("%{sql:INSERT
INTO radprotologs (datetime,username,protomsg,nasip, callingstationid, nasporti
d,details) VALUES ( SYSDATE, '%{User-Name}', 'Access-Reject','%{NAS-IP-Address}'
,'%{Calling-Station-Id}', '%{NAS-Port-Id}' , 'Mac-Auth-Failed')} ") {
ok
}
update control {
VIM-Internal-Failure := "MAC Authentication Failed "
}
update reply {
Reply-Message := "MAC Authentication Failed "
}
reject
}
}
}
#FUP user Validation
switch "%{control:VIM-Plan-Limit-Type}"
{
case V {
if("%{sql:SELECT
TO_NUMBER(VALUE) VALUE FROM RADCHECK WHERE ATTRIBUTE='Mikrotik-Xmit-Limit' AND
username='%{request:User-Name}' AND VALUE <= 0 }" ){
if("%{sql: SELECT STATUS FROM RADIUS_USER_DTL WHERE USER_NAME='%{User-Name}'}" !
= 'A'){
update reply {
Reply-Message := "Plan Volume Expired"
}
reject
}
else {
if("%{sql:UPDATE BB_CONTRACT_DTL SET STATUS='E',LAST_ACTION_ID=7,LAST_UPD_BY='-
1',LAST_UPD_DATE=SYSDATE,DISCONNECT_DATE=SYSDATE WHERE CONTRACT_ID='%{sql: SELE

CT CONTRACT_ID FROM RADIUS_USER_DTL WHERE USER_NAME='%{User-Name}'}' AND CUSTOME
R_ID='%{sql: SELECT CUSTOMER_ID FROM RADIUS_USER_DTL WHERE USER_NAME='%{User-Nam
e}'}'}"){
ok
}
if ("%{sql:INSERT INTO radprotologs (datetime,username,protomsg,nasip, callingst
ationid, nasportid,details) VALUES ( SYSDATE, '%{User-Name}', 'Access-Reject','%
{NAS-IP-Address}' ,'%{Calling-Station-Id}', '%{NAS-Port-Id}' , 'Plan Date Expire
d')} ") {
ok
}
update control {
VIM-Internal-Failure := "Plan Volume Expired"
}
update reply {
Reply-Message := "Plan Volume Expired"
}
reject
}
}
}
case T {
if("%{sql:SELECT TO_NUMB
ER(VALUE) VALUE FROM RADCHECK WHERE ATTRIBUTE='VIM-Avail-Time' AND username='%{r
equest:User-Name}' AND VALUE <= 0 }"){
if ("%{sql:INSER
T INTO radprotologs (datetime,username,protomsg,nasip, callingstationid, nasport
id,details) VALUES ( SYSDATE, '%{User-Name}', 'Access-Reject','%{NAS-IP-Address}
' ,'%{Calling-Station-Id}', '%{NAS-Port-Id}' , 'Plan Time Expired')} ") {
ok
}
update reply {
Reply-Message := "Plan Time Expired"
}
reject
}
}
}
}
#NAS IP Authentication-Yes
if(control:VIM-Enable-NASIP-Auth == "Yes") {
if("%{sql: SELECT * from radcheck WHERE username
= '%{User-Name}' AND attribute = 'NAS-IP-Address' AND value = '1'}"){

if("%{sql:UPDATE radcheck SET value='%{N
AS-IP-Address}' WHERE username = '%{User-Name}' AND attribute = 'NAS-IP-Address'
AND value = '1' }"){
ok
}
if("%{sql:UPDATE BB_USERS SET NAS_ID=(SE
LECT ID FROM NAS WHERE NASNAME='%{NAS-IP-Address}' ) WHERE USER_NAME='%{User-Nam
e}'}"){
ok
}
}
else {
if( "%{sql: SELECT value from ra
dcheck WHERE username = '%{User-Name}' AND attribute = 'NAS-IP-Address'}" == "%{
NAS-IP-Address}"){
ok
}
else {
if ("%{sql:INSERT INTO radprotologs (dat
etime,username,protomsg,nasip, callingstationid, nasportid,details) VALUES ( SYS
DATE, '%{User-Name}', 'Access-Reject','%{NAS-IP-Address}' ,'%{Calling-Station-Id
}', '%{NAS-Port-Id}' , 'NAS IP Authentication Failed')} ") {
ok
}
update control {
VIM-Internal-Fai
lure := "NAS IP Authentication Failed "
}
update reply {
Reply-Message :=
"NAS IP Authentication Falied "
}
reject
}
}
}
#NAS IP Authentication-No
if(control:VIM-Enable-NASIP-Auth == "No") {
if ("%{sql:INSERT INTO radprotologs (dat
etime,username,protomsg,nasip, callingstationid, nasportid,details) VALUES ( SYS
DATE, '%{User-Name}', 'Access-Free-NAS-IP-Address','%{NAS-IP-Address}' ,'%{Calli
ng-Station-Id}', '%{NAS-Port-Id}' , 'Free-NAS-IP-Address')} ") {
ok
}
}
#NAS Port Authentication
if(control:VIM-Enable-NASPORT-Auth == "Yes") {
if("%{sql: SELECT * from radcheck WHERE username
= '%{User-Name}' AND attribute = 'NAS-Port-Id' AND value = '1'}"){
if("%{sql:UPDATE
radcheck SET value='%{NAS-Port-Id}' WHERE username = '%{User-Name}' AND attribu
te = 'NAS-Port-Id' AND value = '1' }"){
ok
}
}
else {
if( "%{sql: SELECT value from ra
dcheck WHERE username = '%{User-Name}' AND attribute = 'NAS-Port-Id'}" == "%{NAS
-Port-Id}"){
ok
}
else {
if ("%{sql:INSERT INTO r
adprotologs (datetime,username,protomsg,nasip, callingstationid, nasportid,detai
ls) VALUES ( SYSDATE, '%{User-Name}', 'Access-Reject','%{NAS-IP-Address}' ,'%{Ca
lling-Station-Id}', '%{NAS-Port-Id}' , 'NAS Port Authentication Failed')} ") {
ok
}
update control {
VIM-Internal-Fai
lure := "NAS Port Authentication Failed "
}
update reply {
Reply-Message :=
"NAS Port Authentication Failed "
}
reject
}
}
}
#NAS Port Authentication
if(control:VIM-Enable-NASPORT-Auth == "No") {
{User-Name}', 'Access-Free-NAS-Port-Id','%{NAS-IP-Address}' ,'%{Calling-StationId}', '%{NAS-Port-Id}' , 'Free-NAS-Port-Id')} ") {
ok
}
}
#Check and enforce policies for Unlimited and FUP limits
case V {
if("%{sql: SELECT value FROM radcheck WH
ERE attribute= 'VIM-FUP-Quota-Depleted-Flag' AND username='%{User-Name}'}" == "Y
es"){
update reply {
Mikrotik-Rate-Limit = "%
{control:VIM-Uplink-Speed}/%{control:VIM-Downlink-Speed}"
Mikrotik-Xmit-Limit ="%{
control:Mikrotik-Xmit-Limit}"
Mikrotik-Recv-Limit ="%{
control:Mikrotik-Xmit-Limit}"
Session-Timeout = "%{con
trol:VIM-Session-Timeout}"
Idle-Timeout = "%{contro
l:VIM-Idle-Timeout}"
Framed-Pool = "%{control
:Framed-Pool}"
Framed-IPv6-Pool = "%{co
ntrol:Framed-IPv6-Pool}"
}
}
}
case U {
update reply {
Mikrotik-Rate-Li
mit = "%{control:VIM-Uplink-Speed}/%{control:VIM-Downlink-Speed}"
Session-Timeout
= "%{control:VIM-Session-Timeout}"
Idle-Timeout = "
%{control:VIM-Idle-Timeout}"
Framed-Pool = "%
{control:Framed-Pool}"
Framed-IPv6-Pool
= "%{control:Framed-IPv6-Pool}"
}
}
case T {
if("%{sql:SELECT TO_NUMBER(VALUE) VALUE
FROM RADCHECK WHERE ATTRIBUTE='VIM-Avail-Time' AND username='%{request:User-Name
}' AND VALUE >= '86400'}" ){
update reply {
Mikrotik-Rate-Li
Session-Timeout
Idle-Timeout = "
Framed-Pool = "%
Framed-IPv6-Pool
}
}
else{
update reply {
Mikrotik-Rate-Li
Session-Timeout
= "%{control:VIM-Avail-Time}"
Idle-Timeout = "
Framed-Pool = "%
Framed-IPv6-Pool
}
}
}
case P {
update reply {
Mikrotik-Address
-List = "%{sql:select groupname from radusergroup where username='%{request:User
-Name}'}"
Session-Timeout
Idle-Timeout = "
Framed-Pool = "%
}
}
}
}
#New mac
if(control:VIM-Enable-MAC-Auth == "No"){
if("%{sql:SELECT * from RADUSERMACMAP WH
ERE USERNAME='%{User-Name}' AND MACADDRESS=' ' }" ) {
if ("%{sql:UPDATE raduse
rmacmap SET macaddress = '%{Calling-Station-Id}' WHERE username='%{User-Name}' }
") {
ok
}
}
if("%{sql:SELECT * from radusermacmap WHERE user
name = '%{User-Name}' AND macaddress != ' ' }" ){
if ("%{sql:UPDATE radusermacmap
SET macaddress = '%{Calling-Station-Id}' WHERE username='%{User-Name}' } ") {
ok
}
}
}
#
# Instead of sending the query to the SQL server,
# write it into a log file.
#
sql_log
#
# Un-comment the following if you want to modify the user's object
# in LDAP after a successful login.
#
ldap
# For Exec-Program and Exec-Program-Wait
exec
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
Calculate the various WiMAX keys. In order for this to work,

you will need to define the WiMAX NAI, usually via
update request {
WiMAX-MN-NAI = "%{User-Name}"
}
If you want various keys to be calculated, you will need to
update the reply with "template" values. The module will see
this, and replace the template values with the correct ones
taken from the cryptographic calculations. e.g.
update reply {
WiMAX-FA-RK-Key = 0x00
#
WiMAX-MSK = "%{EAP-MSK}"
#
}
#
# You may want to delete the MS-MPPE-*-Keys from the reply,
# as some WiMAX clients behave badly when those attributes
# are included. See "raddb/modules/wimax", configuration
# entry "delete_mppe_keys" for more information.
#
wimax
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
If there is a client certificate (EAP-TLS, sometimes PEAP

and TTLS), then some attributes are filled out after the
certificate verification has been performed. These fields
MAY be available during the authentication, or they may be
available only in the "post-auth" section.
The first set of attributes contains information about the
issuing certificate which is being used. The second
contains information about the client certificate (if
available).
update reply {
Reply-Message
Reply-Message
Reply-Message
Reply-Message
Reply-Message
Reply-Message
+=
+=
+=
+=
+=
+=
"%{TLS-Cert-Serial}"
"%{TLS-Cert-Expiration}"
"%{TLS-Cert-Subject}"
"%{TLS-Cert-Issuer}"
"%{TLS-Cert-Common-Name}"
"%{TLS-Cert-Subject-Alt-Name-Email}"
Reply-Message
Reply-Message
Reply-Message
Reply-Message
Reply-Message
Reply-Message
+=
+=
+=
+=
+=
+=
"%{TLS-Client-Cert-Serial}"
"%{TLS-Client-Cert-Expiration}"
"%{TLS-Client-Cert-Subject}"
"%{TLS-Client-Cert-Issuer}"
"%{TLS-Client-Cert-Common-Name}"
"%{TLS-Client-Cert-Subject-Alt-Name-Email}"
}
# Insert class attribute (with unique value) into response,
# aids matching auth and acct records, and protects against duplicate
# Acct-Session-Id. Note: Only works if the NAS has implemented
# RFC 2865 behaviour for the class attribute, AND if the NAS
# supports long Class attributes. Many older or cheap NASes
# only support 16-octet Class attributes.
insert_acct_class
#
#
#
#
#
#
#
if
MacSEC requires the use of EAP-Key-Name. However, we don't

want to send it for all EAP sessions. Therefore, the EAP
modules put required data into the EAP-Session-Id attribute.
This attribute is never put into a request or reply packet.
Uncomment the next few lines to copy the required data into
the EAP-Key-Name attribute
(&reply:EAP-Session-Id) {
update reply {
EAP-Key-Name := &reply:EAP-Session-Id
}
}
# Remove reply message if the response contains an EAP-Message
remove_reply_message_if_eap
#
# Access-Reject packets are sent through the REJECT sub-section of the
# post-auth section.
#
# Add the ldap module name (or instance) if you have set
# 'edir_account_policy_check = yes' in the ldap module configuration
#
# The "session-state" attributes are not available here.
#
Post-Auth-Type REJECT {
update control {
VIM-Internal-Fai
lure := "Authentication Failed for Username: %{User-Name} With PASSWORD: %{UserPassword}"
}
update reply {
Reply-Message :=
"Incorrect Username or Password"
}
# log failed authentications in SQL, too.
-sql
attr_filter.access_reject
if("%{sql:INSERT INTO radprotologs (datetime,use
rname,protomsg,nasip,nasportid,details,callingstationid) VALUES(SYSDATE,'%{UserName}' , 'Access-Reject' ,'%{NAS-IP-Address}' ,'%{NAS-Port-Id}' , '%{control:VIM
-Internal-Failure}', '%{Calling-Station-Id}') }") {
ok
}
# Insert EAP-Failure message if the request was
# rejected by policy instead of because of an
# authentication failure
eap
# Remove reply message if the response contains an EAP-Message
remove_reply_message_if_eap
}
}
#
# When the server decides to proxy a request to a home server,
# the proxied request is first passed through the pre-proxy
# stage. This stage can re-write the request, or decide to
# cancel the proxy.
#
# Only a few modules currently have this method.
#
#pre-proxy {
# Before proxing the request add an Operator-Name attribute identifying
# if the operator-name is found for this client.
# No need to uncomment this if you have already enabled this in
# the authorize section.
#
operator-name
# The client requests the CUI by sending a CUI attribute
# containing one zero byte.

# Uncomment the line below if *requesting* the CUI.
cui
# Uncomment the following line if you want to change attributes

# as defined in the preproxy_users file.
files
# Uncomment the following line if you want to filter requests

# sent to remote servers based on the rules defined in the
# 'attrs.pre-proxy' file.
attr_filter.pre-proxy
#
#}
# If you want to have a log of packets proxied to a home

# server, un-comment the following line, and the
# 'detail pre_proxy_log' section, above.
pre_proxy_log
#
# When the server receives a reply to a request it proxied
# to a home server, the request may be massaged here, in the
# post-proxy stage.
#
#post-proxy {
# If you want to have a log of replies from a home server,

# un-comment the following line, and the 'detail post_proxy_log'
# section, above.
post_proxy_log
# Uncomment the following line if you want to filter replies from

# remote proxies based on the rules defined in the 'attrs' file.
attr_filter.post-proxy
#
# If you are proxying LEAP, you MUST configure the EAP
# module, and you MUST list it here, in the post-proxy
# stage.
#
# You MUST also use the 'nostrip' option in the 'realm'
# configuration. Otherwise, the User-Name attribute
# in the proxied request will not match the user name
# hidden inside of the EAP packet, and the end server will
# reject the EAP request.
#
#eap
#
#
#
#
#
#
#
#
#
#
#
#
If the server tries to proxy a request and fails, then the

request is processed through the modules in this section.
The main use of this section is to permit robust proxying
of accounting packets. The server can be configured to
proxy accounting packets as part of normal processing.
Then, if the home server goes down, accounting packets can
be logged to a local "detail" file, for processing with
radrelay. When the home server comes back up, radrelay
will read the detail file, and send the packets to the
home server.
#
#
#
#}
}
#
# With this configuration, the server always responds to
# Accounting-Requests from the NAS, but only writes
# accounting packets to disk if the home server is down.
#
Post-Proxy-Type Fail-Accounting {
detail
}

FreeRADIUS Virtual Hosts Configuration

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FreeRADIUS Virtual Hosts Configuration

Uploaded by

Copyright:

Available Formats

######################################################################

# Allowed values are:

# ipaddr/ipv4addr/ipv6addr - IP address on which to listen.

# Some systems support binding to an interface, in addition

# The name here is a reference to a section elsewhere in

The number of packets received can be rate limited via the

# the server will never get overloaded

# It also sets the EAP-Type attribute in the request

If no other module has claimed responsibility for

# Uncomment it if you want to use ldap for authentication

Session start times are *implied* in RADIUS.

# Update the wtmp file

# Return an address to the IP Pool when we see a stop record.

VIM-Plan-Limit-Type = "%{sql:SELECT value FROM radgroupcheck WHE

ik-Xmit-Limit}'- '%{control:VIM-Used-Bytes}' WHERE attribute = 'Mikrotik-Xmit-L

ogs (datetime, acctstoptime, username, protomsg, details, nasip, acctsessionid

ssion-Id}','%{NAS-Port-Id}' ,'%{NAS-Port-Type}' ,'%{Acct-Session-Time}' , '%{Acc

'Accounting Stop' ,'%{NAS-IP-Address}' ,'%{Acct-Session-Id}' ,'%{Acct-Unique-Se

# three lines. Otherwise, the server will not respond to the

# Cisco VoIP specific bulk accounting

# Session database, used for checking Simultaneous-Use. Either the radutmp

# The "session-state" attributes are automatically cached when

# Get an address from the IP Pool.

# Create the CUI value and add the attribute to Access-Accept.

_ID FROM RADIUS_USER_DTL WHERE USER_NAME='%{User-Name}'}'}"){

1',LAST_UPD_DATE=SYSDATE,DISCONNECT_DATE=SYSDATE WHERE CONTRACT_ID='%{sql: SELE

= '%{User-Name}' AND attribute = 'NAS-IP-Address' AND value = '1'}"){

Calculate the various WiMAX keys. In order for this to work,

If there is a client certificate (EAP-TLS, sometimes PEAP

MacSEC requires the use of EAP-Key-Name. However, we don't

# containing one zero byte.

# Uncomment the following line if you want to change attributes

# Uncomment the following line if you want to filter requests

# If you want to have a log of packets proxied to a home

# If you want to have a log of replies from a home server,

# Uncomment the following line if you want to filter replies from

If the server tries to proxy a request and fails, then the

You might also like

Session start times are implied in RADIUS.