1. /etc/freeradius/3.0/sites-enabled/default
  2. /etc/freeradius/3.0/mods-enabled/eap
  3. /etc/freeradius/3.0/clients.conf
  4. /etc/freeradius/3.0/radiusd.conf

This page contains full examples of the configuration files that are modified on the setup page. Some large sections, including lengthy explanatory comments, have been removed, but many commented-out statements have been preserved (most of them are commented out by default). Any value enclosed in angle brackets ( <> ) must be replaced with a value specific to your environment.


/etc/freeradius/3.0/sites-enabled/default

server default {

# Authentication listener. ipaddr = * binds the wildcard address, so which
# hosts may actually send requests is decided by clients.conf (the
# `client router` entry on this page), not by this socket.
listen {
  type = auth
  ipaddr = *
  port = <authentication_port>
  # NOTE(review): the limit {} values (connections, lifetime, idle timeout)
  # are connection-oriented controls; with no proto line this listener is
  # presumably UDP, where they have no effect - confirm before relying on them.
  limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
  }
}

# Accounting listener on the same wildcard address; limit {} left empty.
listen {
  ipaddr = *
  port = <accounting_port>
  type = acct
  limit {
  }
}

# authorize runs before authentication. Only EAP is active in this server:
# pap, chap and mschap stay commented out, so a request carrying a plain
# password gets no Auth-Type and is rejected rather than password-checked.
authorize {
  # rejects malformed User-Name values before any other module sees them
  filter_username
# filter_password
  preprocess
# operator-name
# cui
# auth_log
# chap
# mschap
# digest
# wimax
# IPASS
  suffix
# ntdomain
  # "ok = return" stops this section as soon as the eap module returns ok,
  # so files / expiration / logintime below are skipped for those EAP packets.
  eap {
    ok = return
#   updated = return
  }
# unix
  # static users file, then per-user expiry and login-time windows
  files
# -sql
# smbpasswd
# -ldap
# daily
  expiration
  logintime
# pap
# Autz-Type Status-Server {
#
# }
}


# authenticate: eap is the only active method. Together with
# default_eap_type = tls and the single tls {} sub-module in mods-enabled/eap,
# client-certificate authentication is the only way to be accepted.
authenticate {
# Auth-Type PAP {
#   pap
# }
# Auth-Type CHAP {
#   chap
# }
# Auth-Type MS-CHAP {
#   mschap
# }
# mschap
# digest
# pam
# Auth-Type LDAP {
#   ldap
# }
  eap
# Auth-Type eap {
#   eap {
#     handled = 1
#   }
#   if (handled && (Response-Packet-Type == Access-Challenge)) {
#     attr_filter.access_challenge.post-auth
#     handled  # override the "updated" code from attr_filter
#   }
# }
}


# preacct: normalises accounting packets; acct_unique derives a stable
# session key so duplicate/retransmitted records can be recognised.
preacct {
  preprocess
# acct_counters64
# update request {
#     &FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
# }
  acct_unique
# IPASS
  suffix
# ntdomain
  files
}

# accounting: detail writes records under ${radacctdir}; unix updates the
# system login records. sql is commented out, so accounting is file-only.
accounting {
  detail
  unix
# radutmp
# sradutmp
# main_pool
# -sql
# if (noop) {
#   ok
# }
# pgsql-voip
  # exec: external-program hook; presumably a no-op unless an Exec-Program
  # attribute is present - confirm, since it runs as the radiusd user.
  exec
  # strips anything not permitted in an Accounting-Response
  attr_filter.accounting_response
# Acct-Type Status-Server {
#
# }
}


# session: both radutmp and sql are commented out, so there is no session
# store for Simultaneous-Use checks to consult.
session {
# radutmp
# sql
}


# post-auth: shapes the final Access-Accept / Access-Reject.
post-auth {
# if (!&reply:State) {
#   update reply {
#     State := "0x%{randstr:16h}"
#   }
# }
  # merges attributes saved across the EAP rounds (session-state) into the reply
  update {
    &reply: += &session-state:
  }
# main_pool
# cui
# reply_log
# -sql
# ldap
  exec
# wimax
#
# update reply {
#        Reply-Message += "%{TLS-Cert-Serial}"
#        Reply-Message += "%{TLS-Cert-Expiration}"
#        Reply-Message += "%{TLS-Cert-Subject}"
#        Reply-Message += "%{TLS-Cert-Issuer}"
#        Reply-Message += "%{TLS-Cert-Common-Name}"
#        Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
#
#        Reply-Message += "%{TLS-Client-Cert-Serial}"
#        Reply-Message += "%{TLS-Client-Cert-Expiration}"
#        Reply-Message += "%{TLS-Client-Cert-Subject}"
#        Reply-Message += "%{TLS-Client-Cert-Issuer}"
#        Reply-Message += "%{TLS-Client-Cert-Common-Name}"
#        Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
# }
# insert_acct_class
# if (&reply:EAP-Session-Id) {
#   update reply {
#     EAP-Key-Name := &reply:EAP-Session-Id
#   }
# }
  remove_reply_message_if_eap

  # On reject: attr_filter.access_reject drops attributes that must not leak
  # in an Access-Reject, and eap makes sure a proper EAP-Failure is sent.
  Post-Auth-Type REJECT {
#   -sql
    attr_filter.access_reject
    eap
    remove_reply_message_if_eap
  }

  # Challenge filtering is left disabled; the intermediate EAP rounds are
  # passed through unfiltered.
  Post-Auth-Type Challenge {
#   remove_reply_message_if_eap
#   attr_filter.access_challenge.post-auth
  }
}

# pre-proxy / post-proxy: radiusd.conf on this page sets proxy_requests = no,
# so these sections are presumably never entered.
pre-proxy {
# operator-name
# cui
# files
# attr_filter.pre-proxy
# pre_proxy_log
}

post-proxy {
# post_proxy_log
# attr_filter.post-proxy
  eap
# Post-Proxy-Type Fail-Accounting {
#     detail
# }
}
}

/etc/freeradius/3.0/mods-enabled/eap

# EAP module: EAP-TLS only. tls {} is the sole sub-module configured, so a
# client without a certificate chaining to ca_file cannot authenticate.
eap {
  default_eap_type = tls
  timer_expire     = 60
  # unknown EAP types are rejected rather than ignored
  ignore_unknown_eap_types = no
  cisco_accounting_username_bug = no
  # bounded by max_requests from radiusd.conf (16384 on this page)
  max_sessions = ${max_requests}

  tls-config tls-common {
    # Stored in clear text: keep this file readable only by the radiusd
    # user/group set in the security {} section of radiusd.conf.
    private_key_password = <password_specified_in_server.cnf>
    private_key_file = ${certdir}/server.key
    certificate_file = ${certdir}/server.crt
    # NOTE(review): the file name suggests CA certificate and CRL are
    # concatenated here - confirm, since check_crl below depends on it.
    ca_file = ${cadir}/cacrl.pem
  # auto_chain = yes
  # psk_identity = "test"
  # psk_hexphrase = "036363823"
    dh_file = ${certdir}/dh
    # NOTE(review): /dev/random can block on entropy-starved hosts (VMs,
    # older kernels) and stall handshakes; the stock eap file uses
    # /dev/urandom - confirm this choice is intentional.
    random_file = /dev/random
  # fragment_size = 1024
  # include_length = yes
    # Revocation is enforced via CRL. OpenSSL looks the CRL up by hash in
    # ca_path, so that directory presumably needs c_rehash after each CRL
    # update - confirm. With allow_expired_crl at its default (no, per the
    # commented line below) an expired CRL fails every authentication.
    check_crl = yes
  # check_all_crl = yes
    ca_path = ${cadir}
  # allow_expired_crl = no
  # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
    # binds the EAP identity to the certificate: CN must equal User-Name
    check_cert_cn = %{User-Name}
    # HIGH-strength suites only, server picks the suite; TLS pinned to 1.2
    # exactly (min = max), so 1.3 is not offered and 1.0/1.1 are refused.
    cipher_list = "HIGH"
    cipher_server_preference = yes
#   disable_tlsv1_2 = no
#   disable_tlsv1_1 = yes
#   disable_tlsv1 = yes
    tls_min_version = "1.2"
    tls_max_version = "1.2"
    ecdh_curve = "secp384r1"
    # session resumption disabled: every authentication performs a full
    # handshake, including certificate and CRL checks
    cache {
      enable = no
      lifetime = 24 # hours
      #name = "EAP module"
      #persist_dir = "${logdir}/tlscache"
    }
    # no external verification command configured
    verify {
  #   skip_if_ocsp_ok = no
  #   tmpdir = /tmp/radiusd
  #   client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
    }
    # OCSP disabled; url/override settings below are inactive while enable = no
    ocsp {
      enable = no
      override_cert_url = yes
      url = "http://127.0.0.1/ocsp/"
      # use_nonce = yes
      # timeout = 0
      # softfail = no
    }
  }

  tls {
    tls = tls-common
  # virtual_server = check-eap-tls
  }
}

/etc/freeradius/3.0/clients.conf

# The only RADIUS peer allowed to talk to this server; requests from any
# other source address are dropped. The shared secret keys the RADIUS
# packet authenticator, so use a long random value rather than a word.
client router {
  ipaddr    = <ip_address>
  secret    = <shared_secret>
}

/etc/freeradius/3.0/radiusd.conf

# Installation and runtime paths referenced by the other files on this page.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius/3.0
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
# certdir and cadir both resolve to the same directory, so the CA store
# (ca_path in mods-enabled/eap) lives next to the server's private key.
certdir = ${confdir}/certs
cadir   = ${confdir}/certs
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
correct_escapes = true
max_request_time = 30
cleanup_delay = 5
# also used as max_sessions by the eap module
max_requests = 16384
# no reverse DNS in the request path
hostname_lookups = no

# Logging: authentication results are recorded, but neither good nor bad
# passwords are written to the log.
log {
  destination = files
  colourise = yes
  file = ${logdir}/radius.log
  syslog_facility = daemon
  stripped_names = no
  auth = yes
  auth_badpass = no
  auth_goodpass = no
# msg_goodpass = ""
# msg_badpass = ""
  msg_denied = "You are already logged in - access denied"
}

# helper used for Simultaneous-Use checks; unused while session {} is empty
checkrad = ${sbindir}/checkrad

# Process hardening.
security {
# chroot = /path/to/chroot/directory
  # drop root after binding the sockets
  user = freerad
  group = freerad
  # keeps private-key material and secrets out of core files
  allow_core_dumps = no
  # bounds attribute parsing per packet
  max_attributes = 200
  # one-second delay on every reject slows password guessing
  reject_delay = 1
  # answers Status-Server probes from hosts listed in clients.conf
  status_server = yes
}

# No forwarding to other RADIUS servers; proxy.conf is not loaded.
proxy_requests  = no
#$INCLUDE proxy.conf

# pulls in the client router {} definition shown on this page
$INCLUDE clients.conf


# Worker thread sizing; max_requests_per_server = 0 means threads are
# never recycled after a fixed number of requests.
thread pool {
  start_servers = 5
  max_servers = 32
  min_spare_servers = 3
  max_spare_servers = 10
# max_queue_size = 65536
  max_requests_per_server = 0
  auto_limit_acct = no
}

#$INCLUDE trigger.conf

# loads every module linked into mods-enabled/, including the eap file above
modules {
  $INCLUDE mods-enabled/
}

# nothing forced to load at startup beyond what the sections reference
instantiate {
# daily
}

# named policies (filter_username, remove_reply_message_if_eap, ...) used
# by the virtual server
policy {
  $INCLUDE policy.d/
}

# loads the server default {} virtual server shown at the top of this page
$INCLUDE sites-enabled/