Skip to content

Ubuntu22.04LTS の FreeRadius で認証ログを有効化する

以前に Ubuntu22.04LTS に FreeRadius をインストールする というメモを書きました。 Ubuntu22.04LTS の場合、FreeRadius 本体の設定ファイルは /etc/freeradius/3.0/radiusd.conf に存在します。 このファイルを「コメントを除外」「認証ログを有効化」すると以下のようになります。 (log 内の authauth_badpassauth_goodpassyes に設定しています)

ログ有効化した設定例

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
cat << EOF > /etc/freeradius/3.0/radiusd.conf
# -*- text -*-

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius/3.0
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir   = ${confdir}/certs
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
correct_escapes = true
#panic_action = "gdb %e %p"
#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log"
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
hostname_lookups = no
#postauth_client_lost = no

log {
    destination = files
    colourise = yes
    file = ${logdir}/radius.log
    syslog_facility = daemon
    stripped_names = no
    auth = yes
    auth_accept = yes
    auth_reject = yes
    auth_badpass = yes
    auth_goodpass = yes
#   msg_goodpass = ""
#   msg_badpass = ""
    msg_denied = "You are already logged in - access denied"
#   suppress_secrets = no
}

checkrad = ${sbindir}/checkrad

ENV {
#   LD_PRELOAD = /path/to/library1.so
#   LD_PRELOAD = /path/to/library2.so
}

security {
#   chroot = /path/to/chroot/directory
    user = freerad
    group = freerad
    allow_core_dumps = no
    max_attributes = 200
    reject_delay = 1
    status_server = yes
}

proxy_requests  = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf

thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
#   max_queue_size = 65536
    max_requests_per_server = 0
    auto_limit_acct = no
}

#$INCLUDE trigger.conf

modules {
#   $INCLUDE mods-enabled/sql
    $INCLUDE mods-enabled/
}

instantiate {
#   daily
}

policy {
    $INCLUDE policy.d/
}

$INCLUDE sites-enabled/
EOF

参考

デフォルトの /etc/freeradius/3.0/radiusd.conf (コメント除外版)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
# -*- text -*-

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius/3.0
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir   = ${confdir}/certs
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
correct_escapes = true
#panic_action = "gdb %e %p"
#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log"
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
hostname_lookups = no
#postauth_client_lost = no

log {
    destination = files
    colourise = yes
    file = ${logdir}/radius.log
    syslog_facility = daemon
    stripped_names = no
    auth = no
#   auth_accept = no
#   auth_reject = no
    auth_badpass = no
    auth_goodpass = no
#   msg_goodpass = ""
#   msg_badpass = ""
    msg_denied = "You are already logged in - access denied"
#   suppress_secrets = no
}

checkrad = ${sbindir}/checkrad

ENV {
#   LD_PRELOAD = /path/to/library1.so
#   LD_PRELOAD = /path/to/library2.so
}

security {
#   chroot = /path/to/chroot/directory
    user = freerad
    group = freerad
    allow_core_dumps = no
    max_attributes = 200
    reject_delay = 1
    status_server = yes
}

proxy_requests  = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf

thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
#   max_queue_size = 65536
    max_requests_per_server = 0
    auto_limit_acct = no
}

#$INCLUDE trigger.conf

modules {
#   $INCLUDE mods-enabled/sql
    $INCLUDE mods-enabled/
}

instantiate {
#   daily
}

policy {
    $INCLUDE policy.d/
}

$INCLUDE sites-enabled/

デフォルトの /etc/freeradius/3.0/radiusd.conf

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
# -*- text -*-
##
## radiusd.conf -- FreeRADIUS server configuration file - 3.0.26
##
##  http://www.freeradius.org/
##  $Id$
##

######################################################################
#
#   The format of this (and other) configuration file is
#   documented in "man unlang".  There are also READMEs in many
#   subdirectories:
#
#     raddb/README.rst
#       How to upgrade from v2.
#
#     raddb/mods-available/README.rst
#       How to use mods-available / mods-enabled.
#       All of the modules are in individual files,
#       along with configuration items and full documentation.
#
#     raddb/sites-available/README
#       virtual servers, "listen" sections, clients, etc.
#       The "sites-available" directory contains many
#       worked examples of common configurations.
#
#     raddb/certs/README.md
#       How to create certificates for EAP or RadSec.
#
#   Every configuration item in the server is documented
#   extensively in the comments in the example configuration
#   files.
#
#   Before editing this (or any other) configuration file, PLEASE
#   read "man radiusd".  See the section titled DEBUGGING.  It
#   outlines a method where you can quickly create the
#   configuration you want, with minimal effort.
#
#   Run the server in debugging mode, and READ the output.
#
#       $ radiusd -X
#
#   We cannot emphasize this point strongly enough.  The vast
#   majority of problems can be solved by carefully reading the
#   debugging output, which includes warnings about common issues,
#   and suggestions for how they may be fixed.
#
#   There may be a lot of output, but look carefully for words like:
#   "warning", "error", "reject", or "failure".  The messages there
#   will usually be enough to guide you to a solution.
#
#   More documentation on "radiusd -X" is available on the wiki:
#       https://wiki.freeradius.org/radiusd-X
#
#   If you are going to ask a question on the mailing list, then
#   explain what you are trying to do, and include the output from
#   debugging mode (radiusd -X).  Failure to do so means that all
#   of the responses to your question will be people telling you
#   to "post the output of radiusd -X".
#
#   Guidelines for posting to the mailing list are on the wiki:
#       https://wiki.freeradius.org/list-help
#
#   Please read those guidelines before posting to the list.
#
#   Further documentation is available in the "doc" directory
#   of the server distribution, or on the wiki at:
#       https://wiki.freeradius.org/
#
#   New users to RADIUS should read the Technical Guide.  That guide
#   explains how RADIUS works, how FreeRADIUS works, and what each
#   part of a RADIUS system does.  It is not just "configure FreeRADIUS"!
#       https://networkradius.com/doc/FreeRADIUS-Technical-Guide.pdf
#
#   More documentation on dictionaries, modules, unlang, etc. is also
#   available on the Network RADIUS web site:
#       https://networkradius.com/freeradius-documentation/
#

######################################################################

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius/3.0
radacctdir = ${logdir}/radacct

#
#  name of the running server.  See also the "-n" command-line option.
name = freeradius

#  Location of config and logfiles.
confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir   = ${confdir}/certs
run_dir = ${localstatedir}/run/${name}

# Should likely be ${localstatedir}/lib/radiusd
db_dir = ${raddbdir}

#
# libdir: Where to find the rlm_* modules.
#
#   This should be automatically set at configuration time.
#
#   If the server builds and installs, but fails at execution time
#   with an 'undefined symbol' error, then you can use the libdir
#   directive to work around the problem.
#
#   The cause is usually that a library has been installed on your
#   system in a place where the dynamic linker CANNOT find it.  When
#   executing as root (or another user), your personal environment MAY
#   be set up to allow the dynamic linker to find the library.  When
#   executing as a daemon, FreeRADIUS MAY NOT have the same
#   personalized configuration.
#
#   To work around the problem, find out which library contains that symbol,
#   and add the directory containing that library to the end of 'libdir',
#   with a colon separating the directory names.  NO spaces are allowed.
#
#   e.g. libdir = /usr/local/lib:/opt/package/lib
#
#   You can also try setting the LD_LIBRARY_PATH environment variable
#   in a script which starts the server.
#
#   If that does not work, then you can re-configure and re-build the
#   server to NOT use shared libraries, via:
#
#   ./configure --disable-shared
#   make
#   make install
#
libdir = /usr/lib/freeradius

#  pidfile: Where to place the PID of the RADIUS server.
#
#  The server may be signalled while it's running by using this
#  file.
#
#  This file is written when ONLY running in daemon mode.
#
#  e.g.:  kill -HUP `cat /var/run/radiusd/radiusd.pid`
#
pidfile = ${run_dir}/${name}.pid

#
#  correct_escapes: use correct backslash escaping
#
#  Prior to version 3.0.5, the handling of backslashes was a little
#  awkward, i.e. "wrong".  In some cases, to get one backslash into
#  a regex, you had to put 4 in the config files.
#
#  Version 3.0.5 fixes that.  However, for backwards compatibility,
#  the new method of escaping is DISABLED BY DEFAULT.  This means
#  that upgrading to 3.0.5 won't break your configuration.
#
#  If you don't have double backslashes (i.e. \\) in your configuration,
#  this won't matter to you.  If you do have them, fix that to use only
#  one backslash, and then set "correct_escapes = true".
#
#  You can check for this by doing:
#
#   $ grep '\\\\' $(find raddb -type f -print)
#
correct_escapes = true

#  panic_action: Command to execute if the server dies unexpectedly.
#
#  FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.
#  AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.
#  AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART.
#
#  THE SERVER MUST NOT BE ALLOWED EXECUTE UNTRUSTED PANIC ACTION CODE
#  PATTACH CAN BE USED AS AN ATTACK VECTOR.
#
#  The panic action is a command which will be executed if the server
#  receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS,
#  SIGABRT or SIGFPE.
#
#  This can be used to start an interactive debugging session so
#  that information regarding the current state of the server can
#  be acquired.
#
#  The following string substitutions are available:
#  - %e   The currently executing program e.g. /sbin/radiusd
#  - %p   The PID of the currently executing program e.g. 12345
#
#  Standard ${} substitutions are also allowed.
#
#  An example panic action for opening an interactive session in GDB would be:
#
#panic_action = "gdb %e %p"
#
#  Again, don't use that on a production system.
#
#  An example panic action for opening an automated session in GDB would be:
#
#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log"
#
#  That command can be used on a production system.
#

#  max_request_time: The maximum time (in seconds) to handle a request.
#
#  Requests which take more time than this to process may be killed, and
#  a REJECT message is returned.
#
#  WARNING: If you notice that requests take a long time to be handled,
#  then this MAY INDICATE a bug in the server, in one of the modules
#  used to handle a request, OR in your local configuration.
#
#  This problem is most often seen when using an SQL database.  If it takes
#  more than a second or two to receive an answer from the SQL database,
#  then it probably means that you haven't indexed the database.  See your
#  SQL server documentation for more information.
#
#  Useful range of values: 5 to 120
#
max_request_time = 30

#  cleanup_delay: The time to wait (in seconds) before cleaning up
#  a reply which was sent to the NAS.
#
#  The RADIUS request is normally cached internally for a short period
#  of time, after the reply is sent to the NAS.  The reply packet may be
#  lost in the network, and the NAS will not see it.  The NAS will then
#  re-send the request, and the server will respond quickly with the
#  cached reply.
#
#  If this value is set too low, then duplicate requests from the NAS
#  MAY NOT be detected, and will instead be handled as separate requests.
#
#  If this value is set too high, then the server will cache too many
#  requests, and some new requests may get blocked.  (See 'max_requests'.)
#
#  Useful range of values: 2 to 30
#
cleanup_delay = 5

#  max_requests: The maximum number of requests which the server keeps
#  track of.  This should be 256 multiplied by the number of clients.
#  e.g. With 4 clients, this number should be 1024.
#
#  If this number is too low, then when the server becomes busy,
#  it will not respond to any new requests, until the 'cleanup_delay'
#  time has passed, and it has removed the old requests.
#
#  If this number is set too high, then the server will use a bit more
#  memory for no real benefit.
#
#  If you aren't sure what it should be set to, it's better to set it
#  too high than too low.  Setting it to 1000 per client is probably
#  the highest it should be.
#
#  Useful range of values: 256 to infinity
#
max_requests = 16384

#  hostname_lookups: Log the names of clients or just their IP addresses
#  e.g., www.freeradius.org (on) or 206.47.27.232 (off).
#
#  The default is 'off' because it would be overall better for the net
#  if people had to knowingly turn this feature on, since enabling it
#  means that each client request will result in AT LEAST one lookup
#  request to the nameserver.   Enabling hostname_lookups will also
#  mean that your server may stop randomly for 30 seconds from time
#  to time, if the DNS requests take too long.
#
#  Turning hostname lookups off also means that the server won't block
#  for 30 seconds, if it sees an IP address which has no name associated
#  with it.
#
#  allowed values: {no, yes}
#
hostname_lookups = no

#
#  Run a "Post-Auth-Type Client-Lost" section.  This ONLY happens when
#  the server sends an Access-Challenge, and then client does not
#  respond to it.  The goal is to allow administrators to log
#  something when the client does not respond.
#
#  See sites-available/default, "Post-Auth-Type Client-Lost" for more
#  information.
#
#postauth_client_lost = no

#
#  Logging section.  The various "log_*" configuration items
#  will eventually be moved here.
#
log {
    #
    #  Destination for log messages.  This can be one of:
    #
    #   files - log to "file", as defined below.
    #   syslog - to syslog (see also the "syslog_facility", below.
    #   stdout - standard output
    #   stderr - standard error.
    #
    #  The command-line option "-X" over-rides this option, and forces
    #  logging to go to stdout.
    #
    destination = files

    #
    #  Highlight important messages sent to stderr and stdout.
    #
    #  Option will be ignored (disabled) if output if TERM is not
    #  an xterm or output is not to a TTY.
    #
    colourise = yes

    #
    #  The logging messages for the server are appended to the
    #  tail of this file if destination == "files"
    #
    #  If the server is running in debugging mode, this file is
    #  NOT used.
    #
    file = ${logdir}/radius.log

    #
    #  Which syslog facility to use, if ${destination} == "syslog"
    #
    #  The exact values permitted here are OS-dependent.  You probably
    #  don't want to change this.
    #
    syslog_facility = daemon

    #  Log the full User-Name attribute, as it was found in the request.
    #
    # allowed values: {no, yes}
    #
    stripped_names = no

    #  Log all (accept and reject) authentication results to the log file.
    #
    #  This is the same as setting "auth_accept = yes" and
    #  "auth_reject = yes"
    #
    #  allowed values: {no, yes}
    #
    auth = no

    #  Log Access-Accept results to the log file.
    #
    #  This is only used if "auth = no"
    #
    #  allowed values: {no, yes}
    #
#   auth_accept = no

    #  Log Access-Reject results to the log file.
    #
    #  This is only used if "auth = no"
    #
    #  allowed values: {no, yes}
    #
#   auth_reject = no

    #  Log passwords with the authentication requests.
    #  auth_badpass  - logs password if it's rejected
    #  auth_goodpass - logs password if it's correct
    #
    #  allowed values: {no, yes}
    #
    auth_badpass = no
    auth_goodpass = no

    #  Log additional text at the end of the "Login OK" messages.
    #  for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
    #  configurations above have to be set to "yes".
    #
    #  The strings below are dynamically expanded, which means that
    #  you can put anything you want in them.  However, note that
    #  this expansion can be slow, and can negatively impact server
    #  performance.
    #
#   msg_goodpass = ""
#   msg_badpass = ""

    #  The message when the user exceeds the Simultaneous-Use limit.
    #
    msg_denied = "You are already logged in - access denied"

    #  Suppress "secret" attributes when printing them in debug mode.
    #
    #  Secrets are NOT tracked across xlat expansions.  If your
    #  configuration puts secrets into other strings, they will
    #  still get printed.
    #
    #  Setting this to "yes" means that the server prints
    #
    #   <<< secret >>>
    #
    #  instead of the value, for attriburtes which contain secret
    #  information.  e.g. User-Name, Tunnel-Password, etc.
    #
    #  This configuration is disabled by default.  It is extremely
    #  important for administrators to be able to debug user logins
    #  by seeing what is actually being sent.
    #
#   suppress_secrets = no
}

#  The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad

#
#  ENVIRONMENT VARIABLES
#
#  You can reference environment variables using an expansion like
#  `$ENV{PATH}`.  However it is sometimes useful to be able to also set
#  environment variables.  This section lets you do that.
#
#  The main purpose of this section is to allow administrators to keep
#  RADIUS-specific configuration in the RADIUS configuration files.
#  For example, if you need to set an environment variable which is
#  used by a module.  You could put that variable into a shell script,
#  but that's awkward.  Instead, just list it here.
#
#  Note that these environment variables are set AFTER the
#  configuration file is loaded.  So you cannot set FOO here, and
#  expect to reference it via `$ENV{FOO}` in another configuration file.
#  You should instead just use a normal configuration variable for
#  that.
#
ENV {
    #
    #  Set environment varable `FOO` to value '/bar/baz'.
    #
    #  NOTE: Note that you MUST use '='.  You CANNOT use '+=' to append
    #  values.
    #
#   FOO = '/bar/baz'

    #
    #  Delete environment variable `BAR`.
    #
#   BAR

    #
    #  `LD_PRELOAD` is special.  It is normally set before the
    #  application runs, and is interpreted by the dynamic linker.
    #  Which means you cannot set it inside of an application, and
    #  expect it to load libraries.
    #
    #  Since this functionality is useful, we extend it here.
    #
    #  You can set
    #
    #  LD_PRELOAD = /path/to/library.so
    #
    #  and the server will load the named libraries.  Multiple
    #  libraries can be loaded by specificing multiple individual
    #  `LD_PRELOAD` entries.
    #
    #
#   LD_PRELOAD = /path/to/library1.so
#   LD_PRELOAD = /path/to/library2.so
}

# SECURITY CONFIGURATION
#
#  There may be multiple methods of attacking on the server.  This
#  section holds the configuration items which minimize the impact
#  of those attacks
#
security {
    #  chroot: directory where the server does "chroot".
    #
    #  The chroot is done very early in the process of starting
    #  the server.  After the chroot has been performed it
    #  switches to the "user" listed below (which MUST be
    #  specified).  If "group" is specified, it switches to that
    #  group, too.  Any other groups listed for the specified
    #  "user" in "/etc/group" are also added as part of this
    #  process.
    #
    #  The current working directory (chdir / cd) is left
    #  *outside* of the chroot until all of the modules have been
    #  initialized.  This allows the "raddb" directory to be left
    #  outside of the chroot.  Once the modules have been
    #  initialized, it does a "chdir" to ${logdir}.  This means
    #  that it should be impossible to break out of the chroot.
    #
    #  If you are worried about security issues related to this
    #  use of chdir, then simply ensure that the "raddb" directory
    #  is inside of the chroot, end be sure to do "cd raddb"
    #  BEFORE starting the server.
    #
    #  If the server is statically linked, then the only files
    #  that have to exist in the chroot are ${run_dir} and
    #  ${logdir}.  If you do the "cd raddb" as discussed above,
    #  then the "raddb" directory has to be inside of the chroot
    #  directory, too.
    #
#   chroot = /path/to/chroot/directory

    # user/group: The name (or #number) of the user/group to run radiusd as.
    #
    #   If these are commented out, the server will run as the
    #   user/group that started it.  In order to change to a
    #   different user/group, you MUST be root ( or have root
    #   privileges ) to start the server.
    #
    #   We STRONGLY recommend that you run the server with as few
    #   permissions as possible.  That is, if you're not using
    #   shadow passwords, the user and group items below should be
    #   set to radius'.
    #
    #  NOTE that some kernels refuse to setgid(group) when the
    #  value of (unsigned)group is above 60000; don't use group
    #  "nobody" on these systems!
    #
    #  On systems with shadow passwords, you might have to set
    #  'group = shadow' for the server to be able to read the
    #  shadow password file.  If you can authenticate users while
    #  in debug mode, but not in daemon mode, it may be that the
    #  debugging mode server is running as a user that can read
    #  the shadow info, and the user listed below can not.
    #
    #  The server will also try to use "initgroups" to read
    #  /etc/groups.  It will join all groups where "user" is a
    #  member.  This can allow for some finer-grained access
    #  controls.
    #
    user = freerad
    group = freerad

    #  Core dumps are a bad thing.  This should only be set to
    #  'yes' if you're debugging a problem with the server.
    #
    #  allowed values: {no, yes}
    #
    allow_core_dumps = no

    #
    #  max_attributes: The maximum number of attributes
    #  permitted in a RADIUS packet.  Packets which have MORE
    #  than this number of attributes in them will be dropped.
    #
    #  If this number is set too low, then no RADIUS packets
    #  will be accepted.
    #
    #  If this number is set too high, then an attacker may be
    #  able to send a small number of packets which will cause
    #  the server to use all available memory on the machine.
    #
    #  Setting this number to 0 means "allow any number of attributes"
    max_attributes = 200

    #
    #  reject_delay: When sending an Access-Reject, it can be
    #  delayed for a few seconds.  This may help slow down a DoS
    #  attack.  It also helps to slow down people trying to brute-force
    #  crack a users password.
    #
    #  Setting this number to 0 means "send rejects immediately"
    #
    #  If this number is set higher than 'cleanup_delay', then the
    #  rejects will be sent at 'cleanup_delay' time, when the request
    #  is deleted from the internal cache of requests.
    #
    #  This number can be a decimal, e.g. 3.4
    #
    #  Useful ranges: 1 to 5
    reject_delay = 1

    #
    #  status_server: Whether or not the server will respond
    #  to Status-Server requests.
    #
    #  When sent a Status-Server message, the server responds with
    #  an Access-Accept or Accounting-Response packet.
    #
    #  This is mainly useful for administrators who want to "ping"
    #  the server, without adding test users, or creating fake
    #  accounting packets.
    #
    #  It's also useful when a NAS marks a RADIUS server "dead".
    #  The NAS can periodically "ping" the server with a Status-Server
    #  packet.  If the server responds, it must be alive, and the
    #  NAS can start using it for real requests.
    #
    #  See also raddb/sites-available/status
    #
    status_server = yes


}

# PROXY CONFIGURATION
#
#  proxy_requests: Turns proxying of RADIUS requests on or off.
#
#  The server has proxying turned on by default.  If your system is NOT
#  set up to proxy requests to another server, then you can turn proxying
#  off here.  This will save a small amount of resources on the server.
#
#  If you have proxying turned off, and your configuration files say
#  to proxy a request, then an error message will be logged.
#
#  To disable proxying, change the "yes" to "no", and comment the
#  $INCLUDE line.
#
#  allowed values: {no, yes}
#
proxy_requests  = yes
$INCLUDE proxy.conf


# CLIENTS CONFIGURATION
#
#  Client configuration is defined in "clients.conf".
#

#  The 'clients.conf' file contains all of the information from the old
#  'clients' and 'naslist' configuration files.  We recommend that you
#  do NOT use 'client's or 'naslist', although they are still
#  supported.
#
#  Anything listed in 'clients.conf' will take precedence over the
#  information from the old-style configuration files.
#
$INCLUDE clients.conf


# THREAD POOL CONFIGURATION
#
#  The thread pool is a long-lived group of threads which
#  take turns (round-robin) handling any incoming requests.
#
#  You probably want to have a few spare threads around,
#  so that high-load situations can be handled immediately.  If you
#  don't have any spare threads, then the request handling will
#  be delayed while a new thread is created, and added to the pool.
#
#  You probably don't want too many spare threads around,
#  otherwise they'll be sitting there taking up resources, and
#  not doing anything productive.
#
#  The numbers given below should be adequate for most situations.
#
thread pool {
    #  Number of servers to start initially --- should be a reasonable
    #  ballpark figure.
    start_servers = 5

    #  Limit on the total number of servers running.
    #
    #  If this limit is ever reached, clients will be LOCKED OUT, so it
    #  should NOT BE SET TOO LOW.  It is intended mainly as a brake to
    #  keep a runaway server from taking the system with it as it spirals
    #  down...
    #
    #  You may find that the server is regularly reaching the
    #  'max_servers' number of threads, and that increasing
    #  'max_servers' doesn't seem to make much difference.
    #
    #  If this is the case, then the problem is MOST LIKELY that
    #  your back-end databases are taking too long to respond, and
    #  are preventing the server from responding in a timely manner.
    #
    #  The solution is NOT do keep increasing the 'max_servers'
    #  value, but instead to fix the underlying cause of the
    #  problem: slow database, or 'hostname_lookups=yes'.
    #
    #  For more information, see 'max_request_time', above.
    #
    max_servers = 32

    #  Server-pool size regulation.  Rather than making you guess
    #  how many servers you need, FreeRADIUS dynamically adapts to
    #  the load it sees, that is, it tries to maintain enough
    #  servers to handle the current load, plus a few spare
    #  servers to handle transient load spikes.
    #
    #  It does this by periodically checking how many servers are
    #  waiting for a request.  If there are fewer than
    #  min_spare_servers, it creates a new spare.  If there are
    #  more than max_spare_servers, some of the spares die off.
    #  The default values are probably OK for most sites.
    #
    min_spare_servers = 3
    max_spare_servers = 10

    #  When the server receives a packet, it places it onto an
    #  internal queue, where the worker threads (configured above)
    #  pick it up for processing.  The maximum size of that queue
    #  is given here.
    #
    #  When the queue is full, any new packets will be silently
    #  discarded.
    #
    #  The most common cause of the queue being full is that the
    #  server is dependent on a slow database, and it has received
    #  a large "spike" of traffic.  When that happens, there is
    #  very little you can do other than make sure the server
    #  receives less traffic, or make sure that the database can
    #  handle the load.
    #
#   max_queue_size = 65536

    #  Clean up old threads periodically.  For no reason other than
    #  it might be useful.
    #
    #  '0' is a special value meaning 'infinity', or 'the servers never
    #  exit'
    max_requests_per_server = 0

    #  Automatically limit the number of accounting requests.
    #  This configuration item tracks how many requests per second
    #  the server can handle.  It does this by tracking the
    #  packets/s received by the server for processing, and
    #  comparing that to the packets/s handled by the child
    #  threads.
    #

    #  If the received PPS is larger than the processed PPS, *and*
    #  the queue is more than half full, then new accounting
    #  requests are probabilistically discarded.  This lowers the
    #  number of packets that the server needs to process.  Over
    #  time, the server will "catch up" with the traffic.
    #
    #  Throwing away accounting packets is usually safe and low
    #  impact.  The NAS will retransmit them in a few seconds, or
    #  even a few minutes.  Vendors should read RFC 5080 Section 2.2.1
    #  to see how accounting packets should be retransmitted.  Using
    #  any other method is likely to cause network meltdowns.
    #
    auto_limit_acct = no
}

######################################################################
#
#  SNMP notifications.  Uncomment the following line to enable
#  snmptraps.  Note that you MUST also configure the full path
#  to the "snmptrap" command in the "trigger.conf" file.
#
#$INCLUDE trigger.conf

# MODULE CONFIGURATION
#
#  The names and configuration of each module is located in this section.
#
#  After the modules are defined here, they may be referred to by name,
#  in other sections of this configuration file.
#
modules {
    #
    #  Each module has a configuration as follows:
    #
    #   name [ instance ] {
    #       config_item = value
    #       ...
    #   }
    #
    #  The 'name' is used to load the 'rlm_name' library
    #  which implements the functionality of the module.
    #
    #  The 'instance' is optional.  To have two different instances
    #  of a module, it first must be referred to by 'name'.
    #  The different copies of the module are then created by
    #  inventing two 'instance' names, e.g. 'instance1' and 'instance2'
    #
    #  The instance names can then be used in later configuration
    #  INSTEAD of the original 'name'.  See the 'radutmp' configuration
    #  for an example.
    #

    #
    #  Some modules have ordering issues.  e.g. "sqlippool" uses
    #  the configuration from "sql".  In that case, the "sql"
    #  module must be read off of disk before the "sqlippool".
    #  However, the directory inclusion below just reads the
    #  directory from start to finish.  Which means that the
    #  modules are read off of disk randomly.
    #
    #  You can list individual modules *before* the directory
    #  inclusion.  Those modules will be loaded first.  Then, when
    #  the directory is read, those modules will be skipped and
    #  not read twice.
    #
#   $INCLUDE mods-enabled/sql

    #
    #  All modules are in ther mods-enabled/ directory.  Files
    #  matching the regex /[a-zA-Z0-9_.]+/ are read.  The
    #  modules are initialized ONLY if they are referenced in a
    #  processing section, such as authorize, authenticate,
    #  accounting, pre/post-proxy, etc.
    #
    $INCLUDE mods-enabled/
}

# Instantiation
#
#  This section sets the instantiation order of the modules.  listed
#  here will get started up BEFORE the sections like authorize,
#  authenticate, etc. get examined.
#
#  This section is not strictly needed.  When a section like authorize
#  refers to a module, the module is automatically loaded and
#  initialized.  However, some modules may not be listed in any of the
#  processing sections, so they should be listed here.
#
#  Also, listing modules here ensures that you have control over
#  the order in which they are initialized.  If one module needs
#  something defined by another module, you can list them in order
#  here, and ensure that the configuration will be OK.
#
#  After the modules listed here have been loaded, all of the modules
#  in the "mods-enabled" directory will be loaded.  Loading the
#  "mods-enabled" directory means that unlike Version 2, you usually
#  don't need to list modules here.
#
instantiate {
    #
    # We list the counter module here so that it registers
    # the check_name attribute before any module which sets
    # it
#   daily

    # subsections here can be thought of as "virtual" modules.
    #
    # e.g. If you have two redundant SQL servers, and you want to
    # use them in the authorize and accounting sections, you could
    # place a "redundant" block in each section, containing the
    # exact same text.  Or, you could uncomment the following
    # lines, and list "redundant_sql" in the authorize and
    # accounting sections.
    #
    #  The "virtual" module defined here can also be used with
    #  dynamic expansions, under a few conditions:
    #
    #  * The section is "redundant", or "load-balance", or
    #    "redundant-load-balance"
    #  * The section contains modules ONLY, and no sub-sections
    #  * all modules in the section are using the same rlm_
    #    driver, e.g. They are all sql, or all ldap, etc.
    #
    #  When those conditions are satisfied, the server will
    #  automatically register a dynamic expansion, using the
    #  name of the "virtual" module.  In the example below,
    #  it will be "redundant_sql".  You can then use this expansion
    #  just like any other:
    #
    #   update reply {
    #       Filter-Id := "%{redundant_sql: ... }"
    #   }
    #
    #  In this example, the expansion is done via module "sql1",
    #  and if that expansion fails, using module "sql2".
    #
    #  For best results, configure the "pool" subsection of the
    #  module so that "retry_delay" is non-zero.  That will allow
    #  the redundant block to quickly ignore all "down" SQL
    #  databases.  If instead we have "retry_delay = 0", then
    #  every time the redundant block is used, the server will try
    #  to open a connection to every "down" database, causing
    #  problems.
    #
    #redundant redundant_sql {
    #   sql1
    #   sql2
    #}
}

######################################################################
#
#  Policies are virtual modules, similar to those defined in the
#  "instantiate" section above.
#
#  Defining a policy in one of the policy.d files means that it can be
#  referenced in multiple places as a *name*, rather than as a series of
#  conditions to match, and actions to take.
#
#  Policies are something like subroutines in a normal language, but
#  they cannot be called recursively. They MUST be defined in order.
#  If policy A calls policy B, then B MUST be defined before A.
#
######################################################################
policy {
    $INCLUDE policy.d/
}

######################################################################
#
#   Load virtual servers.
#
#   This next $INCLUDE line loads files in the directory that
#   match the regular expression: /[a-zA-Z0-9_.]+/
#
#   It allows you to define new virtual servers simply by placing
#   a file into the raddb/sites-enabled/ directory.
#
$INCLUDE sites-enabled/

######################################################################
#
#   All of the other configuration sections like "authorize {}",
#   "authenticate {}", "accounting {}", have been moved to the
#   the file:
#
#       raddb/sites-available/default
#
#   This is the "default" virtual server that has the same
#   configuration as in version 1.0.x and 1.1.x.  The default
#   installation enables this virtual server.  You should
#   edit it to create policies for your local site.
#
#   For more documentation on virtual servers, see:
#
#       raddb/sites-available/README
#
######################################################################