「FreeRADIUS」- radiusd.conf | Core Configuration File | Study Notes

Structure

This part introduces the file format of the configuration files and the related syntax.

The format of the configuration files is line-based text. Each configuration setting must be on a separate line.

Configuration language | Unlang Policy Language | https://www.freeradius.org/documentation/freeradius-server/3.2.8/unlang/index.html

The file format is built around three basic elements:

  • variable assignment,
  • variable and module references,
  • and sections.

Comment

Comments are allowed and are easily identified with the use of the # (hash) character: any text following a # character is considered to be a comment and is thus ignored by the parser.

Whitespace

Spaces, tabs, and blank lines do not have any meaning and are also ignored by the parser.

Line Break

Unintentional line breaks can be canceled by placing a backslash (\) as the last character on the broken line.

Variable Assignment

  • FreeRADIUS usually has predefined variable names with predefined meanings.
  • Variables are assigned values. The values can be integers, strings, file names, etc.
  • As with most systems, single and double-quoted strings can be used. Spaces and other characters can also be used in strings.
  • The double quotes mean that the string can be dynamically expanded.

Variable Reference

  • Variable references are used when multiple variables contain the same value.

Module Reference

  • either cause the server to load a shared module
  • or call the module when the server receives a packet.

Section

mygroup "optional instance name" {
    foo = bar
    other = "my ${foo}"     # ${foo} references the variable assigned above
}

client bar {
    ipaddr = 192.0.2.200    # the client this section describes
    secret = very_secret    # shared secret for that client
}

$INCLUDE | Including other files

$INCLUDE other.conf

  • Included files that begin with a / are absolute paths.
  • Otherwise, the path is relative to the current file.

Layout

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius/3.0
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir   = ${confdir}/certs
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
hostname_lookups = no

unlang {
}

log {
	destination = files
	colourise = yes
	file = ${logdir}/radius.log
	syslog_facility = daemon
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no
	msg_denied = "You are already logged in - access denied"
}

checkrad = ${sbindir}/checkrad

ENV {
}

security {
	user = freerad
	group = freerad
	allow_core_dumps = no
	max_attributes = 200
	reject_delay = 1
	status_server = yes
	require_message_authenticator = auto
	limit_proxy_state = auto
}

proxy_requests  = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf

thread pool {
	start_servers = 5
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	max_requests_per_server = 0
	auto_limit_acct = no
}

modules {
	$INCLUDE mods-enabled/
}

instantiate {
}

policy {
	$INCLUDE policy.d/
}

$INCLUDE sites-enabled/
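As an added example (not from these notes or the FreeRADIUS project), a small Python parser for the syntax described above: it strips # comments, joins lines ending in a backslash, records $INCLUDE directives without following them, keys each variable by its section, expands ${var} references, and flags two values from the security section that are weaker than the skeleton's defaults. The sample configuration is constructed; quoted '#' characters and the relative ${..name} reference forms are not handled (an assumption made for brevity).

```python
import re

# Constructed sample in the radiusd.conf syntax described above (not a real file).
SAMPLE = r"""localstatedir = /var
name = freeradius               # '#' starts a comment
run_dir = ${localstatedir}/run/${name}
pidfile = ${run_dir}/${name}.pid
file = "${run_dir}/radius.log"
$INCLUDE clients.conf
security {
    allow_core_dumps = yes
    require_message_authenticator = \
        no
}
"""

def parse(text):
    """Flat dict keyed 'section.key' plus the $INCLUDE paths (not followed)."""
    vars_, includes, stack, carry = {}, [], [], ""
    for raw in text.splitlines():
        line = carry + raw.split("#", 1)[0].strip()   # drop comment and indent
        carry = line[:-1] + " " if line.endswith("\\") else ""  # cancelled break
        if carry:
            continue
        if line.startswith("$INCLUDE "):
            includes.append(line[9:].strip())
        elif line == "}":
            stack.pop()
        elif line.endswith("{"):                        # 'name "instance" {'
            stack.append(" ".join(line[:-1].split()))
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            vars_[".".join(stack + [key])] = val.strip("\"'")
    return vars_, includes

def expand(vars_, key):
    """Resolve ${ref}: same-section name first, then top level or 'sect.name'."""
    section = key.rpartition(".")[0]
    def sub(m):
        for cand in (section + "." + m.group(1), m.group(1)):
            if cand in vars_:
                return expand(vars_, cand)
        raise KeyError(m.group(1))
    return re.sub(r"\$\{([\w.]+)\}", sub, vars_[key])

def audit(vars_):
    """Flag security-section values weaker than the skeleton's defaults."""
    weak = {"security.allow_core_dumps": "yes",
            "security.require_message_authenticator": "no"}
    return [k for k, v in weak.items() if vars_.get(k) == v]
```

Running `audit(parse(SAMPLE)[0])` on the sample reports both weak settings, and `expand(parse(SAMPLE)[0], "pidfile")` resolves the chained references to /var/run/freeradius/freeradius.pid.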

Properties

Variables

user, group, max_requests, ...

For the detailed description of each of these variables and parameters in radiusd.conf, refer to the documentation.

Log

destination, file, auth, msg_badpass, ...

For the detailed description of each of these variables and parameters in radiusd.conf, refer to the documentation.

Security

max_attributes, reject_delay, ...

For the detailed description of each of these variables and parameters in radiusd.conf, refer to the documentation.

Thread

start_servers, max_servers, ...

For the detailed description of each of these variables and parameters in radiusd.conf, refer to the documentation.

Modules

In 2.0 and subsequent versions, the configuration for the modules is located in separate files in the raddb/modules directory. Use of the 2.0 configuration is recommended, as is keeping this section as small as possible.

The module is made up of:

  • the module name, such as pap, chap, or detail.
  • Each module configuration contains zero or more variable definitions. The definitions are specific to that module and are not shared across different modules.
  • Modules may also have subsections. The subsections are specific to a particular module and are not shared across modules.
  • Modules can have specific instances. A module instance is a version of the module that shares the same functionality but uses a different configuration.

module {
    variable = value        # module-specific variable definition
    foo {                   # module-specific subsection
        bar = hello
    }
}

Module loading order | instantiate

  • When module instantiation order matters, the names of the modules to be loaded must be listed in the correct order in this subsection.
  • The instantiate subsection also directs the server to load modules that are not directly referenced in any other section.

Application

Minimal radiusd.conf configuration

According to the documentation, the minimal configuration must:

  • Listen on an IP address and port
  • Accept packets from a known client
  • Not use any plug-in modules
  • Set the authentication to Accept

listen {
    type = auth
    ipaddr = *          # listen on all IPv4 addresses
    port = 0            # 0 means the default authentication port, 1812
}
client localhost {
    # allow packets from 127.0.0.1
    ipaddr = 127.0.0.1
    secret = testing123
}
modules {
    # We don't use any modules
}
authorize {
    # return Access-Accept for PAP and CHAP
    update control {
        Auth-Type := Accept
    }
}

radiusd -X -n small

The -n small option makes the server read small.conf from the configuration directory instead of radiusd.conf, and -X runs it in the foreground in debugging mode.

This configuration takes any localhost Access-Request that contains a PAP or CHAP authentication method and returns an Access-Accept.