USERS(5) | FreeRADIUS user authorization file | USERS(5) |
NAME
users - user authorization file for the FreeRADIUS server
DESCRIPTION
The users file resides in the RADIUS database directory, by default /etc/raddb. It contains a series of configuration directives which are used by the files module to decide how to authorize and authenticate each user request.
CAVEATS
The special username DEFAULT matches any username.
OPERATORS
Additional operators other than = may be used for the attributes in either the check item, or reply item list. The following is a list of operators, and their meaning.
- Attribute = Value
  Not allowed as a check item for RADIUS protocol attributes. It is allowed for server configuration attributes (Auth-Type, etc.), and sets the value of an attribute only if there is no other item of the same attribute.
- Attribute := Value
  Always matches as a check item, and replaces in the configuration items any attribute of the same name. If no attribute of that name appears in the request, then this attribute is added.
- Attribute == Value
  As a check item, it matches if the named attribute is present in the request, AND has the given value.
- Attribute += Value
  Always matches as a check item, and adds the current attribute with value to the list of configuration items.
- Attribute != Value
  As a check item, matches if the given attribute is in the request, AND does not have the given value.
- Attribute > Value
  As a check item, it matches if the request contains an attribute with a value greater than the one given.
- Attribute >= Value
  As a check item, it matches if the request contains an attribute with a value greater than, or equal to the one given.
- Attribute < Value
  As a check item, it matches if the request contains an attribute with a value less than the one given.
- Attribute <= Value
  As a check item, it matches if the request contains an attribute with a value less than, or equal to the one given.
- Attribute =~ Expression
  As a check item, it matches if the request contains an attribute which matches the given regular expression. This operator may only be applied to string attributes.
- Attribute !~ Expression
  As a check item, it matches if the request contains an attribute which does not match the given regular expression. This operator may only be applied to string attributes.
- Attribute =* Value
  As a check item, it matches if the request contains the named attribute, no matter what the value is.
- Attribute !* Value
  As a check item, it matches if the request does not contain the named attribute, no matter what the value is.
EXAMPLES
bob Cleartext-Password := "hello"

Requests containing the User-Name attribute, with value "bob", will be authenticated using the "known good" password "hello". There are no reply items, so the reply will be empty.

DEFAULT Auth-Type = System
    Fall-Through = Yes

For all users reaching this entry, perform authentication against the system, unless Auth-Type has already been set. Also, process any following entries which may match.

DEFAULT Service-Type == Framed-User, Framed-Protocol == PPP
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Fall-Through = Yes

If the request packet contains the attributes Service-Type and Framed-Protocol, with the given values, then include those attributes in the reply. That is, give the user what they ask for. This entry also shows how to specify multiple reply items.
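The check-item rules in OPERATORS can be modelled in a few lines to show why := and == behave so differently in a check list. This is an added example, not FreeRADIUS code: a simplified Python model in which item_matches, matched_entries, the sample entries and the NAS-IP-Address and NAS-Port values are constructed for illustration, and processing is assumed to stop at the first matching entry unless Fall-Through = Yes.

```python
import re

# Simplified model of the OPERATORS rules above; request = {attribute: value}.
CONFIG_ATTRS = {"Auth-Type"}  # server configuration attribute named on the page

def item_matches(request, attr, op, value):
    """Evaluate one check item against a request."""
    if op in (":=", "+="):
        return True  # always match: they only set configuration items
    if op == "=":
        if attr not in CONFIG_ATTRS:
            raise ValueError(f"'=' is not allowed as a check item for {attr}")
        return True  # sets a configuration attribute, compares nothing
    if op == "=*":
        return attr in request
    if op == "!*":
        return attr not in request
    if attr not in request:
        return False  # every remaining operator needs the attribute present
    have = request[attr]
    if op in ("=~", "!~"):
        if not isinstance(have, str):
            raise TypeError("regex operators apply only to string attributes")
        return (re.search(value, have) is not None) == (op == "=~")
    compare = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
               ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
               "<": lambda a, b: a < b, "<=": lambda a, b: a <= b}
    return compare[op](have, value)

def matched_entries(entries, request):
    """Return labels of the entries applied, in file order."""
    applied = []
    for label, name, checks, reply in entries:
        if name not in ("DEFAULT", request.get("User-Name")):
            continue
        if all(item_matches(request, *check) for check in checks):
            applied.append(label)
            if reply.get("Fall-Through") != "Yes":
                break  # assumption of this model: stop unless Fall-Through = Yes
    return applied

# Constructed sample: one NAS restriction written with ':=' and with '=='.
LOOSE = [("loose", "DEFAULT", [("NAS-IP-Address", ":=", "192.0.2.10")], {})]
STRICT = [("strict", "DEFAULT", [("NAS-IP-Address", "==", "192.0.2.10")], {})]
REQUEST = {"User-Name": "bob", "NAS-IP-Address": "198.51.100.7", "NAS-Port": 3}
```

In this model the LOOSE entry is applied to a request from a different NAS address, because := never compares anything, while the STRICT entry is not. Reviewing a users file for := or += on request attributes where == was intended catches this class of mistake.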
HINTS
Run the server in debugging mode (-X), and use the radclient program to send it test packets which you think will match specific entries. The server will print out which entries were matched for that request, so you can verify your expectations. This should be the FIRST thing you do if you suspect problems with the file.
FILES
/etc/raddb/users
SEE ALSO
radclient(1), radiusd(8), dictionary(5), naslist(5)
AUTHOR
The FreeRADIUS team.
04 Jan 2004