[root@wifi_radiusdproxy_16 raddb]# cat users
Please read the documentation file ../doc/processing_users_file,
This file contains authentication security and configuration
through this file. Instead, see 'acct_users', in this directory.
The first field is the user's name and can be up to
characters in length. This is followed (on the same line) with
the list of authentication requirements for that user. This can
include password, comm server name, comm server port number, protocol
type (perhaps set by the "hints" file), and huntgroup name (set by
the "huntgroups" file).
If you are not sure why a particular reply is being sent by the
server, then run the server in debugging mode (radiusd -X), and
you will see which entries in this file are matched.
When an authentication request is received from the comm server,
these values are tested. Only the first match is used unless the
"Fall-Through" variable is set to "Yes".
A special user named "DEFAULT" matches on all usernames.
You can have several DEFAULT entries. All entries are processed
in the order they appear in this file. The first entry that
matches the login-request will stop processing unless you use
the Fall-Through variable.
If you use the database support to turn this file into a .db or .dbm
file, the DEFAULT entries _have_ to be at the end of this file and
you can't have multiple entries for one username.
Indented (with the tab character) lines following the first
line indicate the configuration values to be passed back to
the comm server to allow the initiation of a user session.
This can include things like the PPP configuration values
or the host to log the user onto.
You can include another `users' file with `$INCLUDE users.other'
#
For a list of RADIUS attributes, and links to their definitions,
see:
#
Deny access for a specific user. Note that this entry MUST
be before any other 'Auth-Type' attribute which results in the user
being authenticated.
Note that there is NO 'Fall-Through' attribute, so the user will not
be given any additional resources.
#lameuser Auth-Type := Reject
Reply-Message = "Your account has been disabled."
Deny access for a group of users.
Note that there is NO 'Fall-Through' attribute, so the user will not
be given any additional resources.
#DEFAULT Group == "disabled", Auth-Type := Reject
Reply-Message = "Your account has been disabled."
#
This is a complete entry for "steve". Note that there is no Fall-Through
entry so that no DEFAULT entry will be used, and the user will NOT
get any attributes in addition to the ones listed here.
#steve Cleartext-Password := "testing"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 172.16.3.33,
Framed-IP-Netmask = 255.255.255.0,
Framed-Routing = Broadcast-Listen,
Framed-Filter-Id = "std.ppp",
Framed-MTU = ,
Framed-Compression = Van-Jacobsen-TCP-IP
This is an entry for a user with a space in their name.
Note the double quotes surrounding the name.
#"John Doe" Cleartext-Password := "hello"
Reply-Message = "Hello, %{User-Name}"
Dial user back and telnet to the default host for that port
#Deg Cleartext-Password := "ge55ged"
Service-Type = Callback-Login-User,
Login-IP-Host = 0.0.0.0,
Callback-Number = "9,5551212",
Login-Service = Telnet,
Login-TCP-Port = Telnet
Another complete entry. After the user "dialbk" has logged in, the
connection will be broken and the user will be dialed back after which
he will get a connection to the host "timeshare1".
#dialbk Cleartext-Password := "callme"
Service-Type = Callback-Login-User,
Login-IP-Host = timeshare1,
Login-Service = PortMaster,
Callback-Number = "9,1-800-555-1212"
user "swilson" will only get a static IP number if he logs in with
a framed protocol on a terminal server in Alphen (see the huntgroups file).
Note that by setting "Fall-Through", other attributes will be added from
the following DEFAULT entries
#swilson Service-Type == Framed-User, Huntgroup-Name == "alphen"
Framed-IP-Address = 192.168.1.65,
Fall-Through = Yes
If the user logs in as 'username.shell', then authenticate them
using the default method, give them shell access, and stop processing
the rest of the file.
#DEFAULT Suffix == ".shell"
Service-Type = Login-User,
Login-Service = Telnet,
Login-IP-Host = your.shell.machine
The rest of this file contains the several DEFAULT entries.
DEFAULT entries match with all login names.
Note that DEFAULT entries can also Fall-Through (see first entry).
A name-value pair from a DEFAULT entry will _NEVER_ override
an already existing name-value pair.
#
Set up different IP address pools for the terminal servers.
Note that the "+" behind the IP address means that this is the "base"
IP address. The Port-Id (S0, S1 etc) will be added to it.
#DEFAULT Service-Type == Framed-User, Huntgroup-Name == "alphen"
Framed-IP-Address = 192.168.1.32+,
Fall-Through = Yes
#DEFAULT Service-Type == Framed-User, Huntgroup-Name == "delft"
Framed-IP-Address = 192.168.2.32+,
Fall-Through = Yes
Sample defaults for all framed connections.
#DEFAULT Service-Type == Framed-User
Framed-IP-Address = 255.255.255.254,
Framed-MTU = ,
Service-Type = Framed-User,
Fall-Through = Yes
Default for PPP: dynamic IP address, PPP mode, VJ-compression.
NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
by the terminal server in which case there may not be a "P" suffix.
The terminal server sends "Framed-Protocol = PPP" for auto PPP.
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
Default for SLIP: dynamic IP address, SLIP mode.
#DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP
Last default: rlogin to our main server.
#DEFAULT
Service-Type = Login-User,
Login-Service = Rlogin,
Login-IP-Host = shellbox.ispdomain.com
#
# Last default: shell on the local terminal server.
#
DEFAULT
Service-Type = Administrative-User
On no match, the user is denied access.
DEFAULT Auth-Type := "Accept"
Reply-Message = "Bypass Success Auth User For Remote AAA Fail."