# Request sources
#
# For each 'port' you specify here, the server creates a UDP socket, by
# default bound to the wildcard address 0.0.0.0. You can supply a list of
# addresses as well; the server will then take one from the list in order for
# each socket that it creates.

# 1812/udp carries RADIUS authentication and 1813/udp RADIUS accounting (the
# ports assigned in RFC 2865 and RFC 2866). No address list is given here, so
# both sockets bind to the wildcard address 0.0.0.0, i.e. every interface.
# Limit reachability with an address list or a host firewall if only some
# networks hold RADIUS clients.
source (port=1812,
	port=1813),


# Module interfaces
#
# These definitions link the names that can be called in the behaviour file to
# subprocesses implementing the OpenRADIUS module interface.
#
# Each interface must at least specify a name by which it can be called in the
# behaviour file and one or more processes to run to handle requests. It can
# also specify a request attribute filter, a response attribute filter, format
# flags (binary, ASCII), two parameters that specify whether and how the module
# supports out of order processing (window, jobticket), and a timeout.


# Change this if you run a different database. Must match your behaviour file.

# NOTE(review): the included file presumably defines the database module
# interface and may carry connection credentials - confirm, and if so keep it
# readable only by the account the server runs as.
include configuration.postgres,


# Uncomment this if you want to run a proxy. 'Trusted' means that the remote
# server is allowed to add any attribute it wants to your reply list. You
# can restrict it by replacing the recvattr="rep:RAD-ATR:Any" line with a list
# of specific attributes.

# NOTE(review): this interface is active as written, although its header
# comment says to uncomment it. Comment the whole block out if this server
# does not proxy, so that an unused wildcard-trust path is not left enabled.
interface (name="Trustedproxy",
	   sendattr="rep:Target-Server",
	   sendattr="req:RAD-Code",
	   sendattr="req:RAD-ATR:Any",		# send: wildcards must be last
	   prog="radclient -C",
	   # The 'Any' wildcard below accepts every attribute the remote
	   # server returns into the reply list. Replace it with explicit
	   # attribute names unless the upstream server is fully trusted to
	   # decide what your clients are sent.
	   recvattr="rep:RAD-ATR:Any",
	   recvattr="rep:RAD-Code",
	   flags=Ascii + Short-Attr,
	   window=256,
	   jobticket="Radclient-Query-Id",
	   timeout=300),			# Max time for module to reply.
	   					# For async interfaces (window
						# > 1) this is the lifetime of
						# the oldest request. It's
						# essentially a subprocess 
						# watchdog, not a timeout for 
						# individual requests.


# MSCHAP authenticator

# The 'rep:clear-password' filter hands the user's cleartext password to the
# mschap subprocess; presumably the behaviour file fills it from the user
# database, which then has to store passwords in recoverable form.
# NOTE(review): check that no logging or debug interface called from the
# behaviour file records this attribute.
interface (name="Mschap",
	   sendattr="str", 
	   sendattr="rep:clear-password", 
	   prog="mschap",
	   timeout=15),


# Uncomment this if you run multi-step authentication protocols that involve
# statekeeping across RADIUS requests. All pseudo-attributes in the PERSIST
# space will be sent to the module and received to the request list. Required
# for EAP.

# NOTE(review): this interface is active as written, although its header
# comment says to uncomment it; disable it if no EAP or other multi-step
# method is in use. The '-d' switch on the memory module is presumably debug
# output - confirm, since the PERSIST values passed here are session state
# and should not end up in a widely readable log.
interface (name="Memory",
	   sendattr="op",
	   sendattr="key",
	   sendattr="req:PERSIST:Any",
	   prog="memory -d",
	   recvattr="req:PERSIST:Any",
	   recvattr="rep:key",
	   timeout=5),


# TLS-based EAP types

# EAP-TLS handler. Only the listed attributes are sent to the eaptls
# subprocess; no recvattr filter is set.
# NOTE(review): no certificate or private-key path appears on this command
# line, so eaptls must find them elsewhere - confirm where, and that the
# private key is readable only by the account the server runs as. The meaning
# of '-d', '-s 37481301' and '-c' is not documented in this file; '-d' is
# presumably debug output and should be reviewed before production use.
interface (name="Tls", 
	   sendattr="Transaction-Id",
	   sendattr="Response-TLS-Flags",
	   sendattr="Response-TLS-Data",
	   sendattr="Framed-MTU",
	   sendattr="TLS-Action",
	   sendattr="TLS-Payload",
	   prog="eaptls -d -s 37481301 -c",
	   # Shared with the Ttls and Peap interfaces; presumably identifies
	   # the subprocess that holds a handshake in progress - TODO confirm.
	   pidattr="Pid-Tls",			
	   timeout=5),

# EAP-TTLS handler; runs the same eaptls program as the Tls interface with a
# different '-s' value and extra switches.
# NOTE(review): '-l ttls#keying#material' looks like the label used to derive
# session keys from the TLS handshake, with '#' standing in for spaces -
# confirm against the eaptls documentation before changing it, because a
# wrong label would yield keys the peer cannot use. '-td' and '-p 35880000'
# are not explained in this file.
interface (name="Ttls", 
	   sendattr="Transaction-Id",
	   sendattr="Response-TTLS-Flags",
	   sendattr="Response-TTLS-Data",
	   sendattr="Framed-MTU",
	   sendattr="TLS-Action",
	   sendattr="TLS-Payload",
	   prog="eaptls -d -s 37482101 -td -p 35880000 -l ttls#keying#material",
	   pidattr="Pid-Tls",			
	   timeout=5),

# PEAP handler; runs the same eaptls program as the Tls and Ttls interfaces.
# Unlike those two, the active command line carries no '-d' switch.
interface (name="Peap", 
	   sendattr="Transaction-Id",
	   sendattr="Response-PEAP-Flags",
	   sendattr="Response-PEAP-Data",
	   sendattr="Framed-MTU",
	   sendattr="TLS-Action",
	   sendattr="TLS-Payload",
	   prog="eaptls -s 37482501 -tr",
	   # Alternative invocation kept for reference. It adds '-d', a key
	   # label ('-l') and what look like key and IV sizes ('-k 128',
	   # '-i 64') - presumably for peers that expect those parameters;
	   # confirm against the eaptls documentation before enabling it.
	   # prog="eaptls -d -s 37482501 -tr -l client#PEAP#encryption -k 128 -i 64",
	   pidattr="Pid-Tls",			
	   timeout=5),


# Miscellaneous

# ASCII-format logging interface backed by the radlogger program.
# NOTE(review): no sendattr filter is set, so presumably every attribute of
# the request is passed to radlogger, password attributes included - confirm,
# and restrict who can read its output or add a filter before calling this
# interface on live authentication traffic.
interface (name="Ascdebug",
	   prog="radlogger",
	   flags=Ascii + Double-Backslash,
	   timeout=60),

# Debug interface backed by the 'debug' program; no format flags are given, so
# it presumably uses the binary module format.
# NOTE(review): like Ascdebug it has no sendattr filter; treat whatever it
# writes as sensitive until it is confirmed which attributes it receives.
interface (name="Bindebug",
	   prog="debug",
	   timeout=60),


# Keys generated at startup for signing State and Class attributes
#
# NOTE(review): 'random 8' presumably means 8 random bytes (64 bits) - confirm
# the unit and whether that length is adequate for a signing key.

REQ:Process-Secret = random 8,
REQ:Server-Secret = random 8,		

# You should replace the random Server-Secret with a static key that's valid for
# the lifetime of the current configuration. That's better because it's not
# necessary to invalidate all accounting generated during an earlier server
# run.
#
# A static key then lives in this file: generate it from a cryptographically
# secure random source rather than choosing a phrase, keep the file readable
# only by the account the server runs as, and keep the real value out of
# version control and out of backups that other people can read.

