Skip to content

Latest commit

 

History

History
114 lines (70 loc) · 2.87 KB

templates.conf.adoc

File metadata and controls

114 lines (70 loc) · 2.87 KB

Templates

Templates are configurations that can be used in multiple places.

Use templates by adding a line in radiusd.conf:

$INCLUDE templates.conf

The goal of the templates is to have common configuration located in this file, and to list only the differences in the individual sections. This feature is most useful for sections like clients where many may be defined, and each one has similar repeated configuration.

Something similar to templates can be done by putting common configuration into separate files, and using $INCLUDE file…​, but templates are more flexible, and simpler to understand. It’s also cheaper for the server, because $INCLUDE makes a copy of the configuration for inclusion, whereas templates are simply referenced.

The templates are defined in the templates section so that they do not affect the rest of the server configuration. The actual contents of the templates section are other configuration sections that would normally go into the main configuration files.

Within the main server configuration, a section can reference a template by using $template name.

For now, you can use templates only for sections in radiusd.conf, not sub-sections. So you still have to use the $INCLUDE file…​ method for things like defining multiple "sql" modules, each with similar configuration.

Template example

Define the main template section:

Unlike v3, Access-Request log configuration is different for each listen section. Templates can be used to regain a global configuration. Simply configure the following section as you like, and then in every Access-Request subsection, put:

Access-Request {
    $template Access-Request
}

then enable templates.conf as described above.

stripped_names

Log the full User-Name attribute, as it was found in the request.

Allowed values: {no, yes}

auth

Log authentication requests to the log file.

Allowed values: {no, yes}

Should we log passwords with the authentication requests?

auth_badpass

logs password if it’s rejected

auth_goodpass

logs password if it’s correct

Allowed values: {no, yes}

Log additional text at the end of the "Login OK" messages. for these to work, the "auth" and "auth_goodpass" or "auth_badpass" configurations above have to be set to "yes".

The strings below are dynamically expanded, which means that you can put anything you want in them. However, note that this expansion can be slow, and can negatively impact server performance.

msg_goodpass

text to log after a correct password

msg_badpass

text to log after an incorrect password

msg_denied

The message when the user exceeds the Simultaneous-Use limit.

Default Configuration

templates {
	Access-Request {
		stripped_names = no
		auth = no
		auth_badpass = no
		auth_goodpass = no
		msg_goodpass = ""
		msg_badpass = ""
		msg_denied = "You are already logged in - access denied"
	}
}