PNG  IHDRQgAMA a cHRMz&u0`:pQ<bKGDgmIDATxwUﹻ& ^CX(J I@ "% (** BX +*i"]j(IH{~R)[~>h{}gy)I$Ij .I$I$ʊy@}x.: $I$Ii}VZPC)I$IF ^0ʐJ$I$Q^}{"r=OzI$gRZeC.IOvH eKX $IMpxsk.쒷/&r[޳<v| .I~)@$updYRa$I |M.e JaֶpSYR6j>h%IRز if&uJ)M$I vLi=H;7UJ,],X$I1AҒJ$ XY XzI@GNҥRT)E@;]K*Mw;#5_wOn~\ DC&$(A5 RRFkvIR}l!RytRl;~^ǷJj اy뷦BZJr&ӥ8Pjw~vnv X^(I;4R=P[3]J,]ȏ~:3?[ a&e)`e*P[4]T=Cq6R[ ~ޤrXR Հg(t_HZ-Hg M$ãmL5R uk*`%C-E6/%[t X.{8P9Z.vkXŐKjgKZHg(aK9ڦmKjѺm_ \#$5,)-  61eJ,5m| r'= &ڡd%-]J on Xm|{ RҞe $eڧY XYrԮ-a7RK6h>n$5AVڴi*ֆK)mѦtmr1p| q:흺,)Oi*ֺK)ܬ֦K-5r3>0ԔHjJئEZj,%re~/z%jVMڸmrt)3]J,T K֦OvԒgii*bKiNO~%PW0=dii2tJ9Jݕ{7"I P9JKTbu,%r"6RKU}Ij2HKZXJ,妝 XYrP ެ24c%i^IK|.H,%rb:XRl1X4Pe/`x&P8Pj28Mzsx2r\zRPz4J}yP[g=L) .Q[6RjWgp FIH*-`IMRaK9TXcq*I y[jE>cw%gLRԕiFCj-ďa`#e~I j,%r,)?[gp FI˨mnWX#>mʔ XA DZf9,nKҲzIZXJ,L#kiPz4JZF,I,`61%2s $,VOϚ2/UFJfy7K> X+6 STXIeJILzMfKm LRaK9%|4p9LwJI!`NsiazĔ)%- XMq>pk$-$Q2x#N ؎-QR}ᶦHZډ)J,l#i@yn3LN`;nڔ XuX5pF)m|^0(>BHF9(cզEerJI rg7 4I@z0\JIi䵙RR0s;$s6eJ,`n 䂦0a)S)A 1eJ,堌#635RIgpNHuTH_SԕqVe ` &S)>p;S$魁eKIuX`I4춒o}`m$1":PI<[v9^\pTJjriRŭ P{#{R2,`)e-`mgj~1ϣLKam7&U\j/3mJ,`F;M'䱀 .KR#)yhTq;pcK9(q!w?uRR,n.yw*UXj#\]ɱ(qv2=RqfB#iJmmL<]Y͙#$5 uTU7ӦXR+q,`I}qL'`6Kͷ6r,]0S$- [RKR3oiRE|nӦXR.(i:LDLTJjY%o:)6rxzҒqTJjh㞦I.$YR.ʼnGZ\ֿf:%55 I˼!6dKxm4E"mG_ s? .e*?LRfK9%q#uh$)i3ULRfK9yxm܌bj84$i1U^@Wbm4uJ,ҪA>_Ij?1v32[gLRD96oTaR׿N7%L2 NT,`)7&ƝL*꽙yp_$M2#AS,`)7$rkTA29_Iye"|/0t)$n XT2`YJ;6Jx".e<`$) PI$5V4]29SRI>~=@j]lp2`K9Jaai^" Ԋ29ORI%:XV5]JmN9]H;1UC39NI%Xe78t)a;Oi Ҙ>Xt"~G>_mn:%|~ޅ_+]$o)@ǀ{hgN;IK6G&rp)T2i୦KJuv*T=TOSV>(~D>dm,I*Ɛ:R#ۙNI%D>G.n$o;+#RR!.eU˽TRI28t)1LWϚ>IJa3oFbu&:tJ*(F7y0ZR ^p'Ii L24x| XRI%ۄ>S1]Jy[zL$adB7.eh4%%누>WETf+3IR:I3Xה)3אOۦSRO'ٺ)S}"qOr[B7ϙ.edG)^ETR"RtRݜh0}LFVӦDB^k_JDj\=LS(Iv─aTeZ%eUAM-0;~˃@i|l @S4y72>sX-vA}ϛBI!ݎߨWl*)3{'Y|iSlEڻ(5KtSI$Uv02,~ԩ~x;P4ցCrO%tyn425:KMlD ^4JRxSهF_}شJTS6uj+ﷸk$eZO%G*^V2u3EMj3k%)okI]dT)URKDS 7~m@TJR~荪fT"֛L \sM -0T KfJz+nإKr L&j()[E&I ߴ>e FW_kJR|!O:5/2跌3T-'|zX ryp0JS ~^F>-2< `*%ZFP)bSn"L :)+pʷf(pO3TMW$~>@~ū:TAIsV1}S2<%ޟM?@iT ,Eūoz%i~g|`wS(]oȤ8)$ ntu`өe`6yPl IzMI{ʣzʨ )IZ2= ld:5+請M$-ї;U>_gsY$ÁN5WzWfIZ)-yuXIfp~S*IZdt;t>KūKR|$#LcԀ+2\;kJ`]YǔM1B)UbG"IRߊ<xܾӔJ0Z='Y嵤 Leveg)$znV-º^3Ւof#0Tfk^Zs[*I꯳3{)ˬW4Ւ4 OdpbZRS|*I 55#"&-IvT&/윚Ye:i$ 9{LkuRe[I~_\ؠ%>GL$iY8 9ܕ"S`kS.IlC;Ҏ4x&>u_0JLr<J2(^$5L s=MgV ~,Iju> 7r2)^=G$1:3G< `J3~&IR% 6Tx/rIj3O< ʔ&#f_yXJiގNSz; Tx(i8%#4 ~AS+IjerIUrIj362v885+IjAhK__5X%nV%Iͳ-y|7XV2v4fzo_68"S/I-qbf; LkF)KSM$ Ms>K WNV}^`-큧32ŒVؙGdu,^^m%6~Nn&͓3ŒVZMsRpfEW%IwdǀLm[7W&bIRL@Q|)* i ImsIMmKmyV`i$G+R 0tV'!V)֏28vU7͒vHꦼtxꗞT ;S}7Mf+fIRHNZUkUx5SAJㄌ9MqμAIRi|j5)o*^'<$TwI1hEU^c_j?Е$%d`z cyf,XO IJnTgA UXRD }{H}^S,P5V2\Xx`pZ|Yk:$e ~ @nWL.j+ϝYb퇪bZ BVu)u/IJ_ 1[p.p60bC >|X91P:N\!5qUB}5a5ja `ubcVxYt1N0Zzl4]7­gKj]?4ϻ *[bg$)+À*x쳀ogO$~,5 زUS9 lq3+5mgw@np1sso Ӻ=|N6 /g(Wv7U;zωM=wk,0uTg_`_P`uz?2yI!b`kĸSo+Qx%!\οe|އԁKS-s6pu_(ֿ$i++T8=eY; צP+phxWQv*|p1. ά. XRkIQYP,drZ | B%wP|S5`~́@i޾ E;Չaw{o'Q?%iL{u D?N1BD!owPHReFZ* k_-~{E9b-~P`fE{AܶBJAFO wx6Rox5 K5=WwehS8 (JClJ~ p+Fi;ŗo+:bD#g(C"wA^ r.F8L;dzdIHUX݆ϞXg )IFqem%I4dj&ppT{'{HOx( Rk6^C٫O.)3:s(۳(Z?~ٻ89zmT"PLtw䥈5&b<8GZ-Y&K?e8,`I6e(֍xb83 `rzXj)F=l($Ij 2*(F?h(/9ik:I`m#p3MgLaKjc/U#n5S# m(^)=y=đx8ŬI[U]~SцA4p$-F i(R,7Cx;X=cI>{Km\ o(Tv2vx2qiiDJN,Ҏ!1f 5quBj1!8 rDFd(!WQl,gSkL1Bxg''՞^ǘ;pQ P(c_ IRujg(Wz bs#P­rz> k c&nB=q+ؔXn#r5)co*Ũ+G?7< |PQӣ'G`uOd>%Mctz# Ԫڞ&7CaQ~N'-P.W`Oedp03C!IZcIAMPUۀ5J<\u~+{9(FbbyAeBhOSܳ1 bÈT#ŠyDžs,`5}DC-`̞%r&ڙa87QWWp6e7 Rϫ/oY ꇅ Nܶըtc!LA T7V4Jsū I-0Pxz7QNF_iZgúWkG83 0eWr9 X]㾮݁#Jˢ C}0=3ݱtBi]_ &{{[/o[~ \q鯜00٩|cD3=4B_b RYb$óBRsf&lLX#M*C_L܄:gx)WΘsGSbuL rF$9';\4Ɍq'n[%p.Q`u hNb`eCQyQ|l_C>Lb꟟3hSb #xNxSs^ 88|Mz)}:](vbۢamŖ࿥ 0)Q7@0=?^k(*J}3ibkFn HjB׻NO z x}7p 0tfDX.lwgȔhԾŲ }6g E |LkLZteu+=q\Iv0쮑)QٵpH8/2?Σo>Jvppho~f>%bMM}\//":PTc(v9v!gոQ )UfVG+! 35{=x\2+ki,y$~A1iC6#)vC5^>+gǵ@1Hy٪7u;p psϰu/S <aʸGu'tD1ԝI<pg|6j'p:tպhX{o(7v],*}6a_ wXRk,O]Lܳ~Vo45rp"N5k;m{rZbΦ${#)`(Ŵg,;j%6j.pyYT?}-kBDc3qA`NWQū20/^AZW%NQ MI.X#P#,^Ebc&?XR tAV|Y.1!؅⨉ccww>ivl(JT~ u`ٵDm q)+Ri x/x8cyFO!/*!/&,7<.N,YDŽ&ܑQF1Bz)FPʛ?5d 6`kQձ λc؎%582Y&nD_$Je4>a?! ͨ|ȎWZSsv8 j(I&yj Jb5m?HWp=g}G3#|I,5v珿] H~R3@B[☉9Ox~oMy=J;xUVoj bUsl_35t-(ՃɼRB7U!qc+x4H_Qo֮$[GO<4`&č\GOc[.[*Af%mG/ ňM/r W/Nw~B1U3J?P&Y )`ѓZ1p]^l“W#)lWZilUQu`-m|xĐ,_ƪ|9i:_{*(3Gѧ}UoD+>m_?VPۅ15&}2|/pIOʵ> GZ9cmíتmnz)yߐbD >e}:) r|@R5qVSA10C%E_'^8cR7O;6[eKePGϦX7jb}OTGO^jn*媓7nGMC t,k31Rb (vyܴʭ!iTh8~ZYZp(qsRL ?b}cŨʊGO^!rPJO15MJ[c&~Z`"ѓޔH1C&^|Ш|rʼ,AwĴ?b5)tLU)F| &g٣O]oqSUjy(x<Ϳ3 .FSkoYg2 \_#wj{u'rQ>o;%n|F*O_L"e9umDds?.fuuQbIWz |4\0 sb;OvxOSs; G%T4gFRurj(֍ڑb uԖKDu1MK{1^ q; C=6\8FR艇!%\YÔU| 88m)֓NcLve C6z;o&X x59:q61Z(T7>C?gcļxѐ Z oo-08jہ x,`' ҔOcRlf~`jj".Nv+sM_]Zk g( UOPyεx%pUh2(@il0ݽQXxppx-NS( WO+轾 nFߢ3M<;z)FBZjciu/QoF 7R¥ ZFLF~#ȣߨ^<쩡ݛкvџ))ME>ώx4m#!-m!L;vv#~Y[đKmx9.[,UFS CVkZ +ߟrY٧IZd/ioi$%͝ب_ֶX3ܫhNU ZZgk=]=bbJS[wjU()*I =ώ:}-蹞lUj:1}MWm=̛ _ ¾,8{__m{_PVK^n3esw5ӫh#$-q=A̟> ,^I}P^J$qY~Q[ Xq9{#&T.^GVj__RKpn,b=`żY@^՝;z{paVKkQXj/)y TIc&F;FBG7wg ZZDG!x r_tƢ!}i/V=M/#nB8 XxЫ ^@CR<{䤭YCN)eKOSƟa $&g[i3.C6xrOc8TI;o hH6P&L{@q6[ Gzp^71j(l`J}]e6X☉#͕ ׈$AB1Vjh㭦IRsqFBjwQ_7Xk>y"N=MB0 ,C #o6MRc0|$)ف"1!ixY<B9mx `,tA>)5ػQ?jQ?cn>YZe Tisvh# GMމȇp:ԴVuږ8ɼH]C.5C!UV;F`mbBk LTMvPʍϤj?ԯ/Qr1NB`9s"s TYsz &9S%U԰> {<ؿSMxB|H\3@!U| k']$U+> |HHMLޢ?V9iD!-@x TIî%6Z*9X@HMW#?nN ,oe6?tQwڱ.]-y':mW0#!J82qFjH -`ѓ&M0u Uγmxϵ^-_\])@0Rt.8/?ٰCY]x}=sD3ojަЫNuS%U}ԤwHH>ڗjܷ_3gN q7[q2la*ArǓԖ+p8/RGM ]jacd(JhWko6ڎbj]i5Bj3+3!\j1UZLsLTv8HHmup<>gKMJj0@H%,W΃7R) ">c, xixј^ aܖ>H[i.UIHc U1=yW\=S*GR~)AF=`&2h`DzT󑓶J+?W+}C%P:|0H܆}-<;OC[~o.$~i}~HQ TvXΈr=b}$vizL4:ȰT|4~*!oXQR6Lk+#t/g lԁߖ[Jڶ_N$k*". xsxX7jRVbAAʯKҎU3)zSNN _'s?f)6X!%ssAkʱ>qƷb hg %n ~p1REGMHH=BJiy[<5 ǁJҖgKR*倳e~HUy)Ag,K)`Vw6bRR:qL#\rclK/$sh*$ 6덤 KԖc 3Z9=Ɣ=o>X Ώ"1 )a`SJJ6k(<c e{%kϊP+SL'TcMJWRm ŏ"w)qc ef꒵i?b7b('"2r%~HUS1\<(`1Wx9=8HY9m:X18bgD1u ~|H;K-Uep,, C1 RV.MR5άh,tWO8WC$ XRVsQS]3GJ|12 [vM :k#~tH30Rf-HYݺ-`I9%lIDTm\ S{]9gOڒMNCV\G*2JRŨ;Rҏ^ڽ̱mq1Eu?To3I)y^#jJw^Ńj^vvlB_⋌P4x>0$c>K†Aļ9s_VjTt0l#m>E-,,x,-W)سo&96RE XR.6bXw+)GAEvL)͞K4$p=Ũi_ѱOjb HY/+@θH9޼]Nԥ%n{ &zjT? Ty) s^ULlb,PiTf^<À] 62R^V7)S!nllS6~͝V}-=%* ʻ>G DnK<y&>LPy7'r=Hj 9V`[c"*^8HpcO8bnU`4JȪAƋ#1_\ XϘHPRgik(~G~0DAA_2p|J묭a2\NCr]M_0 ^T%e#vD^%xy-n}-E\3aS%yN!r_{ )sAw ڼp1pEAk~v<:`'ӭ^5 ArXOI驻T (dk)_\ PuA*BY]yB"l\ey hH*tbK)3 IKZ򹞋XjN n *n>k]X_d!ryBH ]*R 0(#'7 %es9??ښFC,ՁQPjARJ\Ρw K#jahgw;2$l*) %Xq5!U᢯6Re] |0[__64ch&_}iL8KEgҎ7 M/\`|.p,~`a=BR?xܐrQ8K XR2M8f ?`sgWS%" Ԉ 7R%$ N}?QL1|-эټwIZ%pvL3Hk>,ImgW7{E xPHx73RA @RS CC !\ȟ5IXR^ZxHл$Q[ŝ40 (>+ _C >BRt<,TrT {O/H+˟Pl6 I B)/VC<6a2~(XwV4gnXR ϱ5ǀHٻ?tw똤Eyxp{#WK qG%5],(0ӈH HZ])ג=K1j&G(FbM@)%I` XRg ʔ KZG(vP,<`[ Kn^ SJRsAʠ5xՅF`0&RbV tx:EaUE/{fi2;.IAwW8/tTxAGOoN?G}l L(n`Zv?pB8K_gI+ܗ #i?ޙ.) p$utc ~DžfՈEo3l/)I-U?aԅ^jxArA ΧX}DmZ@QLےbTXGd.^|xKHR{|ΕW_h] IJ`[G9{).y) 0X YA1]qp?p_k+J*Y@HI>^?gt.06Rn ,` ?);p pSF9ZXLBJPWjgQ|&)7! HjQt<| ؅W5 x W HIzYoVMGP Hjn`+\(dNW)F+IrS[|/a`K|ͻ0Hj{R,Q=\ (F}\WR)AgSG`IsnAR=|8$}G(vC$)s FBJ?]_u XRvύ6z ŨG[36-T9HzpW̞ú Xg큽=7CufzI$)ki^qk-) 0H*N` QZkk]/tnnsI^Gu't=7$ Z;{8^jB% IItRQS7[ϭ3 $_OQJ`7!]W"W,)Iy W AJA;KWG`IY{8k$I$^%9.^(`N|LJ%@$I}ֽp=FB*xN=gI?Q{٥4B)mw $Igc~dZ@G9K X?7)aK%݅K$IZ-`IpC U6$I\0>!9k} Xa IIS0H$I H ?1R.Чj:4~Rw@p$IrA*u}WjWFPJ$I➓/6#! LӾ+ X36x8J |+L;v$Io4301R20M I$-E}@,pS^ޟR[/s¹'0H$IKyfŸfVOπFT*a$I>He~VY/3R/)>d$I>28`Cjw,n@FU*9ttf$I~<;=/4RD~@ X-ѕzἱI$: ԍR a@b X{+Qxuq$IЛzo /~3\8ڒ4BN7$IҀj V]n18H$IYFBj3̵̚ja pp $Is/3R Ӻ-Yj+L;.0ŔI$Av? #!5"aʄj}UKmɽH$IjCYs?h$IDl843.v}m7UiI=&=0Lg0$I4: embe` eQbm0u? $IT!Sƍ'-sv)s#C0:XB2a w I$zbww{."pPzO =Ɔ\[ o($Iaw]`E).Kvi:L*#gР7[$IyGPI=@R 4yR~̮´cg I$I/<tPͽ hDgo 94Z^k盇΄8I56^W$I^0̜N?4*H`237}g+hxoq)SJ@p|` $I%>-hO0eO>\ԣNߌZD6R=K ~n($I$y3D>o4b#px2$yڪtzW~a $I~?x'BwwpH$IZݑnC㧄Pc_9sO gwJ=l1:mKB>Ab<4Lp$Ib o1ZQ@85b̍ S'F,Fe,^I$IjEdù{l4 8Ys_s Z8.x m"+{~?q,Z D!I$ϻ'|XhB)=…']M>5 rgotԎ 獽PH$IjIPhh)n#cÔqA'ug5qwU&rF|1E%I$%]!'3AFD/;Ck_`9 v!ٴtPV;x`'*bQa w I$Ix5 FC3D_~A_#O݆DvV?<qw+I$I{=Z8".#RIYyjǪ=fDl9%M,a8$I$Ywi[7ݍFe$s1ՋBVA?`]#!oz4zjLJo8$I$%@3jAa4(o ;p,,dya=F9ً[LSPH$IJYЉ+3> 5"39aZ<ñh!{TpBGkj}Sp $IlvF.F$I z< '\K*qq.f<2Y!S"-\I$IYwčjF$ w9 \ߪB.1v!Ʊ?+r:^!I$BϹB H"B;L'G[ 4U#5>੐)|#o0aڱ$I>}k&1`U#V?YsV x>{t1[I~D&(I$I/{H0fw"q"y%4 IXyE~M3 8XψL}qE$I[> nD?~sf ]o΁ cT6"?'_Ἣ $I>~.f|'!N?⟩0G KkXZE]ޡ;/&?k OۘH$IRۀwXӨ<7@PnS04aӶp.:@\IWQJ6sS%I$e5ڑv`3:x';wq_vpgHyXZ 3gЂ7{{EuԹn±}$I$8t;b|591nءQ"P6O5i }iR̈́%Q̄p!I䮢]O{H$IRϻ9s֧ a=`- aB\X0"+5"C1Hb?߮3x3&gşggl_hZ^,`5?ߎvĸ%̀M!OZC2#0x LJ0 Gw$I$I}<{Eb+y;iI,`ܚF:5ܛA8-O-|8K7s|#Z8a&><a&/VtbtLʌI$I$I$I$I$I$IRjDD%tEXtdate:create2022-05-31T04:40:26+00:00!Î%tEXtdate:modify2022-05-31T04:40:26+00:00|{2IENDB`Mini Shell

HOME


Mini Shell 1.0
DIR:/usr/share/doc/proftpd/contrib/
Upload File :
Current File : //usr/share/doc/proftpd/contrib/mod_radius.html
<!DOCTYPE html>
<html>
<head>
<title>ProFTPD module mod_radius</title>
</head>

<body bgcolor=white>

<hr>
<center>
<h2><b>ProFTPD module <code>mod_radius</code></b></h2>
</center>
<hr><br>

This module is contained in the <code>mod_radius.c</code> file for
ProFTPD 1.3.<i>x</i>, and is not compiled by default.  Installation
instructions are discussed <a href="#Installation">here</a>.

<p>
This module is used to authenticate users using the <code>RADIUS</code>
protocol.  It can also be used to do logging via <code>RADIUS</code> accounting
packets.  A more in-depth discussion of the <a href="#Usage">usage</a> of this
module follows the configuration directive documentation.

<p>
The most current version of <code>mod_radius</code> is distributed with the
ProFTPD source code.

<h2>Author</h2>
<p>
Please contact TJ Saunders &lt;tj <i>at</i> castaglia.org&gt; with any
questions, concerns, or suggestions regarding this module.

<h2>Thanks</h2>
<p>
<i>2002-06-26</i>: Thanks to Josh Wilsdon &lt;josh <i>at</i> wizard.ca&gt;
for correcting a bad assumption in the code that caused data corruption under
some circumstances.

<p>
<i>2002-12-18</i>: Many thanks to Steffen Clausjuergens &lt;stcl <i>at</i> clausjuergens.de&gt; for helping to track down several bugs with accounting packets.

<p>
<i>2003-03-20</i>: Many thanks to Boris Kovalenko &lt;boris <i>at</i> tagnet.ru &gt; for testing many versions of the VSA code.

<h2>Directives</h2>
<ul>
  <li><a href="#RadiusAcctServer">RadiusAcctServer</a>
  <li><a href="#RadiusAuthServer">RadiusAuthServer</a>
  <li><a href="#RadiusEngine">RadiusEngine</a>
  <li><a href="#RadiusGroupInfo">RadiusGroupInfo</a>
  <li><a href="#RadiusLog">RadiusLog</a>
  <li><a href="#RadiusNASIdentifier">RadiusNASIdentifier</a>
  <li><a href="#RadiusOptions">RadiusOptions</a>
  <li><a href="#RadiusQuotaInfo">RadiusQuotaInfo</a>
  <li><a href="#RadiusRealm">RadiusRealm</a>
  <li><a href="#RadiusUserInfo">RadiusUserInfo</a>
  <li><a href="#RadiusVendor">RadiusVendor</a>
</ul>

<hr>
<h3><a name="RadiusAcctServer">RadiusAcctServer</a></h3>
<strong>Syntax:</strong> RadiusAcctServer <em>server[:port] shared-secret [timeout]</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_radius<br>
<strong>Compatibility:</strong> 1.2.5rc2 and later

<p>
The <code>RadiusAcctServer</code> is used to specify a RADIUS server to be
used for accounting.  The <em>server</em> parameter may be either an
IP address or a DNS hostname.  If not specified, the port used will be
the IANA-registered 1813.  The optional <em>timeout</em> parameter is used
to tell <code>mod_radius</code> how long to wait for a response from the
server; it defaults to 30 seconds.

<p>
Multiple <code>RadiusAcctServer</code>s may be configured; each will be
tried, in order of appearance in the configuration file, until
that server times out or <code>mod_radius</code> receives a response.

<p>
If no <code>RadiusAcctServer</code>s are configured, <code>mod_radius</code>
will not use RADIUS for accounting.

<p>
See also: <a href="#RadiusAuthServer">RadiusAuthServer</a>

<p>
<hr>
<h3><a name="RadiusAuthServer">RadiusAuthServer</a></h3>
<strong>Syntax:</strong> RadiusAuthServer <em>server[:port] shared-secret [timeout]</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_radius<br>
<strong>Compatibility:</strong> 1.2.5rc2 and later

<p>
The <code>RadiusAuthServer</code> is used to specify a RADIUS server to be
used for authentication.  The <em>server</em> parameter may be either an
IP address or a DNS hostname.  If not specified, the port used will be
the IANA-registered 1812.  The optional <em>timeout</em> parameter is used
to tell <code>mod_radius</code> how long to wait for a response from the
server; it defaults to 30 seconds.

<p>
Multiple <code>RadiusAuthServer</code>s may be configured; each will be
tried, in order of appearance in the configuration file, until
that server times out or <code>mod_radius</code> receives a response.

<p>
If no <code>RadiusAuthServer</code>s are configured, <code>mod_radius</code>
will not use RADIUS for authentication.

<p>
See also: <a href="#RadiusAcctServer">RadiusAcctServer</a>

<p>
<hr>
<h3><a name="RadiusEngine">RadiusEngine</a></h3>
<strong>Syntax:</strong> RadiusEngine <em>on|off</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_radius<br>
<strong>Compatibility:</strong> 1.2.5rc2 and later

<p>
The <code>RadiusEngine</code> directive enables or disables the module's
runtime RADIUS engine.  If it is set to <em>off</em> this module does no
RADIUS authentication or accounting at all. Use this directive to disable the
module instead of commenting out all <code>mod_radius</code> directives.

<p>
<hr>
<h3><a name="RadiusGroupInfo">RadiusGroupInfo</a></h3>
<strong>Syntax:</strong> RadiusGroupInfo <em>primary-group-name suppl-group-names suppl-group-ids</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_radius<br>
<strong>Compatibility:</strong> 1.2.9rc1 and later

<p>
The <code>RadiusGroupInfo</code> directive is used to configure group membership
information used for every user authenticated via RADIUS.  The
<em>primary-group-name</em> parameter is used to configure the name that
matches the user's GID (which can be configured via the
<code>RadiusUserInfo</code> directive).  The <em>suppl-group-names</em> and
<em>suppl-group-ids</em> parameters are used to specify supplemental group
membership for each user; the number of names and IDs must match if these
parameters, each a comma-delimited list, are used.  As many of ProFTPD's
directives can operate based on group names, these textual group names may
be important.

<p>
In order to support RADIUS servers that may use custom attributes in their
<code>Access-Accept</code> response packets to supply user information back
to the RADIUS client (<code>mod_radius</code> in this case), this directive
allows the following syntax for some of its parameters:
<pre>
  $(<i>attribute-id</i>:<i>default-value</i>)
</pre>
where the enclosing <code>$()</code> signals that the parameter is to
be supplied by the RADIUS server, <code><i>attribute-id</i></code> is the
Vendor Specific Attribute (VSA) ID for which to search in the response packet,
and <code><i>default-value</i></code> is the value to use in case the requested
attribute is not present in the response packet.  See the
<code>RadiusVendor</code> directive description for more information about
VSAs.

<p>
See Also:
  <a href="#RadiusUserInfo"><code>RadiusUserInfo</code></a>,
  <a href="#RadiusVendor"><code>RadiusVendor</code></a>

<p>
<hr>
<h3><a name="RadiusLog">RadiusLog</a></h3>
<strong>Syntax:</strong> RadiusLog <em>file|&quot;none&quot;</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_radius<br>
<strong>Compatibility:</strong> 1.2.5rc2 and later

<p>
The <code>RadiusLog</code> directive is used to specify a log file for
<code>mod_radius</code> reporting and debugging, and can be done a per-server
basis.  The <em>file</em> parameter must be the full path to the file to use for
logging.  Note that this path must <b>not</b> be to a world-writeable
directory and, unless <code>AllowLogSymlinks</code> is explicitly set to
<em>on</em> (generally a bad idea), the path must <b>not</b> be a symbolic
link.

<p>
If <em>file</em> is &quot;none&quot;, no logging will be done at all; this
setting can be used to override a <code>RadiusLog</code> setting inherited from
a <code>&lt;Global&gt;</code> context.

<p>
<hr>
<h3><a name="RadiusNASIdentifier">RadiusNASIdentifier</a></h3>
<strong>Syntax:</strong> RadiusNASIdentifier <em>id</em><br>
<strong>Default:</strong> RadiusNASIdentifier ftp<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_radius<br>
<strong>Compatibility:</strong> 1.3.1rc2 and later

<p>
The <code>RadiusNASIdentifier</code> directive configures an NAS
<em>identifier</em> string that will be in the constructed RADIUS packets.
By default, the NAS identifier is &quot;ftp&quot; for FTP sessions, and
&quot;ssh2&quot; for SFTP/SCP sessions (via the <code>mod_sftp</code> module).

<p>
Example:
<pre>
  RadiusNASIdentifier customID
</pre>

<p>
<hr>
<h3><a name="RadiusOptions">RadiusOptions</a></h3>
<strong>Syntax:</strong> RadiusOptions <em>opt1 ...</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_radius<br>
<strong>Compatibility:</strong> 1.3.6rc1 and later

<p>
The <code>RadiusOptions</code> directive is used to configure various optional
behavior of <code>mod_radius</code>.

<p>
For example:
<pre>
  RadiusOptions RequireMAC IgnoreReplyMessage
</pre>

<p>
The currently implemented options are:
<ul>
  <li><code>IgnoreClass</code><br>
    <p>
    Some RADIUS servers will send the <code>Class</code> attribute in their
    <code>Access-Accept</code> response, containing a value that should be
    sent in every accounting requesting.  To tell <code>mod_radius</code> to
    ignore/not send this <code>Class</code> attribute, use this option.

    <p>
    <b>Note</b> that this option first appeared in
    <code>proftpd-1.3.6rc1</code>.
  </li>

  <p>
  <li><code>IgnoreReplyMessage</code><br>
    <p>
    Some RADIUS servers will send the <code>Reply-Message</code> attribute in
    their <code>Access-Accept</code> and <code>Access-Reject</code> responses,
    containing messages that should be displayed to the connecting user.
    To tell <code>mod_radius</code> to ignore/not display these
    <code>Reply-Message</code> attributes, use this option.

    <p>
    <b>Note</b> that this option first appeared in
    <code>proftpd-1.3.6rc1</code>.
  </li>

  <p>
  <li><code>IgnoreIdleTimeout</code><br>
    <p>
    Some RADIUS servers will send the <code>Idle-Timeout</code> attribute in
    their <code>Access-Accept</code> response, containing a timeout value to
    be used for idle sessions.  To tell <code>mod_radius</code> to ignore/not
    use this <code>Idle-Timeout</code> value, use this option.

    <p>
    <b>Note</b> that this option first appeared in
    <code>proftpd-1.3.6rc1</code>.
  </li>

  <p>
  <li><code>IgnoreSessionTimeout</code><br>
    <p>
    Some RADIUS servers will send the <code>Session-Timeout</code> attribute in
    their <code>Access-Accept</code> response, containing a timeout value to
    be used for maximum session durations.  To tell <code>mod_radius</code> to
    ignore/not use this <code>Session-Timeout</code> value, use this option.

    <p>
    <b>Note</b> that this option first appeared in
    <code>proftpd-1.3.6rc1</code>.
  </li>

  <p>
  <li><code>RequireMAC</code><br>
    <p>
    Some RADIUS servers will send the <code>Message-Authenticator</code>
    attribute in their <code>Access-Accept</code> and <code>Access-Reject</code>
    responses, used for protecting against spoof attacks.  Some RADIUS servers,
    though, do not use this attribute.  To be very secure, and to tell
    <code>mod_radius</code> to <b>require</b> the use of this attribute, use
    this option.

    <p>
    <b>Note</b> that this option first appeared in
    <code>proftpd-1.3.6rc1</code>.
  </li>
</ul>

<p>
<hr>
<h3><a name="RadiusQuotaInfo">RadiusQuotaInfo</a></h3>
<strong>Syntax:</strong> RadiusQuotaInfo <em>per-sess limit-type bytes-in bytes-out bytes-xfer files-in files-out files-xfer</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_radius<br>
<strong>Compatibility:</strong> 1.3.0rc1 and later

<p>
The <code>RadiusQuotaInfo</code> directive is used to configure quota
information used for every user.  This information will be used,
in conjunction with the <code>mod_quotatab_radius</code> module, for
provisioning per-user quota information via RADIUS.

<p>
In order to support RADIUS servers that may use custom attributes in their
<code>Access-Accept</code> response packets to supply user information back
to the RADIUS client (<code>mod_radius</code> in this case), this directive
allows the following syntax for some of its parameters:
<pre>
  $(<i>attribute-id</i>:<i>default-value</i>)
</pre>
where the enclosing <code>$()</code> signals that the parameter is to
be supplied by the RADIUS server, <code><i>attribute-id</i></code> is the
Vendor Specific Attribute (VSA) ID for which to search in the response packet,
and <code><i>default-value</i></code> is the value to use in case the requested
attribute is not present in the response packet.  See the
<code>RadiusVendor</code> directive description for more information about
VSAs.

<p>
The <code>RadiusQuotaInfo</code> directive can be used to configure unchanging
numbers, rather than custom attributes, if need be.

<p>
An example configuration might look like:
<pre>
  &lt;IfModule mod_quotatab_radius.c&gt;
    QuotaLimitTable radius:
    QuotaTallyTable file:/home/tj/proftpd/devel/build/cvs/etc/ftpquota.tallytab

    # mod_radius attributes
    RadiusEngine on
    RadiusAuthServer localhost:1812 testing123 5
    RadiusLog /var/ftpd/log/radius.log

    # This sets unchanging quota limit values, rather than using custom attributes 
    # from a RADIUS server
    RadiusQuotaInfo false soft 3.0 2.0 1.0 7 8 9

  &lt;/IfModule&gt;
</pre>

<p>
See Also: <a href="#RadiusVendor"><code>RadiusVendor</code></a>

<p>
<hr>
<h3><a name="RadiusRealm">RadiusRealm</a></h3>
<strong>Syntax:</strong> RadiusRealm <em>realm</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_radius<br>
<strong>Compatibility:</strong> 1.2.5rc2 and later

<p>
The <code>RadiusRealm</code> directive configures a <em>realm</em> string
that will be added to the username in the constructed RADIUS packets.

<p>
Example:
<pre>
  RadiusRealm .castaglia.org
</pre>

<p>
<hr>
<h3><a name="RadiusUserInfo">RadiusUserInfo</a></h3>
<strong>Syntax:</strong> RadiusUserInfo <em>uid gid home shell</em><br>
<strong>Default:</strong> None<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_radius<br>
<strong>Compatibility:</strong> 1.2.5rc2 and later

<p>
The <code>RadiusUserInfo</code> directive is used to configure login
information used for every user authenticated via RADIUS.  Group membership
information can be configured by using the <code>RadiusGroupInfo</code>
directive.

<p>
In order to support RADIUS servers that may use custom attributes in their
<code>Access-Accept</code> response packets to supply user information back
to the RADIUS client (<code>mod_radius</code> in this case), this directive
allows the following syntax for some of its parameters:
<pre>
  $(<i>attribute-id</i>:<i>default-value</i>)
</pre>
where the enclosing <code>$()</code> signals that the parameter is to
be supplied by the RADIUS server, <code><i>attribute-id</i></code> is the
Vendor Specific Attribute (VSA) ID for which to search in the response packet,
and <code><i>default-value</i></code> is the value to use in case the requested
attribute is not present in the response packet.  See the
<code>RadiusVendor</code> directive description for more information about
VSAs.

<p>
If <code>RadiusUserInfo</code> is not used, <code>mod_radius</code> will
perform pure &quot;yes/no&quot; authentication only, in the style of PAM.
The information that would have been configured via this directive will
be pulled from other sources (<i>e.g.</i> <code>/etc/passwd</code>,
<code>AuthUserFile</code>s, MySQL tables, etc).

<p>
See Also:
  <a href="#RadiusGroupInfo"><code>RadiusGroupInfo</code></a>,
  <a href="#RadiusVendor"><code>RadiusVendor</code></a>

<p>
<hr>
<h3><a name="RadiusVendor">RadiusVendor</a></h3>
<strong>Syntax:</strong> RadiusVendor <em>name id</em><br>
<strong>Default:</strong> RadiusVendor Unix 4<br>
<strong>Context:</strong> server config, <code>&lt;VirtualHost&gt;</code>, <code>&lt;Global&gt;</code><br>
<strong>Module:</strong> mod_radius<br>
<strong>Compatibility:</strong> 1.2.9rc1 and later

<p>
The <code>RadiusVendor</code> directive is used to configure the vendor name
and ID for which <code>mod_radius</code> will search when it looks for
vendor-specific attributes in RADIUS response packets.

<p>
Earlier versions of <code>mod_radius</code> could be configured to look up
custom RADIUS attributes by normal RADIUS attribute type IDs.  However,
those normal IDs can only be from 0 to 255, putting a limit on the number
of such custom attributes.  Fortunately, the RADIUS RFCs define a specific
attribute ID, 26, for vendor-specific attributes.  The values for such
attributes contains an ID for the specific vendor, and then the vendor-specific
attribute.  The vendor IDs come from the IANA's enterprise numbers hierarchy:
<pre>
  <a href="http://www.iana.org/assignments/enterprise-numbers">http://www.iana.org/assignments/enterprise-numbers</a>
</pre>

<p>
By default, <code>mod_radius</code> will look for a vendor ID of 4 (Unix);
this configuration directive is used to tell <code>mod_radius</code> to
expect a different vendor.

<p>
<hr>
<h2><a name="Usage">Usage</a></h2>
Strong authentication is in demand for Internet services.  For many, this
means using the <b>RADIUS</b> (<b>R</b>emote <b>A</b>uthentication
<b>D</b>ial-<b>I</b>n <b>U</b>ser <b>S</b>ervice) protocol.

<p>  
However, there are caveats to using RADIUS for authentication.  RADIUS
packets are sent in the clear, which means that they can easily be sniffed.
First, <b><i>do not</i></b> have your authenticating RADIUS servers exposed
to the Internet; keep them protected within your LAN.  Second, it is
<i>highly recommended</i> to use separate RADIUS servers for each of your
services.

<p>
<b>RADIUS Authentication</b><br>
The RADIUS protocol can be used for answering the question &quot;Should this
user be allowed to login?&quot;  However, the &quot;yes/no&quot; answer is not
everything that <code>proftpd</code> needs to log a user in; the server also
requires the UID and GID to use for the authenticated user, home directory,
and shell.  This information is usually not available from the RADIUS servers,
which means that using RADIUS to provide all the necessary login information
can be problematic.  The <code>RadiusUserInfo</code> directive is meant to be
used to address this issue, to provide the missing information.

<p>
In those cases where the RADIUS servers <i>can</i> provide that additional
login information, via custom attributes, the <code>RadiusUserInfo</code>
directive can also be used obtain that information as well.

<p>
<b>RADIUS Accounting</b><br>
While RADIUS is primarily used for authentication, the protocol also allows
for accounting of user activities.  The <code>mod_radius</code> module
makes use of this ability, using RADIUS accounting packets to transmit the
following data:
<ul>
  <li><b>Acct-Authentic</b>: How the user was authenticated (<i>e.g.</i>
    locally, or via RADIUS)<br>
  </li>
  <br>

  <li><b>Acct-Session-Id</b>: The process ID of the FTP session<br>
  </li>
  <br>

  <li><b>Acct-Session-Time</b>: The duration of the FTP session, in seconds<br>
  </li>
  <br>

  <li><b>Acct-Input-Octets</b>: The number of bytes uploaded (includes
    appending to files)<br>
  </li>
  <br>

  <li><b>Acct-Output-Octets</b>: The number of bytes downloaded<br>
  </li>
  <br>

  <li><b>Acct-Terminate-Cause</b>: The reason the session ended<br>
  </li>
  <br>

  <li><b>Event-Timestamp</b>: The number of seconds since the Unix epoch<br>
  </li>
  <br>
</ul>
Merely configuring a <code>RadiusAcctServer</code> enables the module's
accounting capabilities.

<p>
<b>Common Attributes</b><br>
The following RADIUS attributes are sent with every RADIUS packet generated
by <code>mod_radius</code>:
<ul>
  <li><b>User-Name</b>: The name of the logging-in user<br>
  </li>
  <br>

  <li><b>NAS-Identifier</b>: &quot;ftp&quot; (or &quot;ssh2&quot; for SFTP/SCP sessions)<br>
  </li>
  <br>

  <li><b>NAS-IP-Address</b> <i>or</i> <b>NAS-IPv6-Address</b>: IP address of server<br>
  </li>
  <br>

  <li><b>NAS-Port</b>: Port of server<br>
  </li>
  <br>

  <li><b>NAS-Port-Type</b>: Always <code>Virtual</code>.<br>
  </li>
  <br>

  <li><b>Calling-Station-Id</b>: IP address of connecting client<br>
  </li>
  <br>

  <li><b>Message-Authenticator</b>: MAC of request, per RFC 3579<br>
  </li>
  <br>
</ul>

<p>
<hr>
<h2><a name="Installation">Installation</a></h2>
The <code>mod_radius</code> module is distributed with ProFTPD.  Simply follow
the normal steps for using third-party modules in ProFTPD:
<pre>
  $ ./configure --enable-openssl --with-modules=mod_radius
</pre>
To build <code>mod_radius</code> as a DSO module:
<pre>
  $ ./configure --enable-dso --enable-openssl --with-shared=mod_radius
</pre>
Then follow the usual steps:
<pre>
  $ make 
  $ make install
</pre>

<p>
Alternatively, if your <code>proftpd</code> was compiled with DSO support, you
can use the <code>prxs</code> tool to build <code>mod_radius</code> as a shared
module:
<pre>
  $ prxs -c -i -d mod_radius.c
</pre>

<p>
<b>Logging</b><br>
The <code>mod_radius</code> module supports different forms of logging.  The
main module logging is done via the <code>RadiusLog</code> directive.  For
debugging purposes, the module also uses <a href="../howto/Tracing.html">trace logging</a>, via the module-specific log channels:
<ul>
  <li>radius
</ul>
Thus for trace logging, to aid in debugging, you would use the following in
your <code>proftpd.conf</code>:
<pre>
  TraceLog /path/to/radius-trace.log
  Trace radius:20
</pre>
This trace logging can generate large files; it is intended for debugging
use only, and should be removed from any production configuration.

<p><a name="FAQ">
<b>Frequently Asked Questions</b><br>

<p><a name="SELinuxUDP">
<font color=red>Question</font>: Why is ProFTPD trying to open UDP sockets
that are blocked by my SELinux policies?<br>
<font color=blue>Answer</font>: The RADIUS protocol uses UDP, and thus using
the <code>mod_radius</code> module means that ProFTPD will open UDP sockets.
In terms of SELinux policies, RADIUS is very similar to NIS in its use of
UDP, and thus to allow these RADIUS UDP sockets, you can use:
<pre>
$ setsebool -P nis_enabled 1
</pre>

<p>
<hr>
<font size=2><b><i>
&copy; Copyright 2000-2021 TJ Saunders<br>
 All Rights Reserved<br>
</i></b></font>
<hr>

</body>
</html>