Adding upstream version 1.34.4.

Signed-off-by: Daniel Baumann <daniel@debian.org>
2025-05-24 07:26:29 +02:00 · 2025-05-24 07:26:29 +02:00 · 4978089aab
commit 4978089aab
parent e393c3af3f
4963 changed files with 677545 additions and 0 deletions
--- a/plugins/inputs/radius/README.md
+++ b/plugins/inputs/radius/README.md
@ -0,0 +1,48 @@
+# Radius Input Plugin
+
+The Radius plugin collects radius authentication response times.
+
+## Global configuration options <!-- @/docs/includes/plugin_config.md -->
+
+In addition to the plugin-specific configuration settings, plugins support
+additional global and plugin configuration settings. These settings are used to
+modify metrics, tags, and field or create aliases and configure ordering, etc.
+See the [CONFIGURATION.md][CONFIGURATION.md] for more details.
+
+[CONFIGURATION.md]: ../../../docs/CONFIGURATION.md#plugins
+
+## Configuration
+
+```toml @sample.conf
+[[inputs.radius]]
+  ## An array of Server IPs and ports to gather from. If none specified, defaults to localhost.
+  servers = ["127.0.0.1:1812","hostname.domain.com:1812"]
+
+  ## Credentials for radius authentication.
+  username = "myuser"
+  password = "mypassword"
+  secret = "mysecret"
+
+  ## Request source server IP, normally the server running telegraf.
+  ## This corresponds to Radius' NAS-IP-Address.
+  # request_ip = "127.0.0.1"
+
+  ## Maximum time to receive response.
+  # response_timeout = "5s"
+```
+
+## Metrics
+
+- radius
+  - tags:
+    - response_code
+    - source
+    - source_port
+  - fields:
+    - responsetime_ms (int64)
+
+## Example Output
+
+```text
+radius,response_code=Access-Accept,source=hostname.com,source_port=1812 responsetime_ms=311i 1677526200000000000
+```
--- a/plugins/inputs/radius/radius.go
+++ b/plugins/inputs/radius/radius.go
@ -0,0 +1,158 @@
+//go:generate ../../../tools/readme_config_includer/generator
+package radius
+
+import (
+	"context"
+	_ "embed"
+	"errors"
+	"fmt"
+	"net"
+	"sync"
+	"time"
+
+	"layeh.com/radius"
+	"layeh.com/radius/rfc2865"
+
+	"github.com/influxdata/telegraf"
+	"github.com/influxdata/telegraf/config"
+	"github.com/influxdata/telegraf/plugins/inputs"
+)
+
+//go:embed sample.conf
+var sampleConfig string
+
+type Radius struct {
+	Servers         []string        `toml:"servers"`
+	Username        config.Secret   `toml:"username"`
+	Password        config.Secret   `toml:"password"`
+	Secret          config.Secret   `toml:"secret"`
+	ResponseTimeout config.Duration `toml:"response_timeout"`
+	RequestIP       string          `toml:"request_ip"`
+	Log             telegraf.Logger `toml:"-"`
+	client          radius.Client
+}
+
+func (*Radius) SampleConfig() string {
+	return sampleConfig
+}
+
+func (r *Radius) Init() error {
+	if len(r.Servers) == 0 {
+		r.Servers = []string{"127.0.0.1:1812"}
+	}
+
+	r.client = radius.Client{
+		Retry: 0,
+	}
+
+	if r.RequestIP == "" {
+		r.RequestIP = "127.0.0.1"
+	}
+	if net.ParseIP(r.RequestIP) == nil {
+		return fmt.Errorf("invalid ip address provided for request_ip: %s", r.RequestIP)
+	}
+
+	return nil
+}
+
+func (r *Radius) Gather(acc telegraf.Accumulator) error {
+	var wg sync.WaitGroup
+
+	for _, server := range r.Servers {
+		wg.Add(1)
+		go func(server string) {
+			defer wg.Done()
+			acc.AddError(r.pollServer(acc, server))
+		}(server)
+	}
+
+	wg.Wait()
+	return nil
+}
+
+func (r *Radius) pollServer(acc telegraf.Accumulator, server string) error {
+	// Create the fields for this metric
+	host, port, err := net.SplitHostPort(server)
+	if err != nil {
+		return fmt.Errorf("splitting host and port failed: %w", err)
+	}
+	tags := map[string]string{"source": host, "source_port": port}
+	fields := make(map[string]interface{})
+
+	secret, err := r.Secret.Get()
+	if err != nil {
+		return fmt.Errorf("getting secret failed: %w", err)
+	}
+	defer secret.Destroy()
+
+	username, err := r.Username.Get()
+	if err != nil {
+		return fmt.Errorf("getting username failed: %w", err)
+	}
+	defer username.Destroy()
+
+	password, err := r.Password.Get()
+	if err != nil {
+		return fmt.Errorf("getting password failed: %w", err)
+	}
+	defer password.Destroy()
+
+	// Create the radius packet with PAP authentication
+	packet := radius.New(radius.CodeAccessRequest, secret.Bytes())
+	if err := rfc2865.UserName_Set(packet, username.Bytes()); err != nil {
+		return fmt.Errorf("setting username for radius auth failed: %w", err)
+	}
+
+	// The radius client requires the password in a buffer with capacity being
+	// a multiple of 16 for internal operations. To not expose the password we
+	// grow the (potentially protected) buffer to the required capacity.
+	capacity := password.Size()
+	if capacity%16 != 0 {
+		password.Grow(capacity + 16 - capacity%16)
+	}
+
+	if err := rfc2865.UserPassword_Set(packet, password.Bytes()[:capacity]); err != nil {
+		return fmt.Errorf("setting password for radius auth failed: %w", err)
+	}
+
+	if r.RequestIP != "" {
+		if err := rfc2865.NASIPAddress_Set(packet, net.ParseIP(r.RequestIP)); err != nil {
+			return fmt.Errorf("setting NAS IP address for radius auth failed: %w", err)
+		}
+	}
+
+	// Do the radius request
+	ctx := context.Background()
+	if r.ResponseTimeout > 0 {
+		var cancel context.CancelFunc
+		ctx, cancel = context.WithTimeout(ctx, time.Duration(r.ResponseTimeout))
+		defer cancel()
+	}
+
+	startTime := time.Now()
+	response, err := r.client.Exchange(ctx, packet, server)
+	duration := time.Since(startTime)
+
+	if err != nil {
+		if !errors.Is(err, context.DeadlineExceeded) {
+			return err
+		}
+		fields["responsetime_ms"] = time.Duration(r.ResponseTimeout).Milliseconds()
+		tags["response_code"] = "timeout"
+	} else if response.Code != radius.CodeAccessAccept {
+		fields["responsetime_ms"] = time.Duration(r.ResponseTimeout).Milliseconds()
+		tags["response_code"] = response.Code.String()
+	} else {
+		fields["responsetime_ms"] = duration.Milliseconds()
+		tags["response_code"] = response.Code.String()
+	}
+
+	acc.AddFields("radius", fields, tags)
+	return nil
+}
+
+func init() {
+	inputs.Add("radius", func() telegraf.Input {
+		return &Radius{ResponseTimeout: config.Duration(time.Second * 5)}
+	})
+}
--- a/plugins/inputs/radius/radius_test.go
+++ b/plugins/inputs/radius/radius_test.go
@ -0,0 +1,345 @@
+package radius
+
+import (
+	"errors"
+	"net"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+	"github.com/testcontainers/testcontainers-go/wait"
+	"layeh.com/radius"
+	"layeh.com/radius/rfc2865"
+
+	"github.com/influxdata/telegraf/config"
+	"github.com/influxdata/telegraf/testutil"
+)
+
+func TestRadiusLocal(t *testing.T) {
+	handler := func(w radius.ResponseWriter, r *radius.Request) {
+		username := rfc2865.UserName_GetString(r.Packet)
+		password := rfc2865.UserPassword_GetString(r.Packet)
+
+		var code radius.Code
+		if username == "testusername" && password == "testpassword" {
+			code = radius.CodeAccessAccept
+		} else {
+			code = radius.CodeAccessReject
+		}
+		if err := w.Write(r.Response(code)); err != nil {
+			require.NoError(t, err, "failed writing radius server response")
+		}
+	}
+
+	// Setup a connection to be able to get a random port
+	conn, err := net.ListenPacket("udp4", "127.0.0.1:0")
+	require.NoError(t, err)
+	defer conn.Close()
+	addr := conn.LocalAddr().String()
+	host, port, err := net.SplitHostPort(addr)
+	require.NoError(t, err)
+
+	server := radius.PacketServer{
+		Handler:      radius.HandlerFunc(handler),
+		SecretSource: radius.StaticSecretSource([]byte(`testsecret`)),
+		Addr:         addr,
+	}
+
+	go func() {
+		if err := server.Serve(conn); err != nil {
+			if !errors.Is(err, radius.ErrServerShutdown) {
+				t.Errorf("Local radius server failed: %v", err)
+				return
+			}
+		}
+	}()
+
+	plugin := &Radius{
+		Servers:  []string{addr},
+		Username: config.NewSecret([]byte(`testusername`)),
+		Password: config.NewSecret([]byte(`testpassword`)),
+		Secret:   config.NewSecret([]byte(`testsecret`)),
+		Log:      testutil.Logger{},
+	}
+	require.NoError(t, plugin.Init())
+
+	var acc testutil.Accumulator
+	require.NoError(t, acc.GatherError(plugin.Gather))
+
+	if !acc.HasMeasurement("radius") {
+		t.Errorf("acc.HasMeasurement: expected radius")
+	}
+	require.True(t, acc.HasTag("radius", "source"))
+	require.True(t, acc.HasTag("radius", "source_port"))
+	require.True(t, acc.HasTag("radius", "response_code"))
+	require.Equal(t, host, acc.TagValue("radius", "source"))
+	require.Equal(t, port, acc.TagValue("radius", "source_port"))
+	require.Equal(t, radius.CodeAccessAccept.String(), acc.TagValue("radius", "response_code"))
+	require.True(t, acc.HasInt64Field("radius", "responsetime_ms"))
+
+	if err := server.Shutdown(t.Context()); err != nil {
+		require.NoError(t, err, "failed to properly shutdown local radius server")
+	}
+}
+
+func TestRadiusNASIP(t *testing.T) {
+	handler := func(w radius.ResponseWriter, r *radius.Request) {
+		username := rfc2865.UserName_GetString(r.Packet)
+		password := rfc2865.UserPassword_GetString(r.Packet)
+		ip := rfc2865.NASIPAddress_Get(r.Packet)
+
+		var code radius.Code
+		if username == "testusername" && password == "testpassword" &&
+			ip.Equal(net.ParseIP("127.0.0.1")) {
+			code = radius.CodeAccessAccept
+		} else {
+			code = radius.CodeAccessReject
+		}
+		if err := w.Write(r.Response(code)); err != nil {
+			require.NoError(t, err, "failed writing radius server response")
+		}
+	}
+
+	// Setup a connection to be able to get a random port
+	conn, err := net.ListenPacket("udp4", "127.0.0.1:0")
+	require.NoError(t, err)
+	defer conn.Close()
+	addr := conn.LocalAddr().String()
+	host, port, err := net.SplitHostPort(addr)
+	require.NoError(t, err)
+
+	server := radius.PacketServer{
+		Handler:      radius.HandlerFunc(handler),
+		SecretSource: radius.StaticSecretSource([]byte(`testsecret`)),
+		Addr:         addr,
+	}
+
+	go func() {
+		if err := server.Serve(conn); err != nil {
+			if !errors.Is(err, radius.ErrServerShutdown) {
+				t.Errorf("Local radius server failed: %v", err)
+				return
+			}
+		}
+	}()
+
+	plugin := &Radius{
+		Servers:   []string{addr},
+		Username:  config.NewSecret([]byte(`testusername`)),
+		Password:  config.NewSecret([]byte(`testpassword`)),
+		Secret:    config.NewSecret([]byte(`testsecret`)),
+		Log:       testutil.Logger{},
+		RequestIP: "127.0.0.1",
+	}
+	require.NoError(t, plugin.Init())
+
+	var acc testutil.Accumulator
+	require.NoError(t, acc.GatherError(plugin.Gather))
+
+	if !acc.HasMeasurement("radius") {
+		t.Errorf("acc.HasMeasurement: expected radius")
+	}
+	require.True(t, acc.HasTag("radius", "source"))
+	require.True(t, acc.HasTag("radius", "source_port"))
+	require.True(t, acc.HasTag("radius", "response_code"))
+	require.Equal(t, host, acc.TagValue("radius", "source"))
+	require.Equal(t, port, acc.TagValue("radius", "source_port"))
+	require.Equal(t, radius.CodeAccessAccept.String(), acc.TagValue("radius", "response_code"))
+	require.True(t, acc.HasInt64Field("radius", "responsetime_ms"))
+
+	if err := server.Shutdown(t.Context()); err != nil {
+		require.NoError(t, err, "failed to properly shutdown local radius server")
+	}
+}
+
+func TestInvalidRequestIP(t *testing.T) {
+	plugin := &Radius{
+		Servers:   []string{"127.0.0.1"},
+		Username:  config.NewSecret([]byte(`testusername`)),
+		Password:  config.NewSecret([]byte(`testpassword`)),
+		Secret:    config.NewSecret([]byte(`testsecret`)),
+		Log:       testutil.Logger{},
+		RequestIP: "foobar",
+	}
+	require.Error(t, plugin.Init())
+}
+
+func TestRadiusIntegration(t *testing.T) {
+	if testing.Short() {
+		t.Skip("Skipping integration test in short mode")
+	}
+
+	testdata, err := filepath.Abs("testdata/raddb/clients.conf")
+	require.NoError(t, err, "determining absolute path of test-data clients.conf failed")
+	testdataa, err := filepath.Abs("testdata/raddb/mods-config/files/authorize")
+	require.NoError(t, err, "determining absolute path of test-data authorize failed")
+	testdataaa, err := filepath.Abs("testdata/raddb/radiusd.conf")
+	require.NoError(t, err, "determining absolute path of test-data radiusd.conf failed")
+
+	container := testutil.Container{
+		Image:        "freeradius/freeradius-server",
+		ExposedPorts: []string{"1812/udp"},
+		Files: map[string]string{
+			"/etc/raddb/clients.conf":                testdata,
+			"/etc/raddb/mods-config/files/authorize": testdataa,
+			"/etc/raddb/radiusd.conf":                testdataaa,
+		},
+		WaitingFor: wait.ForAll(
+			wait.ForLog("Ready to process requests"),
+		),
+	}
+	err = container.Start()
+	require.NoError(t, err, "failed to start container")
+	defer container.Terminate()
+
+	port := container.Ports["1812"]
+
+	// Define the testset
+	var testset = []struct {
+		name               string
+		testingTimeout     config.Duration
+		expectedSource     string
+		expectedSourcePort string
+		serverToTest       string
+		expectSuccess      bool
+		usedPassword       string
+	}{
+		{
+			name:               "timeout_5s",
+			testingTimeout:     config.Duration(time.Second * 5),
+			expectedSource:     container.Address,
+			expectedSourcePort: port,
+			serverToTest:       container.Address + ":" + port,
+			expectSuccess:      true,
+			usedPassword:       "testpassword",
+		},
+		{
+			name:               "timeout_0s",
+			testingTimeout:     config.Duration(0),
+			expectedSource:     container.Address,
+			expectedSourcePort: port,
+			serverToTest:       container.Address + ":" + port,
+			expectSuccess:      true,
+			usedPassword:       "testpassword",
+		},
+		{
+			name:               "wrong_pw",
+			testingTimeout:     config.Duration(time.Second * 5),
+			expectedSource:     container.Address,
+			expectedSourcePort: port,
+			serverToTest:       container.Address + ":" + port,
+			expectSuccess:      false,
+			usedPassword:       "wrongpass",
+		},
+		{
+			name:               "unreachable",
+			testingTimeout:     config.Duration(5),
+			expectedSource:     "unreachable.unreachable.com",
+			expectedSourcePort: "7777",
+			serverToTest:       "unreachable.unreachable.com:7777",
+			expectSuccess:      false,
+			usedPassword:       "testpassword",
+		},
+	}
+
+	for _, tt := range testset {
+		t.Run(tt.name, func(t *testing.T) {
+			// Setup the plugin-under-test
+			plugin := &Radius{
+				ResponseTimeout: tt.testingTimeout,
+				Servers:         []string{tt.serverToTest},
+				Username:        config.NewSecret([]byte(`testusername`)),
+				Password:        config.NewSecret([]byte(tt.usedPassword)),
+				Secret:          config.NewSecret([]byte(`testsecret`)),
+				Log:             testutil.Logger{},
+			}
+			var acc testutil.Accumulator
+
+			// Startup the plugin
+			require.NoError(t, plugin.Init())
+
+			// Gather
+			require.NoError(t, plugin.Gather(&acc))
+			require.Empty(t, acc.Errors)
+
+			if !acc.HasMeasurement("radius") {
+				t.Errorf("acc.HasMeasurement: expected radius")
+			}
+			require.True(t, acc.HasTag("radius", "source"))
+			require.True(t, acc.HasTag("radius", "source_port"))
+			require.True(t, acc.HasTag("radius", "response_code"))
+			require.Equal(t, tt.expectedSource, acc.TagValue("radius", "source"))
+			require.Equal(t, tt.expectedSourcePort, acc.TagValue("radius", "source_port"))
+			require.True(t, acc.HasInt64Field("radius", "responsetime_ms"), true)
+			if tt.expectSuccess {
+				require.Equal(t, radius.CodeAccessAccept.String(), acc.TagValue("radius", "response_code"))
+			} else {
+				require.NotEqual(t, radius.CodeAccessAccept.String(), acc.TagValue("radius", "response_code"))
+			}
+
+			if tt.name == "unreachable" {
+				require.Equal(t, time.Duration(tt.testingTimeout).Milliseconds(), acc.Metrics[0].Fields["responsetime_ms"])
+			}
+		})
+	}
+}
+
+func TestRadiusIntegrationInvalidSourceIP(t *testing.T) {
+	if testing.Short() {
+		t.Skip("Skipping integration test in short mode")
+	}
+
+	clients, err := filepath.Abs("testdata/invalidSourceIP/clients.conf")
+	require.NoError(t, err, "determining absolute path of test-data clients.conf failed")
+	authorize, err := filepath.Abs("testdata/invalidSourceIP/mods-config/files/authorize")
+	require.NoError(t, err, "determining absolute path of test-data authorize failed")
+	radiusd, err := filepath.Abs("testdata/invalidSourceIP/radiusd.conf")
+	require.NoError(t, err, "determining absolute path of test-data radiusd.conf failed")
+
+	container := testutil.Container{
+		Image:        "freeradius/freeradius-server",
+		ExposedPorts: []string{"1812/udp"},
+		Files: map[string]string{
+			"/etc/raddb/clients.conf":                clients,
+			"/etc/raddb/mods-config/files/authorize": authorize,
+			"/etc/raddb/radiusd.conf":                radiusd,
+		},
+		WaitingFor: wait.ForAll(
+			wait.ForLog("Ready to process requests"),
+		),
+	}
+	err = container.Start()
+	require.NoError(t, err, "failed to start container")
+	defer container.Terminate()
+
+	port := container.Ports["1812"]
+	plugin := &Radius{
+		ResponseTimeout: config.Duration(time.Second * 1),
+		Servers:         []string{container.Address + ":" + port},
+		Username:        config.NewSecret([]byte(`testusername`)),
+		Password:        config.NewSecret([]byte(`testpassword`)),
+		Secret:          config.NewSecret([]byte(`testsecret`)),
+		Log:             testutil.Logger{},
+	}
+
+	expected := testutil.MustMetric(
+		"radius",
+		map[string]string{
+			"source":        container.Address,
+			"source_port":   port,
+			"response_code": "timeout",
+		},
+		map[string]interface{}{
+			"responsetime_ms": 1000,
+		},
+		time.Time{},
+	)
+
+	var acc testutil.Accumulator
+	require.NoError(t, plugin.Init())
+	require.NoError(t, plugin.Gather(&acc))
+	metrics := acc.GetTelegrafMetrics()
+	require.Len(t, metrics, 1)
+	testutil.RequireMetricEqual(t, expected, metrics[0], testutil.IgnoreTime())
+}
--- a/plugins/inputs/radius/sample.conf
+++ b/plugins/inputs/radius/sample.conf
@ -0,0 +1,15 @@
+[[inputs.radius]]
+  ## An array of Server IPs and ports to gather from. If none specified, defaults to localhost.
+  servers = ["127.0.0.1:1812","hostname.domain.com:1812"]
+
+  ## Credentials for radius authentication.
+  username = "myuser"
+  password = "mypassword"
+  secret = "mysecret"
+
+  ## Request source server IP, normally the server running telegraf.
+  ## This corresponds to Radius' NAS-IP-Address.
+  # request_ip = "127.0.0.1"
+
+  ## Maximum time to receive response.
+  # response_timeout = "5s"
--- a/plugins/inputs/radius/testdata/invalidSourceIP/clients.conf
+++ b/plugins/inputs/radius/testdata/invalidSourceIP/clients.conf
@ -0,0 +1,4 @@
+client localtest {
+	ipaddr = 10.123.123.0/24
+	secret = testsecret
+}
--- a/plugins/inputs/radius/testdata/invalidSourceIP/mods-config/files/authorize
+++ b/plugins/inputs/radius/testdata/invalidSourceIP/mods-config/files/authorize
@ -0,0 +1 @@
+testusername	Cleartext-Password := "testpassword"
--- a/plugins/inputs/radius/testdata/invalidSourceIP/radiusd.conf
+++ b/plugins/inputs/radius/testdata/invalidSourceIP/radiusd.conf
@ -0,0 +1,118 @@
+prefix = /usr
+exec_prefix = /usr
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = /var/log/freeradius
+raddbdir = /etc/freeradius
+radacctdir = ${logdir}/radacct
+
+name = freeradius
+
+confdir = ${raddbdir}
+modconfdir = ${confdir}/mods-config
+certdir = ${confdir}/certs
+cadir   = ${confdir}/certs
+run_dir = ${localstatedir}/run/${name}
+
+db_dir = ${raddbdir}
+
+libdir = /usr/lib/freeradius
+
+pidfile = ${run_dir}/${name}.pid
+
+
+max_request_time = 30
+
+cleanup_delay = 5
+
+max_requests = 16384
+
+hostname_lookups = no
+
+
+log {
+	destination = stdout
+
+	colourise = yes
+
+	file = ${logdir}/radius.log
+
+	syslog_facility = daemon
+
+	stripped_names = no
+
+	auth = yes
+
+
+
+	auth_badpass = yes
+	auth_goodpass = yes
+
+
+	msg_denied = "You are already logged in - access denied"
+
+}
+
+checkrad = ${sbindir}/checkrad
+
+ENV {
+
+
+}
+
+security {
+
+	user = freerad
+	group = freerad
+
+	allow_core_dumps = no
+
+	max_attributes = 200
+
+	reject_delay = 1
+
+	status_server = yes
+
+
+}
+
+proxy_requests  = yes
+$INCLUDE proxy.conf
+
+
+
+$INCLUDE clients.conf
+
+
+thread pool {
+	start_servers = 5
+
+	max_servers = 32
+
+	min_spare_servers = 3
+	max_spare_servers = 10
+
+
+	max_requests_per_server = 0
+
+
+	auto_limit_acct = no
+}
+
+
+modules {
+
+
+	$INCLUDE mods-enabled/
+}
+
+instantiate {
+
+}
+
+policy {
+	$INCLUDE policy.d/
+}
+
+$INCLUDE sites-enabled/
--- a/plugins/inputs/radius/testdata/raddb/clients.conf
+++ b/plugins/inputs/radius/testdata/raddb/clients.conf
@ -0,0 +1,4 @@
+client localtest {
+	ipaddr = 0.0.0.0/0
+	secret = testsecret
+}
--- a/plugins/inputs/radius/testdata/raddb/mods-config/files/authorize
+++ b/plugins/inputs/radius/testdata/raddb/mods-config/files/authorize
@ -0,0 +1 @@
+testusername	Cleartext-Password := "testpassword"
--- a/plugins/inputs/radius/testdata/raddb/radiusd.conf
+++ b/plugins/inputs/radius/testdata/raddb/radiusd.conf
@ -0,0 +1,118 @@
+prefix = /usr
+exec_prefix = /usr
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = /var/log/freeradius
+raddbdir = /etc/freeradius
+radacctdir = ${logdir}/radacct
+
+name = freeradius
+
+confdir = ${raddbdir}
+modconfdir = ${confdir}/mods-config
+certdir = ${confdir}/certs
+cadir   = ${confdir}/certs
+run_dir = ${localstatedir}/run/${name}
+
+db_dir = ${raddbdir}
+
+libdir = /usr/lib/freeradius
+
+pidfile = ${run_dir}/${name}.pid
+
+
+max_request_time = 30
+
+cleanup_delay = 5
+
+max_requests = 16384
+
+hostname_lookups = no
+
+
+log {
+	destination = stdout 
+
+	colourise = yes
+
+	file = ${logdir}/radius.log
+
+	syslog_facility = daemon
+
+	stripped_names = no
+
+	auth = yes
+
+
+
+	auth_badpass = yes
+	auth_goodpass = yes
+
+
+	msg_denied = "You are already logged in - access denied"
+
+}
+
+checkrad = ${sbindir}/checkrad
+
+ENV {
+
+
+}
+
+security {
+
+	user = freerad
+	group = freerad
+
+	allow_core_dumps = no
+
+	max_attributes = 200
+
+	reject_delay = 1
+
+	status_server = yes
+
+
+}
+
+proxy_requests  = yes
+$INCLUDE proxy.conf
+
+
+
+$INCLUDE clients.conf
+
+
+thread pool {
+	start_servers = 5
+
+	max_servers = 32
+
+	min_spare_servers = 3
+	max_spare_servers = 10
+
+
+	max_requests_per_server = 0
+
+
+	auto_limit_acct = no
+}
+
+
+modules {
+
+
+	$INCLUDE mods-enabled/
+}
+
+instantiate {
+
+}
+
+policy {
+	$INCLUDE policy.d/
+}
+
+$INCLUDE sites-enabled/
				`@ -0,0 +1 @@`
				`testusername Cleartext-Password := "testpassword"`