#################################################################
# Change the four values below to make this config file support #
# the authPort and acctPort you need.                           #
#################################################################

DefineGlobalVar auPort 1812
DefineGlobalVar acPort 1813

AuthPort 1812 
AcctPort 1813 

################################################
# Your Should Not Need To Edit Below This Line #
################################################
Foreground

LogStdout

SnmpgetProg /usr/bin/snmpget

LogDir  /var/log/radius

PidFile /var/run/radiusd_au%{GlobalVar:auPort}-ac%{GlobalVar:acPort}-radiusd.pid

DbDir /usr/local/raddb

LogFile %L/%Y%m%d_au%{GlobalVar:auPort}-ac%{GlobalVar:acPort}.logfile

include %D/conf/clients.cfg

# User a lower trace level in production systems,
Trace   6
#Trace  3


# Handlers start here.
# Note: the order of Handlers matters. The first Handler
# that matches the request is chosen.
#

# Process keep-alive messages here to keep them separate from
# real wimax authentication
#
<Handler User-Name=KeepAliveUserNameAndPassword>
	Identifier keep-alive-handler
	<AuthBy INTERNAL>
		Identifier keep-alive-authby

		# *Result values can be tailored for required response
		AuthResult REJECT
		AcctResult ACCEPT
		DefaultResult IGNORE
	</AuthBy>
</Handler>


# Handle TTLS phase 2 (inner) authentication. This is where the real username
# and password/MSCHAP are available.
#
<Handler TunnelledByTTLS=1>
	Identifier wimax-inner-handler
	# If check attributes are needed from outer request, add them here.
	#
	AddToRequest Service-Type = %{OuterRequest:Service-Type}
	<AuthBy FILE>
		#Indentifier wimax-inner-file-authby
		Filename %D/users

		# Never try to lookup user DEFAULT
		NoDefault
		NoDefaultIfFound
		# Always lookup user without realm part
		UsernameMatchesWithoutRealm

		# Return the realm username as Chargeable-User-Identity
		#AuthSelect select PASS_WORD, STATICADDRESS, TIMELEFT, MAXLOGINS, SERVICENAME, BADLOGINS, VALIDFROM, VALIDTO, USERNAME from RADUSERS where USERNAME=%0
		#AuthColumnDef 0,Chargeable-User-Identity,reply
	</AuthBy>
</Handler>

# This Handler matches the rest of the requests. The rest should be WiMAX.
# This Handler takes care of establishing TTLS TLS tunnel, phase 1 (outer)
# authentication, and returning WiMAX attributes. The user authentication
# is done by the phase 2 (inner) authentication Handler
#
<Handler>
	Identifier wimax-outer-handler
	<AuthBy WIMAX>
		Identifier wimax-outer-authby

		EAPType TTLS
		#EAPType PEAP
		EAPTLS_CAFile %D/certificates/demoCA/cacert.pem 
		EAPTLS_CertificateFile %D/certificates/cert-srv.pem 
		EAPTLS_CertificateType PEM 
		EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem 
		EAPTLS_PrivateKeyPassword whatever 

		# The max lifetime of eack key, in seconds.
		# Defaults to 3600 seconds (1 hour)
		KeyLifetime 43200

		# IF HAPassword is defined, the the HA must send this password
		# in requests sent to this HAAA. The HA must be configured to
		# send this password, otherwise its requests will be REJECTed
		#HAPassword W1M@X#03!2011
		HAPassword wimax123

		# MSKInMPPEKeys Forces the MSK to be encoded in 
		# MS-MPPE-Send-Key and MS-MPPE-Recv-Key, as well as 
		# the usual WiMAX-MSK reply attributes. This is required 
		# by some non-compliant clients, such as some Alcatel-Lucent 
		# devices.
		#MSKInMPPEKeys 1
	</AuthBy>
</Handler>