# radiator.conf-radius-internal
#
# Sample Radiator configuration file for Linux and other Unix type
# platforms.
#
# Copy this file to Radiator configuration directory
# and name it as /etc/radiator/radiator.conf
#
# This configuration will accept or reject authentication attempts
# based on the RADIUS client IP address. All accounting messages will
# be accepted.
#
# Authentication requests received from IP address 127.0.0.1
# will be accepted. Requests from any other IP address will
# be rejected.
#
# The shared RADIUS secret is: mysecret
#
# See log file parameters below locations of different logs Radiator
# creates.
#
# You should consider this file to be a starting point only
# $Id$

# Use 4 for debug logging
###Trace           3
Trace           4

# Additional configuration files go to DbDir. LogDir sets the value of
# %L and contains log files for Radiator, authentication results and
# accounting messages
DbDir       /etc/radiator
LogDir      /var/log/radiator
LogFile     %L/radiator.log

# Put additional information to Radiator log file
LogMicroseconds
LogTraceId

# Any custom dictionaries should go in DbDir
DictionaryFile /opt/radiator/radiator/dictionary

# No pidfile needed when started as systemd service
PidFile

# Make IPv6 and IPv4 listen sockets completely separate
# Bind only to IPv4 wildcard address
###BindV6Only
BindAddress     0.0.0.0
AuthPort        1645,1812
AcctPort        1646,1813

# Read possible license configuration parameters from this file
LicenseFile %D/license.conf

#####################################################################
# RADIUS request logging
#####################################################################
# This auth logger logs both success and failure to a file. Ignored
# attempts are also logged.
<AuthLog FILE>
    Identifier authlog-file

    Filename %L/authentication.log
    LogSuccess
    LogFailure
    LogIgnore

    SuccessFormat %l trace_id='%2' user='%u' client='%c/%{Client:Identifier}' nas='%N/%{NAS-Identifier}' \
                  handler='%{Handler:Identifier}' calling-station='%{Request:Calling-Station-Id}' \
                  called-station='%{Called-Station-Id}' result='OK'
    FailureFormat %l trace_id='%2' user='%u' client='%c/%{Client:Identifier}' nas='%N/%{NAS-Identifier}' \
                  handler='%{Handler:Identifier}' calling-station='%{Request:Calling-Station-Id}' \
                  called-station='%{Called-Station-Id}' reason='%1' result='FAIL'
    IgnoreFormat  %l trace_id='%2' user='%u' client='%c/%{Client:Identifier}' nas='%N/%{NAS-Identifier}' \
                  handler='%{Handler:Identifier}' calling-station='%{Request:Calling-Station-Id}' \
                  called-station='%{Called-Station-Id}' reason='%1' result='IGNORE'
</AuthLog>

# This acct logger logs accounting requests
<AcctLog FILE>
    Identifier acctlog-file

    Filename %L/accounting.log
    LogFormat %l trace_id='%2'  user='%u' client='%c/%{Client:Identifier}' nas='%N/%{NAS-Identifier}' \
              handler='%{Handler:Identifier}' calling-station='%{Request:Calling-Station-Id}' \
              called-station='%{Called-Station-Id}' session-id=%'{Acct-Session-Id}' \
              status='%{Acct-Status-Type}' duration='%{Acct-Session-Time}' octets-in='%{Acct-Input-Octets}' \
              octets-out='%{Acct-Output-Octets}' framed-ip='%{Framed-IP-Address}'
</AcctLog>

#####################################################################
# Clients
#####################################################################
# Requests originating from the loopback IP address
<Client 127.0.0.1>
    Identifier loopback-client
    Secret mysecret
</Client>

# Match all the other IP addresses
###<Client DEFAULT>
###    Identifier default-client
###    Secret mysecret
###</Client>

#####################################################################
# Handlers
#####################################################################
# Handler to requests originating from the loopback IP address
#<Handler Client-Identifier=loopback-client>
#    Identifier loopback-handler
#
#    <AuthBy INTERNAL>
#        Identifier auth-internal-accept
#        AuthResult   ACCEPT
#        AcctResult   ACCEPT
#    </AuthBy>
#
#    # Log result
#    AuthLog authlog-file
#    # Log accounting
#    AcctLog acctlog-file
#</Handler>
#
## Reject everything else
#<Handler>
#    Identifier default-handler
#
#    <AuthBy INTERNAL>
#        Identifier auth-internal-reject
#        AuthResult   REJECT
#        AcctResult   ACCEPT
#
#        # This sets reject reason for AuthLog
#        RejectReason Handled and rejected by default-handler
#    </AuthBy>
#
#    # Log result
#    AuthLog authlog-file
#    # Log accounting
#    AcctLog acctlog-file
#
#    # Pass the reject reason to the RADIUS client as Reply-Message
#    RejectHasReason
#</Handler>

<Handler>
	Identifier Okta-Handler
	AuthByPolicy ContinueWhileAccept
	AuthByPolicy ContinueUntilAcceptOrChallenge
	
	<AuthBy RADIUS>
		Identifier Auth-Radius
		# Okta Agent
		Secret xxxx
		
		Asynchronous
	
		<Host XXX.XXX.XXX.XXX>
			AuthPort 1901
			# AcctPort not existin but not able di disable it
			AcctPort 
			RetryTimeout 15
		</Host>
	</AuthBy>
	
	# Return reply attributes based on user groups
	<AuthBy FILE>
		Identifier Auth-FILE-groups
		Filename %D/groups
	</AuthBy>

	AuthLog authlog-file
	AcctLog acctlog-file
</Handler>