#  The shared secret use to "encrypt" and "sign" packets between #  the NAS and FreeRADIUS.  You MUST change this secret from the #  default, otherwise it's not a secret any more! # #  The secret can be any string, up to 8k characters in length. # #  Control codes can be entered vi octal encoding, #	e.g. "\101\102" == "AB" #  Quotation marks can be entered by escaping them, #	e.g. "foo\"bar" # #  A note on security:  The security of the RADIUS protocol #  depends COMPLETELY on this secret!  We recommend using a #  shared secret that is composed of: # #	upper case letters #	lower case letters #	numbers # #  And is at LEAST 8 characters long, preferably 16 characters in #  length.  The secret MUST be random, and should not be words, #  phrase, or anything else that is recognizable. # #  The default secret below is only for testing, and should #  not be used in any real environment.

#  Old-style clients do not send a Message-Authenticator #  in an Access-Request.  RFC 5080 suggests that all clients #  SHOULD include it in an Access-Request.  The configuration #  item below allows the server to require it.  If a client #  is required to include a Message-Authenticator and it does #  not, then the packet will be silently discarded. # #  allowed values: yes, no

	#  The short name is used as an alias for the fully qualified #  domain name, or the IP address. # #  It is accepted for compatibility with 1.x, but it is no #  longer necessary in 2.0

	# the following three fields are optional, but may be used by # checkrad.pl for simultaneous use checks # # # The nastype tells 'checkrad.pl' which NAS-specific method to #  use to query the NAS for simultaneous use. # #  Permitted NAS types are: # #	cisco #	computone #	livingston #	max40xx #	netserver #	pathras #	patton #	portslave #	tc #	usrhiper #	other		# for all other types

#  You can now specify one secret for a network of clients. #  When a client request comes in, the BEST match is chosen. #  i.e. The entry from the smallest possible network. # #client 192.168.0.0/24 { #	secret		= testing123-1 #	shortname	= private-network-1 #} # #client 192.168.0.0/16 { #	secret		= testing123-2 #	shortname	= private-network-2 #} #client 10.10.10.10 { #	# secret and password are mapped through the "secrets" file. #	secret      = testing123 #	shortname   = liv1 #       # the following three fields are optional, but may be used by #       # checkrad.pl for simultaneous usage checks #	nastype     = livingston #	login       = !root #	password    = someadminpas

# IPv6 Client #client ::1 { #	secret		= testing123 #	shortname	= localhost #} # # All IPv6 Site-local clients #client fe80::/16 { #	secret		= testing123 #	shortname	= localhost #} #client some.host.org { #	secret		= testing123 #	shortname	= localhost #}

# "alice" Cleartext-Password := "passme" Auth-Type := Reject
# "alice" Cleartext-Password := "passme" Auth-Type := Accept

#	This file contains authentication security and configuration #	information for each user.  Accounting requests are NOT processed #	through this file.  Instead, see 'acct_users', in this directory. 
因为这个文件不包含其他模块，是一个独立的文件。但是如果你改了比如 sites-enabled/default 这个虚拟服务器，比如authorize模块中启用了unix，这样系统用户也可以被当做用户名和密码使用，而且只匹配系统的，如果用户文件中也定义了，并不会以文件中的内容为准。：q 这个文件包含了每个用户的认证安全和配置信息。记账请求并不包含这这里，如果找记账信息，你可以去看 acct_usrs 那个文件。

#	The first field is the user's name and can be up to #	253 characters in length.  This is followed (on the same line) with #	the list of authentication requirements for that user.  This can #	include password, comm server name, comm server port number, protocol #	type (perhaps set by the "hints" file), and huntgroup name (set by #	the "huntgroups" file).

 第一个区域是用户名【最常253个字符】，而且在通银行需要表示认证请求信息，可以是密码，通用服务器名称，通用服务器端口，协议类型，huntgroup名称等。

 #	If you are not sure why a particular reply is being sent by the #	server, then run the server in debugging mode (radiusd -X), and #	you will see which entries in this file are matched. # #	When an authentication request is received from the comm server, #	these values are tested. Only the first match is used unless the #	"Fall-Through" variable is set to "Yes". #

当认证请求过来时，只有第一个值匹配才能继续，除非 Fall-Through 变量设置成 Yes，可以继续检查请求包中的内容，直到找到匹配的为止。

注意啦，Fall-Through 如果没设置的话，那就是 No 了~~~  #	A special user named "DEFAULT" matches on all usernames. #	You can have several DEFAULT entries. All entries are processed #	in the order they appear in this file. The first entry that #	matches the login-request will stop processing unless you use #	the Fall-Through variable. # #	If you use the database support to turn this file into a .db or .dbm #	file, the DEFAULT entries _have_ to be at the end of this file and #	you can't have multiple entries for one username.  注意啦，如果你使用数据库，比如db或者mdb文件，只有这个文件末的值有用，你不能给一个用户多个值  #	Indented (with the tab character) lines following the first #	line indicate the configuration values to be passed back to #	the comm server to allow the initiation of a user session. #	This can include things like the PPP configuration values #	or the host to log the user onto. # #	You can include another `users' file with `$INCLUDE users.other'

# Deny access for a specific user.  Note that this entry MUST # be before any other 'Auth-Type' attribute which results in the user # being authenticated. # # Note that there is NO 'Fall-Through' attribute, so the user will not # be given any additional resources. # #lameuser	Auth-Type := Reject #		Reply-Message = "Your account has been disabled."

# Deny access for a group of users. # # Note that there is NO 'Fall-Through' attribute, so the user will not # be given any additional resources. # #DEFAULT	Group == "disabled", Auth-Type := Reject #		Reply-Message = "Your account has been disabled." #

# This is a complete entry for "steve". Note that there is no Fall-Through # entry so that no DEFAULT entry will be used, and the user will NOT # get any attributes in addition to the ones listed here. # #steve	Cleartext-Password := "testing" #	Service-Type = Framed-User, #	Framed-Protocol = PPP, #	Framed-IP-Address = 172.16.3.33, #	Framed-IP-Netmask = 255.255.255.0, #	Framed-Routing = Broadcast-Listen, #	Framed-Filter-Id = "std.ppp", #	Framed-MTU = 1500, #	Framed-Compression = Van-Jacobsen-TCP-IP

# This is an entry for a user with a space in their name. # Note the double quotes surrounding the name. # #"John Doe"	Cleartext-Password := "hello" #		Reply-Message = "Hello, %{User-Name}"

# Dial user back and telnet to the default host for that port # #Deg	Cleartext-Password := "ge55ged" #	Service-Type = Callback-Login-User, #	Login-IP-Host = 0.0.0.0, #	Callback-Number = "9,5551212", #	Login-Service = Telnet, #	Login-TCP-Port = Telnet # # Another complete entry. After the user "dialbk" has logged in, the # connection will be broken and the user will be dialed back after which # he will get a connection to the host "timeshare1". # #dialbk	Cleartext-Password := "callme" #	Service-Type = Callback-Login-User, #	Login-IP-Host = timeshare1, #	Login-Service = PortMaster, #	Callback-Number = "9,1-800-555-1212" # # user "swilson" will only get a static IP number if he logs in with # a framed protocol on a terminal server in Alphen (see the huntgroups file). # # Note that by setting "Fall-Through", other attributes will be added from # the following DEFAULT entries # #swilson	Service-Type == Framed-User, Huntgroup-Name == "alphen" #		Framed-IP-Address = 192.168.1.65, # Fall-Through = Yes # # If the user logs in as 'username.shell', then authenticate them # using the default method, give them shell access, and stop processing # the rest of the file. # #DEFAULT	Suffix == ".shell" #		Service-Type = Login-User, #		Login-Service = Telnet, #		Login-IP-Host = your.shell.machine 

下面包含了一些默认的属性，默认用户都会包含，但是注意，用户名永远不会取代原来的用户名称

# The rest of this file contains the several DEFAULT entries. # DEFAULT entries match with all login names. # Note that DEFAULT entries can also Fall-Through (see first entry). # A name-value pair from a DEFAULT entry will _NEVER_ override # an already existing name-value pair. # # # Set up different IP address pools for the terminal servers. # Note that the "+" behind the IP address means that this is the "base" # IP address. The Port-Id (S0, S1 etc) will be added to it. # #DEFAULT	Service-Type == Framed-User, Huntgroup-Name == "alphen" #		Framed-IP-Address = 192.168.1.32+, #		Fall-Through = Yes #DEFAULT	Service-Type == Framed-User, Huntgroup-Name == "delft" #		Framed-IP-Address = 192.168.2.32+, #		Fall-Through = Yes # # Sample defaults for all framed connections. # #DEFAULT	Service-Type == Framed-User #	Framed-IP-Address = 255.255.255.254, #	Framed-MTU = 576, #	Service-Type = Framed-User, #	Fall-Through = Yes # # Default for PPP: dynamic IP address, PPP mode, VJ-compression. # NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected #	by the terminal server in which case there may not be a "P" suffix. #	The terminal server sends "Framed-Protocol = PPP" for auto PPP. #

DEFAULT	Framed-Protocol == PPP
	Framed-Protocol = PPP,
	Framed-Compression = Van-Jacobson-TCP-IP # # Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression. # DEFAULT	Hint == "CSLIP" Framed-Protocol = SLIP,
	Framed-Compression = Van-Jacobson-TCP-IP # # Default for SLIP: dynamic IP address, SLIP mode. # DEFAULT	Hint == "SLIP" Framed-Protocol = SLIP # # Last default: rlogin to our main server. # #DEFAULT #	Service-Type = Login-User, #	Login-Service = Rlogin, #	Login-IP-Host = shellbox.ispdomain.com # # # # Last default: shell on the local terminal server. # # # DEFAULT # 	Service-Type = Administrative-User # On no match, the user is denied access.