nix-config/hosts/containers/radius/freeradius/experimental.conf

451 lines
13 KiB
Plaintext

#
# This file contains the configuration for experimental modules.
#
# By default, it is NOT included in the build.
#
# $Id: 3db2f300329829b4810b00d3181f13bbac10ccd0 $
#
# Configuration for the Python module.
#
# Where radiusd is a Python module, radiusd.py, and the
# function 'authorize' is called. Here is a dummy piece
# of code:
#
# def authorize(params):
# print params
# return (5, ('Reply-Message', 'banned'))
#
# The RADIUS value-pairs are passed as a tuple of tuple
# pairs as the first argument, e.g. (('attribute1',
# 'value1'), ('attribute2', 'value2'))
#
# The function return is a tuple with the first element
# being the return value of the function.
# The 5 corresponds to RLM_MODULE_USERLOCK. I plan to
# write the return values as Python symbols to avoid
# confusion.
#
# The remaining tuple members are the string form of
# value-pairs which are passed on to pairmake().
#
python {
mod_instantiate = radiusd_test
func_instantiate = instantiate
mod_authorize = radiusd_test
func_authorize = authorize
mod_accounting = radiusd_test
func_accounting = accounting
mod_pre_proxy = radiusd_test
func_pre_proxy = pre_proxy
mod_post_proxy = radiusd_test
func_post_proxy = post_proxy
mod_post_auth = radiusd_test
func_post_auth = post_auth
mod_recv_coa = radiusd_test
func_recv_coa = recv_coa
mod_send_coa = radiusd_test
func_send_coa = send_coa
mod_detach = radiusd_test
func_detach = detach
}
# Configuration for the example module. Uncommenting it will cause it
# to get loaded and initialized, but should have no real effect as long
# it is not referencened in one of the autz/auth/preacct/acct sections
example {
# Boolean variable.
# allowed values: {no, yes}
boolean = yes
# An integer, of any value.
integer = 16
# A string.
string = "This is an example configuration string"
# An IP address, either in dotted quad (1.2.3.4) or hostname
# (example.com)
ipaddr = 127.0.0.1
# A subsection
mysubsection {
anotherinteger = 1000
# They nest
deeply nested {
string = "This is a different string"
}
}
}
#
# To create a dbm users file, do:
#
# cat test.users | rlm_dbm_parser -f /etc/raddb/users_db
#
# Then add 'dbm' in 'authorize' section.
#
# Note that even if the file has a ".db" or ".dbm" extension,
# you may have to specify it here without that extension. This
# is because the DBM libraries "helpfully" add a ".db" to the
# filename, but don't check if it's already there.
#
dbm {
usersfile = ${confdir}/users_db
}
#
# Perform NT-Domain authentication. This only works
# with PAP authentication. That is, Authentication-Request
# packets containing a User-Password attribute.
#
# To use it, add 'smb' into the 'authenticate' section,
# and then in another module (usually the 'users' file),
# set 'Auth-Type := SMB'
#
# WARNING: this module is not only experimental, it's also
# a security threat. It's not recommended to use it until
# it gets fixed.
#
smb {
server = ntdomain.server.example.com
backup = backup.server.example.com
domain = NTDOMAIN
}
# See doc/rlm_fastusers before using this
# module or changing these values.
#
fastusers {
usersfile = ${confdir}/users_fast
hashsize = 1000
compat = no
# Reload the hash every 600 seconds (10mins)
hash_reload = 600
}
# Caching module
#
# Should be added in the post-auth section (after all other modules)
# and in the authorize section (before any other modules)
#
# authorize {
# caching {
# ok = return
# }
# [... other modules ...]
# }
# post-auth {
# [... other modules ...]
# caching
# }
#
# The caching module will cache the Auth-Type and reply items
# and send them back on any subsequent requests for the same key
#
# Configuration:
#
# filename: The gdbm file to use for the cache database
# (can be memory mapped for more speed)
#
# key: A string to xlat and use as a key. For instance,
# "%{Acct-Unique-Session-Id}"
#
# post-auth: If we find a cached entry, set the post-auth to that value
#
# cache-ttl: The time to cache the entry. The same time format
# as the counter module apply here.
# num[hdwm] where:
# h: hours, d: days, w: weeks, m: months
# If the letter is ommited days will be assumed.
# e.g. 1d == one day
#
# cache-size: The gdbm cache size to request (default 1000)
#
# hit-ratio: If set to non-zero we print out statistical
# information after so many cache requests
#
# cache-rejects: Do we also cache rejects, or not? (default 'yes')
#
caching {
filename = ${db_dir}/db.cache
cache-ttl = 1d
hit-ratio = 1000
key = "%{Acct-Unique-Session-Id}"
#post-auth = ""
# cache-size = 2000
# cache-rejects = yes
}
# Simple module for logging of Account packets to radiusd.log
# You need to declare it in the accounting section for it to work
acctlog {
acctlog_update = ""
acctlog_start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})"
acctlog_stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds"
acctlog_on = "NAS %C (%{NAS-IP-Address}) just came online"
acctlog_off = "NAS %C (%{NAS-IP-Address}) just went offline"
}
# Another implementation of the EAP module.
#
# This module requires the libeap.so file from the hostap
# software (http://hostap.epitest.fi/hostapd/). It has been
# tested on the development version of hostapd (0.6.1) ONLY.
#
# In order to use it, you MUST build a "libeap.so" in hostapd,
# which is not done by default.
#
# You MUST also edit the file: src/modules/rlm_eap2/Makefile
# to point to the location of the hostap include files.
#
# This module CANNOT be used in the same way as the current
# FreeRADIUS "eap" module. There is NO way to look inside of
# a tunneled request. There is NO way to proxy a tunneled
# request. There is NO way to even look at the user name inside
# of the tunneled request. There is NO way to control the
# choice of EAP types inside of the tunnel. You MUST force
# the server to choose "eap2" for authentication, because this
# module has no "authorize" section.
#
# If you want to use this module for experimentation, please
# post your comments to the freeradius-devel list:
#
# http://lists.freeradius.org/mailman/listinfo/freeradius-devel
#
# If you want to use this module in a production (i.e. real-world)
# environment:
#
# !!! DO NOT USE IT IN A PRODUCTION ENVIRONMENT !!!
#
# The module needs additional work to make it ready for
# production use.. Please supply patches, or sponsor the
# work by hiring a developer. Do NOT ask when the work will
# be done, because there is no plan to finish this module
# unless there is demand for it.
#
eap2 {
# EAP types are chosen in the order that they are
# listed in this section. There is no "default_eap_type"
# as with rlm_eap. Instead, the *first* EAP type is
# used as the default type.
#
peap {
}
ttls {
}
# This is the ONLY EAP type that has any configuration.
# All other EAP types have no configuration.
#
tls {
ca_cert = ${confdir}/certs/ca.pem
server_cert = ${confdir}/certs/server.pem
private_key_file = ${confdir}/certs/server.pem
private_key_password = whatever
}
#
# These next two methods do not supply keying material.
#
md5 {
}
mschapv2 {
}
fast {
pac_opaque_encr_key = 000102030405060708090a0b0c0d0e0f
eap_fast_a_id = xxxxxx
eap_fast_a_id_info = my_server
eap_fast_prov = 3
pac_key_lifetime = 604800 # 7 days
pac_key_refresh_tim = 86400
}
# LEAP is NOT supported by this module.
# Use the "eap" module instead.
# For other methods that MIGHT work, see the
# configuration of hostap. The methods are statically
# linked in at compile time, and cannot be controlled
# here.
}
# Configuration for experimental EAP types. The sub-sections
# can be copied into eap.conf.
eap {
ikev2 {
# Server auth type
# Allowed values are:
# cert - for certificate based server authentication,
# other required settings for this type are
# 'private_key_file' and 'certificate_file'
# secret - for shared secret based server authentication,
# other required settings for this type is 'id'
# Default value of this option is 'secret'
# server_authtype=cert
# Allowed default client auth types
# Allowed values are:
# secret - for shared secret based client authentication
# cert - for certificate based client authentication
# both - shared secret and certificate is allowed
# none - authentication will always fail
# Default value for this option is 'both'. This option could
# be overwritten within 'usersfile' file by EAP-IKEv2-Auth
# option.
# default_authtype = both
# path to trusted CA certificate file
CA_file="/path/to/CA/cacert.pem"
# path to CRL file, if not set, then there will be no
# checks against CRL
# crl_file="/path/to/crl.pem"
# path to file with user settings
#
# Note that this file is read ONLY on module initialization!
#
# default ${confdir}/eap_ikev2_users
# usersfile=${confdir}/eap_ikev2_users
#
# Sample "eap_ikev2_users" file entry:
#
#username EAP-IKEv2-IDType := KEY_ID, EAP-IKEv2-Secret := "tajne"
## where:
## username - client user name from IKE-AUTH (IDr) or CommonName
## from x509 certificate
## EAP-IKEv2-IDType - ID Type - same as in expected IDType payload
## allowable attributes for EAP-IKEv2-IDType:
## IPV4_ADDR FQDN RFC822_ADDR IPV6_ADDR DER_ASN1_DN
## DER_ASN1_GN KEY_ID
## EAP-IKEv2-Secret - shared secret
## EAP-IKEv2-AuthType - optional parameter which defines expected client auth
## type. Allowed values are: secret,cert,both,none.
## For the meaning of this values, please see the
## description of 'default_authtype'.
## This attribute can overwrite 'default_authtype' value.
# path to file with server private key
private_key_file="/path/to/srv-private-key.pem"
# password to private key file
private_key_password="passwd"
# path to file with server certificate
certificate_file="/path/to/srv-cert.pem"
# server identity string
id="deMaio"
# Server identity type. Allowed values are:
# IPV4_ADDR, FQDN, RFC822_ADDR, IPV6_ADDR, ASN1_DN, ASN1_GN,
# KEY_ID
# Default value is: KEY_ID
# id_type = KEY_ID
# MTU (default: 1398)
# fragment_size = 1398
# maximal allowed number of resends SA_INIT after receiving
# 'invalid KEY' notification (default 3)
# DH_counter_max = 3
# option which is used to control whenever send CERT REQ
# payload or not.
# Allowed values for this option are "yes" or "no".
#Default value is "no".
# certreq = "yes"
# option which cotrols fast reconnect capability.
# Allowed valuse for this option are "yes" or "no".
# Default value is "yes".
# enable_fast_reauth = "no"
# option which is used to control performing of DH exchange
# during fast rekeying protocol run.
# Allowed values for this option are "yes" or "no".
# Default value is "no"
# fast_DH_exchange = "yes"
# Option which is used to set up expiration time of inactive
# IKEv2 session.
# After selected period of time (in seconds), inactive
# session data will be deleted.
# Default value of this option is set to 900 seconds
# fast_timer_expire = 900
# list of server proposals of available cryptographic
# suites
proposals {
# proposal number #1
proposal {
# Supported transforms types: encryption,
# prf, integrity, dhgroup. For multiple
# transforms just simple repeat key (i.e.
# integity).
# encryption algorithm
# supported algorithms:
# null,3des,aes_128_cbc,aes_192_cbc,
# aes_256_cbc,idea
# blowfish:n, where n range from 8 to 448 bits,
# step 8 bits
# cast:n, where n range from 40 to 128 bits,
# step 8 bits
encryption = 3des
# pseudo random function. Supported prf's:
# hmac_md5, hmac_sha1, hmac_tiger
prf = hmac_sha1
# integrity algorithm. Supported algorithms:
# hmac_md5_96, hmac_sha1_96,des_mac
integrity = hmac_sha1_96
integrity = hmac_md5_96
# Diffie-Hellman groups:
# modp768, modp1024, modp1536, modp2048,
# modp3072, modp4096, modp6144, modp8192
dhgroup = modp2048
}
# proposal number #2
proposal {
encryption = 3des
prf = hmac_md5
integrity = hmac_md5_96
dhgroup = modp1024
}
# proposal number #3
proposal {
encryption=3des
prf=hmac_md5
integrity=hmac_md5_96
dhgroup=modp2048
}
}
}
}