#
|
|
# This file contains the configuration for experimental modules.
|
|
#
|
|
# By default, it is NOT included in the build.
|
|
#
|
|
# $Id: 3db2f300329829b4810b00d3181f13bbac10ccd0 $
|
|
#
|
|
|
|
# Configuration for the Python module.
|
|
#
|
|
# Where the module named by the mod_* settings below (here
|
|
# radiusd_test, loaded as a Python module) supplies the functions, e.g. 'authorize'. Here is a dummy piece
|
|
# of code:
|
|
#
|
|
# def authorize(params):
|
|
# print(params)
|
|
# return (5, ('Reply-Message', 'banned'))
|
|
#
|
|
# The RADIUS value-pairs are passed as a tuple of tuple
|
|
# pairs as the first argument, e.g. (('attribute1',
|
|
# 'value1'), ('attribute2', 'value2'))
|
|
#
|
|
# The function return is a tuple with the first element
|
|
# being the return value of the function.
|
|
# The 5 corresponds to RLM_MODULE_USERLOCK. I plan to
|
|
# write the return values as Python symbols to avoid
|
|
# confusion.
|
|
#
|
|
# The remaining tuple members are the string form of
|
|
# value-pairs which are passed on to pairmake().
|
|
#
|
|
python {
|
|
mod_instantiate = radiusd_test
|
|
func_instantiate = instantiate
|
|
|
|
mod_authorize = radiusd_test
|
|
func_authorize = authorize
|
|
|
|
mod_accounting = radiusd_test
|
|
func_accounting = accounting
|
|
|
|
mod_pre_proxy = radiusd_test
|
|
func_pre_proxy = pre_proxy
|
|
|
|
mod_post_proxy = radiusd_test
|
|
func_post_proxy = post_proxy
|
|
|
|
mod_post_auth = radiusd_test
|
|
func_post_auth = post_auth
|
|
|
|
mod_recv_coa = radiusd_test
|
|
func_recv_coa = recv_coa
|
|
|
|
mod_send_coa = radiusd_test
|
|
func_send_coa = send_coa
|
|
|
|
mod_detach = radiusd_test
|
|
func_detach = detach
|
|
}
|
|
|
|
|
|
# Configuration for the example module. Uncommenting it will cause it
|
|
# to get loaded and initialized, but should have no real effect as long
|
|
# as it is not referenced from one of the authorize/authenticate/preacct/accounting sections
|
|
example {
|
|
# Boolean variable.
|
|
# allowed values: {no, yes}
|
|
boolean = yes
|
|
|
|
# An integer, of any value.
|
|
integer = 16
|
|
|
|
# A string.
|
|
string = "This is an example configuration string"
|
|
|
|
# An IP address, either in dotted quad (1.2.3.4) or hostname
|
|
# (example.com)
|
|
ipaddr = 127.0.0.1
|
|
|
|
# A subsection
|
|
mysubsection {
|
|
anotherinteger = 1000
|
|
# They nest
|
|
deeply nested {
|
|
string = "This is a different string"
|
|
}
|
|
}
|
|
}
|
|
|
|
#
|
|
# To create a dbm users file, do:
|
|
#
|
|
# cat test.users | rlm_dbm_parser -f /etc/raddb/users_db
|
|
#
|
|
# Then add 'dbm' in 'authorize' section.
|
|
#
|
|
# Note that even if the file has a ".db" or ".dbm" extension,
|
|
# you may have to specify it here without that extension. This
|
|
# is because the DBM libraries "helpfully" add a ".db" to the
|
|
# filename, but don't check if it's already there.
|
|
#
|
|
dbm {
|
|
usersfile = ${confdir}/users_db
|
|
}
|
|
|
|
#
|
|
# Perform NT-Domain authentication. This only works
|
|
# with PAP authentication. That is, Access-Request
|
|
# packets containing a User-Password attribute.
|
|
#
|
|
# To use it, add 'smb' into the 'authenticate' section,
|
|
# and then in another module (usually the 'users' file),
|
|
# set 'Auth-Type := SMB'
|
|
#
|
|
# WARNING: this module is not only experimental, it's also
|
|
# a security threat. It's not recommended to use it until
|
|
# it gets fixed.
|
|
#
|
|
smb {
|
|
server = ntdomain.server.example.com
|
|
backup = backup.server.example.com
|
|
domain = NTDOMAIN
|
|
}
|
|
|
|
# See doc/rlm_fastusers before using this
|
|
# module or changing these values.
|
|
#
|
|
fastusers {
|
|
usersfile = ${confdir}/users_fast
|
|
hashsize = 1000
|
|
compat = no
|
|
# Reload the hash every 600 seconds (10mins)
|
|
hash_reload = 600
|
|
}
|
|
|
|
# Caching module
|
|
#
|
|
# Should be added in the post-auth section (after all other modules)
|
|
# and in the authorize section (before any other modules)
|
|
#
|
|
# authorize {
|
|
# caching {
|
|
# ok = return
|
|
# }
|
|
# [... other modules ...]
|
|
# }
|
|
# post-auth {
|
|
# [... other modules ...]
|
|
# caching
|
|
# }
|
|
#
|
|
# The caching module will cache the Auth-Type and reply items
|
|
# and send them back on any subsequent request for the same key. With
# 'ok = return' in authorize (above) a cache hit skips the remaining
# authorize modules, so the cached result stays in force until cache-ttl
# expires, even if the backing user data has changed in the meantime.
|
|
#
|
|
# Configuration:
|
|
#
|
|
# filename: The gdbm file to use for the cache database
|
|
# (can be memory mapped for more speed)
|
|
#
|
|
# key: A string to xlat and use as a key. For instance,
|
|
# "%{Acct-Unique-Session-Id}"
|
|
#
|
|
# post-auth: If we find a cached entry, set the post-auth to that value
|
|
#
|
|
# cache-ttl: The time to cache the entry. The same time format
|
|
# as for the counter module applies here.
|
|
# num[hdwm] where:
|
|
# h: hours, d: days, w: weeks, m: months
|
|
# If the letter is omitted, days are assumed.
|
|
# e.g. 1d == one day
|
|
#
|
|
# cache-size: The gdbm cache size to request (default 1000)
|
|
#
|
|
# hit-ratio: If set to non-zero we print out statistical
|
|
# information after so many cache requests
|
|
#
|
|
# cache-rejects: Do we also cache rejects, or not? (default 'yes')
|
|
#
|
|
caching {
|
|
filename = ${db_dir}/db.cache
|
|
cache-ttl = 1d
|
|
hit-ratio = 1000
|
|
key = "%{Acct-Unique-Session-Id}"
|
|
#post-auth = ""
|
|
# cache-size = 2000
|
|
# cache-rejects = yes
|
|
}
|
|
|
|
|
|
# Simple module for logging of Accounting packets to radiusd.log
|
|
# You need to declare it in the accounting section for it to work
|
|
acctlog {
|
|
acctlog_update = ""
|
|
acctlog_start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})"
|
|
acctlog_stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds"
|
|
acctlog_on = "NAS %C (%{NAS-IP-Address}) just came online"
|
|
acctlog_off = "NAS %C (%{NAS-IP-Address}) just went offline"
|
|
}
|
|
|
|
# Another implementation of the EAP module.
|
|
#
|
|
# This module requires the libeap.so file from the hostap
|
|
# software (http://hostap.epitest.fi/hostapd/). It has been
|
|
# tested on the development version of hostapd (0.6.1) ONLY.
|
|
#
|
|
# In order to use it, you MUST build a "libeap.so" in hostapd,
|
|
# which is not done by default.
|
|
#
|
|
# You MUST also edit the file: src/modules/rlm_eap2/Makefile
|
|
# to point to the location of the hostap include files.
|
|
#
|
|
# This module CANNOT be used in the same way as the current
|
|
# FreeRADIUS "eap" module. There is NO way to look inside of
|
|
# a tunneled request. There is NO way to proxy a tunneled
|
|
# request. There is NO way to even look at the user name inside
|
|
# of the tunneled request. There is NO way to control the
|
|
# choice of EAP types inside of the tunnel. You MUST force
|
|
# the server to choose "eap2" for authentication, because this
|
|
# module has no "authorize" section.
|
|
#
|
|
# If you want to use this module for experimentation, please
|
|
# post your comments to the freeradius-devel list:
|
|
#
|
|
# http://lists.freeradius.org/mailman/listinfo/freeradius-devel
|
|
#
|
|
# If you want to use this module in a production (i.e. real-world)
|
|
# environment:
|
|
#
|
|
# !!! DO NOT USE IT IN A PRODUCTION ENVIRONMENT !!!
|
|
#
|
|
# The module needs additional work to make it ready for
|
|
# production use. Please supply patches, or sponsor the
|
|
# work by hiring a developer. Do NOT ask when the work will
|
|
# be done, because there is no plan to finish this module
|
|
# unless there is demand for it.
|
|
#
|
|
eap2 {
|
|
# EAP types are chosen in the order that they are
|
|
# listed in this section. There is no "default_eap_type"
|
|
# as with rlm_eap. Instead, the *first* EAP type is
|
|
# used as the default type.
|
|
#
|
|
peap {
|
|
}
|
|
|
|
ttls {
|
|
}
|
|
|
|
# This is the ONLY EAP type that has any configuration.
|
|
# All other EAP types have no configuration.
|
|
#
|
|
tls {
|
|
ca_cert = ${confdir}/certs/ca.pem
|
|
# server_cert and private_key_file point at the same file, so
# server.pem must hold both the certificate and its private key.
server_cert = ${confdir}/certs/server.pem
|
|
private_key_file = ${confdir}/certs/server.pem
|
|
# Passphrase for the private key, kept in clear text in this file:
# replace the placeholder "whatever" and keep this file's permissions
# restrictive (readable only by the account radiusd runs as).
private_key_password = whatever
|
|
}
|
|
|
|
#
|
|
# These next two methods do not supply keying material.
|
|
#
|
|
md5 {
|
|
}
|
|
|
|
mschapv2 {
|
|
}
|
|
|
|
# EAP-FAST settings. The key and identifiers in here are sample values
# that must be replaced before the server is exposed to real peers.
fast {
|
|
# Key used to encrypt the PAC-Opaque this server issues. The value
# below is a sequential 00..0f test pattern, not a secret: anyone who
# knows it can decrypt the PACs. Generate a random 16-byte key (e.g.
# `openssl rand -hex 16`) unique to this server.
pac_opaque_encr_key = 000102030405060708090a0b0c0d0e0f
|
|
# Authority identity sent to peers; "xxxxxx" is a placeholder.
eap_fast_a_id = xxxxxx
|
|
# Descriptive text for the authority identity ("my_server" is a sample).
eap_fast_a_id_info = my_server
|
|
# In-band PAC provisioning mode. NOTE(review): if this follows hostapd's
# eap_fast_prov encoding, 3 enables anonymous as well as authenticated
# provisioning, and anonymous provisioning does not authenticate the
# server to the peer -- confirm against the libeap version in use.
eap_fast_prov = 3
|
|
# PAC lifetime in seconds.
pac_key_lifetime = 604800 # 7 days
|
|
# NOTE(review): the option name looks truncated next to pac_key_lifetime
# (pac_key_refresh_time?) -- confirm the spelling rlm_eap2 expects, since
# a misspelled option may be silently ignored.
pac_key_refresh_tim = 86400
|
|
}
|
|
|
|
# LEAP is NOT supported by this module.
|
|
# Use the "eap" module instead.
|
|
|
|
# For other methods that MIGHT work, see the
|
|
# configuration of hostap. The methods are statically
|
|
# linked in at compile time, and cannot be controlled
|
|
# here.
|
|
}
|
|
|
|
# Configuration for experimental EAP types. The sub-sections
|
|
# can be copied into eap.conf.
|
|
eap {
|
|
ikev2 {
|
|
|
|
# Server auth type
|
|
# Allowed values are:
|
|
# cert - for certificate based server authentication,
|
|
# other required settings for this type are
|
|
# 'private_key_file' and 'certificate_file'
|
|
# secret - for shared secret based server authentication,
|
|
# other required settings for this type is 'id'
|
|
# Default value of this option is 'secret'
|
|
# server_authtype=cert
|
|
|
|
# Allowed default client auth types
|
|
# Allowed values are:
|
|
# secret - for shared secret based client authentication
|
|
# cert - for certificate based client authentication
|
|
# both - shared secret and certificate is allowed
|
|
# none - authentication will always fail
|
|
# Default value for this option is 'both'. This option could
|
|
# be overridden per user in the 'usersfile' file by the EAP-IKEv2-AuthType
|
|
# option.
|
|
# default_authtype = both
|
|
|
|
# path to trusted CA certificate file
|
|
CA_file="/path/to/CA/cacert.pem"
|
|
|
|
# path to CRL file, if not set, then there will be no
|
|
# revocation checks, i.e. a revoked client certificate is still accepted
|
|
# crl_file="/path/to/crl.pem"
|
|
|
|
# path to file with user settings
|
|
#
|
|
# Note that this file is read ONLY on module initialization!
|
|
#
|
|
# default ${confdir}/eap_ikev2_users
|
|
# usersfile=${confdir}/eap_ikev2_users
|
|
|
|
#
|
|
# Sample "eap_ikev2_users" file entry:
|
|
#
|
|
#username EAP-IKEv2-IDType := KEY_ID, EAP-IKEv2-Secret := "tajne"
|
|
|
|
## where:
|
|
## username - client user name from IKE-AUTH (IDr) or CommonName
|
|
## from x509 certificate
|
|
## EAP-IKEv2-IDType - ID Type - same as in expected IDType payload
|
|
## allowable attributes for EAP-IKEv2-IDType:
|
|
## IPV4_ADDR FQDN RFC822_ADDR IPV6_ADDR DER_ASN1_DN
|
|
## DER_ASN1_GN KEY_ID
|
|
## EAP-IKEv2-Secret - shared secret
|
|
## EAP-IKEv2-AuthType - optional parameter which defines expected client auth
|
|
## type. Allowed values are: secret,cert,both,none.
|
|
## For the meaning of this values, please see the
|
|
## description of 'default_authtype'.
|
|
## This attribute can overwrite 'default_authtype' value.
|
|
|
|
|
|
|
|
# path to file with server private key
|
|
private_key_file="/path/to/srv-private-key.pem"
|
|
|
|
# password to private key file. It is stored here in clear text: replace the placeholder below and keep this file's permissions restrictive.
|
|
private_key_password="passwd"
|
|
|
|
# path to file with server certificate
|
|
certificate_file="/path/to/srv-cert.pem"
|
|
|
|
# server identity string (the value below is a placeholder; set it to this server's own identity)
|
|
id="deMaio"
|
|
|
|
# Server identity type. Allowed values are:
|
|
# IPV4_ADDR, FQDN, RFC822_ADDR, IPV6_ADDR, ASN1_DN, ASN1_GN,
|
|
# KEY_ID
|
|
# Default value is: KEY_ID
|
|
# id_type = KEY_ID
|
|
|
|
|
|
# MTU (default: 1398)
|
|
# fragment_size = 1398
|
|
|
|
# maximal allowed number of resends SA_INIT after receiving
|
|
# 'invalid KEY' notification (default 3)
|
|
# DH_counter_max = 3
|
|
|
|
# option which controls whether the server sends a CERTREQ
|
|
# payload or not.
|
|
# Allowed values for this option are "yes" or "no".
|
|
# Default value is "no".
|
|
# certreq = "yes"
|
|
|
|
# option which controls the fast reconnect capability.
|
|
# Allowed values for this option are "yes" or "no".
|
|
# Default value is "yes".
|
|
# enable_fast_reauth = "no"
|
|
|
|
# option which is used to control performing of DH exchange
|
|
# during fast rekeying protocol run.
|
|
# Allowed values for this option are "yes" or "no".
|
|
# Default value is "no"
|
|
# fast_DH_exchange = "yes"
|
|
|
|
# Option which is used to set up expiration time of inactive
|
|
# IKEv2 session.
|
|
# After selected period of time (in seconds), inactive
|
|
# session data will be deleted.
|
|
# Default value of this option is set to 900 seconds
|
|
# fast_timer_expire = 900
|
|
|
|
# list of server proposals of available cryptographic
|
|
# suites. Every proposal listed is one the server will accept, so the weakest entry below sets the effective security floor.
|
|
proposals {
|
|
# proposal number #1
|
|
proposal {
|
|
|
|
# Supported transforms types: encryption,
|
|
# prf, integrity, dhgroup. For multiple
|
|
# transforms, simply repeat the key (e.g. the two
|
|
# 'integrity' lines in this proposal).
|
|
|
|
# encryption algorithm. Of the options below, 'null' gives no confidentiality and 3des, idea, blowfish and cast are 64-bit-block legacy ciphers; prefer an aes_*_cbc variant.
|
|
# supported algorithms:
|
|
# null,3des,aes_128_cbc,aes_192_cbc,
|
|
# aes_256_cbc,idea
|
|
# blowfish:n, where n range from 8 to 448 bits,
|
|
# step 8 bits
|
|
# cast:n, where n range from 40 to 128 bits,
|
|
# step 8 bits
|
|
encryption = 3des
|
|
|
|
# pseudo random function (prefer hmac_sha1; hmac_md5 is legacy). Supported prf's:
|
|
# hmac_md5, hmac_sha1, hmac_tiger
|
|
prf = hmac_sha1
|
|
|
|
# integrity algorithm (prefer hmac_sha1_96; hmac_md5_96 and des_mac are legacy). Supported algorithms:
|
|
# hmac_md5_96, hmac_sha1_96,des_mac
|
|
integrity = hmac_sha1_96
|
|
integrity = hmac_md5_96
|
|
|
|
# Diffie-Hellman groups (modp768 and modp1024 are too small for current use; choose modp2048 or larger):
|
|
# modp768, modp1024, modp1536, modp2048,
|
|
# modp3072, modp4096, modp6144, modp8192
|
|
dhgroup = modp2048
|
|
}
|
|
|
|
# proposal number #2 -- the weakest suite offered (3des, hmac_md5, modp1024); remove it unless a legacy peer requires it
|
|
proposal {
|
|
encryption = 3des
|
|
prf = hmac_md5
|
|
integrity = hmac_md5_96
|
|
dhgroup = modp1024
|
|
}
|
|
|
|
# proposal number #3
|
|
proposal {
|
|
encryption=3des
|
|
prf=hmac_md5
|
|
integrity=hmac_md5_96
|
|
dhgroup=modp2048
|
|
}
|
|
}
|
|
}
|
|
}
|