From fbe1f6c5b065a7a46db825c5d4ba7301ae8eb7cc Mon Sep 17 00:00:00 2001 From: eri451 Date: Sun, 7 Apr 2019 22:54:41 +0200 Subject: [PATCH] enable freeradius for authless eap wifi --- hosts/containers/radius/configuration.nix | 3 + hosts/containers/radius/freeradius/acct_users | 23 + hosts/containers/radius/freeradius/attrs | 129 +++ .../radius/freeradius/attrs.access_challenge | 19 + .../radius/freeradius/attrs.access_reject | 17 + .../freeradius/attrs.accounting_response | 15 + .../radius/freeradius/attrs.pre-proxy | 62 ++ .../containers/radius/freeradius/certs/ca.key | 30 + .../containers/radius/freeradius/certs/ca.pem | 23 + hosts/containers/radius/freeradius/certs/dh | 5 + .../radius/freeradius/certs/server.csr | 18 + .../radius/freeradius/certs/server.key | 30 + .../radius/freeradius/certs/server.pem | 22 + .../containers/radius/freeradius/clients.conf | 246 +++++ hosts/containers/radius/freeradius/dictionary | 32 + hosts/containers/radius/freeradius/eap.conf | 688 ++++++++++++++ .../radius/freeradius/experimental.conf | 450 +++++++++ hosts/containers/radius/freeradius/hints | 77 ++ hosts/containers/radius/freeradius/huntgroups | 46 + .../containers/radius/freeradius/ldap.attrmap | 76 ++ .../radius/freeradius/modules/acct_unique | 17 + .../radius/freeradius/modules/always | 31 + .../radius/freeradius/modules/attr_filter | 48 + .../radius/freeradius/modules/attr_rewrite | 46 + .../radius/freeradius/modules/cache | 77 ++ .../containers/radius/freeradius/modules/chap | 11 + .../radius/freeradius/modules/checkval | 44 + .../radius/freeradius/modules/counter | 82 ++ .../containers/radius/freeradius/modules/cui | 25 + .../radius/freeradius/modules/detail | 93 ++ .../freeradius/modules/detail.example.com | 27 + .../radius/freeradius/modules/detail.log | 75 ++ .../radius/freeradius/modules/dhcp_sqlippool | 33 + .../radius/freeradius/modules/digest | 13 + .../radius/freeradius/modules/dynamic_clients | 32 + .../containers/radius/freeradius/modules/echo | 123 +++ .../radius/freeradius/modules/etc_group | 28 + .../containers/radius/freeradius/modules/exec | 30 + .../radius/freeradius/modules/expiration | 19 + .../containers/radius/freeradius/modules/expr | 20 + .../radius/freeradius/modules/files | 46 + .../radius/freeradius/modules/inner-eap | 161 ++++ .../radius/freeradius/modules/ippool | 75 ++ .../containers/radius/freeradius/modules/krb5 | 11 + .../containers/radius/freeradius/modules/ldap | 197 ++++ .../radius/freeradius/modules/linelog | 105 +++ .../radius/freeradius/modules/logintime | 31 + .../radius/freeradius/modules/mac2ip | 25 + .../radius/freeradius/modules/mac2vlan | 18 + .../radius/freeradius/modules/mschap | 87 ++ .../radius/freeradius/modules/ntlm_auth | 12 + .../radius/freeradius/modules/opendirectory | 13 + .../containers/radius/freeradius/modules/otp | 78 ++ .../containers/radius/freeradius/modules/pam | 26 + .../containers/radius/freeradius/modules/pap | 22 + .../radius/freeradius/modules/passwd | 55 ++ .../containers/radius/freeradius/modules/perl | 58 ++ .../radius/freeradius/modules/policy | 21 + .../radius/freeradius/modules/preprocess | 58 ++ .../radius/freeradius/modules/radrelay | 26 + .../radius/freeradius/modules/radutmp | 53 ++ .../radius/freeradius/modules/realm | 46 + .../radius/freeradius/modules/redis | 35 + .../radius/freeradius/modules/rediswho | 28 + .../radius/freeradius/modules/replicate | 40 + .../radius/freeradius/modules/smbpasswd | 16 + .../radius/freeradius/modules/smsotp | 50 + .../containers/radius/freeradius/modules/soh | 4 + .../radius/freeradius/modules/sql_log | 92 ++ .../modules/sqlcounter_expire_on_login | 37 + .../radius/freeradius/modules/sradutmp | 16 + .../containers/radius/freeradius/modules/unix | 25 + .../radius/freeradius/modules/wimax | 112 +++ .../containers/radius/freeradius/policy.conf | 283 ++++++ hosts/containers/radius/freeradius/policy.txt | 185 ++++ .../radius/freeradius/preproxy_users | 31 + hosts/containers/radius/freeradius/proxy.conf | 759 +++++++++++++++ .../containers/radius/freeradius/radiusd.conf | 865 ++++++++++++++++++ .../radius/freeradius/sites-available/README | 335 +++++++ .../freeradius/sites-available/buffered-sql | 129 +++ .../radius/freeradius/sites-available/coa | 43 + .../freeradius/sites-available/control-socket | 73 ++ .../sites-available/copy-acct-to-home-server | 171 ++++ .../sites-available/decoupled-accounting | 140 +++ .../radius/freeradius/sites-available/default | 661 +++++++++++++ .../sites-available/default.DEFAULT | 660 +++++++++++++ .../radius/freeradius/sites-available/dhcp | 283 ++++++ .../freeradius/sites-available/dhcp.relay | 65 ++ .../sites-available/dynamic-clients | 224 +++++ .../radius/freeradius/sites-available/example | 122 +++ .../freeradius/sites-available/inner-tunnel | 421 +++++++++ .../sites-available/inner-tunnel.DEFAULT | 421 +++++++++ .../freeradius/sites-available/originate-coa | 190 ++++ .../sites-available/proxy-inner-tunnel | 47 + .../sites-available/robust-proxy-accounting | 167 ++++ .../radius/freeradius/sites-available/soh | 34 + .../radius/freeradius/sites-available/status | 127 +++ .../sites-available/virtual.example.com | 26 + .../radius/freeradius/sites-available/vmps | 98 ++ hosts/containers/radius/freeradius/sql.conf | 115 +++ .../radius/freeradius/sqlippool.conf | 67 ++ .../radius/freeradius/templates.conf | 108 +++ hosts/containers/radius/freeradius/users | 213 +++++ 103 files changed, 11627 insertions(+) create mode 100644 hosts/containers/radius/freeradius/acct_users create mode 100644 hosts/containers/radius/freeradius/attrs create mode 100644 hosts/containers/radius/freeradius/attrs.access_challenge create mode 100644 hosts/containers/radius/freeradius/attrs.access_reject create mode 100644 hosts/containers/radius/freeradius/attrs.accounting_response create mode 100644 hosts/containers/radius/freeradius/attrs.pre-proxy create mode 100644 hosts/containers/radius/freeradius/certs/ca.key create mode 100644 hosts/containers/radius/freeradius/certs/ca.pem create mode 100644 hosts/containers/radius/freeradius/certs/dh create mode 100644 hosts/containers/radius/freeradius/certs/server.csr create mode 100644 hosts/containers/radius/freeradius/certs/server.key create mode 100644 hosts/containers/radius/freeradius/certs/server.pem create mode 100644 hosts/containers/radius/freeradius/clients.conf create mode 100644 hosts/containers/radius/freeradius/dictionary create mode 100644 hosts/containers/radius/freeradius/eap.conf create mode 100644 hosts/containers/radius/freeradius/experimental.conf create mode 100644 hosts/containers/radius/freeradius/hints create mode 100644 hosts/containers/radius/freeradius/huntgroups create mode 100644 hosts/containers/radius/freeradius/ldap.attrmap create mode 100644 hosts/containers/radius/freeradius/modules/acct_unique create mode 100644 hosts/containers/radius/freeradius/modules/always create mode 100644 hosts/containers/radius/freeradius/modules/attr_filter create mode 100644 hosts/containers/radius/freeradius/modules/attr_rewrite create mode 100644 hosts/containers/radius/freeradius/modules/cache create mode 100644 hosts/containers/radius/freeradius/modules/chap create mode 100644 hosts/containers/radius/freeradius/modules/checkval create mode 100644 hosts/containers/radius/freeradius/modules/counter create mode 100644 hosts/containers/radius/freeradius/modules/cui create mode 100644 hosts/containers/radius/freeradius/modules/detail create mode 100644 hosts/containers/radius/freeradius/modules/detail.example.com create mode 100644 hosts/containers/radius/freeradius/modules/detail.log create mode 100644 hosts/containers/radius/freeradius/modules/dhcp_sqlippool create mode 100644 hosts/containers/radius/freeradius/modules/digest create mode 100644 hosts/containers/radius/freeradius/modules/dynamic_clients create mode 100644 hosts/containers/radius/freeradius/modules/echo create mode 100644 hosts/containers/radius/freeradius/modules/etc_group create mode 100644 hosts/containers/radius/freeradius/modules/exec create mode 100644 hosts/containers/radius/freeradius/modules/expiration create mode 100644 hosts/containers/radius/freeradius/modules/expr create mode 100644 hosts/containers/radius/freeradius/modules/files create mode 100644 hosts/containers/radius/freeradius/modules/inner-eap create mode 100644 hosts/containers/radius/freeradius/modules/ippool create mode 100644 hosts/containers/radius/freeradius/modules/krb5 create mode 100644 hosts/containers/radius/freeradius/modules/ldap create mode 100644 hosts/containers/radius/freeradius/modules/linelog create mode 100644 hosts/containers/radius/freeradius/modules/logintime create mode 100644 hosts/containers/radius/freeradius/modules/mac2ip create mode 100644 hosts/containers/radius/freeradius/modules/mac2vlan create mode 100644 hosts/containers/radius/freeradius/modules/mschap create mode 100644 hosts/containers/radius/freeradius/modules/ntlm_auth create mode 100644 hosts/containers/radius/freeradius/modules/opendirectory create mode 100644 hosts/containers/radius/freeradius/modules/otp create mode 100644 hosts/containers/radius/freeradius/modules/pam create mode 100644 hosts/containers/radius/freeradius/modules/pap create mode 100644 hosts/containers/radius/freeradius/modules/passwd create mode 100644 hosts/containers/radius/freeradius/modules/perl create mode 100644 hosts/containers/radius/freeradius/modules/policy create mode 100644 hosts/containers/radius/freeradius/modules/preprocess create mode 100644 hosts/containers/radius/freeradius/modules/radrelay create mode 100644 hosts/containers/radius/freeradius/modules/radutmp create mode 100644 hosts/containers/radius/freeradius/modules/realm create mode 100644 hosts/containers/radius/freeradius/modules/redis create mode 100644 hosts/containers/radius/freeradius/modules/rediswho create mode 100644 hosts/containers/radius/freeradius/modules/replicate create mode 100644 hosts/containers/radius/freeradius/modules/smbpasswd create mode 100644 hosts/containers/radius/freeradius/modules/smsotp create mode 100644 hosts/containers/radius/freeradius/modules/soh create mode 100644 hosts/containers/radius/freeradius/modules/sql_log create mode 100644 hosts/containers/radius/freeradius/modules/sqlcounter_expire_on_login create mode 100644 hosts/containers/radius/freeradius/modules/sradutmp create mode 100644 hosts/containers/radius/freeradius/modules/unix create mode 100644 hosts/containers/radius/freeradius/modules/wimax create mode 100644 hosts/containers/radius/freeradius/policy.conf create mode 100644 hosts/containers/radius/freeradius/policy.txt create mode 100644 hosts/containers/radius/freeradius/preproxy_users create mode 100644 hosts/containers/radius/freeradius/proxy.conf create mode 100644 hosts/containers/radius/freeradius/radiusd.conf create mode 100644 hosts/containers/radius/freeradius/sites-available/README create mode 100644 hosts/containers/radius/freeradius/sites-available/buffered-sql create mode 100644 hosts/containers/radius/freeradius/sites-available/coa create mode 100644 hosts/containers/radius/freeradius/sites-available/control-socket create mode 100644 hosts/containers/radius/freeradius/sites-available/copy-acct-to-home-server create mode 100644 hosts/containers/radius/freeradius/sites-available/decoupled-accounting create mode 100644 hosts/containers/radius/freeradius/sites-available/default create mode 100644 hosts/containers/radius/freeradius/sites-available/default.DEFAULT create mode 100644 hosts/containers/radius/freeradius/sites-available/dhcp create mode 100644 hosts/containers/radius/freeradius/sites-available/dhcp.relay create mode 100644 hosts/containers/radius/freeradius/sites-available/dynamic-clients create mode 100644 hosts/containers/radius/freeradius/sites-available/example create mode 100644 hosts/containers/radius/freeradius/sites-available/inner-tunnel create mode 100644 hosts/containers/radius/freeradius/sites-available/inner-tunnel.DEFAULT create mode 100644 hosts/containers/radius/freeradius/sites-available/originate-coa create mode 100644 hosts/containers/radius/freeradius/sites-available/proxy-inner-tunnel create mode 100644 hosts/containers/radius/freeradius/sites-available/robust-proxy-accounting create mode 100644 hosts/containers/radius/freeradius/sites-available/soh create mode 100644 hosts/containers/radius/freeradius/sites-available/status create mode 100644 hosts/containers/radius/freeradius/sites-available/virtual.example.com create mode 100644 hosts/containers/radius/freeradius/sites-available/vmps create mode 100644 hosts/containers/radius/freeradius/sql.conf create mode 100644 hosts/containers/radius/freeradius/sqlippool.conf create mode 100644 hosts/containers/radius/freeradius/templates.conf create mode 100644 hosts/containers/radius/freeradius/users diff --git a/hosts/containers/radius/configuration.nix b/hosts/containers/radius/configuration.nix index 5ad11a5b..2c8d715f 100644 --- a/hosts/containers/radius/configuration.nix +++ b/hosts/containers/radius/configuration.nix @@ -38,6 +38,9 @@ git freeradius ]; + services.freeradius.enable = true; + services.freeradius.configDir = "/root/nix-config/hosts/container/radius/"; + # Create a few files early before packing tarball for Proxmox # architecture/OS detection. system.extraSystemBuilderCmds = diff --git a/hosts/containers/radius/freeradius/acct_users b/hosts/containers/radius/freeradius/acct_users new file mode 100644 index 00000000..219a6672 --- /dev/null +++ b/hosts/containers/radius/freeradius/acct_users @@ -0,0 +1,23 @@ +# +# $Id: fafac849a0f0519cdaf7acf2ef51c8b36a5a6255 $ +# +# This is like the 'users' file, but it is processed only for +# accounting packets. +# + +# Select between different accounting methods based for example on the +# Realm, the Huntgroup-Name or any combinaison of the attribute/value +# pairs contained in an accounting packet. +# +#DEFAULT Realm == "foo.net", Acct-Type := sql_log.foo +# +#DEFAULT Huntgroup-Name == "wifi", Acct-Type := sql_log.wifi +# +#DEFAULT Client-IP-Address == 10.0.0.1, Acct-Type := sql_log.other +# +#DEFAULT Acct-Status-Type == Start, Acct-Type := sql_log.start + +# Replace the User-Name with the Stripped-User-Name, if it exists. +# +#DEFAULT +# User-Name := "%{Stripped-User-Name:-%{User-Name}}" diff --git a/hosts/containers/radius/freeradius/attrs b/hosts/containers/radius/freeradius/attrs new file mode 100644 index 00000000..596294d5 --- /dev/null +++ b/hosts/containers/radius/freeradius/attrs @@ -0,0 +1,129 @@ +# +# Configuration file for the rlm_attr_filter module. +# Please see rlm_attr_filter(5) manpage for more information. +# +# $Id: 76c644b100656f8bd45e768b13cbcf140ce5a770 $ +# +# This file contains security and configuration information +# for each realm. The first field is the realm name and +# can be up to 253 characters in length. This is followed (on +# the next line) with the list of filter rules to be used to +# decide what attributes and/or values we allow proxy servers +# to pass to the NAS for this realm. +# +# When a proxy-reply packet is received from a home server, +# these attributes and values are tested. Only the first match +# is used unless the "Fall-Through" variable is set to "Yes". +# In that case the rules defined in the DEFAULT case are +# processed as well. +# +# A special realm named "DEFAULT" matches on all realm names. +# You can have only one DEFAULT entry. All entries are processed +# in the order they appear in this file. The first entry that +# matches the login-request will stop processing unless you use +# the Fall-Through variable. +# +# Indented (with the tab character) lines following the first +# line indicate the filter rules. +# +# You can include another `attrs' file with `$INCLUDE attrs.other' +# + +# +# This is a complete entry for realm "fisp". Note that there is no +# Fall-Through entry so that no DEFAULT entry will be used, and the +# server will NOT allow any other a/v pairs other than the ones +# listed here. +# +# These rules allow: +# o Only Framed-User Service-Types ( no telnet, rlogin, tcp-clear ) +# o PPP sessions ( no SLIP, CSLIP, etc. ) +# o dynamic ip assignment ( can't assign a static ip ) +# o an idle timeout value set to 600 seconds (10 min) or less +# o a max session time set to 28800 seconds (8 hours) or less +# +#fisp +# Service-Type == Framed-User, +# Framed-Protocol == PPP, +# Framed-IP-Address == 255.255.255.254, +# Idle-Timeout <= 600, +# Session-Timeout <= 28800 + +# +# This is a complete entry for realm "tisp". Note that there is no +# Fall-Through entry so that no DEFAULT entry will be used, and the +# server will NOT allow any other a/v pairs other than the ones +# listed here. +# +# These rules allow: +# o Only Login-User Service-Type ( no framed/ppp sessions ) +# o Telnet sessions only ( no rlogin, tcp-clear ) +# o Login hosts of either 192.168.1.1 or 192.168.1.2 +# +#tisp +# Service-Type == Login-User, +# Login-Service == Telnet, +# Login-TCP-Port == 23, +# Login-IP-Host == 192.168.1.1, +# Login-IP-Host == 192.168.1.2 + +# +# The following example can be used for a home server which is only +# allowed to supply a Reply-Message, a Session-Timeout attribute of +# maximum 86400, a Idle-Timeout attribute of maximum 600 and a +# Acct-Interim-Interval attribute between 300 and 3600. +# All other attributes sent back will be filtered out. +# +#strictrealm +# Reply-Message =* ANY, +# Session-Timeout <= 86400, +# Idle-Timeout <= 600, +# Acct-Interim-Interval >= 300, +# Acct-Interim-Interval <= 3600 + +# +# This is a complete entry for realm "spamrealm". Fall-Through is used, +# so that the DEFAULT filter rules are used in addition to these. +# +# These rules allow: +# o Force the application of Filter-ID attribute to be returned +# in the proxy reply, whether the proxy sent it or not. +# o The standard DEFAULT rules as defined below +# +#spamrealm +# Framed-Filter-Id := "nosmtp.in", +# Fall-Through = Yes + +# +# The rest of this file contains the DEFAULT entry. +# DEFAULT matches with all realm names. (except if the realm previously +# matched an entry with no Fall-Through) +# + +DEFAULT + Service-Type == Framed-User, + Service-Type == Login-User, + Login-Service == Telnet, + Login-Service == Rlogin, + Login-Service == TCP-Clear, + Login-TCP-Port <= 65536, + Framed-IP-Address == 255.255.255.254, + Framed-IP-Netmask == 255.255.255.255, + Framed-Protocol == PPP, + Framed-Protocol == SLIP, + Framed-Compression == Van-Jacobson-TCP-IP, + Framed-MTU >= 576, + Framed-Filter-ID =* ANY, + Reply-Message =* ANY, + Proxy-State =* ANY, + EAP-Message =* ANY, + Message-Authenticator =* ANY, + MS-MPPE-Recv-Key =* ANY, + MS-MPPE-Send-Key =* ANY, + MS-CHAP-MPPE-Keys =* ANY, + State =* ANY, + Session-Timeout <= 28800, + Idle-Timeout <= 600, + Calling-Station-Id =* ANY, + Operator-Name =* ANY, + Port-Limit <= 2 diff --git a/hosts/containers/radius/freeradius/attrs.access_challenge b/hosts/containers/radius/freeradius/attrs.access_challenge new file mode 100644 index 00000000..0a845ff2 --- /dev/null +++ b/hosts/containers/radius/freeradius/attrs.access_challenge @@ -0,0 +1,19 @@ +# +# Configuration file for the rlm_attr_filter module. +# Please see rlm_attr_filter(5) manpage for more information. +# +# $Id: 78ea54e83f4a998797f16a8c564b5c2f32642adc $ +# +# This configuration file is used to remove almost all of the +# attributes From an Access-Challenge message. The RFC's say +# that an Access-Challenge packet can contain only a few +# attributes. We enforce that here. +# +DEFAULT + EAP-Message =* ANY, + State =* ANY, + Message-Authenticator =* ANY, + Reply-Message =* ANY, + Proxy-State =* ANY, + Session-Timeout =* ANY, + Idle-Timeout =* ANY diff --git a/hosts/containers/radius/freeradius/attrs.access_reject b/hosts/containers/radius/freeradius/attrs.access_reject new file mode 100644 index 00000000..1f086982 --- /dev/null +++ b/hosts/containers/radius/freeradius/attrs.access_reject @@ -0,0 +1,17 @@ +# +# Configuration file for the rlm_attr_filter module. +# Please see rlm_attr_filter(5) manpage for more information. +# +# $Id: e263d504cfdc5cf5db00fa6aacf2bd148a7623fc $ +# +# This configuration file is used to remove almost all of the attributes +# From an Access-Reject message. The RFC's say that an Access-Reject +# packet can contain only a few attributes. We enforce that here. +# +DEFAULT + EAP-Message =* ANY, + State =* ANY, + Message-Authenticator =* ANY, + Reply-Message =* ANY, + MS-CHAP-Error =* ANY, + Proxy-State =* ANY diff --git a/hosts/containers/radius/freeradius/attrs.accounting_response b/hosts/containers/radius/freeradius/attrs.accounting_response new file mode 100644 index 00000000..eb72eec1 --- /dev/null +++ b/hosts/containers/radius/freeradius/attrs.accounting_response @@ -0,0 +1,15 @@ +# +# Configuration file for the rlm_attr_filter module. +# Please see rlm_attr_filter(5) manpage for more information. +# +# $Id: 3746ce4da3d58fcdd0b777a93e599045353c27ac $ +# +# This configuration file is used to remove almost all of the attributes +# From an Accounting-Response message. The RFC's say that an +# Accounting-Response packet can contain only a few attributes. +# We enforce that here. +# +DEFAULT + Vendor-Specific =* ANY, + Message-Authenticator =* ANY, + Proxy-State =* ANY diff --git a/hosts/containers/radius/freeradius/attrs.pre-proxy b/hosts/containers/radius/freeradius/attrs.pre-proxy new file mode 100644 index 00000000..786a341a --- /dev/null +++ b/hosts/containers/radius/freeradius/attrs.pre-proxy @@ -0,0 +1,62 @@ +# +# Configuration file for the rlm_attr_filter module. +# Please see rlm_attr_filter(5) manpage for more information. +# +# $Id: 8c601cf205f9d85b75c1ec7fc8e816e7341a5ba4 $ +# +# This file contains security and configuration information +# for each realm. It can be used be an rlm_attr_filter module +# instance to filter attributes before sending packets to the +# home server of a realm. +# +# When a packet is sent to a home server, these attributes +# and values are tested. Only the first match is used unless +# the "Fall-Through" variable is set to "Yes". In that case +# the rules defined in the DEFAULT case are processed as well. +# +# A special realm named "DEFAULT" matches on all realm names. +# You can have only one DEFAULT entry. All entries are processed +# in the order they appear in this file. The first entry that +# matches the login-request will stop processing unless you use +# the Fall-Through variable. +# +# The first line indicates the realm to which the rules apply. +# Indented (with the tab character) lines following the first +# line indicate the filter rules. +# + +# This is a complete entry for 'nochap' realm. It allows to send very +# basic attributes to the home server. Note that there is no Fall-Through +# entry so that no DEFAULT entry will be used. Only the listed attributes +# will be sent in the packet, all other attributes will be filtered out. +# +#nochap +# User-Name =* ANY, +# User-Password =* ANY, +# NAS-Ip-Address =* ANY, +# NAS-Identifier =* ANY + +# The entry for the 'brokenas' realm removes the attribute NAS-Port-Type +# if its value is different from 'Ethernet'. Then the default rules are +# applied. +# +#brokenas +# NAS-Port-Type == Ethernet +# Fall-Through = Yes + +# The rest of this file contains the DEFAULT entry. +# DEFAULT matches with all realm names. + +DEFAULT + User-Name =* ANY, + User-Password =* ANY, + CHAP-Password =* ANY, + CHAP-Challenge =* ANY, + MS-CHAP-Challenge =* ANY, + MS-CHAP-Response =* ANY, + EAP-Message =* ANY, + Message-Authenticator =* ANY, + State =* ANY, + NAS-IP-Address =* ANY, + NAS-Identifier =* ANY, + Proxy-State =* ANY diff --git a/hosts/containers/radius/freeradius/certs/ca.key b/hosts/containers/radius/freeradius/certs/ca.key new file mode 100644 index 00000000..8c510809 --- /dev/null +++ b/hosts/containers/radius/freeradius/certs/ca.key @@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-256-CBC,3AD0523FFE8CE8B72DF17107DF07836B + +e0kcoXFr/E2N762180rPOSAeXsWDY2Ej2iv3XD7VYblSK0ChdXfdGmIqoauUlwIn +K6WQ9E6tZFkYtnjFK3Sf7npjqqH8vYA0JewEBoLgA5/upA/ZYXZNXGqF5Xqs0q78 +314bOFsCy3Mb034OBPemQ8QY2zjsKvQJBQkzEujNDUfnSE7nKP7lZHIVhIeO8ec0 +GfjQ1sE4hACGhINdLdjZAT0UIxYgW8LARbaGt23H6SKOlVvCobCjzetRckVYBdt5 +8+m6Unx6z9L938koqUgbN8CJVv6FT5Sgk0fYJCRCEMKuMTDluSEAPFctKetn7eVy +mZY7WaxkbUZhGv4v9+VPuKmCfjlquMK9nKBQskOJNF4fiiWH17920K1hye513+iY +Q7GyTMywZqgirIjzusbeacXQ7MtZmlVlbIlwx2mh0edD73wQ1u42Wbhnxv1Sd4+M +57WGefprxh7XtX3G92joVIRt8Em+tsYnhZ0LdKEChIX6Fnrewr/uWdKcCjazksLX +fi1KVyDa4VVfZzgYRBxMXLBRY4l8g/JMRXI6pOEigzkpfnhVQS/pVWTTf35cJyMw +YSsWs9J8WzNb37SuZqNnKPcZCaf8F66TEeu4jigMtjgt1LwXo2biPUwsyiVq/VCT +pnfJho9OHVfDmplETeanpXTn902Z4ji173iFGe8E1MCqUARiHwtSFIHyCKCKvX7Z +9MnydV75V/JlvL4Tp+x/+h6HKjeDkdQW1kL469DOtvVJLN2nxq969m0ztIntj98B +UVNNQjIbwbVq2JQBdd3jDiDtFGPu+cZmX5/+boxb/Q0hHthf9Z/XfMiQUHyTOUI1 +LSOaH2tp0r1N0/C5BxNaqPaauyXEK4S96/YR071rjjWQBiF2qXQHOC3pjSFdrvVb +tZaqNbSvNgxqJhU8u5gf/fKOtMK2XMjzkk8E8jcwAY4gU3c72N17xlBRA2H9FM7B +DfjzNRcyCD39jyM+gfiudczBgarmonMQlTt153cR7UvZ3zZ7YmVWvSQ1hxy0deuT +OqfpSR/lgoIaXEW1igdyaMlXPetnTCMi1CaTzD7A80yJeWpK6abOxGk5O9mwwpUu +02YMas9ETsbnElMscQTYPpDui/0ZXX9gjNEpP03ZEkixr++QUkN3EA76A+i06GDE +3R+4W1GFn8uRrnruyciSR+e/S7g4M5Q99c7QCp9CdsPGKKMe681hj7SqylToNSwB +9DKNo+3QIIRupxkYcpyZBLnofRqiKbd3pcdnAUO6/15WBoiz0sqDnSbUIKf4eWmO +nzRVaA9cJ/6RF3hZ7++om/vbX7rskthZeGGvwZpRNIqwBsA0lHLZ5inB/dsChRTy +oMBX6zcPIyUWo9e0NOJqYTMmsBVA1QeAywzAJo/jRWL6mA8NT/97KizqYS1ZlcjU +PhT/v80l5hWrOzB+URZkBOo3ygkntScj/gxqLsisdrHP9YbOIkhRWSBWzWXGywXy +8PqoOZF1NB2pTuSP7z0THtxKn4B/mq15Lg+26YZgauVWlf8MY8FOOaDBeRGyJ9W7 +pbqktLIQ0zPRfF+CGVmTC62Bfcsb+DNXowvgU5DlN8hJ0rMmJYbcyJyWmwyWWKtX +-----END RSA PRIVATE KEY----- diff --git a/hosts/containers/radius/freeradius/certs/ca.pem b/hosts/containers/radius/freeradius/certs/ca.pem new file mode 100644 index 00000000..5561b3bb --- /dev/null +++ b/hosts/containers/radius/freeradius/certs/ca.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID5TCCAs2gAwIBAgIJAKA5akuqlUzKMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYD +VQQGEwJERTEQMA4GA1UECAwHU2FjaHNlbjEQMA4GA1UEBwwHRHJlc2RlbjENMAsG +A1UECgwEQzNEMjENMAsGA1UECwwEQzNEMjEaMBgGA1UEAwwRcmFkaXVzLmhxLmMz +ZDIuZGUxGzAZBgkqhkiG9w0BCQEWDG1haWxAYzNkMi5kZTAeFw0xNTA2MDYxOTA5 +MjFaFw0yNTA2MDMxOTA5MjFaMIGIMQswCQYDVQQGEwJERTEQMA4GA1UECAwHU2Fj +aHNlbjEQMA4GA1UEBwwHRHJlc2RlbjENMAsGA1UECgwEQzNEMjENMAsGA1UECwwE +QzNEMjEaMBgGA1UEAwwRcmFkaXVzLmhxLmMzZDIuZGUxGzAZBgkqhkiG9w0BCQEW +DG1haWxAYzNkMi5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPRR +Xf+pocIFjZGeSuo+LM7/lqnQ96Pc2g9cTXlxoeCFP1akwYUzDl1ZqvUZsC3hKKkB +EjmI2VB4rjIgT9Z/57aQ7jYYp1B6ivQDapKSqpKFL6s0VzDljrzOmxvGQFXyV88X +TiMkwmtmS2Bj62poWhSlpQk9sPaioz8SDrJtBxM9fNSbM1ED9rRXGWlSwEVBzeUp +YaNWYCc3CPYLIhNZmtFhAhNmzw/tIx5+MRa/hkEarbyToZ7EceTMJ4KflBBLXQzY +s2PLYkRbZMBUlRM7HDZVx6F8OPusnG1luB2LX/kQCvYuFk6BiBdussOFLD0swdtd +rK820j6dIAJbbxSfy90CAwEAAaNQME4wHQYDVR0OBBYEFDHshd+TNUAwSY0+cpaH +HDQaOXwnMB8GA1UdIwQYMBaAFDHshd+TNUAwSY0+cpaHHDQaOXwnMAwGA1UdEwQF +MAMBAf8wDQYJKoZIhvcNAQELBQADggEBADc7I4dtsIhSN0jDs0iavwBT13a1sslp +e2gwDdcTh0xAVmmrq84JY6uIoMjLrx+roE3vn+oLHP8qrlw4snbOc0mo04o2lMza +DepLQoBtnMNaUTSOHt1avvP8bhFTE0c0MlFAInC1MpqO5mtRwpays/f1Hc+iEOmx +o3iHLpdKpeEfFxFZVNsJKva/A2DlLVqTdH/UvTdnoxwvSRzzEBP3plqdNSFsg5XZ +oGNSsoNT6k2cFjQtxRdrKk+qggbPuPbTC5fXWOTlu4A2eVmW0XfT4eZ9z8QRe7dA +uGOcC1XiDLmIon9q5KIH3k3TiL5hELJu2BvatxJaOpwGR1pbcooZaI0= +-----END CERTIFICATE----- diff --git a/hosts/containers/radius/freeradius/certs/dh b/hosts/containers/radius/freeradius/certs/dh new file mode 100644 index 00000000..6b693b0d --- /dev/null +++ b/hosts/containers/radius/freeradius/certs/dh @@ -0,0 +1,5 @@ +-----BEGIN DH PARAMETERS----- +MIGHAoGBAKNmmoE+doPb+VmQlXOqsXcVX5ciwWyf+QsdEVyyic6fZUMWbAvFwDN1 +hnT5HbpWkCnwU5H27st8+SluOMGfjiwmhtn5TZqX1b0bOWH+UeT1iRLBaClZNNCx +MDWIVbk1cpnNszsMPGhjMrQwN06bZFPwFBS8+smgrDnQoN1BkPPjAgEC +-----END DH PARAMETERS----- diff --git a/hosts/containers/radius/freeradius/certs/server.csr b/hosts/containers/radius/freeradius/certs/server.csr new file mode 100644 index 00000000..6fe33889 --- /dev/null +++ b/hosts/containers/radius/freeradius/certs/server.csr @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIC1jCCAb4CAQAwgZAxCzAJBgNVBAYTAkRFMRAwDgYDVQQIDAdTYWNoc2VuMRAw +DgYDVQQHDAdEcmVzZGVuMQ0wCwYDVQQKDARDM0QyMQ0wCwYDVQQLDARDM0QyMSIw +IAYDVQQDDBlhbnliZXJ0LnJhZGl1cy5ocS5jM2QyLmRlMRswGQYJKoZIhvcNAQkB +FgxtYWlsQGMzZDIuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCm +yrdjj+J2xzLeALYQWfYdMPN+qXeEKMU4HkGhyUPAAbKRI5uXPg1XYbt4BCbKe4ZM +w/0bnHRkzubj1dvpwL5X8ziaoYixVvsO85gg7bL/6tBosbiRz7Z9eg1n8YXqCdCY +rtJX/Yqk/R7pqCe8y3vj7q5cRaSb24l0yJzbQGX15PeDkcHBdqIYLwctm004tsC3 +NBR5yyA2Wh7jlXTPL9KyJhEM7RfXKtMtn3Oe06TlRBUvmt8qBgPu7uEnHFK/E8lO +yK3CYl2i2FuvEfmO5V5zekhD2wdWhzvaL0bjaoBZEf6VxtWcQWVBOXEH9+39DWrn +ukPf/XhKQp3pPKctUUBBAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAE4GoYZ/w +Jf4rSuS6j/Sq4v4pUIoU3tZd3UvjG5jj34XZFvTNzKHdazS7VYyFjukMPSv+WljV +v2v6xn62RjRHXvRu4/fXBvyAcxdQngf892BYGTVxB3OMVE1JCyc2xARh6gcOvrfC +wwOIYw4Wc5xZ8JjmhK/9zyuVVSOEcV03LY7kSYFrwTgs/k/+Cv2Myimlc+n0r76/ +iDHU+8R0O/yD5dkDdJ/GFr9d09OoF+6WQc9pRVloHxQut9YS0C5P03+Xw9CUhRGB +L7n+k6eqzE2Fi43nTqb9KrBaTi/RdYht1DdaVxgJ1n/INqaeORqiAjyAmvuooBTF +jSbFtdKfURnjOQ== +-----END CERTIFICATE REQUEST----- diff --git a/hosts/containers/radius/freeradius/certs/server.key b/hosts/containers/radius/freeradius/certs/server.key new file mode 100644 index 00000000..c84b8f3a --- /dev/null +++ b/hosts/containers/radius/freeradius/certs/server.key @@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-256-CBC,D5409971E41EA7511A983B7756144C03 + +77B64GyVzF3TkltnC8nZaZENB1zCl626Bi3NcjpszsIw/LnOC8bn2MjiEQwoNXOI +GxcjUSyzB9v++/qMbvPIQ2hJXd7aayu0OWbLoFjyISqQDZhxMNwTlr0ZPppH2LoC +HXQV8BKSMkxN2SMNyLdZt6pfpKtyOBUKoy7jDCCiaTEamvGtGKyhgQZVpyPrz8lS +BFpUR2czPggFu8WsJ5jov7k7rEkuUMFvsNDRajRMwSzr9z6ESmEc9AavB9/t1TZ8 +M9eEgp65QUBcDzDVvP05pjwF+4wgqabC41k3EMiA2LLlFIn5Bvamq1Sj3DLdWIQE +fzgw8NM2JRF3CZdFt/rAVoCIcpNx7kcWu8UCpdHYmlB+VwIYnrUWngT5kaMp2vvu +B235/QffgANfB560dIP4Z2CnZI1SLyhTJPLTmwO/XWOtuoQso5nfxtHNq/IwrUA1 +jxedKG9AkBQQPsHAErZnxoFotK//zyggx6S41SjnMFWr1PrscU3mA+A+UvwLP7Bu +gmw1oIDWL3sZ5B7KQJ2FC6ryjyoQiSI/AK8Gk0Ryhf1oUhgguxUDnWSKqrxEoeHJ +S635pYjlDVyhU3ct9BWbFBOzdYPZBIQHPfB/lvmbl6lsFA5oOgCvZHDrBSytiSIc +0k5cjhhQanvPRVu8ulIiHNnMFGuvX1rzh0im4IrITK7YtHj65I1gCIU4gFrfXk6T +QtPZoaa5F4VV5BdyljF7t+yFzVthrbPb/MVjWJgC4j40fICmA8x5TTl//HGg41AN +yJcn3295GlTQ/EagxEfWAiy38+1IGwTsNFFHxaTYGoIMON06HTegFH39MmTOBl2G +mmk4d+m/A3KEZ1Le16xZCc7QjQRwMUMzHk4w3FfvkKSDj4Li8xFbKv4zUrXx++Q7 +mm5owtMWrit7bAbDli9hpGe+AsQGXIsHPC3i/wsm64niWiTcBK3TO5sF/3n0nNVb +MkdVA9OaBpXG8XjHdK62HylaOHpyNB7kEhRjcTT2EKZZ10DcQpPDvJhx8lkvauww +ubVZHBPqIXdI/L7H/6hqyxe0S0IPtoQpgEr/1lyUWQZtiDyFrQ1ySCY1HGwXtmWa +fUP6TyZQogdND8GhzhEFY4J/FWUM8k5VowzuxYnUGEKKERDwDaQwNRoi+L9fiiKh +nNmTOHCIoxCfN9+H8sVtPiliPr1x4G3aeegsEJfKnmDP5gyj02tOYb2IpqhSsdCZ +qXQ2AuUq42dq5YeQA0KVRD6hiK9L+sO5BSCrr2dtF6SAK+00/CL42EP2ee+C65kW +ksxGssmtGrcjcIW9niHx9acGTgDJ6nBK9zawQkNkF8pr8GUNyAsY5+nGy3H4EsO0 +XtszaUyT/xnSwZV+OGLIRP10lCiWPtU+Axay3DjUrxmbzzWZ3XmIbNRrYN2gxZ3b +eA1QJE2kFwmZfngDqTu9uACHINwegj9juCDCOHLYF3shiOgqEsRypCaTYfZKoZY6 +feelUSD5Xs86ezKO2KxU1Pan9pZCnKUtJ+lpmlqyQIB+DEKJpNabHIXECMIwnxzK +ftpahPFJDFWqguh1BeFZTCtb9qlDcXLMFac9aTMoK5KWQ3ed9gucvKHUm6G57zB8 +-----END RSA PRIVATE KEY----- diff --git a/hosts/containers/radius/freeradius/certs/server.pem b/hosts/containers/radius/freeradius/certs/server.pem new file mode 100644 index 00000000..8ebfc291 --- /dev/null +++ b/hosts/containers/radius/freeradius/certs/server.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDjjCCAnYCAQEwDQYJKoZIhvcNAQELBQAwgYgxCzAJBgNVBAYTAkRFMRAwDgYD +VQQIDAdTYWNoc2VuMRAwDgYDVQQHDAdEcmVzZGVuMQ0wCwYDVQQKDARDM0QyMQ0w +CwYDVQQLDARDM0QyMRowGAYDVQQDDBFyYWRpdXMuaHEuYzNkMi5kZTEbMBkGCSqG +SIb3DQEJARYMbWFpbEBjM2QyLmRlMB4XDTE1MDYwNjE5MTAzNloXDTI1MDYwMzE5 +MTAzNlowgZAxCzAJBgNVBAYTAkRFMRAwDgYDVQQIDAdTYWNoc2VuMRAwDgYDVQQH +DAdEcmVzZGVuMQ0wCwYDVQQKDARDM0QyMQ0wCwYDVQQLDARDM0QyMSIwIAYDVQQD +DBlhbnliZXJ0LnJhZGl1cy5ocS5jM2QyLmRlMRswGQYJKoZIhvcNAQkBFgxtYWls +QGMzZDIuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCmyrdjj+J2 +xzLeALYQWfYdMPN+qXeEKMU4HkGhyUPAAbKRI5uXPg1XYbt4BCbKe4ZMw/0bnHRk +zubj1dvpwL5X8ziaoYixVvsO85gg7bL/6tBosbiRz7Z9eg1n8YXqCdCYrtJX/Yqk +/R7pqCe8y3vj7q5cRaSb24l0yJzbQGX15PeDkcHBdqIYLwctm004tsC3NBR5yyA2 +Wh7jlXTPL9KyJhEM7RfXKtMtn3Oe06TlRBUvmt8qBgPu7uEnHFK/E8lOyK3CYl2i +2FuvEfmO5V5zekhD2wdWhzvaL0bjaoBZEf6VxtWcQWVBOXEH9+39DWrnukPf/XhK +Qp3pPKctUUBBAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJdpPd8HTJwOfjD0COUw +NBlPh7amQeASg0Gzz6w1NFZtVkUrnlp638pjsMsi6ldwwmNyWY5VA9TwwDTOxm9X +CacG2tEirGwIHsrOo4BBMSrMu7V2ts+IIv92C5kgmFU2vbs2jKquepKt4zsOfwd2 +X+5qF/5qr3BkOIE6pc00IE9rRyzcE0KvaEEVHlvc/oS8f2F8lYRpJNjFNmW1jKs9 +TaLQWG7a0Wy97IWk1kcW5XymjAq4UJjcbPWm+zZVUJq21wlHHLnkbP6KeqY0RE7R +wyq3yVAZTzXimfmwiQgGFA8P5pwrYkXcA342J+IgeblRgsT/6Lirfyd05ctQc3yL +NBU= +-----END CERTIFICATE----- diff --git a/hosts/containers/radius/freeradius/clients.conf b/hosts/containers/radius/freeradius/clients.conf new file mode 100644 index 00000000..87611eb8 --- /dev/null +++ b/hosts/containers/radius/freeradius/clients.conf @@ -0,0 +1,246 @@ +# -*- text -*- +## +## clients.conf -- client configuration directives +## +## $Id: 729c15d3e84c6cdb54a5f3652d93a2d7f8725fd4 $ + +####################################################################### +# +# Define RADIUS clients (usually a NAS, Access Point, etc.). + +# +# Defines a RADIUS client. +# +# '127.0.0.1' is another name for 'localhost'. It is enabled by default, +# to allow testing of the server after an initial installation. If you +# are not going to be permitting RADIUS queries from localhost, we suggest +# that you delete, or comment out, this entry. +# +# + +# +# Each client has a "short name" that is used to distinguish it from +# other clients. +# +# In version 1.x, the string after the word "client" was the IP +# address of the client. In 2.0, the IP address is configured via +# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x +# format is still accepted. +# +client localhost { + # Allowed values are: + # dotted quad (1.2.3.4) + # hostname (radius.example.com) + ipaddr = 127.0.0.1 + + # OR, you can use an IPv6 address, but not both + # at the same time. +# ipv6addr = :: # any. ::1 == localhost + + # + # A note on DNS: We STRONGLY recommend using IP addresses + # rather than host names. Using host names means that the + # server will do DNS lookups when it starts, making it + # dependent on DNS. i.e. If anything goes wrong with DNS, + # the server won't start! + # + # The server also looks up the IP address from DNS once, and + # only once, when it starts. If the DNS record is later + # updated, the server WILL NOT see that update. + # + + # One client definition can be applied to an entire network. + # e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and + # "netmask = 8" + # + # If not specified, the default netmask is 32 (i.e. /32) + # + # We do NOT recommend using anything other than 32. There + # are usually other, better ways to achieve the same goal. + # Using netmasks of other than 32 can cause security issues. + # + # You can specify overlapping networks (127/8 and 127.0/16) + # In that case, the smallest possible network will be used + # as the "best match" for the client. + # + # Clients can also be defined dynamically at run time, based + # on any criteria. e.g. SQL lookups, keying off of NAS-Identifier, + # etc. + # See raddb/sites-available/dynamic-clients for details. + # + +# netmask = 32 + + # + # The shared secret use to "encrypt" and "sign" packets between + # the NAS and FreeRADIUS. You MUST change this secret from the + # default, otherwise it's not a secret any more! + # + # The secret can be any string, up to 8k characters in length. + # + # Control codes can be entered vi octal encoding, + # e.g. "\101\102" == "AB" + # Quotation marks can be entered by escaping them, + # e.g. "foo\"bar" + # + # A note on security: The security of the RADIUS protocol + # depends COMPLETELY on this secret! We recommend using a + # shared secret that is composed of: + # + # upper case letters + # lower case letters + # numbers + # + # And is at LEAST 8 characters long, preferably 16 characters in + # length. The secret MUST be random, and should not be words, + # phrase, or anything else that is recognizable. + # + # The default secret below is only for testing, and should + # not be used in any real environment. + # + secret = testing123 + + # + # Old-style clients do not send a Message-Authenticator + # in an Access-Request. RFC 5080 suggests that all clients + # SHOULD include it in an Access-Request. The configuration + # item below allows the server to require it. If a client + # is required to include a Message-Authenticator and it does + # not, then the packet will be silently discarded. + # + # allowed values: yes, no + require_message_authenticator = no + + # + # The short name is used as an alias for the fully qualified + # domain name, or the IP address. + # + # It is accepted for compatibility with 1.x, but it is no + # longer necessary in 2.0 + # +# shortname = localhost + + # + # the following three fields are optional, but may be used by + # checkrad.pl for simultaneous use checks + # + + # + # The nastype tells 'checkrad.pl' which NAS-specific method to + # use to query the NAS for simultaneous use. + # + # Permitted NAS types are: + # + # cisco + # computone + # livingston + # juniper + # max40xx + # multitech + # netserver + # pathras + # patton + # portslave + # tc + # usrhiper + # other # for all other types + + # + nastype = other # localhost isn't usually a NAS... + + # + # The following two configurations are for future use. + # The 'naspasswd' file is currently used to store the NAS + # login name and password, which is used by checkrad.pl + # when querying the NAS for simultaneous use. + # +# login = !root +# password = someadminpas + + # + # As of 2.0, clients can also be tied to a virtual server. + # This is done by setting the "virtual_server" configuration + # item, as in the example below. + # +# virtual_server = home1 + + # + # A pointer to the "home_server_pool" OR a "home_server" + # section that contains the CoA configuration for this + # client. For an example of a coa home server or pool, + # see raddb/sites-available/originate-coa +# coa_server = coa +} + +# IPv6 Client +#client ::1 { +# secret = testing123 +# shortname = localhost +#} +# +# All IPv6 Site-local clients +#client fe80::/16 { +# secret = testing123 +# shortname = localhost +#} + +#client some.host.org { +# secret = testing123 +# shortname = localhost +#} + +# +# You can now specify one secret for a network of clients. +# When a client request comes in, the BEST match is chosen. +# i.e. The entry from the smallest possible network. +# +#client 192.168.0.0/24 { +# secret = testing123-1 +# shortname = private-network-1 +#} +# +#client 192.168.0.0/16 { +# secret = testing123-2 +# shortname = private-network-2 +#} + + +#client 10.10.10.10 { +# # secret and password are mapped through the "secrets" file. +# secret = testing123 +# shortname = liv1 +# # the following three fields are optional, but may be used by +# # checkrad.pl for simultaneous usage checks +# nastype = livingston +# login = !root +# password = someadminpas +#} + +####################################################################### +# +# Per-socket client lists. The configuration entries are exactly +# the same as above, but they are nested inside of a section. +# +# You can have as many per-socket client lists as you have "listen" +# sections, or you can re-use a list among multiple "listen" sections. +# +# Un-comment this section, and edit a "listen" section to add: +# "clients = per_socket_clients". That IP address/port combination +# will then accept ONLY the clients listed in this section. +# +#clients per_socket_clients { +# client 192.168.3.4 { +# secret = testing123 +# } +#} + +### ### ### C3D2 ### ### ### + +client 0.0.0.0/0 { + secret = public + nastype = other + require_message_authenticator = no +} + +### ### ### C3D2 ### ### ### +# EOF diff --git a/hosts/containers/radius/freeradius/dictionary b/hosts/containers/radius/freeradius/dictionary new file mode 100644 index 00000000..99c42d78 --- /dev/null +++ b/hosts/containers/radius/freeradius/dictionary @@ -0,0 +1,32 @@ +# +# This is the master dictionary file, which references the +# pre-defined dictionary files included with the server. +# +# Any new/changed attributes MUST be placed in this file, as +# the pre-defined dictionaries SHOULD NOT be edited. +# +# $Id: ceb31c82feb869972588f60fe6ace2fc1db70224 $ +# + +# +# The filename given here should be an absolute path. +# +$INCLUDE /usr/share/freeradius/dictionary + +# +# Place additional attributes or $INCLUDEs here. They will +# over-ride the definitions in the pre-defined dictionaries. +# +# See the 'man' page for 'dictionary' for information on +# the format of the dictionary files. + +# +# If you want to add entries to the dictionary file, +# which are NOT going to be placed in a RADIUS packet, +# add them here. The numbers you pick should be between +# 3000 and 4000. +# + +#ATTRIBUTE My-Local-String 3000 string +#ATTRIBUTE My-Local-IPAddr 3001 ipaddr +#ATTRIBUTE My-Local-Integer 3002 integer diff --git a/hosts/containers/radius/freeradius/eap.conf b/hosts/containers/radius/freeradius/eap.conf new file mode 100644 index 00000000..c77826e6 --- /dev/null +++ b/hosts/containers/radius/freeradius/eap.conf @@ -0,0 +1,688 @@ +# -*- text -*- +## +## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.) +## +## $Id: 95bebe4d25ef13871fb201ba540ed008078dab07 $ + +####################################################################### +# +# Whatever you do, do NOT set 'Auth-Type := EAP'. The server +# is smart enough to figure this out on its own. The most +# common side effect of setting 'Auth-Type := EAP' is that the +# users then cannot use ANY other authentication method. +# +# EAP types NOT listed here may be supported via the "eap2" module. +# See experimental.conf for documentation. +# + eap { + # Invoke the default supported EAP type when + # EAP-Identity response is received. + # + # The incoming EAP messages DO NOT specify which EAP + # type they will be using, so it MUST be set here. + # + # For now, only one default EAP type may be used at a time. + # + # If the EAP-Type attribute is set by another module, + # then that EAP type takes precedence over the + # default type configured here. + # + default_eap_type = ttls + + # A list is maintained to correlate EAP-Response + # packets with EAP-Request packets. After a + # configurable length of time, entries in the list + # expire, and are deleted. + # + timer_expire = 60 + + # There are many EAP types, but the server has support + # for only a limited subset. If the server receives + # a request for an EAP type it does not support, then + # it normally rejects the request. By setting this + # configuration to "yes", you can tell the server to + # instead keep processing the request. Another module + # MUST then be configured to proxy the request to + # another RADIUS server which supports that EAP type. + # + # If another module is NOT configured to handle the + # request, then the request will still end up being + # rejected. + ignore_unknown_eap_types = no + + # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given + # a User-Name attribute in an Access-Accept, it copies one + # more byte than it should. + # + # We can work around it by configurably adding an extra + # zero byte. + cisco_accounting_username_bug = no + + # + # Help prevent DoS attacks by limiting the number of + # sessions that the server is tracking. For simplicity, + # this is taken from the "max_requests" directive in + # radiusd.conf. + max_sessions = ${max_requests} + + # Supported EAP-types + + # + # We do NOT recommend using EAP-MD5 authentication + # for wireless connections. It is insecure, and does + # not provide for dynamic WEP keys. + # + md5 { + } + + # Cisco LEAP + # + # We do not recommend using LEAP in new deployments. See: + # http://www.securiteam.com/tools/5TP012ACKE.html + # + # Cisco LEAP uses the MS-CHAP algorithm (but not + # the MS-CHAP attributes) to perform it's authentication. + # + # As a result, LEAP *requires* access to the plain-text + # User-Password, or the NT-Password attributes. + # 'System' authentication is impossible with LEAP. + # + leap { + } + + # Generic Token Card. + # + # Currently, this is only permitted inside of EAP-TTLS, + # or EAP-PEAP. The module "challenges" the user with + # text, and the response from the user is taken to be + # the User-Password. + # + # Proxying the tunneled EAP-GTC session is a bad idea, + # the users password will go over the wire in plain-text, + # for anyone to see. + # + gtc { + # The default challenge, which many clients + # ignore.. + #challenge = "Password: " + + # The plain-text response which comes back + # is put into a User-Password attribute, + # and passed to another module for + # authentication. This allows the EAP-GTC + # response to be checked against plain-text, + # or crypt'd passwords. + # + # If you say "Local" instead of "PAP", then + # the module will look for a User-Password + # configured for the request, and do the + # authentication itself. + # + auth_type = PAP + } + + ## EAP-TLS + # + # See raddb/certs/README for additional comments + # on certificates. + # + # If OpenSSL was not found at the time the server was + # built, the "tls", "ttls", and "peap" sections will + # be ignored. + # + # Otherwise, when the server first starts in debugging + # mode, test certificates will be created. See the + # "make_cert_command" below for details, and the README + # file in raddb/certs + # + # These test certificates SHOULD NOT be used in a normal + # deployment. They are created only to make it easier + # to install the server, and to perform some simple + # tests with EAP-TLS, TTLS, or PEAP. + # + # See also: + # + # http://www.dslreports.com/forum/remark,9286052~mode=flat + # + # Note that you should NOT use a globally known CA here! + # e.g. using a Verisign cert as a "known CA" means that + # ANYONE who has a certificate signed by them can + # authenticate via EAP-TLS! This is likely not what you want. + tls { + # + # These is used to simplify later configurations. + # + certdir = ${confdir}/certs + cadir = ${confdir}/certs + + private_key_password = c3d2 + private_key_file = ${certdir}/server.key + + # If Private key & Certificate are located in + # the same file, then private_key_file & + # certificate_file must contain the same file + # name. + # + # If CA_file (below) is not used, then the + # certificate_file below MUST include not + # only the server certificate, but ALSO all + # of the CA certificates used to sign the + # server certificate. + certificate_file = ${certdir}/server.pem + + # Trusted Root CA list + # + # ALL of the CA's in this list will be trusted + # to issue client certificates for authentication. + # + # In general, you should use self-signed + # certificates for 802.1x (EAP) authentication. + # In that case, this CA file should contain + # *one* CA certificate. + # + # This parameter is used only for EAP-TLS, + # when you issue client certificates. If you do + # not use client certificates, and you do not want + # to permit EAP-TLS authentication, then delete + # this configuration item. + CA_file = ${cadir}/ca.pem + + # + # For DH cipher suites to work, you have to + # run OpenSSL to create the DH file first: + # + # openssl dhparam -out certs/dh 1024 + # + dh_file = ${certdir}/dh + random_file = /dev/urandom + + + # + # This can never exceed the size of a RADIUS + # packet (4096 bytes), and is preferably half + # that, to accomodate other attributes in + # RADIUS packet. On most APs the MAX packet + # length is configured between 1500 - 1600 + # In these cases, fragment size should be + # 1024 or less. + # + fragment_size = 1024 + + # include_length is a flag which is + # by default set to yes If set to + # yes, Total Length of the message is + # included in EVERY packet we send. + # If set to no, Total Length of the + # message is included ONLY in the + # First packet of a fragment series. + # + # include_length = yes + + # Check the Certificate Revocation List + # + # 1) Copy CA certificates and CRLs to same directory. + # 2) Execute 'c_rehash '. + # 'c_rehash' is OpenSSL's command. + # 3) uncomment the line below. + # 5) Restart radiusd + # check_crl = yes + CA_path = ${cadir} + + # + # If check_cert_issuer is set, the value will + # be checked against the DN of the issuer in + # the client certificate. If the values do not + # match, the cerficate verification will fail, + # rejecting the user. + # + # In 2.1.10 and later, this check can be done + # more generally by checking the value of the + # TLS-Client-Cert-Issuer attribute. This check + # can be done via any mechanism you choose. + # + # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" + + # + # If check_cert_cn is set, the value will + # be xlat'ed and checked against the CN + # in the client certificate. If the values + # do not match, the certificate verification + # will fail rejecting the user. + # + # This check is done only if the previous + # "check_cert_issuer" is not set, or if + # the check succeeds. + # + # In 2.1.10 and later, this check can be done + # more generally by checking the value of the + # TLS-Client-Cert-CN attribute. This check + # can be done via any mechanism you choose. + # + # check_cert_cn = %{User-Name} + # + # Set this option to specify the allowed + # TLS cipher suites. The format is listed + # in "man 1 ciphers". + cipher_list = "DEFAULT" + + # + # As part of checking a client certificate, the EAP-TLS + # sets some attributes such as TLS-Client-Cert-CN. This + # virtual server has access to these attributes, and can + # be used to accept or reject the request. + # + # virtual_server = check-eap-tls + + # This command creates the initial "snake oil" + # certificates when the server is run as root, + # and via "radiusd -X". + # + # As of 2.1.11, it *also* checks the server + # certificate for validity, including expiration. + # This means that radiusd will refuse to start + # when the certificate has expired. The alternative + # is to have the 802.1X clients refuse to connect + # when they discover the certificate has expired. + # + # Debugging client issues is hard, so it's better + # for the server to print out an error message, + # and refuse to start. + # + make_cert_command = "${certdir}/bootstrap" + + # + # Elliptical cryptography configuration + # + # Only for OpenSSL >= 0.9.8.f + # + ecdh_curve = "prime256v1" + + # + # Session resumption / fast reauthentication + # cache. + # + # The cache contains the following information: + # + # session Id - unique identifier, managed by SSL + # User-Name - from the Access-Accept + # Stripped-User-Name - from the Access-Request + # Cached-Session-Policy - from the Access-Accept + # + # The "Cached-Session-Policy" is the name of a + # policy which should be applied to the cached + # session. This policy can be used to assign + # VLANs, IP addresses, etc. It serves as a useful + # way to re-apply the policy from the original + # Access-Accept to the subsequent Access-Accept + # for the cached session. + # + # On session resumption, these attributes are + # copied from the cache, and placed into the + # reply list. + # + # You probably also want "use_tunneled_reply = yes" + # when using fast session resumption. + # + cache { + # + # Enable it. The default is "no". + # Deleting the entire "cache" subsection + # Also disables caching. + # + # You can disallow resumption for a + # particular user by adding the following + # attribute to the control item list: + # + # Allow-Session-Resumption = No + # + # If "enable = no" below, you CANNOT + # enable resumption for just one user + # by setting the above attribute to "yes". + # + enable = no + + # + # Lifetime of the cached entries, in hours. + # The sessions will be deleted after this + # time. + # + lifetime = 24 # hours + + # + # The maximum number of entries in the + # cache. Set to "0" for "infinite". + # + # This could be set to the number of users + # who are logged in... which can be a LOT. + # + max_entries = 255 + } + + # + # As of version 2.1.10, client certificates can be + # validated via an external command. This allows + # dynamic CRLs or OCSP to be used. + # + # This configuration is commented out in the + # default configuration. Uncomment it, and configure + # the correct paths below to enable it. + # + verify { + # A temporary directory where the client + # certificates are stored. This directory + # MUST be owned by the UID of the server, + # and MUST not be accessible by any other + # users. When the server starts, it will do + # "chmod go-rwx" on the directory, for + # security reasons. The directory MUST + # exist when the server starts. + # + # You should also delete all of the files + # in the directory when the server starts. + # tmpdir = /tmp/radiusd + + # The command used to verify the client cert. + # We recommend using the OpenSSL command-line + # tool. + # + # The ${..CA_path} text is a reference to + # the CA_path variable defined above. + # + # The %{TLS-Client-Cert-Filename} is the name + # of the temporary file containing the cert + # in PEM format. This file is automatically + # deleted by the server when the command + # returns. + # client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}" + } + + # + # OCSP Configuration + # Certificates can be verified against an OCSP + # Responder. This makes it possible to immediately + # revoke certificates without the distribution of + # new Certificate Revokation Lists (CRLs). + # + ocsp { + # + # Enable it. The default is "no". + # Deleting the entire "ocsp" subsection + # Also disables ocsp checking + # + enable = no + + # + # The OCSP Responder URL can be automatically + # extracted from the certificate in question. + # To override the OCSP Responder URL set + # "override_cert_url = yes". + # + override_cert_url = yes + + # + # If the OCSP Responder address is not + # extracted from the certificate, the + # URL can be defined here. + + # + # Limitation: Currently the HTTP + # Request is not sending the "Host: " + # information to the web-server. This + # can be a problem if the OCSP + # Responder is running as a vhost. + # + url = "http://127.0.0.1/ocsp/" + + # + # If the OCSP Responder can not cope with nonce + # in the request, then it can be disabled here. + # + # For security reasons, disabling this option + # is not recommended as nonce protects against + # replay attacks. + # + # Note that Microsoft AD Certificate Services OCSP + # Responder does not enable nonce by default. It is + # more secure to enable nonce on the responder than + # to disable it in the query here. + # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx + # + # use_nonce = yes + + # + # Number of seconds before giving up waiting + # for OCSP response. 0 uses system default. + # + # timeout = 0 + + # + # Normally an error in querying the OCSP + # responder (no response from server, server did + # not understand the request, etc) will result in + # a validation failure. + # + # To treat these errors as 'soft' failures and + # still accept the certificate, enable this + # option. + # + # Warning: this may enable clients with revoked + # certificates to connect if the OCSP responder + # is not available. Use with caution. + # + # softfail = no + } + } + + # The TTLS module implements the EAP-TTLS protocol, + # which can be described as EAP inside of Diameter, + # inside of TLS, inside of EAP, inside of RADIUS... + # + # Surprisingly, it works quite well. + # + # The TTLS module needs the TLS module to be installed + # and configured, in order to use the TLS tunnel + # inside of the EAP packet. You will still need to + # configure the TLS module, even if you do not want + # to deploy EAP-TLS in your network. Users will not + # be able to request EAP-TLS, as it requires them to + # have a client certificate. EAP-TTLS does not + # require a client certificate. + # + # You can make TTLS require a client cert by setting + # + # EAP-TLS-Require-Client-Cert = Yes + # + # in the control items for a request. + # + ttls { + # The tunneled EAP session needs a default + # EAP type which is separate from the one for + # the non-tunneled EAP module. Inside of the + # TTLS tunnel, we recommend using EAP-MD5. + # If the request does not contain an EAP + # conversation, then this configuration entry + # is ignored. + default_eap_type = md5 + + # The tunneled authentication request does + # not usually contain useful attributes + # like 'Calling-Station-Id', etc. These + # attributes are outside of the tunnel, + # and normally unavailable to the tunneled + # authentication request. + # + # By setting this configuration entry to + # 'yes', any attribute which NOT in the + # tunneled authentication request, but + # which IS available outside of the tunnel, + # is copied to the tunneled request. + # + # allowed values: {no, yes} + copy_request_to_tunnel = no + + # The reply attributes sent to the NAS are + # usually based on the name of the user + # 'outside' of the tunnel (usually + # 'anonymous'). If you want to send the + # reply attributes based on the user name + # inside of the tunnel, then set this + # configuration entry to 'yes', and the reply + # to the NAS will be taken from the reply to + # the tunneled request. + # + # allowed values: {no, yes} + use_tunneled_reply = no + + # + # The inner tunneled request can be sent + # through a virtual server constructed + # specifically for this purpose. + # + # If this entry is commented out, the inner + # tunneled request will be sent through + # the virtual server that processed the + # outer requests. + # + virtual_server = "inner-tunnel" + + # This has the same meaning as the + # same field in the "tls" module, above. + # The default value here is "yes". + # include_length = yes + } + + ################################################## + # + # !!!!! WARNINGS for Windows compatibility !!!!! + # + ################################################## + # + # If you see the server send an Access-Challenge, + # and the client never sends another Access-Request, + # then + # + # STOP! + # + # The server certificate has to have special OID's + # in it, or else the Microsoft clients will silently + # fail. See the "scripts/xpextensions" file for + # details, and the following page: + # + # http://support.microsoft.com/kb/814394/en-us + # + # For additional Windows XP SP2 issues, see: + # + # http://support.microsoft.com/kb/885453/en-us + # + # + # If is still doesn't work, and you're using Samba, + # you may be encountering a Samba bug. See: + # + # https://bugzilla.samba.org/show_bug.cgi?id=6563 + # + # Note that we do not necessarily agree with their + # explanation... but the fix does appear to work. + # + ################################################## + + # + # The tunneled EAP session needs a default EAP type + # which is separate from the one for the non-tunneled + # EAP module. Inside of the TLS/PEAP tunnel, we + # recommend using EAP-MS-CHAPv2. + # + # The PEAP module needs the TLS module to be installed + # and configured, in order to use the TLS tunnel + # inside of the EAP packet. You will still need to + # configure the TLS module, even if you do not want + # to deploy EAP-TLS in your network. Users will not + # be able to request EAP-TLS, as it requires them to + # have a client certificate. EAP-PEAP does not + # require a client certificate. + # + # + # You can make PEAP require a client cert by setting + # + # EAP-TLS-Require-Client-Cert = Yes + # + # in the control items for a request. + # + peap { + # The tunneled EAP session needs a default + # EAP type which is separate from the one for + # the non-tunneled EAP module. Inside of the + # PEAP tunnel, we recommend using MS-CHAPv2, + # as that is the default type supported by + # Windows clients. + default_eap_type = mschapv2 + + # the PEAP module also has these configuration + # items, which are the same as for TTLS. + copy_request_to_tunnel = no + use_tunneled_reply = no + + # When the tunneled session is proxied, the + # home server may not understand EAP-MSCHAP-V2. + # Set this entry to "no" to proxy the tunneled + # EAP-MSCHAP-V2 as normal MSCHAPv2. + # proxy_tunneled_request_as_eap = yes + + # + # The inner tunneled request can be sent + # through a virtual server constructed + # specifically for this purpose. + # + # If this entry is commented out, the inner + # tunneled request will be sent through + # the virtual server that processed the + # outer requests. + # + virtual_server = "inner-tunnel" + + # This option enables support for MS-SoH + # see doc/SoH.txt for more info. + # It is disabled by default. + # +# soh = yes + + # + # The SoH reply will be turned into a request which + # can be sent to a specific virtual server: + # +# soh_virtual_server = "soh-server" + } + + # + # This takes no configuration. + # + # Note that it is the EAP MS-CHAPv2 sub-module, not + # the main 'mschap' module. + # + # Note also that in order for this sub-module to work, + # the main 'mschap' module MUST ALSO be configured. + # + # This module is the *Microsoft* implementation of MS-CHAPv2 + # in EAP. There is another (incompatible) implementation + # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not + # currently support. + # + mschapv2 { + # Prior to version 2.1.11, the module never + # sent the MS-CHAP-Error message to the + # client. This worked, but it had issues + # when the cached password was wrong. The + # server *should* send "E=691 R=0" to the + # client, which tells it to prompt the user + # for a new password. + # + # The default is to behave as in 2.1.10 and + # earlier, which is known to work. If you + # set "send_error = yes", then the error + # message will be sent back to the client. + # This *may* help some clients work better, + # but *may* also cause other clients to stop + # working. + # +# send_error = no + } + } diff --git a/hosts/containers/radius/freeradius/experimental.conf b/hosts/containers/radius/freeradius/experimental.conf new file mode 100644 index 00000000..b58c2c73 --- /dev/null +++ b/hosts/containers/radius/freeradius/experimental.conf @@ -0,0 +1,450 @@ +# +# This file contains the configuration for experimental modules. +# +# By default, it is NOT included in the build. +# +# $Id: 3db2f300329829b4810b00d3181f13bbac10ccd0 $ +# + + # Configuration for the Python module. + # + # Where radiusd is a Python module, radiusd.py, and the + # function 'authorize' is called. Here is a dummy piece + # of code: + # + # def authorize(params): + # print params + # return (5, ('Reply-Message', 'banned')) + # + # The RADIUS value-pairs are passed as a tuple of tuple + # pairs as the first argument, e.g. (('attribute1', + # 'value1'), ('attribute2', 'value2')) + # + # The function return is a tuple with the first element + # being the return value of the function. + # The 5 corresponds to RLM_MODULE_USERLOCK. I plan to + # write the return values as Python symbols to avoid + # confusion. + # + # The remaining tuple members are the string form of + # value-pairs which are passed on to pairmake(). + # + python { + mod_instantiate = radiusd_test + func_instantiate = instantiate + + mod_authorize = radiusd_test + func_authorize = authorize + + mod_accounting = radiusd_test + func_accounting = accounting + + mod_pre_proxy = radiusd_test + func_pre_proxy = pre_proxy + + mod_post_proxy = radiusd_test + func_post_proxy = post_proxy + + mod_post_auth = radiusd_test + func_post_auth = post_auth + + mod_recv_coa = radiusd_test + func_recv_coa = recv_coa + + mod_send_coa = radiusd_test + func_send_coa = send_coa + + mod_detach = radiusd_test + func_detach = detach + } + + + # Configuration for the example module. Uncommenting it will cause it + # to get loaded and initialized, but should have no real effect as long + # it is not referencened in one of the autz/auth/preacct/acct sections + example { + # Boolean variable. + # allowed values: {no, yes} + boolean = yes + + # An integer, of any value. + integer = 16 + + # A string. + string = "This is an example configuration string" + + # An IP address, either in dotted quad (1.2.3.4) or hostname + # (example.com) + ipaddr = 127.0.0.1 + + # A subsection + mysubsection { + anotherinteger = 1000 + # They nest + deeply nested { + string = "This is a different string" + } + } + } + + # + # To create a dbm users file, do: + # + # cat test.users | rlm_dbm_parser -f /etc/raddb/users_db + # + # Then add 'dbm' in 'authorize' section. + # + # Note that even if the file has a ".db" or ".dbm" extension, + # you may have to specify it here without that extension. This + # is because the DBM libraries "helpfully" add a ".db" to the + # filename, but don't check if it's already there. + # + dbm { + usersfile = ${confdir}/users_db + } + + # + # Perform NT-Domain authentication. This only works + # with PAP authentication. That is, Authentication-Request + # packets containing a User-Password attribute. + # + # To use it, add 'smb' into the 'authenticate' section, + # and then in another module (usually the 'users' file), + # set 'Auth-Type := SMB' + # + # WARNING: this module is not only experimental, it's also + # a security threat. It's not recommended to use it until + # it gets fixed. + # + smb { + server = ntdomain.server.example.com + backup = backup.server.example.com + domain = NTDOMAIN + } + + # See doc/rlm_fastusers before using this + # module or changing these values. + # + fastusers { + usersfile = ${confdir}/users_fast + hashsize = 1000 + compat = no + # Reload the hash every 600 seconds (10mins) + hash_reload = 600 + } + + # Caching module + # + # Should be added in the post-auth section (after all other modules) + # and in the authorize section (before any other modules) + # + # authorize { + # caching { + # ok = return + # } + # [... other modules ...] + # } + # post-auth { + # [... other modules ...] + # caching + # } + # + # The caching module will cache the Auth-Type and reply items + # and send them back on any subsequent requests for the same key + # + # Configuration: + # + # filename: The gdbm file to use for the cache database + # (can be memory mapped for more speed) + # + # key: A string to xlat and use as a key. For instance, + # "%{Acct-Unique-Session-Id}" + # + # post-auth: If we find a cached entry, set the post-auth to that value + # + # cache-ttl: The time to cache the entry. The same time format + # as the counter module apply here. + # num[hdwm] where: + # h: hours, d: days, w: weeks, m: months + # If the letter is ommited days will be assumed. + # e.g. 1d == one day + # + # cache-size: The gdbm cache size to request (default 1000) + # + # hit-ratio: If set to non-zero we print out statistical + # information after so many cache requests + # + # cache-rejects: Do we also cache rejects, or not? (default 'yes') + # + caching { + filename = ${db_dir}/db.cache + cache-ttl = 1d + hit-ratio = 1000 + key = "%{Acct-Unique-Session-Id}" + #post-auth = "" + # cache-size = 2000 + # cache-rejects = yes + } + + + # Simple module for logging of Account packets to radiusd.log + # You need to declare it in the accounting section for it to work + acctlog { + acctlog_update = "" + acctlog_start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})" + acctlog_stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds" + acctlog_on = "NAS %C (%{NAS-IP-Address}) just came online" + acctlog_off = "NAS %C (%{NAS-IP-Address}) just went offline" + } + + # Another implementation of the EAP module. + # + # This module requires the libeap.so file from the hostap + # software (http://hostap.epitest.fi/hostapd/). It has been + # tested on the development version of hostapd (0.6.1) ONLY. + # + # In order to use it, you MUST build a "libeap.so" in hostapd, + # which is not done by default. + # + # You MUST also edit the file: src/modules/rlm_eap2/Makefile + # to point to the location of the hostap include files. + # + # This module CANNOT be used in the same way as the current + # FreeRADIUS "eap" module. There is NO way to look inside of + # a tunneled request. There is NO way to proxy a tunneled + # request. There is NO way to even look at the user name inside + # of the tunneled request. There is NO way to control the + # choice of EAP types inside of the tunnel. You MUST force + # the server to choose "eap2" for authentication, because this + # module has no "authorize" section. + # + # If you want to use this module for experimentation, please + # post your comments to the freeradius-devel list: + # + # http://lists.freeradius.org/mailman/listinfo/freeradius-devel + # + # If you want to use this module in a production (i.e. real-world) + # environment: + # + # !!! DO NOT USE IT IN A PRODUCTION ENVIRONMENT !!! + # + # The module needs additional work to make it ready for + # production use.. Please supply patches, or sponsor the + # work by hiring a developer. Do NOT ask when the work will + # be done, because there is no plan to finish this module + # unless there is demand for it. + # + eap2 { + # EAP types are chosen in the order that they are + # listed in this section. There is no "default_eap_type" + # as with rlm_eap. Instead, the *first* EAP type is + # used as the default type. + # + peap { + } + + ttls { + } + + # This is the ONLY EAP type that has any configuration. + # All other EAP types have no configuration. + # + tls { + ca_cert = ${confdir}/certs/ca.pem + server_cert = ${confdir}/certs/server.pem + private_key_file = ${confdir}/certs/server.pem + private_key_password = whatever + } + + # + # These next two methods do not supply keying material. + # + md5 { + } + + mschapv2 { + } + + fast { + pac_opaque_encr_key = 000102030405060708090a0b0c0d0e0f + eap_fast_a_id = xxxxxx + eap_fast_a_id_info = my_server + eap_fast_prov = 3 + pac_key_lifetime = 604800 # 7 days + pac_key_refresh_tim = 86400 + } + + # LEAP is NOT supported by this module. + # Use the "eap" module instead. + + # For other methods that MIGHT work, see the + # configuration of hostap. The methods are statically + # linked in at compile time, and cannot be controlled + # here. + } + + # Configuration for experimental EAP types. The sub-sections + # can be copied into eap.conf. + eap { + ikev2 { + + # Server auth type + # Allowed values are: + # cert - for certificate based server authentication, + # other required settings for this type are + # 'private_key_file' and 'certificate_file' + # secret - for shared secret based server authentication, + # other required settings for this type is 'id' + # Default value of this option is 'secret' + # server_authtype=cert + + # Allowed default client auth types + # Allowed values are: + # secret - for shared secret based client authentication + # cert - for certificate based client authentication + # both - shared secret and certificate is allowed + # none - authentication will always fail + # Default value for this option is 'both'. This option could + # be overwritten within 'usersfile' file by EAP-IKEv2-Auth + # option. + # default_authtype = both + + # path to trusted CA certificate file + CA_file="/path/to/CA/cacert.pem" + + # path to CRL file, if not set, then there will be no + # checks against CRL + # crl_file="/path/to/crl.pem" + + # path to file with user settings + # + # Note that this file is read ONLY on module initialization! + # + # default ${confdir}/eap_ikev2_users + # usersfile=${confdir}/eap_ikev2_users + +# +# Sample "eap_ikev2_users" file entry: +# +#username EAP-IKEv2-IDType := KEY_ID, EAP-IKEv2-Secret := "tajne" + +## where: +## username - client user name from IKE-AUTH (IDr) or CommonName +## from x509 certificate +## EAP-IKEv2-IDType - ID Type - same as in expected IDType payload +## allowable attributes for EAP-IKEv2-IDType: +## IPV4_ADDR FQDN RFC822_ADDR IPV6_ADDR DER_ASN1_DN +## DER_ASN1_GN KEY_ID +## EAP-IKEv2-Secret - shared secret +## EAP-IKEv2-AuthType - optional parameter which defines expected client auth +## type. Allowed values are: secret,cert,both,none. +## For the meaning of this values, please see the +## description of 'default_authtype'. +## This attribute can overwrite 'default_authtype' value. + + + + # path to file with server private key + private_key_file="/path/to/srv-private-key.pem" + + # password to private key file + private_key_password="passwd" + + # path to file with server certificate + certificate_file="/path/to/srv-cert.pem" + + # server identity string + id="deMaio" + + # Server identity type. Allowed values are: + # IPV4_ADDR, FQDN, RFC822_ADDR, IPV6_ADDR, ASN1_DN, ASN1_GN, + # KEY_ID + # Default value is: KEY_ID + # id_type = KEY_ID + + + # MTU (default: 1398) + # fragment_size = 1398 + + # maximal allowed number of resends SA_INIT after receiving + # 'invalid KEY' notification (default 3) + # DH_counter_max = 3 + + # option which is used to control whenever send CERT REQ + # payload or not. + # Allowed values for this option are "yes" or "no". + #Default value is "no". + # certreq = "yes" + + # option which cotrols fast reconnect capability. + # Allowed valuse for this option are "yes" or "no". + # Default value is "yes". + # enable_fast_reauth = "no" + + # option which is used to control performing of DH exchange + # during fast rekeying protocol run. + # Allowed values for this option are "yes" or "no". + # Default value is "no" + # fast_DH_exchange = "yes" + + # Option which is used to set up expiration time of inactive + # IKEv2 session. + # After selected period of time (in seconds), inactive + # session data will be deleted. + # Default value of this option is set to 900 seconds + # fast_timer_expire = 900 + + # list of server proposals of available cryptographic + # suites + proposals { + # proposal number #1 + proposal { + + # Supported transforms types: encryption, + # prf, integrity, dhgroup. For multiple + # transforms just simple repeat key (i.e. + # integity). + + # encryption algorithm + # supported algorithms: + # null,3des,aes_128_cbc,aes_192_cbc, + # aes_256_cbc,idea + # blowfish:n, where n range from 8 to 448 bits, + # step 8 bits + # cast:n, where n range from 40 to 128 bits, + # step 8 bits + encryption = 3des + + # pseudo random function. Supported prf's: + # hmac_md5, hmac_sha1, hmac_tiger + prf = hmac_sha1 + + # integrity algorithm. Supported algorithms: + # hmac_md5_96, hmac_sha1_96,des_mac + integrity = hmac_sha1_96 + integrity = hmac_md5_96 + + # Diffie-Hellman groups: + # modp768, modp1024, modp1536, modp2048, + # modp3072, modp4096, modp6144, modp8192 + dhgroup = modp2048 + } + + # proposal number #2 + proposal { + encryption = 3des + prf = hmac_md5 + integrity = hmac_md5_96 + dhgroup = modp1024 + } + + # proposal number #3 + proposal { + encryption=3des + prf=hmac_md5 + integrity=hmac_md5_96 + dhgroup=modp2048 + } + } + } + } diff --git a/hosts/containers/radius/freeradius/hints b/hosts/containers/radius/freeradius/hints new file mode 100644 index 00000000..87306ad4 --- /dev/null +++ b/hosts/containers/radius/freeradius/hints @@ -0,0 +1,77 @@ +# hints +# +# The hints file. This file is used to match +# a request, and then add attributes to it. This +# process allows a user to login as "bob.ppp" (for example), +# and receive a PPP connection, even if the NAS doesn't +# ask for PPP. The "hints" file is used to match the +# ".ppp" portion of the username, and to add a set of +# "user requested PPP" attributes to the request. +# +# Matching can take place with the the Prefix and Suffix +# attributes, just like in the "users" file. +# These attributes operate ONLY on the username, though. +# +# Note that the attributes that are set for each +# entry are _NOT_ passed back to the terminal server. +# Instead they are added to the information that has +# been _SENT_ by the terminal server. +# +# This extra information can be used in the users file to +# match on. Usually this is done in the DEFAULT entries, +# of which there can be more than one. +# +# In addition a matching entry can transform a username +# for authentication purposes if the "Strip-User-Name" +# variable is set to Yes in an entry (default is Yes). +# +# A special non-protocol name-value pair called "Hint" +# can be set to match on in the "users" file. +# +# The following is how most ISPs want to set this up. +# +# Version: $Id: f92ffb9f1e5bd0509b2e0e5e015001fda52bdfc3 $ +# + + +DEFAULT Suffix == ".ppp", Strip-User-Name = Yes + Hint = "PPP", + Service-Type = Framed-User, + Framed-Protocol = PPP + +DEFAULT Suffix == ".slip", Strip-User-Name = Yes + Hint = "SLIP", + Service-Type = Framed-User, + Framed-Protocol = SLIP + +DEFAULT Suffix == ".cslip", Strip-User-Name = Yes + Hint = "CSLIP", + Service-Type = Framed-User, + Framed-Protocol = SLIP, + Framed-Compression = Van-Jacobson-TCP-IP + +###################################################################### +# +# These entries are old, and commented out by default. +# They confuse too many people when "Peter" logs in, and the +# server thinks that the user "eter" is asking for PPP. +# +#DEFAULT Prefix == "U", Strip-User-Name = No +# Hint = "UUCP" + +#DEFAULT Prefix == "P", Strip-User-Name = Yes +# Hint = "PPP", +# Service-Type = Framed-User, +# Framed-Protocol = PPP + +#DEFAULT Prefix == "S", Strip-User-Name = Yes +# Hint = "SLIP", +# Service-Type = Framed-User, +# Framed-Protocol = SLIP + +#DEFAULT Prefix == "C", Strip-User-Name = Yes +# Hint = "CSLIP", +# Service-Type = Framed-User, +# Framed-Protocol = SLIP, +# Framed-Compression = Van-Jacobson-TCP-IP + diff --git a/hosts/containers/radius/freeradius/huntgroups b/hosts/containers/radius/freeradius/huntgroups new file mode 100644 index 00000000..96169b63 --- /dev/null +++ b/hosts/containers/radius/freeradius/huntgroups @@ -0,0 +1,46 @@ +# +# huntgroups This file defines the `huntgroups' that you have. A +# huntgroup is defined by specifying the IP address of +# the NAS and possibly a port range. Port can be identified +# as just one port, or a range (from-to), and multiple ports +# or ranges of ports must be seperated by a comma. For +# example: 1,2,3-8 +# +# Matching is done while RADIUS scans the user file; if it +# includes the selection criterium "Huntgroup-Name == XXX" +# the huntgroup is looked up in this file to see if it +# matches. There can be multiple definitions of the same +# huntgroup; the first one that matches will be used. +# +# This file can also be used to define restricted access +# to certain huntgroups. The second and following lines +# define the access restrictions (based on username and +# UNIX usergroup) for the huntgroup. +# + +# +# Our POP in Alphen a/d Rijn has 3 terminal servers. Create a Huntgroup-Name +# called Alphen that matches on all three terminal servers. +# +#alphen NAS-IP-Address == 192.168.2.5 +#alphen NAS-IP-Address == 192.168.2.6 +#alphen NAS-IP-Address == 192.168.2.7 + +# +# The POP in Delft consists of only one terminal server. +# +#delft NAS-IP-Address == 192.168.3.5 + +# +# Ports 0-7 on the first terminal server in Alphen are connected to +# a huntgroup that is for business users only. Note that only one +# of the username or groupname has to match to get access (OR/OR). +# +# Note that this huntgroup is a subset of the "alphen" huntgroup. +# +#business NAS-IP-Address == 192.168.2.5, NAS-Port-Id == 0-7 +# User-Name = rogerl, +# User-Name = henks, +# Group = business, +# Group = staff + diff --git a/hosts/containers/radius/freeradius/ldap.attrmap b/hosts/containers/radius/freeradius/ldap.attrmap new file mode 100644 index 00000000..5bbfcd5b --- /dev/null +++ b/hosts/containers/radius/freeradius/ldap.attrmap @@ -0,0 +1,76 @@ +# +# Mapping of RADIUS dictionary attributes to LDAP directory attributes +# to be used by LDAP authentication and authorization module (rlm_ldap) +# +# Format: +# ItemType RADIUS-Attribute-Name ldapAttributeName [operator] +# +# Where: +# ItemType = checkItem or replyItem +# RADIUS-Attribute-Name = attribute name in RADIUS dictionary +# ldapAttributeName = attribute name in LDAP schema +# operator = optional, and may not be present. +# If not present, defaults to "==" for checkItems, +# and "=" for replyItems. +# If present, the operator here should be one +# of the same operators as defined in the "users"3 +# file ("man users", or "man 5 users"). +# If an operator is present in the value of the +# LDAP entry (i.e. ":=foo"), then it over-rides +# both the default, and any operator given here. +# +# If $GENERIC$ is specified as RADIUS-Attribute-Name, the line specifies +# a LDAP attribute which can be used to store any RADIUS +# attribute/value-pair in LDAP directory. +# +# You should edit this file to suit it to your needs. +# + +checkItem $GENERIC$ radiusCheckItem +replyItem $GENERIC$ radiusReplyItem + +checkItem Auth-Type radiusAuthType +checkItem Simultaneous-Use radiusSimultaneousUse +checkItem Called-Station-Id radiusCalledStationId +checkItem Calling-Station-Id radiusCallingStationId +checkItem LM-Password lmPassword +checkItem NT-Password ntPassword +checkItem LM-Password sambaLmPassword +checkItem NT-Password sambaNtPassword +checkItem LM-Password dBCSPwd +checkitem Password-With-Header userPassword +checkItem SMB-Account-CTRL-TEXT acctFlags +checkItem Expiration radiusExpiration +checkItem NAS-IP-Address radiusNASIpAddress + +replyItem Service-Type radiusServiceType +replyItem Framed-Protocol radiusFramedProtocol +replyItem Framed-IP-Address radiusFramedIPAddress +replyItem Framed-IP-Netmask radiusFramedIPNetmask +replyItem Framed-Route radiusFramedRoute +replyItem Framed-Routing radiusFramedRouting +replyItem Filter-Id radiusFilterId +replyItem Framed-MTU radiusFramedMTU +replyItem Framed-Compression radiusFramedCompression +replyItem Login-IP-Host radiusLoginIPHost +replyItem Login-Service radiusLoginService +replyItem Login-TCP-Port radiusLoginTCPPort +replyItem Callback-Number radiusCallbackNumber +replyItem Callback-Id radiusCallbackId +replyItem Framed-IPX-Network radiusFramedIPXNetwork +replyItem Class radiusClass +replyItem Session-Timeout radiusSessionTimeout +replyItem Idle-Timeout radiusIdleTimeout +replyItem Termination-Action radiusTerminationAction +replyItem Login-LAT-Service radiusLoginLATService +replyItem Login-LAT-Node radiusLoginLATNode +replyItem Login-LAT-Group radiusLoginLATGroup +replyItem Framed-AppleTalk-Link radiusFramedAppleTalkLink +replyItem Framed-AppleTalk-Network radiusFramedAppleTalkNetwork +replyItem Framed-AppleTalk-Zone radiusFramedAppleTalkZone +replyItem Port-Limit radiusPortLimit +replyItem Login-LAT-Port radiusLoginLATPort +replyItem Reply-Message radiusReplyMessage +replyItem Tunnel-Type radiusTunnelType +replyItem Tunnel-Medium-Type radiusTunnelMediumType +replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId diff --git a/hosts/containers/radius/freeradius/modules/acct_unique b/hosts/containers/radius/freeradius/modules/acct_unique new file mode 100644 index 00000000..f8226743 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/acct_unique @@ -0,0 +1,17 @@ +# -*- text -*- +# +# $Id: cfd89eb1bf690b605892969ebd922e6885f24fcc $ + +# +# Create a unique accounting session Id. Many NASes re-use +# or repeat values for Acct-Session-Id, causing no end of +# confusion. +# +# This module will add a (probably) unique session id +# to an accounting packet based on the attributes listed +# below found in the packet. See doc/rlm_acct_unique for +# more information. +# +acct_unique { + key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" +} diff --git a/hosts/containers/radius/freeradius/modules/always b/hosts/containers/radius/freeradius/modules/always new file mode 100644 index 00000000..58f8a580 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/always @@ -0,0 +1,31 @@ +# -*- text -*- +# +# $Id: c28187f05d4f0416442203b016feb7e2b818716f $ + +# +# The "always" module is here for debugging purposes. Each +# instance simply returns the same result, always, without +# doing anything. +always fail { + rcode = fail +} +always reject { + rcode = reject +} +always noop { + rcode = noop +} +always handled { + rcode = handled +} +always updated { + rcode = updated +} +always notfound { + rcode = notfound +} +always ok { + rcode = ok + simulcount = 0 + mpp = no +} diff --git a/hosts/containers/radius/freeradius/modules/attr_filter b/hosts/containers/radius/freeradius/modules/attr_filter new file mode 100644 index 00000000..87f236b0 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/attr_filter @@ -0,0 +1,48 @@ +# -*- text -*- +# +# $Id: acb28a9c587526a22f9310ade21d6a480a0bfe28 $ + +# +# This file defines a number of instances of the "attr_filter" module. +# + +# attr_filter - filters the attributes received in replies from +# proxied servers, to make sure we send back to our RADIUS client +# only allowed attributes. +attr_filter attr_filter.post-proxy { + attrsfile = ${confdir}/attrs +} + +# attr_filter - filters the attributes in the packets we send to +# the RADIUS home servers. +attr_filter attr_filter.pre-proxy { + attrsfile = ${confdir}/attrs.pre-proxy +} + +# Enforce RFC requirements on the contents of Access-Reject +# packets. See the comments at the top of the file for +# more details. +# +attr_filter attr_filter.access_reject { + key = %{User-Name} + attrsfile = ${confdir}/attrs.access_reject +} + +# Enforce RFC requirements on the contents of Access-Reject +# packets. See the comments at the top of the file for +# more details. +# +attr_filter attr_filter.access_challenge { + key = %{User-Name} + attrsfile = ${confdir}/attrs.access_challenge +} + + +# Enforce RFC requirements on the contents of the +# Accounting-Response packets. See the comments at the +# top of the file for more details. +# +attr_filter attr_filter.accounting_response { + key = %{User-Name} + attrsfile = ${confdir}/attrs.accounting_response +} diff --git a/hosts/containers/radius/freeradius/modules/attr_rewrite b/hosts/containers/radius/freeradius/modules/attr_rewrite new file mode 100644 index 00000000..bf9461d4 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/attr_rewrite @@ -0,0 +1,46 @@ +# -*- text -*- +# +# $Id: 8fb93224288061781980a156d541f5283abee1a0 $ + +# rewrite arbitrary packets. Useful in accounting and authorization. +# +# As of 2.0, much of the functionality of this module is in "unlang". +# You should probably investigate using that before trying to use +# the "attr_rewrite" module. +# +# +# The module can also use the Rewrite-Rule attribute. If it +# is set and matches the name of the module instance, then +# that module instance will be the only one which runs. +# +# Also if new_attribute is set to yes then a new attribute +# will be created containing the value replacewith and it +# will be added to searchin (packet, reply, proxy, +# proxy_reply or config). +# +# searchfor,ignore_case and max_matches will be ignored in that case. +# +# Backreferences are supported. +# %{0} will contain the string the whole match +# %{1} to %{8} will contain the contents of the 1st to +# the 8th parentheses +# +# If max_matches is greater than one, the backreferences will +# correspond to the first attributed that matched. + +# +attr_rewrite sanecallerid { + attribute = Called-Station-Id + # may be "packet", "reply", "proxy", "proxy_reply" or "config" + searchin = packet + searchfor = "[+ ]" + replacewith = "" + ignore_case = no + new_attribute = no + max_matches = 10 + + ## If set to yes then the replace string will be + ## appended to the original string + append = no +} + diff --git a/hosts/containers/radius/freeradius/modules/cache b/hosts/containers/radius/freeradius/modules/cache new file mode 100644 index 00000000..252a454d --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/cache @@ -0,0 +1,77 @@ +# -*- text -*- +# +# $Id: da4a099beae8eeb3bfe5f70f20523a4258f7f0cd $ + +# +# A module to cache attributes. The idea is that you can look +# up information in a database, and then cache it. Repeated +# requests for the same information will then have the cached +# values added to the request. +# +# The module can cache a fixed set of attributes per key. +# It can be listed in "authorize", "post-auth", "pre-proxy" +# and "post-proxy". +# +# If you want different things cached for authorize and post-auth, +# you will need to define two instances of the "cache" module. +# +# The module returns "ok" if it found a cache entry. +# The module returns "updated" if it added a new cache entry. +# The module returns "noop" if it did nothing. +# +cache { + # The key used to index the cache. It is dynamically expanded + # at run time. + key = "%{User-Name}" + + # The TTL of cache entries, in seconds. Entries older than this + # will be expired. + # + # You can set the TTL per cache entry, but adding a control + # variable "Cache-TTL". The value there will over-ride this one. + # Setting a Cache-TTL of 0 means "delete this entry". + # + # This value should be between 10 and 86400. + ttl = 10 + + # A timestamp used to flush the cache, via + # + # radmin -e "set module config cache epoch 123456789" + # + # Where last value is a 32-bit Unix timestamp. Cache entries + # older than this are expired, and new entries added. + # + # You should ALWAYS leave it as "epoch = 0" here. + epoch = 0 + + # The module can also operate in status-only mode where it will + # not add new cache entries, or merge existing ones. + # + # To enable set the control variable "Cache-Status-Only" to "yes" + # The module will return "ok" if it found a cache entry. + # The module will return "notfound" if it failed to find a cache entry, + # or the entry had expired. + # + # Note: expired entries will still be removed. + + # If yes the following attributes will be added to the request list: + # * Cache-Entry-Hits - The number of times this entry has been + # retrieved. + add-stats = no + + # The list of attributes to cache for a particular key. + # Each key gets the same set of cached attributes. + # The attributes are dynamically expanded at run time. + # + # You can specify which list the attribute goes into by + # prefixing the attribute name with the list. This allows + # you to update multiple lists with one configuration. + # + # If no list is specified the request list will be updated. + update { + # list:Attr-Name + reply:Reply-Message += "I'm the cached reply from %t" + + control:Class := 0x010203 + } +} diff --git a/hosts/containers/radius/freeradius/modules/chap b/hosts/containers/radius/freeradius/modules/chap new file mode 100644 index 00000000..97d965b7 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/chap @@ -0,0 +1,11 @@ +# -*- text -*- +# +# $Id: e2a3cd3b110ffffdbcff86c7fc65a9275ddc3379 $ + +# CHAP module +# +# To authenticate requests containing a CHAP-Password attribute. +# +chap { + # no configuration +} diff --git a/hosts/containers/radius/freeradius/modules/checkval b/hosts/containers/radius/freeradius/modules/checkval new file mode 100644 index 00000000..f4a368cf --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/checkval @@ -0,0 +1,44 @@ +# -*- text -*- +# +# $Id: ed26e571e8f0bcf3bf586ceb16d0cdff182f5017 $ + +# A simple value checking module +# +# As of 2.0, much of the functionality of this module is in "unlang". +# You should probably investigate using that before trying to use +# the "checkval" module. +# +# It can be used to check if an attribute value in the request +# matches a (possibly multi valued) attribute in the check +# items This can be used for example for caller-id +# authentication. For the module to run, both the request +# attribute and the check items attribute must exist +# +# i.e. +# A user has an ldap entry with 2 radiusCallingStationId +# attributes with values "12345678" and "12345679". If we +# enable rlm_checkval, then any request which contains a +# Calling-Station-Id with one of those two values will be +# accepted. Requests with other values for +# Calling-Station-Id will be rejected. +# +# Regular expressions in the check attribute value are allowed +# as long as the operator is '=~' +# +checkval { + # The attribute to look for in the request + item-name = Calling-Station-Id + + # The attribute to look for in check items. Can be multi valued + check-name = Calling-Station-Id + + # The data type. Can be + # string,integer,ipaddr,date,abinary,octets + data-type = string + + # If set to yes and we dont find the item-name attribute in the + # request then we send back a reject + # DEFAULT is no + #notfound-reject = no +} + diff --git a/hosts/containers/radius/freeradius/modules/counter b/hosts/containers/radius/freeradius/modules/counter new file mode 100644 index 00000000..d9962da6 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/counter @@ -0,0 +1,82 @@ +# -*- text -*- +# +# $Id: 2dad39a25c676821c6e602881e5bec52d738abfd $ + +# counter module: +# This module takes an attribute (count-attribute). +# It also takes a key, and creates a counter for each unique +# key. The count is incremented when accounting packets are +# received by the server. The value of the increment depends +# on the attribute type. +# If the attribute is Acct-Session-Time or of an integer type we add +# the value of the attribute. If it is anything else we increase the +# counter by one. +# +# The 'reset' parameter defines when the counters are all reset to +# zero. It can be hourly, daily, weekly, monthly or never. +# +# hourly: Reset on 00:00 of every hour +# daily: Reset on 00:00:00 every day +# weekly: Reset on 00:00:00 on sunday +# monthly: Reset on 00:00:00 of the first day of each month +# +# It can also be user defined. It should be of the form: +# num[hdwm] where: +# h: hours, d: days, w: weeks, m: months +# If the letter is ommited days will be assumed. In example: +# reset = 10h (reset every 10 hours) +# reset = 12 (reset every 12 days) +# +# +# The check-name attribute defines an attribute which will be +# registered by the counter module and can be used to set the +# maximum allowed value for the counter after which the user +# is rejected. +# Something like: +# +# DEFAULT Max-Daily-Session := 36000 +# Fall-Through = 1 +# +# You should add the counter module in the instantiate +# section so that it registers check-name before the files +# module reads the users file. +# +# If check-name is set and the user is to be rejected then we +# send back a Reply-Message and we log a Failure-Message in +# the radius.log +# +# If the count attribute is Acct-Session-Time then on each +# login we send back the remaining online time as a +# Session-Timeout attribute ELSE and if the reply-name is +# set, we send back that attribute. The reply-name attribute +# MUST be of an integer type. +# +# The counter-name can also be used instead of using the check-name +# like below: +# +# DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject +# Reply-Message = "You've used up more than one hour today" +# +# The allowed-servicetype attribute can be used to only take +# into account specific sessions. For example if a user first +# logs in through a login menu and then selects ppp there will +# be two sessions. One for Login-User and one for Framed-User +# service type. We only need to take into account the second one. +# +# The module should be added in the instantiate, authorize and +# accounting sections. Make sure that in the authorize +# section it comes after any module which sets the +# 'check-name' attribute. +# +counter daily { + filename = ${db_dir}/db.daily + key = User-Name + count-attribute = Acct-Session-Time + reset = daily + counter-name = Daily-Session-Time + check-name = Max-Daily-Session + reply-name = Session-Timeout + allowed-servicetype = Framed-User + cache-size = 5000 +} + diff --git a/hosts/containers/radius/freeradius/modules/cui b/hosts/containers/radius/freeradius/modules/cui new file mode 100644 index 00000000..02481548 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/cui @@ -0,0 +1,25 @@ +# -*- text -*- +# +# $Id: 246461369a25c17feae3168bb66050203d4b8a34 $ + +# +# Write Chargeable-User-Identity to the database. +# +# Schema raddb/sql/mysql/cui.sql +# Queries raddb/sql/mysql/cui.conf +# +sql cui { + database = "mysql" + driver = "rlm_sql_${database}" + server = "localhost" + login = "db_login_name" + password = "db_password" + radius_db = "db_name" +# sqltrace = yes +# sqltracefile = ${logdir}/cuitrace.sql + num_sql_socks = 5 + connect_failure_retry_delay = 60 + cui_table = "cui" + sql_user_name = "%{User-Name}" +#$INCLUDE sql/${database}/cui.conf +} diff --git a/hosts/containers/radius/freeradius/modules/detail b/hosts/containers/radius/freeradius/modules/detail new file mode 100644 index 00000000..a50bea33 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/detail @@ -0,0 +1,93 @@ +# -*- text -*- +# +# $Id: 2e68d065ec93d0644cf7e931d97fdfac4e2be552 $ + +# Write a detailed log of all accounting records received. +# +detail { + # Note that we do NOT use NAS-IP-Address here, as + # that attribute MAY BE from the originating NAS, and + # NOT from the proxy which actually sent us the + # request. + # + # The following line creates a new detail file for + # every radius client (by IP address or hostname). + # In addition, a new detail file is created every + # day, so that the detail file doesn't have to go + # through a 'log rotation' + # + # If your detail files are large, you may also want + # to add a ':%H' (see doc/variables.txt) to the end + # of it, to create a new detail file every hour, e.g.: + # + # ..../detail-%Y%m%d:%H + # + # This will create a new detail file for every hour. + # + # If you are reading detail files via the "listen" section + # (e.g. as in raddb/sites-available/robust-proxy-accounting), + # you MUST use a unique directory for each combination of a + # detail file writer, and reader. That is, there can only + # be ONE "listen" section reading detail files from a + # particular directory. + # + detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d + + # + # If you are using radrelay, delete the above line for "detailfile", + # and use this one instead: + # +# detailfile = ${radacctdir}/detail + + # + # The Unix-style permissions on the 'detail' file. + # + # The detail file often contains secret or private + # information about users. So by keeping the file + # permissions restrictive, we can prevent unwanted + # people from seeing that information. + detailperm = 0600 + + # The Unix group of the log file. + # + # The user that the server runs as must be in the specified + # system group otherwise this will fail to work. + # +# group = freerad + + # + # Every entry in the detail file has a header which + # is a timestamp. By default, we use the ctime + # format (see "man ctime" for details). + # + # The header can be customized by editing this + # string. See "doc/variables.txt" for a description + # of what can be put here. + # + header = "%t" + + # + # Uncomment this line if the detail file reader will be + # reading this detail file. + # +# locking = yes + + # + # Log the Packet src/dst IP/port. This is disabled by + # default, as that information isn't used by many people. + # +# log_packet_header = yes + + # + # Certain attributes such as User-Password may be + # "sensitive", so they should not be printed in the + # detail file. This section lists the attributes + # that should be suppressed. + # + # The attributes should be listed one to a line. + # + #suppress { + # User-Password + #} + +} diff --git a/hosts/containers/radius/freeradius/modules/detail.example.com b/hosts/containers/radius/freeradius/modules/detail.example.com new file mode 100644 index 00000000..9af26cbc --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/detail.example.com @@ -0,0 +1,27 @@ +# -*- text -*- +# +# Detail file writer, used in the following examples: +# +# raddb/sites-available/robust-proxy-accounting +# raddb/sites-available/decoupled-accounting +# +# Note that this module can write detail files that are read by +# only ONE "listen" section. If you use BOTH of the examples +# above, you will need to define TWO "detail" modules. +# +# e.g. detail1.example.com && detail2.example.com +# +# +# We write *multiple* detail files here. They will be processed by +# the detail "listen" section in the order that they were created. +# The directory containing these files should NOT be used for any +# other purposes. i.e. It should have NO other files in it. +# +# Writing multiple detail enables the server to process the pieces +# in smaller chunks. This helps in certain catastrophic corner cases. +# +# $Id: af7e3452fdd49ed6a3cd379c2a4d90e17f34532f $ +# +detail detail.example.com { + detailfile = ${radacctdir}/detail.example.com/detail-%Y%m%d:%H:%G +} diff --git a/hosts/containers/radius/freeradius/modules/detail.log b/hosts/containers/radius/freeradius/modules/detail.log new file mode 100644 index 00000000..dd97f88d --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/detail.log @@ -0,0 +1,75 @@ +# -*- text -*- +# +# $Id: c36dce75c6d41b7470bd177a27ed96d3fe3dafe5 $ + +# +# More examples of doing detail logs. + +# +# Many people want to log authentication requests. +# Rather than modifying the server core to print out more +# messages, we can use a different instance of the 'detail' +# module, to log the authentication requests to a file. +# +# You will also need to un-comment the 'auth_log' line +# in the 'authorize' section, below. +# +detail auth_log { + detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d + + # + # This MUST be 0600, otherwise anyone can read + # the users passwords! + detailperm = 0600 + + # You may also strip out passwords completely + suppress { + User-Password + } +} + +# +# This module logs authentication reply packets sent +# to a NAS. Both Access-Accept and Access-Reject packets +# are logged. +# +# You will also need to un-comment the 'reply_log' line +# in the 'post-auth' section, below. +# +detail reply_log { + detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d + + detailperm = 0600 +} + +# +# This module logs packets proxied to a home server. +# +# You will also need to un-comment the 'pre_proxy_log' line +# in the 'pre-proxy' section, below. +# +detail pre_proxy_log { + detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d + + # + # This MUST be 0600, otherwise anyone can read + # the users passwords! + detailperm = 0600 + + # You may also strip out passwords completely + #suppress { + # User-Password + #} +} + +# +# This module logs response packets from a home server. +# +# You will also need to un-comment the 'post_proxy_log' line +# in the 'post-proxy' section, below. +# +detail post_proxy_log { + detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d + + detailperm = 0600 +} diff --git a/hosts/containers/radius/freeradius/modules/dhcp_sqlippool b/hosts/containers/radius/freeradius/modules/dhcp_sqlippool new file mode 100644 index 00000000..65fa2a54 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/dhcp_sqlippool @@ -0,0 +1,33 @@ +## Configuration for DHCP to use SQL IP Pools. +## +## See sqlippool.conf for common configuration explanation +## +## $Id: 39358b222d016d62e5cf6e8c77fd214cc7614feb $ + +sqlippool dhcp_sqlippool { + sql-instance-name = "sql" + + ippool_table = "radippool" + + lease-duration = 7200 + + # Client's MAC address is mapped to Calling-Station-Id in policy.conf + pool-key = "%{Calling-Station-Id}" + + # For now, it only works with MySQL. + # This line is commented by default to enable clean startup when you + # don't have freeradius-mysql installed. Uncomment this line if you + # use this module. + #$INCLUDE ${confdir}/sql/mysql/ippool-dhcp.conf + + sqlippool_log_exists = "DHCP: Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" + + sqlippool_log_success = "DHCP: Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" + + sqlippool_log_clear = "DHCP: Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})" + + sqlippool_log_failed = "DHCP: IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" + + sqlippool_log_nopool = "DHCP: No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" + +} diff --git a/hosts/containers/radius/freeradius/modules/digest b/hosts/containers/radius/freeradius/modules/digest new file mode 100644 index 00000000..af52017c --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/digest @@ -0,0 +1,13 @@ +# -*- text -*- +# +# $Id: f0aa9edf9da33d63fe03e7d1ed3cbca848eec54d $ + +# +# The 'digest' module currently has no configuration. +# +# "Digest" authentication against a Cisco SIP server. +# See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details +# on performing digest authentication for Cisco SIP servers. +# +digest { +} diff --git a/hosts/containers/radius/freeradius/modules/dynamic_clients b/hosts/containers/radius/freeradius/modules/dynamic_clients new file mode 100644 index 00000000..581c9390 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/dynamic_clients @@ -0,0 +1,32 @@ +# -*- text -*- +# +# $Id: bf047be5c7b48f2f021981a6abf4199d888fc3ee $ + +# This module loads RADIUS clients as needed, rather than when the server +# starts. +# +# There are no configuration entries for this module. Instead, it +# relies on the "client" configuration. You must: +# +# 1) link raddb/sites-enabled/dyanmic_clients to +# raddb/sites-available/dyanmic_clients +# +# 2) Define a client network/mask (see top of the above file) +# +# 3) uncomment the "directory" entry in that client definition +# +# 4) list "dynamic_clients" in the "authorize" section of the +# "dynamic_clients' virtual server. The default example already +# does this. +# +# 5) put files into the above directory, one per IP. +# e.g. file "192.168.1.1" should contain a normal client definition +# for a client with IP address 192.168.1.1. +# +# For more documentation, see the file: +# +# raddb/sites-available/dynamic-clients +# +dynamic_clients { + +} diff --git a/hosts/containers/radius/freeradius/modules/echo b/hosts/containers/radius/freeradius/modules/echo new file mode 100644 index 00000000..9c07d294 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/echo @@ -0,0 +1,123 @@ +# -*- text -*- +# +# $Id: 0ca6bd8d27c25bf4f84fd27f97323b8961814d77 $ + +# +# This is a more general example of the execute module. +# +# This one is called "echo". +# +# Attribute-Name = `%{echo:/path/to/program args}` +# +# If you wish to execute an external program in more than +# one section (e.g. 'authorize', 'pre_proxy', etc), then it +# is probably best to define a different instance of the +# 'exec' module for every section. +# +# The return value of the program run determines the result +# of the exec instance call as follows: +# (See doc/configurable_failover for details) +# +# < 0 : fail the module failed +# = 0 : ok the module succeeded +# = 1 : reject the module rejected the user +# = 2 : fail the module failed +# = 3 : ok the module succeeded +# = 4 : handled the module has done everything to handle the request +# = 5 : invalid the user's configuration entry was invalid +# = 6 : userlock the user was locked out +# = 7 : notfound the user was not found +# = 8 : noop the module did nothing +# = 9 : updated the module updated information in the request +# > 9 : fail the module failed +# +exec echo { + # + # Wait for the program to finish. + # + # If we do NOT wait, then the program is "fire and + # forget", and any output attributes from it are ignored. + # + # If we are looking for the program to output + # attributes, and want to add those attributes to the + # request, then we MUST wait for the program to + # finish, and therefore set 'wait=yes' + # + # allowed values: {no, yes} + wait = yes + + # + # The name of the program to execute, and it's + # arguments. Dynamic translation is done on this + # field, so things like the following example will + # work. + # + program = "/bin/echo %{User-Name}" + + # + # The attributes which are placed into the + # environment variables for the program. + # + # Allowed values are: + # + # request attributes from the request + # config attributes from the configuration items list + # reply attributes from the reply + # proxy-request attributes from the proxy request + # proxy-reply attributes from the proxy reply + # + # Note that some attributes may not exist at some + # stages. e.g. There may be no proxy-reply + # attributes if this module is used in the + # 'authorize' section. + # + input_pairs = request + + # + # Where to place the output attributes (if any) from + # the executed program. The values allowed, and the + # restrictions as to availability, are the same as + # for the input_pairs. + # + output_pairs = reply + + # + # When to execute the program. If the packet + # type does NOT match what's listed here, then + # the module does NOT execute the program. + # + # For a list of allowed packet types, see + # the 'dictionary' file, and look for VALUEs + # of the Packet-Type attribute. + # + # By default, the module executes on ANY packet. + # Un-comment out the following line to tell the + # module to execute only if an Access-Accept is + # being sent to the NAS. + # + #packet_type = Access-Accept + + # + # Should we escape the environment variables? + # + # If this is set, all the RADIUS attributes + # are capitalised and dashes replaced with + # underscores. Also, RADIUS values are surrounded + # with double-quotes. + # + # That is to say: User-Name=BobUser => USER_NAME="BobUser" + shell_escape = yes + + + # + # How long should we wait for the program to finish? + # + # Default is 10 seconds, which should be plenty for nearly + # anything. Range is 1 to 30 seconds. You are strongly + # encouraged to NOT increase this value. Decreasing can + # be used to cause authentication to fail sooner when you + # know it's going to fail anyway due to the time taken, + # thereby saving resources. + # + #timeout = 10 +} diff --git a/hosts/containers/radius/freeradius/modules/etc_group b/hosts/containers/radius/freeradius/modules/etc_group new file mode 100644 index 00000000..aea6faa1 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/etc_group @@ -0,0 +1,28 @@ +# -*- text -*- +# +# $Id: 614c52b82b3e12fab54313aecb5c1120559781f3 $ + +# "passwd" configuration, for the /etc/group file. Adds a Etc-Group-Name +# attribute for every group that the user is member of. +# +# You will have to define the Etc-Group-Name in the 'dictionary' file +# as a 'string' type. +# +# The Group and Group-Name attributes are automatically created by +# the Unix module, and do checking against /etc/group automatically. +# This means that you CANNOT use Group or Group-Name to do any other +# kind of grouping in the server. You MUST define a new group +# attribute. +# +# i.e. this module should NOT be used as-is, but should be edited to +# point to a different group file. +# +passwd etc_group { + filename = /etc/group + format = "=Etc-Group-Name:::*,User-Name" + hashsize = 50 + ignorenislike = yes + allowmultiplekeys = yes + delimiter = ":" +} + diff --git a/hosts/containers/radius/freeradius/modules/exec b/hosts/containers/radius/freeradius/modules/exec new file mode 100644 index 00000000..470b9cbd --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/exec @@ -0,0 +1,30 @@ +# -*- text -*- +# +# $Id: 5f21e4350f091ed51813865a31b2796c4b487f9f $ + +# +# Execute external programs +# +# This module is useful only for 'xlat'. To use it, +# put 'exec' into the 'instantiate' section. You can then +# do dynamic translation of attributes like: +# +# Attribute-Name = `%{exec:/path/to/program args}` +# +# The value of the attribute will be replaced with the output +# of the program which is executed. Due to RADIUS protocol +# limitations, any output over 253 bytes will be ignored. +# +# The RADIUS attributes from the user request will be placed +# into environment variables of the executed program, as +# described in "man unlang" and in doc/variables.txt +# +# See also "echo" for more sample configuration. +# +exec { + wait = no + input_pairs = request + shell_escape = yes + output = none + timeout = 10 +} diff --git a/hosts/containers/radius/freeradius/modules/expiration b/hosts/containers/radius/freeradius/modules/expiration new file mode 100644 index 00000000..18f2667c --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/expiration @@ -0,0 +1,19 @@ +# -*- text -*- +# +# $Id: 8bbd88973459d82f3967135c66a5b566fffc130a $ + +# +# The expiration module. This handles the Expiration attribute +# It should be included in the *end* of the authorize section +# in order to handle user Expiration. It should also be included +# in the instantiate section in order to register the Expiration +# compare function +# +expiration { + # + # The Reply-Message which will be sent back in case the + # account has expired. Dynamic substitution is supported + # + reply-message = "Password Has Expired\r\n" + #reply-message = "Your account has expired, %{User-Name}\r\n" +} diff --git a/hosts/containers/radius/freeradius/modules/expr b/hosts/containers/radius/freeradius/modules/expr new file mode 100644 index 00000000..9b2513d5 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/expr @@ -0,0 +1,20 @@ +# -*- text -*- +# +# $Id: 6caeb9bccb3310d76f0c527afa58d10432359ee5 $ + +# +# The 'expression' module currently has no configuration. +# +# This module is useful only for 'xlat'. To use it, +# put 'expr' into the 'instantiate' section. You can then +# do dynamic translation of attributes like: +# +# Attribute-Name = `%{expr:2 + 3 + %{exec: uid -u}}` +# +# The value of the attribute will be replaced with the output +# of the program which is executed. Due to RADIUS protocol +# limitations, any output over 253 bytes will be ignored. +# +# The module also registers a few paircompare functions +expr { +} diff --git a/hosts/containers/radius/freeradius/modules/files b/hosts/containers/radius/freeradius/modules/files new file mode 100644 index 00000000..8a411178 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/files @@ -0,0 +1,46 @@ +# -*- text -*- +# +# $Id: e0198d85b2d14fa7b75b0e8c1bf6427c4bd89058 $ + +# Livingston-style 'users' file +# +files { + # The default key attribute to use for matches. The content + # of this attribute is used to match the "name" of the + # entry. + #key = "%{%{Stripped-User-Name}:-%{User-Name}}" + + usersfile = ${confdir}/users + acctusersfile = ${confdir}/acct_users + preproxy_usersfile = ${confdir}/preproxy_users + + # If you want to use the old Cistron 'users' file + # with FreeRADIUS, you should change the next line + # to 'compat = cistron'. You can the copy your 'users' + # file from Cistron. + compat = no +} + +# An example which defines a second instance of the "files" module. +# This instance is named "second_files". In order for it to be used +# in a virtual server, it needs to be listed as "second_files" +# inside of the "authorize" section (or other section). If you just +# list "files", that will refer to the configuration defined above. +# + +# The two names here mean: +# "files" - this is a configuration for the "rlm_files" module +# "second_files" - this is a named configuration, which isn't +# the default configuration. +files second_files { + #key = "%{%{Stripped-User-Name}:-%{User-Name}}" + + # The names here don't matter. They just need to be different + # from the names for the "files" configuration above. If they + # are the same, then this configuration will end up being the + # same as the one above. + usersfile = ${confdir}/second_users + acctusersfile = ${confdir}/second_acct_users + preproxy_usersfile = ${confdir}/second_preproxy_users +} + diff --git a/hosts/containers/radius/freeradius/modules/inner-eap b/hosts/containers/radius/freeradius/modules/inner-eap new file mode 100644 index 00000000..6f550976 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/inner-eap @@ -0,0 +1,161 @@ +# -*- text -*- +# +# $Id: 0a26c9c1672823e46219d831e2be18890450c2a7 $ + +# +# Sample configuration for an EAP module that occurs *inside* +# of a tunneled method. It is used to limit the EAP types that +# can occur inside of the inner tunnel. +# +# See also raddb/sites-available/inner-tunnel +# +# To use this module, edit raddb/sites-available/inner-tunnel, and +# replace the references to "eap" with "inner-eap". +# +# See raddb/eap.conf for full documentation on the meaning of the +# configuration entries here. +# +eap inner-eap { + # This is the best choice for PEAP. + default_eap_type = mschapv2 + timer_expire = 60 + + # This should be the same as the outer eap "max sessions" + max_sessions = 2048 + + # Supported EAP-types + md5 { + } + + gtc { + # The default challenge, which many clients + # ignore.. + #challenge = "Password: " + + auth_type = PAP + } + + mschapv2 { + } + + # No TTLS or PEAP configuration should be listed here. + + ## EAP-TLS + # + # You SHOULD use different certificates than are used + # for the outer EAP configuration! + # + # Support for PEAP/TLS and RFC 5176 TLS/TLS is experimental. + # + tls { + # + # These is used to simplify later configurations. + # + certdir = ${confdir}/certs + cadir = ${confdir}/certs + + private_key_password = whatever + private_key_file = ${certdir}/server.pem + + # If Private key & Certificate are located in + # the same file, then private_key_file & + # certificate_file must contain the same file + # name. + # + # If CA_file (below) is not used, then the + # certificate_file below MUST include not + # only the server certificate, but ALSO all + # of the CA certificates used to sign the + # server certificate. + certificate_file = ${certdir}/server.pem + + # Trusted Root CA list + # + # ALL of the CA's in this list will be trusted + # to issue client certificates for authentication. + # + # In general, you should use self-signed + # certificates for 802.1x (EAP) authentication. + # In that case, this CA file should contain + # *one* CA certificate. + # + # This parameter is used only for EAP-TLS, + # when you issue client certificates. If you do + # not use client certificates, and you do not want + # to permit EAP-TLS authentication, then delete + # this configuration item. + CA_file = ${cadir}/ca.pem + + # + # For DH cipher suites to work, you have to + # run OpenSSL to create the DH file first: + # + # openssl dhparam -out certs/dh 1024 + # + dh_file = ${certdir}/dh + random_file = ${certdir}/random + + # + # This can never exceed the size of a RADIUS + # packet (4096 bytes), and is preferably half + # that, to accomodate other attributes in + # RADIUS packet. On most APs the MAX packet + # length is configured between 1500 - 1600 + # In these cases, fragment size should be + # 1024 or less. + # + # fragment_size = 1024 + + # include_length is a flag which is + # by default set to yes If set to + # yes, Total Length of the message is + # included in EVERY packet we send. + # If set to no, Total Length of the + # message is included ONLY in the + # First packet of a fragment series. + # + # include_length = yes + + # Check the Certificate Revocation List + # + # 1) Copy CA certificates and CRLs to same directory. + # 2) Execute 'c_rehash '. + # 'c_rehash' is OpenSSL's command. + # 3) uncomment the line below. + # 5) Restart radiusd + # check_crl = yes + # CA_path = /path/to/directory/with/ca_certs/and/crls/ + + # + # If check_cert_issuer is set, the value will + # be checked against the DN of the issuer in + # the client certificate. If the values do not + # match, the cerficate verification will fail, + # rejecting the user. + # + # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" + + # + # If check_cert_cn is set, the value will + # be xlat'ed and checked against the CN + # in the client certificate. If the values + # do not match, the certificate verification + # will fail rejecting the user. + # + # This check is done only if the previous + # "check_cert_issuer" is not set, or if + # the check succeeds. + # + # check_cert_cn = %{User-Name} + # + # Set this option to specify the allowed + # TLS cipher suites. The format is listed + # in "man 1 ciphers". + cipher_list = "DEFAULT" + + # + # The session resumption / fast reauthentication + # cache CANNOT be used for inner sessions. + # + } +} diff --git a/hosts/containers/radius/freeradius/modules/ippool b/hosts/containers/radius/freeradius/modules/ippool new file mode 100644 index 00000000..6d181e72 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/ippool @@ -0,0 +1,75 @@ +# -*- text -*- +# +# $Id: 05561cf37fe71142adc97410daba3ae08a1cb68c $ + +# Do server side ip pool management. Should be added in +# post-auth and accounting sections. +# +# The module also requires the existance of the Pool-Name +# attribute. That way the administrator can add the Pool-Name +# attribute in the user profiles and use different pools for +# different users. The Pool-Name attribute is a *check* item +# not a reply item. +# +# The Pool-Name should be set to the ippool module instance +# name or to DEFAULT to match any module. + +# +# Example: +# radiusd.conf: ippool students { [...] } +# ippool teachers { [...] } +# users file : DEFAULT Group == students, Pool-Name := "students" +# DEFAULT Group == teachers, Pool-Name := "teachers" +# DEFAULT Group == other, Pool-Name := "DEFAULT" +# +# ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST ********* +# ********* THEN ERASE THE DB FILES ********* +# +ippool main_pool { + + # range-start,range-stop: + # The start and end ip addresses for this pool. + range-start = 192.168.1.1 + range-stop = 192.168.3.254 + + # netmask: + # The network mask used for this pool. + netmask = 255.255.255.0 + + # cache-size: + # The gdbm cache size for the db files. Should + # be equal to the number of ip's available in + # the ip pool + cache-size = 800 + + # session-db: + # The main db file used to allocate addresses. + session-db = ${db_dir}/db.ippool + + # ip-index: + # Helper db index file used in multilink + ip-index = ${db_dir}/db.ipindex + + # override: + # If set, the Framed-IP-Address already in the + # reply (if any) will be discarded, and replaced + # with a Framed-IP-Address assigned here. + override = no + + # maximum-timeout: + # Specifies the maximum time in seconds that an + # entry may be active. If set to zero, means + # "no timeout". The default value is 0 + maximum-timeout = 0 + + # key: + # The key to use for the session database (which + # holds the allocated ip's) normally it should + # just be the nas ip/port (which is the default). + # + # If your NAS sends the same value of NAS-Port + # all requests, the key should be based on some + # other attribute that is in ALL requests, AND + # is unique to each machine needing an IP address. + #key = "%{NAS-IP-Address} %{NAS-Port}" +} diff --git a/hosts/containers/radius/freeradius/modules/krb5 b/hosts/containers/radius/freeradius/modules/krb5 new file mode 100644 index 00000000..37c6209a --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/krb5 @@ -0,0 +1,11 @@ +# -*- text -*- +# +# $Id: 81d1cf2cad2c5dd919acdc993f4484673d80121e $ + +# +# Kerberos. See doc/rlm_krb5 for minimal docs. +# +krb5 { + keytab = /path/to/keytab + service_principal = name_of_principle +} diff --git a/hosts/containers/radius/freeradius/modules/ldap b/hosts/containers/radius/freeradius/modules/ldap new file mode 100644 index 00000000..c62f3a65 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/ldap @@ -0,0 +1,197 @@ +# -*- text -*- +# +# $Id: d13892634e4a8458c942ce170f59f98521dce500 $ + +# Lightweight Directory Access Protocol (LDAP) +# +# This module definition allows you to use LDAP for +# authorization and authentication. +# +# See raddb/sites-available/default for reference to the +# ldap module in the authorize and authenticate sections. +# +# However, LDAP can be used for authentication ONLY when the +# Access-Request packet contains a clear-text User-Password +# attribute. LDAP authentication will NOT work for any other +# authentication method. +# +# This means that LDAP servers don't understand EAP. If you +# force "Auth-Type = LDAP", and then send the server a +# request containing EAP authentication, then authentication +# WILL NOT WORK. +# +# The solution is to use the default configuration, which does +# work. +# +# Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We +# really can't emphasize this enough. +# +ldap { + # + # Note that this needs to match the name in the LDAP + # server certificate, if you're using ldaps. + server = "ldap.your.domain" + #identity = "cn=admin,o=My Org,c=UA" + #password = mypass + basedn = "o=My Org,c=UA" + filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" + #base_filter = "(objectclass=radiusprofile)" + + # How many connections to keep open to the LDAP server. + # This saves time over opening a new LDAP socket for + # every authentication request. + ldap_connections_number = 5 + + # How many times the connection can be used before + # being re-established. This is useful for things + # like load balancers, which may exhibit sticky + # behaviour without it. (0) is unlimited. + max_uses = 0 + + # Port to connect on, defaults to 389. Setting this to + # 636 will enable LDAPS if start_tls (see below) is not + # able to be used. + #port = 389 + + # seconds to wait for LDAP query to finish. default: 20 + timeout = 4 + + # seconds LDAP server has to process the query (server-side + # time limit). default: 20 + # + # LDAP_OPT_TIMELIMIT is set to this value. + timelimit = 3 + + # + # seconds to wait for response of the server. (network + # failures) default: 10 + # + # LDAP_OPT_NETWORK_TIMEOUT is set to this value. + net_timeout = 1 + + # + # This subsection configures the tls related items + # that control how FreeRADIUS connects to an LDAP + # server. It contains all of the "tls_*" configuration + # entries used in older versions of FreeRADIUS. Those + # configuration entries can still be used, but we recommend + # using these. + # + tls { + # Set this to 'yes' to use TLS encrypted connections + # to the LDAP database by using the StartTLS extended + # operation. + # + # The StartTLS operation is supposed to be + # used with normal ldap connections instead of + # using ldaps (port 636) connections + start_tls = no + + # cacertfile = /path/to/cacert.pem + # cacertdir = /path/to/ca/dir/ + # certfile = /path/to/radius.crt + # keyfile = /path/to/radius.key + # randfile = /path/to/rnd + + # Certificate Verification requirements. Can be: + # "never" (don't even bother trying) + # "allow" (try, but don't fail if the cerificate + # can't be verified) + # "demand" (fail if the certificate doesn't verify.) + # + # The default is "allow" + # require_cert = "demand" + } + + # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" + # profile_attribute = "radiusProfileDn" + # access_attr = "dialupAccess" + + # Mapping of RADIUS dictionary attributes to LDAP + # directory attributes. + dictionary_mapping = ${confdir}/ldap.attrmap + + # Set password_attribute = nspmPassword to get the + # user's password from a Novell eDirectory + # backend. This will work ONLY IF FreeRADIUS has been + # built with the --with-edir configure option. + # + # See also the following links: + # + # http://www.novell.com/coolsolutions/appnote/16745.html + # https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html + # + # Novell may require TLS encrypted sessions before returning + # the user's password. + # + # password_attribute = userPassword + + # Un-comment the following to disable Novell + # eDirectory account policy check and intruder + # detection. This will work *only if* FreeRADIUS is + # configured to build with --with-edir option. + # + edir_account_policy_check = no + + # + # Group membership checking. Disabled by default. + # + # groupname_attribute = cn + # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" + # groupmembership_attribute = radiusGroupName + + # compare_check_items = yes + # do_xlat = yes + # access_attr_used_for_allow = yes + + # + # The following two configuration items are for Active Directory + # compatibility. If you see the helpful "operations error" + # being returned to the LDAP module, uncomment the next + # two lines. + # + # chase_referrals = yes + # rebind = yes + + # + # By default, if the packet contains a User-Password, + # and no other module is configured to handle the + # authentication, the LDAP module sets itself to do + # LDAP bind for authentication. + # + # THIS WILL ONLY WORK FOR PAP AUTHENTICATION. + # + # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). + # + # You can disable this behavior by setting the following + # configuration entry to "no". + # + # allowed values: {no, yes} + # set_auth_type = yes + + # ldap_debug: debug flag for LDAP SDK + # (see OpenLDAP documentation). Set this to enable + # huge amounts of LDAP debugging on the screen. + # You should only use this if you are an LDAP expert. + # + # default: 0x0000 (no debugging messages) + # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) + #ldap_debug = 0x0028 + + # + # Keepalive configuration. This MAY NOT be supported by your + # LDAP library. If these configuration entries appear in the + # output of "radiusd -X", then they are supported. Otherwise, + # they are unsupported, and changing them will do nothing. + # + keepalive { + # LDAP_OPT_X_KEEPALIVE_IDLE + idle = 60 + + # LDAP_OPT_X_KEEPALIVE_PROBES + probes = 3 + + # LDAP_OPT_X_KEEPALIVE_INTERVAL + interval = 3 + } +} diff --git a/hosts/containers/radius/freeradius/modules/linelog b/hosts/containers/radius/freeradius/modules/linelog new file mode 100644 index 00000000..478b4fa2 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/linelog @@ -0,0 +1,105 @@ +# -*- text -*- +# +# $Id: a57741ac3fa5f884ed64d896da3807af5d2a6b99 $ + +# +# The "linelog" module will log one line of text to a file. +# Both the filename and the line of text are dynamically expanded. +# +# We STRONGLY suggest that you do not use data from the +# packet as part of the filename. +# +linelog { + # + # The file where the logs will go. + # + # If the filename is "syslog", then the log messages will + # go to syslog. + filename = ${logdir}/linelog + + # + # The Unix-style permissions on the log file. + # + # Depending on format string, the log file may contain secret or + # private information about users. Keep the file permissions as + # restrictive as possible. + permissions = 0600 + + # + # The Unix group of the log file. + # + # The user that freeradius runs as must be in the specified + # group, otherwise it will not be possible to set the group. + # + # group = freerad + + # + # If logging via syslog, the facility can be set here. Otherwise + # the syslog_facility option in radiusd.conf will be used. + # + # syslog_facility = daemon + + # + # The default format string. + format = "This is a log message for %{User-Name}" + + # + # This next line can be omitted. If it is omitted, then + # the log message is static, and is always given by "format", + # above. + # + # If it is defined, then the string is dynamically expanded, + # and the result is used to find another configuration entry + # here, with the given name. That name is then used as the + # format string. + # + # If the configuration entry cannot be found, then no log + # message is printed. + # + # i.e. You can have many log messages in one "linelog" module. + # If this two-step expansion did not exist, you would have + # needed to configure one "linelog" module for each log message. + + # + # Reference the Packet-Type (Access-Request, etc.) If it doesn't + # exist, reference the "format" entry, above. + reference = "%{%{Packet-Type}:-format}" + + # + # Followed by a series of log messages. + Access-Request = "Requested access: %{User-Name}" + Access-Reject = "Rejected access: %{User-Name}" + Access-Challenge = "Sent challenge: %{User-Name}" + + # + # The log messages can be grouped into sections and + # sub-sections, too. The "reference" item needs to have a "." + # for every section. e.g. reference = foo.bar will reference + # the "foo" section, "bar" configuration item. + # + + # + # Used if: reference = "foo.bar". + foo { + bar = "Example log. Please ignore" + } + + # + # Another example: + # reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" + # + Accounting-Request { + Start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})" + Stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds" + + # Don't log anything for these packets. + Alive = "" + + Accounting-On = "NAS %C (%{NAS-IP-Address}) just came online" + Accounting-Off = "NAS %C (%{NAS-IP-Address}) just went offline" + + # don't log anything for other Acct-Status-Types. + unknown = "" + } + +} diff --git a/hosts/containers/radius/freeradius/modules/logintime b/hosts/containers/radius/freeradius/modules/logintime new file mode 100644 index 00000000..58fa3e7b --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/logintime @@ -0,0 +1,31 @@ +# -*- text -*- +# +# $Id: 26691a93664c464f49394773e04d3b2ed565d142 $ + +# The logintime module. This handles the Login-Time, +# Current-Time, and Time-Of-Day attributes. It should be +# included in the *end* of the authorize section in order to +# handle Login-Time checks. It should also be included in the +# instantiate section in order to register the Current-Time +# and Time-Of-Day comparison functions. +# +# When the Login-Time attribute is set to some value, and the +# user has bene permitted to log in, a Session-Timeout is +# calculated based on the remaining time. See "doc/README". +# +logintime { + # + # The Reply-Message which will be sent back in case + # the account is calling outside of the allowed + # timespan. Dynamic substitution is supported. + # + reply-message = "You are calling outside your allowed timespan\r\n" + #reply-message = "Outside allowed timespan (%{control:Login-Time}), %{User-Name}\r\n" + + # The minimum timeout (in seconds) a user is allowed + # to have. If the calculated timeout is lower we don't + # allow the logon. Some NASes do not handle values + # lower than 60 seconds well. + minimum-timeout = 60 +} + diff --git a/hosts/containers/radius/freeradius/modules/mac2ip b/hosts/containers/radius/freeradius/modules/mac2ip new file mode 100644 index 00000000..655d4b6d --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/mac2ip @@ -0,0 +1,25 @@ +# -*- text -*- +# +# $Id: 793d5690e1d4520bb3db1d9900d6be09da2587ae $ + +###################################################################### +# +# This next section is a sample configuration for the "passwd" +# module, that reads flat-text files. +# +# The file is in the format , +# +# 00:01:02:03:04:05,192.168.1.100 +# 01:01:02:03:04:05,192.168.1.101 +# 02:01:02:03:04:05,192.168.1.102 +# +# This lets you perform simple static IP assignments from a flat-text +# file. You will have to define lease times yourself. +# +###################################################################### + +passwd mac2ip { + filename = ${confdir}/mac2ip + format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address" + delimiter = "," +} diff --git a/hosts/containers/radius/freeradius/modules/mac2vlan b/hosts/containers/radius/freeradius/modules/mac2vlan new file mode 100644 index 00000000..61ee40f7 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/mac2vlan @@ -0,0 +1,18 @@ +# -*- text -*- +# +# $Id: bdfef238076bb1ea16c494bf6e22f1d2af848b62 $ + +# A simple file to map a MAC address to a VLAN. +# +# The file should be in the format MAC,VLAN +# the VLAN name cannot have spaces in it, for example: +# +# 00:01:02:03:04:05,VLAN1 +# 03:04:05:06:07:08,VLAN2 +# ... +# +passwd mac2vlan { + filename = ${confdir}/mac2vlan + format = "*VMPS-Mac:=VMPS-VLAN-Name" + delimiter = "," +} diff --git a/hosts/containers/radius/freeradius/modules/mschap b/hosts/containers/radius/freeradius/modules/mschap new file mode 100644 index 00000000..bd6dc344 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/mschap @@ -0,0 +1,87 @@ +# -*- text -*- +# +# $Id: 9e016a09a158f55bbc9b48876f0cb2b776b4cd96 $ + +# Microsoft CHAP authentication +# +# This module supports MS-CHAP and MS-CHAPv2 authentication. +# It also enforces the SMB-Account-Ctrl attribute. +# +mschap { + # + # If you are using /etc/smbpasswd, see the 'passwd' + # module for an example of how to use /etc/smbpasswd + + # if use_mppe is not set to no mschap will + # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and + # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2 + # +# use_mppe = no + + # if mppe is enabled require_encryption makes + # encryption moderate + # +# require_encryption = yes + + # require_strong always requires 128 bit key + # encryption + # +# require_strong = yes + + # Windows sends us a username in the form of + # DOMAIN\user, but sends the challenge response + # based on only the user portion. This hack + # corrects for that incorrect behavior. + # +# with_ntdomain_hack = no + + # The module can perform authentication itself, OR + # use a Windows Domain Controller. This configuration + # directive tells the module to call the ntlm_auth + # program, which will do the authentication, and return + # the NT-Key. Note that you MUST have "winbindd" and + # "nmbd" running on the local machine for ntlm_auth + # to work. See the ntlm_auth program documentation + # for details. + # + # If ntlm_auth is configured below, then the mschap + # module will call ntlm_auth for every MS-CHAP + # authentication request. If there is a cleartext + # or NT hashed password available, you can set + # "MS-CHAP-Use-NTLM-Auth := No" in the control items, + # and the mschap module will do the authentication itself, + # without calling ntlm_auth. + # + # Be VERY careful when editing the following line! + # + # You can also try setting the user name as: + # + # ... --username=%{mschap:User-Name} ... + # + # In that case, the mschap module will look at the User-Name + # attribute, and do prefix/suffix checks in order to obtain + # the "best" user name for the request. + # +# ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" + + # The default is to wait 10 seconds for ntlm_auth to + # complete. This is a long time, and if it's taking that + # long then you likely have other problems in your domain. + # The length of time can be decreased with the following + # option, which can save clients waiting if your ntlm_auth + # usually finishes quicker. Range 1 to 10 seconds. + # +# ntlm_auth_timeout = 10 + + # For Apple Server, when running on the same machine as + # Open Directory. It has no effect on other systems. + # +# use_open_directory = yes + + # On failure, set (or not) the MS-CHAP error code saying + # "retries allowed". +# allow_retry = yes + + # An optional retry message. +# retry_msg = "Re-enter (or reset) the password" +} diff --git a/hosts/containers/radius/freeradius/modules/ntlm_auth b/hosts/containers/radius/freeradius/modules/ntlm_auth new file mode 100644 index 00000000..9ee11aa7 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/ntlm_auth @@ -0,0 +1,12 @@ +# +# For testing ntlm_auth authentication with PAP. +# +# If you have problems with authentication failing, even when the +# password is good, it may be a bug in Samba: +# +# https://bugzilla.samba.org/show_bug.cgi?id=6563 +# +exec ntlm_auth { + wait = yes + program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" +} diff --git a/hosts/containers/radius/freeradius/modules/opendirectory b/hosts/containers/radius/freeradius/modules/opendirectory new file mode 100644 index 00000000..10dd5077 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/opendirectory @@ -0,0 +1,13 @@ +# -*- text -*- +# +# $Id: 2a44ef695f4eaf6f1c461b3d92fda54e9b910f9e $ + +# This module is only used when the server is running on the same +# system as OpenDirectory. The configuration of the module is hard-coded +# by Apple, and cannot be changed here. +# +# There are no configuration entries for this module. +# +opendirectory { + +} diff --git a/hosts/containers/radius/freeradius/modules/otp b/hosts/containers/radius/freeradius/modules/otp new file mode 100644 index 00000000..3ae59e16 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/otp @@ -0,0 +1,78 @@ +# +# Configuration for the OTP module. +# + +# This module allows you to use various handheld OTP tokens +# for authentication (Auth-Type := otp). These tokens are +# available from various vendors. +# +# It works in conjunction with otpd, which implements token +# management and OTP verification functions; and lsmd or gsmd, +# which implements synchronous state management functions. +# otpd, lsmd and gsmd are available from TRI-D Systems: +# + +# You must list this module in BOTH the authorize and authenticate +# sections in order to use it. +otp { + # otpd rendezvous point. + # (default: /var/run/otpd/socket) + #otpd_rp = /var/run/otpd/socket + + # Text to use for the challenge. The '%' character is + # disallowed, except that you MUST have a single "%s" + # sequence in the string; the challenge itself is + # inserted there. (default "Challenge: %s\n Response: ") + #challenge_prompt = "Challenge: %s\n Response: " + + # Length of the challenge. Most tokens probably support a + # max of 8 digits. (range: 5-32 digits, default 6) + #challenge_length = 6 + + # Maximum time, in seconds, that a challenge is valid. + # (The user must respond to a challenge within this time.) + # It is also the minimal time between consecutive async mode + # authentications, a necessary restriction due to an inherent + # weakness of the RADIUS protocol which allows replay attacks. + # (default: 30) + #challenge_delay = 30 + + # Whether or not to allow asynchronous ("pure" challenge/ + # response) mode authentication. Since sync mode is much more + # usable, and all reasonable tokens support it, the typical + # use of async mode is to allow resync of event based tokens. + # But because of the vulnerability of async mode with some tokens, + # you probably want to disable this and require that out-of-sync + # users resync from specifically secured terminals. + # See the otpd docs for more info. + # (default: no) + #allow_async = no + + # Whether or not to allow synchronous mode authentication. + # When using otpd with lsmd, it is *CRITICALLY IMPORTANT* + # that if your OTP users can authenticate to multiple RADIUS + # servers, this must be "yes" for the primary/default server, + # and "no" for the others. This is because lsmd does not + # share state information across multiple servers. Using "yes" + # on all your RADIUS servers would allow replay attacks! + # Also, for event based tokens, the user will be out of sync + # on the "other" servers. In order to use "yes" on all your + # servers, you must either use gsmd, which synchronizes state + # globally, or implement your own state synchronization method. + # (default: yes) + #allow_sync = yes + + # If both allow_async and allow_sync are "yes", a challenge is + # always presented to the user. This is incompatible with NAS's + # that can't present or don't handle Access-Challenge's, e.g. + # PPTP servers. Even though a challenge is presented, the user + # can still enter their synchronous passcode. + + # The following are MPPE settings. Note that MS-CHAP (v1) is + # strongly discouraged. All possible values are listed as + # {value = meaning}. Default values are first. + #mschapv2_mppe = {2 = required, 1 = optional, 0 = forbidden} + #mschapv2_mppe_bits = {2 = 128, 1 = 128 or 40, 0 = 40} + #mschap_mppe = {2 = required, 1 = optional, 0 = forbidden} + #mschap_mppe_bits = {2 = 128} +} diff --git a/hosts/containers/radius/freeradius/modules/pam b/hosts/containers/radius/freeradius/modules/pam new file mode 100644 index 00000000..a31dfdaa --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/pam @@ -0,0 +1,26 @@ +# -*- text -*- +# +# $Id: f4a91a948637bb2f42f613ed9faa6f9ae9ae6099 $ + + +# Pluggable Authentication Modules +# +# For Linux, see: +# http://www.kernel.org/pub/linux/libs/pam/index.html +# +# WARNING: On many systems, the system PAM libraries have +# memory leaks! We STRONGLY SUGGEST that you do not +# use PAM for authentication, due to those memory leaks. +# +pam { + # + # The name to use for PAM authentication. + # PAM looks in /etc/pam.d/${pam_auth_name} + # for it's configuration. See 'redhat/radiusd-pam' + # for a sample PAM configuration file. + # + # Note that any Pam-Auth attribute set in the 'authorize' + # section will over-ride this one. + # + pam_auth = radiusd +} diff --git a/hosts/containers/radius/freeradius/modules/pap b/hosts/containers/radius/freeradius/modules/pap new file mode 100644 index 00000000..46768e31 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/pap @@ -0,0 +1,22 @@ +# -*- text -*- +# +# $Id: 5c7d29d654bea9c076d6434f32795c2b2d002757 $ + +# PAP module to authenticate users based on their stored password +# +# Supports multiple encryption/hash schemes. See "man rlm_pap" +# for details. +# +# The "auto_header" configuration item can be set to "yes". +# In this case, the module will look inside of the User-Password +# attribute for the headers {crypt}, {clear}, etc., and will +# automatically create the attribute on the right-hand side, +# with the correct value. It will also automatically handle +# Base-64 encoded data, hex strings, and binary data. +# +# For instructions on creating the various types of passwords, see: +# +# http://www.openldap.org/faq/data/cache/347.html +pap { + auto_header = no +} diff --git a/hosts/containers/radius/freeradius/modules/passwd b/hosts/containers/radius/freeradius/modules/passwd new file mode 100644 index 00000000..78507817 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/passwd @@ -0,0 +1,55 @@ +# -*- text -*- +# +# $Id: cc37ca0d7eaf9887720eccc2de0ecb75a51117c8 $ + +# passwd module allows to do authorization via any passwd-like +# file and to extract any attributes from these files. +# +# See the "smbpasswd" and "etc_group" files for more examples. +# +# parameters are: +# filename - path to filename +# +# format - format for filename record. This parameters +# correlates record in the passwd file and RADIUS +# attributes. +# +# Field marked as '*' is a key field. That is, the parameter +# with this name from the request is used to search for +# the record from passwd file +# +# Attributes marked as '=' are added to reply_items instead +# of default configure_itmes +# +# Attributes marked as '~' are added to request_items +# +# Field marked as ',' may contain a comma separated list +# of attributes. +# +# hashsize - hashtable size. Setting it to 0 is no longer permitted +# A future version of the server will have the module +# automatically determine the hash size. Having it set +# manually should not be necessary. +# +# allowmultiplekeys - if many records for a key are allowed +# +# ignorenislike - ignore NIS-related records +# +# delimiter - symbol to use as a field separator in passwd file, +# for format ':' symbol is always used. '\0', '\n' are +# not allowed +# + +# An example configuration for using /etc/passwd. +# +# This is an example which will NOT WORK if you have shadow passwords, +# NIS, etc. The "unix" module is normally responsible for reading +# system passwords. You should use it instead of this example. +# +passwd etc_passwd { + filename = /etc/passwd + format = "*User-Name:Crypt-Password:" + hashsize = 100 + ignorenislike = no + allowmultiplekeys = no +} diff --git a/hosts/containers/radius/freeradius/modules/perl b/hosts/containers/radius/freeradius/modules/perl new file mode 100644 index 00000000..b63a87f9 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/perl @@ -0,0 +1,58 @@ +# -*- text -*- +# +# $Id: 69ad3076119ec814518a6db45eec4bc41dc090f7 $ + +# Persistent, embedded Perl interpreter. +# +perl { + # + # The Perl script to execute on authorize, authenticate, + # accounting, xlat, etc. This is very similar to using + # 'rlm_exec' module, but it is persistent, and therefore + # faster. + # + module = ${confdir}/example.pl + + # + # The following hashes are given to the module and + # filled with value-pairs (Attribute names and values) + # + # %RAD_CHECK Check items + # %RAD_REQUEST Attributes from the request + # %RAD_REPLY Attributes for the reply + # + # The return codes from functions in the perl_script + # are passed directly back to the server. These + # codes are defined in doc/configurable_failover, + # src/include/modules.h (RLM_MODULE_REJECT, etc), + # and are pre-defined in the 'example.pl' program + # which is included. + # + + # + # List of functions in the module to call. + # Uncomment and change if you want to use function + # names other than the defaults. + # + #func_authenticate = authenticate + #func_authorize = authorize + #func_preacct = preacct + #func_accounting = accounting + #func_checksimul = checksimul + #func_pre_proxy = pre_proxy + #func_post_proxy = post_proxy + #func_post_auth = post_auth + #func_recv_coa = recv_coa + #func_send_coa = send_coa + #func_xlat = xlat + #func_detach = detach + + # + # Uncomment the following lines if you wish + # to use separate functions for Start and Stop + # accounting packets. In that case, the + # func_accounting function is not called. + # + #func_start_accounting = accounting_start + #func_stop_accounting = accounting_stop +} diff --git a/hosts/containers/radius/freeradius/modules/policy b/hosts/containers/radius/freeradius/modules/policy new file mode 100644 index 00000000..f6428163 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/policy @@ -0,0 +1,21 @@ +# -*- text -*- +# +# $Id: 9b1b111ce70dbfd4ce25cdd2774d5878dbea7023 $ + +# +# Module implementing a DIFFERENT policy language. +# The syntax here is NOT "unlang", but something else. +# +# See the "raddb/policy.txt" file for documentation and examples. +# There isn't much else in the way of documentation, sorry. +# +policy { + # The only configuration item is a filename containing + # the policies to execute. + # + # When "policy" is listed in a section (e.g. "authorize"), + # it will run a policy named for that section. + # + filename = ${confdir}/policy.txt +} + diff --git a/hosts/containers/radius/freeradius/modules/preprocess b/hosts/containers/radius/freeradius/modules/preprocess new file mode 100644 index 00000000..266c206b --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/preprocess @@ -0,0 +1,58 @@ +# -*- text -*- +# +# $Id: e00aa85a9bd924b3a79c034f6f5d4d7d9a98c208 $ + +# Preprocess the incoming RADIUS request, before handing it off +# to other modules. +# +# This module processes the 'huntgroups' and 'hints' files. +# In addition, it re-writes some weird attributes created +# by some NASes, and converts the attributes into a form which +# is a little more standard. +# +preprocess { + huntgroups = ${confdir}/huntgroups + hints = ${confdir}/hints + + # This hack changes Ascend's wierd port numberings + # to standard 0-??? port numbers so that the "+" works + # for IP address assignments. + with_ascend_hack = no + ascend_channels_per_line = 23 + + # Windows NT machines often authenticate themselves as + # NT_DOMAIN\username + # + # If this is set to 'yes', then the NT_DOMAIN portion + # of the user-name is silently discarded. + # + # This configuration entry SHOULD NOT be used. + # See the "realms" module for a better way to handle + # NT domains. + with_ntdomain_hack = no + + # Specialix Jetstream 8500 24 port access server. + # + # If the user name is 10 characters or longer, a "/" + # and the excess characters after the 10th are + # appended to the user name. + # + # If you're not running that NAS, you don't need + # this hack. + with_specialix_jetstream_hack = no + + # Cisco (and Quintum in Cisco mode) sends it's VSA attributes + # with the attribute name *again* in the string, like: + # + # H323-Attribute = "h323-attribute=value". + # + # If this configuration item is set to 'yes', then + # the redundant data in the the attribute text is stripped + # out. The result is: + # + # H323-Attribute = "value" + # + # If you're not running a Cisco or Quintum NAS, you don't + # need this hack. + with_cisco_vsa_hack = no +} diff --git a/hosts/containers/radius/freeradius/modules/radrelay b/hosts/containers/radius/freeradius/modules/radrelay new file mode 100644 index 00000000..a29106fc --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/radrelay @@ -0,0 +1,26 @@ +# -*- text -*- +# +# $Id: dede42698a19413b524a1a68b7ea312aa8a506aa $ + +# Write "detail" files which can be read by radrelay. +# This module should be used only by a server which receives +# Accounting-Request packets from the network. +# +# It should NOT be used in the radrelay.conf file. +# +# Use it by adding "radrelay" to the "accounting" section: +# +# accounting { +# ... +# radrelay +# ... +# } +# +detail radrelay { + detailfile = ${radacctdir}/detail + + locking = yes + + # The other directives from the main detail module + # can be used here, but they're not required. +} diff --git a/hosts/containers/radius/freeradius/modules/radutmp b/hosts/containers/radius/freeradius/modules/radutmp new file mode 100644 index 00000000..af729f36 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/radutmp @@ -0,0 +1,53 @@ +# -*- text -*- +# +# $Id: 3ad88cde616ce041f0dcc87858950daafdd3d336 $ + +# Write a 'utmp' style file, of which users are currently +# logged in, and where they've logged in from. +# +# This file is used mainly for Simultaneous-Use checking, +# and also 'radwho', to see who's currently logged in. +# +radutmp { + # Where the file is stored. It's not a log file, + # so it doesn't need rotating. + # + filename = ${logdir}/radutmp + + # The field in the packet to key on for the + # 'user' name, If you have other fields which you want + # to use to key on to control Simultaneous-Use, + # then you can use them here. + # + # Note, however, that the size of the field in the + # 'utmp' data structure is small, around 32 + # characters, so that will limit the possible choices + # of keys. + # + # You may want instead: %{Stripped-User-Name:-%{User-Name}} + username = %{User-Name} + + + # Whether or not we want to treat "user" the same + # as "USER", or "User". Some systems have problems + # with case sensitivity, so this should be set to + # 'no' to enable the comparisons of the key attribute + # to be case insensitive. + # + case_sensitive = yes + + # Accounting information may be lost, so the user MAY + # have logged off of the NAS, but we haven't noticed. + # If so, we can verify this information with the NAS, + # + # If we want to believe the 'utmp' file, then this + # configuration entry can be set to 'no'. + # + check_with_nas = yes + + # Set the file permissions, as the contents of this file + # are usually private. + perm = 0600 + + callerid = "yes" +} diff --git a/hosts/containers/radius/freeradius/modules/realm b/hosts/containers/radius/freeradius/modules/realm new file mode 100644 index 00000000..ff34898b --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/realm @@ -0,0 +1,46 @@ +# -*- text -*- +# +# $Id: 95d9f2b98de1b33346c6129aa7e88a901248cd4d $ + +# Realm module, for proxying. +# +# You can have multiple instances of the realm module to +# support multiple realm syntaxs at the same time. The +# search order is defined by the order that the modules are listed +# in the authorize and preacct sections. +# +# Four config options: +# format - must be "prefix" or "suffix" +# The special cases of "DEFAULT" +# and "NULL" are allowed, too. +# delimiter - must be a single character + +# 'realm/username' +# +# Using this entry, IPASS users have their realm set to "IPASS". +realm IPASS { + format = prefix + delimiter = "/" +} + +# 'username@realm' +# +realm suffix { + format = suffix + delimiter = "@" +} + +# 'username%realm' +# +realm realmpercent { + format = suffix + delimiter = "%" +} + +# +# 'domain\user' +# +realm ntdomain { + format = prefix + delimiter = "\\" +} diff --git a/hosts/containers/radius/freeradius/modules/redis b/hosts/containers/radius/freeradius/modules/redis new file mode 100644 index 00000000..fafe6138 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/redis @@ -0,0 +1,35 @@ +# -*- text -*- +# +# $Id: d7605d9888607aa6451ab24450cebfd7bc9d4437 $ + +# +# Configuration file for the "redis" module. This module does nothing +# Other than provide connections to a redis database, and a %{redis: ...} +# expansion. +# +redis { + # Host where the redis server is located. + # We recommend using ONLY 127.0.0.1 ! + hostname = 127.0.0.1 + + # The default port. + port = 6379 + + # The password used to authenticate to the server. + # We recommend using a strong password. +# password = thisisreallysecretandhardtoguess + + # The number of connections to open to the database. + num_connections = 20 + + # If a connection fails, retry after this time. + connect_failure_retry_delay = 60 + + # Set the maximum lifetime for one connection. + # Use 0 for "lives forever" + lifetime = 86400 + + # Set the maximum queries used for one connection. + # Use 0 for "no limit" + max_queries = 0 +} \ No newline at end of file diff --git a/hosts/containers/radius/freeradius/modules/rediswho b/hosts/containers/radius/freeradius/modules/rediswho new file mode 100644 index 00000000..12d0e41c --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/rediswho @@ -0,0 +1,28 @@ +# -*- text -*- +# +# $Id: e16550c9991a5e76a77f349cfa5b82d5163f172e $ + +# +# Configuration file for the "rediswho" module. +# +rediswho { + # How many sessions to keep track of per user. + # If there are more than this number, older sessions are deleted. + trim-count = 15 + + # Expiry time in seconds. Any sessions which have not received + # an update in this time will be automatically expired. + expire-time = 86400 + + start-insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}" + start-trim = "LTRIM %{User-Name} 0 ${trim-count}" + start-expire = "EXPIRE %{User-Name} ${expire-time}" + + alive-insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}" + alive-trim = "LTRIM %{User-Name} 0 ${trim-count}" + alive-expire = "EXPIRE %{User-Name} ${expire-time}" + + stop-insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}" + stop-trim = "LTRIM %{User-Name} 0 ${trim-count}" + stop-expire = "EXPIRE %{User-Name} ${expire-time}" +} diff --git a/hosts/containers/radius/freeradius/modules/replicate b/hosts/containers/radius/freeradius/modules/replicate new file mode 100644 index 00000000..6df4523c --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/replicate @@ -0,0 +1,40 @@ +# Replicate packet(s) to a home server. +# +# This module will open a new socket for each packet, and "clone" +# the incoming packet to the destination realm (i.e. home server). +# +# Use it by setting "Replicate-To-Realm = name" in the control list, +# just like Proxy-To-Realm. The configurations for the two attributes +# are identical. The realm must exist, the home_server_pool must exist, +# and the home_server must exist. +# +# The only difference is that the "replicate" module sends requests +# and does not expect a reply. Any reply is ignored. +# +# Both Replicate-To-Realm and Proxy-To-Realm can be used at the same time. +# +# To use this module, list "replicate" in the "authorize" or +# "accounting" section. Then, ensure that Replicate-To-Realm is set. +# The contents of the "packet" attribute list will be sent to the +# home server. The usual load-balancing, etc. features of the home +# server will be used. +# +# "radmin" can be used to mark home servers alive/dead, in order to +# enable/disable replication to specific servers. +# +# Packets can be replicated to multiple destinations. Just set +# Replicate-To-Realm multiple times. One packet will be sent for +# each of the Replicate-To-Realm attribute in the "control" list. +# +# If no packets are sent, the module returns "noop". If at least one +# packet is sent, the module returns "ok". If an error occurs, the +# module returns "fail" +# +# Note that replication does NOT change any of the packet statistics. +# If you use "radmin" to look at the statistics for a home server, +# the replicated packets will cause NO counters to increment. This +# is not a bug, this is how replication works. +# +replicate { + +} diff --git a/hosts/containers/radius/freeradius/modules/smbpasswd b/hosts/containers/radius/freeradius/modules/smbpasswd new file mode 100644 index 00000000..fb8512f9 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/smbpasswd @@ -0,0 +1,16 @@ +# -*- text -*- +# +# $Id: 74e64047302d7d8f575672617e8a213aaf5a32d3 $ + +# An example configuration for using /etc/smbpasswd. +# +# See the "passwd" file for documentation on the configuration items +# for this module. +# +passwd smbpasswd { + filename = /etc/smbpasswd + format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" + hashsize = 100 + ignorenislike = no + allowmultiplekeys = no +} diff --git a/hosts/containers/radius/freeradius/modules/smsotp b/hosts/containers/radius/freeradius/modules/smsotp new file mode 100644 index 00000000..113fe7c7 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/smsotp @@ -0,0 +1,50 @@ +# -*- text -*- +# +# $Id: 0a339b4a1b9f1eafeb05992f2643497e802e2a49 $ + +# SMS One-time Password system. +# +# This module will extend FreeRadius with a socks interface to create and +# validate One-Time-Passwords. The program for that creates the socket +# and interacts with this module is not included here. +# +# The module does not check the User-Password, this should be done with +# the "pap" module. See the example below. +# +# The module must be used in the "authorize" section to set +# Auth-Type properly. The first time through, the module is called +# in the "authenticate" section to authenticate the user password, and +# to send the challenge. The second time through, it authenticates +# the response to the challenge. e.g.: +# +# authorize { +# ... +# smsotp +# ... +# } +# +# authenticate { +# ... +# Auth-Type smsotp { +# pap +# smsotp +# } +# +# Auth-Type smsotp-reply { +# smsotp +# } +# ... +# } +# +smsotp { + # The location of the socket. + socket = "/var/run/smsotp_socket" + + # Defines the challenge message that will be send to the + # NAS. Default is "Enter Mobile PIN" } + challenge_message = "Enter Mobile PIN:" + + # Defines the Auth-Type section that is run for the response to + # the challenge. Default is "smsotp-reply". + challenge_type = "smsotp-reply" +} diff --git a/hosts/containers/radius/freeradius/modules/soh b/hosts/containers/radius/freeradius/modules/soh new file mode 100644 index 00000000..d125ce48 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/soh @@ -0,0 +1,4 @@ +# SoH module +soh { + dhcp = yes +} diff --git a/hosts/containers/radius/freeradius/modules/sql_log b/hosts/containers/radius/freeradius/modules/sql_log new file mode 100644 index 00000000..c91a7b6b --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/sql_log @@ -0,0 +1,92 @@ +# -*- text -*- +# +# $Id: 3e6bf2104f74ffad8866eb69459a94f623601130 $ + +# +# The rlm_sql_log module appends the SQL queries in a log +# file which is read later by the radsqlrelay program. +# +# This module only performs the dynamic expansion of the +# variables found in the SQL statements. No operation is +# executed on the database server. (this could be done +# later by an external program) That means the module is +# useful only with non-"SELECT" statements. +# +# See rlm_sql_log(5) manpage. +# +# This same functionality could also be implemented by logging +# to a "detail" file, reading that, and then writing to SQL. +# See raddb/sites-available/buffered-sql for an example. +# +sql_log { + path = "${radacctdir}/sql-relay" + acct_table = "radacct" + postauth_table = "radpostauth" + sql_user_name = "%{%{User-Name}:-DEFAULT}" + + # + # Setting this to "yes" will allow UTF-8 characters to be + # written to the log file. Otherwise, they are escaped + # as being potentially invalid. + # + utf8 = no + + # + # The names here are taken from the Acct-Status-Type names. + # Just add another entry here for Accounting-On, + # Accounting-Off, etc. + # + Start = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \ + NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ + AcctSessionTime, AcctTerminateCause) VALUES \ + ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ + '%{Framed-IP-Address}', '%S', '0', '0', '');" + + Stop = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \ + NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ + AcctSessionTime, AcctTerminateCause) VALUES \ + ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ + '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \ + '%{Acct-Terminate-Cause}');" + + Alive = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \ + NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ + AcctSessionTime, AcctTerminateCause) VALUES \ + ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ + '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');" + + # The same as "Alive" + Interim-Update = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \ + NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ + AcctSessionTime, AcctTerminateCause) VALUES \ + ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ + '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');" + + Post-Auth = "INSERT INTO ${postauth_table} \ + (username, pass, reply, authdate) VALUES \ + ('%{User-Name}', '%{User-Password:-Chap-Password}', \ + '%{reply:Packet-Type}', '%S');" + + Accounting-On = "UPDATE ${acct_table} \ + SET \ + acctstoptime = '%S', \ + acctsessiontime = unix_timestamp('%S') - \ + unix_timestamp(acctstarttime), \ + acctterminatecause = '%{Acct-Terminate-Cause}', \ + acctstopdelay = %{%{Acct-Delay-Time}:-0} \ + WHERE acctstoptime IS NULL \ + AND nasipaddress = '%{NAS-IP-Address}' \ + AND acctstarttime <= '%S'"" + + Accounting-Off = "UPDATE ${acct_table} \ + SET \ + acctstoptime = '%S', \ + acctsessiontime = unix_timestamp('%S') - \ + unix_timestamp(acctstarttime), \ + acctterminatecause = '%{Acct-Terminate-Cause}', \ + acctstopdelay = %{%{Acct-Delay-Time}:-0} \ + WHERE acctstoptime IS NULL \ + AND nasipaddress = '%{NAS-IP-Address}' \ + AND acctstarttime <= '%S'"" +} + diff --git a/hosts/containers/radius/freeradius/modules/sqlcounter_expire_on_login b/hosts/containers/radius/freeradius/modules/sqlcounter_expire_on_login new file mode 100644 index 00000000..f73627e9 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/sqlcounter_expire_on_login @@ -0,0 +1,37 @@ +# -*- text -*- +# +# $Id: c950169307009b088b2c31274f496ffe38e8a793 $ + +# +# Set an account to expire T seconds after first login. +# Requires the Expire-After attribute to be set, in seconds. +# You may need to edit raddb/dictionary to add the Expire-After +# attribute. +# +# This example is for MySQL. Other SQL variants should be similar. +# +# For versions prior to 2.1.11, this module defined the following +# expansion strings: +# +# %k key_name +# %S sqlmod_inst +# +# These SHOULD NOT be used. If these are used in your configuration, +# they should be replaced by the following strings, which will work +# identically to the previous ones: +# +# %k ${key} +# %S ${sqlmod-inst} +# +sqlcounter expire_on_login { + counter-name = Expire-After-Initial-Login + check-name = Expire-After + sqlmod-inst = sql + key = User-Name + reset = never + query = "SELECT TIME_TO_SEC(TIMEDIFF(NOW(), acctstarttime)) \ + FROM radacct \ + WHERE UserName='%{${key}}' \ + ORDER BY acctstarttime \ + LIMIT 1;" +} diff --git a/hosts/containers/radius/freeradius/modules/sradutmp b/hosts/containers/radius/freeradius/modules/sradutmp new file mode 100644 index 00000000..16fe0202 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/sradutmp @@ -0,0 +1,16 @@ +# -*- text -*- +# +# $Id: a7700bac6aaa93940c784f1b6df08b61eb77a1a3 $ + +# "Safe" radutmp - does not contain caller ID, so it can be +# world-readable, and radwho can work for normal users, without +# exposing any information that isn't already exposed by who(1). +# +# This is another 'instance' of the radutmp module, but it is given +# then name "sradutmp" to identify it later in the "accounting" +# section. +radutmp sradutmp { + filename = ${logdir}/sradutmp + perm = 0644 + callerid = "no" +} diff --git a/hosts/containers/radius/freeradius/modules/unix b/hosts/containers/radius/freeradius/modules/unix new file mode 100644 index 00000000..a5798d58 --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/unix @@ -0,0 +1,25 @@ +# -*- text -*- +# +# $Id: 5165139aaf39d533581161871542b48a6e3e8c42 $ + +# Unix /etc/passwd style authentication +# +# This module calls the system functions to get the "known good" +# password. This password is usually in the "crypt" form, and is +# incompatible with CHAP, MS-CHAP, PEAP, etc. +# +# If passwords are in /etc/shadow, you will need to set the "group" +# configuration in radiusd.conf. Look for "shadow", and follow the +# instructions there. +# +unix { + # + # The location of the "wtmp" file. + # The only use for 'radlast'. If you don't use + # 'radlast', then you can comment out this item. + # + # Note that the radwtmp file may get large! You should + # rotate it (cp /dev/null radwtmp), or just not use it. + # + radwtmp = ${logdir}/radwtmp +} diff --git a/hosts/containers/radius/freeradius/modules/wimax b/hosts/containers/radius/freeradius/modules/wimax new file mode 100644 index 00000000..7ab5c4fc --- /dev/null +++ b/hosts/containers/radius/freeradius/modules/wimax @@ -0,0 +1,112 @@ +# +# The WiMAX module currently takes no configuration. +# +# It should be listed in the "authorize" and "preacct" sections. +# This enables the module to fix the horrible binary version +# of Calling-Station-Id to the normal format, as specified in +# RFC 3580, Section 3.21. +# +# In order to calculate the various WiMAX keys, the module should +# be listed in the "post-auth" section. If EAP authentication +# has been used, AND the EAP method derives MSK and EMSK, then +# the various WiMAX keys can be calculated. +# +# Some useful things to remember: +# +# WiMAX-MSK = EAP MSK, but is 64 octets. +# +# MIP-RK-1 = HMAC-SHA256(ESMK, "miprk@wimaxforum.org" | 0x00020001) +# MIP-RK-2 = HMAC-SHA256(ESMK, MIP-RK-1 | "miprk@wimaxforum.org" | 0x00020002) +# MIP-RK = MIP-RK-1 | MIP-RK-2 +# +# MIP-SPI = first 4 octets of HMAC-SHA256(MIP-RK, "SPI CMIP PMIP") +# plus some magic... you've got to track *all* MIP-SPI's +# on your system! +# +# SPI-CMIP4 = MIP-SPI +# SPI-PMIP4 = MIP-SPI + 1 +# SPI-CMIP6 = MIP-SPI + 2 +# +# MN-NAI is the Mobile node NAI. You have to create it, and put +# it into the request or reply as something like: +# +# WiMAX-MN-NAI = "%{User-Name}" +# +# You will also have to have the appropriate IP address (v4 or v6) +# in order to calculate the keys below. +# +# Lifetimes are derived from Session-Timeout. It needs to be set +# to some useful number. +# +# The hash function below H() is HMAC-SHA1. +# +# +# MN-HA-CMIP4 = H(MIP-RK, "CMIP4 MN HA" | HA-IPv4 | MN-NAI) +# +# Where HA-IPv4 is WiMAX-hHA-IP-MIP4 +# or maybe WiMAX-vHA-IP-MIP4 +# +# Which goes into WiMAX-MN-hHA-MIP4-Key +# or maybe WiMAX-RRQ-MN-HA-Key +# or maybe even WiMAX-vHA-MIP4-Key +# +# The corresponding SPI is SPI-CMIP4, which is MIP-SPI, +# +# which goes into WiMAX-MN-hHA-MIP4-SPI +# or maybe WiMAX-RRQ-MN-HA-SPI +# or even WiMAX-MN-vHA-MIP4-SPI +# +# MN-HA-PMIP4 = H(MIP-RK, "PMIP4 MN HA" | HA-IPv4 | MN-NAI) +# MN-HA-CMIP6 = H(MIP-RK, "CMIP6 MN HA" | HA-IPv6 | MN-NAI) +# +# both with similar comments to above for MN-HA-CMIP4. +# +# In order to tell which one to use (CMIP4, PMIP4, or CMIP6), +# you have to set WiMAX-IP-Technology in the reply to one of +# the appropriate values. +# +# +# FA-RK = H(MIP-RK, "FA-RK") +# +# MN-FA = H(FA-RK, "MN FA" | FA-IP | MN-NAI) +# +# Where does the FA-IP come from? No idea... +# +# +# The next two keys (HA-RK and FA-HA) are not generated +# for every authentication request, but only on demand. +# +# HA-RK = 160-bit random number assigned by the AAA server +# to a specific HA. +# +# FA-HA = H(HA-RK, "FA-HA" | HA-IPv4 | FA-CoAv4 | SPI) +# +# where HA-IPv4 is as above. +# and FA-CoAv4 address of the FA as seen by the HA +# and SPI is the relevant SPI for the HA-RK. +# +# DHCP-RK = 160-bit random number assigned by the AAA server +# to a specific DHCP server. vDHCP-RK is the same +# thing. +# +wimax { + # + # Some WiMAX equipement requires that the MS-MPPE-*-Key + # attributes are sent in the Access-Accept, in addition to + # the WiMAX-MSK attribute. + # + # Other WiMAX equipment request that the MS-MPPE-*-Key + # attributes are NOT sent in the Access-Accept. + # + # By default, the EAP modules sends MS-MPPE-*-Key attributes. + # The default virtual server (raddb/sites-available/default) + # contains examples of adding the WiMAX-MSK. + # + # This configuration option makes the WiMAX module delete + # the MS-MPPE-*-Key attributes. The default is to leave + # them in place. + # + # If the keys are deleted (by setting this to "yes"), then + # the WiMAX-MSK attribute is automatically added to the reply. + delete_mppe_keys = no +} diff --git a/hosts/containers/radius/freeradius/policy.conf b/hosts/containers/radius/freeradius/policy.conf new file mode 100644 index 00000000..4b80c212 --- /dev/null +++ b/hosts/containers/radius/freeradius/policy.conf @@ -0,0 +1,283 @@ +# -*- text -*- +## +## policy.conf -- FreeRADIUS server configuration file. +## +## http://www.freeradius.org/ +## $Id: 2668b29e3eee8eb9bfb9fbe33a6752314ac49632 $ +## + +# +# Policies are virtual modules, similar to those defined in the +# "instantate" section of radiusd.conf. +# +# Defining a policy here means that it can be referenced in multiple +# places as a *name*, rather than as a series of conditions to match, +# and actions to take. +# +# Policies are something like subroutines in a normal language, but +# they cannot be called recursively. They MUST be defined in order. +# If policy A calls policy B, then B MUST be defined before A. +# +policy { + # + # Forbid all EAP types. + # + forbid_eap { + if (EAP-Message) { + reject + } + } + + # + # Forbid all non-EAP types outside of an EAP tunnel. + # + permit_only_eap { + if (!EAP-Message) { + # We MAY be inside of a TTLS tunnel. + # PEAP and EAP-FAST require EAP inside of + # the tunnel, so this check is OK. + # If so, then there MUST be an outer EAP message. + if (!"%{outer.request:EAP-Message}") { + reject + } + } + } + + # + # Forbid all attempts to login via realms. + # + deny_realms { + if (User-Name =~ /@|\\/) { + reject + } + } + + # + # If you want the server to pretend that it is dead, + # then use the "do_not_respond" policy. + # + do_not_respond { + update control { + Response-Packet-Type := Do-Not-Respond + } + + handled + } + + # + # Force some sanity on User-Name. This helps to avoid issues + # issues where the back-end database is "forgiving" about + # what constitutes a user name. + # + filter_username { + # + # reject mixed case + # e.g. "UseRNaMe" + # + if (User-Name != "%{tolower:%{User-Name}}") { + reject + } + + # + # reject all whitespace + # e.g. "user@ site.com", or "us er", or " user", or "user " + # + if (User-Name =~ / /) { + update reply { + Reply-Message += "Rejected: Username contains whitespace" + } + reject + } + + # + # reject Multiple @'s + # e.g. "user@site.com@site.com" + # + if(User-Name =~ /@.*@/ ) { + update reply { + Reply-Message += "Rejected: Multiple @ in username" + } + reject + } + + # + # reject double dots + # e.g. "user@site..com" + # + if (User-Name =~ /\\.\\./ ) { + update reply { + Reply-Message += "Rejected: Username comtains ..s" + } + reject + } + + # + # must have at least 1 string-dot-string after @ + # e.g. "user@site.com" + # + if (User-Name !~ /@(.+)\\.(.+)$/) { + update reply { + Reply-Message += "Rejected: Realm does not have at least one dot seperator" + } + reject + } + + # + # Realm ends with a dot + # e.g. "user@site.com." + # + if (User-Name =~ /\\.$/) { + update reply { + Reply-Message += "Rejected: Realm ends with a dot" + } + reject + } + + # + # Realm begins with a dot + # e.g. "user@.site.com" + # + if (User-Name =~ /@\\./) { + update reply { + Reply-Message += "Rejected: Realm begins with a dot" + } + reject + } + } + + # + # The following policies are for the Chargeable-User-Identity + # (CUI) configuration. + # + + # + # The client indicates it can do CUI by sending a CUI attribute + # containing one zero byte + # + cui_authorize { + update request { + Chargeable-User-Identity:='\\000' + } + } + + # + # Add a CUI attribute based on the User-Name, and a secret key + # known only to this server. + # + cui_postauth { + if (FreeRadius-Proxied-To == 127.0.0.1) { + if (outer.request:Chargeable-User-Identity) { + update outer.reply { + Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}" + } + } + } + else { + if (Chargeable-User-Identity) { + update reply { + Chargeable-User-Identity="%{md5:%{config:cui_hash_key}%{User-Name}}" + } + } + } + } + + # + # If there is a CUI attribute in the reply, add it to the DB. + # + cui_updatedb { + if (reply:Chargeable-User-Identity) { + cui + } + } + + # + # If we had stored a CUI for the User, add it to the request. + # + cui_accounting { + # + # If the CUI isn't in the packet, see if we can find it + # in the DB. + # + if (!Chargeable-User-Identity) { + update request { + Chargeable-User-Identity := "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}" + } + } + + # + # If it exists now, then write out when we last saw + # this CUI. + # + if (Chargeable-User-Identity && (Chargeable-User-Identity != "")) { + cui + } + } + + # + # Normalize the MAC Addresses in the Calling/Called-Station-Id + # + mac-addr = ([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2}) + + # Add "rewrite.called_station_id" in the "authorize" and "preacct" + # sections. + rewrite.called_station_id { + if((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) { + update request { + Called-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" + } + + # SSID component? + if ("%{8}") { + update request { + Called-Station-Id := "%{Called-Station-Id}:%{8}" + } + } + updated + } + else { + noop + } + } + + # Add "rewrite.calling_station_id" in the "authorize" and "preacct" + # sections. + rewrite.calling_station_id { + if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) { + update request { + Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" + } + updated + } + else { + noop + } + } + + # Assign compatibility data to request for sqlippool + dhcp_sqlippool.post-auth { + + + # Do some minor hacks to the request so that it looks + # like a RADIUS request to the SQL IP Pool module. + update request { + User-Name = "DHCP-%{DHCP-Client-Hardware-Address}" + Calling-Station-Id = "%{DHCP-Client-Hardware-Address}" + NAS-IP-Address = "%{%{DHCP-Gateway-IP-Address}:-127.0.0.1}" + Acct-Status-Type = Start + } + + # Call the actual module + # + # Uncomment this in order to really call it! +# dhcp_sqlippool + fail + + # Convert Framed-IP-Address to DHCP, but only if we + # actually allocated an address. + if (ok) { + update reply { + DHCP-Your-IP-Address = "%{reply:Framed-IP-Address}" + } + } + } +} diff --git a/hosts/containers/radius/freeradius/policy.txt b/hosts/containers/radius/freeradius/policy.txt new file mode 100644 index 00000000..99d10ffc --- /dev/null +++ b/hosts/containers/radius/freeradius/policy.txt @@ -0,0 +1,185 @@ +# +# Sample of a policy language for rlm_policy. +# +# This is NOT the "unlang" policy, and has NO RELATION to "unlang"! +# The syntax is different, and the functionality is different. +# + +# As of 2.0.0, the new configuration "un-language" is better +# tested, has more features, and is better integrated into the +# server than the rlm_policy module. rlm_policy is deprecated, +# and will likely be removed in a future release. +# +# There is no documentation other than this file. +# +# The syntax is odd, but it sort of works. +# +# A number of sites are using it in production servers, +# so it appears to be stable. However, we cannot answer +# questions about it, because we use "unlang", instead of +# this file. +# +# $Id: 1f62c55ae236dc9359764f4729f7ea4a8d36e2df $ +# +# Debugging statements +# +#debug print_tokens # as we're parsing this file +debug print_policy # once the file has been parsed + +# Using this requires code edits to rlm_policy/evaluate.c +#debug evaluate # print limited information during evaluation + +# +# A named policy. +# +policy 3pm { +if (Time-Of-Day < "15:00") { + # + # The general form of edits to the attribute lists: + # + # name s-operator { + # Attribute-Name = Value + # } + # + # name is: request, reply, control, proxy-request, proxy-reply + # + # s-operator is operator for section, not attributes: + # + # = append, using operators from attributes + # .= append attributes, ignoring operators from attributes + # ^= add to head of list + # ^== add BEFORE matching attribute + # ^. append + # ^.= append BEFORE matching attribute + # $= add AFTER (same as =) + # $== add AFTER matching attribute + # $. add after (same as .=) + # $.= add after matching + # + # If the above explanation confuses you, don't ask. Try various + # configurations to see what happens. The results are difficult + # to explain, but easy to understand once you see them in action. + # + # The "matching attribute" text above refers to the syntax: + # + # name s-operator (match) { + # Attribute-Name = Value + # } + # + # Where "match" is something like: User-Name == "bob" + # + # This lets you insert/edit/update attributes by selected + # position, which can be useful. + # + reply .= { + # Use ARAP-Password for testing because it's an attribute + # no one cares about. + ARAP-Password = "< 15:00" + } +} + +} + +# +# A named policy, executed during the "authorize" phase, +# because it's named "authorize". +# +policy authorize { + if (CHAP-Password) { + if (!CHAP-Challenge) { + print "Adding CHAP-Challenge = %{request:Packet-Authentication-Vector}\n" + + # + # Append all attributes to the specified list. + # The per-attribute operators MUST be '=' + # + request .= { + CHAP-Challenge = "%{request:Packet-Authentication-Vector}" + } + } + + # + # Use per-attribute operators to do override, replace, etc. + # It's "control", not "check items", because "check items" + # is a hold-over from the "users" file, and we no longer like that. + # + control = { + Auth-Type := CHAP + } + } + +# +# This could just as well be "%{ldap: query...}" =~ ... +# +# if ("%{User-Name}" =~ "^(b)") { +# reply .= { +# Arap-Password = "Hello, %{1}" +# } +# } + + # + # Execute "3pm", as if it was in-line here. + # +# call 3pm +} + +###################################################################### +# +# The following entries are for example purposes only. +# + +# Insert the attribute at the top of the list. +# +#reply ^= { +# Attribute1 += "Value1" +#} + + +# Insert attribute1 before Attribute2 if found, otherwise it behaves +# like ^= +#reply ^== ( Attribute2 == "Value2" ) { +# Attribute1 += "Value1" +#} + +# ^. and ^.= have the same difference as .= and = +# namely they append the attribute list instead of looking at the +# attribute operators. +# +# Otherwise they are the same. + +# Motivation: +# +# Cisco NAS's will kick users who assign a VRF after assigning an IP +# address. The VRF must come first. +# +# A sample policy to fix this is: +# +policy add_inter_vrf { + # + # If there's a matching lcp:..., + # then add the vrf entry before it. + # + reply ^== ( reply:Cisco-Avpair =~ "lcp:interface-config") { + Cisco-Avpair += "lcp:interface-config=ip vrf forwarding CHL-PRIVATE" + } + + # + # If there's no ip address thingy, + # add ip unnumbered after the vrf stuff. + # + if (!reply:Cisco-Avpair =~ "lcp:interface-config=ip address.*") { + reply $== (reply:Cisco-AVpair == "lcp:interface-config=ip vrf forwarding CHL-PRIVATE") { + Cisco-Avpair += "lcp:interface-config=ip unnumbered l10" + } + } + + # + # No IP address assigned through RADIUS, tell the Cisco + # NAS to assign it from it's own private IP pool. + # + if (!reply:Framed-IP-Address =* "") { + reply = { + Cisco-Avpair += "ip:addr-pool=privatepool" + } + } +} diff --git a/hosts/containers/radius/freeradius/preproxy_users b/hosts/containers/radius/freeradius/preproxy_users new file mode 100644 index 00000000..6b198c94 --- /dev/null +++ b/hosts/containers/radius/freeradius/preproxy_users @@ -0,0 +1,31 @@ +# +# Configuration file for the rlm_files module. +# Please see rlm_files(5) manpage for more information. +# +# $Id: 0f5d15ad8b2e96a4d65808ac949793aab5c1c639 $ +# +# This file is similar to the "users" file. The check items +# are compared against the request, but the "reply" items are +# used to update the proxied packet, not the reply to the NAS. +# +# You can use this file to re-write requests which are about to +# be sent to a home server. +# + +# +# Requests destinated to realm "extisp" are sent to a RADIUS +# home server hosted by an other company which doesn't know about +# the IP addresses of our NASes. Therefore we replace the value of +# the NAS-IP-Address attribute by a unique value we communicated +# to them. +# +#DEFAULT Realm == "extisp" +# NAS-IP-Address := 10.1.2.3 + +# +# For all proxied packets, set the User-Name in the proxied packet +# to the Stripped-User-Name, if it exists. If not, set it to the +# User-Name from the original request. +# +#DEFAULT +# User-Name := `%{Stripped-User-Name:-%{User-Name}}` diff --git a/hosts/containers/radius/freeradius/proxy.conf b/hosts/containers/radius/freeradius/proxy.conf new file mode 100644 index 00000000..f50f1ee0 --- /dev/null +++ b/hosts/containers/radius/freeradius/proxy.conf @@ -0,0 +1,759 @@ +# -*- text -*- +## +## proxy.conf -- proxy radius and realm configuration directives +## +## $Id: 413fc1438f266669a8e8913307f465da190c1ce8 $ + +####################################################################### +# +# Proxy server configuration +# +# This entry controls the servers behaviour towards ALL other servers +# to which it sends proxy requests. +# +proxy server { + # + # Note that as of 2.0, the "synchronous", "retry_delay", + # "retry_count", and "dead_time" have all been deprecated. + # For backwards compatibility, they are are still accepted + # by the server, but they ONLY apply to the old-style realm + # configuration. i.e. realms with "authhost" and/or "accthost" + # entries. + # + # i.e. "retry_delay" and "retry_count" have been replaced + # with per-home-server configuration. See the "home_server" + # example below for details. + # + # i.e. "dead_time" has been replaced with a per-home-server + # "revive_interval". We strongly recommend that this not + # be used, however. The new method is much better. + + # + # In 2.0, the server is always "synchronous", and setting + # "synchronous = no" is impossible. This simplifies the + # server and increases the stability of the network. + # However, it means that the server (i.e. proxy) NEVER + # originates packets. It proxies packets ONLY when it receives + # a packet or a re-transmission from the NAS. If the NAS never + # re-transmits, the proxy never re-transmits, either. This can + # affect fail-over, where a packet does *not* fail over to a + # second home server.. because the NAS never retransmits the + # packet. + # + # If you need to set "synchronous = no", please send a + # message to the list + # explaining why this feature is vital for your network. + + # + # If a realm exists, but there are no live home servers for + # it, we can fall back to using the "DEFAULT" realm. This is + # most useful for accounting, where the server can proxy + # accounting requests to home servers, but if they're down, + # use a DEFAULT realm that is LOCAL (i.e. accthost = LOCAL), + # and then store the packets in the "detail" file. That data + # can be later proxied to the home servers by radrelay, when + # those home servers come back up again. + + # Setting this to "yes" may have issues for authentication. + # i.e. If you are proxying for two different ISP's, and then + # act as a general dial-up for Gric. If one of the first two + # ISP's has their RADIUS server go down, you do NOT want to + # proxy those requests to GRIC. Instead, you probably want + # to just drop the requests on the floor. In that case, set + # this value to 'no'. + # + # allowed values: {yes, no} + # + default_fallback = no + +} + +####################################################################### +# +# Configuration for the proxy realms. +# +# As of 2.0. the old-style "realms" file is deprecated, and is not +# used by FreeRADIUS. +# +# As of 2.0, the "realm" configuration has changed. Instead of +# specifying "authhost" and "accthost" in a realm section, the home +# servers are specified seperately in a "home_server" section. For +# backwards compatibility, you can still use the "authhost" and +# "accthost" directives. If you only have one home server for a +# realm, it is easier to use the old-style configuration. +# +# However, if you have multiple servers for a realm, we STRONGLY +# suggest moving to the new-style configuration. +# +# +# Load-balancing and failover between home servers is handled via +# a "home_server_pool" section. +# +# Finally, The "realm" section defines the realm, some options, and +# indicates which server pool should be used for the realm. +# +# This change means that simple configurations now require multiple +# sections to define a realm. However, complex configurations +# are much simpler than before, as multiple realms can share the same +# server pool. +# +# That is, realms point to server pools, and server pools point to +# home servers. Multiple realms can point to one server pool. One +# server pool can point to multiple home servers. Each home server +# can appear in one or more pools. +# + +###################################################################### +# +# This section defines a "Home Server" which is another RADIUS +# server that gets sent proxied requests. In earlier versions +# of FreeRADIUS, home servers were defined in "realm" sections, +# which was awkward. In 2.0, they have been made independent +# from realms, which is better for a number of reasons. +# +home_server localhost { + # + # Home servers can be sent Access-Request packets + # or Accounting-Request packets. + # + # Allowed values are: + # auth - Handles Access-Request packets + # acct - Handles Accounting-Request packets + # auth+acct - Handles Access-Request packets at "port", + # and Accounting-Request packets at "port + 1" + # coa - Handles CoA-Request and Disconnect-Request packets. + # See also raddb/sites-available/originate-coa + type = auth + + # + # Configure ONE OF the following entries: + # + # IPv4 address + # + ipaddr = 127.0.0.1 + + # OR IPv6 address + # ipv6addr = ::1 + + # OR virtual server + # virtual_server = foo + + # Note that while both ipaddr and ipv6addr will accept + # both addresses and host names, we do NOT recommend + # using host names. When you specify a host name, the + # server has to do a DNS lookup to find the IP address + # of the home server. If the DNS server is slow or + # unresponsive, it means that FreeRADIUS will NOT be + # able to determine the address, and will therefore NOT + # start. + # + # Also, the mapping of host name to address is done ONCE + # when the server starts. If DNS is later updated to + # change the address, FreeRADIUS will NOT discover that + # until after a re-start, or a HUP. + # + # If you specify a virtual_server here, then requests + # will be proxied internally to that virtual server. + # These requests CANNOT be proxied again, however. The + # intent is to have the local server handle packets + # when all home servers are dead. + # + # Requests proxied to a virtual server will be passed + # through the pre-proxy and post-proxy sections, just + # like any other request. See also the sample "realm" + # configuration, below. + # + # None of the rest of the home_server configuration is used + # for the "virtual_server" configuration. + + # + # The port to which packets are sent. + # + # Usually 1812 for type "auth", and 1813 for type "acct". + # Older servers may use 1645 and 1646. + # Use 3799 for type "coa" + # + port = 1812 + + # + # The shared secret use to "encrypt" and "sign" packets between + # FreeRADIUS and the home server. + # + # The secret can be any string, up to 8k characters in length. + # + # Control codes can be entered vi octal encoding, + # e.g. "\101\102" == "AB" + # Quotation marks can be entered by escaping them, + # e.g. "foo\"bar" + # Spaces or other "special" characters can be entered + # by putting quotes around the string. + # e.g. "foo bar" + # "foo;bar" + # + secret = testing123 + + ############################################################ + # + # The rest of the configuration items listed here are optional, + # and do not have to appear in every home server definition. + # + ############################################################ + + # + # You can optionally specify the source IP address used when + # proxying requests to this home server. When the src_ipaddr + # it set, the server will automatically create a proxy + # listener for that IP address. + # + # If you specify this field for one home server, you will + # likely need to specify it for ALL home servers. + # + # If you don't care about the source IP address, leave this + # entry commented. + # +# src_ipaddr = 127.0.0.1 + + # RFC 5080 suggests that all clients SHOULD include it in an + # Access-Request. The configuration item below tells the + # proxying server (i.e. this one) whether or not the home + # server requires a Message-Authenticator attribute. If it + # is required (value set to "yes"), then all Access-Request + # packets sent to that home server will have a + # Message-Authenticator attribute. + # + # We STRONGLY recommend that this flag be set to "yes" + # for ALL home servers. Doing so will have no performance + # impact on the proxy or on the home servers. It will, + # however, allow administrators to detect problems earlier. + # + # allowed values: yes, no + require_message_authenticator = yes + + # + # If the home server does not respond to a request within + # this time, this server will initiate "zombie_period". + # + # The response window is large because responses MAY be slow, + # especially when proxying across the Internet. + # + # Useful range of values: 5 to 60 + response_window = 20 + + # + # If you want the old behavior of the server rejecting + # proxied requests after "response_window" timeout, set + # the following configuration item to "yes". + # + # This configuration WILL be removed in a future release + # If you believe you need it, email the freeradius-users + # list, and explain why it should stay in the server. + # +# no_response_fail = no + + # + # If the home server does not respond to ANY packets during + # the "zombie period", it will be considered to be dead. + # + # A home server that is marked "zombie" will be used for + # proxying as a low priority. If there are live servers, + # they will always be preferred to a zombie. Requests will + # be proxied to a zombie server ONLY when there are no + # live servers. + # + # Any request that is proxied to a home server will continue + # to be sent to that home server until the home server is + # marked dead. At that point, it will fail over to another + # server, if a live server is available. If none is available, + # then the "post-proxy-type fail" handler will be called. + # + # If "status_check" below is something other than "none", then + # the server will start sending status checks at the start of + # the zombie period. It will continue sending status checks + # until the home server is marked "alive". + # + # Useful range of values: 20 to 120 + zombie_period = 40 + + ############################################################ + # + # As of 2.0, FreeRADIUS supports RADIUS layer "status + # checks". These are used by a proxy server to see if a home + # server is alive. + # + # These status packets are sent ONLY if the proxying server + # believes that the home server is dead. They are NOT sent + # if the proxying server believes that the home server is + # alive. They are NOT sent if the proxying server is not + # proxying packets. + # + # If the home server responds to the status check packet, + # then it is marked alive again, and is returned to use. + # + ############################################################ + + # + # Some home servers do not support status checks via the + # Status-Server packet. Others may not have a "test" user + # configured that can be used to query the server, to see if + # it is alive. For those servers, we have NO WAY of knowing + # when it becomes alive again. Therefore, after the server + # has been marked dead, we wait a period of time, and mark + # it alive again, in the hope that it has come back to + # life. + # + # If it has NOT come back to life, then FreeRADIUS will wait + # for "zombie_period" before marking it dead again. During + # the "zombie_period", ALL AUTHENTICATIONS WILL FAIL, because + # the home server is still dead. There is NOTHING that can + # be done about this, other than to enable the status checks, + # as documented below. + # + # e.g. if "zombie_period" is 40 seconds, and "revive_interval" + # is 300 seconds, the for 40 seconds out of every 340, or about + # 10% of the time, all authentications will fail. + # + # If the "zombie_period" and "revive_interval" configurations + # are set smaller, than it is possible for up to 50% of + # authentications to fail. + # + # As a result, we recommend enabling status checks, and + # we do NOT recommend using "revive_interval". + # + # The "revive_interval" is used ONLY if the "status_check" + # entry below is "none". Otherwise, it will not be used, + # and should be deleted. + # + # Useful range of values: 60 to 3600 + revive_interval = 120 + + # + # The proxying server (i.e. this one) can do periodic status + # checks to see if a dead home server has come back alive. + # + # If set to "none", then the other configuration items listed + # below are not used, and the "revive_interval" time is used + # instead. + # + # If set to "status-server", the Status-Server packets are + # sent. Many RADIUS servers support Status-Server. If a + # server does not support it, please contact the server + # vendor and request that they add it. + # + # If set to "request", then Access-Request, or Accounting-Request + # packets are sent, depending on the "type" entry above (auth/acct). + # + # Allowed values: none, status-server, request + status_check = status-server + + # + # If the home server does not support Status-Server packets, + # then the server can still send Access-Request or + # Accounting-Request packets, with a pre-defined user name. + # + # This practice is NOT recommended, as it may potentially let + # users gain network access by using these "test" accounts! + # + # If it is used, we recommend that the home server ALWAYS + # respond to these Access-Request status checks with + # Access-Reject. The status check just needs an answer, it + # does not need an Access-Accept. + # + # For Accounting-Request status checks, only the username + # needs to be set. The rest of the accounting attribute are + # set to default values. The home server that receives these + # accounting packets SHOULD NOT treat them like normal user + # accounting packets. i.e It should probably NOT log them to + # a database. + # + # username = "test_user_please_reject_me" + # password = "this is really secret" + + # + # Configure the interval between sending status check packets. + # + # Setting it too low increases the probability of spurious + # fail-over and fallback attempts. + # + # Useful range of values: 6 to 120 + check_interval = 30 + + # + # Configure the number of status checks in a row that the + # home server needs to respond to before it is marked alive. + # + # If you want to mark a home server as alive after a short + # time period of being responsive, it is best to use a small + # "check_interval", and a large value for + # "num_answers_to_alive". Using a long "check_interval" and + # a small number for "num_answers_to_alive" increases the + # probability of spurious fail-over and fallback attempts. + # + # Useful range of values: 3 to 10 + num_answers_to_alive = 3 + + # + # Limit the total number of outstanding packets to the home + # server. + # + # if ((#request sent) - (#requests received)) > max_outstanding + # then stop sending more packets to the home server + # + # This lets us gracefully fall over when the home server + # is overloaded. + max_outstanding = 65536 + + # + # The configuration items in the next sub-section are used ONLY + # when "type = coa". It is ignored for all other type of home + # servers. + # + # See RFC 5080 for the definitions of the following terms. + # RAND is a function (internal to FreeRADIUS) returning + # random numbers between -0.1 and +0.1 + # + # First Re-transmit occurs after: + # + # RT = IRT + RAND*IRT + # + # Subsequent Re-transmits occur after: + # + # RT = 2 * RTprev + RAND * RTprev + # + # Re-trasnmits are capped at: + # + # if (MRT && (RT > MRT)) RT = MRT + RAND * MRT + # + # For a maximum number of attempts: MRC + # + # For a maximum (total) period of time: MRD. + # + coa { + # Initial retransmit interval: 1..5 + irt = 2 + + # Maximum Retransmit Timeout: 1..30 (0 == no maximum) + mrt = 16 + + # Maximum Retransmit Count: 1..20 (0 == retransmit forever) + mrc = 5 + + # Maximum Retransmit Duration: 5..60 + mrd = 30 + } +} + +# Sample virtual home server. +# +# +#home_server virtual.example.com { +# virtual_server = virtual.example.com +#} + +###################################################################### +# +# This section defines a pool of home servers that is used +# for fail-over and load-balancing. In earlier versions of +# FreeRADIUS, fail-over and load-balancing were defined per-realm. +# As a result, if a server had 5 home servers, each of which served +# the same 10 realms, you would need 50 "realm" entries. +# +# In version 2.0, you would need 5 "home_server" sections, +# 10 'realm" sections, and one "home_server_pool" section to tie the +# two together. +# +home_server_pool my_auth_failover { + # + # The type of this pool controls how home servers are chosen. + # + # fail-over - the request is sent to the first live + # home server in the list. i.e. If the first home server + # is marked "dead", the second one is chosen, etc. + # + # load-balance - the least busy home server is chosen, + # where "least busy" is counted by taking the number of + # requests sent to that home server, and subtracting the + # number of responses received from that home server. + # + # If there are two or more servers with the same low + # load, then one of those servers is chosen at random. + # This configuration is most similar to the old + # "round-robin" method, though it is not exactly the same. + # + # Note that load balancing does not work well with EAP, + # as EAP requires packets for an EAP conversation to be + # sent to the same home server. The load balancing method + # does not keep state in between packets, meaning that + # EAP packets for the same conversation may be sent to + # different home servers. This will prevent EAP from + # working. + # + # For non-EAP authentication methods, and for accounting + # packets, we recommend using "load-balance". It will + # ensure the highest availability for your network. + # + # client-balance - the home server is chosen by hashing the + # source IP address of the packet. If that home server + # is down, the next one in the list is used, just as + # with "fail-over". + # + # There is no way of predicting which source IP will map + # to which home server. + # + # This configuration is most useful to do simple load + # balancing for EAP sessions, as the EAP session will + # always be sent to the same home server. + # + # client-port-balance - the home server is chosen by hashing + # the source IP address and source port of the packet. + # If that home server is down, the next one in the list + # is used, just as with "fail-over". + # + # This method provides slightly better load balancing + # for EAP sessions than "client-balance". However, it + # also means that authentication and accounting packets + # for the same session MAY go to different home servers. + # + # keyed-balance - the home server is chosen by hashing (FNV) + # the contents of the Load-Balance-Key attribute from the + # control items. The request is then sent to home server + # chosen by taking: + # + # server = (hash % num_servers_in_pool). + # + # If there is no Load-Balance-Key in the control items, + # the load balancing method is identical to "load-balance". + # + # For most non-EAP authentication methods, The User-Name + # attribute provides a good key. An "unlang" policy can + # be used to copy the User-Name to the Load-Balance-Key + # attribute. This method may not work for EAP sessions, + # as the User-Name outside of the TLS tunnel is often + # static, e.g. "anonymous@realm". + # + # + # The default type is fail-over. + type = fail-over + + # + # A virtual_server may be specified here. If so, the + # "pre-proxy" and "post-proxy" sections are called when + # the request is proxied, and when a response is received. + # + # This lets you have one policy for all requests that are proxied + # to a home server. This policy is completely independent of + # any policies used to receive, or process the request. + # + #virtual_server = pre_post_proxy_for_pool + + # + # Next, a list of one or more home servers. The names + # of the home servers are NOT the hostnames, but the names + # of the sections. (e.g. home_server foo {...} has name "foo". + # + # Note that ALL home servers listed here have to be of the same + # type. i.e. they all have to be "auth", or they all have to + # be "acct", or the all have to be "auth+acct". + # + home_server = localhost + + # Additional home servers can be listed. + # There is NO LIMIT to the number of home servers that can + # be listed, though using more than 10 or so will become + # difficult to manage. + # + # home_server = foo.example.com + # home_server = bar.example.com + # home_server = baz.example.com + # home_server = ... + + + # + # If ALL home servers are dead, then this "fallback" home server + # is used. If set, it takes precedence over any realm-based + # fallback, such as the DEFAULT realm. + # + # For reasons of stability, this home server SHOULD be a virtual + # server. Otherwise, the fallback may itself be dead! + # + #fallback = virtual.example.com +} + +###################################################################### +# +# +# This section defines a new-style "realm". Note the in version 2.0, +# there are many fewer configuration items than in 1.x for a realm. +# +# Automatic proxying is done via the "realms" module (see "man +# rlm_realm"). To manually proxy the request put this entry in the +# "users" file: + +# +# +#DEFAULT Proxy-To-Realm := "realm_name" +# +# +realm example.com { + # + # Realms point to pools of home servers. +# + # For authentication, the "auth_pool" configuration item + # should point to a "home_server_pool" that was previously + # defined. All of the home servers in the "auth_pool" must + # be of type "auth". + # + # For accounting, the "acct_pool" configuration item + # should point to a "home_server_pool" that was previously + # defined. All of the home servers in the "acct_pool" must + # be of type "acct". + # + # If you have a "home_server_pool" where all of the home servers + # are of type "auth+acct", you can just use the "pool" + # configuration item, instead of specifying both "auth_pool" + # and "acct_pool". + + auth_pool = my_auth_failover +# acct_pool = acct + + # + # Normally, when an incoming User-Name is matched against the + # realm, the realm name is "stripped" off, and the "stripped" + # user name is used to perform matches. + # + # e.g. User-Name = "bob@example.com" will result in two new + # attributes being created by the "realms" module: + # + # Stripped-User-Name = "bob" + # Realm = "example.com" + # + # The Stripped-User-Name is then used as a key in the "users" + # file, for example. + # + # If you do not want this to happen, uncomment "nostrip" below. + # + # nostrip + + # There are no more configuration entries for a realm. +} + + +# +# This is a sample entry for iPass. +# Note that you have to define "ipass_auth_pool" and +# "ipass_acct_pool", along with home_servers for them, too. +# +#realm IPASS { +# nostrip +# +# auth_pool = ipass_auth_pool +# acct_pool = ipass_acct_pool +#} + +# +# This realm is used mainly to cancel proxying. You can have +# the "realm suffix" module configured to proxy all requests for +# a realm, and then later cancel the proxying, based on other +# configuration. +# +# For example, you want to terminate PEAP or EAP-TTLS locally, +# you can add the following to the "users" file: +# +# DEFAULT EAP-Type == PEAP, Proxy-To-Realm := LOCAL +# +realm LOCAL { + # If we do not specify a server pool, the realm is LOCAL, and + # requests are not proxied to it. +} + +# +# This realm is for requests which don't have an explicit realm +# prefix or suffix. User names like "bob" will match this one. +# +#realm NULL { +# authhost = radius.company.com:1600 +# accthost = radius.company.com:1601 +# secret = testing123 +#} + +# +# This realm is for ALL OTHER requests. +# +#realm DEFAULT { +# authhost = radius.company.com:1600 +# accthost = radius.company.com:1601 +# secret = testing123 +#} + + +# This realm "proxies" requests internally to a virtual server. +# The pre-proxy and post-proxy sections are run just as with any +# other kind of home server. The virtual server then receives +# the request, and replies, just as with any other packet. +# +# Once proxied internally like this, the request CANNOT be proxied +# internally or externally. +# +#realm virtual.example.com { +# virtual_server = virtual.example.com +#} +# + +# +# Regular expressions may also be used as realm names. If these are used, +# then the "find matching realm" process is as follows: +# +# 1) Look for a non-regex realm with an *exact* match for the name. +# If found, it is used in preference to any regex matching realm. +# +# 2) Look for a regex realm, in the order that they are listed +# in the configuration files. Any regex match is performed in +# a case-insensitive fashion. +# +# 3) If no realm is found, return the DEFAULT realm, if any. +# +# The order of the realms matters in step (2). For example, defining +# two realms ".*\.example.net$" and ".*\.test\.example\.net$" will result in +# the second realm NEVER matching. This is because all of the realms +# which match the second regex also match the first one. Since the +# first regex matches, it is returned. +# +# The solution is to list the realms in the opposite order,. e.g. +# ".*\.test\.example.net$", followed by ".*\.example\.net$". +# +# +# Some helpful rules: +# +# - always place a '~' character at the start of the realm name. +# This signifies that it is a regex match, and not an exact match +# for the realm. +# +# - place the regex in double quotes. This helps the configuration +# file parser ignore any "special" characters in the regex. +# Yes, this rule is different than the normal "unlang" rules for +# regular expressions. That may be fixed in a future release. +# +# - use two back-slashes '\\' whenever you need one backslash in the +# regex. e.g. "~.*\\.example\\.net$", and not "~\.example\.net$". +# This is because the regex is in a double-quoted string, and normal +# rules apply for double-quoted strings. +# +# - If you are matching domain names, use two backslashes in front of +# every '.' (dot or period). This is because '.' has special meaning +# in a regular expression: match any character. If you do not do this, +# then "~.*.example.net$" will match "fooXexampleYnet", which is likely +# not what you want +# +# - If you are matching domain names, put a '$' at the end of the regex +# that matches the domain name. This tells the regex matching code +# that the realm ENDS with the domain name, so it does not match +# realms with the domain name in the middle. e.g. "~.*\\.example\\.net" +# will match "test.example.netFOO", which is likely not what you want. +# Using "~(.*\\.)example\\.net$" is better. +# +# The more regex realms that are defined, the more time it takes to +# process them. You should define as few regex realms as possible +# in order to maximize server performance. +# +#realm "~(.*\\.)*example\\.net$" { +# auth_pool = my_auth_failover +#} diff --git a/hosts/containers/radius/freeradius/radiusd.conf b/hosts/containers/radius/freeradius/radiusd.conf new file mode 100644 index 00000000..9020886d --- /dev/null +++ b/hosts/containers/radius/freeradius/radiusd.conf @@ -0,0 +1,865 @@ +# -*- text -*- +## +## radiusd.conf -- FreeRADIUS server configuration file. +## +## http://www.freeradius.org/ +## $Id: 201b70b31b5bb4c2ef98c102690daa3462d5e1e3 $ +## + +###################################################################### +# +# Read "man radiusd" before editing this file. See the section +# titled DEBUGGING. It outlines a method where you can quickly +# obtain the configuration you want, without running into +# trouble. +# +# Run the server in debugging mode, and READ the output. +# +# $ radiusd -X +# +# We cannot emphasize this point strongly enough. The vast +# majority of problems can be solved by carefully reading the +# debugging output, which includes warnings about common issues, +# and suggestions for how they may be fixed. +# +# There may be a lot of output, but look carefully for words like: +# "warning", "error", "reject", or "failure". The messages there +# will usually be enough to guide you to a solution. +# +# If you are going to ask a question on the mailing list, then +# explain what you are trying to do, and include the output from +# debugging mode (radiusd -X). Failure to do so means that all +# of the responses to your question will be people telling you +# to "post the output of radiusd -X". + +###################################################################### +# +# The location of other config files and logfiles are declared +# in this file. +# +# Also general configuration for modules can be done in this +# file, it is exported through the API to modules that ask for +# it. +# +# See "man radiusd.conf" for documentation on the format of this +# file. Note that the individual configuration items are NOT +# documented in that "man" page. They are only documented here, +# in the comments. +# +# As of 2.0.0, FreeRADIUS supports a simple processing language +# in the "authorize", "authenticate", "accounting", etc. sections. +# See "man unlang" for details. +# + +prefix = /usr +exec_prefix = /usr +sysconfdir = /etc +localstatedir = /var +sbindir = ${exec_prefix}/sbin +logdir = /var/log/freeradius +raddbdir = /etc/freeradius +radacctdir = ${logdir}/radacct + +# +# name of the running server. See also the "-n" command-line option. +name = freeradius + +# Location of config and logfiles. +confdir = ${raddbdir} +run_dir = ${localstatedir}/run/${name} + +# Should likely be ${localstatedir}/lib/radiusd +db_dir = ${raddbdir} + +# +# libdir: Where to find the rlm_* modules. +# +# This should be automatically set at configuration time. +# +# If the server builds and installs, but fails at execution time +# with an 'undefined symbol' error, then you can use the libdir +# directive to work around the problem. +# +# The cause is usually that a library has been installed on your +# system in a place where the dynamic linker CANNOT find it. When +# executing as root (or another user), your personal environment MAY +# be set up to allow the dynamic linker to find the library. When +# executing as a daemon, FreeRADIUS MAY NOT have the same +# personalized configuration. +# +# To work around the problem, find out which library contains that symbol, +# and add the directory containing that library to the end of 'libdir', +# with a colon separating the directory names. NO spaces are allowed. +# +# e.g. libdir = /usr/local/lib:/opt/package/lib +# +# You can also try setting the LD_LIBRARY_PATH environment variable +# in a script which starts the server. +# +# If that does not work, then you can re-configure and re-build the +# server to NOT use shared libraries, via: +# +# ./configure --disable-shared +# make +# make install +# +libdir = /usr/lib/freeradius + +# pidfile: Where to place the PID of the RADIUS server. +# +# The server may be signalled while it's running by using this +# file. +# +# This file is written when ONLY running in daemon mode. +# +# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid` +# +pidfile = ${run_dir}/${name}.pid + +# chroot: directory where the server does "chroot". +# +# The chroot is done very early in the process of starting the server. +# After the chroot has been performed it switches to the "user" listed +# below (which MUST be specified). If "group" is specified, it switchs +# to that group, too. Any other groups listed for the specified "user" +# in "/etc/group" are also added as part of this process. +# +# The current working directory (chdir / cd) is left *outside* of the +# chroot until all of the modules have been initialized. This allows +# the "raddb" directory to be left outside of the chroot. Once the +# modules have been initialized, it does a "chdir" to ${logdir}. This +# means that it should be impossible to break out of the chroot. +# +# If you are worried about security issues related to this use of chdir, +# then simply ensure that the "raddb" directory is inside of the chroot, +# end be sure to do "cd raddb" BEFORE starting the server. +# +# If the server is statically linked, then the only files that have +# to exist in the chroot are ${run_dir} and ${logdir}. If you do the +# "cd raddb" as discussed above, then the "raddb" directory has to be +# inside of the chroot directory, too. +# +#chroot = /path/to/chroot/directory + +# user/group: The name (or #number) of the user/group to run radiusd as. +# +# If these are commented out, the server will run as the user/group +# that started it. In order to change to a different user/group, you +# MUST be root ( or have root privleges ) to start the server. +# +# We STRONGLY recommend that you run the server with as few permissions +# as possible. That is, if you're not using shadow passwords, the +# user and group items below should be set to radius'. +# +# NOTE that some kernels refuse to setgid(group) when the value of +# (unsigned)group is above 60000; don't use group nobody on these systems! +# +# On systems with shadow passwords, you might have to set 'group = shadow' +# for the server to be able to read the shadow password file. If you can +# authenticate users while in debug mode, but not in daemon mode, it may be +# that the debugging mode server is running as a user that can read the +# shadow info, and the user listed below can not. +# +# The server will also try to use "initgroups" to read /etc/groups. +# It will join all groups where "user" is a member. This can allow +# for some finer-grained access controls. +# +user = freerad +group = freerad + +# panic_action: Command to execute if the server dies unexpectedly. +# +# FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT. +# AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS. +# AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART. +# +# The panic action is a command which will be executed if the server +# receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS, +# SIGABRT or SIGFPE. +# +# This can be used to start an interactive debugging session so +# that information regarding the current state of the server can +# be acquired. +# +# The following string substitutions are available: +# - %e The currently executing program e.g. /sbin/radiusd +# - %p The PID of the currently executing program e.g. 12345 +# +# Standard ${} substitutions are also allowed. +# +# An example panic action for opening an interactive session in GDB would be: +# +#panic_action = "gdb %e %p" +# +# Again, don't use that on a production system. +# +# An example panic action for opening an automated session in GDB would be: +# +#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p > ${logdir}/gdb-%e-%p.log 2>&1" +# +# That command can be used on a production system. +# + +# max_request_time: The maximum time (in seconds) to handle a request. +# +# Requests which take more time than this to process may be killed, and +# a REJECT message is returned. +# +# WARNING: If you notice that requests take a long time to be handled, +# then this MAY INDICATE a bug in the server, in one of the modules +# used to handle a request, OR in your local configuration. +# +# This problem is most often seen when using an SQL database. If it takes +# more than a second or two to receive an answer from the SQL database, +# then it probably means that you haven't indexed the database. See your +# SQL server documentation for more information. +# +# Useful range of values: 5 to 120 +# +max_request_time = 30 + +# cleanup_delay: The time to wait (in seconds) before cleaning up +# a reply which was sent to the NAS. +# +# The RADIUS request is normally cached internally for a short period +# of time, after the reply is sent to the NAS. The reply packet may be +# lost in the network, and the NAS will not see it. The NAS will then +# re-send the request, and the server will respond quickly with the +# cached reply. +# +# If this value is set too low, then duplicate requests from the NAS +# MAY NOT be detected, and will instead be handled as seperate requests. +# +# If this value is set too high, then the server will cache too many +# requests, and some new requests may get blocked. (See 'max_requests'.) +# +# Useful range of values: 2 to 10 +# +cleanup_delay = 5 + +# max_requests: The maximum number of requests which the server keeps +# track of. This should be 256 multiplied by the number of clients. +# e.g. With 4 clients, this number should be 1024. +# +# If this number is too low, then when the server becomes busy, +# it will not respond to any new requests, until the 'cleanup_delay' +# time has passed, and it has removed the old requests. +# +# If this number is set too high, then the server will use a bit more +# memory for no real benefit. +# +# If you aren't sure what it should be set to, it's better to set it +# too high than too low. Setting it to 1000 per client is probably +# the highest it should be. +# +# Useful range of values: 256 to infinity +# +max_requests = 1024 + +# listen: Make the server listen on a particular IP address, and send +# replies out from that address. This directive is most useful for +# hosts with multiple IP addresses on one interface. +# +# If you want the server to listen on additional addresses, or on +# additionnal ports, you can use multiple "listen" sections. +# +# Each section make the server listen for only one type of packet, +# therefore authentication and accounting have to be configured in +# different sections. +# +# The server ignore all "listen" section if you are using '-i' and '-p' +# on the command line. +# +listen { + # Type of packets to listen for. + # Allowed values are: + # auth listen for authentication packets + # acct listen for accounting packets + # proxy IP to use for sending proxied packets + # detail Read from the detail file. For examples, see + # raddb/sites-available/copy-acct-to-home-server + # status listen for Status-Server packets. For examples, + # see raddb/sites-available/status + # coa listen for CoA-Request and Disconnect-Request + # packets. For examples, see the file + # raddb/sites-available/coa + # + type = auth + + # Note: "type = proxy" lets you control the source IP used for + # proxying packets, with some limitations: + # + # * A proxy listener CANNOT be used in a virtual server section. + # * You should probably set "port = 0". + # * Any "clients" configuration will be ignored. + # + # See also proxy.conf, and the "src_ipaddr" configuration entry + # in the sample "home_server" section. When you specify the + # source IP address for packets sent to a home server, the + # proxy listeners are automatically created. + + # IP address on which to listen. + # Allowed values are: + # dotted quad (1.2.3.4) + # hostname (radius.example.com) + # wildcard (*) + ipaddr = * + + # OR, you can use an IPv6 address, but not both + # at the same time. +# ipv6addr = :: # any. ::1 == localhost + + # Port on which to listen. + # Allowed values are: + # integer port number (1812) + # 0 means "use /etc/services for the proper port" + port = 0 + + # Some systems support binding to an interface, in addition + # to the IP address. This feature isn't strictly necessary, + # but for sites with many IP addresses on one interface, + # it's useful to say "listen on all addresses for eth0". + # + # If your system does not support this feature, you will + # get an error if you try to use it. + # +# interface = eth0 + + # Per-socket lists of clients. This is a very useful feature. + # + # The name here is a reference to a section elsewhere in + # radiusd.conf, or clients.conf. Having the name as + # a reference allows multiple sockets to use the same + # set of clients. + # + # If this configuration is used, then the global list of clients + # is IGNORED for this "listen" section. Take care configuring + # this feature, to ensure you don't accidentally disable a + # client you need. + # + # See clients.conf for the configuration of "per_socket_clients". + # +# clients = per_socket_clients +} + +# This second "listen" section is for listening on the accounting +# port, too. +# +listen { + ipaddr = * +# ipv6addr = :: + port = 0 + type = acct +# interface = eth0 +# clients = per_socket_clients +} + +# hostname_lookups: Log the names of clients or just their IP addresses +# e.g., www.freeradius.org (on) or 206.47.27.232 (off). +# +# The default is 'off' because it would be overall better for the net +# if people had to knowingly turn this feature on, since enabling it +# means that each client request will result in AT LEAST one lookup +# request to the nameserver. Enabling hostname_lookups will also +# mean that your server may stop randomly for 30 seconds from time +# to time, if the DNS requests take too long. +# +# Turning hostname lookups off also means that the server won't block +# for 30 seconds, if it sees an IP address which has no name associated +# with it. +# +# allowed values: {no, yes} +# +hostname_lookups = no + +# Core dumps are a bad thing. This should only be set to 'yes' +# if you're debugging a problem with the server. +# +# allowed values: {no, yes} +# +allow_core_dumps = no + +# Regular expressions +# +# These items are set at configure time. If they're set to "yes", +# then setting them to "no" turns off regular expression support. +# +# If they're set to "no" at configure time, then setting them to "yes" +# WILL NOT WORK. It will give you an error. +# +regular_expressions = yes +extended_expressions = yes + +# +# Logging section. The various "log_*" configuration items +# will eventually be moved here. +# +log { + # + # Destination for log messages. This can be one of: + # + # files - log to "file", as defined below. + # syslog - to syslog (see also the "syslog_facility", below. + # stdout - standard output + # stderr - standard error. + # + # The command-line option "-X" over-rides this option, and forces + # logging to go to stdout. + # + destination = files + + # + # The logging messages for the server are appended to the + # tail of this file if destination == "files" + # + # If the server is running in debugging mode, this file is + # NOT used. + # + file = ${logdir}/radius.log + + # + # If this configuration parameter is set, then log messages for + # a *request* go to this file, rather than to radius.log. + # + # i.e. This is a log file per request, once the server has accepted + # the request as being from a valid client. Messages that are + # not associated with a request still go to radius.log. + # + # Not all log messages in the server core have been updated to use + # this new internal API. As a result, some messages will still + # go to radius.log. Please submit patches to fix this behavior. + # + # The file name is expanded dynamically. You should ONLY user + # server-side attributes for the filename (e.g. things you control). + # Using this feature MAY also slow down the server substantially, + # especially if you do thinks like SQL calls as part of the + # expansion of the filename. + # + # The name of the log file should use attributes that don't change + # over the lifetime of a request, such as User-Name, + # Virtual-Server or Packet-Src-IP-Address. Otherwise, the log + # messages will be distributed over multiple files. + # + # Logging can be enabled for an individual request by a special + # dynamic expansion macro: %{debug: 1}, where the debug level + # for this request is set to '1' (or 2, 3, etc.). e.g. + # + # ... + # update control { + # Tmp-String-0 = "%{debug:1}" + # } + # ... + # + # The attribute that the value is assigned to is unimportant, + # and should be a "throw-away" attribute with no side effects. + # + #requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log + + # + # Which syslog facility to use, if ${destination} == "syslog" + # + # The exact values permitted here are OS-dependent. You probably + # don't want to change this. + # + syslog_facility = daemon + + # Log the full User-Name attribute, as it was found in the request. + # + # allowed values: {no, yes} + # + stripped_names = no + + # Log authentication requests to the log file. + # + # allowed values: {no, yes} + # + auth = no + + # Log passwords with the authentication requests. + # auth_badpass - logs password if it's rejected + # auth_goodpass - logs password if it's correct + # + # allowed values: {no, yes} + # + auth_badpass = no + auth_goodpass = no + + # Log additional text at the end of the "Login OK" messages. + # for these to work, the "auth" and "auth_goopass" or "auth_badpass" + # configurations above have to be set to "yes". + # + # The strings below are dynamically expanded, which means that + # you can put anything you want in them. However, note that + # this expansion can be slow, and can negatively impact server + # performance. + # +# msg_goodpass = "" +# msg_badpass = "" +} + +# The program to execute to do concurrency checks. +checkrad = ${sbindir}/checkrad + +# SECURITY CONFIGURATION +# +# There may be multiple methods of attacking on the server. This +# section holds the configuration items which minimize the impact +# of those attacks +# +security { + # + # max_attributes: The maximum number of attributes + # permitted in a RADIUS packet. Packets which have MORE + # than this number of attributes in them will be dropped. + # + # If this number is set too low, then no RADIUS packets + # will be accepted. + # + # If this number is set too high, then an attacker may be + # able to send a small number of packets which will cause + # the server to use all available memory on the machine. + # + # Setting this number to 0 means "allow any number of attributes" + max_attributes = 200 + + # + # reject_delay: When sending an Access-Reject, it can be + # delayed for a few seconds. This may help slow down a DoS + # attack. It also helps to slow down people trying to brute-force + # crack a users password. + # + # Setting this number to 0 means "send rejects immediately" + # + # If this number is set higher than 'cleanup_delay', then the + # rejects will be sent at 'cleanup_delay' time, when the request + # is deleted from the internal cache of requests. + # + # Useful ranges: 1 to 5 + reject_delay = 1 + + # + # status_server: Whether or not the server will respond + # to Status-Server requests. + # + # When sent a Status-Server message, the server responds with + # an Access-Accept or Accounting-Response packet. + # + # This is mainly useful for administrators who want to "ping" + # the server, without adding test users, or creating fake + # accounting packets. + # + # It's also useful when a NAS marks a RADIUS server "dead". + # The NAS can periodically "ping" the server with a Status-Server + # packet. If the server responds, it must be alive, and the + # NAS can start using it for real requests. + # + # See also raddb/sites-available/status + # + status_server = yes + + # + # allow_vulnerable_openssl: Allow the server to start with + # versions of OpenSSL known to have critical vulnerabilities. + # + # This check is based on the version number reported by libssl + # and may not reflect patches applied to libssl by + # distribution maintainers. + # + allow_vulnerable_openssl = no +} + +# PROXY CONFIGURATION +# +# proxy_requests: Turns proxying of RADIUS requests on or off. +# +# The server has proxying turned on by default. If your system is NOT +# set up to proxy requests to another server, then you can turn proxying +# off here. This will save a small amount of resources on the server. +# +# If you have proxying turned off, and your configuration files say +# to proxy a request, then an error message will be logged. +# +# To disable proxying, change the "yes" to "no", and comment the +# $INCLUDE line. +# +# allowed values: {no, yes} +# +proxy_requests = no +$INCLUDE proxy.conf + + +# CLIENTS CONFIGURATION +# +# Client configuration is defined in "clients.conf". +# + +# The 'clients.conf' file contains all of the information from the old +# 'clients' and 'naslist' configuration files. We recommend that you +# do NOT use 'client's or 'naslist', although they are still +# supported. +# +# Anything listed in 'clients.conf' will take precedence over the +# information from the old-style configuration files. +# +$INCLUDE clients.conf + + +# THREAD POOL CONFIGURATION +# +# The thread pool is a long-lived group of threads which +# take turns (round-robin) handling any incoming requests. +# +# You probably want to have a few spare threads around, +# so that high-load situations can be handled immediately. If you +# don't have any spare threads, then the request handling will +# be delayed while a new thread is created, and added to the pool. +# +# You probably don't want too many spare threads around, +# otherwise they'll be sitting there taking up resources, and +# not doing anything productive. +# +# The numbers given below should be adequate for most situations. +# +thread pool { + # Number of servers to start initially --- should be a reasonable + # ballpark figure. + start_servers = 5 + + # Limit on the total number of servers running. + # + # If this limit is ever reached, clients will be LOCKED OUT, so it + # should NOT BE SET TOO LOW. It is intended mainly as a brake to + # keep a runaway server from taking the system with it as it spirals + # down... + # + # You may find that the server is regularly reaching the + # 'max_servers' number of threads, and that increasing + # 'max_servers' doesn't seem to make much difference. + # + # If this is the case, then the problem is MOST LIKELY that + # your back-end databases are taking too long to respond, and + # are preventing the server from responding in a timely manner. + # + # The solution is NOT do keep increasing the 'max_servers' + # value, but instead to fix the underlying cause of the + # problem: slow database, or 'hostname_lookups=yes'. + # + # For more information, see 'max_request_time', above. + # + max_servers = 32 + + # Server-pool size regulation. Rather than making you guess + # how many servers you need, FreeRADIUS dynamically adapts to + # the load it sees, that is, it tries to maintain enough + # servers to handle the current load, plus a few spare + # servers to handle transient load spikes. + # + # It does this by periodically checking how many servers are + # waiting for a request. If there are fewer than + # min_spare_servers, it creates a new spare. If there are + # more than max_spare_servers, some of the spares die off. + # The default values are probably OK for most sites. + # + min_spare_servers = 3 + max_spare_servers = 10 + + # When the server receives a packet, it places it onto an + # internal queue, where the worker threads (configured above) + # pick it up for processing. The maximum size of that queue + # is given here. + # + # When the queue is full, any new packets will be silently + # discarded. + # + # The most common cause of the queue being full is that the + # server is dependent on a slow database, and it has received + # a large "spike" of traffic. When that happens, there is + # very little you can do other than make sure the server + # receives less traffic, or make sure that the database can + # handle the load. + # +# max_queue_size = 65536 + + # There may be memory leaks or resource allocation problems with + # the server. If so, set this value to 300 or so, so that the + # resources will be cleaned up periodically. + # + # This should only be necessary if there are serious bugs in the + # server which have not yet been fixed. + # + # '0' is a special value meaning 'infinity', or 'the servers never + # exit' + max_requests_per_server = 0 +} + +# MODULE CONFIGURATION +# +# The names and configuration of each module is located in this section. +# +# After the modules are defined here, they may be referred to by name, +# in other sections of this configuration file. +# +modules { + # + # Each module has a configuration as follows: + # + # name [ instance ] { + # config_item = value + # ... + # } + # + # The 'name' is used to load the 'rlm_name' library + # which implements the functionality of the module. + # + # The 'instance' is optional. To have two different instances + # of a module, it first must be referred to by 'name'. + # The different copies of the module are then created by + # inventing two 'instance' names, e.g. 'instance1' and 'instance2' + # + # The instance names can then be used in later configuration + # INSTEAD of the original 'name'. See the 'radutmp' configuration + # for an example. + # + + # + # As of 2.0.5, most of the module configurations are in a + # sub-directory. Files matching the regex /[a-zA-Z0-9_.]+/ + # are loaded. The modules are initialized ONLY if they are + # referenced in a processing section, such as authorize, + # authenticate, accounting, pre/post-proxy, etc. + # + $INCLUDE ${confdir}/modules/ + + # Extensible Authentication Protocol + # + # For all EAP related authentications. + # Now in another file, because it is very large. + # + $INCLUDE eap.conf + + # Include another file that has the SQL-related configuration. + # This is another file only because it tends to be big. + # +# $INCLUDE sql.conf + + # + # This module is an SQL enabled version of the counter module. + # + # Rather than maintaining seperate (GDBM) databases of + # accounting info for each counter, this module uses the data + # stored in the raddacct table by the sql modules. This + # module NEVER does any database INSERTs or UPDATEs. It is + # totally dependent on the SQL module to process Accounting + # packets. + # +# $INCLUDE sql/mysql/counter.conf + + # + # IP addresses managed in an SQL table. + # +# $INCLUDE sqlippool.conf +} + +# Instantiation +# +# This section orders the loading of the modules. Modules +# listed here will get loaded BEFORE the later sections like +# authorize, authenticate, etc. get examined. +# +# This section is not strictly needed. When a section like +# authorize refers to a module, it's automatically loaded and +# initialized. However, some modules may not be listed in any +# of the following sections, so they can be listed here. +# +# Also, listing modules here ensures that you have control over +# the order in which they are initalized. If one module needs +# something defined by another module, you can list them in order +# here, and ensure that the configuration will be OK. +# +instantiate { + # + # Allows the execution of external scripts. + # The entire command line (and output) must fit into 253 bytes. + # + # e.g. Framed-Pool = `%{exec:/bin/echo foo}` + exec + + # + # The expression module doesn't do authorization, + # authentication, or accounting. It only does dynamic + # translation, of the form: + # + # Session-Timeout = `%{expr:2 + 3}` + # + # This module needs to be instantiated, but CANNOT be + # listed in any other section. See 'doc/rlm_expr' for + # more information. + # + # rlm_expr is also responsible for registering many + # other xlat functions such as md5, sha1 and lc. + # + # We do not recommend removing it's listing here. + expr + + # + # We add the counter module here so that it registers + # the check-name attribute before any module which sets + # it +# daily + expiration + logintime + + # subsections here can be thought of as "virtual" modules. + # + # e.g. If you have two redundant SQL servers, and you want to + # use them in the authorize and accounting sections, you could + # place a "redundant" block in each section, containing the + # exact same text. Or, you could uncomment the following + # lines, and list "redundant_sql" in the authorize and + # accounting sections. + # + #redundant redundant_sql { + # sql1 + # sql2 + #} +} + +###################################################################### +# +# Policies that can be applied in multiple places are listed +# globally. That way, they can be defined once, and referred +# to multiple times. +# +###################################################################### +$INCLUDE policy.conf + +###################################################################### +# +# Load virtual servers. +# +# This next $INCLUDE line loads files in the directory that +# match the regular expression: /[a-zA-Z0-9_.]+/ +# +# It allows you to define new virtual servers simply by placing +# a file into the raddb/sites-enabled/ directory. +# +$INCLUDE sites-enabled/ + +###################################################################### +# +# All of the other configuration sections like "authorize {}", +# "authenticate {}", "accounting {}", have been moved to the +# the file: +# +# raddb/sites-available/default +# +# This is the "default" virtual server that has the same +# configuration as in version 1.0.x and 1.1.x. The default +# installation enables this virtual server. You should +# edit it to create policies for your local site. +# +# For more documentation on virtual servers, see: +# +# raddb/sites-available/README +# +###################################################################### diff --git a/hosts/containers/radius/freeradius/sites-available/README b/hosts/containers/radius/freeradius/sites-available/README new file mode 100644 index 00000000..55036f0a --- /dev/null +++ b/hosts/containers/radius/freeradius/sites-available/README @@ -0,0 +1,335 @@ +1. Virtual Servers. + + FreeRADIUS 2.0 supports virtual servers. This is probably the +single largest change that is NOT backwards compatible with 1.x. + + The virtual servers do NOT have to be set up with the +"sites-available" and "sites-enabled" directories. You can still have +one "radiusd.conf" file, and put the server configuration there: + + ... + server { + authorize { + ... + } + authenticate { + ... + } + ... + } + ... + + The power of virtual servers lies in their ability to separate +policies. A policy can be placed into a virtual server, where it is +guaranteed to affect only the requests that are passed through that +virtual server. In 1.x, the policies were global, and it sometimes +took much effort to write a policy so that it only applied in certain +limited situations. + + +2. What do we mean by "virtual server"? + + + A virtual server is a (nearly complete) RADIUS server, just like a +configuration for FreeRADIUS 1.x. However, FreeRADIUS can now run +multiple virtual servers at the same time. The virtual servers can +even proxy requests to each other! + + The simplest way to create a virtual server is to take the all of +the request processing sections from radius.conf, ("authorize" , +"authenticate", etc.) and wrap them in a "server {}" block, as above. + + You can create another virtual server by: + + 1) defining a new "server foo {...}" section in radiusd.conf + 2) Putting the normal "authorize", etc. sections inside of it + 3) Adding a "listen" section *inside* of the "server" section. + + e.g. + + ... + server foo { + listen { + ipaddr = 127.0.0.1 + port = 2000 + type = auth + } + + authorize { + update control { + Cleartext-Password := "bob" + } + pap + } + + authenticate { + pap + } + } + ... + + With that text added to "radiusd.conf", run the server in debugging +mode (radiusd -X), and in another terminal window, type: + +$ radtest bob bob localhost:2000 0 testing123 + + You should see the server return an Access-Accept. + + +3. Capabilities and limitations + + + The only sub-sections that can appear in a virtual server section +are: + + listen + client + authorize + authenticate + post-auth + pre-proxy + post-proxy + preacct + accounting + session + + All other configuration parameters (modules, etc.) are global. + + Inside of a virtual server, the authorize, etc. sections have their +normal meaning, and can contain anything that an authorize section +could contain in 1.x. + + When a "listen" section is inside of a virtual server definition, it +means that all requests sent to that IP/port will be processed through +the virtual server. There cannot be two "listen" sections with the +same IP address and port number. + + When a "client" section is inside of a virtual server definition, it +means that that client is known only to the "listen" sections that are +also inside of that virtual server. Not only is this client +definition available only to this virtual server, but the details of +the client configuration is also available only to this virtual +server. + + i.e. Two virtual servers can listen on different IP address and +ports, but both can have a client with IP address 127.0.0.1. The +shared secret for that client can be different for each virtual +server. + + +4. More complex "listen" capabilities + + The "listen" sections have a few additional configuration items that +were not in 1.x, and were not mentioned above. These configuration +items enable almost any mapping of IP / port to clients to virtual +servers. + + The configuration items are: + + virtual_server = + + If set, all requests sent to this IP / port are processed + through the named virtual server. + + This directive can be used only for "listen" sections + that are global. i.e. It CANNOT be used if the + "listen" section is inside of a virtual server. + + clients = + + If set, the "listen" section looks for a "clients" section: + + clients { + ... + } + + It looks inside of that named "clients" section for + "client" subsections, at least one of which must + exist. Each client in that section is added to the + list of known clients for this IP / port. No other + clients are known. + + If it is set, it over-rides the list of clients (if + any) in the same virtual server. Note that the + clients are NOT additive! + + If it is not set, then the clients from the current + virtual server (if any) are used. If there are no + clients in this virtual server, then the global + clients are used. + + i.e. The most specific directive is used: + * configuration in this "listen" section + * clients in the same virtual server + * global clients + + The directives are also *exclusive*, not *additive*. + If you have one client in a virtual server, and + another client referenced from a "listen" section, + then that "listen" section will ONLY use the second + client. It will NOT use both clients. + + +5. More complex "client" capabilities + + The "client" sections have a few additional configuration items that +were not in 1.x, and were not mentioned above. These configuration +items enable almost any mapping of IP / port to clients to virtual +servers. + + The configuration items are: + + virtual_server = + + If set, all requests from this client are processed + through the named virtual server. + + This directive can be used only for "client" sections + that are global. i.e. It CANNOT be used if the + "client" section is inside of a virtual server. + + If the "listen" section has a "server" entry, and a matching +client is found ALSO with a "server" entry, then the clients server is +used for that request. + + +6. Worked examples + + + Listening on one socket, and mapping requests from two clients to +two different servers. + + listen { + ... + } + client one { + ... + virtual_server = server_one + } + client two { + ... + virtual_server = server_two + } + server server_one { + authorize { + ... + } + ... + } + server server_two { + authorize { + ... + } + ... + } + + This could also be done as: + + + listen { + ... + virtual_server = server_one + } + client one { + ... + } + client two { + ... + virtual_server = server_two + } + server server_one { + authorize { + ... + } + ... + } + server server_two { + authorize { + ... + } + ... + } + + In this case, the default server for the socket is "server_one", so +there is no need to set that in the client "one" configuration. The +"server_two" configuration for client "two" over-rides the default +setting for the socket. + + Note that the following configuration will NOT work: + + listen { + ... + virtual_server = server_one + } + client one { + ... + } + server server_one { + authorize { + ... + } + ... + } + server server_two { + client two { + ... + } + authorize { + ... + } + ... + } + + In this example, client "two" is hidden inside of the virtual +server, where the "listen" section cannot find it. + + +7. Outlined examples + + This section outlines a number of examples, with alternatives. + + One server, multiple sockets + - multiple "listen" sections in a "server" section + + one server per client + - define multiple servers + - have a global "listen" section + - have multiple global "clients", each with "virtual_server = X" + + two servers, each with their own sockets + - define multiple servers + - put "client" sections into each "server" + - put a "listen" section into each "server" + + Each server can list the same client IP, and the secret + can be different + + two sockets, sharing a list of clients, but pointing to different servers + - define global "listen" sections + - in each, set "virtual_server = X" + - in each, set "clients = Y" + - define "clients Y" section, containing multiple clients. + + This also means that you can have a third socket, which + doesn't share any of these clients. + + +8. How to decide what to do + + + If you want *completely* separate policies for a socket or a client, +then create a separate virtual server. Then, map the request to that +server by setting configuration entries in a "listen" section or in a +"client" section. + + Start off with the common cases first. If most of the clients +and/or sockets get a particular policy, make that policy the default. +Configure it without paying attention to the sockets or clients you +want to add later, and without adding a second virtual server. Once +it works, then add the second virtual server. + + If you want to re-use the previously defined sockets with the second +virtual server, then you will need one or more global "client" +sections. Those clients will contain a "virtual_server = ..." entry +that will direct requests from those clients to the appropriate +virtual server. diff --git a/hosts/containers/radius/freeradius/sites-available/buffered-sql b/hosts/containers/radius/freeradius/sites-available/buffered-sql new file mode 100644 index 00000000..cdfcfca0 --- /dev/null +++ b/hosts/containers/radius/freeradius/sites-available/buffered-sql @@ -0,0 +1,129 @@ +# -*- text -*- +###################################################################### +# +# In 2.0.0, radrelay functionality is integrated into the +# server core. This virtual server gives an example of +# using radrelay functionality inside of the server. +# +# In this example, the detail file is read, and the data +# is put into SQL. This configuration is used when a RADIUS +# server on this machine is receiving accounting packets, +# and writing them to the detail file. +# +# The purpose of this virtual server is to de-couple the storage +# of long-term accounting data in SQL from "live" information +# needed by the RADIUS server as it is running. +# +# The benefit of this approach is that for a busy server, the +# overhead of performing SQL qeuries may be significant. Also, +# if the SQL databases are large (as is typical for ones storing +# months of data), the INSERTs and UPDATEs may take a relatively +# long time. Rather than slowing down the RADIUS server by +# having it interact with a database, you can just log the +# packets to a detail file, and then read that file later at a +# time when the RADIUS server is typically lightly loaded. +# +# If you use on virtual server to log to the detail file, +# and another virtual server (i.e. this one) to read from +# the detail file, then this process will happen automatically. +# A sudden spike of RADIUS traffic means that the detail file +# will grow in size, and the server will be able to handle +# large volumes of traffic quickly. When the traffic dies down, +# the server will have time to read the detail file, and insert +# the data into a long-term SQL database. +# +# $Id: 3f64cbb500cdda5014157e4776e871419f0b64df $ +# +###################################################################### + +server buffered-sql { + listen { + type = detail + + # The location where the detail file is located. + # This should be on local disk, and NOT on an NFS + # mounted location! + filename = "${radacctdir}/detail-*" + + # + # The server can read accounting packets from the + # detail file much more quickly than those packets + # can be written to a database. If the database is + # overloaded, then bad things can happen. + # + # The server will keep track of how long it takes to + # process an entry from the detail file. It will + # then pause between handling entries. This pause + # allows databases to "catch up", and gives the + # server time to notice that other packets may have + # arrived. + # + # The pause is calculated dynamically, to ensure that + # the load due to reading the detail files is limited + # to a small percentage of CPU time. The + # "load_factor" configuration item is a number + # between 1 and 100. The server will try to keep the + # percentage of time taken by "detail" file entries + # to "load_factor" percentage of the CPU time. + # + # If the "load_factor" is set to 100, then the server + # will read packets as fast as it can, usually + # causing databases to go into overload. + # + load_factor = 10 + + # + # Set the interval for polling the detail file. + # If the detail file doesn't exist, the server will + # wake up, and poll for it every N seconds. + # + # Useful range of values: 1 to 60 + poll_interval = 1 + + # + # Set the retry interval for when the home server + # does not respond. The current packet will be + # sent repeatedly, at this interval, until the + # home server responds. + # + # Useful range of values: 5 to 30 + retry_interval = 30 + + } + + # + # Pre-accounting. Decide which accounting type to use. + # + preacct { + preprocess + + # + # Ensure that we have a semi-unique identifier for every + # request, and many NAS boxes are broken. + acct_unique + + # + # Read the 'acct_users' file. This isn't always + # necessary, and can be deleted if you do not use it. + files + } + + # + # Accounting. Log the accounting data. + # + accounting { + # + # Log traffic to an SQL database. + # + # See "Accounting queries" in sql.conf + # sql + + + # Cisco VoIP specific bulk accounting + # pgsql-voip + + } + + # The requests are not being proxied, so no pre/post-proxy + # sections are necessary. +} diff --git a/hosts/containers/radius/freeradius/sites-available/coa b/hosts/containers/radius/freeradius/sites-available/coa new file mode 100644 index 00000000..8aaa492c --- /dev/null +++ b/hosts/containers/radius/freeradius/sites-available/coa @@ -0,0 +1,43 @@ +# -*- text -*- +###################################################################### +# +# Sample virtual server for receiving a CoA or Disconnect-Request packet. +# + +# Listen on the CoA port. +# +# This uses the normal set of clients, with the same secret as for +# authentication and accounting. +# +listen { + type = coa + ipaddr = * + port = 3799 + server = coa +} + +server coa { + # When a packet is received, it is processed through the + # recv-coa section. This applies to *both* CoA-Request and + # Disconnect-Request packets. + recv-coa { + # CoA && Disconnect packets can be proxied in the same + # way as authentication or accounting packets. + # Just set Proxy-To-Realm, or Home-Server-Pool, and the + # packets will be proxied. + + # Insert your own policies here. + ok + } + + # When a packet is sent, it is processed through the + # recv-coa section. This applies to *both* CoA-Request and + # Disconnect-Request packets. + send-coa { + # Sample module. + ok + } + + # You can use pre-proxy and post-proxy sections here, too. + # They will be processed for sending && receiving proxy packets. +} diff --git a/hosts/containers/radius/freeradius/sites-available/control-socket b/hosts/containers/radius/freeradius/sites-available/control-socket new file mode 100644 index 00000000..4675e1e7 --- /dev/null +++ b/hosts/containers/radius/freeradius/sites-available/control-socket @@ -0,0 +1,73 @@ +# -*- text -*- +###################################################################### +# +# Control socket interface. +# +# In the future, we will add username/password checking for +# connections to the control socket. We will also add +# command authorization, where the commands entered by the +# administrator are run through a virtual server before +# they are executed. +# +# For now, anyone who has permission to connect to the socket +# has nearly complete control over the server. Be warned! +# +# This functionality is NOT enabled by default. +# +# See also the "radmin" program, which is used to communicate +# with the server over the control socket. +# +# $Id: 6a6f2b9428713083720b145d12c90b9747510ec1 $ +# +###################################################################### +listen { + # + # Listen on the control socket. + # + type = control + + # + # Socket location. + # + # This file is created with the server's uid and gid. + # It's permissions are r/w for that user and group, and + # no permissions for "other" users. These permissions form + # minimal security, and should not be relied on. + # + socket = ${run_dir}/${name}.sock + + # + # The following two parameters perform authentication and + # authorization of connections to the control socket. + # + # If not set, then ANYONE can connect to the control socket, + # and have complete control over the server. This is likely + # not what you want. + # + # One, or both, of "uid" and "gid" should be set. If set, the + # corresponding value is checked. Unauthorized users result + # in an error message in the log file, and the connection is + # closed. + # + + # + # Name of user that is allowed to connect to the control socket. + # +# uid = radius + + # + # Name of group that is allowed to connect to the control socket. + # +# gid = radius + + # + # Access mode. + # + # This can be used to give *some* administrators access to + # monitor the system, but not to change it. + # + # ro = read only access (default) + # rw = read/write access. + # +# mode = rw +} diff --git a/hosts/containers/radius/freeradius/sites-available/copy-acct-to-home-server b/hosts/containers/radius/freeradius/sites-available/copy-acct-to-home-server new file mode 100644 index 00000000..e8c95c9f --- /dev/null +++ b/hosts/containers/radius/freeradius/sites-available/copy-acct-to-home-server @@ -0,0 +1,171 @@ +# -*- text -*- +###################################################################### +# +# In 2.0.0, radrelay functionality is integrated into the +# server core. This virtual server gives an example of +# using radrelay functionality inside of the server. +# +# In this example, the detail file is read, and the packets +# are proxied to a home server. You will have to configure +# realms, home_server_pool, and home_server in proxy.conf +# for this to work. +# +# The purpose of this virtual server is to enable duplication +# of information across a load-balanced, or fail-over set of +# servers. For example, if a group of clients lists two +# home servers (primary, secondary), then RADIUS accounting +# messages will go only to one server at a time. This file +# configures a server (primary, secondary) to send copies of +# the accounting information to each other. +# +# That way, each server has the same set of information, and +# can make the same decision about the user. +# +# $Id: 5f9a522f0b02178a956f63145b6b43c427260ce0 $ +# +###################################################################### + +server copy-acct-to-home-server { + listen { + type = detail + + ###################################################### + # + # !!!! WARNING !!!! + # + # The detail file reader acts just like a NAS. + # + # This means that if accounting fails, the packet + # is re-tried FOREVER. It is YOUR responsibility + # to write an accounting policy that returns "ok" + # if the packet was processed properly, "fail" on + # a database error, AND "ok" if you want to ignore + # the packet (e.g. no Acct-Status-Type). + # + # Neither the detail file write OR the detail file + # reader look at the contents of the packets. They + # just either dump the packet verbatim to the file, + # or read it verbatim from the file and pass it to + # the server. + # + ###################################################### + + + # The location where the detail file is located. + # This should be on local disk, and NOT on an NFS + # mounted location! + # + # On most systems, this should support file globbing + # e.g. "${radacctdir}/detail-*:*" + # This lets you write many smaller detail files as in + # the example in radiusd.conf: ".../detail-%Y%m%d:%H" + # Writing many small files is often better than writing + # one large file. File globbing also means that with + # a common naming scheme for detail files, then you can + # have many detail file writers, and only one reader. + filename = ${radacctdir}/detail + + # + # The server can read accounting packets from the + # detail file much more quickly than those packets + # can be written to a database. If the database is + # overloaded, then bad things can happen. + # + # The server will keep track of how long it takes to + # process an entry from the detail file. It will + # then pause between handling entries. This pause + # allows databases to "catch up", and gives the + # server time to notice that other packets may have + # arrived. + # + # The pause is calculated dynamically, to ensure that + # the load due to reading the detail files is limited + # to a small percentage of CPU time. The + # "load_factor" configuration item is a number + # between 1 and 100. The server will try to keep the + # percentage of time taken by "detail" file entries + # to "load_factor" percentage of the CPU time. + # + # If the "load_factor" is set to 100, then the server + # will read packets as fast as it can, usually + # causing databases to go into overload. + # + load_factor = 10 + } + + # + # Pre-accounting. Decide which accounting type to use. + # + preacct { + preprocess + + # Since we're just proxying, we don't need acct_unique. + + # + # Look for IPASS-style 'realm/', and if not found, look for + # '@realm', and decide whether or not to proxy, based on + # that. + # + # Accounting requests are generally proxied to the same + # home server as authentication requests. + # IPASS + suffix + # ntdomain + + # + # Read the 'acct_users' file. This isn't always + # necessary, and can be deleted if you do not use it. + files + } + + # + # Accounting. Log the accounting data. + # + accounting { + # + # Since we're proxying, we don't log anything + # locally. Ensure that the accounting section + # "succeeds" by forcing an "ok" return. + ok + } + + + # + # When the server decides to proxy a request to a home server, + # the proxied request is first passed through the pre-proxy + # stage. This stage can re-write the request, or decide to + # cancel the proxy. + # + # Only a few modules currently have this method. + # + pre-proxy { + # attr_rewrite + + # If you want to have a log of packets proxied to a home + # server, un-comment the following line, and the + # 'detail pre_proxy_log' section in radiusd.conf. + # pre_proxy_log + } + + # + # When the server receives a reply to a request it proxied + # to a home server, the request may be massaged here, in the + # post-proxy stage. + # + post-proxy { + # + + # If you want to have a log of replies from a home + # server, un-comment the following line, and the + # 'detail post_proxy_log' section in radiusd.conf. + # post_proxy_log + + # attr_rewrite + + # Uncomment the following line if you want to filter + # replies from remote proxies based on the rules + # defined in the 'attrs' file. + + # attr_filter + } +} diff --git a/hosts/containers/radius/freeradius/sites-available/decoupled-accounting b/hosts/containers/radius/freeradius/sites-available/decoupled-accounting new file mode 100644 index 00000000..a9119312 --- /dev/null +++ b/hosts/containers/radius/freeradius/sites-available/decoupled-accounting @@ -0,0 +1,140 @@ +# -*- text -*- +###################################################################### +# +# This is a sample configuration for "decoupled" accounting. +# "Decoupled" accounting is where the accounting packets are +# NOT written "live" to the back-end database. This method +# can only be used if you are not interested in "live" +# accounting. i.e. Where you can tolerate delays that may be +# a few seconds, before accounting packets get written to +# the DB. +# +# Oddly enough, this method can speed up the processing of +# accounting packets, as all database activity is serialized. +# +# This file is NOT meant to be used as-is. It needs to be +# edited to match your local configuration. +# +# $Id: 199258dd7f3b3a5f3ce23d0a82798b256c85af66 $ +# +###################################################################### + +# Define a virtual server to write the accounting packets. +# Any "listen" section that listens on an accounting port should +# set "virtual_server = write-detail.example.com +server write_detail.example.com { + accounting { + # + # Write the "detail" files. + # + # See raddb/modules/detail.example.com for more info. + detail.example.com + } + + # That's it! +} + +# Define a virtual server to process the accounting packets. +server read-detail.example.com { + # Read accounting packets from the detail file(s) for + # the home server. + listen { + type = detail + filename = "${radacctdir}/detail.example.com/detail-*:*" + load_factor = 10 + } + + # All packets read from the detail file are processed through + # the preacct && accounting sections. + # + # The following text is copied verbatim from sites-available/default. + # You should edit it for your own local configuration. + +# +# Pre-accounting. Decide which accounting type to use. +# +preacct { + preprocess + + # + # Ensure that we have a semi-unique identifier for every + # request, and many NAS boxes are broken. + acct_unique + + # + # Look for IPASS-style 'realm/', and if not found, look for + # '@realm', and decide whether or not to proxy, based on + # that. + # + # Accounting requests are generally proxied to the same + # home server as authentication requests. +# IPASS + suffix +# ntdomain + + # + # Read the 'acct_users' file + files +} + +# +# Accounting. Log the accounting data. +# +accounting { + # + # Create a 'detail'ed log of the packets. + # Note that accounting requests which are proxied + # are also logged in the detail file. + detail +# daily + + # Update the wtmp file + # + # If you don't use "radlast", you can delete this line. + unix + + # + # For Simultaneous-Use tracking. + # + # Due to packet losses in the network, the data here + # may be incorrect. There is little we can do about it. + radutmp +# sradutmp + + # Return an address to the IP Pool when we see a stop record. +# main_pool + + # + # Log traffic to an SQL database. + # + # NOTE! You will have to ensure that any accounting packets + # NOT handled by the SQL module (e.g. "stop with zero session length" + # result in the accounting section still returning "ok". + # + # Otherwise, the server will think that the accounting packet + # was NOT handled properly, and will keep trying to process it + # through this virtual server! + # + # See "Accounting queries" in sql.conf +# sql + + # + # Instead of sending the query to the SQL server, + # write it into a log file. + # +# sql_log + + # Cisco VoIP specific bulk accounting +# pgsql-voip + + # Filter attributes from the accounting response. + attr_filter.accounting_response + + # + # See "Autz-Type Status-Server" for how this works. + # +# Acct-Type Status-Server { +# +# } +} +} diff --git a/hosts/containers/radius/freeradius/sites-available/default b/hosts/containers/radius/freeradius/sites-available/default new file mode 100644 index 00000000..48c26aad --- /dev/null +++ b/hosts/containers/radius/freeradius/sites-available/default @@ -0,0 +1,661 @@ +###################################################################### +# +# As of 2.0.0, FreeRADIUS supports virtual hosts using the +# "server" section, and configuration directives. +# +# Virtual hosts should be put into the "sites-available" +# directory. Soft links should be created in the "sites-enabled" +# directory to these files. This is done in a normal installation. +# +# If you are using 802.1X (EAP) authentication, please see also +# the "inner-tunnel" virtual server. You wll likely have to edit +# that, too, for authentication to work. +# +# $Id: 520ccbc90f3a09cd6a80e1e3b16000b7ba94d884 $ +# +###################################################################### +# +# Read "man radiusd" before editing this file. See the section +# titled DEBUGGING. It outlines a method where you can quickly +# obtain the configuration you want, without running into +# trouble. See also "man unlang", which documents the format +# of this file. +# +# This configuration is designed to work in the widest possible +# set of circumstances, with the widest possible number of +# authentication methods. This means that in general, you should +# need to make very few changes to this file. +# +# The best way to configure the server for your local system +# is to CAREFULLY edit this file. Most attempts to make large +# edits to this file will BREAK THE SERVER. Any edits should +# be small, and tested by running the server with "radiusd -X". +# Once the edits have been verified to work, save a copy of these +# configuration files somewhere. (e.g. as a "tar" file). Then, +# make more edits, and test, as above. +# +# There are many "commented out" references to modules such +# as ldap, sql, etc. These references serve as place-holders. +# If you need the functionality of that module, then configure +# it in radiusd.conf, and un-comment the references to it in +# this file. In most cases, those small changes will result +# in the server being able to connect to the DB, and to +# authenticate users. +# +###################################################################### + +# +# In 1.x, the "authorize", etc. sections were global in +# radiusd.conf. As of 2.0, they SHOULD be in a server section. +# +# The server section with no virtual server name is the "default" +# section. It is used when no server name is specified. +# +# We don't indent the rest of this file, because doing so +# would make it harder to read. +# + +# Authorization. First preprocess (hints and huntgroups files), +# then realms, and finally look in the "users" file. +# +# Any changes made here should also be made to the "inner-tunnel" +# virtual server. +# +# The order of the realm modules will determine the order that +# we try to find a matching realm. +# +# Make *sure* that 'preprocess' comes before any realm if you +# need to setup hints for the remote radius server +authorize { + # + # Security settings. Take a User-Name, and do some simple + # checks on it, for spaces and other invalid characters. If + # it looks like the user is trying to play games, reject it. + # + # This should probably be enabled by default. + # + # See policy.conf for the definition of the filter_username policy. + # +# filter_username + + # + # The preprocess module takes care of sanitizing some bizarre + # attributes in the request, and turning them into attributes + # which are more standard. + # + # It takes care of processing the 'raddb/hints' and the + # 'raddb/huntgroups' files. + preprocess + + # + # If you want to have a log of authentication requests, + # un-comment the following line, and the 'detail auth_log' + # section, above. +# auth_log + + # + # The chap module will set 'Auth-Type := CHAP' if we are + # handling a CHAP request and Auth-Type has not already been set + chap + + # + # If the users are logging in with an MS-CHAP-Challenge + # attribute for authentication, the mschap module will find + # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' + # to the request, which will cause the server to then use + # the mschap module for authentication. + mschap + + # + # If you have a Cisco SIP server authenticating against + # FreeRADIUS, uncomment the following line, and the 'digest' + # line in the 'authenticate' section. + digest + + # + # The WiMAX specification says that the Calling-Station-Id + # is 6 octets of the MAC. This definition conflicts with + # RFC 3580, and all common RADIUS practices. Un-commenting + # the "wimax" module here means that it will fix the + # Calling-Station-Id attribute to the normal format as + # specified in RFC 3580 Section 3.21 +# wimax + + # + # Look for IPASS style 'realm/', and if not found, look for + # '@realm', and decide whether or not to proxy, based on + # that. +# IPASS + + # + # If you are using multiple kinds of realms, you probably + # want to set "ignore_null = yes" for all of them. + # Otherwise, when the first style of realm doesn't match, + # the other styles won't be checked. + # + suffix +# ntdomain + + # + # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP + # authentication. + # + # It also sets the EAP-Type attribute in the request + # attribute list to the EAP type from the packet. + # + # As of 2.0, the EAP module returns "ok" in the authorize stage + # for TTLS and PEAP. In 1.x, it never returned "ok" here, so + # this change is compatible with older configurations. + # + # The example below uses module failover to avoid querying all + # of the following modules if the EAP module returns "ok". + # Therefore, your LDAP and/or SQL servers will not be queried + # for the many packets that go back and forth to set up TTLS + # or PEAP. The load on those servers will therefore be reduced. + # + eap { + ok = return + } + + # + # Pull crypt'd passwords from /etc/passwd or /etc/shadow, + # using the system API's to get the password. If you want + # to read /etc/passwd or /etc/shadow directly, see the + # passwd module in radiusd.conf. + # +# unix + + # + # Read the 'users' file + files + + # + # Look in an SQL database. The schema of the database + # is meant to mirror the "users" file. + # + # See "Authorization Queries" in sql.conf +# sql + + # + # If you are using /etc/smbpasswd, and are also doing + # mschap authentication, the un-comment this line, and + # configure the 'smbpasswd' module. +# smbpasswd + + # + # The ldap module will set Auth-Type to LDAP if it has not + # already been set +# ldap + + # + # Enforce daily limits on time spent logged in. +# daily + + # + # Use the checkval module +# checkval + + expiration + logintime + + # + # If no other module has claimed responsibility for + # authentication, then try to use PAP. This allows the + # other modules listed above to add a "known good" password + # to the request, and to do nothing else. The PAP module + # will then see that password, and use it to do PAP + # authentication. + # + # This module should be listed last, so that the other modules + # get a chance to set Auth-Type for themselves. + # + pap + + # + # If "status_server = yes", then Status-Server messages are passed + # through the following section, and ONLY the following section. + # This permits you to do DB queries, for example. If the modules + # listed here return "fail", then NO response is sent. + # +# Autz-Type Status-Server { +# +# } +} + + +# Authentication. +# +# +# This section lists which modules are available for authentication. +# Note that it does NOT mean 'try each module in order'. It means +# that a module from the 'authorize' section adds a configuration +# attribute 'Auth-Type := FOO'. That authentication type is then +# used to pick the apropriate module from the list below. +# + +# In general, you SHOULD NOT set the Auth-Type attribute. The server +# will figure it out on its own, and will do the right thing. The +# most common side effect of erroneously setting the Auth-Type +# attribute is that one authentication method will work, but the +# others will not. +# +# The common reasons to set the Auth-Type attribute by hand +# is to either forcibly reject the user (Auth-Type := Reject), +# or to or forcibly accept the user (Auth-Type := Accept). +# +# Note that Auth-Type := Accept will NOT work with EAP. +# +# Please do not put "unlang" configurations into the "authenticate" +# section. Put them in the "post-auth" section instead. That's what +# the post-auth section is for. +# +authenticate { + # + # PAP authentication, when a back-end database listed + # in the 'authorize' section supplies a password. The + # password can be clear-text, or encrypted. + Auth-Type PAP { + pap + } + + # + # Most people want CHAP authentication + # A back-end database listed in the 'authorize' section + # MUST supply a CLEAR TEXT password. Encrypted passwords + # won't work. + Auth-Type CHAP { + chap + } + + # + # MSCHAP authentication. + Auth-Type MS-CHAP { + mschap + } + + # + # If you have a Cisco SIP server authenticating against + # FreeRADIUS, uncomment the following line, and the 'digest' + # line in the 'authorize' section. + digest + + # + # Pluggable Authentication Modules. +# pam + + # + # See 'man getpwent' for information on how the 'unix' + # module checks the users password. Note that packets + # containing CHAP-Password attributes CANNOT be authenticated + # against /etc/passwd! See the FAQ for details. + # + # For normal "crypt" authentication, the "pap" module should + # be used instead of the "unix" module. The "unix" module should + # be used for authentication ONLY for compatibility with legacy + # FreeRADIUS configurations. + # + unix + + # Uncomment it if you want to use ldap for authentication + # + # Note that this means "check plain-text password against + # the ldap database", which means that EAP won't work, + # as it does not supply a plain-text password. +# Auth-Type LDAP { +# ldap +# } + + # + # Allow EAP authentication. + eap + + # + # The older configurations sent a number of attributes in + # Access-Challenge packets, which wasn't strictly correct. + # If you want to filter out these attributes, uncomment + # the following lines. + # +# Auth-Type eap { +# eap { +# handled = 1 +# } +# if (handled && (Response-Packet-Type == Access-Challenge)) { +# attr_filter.access_challenge.post-auth +# handled # override the "updated" code from attr_filter +# } +# } +} + + +# +# Pre-accounting. Decide which accounting type to use. +# +preacct { + preprocess + + # + # Session start times are *implied* in RADIUS. + # The NAS never sends a "start time". Instead, it sends + # a start packet, *possibly* with an Acct-Delay-Time. + # The server is supposed to conclude that the start time + # was "Acct-Delay-Time" seconds in the past. + # + # The code below creates an explicit start time, which can + # then be used in other modules. + # + # The start time is: NOW - delay - session_length + # + +# update request { +# FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" +# } + + + # + # Ensure that we have a semi-unique identifier for every + # request, and many NAS boxes are broken. + acct_unique + + # + # Look for IPASS-style 'realm/', and if not found, look for + # '@realm', and decide whether or not to proxy, based on + # that. + # + # Accounting requests are generally proxied to the same + # home server as authentication requests. +# IPASS + suffix +# ntdomain + + # + # Read the 'acct_users' file + files +} + +# +# Accounting. Log the accounting data. +# +accounting { + # + # Create a 'detail'ed log of the packets. + # Note that accounting requests which are proxied + # are also logged in the detail file. + detail +# daily + + # Update the wtmp file + # + # If you don't use "radlast", you can delete this line. +# unix + + # + # For Simultaneous-Use tracking. + # + # Due to packet losses in the network, the data here + # may be incorrect. There is little we can do about it. +# radutmp +# sradutmp + + # Return an address to the IP Pool when we see a stop record. +# main_pool + + # + # Log traffic to an SQL database. + # + # See "Accounting queries" in sql.conf +# sql + + # + # If you receive stop packets with zero session length, + # they will NOT be logged in the database. The SQL module + # will print a message (only in debugging mode), and will + # return "noop". + # + # You can ignore these packets by uncommenting the following + # three lines. Otherwise, the server will not respond to the + # accounting request, and the NAS will retransmit. + # +# if (noop) { +# ok +# } + + # + # Instead of sending the query to the SQL server, + # write it into a log file. + # +# sql_log + + # Cisco VoIP specific bulk accounting +# pgsql-voip + + # For Exec-Program and Exec-Program-Wait + exec + + # Filter attributes from the accounting response. + attr_filter.accounting_response + + # + # See "Autz-Type Status-Server" for how this works. + # +# Acct-Type Status-Server { +# +# } +} + + +# Session database, used for checking Simultaneous-Use. Either the radutmp +# or rlm_sql module can handle this. +# The rlm_sql module is *much* faster +session { + radutmp + + # + # See "Simultaneous Use Checking Queries" in sql.conf +# sql +} + + +# Post-Authentication +# Once we KNOW that the user has been authenticated, there are +# additional steps we can take. +post-auth { + # Get an address from the IP Pool. +# main_pool + + # + # If you want to have a log of authentication replies, + # un-comment the following line, and the 'detail reply_log' + # section, above. +# reply_log + + # + # After authenticating the user, do another SQL query. + # + # See "Authentication Logging Queries" in sql.conf +# sql + + # + # Instead of sending the query to the SQL server, + # write it into a log file. + # +# sql_log + + # + # Un-comment the following if you have set + # 'edir_account_policy_check = yes' in the ldap module sub-section of + # the 'modules' section. + # +# ldap + + # For Exec-Program and Exec-Program-Wait + exec + + # + # Calculate the various WiMAX keys. In order for this to work, + # you will need to define the WiMAX NAI, usually via + # + # update request { + # WiMAX-MN-NAI = "%{User-Name}" + # } + # + # If you want various keys to be calculated, you will need to + # update the reply with "template" values. The module will see + # this, and replace the template values with the correct ones + # taken from the cryptographic calculations. e.g. + # + # update reply { + # WiMAX-FA-RK-Key = 0x00 + # WiMAX-MSK = "%{EAP-MSK}" + # } + # + # You may want to delete the MS-MPPE-*-Keys from the reply, + # as some WiMAX clients behave badly when those attributes + # are included. See "raddb/modules/wimax", configuration + # entry "delete_mppe_keys" for more information. + # +# wimax + + # If there is a client certificate (EAP-TLS, sometimes PEAP + # and TTLS), then some attributes are filled out after the + # certificate verification has been performed. These fields + # MAY be available during the authentication, or they may be + # available only in the "post-auth" section. + # + # The first set of attributes contains information about the + # issuing certificate which is being used. The second + # contains information about the client certificate (if + # available). +# +# update reply { +# Reply-Message += "%{TLS-Cert-Serial}" +# Reply-Message += "%{TLS-Cert-Expiration}" +# Reply-Message += "%{TLS-Cert-Subject}" +# Reply-Message += "%{TLS-Cert-Issuer}" +# Reply-Message += "%{TLS-Cert-Common-Name}" +# Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}" +# +# Reply-Message += "%{TLS-Client-Cert-Serial}" +# Reply-Message += "%{TLS-Client-Cert-Expiration}" +# Reply-Message += "%{TLS-Client-Cert-Subject}" +# Reply-Message += "%{TLS-Client-Cert-Issuer}" +# Reply-Message += "%{TLS-Client-Cert-Common-Name}" +# Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}" +# } + + # MacSEC requires the use of EAP-Key-Name. However, we don't + # want to send it for all EAP sessions. Therefore, the EAP + # modules put required data into the EAP-Session-Id attribute. + # This attribute is never put into a request or reply packet. + # + # Uncomment the next few lines to copy the required data into + # the EAP-Key-Name attribute +# if (reply:EAP-Session-Id) { +# update reply { +# EAP-Key-Name := "%{reply:EAP-Session-Id}" +# } +# } + + # If the WiMAX module did it's work, you may want to do more + # things here, like delete the MS-MPPE-*-Key attributes. + # + # if (updated) { + # update reply { + # MS-MPPE-Recv-Key !* 0x00 + # MS-MPPE-Send-Key !* 0x00 + # } + # } + + # + # Access-Reject packets are sent through the REJECT sub-section of the + # post-auth section. + # + # Add the ldap module name (or instance) if you have set + # 'edir_account_policy_check = yes' in the ldap module configuration + # + Post-Auth-Type REJECT { + # log failed authentications in SQL, too. +# sql + + attr_filter.access_reject + } +} + +# +# When the server decides to proxy a request to a home server, +# the proxied request is first passed through the pre-proxy +# stage. This stage can re-write the request, or decide to +# cancel the proxy. +# +# Only a few modules currently have this method. +# +pre-proxy { +# attr_rewrite + + # Uncomment the following line if you want to change attributes + # as defined in the preproxy_users file. +# files + + # Uncomment the following line if you want to filter requests + # sent to remote servers based on the rules defined in the + # 'attrs.pre-proxy' file. +# attr_filter.pre-proxy + + # If you want to have a log of packets proxied to a home + # server, un-comment the following line, and the + # 'detail pre_proxy_log' section, above. +# pre_proxy_log +} + +# +# When the server receives a reply to a request it proxied +# to a home server, the request may be massaged here, in the +# post-proxy stage. +# +post-proxy { + + # If you want to have a log of replies from a home server, + # un-comment the following line, and the 'detail post_proxy_log' + # section, above. +# post_proxy_log + +# attr_rewrite + + # Uncomment the following line if you want to filter replies from + # remote proxies based on the rules defined in the 'attrs' file. +# attr_filter.post-proxy + + # + # If you are proxying LEAP, you MUST configure the EAP + # module, and you MUST list it here, in the post-proxy + # stage. + # + # You MUST also use the 'nostrip' option in the 'realm' + # configuration. Otherwise, the User-Name attribute + # in the proxied request will not match the user name + # hidden inside of the EAP packet, and the end server will + # reject the EAP request. + # + eap + + # + # If the server tries to proxy a request and fails, then the + # request is processed through the modules in this section. + # + # The main use of this section is to permit robust proxying + # of accounting packets. The server can be configured to + # proxy accounting packets as part of normal processing. + # Then, if the home server goes down, accounting packets can + # be logged to a local "detail" file, for processing with + # radrelay. When the home server comes back up, radrelay + # will read the detail file, and send the packets to the + # home server. + # + # With this configuration, the server always responds to + # Accounting-Requests from the NAS, but only writes + # accounting packets to disk if the home server is down. + # +# Post-Proxy-Type Fail { +# detail +# } +} + diff --git a/hosts/containers/radius/freeradius/sites-available/default.DEFAULT b/hosts/containers/radius/freeradius/sites-available/default.DEFAULT new file mode 100644 index 00000000..50299025 --- /dev/null +++ b/hosts/containers/radius/freeradius/sites-available/default.DEFAULT @@ -0,0 +1,660 @@ +###################################################################### +# +# As of 2.0.0, FreeRADIUS supports virtual hosts using the +# "server" section, and configuration directives. +# +# Virtual hosts should be put into the "sites-available" +# directory. Soft links should be created in the "sites-enabled" +# directory to these files. This is done in a normal installation. +# +# If you are using 802.1X (EAP) authentication, please see also +# the "inner-tunnel" virtual server. You wll likely have to edit +# that, too, for authentication to work. +# +# $Id: 520ccbc90f3a09cd6a80e1e3b16000b7ba94d884 $ +# +###################################################################### +# +# Read "man radiusd" before editing this file. See the section +# titled DEBUGGING. It outlines a method where you can quickly +# obtain the configuration you want, without running into +# trouble. See also "man unlang", which documents the format +# of this file. +# +# This configuration is designed to work in the widest possible +# set of circumstances, with the widest possible number of +# authentication methods. This means that in general, you should +# need to make very few changes to this file. +# +# The best way to configure the server for your local system +# is to CAREFULLY edit this file. Most attempts to make large +# edits to this file will BREAK THE SERVER. Any edits should +# be small, and tested by running the server with "radiusd -X". +# Once the edits have been verified to work, save a copy of these +# configuration files somewhere. (e.g. as a "tar" file). Then, +# make more edits, and test, as above. +# +# There are many "commented out" references to modules such +# as ldap, sql, etc. These references serve as place-holders. +# If you need the functionality of that module, then configure +# it in radiusd.conf, and un-comment the references to it in +# this file. In most cases, those small changes will result +# in the server being able to connect to the DB, and to +# authenticate users. +# +###################################################################### + +# +# In 1.x, the "authorize", etc. sections were global in +# radiusd.conf. As of 2.0, they SHOULD be in a server section. +# +# The server section with no virtual server name is the "default" +# section. It is used when no server name is specified. +# +# We don't indent the rest of this file, because doing so +# would make it harder to read. +# + +# Authorization. First preprocess (hints and huntgroups files), +# then realms, and finally look in the "users" file. +# +# Any changes made here should also be made to the "inner-tunnel" +# virtual server. +# +# The order of the realm modules will determine the order that +# we try to find a matching realm. +# +# Make *sure* that 'preprocess' comes before any realm if you +# need to setup hints for the remote radius server +authorize { + # + # Security settings. Take a User-Name, and do some simple + # checks on it, for spaces and other invalid characters. If + # it looks like the user is trying to play games, reject it. + # + # This should probably be enabled by default. + # + # See policy.conf for the definition of the filter_username policy. + # +# filter_username + + # + # The preprocess module takes care of sanitizing some bizarre + # attributes in the request, and turning them into attributes + # which are more standard. + # + # It takes care of processing the 'raddb/hints' and the + # 'raddb/huntgroups' files. + preprocess + + # + # If you want to have a log of authentication requests, + # un-comment the following line, and the 'detail auth_log' + # section, above. +# auth_log + + # + # The chap module will set 'Auth-Type := CHAP' if we are + # handling a CHAP request and Auth-Type has not already been set + chap + + # + # If the users are logging in with an MS-CHAP-Challenge + # attribute for authentication, the mschap module will find + # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' + # to the request, which will cause the server to then use + # the mschap module for authentication. + mschap + + # + # If you have a Cisco SIP server authenticating against + # FreeRADIUS, uncomment the following line, and the 'digest' + # line in the 'authenticate' section. + digest + + # + # The WiMAX specification says that the Calling-Station-Id + # is 6 octets of the MAC. This definition conflicts with + # RFC 3580, and all common RADIUS practices. Un-commenting + # the "wimax" module here means that it will fix the + # Calling-Station-Id attribute to the normal format as + # specified in RFC 3580 Section 3.21 +# wimax + + # + # Look for IPASS style 'realm/', and if not found, look for + # '@realm', and decide whether or not to proxy, based on + # that. +# IPASS + + # + # If you are using multiple kinds of realms, you probably + # want to set "ignore_null = yes" for all of them. + # Otherwise, when the first style of realm doesn't match, + # the other styles won't be checked. + # + suffix +# ntdomain + + # + # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP + # authentication. + # + # It also sets the EAP-Type attribute in the request + # attribute list to the EAP type from the packet. + # + # As of 2.0, the EAP module returns "ok" in the authorize stage + # for TTLS and PEAP. In 1.x, it never returned "ok" here, so + # this change is compatible with older configurations. + # + # The example below uses module failover to avoid querying all + # of the following modules if the EAP module returns "ok". + # Therefore, your LDAP and/or SQL servers will not be queried + # for the many packets that go back and forth to set up TTLS + # or PEAP. The load on those servers will therefore be reduced. + # + eap { + ok = return + } + + # + # Pull crypt'd passwords from /etc/passwd or /etc/shadow, + # using the system API's to get the password. If you want + # to read /etc/passwd or /etc/shadow directly, see the + # passwd module in radiusd.conf. + # +# unix + + # + # Read the 'users' file + files + + # + # Look in an SQL database. The schema of the database + # is meant to mirror the "users" file. + # + # See "Authorization Queries" in sql.conf +# sql + + # + # If you are using /etc/smbpasswd, and are also doing + # mschap authentication, the un-comment this line, and + # configure the 'smbpasswd' module. +# smbpasswd + + # + # The ldap module will set Auth-Type to LDAP if it has not + # already been set +# ldap + + # + # Enforce daily limits on time spent logged in. +# daily + + # + # Use the checkval module +# checkval + + expiration + logintime + + # + # If no other module has claimed responsibility for + # authentication, then try to use PAP. This allows the + # other modules listed above to add a "known good" password + # to the request, and to do nothing else. The PAP module + # will then see that password, and use it to do PAP + # authentication. + # + # This module should be listed last, so that the other modules + # get a chance to set Auth-Type for themselves. + # + pap + + # + # If "status_server = yes", then Status-Server messages are passed + # through the following section, and ONLY the following section. + # This permits you to do DB queries, for example. If the modules + # listed here return "fail", then NO response is sent. + # +# Autz-Type Status-Server { +# +# } +} + + +# Authentication. +# +# +# This section lists which modules are available for authentication. +# Note that it does NOT mean 'try each module in order'. It means +# that a module from the 'authorize' section adds a configuration +# attribute 'Auth-Type := FOO'. That authentication type is then +# used to pick the apropriate module from the list below. +# + +# In general, you SHOULD NOT set the Auth-Type attribute. The server +# will figure it out on its own, and will do the right thing. The +# most common side effect of erroneously setting the Auth-Type +# attribute is that one authentication method will work, but the +# others will not. +# +# The common reasons to set the Auth-Type attribute by hand +# is to either forcibly reject the user (Auth-Type := Reject), +# or to or forcibly accept the user (Auth-Type := Accept). +# +# Note that Auth-Type := Accept will NOT work with EAP. +# +# Please do not put "unlang" configurations into the "authenticate" +# section. Put them in the "post-auth" section instead. That's what +# the post-auth section is for. +# +authenticate { + # + # PAP authentication, when a back-end database listed + # in the 'authorize' section supplies a password. The + # password can be clear-text, or encrypted. + Auth-Type PAP { + pap + } + + # + # Most people want CHAP authentication + # A back-end database listed in the 'authorize' section + # MUST supply a CLEAR TEXT password. Encrypted passwords + # won't work. + Auth-Type CHAP { + chap + } + + # + # MSCHAP authentication. + Auth-Type MS-CHAP { + mschap + } + + # + # If you have a Cisco SIP server authenticating against + # FreeRADIUS, uncomment the following line, and the 'digest' + # line in the 'authorize' section. + digest + + # + # Pluggable Authentication Modules. +# pam + + # + # See 'man getpwent' for information on how the 'unix' + # module checks the users password. Note that packets + # containing CHAP-Password attributes CANNOT be authenticated + # against /etc/passwd! See the FAQ for details. + # + # For normal "crypt" authentication, the "pap" module should + # be used instead of the "unix" module. The "unix" module should + # be used for authentication ONLY for compatibility with legacy + # FreeRADIUS configurations. + # + unix + + # Uncomment it if you want to use ldap for authentication + # + # Note that this means "check plain-text password against + # the ldap database", which means that EAP won't work, + # as it does not supply a plain-text password. +# Auth-Type LDAP { +# ldap +# } + + # + # Allow EAP authentication. + eap + + # + # The older configurations sent a number of attributes in + # Access-Challenge packets, which wasn't strictly correct. + # If you want to filter out these attributes, uncomment + # the following lines. + # +# Auth-Type eap { +# eap { +# handled = 1 +# } +# if (handled && (Response-Packet-Type == Access-Challenge)) { +# attr_filter.access_challenge.post-auth +# handled # override the "updated" code from attr_filter +# } +# } +} + + +# +# Pre-accounting. Decide which accounting type to use. +# +preacct { + preprocess + + # + # Session start times are *implied* in RADIUS. + # The NAS never sends a "start time". Instead, it sends + # a start packet, *possibly* with an Acct-Delay-Time. + # The server is supposed to conclude that the start time + # was "Acct-Delay-Time" seconds in the past. + # + # The code below creates an explicit start time, which can + # then be used in other modules. + # + # The start time is: NOW - delay - session_length + # + +# update request { +# FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" +# } + + + # + # Ensure that we have a semi-unique identifier for every + # request, and many NAS boxes are broken. + acct_unique + + # + # Look for IPASS-style 'realm/', and if not found, look for + # '@realm', and decide whether or not to proxy, based on + # that. + # + # Accounting requests are generally proxied to the same + # home server as authentication requests. +# IPASS + suffix +# ntdomain + + # + # Read the 'acct_users' file + files +} + +# +# Accounting. Log the accounting data. +# +accounting { + # + # Create a 'detail'ed log of the packets. + # Note that accounting requests which are proxied + # are also logged in the detail file. + detail +# daily + + # Update the wtmp file + # + # If you don't use "radlast", you can delete this line. +# unix + + # + # For Simultaneous-Use tracking. + # + # Due to packet losses in the network, the data here + # may be incorrect. There is little we can do about it. +# radutmp +# sradutmp + + # Return an address to the IP Pool when we see a stop record. +# main_pool + + # + # Log traffic to an SQL database. + # + # See "Accounting queries" in sql.conf +# sql + + # + # If you receive stop packets with zero session length, + # they will NOT be logged in the database. The SQL module + # will print a message (only in debugging mode), and will + # return "noop". + # + # You can ignore these packets by uncommenting the following + # three lines. Otherwise, the server will not respond to the + # accounting request, and the NAS will retransmit. + # +# if (noop) { +# ok +# } + + # + # Instead of sending the query to the SQL server, + # write it into a log file. + # +# sql_log + + # Cisco VoIP specific bulk accounting +# pgsql-voip + + # For Exec-Program and Exec-Program-Wait + exec + + # Filter attributes from the accounting response. + attr_filter.accounting_response + + # + # See "Autz-Type Status-Server" for how this works. + # +# Acct-Type Status-Server { +# +# } +} + + +# Session database, used for checking Simultaneous-Use. Either the radutmp +# or rlm_sql module can handle this. +# The rlm_sql module is *much* faster +session { + radutmp + + # + # See "Simultaneous Use Checking Queries" in sql.conf +# sql +} + + +# Post-Authentication +# Once we KNOW that the user has been authenticated, there are +# additional steps we can take. +post-auth { + # Get an address from the IP Pool. +# main_pool + + # + # If you want to have a log of authentication replies, + # un-comment the following line, and the 'detail reply_log' + # section, above. +# reply_log + + # + # After authenticating the user, do another SQL query. + # + # See "Authentication Logging Queries" in sql.conf +# sql + + # + # Instead of sending the query to the SQL server, + # write it into a log file. + # +# sql_log + + # + # Un-comment the following if you have set + # 'edir_account_policy_check = yes' in the ldap module sub-section of + # the 'modules' section. + # +# ldap + + # For Exec-Program and Exec-Program-Wait + exec + + # + # Calculate the various WiMAX keys. In order for this to work, + # you will need to define the WiMAX NAI, usually via + # + # update request { + # WiMAX-MN-NAI = "%{User-Name}" + # } + # + # If you want various keys to be calculated, you will need to + # update the reply with "template" values. The module will see + # this, and replace the template values with the correct ones + # taken from the cryptographic calculations. e.g. + # + # update reply { + # WiMAX-FA-RK-Key = 0x00 + # WiMAX-MSK = "%{EAP-MSK}" + # } + # + # You may want to delete the MS-MPPE-*-Keys from the reply, + # as some WiMAX clients behave badly when those attributes + # are included. See "raddb/modules/wimax", configuration + # entry "delete_mppe_keys" for more information. + # +# wimax + + # If there is a client certificate (EAP-TLS, sometimes PEAP + # and TTLS), then some attributes are filled out after the + # certificate verification has been performed. These fields + # MAY be available during the authentication, or they may be + # available only in the "post-auth" section. + # + # The first set of attributes contains information about the + # issuing certificate which is being used. The second + # contains information about the client certificate (if + # available). +# +# update reply { +# Reply-Message += "%{TLS-Cert-Serial}" +# Reply-Message += "%{TLS-Cert-Expiration}" +# Reply-Message += "%{TLS-Cert-Subject}" +# Reply-Message += "%{TLS-Cert-Issuer}" +# Reply-Message += "%{TLS-Cert-Common-Name}" +# Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}" +# +# Reply-Message += "%{TLS-Client-Cert-Serial}" +# Reply-Message += "%{TLS-Client-Cert-Expiration}" +# Reply-Message += "%{TLS-Client-Cert-Subject}" +# Reply-Message += "%{TLS-Client-Cert-Issuer}" +# Reply-Message += "%{TLS-Client-Cert-Common-Name}" +# Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}" +# } + + # MacSEC requires the use of EAP-Key-Name. However, we don't + # want to send it for all EAP sessions. Therefore, the EAP + # modules put required data into the EAP-Session-Id attribute. + # This attribute is never put into a request or reply packet. + # + # Uncomment the next few lines to copy the required data into + # the EAP-Key-Name attribute +# if (reply:EAP-Session-Id) { +# update reply { +# EAP-Key-Name := "%{reply:EAP-Session-Id}" +# } +# } + + # If the WiMAX module did it's work, you may want to do more + # things here, like delete the MS-MPPE-*-Key attributes. + # + # if (updated) { + # update reply { + # MS-MPPE-Recv-Key !* 0x00 + # MS-MPPE-Send-Key !* 0x00 + # } + # } + + # + # Access-Reject packets are sent through the REJECT sub-section of the + # post-auth section. + # + # Add the ldap module name (or instance) if you have set + # 'edir_account_policy_check = yes' in the ldap module configuration + # + Post-Auth-Type REJECT { + # log failed authentications in SQL, too. +# sql + attr_filter.access_reject + } +} + +# +# When the server decides to proxy a request to a home server, +# the proxied request is first passed through the pre-proxy +# stage. This stage can re-write the request, or decide to +# cancel the proxy. +# +# Only a few modules currently have this method. +# +pre-proxy { +# attr_rewrite + + # Uncomment the following line if you want to change attributes + # as defined in the preproxy_users file. +# files + + # Uncomment the following line if you want to filter requests + # sent to remote servers based on the rules defined in the + # 'attrs.pre-proxy' file. +# attr_filter.pre-proxy + + # If you want to have a log of packets proxied to a home + # server, un-comment the following line, and the + # 'detail pre_proxy_log' section, above. +# pre_proxy_log +} + +# +# When the server receives a reply to a request it proxied +# to a home server, the request may be massaged here, in the +# post-proxy stage. +# +post-proxy { + + # If you want to have a log of replies from a home server, + # un-comment the following line, and the 'detail post_proxy_log' + # section, above. +# post_proxy_log + +# attr_rewrite + + # Uncomment the following line if you want to filter replies from + # remote proxies based on the rules defined in the 'attrs' file. +# attr_filter.post-proxy + + # + # If you are proxying LEAP, you MUST configure the EAP + # module, and you MUST list it here, in the post-proxy + # stage. + # + # You MUST also use the 'nostrip' option in the 'realm' + # configuration. Otherwise, the User-Name attribute + # in the proxied request will not match the user name + # hidden inside of the EAP packet, and the end server will + # reject the EAP request. + # + eap + + # + # If the server tries to proxy a request and fails, then the + # request is processed through the modules in this section. + # + # The main use of this section is to permit robust proxying + # of accounting packets. The server can be configured to + # proxy accounting packets as part of normal processing. + # Then, if the home server goes down, accounting packets can + # be logged to a local "detail" file, for processing with + # radrelay. When the home server comes back up, radrelay + # will read the detail file, and send the packets to the + # home server. + # + # With this configuration, the server always responds to + # Accounting-Requests from the NAS, but only writes + # accounting packets to disk if the home server is down. + # +# Post-Proxy-Type Fail { +# detail +# } +} + diff --git a/hosts/containers/radius/freeradius/sites-available/dhcp b/hosts/containers/radius/freeradius/sites-available/dhcp new file mode 100644 index 00000000..4ac07de4 --- /dev/null +++ b/hosts/containers/radius/freeradius/sites-available/dhcp @@ -0,0 +1,283 @@ +# -*- text -*- +###################################################################### +# +# This is a virtual server that handles DHCP. +# +# !!!! WARNING !!!! +# +# This code is experimental, and SHOULD NOT be used in a +# production system. It is intended for validation and +# experimentation ONLY. +# +# In order for this to work, you will need to run configure: +# +# $ ./configure --with-dhcp +# $ make +# $ vi share/dictionary +# +# ## Un-comment the line containing $INCLUDE dictionary.dhcp +# ## Then, save the file. +# +# $ make install +# +# DHCP is NOT enabled by default. +# +# The goal of this effort is to get the code in front of +# people who are interested in another DHCP server. +# We NEED FEEDBACK, patches, bug reports, etc. Especially patches! +# +# Please contribute, or this work will be nothing more than +# a curiosity. +# +# +# Q: What does it do? +# A: It allows the server to receive DHCP packets, and to +# respond with static, pre-configured DHCP responses. +# +# Q: Does it do static/dynamic IP assignment? +# A: No. Or, maybe. Try it and see. +# +# Q: Does it read ISC configuration or lease files? +# A: No. Please submit patches. +# +# Q: Does it have DHCP feature X? +# A: No. Please submit patches. +# +# Q: Does it support option 82? +# A: Yes. +# +# Q: Does it support other options? +# A: Maybe. See dictionary.dhcp. Please submit patches. +# +# Q: It doesn't seem to do much of anything! +# A: Exactly. +# +# $Id: 33da1f10a67dd38b889300bc998737a268ef0948 $ +# +###################################################################### + +# +# The DHCP functionality goes into a virtual server. +# +server dhcp { + +# Define a DHCP socket. +# +# The default port below is 6700, so you don't break your network. +# If you want it to do real DHCP, change this to 67, and good luck! +# +# You can also bind the DHCP socket to an interface. +# See below, and raddb/radiusd.conf for examples. +# +# This lets you run *one* DHCP server instance and have it listen on +# multiple interfaces, each with a separate policy. +# +# If you have multiple interfaces, it is a good idea to bind the +# listen section to an interface. You will also need one listen +# section per interface. +# +# FreeBSD does *not* support binding sockets to interfaces. Therefore, +# if you have multiple interfaces, broadcasts may go out of the wrong +# one, or even all interfaces. The solution is to use the "setfib" command. +# If you have a network "10.10.0/24" on LAN1, you will need to do: +# +# Pick any IP on the 10.10.0/24 network +# $ setfib 1 route add default 10.10.0.1 +# +# Edit /etc/rc.local, and add a line: +# setfib 1 /path/to/radiusd +# +# The kern must be built with the following options: +# options ROUTETABLES=2 +# or any value larger than 2. +# +# The other only solution is to update FreeRADIUS to use BPF sockets. +# + + # So that we only specify these values once, and then + # use them in all of the listen sections. + port = 6700 + ipaddr = 127.0.0.1 + interface = lo0 + + # When the machine is not Linux, or has only one network + # interface, use the following listener. It receives + # broadcast *and* unicast packets. + listen { + type = dhcp + + ipaddr = * + port = ${..port} + interface = ${..interface} + + # The DHCP server defaults to allowing broadcast packets. + # Set this to "no" only when the server receives *all* packets + # from a relay agent. i.e. when *no* clients are on the same + # LAN as the DHCP server. + # + # It's set to "no" here for testing. + broadcast = no + } + + # When the machine is Linux and has multiple network interfaces, use + # the following two listeners instead of the one above. + + # Listen for broadcasts on a specific interface. + listen { + type = dhcp + ipaddr = 255.255.255.255 + port = ${..port} + interface = ${..interface} + + # + # The source IP for unicast packets is chosen from the first + # one of the following items which returns a valid IP + # address: + # + # src_ipaddr + # ipaddr + # reply:DHCP-Server-IP-Address + # reply:DHCP-DHCP-Server-Identifier + # + # For now, use the parent's "ipaddr", not the one + # in this listen section + # + src_ipaddr = ${..ipaddr} + } + + # Listen for unicasts on an IP, but not bound to any interface. + # This allows Linux systems to receive packets on interface X + # when the IP is associated with interface Y. + # + # Then, define which interface the packets go out of, via + # "src_interface". This means that the outbound packets + # get sent via the correct interface. + listen { + type = dhcp + ipaddr = ${..ipaddr} + port = ${..port} + + # + # When sending unicast responses, this interface is + # used as the source interface. If unset, the value + # is taken from the "interface" field in this + # section. + # + # This interface is also used when adding ARP entries. + # FreeRADIUS doesn't open "raw" network sockets to send + # unicast DHCP responses on the local network. Instead, + # it updates the ARP table for this interface with the + # MAX and IP of the DHCP client. The server can then + # send a normal UDP unicast socket. + # + # NOTE: The server MUST be running as "root" in order + # to update the ARP table. Or, it must have the + # apropriate capabilities added to it after it starts up. + # + src_interface = ${..interface} + } + +# Packets received on the socket will be processed through one +# of the following sections, named after the DHCP packet type. +# See dictionary.dhcp for the packet types. +dhcp DHCP-Discover { + update reply { + DHCP-Message-Type = DHCP-Offer + } + + # The contents here are invented. Change them! + update reply { + DHCP-Domain-Name-Server = 127.0.0.1 + DHCP-Domain-Name-Server = 127.0.0.2 + DHCP-Subnet-Mask = 255.255.255.0 + DHCP-Router-Address = 192.168.1.1 + DHCP-IP-Address-Lease-Time = 86400 + DHCP-DHCP-Server-Identifier = 192.168.1.1 + } + + # Do a simple mapping of MAC to assigned IP. + # + # See below for the definition of the "mac2ip" + # module. + # + #mac2ip + + # If the MAC wasn't found in that list, do something else. + # You could call a Perl, Python, or Java script here. + + #if (notfound) { + # ... + #} + + # Or, allocate IPs from the DHCP pool in SQL. +# dhcp_sqlippool + + ok +} + +dhcp DHCP-Request { + update reply { + DHCP-Message-Type = DHCP-Ack + } + + # The contents here are invented. Change them! + update reply { + DHCP-Domain-Name-Server = 127.0.0.1 + DHCP-Domain-Name-Server = 127.0.0.2 + DHCP-Subnet-Mask = 255.255.255.0 + DHCP-Router-Address = 192.168.1.1 + DHCP-IP-Address-Lease-Time = 86400 + DHCP-DHCP-Server-Identifier = 192.168.1.1 + } + + # Do a simple mapping of MAC to assigned IP. + # + # See below for the definition of the "mac2ip" + # module. + # + #mac2ip + + # If the MAC wasn't found in that list, do something else. + # You could call a Perl, Python, or Java script here. + + #if (notfound) { + # ... + #} + + # Or, allocate IPs from the DHCP pool in SQL. +# dhcp_sqlippool + + ok +} + +# If there's no named section for the packet type, then the packet +# is processed through this section. +dhcp { + # send a DHCP NAK. + reject +} + + +} + +###################################################################### +# +# This next section is a sample configuration for the "passwd" +# module, that reads flat-text files. It should go into +# radiusd.conf, in the "modules" section. +# +# The file is in the format , +# +# 00:01:02:03:04:05,192.168.1.100 +# 01:01:02:03:04:05,192.168.1.101 +# 02:01:02:03:04:05,192.168.1.102 +# +# This lets you perform simple static IP assignment. +# +###################################################################### + +#passwd mac2ip { +# filename = ${confdir}/mac2ip +# format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address" +# delimiter = "," +#} diff --git a/hosts/containers/radius/freeradius/sites-available/dhcp.relay b/hosts/containers/radius/freeradius/sites-available/dhcp.relay new file mode 100644 index 00000000..c78b15d8 --- /dev/null +++ b/hosts/containers/radius/freeradius/sites-available/dhcp.relay @@ -0,0 +1,65 @@ +# -*- text -*- +###################################################################### +# +# This is a virtual server that handles DHCP relaying +# +# Only one server can listen on a socket, so you cannot +# do DHCP relaying && run a DHCP server at the same time. +# +###################################################################### + +server dhcp.eth1 { + # When the machine is not Linux, or has only one network interface, use + # the following listener: + listen { + # Listen for broadcasts + unicast on eth1 + ipaddr = * + port = 67 + type = dhcp + interface = eth1 + } + # When the machine is Linux and has multiple network interfaces, use + # the following listeners instead: + listen { + # Listen for broadcasts on eth1 + ipaddr = 255.255.255.255 + port = 67 + type = dhcp + interface = eth1 + } + listen { + # Listen for unicast on our IP address, not bound to any + # interface but telling on which interface to forward the + # packets to. + ipaddr = 192.0.100.2 + port = 67 + type = dhcp + arp_interface = eth1 + } + + # Packets received on the socket will be processed through one + # of the following sections, named after the DHCP packet type. + # See dictionary.dhcp for the packet types. + dhcp DHCP-Discover { + update config { + # IP Address of the DHCP server + DHCP-Relay-To-IP-Address := 192.0.1.2 + } + update request { + # IP Address of the DHCP relay (eth1) + DHCP-Gateway-IP-Address := 192.0.100.2 + } + ok + } + + dhcp DHCP-Request { + update config { + # IP Address of the DHCP server + DHCP-Relay-To-IP-Address := 192.0.1.2 + } + update request { + DHCP-Gateway-IP-Address := 192.0.100.2 + } + ok + } +} diff --git a/hosts/containers/radius/freeradius/sites-available/dynamic-clients b/hosts/containers/radius/freeradius/sites-available/dynamic-clients new file mode 100644 index 00000000..8a8f7672 --- /dev/null +++ b/hosts/containers/radius/freeradius/sites-available/dynamic-clients @@ -0,0 +1,224 @@ +# -*- text -*- +###################################################################### +# +# Sample configuration file for dynamically updating the list +# of RADIUS clients at run time. +# +# Everything is keyed off of a client "network". (e.g. 192.168/16) +# This configuration lets the server know that clients within +# that network are defined dynamically. +# +# When the server receives a packet from an unknown IP address +# within that network, it tries to find a dynamic definition +# for that client. If the definition is found, the IP address +# (and other configuration) is added to the server's internal +# cache of "known clients", with a configurable lifetime. +# +# Further packets from that IP address result in the client +# definition being found in the cache. Once the lifetime is +# reached, the client definition is deleted, and any new requests +# from that client are looked up as above. +# +# If the dynamic definition is not found, then the request is +# treated as if it came from an unknown client. i.e. It is +# silently discarded. +# +# As part of protection from Denial of Service (DoS) attacks, +# the server will add only one new client per second. This CANNOT +# be changed, and is NOT configurable. +# +# $Id: f8c3cc4ddd4a8e6434911fbcc444715f4ac95912 $ +# +###################################################################### + +# +# Define a network where clients may be dynamically defined. +client dynamic { + ipaddr = 192.168.0.0 + + # + # You MUST specify a netmask! + # IPv4 /32 or IPv6 /128 are NOT allowed! + netmask = 16 + + # + # Any other configuration normally found in a "client" + # entry can be used here. + + # + # A shared secret does NOT have to be defined. It can + # be left out. + + # + # Define the virtual server used to discover dynamic clients. + dynamic_clients = dynamic_client_server + + # + # The directory where client definitions are stored. This + # needs to be used ONLY if the client definitions are stored + # in flat-text files. Each file in that directory should be + # ONE and only one client definition. The name of the file + # should be the IP address of the client. + # + # If you are storing clients in SQL, this entry should not + # be used. +# directory = ${confdir}/dynamic-clients/ + + # + # Define the lifetime (in seconds) for dynamic clients. + # They will be cached for this lifetime, and deleted afterwards. + # + # If the lifetime is "0", then the dynamic client is never + # deleted. The only way to delete the client is to re-start + # the server. + lifetime = 3600 +} + +# +# This is the virtual server referenced above by "dynamic_clients". +server dynamic_client_server { + + # + # The only contents of the virtual server is the "authorize" section. + authorize { + + # + # Put any modules you want here. SQL, LDAP, "exec", + # Perl, etc. The only requirements is that the + # attributes MUST go into the control item list. + # + # The request that is processed through this section + # is EMPTY. There are NO attributes. The request is fake, + # and is NOT the packet that triggered the lookup of + # the dynamic client. + # + # The ONLY piece of useful information is either + # + # Packet-Src-IP-Address (IPv4 clients) + # Packet-Src-IPv6-Address (IPv6 clients) + # + # The attributes used to define a dynamic client mirror + # the configuration items in the "client" structure. + # + + # + # Example 1: Hard-code a client IP. This example is + # useless, but it documents the attributes + # you need. + # + update control { + + # + # Echo the IP address of the client. + FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}" + + # require_message_authenticator + FreeRADIUS-Client-Require-MA = no + + # secret + FreeRADIUS-Client-Secret = "testing123" + + # shortname + FreeRADIUS-Client-Shortname = "%{Packet-Src-IP-Address}" + + # nastype + FreeRADIUS-Client-NAS-Type = "other" + + # virtual_server + # + # This can ONLY be used if the network client + # definition (e.g. "client dynamic" above) has + # NO virtual_server defined. + # + # If the network client definition does have a + # virtual_server defined, then that is used, + # and there is no need to define this attribute. + # + FreeRADIUS-Client-Virtual-Server = "something" + + } + + # + # Example 2: Read the clients from "clients" files + # in a directory. + # + + # This requires you to uncomment the + # "directory" configuration in the + # "client dynamic" configuration above, + # and then put one file per IP address in + # that directory. + # + dynamic_clients + + # + # Example 3: Look the clients up in SQL. + # + # This requires the SQL module to be configured, of course. + if ("%{sql: SELECT nasname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}") { + update control { + # + # Echo the IP. + FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}" + + # + # Do multiple SELECT statements to grab + # the various definitions. + FreeRADIUS-Client-Shortname = "%{sql: SELECT shortname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}" + + FreeRADIUS-Client-Secret = "%{sql: SELECT secret FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}" + + FreeRADIUS-Client-NAS-Type = "%{sql: SELECT type FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}" + + FreeRADIUS-Client-Virtual-Server = "%{sql: SELECT server FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}" + } + + } + + # Do an LDAP lookup in the elements OU, check to see if + # the Packet-Src-IP-Address object has a "ou" + # attribute, if it does continue. Change "ACME.COM" to + # the real OU of your organization. + # + # Assuming the following schema: + # + # OU=Elements,OU=Radius,DC=ACME,DC=COM + # + # Elements will hold a record of every NAS in your + # Network. Create Group objects based on the IP + # Address of the NAS and set the "Location" or "l" + # attribute to the NAS Huntgroup the NAS belongs to + # allow them to be centrally managed in LDAP. + # + # e.g. CN=10.1.2.3,OU=Elements,OU=Radius,DC=ACME,DC=COM + # + # With a "l" value of "CiscoRTR" for a Cisco Router + # that has a NAS-IP-Address or Source-IP-Address of + # 10.1.2.3. + # + # And with a "ou" value of the shared secret password + # for the NAS element. ie "password" + if ("%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}") { + update control { + FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}" + + # Set the Client-Shortname to be the Location + # "l" just like in the Huntgroups, but this + # time to the shortname. + + FreeRADIUS-Client-Shortname = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?l?sub?cn=%{Packet-Src-IP-Address}}" + + # Lookup and set the Shared Secret based on + # the "ou" attribute. + FreeRADIUS-Client-Secret = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}" + } + } + + # + # Tell the caller that the client was defined properly. + # + # If the authorize section does NOT return "ok", then + # the new client is ignored. + ok + } +} diff --git a/hosts/containers/radius/freeradius/sites-available/example b/hosts/containers/radius/freeradius/sites-available/example new file mode 100644 index 00000000..f42b4cd2 --- /dev/null +++ b/hosts/containers/radius/freeradius/sites-available/example @@ -0,0 +1,122 @@ +###################################################################### +# +# An example virtual server configuration. +# +# $Id: 89950303b94d5763ebd96744500b7a00da186c08 $ +# +###################################################################### + + +# +# This client will be available to any "listen" section that +# are defined outside of a virtual server section. However, +# when the server receives a packet from this client, the +# request will be processed through the "example" virtual +# server, as the "client" section contains a configuration item +# to that effect. +# +# Note that this client will be able to send requests to any +# port defined in a global "listen" section. It will NOT, +# however, be able to send requests to a port defined in a +# "listen" section that is contained in a "server" section. +# +# With careful matching of configurations, you should be able +# to: +# +# - Define one authentication port, but process each client +# through a separate virtual server. +# +# - define multiple authentication ports, each with a private +# list of clients. +# +# - define multiple authentication ports, each of which may +# have the same client listed, but with different shared +# secrets +# +# FYI: We use an address in the 192.0.2.* space for this example, +# as RFC 3330 says that that /24 range is used for documenation +# and examples, and should not appear on the net. You shouldn't +# use it for anything, either. +# +client 192.0.2.10 { + shortname = example-client + secret = testing123 + virtual_server = example +} + +###################################################################### +# +# An example virtual server. It starts off with "server name {" +# The "name" is used to reference this server from a "listen" +# or "client" section. +# +###################################################################### +server example { + # + # Listen on 192.0.2.1:1812 for Access-Requests + # + # When the server receives a packet, it is processed + # through the "authorize", etc. sections listed here, + # NOT the global ones the "default" site. + # + listen { + ipaddr = 192.0.2.1 + port = 1821 + type = auth + } + + # + # This client is listed within the "server" section, + # and is therefore known ONLY to the socket defined + # in the "listen" section above. If the client IP + # sends a request to a different socket, the server + # will treat it as an unknown client, and will not + # respond. + # + # In contrast, the client listed at the top of this file + # is outside of any "server" section, and is therefore + # global in scope. It can send packets to any port + # defined in a global "listen" section. It CANNOT send + # packets to the listen section defined above, though. + # + # Note that you don't have to have a "virtual_server = example" + # line here, as the client is encapsulated within + # the "server" section. + # + client 192.0.2.9 { + shortname = example-client + secret = testing123 + } + + authorize { + # + # Some example policies. See "man unlang" for more. + # + if ("%{User-Name}" == "bob") { + update control { + Cleartext-Password := "bob" + } + } + + # + # And then reject the user. The next line requires + # that the "always reject {}" section is defined in + # the "modules" section of radiusd.conf. + # + reject + } + + authenticate { + + } + + post-auth { + + Post-Auth-Type Reject { + update reply { + Reply-Message = "This is only an example." + } + } + } + +} diff --git a/hosts/containers/radius/freeradius/sites-available/inner-tunnel b/hosts/containers/radius/freeradius/sites-available/inner-tunnel new file mode 100644 index 00000000..7625325b --- /dev/null +++ b/hosts/containers/radius/freeradius/sites-available/inner-tunnel @@ -0,0 +1,421 @@ +# -*- text -*- +###################################################################### +# +# This is a virtual server that handles *only* inner tunnel +# requests for EAP-TTLS and PEAP types. +# +# $Id: bb0b93bc9cc9ade4e78725ea113d6f228937fef7 $ +# +###################################################################### + +server inner-tunnel { + +# +# This next section is here to allow testing of the "inner-tunnel" +# authentication methods, independently from the "default" server. +# It is listening on "localhost", so that it can only be used from +# the same machine. +# +# $ radtest USER PASSWORD 127.0.0.1:18120 0 testing123 +# +# If it works, you have configured the inner tunnel correctly. To check +# if PEAP will work, use: +# +# $ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123 +# +# If that works, PEAP should work. If that command doesn't work, then +# +# FIX THE INNER TUNNEL CONFIGURATION SO THAT IT WORKS. +# +# Do NOT do any PEAP tests. It won't help. Instead, concentrate +# on fixing the inner tunnel configuration. DO NOTHING ELSE. +# +listen { + ipaddr = 127.0.0.1 + port = 18120 + type = auth +} + + +# Authorization. First preprocess (hints and huntgroups files), +# then realms, and finally look in the "users" file. +# +# The order of the realm modules will determine the order that +# we try to find a matching realm. +# +# Make *sure* that 'preprocess' comes before any realm if you +# need to setup hints for the remote radius server +authorize { + # + # The chap module will set 'Auth-Type := CHAP' if we are + # handling a CHAP request and Auth-Type has not already been set + chap + + # + # If the users are logging in with an MS-CHAP-Challenge + # attribute for authentication, the mschap module will find + # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' + # to the request, which will cause the server to then use + # the mschap module for authentication. + mschap + + # + # Pull crypt'd passwords from /etc/passwd or /etc/shadow, + # using the system API's to get the password. If you want + # to read /etc/passwd or /etc/shadow directly, see the + # passwd module, above. + # +# unix + + # + # Look for IPASS style 'realm/', and if not found, look for + # '@realm', and decide whether or not to proxy, based on + # that. +# IPASS + + # + # If you are using multiple kinds of realms, you probably + # want to set "ignore_null = yes" for all of them. + # Otherwise, when the first style of realm doesn't match, + # the other styles won't be checked. + # + # Note that proxying the inner tunnel authentication means + # that the user MAY use one identity in the outer session + # (e.g. "anonymous", and a different one here + # (e.g. "user@example.com"). The inner session will then be + # proxied elsewhere for authentication. If you are not + # careful, this means that the user can cause you to forward + # the authentication to another RADIUS server, and have the + # accounting logs *not* sent to the other server. This makes + # it difficult to bill people for their network activity. + # + suffix +# ntdomain + + # + # The "suffix" module takes care of stripping the domain + # (e.g. "@example.com") from the User-Name attribute, and the + # next few lines ensure that the request is not proxied. + # + # If you want the inner tunnel request to be proxied, delete + # the next few lines. + # + update control { + Proxy-To-Realm := LOCAL + } + + # + # This module takes care of EAP-MSCHAPv2 authentication. + # + # It also sets the EAP-Type attribute in the request + # attribute list to the EAP type from the packet. + # + # The example below uses module failover to avoid querying all + # of the following modules if the EAP module returns "ok". + # Therefore, your LDAP and/or SQL servers will not be queried + # for the many packets that go back and forth to set up TTLS + # or PEAP. The load on those servers will therefore be reduced. + # + eap { + ok = return + } + + # + # Read the 'users' file + files + + # + # Look in an SQL database. The schema of the database + # is meant to mirror the "users" file. + # + # See "Authorization Queries" in sql.conf +# sql + + # + # If you are using /etc/smbpasswd, and are also doing + # mschap authentication, the un-comment this line, and + # configure the 'etc_smbpasswd' module, above. +# etc_smbpasswd + + # + # The ldap module will set Auth-Type to LDAP if it has not + # already been set +# ldap + + # + # Enforce daily limits on time spent logged in. +# daily + + # + # Use the checkval module +# checkval + + expiration + logintime + + # + # If no other module has claimed responsibility for + # authentication, then try to use PAP. This allows the + # other modules listed above to add a "known good" password + # to the request, and to do nothing else. The PAP module + # will then see that password, and use it to do PAP + # authentication. + # + # This module should be listed last, so that the other modules + # get a chance to set Auth-Type for themselves. + # + pap +} + + +# Authentication. +# +# +# This section lists which modules are available for authentication. +# Note that it does NOT mean 'try each module in order'. It means +# that a module from the 'authorize' section adds a configuration +# attribute 'Auth-Type := FOO'. That authentication type is then +# used to pick the apropriate module from the list below. +# + +# In general, you SHOULD NOT set the Auth-Type attribute. The server +# will figure it out on its own, and will do the right thing. The +# most common side effect of erroneously setting the Auth-Type +# attribute is that one authentication method will work, but the +# others will not. +# +# The common reasons to set the Auth-Type attribute by hand +# is to either forcibly reject the user, or forcibly accept him. +# +authenticate { + # + # PAP authentication, when a back-end database listed + # in the 'authorize' section supplies a password. The + # password can be clear-text, or encrypted. + Auth-Type PAP { + pap + } + + # + # Most people want CHAP authentication + # A back-end database listed in the 'authorize' section + # MUST supply a CLEAR TEXT password. Encrypted passwords + # won't work. + Auth-Type CHAP { + chap + } + + # + # MSCHAP authentication. + Auth-Type MS-CHAP { + mschap + } + + # + # Pluggable Authentication Modules. +# pam + + # + # See 'man getpwent' for information on how the 'unix' + # module checks the users password. Note that packets + # containing CHAP-Password attributes CANNOT be authenticated + # against /etc/passwd! See the FAQ for details. + # + unix + + # Uncomment it if you want to use ldap for authentication + # + # Note that this means "check plain-text password against + # the ldap database", which means that EAP won't work, + # as it does not supply a plain-text password. +# Auth-Type LDAP { +# ldap +# } + + # + # Allow EAP authentication. + eap +} + +###################################################################### +# +# There are no accounting requests inside of EAP-TTLS or PEAP +# tunnels. +# +###################################################################### + + +# Session database, used for checking Simultaneous-Use. Either the radutmp +# or rlm_sql module can handle this. +# The rlm_sql module is *much* faster +session { + radutmp + + # + # See "Simultaneous Use Checking Queries" in sql.conf +# sql +} + + +# Post-Authentication +# Once we KNOW that the user has been authenticated, there are +# additional steps we can take. +post-auth { + # Note that we do NOT assign IP addresses here. + # If you try to assign IP addresses for EAP authentication types, + # it WILL NOT WORK. You MUST use DHCP. + + # + # If you want to have a log of authentication replies, + # un-comment the following line, and the 'detail reply_log' + # section, above. +# reply_log + + # + # After authenticating the user, do another SQL query. + # + # See "Authentication Logging Queries" in sql.conf +# sql + + # + # Instead of sending the query to the SQL server, + # write it into a log file. + # +# sql_log + + # + # Un-comment the following if you have set + # 'edir_account_policy_check = yes' in the ldap module sub-section of + # the 'modules' section. + # +# ldap + + # + # Access-Reject packets are sent through the REJECT sub-section of the + # post-auth section. + # + # Add the ldap module name (or instance) if you have set + # 'edir_account_policy_check = yes' in the ldap module configuration + # + Post-Auth-Type REJECT { + # log failed authentications in SQL, too. +# sql + attr_filter.access_reject + } + + # + # The example policy below updates the outer tunnel reply + # (usually Access-Accept) with the User-Name from the inner + # tunnel User-Name. Since this section is processed in the + # context of the inner tunnel, "request" here means "inner + # tunnel request", and "outer.reply" means "outer tunnel + # reply attributes". + # + # This example is most useful when the outer session contains + # a User-Name of "anonymous@....", or a MAC address. If it + # is enabled, the NAS SHOULD use the inner tunnel User-Name + # in subsequent accounting packets. This makes it easier to + # track user sessions, as they will all be based on the real + # name, and not on "anonymous". + # + # The problem with doing this is that it ALSO exposes the + # real user name to any intermediate proxies. People use + # "anonymous" identifiers outside of the tunnel for a very + # good reason: it gives them more privacy. Setting the reply + # to contain the real user name removes ALL privacy from + # their session. + # + # If you want privacy to remain, see the + # Chargeable-User-Identity attribute from RFC 4372. In order + # to use that attribute, you will have to allocate a + # per-session identifier for the user, and store it in a + # long-term database (e.g. SQL). You should also use that + # attribute INSTEAD of the configuration below. + # + #update outer.reply { + # User-Name = "%{request:User-Name}" + #} + +} + +# +# When the server decides to proxy a request to a home server, +# the proxied request is first passed through the pre-proxy +# stage. This stage can re-write the request, or decide to +# cancel the proxy. +# +# Only a few modules currently have this method. +# +pre-proxy { +# attr_rewrite + + # Uncomment the following line if you want to change attributes + # as defined in the preproxy_users file. +# files + + # Uncomment the following line if you want to filter requests + # sent to remote servers based on the rules defined in the + # 'attrs.pre-proxy' file. +# attr_filter.pre-proxy + + # If you want to have a log of packets proxied to a home + # server, un-comment the following line, and the + # 'detail pre_proxy_log' section, above. +# pre_proxy_log +} + +# +# When the server receives a reply to a request it proxied +# to a home server, the request may be massaged here, in the +# post-proxy stage. +# +post-proxy { + + # If you want to have a log of replies from a home server, + # un-comment the following line, and the 'detail post_proxy_log' + # section, above. +# post_proxy_log + +# attr_rewrite + + # Uncomment the following line if you want to filter replies from + # remote proxies based on the rules defined in the 'attrs' file. +# attr_filter.post-proxy + + # + # If you are proxying LEAP, you MUST configure the EAP + # module, and you MUST list it here, in the post-proxy + # stage. + # + # You MUST also use the 'nostrip' option in the 'realm' + # configuration. Otherwise, the User-Name attribute + # in the proxied request will not match the user name + # hidden inside of the EAP packet, and the end server will + # reject the EAP request. + # + eap + + # + # If the server tries to proxy a request and fails, then the + # request is processed through the modules in this section. + # + # The main use of this section is to permit robust proxying + # of accounting packets. The server can be configured to + # proxy accounting packets as part of normal processing. + # Then, if the home server goes down, accounting packets can + # be logged to a local "detail" file, for processing with + # radrelay. When the home server comes back up, radrelay + # will read the detail file, and send the packets to the + # home server. + # + # With this configuration, the server always responds to + # Accounting-Requests from the NAS, but only writes + # accounting packets to disk if the home server is down. + # +# Post-Proxy-Type Fail { +# detail +# } + +} + +} # inner-tunnel server block diff --git a/hosts/containers/radius/freeradius/sites-available/inner-tunnel.DEFAULT b/hosts/containers/radius/freeradius/sites-available/inner-tunnel.DEFAULT new file mode 100644 index 00000000..7625325b --- /dev/null +++ b/hosts/containers/radius/freeradius/sites-available/inner-tunnel.DEFAULT @@ -0,0 +1,421 @@ +# -*- text -*- +###################################################################### +# +# This is a virtual server that handles *only* inner tunnel +# requests for EAP-TTLS and PEAP types. +# +# $Id: bb0b93bc9cc9ade4e78725ea113d6f228937fef7 $ +# +###################################################################### + +server inner-tunnel { + +# +# This next section is here to allow testing of the "inner-tunnel" +# authentication methods, independently from the "default" server. +# It is listening on "localhost", so that it can only be used from +# the same machine. +# +# $ radtest USER PASSWORD 127.0.0.1:18120 0 testing123 +# +# If it works, you have configured the inner tunnel correctly. To check +# if PEAP will work, use: +# +# $ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123 +# +# If that works, PEAP should work. If that command doesn't work, then +# +# FIX THE INNER TUNNEL CONFIGURATION SO THAT IT WORKS. +# +# Do NOT do any PEAP tests. It won't help. Instead, concentrate +# on fixing the inner tunnel configuration. DO NOTHING ELSE. +# +listen { + ipaddr = 127.0.0.1 + port = 18120 + type = auth +} + + +# Authorization. First preprocess (hints and huntgroups files), +# then realms, and finally look in the "users" file. +# +# The order of the realm modules will determine the order that +# we try to find a matching realm. +# +# Make *sure* that 'preprocess' comes before any realm if you +# need to setup hints for the remote radius server +authorize { + # + # The chap module will set 'Auth-Type := CHAP' if we are + # handling a CHAP request and Auth-Type has not already been set + chap + + # + # If the users are logging in with an MS-CHAP-Challenge + # attribute for authentication, the mschap module will find + # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' + # to the request, which will cause the server to then use + # the mschap module for authentication. + mschap + + # + # Pull crypt'd passwords from /etc/passwd or /etc/shadow, + # using the system API's to get the password. If you want + # to read /etc/passwd or /etc/shadow directly, see the + # passwd module, above. + # +# unix + + # + # Look for IPASS style 'realm/', and if not found, look for + # '@realm', and decide whether or not to proxy, based on + # that. +# IPASS + + # + # If you are using multiple kinds of realms, you probably + # want to set "ignore_null = yes" for all of them. + # Otherwise, when the first style of realm doesn't match, + # the other styles won't be checked. + # + # Note that proxying the inner tunnel authentication means + # that the user MAY use one identity in the outer session + # (e.g. "anonymous", and a different one here + # (e.g. "user@example.com"). The inner session will then be + # proxied elsewhere for authentication. If you are not + # careful, this means that the user can cause you to forward + # the authentication to another RADIUS server, and have the + # accounting logs *not* sent to the other server. This makes + # it difficult to bill people for their network activity. + # + suffix +# ntdomain + + # + # The "suffix" module takes care of stripping the domain + # (e.g. "@example.com") from the User-Name attribute, and the + # next few lines ensure that the request is not proxied. + # + # If you want the inner tunnel request to be proxied, delete + # the next few lines. + # + update control { + Proxy-To-Realm := LOCAL + } + + # + # This module takes care of EAP-MSCHAPv2 authentication. + # + # It also sets the EAP-Type attribute in the request + # attribute list to the EAP type from the packet. + # + # The example below uses module failover to avoid querying all + # of the following modules if the EAP module returns "ok". + # Therefore, your LDAP and/or SQL servers will not be queried + # for the many packets that go back and forth to set up TTLS + # or PEAP. The load on those servers will therefore be reduced. + # + eap { + ok = return + } + + # + # Read the 'users' file + files + + # + # Look in an SQL database. The schema of the database + # is meant to mirror the "users" file. + # + # See "Authorization Queries" in sql.conf +# sql + + # + # If you are using /etc/smbpasswd, and are also doing + # mschap authentication, the un-comment this line, and + # configure the 'etc_smbpasswd' module, above. +# etc_smbpasswd + + # + # The ldap module will set Auth-Type to LDAP if it has not + # already been set +# ldap + + # + # Enforce daily limits on time spent logged in. +# daily + + # + # Use the checkval module +# checkval + + expiration + logintime + + # + # If no other module has claimed responsibility for + # authentication, then try to use PAP. This allows the + # other modules listed above to add a "known good" password + # to the request, and to do nothing else. The PAP module + # will then see that password, and use it to do PAP + # authentication. + # + # This module should be listed last, so that the other modules + # get a chance to set Auth-Type for themselves. + # + pap +} + + +# Authentication. +# +# +# This section lists which modules are available for authentication. +# Note that it does NOT mean 'try each module in order'. It means +# that a module from the 'authorize' section adds a configuration +# attribute 'Auth-Type := FOO'. That authentication type is then +# used to pick the apropriate module from the list below. +# + +# In general, you SHOULD NOT set the Auth-Type attribute. The server +# will figure it out on its own, and will do the right thing. The +# most common side effect of erroneously setting the Auth-Type +# attribute is that one authentication method will work, but the +# others will not. +# +# The common reasons to set the Auth-Type attribute by hand +# is to either forcibly reject the user, or forcibly accept him. +# +authenticate { + # + # PAP authentication, when a back-end database listed + # in the 'authorize' section supplies a password. The + # password can be clear-text, or encrypted. + Auth-Type PAP { + pap + } + + # + # Most people want CHAP authentication + # A back-end database listed in the 'authorize' section + # MUST supply a CLEAR TEXT password. Encrypted passwords + # won't work. + Auth-Type CHAP { + chap + } + + # + # MSCHAP authentication. + Auth-Type MS-CHAP { + mschap + } + + # + # Pluggable Authentication Modules. +# pam + + # + # See 'man getpwent' for information on how the 'unix' + # module checks the users password. Note that packets + # containing CHAP-Password attributes CANNOT be authenticated + # against /etc/passwd! See the FAQ for details. + # + unix + + # Uncomment it if you want to use ldap for authentication + # + # Note that this means "check plain-text password against + # the ldap database", which means that EAP won't work, + # as it does not supply a plain-text password. +# Auth-Type LDAP { +# ldap +# } + + # + # Allow EAP authentication. + eap +} + +###################################################################### +# +# There are no accounting requests inside of EAP-TTLS or PEAP +# tunnels. +# +###################################################################### + + +# Session database, used for checking Simultaneous-Use. Either the radutmp +# or rlm_sql module can handle this. +# The rlm_sql module is *much* faster +session { + radutmp + + # + # See "Simultaneous Use Checking Queries" in sql.conf +# sql +} + + +# Post-Authentication +# Once we KNOW that the user has been authenticated, there are +# additional steps we can take. +post-auth { + # Note that we do NOT assign IP addresses here. + # If you try to assign IP addresses for EAP authentication types, + # it WILL NOT WORK. You MUST use DHCP. + + # + # If you want to have a log of authentication replies, + # un-comment the following line, and the 'detail reply_log' + # section, above. +# reply_log + + # + # After authenticating the user, do another SQL query. + # + # See "Authentication Logging Queries" in sql.conf +# sql + + # + # Instead of sending the query to the SQL server, + # write it into a log file. + # +# sql_log + + # + # Un-comment the following if you have set + # 'edir_account_policy_check = yes' in the ldap module sub-section of + # the 'modules' section. + # +# ldap + + # + # Access-Reject packets are sent through the REJECT sub-section of the + # post-auth section. + # + # Add the ldap module name (or instance) if you have set + # 'edir_account_policy_check = yes' in the ldap module configuration + # + Post-Auth-Type REJECT { + # log failed authentications in SQL, too. +# sql + attr_filter.access_reject + } + + # + # The example policy below updates the outer tunnel reply + # (usually Access-Accept) with the User-Name from the inner + # tunnel User-Name. Since this section is processed in the + # context of the inner tunnel, "request" here means "inner + # tunnel request", and "outer.reply" means "outer tunnel + # reply attributes". + # + # This example is most useful when the outer session contains + # a User-Name of "anonymous@....", or a MAC address. If it + # is enabled, the NAS SHOULD use the inner tunnel User-Name + # in subsequent accounting packets. This makes it easier to + # track user sessions, as they will all be based on the real + # name, and not on "anonymous". + # + # The problem with doing this is that it ALSO exposes the + # real user name to any intermediate proxies. People use + # "anonymous" identifiers outside of the tunnel for a very + # good reason: it gives them more privacy. Setting the reply + # to contain the real user name removes ALL privacy from + # their session. + # + # If you want privacy to remain, see the + # Chargeable-User-Identity attribute from RFC 4372. In order + # to use that attribute, you will have to allocate a + # per-session identifier for the user, and store it in a + # long-term database (e.g. SQL). You should also use that + # attribute INSTEAD of the configuration below. + # + #update outer.reply { + # User-Name = "%{request:User-Name}" + #} + +} + +# +# When the server decides to proxy a request to a home server, +# the proxied request is first passed through the pre-proxy +# stage. This stage can re-write the request, or decide to +# cancel the proxy. +# +# Only a few modules currently have this method. +# +pre-proxy { +# attr_rewrite + + # Uncomment the following line if you want to change attributes + # as defined in the preproxy_users file. +# files + + # Uncomment the following line if you want to filter requests + # sent to remote servers based on the rules defined in the + # 'attrs.pre-proxy' file. +# attr_filter.pre-proxy + + # If you want to have a log of packets proxied to a home + # server, un-comment the following line, and the + # 'detail pre_proxy_log' section, above. +# pre_proxy_log +} + +# +# When the server receives a reply to a request it proxied +# to a home server, the request may be massaged here, in the +# post-proxy stage. +# +post-proxy { + + # If you want to have a log of replies from a home server, + # un-comment the following line, and the 'detail post_proxy_log' + # section, above. +# post_proxy_log + +# attr_rewrite + + # Uncomment the following line if you want to filter replies from + # remote proxies based on the rules defined in the 'attrs' file. +# attr_filter.post-proxy + + # + # If you are proxying LEAP, you MUST configure the EAP + # module, and you MUST list it here, in the post-proxy + # stage. + # + # You MUST also use the 'nostrip' option in the 'realm' + # configuration. Otherwise, the User-Name attribute + # in the proxied request will not match the user name + # hidden inside of the EAP packet, and the end server will + # reject the EAP request. + # + eap + + # + # If the server tries to proxy a request and fails, then the + # request is processed through the modules in this section. + # + # The main use of this section is to permit robust proxying + # of accounting packets. The server can be configured to + # proxy accounting packets as part of normal processing. + # Then, if the home server goes down, accounting packets can + # be logged to a local "detail" file, for processing with + # radrelay. When the home server comes back up, radrelay + # will read the detail file, and send the packets to the + # home server. + # + # With this configuration, the server always responds to + # Accounting-Requests from the NAS, but only writes + # accounting packets to disk if the home server is down. + # +# Post-Proxy-Type Fail { +# detail +# } + +} + +} # inner-tunnel server block diff --git a/hosts/containers/radius/freeradius/sites-available/originate-coa b/hosts/containers/radius/freeradius/sites-available/originate-coa new file mode 100644 index 00000000..68fd0697 --- /dev/null +++ b/hosts/containers/radius/freeradius/sites-available/originate-coa @@ -0,0 +1,190 @@ +# -*- text -*- +###################################################################### +# +# The server can originate Change of Authorization (CoA) or +# Disconnect request packets. These packets are used to dynamically +# change the parameters of a users session (bandwidth, etc.), or +# to forcibly disconnect the user. +# +# There are some caveats. Not all NAS vendors support this +# functionality. Even for the ones that do, it may be difficult to +# find out what needs to go into a CoA-Request or Disconnect-Request +# packet. All we can suggest is to read the NAS documentation +# available from the vendor. That documentation SHOULD describe +# what information their equipment needs to see in a CoA packet. +# +# This information is usually a list of attributes such as: +# +# NAS-IP-Address (or NAS-IPv6 address) +# NAS-Identifier +# User-Name +# Acct-Session-Id +# +# CoA packets can be originated when a normal Access-Request or +# Accounting-Request packet is received. Simply update the +# "coa" list: +# +# update coa { +# User-Name = "%{User-Name}" +# Acct-Session-Id = "%{Acct-Session-Id}" +# NAS-IP-Address = "%{NAS-IP-Address}" +# } +# +# And the CoA packet will be sent. You can also send Disconnect +# packets by using "update disconnect { ...". +# +# This "update coa" entry can be placed in any section (authorize, +# preacct, etc.), EXCEPT for pre-proxy and post-proxy. The CoA +# packets CANNOT be sent if the original request has been proxied. +# +# The CoA functionality works best when the RADIUS server and +# the NAS receiving CoA packets are on the same network. +# +# If "update coa { ... " is used, and then later it becomes necessary +# to not send a CoA request, the following example can suppress the +# CoA packet: +# +# update control { +# Send-CoA-Request = No +# } +# +# The default destination of a CoA packet is the NAS (or client) +# the sent the original Access-Request or Accounting-Request. See +# raddb/clients.conf for a "coa_server" configuration that ties +# a client to a specific home server, or to a home server pool. +# +# If you need to send the packet to a different destination, update +# the "coa" list with one of: +# +# Packet-Dst-IP-Address = ... +# Packet-Dst-IPv6-Address = ... +# Home-Server-Pool = ... +# +# That specifies an Ipv4 or IPv6 address, or a home server pool +# (such as the "coa" pool example below). This use is not +# recommended, however, It is much better to point the client +# configuration directly at the CoA server/pool, as outlined +# earlier. +# +# If the CoA port is non-standard, you can also set: +# +# Packet-Dst-Port +# +# to have the value of the port. +# +###################################################################### + +# +# When CoA packets are sent to a NAS, the NAS is acting as a +# server (see RFC 5176). i.e. it has a type (accepts CoA and/or +# Disconnect packets), an IP address (or IPv6 address), a +# destination port, and a shared secret. +# +# This information *cannot* go into a "client" section. In the future, +# FreeRADIUS will be able to receive, and to proxy CoA packets. +# Having the CoA configuration as below means that we can later do +# load-balancing, fail-over, etc. of CoA servers. If the CoA +# configuration went into a "client" section, it would be impossible +# to do proper proxying of CoA requests. +# +home_server localhost-coa { + type = coa + + # + # Note that a home server of type "coa" MUST be a real NAS, + # with an ipaddr or ipv6addr. It CANNOT point to a virtual + # server. + # + ipaddr = 127.0.0.1 + port = 3799 + + # This secret SHOULD NOT be the same as the shared + # secret in a "client" section. + secret = testing1234 + + # CoA specific parameters. See raddb/proxy.conf for details. + coa { + irt = 2 + mrt = 16 + mrc = 5 + mrd = 30 + } +} + +# +# CoA servers can be put into pools, just like normal servers. +# +home_server_pool coa { + type = fail-over + + # Point to the CoA server above. + home_server = localhost-coa + + # CoA requests are run through the pre-proxy section. + # CoA responses are run through the post-proxy section. + virtual_server = originate-coa.example.com + + # + # Home server pools of type "coa" cannot (currently) have + # a "fallback" configuration. + # +} + +# +# When this virtual server is run, the original request has FINISHED +# processing. i.e. the reply has already been sent to the NAS. +# You can access the attributes in the original packet, reply, and +# control items, but changing them will have NO EFFECT. +# +# The CoA packet is in the "proxy-request" attribute list. +# The CoA reply (if any) is in the "proxy-reply" attribute list. +# +server originate-coa.example.com { + pre-proxy { + update proxy-request { + NAS-IP-Address = 127.0.0.1 + } + } + + # + # Handle the responses here. + # + post-proxy { + switch "%{proxy-reply:Packet-Type}" { + case CoA-ACK { + ok + } + + case CoA-NAK { + # the NAS didn't like the CoA request + ok + } + + case Disconnect-ACK { + ok + } + + case Disconnect-NAK { + # the NAS didn't like the Disconnect request + ok + } + + # Invalid packet type. This shouldn't happen. + case { + fail + } + } + + # + # These methods are run when there is NO response + # to the request. + # + Post-Proxy-Type Fail-CoA { + ok + } + + Post-Proxy-Type Fail-Disconnect { + ok + } + } +} diff --git a/hosts/containers/radius/freeradius/sites-available/proxy-inner-tunnel b/hosts/containers/radius/freeradius/sites-available/proxy-inner-tunnel new file mode 100644 index 00000000..2a9e02bf --- /dev/null +++ b/hosts/containers/radius/freeradius/sites-available/proxy-inner-tunnel @@ -0,0 +1,47 @@ +# -*- text -*- +###################################################################### +# +# This is a virtual server that handles *only* inner tunnel +# requests for EAP-TTLS and PEAP types. +# +# $Id: 1ce4137d5f93ff65a92ebaac676690cc718846ad $ +# +###################################################################### + +server proxy-inner-tunnel { + +# +# This example is very simple. All inner tunnel requests get +# proxied to another RADIUS server. +# +authorize { + # + # Do other things here, as necessary. + # + # e.g. run the "realms" module, to decide how to proxy + # the inner tunnel request. + # + + update control { + # You should update this to be one of your realms. + Proxy-To-Realm := "example.com" + } +} + +authenticate { + # + # This is necessary so that the inner tunnel EAP-MSCHAPv2 + # method can be called. That method takes care of turning + # EAP-MSCHAPv2 into plain MS-CHAPv2, if necessary. + eap +} + +post-proxy { + # + # This is necessary for LEAP, or if you set: + # + # proxy_tunneled_request_as_eap = no + # + eap +} +} diff --git a/hosts/containers/radius/freeradius/sites-available/robust-proxy-accounting b/hosts/containers/radius/freeradius/sites-available/robust-proxy-accounting new file mode 100644 index 00000000..a24e0b63 --- /dev/null +++ b/hosts/containers/radius/freeradius/sites-available/robust-proxy-accounting @@ -0,0 +1,167 @@ +# -*- text -*- +###################################################################### +# +# This is a sample configuration for robust proxy accounting. +# accounting packets are proxied, OR logged locally if all +# home servers are down. When the home servers come back up, +# the accounting packets are forwarded. +# +# This method enables the server to proxy all packets to the +# home servers when they're up, AND to avoid writing to the +# detail file in most situations. +# +# In most situations, proxying of accounting messages is done +# in a "pass-through" fashion. If the home server does not +# respond, then the proxy server does not respond to the NAS. +# That means that the NAS must retransmit packets, sometimes +# forever. This example shows how the proxy server can still +# respond to the NAS, even if all home servers are down. +# +# This configuration could be done MUCH more simply if ALL +# packets were written to the detail file. But that would +# involve a lot more disk writes, which may not be a good idea. +# +# This file is NOT meant to be used as-is. It needs to be +# edited to match your local configuration. +# +# $Id: 9bf86978db676ef16f6062f4d359385e291cc930 $ +# +###################################################################### + +# (1) Define two home servers. +home_server home1.example.com { + type = acct + ipaddr = 192.0.2.10 + port = 1813 + secret = testing123 + + # Mark this home server alive ONLY when it starts being responsive + status_check = request + username = "test_user_status_check" + + # Set the response timeout aggressively low. + # You MAY have to increase this, depending on tests with + # your local installation. + response_window = 6 +} + +home_server home2.example.com { + type = acct + ipaddr = 192.0.2.20 + port = 1813 + secret = testing123 + + # Mark this home server alive ONLY when it starts being responsive + status_check = request + username = "test_user_status_check" + + # Set the response timeout aggressively low. + # You MAY have to increase this, depending on tests with + # your local installation. + response_window = 6 +} + +# (2) Define a virtual server to be used when both of the +# home servers are down. +home_server acct_detail.example.com { + virtual_server = acct_detail.example.com +} + +# Put all of the servers into a pool. +home_server_pool acct_pool.example.com { + type = load-balance # other types are OK, too. + + home_server = home1.example.com + home_server = home2.example.com + # add more home_server's here. + + # If all home servers are down, try a home server that + # is a local virtual server. + fallback = acct_detail.example.com + + # for pre/post-proxy policies + virtual_server = home.example.com +} + +# (3) Define a realm for these home servers. +# It should NOT be used as part of normal proxying decisions! +realm acct_realm.example.com { + acct_pool = acct_pool.example.com +} + +# (4) Define a detail file writer. +# See raddb/modules/detail.example.com + +# (5) Define the virtual server to write the packets to the detail file +# This will be called when ALL home servers are down, because of the +# "fallback" configuration in the home server pool. +server acct_detail.example.com { + accounting { + detail.example.com + } +} + +# (6) Define a virtual server to handle pre/post-proxy re-writing +server home.example.com { + pre-proxy { + # Insert pre-proxy rules here + } + + post-proxy { + # Insert post-proxy rules here + + # This will be called when the CURRENT packet failed + # to be proxied. This may happen when one home server + # suddenly goes down, even though another home server + # may be alive. + # + # i.e. the current request has run out of time, so it + # cannot fail over to another (possibly) alive server. + # + # We want to respond to the NAS, so that it can stop + # re-sending the packet. We write the packet to the + # "detail" file, where it will be read, and sent to + # another home server. + # + Post-Proxy-Type Fail { + detail.example.com + } + } + + + # Read accounting packets from the detail file(s) for + # the home server. + # + # Note that you can have only ONE "listen" section reading + # detail files from a particular directory. That is why the + # destination host name is used as part of the directory name + # below. Having two "listen" sections reading detail files + # from the same directory WILL cause problems. The packets + # may be read by one, the other, or both "listen" sections. + listen { + type = detail + filename = "${radacctdir}/detail.example.com/detail-*:*" + load_factor = 10 + } + + # All packets read from the detail file are proxied back to + # the home servers. + # + # The normal pre/post-proxy rules are applied to them, too. + # + # If the home servers are STILL down, then the server stops + # reading the detail file, and queues the packets for a later + # retransmission. The Post-Proxy-Type "Fail" handler is NOT + # called. + # + # When the home servers come back up, the packets are forwarded, + # and the detail file processed as normal. + accounting { + # You may want accounting policies here... + + update control { + Proxy-To-Realm := "acct_realm.example.com" + } + } + +} diff --git a/hosts/containers/radius/freeradius/sites-available/soh b/hosts/containers/radius/freeradius/sites-available/soh new file mode 100644 index 00000000..9196e5b3 --- /dev/null +++ b/hosts/containers/radius/freeradius/sites-available/soh @@ -0,0 +1,34 @@ +# This is a simple server for the MS SoH requests generated by the +# peap module - see "eap.conf" for more info + +# Requests are ONLY passed through the authorize section, and cannot +# current be proxied (in any event, the radius attributes used are +# internal). + +server soh-server { + authorize { + if (SoH-Supported == no) { + # client NAKed our request for SoH - not supported, or turned off + update config { + Auth-Type = Accept + } + } + else { + # client replied; check something - this is a local policy issue! + if (SoH-MS-Windows-Health-Status =~ /antivirus (warn|error) /) { + update config { + Auth-Type = Reject + } + update reply { + Reply-Message = "You must have antivirus enabled & installed!" + } + } + else { + update config { + Auth-Type = Accept + } + } + } + } +} + diff --git a/hosts/containers/radius/freeradius/sites-available/status b/hosts/containers/radius/freeradius/sites-available/status new file mode 100644 index 00000000..dd6672f6 --- /dev/null +++ b/hosts/containers/radius/freeradius/sites-available/status @@ -0,0 +1,127 @@ +# -*- text -*- +###################################################################### +# +# A virtual server to handle ONLY Status-Server packets. +# +# Server statistics can be queried with a properly formatted +# Status-Server request. See dictionary.freeradius for comments. +# +# If radiusd.conf has "status_server = yes", then any client +# will be able to send a Status-Server packet to any port +# (listen section type "auth", "acct", or "status"), and the +# server will respond. +# +# If radiusd.conf has "status_server = no", then the server will +# ignore Status-Server packets to "auth" and "acct" ports. It +# will respond only if the Status-Server packet is sent to a +# "status" port. +# +# The server statistics are available ONLY on socket of type +# "status". Qeuries for statistics sent to any other port +# are ignored. +# +# Similarly, a socket of type "status" will not process +# authentication or accounting packets. This is for security. +# +# $Id: 4e4f4179911adf96ca375a860d65903b86becade $ +# +###################################################################### + +server status { + listen { + # ONLY Status-Server is allowed to this port. + # ALL other packets are ignored. + type = status + + ipaddr = 127.0.0.1 + port = 18121 + } + + # + # We recommend that you list ONLY management clients here. + # i.e. NOT your NASes or Access Points, and for an ISP, + # DEFINITELY not any RADIUS servers that are proxying packets + # to you. + # + # If you do NOT list a client here, then any client that is + # globally defined (i.e. all of them) will be able to query + # these statistics. + # + # Do you really want your partners seeing the internal details + # of what your RADIUS server is doing? + # + client admin { + ipaddr = 127.0.0.1 + secret = adminsecret + } + + # + # Simple authorize section. The "Autz-Type Status-Server" + # section will work here, too. See "raddb/sites-available/default". + authorize { + ok + + # respond to the Status-Server request. + Autz-Type Status-Server { + ok + } + } +} + +# Statistics can be queried via a number of methods: +# +# All packets received/sent by the server (1 = auth, 2 = acct) +# FreeRADIUS-Statistics-Type = 3 +# +# All packets proxied by the server (4 = proxy-auth, 8 = proxy-acct) +# FreeRADIUS-Statistics-Type = 12 +# +# All packets sent && received: +# FreeRADIUS-Statistics-Type = 15 +# +# Internal server statistics: +# FreeRADIUS-Statistics-Type = 16 +# +# All packets for a particular client (globally defined) +# FreeRADIUS-Statistics-Type = 35 +# FreeRADIUS-Stats-Client-IP-Address = 192.168.1.1 +# +# All packets for a client attached to a "listen" ip/port +# FreeRADIUS-Statistics-Type = 35 +# FreeRADIUS-Stats-Client-IP-Address = 192.168.1.1 +# FreeRADIUS-Stats-Server-IP-Address = 127.0.0.1 +# FreeRADIUS-Stats-Server-Port = 1812 +# +# All packets for a "listen" IP/port +# FreeRADIUS-Statistics-Type = 67 +# FreeRADIUS-Stats-Server-IP-Address = 127.0.0.1 +# FreeRADIUS-Stats-Server-Port = 1812 +# +# All packets for a home server IP / port +# FreeRADIUS-Statistics-Type = 131 +# FreeRADIUS-Stats-Server-IP-Address = 192.168.1.2 +# FreeRADIUS-Stats-Server-Port = 1812 + +# +# You can also get exponentially weighted moving averages of +# response times (in usec) of home servers. Just set the config +# item "historic_average_window" in a home_server section. +# +# By default it is zero (don't calculate it). Useful values +# are between 100, and 10,000. The server will calculate and +# remember the moving average for this window, and for 10 times +# that window. +# + +# +# Some of this could have been simplified. e.g. the proxy-auth and +# proxy-acct bits aren't completely necessary. But using them permits +# the server to be queried for ALL inbound && outbound packets at once. +# This gives a good snapshot of what the server is doing. +# +# Due to internal limitations, the statistics might not be exactly up +# to date. Do not expect all of the numbers to add up perfectly. +# The Status-Server packets are also counted in the total requests && +# responses. The responses are counted only AFTER the response has +# been sent. +# diff --git a/hosts/containers/radius/freeradius/sites-available/virtual.example.com b/hosts/containers/radius/freeradius/sites-available/virtual.example.com new file mode 100644 index 00000000..14ed1824 --- /dev/null +++ b/hosts/containers/radius/freeradius/sites-available/virtual.example.com @@ -0,0 +1,26 @@ +# -*- text -*- +###################################################################### +# +# Sample virtual server for internally proxied requests. +# +# See the "realm virtual.example.com" example in "proxy.conf". +# +# $Id: d8eff1c615627fdb5ac1d82a67b03f620de3a7a9 $ +# +###################################################################### + +# +# Sample contents: just do everything that the default configuration does. +# +# You WILL want to edit this to your local needs. We suggest copying +# the "default" file here, and then editing it. That way, any +# changes to the 'default" file will not affect this virtual server, +# and vice-versa. +# +# When this virtual server receives the request, the original +# attributes can be accessed as "outer.request", "outer.control", etc. +# See "man unlang" for more details. +# +server virtual.example.com { +$INCLUDE ${confdir}/sites-available/default +} diff --git a/hosts/containers/radius/freeradius/sites-available/vmps b/hosts/containers/radius/freeradius/sites-available/vmps new file mode 100644 index 00000000..c27b3269 --- /dev/null +++ b/hosts/containers/radius/freeradius/sites-available/vmps @@ -0,0 +1,98 @@ +# -*- text -*- +###################################################################### +# +# As of version 2.0.0, the server also supports the VMPS +# protocol. +# +# $Id: 13f4e955799583b1b8f843e8965465178ff6038f $ +# +###################################################################### + +server vmps { + listen { + # VMPS sockets only support IPv4 addresses. + ipaddr = * + + # Port on which to listen. + # Allowed values are: + # integer port number + # 1589 is the default VMPS port. + port = 1589 + + # Type of packets to listen for. Here, it is VMPS. + type = vmps + + # Some systems support binding to an interface, in addition + # to the IP address. This feature isn't strictly necessary, + # but for sites with many IP addresses on one interface, + # it's useful to say "listen on all addresses for + # eth0". + # + # If your system does not support this feature, you will + # get an error if you try to use it. + # + # interface = eth0 + } + + # If you have switches that are allowed to send VMPS, but NOT + # RADIUS packets, then list them here as "client" sections. + # + # Note that for compatibility with RADIUS, you still have to + # list a "secret" for each client, though that secret will not + # be used for anything. + + + # And the REAL contents. This section is just like the + # "post-auth" section of radiusd.conf. In fact, it calls the + # "post-auth" component of the modules that are listed here. + # But it's called "vmps" to highlight that it's for VMPS. + # + vmps { + # + # Some requests may not have a MAC address. Try to + # create one using other attributes. + if (!VMPS-Mac) { + if (VMPS-Ethernet-Frame =~ /0x.{12}(..)(..)(..)(..)(..)(..).*/) { + update request { + VMPS-Mac = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}" + } + } + else { + update request { + VMPS-Mac = "%{VMPS-Cookie}" + } + } + } + + # Do a simple mapping of MAC to VLAN. + # + # See radiusd.conf for the definition of the "mac2vlan" + # module. + # + #mac2vlan + + # required VMPS reply attributes + update reply { + VMPS-Packet-Type = VMPS-Join-Response + VMPS-Cookie = "%{VMPS-Mac}" + + VMPS-VLAN-Name = "please_use_real_vlan_here" + + # + # If you have VLAN's in a database, you can select + # the VLAN name based on the MAC address. + # + #VMPS-VLAN-Name = "%{sql:select ... where mac='%{VMPS-Mac}'}" + } + + # correct reply packet type for reconfirmation requests + # + if (VMPS-Packet-Type == VMPS-Reconfirm-Request){ + update reply { + VMPS-Packet-Type := VMPS-Reconfirm-Response + } + } + } + + # Proxying of VMPS requests is NOT supported. +} diff --git a/hosts/containers/radius/freeradius/sql.conf b/hosts/containers/radius/freeradius/sql.conf new file mode 100644 index 00000000..724c38c8 --- /dev/null +++ b/hosts/containers/radius/freeradius/sql.conf @@ -0,0 +1,115 @@ +# -*- text -*- +## +## sql.conf -- SQL modules +## +## $Id: 6f346ec9f1d12190f132da20537f99607df71760 $ + +###################################################################### +# +# Configuration for the SQL module +# +# The database schemas and queries are located in subdirectories: +# +# sql/DB/schema.sql Schema +# sql/DB/dialup.conf Basic dialup (including policy) queries +# sql/DB/counter.conf counter +# sql/DB/ippool.conf IP Pools in SQL +# sql/DB/ippool.sql schema for IP pools. +# +# Where "DB" is mysql, mssql, oracle, or postgresql. +# + +sql { + # + # Set the database to one of: + # + # mysql, mssql, oracle, postgresql + # + database = "mysql" + + # + # Which FreeRADIUS driver to use. + # + driver = "rlm_sql_${database}" + + # Connection info: + server = "localhost" + #port = 3306 + login = "radius" + password = "radpass" + + # Database table configuration for everything except Oracle + radius_db = "radius" + # If you are using Oracle then use this instead + # radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))" + + # If you want both stop and start records logged to the + # same SQL table, leave this as is. If you want them in + # different tables, put the start table in acct_table1 + # and stop table in acct_table2 + acct_table1 = "radacct" + acct_table2 = "radacct" + + # Allow for storing data after authentication + postauth_table = "radpostauth" + + authcheck_table = "radcheck" + authreply_table = "radreply" + + groupcheck_table = "radgroupcheck" + groupreply_table = "radgroupreply" + + # Table to keep group info + usergroup_table = "radusergroup" + + # If set to 'yes' (default) we read the group tables + # If set to 'no' the user MUST have Fall-Through = Yes in the radreply table + # read_groups = yes + + # Remove stale session if checkrad does not see a double login + deletestalesessions = yes + + # Print all SQL statements when in debug mode (-x) + sqltrace = no + sqltracefile = ${logdir}/sqltrace.sql + + # number of sql connections to make to server + # + # Setting this to LESS than the number of threads means + # that some threads may starve, and you will see errors + # like "No connections available and at max connection limit" + # + # Setting this to MORE than the number of threads means + # that there are more connections than necessary. + # + num_sql_socks = ${thread[pool].max_servers} + + # number of seconds to dely retrying on a failed database + # connection (per_socket) + connect_failure_retry_delay = 60 + + # lifetime of an SQL socket. If you are having network issues + # such as TCP sessions expiring, you may need to set the socket + # lifetime. If set to non-zero, any open connections will be + # closed "lifetime" seconds after they were first opened. + lifetime = 0 + + # Maximum number of queries used by an SQL socket. If you are + # having issues with SQL sockets lasting "too long", you can + # limit the number of queries performed over one socket. After + # "max_qeuries", the socket will be closed. Use 0 for "no limit". + max_queries = 0 + + # Set to 'yes' to read radius clients from the database ('nas' table) + # Clients will ONLY be read on server startup. For performance + # and security reasons, finding clients via SQL queries CANNOT + # be done "live" while the server is running. + # + #readclients = yes + + # Table to keep radius client info + nas_table = "nas" + + # Read driver-specific configuration + $INCLUDE sql/${database}/dialup.conf +} diff --git a/hosts/containers/radius/freeradius/sqlippool.conf b/hosts/containers/radius/freeradius/sqlippool.conf new file mode 100644 index 00000000..ddbfc46f --- /dev/null +++ b/hosts/containers/radius/freeradius/sqlippool.conf @@ -0,0 +1,67 @@ +## Configuration for the SQL based IP Pool module (rlm_sqlippool) +## +## The database schemas are available at: +## +## raddb/sql/DB/ippool.sql +## +## $Id: 94fabc032f681407e9e6141d85ac1841c0b6d28b $ + +sqlippool { + + ######################################### + ## SQL instance to use (from sql.conf) ## + ## + ## If you have multiple sql instances, such as "sql sql1 {...}", + ## use the *instance* name here: sql1. + ######################################### + sql-instance-name = "sql" + + ## SQL table to use for ippool range and lease info + ippool_table = "radippool" + + ## IP lease duration. (Leases expire even if Acct Stop packet is lost) + lease-duration = 3600 + + ## Attribute which should be considered unique per NAS + ## Using NAS-Port gives behaviour similar to rlm_ippool. (And ACS) + ## Using Calling-Station-Id works for NAS that send fixed NAS-Port + ## ONLY change this if you know what you are doing! + pool-key = "%{NAS-Port}" + # pool-key = "%{Calling-Station-Id}" + + ################################################################ + # + # WARNING: MySQL has certain limitations that means it can + # hand out the same IP address to 2 different users. + # + # We suggest using an SQL DB with proper transaction + # support, such as PostgreSQL, or using MySQL + # with InnoDB. + # + ################################################################ + + # + # Use the same database as configured in the "sql" module, "database" + # configuration item. Change the "postgresql" name below to be the + # same as the "database" field of the SQL module referred to in the + # "sql-instance-name", above. + # +$INCLUDE sql/postgresql/ippool.conf + + ## Logging configuration. (Comment out to disable logging) + sqlippool_log_exists = "Existing IP: %{reply:Framed-IP-Address} \ + (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" + + sqlippool_log_success = "Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} \ + (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" + + sqlippool_log_clear = "Released IP %{Framed-IP-Address}\ + (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})" + + sqlippool_log_failed = "IP Allocation FAILED from %{control:Pool-Name} \ + (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" + + sqlippool_log_nopool = "No Pool-Name defined \ + (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" + +} diff --git a/hosts/containers/radius/freeradius/templates.conf b/hosts/containers/radius/freeradius/templates.conf new file mode 100644 index 00000000..645d2c38 --- /dev/null +++ b/hosts/containers/radius/freeradius/templates.conf @@ -0,0 +1,108 @@ +# -*- text -*- +## +## templates.conf -- configurations to be used in multiple places +## +## $Id: c26e7d3945427350ebe8995f6c197efaecec5eb4 $ + +###################################################################### +# +# Version 2.0 has a useful new feature called "templates". +# +# Use templates by adding a line in radiusd.conf: +# +# $INCLUDE templates.conf +# +# The goal of the templates is to have common configuration located +# in this file, and to list only the *differences* in the individual +# sections. This feature is most useful for sections like "clients" +# or "home_servers", where many may be defined, and each one has +# similar repeated configuration. +# +# Something similar to templates can be done by putting common +# configuration into separate files, and using "$INCLUDE file...", +# but this is more flexible, and simpler to understand. It's also +# cheaper for the server, because "$INCLUDE" makes a copy of the +# configuration for inclusion, and templates are simply referenced. +# +# The templates are defined in the "templates" section, so that they +# do not affect the rest of the server configuration. +# +# A section can reference a template by using "$template name" +# +templates { + # + # The contents of the templates section are other + # configuration sections that would normally go into + # the configuration files. + # + + # + # This is a default template for the "home_server" section. + # Note that there is no name for the section. + # + # Any configuration item that is valid for a "home_server" + # section is also valid here. When a "home_server" section + # is defined in proxy.conf, this section is referenced as + # the template. + # + # Configuration items that are explicitly listed in a + # "home_server" section of proxy.conf are used in + # preference to the configuration items listed here. + # + # However, if a configuration item is NOT listed in a + # "home_server" section of proxy.conf, then the value here + # is used. + # + # This functionality lets you put common configuration into + # a template, and to put only the unique configuration + # items in "proxy.conf". Each section in proxy.conf can + # then contain a line "$template home_server", which will + # cause it to reference this template. + # + home_server { + response_window = 20 + zombie_period = 40 + revive_interval = 120 + # + # Etc. + } + + # + # You can also have named templates. For example, if you + # are proxying to 3 different home servers all at the same + # site, with identical configurations (other than IP + # addresses), you can use this named template. + # + + # Then, each "home_server" section in "proxy.conf" would + # only list the IP address of that home server, and a + # line saying + # + # $template example_com + # + # That would tell FreeRADIUS to look in the section below + # for the rest of the configuration items. + # + # For various reasons, you shouldn't have a "." in the template + # name. Doing so means that the server will be unable to find + # the template. + # + example_com { + type = auth + port = 1812 + secret = testing123 + response_window = 20 + # + # Etc... + } + + # + # You can have templates for other sections, too, but they + # seem to be most useful for home_servers. + # + # For now, you can use templates only for sections in + # radiusd.conf, not sub-sections. So you still have to use + # the "$INCLUDE file.." method for things like defining + # multiple "sql" modules, each with similar configuration. + # +} diff --git a/hosts/containers/radius/freeradius/users b/hosts/containers/radius/freeradius/users new file mode 100644 index 00000000..a4d49e09 --- /dev/null +++ b/hosts/containers/radius/freeradius/users @@ -0,0 +1,213 @@ +# +# Please read the documentation file ../doc/processing_users_file, +# or 'man 5 users' (after installing the server) for more information. +# +# This file contains authentication security and configuration +# information for each user. Accounting requests are NOT processed +# through this file. Instead, see 'acct_users', in this directory. +# +# The first field is the user's name and can be up to +# 253 characters in length. This is followed (on the same line) with +# the list of authentication requirements for that user. This can +# include password, comm server name, comm server port number, protocol +# type (perhaps set by the "hints" file), and huntgroup name (set by +# the "huntgroups" file). +# +# If you are not sure why a particular reply is being sent by the +# server, then run the server in debugging mode (radiusd -X), and +# you will see which entries in this file are matched. +# +# When an authentication request is received from the comm server, +# these values are tested. Only the first match is used unless the +# "Fall-Through" variable is set to "Yes". +# +# A special user named "DEFAULT" matches on all usernames. +# You can have several DEFAULT entries. All entries are processed +# in the order they appear in this file. The first entry that +# matches the login-request will stop processing unless you use +# the Fall-Through variable. +# +# If you use the database support to turn this file into a .db or .dbm +# file, the DEFAULT entries _have_ to be at the end of this file and +# you can't have multiple entries for one username. +# +# Indented (with the tab character) lines following the first +# line indicate the configuration values to be passed back to +# the comm server to allow the initiation of a user session. +# This can include things like the PPP configuration values +# or the host to log the user onto. +# +# You can include another `users' file with `$INCLUDE users.other' +# + +# +# For a list of RADIUS attributes, and links to their definitions, +# see: +# +# http://www.freeradius.org/rfc/attributes.html +# + +# +# Deny access for a specific user. Note that this entry MUST +# be before any other 'Auth-Type' attribute which results in the user +# being authenticated. +# +# Note that there is NO 'Fall-Through' attribute, so the user will not +# be given any additional resources. +# +#lameuser Auth-Type := Reject +# Reply-Message = "Your account has been disabled." + +# +# Deny access for a group of users. +# +# Note that there is NO 'Fall-Through' attribute, so the user will not +# be given any additional resources. +# +#DEFAULT Group == "disabled", Auth-Type := Reject +# Reply-Message = "Your account has been disabled." +# + +# +# This is a complete entry for "steve". Note that there is no Fall-Through +# entry so that no DEFAULT entry will be used, and the user will NOT +# get any attributes in addition to the ones listed here. +# +#steve Cleartext-Password := "testing" +# Service-Type = Framed-User, +# Framed-Protocol = PPP, +# Framed-IP-Address = 172.16.3.33, +# Framed-IP-Netmask = 255.255.255.0, +# Framed-Routing = Broadcast-Listen, +# Framed-Filter-Id = "std.ppp", +# Framed-MTU = 1500, +# Framed-Compression = Van-Jacobsen-TCP-IP + +# +# This is an entry for a user with a space in their name. +# Note the double quotes surrounding the name. +# +#"John Doe" Cleartext-Password := "hello" +# Reply-Message = "Hello, %{User-Name}" + +# +# Dial user back and telnet to the default host for that port +# +#Deg Cleartext-Password := "ge55ged" +# Service-Type = Callback-Login-User, +# Login-IP-Host = 0.0.0.0, +# Callback-Number = "9,5551212", +# Login-Service = Telnet, +# Login-TCP-Port = Telnet + +# +# Another complete entry. After the user "dialbk" has logged in, the +# connection will be broken and the user will be dialed back after which +# he will get a connection to the host "timeshare1". +# +#dialbk Cleartext-Password := "callme" +# Service-Type = Callback-Login-User, +# Login-IP-Host = timeshare1, +# Login-Service = PortMaster, +# Callback-Number = "9,1-800-555-1212" + +# +# user "swilson" will only get a static IP number if he logs in with +# a framed protocol on a terminal server in Alphen (see the huntgroups file). +# +# Note that by setting "Fall-Through", other attributes will be added from +# the following DEFAULT entries +# +#swilson Service-Type == Framed-User, Huntgroup-Name == "alphen" +# Framed-IP-Address = 192.168.1.65, +# Fall-Through = Yes + +# +# If the user logs in as 'username.shell', then authenticate them +# using the default method, give them shell access, and stop processing +# the rest of the file. +# +#DEFAULT Suffix == ".shell" +# Service-Type = Login-User, +# Login-Service = Telnet, +# Login-IP-Host = your.shell.machine + + +# +# The rest of this file contains the several DEFAULT entries. +# DEFAULT entries match with all login names. +# Note that DEFAULT entries can also Fall-Through (see first entry). +# A name-value pair from a DEFAULT entry will _NEVER_ override +# an already existing name-value pair. +# + +# +# Set up different IP address pools for the terminal servers. +# Note that the "+" behind the IP address means that this is the "base" +# IP address. The Port-Id (S0, S1 etc) will be added to it. +# +#DEFAULT Service-Type == Framed-User, Huntgroup-Name == "alphen" +# Framed-IP-Address = 192.168.1.32+, +# Fall-Through = Yes + +#DEFAULT Service-Type == Framed-User, Huntgroup-Name == "delft" +# Framed-IP-Address = 192.168.2.32+, +# Fall-Through = Yes + +# +# Sample defaults for all framed connections. +# +#DEFAULT Service-Type == Framed-User +# Framed-IP-Address = 255.255.255.254, +# Framed-MTU = 576, +# Service-Type = Framed-User, +# Fall-Through = Yes + +# +# Default for PPP: dynamic IP address, PPP mode, VJ-compression. +# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected +# by the terminal server in which case there may not be a "P" suffix. +# The terminal server sends "Framed-Protocol = PPP" for auto PPP. +# +DEFAULT Framed-Protocol == PPP + Framed-Protocol = PPP, + Framed-Compression = Van-Jacobson-TCP-IP + +# +# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression. +# +DEFAULT Hint == "CSLIP" + Framed-Protocol = SLIP, + Framed-Compression = Van-Jacobson-TCP-IP + +# +# Default for SLIP: dynamic IP address, SLIP mode. +# +DEFAULT Hint == "SLIP" + Framed-Protocol = SLIP + +# +# Last default: rlogin to our main server. +# +#DEFAULT +# Service-Type = Login-User, +# Login-Service = Rlogin, +# Login-IP-Host = shellbox.ispdomain.com + +# # +# # Last default: shell on the local terminal server. +# # +# DEFAULT +# Service-Type = Administrative-User + +# On no match, the user is denied access. + +### ### ### C3D2 ### ### ### + +anonymous Cleartext-Password := \"anonymous\" + +#/ wildcard, accept any credentials +DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Auth-Type := Accept + +### ### ### C3D2 ### ### ### +# EOF