Compare commits
5 Commits
master
...
container/
Author | SHA1 | Date |
---|---|---|
Eri - | 1d32924d85 | |
Eri - | 6946bbd224 | |
Eri - | a1490e209a | |
Eri - | fbe1f6c5b0 | |
Eri - | 0b59c8cf5b |
|
@ -0,0 +1,71 @@
|
||||||
|
# Edit this configuration file to define what should be installed on
|
||||||
|
# your system. Help is available in the configuration.nix(5) man page
|
||||||
|
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||||
|
|
||||||
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
c3d2 = {
|
||||||
|
isInHq = true;
|
||||||
|
hq.interface = "eth0";
|
||||||
|
};
|
||||||
|
networking = {
|
||||||
|
hostName = "radius";
|
||||||
|
interfaces.eth0.useDHCP = lib.mkForce true;
|
||||||
|
};
|
||||||
|
|
||||||
|
imports =
|
||||||
|
[ <nixpkgs/nixos/modules/profiles/minimal.nix>
|
||||||
|
];
|
||||||
|
nix.useSandbox = false;
|
||||||
|
nix.maxJobs = lib.mkDefault 4;
|
||||||
|
|
||||||
|
boot.isContainer = true;
|
||||||
|
# /sbin/init
|
||||||
|
boot.loader.initScript.enable = true;
|
||||||
|
boot.loader.grub.enable = false;
|
||||||
|
#boot.supportedFilesystems = ["zfs" "ext2" "ext3" "vfat" "fat32" "bcache" "bcachefs"];
|
||||||
|
|
||||||
|
fileSystems."/" = { fsType = "rootfs"; device = "rootfs"; };
|
||||||
|
|
||||||
|
networking.hostName = "nixbert"; # Define your hostname.
|
||||||
|
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
|
||||||
|
networking.useNetworkd = true;
|
||||||
|
|
||||||
|
# Set your time zone.
|
||||||
|
time.timeZone = "Europe/Berlin";
|
||||||
|
# Select internationalisation properties.
|
||||||
|
i18n = {
|
||||||
|
defaultLocale = "en_US.UTF-8";
|
||||||
|
supportedLocales = lib.mkForce [ "en_US.UTF-8/UTF-8" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
# List packages installed in system profile. To search, run:
|
||||||
|
# $ nix search wget
|
||||||
|
environment.systemPackages = with pkgs; [
|
||||||
|
wget vim
|
||||||
|
git freeradius
|
||||||
|
];
|
||||||
|
|
||||||
|
services.freeradius.enable = true;
|
||||||
|
services.freeradius.configDir = "/root/nix-config/hosts/containers/radius/freeradius";
|
||||||
|
|
||||||
|
services.openssh.enable = true;
|
||||||
|
|
||||||
|
# Create a few files early before packing tarball for Proxmox
|
||||||
|
# architecture/OS detection.
|
||||||
|
system.extraSystemBuilderCmds =
|
||||||
|
''
|
||||||
|
mkdir -m 0755 -p $out/bin
|
||||||
|
ln -s ${pkgs.bash}/bin/bash $out/bin/sh
|
||||||
|
mkdir -m 0755 -p $out/sbin
|
||||||
|
ln -s ../init $out/sbin/init
|
||||||
|
'';
|
||||||
|
|
||||||
|
# This value determines the NixOS release with which your system is to be
|
||||||
|
# compatible, in order to avoid breaking some software such as database
|
||||||
|
# servers. You should change this only after NixOS release notes say you
|
||||||
|
# should.
|
||||||
|
system.stateVersion = "18.09"; # Did you read the comment?
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,23 @@
|
||||||
|
#
|
||||||
|
# $Id: fafac849a0f0519cdaf7acf2ef51c8b36a5a6255 $
|
||||||
|
#
|
||||||
|
# This is like the 'users' file, but it is processed only for
|
||||||
|
# accounting packets.
|
||||||
|
#
|
||||||
|
|
||||||
|
# Select between different accounting methods based for example on the
|
||||||
|
# Realm, the Huntgroup-Name or any combinaison of the attribute/value
|
||||||
|
# pairs contained in an accounting packet.
|
||||||
|
#
|
||||||
|
#DEFAULT Realm == "foo.net", Acct-Type := sql_log.foo
|
||||||
|
#
|
||||||
|
#DEFAULT Huntgroup-Name == "wifi", Acct-Type := sql_log.wifi
|
||||||
|
#
|
||||||
|
#DEFAULT Client-IP-Address == 10.0.0.1, Acct-Type := sql_log.other
|
||||||
|
#
|
||||||
|
#DEFAULT Acct-Status-Type == Start, Acct-Type := sql_log.start
|
||||||
|
|
||||||
|
# Replace the User-Name with the Stripped-User-Name, if it exists.
|
||||||
|
#
|
||||||
|
#DEFAULT
|
||||||
|
# User-Name := "%{Stripped-User-Name:-%{User-Name}}"
|
|
@ -0,0 +1,129 @@
|
||||||
|
#
|
||||||
|
# Configuration file for the rlm_attr_filter module.
|
||||||
|
# Please see rlm_attr_filter(5) manpage for more information.
|
||||||
|
#
|
||||||
|
# $Id: 76c644b100656f8bd45e768b13cbcf140ce5a770 $
|
||||||
|
#
|
||||||
|
# This file contains security and configuration information
|
||||||
|
# for each realm. The first field is the realm name and
|
||||||
|
# can be up to 253 characters in length. This is followed (on
|
||||||
|
# the next line) with the list of filter rules to be used to
|
||||||
|
# decide what attributes and/or values we allow proxy servers
|
||||||
|
# to pass to the NAS for this realm.
|
||||||
|
#
|
||||||
|
# When a proxy-reply packet is received from a home server,
|
||||||
|
# these attributes and values are tested. Only the first match
|
||||||
|
# is used unless the "Fall-Through" variable is set to "Yes".
|
||||||
|
# In that case the rules defined in the DEFAULT case are
|
||||||
|
# processed as well.
|
||||||
|
#
|
||||||
|
# A special realm named "DEFAULT" matches on all realm names.
|
||||||
|
# You can have only one DEFAULT entry. All entries are processed
|
||||||
|
# in the order they appear in this file. The first entry that
|
||||||
|
# matches the login-request will stop processing unless you use
|
||||||
|
# the Fall-Through variable.
|
||||||
|
#
|
||||||
|
# Indented (with the tab character) lines following the first
|
||||||
|
# line indicate the filter rules.
|
||||||
|
#
|
||||||
|
# You can include another `attrs' file with `$INCLUDE attrs.other'
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# This is a complete entry for realm "fisp". Note that there is no
|
||||||
|
# Fall-Through entry so that no DEFAULT entry will be used, and the
|
||||||
|
# server will NOT allow any other a/v pairs other than the ones
|
||||||
|
# listed here.
|
||||||
|
#
|
||||||
|
# These rules allow:
|
||||||
|
# o Only Framed-User Service-Types ( no telnet, rlogin, tcp-clear )
|
||||||
|
# o PPP sessions ( no SLIP, CSLIP, etc. )
|
||||||
|
# o dynamic ip assignment ( can't assign a static ip )
|
||||||
|
# o an idle timeout value set to 600 seconds (10 min) or less
|
||||||
|
# o a max session time set to 28800 seconds (8 hours) or less
|
||||||
|
#
|
||||||
|
#fisp
|
||||||
|
# Service-Type == Framed-User,
|
||||||
|
# Framed-Protocol == PPP,
|
||||||
|
# Framed-IP-Address == 255.255.255.254,
|
||||||
|
# Idle-Timeout <= 600,
|
||||||
|
# Session-Timeout <= 28800
|
||||||
|
|
||||||
|
#
|
||||||
|
# This is a complete entry for realm "tisp". Note that there is no
|
||||||
|
# Fall-Through entry so that no DEFAULT entry will be used, and the
|
||||||
|
# server will NOT allow any other a/v pairs other than the ones
|
||||||
|
# listed here.
|
||||||
|
#
|
||||||
|
# These rules allow:
|
||||||
|
# o Only Login-User Service-Type ( no framed/ppp sessions )
|
||||||
|
# o Telnet sessions only ( no rlogin, tcp-clear )
|
||||||
|
# o Login hosts of either 192.168.1.1 or 192.168.1.2
|
||||||
|
#
|
||||||
|
#tisp
|
||||||
|
# Service-Type == Login-User,
|
||||||
|
# Login-Service == Telnet,
|
||||||
|
# Login-TCP-Port == 23,
|
||||||
|
# Login-IP-Host == 192.168.1.1,
|
||||||
|
# Login-IP-Host == 192.168.1.2
|
||||||
|
|
||||||
|
#
|
||||||
|
# The following example can be used for a home server which is only
|
||||||
|
# allowed to supply a Reply-Message, a Session-Timeout attribute of
|
||||||
|
# maximum 86400, a Idle-Timeout attribute of maximum 600 and a
|
||||||
|
# Acct-Interim-Interval attribute between 300 and 3600.
|
||||||
|
# All other attributes sent back will be filtered out.
|
||||||
|
#
|
||||||
|
#strictrealm
|
||||||
|
# Reply-Message =* ANY,
|
||||||
|
# Session-Timeout <= 86400,
|
||||||
|
# Idle-Timeout <= 600,
|
||||||
|
# Acct-Interim-Interval >= 300,
|
||||||
|
# Acct-Interim-Interval <= 3600
|
||||||
|
|
||||||
|
#
|
||||||
|
# This is a complete entry for realm "spamrealm". Fall-Through is used,
|
||||||
|
# so that the DEFAULT filter rules are used in addition to these.
|
||||||
|
#
|
||||||
|
# These rules allow:
|
||||||
|
# o Force the application of Filter-ID attribute to be returned
|
||||||
|
# in the proxy reply, whether the proxy sent it or not.
|
||||||
|
# o The standard DEFAULT rules as defined below
|
||||||
|
#
|
||||||
|
#spamrealm
|
||||||
|
# Framed-Filter-Id := "nosmtp.in",
|
||||||
|
# Fall-Through = Yes
|
||||||
|
|
||||||
|
#
|
||||||
|
# The rest of this file contains the DEFAULT entry.
|
||||||
|
# DEFAULT matches with all realm names. (except if the realm previously
|
||||||
|
# matched an entry with no Fall-Through)
|
||||||
|
#
|
||||||
|
|
||||||
|
DEFAULT
|
||||||
|
Service-Type == Framed-User,
|
||||||
|
Service-Type == Login-User,
|
||||||
|
Login-Service == Telnet,
|
||||||
|
Login-Service == Rlogin,
|
||||||
|
Login-Service == TCP-Clear,
|
||||||
|
Login-TCP-Port <= 65536,
|
||||||
|
Framed-IP-Address == 255.255.255.254,
|
||||||
|
Framed-IP-Netmask == 255.255.255.255,
|
||||||
|
Framed-Protocol == PPP,
|
||||||
|
Framed-Protocol == SLIP,
|
||||||
|
Framed-Compression == Van-Jacobson-TCP-IP,
|
||||||
|
Framed-MTU >= 576,
|
||||||
|
Framed-Filter-ID =* ANY,
|
||||||
|
Reply-Message =* ANY,
|
||||||
|
Proxy-State =* ANY,
|
||||||
|
EAP-Message =* ANY,
|
||||||
|
Message-Authenticator =* ANY,
|
||||||
|
MS-MPPE-Recv-Key =* ANY,
|
||||||
|
MS-MPPE-Send-Key =* ANY,
|
||||||
|
MS-CHAP-MPPE-Keys =* ANY,
|
||||||
|
State =* ANY,
|
||||||
|
Session-Timeout <= 28800,
|
||||||
|
Idle-Timeout <= 600,
|
||||||
|
Calling-Station-Id =* ANY,
|
||||||
|
Operator-Name =* ANY,
|
||||||
|
Port-Limit <= 2
|
|
@ -0,0 +1,19 @@
|
||||||
|
#
|
||||||
|
# Configuration file for the rlm_attr_filter module.
|
||||||
|
# Please see rlm_attr_filter(5) manpage for more information.
|
||||||
|
#
|
||||||
|
# $Id: 78ea54e83f4a998797f16a8c564b5c2f32642adc $
|
||||||
|
#
|
||||||
|
# This configuration file is used to remove almost all of the
|
||||||
|
# attributes From an Access-Challenge message. The RFC's say
|
||||||
|
# that an Access-Challenge packet can contain only a few
|
||||||
|
# attributes. We enforce that here.
|
||||||
|
#
|
||||||
|
DEFAULT
|
||||||
|
EAP-Message =* ANY,
|
||||||
|
State =* ANY,
|
||||||
|
Message-Authenticator =* ANY,
|
||||||
|
Reply-Message =* ANY,
|
||||||
|
Proxy-State =* ANY,
|
||||||
|
Session-Timeout =* ANY,
|
||||||
|
Idle-Timeout =* ANY
|
|
@ -0,0 +1,17 @@
|
||||||
|
#
|
||||||
|
# Configuration file for the rlm_attr_filter module.
|
||||||
|
# Please see rlm_attr_filter(5) manpage for more information.
|
||||||
|
#
|
||||||
|
# $Id: e263d504cfdc5cf5db00fa6aacf2bd148a7623fc $
|
||||||
|
#
|
||||||
|
# This configuration file is used to remove almost all of the attributes
|
||||||
|
# From an Access-Reject message. The RFC's say that an Access-Reject
|
||||||
|
# packet can contain only a few attributes. We enforce that here.
|
||||||
|
#
|
||||||
|
DEFAULT
|
||||||
|
EAP-Message =* ANY,
|
||||||
|
State =* ANY,
|
||||||
|
Message-Authenticator =* ANY,
|
||||||
|
Reply-Message =* ANY,
|
||||||
|
MS-CHAP-Error =* ANY,
|
||||||
|
Proxy-State =* ANY
|
|
@ -0,0 +1,15 @@
|
||||||
|
#
|
||||||
|
# Configuration file for the rlm_attr_filter module.
|
||||||
|
# Please see rlm_attr_filter(5) manpage for more information.
|
||||||
|
#
|
||||||
|
# $Id: 3746ce4da3d58fcdd0b777a93e599045353c27ac $
|
||||||
|
#
|
||||||
|
# This configuration file is used to remove almost all of the attributes
|
||||||
|
# From an Accounting-Response message. The RFC's say that an
|
||||||
|
# Accounting-Response packet can contain only a few attributes.
|
||||||
|
# We enforce that here.
|
||||||
|
#
|
||||||
|
DEFAULT
|
||||||
|
Vendor-Specific =* ANY,
|
||||||
|
Message-Authenticator =* ANY,
|
||||||
|
Proxy-State =* ANY
|
|
@ -0,0 +1,62 @@
|
||||||
|
#
|
||||||
|
# Configuration file for the rlm_attr_filter module.
|
||||||
|
# Please see rlm_attr_filter(5) manpage for more information.
|
||||||
|
#
|
||||||
|
# $Id: 8c601cf205f9d85b75c1ec7fc8e816e7341a5ba4 $
|
||||||
|
#
|
||||||
|
# This file contains security and configuration information
|
||||||
|
# for each realm. It can be used be an rlm_attr_filter module
|
||||||
|
# instance to filter attributes before sending packets to the
|
||||||
|
# home server of a realm.
|
||||||
|
#
|
||||||
|
# When a packet is sent to a home server, these attributes
|
||||||
|
# and values are tested. Only the first match is used unless
|
||||||
|
# the "Fall-Through" variable is set to "Yes". In that case
|
||||||
|
# the rules defined in the DEFAULT case are processed as well.
|
||||||
|
#
|
||||||
|
# A special realm named "DEFAULT" matches on all realm names.
|
||||||
|
# You can have only one DEFAULT entry. All entries are processed
|
||||||
|
# in the order they appear in this file. The first entry that
|
||||||
|
# matches the login-request will stop processing unless you use
|
||||||
|
# the Fall-Through variable.
|
||||||
|
#
|
||||||
|
# The first line indicates the realm to which the rules apply.
|
||||||
|
# Indented (with the tab character) lines following the first
|
||||||
|
# line indicate the filter rules.
|
||||||
|
#
|
||||||
|
|
||||||
|
# This is a complete entry for 'nochap' realm. It allows to send very
|
||||||
|
# basic attributes to the home server. Note that there is no Fall-Through
|
||||||
|
# entry so that no DEFAULT entry will be used. Only the listed attributes
|
||||||
|
# will be sent in the packet, all other attributes will be filtered out.
|
||||||
|
#
|
||||||
|
#nochap
|
||||||
|
# User-Name =* ANY,
|
||||||
|
# User-Password =* ANY,
|
||||||
|
# NAS-Ip-Address =* ANY,
|
||||||
|
# NAS-Identifier =* ANY
|
||||||
|
|
||||||
|
# The entry for the 'brokenas' realm removes the attribute NAS-Port-Type
|
||||||
|
# if its value is different from 'Ethernet'. Then the default rules are
|
||||||
|
# applied.
|
||||||
|
#
|
||||||
|
#brokenas
|
||||||
|
# NAS-Port-Type == Ethernet
|
||||||
|
# Fall-Through = Yes
|
||||||
|
|
||||||
|
# The rest of this file contains the DEFAULT entry.
|
||||||
|
# DEFAULT matches with all realm names.
|
||||||
|
|
||||||
|
DEFAULT
|
||||||
|
User-Name =* ANY,
|
||||||
|
User-Password =* ANY,
|
||||||
|
CHAP-Password =* ANY,
|
||||||
|
CHAP-Challenge =* ANY,
|
||||||
|
MS-CHAP-Challenge =* ANY,
|
||||||
|
MS-CHAP-Response =* ANY,
|
||||||
|
EAP-Message =* ANY,
|
||||||
|
Message-Authenticator =* ANY,
|
||||||
|
State =* ANY,
|
||||||
|
NAS-IP-Address =* ANY,
|
||||||
|
NAS-Identifier =* ANY,
|
||||||
|
Proxy-State =* ANY
|
|
@ -0,0 +1,30 @@
|
||||||
|
-----BEGIN RSA PRIVATE KEY-----
|
||||||
|
Proc-Type: 4,ENCRYPTED
|
||||||
|
DEK-Info: AES-256-CBC,3AD0523FFE8CE8B72DF17107DF07836B
|
||||||
|
|
||||||
|
e0kcoXFr/E2N762180rPOSAeXsWDY2Ej2iv3XD7VYblSK0ChdXfdGmIqoauUlwIn
|
||||||
|
K6WQ9E6tZFkYtnjFK3Sf7npjqqH8vYA0JewEBoLgA5/upA/ZYXZNXGqF5Xqs0q78
|
||||||
|
314bOFsCy3Mb034OBPemQ8QY2zjsKvQJBQkzEujNDUfnSE7nKP7lZHIVhIeO8ec0
|
||||||
|
GfjQ1sE4hACGhINdLdjZAT0UIxYgW8LARbaGt23H6SKOlVvCobCjzetRckVYBdt5
|
||||||
|
8+m6Unx6z9L938koqUgbN8CJVv6FT5Sgk0fYJCRCEMKuMTDluSEAPFctKetn7eVy
|
||||||
|
mZY7WaxkbUZhGv4v9+VPuKmCfjlquMK9nKBQskOJNF4fiiWH17920K1hye513+iY
|
||||||
|
Q7GyTMywZqgirIjzusbeacXQ7MtZmlVlbIlwx2mh0edD73wQ1u42Wbhnxv1Sd4+M
|
||||||
|
57WGefprxh7XtX3G92joVIRt8Em+tsYnhZ0LdKEChIX6Fnrewr/uWdKcCjazksLX
|
||||||
|
fi1KVyDa4VVfZzgYRBxMXLBRY4l8g/JMRXI6pOEigzkpfnhVQS/pVWTTf35cJyMw
|
||||||
|
YSsWs9J8WzNb37SuZqNnKPcZCaf8F66TEeu4jigMtjgt1LwXo2biPUwsyiVq/VCT
|
||||||
|
pnfJho9OHVfDmplETeanpXTn902Z4ji173iFGe8E1MCqUARiHwtSFIHyCKCKvX7Z
|
||||||
|
9MnydV75V/JlvL4Tp+x/+h6HKjeDkdQW1kL469DOtvVJLN2nxq969m0ztIntj98B
|
||||||
|
UVNNQjIbwbVq2JQBdd3jDiDtFGPu+cZmX5/+boxb/Q0hHthf9Z/XfMiQUHyTOUI1
|
||||||
|
LSOaH2tp0r1N0/C5BxNaqPaauyXEK4S96/YR071rjjWQBiF2qXQHOC3pjSFdrvVb
|
||||||
|
tZaqNbSvNgxqJhU8u5gf/fKOtMK2XMjzkk8E8jcwAY4gU3c72N17xlBRA2H9FM7B
|
||||||
|
DfjzNRcyCD39jyM+gfiudczBgarmonMQlTt153cR7UvZ3zZ7YmVWvSQ1hxy0deuT
|
||||||
|
OqfpSR/lgoIaXEW1igdyaMlXPetnTCMi1CaTzD7A80yJeWpK6abOxGk5O9mwwpUu
|
||||||
|
02YMas9ETsbnElMscQTYPpDui/0ZXX9gjNEpP03ZEkixr++QUkN3EA76A+i06GDE
|
||||||
|
3R+4W1GFn8uRrnruyciSR+e/S7g4M5Q99c7QCp9CdsPGKKMe681hj7SqylToNSwB
|
||||||
|
9DKNo+3QIIRupxkYcpyZBLnofRqiKbd3pcdnAUO6/15WBoiz0sqDnSbUIKf4eWmO
|
||||||
|
nzRVaA9cJ/6RF3hZ7++om/vbX7rskthZeGGvwZpRNIqwBsA0lHLZ5inB/dsChRTy
|
||||||
|
oMBX6zcPIyUWo9e0NOJqYTMmsBVA1QeAywzAJo/jRWL6mA8NT/97KizqYS1ZlcjU
|
||||||
|
PhT/v80l5hWrOzB+URZkBOo3ygkntScj/gxqLsisdrHP9YbOIkhRWSBWzWXGywXy
|
||||||
|
8PqoOZF1NB2pTuSP7z0THtxKn4B/mq15Lg+26YZgauVWlf8MY8FOOaDBeRGyJ9W7
|
||||||
|
pbqktLIQ0zPRfF+CGVmTC62Bfcsb+DNXowvgU5DlN8hJ0rMmJYbcyJyWmwyWWKtX
|
||||||
|
-----END RSA PRIVATE KEY-----
|
|
@ -0,0 +1,23 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIID5TCCAs2gAwIBAgIJAKA5akuqlUzKMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYD
|
||||||
|
VQQGEwJERTEQMA4GA1UECAwHU2FjaHNlbjEQMA4GA1UEBwwHRHJlc2RlbjENMAsG
|
||||||
|
A1UECgwEQzNEMjENMAsGA1UECwwEQzNEMjEaMBgGA1UEAwwRcmFkaXVzLmhxLmMz
|
||||||
|
ZDIuZGUxGzAZBgkqhkiG9w0BCQEWDG1haWxAYzNkMi5kZTAeFw0xNTA2MDYxOTA5
|
||||||
|
MjFaFw0yNTA2MDMxOTA5MjFaMIGIMQswCQYDVQQGEwJERTEQMA4GA1UECAwHU2Fj
|
||||||
|
aHNlbjEQMA4GA1UEBwwHRHJlc2RlbjENMAsGA1UECgwEQzNEMjENMAsGA1UECwwE
|
||||||
|
QzNEMjEaMBgGA1UEAwwRcmFkaXVzLmhxLmMzZDIuZGUxGzAZBgkqhkiG9w0BCQEW
|
||||||
|
DG1haWxAYzNkMi5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPRR
|
||||||
|
Xf+pocIFjZGeSuo+LM7/lqnQ96Pc2g9cTXlxoeCFP1akwYUzDl1ZqvUZsC3hKKkB
|
||||||
|
EjmI2VB4rjIgT9Z/57aQ7jYYp1B6ivQDapKSqpKFL6s0VzDljrzOmxvGQFXyV88X
|
||||||
|
TiMkwmtmS2Bj62poWhSlpQk9sPaioz8SDrJtBxM9fNSbM1ED9rRXGWlSwEVBzeUp
|
||||||
|
YaNWYCc3CPYLIhNZmtFhAhNmzw/tIx5+MRa/hkEarbyToZ7EceTMJ4KflBBLXQzY
|
||||||
|
s2PLYkRbZMBUlRM7HDZVx6F8OPusnG1luB2LX/kQCvYuFk6BiBdussOFLD0swdtd
|
||||||
|
rK820j6dIAJbbxSfy90CAwEAAaNQME4wHQYDVR0OBBYEFDHshd+TNUAwSY0+cpaH
|
||||||
|
HDQaOXwnMB8GA1UdIwQYMBaAFDHshd+TNUAwSY0+cpaHHDQaOXwnMAwGA1UdEwQF
|
||||||
|
MAMBAf8wDQYJKoZIhvcNAQELBQADggEBADc7I4dtsIhSN0jDs0iavwBT13a1sslp
|
||||||
|
e2gwDdcTh0xAVmmrq84JY6uIoMjLrx+roE3vn+oLHP8qrlw4snbOc0mo04o2lMza
|
||||||
|
DepLQoBtnMNaUTSOHt1avvP8bhFTE0c0MlFAInC1MpqO5mtRwpays/f1Hc+iEOmx
|
||||||
|
o3iHLpdKpeEfFxFZVNsJKva/A2DlLVqTdH/UvTdnoxwvSRzzEBP3plqdNSFsg5XZ
|
||||||
|
oGNSsoNT6k2cFjQtxRdrKk+qggbPuPbTC5fXWOTlu4A2eVmW0XfT4eZ9z8QRe7dA
|
||||||
|
uGOcC1XiDLmIon9q5KIH3k3TiL5hELJu2BvatxJaOpwGR1pbcooZaI0=
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -0,0 +1,5 @@
|
||||||
|
-----BEGIN DH PARAMETERS-----
|
||||||
|
MIGHAoGBAKNmmoE+doPb+VmQlXOqsXcVX5ciwWyf+QsdEVyyic6fZUMWbAvFwDN1
|
||||||
|
hnT5HbpWkCnwU5H27st8+SluOMGfjiwmhtn5TZqX1b0bOWH+UeT1iRLBaClZNNCx
|
||||||
|
MDWIVbk1cpnNszsMPGhjMrQwN06bZFPwFBS8+smgrDnQoN1BkPPjAgEC
|
||||||
|
-----END DH PARAMETERS-----
|
|
@ -0,0 +1,18 @@
|
||||||
|
-----BEGIN CERTIFICATE REQUEST-----
|
||||||
|
MIIC1jCCAb4CAQAwgZAxCzAJBgNVBAYTAkRFMRAwDgYDVQQIDAdTYWNoc2VuMRAw
|
||||||
|
DgYDVQQHDAdEcmVzZGVuMQ0wCwYDVQQKDARDM0QyMQ0wCwYDVQQLDARDM0QyMSIw
|
||||||
|
IAYDVQQDDBlhbnliZXJ0LnJhZGl1cy5ocS5jM2QyLmRlMRswGQYJKoZIhvcNAQkB
|
||||||
|
FgxtYWlsQGMzZDIuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCm
|
||||||
|
yrdjj+J2xzLeALYQWfYdMPN+qXeEKMU4HkGhyUPAAbKRI5uXPg1XYbt4BCbKe4ZM
|
||||||
|
w/0bnHRkzubj1dvpwL5X8ziaoYixVvsO85gg7bL/6tBosbiRz7Z9eg1n8YXqCdCY
|
||||||
|
rtJX/Yqk/R7pqCe8y3vj7q5cRaSb24l0yJzbQGX15PeDkcHBdqIYLwctm004tsC3
|
||||||
|
NBR5yyA2Wh7jlXTPL9KyJhEM7RfXKtMtn3Oe06TlRBUvmt8qBgPu7uEnHFK/E8lO
|
||||||
|
yK3CYl2i2FuvEfmO5V5zekhD2wdWhzvaL0bjaoBZEf6VxtWcQWVBOXEH9+39DWrn
|
||||||
|
ukPf/XhKQp3pPKctUUBBAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAE4GoYZ/w
|
||||||
|
Jf4rSuS6j/Sq4v4pUIoU3tZd3UvjG5jj34XZFvTNzKHdazS7VYyFjukMPSv+WljV
|
||||||
|
v2v6xn62RjRHXvRu4/fXBvyAcxdQngf892BYGTVxB3OMVE1JCyc2xARh6gcOvrfC
|
||||||
|
wwOIYw4Wc5xZ8JjmhK/9zyuVVSOEcV03LY7kSYFrwTgs/k/+Cv2Myimlc+n0r76/
|
||||||
|
iDHU+8R0O/yD5dkDdJ/GFr9d09OoF+6WQc9pRVloHxQut9YS0C5P03+Xw9CUhRGB
|
||||||
|
L7n+k6eqzE2Fi43nTqb9KrBaTi/RdYht1DdaVxgJ1n/INqaeORqiAjyAmvuooBTF
|
||||||
|
jSbFtdKfURnjOQ==
|
||||||
|
-----END CERTIFICATE REQUEST-----
|
|
@ -0,0 +1,30 @@
|
||||||
|
-----BEGIN RSA PRIVATE KEY-----
|
||||||
|
Proc-Type: 4,ENCRYPTED
|
||||||
|
DEK-Info: AES-256-CBC,D5409971E41EA7511A983B7756144C03
|
||||||
|
|
||||||
|
77B64GyVzF3TkltnC8nZaZENB1zCl626Bi3NcjpszsIw/LnOC8bn2MjiEQwoNXOI
|
||||||
|
GxcjUSyzB9v++/qMbvPIQ2hJXd7aayu0OWbLoFjyISqQDZhxMNwTlr0ZPppH2LoC
|
||||||
|
HXQV8BKSMkxN2SMNyLdZt6pfpKtyOBUKoy7jDCCiaTEamvGtGKyhgQZVpyPrz8lS
|
||||||
|
BFpUR2czPggFu8WsJ5jov7k7rEkuUMFvsNDRajRMwSzr9z6ESmEc9AavB9/t1TZ8
|
||||||
|
M9eEgp65QUBcDzDVvP05pjwF+4wgqabC41k3EMiA2LLlFIn5Bvamq1Sj3DLdWIQE
|
||||||
|
fzgw8NM2JRF3CZdFt/rAVoCIcpNx7kcWu8UCpdHYmlB+VwIYnrUWngT5kaMp2vvu
|
||||||
|
B235/QffgANfB560dIP4Z2CnZI1SLyhTJPLTmwO/XWOtuoQso5nfxtHNq/IwrUA1
|
||||||
|
jxedKG9AkBQQPsHAErZnxoFotK//zyggx6S41SjnMFWr1PrscU3mA+A+UvwLP7Bu
|
||||||
|
gmw1oIDWL3sZ5B7KQJ2FC6ryjyoQiSI/AK8Gk0Ryhf1oUhgguxUDnWSKqrxEoeHJ
|
||||||
|
S635pYjlDVyhU3ct9BWbFBOzdYPZBIQHPfB/lvmbl6lsFA5oOgCvZHDrBSytiSIc
|
||||||
|
0k5cjhhQanvPRVu8ulIiHNnMFGuvX1rzh0im4IrITK7YtHj65I1gCIU4gFrfXk6T
|
||||||
|
QtPZoaa5F4VV5BdyljF7t+yFzVthrbPb/MVjWJgC4j40fICmA8x5TTl//HGg41AN
|
||||||
|
yJcn3295GlTQ/EagxEfWAiy38+1IGwTsNFFHxaTYGoIMON06HTegFH39MmTOBl2G
|
||||||
|
mmk4d+m/A3KEZ1Le16xZCc7QjQRwMUMzHk4w3FfvkKSDj4Li8xFbKv4zUrXx++Q7
|
||||||
|
mm5owtMWrit7bAbDli9hpGe+AsQGXIsHPC3i/wsm64niWiTcBK3TO5sF/3n0nNVb
|
||||||
|
MkdVA9OaBpXG8XjHdK62HylaOHpyNB7kEhRjcTT2EKZZ10DcQpPDvJhx8lkvauww
|
||||||
|
ubVZHBPqIXdI/L7H/6hqyxe0S0IPtoQpgEr/1lyUWQZtiDyFrQ1ySCY1HGwXtmWa
|
||||||
|
fUP6TyZQogdND8GhzhEFY4J/FWUM8k5VowzuxYnUGEKKERDwDaQwNRoi+L9fiiKh
|
||||||
|
nNmTOHCIoxCfN9+H8sVtPiliPr1x4G3aeegsEJfKnmDP5gyj02tOYb2IpqhSsdCZ
|
||||||
|
qXQ2AuUq42dq5YeQA0KVRD6hiK9L+sO5BSCrr2dtF6SAK+00/CL42EP2ee+C65kW
|
||||||
|
ksxGssmtGrcjcIW9niHx9acGTgDJ6nBK9zawQkNkF8pr8GUNyAsY5+nGy3H4EsO0
|
||||||
|
XtszaUyT/xnSwZV+OGLIRP10lCiWPtU+Axay3DjUrxmbzzWZ3XmIbNRrYN2gxZ3b
|
||||||
|
eA1QJE2kFwmZfngDqTu9uACHINwegj9juCDCOHLYF3shiOgqEsRypCaTYfZKoZY6
|
||||||
|
feelUSD5Xs86ezKO2KxU1Pan9pZCnKUtJ+lpmlqyQIB+DEKJpNabHIXECMIwnxzK
|
||||||
|
ftpahPFJDFWqguh1BeFZTCtb9qlDcXLMFac9aTMoK5KWQ3ed9gucvKHUm6G57zB8
|
||||||
|
-----END RSA PRIVATE KEY-----
|
|
@ -0,0 +1,22 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDjjCCAnYCAQEwDQYJKoZIhvcNAQELBQAwgYgxCzAJBgNVBAYTAkRFMRAwDgYD
|
||||||
|
VQQIDAdTYWNoc2VuMRAwDgYDVQQHDAdEcmVzZGVuMQ0wCwYDVQQKDARDM0QyMQ0w
|
||||||
|
CwYDVQQLDARDM0QyMRowGAYDVQQDDBFyYWRpdXMuaHEuYzNkMi5kZTEbMBkGCSqG
|
||||||
|
SIb3DQEJARYMbWFpbEBjM2QyLmRlMB4XDTE1MDYwNjE5MTAzNloXDTI1MDYwMzE5
|
||||||
|
MTAzNlowgZAxCzAJBgNVBAYTAkRFMRAwDgYDVQQIDAdTYWNoc2VuMRAwDgYDVQQH
|
||||||
|
DAdEcmVzZGVuMQ0wCwYDVQQKDARDM0QyMQ0wCwYDVQQLDARDM0QyMSIwIAYDVQQD
|
||||||
|
DBlhbnliZXJ0LnJhZGl1cy5ocS5jM2QyLmRlMRswGQYJKoZIhvcNAQkBFgxtYWls
|
||||||
|
QGMzZDIuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCmyrdjj+J2
|
||||||
|
xzLeALYQWfYdMPN+qXeEKMU4HkGhyUPAAbKRI5uXPg1XYbt4BCbKe4ZMw/0bnHRk
|
||||||
|
zubj1dvpwL5X8ziaoYixVvsO85gg7bL/6tBosbiRz7Z9eg1n8YXqCdCYrtJX/Yqk
|
||||||
|
/R7pqCe8y3vj7q5cRaSb24l0yJzbQGX15PeDkcHBdqIYLwctm004tsC3NBR5yyA2
|
||||||
|
Wh7jlXTPL9KyJhEM7RfXKtMtn3Oe06TlRBUvmt8qBgPu7uEnHFK/E8lOyK3CYl2i
|
||||||
|
2FuvEfmO5V5zekhD2wdWhzvaL0bjaoBZEf6VxtWcQWVBOXEH9+39DWrnukPf/XhK
|
||||||
|
Qp3pPKctUUBBAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJdpPd8HTJwOfjD0COUw
|
||||||
|
NBlPh7amQeASg0Gzz6w1NFZtVkUrnlp638pjsMsi6ldwwmNyWY5VA9TwwDTOxm9X
|
||||||
|
CacG2tEirGwIHsrOo4BBMSrMu7V2ts+IIv92C5kgmFU2vbs2jKquepKt4zsOfwd2
|
||||||
|
X+5qF/5qr3BkOIE6pc00IE9rRyzcE0KvaEEVHlvc/oS8f2F8lYRpJNjFNmW1jKs9
|
||||||
|
TaLQWG7a0Wy97IWk1kcW5XymjAq4UJjcbPWm+zZVUJq21wlHHLnkbP6KeqY0RE7R
|
||||||
|
wyq3yVAZTzXimfmwiQgGFA8P5pwrYkXcA342J+IgeblRgsT/6Lirfyd05ctQc3yL
|
||||||
|
NBU=
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -0,0 +1,247 @@
|
||||||
|
# -*- text -*-
|
||||||
|
##
|
||||||
|
## clients.conf -- client configuration directives
|
||||||
|
##
|
||||||
|
## $Id: 729c15d3e84c6cdb54a5f3652d93a2d7f8725fd4 $
|
||||||
|
|
||||||
|
#######################################################################
|
||||||
|
#
|
||||||
|
# Define RADIUS clients (usually a NAS, Access Point, etc.).
|
||||||
|
|
||||||
|
#
|
||||||
|
# Defines a RADIUS client.
|
||||||
|
#
|
||||||
|
# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
|
||||||
|
# to allow testing of the server after an initial installation. If you
|
||||||
|
# are not going to be permitting RADIUS queries from localhost, we suggest
|
||||||
|
# that you delete, or comment out, this entry.
|
||||||
|
#
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# Each client has a "short name" that is used to distinguish it from
|
||||||
|
# other clients.
|
||||||
|
#
|
||||||
|
# In version 1.x, the string after the word "client" was the IP
|
||||||
|
# address of the client. In 2.0, the IP address is configured via
|
||||||
|
# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x
|
||||||
|
# format is still accepted.
|
||||||
|
#
|
||||||
|
client localhost {
|
||||||
|
# Allowed values are:
|
||||||
|
# dotted quad (1.2.3.4)
|
||||||
|
# hostname (radius.example.com)
|
||||||
|
ipaddr = 127.0.0.1
|
||||||
|
|
||||||
|
# OR, you can use an IPv6 address, but not both
|
||||||
|
# at the same time.
|
||||||
|
# ipv6addr = :: # any. ::1 == localhost
|
||||||
|
|
||||||
|
#
|
||||||
|
# A note on DNS: We STRONGLY recommend using IP addresses
|
||||||
|
# rather than host names. Using host names means that the
|
||||||
|
# server will do DNS lookups when it starts, making it
|
||||||
|
# dependent on DNS. i.e. If anything goes wrong with DNS,
|
||||||
|
# the server won't start!
|
||||||
|
#
|
||||||
|
# The server also looks up the IP address from DNS once, and
|
||||||
|
# only once, when it starts. If the DNS record is later
|
||||||
|
# updated, the server WILL NOT see that update.
|
||||||
|
#
|
||||||
|
|
||||||
|
# One client definition can be applied to an entire network.
|
||||||
|
# e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
|
||||||
|
# "netmask = 8"
|
||||||
|
#
|
||||||
|
# If not specified, the default netmask is 32 (i.e. /32)
|
||||||
|
#
|
||||||
|
# We do NOT recommend using anything other than 32. There
|
||||||
|
# are usually other, better ways to achieve the same goal.
|
||||||
|
# Using netmasks of other than 32 can cause security issues.
|
||||||
|
#
|
||||||
|
# You can specify overlapping networks (127/8 and 127.0/16)
|
||||||
|
# In that case, the smallest possible network will be used
|
||||||
|
# as the "best match" for the client.
|
||||||
|
#
|
||||||
|
# Clients can also be defined dynamically at run time, based
|
||||||
|
# on any criteria. e.g. SQL lookups, keying off of NAS-Identifier,
|
||||||
|
# etc.
|
||||||
|
# See raddb/sites-available/dynamic-clients for details.
|
||||||
|
#
|
||||||
|
|
||||||
|
# netmask = 32
|
||||||
|
|
||||||
|
#
|
||||||
|
# The shared secret use to "encrypt" and "sign" packets between
|
||||||
|
# the NAS and FreeRADIUS. You MUST change this secret from the
|
||||||
|
# default, otherwise it's not a secret any more!
|
||||||
|
#
|
||||||
|
# The secret can be any string, up to 8k characters in length.
|
||||||
|
#
|
||||||
|
# Control codes can be entered vi octal encoding,
|
||||||
|
# e.g. "\101\102" == "AB"
|
||||||
|
# Quotation marks can be entered by escaping them,
|
||||||
|
# e.g. "foo\"bar"
|
||||||
|
#
|
||||||
|
# A note on security: The security of the RADIUS protocol
|
||||||
|
# depends COMPLETELY on this secret! We recommend using a
|
||||||
|
# shared secret that is composed of:
|
||||||
|
#
|
||||||
|
# upper case letters
|
||||||
|
# lower case letters
|
||||||
|
# numbers
|
||||||
|
#
|
||||||
|
# And is at LEAST 8 characters long, preferably 16 characters in
|
||||||
|
# length. The secret MUST be random, and should not be words,
|
||||||
|
# phrase, or anything else that is recognizable.
|
||||||
|
#
|
||||||
|
# The default secret below is only for testing, and should
|
||||||
|
# not be used in any real environment.
|
||||||
|
#
|
||||||
|
secret = testing123
|
||||||
|
|
||||||
|
#
|
||||||
|
# Old-style clients do not send a Message-Authenticator
|
||||||
|
# in an Access-Request. RFC 5080 suggests that all clients
|
||||||
|
# SHOULD include it in an Access-Request. The configuration
|
||||||
|
# item below allows the server to require it. If a client
|
||||||
|
# is required to include a Message-Authenticator and it does
|
||||||
|
# not, then the packet will be silently discarded.
|
||||||
|
#
|
||||||
|
# allowed values: yes, no
|
||||||
|
require_message_authenticator = no
|
||||||
|
|
||||||
|
#
|
||||||
|
# The short name is used as an alias for the fully qualified
|
||||||
|
# domain name, or the IP address.
|
||||||
|
#
|
||||||
|
# It is accepted for compatibility with 1.x, but it is no
|
||||||
|
# longer necessary in 2.0
|
||||||
|
#
|
||||||
|
# shortname = localhost
|
||||||
|
|
||||||
|
#
|
||||||
|
# the following three fields are optional, but may be used by
|
||||||
|
# checkrad.pl for simultaneous use checks
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# The nastype tells 'checkrad.pl' which NAS-specific method to
|
||||||
|
# use to query the NAS for simultaneous use.
|
||||||
|
#
|
||||||
|
# Permitted NAS types are:
|
||||||
|
#
|
||||||
|
# cisco
|
||||||
|
# computone
|
||||||
|
# livingston
|
||||||
|
# juniper
|
||||||
|
# max40xx
|
||||||
|
# multitech
|
||||||
|
# netserver
|
||||||
|
# pathras
|
||||||
|
# patton
|
||||||
|
# portslave
|
||||||
|
# tc
|
||||||
|
# usrhiper
|
||||||
|
# other # for all other types
|
||||||
|
|
||||||
|
#
|
||||||
|
nastype = other # localhost isn't usually a NAS...
|
||||||
|
|
||||||
|
#
|
||||||
|
# The following two configurations are for future use.
|
||||||
|
# The 'naspasswd' file is currently used to store the NAS
|
||||||
|
# login name and password, which is used by checkrad.pl
|
||||||
|
# when querying the NAS for simultaneous use.
|
||||||
|
#
|
||||||
|
# login = !root
|
||||||
|
# password = someadminpas
|
||||||
|
|
||||||
|
#
|
||||||
|
# As of 2.0, clients can also be tied to a virtual server.
|
||||||
|
# This is done by setting the "virtual_server" configuration
|
||||||
|
# item, as in the example below.
|
||||||
|
#
|
||||||
|
# virtual_server = home1
|
||||||
|
|
||||||
|
#
|
||||||
|
# A pointer to the "home_server_pool" OR a "home_server"
|
||||||
|
# section that contains the CoA configuration for this
|
||||||
|
# client. For an example of a coa home server or pool,
|
||||||
|
# see raddb/sites-available/originate-coa
|
||||||
|
# coa_server = coa
|
||||||
|
}
|
||||||
|
|
||||||
|
# IPv6 Client
|
||||||
|
#client ::1 {
|
||||||
|
# secret = testing123
|
||||||
|
# shortname = localhost
|
||||||
|
#}
|
||||||
|
#
|
||||||
|
# All IPv6 Site-local clients
|
||||||
|
#client fe80::/16 {
|
||||||
|
# secret = testing123
|
||||||
|
# shortname = localhost
|
||||||
|
#}
|
||||||
|
|
||||||
|
#client some.host.org {
|
||||||
|
# secret = testing123
|
||||||
|
# shortname = localhost
|
||||||
|
#}
|
||||||
|
|
||||||
|
#
|
||||||
|
# You can now specify one secret for a network of clients.
|
||||||
|
# When a client request comes in, the BEST match is chosen.
|
||||||
|
# i.e. The entry from the smallest possible network.
|
||||||
|
#
|
||||||
|
#client 192.168.0.0/24 {
|
||||||
|
# secret = testing123-1
|
||||||
|
# shortname = private-network-1
|
||||||
|
#}
|
||||||
|
#
|
||||||
|
#client 192.168.0.0/16 {
|
||||||
|
# secret = testing123-2
|
||||||
|
# shortname = private-network-2
|
||||||
|
#}
|
||||||
|
|
||||||
|
|
||||||
|
#client 10.10.10.10 {
|
||||||
|
# # secret and password are mapped through the "secrets" file.
|
||||||
|
# secret = testing123
|
||||||
|
# shortname = liv1
|
||||||
|
# # the following three fields are optional, but may be used by
|
||||||
|
# # checkrad.pl for simultaneous usage checks
|
||||||
|
# nastype = livingston
|
||||||
|
# login = !root
|
||||||
|
# password = someadminpas
|
||||||
|
#}
|
||||||
|
|
||||||
|
#######################################################################
|
||||||
|
#
|
||||||
|
# Per-socket client lists. The configuration entries are exactly
|
||||||
|
# the same as above, but they are nested inside of a section.
|
||||||
|
#
|
||||||
|
# You can have as many per-socket client lists as you have "listen"
|
||||||
|
# sections, or you can re-use a list among multiple "listen" sections.
|
||||||
|
#
|
||||||
|
# Un-comment this section, and edit a "listen" section to add:
|
||||||
|
# "clients = per_socket_clients". That IP address/port combination
|
||||||
|
# will then accept ONLY the clients listed in this section.
|
||||||
|
#
|
||||||
|
#clients per_socket_clients {
|
||||||
|
# client 192.168.3.4 {
|
||||||
|
# secret = testing123
|
||||||
|
# }
|
||||||
|
#}
|
||||||
|
|
||||||
|
### ### ### C3D2 ### ### ###
|
||||||
|
|
||||||
|
client any {
|
||||||
|
ipaddr 0.0.0.0/0
|
||||||
|
secret = public
|
||||||
|
nastype = other
|
||||||
|
require_message_authenticator = no
|
||||||
|
}
|
||||||
|
|
||||||
|
### ### ### C3D2 ### ### ###
|
||||||
|
# EOF
|
|
@ -0,0 +1,32 @@
|
||||||
|
#
|
||||||
|
# This is the master dictionary file, which references the
|
||||||
|
# pre-defined dictionary files included with the server.
|
||||||
|
#
|
||||||
|
# Any new/changed attributes MUST be placed in this file, as
|
||||||
|
# the pre-defined dictionaries SHOULD NOT be edited.
|
||||||
|
#
|
||||||
|
# $Id: ceb31c82feb869972588f60fe6ace2fc1db70224 $
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# The filename given here should be an absolute path.
|
||||||
|
#
|
||||||
|
$INCLUDE /usr/share/freeradius/dictionary
|
||||||
|
|
||||||
|
#
|
||||||
|
# Place additional attributes or $INCLUDEs here. They will
|
||||||
|
# over-ride the definitions in the pre-defined dictionaries.
|
||||||
|
#
|
||||||
|
# See the 'man' page for 'dictionary' for information on
|
||||||
|
# the format of the dictionary files.
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you want to add entries to the dictionary file,
|
||||||
|
# which are NOT going to be placed in a RADIUS packet,
|
||||||
|
# add them here. The numbers you pick should be between
|
||||||
|
# 3000 and 4000.
|
||||||
|
#
|
||||||
|
|
||||||
|
#ATTRIBUTE My-Local-String 3000 string
|
||||||
|
#ATTRIBUTE My-Local-IPAddr 3001 ipaddr
|
||||||
|
#ATTRIBUTE My-Local-Integer 3002 integer
|
|
@ -0,0 +1,688 @@
|
||||||
|
# -*- text -*-
|
||||||
|
##
|
||||||
|
## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
|
||||||
|
##
|
||||||
|
## $Id: 95bebe4d25ef13871fb201ba540ed008078dab07 $
|
||||||
|
|
||||||
|
#######################################################################
|
||||||
|
#
|
||||||
|
# Whatever you do, do NOT set 'Auth-Type := EAP'. The server
|
||||||
|
# is smart enough to figure this out on its own. The most
|
||||||
|
# common side effect of setting 'Auth-Type := EAP' is that the
|
||||||
|
# users then cannot use ANY other authentication method.
|
||||||
|
#
|
||||||
|
# EAP types NOT listed here may be supported via the "eap2" module.
|
||||||
|
# See experimental.conf for documentation.
|
||||||
|
#
|
||||||
|
eap {
|
||||||
|
# Invoke the default supported EAP type when
|
||||||
|
# EAP-Identity response is received.
|
||||||
|
#
|
||||||
|
# The incoming EAP messages DO NOT specify which EAP
|
||||||
|
# type they will be using, so it MUST be set here.
|
||||||
|
#
|
||||||
|
# For now, only one default EAP type may be used at a time.
|
||||||
|
#
|
||||||
|
# If the EAP-Type attribute is set by another module,
|
||||||
|
# then that EAP type takes precedence over the
|
||||||
|
# default type configured here.
|
||||||
|
#
|
||||||
|
default_eap_type = ttls
|
||||||
|
|
||||||
|
# A list is maintained to correlate EAP-Response
|
||||||
|
# packets with EAP-Request packets. After a
|
||||||
|
# configurable length of time, entries in the list
|
||||||
|
# expire, and are deleted.
|
||||||
|
#
|
||||||
|
timer_expire = 60
|
||||||
|
|
||||||
|
# There are many EAP types, but the server has support
|
||||||
|
# for only a limited subset. If the server receives
|
||||||
|
# a request for an EAP type it does not support, then
|
||||||
|
# it normally rejects the request. By setting this
|
||||||
|
# configuration to "yes", you can tell the server to
|
||||||
|
# instead keep processing the request. Another module
|
||||||
|
# MUST then be configured to proxy the request to
|
||||||
|
# another RADIUS server which supports that EAP type.
|
||||||
|
#
|
||||||
|
# If another module is NOT configured to handle the
|
||||||
|
# request, then the request will still end up being
|
||||||
|
# rejected.
|
||||||
|
ignore_unknown_eap_types = no
|
||||||
|
|
||||||
|
# Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
|
||||||
|
# a User-Name attribute in an Access-Accept, it copies one
|
||||||
|
# more byte than it should.
|
||||||
|
#
|
||||||
|
# We can work around it by configurably adding an extra
|
||||||
|
# zero byte.
|
||||||
|
cisco_accounting_username_bug = no
|
||||||
|
|
||||||
|
#
|
||||||
|
# Help prevent DoS attacks by limiting the number of
|
||||||
|
# sessions that the server is tracking. For simplicity,
|
||||||
|
# this is taken from the "max_requests" directive in
|
||||||
|
# radiusd.conf.
|
||||||
|
max_sessions = ${max_requests}
|
||||||
|
|
||||||
|
# Supported EAP-types
|
||||||
|
|
||||||
|
#
|
||||||
|
# We do NOT recommend using EAP-MD5 authentication
|
||||||
|
# for wireless connections. It is insecure, and does
|
||||||
|
# not provide for dynamic WEP keys.
|
||||||
|
#
|
||||||
|
md5 {
|
||||||
|
}
|
||||||
|
|
||||||
|
# Cisco LEAP
|
||||||
|
#
|
||||||
|
# We do not recommend using LEAP in new deployments. See:
|
||||||
|
# http://www.securiteam.com/tools/5TP012ACKE.html
|
||||||
|
#
|
||||||
|
# Cisco LEAP uses the MS-CHAP algorithm (but not
|
||||||
|
# the MS-CHAP attributes) to perform it's authentication.
|
||||||
|
#
|
||||||
|
# As a result, LEAP *requires* access to the plain-text
|
||||||
|
# User-Password, or the NT-Password attributes.
|
||||||
|
# 'System' authentication is impossible with LEAP.
|
||||||
|
#
|
||||||
|
leap {
|
||||||
|
}
|
||||||
|
|
||||||
|
# Generic Token Card.
|
||||||
|
#
|
||||||
|
# Currently, this is only permitted inside of EAP-TTLS,
|
||||||
|
# or EAP-PEAP. The module "challenges" the user with
|
||||||
|
# text, and the response from the user is taken to be
|
||||||
|
# the User-Password.
|
||||||
|
#
|
||||||
|
# Proxying the tunneled EAP-GTC session is a bad idea,
|
||||||
|
# the users password will go over the wire in plain-text,
|
||||||
|
# for anyone to see.
|
||||||
|
#
|
||||||
|
gtc {
|
||||||
|
# The default challenge, which many clients
|
||||||
|
# ignore..
|
||||||
|
#challenge = "Password: "
|
||||||
|
|
||||||
|
# The plain-text response which comes back
|
||||||
|
# is put into a User-Password attribute,
|
||||||
|
# and passed to another module for
|
||||||
|
# authentication. This allows the EAP-GTC
|
||||||
|
# response to be checked against plain-text,
|
||||||
|
# or crypt'd passwords.
|
||||||
|
#
|
||||||
|
# If you say "Local" instead of "PAP", then
|
||||||
|
# the module will look for a User-Password
|
||||||
|
# configured for the request, and do the
|
||||||
|
# authentication itself.
|
||||||
|
#
|
||||||
|
auth_type = PAP
|
||||||
|
}
|
||||||
|
|
||||||
|
## EAP-TLS
|
||||||
|
#
|
||||||
|
# See raddb/certs/README for additional comments
|
||||||
|
# on certificates.
|
||||||
|
#
|
||||||
|
# If OpenSSL was not found at the time the server was
|
||||||
|
# built, the "tls", "ttls", and "peap" sections will
|
||||||
|
# be ignored.
|
||||||
|
#
|
||||||
|
# Otherwise, when the server first starts in debugging
|
||||||
|
# mode, test certificates will be created. See the
|
||||||
|
# "make_cert_command" below for details, and the README
|
||||||
|
# file in raddb/certs
|
||||||
|
#
|
||||||
|
# These test certificates SHOULD NOT be used in a normal
|
||||||
|
# deployment. They are created only to make it easier
|
||||||
|
# to install the server, and to perform some simple
|
||||||
|
# tests with EAP-TLS, TTLS, or PEAP.
|
||||||
|
#
|
||||||
|
# See also:
|
||||||
|
#
|
||||||
|
# http://www.dslreports.com/forum/remark,9286052~mode=flat
|
||||||
|
#
|
||||||
|
# Note that you should NOT use a globally known CA here!
|
||||||
|
# e.g. using a Verisign cert as a "known CA" means that
|
||||||
|
# ANYONE who has a certificate signed by them can
|
||||||
|
# authenticate via EAP-TLS! This is likely not what you want.
|
||||||
|
tls {
|
||||||
|
#
|
||||||
|
# These is used to simplify later configurations.
|
||||||
|
#
|
||||||
|
certdir = ${confdir}/certs
|
||||||
|
cadir = ${confdir}/certs
|
||||||
|
|
||||||
|
private_key_password = c3d2
|
||||||
|
private_key_file = ${certdir}/server.key
|
||||||
|
|
||||||
|
# If Private key & Certificate are located in
|
||||||
|
# the same file, then private_key_file &
|
||||||
|
# certificate_file must contain the same file
|
||||||
|
# name.
|
||||||
|
#
|
||||||
|
# If CA_file (below) is not used, then the
|
||||||
|
# certificate_file below MUST include not
|
||||||
|
# only the server certificate, but ALSO all
|
||||||
|
# of the CA certificates used to sign the
|
||||||
|
# server certificate.
|
||||||
|
certificate_file = ${certdir}/server.pem
|
||||||
|
|
||||||
|
# Trusted Root CA list
|
||||||
|
#
|
||||||
|
# ALL of the CA's in this list will be trusted
|
||||||
|
# to issue client certificates for authentication.
|
||||||
|
#
|
||||||
|
# In general, you should use self-signed
|
||||||
|
# certificates for 802.1x (EAP) authentication.
|
||||||
|
# In that case, this CA file should contain
|
||||||
|
# *one* CA certificate.
|
||||||
|
#
|
||||||
|
# This parameter is used only for EAP-TLS,
|
||||||
|
# when you issue client certificates. If you do
|
||||||
|
# not use client certificates, and you do not want
|
||||||
|
# to permit EAP-TLS authentication, then delete
|
||||||
|
# this configuration item.
|
||||||
|
CA_file = ${cadir}/ca.pem
|
||||||
|
|
||||||
|
#
|
||||||
|
# For DH cipher suites to work, you have to
|
||||||
|
# run OpenSSL to create the DH file first:
|
||||||
|
#
|
||||||
|
# openssl dhparam -out certs/dh 1024
|
||||||
|
#
|
||||||
|
dh_file = ${certdir}/dh
|
||||||
|
random_file = /dev/urandom
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# This can never exceed the size of a RADIUS
|
||||||
|
# packet (4096 bytes), and is preferably half
|
||||||
|
# that, to accomodate other attributes in
|
||||||
|
# RADIUS packet. On most APs the MAX packet
|
||||||
|
# length is configured between 1500 - 1600
|
||||||
|
# In these cases, fragment size should be
|
||||||
|
# 1024 or less.
|
||||||
|
#
|
||||||
|
fragment_size = 1024
|
||||||
|
|
||||||
|
# include_length is a flag which is
|
||||||
|
# by default set to yes If set to
|
||||||
|
# yes, Total Length of the message is
|
||||||
|
# included in EVERY packet we send.
|
||||||
|
# If set to no, Total Length of the
|
||||||
|
# message is included ONLY in the
|
||||||
|
# First packet of a fragment series.
|
||||||
|
#
|
||||||
|
# include_length = yes
|
||||||
|
|
||||||
|
# Check the Certificate Revocation List
|
||||||
|
#
|
||||||
|
# 1) Copy CA certificates and CRLs to same directory.
|
||||||
|
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
|
||||||
|
# 'c_rehash' is OpenSSL's command.
|
||||||
|
# 3) uncomment the line below.
|
||||||
|
# 5) Restart radiusd
|
||||||
|
# check_crl = yes
|
||||||
|
CA_path = ${cadir}
|
||||||
|
|
||||||
|
#
|
||||||
|
# If check_cert_issuer is set, the value will
|
||||||
|
# be checked against the DN of the issuer in
|
||||||
|
# the client certificate. If the values do not
|
||||||
|
# match, the cerficate verification will fail,
|
||||||
|
# rejecting the user.
|
||||||
|
#
|
||||||
|
# In 2.1.10 and later, this check can be done
|
||||||
|
# more generally by checking the value of the
|
||||||
|
# TLS-Client-Cert-Issuer attribute. This check
|
||||||
|
# can be done via any mechanism you choose.
|
||||||
|
#
|
||||||
|
# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
|
||||||
|
|
||||||
|
#
|
||||||
|
# If check_cert_cn is set, the value will
|
||||||
|
# be xlat'ed and checked against the CN
|
||||||
|
# in the client certificate. If the values
|
||||||
|
# do not match, the certificate verification
|
||||||
|
# will fail rejecting the user.
|
||||||
|
#
|
||||||
|
# This check is done only if the previous
|
||||||
|
# "check_cert_issuer" is not set, or if
|
||||||
|
# the check succeeds.
|
||||||
|
#
|
||||||
|
# In 2.1.10 and later, this check can be done
|
||||||
|
# more generally by checking the value of the
|
||||||
|
# TLS-Client-Cert-CN attribute. This check
|
||||||
|
# can be done via any mechanism you choose.
|
||||||
|
#
|
||||||
|
# check_cert_cn = %{User-Name}
|
||||||
|
#
|
||||||
|
# Set this option to specify the allowed
|
||||||
|
# TLS cipher suites. The format is listed
|
||||||
|
# in "man 1 ciphers".
|
||||||
|
cipher_list = "DEFAULT"
|
||||||
|
|
||||||
|
#
|
||||||
|
# As part of checking a client certificate, the EAP-TLS
|
||||||
|
# sets some attributes such as TLS-Client-Cert-CN. This
|
||||||
|
# virtual server has access to these attributes, and can
|
||||||
|
# be used to accept or reject the request.
|
||||||
|
#
|
||||||
|
# virtual_server = check-eap-tls
|
||||||
|
|
||||||
|
# This command creates the initial "snake oil"
|
||||||
|
# certificates when the server is run as root,
|
||||||
|
# and via "radiusd -X".
|
||||||
|
#
|
||||||
|
# As of 2.1.11, it *also* checks the server
|
||||||
|
# certificate for validity, including expiration.
|
||||||
|
# This means that radiusd will refuse to start
|
||||||
|
# when the certificate has expired. The alternative
|
||||||
|
# is to have the 802.1X clients refuse to connect
|
||||||
|
# when they discover the certificate has expired.
|
||||||
|
#
|
||||||
|
# Debugging client issues is hard, so it's better
|
||||||
|
# for the server to print out an error message,
|
||||||
|
# and refuse to start.
|
||||||
|
#
|
||||||
|
make_cert_command = "${certdir}/bootstrap"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Elliptical cryptography configuration
|
||||||
|
#
|
||||||
|
# Only for OpenSSL >= 0.9.8.f
|
||||||
|
#
|
||||||
|
ecdh_curve = "prime256v1"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Session resumption / fast reauthentication
|
||||||
|
# cache.
|
||||||
|
#
|
||||||
|
# The cache contains the following information:
|
||||||
|
#
|
||||||
|
# session Id - unique identifier, managed by SSL
|
||||||
|
# User-Name - from the Access-Accept
|
||||||
|
# Stripped-User-Name - from the Access-Request
|
||||||
|
# Cached-Session-Policy - from the Access-Accept
|
||||||
|
#
|
||||||
|
# The "Cached-Session-Policy" is the name of a
|
||||||
|
# policy which should be applied to the cached
|
||||||
|
# session. This policy can be used to assign
|
||||||
|
# VLANs, IP addresses, etc. It serves as a useful
|
||||||
|
# way to re-apply the policy from the original
|
||||||
|
# Access-Accept to the subsequent Access-Accept
|
||||||
|
# for the cached session.
|
||||||
|
#
|
||||||
|
# On session resumption, these attributes are
|
||||||
|
# copied from the cache, and placed into the
|
||||||
|
# reply list.
|
||||||
|
#
|
||||||
|
# You probably also want "use_tunneled_reply = yes"
|
||||||
|
# when using fast session resumption.
|
||||||
|
#
|
||||||
|
cache {
|
||||||
|
#
|
||||||
|
# Enable it. The default is "no".
|
||||||
|
# Deleting the entire "cache" subsection
|
||||||
|
# Also disables caching.
|
||||||
|
#
|
||||||
|
# You can disallow resumption for a
|
||||||
|
# particular user by adding the following
|
||||||
|
# attribute to the control item list:
|
||||||
|
#
|
||||||
|
# Allow-Session-Resumption = No
|
||||||
|
#
|
||||||
|
# If "enable = no" below, you CANNOT
|
||||||
|
# enable resumption for just one user
|
||||||
|
# by setting the above attribute to "yes".
|
||||||
|
#
|
||||||
|
enable = no
|
||||||
|
|
||||||
|
#
|
||||||
|
# Lifetime of the cached entries, in hours.
|
||||||
|
# The sessions will be deleted after this
|
||||||
|
# time.
|
||||||
|
#
|
||||||
|
lifetime = 24 # hours
|
||||||
|
|
||||||
|
#
|
||||||
|
# The maximum number of entries in the
|
||||||
|
# cache. Set to "0" for "infinite".
|
||||||
|
#
|
||||||
|
# This could be set to the number of users
|
||||||
|
# who are logged in... which can be a LOT.
|
||||||
|
#
|
||||||
|
max_entries = 255
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# As of version 2.1.10, client certificates can be
|
||||||
|
# validated via an external command. This allows
|
||||||
|
# dynamic CRLs or OCSP to be used.
|
||||||
|
#
|
||||||
|
# This configuration is commented out in the
|
||||||
|
# default configuration. Uncomment it, and configure
|
||||||
|
# the correct paths below to enable it.
|
||||||
|
#
|
||||||
|
verify {
|
||||||
|
# A temporary directory where the client
|
||||||
|
# certificates are stored. This directory
|
||||||
|
# MUST be owned by the UID of the server,
|
||||||
|
# and MUST not be accessible by any other
|
||||||
|
# users. When the server starts, it will do
|
||||||
|
# "chmod go-rwx" on the directory, for
|
||||||
|
# security reasons. The directory MUST
|
||||||
|
# exist when the server starts.
|
||||||
|
#
|
||||||
|
# You should also delete all of the files
|
||||||
|
# in the directory when the server starts.
|
||||||
|
# tmpdir = /tmp/radiusd
|
||||||
|
|
||||||
|
# The command used to verify the client cert.
|
||||||
|
# We recommend using the OpenSSL command-line
|
||||||
|
# tool.
|
||||||
|
#
|
||||||
|
# The ${..CA_path} text is a reference to
|
||||||
|
# the CA_path variable defined above.
|
||||||
|
#
|
||||||
|
# The %{TLS-Client-Cert-Filename} is the name
|
||||||
|
# of the temporary file containing the cert
|
||||||
|
# in PEM format. This file is automatically
|
||||||
|
# deleted by the server when the command
|
||||||
|
# returns.
|
||||||
|
# client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# OCSP Configuration
|
||||||
|
# Certificates can be verified against an OCSP
|
||||||
|
# Responder. This makes it possible to immediately
|
||||||
|
# revoke certificates without the distribution of
|
||||||
|
# new Certificate Revokation Lists (CRLs).
|
||||||
|
#
|
||||||
|
ocsp {
|
||||||
|
#
|
||||||
|
# Enable it. The default is "no".
|
||||||
|
# Deleting the entire "ocsp" subsection
|
||||||
|
# Also disables ocsp checking
|
||||||
|
#
|
||||||
|
enable = no
|
||||||
|
|
||||||
|
#
|
||||||
|
# The OCSP Responder URL can be automatically
|
||||||
|
# extracted from the certificate in question.
|
||||||
|
# To override the OCSP Responder URL set
|
||||||
|
# "override_cert_url = yes".
|
||||||
|
#
|
||||||
|
override_cert_url = yes
|
||||||
|
|
||||||
|
#
|
||||||
|
# If the OCSP Responder address is not
|
||||||
|
# extracted from the certificate, the
|
||||||
|
# URL can be defined here.
|
||||||
|
|
||||||
|
#
|
||||||
|
# Limitation: Currently the HTTP
|
||||||
|
# Request is not sending the "Host: "
|
||||||
|
# information to the web-server. This
|
||||||
|
# can be a problem if the OCSP
|
||||||
|
# Responder is running as a vhost.
|
||||||
|
#
|
||||||
|
url = "http://127.0.0.1/ocsp/"
|
||||||
|
|
||||||
|
#
|
||||||
|
# If the OCSP Responder can not cope with nonce
|
||||||
|
# in the request, then it can be disabled here.
|
||||||
|
#
|
||||||
|
# For security reasons, disabling this option
|
||||||
|
# is not recommended as nonce protects against
|
||||||
|
# replay attacks.
|
||||||
|
#
|
||||||
|
# Note that Microsoft AD Certificate Services OCSP
|
||||||
|
# Responder does not enable nonce by default. It is
|
||||||
|
# more secure to enable nonce on the responder than
|
||||||
|
# to disable it in the query here.
|
||||||
|
# See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
|
||||||
|
#
|
||||||
|
# use_nonce = yes
|
||||||
|
|
||||||
|
#
|
||||||
|
# Number of seconds before giving up waiting
|
||||||
|
# for OCSP response. 0 uses system default.
|
||||||
|
#
|
||||||
|
# timeout = 0
|
||||||
|
|
||||||
|
#
|
||||||
|
# Normally an error in querying the OCSP
|
||||||
|
# responder (no response from server, server did
|
||||||
|
# not understand the request, etc) will result in
|
||||||
|
# a validation failure.
|
||||||
|
#
|
||||||
|
# To treat these errors as 'soft' failures and
|
||||||
|
# still accept the certificate, enable this
|
||||||
|
# option.
|
||||||
|
#
|
||||||
|
# Warning: this may enable clients with revoked
|
||||||
|
# certificates to connect if the OCSP responder
|
||||||
|
# is not available. Use with caution.
|
||||||
|
#
|
||||||
|
# softfail = no
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# The TTLS module implements the EAP-TTLS protocol,
|
||||||
|
# which can be described as EAP inside of Diameter,
|
||||||
|
# inside of TLS, inside of EAP, inside of RADIUS...
|
||||||
|
#
|
||||||
|
# Surprisingly, it works quite well.
|
||||||
|
#
|
||||||
|
# The TTLS module needs the TLS module to be installed
|
||||||
|
# and configured, in order to use the TLS tunnel
|
||||||
|
# inside of the EAP packet. You will still need to
|
||||||
|
# configure the TLS module, even if you do not want
|
||||||
|
# to deploy EAP-TLS in your network. Users will not
|
||||||
|
# be able to request EAP-TLS, as it requires them to
|
||||||
|
# have a client certificate. EAP-TTLS does not
|
||||||
|
# require a client certificate.
|
||||||
|
#
|
||||||
|
# You can make TTLS require a client cert by setting
|
||||||
|
#
|
||||||
|
# EAP-TLS-Require-Client-Cert = Yes
|
||||||
|
#
|
||||||
|
# in the control items for a request.
|
||||||
|
#
|
||||||
|
ttls {
|
||||||
|
# The tunneled EAP session needs a default
|
||||||
|
# EAP type which is separate from the one for
|
||||||
|
# the non-tunneled EAP module. Inside of the
|
||||||
|
# TTLS tunnel, we recommend using EAP-MD5.
|
||||||
|
# If the request does not contain an EAP
|
||||||
|
# conversation, then this configuration entry
|
||||||
|
# is ignored.
|
||||||
|
default_eap_type = md5
|
||||||
|
|
||||||
|
# The tunneled authentication request does
|
||||||
|
# not usually contain useful attributes
|
||||||
|
# like 'Calling-Station-Id', etc. These
|
||||||
|
# attributes are outside of the tunnel,
|
||||||
|
# and normally unavailable to the tunneled
|
||||||
|
# authentication request.
|
||||||
|
#
|
||||||
|
# By setting this configuration entry to
|
||||||
|
# 'yes', any attribute which NOT in the
|
||||||
|
# tunneled authentication request, but
|
||||||
|
# which IS available outside of the tunnel,
|
||||||
|
# is copied to the tunneled request.
|
||||||
|
#
|
||||||
|
# allowed values: {no, yes}
|
||||||
|
copy_request_to_tunnel = no
|
||||||
|
|
||||||
|
# The reply attributes sent to the NAS are
|
||||||
|
# usually based on the name of the user
|
||||||
|
# 'outside' of the tunnel (usually
|
||||||
|
# 'anonymous'). If you want to send the
|
||||||
|
# reply attributes based on the user name
|
||||||
|
# inside of the tunnel, then set this
|
||||||
|
# configuration entry to 'yes', and the reply
|
||||||
|
# to the NAS will be taken from the reply to
|
||||||
|
# the tunneled request.
|
||||||
|
#
|
||||||
|
# allowed values: {no, yes}
|
||||||
|
use_tunneled_reply = no
|
||||||
|
|
||||||
|
#
|
||||||
|
# The inner tunneled request can be sent
|
||||||
|
# through a virtual server constructed
|
||||||
|
# specifically for this purpose.
|
||||||
|
#
|
||||||
|
# If this entry is commented out, the inner
|
||||||
|
# tunneled request will be sent through
|
||||||
|
# the virtual server that processed the
|
||||||
|
# outer requests.
|
||||||
|
#
|
||||||
|
virtual_server = "inner-tunnel"
|
||||||
|
|
||||||
|
# This has the same meaning as the
|
||||||
|
# same field in the "tls" module, above.
|
||||||
|
# The default value here is "yes".
|
||||||
|
# include_length = yes
|
||||||
|
}
|
||||||
|
|
||||||
|
##################################################
|
||||||
|
#
|
||||||
|
# !!!!! WARNINGS for Windows compatibility !!!!!
|
||||||
|
#
|
||||||
|
##################################################
|
||||||
|
#
|
||||||
|
# If you see the server send an Access-Challenge,
|
||||||
|
# and the client never sends another Access-Request,
|
||||||
|
# then
|
||||||
|
#
|
||||||
|
# STOP!
|
||||||
|
#
|
||||||
|
# The server certificate has to have special OID's
|
||||||
|
# in it, or else the Microsoft clients will silently
|
||||||
|
# fail. See the "scripts/xpextensions" file for
|
||||||
|
# details, and the following page:
|
||||||
|
#
|
||||||
|
# http://support.microsoft.com/kb/814394/en-us
|
||||||
|
#
|
||||||
|
# For additional Windows XP SP2 issues, see:
|
||||||
|
#
|
||||||
|
# http://support.microsoft.com/kb/885453/en-us
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# If is still doesn't work, and you're using Samba,
|
||||||
|
# you may be encountering a Samba bug. See:
|
||||||
|
#
|
||||||
|
# https://bugzilla.samba.org/show_bug.cgi?id=6563
|
||||||
|
#
|
||||||
|
# Note that we do not necessarily agree with their
|
||||||
|
# explanation... but the fix does appear to work.
|
||||||
|
#
|
||||||
|
##################################################
|
||||||
|
|
||||||
|
#
|
||||||
|
# The tunneled EAP session needs a default EAP type
|
||||||
|
# which is separate from the one for the non-tunneled
|
||||||
|
# EAP module. Inside of the TLS/PEAP tunnel, we
|
||||||
|
# recommend using EAP-MS-CHAPv2.
|
||||||
|
#
|
||||||
|
# The PEAP module needs the TLS module to be installed
|
||||||
|
# and configured, in order to use the TLS tunnel
|
||||||
|
# inside of the EAP packet. You will still need to
|
||||||
|
# configure the TLS module, even if you do not want
|
||||||
|
# to deploy EAP-TLS in your network. Users will not
|
||||||
|
# be able to request EAP-TLS, as it requires them to
|
||||||
|
# have a client certificate. EAP-PEAP does not
|
||||||
|
# require a client certificate.
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# You can make PEAP require a client cert by setting
|
||||||
|
#
|
||||||
|
# EAP-TLS-Require-Client-Cert = Yes
|
||||||
|
#
|
||||||
|
# in the control items for a request.
|
||||||
|
#
|
||||||
|
peap {
|
||||||
|
# The tunneled EAP session needs a default
|
||||||
|
# EAP type which is separate from the one for
|
||||||
|
# the non-tunneled EAP module. Inside of the
|
||||||
|
# PEAP tunnel, we recommend using MS-CHAPv2,
|
||||||
|
# as that is the default type supported by
|
||||||
|
# Windows clients.
|
||||||
|
default_eap_type = mschapv2
|
||||||
|
|
||||||
|
# the PEAP module also has these configuration
|
||||||
|
# items, which are the same as for TTLS.
|
||||||
|
copy_request_to_tunnel = no
|
||||||
|
use_tunneled_reply = no
|
||||||
|
|
||||||
|
# When the tunneled session is proxied, the
|
||||||
|
# home server may not understand EAP-MSCHAP-V2.
|
||||||
|
# Set this entry to "no" to proxy the tunneled
|
||||||
|
# EAP-MSCHAP-V2 as normal MSCHAPv2.
|
||||||
|
# proxy_tunneled_request_as_eap = yes
|
||||||
|
|
||||||
|
#
|
||||||
|
# The inner tunneled request can be sent
|
||||||
|
# through a virtual server constructed
|
||||||
|
# specifically for this purpose.
|
||||||
|
#
|
||||||
|
# If this entry is commented out, the inner
|
||||||
|
# tunneled request will be sent through
|
||||||
|
# the virtual server that processed the
|
||||||
|
# outer requests.
|
||||||
|
#
|
||||||
|
virtual_server = "inner-tunnel"
|
||||||
|
|
||||||
|
# This option enables support for MS-SoH
|
||||||
|
# see doc/SoH.txt for more info.
|
||||||
|
# It is disabled by default.
|
||||||
|
#
|
||||||
|
# soh = yes
|
||||||
|
|
||||||
|
#
|
||||||
|
# The SoH reply will be turned into a request which
|
||||||
|
# can be sent to a specific virtual server:
|
||||||
|
#
|
||||||
|
# soh_virtual_server = "soh-server"
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# This takes no configuration.
|
||||||
|
#
|
||||||
|
# Note that it is the EAP MS-CHAPv2 sub-module, not
|
||||||
|
# the main 'mschap' module.
|
||||||
|
#
|
||||||
|
# Note also that in order for this sub-module to work,
|
||||||
|
# the main 'mschap' module MUST ALSO be configured.
|
||||||
|
#
|
||||||
|
# This module is the *Microsoft* implementation of MS-CHAPv2
|
||||||
|
# in EAP. There is another (incompatible) implementation
|
||||||
|
# of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
|
||||||
|
# currently support.
|
||||||
|
#
|
||||||
|
mschapv2 {
|
||||||
|
# Prior to version 2.1.11, the module never
|
||||||
|
# sent the MS-CHAP-Error message to the
|
||||||
|
# client. This worked, but it had issues
|
||||||
|
# when the cached password was wrong. The
|
||||||
|
# server *should* send "E=691 R=0" to the
|
||||||
|
# client, which tells it to prompt the user
|
||||||
|
# for a new password.
|
||||||
|
#
|
||||||
|
# The default is to behave as in 2.1.10 and
|
||||||
|
# earlier, which is known to work. If you
|
||||||
|
# set "send_error = yes", then the error
|
||||||
|
# message will be sent back to the client.
|
||||||
|
# This *may* help some clients work better,
|
||||||
|
# but *may* also cause other clients to stop
|
||||||
|
# working.
|
||||||
|
#
|
||||||
|
# send_error = no
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,450 @@
|
||||||
|
#
|
||||||
|
# This file contains the configuration for experimental modules.
|
||||||
|
#
|
||||||
|
# By default, it is NOT included in the build.
|
||||||
|
#
|
||||||
|
# $Id: 3db2f300329829b4810b00d3181f13bbac10ccd0 $
|
||||||
|
#
|
||||||
|
|
||||||
|
# Configuration for the Python module.
|
||||||
|
#
|
||||||
|
# Where radiusd is a Python module, radiusd.py, and the
|
||||||
|
# function 'authorize' is called. Here is a dummy piece
|
||||||
|
# of code:
|
||||||
|
#
|
||||||
|
# def authorize(params):
|
||||||
|
# print params
|
||||||
|
# return (5, ('Reply-Message', 'banned'))
|
||||||
|
#
|
||||||
|
# The RADIUS value-pairs are passed as a tuple of tuple
|
||||||
|
# pairs as the first argument, e.g. (('attribute1',
|
||||||
|
# 'value1'), ('attribute2', 'value2'))
|
||||||
|
#
|
||||||
|
# The function return is a tuple with the first element
|
||||||
|
# being the return value of the function.
|
||||||
|
# The 5 corresponds to RLM_MODULE_USERLOCK. I plan to
|
||||||
|
# write the return values as Python symbols to avoid
|
||||||
|
# confusion.
|
||||||
|
#
|
||||||
|
# The remaining tuple members are the string form of
|
||||||
|
# value-pairs which are passed on to pairmake().
|
||||||
|
#
|
||||||
|
python {
|
||||||
|
mod_instantiate = radiusd_test
|
||||||
|
func_instantiate = instantiate
|
||||||
|
|
||||||
|
mod_authorize = radiusd_test
|
||||||
|
func_authorize = authorize
|
||||||
|
|
||||||
|
mod_accounting = radiusd_test
|
||||||
|
func_accounting = accounting
|
||||||
|
|
||||||
|
mod_pre_proxy = radiusd_test
|
||||||
|
func_pre_proxy = pre_proxy
|
||||||
|
|
||||||
|
mod_post_proxy = radiusd_test
|
||||||
|
func_post_proxy = post_proxy
|
||||||
|
|
||||||
|
mod_post_auth = radiusd_test
|
||||||
|
func_post_auth = post_auth
|
||||||
|
|
||||||
|
mod_recv_coa = radiusd_test
|
||||||
|
func_recv_coa = recv_coa
|
||||||
|
|
||||||
|
mod_send_coa = radiusd_test
|
||||||
|
func_send_coa = send_coa
|
||||||
|
|
||||||
|
mod_detach = radiusd_test
|
||||||
|
func_detach = detach
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Configuration for the example module. Uncommenting it will cause it
|
||||||
|
# to get loaded and initialized, but should have no real effect as long
|
||||||
|
# it is not referencened in one of the autz/auth/preacct/acct sections
|
||||||
|
example {
|
||||||
|
# Boolean variable.
|
||||||
|
# allowed values: {no, yes}
|
||||||
|
boolean = yes
|
||||||
|
|
||||||
|
# An integer, of any value.
|
||||||
|
integer = 16
|
||||||
|
|
||||||
|
# A string.
|
||||||
|
string = "This is an example configuration string"
|
||||||
|
|
||||||
|
# An IP address, either in dotted quad (1.2.3.4) or hostname
|
||||||
|
# (example.com)
|
||||||
|
ipaddr = 127.0.0.1
|
||||||
|
|
||||||
|
# A subsection
|
||||||
|
mysubsection {
|
||||||
|
anotherinteger = 1000
|
||||||
|
# They nest
|
||||||
|
deeply nested {
|
||||||
|
string = "This is a different string"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# To create a dbm users file, do:
|
||||||
|
#
|
||||||
|
# cat test.users | rlm_dbm_parser -f /etc/raddb/users_db
|
||||||
|
#
|
||||||
|
# Then add 'dbm' in 'authorize' section.
|
||||||
|
#
|
||||||
|
# Note that even if the file has a ".db" or ".dbm" extension,
|
||||||
|
# you may have to specify it here without that extension. This
|
||||||
|
# is because the DBM libraries "helpfully" add a ".db" to the
|
||||||
|
# filename, but don't check if it's already there.
|
||||||
|
#
|
||||||
|
dbm {
|
||||||
|
usersfile = ${confdir}/users_db
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Perform NT-Domain authentication. This only works
|
||||||
|
# with PAP authentication. That is, Authentication-Request
|
||||||
|
# packets containing a User-Password attribute.
|
||||||
|
#
|
||||||
|
# To use it, add 'smb' into the 'authenticate' section,
|
||||||
|
# and then in another module (usually the 'users' file),
|
||||||
|
# set 'Auth-Type := SMB'
|
||||||
|
#
|
||||||
|
# WARNING: this module is not only experimental, it's also
|
||||||
|
# a security threat. It's not recommended to use it until
|
||||||
|
# it gets fixed.
|
||||||
|
#
|
||||||
|
smb {
|
||||||
|
server = ntdomain.server.example.com
|
||||||
|
backup = backup.server.example.com
|
||||||
|
domain = NTDOMAIN
|
||||||
|
}
|
||||||
|
|
||||||
|
# See doc/rlm_fastusers before using this
|
||||||
|
# module or changing these values.
|
||||||
|
#
|
||||||
|
fastusers {
|
||||||
|
usersfile = ${confdir}/users_fast
|
||||||
|
hashsize = 1000
|
||||||
|
compat = no
|
||||||
|
# Reload the hash every 600 seconds (10mins)
|
||||||
|
hash_reload = 600
|
||||||
|
}
|
||||||
|
|
||||||
|
# Caching module
|
||||||
|
#
|
||||||
|
# Should be added in the post-auth section (after all other modules)
|
||||||
|
# and in the authorize section (before any other modules)
|
||||||
|
#
|
||||||
|
# authorize {
|
||||||
|
# caching {
|
||||||
|
# ok = return
|
||||||
|
# }
|
||||||
|
# [... other modules ...]
|
||||||
|
# }
|
||||||
|
# post-auth {
|
||||||
|
# [... other modules ...]
|
||||||
|
# caching
|
||||||
|
# }
|
||||||
|
#
|
||||||
|
# The caching module will cache the Auth-Type and reply items
|
||||||
|
# and send them back on any subsequent requests for the same key
|
||||||
|
#
|
||||||
|
# Configuration:
|
||||||
|
#
|
||||||
|
# filename: The gdbm file to use for the cache database
|
||||||
|
# (can be memory mapped for more speed)
|
||||||
|
#
|
||||||
|
# key: A string to xlat and use as a key. For instance,
|
||||||
|
# "%{Acct-Unique-Session-Id}"
|
||||||
|
#
|
||||||
|
# post-auth: If we find a cached entry, set the post-auth to that value
|
||||||
|
#
|
||||||
|
# cache-ttl: The time to cache the entry. The same time format
|
||||||
|
# as the counter module apply here.
|
||||||
|
# num[hdwm] where:
|
||||||
|
# h: hours, d: days, w: weeks, m: months
|
||||||
|
# If the letter is ommited days will be assumed.
|
||||||
|
# e.g. 1d == one day
|
||||||
|
#
|
||||||
|
# cache-size: The gdbm cache size to request (default 1000)
|
||||||
|
#
|
||||||
|
# hit-ratio: If set to non-zero we print out statistical
|
||||||
|
# information after so many cache requests
|
||||||
|
#
|
||||||
|
# cache-rejects: Do we also cache rejects, or not? (default 'yes')
|
||||||
|
#
|
||||||
|
caching {
|
||||||
|
filename = ${db_dir}/db.cache
|
||||||
|
cache-ttl = 1d
|
||||||
|
hit-ratio = 1000
|
||||||
|
key = "%{Acct-Unique-Session-Id}"
|
||||||
|
#post-auth = ""
|
||||||
|
# cache-size = 2000
|
||||||
|
# cache-rejects = yes
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Simple module for logging of Account packets to radiusd.log
|
||||||
|
# You need to declare it in the accounting section for it to work
|
||||||
|
acctlog {
|
||||||
|
acctlog_update = ""
|
||||||
|
acctlog_start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})"
|
||||||
|
acctlog_stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds"
|
||||||
|
acctlog_on = "NAS %C (%{NAS-IP-Address}) just came online"
|
||||||
|
acctlog_off = "NAS %C (%{NAS-IP-Address}) just went offline"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Another implementation of the EAP module.
|
||||||
|
#
|
||||||
|
# This module requires the libeap.so file from the hostap
|
||||||
|
# software (http://hostap.epitest.fi/hostapd/). It has been
|
||||||
|
# tested on the development version of hostapd (0.6.1) ONLY.
|
||||||
|
#
|
||||||
|
# In order to use it, you MUST build a "libeap.so" in hostapd,
|
||||||
|
# which is not done by default.
|
||||||
|
#
|
||||||
|
# You MUST also edit the file: src/modules/rlm_eap2/Makefile
|
||||||
|
# to point to the location of the hostap include files.
|
||||||
|
#
|
||||||
|
# This module CANNOT be used in the same way as the current
|
||||||
|
# FreeRADIUS "eap" module. There is NO way to look inside of
|
||||||
|
# a tunneled request. There is NO way to proxy a tunneled
|
||||||
|
# request. There is NO way to even look at the user name inside
|
||||||
|
# of the tunneled request. There is NO way to control the
|
||||||
|
# choice of EAP types inside of the tunnel. You MUST force
|
||||||
|
# the server to choose "eap2" for authentication, because this
|
||||||
|
# module has no "authorize" section.
|
||||||
|
#
|
||||||
|
# If you want to use this module for experimentation, please
|
||||||
|
# post your comments to the freeradius-devel list:
|
||||||
|
#
|
||||||
|
# http://lists.freeradius.org/mailman/listinfo/freeradius-devel
|
||||||
|
#
|
||||||
|
# If you want to use this module in a production (i.e. real-world)
|
||||||
|
# environment:
|
||||||
|
#
|
||||||
|
# !!! DO NOT USE IT IN A PRODUCTION ENVIRONMENT !!!
|
||||||
|
#
|
||||||
|
# The module needs additional work to make it ready for
|
||||||
|
# production use.. Please supply patches, or sponsor the
|
||||||
|
# work by hiring a developer. Do NOT ask when the work will
|
||||||
|
# be done, because there is no plan to finish this module
|
||||||
|
# unless there is demand for it.
|
||||||
|
#
|
||||||
|
eap2 {
|
||||||
|
# EAP types are chosen in the order that they are
|
||||||
|
# listed in this section. There is no "default_eap_type"
|
||||||
|
# as with rlm_eap. Instead, the *first* EAP type is
|
||||||
|
# used as the default type.
|
||||||
|
#
|
||||||
|
peap {
|
||||||
|
}
|
||||||
|
|
||||||
|
ttls {
|
||||||
|
}
|
||||||
|
|
||||||
|
# This is the ONLY EAP type that has any configuration.
|
||||||
|
# All other EAP types have no configuration.
|
||||||
|
#
|
||||||
|
tls {
|
||||||
|
ca_cert = ${confdir}/certs/ca.pem
|
||||||
|
server_cert = ${confdir}/certs/server.pem
|
||||||
|
private_key_file = ${confdir}/certs/server.pem
|
||||||
|
private_key_password = whatever
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# These next two methods do not supply keying material.
|
||||||
|
#
|
||||||
|
md5 {
|
||||||
|
}
|
||||||
|
|
||||||
|
mschapv2 {
|
||||||
|
}
|
||||||
|
|
||||||
|
fast {
|
||||||
|
pac_opaque_encr_key = 000102030405060708090a0b0c0d0e0f
|
||||||
|
eap_fast_a_id = xxxxxx
|
||||||
|
eap_fast_a_id_info = my_server
|
||||||
|
eap_fast_prov = 3
|
||||||
|
pac_key_lifetime = 604800 # 7 days
|
||||||
|
pac_key_refresh_tim = 86400
|
||||||
|
}
|
||||||
|
|
||||||
|
# LEAP is NOT supported by this module.
|
||||||
|
# Use the "eap" module instead.
|
||||||
|
|
||||||
|
# For other methods that MIGHT work, see the
|
||||||
|
# configuration of hostap. The methods are statically
|
||||||
|
# linked in at compile time, and cannot be controlled
|
||||||
|
# here.
|
||||||
|
}
|
||||||
|
|
||||||
|
# Configuration for experimental EAP types. The sub-sections
|
||||||
|
# can be copied into eap.conf.
|
||||||
|
eap {
|
||||||
|
ikev2 {
|
||||||
|
|
||||||
|
# Server auth type
|
||||||
|
# Allowed values are:
|
||||||
|
# cert - for certificate based server authentication,
|
||||||
|
# other required settings for this type are
|
||||||
|
# 'private_key_file' and 'certificate_file'
|
||||||
|
# secret - for shared secret based server authentication,
|
||||||
|
# other required settings for this type is 'id'
|
||||||
|
# Default value of this option is 'secret'
|
||||||
|
# server_authtype=cert
|
||||||
|
|
||||||
|
# Allowed default client auth types
|
||||||
|
# Allowed values are:
|
||||||
|
# secret - for shared secret based client authentication
|
||||||
|
# cert - for certificate based client authentication
|
||||||
|
# both - shared secret and certificate is allowed
|
||||||
|
# none - authentication will always fail
|
||||||
|
# Default value for this option is 'both'. This option could
|
||||||
|
# be overwritten within 'usersfile' file by EAP-IKEv2-Auth
|
||||||
|
# option.
|
||||||
|
# default_authtype = both
|
||||||
|
|
||||||
|
# path to trusted CA certificate file
|
||||||
|
CA_file="/path/to/CA/cacert.pem"
|
||||||
|
|
||||||
|
# path to CRL file, if not set, then there will be no
|
||||||
|
# checks against CRL
|
||||||
|
# crl_file="/path/to/crl.pem"
|
||||||
|
|
||||||
|
# path to file with user settings
|
||||||
|
#
|
||||||
|
# Note that this file is read ONLY on module initialization!
|
||||||
|
#
|
||||||
|
# default ${confdir}/eap_ikev2_users
|
||||||
|
# usersfile=${confdir}/eap_ikev2_users
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sample "eap_ikev2_users" file entry:
|
||||||
|
#
|
||||||
|
#username EAP-IKEv2-IDType := KEY_ID, EAP-IKEv2-Secret := "tajne"
|
||||||
|
|
||||||
|
## where:
|
||||||
|
## username - client user name from IKE-AUTH (IDr) or CommonName
|
||||||
|
## from x509 certificate
|
||||||
|
## EAP-IKEv2-IDType - ID Type - same as in expected IDType payload
|
||||||
|
## allowable attributes for EAP-IKEv2-IDType:
|
||||||
|
## IPV4_ADDR FQDN RFC822_ADDR IPV6_ADDR DER_ASN1_DN
|
||||||
|
## DER_ASN1_GN KEY_ID
|
||||||
|
## EAP-IKEv2-Secret - shared secret
|
||||||
|
## EAP-IKEv2-AuthType - optional parameter which defines expected client auth
|
||||||
|
## type. Allowed values are: secret,cert,both,none.
|
||||||
|
## For the meaning of this values, please see the
|
||||||
|
## description of 'default_authtype'.
|
||||||
|
## This attribute can overwrite 'default_authtype' value.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# path to file with server private key
|
||||||
|
private_key_file="/path/to/srv-private-key.pem"
|
||||||
|
|
||||||
|
# password to private key file
|
||||||
|
private_key_password="passwd"
|
||||||
|
|
||||||
|
# path to file with server certificate
|
||||||
|
certificate_file="/path/to/srv-cert.pem"
|
||||||
|
|
||||||
|
# server identity string
|
||||||
|
id="deMaio"
|
||||||
|
|
||||||
|
# Server identity type. Allowed values are:
|
||||||
|
# IPV4_ADDR, FQDN, RFC822_ADDR, IPV6_ADDR, ASN1_DN, ASN1_GN,
|
||||||
|
# KEY_ID
|
||||||
|
# Default value is: KEY_ID
|
||||||
|
# id_type = KEY_ID
|
||||||
|
|
||||||
|
|
||||||
|
# MTU (default: 1398)
|
||||||
|
# fragment_size = 1398
|
||||||
|
|
||||||
|
# maximal allowed number of resends SA_INIT after receiving
|
||||||
|
# 'invalid KEY' notification (default 3)
|
||||||
|
# DH_counter_max = 3
|
||||||
|
|
||||||
|
# option which is used to control whenever send CERT REQ
|
||||||
|
# payload or not.
|
||||||
|
# Allowed values for this option are "yes" or "no".
|
||||||
|
#Default value is "no".
|
||||||
|
# certreq = "yes"
|
||||||
|
|
||||||
|
# option which cotrols fast reconnect capability.
|
||||||
|
# Allowed valuse for this option are "yes" or "no".
|
||||||
|
# Default value is "yes".
|
||||||
|
# enable_fast_reauth = "no"
|
||||||
|
|
||||||
|
# option which is used to control performing of DH exchange
|
||||||
|
# during fast rekeying protocol run.
|
||||||
|
# Allowed values for this option are "yes" or "no".
|
||||||
|
# Default value is "no"
|
||||||
|
# fast_DH_exchange = "yes"
|
||||||
|
|
||||||
|
# Option which is used to set up expiration time of inactive
|
||||||
|
# IKEv2 session.
|
||||||
|
# After selected period of time (in seconds), inactive
|
||||||
|
# session data will be deleted.
|
||||||
|
# Default value of this option is set to 900 seconds
|
||||||
|
# fast_timer_expire = 900
|
||||||
|
|
||||||
|
# list of server proposals of available cryptographic
|
||||||
|
# suites
|
||||||
|
proposals {
|
||||||
|
# proposal number #1
|
||||||
|
proposal {
|
||||||
|
|
||||||
|
# Supported transforms types: encryption,
|
||||||
|
# prf, integrity, dhgroup. For multiple
|
||||||
|
# transforms just simple repeat key (i.e.
|
||||||
|
# integity).
|
||||||
|
|
||||||
|
# encryption algorithm
|
||||||
|
# supported algorithms:
|
||||||
|
# null,3des,aes_128_cbc,aes_192_cbc,
|
||||||
|
# aes_256_cbc,idea
|
||||||
|
# blowfish:n, where n range from 8 to 448 bits,
|
||||||
|
# step 8 bits
|
||||||
|
# cast:n, where n range from 40 to 128 bits,
|
||||||
|
# step 8 bits
|
||||||
|
encryption = 3des
|
||||||
|
|
||||||
|
# pseudo random function. Supported prf's:
|
||||||
|
# hmac_md5, hmac_sha1, hmac_tiger
|
||||||
|
prf = hmac_sha1
|
||||||
|
|
||||||
|
# integrity algorithm. Supported algorithms:
|
||||||
|
# hmac_md5_96, hmac_sha1_96,des_mac
|
||||||
|
integrity = hmac_sha1_96
|
||||||
|
integrity = hmac_md5_96
|
||||||
|
|
||||||
|
# Diffie-Hellman groups:
|
||||||
|
# modp768, modp1024, modp1536, modp2048,
|
||||||
|
# modp3072, modp4096, modp6144, modp8192
|
||||||
|
dhgroup = modp2048
|
||||||
|
}
|
||||||
|
|
||||||
|
# proposal number #2
|
||||||
|
proposal {
|
||||||
|
encryption = 3des
|
||||||
|
prf = hmac_md5
|
||||||
|
integrity = hmac_md5_96
|
||||||
|
dhgroup = modp1024
|
||||||
|
}
|
||||||
|
|
||||||
|
# proposal number #3
|
||||||
|
proposal {
|
||||||
|
encryption=3des
|
||||||
|
prf=hmac_md5
|
||||||
|
integrity=hmac_md5_96
|
||||||
|
dhgroup=modp2048
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,77 @@
|
||||||
|
# hints
|
||||||
|
#
|
||||||
|
# The hints file. This file is used to match
|
||||||
|
# a request, and then add attributes to it. This
|
||||||
|
# process allows a user to login as "bob.ppp" (for example),
|
||||||
|
# and receive a PPP connection, even if the NAS doesn't
|
||||||
|
# ask for PPP. The "hints" file is used to match the
|
||||||
|
# ".ppp" portion of the username, and to add a set of
|
||||||
|
# "user requested PPP" attributes to the request.
|
||||||
|
#
|
||||||
|
# Matching can take place with the the Prefix and Suffix
|
||||||
|
# attributes, just like in the "users" file.
|
||||||
|
# These attributes operate ONLY on the username, though.
|
||||||
|
#
|
||||||
|
# Note that the attributes that are set for each
|
||||||
|
# entry are _NOT_ passed back to the terminal server.
|
||||||
|
# Instead they are added to the information that has
|
||||||
|
# been _SENT_ by the terminal server.
|
||||||
|
#
|
||||||
|
# This extra information can be used in the users file to
|
||||||
|
# match on. Usually this is done in the DEFAULT entries,
|
||||||
|
# of which there can be more than one.
|
||||||
|
#
|
||||||
|
# In addition a matching entry can transform a username
|
||||||
|
# for authentication purposes if the "Strip-User-Name"
|
||||||
|
# variable is set to Yes in an entry (default is Yes).
|
||||||
|
#
|
||||||
|
# A special non-protocol name-value pair called "Hint"
|
||||||
|
# can be set to match on in the "users" file.
|
||||||
|
#
|
||||||
|
# The following is how most ISPs want to set this up.
|
||||||
|
#
|
||||||
|
# Version: $Id: f92ffb9f1e5bd0509b2e0e5e015001fda52bdfc3 $
|
||||||
|
#
|
||||||
|
|
||||||
|
|
||||||
|
DEFAULT Suffix == ".ppp", Strip-User-Name = Yes
|
||||||
|
Hint = "PPP",
|
||||||
|
Service-Type = Framed-User,
|
||||||
|
Framed-Protocol = PPP
|
||||||
|
|
||||||
|
DEFAULT Suffix == ".slip", Strip-User-Name = Yes
|
||||||
|
Hint = "SLIP",
|
||||||
|
Service-Type = Framed-User,
|
||||||
|
Framed-Protocol = SLIP
|
||||||
|
|
||||||
|
DEFAULT Suffix == ".cslip", Strip-User-Name = Yes
|
||||||
|
Hint = "CSLIP",
|
||||||
|
Service-Type = Framed-User,
|
||||||
|
Framed-Protocol = SLIP,
|
||||||
|
Framed-Compression = Van-Jacobson-TCP-IP
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# These entries are old, and commented out by default.
|
||||||
|
# They confuse too many people when "Peter" logs in, and the
|
||||||
|
# server thinks that the user "eter" is asking for PPP.
|
||||||
|
#
|
||||||
|
#DEFAULT Prefix == "U", Strip-User-Name = No
|
||||||
|
# Hint = "UUCP"
|
||||||
|
|
||||||
|
#DEFAULT Prefix == "P", Strip-User-Name = Yes
|
||||||
|
# Hint = "PPP",
|
||||||
|
# Service-Type = Framed-User,
|
||||||
|
# Framed-Protocol = PPP
|
||||||
|
|
||||||
|
#DEFAULT Prefix == "S", Strip-User-Name = Yes
|
||||||
|
# Hint = "SLIP",
|
||||||
|
# Service-Type = Framed-User,
|
||||||
|
# Framed-Protocol = SLIP
|
||||||
|
|
||||||
|
#DEFAULT Prefix == "C", Strip-User-Name = Yes
|
||||||
|
# Hint = "CSLIP",
|
||||||
|
# Service-Type = Framed-User,
|
||||||
|
# Framed-Protocol = SLIP,
|
||||||
|
# Framed-Compression = Van-Jacobson-TCP-IP
|
||||||
|
|
|
@ -0,0 +1,46 @@
|
||||||
|
#
|
||||||
|
# huntgroups This file defines the `huntgroups' that you have. A
|
||||||
|
# huntgroup is defined by specifying the IP address of
|
||||||
|
# the NAS and possibly a port range. Port can be identified
|
||||||
|
# as just one port, or a range (from-to), and multiple ports
|
||||||
|
# or ranges of ports must be seperated by a comma. For
|
||||||
|
# example: 1,2,3-8
|
||||||
|
#
|
||||||
|
# Matching is done while RADIUS scans the user file; if it
|
||||||
|
# includes the selection criterium "Huntgroup-Name == XXX"
|
||||||
|
# the huntgroup is looked up in this file to see if it
|
||||||
|
# matches. There can be multiple definitions of the same
|
||||||
|
# huntgroup; the first one that matches will be used.
|
||||||
|
#
|
||||||
|
# This file can also be used to define restricted access
|
||||||
|
# to certain huntgroups. The second and following lines
|
||||||
|
# define the access restrictions (based on username and
|
||||||
|
# UNIX usergroup) for the huntgroup.
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# Our POP in Alphen a/d Rijn has 3 terminal servers. Create a Huntgroup-Name
|
||||||
|
# called Alphen that matches on all three terminal servers.
|
||||||
|
#
|
||||||
|
#alphen NAS-IP-Address == 192.168.2.5
|
||||||
|
#alphen NAS-IP-Address == 192.168.2.6
|
||||||
|
#alphen NAS-IP-Address == 192.168.2.7
|
||||||
|
|
||||||
|
#
|
||||||
|
# The POP in Delft consists of only one terminal server.
|
||||||
|
#
|
||||||
|
#delft NAS-IP-Address == 192.168.3.5
|
||||||
|
|
||||||
|
#
|
||||||
|
# Ports 0-7 on the first terminal server in Alphen are connected to
|
||||||
|
# a huntgroup that is for business users only. Note that only one
|
||||||
|
# of the username or groupname has to match to get access (OR/OR).
|
||||||
|
#
|
||||||
|
# Note that this huntgroup is a subset of the "alphen" huntgroup.
|
||||||
|
#
|
||||||
|
#business NAS-IP-Address == 192.168.2.5, NAS-Port-Id == 0-7
|
||||||
|
# User-Name = rogerl,
|
||||||
|
# User-Name = henks,
|
||||||
|
# Group = business,
|
||||||
|
# Group = staff
|
||||||
|
|
|
@ -0,0 +1,76 @@
|
||||||
|
#
|
||||||
|
# Mapping of RADIUS dictionary attributes to LDAP directory attributes
|
||||||
|
# to be used by LDAP authentication and authorization module (rlm_ldap)
|
||||||
|
#
|
||||||
|
# Format:
|
||||||
|
# ItemType RADIUS-Attribute-Name ldapAttributeName [operator]
|
||||||
|
#
|
||||||
|
# Where:
|
||||||
|
# ItemType = checkItem or replyItem
|
||||||
|
# RADIUS-Attribute-Name = attribute name in RADIUS dictionary
|
||||||
|
# ldapAttributeName = attribute name in LDAP schema
|
||||||
|
# operator = optional, and may not be present.
|
||||||
|
# If not present, defaults to "==" for checkItems,
|
||||||
|
# and "=" for replyItems.
|
||||||
|
# If present, the operator here should be one
|
||||||
|
# of the same operators as defined in the "users"3
|
||||||
|
# file ("man users", or "man 5 users").
|
||||||
|
# If an operator is present in the value of the
|
||||||
|
# LDAP entry (i.e. ":=foo"), then it over-rides
|
||||||
|
# both the default, and any operator given here.
|
||||||
|
#
|
||||||
|
# If $GENERIC$ is specified as RADIUS-Attribute-Name, the line specifies
|
||||||
|
# a LDAP attribute which can be used to store any RADIUS
|
||||||
|
# attribute/value-pair in LDAP directory.
|
||||||
|
#
|
||||||
|
# You should edit this file to suit it to your needs.
|
||||||
|
#
|
||||||
|
|
||||||
|
checkItem $GENERIC$ radiusCheckItem
|
||||||
|
replyItem $GENERIC$ radiusReplyItem
|
||||||
|
|
||||||
|
checkItem Auth-Type radiusAuthType
|
||||||
|
checkItem Simultaneous-Use radiusSimultaneousUse
|
||||||
|
checkItem Called-Station-Id radiusCalledStationId
|
||||||
|
checkItem Calling-Station-Id radiusCallingStationId
|
||||||
|
checkItem LM-Password lmPassword
|
||||||
|
checkItem NT-Password ntPassword
|
||||||
|
checkItem LM-Password sambaLmPassword
|
||||||
|
checkItem NT-Password sambaNtPassword
|
||||||
|
checkItem LM-Password dBCSPwd
|
||||||
|
checkitem Password-With-Header userPassword
|
||||||
|
checkItem SMB-Account-CTRL-TEXT acctFlags
|
||||||
|
checkItem Expiration radiusExpiration
|
||||||
|
checkItem NAS-IP-Address radiusNASIpAddress
|
||||||
|
|
||||||
|
replyItem Service-Type radiusServiceType
|
||||||
|
replyItem Framed-Protocol radiusFramedProtocol
|
||||||
|
replyItem Framed-IP-Address radiusFramedIPAddress
|
||||||
|
replyItem Framed-IP-Netmask radiusFramedIPNetmask
|
||||||
|
replyItem Framed-Route radiusFramedRoute
|
||||||
|
replyItem Framed-Routing radiusFramedRouting
|
||||||
|
replyItem Filter-Id radiusFilterId
|
||||||
|
replyItem Framed-MTU radiusFramedMTU
|
||||||
|
replyItem Framed-Compression radiusFramedCompression
|
||||||
|
replyItem Login-IP-Host radiusLoginIPHost
|
||||||
|
replyItem Login-Service radiusLoginService
|
||||||
|
replyItem Login-TCP-Port radiusLoginTCPPort
|
||||||
|
replyItem Callback-Number radiusCallbackNumber
|
||||||
|
replyItem Callback-Id radiusCallbackId
|
||||||
|
replyItem Framed-IPX-Network radiusFramedIPXNetwork
|
||||||
|
replyItem Class radiusClass
|
||||||
|
replyItem Session-Timeout radiusSessionTimeout
|
||||||
|
replyItem Idle-Timeout radiusIdleTimeout
|
||||||
|
replyItem Termination-Action radiusTerminationAction
|
||||||
|
replyItem Login-LAT-Service radiusLoginLATService
|
||||||
|
replyItem Login-LAT-Node radiusLoginLATNode
|
||||||
|
replyItem Login-LAT-Group radiusLoginLATGroup
|
||||||
|
replyItem Framed-AppleTalk-Link radiusFramedAppleTalkLink
|
||||||
|
replyItem Framed-AppleTalk-Network radiusFramedAppleTalkNetwork
|
||||||
|
replyItem Framed-AppleTalk-Zone radiusFramedAppleTalkZone
|
||||||
|
replyItem Port-Limit radiusPortLimit
|
||||||
|
replyItem Login-LAT-Port radiusLoginLATPort
|
||||||
|
replyItem Reply-Message radiusReplyMessage
|
||||||
|
replyItem Tunnel-Type radiusTunnelType
|
||||||
|
replyItem Tunnel-Medium-Type radiusTunnelMediumType
|
||||||
|
replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId
|
|
@ -0,0 +1,17 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: cfd89eb1bf690b605892969ebd922e6885f24fcc $
|
||||||
|
|
||||||
|
#
|
||||||
|
# Create a unique accounting session Id. Many NASes re-use
|
||||||
|
# or repeat values for Acct-Session-Id, causing no end of
|
||||||
|
# confusion.
|
||||||
|
#
|
||||||
|
# This module will add a (probably) unique session id
|
||||||
|
# to an accounting packet based on the attributes listed
|
||||||
|
# below found in the packet. See doc/rlm_acct_unique for
|
||||||
|
# more information.
|
||||||
|
#
|
||||||
|
acct_unique {
|
||||||
|
key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
|
||||||
|
}
|
|
@ -0,0 +1,31 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: c28187f05d4f0416442203b016feb7e2b818716f $
|
||||||
|
|
||||||
|
#
|
||||||
|
# The "always" module is here for debugging purposes. Each
|
||||||
|
# instance simply returns the same result, always, without
|
||||||
|
# doing anything.
|
||||||
|
always fail {
|
||||||
|
rcode = fail
|
||||||
|
}
|
||||||
|
always reject {
|
||||||
|
rcode = reject
|
||||||
|
}
|
||||||
|
always noop {
|
||||||
|
rcode = noop
|
||||||
|
}
|
||||||
|
always handled {
|
||||||
|
rcode = handled
|
||||||
|
}
|
||||||
|
always updated {
|
||||||
|
rcode = updated
|
||||||
|
}
|
||||||
|
always notfound {
|
||||||
|
rcode = notfound
|
||||||
|
}
|
||||||
|
always ok {
|
||||||
|
rcode = ok
|
||||||
|
simulcount = 0
|
||||||
|
mpp = no
|
||||||
|
}
|
|
@ -0,0 +1,48 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: acb28a9c587526a22f9310ade21d6a480a0bfe28 $
|
||||||
|
|
||||||
|
#
|
||||||
|
# This file defines a number of instances of the "attr_filter" module.
|
||||||
|
#
|
||||||
|
|
||||||
|
# attr_filter - filters the attributes received in replies from
|
||||||
|
# proxied servers, to make sure we send back to our RADIUS client
|
||||||
|
# only allowed attributes.
|
||||||
|
attr_filter attr_filter.post-proxy {
|
||||||
|
attrsfile = ${confdir}/attrs
|
||||||
|
}
|
||||||
|
|
||||||
|
# attr_filter - filters the attributes in the packets we send to
|
||||||
|
# the RADIUS home servers.
|
||||||
|
attr_filter attr_filter.pre-proxy {
|
||||||
|
attrsfile = ${confdir}/attrs.pre-proxy
|
||||||
|
}
|
||||||
|
|
||||||
|
# Enforce RFC requirements on the contents of Access-Reject
|
||||||
|
# packets. See the comments at the top of the file for
|
||||||
|
# more details.
|
||||||
|
#
|
||||||
|
attr_filter attr_filter.access_reject {
|
||||||
|
key = %{User-Name}
|
||||||
|
attrsfile = ${confdir}/attrs.access_reject
|
||||||
|
}
|
||||||
|
|
||||||
|
# Enforce RFC requirements on the contents of Access-Reject
|
||||||
|
# packets. See the comments at the top of the file for
|
||||||
|
# more details.
|
||||||
|
#
|
||||||
|
attr_filter attr_filter.access_challenge {
|
||||||
|
key = %{User-Name}
|
||||||
|
attrsfile = ${confdir}/attrs.access_challenge
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Enforce RFC requirements on the contents of the
|
||||||
|
# Accounting-Response packets. See the comments at the
|
||||||
|
# top of the file for more details.
|
||||||
|
#
|
||||||
|
attr_filter attr_filter.accounting_response {
|
||||||
|
key = %{User-Name}
|
||||||
|
attrsfile = ${confdir}/attrs.accounting_response
|
||||||
|
}
|
|
@ -0,0 +1,46 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 8fb93224288061781980a156d541f5283abee1a0 $
|
||||||
|
|
||||||
|
# rewrite arbitrary packets. Useful in accounting and authorization.
|
||||||
|
#
|
||||||
|
# As of 2.0, much of the functionality of this module is in "unlang".
|
||||||
|
# You should probably investigate using that before trying to use
|
||||||
|
# the "attr_rewrite" module.
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# The module can also use the Rewrite-Rule attribute. If it
|
||||||
|
# is set and matches the name of the module instance, then
|
||||||
|
# that module instance will be the only one which runs.
|
||||||
|
#
|
||||||
|
# Also if new_attribute is set to yes then a new attribute
|
||||||
|
# will be created containing the value replacewith and it
|
||||||
|
# will be added to searchin (packet, reply, proxy,
|
||||||
|
# proxy_reply or config).
|
||||||
|
#
|
||||||
|
# searchfor,ignore_case and max_matches will be ignored in that case.
|
||||||
|
#
|
||||||
|
# Backreferences are supported.
|
||||||
|
# %{0} will contain the string the whole match
|
||||||
|
# %{1} to %{8} will contain the contents of the 1st to
|
||||||
|
# the 8th parentheses
|
||||||
|
#
|
||||||
|
# If max_matches is greater than one, the backreferences will
|
||||||
|
# correspond to the first attributed that matched.
|
||||||
|
|
||||||
|
#
|
||||||
|
attr_rewrite sanecallerid {
|
||||||
|
attribute = Called-Station-Id
|
||||||
|
# may be "packet", "reply", "proxy", "proxy_reply" or "config"
|
||||||
|
searchin = packet
|
||||||
|
searchfor = "[+ ]"
|
||||||
|
replacewith = ""
|
||||||
|
ignore_case = no
|
||||||
|
new_attribute = no
|
||||||
|
max_matches = 10
|
||||||
|
|
||||||
|
## If set to yes then the replace string will be
|
||||||
|
## appended to the original string
|
||||||
|
append = no
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,77 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: da4a099beae8eeb3bfe5f70f20523a4258f7f0cd $
|
||||||
|
|
||||||
|
#
|
||||||
|
# A module to cache attributes. The idea is that you can look
|
||||||
|
# up information in a database, and then cache it. Repeated
|
||||||
|
# requests for the same information will then have the cached
|
||||||
|
# values added to the request.
|
||||||
|
#
|
||||||
|
# The module can cache a fixed set of attributes per key.
|
||||||
|
# It can be listed in "authorize", "post-auth", "pre-proxy"
|
||||||
|
# and "post-proxy".
|
||||||
|
#
|
||||||
|
# If you want different things cached for authorize and post-auth,
|
||||||
|
# you will need to define two instances of the "cache" module.
|
||||||
|
#
|
||||||
|
# The module returns "ok" if it found a cache entry.
|
||||||
|
# The module returns "updated" if it added a new cache entry.
|
||||||
|
# The module returns "noop" if it did nothing.
|
||||||
|
#
|
||||||
|
cache {
|
||||||
|
# The key used to index the cache. It is dynamically expanded
|
||||||
|
# at run time.
|
||||||
|
key = "%{User-Name}"
|
||||||
|
|
||||||
|
# The TTL of cache entries, in seconds. Entries older than this
|
||||||
|
# will be expired.
|
||||||
|
#
|
||||||
|
# You can set the TTL per cache entry, but adding a control
|
||||||
|
# variable "Cache-TTL". The value there will over-ride this one.
|
||||||
|
# Setting a Cache-TTL of 0 means "delete this entry".
|
||||||
|
#
|
||||||
|
# This value should be between 10 and 86400.
|
||||||
|
ttl = 10
|
||||||
|
|
||||||
|
# A timestamp used to flush the cache, via
|
||||||
|
#
|
||||||
|
# radmin -e "set module config cache epoch 123456789"
|
||||||
|
#
|
||||||
|
# Where last value is a 32-bit Unix timestamp. Cache entries
|
||||||
|
# older than this are expired, and new entries added.
|
||||||
|
#
|
||||||
|
# You should ALWAYS leave it as "epoch = 0" here.
|
||||||
|
epoch = 0
|
||||||
|
|
||||||
|
# The module can also operate in status-only mode where it will
|
||||||
|
# not add new cache entries, or merge existing ones.
|
||||||
|
#
|
||||||
|
# To enable set the control variable "Cache-Status-Only" to "yes"
|
||||||
|
# The module will return "ok" if it found a cache entry.
|
||||||
|
# The module will return "notfound" if it failed to find a cache entry,
|
||||||
|
# or the entry had expired.
|
||||||
|
#
|
||||||
|
# Note: expired entries will still be removed.
|
||||||
|
|
||||||
|
# If yes the following attributes will be added to the request list:
|
||||||
|
# * Cache-Entry-Hits - The number of times this entry has been
|
||||||
|
# retrieved.
|
||||||
|
add-stats = no
|
||||||
|
|
||||||
|
# The list of attributes to cache for a particular key.
|
||||||
|
# Each key gets the same set of cached attributes.
|
||||||
|
# The attributes are dynamically expanded at run time.
|
||||||
|
#
|
||||||
|
# You can specify which list the attribute goes into by
|
||||||
|
# prefixing the attribute name with the list. This allows
|
||||||
|
# you to update multiple lists with one configuration.
|
||||||
|
#
|
||||||
|
# If no list is specified the request list will be updated.
|
||||||
|
update {
|
||||||
|
# list:Attr-Name
|
||||||
|
reply:Reply-Message += "I'm the cached reply from %t"
|
||||||
|
|
||||||
|
control:Class := 0x010203
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,11 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: e2a3cd3b110ffffdbcff86c7fc65a9275ddc3379 $
|
||||||
|
|
||||||
|
# CHAP module
|
||||||
|
#
|
||||||
|
# To authenticate requests containing a CHAP-Password attribute.
|
||||||
|
#
|
||||||
|
chap {
|
||||||
|
# no configuration
|
||||||
|
}
|
|
@ -0,0 +1,44 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: ed26e571e8f0bcf3bf586ceb16d0cdff182f5017 $
|
||||||
|
|
||||||
|
# A simple value checking module
|
||||||
|
#
|
||||||
|
# As of 2.0, much of the functionality of this module is in "unlang".
|
||||||
|
# You should probably investigate using that before trying to use
|
||||||
|
# the "checkval" module.
|
||||||
|
#
|
||||||
|
# It can be used to check if an attribute value in the request
|
||||||
|
# matches a (possibly multi valued) attribute in the check
|
||||||
|
# items This can be used for example for caller-id
|
||||||
|
# authentication. For the module to run, both the request
|
||||||
|
# attribute and the check items attribute must exist
|
||||||
|
#
|
||||||
|
# i.e.
|
||||||
|
# A user has an ldap entry with 2 radiusCallingStationId
|
||||||
|
# attributes with values "12345678" and "12345679". If we
|
||||||
|
# enable rlm_checkval, then any request which contains a
|
||||||
|
# Calling-Station-Id with one of those two values will be
|
||||||
|
# accepted. Requests with other values for
|
||||||
|
# Calling-Station-Id will be rejected.
|
||||||
|
#
|
||||||
|
# Regular expressions in the check attribute value are allowed
|
||||||
|
# as long as the operator is '=~'
|
||||||
|
#
|
||||||
|
checkval {
|
||||||
|
# The attribute to look for in the request
|
||||||
|
item-name = Calling-Station-Id
|
||||||
|
|
||||||
|
# The attribute to look for in check items. Can be multi valued
|
||||||
|
check-name = Calling-Station-Id
|
||||||
|
|
||||||
|
# The data type. Can be
|
||||||
|
# string,integer,ipaddr,date,abinary,octets
|
||||||
|
data-type = string
|
||||||
|
|
||||||
|
# If set to yes and we dont find the item-name attribute in the
|
||||||
|
# request then we send back a reject
|
||||||
|
# DEFAULT is no
|
||||||
|
#notfound-reject = no
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,82 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 2dad39a25c676821c6e602881e5bec52d738abfd $
|
||||||
|
|
||||||
|
# counter module:
|
||||||
|
# This module takes an attribute (count-attribute).
|
||||||
|
# It also takes a key, and creates a counter for each unique
|
||||||
|
# key. The count is incremented when accounting packets are
|
||||||
|
# received by the server. The value of the increment depends
|
||||||
|
# on the attribute type.
|
||||||
|
# If the attribute is Acct-Session-Time or of an integer type we add
|
||||||
|
# the value of the attribute. If it is anything else we increase the
|
||||||
|
# counter by one.
|
||||||
|
#
|
||||||
|
# The 'reset' parameter defines when the counters are all reset to
|
||||||
|
# zero. It can be hourly, daily, weekly, monthly or never.
|
||||||
|
#
|
||||||
|
# hourly: Reset on 00:00 of every hour
|
||||||
|
# daily: Reset on 00:00:00 every day
|
||||||
|
# weekly: Reset on 00:00:00 on sunday
|
||||||
|
# monthly: Reset on 00:00:00 of the first day of each month
|
||||||
|
#
|
||||||
|
# It can also be user defined. It should be of the form:
|
||||||
|
# num[hdwm] where:
|
||||||
|
# h: hours, d: days, w: weeks, m: months
|
||||||
|
# If the letter is ommited days will be assumed. In example:
|
||||||
|
# reset = 10h (reset every 10 hours)
|
||||||
|
# reset = 12 (reset every 12 days)
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# The check-name attribute defines an attribute which will be
|
||||||
|
# registered by the counter module and can be used to set the
|
||||||
|
# maximum allowed value for the counter after which the user
|
||||||
|
# is rejected.
|
||||||
|
# Something like:
|
||||||
|
#
|
||||||
|
# DEFAULT Max-Daily-Session := 36000
|
||||||
|
# Fall-Through = 1
|
||||||
|
#
|
||||||
|
# You should add the counter module in the instantiate
|
||||||
|
# section so that it registers check-name before the files
|
||||||
|
# module reads the users file.
|
||||||
|
#
|
||||||
|
# If check-name is set and the user is to be rejected then we
|
||||||
|
# send back a Reply-Message and we log a Failure-Message in
|
||||||
|
# the radius.log
|
||||||
|
#
|
||||||
|
# If the count attribute is Acct-Session-Time then on each
|
||||||
|
# login we send back the remaining online time as a
|
||||||
|
# Session-Timeout attribute ELSE and if the reply-name is
|
||||||
|
# set, we send back that attribute. The reply-name attribute
|
||||||
|
# MUST be of an integer type.
|
||||||
|
#
|
||||||
|
# The counter-name can also be used instead of using the check-name
|
||||||
|
# like below:
|
||||||
|
#
|
||||||
|
# DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject
|
||||||
|
# Reply-Message = "You've used up more than one hour today"
|
||||||
|
#
|
||||||
|
# The allowed-servicetype attribute can be used to only take
|
||||||
|
# into account specific sessions. For example if a user first
|
||||||
|
# logs in through a login menu and then selects ppp there will
|
||||||
|
# be two sessions. One for Login-User and one for Framed-User
|
||||||
|
# service type. We only need to take into account the second one.
|
||||||
|
#
|
||||||
|
# The module should be added in the instantiate, authorize and
|
||||||
|
# accounting sections. Make sure that in the authorize
|
||||||
|
# section it comes after any module which sets the
|
||||||
|
# 'check-name' attribute.
|
||||||
|
#
|
||||||
|
counter daily {
|
||||||
|
filename = ${db_dir}/db.daily
|
||||||
|
key = User-Name
|
||||||
|
count-attribute = Acct-Session-Time
|
||||||
|
reset = daily
|
||||||
|
counter-name = Daily-Session-Time
|
||||||
|
check-name = Max-Daily-Session
|
||||||
|
reply-name = Session-Timeout
|
||||||
|
allowed-servicetype = Framed-User
|
||||||
|
cache-size = 5000
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,25 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 246461369a25c17feae3168bb66050203d4b8a34 $
|
||||||
|
|
||||||
|
#
|
||||||
|
# Write Chargeable-User-Identity to the database.
|
||||||
|
#
|
||||||
|
# Schema raddb/sql/mysql/cui.sql
|
||||||
|
# Queries raddb/sql/mysql/cui.conf
|
||||||
|
#
|
||||||
|
sql cui {
|
||||||
|
database = "mysql"
|
||||||
|
driver = "rlm_sql_${database}"
|
||||||
|
server = "localhost"
|
||||||
|
login = "db_login_name"
|
||||||
|
password = "db_password"
|
||||||
|
radius_db = "db_name"
|
||||||
|
# sqltrace = yes
|
||||||
|
# sqltracefile = ${logdir}/cuitrace.sql
|
||||||
|
num_sql_socks = 5
|
||||||
|
connect_failure_retry_delay = 60
|
||||||
|
cui_table = "cui"
|
||||||
|
sql_user_name = "%{User-Name}"
|
||||||
|
#$INCLUDE sql/${database}/cui.conf
|
||||||
|
}
|
|
@ -0,0 +1,93 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 2e68d065ec93d0644cf7e931d97fdfac4e2be552 $
|
||||||
|
|
||||||
|
# Write a detailed log of all accounting records received.
|
||||||
|
#
|
||||||
|
detail {
|
||||||
|
# Note that we do NOT use NAS-IP-Address here, as
|
||||||
|
# that attribute MAY BE from the originating NAS, and
|
||||||
|
# NOT from the proxy which actually sent us the
|
||||||
|
# request.
|
||||||
|
#
|
||||||
|
# The following line creates a new detail file for
|
||||||
|
# every radius client (by IP address or hostname).
|
||||||
|
# In addition, a new detail file is created every
|
||||||
|
# day, so that the detail file doesn't have to go
|
||||||
|
# through a 'log rotation'
|
||||||
|
#
|
||||||
|
# If your detail files are large, you may also want
|
||||||
|
# to add a ':%H' (see doc/variables.txt) to the end
|
||||||
|
# of it, to create a new detail file every hour, e.g.:
|
||||||
|
#
|
||||||
|
# ..../detail-%Y%m%d:%H
|
||||||
|
#
|
||||||
|
# This will create a new detail file for every hour.
|
||||||
|
#
|
||||||
|
# If you are reading detail files via the "listen" section
|
||||||
|
# (e.g. as in raddb/sites-available/robust-proxy-accounting),
|
||||||
|
# you MUST use a unique directory for each combination of a
|
||||||
|
# detail file writer, and reader. That is, there can only
|
||||||
|
# be ONE "listen" section reading detail files from a
|
||||||
|
# particular directory.
|
||||||
|
#
|
||||||
|
detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you are using radrelay, delete the above line for "detailfile",
|
||||||
|
# and use this one instead:
|
||||||
|
#
|
||||||
|
# detailfile = ${radacctdir}/detail
|
||||||
|
|
||||||
|
#
|
||||||
|
# The Unix-style permissions on the 'detail' file.
|
||||||
|
#
|
||||||
|
# The detail file often contains secret or private
|
||||||
|
# information about users. So by keeping the file
|
||||||
|
# permissions restrictive, we can prevent unwanted
|
||||||
|
# people from seeing that information.
|
||||||
|
detailperm = 0600
|
||||||
|
|
||||||
|
# The Unix group of the log file.
|
||||||
|
#
|
||||||
|
# The user that the server runs as must be in the specified
|
||||||
|
# system group otherwise this will fail to work.
|
||||||
|
#
|
||||||
|
# group = freerad
|
||||||
|
|
||||||
|
#
|
||||||
|
# Every entry in the detail file has a header which
|
||||||
|
# is a timestamp. By default, we use the ctime
|
||||||
|
# format (see "man ctime" for details).
|
||||||
|
#
|
||||||
|
# The header can be customized by editing this
|
||||||
|
# string. See "doc/variables.txt" for a description
|
||||||
|
# of what can be put here.
|
||||||
|
#
|
||||||
|
header = "%t"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Uncomment this line if the detail file reader will be
|
||||||
|
# reading this detail file.
|
||||||
|
#
|
||||||
|
# locking = yes
|
||||||
|
|
||||||
|
#
|
||||||
|
# Log the Packet src/dst IP/port. This is disabled by
|
||||||
|
# default, as that information isn't used by many people.
|
||||||
|
#
|
||||||
|
# log_packet_header = yes
|
||||||
|
|
||||||
|
#
|
||||||
|
# Certain attributes such as User-Password may be
|
||||||
|
# "sensitive", so they should not be printed in the
|
||||||
|
# detail file. This section lists the attributes
|
||||||
|
# that should be suppressed.
|
||||||
|
#
|
||||||
|
# The attributes should be listed one to a line.
|
||||||
|
#
|
||||||
|
#suppress {
|
||||||
|
# User-Password
|
||||||
|
#}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,27 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# Detail file writer, used in the following examples:
|
||||||
|
#
|
||||||
|
# raddb/sites-available/robust-proxy-accounting
|
||||||
|
# raddb/sites-available/decoupled-accounting
|
||||||
|
#
|
||||||
|
# Note that this module can write detail files that are read by
|
||||||
|
# only ONE "listen" section. If you use BOTH of the examples
|
||||||
|
# above, you will need to define TWO "detail" modules.
|
||||||
|
#
|
||||||
|
# e.g. detail1.example.com && detail2.example.com
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# We write *multiple* detail files here. They will be processed by
|
||||||
|
# the detail "listen" section in the order that they were created.
|
||||||
|
# The directory containing these files should NOT be used for any
|
||||||
|
# other purposes. i.e. It should have NO other files in it.
|
||||||
|
#
|
||||||
|
# Writing multiple detail enables the server to process the pieces
|
||||||
|
# in smaller chunks. This helps in certain catastrophic corner cases.
|
||||||
|
#
|
||||||
|
# $Id: af7e3452fdd49ed6a3cd379c2a4d90e17f34532f $
|
||||||
|
#
|
||||||
|
detail detail.example.com {
|
||||||
|
detailfile = ${radacctdir}/detail.example.com/detail-%Y%m%d:%H:%G
|
||||||
|
}
|
|
@ -0,0 +1,75 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: c36dce75c6d41b7470bd177a27ed96d3fe3dafe5 $
|
||||||
|
|
||||||
|
#
|
||||||
|
# More examples of doing detail logs.
|
||||||
|
|
||||||
|
#
|
||||||
|
# Many people want to log authentication requests.
|
||||||
|
# Rather than modifying the server core to print out more
|
||||||
|
# messages, we can use a different instance of the 'detail'
|
||||||
|
# module, to log the authentication requests to a file.
|
||||||
|
#
|
||||||
|
# You will also need to un-comment the 'auth_log' line
|
||||||
|
# in the 'authorize' section, below.
|
||||||
|
#
|
||||||
|
detail auth_log {
|
||||||
|
detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
|
||||||
|
|
||||||
|
#
|
||||||
|
# This MUST be 0600, otherwise anyone can read
|
||||||
|
# the users passwords!
|
||||||
|
detailperm = 0600
|
||||||
|
|
||||||
|
# You may also strip out passwords completely
|
||||||
|
suppress {
|
||||||
|
User-Password
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# This module logs authentication reply packets sent
|
||||||
|
# to a NAS. Both Access-Accept and Access-Reject packets
|
||||||
|
# are logged.
|
||||||
|
#
|
||||||
|
# You will also need to un-comment the 'reply_log' line
|
||||||
|
# in the 'post-auth' section, below.
|
||||||
|
#
|
||||||
|
detail reply_log {
|
||||||
|
detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
|
||||||
|
|
||||||
|
detailperm = 0600
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# This module logs packets proxied to a home server.
|
||||||
|
#
|
||||||
|
# You will also need to un-comment the 'pre_proxy_log' line
|
||||||
|
# in the 'pre-proxy' section, below.
|
||||||
|
#
|
||||||
|
detail pre_proxy_log {
|
||||||
|
detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d
|
||||||
|
|
||||||
|
#
|
||||||
|
# This MUST be 0600, otherwise anyone can read
|
||||||
|
# the users passwords!
|
||||||
|
detailperm = 0600
|
||||||
|
|
||||||
|
# You may also strip out passwords completely
|
||||||
|
#suppress {
|
||||||
|
# User-Password
|
||||||
|
#}
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# This module logs response packets from a home server.
|
||||||
|
#
|
||||||
|
# You will also need to un-comment the 'post_proxy_log' line
|
||||||
|
# in the 'post-proxy' section, below.
|
||||||
|
#
|
||||||
|
detail post_proxy_log {
|
||||||
|
detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d
|
||||||
|
|
||||||
|
detailperm = 0600
|
||||||
|
}
|
|
@ -0,0 +1,33 @@
|
||||||
|
## Configuration for DHCP to use SQL IP Pools.
|
||||||
|
##
|
||||||
|
## See sqlippool.conf for common configuration explanation
|
||||||
|
##
|
||||||
|
## $Id: 39358b222d016d62e5cf6e8c77fd214cc7614feb $
|
||||||
|
|
||||||
|
sqlippool dhcp_sqlippool {
|
||||||
|
sql-instance-name = "sql"
|
||||||
|
|
||||||
|
ippool_table = "radippool"
|
||||||
|
|
||||||
|
lease-duration = 7200
|
||||||
|
|
||||||
|
# Client's MAC address is mapped to Calling-Station-Id in policy.conf
|
||||||
|
pool-key = "%{Calling-Station-Id}"
|
||||||
|
|
||||||
|
# For now, it only works with MySQL.
|
||||||
|
# This line is commented by default to enable clean startup when you
|
||||||
|
# don't have freeradius-mysql installed. Uncomment this line if you
|
||||||
|
# use this module.
|
||||||
|
#$INCLUDE ${confdir}/sql/mysql/ippool-dhcp.conf
|
||||||
|
|
||||||
|
sqlippool_log_exists = "DHCP: Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
|
||||||
|
|
||||||
|
sqlippool_log_success = "DHCP: Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
|
||||||
|
|
||||||
|
sqlippool_log_clear = "DHCP: Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
|
||||||
|
|
||||||
|
sqlippool_log_failed = "DHCP: IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
|
||||||
|
|
||||||
|
sqlippool_log_nopool = "DHCP: No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,13 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: f0aa9edf9da33d63fe03e7d1ed3cbca848eec54d $
|
||||||
|
|
||||||
|
#
|
||||||
|
# The 'digest' module currently has no configuration.
|
||||||
|
#
|
||||||
|
# "Digest" authentication against a Cisco SIP server.
|
||||||
|
# See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
|
||||||
|
# on performing digest authentication for Cisco SIP servers.
|
||||||
|
#
|
||||||
|
digest {
|
||||||
|
}
|
|
@ -0,0 +1,32 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: bf047be5c7b48f2f021981a6abf4199d888fc3ee $
|
||||||
|
|
||||||
|
# This module loads RADIUS clients as needed, rather than when the server
|
||||||
|
# starts.
|
||||||
|
#
|
||||||
|
# There are no configuration entries for this module. Instead, it
|
||||||
|
# relies on the "client" configuration. You must:
|
||||||
|
#
|
||||||
|
# 1) link raddb/sites-enabled/dyanmic_clients to
|
||||||
|
# raddb/sites-available/dyanmic_clients
|
||||||
|
#
|
||||||
|
# 2) Define a client network/mask (see top of the above file)
|
||||||
|
#
|
||||||
|
# 3) uncomment the "directory" entry in that client definition
|
||||||
|
#
|
||||||
|
# 4) list "dynamic_clients" in the "authorize" section of the
|
||||||
|
# "dynamic_clients' virtual server. The default example already
|
||||||
|
# does this.
|
||||||
|
#
|
||||||
|
# 5) put files into the above directory, one per IP.
|
||||||
|
# e.g. file "192.168.1.1" should contain a normal client definition
|
||||||
|
# for a client with IP address 192.168.1.1.
|
||||||
|
#
|
||||||
|
# For more documentation, see the file:
|
||||||
|
#
|
||||||
|
# raddb/sites-available/dynamic-clients
|
||||||
|
#
|
||||||
|
dynamic_clients {
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,123 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 0ca6bd8d27c25bf4f84fd27f97323b8961814d77 $
|
||||||
|
|
||||||
|
#
|
||||||
|
# This is a more general example of the execute module.
|
||||||
|
#
|
||||||
|
# This one is called "echo".
|
||||||
|
#
|
||||||
|
# Attribute-Name = `%{echo:/path/to/program args}`
|
||||||
|
#
|
||||||
|
# If you wish to execute an external program in more than
|
||||||
|
# one section (e.g. 'authorize', 'pre_proxy', etc), then it
|
||||||
|
# is probably best to define a different instance of the
|
||||||
|
# 'exec' module for every section.
|
||||||
|
#
|
||||||
|
# The return value of the program run determines the result
|
||||||
|
# of the exec instance call as follows:
|
||||||
|
# (See doc/configurable_failover for details)
|
||||||
|
#
|
||||||
|
# < 0 : fail the module failed
|
||||||
|
# = 0 : ok the module succeeded
|
||||||
|
# = 1 : reject the module rejected the user
|
||||||
|
# = 2 : fail the module failed
|
||||||
|
# = 3 : ok the module succeeded
|
||||||
|
# = 4 : handled the module has done everything to handle the request
|
||||||
|
# = 5 : invalid the user's configuration entry was invalid
|
||||||
|
# = 6 : userlock the user was locked out
|
||||||
|
# = 7 : notfound the user was not found
|
||||||
|
# = 8 : noop the module did nothing
|
||||||
|
# = 9 : updated the module updated information in the request
|
||||||
|
# > 9 : fail the module failed
|
||||||
|
#
|
||||||
|
exec echo {
|
||||||
|
#
|
||||||
|
# Wait for the program to finish.
|
||||||
|
#
|
||||||
|
# If we do NOT wait, then the program is "fire and
|
||||||
|
# forget", and any output attributes from it are ignored.
|
||||||
|
#
|
||||||
|
# If we are looking for the program to output
|
||||||
|
# attributes, and want to add those attributes to the
|
||||||
|
# request, then we MUST wait for the program to
|
||||||
|
# finish, and therefore set 'wait=yes'
|
||||||
|
#
|
||||||
|
# allowed values: {no, yes}
|
||||||
|
wait = yes
|
||||||
|
|
||||||
|
#
|
||||||
|
# The name of the program to execute, and it's
|
||||||
|
# arguments. Dynamic translation is done on this
|
||||||
|
# field, so things like the following example will
|
||||||
|
# work.
|
||||||
|
#
|
||||||
|
program = "/bin/echo %{User-Name}"
|
||||||
|
|
||||||
|
#
|
||||||
|
# The attributes which are placed into the
|
||||||
|
# environment variables for the program.
|
||||||
|
#
|
||||||
|
# Allowed values are:
|
||||||
|
#
|
||||||
|
# request attributes from the request
|
||||||
|
# config attributes from the configuration items list
|
||||||
|
# reply attributes from the reply
|
||||||
|
# proxy-request attributes from the proxy request
|
||||||
|
# proxy-reply attributes from the proxy reply
|
||||||
|
#
|
||||||
|
# Note that some attributes may not exist at some
|
||||||
|
# stages. e.g. There may be no proxy-reply
|
||||||
|
# attributes if this module is used in the
|
||||||
|
# 'authorize' section.
|
||||||
|
#
|
||||||
|
input_pairs = request
|
||||||
|
|
||||||
|
#
|
||||||
|
# Where to place the output attributes (if any) from
|
||||||
|
# the executed program. The values allowed, and the
|
||||||
|
# restrictions as to availability, are the same as
|
||||||
|
# for the input_pairs.
|
||||||
|
#
|
||||||
|
output_pairs = reply
|
||||||
|
|
||||||
|
#
|
||||||
|
# When to execute the program. If the packet
|
||||||
|
# type does NOT match what's listed here, then
|
||||||
|
# the module does NOT execute the program.
|
||||||
|
#
|
||||||
|
# For a list of allowed packet types, see
|
||||||
|
# the 'dictionary' file, and look for VALUEs
|
||||||
|
# of the Packet-Type attribute.
|
||||||
|
#
|
||||||
|
# By default, the module executes on ANY packet.
|
||||||
|
# Un-comment out the following line to tell the
|
||||||
|
# module to execute only if an Access-Accept is
|
||||||
|
# being sent to the NAS.
|
||||||
|
#
|
||||||
|
#packet_type = Access-Accept
|
||||||
|
|
||||||
|
#
|
||||||
|
# Should we escape the environment variables?
|
||||||
|
#
|
||||||
|
# If this is set, all the RADIUS attributes
|
||||||
|
# are capitalised and dashes replaced with
|
||||||
|
# underscores. Also, RADIUS values are surrounded
|
||||||
|
# with double-quotes.
|
||||||
|
#
|
||||||
|
# That is to say: User-Name=BobUser => USER_NAME="BobUser"
|
||||||
|
shell_escape = yes
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# How long should we wait for the program to finish?
|
||||||
|
#
|
||||||
|
# Default is 10 seconds, which should be plenty for nearly
|
||||||
|
# anything. Range is 1 to 30 seconds. You are strongly
|
||||||
|
# encouraged to NOT increase this value. Decreasing can
|
||||||
|
# be used to cause authentication to fail sooner when you
|
||||||
|
# know it's going to fail anyway due to the time taken,
|
||||||
|
# thereby saving resources.
|
||||||
|
#
|
||||||
|
#timeout = 10
|
||||||
|
}
|
|
@ -0,0 +1,28 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 614c52b82b3e12fab54313aecb5c1120559781f3 $
|
||||||
|
|
||||||
|
# "passwd" configuration, for the /etc/group file. Adds a Etc-Group-Name
|
||||||
|
# attribute for every group that the user is member of.
|
||||||
|
#
|
||||||
|
# You will have to define the Etc-Group-Name in the 'dictionary' file
|
||||||
|
# as a 'string' type.
|
||||||
|
#
|
||||||
|
# The Group and Group-Name attributes are automatically created by
|
||||||
|
# the Unix module, and do checking against /etc/group automatically.
|
||||||
|
# This means that you CANNOT use Group or Group-Name to do any other
|
||||||
|
# kind of grouping in the server. You MUST define a new group
|
||||||
|
# attribute.
|
||||||
|
#
|
||||||
|
# i.e. this module should NOT be used as-is, but should be edited to
|
||||||
|
# point to a different group file.
|
||||||
|
#
|
||||||
|
passwd etc_group {
|
||||||
|
filename = /etc/group
|
||||||
|
format = "=Etc-Group-Name:::*,User-Name"
|
||||||
|
hashsize = 50
|
||||||
|
ignorenislike = yes
|
||||||
|
allowmultiplekeys = yes
|
||||||
|
delimiter = ":"
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,30 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 5f21e4350f091ed51813865a31b2796c4b487f9f $
|
||||||
|
|
||||||
|
#
|
||||||
|
# Execute external programs
|
||||||
|
#
|
||||||
|
# This module is useful only for 'xlat'. To use it,
|
||||||
|
# put 'exec' into the 'instantiate' section. You can then
|
||||||
|
# do dynamic translation of attributes like:
|
||||||
|
#
|
||||||
|
# Attribute-Name = `%{exec:/path/to/program args}`
|
||||||
|
#
|
||||||
|
# The value of the attribute will be replaced with the output
|
||||||
|
# of the program which is executed. Due to RADIUS protocol
|
||||||
|
# limitations, any output over 253 bytes will be ignored.
|
||||||
|
#
|
||||||
|
# The RADIUS attributes from the user request will be placed
|
||||||
|
# into environment variables of the executed program, as
|
||||||
|
# described in "man unlang" and in doc/variables.txt
|
||||||
|
#
|
||||||
|
# See also "echo" for more sample configuration.
|
||||||
|
#
|
||||||
|
exec {
|
||||||
|
wait = no
|
||||||
|
input_pairs = request
|
||||||
|
shell_escape = yes
|
||||||
|
output = none
|
||||||
|
timeout = 10
|
||||||
|
}
|
|
@ -0,0 +1,19 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 8bbd88973459d82f3967135c66a5b566fffc130a $
|
||||||
|
|
||||||
|
#
|
||||||
|
# The expiration module. This handles the Expiration attribute
|
||||||
|
# It should be included in the *end* of the authorize section
|
||||||
|
# in order to handle user Expiration. It should also be included
|
||||||
|
# in the instantiate section in order to register the Expiration
|
||||||
|
# compare function
|
||||||
|
#
|
||||||
|
expiration {
|
||||||
|
#
|
||||||
|
# The Reply-Message which will be sent back in case the
|
||||||
|
# account has expired. Dynamic substitution is supported
|
||||||
|
#
|
||||||
|
reply-message = "Password Has Expired\r\n"
|
||||||
|
#reply-message = "Your account has expired, %{User-Name}\r\n"
|
||||||
|
}
|
|
@ -0,0 +1,20 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 6caeb9bccb3310d76f0c527afa58d10432359ee5 $
|
||||||
|
|
||||||
|
#
|
||||||
|
# The 'expression' module currently has no configuration.
|
||||||
|
#
|
||||||
|
# This module is useful only for 'xlat'. To use it,
|
||||||
|
# put 'expr' into the 'instantiate' section. You can then
|
||||||
|
# do dynamic translation of attributes like:
|
||||||
|
#
|
||||||
|
# Attribute-Name = `%{expr:2 + 3 + %{exec: uid -u}}`
|
||||||
|
#
|
||||||
|
# The value of the attribute will be replaced with the output
|
||||||
|
# of the program which is executed. Due to RADIUS protocol
|
||||||
|
# limitations, any output over 253 bytes will be ignored.
|
||||||
|
#
|
||||||
|
# The module also registers a few paircompare functions
|
||||||
|
expr {
|
||||||
|
}
|
|
@ -0,0 +1,46 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: e0198d85b2d14fa7b75b0e8c1bf6427c4bd89058 $
|
||||||
|
|
||||||
|
# Livingston-style 'users' file
|
||||||
|
#
|
||||||
|
files {
|
||||||
|
# The default key attribute to use for matches. The content
|
||||||
|
# of this attribute is used to match the "name" of the
|
||||||
|
# entry.
|
||||||
|
#key = "%{%{Stripped-User-Name}:-%{User-Name}}"
|
||||||
|
|
||||||
|
usersfile = ${confdir}/users
|
||||||
|
acctusersfile = ${confdir}/acct_users
|
||||||
|
preproxy_usersfile = ${confdir}/preproxy_users
|
||||||
|
|
||||||
|
# If you want to use the old Cistron 'users' file
|
||||||
|
# with FreeRADIUS, you should change the next line
|
||||||
|
# to 'compat = cistron'. You can the copy your 'users'
|
||||||
|
# file from Cistron.
|
||||||
|
compat = no
|
||||||
|
}
|
||||||
|
|
||||||
|
# An example which defines a second instance of the "files" module.
|
||||||
|
# This instance is named "second_files". In order for it to be used
|
||||||
|
# in a virtual server, it needs to be listed as "second_files"
|
||||||
|
# inside of the "authorize" section (or other section). If you just
|
||||||
|
# list "files", that will refer to the configuration defined above.
|
||||||
|
#
|
||||||
|
|
||||||
|
# The two names here mean:
|
||||||
|
# "files" - this is a configuration for the "rlm_files" module
|
||||||
|
# "second_files" - this is a named configuration, which isn't
|
||||||
|
# the default configuration.
|
||||||
|
files second_files {
|
||||||
|
#key = "%{%{Stripped-User-Name}:-%{User-Name}}"
|
||||||
|
|
||||||
|
# The names here don't matter. They just need to be different
|
||||||
|
# from the names for the "files" configuration above. If they
|
||||||
|
# are the same, then this configuration will end up being the
|
||||||
|
# same as the one above.
|
||||||
|
usersfile = ${confdir}/second_users
|
||||||
|
acctusersfile = ${confdir}/second_acct_users
|
||||||
|
preproxy_usersfile = ${confdir}/second_preproxy_users
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,161 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 0a26c9c1672823e46219d831e2be18890450c2a7 $
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sample configuration for an EAP module that occurs *inside*
|
||||||
|
# of a tunneled method. It is used to limit the EAP types that
|
||||||
|
# can occur inside of the inner tunnel.
|
||||||
|
#
|
||||||
|
# See also raddb/sites-available/inner-tunnel
|
||||||
|
#
|
||||||
|
# To use this module, edit raddb/sites-available/inner-tunnel, and
|
||||||
|
# replace the references to "eap" with "inner-eap".
|
||||||
|
#
|
||||||
|
# See raddb/eap.conf for full documentation on the meaning of the
|
||||||
|
# configuration entries here.
|
||||||
|
#
|
||||||
|
eap inner-eap {
|
||||||
|
# This is the best choice for PEAP.
|
||||||
|
default_eap_type = mschapv2
|
||||||
|
timer_expire = 60
|
||||||
|
|
||||||
|
# This should be the same as the outer eap "max sessions"
|
||||||
|
max_sessions = 2048
|
||||||
|
|
||||||
|
# Supported EAP-types
|
||||||
|
md5 {
|
||||||
|
}
|
||||||
|
|
||||||
|
gtc {
|
||||||
|
# The default challenge, which many clients
|
||||||
|
# ignore..
|
||||||
|
#challenge = "Password: "
|
||||||
|
|
||||||
|
auth_type = PAP
|
||||||
|
}
|
||||||
|
|
||||||
|
mschapv2 {
|
||||||
|
}
|
||||||
|
|
||||||
|
# No TTLS or PEAP configuration should be listed here.
|
||||||
|
|
||||||
|
## EAP-TLS
|
||||||
|
#
|
||||||
|
# You SHOULD use different certificates than are used
|
||||||
|
# for the outer EAP configuration!
|
||||||
|
#
|
||||||
|
# Support for PEAP/TLS and RFC 5176 TLS/TLS is experimental.
|
||||||
|
#
|
||||||
|
tls {
|
||||||
|
#
|
||||||
|
# These is used to simplify later configurations.
|
||||||
|
#
|
||||||
|
certdir = ${confdir}/certs
|
||||||
|
cadir = ${confdir}/certs
|
||||||
|
|
||||||
|
private_key_password = whatever
|
||||||
|
private_key_file = ${certdir}/server.pem
|
||||||
|
|
||||||
|
# If Private key & Certificate are located in
|
||||||
|
# the same file, then private_key_file &
|
||||||
|
# certificate_file must contain the same file
|
||||||
|
# name.
|
||||||
|
#
|
||||||
|
# If CA_file (below) is not used, then the
|
||||||
|
# certificate_file below MUST include not
|
||||||
|
# only the server certificate, but ALSO all
|
||||||
|
# of the CA certificates used to sign the
|
||||||
|
# server certificate.
|
||||||
|
certificate_file = ${certdir}/server.pem
|
||||||
|
|
||||||
|
# Trusted Root CA list
|
||||||
|
#
|
||||||
|
# ALL of the CA's in this list will be trusted
|
||||||
|
# to issue client certificates for authentication.
|
||||||
|
#
|
||||||
|
# In general, you should use self-signed
|
||||||
|
# certificates for 802.1x (EAP) authentication.
|
||||||
|
# In that case, this CA file should contain
|
||||||
|
# *one* CA certificate.
|
||||||
|
#
|
||||||
|
# This parameter is used only for EAP-TLS,
|
||||||
|
# when you issue client certificates. If you do
|
||||||
|
# not use client certificates, and you do not want
|
||||||
|
# to permit EAP-TLS authentication, then delete
|
||||||
|
# this configuration item.
|
||||||
|
CA_file = ${cadir}/ca.pem
|
||||||
|
|
||||||
|
#
|
||||||
|
# For DH cipher suites to work, you have to
|
||||||
|
# run OpenSSL to create the DH file first:
|
||||||
|
#
|
||||||
|
# openssl dhparam -out certs/dh 1024
|
||||||
|
#
|
||||||
|
dh_file = ${certdir}/dh
|
||||||
|
random_file = ${certdir}/random
|
||||||
|
|
||||||
|
#
|
||||||
|
# This can never exceed the size of a RADIUS
|
||||||
|
# packet (4096 bytes), and is preferably half
|
||||||
|
# that, to accomodate other attributes in
|
||||||
|
# RADIUS packet. On most APs the MAX packet
|
||||||
|
# length is configured between 1500 - 1600
|
||||||
|
# In these cases, fragment size should be
|
||||||
|
# 1024 or less.
|
||||||
|
#
|
||||||
|
# fragment_size = 1024
|
||||||
|
|
||||||
|
# include_length is a flag which is
|
||||||
|
# by default set to yes If set to
|
||||||
|
# yes, Total Length of the message is
|
||||||
|
# included in EVERY packet we send.
|
||||||
|
# If set to no, Total Length of the
|
||||||
|
# message is included ONLY in the
|
||||||
|
# First packet of a fragment series.
|
||||||
|
#
|
||||||
|
# include_length = yes
|
||||||
|
|
||||||
|
# Check the Certificate Revocation List
|
||||||
|
#
|
||||||
|
# 1) Copy CA certificates and CRLs to same directory.
|
||||||
|
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
|
||||||
|
# 'c_rehash' is OpenSSL's command.
|
||||||
|
# 3) uncomment the line below.
|
||||||
|
# 5) Restart radiusd
|
||||||
|
# check_crl = yes
|
||||||
|
# CA_path = /path/to/directory/with/ca_certs/and/crls/
|
||||||
|
|
||||||
|
#
|
||||||
|
# If check_cert_issuer is set, the value will
|
||||||
|
# be checked against the DN of the issuer in
|
||||||
|
# the client certificate. If the values do not
|
||||||
|
# match, the cerficate verification will fail,
|
||||||
|
# rejecting the user.
|
||||||
|
#
|
||||||
|
# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
|
||||||
|
|
||||||
|
#
|
||||||
|
# If check_cert_cn is set, the value will
|
||||||
|
# be xlat'ed and checked against the CN
|
||||||
|
# in the client certificate. If the values
|
||||||
|
# do not match, the certificate verification
|
||||||
|
# will fail rejecting the user.
|
||||||
|
#
|
||||||
|
# This check is done only if the previous
|
||||||
|
# "check_cert_issuer" is not set, or if
|
||||||
|
# the check succeeds.
|
||||||
|
#
|
||||||
|
# check_cert_cn = %{User-Name}
|
||||||
|
#
|
||||||
|
# Set this option to specify the allowed
|
||||||
|
# TLS cipher suites. The format is listed
|
||||||
|
# in "man 1 ciphers".
|
||||||
|
cipher_list = "DEFAULT"
|
||||||
|
|
||||||
|
#
|
||||||
|
# The session resumption / fast reauthentication
|
||||||
|
# cache CANNOT be used for inner sessions.
|
||||||
|
#
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,75 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 05561cf37fe71142adc97410daba3ae08a1cb68c $
|
||||||
|
|
||||||
|
# Do server side ip pool management. Should be added in
|
||||||
|
# post-auth and accounting sections.
|
||||||
|
#
|
||||||
|
# The module also requires the existance of the Pool-Name
|
||||||
|
# attribute. That way the administrator can add the Pool-Name
|
||||||
|
# attribute in the user profiles and use different pools for
|
||||||
|
# different users. The Pool-Name attribute is a *check* item
|
||||||
|
# not a reply item.
|
||||||
|
#
|
||||||
|
# The Pool-Name should be set to the ippool module instance
|
||||||
|
# name or to DEFAULT to match any module.
|
||||||
|
|
||||||
|
#
|
||||||
|
# Example:
|
||||||
|
# radiusd.conf: ippool students { [...] }
|
||||||
|
# ippool teachers { [...] }
|
||||||
|
# users file : DEFAULT Group == students, Pool-Name := "students"
|
||||||
|
# DEFAULT Group == teachers, Pool-Name := "teachers"
|
||||||
|
# DEFAULT Group == other, Pool-Name := "DEFAULT"
|
||||||
|
#
|
||||||
|
# ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST *********
|
||||||
|
# ********* THEN ERASE THE DB FILES *********
|
||||||
|
#
|
||||||
|
ippool main_pool {
|
||||||
|
|
||||||
|
# range-start,range-stop:
|
||||||
|
# The start and end ip addresses for this pool.
|
||||||
|
range-start = 192.168.1.1
|
||||||
|
range-stop = 192.168.3.254
|
||||||
|
|
||||||
|
# netmask:
|
||||||
|
# The network mask used for this pool.
|
||||||
|
netmask = 255.255.255.0
|
||||||
|
|
||||||
|
# cache-size:
|
||||||
|
# The gdbm cache size for the db files. Should
|
||||||
|
# be equal to the number of ip's available in
|
||||||
|
# the ip pool
|
||||||
|
cache-size = 800
|
||||||
|
|
||||||
|
# session-db:
|
||||||
|
# The main db file used to allocate addresses.
|
||||||
|
session-db = ${db_dir}/db.ippool
|
||||||
|
|
||||||
|
# ip-index:
|
||||||
|
# Helper db index file used in multilink
|
||||||
|
ip-index = ${db_dir}/db.ipindex
|
||||||
|
|
||||||
|
# override:
|
||||||
|
# If set, the Framed-IP-Address already in the
|
||||||
|
# reply (if any) will be discarded, and replaced
|
||||||
|
# with a Framed-IP-Address assigned here.
|
||||||
|
override = no
|
||||||
|
|
||||||
|
# maximum-timeout:
|
||||||
|
# Specifies the maximum time in seconds that an
|
||||||
|
# entry may be active. If set to zero, means
|
||||||
|
# "no timeout". The default value is 0
|
||||||
|
maximum-timeout = 0
|
||||||
|
|
||||||
|
# key:
|
||||||
|
# The key to use for the session database (which
|
||||||
|
# holds the allocated ip's) normally it should
|
||||||
|
# just be the nas ip/port (which is the default).
|
||||||
|
#
|
||||||
|
# If your NAS sends the same value of NAS-Port
|
||||||
|
# all requests, the key should be based on some
|
||||||
|
# other attribute that is in ALL requests, AND
|
||||||
|
# is unique to each machine needing an IP address.
|
||||||
|
#key = "%{NAS-IP-Address} %{NAS-Port}"
|
||||||
|
}
|
|
@ -0,0 +1,11 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 81d1cf2cad2c5dd919acdc993f4484673d80121e $
|
||||||
|
|
||||||
|
#
|
||||||
|
# Kerberos. See doc/rlm_krb5 for minimal docs.
|
||||||
|
#
|
||||||
|
krb5 {
|
||||||
|
keytab = /path/to/keytab
|
||||||
|
service_principal = name_of_principle
|
||||||
|
}
|
|
@ -0,0 +1,197 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: d13892634e4a8458c942ce170f59f98521dce500 $
|
||||||
|
|
||||||
|
# Lightweight Directory Access Protocol (LDAP)
|
||||||
|
#
|
||||||
|
# This module definition allows you to use LDAP for
|
||||||
|
# authorization and authentication.
|
||||||
|
#
|
||||||
|
# See raddb/sites-available/default for reference to the
|
||||||
|
# ldap module in the authorize and authenticate sections.
|
||||||
|
#
|
||||||
|
# However, LDAP can be used for authentication ONLY when the
|
||||||
|
# Access-Request packet contains a clear-text User-Password
|
||||||
|
# attribute. LDAP authentication will NOT work for any other
|
||||||
|
# authentication method.
|
||||||
|
#
|
||||||
|
# This means that LDAP servers don't understand EAP. If you
|
||||||
|
# force "Auth-Type = LDAP", and then send the server a
|
||||||
|
# request containing EAP authentication, then authentication
|
||||||
|
# WILL NOT WORK.
|
||||||
|
#
|
||||||
|
# The solution is to use the default configuration, which does
|
||||||
|
# work.
|
||||||
|
#
|
||||||
|
# Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We
|
||||||
|
# really can't emphasize this enough.
|
||||||
|
#
|
||||||
|
ldap {
|
||||||
|
#
|
||||||
|
# Note that this needs to match the name in the LDAP
|
||||||
|
# server certificate, if you're using ldaps.
|
||||||
|
server = "ldap.your.domain"
|
||||||
|
#identity = "cn=admin,o=My Org,c=UA"
|
||||||
|
#password = mypass
|
||||||
|
basedn = "o=My Org,c=UA"
|
||||||
|
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
|
||||||
|
#base_filter = "(objectclass=radiusprofile)"
|
||||||
|
|
||||||
|
# How many connections to keep open to the LDAP server.
|
||||||
|
# This saves time over opening a new LDAP socket for
|
||||||
|
# every authentication request.
|
||||||
|
ldap_connections_number = 5
|
||||||
|
|
||||||
|
# How many times the connection can be used before
|
||||||
|
# being re-established. This is useful for things
|
||||||
|
# like load balancers, which may exhibit sticky
|
||||||
|
# behaviour without it. (0) is unlimited.
|
||||||
|
max_uses = 0
|
||||||
|
|
||||||
|
# Port to connect on, defaults to 389. Setting this to
|
||||||
|
# 636 will enable LDAPS if start_tls (see below) is not
|
||||||
|
# able to be used.
|
||||||
|
#port = 389
|
||||||
|
|
||||||
|
# seconds to wait for LDAP query to finish. default: 20
|
||||||
|
timeout = 4
|
||||||
|
|
||||||
|
# seconds LDAP server has to process the query (server-side
|
||||||
|
# time limit). default: 20
|
||||||
|
#
|
||||||
|
# LDAP_OPT_TIMELIMIT is set to this value.
|
||||||
|
timelimit = 3
|
||||||
|
|
||||||
|
#
|
||||||
|
# seconds to wait for response of the server. (network
|
||||||
|
# failures) default: 10
|
||||||
|
#
|
||||||
|
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
|
||||||
|
net_timeout = 1
|
||||||
|
|
||||||
|
#
|
||||||
|
# This subsection configures the tls related items
|
||||||
|
# that control how FreeRADIUS connects to an LDAP
|
||||||
|
# server. It contains all of the "tls_*" configuration
|
||||||
|
# entries used in older versions of FreeRADIUS. Those
|
||||||
|
# configuration entries can still be used, but we recommend
|
||||||
|
# using these.
|
||||||
|
#
|
||||||
|
tls {
|
||||||
|
# Set this to 'yes' to use TLS encrypted connections
|
||||||
|
# to the LDAP database by using the StartTLS extended
|
||||||
|
# operation.
|
||||||
|
#
|
||||||
|
# The StartTLS operation is supposed to be
|
||||||
|
# used with normal ldap connections instead of
|
||||||
|
# using ldaps (port 636) connections
|
||||||
|
start_tls = no
|
||||||
|
|
||||||
|
# cacertfile = /path/to/cacert.pem
|
||||||
|
# cacertdir = /path/to/ca/dir/
|
||||||
|
# certfile = /path/to/radius.crt
|
||||||
|
# keyfile = /path/to/radius.key
|
||||||
|
# randfile = /path/to/rnd
|
||||||
|
|
||||||
|
# Certificate Verification requirements. Can be:
|
||||||
|
# "never" (don't even bother trying)
|
||||||
|
# "allow" (try, but don't fail if the cerificate
|
||||||
|
# can't be verified)
|
||||||
|
# "demand" (fail if the certificate doesn't verify.)
|
||||||
|
#
|
||||||
|
# The default is "allow"
|
||||||
|
# require_cert = "demand"
|
||||||
|
}
|
||||||
|
|
||||||
|
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
|
||||||
|
# profile_attribute = "radiusProfileDn"
|
||||||
|
# access_attr = "dialupAccess"
|
||||||
|
|
||||||
|
# Mapping of RADIUS dictionary attributes to LDAP
|
||||||
|
# directory attributes.
|
||||||
|
dictionary_mapping = ${confdir}/ldap.attrmap
|
||||||
|
|
||||||
|
# Set password_attribute = nspmPassword to get the
|
||||||
|
# user's password from a Novell eDirectory
|
||||||
|
# backend. This will work ONLY IF FreeRADIUS has been
|
||||||
|
# built with the --with-edir configure option.
|
||||||
|
#
|
||||||
|
# See also the following links:
|
||||||
|
#
|
||||||
|
# http://www.novell.com/coolsolutions/appnote/16745.html
|
||||||
|
# https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
|
||||||
|
#
|
||||||
|
# Novell may require TLS encrypted sessions before returning
|
||||||
|
# the user's password.
|
||||||
|
#
|
||||||
|
# password_attribute = userPassword
|
||||||
|
|
||||||
|
# Un-comment the following to disable Novell
|
||||||
|
# eDirectory account policy check and intruder
|
||||||
|
# detection. This will work *only if* FreeRADIUS is
|
||||||
|
# configured to build with --with-edir option.
|
||||||
|
#
|
||||||
|
edir_account_policy_check = no
|
||||||
|
|
||||||
|
#
|
||||||
|
# Group membership checking. Disabled by default.
|
||||||
|
#
|
||||||
|
# groupname_attribute = cn
|
||||||
|
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
|
||||||
|
# groupmembership_attribute = radiusGroupName
|
||||||
|
|
||||||
|
# compare_check_items = yes
|
||||||
|
# do_xlat = yes
|
||||||
|
# access_attr_used_for_allow = yes
|
||||||
|
|
||||||
|
#
|
||||||
|
# The following two configuration items are for Active Directory
|
||||||
|
# compatibility. If you see the helpful "operations error"
|
||||||
|
# being returned to the LDAP module, uncomment the next
|
||||||
|
# two lines.
|
||||||
|
#
|
||||||
|
# chase_referrals = yes
|
||||||
|
# rebind = yes
|
||||||
|
|
||||||
|
#
|
||||||
|
# By default, if the packet contains a User-Password,
|
||||||
|
# and no other module is configured to handle the
|
||||||
|
# authentication, the LDAP module sets itself to do
|
||||||
|
# LDAP bind for authentication.
|
||||||
|
#
|
||||||
|
# THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
|
||||||
|
#
|
||||||
|
# THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
|
||||||
|
#
|
||||||
|
# You can disable this behavior by setting the following
|
||||||
|
# configuration entry to "no".
|
||||||
|
#
|
||||||
|
# allowed values: {no, yes}
|
||||||
|
# set_auth_type = yes
|
||||||
|
|
||||||
|
# ldap_debug: debug flag for LDAP SDK
|
||||||
|
# (see OpenLDAP documentation). Set this to enable
|
||||||
|
# huge amounts of LDAP debugging on the screen.
|
||||||
|
# You should only use this if you are an LDAP expert.
|
||||||
|
#
|
||||||
|
# default: 0x0000 (no debugging messages)
|
||||||
|
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
|
||||||
|
#ldap_debug = 0x0028
|
||||||
|
|
||||||
|
#
|
||||||
|
# Keepalive configuration. This MAY NOT be supported by your
|
||||||
|
# LDAP library. If these configuration entries appear in the
|
||||||
|
# output of "radiusd -X", then they are supported. Otherwise,
|
||||||
|
# they are unsupported, and changing them will do nothing.
|
||||||
|
#
|
||||||
|
keepalive {
|
||||||
|
# LDAP_OPT_X_KEEPALIVE_IDLE
|
||||||
|
idle = 60
|
||||||
|
|
||||||
|
# LDAP_OPT_X_KEEPALIVE_PROBES
|
||||||
|
probes = 3
|
||||||
|
|
||||||
|
# LDAP_OPT_X_KEEPALIVE_INTERVAL
|
||||||
|
interval = 3
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,105 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: a57741ac3fa5f884ed64d896da3807af5d2a6b99 $
|
||||||
|
|
||||||
|
#
|
||||||
|
# The "linelog" module will log one line of text to a file.
|
||||||
|
# Both the filename and the line of text are dynamically expanded.
|
||||||
|
#
|
||||||
|
# We STRONGLY suggest that you do not use data from the
|
||||||
|
# packet as part of the filename.
|
||||||
|
#
|
||||||
|
linelog {
|
||||||
|
#
|
||||||
|
# The file where the logs will go.
|
||||||
|
#
|
||||||
|
# If the filename is "syslog", then the log messages will
|
||||||
|
# go to syslog.
|
||||||
|
filename = ${logdir}/linelog
|
||||||
|
|
||||||
|
#
|
||||||
|
# The Unix-style permissions on the log file.
|
||||||
|
#
|
||||||
|
# Depending on format string, the log file may contain secret or
|
||||||
|
# private information about users. Keep the file permissions as
|
||||||
|
# restrictive as possible.
|
||||||
|
permissions = 0600
|
||||||
|
|
||||||
|
#
|
||||||
|
# The Unix group of the log file.
|
||||||
|
#
|
||||||
|
# The user that freeradius runs as must be in the specified
|
||||||
|
# group, otherwise it will not be possible to set the group.
|
||||||
|
#
|
||||||
|
# group = freerad
|
||||||
|
|
||||||
|
#
|
||||||
|
# If logging via syslog, the facility can be set here. Otherwise
|
||||||
|
# the syslog_facility option in radiusd.conf will be used.
|
||||||
|
#
|
||||||
|
# syslog_facility = daemon
|
||||||
|
|
||||||
|
#
|
||||||
|
# The default format string.
|
||||||
|
format = "This is a log message for %{User-Name}"
|
||||||
|
|
||||||
|
#
|
||||||
|
# This next line can be omitted. If it is omitted, then
|
||||||
|
# the log message is static, and is always given by "format",
|
||||||
|
# above.
|
||||||
|
#
|
||||||
|
# If it is defined, then the string is dynamically expanded,
|
||||||
|
# and the result is used to find another configuration entry
|
||||||
|
# here, with the given name. That name is then used as the
|
||||||
|
# format string.
|
||||||
|
#
|
||||||
|
# If the configuration entry cannot be found, then no log
|
||||||
|
# message is printed.
|
||||||
|
#
|
||||||
|
# i.e. You can have many log messages in one "linelog" module.
|
||||||
|
# If this two-step expansion did not exist, you would have
|
||||||
|
# needed to configure one "linelog" module for each log message.
|
||||||
|
|
||||||
|
#
|
||||||
|
# Reference the Packet-Type (Access-Request, etc.) If it doesn't
|
||||||
|
# exist, reference the "format" entry, above.
|
||||||
|
reference = "%{%{Packet-Type}:-format}"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Followed by a series of log messages.
|
||||||
|
Access-Request = "Requested access: %{User-Name}"
|
||||||
|
Access-Reject = "Rejected access: %{User-Name}"
|
||||||
|
Access-Challenge = "Sent challenge: %{User-Name}"
|
||||||
|
|
||||||
|
#
|
||||||
|
# The log messages can be grouped into sections and
|
||||||
|
# sub-sections, too. The "reference" item needs to have a "."
|
||||||
|
# for every section. e.g. reference = foo.bar will reference
|
||||||
|
# the "foo" section, "bar" configuration item.
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# Used if: reference = "foo.bar".
|
||||||
|
foo {
|
||||||
|
bar = "Example log. Please ignore"
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Another example:
|
||||||
|
# reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
|
||||||
|
#
|
||||||
|
Accounting-Request {
|
||||||
|
Start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})"
|
||||||
|
Stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds"
|
||||||
|
|
||||||
|
# Don't log anything for these packets.
|
||||||
|
Alive = ""
|
||||||
|
|
||||||
|
Accounting-On = "NAS %C (%{NAS-IP-Address}) just came online"
|
||||||
|
Accounting-Off = "NAS %C (%{NAS-IP-Address}) just went offline"
|
||||||
|
|
||||||
|
# don't log anything for other Acct-Status-Types.
|
||||||
|
unknown = ""
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,31 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 26691a93664c464f49394773e04d3b2ed565d142 $
|
||||||
|
|
||||||
|
# The logintime module. This handles the Login-Time,
|
||||||
|
# Current-Time, and Time-Of-Day attributes. It should be
|
||||||
|
# included in the *end* of the authorize section in order to
|
||||||
|
# handle Login-Time checks. It should also be included in the
|
||||||
|
# instantiate section in order to register the Current-Time
|
||||||
|
# and Time-Of-Day comparison functions.
|
||||||
|
#
|
||||||
|
# When the Login-Time attribute is set to some value, and the
|
||||||
|
# user has bene permitted to log in, a Session-Timeout is
|
||||||
|
# calculated based on the remaining time. See "doc/README".
|
||||||
|
#
|
||||||
|
logintime {
|
||||||
|
#
|
||||||
|
# The Reply-Message which will be sent back in case
|
||||||
|
# the account is calling outside of the allowed
|
||||||
|
# timespan. Dynamic substitution is supported.
|
||||||
|
#
|
||||||
|
reply-message = "You are calling outside your allowed timespan\r\n"
|
||||||
|
#reply-message = "Outside allowed timespan (%{control:Login-Time}), %{User-Name}\r\n"
|
||||||
|
|
||||||
|
# The minimum timeout (in seconds) a user is allowed
|
||||||
|
# to have. If the calculated timeout is lower we don't
|
||||||
|
# allow the logon. Some NASes do not handle values
|
||||||
|
# lower than 60 seconds well.
|
||||||
|
minimum-timeout = 60
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,25 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 793d5690e1d4520bb3db1d9900d6be09da2587ae $
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# This next section is a sample configuration for the "passwd"
|
||||||
|
# module, that reads flat-text files.
|
||||||
|
#
|
||||||
|
# The file is in the format <mac>,<ip>
|
||||||
|
#
|
||||||
|
# 00:01:02:03:04:05,192.168.1.100
|
||||||
|
# 01:01:02:03:04:05,192.168.1.101
|
||||||
|
# 02:01:02:03:04:05,192.168.1.102
|
||||||
|
#
|
||||||
|
# This lets you perform simple static IP assignments from a flat-text
|
||||||
|
# file. You will have to define lease times yourself.
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
passwd mac2ip {
|
||||||
|
filename = ${confdir}/mac2ip
|
||||||
|
format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address"
|
||||||
|
delimiter = ","
|
||||||
|
}
|
|
@ -0,0 +1,18 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: bdfef238076bb1ea16c494bf6e22f1d2af848b62 $
|
||||||
|
|
||||||
|
# A simple file to map a MAC address to a VLAN.
|
||||||
|
#
|
||||||
|
# The file should be in the format MAC,VLAN
|
||||||
|
# the VLAN name cannot have spaces in it, for example:
|
||||||
|
#
|
||||||
|
# 00:01:02:03:04:05,VLAN1
|
||||||
|
# 03:04:05:06:07:08,VLAN2
|
||||||
|
# ...
|
||||||
|
#
|
||||||
|
passwd mac2vlan {
|
||||||
|
filename = ${confdir}/mac2vlan
|
||||||
|
format = "*VMPS-Mac:=VMPS-VLAN-Name"
|
||||||
|
delimiter = ","
|
||||||
|
}
|
|
@ -0,0 +1,87 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 9e016a09a158f55bbc9b48876f0cb2b776b4cd96 $
|
||||||
|
|
||||||
|
# Microsoft CHAP authentication
|
||||||
|
#
|
||||||
|
# This module supports MS-CHAP and MS-CHAPv2 authentication.
|
||||||
|
# It also enforces the SMB-Account-Ctrl attribute.
|
||||||
|
#
|
||||||
|
mschap {
|
||||||
|
#
|
||||||
|
# If you are using /etc/smbpasswd, see the 'passwd'
|
||||||
|
# module for an example of how to use /etc/smbpasswd
|
||||||
|
|
||||||
|
# if use_mppe is not set to no mschap will
|
||||||
|
# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
|
||||||
|
# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
|
||||||
|
#
|
||||||
|
# use_mppe = no
|
||||||
|
|
||||||
|
# if mppe is enabled require_encryption makes
|
||||||
|
# encryption moderate
|
||||||
|
#
|
||||||
|
# require_encryption = yes
|
||||||
|
|
||||||
|
# require_strong always requires 128 bit key
|
||||||
|
# encryption
|
||||||
|
#
|
||||||
|
# require_strong = yes
|
||||||
|
|
||||||
|
# Windows sends us a username in the form of
|
||||||
|
# DOMAIN\user, but sends the challenge response
|
||||||
|
# based on only the user portion. This hack
|
||||||
|
# corrects for that incorrect behavior.
|
||||||
|
#
|
||||||
|
# with_ntdomain_hack = no
|
||||||
|
|
||||||
|
# The module can perform authentication itself, OR
|
||||||
|
# use a Windows Domain Controller. This configuration
|
||||||
|
# directive tells the module to call the ntlm_auth
|
||||||
|
# program, which will do the authentication, and return
|
||||||
|
# the NT-Key. Note that you MUST have "winbindd" and
|
||||||
|
# "nmbd" running on the local machine for ntlm_auth
|
||||||
|
# to work. See the ntlm_auth program documentation
|
||||||
|
# for details.
|
||||||
|
#
|
||||||
|
# If ntlm_auth is configured below, then the mschap
|
||||||
|
# module will call ntlm_auth for every MS-CHAP
|
||||||
|
# authentication request. If there is a cleartext
|
||||||
|
# or NT hashed password available, you can set
|
||||||
|
# "MS-CHAP-Use-NTLM-Auth := No" in the control items,
|
||||||
|
# and the mschap module will do the authentication itself,
|
||||||
|
# without calling ntlm_auth.
|
||||||
|
#
|
||||||
|
# Be VERY careful when editing the following line!
|
||||||
|
#
|
||||||
|
# You can also try setting the user name as:
|
||||||
|
#
|
||||||
|
# ... --username=%{mschap:User-Name} ...
|
||||||
|
#
|
||||||
|
# In that case, the mschap module will look at the User-Name
|
||||||
|
# attribute, and do prefix/suffix checks in order to obtain
|
||||||
|
# the "best" user name for the request.
|
||||||
|
#
|
||||||
|
# ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
|
||||||
|
|
||||||
|
# The default is to wait 10 seconds for ntlm_auth to
|
||||||
|
# complete. This is a long time, and if it's taking that
|
||||||
|
# long then you likely have other problems in your domain.
|
||||||
|
# The length of time can be decreased with the following
|
||||||
|
# option, which can save clients waiting if your ntlm_auth
|
||||||
|
# usually finishes quicker. Range 1 to 10 seconds.
|
||||||
|
#
|
||||||
|
# ntlm_auth_timeout = 10
|
||||||
|
|
||||||
|
# For Apple Server, when running on the same machine as
|
||||||
|
# Open Directory. It has no effect on other systems.
|
||||||
|
#
|
||||||
|
# use_open_directory = yes
|
||||||
|
|
||||||
|
# On failure, set (or not) the MS-CHAP error code saying
|
||||||
|
# "retries allowed".
|
||||||
|
# allow_retry = yes
|
||||||
|
|
||||||
|
# An optional retry message.
|
||||||
|
# retry_msg = "Re-enter (or reset) the password"
|
||||||
|
}
|
|
@ -0,0 +1,12 @@
|
||||||
|
#
|
||||||
|
# For testing ntlm_auth authentication with PAP.
|
||||||
|
#
|
||||||
|
# If you have problems with authentication failing, even when the
|
||||||
|
# password is good, it may be a bug in Samba:
|
||||||
|
#
|
||||||
|
# https://bugzilla.samba.org/show_bug.cgi?id=6563
|
||||||
|
#
|
||||||
|
exec ntlm_auth {
|
||||||
|
wait = yes
|
||||||
|
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
|
||||||
|
}
|
|
@ -0,0 +1,13 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 2a44ef695f4eaf6f1c461b3d92fda54e9b910f9e $
|
||||||
|
|
||||||
|
# This module is only used when the server is running on the same
|
||||||
|
# system as OpenDirectory. The configuration of the module is hard-coded
|
||||||
|
# by Apple, and cannot be changed here.
|
||||||
|
#
|
||||||
|
# There are no configuration entries for this module.
|
||||||
|
#
|
||||||
|
opendirectory {
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,78 @@
|
||||||
|
#
|
||||||
|
# Configuration for the OTP module.
|
||||||
|
#
|
||||||
|
|
||||||
|
# This module allows you to use various handheld OTP tokens
|
||||||
|
# for authentication (Auth-Type := otp). These tokens are
|
||||||
|
# available from various vendors.
|
||||||
|
#
|
||||||
|
# It works in conjunction with otpd, which implements token
|
||||||
|
# management and OTP verification functions; and lsmd or gsmd,
|
||||||
|
# which implements synchronous state management functions.
|
||||||
|
# otpd, lsmd and gsmd are available from TRI-D Systems:
|
||||||
|
# <http://www.tri-dsystems.com/>
|
||||||
|
|
||||||
|
# You must list this module in BOTH the authorize and authenticate
|
||||||
|
# sections in order to use it.
|
||||||
|
otp {
|
||||||
|
# otpd rendezvous point.
|
||||||
|
# (default: /var/run/otpd/socket)
|
||||||
|
#otpd_rp = /var/run/otpd/socket
|
||||||
|
|
||||||
|
# Text to use for the challenge. The '%' character is
|
||||||
|
# disallowed, except that you MUST have a single "%s"
|
||||||
|
# sequence in the string; the challenge itself is
|
||||||
|
# inserted there. (default "Challenge: %s\n Response: ")
|
||||||
|
#challenge_prompt = "Challenge: %s\n Response: "
|
||||||
|
|
||||||
|
# Length of the challenge. Most tokens probably support a
|
||||||
|
# max of 8 digits. (range: 5-32 digits, default 6)
|
||||||
|
#challenge_length = 6
|
||||||
|
|
||||||
|
# Maximum time, in seconds, that a challenge is valid.
|
||||||
|
# (The user must respond to a challenge within this time.)
|
||||||
|
# It is also the minimal time between consecutive async mode
|
||||||
|
# authentications, a necessary restriction due to an inherent
|
||||||
|
# weakness of the RADIUS protocol which allows replay attacks.
|
||||||
|
# (default: 30)
|
||||||
|
#challenge_delay = 30
|
||||||
|
|
||||||
|
# Whether or not to allow asynchronous ("pure" challenge/
|
||||||
|
# response) mode authentication. Since sync mode is much more
|
||||||
|
# usable, and all reasonable tokens support it, the typical
|
||||||
|
# use of async mode is to allow resync of event based tokens.
|
||||||
|
# But because of the vulnerability of async mode with some tokens,
|
||||||
|
# you probably want to disable this and require that out-of-sync
|
||||||
|
# users resync from specifically secured terminals.
|
||||||
|
# See the otpd docs for more info.
|
||||||
|
# (default: no)
|
||||||
|
#allow_async = no
|
||||||
|
|
||||||
|
# Whether or not to allow synchronous mode authentication.
|
||||||
|
# When using otpd with lsmd, it is *CRITICALLY IMPORTANT*
|
||||||
|
# that if your OTP users can authenticate to multiple RADIUS
|
||||||
|
# servers, this must be "yes" for the primary/default server,
|
||||||
|
# and "no" for the others. This is because lsmd does not
|
||||||
|
# share state information across multiple servers. Using "yes"
|
||||||
|
# on all your RADIUS servers would allow replay attacks!
|
||||||
|
# Also, for event based tokens, the user will be out of sync
|
||||||
|
# on the "other" servers. In order to use "yes" on all your
|
||||||
|
# servers, you must either use gsmd, which synchronizes state
|
||||||
|
# globally, or implement your own state synchronization method.
|
||||||
|
# (default: yes)
|
||||||
|
#allow_sync = yes
|
||||||
|
|
||||||
|
# If both allow_async and allow_sync are "yes", a challenge is
|
||||||
|
# always presented to the user. This is incompatible with NAS's
|
||||||
|
# that can't present or don't handle Access-Challenge's, e.g.
|
||||||
|
# PPTP servers. Even though a challenge is presented, the user
|
||||||
|
# can still enter their synchronous passcode.
|
||||||
|
|
||||||
|
# The following are MPPE settings. Note that MS-CHAP (v1) is
|
||||||
|
# strongly discouraged. All possible values are listed as
|
||||||
|
# {value = meaning}. Default values are first.
|
||||||
|
#mschapv2_mppe = {2 = required, 1 = optional, 0 = forbidden}
|
||||||
|
#mschapv2_mppe_bits = {2 = 128, 1 = 128 or 40, 0 = 40}
|
||||||
|
#mschap_mppe = {2 = required, 1 = optional, 0 = forbidden}
|
||||||
|
#mschap_mppe_bits = {2 = 128}
|
||||||
|
}
|
|
@ -0,0 +1,26 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: f4a91a948637bb2f42f613ed9faa6f9ae9ae6099 $
|
||||||
|
|
||||||
|
|
||||||
|
# Pluggable Authentication Modules
|
||||||
|
#
|
||||||
|
# For Linux, see:
|
||||||
|
# http://www.kernel.org/pub/linux/libs/pam/index.html
|
||||||
|
#
|
||||||
|
# WARNING: On many systems, the system PAM libraries have
|
||||||
|
# memory leaks! We STRONGLY SUGGEST that you do not
|
||||||
|
# use PAM for authentication, due to those memory leaks.
|
||||||
|
#
|
||||||
|
pam {
|
||||||
|
#
|
||||||
|
# The name to use for PAM authentication.
|
||||||
|
# PAM looks in /etc/pam.d/${pam_auth_name}
|
||||||
|
# for it's configuration. See 'redhat/radiusd-pam'
|
||||||
|
# for a sample PAM configuration file.
|
||||||
|
#
|
||||||
|
# Note that any Pam-Auth attribute set in the 'authorize'
|
||||||
|
# section will over-ride this one.
|
||||||
|
#
|
||||||
|
pam_auth = radiusd
|
||||||
|
}
|
|
@ -0,0 +1,22 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 5c7d29d654bea9c076d6434f32795c2b2d002757 $
|
||||||
|
|
||||||
|
# PAP module to authenticate users based on their stored password
|
||||||
|
#
|
||||||
|
# Supports multiple encryption/hash schemes. See "man rlm_pap"
|
||||||
|
# for details.
|
||||||
|
#
|
||||||
|
# The "auto_header" configuration item can be set to "yes".
|
||||||
|
# In this case, the module will look inside of the User-Password
|
||||||
|
# attribute for the headers {crypt}, {clear}, etc., and will
|
||||||
|
# automatically create the attribute on the right-hand side,
|
||||||
|
# with the correct value. It will also automatically handle
|
||||||
|
# Base-64 encoded data, hex strings, and binary data.
|
||||||
|
#
|
||||||
|
# For instructions on creating the various types of passwords, see:
|
||||||
|
#
|
||||||
|
# http://www.openldap.org/faq/data/cache/347.html
|
||||||
|
pap {
|
||||||
|
auto_header = no
|
||||||
|
}
|
|
@ -0,0 +1,55 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: cc37ca0d7eaf9887720eccc2de0ecb75a51117c8 $
|
||||||
|
|
||||||
|
# passwd module allows to do authorization via any passwd-like
|
||||||
|
# file and to extract any attributes from these files.
|
||||||
|
#
|
||||||
|
# See the "smbpasswd" and "etc_group" files for more examples.
|
||||||
|
#
|
||||||
|
# parameters are:
|
||||||
|
# filename - path to filename
|
||||||
|
#
|
||||||
|
# format - format for filename record. This parameters
|
||||||
|
# correlates record in the passwd file and RADIUS
|
||||||
|
# attributes.
|
||||||
|
#
|
||||||
|
# Field marked as '*' is a key field. That is, the parameter
|
||||||
|
# with this name from the request is used to search for
|
||||||
|
# the record from passwd file
|
||||||
|
#
|
||||||
|
# Attributes marked as '=' are added to reply_items instead
|
||||||
|
# of default configure_itmes
|
||||||
|
#
|
||||||
|
# Attributes marked as '~' are added to request_items
|
||||||
|
#
|
||||||
|
# Field marked as ',' may contain a comma separated list
|
||||||
|
# of attributes.
|
||||||
|
#
|
||||||
|
# hashsize - hashtable size. Setting it to 0 is no longer permitted
|
||||||
|
# A future version of the server will have the module
|
||||||
|
# automatically determine the hash size. Having it set
|
||||||
|
# manually should not be necessary.
|
||||||
|
#
|
||||||
|
# allowmultiplekeys - if many records for a key are allowed
|
||||||
|
#
|
||||||
|
# ignorenislike - ignore NIS-related records
|
||||||
|
#
|
||||||
|
# delimiter - symbol to use as a field separator in passwd file,
|
||||||
|
# for format ':' symbol is always used. '\0', '\n' are
|
||||||
|
# not allowed
|
||||||
|
#
|
||||||
|
|
||||||
|
# An example configuration for using /etc/passwd.
|
||||||
|
#
|
||||||
|
# This is an example which will NOT WORK if you have shadow passwords,
|
||||||
|
# NIS, etc. The "unix" module is normally responsible for reading
|
||||||
|
# system passwords. You should use it instead of this example.
|
||||||
|
#
|
||||||
|
passwd etc_passwd {
|
||||||
|
filename = /etc/passwd
|
||||||
|
format = "*User-Name:Crypt-Password:"
|
||||||
|
hashsize = 100
|
||||||
|
ignorenislike = no
|
||||||
|
allowmultiplekeys = no
|
||||||
|
}
|
|
@ -0,0 +1,58 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 69ad3076119ec814518a6db45eec4bc41dc090f7 $
|
||||||
|
|
||||||
|
# Persistent, embedded Perl interpreter.
|
||||||
|
#
|
||||||
|
perl {
|
||||||
|
#
|
||||||
|
# The Perl script to execute on authorize, authenticate,
|
||||||
|
# accounting, xlat, etc. This is very similar to using
|
||||||
|
# 'rlm_exec' module, but it is persistent, and therefore
|
||||||
|
# faster.
|
||||||
|
#
|
||||||
|
module = ${confdir}/example.pl
|
||||||
|
|
||||||
|
#
|
||||||
|
# The following hashes are given to the module and
|
||||||
|
# filled with value-pairs (Attribute names and values)
|
||||||
|
#
|
||||||
|
# %RAD_CHECK Check items
|
||||||
|
# %RAD_REQUEST Attributes from the request
|
||||||
|
# %RAD_REPLY Attributes for the reply
|
||||||
|
#
|
||||||
|
# The return codes from functions in the perl_script
|
||||||
|
# are passed directly back to the server. These
|
||||||
|
# codes are defined in doc/configurable_failover,
|
||||||
|
# src/include/modules.h (RLM_MODULE_REJECT, etc),
|
||||||
|
# and are pre-defined in the 'example.pl' program
|
||||||
|
# which is included.
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# List of functions in the module to call.
|
||||||
|
# Uncomment and change if you want to use function
|
||||||
|
# names other than the defaults.
|
||||||
|
#
|
||||||
|
#func_authenticate = authenticate
|
||||||
|
#func_authorize = authorize
|
||||||
|
#func_preacct = preacct
|
||||||
|
#func_accounting = accounting
|
||||||
|
#func_checksimul = checksimul
|
||||||
|
#func_pre_proxy = pre_proxy
|
||||||
|
#func_post_proxy = post_proxy
|
||||||
|
#func_post_auth = post_auth
|
||||||
|
#func_recv_coa = recv_coa
|
||||||
|
#func_send_coa = send_coa
|
||||||
|
#func_xlat = xlat
|
||||||
|
#func_detach = detach
|
||||||
|
|
||||||
|
#
|
||||||
|
# Uncomment the following lines if you wish
|
||||||
|
# to use separate functions for Start and Stop
|
||||||
|
# accounting packets. In that case, the
|
||||||
|
# func_accounting function is not called.
|
||||||
|
#
|
||||||
|
#func_start_accounting = accounting_start
|
||||||
|
#func_stop_accounting = accounting_stop
|
||||||
|
}
|
|
@ -0,0 +1,21 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 9b1b111ce70dbfd4ce25cdd2774d5878dbea7023 $
|
||||||
|
|
||||||
|
#
|
||||||
|
# Module implementing a DIFFERENT policy language.
|
||||||
|
# The syntax here is NOT "unlang", but something else.
|
||||||
|
#
|
||||||
|
# See the "raddb/policy.txt" file for documentation and examples.
|
||||||
|
# There isn't much else in the way of documentation, sorry.
|
||||||
|
#
|
||||||
|
policy {
|
||||||
|
# The only configuration item is a filename containing
|
||||||
|
# the policies to execute.
|
||||||
|
#
|
||||||
|
# When "policy" is listed in a section (e.g. "authorize"),
|
||||||
|
# it will run a policy named for that section.
|
||||||
|
#
|
||||||
|
filename = ${confdir}/policy.txt
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,58 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: e00aa85a9bd924b3a79c034f6f5d4d7d9a98c208 $
|
||||||
|
|
||||||
|
# Preprocess the incoming RADIUS request, before handing it off
|
||||||
|
# to other modules.
|
||||||
|
#
|
||||||
|
# This module processes the 'huntgroups' and 'hints' files.
|
||||||
|
# In addition, it re-writes some weird attributes created
|
||||||
|
# by some NASes, and converts the attributes into a form which
|
||||||
|
# is a little more standard.
|
||||||
|
#
|
||||||
|
preprocess {
|
||||||
|
huntgroups = ${confdir}/huntgroups
|
||||||
|
hints = ${confdir}/hints
|
||||||
|
|
||||||
|
# This hack changes Ascend's wierd port numberings
|
||||||
|
# to standard 0-??? port numbers so that the "+" works
|
||||||
|
# for IP address assignments.
|
||||||
|
with_ascend_hack = no
|
||||||
|
ascend_channels_per_line = 23
|
||||||
|
|
||||||
|
# Windows NT machines often authenticate themselves as
|
||||||
|
# NT_DOMAIN\username
|
||||||
|
#
|
||||||
|
# If this is set to 'yes', then the NT_DOMAIN portion
|
||||||
|
# of the user-name is silently discarded.
|
||||||
|
#
|
||||||
|
# This configuration entry SHOULD NOT be used.
|
||||||
|
# See the "realms" module for a better way to handle
|
||||||
|
# NT domains.
|
||||||
|
with_ntdomain_hack = no
|
||||||
|
|
||||||
|
# Specialix Jetstream 8500 24 port access server.
|
||||||
|
#
|
||||||
|
# If the user name is 10 characters or longer, a "/"
|
||||||
|
# and the excess characters after the 10th are
|
||||||
|
# appended to the user name.
|
||||||
|
#
|
||||||
|
# If you're not running that NAS, you don't need
|
||||||
|
# this hack.
|
||||||
|
with_specialix_jetstream_hack = no
|
||||||
|
|
||||||
|
# Cisco (and Quintum in Cisco mode) sends it's VSA attributes
|
||||||
|
# with the attribute name *again* in the string, like:
|
||||||
|
#
|
||||||
|
# H323-Attribute = "h323-attribute=value".
|
||||||
|
#
|
||||||
|
# If this configuration item is set to 'yes', then
|
||||||
|
# the redundant data in the the attribute text is stripped
|
||||||
|
# out. The result is:
|
||||||
|
#
|
||||||
|
# H323-Attribute = "value"
|
||||||
|
#
|
||||||
|
# If you're not running a Cisco or Quintum NAS, you don't
|
||||||
|
# need this hack.
|
||||||
|
with_cisco_vsa_hack = no
|
||||||
|
}
|
|
@ -0,0 +1,26 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: dede42698a19413b524a1a68b7ea312aa8a506aa $
|
||||||
|
|
||||||
|
# Write "detail" files which can be read by radrelay.
|
||||||
|
# This module should be used only by a server which receives
|
||||||
|
# Accounting-Request packets from the network.
|
||||||
|
#
|
||||||
|
# It should NOT be used in the radrelay.conf file.
|
||||||
|
#
|
||||||
|
# Use it by adding "radrelay" to the "accounting" section:
|
||||||
|
#
|
||||||
|
# accounting {
|
||||||
|
# ...
|
||||||
|
# radrelay
|
||||||
|
# ...
|
||||||
|
# }
|
||||||
|
#
|
||||||
|
detail radrelay {
|
||||||
|
detailfile = ${radacctdir}/detail
|
||||||
|
|
||||||
|
locking = yes
|
||||||
|
|
||||||
|
# The other directives from the main detail module
|
||||||
|
# can be used here, but they're not required.
|
||||||
|
}
|
|
@ -0,0 +1,53 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 3ad88cde616ce041f0dcc87858950daafdd3d336 $
|
||||||
|
|
||||||
|
# Write a 'utmp' style file, of which users are currently
|
||||||
|
# logged in, and where they've logged in from.
|
||||||
|
#
|
||||||
|
# This file is used mainly for Simultaneous-Use checking,
|
||||||
|
# and also 'radwho', to see who's currently logged in.
|
||||||
|
#
|
||||||
|
radutmp {
|
||||||
|
# Where the file is stored. It's not a log file,
|
||||||
|
# so it doesn't need rotating.
|
||||||
|
#
|
||||||
|
filename = ${logdir}/radutmp
|
||||||
|
|
||||||
|
# The field in the packet to key on for the
|
||||||
|
# 'user' name, If you have other fields which you want
|
||||||
|
# to use to key on to control Simultaneous-Use,
|
||||||
|
# then you can use them here.
|
||||||
|
#
|
||||||
|
# Note, however, that the size of the field in the
|
||||||
|
# 'utmp' data structure is small, around 32
|
||||||
|
# characters, so that will limit the possible choices
|
||||||
|
# of keys.
|
||||||
|
#
|
||||||
|
# You may want instead: %{Stripped-User-Name:-%{User-Name}}
|
||||||
|
username = %{User-Name}
|
||||||
|
|
||||||
|
|
||||||
|
# Whether or not we want to treat "user" the same
|
||||||
|
# as "USER", or "User". Some systems have problems
|
||||||
|
# with case sensitivity, so this should be set to
|
||||||
|
# 'no' to enable the comparisons of the key attribute
|
||||||
|
# to be case insensitive.
|
||||||
|
#
|
||||||
|
case_sensitive = yes
|
||||||
|
|
||||||
|
# Accounting information may be lost, so the user MAY
|
||||||
|
# have logged off of the NAS, but we haven't noticed.
|
||||||
|
# If so, we can verify this information with the NAS,
|
||||||
|
#
|
||||||
|
# If we want to believe the 'utmp' file, then this
|
||||||
|
# configuration entry can be set to 'no'.
|
||||||
|
#
|
||||||
|
check_with_nas = yes
|
||||||
|
|
||||||
|
# Set the file permissions, as the contents of this file
|
||||||
|
# are usually private.
|
||||||
|
perm = 0600
|
||||||
|
|
||||||
|
callerid = "yes"
|
||||||
|
}
|
|
@ -0,0 +1,46 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 95d9f2b98de1b33346c6129aa7e88a901248cd4d $
|
||||||
|
|
||||||
|
# Realm module, for proxying.
|
||||||
|
#
|
||||||
|
# You can have multiple instances of the realm module to
|
||||||
|
# support multiple realm syntaxs at the same time. The
|
||||||
|
# search order is defined by the order that the modules are listed
|
||||||
|
# in the authorize and preacct sections.
|
||||||
|
#
|
||||||
|
# Four config options:
|
||||||
|
# format - must be "prefix" or "suffix"
|
||||||
|
# The special cases of "DEFAULT"
|
||||||
|
# and "NULL" are allowed, too.
|
||||||
|
# delimiter - must be a single character
|
||||||
|
|
||||||
|
# 'realm/username'
|
||||||
|
#
|
||||||
|
# Using this entry, IPASS users have their realm set to "IPASS".
|
||||||
|
realm IPASS {
|
||||||
|
format = prefix
|
||||||
|
delimiter = "/"
|
||||||
|
}
|
||||||
|
|
||||||
|
# 'username@realm'
|
||||||
|
#
|
||||||
|
realm suffix {
|
||||||
|
format = suffix
|
||||||
|
delimiter = "@"
|
||||||
|
}
|
||||||
|
|
||||||
|
# 'username%realm'
|
||||||
|
#
|
||||||
|
realm realmpercent {
|
||||||
|
format = suffix
|
||||||
|
delimiter = "%"
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# 'domain\user'
|
||||||
|
#
|
||||||
|
realm ntdomain {
|
||||||
|
format = prefix
|
||||||
|
delimiter = "\\"
|
||||||
|
}
|
|
@ -0,0 +1,35 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: d7605d9888607aa6451ab24450cebfd7bc9d4437 $
|
||||||
|
|
||||||
|
#
|
||||||
|
# Configuration file for the "redis" module. This module does nothing
|
||||||
|
# Other than provide connections to a redis database, and a %{redis: ...}
|
||||||
|
# expansion.
|
||||||
|
#
|
||||||
|
redis {
|
||||||
|
# Host where the redis server is located.
|
||||||
|
# We recommend using ONLY 127.0.0.1 !
|
||||||
|
hostname = 127.0.0.1
|
||||||
|
|
||||||
|
# The default port.
|
||||||
|
port = 6379
|
||||||
|
|
||||||
|
# The password used to authenticate to the server.
|
||||||
|
# We recommend using a strong password.
|
||||||
|
# password = thisisreallysecretandhardtoguess
|
||||||
|
|
||||||
|
# The number of connections to open to the database.
|
||||||
|
num_connections = 20
|
||||||
|
|
||||||
|
# If a connection fails, retry after this time.
|
||||||
|
connect_failure_retry_delay = 60
|
||||||
|
|
||||||
|
# Set the maximum lifetime for one connection.
|
||||||
|
# Use 0 for "lives forever"
|
||||||
|
lifetime = 86400
|
||||||
|
|
||||||
|
# Set the maximum queries used for one connection.
|
||||||
|
# Use 0 for "no limit"
|
||||||
|
max_queries = 0
|
||||||
|
}
|
|
@ -0,0 +1,28 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: e16550c9991a5e76a77f349cfa5b82d5163f172e $
|
||||||
|
|
||||||
|
#
|
||||||
|
# Configuration file for the "rediswho" module.
|
||||||
|
#
|
||||||
|
rediswho {
|
||||||
|
# How many sessions to keep track of per user.
|
||||||
|
# If there are more than this number, older sessions are deleted.
|
||||||
|
trim-count = 15
|
||||||
|
|
||||||
|
# Expiry time in seconds. Any sessions which have not received
|
||||||
|
# an update in this time will be automatically expired.
|
||||||
|
expire-time = 86400
|
||||||
|
|
||||||
|
start-insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}"
|
||||||
|
start-trim = "LTRIM %{User-Name} 0 ${trim-count}"
|
||||||
|
start-expire = "EXPIRE %{User-Name} ${expire-time}"
|
||||||
|
|
||||||
|
alive-insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}"
|
||||||
|
alive-trim = "LTRIM %{User-Name} 0 ${trim-count}"
|
||||||
|
alive-expire = "EXPIRE %{User-Name} ${expire-time}"
|
||||||
|
|
||||||
|
stop-insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}"
|
||||||
|
stop-trim = "LTRIM %{User-Name} 0 ${trim-count}"
|
||||||
|
stop-expire = "EXPIRE %{User-Name} ${expire-time}"
|
||||||
|
}
|
|
@ -0,0 +1,40 @@
|
||||||
|
# Replicate packet(s) to a home server.
|
||||||
|
#
|
||||||
|
# This module will open a new socket for each packet, and "clone"
|
||||||
|
# the incoming packet to the destination realm (i.e. home server).
|
||||||
|
#
|
||||||
|
# Use it by setting "Replicate-To-Realm = name" in the control list,
|
||||||
|
# just like Proxy-To-Realm. The configurations for the two attributes
|
||||||
|
# are identical. The realm must exist, the home_server_pool must exist,
|
||||||
|
# and the home_server must exist.
|
||||||
|
#
|
||||||
|
# The only difference is that the "replicate" module sends requests
|
||||||
|
# and does not expect a reply. Any reply is ignored.
|
||||||
|
#
|
||||||
|
# Both Replicate-To-Realm and Proxy-To-Realm can be used at the same time.
|
||||||
|
#
|
||||||
|
# To use this module, list "replicate" in the "authorize" or
|
||||||
|
# "accounting" section. Then, ensure that Replicate-To-Realm is set.
|
||||||
|
# The contents of the "packet" attribute list will be sent to the
|
||||||
|
# home server. The usual load-balancing, etc. features of the home
|
||||||
|
# server will be used.
|
||||||
|
#
|
||||||
|
# "radmin" can be used to mark home servers alive/dead, in order to
|
||||||
|
# enable/disable replication to specific servers.
|
||||||
|
#
|
||||||
|
# Packets can be replicated to multiple destinations. Just set
|
||||||
|
# Replicate-To-Realm multiple times. One packet will be sent for
|
||||||
|
# each of the Replicate-To-Realm attribute in the "control" list.
|
||||||
|
#
|
||||||
|
# If no packets are sent, the module returns "noop". If at least one
|
||||||
|
# packet is sent, the module returns "ok". If an error occurs, the
|
||||||
|
# module returns "fail"
|
||||||
|
#
|
||||||
|
# Note that replication does NOT change any of the packet statistics.
|
||||||
|
# If you use "radmin" to look at the statistics for a home server,
|
||||||
|
# the replicated packets will cause NO counters to increment. This
|
||||||
|
# is not a bug, this is how replication works.
|
||||||
|
#
|
||||||
|
replicate {
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,16 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 74e64047302d7d8f575672617e8a213aaf5a32d3 $
|
||||||
|
|
||||||
|
# An example configuration for using /etc/smbpasswd.
|
||||||
|
#
|
||||||
|
# See the "passwd" file for documentation on the configuration items
|
||||||
|
# for this module.
|
||||||
|
#
|
||||||
|
passwd smbpasswd {
|
||||||
|
filename = /etc/smbpasswd
|
||||||
|
format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
|
||||||
|
hashsize = 100
|
||||||
|
ignorenislike = no
|
||||||
|
allowmultiplekeys = no
|
||||||
|
}
|
|
@ -0,0 +1,50 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 0a339b4a1b9f1eafeb05992f2643497e802e2a49 $
|
||||||
|
|
||||||
|
# SMS One-time Password system.
|
||||||
|
#
|
||||||
|
# This module will extend FreeRadius with a socks interface to create and
|
||||||
|
# validate One-Time-Passwords. The program for that creates the socket
|
||||||
|
# and interacts with this module is not included here.
|
||||||
|
#
|
||||||
|
# The module does not check the User-Password, this should be done with
|
||||||
|
# the "pap" module. See the example below.
|
||||||
|
#
|
||||||
|
# The module must be used in the "authorize" section to set
|
||||||
|
# Auth-Type properly. The first time through, the module is called
|
||||||
|
# in the "authenticate" section to authenticate the user password, and
|
||||||
|
# to send the challenge. The second time through, it authenticates
|
||||||
|
# the response to the challenge. e.g.:
|
||||||
|
#
|
||||||
|
# authorize {
|
||||||
|
# ...
|
||||||
|
# smsotp
|
||||||
|
# ...
|
||||||
|
# }
|
||||||
|
#
|
||||||
|
# authenticate {
|
||||||
|
# ...
|
||||||
|
# Auth-Type smsotp {
|
||||||
|
# pap
|
||||||
|
# smsotp
|
||||||
|
# }
|
||||||
|
#
|
||||||
|
# Auth-Type smsotp-reply {
|
||||||
|
# smsotp
|
||||||
|
# }
|
||||||
|
# ...
|
||||||
|
# }
|
||||||
|
#
|
||||||
|
smsotp {
|
||||||
|
# The location of the socket.
|
||||||
|
socket = "/var/run/smsotp_socket"
|
||||||
|
|
||||||
|
# Defines the challenge message that will be send to the
|
||||||
|
# NAS. Default is "Enter Mobile PIN" }
|
||||||
|
challenge_message = "Enter Mobile PIN:"
|
||||||
|
|
||||||
|
# Defines the Auth-Type section that is run for the response to
|
||||||
|
# the challenge. Default is "smsotp-reply".
|
||||||
|
challenge_type = "smsotp-reply"
|
||||||
|
}
|
|
@ -0,0 +1,4 @@
|
||||||
|
# SoH module
|
||||||
|
soh {
|
||||||
|
dhcp = yes
|
||||||
|
}
|
|
@ -0,0 +1,92 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 3e6bf2104f74ffad8866eb69459a94f623601130 $
|
||||||
|
|
||||||
|
#
|
||||||
|
# The rlm_sql_log module appends the SQL queries in a log
|
||||||
|
# file which is read later by the radsqlrelay program.
|
||||||
|
#
|
||||||
|
# This module only performs the dynamic expansion of the
|
||||||
|
# variables found in the SQL statements. No operation is
|
||||||
|
# executed on the database server. (this could be done
|
||||||
|
# later by an external program) That means the module is
|
||||||
|
# useful only with non-"SELECT" statements.
|
||||||
|
#
|
||||||
|
# See rlm_sql_log(5) manpage.
|
||||||
|
#
|
||||||
|
# This same functionality could also be implemented by logging
|
||||||
|
# to a "detail" file, reading that, and then writing to SQL.
|
||||||
|
# See raddb/sites-available/buffered-sql for an example.
|
||||||
|
#
|
||||||
|
sql_log {
|
||||||
|
path = "${radacctdir}/sql-relay"
|
||||||
|
acct_table = "radacct"
|
||||||
|
postauth_table = "radpostauth"
|
||||||
|
sql_user_name = "%{%{User-Name}:-DEFAULT}"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Setting this to "yes" will allow UTF-8 characters to be
|
||||||
|
# written to the log file. Otherwise, they are escaped
|
||||||
|
# as being potentially invalid.
|
||||||
|
#
|
||||||
|
utf8 = no
|
||||||
|
|
||||||
|
#
|
||||||
|
# The names here are taken from the Acct-Status-Type names.
|
||||||
|
# Just add another entry here for Accounting-On,
|
||||||
|
# Accounting-Off, etc.
|
||||||
|
#
|
||||||
|
Start = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
|
||||||
|
NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
|
||||||
|
AcctSessionTime, AcctTerminateCause) VALUES \
|
||||||
|
('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
|
||||||
|
'%{Framed-IP-Address}', '%S', '0', '0', '');"
|
||||||
|
|
||||||
|
Stop = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
|
||||||
|
NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
|
||||||
|
AcctSessionTime, AcctTerminateCause) VALUES \
|
||||||
|
('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
|
||||||
|
'%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \
|
||||||
|
'%{Acct-Terminate-Cause}');"
|
||||||
|
|
||||||
|
Alive = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
|
||||||
|
NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
|
||||||
|
AcctSessionTime, AcctTerminateCause) VALUES \
|
||||||
|
('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
|
||||||
|
'%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');"
|
||||||
|
|
||||||
|
# The same as "Alive"
|
||||||
|
Interim-Update = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
|
||||||
|
NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
|
||||||
|
AcctSessionTime, AcctTerminateCause) VALUES \
|
||||||
|
('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
|
||||||
|
'%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');"
|
||||||
|
|
||||||
|
Post-Auth = "INSERT INTO ${postauth_table} \
|
||||||
|
(username, pass, reply, authdate) VALUES \
|
||||||
|
('%{User-Name}', '%{User-Password:-Chap-Password}', \
|
||||||
|
'%{reply:Packet-Type}', '%S');"
|
||||||
|
|
||||||
|
Accounting-On = "UPDATE ${acct_table} \
|
||||||
|
SET \
|
||||||
|
acctstoptime = '%S', \
|
||||||
|
acctsessiontime = unix_timestamp('%S') - \
|
||||||
|
unix_timestamp(acctstarttime), \
|
||||||
|
acctterminatecause = '%{Acct-Terminate-Cause}', \
|
||||||
|
acctstopdelay = %{%{Acct-Delay-Time}:-0} \
|
||||||
|
WHERE acctstoptime IS NULL \
|
||||||
|
AND nasipaddress = '%{NAS-IP-Address}' \
|
||||||
|
AND acctstarttime <= '%S'""
|
||||||
|
|
||||||
|
Accounting-Off = "UPDATE ${acct_table} \
|
||||||
|
SET \
|
||||||
|
acctstoptime = '%S', \
|
||||||
|
acctsessiontime = unix_timestamp('%S') - \
|
||||||
|
unix_timestamp(acctstarttime), \
|
||||||
|
acctterminatecause = '%{Acct-Terminate-Cause}', \
|
||||||
|
acctstopdelay = %{%{Acct-Delay-Time}:-0} \
|
||||||
|
WHERE acctstoptime IS NULL \
|
||||||
|
AND nasipaddress = '%{NAS-IP-Address}' \
|
||||||
|
AND acctstarttime <= '%S'""
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,37 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: c950169307009b088b2c31274f496ffe38e8a793 $
|
||||||
|
|
||||||
|
#
|
||||||
|
# Set an account to expire T seconds after first login.
|
||||||
|
# Requires the Expire-After attribute to be set, in seconds.
|
||||||
|
# You may need to edit raddb/dictionary to add the Expire-After
|
||||||
|
# attribute.
|
||||||
|
#
|
||||||
|
# This example is for MySQL. Other SQL variants should be similar.
|
||||||
|
#
|
||||||
|
# For versions prior to 2.1.11, this module defined the following
|
||||||
|
# expansion strings:
|
||||||
|
#
|
||||||
|
# %k key_name
|
||||||
|
# %S sqlmod_inst
|
||||||
|
#
|
||||||
|
# These SHOULD NOT be used. If these are used in your configuration,
|
||||||
|
# they should be replaced by the following strings, which will work
|
||||||
|
# identically to the previous ones:
|
||||||
|
#
|
||||||
|
# %k ${key}
|
||||||
|
# %S ${sqlmod-inst}
|
||||||
|
#
|
||||||
|
sqlcounter expire_on_login {
|
||||||
|
counter-name = Expire-After-Initial-Login
|
||||||
|
check-name = Expire-After
|
||||||
|
sqlmod-inst = sql
|
||||||
|
key = User-Name
|
||||||
|
reset = never
|
||||||
|
query = "SELECT TIME_TO_SEC(TIMEDIFF(NOW(), acctstarttime)) \
|
||||||
|
FROM radacct \
|
||||||
|
WHERE UserName='%{${key}}' \
|
||||||
|
ORDER BY acctstarttime \
|
||||||
|
LIMIT 1;"
|
||||||
|
}
|
|
@ -0,0 +1,16 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: a7700bac6aaa93940c784f1b6df08b61eb77a1a3 $
|
||||||
|
|
||||||
|
# "Safe" radutmp - does not contain caller ID, so it can be
|
||||||
|
# world-readable, and radwho can work for normal users, without
|
||||||
|
# exposing any information that isn't already exposed by who(1).
|
||||||
|
#
|
||||||
|
# This is another 'instance' of the radutmp module, but it is given
|
||||||
|
# then name "sradutmp" to identify it later in the "accounting"
|
||||||
|
# section.
|
||||||
|
radutmp sradutmp {
|
||||||
|
filename = ${logdir}/sradutmp
|
||||||
|
perm = 0644
|
||||||
|
callerid = "no"
|
||||||
|
}
|
|
@ -0,0 +1,25 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 5165139aaf39d533581161871542b48a6e3e8c42 $
|
||||||
|
|
||||||
|
# Unix /etc/passwd style authentication
|
||||||
|
#
|
||||||
|
# This module calls the system functions to get the "known good"
|
||||||
|
# password. This password is usually in the "crypt" form, and is
|
||||||
|
# incompatible with CHAP, MS-CHAP, PEAP, etc.
|
||||||
|
#
|
||||||
|
# If passwords are in /etc/shadow, you will need to set the "group"
|
||||||
|
# configuration in radiusd.conf. Look for "shadow", and follow the
|
||||||
|
# instructions there.
|
||||||
|
#
|
||||||
|
unix {
|
||||||
|
#
|
||||||
|
# The location of the "wtmp" file.
|
||||||
|
# The only use for 'radlast'. If you don't use
|
||||||
|
# 'radlast', then you can comment out this item.
|
||||||
|
#
|
||||||
|
# Note that the radwtmp file may get large! You should
|
||||||
|
# rotate it (cp /dev/null radwtmp), or just not use it.
|
||||||
|
#
|
||||||
|
radwtmp = ${logdir}/radwtmp
|
||||||
|
}
|
|
@ -0,0 +1,112 @@
|
||||||
|
#
|
||||||
|
# The WiMAX module currently takes no configuration.
|
||||||
|
#
|
||||||
|
# It should be listed in the "authorize" and "preacct" sections.
|
||||||
|
# This enables the module to fix the horrible binary version
|
||||||
|
# of Calling-Station-Id to the normal format, as specified in
|
||||||
|
# RFC 3580, Section 3.21.
|
||||||
|
#
|
||||||
|
# In order to calculate the various WiMAX keys, the module should
|
||||||
|
# be listed in the "post-auth" section. If EAP authentication
|
||||||
|
# has been used, AND the EAP method derives MSK and EMSK, then
|
||||||
|
# the various WiMAX keys can be calculated.
|
||||||
|
#
|
||||||
|
# Some useful things to remember:
|
||||||
|
#
|
||||||
|
# WiMAX-MSK = EAP MSK, but is 64 octets.
|
||||||
|
#
|
||||||
|
# MIP-RK-1 = HMAC-SHA256(ESMK, "miprk@wimaxforum.org" | 0x00020001)
|
||||||
|
# MIP-RK-2 = HMAC-SHA256(ESMK, MIP-RK-1 | "miprk@wimaxforum.org" | 0x00020002)
|
||||||
|
# MIP-RK = MIP-RK-1 | MIP-RK-2
|
||||||
|
#
|
||||||
|
# MIP-SPI = first 4 octets of HMAC-SHA256(MIP-RK, "SPI CMIP PMIP")
|
||||||
|
# plus some magic... you've got to track *all* MIP-SPI's
|
||||||
|
# on your system!
|
||||||
|
#
|
||||||
|
# SPI-CMIP4 = MIP-SPI
|
||||||
|
# SPI-PMIP4 = MIP-SPI + 1
|
||||||
|
# SPI-CMIP6 = MIP-SPI + 2
|
||||||
|
#
|
||||||
|
# MN-NAI is the Mobile node NAI. You have to create it, and put
|
||||||
|
# it into the request or reply as something like:
|
||||||
|
#
|
||||||
|
# WiMAX-MN-NAI = "%{User-Name}"
|
||||||
|
#
|
||||||
|
# You will also have to have the appropriate IP address (v4 or v6)
|
||||||
|
# in order to calculate the keys below.
|
||||||
|
#
|
||||||
|
# Lifetimes are derived from Session-Timeout. It needs to be set
|
||||||
|
# to some useful number.
|
||||||
|
#
|
||||||
|
# The hash function below H() is HMAC-SHA1.
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# MN-HA-CMIP4 = H(MIP-RK, "CMIP4 MN HA" | HA-IPv4 | MN-NAI)
|
||||||
|
#
|
||||||
|
# Where HA-IPv4 is WiMAX-hHA-IP-MIP4
|
||||||
|
# or maybe WiMAX-vHA-IP-MIP4
|
||||||
|
#
|
||||||
|
# Which goes into WiMAX-MN-hHA-MIP4-Key
|
||||||
|
# or maybe WiMAX-RRQ-MN-HA-Key
|
||||||
|
# or maybe even WiMAX-vHA-MIP4-Key
|
||||||
|
#
|
||||||
|
# The corresponding SPI is SPI-CMIP4, which is MIP-SPI,
|
||||||
|
#
|
||||||
|
# which goes into WiMAX-MN-hHA-MIP4-SPI
|
||||||
|
# or maybe WiMAX-RRQ-MN-HA-SPI
|
||||||
|
# or even WiMAX-MN-vHA-MIP4-SPI
|
||||||
|
#
|
||||||
|
# MN-HA-PMIP4 = H(MIP-RK, "PMIP4 MN HA" | HA-IPv4 | MN-NAI)
|
||||||
|
# MN-HA-CMIP6 = H(MIP-RK, "CMIP6 MN HA" | HA-IPv6 | MN-NAI)
|
||||||
|
#
|
||||||
|
# both with similar comments to above for MN-HA-CMIP4.
|
||||||
|
#
|
||||||
|
# In order to tell which one to use (CMIP4, PMIP4, or CMIP6),
|
||||||
|
# you have to set WiMAX-IP-Technology in the reply to one of
|
||||||
|
# the appropriate values.
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# FA-RK = H(MIP-RK, "FA-RK")
|
||||||
|
#
|
||||||
|
# MN-FA = H(FA-RK, "MN FA" | FA-IP | MN-NAI)
|
||||||
|
#
|
||||||
|
# Where does the FA-IP come from? No idea...
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# The next two keys (HA-RK and FA-HA) are not generated
|
||||||
|
# for every authentication request, but only on demand.
|
||||||
|
#
|
||||||
|
# HA-RK = 160-bit random number assigned by the AAA server
|
||||||
|
# to a specific HA.
|
||||||
|
#
|
||||||
|
# FA-HA = H(HA-RK, "FA-HA" | HA-IPv4 | FA-CoAv4 | SPI)
|
||||||
|
#
|
||||||
|
# where HA-IPv4 is as above.
|
||||||
|
# and FA-CoAv4 address of the FA as seen by the HA
|
||||||
|
# and SPI is the relevant SPI for the HA-RK.
|
||||||
|
#
|
||||||
|
# DHCP-RK = 160-bit random number assigned by the AAA server
|
||||||
|
# to a specific DHCP server. vDHCP-RK is the same
|
||||||
|
# thing.
|
||||||
|
#
|
||||||
|
wimax {
|
||||||
|
#
|
||||||
|
# Some WiMAX equipement requires that the MS-MPPE-*-Key
|
||||||
|
# attributes are sent in the Access-Accept, in addition to
|
||||||
|
# the WiMAX-MSK attribute.
|
||||||
|
#
|
||||||
|
# Other WiMAX equipment request that the MS-MPPE-*-Key
|
||||||
|
# attributes are NOT sent in the Access-Accept.
|
||||||
|
#
|
||||||
|
# By default, the EAP modules sends MS-MPPE-*-Key attributes.
|
||||||
|
# The default virtual server (raddb/sites-available/default)
|
||||||
|
# contains examples of adding the WiMAX-MSK.
|
||||||
|
#
|
||||||
|
# This configuration option makes the WiMAX module delete
|
||||||
|
# the MS-MPPE-*-Key attributes. The default is to leave
|
||||||
|
# them in place.
|
||||||
|
#
|
||||||
|
# If the keys are deleted (by setting this to "yes"), then
|
||||||
|
# the WiMAX-MSK attribute is automatically added to the reply.
|
||||||
|
delete_mppe_keys = no
|
||||||
|
}
|
|
@ -0,0 +1,283 @@
|
||||||
|
# -*- text -*-
|
||||||
|
##
|
||||||
|
## policy.conf -- FreeRADIUS server configuration file.
|
||||||
|
##
|
||||||
|
## http://www.freeradius.org/
|
||||||
|
## $Id: 2668b29e3eee8eb9bfb9fbe33a6752314ac49632 $
|
||||||
|
##
|
||||||
|
|
||||||
|
#
|
||||||
|
# Policies are virtual modules, similar to those defined in the
|
||||||
|
# "instantate" section of radiusd.conf.
|
||||||
|
#
|
||||||
|
# Defining a policy here means that it can be referenced in multiple
|
||||||
|
# places as a *name*, rather than as a series of conditions to match,
|
||||||
|
# and actions to take.
|
||||||
|
#
|
||||||
|
# Policies are something like subroutines in a normal language, but
|
||||||
|
# they cannot be called recursively. They MUST be defined in order.
|
||||||
|
# If policy A calls policy B, then B MUST be defined before A.
|
||||||
|
#
|
||||||
|
policy {
|
||||||
|
#
|
||||||
|
# Forbid all EAP types.
|
||||||
|
#
|
||||||
|
forbid_eap {
|
||||||
|
if (EAP-Message) {
|
||||||
|
reject
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Forbid all non-EAP types outside of an EAP tunnel.
|
||||||
|
#
|
||||||
|
permit_only_eap {
|
||||||
|
if (!EAP-Message) {
|
||||||
|
# We MAY be inside of a TTLS tunnel.
|
||||||
|
# PEAP and EAP-FAST require EAP inside of
|
||||||
|
# the tunnel, so this check is OK.
|
||||||
|
# If so, then there MUST be an outer EAP message.
|
||||||
|
if (!"%{outer.request:EAP-Message}") {
|
||||||
|
reject
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Forbid all attempts to login via realms.
|
||||||
|
#
|
||||||
|
deny_realms {
|
||||||
|
if (User-Name =~ /@|\\/) {
|
||||||
|
reject
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you want the server to pretend that it is dead,
|
||||||
|
# then use the "do_not_respond" policy.
|
||||||
|
#
|
||||||
|
do_not_respond {
|
||||||
|
update control {
|
||||||
|
Response-Packet-Type := Do-Not-Respond
|
||||||
|
}
|
||||||
|
|
||||||
|
handled
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Force some sanity on User-Name. This helps to avoid issues
|
||||||
|
# issues where the back-end database is "forgiving" about
|
||||||
|
# what constitutes a user name.
|
||||||
|
#
|
||||||
|
filter_username {
|
||||||
|
#
|
||||||
|
# reject mixed case
|
||||||
|
# e.g. "UseRNaMe"
|
||||||
|
#
|
||||||
|
if (User-Name != "%{tolower:%{User-Name}}") {
|
||||||
|
reject
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# reject all whitespace
|
||||||
|
# e.g. "user@ site.com", or "us er", or " user", or "user "
|
||||||
|
#
|
||||||
|
if (User-Name =~ / /) {
|
||||||
|
update reply {
|
||||||
|
Reply-Message += "Rejected: Username contains whitespace"
|
||||||
|
}
|
||||||
|
reject
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# reject Multiple @'s
|
||||||
|
# e.g. "user@site.com@site.com"
|
||||||
|
#
|
||||||
|
if(User-Name =~ /@.*@/ ) {
|
||||||
|
update reply {
|
||||||
|
Reply-Message += "Rejected: Multiple @ in username"
|
||||||
|
}
|
||||||
|
reject
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# reject double dots
|
||||||
|
# e.g. "user@site..com"
|
||||||
|
#
|
||||||
|
if (User-Name =~ /\\.\\./ ) {
|
||||||
|
update reply {
|
||||||
|
Reply-Message += "Rejected: Username comtains ..s"
|
||||||
|
}
|
||||||
|
reject
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# must have at least 1 string-dot-string after @
|
||||||
|
# e.g. "user@site.com"
|
||||||
|
#
|
||||||
|
if (User-Name !~ /@(.+)\\.(.+)$/) {
|
||||||
|
update reply {
|
||||||
|
Reply-Message += "Rejected: Realm does not have at least one dot seperator"
|
||||||
|
}
|
||||||
|
reject
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Realm ends with a dot
|
||||||
|
# e.g. "user@site.com."
|
||||||
|
#
|
||||||
|
if (User-Name =~ /\\.$/) {
|
||||||
|
update reply {
|
||||||
|
Reply-Message += "Rejected: Realm ends with a dot"
|
||||||
|
}
|
||||||
|
reject
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Realm begins with a dot
|
||||||
|
# e.g. "user@.site.com"
|
||||||
|
#
|
||||||
|
if (User-Name =~ /@\\./) {
|
||||||
|
update reply {
|
||||||
|
Reply-Message += "Rejected: Realm begins with a dot"
|
||||||
|
}
|
||||||
|
reject
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# The following policies are for the Chargeable-User-Identity
|
||||||
|
# (CUI) configuration.
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# The client indicates it can do CUI by sending a CUI attribute
|
||||||
|
# containing one zero byte
|
||||||
|
#
|
||||||
|
cui_authorize {
|
||||||
|
update request {
|
||||||
|
Chargeable-User-Identity:='\\000'
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Add a CUI attribute based on the User-Name, and a secret key
|
||||||
|
# known only to this server.
|
||||||
|
#
|
||||||
|
cui_postauth {
|
||||||
|
if (FreeRadius-Proxied-To == 127.0.0.1) {
|
||||||
|
if (outer.request:Chargeable-User-Identity) {
|
||||||
|
update outer.reply {
|
||||||
|
Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
if (Chargeable-User-Identity) {
|
||||||
|
update reply {
|
||||||
|
Chargeable-User-Identity="%{md5:%{config:cui_hash_key}%{User-Name}}"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# If there is a CUI attribute in the reply, add it to the DB.
|
||||||
|
#
|
||||||
|
cui_updatedb {
|
||||||
|
if (reply:Chargeable-User-Identity) {
|
||||||
|
cui
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# If we had stored a CUI for the User, add it to the request.
|
||||||
|
#
|
||||||
|
cui_accounting {
|
||||||
|
#
|
||||||
|
# If the CUI isn't in the packet, see if we can find it
|
||||||
|
# in the DB.
|
||||||
|
#
|
||||||
|
if (!Chargeable-User-Identity) {
|
||||||
|
update request {
|
||||||
|
Chargeable-User-Identity := "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# If it exists now, then write out when we last saw
|
||||||
|
# this CUI.
|
||||||
|
#
|
||||||
|
if (Chargeable-User-Identity && (Chargeable-User-Identity != "")) {
|
||||||
|
cui
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Normalize the MAC Addresses in the Calling/Called-Station-Id
|
||||||
|
#
|
||||||
|
mac-addr = ([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})
|
||||||
|
|
||||||
|
# Add "rewrite.called_station_id" in the "authorize" and "preacct"
|
||||||
|
# sections.
|
||||||
|
rewrite.called_station_id {
|
||||||
|
if((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) {
|
||||||
|
update request {
|
||||||
|
Called-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
|
||||||
|
}
|
||||||
|
|
||||||
|
# SSID component?
|
||||||
|
if ("%{8}") {
|
||||||
|
update request {
|
||||||
|
Called-Station-Id := "%{Called-Station-Id}:%{8}"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
updated
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
noop
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Add "rewrite.calling_station_id" in the "authorize" and "preacct"
|
||||||
|
# sections.
|
||||||
|
rewrite.calling_station_id {
|
||||||
|
if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {
|
||||||
|
update request {
|
||||||
|
Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
|
||||||
|
}
|
||||||
|
updated
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
noop
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Assign compatibility data to request for sqlippool
|
||||||
|
dhcp_sqlippool.post-auth {
|
||||||
|
|
||||||
|
|
||||||
|
# Do some minor hacks to the request so that it looks
|
||||||
|
# like a RADIUS request to the SQL IP Pool module.
|
||||||
|
update request {
|
||||||
|
User-Name = "DHCP-%{DHCP-Client-Hardware-Address}"
|
||||||
|
Calling-Station-Id = "%{DHCP-Client-Hardware-Address}"
|
||||||
|
NAS-IP-Address = "%{%{DHCP-Gateway-IP-Address}:-127.0.0.1}"
|
||||||
|
Acct-Status-Type = Start
|
||||||
|
}
|
||||||
|
|
||||||
|
# Call the actual module
|
||||||
|
#
|
||||||
|
# Uncomment this in order to really call it!
|
||||||
|
# dhcp_sqlippool
|
||||||
|
fail
|
||||||
|
|
||||||
|
# Convert Framed-IP-Address to DHCP, but only if we
|
||||||
|
# actually allocated an address.
|
||||||
|
if (ok) {
|
||||||
|
update reply {
|
||||||
|
DHCP-Your-IP-Address = "%{reply:Framed-IP-Address}"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,185 @@
|
||||||
|
#
|
||||||
|
# Sample of a policy language for rlm_policy.
|
||||||
|
#
|
||||||
|
# This is NOT the "unlang" policy, and has NO RELATION to "unlang"!
|
||||||
|
# The syntax is different, and the functionality is different.
|
||||||
|
#
|
||||||
|
|
||||||
|
# As of 2.0.0, the new configuration "un-language" is better
|
||||||
|
# tested, has more features, and is better integrated into the
|
||||||
|
# server than the rlm_policy module. rlm_policy is deprecated,
|
||||||
|
# and will likely be removed in a future release.
|
||||||
|
#
|
||||||
|
# There is no documentation other than this file.
|
||||||
|
#
|
||||||
|
# The syntax is odd, but it sort of works.
|
||||||
|
#
|
||||||
|
# A number of sites are using it in production servers,
|
||||||
|
# so it appears to be stable. However, we cannot answer
|
||||||
|
# questions about it, because we use "unlang", instead of
|
||||||
|
# this file.
|
||||||
|
#
|
||||||
|
# $Id: 1f62c55ae236dc9359764f4729f7ea4a8d36e2df $
|
||||||
|
#
|
||||||
|
# Debugging statements
|
||||||
|
#
|
||||||
|
#debug print_tokens # as we're parsing this file
|
||||||
|
debug print_policy # once the file has been parsed
|
||||||
|
|
||||||
|
# Using this requires code edits to rlm_policy/evaluate.c
|
||||||
|
#debug evaluate # print limited information during evaluation
|
||||||
|
|
||||||
|
#
|
||||||
|
# A named policy.
|
||||||
|
#
|
||||||
|
policy 3pm {
|
||||||
|
if (Time-Of-Day < "15:00") {
|
||||||
|
#
|
||||||
|
# The general form of edits to the attribute lists:
|
||||||
|
#
|
||||||
|
# name s-operator {
|
||||||
|
# Attribute-Name = Value
|
||||||
|
# }
|
||||||
|
#
|
||||||
|
# name is: request, reply, control, proxy-request, proxy-reply
|
||||||
|
#
|
||||||
|
# s-operator is operator for section, not attributes:
|
||||||
|
#
|
||||||
|
# = append, using operators from attributes
|
||||||
|
# .= append attributes, ignoring operators from attributes
|
||||||
|
# ^= add to head of list
|
||||||
|
# ^== add BEFORE matching attribute
|
||||||
|
# ^. append
|
||||||
|
# ^.= append BEFORE matching attribute
|
||||||
|
# $= add AFTER (same as =)
|
||||||
|
# $== add AFTER matching attribute
|
||||||
|
# $. add after (same as .=)
|
||||||
|
# $.= add after matching
|
||||||
|
#
|
||||||
|
# If the above explanation confuses you, don't ask. Try various
|
||||||
|
# configurations to see what happens. The results are difficult
|
||||||
|
# to explain, but easy to understand once you see them in action.
|
||||||
|
#
|
||||||
|
# The "matching attribute" text above refers to the syntax:
|
||||||
|
#
|
||||||
|
# name s-operator (match) {
|
||||||
|
# Attribute-Name = Value
|
||||||
|
# }
|
||||||
|
#
|
||||||
|
# Where "match" is something like: User-Name == "bob"
|
||||||
|
#
|
||||||
|
# This lets you insert/edit/update attributes by selected
|
||||||
|
# position, which can be useful.
|
||||||
|
#
|
||||||
|
reply .= {
|
||||||
|
# Use ARAP-Password for testing because it's an attribute
|
||||||
|
# no one cares about.
|
||||||
|
ARAP-Password = "< 15:00"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# A named policy, executed during the "authorize" phase,
|
||||||
|
# because it's named "authorize".
|
||||||
|
#
|
||||||
|
policy authorize {
|
||||||
|
if (CHAP-Password) {
|
||||||
|
if (!CHAP-Challenge) {
|
||||||
|
print "Adding CHAP-Challenge = %{request:Packet-Authentication-Vector}\n"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Append all attributes to the specified list.
|
||||||
|
# The per-attribute operators MUST be '='
|
||||||
|
#
|
||||||
|
request .= {
|
||||||
|
CHAP-Challenge = "%{request:Packet-Authentication-Vector}"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Use per-attribute operators to do override, replace, etc.
|
||||||
|
# It's "control", not "check items", because "check items"
|
||||||
|
# is a hold-over from the "users" file, and we no longer like that.
|
||||||
|
#
|
||||||
|
control = {
|
||||||
|
Auth-Type := CHAP
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# This could just as well be "%{ldap: query...}" =~ ...
|
||||||
|
#
|
||||||
|
# if ("%{User-Name}" =~ "^(b)") {
|
||||||
|
# reply .= {
|
||||||
|
# Arap-Password = "Hello, %{1}"
|
||||||
|
# }
|
||||||
|
# }
|
||||||
|
|
||||||
|
#
|
||||||
|
# Execute "3pm", as if it was in-line here.
|
||||||
|
#
|
||||||
|
# call 3pm
|
||||||
|
}
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# The following entries are for example purposes only.
|
||||||
|
#
|
||||||
|
|
||||||
|
# Insert the attribute at the top of the list.
|
||||||
|
#
|
||||||
|
#reply ^= {
|
||||||
|
# Attribute1 += "Value1"
|
||||||
|
#}
|
||||||
|
|
||||||
|
|
||||||
|
# Insert attribute1 before Attribute2 if found, otherwise it behaves
|
||||||
|
# like ^=
|
||||||
|
#reply ^== ( Attribute2 == "Value2" ) {
|
||||||
|
# Attribute1 += "Value1"
|
||||||
|
#}
|
||||||
|
|
||||||
|
# ^. and ^.= have the same difference as .= and =
|
||||||
|
# namely they append the attribute list instead of looking at the
|
||||||
|
# attribute operators.
|
||||||
|
#
|
||||||
|
# Otherwise they are the same.
|
||||||
|
|
||||||
|
# Motivation:
|
||||||
|
#
|
||||||
|
# Cisco NAS's will kick users who assign a VRF after assigning an IP
|
||||||
|
# address. The VRF must come first.
|
||||||
|
#
|
||||||
|
# A sample policy to fix this is:
|
||||||
|
#
|
||||||
|
policy add_inter_vrf {
|
||||||
|
#
|
||||||
|
# If there's a matching lcp:...,
|
||||||
|
# then add the vrf entry before it.
|
||||||
|
#
|
||||||
|
reply ^== ( reply:Cisco-Avpair =~ "lcp:interface-config") {
|
||||||
|
Cisco-Avpair += "lcp:interface-config=ip vrf forwarding CHL-PRIVATE"
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# If there's no ip address thingy,
|
||||||
|
# add ip unnumbered after the vrf stuff.
|
||||||
|
#
|
||||||
|
if (!reply:Cisco-Avpair =~ "lcp:interface-config=ip address.*") {
|
||||||
|
reply $== (reply:Cisco-AVpair == "lcp:interface-config=ip vrf forwarding CHL-PRIVATE") {
|
||||||
|
Cisco-Avpair += "lcp:interface-config=ip unnumbered l10"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# No IP address assigned through RADIUS, tell the Cisco
|
||||||
|
# NAS to assign it from it's own private IP pool.
|
||||||
|
#
|
||||||
|
if (!reply:Framed-IP-Address =* "") {
|
||||||
|
reply = {
|
||||||
|
Cisco-Avpair += "ip:addr-pool=privatepool"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,31 @@
|
||||||
|
#
|
||||||
|
# Configuration file for the rlm_files module.
|
||||||
|
# Please see rlm_files(5) manpage for more information.
|
||||||
|
#
|
||||||
|
# $Id: 0f5d15ad8b2e96a4d65808ac949793aab5c1c639 $
|
||||||
|
#
|
||||||
|
# This file is similar to the "users" file. The check items
|
||||||
|
# are compared against the request, but the "reply" items are
|
||||||
|
# used to update the proxied packet, not the reply to the NAS.
|
||||||
|
#
|
||||||
|
# You can use this file to re-write requests which are about to
|
||||||
|
# be sent to a home server.
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# Requests destinated to realm "extisp" are sent to a RADIUS
|
||||||
|
# home server hosted by an other company which doesn't know about
|
||||||
|
# the IP addresses of our NASes. Therefore we replace the value of
|
||||||
|
# the NAS-IP-Address attribute by a unique value we communicated
|
||||||
|
# to them.
|
||||||
|
#
|
||||||
|
#DEFAULT Realm == "extisp"
|
||||||
|
# NAS-IP-Address := 10.1.2.3
|
||||||
|
|
||||||
|
#
|
||||||
|
# For all proxied packets, set the User-Name in the proxied packet
|
||||||
|
# to the Stripped-User-Name, if it exists. If not, set it to the
|
||||||
|
# User-Name from the original request.
|
||||||
|
#
|
||||||
|
#DEFAULT
|
||||||
|
# User-Name := `%{Stripped-User-Name:-%{User-Name}}`
|
|
@ -0,0 +1,759 @@
|
||||||
|
# -*- text -*-
|
||||||
|
##
|
||||||
|
## proxy.conf -- proxy radius and realm configuration directives
|
||||||
|
##
|
||||||
|
## $Id: 413fc1438f266669a8e8913307f465da190c1ce8 $
|
||||||
|
|
||||||
|
#######################################################################
|
||||||
|
#
|
||||||
|
# Proxy server configuration
|
||||||
|
#
|
||||||
|
# This entry controls the servers behaviour towards ALL other servers
|
||||||
|
# to which it sends proxy requests.
|
||||||
|
#
|
||||||
|
proxy server {
|
||||||
|
#
|
||||||
|
# Note that as of 2.0, the "synchronous", "retry_delay",
|
||||||
|
# "retry_count", and "dead_time" have all been deprecated.
|
||||||
|
# For backwards compatibility, they are are still accepted
|
||||||
|
# by the server, but they ONLY apply to the old-style realm
|
||||||
|
# configuration. i.e. realms with "authhost" and/or "accthost"
|
||||||
|
# entries.
|
||||||
|
#
|
||||||
|
# i.e. "retry_delay" and "retry_count" have been replaced
|
||||||
|
# with per-home-server configuration. See the "home_server"
|
||||||
|
# example below for details.
|
||||||
|
#
|
||||||
|
# i.e. "dead_time" has been replaced with a per-home-server
|
||||||
|
# "revive_interval". We strongly recommend that this not
|
||||||
|
# be used, however. The new method is much better.
|
||||||
|
|
||||||
|
#
|
||||||
|
# In 2.0, the server is always "synchronous", and setting
|
||||||
|
# "synchronous = no" is impossible. This simplifies the
|
||||||
|
# server and increases the stability of the network.
|
||||||
|
# However, it means that the server (i.e. proxy) NEVER
|
||||||
|
# originates packets. It proxies packets ONLY when it receives
|
||||||
|
# a packet or a re-transmission from the NAS. If the NAS never
|
||||||
|
# re-transmits, the proxy never re-transmits, either. This can
|
||||||
|
# affect fail-over, where a packet does *not* fail over to a
|
||||||
|
# second home server.. because the NAS never retransmits the
|
||||||
|
# packet.
|
||||||
|
#
|
||||||
|
# If you need to set "synchronous = no", please send a
|
||||||
|
# message to the list <freeradius-users@lists.freeradius.org>
|
||||||
|
# explaining why this feature is vital for your network.
|
||||||
|
|
||||||
|
#
|
||||||
|
# If a realm exists, but there are no live home servers for
|
||||||
|
# it, we can fall back to using the "DEFAULT" realm. This is
|
||||||
|
# most useful for accounting, where the server can proxy
|
||||||
|
# accounting requests to home servers, but if they're down,
|
||||||
|
# use a DEFAULT realm that is LOCAL (i.e. accthost = LOCAL),
|
||||||
|
# and then store the packets in the "detail" file. That data
|
||||||
|
# can be later proxied to the home servers by radrelay, when
|
||||||
|
# those home servers come back up again.
|
||||||
|
|
||||||
|
# Setting this to "yes" may have issues for authentication.
|
||||||
|
# i.e. If you are proxying for two different ISP's, and then
|
||||||
|
# act as a general dial-up for Gric. If one of the first two
|
||||||
|
# ISP's has their RADIUS server go down, you do NOT want to
|
||||||
|
# proxy those requests to GRIC. Instead, you probably want
|
||||||
|
# to just drop the requests on the floor. In that case, set
|
||||||
|
# this value to 'no'.
|
||||||
|
#
|
||||||
|
# allowed values: {yes, no}
|
||||||
|
#
|
||||||
|
default_fallback = no
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
#######################################################################
|
||||||
|
#
|
||||||
|
# Configuration for the proxy realms.
|
||||||
|
#
|
||||||
|
# As of 2.0. the old-style "realms" file is deprecated, and is not
|
||||||
|
# used by FreeRADIUS.
|
||||||
|
#
|
||||||
|
# As of 2.0, the "realm" configuration has changed. Instead of
|
||||||
|
# specifying "authhost" and "accthost" in a realm section, the home
|
||||||
|
# servers are specified seperately in a "home_server" section. For
|
||||||
|
# backwards compatibility, you can still use the "authhost" and
|
||||||
|
# "accthost" directives. If you only have one home server for a
|
||||||
|
# realm, it is easier to use the old-style configuration.
|
||||||
|
#
|
||||||
|
# However, if you have multiple servers for a realm, we STRONGLY
|
||||||
|
# suggest moving to the new-style configuration.
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Load-balancing and failover between home servers is handled via
|
||||||
|
# a "home_server_pool" section.
|
||||||
|
#
|
||||||
|
# Finally, The "realm" section defines the realm, some options, and
|
||||||
|
# indicates which server pool should be used for the realm.
|
||||||
|
#
|
||||||
|
# This change means that simple configurations now require multiple
|
||||||
|
# sections to define a realm. However, complex configurations
|
||||||
|
# are much simpler than before, as multiple realms can share the same
|
||||||
|
# server pool.
|
||||||
|
#
|
||||||
|
# That is, realms point to server pools, and server pools point to
|
||||||
|
# home servers. Multiple realms can point to one server pool. One
|
||||||
|
# server pool can point to multiple home servers. Each home server
|
||||||
|
# can appear in one or more pools.
|
||||||
|
#
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# This section defines a "Home Server" which is another RADIUS
|
||||||
|
# server that gets sent proxied requests. In earlier versions
|
||||||
|
# of FreeRADIUS, home servers were defined in "realm" sections,
|
||||||
|
# which was awkward. In 2.0, they have been made independent
|
||||||
|
# from realms, which is better for a number of reasons.
|
||||||
|
#
|
||||||
|
home_server localhost {
|
||||||
|
#
|
||||||
|
# Home servers can be sent Access-Request packets
|
||||||
|
# or Accounting-Request packets.
|
||||||
|
#
|
||||||
|
# Allowed values are:
|
||||||
|
# auth - Handles Access-Request packets
|
||||||
|
# acct - Handles Accounting-Request packets
|
||||||
|
# auth+acct - Handles Access-Request packets at "port",
|
||||||
|
# and Accounting-Request packets at "port + 1"
|
||||||
|
# coa - Handles CoA-Request and Disconnect-Request packets.
|
||||||
|
# See also raddb/sites-available/originate-coa
|
||||||
|
type = auth
|
||||||
|
|
||||||
|
#
|
||||||
|
# Configure ONE OF the following entries:
|
||||||
|
#
|
||||||
|
# IPv4 address
|
||||||
|
#
|
||||||
|
ipaddr = 127.0.0.1
|
||||||
|
|
||||||
|
# OR IPv6 address
|
||||||
|
# ipv6addr = ::1
|
||||||
|
|
||||||
|
# OR virtual server
|
||||||
|
# virtual_server = foo
|
||||||
|
|
||||||
|
# Note that while both ipaddr and ipv6addr will accept
|
||||||
|
# both addresses and host names, we do NOT recommend
|
||||||
|
# using host names. When you specify a host name, the
|
||||||
|
# server has to do a DNS lookup to find the IP address
|
||||||
|
# of the home server. If the DNS server is slow or
|
||||||
|
# unresponsive, it means that FreeRADIUS will NOT be
|
||||||
|
# able to determine the address, and will therefore NOT
|
||||||
|
# start.
|
||||||
|
#
|
||||||
|
# Also, the mapping of host name to address is done ONCE
|
||||||
|
# when the server starts. If DNS is later updated to
|
||||||
|
# change the address, FreeRADIUS will NOT discover that
|
||||||
|
# until after a re-start, or a HUP.
|
||||||
|
#
|
||||||
|
# If you specify a virtual_server here, then requests
|
||||||
|
# will be proxied internally to that virtual server.
|
||||||
|
# These requests CANNOT be proxied again, however. The
|
||||||
|
# intent is to have the local server handle packets
|
||||||
|
# when all home servers are dead.
|
||||||
|
#
|
||||||
|
# Requests proxied to a virtual server will be passed
|
||||||
|
# through the pre-proxy and post-proxy sections, just
|
||||||
|
# like any other request. See also the sample "realm"
|
||||||
|
# configuration, below.
|
||||||
|
#
|
||||||
|
# None of the rest of the home_server configuration is used
|
||||||
|
# for the "virtual_server" configuration.
|
||||||
|
|
||||||
|
#
|
||||||
|
# The port to which packets are sent.
|
||||||
|
#
|
||||||
|
# Usually 1812 for type "auth", and 1813 for type "acct".
|
||||||
|
# Older servers may use 1645 and 1646.
|
||||||
|
# Use 3799 for type "coa"
|
||||||
|
#
|
||||||
|
port = 1812
|
||||||
|
|
||||||
|
#
|
||||||
|
# The shared secret use to "encrypt" and "sign" packets between
|
||||||
|
# FreeRADIUS and the home server.
|
||||||
|
#
|
||||||
|
# The secret can be any string, up to 8k characters in length.
|
||||||
|
#
|
||||||
|
# Control codes can be entered vi octal encoding,
|
||||||
|
# e.g. "\101\102" == "AB"
|
||||||
|
# Quotation marks can be entered by escaping them,
|
||||||
|
# e.g. "foo\"bar"
|
||||||
|
# Spaces or other "special" characters can be entered
|
||||||
|
# by putting quotes around the string.
|
||||||
|
# e.g. "foo bar"
|
||||||
|
# "foo;bar"
|
||||||
|
#
|
||||||
|
secret = testing123
|
||||||
|
|
||||||
|
############################################################
|
||||||
|
#
|
||||||
|
# The rest of the configuration items listed here are optional,
|
||||||
|
# and do not have to appear in every home server definition.
|
||||||
|
#
|
||||||
|
############################################################
|
||||||
|
|
||||||
|
#
|
||||||
|
# You can optionally specify the source IP address used when
|
||||||
|
# proxying requests to this home server. When the src_ipaddr
|
||||||
|
# it set, the server will automatically create a proxy
|
||||||
|
# listener for that IP address.
|
||||||
|
#
|
||||||
|
# If you specify this field for one home server, you will
|
||||||
|
# likely need to specify it for ALL home servers.
|
||||||
|
#
|
||||||
|
# If you don't care about the source IP address, leave this
|
||||||
|
# entry commented.
|
||||||
|
#
|
||||||
|
# src_ipaddr = 127.0.0.1
|
||||||
|
|
||||||
|
# RFC 5080 suggests that all clients SHOULD include it in an
|
||||||
|
# Access-Request. The configuration item below tells the
|
||||||
|
# proxying server (i.e. this one) whether or not the home
|
||||||
|
# server requires a Message-Authenticator attribute. If it
|
||||||
|
# is required (value set to "yes"), then all Access-Request
|
||||||
|
# packets sent to that home server will have a
|
||||||
|
# Message-Authenticator attribute.
|
||||||
|
#
|
||||||
|
# We STRONGLY recommend that this flag be set to "yes"
|
||||||
|
# for ALL home servers. Doing so will have no performance
|
||||||
|
# impact on the proxy or on the home servers. It will,
|
||||||
|
# however, allow administrators to detect problems earlier.
|
||||||
|
#
|
||||||
|
# allowed values: yes, no
|
||||||
|
require_message_authenticator = yes
|
||||||
|
|
||||||
|
#
|
||||||
|
# If the home server does not respond to a request within
|
||||||
|
# this time, this server will initiate "zombie_period".
|
||||||
|
#
|
||||||
|
# The response window is large because responses MAY be slow,
|
||||||
|
# especially when proxying across the Internet.
|
||||||
|
#
|
||||||
|
# Useful range of values: 5 to 60
|
||||||
|
response_window = 20
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you want the old behavior of the server rejecting
|
||||||
|
# proxied requests after "response_window" timeout, set
|
||||||
|
# the following configuration item to "yes".
|
||||||
|
#
|
||||||
|
# This configuration WILL be removed in a future release
|
||||||
|
# If you believe you need it, email the freeradius-users
|
||||||
|
# list, and explain why it should stay in the server.
|
||||||
|
#
|
||||||
|
# no_response_fail = no
|
||||||
|
|
||||||
|
#
|
||||||
|
# If the home server does not respond to ANY packets during
|
||||||
|
# the "zombie period", it will be considered to be dead.
|
||||||
|
#
|
||||||
|
# A home server that is marked "zombie" will be used for
|
||||||
|
# proxying as a low priority. If there are live servers,
|
||||||
|
# they will always be preferred to a zombie. Requests will
|
||||||
|
# be proxied to a zombie server ONLY when there are no
|
||||||
|
# live servers.
|
||||||
|
#
|
||||||
|
# Any request that is proxied to a home server will continue
|
||||||
|
# to be sent to that home server until the home server is
|
||||||
|
# marked dead. At that point, it will fail over to another
|
||||||
|
# server, if a live server is available. If none is available,
|
||||||
|
# then the "post-proxy-type fail" handler will be called.
|
||||||
|
#
|
||||||
|
# If "status_check" below is something other than "none", then
|
||||||
|
# the server will start sending status checks at the start of
|
||||||
|
# the zombie period. It will continue sending status checks
|
||||||
|
# until the home server is marked "alive".
|
||||||
|
#
|
||||||
|
# Useful range of values: 20 to 120
|
||||||
|
zombie_period = 40
|
||||||
|
|
||||||
|
############################################################
|
||||||
|
#
|
||||||
|
# As of 2.0, FreeRADIUS supports RADIUS layer "status
|
||||||
|
# checks". These are used by a proxy server to see if a home
|
||||||
|
# server is alive.
|
||||||
|
#
|
||||||
|
# These status packets are sent ONLY if the proxying server
|
||||||
|
# believes that the home server is dead. They are NOT sent
|
||||||
|
# if the proxying server believes that the home server is
|
||||||
|
# alive. They are NOT sent if the proxying server is not
|
||||||
|
# proxying packets.
|
||||||
|
#
|
||||||
|
# If the home server responds to the status check packet,
|
||||||
|
# then it is marked alive again, and is returned to use.
|
||||||
|
#
|
||||||
|
############################################################
|
||||||
|
|
||||||
|
#
|
||||||
|
# Some home servers do not support status checks via the
|
||||||
|
# Status-Server packet. Others may not have a "test" user
|
||||||
|
# configured that can be used to query the server, to see if
|
||||||
|
# it is alive. For those servers, we have NO WAY of knowing
|
||||||
|
# when it becomes alive again. Therefore, after the server
|
||||||
|
# has been marked dead, we wait a period of time, and mark
|
||||||
|
# it alive again, in the hope that it has come back to
|
||||||
|
# life.
|
||||||
|
#
|
||||||
|
# If it has NOT come back to life, then FreeRADIUS will wait
|
||||||
|
# for "zombie_period" before marking it dead again. During
|
||||||
|
# the "zombie_period", ALL AUTHENTICATIONS WILL FAIL, because
|
||||||
|
# the home server is still dead. There is NOTHING that can
|
||||||
|
# be done about this, other than to enable the status checks,
|
||||||
|
# as documented below.
|
||||||
|
#
|
||||||
|
# e.g. if "zombie_period" is 40 seconds, and "revive_interval"
|
||||||
|
# is 300 seconds, the for 40 seconds out of every 340, or about
|
||||||
|
# 10% of the time, all authentications will fail.
|
||||||
|
#
|
||||||
|
# If the "zombie_period" and "revive_interval" configurations
|
||||||
|
# are set smaller, than it is possible for up to 50% of
|
||||||
|
# authentications to fail.
|
||||||
|
#
|
||||||
|
# As a result, we recommend enabling status checks, and
|
||||||
|
# we do NOT recommend using "revive_interval".
|
||||||
|
#
|
||||||
|
# The "revive_interval" is used ONLY if the "status_check"
|
||||||
|
# entry below is "none". Otherwise, it will not be used,
|
||||||
|
# and should be deleted.
|
||||||
|
#
|
||||||
|
# Useful range of values: 60 to 3600
|
||||||
|
revive_interval = 120
|
||||||
|
|
||||||
|
#
|
||||||
|
# The proxying server (i.e. this one) can do periodic status
|
||||||
|
# checks to see if a dead home server has come back alive.
|
||||||
|
#
|
||||||
|
# If set to "none", then the other configuration items listed
|
||||||
|
# below are not used, and the "revive_interval" time is used
|
||||||
|
# instead.
|
||||||
|
#
|
||||||
|
# If set to "status-server", the Status-Server packets are
|
||||||
|
# sent. Many RADIUS servers support Status-Server. If a
|
||||||
|
# server does not support it, please contact the server
|
||||||
|
# vendor and request that they add it.
|
||||||
|
#
|
||||||
|
# If set to "request", then Access-Request, or Accounting-Request
|
||||||
|
# packets are sent, depending on the "type" entry above (auth/acct).
|
||||||
|
#
|
||||||
|
# Allowed values: none, status-server, request
|
||||||
|
status_check = status-server
|
||||||
|
|
||||||
|
#
|
||||||
|
# If the home server does not support Status-Server packets,
|
||||||
|
# then the server can still send Access-Request or
|
||||||
|
# Accounting-Request packets, with a pre-defined user name.
|
||||||
|
#
|
||||||
|
# This practice is NOT recommended, as it may potentially let
|
||||||
|
# users gain network access by using these "test" accounts!
|
||||||
|
#
|
||||||
|
# If it is used, we recommend that the home server ALWAYS
|
||||||
|
# respond to these Access-Request status checks with
|
||||||
|
# Access-Reject. The status check just needs an answer, it
|
||||||
|
# does not need an Access-Accept.
|
||||||
|
#
|
||||||
|
# For Accounting-Request status checks, only the username
|
||||||
|
# needs to be set. The rest of the accounting attribute are
|
||||||
|
# set to default values. The home server that receives these
|
||||||
|
# accounting packets SHOULD NOT treat them like normal user
|
||||||
|
# accounting packets. i.e It should probably NOT log them to
|
||||||
|
# a database.
|
||||||
|
#
|
||||||
|
# username = "test_user_please_reject_me"
|
||||||
|
# password = "this is really secret"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Configure the interval between sending status check packets.
|
||||||
|
#
|
||||||
|
# Setting it too low increases the probability of spurious
|
||||||
|
# fail-over and fallback attempts.
|
||||||
|
#
|
||||||
|
# Useful range of values: 6 to 120
|
||||||
|
check_interval = 30
|
||||||
|
|
||||||
|
#
|
||||||
|
# Configure the number of status checks in a row that the
|
||||||
|
# home server needs to respond to before it is marked alive.
|
||||||
|
#
|
||||||
|
# If you want to mark a home server as alive after a short
|
||||||
|
# time period of being responsive, it is best to use a small
|
||||||
|
# "check_interval", and a large value for
|
||||||
|
# "num_answers_to_alive". Using a long "check_interval" and
|
||||||
|
# a small number for "num_answers_to_alive" increases the
|
||||||
|
# probability of spurious fail-over and fallback attempts.
|
||||||
|
#
|
||||||
|
# Useful range of values: 3 to 10
|
||||||
|
num_answers_to_alive = 3
|
||||||
|
|
||||||
|
#
|
||||||
|
# Limit the total number of outstanding packets to the home
|
||||||
|
# server.
|
||||||
|
#
|
||||||
|
# if ((#request sent) - (#requests received)) > max_outstanding
|
||||||
|
# then stop sending more packets to the home server
|
||||||
|
#
|
||||||
|
# This lets us gracefully fall over when the home server
|
||||||
|
# is overloaded.
|
||||||
|
max_outstanding = 65536
|
||||||
|
|
||||||
|
#
|
||||||
|
# The configuration items in the next sub-section are used ONLY
|
||||||
|
# when "type = coa". It is ignored for all other type of home
|
||||||
|
# servers.
|
||||||
|
#
|
||||||
|
# See RFC 5080 for the definitions of the following terms.
|
||||||
|
# RAND is a function (internal to FreeRADIUS) returning
|
||||||
|
# random numbers between -0.1 and +0.1
|
||||||
|
#
|
||||||
|
# First Re-transmit occurs after:
|
||||||
|
#
|
||||||
|
# RT = IRT + RAND*IRT
|
||||||
|
#
|
||||||
|
# Subsequent Re-transmits occur after:
|
||||||
|
#
|
||||||
|
# RT = 2 * RTprev + RAND * RTprev
|
||||||
|
#
|
||||||
|
# Re-trasnmits are capped at:
|
||||||
|
#
|
||||||
|
# if (MRT && (RT > MRT)) RT = MRT + RAND * MRT
|
||||||
|
#
|
||||||
|
# For a maximum number of attempts: MRC
|
||||||
|
#
|
||||||
|
# For a maximum (total) period of time: MRD.
|
||||||
|
#
|
||||||
|
coa {
|
||||||
|
# Initial retransmit interval: 1..5
|
||||||
|
irt = 2
|
||||||
|
|
||||||
|
# Maximum Retransmit Timeout: 1..30 (0 == no maximum)
|
||||||
|
mrt = 16
|
||||||
|
|
||||||
|
# Maximum Retransmit Count: 1..20 (0 == retransmit forever)
|
||||||
|
mrc = 5
|
||||||
|
|
||||||
|
# Maximum Retransmit Duration: 5..60
|
||||||
|
mrd = 30
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Sample virtual home server.
|
||||||
|
#
|
||||||
|
#
|
||||||
|
#home_server virtual.example.com {
|
||||||
|
# virtual_server = virtual.example.com
|
||||||
|
#}
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# This section defines a pool of home servers that is used
|
||||||
|
# for fail-over and load-balancing. In earlier versions of
|
||||||
|
# FreeRADIUS, fail-over and load-balancing were defined per-realm.
|
||||||
|
# As a result, if a server had 5 home servers, each of which served
|
||||||
|
# the same 10 realms, you would need 50 "realm" entries.
|
||||||
|
#
|
||||||
|
# In version 2.0, you would need 5 "home_server" sections,
|
||||||
|
# 10 'realm" sections, and one "home_server_pool" section to tie the
|
||||||
|
# two together.
|
||||||
|
#
|
||||||
|
home_server_pool my_auth_failover {
|
||||||
|
#
|
||||||
|
# The type of this pool controls how home servers are chosen.
|
||||||
|
#
|
||||||
|
# fail-over - the request is sent to the first live
|
||||||
|
# home server in the list. i.e. If the first home server
|
||||||
|
# is marked "dead", the second one is chosen, etc.
|
||||||
|
#
|
||||||
|
# load-balance - the least busy home server is chosen,
|
||||||
|
# where "least busy" is counted by taking the number of
|
||||||
|
# requests sent to that home server, and subtracting the
|
||||||
|
# number of responses received from that home server.
|
||||||
|
#
|
||||||
|
# If there are two or more servers with the same low
|
||||||
|
# load, then one of those servers is chosen at random.
|
||||||
|
# This configuration is most similar to the old
|
||||||
|
# "round-robin" method, though it is not exactly the same.
|
||||||
|
#
|
||||||
|
# Note that load balancing does not work well with EAP,
|
||||||
|
# as EAP requires packets for an EAP conversation to be
|
||||||
|
# sent to the same home server. The load balancing method
|
||||||
|
# does not keep state in between packets, meaning that
|
||||||
|
# EAP packets for the same conversation may be sent to
|
||||||
|
# different home servers. This will prevent EAP from
|
||||||
|
# working.
|
||||||
|
#
|
||||||
|
# For non-EAP authentication methods, and for accounting
|
||||||
|
# packets, we recommend using "load-balance". It will
|
||||||
|
# ensure the highest availability for your network.
|
||||||
|
#
|
||||||
|
# client-balance - the home server is chosen by hashing the
|
||||||
|
# source IP address of the packet. If that home server
|
||||||
|
# is down, the next one in the list is used, just as
|
||||||
|
# with "fail-over".
|
||||||
|
#
|
||||||
|
# There is no way of predicting which source IP will map
|
||||||
|
# to which home server.
|
||||||
|
#
|
||||||
|
# This configuration is most useful to do simple load
|
||||||
|
# balancing for EAP sessions, as the EAP session will
|
||||||
|
# always be sent to the same home server.
|
||||||
|
#
|
||||||
|
# client-port-balance - the home server is chosen by hashing
|
||||||
|
# the source IP address and source port of the packet.
|
||||||
|
# If that home server is down, the next one in the list
|
||||||
|
# is used, just as with "fail-over".
|
||||||
|
#
|
||||||
|
# This method provides slightly better load balancing
|
||||||
|
# for EAP sessions than "client-balance". However, it
|
||||||
|
# also means that authentication and accounting packets
|
||||||
|
# for the same session MAY go to different home servers.
|
||||||
|
#
|
||||||
|
# keyed-balance - the home server is chosen by hashing (FNV)
|
||||||
|
# the contents of the Load-Balance-Key attribute from the
|
||||||
|
# control items. The request is then sent to home server
|
||||||
|
# chosen by taking:
|
||||||
|
#
|
||||||
|
# server = (hash % num_servers_in_pool).
|
||||||
|
#
|
||||||
|
# If there is no Load-Balance-Key in the control items,
|
||||||
|
# the load balancing method is identical to "load-balance".
|
||||||
|
#
|
||||||
|
# For most non-EAP authentication methods, The User-Name
|
||||||
|
# attribute provides a good key. An "unlang" policy can
|
||||||
|
# be used to copy the User-Name to the Load-Balance-Key
|
||||||
|
# attribute. This method may not work for EAP sessions,
|
||||||
|
# as the User-Name outside of the TLS tunnel is often
|
||||||
|
# static, e.g. "anonymous@realm".
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# The default type is fail-over.
|
||||||
|
type = fail-over
|
||||||
|
|
||||||
|
#
|
||||||
|
# A virtual_server may be specified here. If so, the
|
||||||
|
# "pre-proxy" and "post-proxy" sections are called when
|
||||||
|
# the request is proxied, and when a response is received.
|
||||||
|
#
|
||||||
|
# This lets you have one policy for all requests that are proxied
|
||||||
|
# to a home server. This policy is completely independent of
|
||||||
|
# any policies used to receive, or process the request.
|
||||||
|
#
|
||||||
|
#virtual_server = pre_post_proxy_for_pool
|
||||||
|
|
||||||
|
#
|
||||||
|
# Next, a list of one or more home servers. The names
|
||||||
|
# of the home servers are NOT the hostnames, but the names
|
||||||
|
# of the sections. (e.g. home_server foo {...} has name "foo".
|
||||||
|
#
|
||||||
|
# Note that ALL home servers listed here have to be of the same
|
||||||
|
# type. i.e. they all have to be "auth", or they all have to
|
||||||
|
# be "acct", or the all have to be "auth+acct".
|
||||||
|
#
|
||||||
|
home_server = localhost
|
||||||
|
|
||||||
|
# Additional home servers can be listed.
|
||||||
|
# There is NO LIMIT to the number of home servers that can
|
||||||
|
# be listed, though using more than 10 or so will become
|
||||||
|
# difficult to manage.
|
||||||
|
#
|
||||||
|
# home_server = foo.example.com
|
||||||
|
# home_server = bar.example.com
|
||||||
|
# home_server = baz.example.com
|
||||||
|
# home_server = ...
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# If ALL home servers are dead, then this "fallback" home server
|
||||||
|
# is used. If set, it takes precedence over any realm-based
|
||||||
|
# fallback, such as the DEFAULT realm.
|
||||||
|
#
|
||||||
|
# For reasons of stability, this home server SHOULD be a virtual
|
||||||
|
# server. Otherwise, the fallback may itself be dead!
|
||||||
|
#
|
||||||
|
#fallback = virtual.example.com
|
||||||
|
}
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# This section defines a new-style "realm". Note the in version 2.0,
|
||||||
|
# there are many fewer configuration items than in 1.x for a realm.
|
||||||
|
#
|
||||||
|
# Automatic proxying is done via the "realms" module (see "man
|
||||||
|
# rlm_realm"). To manually proxy the request put this entry in the
|
||||||
|
# "users" file:
|
||||||
|
|
||||||
|
#
|
||||||
|
#
|
||||||
|
#DEFAULT Proxy-To-Realm := "realm_name"
|
||||||
|
#
|
||||||
|
#
|
||||||
|
realm example.com {
|
||||||
|
#
|
||||||
|
# Realms point to pools of home servers.
|
||||||
|
#
|
||||||
|
# For authentication, the "auth_pool" configuration item
|
||||||
|
# should point to a "home_server_pool" that was previously
|
||||||
|
# defined. All of the home servers in the "auth_pool" must
|
||||||
|
# be of type "auth".
|
||||||
|
#
|
||||||
|
# For accounting, the "acct_pool" configuration item
|
||||||
|
# should point to a "home_server_pool" that was previously
|
||||||
|
# defined. All of the home servers in the "acct_pool" must
|
||||||
|
# be of type "acct".
|
||||||
|
#
|
||||||
|
# If you have a "home_server_pool" where all of the home servers
|
||||||
|
# are of type "auth+acct", you can just use the "pool"
|
||||||
|
# configuration item, instead of specifying both "auth_pool"
|
||||||
|
# and "acct_pool".
|
||||||
|
|
||||||
|
auth_pool = my_auth_failover
|
||||||
|
# acct_pool = acct
|
||||||
|
|
||||||
|
#
|
||||||
|
# Normally, when an incoming User-Name is matched against the
|
||||||
|
# realm, the realm name is "stripped" off, and the "stripped"
|
||||||
|
# user name is used to perform matches.
|
||||||
|
#
|
||||||
|
# e.g. User-Name = "bob@example.com" will result in two new
|
||||||
|
# attributes being created by the "realms" module:
|
||||||
|
#
|
||||||
|
# Stripped-User-Name = "bob"
|
||||||
|
# Realm = "example.com"
|
||||||
|
#
|
||||||
|
# The Stripped-User-Name is then used as a key in the "users"
|
||||||
|
# file, for example.
|
||||||
|
#
|
||||||
|
# If you do not want this to happen, uncomment "nostrip" below.
|
||||||
|
#
|
||||||
|
# nostrip
|
||||||
|
|
||||||
|
# There are no more configuration entries for a realm.
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# This is a sample entry for iPass.
|
||||||
|
# Note that you have to define "ipass_auth_pool" and
|
||||||
|
# "ipass_acct_pool", along with home_servers for them, too.
|
||||||
|
#
|
||||||
|
#realm IPASS {
|
||||||
|
# nostrip
|
||||||
|
#
|
||||||
|
# auth_pool = ipass_auth_pool
|
||||||
|
# acct_pool = ipass_acct_pool
|
||||||
|
#}
|
||||||
|
|
||||||
|
#
|
||||||
|
# This realm is used mainly to cancel proxying. You can have
|
||||||
|
# the "realm suffix" module configured to proxy all requests for
|
||||||
|
# a realm, and then later cancel the proxying, based on other
|
||||||
|
# configuration.
|
||||||
|
#
|
||||||
|
# For example, you want to terminate PEAP or EAP-TTLS locally,
|
||||||
|
# you can add the following to the "users" file:
|
||||||
|
#
|
||||||
|
# DEFAULT EAP-Type == PEAP, Proxy-To-Realm := LOCAL
|
||||||
|
#
|
||||||
|
realm LOCAL {
|
||||||
|
# If we do not specify a server pool, the realm is LOCAL, and
|
||||||
|
# requests are not proxied to it.
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# This realm is for requests which don't have an explicit realm
|
||||||
|
# prefix or suffix. User names like "bob" will match this one.
|
||||||
|
#
|
||||||
|
#realm NULL {
|
||||||
|
# authhost = radius.company.com:1600
|
||||||
|
# accthost = radius.company.com:1601
|
||||||
|
# secret = testing123
|
||||||
|
#}
|
||||||
|
|
||||||
|
#
|
||||||
|
# This realm is for ALL OTHER requests.
|
||||||
|
#
|
||||||
|
#realm DEFAULT {
|
||||||
|
# authhost = radius.company.com:1600
|
||||||
|
# accthost = radius.company.com:1601
|
||||||
|
# secret = testing123
|
||||||
|
#}
|
||||||
|
|
||||||
|
|
||||||
|
# This realm "proxies" requests internally to a virtual server.
|
||||||
|
# The pre-proxy and post-proxy sections are run just as with any
|
||||||
|
# other kind of home server. The virtual server then receives
|
||||||
|
# the request, and replies, just as with any other packet.
|
||||||
|
#
|
||||||
|
# Once proxied internally like this, the request CANNOT be proxied
|
||||||
|
# internally or externally.
|
||||||
|
#
|
||||||
|
#realm virtual.example.com {
|
||||||
|
# virtual_server = virtual.example.com
|
||||||
|
#}
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# Regular expressions may also be used as realm names. If these are used,
|
||||||
|
# then the "find matching realm" process is as follows:
|
||||||
|
#
|
||||||
|
# 1) Look for a non-regex realm with an *exact* match for the name.
|
||||||
|
# If found, it is used in preference to any regex matching realm.
|
||||||
|
#
|
||||||
|
# 2) Look for a regex realm, in the order that they are listed
|
||||||
|
# in the configuration files. Any regex match is performed in
|
||||||
|
# a case-insensitive fashion.
|
||||||
|
#
|
||||||
|
# 3) If no realm is found, return the DEFAULT realm, if any.
|
||||||
|
#
|
||||||
|
# The order of the realms matters in step (2). For example, defining
|
||||||
|
# two realms ".*\.example.net$" and ".*\.test\.example\.net$" will result in
|
||||||
|
# the second realm NEVER matching. This is because all of the realms
|
||||||
|
# which match the second regex also match the first one. Since the
|
||||||
|
# first regex matches, it is returned.
|
||||||
|
#
|
||||||
|
# The solution is to list the realms in the opposite order,. e.g.
|
||||||
|
# ".*\.test\.example.net$", followed by ".*\.example\.net$".
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Some helpful rules:
|
||||||
|
#
|
||||||
|
# - always place a '~' character at the start of the realm name.
|
||||||
|
# This signifies that it is a regex match, and not an exact match
|
||||||
|
# for the realm.
|
||||||
|
#
|
||||||
|
# - place the regex in double quotes. This helps the configuration
|
||||||
|
# file parser ignore any "special" characters in the regex.
|
||||||
|
# Yes, this rule is different than the normal "unlang" rules for
|
||||||
|
# regular expressions. That may be fixed in a future release.
|
||||||
|
#
|
||||||
|
# - use two back-slashes '\\' whenever you need one backslash in the
|
||||||
|
# regex. e.g. "~.*\\.example\\.net$", and not "~\.example\.net$".
|
||||||
|
# This is because the regex is in a double-quoted string, and normal
|
||||||
|
# rules apply for double-quoted strings.
|
||||||
|
#
|
||||||
|
# - If you are matching domain names, use two backslashes in front of
|
||||||
|
# every '.' (dot or period). This is because '.' has special meaning
|
||||||
|
# in a regular expression: match any character. If you do not do this,
|
||||||
|
# then "~.*.example.net$" will match "fooXexampleYnet", which is likely
|
||||||
|
# not what you want
|
||||||
|
#
|
||||||
|
# - If you are matching domain names, put a '$' at the end of the regex
|
||||||
|
# that matches the domain name. This tells the regex matching code
|
||||||
|
# that the realm ENDS with the domain name, so it does not match
|
||||||
|
# realms with the domain name in the middle. e.g. "~.*\\.example\\.net"
|
||||||
|
# will match "test.example.netFOO", which is likely not what you want.
|
||||||
|
# Using "~(.*\\.)example\\.net$" is better.
|
||||||
|
#
|
||||||
|
# The more regex realms that are defined, the more time it takes to
|
||||||
|
# process them. You should define as few regex realms as possible
|
||||||
|
# in order to maximize server performance.
|
||||||
|
#
|
||||||
|
#realm "~(.*\\.)*example\\.net$" {
|
||||||
|
# auth_pool = my_auth_failover
|
||||||
|
#}
|
|
@ -0,0 +1,865 @@
|
||||||
|
# -*- text -*-
|
||||||
|
##
|
||||||
|
## radiusd.conf -- FreeRADIUS server configuration file.
|
||||||
|
##
|
||||||
|
## http://www.freeradius.org/
|
||||||
|
## $Id: 201b70b31b5bb4c2ef98c102690daa3462d5e1e3 $
|
||||||
|
##
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# Read "man radiusd" before editing this file. See the section
|
||||||
|
# titled DEBUGGING. It outlines a method where you can quickly
|
||||||
|
# obtain the configuration you want, without running into
|
||||||
|
# trouble.
|
||||||
|
#
|
||||||
|
# Run the server in debugging mode, and READ the output.
|
||||||
|
#
|
||||||
|
# $ radiusd -X
|
||||||
|
#
|
||||||
|
# We cannot emphasize this point strongly enough. The vast
|
||||||
|
# majority of problems can be solved by carefully reading the
|
||||||
|
# debugging output, which includes warnings about common issues,
|
||||||
|
# and suggestions for how they may be fixed.
|
||||||
|
#
|
||||||
|
# There may be a lot of output, but look carefully for words like:
|
||||||
|
# "warning", "error", "reject", or "failure". The messages there
|
||||||
|
# will usually be enough to guide you to a solution.
|
||||||
|
#
|
||||||
|
# If you are going to ask a question on the mailing list, then
|
||||||
|
# explain what you are trying to do, and include the output from
|
||||||
|
# debugging mode (radiusd -X). Failure to do so means that all
|
||||||
|
# of the responses to your question will be people telling you
|
||||||
|
# to "post the output of radiusd -X".
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# The location of other config files and logfiles are declared
|
||||||
|
# in this file.
|
||||||
|
#
|
||||||
|
# Also general configuration for modules can be done in this
|
||||||
|
# file, it is exported through the API to modules that ask for
|
||||||
|
# it.
|
||||||
|
#
|
||||||
|
# See "man radiusd.conf" for documentation on the format of this
|
||||||
|
# file. Note that the individual configuration items are NOT
|
||||||
|
# documented in that "man" page. They are only documented here,
|
||||||
|
# in the comments.
|
||||||
|
#
|
||||||
|
# As of 2.0.0, FreeRADIUS supports a simple processing language
|
||||||
|
# in the "authorize", "authenticate", "accounting", etc. sections.
|
||||||
|
# See "man unlang" for details.
|
||||||
|
#
|
||||||
|
|
||||||
|
prefix = /usr
|
||||||
|
exec_prefix = /usr
|
||||||
|
sysconfdir = /etc
|
||||||
|
localstatedir = /var
|
||||||
|
sbindir = ${exec_prefix}/sbin
|
||||||
|
logdir = /var/log/freeradius
|
||||||
|
raddbdir = /etc/freeradius
|
||||||
|
radacctdir = ${logdir}/radacct
|
||||||
|
|
||||||
|
#
|
||||||
|
# name of the running server. See also the "-n" command-line option.
|
||||||
|
name = freeradius
|
||||||
|
|
||||||
|
# Location of config and logfiles.
|
||||||
|
confdir = ${raddbdir}
|
||||||
|
run_dir = ${localstatedir}/run/${name}
|
||||||
|
|
||||||
|
# Should likely be ${localstatedir}/lib/radiusd
|
||||||
|
db_dir = ${raddbdir}
|
||||||
|
|
||||||
|
#
|
||||||
|
# libdir: Where to find the rlm_* modules.
|
||||||
|
#
|
||||||
|
# This should be automatically set at configuration time.
|
||||||
|
#
|
||||||
|
# If the server builds and installs, but fails at execution time
|
||||||
|
# with an 'undefined symbol' error, then you can use the libdir
|
||||||
|
# directive to work around the problem.
|
||||||
|
#
|
||||||
|
# The cause is usually that a library has been installed on your
|
||||||
|
# system in a place where the dynamic linker CANNOT find it. When
|
||||||
|
# executing as root (or another user), your personal environment MAY
|
||||||
|
# be set up to allow the dynamic linker to find the library. When
|
||||||
|
# executing as a daemon, FreeRADIUS MAY NOT have the same
|
||||||
|
# personalized configuration.
|
||||||
|
#
|
||||||
|
# To work around the problem, find out which library contains that symbol,
|
||||||
|
# and add the directory containing that library to the end of 'libdir',
|
||||||
|
# with a colon separating the directory names. NO spaces are allowed.
|
||||||
|
#
|
||||||
|
# e.g. libdir = /usr/local/lib:/opt/package/lib
|
||||||
|
#
|
||||||
|
# You can also try setting the LD_LIBRARY_PATH environment variable
|
||||||
|
# in a script which starts the server.
|
||||||
|
#
|
||||||
|
# If that does not work, then you can re-configure and re-build the
|
||||||
|
# server to NOT use shared libraries, via:
|
||||||
|
#
|
||||||
|
# ./configure --disable-shared
|
||||||
|
# make
|
||||||
|
# make install
|
||||||
|
#
|
||||||
|
libdir = /usr/lib/freeradius
|
||||||
|
|
||||||
|
# pidfile: Where to place the PID of the RADIUS server.
|
||||||
|
#
|
||||||
|
# The server may be signalled while it's running by using this
|
||||||
|
# file.
|
||||||
|
#
|
||||||
|
# This file is written when ONLY running in daemon mode.
|
||||||
|
#
|
||||||
|
# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
|
||||||
|
#
|
||||||
|
pidfile = ${run_dir}/${name}.pid
|
||||||
|
|
||||||
|
# chroot: directory where the server does "chroot".
|
||||||
|
#
|
||||||
|
# The chroot is done very early in the process of starting the server.
|
||||||
|
# After the chroot has been performed it switches to the "user" listed
|
||||||
|
# below (which MUST be specified). If "group" is specified, it switchs
|
||||||
|
# to that group, too. Any other groups listed for the specified "user"
|
||||||
|
# in "/etc/group" are also added as part of this process.
|
||||||
|
#
|
||||||
|
# The current working directory (chdir / cd) is left *outside* of the
|
||||||
|
# chroot until all of the modules have been initialized. This allows
|
||||||
|
# the "raddb" directory to be left outside of the chroot. Once the
|
||||||
|
# modules have been initialized, it does a "chdir" to ${logdir}. This
|
||||||
|
# means that it should be impossible to break out of the chroot.
|
||||||
|
#
|
||||||
|
# If you are worried about security issues related to this use of chdir,
|
||||||
|
# then simply ensure that the "raddb" directory is inside of the chroot,
|
||||||
|
# end be sure to do "cd raddb" BEFORE starting the server.
|
||||||
|
#
|
||||||
|
# If the server is statically linked, then the only files that have
|
||||||
|
# to exist in the chroot are ${run_dir} and ${logdir}. If you do the
|
||||||
|
# "cd raddb" as discussed above, then the "raddb" directory has to be
|
||||||
|
# inside of the chroot directory, too.
|
||||||
|
#
|
||||||
|
#chroot = /path/to/chroot/directory
|
||||||
|
|
||||||
|
# user/group: The name (or #number) of the user/group to run radiusd as.
|
||||||
|
#
|
||||||
|
# If these are commented out, the server will run as the user/group
|
||||||
|
# that started it. In order to change to a different user/group, you
|
||||||
|
# MUST be root ( or have root privleges ) to start the server.
|
||||||
|
#
|
||||||
|
# We STRONGLY recommend that you run the server with as few permissions
|
||||||
|
# as possible. That is, if you're not using shadow passwords, the
|
||||||
|
# user and group items below should be set to radius'.
|
||||||
|
#
|
||||||
|
# NOTE that some kernels refuse to setgid(group) when the value of
|
||||||
|
# (unsigned)group is above 60000; don't use group nobody on these systems!
|
||||||
|
#
|
||||||
|
# On systems with shadow passwords, you might have to set 'group = shadow'
|
||||||
|
# for the server to be able to read the shadow password file. If you can
|
||||||
|
# authenticate users while in debug mode, but not in daemon mode, it may be
|
||||||
|
# that the debugging mode server is running as a user that can read the
|
||||||
|
# shadow info, and the user listed below can not.
|
||||||
|
#
|
||||||
|
# The server will also try to use "initgroups" to read /etc/groups.
|
||||||
|
# It will join all groups where "user" is a member. This can allow
|
||||||
|
# for some finer-grained access controls.
|
||||||
|
#
|
||||||
|
user = freerad
|
||||||
|
group = freerad
|
||||||
|
|
||||||
|
# panic_action: Command to execute if the server dies unexpectedly.
|
||||||
|
#
|
||||||
|
# FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.
|
||||||
|
# AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.
|
||||||
|
# AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART.
|
||||||
|
#
|
||||||
|
# The panic action is a command which will be executed if the server
|
||||||
|
# receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS,
|
||||||
|
# SIGABRT or SIGFPE.
|
||||||
|
#
|
||||||
|
# This can be used to start an interactive debugging session so
|
||||||
|
# that information regarding the current state of the server can
|
||||||
|
# be acquired.
|
||||||
|
#
|
||||||
|
# The following string substitutions are available:
|
||||||
|
# - %e The currently executing program e.g. /sbin/radiusd
|
||||||
|
# - %p The PID of the currently executing program e.g. 12345
|
||||||
|
#
|
||||||
|
# Standard ${} substitutions are also allowed.
|
||||||
|
#
|
||||||
|
# An example panic action for opening an interactive session in GDB would be:
|
||||||
|
#
|
||||||
|
#panic_action = "gdb %e %p"
|
||||||
|
#
|
||||||
|
# Again, don't use that on a production system.
|
||||||
|
#
|
||||||
|
# An example panic action for opening an automated session in GDB would be:
|
||||||
|
#
|
||||||
|
#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p > ${logdir}/gdb-%e-%p.log 2>&1"
|
||||||
|
#
|
||||||
|
# That command can be used on a production system.
|
||||||
|
#
|
||||||
|
|
||||||
|
# max_request_time: The maximum time (in seconds) to handle a request.
|
||||||
|
#
|
||||||
|
# Requests which take more time than this to process may be killed, and
|
||||||
|
# a REJECT message is returned.
|
||||||
|
#
|
||||||
|
# WARNING: If you notice that requests take a long time to be handled,
|
||||||
|
# then this MAY INDICATE a bug in the server, in one of the modules
|
||||||
|
# used to handle a request, OR in your local configuration.
|
||||||
|
#
|
||||||
|
# This problem is most often seen when using an SQL database. If it takes
|
||||||
|
# more than a second or two to receive an answer from the SQL database,
|
||||||
|
# then it probably means that you haven't indexed the database. See your
|
||||||
|
# SQL server documentation for more information.
|
||||||
|
#
|
||||||
|
# Useful range of values: 5 to 120
|
||||||
|
#
|
||||||
|
max_request_time = 30
|
||||||
|
|
||||||
|
# cleanup_delay: The time to wait (in seconds) before cleaning up
|
||||||
|
# a reply which was sent to the NAS.
|
||||||
|
#
|
||||||
|
# The RADIUS request is normally cached internally for a short period
|
||||||
|
# of time, after the reply is sent to the NAS. The reply packet may be
|
||||||
|
# lost in the network, and the NAS will not see it. The NAS will then
|
||||||
|
# re-send the request, and the server will respond quickly with the
|
||||||
|
# cached reply.
|
||||||
|
#
|
||||||
|
# If this value is set too low, then duplicate requests from the NAS
|
||||||
|
# MAY NOT be detected, and will instead be handled as seperate requests.
|
||||||
|
#
|
||||||
|
# If this value is set too high, then the server will cache too many
|
||||||
|
# requests, and some new requests may get blocked. (See 'max_requests'.)
|
||||||
|
#
|
||||||
|
# Useful range of values: 2 to 10
|
||||||
|
#
|
||||||
|
cleanup_delay = 5
|
||||||
|
|
||||||
|
# max_requests: The maximum number of requests which the server keeps
|
||||||
|
# track of. This should be 256 multiplied by the number of clients.
|
||||||
|
# e.g. With 4 clients, this number should be 1024.
|
||||||
|
#
|
||||||
|
# If this number is too low, then when the server becomes busy,
|
||||||
|
# it will not respond to any new requests, until the 'cleanup_delay'
|
||||||
|
# time has passed, and it has removed the old requests.
|
||||||
|
#
|
||||||
|
# If this number is set too high, then the server will use a bit more
|
||||||
|
# memory for no real benefit.
|
||||||
|
#
|
||||||
|
# If you aren't sure what it should be set to, it's better to set it
|
||||||
|
# too high than too low. Setting it to 1000 per client is probably
|
||||||
|
# the highest it should be.
|
||||||
|
#
|
||||||
|
# Useful range of values: 256 to infinity
|
||||||
|
#
|
||||||
|
max_requests = 1024
|
||||||
|
|
||||||
|
# listen: Make the server listen on a particular IP address, and send
|
||||||
|
# replies out from that address. This directive is most useful for
|
||||||
|
# hosts with multiple IP addresses on one interface.
|
||||||
|
#
|
||||||
|
# If you want the server to listen on additional addresses, or on
|
||||||
|
# additionnal ports, you can use multiple "listen" sections.
|
||||||
|
#
|
||||||
|
# Each section make the server listen for only one type of packet,
|
||||||
|
# therefore authentication and accounting have to be configured in
|
||||||
|
# different sections.
|
||||||
|
#
|
||||||
|
# The server ignore all "listen" section if you are using '-i' and '-p'
|
||||||
|
# on the command line.
|
||||||
|
#
|
||||||
|
listen {
|
||||||
|
# Type of packets to listen for.
|
||||||
|
# Allowed values are:
|
||||||
|
# auth listen for authentication packets
|
||||||
|
# acct listen for accounting packets
|
||||||
|
# proxy IP to use for sending proxied packets
|
||||||
|
# detail Read from the detail file. For examples, see
|
||||||
|
# raddb/sites-available/copy-acct-to-home-server
|
||||||
|
# status listen for Status-Server packets. For examples,
|
||||||
|
# see raddb/sites-available/status
|
||||||
|
# coa listen for CoA-Request and Disconnect-Request
|
||||||
|
# packets. For examples, see the file
|
||||||
|
# raddb/sites-available/coa
|
||||||
|
#
|
||||||
|
type = auth
|
||||||
|
|
||||||
|
# Note: "type = proxy" lets you control the source IP used for
|
||||||
|
# proxying packets, with some limitations:
|
||||||
|
#
|
||||||
|
# * A proxy listener CANNOT be used in a virtual server section.
|
||||||
|
# * You should probably set "port = 0".
|
||||||
|
# * Any "clients" configuration will be ignored.
|
||||||
|
#
|
||||||
|
# See also proxy.conf, and the "src_ipaddr" configuration entry
|
||||||
|
# in the sample "home_server" section. When you specify the
|
||||||
|
# source IP address for packets sent to a home server, the
|
||||||
|
# proxy listeners are automatically created.
|
||||||
|
|
||||||
|
# IP address on which to listen.
|
||||||
|
# Allowed values are:
|
||||||
|
# dotted quad (1.2.3.4)
|
||||||
|
# hostname (radius.example.com)
|
||||||
|
# wildcard (*)
|
||||||
|
ipaddr = *
|
||||||
|
|
||||||
|
# OR, you can use an IPv6 address, but not both
|
||||||
|
# at the same time.
|
||||||
|
# ipv6addr = :: # any. ::1 == localhost
|
||||||
|
|
||||||
|
# Port on which to listen.
|
||||||
|
# Allowed values are:
|
||||||
|
# integer port number (1812)
|
||||||
|
# 0 means "use /etc/services for the proper port"
|
||||||
|
port = 0
|
||||||
|
|
||||||
|
# Some systems support binding to an interface, in addition
|
||||||
|
# to the IP address. This feature isn't strictly necessary,
|
||||||
|
# but for sites with many IP addresses on one interface,
|
||||||
|
# it's useful to say "listen on all addresses for eth0".
|
||||||
|
#
|
||||||
|
# If your system does not support this feature, you will
|
||||||
|
# get an error if you try to use it.
|
||||||
|
#
|
||||||
|
# interface = eth0
|
||||||
|
|
||||||
|
# Per-socket lists of clients. This is a very useful feature.
|
||||||
|
#
|
||||||
|
# The name here is a reference to a section elsewhere in
|
||||||
|
# radiusd.conf, or clients.conf. Having the name as
|
||||||
|
# a reference allows multiple sockets to use the same
|
||||||
|
# set of clients.
|
||||||
|
#
|
||||||
|
# If this configuration is used, then the global list of clients
|
||||||
|
# is IGNORED for this "listen" section. Take care configuring
|
||||||
|
# this feature, to ensure you don't accidentally disable a
|
||||||
|
# client you need.
|
||||||
|
#
|
||||||
|
# See clients.conf for the configuration of "per_socket_clients".
|
||||||
|
#
|
||||||
|
# clients = per_socket_clients
|
||||||
|
}
|
||||||
|
|
||||||
|
# This second "listen" section is for listening on the accounting
|
||||||
|
# port, too.
|
||||||
|
#
|
||||||
|
listen {
|
||||||
|
ipaddr = *
|
||||||
|
# ipv6addr = ::
|
||||||
|
port = 0
|
||||||
|
type = acct
|
||||||
|
# interface = eth0
|
||||||
|
# clients = per_socket_clients
|
||||||
|
}
|
||||||
|
|
||||||
|
# hostname_lookups: Log the names of clients or just their IP addresses
|
||||||
|
# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
|
||||||
|
#
|
||||||
|
# The default is 'off' because it would be overall better for the net
|
||||||
|
# if people had to knowingly turn this feature on, since enabling it
|
||||||
|
# means that each client request will result in AT LEAST one lookup
|
||||||
|
# request to the nameserver. Enabling hostname_lookups will also
|
||||||
|
# mean that your server may stop randomly for 30 seconds from time
|
||||||
|
# to time, if the DNS requests take too long.
|
||||||
|
#
|
||||||
|
# Turning hostname lookups off also means that the server won't block
|
||||||
|
# for 30 seconds, if it sees an IP address which has no name associated
|
||||||
|
# with it.
|
||||||
|
#
|
||||||
|
# allowed values: {no, yes}
|
||||||
|
#
|
||||||
|
hostname_lookups = no
|
||||||
|
|
||||||
|
# Core dumps are a bad thing. This should only be set to 'yes'
|
||||||
|
# if you're debugging a problem with the server.
|
||||||
|
#
|
||||||
|
# allowed values: {no, yes}
|
||||||
|
#
|
||||||
|
allow_core_dumps = no
|
||||||
|
|
||||||
|
# Regular expressions
|
||||||
|
#
|
||||||
|
# These items are set at configure time. If they're set to "yes",
|
||||||
|
# then setting them to "no" turns off regular expression support.
|
||||||
|
#
|
||||||
|
# If they're set to "no" at configure time, then setting them to "yes"
|
||||||
|
# WILL NOT WORK. It will give you an error.
|
||||||
|
#
|
||||||
|
regular_expressions = yes
|
||||||
|
extended_expressions = yes
|
||||||
|
|
||||||
|
#
|
||||||
|
# Logging section. The various "log_*" configuration items
|
||||||
|
# will eventually be moved here.
|
||||||
|
#
|
||||||
|
log {
|
||||||
|
#
|
||||||
|
# Destination for log messages. This can be one of:
|
||||||
|
#
|
||||||
|
# files - log to "file", as defined below.
|
||||||
|
# syslog - to syslog (see also the "syslog_facility", below.
|
||||||
|
# stdout - standard output
|
||||||
|
# stderr - standard error.
|
||||||
|
#
|
||||||
|
# The command-line option "-X" over-rides this option, and forces
|
||||||
|
# logging to go to stdout.
|
||||||
|
#
|
||||||
|
destination = files
|
||||||
|
|
||||||
|
#
|
||||||
|
# The logging messages for the server are appended to the
|
||||||
|
# tail of this file if destination == "files"
|
||||||
|
#
|
||||||
|
# If the server is running in debugging mode, this file is
|
||||||
|
# NOT used.
|
||||||
|
#
|
||||||
|
file = ${logdir}/radius.log
|
||||||
|
|
||||||
|
#
|
||||||
|
# If this configuration parameter is set, then log messages for
|
||||||
|
# a *request* go to this file, rather than to radius.log.
|
||||||
|
#
|
||||||
|
# i.e. This is a log file per request, once the server has accepted
|
||||||
|
# the request as being from a valid client. Messages that are
|
||||||
|
# not associated with a request still go to radius.log.
|
||||||
|
#
|
||||||
|
# Not all log messages in the server core have been updated to use
|
||||||
|
# this new internal API. As a result, some messages will still
|
||||||
|
# go to radius.log. Please submit patches to fix this behavior.
|
||||||
|
#
|
||||||
|
# The file name is expanded dynamically. You should ONLY user
|
||||||
|
# server-side attributes for the filename (e.g. things you control).
|
||||||
|
# Using this feature MAY also slow down the server substantially,
|
||||||
|
# especially if you do thinks like SQL calls as part of the
|
||||||
|
# expansion of the filename.
|
||||||
|
#
|
||||||
|
# The name of the log file should use attributes that don't change
|
||||||
|
# over the lifetime of a request, such as User-Name,
|
||||||
|
# Virtual-Server or Packet-Src-IP-Address. Otherwise, the log
|
||||||
|
# messages will be distributed over multiple files.
|
||||||
|
#
|
||||||
|
# Logging can be enabled for an individual request by a special
|
||||||
|
# dynamic expansion macro: %{debug: 1}, where the debug level
|
||||||
|
# for this request is set to '1' (or 2, 3, etc.). e.g.
|
||||||
|
#
|
||||||
|
# ...
|
||||||
|
# update control {
|
||||||
|
# Tmp-String-0 = "%{debug:1}"
|
||||||
|
# }
|
||||||
|
# ...
|
||||||
|
#
|
||||||
|
# The attribute that the value is assigned to is unimportant,
|
||||||
|
# and should be a "throw-away" attribute with no side effects.
|
||||||
|
#
|
||||||
|
#requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
|
||||||
|
|
||||||
|
#
|
||||||
|
# Which syslog facility to use, if ${destination} == "syslog"
|
||||||
|
#
|
||||||
|
# The exact values permitted here are OS-dependent. You probably
|
||||||
|
# don't want to change this.
|
||||||
|
#
|
||||||
|
syslog_facility = daemon
|
||||||
|
|
||||||
|
# Log the full User-Name attribute, as it was found in the request.
|
||||||
|
#
|
||||||
|
# allowed values: {no, yes}
|
||||||
|
#
|
||||||
|
stripped_names = no
|
||||||
|
|
||||||
|
# Log authentication requests to the log file.
|
||||||
|
#
|
||||||
|
# allowed values: {no, yes}
|
||||||
|
#
|
||||||
|
auth = no
|
||||||
|
|
||||||
|
# Log passwords with the authentication requests.
|
||||||
|
# auth_badpass - logs password if it's rejected
|
||||||
|
# auth_goodpass - logs password if it's correct
|
||||||
|
#
|
||||||
|
# allowed values: {no, yes}
|
||||||
|
#
|
||||||
|
auth_badpass = no
|
||||||
|
auth_goodpass = no
|
||||||
|
|
||||||
|
# Log additional text at the end of the "Login OK" messages.
|
||||||
|
# for these to work, the "auth" and "auth_goopass" or "auth_badpass"
|
||||||
|
# configurations above have to be set to "yes".
|
||||||
|
#
|
||||||
|
# The strings below are dynamically expanded, which means that
|
||||||
|
# you can put anything you want in them. However, note that
|
||||||
|
# this expansion can be slow, and can negatively impact server
|
||||||
|
# performance.
|
||||||
|
#
|
||||||
|
# msg_goodpass = ""
|
||||||
|
# msg_badpass = ""
|
||||||
|
}
|
||||||
|
|
||||||
|
# The program to execute to do concurrency checks.
|
||||||
|
checkrad = ${sbindir}/checkrad
|
||||||
|
|
||||||
|
# SECURITY CONFIGURATION
|
||||||
|
#
|
||||||
|
# There may be multiple methods of attacking on the server. This
|
||||||
|
# section holds the configuration items which minimize the impact
|
||||||
|
# of those attacks
|
||||||
|
#
|
||||||
|
security {
|
||||||
|
#
|
||||||
|
# max_attributes: The maximum number of attributes
|
||||||
|
# permitted in a RADIUS packet. Packets which have MORE
|
||||||
|
# than this number of attributes in them will be dropped.
|
||||||
|
#
|
||||||
|
# If this number is set too low, then no RADIUS packets
|
||||||
|
# will be accepted.
|
||||||
|
#
|
||||||
|
# If this number is set too high, then an attacker may be
|
||||||
|
# able to send a small number of packets which will cause
|
||||||
|
# the server to use all available memory on the machine.
|
||||||
|
#
|
||||||
|
# Setting this number to 0 means "allow any number of attributes"
|
||||||
|
max_attributes = 200
|
||||||
|
|
||||||
|
#
|
||||||
|
# reject_delay: When sending an Access-Reject, it can be
|
||||||
|
# delayed for a few seconds. This may help slow down a DoS
|
||||||
|
# attack. It also helps to slow down people trying to brute-force
|
||||||
|
# crack a users password.
|
||||||
|
#
|
||||||
|
# Setting this number to 0 means "send rejects immediately"
|
||||||
|
#
|
||||||
|
# If this number is set higher than 'cleanup_delay', then the
|
||||||
|
# rejects will be sent at 'cleanup_delay' time, when the request
|
||||||
|
# is deleted from the internal cache of requests.
|
||||||
|
#
|
||||||
|
# Useful ranges: 1 to 5
|
||||||
|
reject_delay = 1
|
||||||
|
|
||||||
|
#
|
||||||
|
# status_server: Whether or not the server will respond
|
||||||
|
# to Status-Server requests.
|
||||||
|
#
|
||||||
|
# When sent a Status-Server message, the server responds with
|
||||||
|
# an Access-Accept or Accounting-Response packet.
|
||||||
|
#
|
||||||
|
# This is mainly useful for administrators who want to "ping"
|
||||||
|
# the server, without adding test users, or creating fake
|
||||||
|
# accounting packets.
|
||||||
|
#
|
||||||
|
# It's also useful when a NAS marks a RADIUS server "dead".
|
||||||
|
# The NAS can periodically "ping" the server with a Status-Server
|
||||||
|
# packet. If the server responds, it must be alive, and the
|
||||||
|
# NAS can start using it for real requests.
|
||||||
|
#
|
||||||
|
# See also raddb/sites-available/status
|
||||||
|
#
|
||||||
|
status_server = yes
|
||||||
|
|
||||||
|
#
|
||||||
|
# allow_vulnerable_openssl: Allow the server to start with
|
||||||
|
# versions of OpenSSL known to have critical vulnerabilities.
|
||||||
|
#
|
||||||
|
# This check is based on the version number reported by libssl
|
||||||
|
# and may not reflect patches applied to libssl by
|
||||||
|
# distribution maintainers.
|
||||||
|
#
|
||||||
|
allow_vulnerable_openssl = no
|
||||||
|
}
|
||||||
|
|
||||||
|
# PROXY CONFIGURATION
|
||||||
|
#
|
||||||
|
# proxy_requests: Turns proxying of RADIUS requests on or off.
|
||||||
|
#
|
||||||
|
# The server has proxying turned on by default. If your system is NOT
|
||||||
|
# set up to proxy requests to another server, then you can turn proxying
|
||||||
|
# off here. This will save a small amount of resources on the server.
|
||||||
|
#
|
||||||
|
# If you have proxying turned off, and your configuration files say
|
||||||
|
# to proxy a request, then an error message will be logged.
|
||||||
|
#
|
||||||
|
# To disable proxying, change the "yes" to "no", and comment the
|
||||||
|
# $INCLUDE line.
|
||||||
|
#
|
||||||
|
# allowed values: {no, yes}
|
||||||
|
#
|
||||||
|
proxy_requests = no
|
||||||
|
$INCLUDE proxy.conf
|
||||||
|
|
||||||
|
|
||||||
|
# CLIENTS CONFIGURATION
|
||||||
|
#
|
||||||
|
# Client configuration is defined in "clients.conf".
|
||||||
|
#
|
||||||
|
|
||||||
|
# The 'clients.conf' file contains all of the information from the old
|
||||||
|
# 'clients' and 'naslist' configuration files. We recommend that you
|
||||||
|
# do NOT use 'client's or 'naslist', although they are still
|
||||||
|
# supported.
|
||||||
|
#
|
||||||
|
# Anything listed in 'clients.conf' will take precedence over the
|
||||||
|
# information from the old-style configuration files.
|
||||||
|
#
|
||||||
|
$INCLUDE clients.conf
|
||||||
|
|
||||||
|
|
||||||
|
# THREAD POOL CONFIGURATION
|
||||||
|
#
|
||||||
|
# The thread pool is a long-lived group of threads which
|
||||||
|
# take turns (round-robin) handling any incoming requests.
|
||||||
|
#
|
||||||
|
# You probably want to have a few spare threads around,
|
||||||
|
# so that high-load situations can be handled immediately. If you
|
||||||
|
# don't have any spare threads, then the request handling will
|
||||||
|
# be delayed while a new thread is created, and added to the pool.
|
||||||
|
#
|
||||||
|
# You probably don't want too many spare threads around,
|
||||||
|
# otherwise they'll be sitting there taking up resources, and
|
||||||
|
# not doing anything productive.
|
||||||
|
#
|
||||||
|
# The numbers given below should be adequate for most situations.
|
||||||
|
#
|
||||||
|
thread pool {
|
||||||
|
# Number of servers to start initially --- should be a reasonable
|
||||||
|
# ballpark figure.
|
||||||
|
start_servers = 5
|
||||||
|
|
||||||
|
# Limit on the total number of servers running.
|
||||||
|
#
|
||||||
|
# If this limit is ever reached, clients will be LOCKED OUT, so it
|
||||||
|
# should NOT BE SET TOO LOW. It is intended mainly as a brake to
|
||||||
|
# keep a runaway server from taking the system with it as it spirals
|
||||||
|
# down...
|
||||||
|
#
|
||||||
|
# You may find that the server is regularly reaching the
|
||||||
|
# 'max_servers' number of threads, and that increasing
|
||||||
|
# 'max_servers' doesn't seem to make much difference.
|
||||||
|
#
|
||||||
|
# If this is the case, then the problem is MOST LIKELY that
|
||||||
|
# your back-end databases are taking too long to respond, and
|
||||||
|
# are preventing the server from responding in a timely manner.
|
||||||
|
#
|
||||||
|
# The solution is NOT do keep increasing the 'max_servers'
|
||||||
|
# value, but instead to fix the underlying cause of the
|
||||||
|
# problem: slow database, or 'hostname_lookups=yes'.
|
||||||
|
#
|
||||||
|
# For more information, see 'max_request_time', above.
|
||||||
|
#
|
||||||
|
max_servers = 32
|
||||||
|
|
||||||
|
# Server-pool size regulation. Rather than making you guess
|
||||||
|
# how many servers you need, FreeRADIUS dynamically adapts to
|
||||||
|
# the load it sees, that is, it tries to maintain enough
|
||||||
|
# servers to handle the current load, plus a few spare
|
||||||
|
# servers to handle transient load spikes.
|
||||||
|
#
|
||||||
|
# It does this by periodically checking how many servers are
|
||||||
|
# waiting for a request. If there are fewer than
|
||||||
|
# min_spare_servers, it creates a new spare. If there are
|
||||||
|
# more than max_spare_servers, some of the spares die off.
|
||||||
|
# The default values are probably OK for most sites.
|
||||||
|
#
|
||||||
|
min_spare_servers = 3
|
||||||
|
max_spare_servers = 10
|
||||||
|
|
||||||
|
# When the server receives a packet, it places it onto an
|
||||||
|
# internal queue, where the worker threads (configured above)
|
||||||
|
# pick it up for processing. The maximum size of that queue
|
||||||
|
# is given here.
|
||||||
|
#
|
||||||
|
# When the queue is full, any new packets will be silently
|
||||||
|
# discarded.
|
||||||
|
#
|
||||||
|
# The most common cause of the queue being full is that the
|
||||||
|
# server is dependent on a slow database, and it has received
|
||||||
|
# a large "spike" of traffic. When that happens, there is
|
||||||
|
# very little you can do other than make sure the server
|
||||||
|
# receives less traffic, or make sure that the database can
|
||||||
|
# handle the load.
|
||||||
|
#
|
||||||
|
# max_queue_size = 65536
|
||||||
|
|
||||||
|
# There may be memory leaks or resource allocation problems with
|
||||||
|
# the server. If so, set this value to 300 or so, so that the
|
||||||
|
# resources will be cleaned up periodically.
|
||||||
|
#
|
||||||
|
# This should only be necessary if there are serious bugs in the
|
||||||
|
# server which have not yet been fixed.
|
||||||
|
#
|
||||||
|
# '0' is a special value meaning 'infinity', or 'the servers never
|
||||||
|
# exit'
|
||||||
|
max_requests_per_server = 0
|
||||||
|
}
|
||||||
|
|
||||||
|
# MODULE CONFIGURATION
|
||||||
|
#
|
||||||
|
# The names and configuration of each module is located in this section.
|
||||||
|
#
|
||||||
|
# After the modules are defined here, they may be referred to by name,
|
||||||
|
# in other sections of this configuration file.
|
||||||
|
#
|
||||||
|
modules {
|
||||||
|
#
|
||||||
|
# Each module has a configuration as follows:
|
||||||
|
#
|
||||||
|
# name [ instance ] {
|
||||||
|
# config_item = value
|
||||||
|
# ...
|
||||||
|
# }
|
||||||
|
#
|
||||||
|
# The 'name' is used to load the 'rlm_name' library
|
||||||
|
# which implements the functionality of the module.
|
||||||
|
#
|
||||||
|
# The 'instance' is optional. To have two different instances
|
||||||
|
# of a module, it first must be referred to by 'name'.
|
||||||
|
# The different copies of the module are then created by
|
||||||
|
# inventing two 'instance' names, e.g. 'instance1' and 'instance2'
|
||||||
|
#
|
||||||
|
# The instance names can then be used in later configuration
|
||||||
|
# INSTEAD of the original 'name'. See the 'radutmp' configuration
|
||||||
|
# for an example.
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# As of 2.0.5, most of the module configurations are in a
|
||||||
|
# sub-directory. Files matching the regex /[a-zA-Z0-9_.]+/
|
||||||
|
# are loaded. The modules are initialized ONLY if they are
|
||||||
|
# referenced in a processing section, such as authorize,
|
||||||
|
# authenticate, accounting, pre/post-proxy, etc.
|
||||||
|
#
|
||||||
|
$INCLUDE ${confdir}/modules/
|
||||||
|
|
||||||
|
# Extensible Authentication Protocol
|
||||||
|
#
|
||||||
|
# For all EAP related authentications.
|
||||||
|
# Now in another file, because it is very large.
|
||||||
|
#
|
||||||
|
$INCLUDE eap.conf
|
||||||
|
|
||||||
|
# Include another file that has the SQL-related configuration.
|
||||||
|
# This is another file only because it tends to be big.
|
||||||
|
#
|
||||||
|
# $INCLUDE sql.conf
|
||||||
|
|
||||||
|
#
|
||||||
|
# This module is an SQL enabled version of the counter module.
|
||||||
|
#
|
||||||
|
# Rather than maintaining seperate (GDBM) databases of
|
||||||
|
# accounting info for each counter, this module uses the data
|
||||||
|
# stored in the raddacct table by the sql modules. This
|
||||||
|
# module NEVER does any database INSERTs or UPDATEs. It is
|
||||||
|
# totally dependent on the SQL module to process Accounting
|
||||||
|
# packets.
|
||||||
|
#
|
||||||
|
# $INCLUDE sql/mysql/counter.conf
|
||||||
|
|
||||||
|
#
|
||||||
|
# IP addresses managed in an SQL table.
|
||||||
|
#
|
||||||
|
# $INCLUDE sqlippool.conf
|
||||||
|
}
|
||||||
|
|
||||||
|
# Instantiation
|
||||||
|
#
|
||||||
|
# This section orders the loading of the modules. Modules
|
||||||
|
# listed here will get loaded BEFORE the later sections like
|
||||||
|
# authorize, authenticate, etc. get examined.
|
||||||
|
#
|
||||||
|
# This section is not strictly needed. When a section like
|
||||||
|
# authorize refers to a module, it's automatically loaded and
|
||||||
|
# initialized. However, some modules may not be listed in any
|
||||||
|
# of the following sections, so they can be listed here.
|
||||||
|
#
|
||||||
|
# Also, listing modules here ensures that you have control over
|
||||||
|
# the order in which they are initalized. If one module needs
|
||||||
|
# something defined by another module, you can list them in order
|
||||||
|
# here, and ensure that the configuration will be OK.
|
||||||
|
#
|
||||||
|
instantiate {
|
||||||
|
#
|
||||||
|
# Allows the execution of external scripts.
|
||||||
|
# The entire command line (and output) must fit into 253 bytes.
|
||||||
|
#
|
||||||
|
# e.g. Framed-Pool = `%{exec:/bin/echo foo}`
|
||||||
|
exec
|
||||||
|
|
||||||
|
#
|
||||||
|
# The expression module doesn't do authorization,
|
||||||
|
# authentication, or accounting. It only does dynamic
|
||||||
|
# translation, of the form:
|
||||||
|
#
|
||||||
|
# Session-Timeout = `%{expr:2 + 3}`
|
||||||
|
#
|
||||||
|
# This module needs to be instantiated, but CANNOT be
|
||||||
|
# listed in any other section. See 'doc/rlm_expr' for
|
||||||
|
# more information.
|
||||||
|
#
|
||||||
|
# rlm_expr is also responsible for registering many
|
||||||
|
# other xlat functions such as md5, sha1 and lc.
|
||||||
|
#
|
||||||
|
# We do not recommend removing it's listing here.
|
||||||
|
expr
|
||||||
|
|
||||||
|
#
|
||||||
|
# We add the counter module here so that it registers
|
||||||
|
# the check-name attribute before any module which sets
|
||||||
|
# it
|
||||||
|
# daily
|
||||||
|
expiration
|
||||||
|
logintime
|
||||||
|
|
||||||
|
# subsections here can be thought of as "virtual" modules.
|
||||||
|
#
|
||||||
|
# e.g. If you have two redundant SQL servers, and you want to
|
||||||
|
# use them in the authorize and accounting sections, you could
|
||||||
|
# place a "redundant" block in each section, containing the
|
||||||
|
# exact same text. Or, you could uncomment the following
|
||||||
|
# lines, and list "redundant_sql" in the authorize and
|
||||||
|
# accounting sections.
|
||||||
|
#
|
||||||
|
#redundant redundant_sql {
|
||||||
|
# sql1
|
||||||
|
# sql2
|
||||||
|
#}
|
||||||
|
}
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# Policies that can be applied in multiple places are listed
|
||||||
|
# globally. That way, they can be defined once, and referred
|
||||||
|
# to multiple times.
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
$INCLUDE policy.conf
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# Load virtual servers.
|
||||||
|
#
|
||||||
|
# This next $INCLUDE line loads files in the directory that
|
||||||
|
# match the regular expression: /[a-zA-Z0-9_.]+/
|
||||||
|
#
|
||||||
|
# It allows you to define new virtual servers simply by placing
|
||||||
|
# a file into the raddb/sites-enabled/ directory.
|
||||||
|
#
|
||||||
|
$INCLUDE sites-enabled/
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# All of the other configuration sections like "authorize {}",
|
||||||
|
# "authenticate {}", "accounting {}", have been moved to the
|
||||||
|
# the file:
|
||||||
|
#
|
||||||
|
# raddb/sites-available/default
|
||||||
|
#
|
||||||
|
# This is the "default" virtual server that has the same
|
||||||
|
# configuration as in version 1.0.x and 1.1.x. The default
|
||||||
|
# installation enables this virtual server. You should
|
||||||
|
# edit it to create policies for your local site.
|
||||||
|
#
|
||||||
|
# For more documentation on virtual servers, see:
|
||||||
|
#
|
||||||
|
# raddb/sites-available/README
|
||||||
|
#
|
||||||
|
######################################################################
|
|
@ -0,0 +1,335 @@
|
||||||
|
1. Virtual Servers.
|
||||||
|
|
||||||
|
FreeRADIUS 2.0 supports virtual servers. This is probably the
|
||||||
|
single largest change that is NOT backwards compatible with 1.x.
|
||||||
|
|
||||||
|
The virtual servers do NOT have to be set up with the
|
||||||
|
"sites-available" and "sites-enabled" directories. You can still have
|
||||||
|
one "radiusd.conf" file, and put the server configuration there:
|
||||||
|
|
||||||
|
...
|
||||||
|
server {
|
||||||
|
authorize {
|
||||||
|
...
|
||||||
|
}
|
||||||
|
authenticate {
|
||||||
|
...
|
||||||
|
}
|
||||||
|
...
|
||||||
|
}
|
||||||
|
...
|
||||||
|
|
||||||
|
The power of virtual servers lies in their ability to separate
|
||||||
|
policies. A policy can be placed into a virtual server, where it is
|
||||||
|
guaranteed to affect only the requests that are passed through that
|
||||||
|
virtual server. In 1.x, the policies were global, and it sometimes
|
||||||
|
took much effort to write a policy so that it only applied in certain
|
||||||
|
limited situations.
|
||||||
|
|
||||||
|
|
||||||
|
2. What do we mean by "virtual server"?
|
||||||
|
|
||||||
|
|
||||||
|
A virtual server is a (nearly complete) RADIUS server, just like a
|
||||||
|
configuration for FreeRADIUS 1.x. However, FreeRADIUS can now run
|
||||||
|
multiple virtual servers at the same time. The virtual servers can
|
||||||
|
even proxy requests to each other!
|
||||||
|
|
||||||
|
The simplest way to create a virtual server is to take the all of
|
||||||
|
the request processing sections from radius.conf, ("authorize" ,
|
||||||
|
"authenticate", etc.) and wrap them in a "server {}" block, as above.
|
||||||
|
|
||||||
|
You can create another virtual server by:
|
||||||
|
|
||||||
|
1) defining a new "server foo {...}" section in radiusd.conf
|
||||||
|
2) Putting the normal "authorize", etc. sections inside of it
|
||||||
|
3) Adding a "listen" section *inside* of the "server" section.
|
||||||
|
|
||||||
|
e.g.
|
||||||
|
|
||||||
|
...
|
||||||
|
server foo {
|
||||||
|
listen {
|
||||||
|
ipaddr = 127.0.0.1
|
||||||
|
port = 2000
|
||||||
|
type = auth
|
||||||
|
}
|
||||||
|
|
||||||
|
authorize {
|
||||||
|
update control {
|
||||||
|
Cleartext-Password := "bob"
|
||||||
|
}
|
||||||
|
pap
|
||||||
|
}
|
||||||
|
|
||||||
|
authenticate {
|
||||||
|
pap
|
||||||
|
}
|
||||||
|
}
|
||||||
|
...
|
||||||
|
|
||||||
|
With that text added to "radiusd.conf", run the server in debugging
|
||||||
|
mode (radiusd -X), and in another terminal window, type:
|
||||||
|
|
||||||
|
$ radtest bob bob localhost:2000 0 testing123
|
||||||
|
|
||||||
|
You should see the server return an Access-Accept.
|
||||||
|
|
||||||
|
|
||||||
|
3. Capabilities and limitations
|
||||||
|
|
||||||
|
|
||||||
|
The only sub-sections that can appear in a virtual server section
|
||||||
|
are:
|
||||||
|
|
||||||
|
listen
|
||||||
|
client
|
||||||
|
authorize
|
||||||
|
authenticate
|
||||||
|
post-auth
|
||||||
|
pre-proxy
|
||||||
|
post-proxy
|
||||||
|
preacct
|
||||||
|
accounting
|
||||||
|
session
|
||||||
|
|
||||||
|
All other configuration parameters (modules, etc.) are global.
|
||||||
|
|
||||||
|
Inside of a virtual server, the authorize, etc. sections have their
|
||||||
|
normal meaning, and can contain anything that an authorize section
|
||||||
|
could contain in 1.x.
|
||||||
|
|
||||||
|
When a "listen" section is inside of a virtual server definition, it
|
||||||
|
means that all requests sent to that IP/port will be processed through
|
||||||
|
the virtual server. There cannot be two "listen" sections with the
|
||||||
|
same IP address and port number.
|
||||||
|
|
||||||
|
When a "client" section is inside of a virtual server definition, it
|
||||||
|
means that that client is known only to the "listen" sections that are
|
||||||
|
also inside of that virtual server. Not only is this client
|
||||||
|
definition available only to this virtual server, but the details of
|
||||||
|
the client configuration is also available only to this virtual
|
||||||
|
server.
|
||||||
|
|
||||||
|
i.e. Two virtual servers can listen on different IP address and
|
||||||
|
ports, but both can have a client with IP address 127.0.0.1. The
|
||||||
|
shared secret for that client can be different for each virtual
|
||||||
|
server.
|
||||||
|
|
||||||
|
|
||||||
|
4. More complex "listen" capabilities
|
||||||
|
|
||||||
|
The "listen" sections have a few additional configuration items that
|
||||||
|
were not in 1.x, and were not mentioned above. These configuration
|
||||||
|
items enable almost any mapping of IP / port to clients to virtual
|
||||||
|
servers.
|
||||||
|
|
||||||
|
The configuration items are:
|
||||||
|
|
||||||
|
virtual_server = <name>
|
||||||
|
|
||||||
|
If set, all requests sent to this IP / port are processed
|
||||||
|
through the named virtual server.
|
||||||
|
|
||||||
|
This directive can be used only for "listen" sections
|
||||||
|
that are global. i.e. It CANNOT be used if the
|
||||||
|
"listen" section is inside of a virtual server.
|
||||||
|
|
||||||
|
clients = <name>
|
||||||
|
|
||||||
|
If set, the "listen" section looks for a "clients" section:
|
||||||
|
|
||||||
|
clients <name> {
|
||||||
|
...
|
||||||
|
}
|
||||||
|
|
||||||
|
It looks inside of that named "clients" section for
|
||||||
|
"client" subsections, at least one of which must
|
||||||
|
exist. Each client in that section is added to the
|
||||||
|
list of known clients for this IP / port. No other
|
||||||
|
clients are known.
|
||||||
|
|
||||||
|
If it is set, it over-rides the list of clients (if
|
||||||
|
any) in the same virtual server. Note that the
|
||||||
|
clients are NOT additive!
|
||||||
|
|
||||||
|
If it is not set, then the clients from the current
|
||||||
|
virtual server (if any) are used. If there are no
|
||||||
|
clients in this virtual server, then the global
|
||||||
|
clients are used.
|
||||||
|
|
||||||
|
i.e. The most specific directive is used:
|
||||||
|
* configuration in this "listen" section
|
||||||
|
* clients in the same virtual server
|
||||||
|
* global clients
|
||||||
|
|
||||||
|
The directives are also *exclusive*, not *additive*.
|
||||||
|
If you have one client in a virtual server, and
|
||||||
|
another client referenced from a "listen" section,
|
||||||
|
then that "listen" section will ONLY use the second
|
||||||
|
client. It will NOT use both clients.
|
||||||
|
|
||||||
|
|
||||||
|
5. More complex "client" capabilities
|
||||||
|
|
||||||
|
The "client" sections have a few additional configuration items that
|
||||||
|
were not in 1.x, and were not mentioned above. These configuration
|
||||||
|
items enable almost any mapping of IP / port to clients to virtual
|
||||||
|
servers.
|
||||||
|
|
||||||
|
The configuration items are:
|
||||||
|
|
||||||
|
virtual_server = <name>
|
||||||
|
|
||||||
|
If set, all requests from this client are processed
|
||||||
|
through the named virtual server.
|
||||||
|
|
||||||
|
This directive can be used only for "client" sections
|
||||||
|
that are global. i.e. It CANNOT be used if the
|
||||||
|
"client" section is inside of a virtual server.
|
||||||
|
|
||||||
|
If the "listen" section has a "server" entry, and a matching
|
||||||
|
client is found ALSO with a "server" entry, then the clients server is
|
||||||
|
used for that request.
|
||||||
|
|
||||||
|
|
||||||
|
6. Worked examples
|
||||||
|
|
||||||
|
|
||||||
|
Listening on one socket, and mapping requests from two clients to
|
||||||
|
two different servers.
|
||||||
|
|
||||||
|
listen {
|
||||||
|
...
|
||||||
|
}
|
||||||
|
client one {
|
||||||
|
...
|
||||||
|
virtual_server = server_one
|
||||||
|
}
|
||||||
|
client two {
|
||||||
|
...
|
||||||
|
virtual_server = server_two
|
||||||
|
}
|
||||||
|
server server_one {
|
||||||
|
authorize {
|
||||||
|
...
|
||||||
|
}
|
||||||
|
...
|
||||||
|
}
|
||||||
|
server server_two {
|
||||||
|
authorize {
|
||||||
|
...
|
||||||
|
}
|
||||||
|
...
|
||||||
|
}
|
||||||
|
|
||||||
|
This could also be done as:
|
||||||
|
|
||||||
|
|
||||||
|
listen {
|
||||||
|
...
|
||||||
|
virtual_server = server_one
|
||||||
|
}
|
||||||
|
client one {
|
||||||
|
...
|
||||||
|
}
|
||||||
|
client two {
|
||||||
|
...
|
||||||
|
virtual_server = server_two
|
||||||
|
}
|
||||||
|
server server_one {
|
||||||
|
authorize {
|
||||||
|
...
|
||||||
|
}
|
||||||
|
...
|
||||||
|
}
|
||||||
|
server server_two {
|
||||||
|
authorize {
|
||||||
|
...
|
||||||
|
}
|
||||||
|
...
|
||||||
|
}
|
||||||
|
|
||||||
|
In this case, the default server for the socket is "server_one", so
|
||||||
|
there is no need to set that in the client "one" configuration. The
|
||||||
|
"server_two" configuration for client "two" over-rides the default
|
||||||
|
setting for the socket.
|
||||||
|
|
||||||
|
Note that the following configuration will NOT work:
|
||||||
|
|
||||||
|
listen {
|
||||||
|
...
|
||||||
|
virtual_server = server_one
|
||||||
|
}
|
||||||
|
client one {
|
||||||
|
...
|
||||||
|
}
|
||||||
|
server server_one {
|
||||||
|
authorize {
|
||||||
|
...
|
||||||
|
}
|
||||||
|
...
|
||||||
|
}
|
||||||
|
server server_two {
|
||||||
|
client two {
|
||||||
|
...
|
||||||
|
}
|
||||||
|
authorize {
|
||||||
|
...
|
||||||
|
}
|
||||||
|
...
|
||||||
|
}
|
||||||
|
|
||||||
|
In this example, client "two" is hidden inside of the virtual
|
||||||
|
server, where the "listen" section cannot find it.
|
||||||
|
|
||||||
|
|
||||||
|
7. Outlined examples
|
||||||
|
|
||||||
|
This section outlines a number of examples, with alternatives.
|
||||||
|
|
||||||
|
One server, multiple sockets
|
||||||
|
- multiple "listen" sections in a "server" section
|
||||||
|
|
||||||
|
one server per client
|
||||||
|
- define multiple servers
|
||||||
|
- have a global "listen" section
|
||||||
|
- have multiple global "clients", each with "virtual_server = X"
|
||||||
|
|
||||||
|
two servers, each with their own sockets
|
||||||
|
- define multiple servers
|
||||||
|
- put "client" sections into each "server"
|
||||||
|
- put a "listen" section into each "server"
|
||||||
|
|
||||||
|
Each server can list the same client IP, and the secret
|
||||||
|
can be different
|
||||||
|
|
||||||
|
two sockets, sharing a list of clients, but pointing to different servers
|
||||||
|
- define global "listen" sections
|
||||||
|
- in each, set "virtual_server = X"
|
||||||
|
- in each, set "clients = Y"
|
||||||
|
- define "clients Y" section, containing multiple clients.
|
||||||
|
|
||||||
|
This also means that you can have a third socket, which
|
||||||
|
doesn't share any of these clients.
|
||||||
|
|
||||||
|
|
||||||
|
8. How to decide what to do
|
||||||
|
|
||||||
|
|
||||||
|
If you want *completely* separate policies for a socket or a client,
|
||||||
|
then create a separate virtual server. Then, map the request to that
|
||||||
|
server by setting configuration entries in a "listen" section or in a
|
||||||
|
"client" section.
|
||||||
|
|
||||||
|
Start off with the common cases first. If most of the clients
|
||||||
|
and/or sockets get a particular policy, make that policy the default.
|
||||||
|
Configure it without paying attention to the sockets or clients you
|
||||||
|
want to add later, and without adding a second virtual server. Once
|
||||||
|
it works, then add the second virtual server.
|
||||||
|
|
||||||
|
If you want to re-use the previously defined sockets with the second
|
||||||
|
virtual server, then you will need one or more global "client"
|
||||||
|
sections. Those clients will contain a "virtual_server = ..." entry
|
||||||
|
that will direct requests from those clients to the appropriate
|
||||||
|
virtual server.
|
|
@ -0,0 +1,129 @@
|
||||||
|
# -*- text -*-
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# In 2.0.0, radrelay functionality is integrated into the
|
||||||
|
# server core. This virtual server gives an example of
|
||||||
|
# using radrelay functionality inside of the server.
|
||||||
|
#
|
||||||
|
# In this example, the detail file is read, and the data
|
||||||
|
# is put into SQL. This configuration is used when a RADIUS
|
||||||
|
# server on this machine is receiving accounting packets,
|
||||||
|
# and writing them to the detail file.
|
||||||
|
#
|
||||||
|
# The purpose of this virtual server is to de-couple the storage
|
||||||
|
# of long-term accounting data in SQL from "live" information
|
||||||
|
# needed by the RADIUS server as it is running.
|
||||||
|
#
|
||||||
|
# The benefit of this approach is that for a busy server, the
|
||||||
|
# overhead of performing SQL qeuries may be significant. Also,
|
||||||
|
# if the SQL databases are large (as is typical for ones storing
|
||||||
|
# months of data), the INSERTs and UPDATEs may take a relatively
|
||||||
|
# long time. Rather than slowing down the RADIUS server by
|
||||||
|
# having it interact with a database, you can just log the
|
||||||
|
# packets to a detail file, and then read that file later at a
|
||||||
|
# time when the RADIUS server is typically lightly loaded.
|
||||||
|
#
|
||||||
|
# If you use on virtual server to log to the detail file,
|
||||||
|
# and another virtual server (i.e. this one) to read from
|
||||||
|
# the detail file, then this process will happen automatically.
|
||||||
|
# A sudden spike of RADIUS traffic means that the detail file
|
||||||
|
# will grow in size, and the server will be able to handle
|
||||||
|
# large volumes of traffic quickly. When the traffic dies down,
|
||||||
|
# the server will have time to read the detail file, and insert
|
||||||
|
# the data into a long-term SQL database.
|
||||||
|
#
|
||||||
|
# $Id: 3f64cbb500cdda5014157e4776e871419f0b64df $
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
server buffered-sql {
|
||||||
|
listen {
|
||||||
|
type = detail
|
||||||
|
|
||||||
|
# The location where the detail file is located.
|
||||||
|
# This should be on local disk, and NOT on an NFS
|
||||||
|
# mounted location!
|
||||||
|
filename = "${radacctdir}/detail-*"
|
||||||
|
|
||||||
|
#
|
||||||
|
# The server can read accounting packets from the
|
||||||
|
# detail file much more quickly than those packets
|
||||||
|
# can be written to a database. If the database is
|
||||||
|
# overloaded, then bad things can happen.
|
||||||
|
#
|
||||||
|
# The server will keep track of how long it takes to
|
||||||
|
# process an entry from the detail file. It will
|
||||||
|
# then pause between handling entries. This pause
|
||||||
|
# allows databases to "catch up", and gives the
|
||||||
|
# server time to notice that other packets may have
|
||||||
|
# arrived.
|
||||||
|
#
|
||||||
|
# The pause is calculated dynamically, to ensure that
|
||||||
|
# the load due to reading the detail files is limited
|
||||||
|
# to a small percentage of CPU time. The
|
||||||
|
# "load_factor" configuration item is a number
|
||||||
|
# between 1 and 100. The server will try to keep the
|
||||||
|
# percentage of time taken by "detail" file entries
|
||||||
|
# to "load_factor" percentage of the CPU time.
|
||||||
|
#
|
||||||
|
# If the "load_factor" is set to 100, then the server
|
||||||
|
# will read packets as fast as it can, usually
|
||||||
|
# causing databases to go into overload.
|
||||||
|
#
|
||||||
|
load_factor = 10
|
||||||
|
|
||||||
|
#
|
||||||
|
# Set the interval for polling the detail file.
|
||||||
|
# If the detail file doesn't exist, the server will
|
||||||
|
# wake up, and poll for it every N seconds.
|
||||||
|
#
|
||||||
|
# Useful range of values: 1 to 60
|
||||||
|
poll_interval = 1
|
||||||
|
|
||||||
|
#
|
||||||
|
# Set the retry interval for when the home server
|
||||||
|
# does not respond. The current packet will be
|
||||||
|
# sent repeatedly, at this interval, until the
|
||||||
|
# home server responds.
|
||||||
|
#
|
||||||
|
# Useful range of values: 5 to 30
|
||||||
|
retry_interval = 30
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Pre-accounting. Decide which accounting type to use.
|
||||||
|
#
|
||||||
|
preacct {
|
||||||
|
preprocess
|
||||||
|
|
||||||
|
#
|
||||||
|
# Ensure that we have a semi-unique identifier for every
|
||||||
|
# request, and many NAS boxes are broken.
|
||||||
|
acct_unique
|
||||||
|
|
||||||
|
#
|
||||||
|
# Read the 'acct_users' file. This isn't always
|
||||||
|
# necessary, and can be deleted if you do not use it.
|
||||||
|
files
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Accounting. Log the accounting data.
|
||||||
|
#
|
||||||
|
accounting {
|
||||||
|
#
|
||||||
|
# Log traffic to an SQL database.
|
||||||
|
#
|
||||||
|
# See "Accounting queries" in sql.conf
|
||||||
|
# sql
|
||||||
|
|
||||||
|
|
||||||
|
# Cisco VoIP specific bulk accounting
|
||||||
|
# pgsql-voip
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
# The requests are not being proxied, so no pre/post-proxy
|
||||||
|
# sections are necessary.
|
||||||
|
}
|
|
@ -0,0 +1,43 @@
|
||||||
|
# -*- text -*-
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# Sample virtual server for receiving a CoA or Disconnect-Request packet.
|
||||||
|
#
|
||||||
|
|
||||||
|
# Listen on the CoA port.
|
||||||
|
#
|
||||||
|
# This uses the normal set of clients, with the same secret as for
|
||||||
|
# authentication and accounting.
|
||||||
|
#
|
||||||
|
listen {
|
||||||
|
type = coa
|
||||||
|
ipaddr = *
|
||||||
|
port = 3799
|
||||||
|
server = coa
|
||||||
|
}
|
||||||
|
|
||||||
|
server coa {
|
||||||
|
# When a packet is received, it is processed through the
|
||||||
|
# recv-coa section. This applies to *both* CoA-Request and
|
||||||
|
# Disconnect-Request packets.
|
||||||
|
recv-coa {
|
||||||
|
# CoA && Disconnect packets can be proxied in the same
|
||||||
|
# way as authentication or accounting packets.
|
||||||
|
# Just set Proxy-To-Realm, or Home-Server-Pool, and the
|
||||||
|
# packets will be proxied.
|
||||||
|
|
||||||
|
# Insert your own policies here.
|
||||||
|
ok
|
||||||
|
}
|
||||||
|
|
||||||
|
# When a packet is sent, it is processed through the
|
||||||
|
# recv-coa section. This applies to *both* CoA-Request and
|
||||||
|
# Disconnect-Request packets.
|
||||||
|
send-coa {
|
||||||
|
# Sample module.
|
||||||
|
ok
|
||||||
|
}
|
||||||
|
|
||||||
|
# You can use pre-proxy and post-proxy sections here, too.
|
||||||
|
# They will be processed for sending && receiving proxy packets.
|
||||||
|
}
|
|
@ -0,0 +1,73 @@
|
||||||
|
# -*- text -*-
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# Control socket interface.
|
||||||
|
#
|
||||||
|
# In the future, we will add username/password checking for
|
||||||
|
# connections to the control socket. We will also add
|
||||||
|
# command authorization, where the commands entered by the
|
||||||
|
# administrator are run through a virtual server before
|
||||||
|
# they are executed.
|
||||||
|
#
|
||||||
|
# For now, anyone who has permission to connect to the socket
|
||||||
|
# has nearly complete control over the server. Be warned!
|
||||||
|
#
|
||||||
|
# This functionality is NOT enabled by default.
|
||||||
|
#
|
||||||
|
# See also the "radmin" program, which is used to communicate
|
||||||
|
# with the server over the control socket.
|
||||||
|
#
|
||||||
|
# $Id: 6a6f2b9428713083720b145d12c90b9747510ec1 $
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
listen {
|
||||||
|
#
|
||||||
|
# Listen on the control socket.
|
||||||
|
#
|
||||||
|
type = control
|
||||||
|
|
||||||
|
#
|
||||||
|
# Socket location.
|
||||||
|
#
|
||||||
|
# This file is created with the server's uid and gid.
|
||||||
|
# It's permissions are r/w for that user and group, and
|
||||||
|
# no permissions for "other" users. These permissions form
|
||||||
|
# minimal security, and should not be relied on.
|
||||||
|
#
|
||||||
|
socket = ${run_dir}/${name}.sock
|
||||||
|
|
||||||
|
#
|
||||||
|
# The following two parameters perform authentication and
|
||||||
|
# authorization of connections to the control socket.
|
||||||
|
#
|
||||||
|
# If not set, then ANYONE can connect to the control socket,
|
||||||
|
# and have complete control over the server. This is likely
|
||||||
|
# not what you want.
|
||||||
|
#
|
||||||
|
# One, or both, of "uid" and "gid" should be set. If set, the
|
||||||
|
# corresponding value is checked. Unauthorized users result
|
||||||
|
# in an error message in the log file, and the connection is
|
||||||
|
# closed.
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# Name of user that is allowed to connect to the control socket.
|
||||||
|
#
|
||||||
|
# uid = radius
|
||||||
|
|
||||||
|
#
|
||||||
|
# Name of group that is allowed to connect to the control socket.
|
||||||
|
#
|
||||||
|
# gid = radius
|
||||||
|
|
||||||
|
#
|
||||||
|
# Access mode.
|
||||||
|
#
|
||||||
|
# This can be used to give *some* administrators access to
|
||||||
|
# monitor the system, but not to change it.
|
||||||
|
#
|
||||||
|
# ro = read only access (default)
|
||||||
|
# rw = read/write access.
|
||||||
|
#
|
||||||
|
# mode = rw
|
||||||
|
}
|
|
@ -0,0 +1,171 @@
|
||||||
|
# -*- text -*-
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# In 2.0.0, radrelay functionality is integrated into the
|
||||||
|
# server core. This virtual server gives an example of
|
||||||
|
# using radrelay functionality inside of the server.
|
||||||
|
#
|
||||||
|
# In this example, the detail file is read, and the packets
|
||||||
|
# are proxied to a home server. You will have to configure
|
||||||
|
# realms, home_server_pool, and home_server in proxy.conf
|
||||||
|
# for this to work.
|
||||||
|
#
|
||||||
|
# The purpose of this virtual server is to enable duplication
|
||||||
|
# of information across a load-balanced, or fail-over set of
|
||||||
|
# servers. For example, if a group of clients lists two
|
||||||
|
# home servers (primary, secondary), then RADIUS accounting
|
||||||
|
# messages will go only to one server at a time. This file
|
||||||
|
# configures a server (primary, secondary) to send copies of
|
||||||
|
# the accounting information to each other.
|
||||||
|
#
|
||||||
|
# That way, each server has the same set of information, and
|
||||||
|
# can make the same decision about the user.
|
||||||
|
#
|
||||||
|
# $Id: 5f9a522f0b02178a956f63145b6b43c427260ce0 $
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
server copy-acct-to-home-server {
|
||||||
|
listen {
|
||||||
|
type = detail
|
||||||
|
|
||||||
|
######################################################
|
||||||
|
#
|
||||||
|
# !!!! WARNING !!!!
|
||||||
|
#
|
||||||
|
# The detail file reader acts just like a NAS.
|
||||||
|
#
|
||||||
|
# This means that if accounting fails, the packet
|
||||||
|
# is re-tried FOREVER. It is YOUR responsibility
|
||||||
|
# to write an accounting policy that returns "ok"
|
||||||
|
# if the packet was processed properly, "fail" on
|
||||||
|
# a database error, AND "ok" if you want to ignore
|
||||||
|
# the packet (e.g. no Acct-Status-Type).
|
||||||
|
#
|
||||||
|
# Neither the detail file write OR the detail file
|
||||||
|
# reader look at the contents of the packets. They
|
||||||
|
# just either dump the packet verbatim to the file,
|
||||||
|
# or read it verbatim from the file and pass it to
|
||||||
|
# the server.
|
||||||
|
#
|
||||||
|
######################################################
|
||||||
|
|
||||||
|
|
||||||
|
# The location where the detail file is located.
|
||||||
|
# This should be on local disk, and NOT on an NFS
|
||||||
|
# mounted location!
|
||||||
|
#
|
||||||
|
# On most systems, this should support file globbing
|
||||||
|
# e.g. "${radacctdir}/detail-*:*"
|
||||||
|
# This lets you write many smaller detail files as in
|
||||||
|
# the example in radiusd.conf: ".../detail-%Y%m%d:%H"
|
||||||
|
# Writing many small files is often better than writing
|
||||||
|
# one large file. File globbing also means that with
|
||||||
|
# a common naming scheme for detail files, then you can
|
||||||
|
# have many detail file writers, and only one reader.
|
||||||
|
filename = ${radacctdir}/detail
|
||||||
|
|
||||||
|
#
|
||||||
|
# The server can read accounting packets from the
|
||||||
|
# detail file much more quickly than those packets
|
||||||
|
# can be written to a database. If the database is
|
||||||
|
# overloaded, then bad things can happen.
|
||||||
|
#
|
||||||
|
# The server will keep track of how long it takes to
|
||||||
|
# process an entry from the detail file. It will
|
||||||
|
# then pause between handling entries. This pause
|
||||||
|
# allows databases to "catch up", and gives the
|
||||||
|
# server time to notice that other packets may have
|
||||||
|
# arrived.
|
||||||
|
#
|
||||||
|
# The pause is calculated dynamically, to ensure that
|
||||||
|
# the load due to reading the detail files is limited
|
||||||
|
# to a small percentage of CPU time. The
|
||||||
|
# "load_factor" configuration item is a number
|
||||||
|
# between 1 and 100. The server will try to keep the
|
||||||
|
# percentage of time taken by "detail" file entries
|
||||||
|
# to "load_factor" percentage of the CPU time.
|
||||||
|
#
|
||||||
|
# If the "load_factor" is set to 100, then the server
|
||||||
|
# will read packets as fast as it can, usually
|
||||||
|
# causing databases to go into overload.
|
||||||
|
#
|
||||||
|
load_factor = 10
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Pre-accounting. Decide which accounting type to use.
|
||||||
|
#
|
||||||
|
preacct {
|
||||||
|
preprocess
|
||||||
|
|
||||||
|
# Since we're just proxying, we don't need acct_unique.
|
||||||
|
|
||||||
|
#
|
||||||
|
# Look for IPASS-style 'realm/', and if not found, look for
|
||||||
|
# '@realm', and decide whether or not to proxy, based on
|
||||||
|
# that.
|
||||||
|
#
|
||||||
|
# Accounting requests are generally proxied to the same
|
||||||
|
# home server as authentication requests.
|
||||||
|
# IPASS
|
||||||
|
suffix
|
||||||
|
# ntdomain
|
||||||
|
|
||||||
|
#
|
||||||
|
# Read the 'acct_users' file. This isn't always
|
||||||
|
# necessary, and can be deleted if you do not use it.
|
||||||
|
files
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Accounting. Log the accounting data.
|
||||||
|
#
|
||||||
|
accounting {
|
||||||
|
#
|
||||||
|
# Since we're proxying, we don't log anything
|
||||||
|
# locally. Ensure that the accounting section
|
||||||
|
# "succeeds" by forcing an "ok" return.
|
||||||
|
ok
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# When the server decides to proxy a request to a home server,
|
||||||
|
# the proxied request is first passed through the pre-proxy
|
||||||
|
# stage. This stage can re-write the request, or decide to
|
||||||
|
# cancel the proxy.
|
||||||
|
#
|
||||||
|
# Only a few modules currently have this method.
|
||||||
|
#
|
||||||
|
pre-proxy {
|
||||||
|
# attr_rewrite
|
||||||
|
|
||||||
|
# If you want to have a log of packets proxied to a home
|
||||||
|
# server, un-comment the following line, and the
|
||||||
|
# 'detail pre_proxy_log' section in radiusd.conf.
|
||||||
|
# pre_proxy_log
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# When the server receives a reply to a request it proxied
|
||||||
|
# to a home server, the request may be massaged here, in the
|
||||||
|
# post-proxy stage.
|
||||||
|
#
|
||||||
|
post-proxy {
|
||||||
|
#
|
||||||
|
|
||||||
|
# If you want to have a log of replies from a home
|
||||||
|
# server, un-comment the following line, and the
|
||||||
|
# 'detail post_proxy_log' section in radiusd.conf.
|
||||||
|
# post_proxy_log
|
||||||
|
|
||||||
|
# attr_rewrite
|
||||||
|
|
||||||
|
# Uncomment the following line if you want to filter
|
||||||
|
# replies from remote proxies based on the rules
|
||||||
|
# defined in the 'attrs' file.
|
||||||
|
|
||||||
|
# attr_filter
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,140 @@
|
||||||
|
# -*- text -*-
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# This is a sample configuration for "decoupled" accounting.
|
||||||
|
# "Decoupled" accounting is where the accounting packets are
|
||||||
|
# NOT written "live" to the back-end database. This method
|
||||||
|
# can only be used if you are not interested in "live"
|
||||||
|
# accounting. i.e. Where you can tolerate delays that may be
|
||||||
|
# a few seconds, before accounting packets get written to
|
||||||
|
# the DB.
|
||||||
|
#
|
||||||
|
# Oddly enough, this method can speed up the processing of
|
||||||
|
# accounting packets, as all database activity is serialized.
|
||||||
|
#
|
||||||
|
# This file is NOT meant to be used as-is. It needs to be
|
||||||
|
# edited to match your local configuration.
|
||||||
|
#
|
||||||
|
# $Id: 199258dd7f3b3a5f3ce23d0a82798b256c85af66 $
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
# Define a virtual server to write the accounting packets.
|
||||||
|
# Any "listen" section that listens on an accounting port should
|
||||||
|
# set "virtual_server = write-detail.example.com
|
||||||
|
server write_detail.example.com {
|
||||||
|
accounting {
|
||||||
|
#
|
||||||
|
# Write the "detail" files.
|
||||||
|
#
|
||||||
|
# See raddb/modules/detail.example.com for more info.
|
||||||
|
detail.example.com
|
||||||
|
}
|
||||||
|
|
||||||
|
# That's it!
|
||||||
|
}
|
||||||
|
|
||||||
|
# Define a virtual server to process the accounting packets.
|
||||||
|
server read-detail.example.com {
|
||||||
|
# Read accounting packets from the detail file(s) for
|
||||||
|
# the home server.
|
||||||
|
listen {
|
||||||
|
type = detail
|
||||||
|
filename = "${radacctdir}/detail.example.com/detail-*:*"
|
||||||
|
load_factor = 10
|
||||||
|
}
|
||||||
|
|
||||||
|
# All packets read from the detail file are processed through
|
||||||
|
# the preacct && accounting sections.
|
||||||
|
#
|
||||||
|
# The following text is copied verbatim from sites-available/default.
|
||||||
|
# You should edit it for your own local configuration.
|
||||||
|
|
||||||
|
#
|
||||||
|
# Pre-accounting. Decide which accounting type to use.
|
||||||
|
#
|
||||||
|
preacct {
|
||||||
|
preprocess
|
||||||
|
|
||||||
|
#
|
||||||
|
# Ensure that we have a semi-unique identifier for every
|
||||||
|
# request, and many NAS boxes are broken.
|
||||||
|
acct_unique
|
||||||
|
|
||||||
|
#
|
||||||
|
# Look for IPASS-style 'realm/', and if not found, look for
|
||||||
|
# '@realm', and decide whether or not to proxy, based on
|
||||||
|
# that.
|
||||||
|
#
|
||||||
|
# Accounting requests are generally proxied to the same
|
||||||
|
# home server as authentication requests.
|
||||||
|
# IPASS
|
||||||
|
suffix
|
||||||
|
# ntdomain
|
||||||
|
|
||||||
|
#
|
||||||
|
# Read the 'acct_users' file
|
||||||
|
files
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Accounting. Log the accounting data.
|
||||||
|
#
|
||||||
|
accounting {
|
||||||
|
#
|
||||||
|
# Create a 'detail'ed log of the packets.
|
||||||
|
# Note that accounting requests which are proxied
|
||||||
|
# are also logged in the detail file.
|
||||||
|
detail
|
||||||
|
# daily
|
||||||
|
|
||||||
|
# Update the wtmp file
|
||||||
|
#
|
||||||
|
# If you don't use "radlast", you can delete this line.
|
||||||
|
unix
|
||||||
|
|
||||||
|
#
|
||||||
|
# For Simultaneous-Use tracking.
|
||||||
|
#
|
||||||
|
# Due to packet losses in the network, the data here
|
||||||
|
# may be incorrect. There is little we can do about it.
|
||||||
|
radutmp
|
||||||
|
# sradutmp
|
||||||
|
|
||||||
|
# Return an address to the IP Pool when we see a stop record.
|
||||||
|
# main_pool
|
||||||
|
|
||||||
|
#
|
||||||
|
# Log traffic to an SQL database.
|
||||||
|
#
|
||||||
|
# NOTE! You will have to ensure that any accounting packets
|
||||||
|
# NOT handled by the SQL module (e.g. "stop with zero session length"
|
||||||
|
# result in the accounting section still returning "ok".
|
||||||
|
#
|
||||||
|
# Otherwise, the server will think that the accounting packet
|
||||||
|
# was NOT handled properly, and will keep trying to process it
|
||||||
|
# through this virtual server!
|
||||||
|
#
|
||||||
|
# See "Accounting queries" in sql.conf
|
||||||
|
# sql
|
||||||
|
|
||||||
|
#
|
||||||
|
# Instead of sending the query to the SQL server,
|
||||||
|
# write it into a log file.
|
||||||
|
#
|
||||||
|
# sql_log
|
||||||
|
|
||||||
|
# Cisco VoIP specific bulk accounting
|
||||||
|
# pgsql-voip
|
||||||
|
|
||||||
|
# Filter attributes from the accounting response.
|
||||||
|
attr_filter.accounting_response
|
||||||
|
|
||||||
|
#
|
||||||
|
# See "Autz-Type Status-Server" for how this works.
|
||||||
|
#
|
||||||
|
# Acct-Type Status-Server {
|
||||||
|
#
|
||||||
|
# }
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,661 @@
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# As of 2.0.0, FreeRADIUS supports virtual hosts using the
|
||||||
|
# "server" section, and configuration directives.
|
||||||
|
#
|
||||||
|
# Virtual hosts should be put into the "sites-available"
|
||||||
|
# directory. Soft links should be created in the "sites-enabled"
|
||||||
|
# directory to these files. This is done in a normal installation.
|
||||||
|
#
|
||||||
|
# If you are using 802.1X (EAP) authentication, please see also
|
||||||
|
# the "inner-tunnel" virtual server. You wll likely have to edit
|
||||||
|
# that, too, for authentication to work.
|
||||||
|
#
|
||||||
|
# $Id: 520ccbc90f3a09cd6a80e1e3b16000b7ba94d884 $
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# Read "man radiusd" before editing this file. See the section
|
||||||
|
# titled DEBUGGING. It outlines a method where you can quickly
|
||||||
|
# obtain the configuration you want, without running into
|
||||||
|
# trouble. See also "man unlang", which documents the format
|
||||||
|
# of this file.
|
||||||
|
#
|
||||||
|
# This configuration is designed to work in the widest possible
|
||||||
|
# set of circumstances, with the widest possible number of
|
||||||
|
# authentication methods. This means that in general, you should
|
||||||
|
# need to make very few changes to this file.
|
||||||
|
#
|
||||||
|
# The best way to configure the server for your local system
|
||||||
|
# is to CAREFULLY edit this file. Most attempts to make large
|
||||||
|
# edits to this file will BREAK THE SERVER. Any edits should
|
||||||
|
# be small, and tested by running the server with "radiusd -X".
|
||||||
|
# Once the edits have been verified to work, save a copy of these
|
||||||
|
# configuration files somewhere. (e.g. as a "tar" file). Then,
|
||||||
|
# make more edits, and test, as above.
|
||||||
|
#
|
||||||
|
# There are many "commented out" references to modules such
|
||||||
|
# as ldap, sql, etc. These references serve as place-holders.
|
||||||
|
# If you need the functionality of that module, then configure
|
||||||
|
# it in radiusd.conf, and un-comment the references to it in
|
||||||
|
# this file. In most cases, those small changes will result
|
||||||
|
# in the server being able to connect to the DB, and to
|
||||||
|
# authenticate users.
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
#
|
||||||
|
# In 1.x, the "authorize", etc. sections were global in
|
||||||
|
# radiusd.conf. As of 2.0, they SHOULD be in a server section.
|
||||||
|
#
|
||||||
|
# The server section with no virtual server name is the "default"
|
||||||
|
# section. It is used when no server name is specified.
|
||||||
|
#
|
||||||
|
# We don't indent the rest of this file, because doing so
|
||||||
|
# would make it harder to read.
|
||||||
|
#
|
||||||
|
|
||||||
|
# Authorization. First preprocess (hints and huntgroups files),
|
||||||
|
# then realms, and finally look in the "users" file.
|
||||||
|
#
|
||||||
|
# Any changes made here should also be made to the "inner-tunnel"
|
||||||
|
# virtual server.
|
||||||
|
#
|
||||||
|
# The order of the realm modules will determine the order that
|
||||||
|
# we try to find a matching realm.
|
||||||
|
#
|
||||||
|
# Make *sure* that 'preprocess' comes before any realm if you
|
||||||
|
# need to setup hints for the remote radius server
|
||||||
|
authorize {
|
||||||
|
#
|
||||||
|
# Security settings. Take a User-Name, and do some simple
|
||||||
|
# checks on it, for spaces and other invalid characters. If
|
||||||
|
# it looks like the user is trying to play games, reject it.
|
||||||
|
#
|
||||||
|
# This should probably be enabled by default.
|
||||||
|
#
|
||||||
|
# See policy.conf for the definition of the filter_username policy.
|
||||||
|
#
|
||||||
|
# filter_username
|
||||||
|
|
||||||
|
#
|
||||||
|
# The preprocess module takes care of sanitizing some bizarre
|
||||||
|
# attributes in the request, and turning them into attributes
|
||||||
|
# which are more standard.
|
||||||
|
#
|
||||||
|
# It takes care of processing the 'raddb/hints' and the
|
||||||
|
# 'raddb/huntgroups' files.
|
||||||
|
preprocess
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you want to have a log of authentication requests,
|
||||||
|
# un-comment the following line, and the 'detail auth_log'
|
||||||
|
# section, above.
|
||||||
|
# auth_log
|
||||||
|
|
||||||
|
#
|
||||||
|
# The chap module will set 'Auth-Type := CHAP' if we are
|
||||||
|
# handling a CHAP request and Auth-Type has not already been set
|
||||||
|
chap
|
||||||
|
|
||||||
|
#
|
||||||
|
# If the users are logging in with an MS-CHAP-Challenge
|
||||||
|
# attribute for authentication, the mschap module will find
|
||||||
|
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
|
||||||
|
# to the request, which will cause the server to then use
|
||||||
|
# the mschap module for authentication.
|
||||||
|
mschap
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you have a Cisco SIP server authenticating against
|
||||||
|
# FreeRADIUS, uncomment the following line, and the 'digest'
|
||||||
|
# line in the 'authenticate' section.
|
||||||
|
digest
|
||||||
|
|
||||||
|
#
|
||||||
|
# The WiMAX specification says that the Calling-Station-Id
|
||||||
|
# is 6 octets of the MAC. This definition conflicts with
|
||||||
|
# RFC 3580, and all common RADIUS practices. Un-commenting
|
||||||
|
# the "wimax" module here means that it will fix the
|
||||||
|
# Calling-Station-Id attribute to the normal format as
|
||||||
|
# specified in RFC 3580 Section 3.21
|
||||||
|
# wimax
|
||||||
|
|
||||||
|
#
|
||||||
|
# Look for IPASS style 'realm/', and if not found, look for
|
||||||
|
# '@realm', and decide whether or not to proxy, based on
|
||||||
|
# that.
|
||||||
|
# IPASS
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you are using multiple kinds of realms, you probably
|
||||||
|
# want to set "ignore_null = yes" for all of them.
|
||||||
|
# Otherwise, when the first style of realm doesn't match,
|
||||||
|
# the other styles won't be checked.
|
||||||
|
#
|
||||||
|
suffix
|
||||||
|
# ntdomain
|
||||||
|
|
||||||
|
#
|
||||||
|
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
|
||||||
|
# authentication.
|
||||||
|
#
|
||||||
|
# It also sets the EAP-Type attribute in the request
|
||||||
|
# attribute list to the EAP type from the packet.
|
||||||
|
#
|
||||||
|
# As of 2.0, the EAP module returns "ok" in the authorize stage
|
||||||
|
# for TTLS and PEAP. In 1.x, it never returned "ok" here, so
|
||||||
|
# this change is compatible with older configurations.
|
||||||
|
#
|
||||||
|
# The example below uses module failover to avoid querying all
|
||||||
|
# of the following modules if the EAP module returns "ok".
|
||||||
|
# Therefore, your LDAP and/or SQL servers will not be queried
|
||||||
|
# for the many packets that go back and forth to set up TTLS
|
||||||
|
# or PEAP. The load on those servers will therefore be reduced.
|
||||||
|
#
|
||||||
|
eap {
|
||||||
|
ok = return
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
|
||||||
|
# using the system API's to get the password. If you want
|
||||||
|
# to read /etc/passwd or /etc/shadow directly, see the
|
||||||
|
# passwd module in radiusd.conf.
|
||||||
|
#
|
||||||
|
# unix
|
||||||
|
|
||||||
|
#
|
||||||
|
# Read the 'users' file
|
||||||
|
files
|
||||||
|
|
||||||
|
#
|
||||||
|
# Look in an SQL database. The schema of the database
|
||||||
|
# is meant to mirror the "users" file.
|
||||||
|
#
|
||||||
|
# See "Authorization Queries" in sql.conf
|
||||||
|
# sql
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you are using /etc/smbpasswd, and are also doing
|
||||||
|
# mschap authentication, the un-comment this line, and
|
||||||
|
# configure the 'smbpasswd' module.
|
||||||
|
# smbpasswd
|
||||||
|
|
||||||
|
#
|
||||||
|
# The ldap module will set Auth-Type to LDAP if it has not
|
||||||
|
# already been set
|
||||||
|
# ldap
|
||||||
|
|
||||||
|
#
|
||||||
|
# Enforce daily limits on time spent logged in.
|
||||||
|
# daily
|
||||||
|
|
||||||
|
#
|
||||||
|
# Use the checkval module
|
||||||
|
# checkval
|
||||||
|
|
||||||
|
expiration
|
||||||
|
logintime
|
||||||
|
|
||||||
|
#
|
||||||
|
# If no other module has claimed responsibility for
|
||||||
|
# authentication, then try to use PAP. This allows the
|
||||||
|
# other modules listed above to add a "known good" password
|
||||||
|
# to the request, and to do nothing else. The PAP module
|
||||||
|
# will then see that password, and use it to do PAP
|
||||||
|
# authentication.
|
||||||
|
#
|
||||||
|
# This module should be listed last, so that the other modules
|
||||||
|
# get a chance to set Auth-Type for themselves.
|
||||||
|
#
|
||||||
|
pap
|
||||||
|
|
||||||
|
#
|
||||||
|
# If "status_server = yes", then Status-Server messages are passed
|
||||||
|
# through the following section, and ONLY the following section.
|
||||||
|
# This permits you to do DB queries, for example. If the modules
|
||||||
|
# listed here return "fail", then NO response is sent.
|
||||||
|
#
|
||||||
|
# Autz-Type Status-Server {
|
||||||
|
#
|
||||||
|
# }
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Authentication.
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# This section lists which modules are available for authentication.
|
||||||
|
# Note that it does NOT mean 'try each module in order'. It means
|
||||||
|
# that a module from the 'authorize' section adds a configuration
|
||||||
|
# attribute 'Auth-Type := FOO'. That authentication type is then
|
||||||
|
# used to pick the apropriate module from the list below.
|
||||||
|
#
|
||||||
|
|
||||||
|
# In general, you SHOULD NOT set the Auth-Type attribute. The server
|
||||||
|
# will figure it out on its own, and will do the right thing. The
|
||||||
|
# most common side effect of erroneously setting the Auth-Type
|
||||||
|
# attribute is that one authentication method will work, but the
|
||||||
|
# others will not.
|
||||||
|
#
|
||||||
|
# The common reasons to set the Auth-Type attribute by hand
|
||||||
|
# is to either forcibly reject the user (Auth-Type := Reject),
|
||||||
|
# or to or forcibly accept the user (Auth-Type := Accept).
|
||||||
|
#
|
||||||
|
# Note that Auth-Type := Accept will NOT work with EAP.
|
||||||
|
#
|
||||||
|
# Please do not put "unlang" configurations into the "authenticate"
|
||||||
|
# section. Put them in the "post-auth" section instead. That's what
|
||||||
|
# the post-auth section is for.
|
||||||
|
#
|
||||||
|
authenticate {
|
||||||
|
#
|
||||||
|
# PAP authentication, when a back-end database listed
|
||||||
|
# in the 'authorize' section supplies a password. The
|
||||||
|
# password can be clear-text, or encrypted.
|
||||||
|
Auth-Type PAP {
|
||||||
|
pap
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Most people want CHAP authentication
|
||||||
|
# A back-end database listed in the 'authorize' section
|
||||||
|
# MUST supply a CLEAR TEXT password. Encrypted passwords
|
||||||
|
# won't work.
|
||||||
|
Auth-Type CHAP {
|
||||||
|
chap
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# MSCHAP authentication.
|
||||||
|
Auth-Type MS-CHAP {
|
||||||
|
mschap
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you have a Cisco SIP server authenticating against
|
||||||
|
# FreeRADIUS, uncomment the following line, and the 'digest'
|
||||||
|
# line in the 'authorize' section.
|
||||||
|
digest
|
||||||
|
|
||||||
|
#
|
||||||
|
# Pluggable Authentication Modules.
|
||||||
|
# pam
|
||||||
|
|
||||||
|
#
|
||||||
|
# See 'man getpwent' for information on how the 'unix'
|
||||||
|
# module checks the users password. Note that packets
|
||||||
|
# containing CHAP-Password attributes CANNOT be authenticated
|
||||||
|
# against /etc/passwd! See the FAQ for details.
|
||||||
|
#
|
||||||
|
# For normal "crypt" authentication, the "pap" module should
|
||||||
|
# be used instead of the "unix" module. The "unix" module should
|
||||||
|
# be used for authentication ONLY for compatibility with legacy
|
||||||
|
# FreeRADIUS configurations.
|
||||||
|
#
|
||||||
|
unix
|
||||||
|
|
||||||
|
# Uncomment it if you want to use ldap for authentication
|
||||||
|
#
|
||||||
|
# Note that this means "check plain-text password against
|
||||||
|
# the ldap database", which means that EAP won't work,
|
||||||
|
# as it does not supply a plain-text password.
|
||||||
|
# Auth-Type LDAP {
|
||||||
|
# ldap
|
||||||
|
# }
|
||||||
|
|
||||||
|
#
|
||||||
|
# Allow EAP authentication.
|
||||||
|
eap
|
||||||
|
|
||||||
|
#
|
||||||
|
# The older configurations sent a number of attributes in
|
||||||
|
# Access-Challenge packets, which wasn't strictly correct.
|
||||||
|
# If you want to filter out these attributes, uncomment
|
||||||
|
# the following lines.
|
||||||
|
#
|
||||||
|
# Auth-Type eap {
|
||||||
|
# eap {
|
||||||
|
# handled = 1
|
||||||
|
# }
|
||||||
|
# if (handled && (Response-Packet-Type == Access-Challenge)) {
|
||||||
|
# attr_filter.access_challenge.post-auth
|
||||||
|
# handled # override the "updated" code from attr_filter
|
||||||
|
# }
|
||||||
|
# }
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# Pre-accounting. Decide which accounting type to use.
|
||||||
|
#
|
||||||
|
preacct {
|
||||||
|
preprocess
|
||||||
|
|
||||||
|
#
|
||||||
|
# Session start times are *implied* in RADIUS.
|
||||||
|
# The NAS never sends a "start time". Instead, it sends
|
||||||
|
# a start packet, *possibly* with an Acct-Delay-Time.
|
||||||
|
# The server is supposed to conclude that the start time
|
||||||
|
# was "Acct-Delay-Time" seconds in the past.
|
||||||
|
#
|
||||||
|
# The code below creates an explicit start time, which can
|
||||||
|
# then be used in other modules.
|
||||||
|
#
|
||||||
|
# The start time is: NOW - delay - session_length
|
||||||
|
#
|
||||||
|
|
||||||
|
# update request {
|
||||||
|
# FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
|
||||||
|
# }
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# Ensure that we have a semi-unique identifier for every
|
||||||
|
# request, and many NAS boxes are broken.
|
||||||
|
acct_unique
|
||||||
|
|
||||||
|
#
|
||||||
|
# Look for IPASS-style 'realm/', and if not found, look for
|
||||||
|
# '@realm', and decide whether or not to proxy, based on
|
||||||
|
# that.
|
||||||
|
#
|
||||||
|
# Accounting requests are generally proxied to the same
|
||||||
|
# home server as authentication requests.
|
||||||
|
# IPASS
|
||||||
|
suffix
|
||||||
|
# ntdomain
|
||||||
|
|
||||||
|
#
|
||||||
|
# Read the 'acct_users' file
|
||||||
|
files
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Accounting. Log the accounting data.
|
||||||
|
#
|
||||||
|
accounting {
|
||||||
|
#
|
||||||
|
# Create a 'detail'ed log of the packets.
|
||||||
|
# Note that accounting requests which are proxied
|
||||||
|
# are also logged in the detail file.
|
||||||
|
detail
|
||||||
|
# daily
|
||||||
|
|
||||||
|
# Update the wtmp file
|
||||||
|
#
|
||||||
|
# If you don't use "radlast", you can delete this line.
|
||||||
|
# unix
|
||||||
|
|
||||||
|
#
|
||||||
|
# For Simultaneous-Use tracking.
|
||||||
|
#
|
||||||
|
# Due to packet losses in the network, the data here
|
||||||
|
# may be incorrect. There is little we can do about it.
|
||||||
|
# radutmp
|
||||||
|
# sradutmp
|
||||||
|
|
||||||
|
# Return an address to the IP Pool when we see a stop record.
|
||||||
|
# main_pool
|
||||||
|
|
||||||
|
#
|
||||||
|
# Log traffic to an SQL database.
|
||||||
|
#
|
||||||
|
# See "Accounting queries" in sql.conf
|
||||||
|
# sql
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you receive stop packets with zero session length,
|
||||||
|
# they will NOT be logged in the database. The SQL module
|
||||||
|
# will print a message (only in debugging mode), and will
|
||||||
|
# return "noop".
|
||||||
|
#
|
||||||
|
# You can ignore these packets by uncommenting the following
|
||||||
|
# three lines. Otherwise, the server will not respond to the
|
||||||
|
# accounting request, and the NAS will retransmit.
|
||||||
|
#
|
||||||
|
# if (noop) {
|
||||||
|
# ok
|
||||||
|
# }
|
||||||
|
|
||||||
|
#
|
||||||
|
# Instead of sending the query to the SQL server,
|
||||||
|
# write it into a log file.
|
||||||
|
#
|
||||||
|
# sql_log
|
||||||
|
|
||||||
|
# Cisco VoIP specific bulk accounting
|
||||||
|
# pgsql-voip
|
||||||
|
|
||||||
|
# For Exec-Program and Exec-Program-Wait
|
||||||
|
exec
|
||||||
|
|
||||||
|
# Filter attributes from the accounting response.
|
||||||
|
attr_filter.accounting_response
|
||||||
|
|
||||||
|
#
|
||||||
|
# See "Autz-Type Status-Server" for how this works.
|
||||||
|
#
|
||||||
|
# Acct-Type Status-Server {
|
||||||
|
#
|
||||||
|
# }
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Session database, used for checking Simultaneous-Use. Either the radutmp
|
||||||
|
# or rlm_sql module can handle this.
|
||||||
|
# The rlm_sql module is *much* faster
|
||||||
|
session {
|
||||||
|
radutmp
|
||||||
|
|
||||||
|
#
|
||||||
|
# See "Simultaneous Use Checking Queries" in sql.conf
|
||||||
|
# sql
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Post-Authentication
|
||||||
|
# Once we KNOW that the user has been authenticated, there are
|
||||||
|
# additional steps we can take.
|
||||||
|
post-auth {
|
||||||
|
# Get an address from the IP Pool.
|
||||||
|
# main_pool
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you want to have a log of authentication replies,
|
||||||
|
# un-comment the following line, and the 'detail reply_log'
|
||||||
|
# section, above.
|
||||||
|
# reply_log
|
||||||
|
|
||||||
|
#
|
||||||
|
# After authenticating the user, do another SQL query.
|
||||||
|
#
|
||||||
|
# See "Authentication Logging Queries" in sql.conf
|
||||||
|
# sql
|
||||||
|
|
||||||
|
#
|
||||||
|
# Instead of sending the query to the SQL server,
|
||||||
|
# write it into a log file.
|
||||||
|
#
|
||||||
|
# sql_log
|
||||||
|
|
||||||
|
#
|
||||||
|
# Un-comment the following if you have set
|
||||||
|
# 'edir_account_policy_check = yes' in the ldap module sub-section of
|
||||||
|
# the 'modules' section.
|
||||||
|
#
|
||||||
|
# ldap
|
||||||
|
|
||||||
|
# For Exec-Program and Exec-Program-Wait
|
||||||
|
exec
|
||||||
|
|
||||||
|
#
|
||||||
|
# Calculate the various WiMAX keys. In order for this to work,
|
||||||
|
# you will need to define the WiMAX NAI, usually via
|
||||||
|
#
|
||||||
|
# update request {
|
||||||
|
# WiMAX-MN-NAI = "%{User-Name}"
|
||||||
|
# }
|
||||||
|
#
|
||||||
|
# If you want various keys to be calculated, you will need to
|
||||||
|
# update the reply with "template" values. The module will see
|
||||||
|
# this, and replace the template values with the correct ones
|
||||||
|
# taken from the cryptographic calculations. e.g.
|
||||||
|
#
|
||||||
|
# update reply {
|
||||||
|
# WiMAX-FA-RK-Key = 0x00
|
||||||
|
# WiMAX-MSK = "%{EAP-MSK}"
|
||||||
|
# }
|
||||||
|
#
|
||||||
|
# You may want to delete the MS-MPPE-*-Keys from the reply,
|
||||||
|
# as some WiMAX clients behave badly when those attributes
|
||||||
|
# are included. See "raddb/modules/wimax", configuration
|
||||||
|
# entry "delete_mppe_keys" for more information.
|
||||||
|
#
|
||||||
|
# wimax
|
||||||
|
|
||||||
|
# If there is a client certificate (EAP-TLS, sometimes PEAP
|
||||||
|
# and TTLS), then some attributes are filled out after the
|
||||||
|
# certificate verification has been performed. These fields
|
||||||
|
# MAY be available during the authentication, or they may be
|
||||||
|
# available only in the "post-auth" section.
|
||||||
|
#
|
||||||
|
# The first set of attributes contains information about the
|
||||||
|
# issuing certificate which is being used. The second
|
||||||
|
# contains information about the client certificate (if
|
||||||
|
# available).
|
||||||
|
#
|
||||||
|
# update reply {
|
||||||
|
# Reply-Message += "%{TLS-Cert-Serial}"
|
||||||
|
# Reply-Message += "%{TLS-Cert-Expiration}"
|
||||||
|
# Reply-Message += "%{TLS-Cert-Subject}"
|
||||||
|
# Reply-Message += "%{TLS-Cert-Issuer}"
|
||||||
|
# Reply-Message += "%{TLS-Cert-Common-Name}"
|
||||||
|
# Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
|
||||||
|
#
|
||||||
|
# Reply-Message += "%{TLS-Client-Cert-Serial}"
|
||||||
|
# Reply-Message += "%{TLS-Client-Cert-Expiration}"
|
||||||
|
# Reply-Message += "%{TLS-Client-Cert-Subject}"
|
||||||
|
# Reply-Message += "%{TLS-Client-Cert-Issuer}"
|
||||||
|
# Reply-Message += "%{TLS-Client-Cert-Common-Name}"
|
||||||
|
# Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
|
||||||
|
# }
|
||||||
|
|
||||||
|
# MacSEC requires the use of EAP-Key-Name. However, we don't
|
||||||
|
# want to send it for all EAP sessions. Therefore, the EAP
|
||||||
|
# modules put required data into the EAP-Session-Id attribute.
|
||||||
|
# This attribute is never put into a request or reply packet.
|
||||||
|
#
|
||||||
|
# Uncomment the next few lines to copy the required data into
|
||||||
|
# the EAP-Key-Name attribute
|
||||||
|
# if (reply:EAP-Session-Id) {
|
||||||
|
# update reply {
|
||||||
|
# EAP-Key-Name := "%{reply:EAP-Session-Id}"
|
||||||
|
# }
|
||||||
|
# }
|
||||||
|
|
||||||
|
# If the WiMAX module did it's work, you may want to do more
|
||||||
|
# things here, like delete the MS-MPPE-*-Key attributes.
|
||||||
|
#
|
||||||
|
# if (updated) {
|
||||||
|
# update reply {
|
||||||
|
# MS-MPPE-Recv-Key !* 0x00
|
||||||
|
# MS-MPPE-Send-Key !* 0x00
|
||||||
|
# }
|
||||||
|
# }
|
||||||
|
|
||||||
|
#
|
||||||
|
# Access-Reject packets are sent through the REJECT sub-section of the
|
||||||
|
# post-auth section.
|
||||||
|
#
|
||||||
|
# Add the ldap module name (or instance) if you have set
|
||||||
|
# 'edir_account_policy_check = yes' in the ldap module configuration
|
||||||
|
#
|
||||||
|
Post-Auth-Type REJECT {
|
||||||
|
# log failed authentications in SQL, too.
|
||||||
|
# sql
|
||||||
|
|
||||||
|
attr_filter.access_reject
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# When the server decides to proxy a request to a home server,
|
||||||
|
# the proxied request is first passed through the pre-proxy
|
||||||
|
# stage. This stage can re-write the request, or decide to
|
||||||
|
# cancel the proxy.
|
||||||
|
#
|
||||||
|
# Only a few modules currently have this method.
|
||||||
|
#
|
||||||
|
pre-proxy {
|
||||||
|
# attr_rewrite
|
||||||
|
|
||||||
|
# Uncomment the following line if you want to change attributes
|
||||||
|
# as defined in the preproxy_users file.
|
||||||
|
# files
|
||||||
|
|
||||||
|
# Uncomment the following line if you want to filter requests
|
||||||
|
# sent to remote servers based on the rules defined in the
|
||||||
|
# 'attrs.pre-proxy' file.
|
||||||
|
# attr_filter.pre-proxy
|
||||||
|
|
||||||
|
# If you want to have a log of packets proxied to a home
|
||||||
|
# server, un-comment the following line, and the
|
||||||
|
# 'detail pre_proxy_log' section, above.
|
||||||
|
# pre_proxy_log
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# When the server receives a reply to a request it proxied
|
||||||
|
# to a home server, the request may be massaged here, in the
|
||||||
|
# post-proxy stage.
|
||||||
|
#
|
||||||
|
post-proxy {
|
||||||
|
|
||||||
|
# If you want to have a log of replies from a home server,
|
||||||
|
# un-comment the following line, and the 'detail post_proxy_log'
|
||||||
|
# section, above.
|
||||||
|
# post_proxy_log
|
||||||
|
|
||||||
|
# attr_rewrite
|
||||||
|
|
||||||
|
# Uncomment the following line if you want to filter replies from
|
||||||
|
# remote proxies based on the rules defined in the 'attrs' file.
|
||||||
|
# attr_filter.post-proxy
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you are proxying LEAP, you MUST configure the EAP
|
||||||
|
# module, and you MUST list it here, in the post-proxy
|
||||||
|
# stage.
|
||||||
|
#
|
||||||
|
# You MUST also use the 'nostrip' option in the 'realm'
|
||||||
|
# configuration. Otherwise, the User-Name attribute
|
||||||
|
# in the proxied request will not match the user name
|
||||||
|
# hidden inside of the EAP packet, and the end server will
|
||||||
|
# reject the EAP request.
|
||||||
|
#
|
||||||
|
eap
|
||||||
|
|
||||||
|
#
|
||||||
|
# If the server tries to proxy a request and fails, then the
|
||||||
|
# request is processed through the modules in this section.
|
||||||
|
#
|
||||||
|
# The main use of this section is to permit robust proxying
|
||||||
|
# of accounting packets. The server can be configured to
|
||||||
|
# proxy accounting packets as part of normal processing.
|
||||||
|
# Then, if the home server goes down, accounting packets can
|
||||||
|
# be logged to a local "detail" file, for processing with
|
||||||
|
# radrelay. When the home server comes back up, radrelay
|
||||||
|
# will read the detail file, and send the packets to the
|
||||||
|
# home server.
|
||||||
|
#
|
||||||
|
# With this configuration, the server always responds to
|
||||||
|
# Accounting-Requests from the NAS, but only writes
|
||||||
|
# accounting packets to disk if the home server is down.
|
||||||
|
#
|
||||||
|
# Post-Proxy-Type Fail {
|
||||||
|
# detail
|
||||||
|
# }
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,660 @@
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# As of 2.0.0, FreeRADIUS supports virtual hosts using the
|
||||||
|
# "server" section, and configuration directives.
|
||||||
|
#
|
||||||
|
# Virtual hosts should be put into the "sites-available"
|
||||||
|
# directory. Soft links should be created in the "sites-enabled"
|
||||||
|
# directory to these files. This is done in a normal installation.
|
||||||
|
#
|
||||||
|
# If you are using 802.1X (EAP) authentication, please see also
|
||||||
|
# the "inner-tunnel" virtual server. You wll likely have to edit
|
||||||
|
# that, too, for authentication to work.
|
||||||
|
#
|
||||||
|
# $Id: 520ccbc90f3a09cd6a80e1e3b16000b7ba94d884 $
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# Read "man radiusd" before editing this file. See the section
|
||||||
|
# titled DEBUGGING. It outlines a method where you can quickly
|
||||||
|
# obtain the configuration you want, without running into
|
||||||
|
# trouble. See also "man unlang", which documents the format
|
||||||
|
# of this file.
|
||||||
|
#
|
||||||
|
# This configuration is designed to work in the widest possible
|
||||||
|
# set of circumstances, with the widest possible number of
|
||||||
|
# authentication methods. This means that in general, you should
|
||||||
|
# need to make very few changes to this file.
|
||||||
|
#
|
||||||
|
# The best way to configure the server for your local system
|
||||||
|
# is to CAREFULLY edit this file. Most attempts to make large
|
||||||
|
# edits to this file will BREAK THE SERVER. Any edits should
|
||||||
|
# be small, and tested by running the server with "radiusd -X".
|
||||||
|
# Once the edits have been verified to work, save a copy of these
|
||||||
|
# configuration files somewhere. (e.g. as a "tar" file). Then,
|
||||||
|
# make more edits, and test, as above.
|
||||||
|
#
|
||||||
|
# There are many "commented out" references to modules such
|
||||||
|
# as ldap, sql, etc. These references serve as place-holders.
|
||||||
|
# If you need the functionality of that module, then configure
|
||||||
|
# it in radiusd.conf, and un-comment the references to it in
|
||||||
|
# this file. In most cases, those small changes will result
|
||||||
|
# in the server being able to connect to the DB, and to
|
||||||
|
# authenticate users.
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
#
|
||||||
|
# In 1.x, the "authorize", etc. sections were global in
|
||||||
|
# radiusd.conf. As of 2.0, they SHOULD be in a server section.
|
||||||
|
#
|
||||||
|
# The server section with no virtual server name is the "default"
|
||||||
|
# section. It is used when no server name is specified.
|
||||||
|
#
|
||||||
|
# We don't indent the rest of this file, because doing so
|
||||||
|
# would make it harder to read.
|
||||||
|
#
|
||||||
|
|
||||||
|
# Authorization. First preprocess (hints and huntgroups files),
|
||||||
|
# then realms, and finally look in the "users" file.
|
||||||
|
#
|
||||||
|
# Any changes made here should also be made to the "inner-tunnel"
|
||||||
|
# virtual server.
|
||||||
|
#
|
||||||
|
# The order of the realm modules will determine the order that
|
||||||
|
# we try to find a matching realm.
|
||||||
|
#
|
||||||
|
# Make *sure* that 'preprocess' comes before any realm if you
|
||||||
|
# need to setup hints for the remote radius server
|
||||||
|
authorize {
|
||||||
|
#
|
||||||
|
# Security settings. Take a User-Name, and do some simple
|
||||||
|
# checks on it, for spaces and other invalid characters. If
|
||||||
|
# it looks like the user is trying to play games, reject it.
|
||||||
|
#
|
||||||
|
# This should probably be enabled by default.
|
||||||
|
#
|
||||||
|
# See policy.conf for the definition of the filter_username policy.
|
||||||
|
#
|
||||||
|
# filter_username
|
||||||
|
|
||||||
|
#
|
||||||
|
# The preprocess module takes care of sanitizing some bizarre
|
||||||
|
# attributes in the request, and turning them into attributes
|
||||||
|
# which are more standard.
|
||||||
|
#
|
||||||
|
# It takes care of processing the 'raddb/hints' and the
|
||||||
|
# 'raddb/huntgroups' files.
|
||||||
|
preprocess
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you want to have a log of authentication requests,
|
||||||
|
# un-comment the following line, and the 'detail auth_log'
|
||||||
|
# section, above.
|
||||||
|
# auth_log
|
||||||
|
|
||||||
|
#
|
||||||
|
# The chap module will set 'Auth-Type := CHAP' if we are
|
||||||
|
# handling a CHAP request and Auth-Type has not already been set
|
||||||
|
chap
|
||||||
|
|
||||||
|
#
|
||||||
|
# If the users are logging in with an MS-CHAP-Challenge
|
||||||
|
# attribute for authentication, the mschap module will find
|
||||||
|
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
|
||||||
|
# to the request, which will cause the server to then use
|
||||||
|
# the mschap module for authentication.
|
||||||
|
mschap
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you have a Cisco SIP server authenticating against
|
||||||
|
# FreeRADIUS, uncomment the following line, and the 'digest'
|
||||||
|
# line in the 'authenticate' section.
|
||||||
|
digest
|
||||||
|
|
||||||
|
#
|
||||||
|
# The WiMAX specification says that the Calling-Station-Id
|
||||||
|
# is 6 octets of the MAC. This definition conflicts with
|
||||||
|
# RFC 3580, and all common RADIUS practices. Un-commenting
|
||||||
|
# the "wimax" module here means that it will fix the
|
||||||
|
# Calling-Station-Id attribute to the normal format as
|
||||||
|
# specified in RFC 3580 Section 3.21
|
||||||
|
# wimax
|
||||||
|
|
||||||
|
#
|
||||||
|
# Look for IPASS style 'realm/', and if not found, look for
|
||||||
|
# '@realm', and decide whether or not to proxy, based on
|
||||||
|
# that.
|
||||||
|
# IPASS
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you are using multiple kinds of realms, you probably
|
||||||
|
# want to set "ignore_null = yes" for all of them.
|
||||||
|
# Otherwise, when the first style of realm doesn't match,
|
||||||
|
# the other styles won't be checked.
|
||||||
|
#
|
||||||
|
suffix
|
||||||
|
# ntdomain
|
||||||
|
|
||||||
|
#
|
||||||
|
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
|
||||||
|
# authentication.
|
||||||
|
#
|
||||||
|
# It also sets the EAP-Type attribute in the request
|
||||||
|
# attribute list to the EAP type from the packet.
|
||||||
|
#
|
||||||
|
# As of 2.0, the EAP module returns "ok" in the authorize stage
|
||||||
|
# for TTLS and PEAP. In 1.x, it never returned "ok" here, so
|
||||||
|
# this change is compatible with older configurations.
|
||||||
|
#
|
||||||
|
# The example below uses module failover to avoid querying all
|
||||||
|
# of the following modules if the EAP module returns "ok".
|
||||||
|
# Therefore, your LDAP and/or SQL servers will not be queried
|
||||||
|
# for the many packets that go back and forth to set up TTLS
|
||||||
|
# or PEAP. The load on those servers will therefore be reduced.
|
||||||
|
#
|
||||||
|
eap {
|
||||||
|
ok = return
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
|
||||||
|
# using the system API's to get the password. If you want
|
||||||
|
# to read /etc/passwd or /etc/shadow directly, see the
|
||||||
|
# passwd module in radiusd.conf.
|
||||||
|
#
|
||||||
|
# unix
|
||||||
|
|
||||||
|
#
|
||||||
|
# Read the 'users' file
|
||||||
|
files
|
||||||
|
|
||||||
|
#
|
||||||
|
# Look in an SQL database. The schema of the database
|
||||||
|
# is meant to mirror the "users" file.
|
||||||
|
#
|
||||||
|
# See "Authorization Queries" in sql.conf
|
||||||
|
# sql
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you are using /etc/smbpasswd, and are also doing
|
||||||
|
# mschap authentication, the un-comment this line, and
|
||||||
|
# configure the 'smbpasswd' module.
|
||||||
|
# smbpasswd
|
||||||
|
|
||||||
|
#
|
||||||
|
# The ldap module will set Auth-Type to LDAP if it has not
|
||||||
|
# already been set
|
||||||
|
# ldap
|
||||||
|
|
||||||
|
#
|
||||||
|
# Enforce daily limits on time spent logged in.
|
||||||
|
# daily
|
||||||
|
|
||||||
|
#
|
||||||
|
# Use the checkval module
|
||||||
|
# checkval
|
||||||
|
|
||||||
|
expiration
|
||||||
|
logintime
|
||||||
|
|
||||||
|
#
|
||||||
|
# If no other module has claimed responsibility for
|
||||||
|
# authentication, then try to use PAP. This allows the
|
||||||
|
# other modules listed above to add a "known good" password
|
||||||
|
# to the request, and to do nothing else. The PAP module
|
||||||
|
# will then see that password, and use it to do PAP
|
||||||
|
# authentication.
|
||||||
|
#
|
||||||
|
# This module should be listed last, so that the other modules
|
||||||
|
# get a chance to set Auth-Type for themselves.
|
||||||
|
#
|
||||||
|
pap
|
||||||
|
|
||||||
|
#
|
||||||
|
# If "status_server = yes", then Status-Server messages are passed
|
||||||
|
# through the following section, and ONLY the following section.
|
||||||
|
# This permits you to do DB queries, for example. If the modules
|
||||||
|
# listed here return "fail", then NO response is sent.
|
||||||
|
#
|
||||||
|
# Autz-Type Status-Server {
|
||||||
|
#
|
||||||
|
# }
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Authentication.
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# This section lists which modules are available for authentication.
|
||||||
|
# Note that it does NOT mean 'try each module in order'. It means
|
||||||
|
# that a module from the 'authorize' section adds a configuration
|
||||||
|
# attribute 'Auth-Type := FOO'. That authentication type is then
|
||||||
|
# used to pick the apropriate module from the list below.
|
||||||
|
#
|
||||||
|
|
||||||
|
# In general, you SHOULD NOT set the Auth-Type attribute. The server
|
||||||
|
# will figure it out on its own, and will do the right thing. The
|
||||||
|
# most common side effect of erroneously setting the Auth-Type
|
||||||
|
# attribute is that one authentication method will work, but the
|
||||||
|
# others will not.
|
||||||
|
#
|
||||||
|
# The common reasons to set the Auth-Type attribute by hand
|
||||||
|
# is to either forcibly reject the user (Auth-Type := Reject),
|
||||||
|
# or to or forcibly accept the user (Auth-Type := Accept).
|
||||||
|
#
|
||||||
|
# Note that Auth-Type := Accept will NOT work with EAP.
|
||||||
|
#
|
||||||
|
# Please do not put "unlang" configurations into the "authenticate"
|
||||||
|
# section. Put them in the "post-auth" section instead. That's what
|
||||||
|
# the post-auth section is for.
|
||||||
|
#
|
||||||
|
authenticate {
|
||||||
|
#
|
||||||
|
# PAP authentication, when a back-end database listed
|
||||||
|
# in the 'authorize' section supplies a password. The
|
||||||
|
# password can be clear-text, or encrypted.
|
||||||
|
Auth-Type PAP {
|
||||||
|
pap
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Most people want CHAP authentication
|
||||||
|
# A back-end database listed in the 'authorize' section
|
||||||
|
# MUST supply a CLEAR TEXT password. Encrypted passwords
|
||||||
|
# won't work.
|
||||||
|
Auth-Type CHAP {
|
||||||
|
chap
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# MSCHAP authentication.
|
||||||
|
Auth-Type MS-CHAP {
|
||||||
|
mschap
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you have a Cisco SIP server authenticating against
|
||||||
|
# FreeRADIUS, uncomment the following line, and the 'digest'
|
||||||
|
# line in the 'authorize' section.
|
||||||
|
digest
|
||||||
|
|
||||||
|
#
|
||||||
|
# Pluggable Authentication Modules.
|
||||||
|
# pam
|
||||||
|
|
||||||
|
#
|
||||||
|
# See 'man getpwent' for information on how the 'unix'
|
||||||
|
# module checks the users password. Note that packets
|
||||||
|
# containing CHAP-Password attributes CANNOT be authenticated
|
||||||
|
# against /etc/passwd! See the FAQ for details.
|
||||||
|
#
|
||||||
|
# For normal "crypt" authentication, the "pap" module should
|
||||||
|
# be used instead of the "unix" module. The "unix" module should
|
||||||
|
# be used for authentication ONLY for compatibility with legacy
|
||||||
|
# FreeRADIUS configurations.
|
||||||
|
#
|
||||||
|
unix
|
||||||
|
|
||||||
|
# Uncomment it if you want to use ldap for authentication
|
||||||
|
#
|
||||||
|
# Note that this means "check plain-text password against
|
||||||
|
# the ldap database", which means that EAP won't work,
|
||||||
|
# as it does not supply a plain-text password.
|
||||||
|
# Auth-Type LDAP {
|
||||||
|
# ldap
|
||||||
|
# }
|
||||||
|
|
||||||
|
#
|
||||||
|
# Allow EAP authentication.
|
||||||
|
eap
|
||||||
|
|
||||||
|
#
|
||||||
|
# The older configurations sent a number of attributes in
|
||||||
|
# Access-Challenge packets, which wasn't strictly correct.
|
||||||
|
# If you want to filter out these attributes, uncomment
|
||||||
|
# the following lines.
|
||||||
|
#
|
||||||
|
# Auth-Type eap {
|
||||||
|
# eap {
|
||||||
|
# handled = 1
|
||||||
|
# }
|
||||||
|
# if (handled && (Response-Packet-Type == Access-Challenge)) {
|
||||||
|
# attr_filter.access_challenge.post-auth
|
||||||
|
# handled # override the "updated" code from attr_filter
|
||||||
|
# }
|
||||||
|
# }
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# Pre-accounting. Decide which accounting type to use.
|
||||||
|
#
|
||||||
|
preacct {
|
||||||
|
preprocess
|
||||||
|
|
||||||
|
#
|
||||||
|
# Session start times are *implied* in RADIUS.
|
||||||
|
# The NAS never sends a "start time". Instead, it sends
|
||||||
|
# a start packet, *possibly* with an Acct-Delay-Time.
|
||||||
|
# The server is supposed to conclude that the start time
|
||||||
|
# was "Acct-Delay-Time" seconds in the past.
|
||||||
|
#
|
||||||
|
# The code below creates an explicit start time, which can
|
||||||
|
# then be used in other modules.
|
||||||
|
#
|
||||||
|
# The start time is: NOW - delay - session_length
|
||||||
|
#
|
||||||
|
|
||||||
|
# update request {
|
||||||
|
# FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
|
||||||
|
# }
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# Ensure that we have a semi-unique identifier for every
|
||||||
|
# request, and many NAS boxes are broken.
|
||||||
|
acct_unique
|
||||||
|
|
||||||
|
#
|
||||||
|
# Look for IPASS-style 'realm/', and if not found, look for
|
||||||
|
# '@realm', and decide whether or not to proxy, based on
|
||||||
|
# that.
|
||||||
|
#
|
||||||
|
# Accounting requests are generally proxied to the same
|
||||||
|
# home server as authentication requests.
|
||||||
|
# IPASS
|
||||||
|
suffix
|
||||||
|
# ntdomain
|
||||||
|
|
||||||
|
#
|
||||||
|
# Read the 'acct_users' file
|
||||||
|
files
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Accounting. Log the accounting data.
|
||||||
|
#
|
||||||
|
accounting {
|
||||||
|
#
|
||||||
|
# Create a 'detail'ed log of the packets.
|
||||||
|
# Note that accounting requests which are proxied
|
||||||
|
# are also logged in the detail file.
|
||||||
|
detail
|
||||||
|
# daily
|
||||||
|
|
||||||
|
# Update the wtmp file
|
||||||
|
#
|
||||||
|
# If you don't use "radlast", you can delete this line.
|
||||||
|
# unix
|
||||||
|
|
||||||
|
#
|
||||||
|
# For Simultaneous-Use tracking.
|
||||||
|
#
|
||||||
|
# Due to packet losses in the network, the data here
|
||||||
|
# may be incorrect. There is little we can do about it.
|
||||||
|
# radutmp
|
||||||
|
# sradutmp
|
||||||
|
|
||||||
|
# Return an address to the IP Pool when we see a stop record.
|
||||||
|
# main_pool
|
||||||
|
|
||||||
|
#
|
||||||
|
# Log traffic to an SQL database.
|
||||||
|
#
|
||||||
|
# See "Accounting queries" in sql.conf
|
||||||
|
# sql
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you receive stop packets with zero session length,
|
||||||
|
# they will NOT be logged in the database. The SQL module
|
||||||
|
# will print a message (only in debugging mode), and will
|
||||||
|
# return "noop".
|
||||||
|
#
|
||||||
|
# You can ignore these packets by uncommenting the following
|
||||||
|
# three lines. Otherwise, the server will not respond to the
|
||||||
|
# accounting request, and the NAS will retransmit.
|
||||||
|
#
|
||||||
|
# if (noop) {
|
||||||
|
# ok
|
||||||
|
# }
|
||||||
|
|
||||||
|
#
|
||||||
|
# Instead of sending the query to the SQL server,
|
||||||
|
# write it into a log file.
|
||||||
|
#
|
||||||
|
# sql_log
|
||||||
|
|
||||||
|
# Cisco VoIP specific bulk accounting
|
||||||
|
# pgsql-voip
|
||||||
|
|
||||||
|
# For Exec-Program and Exec-Program-Wait
|
||||||
|
exec
|
||||||
|
|
||||||
|
# Filter attributes from the accounting response.
|
||||||
|
attr_filter.accounting_response
|
||||||
|
|
||||||
|
#
|
||||||
|
# See "Autz-Type Status-Server" for how this works.
|
||||||
|
#
|
||||||
|
# Acct-Type Status-Server {
|
||||||
|
#
|
||||||
|
# }
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Session database, used for checking Simultaneous-Use. Either the radutmp
|
||||||
|
# or rlm_sql module can handle this.
|
||||||
|
# The rlm_sql module is *much* faster
|
||||||
|
session {
|
||||||
|
radutmp
|
||||||
|
|
||||||
|
#
|
||||||
|
# See "Simultaneous Use Checking Queries" in sql.conf
|
||||||
|
# sql
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Post-Authentication
|
||||||
|
# Once we KNOW that the user has been authenticated, there are
|
||||||
|
# additional steps we can take.
|
||||||
|
post-auth {
|
||||||
|
# Get an address from the IP Pool.
|
||||||
|
# main_pool
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you want to have a log of authentication replies,
|
||||||
|
# un-comment the following line, and the 'detail reply_log'
|
||||||
|
# section, above.
|
||||||
|
# reply_log
|
||||||
|
|
||||||
|
#
|
||||||
|
# After authenticating the user, do another SQL query.
|
||||||
|
#
|
||||||
|
# See "Authentication Logging Queries" in sql.conf
|
||||||
|
# sql
|
||||||
|
|
||||||
|
#
|
||||||
|
# Instead of sending the query to the SQL server,
|
||||||
|
# write it into a log file.
|
||||||
|
#
|
||||||
|
# sql_log
|
||||||
|
|
||||||
|
#
|
||||||
|
# Un-comment the following if you have set
|
||||||
|
# 'edir_account_policy_check = yes' in the ldap module sub-section of
|
||||||
|
# the 'modules' section.
|
||||||
|
#
|
||||||
|
# ldap
|
||||||
|
|
||||||
|
# For Exec-Program and Exec-Program-Wait
|
||||||
|
exec
|
||||||
|
|
||||||
|
#
|
||||||
|
# Calculate the various WiMAX keys. In order for this to work,
|
||||||
|
# you will need to define the WiMAX NAI, usually via
|
||||||
|
#
|
||||||
|
# update request {
|
||||||
|
# WiMAX-MN-NAI = "%{User-Name}"
|
||||||
|
# }
|
||||||
|
#
|
||||||
|
# If you want various keys to be calculated, you will need to
|
||||||
|
# update the reply with "template" values. The module will see
|
||||||
|
# this, and replace the template values with the correct ones
|
||||||
|
# taken from the cryptographic calculations. e.g.
|
||||||
|
#
|
||||||
|
# update reply {
|
||||||
|
# WiMAX-FA-RK-Key = 0x00
|
||||||
|
# WiMAX-MSK = "%{EAP-MSK}"
|
||||||
|
# }
|
||||||
|
#
|
||||||
|
# You may want to delete the MS-MPPE-*-Keys from the reply,
|
||||||
|
# as some WiMAX clients behave badly when those attributes
|
||||||
|
# are included. See "raddb/modules/wimax", configuration
|
||||||
|
# entry "delete_mppe_keys" for more information.
|
||||||
|
#
|
||||||
|
# wimax
|
||||||
|
|
||||||
|
# If there is a client certificate (EAP-TLS, sometimes PEAP
|
||||||
|
# and TTLS), then some attributes are filled out after the
|
||||||
|
# certificate verification has been performed. These fields
|
||||||
|
# MAY be available during the authentication, or they may be
|
||||||
|
# available only in the "post-auth" section.
|
||||||
|
#
|
||||||
|
# The first set of attributes contains information about the
|
||||||
|
# issuing certificate which is being used. The second
|
||||||
|
# contains information about the client certificate (if
|
||||||
|
# available).
|
||||||
|
#
|
||||||
|
# update reply {
|
||||||
|
# Reply-Message += "%{TLS-Cert-Serial}"
|
||||||
|
# Reply-Message += "%{TLS-Cert-Expiration}"
|
||||||
|
# Reply-Message += "%{TLS-Cert-Subject}"
|
||||||
|
# Reply-Message += "%{TLS-Cert-Issuer}"
|
||||||
|
# Reply-Message += "%{TLS-Cert-Common-Name}"
|
||||||
|
# Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
|
||||||
|
#
|
||||||
|
# Reply-Message += "%{TLS-Client-Cert-Serial}"
|
||||||
|
# Reply-Message += "%{TLS-Client-Cert-Expiration}"
|
||||||
|
# Reply-Message += "%{TLS-Client-Cert-Subject}"
|
||||||
|
# Reply-Message += "%{TLS-Client-Cert-Issuer}"
|
||||||
|
# Reply-Message += "%{TLS-Client-Cert-Common-Name}"
|
||||||
|
# Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
|
||||||
|
# }
|
||||||
|
|
||||||
|
# MacSEC requires the use of EAP-Key-Name. However, we don't
|
||||||
|
# want to send it for all EAP sessions. Therefore, the EAP
|
||||||
|
# modules put required data into the EAP-Session-Id attribute.
|
||||||
|
# This attribute is never put into a request or reply packet.
|
||||||
|
#
|
||||||
|
# Uncomment the next few lines to copy the required data into
|
||||||
|
# the EAP-Key-Name attribute
|
||||||
|
# if (reply:EAP-Session-Id) {
|
||||||
|
# update reply {
|
||||||
|
# EAP-Key-Name := "%{reply:EAP-Session-Id}"
|
||||||
|
# }
|
||||||
|
# }
|
||||||
|
|
||||||
|
# If the WiMAX module did it's work, you may want to do more
|
||||||
|
# things here, like delete the MS-MPPE-*-Key attributes.
|
||||||
|
#
|
||||||
|
# if (updated) {
|
||||||
|
# update reply {
|
||||||
|
# MS-MPPE-Recv-Key !* 0x00
|
||||||
|
# MS-MPPE-Send-Key !* 0x00
|
||||||
|
# }
|
||||||
|
# }
|
||||||
|
|
||||||
|
#
|
||||||
|
# Access-Reject packets are sent through the REJECT sub-section of the
|
||||||
|
# post-auth section.
|
||||||
|
#
|
||||||
|
# Add the ldap module name (or instance) if you have set
|
||||||
|
# 'edir_account_policy_check = yes' in the ldap module configuration
|
||||||
|
#
|
||||||
|
Post-Auth-Type REJECT {
|
||||||
|
# log failed authentications in SQL, too.
|
||||||
|
# sql
|
||||||
|
attr_filter.access_reject
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# When the server decides to proxy a request to a home server,
|
||||||
|
# the proxied request is first passed through the pre-proxy
|
||||||
|
# stage. This stage can re-write the request, or decide to
|
||||||
|
# cancel the proxy.
|
||||||
|
#
|
||||||
|
# Only a few modules currently have this method.
|
||||||
|
#
|
||||||
|
pre-proxy {
|
||||||
|
# attr_rewrite
|
||||||
|
|
||||||
|
# Uncomment the following line if you want to change attributes
|
||||||
|
# as defined in the preproxy_users file.
|
||||||
|
# files
|
||||||
|
|
||||||
|
# Uncomment the following line if you want to filter requests
|
||||||
|
# sent to remote servers based on the rules defined in the
|
||||||
|
# 'attrs.pre-proxy' file.
|
||||||
|
# attr_filter.pre-proxy
|
||||||
|
|
||||||
|
# If you want to have a log of packets proxied to a home
|
||||||
|
# server, un-comment the following line, and the
|
||||||
|
# 'detail pre_proxy_log' section, above.
|
||||||
|
# pre_proxy_log
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# When the server receives a reply to a request it proxied
|
||||||
|
# to a home server, the request may be massaged here, in the
|
||||||
|
# post-proxy stage.
|
||||||
|
#
|
||||||
|
post-proxy {
|
||||||
|
|
||||||
|
# If you want to have a log of replies from a home server,
|
||||||
|
# un-comment the following line, and the 'detail post_proxy_log'
|
||||||
|
# section, above.
|
||||||
|
# post_proxy_log
|
||||||
|
|
||||||
|
# attr_rewrite
|
||||||
|
|
||||||
|
# Uncomment the following line if you want to filter replies from
|
||||||
|
# remote proxies based on the rules defined in the 'attrs' file.
|
||||||
|
# attr_filter.post-proxy
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you are proxying LEAP, you MUST configure the EAP
|
||||||
|
# module, and you MUST list it here, in the post-proxy
|
||||||
|
# stage.
|
||||||
|
#
|
||||||
|
# You MUST also use the 'nostrip' option in the 'realm'
|
||||||
|
# configuration. Otherwise, the User-Name attribute
|
||||||
|
# in the proxied request will not match the user name
|
||||||
|
# hidden inside of the EAP packet, and the end server will
|
||||||
|
# reject the EAP request.
|
||||||
|
#
|
||||||
|
eap
|
||||||
|
|
||||||
|
#
|
||||||
|
# If the server tries to proxy a request and fails, then the
|
||||||
|
# request is processed through the modules in this section.
|
||||||
|
#
|
||||||
|
# The main use of this section is to permit robust proxying
|
||||||
|
# of accounting packets. The server can be configured to
|
||||||
|
# proxy accounting packets as part of normal processing.
|
||||||
|
# Then, if the home server goes down, accounting packets can
|
||||||
|
# be logged to a local "detail" file, for processing with
|
||||||
|
# radrelay. When the home server comes back up, radrelay
|
||||||
|
# will read the detail file, and send the packets to the
|
||||||
|
# home server.
|
||||||
|
#
|
||||||
|
# With this configuration, the server always responds to
|
||||||
|
# Accounting-Requests from the NAS, but only writes
|
||||||
|
# accounting packets to disk if the home server is down.
|
||||||
|
#
|
||||||
|
# Post-Proxy-Type Fail {
|
||||||
|
# detail
|
||||||
|
# }
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,283 @@
|
||||||
|
# -*- text -*-
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# This is a virtual server that handles DHCP.
|
||||||
|
#
|
||||||
|
# !!!! WARNING !!!!
|
||||||
|
#
|
||||||
|
# This code is experimental, and SHOULD NOT be used in a
|
||||||
|
# production system. It is intended for validation and
|
||||||
|
# experimentation ONLY.
|
||||||
|
#
|
||||||
|
# In order for this to work, you will need to run configure:
|
||||||
|
#
|
||||||
|
# $ ./configure --with-dhcp
|
||||||
|
# $ make
|
||||||
|
# $ vi share/dictionary
|
||||||
|
#
|
||||||
|
# ## Un-comment the line containing $INCLUDE dictionary.dhcp
|
||||||
|
# ## Then, save the file.
|
||||||
|
#
|
||||||
|
# $ make install
|
||||||
|
#
|
||||||
|
# DHCP is NOT enabled by default.
|
||||||
|
#
|
||||||
|
# The goal of this effort is to get the code in front of
|
||||||
|
# people who are interested in another DHCP server.
|
||||||
|
# We NEED FEEDBACK, patches, bug reports, etc. Especially patches!
|
||||||
|
#
|
||||||
|
# Please contribute, or this work will be nothing more than
|
||||||
|
# a curiosity.
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Q: What does it do?
|
||||||
|
# A: It allows the server to receive DHCP packets, and to
|
||||||
|
# respond with static, pre-configured DHCP responses.
|
||||||
|
#
|
||||||
|
# Q: Does it do static/dynamic IP assignment?
|
||||||
|
# A: No. Or, maybe. Try it and see.
|
||||||
|
#
|
||||||
|
# Q: Does it read ISC configuration or lease files?
|
||||||
|
# A: No. Please submit patches.
|
||||||
|
#
|
||||||
|
# Q: Does it have DHCP feature X?
|
||||||
|
# A: No. Please submit patches.
|
||||||
|
#
|
||||||
|
# Q: Does it support option 82?
|
||||||
|
# A: Yes.
|
||||||
|
#
|
||||||
|
# Q: Does it support other options?
|
||||||
|
# A: Maybe. See dictionary.dhcp. Please submit patches.
|
||||||
|
#
|
||||||
|
# Q: It doesn't seem to do much of anything!
|
||||||
|
# A: Exactly.
|
||||||
|
#
|
||||||
|
# $Id: 33da1f10a67dd38b889300bc998737a268ef0948 $
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
#
|
||||||
|
# The DHCP functionality goes into a virtual server.
|
||||||
|
#
|
||||||
|
server dhcp {
|
||||||
|
|
||||||
|
# Define a DHCP socket.
|
||||||
|
#
|
||||||
|
# The default port below is 6700, so you don't break your network.
|
||||||
|
# If you want it to do real DHCP, change this to 67, and good luck!
|
||||||
|
#
|
||||||
|
# You can also bind the DHCP socket to an interface.
|
||||||
|
# See below, and raddb/radiusd.conf for examples.
|
||||||
|
#
|
||||||
|
# This lets you run *one* DHCP server instance and have it listen on
|
||||||
|
# multiple interfaces, each with a separate policy.
|
||||||
|
#
|
||||||
|
# If you have multiple interfaces, it is a good idea to bind the
|
||||||
|
# listen section to an interface. You will also need one listen
|
||||||
|
# section per interface.
|
||||||
|
#
|
||||||
|
# FreeBSD does *not* support binding sockets to interfaces. Therefore,
|
||||||
|
# if you have multiple interfaces, broadcasts may go out of the wrong
|
||||||
|
# one, or even all interfaces. The solution is to use the "setfib" command.
|
||||||
|
# If you have a network "10.10.0/24" on LAN1, you will need to do:
|
||||||
|
#
|
||||||
|
# Pick any IP on the 10.10.0/24 network
|
||||||
|
# $ setfib 1 route add default 10.10.0.1
|
||||||
|
#
|
||||||
|
# Edit /etc/rc.local, and add a line:
|
||||||
|
# setfib 1 /path/to/radiusd
|
||||||
|
#
|
||||||
|
# The kern must be built with the following options:
|
||||||
|
# options ROUTETABLES=2
|
||||||
|
# or any value larger than 2.
|
||||||
|
#
|
||||||
|
# The other only solution is to update FreeRADIUS to use BPF sockets.
|
||||||
|
#
|
||||||
|
|
||||||
|
# So that we only specify these values once, and then
|
||||||
|
# use them in all of the listen sections.
|
||||||
|
port = 6700
|
||||||
|
ipaddr = 127.0.0.1
|
||||||
|
interface = lo0
|
||||||
|
|
||||||
|
# When the machine is not Linux, or has only one network
|
||||||
|
# interface, use the following listener. It receives
|
||||||
|
# broadcast *and* unicast packets.
|
||||||
|
listen {
|
||||||
|
type = dhcp
|
||||||
|
|
||||||
|
ipaddr = *
|
||||||
|
port = ${..port}
|
||||||
|
interface = ${..interface}
|
||||||
|
|
||||||
|
# The DHCP server defaults to allowing broadcast packets.
|
||||||
|
# Set this to "no" only when the server receives *all* packets
|
||||||
|
# from a relay agent. i.e. when *no* clients are on the same
|
||||||
|
# LAN as the DHCP server.
|
||||||
|
#
|
||||||
|
# It's set to "no" here for testing.
|
||||||
|
broadcast = no
|
||||||
|
}
|
||||||
|
|
||||||
|
# When the machine is Linux and has multiple network interfaces, use
|
||||||
|
# the following two listeners instead of the one above.
|
||||||
|
|
||||||
|
# Listen for broadcasts on a specific interface.
|
||||||
|
listen {
|
||||||
|
type = dhcp
|
||||||
|
ipaddr = 255.255.255.255
|
||||||
|
port = ${..port}
|
||||||
|
interface = ${..interface}
|
||||||
|
|
||||||
|
#
|
||||||
|
# The source IP for unicast packets is chosen from the first
|
||||||
|
# one of the following items which returns a valid IP
|
||||||
|
# address:
|
||||||
|
#
|
||||||
|
# src_ipaddr
|
||||||
|
# ipaddr
|
||||||
|
# reply:DHCP-Server-IP-Address
|
||||||
|
# reply:DHCP-DHCP-Server-Identifier
|
||||||
|
#
|
||||||
|
# For now, use the parent's "ipaddr", not the one
|
||||||
|
# in this listen section
|
||||||
|
#
|
||||||
|
src_ipaddr = ${..ipaddr}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Listen for unicasts on an IP, but not bound to any interface.
|
||||||
|
# This allows Linux systems to receive packets on interface X
|
||||||
|
# when the IP is associated with interface Y.
|
||||||
|
#
|
||||||
|
# Then, define which interface the packets go out of, via
|
||||||
|
# "src_interface". This means that the outbound packets
|
||||||
|
# get sent via the correct interface.
|
||||||
|
listen {
|
||||||
|
type = dhcp
|
||||||
|
ipaddr = ${..ipaddr}
|
||||||
|
port = ${..port}
|
||||||
|
|
||||||
|
#
|
||||||
|
# When sending unicast responses, this interface is
|
||||||
|
# used as the source interface. If unset, the value
|
||||||
|
# is taken from the "interface" field in this
|
||||||
|
# section.
|
||||||
|
#
|
||||||
|
# This interface is also used when adding ARP entries.
|
||||||
|
# FreeRADIUS doesn't open "raw" network sockets to send
|
||||||
|
# unicast DHCP responses on the local network. Instead,
|
||||||
|
# it updates the ARP table for this interface with the
|
||||||
|
# MAX and IP of the DHCP client. The server can then
|
||||||
|
# send a normal UDP unicast socket.
|
||||||
|
#
|
||||||
|
# NOTE: The server MUST be running as "root" in order
|
||||||
|
# to update the ARP table. Or, it must have the
|
||||||
|
# apropriate capabilities added to it after it starts up.
|
||||||
|
#
|
||||||
|
src_interface = ${..interface}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Packets received on the socket will be processed through one
|
||||||
|
# of the following sections, named after the DHCP packet type.
|
||||||
|
# See dictionary.dhcp for the packet types.
|
||||||
|
dhcp DHCP-Discover {
|
||||||
|
update reply {
|
||||||
|
DHCP-Message-Type = DHCP-Offer
|
||||||
|
}
|
||||||
|
|
||||||
|
# The contents here are invented. Change them!
|
||||||
|
update reply {
|
||||||
|
DHCP-Domain-Name-Server = 127.0.0.1
|
||||||
|
DHCP-Domain-Name-Server = 127.0.0.2
|
||||||
|
DHCP-Subnet-Mask = 255.255.255.0
|
||||||
|
DHCP-Router-Address = 192.168.1.1
|
||||||
|
DHCP-IP-Address-Lease-Time = 86400
|
||||||
|
DHCP-DHCP-Server-Identifier = 192.168.1.1
|
||||||
|
}
|
||||||
|
|
||||||
|
# Do a simple mapping of MAC to assigned IP.
|
||||||
|
#
|
||||||
|
# See below for the definition of the "mac2ip"
|
||||||
|
# module.
|
||||||
|
#
|
||||||
|
#mac2ip
|
||||||
|
|
||||||
|
# If the MAC wasn't found in that list, do something else.
|
||||||
|
# You could call a Perl, Python, or Java script here.
|
||||||
|
|
||||||
|
#if (notfound) {
|
||||||
|
# ...
|
||||||
|
#}
|
||||||
|
|
||||||
|
# Or, allocate IPs from the DHCP pool in SQL.
|
||||||
|
# dhcp_sqlippool
|
||||||
|
|
||||||
|
ok
|
||||||
|
}
|
||||||
|
|
||||||
|
dhcp DHCP-Request {
|
||||||
|
update reply {
|
||||||
|
DHCP-Message-Type = DHCP-Ack
|
||||||
|
}
|
||||||
|
|
||||||
|
# The contents here are invented. Change them!
|
||||||
|
update reply {
|
||||||
|
DHCP-Domain-Name-Server = 127.0.0.1
|
||||||
|
DHCP-Domain-Name-Server = 127.0.0.2
|
||||||
|
DHCP-Subnet-Mask = 255.255.255.0
|
||||||
|
DHCP-Router-Address = 192.168.1.1
|
||||||
|
DHCP-IP-Address-Lease-Time = 86400
|
||||||
|
DHCP-DHCP-Server-Identifier = 192.168.1.1
|
||||||
|
}
|
||||||
|
|
||||||
|
# Do a simple mapping of MAC to assigned IP.
|
||||||
|
#
|
||||||
|
# See below for the definition of the "mac2ip"
|
||||||
|
# module.
|
||||||
|
#
|
||||||
|
#mac2ip
|
||||||
|
|
||||||
|
# If the MAC wasn't found in that list, do something else.
|
||||||
|
# You could call a Perl, Python, or Java script here.
|
||||||
|
|
||||||
|
#if (notfound) {
|
||||||
|
# ...
|
||||||
|
#}
|
||||||
|
|
||||||
|
# Or, allocate IPs from the DHCP pool in SQL.
|
||||||
|
# dhcp_sqlippool
|
||||||
|
|
||||||
|
ok
|
||||||
|
}
|
||||||
|
|
||||||
|
# If there's no named section for the packet type, then the packet
|
||||||
|
# is processed through this section.
|
||||||
|
dhcp {
|
||||||
|
# send a DHCP NAK.
|
||||||
|
reject
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# This next section is a sample configuration for the "passwd"
|
||||||
|
# module, that reads flat-text files. It should go into
|
||||||
|
# radiusd.conf, in the "modules" section.
|
||||||
|
#
|
||||||
|
# The file is in the format <mac>,<ip>
|
||||||
|
#
|
||||||
|
# 00:01:02:03:04:05,192.168.1.100
|
||||||
|
# 01:01:02:03:04:05,192.168.1.101
|
||||||
|
# 02:01:02:03:04:05,192.168.1.102
|
||||||
|
#
|
||||||
|
# This lets you perform simple static IP assignment.
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
#passwd mac2ip {
|
||||||
|
# filename = ${confdir}/mac2ip
|
||||||
|
# format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address"
|
||||||
|
# delimiter = ","
|
||||||
|
#}
|
|
@ -0,0 +1,65 @@
|
||||||
|
# -*- text -*-
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# This is a virtual server that handles DHCP relaying
|
||||||
|
#
|
||||||
|
# Only one server can listen on a socket, so you cannot
|
||||||
|
# do DHCP relaying && run a DHCP server at the same time.
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
server dhcp.eth1 {
|
||||||
|
# When the machine is not Linux, or has only one network interface, use
|
||||||
|
# the following listener:
|
||||||
|
listen {
|
||||||
|
# Listen for broadcasts + unicast on eth1
|
||||||
|
ipaddr = *
|
||||||
|
port = 67
|
||||||
|
type = dhcp
|
||||||
|
interface = eth1
|
||||||
|
}
|
||||||
|
# When the machine is Linux and has multiple network interfaces, use
|
||||||
|
# the following listeners instead:
|
||||||
|
listen {
|
||||||
|
# Listen for broadcasts on eth1
|
||||||
|
ipaddr = 255.255.255.255
|
||||||
|
port = 67
|
||||||
|
type = dhcp
|
||||||
|
interface = eth1
|
||||||
|
}
|
||||||
|
listen {
|
||||||
|
# Listen for unicast on our IP address, not bound to any
|
||||||
|
# interface but telling on which interface to forward the
|
||||||
|
# packets to.
|
||||||
|
ipaddr = 192.0.100.2
|
||||||
|
port = 67
|
||||||
|
type = dhcp
|
||||||
|
arp_interface = eth1
|
||||||
|
}
|
||||||
|
|
||||||
|
# Packets received on the socket will be processed through one
|
||||||
|
# of the following sections, named after the DHCP packet type.
|
||||||
|
# See dictionary.dhcp for the packet types.
|
||||||
|
dhcp DHCP-Discover {
|
||||||
|
update config {
|
||||||
|
# IP Address of the DHCP server
|
||||||
|
DHCP-Relay-To-IP-Address := 192.0.1.2
|
||||||
|
}
|
||||||
|
update request {
|
||||||
|
# IP Address of the DHCP relay (eth1)
|
||||||
|
DHCP-Gateway-IP-Address := 192.0.100.2
|
||||||
|
}
|
||||||
|
ok
|
||||||
|
}
|
||||||
|
|
||||||
|
dhcp DHCP-Request {
|
||||||
|
update config {
|
||||||
|
# IP Address of the DHCP server
|
||||||
|
DHCP-Relay-To-IP-Address := 192.0.1.2
|
||||||
|
}
|
||||||
|
update request {
|
||||||
|
DHCP-Gateway-IP-Address := 192.0.100.2
|
||||||
|
}
|
||||||
|
ok
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,224 @@
|
||||||
|
# -*- text -*-
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# Sample configuration file for dynamically updating the list
|
||||||
|
# of RADIUS clients at run time.
|
||||||
|
#
|
||||||
|
# Everything is keyed off of a client "network". (e.g. 192.168/16)
|
||||||
|
# This configuration lets the server know that clients within
|
||||||
|
# that network are defined dynamically.
|
||||||
|
#
|
||||||
|
# When the server receives a packet from an unknown IP address
|
||||||
|
# within that network, it tries to find a dynamic definition
|
||||||
|
# for that client. If the definition is found, the IP address
|
||||||
|
# (and other configuration) is added to the server's internal
|
||||||
|
# cache of "known clients", with a configurable lifetime.
|
||||||
|
#
|
||||||
|
# Further packets from that IP address result in the client
|
||||||
|
# definition being found in the cache. Once the lifetime is
|
||||||
|
# reached, the client definition is deleted, and any new requests
|
||||||
|
# from that client are looked up as above.
|
||||||
|
#
|
||||||
|
# If the dynamic definition is not found, then the request is
|
||||||
|
# treated as if it came from an unknown client. i.e. It is
|
||||||
|
# silently discarded.
|
||||||
|
#
|
||||||
|
# As part of protection from Denial of Service (DoS) attacks,
|
||||||
|
# the server will add only one new client per second. This CANNOT
|
||||||
|
# be changed, and is NOT configurable.
|
||||||
|
#
|
||||||
|
# $Id: f8c3cc4ddd4a8e6434911fbcc444715f4ac95912 $
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
#
|
||||||
|
# Define a network where clients may be dynamically defined.
|
||||||
|
client dynamic {
|
||||||
|
ipaddr = 192.168.0.0
|
||||||
|
|
||||||
|
#
|
||||||
|
# You MUST specify a netmask!
|
||||||
|
# IPv4 /32 or IPv6 /128 are NOT allowed!
|
||||||
|
netmask = 16
|
||||||
|
|
||||||
|
#
|
||||||
|
# Any other configuration normally found in a "client"
|
||||||
|
# entry can be used here.
|
||||||
|
|
||||||
|
#
|
||||||
|
# A shared secret does NOT have to be defined. It can
|
||||||
|
# be left out.
|
||||||
|
|
||||||
|
#
|
||||||
|
# Define the virtual server used to discover dynamic clients.
|
||||||
|
dynamic_clients = dynamic_client_server
|
||||||
|
|
||||||
|
#
|
||||||
|
# The directory where client definitions are stored. This
|
||||||
|
# needs to be used ONLY if the client definitions are stored
|
||||||
|
# in flat-text files. Each file in that directory should be
|
||||||
|
# ONE and only one client definition. The name of the file
|
||||||
|
# should be the IP address of the client.
|
||||||
|
#
|
||||||
|
# If you are storing clients in SQL, this entry should not
|
||||||
|
# be used.
|
||||||
|
# directory = ${confdir}/dynamic-clients/
|
||||||
|
|
||||||
|
#
|
||||||
|
# Define the lifetime (in seconds) for dynamic clients.
|
||||||
|
# They will be cached for this lifetime, and deleted afterwards.
|
||||||
|
#
|
||||||
|
# If the lifetime is "0", then the dynamic client is never
|
||||||
|
# deleted. The only way to delete the client is to re-start
|
||||||
|
# the server.
|
||||||
|
lifetime = 3600
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# This is the virtual server referenced above by "dynamic_clients".
|
||||||
|
server dynamic_client_server {
|
||||||
|
|
||||||
|
#
|
||||||
|
# The only contents of the virtual server is the "authorize" section.
|
||||||
|
authorize {
|
||||||
|
|
||||||
|
#
|
||||||
|
# Put any modules you want here. SQL, LDAP, "exec",
|
||||||
|
# Perl, etc. The only requirements is that the
|
||||||
|
# attributes MUST go into the control item list.
|
||||||
|
#
|
||||||
|
# The request that is processed through this section
|
||||||
|
# is EMPTY. There are NO attributes. The request is fake,
|
||||||
|
# and is NOT the packet that triggered the lookup of
|
||||||
|
# the dynamic client.
|
||||||
|
#
|
||||||
|
# The ONLY piece of useful information is either
|
||||||
|
#
|
||||||
|
# Packet-Src-IP-Address (IPv4 clients)
|
||||||
|
# Packet-Src-IPv6-Address (IPv6 clients)
|
||||||
|
#
|
||||||
|
# The attributes used to define a dynamic client mirror
|
||||||
|
# the configuration items in the "client" structure.
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# Example 1: Hard-code a client IP. This example is
|
||||||
|
# useless, but it documents the attributes
|
||||||
|
# you need.
|
||||||
|
#
|
||||||
|
update control {
|
||||||
|
|
||||||
|
#
|
||||||
|
# Echo the IP address of the client.
|
||||||
|
FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
|
||||||
|
|
||||||
|
# require_message_authenticator
|
||||||
|
FreeRADIUS-Client-Require-MA = no
|
||||||
|
|
||||||
|
# secret
|
||||||
|
FreeRADIUS-Client-Secret = "testing123"
|
||||||
|
|
||||||
|
# shortname
|
||||||
|
FreeRADIUS-Client-Shortname = "%{Packet-Src-IP-Address}"
|
||||||
|
|
||||||
|
# nastype
|
||||||
|
FreeRADIUS-Client-NAS-Type = "other"
|
||||||
|
|
||||||
|
# virtual_server
|
||||||
|
#
|
||||||
|
# This can ONLY be used if the network client
|
||||||
|
# definition (e.g. "client dynamic" above) has
|
||||||
|
# NO virtual_server defined.
|
||||||
|
#
|
||||||
|
# If the network client definition does have a
|
||||||
|
# virtual_server defined, then that is used,
|
||||||
|
# and there is no need to define this attribute.
|
||||||
|
#
|
||||||
|
FreeRADIUS-Client-Virtual-Server = "something"
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Example 2: Read the clients from "clients" files
|
||||||
|
# in a directory.
|
||||||
|
#
|
||||||
|
|
||||||
|
# This requires you to uncomment the
|
||||||
|
# "directory" configuration in the
|
||||||
|
# "client dynamic" configuration above,
|
||||||
|
# and then put one file per IP address in
|
||||||
|
# that directory.
|
||||||
|
#
|
||||||
|
dynamic_clients
|
||||||
|
|
||||||
|
#
|
||||||
|
# Example 3: Look the clients up in SQL.
|
||||||
|
#
|
||||||
|
# This requires the SQL module to be configured, of course.
|
||||||
|
if ("%{sql: SELECT nasname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}") {
|
||||||
|
update control {
|
||||||
|
#
|
||||||
|
# Echo the IP.
|
||||||
|
FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Do multiple SELECT statements to grab
|
||||||
|
# the various definitions.
|
||||||
|
FreeRADIUS-Client-Shortname = "%{sql: SELECT shortname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
|
||||||
|
|
||||||
|
FreeRADIUS-Client-Secret = "%{sql: SELECT secret FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
|
||||||
|
|
||||||
|
FreeRADIUS-Client-NAS-Type = "%{sql: SELECT type FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
|
||||||
|
|
||||||
|
FreeRADIUS-Client-Virtual-Server = "%{sql: SELECT server FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
# Do an LDAP lookup in the elements OU, check to see if
|
||||||
|
# the Packet-Src-IP-Address object has a "ou"
|
||||||
|
# attribute, if it does continue. Change "ACME.COM" to
|
||||||
|
# the real OU of your organization.
|
||||||
|
#
|
||||||
|
# Assuming the following schema:
|
||||||
|
#
|
||||||
|
# OU=Elements,OU=Radius,DC=ACME,DC=COM
|
||||||
|
#
|
||||||
|
# Elements will hold a record of every NAS in your
|
||||||
|
# Network. Create Group objects based on the IP
|
||||||
|
# Address of the NAS and set the "Location" or "l"
|
||||||
|
# attribute to the NAS Huntgroup the NAS belongs to
|
||||||
|
# allow them to be centrally managed in LDAP.
|
||||||
|
#
|
||||||
|
# e.g. CN=10.1.2.3,OU=Elements,OU=Radius,DC=ACME,DC=COM
|
||||||
|
#
|
||||||
|
# With a "l" value of "CiscoRTR" for a Cisco Router
|
||||||
|
# that has a NAS-IP-Address or Source-IP-Address of
|
||||||
|
# 10.1.2.3.
|
||||||
|
#
|
||||||
|
# And with a "ou" value of the shared secret password
|
||||||
|
# for the NAS element. ie "password"
|
||||||
|
if ("%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}") {
|
||||||
|
update control {
|
||||||
|
FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
|
||||||
|
|
||||||
|
# Set the Client-Shortname to be the Location
|
||||||
|
# "l" just like in the Huntgroups, but this
|
||||||
|
# time to the shortname.
|
||||||
|
|
||||||
|
FreeRADIUS-Client-Shortname = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?l?sub?cn=%{Packet-Src-IP-Address}}"
|
||||||
|
|
||||||
|
# Lookup and set the Shared Secret based on
|
||||||
|
# the "ou" attribute.
|
||||||
|
FreeRADIUS-Client-Secret = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Tell the caller that the client was defined properly.
|
||||||
|
#
|
||||||
|
# If the authorize section does NOT return "ok", then
|
||||||
|
# the new client is ignored.
|
||||||
|
ok
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,122 @@
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# An example virtual server configuration.
|
||||||
|
#
|
||||||
|
# $Id: 89950303b94d5763ebd96744500b7a00da186c08 $
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# This client will be available to any "listen" section that
|
||||||
|
# are defined outside of a virtual server section. However,
|
||||||
|
# when the server receives a packet from this client, the
|
||||||
|
# request will be processed through the "example" virtual
|
||||||
|
# server, as the "client" section contains a configuration item
|
||||||
|
# to that effect.
|
||||||
|
#
|
||||||
|
# Note that this client will be able to send requests to any
|
||||||
|
# port defined in a global "listen" section. It will NOT,
|
||||||
|
# however, be able to send requests to a port defined in a
|
||||||
|
# "listen" section that is contained in a "server" section.
|
||||||
|
#
|
||||||
|
# With careful matching of configurations, you should be able
|
||||||
|
# to:
|
||||||
|
#
|
||||||
|
# - Define one authentication port, but process each client
|
||||||
|
# through a separate virtual server.
|
||||||
|
#
|
||||||
|
# - define multiple authentication ports, each with a private
|
||||||
|
# list of clients.
|
||||||
|
#
|
||||||
|
# - define multiple authentication ports, each of which may
|
||||||
|
# have the same client listed, but with different shared
|
||||||
|
# secrets
|
||||||
|
#
|
||||||
|
# FYI: We use an address in the 192.0.2.* space for this example,
|
||||||
|
# as RFC 3330 says that that /24 range is used for documenation
|
||||||
|
# and examples, and should not appear on the net. You shouldn't
|
||||||
|
# use it for anything, either.
|
||||||
|
#
|
||||||
|
client 192.0.2.10 {
|
||||||
|
shortname = example-client
|
||||||
|
secret = testing123
|
||||||
|
virtual_server = example
|
||||||
|
}
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# An example virtual server. It starts off with "server name {"
|
||||||
|
# The "name" is used to reference this server from a "listen"
|
||||||
|
# or "client" section.
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
server example {
|
||||||
|
#
|
||||||
|
# Listen on 192.0.2.1:1812 for Access-Requests
|
||||||
|
#
|
||||||
|
# When the server receives a packet, it is processed
|
||||||
|
# through the "authorize", etc. sections listed here,
|
||||||
|
# NOT the global ones the "default" site.
|
||||||
|
#
|
||||||
|
listen {
|
||||||
|
ipaddr = 192.0.2.1
|
||||||
|
port = 1821
|
||||||
|
type = auth
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# This client is listed within the "server" section,
|
||||||
|
# and is therefore known ONLY to the socket defined
|
||||||
|
# in the "listen" section above. If the client IP
|
||||||
|
# sends a request to a different socket, the server
|
||||||
|
# will treat it as an unknown client, and will not
|
||||||
|
# respond.
|
||||||
|
#
|
||||||
|
# In contrast, the client listed at the top of this file
|
||||||
|
# is outside of any "server" section, and is therefore
|
||||||
|
# global in scope. It can send packets to any port
|
||||||
|
# defined in a global "listen" section. It CANNOT send
|
||||||
|
# packets to the listen section defined above, though.
|
||||||
|
#
|
||||||
|
# Note that you don't have to have a "virtual_server = example"
|
||||||
|
# line here, as the client is encapsulated within
|
||||||
|
# the "server" section.
|
||||||
|
#
|
||||||
|
client 192.0.2.9 {
|
||||||
|
shortname = example-client
|
||||||
|
secret = testing123
|
||||||
|
}
|
||||||
|
|
||||||
|
authorize {
|
||||||
|
#
|
||||||
|
# Some example policies. See "man unlang" for more.
|
||||||
|
#
|
||||||
|
if ("%{User-Name}" == "bob") {
|
||||||
|
update control {
|
||||||
|
Cleartext-Password := "bob"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# And then reject the user. The next line requires
|
||||||
|
# that the "always reject {}" section is defined in
|
||||||
|
# the "modules" section of radiusd.conf.
|
||||||
|
#
|
||||||
|
reject
|
||||||
|
}
|
||||||
|
|
||||||
|
authenticate {
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
post-auth {
|
||||||
|
|
||||||
|
Post-Auth-Type Reject {
|
||||||
|
update reply {
|
||||||
|
Reply-Message = "This is only an example."
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,421 @@
|
||||||
|
# -*- text -*-
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# This is a virtual server that handles *only* inner tunnel
|
||||||
|
# requests for EAP-TTLS and PEAP types.
|
||||||
|
#
|
||||||
|
# $Id: bb0b93bc9cc9ade4e78725ea113d6f228937fef7 $
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
server inner-tunnel {
|
||||||
|
|
||||||
|
#
|
||||||
|
# This next section is here to allow testing of the "inner-tunnel"
|
||||||
|
# authentication methods, independently from the "default" server.
|
||||||
|
# It is listening on "localhost", so that it can only be used from
|
||||||
|
# the same machine.
|
||||||
|
#
|
||||||
|
# $ radtest USER PASSWORD 127.0.0.1:18120 0 testing123
|
||||||
|
#
|
||||||
|
# If it works, you have configured the inner tunnel correctly. To check
|
||||||
|
# if PEAP will work, use:
|
||||||
|
#
|
||||||
|
# $ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123
|
||||||
|
#
|
||||||
|
# If that works, PEAP should work. If that command doesn't work, then
|
||||||
|
#
|
||||||
|
# FIX THE INNER TUNNEL CONFIGURATION SO THAT IT WORKS.
|
||||||
|
#
|
||||||
|
# Do NOT do any PEAP tests. It won't help. Instead, concentrate
|
||||||
|
# on fixing the inner tunnel configuration. DO NOTHING ELSE.
|
||||||
|
#
|
||||||
|
listen {
|
||||||
|
ipaddr = 127.0.0.1
|
||||||
|
port = 18120
|
||||||
|
type = auth
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Authorization. First preprocess (hints and huntgroups files),
|
||||||
|
# then realms, and finally look in the "users" file.
|
||||||
|
#
|
||||||
|
# The order of the realm modules will determine the order that
|
||||||
|
# we try to find a matching realm.
|
||||||
|
#
|
||||||
|
# Make *sure* that 'preprocess' comes before any realm if you
|
||||||
|
# need to setup hints for the remote radius server
|
||||||
|
authorize {
|
||||||
|
#
|
||||||
|
# The chap module will set 'Auth-Type := CHAP' if we are
|
||||||
|
# handling a CHAP request and Auth-Type has not already been set
|
||||||
|
chap
|
||||||
|
|
||||||
|
#
|
||||||
|
# If the users are logging in with an MS-CHAP-Challenge
|
||||||
|
# attribute for authentication, the mschap module will find
|
||||||
|
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
|
||||||
|
# to the request, which will cause the server to then use
|
||||||
|
# the mschap module for authentication.
|
||||||
|
mschap
|
||||||
|
|
||||||
|
#
|
||||||
|
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
|
||||||
|
# using the system API's to get the password. If you want
|
||||||
|
# to read /etc/passwd or /etc/shadow directly, see the
|
||||||
|
# passwd module, above.
|
||||||
|
#
|
||||||
|
# unix
|
||||||
|
|
||||||
|
#
|
||||||
|
# Look for IPASS style 'realm/', and if not found, look for
|
||||||
|
# '@realm', and decide whether or not to proxy, based on
|
||||||
|
# that.
|
||||||
|
# IPASS
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you are using multiple kinds of realms, you probably
|
||||||
|
# want to set "ignore_null = yes" for all of them.
|
||||||
|
# Otherwise, when the first style of realm doesn't match,
|
||||||
|
# the other styles won't be checked.
|
||||||
|
#
|
||||||
|
# Note that proxying the inner tunnel authentication means
|
||||||
|
# that the user MAY use one identity in the outer session
|
||||||
|
# (e.g. "anonymous", and a different one here
|
||||||
|
# (e.g. "user@example.com"). The inner session will then be
|
||||||
|
# proxied elsewhere for authentication. If you are not
|
||||||
|
# careful, this means that the user can cause you to forward
|
||||||
|
# the authentication to another RADIUS server, and have the
|
||||||
|
# accounting logs *not* sent to the other server. This makes
|
||||||
|
# it difficult to bill people for their network activity.
|
||||||
|
#
|
||||||
|
suffix
|
||||||
|
# ntdomain
|
||||||
|
|
||||||
|
#
|
||||||
|
# The "suffix" module takes care of stripping the domain
|
||||||
|
# (e.g. "@example.com") from the User-Name attribute, and the
|
||||||
|
# next few lines ensure that the request is not proxied.
|
||||||
|
#
|
||||||
|
# If you want the inner tunnel request to be proxied, delete
|
||||||
|
# the next few lines.
|
||||||
|
#
|
||||||
|
update control {
|
||||||
|
Proxy-To-Realm := LOCAL
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# This module takes care of EAP-MSCHAPv2 authentication.
|
||||||
|
#
|
||||||
|
# It also sets the EAP-Type attribute in the request
|
||||||
|
# attribute list to the EAP type from the packet.
|
||||||
|
#
|
||||||
|
# The example below uses module failover to avoid querying all
|
||||||
|
# of the following modules if the EAP module returns "ok".
|
||||||
|
# Therefore, your LDAP and/or SQL servers will not be queried
|
||||||
|
# for the many packets that go back and forth to set up TTLS
|
||||||
|
# or PEAP. The load on those servers will therefore be reduced.
|
||||||
|
#
|
||||||
|
eap {
|
||||||
|
ok = return
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Read the 'users' file
|
||||||
|
files
|
||||||
|
|
||||||
|
#
|
||||||
|
# Look in an SQL database. The schema of the database
|
||||||
|
# is meant to mirror the "users" file.
|
||||||
|
#
|
||||||
|
# See "Authorization Queries" in sql.conf
|
||||||
|
# sql
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you are using /etc/smbpasswd, and are also doing
|
||||||
|
# mschap authentication, the un-comment this line, and
|
||||||
|
# configure the 'etc_smbpasswd' module, above.
|
||||||
|
# etc_smbpasswd
|
||||||
|
|
||||||
|
#
|
||||||
|
# The ldap module will set Auth-Type to LDAP if it has not
|
||||||
|
# already been set
|
||||||
|
# ldap
|
||||||
|
|
||||||
|
#
|
||||||
|
# Enforce daily limits on time spent logged in.
|
||||||
|
# daily
|
||||||
|
|
||||||
|
#
|
||||||
|
# Use the checkval module
|
||||||
|
# checkval
|
||||||
|
|
||||||
|
expiration
|
||||||
|
logintime
|
||||||
|
|
||||||
|
#
|
||||||
|
# If no other module has claimed responsibility for
|
||||||
|
# authentication, then try to use PAP. This allows the
|
||||||
|
# other modules listed above to add a "known good" password
|
||||||
|
# to the request, and to do nothing else. The PAP module
|
||||||
|
# will then see that password, and use it to do PAP
|
||||||
|
# authentication.
|
||||||
|
#
|
||||||
|
# This module should be listed last, so that the other modules
|
||||||
|
# get a chance to set Auth-Type for themselves.
|
||||||
|
#
|
||||||
|
pap
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Authentication.
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# This section lists which modules are available for authentication.
|
||||||
|
# Note that it does NOT mean 'try each module in order'. It means
|
||||||
|
# that a module from the 'authorize' section adds a configuration
|
||||||
|
# attribute 'Auth-Type := FOO'. That authentication type is then
|
||||||
|
# used to pick the apropriate module from the list below.
|
||||||
|
#
|
||||||
|
|
||||||
|
# In general, you SHOULD NOT set the Auth-Type attribute. The server
|
||||||
|
# will figure it out on its own, and will do the right thing. The
|
||||||
|
# most common side effect of erroneously setting the Auth-Type
|
||||||
|
# attribute is that one authentication method will work, but the
|
||||||
|
# others will not.
|
||||||
|
#
|
||||||
|
# The common reasons to set the Auth-Type attribute by hand
|
||||||
|
# is to either forcibly reject the user, or forcibly accept him.
|
||||||
|
#
|
||||||
|
authenticate {
|
||||||
|
#
|
||||||
|
# PAP authentication, when a back-end database listed
|
||||||
|
# in the 'authorize' section supplies a password. The
|
||||||
|
# password can be clear-text, or encrypted.
|
||||||
|
Auth-Type PAP {
|
||||||
|
pap
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Most people want CHAP authentication
|
||||||
|
# A back-end database listed in the 'authorize' section
|
||||||
|
# MUST supply a CLEAR TEXT password. Encrypted passwords
|
||||||
|
# won't work.
|
||||||
|
Auth-Type CHAP {
|
||||||
|
chap
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# MSCHAP authentication.
|
||||||
|
Auth-Type MS-CHAP {
|
||||||
|
mschap
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Pluggable Authentication Modules.
|
||||||
|
# pam
|
||||||
|
|
||||||
|
#
|
||||||
|
# See 'man getpwent' for information on how the 'unix'
|
||||||
|
# module checks the users password. Note that packets
|
||||||
|
# containing CHAP-Password attributes CANNOT be authenticated
|
||||||
|
# against /etc/passwd! See the FAQ for details.
|
||||||
|
#
|
||||||
|
unix
|
||||||
|
|
||||||
|
# Uncomment it if you want to use ldap for authentication
|
||||||
|
#
|
||||||
|
# Note that this means "check plain-text password against
|
||||||
|
# the ldap database", which means that EAP won't work,
|
||||||
|
# as it does not supply a plain-text password.
|
||||||
|
# Auth-Type LDAP {
|
||||||
|
# ldap
|
||||||
|
# }
|
||||||
|
|
||||||
|
#
|
||||||
|
# Allow EAP authentication.
|
||||||
|
eap
|
||||||
|
}
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# There are no accounting requests inside of EAP-TTLS or PEAP
|
||||||
|
# tunnels.
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
|
||||||
|
# Session database, used for checking Simultaneous-Use. Either the radutmp
|
||||||
|
# or rlm_sql module can handle this.
|
||||||
|
# The rlm_sql module is *much* faster
|
||||||
|
session {
|
||||||
|
radutmp
|
||||||
|
|
||||||
|
#
|
||||||
|
# See "Simultaneous Use Checking Queries" in sql.conf
|
||||||
|
# sql
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Post-Authentication
|
||||||
|
# Once we KNOW that the user has been authenticated, there are
|
||||||
|
# additional steps we can take.
|
||||||
|
post-auth {
|
||||||
|
# Note that we do NOT assign IP addresses here.
|
||||||
|
# If you try to assign IP addresses for EAP authentication types,
|
||||||
|
# it WILL NOT WORK. You MUST use DHCP.
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you want to have a log of authentication replies,
|
||||||
|
# un-comment the following line, and the 'detail reply_log'
|
||||||
|
# section, above.
|
||||||
|
# reply_log
|
||||||
|
|
||||||
|
#
|
||||||
|
# After authenticating the user, do another SQL query.
|
||||||
|
#
|
||||||
|
# See "Authentication Logging Queries" in sql.conf
|
||||||
|
# sql
|
||||||
|
|
||||||
|
#
|
||||||
|
# Instead of sending the query to the SQL server,
|
||||||
|
# write it into a log file.
|
||||||
|
#
|
||||||
|
# sql_log
|
||||||
|
|
||||||
|
#
|
||||||
|
# Un-comment the following if you have set
|
||||||
|
# 'edir_account_policy_check = yes' in the ldap module sub-section of
|
||||||
|
# the 'modules' section.
|
||||||
|
#
|
||||||
|
# ldap
|
||||||
|
|
||||||
|
#
|
||||||
|
# Access-Reject packets are sent through the REJECT sub-section of the
|
||||||
|
# post-auth section.
|
||||||
|
#
|
||||||
|
# Add the ldap module name (or instance) if you have set
|
||||||
|
# 'edir_account_policy_check = yes' in the ldap module configuration
|
||||||
|
#
|
||||||
|
Post-Auth-Type REJECT {
|
||||||
|
# log failed authentications in SQL, too.
|
||||||
|
# sql
|
||||||
|
attr_filter.access_reject
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# The example policy below updates the outer tunnel reply
|
||||||
|
# (usually Access-Accept) with the User-Name from the inner
|
||||||
|
# tunnel User-Name. Since this section is processed in the
|
||||||
|
# context of the inner tunnel, "request" here means "inner
|
||||||
|
# tunnel request", and "outer.reply" means "outer tunnel
|
||||||
|
# reply attributes".
|
||||||
|
#
|
||||||
|
# This example is most useful when the outer session contains
|
||||||
|
# a User-Name of "anonymous@....", or a MAC address. If it
|
||||||
|
# is enabled, the NAS SHOULD use the inner tunnel User-Name
|
||||||
|
# in subsequent accounting packets. This makes it easier to
|
||||||
|
# track user sessions, as they will all be based on the real
|
||||||
|
# name, and not on "anonymous".
|
||||||
|
#
|
||||||
|
# The problem with doing this is that it ALSO exposes the
|
||||||
|
# real user name to any intermediate proxies. People use
|
||||||
|
# "anonymous" identifiers outside of the tunnel for a very
|
||||||
|
# good reason: it gives them more privacy. Setting the reply
|
||||||
|
# to contain the real user name removes ALL privacy from
|
||||||
|
# their session.
|
||||||
|
#
|
||||||
|
# If you want privacy to remain, see the
|
||||||
|
# Chargeable-User-Identity attribute from RFC 4372. In order
|
||||||
|
# to use that attribute, you will have to allocate a
|
||||||
|
# per-session identifier for the user, and store it in a
|
||||||
|
# long-term database (e.g. SQL). You should also use that
|
||||||
|
# attribute INSTEAD of the configuration below.
|
||||||
|
#
|
||||||
|
#update outer.reply {
|
||||||
|
# User-Name = "%{request:User-Name}"
|
||||||
|
#}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# When the server decides to proxy a request to a home server,
|
||||||
|
# the proxied request is first passed through the pre-proxy
|
||||||
|
# stage. This stage can re-write the request, or decide to
|
||||||
|
# cancel the proxy.
|
||||||
|
#
|
||||||
|
# Only a few modules currently have this method.
|
||||||
|
#
|
||||||
|
pre-proxy {
|
||||||
|
# attr_rewrite
|
||||||
|
|
||||||
|
# Uncomment the following line if you want to change attributes
|
||||||
|
# as defined in the preproxy_users file.
|
||||||
|
# files
|
||||||
|
|
||||||
|
# Uncomment the following line if you want to filter requests
|
||||||
|
# sent to remote servers based on the rules defined in the
|
||||||
|
# 'attrs.pre-proxy' file.
|
||||||
|
# attr_filter.pre-proxy
|
||||||
|
|
||||||
|
# If you want to have a log of packets proxied to a home
|
||||||
|
# server, un-comment the following line, and the
|
||||||
|
# 'detail pre_proxy_log' section, above.
|
||||||
|
# pre_proxy_log
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# When the server receives a reply to a request it proxied
|
||||||
|
# to a home server, the request may be massaged here, in the
|
||||||
|
# post-proxy stage.
|
||||||
|
#
|
||||||
|
post-proxy {
|
||||||
|
|
||||||
|
# If you want to have a log of replies from a home server,
|
||||||
|
# un-comment the following line, and the 'detail post_proxy_log'
|
||||||
|
# section, above.
|
||||||
|
# post_proxy_log
|
||||||
|
|
||||||
|
# attr_rewrite
|
||||||
|
|
||||||
|
# Uncomment the following line if you want to filter replies from
|
||||||
|
# remote proxies based on the rules defined in the 'attrs' file.
|
||||||
|
# attr_filter.post-proxy
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you are proxying LEAP, you MUST configure the EAP
|
||||||
|
# module, and you MUST list it here, in the post-proxy
|
||||||
|
# stage.
|
||||||
|
#
|
||||||
|
# You MUST also use the 'nostrip' option in the 'realm'
|
||||||
|
# configuration. Otherwise, the User-Name attribute
|
||||||
|
# in the proxied request will not match the user name
|
||||||
|
# hidden inside of the EAP packet, and the end server will
|
||||||
|
# reject the EAP request.
|
||||||
|
#
|
||||||
|
eap
|
||||||
|
|
||||||
|
#
|
||||||
|
# If the server tries to proxy a request and fails, then the
|
||||||
|
# request is processed through the modules in this section.
|
||||||
|
#
|
||||||
|
# The main use of this section is to permit robust proxying
|
||||||
|
# of accounting packets. The server can be configured to
|
||||||
|
# proxy accounting packets as part of normal processing.
|
||||||
|
# Then, if the home server goes down, accounting packets can
|
||||||
|
# be logged to a local "detail" file, for processing with
|
||||||
|
# radrelay. When the home server comes back up, radrelay
|
||||||
|
# will read the detail file, and send the packets to the
|
||||||
|
# home server.
|
||||||
|
#
|
||||||
|
# With this configuration, the server always responds to
|
||||||
|
# Accounting-Requests from the NAS, but only writes
|
||||||
|
# accounting packets to disk if the home server is down.
|
||||||
|
#
|
||||||
|
# Post-Proxy-Type Fail {
|
||||||
|
# detail
|
||||||
|
# }
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
} # inner-tunnel server block
|
|
@ -0,0 +1,421 @@
|
||||||
|
# -*- text -*-
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# This is a virtual server that handles *only* inner tunnel
|
||||||
|
# requests for EAP-TTLS and PEAP types.
|
||||||
|
#
|
||||||
|
# $Id: bb0b93bc9cc9ade4e78725ea113d6f228937fef7 $
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
server inner-tunnel {
|
||||||
|
|
||||||
|
#
|
||||||
|
# This next section is here to allow testing of the "inner-tunnel"
|
||||||
|
# authentication methods, independently from the "default" server.
|
||||||
|
# It is listening on "localhost", so that it can only be used from
|
||||||
|
# the same machine.
|
||||||
|
#
|
||||||
|
# $ radtest USER PASSWORD 127.0.0.1:18120 0 testing123
|
||||||
|
#
|
||||||
|
# If it works, you have configured the inner tunnel correctly. To check
|
||||||
|
# if PEAP will work, use:
|
||||||
|
#
|
||||||
|
# $ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123
|
||||||
|
#
|
||||||
|
# If that works, PEAP should work. If that command doesn't work, then
|
||||||
|
#
|
||||||
|
# FIX THE INNER TUNNEL CONFIGURATION SO THAT IT WORKS.
|
||||||
|
#
|
||||||
|
# Do NOT do any PEAP tests. It won't help. Instead, concentrate
|
||||||
|
# on fixing the inner tunnel configuration. DO NOTHING ELSE.
|
||||||
|
#
|
||||||
|
listen {
|
||||||
|
ipaddr = 127.0.0.1
|
||||||
|
port = 18120
|
||||||
|
type = auth
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Authorization. First preprocess (hints and huntgroups files),
|
||||||
|
# then realms, and finally look in the "users" file.
|
||||||
|
#
|
||||||
|
# The order of the realm modules will determine the order that
|
||||||
|
# we try to find a matching realm.
|
||||||
|
#
|
||||||
|
# Make *sure* that 'preprocess' comes before any realm if you
|
||||||
|
# need to setup hints for the remote radius server
|
||||||
|
authorize {
|
||||||
|
#
|
||||||
|
# The chap module will set 'Auth-Type := CHAP' if we are
|
||||||
|
# handling a CHAP request and Auth-Type has not already been set
|
||||||
|
chap
|
||||||
|
|
||||||
|
#
|
||||||
|
# If the users are logging in with an MS-CHAP-Challenge
|
||||||
|
# attribute for authentication, the mschap module will find
|
||||||
|
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
|
||||||
|
# to the request, which will cause the server to then use
|
||||||
|
# the mschap module for authentication.
|
||||||
|
mschap
|
||||||
|
|
||||||
|
#
|
||||||
|
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
|
||||||
|
# using the system API's to get the password. If you want
|
||||||
|
# to read /etc/passwd or /etc/shadow directly, see the
|
||||||
|
# passwd module, above.
|
||||||
|
#
|
||||||
|
# unix
|
||||||
|
|
||||||
|
#
|
||||||
|
# Look for IPASS style 'realm/', and if not found, look for
|
||||||
|
# '@realm', and decide whether or not to proxy, based on
|
||||||
|
# that.
|
||||||
|
# IPASS
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you are using multiple kinds of realms, you probably
|
||||||
|
# want to set "ignore_null = yes" for all of them.
|
||||||
|
# Otherwise, when the first style of realm doesn't match,
|
||||||
|
# the other styles won't be checked.
|
||||||
|
#
|
||||||
|
# Note that proxying the inner tunnel authentication means
|
||||||
|
# that the user MAY use one identity in the outer session
|
||||||
|
# (e.g. "anonymous", and a different one here
|
||||||
|
# (e.g. "user@example.com"). The inner session will then be
|
||||||
|
# proxied elsewhere for authentication. If you are not
|
||||||
|
# careful, this means that the user can cause you to forward
|
||||||
|
# the authentication to another RADIUS server, and have the
|
||||||
|
# accounting logs *not* sent to the other server. This makes
|
||||||
|
# it difficult to bill people for their network activity.
|
||||||
|
#
|
||||||
|
suffix
|
||||||
|
# ntdomain
|
||||||
|
|
||||||
|
#
|
||||||
|
# The "suffix" module takes care of stripping the domain
|
||||||
|
# (e.g. "@example.com") from the User-Name attribute, and the
|
||||||
|
# next few lines ensure that the request is not proxied.
|
||||||
|
#
|
||||||
|
# If you want the inner tunnel request to be proxied, delete
|
||||||
|
# the next few lines.
|
||||||
|
#
|
||||||
|
update control {
|
||||||
|
Proxy-To-Realm := LOCAL
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# This module takes care of EAP-MSCHAPv2 authentication.
|
||||||
|
#
|
||||||
|
# It also sets the EAP-Type attribute in the request
|
||||||
|
# attribute list to the EAP type from the packet.
|
||||||
|
#
|
||||||
|
# The example below uses module failover to avoid querying all
|
||||||
|
# of the following modules if the EAP module returns "ok".
|
||||||
|
# Therefore, your LDAP and/or SQL servers will not be queried
|
||||||
|
# for the many packets that go back and forth to set up TTLS
|
||||||
|
# or PEAP. The load on those servers will therefore be reduced.
|
||||||
|
#
|
||||||
|
eap {
|
||||||
|
ok = return
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Read the 'users' file
|
||||||
|
files
|
||||||
|
|
||||||
|
#
|
||||||
|
# Look in an SQL database. The schema of the database
|
||||||
|
# is meant to mirror the "users" file.
|
||||||
|
#
|
||||||
|
# See "Authorization Queries" in sql.conf
|
||||||
|
# sql
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you are using /etc/smbpasswd, and are also doing
|
||||||
|
# mschap authentication, the un-comment this line, and
|
||||||
|
# configure the 'etc_smbpasswd' module, above.
|
||||||
|
# etc_smbpasswd
|
||||||
|
|
||||||
|
#
|
||||||
|
# The ldap module will set Auth-Type to LDAP if it has not
|
||||||
|
# already been set
|
||||||
|
# ldap
|
||||||
|
|
||||||
|
#
|
||||||
|
# Enforce daily limits on time spent logged in.
|
||||||
|
# daily
|
||||||
|
|
||||||
|
#
|
||||||
|
# Use the checkval module
|
||||||
|
# checkval
|
||||||
|
|
||||||
|
expiration
|
||||||
|
logintime
|
||||||
|
|
||||||
|
#
|
||||||
|
# If no other module has claimed responsibility for
|
||||||
|
# authentication, then try to use PAP. This allows the
|
||||||
|
# other modules listed above to add a "known good" password
|
||||||
|
# to the request, and to do nothing else. The PAP module
|
||||||
|
# will then see that password, and use it to do PAP
|
||||||
|
# authentication.
|
||||||
|
#
|
||||||
|
# This module should be listed last, so that the other modules
|
||||||
|
# get a chance to set Auth-Type for themselves.
|
||||||
|
#
|
||||||
|
pap
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Authentication.
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# This section lists which modules are available for authentication.
|
||||||
|
# Note that it does NOT mean 'try each module in order'. It means
|
||||||
|
# that a module from the 'authorize' section adds a configuration
|
||||||
|
# attribute 'Auth-Type := FOO'. That authentication type is then
|
||||||
|
# used to pick the apropriate module from the list below.
|
||||||
|
#
|
||||||
|
|
||||||
|
# In general, you SHOULD NOT set the Auth-Type attribute. The server
|
||||||
|
# will figure it out on its own, and will do the right thing. The
|
||||||
|
# most common side effect of erroneously setting the Auth-Type
|
||||||
|
# attribute is that one authentication method will work, but the
|
||||||
|
# others will not.
|
||||||
|
#
|
||||||
|
# The common reasons to set the Auth-Type attribute by hand
|
||||||
|
# is to either forcibly reject the user, or forcibly accept him.
|
||||||
|
#
|
||||||
|
authenticate {
|
||||||
|
#
|
||||||
|
# PAP authentication, when a back-end database listed
|
||||||
|
# in the 'authorize' section supplies a password. The
|
||||||
|
# password can be clear-text, or encrypted.
|
||||||
|
Auth-Type PAP {
|
||||||
|
pap
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Most people want CHAP authentication
|
||||||
|
# A back-end database listed in the 'authorize' section
|
||||||
|
# MUST supply a CLEAR TEXT password. Encrypted passwords
|
||||||
|
# won't work.
|
||||||
|
Auth-Type CHAP {
|
||||||
|
chap
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# MSCHAP authentication.
|
||||||
|
Auth-Type MS-CHAP {
|
||||||
|
mschap
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Pluggable Authentication Modules.
|
||||||
|
# pam
|
||||||
|
|
||||||
|
#
|
||||||
|
# See 'man getpwent' for information on how the 'unix'
|
||||||
|
# module checks the users password. Note that packets
|
||||||
|
# containing CHAP-Password attributes CANNOT be authenticated
|
||||||
|
# against /etc/passwd! See the FAQ for details.
|
||||||
|
#
|
||||||
|
unix
|
||||||
|
|
||||||
|
# Uncomment it if you want to use ldap for authentication
|
||||||
|
#
|
||||||
|
# Note that this means "check plain-text password against
|
||||||
|
# the ldap database", which means that EAP won't work,
|
||||||
|
# as it does not supply a plain-text password.
|
||||||
|
# Auth-Type LDAP {
|
||||||
|
# ldap
|
||||||
|
# }
|
||||||
|
|
||||||
|
#
|
||||||
|
# Allow EAP authentication.
|
||||||
|
eap
|
||||||
|
}
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# There are no accounting requests inside of EAP-TTLS or PEAP
|
||||||
|
# tunnels.
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
|
||||||
|
# Session database, used for checking Simultaneous-Use. Either the radutmp
|
||||||
|
# or rlm_sql module can handle this.
|
||||||
|
# The rlm_sql module is *much* faster
|
||||||
|
session {
|
||||||
|
radutmp
|
||||||
|
|
||||||
|
#
|
||||||
|
# See "Simultaneous Use Checking Queries" in sql.conf
|
||||||
|
# sql
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Post-Authentication
|
||||||
|
# Once we KNOW that the user has been authenticated, there are
|
||||||
|
# additional steps we can take.
|
||||||
|
post-auth {
|
||||||
|
# Note that we do NOT assign IP addresses here.
|
||||||
|
# If you try to assign IP addresses for EAP authentication types,
|
||||||
|
# it WILL NOT WORK. You MUST use DHCP.
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you want to have a log of authentication replies,
|
||||||
|
# un-comment the following line, and the 'detail reply_log'
|
||||||
|
# section, above.
|
||||||
|
# reply_log
|
||||||
|
|
||||||
|
#
|
||||||
|
# After authenticating the user, do another SQL query.
|
||||||
|
#
|
||||||
|
# See "Authentication Logging Queries" in sql.conf
|
||||||
|
# sql
|
||||||
|
|
||||||
|
#
|
||||||
|
# Instead of sending the query to the SQL server,
|
||||||
|
# write it into a log file.
|
||||||
|
#
|
||||||
|
# sql_log
|
||||||
|
|
||||||
|
#
|
||||||
|
# Un-comment the following if you have set
|
||||||
|
# 'edir_account_policy_check = yes' in the ldap module sub-section of
|
||||||
|
# the 'modules' section.
|
||||||
|
#
|
||||||
|
# ldap
|
||||||
|
|
||||||
|
#
|
||||||
|
# Access-Reject packets are sent through the REJECT sub-section of the
|
||||||
|
# post-auth section.
|
||||||
|
#
|
||||||
|
# Add the ldap module name (or instance) if you have set
|
||||||
|
# 'edir_account_policy_check = yes' in the ldap module configuration
|
||||||
|
#
|
||||||
|
Post-Auth-Type REJECT {
|
||||||
|
# log failed authentications in SQL, too.
|
||||||
|
# sql
|
||||||
|
attr_filter.access_reject
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# The example policy below updates the outer tunnel reply
|
||||||
|
# (usually Access-Accept) with the User-Name from the inner
|
||||||
|
# tunnel User-Name. Since this section is processed in the
|
||||||
|
# context of the inner tunnel, "request" here means "inner
|
||||||
|
# tunnel request", and "outer.reply" means "outer tunnel
|
||||||
|
# reply attributes".
|
||||||
|
#
|
||||||
|
# This example is most useful when the outer session contains
|
||||||
|
# a User-Name of "anonymous@....", or a MAC address. If it
|
||||||
|
# is enabled, the NAS SHOULD use the inner tunnel User-Name
|
||||||
|
# in subsequent accounting packets. This makes it easier to
|
||||||
|
# track user sessions, as they will all be based on the real
|
||||||
|
# name, and not on "anonymous".
|
||||||
|
#
|
||||||
|
# The problem with doing this is that it ALSO exposes the
|
||||||
|
# real user name to any intermediate proxies. People use
|
||||||
|
# "anonymous" identifiers outside of the tunnel for a very
|
||||||
|
# good reason: it gives them more privacy. Setting the reply
|
||||||
|
# to contain the real user name removes ALL privacy from
|
||||||
|
# their session.
|
||||||
|
#
|
||||||
|
# If you want privacy to remain, see the
|
||||||
|
# Chargeable-User-Identity attribute from RFC 4372. In order
|
||||||
|
# to use that attribute, you will have to allocate a
|
||||||
|
# per-session identifier for the user, and store it in a
|
||||||
|
# long-term database (e.g. SQL). You should also use that
|
||||||
|
# attribute INSTEAD of the configuration below.
|
||||||
|
#
|
||||||
|
#update outer.reply {
|
||||||
|
# User-Name = "%{request:User-Name}"
|
||||||
|
#}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# When the server decides to proxy a request to a home server,
|
||||||
|
# the proxied request is first passed through the pre-proxy
|
||||||
|
# stage. This stage can re-write the request, or decide to
|
||||||
|
# cancel the proxy.
|
||||||
|
#
|
||||||
|
# Only a few modules currently have this method.
|
||||||
|
#
|
||||||
|
pre-proxy {
|
||||||
|
# attr_rewrite
|
||||||
|
|
||||||
|
# Uncomment the following line if you want to change attributes
|
||||||
|
# as defined in the preproxy_users file.
|
||||||
|
# files
|
||||||
|
|
||||||
|
# Uncomment the following line if you want to filter requests
|
||||||
|
# sent to remote servers based on the rules defined in the
|
||||||
|
# 'attrs.pre-proxy' file.
|
||||||
|
# attr_filter.pre-proxy
|
||||||
|
|
||||||
|
# If you want to have a log of packets proxied to a home
|
||||||
|
# server, un-comment the following line, and the
|
||||||
|
# 'detail pre_proxy_log' section, above.
|
||||||
|
# pre_proxy_log
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# When the server receives a reply to a request it proxied
|
||||||
|
# to a home server, the request may be massaged here, in the
|
||||||
|
# post-proxy stage.
|
||||||
|
#
|
||||||
|
post-proxy {
|
||||||
|
|
||||||
|
# If you want to have a log of replies from a home server,
|
||||||
|
# un-comment the following line, and the 'detail post_proxy_log'
|
||||||
|
# section, above.
|
||||||
|
# post_proxy_log
|
||||||
|
|
||||||
|
# attr_rewrite
|
||||||
|
|
||||||
|
# Uncomment the following line if you want to filter replies from
|
||||||
|
# remote proxies based on the rules defined in the 'attrs' file.
|
||||||
|
# attr_filter.post-proxy
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you are proxying LEAP, you MUST configure the EAP
|
||||||
|
# module, and you MUST list it here, in the post-proxy
|
||||||
|
# stage.
|
||||||
|
#
|
||||||
|
# You MUST also use the 'nostrip' option in the 'realm'
|
||||||
|
# configuration. Otherwise, the User-Name attribute
|
||||||
|
# in the proxied request will not match the user name
|
||||||
|
# hidden inside of the EAP packet, and the end server will
|
||||||
|
# reject the EAP request.
|
||||||
|
#
|
||||||
|
eap
|
||||||
|
|
||||||
|
#
|
||||||
|
# If the server tries to proxy a request and fails, then the
|
||||||
|
# request is processed through the modules in this section.
|
||||||
|
#
|
||||||
|
# The main use of this section is to permit robust proxying
|
||||||
|
# of accounting packets. The server can be configured to
|
||||||
|
# proxy accounting packets as part of normal processing.
|
||||||
|
# Then, if the home server goes down, accounting packets can
|
||||||
|
# be logged to a local "detail" file, for processing with
|
||||||
|
# radrelay. When the home server comes back up, radrelay
|
||||||
|
# will read the detail file, and send the packets to the
|
||||||
|
# home server.
|
||||||
|
#
|
||||||
|
# With this configuration, the server always responds to
|
||||||
|
# Accounting-Requests from the NAS, but only writes
|
||||||
|
# accounting packets to disk if the home server is down.
|
||||||
|
#
|
||||||
|
# Post-Proxy-Type Fail {
|
||||||
|
# detail
|
||||||
|
# }
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
} # inner-tunnel server block
|
|
@ -0,0 +1,190 @@
|
||||||
|
# -*- text -*-
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# The server can originate Change of Authorization (CoA) or
|
||||||
|
# Disconnect request packets. These packets are used to dynamically
|
||||||
|
# change the parameters of a users session (bandwidth, etc.), or
|
||||||
|
# to forcibly disconnect the user.
|
||||||
|
#
|
||||||
|
# There are some caveats. Not all NAS vendors support this
|
||||||
|
# functionality. Even for the ones that do, it may be difficult to
|
||||||
|
# find out what needs to go into a CoA-Request or Disconnect-Request
|
||||||
|
# packet. All we can suggest is to read the NAS documentation
|
||||||
|
# available from the vendor. That documentation SHOULD describe
|
||||||
|
# what information their equipment needs to see in a CoA packet.
|
||||||
|
#
|
||||||
|
# This information is usually a list of attributes such as:
|
||||||
|
#
|
||||||
|
# NAS-IP-Address (or NAS-IPv6 address)
|
||||||
|
# NAS-Identifier
|
||||||
|
# User-Name
|
||||||
|
# Acct-Session-Id
|
||||||
|
#
|
||||||
|
# CoA packets can be originated when a normal Access-Request or
|
||||||
|
# Accounting-Request packet is received. Simply update the
|
||||||
|
# "coa" list:
|
||||||
|
#
|
||||||
|
# update coa {
|
||||||
|
# User-Name = "%{User-Name}"
|
||||||
|
# Acct-Session-Id = "%{Acct-Session-Id}"
|
||||||
|
# NAS-IP-Address = "%{NAS-IP-Address}"
|
||||||
|
# }
|
||||||
|
#
|
||||||
|
# And the CoA packet will be sent. You can also send Disconnect
|
||||||
|
# packets by using "update disconnect { ...".
|
||||||
|
#
|
||||||
|
# This "update coa" entry can be placed in any section (authorize,
|
||||||
|
# preacct, etc.), EXCEPT for pre-proxy and post-proxy. The CoA
|
||||||
|
# packets CANNOT be sent if the original request has been proxied.
|
||||||
|
#
|
||||||
|
# The CoA functionality works best when the RADIUS server and
|
||||||
|
# the NAS receiving CoA packets are on the same network.
|
||||||
|
#
|
||||||
|
# If "update coa { ... " is used, and then later it becomes necessary
|
||||||
|
# to not send a CoA request, the following example can suppress the
|
||||||
|
# CoA packet:
|
||||||
|
#
|
||||||
|
# update control {
|
||||||
|
# Send-CoA-Request = No
|
||||||
|
# }
|
||||||
|
#
|
||||||
|
# The default destination of a CoA packet is the NAS (or client)
|
||||||
|
# the sent the original Access-Request or Accounting-Request. See
|
||||||
|
# raddb/clients.conf for a "coa_server" configuration that ties
|
||||||
|
# a client to a specific home server, or to a home server pool.
|
||||||
|
#
|
||||||
|
# If you need to send the packet to a different destination, update
|
||||||
|
# the "coa" list with one of:
|
||||||
|
#
|
||||||
|
# Packet-Dst-IP-Address = ...
|
||||||
|
# Packet-Dst-IPv6-Address = ...
|
||||||
|
# Home-Server-Pool = ...
|
||||||
|
#
|
||||||
|
# That specifies an Ipv4 or IPv6 address, or a home server pool
|
||||||
|
# (such as the "coa" pool example below). This use is not
|
||||||
|
# recommended, however, It is much better to point the client
|
||||||
|
# configuration directly at the CoA server/pool, as outlined
|
||||||
|
# earlier.
|
||||||
|
#
|
||||||
|
# If the CoA port is non-standard, you can also set:
|
||||||
|
#
|
||||||
|
# Packet-Dst-Port
|
||||||
|
#
|
||||||
|
# to have the value of the port.
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
#
|
||||||
|
# When CoA packets are sent to a NAS, the NAS is acting as a
|
||||||
|
# server (see RFC 5176). i.e. it has a type (accepts CoA and/or
|
||||||
|
# Disconnect packets), an IP address (or IPv6 address), a
|
||||||
|
# destination port, and a shared secret.
|
||||||
|
#
|
||||||
|
# This information *cannot* go into a "client" section. In the future,
|
||||||
|
# FreeRADIUS will be able to receive, and to proxy CoA packets.
|
||||||
|
# Having the CoA configuration as below means that we can later do
|
||||||
|
# load-balancing, fail-over, etc. of CoA servers. If the CoA
|
||||||
|
# configuration went into a "client" section, it would be impossible
|
||||||
|
# to do proper proxying of CoA requests.
|
||||||
|
#
|
||||||
|
home_server localhost-coa {
|
||||||
|
type = coa
|
||||||
|
|
||||||
|
#
|
||||||
|
# Note that a home server of type "coa" MUST be a real NAS,
|
||||||
|
# with an ipaddr or ipv6addr. It CANNOT point to a virtual
|
||||||
|
# server.
|
||||||
|
#
|
||||||
|
ipaddr = 127.0.0.1
|
||||||
|
port = 3799
|
||||||
|
|
||||||
|
# This secret SHOULD NOT be the same as the shared
|
||||||
|
# secret in a "client" section.
|
||||||
|
secret = testing1234
|
||||||
|
|
||||||
|
# CoA specific parameters. See raddb/proxy.conf for details.
|
||||||
|
coa {
|
||||||
|
irt = 2
|
||||||
|
mrt = 16
|
||||||
|
mrc = 5
|
||||||
|
mrd = 30
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# CoA servers can be put into pools, just like normal servers.
|
||||||
|
#
|
||||||
|
home_server_pool coa {
|
||||||
|
type = fail-over
|
||||||
|
|
||||||
|
# Point to the CoA server above.
|
||||||
|
home_server = localhost-coa
|
||||||
|
|
||||||
|
# CoA requests are run through the pre-proxy section.
|
||||||
|
# CoA responses are run through the post-proxy section.
|
||||||
|
virtual_server = originate-coa.example.com
|
||||||
|
|
||||||
|
#
|
||||||
|
# Home server pools of type "coa" cannot (currently) have
|
||||||
|
# a "fallback" configuration.
|
||||||
|
#
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# When this virtual server is run, the original request has FINISHED
|
||||||
|
# processing. i.e. the reply has already been sent to the NAS.
|
||||||
|
# You can access the attributes in the original packet, reply, and
|
||||||
|
# control items, but changing them will have NO EFFECT.
|
||||||
|
#
|
||||||
|
# The CoA packet is in the "proxy-request" attribute list.
|
||||||
|
# The CoA reply (if any) is in the "proxy-reply" attribute list.
|
||||||
|
#
|
||||||
|
server originate-coa.example.com {
|
||||||
|
pre-proxy {
|
||||||
|
update proxy-request {
|
||||||
|
NAS-IP-Address = 127.0.0.1
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Handle the responses here.
|
||||||
|
#
|
||||||
|
post-proxy {
|
||||||
|
switch "%{proxy-reply:Packet-Type}" {
|
||||||
|
case CoA-ACK {
|
||||||
|
ok
|
||||||
|
}
|
||||||
|
|
||||||
|
case CoA-NAK {
|
||||||
|
# the NAS didn't like the CoA request
|
||||||
|
ok
|
||||||
|
}
|
||||||
|
|
||||||
|
case Disconnect-ACK {
|
||||||
|
ok
|
||||||
|
}
|
||||||
|
|
||||||
|
case Disconnect-NAK {
|
||||||
|
# the NAS didn't like the Disconnect request
|
||||||
|
ok
|
||||||
|
}
|
||||||
|
|
||||||
|
# Invalid packet type. This shouldn't happen.
|
||||||
|
case {
|
||||||
|
fail
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# These methods are run when there is NO response
|
||||||
|
# to the request.
|
||||||
|
#
|
||||||
|
Post-Proxy-Type Fail-CoA {
|
||||||
|
ok
|
||||||
|
}
|
||||||
|
|
||||||
|
Post-Proxy-Type Fail-Disconnect {
|
||||||
|
ok
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,47 @@
|
||||||
|
# -*- text -*-
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# This is a virtual server that handles *only* inner tunnel
|
||||||
|
# requests for EAP-TTLS and PEAP types.
|
||||||
|
#
|
||||||
|
# $Id: 1ce4137d5f93ff65a92ebaac676690cc718846ad $
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
server proxy-inner-tunnel {
|
||||||
|
|
||||||
|
#
|
||||||
|
# This example is very simple. All inner tunnel requests get
|
||||||
|
# proxied to another RADIUS server.
|
||||||
|
#
|
||||||
|
authorize {
|
||||||
|
#
|
||||||
|
# Do other things here, as necessary.
|
||||||
|
#
|
||||||
|
# e.g. run the "realms" module, to decide how to proxy
|
||||||
|
# the inner tunnel request.
|
||||||
|
#
|
||||||
|
|
||||||
|
update control {
|
||||||
|
# You should update this to be one of your realms.
|
||||||
|
Proxy-To-Realm := "example.com"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
authenticate {
|
||||||
|
#
|
||||||
|
# This is necessary so that the inner tunnel EAP-MSCHAPv2
|
||||||
|
# method can be called. That method takes care of turning
|
||||||
|
# EAP-MSCHAPv2 into plain MS-CHAPv2, if necessary.
|
||||||
|
eap
|
||||||
|
}
|
||||||
|
|
||||||
|
post-proxy {
|
||||||
|
#
|
||||||
|
# This is necessary for LEAP, or if you set:
|
||||||
|
#
|
||||||
|
# proxy_tunneled_request_as_eap = no
|
||||||
|
#
|
||||||
|
eap
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,167 @@
|
||||||
|
# -*- text -*-
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# This is a sample configuration for robust proxy accounting.
|
||||||
|
# accounting packets are proxied, OR logged locally if all
|
||||||
|
# home servers are down. When the home servers come back up,
|
||||||
|
# the accounting packets are forwarded.
|
||||||
|
#
|
||||||
|
# This method enables the server to proxy all packets to the
|
||||||
|
# home servers when they're up, AND to avoid writing to the
|
||||||
|
# detail file in most situations.
|
||||||
|
#
|
||||||
|
# In most situations, proxying of accounting messages is done
|
||||||
|
# in a "pass-through" fashion. If the home server does not
|
||||||
|
# respond, then the proxy server does not respond to the NAS.
|
||||||
|
# That means that the NAS must retransmit packets, sometimes
|
||||||
|
# forever. This example shows how the proxy server can still
|
||||||
|
# respond to the NAS, even if all home servers are down.
|
||||||
|
#
|
||||||
|
# This configuration could be done MUCH more simply if ALL
|
||||||
|
# packets were written to the detail file. But that would
|
||||||
|
# involve a lot more disk writes, which may not be a good idea.
|
||||||
|
#
|
||||||
|
# This file is NOT meant to be used as-is. It needs to be
|
||||||
|
# edited to match your local configuration.
|
||||||
|
#
|
||||||
|
# $Id: 9bf86978db676ef16f6062f4d359385e291cc930 $
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
# (1) Define two home servers.
|
||||||
|
home_server home1.example.com {
|
||||||
|
type = acct
|
||||||
|
ipaddr = 192.0.2.10
|
||||||
|
port = 1813
|
||||||
|
secret = testing123
|
||||||
|
|
||||||
|
# Mark this home server alive ONLY when it starts being responsive
|
||||||
|
status_check = request
|
||||||
|
username = "test_user_status_check"
|
||||||
|
|
||||||
|
# Set the response timeout aggressively low.
|
||||||
|
# You MAY have to increase this, depending on tests with
|
||||||
|
# your local installation.
|
||||||
|
response_window = 6
|
||||||
|
}
|
||||||
|
|
||||||
|
home_server home2.example.com {
|
||||||
|
type = acct
|
||||||
|
ipaddr = 192.0.2.20
|
||||||
|
port = 1813
|
||||||
|
secret = testing123
|
||||||
|
|
||||||
|
# Mark this home server alive ONLY when it starts being responsive
|
||||||
|
status_check = request
|
||||||
|
username = "test_user_status_check"
|
||||||
|
|
||||||
|
# Set the response timeout aggressively low.
|
||||||
|
# You MAY have to increase this, depending on tests with
|
||||||
|
# your local installation.
|
||||||
|
response_window = 6
|
||||||
|
}
|
||||||
|
|
||||||
|
# (2) Define a virtual server to be used when both of the
|
||||||
|
# home servers are down.
|
||||||
|
home_server acct_detail.example.com {
|
||||||
|
virtual_server = acct_detail.example.com
|
||||||
|
}
|
||||||
|
|
||||||
|
# Put all of the servers into a pool.
|
||||||
|
home_server_pool acct_pool.example.com {
|
||||||
|
type = load-balance # other types are OK, too.
|
||||||
|
|
||||||
|
home_server = home1.example.com
|
||||||
|
home_server = home2.example.com
|
||||||
|
# add more home_server's here.
|
||||||
|
|
||||||
|
# If all home servers are down, try a home server that
|
||||||
|
# is a local virtual server.
|
||||||
|
fallback = acct_detail.example.com
|
||||||
|
|
||||||
|
# for pre/post-proxy policies
|
||||||
|
virtual_server = home.example.com
|
||||||
|
}
|
||||||
|
|
||||||
|
# (3) Define a realm for these home servers.
|
||||||
|
# It should NOT be used as part of normal proxying decisions!
|
||||||
|
realm acct_realm.example.com {
|
||||||
|
acct_pool = acct_pool.example.com
|
||||||
|
}
|
||||||
|
|
||||||
|
# (4) Define a detail file writer.
|
||||||
|
# See raddb/modules/detail.example.com
|
||||||
|
|
||||||
|
# (5) Define the virtual server to write the packets to the detail file
|
||||||
|
# This will be called when ALL home servers are down, because of the
|
||||||
|
# "fallback" configuration in the home server pool.
|
||||||
|
server acct_detail.example.com {
|
||||||
|
accounting {
|
||||||
|
detail.example.com
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# (6) Define a virtual server to handle pre/post-proxy re-writing
|
||||||
|
server home.example.com {
|
||||||
|
pre-proxy {
|
||||||
|
# Insert pre-proxy rules here
|
||||||
|
}
|
||||||
|
|
||||||
|
post-proxy {
|
||||||
|
# Insert post-proxy rules here
|
||||||
|
|
||||||
|
# This will be called when the CURRENT packet failed
|
||||||
|
# to be proxied. This may happen when one home server
|
||||||
|
# suddenly goes down, even though another home server
|
||||||
|
# may be alive.
|
||||||
|
#
|
||||||
|
# i.e. the current request has run out of time, so it
|
||||||
|
# cannot fail over to another (possibly) alive server.
|
||||||
|
#
|
||||||
|
# We want to respond to the NAS, so that it can stop
|
||||||
|
# re-sending the packet. We write the packet to the
|
||||||
|
# "detail" file, where it will be read, and sent to
|
||||||
|
# another home server.
|
||||||
|
#
|
||||||
|
Post-Proxy-Type Fail {
|
||||||
|
detail.example.com
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Read accounting packets from the detail file(s) for
|
||||||
|
# the home server.
|
||||||
|
#
|
||||||
|
# Note that you can have only ONE "listen" section reading
|
||||||
|
# detail files from a particular directory. That is why the
|
||||||
|
# destination host name is used as part of the directory name
|
||||||
|
# below. Having two "listen" sections reading detail files
|
||||||
|
# from the same directory WILL cause problems. The packets
|
||||||
|
# may be read by one, the other, or both "listen" sections.
|
||||||
|
listen {
|
||||||
|
type = detail
|
||||||
|
filename = "${radacctdir}/detail.example.com/detail-*:*"
|
||||||
|
load_factor = 10
|
||||||
|
}
|
||||||
|
|
||||||
|
# All packets read from the detail file are proxied back to
|
||||||
|
# the home servers.
|
||||||
|
#
|
||||||
|
# The normal pre/post-proxy rules are applied to them, too.
|
||||||
|
#
|
||||||
|
# If the home servers are STILL down, then the server stops
|
||||||
|
# reading the detail file, and queues the packets for a later
|
||||||
|
# retransmission. The Post-Proxy-Type "Fail" handler is NOT
|
||||||
|
# called.
|
||||||
|
#
|
||||||
|
# When the home servers come back up, the packets are forwarded,
|
||||||
|
# and the detail file processed as normal.
|
||||||
|
accounting {
|
||||||
|
# You may want accounting policies here...
|
||||||
|
|
||||||
|
update control {
|
||||||
|
Proxy-To-Realm := "acct_realm.example.com"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,34 @@
|
||||||
|
# This is a simple server for the MS SoH requests generated by the
|
||||||
|
# peap module - see "eap.conf" for more info
|
||||||
|
|
||||||
|
# Requests are ONLY passed through the authorize section, and cannot
|
||||||
|
# current be proxied (in any event, the radius attributes used are
|
||||||
|
# internal).
|
||||||
|
|
||||||
|
server soh-server {
|
||||||
|
authorize {
|
||||||
|
if (SoH-Supported == no) {
|
||||||
|
# client NAKed our request for SoH - not supported, or turned off
|
||||||
|
update config {
|
||||||
|
Auth-Type = Accept
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
# client replied; check something - this is a local policy issue!
|
||||||
|
if (SoH-MS-Windows-Health-Status =~ /antivirus (warn|error) /) {
|
||||||
|
update config {
|
||||||
|
Auth-Type = Reject
|
||||||
|
}
|
||||||
|
update reply {
|
||||||
|
Reply-Message = "You must have antivirus enabled & installed!"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
update config {
|
||||||
|
Auth-Type = Accept
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,127 @@
|
||||||
|
# -*- text -*-
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# A virtual server to handle ONLY Status-Server packets.
|
||||||
|
#
|
||||||
|
# Server statistics can be queried with a properly formatted
|
||||||
|
# Status-Server request. See dictionary.freeradius for comments.
|
||||||
|
#
|
||||||
|
# If radiusd.conf has "status_server = yes", then any client
|
||||||
|
# will be able to send a Status-Server packet to any port
|
||||||
|
# (listen section type "auth", "acct", or "status"), and the
|
||||||
|
# server will respond.
|
||||||
|
#
|
||||||
|
# If radiusd.conf has "status_server = no", then the server will
|
||||||
|
# ignore Status-Server packets to "auth" and "acct" ports. It
|
||||||
|
# will respond only if the Status-Server packet is sent to a
|
||||||
|
# "status" port.
|
||||||
|
#
|
||||||
|
# The server statistics are available ONLY on socket of type
|
||||||
|
# "status". Qeuries for statistics sent to any other port
|
||||||
|
# are ignored.
|
||||||
|
#
|
||||||
|
# Similarly, a socket of type "status" will not process
|
||||||
|
# authentication or accounting packets. This is for security.
|
||||||
|
#
|
||||||
|
# $Id: 4e4f4179911adf96ca375a860d65903b86becade $
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
server status {
|
||||||
|
listen {
|
||||||
|
# ONLY Status-Server is allowed to this port.
|
||||||
|
# ALL other packets are ignored.
|
||||||
|
type = status
|
||||||
|
|
||||||
|
ipaddr = 127.0.0.1
|
||||||
|
port = 18121
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# We recommend that you list ONLY management clients here.
|
||||||
|
# i.e. NOT your NASes or Access Points, and for an ISP,
|
||||||
|
# DEFINITELY not any RADIUS servers that are proxying packets
|
||||||
|
# to you.
|
||||||
|
#
|
||||||
|
# If you do NOT list a client here, then any client that is
|
||||||
|
# globally defined (i.e. all of them) will be able to query
|
||||||
|
# these statistics.
|
||||||
|
#
|
||||||
|
# Do you really want your partners seeing the internal details
|
||||||
|
# of what your RADIUS server is doing?
|
||||||
|
#
|
||||||
|
client admin {
|
||||||
|
ipaddr = 127.0.0.1
|
||||||
|
secret = adminsecret
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Simple authorize section. The "Autz-Type Status-Server"
|
||||||
|
# section will work here, too. See "raddb/sites-available/default".
|
||||||
|
authorize {
|
||||||
|
ok
|
||||||
|
|
||||||
|
# respond to the Status-Server request.
|
||||||
|
Autz-Type Status-Server {
|
||||||
|
ok
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Statistics can be queried via a number of methods:
|
||||||
|
#
|
||||||
|
# All packets received/sent by the server (1 = auth, 2 = acct)
|
||||||
|
# FreeRADIUS-Statistics-Type = 3
|
||||||
|
#
|
||||||
|
# All packets proxied by the server (4 = proxy-auth, 8 = proxy-acct)
|
||||||
|
# FreeRADIUS-Statistics-Type = 12
|
||||||
|
#
|
||||||
|
# All packets sent && received:
|
||||||
|
# FreeRADIUS-Statistics-Type = 15
|
||||||
|
#
|
||||||
|
# Internal server statistics:
|
||||||
|
# FreeRADIUS-Statistics-Type = 16
|
||||||
|
#
|
||||||
|
# All packets for a particular client (globally defined)
|
||||||
|
# FreeRADIUS-Statistics-Type = 35
|
||||||
|
# FreeRADIUS-Stats-Client-IP-Address = 192.168.1.1
|
||||||
|
#
|
||||||
|
# All packets for a client attached to a "listen" ip/port
|
||||||
|
# FreeRADIUS-Statistics-Type = 35
|
||||||
|
# FreeRADIUS-Stats-Client-IP-Address = 192.168.1.1
|
||||||
|
# FreeRADIUS-Stats-Server-IP-Address = 127.0.0.1
|
||||||
|
# FreeRADIUS-Stats-Server-Port = 1812
|
||||||
|
#
|
||||||
|
# All packets for a "listen" IP/port
|
||||||
|
# FreeRADIUS-Statistics-Type = 67
|
||||||
|
# FreeRADIUS-Stats-Server-IP-Address = 127.0.0.1
|
||||||
|
# FreeRADIUS-Stats-Server-Port = 1812
|
||||||
|
#
|
||||||
|
# All packets for a home server IP / port
|
||||||
|
# FreeRADIUS-Statistics-Type = 131
|
||||||
|
# FreeRADIUS-Stats-Server-IP-Address = 192.168.1.2
|
||||||
|
# FreeRADIUS-Stats-Server-Port = 1812
|
||||||
|
|
||||||
|
#
|
||||||
|
# You can also get exponentially weighted moving averages of
|
||||||
|
# response times (in usec) of home servers. Just set the config
|
||||||
|
# item "historic_average_window" in a home_server section.
|
||||||
|
#
|
||||||
|
# By default it is zero (don't calculate it). Useful values
|
||||||
|
# are between 100, and 10,000. The server will calculate and
|
||||||
|
# remember the moving average for this window, and for 10 times
|
||||||
|
# that window.
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# Some of this could have been simplified. e.g. the proxy-auth and
|
||||||
|
# proxy-acct bits aren't completely necessary. But using them permits
|
||||||
|
# the server to be queried for ALL inbound && outbound packets at once.
|
||||||
|
# This gives a good snapshot of what the server is doing.
|
||||||
|
#
|
||||||
|
# Due to internal limitations, the statistics might not be exactly up
|
||||||
|
# to date. Do not expect all of the numbers to add up perfectly.
|
||||||
|
# The Status-Server packets are also counted in the total requests &&
|
||||||
|
# responses. The responses are counted only AFTER the response has
|
||||||
|
# been sent.
|
||||||
|
#
|
|
@ -0,0 +1,26 @@
|
||||||
|
# -*- text -*-
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# Sample virtual server for internally proxied requests.
|
||||||
|
#
|
||||||
|
# See the "realm virtual.example.com" example in "proxy.conf".
|
||||||
|
#
|
||||||
|
# $Id: d8eff1c615627fdb5ac1d82a67b03f620de3a7a9 $
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
#
|
||||||
|
# Sample contents: just do everything that the default configuration does.
|
||||||
|
#
|
||||||
|
# You WILL want to edit this to your local needs. We suggest copying
|
||||||
|
# the "default" file here, and then editing it. That way, any
|
||||||
|
# changes to the 'default" file will not affect this virtual server,
|
||||||
|
# and vice-versa.
|
||||||
|
#
|
||||||
|
# When this virtual server receives the request, the original
|
||||||
|
# attributes can be accessed as "outer.request", "outer.control", etc.
|
||||||
|
# See "man unlang" for more details.
|
||||||
|
#
|
||||||
|
server virtual.example.com {
|
||||||
|
$INCLUDE ${confdir}/sites-available/default
|
||||||
|
}
|
|
@ -0,0 +1,98 @@
|
||||||
|
# -*- text -*-
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# As of version 2.0.0, the server also supports the VMPS
|
||||||
|
# protocol.
|
||||||
|
#
|
||||||
|
# $Id: 13f4e955799583b1b8f843e8965465178ff6038f $
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
server vmps {
|
||||||
|
listen {
|
||||||
|
# VMPS sockets only support IPv4 addresses.
|
||||||
|
ipaddr = *
|
||||||
|
|
||||||
|
# Port on which to listen.
|
||||||
|
# Allowed values are:
|
||||||
|
# integer port number
|
||||||
|
# 1589 is the default VMPS port.
|
||||||
|
port = 1589
|
||||||
|
|
||||||
|
# Type of packets to listen for. Here, it is VMPS.
|
||||||
|
type = vmps
|
||||||
|
|
||||||
|
# Some systems support binding to an interface, in addition
|
||||||
|
# to the IP address. This feature isn't strictly necessary,
|
||||||
|
# but for sites with many IP addresses on one interface,
|
||||||
|
# it's useful to say "listen on all addresses for
|
||||||
|
# eth0".
|
||||||
|
#
|
||||||
|
# If your system does not support this feature, you will
|
||||||
|
# get an error if you try to use it.
|
||||||
|
#
|
||||||
|
# interface = eth0
|
||||||
|
}
|
||||||
|
|
||||||
|
# If you have switches that are allowed to send VMPS, but NOT
|
||||||
|
# RADIUS packets, then list them here as "client" sections.
|
||||||
|
#
|
||||||
|
# Note that for compatibility with RADIUS, you still have to
|
||||||
|
# list a "secret" for each client, though that secret will not
|
||||||
|
# be used for anything.
|
||||||
|
|
||||||
|
|
||||||
|
# And the REAL contents. This section is just like the
|
||||||
|
# "post-auth" section of radiusd.conf. In fact, it calls the
|
||||||
|
# "post-auth" component of the modules that are listed here.
|
||||||
|
# But it's called "vmps" to highlight that it's for VMPS.
|
||||||
|
#
|
||||||
|
vmps {
|
||||||
|
#
|
||||||
|
# Some requests may not have a MAC address. Try to
|
||||||
|
# create one using other attributes.
|
||||||
|
if (!VMPS-Mac) {
|
||||||
|
if (VMPS-Ethernet-Frame =~ /0x.{12}(..)(..)(..)(..)(..)(..).*/) {
|
||||||
|
update request {
|
||||||
|
VMPS-Mac = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
update request {
|
||||||
|
VMPS-Mac = "%{VMPS-Cookie}"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Do a simple mapping of MAC to VLAN.
|
||||||
|
#
|
||||||
|
# See radiusd.conf for the definition of the "mac2vlan"
|
||||||
|
# module.
|
||||||
|
#
|
||||||
|
#mac2vlan
|
||||||
|
|
||||||
|
# required VMPS reply attributes
|
||||||
|
update reply {
|
||||||
|
VMPS-Packet-Type = VMPS-Join-Response
|
||||||
|
VMPS-Cookie = "%{VMPS-Mac}"
|
||||||
|
|
||||||
|
VMPS-VLAN-Name = "please_use_real_vlan_here"
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you have VLAN's in a database, you can select
|
||||||
|
# the VLAN name based on the MAC address.
|
||||||
|
#
|
||||||
|
#VMPS-VLAN-Name = "%{sql:select ... where mac='%{VMPS-Mac}'}"
|
||||||
|
}
|
||||||
|
|
||||||
|
# correct reply packet type for reconfirmation requests
|
||||||
|
#
|
||||||
|
if (VMPS-Packet-Type == VMPS-Reconfirm-Request){
|
||||||
|
update reply {
|
||||||
|
VMPS-Packet-Type := VMPS-Reconfirm-Response
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Proxying of VMPS requests is NOT supported.
|
||||||
|
}
|
|
@ -0,0 +1,115 @@
|
||||||
|
# -*- text -*-
|
||||||
|
##
|
||||||
|
## sql.conf -- SQL modules
|
||||||
|
##
|
||||||
|
## $Id: 6f346ec9f1d12190f132da20537f99607df71760 $
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# Configuration for the SQL module
|
||||||
|
#
|
||||||
|
# The database schemas and queries are located in subdirectories:
|
||||||
|
#
|
||||||
|
# sql/DB/schema.sql Schema
|
||||||
|
# sql/DB/dialup.conf Basic dialup (including policy) queries
|
||||||
|
# sql/DB/counter.conf counter
|
||||||
|
# sql/DB/ippool.conf IP Pools in SQL
|
||||||
|
# sql/DB/ippool.sql schema for IP pools.
|
||||||
|
#
|
||||||
|
# Where "DB" is mysql, mssql, oracle, or postgresql.
|
||||||
|
#
|
||||||
|
|
||||||
|
sql {
|
||||||
|
#
|
||||||
|
# Set the database to one of:
|
||||||
|
#
|
||||||
|
# mysql, mssql, oracle, postgresql
|
||||||
|
#
|
||||||
|
database = "mysql"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Which FreeRADIUS driver to use.
|
||||||
|
#
|
||||||
|
driver = "rlm_sql_${database}"
|
||||||
|
|
||||||
|
# Connection info:
|
||||||
|
server = "localhost"
|
||||||
|
#port = 3306
|
||||||
|
login = "radius"
|
||||||
|
password = "radpass"
|
||||||
|
|
||||||
|
# Database table configuration for everything except Oracle
|
||||||
|
radius_db = "radius"
|
||||||
|
# If you are using Oracle then use this instead
|
||||||
|
# radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))"
|
||||||
|
|
||||||
|
# If you want both stop and start records logged to the
|
||||||
|
# same SQL table, leave this as is. If you want them in
|
||||||
|
# different tables, put the start table in acct_table1
|
||||||
|
# and stop table in acct_table2
|
||||||
|
acct_table1 = "radacct"
|
||||||
|
acct_table2 = "radacct"
|
||||||
|
|
||||||
|
# Allow for storing data after authentication
|
||||||
|
postauth_table = "radpostauth"
|
||||||
|
|
||||||
|
authcheck_table = "radcheck"
|
||||||
|
authreply_table = "radreply"
|
||||||
|
|
||||||
|
groupcheck_table = "radgroupcheck"
|
||||||
|
groupreply_table = "radgroupreply"
|
||||||
|
|
||||||
|
# Table to keep group info
|
||||||
|
usergroup_table = "radusergroup"
|
||||||
|
|
||||||
|
# If set to 'yes' (default) we read the group tables
|
||||||
|
# If set to 'no' the user MUST have Fall-Through = Yes in the radreply table
|
||||||
|
# read_groups = yes
|
||||||
|
|
||||||
|
# Remove stale session if checkrad does not see a double login
|
||||||
|
deletestalesessions = yes
|
||||||
|
|
||||||
|
# Print all SQL statements when in debug mode (-x)
|
||||||
|
sqltrace = no
|
||||||
|
sqltracefile = ${logdir}/sqltrace.sql
|
||||||
|
|
||||||
|
# number of sql connections to make to server
|
||||||
|
#
|
||||||
|
# Setting this to LESS than the number of threads means
|
||||||
|
# that some threads may starve, and you will see errors
|
||||||
|
# like "No connections available and at max connection limit"
|
||||||
|
#
|
||||||
|
# Setting this to MORE than the number of threads means
|
||||||
|
# that there are more connections than necessary.
|
||||||
|
#
|
||||||
|
num_sql_socks = ${thread[pool].max_servers}
|
||||||
|
|
||||||
|
# number of seconds to dely retrying on a failed database
|
||||||
|
# connection (per_socket)
|
||||||
|
connect_failure_retry_delay = 60
|
||||||
|
|
||||||
|
# lifetime of an SQL socket. If you are having network issues
|
||||||
|
# such as TCP sessions expiring, you may need to set the socket
|
||||||
|
# lifetime. If set to non-zero, any open connections will be
|
||||||
|
# closed "lifetime" seconds after they were first opened.
|
||||||
|
lifetime = 0
|
||||||
|
|
||||||
|
# Maximum number of queries used by an SQL socket. If you are
|
||||||
|
# having issues with SQL sockets lasting "too long", you can
|
||||||
|
# limit the number of queries performed over one socket. After
|
||||||
|
# "max_qeuries", the socket will be closed. Use 0 for "no limit".
|
||||||
|
max_queries = 0
|
||||||
|
|
||||||
|
# Set to 'yes' to read radius clients from the database ('nas' table)
|
||||||
|
# Clients will ONLY be read on server startup. For performance
|
||||||
|
# and security reasons, finding clients via SQL queries CANNOT
|
||||||
|
# be done "live" while the server is running.
|
||||||
|
#
|
||||||
|
#readclients = yes
|
||||||
|
|
||||||
|
# Table to keep radius client info
|
||||||
|
nas_table = "nas"
|
||||||
|
|
||||||
|
# Read driver-specific configuration
|
||||||
|
$INCLUDE sql/${database}/dialup.conf
|
||||||
|
}
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue