initial commit of file from CVS for e-smith-radiusd on Wed 12 Jul 09:08:31 BST 2023
Brian Read
10 months ago
parent
0680d12b90
commit
bc28d49d0d
@ -0,0 +1,4 @@
|
||||
*.rpm
|
||||
*.log
|
||||
*spec-20*
|
||||
*.tar.xz
|
||||
@ -0,0 +1,21 @@
|
||||
# Makefile for source rpm: e-smith-radiusd
|
||||
# $Id: Makefile,v 1.1 2016/02/05 21:34:34 stephdl Exp $
|
||||
NAME := e-smith-radiusd
|
||||
SPECFILE = $(firstword $(wildcard *.spec))
|
||||
|
||||
define find-makefile-common
|
||||
for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
|
||||
endef
|
||||
|
||||
MAKEFILE_COMMON := $(shell $(find-makefile-common))
|
||||
|
||||
ifeq ($(MAKEFILE_COMMON),)
|
||||
# attept a checkout
|
||||
define checkout-makefile-common
|
||||
test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
|
||||
endef
|
||||
|
||||
MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
|
||||
endif
|
||||
|
||||
include $(MAKEFILE_COMMON)
|
||||
@ -1,3 +1,17 @@
|
||||
# e-smith-radiusd
|
||||
# <img src="https://www.koozali.org/images/koozali/Logo/Png/Koozali_logo_2016.png" width="25%" vertical="auto" style="vertical-align:bottom"> e-smith-radiusd
|
||||
|
||||
SMEServer Koozali developed git repo for e-smith-radiusd smeserver
|
||||
SMEServer Koozali developed git repo for e-smith-radiusd smeserver
|
||||
|
||||
## Wiki
|
||||
<br />https://wiki.koozali.org/
|
||||
|
||||
## Bugzilla
|
||||
Show list of outstanding bugs: [here](https://bugs.koozali.org/buglist.cgi?component=e-smith-radiusd&product=SME%20Server%2010.X&query_format=advanced&limit=0&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=CONFIRMED)
|
||||
|
||||
## Description
|
||||
|
||||
<br />*This description has been generated by an LLM AI system and cannot be relied on to be fully correct.*
|
||||
*Once it has been checked, then this comment will be deleted*
|
||||
<br />
|
||||
|
||||
e-smith-radiusd is a versatile open source software that can be used to set up and manage remote access to networks. It is a RADIUS server that supports user authentication, authorization, and accounting for a variety of network protocols. It is an ideal choice for organizations looking to set up and manage their own network infrastructure. It is easy to set up and configure and provides secure, reliable, and scalable network access for users. It also supports a wide variety of authentication methods, including PAP, CHAP, MS-CHAP, and EAP, allowing for a highly customizable user experience. e-smith-radiusd is a reliable and powerful solution for organizations looking to scale their network access needs.
|
||||
|
||||
@ -0,0 +1 @@
|
||||
sme10
|
||||
@ -0,0 +1,96 @@
|
||||
#!/usr/bin/perl -w
|
||||
|
||||
use esmith::Build::CreateLinks qw(:all);
|
||||
|
||||
#--------------------------------------------------
|
||||
# general radiusd configuration
|
||||
#--------------------------------------------------
|
||||
foreach (qw(raddb/radiusd.conf raddb/mods-config/files/authorize))
|
||||
{
|
||||
templates2events("/etc/$_", qw(
|
||||
bootstrap-console-save
|
||||
console-save
|
||||
password-modify
|
||||
remoteaccess-update
|
||||
user-create
|
||||
user-delete
|
||||
user-lock
|
||||
user-modify
|
||||
user-modify-admin
|
||||
e-smith-radiusd-update
|
||||
));
|
||||
}
|
||||
templates2events("/etc/raddb/radiusd.conf", "bootstrap-ldap-save");
|
||||
templates2events("/etc/radiusclient-ng/radiusclient.conf", "bootstrap-console-save");
|
||||
|
||||
templates2events("/etc/raddb/radiusd.conf", "e-smith-radiusd-update");
|
||||
templates2events("/etc/radiusclient-ng/radiusclient.conf", "e-smith-radiusd-update");
|
||||
|
||||
foreach (qw(
|
||||
raddb/clients.conf
|
||||
raddb/mods-available/eap
|
||||
raddb/mods-available/ldap
|
||||
raddb/mods-available/smbpasswd
|
||||
raddb/sites-available/default
|
||||
raddb/sites-available/inner-tunnel
|
||||
raddb/proxy.conf
|
||||
radiusclient-ng/servers
|
||||
raddb/mods-config/files/authorize))
|
||||
{
|
||||
templates2events("/etc/$_", qw(
|
||||
bootstrap-console-save
|
||||
console-save
|
||||
domain-modify
|
||||
remoteaccess-update
|
||||
ldap-update
|
||||
e-smith-radiusd-update
|
||||
));
|
||||
}
|
||||
|
||||
foreach (qw(
|
||||
radiusclient-ng/dictionary
|
||||
radiusclient-ng/dictionary.microsoft))
|
||||
{
|
||||
templates2events("/usr/share/$_", qw(
|
||||
bootstrap-console-save
|
||||
console-save
|
||||
domain-modify
|
||||
remoteaccess-update
|
||||
ldap-update
|
||||
e-smith-radiusd-update
|
||||
));
|
||||
}
|
||||
|
||||
foreach $event ( qw(
|
||||
console-save
|
||||
domain-modify
|
||||
ldap-update
|
||||
password-modify
|
||||
remoteaccess-update
|
||||
user-create
|
||||
user-delete
|
||||
user-lock
|
||||
user-modify
|
||||
user-modify-admin
|
||||
|
||||
) )
|
||||
{
|
||||
safe_symlink("sigterm", "root/etc/e-smith/events/$event/services2adjust/radiusd");
|
||||
}
|
||||
|
||||
$event="e-smith-radiusd-update";
|
||||
safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/radiusd");
|
||||
safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/rsyslog");
|
||||
templates2events("/etc/rsyslog.conf",$event);
|
||||
# systemd-specific action mandatory for this package-update event
|
||||
event_link("systemd-reload", $event, "89");
|
||||
event_link("systemd-default", $event, "88");
|
||||
|
||||
templates2events("/etc/raddb/certs/radiusd.pem", qw( bootstrap-console-save ssl-update e-smith-radiusd-update) );
|
||||
safe_symlink("restart", "root/etc/e-smith/events/ssl-update/services2adjust/radiusd");
|
||||
|
||||
# activate modules
|
||||
#safe_symlink("../mods-available/realm", "root/etc/raddb/mods-enabled/realm");
|
||||
safe_symlink("../mods-available/ldap", "root/etc/raddb/mods-enabled/ldap");
|
||||
safe_symlink("../mods-available/smbpasswd", "root/etc/raddb/mods-enabled/smbpasswd");
|
||||
|
||||
@ -0,0 +1,267 @@
|
||||
# $Id: e-smith-radiusd.spec,v 1.26 2022/04/17 18:27:00 jpp Exp $
|
||||
|
||||
Summary: e-smith server and gateway - configure PPTP inbound VPN
|
||||
%define name e-smith-radiusd
|
||||
Name: %{name}
|
||||
%define version 2.6.0
|
||||
%define release 24
|
||||
Version: %{version}
|
||||
Release: %{release}%{?dist}
|
||||
License: GPL
|
||||
Group: Networking/Daemons
|
||||
Source: %{name}-%{version}.tar.xz
|
||||
|
||||
BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
|
||||
Requires: e-smith-base >= 4.13.16-27
|
||||
Requires: e-smith-lib >= 1.15.1-16
|
||||
Requires: freeradius >= 2.1.12
|
||||
Requires: freeradius-ldap >= 2.1.12
|
||||
Requires: radiusclient-ng >= 0.5.6
|
||||
Obsoletes: radiusclient <= 0.3.2
|
||||
BuildRequires: e-smith-devtools >= 1.13.1-03
|
||||
BuildArchitectures: noarch
|
||||
%define stunnelid 451
|
||||
|
||||
%description
|
||||
e-smith server and gateway - configure radius server
|
||||
|
||||
%changelog
|
||||
* Wed Jul 12 2023 cvs2git.sh aka Brian Read <brianr@koozali.org> 2.6.0-24.sme
|
||||
- Roll up patches and move to git repo [SME: 12338]
|
||||
|
||||
* Wed Jul 12 2023 BogusDateBot
|
||||
- Eliminated rpmbuild "bogus date" warnings due to inconsistent weekday,
|
||||
by assuming the date is correct and changing the weekday.
|
||||
Tue Oct 27 2010 --> Tue Oct 26 2010 or Wed Oct 27 2010 or Tue Nov 02 2010 or ....
|
||||
|
||||
* Sun Apr 17 2022 Jean-Philippe Pialasse <tests@pialasse.com> 2.6.0-23.sme
|
||||
- redirect daemon log to its own file [SME: 11947]
|
||||
|
||||
* Thu Feb 17 2022 Jean-Philippe Pialasse <tests@pialasse.com> 2.6.0-22.sme
|
||||
- workaround upstream missing definition of /var/run/radiusd/tmp [SME: 11859]
|
||||
|
||||
* Thu Nov 18 2021 Terry Fage <tfage@yahoo.com.au> 2.6.0-21.sme
|
||||
- fix startup informational message Duplicate Auth-Type 'REJECT' [SME: 11736]
|
||||
- patch was blank, populate and apply [SME: 11736]
|
||||
|
||||
* Mon Nov 15 2021 John H. Bennett III <bennettj@johnbennettservices.com> 2.6.0-20.sme
|
||||
- fix startup informational message Duplicate Auth-Type 'REJECT' [SME: 11736]
|
||||
|
||||
* Mon Nov 08 2021 John H. Bennett III <bennettj@johnbennettservices.com> 2.6.0-19.sme
|
||||
- add db property PAP-auth [SME: 11735]
|
||||
|
||||
* Sat Nov 06 2021 John H. Bennett III <bennettj@johnbennettservices.com> 2.6.0-18.sme
|
||||
- add/fix PAP-auth patch [SME: 11735]
|
||||
|
||||
* Thu Nov 04 2021 John H. Bennett III <bennettj@johnbennettservices.com> 2.6.0-17.sme
|
||||
- fix WAP-auth patch [SME: 11718]
|
||||
- fix LDAP-auth patch [SME: 11719]
|
||||
|
||||
* Mon Aug 23 2021 Jean-Philippe Pialasse <tests@pialasse.com> 2.6.0-16.sme
|
||||
- fix ssl template metadata patch [SME: 11680]
|
||||
|
||||
* Wed Jun 02 2021 Jean-Philippe Pialasse <tests@pialasse.com> 2.6.0-15.sme
|
||||
- remove services2adjust in bootstrap-console-save event, this put systemd in a loop [SME: 11602]
|
||||
|
||||
* Mon May 31 2021 Jean-Philippe Pialasse <tests@pialasse.com> 2.6.0-14.sme
|
||||
- ssl pem using template in place of copy [SME: 11602]
|
||||
|
||||
* Sun Jan 03 2021 Jean-Philipe Pialasse <tests@pialasse.com> 2.6.0-13.sme
|
||||
- radiusd needs ldap started before [SME: 11302]
|
||||
|
||||
* Sat Jan 02 2021 Jean-Philipe Pialasse <tests@pialasse.com> 2.6.0-12.sme
|
||||
- add Restart=always [SME: 11113]
|
||||
change group of pem file to radiusd
|
||||
|
||||
* Tue Dec 08 2020 Jean-Philipe Pialasse <tests@pialasse.com> 2.6.0-11.sme
|
||||
- create -update event [SME: 11155]
|
||||
- move radiusd to systemd {SME: 11113]
|
||||
remove noise from spec file
|
||||
|
||||
* Thu Dec 19 2019 Jean-Philipe Pialasse <tests@pialasse.com> 2.6.0-9.sme
|
||||
- fix server restartting with virtual_server error [SME: 10853]
|
||||
|
||||
* Tue Apr 12 2016 Jean-Philipe Pialasse <tests@pialasse.com> 2.6.0-8.sme
|
||||
- escaped {} characters in ldap template [SME: 9434]
|
||||
|
||||
* Sun Apr 10 2016 Jean-Philipe Pialasse <tests@pialasse.com> 2.6.0-7.sme
|
||||
- fix typo [SME: 9434]
|
||||
|
||||
* Wed Apr 06 2016 Jean-Philipe Pialasse <tests@pialasse.com> 2.6.0-6.sme
|
||||
- more adjustements regarding [SME: 9434]
|
||||
- e-smith-radiusd-2.6.0-freeradius3bis.patch
|
||||
- e-smith-radiusd-2.6.0-freeradius3ter.patch
|
||||
|
||||
* Fri Apr 01 2016 Jean-Philipe Pialasse <tests@pialasse.com> 2.6.0-3.sme
|
||||
- fix directorie rpm ownership [SME: 9425]
|
||||
|
||||
* Fri Apr 01 2016 Jean-Philipe Pialasse <tests@pialasse.com> 2.6.0-2.sme
|
||||
- updated syntax and conf files for freeradius3 server [SME: 9409]
|
||||
|
||||
* Fri Feb 05 2016 stephane de Labrusse <stephdl@de-labrusse.fr> 2.6.0-1.sme
|
||||
- Initial release to sme10
|
||||
|
||||
* Sat Jun 8 2013 Daniel Berteaud <daniel@firewall-services.com> 2.4.0-10.sme
|
||||
- the config file is radiusclient.conf, not radiusclient-ng.conf [SME: 7546]
|
||||
|
||||
* Thu Jun 6 2013 Daniel Berteaud <daniel@firewall-services.com> 2.4.0-9.sme
|
||||
- Add templates for radiusclient-ng.conf file to remove binaddr
|
||||
directive [SME: 7546]
|
||||
|
||||
* Sun Apr 14 2013 Charlie Brady <charlie_brady@mitel.com> 2.4.0-8.sme
|
||||
- Add directive to options.pptpd so that radius plugin can find the
|
||||
radiusclient configuration file. [SME: 7546]
|
||||
|
||||
* Sat Apr 13 2013 Charlie Brady <charlie_brady@mitel.com> 2.4.0-7.sme
|
||||
- Fix permissions of /etc/radiusclient-ng/servers. [SME: 7548]
|
||||
|
||||
* Mon Mar 11 2013 Shad L. Lords <slords@mail.com> 2.4.0-6.sme
|
||||
- Obsolete el5 version of radiusclient [SME: 7273]
|
||||
|
||||
* Thu Feb 21 2013 Daniel Berteaud <daniel@firewall-services.com> 2.4.0-5.sme
|
||||
- Use the new listen directive instead of bind_address which is deprecated [SME: 7377]
|
||||
|
||||
* Mon Feb 18 2013 Daniel Berteaud <daniel@firewall-services.com> 2.4.0-4.sme
|
||||
- Send log to stdout [SME: 7251]
|
||||
|
||||
* Thu Feb 14 2013 Shad L. Lords <slords@mail.com> 2.4.0-3.sme
|
||||
- Add requires for freeradius-ldap module [SME: 7252]
|
||||
|
||||
* Thu Feb 14 2013 Shad L. Lords <slords@mail.com> 2.4.0-2.sme
|
||||
- Update radiusclient to radiusclient-ng
|
||||
|
||||
* Wed Feb 13 2013 Shad L. Lords <slords@mail.com> 2.4.0-1.sme
|
||||
- Roll new stream for sme9
|
||||
|
||||
* Mon Nov 1 2010 Shad L. Lords <slords@mail.com> 2.2.0-4.sme
|
||||
- Auth against ldap if it is master [SME: 6323]
|
||||
|
||||
* Wed Oct 27 2010 Shad L. Lords <slords@mail.com> 2.2.0-3.sme
|
||||
Tue Oct 27 2010 --> Tue Oct 26 2010 or Wed Oct 27 2010 or Tue Nov 02 2010 or ....
|
||||
- Add ldap as an auth type to radius [SME: 6313]
|
||||
|
||||
* Tue Jun 2 2009 Shad L. Lords <slords@mail.com> 2.2.0-2.sme
|
||||
- Fix owner/perms for radius files [SME: 5317]
|
||||
|
||||
* Tue Oct 7 2008 Shad L. Lords <slords@mail.com> 2.2.0-1.sme
|
||||
- Roll new stream to separate sme7/sme8 trees [SME: 4633]
|
||||
|
||||
* Wed Aug 20 2008 Jonathan Martens <smeserver-contribs@snetram.nl> 1.0.0-18
|
||||
- Allow for multiple auth modules in radiusd.conf [SME: 4166]
|
||||
|
||||
* Sat Aug 09 2008 Gavin Weight <gweight@gmail.com> 1.0.0-17
|
||||
- Remove the Requires kernel =>2.4 line. [SME: 4483]
|
||||
|
||||
* Fri May 18 2007 Federico Simoncelli <federico.simoncelli@gmail.com> 1.0.0-16
|
||||
- Added support for fixed ip addresses in the pptp vpn [SME: 1230]
|
||||
|
||||
* Sun Apr 29 2007 Shad L. Lords <slords@mail.com>
|
||||
- Clean up spec so package can be built by koji/plague
|
||||
|
||||
* Fri Apr 06 2007 Shad L. Lords <slords@mail.com> 1.0.0-14
|
||||
- Fix perms on servers file [SME: 2720]
|
||||
|
||||
* Fri Apr 06 2007 Shad L. Lords <slords@mail.com> 1.0.0-14
|
||||
- Fix perms on client.conf file [SME: 2708]
|
||||
|
||||
* Wed Mar 07 2007 Shad L. Lords <slords@mail.com> 1.0.0-13
|
||||
- Break up auth template to allow customization [SME: 2565]
|
||||
|
||||
* Thu Dec 07 2006 Shad L. Lords <slords@mail.com>
|
||||
- Update to new release naming. No functional changes.
|
||||
- Make Packager generic
|
||||
|
||||
* Wed Nov 30 2005 Gordon Rowell <gordonr@gormand.com.au> 1.0.0-12
|
||||
- Bump release number only
|
||||
|
||||
* Tue Sep 27 2005 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.0.0-11]
|
||||
- Fix run script so that output actually goes to the logger. [SF: 1280982]
|
||||
|
||||
* Mon Sep 26 2005 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.0.0-10]
|
||||
- Make sure that the log/run script is executable, and that
|
||||
the log directory exists. [SF: 1280982]
|
||||
- Make sure that stunnel user exists, by making sure that
|
||||
%pre script works :-) (%stunnelid was not defined).
|
||||
|
||||
* Mon Sep 26 2005 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [1.0.0-9]
|
||||
- Add a log/run script [SF: 1280982]
|
||||
|
||||
* Fri Sep 2 2005 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.0.0-8]
|
||||
- Make sure that stunnel user exists, by %pre script.
|
||||
|
||||
* Mon Jul 18 2005 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.0.0-7]
|
||||
- [More updates from Shad.]
|
||||
- Add accounting into radiusd
|
||||
- Let radius do its own normal logging
|
||||
|
||||
* Tue Jul 12 2005 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.0.0-6]
|
||||
- Expand /etc/raddb/users in user-lock [SF: 1225995]
|
||||
- Expand sigterm in password-modify, ldap-update [SF: 1225995]
|
||||
|
||||
* Fri Jun 24 2005 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.0.0-5]
|
||||
- Expand /etc/raddb/users in password-modify event [SF: 1215401]
|
||||
|
||||
* Fri Jun 24 2005 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.0.0-4]
|
||||
- Add missing patch to allow local hosts to be radius clients. [SF: 1215401]
|
||||
|
||||
* Thu Jun 16 2005 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.0.0-3]
|
||||
- Use e-smith-services startup symlink for radiusd, so that 'status'
|
||||
property is honoured. [SF: 1215401]
|
||||
|
||||
* Tue Jun 14 2005 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.0.0-2]
|
||||
- Patches from Shad to automate radiusd startup, and to allow local hosts to
|
||||
be radius clients. [SF: 1215401]
|
||||
|
||||
* Mon Jun 13 2005 Shad L. Lords <slords@mail.com>
|
||||
- [1.0.0-1]
|
||||
- initial
|
||||
|
||||
%prep
|
||||
%setup
|
||||
rm -rf root/service root/var/service root/var/log/radiusd
|
||||
mkdir -p root/var/log/stunnel/ssl
|
||||
|
||||
%build
|
||||
perl createlinks
|
||||
|
||||
%install
|
||||
rm -rf $RPM_BUILD_ROOT
|
||||
(cd root ; find . -depth -print | cpio -dump $RPM_BUILD_ROOT)
|
||||
rm -f %{name}-%{version}-%{release}-filelist
|
||||
/sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
|
||||
--file /sbin/e-smith/systemd/radiusd-configure 'attr(0554,root,root)' \
|
||||
--file /sbin/e-smith/systemd/radiusd-certificate 'attr(0554,root,root)' \
|
||||
--dir /var/service/radiusd 'attr(01755,root,root)' \
|
||||
--dir /var/log/stunnel 'attr(0755,stunnel,stunnel)' \
|
||||
--dir /var/log/stunnel/ssl 'attr(0755,stunnel,stunnel)' \
|
||||
|sed -e '/%dir %attr(0755,root,root) \/etc\/raddb/d' \
|
||||
|sed -e '/%dir %attr(0755,root,root) \/etc\/raddb\/mods-enabled/d' \
|
||||
> %{name}-%{version}-%{release}-filelist
|
||||
echo "%doc COPYING" >> %{name}-%{version}-%{release}-filelist
|
||||
|
||||
%pre
|
||||
/sbin/e-smith/create-system-user stunnel %{stunnelid} \
|
||||
'chrooted stunnel user user' /var/log/stunnel/ssl /bin/false
|
||||
if [ $1 -gt 1 ] ; then
|
||||
if [ -e /var/service/radiusd/run ] ; then
|
||||
/usr/bin/sv d radiusd
|
||||
/usr/bin/sv d radiusd/log
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
%clean
|
||||
rm -rf $RPM_BUILD_ROOT
|
||||
|
||||
%files -f %{name}-%{version}-%{release}-filelist
|
||||
%defattr(-,root,root)
|
||||
@ -0,0 +1 @@
|
||||
enabled
|
||||
@ -0,0 +1 @@
|
||||
service
|
||||
@ -0,0 +1,4 @@
|
||||
TEMPLATE_PATH="/home/e-smith/ssl.pem"
|
||||
OUTPUT_FILENAME="/etc/raddb/certs/radiusd.pem"
|
||||
GID="radiusd"
|
||||
PERMS=0640
|
||||
@ -0,0 +1,3 @@
|
||||
PERMS=0640
|
||||
UID="root"
|
||||
GID="radiusd"
|
||||
@ -0,0 +1,3 @@
|
||||
PERMS=0640
|
||||
UID="root"
|
||||
GID="radiusd"
|
||||
@ -0,0 +1,3 @@
|
||||
PERMS=0640
|
||||
UID="root"
|
||||
GID="radiusd"
|
||||
@ -0,0 +1,3 @@
|
||||
PERMS=0640
|
||||
UID="root"
|
||||
GID="radiusd"
|
||||
@ -0,0 +1,3 @@
|
||||
PERMS=0640
|
||||
UID="root"
|
||||
GID="radiusd"
|
||||
@ -0,0 +1,3 @@
|
||||
PERMS=0640
|
||||
UID="root"
|
||||
GID="radiusd"
|
||||
@ -0,0 +1,3 @@
|
||||
PERMS=0640
|
||||
UID="root"
|
||||
GID="radiusd"
|
||||
@ -0,0 +1,3 @@
|
||||
PERMS=0640
|
||||
UID="root"
|
||||
GID="radiusd"
|
||||
@ -0,0 +1,3 @@
|
||||
PERMS=0640
|
||||
UID="root"
|
||||
GID="radiusd"
|
||||
@ -0,0 +1 @@
|
||||
PERMS=0600
|
||||
@ -0,0 +1 @@
|
||||
radius-config-file /etc/radiusclient-ng/radiusclient.conf
|
||||
@ -0,0 +1,60 @@
|
||||
{
|
||||
use esmith::util;
|
||||
$pw = esmith::util::LdapPassword;
|
||||
$pw =~ s/^(.{31}).*$/$1/;
|
||||
"";
|
||||
}
|
||||
client localhost \{
|
||||
ipaddr = 127.0.0.1
|
||||
{ #
|
||||
# The shared secret use to "encrypt" and "sign" packets between
|
||||
# the NAS and FreeRADIUS. You MUST change this secret from the
|
||||
# default, otherwise it's not a secret any more!
|
||||
#
|
||||
# The secret can be any string, up to 32 characters in length.
|
||||
#
|
||||
|
||||
} secret = { $pw }
|
||||
{
|
||||
#
|
||||
# The short name is used as an alias for the fully qualified
|
||||
# domain name, or the IP address.
|
||||
#
|
||||
} shortname = localhost
|
||||
{
|
||||
#
|
||||
# the following three fields are optional, but may be used by
|
||||
# checkrad.pl for simultaneous use checks
|
||||
#
|
||||
|
||||
#
|
||||
# The nastype tells 'checkrad.pl' which NAS-specific method to
|
||||
# use to query the NAS for simultaneous use.
|
||||
#
|
||||
# Permitted NAS types are:
|
||||
#
|
||||
# cisco
|
||||
# computone
|
||||
# livingston
|
||||
# max40xx
|
||||
# multitech
|
||||
# netserver
|
||||
# pathras
|
||||
# patton
|
||||
# portslave
|
||||
# tc
|
||||
# usrhiper
|
||||
# other # for all other types
|
||||
|
||||
#
|
||||
} nas_type = other
|
||||
{
|
||||
#
|
||||
# The following two configurations are for future use.
|
||||
# The 'naspasswd' file is currently used to store the NAS
|
||||
# login name and password, which is used by checkrad.pl
|
||||
# when querying the NAS for simultaneous use.
|
||||
#
|
||||
# login = !root
|
||||
# password = someadminpas
|
||||
}\}
|
||||
@ -0,0 +1,25 @@
|
||||
{
|
||||
use esmith::HostsDB;
|
||||
my $hostsdb = esmith::HostsDB->open;
|
||||
|
||||
# Handle each defined virtual domain
|
||||
foreach my $host ($hostsdb->get_all_by_prop(HostType => "Local"))
|
||||
{
|
||||
$radiuskey = $host->prop('RadiusKey') || undef;
|
||||
next unless defined $radiuskey;
|
||||
|
||||
$hostname = $host->key;
|
||||
$hostname =~ s/\..*//;
|
||||
$hostip = $host->prop('InternalIP') || '127.0.0.1';
|
||||
$nastype = $host->prop('NASType') || 'other';
|
||||
|
||||
$OUT .= <<EOF;
|
||||
client $hostname \{
|
||||
ipaddr = $hostip
|
||||
secret = $radiuskey
|
||||
shortname = $hostname
|
||||
nas_type = $nastype
|
||||
\}
|
||||
EOF
|
||||
}
|
||||
}
|
||||
@ -0,0 +1 @@
|
||||
eap \{
|
||||
@ -0,0 +1,14 @@
|
||||
{
|
||||
# Invoke the default supported EAP type when
|
||||
# EAP-Identity response is received.
|
||||
#
|
||||
# The incoming EAP messages DO NOT specify which EAP
|
||||
# type they will be using, so it MUST be set here.
|
||||
#
|
||||
# For now, only one default EAP type may be used at a time.
|
||||
#
|
||||
# If the EAP-Type attribute is set by another module,
|
||||
# then that EAP type takes precedence over the
|
||||
# default type configured here.
|
||||
#
|
||||
} default_eap_type = peap
|
||||
@ -0,0 +1,7 @@
|
||||
{
|
||||
# A list is maintained to correlate EAP-Response
|
||||
# packets with EAP-Request packets. After a
|
||||
# configurable length of time, entries in the list
|
||||
# expire, and are deleted.
|
||||
#
|
||||
} timer_expire = 60
|
||||
@ -0,0 +1,14 @@
|
||||
{
|
||||
# There are many EAP types, but the server has support
|
||||
# for only a limited subset. If the server receives
|
||||
# a request for an EAP type it does not support, then
|
||||
# it normally rejects the request. By setting this
|
||||
# configuration to "yes", you can tell the server to
|
||||
# instead keep processing the request. Another module
|
||||
# MUST then be configured to proxy the request to
|
||||
# another RADIUS server which supports that EAP type.
|
||||
#
|
||||
# If another module is NOT configured to handle the
|
||||
# request, then the request will still end up being
|
||||
# rejected.
|
||||
} ignore_unknown_eap_types = no
|
||||
@ -0,0 +1,8 @@
|
||||
{
|
||||
# Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
|
||||
# a User-Name attribute in an Access-Accept, it copies one
|
||||
# more byte than it should.
|
||||
#
|
||||
# We can work around it by configurably adding an extra
|
||||
# zero byte.
|
||||
} cisco_accounting_username_bug = no
|
||||
@ -0,0 +1,130 @@
|
||||
{
|
||||
## EAP-TLS
|
||||
#
|
||||
# To generate ctest certificates, run the script
|
||||
#
|
||||
# ../scripts/certs.sh
|
||||
#
|
||||
# The documents on http://www.freeradius.org/doc
|
||||
# are old, but may be helpful.
|
||||
#
|
||||
# See also:
|
||||
#
|
||||
# http://www.dslreports.com/forum/remark,9286052~mode=flat
|
||||
#
|
||||
# Note that you should NOT use a globally known CA here!
|
||||
# e.g. using a Verisign cert as a "known CA" means that
|
||||
# ANYONE who has a certificate signed by them can
|
||||
# authenticate via EAP-TLS! This is likely not what you want.
|
||||
}
|
||||
tls-config tls-common \{
|
||||
private_key_password = whatever
|
||||
private_key_file = $\{raddbdir\}/certs/radiusd.pem
|
||||
certificate_file = $\{raddbdir\}/certs/radiusd.pem
|
||||
ca_file = $\{raddbdir\}/certs/radiusd.pem
|
||||
dh_file = $\{raddbdir\}/certs/dh
|
||||
random_file = $\{raddbdir\}/certs/random
|
||||
{
|
||||
#
|
||||
# This can never exceed the size of a RADIUS
|
||||
# packet (4096 bytes), and is preferably half
|
||||
# that, to accomodate other attributes in
|
||||
# RADIUS packet. On most APs the MAX packet
|
||||
# length is configured between 1500 - 1600
|
||||
# In these cases, fragment size should be
|
||||
# 1024 or less.
|
||||
#
|
||||
} #fragment_size = 1024
|
||||
{
|
||||
# include_length is a flag which is
|
||||
# by default set to yes If set to
|
||||
# yes, Total Length of the message is
|
||||
# included in EVERY packet we send.
|
||||
# If set to no, Total Length of the
|
||||
# message is included ONLY in the
|
||||
# First packet of a fragment series.
|
||||
#
|
||||
} #include_length = yes
|
||||
{
|
||||
# Check the Certificate Revocation List
|
||||
#
|
||||
# 1) Copy CA certificates and CRLs to same directory.
|
||||
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
|
||||
# 'c_rehash' is OpenSSL's command.
|
||||
# 3) Add 'CA_path=<CA certs&CRLs directory>'
|
||||
# to radiusd.conf's tls section.
|
||||
# 4) uncomment the line below.
|
||||
# 5) Restart radiusd
|
||||
} #check_crl = yes
|
||||
{
|
||||
#
|
||||
# If check_cert_cn is set, the value will
|
||||
# be xlat'ed and checked against the CN
|
||||
# in the client certificate. If the values
|
||||
# do not match, the certificate verification
|
||||
# will fail rejecting the user.
|
||||
#
|
||||
} #check_cert_cn = %\{User-Name\}
|
||||
{
|
||||
#
|
||||
# Set this option to specify the allowed
|
||||
# TLS cipher suites. The format is listed
|
||||
# in "man 1 ciphers".
|
||||
} cipher_list = "DEFAULT"
|
||||
{
|
||||
#
|
||||
|
||||
#
|
||||
# Elliptical cryptography configuration
|
||||
#
|
||||
# Only for OpenSSL >= 0.9.8.f
|
||||
#
|
||||
} ecdh_curve = "prime256v1"
|
||||
|
||||
{
|
||||
#
|
||||
# Session resumption / fast reauthentication
|
||||
# cache.
|
||||
#
|
||||
# The cache contains the following information:
|
||||
#
|
||||
# session Id - unique identifier, managed by SSL
|
||||
# User-Name - from the Access-Accept
|
||||
# Stripped-User-Name - from the Access-Request
|
||||
# Cached-Session-Policy - from the Access-Accept
|
||||
#
|
||||
# The "Cached-Session-Policy" is the name of a
|
||||
# policy which should be applied to the cached
|
||||
# session. This policy can be used to assign
|
||||
# VLANs, IP addresses, etc. It serves as a useful
|
||||
# way to re-apply the policy from the original
|
||||
# Access-Accept to the subsequent Access-Accept
|
||||
# for the cached session.
|
||||
#
|
||||
# On session resumption, these attributes are
|
||||
# copied from the cache, and placed into the
|
||||
# reply list.
|
||||
#
|
||||
# You probably also want "use_tunneled_reply = yes"
|
||||
# when using fast session resumption.
|
||||
#
|
||||
} cache \{
|
||||
enable = yes
|
||||
lifetime = 24 # hours
|
||||
max_entries = 255
|
||||
\}
|
||||
{
|
||||
#
|
||||
# As of version 2.1.10, client certificates can be
|
||||
# validated via an external command. This allows
|
||||
# dynamic CRLs or OCSP to be used.
|
||||
#
|
||||
# This configuration is commented out in the
|
||||
# default configuration. Uncomment it, and configure
|
||||
# the correct paths below to enable it.
|
||||
#
|
||||
}
|
||||
|
||||
|
||||
|
||||
\}
|
||||
@ -0,0 +1,21 @@
|
||||
{
|
||||
## EAP-TLS
|
||||
#
|
||||
# As of Version 3.0, the TLS configuration for TLS-based
|
||||
# EAP types is above in the "tls-config" section.
|
||||
#
|
||||
}
|
||||
tls \{
|
||||
{
|
||||
# Point to the common TLS configuration
|
||||
} tls = tls-common
|
||||
{
|
||||
#
|
||||
# As part of checking a client certificate, the EAP-TLS
|
||||
# sets some attributes such as TLS-Client-Cert-CN. This
|
||||
# virtual server has access to these attributes, and can
|
||||
# be used to accept or reject the request.
|
||||
#
|
||||
} # virtual_server = check-eap-tls
|
||||
\}
|
||||
|
||||
@ -0,0 +1,90 @@
|
||||
{
|
||||
## EAP-TTLS
|
||||
#
|
||||
# The TTLS module implements the EAP-TTLS protocol,
|
||||
# which can be described as EAP inside of Diameter,
|
||||
# inside of TLS, inside of EAP, inside of RADIUS...
|
||||
#
|
||||
# Surprisingly, it works quite well.
|
||||
#
|
||||
} ttls \{
|
||||
{
|
||||
# Which tls-config section the TLS negotiation parameters
|
||||
# are in - see EAP-TLS above for an explanation.
|
||||
#
|
||||
# In the case that an old configuration from FreeRADIUS
|
||||
# v2.x is being used, all the options of the tls-config
|
||||
# section may also appear instead in the 'tls' section
|
||||
# above. If that is done, the tls= option here (and in
|
||||
# tls above) MUST be commented out.
|
||||
#
|
||||
} tls = tls-common
|
||||
{
|
||||
# The tunneled EAP session needs a default EAP type
|
||||
# which is separate from the one for the non-tunneled
|
||||
# EAP module. Inside of the TTLS tunnel, we recommend
|
||||
# using EAP-MD5. If the request does not contain an
|
||||
# EAP conversation, then this configuration entry is
|
||||
# ignored.
|
||||
#
|
||||
} default_eap_type = md5
|
||||
{
|
||||
# The tunneled authentication request does not usually
|
||||
# contain useful attributes like 'Calling-Station-Id',
|
||||
# etc. These attributes are outside of the tunnel,
|
||||
# and normally unavailable to the tunneled
|
||||
# authentication request.
|
||||
#
|
||||
# By setting this configuration entry to 'yes',
|
||||
# any attribute which is NOT in the tunneled
|
||||
# authentication request, but which IS available
|
||||
# outside of the tunnel, is copied to the tunneled
|
||||
# request.
|
||||
#
|
||||
# allowed values: {no, yes}
|
||||
#
|
||||
} copy_request_to_tunnel = no
|
||||
{
|
||||
# The reply attributes sent to the NAS are usually
|
||||
# based on the name of the user 'outside' of the
|
||||
# tunnel (usually 'anonymous'). If you want to send
|
||||
# the reply attributes based on the user name inside
|
||||
# of the tunnel, then set this configuration entry to
|
||||
# 'yes', and the reply to the NAS will be taken from
|
||||
# the reply to the tunneled request.
|
||||
#
|
||||
# allowed values: {no, yes}
|
||||
#
|
||||
} use_tunneled_reply = no
|
||||
{
|
||||
#
|
||||
# The inner tunneled request can be sent
|
||||
# through a virtual server constructed
|
||||
# specifically for this purpose.
|
||||
#
|
||||
# If this entry is commented out, the inner
|
||||
# tunneled request will be sent through
|
||||
# the virtual server that processed the
|
||||
# outer requests.
|
||||
#
|
||||
} virtual_server = "inner-tunnel"
|
||||
{
|
||||
# This has the same meaning, and overwrites, the
|
||||
# same field in the "tls" configuration, above.
|
||||
# The default value here is "yes".
|
||||
#
|
||||
} # include_length = yes
|
||||
{
|
||||
#
|
||||
# Unlike EAP-TLS, EAP-TTLS does not require a client
|
||||
# certificate. However, you can require one by setting the
|
||||
# following option. You can also override this option by
|
||||
# setting
|
||||
#
|
||||
# EAP-TLS-Require-Client-Cert = Yes
|
||||
#
|
||||
# in the control items for a request.
|
||||
#
|
||||
} # require_client_cert = yes
|
||||
\}
|
||||
|
||||
@ -0,0 +1,33 @@
|
||||
{
|
||||
#
|
||||
# The tunneled EAP session needs a default EAP type
|
||||
# which is separate from the one for the non-tunneled
|
||||
# EAP module. Inside of the TLS/PEAP tunnel, we
|
||||
# recommend using EAP-MS-CHAPv2.
|
||||
#
|
||||
# The PEAP module needs the TLS module to be installed
|
||||
# and configured, in order to use the TLS tunnel
|
||||
# inside of the EAP packet. You will still need to
|
||||
# configure the TLS module, even if you do not want
|
||||
# to deploy EAP-TLS in your network. Users will not
|
||||
# be able to request EAP-TLS, as it requires them to
|
||||
# have a client certificate. EAP-PEAP does not
|
||||
# require a client certificate.
|
||||
#
|
||||
}
|
||||
peap \{
|
||||
tls = tls-common
|
||||
virtual_server = "inner-tunnel"
|
||||
{ # The tunneled EAP session needs a default
|
||||
# EAP type which is separate from the one for
|
||||
# the non-tunneled EAP module. Inside of the
|
||||
# PEAP tunnel, we recommend using MS-CHAPv2,
|
||||
# as that is the default type supported by
|
||||
# Windows clients.
|
||||
} default_eap_type = mschapv2
|
||||
|
||||
|
||||
copy_request_to_tunnel = no
|
||||
use_tunneled_reply = no
|
||||
|
||||
\}
|
||||
@ -0,0 +1,18 @@
|
||||
{
|
||||
#
|
||||
# This takes no configuration.
|
||||
#
|
||||
# Note that it is the EAP MS-CHAPv2 sub-module, not
|
||||
# the main 'mschap' module.
|
||||
#
|
||||
# Note also that in order for this sub-module to work,
|
||||
# the main 'mschap' module MUST ALSO be configured.
|
||||
#
|
||||
# This module is the *Microsoft* implementation of MS-CHAPv2
|
||||
# in EAP. There is another (incompatible) implementation
|
||||
# of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
|
||||
# currently support.
|
||||
#
|
||||
}
|
||||
mschapv2 \{
|
||||
\}
|
||||
@ -0,0 +1 @@
|
||||
\}
|
||||
@ -0,0 +1,291 @@
|
||||
{
|
||||
|
||||
use esmith::util;
|
||||
$OUT = '';
|
||||
|
||||
$pw = esmith::util::LdapPassword();
|
||||
$base = esmith::util::ldapBase ($DomainName);
|
||||
|
||||
} ldap \{
|
||||
server = "localhost"
|
||||
identity = "cn=root,{ $base }"
|
||||
password = { $pw }
|
||||
base_dn = "{ $base }"
|
||||
filter = "(&(objectClass=posixAccount)(uid=%\{Stripped-User-Name:-%\{User-Name\}\}))"
|
||||
ldap_connections_number = 5
|
||||
timeout = 4
|
||||
timelimit = 3
|
||||
net_timeout = 3
|
||||
tls \{
|
||||
start_tls = no
|
||||
\}
|
||||
groupname_attribute = cn
|
||||
groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%\{Stripped-User-Name:-%\{User-Name\}\}))"
|
||||
|
||||
update \{
|
||||
control:Password-With-Header += 'userPassword'
|
||||
|
||||
\}
|
||||
user \{
|
||||
# Where to start searching in the tree for users
|
||||
base_dn = "$\{..base_dn\}"
|
||||
|
||||
# Filter for user objects, should be specific enough
|
||||
# to identify a single user object.
|
||||
filter = "(uid=%\{%\{Stripped-User-Name\}:-%\{User-Name\}\})"
|
||||
\}
|
||||
group \{
|
||||
# Where to start searching in the tree for groups
|
||||
# base_dn = "$\{..base_dn\}"
|
||||
|
||||
# Filter for group objects, should match all available
|
||||
# group objects a user might be a member of.
|
||||
# filter = "(objectClass=posixGroup)"
|
||||
# membership_attribute = "memberOf"
|
||||
\}
|
||||
|
||||
profile \{
|
||||
# Filter for RADIUS profile objects
|
||||
# filter = "(objectclass=radiusprofile)"
|
||||
|
||||
# The default profile applied to all users.
|
||||
# default = "cn=radprofile,dc=example,dc=org"
|
||||
|
||||
# The list of profiles which are applied (after the default)
|
||||
# to all users.
|
||||
# The "User-Profile" attribute in the control list
|
||||
# will override this setting at run-time.
|
||||
# attribute = "radiusProfileDn"
|
||||
\}
|
||||
|
||||
|
||||
client \{
|
||||
# Where to start searching in the tree for clients
|
||||
# base_dn = "$\{..base_dn\}"
|
||||
|
||||
#
|
||||
# Filter to match client objects
|
||||
#
|
||||
# filter = '(objectClass=frClient)'
|
||||
|
||||
# Search scope, may be 'base', 'one', 'sub' or 'children'
|
||||
# scope = 'sub'
|
||||
|
||||
#
|
||||
# Client attribute mappings are in the format:
|
||||
# <client attribute> = <ldap attribute>
|
||||
#
|
||||
# Arbitrary attributes (accessible by %\{client:<attr>\}) are not yet supported.
|
||||
#
|
||||
# The following attributes are required:
|
||||
# * identifier - IPv4 address, or IPv4 address with prefix, or hostname.
|
||||
# * secret - RADIUS shared secret.
|
||||
#
|
||||
# The following attributes are optional:
|
||||
# * shortname - Friendly name associated with the client
|
||||
# * nas_type - NAS Type
|
||||
# * virtual_server - Virtual server to associate the client with
|
||||
# * require_message_authenticator - Whether we require the Message-Authenticator
|
||||
# attribute to be present in requests from the client.
|
||||
#
|
||||
# Schemas are available in doc/schemas/ldap for openldap and eDirectory
|
||||
#
|
||||
attribute \{
|
||||
# identifier = 'radiusClientIdentifier'
|
||||
# secret = 'radiusClientSecret'
|
||||
# shortname = 'radiusClientShortname'
|
||||
# nas_type = 'radiusClientType'
|
||||
# virtual_server = 'radiusClientVirtualServer'
|
||||
# require_message_authenticator = 'radiusClientRequireMa'
|
||||
\}
|
||||
\}
|
||||
|
||||
|
||||
|
||||
# Useful for recording things like the last time the user logged
|
||||
# in, or the Acct-Session-ID for CoA/DM.
|
||||
#
|
||||
# LDAP modification items are in the format:
|
||||
# <ldap attr> <op> <value>
|
||||
#
|
||||
# Where:
|
||||
# <ldap attr>: The LDAP attribute to add modify or delete.
|
||||
# <op>: One of the assignment operators:
|
||||
# (:=, +=, -=, ++).
|
||||
# Note: '=' is *not* supported.
|
||||
# <value>: The value to add modify or delete.
|
||||
#
|
||||
# WARNING: If using the ':=' operator with a multi-valued LDAP
|
||||
# attribute, all instances of the attribute will be removed and
|
||||
# replaced with a single attribute.
|
||||
accounting \{
|
||||
reference = "%\{tolower:type.%\{Acct-Status-Type\}\}"
|
||||
|
||||
type \{
|
||||
start \{
|
||||
update \{
|
||||
description := "Online at %S"
|
||||
\}
|
||||
\}
|
||||
|
||||
interim-update \{
|
||||
update \{
|
||||
description := "Last seen at %S"
|
||||
\}
|
||||
\}
|
||||
|
||||
stop \{
|
||||
update \{
|
||||
description := "Offline at %S"
|
||||
\}
|
||||
\}
|
||||
\}
|
||||
\}
|
||||
|
||||
|
||||
|
||||
|
||||
#
|
||||
# Post-Auth can modify LDAP objects too
|
||||
#
|
||||
post-auth \{
|
||||
update \{
|
||||
description := "Authenticated at %S"
|
||||
\}
|
||||
\}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
# LDAP connection-specific options.
|
||||
#
|
||||
# These options set timeouts, keep-alives, etc. for the connections.
|
||||
#
|
||||
options \{
|
||||
# Control under which situations aliases are followed.
|
||||
# May be one of 'never', 'searching', 'finding' or 'always'
|
||||
# default: libldap's default which is usually 'never'.
|
||||
#
|
||||
# LDAP_OPT_DEREF is set to this value.
|
||||
# dereference = 'always'
|
||||
|
||||
#
|
||||
# The following two configuration items control whether the
|
||||
# server follows references returned by LDAP directory.
|
||||
# They are mostly for Active Directory compatibility.
|
||||
# If you set these to "no", then searches will likely return
|
||||
# "operations error", instead of a useful result.
|
||||
#
|
||||
chase_referrals = yes
|
||||
rebind = yes
|
||||
|
||||
# Seconds to wait for LDAP query to finish. default: 20
|
||||
timeout = 10
|
||||
|
||||
# Seconds LDAP server has to process the query (server-side
|
||||
# time limit). default: 20
|
||||
#
|
||||
# LDAP_OPT_TIMELIMIT is set to this value.
|
||||
timelimit = 3
|
||||
|
||||
# Seconds to wait for response of the server. (network
|
||||
# failures) default: 10
|
||||
#
|
||||
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
|
||||
net_timeout = 1
|
||||
|
||||
# LDAP_OPT_X_KEEPALIVE_IDLE
|
||||
idle = 60
|
||||
|
||||
# LDAP_OPT_X_KEEPALIVE_PROBES
|
||||
probes = 3
|
||||
|
||||
# LDAP_OPT_X_KEEPALIVE_INTERVAL
|
||||
interval = 3
|
||||
|
||||
# ldap_debug: debug flag for LDAP SDK
|
||||
# (see OpenLDAP documentation). Set this to enable
|
||||
# huge amounts of LDAP debugging on the screen.
|
||||
# You should only use this if you are an LDAP expert.
|
||||
#
|
||||
# default: 0x0000 (no debugging messages)
|
||||
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
|
||||
ldap_debug = 0x0028
|
||||
\}
|
||||
|
||||
|
||||
# The connection pool is new for 3.0, and will be used in many
|
||||
# modules, for all kinds of connection-related activity.
|
||||
#
|
||||
# When the server is not threaded, the connection pool
|
||||
# limits are ignored, and only one connection is used.
|
||||
pool \{
|
||||
# Number of connections to start
|
||||
start = 5
|
||||
|
||||
# Minimum number of connections to keep open
|
||||
min = 4
|
||||
|
||||
# Maximum number of connections
|
||||
#
|
||||
# If these connections are all in use and a new one
|
||||
# is requested, the request will NOT get a connection.
|
||||
#
|
||||
# Setting 'max' to LESS than the number of threads means
|
||||
# that some threads may starve, and you will see errors
|
||||
# like "No connections available and at max connection limit"
|
||||
#
|
||||
# Setting 'max' to MORE than the number of threads means
|
||||
# that there are more connections than necessary.
|
||||
max = $\{thread[pool].max_servers\}
|
||||
|
||||
# Spare connections to be left idle
|
||||
#
|
||||
# NOTE: Idle connections WILL be closed if "idle_timeout"
|
||||
# is set.
|
||||
spare = 3
|
||||
|
||||
# Number of uses before the connection is closed
|
||||
#
|
||||
# 0 means "infinite"
|
||||
uses = 0
|
||||
|
||||
# The lifetime (in seconds) of the connection
|
||||
lifetime = 0
|
||||
|
||||
# Idle timeout (in seconds). A connection which is
|
||||
# unused for this length of time will be closed.
|
||||
idle_timeout = 60
|
||||
|
||||
# NOTE: All configuration settings are enforced. If a
|
||||
# connection is closed because of "idle_timeout",
|
||||
# "uses", or "lifetime", then the total number of
|
||||
# connections MAY fall below "min". When that
|
||||
# happens, it will open a new connection. It will
|
||||
# also log a WARNING message.
|
||||
#
|
||||
# The solution is to either lower the "min" connections,
|
||||
# or increase lifetime/idle_timeout.
|
||||
\}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
\}
|
||||
@ -0,0 +1,19 @@
|
||||
{
|
||||
# -*- text -*-
|
||||
#
|
||||
# $Id: e-smith-radiusd-2.6.0-freeradius3bis.patch,v 1.2 2016/04/07 05:52:20 unnilennium Exp $
|
||||
|
||||
# An example configuration for using /etc/smbpasswd.
|
||||
#
|
||||
# See the "passwd" file for documentation on the configuration items
|
||||
# for this module.
|
||||
#
|
||||
}
|
||||
passwd smbpasswd \{
|
||||
filename = /etc/samba/smbpasswd
|
||||
format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
|
||||
hash_size = 100
|
||||
ignore_nislike = no
|
||||
allow_multiple_keys = no
|
||||
\}
|
||||
|
||||
@ -0,0 +1,2 @@
|
||||
root Auth-Type := Reject
|
||||
|
||||
@ -0,0 +1,29 @@
|
||||
{
|
||||
use esmith::AccountsDB;
|
||||
|
||||
my $adb = esmith::AccountsDB->open_ro()
|
||||
or die "Couldnt' open AccountsDB\n";
|
||||
|
||||
my @accounts = $adb->get('admin');
|
||||
push @accounts, $adb->users;
|
||||
|
||||
foreach my $account (@accounts)
|
||||
{
|
||||
next unless (($account->prop('VPNClientAccess') || 'no') eq 'yes');
|
||||
|
||||
next unless (($account->prop('PasswordSet') || 'no') eq 'yes');
|
||||
|
||||
my $name = $account->key;
|
||||
|
||||
$OUT .= <<HERE;
|
||||
$name Service-Type == Framed-User, Framed-Protocol == PPP
|
||||
HERE
|
||||
|
||||
my $pptpip = $account->prop('PPTPIP');
|
||||
next unless ($pptpip);
|
||||
|
||||
$OUT .= <<HER2;
|
||||
Framed-IP-Address = $pptpip, Framed-Netmask = 255.255.255.255
|
||||
HER2
|
||||
}
|
||||
}
|
||||
@ -0,0 +1 @@
|
||||
DEFAULT EAP-Message =* Something
|
||||
@ -0,0 +1 @@
|
||||
DEFAULT Auth-Type := Reject
|
||||
@ -0,0 +1,117 @@
|
||||
{
|
||||
#
|
||||
# proxy.conf - proxy radius and realm configuration directives
|
||||
#
|
||||
# This file is included by default. To disable it, you will need
|
||||
# to modify the PROXY CONFIGURATION section of "radiusd.conf".
|
||||
#
|
||||
#######################################################################
|
||||
#
|
||||
# Proxy server configuration
|
||||
#
|
||||
# This entry controls the servers behaviour towards ALL other servers
|
||||
# to which it sends proxy requests.
|
||||
#
|
||||
}
|
||||
proxy server \{
|
||||
{
|
||||
#
|
||||
# If the NAS re-sends the request to us, we can immediately re-send
|
||||
# the proxy request to the end server. To do so, use 'yes' here.
|
||||
#
|
||||
# If this is set to 'no', then we send the retries on our own schedule,
|
||||
# and ignore any duplicate NAS requests.
|
||||
#
|
||||
# If you want to have the server send proxy retries ONLY when the NAS
|
||||
# sends it's retries to the server, then set this to 'yes', and
|
||||
# set the other proxy configuration parameters to 0 (zero).
|
||||
#
|
||||
# Additionally, if you want 'failover' to work, the server must manage
|
||||
# retries and timeouts. Therefore, if this is set to yes, then no
|
||||
# failover functionality is possible.
|
||||
#
|
||||
} synchronous = no
|
||||
{
|
||||
#
|
||||
# The time (in seconds) to wait for a response from the proxy, before
|
||||
# re-sending the proxied request.
|
||||
#
|
||||
# If this time is set too high, then the NAS may re-send the request,
|
||||
# or it may give up entirely, and reject the user.
|
||||
#
|
||||
# If it is set too low, then the RADIUS server which receives the proxy
|
||||
# request will get kicked unnecessarily.
|
||||
#
|
||||
} retry_delay = 5
|
||||
{
|
||||
#
|
||||
# The number of retries to send before giving up, and sending a reject
|
||||
# message to the NAS.
|
||||
#
|
||||
} retry_count = 3
|
||||
{
|
||||
#
|
||||
# If the home server does not respond to any of the multiple retries,
|
||||
# then FreeRADIUS will stop sending it proxy requests, and mark it 'dead'.
|
||||
#
|
||||
# If there are multiple entries configured for this realm, then the
|
||||
# server will fail-over to the next one listed. If no more are listed,
|
||||
# then no requests will be proxied to that realm.
|
||||
#
|
||||
#
|
||||
# After a configurable 'dead_time', in seconds, FreeRADIUS will
|
||||
# speculatively mark the home server active, and start sending requests
|
||||
# to it again.
|
||||
#
|
||||
# If this dead time is set too low, then you will lose requests,
|
||||
# as FreeRADIUS will quickly switch back to the home server, even if
|
||||
# it isn't up again.
|
||||
#
|
||||
# If this dead time is set too high, then FreeRADIUS may take too long
|
||||
# to switch back to the primary home server.
|
||||
#
|
||||
# Realistic values for this number are in the range of minutes to hours.
|
||||
# (60 to 3600)
|
||||
#
|
||||
} dead_time = 120
|
||||
{
|
||||
# An ldflag attribute for all realms to be included in a round-robin
|
||||
# setup must be specified, and that ldflag must be the same for all
|
||||
# realms of the same name.
|
||||
# Currently (0 or fail_over) and (1 or round_robin) are the
|
||||
# supported values for ldflag. Fail over is the default setup.
|
||||
#
|
||||
# DO NOT INCLUDE LOCAL AUTH/ACCT HOST REALMS IN A ROUND-ROBIN QUEUE.
|
||||
|
||||
|
||||
#
|
||||
# If all exact matching realms did not respond, we can try the
|
||||
# DEFAULT realm, too. This is what the server normally does.
|
||||
#
|
||||
# This behaviour may be undesired for some cases. e.g. You are proxying
|
||||
# for two different ISP's, and then act as a general dial-up for Gric.
|
||||
# If one of the first two ISP's has their RADIUS server go down, you do
|
||||
# NOT want to proxy those requests to GRIC. Instead, you probably want
|
||||
# to just drop the requests on the floor. In that case, set this value
|
||||
# to 'no'.
|
||||
#
|
||||
# allowed values: \{yes, no\}
|
||||
#
|
||||
} default_fallback = yes
|
||||
{
|
||||
#
|
||||
# Older versions of the server would pass proxy requests through the
|
||||
# 'authorize' sections twice; once when the packet was received
|
||||
# from the NAS, and again after the reply was received from the home
|
||||
# server. Now that we have a 'post_proxy' section, the replies from
|
||||
# the home server should be sent through that, instead of through
|
||||
# the 'authorize' section again.
|
||||
#
|
||||
# However, for backwards compatibility, this behaviour is configurable.
|
||||
# The default configuration is 'yes', for backwards compatibility.
|
||||
# To use ONLY the new 'post_proxy' section, set this value to 'no'.
|
||||
#
|
||||
# allowed values: \{yes, no\}
|
||||
#
|
||||
} post_proxy_authorize = yes
|
||||
\}
|
||||
@ -0,0 +1,11 @@
|
||||
{
|
||||
#
|
||||
# This realm is for requests which don't have an explicit realm
|
||||
# prefix or suffix. User names like "bob" will match this one.
|
||||
#
|
||||
}
|
||||
realm NULL \{
|
||||
type = radius
|
||||
authhost = LOCAL
|
||||
accthost = LOCAL
|
||||
\}
|
||||
@ -0,0 +1,10 @@
|
||||
{
|
||||
#
|
||||
# This realm is for ALL OTHER requests.
|
||||
#
|
||||
}
|
||||
realm DEFAULT \{
|
||||
type = radius
|
||||
authhost = LOCAL
|
||||
accthost = LOCAL
|
||||
\}
|
||||
@ -0,0 +1,268 @@
|
||||
{
|
||||
# radiusd.conf -- FreeRADIUS server configuration file.
|
||||
#
|
||||
# http://www.freeradius.org/
|
||||
#
|
||||
# The location of other config files and
|
||||
# logfiles are declared in this file
|
||||
#
|
||||
# Also general configuration for modules can be done
|
||||
# in this file, it is exported through the API to
|
||||
# modules that ask for it.
|
||||
#
|
||||
# The configuration variables defined here are of the form $\{foo\}
|
||||
# They are local to this file, and do not change from request to
|
||||
# request.
|
||||
#
|
||||
# The per-request variables are of the form %\{Attribute-Name\}, and
|
||||
# are taken from the values of the attribute in the incoming
|
||||
# request. See 'doc/variables.txt' for more information.
|
||||
}
|
||||
prefix = /usr
|
||||
exec_prefix = /usr
|
||||
sysconfdir = /etc
|
||||
localstatedir = /var
|
||||
sbindir = /usr/sbin
|
||||
logdir = $\{localstatedir\}/log/radius
|
||||
raddbdir = $\{sysconfdir\}/raddb
|
||||
radacctdir = $\{logdir\}/radacct
|
||||
|
||||
{
|
||||
#
|
||||
# name of the running server. See also the "-n" command-line option.
|
||||
}
|
||||
name = radiusd
|
||||
|
||||
confdir = $\{raddbdir\}
|
||||
modconfdir = $\{confdir\}/mods-config
|
||||
certdir = $\{confdir\}/certs
|
||||
cadir = $\{confdir\}/certs
|
||||
run_dir = $\{localstatedir\}/run/radiusd
|
||||
{
|
||||
# libdir: Where to find the rlm_* modules.
|
||||
#
|
||||
# This should be automatically set at configuration time.
|
||||
#
|
||||
# If the server builds and installs, but fails at execution time
|
||||
# with an 'undefined symbol' error, then you can use the libdir
|
||||
# directive to work around the problem.
|
||||
#
|
||||
# The cause is usually that a library has been installed on your
|
||||
# system in a place where the dynamic linker CANNOT find it. When
|
||||
# executing as root (or another user), your personal environment MAY
|
||||
# be set up to allow the dynamic linker to find the library. When
|
||||
# executing as a daemon, FreeRADIUS MAY NOT have the same
|
||||
# personalized configuration.
|
||||
#
|
||||
# To work around the problem, find out which library contains that symbol,
|
||||
# and add the directory containing that library to the end of 'libdir',
|
||||
# with a colon separating the directory names. NO spaces are allowed.
|
||||
#
|
||||
# e.g. libdir = /usr/local/lib:/opt/package/lib
|
||||
#
|
||||
# You can also try setting the LD_LIBRARY_PATH environment variable
|
||||
# in a script which starts the server.
|
||||
#
|
||||
# If that does not work, then you can re-configure and re-build the
|
||||
# server to NOT use shared libraries, via:
|
||||
#
|
||||
# ./configure --disable-shared
|
||||
# make
|
||||
# make install
|
||||
}
|
||||
libdir = /usr/lib
|
||||
{
|
||||
# pidfile: Where to place the PID of the RADIUS server.
|
||||
#
|
||||
# The server may be signalled while it's running by using this
|
||||
# file.
|
||||
#
|
||||
# This file is written when ONLY running in daemon mode.
|
||||
#
|
||||
# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
|
||||
}
|
||||
pidfile = $\{run_dir\}/$\{name\}.pid
|
||||
{
|
||||
# panic_action: Command to execute if the server dies unexpectedly.
|
||||
#
|
||||
# FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.
|
||||
# AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.
|
||||
# AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART.
|
||||
#
|
||||
# THE SERVER MUST NOT BE ALLOWED EXECUTE UNTRUSTED PANIC ACTION CODE
|
||||
# PATTACH CAN BE USED AS AN ATTACK VECTOR.
|
||||
#
|
||||
# The panic action is a command which will be executed if the server
|
||||
# receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS,
|
||||
# SIGABRT or SIGFPE.
|
||||
#
|
||||
# This can be used to start an interactive debugging session so
|
||||
# that information regarding the current state of the server can
|
||||
# be acquired.
|
||||
#
|
||||
# The following string substitutions are available:
|
||||
# - %e The currently executing program e.g. /sbin/radiusd
|
||||
# - %p The PID of the currently executing program e.g. 12345
|
||||
#
|
||||
# Standard ${} substitutions are also allowed.
|
||||
#
|
||||
# An example panic action for opening an interactive session in GDB would be:
|
||||
#
|
||||
#panic_action = "gdb %e %p"
|
||||
#
|
||||
# Again, don't use that on a production system.
|
||||
#
|
||||
# An example panic action for opening an automated session in GDB would be:
|
||||
#
|
||||
#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log"
|
||||
#
|
||||
# That command can be used on a production system.
|
||||
#
|
||||
}
|
||||
|
||||
{
|
||||
# max_request_time: The maximum time (in seconds) to handle a request.
|
||||
#
|
||||
# Requests which take more time than this to process may be killed, and
|
||||
# a REJECT message is returned.
|
||||
#
|
||||
# WARNING: If you notice that requests take a long time to be handled,
|
||||
# then this MAY INDICATE a bug in the server, in one of the modules
|
||||
# used to handle a request, OR in your local configuration.
|
||||
#
|
||||
# This problem is most often seen when using an SQL database. If it takes
|
||||
# more than a second or two to receive an answer from the SQL database,
|
||||
# then it probably means that you haven't indexed the database. See your
|
||||
# SQL server documentation for more information.
|
||||
#
|
||||
# Useful range of values: 5 to 120
|
||||
}
|
||||
max_request_time = 30
|
||||
{
|
||||
# delete_blocked_requests: If the request takes MORE THAN 'max_request_time'
|
||||
# to be handled, then maybe the server should delete it.
|
||||
#
|
||||
# If you're running in threaded, or thread pool mode, this setting
|
||||
# should probably be 'no'. Setting it to 'yes' when using a threaded
|
||||
# server MAY cause the server to crash!
|
||||
}
|
||||
delete_blocked_requests = no
|
||||
{
|
||||
# cleanup_delay: The time to wait (in seconds) before cleaning up
|
||||
# a reply which was sent to the NAS.
|
||||
#
|
||||
# The RADIUS request is normally cached internally for a short period
|
||||
# of time, after the reply is sent to the NAS. The reply packet may be
|
||||
# lost in the network, and the NAS will not see it. The NAS will then
|
||||
# re-send the request, and the server will respond quickly with the
|
||||
# cached reply.
|
||||
#
|
||||
# If this value is set too low, then duplicate requests from the NAS
|
||||
# MAY NOT be detected, and will instead be handled as seperate requests.
|
||||
#
|
||||
# If this value is set too high, then the server will cache too many
|
||||
# requests, and some new requests may get blocked. (See 'max_requests'.)
|
||||
#
|
||||
# Useful range of values: 2 to 10
|
||||
}
|
||||
cleanup_delay = 5
|
||||
{
|
||||
# max_requests: The maximum number of requests which the server keeps
|
||||
# track of. This should be 256 multiplied by the number of clients.
|
||||
# e.g. With 4 clients, this number should be 1024.
|
||||
#
|
||||
# If this number is too low, then when the server becomes busy,
|
||||
# it will not respond to any new requests, until the 'cleanup_delay'
|
||||
# time has passed, and it has removed the old requests.
|
||||
#
|
||||
# If this number is set too high, then the server will use a bit more
|
||||
# memory for no real benefit.
|
||||
#
|
||||
# If you aren't sure what it should be set to, it's better to set it
|
||||
# too high than too low. Setting it to 1000 per client is probably
|
||||
# the highest it should be.
|
||||
#
|
||||
# Useful range of values: 256 to infinity
|
||||
}
|
||||
max_requests = 1024
|
||||
{
|
||||
# hostname_lookups: Log the names of clients or just their IP addresses
|
||||
# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
|
||||
#
|
||||
# The default is 'off' because it would be overall better for the net
|
||||
# if people had to knowingly turn this feature on, since enabling it
|
||||
# means that each client request will result in AT LEAST one lookup
|
||||
# request to the nameserver. Enabling hostname_lookups will also
|
||||
# mean that your server may stop randomly for 30 seconds from time
|
||||
# to time, if the DNS requests take too long.
|
||||
#
|
||||
# Turning hostname lookups off also means that the server won't block
|
||||
# for 30 seconds, if it sees an IP address which has no name associated
|
||||
# with it.
|
||||
#
|
||||
# allowed values: \{no, yes\}
|
||||
}
|
||||
hostname_lookups = no
|
||||
{
|
||||
# Regular expressions
|
||||
#
|
||||
# These items are set at configure time. If they're set to "yes",
|
||||
# then setting them to "no" turns off regular expression support.
|
||||
#
|
||||
# If they're set to "no" at configure time, then setting them to "yes"
|
||||
# WILL NOT WORK. It will give you an error.
|
||||
}
|
||||
regular_expressions = yes
|
||||
extended_expressions = yes
|
||||
{
|
||||
# usercollide: Turn "username collision" code on and off. See the
|
||||
# "doc/duplicate-users" file
|
||||
#
|
||||
# WARNING
|
||||
# !!!!!!! Setting this to "yes" may result in the server behaving
|
||||
# !!!!!!! strangely. The "username collision" code will ONLY work
|
||||
# !!!!!!! with clear-text passwords. Even then, it may not do what
|
||||
# !!!!!!! you want, or what you expect.
|
||||
# !!!!!!!
|
||||
# !!!!!!! We STRONGLY RECOMMEND that you do not use this feature,
|
||||
# !!!!!!! and that you find another way of acheiving the same goal.
|
||||
# !!!!!!!
|
||||
# !!!!!!! e,g. module fail-over. See 'doc/configurable_failover'
|
||||
# WARNING
|
||||
}
|
||||
usercollide = no
|
||||
{
|
||||
# lower_user / lower_pass:
|
||||
# Lower case the username/password "before" or "after"
|
||||
# attempting to authenticate.
|
||||
#
|
||||
# If "before", the server will first modify the request and then try
|
||||
# to auth the user. If "after", the server will first auth using the
|
||||
# values provided by the user. If that fails it will reprocess the
|
||||
# request after modifying it as you specify below.
|
||||
#
|
||||
# This is as close as we can get to case insensitivity. It is the
|
||||
# admin's job to ensure that the username on the auth db side is
|
||||
# *also* lowercase to make this work
|
||||
#
|
||||
# Default is 'no' (don't lowercase values)
|
||||
# Valid values = "before" / "after" / "no"
|
||||
}
|
||||
lower_user = no
|
||||
lower_pass = no
|
||||
{
|
||||
# nospace_user / nospace_pass:
|
||||
#
|
||||
# Some users like to enter spaces in their username or password
|
||||
# incorrectly. To save yourself the tech support call, you can
|
||||
# eliminate those spaces here:
|
||||
#
|
||||
# Default is 'no' (don't remove spaces)
|
||||
# Valid values = "before" / "after" / "no" (explanation above)
|
||||
}
|
||||
nospace_user = no
|
||||
nospace_pass = no
|
||||
{
|
||||
# The program to execute to do concurrency checks.
|
||||
}
|
||||
checkrad = $\{sbindir\}/checkrad
|
||||
@ -0,0 +1,127 @@
|
||||
{
|
||||
#
|
||||
# Logging section. The various "log_*" configuration items
|
||||
# will eventually be moved here.
|
||||
#
|
||||
# previously this section was only:
|
||||
#log_file = $\{logdir\}/radius.log
|
||||
}
|
||||
log \{
|
||||
{
|
||||
#
|
||||
# Destination for log messages. This can be one of:
|
||||
#
|
||||
# files - log to "file", as defined below.
|
||||
# syslog - to syslog (see also the "syslog_facility", below.
|
||||
# stdout - standard output
|
||||
# stderr - standard error.
|
||||
#
|
||||
# The command-line option "-X" over-rides this option, and forces
|
||||
# logging to go to stdout.
|
||||
#
|
||||
} destination = files
|
||||
{
|
||||
#
|
||||
# Highlight important messages sent to stderr and stdout.
|
||||
#
|
||||
# Option will be ignored (disabled) if output if TERM is not
|
||||
# an xterm or output is not to a TTY.
|
||||
#
|
||||
} colourise = yes
|
||||
{
|
||||
#
|
||||
# The logging messages for the server are appended to the
|
||||
# tail of this file if destination == "files"
|
||||
#
|
||||
# If the server is running in debugging mode, this file is
|
||||
# NOT used.
|
||||
#
|
||||
} file = $\{logdir\}/radius.log
|
||||
{
|
||||
#
|
||||
# If this configuration parameter is set, then log messages for
|
||||
# a *request* go to this file, rather than to radius.log.
|
||||
#
|
||||
# i.e. This is a log file per request, once the server has accepted
|
||||
# the request as being from a valid client. Messages that are
|
||||
# not associated with a request still go to radius.log.
|
||||
#
|
||||
# Not all log messages in the server core have been updated to use
|
||||
# this new internal API. As a result, some messages will still
|
||||
# go to radius.log. Please submit patches to fix this behavior.
|
||||
#
|
||||
# The file name is expanded dynamically. You should ONLY user
|
||||
# server-side attributes for the filename (e.g. things you control).
|
||||
# Using this feature MAY also slow down the server substantially,
|
||||
# especially if you do thinks like SQL calls as part of the
|
||||
# expansion of the filename.
|
||||
#
|
||||
# The name of the log file should use attributes that don't change
|
||||
# over the lifetime of a request, such as User-Name,
|
||||
# Virtual-Server or Packet-Src-IP-Address. Otherwise, the log
|
||||
# messages will be distributed over multiple files.
|
||||
#
|
||||
# Logging can be enabled for an individual request by a special
|
||||
# dynamic expansion macro: %{debug: 1}, where the debug level
|
||||
# for this request is set to '1' (or 2, 3, etc.). e.g.
|
||||
#
|
||||
# ...
|
||||
# update control {
|
||||
# Tmp-String-0 = "%{debug:1}"
|
||||
# }
|
||||
# ...
|
||||
#
|
||||
# The attribute that the value is assigned to is unimportant,
|
||||
# and should be a "throw-away" attribute with no side effects.
|
||||
#
|
||||
#requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
|
||||
|
||||
#
|
||||
# Which syslog facility to use, if ${destination} == "syslog"
|
||||
#
|
||||
# The exact values permitted here are OS-dependent. You probably
|
||||
# don't want to change this.
|
||||
#
|
||||
} syslog_facility = daemon
|
||||
{
|
||||
# Log the full User-Name attribute, as it was found in the request.
|
||||
#
|
||||
# allowed values: {no, yes}
|
||||
#
|
||||
#
|
||||
} stripped_names = no
|
||||
{
|
||||
# Log authentication requests to the log file.
|
||||
#
|
||||
# allowed values: {no, yes}
|
||||
#
|
||||
} auth = no
|
||||
{
|
||||
# Log passwords with the authentication requests.
|
||||
# auth_badpass - logs password if it's rejected
|
||||
# auth_goodpass - logs password if it's correct
|
||||
#
|
||||
# allowed values: {no, yes}
|
||||
#
|
||||
} auth_badpass = no
|
||||
auth_goodpass = no
|
||||
{
|
||||
# Log additional text at the end of the "Login OK" messages.
|
||||
# for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
|
||||
# configurations above have to be set to "yes".
|
||||
#
|
||||
# The strings below are dynamically expanded, which means that
|
||||
# you can put anything you want in them. However, note that
|
||||
# this expansion can be slow, and can negatively impact server
|
||||
# performance.
|
||||
#
|
||||
}
|
||||
# msg_goodpass = ""
|
||||
# msg_badpass = ""
|
||||
{
|
||||
# The message when the user exceeds the Simultaneous-Use limit.
|
||||
#
|
||||
}
|
||||
msg_denied = "You are already logged in - access denied"
|
||||
\}
|
||||
|
||||
@ -0,0 +1,88 @@
|
||||
{
|
||||
# SECURITY CONFIGURATION
|
||||
#
|
||||
# There may be multiple methods of attacking on the server. This
|
||||
# section holds the configuration items which minimize the impact
|
||||
# of those attacks
|
||||
}
|
||||
security \{
|
||||
{ # user/group: The name (or #number) of the user/group to run radiusd as.
|
||||
#
|
||||
# If these are commented out, the server will run as the
|
||||
# user/group that started it. In order to change to a
|
||||
# different user/group, you MUST be root ( or have root
|
||||
# privileges ) to start the server.
|
||||
#
|
||||
# We STRONGLY recommend that you run the server with as few
|
||||
# permissions as possible. That is, if you're not using
|
||||
# shadow passwords, the user and group items below should be
|
||||
# set to radius'.
|
||||
#
|
||||
# NOTE that some kernels refuse to setgid(group) when the
|
||||
# value of (unsigned)group is above 60000; don't use group
|
||||
# "nobody" on these systems!
|
||||
#
|
||||
# On systems with shadow passwords, you might have to set
|
||||
# 'group = shadow' for the server to be able to read the
|
||||
# shadow password file. If you can authenticate users while
|
||||
# in debug mode, but not in daemon mode, it may be that the
|
||||
# debugging mode server is running as a user that can read
|
||||
# the shadow info, and the user listed below can not.
|
||||
#
|
||||
# The server will also try to use "initgroups" to read
|
||||
# /etc/groups. It will join all groups where "user" is a
|
||||
# member. This can allow for some finer-grained access
|
||||
# controls.
|
||||
#
|
||||
} user = root
|
||||
group = root
|
||||
{
|
||||
# Core dumps are a bad thing. This should only be set to
|
||||
# 'yes' if you're debugging a problem with the server.
|
||||
#
|
||||
# allowed values: {no, yes}
|
||||
#
|
||||
} allow_core_dumps = no
|
||||
{
|
||||
# max_attributes: The maximum number of attributes
|
||||
# permitted in a RADIUS packet. Packets which have MORE
|
||||
# than this number of attributes in them will be dropped.
|
||||
#
|
||||
# If this number is set too low, then no RADIUS packets
|
||||
# will be accepted.
|
||||
#
|
||||
# If this number is set too high, then an attacker may be
|
||||
# able to send a small number of packets which will cause
|
||||
# the server to use all available memory on the machine.
|
||||
#
|
||||
# Setting this number to 0 means "allow any number of attributes"
|
||||
} max_attributes = 200
|
||||
{
|
||||
# delayed_reject: When sending an Access-Reject, it can be
|
||||
# delayed for a few seconds. This may help slow down a DoS
|
||||
# attack. It also helps to slow down people trying to brute-force
|
||||
# crack a users password.
|
||||
#
|
||||
# Setting this number to 0 means "send rejects immediately"
|
||||
#
|
||||
# If this number is set higher than 'cleanup_delay', then the
|
||||
# rejects will be sent at 'cleanup_delay' time, when the request
|
||||
# is deleted from the internal cache of requests.
|
||||
#
|
||||
# Useful ranges: 1 to 5
|
||||
} reject_delay = 1
|
||||
{
|
||||
# status_server: Whether or not the server will respond
|
||||
# to Status-Server requests.
|
||||
#
|
||||
# Normally this should be set to "no", because they're useless.
|
||||
# See: http://www.freeradius.org/rfc/rfc2865.html#Keep-Alives
|
||||
#
|
||||
# However, certain NAS boxes may require them.
|
||||
#
|
||||
# When sent a Status-Server message, the server responds with
|
||||
# an Access-Accept packet, containing a Reply-Message attribute,
|
||||
# which is a string describing how long the server has been
|
||||
# running.
|
||||
} status_server = no
|
||||
\}
|
||||
@ -0,0 +1,117 @@
|
||||
{
|
||||
# PROXY CONFIGURATION
|
||||
#
|
||||
# proxy_requests: Turns proxying of RADIUS requests on or off.
|
||||
#
|
||||
# The server has proxying turned on by default. If your system is NOT
|
||||
# set up to proxy requests to another server, then you can turn proxying
|
||||
# off here. This will save a small amount of resources on the server.
|
||||
#
|
||||
# If you have proxying turned off, and your configuration files say
|
||||
# to proxy a request, then an error message will be logged.
|
||||
#
|
||||
# To disable proxying, change the "yes" to "no", and comment the
|
||||
# $INCLUDE line.
|
||||
#
|
||||
# allowed values: \{no, yes\}
|
||||
}
|
||||
proxy_requests = no
|
||||
$INCLUDE $\{confdir\}/proxy.conf
|
||||
{
|
||||
# CLIENTS CONFIGURATION
|
||||
#
|
||||
# Client configuration is defined in "clients.conf".
|
||||
#
|
||||
# The 'clients.conf' file contains all of the information from the old
|
||||
# 'clients' and 'naslist' configuration files. We recommend that you
|
||||
# do NOT use 'client's or 'naslist', although they are still
|
||||
# supported.
|
||||
#
|
||||
# Anything listed in 'clients.conf' will take precedence over the
|
||||
# information from the old-style configuration files.
|
||||
}
|
||||
$INCLUDE $\{confdir\}/clients.conf
|
||||
{
|
||||
# THREAD POOL CONFIGURATION
|
||||
#
|
||||
# The thread pool is a long-lived group of threads which
|
||||
# take turns (round-robin) handling any incoming requests.
|
||||
#
|
||||
# You probably want to have a few spare threads around,
|
||||
# so that high-load situations can be handled immediately. If you
|
||||
# don't have any spare threads, then the request handling will
|
||||
# be delayed while a new thread is created, and added to the pool.
|
||||
#
|
||||
# You probably don't want too many spare threads around,
|
||||
# otherwise they'll be sitting there taking up resources, and
|
||||
# not doing anything productive.
|
||||
#
|
||||
# The numbers given below should be adequate for most situations.
|
||||
}
|
||||
thread pool \{
|
||||
{ # Number of servers to start initially --- should be a reasonable
|
||||
# ballpark figure.
|
||||
} start_servers = 5
|
||||
{
|
||||
# Limit on the total number of servers running.
|
||||
#
|
||||
# If this limit is ever reached, clients will be LOCKED OUT, so it
|
||||
# should NOT BE SET TOO LOW. It is intended mainly as a brake to
|
||||
# keep a runaway server from taking the system with it as it spirals
|
||||
# down...
|
||||
#
|
||||
# You may find that the server is regularly reaching the
|
||||
# 'max_servers' number of threads, and that increasing
|
||||
# 'max_servers' doesn't seem to make much difference.
|
||||
#
|
||||
# If this is the case, then the problem is MOST LIKELY that
|
||||
# your back-end databases are taking too long to respond, and
|
||||
# are preventing the server from responding in a timely manner.
|
||||
#
|
||||
# The solution is NOT do keep increasing the 'max_servers'
|
||||
# value, but instead to fix the underlying cause of the
|
||||
# problem: slow database, or 'hostname_lookups=yes'.
|
||||
#
|
||||
# For more information, see 'max_request_time', above.
|
||||
} max_servers = 32
|
||||
{
|
||||
# Server-pool size regulation. Rather than making you guess
|
||||
# how many servers you need, FreeRADIUS dynamically adapts to
|
||||
# the load it sees, that is, it tries to maintain enough
|
||||
# servers to handle the current load, plus a few spare
|
||||
# servers to handle transient load spikes.
|
||||
#
|
||||
# It does this by periodically checking how many servers are
|
||||
# waiting for a request. If there are fewer than
|
||||
# min_spare_servers, it creates a new spare. If there are
|
||||
# more than max_spare_servers, some of the spares die off.
|
||||
# The default values are probably OK for most sites.
|
||||
} min_spare_servers = 3
|
||||
max_spare_servers = 10
|
||||
{
|
||||
# There may be memory leaks or resource allocation problems with
|
||||
# the server. If so, set this value to 300 or so, so that the
|
||||
# resources will be cleaned up periodically.
|
||||
#
|
||||
# This should only be necessary if there are serious bugs in the
|
||||
# server which have not yet been fixed.
|
||||
#
|
||||
# '0' is a special value meaning 'infinity', or 'the servers never
|
||||
# exit'
|
||||
} max_requests_per_server = 0
|
||||
{
|
||||
# If the received PPS is larger than the processed PPS, *and*
|
||||
# the queue is more than half full, then new accounting
|
||||
# requests are probabilistically discarded. This lowers the
|
||||
# number of packets that the server needs to process. Over
|
||||
# time, the server will "catch up" with the traffic.
|
||||
#
|
||||
# Throwing away accounting packets is usually safe and low
|
||||
# impact. The NAS will retransmit them in a few seconds, or
|
||||
# even a few minutes. Vendors should read RFC 5080 Section 2.2.1
|
||||
# to see how accounting packets should be retransmitted. Using
|
||||
# any other method is likely to cause network meltdowns.
|
||||
#
|
||||
} auto_limit_acct = no
|
||||
|
||||
\}
|
||||
@ -0,0 +1,10 @@
|
||||
{
|
||||
######################################################################
|
||||
#
|
||||
# SNMP notifications. Uncomment the following line to enable
|
||||
# snmptraps. Note that you MUST also configure the full path
|
||||
# to the "snmptrap" command in the "trigger.conf" file.
|
||||
#
|
||||
}
|
||||
#$INCLUDE trigger.conf
|
||||
|
||||
@ -0,0 +1,40 @@
|
||||
{
|
||||
# MODULE CONFIGURATION
|
||||
#
|
||||
# The names and configuration of each module is located in this section.
|
||||
#
|
||||
# After the modules are defined here, they may be referred to by name,
|
||||
# in other sections of this configuration file.
|
||||
}
|
||||
modules \{ {
|
||||
#
|
||||
# Each module has a configuration as follows:
|
||||
#
|
||||
# name [ instance ] {
|
||||
# config_item = value
|
||||
# ...
|
||||
# }
|
||||
#
|
||||
# The 'name' is used to load the 'rlm_name' library
|
||||
# which implements the functionality of the module.
|
||||
#
|
||||
# The 'instance' is optional. To have two different instances
|
||||
# of a module, it first must be referred to by 'name'.
|
||||
# The different copies of the module are then created by
|
||||
# inventing two 'instance' names, e.g. 'instance1' and 'instance2'
|
||||
#
|
||||
# The instance names can then be used in later configuration
|
||||
# INSTEAD of the original 'name'. See the 'radutmp' configuration
|
||||
# for an example.
|
||||
#
|
||||
|
||||
#
|
||||
# As of 3.0, modules are in mods-enabled/. Files matching
|
||||
# the regex /[a-zA-Z0-9_.]+/ are loaded. The modules are
|
||||
# initialized ONLY if they are referenced in a processing
|
||||
# section, such as authorize, authenticate, accounting,
|
||||
# pre/post-proxy, etc.
|
||||
#
|
||||
}
|
||||
$INCLUDE mods-enabled/
|
||||
|
||||
@ -0,0 +1 @@
|
||||
\}
|
||||
@ -0,0 +1,45 @@
|
||||
{
|
||||
# Instantiation
|
||||
#
|
||||
# This section orders the loading of the modules. Modules
|
||||
# listed here will get loaded BEFORE the later sections like
|
||||
# authorize, authenticate, etc. get examined.
|
||||
#
|
||||
# This section is not strictly needed. When a section like
|
||||
# authorize refers to a module, it's automatically loaded and
|
||||
# initialized. However, some modules may not be listed in any
|
||||
# of the following sections, so they can be listed here.
|
||||
#
|
||||
# Also, listing modules here ensures that you have control over
|
||||
# the order in which they are initialized. If one module needs
|
||||
# something defined by another module, you can list them in order
|
||||
# here, and ensure that the configuration will be OK.
|
||||
#
|
||||
# After the modules listed here have been loaded, all of the modules
|
||||
# in the "mods-enabled" directory will be loaded. Loading the
|
||||
# "mods-enabled" directory means that unlike Version 2, you usually
|
||||
# don't need to list modules here.
|
||||
#
|
||||
}
|
||||
instantiate \{
|
||||
#
|
||||
# We list the counter module here so that it registers
|
||||
# the check_name attribute before any module which sets
|
||||
# it
|
||||
# daily
|
||||
|
||||
# subsections here can be thought of as "virtual" modules.
|
||||
#
|
||||
# e.g. If you have two redundant SQL servers, and you want to
|
||||
# use them in the authorize and accounting sections, you could
|
||||
# place a "redundant" block in each section, containing the
|
||||
# exact same text. Or, you could uncomment the following
|
||||
# lines, and list "redundant_sql" in the authorize and
|
||||
# accounting sections.
|
||||
#
|
||||
#redundant redundant_sql \{
|
||||
# sql1
|
||||
# sql2
|
||||
#\}
|
||||
\}
|
||||
|
||||
@ -0,0 +1,20 @@
|
||||
{
|
||||
######################################################################
|
||||
#
|
||||
# Policies are virtual modules, similar to those defined in the
|
||||
# "instantiate" section above.
|
||||
#
|
||||
# Defining a policy in one of the policy.d files means that it can be
|
||||
# referenced in multiple places as a *name*, rather than as a series of
|
||||
# conditions to match, and actions to take.
|
||||
#
|
||||
# Policies are something like subroutines in a normal language, but
|
||||
# they cannot be called recursively. They MUST be defined in order.
|
||||
# If policy A calls policy B, then B MUST be defined before A.
|
||||
#
|
||||
######################################################################
|
||||
}
|
||||
policy \{
|
||||
$INCLUDE policy.d/
|
||||
\}
|
||||
|
||||
@ -0,0 +1,33 @@
|
||||
{
|
||||
######################################################################
|
||||
#
|
||||
#<----->Load virtual servers.
|
||||
#
|
||||
#<----->This next $INCLUDE line loads files in the directory that
|
||||
#<----->match the regular expression: /[a-zA-Z0-9_.]+/
|
||||
#
|
||||
#<----->It allows you to define new virtual servers simply by placing
|
||||
#<----->a file into the raddb/sites-enabled/ directory.
|
||||
#
|
||||
}$INCLUDE sites-enabled/
|
||||
{
|
||||
######################################################################
|
||||
#
|
||||
#<----->All of the other configuration sections like "authorize {}",
|
||||
#<----->"authenticate {}", "accounting {}", have been moved to the
|
||||
#<----->the file:
|
||||
#
|
||||
#<-----><------>raddb/sites-available/default
|
||||
#
|
||||
#<----->This is the "default" virtual server that has the same
|
||||
#<----->configuration as in version 1.0.x and 1.1.x. The default
|
||||
#<----->installation enables this virtual server. You should
|
||||
#<----->edit it to create policies for your local site.
|
||||
#
|
||||
#<----->For more documentation on virtual servers, see:
|
||||
#
|
||||
#<-----><------>raddb/sites-available/README
|
||||
#
|
||||
######################################################################
|
||||
|
||||
}
|
||||
@ -0,0 +1,49 @@
|
||||
{
|
||||
######################################################################
|
||||
#
|
||||
# As of 2.0.0, FreeRADIUS supports virtual hosts using the
|
||||
# "server" section, and configuration directives.
|
||||
#
|
||||
# Virtual hosts should be put into the "sites-available"
|
||||
# directory. Soft links should be created in the "sites-enabled"
|
||||
# directory to these files. This is done in a normal installation.
|
||||
#
|
||||
# If you are using 802.1X (EAP) authentication, please see also
|
||||
# the "inner-tunnel" virtual server. You will likely have to edit
|
||||
# that, too, for authentication to work.
|
||||
#
|
||||
# $Id: e-smith-radiusd-2.6.0-freeradius3.patch,v 1.3 2016/04/12 10:16:09 unnilennium Exp $
|
||||
#
|
||||
######################################################################
|
||||
#
|
||||
# Read "man radiusd" before editing this file. See the section
|
||||
# titled DEBUGGING. It outlines a method where you can quickly
|
||||
# obtain the configuration you want, without running into
|
||||
# trouble. See also "man unlang", which documents the format
|
||||
# of this file.
|
||||
#
|
||||
# This configuration is designed to work in the widest possible
|
||||
# set of circumstances, with the widest possible number of
|
||||
# authentication methods. This means that in general, you should
|
||||
# need to make very few changes to this file.
|
||||
#
|
||||
# The best way to configure the server for your local system
|
||||
# is to CAREFULLY edit this file. Most attempts to make large
|
||||
# edits to this file will BREAK THE SERVER. Any edits should
|
||||
# be small, and tested by running the server with "radiusd -X".
|
||||
# Once the edits have been verified to work, save a copy of these
|
||||
# configuration files somewhere. (e.g. as a "tar" file). Then,
|
||||
# make more edits, and test, as above.
|
||||
#
|
||||
# There are many "commented out" references to modules such
|
||||
# as ldap, sql, etc. These references serve as place-holders.
|
||||
# If you need the functionality of that module, then configure
|
||||
# it in radiusd.conf, and un-comment the references to it in
|
||||
# this file. In most cases, those small changes will result
|
||||
# in the server being able to connect to the DB, and to
|
||||
# authenticate users.
|
||||
#
|
||||
######################################################################
|
||||
}
|
||||
server default \{
|
||||
|
||||
@ -0,0 +1,90 @@
|
||||
{
|
||||
# listen: Make the server listen on a particular IP address, and send
|
||||
# replies out from that address. This directive is most useful for
|
||||
# hosts with multiple IP addresses on one interface.
|
||||
#
|
||||
# If you want the server to listen on additional addresses, or on
|
||||
# additionnal ports, you can use multiple "listen" sections.
|
||||
#
|
||||
# Each section make the server listen for only one type of packet,
|
||||
# therefore authentication and accounting have to be configured in
|
||||
# different sections.
|
||||
#
|
||||
# The server ignore all "listen" section if you are using '-i' and '-p'
|
||||
# on the command line.
|
||||
}
|
||||
# auth
|
||||
listen \{
|
||||
type = auth
|
||||
{
|
||||
# ipaddr/ipv4addr/ipv6addr - IP address on which to listen.
|
||||
# Out of several options the first one will be used.
|
||||
#
|
||||
# Allowed values are:
|
||||
# IPv4 address (e.g. 1.2.3.4, for ipv4addr/ipaddr)
|
||||
# IPv6 address (e.g. 2001:db8::1, for ipv6addr/ipaddr)
|
||||
# hostname (radius.example.com,
|
||||
# A record for ipv4addr,
|
||||
# AAAA record for ipv6addr,
|
||||
# A or AAAA record for ipaddr)
|
||||
# wildcard (*)
|
||||
#
|
||||
# ipv4addr = *
|
||||
# ipv6addr = *
|
||||
}
|
||||
ipaddr = *
|
||||
port = 0
|
||||
# interface = eth0
|
||||
# clients = per_socket_clients
|
||||
{
|
||||
#
|
||||
# Connection limiting for sockets with "proto = tcp".
|
||||
#
|
||||
# This section is ignored for other kinds of sockets.
|
||||
#
|
||||
} limit \{
|
||||
{
|
||||
#
|
||||
# Limit the number of simultaneous TCP connections to the socket
|
||||
#
|
||||
# The default is 16.
|
||||
# Setting this to 0 means "no limit"
|
||||
} max_connections = 16
|
||||
{
|
||||
# The per-socket "max_requests" option does not exist.
|
||||
|
||||
#
|
||||
# The lifetime, in seconds, of a TCP connection. After
|
||||
# this lifetime, the connection will be closed.
|
||||
#
|
||||
# Setting this to 0 means "forever".
|
||||
} lifetime = 0
|
||||
{
|
||||
#
|
||||
# The idle timeout, in seconds, of a TCP connection.
|
||||
# If no packets have been received over the connection for
|
||||
# this time, the connection will be closed.
|
||||
#
|
||||
# Setting this to 0 means "no timeout".
|
||||
#
|
||||
# We STRONGLY RECOMMEND that you set an idle timeout.
|
||||
#
|
||||
} idle_timeout = 30
|
||||
\}
|
||||
|
||||
\}
|
||||
|
||||
#
|
||||
# This second "listen" section is for listening on the accounting
|
||||
# port, too.
|
||||
#
|
||||
listen \{
|
||||
type = acct
|
||||
ipaddr = *
|
||||
port = 0
|
||||
\}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@ -0,0 +1,11 @@
|
||||
{
|
||||
# Authorization. First preprocess (hints and huntgroups files),
|
||||
# then realms, and finally look in the "users" file.
|
||||
#
|
||||
# The order of the realm modules will determine the order that
|
||||
# we try to find a matching realm.
|
||||
#
|
||||
# Make *sure* that 'preprocess' comes before any realm if you
|
||||
# need to setup hints for the remote radius server
|
||||
}
|
||||
authorize \{
|
||||
@ -0,0 +1,106 @@
|
||||
{
|
||||
#
|
||||
# Take a User-Name, and perform some checks on it, for spaces and other
|
||||
# invalid characters. If the User-Name appears invalid, reject the
|
||||
# request.
|
||||
#
|
||||
# See policy.d/filter for the definition of the filter_username policy.
|
||||
#
|
||||
}# filter_username
|
||||
{
|
||||
# The preprocess module takes care of sanitizing some bizarre
|
||||
# attributes in the request, and turning them into attributes
|
||||
# which are more standard.
|
||||
#
|
||||
# It takes care of processing the 'raddb/hints' and the
|
||||
# 'raddb/huntgroups' files.
|
||||
#
|
||||
# It also adds the %\{Client-IP-Address\} attribute to the request.
|
||||
} preprocess
|
||||
{
|
||||
# If you are using multiple kinds of realms, you probably
|
||||
# want to set "ignore_null = yes" for all of them.
|
||||
# Otherwise, when the first style of realm doesn't match,
|
||||
# the other styles won't be checked.
|
||||
} suffix
|
||||
ntdomain
|
||||
{
|
||||
# This module takes care of EAP-PEAP authentication.
|
||||
#
|
||||
# It also sets the EAP-Type attribute in the request
|
||||
# attribute list to the EAP type from the packet.
|
||||
} eap \{
|
||||
ok = return
|
||||
\}
|
||||
|
||||
{
|
||||
# If the users are logging in with an MS-CHAP-Challenge
|
||||
# attribute for authentication, the mschap module will find
|
||||
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
|
||||
# to the request, which will cause the server to then use
|
||||
# the mschap module for authentication.
|
||||
} mschap
|
||||
{
|
||||
# If you are using /etc/smbpasswd, and are also doing
|
||||
# mschap authentication, the un-comment this line, and
|
||||
# configure the 'smbpasswd' module, above.
|
||||
( $ldap{Authentication} || 'disabled' ) eq 'enabled' ? 'ldap' : 'smbpasswd';
|
||||
}
|
||||
|
||||
{
|
||||
#
|
||||
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
|
||||
# using the system API's to get the password. If you want
|
||||
# to read /etc/passwd or /etc/shadow directly, see the
|
||||
# passwd module in radiusd.conf.
|
||||
#
|
||||
}# unix
|
||||
|
||||
|
||||
{
|
||||
# Read the 'users' file
|
||||
} files
|
||||
|
||||
{
|
||||
#
|
||||
# Look in an SQL database. The schema of the database
|
||||
# is meant to mirror the "users" file.
|
||||
#
|
||||
# See "Authorization Queries" in sql.conf
|
||||
}# -sql
|
||||
{
|
||||
#
|
||||
# If you are using /etc/smbpasswd, and are also doing
|
||||
# mschap authentication, the un-comment this line, and
|
||||
# configure the 'smbpasswd' module.
|
||||
}# smbpasswd
|
||||
{
|
||||
#
|
||||
# The ldap module reads passwords from the LDAP database.
|
||||
} -ldap
|
||||
if ((ok || updated) && User-Password) \{
|
||||
update control \{
|
||||
Auth-Type := ldap
|
||||
\}
|
||||
\}
|
||||
{ #
|
||||
# Enforce daily limits on time spent logged in.
|
||||
# daily
|
||||
|
||||
#
|
||||
} expiration
|
||||
logintime
|
||||
{
|
||||
#
|
||||
# If no other module has claimed responsibility for
|
||||
# authentication, then try to use PAP. This allows the
|
||||
# other modules listed above to add a "known good" password
|
||||
# to the request, and to do nothing else. The PAP module
|
||||
# will then see that password, and use it to do PAP
|
||||
# authentication.
|
||||
#
|
||||
# This module should be listed last, so that the other modules
|
||||
# get a chance to set Auth-Type for themselves.
|
||||
#
|
||||
} pap
|
||||
|
||||
@ -0,0 +1 @@
|
||||
\}
|
||||
@ -0,0 +1,5 @@
|
||||
{
|
||||
my @authModules = '';
|
||||
$OUT = '';
|
||||
}
|
||||
|
||||
@ -0,0 +1,5 @@
|
||||
{
|
||||
push(@authModules, "\tAuth-Type MS-CHAP\{\n\t\tmschap\n\t\}\n");
|
||||
$OUT = '';
|
||||
}
|
||||
|
||||
@ -0,0 +1,5 @@
|
||||
{
|
||||
push(@authModules, "\tAuth-Type LDAP\{\n\t\tldap\n\t\}\n");
|
||||
$OUT = '';
|
||||
}
|
||||
|
||||
@ -0,0 +1,4 @@
|
||||
{
|
||||
push(@authModules, "\tAuth-Type EAP\{\n\t\teap\n\t\}\n");
|
||||
$OUT = '';
|
||||
}
|
||||
@ -0,0 +1,7 @@
|
||||
{
|
||||
if (($radiusd{'PAP'} || 'disabled') eq 'enabled')
|
||||
{
|
||||
push(@authModules, "\tAuth-Type PAP\{\n\t\tpap\n\t\}\n");
|
||||
$OUT = '';
|
||||
}
|
||||
}
|
||||
@ -0,0 +1,23 @@
|
||||
{
|
||||
# Authentication.
|
||||
#
|
||||
# This section lists which modules are available for authentication.
|
||||
# Note that it does NOT mean 'try each module in order'. It means
|
||||
# that a module from the 'authorize' section adds a configuration
|
||||
# attribute 'Auth-Type := FOO'. That authentication type is then
|
||||
# used to pick the apropriate module from the list below.
|
||||
#
|
||||
# In general, you SHOULD NOT set the Auth-Type attribute. The server
|
||||
# will figure it out on its own, and will do the right thing. The
|
||||
# most common side effect of erroneously setting the Auth-Type
|
||||
# attribute is that one authentication method will work, but the
|
||||
# others will not.
|
||||
#
|
||||
# The common reasons to set the Auth-Type attribute by hand
|
||||
# is to either forcibly reject the user, or forcibly accept him.
|
||||
|
||||
$OUT = "authenticate \{\n";
|
||||
$OUT .= "$_\n" foreach @authModules;
|
||||
$OUT .= "\}\n";
|
||||
|
||||
}
|
||||
@ -0,0 +1,47 @@
|
||||
{
|
||||
#
|
||||
# Pre-accounting. Decide which accounting type to use.
|
||||
#
|
||||
}preacct \{
|
||||
preprocess
|
||||
{
|
||||
#
|
||||
# Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets
|
||||
# into a single 64bit counter Acct-[Input|Output]-Octets64.
|
||||
#
|
||||
}# acct_counters64
|
||||
{
|
||||
#
|
||||
# Session start times are *implied* in RADIUS.
|
||||
# The NAS never sends a "start time". Instead, it sends
|
||||
# a start packet, *possibly* with an Acct-Delay-Time.
|
||||
# The server is supposed to conclude that the start time
|
||||
# was "Acct-Delay-Time" seconds in the past.
|
||||
#
|
||||
# The code below creates an explicit start time, which can
|
||||
# then be used in other modules. It will be *mostly* correct.
|
||||
# Any errors are due to the 1-second resolution of RADIUS,
|
||||
# and the possibility that the time on the NAS may be off.
|
||||
#
|
||||
# The start time is: NOW - delay - session_length
|
||||
#
|
||||
}
|
||||
# update request {
|
||||
# FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
|
||||
# }
|
||||
|
||||
{
|
||||
#
|
||||
# Ensure that we have a semi-unique identifier for every
|
||||
# request, and many NAS boxes are broken.
|
||||
}
|
||||
|
||||
acct_unique
|
||||
{
|
||||
# Accounting requests are generally proxied to the same
|
||||
# home server as authentication requests.
|
||||
} suffix
|
||||
ntdomain
|
||||
files
|
||||
|
||||
\}
|
||||
@ -0,0 +1,5 @@
|
||||
{
|
||||
#
|
||||
# Accounting. Log the accounting data.
|
||||
#
|
||||
}accounting \{
|
||||
@ -0,0 +1,5 @@
|
||||
{ #
|
||||
# Create a 'detail'ed log of the packets.
|
||||
# Note that accounting requests which are proxied
|
||||
# are also logged in the detail file.
|
||||
} detail
|
||||
@ -0,0 +1 @@
|
||||
\}
|
||||
@ -0,0 +1,6 @@
|
||||
{
|
||||
# Session database, used for checking Simultaneous-Use. Either the radutmp
|
||||
# or rlm_sql module can handle this.
|
||||
# The rlm_sql module is *much* faster
|
||||
}session \{
|
||||
|
||||
@ -0,0 +1 @@
|
||||
\}
|
||||
@ -0,0 +1,8 @@
|
||||
{
|
||||
# Post-Authentication
|
||||
# Once we KNOW that the user has been authenticated, there are
|
||||
# additional steps we can take.
|
||||
}post-auth \{
|
||||
# Get an address from the IP Pool.
|
||||
# main_pool
|
||||
|
||||
@ -0,0 +1,26 @@
|
||||
{
|
||||
# Remove reply message if the response contains an EAP-Message
|
||||
} remove_reply_message_if_eap
|
||||
{
|
||||
#
|
||||
# Access-Reject packets are sent through the REJECT sub-section of the
|
||||
# post-auth section.
|
||||
#
|
||||
# Add the ldap module name (or instance) if you have set
|
||||
# 'edir_account_policy_check = yes' in the ldap module configuration
|
||||
#
|
||||
} Post-Auth-Type REJECT \{
|
||||
# log failed authentications in SQL, too.
|
||||
#-sql
|
||||
attr_filter.access_reject
|
||||
|
||||
# Insert EAP-Failure message if the request was
|
||||
# rejected by policy instead of because of an
|
||||
# authentication failure
|
||||
eap
|
||||
|
||||
# Remove reply message if the response contains an EAP-Message
|
||||
remove_reply_message_if_eap
|
||||
\}
|
||||
\}
|
||||
|
||||
@ -0,0 +1,28 @@
|
||||
pre-proxy \{
|
||||
{
|
||||
# Before proxing the request add an Operator-Name attribute identifying
|
||||
# if the operator-name is found for this client.
|
||||
# No need to uncomment this if you have already enabled this in
|
||||
# the authorize section.
|
||||
}# operator-name
|
||||
{
|
||||
# The client requests the CUI by sending a CUI attribute
|
||||
# containing one zero byte.
|
||||
# Uncomment the line below if *requesting* the CUI.
|
||||
}# cui
|
||||
{
|
||||
# Uncomment the following line if you want to change attributes
|
||||
# as defined in the preproxy_users file.
|
||||
}# files
|
||||
{
|
||||
# Uncomment the following line if you want to filter requests
|
||||
# sent to remote servers based on the rules defined in the
|
||||
# 'attrs.pre-proxy' file.
|
||||
}# attr_filter.pre-proxy
|
||||
{
|
||||
# If you want to have a log of packets proxied to a home
|
||||
# server, un-comment the following line, and the
|
||||
# 'detail pre_proxy_log' section, above.
|
||||
}# pre_proxy_log
|
||||
\}
|
||||
|
||||
@ -0,0 +1,54 @@
|
||||
{
|
||||
#
|
||||
# When the server receives a reply to a request it proxied
|
||||
# to a home server, the request may be massaged here, in the
|
||||
# post-proxy stage.
|
||||
#
|
||||
}
|
||||
post-proxy \{
|
||||
{
|
||||
# If you want to have a log of replies from a home server,
|
||||
# un-comment the following line, and the 'detail post_proxy_log'
|
||||
# section, above.
|
||||
}# post_proxy_log
|
||||
{
|
||||
# Uncomment the following line if you want to filter replies from
|
||||
# remote proxies based on the rules defined in the 'attrs' file.
|
||||
}# attr_filter.post-proxy
|
||||
{
|
||||
#
|
||||
# If you are proxying LEAP, you MUST configure the EAP
|
||||
# module, and you MUST list it here, in the post-proxy
|
||||
# stage.
|
||||
#
|
||||
# You MUST also use the 'nostrip' option in the 'realm'
|
||||
# configuration. Otherwise, the User-Name attribute
|
||||
# in the proxied request will not match the user name
|
||||
# hidden inside of the EAP packet, and the end server will
|
||||
# reject the EAP request.
|
||||
#
|
||||
} eap
|
||||
{
|
||||
#
|
||||
# If the server tries to proxy a request and fails, then the
|
||||
# request is processed through the modules in this section.
|
||||
#
|
||||
# The main use of this section is to permit robust proxying
|
||||
# of accounting packets. The server can be configured to
|
||||
# proxy accounting packets as part of normal processing.
|
||||
# Then, if the home server goes down, accounting packets can
|
||||
# be logged to a local "detail" file, for processing with
|
||||
# radrelay. When the home server comes back up, radrelay
|
||||
# will read the detail file, and send the packets to the
|
||||
# home server.
|
||||
#
|
||||
# With this configuration, the server always responds to
|
||||
# Accounting-Requests from the NAS, but only writes
|
||||
# accounting packets to disk if the home server is down.
|
||||
#
|
||||
}# Post-Proxy-Type Fail \{
|
||||
# detail
|
||||
# \}
|
||||
\}
|
||||
|
||||
|
||||
@ -0,0 +1,7 @@
|
||||
|
||||
\}
|
||||
{
|
||||
#
|
||||
#end of default server
|
||||
#
|
||||
}
|
||||
@ -0,0 +1,13 @@
|
||||
{
|
||||
# -*- text -*-
|
||||
######################################################################
|
||||
#
|
||||
# This is a virtual server that handles *only* inner tunnel
|
||||
# requests for EAP-TTLS and PEAP types.
|
||||
#
|
||||
# $Id: e-smith-radiusd-2.6.0-freeradius3ter.patch,v 1.2 2016/04/10 07:30:52 unnilennium Exp $
|
||||
#
|
||||
######################################################################
|
||||
}
|
||||
server inner-tunnel \{
|
||||
|
||||
@ -0,0 +1,27 @@
|
||||
{
|
||||
#
|
||||
# This next section is here to allow testing of the "inner-tunnel"
|
||||
# authentication methods, independently from the "default" server.
|
||||
# It is listening on "localhost", so that it can only be used from
|
||||
# the same machine.
|
||||
#
|
||||
# $ radtest USER PASSWORD 127.0.0.1:18120 0 testing123
|
||||
#
|
||||
# If it works, you have configured the inner tunnel correctly. To check
|
||||
# if PEAP will work, use:
|
||||
#
|
||||
# $ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123
|
||||
#
|
||||
# If that works, PEAP should work. If that command doesn't work, then
|
||||
#
|
||||
# FIX THE INNER TUNNEL CONFIGURATION SO THAT IT WORKS.
|
||||
#
|
||||
# Do NOT do any PEAP tests. It won't help. Instead, concentrate
|
||||
# on fixing the inner tunnel configuration. DO NOTHING ELSE.
|
||||
#
|
||||
}
|
||||
listen \{
|
||||
ipaddr = 127.0.0.1
|
||||
port = 18120
|
||||
type = auth
|
||||
\}
|
||||
@ -0,0 +1,11 @@
|
||||
{
|
||||
# Authorization. First preprocess (hints and huntgroups files),
|
||||
# then realms, and finally look in the "users" file.
|
||||
#
|
||||
# The order of the realm modules will determine the order that
|
||||
# we try to find a matching realm.
|
||||
#
|
||||
# Make *sure* that 'preprocess' comes before any realm if you
|
||||
# need to setup hints for the remote radius server
|
||||
}
|
||||
authorize \{
|
||||
@ -0,0 +1,117 @@
|
||||
{
|
||||
#
|
||||
# The chap module will set 'Auth-Type := CHAP' if we are
|
||||
# handling a CHAP request and Auth-Type has not already been set
|
||||
} chap
|
||||
{
|
||||
#
|
||||
# If the users are logging in with an MS-CHAP-Challenge
|
||||
# attribute for authentication, the mschap module will find
|
||||
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
|
||||
# to the request, which will cause the server to then use
|
||||
# the mschap module for authentication.
|
||||
} mschap
|
||||
{
|
||||
#
|
||||
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
|
||||
# using the system API's to get the password. If you want
|
||||
# to read /etc/passwd or /etc/shadow directly, see the
|
||||
# passwd module, above.
|
||||
#
|
||||
}# unix
|
||||
{
|
||||
#
|
||||
# Look for IPASS style 'realm/', and if not found, look for
|
||||
# '@realm', and decide whether or not to proxy, based on
|
||||
# that.
|
||||
}# IPASS
|
||||
{
|
||||
#
|
||||
# If you are using multiple kinds of realms, you probably
|
||||
# want to set "ignore_null = yes" for all of them.
|
||||
# Otherwise, when the first style of realm doesn't match,
|
||||
# the other styles won't be checked.
|
||||
#
|
||||
# Note that proxying the inner tunnel authentication means
|
||||
# that the user MAY use one identity in the outer session
|
||||
# (e.g. "anonymous", and a different one here
|
||||
# (e.g. "user@example.com"). The inner session will then be
|
||||
# proxied elsewhere for authentication. If you are not
|
||||
# careful, this means that the user can cause you to forward
|
||||
# the authentication to another RADIUS server, and have the
|
||||
# accounting logs *not* sent to the other server. This makes
|
||||
# it difficult to bill people for their network activity.
|
||||
#
|
||||
} suffix
|
||||
# ntdomain
|
||||
{
|
||||
#
|
||||
# The "suffix" module takes care of stripping the domain
|
||||
# (e.g. "@example.com") from the User-Name attribute, and the
|
||||
# next few lines ensure that the request is not proxied.
|
||||
#
|
||||
# If you want the inner tunnel request to be proxied, delete
|
||||
# the next few lines.
|
||||
#
|
||||
|
||||
} update control \{
|
||||
Proxy-To-Realm := LOCAL
|
||||
\}
|
||||
{
|
||||
#
|
||||
# This module takes care of EAP-MSCHAPv2 authentication.
|
||||
#
|
||||
# It also sets the EAP-Type attribute in the request
|
||||
# attribute list to the EAP type from the packet.
|
||||
#
|
||||
# The example below uses module failover to avoid querying all
|
||||
# of the following modules if the EAP module returns "ok".
|
||||
# Therefore, your LDAP and/or SQL servers will not be queried
|
||||
# for the many packets that go back and forth to set up TTLS
|
||||
# or PEAP. The load on those servers will therefore be reduced.
|
||||
#
|
||||
} eap \{
|
||||
ok = return
|
||||
\}
|
||||
{
|
||||
#
|
||||
# Read the 'users' file
|
||||
} files
|
||||
{
|
||||
#
|
||||
# Look in an SQL database. The schema of the database
|
||||
# is meant to mirror the "users" file.
|
||||
#
|
||||
# See "Authorization Queries" in sql.conf
|
||||
}# -sql
|
||||
-ldap
|
||||
if ((ok || updated) && User-Password) \{
|
||||
update control \{
|
||||
Auth-Type := ldap
|
||||
\}
|
||||
\}
|
||||
{
|
||||
#
|
||||
# Enforce daily limits on time spent logged in.
|
||||
}# daily
|
||||
expiration
|
||||
logintime
|
||||
{
|
||||
# If you are using /etc/smbpasswd, and are also doing
|
||||
# mschap authentication, then un-comment this line, and
|
||||
# enable the "smbpasswd" module.
|
||||
} smbpasswd
|
||||
{
|
||||
#
|
||||
# If no other module has claimed responsibility for
|
||||
# authentication, then try to use PAP. This allows the
|
||||
# other modules listed above to add a "known good" password
|
||||
# to the request, and to do nothing else. The PAP module
|
||||
# will then see that password, and use it to do PAP
|
||||
# authentication.
|
||||
#
|
||||
# This module should be listed last, so that the other modules
|
||||
# get a chance to set Auth-Type for themselves.
|
||||
#
|
||||
} pap
|
||||
|
||||
@ -0,0 +1 @@
|
||||
\}
|
||||
@ -0,0 +1,5 @@
|
||||
{
|
||||
my @authModules = '';
|
||||
$OUT = '';
|
||||
}
|
||||
|
||||
@ -0,0 +1,5 @@
|
||||
{
|
||||
push(@authModules, "\tAuth-Type MS-CHAP\{\n\t\tmschap\n\t\}\n");
|
||||
$OUT = '';
|
||||
}
|
||||
|
||||
@ -0,0 +1,5 @@
|
||||
{
|
||||
push(@authModules, "\tAuth-Type PAP\{\n\t\tpap\n\t\}\n");
|
||||
$OUT = '';
|
||||
}
|
||||
|
||||
@ -0,0 +1,5 @@
|
||||
{
|
||||
push(@authModules, "\tAuth-Type CHAP\{\n\t\tchap\n\t\}\n");
|
||||
$OUT = '';
|
||||
}
|
||||
|
||||
@ -0,0 +1,5 @@
|
||||
{
|
||||
push(@authModules, "\tAuth-Type LDAP\{\n\t\tldap\n\t\}\n");
|
||||
$OUT = '';
|
||||
}
|
||||
|
||||
@ -0,0 +1,4 @@
|
||||
{
|
||||
push(@authModules, "\tAuth-Type EAP\{\n\t\teap\n\t\}\n");
|
||||
$OUT = '';
|
||||
}
|
||||
@ -0,0 +1,23 @@
|
||||
{
|
||||
# Authentication.
|
||||
#
|
||||
# This section lists which modules are available for authentication.
|
||||
# Note that it does NOT mean 'try each module in order'. It means
|
||||
# that a module from the 'authorize' section adds a configuration
|
||||
# attribute 'Auth-Type := FOO'. That authentication type is then
|
||||
# used to pick the apropriate module from the list below.
|
||||
#
|
||||
# In general, you SHOULD NOT set the Auth-Type attribute. The server
|
||||
# will figure it out on its own, and will do the right thing. The
|
||||
# most common side effect of erroneously setting the Auth-Type
|
||||
# attribute is that one authentication method will work, but the
|
||||
# others will not.
|
||||
#
|
||||
# The common reasons to set the Auth-Type attribute by hand
|
||||
# is to either forcibly reject the user, or forcibly accept him.
|
||||
|
||||
$OUT = "authenticate \{\n";
|
||||
$OUT .= "$_\n" foreach @authModules;
|
||||
$OUT .= "\}\n";
|
||||
|
||||
}
|
||||
@ -0,0 +1,47 @@
|
||||
{
|
||||
#
|
||||
# Pre-accounting. Decide which accounting type to use.
|
||||
#
|
||||
}preacct \{
|
||||
preprocess
|
||||
{
|
||||
#
|
||||
# Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets
|
||||
# into a single 64bit counter Acct-[Input|Output]-Octets64.
|
||||
#
|
||||
}# acct_counters64
|
||||
{
|
||||
#
|
||||
# Session start times are *implied* in RADIUS.
|
||||
# The NAS never sends a "start time". Instead, it sends
|
||||
# a start packet, *possibly* with an Acct-Delay-Time.
|
||||
# The server is supposed to conclude that the start time
|
||||
# was "Acct-Delay-Time" seconds in the past.
|
||||
#
|
||||
# The code below creates an explicit start time, which can
|
||||
# then be used in other modules. It will be *mostly* correct.
|
||||
# Any errors are due to the 1-second resolution of RADIUS,
|
||||
# and the possibility that the time on the NAS may be off.
|
||||
#
|
||||
# The start time is: NOW - delay - session_length
|
||||
#
|
||||
}
|
||||
# update request {
|
||||
# FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
|
||||
# }
|
||||
|
||||
{
|
||||
#
|
||||
# Ensure that we have a semi-unique identifier for every
|
||||
# request, and many NAS boxes are broken.
|
||||
}
|
||||
|
||||
acct_unique
|
||||
{
|
||||
# Accounting requests are generally proxied to the same
|
||||
# home server as authentication requests.
|
||||
} suffix
|
||||
ntdomain
|
||||
files
|
||||
|
||||
\}
|
||||
@ -0,0 +1,6 @@
|
||||
{
|
||||
# Session database, used for checking Simultaneous-Use. Either the radutmp
|
||||
# or rlm_sql module can handle this.
|
||||
# The rlm_sql module is *much* faster
|
||||
}session \{
|
||||
|
||||
@ -0,0 +1,3 @@
|
||||
radutmp
|
||||
# sql
|
||||
|
||||
@ -0,0 +1 @@
|
||||
\}
|
||||
@ -0,0 +1,8 @@
|
||||
{
|
||||
# Post-Authentication
|
||||
# Once we KNOW that the user has been authenticated, there are
|
||||
# additional steps we can take.
|
||||
}post-auth \{
|
||||
# Get an address from the IP Pool.
|
||||
# main_pool
|
||||
|
||||
@ -0,0 +1,31 @@
|
||||
{
|
||||
# If you want privacy to remain, see the
|
||||
# Chargeable-User-Identity attribute from RFC 4372.
|
||||
# If you want to use it just uncomment the line below.
|
||||
}# cui-inner
|
||||
{
|
||||
#
|
||||
# If you want to have a log of authentication replies,
|
||||
# un-comment the following line, and enable the
|
||||
# 'detail reply_log' module.
|
||||
}# reply_log
|
||||
{
|
||||
#
|
||||
# After authenticating the user, do another SQL query.
|
||||
#
|
||||
# See "Authentication Logging Queries" in sql.conf
|
||||
}# -sql
|
||||
{
|
||||
#
|
||||
# Instead of sending the query to the SQL server,
|
||||
# write it into a log file.
|
||||
#
|
||||
}# sql_log
|
||||
{
|
||||
#
|
||||
# Un-comment the following if you have set
|
||||
# 'edir_account_policy_check = yes' in the ldap module sub-section of
|
||||
# the 'modules' section.
|
||||
#
|
||||
}# ldap
|
||||
|
||||
@ -0,0 +1,26 @@
|
||||
{
|
||||
# Remove reply message if the response contains an EAP-Message
|
||||
} remove_reply_message_if_eap
|
||||
{
|
||||
#
|
||||
# Access-Reject packets are sent through the REJECT sub-section of the
|
||||
# post-auth section.
|
||||
#
|
||||
# Add the ldap module name (or instance) if you have set
|
||||
# 'edir_account_policy_check = yes' in the ldap module configuration
|
||||
#
|
||||
} Post-Auth-Type REJECT \{
|
||||
# log failed authentications in SQL, too.
|
||||
#-sql
|
||||
attr_filter.access_reject
|
||||
|
||||
# Insert EAP-Failure message if the request was
|
||||
# rejected by policy instead of because of an
|
||||
# authentication failure
|
||||
eap
|
||||
|
||||
# Remove reply message if the response contains an EAP-Message
|
||||
remove_reply_message_if_eap
|
||||
\}
|
||||
\}
|
||||
|
||||
@ -0,0 +1,17 @@
|
||||
pre-proxy \{
|
||||
{
|
||||
# Uncomment the following line if you want to change attributes
|
||||
# as defined in the preproxy_users file.
|
||||
}# files
|
||||
{
|
||||
# Uncomment the following line if you want to filter requests
|
||||
# sent to remote servers based on the rules defined in the
|
||||
# 'attrs.pre-proxy' file.
|
||||
}# attr_filter.pre-proxy
|
||||
{
|
||||
# If you want to have a log of packets proxied to a home
|
||||
# server, un-comment the following line, and the
|
||||
# 'detail pre_proxy_log' section, above.
|
||||
}# pre_proxy_log
|
||||
\}
|
||||
|
||||
@ -0,0 +1,54 @@
|
||||
{
|
||||
#
|
||||
# When the server receives a reply to a request it proxied
|
||||
# to a home server, the request may be massaged here, in the
|
||||
# post-proxy stage.
|
||||
#
|
||||
}
|
||||
post-proxy \{
|
||||
{
|
||||
# If you want to have a log of replies from a home server,
|
||||
# un-comment the following line, and the 'detail post_proxy_log'
|
||||
# section, above.
|
||||
}# post_proxy_log
|
||||
{
|
||||
# Uncomment the following line if you want to filter replies from
|
||||
# remote proxies based on the rules defined in the 'attrs' file.
|
||||
}# attr_filter.post-proxy
|
||||
{
|
||||
#
|
||||
# If you are proxying LEAP, you MUST configure the EAP
|
||||
# module, and you MUST list it here, in the post-proxy
|
||||
# stage.
|
||||
#
|
||||
# You MUST also use the 'nostrip' option in the 'realm'
|
||||
# configuration. Otherwise, the User-Name attribute
|
||||
# in the proxied request will not match the user name
|
||||
# hidden inside of the EAP packet, and the end server will
|
||||
# reject the EAP request.
|
||||
#
|
||||
} eap
|
||||
{
|
||||
#
|
||||
# If the server tries to proxy a request and fails, then the
|
||||
# request is processed through the modules in this section.
|
||||
#
|
||||
# The main use of this section is to permit robust proxying
|
||||
# of accounting packets. The server can be configured to
|
||||
# proxy accounting packets as part of normal processing.
|
||||
# Then, if the home server goes down, accounting packets can
|
||||
# be logged to a local "detail" file, for processing with
|
||||
# radrelay. When the home server comes back up, radrelay
|
||||
# will read the detail file, and send the packets to the
|
||||
# home server.
|
||||
#
|
||||
# With this configuration, the server always responds to
|
||||
# Accounting-Requests from the NAS, but only writes
|
||||
# accounting packets to disk if the home server is down.
|
||||
#
|
||||
}# Post-Proxy-Type Fail \{
|
||||
# detail
|
||||
# \}
|
||||
\}
|
||||
|
||||
|
||||
@ -0,0 +1,7 @@
|
||||
|
||||
\}
|
||||
{
|
||||
#
|
||||
#end of default server
|
||||
#
|
||||
}
|
||||
@ -0,0 +1 @@
|
||||
auth_order radius,local
|
||||
@ -0,0 +1 @@
|
||||
login_tries 4
|
||||
@ -0,0 +1 @@
|
||||
login_timeout 60
|
||||
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue