├── .dockerignore ├── .gitignore ├── .travis.yml ├── Dockerfile ├── LICENSE ├── README.md ├── configs ├── mysql │ ├── master │ │ └── conf.d │ │ │ ├── max_allowed_packet.cnf │ │ │ └── sql_mode.cnf │ └── radius.sql └── radius │ └── users ├── docker-compose.yml ├── docs ├── README.md └── _config.yml ├── etc └── raddb │ ├── README.rst │ ├── certs │ ├── Makefile │ ├── README │ ├── bootstrap │ ├── ca.cnf │ ├── client.cnf │ ├── inner-server.cnf │ ├── server.cnf │ └── xpextensions │ ├── clients.conf │ ├── dictionary │ ├── experimental.conf │ ├── hints │ ├── huntgroups │ ├── mods-available │ ├── README.rst │ ├── abfab_psk_sql │ ├── always │ ├── attr_filter │ ├── cache │ ├── cache_eap │ ├── chap │ ├── couchbase │ ├── counter │ ├── cui │ ├── date │ ├── detail │ ├── detail.example.com │ ├── detail.log │ ├── dhcp │ ├── dhcp_sqlippool │ ├── digest │ ├── dynamic_clients │ ├── eap │ ├── eap.save │ ├── echo │ ├── etc_group │ ├── exec │ ├── expiration │ ├── expr │ ├── files │ ├── idn │ ├── inner-eap │ ├── ippool │ ├── krb5 │ ├── ldap │ ├── linelog │ ├── logintime │ ├── mac2ip │ ├── mac2vlan │ ├── moonshot-targeted-ids │ ├── mschap │ ├── ntlm_auth │ ├── opendirectory │ ├── otp │ ├── pam │ ├── pap │ ├── passwd │ ├── perl │ ├── preprocess │ ├── python │ ├── radutmp │ ├── realm │ ├── redis │ ├── rediswho │ ├── replicate │ ├── rest │ ├── smbpasswd │ ├── smsotp │ ├── soh │ ├── sometimes │ ├── sql │ ├── sqlcounter │ ├── sqlippool │ ├── sradutmp │ ├── unbound │ ├── unix │ ├── unpack │ ├── utf8 │ ├── wimax │ └── yubikey │ ├── mods-config │ ├── README.rst │ ├── attr_filter │ │ ├── access_challenge │ │ ├── access_reject │ │ ├── accounting_response │ │ ├── post-proxy │ │ └── pre-proxy │ ├── files │ │ ├── accounting │ │ ├── authorize │ │ └── pre-proxy │ ├── perl │ │ └── example.pl │ ├── preprocess │ │ ├── hints │ │ └── huntgroups │ ├── sql │ │ ├── counter │ │ │ ├── mysql │ │ │ │ ├── dailycounter.conf │ │ │ │ ├── expire_on_login.conf │ │ │ │ ├── monthlycounter.conf │ │ │ │ └── noresetcounter.conf 
│ │ │ ├── postgresql │ │ │ │ ├── dailycounter.conf │ │ │ │ ├── expire_on_login.conf │ │ │ │ ├── monthlycounter.conf │ │ │ │ └── noresetcounter.conf │ │ │ └── sqlite │ │ │ │ ├── dailycounter.conf │ │ │ │ ├── expire_on_login.conf │ │ │ │ ├── monthlycounter.conf │ │ │ │ └── noresetcounter.conf │ │ ├── cui │ │ │ ├── mysql │ │ │ │ ├── queries.conf │ │ │ │ └── schema.sql │ │ │ ├── postgresql │ │ │ │ ├── queries.conf │ │ │ │ └── schema.sql │ │ │ └── sqlite │ │ │ │ ├── queries.conf │ │ │ │ └── schema.sql │ │ ├── ippool-dhcp │ │ │ ├── mysql │ │ │ │ ├── queries.conf │ │ │ │ └── schema.sql │ │ │ ├── oracle │ │ │ │ ├── queries.conf │ │ │ │ └── schema.sql │ │ │ └── sqlite │ │ │ │ ├── queries.conf │ │ │ │ └── schema.sql │ │ ├── ippool │ │ │ ├── mysql │ │ │ │ ├── queries.conf │ │ │ │ └── schema.sql │ │ │ ├── oracle │ │ │ │ ├── procedures.sql │ │ │ │ ├── queries.conf │ │ │ │ └── schema.sql │ │ │ ├── postgresql │ │ │ │ ├── queries.conf │ │ │ │ └── schema.sql │ │ │ └── sqlite │ │ │ │ ├── queries.conf │ │ │ │ └── schema.sql │ │ ├── main │ │ │ ├── mssql │ │ │ │ ├── queries.conf │ │ │ │ └── schema.sql │ │ │ ├── mysql │ │ │ │ ├── extras │ │ │ │ │ └── wimax │ │ │ │ │ │ ├── queries.conf │ │ │ │ │ │ └── schema.sql │ │ │ │ ├── queries.conf │ │ │ │ ├── schema.sql │ │ │ │ └── setup.sql │ │ │ ├── ndb │ │ │ │ ├── README │ │ │ │ ├── schema.sql │ │ │ │ └── setup.sql │ │ │ ├── oracle │ │ │ │ ├── queries.conf │ │ │ │ └── schema.sql │ │ │ ├── postgresql │ │ │ │ ├── extras │ │ │ │ │ ├── cisco_h323_db_schema.sql │ │ │ │ │ ├── update_radacct_group.sql │ │ │ │ │ └── voip-postpaid.conf │ │ │ │ ├── queries.conf │ │ │ │ ├── schema.sql │ │ │ │ └── setup.sql │ │ │ └── sqlite │ │ │ │ ├── queries.conf │ │ │ │ └── schema.sql │ │ └── moonshot-targeted-ids │ │ │ ├── mysql │ │ │ ├── queries.conf │ │ │ └── schema.sql │ │ │ ├── postgresql │ │ │ ├── queries.conf │ │ │ └── schema.sql │ │ │ └── sqlite │ │ │ ├── queries.conf │ │ │ └── schema.sql │ └── unbound │ │ └── default.conf │ ├── mods-enabled │ ├── always │ ├── 
attr_filter │ ├── cache_eap │ ├── chap │ ├── date │ ├── detail │ ├── detail.log │ ├── digest │ ├── dynamic_clients │ ├── eap │ ├── echo │ ├── exec │ ├── expiration │ ├── expr │ ├── files │ ├── linelog │ ├── logintime │ ├── mschap │ ├── ntlm_auth │ ├── pap │ ├── passwd │ ├── preprocess │ ├── radutmp │ ├── realm │ ├── replicate │ ├── soh │ ├── sql │ ├── sradutmp │ ├── unix │ ├── unpack │ └── utf8 │ ├── panic.gdb │ ├── policy.d │ ├── abfab-tr │ ├── accounting │ ├── canonicalization │ ├── control │ ├── cui │ ├── debug │ ├── dhcp │ ├── eap │ ├── filter │ ├── moonshot-targeted-ids │ └── operator-name │ ├── proxy.conf │ ├── radiusd.conf │ ├── sites-available │ ├── README │ ├── abfab-tls │ ├── abfab-tr-idp │ ├── buffered-sql │ ├── challenge │ ├── channel_bindings │ ├── check-eap-tls │ ├── coa │ ├── control-socket │ ├── copy-acct-to-home-server │ ├── decoupled-accounting │ ├── default │ ├── default.orig │ ├── dhcp │ ├── dhcp.relay │ ├── dynamic-clients │ ├── example │ ├── inner-tunnel │ ├── inner-tunnel.orig │ ├── originate-coa │ ├── proxy-inner-tunnel │ ├── robust-proxy-accounting │ ├── soh │ ├── status │ ├── tls │ ├── virtual.example.com │ └── vmps │ ├── sites-enabled │ ├── default │ └── inner-tunnel │ ├── templates.conf │ ├── trigger.conf │ └── users └── scripts ├── run-tests.sh ├── start.sh └── wait-for.sh /.dockerignore: -------------------------------------------------------------------------------- 1 | .dockerignore 2 | .git* 3 | .idea 4 | .travis.yml 5 | docs/_config.yml 6 | docker-compose.yml 7 | configs 8 | /dump/ 9 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *~ 2 | .idea 3 | *.pem 4 | *.der 5 | *.csr 6 | *.crt 7 | *.key 8 | *.p12 9 | serial* 10 | index.txt* 11 | configs/mysql/master/data 12 | /dump/ 13 | -------------------------------------------------------------------------------- /.travis.yml: 
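--------------------------------------------------------------------------------
1 | # travis.yml
2 | 
3 | sudo: required
4 | services:
5 |   - docker
6 | 
7 | env:
8 |   - COMPOSE_VERSION=1.23.1
9 | 
10 | before_install:
11 |   # NOTE(review): the compose release binary is fetched without checksum or
12 |   # signature verification; pin the artifact and verify it (sha256sum -c
13 |   # against the published checksum) before installing it system-wide.
14 |   # -f makes curl fail on an HTTP error instead of saving the error page
15 |   # as the "binary".
16 |   - curl -fL "https://github.com/docker/compose/releases/download/${COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m)" > docker-compose
17 |   - chmod +x docker-compose
18 |   - sudo mv docker-compose /usr/local/bin
19 |   - docker-compose --version
20 | 
21 | install:
22 |   - docker build --pull --no-cache -t 2stacks/freeradius .
23 | 
24 | # Assist with ci test debugging:
25 | # - DEBUG=1
26 | 
27 | before_script:
28 |   - image="2stacks/freeradius"
29 |   - docker inspect "$image"
30 | 
31 | script: ./scripts/run-tests.sh
32 | 
33 | notifications:
34 |   email:
35 |     - 2stacks@2stacks.net
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM alpine:3.13.1
2 | 
3 | # MAINTAINER is deprecated; the same information goes in a label.
4 | LABEL maintainer="2stacks <2stacks@2stacks.net>"
5 | 
6 | # Use docker build --pull -t 2stacks/freeradius .
7 | 
8 | # Image details
9 | LABEL net.2stacks.name="2stacks" \
10 |       net.2stacks.license="MIT" \
11 |       net.2stacks.description="Dockerfile for autobuilds" \
12 |       net.2stacks.url="http://www.2stacks.net" \
13 |       net.2stacks.vcs-type="Git" \
14 |       net.2stacks.version="1.5.1" \
15 |       net.2stacks.radius.version="3.0.20-r1"
16 | 
17 | # --no-cache fetches a fresh index without leaving it in the image layer.
18 | RUN apk add --no-cache freeradius freeradius-mysql freeradius-eap openssl
19 | 
20 | EXPOSE 1812/udp 1813/udp
21 | 
22 | # Development defaults. The database password and the RADIUS shared secret
23 | # are well-known placeholder values: override them at deploy time (compose
24 | # environment, env file or a secrets mechanism) rather than relying on these.
25 | ENV DB_HOST=localhost
26 | ENV DB_PORT=3306
27 | ENV DB_USER=radius
28 | ENV DB_PASS=radpass
29 | ENV DB_NAME=radius
30 | ENV RADIUS_KEY=testing123
31 | ENV RAD_CLIENTS=10.0.0.0/24
32 | ENV RAD_DEBUG=no
33 | 
34 | # COPY rather than ADD for local paths: ADD also fetches URLs and unpacks
35 | # archives, neither of which is wanted here.
36 | COPY --chown=root:radius ./etc/raddb/ /etc/raddb
37 | 
38 | # bootstrap generates the CA, server and client key pairs at *build* time
39 | # (make is not in this image, so its manual openssl fallback is what runs).
40 | # The same private keys therefore ship in every copy of this image and must
41 | # be treated as test-only material: regenerate /etc/raddb/certs on the
42 | # deployment host before exposing the server. bootstrap already creates the
43 | # files under umask 027; the chmod makes the mode explicit for the PEM
44 | # bundles and the raw *.key files alike.
45 | RUN /etc/raddb/certs/bootstrap && \
46 |     chown -R root:radius /etc/raddb/certs && \
47 |     chmod 640 /etc/raddb/certs/*.pem /etc/raddb/certs/*.key
48 | 
49 | COPY ./scripts/start.sh /start.sh
50 | COPY ./scripts/wait-for.sh /wait-for.sh
51 | 
52 | # Both paths absolute; the original relied on the default WORKDIR being /.
53 | RUN chmod +x /start.sh /wait-for.sh
54 | 
55 | CMD ["/start.sh"]
56 | 
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 | 
3 | Copyright (c) 2017 2stacks
4 | 
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.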
14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | docs/README.md -------------------------------------------------------------------------------- /configs/mysql/master/conf.d/max_allowed_packet.cnf: -------------------------------------------------------------------------------- 1 | [mysqld] 2 | max_allowed_packet=256M 3 | -------------------------------------------------------------------------------- /configs/mysql/master/conf.d/sql_mode.cnf: -------------------------------------------------------------------------------- 1 | [mysqld] 2 | sql_mode = STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION 3 | -------------------------------------------------------------------------------- /configs/radius/users: -------------------------------------------------------------------------------- 1 | testing Cleartext-Password := "password", MS-CHAP-Use-NTLM-Auth := 0 2 | -------------------------------------------------------------------------------- /docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.2' 2 | 3 | services: 4 | freeradius: 5 | image: "2stacks/freeradius" 6 | #ports: 7 | #- "1812:1812/udp" 8 | #- "1813:1813/udp" 9 | #volumes: 10 | #- "./configs/radius/users:/etc/raddb/users" 11 | #- 
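"./configs/radius/clients.conf:/etc/raddb/clients.conf"
12 |     environment:
13 |       #- DB_NAME=radius
14 |       - DB_HOST=mysql
15 |       #- DB_USER=radius
16 |       #- DB_PASS=radpass
17 |       #- DB_PORT=3306
18 |       #- RADIUS_KEY=testing123
19 |       #- RAD_CLIENTS=10.0.0.0/24
20 |       - RAD_DEBUG=yes
21 |     depends_on:
22 |       - mysql
23 |     # links is legacy; name resolution already works over the shared
24 |     # "backend" network, so this entry is redundant and can be dropped.
25 |     links:
26 |       - mysql
27 |     restart: always
28 |     networks:
29 |       - backend
30 | 
31 |   mysql:
32 |     # An untagged image tracks :latest; pin a major version so a re-pull
33 |     # cannot silently change the database server.
34 |     image: "mysql"
35 |     command: --default-authentication-plugin=mysql_native_password
36 |     #ports:
37 |     #- "3306:3306"
38 |     volumes:
39 |       - "./configs/mysql/master/data:/var/lib/mysql"
40 |       #- "./configs/mysql/master/conf.d:/etc/mysql/conf.d"
41 |       - "./configs/mysql/radius.sql:/docker-entrypoint-initdb.d/radius.sql"
42 |     # Development credentials only. MYSQL_PASSWORD must match the freeradius
43 |     # service's DB_PASS (the image default, radpass, unless overridden above);
44 |     # change both together and keep them out of the repository for any
45 |     # non-local deployment (env_file or docker secrets).
46 |     environment:
47 |       - MYSQL_ROOT_PASSWORD=radius
48 |       - MYSQL_USER=radius
49 |       - MYSQL_PASSWORD=radpass
50 |       - MYSQL_DATABASE=radius
51 |     restart: always
52 |     networks:
53 |       - backend
54 | 
55 | networks:
56 |   backend:
57 |     ipam:
58 |       config:
59 |         - subnet: 10.0.0.0/24
60 | 
--------------------------------------------------------------------------------
/docs/_config.yml:
--------------------------------------------------------------------------------
1 | remote_theme: mmistakes/minimal-mistakes
2 | titles_from_headings:
3 |   enabled: true
4 |   strip_title: true
5 | plugins:
6 |   - jekyll-include-cache
7 |   - jekyll-titles-from-headings
--------------------------------------------------------------------------------
/etc/raddb/certs/bootstrap:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | #
3 | # This is a wrapper script to create default certificates when the
4 | # server first starts in debugging mode. Once the certificates have been
5 | # created, this file should be deleted.
6 | #
7 | # Ideally, this program should be run as part of the installation of any
8 | # binary package. The installation should also ensure that the permissions
9 | # and owners are correct for the files generated by this script.
10 | #
11 | # $Id: c9d939beac8d5bdc21ea1ff9233442f9ab933297 $
12 | #
13 | # Key-encryption passwords are not taken from the environment: each openssl
14 | # step reads the output_password line of the matching *.cnf file in this
15 | # directory, so the placeholder value shipped there is what protects the
16 | # generated private keys until the cnf files are changed.
17 | #
18 | umask 027
19 | cd "$(dirname "$0")" || exit 1
20 | 
21 | make -h > /dev/null 2>&1
22 | 
23 | #
24 | # If we have a working "make", then use it. Otherwise, run the commands
25 | # manually.
26 | #
27 | if [ "$?" = "0" ]; then
28 |   make all
29 |   exit $?
30 | fi
31 | 
32 | #
33 | # The following commands were created by running "make -n", and edited
34 | # to remove the trailing backslash, and to add "exit 1" after the commands.
35 | # Every step below carries that "|| exit 1" so a caller (for example a
36 | # Docker build) cannot continue with a partially generated certificate set.
37 | #
38 | # Don't edit the following text. Instead, edit the Makefile, and
39 | # re-generate these commands.
40 | #
41 | if [ ! -f dh ]; then
42 |   # 1024-bit DH parameters fall below the 2048-bit floor current TLS
43 |   # guidance sets. NOTE(review): keep the Makefile's dhparam size in step
44 |   # with this value; generating 2048-bit parameters is noticeably slower.
45 |   openssl dhparam -out dh 2048 || exit 1
46 |   if [ -e /dev/urandom ] ; then
47 |     ln -sf /dev/urandom random
48 |   else
49 |     date > ./random;
50 |   fi
51 | fi
52 | 
53 | if [ ! -f server.key ]; then
54 |   openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1
55 | fi
56 | 
57 | if [ ! -f ca.key ]; then
58 |   openssl req -new -x509 -keyout ca.key -out ca.pem -days "$(grep default_days ca.cnf | sed 's/.*=//;s/^ *//')" -config ./ca.cnf || exit 1
59 | fi
60 | 
61 | if [ ! -f index.txt ]; then
62 |   touch index.txt
63 | fi
64 | 
65 | if [ ! -f serial ]; then
66 |   echo '01' > serial
67 | fi
68 | 
69 | if [ ! -f server.crt ]; then
70 |   openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key "$(grep output_password ca.cnf | sed 's/.*=//;s/^ *//')" -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1
71 | fi
72 | 
73 | if [ ! -f server.p12 ]; then
74 |   openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:"$(grep output_password server.cnf | sed 's/.*=//;s/^ *//')" -passout pass:"$(grep output_password server.cnf | sed 's/.*=//;s/^ *//')" || exit 1
75 | fi
76 | 
77 | # server.pem carries the private key as well as the certificate, hence the
78 | # -passout; the chain is verified against the CA before anything uses it.
79 | if [ ! -f server.pem ]; then
80 |   openssl pkcs12 -in server.p12 -out server.pem -passin pass:"$(grep output_password server.cnf | sed 's/.*=//;s/^ *//')" -passout pass:"$(grep output_password server.cnf | sed 's/.*=//;s/^ *//')" || exit 1
81 |   openssl verify -CAfile ca.pem server.pem || exit 1
82 | fi
83 | 
84 | if [ ! -f ca.der ]; then
85 |   openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1
86 | fi
87 | 
88 | # The client steps abort on failure like every other step, so a failed
89 | # client key or certificate is reported to the caller instead of ignored.
90 | if [ ! -f client.key ]; then
91 |   openssl req -new -out client.csr -keyout client.key -config ./client.cnf || exit 1
92 | fi
93 | 
94 | if [ ! -f client.crt ]; then
95 |   openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key "$(grep output_password ca.cnf | sed 's/.*=//;s/^ *//')" -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf || exit 1
96 | fi
97 | 
--------------------------------------------------------------------------------
/etc/raddb/certs/ca.cnf:
--------------------------------------------------------------------------------
1 | [ ca ]
2 | default_ca = CA_default
3 | 
4 | [ CA_default ]
5 | dir = ./
6 | certs = $dir
7 | crl_dir = $dir/crl
8 | database = $dir/index.txt
9 | new_certs_dir = $dir
10 | certificate = $dir/ca.pem
11 | serial = $dir/serial
12 | crl = $dir/crl.pem
13 | private_key = $dir/ca.key
14 | RANDFILE = $dir/.rand
15 | name_opt = ca_default
16 | cert_opt = ca_default
17 | default_days = 60
18 | default_crl_days = 30
19 | default_md = sha256
20 | preserve = no
21 | policy = policy_match
22 | crlDistributionPoints = URI:http://www.example.org/example_ca.crl
23 | 
24 | [ policy_match ]
25 | countryName = match
26 | stateOrProvinceName = match
27 | organizationName = match
28 | organizationalUnitName = optional
29 | commonName = supplied
30 | emailAddress = optional
31 | 
32 | [ policy_anything ]
33 | countryName = optional
34 | stateOrProvinceName = optional
35 | localityName = optional
36 | organizationName = optional
37 | organizationalUnitName = optional
38 | commonName = supplied
39 | emailAddress = optional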
40 | 41 | [ req ] 42 | prompt = no 43 | distinguished_name = certificate_authority 44 | default_bits = 2048 45 | input_password = whatever 46 | output_password = whatever 47 | x509_extensions = v3_ca 48 | 49 | [certificate_authority] 50 | countryName = FR 51 | stateOrProvinceName = Radius 52 | localityName = Somewhere 53 | organizationName = Example Inc. 54 | emailAddress = admin@example.org 55 | commonName = "Example Certificate Authority" 56 | 57 | [v3_ca] 58 | subjectKeyIdentifier = hash 59 | authorityKeyIdentifier = keyid:always,issuer:always 60 | basicConstraints = critical,CA:true 61 | crlDistributionPoints = URI:http://www.example.org/example_ca.crl 62 | 63 | -------------------------------------------------------------------------------- /etc/raddb/certs/client.cnf: -------------------------------------------------------------------------------- 1 | [ ca ] 2 | default_ca = CA_default 3 | 4 | [ CA_default ] 5 | dir = ./ 6 | certs = $dir 7 | crl_dir = $dir/crl 8 | database = $dir/index.txt 9 | new_certs_dir = $dir 10 | certificate = $dir/ca.pem 11 | serial = $dir/serial 12 | crl = $dir/crl.pem 13 | private_key = $dir/ca.key 14 | RANDFILE = $dir/.rand 15 | name_opt = ca_default 16 | cert_opt = ca_default 17 | default_days = 60 18 | default_crl_days = 30 19 | default_md = sha256 20 | preserve = no 21 | policy = policy_match 22 | 23 | [ policy_match ] 24 | countryName = match 25 | stateOrProvinceName = match 26 | organizationName = match 27 | organizationalUnitName = optional 28 | commonName = supplied 29 | emailAddress = optional 30 | 31 | [ policy_anything ] 32 | countryName = optional 33 | stateOrProvinceName = optional 34 | localityName = optional 35 | organizationName = optional 36 | organizationalUnitName = optional 37 | commonName = supplied 38 | emailAddress = optional 39 | 40 | [ req ] 41 | prompt = no 42 | distinguished_name = client 43 | default_bits = 2048 44 | input_password = whatever 45 | output_password = whatever 46 | 47 | [client] 48 | 
countryName = FR 49 | stateOrProvinceName = Radius 50 | localityName = Somewhere 51 | organizationName = Example Inc. 52 | emailAddress = user@example.org 53 | commonName = user@example.org 54 | -------------------------------------------------------------------------------- /etc/raddb/certs/inner-server.cnf: -------------------------------------------------------------------------------- 1 | [ ca ] 2 | default_ca = CA_default 3 | 4 | [ CA_default ] 5 | dir = ./ 6 | certs = $dir 7 | crl_dir = $dir/crl 8 | database = $dir/index.txt 9 | new_certs_dir = $dir 10 | certificate = $dir/server.pem 11 | serial = $dir/serial 12 | crl = $dir/crl.pem 13 | private_key = $dir/server.key 14 | RANDFILE = $dir/.rand 15 | name_opt = ca_default 16 | cert_opt = ca_default 17 | default_days = 60 18 | default_crl_days = 30 19 | default_md = sha256 20 | preserve = no 21 | policy = policy_match 22 | 23 | [ policy_match ] 24 | countryName = match 25 | stateOrProvinceName = match 26 | organizationName = match 27 | organizationalUnitName = optional 28 | commonName = supplied 29 | emailAddress = optional 30 | 31 | [ policy_anything ] 32 | countryName = optional 33 | stateOrProvinceName = optional 34 | localityName = optional 35 | organizationName = optional 36 | organizationalUnitName = optional 37 | commonName = supplied 38 | emailAddress = optional 39 | 40 | [ req ] 41 | prompt = no 42 | distinguished_name = server 43 | default_bits = 2048 44 | input_password = whatever 45 | output_password = whatever 46 | 47 | [server] 48 | countryName = FR 49 | stateOrProvinceName = Radius 50 | localityName = Somewhere 51 | organizationName = Example Inc. 
52 | emailAddress = admin@example.org 53 | commonName = "Example Inner Server Certificate" 54 | 55 | -------------------------------------------------------------------------------- /etc/raddb/certs/server.cnf: -------------------------------------------------------------------------------- 1 | [ ca ] 2 | default_ca = CA_default 3 | 4 | [ CA_default ] 5 | dir = ./ 6 | certs = $dir 7 | crl_dir = $dir/crl 8 | database = $dir/index.txt 9 | new_certs_dir = $dir 10 | certificate = $dir/server.pem 11 | serial = $dir/serial 12 | crl = $dir/crl.pem 13 | private_key = $dir/server.key 14 | RANDFILE = $dir/.rand 15 | name_opt = ca_default 16 | cert_opt = ca_default 17 | default_days = 60 18 | default_crl_days = 30 19 | default_md = sha256 20 | preserve = no 21 | policy = policy_match 22 | 23 | [ policy_match ] 24 | countryName = match 25 | stateOrProvinceName = match 26 | organizationName = match 27 | organizationalUnitName = optional 28 | commonName = supplied 29 | emailAddress = optional 30 | 31 | [ policy_anything ] 32 | countryName = optional 33 | stateOrProvinceName = optional 34 | localityName = optional 35 | organizationName = optional 36 | organizationalUnitName = optional 37 | commonName = supplied 38 | emailAddress = optional 39 | 40 | [ req ] 41 | prompt = no 42 | distinguished_name = server 43 | default_bits = 2048 44 | input_password = whatever 45 | output_password = whatever 46 | 47 | [server] 48 | countryName = FR 49 | stateOrProvinceName = Radius 50 | localityName = Somewhere 51 | organizationName = Example Inc. 52 | emailAddress = admin@example.org 53 | commonName = "Example Server Certificate" 54 | 55 | -------------------------------------------------------------------------------- /etc/raddb/certs/xpextensions: -------------------------------------------------------------------------------- 1 | # 2 | # File containing the OIDs required for Windows. 
3 | # 4 | # http://support.microsoft.com/kb/814394/en-us 5 | # 6 | [ xpclient_ext] 7 | extendedKeyUsage = 1.3.6.1.5.5.7.3.2 8 | crlDistributionPoints = URI:http://www.example.com/example_ca.crl 9 | 10 | [ xpserver_ext] 11 | extendedKeyUsage = 1.3.6.1.5.5.7.3.1 12 | crlDistributionPoints = URI:http://www.example.com/example_ca.crl 13 | 14 | # 15 | # Add this to the PKCS#7 keybag attributes holding the client's private key 16 | # for machine authentication. 17 | # 18 | # the presence of this OID tells Windows XP that the cert is intended 19 | # for use by the computer itself, and not by an end-user. 20 | # 21 | # The other solution is to use Microsoft's web certificate server 22 | # to generate these certs. 23 | # 24 | # 1.3.6.1.4.1.311.17.2 25 | -------------------------------------------------------------------------------- /etc/raddb/dictionary: -------------------------------------------------------------------------------- 1 | # 2 | # This is the local dictionary file which can be 3 | # edited by local administrators. It will be loaded 4 | # AFTER the main dictionary files are loaded. 5 | # 6 | # As of version 3.0.2, FreeRADIUS will automatically 7 | # load the main dictionary files from 8 | # 9 | # ${prefix}/share/freeradius/dictionary 10 | # 11 | # It is no longer necessary for this file to $INCLUDE 12 | # the main dictionaries. However, if the $INCLUDE 13 | # line is here, nothing bad will happen. 14 | # 15 | # Any new/changed attributes MUST be placed in this file. 16 | # The pre-defined dictionaries SHOULD NOT be edited. 17 | # 18 | # See "man dictionary" for documentation on its format. 19 | # 20 | # $Id: eed5d70f41b314f9ed3f006a22d9f9a2be2c9516 $ 21 | # 22 | 23 | # 24 | # All local attributes and $INCLUDE's should go into 25 | # this file. 26 | # 27 | 28 | # If you want to add entries to the dictionary file, 29 | # which are NOT going to be placed in a RADIUS packet, 30 | # add them to the 'dictionary.local' file. 
31 | # 32 | # The numbers you pick should be between 3000 and 4000. 33 | # These attributes will NOT go into a RADIUS packet. 34 | # 35 | # If you want that, you will need to use VSAs. This means 36 | # requesting allocation of a Private Enterprise Code from 37 | # http://iana.org. We STRONGLY suggest doing that only if 38 | # you are a vendor of RADIUS equipment. 39 | # 40 | # See RFC 6158 for more details. 41 | # http://ietf.org/rfc/rfc6158.txt 42 | # 43 | 44 | # 45 | # These attributes are examples 46 | # 47 | #ATTRIBUTE My-Local-String 3000 string 48 | #ATTRIBUTE My-Local-IPAddr 3001 ipaddr 49 | #ATTRIBUTE My-Local-Integer 3002 integer 50 | -------------------------------------------------------------------------------- /etc/raddb/experimental.conf: -------------------------------------------------------------------------------- 1 | # 2 | # This file contains the configuration for experimental modules. 3 | # 4 | # By default, it is NOT included in the build. 5 | # 6 | # $Id: 87d9744a4f0fa7b9b06b4908ddd6b7d2f1a7fd62 $ 7 | # 8 | 9 | # Configuration for the Python module. 10 | # 11 | # Where radiusd is a Python module, radiusd.py, and the 12 | # function 'authorize' is called. Here is a dummy piece 13 | # of code: 14 | # 15 | # def authorize(params): 16 | # print params 17 | # return (5, ('Reply-Message', 'banned')) 18 | # 19 | # The RADIUS value-pairs are passed as a tuple of tuple 20 | # pairs as the first argument, e.g. (('attribute1', 21 | # 'value1'), ('attribute2', 'value2')) 22 | # 23 | # The function return is a tuple with the first element 24 | # being the return value of the function. 25 | # The 5 corresponds to RLM_MODULE_USERLOCK. I plan to 26 | # write the return values as Python symbols to avoid 27 | # confusion. 28 | # 29 | # The remaining tuple members are the string form of 30 | # value-pairs which are passed on to pairmake(). 
31 | # 32 | python { 33 | mod_instantiate = radiusd_test 34 | func_instantiate = instantiate 35 | 36 | mod_authorize = radiusd_test 37 | func_authorize = authorize 38 | 39 | mod_accounting = radiusd_test 40 | func_accounting = accounting 41 | 42 | mod_pre_proxy = radiusd_test 43 | func_pre_proxy = pre_proxy 44 | 45 | mod_post_proxy = radiusd_test 46 | func_post_proxy = post_proxy 47 | 48 | mod_post_auth = radiusd_test 49 | func_post_auth = post_auth 50 | 51 | mod_recv_coa = radiusd_test 52 | func_recv_coa = recv_coa 53 | 54 | mod_send_coa = radiusd_test 55 | func_send_coa = send_coa 56 | 57 | mod_detach = radiusd_test 58 | func_detach = detach 59 | } 60 | 61 | 62 | # Configuration for the example module. Uncommenting it will cause it 63 | # to get loaded and initialised, but should have no real effect as long 64 | # it is not referenced in one of the autz/auth/preacct/acct sections 65 | example { 66 | # Boolean variable. 67 | # allowed values: {no, yes} 68 | boolean = yes 69 | 70 | # An integer, of any value. 71 | integer = 16 72 | 73 | # A string. 74 | string = "This is an example configuration string" 75 | 76 | # An IP address, either in dotted quad (1.2.3.4) or hostname 77 | # (example.com) 78 | ipaddr = 127.0.0.1 79 | 80 | # A subsection 81 | mysubsection { 82 | anotherinteger = 1000 83 | # They nest 84 | deeply nested { 85 | string = "This is a different string" 86 | } 87 | } 88 | } 89 | 90 | # 91 | # To create a dbm users file, do: 92 | # 93 | # cat test.users | rlm_dbm_parser -f /etc/raddb/users_db 94 | # 95 | # Then add 'dbm' in 'authorize' section. 96 | # 97 | # Note that even if the file has a ".db" or ".dbm" extension, 98 | # you may have to specify it here without that extension. This 99 | # is because the DBM libraries "helpfully" add a ".db" to the 100 | # filename, but don't check if it's already there. 
101 | # 102 | dbm { 103 | usersfile = ${confdir}/users_db 104 | } 105 | 106 | # Instantiate a couple instances of the idn module 107 | idn { 108 | } 109 | 110 | # ...more commonly known as... 111 | idn idna { 112 | } 113 | 114 | idn idna_lenient { 115 | UseSTD3ASCIIRules = no 116 | } 117 | -------------------------------------------------------------------------------- /etc/raddb/hints: -------------------------------------------------------------------------------- 1 | ./mods-config/preprocess/hints -------------------------------------------------------------------------------- /etc/raddb/huntgroups: -------------------------------------------------------------------------------- 1 | ./mods-config/preprocess/huntgroups -------------------------------------------------------------------------------- /etc/raddb/mods-available/README.rst: -------------------------------------------------------------------------------- 1 | Modules in Version 3 2 | ==================== 3 | 4 | As of Version 3, all of the modules have been placed in the 5 | "mods-available/" directory. This practice follows that used by other 6 | servers such as Nginx, Apache, etc. The "modules" directory should 7 | not be used. 8 | 9 | Modules are enabled by creating a file in the mods-enabled/ directory. 10 | You can also create a soft-link from one directory to another:: 11 | 12 | $ cd raddb/mods-enabled 13 | $ ln -s ../mods-available/foo 14 | 15 | This will enable module "foo". Be sure that you have configured the 16 | module correctly before enabling it, otherwise the server will not 17 | start. You can verify the server configuration by running 18 | "radiusd -XC". 19 | 20 | A large number of modules are enabled by default. This allows the 21 | server to work with the largest number of authentication protocols. 22 | Please be careful when disabling modules. You will likely need to 23 | edit the "sites-enabled/" files to remove references to any disabled 24 | modules. 
25 | 26 | Conditional Modules 27 | ------------------- 28 | 29 | Version 3 allows modules to be conditionally loaded. This is useful 30 | when you want to have a virtual server which references a module, but 31 | does not require it. Instead of editing the virtual server file, you 32 | can just conditionally enable the module. 33 | 34 | Modules are conditionally enabled by adding a "-" before their name in 35 | a virtual server. For example, you can do:: 36 | 37 | server { 38 | authorize { 39 | ... 40 | ldap 41 | -sql 42 | ... 43 | } 44 | } 45 | 46 | This says "require the LDAP module, but use the SQL module only if it 47 | is configured." 48 | 49 | This feature is not very useful for production configurations. It is, 50 | however, very useful for the default examples that ship with the 51 | server. 52 | 53 | Ignoring module 54 | --------------- 55 | 56 | If you see this message:: 57 | 58 | Ignoring module (see raddb/mods-available/README.rst) 59 | 60 | Then you are in the right place. Most of the time this message can be 61 | ignored. The message can be fixed by finding the references to "-module" 62 | in the virtual server, and deleting them. 63 | 64 | Another way to fix it is to configure the module, as described above. 65 | 66 | Simplification 67 | -------------- 68 | 69 | Allowing conditional modules simplifies the default virtual servers 70 | that are shipped with FreeRADIUS. This means that if you want to 71 | enable LDAP (for example), you no longer need to edit the files in 72 | raddb/sites-available/ in order to enable it. 73 | 74 | Instead, you should edit the raddb/mods-available/ldap file to point 75 | to your local LDAP server. Then, enable the module via the soft-link 76 | method described above. 77 | 78 | Once the module is enabled, it will automatically be used in the 79 | default configuration. 
80 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/abfab_psk_sql: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | ## 3 | ## Module for PSK authorizations from ABFAB trust router 4 | ## 5 | ## $Id: d75130da8a9faeb9712619bf49e68afadc30b73a $ 6 | 7 | sql psksql { 8 | 9 | driver = "rlm_sql_sqlite" 10 | 11 | sqlite { 12 | filename = "/var/lib/trust_router/keys" 13 | } 14 | 15 | } 16 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/always: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: de3f13089d8951f4c822ebc4007df58e0487de14 $ 4 | 5 | # 6 | # The "always" module is here for debugging purposes, or 7 | # for use in complex policies. 8 | # Instance simply returns the same result, always, without 9 | # doing anything. 10 | # 11 | # rcode may be one of the following values: 12 | # - reject - Reject the user. 13 | # - fail - Simulate or indicate a failure. 14 | # - ok - Simulate or indicate a success. 15 | # - handled - Indicate that the request has been handled, 16 | # stop processing, and send response if set. 17 | # - invalid - Indicate that the request is invalid. 18 | # - userlock - Indicate that the user account has been 19 | # locked out. 20 | # - notfound - Indicate that a user account can't be found. 21 | # - noop - Simulate a no-op. 22 | # - updated - Indicate that the request has been updated. 23 | # 24 | # If an instance is listed in a session {} section, 25 | # this simulates a user having sessions. 26 | # 27 | # simulcount = 28 | # 29 | # If an instance is listed in a session {} section, 30 | # this simulates the user having multilink 31 | # sessions. 
32 | # 33 | # mpp = 34 | # 35 | always reject { 36 | rcode = reject 37 | } 38 | always fail { 39 | rcode = fail 40 | } 41 | always ok { 42 | rcode = ok 43 | } 44 | always handled { 45 | rcode = handled 46 | } 47 | always invalid { 48 | rcode = invalid 49 | } 50 | always userlock { 51 | rcode = userlock 52 | } 53 | always notfound { 54 | rcode = notfound 55 | } 56 | always noop { 57 | rcode = noop 58 | } 59 | always updated { 60 | rcode = updated 61 | } 62 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/attr_filter: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 1caff077b2429c948a04777fcd619be901ac83dc $ 4 | 5 | # 6 | # This file defines a number of instances of the "attr_filter" module. 7 | # 8 | 9 | # attr_filter - filters the attributes received in replies from 10 | # proxied servers, to make sure we send back to our RADIUS client 11 | # only allowed attributes. 12 | attr_filter attr_filter.post-proxy { 13 | key = "%{Realm}" 14 | filename = ${modconfdir}/${.:name}/post-proxy 15 | } 16 | 17 | # attr_filter - filters the attributes in the packets we send to 18 | # the RADIUS home servers. 19 | attr_filter attr_filter.pre-proxy { 20 | key = "%{Realm}" 21 | filename = ${modconfdir}/${.:name}/pre-proxy 22 | } 23 | 24 | # Enforce RFC requirements on the contents of Access-Reject 25 | # packets. See the comments at the top of the file for 26 | # more details. 27 | # 28 | attr_filter attr_filter.access_reject { 29 | key = "%{User-Name}" 30 | filename = ${modconfdir}/${.:name}/access_reject 31 | } 32 | 33 | # Enforce RFC requirements on the contents of Access-Challenge 34 | # packets. See the comments at the top of the file for 35 | # more details. 
36 | # 37 | attr_filter attr_filter.access_challenge { 38 | key = "%{User-Name}" 39 | filename = ${modconfdir}/${.:name}/access_challenge 40 | } 41 | 42 | 43 | # Enforce RFC requirements on the contents of the 44 | # Accounting-Response packets. See the comments at the 45 | # top of the file for more details. 46 | # 47 | attr_filter attr_filter.accounting_response { 48 | key = "%{User-Name}" 49 | filename = ${modconfdir}/${.:name}/accounting_response 50 | } 51 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/cache_eap: -------------------------------------------------------------------------------- 1 | # 2 | # Cache EAP responses for resiliency on intermediary proxy fail-over 3 | # 4 | cache cache_eap { 5 | key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" 6 | 7 | ttl = 15 8 | 9 | update reply { 10 | reply: += &reply: 11 | &control:State := &request:State 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/chap: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: e2a3cd3b110ffffdbcff86c7fc65a9275ddc3379 $ 4 | 5 | # CHAP module 6 | # 7 | # To authenticate requests containing a CHAP-Password attribute. 8 | # 9 | chap { 10 | # no configuration 11 | } 12 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/counter: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: a5ac1e60ef117a2c59ace1a9d061d8f70d1da538 $ 4 | 5 | # counter module: 6 | # This module takes an attribute (count-attribute). 7 | # It also takes a key, and creates a counter for each unique 8 | # key. The count is incremented when accounting packets are 9 | # received by the server. The value of the increment depends 10 | # on the attribute type. 
11 | # If the attribute is Acct-Session-Time or of an integer type we add 12 | # the value of the attribute. If it is anything else we increase the 13 | # counter by one. 14 | # 15 | # The 'reset' parameter defines when the counters are all reset to 16 | # zero. It can be hourly, daily, weekly, monthly or never. 17 | # 18 | # hourly: Reset on 00:00 of every hour 19 | # daily: Reset on 00:00:00 every day 20 | # weekly: Reset on 00:00:00 on sunday 21 | # monthly: Reset on 00:00:00 of the first day of each month 22 | # 23 | # It can also be user defined. It should be of the form: 24 | # num[hdwm] where: 25 | # h: hours, d: days, w: weeks, m: months 26 | # If the letter is omitted days will be assumed. In example: 27 | # reset = 10h (reset every 10 hours) 28 | # reset = 12 (reset every 12 days) 29 | # 30 | # 31 | # The check_name attribute defines an attribute which will be 32 | # registered by the counter module and can be used to set the 33 | # maximum allowed value for the counter after which the user 34 | # is rejected. 35 | # Something like: 36 | # 37 | # DEFAULT Max-Daily-Session := 36000 38 | # Fall-Through = 1 39 | # 40 | # You should add the counter module in the instantiate 41 | # section so that it registers check_name before the files 42 | # module reads the users file. 43 | # 44 | # If check_name is set and the user is to be rejected then we 45 | # send back a Reply-Message and we log a Failure-Message in 46 | # the radius.log 47 | # 48 | # If the count attribute is Acct-Session-Time then on each 49 | # login we send back the remaining online time as a 50 | # Session-Timeout attribute ELSE and if the reply_name is 51 | # set, we send back that attribute. The reply_name attribute 52 | # MUST be of an integer type. 
53 | # 54 | # The counter-name can also be used instead of using the check_name 55 | # like below: 56 | # 57 | # DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject 58 | # Reply-Message = "You've used up more than one hour today" 59 | # 60 | # The allowed_service_type attribute can be used to only take 61 | # into account specific sessions. For example if a user first 62 | # logs in through a login menu and then selects ppp there will 63 | # be two sessions. One for Login-User and one for Framed-User 64 | # service type. We only need to take into account the second one. 65 | # 66 | # The module should be added in the instantiate, authorize and 67 | # accounting sections. Make sure that in the authorize 68 | # section it comes after any module which sets the 69 | # 'check_name' attribute. 70 | # 71 | counter daily { 72 | filename = ${db_dir}/db.daily 73 | key = User-Name 74 | count_attribute = Acct-Session-Time 75 | reset = daily 76 | counter_name = Daily-Session-Time 77 | check_name = Max-Daily-Session 78 | reply_name = Session-Timeout 79 | allowed_service_type = Framed-User 80 | cache_size = 5000 81 | } 82 | 83 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/cui: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: b72aa309bfc05c2443e4bb2db061b8f33de8e359 $ 4 | 5 | # 6 | # Write Chargeable-User-Identity to the database. 7 | # 8 | # Schema raddb/sql/cui/${dialect}/schema.sql 9 | # Queries raddb/sql/cui/${dialect}/queries.conf 10 | # 11 | sql cuisql { 12 | 13 | # The dialect of SQL you want to use, this should usually match 14 | # the driver below. 15 | # 16 | # If you're using rlm_sql_null, then it should be the type of 17 | # database the logged queries are going to be executed against. 18 | dialect = "sqlite" 19 | 20 | # The sub-module to use to execute queries. This should match 21 | # the database you're attempting to connect to. 
22 | # 23 | # There are CUI queries available for: 24 | # * rlm_sql_mysql 25 | # * rlm_sql_postgresql 26 | # * rlm_sql_sqlite 27 | # * rlm_sql_null (log queries to disk) 28 | # 29 | driver = "rlm_sql_${dialect}" 30 | 31 | sqlite { 32 | filename = ${radacctdir}/cui.sqlite 33 | bootstrap = ${modconfdir}/${..:name}/cui/sqlite/schema.sql 34 | } 35 | 36 | # Write CUI queries to a logfile. Useful for debugging. 37 | # logfile = ${logdir}/cuilog.sql 38 | 39 | pool { 40 | start = 5 41 | min = 4 42 | max = 10 43 | spare = 3 44 | uses = 0 45 | lifetime = 0 46 | idle_timeout = 60 47 | } 48 | 49 | cui_table = "cui" 50 | sql_user_name = "%{User-Name}" 51 | 52 | $INCLUDE ${modconfdir}/${.:name}/cui/${dialect}/queries.conf 53 | } 54 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/date: -------------------------------------------------------------------------------- 1 | # 2 | # Registers xlat to convert between time formats. 3 | # 4 | # xlat input string is an attribute name. If this attribute is of date 5 | # or integer type, the date xlat will convert it to a time string in 6 | # the format of the format config item. 7 | # 8 | # If the attribute is a string type, date will attempt to parse it in 9 | # the format specified by the format config item, and will expand 10 | # to a Unix timestamp. 11 | # 12 | date { 13 | format = "%b %e %Y %H:%M:%S %Z" 14 | 15 | # Use UTC instead of local time. 16 | # 17 | # default = no 18 | # utc = yes 19 | } 20 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/detail: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: e91e12d0b4de8f3cb084c179b321924d0248cfbb $ 4 | 5 | # Write a detailed log of all accounting records received. 
6 | # 7 | detail { 8 | # Note that we do NOT use NAS-IP-Address here, as 9 | # that attribute MAY BE from the originating NAS, and 10 | # NOT from the proxy which actually sent us the 11 | # request. 12 | # 13 | # The following line creates a new detail file for 14 | # every radius client (by IP address or hostname). 15 | # In addition, a new detail file is created every 16 | # day, so that the detail file doesn't have to go 17 | # through a 'log rotation' 18 | # 19 | # If your detail files are large, you may also want to add 20 | # a ':%H' (see doc/configuration/variables.rst) to the end 21 | # of it, to create a new detail file every hour, e.g.: 22 | # 23 | # ..../detail-%Y%m%d:%H 24 | # 25 | # This will create a new detail file for every hour. 26 | # 27 | # If you are reading detail files via the "listen" section 28 | # (e.g. as in raddb/sites-available/robust-proxy-accounting), 29 | # you MUST use a unique directory for each combination of a 30 | # detail file writer, and reader. That is, there can only 31 | # be ONE "listen" section reading detail files from a 32 | # particular directory. 33 | # 34 | filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d 35 | 36 | # 37 | # If you are using radrelay, delete the above line for "file", 38 | # and use this one instead: 39 | # 40 | # filename = ${radacctdir}/detail 41 | 42 | # 43 | # Most file systems can handle nearly the full range of UTF-8 44 | # characters. Ones that can only deal with a limited range should 45 | # set this to "yes". 46 | # 47 | escape_filenames = no 48 | 49 | # 50 | # The Unix-style permissions on the 'detail' file. 51 | # 52 | # The detail file often contains secret or private 53 | # information about users. So by keeping the file 54 | # permissions restrictive, we can prevent unwanted 55 | # people from seeing that information. 56 | permissions = 0600 57 | 58 | # The Unix group of the log file. 
59 | # 60 | # The user that the server runs as must be in the specified 61 | # system group otherwise this will fail to work. 62 | # 63 | # group = ${security.group} 64 | 65 | # 66 | # Every entry in the detail file has a header which 67 | # is a timestamp. By default, we use the ctime 68 | # format (see "man ctime" for details). 69 | # 70 | # The header can be customised by editing this 71 | # string. See "doc/configuration/variables.rst" for a 72 | # description of what can be put here. 73 | # 74 | header = "%t" 75 | 76 | # 77 | # Uncomment this line if the detail file reader will be 78 | # reading this detail file. 79 | # 80 | # locking = yes 81 | 82 | # 83 | # Log the Packet src/dst IP/port. This is disabled by 84 | # default, as that information isn't used by many people. 85 | # 86 | # log_packet_header = yes 87 | 88 | # 89 | # Certain attributes such as User-Password may be 90 | # "sensitive", so they should not be printed in the 91 | # detail file. This section lists the attributes 92 | # that should be suppressed. 93 | # 94 | # The attributes should be listed one to a line. 95 | # 96 | #suppress { 97 | # User-Password 98 | #} 99 | 100 | } 101 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/detail.example.com: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # Detail file writer, used in the following examples: 4 | # 5 | # raddb/sites-available/robust-proxy-accounting 6 | # raddb/sites-available/decoupled-accounting 7 | # 8 | # Note that this module can write detail files that are read by 9 | # only ONE "listen" section. If you use BOTH of the examples 10 | # above, you will need to define TWO "detail" modules. 11 | # 12 | # e.g. detail1.example.com && detail2.example.com 13 | # 14 | # 15 | # We write *multiple* detail files here. They will be processed by 16 | # the detail "listen" section in the order that they were created. 
17 | # The directory containing these files should NOT be used for any 18 | # other purposes. i.e. It should have NO other files in it. 19 | # 20 | # Writing multiple detail enables the server to process the pieces 21 | # in smaller chunks. This helps in certain catastrophic corner cases. 22 | # 23 | # $Id: 827cdf57e70dc2ff2252016194f4bb846eecead2 $ 24 | # 25 | detail detail.example.com { 26 | filename = ${radacctdir}/detail.example.com/detail-%Y%m%d:%H:%G 27 | } 28 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/detail.log: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: b91cf7cb24744ee96e390aa4d7bd5f3ad4c0c0ee $ 4 | 5 | # 6 | # More examples of doing detail logs. 7 | 8 | # 9 | # Many people want to log authentication requests. 10 | # Rather than modifying the server core to print out more 11 | # messages, we can use a different instance of the 'detail' 12 | # module, to log the authentication requests to a file. 13 | # 14 | # You will also need to un-comment the 'auth_log' line 15 | # in the 'authorize' section, below. 16 | # 17 | detail auth_log { 18 | filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d 19 | 20 | # 21 | # This MUST be 0600, otherwise anyone can read 22 | # the users passwords! 23 | permissions = 0600 24 | 25 | # You may also strip out passwords completely 26 | suppress { 27 | User-Password 28 | } 29 | } 30 | 31 | # 32 | # This module logs authentication reply packets sent 33 | # to a NAS. Both Access-Accept and Access-Reject packets 34 | # are logged. 35 | # 36 | # You will also need to un-comment the 'reply_log' line 37 | # in the 'post-auth' section, below. 
38 | # 39 | detail reply_log { 40 | filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d 41 | 42 | permissions = 0600 43 | } 44 | 45 | # 46 | # This module logs packets proxied to a home server. 47 | # 48 | # You will also need to un-comment the 'pre_proxy_log' line 49 | # in the 'pre-proxy' section, below. 50 | # 51 | detail pre_proxy_log { 52 | filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d 53 | 54 | # 55 | # This MUST be 0600, otherwise anyone can read 56 | # the users passwords! 57 | permissions = 0600 58 | 59 | # The suppress block below is commented out, so the User-Password from proxied requests is written to this file. Un-comment it to strip passwords out completely. 60 | #suppress { 61 | # User-Password 62 | #} 63 | } 64 | 65 | # 66 | # This module logs response packets from a home server. 67 | # 68 | # You will also need to un-comment the 'post_proxy_log' line 69 | # in the 'post-proxy' section, below. 70 | # 71 | detail post_proxy_log { 72 | filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d 73 | 74 | permissions = 0600 75 | } 76 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/dhcp: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: a4316335d7f73b37ec5aa9278de91d37dd28eddc $ 4 | 5 | # 6 | # This module is useful only for 'xlat'. To use it, 7 | # put 'dhcp' into the 'instantiate' section. 8 | # 9 | # The %{dhcp_options:...} xlat, given the attribute holding the option data, may be used to decode 10 | # DHCP options data included in RADIUS packets by vendors 11 | # of DHCP to RADIUS gateways. 
12 | # 13 | # This is known to work with the following VSAs: 14 | # * Juniper - ERX-Dhcp-Options 15 | # * Alcatel lucent SR - Alc-ToServer-Dhcp-Options 16 | # - Alc-ToClient-Dhcp-Options 17 | # 18 | dhcp { 19 | } 20 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/dhcp_sqlippool: -------------------------------------------------------------------------------- 1 | # Configuration for DHCP to use SQL IP Pools. 2 | # 3 | # See raddb/mods-available/sqlippool for common configuration explanation 4 | # 5 | # See raddb/policy.d/dhcp_sqlippool for the "glue" code that allows 6 | # the RADIUS based "sqlippool" module to be used for DHCP. 7 | # 8 | # See raddb/mods-config/sql/ippool/ for the schemas. 9 | # 10 | # See raddb/sites-available/dhcp for instructions on how to configure 11 | # the DHCP server. 12 | # 13 | # $Id: 7739a6066ba5ee794c04324179b62f047724e5d1 $ 14 | 15 | sqlippool dhcp_sqlippool { 16 | sql_module_instance = "sql" 17 | 18 | ippool_table = "radippool" 19 | 20 | lease_duration = 7200 21 | 22 | # Client's MAC address is mapped to Calling-Station-Id in policy.conf 23 | pool_key = "%{Calling-Station-Id}" 24 | 25 | # For now, it works with MySQL. 26 | $INCLUDE ${modconfdir}/sql/ippool-dhcp/mysql/queries.conf 27 | 28 | # It may also work with sqlite - this is very experimental. 29 | # Comment out the above line and add the following include. 30 | # To use sqlite you need to add '%' to safe_characters in 31 | # raddb/mods-config/sql/main/sqlite/queries.conf. 
32 | # $INCLUDE ${modconfdir}/sql/ippool-dhcp/sqlite/queries.conf 33 | 34 | sqlippool_log_exists = "DHCP: Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" 35 | 36 | sqlippool_log_success = "DHCP: Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" 37 | 38 | sqlippool_log_clear = "DHCP: Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})" 39 | 40 | sqlippool_log_failed = "DHCP: IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" 41 | 42 | sqlippool_log_nopool = "DHCP: No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" 43 | 44 | } 45 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/digest: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: f0aa9edf9da33d63fe03e7d1ed3cbca848eec54d $ 4 | 5 | # 6 | # The 'digest' module currently has no configuration. 7 | # 8 | # "Digest" authentication against a Cisco SIP server. 9 | # See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details 10 | # on performing digest authentication for Cisco SIP servers. 11 | # 12 | digest { 13 | } 14 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/dynamic_clients: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: cc2bd5fd22aa473b98af5dde3fac7a66e39a9e9d $ 4 | 5 | # This module loads RADIUS clients as needed, rather than when the server 6 | # starts. 7 | # 8 | # There are no configuration entries for this module. Instead, it 9 | # relies on the "client" configuration. 
You must: 10 | # 11 | # 1) link raddb/sites-enabled/dynamic_clients to 12 | # raddb/sites-available/dynamic_clients 13 | # 14 | # 2) Define a client network/mask (see top of the above file) 15 | # 16 | # 3) uncomment the "directory" entry in that client definition 17 | # 18 | # 4) list "dynamic_clients" in the "authorize" section of the 19 | # "dynamic_clients' virtual server. The default example already 20 | # does this. 21 | # 22 | # 5) put files into the above directory, one per IP. 23 | # e.g. file "192.0.2.1" should contain a normal client definition 24 | # for a client with IP address 192.0.2.1. 25 | # 26 | # For more documentation, see the file: 27 | # 28 | # raddb/sites-available/dynamic-clients 29 | # 30 | dynamic_clients { 31 | 32 | } 33 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/etc_group: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: f58b72f560ba067991d67295b546691bcd992d44 $ 4 | 5 | # "passwd" configuration, for the /etc/group file. Adds a Etc-Group-Name 6 | # attribute for every group that the user is member of. 7 | # 8 | # You will have to define the Etc-Group-Name in the 'dictionary' file 9 | # as a 'string' type. 10 | # 11 | # The Group and Group-Name attributes are automatically created by 12 | # the Unix module, and do checking against /etc/group automatically. 13 | # This means that you CANNOT use Group or Group-Name to do any other 14 | # kind of grouping in the server. You MUST define a new group 15 | # attribute. 16 | # 17 | # i.e. this module should NOT be used as-is, but should be edited to 18 | # point to a different group file. 
19 | # 20 | passwd etc_group { 21 | filename = /etc/group 22 | format = "=Etc-Group-Name:::*,User-Name" 23 | hash_size = 50 24 | ignore_nislike = yes 25 | allow_multiple_keys = yes 26 | delimiter = ":" 27 | } 28 | 29 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/exec: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: bb1d4374b741a7bfcdfc098fc57af650509ceae2 $ 4 | 5 | # 6 | # Execute external programs 7 | # 8 | # This module is useful only for 'xlat'. To use it, 9 | # put 'exec' into the 'instantiate' section. You can then 10 | # do dynamic translation of attributes like: 11 | # 12 | # Attribute-Name = `%{exec:/path/to/program args}` 13 | # 14 | # The value of the attribute will be replaced with the output 15 | # of the program which is executed. Due to RADIUS protocol 16 | # limitations, any output over 253 bytes will be ignored. 17 | # 18 | # The RADIUS attributes from the user request will be placed 19 | # into environment variables of the executed program, as 20 | # described in "man unlang" and in doc/configuration/variables.rst 21 | # 22 | # See also "echo" for more sample configuration. 23 | # 24 | exec { 25 | wait = no 26 | input_pairs = request 27 | shell_escape = yes 28 | timeout = 10 29 | } 30 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/expiration: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 5d06454d0a8ccce7f50ddf7b01ba01c4ace6560a $ 4 | 5 | # 6 | # The expiration module. This handles the Expiration attribute 7 | # It should be included in the *end* of the authorize section 8 | # in order to handle user Expiration. 
It should also be included 9 | # in the instantiate section in order to register the Expiration 10 | # compare function 11 | # 12 | expiration { 13 | } 14 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/files: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: e3f3bf568d92eba8eb17bbad590f846f2d9e1ac8 $ 4 | 5 | # Livingston-style 'users' file 6 | # 7 | # See "man users" for more information. 8 | # 9 | files { 10 | # Search for files in a subdirectory of mods-config which 11 | # matches this instance of the files module. 12 | moddir = ${modconfdir}/${.:instance} 13 | 14 | # The default key attribute to use for matches. The content 15 | # of this attribute is used to match the "name" of the 16 | # entry. 17 | #key = "%{%{Stripped-User-Name}:-%{User-Name}}" 18 | 19 | # The old "users" style file is now located here. 20 | filename = ${moddir}/authorize 21 | 22 | # This is accepted for backwards compatibility 23 | # It will be removed in a future release. 24 | # usersfile = ${moddir}/authorize 25 | 26 | # These are accepted for backwards compatibility. 27 | # They will be renamed in a future release. 28 | acctusersfile = ${moddir}/accounting 29 | preproxy_usersfile = ${moddir}/pre-proxy 30 | } 31 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/idn: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 534054077d52a7bb0bf8e02c1e861e5c86b76df9 $ 4 | 5 | # 6 | # Internationalised domain names. 7 | # 8 | 9 | # The expansion string: %{idn: example.com} results in an ASCII 10 | # punycode version of the domain name. That version can then be used 11 | # for name comparisons. Using an i18n version of the name is NOT 12 | # RECOMMENDED, as that version is not canonical. 13 | # 14 | # i.e. 
the "same" domain name can be represented in many, many, 15 | # different ways. Only the idn version has *one* representation. 16 | # 17 | idn { 18 | # 19 | # Allow use of unassigned Unicode code points. 20 | # 21 | allow_unassigned = no 22 | 23 | # 24 | # Prohibit underscores and other invalid characters in domain 25 | # names. 26 | use_std3_ascii_rules = yes 27 | 28 | } -------------------------------------------------------------------------------- /etc/raddb/mods-available/inner-eap: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 576eb7739ebf18ca6323cb740a7d4278ff6d6ea2 $ 4 | 5 | # 6 | # Sample configuration for an EAP module that occurs *inside* 7 | # of a tunneled method. It is used to limit the EAP types that 8 | # can occur inside of the inner tunnel. 9 | # 10 | # See also raddb/sites-available/inner-tunnel 11 | # 12 | # See raddb/mods-available/eap for full documentation on the meaning of these 13 | # configuration entries. 14 | # 15 | eap inner-eap { 16 | # This is the best choice for PEAP. 17 | default_eap_type = mschapv2 18 | 19 | timer_expire = 60 20 | 21 | # This should be the same as the outer eap "max sessions" 22 | max_sessions = 2048 23 | 24 | # Supported EAP-types 25 | md5 { 26 | } 27 | 28 | gtc { 29 | # The default challenge, which many clients 30 | # ignore.. 31 | #challenge = "Password: " 32 | 33 | auth_type = PAP 34 | } 35 | 36 | mschapv2 { 37 | # See eap for documentation 38 | # send_error = no 39 | } 40 | 41 | # No TTLS or PEAP configuration should be listed here. 42 | 43 | ## EAP-TLS 44 | # 45 | # You SHOULD use different certificates than are used 46 | # for the outer EAP configuration! 47 | # 48 | # You can create the "inner-server.pem" file by doing: 49 | # 50 | # cd raddb/certs 51 | # vi inner-server.cnf 52 | # make inner-server 53 | # 54 | # The certificate MUST be different from the "server.cnf" 55 | # file. 
56 | # 57 | # Support for PEAP/TLS and RFC 5176 TLS/TLS is experimental. 58 | # It might work, or it might not. 59 | # 60 | tls { # "whatever" is the sample-configuration value; replace it with the passphrase protecting the key you generated for inner-server.pem. 61 | private_key_password = whatever 62 | private_key_file = ${certdir}/inner-server.pem 63 | 64 | # If Private key & Certificate are located in 65 | # the same file, then private_key_file & 66 | # certificate_file must contain the same file 67 | # name. 68 | # 69 | # If ca_file (below) is not used, then the 70 | # certificate_file below MUST include not 71 | # only the server certificate, but ALSO all 72 | # of the CA certificates used to sign the 73 | # server certificate. 74 | certificate_file = ${certdir}/inner-server.pem 75 | 76 | # You may want different CAs for inner and outer 77 | # certificates. If so, edit this file. 78 | ca_file = ${cadir}/ca.pem 79 | 80 | cipher_list = "DEFAULT" 81 | 82 | # You may want to set a very small fragment size. 83 | # The TLS data here needs to go inside of the 84 | # outer EAP-TLS protocol. 85 | # 86 | # Try values and see if they work... 87 | # fragment_size = 1024 88 | 89 | # Other needful things 90 | dh_file = ${certdir}/dh 91 | random_file = /dev/urandom 92 | 93 | # CRL and OCSP things go here. See the main "eap" 94 | # file for details. 95 | # check_crl = yes 96 | # ca_path = /path/to/directory/with/ca_certs/and/crls/ 97 | 98 | # Accept an expired Certificate Revocation List 99 | # 100 | # allow_expired_crl = no 101 | 102 | # 103 | # The session resumption / fast re-authentication 104 | # cache CANNOT be used for inner sessions. 105 | # 106 | } 107 | } 108 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/ippool: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 1d3305ba45ec71336f55f8f1db05f183772e1b82 $ 4 | 5 | # Do server side ip pool management. Should be added in 6 | # post-auth and accounting sections. 
7 | # 8 | # The module also requires the existence of the Pool-Name 9 | # attribute. That way the administrator can add the Pool-Name 10 | # attribute in the user profiles and use different pools for 11 | # different users. The Pool-Name attribute is a *check* item 12 | # not a reply item. 13 | # 14 | # The Pool-Name should be set to the ippool module instance 15 | # name or to DEFAULT to match any module. 16 | 17 | # 18 | # Example: 19 | # radiusd.conf: ippool students { [...] } 20 | # ippool teachers { [...] } 21 | # users file : DEFAULT Group == students, Pool-Name := "students" 22 | # DEFAULT Group == teachers, Pool-Name := "teachers" 23 | # DEFAULT Group == other, Pool-Name := "DEFAULT" 24 | # 25 | # Note: If you change the range parameters you must then erase the 26 | # db files. 27 | # 28 | ippool main_pool { 29 | # The main db file used to allocate addresses. 30 | filename = ${db_dir}/db.ippool 31 | 32 | # The start and end ip addresses for this pool. 33 | range_start = 192.0.2.1 34 | range_stop = 192.0.2.254 35 | 36 | # The network mask used for this pool. 37 | netmask = 255.255.255.0 38 | 39 | # The gdbm cache size for the db files. Should 40 | # be equal to the number of ip's available in 41 | # the ip pool 42 | cache_size = 800 43 | 44 | # Helper db index file used in multilink 45 | ip_index = ${db_dir}/db.ipindex 46 | 47 | # If set, the Framed-IP-Address already in the 48 | # reply (if any) will be discarded, and replaced 49 | # with a Framed-IP-Address assigned here. 50 | override = no 51 | 52 | # Specifies the maximum time in seconds that an 53 | # entry may be active. If set to zero, means 54 | # "no timeout". The default value is 0 55 | maximum_timeout = 0 56 | 57 | # The key to use for the session database (which 58 | # holds the allocated ip's) normally it should 59 | # just be the nas ip/port (which is the default). 
60 | # 61 | # If your NAS sends the same value of NAS-Port 62 | # all requests, the key should be based on some 63 | # other attribute that is in ALL requests, AND 64 | # is unique to each machine needing an IP address. 65 | # key = "%{NAS-IP-Address} %{NAS-Port}" 66 | } 67 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/krb5: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 3b7e16ddc86c3980d5f509387008fc36d736f015 $ 4 | 5 | # 6 | # Kerberos. See doc/modules/rlm_krb5 for minimal docs. 7 | # 8 | krb5 { 9 | keytab = /path/to/keytab 10 | service_principal = name_of_principle 11 | 12 | # Pool of krb5 contexts, this allows us to make the module multithreaded 13 | # and to avoid expensive operations like resolving and opening keytabs 14 | # on every request. It may also allow TCP connections to the KDC to be 15 | # cached if that is supported by the version of libkrb5 used. 16 | # 17 | # The context pool is only used if the underlying libkrb5 reported 18 | # that it was thread safe at compile time. 19 | # 20 | pool { 21 | # Connections to create during module instantiation. 22 | # If the server cannot create specified number of 23 | # connections during instantiation it will exit. 24 | # Set to 0 to allow the server to start without the 25 | # KDC being available. 26 | start = ${thread[pool].start_servers} 27 | 28 | # Minimum number of connections to keep open 29 | min = ${thread[pool].min_spare_servers} 30 | 31 | # Maximum number of connections 32 | # 33 | # If these connections are all in use and a new one 34 | # is requested, the request will NOT get a connection. 
35 | # 36 | # Setting 'max' to LESS than the number of threads means 37 | # that some threads may starve, and you will see errors 38 | # like 'No connections available and at max connection limit' 39 | # 40 | # Setting 'max' to MORE than the number of threads means 41 | # that there are more connections than necessary. 42 | max = ${thread[pool].max_servers} 43 | 44 | # Spare connections to be left idle 45 | # 46 | # NOTE: Idle connections WILL be closed if "idle_timeout" 47 | # is set. This should be less than or equal to "max" above. 48 | spare = ${thread[pool].max_spare_servers} 49 | 50 | # Number of uses before the connection is closed 51 | # 52 | # 0 means "infinite" 53 | uses = 0 54 | 55 | # The lifetime (in seconds) of the connection 56 | # 57 | # NOTE: A setting of 0 means infinite (no limit). 58 | lifetime = 0 59 | 60 | # The idle timeout (in seconds). A connection which is 61 | # unused for this length of time will be closed. 62 | # 63 | # NOTE: A setting of 0 means infinite (no timeout). 64 | idle_timeout = 0 65 | 66 | # NOTE: All configuration settings are enforced. If a 67 | # connection is closed because of "idle_timeout", 68 | # "uses", or "lifetime", then the total number of 69 | # connections MAY fall below "min". When that 70 | # happens, it will open a new connection. It will 71 | # also log a WARNING message. 72 | # 73 | # The solution is to either lower the "min" connections, 74 | # or increase lifetime/idle_timeout. 75 | } 76 | } 77 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/logintime: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 25344527759d22b49b5e990fd83f0e506442fa76 $ 4 | 5 | # The logintime module. This handles the Login-Time, 6 | # Current-Time, and Time-Of-Day attributes. It should be 7 | # included in the *end* of the authorize section in order to 8 | # handle Login-Time checks. 
It should also be included in the 9 | # instantiate section in order to register the Current-Time 10 | # and Time-Of-Day comparison functions. 11 | # 12 | # When the Login-Time attribute is set to some value, and the 13 | # user has been permitted to log in, a Session-Timeout is 14 | # calculated based on the remaining time. See "doc/README". 15 | # 16 | logintime { 17 | # The minimum timeout (in seconds) a user is allowed 18 | # to have. If the calculated timeout is lower we don't 19 | # allow the login. Some NAS do not handle values 20 | # lower than 60 seconds well. 21 | minimum_timeout = 60 22 | } 23 | 24 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/mac2ip: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: a4ead1d64e8220344b483718ece4712bef5e9e36 $ 4 | 5 | ###################################################################### 6 | # 7 | # This next section is a sample configuration for the "passwd" 8 | # module, which reads flat-text files. 9 | # 10 | # The file is in the format MAC,IP 11 | # 12 | # 00:01:02:03:04:05,192.0.2.100 13 | # 01:01:02:03:04:05,192.0.2.101 14 | # 02:01:02:03:04:05,192.0.2.102 15 | # 16 | # This lets you perform simple static IP assignments from a flat-text 17 | # file. You will have to define lease times yourself. 18 | # 19 | ###################################################################### 20 | 21 | passwd mac2ip { 22 | filename = ${modconfdir}/${.:name}/${.:instance} 23 | format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address" 24 | delimiter = "," 25 | } 26 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/mac2vlan: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: a1db803a71cddbb98daeeeda515cff2fc77ea318 $ 4 | 5 | # A simple file to map a MAC address to a VLAN. 
6 | # 7 | # The file should be in the format MAC,VLAN; 8 | # the VLAN name cannot have spaces in it, for example: 9 | # 10 | # 00:01:02:03:04:05,VLAN1 11 | # 03:04:05:06:07:08,VLAN2 12 | # ... 13 | # 14 | passwd mac2vlan { 15 | filename = ${modconfdir}/${.:name}/${.:instance} 16 | format = "*VMPS-Mac:=VMPS-VLAN-Name" 17 | delimiter = "," 18 | } 19 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/moonshot-targeted-ids: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: bcf69bcf1a366a3a6ac948e63dd07d1b86d1f978 $ 4 | 5 | # 6 | # Write Moonshot-*-TargetedId (MSTID) to the database. 7 | # 8 | # Schema raddb/sql/moonshot-targeted-ids/<dialect>/schema.sql 9 | # Queries raddb/sql/moonshot-targeted-ids/<dialect>/queries.conf 10 | # 11 | sql moonshot_tid_sql { 12 | 13 | # The dialect of SQL you want to use, this should usually match 14 | # the driver below. 15 | # 16 | # If you're using rlm_sql_null, then it should be the type of 17 | # database the logged queries are going to be executed against. 18 | dialect = "sqlite" 19 | 20 | # The sub-module to use to execute queries. This should match 21 | # the database you're attempting to connect to. 22 | # 23 | # There are MSTID queries available for: 24 | # * rlm_sql_mysql 25 | # * rlm_sql_postgresql 26 | # * rlm_sql_sqlite 27 | # * rlm_sql_null (log queries to disk) 28 | # 29 | driver = "rlm_sql_${dialect}" 30 | 31 | sqlite { 32 | filename = ${radacctdir}/moonshot-targeted-ids.sqlite 33 | bootstrap = ${modconfdir}/${..:name}/moonshot-targeted-ids/sqlite/schema.sql 34 | } 35 | 36 | # Write MSTID queries to a logfile. Useful for debugging. 
37 | # logfile = ${logdir}/moonshot-targeted-id-log.sql 38 | 39 | pool { 40 | start = 5 41 | min = 4 42 | max = 10 43 | spare = 3 44 | uses = 0 45 | lifetime = 0 46 | idle_timeout = 60 47 | } 48 | 49 | # If you adjust the table name here, you must also modify the table name in 50 | # the moonshot_get_targeted_id.post-auth policy in policy.d/moonshot-targeted-ids 51 | # and the schema.sql files in the mods-config/sql/moonshot-targeted-ids tree. 52 | # 53 | moonshot_tid_table = "moonshot_targeted_ids" 54 | sql_user_name = "%{User-Name}" 55 | 56 | $INCLUDE ${modconfdir}/${.:name}/moonshot-targeted-ids/${dialect}/queries.conf 57 | } 58 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/ntlm_auth: -------------------------------------------------------------------------------- 1 | # 2 | # For testing ntlm_auth authentication with PAP. 3 | # 4 | # If you have problems with authentication failing, even when the 5 | # password is good, it may be a bug in Samba: 6 | # 7 | # https://bugzilla.samba.org/show_bug.cgi?id=6563 8 | # 9 | # Depending on the AD / Samba configuration, you may also need to add: 10 | # 11 | # --allow-mschapv2 12 | # 13 | # to the list of command-line options. Note that %{User-Password} is expanded into the argument list of the child process, so the cleartext password is visible to anything on the host that can read the process table; this is one reason the example is marked as being for testing. 14 | # 15 | exec ntlm_auth { 16 | wait = yes 17 | program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" 18 | } 19 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/opendirectory: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 9a575bf6e271a966d1d9831b85b52619d35c5183 $ 4 | 5 | # This module is only used when the server is running on the same 6 | # system as OpenDirectory. The configuration of the module is hard-coded 7 | # by Apple, and cannot be changed here. 8 | # 9 | # There are no configuration entries for this module. 
10 | # 11 | # The MS-CHAP module will automatically talk to OpenDirectory, if the 12 | # server is built on an OSX machine. However, you must also set 13 | # dsAttrTypeNative:apple-enabled-auth-mech attribute in the 14 | # /config/dirserv OpenDirectory record. You will probably also need 15 | # to change the user passwords in order to re-generate the 16 | # appropriate hashes. 17 | # 18 | # See also https://discussions.apple.com/thread/6053980?tstart=0 19 | # 20 | opendirectory { 21 | 22 | } 23 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/otp: -------------------------------------------------------------------------------- 1 | # 2 | # Configuration for the OTP module. 3 | # 4 | 5 | # This module allows you to use various handheld OTP tokens 6 | # for authentication (Auth-Type := otp). These tokens are 7 | # available from various vendors. 8 | # 9 | # It works in conjunction with otpd, which implements token 10 | # management and OTP verification functions; and lsmd or gsmd, 11 | # which implements synchronous state management functions. 12 | 13 | # You must list this module in BOTH the authorize and authenticate 14 | # sections in order to use it. 15 | otp { 16 | # otpd rendezvous point. 17 | # (default: /var/run/otpd/socket) 18 | #otpd_rp = /var/run/otpd/socket 19 | 20 | # Text to use for the challenge. 21 | # Default "Challenge: %{reply:OTP-Challenge}\n Response: " 22 | 23 | challenge_prompt = "Challenge: %{reply:OTP-Challenge} \n Response: " 24 | 25 | # Length of the challenge. Most tokens probably support a 26 | # max of 8 digits. (range: 5-32 digits, default 6) 27 | #challenge_length = 6 28 | 29 | # Maximum time, in seconds, that a challenge is valid. 30 | # (The user must respond to a challenge within this time.) 
31 | # It is also the minimal time between consecutive async mode 32 | # authentications, a necessary restriction due to an inherent 33 | # weakness of the RADIUS protocol which allows replay attacks. 34 | # (default: 30) 35 | #challenge_delay = 30 36 | 37 | # Whether or not to allow asynchronous ("pure" challenge/ 38 | # response) mode authentication. Since sync mode is much more 39 | # usable, and all reasonable tokens support it, the typical 40 | # use of async mode is to allow re-sync of event based tokens. 41 | # But because of the vulnerability of async mode with some tokens, 42 | # you probably want to disable this and require that out-of-sync 43 | # users re-sync from specifically secured terminals. 44 | # See the otpd docs for more info. 45 | # (default: no) 46 | #allow_async = no 47 | 48 | # Whether or not to allow synchronous mode authentication. 49 | # When using otpd with lsmd, it is *CRITICALLY IMPORTANT* 50 | # that if your OTP users can authenticate to multiple RADIUS 51 | # servers, this must be "yes" for the primary/default server, 52 | # and "no" for the others. This is because lsmd does not 53 | # share state information across multiple servers. Using "yes" 54 | # on all your RADIUS servers would allow replay attacks! 55 | # Also, for event based tokens, the user will be out of sync 56 | # on the "other" servers. In order to use "yes" on all your 57 | # servers, you must either use gsmd, which synchronises state 58 | # globally, or implement your own state synchronisation method. 59 | # (default: yes) 60 | #allow_sync = yes 61 | 62 | # If both allow_async and allow_sync are "yes", a challenge is 63 | # always presented to the user. This is incompatible with NAS 64 | # that can't present or don't handle Access-Challenge's, e.g. 65 | # PPTP servers. Even though a challenge is presented, the user 66 | # can still enter their synchronous passcode. 67 | 68 | # The following are MPPE settings. Note that MS-CHAP (v1) is 69 | # strongly discouraged. 
All possible values are listed as 70 | # {value = meaning}. Default values are first. 71 | #mschapv2_mppe = {2 = required, 1 = optional, 0 = forbidden} 72 | #mschapv2_mppe_bits = {2 = 128, 1 = 128 or 40, 0 = 40} 73 | #mschap_mppe = {2 = required, 1 = optional, 0 = forbidden} 74 | #mschap_mppe_bits = {2 = 128} 75 | } 76 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/pam: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: f4a91a948637bb2f42f613ed9faa6f9ae9ae6099 $ 4 | 5 | 6 | # Pluggable Authentication Modules 7 | # 8 | # For Linux, see: 9 | # http://www.kernel.org/pub/linux/libs/pam/index.html 10 | # 11 | # WARNING: On many systems, the system PAM libraries have 12 | # memory leaks! We STRONGLY SUGGEST that you do not 13 | # use PAM for authentication, due to those memory leaks. 14 | # 15 | pam { 16 | # 17 | # The name to use for PAM authentication. 18 | # PAM looks in /etc/pam.d/${pam_auth} 19 | # for its configuration. See 'redhat/radiusd-pam' 20 | # for a sample PAM configuration file. 21 | # 22 | # Note that any Pam-Auth attribute set in the 'authorize' 23 | # section will override this one. 24 | # 25 | pam_auth = radiusd 26 | } 27 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/pap: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 0038ecd154840c71ceff33ddfdd936e4e28e0bcd $ 4 | 5 | # PAP module to authenticate users based on their stored password 6 | # 7 | # Supports multiple encryption/hash schemes. See "man rlm_pap" 8 | # for details. 
9 | # 10 | # For instructions on creating the various types of passwords, see: 11 | # 12 | # http://www.openldap.org/faq/data/cache/347.html 13 | pap { 14 | # By default the server will use heuristics to try and automatically 15 | # handle base64 or hex encoded passwords. This behaviour can be 16 | # stopped by setting the following to "no". 17 | # normalise = yes 18 | } 19 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/passwd: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 11bd2246642bf3c080327c7f4a67dc42603f3a6c $ 4 | 5 | # The passwd module allows authorization via any passwd-like 6 | # file, and extraction of any attributes from these files. 7 | # 8 | # See the "smbpasswd" and "etc_group" files for more examples. 9 | # 10 | # parameters are: 11 | # filename - path to file 12 | # 13 | # format - format of a record in the file. This parameter 14 | # correlates a record in the passwd file with RADIUS 15 | # attributes. 16 | # 17 | # A field marked '*' is a key field. That is, the parameter 18 | # with this name from the request is used to search for 19 | # the record in the passwd file 20 | # 21 | # Attributes marked '=' are added to reply_items instead 22 | # of the default configure_items 23 | # 24 | # Attributes marked '~' are added to request_items 25 | # 26 | # A field marked ',' may contain a comma separated list 27 | # of attributes. 28 | # 29 | # hash_size - hashtable size. Setting it to 0 is no longer permitted 30 | # A future version of the server will have the module 31 | # automatically determine the hash size. Having it set 32 | # manually should not be necessary. 33 | # 34 | # allow_multiple_keys - whether multiple records for a key are allowed 35 | # 36 | # ignore_nislike - ignore NIS-related records 37 | # 38 | # delimiter - symbol to use as a field separator in the passwd file; 39 | # in the format string the ':' symbol is always used. 
'\0', '\n' are 40 | # not allowed 41 | # 42 | 43 | # An example configuration for using /etc/passwd. 44 | # 45 | # This is an example which will NOT WORK if you have shadow passwords, 46 | # NIS, etc. The "unix" module is normally responsible for reading 47 | # system passwords. You should use it instead of this example. 48 | # 49 | passwd etc_passwd { 50 | filename = /etc/passwd 51 | format = "*User-Name:Crypt-Password:" 52 | hash_size = 100 53 | ignore_nislike = no 54 | allow_multiple_keys = no 55 | } 56 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/perl: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: a4c166ebc256a9b0007249346bdf615bdd8229df $ 4 | 5 | # Persistent, embedded Perl interpreter. 6 | # 7 | perl { 8 | # 9 | # The Perl script to execute on authorize, authenticate, 10 | # accounting, xlat, etc. This is very similar to using 11 | # 'rlm_exec' module, but it is persistent, and therefore 12 | # faster. 13 | # 14 | filename = ${modconfdir}/${.:instance}/example.pl 15 | 16 | # 17 | # The following hashes are given to the module and 18 | # filled with value-pairs (Attribute names and values) 19 | # 20 | # %RAD_CHECK Check items 21 | # %RAD_REQUEST Attributes from the request 22 | # %RAD_REPLY Attributes for the reply 23 | # %RAD_REQUEST_PROXY Attributes from the proxied request 24 | # %RAD_REQUEST_PROXY_REPLY Attributes from the proxy reply 25 | # 26 | # The interface between FreeRADIUS and Perl is strings. 27 | # That is, attributes of type "octets" are converted to 28 | # printable strings, such as "0xabcdef". If you want to 29 | # access the binary values of the attributes, you should 30 | # call the Perl "pack" function. Then to send any binary 31 | # data back to FreeRADIUS, call the Perl "unpack" function, 32 | # so that the contents of the hashes are printable strings. 33 | # 34 | # IP addresses are sent as strings, e.g. 
"192.0.2.25", and 35 | # not as a 4-byte binary value. The same applies to other 36 | # attribute data types. 37 | # 38 | # Attributes of type "string" are copied to Perl as-is. 39 | # They are not escaped or interpreted. 40 | # 41 | # The return codes from functions in the perl_script 42 | # are passed directly back to the server. These 43 | # codes are defined in mods-config/example.pl 44 | # 45 | 46 | # You can define configuration items (and nested sub-sections) in perl "config" section. 47 | # These items will be accessible in the perl script through %RAD_PERLCONF hash. 48 | # For instance: $RAD_PERLCONF{'name'} $RAD_PERLCONF{'sub-config'}->{'name'} 49 | # 50 | #config { 51 | # name = "value" 52 | # sub-config { 53 | # name = "value of name from config.sub-config" 54 | # } 55 | #} 56 | 57 | # 58 | # List of functions in the module to call. 59 | # Uncomment and change if you want to use function 60 | # names other than the defaults. 61 | # 62 | #func_authenticate = authenticate 63 | #func_authorize = authorize 64 | #func_preacct = preacct 65 | #func_accounting = accounting 66 | #func_checksimul = checksimul 67 | #func_pre_proxy = pre_proxy 68 | #func_post_proxy = post_proxy 69 | #func_post_auth = post_auth 70 | #func_recv_coa = recv_coa 71 | #func_send_coa = send_coa 72 | #func_xlat = xlat 73 | #func_detach = detach 74 | 75 | # 76 | # Uncomment the following lines if you wish 77 | # to use separate functions for Start and Stop 78 | # accounting packets. In that case, the 79 | # func_accounting function is not called. 
80 | # 81 | #func_start_accounting = accounting_start 82 | #func_stop_accounting = accounting_stop 83 | } 84 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/preprocess: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 8baec7961ba75fe52546cb1331868b0b2b1c38f4 $ 4 | 5 | # Preprocess the incoming RADIUS request, before handing it off 6 | # to other modules. 7 | # 8 | # This module processes the 'huntgroups' and 'hints' files. 9 | # In addition, it re-writes some weird attributes created 10 | # by some NAS, and converts the attributes into a form which 11 | # is a little more standard. 12 | # 13 | preprocess { 14 | # Search for files in a subdirectory of mods-config which 15 | # matches this instance of the preprocess module. 16 | moddir = ${modconfdir}/${.:instance} 17 | 18 | huntgroups = ${moddir}/huntgroups 19 | hints = ${moddir}/hints 20 | 21 | # This hack changes Ascend's weird port numbering 22 | # to standard 0-??? port numbers so that the "+" works 23 | # for IP address assignments. 24 | with_ascend_hack = no 25 | ascend_channels_per_line = 23 26 | 27 | # Windows NT machines often authenticate themselves as 28 | # NT_DOMAIN\username 29 | # 30 | # If this is set to 'yes', then the NT_DOMAIN portion 31 | # of the user-name is silently discarded. 32 | # 33 | # This configuration entry SHOULD NOT be used. 34 | # See the "realms" module for a better way to handle 35 | # NT domains. 36 | with_ntdomain_hack = no 37 | 38 | # Specialix Jetstream 8500 24 port access server. 39 | # 40 | # If the user name is 10 characters or longer, a "/" 41 | # and the excess characters after the 10th are 42 | # appended to the user name. 43 | # 44 | # If you're not running that NAS, you don't need 45 | # this hack. 
46 | with_specialix_jetstream_hack = no 47 | 48 | # Cisco (and Quintum in Cisco mode) sends its VSA attributes 49 | # with the attribute name *again* in the string, like: 50 | # 51 | # H323-Attribute = "h323-attribute=value". 52 | # 53 | # If this configuration item is set to 'yes', then 54 | # the redundant data in the attribute text is stripped 55 | # out. The result is: 56 | # 57 | # H323-Attribute = "value" 58 | # 59 | # If you're not running a Cisco or Quintum NAS, you don't 60 | # need this hack. 61 | with_cisco_vsa_hack = no 62 | } 63 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/python: -------------------------------------------------------------------------------- 1 | # 2 | # Make sure the PYTHONPATH environment variable contains the 3 | # directory (or directories) for the modules listed below. 4 | # 5 | # Uncomment any func_* which are included in your module. If 6 | # rlm_python is called for a section which does not have 7 | # a function defined, it will return NOOP. 
8 | # 9 | python { 10 | module = example 11 | 12 | mod_instantiate = ${.module} 13 | # func_instantiate = instantiate 14 | 15 | mod_detach = ${.module} 16 | # func_detach = instantiate 17 | 18 | mod_authorize = ${.module} 19 | # func_authorize = authorize 20 | 21 | mod_authenticate = ${.module} 22 | # func_authenticate = authenticate 23 | 24 | mod_preacct = ${.module} 25 | # func_preacct = preacct 26 | 27 | mod_accounting = ${.module} 28 | # func_accounting = accounting 29 | 30 | mod_checksimul = ${.module} 31 | # func_checksimul = checksimul 32 | 33 | mod_pre_proxy = ${.module} 34 | # func_pre_proxy = pre_proxy 35 | 36 | mod_post_proxy = ${.module} 37 | # func_post_proxy = post_proxy 38 | 39 | mod_post_auth = ${.module} 40 | # func_post_auth = post_auth 41 | 42 | mod_recv_coa = ${.module} 43 | # func_recv_coa = recv_coa 44 | 45 | mod_send_coa = ${.module} 46 | # func_send_coa = send_coa 47 | } 48 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/radutmp: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 82319c033bbf349991a46b8f198a5bf5487b5da8 $ 4 | 5 | # Write a 'utmp' style file, of which users are currently 6 | # logged in, and where they've logged in from. 7 | # 8 | # This file is used mainly for Simultaneous-Use checking, 9 | # and also 'radwho', to see who's currently logged in. 10 | # 11 | radutmp { 12 | # Where the file is stored. It's not a log file, 13 | # so it doesn't need rotating. 14 | # 15 | filename = ${logdir}/radutmp 16 | 17 | # The field in the packet to key on for the 18 | # 'user' name, If you have other fields which you want 19 | # to use to key on to control Simultaneous-Use, 20 | # then you can use them here. 21 | # 22 | # Note, however, that the size of the field in the 23 | # 'utmp' data structure is small, around 32 24 | # characters, so that will limit the possible choices 25 | # of keys. 
26 | # 27 | # You may want instead: %{%{Stripped-User-Name}:-%{User-Name}} 28 | username = %{User-Name} 29 | 30 | 31 | # Whether or not we want to treat "user" the same 32 | # as "USER", or "User". Some systems have problems 33 | # with case sensitivity, so this should be set to 34 | # 'no' to enable the comparisons of the key attribute 35 | # to be case insensitive. 36 | # 37 | case_sensitive = yes 38 | 39 | # Accounting information may be lost, so the user MAY 40 | # have logged off of the NAS, but we haven't noticed. 41 | # If so, we can verify this information with the NAS, 42 | # 43 | # If we want to believe the 'utmp' file, then this 44 | # configuration entry can be set to 'no'. 45 | # 46 | check_with_nas = yes 47 | 48 | # Set the file permissions, as the contents of this file 49 | # are usually private. 50 | permissions = 0600 51 | 52 | caller_id = "yes" 53 | } 54 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/realm: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 36825e0fe77cb515219ba7febc37192988ed9fba $ 4 | 5 | # Realm module, for proxying. 6 | # 7 | # You can have multiple instances of the realm module to 8 | # support multiple realm syntaxes at the same time. The 9 | # search order is defined by the order that the modules are listed 10 | # in the authorize and preacct sections. 11 | # 12 | # Four config options: 13 | # format - must be "prefix" or "suffix" 14 | # The special cases of "DEFAULT" 15 | # and "NULL" are allowed, too. 16 | # delimiter - must be a single character 17 | 18 | # 'realm/username' 19 | # 20 | # Using this entry, IPASS users have their realm set to "IPASS". 21 | realm IPASS { 22 | format = prefix 23 | delimiter = "/" 24 | } 25 | 26 | # 'username@realm' 27 | # 28 | realm suffix { 29 | format = suffix 30 | delimiter = "@" 31 | 32 | # The next 3 configuration items are valid ONLY 33 | # for a trust-router. 
For all other realms, 34 | # they are ignored. 35 | # trust_router = "localhost" 36 | # tr_port = 12309 37 | # rp_realm = "painless-security.com" 38 | # default_community = "apc.moonshot.ja.net" 39 | } 40 | 41 | # 'username%realm' 42 | # 43 | realm realmpercent { 44 | format = suffix 45 | delimiter = "%" 46 | } 47 | 48 | # 49 | # 'domain\user' 50 | # 51 | realm ntdomain { 52 | format = prefix 53 | delimiter = "\\" 54 | } 55 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/redis: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 7952ee4ecebf03496869c88c55a2f32dc689a364 $ 4 | 5 | # 6 | # Configuration file for the "redis" module. This module does nothing 7 | # other than provide connections to a redis database, and a %{redis: ...} 8 | # expansion. 9 | # 10 | redis { 11 | # Host where the redis server is located. 12 | # We recommend using ONLY 127.0.0.1! 13 | server = 127.0.0.1 14 | 15 | # The default port. 16 | port = 6379 17 | 18 | # The password used to authenticate to the server. 19 | # We recommend using a strong password. 20 | # password = thisisreallysecretandhardtoguess 21 | 22 | # Set the connection and query timeout for rlm_redis 23 | query_timeout = 5 24 | 25 | # 26 | # Information for the connection pool. The configuration items 27 | # below are the same for all modules which use the new 28 | # connection pool. 29 | # 30 | pool { 31 | # Connections to create during module instantiation. 32 | # If the server cannot create the specified number of 33 | # connections during instantiation it will exit. 34 | # Set to 0 to allow the server to start without the 35 | # redis server being available. 
36 | start = ${thread[pool].start_servers} 37 | 38 | # Minimum number of connections to keep open 39 | min = ${thread[pool].min_spare_servers} 40 | 41 | # Maximum number of connections 42 | # 43 | # If these connections are all in use and a new one 44 | # is requested, the request will NOT get a connection. 45 | # 46 | # Setting 'max' to LESS than the number of threads means 47 | # that some threads may starve, and you will see errors 48 | # like 'No connections available and at max connection limit' 49 | # 50 | # Setting 'max' to MORE than the number of threads means 51 | # that there are more connections than necessary. 52 | max = ${thread[pool].max_servers} 53 | 54 | # Spare connections to be left idle 55 | # 56 | # NOTE: Idle connections WILL be closed if "idle_timeout" 57 | # is set. This should be less than or equal to "max" above. 58 | spare = ${thread[pool].max_spare_servers} 59 | 60 | # Number of uses before the connection is closed 61 | # 62 | # 0 means "infinite" 63 | uses = 0 64 | 65 | # The number of seconds to wait after the server tries 66 | # to open a connection, and fails. During this time, 67 | # no new connections will be opened. 68 | retry_delay = 30 69 | 70 | # The lifetime (in seconds) of the connection 71 | # 72 | # NOTE: A setting of 0 means infinite (no limit). 73 | lifetime = 86400 74 | 75 | # The pool is checked for free connections every 76 | # "cleanup_interval". If there are free connections, 77 | # then one of them is closed. 78 | cleanup_interval = 300 79 | 80 | # The idle timeout (in seconds). A connection which is 81 | # unused for this length of time will be closed. 82 | # 83 | # NOTE: A setting of 0 means infinite (no timeout). 84 | idle_timeout = 600 85 | 86 | # NOTE: All configuration settings are enforced. If a 87 | # connection is closed because of "idle_timeout", 88 | # "uses", or "lifetime", then the total number of 89 | # connections MAY fall below "min". When that 90 | # happens, it will open a new connection. 
It will 91 | # also log a WARNING message. 92 | # 93 | # The solution is to either lower the "min" connections, 94 | # or increase lifetime/idle_timeout. 95 | } 96 | } 97 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/rediswho: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: dba8c583f08db3490f74127d680c3d7ce5d1c572 $ 4 | 5 | # 6 | # Configuration file for the "rediswho" module. 7 | # 8 | # This module tracks the last set of login sessions for a user. 9 | # 10 | rediswho { 11 | # How many sessions to keep track of per user. 12 | # If there are more than this number, older sessions are deleted. 13 | trim_count = 15 14 | 15 | # Expiry time in seconds. Any sessions which have not received 16 | # an update in this time will be automatically expired. 17 | expire_time = 86400 18 | 19 | # 20 | # Each subsection contains insert / trim / expire queries. 21 | # The subsections are named after the contents of the 22 | # Acct-Status-Type attribute. See dictionary.rfc2866 for names 23 | # of the various Acct-Status-Type values, or look at the output 24 | # of debug mode. 25 | # 26 | # This module supports *any* Acct-Status-Type. Just add a subsection 27 | # of the appropriate name, along with insert / trim / expire queries. 
28 | # 29 | Start { 30 | insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}" 31 | trim = "LTRIM %{User-Name} 0 ${..trim_count}" 32 | expire = "EXPIRE %{User-Name} ${..expire_time}" 33 | } 34 | 35 | Interim-Update { 36 | insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}" 37 | trim = "LTRIM %{User-Name} 0 ${..trim_count}" 38 | expire = "EXPIRE %{User-Name} ${..expire_time}" 39 | } 40 | 41 | Stop { 42 | insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}" 43 | trim = "LTRIM %{User-Name} 0 ${..trim_count}" 44 | expire = "EXPIRE %{User-Name} ${..expire_time}" 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/replicate: -------------------------------------------------------------------------------- 1 | # Replicate packet(s) to a home server. 2 | # 3 | # This module will open a new socket for each packet, and "clone" 4 | # the incoming packet to the destination realm (i.e. home server). 5 | # 6 | # Use it by setting "Replicate-To-Realm = name" in the control list, 7 | # just like Proxy-To-Realm. The configurations for the two attributes 8 | # are identical. The realm must exist, the home_server_pool must exist, 9 | # and the home_server must exist. 10 | # 11 | # The only difference is that the "replicate" module sends requests 12 | # and does not expect a reply. Any reply is ignored. 13 | # 14 | # Both Replicate-To-Realm and Proxy-To-Realm can be used at the same time. 
15 | # 16 | # To use this module, list "replicate" in the "authorize" or 17 | # "accounting" section. Then, ensure that Replicate-To-Realm is set. 18 | # The contents of the "packet" attribute list will be sent to the 19 | # home server. The usual load-balancing, etc. features of the home 20 | # server will be used. 21 | # 22 | # "radmin" can be used to mark home servers alive/dead, in order to 23 | # enable/disable replication to specific servers. 24 | # 25 | # Packets can be replicated to multiple destinations. Just set 26 | # Replicate-To-Realm multiple times. One packet will be sent for 27 | # each of the Replicate-To-Realm attribute in the "control" list. 28 | # 29 | # If no packets are sent, the module returns "noop". If at least one 30 | # packet is sent, the module returns "ok". If an error occurs, the 31 | # module returns "fail" 32 | # 33 | # Note that replication does NOT change any of the packet statistics. 34 | # If you use "radmin" to look at the statistics for a home server, 35 | # the replicated packets will cause NO counters to increment. This 36 | # is not a bug, this is how replication works. 37 | # 38 | replicate { 39 | 40 | } 41 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/smbpasswd: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: d5ad2a06c767f07722dc9b9c4b13d00c26b5a280 $ 4 | 5 | # An example configuration for using /etc/smbpasswd. 6 | # 7 | # See the "passwd" file for documentation on the configuration items 8 | # for this module. 
9 | # 10 | passwd smbpasswd { 11 | filename = /etc/smbpasswd 12 | format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" 13 | hash_size = 100 14 | ignore_nislike = no 15 | allow_multiple_keys = no 16 | } 17 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/smsotp: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 3be32b85f56a84725fe1a6bf508e459dbe6c4e02 $ 4 | 5 | # SMS One-time Password system. 6 | # 7 | # This module will extend FreeRadius with a socket interface to create and 8 | # validate One-Time-Passwords. The program that creates the socket 9 | # and interacts with this module is not included here. 10 | # 11 | # The module does not check the User-Password; this should be done with 12 | # the "pap" module. See the example below. 13 | # 14 | # The module must be used in the "authorize" section to set 15 | # Auth-Type properly. The first time through, the module is called 16 | # in the "authenticate" section to authenticate the user password, and 17 | # to send the challenge. The second time through, it authenticates 18 | # the response to the challenge. e.g.: 19 | # 20 | # authorize { 21 | # ... 22 | # smsotp 23 | # ... 24 | # } 25 | # 26 | # authenticate { 27 | # ... 28 | # Auth-Type smsotp { 29 | # pap 30 | # smsotp 31 | # } 32 | # 33 | # Auth-Type smsotp-reply { 34 | # smsotp 35 | # } 36 | # ... 37 | # } 38 | # 39 | smsotp { 40 | # The location of the socket. 41 | socket = "/var/run/smsotp_socket" 42 | 43 | # Defines the challenge message that will be sent to the 44 | # NAS. Default is "Enter Mobile PIN". 45 | challenge_message = "Enter Mobile PIN:" 46 | 47 | # Defines the Auth-Type section that is run for the response to 48 | # the challenge. Default is "smsotp-reply".
49 | challenge_type = "smsotp-reply" 50 | 51 | # Control how many sockets are used to talk to the SMSOTPd 52 | # 53 | pool { 54 | # Number of connections to start 55 | start = 5 56 | 57 | # Minimum number of connections to keep open 58 | min = 4 59 | 60 | # Maximum number of connections 61 | # 62 | # If these connections are all in use and a new one 63 | # is requested, the request will NOT get a connection. 64 | max = 10 65 | 66 | # Spare connections to be left idle 67 | # 68 | # NOTE: Idle connections WILL be closed if "idle_timeout" 69 | # is set. 70 | spare = 3 71 | 72 | # Number of uses before the connection is closed 73 | # 74 | # 0 means "infinite" 75 | uses = 0 76 | 77 | # The lifetime (in seconds) of the connection 78 | lifetime = 0 79 | 80 | # idle timeout (in seconds). A connection which is 81 | # unused for this length of time will be closed. 82 | idle_timeout = 60 83 | 84 | # NOTE: All configuration settings are enforced. If a 85 | # connection is closed because of "idle_timeout", 86 | # "uses", or "lifetime", then the total number of 87 | # connections MAY fall below "min". When that 88 | # happens, it will open a new connection. It will 89 | # also log a WARNING message. 90 | # 91 | # The solution is to either lower the "min" connections, 92 | # or increase lifetime/idle_timeout. 93 | } 94 | } 95 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/soh: -------------------------------------------------------------------------------- 1 | # SoH module 2 | soh { 3 | dhcp = yes 4 | } 5 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/sometimes: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 3a96622cc938f558b023e1110769a46861716a12 $ 4 | 5 | # 6 | # The "sometimes" module is here for debugging purposes. Each instance 7 | # randomly returns the configured result, or "noop". 
8 | # 9 | # It is based on the "always" module. 10 | sometimes { 11 | rcode = fail 12 | } 13 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/sqlcounter: -------------------------------------------------------------------------------- 1 | # Rather than maintaining separate (GDBM) databases of 2 | # accounting info for each counter, this module uses the data 3 | # stored in the radacct table by the sql modules. This 4 | # module NEVER does any database INSERTs or UPDATEs. It is 5 | # totally dependent on the SQL module to process Accounting 6 | # packets. 7 | # 8 | # The 'sql_module_instance' parameter holds the instance of the sql 9 | # module to use when querying the SQL database. Normally it 10 | # is just "sql". If you define more than one SQL module 11 | # instance (usually for failover situations), you can 12 | # specify which module has access to the Accounting Data 13 | # (radacct table). 14 | # 15 | # The 'reset' parameter defines when the counters are all 16 | # reset to zero. It can be hourly, daily, weekly, monthly or 17 | # never. It can also be user defined. It should be of the 18 | # form: 19 | # num[hdwm] where: 20 | # h: hours, d: days, w: weeks, m: months 21 | # If the letter is omitted, days will be assumed. For example: 22 | # reset = 10h (reset every 10 hours) 23 | # reset = 12 (reset every 12 days) 24 | # 25 | # The 'key' parameter specifies the unique identifier for the 26 | # counter records (usually 'User-Name'). 27 | # 28 | # The 'query' parameter specifies the SQL query used to get 29 | # the current Counter value from the database. There are 2 30 | # parameters that can be used in the query: 31 | # %%b unix time value of beginning of reset period 32 | # %%e unix time value of end of reset period 33 | # 34 | # The 'check_name' parameter is the name of the 'check' 35 | # attribute to use to access the counter in the 'users' file 36 | # or SQL radcheck or radcheckgroup tables.
37 | # 38 | # DEFAULT Max-Daily-Session > 3600, Auth-Type = Reject 39 | # Reply-Message = "You've used up more than one hour today" 40 | # 41 | sqlcounter dailycounter { 42 | sql_module_instance = sql 43 | dialect = ${modules.sql.dialect} 44 | 45 | counter_name = Daily-Session-Time 46 | check_name = Max-Daily-Session 47 | reply_name = Session-Timeout 48 | 49 | key = User-Name 50 | reset = daily 51 | 52 | $INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf 53 | } 54 | 55 | sqlcounter monthlycounter { 56 | sql_module_instance = sql 57 | dialect = ${modules.sql.dialect} 58 | 59 | counter_name = Monthly-Session-Time 60 | check_name = Max-Monthly-Session 61 | reply_name = Session-Timeout 62 | key = User-Name 63 | reset = monthly 64 | 65 | $INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf 66 | } 67 | 68 | sqlcounter noresetcounter { 69 | sql_module_instance = sql 70 | dialect = ${modules.sql.dialect} 71 | 72 | counter_name = Max-All-Session-Time 73 | check_name = Max-All-Session 74 | key = User-Name 75 | reset = never 76 | 77 | $INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf 78 | } 79 | 80 | # 81 | # Set an account to expire T seconds after first login. 82 | # Requires the Expire-After attribute to be set, in seconds. 83 | # You may need to edit raddb/dictionary to add the Expire-After 84 | # attribute. 
85 | sqlcounter expire_on_login { 86 | sql_module_instance = sql 87 | dialect = ${modules.sql.dialect} 88 | 89 | counter_name = Expire-After-Initial-Login 90 | check_name = Expire-After 91 | key = User-Name 92 | reset = never 93 | 94 | $INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf 95 | } 96 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/sqlippool: -------------------------------------------------------------------------------- 1 | # Configuration for the SQL based IP Pool module (rlm_sqlippool) 2 | # 3 | # The database schemas are available at: 4 | # 5 | # raddb/sql/ippool//schema.sql 6 | # 7 | # $Id: 435921fb297812c11060859ce1066248ef53c4df $ 8 | 9 | sqlippool { 10 | # SQL instance to use (from sql.conf) 11 | # 12 | # If you have multiple sql instances, such as "sql sql1 {...}", 13 | # use the *instance* name here: sql1. 14 | sql_module_instance = "sql" 15 | 16 | # This is duplicative of info available in the SQL module, but 17 | # we have to list it here as we do not yet support nested 18 | # reference expansions. 19 | dialect = "mysql" 20 | 21 | # SQL table to use for ippool range and lease info 22 | ippool_table = "radippool" 23 | 24 | # IP lease duration. (Leases expire even if Acct Stop packet is lost) 25 | lease_duration = 3600 26 | 27 | # 28 | # As of 3.0.16, the 'ipv6 = yes' configuration is deprecated. 29 | # You should use the "attribute_name" configuration item 30 | # below, instead. 31 | # 32 | 33 | # 34 | # The attribute to use for IP address assignment. The 35 | # default is Framed-IP-Address. You can change this to any 36 | # attribute which is IPv4 or IPv6. 37 | # 38 | # e.g. Framed-IPv6-Prefix, or Delegated-IPv6-Prefix. 39 | # 40 | # As of 3.0.16, all of the default queries have been updated to use 41 | # this attribute_name. 
So you can do IPv6 address assignment simply 42 | # by putting IPv6 addresses into the pool, and changing the following 43 | # line to "Framed-IPv6-Prefix" 44 | # 45 | # Note that you MUST use separate pools for each attribute. i.e. one pool 46 | # for Framed-IP-Address, a different one for Framed-IPv6-prefix, etc. 47 | # 48 | # This means configuring separate "sqlippool" instances, and different 49 | # "ippool_table" in SQL. Then, populate the pool with addresses and 50 | # it will all just work. 51 | # 52 | attribute_name = Framed-IP-Address 53 | 54 | # 55 | # Assign the IP address, even if the above attribute already exists 56 | # in the reply. 57 | # 58 | # allow_duplicates = no 59 | 60 | # Attribute which should be considered unique per NAS 61 | # 62 | # Using NAS-Port gives behaviour similar to rlm_ippool. (And ACS) 63 | # Using Calling-Station-Id works for NAS that send fixed NAS-Port 64 | # ONLY change this if you know what you are doing! 65 | pool_key = "%{NAS-Port}" 66 | # pool_key = "%{Calling-Station-Id}" 67 | 68 | ################################################################ 69 | # 70 | # WARNING: MySQL (MyISAM) has certain limitations that means it can 71 | # hand out the same IP address to 2 different users. 72 | # 73 | # We suggest using an SQL DB with proper transaction 74 | # support, such as PostgreSQL, or using MySQL 75 | # with InnoDB. 76 | # 77 | ################################################################ 78 | 79 | # These messages are added to the "control" items, as 80 | # Module-Success-Message. They are not logged anywhere else, 81 | # unlike previous versions. If you want to have them logged 82 | # to a file, see the "linelog" module, and create an entry 83 | # which writes Module-Success-Message message. 
84 | # 85 | messages { 86 | exists = "Existing IP: %{reply:${..attribute_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" 87 | 88 | success = "Allocated IP: %{reply:${..attribute_name}} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" 89 | 90 | clear = "Released IP ${..attribute_name} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})" 91 | 92 | failed = "IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" 93 | 94 | nopool = "No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" 95 | } 96 | 97 | $INCLUDE ${modconfdir}/sql/ippool/${dialect}/queries.conf 98 | } 99 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/sradutmp: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 3a2a0e502e76ec00d4ec17e70132448e1547da46 $ 4 | 5 | # "Safe" radutmp - does not contain caller ID, so it can be 6 | # world-readable, and radwho can work for normal users, without 7 | # exposing any information that isn't already exposed by who(1). 8 | # 9 | # This is another 'instance' of the radutmp module, but it is given 10 | # the name "sradutmp" to identify it later in the "accounting" 11 | # section.
12 | radutmp sradutmp { 13 | filename = ${logdir}/sradutmp 14 | permissions = 0644 15 | caller_id = "no" 16 | } 17 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/unbound: -------------------------------------------------------------------------------- 1 | unbound dns { 2 | # filename = "${raddbdir}/mods-config/unbound/default.conf" 3 | # timeout = 3000 4 | } 5 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/unix: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 5165139aaf39d533581161871542b48a6e3e8c42 $ 4 | 5 | # Unix /etc/passwd style authentication 6 | # 7 | # This module calls the system functions to get the "known good" 8 | # password. This password is usually in the "crypt" form, and is 9 | # incompatible with CHAP, MS-CHAP, PEAP, etc. 10 | # 11 | # If passwords are in /etc/shadow, you will need to set the "group" 12 | # configuration in radiusd.conf. Look for "shadow", and follow the 13 | # instructions there. 14 | # 15 | unix { 16 | # 17 | # The location of the "wtmp" file. 18 | # The only use for 'radlast'. If you don't use 19 | # 'radlast', then you can comment out this item. 20 | # 21 | # Note that the radwtmp file may get large! You should 22 | # rotate it (cp /dev/null radwtmp), or just not use it. 23 | # 24 | radwtmp = ${logdir}/radwtmp 25 | } 26 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/unpack: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 2a1e130d315daa247167372773c1994e3200f332 $ 4 | 5 | # 6 | # This module is useful only for 'xlat'. To use it, 7 | # add it to the raddb/mods-enabled/ directory. Then, 8 | # use it on the right-hand side of a variable assignment. 9 | # 10 | # ... 
= "%{unpack:data 1 integer}" 11 | # 12 | # The arguments are three fields: 13 | # 14 | # data 15 | # Either &Attribute-Name 16 | # the name of the attribute to unpack. 17 | # MUST be a "string" or "octets" type. 18 | # 19 | # or 0xabcdef 20 | # e.g. hex data. 21 | # 22 | # 1 23 | # The offset into the string from which 24 | # it starts unpacking. The offset starts 25 | # at zero, for the first attribute. 26 | # 27 | # integer 28 | # the data type to unpack at that offset. 29 | # e.g. integer, ipaddr, byte, short, etc. 30 | # 31 | # e.g. if we have Class = 0x00000001020304, then 32 | # 33 | # %{unpack:&Class 4 short} 34 | # 35 | # will unpack octets 4 and 5 as a "short", which has 36 | # value 0x0304. 37 | # 38 | # This module is used when vendors put multiple fields 39 | # into one attribute of type "octets". 40 | # 41 | unpack { 42 | } 43 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/utf8: -------------------------------------------------------------------------------- 1 | # 2 | # Enforces UTF-8 on strings coming in from the NAS. 3 | # 4 | # An attribute of type "string" containing UTF-8 makes 5 | # the module return NOOP. 6 | # 7 | # An attribute of type "string" containing non-UTF-8 data 8 | # makes the module return FAIL. 9 | # 10 | # This module takes no configuration. 11 | # 12 | utf8 { 13 | 14 | } 15 | -------------------------------------------------------------------------------- /etc/raddb/mods-available/wimax: -------------------------------------------------------------------------------- 1 | # 2 | # The WiMAX module currently takes no configuration. 3 | # 4 | # It should be listed in the "authorize" and "preacct" sections. 5 | # This enables the module to fix the horrible binary version 6 | # of Calling-Station-Id to the normal format, as specified in 7 | # RFC 3580, Section 3.21. 
8 | # 9 | # In order to calculate the various WiMAX keys, the module should 10 | # be listed in the "post-auth" section. If EAP authentication 11 | # has been used, AND the EAP method derives MSK and EMSK, then 12 | # the various WiMAX keys can be calculated. 13 | # 14 | # Some useful things to remember: 15 | # 16 | # WiMAX-MSK = EAP MSK, but is 64 octets. 17 | # 18 | # MIP-RK-1 = HMAC-SHA256(EMSK, "miprk@wimaxforum.org" | 0x00020001) 19 | # MIP-RK-2 = HMAC-SHA256(EMSK, MIP-RK-1 | "miprk@wimaxforum.org" | 0x00020002) 20 | # MIP-RK = MIP-RK-1 | MIP-RK-2 21 | # 22 | # MIP-SPI = first 4 octets of HMAC-SHA256(MIP-RK, "SPI CMIP PMIP") 23 | # plus some magic... you've got to track *all* MIP-SPI's 24 | # on your system! 25 | # 26 | # SPI-CMIP4 = MIP-SPI 27 | # SPI-PMIP4 = MIP-SPI + 1 28 | # SPI-CMIP6 = MIP-SPI + 2 29 | # 30 | # MN-NAI is the Mobile Node NAI. You have to create it, and put 31 | # it into the request or reply as something like: 32 | # 33 | # WiMAX-MN-NAI = "%{User-Name}" 34 | # 35 | # You will also have to have the appropriate IP address (v4 or v6) 36 | # in order to calculate the keys below. 37 | # 38 | # Lifetimes are derived from Session-Timeout. It needs to be set 39 | # to some useful number. 40 | # 41 | # The hash function below H() is HMAC-SHA1. 42 | # 43 | # 44 | # MN-HA-CMIP4 = H(MIP-RK, "CMIP4 MN HA" | HA-IPv4 | MN-NAI) 45 | # 46 | # Where HA-IPv4 is WiMAX-hHA-IP-MIP4 47 | # or maybe WiMAX-vHA-IP-MIP4 48 | # 49 | # Which goes into WiMAX-MN-hHA-MIP4-Key 50 | # or maybe WiMAX-RRQ-MN-HA-Key 51 | # or maybe even WiMAX-vHA-MIP4-Key 52 | # 53 | # The corresponding SPI is SPI-CMIP4, which is MIP-SPI, 54 | # 55 | # which goes into WiMAX-MN-hHA-MIP4-SPI 56 | # or maybe WiMAX-RRQ-MN-HA-SPI 57 | # or even WiMAX-MN-vHA-MIP4-SPI 58 | # 59 | # MN-HA-PMIP4 = H(MIP-RK, "PMIP4 MN HA" | HA-IPv4 | MN-NAI) 60 | # MN-HA-CMIP6 = H(MIP-RK, "CMIP6 MN HA" | HA-IPv6 | MN-NAI) 61 | # 62 | # both with similar comments to above for MN-HA-CMIP4.
63 | # 64 | # In order to tell which one to use (CMIP4, PMIP4, or CMIP6), 65 | # you have to set WiMAX-IP-Technology in the reply to one of 66 | # the appropriate values. 67 | # 68 | # 69 | # FA-RK = H(MIP-RK, "FA-RK") 70 | # 71 | # MN-FA = H(FA-RK, "MN FA" | FA-IP | MN-NAI) 72 | # 73 | # Where does the FA-IP come from? No idea... 74 | # 75 | # 76 | # The next two keys (HA-RK and FA-HA) are not generated 77 | # for every authentication request, but only on demand. 78 | # 79 | # HA-RK = 160-bit random number assigned by the AAA server 80 | # to a specific HA. 81 | # 82 | # FA-HA = H(HA-RK, "FA-HA" | HA-IPv4 | FA-CoAv4 | SPI) 83 | # 84 | # where HA-IPv4 is as above. 85 | # and FA-CoAv4 address of the FA as seen by the HA 86 | # and SPI is the relevant SPI for the HA-RK. 87 | # 88 | # DHCP-RK = 160-bit random number assigned by the AAA server 89 | # to a specific DHCP server. vDHCP-RK is the same 90 | # thing. 91 | # 92 | wimax { 93 | # 94 | # Some WiMAX equipment requires that the MS-MPPE-*-Key 95 | # attributes are sent in the Access-Accept, in addition to 96 | # the WiMAX-MSK attribute. 97 | # 98 | # Other WiMAX equipment request that the MS-MPPE-*-Key 99 | # attributes are NOT sent in the Access-Accept. 100 | # 101 | # By default, the EAP modules sends MS-MPPE-*-Key attributes. 102 | # The default virtual server (raddb/sites-available/default) 103 | # contains examples of adding the WiMAX-MSK. 104 | # 105 | # This configuration option makes the WiMAX module delete 106 | # the MS-MPPE-*-Key attributes. The default is to leave 107 | # them in place. 108 | # 109 | # If the keys are deleted (by setting this to "yes"), then 110 | # the WiMAX-MSK attribute is automatically added to the reply. 
111 | delete_mppe_keys = no 112 | } 113 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/README.rst: -------------------------------------------------------------------------------- 1 | The mods-config Directory 2 | ========================= 3 | 4 | This directory contains module-specific configuration files. These 5 | files are in a format different from the one used by the main 6 | `radiusd.conf` files. Earlier versions of the server had many 7 | module-specific files in the main `raddb` directory. The directory 8 | contained many files, and it was not clear which files did what. 9 | 10 | For Version 3 of FreeRADIUS, we have moved to a consistent naming 11 | scheme. Each module-specific configuration file is placed in this 12 | directory, in a subdirectory named for the module. Where necessary, 13 | files in the subdirectory have been named for the processing section 14 | where they are used. 15 | 16 | For example, the `users` file is now located in 17 | `mods-config/files/authorize`. That filename tells us three things: 18 | 19 | 1. The file is used in the `authorize` section. 20 | 2. The file is used by the `files` module. 21 | 3. It is a "module configuration" file, which is a specific format. 22 | 23 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/attr_filter/access_challenge: -------------------------------------------------------------------------------- 1 | # 2 | # Configuration file for the rlm_attr_filter module. 3 | # Please see rlm_attr_filter(5) manpage for more information. 4 | # 5 | # $Id: 12ed619cf16f7322221ef2dfaf28f9c36c616e3c $ 6 | # 7 | # This configuration file is used to remove almost all of the 8 | # attributes From an Access-Challenge message. The RFCs say 9 | # that an Access-Challenge packet can contain only a few 10 | # attributes. We enforce that here. 
11 | # 12 | DEFAULT 13 | EAP-Message =* ANY, 14 | State =* ANY, 15 | Message-Authenticator =* ANY, 16 | Reply-Message =* ANY, 17 | Proxy-State =* ANY, 18 | Session-Timeout =* ANY, 19 | Idle-Timeout =* ANY 20 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/attr_filter/access_reject: -------------------------------------------------------------------------------- 1 | # 2 | # Configuration file for the rlm_attr_filter module. 3 | # Please see rlm_attr_filter(5) manpage for more information. 4 | # 5 | # $Id: afd89473dc50e4ff62389e35e5cb73b512e9d352 $ 6 | # 7 | # This configuration file is used to remove almost all of the attributes 8 | # From an Access-Reject message. The RFCs say that an Access-Reject 9 | # packet can contain only a few attributes. We enforce that here. 10 | # 11 | DEFAULT 12 | EAP-Message =* ANY, 13 | State =* ANY, 14 | Message-Authenticator =* ANY, 15 | Error-Cause =* ANY, 16 | Reply-Message =* ANY, 17 | MS-CHAP-Error =* ANY, 18 | Proxy-State =* ANY, 19 | FreeRADIUS-Response-Delay =* ANY, 20 | FreeRADIUS-Response-Delay-USec =* ANY 21 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/attr_filter/accounting_response: -------------------------------------------------------------------------------- 1 | # 2 | # Configuration file for the rlm_attr_filter module. 3 | # Please see rlm_attr_filter(5) manpage for more information. 4 | # 5 | # $Id: 01e9c6f5bda7a138f45da5010c624d92b6d398a0 $ 6 | # 7 | # This configuration file is used to remove almost all of the attributes 8 | # From an Accounting-Response message. The RFC's say that an 9 | # Accounting-Response packet can contain only a few attributes. 10 | # We enforce that here. 
11 | # 12 | DEFAULT 13 | Vendor-Specific =* ANY, 14 | Message-Authenticator =* ANY, 15 | Error-Cause =* ANY, 16 | Proxy-State =* ANY 17 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/attr_filter/pre-proxy: -------------------------------------------------------------------------------- 1 | # 2 | # Configuration file for the rlm_attr_filter module. 3 | # Please see rlm_attr_filter(5) manpage for more information. 4 | # 5 | # $Id: 47b01266f44d0475261c6ea16f74ca17d8838749 $ 6 | # 7 | # This file contains security and configuration information 8 | # for each realm. It can be used by an rlm_attr_filter module 9 | # instance to filter attributes before sending packets to the 10 | # home server of a realm. 11 | # 12 | # When a packet is sent to a home server, these attributes 13 | # and values are tested. Only the first match is used unless 14 | # the "Fall-Through" variable is set to "Yes". In that case 15 | # the rules defined in the DEFAULT case are processed as well. 16 | # 17 | # A special realm named "DEFAULT" matches on all realm names. 18 | # You can have only one DEFAULT entry. All entries are processed 19 | # in the order they appear in this file. The first entry that 20 | # matches the login-request will stop processing unless you use 21 | # the Fall-Through variable. 22 | # 23 | # The first line indicates the realm to which the rules apply. 24 | # Indented (with the tab character) lines following the first 25 | # line indicate the filter rules. 26 | # 27 | 28 | # This is a complete entry for the 'nochap' realm. It allows only very 29 | # basic attributes to be sent to the home server. Note that there is no Fall-Through 30 | # entry, so the DEFAULT entry will not be used. Only the listed attributes 31 | # will be sent in the packet; all other attributes will be filtered out.
32 | # 33 | #nochap 34 | # User-Name =* ANY, 35 | # User-Password =* ANY, 36 | # NAS-IP-Address =* ANY, 37 | # NAS-Identifier =* ANY 38 | 39 | # The entry for the 'brokenas' realm removes the attribute NAS-Port-Type 40 | # if its value is different from 'Ethernet'. Then the default rules are 41 | # applied. 42 | # 43 | #brokenas 44 | # NAS-Port-Type == Ethernet 45 | # Fall-Through = Yes 46 | 47 | # The rest of this file contains the DEFAULT entry. 48 | # DEFAULT matches with all realm names. 49 | 50 | DEFAULT 51 | User-Name =* ANY, 52 | User-Password =* ANY, 53 | CHAP-Password =* ANY, 54 | CHAP-Challenge =* ANY, 55 | MS-CHAP-Challenge =* ANY, 56 | MS-CHAP-Response =* ANY, 57 | EAP-Message =* ANY, 58 | Message-Authenticator =* ANY, 59 | State =* ANY, 60 | NAS-IP-Address =* ANY, 61 | NAS-Identifier =* ANY, 62 | Operator-Name =* ANY, 63 | Calling-Station-Id =* ANY, 64 | Chargeable-User-Identity =* ANY, 65 | Proxy-State =* ANY 66 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/files/accounting: -------------------------------------------------------------------------------- 1 | # 2 | # $Id: eaf952a72dc9d19387af4d2056d7f7027b2435e8 $ 3 | # 4 | # This is like the 'users' file, but it is processed only for 5 | # accounting packets. 6 | # 7 | 8 | # Select between different accounting methods based, for example, on the 9 | # Realm, the Huntgroup-Name or any combination of the attribute/value 10 | # pairs contained in an accounting packet. 11 | # 12 | # You will need to add an "Acct-Type foo {...}" subsection to the 13 | # main "accounting" section in order for these sample configurations 14 | # to work.
15 | # 16 | #DEFAULT Realm == "foo.net", Acct-Type := foo 17 | # 18 | #DEFAULT Huntgroup-Name == "wifi", Acct-Type := wifi 19 | # 20 | #DEFAULT Client-IP-Address == 10.0.0.1, Acct-Type := other 21 | # 22 | #DEFAULT Acct-Status-Type == Start, Acct-Type := start 23 | 24 | # Replace the User-Name with the Stripped-User-Name, if it exists. 25 | # 26 | #DEFAULT 27 | # User-Name := "%{%{Stripped-User-Name}:-%{User-Name}}" 28 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/files/pre-proxy: -------------------------------------------------------------------------------- 1 | # 2 | # Configuration file for the rlm_files module. 3 | # Please see rlm_files(5) manpage for more information. 4 | # 5 | # $Id: 7292e23ea51717ee5cb50c4b9b609e91ebe4a41c $ 6 | # 7 | # This file is similar to the "users" file. The check items 8 | # are compared against the request, but the "reply" items are 9 | # used to update the proxied packet, not the reply to the NAS. 10 | # 11 | # You can use this file to re-write requests which are about to 12 | # be sent to a home server. 13 | # 14 | 15 | # 16 | # Requests destined for realm "extisp" are sent to a RADIUS 17 | # home server hosted by another company which doesn't know about 18 | # the IP addresses of our NASes. Therefore we replace the value of 19 | # the NAS-IP-Address attribute with a unique value we communicated 20 | # to them. 21 | # 22 | #DEFAULT Realm == "extisp" 23 | # NAS-IP-Address := 10.1.2.3 24 | 25 | # 26 | # For all proxied packets, set the User-Name in the proxied packet 27 | # to the Stripped-User-Name, if it exists. If not, set it to the 28 | # User-Name from the original request.
29 | # 30 | #DEFAULT 31 | # User-Name := `%{%{Stripped-User-Name}:-%{User-Name}}` 32 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/preprocess/hints: -------------------------------------------------------------------------------- 1 | # hints 2 | # 3 | # The hints file. This file is used to match 4 | # a request, and then add attributes to it. This 5 | # process allows a user to login as "bob.ppp" (for example), 6 | # and receive a PPP connection, even if the NAS doesn't 7 | # ask for PPP. The "hints" file is used to match the 8 | # ".ppp" portion of the username, and to add a set of 9 | # "user requested PPP" attributes to the request. 10 | # 11 | # Matching can take place with the Prefix and Suffix 12 | # attributes, just like in the "users" file. 13 | # These attributes operate ONLY on the username, though. 14 | # 15 | # Note that the attributes that are set for each 16 | # entry are _NOT_ passed back to the terminal server. 17 | # Instead they are added to the information that has 18 | # been _SENT_ by the terminal server. 19 | # 20 | # This extra information can be used in the users file to 21 | # match on. Usually this is done in the DEFAULT entries, 22 | # of which there can be more than one. 23 | # 24 | # In addition, a matching entry can transform a username 25 | # for authentication purposes if the "Strip-User-Name" 26 | # variable is set to Yes in an entry (default is Yes). 27 | # 28 | # A special non-protocol name-value pair called "Hint" 29 | # can be set to match on in the "users" file. 30 | # 31 | # The following is how most ISPs want to set this up.
32 | # 33 | # Version: $Id: f92ffb9f1e5bd0509b2e0e5e015001fda52bdfc3 $ 34 | # 35 | 36 | 37 | DEFAULT Suffix == ".ppp", Strip-User-Name = Yes 38 | Hint = "PPP", 39 | Service-Type = Framed-User, 40 | Framed-Protocol = PPP 41 | 42 | DEFAULT Suffix == ".slip", Strip-User-Name = Yes 43 | Hint = "SLIP", 44 | Service-Type = Framed-User, 45 | Framed-Protocol = SLIP 46 | 47 | DEFAULT Suffix == ".cslip", Strip-User-Name = Yes 48 | Hint = "CSLIP", 49 | Service-Type = Framed-User, 50 | Framed-Protocol = SLIP, 51 | Framed-Compression = Van-Jacobson-TCP-IP 52 | 53 | ###################################################################### 54 | # 55 | # These entries are old, and commented out by default. 56 | # They confuse too many people when "Peter" logs in, and the 57 | # server thinks that the user "eter" is asking for PPP. 58 | # 59 | #DEFAULT Prefix == "U", Strip-User-Name = No 60 | # Hint = "UUCP" 61 | 62 | #DEFAULT Prefix == "P", Strip-User-Name = Yes 63 | # Hint = "PPP", 64 | # Service-Type = Framed-User, 65 | # Framed-Protocol = PPP 66 | 67 | #DEFAULT Prefix == "S", Strip-User-Name = Yes 68 | # Hint = "SLIP", 69 | # Service-Type = Framed-User, 70 | # Framed-Protocol = SLIP 71 | 72 | #DEFAULT Prefix == "C", Strip-User-Name = Yes 73 | # Hint = "CSLIP", 74 | # Service-Type = Framed-User, 75 | # Framed-Protocol = SLIP, 76 | # Framed-Compression = Van-Jacobson-TCP-IP 77 | 78 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/preprocess/huntgroups: -------------------------------------------------------------------------------- 1 | # 2 | # huntgroups This file defines the `huntgroups' that you have. A 3 | # huntgroup is defined by specifying the IP address of 4 | # the NAS and possibly a port. 5 | # 6 | # Matching is done while RADIUS scans the user file; if it 7 | # includes the selection criteria "Huntgroup-Name == XXX" 8 | # the huntgroup is looked up in this file to see if it 9 | # matches. 
There can be multiple definitions of the same 10 | # huntgroup; the first one that matches will be used. 11 | # 12 | # This file can also be used to define restricted access 13 | # to certain huntgroups. The second and following lines 14 | # define the access restrictions (based on username and 15 | # UNIX usergroup) for the huntgroup. 16 | # 17 | 18 | # 19 | # Our POP in Alphen a/d Rijn has 3 terminal servers. Create a Huntgroup-Name 20 | # called Alphen that matches on all three terminal servers. 21 | # 22 | #alphen NAS-IP-Address == 192.0.2.5 23 | #alphen NAS-IP-Address == 192.0.2.6 24 | #alphen NAS-IP-Address == 192.0.2.7 25 | 26 | # 27 | # The POP in Delft consists of only one terminal server. 28 | # 29 | #delft NAS-IP-Address == 198.51.100.5 30 | 31 | # 32 | # Port 0 on the first terminal server in Alphen are connected to 33 | # a huntgroup that is for business users only. Note that only one 34 | # of the username or groupname has to match to get access (OR/OR). 35 | # 36 | # Note that this huntgroup is a subset of the "alphen" huntgroup. 
37 | # 38 | #business NAS-IP-Address == 192.0.2.5, NAS-Port-Id == 0 39 | # User-Name == rogerl, 40 | # User-Name == henks, 41 | # Group == business, 42 | # Group == staff 43 | 44 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf: -------------------------------------------------------------------------------- 1 | # 2 | # This query properly handles calls that span from the 3 | # previous reset period into the current period but 4 | # involves more work for the SQL server than those 5 | # below 6 | # 7 | query = "\ 8 | SELECT SUM(acctsessiontime - GREATEST((%%b - UNIX_TIMESTAMP(acctstarttime)), 0)) \ 9 | FROM radacct \ 10 | WHERE username = '%{${key}}' \ 11 | AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%%b'" 12 | 13 | # 14 | # This query ignores calls that started in a previous 15 | # reset period and continue into this one. But it 16 | # is a little easier on the SQL server 17 | # 18 | #query = "\ 19 | # SELECT SUM(acctsessiontime) \ 20 | # FROM radacct \ 21 | # WHERE username = '%{${key}}' \ 22 | # AND acctstarttime > FROM_UNIXTIME('%%b')" 23 | 24 | # 25 | # This query is the same as above, but demonstrates an 26 | # additional counter parameter '%%e' which is the 27 | # timestamp for the end of the period 28 | # 29 | #query = "\ 30 | # SELECT SUM(acctsessiontime) \ 31 | # FROM radacct \ 32 | # WHERE username = '%{${key}}' \ 33 | # AND acctstarttime BETWEEN FROM_UNIXTIME('%%b') AND FROM_UNIXTIME('%%e')" 34 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf: -------------------------------------------------------------------------------- 1 | query = "\ 2 | SELECT IFNULL( MAX(TIME_TO_SEC(TIMEDIFF(NOW(), acctstarttime))),0) \ 3 | FROM radacct \ 4 | WHERE UserName='%{${key}}' \ 5 | ORDER BY acctstarttime \ 6 | LIMIT 1;" 7 |
-------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf: -------------------------------------------------------------------------------- 1 | # 2 | # This query properly handles calls that span from the 3 | # previous reset period into the current period but 4 | # involves more work for the SQL server than those 5 | # below 6 | # 7 | query = "\ 8 | SELECT SUM(acctsessiontime - GREATEST((%%b - UNIX_TIMESTAMP(acctstarttime)), 0)) \ 9 | FROM radacct \ 10 | WHERE username='%{${key}}' \ 11 | AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%%b'" 12 | 13 | # 14 | # This query ignores calls that started in a previous 15 | # reset period and continue into into this one. But it 16 | # is a little easier on the SQL server 17 | # 18 | #query = "\ 19 | # SELECT SUM(acctsessiontime) \ 20 | # FROM radacct\ 21 | # WHERE username='%{${key}}' \ 22 | # AND acctstarttime > FROM_UNIXTIME('%%b')" 23 | 24 | # 25 | # This query is the same as above, but demonstrates an 26 | # additional counter parameter '%%e' which is the 27 | # timestamp for the end of the period 28 | # 29 | #query = "\ 30 | # SELECT SUM(acctsessiontime) \ 31 | # FROM radacct \ 32 | # WHERE username='%{${key}}' \ 33 | # AND acctstarttime BETWEEN FROM_UNIXTIME('%%b') \ 34 | # AND FROM_UNIXTIME('%%e')" 35 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf: -------------------------------------------------------------------------------- 1 | query = "\ 2 | SELECT IFNULL(SUM(AcctSessionTime),0) \ 3 | FROM radacct \ 4 | WHERE UserName='%{${key}}'" 5 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/counter/postgresql/dailycounter.conf: -------------------------------------------------------------------------------- 1 | # 2 | # This query properly handles calls that span from the 3 | # 
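previous reset period into the current period but
# involves more work for the SQL server than those
# below
#
# AcctStartTime is turned into a Unix epoch with EXTRACT(EPOCH ...)
# instead of the ::ABSTIME::INT4 cast: the abstime type was removed in
# PostgreSQL 12. GREATEST() is the PostgreSQL function that clamps the
# already-elapsed part of a session to zero (there is no GREATER()).
#
query = "\
	SELECT SUM(AcctSessionTime - GREATEST((%%b - EXTRACT(EPOCH FROM AcctStartTime)::INT4), 0)) \
	FROM radacct \
	WHERE UserName='%{${key}}' \
	AND EXTRACT(EPOCH FROM AcctStartTime)::INT4 + AcctSessionTime > '%%b'"

#
# This query ignores calls that started in a previous
# reset period and continue into this one. But it
# is a little easier on the SQL server
#
#query = "\
#	SELECT SUM(AcctSessionTime) \
#	FROM radacct \
#	WHERE UserName='%{${key}}' \
#	AND EXTRACT(EPOCH FROM AcctStartTime)::INT4 > '%%b'"

#
# This query is the same as above, but demonstrates an
# additional counter parameter '%%e' which is the
# timestamp for the end of the period
#
#query = "\
#	SELECT SUM(AcctSessionTime) \
#	FROM radacct \
#	WHERE UserName='%{${key}}' \
#	AND EXTRACT(EPOCH FROM AcctStartTime)::INT4 BETWEEN '%%b' \
#	AND '%%e'"
-------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/counter/postgresql/expire_on_login.conf: --------------------------------------------------------------------------------
#
# Seconds elapsed since the user's earliest accounting record
# (ORDER BY acctstarttime, LIMIT 1), used for "expire N seconds after
# first login" style counters.
#
query = "\
	SELECT EXTRACT(EPOCH FROM (NOW() - acctstarttime)) \
	FROM radacct \
	WHERE UserName='%{${key}}' \
	ORDER BY acctstarttime \
	LIMIT 1;"
-------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/counter/postgresql/monthlycounter.conf: --------------------------------------------------------------------------------
#
# This query properly handles calls that span from the
# previous reset period into the current period but
# involves more work for the SQL server than those
# below
#
# EXTRACT(EPOCH ...) replaces the ::ABSTIME::INT4 cast (abstime was
# removed in PostgreSQL 12) and GREATEST() is the correct PostgreSQL
# function name.
#
query = "\
	SELECT SUM(AcctSessionTime - GREATEST((%%b - EXTRACT(EPOCH FROM AcctStartTime)::INT4), 0)) \
	FROM radacct \
	WHERE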
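UserName='%{${key}}' \
	AND EXTRACT(EPOCH FROM AcctStartTime)::INT4 + AcctSessionTime > '%%b'"

#
# This query ignores calls that started in a previous
# reset period and continue into this one. But it
# is a little easier on the SQL server
#
# EXTRACT(EPOCH ...) is used instead of the ::ABSTIME::INT4 cast,
# which stopped working when PostgreSQL 12 removed the abstime type.
#
#query = "\
#	SELECT SUM(AcctSessionTime) \
#	FROM radacct \
#	WHERE UserName='%{${key}}' \
#	AND EXTRACT(EPOCH FROM AcctStartTime)::INT4 > '%%b'"

#
# This query is the same as above, but demonstrates an
# additional counter parameter '%%e' which is the
# timestamp for the end of the period
#
#query = "\
#	SELECT SUM(AcctSessionTime) \
#	FROM radacct \
#	WHERE UserName='%{${key}}' \
#	AND EXTRACT(EPOCH FROM AcctStartTime)::INT4 BETWEEN '%%b' AND '%%e'"
-------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/counter/postgresql/noresetcounter.conf: --------------------------------------------------------------------------------
#
# Total accounted session time for the user, never reset.
# COALESCE() yields 0 rather than NULL when the user has no radacct
# rows, matching the IFNULL() used by the mysql and sqlite variants.
#
query = "\
	SELECT COALESCE(SUM(AcctSessionTime), 0) \
	FROM radacct \
	WHERE UserName='%{${key}}'"
-------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/counter/sqlite/dailycounter.conf: --------------------------------------------------------------------------------
#
# This query properly handles calls that span from the
# previous reset period into the current period but
# involves more work for the SQL server than those
# below
#
# SQLite has no GREATEST(); its two-argument scalar MAX() is the
# equivalent and clamps the already-elapsed part of a session to zero.
#
query = "\
	SELECT SUM(acctsessiontime - MAX((%%b - strftime('%%s', acctstarttime)), 0)) \
	FROM radacct \
	WHERE username = '%{${key}}' \
	AND (strftime('%%s', acctstarttime) + acctsessiontime) > %%b"

#
# This query ignores calls that started in a previous
# reset period and continue into this one.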
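But it
# is a little easier on the SQL server
#
# acctstarttime is stored as a datetime string, so it is converted with
# strftime('%%s', ...) before being compared with the epoch value %%b;
# comparing the raw text column with an integer is always true in
# SQLite and would count every session.
#
#query = "\
#	SELECT SUM(acctsessiontime) \
#	FROM radacct \
#	WHERE username = '%{${key}}' \
#	AND strftime('%%s', acctstarttime) > %%b"

#
# This query is the same as above, but demonstrates an
# additional counter parameter '%%e' which is the
# timestamp for the end of the period
#
#query = "\
#	SELECT SUM(acctsessiontime) \
#	FROM radacct \
#	WHERE username = '%{${key}}' \
#	AND strftime('%%s', acctstarttime) BETWEEN %%b \
#	AND %%e"
-------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/counter/sqlite/expire_on_login.conf: --------------------------------------------------------------------------------
#
# Seconds elapsed since the user's earliest accounting record
# (ORDER BY acctstarttime, LIMIT 1).
#
# SQLite has neither NOW() nor GREATEST(): 'now' is the strftime()
# modifier for the current time, and the two-argument scalar MAX()
# clamps the result at 0.
#
query = "\
	SELECT MAX(strftime('%%s', 'now') - strftime('%%s', acctstarttime), 0) AS expires \
	FROM radacct \
	WHERE username = '%{${key}}' \
	ORDER BY acctstarttime \
	LIMIT 1;"
-------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/counter/sqlite/monthlycounter.conf: --------------------------------------------------------------------------------
#
# This query properly handles calls that span from the
# previous reset period into the current period but
# involves more work for the SQL server than those
# below
#
# SQLite has no GREATEST(); its two-argument scalar MAX() is the
# equivalent and clamps the already-elapsed part of a session to zero.
#
query = "\
	SELECT SUM(acctsessiontime - MAX((%%b - strftime('%%s', acctstarttime)), 0)) \
	FROM radacct \
	WHERE username = '%{${key}}' AND \
	(strftime('%%s', acctstarttime) + acctsessiontime) > %%b"

#
# This query ignores calls that started in a previous
# reset period and continue into this one.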
But it 16 | # is a little easier on the SQL server 17 | # 18 | #query = "\ 19 | # SELECT SUM(acctsessiontime) \ 20 | # FROM radacct \ 21 | # WHERE username = '%{${key}}' \ 22 | # AND acctstarttime > %%b" 23 | 24 | # 25 | # This query is the same as above, but demonstrates an 26 | # additional counter parameter '%%e' which is the 27 | # timestamp for the end of the period 28 | # 29 | #query = "\ 30 | # SELECT SUM(acctsessiontime) \ 31 | # FROM radacct \ 32 | # WHERE username = '%{${key}}' \ 33 | # AND acctstarttime BETWEEN %%b \ 34 | # AND %%e" 35 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/counter/sqlite/noresetcounter.conf: -------------------------------------------------------------------------------- 1 | query = "\ 2 | SELECT IFNULL(SUM(acctsessiontime),0) \ 3 | FROM radacct \ 4 | WHERE username = '%{${key}}'" 5 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/cui/mysql/queries.conf: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # cui/mysql/queries.conf -- Queries to update a MySQL CUI table. 
4 | # 5 | # $Id: f8f18cab562e7321756cd1f3411bbc9897ef3377 $ 6 | 7 | post-auth { 8 | query = "\ 9 | INSERT IGNORE INTO ${..cui_table} \ 10 | (clientipaddress, callingstationid, username, cui, lastaccounting) \ 11 | VALUES \ 12 | ('%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}', '%{Calling-Station-Id}', \ 13 | '%{User-Name}', '%{reply:Chargeable-User-Identity}', NULL) \ 14 | ON DUPLICATE KEY UPDATE \ 15 | lastaccounting='0000-00-00 00:00:00', \ 16 | cui='%{reply:Chargeable-User-Identity}'" 17 | 18 | } 19 | 20 | accounting { 21 | reference = "%{tolower:type.%{Acct-Status-Type}.query}" 22 | type { 23 | start { 24 | query = "\ 25 | UPDATE ${....cui_table} SET \ 26 | lastaccounting = CURRENT_TIMESTAMP \ 27 | WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \ 28 | AND callingstationid = '%{Calling-Station-Id}' \ 29 | AND username = '%{User-Name}' \ 30 | AND cui = '%{Chargeable-User-Identity}'" 31 | } 32 | interim-update { 33 | query ="\ 34 | UPDATE ${....cui_table} SET \ 35 | lastaccounting = CURRENT_TIMESTAMP \ 36 | WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \ 37 | AND callingstationid = '%{Calling-Station-Id}' \ 38 | AND username = '%{User-Name}' \ 39 | AND cui = '%{Chargeable-User-Identity}'" 40 | } 41 | stop { 42 | query ="\ 43 | DELETE FROM ${....cui_table} \ 44 | WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \ 45 | AND callingstationid = '%{Calling-Station-Id}' \ 46 | AND username = '%{User-Name}' \ 47 | AND cui = '%{Chargeable-User-Identity}'" 48 | } 49 | } 50 | } 51 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/cui/mysql/schema.sql: -------------------------------------------------------------------------------- 1 | CREATE TABLE `cui` ( 2 | `clientipaddress` varchar(46) NOT NULL default '', 3 | `callingstationid` varchar(50) NOT NULL default '', 4 | `username` varchar(64) NOT NULL 
default '', 5 | `cui` varchar(32) NOT NULL default '', 6 | `creationdate` timestamp NOT NULL default CURRENT_TIMESTAMP, 7 | `lastaccounting` timestamp NOT NULL default '0000-00-00 00:00:00', 8 | PRIMARY KEY (`username`,`clientipaddress`,`callingstationid`) 9 | ) ENGINE=InnoDB DEFAULT CHARSET=utf8; 10 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/cui/postgresql/queries.conf: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # cui/postgresql/queries.conf -- Queries to update a PostgreSQL CUI table. 4 | # 5 | # $Id: 6c2215f0abbe5cb30658ea541d525fd7a274c547 $ 6 | 7 | post-auth { 8 | query = "\ 9 | INSERT INTO ${..cui_table} \ 10 | (clientipaddress, callingstationid, username, cui) \ 11 | VALUES \ 12 | ('%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}', '%{Calling-Station-Id}', \ 13 | '%{User-Name}', '%{reply:Chargeable-User-Identity}')" 14 | 15 | } 16 | 17 | accounting { 18 | reference = "%{tolower:type.%{Acct-Status-Type}.query}" 19 | type { 20 | start { 21 | query = "\ 22 | UPDATE ${....cui_table} SET \ 23 | lastaccounting = now() \ 24 | WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \ 25 | AND callingstationid = '%{Calling-Station-Id}' \ 26 | AND username = '%{User-Name}' \ 27 | AND cui = '%{Chargeable-User-Identity}'" 28 | } 29 | interim-update { 30 | query ="\ 31 | UPDATE ${....cui_table} SET \ 32 | lastaccounting = now() \ 33 | WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \ 34 | AND callingstationid = '%{Calling-Station-Id}' \ 35 | AND username = '%{User-Name}' \ 36 | AND cui = '%{Chargeable-User-Identity}'" 37 | } 38 | stop { 39 | query ="\ 40 | DELETE FROM ${....cui_table} \ 41 | WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \ 42 | AND callingstationid = '%{Calling-Station-Id}' \ 43 | AND username = '%{User-Name}' \ 44 | AND 
cui = '%{Chargeable-User-Identity}'" 45 | } 46 | } 47 | } 48 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/cui/postgresql/schema.sql: -------------------------------------------------------------------------------- 1 | CREATE TABLE cui ( 2 | clientipaddress INET NOT NULL DEFAULT '0.0.0.0', 3 | callingstationid varchar(50) NOT NULL DEFAULT '', 4 | username varchar(64) NOT NULL DEFAULT '', 5 | cui varchar(32) NOT NULL DEFAULT '', 6 | creationdate TIMESTAMP with time zone NOT NULL default 'now()', 7 | lastaccounting TIMESTAMP with time zone NOT NULL default '-infinity'::timestamp, 8 | PRIMARY KEY (username, clientipaddress, callingstationid) 9 | ); 10 | 11 | CREATE RULE postauth_query AS ON INSERT TO cui 12 | WHERE EXISTS(SELECT 1 FROM cui WHERE (username, clientipaddress, callingstationid)=(NEW.username, NEW.clientipaddress, NEW.callingstationid)) 13 | DO INSTEAD UPDATE cui SET lastaccounting ='-infinity'::timestamp with time zone, cui=NEW.cui WHERE (username, clientipaddress, callingstationid)=(NEW.username, NEW.clientipaddress, NEW.callingstationid); 14 | 15 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/cui/sqlite/queries.conf: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # cui/sqlite/queries.conf -- Queries to update a sqlite CUI table. 
4 | # 5 | # $Id: 41741eb70ae9c428ba5230aaf9d9b84f95c050a9 $ 6 | 7 | post-auth { 8 | query = "\ 9 | INSERT OR REPLACE INTO ${..cui_table} \ 10 | (clientipaddress, callingstationid, username, cui, lastaccounting) \ 11 | VALUES \ 12 | ('%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}', '%{Calling-Station-Id}', \ 13 | '%{User-Name}', '%{reply:Chargeable-User-Identity}', NULL)" 14 | 15 | } 16 | 17 | accounting { 18 | reference = "%{tolower:type.%{Acct-Status-Type}.query}" 19 | type { 20 | start { 21 | query = "\ 22 | UPDATE ${....cui_table} SET \ 23 | lastaccounting = CURRENT_TIMESTAMP \ 24 | WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \ 25 | AND callingstationid = '%{Calling-Station-Id}' \ 26 | AND username = '%{User-Name}' \ 27 | AND cui = '%{Chargeable-User-Identity}'" 28 | } 29 | interim-update { 30 | query ="\ 31 | UPDATE ${....cui_table} SET \ 32 | lastaccounting = CURRENT_TIMESTAMP \ 33 | WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \ 34 | AND callingstationid = '%{Calling-Station-Id}' \ 35 | AND username = '%{User-Name}' \ 36 | AND cui = '%{Chargeable-User-Identity}'" 37 | } 38 | stop { 39 | query ="\ 40 | DELETE FROM ${....cui_table} \ 41 | WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \ 42 | AND callingstationid = '%{Calling-Station-Id}' \ 43 | AND username = '%{User-Name}' \ 44 | AND cui = '%{Chargeable-User-Identity}'" 45 | } 46 | } 47 | } 48 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/cui/sqlite/schema.sql: -------------------------------------------------------------------------------- 1 | CREATE TABLE `cui` ( 2 | `clientipaddress` varchar(46) NOT NULL default '', 3 | `callingstationid` varchar(50) NOT NULL default '', 4 | `username` varchar(64) NOT NULL default '', 5 | `cui` varchar(32) NOT NULL default '', 6 | `creationdate` timestamp NOT NULL default CURRENT_TIMESTAMP, 7 
| `lastaccounting` timestamp NOT NULL default '0000-00-00 00:00:00', 8 | PRIMARY KEY (`username`,`clientipaddress`,`callingstationid`) 9 | ); 10 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql: -------------------------------------------------------------------------------- 1 | # 2 | # Table structure for table 'radippool' 3 | # 4 | CREATE TABLE radippool ( 5 | id int(11) unsigned NOT NULL auto_increment, 6 | pool_name varchar(30) NOT NULL, 7 | framedipaddress varchar(15) NOT NULL default '', 8 | nasipaddress varchar(15) NOT NULL default '', 9 | calledstationid VARCHAR(30) NOT NULL, 10 | callingstationid VARCHAR(30) NOT NULL, 11 | expiry_time DATETIME NULL default NULL, 12 | username varchar(64) NOT NULL default '', 13 | pool_key varchar(30) NOT NULL, 14 | PRIMARY KEY (id), 15 | KEY radippool_poolname_expire (pool_name, expiry_time), 16 | KEY callingstationid (callingstationid), 17 | KEY framedipaddress (framedipaddress), 18 | KEY radippool_nasip_poolkey_ipaddress (nasipaddress, pool_key, framedipaddress) 19 | ) ENGINE=InnoDB; 20 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/ippool-dhcp/oracle/schema.sql: -------------------------------------------------------------------------------- 1 | CREATE TABLE radippool ( 2 | id INT PRIMARY KEY, 3 | pool_name VARCHAR(30) NOT NULL, 4 | framedipaddress VARCHAR(30) NOT NULL, 5 | nasipaddress VARCHAR(30) NOT NULL, 6 | pool_key VARCHAR(64) NOT NULL, 7 | calledstationid VARCHAR(64), 8 | callingstationid VARCHAR(64) NOT NULL, 9 | expiry_time TIMESTAMP(0) NOT NULL, 10 | username VARCHAR(100) 11 | ); 12 | 13 | CREATE INDEX radippool_poolname_ipaddr ON radippool (pool_name, framedipaddress); 14 | CREATE INDEX radippool_poolname_expire ON radippool (pool_name, expiry_time); 15 | CREATE INDEX radippool_nasipaddr_key ON radippool (nasipaddress, pool_key); 16 | CREATE INDEX 
radippool_nasipaddr_calling ON radippool (nasipaddress, callingstationid); 17 | 18 | CREATE SEQUENCE radippool_seq START WITH 1 INCREMENT BY 1; 19 | 20 | CREATE OR REPLACE TRIGGER radippool_serialnumber 21 | BEFORE INSERT OR UPDATE OF id ON radippool 22 | FOR EACH ROW 23 | BEGIN 24 | IF ( :NEW.id = 0 OR :NEW.id IS NULL ) THEN 25 | SELECT radippool_seq.NEXTVAL INTO :NEW.id FROM dual; 26 | END IF; 27 | END; 28 | / 29 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/ippool-dhcp/sqlite/schema.sql: -------------------------------------------------------------------------------- 1 | CREATE TABLE radippool ( 2 | id int PRIMARY KEY, 3 | pool_name varchar(30) NOT NULL, 4 | framedipaddress varchar(30) NOT NULL, 5 | nasipaddress varchar(30) NOT NULL DEFAULT '', 6 | pool_key varchar(64) NOT NULL DEFAULT '', 7 | calledstationid varchar(64), 8 | callingstationid varchar(64) NOT NULL DEFAULT '', 9 | expiry_time timestamp DEFAULT NULL, 10 | username varchar(100) 11 | ); 12 | 13 | -- Example of how to put IPs in the pool 14 | -- INSERT INTO radippool (id, pool_name, framedipaddress) VALUES (1, 'local', '192.168.5.10'); 15 | -- INSERT INTO radippool (id, pool_name, framedipaddress) VALUES (2, 'local', '192.168.5.11'); 16 | -- INSERT INTO radippool (id, pool_name, framedipaddress) VALUES (3, 'local', '192.168.5.12'); 17 | -- INSERT INTO radippool (id, pool_name, framedipaddress) VALUES (4, 'local', '192.168.5.13'); 18 | 19 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/ippool/mysql/schema.sql: -------------------------------------------------------------------------------- 1 | # 2 | # Table structure for table 'radippool' 3 | # 4 | CREATE TABLE radippool ( 5 | id int(11) unsigned NOT NULL auto_increment, 6 | pool_name varchar(30) NOT NULL, 7 | framedipaddress varchar(15) NOT NULL default '', 8 | nasipaddress varchar(15) NOT NULL default '', 9 | calledstationid 
VARCHAR(30) NOT NULL, 10 | callingstationid VARCHAR(30) NOT NULL, 11 | expiry_time DATETIME NULL default NULL, 12 | username varchar(64) NOT NULL default '', 13 | pool_key varchar(30) NOT NULL, 14 | PRIMARY KEY (id), 15 | KEY radippool_poolname_expire (pool_name, expiry_time), 16 | KEY framedipaddress (framedipaddress), 17 | KEY radippool_nasip_poolkey_ipaddress (nasipaddress, pool_key, framedipaddress) 18 | ) ENGINE=InnoDB; 19 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/ippool/oracle/procedures.sql: -------------------------------------------------------------------------------- 1 | CREATE OR REPLACE FUNCTION msqlippool(user varchar2, pool varchar2) 2 | RETURN varchar2 IS 3 | 4 | PRAGMA AUTONOMOUS_TRANSACTION; 5 | ip_temp varchar2(20); 6 | BEGIN 7 | 8 | -- If the user's pool is dynamic, get an ipaddress (oldest one) from the corresponding pool 9 | 10 | if pool = 'Dynamic' then 11 | select framedipaddress into ip_temp from (select framedipaddress from radippool where expiry_time < current_timestamp and pool_name = pool ORDER BY expiry_time) where rownum = 1; 12 | return (ip_temp); 13 | 14 | -- Else, then get the static ipaddress for that user from the corresponding pool 15 | 16 | else 17 | select framedipaddress into ip_temp from radippool where username = user and pool_name = pool; 18 | return (ip_temp); 19 | end if; 20 | 21 | exception 22 | 23 | -- This block is executed if there's no free ipaddresses or no static ip assigned to the user 24 | 25 | when NO_DATA_FOUND then 26 | if pool = 'Dynamic' then 27 | return(''); -- so sqlippool can log it on radius.log 28 | end if; 29 | 30 | -- Else, grabs a free IP from the static pool and saves it in radippool so the user will always get the same IP the next time 31 | 32 | select framedipaddress into ip_temp from (select framedipaddress from radippool where expiry_time < current_timestamp and username is null and pool_name = pool) where rownum = 1; 33 | 
UPDATE radippool SET username = user where framedipaddress = ip_temp; 34 | commit; 35 | return (ip_temp); 36 | 37 | when others 38 | then return('Oracle Exception'); 39 | 40 | END; 41 | / 42 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/ippool/oracle/schema.sql: -------------------------------------------------------------------------------- 1 | CREATE TABLE radippool ( 2 | id INT PRIMARY KEY, 3 | pool_name VARCHAR(30) NOT NULL, 4 | framedipaddress VARCHAR(30) NOT NULL, 5 | nasipaddress VARCHAR(30) NOT NULL, 6 | pool_key INT NOT NULL, 7 | CalledStationId VARCHAR(64), 8 | CallingStationId VARCHAR(64) NOT NULL, 9 | expiry_time timestamp(0) NOT NULL, 10 | username VARCHAR(100) 11 | ); 12 | 13 | CREATE INDEX radippool_poolname_ipaadr ON radippool (pool_name, framedipaddress); 14 | CREATE INDEX radippool_poolname_expire ON radippool (pool_name, expiry_time); 15 | CREATE INDEX radippool_nasipaddr_key ON radippool (nasipaddress, pool_key); 16 | CREATE INDEX radippool_nasipaddr_calling ON radippool (nasipaddress, callingstationid); 17 | 18 | CREATE SEQUENCE radippool_seq START WITH 1 INCREMENT BY 1; 19 | 20 | CREATE OR REPLACE TRIGGER radippool_serialnumber 21 | BEFORE INSERT OR UPDATE OF id ON radippool 22 | FOR EACH ROW 23 | BEGIN 24 | if ( :new.id = 0 or :new.id is null ) then 25 | SELECT radippool_seq.nextval into :new.id from dual; 26 | end if; 27 | END; 28 | / 29 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/ippool/postgresql/schema.sql: -------------------------------------------------------------------------------- 1 | -- 2 | -- Table structure for table 'radippool' 3 | -- 4 | 5 | CREATE TABLE radippool ( 6 | id BIGSERIAL PRIMARY KEY, 7 | pool_name varchar(64) NOT NULL, 8 | FramedIPAddress INET NOT NULL, 9 | NASIPAddress VARCHAR(16) NOT NULL default '', 10 | pool_key VARCHAR(64) NOT NULL default 0, 11 | CalledStationId VARCHAR(64), 12 | 
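CallingStationId text NOT NULL default ''::text,
	-- NOW() is evaluated for every INSERT. The literal 'now'::timestamp(0)
	-- is resolved to a constant when the CREATE TABLE is parsed, which
	-- would freeze the default at table-creation time.
	expiry_time TIMESTAMP(0) without time zone NOT NULL default NOW(),
	username text DEFAULT ''::text
);

CREATE INDEX radippool_poolname_expire ON radippool USING btree (pool_name, expiry_time);
CREATE INDEX radippool_framedipaddress ON radippool USING btree (framedipaddress);
CREATE INDEX radippool_nasip_poolkey_ipaddress ON radippool USING btree (nasipaddress, pool_key, framedipaddress);
-------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/ippool/sqlite/schema.sql: --------------------------------------------------------------------------------
--
-- Table structure for table 'radippool'
--
-- The table must carry its name: the CREATE INDEX statements below
-- refer to it as radippool, and the sqlippool queries expect it.
--
CREATE TABLE radippool (
	id int(11) PRIMARY KEY,
	pool_name varchar(30) NOT NULL,
	framedipaddress varchar(15) NOT NULL default '',
	nasipaddress varchar(15) NOT NULL default '',
	calledstationid VARCHAR(30) NOT NULL,
	callingstationid VARCHAR(30) NOT NULL,
	expiry_time DATETIME NULL default NULL,
	username varchar(64) NOT NULL default '',
	pool_key varchar(30) NOT NULL
);

CREATE INDEX radippool_poolname_expire ON radippool(pool_name, expiry_time);
CREATE INDEX radippool_framedipaddress ON radippool(framedipaddress);
CREATE INDEX radippool_nasip_poolkey_ipaddress ON radippool(nasipaddress, pool_key, framedipaddress);
-------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/main/mysql/extras/wimax/queries.conf: --------------------------------------------------------------------------------
# -*- text -*-
##
## wimax.conf -- MySQL configuration for WiMAX keying
##
## $Id: 26942305017c59d4589d0645cfc79405b98b4c6a $

# Safe characters list for sql queries. Everything else is replaced
# with their mime-encoded equivalents.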
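# The default list should be ok
#safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"

#######################################################################
# Query config: Username
#######################################################################
# This is the username that will get substituted, escaped, and added
# as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used below
# everywhere a username substitution is needed so you can be sure
# the username passed from the client is escaped properly.
#
# Uncomment the next line, if you want the sql_user_name to mean:
#
# Use Stripped-User-Name, if it's there.
# Else use User-Name, if it's there,
# Else use hard-coded string "DEFAULT" as the user name.
#sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}"
#
sql_user_name = "%{User-Name}"

#######################################################################
# Logging of WiMAX SPI -> key mappings
#######################################################################
# postauth_query - Insert some info after authentication
#
# Records which MIP key was handed out for which SPI, so the target
# table holds key material (see schema.sql).
#
# The username column is filled from '%{SQL-User-Name}', the escaped
# form described above, rather than the raw User-Name.
#
# The comma after '%S' is required: MySQL concatenates adjacent string
# literals, so without it authdate and spi collapse into one value and
# the VALUES list is one column short.
#
# NOTE(review): the other query files in this tree (e.g. cui/*/queries.conf)
# use the "post-auth { query = ... }" section form; confirm that the
# legacy "postauth_query" name below is honoured by the server version
# in use.
#######################################################################

postauth_query = "INSERT INTO wimax \
	(username, authdate, spi, mipkey, lifetime) \
	VALUES ( \
	'%{SQL-User-Name}', '%S', \
	'%{%{reply:WiMAX-MN-hHA-MIP4-SPI}:-%{reply:WiMAX-MN-hHA-MIP6-SPI}}', \
	'%{%{reply:WiMAX-MN-hHA-MIP4-Key}:-%{reply:WiMAX-MN-hHA-MIP6-Key}}', '%{%{reply:Session-Timeout}:-86400}' )"
-------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/main/mysql/extras/wimax/schema.sql: --------------------------------------------------------------------------------
#
# WiMAX Table structure for table 'wimax',
# which replaces the "radpostauth" table.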
4 | # NOTE: mipkey stores MIP key material, so this table should be protected like a credential store. 5 | 6 | CREATE TABLE wimax ( 7 | id int(11) NOT NULL auto_increment, 8 | username varchar(64) NOT NULL default '', 9 | authdate timestamp NOT NULL, 10 | spi varchar(16) NOT NULL default '', 11 | mipkey varchar(400) NOT NULL default '', 12 | lifetime int(12) default NULL, 13 | PRIMARY KEY (id), 14 | KEY username (username), 15 | KEY spi (spi) 16 | ) ; 17 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/main/mysql/setup.sql: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | ## 3 | ## admin.sql -- MySQL commands for creating the RADIUS user. 4 | ## 5 | ## WARNING: You should change 'localhost' and 'radpass' 6 | ## to something else. Also update raddb/sql.conf 7 | ## with the new RADIUS password. 8 | ## 9 | ## $Id: aff0505a473c67b65cfc19fae079454a36d4e119 $ 10 | 11 | # 12 | # Create default administrator for RADIUS 13 | # NOTE(review): the PASSWORD() function is not accepted by MySQL 8.0 and later; on such servers use CREATE USER ... IDENTIFIED BY instead. Confirm the target server version. 14 | CREATE USER 'radius'@'localhost'; 15 | SET PASSWORD FOR 'radius'@'localhost' = PASSWORD('radpass'); 16 | 17 | # The server can read any table in SQL 18 | GRANT SELECT ON radius.* TO 'radius'@'localhost'; 19 | 20 | # The server can write to the accounting and post-auth logging table. 21 | # 22 | # i.e. 23 | GRANT ALL on radius.radacct TO 'radius'@'localhost'; 24 | GRANT ALL on radius.radpostauth TO 'radius'@'localhost'; 25 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/main/ndb/README: -------------------------------------------------------------------------------- 1 | The SQL schema and 'create admin user" scripts are here in order to 2 | simplify the process of using MySQL cluster. 3 | 4 | The queries are NOT located here, because the database driver for 5 | MySQL cluster is just "mysql", and not "ndb". 
6 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/main/ndb/setup.sql: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | ## 3 | ## admin.sql -- MySQL commands for creating the RADIUS user. 4 | ## 5 | ## WARNING: You should change 'localhost' and 'radpass' 6 | ## to something else. Also update raddb/sql.conf 7 | ## with the new RADIUS password. 8 | ## 9 | ## $Id: 5c91384c0991ea9614b7c798a1ab4c89ca227115 $ 10 | 11 | # 12 | # Create default administrator for RADIUS 13 | # NOTE(review): PASSWORD() and the GRANT ... IDENTIFIED BY form used below are not accepted by MySQL 8.0 and later; confirm the target server version. 14 | CREATE USER 'radius'@'localhost'; 15 | SET PASSWORD FOR 'radius'@'localhost' = PASSWORD('radpass'); 16 | 17 | # The server is granted ALL privileges on every table in the 'radius' database, both from localhost and from the host 'radsrvr'. 18 | GRANT ALL ON radius.* TO 'radius'@'localhost' identified by 'radpass'; 19 | GRANT ALL ON radius.* TO 'radius'@'radsrvr' identified by 'radpass'; 20 | # NOTE(review): this is broader than the SELECT-only grant in main/mysql/setup.sql; SELECT on radius.* plus the per-table write grants (commented out below) is the least-privilege alternative. 21 | # The server can write to the accounting and post-auth logging table. 22 | # 23 | # i.e. 24 | #GRANT ALL on radius.radacct TO 'radius'@'localhost' identified by 'radpass'; 25 | #GRANT ALL on radius.radacct TO 'radius'@'radsrvr' identified by 'radpass'; 26 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/main/postgresql/extras/update_radacct_group.sql: -------------------------------------------------------------------------------- 1 | /* 2 | * $Id: 37f42a0b13515b09f9c7792e8a64b2a3b187e7a3 $ 3 | * 4 | * OPTIONAL Postgresql trigger for FreeRADIUS 5 | * 6 | * This trigger fills in the groupname field (which doesn't come in Accounting packets) 7 | * by querying the radusergroup table. 8 | * This makes it easier to do group summary reports, however note that it does add some extra 9 | * database load to 50% of your SQL accounting queries. If you don't care about group summary 10 | * reports then you don't need to install this. 
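11 | * 12 | */ 13 | 14 | /* upd_radgroups(): after an INSERT into radacct, look up GroupName in radusergroup by the new rows CalledStationId and UserName and copy it onto that radacct row. */ 15 | CREATE OR REPLACE FUNCTION upd_radgroups() RETURNS trigger AS' 16 | 17 | DECLARE 18 | v_groupname varchar; 19 | 20 | BEGIN 21 | SELECT INTO v_groupname GroupName FROM radusergroup WHERE CalledStationId = NEW.CalledStationId AND UserName = NEW.UserName; 22 | IF FOUND THEN 23 | UPDATE radacct SET GroupName = v_groupname WHERE RadAcctId = NEW.RadAcctId; 24 | END IF; 25 | 26 | RETURN NEW; 27 | END 28 | 29 | 'LANGUAGE plpgsql; 30 | 31 | /* IF EXISTS keeps this script usable on a fresh database, where the trigger is not yet defined, as well as on re-installs. */ 32 | DROP TRIGGER IF EXISTS upd_radgroups ON radacct; 33 | 34 | CREATE TRIGGER upd_radgroups AFTER INSERT ON radacct 35 | FOR EACH ROW EXECUTE PROCEDURE upd_radgroups(); 36 | 37 | 38 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/main/postgresql/extras/voip-postpaid.conf: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | ## 3 | ## voip-postpaid.conf -- PostgreSQL configuration for H323 VoIP billing 4 | ## (cisco_h323_db_schema.sql) 5 | ## 6 | ## $Id: 9f1449cc37d80e37025bdfd08fbd4d028aa0c800 $ 7 | 8 | 9 | ####################################################################### 10 | # Query config: Username 11 | ####################################################################### 12 | # This is the username that will get substituted, escaped, and added 13 | # as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used below 14 | # everywhere a username substitution is needed so you can be sure 15 | # the username passed from the client is escaped properly. 16 | # 17 | # Uncomment the next line, if you want the sql_user_name to mean: 18 | # 19 | # Use Stripped-User-Name, if it's there. 20 | # Else use User-Name, if it's there, 21 | # Else use hard-coded string "none" as the user name. 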
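22 | # 23 | #sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}" 24 | # 25 | sql_user_name = "%{User-Name}" 26 | 27 | accounting { 28 | reference = "%{tolower:type.%{Acct-Status-Type}.query}" 29 | 30 | # Write SQL queries to a logfile. This is potentially useful for bulk inserts 31 | # when used with the rlm_sql_null driver. 32 | # logfile = ${logdir}/accounting.sql 33 | 34 | type { 35 | start { 36 | query = "INSERT INTO ${....acct_table1}%{h323-call-type} \ 37 | (RadiusServerName, UserName, NASIPAddress, AcctTime, CalledStationId, \ 38 | CallingStationId, AcctDelayTime, h323gwid, h323callorigin, \ 39 | h323setuptime, H323ConnectTime, callid) \ 40 | VALUES(\ 41 | '${radius_server_name}', '%{SQL-User-Name}', \ 42 | '%{NAS-IP-Address}', now(), '%{Called-Station-Id}', \ 43 | '%{Calling-Station-Id}', '%{%{Acct-Delay-Time}:-0}', '%{h323-gw-id}', \ 44 | '%{h323-call-origin}', strip_dot('%{h323-setup-time}'), \ 45 | strip_dot('%{h323-connect-time}'), pick_id('%{h323-conf-id}', \ 46 | '%{call-id}'))" 47 | } 48 | # The stop table is referenced as ${....acct_table2}, the same reference form as ${....acct_table1} in "start" above. 49 | stop { 50 | query = "INSERT INTO ${....acct_table2}%{h323-call-type} \ 51 | (RadiusServerName, UserName, NASIPAddress, AcctTime, \ 52 | AcctSessionTime, AcctInputOctets, AcctOutputOctets, CalledStationId, \ 53 | CallingStationId, AcctDelayTime, H323RemoteAddress, H323VoiceQuality, \ 54 | CiscoNASPort, h323callorigin, callid, h323connecttime, \ 55 | h323disconnectcause, h323disconnecttime, h323gwid, h323setuptime) \ 56 | VALUES(\ 57 | '${radius_server_name}', '%{SQL-User-Name}', '%{NAS-IP-Address}', \ 58 | NOW(), '%{%{Acct-Session-Time}:-0}', \ 59 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Octets}:-0}', \ 60 | '%{Called-Station-Id}', '%{Calling-Station-Id}', \ 61 | '%{%{Acct-Delay-Time}:-0}', NULLIF('%{h323-remote-address}', '')::inet, \ 62 | NULLIF('%{h323-voice-quality}','')::integer, \ 63 | NULLIF('%{Cisco-NAS-Port}', ''), \ 64 | '%{h323-call-origin}', pick_id('%{h323-conf-id}', '%{call-id}'), \ 65 | strip_dot('%{h323-connect-time}'), 
'%{h323-disconnect-cause}', \ 66 | strip_dot('%{h323-disconnect-time}'), '%{h323-gw-id}', \ 67 | strip_dot('%{h323-setup-time}'))" 68 | } 69 | } 70 | } 71 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/main/postgresql/setup.sql: -------------------------------------------------------------------------------- 1 | /* 2 | * admin.sql -- PostgreSQL commands for creating the RADIUS user. 3 | * 4 | * WARNING: You should change 'localhost' and 'radpass' 5 | * to something else. Also update raddb/sql.conf 6 | * with the new RADIUS password. 7 | * 8 | * WARNING: This example file is untested. Use at your own risk. 9 | * Please send any bug fixes to the mailing list. 10 | * 11 | * $Id: 6dfacb3b09a1b7da135a49a49cb75a573fd3bad4 $ 12 | */ 13 | 14 | /* 15 | * Create default administrator for RADIUS 16 | */ 17 | CREATE USER radius WITH PASSWORD 'radpass'; 18 | 19 | /* 20 | * The server can read any table in SQL 21 | */ 22 | GRANT SELECT ON radcheck TO radius; 23 | GRANT SELECT ON radreply TO radius; 24 | GRANT SELECT ON radgroupcheck TO radius; 25 | GRANT SELECT ON radgroupreply TO radius; 26 | GRANT SELECT ON radusergroup TO radius; 27 | GRANT SELECT ON nas TO radius; 28 | 29 | /* 30 | * The server can write to the accounting and post-auth logging table. 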
31 | */ 32 | GRANT SELECT, INSERT, UPDATE on radacct TO radius; 33 | GRANT SELECT, INSERT, UPDATE on radpostauth TO radius; 34 | 35 | /* 36 | * Grant permissions on sequences 37 | */ 38 | GRANT USAGE, SELECT ON SEQUENCE nas_id_seq TO radius; 39 | GRANT USAGE, SELECT ON SEQUENCE radacct_radacctid_seq TO radius; 40 | GRANT USAGE, SELECT ON SEQUENCE radcheck_id_seq TO radius; 41 | GRANT USAGE, SELECT ON SEQUENCE radgroupcheck_id_seq TO radius; 42 | GRANT USAGE, SELECT ON SEQUENCE radgroupreply_id_seq TO radius; 43 | GRANT USAGE, SELECT ON SEQUENCE radpostauth_id_seq TO radius; 44 | GRANT USAGE, SELECT ON SEQUENCE radreply_id_seq TO radius; 45 | GRANT USAGE, SELECT ON SEQUENCE radusergroup_id_seq TO radius; 46 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/moonshot-targeted-ids/mysql/queries.conf: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # moonshot-targeted-ids/mysql/queries.conf -- Queries to update a MySQL Moonshot-Targeted-Ids table. 
4 | # 5 | # $Id: 68306db5a6c67f70804dc019e19daba5e938b4a9 $ 6 | 7 | post-auth { 8 | # Query to store the Moonshot-*-TargetedId 9 | query = "\ 10 | INSERT IGNORE INTO ${..moonshot_tid_table} \ 11 | (gss_acceptor, namespace, username, targeted_id) \ 12 | VALUES \ 13 | ('%{control:Moonshot-MSTID-GSS-Acceptor}', '%{control:Moonshot-MSTID-Namespace}', \ 14 | '%{tolower:%{User-Name}}', '%{control:Moonshot-MSTID-TargetedId}')" 15 | } 16 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/moonshot-targeted-ids/mysql/schema.sql: -------------------------------------------------------------------------------- 1 | CREATE TABLE `moonshot_targeted_ids` ( 2 | `gss_acceptor` varchar(254) NOT NULL default '', 3 | `namespace` varchar(36) NOT NULL default '', 4 | `username` varchar(64) NOT NULL default '', 5 | `targeted_id` varchar(128) NOT NULL default '', 6 | `creationdate` timestamp NOT NULL default CURRENT_TIMESTAMP, 7 | PRIMARY KEY (`username`,`gss_acceptor`,`namespace`) 8 | ) ENGINE=InnoDB DEFAULT CHARSET=utf8; 9 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/moonshot-targeted-ids/postgresql/queries.conf: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # moonshot-targeted-ids/postgresql/queries.conf -- Queries to update a PostgreSQL Moonshot-*-Targeted-Ids table. 
4 | # 5 | # $Id: f757a870a0b68c5dc3827c00bb501082fc7e03e9 $ 6 | 7 | post-auth { 8 | # Query to store the Moonshot-*-TargetedId 9 | query = "\ 10 | INSERT INTO ${..moonshot_tid_table} \ 11 | (gss_acceptor, namespace, username, targeted_id) \ 12 | VALUES \ 13 | ('%{control:Moonshot-MSTID-GSS-Acceptor}', '%{control:Moonshot-MSTID-Namespace}', \ 14 | '%{tolower:%{User-Name}}', '%{control:Moonshot-MSTID-TargetedId}')" 15 | } 16 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/moonshot-targeted-ids/postgresql/schema.sql: -------------------------------------------------------------------------------- 1 | CREATE TABLE moonshot_targeted_ids ( 2 | gss_acceptor varchar(254) NOT NULL DEFAULT '', 3 | namespace varchar(36) NOT NULL DEFAULT '', 4 | username varchar(64) NOT NULL DEFAULT '', 5 | targeted_id varchar(128) NOT NULL DEFAULT '', 6 | creationdate TIMESTAMP with time zone NOT NULL default 'now()', 7 | PRIMARY KEY (username, gss_acceptor, namespace) 8 | ); 9 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/moonshot-targeted-ids/sqlite/queries.conf: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # moonshot-targeted-ids/sqlite/queries.conf -- Queries to update a sqlite Moonshot-*-Targeted-Ids table. 
4 | # 5 | # $Id: 8cdb80382db6e94067a75c0428b375847eb04ad8 $ 6 | 7 | post-auth { 8 | # Query to store the Moonshot-*-TargetedId 9 | query = "\ 10 | INSERT INTO ${..moonshot_tid_table} \ 11 | (gss_acceptor, namespace, username, targeted_id) \ 12 | VALUES \ 13 | ('%{control:Moonshot-MSTID-GSS-Acceptor}', '%{control:Moonshot-MSTID-Namespace}', \ 14 | '%{tolower:%{User-Name}}', '%{control:Moonshot-MSTID-TargetedId}')" 15 | } 16 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/sql/moonshot-targeted-ids/sqlite/schema.sql: -------------------------------------------------------------------------------- 1 | CREATE TABLE `moonshot_targeted_ids` ( 2 | `gss_acceptor` varchar(254) NOT NULL default '', 3 | `namespace` varchar(36) NOT NULL default '', 4 | `username` varchar(64) NOT NULL default '', 5 | `targeted_id` varchar(128) NOT NULL default '', 6 | `creationdate` timestamp NOT NULL default CURRENT_TIMESTAMP, 7 | PRIMARY KEY (`username`,`gss_acceptor`,`namespace`) 8 | ); 9 | -------------------------------------------------------------------------------- /etc/raddb/mods-config/unbound/default.conf: -------------------------------------------------------------------------------- 1 | server: 2 | num-threads: 2 3 | -------------------------------------------------------------------------------- /etc/raddb/mods-enabled/always: -------------------------------------------------------------------------------- 1 | ../mods-available/always -------------------------------------------------------------------------------- /etc/raddb/mods-enabled/attr_filter: -------------------------------------------------------------------------------- 1 | ../mods-available/attr_filter -------------------------------------------------------------------------------- /etc/raddb/mods-enabled/cache_eap: -------------------------------------------------------------------------------- 1 | ../mods-available/cache_eap 
-------------------------------------------------------------------------------- /etc/raddb/mods-enabled/chap: -------------------------------------------------------------------------------- 1 | ../mods-available/chap -------------------------------------------------------------------------------- /etc/raddb/mods-enabled/date: -------------------------------------------------------------------------------- 1 | ../mods-available/date -------------------------------------------------------------------------------- /etc/raddb/mods-enabled/detail: -------------------------------------------------------------------------------- 1 | ../mods-available/detail -------------------------------------------------------------------------------- /etc/raddb/mods-enabled/detail.log: -------------------------------------------------------------------------------- 1 | ../mods-available/detail.log -------------------------------------------------------------------------------- /etc/raddb/mods-enabled/digest: -------------------------------------------------------------------------------- 1 | ../mods-available/digest -------------------------------------------------------------------------------- /etc/raddb/mods-enabled/dynamic_clients: -------------------------------------------------------------------------------- 1 | ../mods-available/dynamic_clients -------------------------------------------------------------------------------- /etc/raddb/mods-enabled/eap: -------------------------------------------------------------------------------- 1 | ../mods-available/eap -------------------------------------------------------------------------------- /etc/raddb/mods-enabled/echo: -------------------------------------------------------------------------------- 1 | ../mods-available/echo -------------------------------------------------------------------------------- /etc/raddb/mods-enabled/exec: -------------------------------------------------------------------------------- 1 | 
../mods-available/exec -------------------------------------------------------------------------------- /etc/raddb/mods-enabled/expiration: -------------------------------------------------------------------------------- 1 | ../mods-available/expiration -------------------------------------------------------------------------------- /etc/raddb/mods-enabled/expr: -------------------------------------------------------------------------------- 1 | ../mods-available/expr -------------------------------------------------------------------------------- /etc/raddb/mods-enabled/files: -------------------------------------------------------------------------------- 1 | ../mods-available/files -------------------------------------------------------------------------------- /etc/raddb/mods-enabled/linelog: -------------------------------------------------------------------------------- 1 | ../mods-available/linelog -------------------------------------------------------------------------------- /etc/raddb/mods-enabled/logintime: -------------------------------------------------------------------------------- 1 | ../mods-available/logintime -------------------------------------------------------------------------------- /etc/raddb/mods-enabled/mschap: -------------------------------------------------------------------------------- 1 | ../mods-available/mschap -------------------------------------------------------------------------------- /etc/raddb/mods-enabled/ntlm_auth: -------------------------------------------------------------------------------- 1 | ../mods-available/ntlm_auth -------------------------------------------------------------------------------- /etc/raddb/mods-enabled/pap: -------------------------------------------------------------------------------- 1 | ../mods-available/pap -------------------------------------------------------------------------------- /etc/raddb/mods-enabled/passwd: 
-------------------------------------------------------------------------------- 1 | ../mods-available/passwd -------------------------------------------------------------------------------- /etc/raddb/mods-enabled/preprocess: -------------------------------------------------------------------------------- 1 | ../mods-available/preprocess -------------------------------------------------------------------------------- /etc/raddb/mods-enabled/radutmp: -------------------------------------------------------------------------------- 1 | ../mods-available/radutmp -------------------------------------------------------------------------------- /etc/raddb/mods-enabled/realm: -------------------------------------------------------------------------------- 1 | ../mods-available/realm -------------------------------------------------------------------------------- /etc/raddb/mods-enabled/replicate: -------------------------------------------------------------------------------- 1 | ../mods-available/replicate -------------------------------------------------------------------------------- /etc/raddb/mods-enabled/soh: -------------------------------------------------------------------------------- 1 | ../mods-available/soh -------------------------------------------------------------------------------- /etc/raddb/mods-enabled/sql: -------------------------------------------------------------------------------- 1 | ../mods-available/sql -------------------------------------------------------------------------------- /etc/raddb/mods-enabled/sradutmp: -------------------------------------------------------------------------------- 1 | ../mods-available/sradutmp -------------------------------------------------------------------------------- /etc/raddb/mods-enabled/unix: -------------------------------------------------------------------------------- 1 | ../mods-available/unix -------------------------------------------------------------------------------- 
/etc/raddb/mods-enabled/unpack: -------------------------------------------------------------------------------- 1 | ../mods-available/unpack -------------------------------------------------------------------------------- /etc/raddb/mods-enabled/utf8: -------------------------------------------------------------------------------- 1 | ../mods-available/utf8 -------------------------------------------------------------------------------- /etc/raddb/panic.gdb: -------------------------------------------------------------------------------- 1 | info locals 2 | info args 3 | thread apply all bt full 4 | quit 5 | -------------------------------------------------------------------------------- /etc/raddb/policy.d/abfab-tr: -------------------------------------------------------------------------------- 1 | # 2 | # ABFAB Trust router policies. 3 | # 4 | # $Id: 3a088538b5acc09aebc80b40391febf1d57a617a $ 5 | # 6 | 7 | 8 | # 9 | # Verify rp parameters 10 | # 11 | psk_authorize { 12 | if (&TLS-PSK-Identity) { 13 | # TODO: may need to check trust-router-apc as well 14 | if ("%{psksql:select distinct keyid from authorizations_keys where keyid = '%{tls-psk-identity}' and '%{trust-router-coi}' like coi and '%{gss-acceptor-realm-name}' like acceptor_realm and '%{gss-acceptor-host-name}' like hostname;}") { 15 | # do things here 16 | } 17 | else { 18 | update reply { 19 | Reply-Message = "RP not authorized for this ABFAB request" 20 | } 21 | reject 22 | } 23 | } 24 | } 25 | 26 | abfab_client_check { 27 | # check that GSS-Acceptor-Host-Name is correct 28 | if ("%{client:gss_acceptor_host_name}") { 29 | if (&request:GSS-Acceptor-Host-Name) { 30 | if (&request:GSS-Acceptor-Host-Name != "%{client:gss_acceptor_host_name}") { 31 | update reply { 32 | Reply-Message = "GSS-Acceptor-Host-Name incorrect" 33 | } 34 | reject 35 | } 36 | } 37 | else { 38 | # set GSS-Acceptor-Host-Name if it is not set by the mechanism 39 | # but it is defined in the client configuration 40 | update request { 
41 | GSS-Acceptor-Host-Name = "%{client:gss_acceptor_host_name}" 42 | } 43 | } 44 | } 45 | 46 | # set Trust-Router-COI attribute from the client configuration 47 | if ("%{client:trust_router_coi}") { 48 | update request { 49 | Trust-Router-COI := "%{client:trust_router_coi}" 50 | } 51 | } 52 | 53 | # set GSS-Acceptor-Realm-Name attribute from the client configuration 54 | if ("%{client:gss_acceptor_realm_name}") { 55 | update request { 56 | GSS-Acceptor-Realm-Name := "%{client:gss_acceptor_realm_name}" 57 | } 58 | } 59 | 60 | # set GSS-Acceptor-Service-Name attribute from the client configuration 61 | if ("%{client:gss_acceptor_service_name}") { 62 | update request { 63 | GSS-Acceptor-Service-Name = "%{client:gss_acceptor_service_name}" 64 | } 65 | } 66 | 67 | } 68 | 69 | # A policy which is used to validate channel-bindings. 70 | # 71 | abfab_channel_bindings { 72 | if (&GSS-Acceptor-Service-Name && (&outer.request:GSS-Acceptor-Service-Name != &GSS-Acceptor-Service-Name)) { 73 | reject 74 | } 75 | 76 | if (&GSS-Acceptor-Host-Name && &outer.request:GSS-Acceptor-Host-Name != &GSS-Acceptor-Host-Name ) { 77 | reject 78 | } 79 | 80 | if (&GSS-Acceptor-Realm-Name && &outer.request:GSS-Acceptor-Realm-Name != &GSS-Acceptor-Realm-Name ) { 81 | reject 82 | } 83 | 84 | if (&GSS-Acceptor-Service-Name || &GSS-Acceptor-Realm-Name || &GSS-Acceptor-Host-Name) { 85 | update control { 86 | &Chbind-Response-Code := success 87 | } 88 | 89 | # 90 | # ACK the attributes in the request. 91 | # 92 | # If any one of these attributes don't exist in the request, 93 | # then they won't be copied to the reply. 94 | # 95 | update reply { 96 | &GSS-Acceptor-Service-Name = &GSS-Acceptor-Service-Name 97 | &GSS-Acceptor-Host-Name = &GSS-Acceptor-Host-Name 98 | &GSS-Acceptor-Realm-Name = &GSS-Acceptor-Realm-Name 99 | } 100 | } 101 | 102 | # 103 | # Return "handled" so that the "authenticate" section isn't used. 
104 | # 105 | handled 106 | } 107 | -------------------------------------------------------------------------------- /etc/raddb/policy.d/accounting: -------------------------------------------------------------------------------- 1 | # We check for this prefix to determine whether the class 2 | # value was generated by this server. It should be changed 3 | # so that it is globally unique. 4 | class_value_prefix = 'ai:' 5 | 6 | # 7 | # Replacement for the old rlm_acct_unique module 8 | # 9 | acct_unique { 10 | # 11 | # If we have a class attribute in the format 12 | # 'auth_id:[0-9a-f]{32}' it'll have a local value 13 | # (defined by insert_acct_class), this ensures 14 | # uniqueness and suitability. 15 | # 16 | # We could just use the Class attribute as 17 | # Acct-Unique-Session-Id, but this may cause problems 18 | # with NAS that carry Class values across between 19 | # multiple linked sessions. So we rehash class with 20 | # Acct-Session-ID to provide a truely unique session 21 | # identifier. 22 | # 23 | # Using a Class/Session-ID combination is more robust 24 | # than using elements in the Accounting-Request, 25 | # which may be subject to change, such as 26 | # NAS-IP-Address, Client-IP-Address and 27 | # NAS-Port-ID/NAS-Port. 28 | # 29 | # This policy should ensure that session data is not 30 | # affected if NAS IP addresses change, or the client 31 | # roams to a different 'port' whilst maintaining its 32 | # initial authentication session (Common in a 33 | # wireless environment). 
34 | # 35 | update request { 36 | &Tmp-String-9 := "${policy.class_value_prefix}" 37 | } 38 | 39 | if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && \ 40 | ("%{string:&Class}" =~ /^${policy.class_value_prefix}([0-9a-f]{32})/i)) { 41 | update request { 42 | &Acct-Unique-Session-Id := "%{md5:%{1},%{Acct-Session-ID}}" 43 | } 44 | } 45 | 46 | # 47 | # Not All devices respect RFC 2865 when dealing with 48 | # the class attribute, so be prepared to use the 49 | # older style of hashing scheme if a class attribute 50 | # is not included 51 | # 52 | else { 53 | update request { 54 | &Acct-Unique-Session-Id := "%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}" 55 | } 56 | } 57 | } 58 | 59 | # 60 | # Insert a (hopefully unique) value into class 61 | # 62 | insert_acct_class { 63 | update reply { 64 | &Class = "${policy.class_value_prefix}%{md5:%t,%I,%{Packet-Src-Port},%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}},%{NAS-IP-Address},%{Calling-Station-ID},%{User-Name}}" 65 | } 66 | } 67 | 68 | # 69 | # Merges Acct-[Input|Output]-Octets and Acct-[Input|Output]-Gigawords into Acct-[Input|Output]-Octets64 70 | # 71 | # If the &Attr-Foo doesn't exist, it's value is taken as zero. 72 | # 73 | acct_counters64.preacct { 74 | update request { 75 | &Acct-Input-Octets64 = "%{expr:(&Acct-Input-Gigawords << 32) | &Acct-Input-Octets}" 76 | &Acct-Output-Octets64 = "%{expr:(&Acct-Output-Gigawords << 32) | &Acct-Output-Octets}" 77 | } 78 | } 79 | 80 | -------------------------------------------------------------------------------- /etc/raddb/policy.d/canonicalization: -------------------------------------------------------------------------------- 1 | # 2 | # Split User-Name in NAI format (RFC 4282) into components 3 | # 4 | # This policy writes the Username and Domain portions of the 5 | # NAI into the Stripped-User-Name and Stripped-User-Domain 6 | # attributes. 
7 | # 8 | # The regular expression to do this is not strictly compliant 9 | # with the standard, but it is not possible to write a 10 | # compliant regexp without perl style regular expressions (or 11 | # at least not a legible one). 12 | # 13 | nai_regexp = '^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$' 14 | 15 | split_username_nai { 16 | if (&User-Name && (&User-Name =~ /${policy.nai_regexp}/)) { 17 | update request { 18 | &Stripped-User-Name := "%{1}" 19 | } 20 | 21 | # Only add the Stripped-User-Domain attribute if 22 | # we have a domain. This means presence checks 23 | # for Stripped-User-Domain work. 24 | if ("%{3}" != '') { 25 | update request { 26 | &Stripped-User-Domain = "%{3}" 27 | } 28 | } 29 | 30 | # If any of the expansions result in a null 31 | # string, the update section may return 32 | # something other than updated... 33 | updated 34 | } 35 | else { 36 | noop 37 | } 38 | } 39 | 40 | # 41 | # If called in post-proxy we modify the proxy-reply message 42 | # 43 | split_username_nai.post-proxy { 44 | if (&proxy-reply:User-Name && (&proxy-reply:User-Name =~ /${policy.nai_regexp}/)) { 45 | update proxy-reply { 46 | &Stripped-User-Name := "%{1}" 47 | } 48 | 49 | # Only add the Stripped-User-Domain attribute if 50 | # we have a domain. This means presence checks 51 | # for Stripped-User-Domain work. 52 | if ("%{3}" != '') { 53 | update proxy-reply { 54 | &Stripped-User-Domain = "%{3}" 55 | } 56 | } 57 | updated 58 | } 59 | else { 60 | noop 61 | } 62 | } 63 | 64 | # 65 | # Normalize the MAC Addresses in the Calling/Called-Station-Id 66 | # 67 | mac-addr-regexp = '([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})' 68 | 69 | # 70 | # Add "rewrite_called_station_id" in the "authorize" and 71 | # "preacct" sections. 72 | # 73 | # Makes Called-Station-ID conform to what RFC3580 says should 74 | # be provided by 802.1X authenticators. 
75 | # 76 | rewrite_called_station_id { 77 | if (&Called-Station-Id && (&Called-Station-Id =~ /^${policy.mac-addr-regexp}([^0-9a-f](.+))?$/i)) { 78 | update request { 79 | &Called-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" 80 | } 81 | 82 | # SSID component? 83 | if ("%{8}") { 84 | update request { 85 | &Called-Station-SSID := "%{8}" 86 | } 87 | } 88 | updated 89 | } 90 | else { 91 | noop 92 | } 93 | } 94 | 95 | # 96 | # Add "rewrite_calling_station_id" in the "authorize" and 97 | # "preacct" sections. 98 | # 99 | # Makes Calling-Station-ID conform to what RFC3580 says should 100 | # be provided by 802.1X authenticators. 101 | # 102 | rewrite_calling_station_id { 103 | if (&Calling-Station-Id && (&Calling-Station-Id =~ /^${policy.mac-addr-regexp}$/i)) { 104 | update request { 105 | &Calling-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" 106 | } 107 | updated 108 | } 109 | else { 110 | noop 111 | } 112 | } 113 | # Privacy masking: when the RAD_DEBUG environment variable is exactly "no" and the request carries a Calling-Station-Id, both Calling-Station-Id and NAS-IP-Address in the request are overwritten with the placeholder "1.1.1.1"; RAD_DEBUG unset or set to any other value leaves the data untouched. $ENV{} is expanded when the configuration is loaded, so changing the variable needs a server restart. NOTE(review): the acct_unique fallback hash in policy.d/accounting includes NAS-IP-Address, so running this policy before acct_unique changes Acct-Unique-Session-Id — confirm the intended ordering. 1.1.1.1 is a real public address; a reserved documentation address such as 192.0.2.1 would avoid confusing log consumers. 114 | mask_accounting_data { 115 | if ( $ENV{RAD_DEBUG} == "no" ) { 116 | if (&Calling-Station-Id) { 117 | update request { 118 | &Calling-Station-Id := "1.1.1.1" 119 | &NAS-IP-Address := "1.1.1.1" 120 | } 121 | updated 122 | } 123 | else { 124 | noop 125 | } 126 | } 127 | } 128 | -------------------------------------------------------------------------------- /etc/raddb/policy.d/control: -------------------------------------------------------------------------------- 1 | # 2 | # If you want the server to pretend that it is dead, 3 | # then use the "do_not_respond" policy. 
4 | # 5 | do_not_respond { 6 | update control { 7 | &Response-Packet-Type := Do-Not-Respond 8 | } 9 | handled 10 | } 11 | 12 | # 13 | # Send Access-Accept immediately 14 | # 15 | accept { 16 | update control { 17 | &Response-Packet-Type = Access-Accept 18 | } 19 | handled 20 | } 21 | 22 | # 23 | # Send Access-Challenge immediately 24 | # 25 | challenge { 26 | update control { 27 | &Response-Packet-Type = Access-Challenge 28 | } 29 | handled 30 | } 31 | 32 | # 33 | # Send an Accounting-Response immediately 34 | # 35 | acct_response { 36 | update control { 37 | &Response-Packet-Type = Accounting-Response 38 | } 39 | handled 40 | } 41 | -------------------------------------------------------------------------------- /etc/raddb/policy.d/debug: -------------------------------------------------------------------------------- 1 | # 2 | # Outputs the contents of the control list in debugging (-X) mode 3 | # 4 | debug_control { 5 | if("%{debug_attr:control:}" == '') { 6 | noop 7 | } 8 | } 9 | 10 | # 11 | # Outputs the contents of the request list in debugging (-X) mode 12 | # 13 | debug_request { 14 | if("%{debug_attr:request:}" == '') { 15 | noop 16 | } 17 | } 18 | 19 | # 20 | # Outputs the contents of the coa list in debugging (-X) mode 21 | # 22 | debug_coa { 23 | if("%{debug_attr:coa:}" == '') { 24 | noop 25 | } 26 | } 27 | 28 | # 29 | # Outputs the contents of the reply list in debugging (-X) mode 30 | # 31 | debug_reply { 32 | if("%{debug_attr:reply:}" == '') { 33 | noop 34 | } 35 | } 36 | 37 | # 38 | # Outputs the contents of the session state list in debugging (-X) mode 39 | # 40 | debug_session_state { 41 | if("%{debug_attr:session-state:}" == '') { 42 | noop 43 | } 44 | } 45 | 46 | # 47 | # Outputs the contents of the proxy-request state list in debugging (-X) mode 48 | # 49 | debug_proxy_request { 50 | if("%{debug_attr:proxy-request:}" == '') { 51 | noop 52 | } 53 | } 54 | 55 | # 56 | # Outputs the contents of the main lists in debugging (-X) mode 57 | # 58 | 
debug_all { 59 | debug_control 60 | debug_request 61 | debug_coa 62 | debug_reply 63 | debug_session_state 64 | } 65 | -------------------------------------------------------------------------------- /etc/raddb/policy.d/dhcp: -------------------------------------------------------------------------------- 1 | # Assign compatibility data to request for sqlippool 2 | dhcp_sqlippool.post-auth { 3 | 4 | 5 | # Do some minor hacks to the request so that it looks 6 | # like a RADIUS request to the SQL IP Pool module. 7 | update request { 8 | &User-Name = "DHCP-%{DHCP-Client-Hardware-Address}" 9 | &Calling-Station-Id = "%{DHCP-Client-Hardware-Address}" 10 | &NAS-IP-Address = "%{%{DHCP-Gateway-IP-Address}:-127.0.0.1}" 11 | &Acct-Status-Type = Start 12 | } 13 | 14 | # Call the actual module 15 | dhcp_sqlippool 16 | 17 | # Convert Framed-IP-Address to DHCP, but only if we 18 | # actually allocated an address. 19 | if (ok) { 20 | update reply { 21 | &DHCP-Your-IP-Address = "%{reply:Framed-IP-Address}" 22 | } 23 | } 24 | } 25 | 26 | -------------------------------------------------------------------------------- /etc/raddb/policy.d/eap: -------------------------------------------------------------------------------- 1 | # 2 | # Response caching to handle proxy failovers 3 | # 4 | Xeap.authorize { 5 | cache_eap 6 | if (ok) { 7 | # 8 | # Expire previous cache entry 9 | # 10 | if (&control:State) { 11 | update control { 12 | &Cache-TTL := 0 13 | } 14 | cache_eap 15 | 16 | update control { 17 | &State !* ANY 18 | } 19 | } 20 | 21 | handled 22 | } 23 | else { 24 | eap.authorize 25 | } 26 | } 27 | 28 | # 29 | # Populate cache with responses from the EAP module 30 | # 31 | Xeap.authenticate { 32 | eap { 33 | handled = 1 34 | } 35 | if (handled) { 36 | cache_eap.authorize 37 | 38 | handled 39 | } 40 | 41 | cache_eap.authorize 42 | } 43 | 44 | # 45 | # Forbid all EAP types. Enable this by putting "forbid_eap" 46 | # into the "authorize" section. 
47 | # 48 | forbid_eap { 49 | if (&EAP-Message) { 50 | reject 51 | } 52 | } 53 | 54 | # 55 | # Forbid all non-EAP types outside of an EAP tunnel. 56 | # 57 | permit_only_eap { 58 | if (!&EAP-Message) { 59 | # We MAY be inside of a TTLS tunnel. 60 | # PEAP and EAP-FAST require EAP inside of 61 | # the tunnel, so this check is OK. 62 | # If so, then there MUST be an outer EAP message. 63 | if (!&outer.request || !&outer.request:EAP-Message) { 64 | reject 65 | } 66 | } 67 | } 68 | 69 | # 70 | # Remove Reply-Message from response if were doing EAP 71 | # 72 | # Be RFC 3579 2.6.5 compliant - EAP-Message and Reply-Message should 73 | # not be present in the same response. 74 | # 75 | remove_reply_message_if_eap { 76 | if (&reply:EAP-Message && &reply:Reply-Message) { 77 | update reply { 78 | &Reply-Message !* ANY 79 | } 80 | } 81 | else { 82 | noop 83 | } 84 | } 85 | 86 | -------------------------------------------------------------------------------- /etc/raddb/policy.d/operator-name: -------------------------------------------------------------------------------- 1 | # 2 | # The following policies are for the Operator-Name 3 | # configuration. 4 | # 5 | # The policies below can be called as just 'operator-name' (not 6 | # operator-name.authorize etc..) from the various config sections. 7 | # 8 | 9 | # If you require that the Operator-Name be set 10 | # for local clients then call the 'operator-name' policy 11 | # in the authorize section of the virtual-server for your clients in clients.conf 12 | 13 | # To inject an Operator-Name whilst proxying, call the 14 | # 'operator-name' policy in the pre-proxy section of the virtual server 15 | # No need to call this if you have already enabled this in 16 | # the authorize section. 17 | 18 | # 19 | # We assume that clients can have the operator-name definition 20 | # in the client.conf, e.g. 21 | # client xxxx { 22 | # ... 
#		Operator-Name = 1your.domain
#	}
#  If this parameter is found for a client, then we add
#  an Operator-Name attribute
#
operator-name.authorize {
	#
	#  "=" only adds the attribute when the request does not already
	#  carry one, so an Operator-Name sent by the client is kept as-is.
	#  Use ":=" here if the locally configured value must always win.
	#
	if ("%{client:Operator-Name}") {
		update request {
			&Operator-Name = "%{client:Operator-Name}"
		}
	}
}

#
#  Before proxying the request, add an Operator-Name
#  attribute identifying this site if the operator-name is found for this client
#
operator-name.pre-proxy {
	#
	#  ":=" overrides any Operator-Name already present, so the value
	#  forwarded upstream is always the one configured for this client.
	#
	if (("%{request:Packet-Type}" == 'Access-Request') && "%{client:Operator-Name}") {
		update proxy-request {
			&Operator-Name := "%{client:Operator-Name}"
		}
	}
}
-------------------------------------------------------------------------------- /etc/raddb/sites-available/abfab-tls: --------------------------------------------------------------------------------
#
#  Example configuration for ABFAB listening on TLS.
#
#  $Id: 5dbe143da6f170505fa1b0e1c4282ebe60b139bb $
#
listen {
	ipaddr = *
	port = 2083
	type = auth
	proto = tcp

	tls {
		#
		#  NOTE(review): "whatever" is a placeholder passphrase.  Set
		#  the real one (or leave the key unencrypted and rely on file
		#  permissions); either way this file then holds a secret and
		#  must not be world-readable.
		#
		private_key_password = whatever

		# Moonshot tends to distribute certs separate from keys
		private_key_file = ${certdir}/server.key
		certificate_file = ${certdir}/server.pem
		ca_file = ${cadir}/ca.pem
		dh_file = ${certdir}/dh
		fragment_size = 8192
		ca_path = ${cadir}

		#
		#  NOTE(review): "DEFAULT" delegates cipher choice to the
		#  OpenSSL build's defaults, and nothing in this section pins
		#  a minimum TLS version.  Set an explicit cipher_list and a
		#  minimum version for production -- confirm the option names
		#  against the server version in use.
		#
		cipher_list = "DEFAULT"

		cache {
			enable = no
			lifetime = 24 # hours
			name = "abfab-tls"
#			persist_dir = ${logdir}/abfab-tls
		}

		#
		#  A client certificate chaining to ca_file / ca_path is
		#  required, but the empty "verify" section adds no check on
		#  *which* certificate presents itself.  Combined with the
		#  0.0.0.0/0 client below, any holder of a certificate from
		#  that CA is accepted as a RadSec peer; add identity checks
		#  in "verify" or in policy if that is not what you intend.
		#
		require_client_cert = yes
		verify {
		}

		#
		#  TLS-PSK-Identity comes from the peer's ClientHello, i.e. it
		#  is attacker-controlled.  The expansion is handled by the
		#  psksql module, which is expected to escape attribute
		#  references inside the query -- confirm that module's
		#  safe_characters setting rather than assuming it.
		#
		psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}"
	}

	virtual_server = abfab-idp

	clients = radsec-abfab
}

clients radsec-abfab {
	#
	#  Allow all clients, but require TLS.
	#  This client stanza will match other RP proxies from other
	#  realms established via the trustrouter.  In general
	#  additional client stanzas are also required for local services.
	#
	#  NOTE(review): with 0.0.0.0/0 the only thing authenticating a
	#  peer is its TLS client certificate (see require_client_cert
	#  above); there is no per-client shared-secret check.  Restrict
	#  the range, or add certificate identity checks, before exposing
	#  port 2083 beyond a trusted network.
	#
	client default {
		ipaddr = 0.0.0.0/0
		proto = tls
	}

	#  An example local service
#	client service_1 {
#		ipaddr = 192.0.2.20
#		# You should either set gss_acceptor_host_name below
#		# or set up policy to confirm that a client claims
#		# the right acceptor hostname when using ABFAB.  If
#		# set, the RADIUS server will confirm that all
#		# requests have this value for the acceptor host name
#		gss_acceptor_host_name = "server.example.com"
#		# If set, this acceptor realm name will be included.
#		# Foreign realms will typically reject a request if this is not
#		# properly set.
#		gss_acceptor_realm_name = "example.com"
#		# Additionally, trust_router_coi can be set; if set
#		# it will override the default_community in the realm
#		# module
#		# trust_router_coi = "community1.example.net"
#		# In production deployments it is important to set
#		# up certificate verification so that even if
#		# clients spoof IP addresses, one client cannot
#		# impersonate another.
#	}

}
-------------------------------------------------------------------------------- /etc/raddb/sites-available/challenge: --------------------------------------------------------------------------------
#
#  This file gives an example of using Challenge-Response
#
#  In this example, the user logs in with a password, which has
#  to be "hello".  The server will send them a challenge
#  consisting of a random number 0..9.  The user has to respond
#  with that number.
#
#
#	$Id: 24c9b2546eb2a62fb60b31fa5add4537b6536a31 $
#
listen {
	type = auth
	#
	#  Binds every interface.  The clients allowed to reach this port
	#  come from the global client list, which is not part of this file.
	#
	ipaddr = *
	port = 2000
	virtual_server = challenge
}

#
#  NOTE(review): this server demonstrates the State / Access-Challenge
#  mechanics; it is not a usable second factor.  The "known good"
#  password is hard-coded in this file, the challenge is a single
#  decimal digit (one chance in ten to guess), and the expected answer
#  is sent back to the user in Reply-Message.  Do not copy it into a
#  production configuration.
#
server challenge {
	authorize {

		#
		#  If there's no State attribute, then this is the request from
		#  the user.
		#
		if (!State) {
			update control {
				Auth-Type := Step1
				Cleartext-Password := "hello"
			}
		}
		else {
			#
			#  Do authentication for step 2.
			#  Set the "known good" password to the number
			#  saved in the session-state list.
			#
			#  NOTE(review): a State value this server did not issue
			#  (or whose session has already expired) has no
			#  session-state behind it, so Tmp-Integer-0 is absent
			#  here.  The expectation is that "pap" then fails for
			#  lack of a known-good password -- confirm rather than
			#  assume.
			#
			update control {
				Auth-Type := Step2
				Cleartext-Password := &session-state:Tmp-Integer-0
			}
		}
	}

	authenticate {
		Auth-Type Step1 {
			#  If the password doesn't match, the user is rejected
			#  immediately.
			pap

			#
			#  Set the random number to save.
			#  "%{randstr:n}" produces one decimal digit (0..9).
			#
			update session-state {
				Tmp-Integer-0 := "%{randstr:n}"
			}
			update reply {
				Reply-Message := &session-state:Tmp-Integer-0
			}

			#
			#  Send an Access-Challenge.
			#  See raddb/policy.d/control for the definition
			#  of "challenge"
			#
			challenge
		}

		Auth-Type Step2 {
			#
			#  Do PAP authentication with the password.
			#
			pap
		}
	}
}
-------------------------------------------------------------------------------- /etc/raddb/sites-available/channel_bindings: --------------------------------------------------------------------------------
#
#	A virtual server which is used to validate channel-bindings.
#
#	$Id: b9f0ac791511903e4be8794203d324446e7a949c $
#
server channel_bindings {
	#
	#  Only the "authorize" section is needed.
	#
	authorize {
		#  In general this section should include a policy for each type
		#  of channel binding that may be in use.
For example each lower 13 | # layer such as GSS-EAP (RFC 7055) or IEEE 802.11I is likely to 14 | # need a separate channel binding policy. 15 | abfab_channel_bindings 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /etc/raddb/sites-available/check-eap-tls: -------------------------------------------------------------------------------- 1 | # This virtual server allows EAP-TLS to reject access requests 2 | # based on some attributes of the certificates involved. 3 | # 4 | # To use this virtual server, you must enable it in the tls 5 | # section of mods-enabled/eap as well as adding a link to this 6 | # file in sites-enabled/. 7 | # 8 | # 9 | # Value-pairs that are available for checking include: 10 | # 11 | # TLS-Client-Cert-Subject 12 | # TLS-Client-Cert-Issuer 13 | # TLS-Client-Cert-Common-Name 14 | # TLS-Client-Cert-Subject-Alt-Name-Email 15 | # 16 | # To see a full list of attributes, run the server in debug mode 17 | # with this virtual server configured, and look at the attributes 18 | # passed in to this virtual server. 19 | # 20 | # 21 | # This virtual server is also useful when using EAP-TLS as it is 22 | # only called once, just before the final Accept is about to be 23 | # returned from eap, whereas the outer authorize section is called 24 | # multiple times for each challenge / response. For this reason, 25 | # here may be a good location to put authentication logging, and 26 | # modules that check for further authorization, especially if they 27 | # hit external services such as sql or ldap. 28 | 29 | 30 | server check-eap-tls { 31 | 32 | 33 | # Authorize - this is the only section required. 34 | # 35 | # To accept the access request, set Auth-Type = Accept, otherwise 36 | # set it to Reject. 
37 | 38 | authorize { 39 | 40 | # 41 | # By default, we just accept the request: 42 | # 43 | update config { 44 | &Auth-Type := Accept 45 | } 46 | 47 | 48 | # 49 | # Check the client certificate matches a string, and reject otherwise 50 | # 51 | 52 | # if ("%{TLS-Client-Cert-Common-Name}" == 'client.example.com') { 53 | # update config { 54 | # &Auth-Type := Accept 55 | # } 56 | # } 57 | # else { 58 | # update config { 59 | # &Auth-Type := Reject 60 | # } 61 | # update reply { 62 | # &Reply-Message := "Your certificate is not valid." 63 | # } 64 | # } 65 | 66 | 67 | # 68 | # Check the client certificate common name against the supplied User-Name 69 | # 70 | # if (&User-Name == "host/%{TLS-Client-Cert-Common-Name}") { 71 | # update config { 72 | # &Auth-Type := Accept 73 | # } 74 | # } 75 | # else { 76 | # update config { 77 | # &Auth-Type := Reject 78 | # } 79 | # } 80 | 81 | 82 | # 83 | # This is a convenient place to call LDAP, for example, when using 84 | # EAP-TLS, as it will only be called once, after all certificates as 85 | # part of the EAP-TLS challenge process have been verified. 86 | # 87 | # An example could be to use LDAP to check that the connecting host, as 88 | # well as presenting a valid certificate, is also in a group based on 89 | # the User-Name (assuming this contains the service principal name). 
90 | # Settings such as the following could be used in the ldap module 91 | # configuration: 92 | # 93 | # basedn = "dc=example, dc=com" 94 | # filter = "(servicePrincipalName=%{User-Name})" 95 | # base_filter = "(objectClass=computer)" 96 | # groupname_attribute = cn 97 | # groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))" 98 | 99 | # ldap 100 | 101 | # Now let's test membership of an LDAP group (the ldap bind user will 102 | # need permission to read this group membership): 103 | 104 | # if (!(Ldap-Group == "Permitted-Laptops")) { 105 | # update config { 106 | # &Auth-Type := Reject 107 | # } 108 | # } 109 | 110 | # or, to be more specific, you could use the group's full DN: 111 | # if (!(Ldap-Group == "CN=Permitted-Laptops,OU=Groups,DC=example,DC=org")) { 112 | 113 | 114 | # 115 | # This may be a better place to call the files modules when using 116 | # EAP-TLS, as it will only be called once, after the challenge-response 117 | # iteration has completed. 118 | # 119 | 120 | # files 121 | 122 | 123 | # 124 | # Log all request attributes, plus TLS certificate details, to the 125 | # auth_log file. Again, this is just once per connection request, so 126 | # may be preferable than in the outer authorize section. It is 127 | # suggested that 'auth_log' also be in the outer post-auth and 128 | # Post-Auth REJECT sections to log reply packet details, too. 129 | # 130 | 131 | auth_log 132 | 133 | } 134 | } 135 | 136 | -------------------------------------------------------------------------------- /etc/raddb/sites-available/coa: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | ###################################################################### 3 | # 4 | # Sample virtual server for receiving a CoA or Disconnect-Request packet. 5 | # 6 | 7 | # Listen on the CoA port. 8 | # 9 | # This uses the normal set of clients, with the same secret as for 10 | # authentication and accounting. 
11 | # 12 | listen { 13 | type = coa 14 | ipaddr = * 15 | port = 3799 16 | virtual_server = coa 17 | } 18 | 19 | server coa { 20 | # When a packet is received, it is processed through the 21 | # recv-coa section. This applies to *both* CoA-Request and 22 | # Disconnect-Request packets. 23 | recv-coa { 24 | # CoA && Disconnect packets can be proxied in the same 25 | # way as authentication or accounting packets. 26 | # Just set Proxy-To-Realm, or Home-Server-Pool, and the 27 | # packets will be proxied. 28 | 29 | # Do proxying based on realms here. You don't need 30 | # "IPASS" or "ntdomain", as the proxying is based on 31 | # the Operator-Name attribute. It contains the realm, 32 | # and ONLY the realm (prefixed by a '1') 33 | suffix 34 | 35 | # Insert your own policies here. 36 | ok 37 | } 38 | 39 | # When a packet is sent, it is processed through the 40 | # send-coa section. This applies to *both* CoA-Request and 41 | # Disconnect-Request packets. 42 | send-coa { 43 | # Sample module. 44 | ok 45 | } 46 | 47 | # You can use pre-proxy and post-proxy sections here, too. 48 | # They will be processed for sending && receiving proxy packets. 49 | } 50 | -------------------------------------------------------------------------------- /etc/raddb/sites-available/control-socket: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | ###################################################################### 3 | # 4 | # Control socket interface. 5 | # 6 | # In the future, we will add username/password checking for 7 | # connections to the control socket. We will also add 8 | # command authorization, where the commands entered by the 9 | # administrator are run through a virtual server before 10 | # they are executed. 11 | # 12 | # For now, anyone who has permission to connect to the socket 13 | # has nearly complete control over the server. Be warned! 14 | # 15 | # This functionality is NOT enabled by default. 
#
#  See also the "radmin" program, which is used to communicate
#  with the server over the control socket.
#
#  $Id: 97ba9ef972539af80dcaf84090b55d991095a93e $
#
######################################################################
listen {
	#
	#  Listen on the control socket.
	#
	type = control

	#
	#  Socket location.
	#
	#  This file is created with the server's uid and gid.
	#  Its permissions are r/w for that user and group, and
	#  no permissions for "other" users.  These permissions form
	#  minimal security, and should not be relied on.
	#
	socket = ${run_dir}/${name}.sock

	#
	#  Peercred auth
	#
	#  By default the server uses the peercred feature of unix
	#  sockets to get the UID and GID of the user connecting to
	#  the socket.  You may choose to disable this functionality
	#  and rely on the file system for enforcing permissions.
	#
	#  On most Unix systems, the permissions set on the socket
	#  are not enforced, but the ones on the directory containing
	#  the socket are.
	#
	#  To use filesystem permissions you should create a new
	#  directory just to house the socket file, and set
	#  appropriate permissions on that.
	#
#	peercred = no
#	socket = ${run_dir}/control/${name}.sock

	#
	#  The following two parameters perform authentication and
	#  authorization of connections to the control socket.
	#
	#  If not set, then ANYONE can connect to the control socket,
	#  and have complete control over the server.  This is likely
	#  not what you want.
	#
	#  One, or both, of "uid" and "gid" should be set.  If set, the
	#  corresponding value is checked.  Unauthorized users result
	#  in an error message in the log file, and the connection is
	#  closed.
	#
	#  NOTE(review): as this file stands, both "uid" and "gid" are
	#  commented out, so the socket file mode described above is the
	#  only control on who may connect.  Uncomment at least one of
	#  them before linking this file into sites-enabled/.
	#

	#
	#  Name of user that is allowed to connect to the control socket.
	#
#	uid = radius

	#
	#  Name of group that is allowed to connect to the control socket.
	#
#	gid = radius

	#
	#  Access mode.
	#
	#  This can be used to give *some* administrators access to
	#  monitor the system, but not to change it.
	#
	#  ro = read only access (default)
	#  rw = read/write access.
	#
	#  Leave this at the read-only default unless the permitted
	#  uid/gid genuinely needs to reconfigure the running server.
	#
#	mode = rw
}
-------------------------------------------------------------------------------- /etc/raddb/sites-available/decoupled-accounting: --------------------------------------------------------------------------------
# -*- text -*-
######################################################################
#
#	This is a sample configuration for "decoupled" accounting.
#	"Decoupled" accounting is where the accounting packets are
#	NOT written "live" to the back-end database.  This method
#	can only be used if you are not interested in "live"
#	accounting.  i.e. Where you can tolerate delays that may be
#	a few seconds, before accounting packets get written to
#	the DB.
#
#	Oddly enough, this method can speed up the processing of
#	accounting packets, as all database activity is serialized.
#
#	This file is NOT meant to be used as-is.  It needs to be
#	edited to match your local configuration.
#
#	$Id: 6b1b5b337216e433498c1fdb85ced8a53b34df94 $
#
######################################################################

#  Define a virtual server to write the accounting packets.
#  Any "listen" section that listens on an accounting port should
#  set "virtual_server = write_detail.example.com" (underscore, to
#  match the server name below).
server write_detail.example.com {
	accounting {
		#
		#  Write the "detail" files.
		#
		#  See raddb/modules/detail.example.com for more info.
		detail.example.com
	}

	#  That's it!
}

#  Define a virtual server to process the accounting packets.
38 | server read-detail.example.com { 39 | # Read accounting packets from the detail file(s) for 40 | # the home server. 41 | listen { 42 | type = detail 43 | filename = "${radacctdir}/detail.example.com/detail-*:*" 44 | load_factor = 10 45 | track = yes 46 | } 47 | 48 | # All packets read from the detail file are processed through 49 | # the preacct && accounting sections. 50 | # 51 | # The following text is copied verbatim from sites-available/default. 52 | # You should edit it for your own local configuration. 53 | 54 | # 55 | # Pre-accounting. Decide which accounting type to use. 56 | # 57 | preacct { 58 | preprocess 59 | 60 | # 61 | # Ensure that we have a semi-unique identifier for every 62 | # request, and many NAS boxes are broken. 63 | acct_unique 64 | 65 | # 66 | # Look for IPASS-style 'realm/', and if not found, look for 67 | # '@realm', and decide whether or not to proxy, based on 68 | # that. 69 | # 70 | # Accounting requests are generally proxied to the same 71 | # home server as authentication requests. 72 | # IPASS 73 | suffix 74 | # ntdomain 75 | 76 | # 77 | # Read the 'acct_users' file 78 | files 79 | } 80 | 81 | # 82 | # Accounting. Log the accounting data. 83 | # 84 | accounting { 85 | # 86 | # Create a 'detail'ed log of the packets. 87 | # Note that accounting requests which are proxied 88 | # are also logged in the detail file. 89 | detail 90 | # daily 91 | 92 | # Update the wtmp file 93 | # 94 | # If you don't use "radlast", you can delete this line. 95 | unix 96 | 97 | # 98 | # For Simultaneous-Use tracking. 99 | # 100 | # Due to packet losses in the network, the data here 101 | # may be incorrect. There is little we can do about it. 102 | radutmp 103 | # sradutmp 104 | 105 | # Return an address to the IP Pool when we see a stop record. 106 | # main_pool 107 | 108 | # 109 | # Log traffic to an SQL database. 110 | # 111 | # NOTE! You will have to ensure that any accounting packets 112 | # NOT handled by the SQL module (e.g. 
"stop with zero session length" 113 | # result in the accounting section still returning "ok". 114 | # 115 | # Otherwise, the server will think that the accounting packet 116 | # was NOT handled properly, and will keep trying to process it 117 | # through this virtual server! 118 | # 119 | # See "Accounting queries" in sql.conf 120 | # sql 121 | 122 | # Cisco VoIP specific bulk accounting 123 | # pgsql-voip 124 | 125 | # Filter attributes from the accounting response. 126 | attr_filter.accounting_response 127 | 128 | # 129 | # See "Autz-Type Status-Server" for how this works. 130 | # 131 | # Acct-Type Status-Server { 132 | # 133 | # } 134 | } 135 | } 136 | -------------------------------------------------------------------------------- /etc/raddb/sites-available/dhcp.relay: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | ###################################################################### 3 | # 4 | # This is a virtual server that handles DHCP relaying 5 | # 6 | # Only one server can listen on a socket, so you cannot 7 | # do DHCP relaying && run a DHCP server at the same time. 8 | # 9 | ###################################################################### 10 | 11 | server dhcp.eth1 { 12 | listen { 13 | ipaddr = * 14 | port = 67 15 | type = dhcp 16 | interface = eth1 17 | } 18 | 19 | # Packets received on the socket will be processed through one 20 | # of the following sections, named after the DHCP packet type. 21 | # See dictionary.dhcp for the packet types. 
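dhcp DHCP-Discover {
	update config {
		# IP Address of the DHCP server
		&DHCP-Relay-To-IP-Address := 192.0.2.2
	}
	update request {
		#
		#  IP Address of the DHCP relay (ourselves).
		#
		#  giaddr must be the relay's own address in every packet
		#  we forward: the server uses it to select the subnet and
		#  to address its reply back to this relay.  The server's
		#  address belongs only in DHCP-Relay-To-IP-Address.
		#
		&DHCP-Gateway-IP-Address := 192.0.2.1
	}
	ok
}

dhcp DHCP-Request {
	update config {
		# IP Address of the DHCP server
		&DHCP-Relay-To-IP-Address := 192.0.2.2
	}
	update request {
		#
		#  IP Address of the DHCP relay (ourselves) -- the same
		#  value as in DHCP-Discover.  This previously pointed at
		#  the DHCP server (192.0.2.2), which contradicted the
		#  Discover section and would have told the server to
		#  reply to itself instead of to this relay.
		#
		&DHCP-Gateway-IP-Address := 192.0.2.1
	}
	ok
}
}
-------------------------------------------------------------------------------- /etc/raddb/sites-available/example: --------------------------------------------------------------------------------
######################################################################
#
#	An example virtual server configuration.
#
#	$Id: 5f204aaa6fc87e487b8542e1e4781623ff7f4a73 $
#
######################################################################


#
#  This client will be available to any "listen" sections that
#  are defined outside of a virtual server section.  However,
#  when the server receives a packet from this client, the
#  request will be processed through the "example" virtual
#  server, as the "client" section contains a configuration item
#  to that effect.
#
#  Note that this client will be able to send requests to any
#  port defined in a global "listen" section.  It will NOT,
#  however, be able to send requests to a port defined in a
#  "listen" section that is contained in a "server" section.
#
#  With careful matching of configurations, you should be able
#  to:
#
#  - Define one authentication port, but process each client
#    through a separate virtual server.
#
#  - define multiple authentication ports, each with a private
#    list of clients.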
#
#  - define multiple authentication ports, each of which may
#    have the same client listed, but with different shared
#    secrets
#
#  FYI: We use an address in the 192.0.2.* space for this example,
#  as RFC 3330 says that that /24 range is used for documentation
#  and examples, and should not appear on the net.  You shouldn't
#  use it for anything, either.
#
#  NOTE(review): "testing123" is the well-known placeholder secret
#  from the stock configuration.  The RADIUS shared secret is what
#  authenticates packets and hides User-Password on the wire, so a
#  guessable one lets anyone on the path forge or decode traffic.
#  Replace it with a long random value before reuse.
#
client 192.0.2.10 {
	shortname = example-client
	secret = testing123
	virtual_server = example
}

######################################################################
#
#	An example virtual server.  It starts off with "server name {"
#	The "name" is used to reference this server from a "listen"
#	or "client" section.
#
######################################################################
server example {
	#
	#  Listen on 192.0.2.1:1821 for Access-Requests.
	#  (Note: 1821, not the standard 1812 -- the port below is what
	#  the server actually binds; change both if you want 1812.)
	#
	#  When the server receives a packet, it is processed
	#  through the "authorize", etc. sections listed here,
	#  NOT the global ones the "default" site.
	#
	listen {
		ipaddr = 192.0.2.1
		port = 1821
		type = auth
	}

	#
	#  This client is listed within the "server" section,
	#  and is therefore known ONLY to the socket defined
	#  in the "listen" section above.  If the client IP
	#  sends a request to a different socket, the server
	#  will treat it as an unknown client, and will not
	#  respond.
	#
	#  In contrast, the client listed at the top of this file
	#  is outside of any "server" section, and is therefore
	#  global in scope.  It can send packets to any port
	#  defined in a global "listen" section.  It CANNOT send
	#  packets to the listen section defined above, though.
	#
	#  Note that you don't have to have a "virtual_server = example"
	#  line here, as the client is encapsulated within
	#  the "server" section.
	#
	#  Same placeholder secret as the global client above; replace it.
	#
	client 192.0.2.9 {
		shortname = example-client
		secret = testing123
	}

	authorize {
		#
		#  Some example policies.  See "man unlang" for more.
		#
		#  The password set here is never used: the unconditional
		#  "reject" below short-circuits before "authenticate" runs.
		#
		if (&User-Name == 'bob') {
			update control {
				&Cleartext-Password := 'bob'
			}
		}

		#
		#  And then reject the user.  The next line requires
		#  that the "always reject {}" section is defined in
		#  the "modules" section of radiusd.conf.
		#
		reject
	}

	authenticate {

	}

	post-auth {

		Post-Auth-Type Reject {
			update reply {
				&Reply-Message = 'This is only an example.'
			}
		}
	}

}
-------------------------------------------------------------------------------- /etc/raddb/sites-available/proxy-inner-tunnel: --------------------------------------------------------------------------------
# -*- text -*-
######################################################################
#
#	This is a virtual server that handles *only* inner tunnel
#	requests for EAP-TTLS and PEAP types.
#
#	$Id: 938d954592d3824e4d51e3315d0f7e0b5cfde824 $
#
######################################################################

server proxy-inner-tunnel {

	#
	#  This example is very simple.  All inner tunnel requests get
	#  proxied to another RADIUS server.
	#
	#  The inner identity and credentials leave this host for the
	#  home server of the realm named below; make sure that path is
	#  one you trust (e.g. RadSec or a private network).
	#
	authorize {
		#
		#  Do other things here, as necessary.
		#
		#  e.g. run the "realms" module, to decide how to proxy
		#  the inner tunnel request.
		#

		update control {
			#  You should update this to be one of your realms.
			&Proxy-To-Realm := "example.com"
		}
	}

	authenticate {
		#
		#  This is necessary so that the inner tunnel EAP-MSCHAPv2
		#  method can be called.  That method takes care of turning
		#  EAP-MSCHAPv2 into plain MS-CHAPv2, if necessary.
36 | eap 37 | } 38 | 39 | post-proxy { 40 | # 41 | # This is necessary for LEAP, or if you set: 42 | # 43 | # proxy_tunneled_request_as_eap = no 44 | # 45 | eap 46 | } 47 | } 48 | -------------------------------------------------------------------------------- /etc/raddb/sites-available/soh: -------------------------------------------------------------------------------- 1 | # This is a simple server for the MS SoH requests generated by the 2 | # peap module - see "eap.conf" for more info 3 | 4 | # Requests are ONLY passed through the authorize section, and cannot 5 | # current be proxied (in any event, the radius attributes used are 6 | # internal). 7 | 8 | server soh-server { 9 | authorize { 10 | if (&SoH-Supported == no) { 11 | # client NAKed our request for SoH - not supported, or turned off 12 | update config { 13 | &Auth-Type = Accept 14 | } 15 | } 16 | else { 17 | # client replied; check something - this is a local policy issue! 18 | if (&SoH-MS-Windows-Health-Status =~ /antivirus (warn|error) /) { 19 | update config { 20 | &Auth-Type = Reject 21 | } 22 | update reply { 23 | &Reply-Message = 'You must have antivirus enabled & installed!' 24 | } 25 | } 26 | else { 27 | update config { 28 | &Auth-Type = Accept 29 | } 30 | } 31 | } 32 | } 33 | } 34 | 35 | -------------------------------------------------------------------------------- /etc/raddb/sites-available/virtual.example.com: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | ###################################################################### 3 | # 4 | # Sample virtual server for internally proxied requests. 5 | # 6 | # See the "realm virtual.example.com" example in "proxy.conf". 7 | # 8 | # $Id: 3c4aea7458cca50c9f43f33e6aebd5ca08180de7 $ 9 | # 10 | ###################################################################### 11 | 12 | # 13 | # You will want to edit this to your local needs. 
We suggest copying 14 | # the text from the "default" file here, and then editing the text. 15 | # That way, any changes to the "default" file will not affect this 16 | # virtual server, and vice-versa. 17 | # 18 | # When this virtual server receives the request, the original 19 | # attributes can be accessed as "outer.request", "outer.control", etc. 20 | # See "man unlang" for more details. 21 | # 22 | server virtual.example.com { 23 | authorize { 24 | # insert policies here 25 | } 26 | 27 | authenticate { 28 | # insert policies here 29 | } 30 | 31 | # etc. 32 | } 33 | -------------------------------------------------------------------------------- /etc/raddb/sites-available/vmps: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | ###################################################################### 3 | # 4 | # As of version 2.0.0, the server also supports the VMPS 5 | # protocol. 6 | # 7 | # $Id: c5c50786f4f5563d27218c70bf98c3898f47e5ba $ 8 | # 9 | ###################################################################### 10 | 11 | server vmps { 12 | listen { 13 | # VMPS sockets only support IPv4 addresses. 14 | ipaddr = * 15 | 16 | # Port on which to listen. 17 | # Allowed values are: 18 | # integer port number 19 | # 1589 is the default VMPS port. 20 | port = 1589 21 | 22 | # Type of packets to listen for. Here, it is VMPS. 23 | type = vmps 24 | 25 | # Some systems support binding to an interface, in addition 26 | # to the IP address. This feature isn't strictly necessary, 27 | # but for sites with many IP addresses on one interface, 28 | # it's useful to say "listen on all addresses for 29 | # eth0". 30 | # 31 | # If your system does not support this feature, you will 32 | # get an error if you try to use it. 33 | # 34 | # interface = eth0 35 | } 36 | 37 | # If you have switches that are allowed to send VMPS, but NOT 38 | # RADIUS packets, then list them here as "client" sections. 
39 | # 40 | # Note that for compatibility with RADIUS, you still have to 41 | # list a "secret" for each client, though that secret will not 42 | # be used for anything. 43 | 44 | 45 | # And the REAL contents. This section is just like the 46 | # "post-auth" section of radiusd.conf. In fact, it calls the 47 | # "post-auth" component of the modules that are listed here. 48 | # But it's called "vmps" to highlight that it's for VMPS. 49 | # 50 | vmps { 51 | # 52 | # Some requests may not have a MAC address. Try to 53 | # create one using other attributes. 54 | if (!&VMPS-Mac) { 55 | if (&VMPS-Ethernet-Frame =~ /0x.{12}(..)(..)(..)(..)(..)(..).*/) { 56 | update request { 57 | &VMPS-Mac = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}" 58 | } 59 | } 60 | else { 61 | update request { 62 | &VMPS-Mac = &VMPS-Cookie 63 | } 64 | } 65 | } 66 | 67 | # Do a simple mapping of MAC to VLAN. 68 | # 69 | # See radiusd.conf for the definition of the "mac2vlan" 70 | # module. 71 | # 72 | #mac2vlan 73 | 74 | # required VMPS reply attributes 75 | update reply { 76 | &VMPS-Packet-Type = VMPS-Join-Response 77 | &VMPS-Cookie = &VMPS-Mac 78 | 79 | &VMPS-VLAN-Name = "please_use_real_vlan_here" 80 | 81 | # 82 | # If you have VLAN's in a database, you can select 83 | # the VLAN name based on the MAC address. 84 | # 85 | #&VMPS-VLAN-Name = "%{sql:select ... where mac='%{VMPS-Mac}'}" 86 | } 87 | 88 | # correct reply packet type for reconfirmation requests 89 | # 90 | if (&VMPS-Packet-Type == VMPS-Reconfirm-Request){ 91 | update reply { 92 | &VMPS-Packet-Type := VMPS-Reconfirm-Response 93 | } 94 | } 95 | } 96 | 97 | # Proxying of VMPS requests is NOT supported. 
98 | } 99 | -------------------------------------------------------------------------------- /etc/raddb/sites-enabled/default: -------------------------------------------------------------------------------- 1 | ../sites-available/default -------------------------------------------------------------------------------- /etc/raddb/sites-enabled/inner-tunnel: -------------------------------------------------------------------------------- 1 | ../sites-available/inner-tunnel -------------------------------------------------------------------------------- /etc/raddb/templates.conf: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | ## 3 | ## templates.conf -- configurations to be used in multiple places 4 | ## 5 | ## $Id: 7b8b44e051c974c1a0a6e27a0cff50e621835df2 $ 6 | 7 | ###################################################################### 8 | # 9 | # Version 2.0 has a useful new feature called "templates". 10 | # 11 | # Use templates by adding a line in radiusd.conf: 12 | # 13 | # $INCLUDE templates.conf 14 | # 15 | # The goal of the templates is to have common configuration located 16 | # in this file, and to list only the *differences* in the individual 17 | # sections. This feature is most useful for sections like "clients" 18 | # or "home_servers", where many may be defined, and each one has 19 | # similar repeated configuration. 20 | # 21 | # Something similar to templates can be done by putting common 22 | # configuration into separate files, and using "$INCLUDE file...", 23 | # but this is more flexible, and simpler to understand. It's also 24 | # cheaper for the server, because "$INCLUDE" makes a copy of the 25 | # configuration for inclusion, and templates are simply referenced. 26 | # 27 | # The templates are defined in the "templates" section, so that they 28 | # do not affect the rest of the server configuration. 
29 | # 30 | # A section can reference a template by using "$template name" 31 | # 32 | templates { 33 | # 34 | # The contents of the templates section are other 35 | # configuration sections that would normally go into 36 | # the configuration files. 37 | # 38 | 39 | # 40 | # This is a default template for the "home_server" section. 41 | # Note that there is no name for the section. 42 | # 43 | # Any configuration item that is valid for a "home_server" 44 | # section is also valid here. When a "home_server" section 45 | # is defined in proxy.conf, this section is referenced as 46 | # the template. 47 | # 48 | # Configuration items that are explicitly listed in a 49 | # "home_server" section of proxy.conf are used in 50 | # preference to the configuration items listed here. 51 | # 52 | # However, if a configuration item is NOT listed in a 53 | # "home_server" section of proxy.conf, then the value here 54 | # is used. 55 | # 56 | # This functionality lets you put common configuration into 57 | # a template, and to put only the unique configuration 58 | # items in "proxy.conf". Each section in proxy.conf can 59 | # then contain a line "$template home_server", which will 60 | # cause it to reference this template. 61 | # 62 | home_server { 63 | response_window = 20 64 | zombie_period = 40 65 | revive_interval = 120 66 | # 67 | # Etc. 68 | } 69 | 70 | # 71 | # You can also have named templates. For example, if you 72 | # are proxying to 3 different home servers all at the same 73 | # site, with identical configurations (other than IP 74 | # addresses), you can use this named template. 75 | # 76 | 77 | # Then, each "home_server" section in "proxy.conf" would 78 | # only list the IP address of that home server, and a 79 | # line saying 80 | # 81 | # $template example_com 82 | # 83 | # That would tell FreeRADIUS to look in the section below 84 | # for the rest of the configuration items. 85 | # 86 | # For various reasons, you shouldn't have a "." 
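in the template
# name.  Doing so means that the server will be unable to find
# the template.
#
example_com {
	type = auth
	port = 1812
	secret = testing123
	response_window = 20
	#
	# Etc...
}

#
# You can have templates for other sections, too, but they
# seem to be most useful for home_servers.
#
# For now, you can use templates only for sections in
# radiusd.conf, not sub-sections.  So you still have to use
# the "$INCLUDE file.." method for things like defining
# multiple "sql" modules, each with similar configuration.
#
}
--------------------------------------------------------------------------------
/etc/raddb/users:
--------------------------------------------------------------------------------
./mods-config/files/authorize
--------------------------------------------------------------------------------
/scripts/run-tests.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# CI smoke test: bring the compose stack up, then run one RADIUS
# authentication round-trip against it with radtest (from the
# 2stacks/radtest image, attached to the stack's backend network).
#
# "testing"/"password" is the fixture user and "testing123" the client
# secret used by this repository's test setup; `set -v` echoes the full
# radtest command line, so both values end up in the CI log. They are
# test fixtures only and must not be reused anywhere else.
set -euv

# Compose derives the network name from the project name (the checkout
# directory name by default); override when the checkout lives elsewhere.
RADTEST_NETWORK="${RADTEST_NETWORK:-docker-freeradius_backend}"
# Seconds to give MySQL to bootstrap before radtest runs.
STARTUP_WAIT="${STARTUP_WAIT:-15}"

docker-compose up -d
# NOTE(review): unpinned image tag; pin to a digest once one is chosen.
docker pull 2stacks/radtest
# Wait for MySQL to bootstrap (no health check is reachable from this host).
sleep "${STARTUP_WAIT}"
docker-compose ps
# radtest reads nothing from stdin and needs no terminal, so neither -i
# nor -t is passed: `-t` fails outright on CI runners without a TTY.
docker run --rm --network "${RADTEST_NETWORK}" 2stacks/radtest \
    radtest testing password freeradius 2 testing123
--------------------------------------------------------------------------------
/scripts/start.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Container entry point. Waits for the database to accept TCP connections,
# then exec's into wait-for.sh (which in turn exec's radiusd), so radiusd
# ends up as PID 1 and receives the container's stop signal directly; a
# plain /bin/sh left as PID 1 would not forward it.
#
# RAD_DEBUG=yes runs radiusd with -X, which writes verbose debug output
# (including request attribute values) to stdout; keep it off outside of
# troubleshooting.

# Fail with a clear message instead of handing wait-for.sh an empty host/port.
: "${DB_HOST:?DB_HOST must be set}"
: "${DB_PORT:?DB_PORT must be set}"

if [ "${RAD_DEBUG:-}" = "yes" ]; then
    exec /wait-for.sh "${DB_HOST}:${DB_PORT}" -t 15 -- /usr/sbin/radiusd -X -f -d /etc/raddb
else
    exec /wait-for.sh "${DB_HOST}:${DB_PORT}" -t 15 -- /usr/sbin/radiusd -f -d /etc/raddb
fi
--------------------------------------------------------------------------------
/scripts/wait-for.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Wait until host:port accepts a TCP connection, then optionally exec a
# command. Defaults below can be overridden with -t/--timeout and -q.

TIMEOUT=15
QUIET=0
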
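echoerr() {
	# Print a status line to stderr unless -q/--quiet was given.
	if [ "$QUIET" -ne 1 ]; then printf "%s\n" "$*" 1>&2; fi
}

usage() {
	# Print the usage text to stderr and exit with the code passed as $1.
	exitcode="$1"
	# cmdname was never assigned anywhere in the script, so the usage text
	# used to start with an empty program name.
	cmdname="${cmdname:-$(basename "$0")}"
	cat << USAGE >&2
Usage:
  $cmdname host:port [-t timeout] [-- command args]
  -q | --quiet                        Do not output any status messages
  -t TIMEOUT | --timeout=timeout      Timeout in seconds, zero for no timeout
  -- COMMAND ARGS                     Execute command with args after the test finishes
USAGE
	exit "$exitcode"
}

wait_for() {
	# Probe $HOST:$PORT once per second until it accepts a TCP connection,
	# then exec the remaining arguments (if any) so that command takes over
	# this process. Gives up after $TIMEOUT seconds; TIMEOUT=0 waits
	# indefinitely, as the usage text promises (the former `seq $TIMEOUT`
	# loop made a zero timeout fail immediately instead).
	elapsed=0
	while :; do
		if nc -z "$HOST" "$PORT" > /dev/null 2>&1; then
			if [ $# -gt 0 ]; then
				# "$@" passes each argument through intact; the previous
				# command="$*" / exec $command round-trip re-split arguments
				# on whitespace and subjected them to glob expansion.
				exec "$@"
			fi
			exit 0
		fi
		if [ "$TIMEOUT" -gt 0 ] && [ "$elapsed" -ge "$TIMEOUT" ]; then
			break
		fi
		sleep 1
		elapsed=$((elapsed + 1))
	done
	echo "Operation timed out" >&2
	exit 1
}

# Reject a timeout that is not a non-negative integer before it reaches the
# arithmetic in wait_for, where a bad value used to surface as a test error.
check_timeout() {
	case "$1" in
		''|*[!0-9]*)
			echoerr "Error: timeout must be a non-negative integer, got '$1'"
			usage 1
			;;
	esac
}

while [ $# -gt 0 ]; do
	case "$1" in
		*:*)
			# host:port; anything after a second colon is ignored, which is
			# what the former cut-based split did as well.
			HOST="${1%%:*}"
			PORT="${1#*:}"
			PORT="${PORT%%:*}"
			shift 1
			;;
		-q | --quiet)
			QUIET=1
			shift 1
			;;
		-t)
			# A bare -t used to leave "-t" behind as the command to exec.
			if [ $# -lt 2 ]; then
				echoerr "Error: -t requires a value"
				usage 1
			fi
			TIMEOUT="$2"
			check_timeout "$TIMEOUT"
			shift 2
			;;
		--timeout=*)
			TIMEOUT="${1#*=}"
			check_timeout "$TIMEOUT"
			shift 1
			;;
		--)
			shift
			break
			;;
		--help)
			usage 0
			;;
		*)
			echoerr "Unknown argument: $1"
			usage 1
			;;
	esac
done

if [ -z "${HOST:-}" ] || [ -z "${PORT:-}" ]; then
	echoerr "Error: you need to provide a host and port to test."
	usage 2
fi

wait_for "$@"
--------------------------------------------------------------------------------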