├── .dockerignore ├── .gitignore ├── .gitmodules ├── .travis.yml ├── CHANGELOG ├── Dockerfile ├── LICENSE ├── README.md ├── certs ├── freeradius │ ├── Makefile │ ├── README │ ├── bootstrap │ ├── ca.cnf │ ├── client.cnf │ ├── inner-server.cnf │ ├── server.cnf │ └── xpextensions └── postgres │ ├── ca.crt │ ├── server.crt │ └── server.key ├── compose ├── django │ ├── Dockerfile │ ├── entrypoint │ └── start └── postgres │ └── init │ ├── init-user-db.sh │ ├── schema.sh │ └── schema.sql ├── docker-compose.yml ├── docs ├── README.md └── _config.yml ├── raddb ├── README.rst ├── certs │ ├── Makefile │ ├── README │ ├── bootstrap │ ├── ca.cnf │ ├── client.cnf │ ├── inner-server.cnf │ ├── server.cnf │ └── xpextensions ├── clients.conf ├── dictionary ├── experimental.conf ├── hints ├── huntgroups ├── mods-available │ ├── README.rst │ ├── abfab_psk_sql │ ├── always │ ├── attr_filter │ ├── cache │ ├── cache_eap │ ├── chap │ ├── couchbase │ ├── counter │ ├── cui │ ├── date │ ├── detail │ ├── detail.example.com │ ├── detail.log │ ├── dhcp │ ├── dhcp_sqlippool │ ├── digest │ ├── dynamic_clients │ ├── eap │ ├── echo │ ├── etc_group │ ├── exec │ ├── expiration │ ├── expr │ ├── files │ ├── idn │ ├── inner-eap │ ├── ippool │ ├── krb5 │ ├── ldap │ ├── linelog │ ├── logintime │ ├── mac2ip │ ├── mac2vlan │ ├── moonshot-targeted-ids │ ├── mschap │ ├── ntlm_auth │ ├── opendirectory │ ├── otp │ ├── pam │ ├── pap │ ├── passwd │ ├── perl │ ├── preprocess │ ├── python │ ├── radutmp │ ├── realm │ ├── redis │ ├── rediswho │ ├── replicate │ ├── rest │ ├── smbpasswd │ ├── smsotp │ ├── soh │ ├── sometimes │ ├── sql │ ├── sqlcounter │ ├── sqlippool │ ├── sradutmp │ ├── unbound │ ├── unix │ ├── unpack │ ├── utf8 │ ├── wimax │ └── yubikey ├── mods-config │ ├── README.rst │ ├── attr_filter │ │ ├── access_challenge │ │ ├── access_reject │ │ ├── accounting_response │ │ ├── post-proxy │ │ └── pre-proxy │ ├── files │ │ ├── accounting │ │ ├── authorize │ │ └── pre-proxy │ ├── perl │ │ └── example.pl │ ├── 
preprocess │ │ ├── hints │ │ └── huntgroups │ ├── python │ │ ├── example.py │ │ └── radiusd.py │ ├── ruby │ │ └── example.rb │ ├── sql │ │ ├── counter │ │ │ ├── mysql │ │ │ │ ├── dailycounter.conf │ │ │ │ ├── expire_on_login.conf │ │ │ │ ├── monthlycounter.conf │ │ │ │ └── noresetcounter.conf │ │ │ ├── postgresql │ │ │ │ ├── dailycounter.conf │ │ │ │ ├── expire_on_login.conf │ │ │ │ ├── monthlycounter.conf │ │ │ │ └── noresetcounter.conf │ │ │ └── sqlite │ │ │ │ ├── dailycounter.conf │ │ │ │ ├── expire_on_login.conf │ │ │ │ ├── monthlycounter.conf │ │ │ │ └── noresetcounter.conf │ │ ├── cui │ │ │ ├── mysql │ │ │ │ ├── queries.conf │ │ │ │ └── schema.sql │ │ │ ├── postgresql │ │ │ │ ├── queries.conf │ │ │ │ └── schema.sql │ │ │ └── sqlite │ │ │ │ ├── queries.conf │ │ │ │ └── schema.sql │ │ ├── ippool-dhcp │ │ │ ├── mysql │ │ │ │ ├── queries.conf │ │ │ │ └── schema.sql │ │ │ ├── oracle │ │ │ │ ├── queries.conf │ │ │ │ └── schema.sql │ │ │ └── sqlite │ │ │ │ ├── queries.conf │ │ │ │ └── schema.sql │ │ ├── ippool │ │ │ ├── mysql │ │ │ │ ├── queries.conf │ │ │ │ └── schema.sql │ │ │ ├── oracle │ │ │ │ ├── procedures.sql │ │ │ │ ├── queries.conf │ │ │ │ └── schema.sql │ │ │ ├── postgresql │ │ │ │ ├── queries.conf │ │ │ │ └── schema.sql │ │ │ └── sqlite │ │ │ │ ├── queries.conf │ │ │ │ └── schema.sql │ │ ├── main │ │ │ ├── mssql │ │ │ │ ├── queries.conf │ │ │ │ └── schema.sql │ │ │ ├── mysql │ │ │ │ ├── extras │ │ │ │ │ └── wimax │ │ │ │ │ │ ├── queries.conf │ │ │ │ │ │ └── schema.sql │ │ │ │ ├── queries.conf │ │ │ │ ├── schema.sql │ │ │ │ └── setup.sql │ │ │ ├── ndb │ │ │ │ ├── README │ │ │ │ ├── schema.sql │ │ │ │ └── setup.sql │ │ │ ├── oracle │ │ │ │ ├── queries.conf │ │ │ │ └── schema.sql │ │ │ ├── postgresql │ │ │ │ ├── extras │ │ │ │ │ ├── cisco_h323_db_schema.sql │ │ │ │ │ └── voip-postpaid.conf │ │ │ │ ├── queries.conf │ │ │ │ ├── schema.sql │ │ │ │ └── setup.sql │ │ │ └── sqlite │ │ │ │ ├── queries.conf │ │ │ │ └── schema.sql │ │ └── moonshot-targeted-ids │ │ │ 
├── mysql │ │ │ ├── queries.conf │ │ │ └── schema.sql │ │ │ ├── postgresql │ │ │ ├── queries.conf │ │ │ └── schema.sql │ │ │ └── sqlite │ │ │ ├── queries.conf │ │ │ └── schema.sql │ └── unbound │ │ └── default.conf ├── mods-enabled │ ├── always │ ├── attr_filter │ ├── cache_eap │ ├── chap │ ├── date │ ├── detail │ ├── detail.log │ ├── digest │ ├── dynamic_clients │ ├── eap │ ├── echo │ ├── exec │ ├── expiration │ ├── expr │ ├── files │ ├── linelog │ ├── logintime │ ├── mschap │ ├── ntlm_auth │ ├── pap │ ├── passwd │ ├── preprocess │ ├── radutmp │ ├── realm │ ├── replicate │ ├── rest │ ├── soh │ ├── sql │ ├── sqlcounter │ ├── sradutmp │ ├── unix │ ├── unpack │ └── utf8 ├── panic.gdb ├── policy.d │ ├── abfab-tr │ ├── accounting │ ├── canonicalization │ ├── control │ ├── cui │ ├── debug │ ├── dhcp │ ├── eap │ ├── filter │ ├── moonshot-targeted-ids │ ├── operator-name │ └── rfc7542 ├── proxy.conf ├── radiusd.conf ├── sites-available │ ├── README │ ├── abfab-tls │ ├── abfab-tr-idp │ ├── buffered-sql │ ├── challenge │ ├── channel_bindings │ ├── check-eap-tls │ ├── coa │ ├── control-socket │ ├── copy-acct-to-home-server │ ├── decoupled-accounting │ ├── default │ ├── dhcp │ ├── dhcp.relay │ ├── dynamic-clients │ ├── example │ ├── inner-tunnel │ ├── originate-coa │ ├── proxy-inner-tunnel │ ├── robust-proxy-accounting │ ├── soh │ ├── status │ ├── tls │ ├── virtual.example.com │ └── vmps ├── sites-enabled │ ├── default │ └── inner-tunnel ├── templates.conf ├── trigger.conf └── users └── scripts ├── local_settings.py ├── run-tests.sh ├── start.sh ├── users.csv └── wait-for.sh /.dockerignore: -------------------------------------------------------------------------------- 1 | .* 2 | !.env 3 | /certs/ 4 | docs/_config.yml 5 | docker-compose.yml 6 | /backup/ -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | 
__pycache__/ 3 | *.py[cod] 4 | *.swp 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | env/ 12 | build/ 13 | develop-eggs/ 14 | dist/ 15 | downloads/ 16 | eggs/ 17 | /lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | *.egg-info/ 23 | .installed.cfg 24 | *.egg 25 | 26 | # PyInstaller 27 | # Usually these files are written by a python script from a template 28 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 29 | *.manifest 30 | *.spec 31 | 32 | # Installer logs 33 | pip-log.txt 34 | pip-delete-this-directory.txt 35 | 36 | # Unit test / coverage reports 37 | htmlcov/ 38 | .tox/ 39 | .coverage 40 | .cache 41 | nosetests.xml 42 | coverage.xml 43 | 44 | # Translations 45 | *.mo 46 | *.pot 47 | 48 | # Django stuff: 49 | #*.log 50 | 51 | # Sphinx documentation 52 | docs/_build/ 53 | 54 | # PyBuilder 55 | target/ 56 | 57 | # editors 58 | *.komodoproject 59 | 60 | # other 61 | *.DS_Store* 62 | *~ 63 | ._* 64 | *.db 65 | *.tar.gz 66 | tests/.env 67 | media/ 68 | 69 | #Pycharm projects 70 | .idea/ 71 | 72 | # Project Stuff 73 | certs/CA 74 | dh 75 | *.pem 76 | *.der 77 | *.csr 78 | *.crt 79 | *.key 80 | *.p12 81 | serial* 82 | index.txt* 83 | passwords.mk 84 | backup/* 85 | /certs/postgres/server.key 86 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "django-freeradius"] 2 | path = django-freeradius 3 | url = https://github.com/openwisp/django-freeradius 4 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | # travis.yml 2 | language: python 3 | sudo: required 4 | 5 | cache: pip 6 | 7 | python: 8 | - "3.6" 9 | 10 | services: 11 | - docker 12 | 13 | env: 14 | - COMPOSE_VERSION=1.23.1 15 | 16 | before_install: 17 | # Stop Travis-CI 
postgresql,use docker integration instead 18 | - sudo /etc/init.d/postgresql stop 19 | - curl -L https://github.com/docker/compose/releases/download/${COMPOSE_VERSION}/docker-compose-`uname -s`-`uname -m` > docker-compose 20 | - chmod +x docker-compose 21 | - sudo mv docker-compose /usr/local/bin 22 | - docker-compose --version 23 | 24 | install: 25 | # Assist with ci test debugging: 26 | #- DEBUG=1 27 | # Build freeradius-django 28 | - docker build --pull --no-cache -t 2stacks/freeradius-django . 29 | # Build django container 30 | - cp ./scripts/local_settings.py ./django-freeradius/tests/ 31 | - docker-compose build --pull 32 | 33 | before_script: 34 | - image="2stacks/freeradius-django" 35 | - docker inspect "$image" 36 | - sudo chown root:70 ./certs/postgres/* 37 | - sudo chmod 640 ./certs/postgres/server.key 38 | 39 | script: ./scripts/run-tests.sh 40 | 41 | notifications: 42 | email: 43 | - 2stacks@2stacks.net -------------------------------------------------------------------------------- /CHANGELOG: -------------------------------------------------------------------------------- 1 | # Changelog 2 | All notable changes to this project will be documented in this file. 3 | 4 | The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), 5 | and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). 
6 | 7 | ## [1.2.0] - 2019-12-23 8 | ### Changed 9 | - Bump python from 3.8.0-alpine to 3.8.1-alpine in /compose/django 10 | - [dependencies] Updated dependencies for WeasyPrint 11 | - Bump freeradius/freeradius-server from 3.0.19-alpine to 3.0.20-alpine 12 | - Synched with latest django-freeradius/master 13 | - See also - https://github.com/2stacks/freeradius-django/compare/v1.1.2...master 14 | 15 | ## [1.1.2] - 2019-07-11 16 | ### Changed 17 | - Optimized ENV declaration in Dockerfile 18 | - freeradius-server:latest-alpine bumped to Alpine 3.10 and Freeradius 3.0.19 19 | - Locked version of freeradius server in Dockerfile 20 | - Synched with latest django-freeradius/master 21 | - Updated Jekyll theme 22 | 23 | ## [1.1.1] - 2019-04-10 24 | ### Added 25 | - CHANGELOG 26 | 27 | ### Changed 28 | - Base container freeradius/freeradius-server bumped to 3.0.19 29 | 30 | ## [1.1.0] - 2019-03-29 31 | ### Added 32 | - Local docker build of django-freeradius from submodule 33 | - Travis scripts for integration tests 34 | 35 | ### Changed 36 | - Everything 37 | 38 | ## [1.0.0] - 2019-03-29 39 | ### Added 40 | - Initial commit -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM freeradius/freeradius-server:3.0.21-alpine 2 | # FreeRADIUS image for the django-freeradius stack: ships ./raddb as /etc/raddb and declares every runtime setting in the ENV block below (presumably consumed by /start.sh, which is not shown here). 3 | MAINTAINER 2stacks <2stacks@2stacks.net> 4 | # NOTE(review): MAINTAINER is deprecated Dockerfile syntax; `LABEL maintainer="..."` is the current form. 5 | RUN apk --update add postgresql-dev 6 | 7 | EXPOSE 1812/udp 1813/udp 8 | # Development defaults only. DB_PASS, API_TOKEN and RADIUS_KEY are sample secrets and must be overridden through the runtime environment; the shipped docker-compose.yml still uses the same sample API token, so none of these values belong outside a local test stack. RADIUS_SSL_MODE=disable means the database connection is plaintext unless the caller sets it (docker-compose.yml uses prefer). 9 | ENV DB_HOST=postgres \ 10 | DB_PORT=5432 \ 11 | DB_USER=debug \ 12 | DB_PASS=debug \ 13 | DB_NAME=radius \ 14 | API_HOST=django \ 15 | API_PORT=8000 \ 16 | API_PROTOCOL=http \ 17 | API_TOKEN=djangofreeradiusapitoken \ 18 | RADIUS_SSL_MODE=disable \ 19 | RADIUS_KEY=testing123 \ 20 | RADIUS_CLIENTS=10.0.0.0/24 \ 21 | RADIUS_DEBUG=no 22 | # The server configuration is baked into the image and owned by root; anything that must differ per deployment has to come through ENV, not by editing /etc/raddb at runtime. 23 | ADD --chown=root:root ./raddb/ /etc/raddb 24 | 25 | ADD ./scripts/start.sh /start.sh 26 | ADD ./scripts/wait-for.sh /wait-for.sh 27 | RUN chmod +x /start.sh 28 | # NOTE(review): only /start.sh is made executable; /wait-for.sh is copied without +x, so it presumably has to be invoked as `sh /wait-for.sh` — confirm against start.sh. 
29 | CMD ["/start.sh"] 30 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 2stacks 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | docs/README.md -------------------------------------------------------------------------------- /certs/freeradius/bootstrap: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # This is a wrapper script to create default certificates when the 4 | # server first starts in debugging mode. Once the certificates have been 5 | # created, this file should be deleted. 
6 | # 7 | # Ideally, this program should be run as part of the installation of any 8 | # binary package. The installation should also ensure that the permissions 9 | # and owners are correct for the files generated by this script. 10 | # 11 | # $Id: 0f719aafd4c9abcdefbf547dedb6e7312c535104 $ 12 | # 13 | umask 027 14 | cd `dirname $0` 15 | 16 | make -h > /dev/null 2>&1 17 | 18 | # 19 | # If we have a working "make", then use it. Otherwise, run the commands 20 | # manually. 21 | # 22 | if [ "$?" = "0" ]; then 23 | make all 24 | exit $? 25 | fi 26 | 27 | # 28 | # The following commands were created by running "make -n", and edited 29 | # to remove the trailing backslash, and to add "exit 1" after the commands. 30 | # 31 | # Don't edit the following text. Instead, edit the Makefile, and 32 | # re-generate these commands. 33 | # 34 | if [ ! -f dh ]; then 35 | openssl dhparam -out dh 2048 || exit 1 36 | if [ -e /dev/urandom ] ; then 37 | ln -sf /dev/urandom random 38 | else 39 | date > ./random; 40 | fi 41 | fi 42 | 43 | if [ ! -f server.key ]; then 44 | openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1 45 | fi 46 | 47 | if [ ! -f ca.key ]; then 48 | openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1 49 | fi 50 | 51 | if [ ! -f index.txt ]; then 52 | touch index.txt 53 | fi 54 | 55 | if [ ! -f serial ]; then 56 | echo '01' > serial 57 | fi 58 | 59 | if [ ! -f server.crt ]; then 60 | openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1 61 | fi 62 | 63 | if [ ! 
-f server.p12 ]; then 64 | openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1 65 | fi 66 | 67 | if [ ! -f server.pem ]; then 68 | openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1 69 | openssl verify -CAfile ca.pem server.pem || exit 1 70 | fi 71 | 72 | if [ ! -f ca.der ]; then 73 | openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1 74 | fi 75 | 76 | if [ ! -f client.key ]; then 77 | openssl req -new -out client.csr -keyout client.key -config ./client.cnf 78 | fi 79 | 80 | if [ ! -f client.crt ]; then 81 | openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf 82 | fi 83 | -------------------------------------------------------------------------------- /certs/freeradius/ca.cnf: -------------------------------------------------------------------------------- 1 | [ ca ] 2 | default_ca = CA_default 3 | 4 | [ CA_default ] 5 | dir = ./ 6 | certs = $dir 7 | crl_dir = $dir/crl 8 | database = $dir/index.txt 9 | new_certs_dir = $dir 10 | certificate = $dir/ca.pem 11 | serial = $dir/serial 12 | crl = $dir/crl.pem 13 | private_key = $dir/ca.key 14 | RANDFILE = $dir/.rand 15 | name_opt = ca_default 16 | cert_opt = ca_default 17 | default_days = 60 18 | default_crl_days = 30 19 | default_md = sha256 20 | preserve = no 21 | policy = policy_match 22 | crlDistributionPoints = URI:http://www.example.org/example_ca.crl 23 | 24 | [ policy_match ] 25 | countryName = match 26 | stateOrProvinceName = match 27 | organizationName = match 28 | organizationalUnitName = optional 29 | commonName = supplied 30 
| emailAddress = optional 31 | 32 | [ policy_anything ] 33 | countryName = optional 34 | stateOrProvinceName = optional 35 | localityName = optional 36 | organizationName = optional 37 | organizationalUnitName = optional 38 | commonName = supplied 39 | emailAddress = optional 40 | 41 | [ req ] 42 | prompt = no 43 | distinguished_name = certificate_authority 44 | default_bits = 2048 45 | input_password = whatever 46 | output_password = whatever 47 | x509_extensions = v3_ca 48 | 49 | [certificate_authority] 50 | countryName = FR 51 | stateOrProvinceName = Radius 52 | localityName = Somewhere 53 | organizationName = Example Inc. 54 | emailAddress = admin@example.org 55 | commonName = "Example Certificate Authority" 56 | 57 | [v3_ca] 58 | subjectKeyIdentifier = hash 59 | authorityKeyIdentifier = keyid:always,issuer:always 60 | basicConstraints = critical,CA:true 61 | crlDistributionPoints = URI:http://www.example.org/example_ca.crl 62 | 63 | -------------------------------------------------------------------------------- /certs/freeradius/client.cnf: -------------------------------------------------------------------------------- 1 | [ ca ] 2 | default_ca = CA_default 3 | 4 | [ CA_default ] 5 | dir = ./ 6 | certs = $dir 7 | crl_dir = $dir/crl 8 | database = $dir/index.txt 9 | new_certs_dir = $dir 10 | certificate = $dir/ca.pem 11 | serial = $dir/serial 12 | crl = $dir/crl.pem 13 | private_key = $dir/ca.key 14 | RANDFILE = $dir/.rand 15 | name_opt = ca_default 16 | cert_opt = ca_default 17 | default_days = 60 18 | default_crl_days = 30 19 | default_md = sha256 20 | preserve = no 21 | policy = policy_match 22 | 23 | [ policy_match ] 24 | countryName = match 25 | stateOrProvinceName = match 26 | organizationName = match 27 | organizationalUnitName = optional 28 | commonName = supplied 29 | emailAddress = optional 30 | 31 | [ policy_anything ] 32 | countryName = optional 33 | stateOrProvinceName = optional 34 | localityName = optional 35 | organizationName = optional 36 | 
organizationalUnitName = optional 37 | commonName = supplied 38 | emailAddress = optional 39 | 40 | [ req ] 41 | prompt = no 42 | distinguished_name = client 43 | default_bits = 2048 44 | input_password = whatever 45 | output_password = whatever 46 | 47 | [client] 48 | countryName = FR 49 | stateOrProvinceName = Radius 50 | localityName = Somewhere 51 | organizationName = Example Inc. 52 | emailAddress = user@example.org 53 | commonName = user@example.org 54 | -------------------------------------------------------------------------------- /certs/freeradius/inner-server.cnf: -------------------------------------------------------------------------------- 1 | [ ca ] 2 | default_ca = CA_default 3 | 4 | [ CA_default ] 5 | dir = ./ 6 | certs = $dir 7 | crl_dir = $dir/crl 8 | database = $dir/index.txt 9 | new_certs_dir = $dir 10 | certificate = $dir/server.pem 11 | serial = $dir/serial 12 | crl = $dir/crl.pem 13 | private_key = $dir/server.key 14 | RANDFILE = $dir/.rand 15 | name_opt = ca_default 16 | cert_opt = ca_default 17 | default_days = 60 18 | default_crl_days = 30 19 | default_md = sha256 20 | preserve = no 21 | policy = policy_match 22 | 23 | [ policy_match ] 24 | countryName = match 25 | stateOrProvinceName = match 26 | organizationName = match 27 | organizationalUnitName = optional 28 | commonName = supplied 29 | emailAddress = optional 30 | 31 | [ policy_anything ] 32 | countryName = optional 33 | stateOrProvinceName = optional 34 | localityName = optional 35 | organizationName = optional 36 | organizationalUnitName = optional 37 | commonName = supplied 38 | emailAddress = optional 39 | 40 | [ req ] 41 | prompt = no 42 | distinguished_name = server 43 | default_bits = 2048 44 | input_password = whatever 45 | output_password = whatever 46 | 47 | [server] 48 | countryName = FR 49 | stateOrProvinceName = Radius 50 | localityName = Somewhere 51 | organizationName = Example Inc. 
52 | emailAddress = admin@example.org 53 | commonName = "Example Inner Server Certificate" 54 | 55 | -------------------------------------------------------------------------------- /certs/freeradius/server.cnf: -------------------------------------------------------------------------------- 1 | [ ca ] 2 | default_ca = CA_default 3 | 4 | [ CA_default ] 5 | dir = ./ 6 | certs = $dir 7 | crl_dir = $dir/crl 8 | database = $dir/index.txt 9 | new_certs_dir = $dir 10 | certificate = $dir/server.pem 11 | serial = $dir/serial 12 | crl = $dir/crl.pem 13 | private_key = $dir/server.key 14 | RANDFILE = $dir/.rand 15 | name_opt = ca_default 16 | cert_opt = ca_default 17 | default_days = 60 18 | default_crl_days = 30 19 | default_md = sha256 20 | preserve = no 21 | policy = policy_match 22 | 23 | [ policy_match ] 24 | countryName = match 25 | stateOrProvinceName = match 26 | organizationName = match 27 | organizationalUnitName = optional 28 | commonName = supplied 29 | emailAddress = optional 30 | 31 | [ policy_anything ] 32 | countryName = optional 33 | stateOrProvinceName = optional 34 | localityName = optional 35 | organizationName = optional 36 | organizationalUnitName = optional 37 | commonName = supplied 38 | emailAddress = optional 39 | 40 | [ req ] 41 | prompt = no 42 | distinguished_name = server 43 | default_bits = 2048 44 | input_password = whatever 45 | output_password = whatever 46 | 47 | [server] 48 | countryName = FR 49 | stateOrProvinceName = Radius 50 | localityName = Somewhere 51 | organizationName = Example Inc. 52 | emailAddress = admin@example.org 53 | commonName = "Example Server Certificate" 54 | 55 | -------------------------------------------------------------------------------- /certs/freeradius/xpextensions: -------------------------------------------------------------------------------- 1 | # 2 | # File containing the OIDs required for Windows. 
3 | # 4 | # http://support.microsoft.com/kb/814394/en-us 5 | # 6 | [ xpclient_ext] 7 | extendedKeyUsage = 1.3.6.1.5.5.7.3.2 8 | crlDistributionPoints = URI:http://www.example.com/example_ca.crl 9 | 10 | [ xpserver_ext] 11 | extendedKeyUsage = 1.3.6.1.5.5.7.3.1 12 | crlDistributionPoints = URI:http://www.example.com/example_ca.crl 13 | 14 | # 15 | # Add this to the PKCS#7 keybag attributes holding the client's private key 16 | # for machine authentication. 17 | # 18 | # the presence of this OID tells Windows XP that the cert is intended 19 | # for use by the computer itself, and not by an end-user. 20 | # 21 | # The other solution is to use Microsoft's web certificate server 22 | # to generate these certs. 23 | # 24 | # 1.3.6.1.4.1.311.17.2 25 | -------------------------------------------------------------------------------- /certs/postgres/ca.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDRzCCAi+gAwIBAgIJAL687slkYiO/MA0GCSqGSIb3DQEBCwUAMBwxGjAYBgNV 3 | BAMMEUZyZWVyYWRpdXMgRGV2IENBMB4XDTE4MDcxMDAxMjEzNVoXDTI4MDcwNzAx 4 | MjEzNVowHDEaMBgGA1UEAwwRRnJlZXJhZGl1cyBEZXYgQ0EwggEiMA0GCSqGSIb3 5 | DQEBAQUAA4IBDwAwggEKAoIBAQCyL65EBAiL8ZZUNIsRrx2WvAi2HzY2cAYCrTSt 6 | C3XtyUb68reXz0Nk8kBsQ7+nl7QBSpQj5kFhV6bmUHblOsZvivZ3LeAEKI+G+6Ol 7 | bNVTy0sV5DhvjEevu7sGhdrSpZa8ivjW6Ajs6IKw0c5Pghgp30ZjYlbMEpNB38jw 8 | GAA8G4DgeQ/0x7Fww4djOtYjfo1/eiWwacRnjbd1NSibZ7gyM6FwrhZm5Pewux3f 9 | NzT++8EYGgbWdbKYjEfh7+windI1BBMaV4fh3BpBnButNIwA4vHwH9mE5Tt5SLCf 10 | lJGvOnzGQQEKShqpYEvPXMMzu49WLO9d12uodnpa0Mf2nNSHAgMBAAGjgYswgYgw 11 | HQYDVR0OBBYEFLTT/pX9bI7pWzmDPILiL+Vp7HfCMEwGA1UdIwRFMEOAFLTT/pX9 12 | bI7pWzmDPILiL+Vp7HfCoSCkHjAcMRowGAYDVQQDDBFGcmVlcmFkaXVzIERldiBD 13 | QYIJAL687slkYiO/MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3 14 | DQEBCwUAA4IBAQBgDxJZKGUdTF4QcAPtuQmMbT7YD7Nm4Dqb8ntjs8gTpMDMqeuR 15 | 39heCd9K/aIznRMufCkIKTiro8DRYTNwTl2r75Fov7I3/OnI5ukeEogXDQ0BLesV 16 | 
Js+ye/5oDEw8AylqNHSR0i9Eb/zelchlt69qUMWZ3ybcm//sbg6GqsrMd0jU88nx 17 | QdWObiCMBxJOe5TRAImw1t2dOtIodsM0mCABuM6gntRPVtZfd8F0f6Dp9Iwe7vIP 18 | JxaIDyPFRug8fwoo5qWAAVd51SWuXjy5uKCAN+DU8CNuZwPbOF4TIICkfDfhp+9z 19 | 5zB4vfeSIfcZsJcAHqw8a+AyI7sCZ3f5LtbE 20 | -----END CERTIFICATE----- 21 | -------------------------------------------------------------------------------- /certs/postgres/server.key: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEpAIBAAKCAQEAvGY/WTOv6lJcT1q+2m+NiV5w8a9I4BVVf/R/q1b5mrFjGtRh 3 | AzaXdA6bGUEMPFeRu08Efuw7JNwqEB73yeF26aoggX1SS2zmXoXioiBcIXIfEOJg 4 | dzU748esQ+0B7xyvxe+y2P3ePN1puhyZO8dFUqx83B0tqNxVRbv4UPgF9X+P3Xo9 5 | 9uegI/oOOyObPYgXaZZjUpxUfT0LNDhwuaiFQSGApNNNEoGlK0pRHqGuK1VtuNR6 6 | WqqapE/kVh1a3ICr5mt2ACrbnjsHuhzs/xRKV8UhvJHXWuvgz0H4dw4vD4YsEFb+ 7 | esPkrBK0x6OYrEKTWUiAT8zzU5NOIg2IfcBwSQIDAQABAoIBAHTwpmuQ+KVin+el 8 | tQdS7LCSjVqG6Z4lv99ffQt2PhJ1/sT9hIYBEbs5Aa6IQLcHx+5S2sCJkyCLBBTj 9 | k/ycVTounmShzD4DB28ufYESwv0DoCLT0PrNcTIuk0/KQkQQM06SPRoRYiu3Z1Pd 10 | QoPnabEqXYonFltVABz70uM3QEOj7CFhyV059MWSTgIL6/qzW8TzxCLDHVLRRc3K 11 | c7X6K/qA+x0vgbU8uHYS747ln1EmFK/coue11cuyHFspM2iFf48DQ7f5EsX2awAB 12 | /qsuHhdnOiADSDhiI/ijr0zDa+ZI8UGPOQBvJPbgERWqLG8lRha2vYapy60zjYDL 13 | ek6VYLECgYEA6TTYkoOnARe+ZI2M3Opjq7TRjo8+7tgP2B6c9NgPFSa/WJxHXD3/ 14 | iYtwxr+AKbk2bD82iIv0NC7sRphw3baEmP+5tV1wkiWNh2PxC/dWV6oqM0svoUiB 15 | BcK9WdpKhHyivKidyC0ZCHMvFEy5YDe+fKG9c2dm0sUsPSlVgUtpfdUCgYEAztBE 16 | Nh7FVojWYHemhs1vdSM8YciWKs+OrUjrl8UXj0Zyz35h5Y+GrB+N/KtVdbo9BnWp 17 | rsurEb/Ey4dA0ljb+Ms5yzAUeELLXNcmZ++XEsUiJKnTFYg0V4q1/wb52Kq1hegJ 18 | zIlDSn23qB8qRZZEohkmv5GGpFEC4X5hM1fF/qUCgYEAoOoDCk3nXXypti5p5UGi 19 | Vqek9W5oKVxSyniNKvEurxSWcakcIEzzV1AtGCapY6DWKakQkvWnIp7CEBA9yO6Y 20 | 3g2OcdOwylc5KhPPDsey/zh+d/hIPEyQIo52I1rZkkOB8xWSEb70h/0anjI2s2qj 21 | eNINrGTL8WF2Hhm4U0fa2aUCgYEAzoEYyy14gEqMPLDcf9fbxgwT+9ONVlv/rDmW 22 | vOnY94AxncwlNlJU98NeRIBUCgSXcL7GWroVK9jfSRbZe++sXcWXBLMSjW6snxxZ 23 | 
xghvQhfDWvaTxflFwm/IAElX6qeyL24dcrVQkq3rV50e2XMNPwp8LWbDGYmmpcBK 24 | kDjBg90CgYALd7yesBxEhoUZ4bOsbESV1zWwt2rCng7gWyyx5Aajc1IG4rGfBqbh 25 | j1WSyIBxa9Ufa2q9wAvbFmA7MSbxUvBMq7xqJyoi4Zjd8PcbSOz1GP091z5UaHCw 26 | SEd1VhpQ9FKAlHEoAgvjoUkpYBztssC7MGzMzCBgRARmRZhKuTvfEw== 27 | -----END RSA PRIVATE KEY----- 28 | -------------------------------------------------------------------------------- /compose/django/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.8.5-alpine 2 | 3 | ENV PYTHONUNBUFFERED 1 4 | 5 | RUN apk update \ 6 | # psycopg2 dependencies 7 | && apk add --virtual build-deps gcc python3-dev musl-dev \ 8 | && apk add postgresql-dev \ 9 | # WeasyPrint dependencies 10 | libffi-dev cairo-dev pango-dev \ 11 | # Pillow dependencies 12 | jpeg-dev zlib-dev freetype-dev lcms2-dev openjpeg-dev tiff-dev tk-dev tcl-dev \ 13 | # Mysql client dependencies 14 | mariadb-connector-c-dev 15 | 16 | # Requirements are installed here to ensure they will be cached. 
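17 | COPY ./django-freeradius/requirements.txt /requirements.txt 18 | COPY ./django-freeradius/requirements-test.txt /requirements-test.txt 19 | RUN pip install -r /requirements.txt && pip install -r /requirements-test.txt 20 | # NOTE(review): the two tarball installs below track unpinned upstream master, so image builds are not reproducible and pick up whatever those branches contain at build time; pin a tag or commit once the release lands. 21 | # Temporary until new release of openwisp-utils 22 | RUN pip install https://github.com/openwisp/openwisp-utils/tarball/master 23 | RUN pip install https://github.com/openwisp/django-freeradius/tarball/master 24 | 25 | COPY ./compose/django/entrypoint /entrypoint 26 | RUN sed -i 's/\r//' /entrypoint 27 | RUN chmod +x /entrypoint 28 | 29 | COPY ./compose/django/start /start 30 | RUN sed -i 's/\r//' /start 31 | RUN chmod +x /start 32 | 33 | WORKDIR /app 34 | 35 | ENTRYPOINT ["/entrypoint"] 36 | -------------------------------------------------------------------------------- /compose/django/entrypoint: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Container entrypoint: builds DATABASE_URL from the POSTGRES_* environment, blocks until PostgreSQL accepts connections, then execs the container command. 3 | set -o errexit 4 | set -o pipefail 5 | set -o nounset 6 | # pipefail is a non-POSIX extension; BusyBox ash (Alpine) accepts it but a dash-based /bin/sh would not — keep in mind if the base image changes. 7 | # ${POSTGRES_USER:-} rather than ${POSTGRES_USER}: with nounset enabled, an unset variable would abort the script here instead of reaching the fallback below. 8 | if [ -z "${POSTGRES_USER:-}" ]; then 9 | base_postgres_image_default_user='postgres' 10 | export POSTGRES_USER="${base_postgres_image_default_user}" 11 | fi 12 | export DATABASE_URL="postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DB}" 13 | # DATABASE_URL carries the password; anything able to read this process environment can read it. 14 | postgres_ready() { 15 | python << 'END' 16 | import os 17 | import sys 18 | import psycopg2 19 | # The heredoc is quoted so the shell does not expand the credentials into Python source (a password containing a quote or backslash would otherwise break or alter the literal); the values are read from the inherited environment instead. 20 | try: 21 | psycopg2.connect( 22 | dbname=os.environ["POSTGRES_DB"], 23 | user=os.environ["POSTGRES_USER"], 24 | password=os.environ["POSTGRES_PASSWORD"], 25 | host=os.environ["POSTGRES_HOST"], 26 | port=os.environ["POSTGRES_PORT"], 27 | ) 28 | except psycopg2.OperationalError: 29 | sys.exit(-1) 30 | sys.exit(0) 31 | 32 | END 33 | } 34 | until postgres_ready; do 35 | >&2 echo 'Waiting for PostgreSQL to become available...' 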
36 | sleep 1 37 | done 38 | >&2 echo 'PostgreSQL is available' 39 | 40 | exec "$@" 41 | -------------------------------------------------------------------------------- /compose/django/start: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -o errexit 4 | set -o pipefail 5 | set -o nounset 6 | 7 | # Development convenience only: runserver is Django's single-process dev server (no TLS) and is bound on every container interface here; do not use this start script for anything production-like. 8 | python manage.py migrate 9 | python manage.py runserver 0.0.0.0:8000 10 | -------------------------------------------------------------------------------- /compose/postgres/init/init-user-db.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e 3 | # NOTE(review): looks like an init-hook script for the postgres image, but docker-compose.yml does not mount ./compose/postgres/init, so confirm it is actually wired up. The radius role is created without a password, so access to it rests entirely on host-based auth and on the backend network staying private; the freeradius image's own defaults (DB_USER/DB_PASS=debug in the Dockerfile) suggest the stack as shipped connects as that user rather than as this role — verify which is intended. 4 | psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL 5 | CREATE USER radius; 6 | CREATE DATABASE radius; 7 | GRANT ALL PRIVILEGES ON DATABASE radius TO radius; 8 | EOSQL 9 | -------------------------------------------------------------------------------- /docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.2' 2 | # Local development stack. Every credential and the API token below are sample values shared with the Dockerfile ENV defaults; rotate them and keep real values out of this file for any non-local use. 3 | services: 4 | 5 | freeradius: 6 | image: 2stacks/freeradius-django 7 | ports: 8 | - "1812:1812/udp" 9 | - "1813:1813/udp" 10 | #volumes: 11 | #- "./certs/freeradius:/etc/raddb/certs" 12 | environment: 13 | #- DB_NAME=radius 14 | #- DB_HOST=postgres 15 | #- DB_USER=debug 16 | #- DB_PASS=debug 17 | #- DB_PORT=5432 18 | - API_HOST=django 19 | - API_PORT=8000 20 | - API_PROTOCOL=http 21 | - API_TOKEN=djangofreeradiusapitoken 22 | - RADIUS_SSL_MODE=prefer # presumably libpq sslmode: prefer falls back to plaintext if TLS fails; require or verify-full against /ca.crt would enforce it — confirm how start.sh maps it 23 | #- RADIUS_KEY=testing123 24 | #- RADIUS_CLIENTS=10.0.0.0/24 25 | - RADIUS_DEBUG=yes # debug output is verbose and can include per-request attributes; keep it off outside local testing 26 | depends_on: 27 | - postgres 28 | - django 29 | restart: always 30 | networks: 31 | - backend 32 | 33 | django: 34 | build: 35 | context: . 36 | dockerfile: ./compose/django/Dockerfile 37 | image: 2stacks/django-freeradius 38 | depends_on: 39 | - postgres 40 | volumes: 41 | - ./django-freeradius/tests:/app 42 | environment: 43 | - POSTGRES_HOST=postgres 44 | - POSTGRES_PORT=5432 45 | - POSTGRES_DB=radius 46 | - POSTGRES_USER=debug 47 | - POSTGRES_PASSWORD=debug 48 | ports: 49 | - "8000:8000" # published on all host interfaces, unlike the loopback-bound postgres port below 50 | networks: 51 | - backend 52 | command: /start 53 | # NOTE(review): ./certs/postgres/server.key is checked into this repository tree, so its contents are public; it is usable only as a throwaway development key and must be regenerated, and kept out of source control, for any shared deployment. .gitignore already lists /certs/postgres/server.key, so the file was evidently committed before that rule or force-added. 54 | postgres: 55 | image: postgres:10-alpine # NOTE(review): PostgreSQL 10 is past upstream end-of-life; move to a supported major 56 | ports: 57 | - "127.0.0.1:5432:5432" 58 | volumes: 59 | - postgres_data:/var/lib/postgresql/data 60 | - ./certs/postgres/server.crt:/server.crt 61 | - ./certs/postgres/server.key:/server.key 62 | - ./certs/postgres/ca.crt:/ca.crt 63 | environment: 64 | - POSTGRES_DB=radius 65 | - POSTGRES_USER=debug 66 | - POSTGRES_PASSWORD=debug 67 | restart: always 68 | networks: 69 | - backend 70 | command: postgres -c ssl=on -c ssl_key_file=/server.key -c ssl_cert_file=/server.crt # TLS is offered server-side only; whether clients use it depends on their sslmode (see RADIUS_SSL_MODE above) 71 | 72 | volumes: 73 | postgres_data: {} 74 | 75 | networks: 76 | backend: 77 | ipam: 78 | config: 79 | - subnet: 10.0.0.0/24 80 | -------------------------------------------------------------------------------- /docs/_config.yml: -------------------------------------------------------------------------------- 1 | remote_theme: mmistakes/minimal-mistakes 2 | titles_from_headings: 3 | enabled: true 4 | strip_title: true 5 | plugins: 6 | - jekyll-include-cache 7 | - jekyll-titles-from-headings 8 | -------------------------------------------------------------------------------- /raddb/certs/bootstrap: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # This is a wrapper script to create default certificates when the 4 | # server first starts in debugging mode. Once the certificates have been 5 | # created, this file should be deleted. 6 | # 7 | # Ideally, this program should be run as part of the installation of any 8 | # binary package. 
The installation should also ensure that the permissions 9 | # and owners are correct for the files generated by this script. 10 | # 11 | # $Id: 0f719aafd4c9abcdefbf547dedb6e7312c535104 $ 12 | # 13 | umask 027 14 | cd `dirname $0` 15 | 16 | make -h > /dev/null 2>&1 17 | 18 | # 19 | # If we have a working "make", then use it. Otherwise, run the commands 20 | # manually. 21 | # 22 | if [ "$?" = "0" ]; then 23 | make all 24 | exit $? 25 | fi 26 | 27 | # 28 | # The following commands were created by running "make -n", and edited 29 | # to remove the trailing backslash, and to add "exit 1" after the commands. 30 | # 31 | # Don't edit the following text. Instead, edit the Makefile, and 32 | # re-generate these commands. 33 | # 34 | if [ ! -f dh ]; then 35 | openssl dhparam -out dh 2048 || exit 1 36 | if [ -e /dev/urandom ] ; then 37 | ln -sf /dev/urandom random 38 | else 39 | date > ./random; 40 | fi 41 | fi 42 | 43 | if [ ! -f server.key ]; then 44 | openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1 45 | fi 46 | 47 | if [ ! -f ca.key ]; then 48 | openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1 49 | fi 50 | 51 | if [ ! -f index.txt ]; then 52 | touch index.txt 53 | fi 54 | 55 | if [ ! -f serial ]; then 56 | echo '01' > serial 57 | fi 58 | 59 | if [ ! -f server.crt ]; then 60 | openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1 61 | fi 62 | 63 | if [ ! -f server.p12 ]; then 64 | openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1 65 | fi 66 | 67 | if [ ! 
-f server.pem ]; then 68 | openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1 69 | openssl verify -CAfile ca.pem server.pem || exit 1 70 | fi 71 | 72 | if [ ! -f ca.der ]; then 73 | openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1 74 | fi 75 | 76 | if [ ! -f client.key ]; then 77 | openssl req -new -out client.csr -keyout client.key -config ./client.cnf 78 | fi 79 | 80 | if [ ! -f client.crt ]; then 81 | openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf 82 | fi 83 | -------------------------------------------------------------------------------- /raddb/certs/ca.cnf: -------------------------------------------------------------------------------- 1 | [ ca ] 2 | default_ca = CA_default 3 | 4 | [ CA_default ] 5 | dir = ./ 6 | certs = $dir 7 | crl_dir = $dir/crl 8 | database = $dir/index.txt 9 | new_certs_dir = $dir 10 | certificate = $dir/ca.pem 11 | serial = $dir/serial 12 | crl = $dir/crl.pem 13 | private_key = $dir/ca.key 14 | RANDFILE = $dir/.rand 15 | name_opt = ca_default 16 | cert_opt = ca_default 17 | default_days = 60 18 | default_crl_days = 30 19 | default_md = sha256 20 | preserve = no 21 | policy = policy_match 22 | crlDistributionPoints = URI:http://www.example.org/example_ca.crl 23 | 24 | [ policy_match ] 25 | countryName = match 26 | stateOrProvinceName = match 27 | organizationName = match 28 | organizationalUnitName = optional 29 | commonName = supplied 30 | emailAddress = optional 31 | 32 | [ policy_anything ] 33 | countryName = optional 34 | stateOrProvinceName = optional 35 | localityName = optional 36 | organizationName = optional 37 | organizationalUnitName = optional 38 | commonName = supplied 39 | emailAddress = optional 40 | 
41 | [ req ] 42 | prompt = no 43 | distinguished_name = certificate_authority 44 | default_bits = 2048 45 | input_password = whatever 46 | output_password = whatever 47 | x509_extensions = v3_ca 48 | 49 | [certificate_authority] 50 | countryName = FR 51 | stateOrProvinceName = Radius 52 | localityName = Somewhere 53 | organizationName = Example Inc. 54 | emailAddress = admin@example.org 55 | commonName = "Example Certificate Authority" 56 | 57 | [v3_ca] 58 | subjectKeyIdentifier = hash 59 | authorityKeyIdentifier = keyid:always,issuer:always 60 | basicConstraints = critical,CA:true 61 | crlDistributionPoints = URI:http://www.example.org/example_ca.crl 62 | 63 | -------------------------------------------------------------------------------- /raddb/certs/client.cnf: -------------------------------------------------------------------------------- 1 | [ ca ] 2 | default_ca = CA_default 3 | 4 | [ CA_default ] 5 | dir = ./ 6 | certs = $dir 7 | crl_dir = $dir/crl 8 | database = $dir/index.txt 9 | new_certs_dir = $dir 10 | certificate = $dir/ca.pem 11 | serial = $dir/serial 12 | crl = $dir/crl.pem 13 | private_key = $dir/ca.key 14 | RANDFILE = $dir/.rand 15 | name_opt = ca_default 16 | cert_opt = ca_default 17 | default_days = 60 18 | default_crl_days = 30 19 | default_md = sha256 20 | preserve = no 21 | policy = policy_match 22 | 23 | [ policy_match ] 24 | countryName = match 25 | stateOrProvinceName = match 26 | organizationName = match 27 | organizationalUnitName = optional 28 | commonName = supplied 29 | emailAddress = optional 30 | 31 | [ policy_anything ] 32 | countryName = optional 33 | stateOrProvinceName = optional 34 | localityName = optional 35 | organizationName = optional 36 | organizationalUnitName = optional 37 | commonName = supplied 38 | emailAddress = optional 39 | 40 | [ req ] 41 | prompt = no 42 | distinguished_name = client 43 | default_bits = 2048 44 | input_password = whatever 45 | output_password = whatever 46 | 47 | [client] 48 | countryName = FR 
49 | stateOrProvinceName = Radius 50 | localityName = Somewhere 51 | organizationName = Example Inc. 52 | emailAddress = user@example.org 53 | commonName = user@example.org 54 | -------------------------------------------------------------------------------- /raddb/certs/inner-server.cnf: -------------------------------------------------------------------------------- 1 | [ ca ] 2 | default_ca = CA_default 3 | 4 | [ CA_default ] 5 | dir = ./ 6 | certs = $dir 7 | crl_dir = $dir/crl 8 | database = $dir/index.txt 9 | new_certs_dir = $dir 10 | certificate = $dir/server.pem 11 | serial = $dir/serial 12 | crl = $dir/crl.pem 13 | private_key = $dir/server.key 14 | RANDFILE = $dir/.rand 15 | name_opt = ca_default 16 | cert_opt = ca_default 17 | default_days = 60 18 | default_crl_days = 30 19 | default_md = sha256 20 | preserve = no 21 | policy = policy_match 22 | 23 | [ policy_match ] 24 | countryName = match 25 | stateOrProvinceName = match 26 | organizationName = match 27 | organizationalUnitName = optional 28 | commonName = supplied 29 | emailAddress = optional 30 | 31 | [ policy_anything ] 32 | countryName = optional 33 | stateOrProvinceName = optional 34 | localityName = optional 35 | organizationName = optional 36 | organizationalUnitName = optional 37 | commonName = supplied 38 | emailAddress = optional 39 | 40 | [ req ] 41 | prompt = no 42 | distinguished_name = server 43 | default_bits = 2048 44 | input_password = whatever 45 | output_password = whatever 46 | 47 | [server] 48 | countryName = FR 49 | stateOrProvinceName = Radius 50 | localityName = Somewhere 51 | organizationName = Example Inc. 
52 | emailAddress = admin@example.org 53 | commonName = "Example Inner Server Certificate" 54 | 55 | -------------------------------------------------------------------------------- /raddb/certs/server.cnf: -------------------------------------------------------------------------------- 1 | [ ca ] 2 | default_ca = CA_default 3 | 4 | [ CA_default ] 5 | dir = ./ 6 | certs = $dir 7 | crl_dir = $dir/crl 8 | database = $dir/index.txt 9 | new_certs_dir = $dir 10 | certificate = $dir/server.pem 11 | serial = $dir/serial 12 | crl = $dir/crl.pem 13 | private_key = $dir/server.key 14 | RANDFILE = $dir/.rand 15 | name_opt = ca_default 16 | cert_opt = ca_default 17 | default_days = 60 18 | default_crl_days = 30 19 | default_md = sha256 20 | preserve = no 21 | policy = policy_match 22 | 23 | [ policy_match ] 24 | countryName = match 25 | stateOrProvinceName = match 26 | organizationName = match 27 | organizationalUnitName = optional 28 | commonName = supplied 29 | emailAddress = optional 30 | 31 | [ policy_anything ] 32 | countryName = optional 33 | stateOrProvinceName = optional 34 | localityName = optional 35 | organizationName = optional 36 | organizationalUnitName = optional 37 | commonName = supplied 38 | emailAddress = optional 39 | 40 | [ req ] 41 | prompt = no 42 | distinguished_name = server 43 | default_bits = 2048 44 | input_password = whatever 45 | output_password = whatever 46 | 47 | [server] 48 | countryName = FR 49 | stateOrProvinceName = Radius 50 | localityName = Somewhere 51 | organizationName = Example Inc. 52 | emailAddress = admin@example.org 53 | commonName = "Example Server Certificate" 54 | 55 | -------------------------------------------------------------------------------- /raddb/certs/xpextensions: -------------------------------------------------------------------------------- 1 | # 2 | # File containing the OIDs required for Windows. 
3 | # 4 | # http://support.microsoft.com/kb/814394/en-us 5 | # 6 | [ xpclient_ext] 7 | extendedKeyUsage = 1.3.6.1.5.5.7.3.2 8 | crlDistributionPoints = URI:http://www.example.com/example_ca.crl 9 | 10 | [ xpserver_ext] 11 | extendedKeyUsage = 1.3.6.1.5.5.7.3.1 12 | crlDistributionPoints = URI:http://www.example.com/example_ca.crl 13 | 14 | # 15 | # Add this to the PKCS#7 keybag attributes holding the client's private key 16 | # for machine authentication. 17 | # 18 | # the presence of this OID tells Windows XP that the cert is intended 19 | # for use by the computer itself, and not by an end-user. 20 | # 21 | # The other solution is to use Microsoft's web certificate server 22 | # to generate these certs. 23 | # 24 | # 1.3.6.1.4.1.311.17.2 25 | -------------------------------------------------------------------------------- /raddb/dictionary: -------------------------------------------------------------------------------- 1 | # 2 | # This is the local dictionary file which can be 3 | # edited by local administrators. It will be loaded 4 | # AFTER the main dictionary files are loaded. 5 | # 6 | # As of version 3.0.2, FreeRADIUS will automatically 7 | # load the main dictionary files from 8 | # 9 | # ${prefix}/share/freeradius/dictionary 10 | # 11 | # It is no longer necessary for this file to $INCLUDE 12 | # the main dictionaries. However, if the $INCLUDE 13 | # line is here, nothing bad will happen. 14 | # 15 | # Any new/changed attributes MUST be placed in this file. 16 | # The pre-defined dictionaries SHOULD NOT be edited. 17 | # 18 | # See "man dictionary" for documentation on its format. 19 | # 20 | # $Id: eed5d70f41b314f9ed3f006a22d9f9a2be2c9516 $ 21 | # 22 | 23 | # 24 | # All local attributes and $INCLUDE's should go into 25 | # this file. 26 | # 27 | 28 | # If you want to add entries to the dictionary file, 29 | # which are NOT going to be placed in a RADIUS packet, 30 | # add them to the 'dictionary.local' file. 
31 | # 32 | # The numbers you pick should be between 3000 and 4000. 33 | # These attributes will NOT go into a RADIUS packet. 34 | # 35 | # If you want that, you will need to use VSAs. This means 36 | # requesting allocation of a Private Enterprise Code from 37 | # http://iana.org. We STRONGLY suggest doing that only if 38 | # you are a vendor of RADIUS equipment. 39 | # 40 | # See RFC 6158 for more details. 41 | # http://ietf.org/rfc/rfc6158.txt 42 | # 43 | 44 | # 45 | # These attributes are examples 46 | # 47 | #ATTRIBUTE My-Local-String 3000 string 48 | #ATTRIBUTE My-Local-IPAddr 3001 ipaddr 49 | #ATTRIBUTE My-Local-Integer 3002 integer 50 | -------------------------------------------------------------------------------- /raddb/experimental.conf: -------------------------------------------------------------------------------- 1 | # 2 | # This file contains the configuration for experimental modules. 3 | # 4 | # By default, it is NOT included in the build. 5 | # 6 | # $Id: 87d9744a4f0fa7b9b06b4908ddd6b7d2f1a7fd62 $ 7 | # 8 | 9 | # Configuration for the Python module. 10 | # 11 | # Where radiusd is a Python module, radiusd.py, and the 12 | # function 'authorize' is called. Here is a dummy piece 13 | # of code: 14 | # 15 | # def authorize(params): 16 | # print params 17 | # return (5, ('Reply-Message', 'banned')) 18 | # 19 | # The RADIUS value-pairs are passed as a tuple of tuple 20 | # pairs as the first argument, e.g. (('attribute1', 21 | # 'value1'), ('attribute2', 'value2')) 22 | # 23 | # The function return is a tuple with the first element 24 | # being the return value of the function. 25 | # The 5 corresponds to RLM_MODULE_USERLOCK. I plan to 26 | # write the return values as Python symbols to avoid 27 | # confusion. 28 | # 29 | # The remaining tuple members are the string form of 30 | # value-pairs which are passed on to pairmake(). 
31 | # 32 | python { 33 | mod_instantiate = radiusd_test 34 | func_instantiate = instantiate 35 | 36 | mod_authorize = radiusd_test 37 | func_authorize = authorize 38 | 39 | mod_accounting = radiusd_test 40 | func_accounting = accounting 41 | 42 | mod_pre_proxy = radiusd_test 43 | func_pre_proxy = pre_proxy 44 | 45 | mod_post_proxy = radiusd_test 46 | func_post_proxy = post_proxy 47 | 48 | mod_post_auth = radiusd_test 49 | func_post_auth = post_auth 50 | 51 | mod_recv_coa = radiusd_test 52 | func_recv_coa = recv_coa 53 | 54 | mod_send_coa = radiusd_test 55 | func_send_coa = send_coa 56 | 57 | mod_detach = radiusd_test 58 | func_detach = detach 59 | } 60 | 61 | 62 | # Configuration for the example module. Uncommenting it will cause it 63 | # to get loaded and initialised, but should have no real effect as long 64 | # as it is not referenced in one of the autz/auth/preacct/acct sections 65 | example { 66 | # Boolean variable. 67 | # allowed values: {no, yes} 68 | boolean = yes 69 | 70 | # An integer, of any value. 71 | integer = 16 72 | 73 | # A string. 74 | string = "This is an example configuration string" 75 | 76 | # An IP address, either in dotted quad (1.2.3.4) or hostname 77 | # (example.com) 78 | ipaddr = 127.0.0.1 79 | 80 | # A subsection 81 | mysubsection { 82 | anotherinteger = 1000 83 | # They nest 84 | deeply nested { 85 | string = "This is a different string" 86 | } 87 | } 88 | } 89 | 90 | # 91 | # To create a dbm users file, do: 92 | # 93 | # cat test.users | rlm_dbm_parser -f /etc/raddb/users_db 94 | # 95 | # Then add 'dbm' in the 'authorize' section. 96 | # 97 | # Note that even if the file has a ".db" or ".dbm" extension, 98 | # you may have to specify it here without that extension. This 99 | # is because the DBM libraries "helpfully" add a ".db" to the 100 | # filename, but don't check if it's already there. 
101 | # 102 | dbm { 103 | usersfile = ${confdir}/users_db 104 | } 105 | 106 | # Instantiate a couple instances of the idn module 107 | idn { 108 | } 109 | 110 | # ...more commonly known as... 111 | idn idna { 112 | } 113 | 114 | idn idna_lenient { 115 | UseSTD3ASCIIRules = no 116 | } 117 | -------------------------------------------------------------------------------- /raddb/hints: -------------------------------------------------------------------------------- 1 | ./mods-config/preprocess/hints -------------------------------------------------------------------------------- /raddb/huntgroups: -------------------------------------------------------------------------------- 1 | ./mods-config/preprocess/huntgroups -------------------------------------------------------------------------------- /raddb/mods-available/README.rst: -------------------------------------------------------------------------------- 1 | Modules in Version 3 2 | ==================== 3 | 4 | As of Version 3, all of the modules have been placed in the 5 | "mods-available/" directory. This practice follows that used by other 6 | servers such as Nginx, Apache, etc. The "modules" directory should 7 | not be used. 8 | 9 | Modules are enabled by creating a file in the mods-enabled/ directory. 10 | You can also create a soft-link from one directory to another:: 11 | 12 | $ cd raddb/mods-enabled 13 | $ ln -s ../mods-available/foo 14 | 15 | This will enable module "foo". Be sure that you have configured the 16 | module correctly before enabling it, otherwise the server will not 17 | start. You can verify the server configuration by running 18 | "radiusd -XC". 19 | 20 | A large number of modules are enabled by default. This allows the 21 | server to work with the largest number of authentication protocols. 22 | Please be careful when disabling modules. You will likely need to 23 | edit the "sites-enabled/" files to remove references to any disabled 24 | modules. 
25 | 26 | Conditional Modules 27 | ------------------- 28 | 29 | Version 3 allows modules to be conditionally loaded. This is useful 30 | when you want to have a virtual server which references a module, but 31 | does not require it. Instead of editing the virtual server file, you 32 | can just conditionally enable the module. 33 | 34 | Modules are conditionally enabled by adding a "-" before their name in 35 | a virtual server. For example, you can do:: 36 | 37 | server { 38 | authorize { 39 | ... 40 | ldap 41 | -sql 42 | ... 43 | } 44 | } 45 | 46 | This says "require the LDAP module, but use the SQL module only if it 47 | is configured." 48 | 49 | This feature is not very useful for production configurations. It is, 50 | however, very useful for the default examples that ship with the 51 | server. 52 | 53 | Ignoring module 54 | --------------- 55 | 56 | If you see this message:: 57 | 58 | Ignoring module (see raddb/mods-available/README.rst) 59 | 60 | Then you are in the right place. Most of the time this message can be 61 | ignored. The message can be fixed by finding the references to "-module" 62 | in the virtual server, and deleting them. 63 | 64 | Another way to fix it is to configure the module, as described above. 65 | 66 | Simplification 67 | -------------- 68 | 69 | Allowing conditional modules simplifies the default virtual servers 70 | that are shipped with FreeRADIUS. This means that if you want to 71 | enable LDAP (for example), you no longer need to edit the files in 72 | raddb/sites-available/ in order to enable it. 73 | 74 | Instead, you should edit the raddb/mods-available/ldap file to point 75 | to your local LDAP server. Then, enable the module via the soft-link 76 | method described above. 77 | 78 | Once the module is enabled, it will automatically be used in the 79 | default configuration. 
80 | -------------------------------------------------------------------------------- /raddb/mods-available/abfab_psk_sql: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | ## 3 | ## Module for PSK authorizations from ABFAB trust router 4 | ## 5 | ## $Id: d75130da8a9faeb9712619bf49e68afadc30b73a $ 6 | 7 | sql psksql { 8 | 9 | driver = "rlm_sql_sqlite" 10 | 11 | sqlite { 12 | filename = "/var/lib/trust_router/keys" 13 | } 14 | 15 | } 16 | -------------------------------------------------------------------------------- /raddb/mods-available/always: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: de3f13089d8951f4c822ebc4007df58e0487de14 $ 4 | 5 | # 6 | # The "always" module is here for debugging purposes, or 7 | # for use in complex policies. 8 | # Instance simply returns the same result, always, without 9 | # doing anything. 10 | # 11 | # rcode may be one of the following values: 12 | # - reject - Reject the user. 13 | # - fail - Simulate or indicate a failure. 14 | # - ok - Simulate or indicate a success. 15 | # - handled - Indicate that the request has been handled, 16 | # stop processing, and send response if set. 17 | # - invalid - Indicate that the request is invalid. 18 | # - userlock - Indicate that the user account has been 19 | # locked out. 20 | # - notfound - Indicate that a user account can't be found. 21 | # - noop - Simulate a no-op. 22 | # - updated - Indicate that the request has been updated. 23 | # 24 | # If an instance is listed in a session {} section, 25 | # this simulates a user having sessions. 26 | # 27 | # simulcount = 28 | # 29 | # If an instance is listed in a session {} section, 30 | # this simulates the user having multilink 31 | # sessions. 
32 | # 33 | # mpp = 34 | # 35 | always reject { 36 | rcode = reject 37 | } 38 | always fail { 39 | rcode = fail 40 | } 41 | always ok { 42 | rcode = ok 43 | } 44 | always handled { 45 | rcode = handled 46 | } 47 | always invalid { 48 | rcode = invalid 49 | } 50 | always userlock { 51 | rcode = userlock 52 | } 53 | always notfound { 54 | rcode = notfound 55 | } 56 | always noop { 57 | rcode = noop 58 | } 59 | always updated { 60 | rcode = updated 61 | } 62 | -------------------------------------------------------------------------------- /raddb/mods-available/attr_filter: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 1caff077b2429c948a04777fcd619be901ac83dc $ 4 | 5 | # 6 | # This file defines a number of instances of the "attr_filter" module. 7 | # 8 | 9 | # attr_filter - filters the attributes received in replies from 10 | # proxied servers, to make sure we send back to our RADIUS client 11 | # only allowed attributes. 12 | attr_filter attr_filter.post-proxy { 13 | key = "%{Realm}" 14 | filename = ${modconfdir}/${.:name}/post-proxy 15 | } 16 | 17 | # attr_filter - filters the attributes in the packets we send to 18 | # the RADIUS home servers. 19 | attr_filter attr_filter.pre-proxy { 20 | key = "%{Realm}" 21 | filename = ${modconfdir}/${.:name}/pre-proxy 22 | } 23 | 24 | # Enforce RFC requirements on the contents of Access-Reject 25 | # packets. See the comments at the top of the file for 26 | # more details. 27 | # 28 | attr_filter attr_filter.access_reject { 29 | key = "%{User-Name}" 30 | filename = ${modconfdir}/${.:name}/access_reject 31 | } 32 | 33 | # Enforce RFC requirements on the contents of Access-Challenge 34 | # packets. See the comments at the top of the file for 35 | # more details. 
36 | # 37 | attr_filter attr_filter.access_challenge { 38 | key = "%{User-Name}" 39 | filename = ${modconfdir}/${.:name}/access_challenge 40 | } 41 | 42 | 43 | # Enforce RFC requirements on the contents of the 44 | # Accounting-Response packets. See the comments at the 45 | # top of the file for more details. 46 | # 47 | attr_filter attr_filter.accounting_response { 48 | key = "%{User-Name}" 49 | filename = ${modconfdir}/${.:name}/accounting_response 50 | } 51 | -------------------------------------------------------------------------------- /raddb/mods-available/cache_eap: -------------------------------------------------------------------------------- 1 | # 2 | # Cache EAP responses for resiliency on intermediary proxy fail-over 3 | # 4 | cache cache_eap { 5 | key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" 6 | 7 | ttl = 15 8 | 9 | update reply { 10 | reply: += &reply: 11 | &control:State := &request:State 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /raddb/mods-available/chap: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: e2a3cd3b110ffffdbcff86c7fc65a9275ddc3379 $ 4 | 5 | # CHAP module 6 | # 7 | # To authenticate requests containing a CHAP-Password attribute. 8 | # 9 | chap { 10 | # no configuration 11 | } 12 | -------------------------------------------------------------------------------- /raddb/mods-available/counter: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: a5ac1e60ef117a2c59ace1a9d061d8f70d1da538 $ 4 | 5 | # counter module: 6 | # This module takes an attribute (count-attribute). 7 | # It also takes a key, and creates a counter for each unique 8 | # key. The count is incremented when accounting packets are 9 | # received by the server. The value of the increment depends 10 | # on the attribute type. 
11 | # If the attribute is Acct-Session-Time or of an integer type we add 12 | # the value of the attribute. If it is anything else we increase the 13 | # counter by one. 14 | # 15 | # The 'reset' parameter defines when the counters are all reset to 16 | # zero. It can be hourly, daily, weekly, monthly or never. 17 | # 18 | # hourly: Reset on 00:00 of every hour 19 | # daily: Reset on 00:00:00 every day 20 | # weekly: Reset on 00:00:00 on Sunday 21 | # monthly: Reset on 00:00:00 of the first day of each month 22 | # 23 | # It can also be user defined. It should be of the form: 24 | # num[hdwm] where: 25 | # h: hours, d: days, w: weeks, m: months 26 | # If the letter is omitted, days are assumed. For example: 27 | # reset = 10h (reset every 10 hours) 28 | # reset = 12 (reset every 12 days) 29 | # 30 | # 31 | # The check_name attribute defines an attribute which will be 32 | # registered by the counter module and can be used to set the 33 | # maximum allowed value for the counter after which the user 34 | # is rejected. 35 | # Something like: 36 | # 37 | # DEFAULT Max-Daily-Session := 36000 38 | # Fall-Through = 1 39 | # 40 | # You should add the counter module in the instantiate 41 | # section so that it registers check_name before the files 42 | # module reads the users file. 43 | # 44 | # If check_name is set and the user is to be rejected then we 45 | # send back a Reply-Message and we log a Failure-Message in 46 | # the radius.log 47 | # 48 | # If the count attribute is Acct-Session-Time then on each 49 | # login we send back the remaining online time as a 50 | # Session-Timeout attribute. Otherwise, if the reply_name is 51 | # set, we send back that attribute. The reply_name attribute 52 | # MUST be of an integer type. 
53 | # 54 | # The counter_name attribute can also be used instead of check_name, 55 | # as below: 56 | # 57 | # DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject 58 | # Reply-Message = "You've used up more than one hour today" 59 | # 60 | # The allowed_service_type attribute can be used to only take 61 | # into account specific sessions. For example if a user first 62 | # logs in through a login menu and then selects ppp there will 63 | # be two sessions. One for Login-User and one for Framed-User 64 | # service type. We only need to take into account the second one. 65 | # 66 | # The module should be added in the instantiate, authorize and 67 | # accounting sections. Make sure that in the authorize 68 | # section it comes after any module which sets the 69 | # 'check_name' attribute. 70 | # 71 | counter daily { 72 | filename = ${db_dir}/db.daily 73 | key = User-Name 74 | count_attribute = Acct-Session-Time 75 | reset = daily 76 | counter_name = Daily-Session-Time 77 | check_name = Max-Daily-Session 78 | reply_name = Session-Timeout 79 | allowed_service_type = Framed-User 80 | cache_size = 5000 81 | } 82 | 83 | -------------------------------------------------------------------------------- /raddb/mods-available/cui: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: b72aa309bfc05c2443e4bb2db061b8f33de8e359 $ 4 | 5 | # 6 | # Write Chargeable-User-Identity to the database. 7 | # 8 | # Schema raddb/sql/cui/${dialect}/schema.sql 9 | # Queries raddb/sql/cui/${dialect}/queries.conf 10 | # 11 | sql cuisql { 12 | 13 | # The dialect of SQL you want to use, this should usually match 14 | # the driver below. 15 | # 16 | # If you're using rlm_sql_null, then it should be the type of 17 | # database the logged queries are going to be executed against. 18 | dialect = "sqlite" 19 | 20 | # The sub-module to use to execute queries. This should match 21 | # the database you're attempting to connect to. 
22 | # 23 | # There are CUI queries available for: 24 | # * rlm_sql_mysql 25 | # * rlm_sql_postgresql 26 | # * rlm_sql_sqlite 27 | # * rlm_sql_null (log queries to disk) 28 | # 29 | driver = "rlm_sql_${dialect}" 30 | 31 | sqlite { 32 | filename = ${radacctdir}/cui.sqlite 33 | bootstrap = ${modconfdir}/${..:name}/cui/sqlite/schema.sql 34 | } 35 | 36 | # Write CUI queries to a logfile. Useful for debugging. 37 | # logfile = ${logdir}/cuilog.sql 38 | 39 | pool { 40 | start = 5 41 | min = 4 42 | max = 10 43 | spare = 3 44 | uses = 0 45 | lifetime = 0 46 | idle_timeout = 60 47 | } 48 | 49 | cui_table = "cui" 50 | sql_user_name = "%{User-Name}" 51 | 52 | $INCLUDE ${modconfdir}/${.:name}/cui/${dialect}/queries.conf 53 | } 54 | -------------------------------------------------------------------------------- /raddb/mods-available/date: -------------------------------------------------------------------------------- 1 | # 2 | # Registers xlat to convert between time formats. 3 | # 4 | # xlat input string is an attribute name. If this attribute is of date 5 | # or integer type, the date xlat will convert it to a time string in 6 | # the format of the format config item. 7 | # 8 | # If the attribute is a string type, date will attempt to parse it in 9 | # the format specified by the format config item, and will expand 10 | # to a Unix timestamp. 11 | # 12 | date { 13 | format = "%b %e %Y %H:%M:%S %Z" 14 | 15 | # Use UTC instead of local time. 16 | # 17 | # default = no 18 | # utc = yes 19 | } 20 | 21 | # 22 | # The WISPr-Session-Terminate-Time attribute is of type "string", 23 | # and not "date". Use this expansion to create an attribute 24 | # that holds an actual date: 25 | # 26 | # Tmp-Date-0 := "%{wispr2date:&reply:WISPr-Session-Terminate-Time}" 27 | # 28 | date wispr2date { 29 | format = "%Y-%m-%dT%H:%M:%S" 30 | 31 | # Use UTC instead of local time. 
32 | # 33 | # default = no 34 | # utc = yes 35 | } 36 | -------------------------------------------------------------------------------- /raddb/mods-available/detail: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: e91e12d0b4de8f3cb084c179b321924d0248cfbb $ 4 | 5 | # Write a detailed log of all accounting records received. 6 | # 7 | detail { 8 | # Note that we do NOT use NAS-IP-Address here, as 9 | # that attribute MAY BE from the originating NAS, and 10 | # NOT from the proxy which actually sent us the 11 | # request. 12 | # 13 | # The following line creates a new detail file for 14 | # every radius client (by IP address or hostname). 15 | # In addition, a new detail file is created every 16 | # day, so that the detail file doesn't have to go 17 | # through a 'log rotation'. 18 | # 19 | # If your detail files are large, you may also want to add 20 | # a ':%H' (see doc/configuration/variables.rst) to the end 21 | # of it, to create a new detail file every hour, e.g.: 22 | # 23 | # ..../detail-%Y%m%d:%H 24 | # 25 | # This will create a new detail file for every hour. 26 | # 27 | # If you are reading detail files via the "listen" section 28 | # (e.g. as in raddb/sites-available/robust-proxy-accounting), 29 | # you MUST use a unique directory for each combination of a 30 | # detail file writer, and reader. That is, there can only 31 | # be ONE "listen" section reading detail files from a 32 | # particular directory. 33 | # 34 | filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d 35 | 36 | # 37 | # If you are using radrelay, delete the above "filename" line, 38 | # and use this one instead: 39 | # 40 | # filename = ${radacctdir}/detail 41 | 42 | # 43 | # Most file systems can handle nearly the full range of UTF-8 44 | # characters. Ones that can deal with a limited range should 45 | # set this to "yes". 
46 | # 47 | escape_filenames = no 48 | 49 | # 50 | # The Unix-style permissions on the 'detail' file. 51 | # 52 | # The detail file often contains secret or private 53 | # information about users. So by keeping the file 54 | # permissions restrictive, we can prevent unwanted 55 | # people from seeing that information. 56 | permissions = 0600 57 | 58 | # The Unix group of the log file. 59 | # 60 | # The user that the server runs as must be in the specified 61 | # system group otherwise this will fail to work. 62 | # 63 | # group = ${security.group} 64 | 65 | # 66 | # Every entry in the detail file has a header which 67 | # is a timestamp. By default, we use the ctime 68 | # format (see "man ctime" for details). 69 | # 70 | # The header can be customised by editing this 71 | # string. See "doc/configuration/variables.rst" for a 72 | # description of what can be put here. 73 | # 74 | header = "%t" 75 | 76 | # 77 | # Uncomment this line if the detail file reader will be 78 | # reading this detail file. 79 | # 80 | # locking = yes 81 | 82 | # 83 | # Log the Packet src/dst IP/port. This is disabled by 84 | # default, as that information isn't used by many people. 85 | # 86 | # log_packet_header = yes 87 | 88 | # 89 | # Certain attributes such as User-Password may be 90 | # "sensitive", so they should not be printed in the 91 | # detail file. This section lists the attributes 92 | # that should be suppressed. 93 | # 94 | # The attributes should be listed one to a line. 
95 | # 96 | #suppress { 97 | # User-Password 98 | #} 99 | 100 | } 101 | -------------------------------------------------------------------------------- /raddb/mods-available/detail.example.com: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # Detail file writer, used in the following examples: 4 | # 5 | # raddb/sites-available/robust-proxy-accounting 6 | # raddb/sites-available/decoupled-accounting 7 | # 8 | # Note that this module can write detail files that are read by 9 | # only ONE "listen" section. If you use BOTH of the examples 10 | # above, you will need to define TWO "detail" modules. 11 | # 12 | # e.g. detail1.example.com && detail2.example.com 13 | # 14 | # 15 | # We write *multiple* detail files here. They will be processed by 16 | # the detail "listen" section in the order that they were created. 17 | # The directory containing these files should NOT be used for any 18 | # other purposes. i.e. It should have NO other files in it. 19 | # 20 | # Writing multiple detail enables the server to process the pieces 21 | # in smaller chunks. This helps in certain catastrophic corner cases. 22 | # 23 | # $Id: 827cdf57e70dc2ff2252016194f4bb846eecead2 $ 24 | # 25 | detail detail.example.com { 26 | filename = ${radacctdir}/detail.example.com/detail-%Y%m%d:%H:%G 27 | } 28 | -------------------------------------------------------------------------------- /raddb/mods-available/detail.log: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: b91cf7cb24744ee96e390aa4d7bd5f3ad4c0c0ee $ 4 | 5 | # 6 | # More examples of doing detail logs. 7 | 8 | # 9 | # Many people want to log authentication requests. 10 | # Rather than modifying the server core to print out more 11 | # messages, we can use a different instance of the 'detail' 12 | # module, to log the authentication requests to a file. 
13 | # 14 | # You will also need to un-comment the 'auth_log' line 15 | # in the 'authorize' section, below. 16 | # 17 | detail auth_log { 18 | filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d 19 | 20 | # 21 | # This MUST be 0600, otherwise anyone can read 22 | # the users passwords! 23 | permissions = 0600 24 | 25 | # You may also strip out passwords completely 26 | suppress { 27 | User-Password 28 | } 29 | } 30 | 31 | # 32 | # This module logs authentication reply packets sent 33 | # to a NAS. Both Access-Accept and Access-Reject packets 34 | # are logged. 35 | # 36 | # You will also need to un-comment the 'reply_log' line 37 | # in the 'post-auth' section, below. 38 | # 39 | detail reply_log { 40 | filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d 41 | 42 | permissions = 0600 43 | } 44 | 45 | # 46 | # This module logs packets proxied to a home server. 47 | # 48 | # You will also need to un-comment the 'pre_proxy_log' line 49 | # in the 'pre-proxy' section, below. 50 | # 51 | detail pre_proxy_log { 52 | filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d 53 | 54 | # 55 | # This MUST be 0600, otherwise anyone can read 56 | # the users passwords! 57 | permissions = 0600 58 | 59 | # You may also strip out passwords completely 60 | #suppress { 61 | # User-Password 62 | #} 63 | } 64 | 65 | # 66 | # This module logs response packets from a home server. 67 | # 68 | # You will also need to un-comment the 'post_proxy_log' line 69 | # in the 'post-proxy' section, below. 
70 | # 71 | detail post_proxy_log { 72 | filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d 73 | 74 | permissions = 0600 75 | } 76 | -------------------------------------------------------------------------------- /raddb/mods-available/dhcp: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: a4316335d7f73b37ec5aa9278de91d37dd28eddc $ 4 | 5 | # 6 | # This module is useful only for 'xlat'. To use it, 7 | # put 'dhcp' into the 'instantiate' section. 8 | # 9 | # %{dhcp_options:} may be used to decode 10 | # DHCP options data included in RADIUS packets by vendors 11 | # of DHCP to RADIUS gateways. 12 | # 13 | # This is known to work with the following VSAs: 14 | # * Juniper - ERX-Dhcp-Options 15 | # * Alcatel lucent SR - Alc-ToServer-Dhcp-Options 16 | # - Alc-ToClient-Dhcp-Options 17 | # 18 | dhcp { 19 | } 20 | -------------------------------------------------------------------------------- /raddb/mods-available/dhcp_sqlippool: -------------------------------------------------------------------------------- 1 | # Configuration for DHCP to use SQL IP Pools. 2 | # 3 | # See raddb/mods-available/sqlippool for common configuration explanation 4 | # 5 | # See raddb/policy.d/dhcp_sqlippool for the "glue" code that allows 6 | # the RADIUS based "sqlippool" module to be used for DHCP. 7 | # 8 | # See raddb/mods-config/sql/ippool/ for the schemas. 9 | # 10 | # See raddb/sites-available/dhcp for instructions on how to configure 11 | # the DHCP server. 
12 | # 13 | # $Id: ee0d3d56db3447083a1d7768e28a30cb76aba53a $ 14 | 15 | sqlippool dhcp_sqlippool { 16 | sql_module_instance = "sql" 17 | 18 | ippool_table = "radippool" 19 | 20 | # Name of the check item attribute to be used as a key in the SQL queries 21 | pool_name = "Pool-Name" 22 | 23 | lease_duration = 7200 24 | 25 | # Client's MAC address is mapped to Calling-Station-Id in policy.conf 26 | pool_key = "%{Calling-Station-Id}" 27 | 28 | # For now, it works with MySQL. 29 | $INCLUDE ${modconfdir}/sql/ippool-dhcp/mysql/queries.conf 30 | 31 | # It may also work with sqlite - this is very experimental. 32 | # Comment out the above line and add the following include. 33 | # To use sqlite you need to add '%' to safe_characters in 34 | # raddb/mods-config/sql/main/sqlite/queries.conf. 35 | # $INCLUDE ${modconfdir}/sql/ippool-dhcp/sqlite/queries.conf 36 | 37 | sqlippool_log_exists = "DHCP: Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" 38 | 39 | sqlippool_log_success = "DHCP: Allocated IP: %{reply:Framed-IP-Address} from %{control:${..pool_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" 40 | 41 | sqlippool_log_clear = "DHCP: Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})" 42 | 43 | sqlippool_log_failed = "DHCP: IP Allocation FAILED from %{control:${..pool_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" 44 | 45 | sqlippool_log_nopool = "DHCP: No ${..pool_name} defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" 46 | 47 | } 48 | -------------------------------------------------------------------------------- /raddb/mods-available/digest: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: f0aa9edf9da33d63fe03e7d1ed3cbca848eec54d $ 4 
| 5 | # 6 | # The 'digest' module currently has no configuration. 7 | # 8 | # "Digest" authentication against a Cisco SIP server. 9 | # See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details 10 | # on performing digest authentication for Cisco SIP servers. 11 | # 12 | digest { 13 | } 14 | -------------------------------------------------------------------------------- /raddb/mods-available/dynamic_clients: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: cc2bd5fd22aa473b98af5dde3fac7a66e39a9e9d $ 4 | 5 | # This module loads RADIUS clients as needed, rather than when the server 6 | # starts. 7 | # 8 | # There are no configuration entries for this module. Instead, it 9 | # relies on the "client" configuration. You must: 10 | # 11 | # 1) link raddb/sites-enabled/dynamic_clients to 12 | # raddb/sites-available/dynamic_clients 13 | # 14 | # 2) Define a client network/mask (see top of the above file) 15 | # 16 | # 3) uncomment the "directory" entry in that client definition 17 | # 18 | # 4) list "dynamic_clients" in the "authorize" section of the 19 | # "dynamic_clients' virtual server. The default example already 20 | # does this. 21 | # 22 | # 5) put files into the above directory, one per IP. 23 | # e.g. file "192.0.2.1" should contain a normal client definition 24 | # for a client with IP address 192.0.2.1. 25 | # 26 | # For more documentation, see the file: 27 | # 28 | # raddb/sites-available/dynamic-clients 29 | # 30 | dynamic_clients { 31 | 32 | } 33 | -------------------------------------------------------------------------------- /raddb/mods-available/etc_group: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: f58b72f560ba067991d67295b546691bcd992d44 $ 4 | 5 | # "passwd" configuration, for the /etc/group file. Adds a Etc-Group-Name 6 | # attribute for every group that the user is member of. 
7 | # 8 | # You will have to define the Etc-Group-Name in the 'dictionary' file 9 | # as a 'string' type. 10 | # 11 | # The Group and Group-Name attributes are automatically created by 12 | # the Unix module, and do checking against /etc/group automatically. 13 | # This means that you CANNOT use Group or Group-Name to do any other 14 | # kind of grouping in the server. You MUST define a new group 15 | # attribute. 16 | # 17 | # i.e. this module should NOT be used as-is, but should be edited to 18 | # point to a different group file. 19 | # 20 | passwd etc_group { 21 | filename = /etc/group 22 | format = "=Etc-Group-Name:::*,User-Name" 23 | hash_size = 50 24 | ignore_nislike = yes 25 | allow_multiple_keys = yes 26 | delimiter = ":" 27 | } 28 | 29 | -------------------------------------------------------------------------------- /raddb/mods-available/exec: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: bb1d4374b741a7bfcdfc098fc57af650509ceae2 $ 4 | 5 | # 6 | # Execute external programs 7 | # 8 | # This module is useful only for 'xlat'. To use it, 9 | # put 'exec' into the 'instantiate' section. You can then 10 | # do dynamic translation of attributes like: 11 | # 12 | # Attribute-Name = `%{exec:/path/to/program args}` 13 | # 14 | # The value of the attribute will be replaced with the output 15 | # of the program which is executed. Due to RADIUS protocol 16 | # limitations, any output over 253 bytes will be ignored. 17 | # 18 | # The RADIUS attributes from the user request will be placed 19 | # into environment variables of the executed program, as 20 | # described in "man unlang" and in doc/configuration/variables.rst 21 | # 22 | # See also "echo" for more sample configuration. 
23 | # 24 | exec { 25 | wait = no 26 | input_pairs = request 27 | shell_escape = yes 28 | timeout = 10 29 | } 30 | -------------------------------------------------------------------------------- /raddb/mods-available/expiration: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 5d06454d0a8ccce7f50ddf7b01ba01c4ace6560a $ 4 | 5 | # 6 | # The expiration module. This handles the Expiration attribute 7 | # It should be included in the *end* of the authorize section 8 | # in order to handle user Expiration. It should also be included 9 | # in the instantiate section in order to register the Expiration 10 | # compare function 11 | # 12 | expiration { 13 | } 14 | -------------------------------------------------------------------------------- /raddb/mods-available/files: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: e3f3bf568d92eba8eb17bbad590f846f2d9e1ac8 $ 4 | 5 | # Livingston-style 'users' file 6 | # 7 | # See "man users" for more information. 8 | # 9 | files { 10 | # Search for files in a subdirectory of mods-config which 11 | # matches this instance of the files module. 12 | moddir = ${modconfdir}/${.:instance} 13 | 14 | # The default key attribute to use for matches. The content 15 | # of this attribute is used to match the "name" of the 16 | # entry. 17 | #key = "%{%{Stripped-User-Name}:-%{User-Name}}" 18 | 19 | # The old "users" style file is now located here. 20 | filename = ${moddir}/authorize 21 | 22 | # This is accepted for backwards compatibility 23 | # It will be removed in a future release. 24 | # usersfile = ${moddir}/authorize 25 | 26 | # These are accepted for backwards compatibility. 27 | # They will be renamed in a future release. 
28 | acctusersfile = ${moddir}/accounting 29 | preproxy_usersfile = ${moddir}/pre-proxy 30 | } 31 | -------------------------------------------------------------------------------- /raddb/mods-available/idn: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 534054077d52a7bb0bf8e02c1e861e5c86b76df9 $ 4 | 5 | # 6 | # Internationalised domain names. 7 | # 8 | 9 | # The expansion string: %{idn: example.com} results in an ASCII 10 | # punycode version of the domain name. That version can then be used 11 | # for name comparisons. Using an i18n version of the name is NOT 12 | # RECOMMENDED, as that version is not canonical. 13 | # 14 | # i.e. the "same" domain name can be represented in many, many, 15 | # different ways. Only the idn version has *one* representation. 16 | # 17 | idn { 18 | # 19 | # Allow use of unassigned Unicode code points. 20 | # 21 | allow_unassigned = no 22 | 23 | # 24 | # Prohibit underscores and other invalid characters in domain 25 | # names. 26 | use_std3_ascii_rules = yes 27 | 28 | } -------------------------------------------------------------------------------- /raddb/mods-available/inner-eap: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 576eb7739ebf18ca6323cb740a7d4278ff6d6ea2 $ 4 | 5 | # 6 | # Sample configuration for an EAP module that occurs *inside* 7 | # of a tunneled method. It is used to limit the EAP types that 8 | # can occur inside of the inner tunnel. 9 | # 10 | # See also raddb/sites-available/inner-tunnel 11 | # 12 | # See raddb/mods-available/eap for full documentation on the meaning of these 13 | # configuration entries. 14 | # 15 | eap inner-eap { 16 | # This is the best choice for PEAP. 
17 | default_eap_type = mschapv2 18 | 19 | timer_expire = 60 20 | 21 | # This should be the same as the outer eap "max sessions" 22 | max_sessions = 2048 23 | 24 | # Supported EAP-types 25 | md5 { 26 | } 27 | 28 | gtc { 29 | # The default challenge, which many clients 30 | # ignore.. 31 | #challenge = "Password: " 32 | 33 | auth_type = PAP 34 | } 35 | 36 | mschapv2 { 37 | # See eap for documentation 38 | # send_error = no 39 | } 40 | 41 | # No TTLS or PEAP configuration should be listed here. 42 | 43 | ## EAP-TLS 44 | # 45 | # You SHOULD use different certificates than are used 46 | # for the outer EAP configuration! 47 | # 48 | # You can create the "inner-server.pem" file by doing: 49 | # 50 | # cd raddb/certs 51 | # vi inner-server.cnf 52 | # make inner-server 53 | # 54 | # The certificate MUST be different from the "server.cnf" 55 | # file. 56 | # 57 | # Support for PEAP/TLS and RFC 5176 TLS/TLS is experimental. 58 | # It might work, or it might not. 59 | # 60 | tls { 61 | private_key_password = whatever 62 | private_key_file = ${certdir}/inner-server.pem 63 | 64 | # If Private key & Certificate are located in 65 | # the same file, then private_key_file & 66 | # certificate_file must contain the same file 67 | # name. 68 | # 69 | # If ca_file (below) is not used, then the 70 | # certificate_file below MUST include not 71 | # only the server certificate, but ALSO all 72 | # of the CA certificates used to sign the 73 | # server certificate. 74 | certificate_file = ${certdir}/inner-server.pem 75 | 76 | # You may want different CAs for inner and outer 77 | # certificates. If so, edit this file. 78 | ca_file = ${cadir}/ca.pem 79 | 80 | cipher_list = "DEFAULT" 81 | 82 | # You may want to set a very small fragment size. 83 | # The TLS data here needs to go inside of the 84 | # outer EAP-TLS protocol. 85 | # 86 | # Try values and see if they work... 
87 | # fragment_size = 1024 88 | 89 | # Other needful things 90 | dh_file = ${certdir}/dh 91 | random_file = /dev/urandom 92 | 93 | # CRL and OCSP things go here. See the main "eap" 94 | # file for details. 95 | # check_crl = yes 96 | # ca_path = /path/to/directory/with/ca_certs/and/crls/ 97 | 98 | # Accept an expired Certificate Revocation List 99 | # 100 | # allow_expired_crl = no 101 | 102 | # 103 | # The session resumption / fast re-authentication 104 | # cache CANNOT be used for inner sessions. 105 | # 106 | } 107 | } 108 | -------------------------------------------------------------------------------- /raddb/mods-available/ippool: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 1d3305ba45ec71336f55f8f1db05f183772e1b82 $ 4 | 5 | # Do server side ip pool management. Should be added in 6 | # post-auth and accounting sections. 7 | # 8 | # The module also requires the existence of the Pool-Name 9 | # attribute. That way the administrator can add the Pool-Name 10 | # attribute in the user profiles and use different pools for 11 | # different users. The Pool-Name attribute is a *check* item 12 | # not a reply item. 13 | # 14 | # The Pool-Name should be set to the ippool module instance 15 | # name or to DEFAULT to match any module. 16 | 17 | # 18 | # Example: 19 | # radiusd.conf: ippool students { [...] } 20 | # ippool teachers { [...] } 21 | # users file : DEFAULT Group == students, Pool-Name := "students" 22 | # DEFAULT Group == teachers, Pool-Name := "teachers" 23 | # DEFAULT Group == other, Pool-Name := "DEFAULT" 24 | # 25 | # Note: If you change the range parameters you must then erase the 26 | # db files. 27 | # 28 | ippool main_pool { 29 | # The main db file used to allocate addresses. 30 | filename = ${db_dir}/db.ippool 31 | 32 | # The start and end ip addresses for this pool. 33 | range_start = 192.0.2.1 34 | range_stop = 192.0.2.254 35 | 36 | # The network mask used for this pool. 
37 | netmask = 255.255.255.0 38 | 39 | # The gdbm cache size for the db files. Should 40 | # be equal to the number of ip's available in 41 | # the ip pool 42 | cache_size = 800 43 | 44 | # Helper db index file used in multilink 45 | ip_index = ${db_dir}/db.ipindex 46 | 47 | # If set, the Framed-IP-Address already in the 48 | # reply (if any) will be discarded, and replaced 49 | # ith a Framed-IP-Address assigned here. 50 | override = no 51 | 52 | # Specifies the maximum time in seconds that an 53 | # entry may be active. If set to zero, means 54 | # "no timeout". The default value is 0 55 | maximum_timeout = 0 56 | 57 | # The key to use for the session database (which 58 | # holds the allocated ip's) normally it should 59 | # just be the nas ip/port (which is the default). 60 | # 61 | # If your NAS sends the same value of NAS-Port 62 | # all requests, the key should be based on some 63 | # other attribute that is in ALL requests, AND 64 | # is unique to each machine needing an IP address. 65 | # key = "%{NAS-IP-Address} %{NAS-Port}" 66 | } 67 | -------------------------------------------------------------------------------- /raddb/mods-available/krb5: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: c88b5fbb4b35cc4e61bfb93a616d891fb79ebc0c $ 4 | 5 | # 6 | # Kerberos. See doc/modules/rlm_krb5 for minimal docs. 7 | # 8 | krb5 { 9 | # 10 | # The keytab file MUST be owned by the UID/GID used by the server. 11 | # The keytab file MUST be writable by the server. 12 | # The keytab file MUST NOT be readable by other users on the system. 13 | # The keytab file MUST exist before the server is started. 14 | # 15 | keytab = ${localstatedir}/lib/radiusd/keytab 16 | service_principal = name_of_principle 17 | 18 | # Pool of krb5 contexts, this allows us to make the module multithreaded 19 | # and to avoid expensive operations like resolving and opening keytabs 20 | # on every request. 
It may also allow TCP connections to the KDC to be 21 | # cached if that is supported by the version of libkrb5 used. 22 | # 23 | # The context pool is only used if the underlying libkrb5 reported 24 | # that it was thread safe at compile time. 25 | # 26 | pool { 27 | # Connections to create during module instantiation. 28 | # If the server cannot create specified number of 29 | # connections during instantiation it will exit. 30 | # Set to 0 to allow the server to start without the 31 | # KDC being available. 32 | start = ${thread[pool].start_servers} 33 | 34 | # Minimum number of connections to keep open 35 | min = ${thread[pool].min_spare_servers} 36 | 37 | # Maximum number of connections 38 | # 39 | # If these connections are all in use and a new one 40 | # is requested, the request will NOT get a connection. 41 | # 42 | # Setting 'max' to LESS than the number of threads means 43 | # that some threads may starve, and you will see errors 44 | # like 'No connections available and at max connection limit' 45 | # 46 | # Setting 'max' to MORE than the number of threads means 47 | # that there are more connections than necessary. 48 | max = ${thread[pool].max_servers} 49 | 50 | # Spare connections to be left idle 51 | # 52 | # NOTE: Idle connections WILL be closed if "idle_timeout" 53 | # is set. This should be less than or equal to "max" above. 54 | spare = ${thread[pool].max_spare_servers} 55 | 56 | # Number of uses before the connection is closed 57 | # 58 | # 0 means "infinite" 59 | uses = 0 60 | 61 | # The lifetime (in seconds) of the connection 62 | # 63 | # NOTE: A setting of 0 means infinite (no limit). 64 | lifetime = 0 65 | 66 | # The idle timeout (in seconds). A connection which is 67 | # unused for this length of time will be closed. 68 | # 69 | # NOTE: A setting of 0 means infinite (no timeout). 70 | idle_timeout = 0 71 | 72 | # NOTE: All configuration settings are enforced. 
If a 73 | # connection is closed because of "idle_timeout", 74 | # "uses", or "lifetime", then the total number of 75 | # connections MAY fall below "min". When that 76 | # happens, it will open a new connection. It will 77 | # also log a WARNING message. 78 | # 79 | # The solution is to either lower the "min" connections, 80 | # or increase lifetime/idle_timeout. 81 | } 82 | } 83 | -------------------------------------------------------------------------------- /raddb/mods-available/logintime: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 25344527759d22b49b5e990fd83f0e506442fa76 $ 4 | 5 | # The logintime module. This handles the Login-Time, 6 | # Current-Time, and Time-Of-Day attributes. It should be 7 | # included in the *end* of the authorize section in order to 8 | # handle Login-Time checks. It should also be included in the 9 | # instantiate section in order to register the Current-Time 10 | # and Time-Of-Day comparison functions. 11 | # 12 | # When the Login-Time attribute is set to some value, and the 13 | # user has been permitted to log in, a Session-Timeout is 14 | # calculated based on the remaining time. See "doc/README". 15 | # 16 | logintime { 17 | # The minimum timeout (in seconds) a user is allowed 18 | # to have. If the calculated timeout is lower we don't 19 | # allow the login. Some NAS do not handle values 20 | # lower than 60 seconds well. 21 | minimum_timeout = 60 22 | } 23 | 24 | -------------------------------------------------------------------------------- /raddb/mods-available/mac2ip: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: a4ead1d64e8220344b483718ece4712bef5e9e36 $ 4 | 5 | ###################################################################### 6 | # 7 | # This next section is a sample configuration for the "passwd" 8 | # module, that reads flat-text files. 
The file is in the format MAC-address,IP-address, for example:
18 | dialect = "sqlite" 19 | 20 | # The sub-module to use to execute queries. This should match 21 | # the database you're attempting to connect to. 22 | # 23 | # There are MSTID queries available for: 24 | # * rlm_sql_mysql 25 | # * rlm_sql_postgresql 26 | # * rlm_sql_sqlite 27 | # * rlm_sql_null (log queries to disk) 28 | # 29 | driver = "rlm_sql_${dialect}" 30 | 31 | sqlite { 32 | filename = ${radacctdir}/moonshot-targeted-ids.sqlite 33 | bootstrap = ${modconfdir}/${..:name}/moonshot-targeted-ids/sqlite/schema.sql 34 | } 35 | 36 | # Write MSTID queries to a logfile. Useful for debugging. 37 | # logfile = ${logdir}/moonshot-targeted-id-log.sql 38 | 39 | pool { 40 | start = 5 41 | min = 4 42 | max = 10 43 | spare = 3 44 | uses = 0 45 | lifetime = 0 46 | idle_timeout = 60 47 | } 48 | 49 | # If you adjust the table name here, you must also modify the table name in 50 | # the moonshot_get_targeted_id.post-auth policy in policy.d/moonshot-targeted-ids 51 | # and the schema.sql files in the mods-config/sql/moonshot-targeted-ids tree. 52 | # 53 | moonshot_tid_table = "moonshot_targeted_ids" 54 | sql_user_name = "%{User-Name}" 55 | 56 | $INCLUDE ${modconfdir}/${.:name}/moonshot-targeted-ids/${dialect}/queries.conf 57 | } 58 | -------------------------------------------------------------------------------- /raddb/mods-available/ntlm_auth: -------------------------------------------------------------------------------- 1 | # 2 | # For testing ntlm_auth authentication with PAP. 3 | # 4 | # If you have problems with authentication failing, even when the 5 | # password is good, it may be a bug in Samba: 6 | # 7 | # https://bugzilla.samba.org/show_bug.cgi?id=6563 8 | # 9 | # Depending on the AD / Samba configuration, you may also need to add: 10 | # 11 | # --allow-mschapv2 12 | # 13 | # to the list of command-line options. 
14 | # 15 | exec ntlm_auth { 16 | wait = yes 17 | program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" 18 | } 19 | -------------------------------------------------------------------------------- /raddb/mods-available/opendirectory: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 443d74dc08f19ddb59ea342f756c90066623e1c6 $ 4 | 5 | # This module is only used when the server is running on the same 6 | # system as OpenDirectory. The configuration of the module is hard-coded 7 | # by Apple, and cannot be changed here. 8 | # 9 | # There are no configuration entries for this module. 10 | # 11 | # The MS-CHAP module will automatically talk to OpenDirectory, if the 12 | # server is built on an OSX machine. However, you must also set 13 | # dsAttrTypeNative:apple-enabled-auth-mech attribute in the 14 | # /config/dirserv OpenDirectory record. You will probably also need 15 | # to change the user passwords in order to re-generate the 16 | # appropriate hashes. 17 | # 18 | # Complete OSX configuration information is available on Apple's web site: 19 | # 20 | # https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf 21 | # 22 | # See also https://discussions.apple.com/thread/6053980?tstart=0 23 | # 24 | opendirectory { 25 | 26 | } 27 | -------------------------------------------------------------------------------- /raddb/mods-available/otp: -------------------------------------------------------------------------------- 1 | # 2 | # Configuration for the OTP module. 3 | # 4 | 5 | # This module allows you to use various handheld OTP tokens 6 | # for authentication (Auth-Type := otp). These tokens are 7 | # available from various vendors. 
8 | # 9 | # It works in conjunction with otpd, which implements token 10 | # management and OTP verification functions; and lsmd or gsmd, 11 | # which implements synchronous state management functions. 12 | 13 | # You must list this module in BOTH the authorize and authenticate 14 | # sections in order to use it. 15 | otp { 16 | # otpd rendezvous point. 17 | # (default: /var/run/otpd/socket) 18 | #otpd_rp = /var/run/otpd/socket 19 | 20 | # Text to use for the challenge. 21 | # Default "Challenge: %{reply:OTP-Challenge}\n Response: " 22 | 23 | challenge_prompt = "Challenge: %{reply:OTP-Challenge} \n Response: " 24 | 25 | # Length of the challenge. Most tokens probably support a 26 | # max of 8 digits. (range: 5-32 digits, default 6) 27 | #challenge_length = 6 28 | 29 | # Maximum time, in seconds, that a challenge is valid. 30 | # (The user must respond to a challenge within this time.) 31 | # It is also the minimal time between consecutive async mode 32 | # authentications, a necessary restriction due to an inherent 33 | # weakness of the RADIUS protocol which allows replay attacks. 34 | # (default: 30) 35 | #challenge_delay = 30 36 | 37 | # Whether or not to allow asynchronous ("pure" challenge/ 38 | # response) mode authentication. Since sync mode is much more 39 | # usable, and all reasonable tokens support it, the typical 40 | # use of async mode is to allow re-sync of event based tokens. 41 | # But because of the vulnerability of async mode with some tokens, 42 | # you probably want to disable this and require that out-of-sync 43 | # users re-sync from specifically secured terminals. 44 | # See the otpd docs for more info. 45 | # (default: no) 46 | #allow_async = no 47 | 48 | # Whether or not to allow synchronous mode authentication. 49 | # When using otpd with lsmd, it is *CRITICALLY IMPORTANT* 50 | # that if your OTP users can authenticate to multiple RADIUS 51 | # servers, this must be "yes" for the primary/default server, 52 | # and "no" for the others. 
This is because lsmd does not 53 | # share state information across multiple servers. Using "yes" 54 | # on all your RADIUS servers would allow replay attacks! 55 | # Also, for event based tokens, the user will be out of sync 56 | # on the "other" servers. In order to use "yes" on all your 57 | # servers, you must either use gsmd, which synchronises state 58 | # globally, or implement your own state synchronisation method. 59 | # (default: yes) 60 | #allow_sync = yes 61 | 62 | # If both allow_async and allow_sync are "yes", a challenge is 63 | # always presented to the user. This is incompatible with NAS 64 | # that can't present or don't handle Access-Challenge's, e.g. 65 | # PPTP servers. Even though a challenge is presented, the user 66 | # can still enter their synchronous passcode. 67 | 68 | # The following are MPPE settings. Note that MS-CHAP (v1) is 69 | # strongly discouraged. All possible values are listed as 70 | # {value = meaning}. Default values are first. 71 | #mschapv2_mppe = {2 = required, 1 = optional, 0 = forbidden} 72 | #mschapv2_mppe_bits = {2 = 128, 1 = 128 or 40, 0 = 40} 73 | #mschap_mppe = {2 = required, 1 = optional, 0 = forbidden} 74 | #mschap_mppe_bits = {2 = 128} 75 | } 76 | -------------------------------------------------------------------------------- /raddb/mods-available/pam: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: f4a91a948637bb2f42f613ed9faa6f9ae9ae6099 $ 4 | 5 | 6 | # Pluggable Authentication Modules 7 | # 8 | # For Linux, see: 9 | # http://www.kernel.org/pub/linux/libs/pam/index.html 10 | # 11 | # WARNING: On many systems, the system PAM libraries have 12 | # memory leaks! We STRONGLY SUGGEST that you do not 13 | # use PAM for authentication, due to those memory leaks. 14 | # 15 | pam { 16 | # 17 | # The name to use for PAM authentication. 18 | # PAM looks in /etc/pam.d/${pam_auth_name} 19 | # for it's configuration. 
See 'redhat/radiusd-pam' 20 | # for a sample PAM configuration file. 21 | # 22 | # Note that any Pam-Auth attribute set in the 'authorize' 23 | # section will over-ride this one. 24 | # 25 | pam_auth = radiusd 26 | } 27 | -------------------------------------------------------------------------------- /raddb/mods-available/pap: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 0038ecd154840c71ceff33ddfdd936e4e28e0bcd $ 4 | 5 | # PAP module to authenticate users based on their stored password 6 | # 7 | # Supports multiple encryption/hash schemes. See "man rlm_pap" 8 | # for details. 9 | # 10 | # For instructions on creating the various types of passwords, see: 11 | # 12 | # http://www.openldap.org/faq/data/cache/347.html 13 | pap { 14 | # By default the server will use heuristics to try and automatically 15 | # handle base64 or hex encoded passwords. This behaviour can be 16 | # stopped by setting the following to "no". 17 | # normalise = yes 18 | } 19 | -------------------------------------------------------------------------------- /raddb/mods-available/passwd: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 11bd2246642bf3c080327c7f4a67dc42603f3a6c $ 4 | 5 | # passwd module allows to do authorization via any passwd-like 6 | # file and to extract any attributes from these files. 7 | # 8 | # See the "smbpasswd" and "etc_group" files for more examples. 9 | # 10 | # parameters are: 11 | # filename - path to file 12 | # 13 | # format - format for filename record. This parameters 14 | # correlates record in the passwd file and RADIUS 15 | # attributes. 16 | # 17 | # Field marked as '*' is a key field. 
That is, the parameter 18 | # with this name from the request is used to search for 19 | # the record from passwd file 20 | # 21 | # Attributes marked as '=' are added to reply_items instead 22 | # of default configure_items 23 | # 24 | # Attributes marked as '~' are added to request_items 25 | # 26 | # Field marked as ',' may contain a comma separated list 27 | # of attributes. 28 | # 29 | # hash_size - hashtable size. Setting it to 0 is no longer permitted 30 | # A future version of the server will have the module 31 | # automatically determine the hash size. Having it set 32 | # manually should not be necessary. 33 | # 34 | # allow_multiple_keys - if many records for a key are allowed 35 | # 36 | # ignore_nislike - ignore NIS-related records 37 | # 38 | # delimiter - symbol to use as a field separator in passwd file, 39 | # for format ':' symbol is always used. '\0', '\n' are 40 | # not allowed 41 | # 42 | 43 | # An example configuration for using /etc/passwd. 44 | # 45 | # This is an example which will NOT WORK if you have shadow passwords, 46 | # NIS, etc. The "unix" module is normally responsible for reading 47 | # system passwords. You should use it instead of this example. 48 | # 49 | passwd etc_passwd { 50 | filename = /etc/passwd 51 | format = "*User-Name:Crypt-Password:" 52 | hash_size = 100 53 | ignore_nislike = no 54 | allow_multiple_keys = no 55 | } 56 | -------------------------------------------------------------------------------- /raddb/mods-available/perl: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: fa04cdabb71767050aaa0664da792fd6086adb19 $ 4 | 5 | # Persistent, embedded Perl interpreter. 6 | # 7 | perl { 8 | # 9 | # The Perl script to execute on authorize, authenticate, 10 | # accounting, xlat, etc. This is very similar to using 11 | # 'rlm_exec' module, but it is persistent, and therefore 12 | # faster. 
13 | # 14 | filename = ${modconfdir}/${.:instance}/example.pl 15 | 16 | # 17 | # Options which are passed to the Perl interpreter. 18 | # These are (mostly) the same options as are passed 19 | # to the "perl" command line. 20 | # 21 | # The most useful flag is "-T". This sets tainting on. And 22 | # as of 3.0.18, makes it impossible to leverage bad 23 | # User-Names into local command execution. 24 | # 25 | perl_flags = "-T" 26 | 27 | # 28 | # The following hashes are given to the module and 29 | # filled with value-pairs (Attribute names and values) 30 | # 31 | # %RAD_CHECK Check items 32 | # %RAD_REQUEST Attributes from the request 33 | # %RAD_REPLY Attributes for the reply 34 | # %RAD_REQUEST_PROXY Attributes from the proxied request 35 | # %RAD_REQUEST_PROXY_REPLY Attributes from the proxy reply 36 | # 37 | # The interface between FreeRADIUS and Perl is strings. 38 | # That is, attributes of type "octets" are converted to 39 | # printable strings, such as "0xabcdef". If you want to 40 | # access the binary values of the attributes, you should 41 | # call the Perl "pack" function. Then to send any binary 42 | # data back to FreeRADIUS, call the Perl "unpack" function, 43 | # so that the contents of the hashes are printable strings. 44 | # 45 | # IP addresses are sent as strings, e.g. "192.0.2.25", and 46 | # not as a 4-byte binary value. The same applies to other 47 | # attribute data types. 48 | # 49 | # Attributes of type "string" are copied to Perl as-is. 50 | # They are not escaped or interpreted. 51 | # 52 | # The return codes from functions in the perl_script 53 | # are passed directly back to the server. These 54 | # codes are defined in mods-config/example.pl 55 | # 56 | 57 | # You can define configuration items (and nested sub-sections) in perl "config" section. 58 | # These items will be accessible in the perl script through %RAD_PERLCONF hash. 
59 | # For instance: $RAD_PERLCONF{'name'} $RAD_PERLCONF{'sub-config'}->{'name'} 60 | # 61 | #config { 62 | # name = "value" 63 | # sub-config { 64 | # name = "value of name from config.sub-config" 65 | # } 66 | #} 67 | 68 | # 69 | # List of functions in the module to call. 70 | # Uncomment and change if you want to use function 71 | # names other than the defaults. 72 | # 73 | #func_authenticate = authenticate 74 | #func_authorize = authorize 75 | #func_preacct = preacct 76 | #func_accounting = accounting 77 | #func_checksimul = checksimul 78 | #func_pre_proxy = pre_proxy 79 | #func_post_proxy = post_proxy 80 | #func_post_auth = post_auth 81 | #func_recv_coa = recv_coa 82 | #func_send_coa = send_coa 83 | #func_xlat = xlat 84 | #func_detach = detach 85 | 86 | # 87 | # Uncomment the following lines if you wish 88 | # to use separate functions for Start and Stop 89 | # accounting packets. In that case, the 90 | # func_accounting function is not called. 91 | # 92 | #func_start_accounting = accounting_start 93 | #func_stop_accounting = accounting_stop 94 | } 95 | -------------------------------------------------------------------------------- /raddb/mods-available/preprocess: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 8baec7961ba75fe52546cb1331868b0b2b1c38f4 $ 4 | 5 | # Preprocess the incoming RADIUS request, before handing it off 6 | # to other modules. 7 | # 8 | # This module processes the 'huntgroups' and 'hints' files. 9 | # In addition, it re-writes some weird attributes created 10 | # by some NAS, and converts the attributes into a form which 11 | # is a little more standard. 12 | # 13 | preprocess { 14 | # Search for files in a subdirectory of mods-config which 15 | # matches this instance of the preprocess module. 
16 | moddir = ${modconfdir}/${.:instance} 17 | 18 | huntgroups = ${moddir}/huntgroups 19 | hints = ${moddir}/hints 20 | 21 | # This hack changes Ascend's weird port numbering 22 | # to standard 0-??? port numbers so that the "+" works 23 | # for IP address assignments. 24 | with_ascend_hack = no 25 | ascend_channels_per_line = 23 26 | 27 | # Windows NT machines often authenticate themselves as 28 | # NT_DOMAIN\username 29 | # 30 | # If this is set to 'yes', then the NT_DOMAIN portion 31 | # of the user-name is silently discarded. 32 | # 33 | # This configuration entry SHOULD NOT be used. 34 | # See the "realms" module for a better way to handle 35 | # NT domains. 36 | with_ntdomain_hack = no 37 | 38 | # Specialix Jetstream 8500 24 port access server. 39 | # 40 | # If the user name is 10 characters or longer, a "/" 41 | # and the excess characters after the 10th are 42 | # appended to the user name. 43 | # 44 | # If you're not running that NAS, you don't need 45 | # this hack. 46 | with_specialix_jetstream_hack = no 47 | 48 | # Cisco (and Quintum in Cisco mode) sends it's VSA attributes 49 | # with the attribute name *again* in the string, like: 50 | # 51 | # H323-Attribute = "h323-attribute=value". 52 | # 53 | # If this configuration item is set to 'yes', then 54 | # the redundant data in the the attribute text is stripped 55 | # out. The result is: 56 | # 57 | # H323-Attribute = "value" 58 | # 59 | # If you're not running a Cisco or Quintum NAS, you don't 60 | # need this hack. 61 | with_cisco_vsa_hack = no 62 | } 63 | -------------------------------------------------------------------------------- /raddb/mods-available/python: -------------------------------------------------------------------------------- 1 | # 2 | # Make sure the PYTHONPATH environmental variable contains the 3 | # directory(s) for the modules listed below. 4 | # 5 | # Uncomment any func_* which are included in your module. 
If 6 | # rlm_python is called for a section which does not have 7 | # a function defined, it will return NOOP. 8 | # 9 | python { 10 | # Path to the python modules 11 | # 12 | # Note that due to limitations on Python, this configuration 13 | # item is GLOBAL TO THE SERVER. That is, you cannot have two 14 | # instances of the python module, each with a different path. 15 | # 16 | # python_path="/path/to/python/files:/another_path/to/python_files/" 17 | 18 | module = example 19 | 20 | # Pass all VPS lists as a 6-tuple to the callbacks 21 | # (request, reply, config, state, proxy_req, proxy_reply) 22 | # pass_all_vps = no 23 | 24 | # Pass all VPS lists as a dictionary to the callbacks 25 | # Keys: "request", "reply", "config", "session-state", "proxy-request", 26 | # "proxy-reply" 27 | # This option prevales over "pass_all_vps" 28 | # pass_all_vps_dict = no 29 | 30 | mod_instantiate = ${.module} 31 | # func_instantiate = instantiate 32 | 33 | mod_detach = ${.module} 34 | # func_detach = instantiate 35 | 36 | mod_authorize = ${.module} 37 | # func_authorize = authorize 38 | 39 | mod_authenticate = ${.module} 40 | # func_authenticate = authenticate 41 | 42 | mod_preacct = ${.module} 43 | # func_preacct = preacct 44 | 45 | mod_accounting = ${.module} 46 | # func_accounting = accounting 47 | 48 | mod_checksimul = ${.module} 49 | # func_checksimul = checksimul 50 | 51 | mod_pre_proxy = ${.module} 52 | # func_pre_proxy = pre_proxy 53 | 54 | mod_post_proxy = ${.module} 55 | # func_post_proxy = post_proxy 56 | 57 | mod_post_auth = ${.module} 58 | # func_post_auth = post_auth 59 | 60 | mod_recv_coa = ${.module} 61 | # func_recv_coa = recv_coa 62 | 63 | mod_send_coa = ${.module} 64 | # func_send_coa = send_coa 65 | } 66 | -------------------------------------------------------------------------------- /raddb/mods-available/radutmp: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 
82319c033bbf349991a46b8f198a5bf5487b5da8 $ 4 | 5 | # Write a 'utmp' style file, of which users are currently 6 | # logged in, and where they've logged in from. 7 | # 8 | # This file is used mainly for Simultaneous-Use checking, 9 | # and also 'radwho', to see who's currently logged in. 10 | # 11 | radutmp { 12 | # Where the file is stored. It's not a log file, 13 | # so it doesn't need rotating. 14 | # 15 | filename = ${logdir}/radutmp 16 | 17 | # The field in the packet to key on for the 18 | # 'user' name, If you have other fields which you want 19 | # to use to key on to control Simultaneous-Use, 20 | # then you can use them here. 21 | # 22 | # Note, however, that the size of the field in the 23 | # 'utmp' data structure is small, around 32 24 | # characters, so that will limit the possible choices 25 | # of keys. 26 | # 27 | # You may want instead: %{%{Stripped-User-Name}:-%{User-Name}} 28 | username = %{User-Name} 29 | 30 | 31 | # Whether or not we want to treat "user" the same 32 | # as "USER", or "User". Some systems have problems 33 | # with case sensitivity, so this should be set to 34 | # 'no' to enable the comparisons of the key attribute 35 | # to be case insensitive. 36 | # 37 | case_sensitive = yes 38 | 39 | # Accounting information may be lost, so the user MAY 40 | # have logged off of the NAS, but we haven't noticed. 41 | # If so, we can verify this information with the NAS, 42 | # 43 | # If we want to believe the 'utmp' file, then this 44 | # configuration entry can be set to 'no'. 45 | # 46 | check_with_nas = yes 47 | 48 | # Set the file permissions, as the contents of this file 49 | # are usually private. 
50 | permissions = 0600 51 | 52 | caller_id = "yes" 53 | } 54 | -------------------------------------------------------------------------------- /raddb/mods-available/realm: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: f3f4620aaf1bfb97a6a545b236ae3e5080553a11 $ 4 | 5 | # Realm module, for proxying. 6 | # 7 | # You can have multiple instances of the realm module to 8 | # support multiple realm syntaxes at the same time. The 9 | # search order is defined by the order that the modules are listed 10 | # in the authorize and preacct sections. 11 | # 12 | # Four config options: 13 | # format - must be "prefix" or "suffix" 14 | # The special cases of "DEFAULT" 15 | # and "NULL" are allowed, too. 16 | # delimiter - must be a single character 17 | 18 | # 'realm/username' 19 | # 20 | # Using this entry, IPASS users have their realm set to "IPASS". 21 | realm IPASS { 22 | format = prefix 23 | delimiter = "/" 24 | } 25 | 26 | # 'username@realm' 27 | # 28 | realm suffix { 29 | format = suffix 30 | delimiter = "@" 31 | 32 | # The next configuration items are valid ONLY for a trust-router. 33 | # For all other realms, they are ignored. 34 | # trust_router = "localhost" 35 | # tr_port = 12309 36 | # rp_realm = "realm.example.com" 37 | # default_community = "apc.communities.example.com" 38 | # rekey_enabled = no 39 | # realm_lifetime = 0 40 | } 41 | 42 | # 'realm!username' 43 | # 44 | realm bangpath { 45 | format = prefix 46 | delimiter = "!" 47 | 48 | # The next configuration items are valid ONLY for a trust-router. 49 | # For all other realms, they are ignored. 
50 | # trust_router = "localhost" 51 | # tr_port = 12309 52 | # rp_realm = "realm.example.com" 53 | # default_community = "apc.communities.example.com" 54 | # rekey_enabled = no 55 | # realm_lifetime = 0 56 | } 57 | 58 | # 'username%realm' 59 | # 60 | realm realmpercent { 61 | format = suffix 62 | delimiter = "%" 63 | } 64 | 65 | # 66 | # 'domain\user' 67 | # 68 | realm ntdomain { 69 | format = prefix 70 | delimiter = "\\" 71 | } 72 | -------------------------------------------------------------------------------- /raddb/mods-available/redis: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 7952ee4ecebf03496869c88c55a2f32dc689a364 $ 4 | 5 | # 6 | # Configuration file for the "redis" module. This module does nothing 7 | # Other than provide connections to a redis database, and a %{redis: ...} 8 | # expansion. 9 | # 10 | redis { 11 | # Host where the redis server is located. 12 | # We recommend using ONLY 127.0.0.1 ! 13 | server = 127.0.0.1 14 | 15 | # The default port. 16 | port = 6379 17 | 18 | # The password used to authenticate to the server. 19 | # We recommend using a strong password. 20 | # password = thisisreallysecretandhardtoguess 21 | 22 | # Set connection and query timeout for rlm_redis 23 | query_timeout = 5 24 | 25 | # 26 | # Information for the connection pool. The configuration items 27 | # below are the same for all modules which use the new 28 | # connection pool. 29 | # 30 | pool { 31 | # Connections to create during module instantiation. 32 | # If the server cannot create specified number of 33 | # connections during instantiation it will exit. 34 | # Set to 0 to allow the server to start without the 35 | # web service being available. 
36 | start = ${thread[pool].start_servers} 37 | 38 | # Minimum number of connections to keep open 39 | min = ${thread[pool].min_spare_servers} 40 | 41 | # Maximum number of connections 42 | # 43 | # If these connections are all in use and a new one 44 | # is requested, the request will NOT get a connection. 45 | # 46 | # Setting 'max' to LESS than the number of threads means 47 | # that some threads may starve, and you will see errors 48 | # like 'No connections available and at max connection limit' 49 | # 50 | # Setting 'max' to MORE than the number of threads means 51 | # that there are more connections than necessary. 52 | max = ${thread[pool].max_servers} 53 | 54 | # Spare connections to be left idle 55 | # 56 | # NOTE: Idle connections WILL be closed if "idle_timeout" 57 | # is set. This should be less than or equal to "max" above. 58 | spare = ${thread[pool].max_spare_servers} 59 | 60 | # Number of uses before the connection is closed 61 | # 62 | # 0 means "infinite" 63 | uses = 0 64 | 65 | # The number of seconds to wait after the server tries 66 | # to open a connection, and fails. During this time, 67 | # no new connections will be opened. 68 | retry_delay = 30 69 | 70 | # The lifetime (in seconds) of the connection 71 | # 72 | # NOTE: A setting of 0 means infinite (no limit). 73 | lifetime = 86400 74 | 75 | # The pool is checked for free connections every 76 | # "cleanup_interval". If there are free connections, 77 | # then one of them is closed. 78 | cleanup_interval = 300 79 | 80 | # The idle timeout (in seconds). A connection which is 81 | # unused for this length of time will be closed. 82 | # 83 | # NOTE: A setting of 0 means infinite (no timeout). 84 | idle_timeout = 600 85 | 86 | # NOTE: All configuration settings are enforced. If a 87 | # connection is closed because of "idle_timeout", 88 | # "uses", or "lifetime", then the total number of 89 | # connections MAY fall below "min". When that 90 | # happens, it will open a new connection. 
It will 91 | # also log a WARNING message. 92 | # 93 | # The solution is to either lower the "min" connections, 94 | # or increase lifetime/idle_timeout. 95 | } 96 | } 97 | -------------------------------------------------------------------------------- /raddb/mods-available/rediswho: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: dba8c583f08db3490f74127d680c3d7ce5d1c572 $ 4 | 5 | # 6 | # Configuration file for the "rediswho" module. 7 | # 8 | # This module tracks the last set of login sessions for a user. 9 | # 10 | rediswho { 11 | # How many sessions to keep track of per user. 12 | # If there are more than this number, older sessions are deleted. 13 | trim_count = 15 14 | 15 | # Expiry time in seconds. Any sessions which have not received 16 | # an update in this time will be automatically expired. 17 | expire_time = 86400 18 | 19 | # 20 | # Each subsection contains insert / trim / expire queries. 21 | # The subsections are named after the contents of the 22 | # Acct-Status-Type attribute. See dictionary.rfc2866 for names 23 | # of the various Acct-Status-Type values, or look at the output 24 | # of debug mode. 25 | # 26 | # This module supports *any* Acct-Status-Type. Just add a subsection 27 | # of the appropriate name, along with insert / trim / expire queries. 
28 | # 29 | Start { 30 | insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}" 31 | trim = "LTRIM %{User-Name} 0 ${..trim_count}" 32 | expire = "EXPIRE %{User-Name} ${..expire_time}" 33 | } 34 | 35 | Interim-Update { 36 | insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}" 37 | trim = "LTRIM %{User-Name} 0 ${..trim_count}" 38 | expire = "EXPIRE %{User-Name} ${..expire_time}" 39 | } 40 | 41 | Stop { 42 | insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}" 43 | trim = "LTRIM %{User-Name} 0 ${..trim_count}" 44 | expire = "EXPIRE %{User-Name} ${..expire_time}" 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /raddb/mods-available/replicate: -------------------------------------------------------------------------------- 1 | # Replicate packet(s) to a home server. 2 | # 3 | # This module will open a new socket for each packet, and "clone" 4 | # the incoming packet to the destination realm (i.e. home server). 5 | # 6 | # Use it by setting "Replicate-To-Realm = name" in the control list, 7 | # just like Proxy-To-Realm. The configurations for the two attributes 8 | # are identical. The realm must exist, the home_server_pool must exist, 9 | # and the home_server must exist. 10 | # 11 | # The only difference is that the "replicate" module sends requests 12 | # and does not expect a reply. Any reply is ignored. 13 | # 14 | # Both Replicate-To-Realm and Proxy-To-Realm can be used at the same time. 
15 | # 16 | # To use this module, list "replicate" in the "authorize" or 17 | # "accounting" section. Then, ensure that Replicate-To-Realm is set. 18 | # The contents of the "packet" attribute list will be sent to the 19 | # home server. The usual load-balancing, etc. features of the home 20 | # server will be used. 21 | # 22 | # "radmin" can be used to mark home servers alive/dead, in order to 23 | # enable/disable replication to specific servers. 24 | # 25 | # Packets can be replicated to multiple destinations. Just set 26 | # Replicate-To-Realm multiple times. One packet will be sent for 27 | # each of the Replicate-To-Realm attribute in the "control" list. 28 | # 29 | # If no packets are sent, the module returns "noop". If at least one 30 | # packet is sent, the module returns "ok". If an error occurs, the 31 | # module returns "fail" 32 | # 33 | # Note that replication does NOT change any of the packet statistics. 34 | # If you use "radmin" to look at the statistics for a home server, 35 | # the replicated packets will cause NO counters to increment. This 36 | # is not a bug, this is how replication works. 37 | # 38 | replicate { 39 | 40 | } 41 | -------------------------------------------------------------------------------- /raddb/mods-available/smbpasswd: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: d5ad2a06c767f07722dc9b9c4b13d00c26b5a280 $ 4 | 5 | # An example configuration for using /etc/smbpasswd. 6 | # 7 | # See the "passwd" file for documentation on the configuration items 8 | # for this module. 
9 | # 10 | passwd smbpasswd { 11 | filename = /etc/smbpasswd 12 | format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" 13 | hash_size = 100 14 | ignore_nislike = no 15 | allow_multiple_keys = no 16 | } 17 | -------------------------------------------------------------------------------- /raddb/mods-available/smsotp: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 3be32b85f56a84725fe1a6bf508e459dbe6c4e02 $ 4 | 5 | # SMS One-time Password system. 6 | # 7 | # This module will extend FreeRadius with a socks interface to create and 8 | # validate One-Time-Passwords. The program for that creates the socket 9 | # and interacts with this module is not included here. 10 | # 11 | # The module does not check the User-Password, this should be done with 12 | # the "pap" module. See the example below. 13 | # 14 | # The module must be used in the "authorize" section to set 15 | # Auth-Type properly. The first time through, the module is called 16 | # in the "authenticate" section to authenticate the user password, and 17 | # to send the challenge. The second time through, it authenticates 18 | # the response to the challenge. e.g.: 19 | # 20 | # authorize { 21 | # ... 22 | # smsotp 23 | # ... 24 | # } 25 | # 26 | # authenticate { 27 | # ... 28 | # Auth-Type smsotp { 29 | # pap 30 | # smsotp 31 | # } 32 | # 33 | # Auth-Type smsotp-reply { 34 | # smsotp 35 | # } 36 | # ... 37 | # } 38 | # 39 | smsotp { 40 | # The location of the socket. 41 | socket = "/var/run/smsotp_socket" 42 | 43 | # Defines the challenge message that will be send to the 44 | # NAS. Default is "Enter Mobile PIN" } 45 | challenge_message = "Enter Mobile PIN:" 46 | 47 | # Defines the Auth-Type section that is run for the response to 48 | # the challenge. Default is "smsotp-reply". 
49 | challenge_type = "smsotp-reply" 50 | 51 | # Control how many sockets are used to talk to the SMSOTPd 52 | # 53 | pool { 54 | # Number of connections to start 55 | start = 5 56 | 57 | # Minimum number of connections to keep open 58 | min = 4 59 | 60 | # Maximum number of connections 61 | # 62 | # If these connections are all in use and a new one 63 | # is requested, the request will NOT get a connection. 64 | max = 10 65 | 66 | # Spare connections to be left idle 67 | # 68 | # NOTE: Idle connections WILL be closed if "idle_timeout" 69 | # is set. 70 | spare = 3 71 | 72 | # Number of uses before the connection is closed 73 | # 74 | # 0 means "infinite" 75 | uses = 0 76 | 77 | # The lifetime (in seconds) of the connection 78 | lifetime = 0 79 | 80 | # idle timeout (in seconds). A connection which is 81 | # unused for this length of time will be closed. 82 | idle_timeout = 60 83 | 84 | # NOTE: All configuration settings are enforced. If a 85 | # connection is closed because of "idle_timeout", 86 | # "uses", or "lifetime", then the total number of 87 | # connections MAY fall below "min". When that 88 | # happens, it will open a new connection. It will 89 | # also log a WARNING message. 90 | # 91 | # The solution is to either lower the "min" connections, 92 | # or increase lifetime/idle_timeout. 93 | } 94 | } 95 | -------------------------------------------------------------------------------- /raddb/mods-available/soh: -------------------------------------------------------------------------------- 1 | # SoH module 2 | soh { 3 | dhcp = yes 4 | } 5 | -------------------------------------------------------------------------------- /raddb/mods-available/sometimes: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 3a96622cc938f558b023e1110769a46861716a12 $ 4 | 5 | # 6 | # The "sometimes" module is here for debugging purposes. Each instance 7 | # randomly returns the configured result, or "noop". 
8 | # 9 | # It is based on the "always" module. 10 | sometimes { 11 | rcode = fail 12 | } 13 | -------------------------------------------------------------------------------- /raddb/mods-available/sradutmp: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 3a2a0e502e76ec00d4ec17e70132448e1547da46 $ 4 | 5 | # "Safe" radutmp - does not contain caller ID, so it can be 6 | # world-readable, and radwho can work for normal users, without 7 | # exposing any information that isn't already exposed by who(1). 8 | # 9 | # This is another 'instance' of the radutmp module, but it is given 10 | # then name "sradutmp" to identify it later in the "accounting" 11 | # section. 12 | radutmp sradutmp { 13 | filename = ${logdir}/sradutmp 14 | permissions = 0644 15 | caller_id = "no" 16 | } 17 | -------------------------------------------------------------------------------- /raddb/mods-available/unbound: -------------------------------------------------------------------------------- 1 | unbound dns { 2 | # filename = "${raddbdir}/mods-config/unbound/default.conf" 3 | # timeout = 3000 4 | } 5 | -------------------------------------------------------------------------------- /raddb/mods-available/unix: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 5165139aaf39d533581161871542b48a6e3e8c42 $ 4 | 5 | # Unix /etc/passwd style authentication 6 | # 7 | # This module calls the system functions to get the "known good" 8 | # password. This password is usually in the "crypt" form, and is 9 | # incompatible with CHAP, MS-CHAP, PEAP, etc. 10 | # 11 | # If passwords are in /etc/shadow, you will need to set the "group" 12 | # configuration in radiusd.conf. Look for "shadow", and follow the 13 | # instructions there. 14 | # 15 | unix { 16 | # 17 | # The location of the "wtmp" file. 18 | # The only use for 'radlast'. 
If you don't use 19 | # 'radlast', then you can comment out this item. 20 | # 21 | # Note that the radwtmp file may get large! You should 22 | # rotate it (cp /dev/null radwtmp), or just not use it. 23 | # 24 | radwtmp = ${logdir}/radwtmp 25 | } 26 | -------------------------------------------------------------------------------- /raddb/mods-available/unpack: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # $Id: 665dd2aca16b9498a4d2b8a91e41d27741185738 $ 4 | 5 | # 6 | # This module is useful only for 'xlat'. To use it, 7 | # add it to the raddb/mods-enabled/ directory. Then, 8 | # use it on the right-hand side of a variable assignment. 9 | # 10 | # ... = "%{unpack:data 1 integer}" 11 | # 12 | # The arguments are three fields: 13 | # 14 | # data 15 | # Either &Attribute-Name 16 | # the name of the attribute to unpack. 17 | # MUST be a "string" or "octets" type. 18 | # 19 | # or 0xabcdef 20 | # e.g. hex data. 21 | # 22 | # 1 23 | # The offset into the string from which 24 | # it starts unpacking. The offset starts 25 | # at zero, for the first attribute. 26 | # 27 | # integer 28 | # the data type to unpack at that offset. 29 | # e.g. integer, ipaddr, byte, short, etc. 30 | # 31 | # e.g. if we have Class = 0x0000000102030405, then 32 | # 33 | # %{unpack:&Class 4 short} 34 | # 35 | # will unpack octets 4 and 5 as a "short", which has 36 | # value 0x0304. 37 | # 38 | # This module is used when vendors put multiple fields 39 | # into one attribute of type "octets". 40 | # 41 | # The module can also be used to unpack substrings, by specifing a 42 | # data type of "string(len)" or "octets(len)". Where "len" is an 43 | # actual number. For example: 44 | # 45 | # %{unpack:&User-Name 1 string(2)} 46 | # 47 | # When given a User-Name of "hello", it will start taking the 48 | # substring at offset 1 (i.e. "e"), and it will take two characters 49 | # from that offset, i.e. "el". 
50 | # 51 | # When "octets(len)" is used, the output is printed as hex. e.g. for 52 | # the above example with Class: 53 | # 54 | # %{unpack:&Class 4 octets(4)} 55 | # 56 | # Will return the hex string "02030405" 57 | # 58 | unpack { 59 | } 60 | -------------------------------------------------------------------------------- /raddb/mods-available/utf8: -------------------------------------------------------------------------------- 1 | # 2 | # Enforces UTF-8 on strings coming in from the NAS. 3 | # 4 | # An attribute of type "string" containing UTF-8 makes 5 | # the module return NOOP. 6 | # 7 | # An attribute of type "string" containing non-UTF-8 data 8 | # makes the module return FAIL. 9 | # 10 | # This module takes no configuration. 11 | # 12 | utf8 { 13 | 14 | } 15 | -------------------------------------------------------------------------------- /raddb/mods-config/README.rst: -------------------------------------------------------------------------------- 1 | The mods-config Directory 2 | ========================= 3 | 4 | This directory contains module-specific configuration files. These 5 | files are in a format different from the one used by the main 6 | `radiusd.conf` files. Earlier versions of the server had many 7 | module-specific files in the main `raddb` directory. The directory 8 | contained many files, and it was not clear which files did what. 9 | 10 | For Version 3 of FreeRADIUS, we have moved to a consistent naming 11 | scheme. Each module-specific configuration file is placed in this 12 | directory, in a subdirectory named for the module. Where necessary, 13 | files in the subdirectory have been named for the processing section 14 | where they are used. 15 | 16 | For example, the `users` file is now located in 17 | `mods-config/files/authorize`. That filename tells us three things: 18 | 19 | 1. The file is used in the `authorize` section. 20 | 2. The file is used by the `files` module. 21 | 3. 
It is a "module configuration" file, which is a specific format. 22 | 23 | -------------------------------------------------------------------------------- /raddb/mods-config/attr_filter/access_challenge: -------------------------------------------------------------------------------- 1 | # 2 | # Configuration file for the rlm_attr_filter module. 3 | # Please see rlm_attr_filter(5) manpage for more information. 4 | # 5 | # $Id: 12ed619cf16f7322221ef2dfaf28f9c36c616e3c $ 6 | # 7 | # This configuration file is used to remove almost all of the 8 | # attributes From an Access-Challenge message. The RFCs say 9 | # that an Access-Challenge packet can contain only a few 10 | # attributes. We enforce that here. 11 | # 12 | DEFAULT 13 | EAP-Message =* ANY, 14 | State =* ANY, 15 | Message-Authenticator =* ANY, 16 | Reply-Message =* ANY, 17 | Proxy-State =* ANY, 18 | Session-Timeout =* ANY, 19 | Idle-Timeout =* ANY 20 | -------------------------------------------------------------------------------- /raddb/mods-config/attr_filter/access_reject: -------------------------------------------------------------------------------- 1 | # 2 | # Configuration file for the rlm_attr_filter module. 3 | # Please see rlm_attr_filter(5) manpage for more information. 4 | # 5 | # $Id: 47f167b085c2a4e22701fe9fe74b8fe0b9575421 $ 6 | # 7 | # This configuration file is used to remove almost all of the attributes 8 | # From an Access-Reject message. The RFCs say that an Access-Reject 9 | # packet can contain only a few attributes. We enforce that here. 
10 | # 11 | DEFAULT 12 | EAP-Message =* ANY, 13 | State =* ANY, 14 | Message-Authenticator =* ANY, 15 | Error-Cause =* ANY, 16 | Reply-Message =* ANY, 17 | MS-CHAP-Error =* ANY, 18 | Proxy-State =* ANY 19 | -------------------------------------------------------------------------------- /raddb/mods-config/attr_filter/accounting_response: -------------------------------------------------------------------------------- 1 | # 2 | # Configuration file for the rlm_attr_filter module. 3 | # Please see rlm_attr_filter(5) manpage for more information. 4 | # 5 | # $Id: 01e9c6f5bda7a138f45da5010c624d92b6d398a0 $ 6 | # 7 | # This configuration file is used to remove almost all of the attributes 8 | # From an Accounting-Response message. The RFC's say that an 9 | # Accounting-Response packet can contain only a few attributes. 10 | # We enforce that here. 11 | # 12 | DEFAULT 13 | Vendor-Specific =* ANY, 14 | Message-Authenticator =* ANY, 15 | Error-Cause =* ANY, 16 | Proxy-State =* ANY 17 | -------------------------------------------------------------------------------- /raddb/mods-config/attr_filter/pre-proxy: -------------------------------------------------------------------------------- 1 | # 2 | # Configuration file for the rlm_attr_filter module. 3 | # Please see rlm_attr_filter(5) manpage for more information. 4 | # 5 | # $Id: 47b01266f44d0475261c6ea16f74ca17d8838749 $ 6 | # 7 | # This file contains security and configuration information 8 | # for each realm. It can be used be an rlm_attr_filter module 9 | # instance to filter attributes before sending packets to the 10 | # home server of a realm. 11 | # 12 | # When a packet is sent to a home server, these attributes 13 | # and values are tested. Only the first match is used unless 14 | # the "Fall-Through" variable is set to "Yes". In that case 15 | # the rules defined in the DEFAULT case are processed as well. 16 | # 17 | # A special realm named "DEFAULT" matches on all realm names. 
18 | # You can have only one DEFAULT entry. All entries are processed 19 | # in the order they appear in this file. The first entry that 20 | # matches the login-request will stop processing unless you use 21 | # the Fall-Through variable. 22 | # 23 | # The first line indicates the realm to which the rules apply. 24 | # Indented (with the tab character) lines following the first 25 | # line indicate the filter rules. 26 | # 27 | 28 | # This is a complete entry for 'nochap' realm. It allows to send very 29 | # basic attributes to the home server. Note that there is no Fall-Through 30 | # entry so that no DEFAULT entry will be used. Only the listed attributes 31 | # will be sent in the packet, all other attributes will be filtered out. 32 | # 33 | #nochap 34 | # User-Name =* ANY, 35 | # User-Password =* ANY, 36 | # NAS-IP-Address =* ANY, 37 | # NAS-Identifier =* ANY 38 | 39 | # The entry for the 'brokenas' realm removes the attribute NAS-Port-Type 40 | # if its value is different from 'Ethernet'. Then the default rules are 41 | # applied. 42 | # 43 | #brokenas 44 | # NAS-Port-Type == Ethernet 45 | # Fall-Through = Yes 46 | 47 | # The rest of this file contains the DEFAULT entry. 48 | # DEFAULT matches with all realm names. 
49 | 50 | DEFAULT 51 | User-Name =* ANY, 52 | User-Password =* ANY, 53 | CHAP-Password =* ANY, 54 | CHAP-Challenge =* ANY, 55 | MS-CHAP-Challenge =* ANY, 56 | MS-CHAP-Response =* ANY, 57 | EAP-Message =* ANY, 58 | Message-Authenticator =* ANY, 59 | State =* ANY, 60 | NAS-IP-Address =* ANY, 61 | NAS-Identifier =* ANY, 62 | Operator-Name =* ANY, 63 | Calling-Station-Id =* ANY, 64 | Chargeable-User-Identity =* ANY, 65 | Proxy-State =* ANY 66 | -------------------------------------------------------------------------------- /raddb/mods-config/files/accounting: -------------------------------------------------------------------------------- 1 | # 2 | # $Id: eaf952a72dc9d19387af4d2056d7f7027b2435e8 $ 3 | # 4 | # This is like the 'users' file, but it is processed only for 5 | # accounting packets. 6 | # 7 | 8 | # Select between different accounting methods based for example on the 9 | # Realm, the Huntgroup-Name or any combinaison of the attribute/value 10 | # pairs contained in an accounting packet. 11 | # 12 | # You will need to add an "Acct-Type foo {...}" subsection to the 13 | # main "accounting" section in order for these sample configurations 14 | # to work. 15 | # 16 | #DEFAULT Realm == "foo.net", Acct-Type := foo 17 | # 18 | #DEFAULT Huntgroup-Name == "wifi", Acct-Type := wifi 19 | # 20 | #DEFAULT Client-IP-Address == 10.0.0.1, Acct-Type := other 21 | # 22 | #DEFAULT Acct-Status-Type == Start, Acct-Type := start 23 | 24 | # Replace the User-Name with the Stripped-User-Name, if it exists. 25 | # 26 | #DEFAULT 27 | # User-Name := "%{%{Stripped-User-Name}:-%{User-Name}}" 28 | -------------------------------------------------------------------------------- /raddb/mods-config/files/pre-proxy: -------------------------------------------------------------------------------- 1 | # 2 | # Configuration file for the rlm_files module. 3 | # Please see rlm_files(5) manpage for more information. 
4 | # 5 | # $Id: 7292e23ea51717ee5cb50c4b9b609e91ebe4a41c $ 6 | # 7 | # This file is similar to the "users" file. The check items 8 | # are compared against the request, but the "reply" items are 9 | # used to update the proxied packet, not the reply to the NAS. 10 | # 11 | # You can use this file to re-write requests which are about to 12 | # be sent to a home server. 13 | # 14 | 15 | # 16 | # Requests destinated to realm "extisp" are sent to a RADIUS 17 | # home server hosted by an other company which doesn't know about 18 | # the IP addresses of our NASes. Therefore we replace the value of 19 | # the NAS-IP-Address attribute by a unique value we communicated 20 | # to them. 21 | # 22 | #DEFAULT Realm == "extisp" 23 | # NAS-IP-Address := 10.1.2.3 24 | 25 | # 26 | # For all proxied packets, set the User-Name in the proxied packet 27 | # to the Stripped-User-Name, if it exists. If not, set it to the 28 | # User-Name from the original request. 29 | # 30 | #DEFAULT 31 | # User-Name := `%{%{Stripped-User-Name}:-%{User-Name}}` 32 | -------------------------------------------------------------------------------- /raddb/mods-config/preprocess/hints: -------------------------------------------------------------------------------- 1 | # 2 | # hints 3 | # 4 | # The hints file. This file is used to match 5 | # a request, and then add attributes to it. This 6 | # process allows a user to login as "bob.ppp" (for example), 7 | # and receive a PPP connection, even if the NAS doesn't 8 | # ask for PPP. The "hints" file is used to match the 9 | # ".ppp" portion of the username, and to add a set of 10 | # "user requested PPP" attributes to the request. 11 | # 12 | # Matching can take place with the the Prefix and Suffix 13 | # attributes, just like in the "users" file. 14 | # These attributes operate ONLY on the username, though. 15 | # 16 | # Note that the attributes that are set for each entry are 17 | # NOT added to the reply attributes passed back to the NAS. 
18 | # Instead they are added to the list of attributes in the 19 | # request that has been SENT by the NAS. 20 | # 21 | # This extra information can be used in the users file to 22 | # match on. Usually this is done in the DEFAULT entries, 23 | # of which there can be more than one. 24 | # 25 | # In addition a matching entry can transform a username 26 | # for authentication purposes if the "Strip-User-Name" 27 | # variable is set to Yes in an entry (default is Yes). 28 | # 29 | # A special non-protocol name-value pair called "Hint" 30 | # can be set to match on in the "users" file. 31 | # 32 | # As with the "users" file, the first entry that matches the 33 | # incoming request will cause the server to stop looking for 34 | # more hints. If the "Fall-Through" attribute is set to 35 | # "Yes" in an entry then the server will not stop, but 36 | # continue to process further hints from the file. Matches 37 | # on subsequent hints will be against the altered request 38 | # from the previous hints, not against the original request. 39 | # 40 | # The following is how most dial-up ISPs want to set this up. 41 | # 42 | # Version: $Id: 84d4d78d5dc8613f6205fc2ef48f454101caaf33 $ 43 | # 44 | 45 | 46 | DEFAULT Suffix == ".ppp", Strip-User-Name = Yes 47 | Hint = "PPP", 48 | Service-Type = Framed-User, 49 | Framed-Protocol = PPP 50 | 51 | DEFAULT Suffix == ".slip", Strip-User-Name = Yes 52 | Hint = "SLIP", 53 | Service-Type = Framed-User, 54 | Framed-Protocol = SLIP 55 | 56 | DEFAULT Suffix == ".cslip", Strip-User-Name = Yes 57 | Hint = "CSLIP", 58 | Service-Type = Framed-User, 59 | Framed-Protocol = SLIP, 60 | Framed-Compression = Van-Jacobson-TCP-IP 61 | 62 | ###################################################################### 63 | # 64 | # These entries are old, and commented out by default. 65 | # They confuse too many people when "Peter" logs in, and the 66 | # server thinks that the user "eter" is asking for PPP. 
67 | # 68 | #DEFAULT Prefix == "U", Strip-User-Name = No 69 | # Hint = "UUCP" 70 | 71 | #DEFAULT Prefix == "P", Strip-User-Name = Yes 72 | # Hint = "PPP", 73 | # Service-Type = Framed-User, 74 | # Framed-Protocol = PPP 75 | 76 | #DEFAULT Prefix == "S", Strip-User-Name = Yes 77 | # Hint = "SLIP", 78 | # Service-Type = Framed-User, 79 | # Framed-Protocol = SLIP 80 | 81 | #DEFAULT Prefix == "C", Strip-User-Name = Yes 82 | # Hint = "CSLIP", 83 | # Service-Type = Framed-User, 84 | # Framed-Protocol = SLIP, 85 | # Framed-Compression = Van-Jacobson-TCP-IP 86 | 87 | -------------------------------------------------------------------------------- /raddb/mods-config/preprocess/huntgroups: -------------------------------------------------------------------------------- 1 | # 2 | # huntgroups This file defines the `huntgroups' that you have. A 3 | # huntgroup is defined by specifying the IP address of 4 | # the NAS and possibly a port. 5 | # 6 | # Matching is done while RADIUS scans the user file; if it 7 | # includes the selection criteria "Huntgroup-Name == XXX" 8 | # the huntgroup is looked up in this file to see if it 9 | # matches. There can be multiple definitions of the same 10 | # huntgroup; the first one that matches will be used. 11 | # 12 | # This file can also be used to define restricted access 13 | # to certain huntgroups. The second and following lines 14 | # define the access restrictions (based on username and 15 | # UNIX usergroup) for the huntgroup. 16 | # 17 | 18 | # 19 | # Our POP in Alphen a/d Rijn has 3 terminal servers. Create a Huntgroup-Name 20 | # called Alphen that matches on all three terminal servers. 21 | # 22 | #alphen NAS-IP-Address == 192.0.2.5 23 | #alphen NAS-IP-Address == 192.0.2.6 24 | #alphen NAS-IP-Address == 192.0.2.7 25 | 26 | # 27 | # The POP in Delft consists of only one terminal server. 
28 | # 29 | #delft NAS-IP-Address == 198.51.100.5 30 | 31 | # 32 | # Port 0 on the first terminal server in Alphen are connected to 33 | # a huntgroup that is for business users only. Note that only one 34 | # of the username or groupname has to match to get access (OR/OR). 35 | # 36 | # Note that this huntgroup is a subset of the "alphen" huntgroup. 37 | # 38 | #business NAS-IP-Address == 198.51.100.5, NAS-Port-Id == 0 39 | # User-Name == rogerl, 40 | # User-Name == henks, 41 | # Group == business, 42 | # Group == staff 43 | 44 | -------------------------------------------------------------------------------- /raddb/mods-config/python/example.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python2 2 | # 3 | # Python module example file 4 | # Miguel A.L. Paraz 5 | # 6 | # $Id: cfc69020067796d5e7c9f1dd4b67ce8dd57f4ac2 $ 7 | 8 | import radiusd 9 | 10 | # Check post_auth for the most complete example using different 11 | # input and output formats 12 | 13 | def instantiate(p): 14 | print "*** instantiate ***" 15 | print p 16 | # return 0 for success or -1 for failure 17 | 18 | 19 | def authorize(p): 20 | print "*** authorize ***" 21 | radiusd.radlog(radiusd.L_INFO, '*** radlog call in authorize ***') 22 | print 23 | print p 24 | print 25 | print radiusd.config 26 | return radiusd.RLM_MODULE_OK 27 | 28 | 29 | def preacct(p): 30 | print "*** preacct ***" 31 | print p 32 | return radiusd.RLM_MODULE_OK 33 | 34 | 35 | def accounting(p): 36 | print "*** accounting ***" 37 | radiusd.radlog(radiusd.L_INFO, '*** radlog call in accounting (0) ***') 38 | print 39 | print p 40 | return radiusd.RLM_MODULE_OK 41 | 42 | 43 | def pre_proxy(p): 44 | print "*** pre_proxy ***" 45 | print p 46 | return radiusd.RLM_MODULE_OK 47 | 48 | 49 | def post_proxy(p): 50 | print "*** post_proxy ***" 51 | print p 52 | return radiusd.RLM_MODULE_OK 53 | 54 | 55 | def post_auth(p): 56 | print "*** post_auth ***" 57 | 58 | # This is true when 
using pass_all_vps_dict 59 | if type(p) is dict: 60 | print "Request:", p["request"] 61 | print "Reply:", p["reply"] 62 | print "Config:", p["config"] 63 | print "State:", p["session-state"] 64 | print "Proxy-Request:", p["proxy-request"] 65 | print "Proxy-Reply:", p["proxy-reply"] 66 | 67 | else: 68 | print p 69 | 70 | # Dictionary representing changes we want to make to the different VPS 71 | update_dict = { 72 | "request": (("User-Password", ":=", "A new password"),), 73 | "reply": (("Reply-Message", "The module is doing its job"), 74 | ("User-Name", "NewUserName")), 75 | "config": (("Cleartext-Password", "A new password"),), 76 | } 77 | 78 | return radiusd.RLM_MODULE_OK, update_dict 79 | # Alternatively, you could use the legacy 3-tuple output 80 | # (only reply and config can be updated) 81 | # return radiusd.RLM_MODULE_OK, update_dict["reply"], update_dict["config"] 82 | 83 | 84 | def recv_coa(p): 85 | print "*** recv_coa ***" 86 | print p 87 | return radiusd.RLM_MODULE_OK 88 | 89 | 90 | def send_coa(p): 91 | print "*** send_coa ***" 92 | print p 93 | return radiusd.RLM_MODULE_OK 94 | 95 | 96 | def detach(): 97 | print "*** goodbye from example.py ***" 98 | return radiusd.RLM_MODULE_OK 99 | 100 | -------------------------------------------------------------------------------- /raddb/mods-config/python/radiusd.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python2 2 | # 3 | # Definitions for RADIUS programs 4 | # 5 | # Copyright 2002 Miguel A.L. Paraz 6 | # 7 | # This should only be used when testing modules. 8 | # Inside freeradius, the 'radiusd' Python module is created by the C module 9 | # and the definitions are automatically created. 
10 | # 11 | # $Id: 7129923994fcc3cdffef1fb17e34b975796bf8aa $ 12 | 13 | # from modules.h 14 | 15 | RLM_MODULE_REJECT = 0 16 | RLM_MODULE_FAIL = 1 17 | RLM_MODULE_OK = 2 18 | RLM_MODULE_HANDLED = 3 19 | RLM_MODULE_INVALID = 4 20 | RLM_MODULE_USERLOCK = 5 21 | RLM_MODULE_NOTFOUND = 6 22 | RLM_MODULE_NOOP = 7 23 | RLM_MODULE_UPDATED = 8 24 | RLM_MODULE_NUMCODES = 9 25 | 26 | # from log.h 27 | L_AUTH = 2 28 | L_INFO = 3 29 | L_ERR = 4 30 | L_WARN = 5 31 | L_PROXY = 6 32 | L_ACCT = 7 33 | 34 | L_DBG = 16 35 | L_DBG_WARN = 17 36 | L_DBG_ERR = 18 37 | L_DBG_WARN_REQ = 19 38 | L_DBG_ERR_REQ = 20 39 | 40 | # log function 41 | def radlog(level, msg): 42 | import sys 43 | sys.stdout.write(msg + '\n') 44 | 45 | level = level 46 | 47 | 48 | -------------------------------------------------------------------------------- /raddb/mods-config/ruby/example.rb: -------------------------------------------------------------------------------- 1 | #This is example radius.rb script 2 | module Radiusd 3 | def Radiusd.instantiate(arg) 4 | radlog(L_DBG,"[ruby]Running ruby instantiate") 5 | p arg 6 | return Radiusd::RLM_MODULE_OK 7 | end 8 | def Radiusd.authenticate(arg) 9 | radlog(L_DBG,"[ruby]Running ruby authenticate") 10 | p arg 11 | return Radiusd::RLM_MODULE_NOOP 12 | end 13 | def Radiusd.authorize(arg) 14 | radlog(L_DBG,"[ruby]Running ruby authorize") 15 | p arg 16 | #Here we return Cleartext-Password, which could have been retrieved from DB. 
17 | return [Radiusd::RLM_MODULE_UPDATED, [],[["Cleartext-Password","pass"]]] 18 | end 19 | def Radiusd.accounting(arg) 20 | radlog(L_DBG,"[ruby]Running ruby accounting") 21 | p arg 22 | return Radiusd::RLM_MODULE_NOOP 23 | end 24 | 25 | end 26 | -------------------------------------------------------------------------------- /raddb/mods-config/sql/counter/mysql/dailycounter.conf: -------------------------------------------------------------------------------- 1 | # 2 | # This query properly handles calls that span from the 3 | # previous reset period into the current period but 4 | # involves more work for the SQL server than those 5 | # below 6 | # 7 | query = "\ 8 | SELECT SUM(acctsessiontime - GREATEST((%%b - UNIX_TIMESTAMP(acctstarttime)), 0)) \ 9 | FROM radacct \ 10 | WHERE username = '%{${key}}' \ 11 | AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%%b'" 12 | 13 | # 14 | # This query ignores calls that started in a previous 15 | # reset period and continue into into this one. 
But it 16 | # is a little easier on the SQL server 17 | # 18 | #query = "\ 19 | # SELECT SUM(acctsessiontime) \ 20 | # FROM radacct \ 21 | # WHERE username = '%{${key}}' \ 22 | # AND acctstarttime > FROM_UNIXTIME('%%b')" 23 | 24 | # 25 | # This query is the same as above, but demonstrates an 26 | # additional counter parameter '%%e' which is the 27 | # timestamp for the end of the period 28 | # 29 | #query = "\ 30 | # SELECT SUM(acctsessiontime) \ 31 | # FROM radacct \ 32 | # WHERE username = '%{${key}}' \ 33 | # AND acctstarttime BETWEEN FROM_UNIXTIME('%%b') AND FROM_UNIXTIME('%%e')" 34 | -------------------------------------------------------------------------------- /raddb/mods-config/sql/counter/mysql/expire_on_login.conf: -------------------------------------------------------------------------------- 1 | query = "\ 2 | SELECT IFNULL( MAX(TIME_TO_SEC(TIMEDIFF(NOW(), acctstarttime))),0) \ 3 | FROM radacct \ 4 | WHERE UserName='%{${key}}' \ 5 | ORDER BY acctstarttime \ 6 | LIMIT 1;" 7 | -------------------------------------------------------------------------------- /raddb/mods-config/sql/counter/mysql/monthlycounter.conf: -------------------------------------------------------------------------------- 1 | # 2 | # This query properly handles calls that span from the 3 | # previous reset period into the current period but 4 | # involves more work for the SQL server than those 5 | # below 6 | # 7 | query = "\ 8 | SELECT SUM(acctsessiontime - GREATEST((%%b - UNIX_TIMESTAMP(acctstarttime)), 0)) \ 9 | FROM radacct \ 10 | WHERE username='%{${key}}' \ 11 | AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%%b'" 12 | 13 | # 14 | # This query ignores calls that started in a previous 15 | # reset period and continue into into this one. 
But it 16 | # is a little easier on the SQL server 17 | # 18 | #query = "\ 19 | # SELECT SUM(acctsessiontime) \ 20 | # FROM radacct\ 21 | # WHERE username='%{${key}}' \ 22 | # AND acctstarttime > FROM_UNIXTIME('%%b')" 23 | 24 | # 25 | # This query is the same as above, but demonstrates an 26 | # additional counter parameter '%%e' which is the 27 | # timestamp for the end of the period 28 | # 29 | #query = "\ 30 | # SELECT SUM(acctsessiontime) \ 31 | # FROM radacct \ 32 | # WHERE username='%{${key}}' \ 33 | # AND acctstarttime BETWEEN FROM_UNIXTIME('%%b') \ 34 | # AND FROM_UNIXTIME('%%e')" 35 | -------------------------------------------------------------------------------- /raddb/mods-config/sql/counter/mysql/noresetcounter.conf: -------------------------------------------------------------------------------- 1 | query = "\ 2 | SELECT IFNULL(SUM(AcctSessionTime),0) \ 3 | FROM radacct \ 4 | WHERE UserName='%{${key}}'" 5 | -------------------------------------------------------------------------------- /raddb/mods-config/sql/counter/postgresql/dailycounter.conf: -------------------------------------------------------------------------------- 1 | # 2 | # This query properly handles calls that span from the 3 | # previous reset period into the current period but 4 | # involves more work for the SQL server than those 5 | # below 6 | # 7 | query = "\ 8 | SELECT SUM(AcctSessionTime - GREATER((%%b - AcctStartTime::ABSTIME::INT4), 0)) \ 9 | FROM radacct \ 10 | WHERE UserName='%{${key}}' \ 11 | AND AcctStartTime::ABSTIME::INT4 + AcctSessionTime > '%%b'" 12 | 13 | # 14 | # This query ignores calls that started in a previous 15 | # reset period and continue into into this one. 
But it 16 | # is a little easier on the SQL server 17 | # 18 | #query = "\ 19 | # SELECT SUM(AcctSessionTime) \ 20 | # FROM radacct \ 21 | # WHERE UserName='%{${key}}' \ 22 | # AND AcctStartTime::ABSTIME::INT4 > '%%b'" 23 | 24 | # 25 | # This query is the same as above, but demonstrates an 26 | # additional counter parameter '%%e' which is the 27 | # timestamp for the end of the period 28 | # 29 | #query = "\ 30 | # SELECT SUM(AcctSessionTime) \ 31 | # FROM radacct \ 32 | # WHERE UserName='%{${key}}' \ 33 | # AND AcctStartTime::ABSTIME::INT4 BETWEEN '%%b' \ 34 | # AND '%%e'" 35 | -------------------------------------------------------------------------------- /raddb/mods-config/sql/counter/postgresql/expire_on_login.conf: -------------------------------------------------------------------------------- 1 | query = "\ 2 | SELECT EXTRACT(EPOCH FROM (NOW() - acctstarttime)) \ 3 | FROM radacct \ 4 | WHERE UserName='%{${key}}' \ 5 | ORDER BY acctstarttime \ 6 | LIMIT 1;" 7 | -------------------------------------------------------------------------------- /raddb/mods-config/sql/counter/postgresql/monthlycounter.conf: -------------------------------------------------------------------------------- 1 | # This query properly handles calls that span from the 2 | # previous reset period into the current period but 3 | # involves more work for the SQL server than those 4 | # below 5 | query = "\ 6 | SELECT SUM(AcctSessionTime - GREATER((%%b - AcctStartTime::ABSTIME::INT4), 0)) \ 7 | FROM radacct \ 8 | WHERE UserName='%{${key}}' \ 9 | AND AcctStartTime::ABSTIME::INT4 + AcctSessionTime > '%%b'" 10 | 11 | # 12 | # This query ignores calls that started in a previous 13 | # reset period and continue into into this one. 
But it 14 | # is a little easier on the SQL server 15 | # 16 | #query = "\ 17 | # SELECT SUM(AcctSessionTime) \ 18 | # FROM radacct \ 19 | # WHERE UserName='%{${key}}' \ 20 | # AND AcctStartTime::ABSTIME::INT4 > '%%b'" 21 | 22 | # 23 | # This query is the same as above, but demonstrates an 24 | # additional counter parameter '%%e' which is the 25 | # timestamp for the end of the period 26 | # 27 | #query = "\ 28 | # SELECT SUM(AcctSessionTime) \ 29 | # FROM radacct \ 30 | # WHERE UserName='%{${key}}' \ 31 | # AND AcctStartTime::ABSTIME::INT4 BETWEEN '%%b' AND '%%e'" 32 | -------------------------------------------------------------------------------- /raddb/mods-config/sql/counter/postgresql/noresetcounter.conf: -------------------------------------------------------------------------------- 1 | query = "\ 2 | SELECT SUM(AcctSessionTime) \ 3 | FROM radacct \ 4 | WHERE UserName='%{${key}}'" 5 | -------------------------------------------------------------------------------- /raddb/mods-config/sql/counter/sqlite/dailycounter.conf: -------------------------------------------------------------------------------- 1 | # 2 | # This query properly handles calls that span from the 3 | # previous reset period into the current period but 4 | # involves more work for the SQL server than those 5 | # below 6 | # 7 | query = "\ 8 | SELECT SUM(acctsessiontime - GREATEST((%%b - strftime('%%s', acctstarttime)), 0)) \ 9 | FROM radacct \ 10 | WHERE username = '%{${key}}' \ 11 | AND (strftime('%%s', acctstarttime) + acctsessiontime) > %%b" 12 | 13 | # 14 | # This query ignores calls that started in a previous 15 | # reset period and continue into into this one. 
But it 16 | # is a little easier on the SQL server 17 | # 18 | #query = "\ 19 | # SELECT SUM(acctsessiontime) \ 20 | # FROM radacct \ 21 | # WHERE \username = '%{${key}}' \ 22 | # AND acctstarttime > %%b" 23 | 24 | # 25 | # This query is the same as above, but demonstrates an 26 | # additional counter parameter '%%e' which is the 27 | # timestamp for the end of the period 28 | # 29 | #query = "\ 30 | # SELECT SUM(acctsessiontime) FROM radacct \ 31 | # WHERE username = '%{${key}}' \ 32 | # AND acctstarttime BETWEEN %%b \ 33 | # AND %%e" 34 | -------------------------------------------------------------------------------- /raddb/mods-config/sql/counter/sqlite/expire_on_login.conf: -------------------------------------------------------------------------------- 1 | query = "\ 2 | SELECT GREATEST(strftime('%%s', NOW()) - strftime('%%s', acctstarttime), 0) AS expires \ 3 | FROM radacct \ 4 | WHERE username = '%{${key}}' \ 5 | ORDER BY acctstarttime \ 6 | LIMIT 1;" 7 | -------------------------------------------------------------------------------- /raddb/mods-config/sql/counter/sqlite/monthlycounter.conf: -------------------------------------------------------------------------------- 1 | # 2 | # This query properly handles calls that span from the 3 | # previous reset period into the current period but 4 | # involves more work for the SQL server than those 5 | # below 6 | # 7 | query = "\ 8 | SELECT SUM(acctsessiontime - GREATEST((%%b - strftime('%%s', acctstarttime)), 0)) \ 9 | FROM radacct \ 10 | WHERE username = '%{${key}}' AND \ 11 | (strftime('%%s', acctstarttime) + acctsessiontime) > %%b" 12 | 13 | # 14 | # This query ignores calls that started in a previous 15 | # reset period and continue into into this one. 
But it 16 | # is a little easier on the SQL server 17 | # 18 | #query = "\ 19 | # SELECT SUM(acctsessiontime) \ 20 | # FROM radacct \ 21 | # WHERE username = '%{${key}}' \ 22 | # AND acctstarttime > %%b" 23 | 24 | # 25 | # This query is the same as above, but demonstrates an 26 | # additional counter parameter '%%e' which is the 27 | # timestamp for the end of the period 28 | # 29 | #query = "\ 30 | # SELECT SUM(acctsessiontime) \ 31 | # FROM radacct \ 32 | # WHERE username = '%{${key}}' \ 33 | # AND acctstarttime BETWEEN %%b \ 34 | # AND %%e" 35 | -------------------------------------------------------------------------------- /raddb/mods-config/sql/counter/sqlite/noresetcounter.conf: -------------------------------------------------------------------------------- 1 | query = "\ 2 | SELECT IFNULL(SUM(acctsessiontime),0) \ 3 | FROM radacct \ 4 | WHERE username = '%{${key}}'" 5 | -------------------------------------------------------------------------------- /raddb/mods-config/sql/cui/mysql/queries.conf: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # cui/mysql/queries.conf -- Queries to update a MySQL CUI table. 
4 | # 5 | # $Id: f8f18cab562e7321756cd1f3411bbc9897ef3377 $ 6 | 7 | post-auth { 8 | query = "\ 9 | INSERT IGNORE INTO ${..cui_table} \ 10 | (clientipaddress, callingstationid, username, cui, lastaccounting) \ 11 | VALUES \ 12 | ('%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}', '%{Calling-Station-Id}', \ 13 | '%{User-Name}', '%{reply:Chargeable-User-Identity}', NULL) \ 14 | ON DUPLICATE KEY UPDATE \ 15 | lastaccounting='0000-00-00 00:00:00', \ 16 | cui='%{reply:Chargeable-User-Identity}'" 17 | 18 | } 19 | 20 | accounting { 21 | reference = "%{tolower:type.%{Acct-Status-Type}.query}" 22 | type { 23 | start { 24 | query = "\ 25 | UPDATE ${....cui_table} SET \ 26 | lastaccounting = CURRENT_TIMESTAMP \ 27 | WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \ 28 | AND callingstationid = '%{Calling-Station-Id}' \ 29 | AND username = '%{User-Name}' \ 30 | AND cui = '%{Chargeable-User-Identity}'" 31 | } 32 | interim-update { 33 | query ="\ 34 | UPDATE ${....cui_table} SET \ 35 | lastaccounting = CURRENT_TIMESTAMP \ 36 | WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \ 37 | AND callingstationid = '%{Calling-Station-Id}' \ 38 | AND username = '%{User-Name}' \ 39 | AND cui = '%{Chargeable-User-Identity}'" 40 | } 41 | stop { 42 | query ="\ 43 | DELETE FROM ${....cui_table} \ 44 | WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \ 45 | AND callingstationid = '%{Calling-Station-Id}' \ 46 | AND username = '%{User-Name}' \ 47 | AND cui = '%{Chargeable-User-Identity}'" 48 | } 49 | } 50 | } 51 | -------------------------------------------------------------------------------- /raddb/mods-config/sql/cui/mysql/schema.sql: -------------------------------------------------------------------------------- 1 | CREATE TABLE `cui` ( 2 | `clientipaddress` varchar(46) NOT NULL default '', 3 | `callingstationid` varchar(50) NOT NULL default '', 4 | `username` varchar(64) NOT NULL default 
'', 5 | `cui` varchar(32) NOT NULL default '', 6 | `creationdate` timestamp NOT NULL default CURRENT_TIMESTAMP, 7 | `lastaccounting` timestamp NOT NULL default '0000-00-00 00:00:00', 8 | PRIMARY KEY (`username`,`clientipaddress`,`callingstationid`) 9 | ) ENGINE=InnoDB DEFAULT CHARSET=utf8; 10 | -------------------------------------------------------------------------------- /raddb/mods-config/sql/cui/postgresql/queries.conf: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # cui/postgresql/queries.conf -- Queries to update a PostgreSQL CUI table. 4 | # 5 | # $Id: 6c2215f0abbe5cb30658ea541d525fd7a274c547 $ 6 | 7 | post-auth { 8 | query = "\ 9 | INSERT INTO ${..cui_table} \ 10 | (clientipaddress, callingstationid, username, cui) \ 11 | VALUES \ 12 | ('%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}', '%{Calling-Station-Id}', \ 13 | '%{User-Name}', '%{reply:Chargeable-User-Identity}')" 14 | 15 | } 16 | 17 | accounting { 18 | reference = "%{tolower:type.%{Acct-Status-Type}.query}" 19 | type { 20 | start { 21 | query = "\ 22 | UPDATE ${....cui_table} SET \ 23 | lastaccounting = now() \ 24 | WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \ 25 | AND callingstationid = '%{Calling-Station-Id}' \ 26 | AND username = '%{User-Name}' \ 27 | AND cui = '%{Chargeable-User-Identity}'" 28 | } 29 | interim-update { 30 | query ="\ 31 | UPDATE ${....cui_table} SET \ 32 | lastaccounting = now() \ 33 | WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \ 34 | AND callingstationid = '%{Calling-Station-Id}' \ 35 | AND username = '%{User-Name}' \ 36 | AND cui = '%{Chargeable-User-Identity}'" 37 | } 38 | stop { 39 | query ="\ 40 | DELETE FROM ${....cui_table} \ 41 | WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \ 42 | AND callingstationid = '%{Calling-Station-Id}' \ 43 | AND username = '%{User-Name}' \ 44 | AND cui = 
'%{Chargeable-User-Identity}'" 45 | } 46 | } 47 | } 48 | -------------------------------------------------------------------------------- /raddb/mods-config/sql/cui/postgresql/schema.sql: -------------------------------------------------------------------------------- 1 | CREATE TABLE cui ( 2 | clientipaddress INET NOT NULL DEFAULT '0.0.0.0', 3 | callingstationid varchar(50) NOT NULL DEFAULT '', 4 | username varchar(64) NOT NULL DEFAULT '', 5 | cui varchar(32) NOT NULL DEFAULT '', 6 | creationdate TIMESTAMP with time zone NOT NULL default 'now()', 7 | lastaccounting TIMESTAMP with time zone NOT NULL default '-infinity'::timestamp, 8 | PRIMARY KEY (username, clientipaddress, callingstationid) 9 | ); 10 | 11 | CREATE RULE postauth_query AS ON INSERT TO cui 12 | WHERE EXISTS(SELECT 1 FROM cui WHERE (username, clientipaddress, callingstationid)=(NEW.username, NEW.clientipaddress, NEW.callingstationid)) 13 | DO INSTEAD UPDATE cui SET lastaccounting ='-infinity'::timestamp with time zone, cui=NEW.cui WHERE (username, clientipaddress, callingstationid)=(NEW.username, NEW.clientipaddress, NEW.callingstationid); 14 | 15 | -------------------------------------------------------------------------------- /raddb/mods-config/sql/cui/sqlite/queries.conf: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # cui/sqlite/queries.conf -- Queries to update a sqlite CUI table. 
4 | # 5 | # $Id: 41741eb70ae9c428ba5230aaf9d9b84f95c050a9 $ 6 | 7 | post-auth { 8 | query = "\ 9 | INSERT OR REPLACE INTO ${..cui_table} \ 10 | (clientipaddress, callingstationid, username, cui, lastaccounting) \ 11 | VALUES \ 12 | ('%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}', '%{Calling-Station-Id}', \ 13 | '%{User-Name}', '%{reply:Chargeable-User-Identity}', NULL)" 14 | 15 | } 16 | 17 | accounting { 18 | reference = "%{tolower:type.%{Acct-Status-Type}.query}" 19 | type { 20 | start { 21 | query = "\ 22 | UPDATE ${....cui_table} SET \ 23 | lastaccounting = CURRENT_TIMESTAMP \ 24 | WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \ 25 | AND callingstationid = '%{Calling-Station-Id}' \ 26 | AND username = '%{User-Name}' \ 27 | AND cui = '%{Chargeable-User-Identity}'" 28 | } 29 | interim-update { 30 | query ="\ 31 | UPDATE ${....cui_table} SET \ 32 | lastaccounting = CURRENT_TIMESTAMP \ 33 | WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \ 34 | AND callingstationid = '%{Calling-Station-Id}' \ 35 | AND username = '%{User-Name}' \ 36 | AND cui = '%{Chargeable-User-Identity}'" 37 | } 38 | stop { 39 | query ="\ 40 | DELETE FROM ${....cui_table} \ 41 | WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \ 42 | AND callingstationid = '%{Calling-Station-Id}' \ 43 | AND username = '%{User-Name}' \ 44 | AND cui = '%{Chargeable-User-Identity}'" 45 | } 46 | } 47 | } 48 | -------------------------------------------------------------------------------- /raddb/mods-config/sql/cui/sqlite/schema.sql: -------------------------------------------------------------------------------- 1 | CREATE TABLE `cui` ( 2 | `clientipaddress` varchar(46) NOT NULL default '', 3 | `callingstationid` varchar(50) NOT NULL default '', 4 | `username` varchar(64) NOT NULL default '', 5 | `cui` varchar(32) NOT NULL default '', 6 | `creationdate` timestamp NOT NULL default CURRENT_TIMESTAMP, 7 | 
`lastaccounting` timestamp NOT NULL default '0000-00-00 00:00:00', 8 | PRIMARY KEY (`username`,`clientipaddress`,`callingstationid`) 9 | ); 10 | -------------------------------------------------------------------------------- /raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql: -------------------------------------------------------------------------------- 1 | # 2 | # Table structure for table 'radippool' 3 | # 4 | CREATE TABLE radippool ( 5 | id int(11) unsigned NOT NULL auto_increment, 6 | pool_name varchar(30) NOT NULL, 7 | framedipaddress varchar(15) NOT NULL default '', 8 | nasipaddress varchar(15) NOT NULL default '', 9 | calledstationid VARCHAR(30) NOT NULL, 10 | callingstationid VARCHAR(30) NOT NULL, 11 | expiry_time DATETIME NULL default NULL, 12 | username varchar(64) NOT NULL default '', 13 | pool_key varchar(30) NOT NULL, 14 | PRIMARY KEY (id), 15 | KEY radippool_poolname_expire (pool_name, expiry_time), 16 | KEY callingstationid (callingstationid), 17 | KEY framedipaddress (framedipaddress), 18 | KEY radippool_nasip_poolkey_ipaddress (nasipaddress, pool_key, framedipaddress) 19 | ) ENGINE=InnoDB; 20 | -------------------------------------------------------------------------------- /raddb/mods-config/sql/ippool-dhcp/oracle/schema.sql: -------------------------------------------------------------------------------- 1 | CREATE TABLE radippool ( 2 | id INT PRIMARY KEY, 3 | pool_name VARCHAR(30) NOT NULL, 4 | framedipaddress VARCHAR(30) NOT NULL, 5 | nasipaddress VARCHAR(30) NOT NULL, 6 | pool_key VARCHAR(64) NOT NULL, 7 | calledstationid VARCHAR(64), 8 | callingstationid VARCHAR(64) NOT NULL, 9 | expiry_time TIMESTAMP(0) NOT NULL, 10 | username VARCHAR(100) 11 | ); 12 | 13 | CREATE INDEX radippool_poolname_ipaddr ON radippool (pool_name, framedipaddress); 14 | CREATE INDEX radippool_poolname_expire ON radippool (pool_name, expiry_time); 15 | CREATE INDEX radippool_nasipaddr_key ON radippool (nasipaddress, pool_key); 16 | CREATE INDEX 
radippool_nasipaddr_calling ON radippool (nasipaddress, callingstationid); 17 | 18 | CREATE SEQUENCE radippool_seq START WITH 1 INCREMENT BY 1; 19 | 20 | CREATE OR REPLACE TRIGGER radippool_serialnumber 21 | BEFORE INSERT OR UPDATE OF id ON radippool 22 | FOR EACH ROW 23 | BEGIN 24 | IF ( :NEW.id = 0 OR :NEW.id IS NULL ) THEN 25 | SELECT radippool_seq.NEXTVAL INTO :NEW.id FROM dual; 26 | END IF; 27 | END; 28 | / 29 | -------------------------------------------------------------------------------- /raddb/mods-config/sql/ippool-dhcp/sqlite/schema.sql: -------------------------------------------------------------------------------- 1 | CREATE TABLE radippool ( 2 | id int PRIMARY KEY, 3 | pool_name varchar(30) NOT NULL, 4 | framedipaddress varchar(30) NOT NULL, 5 | nasipaddress varchar(30) NOT NULL DEFAULT '', 6 | pool_key varchar(64) NOT NULL DEFAULT '', 7 | calledstationid varchar(64), 8 | callingstationid varchar(64) NOT NULL DEFAULT '', 9 | expiry_time timestamp DEFAULT NULL, 10 | username varchar(100) 11 | ); 12 | 13 | -- Example of how to put IPs in the pool 14 | -- INSERT INTO radippool (id, pool_name, framedipaddress) VALUES (1, 'local', '192.168.5.10'); 15 | -- INSERT INTO radippool (id, pool_name, framedipaddress) VALUES (2, 'local', '192.168.5.11'); 16 | -- INSERT INTO radippool (id, pool_name, framedipaddress) VALUES (3, 'local', '192.168.5.12'); 17 | -- INSERT INTO radippool (id, pool_name, framedipaddress) VALUES (4, 'local', '192.168.5.13'); 18 | 19 | -------------------------------------------------------------------------------- /raddb/mods-config/sql/ippool/mysql/schema.sql: -------------------------------------------------------------------------------- 1 | # 2 | # Table structure for table 'radippool' 3 | # 4 | CREATE TABLE radippool ( 5 | id int(11) unsigned NOT NULL auto_increment, 6 | pool_name varchar(30) NOT NULL, 7 | framedipaddress varchar(15) NOT NULL default '', 8 | nasipaddress varchar(15) NOT NULL default '', 9 | calledstationid 
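VARCHAR(30) NOT NULL,
  callingstationid VARCHAR(30) NOT NULL,
  expiry_time DATETIME NULL default NULL,
  username varchar(64) NOT NULL default '',
  pool_key varchar(30) NOT NULL,
  PRIMARY KEY (id),
  KEY radippool_poolname_expire (pool_name, expiry_time),
  KEY framedipaddress (framedipaddress),
  KEY radippool_nasip_poolkey_ipaddress (nasipaddress, pool_key, framedipaddress)
) ENGINE=InnoDB;
--------------------------------------------------------------------------------
/raddb/mods-config/sql/ippool/oracle/procedures.sql:
--------------------------------------------------------------------------------
-- msqlippool(user, pool): return the address sqlippool should hand to
-- 'user' out of 'pool', or '' (NULL in Oracle) when none is available.
--
--   pool = 'Dynamic'  : the oldest expired address in the pool. Nothing is
--                       written here; sqlippool's own allocate/update query
--                       is expected to claim it.
--   any other pool    : the address already recorded for 'user'. If there is
--                       none, claim a free address in that pool and record
--                       the user on it so the same address comes back next
--                       time.
--
-- Declared AUTONOMOUS_TRANSACTION so the claim commits on its own, independent
-- of the caller's transaction.
CREATE OR REPLACE FUNCTION msqlippool(user varchar2, pool varchar2)
RETURN varchar2 IS

PRAGMA AUTONOMOUS_TRANSACTION;
ip_temp varchar2(20);
BEGIN

	-- If the user's pool is dynamic, get an ipaddress (oldest one) from the corresponding pool

	if pool = 'Dynamic' then
		select framedipaddress into ip_temp from (select framedipaddress from radippool where expiry_time < current_timestamp and pool_name = pool ORDER BY expiry_time) where rownum = 1;
		return (ip_temp);

	-- Else, then get the static ipaddress for that user from the corresponding pool

	else
		select framedipaddress into ip_temp from radippool where username = user and pool_name = pool;
		return (ip_temp);
	end if;

exception

	-- This block is executed if there's no free ipaddresses or no static ip assigned to the user

	when NO_DATA_FOUND then
		if pool = 'Dynamic' then
			return(''); -- so sqlippool can log it on radius.log
		end if;

		-- Else, grab a free IP from the static pool and save it in radippool so the
		-- user will always get the same IP the next time.
		--
		-- Two things the previous version got wrong:
		--  * An exception raised inside this handler is NOT caught by the
		--    "when others" below (handlers do not catch each other), so an
		--    exhausted static pool escaped to the caller as an ORA error
		--    instead of '' like the dynamic case. The lookup now has its own
		--    block.
		--  * The UPDATE claimed the row unconditionally. Two requests arriving
		--    together could both select the same free address and both record
		--    it as theirs. The UPDATE now re-checks "username is null" and the
		--    loser of the race returns '' (sqlippool logs it; the NAS retries).

		begin
			select framedipaddress into ip_temp from (select framedipaddress from radippool where expiry_time < current_timestamp and username is null and pool_name = pool) where rownum = 1;
		exception
			when NO_DATA_FOUND then
				return(''); -- static pool has no free address left
		end;

		UPDATE radippool SET username = user where framedipaddress = ip_temp and pool_name = pool and username is null;
		if SQL%ROWCOUNT = 0 then
			rollback; -- another session claimed it between our select and update
			return('');
		end if;
		commit;
		return (ip_temp);

	when others
		-- NOTE: this sentinel goes back to sqlippool as if it were an address,
		-- so a database error shows up as an allocation failure on the NAS
		-- side, not as a DB error in radius.log. Check the Oracle alert log
		-- when it appears.
		then return('Oracle Exception');

END;
/
--------------------------------------------------------------------------------
/raddb/mods-config/sql/ippool/oracle/schema.sql:
--------------------------------------------------------------------------------
CREATE TABLE radippool (
	id INT PRIMARY KEY,
	pool_name VARCHAR(30) NOT NULL,
	framedipaddress VARCHAR(30) NOT NULL,
	nasipaddress VARCHAR(30) NOT NULL,
	pool_key INT NOT NULL,
	CalledStationId VARCHAR(64),
	CallingStationId VARCHAR(64) NOT NULL,
	expiry_time timestamp(0) NOT NULL,
	username VARCHAR(100)
);

CREATE INDEX radippool_poolname_ipaadr ON radippool (pool_name, framedipaddress);
CREATE INDEX radippool_poolname_expire ON radippool (pool_name, expiry_time);
CREATE INDEX radippool_nasipaddr_key ON radippool (nasipaddress, pool_key);
CREATE INDEX radippool_nasipaddr_calling ON radippool (nasipaddress, callingstationid);

CREATE SEQUENCE radippool_seq START WITH 1 INCREMENT BY 1;

CREATE OR REPLACE TRIGGER radippool_serialnumber
	BEFORE INSERT OR UPDATE OF id ON radippool
	FOR EACH ROW
	BEGIN
		if ( :new.id = 0 or :new.id is null ) then
			SELECT radippool_seq.nextval into :new.id from dual;
		end if;
	END;
/
--------------------------------------------------------------------------------
/raddb/mods-config/sql/ippool/postgresql/schema.sql:
--------------------------------------------------------------------------------
--
-- Table structure for table 'radippool'
--

CREATE TABLE radippool (
	id BIGSERIAL PRIMARY KEY,
	pool_name varchar(64) NOT NULL,
	FramedIPAddress INET NOT NULL,
	NASIPAddress VARCHAR(16) NOT NULL default '',
	pool_key VARCHAR(64) NOT NULL default 0,
	CalledStationId VARCHAR(64),
	CallingStationId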
text NOT NULL default ''::text, 13 | expiry_time TIMESTAMP(0) without time zone NOT NULL default 'now'::timestamp(0), 14 | username text DEFAULT ''::text 15 | ); 16 | 17 | CREATE INDEX radippool_poolname_expire ON radippool USING btree (pool_name, expiry_time); 18 | CREATE INDEX radippool_framedipaddress ON radippool USING btree (framedipaddress); 19 | CREATE INDEX radippool_nasip_poolkey_ipaddress ON radippool USING btree (nasipaddress, pool_key, framedipaddress); 20 | -------------------------------------------------------------------------------- /raddb/mods-config/sql/ippool/sqlite/schema.sql: -------------------------------------------------------------------------------- 1 | -- 2 | -- Table structure for table 'radippool' 3 | -- 4 | CREATE TABLE radippool ( 5 | id int(11) PRIMARY KEY, 6 | pool_name varchar(30) NOT NULL, 7 | framedipaddress varchar(15) NOT NULL default '', 8 | nasipaddress varchar(15) NOT NULL default '', 9 | calledstationid VARCHAR(30) NOT NULL, 10 | callingstationid VARCHAR(30) NOT NULL, 11 | expiry_time DATETIME NULL default NULL, 12 | username varchar(64) NOT NULL default '', 13 | pool_key varchar(30) NOT NULL 14 | ); 15 | 16 | CREATE INDEX radippool_poolname_expire ON radippool(pool_name, expiry_time); 17 | CREATE INDEX radippool_framedipaddress ON radippool(framedipaddress); 18 | CREATE INDEX radippool_nasip_poolkey_ipaddress ON radippool(nasipaddress, pool_key, framedipaddress); 19 | -------------------------------------------------------------------------------- /raddb/mods-config/sql/main/mysql/extras/wimax/queries.conf: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | ## 3 | ## wimax.conf -- MySQL configuration for WiMAX keying 4 | ## 5 | ## $Id: 26942305017c59d4589d0645cfc79405b98b4c6a $ 6 | 7 | # Safe characters list for sql queries. Everything else is replaced 8 | # with their mime-encoded equivalents. 
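# The default list should be ok
#safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"

#######################################################################
# Query config: Username
#######################################################################
# This is the username that will get substituted, escaped, and added
# as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used below
# everywhere a username substitution is needed so you can be sure
# the username passed from the client is escaped properly.
#
# Uncomment the next line, if you want the sql_user_name to mean:
#
#	Use Stripped-User-Name, if it's there.
#	Else use User-Name, if it's there,
#	Else use hard-coded string "DEFAULT" as the user name.
#sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}"
#
sql_user_name = "%{User-Name}"

#######################################################################
# Logging of WiMAX SPI -> key mappings
#######################################################################
# postauth_query - Insert some info after authentication
#
# SECURITY NOTE: 'mipkey' receives the WiMAX-MN-hHA-MIP4-Key (or MIP6)
# reply attribute as a plain string, so the 'wimax' table holds live
# session key material, not just an audit trail. Grant the RADIUS DB
# account INSERT only on this table, keep it out of any read-only
# reporting account, and purge rows once 'lifetime' has elapsed.
#
# The %{...} expansions are escaped by the sql module against
# safe_characters (see above) before substitution; that is what stops
# a NAS-supplied User-Name from closing the quoted literal.
#
# Fixed: the comma after '%S' was missing. MySQL concatenates adjacent
# string literals, so the INSERT supplied four values for five columns
# and the query failed on every authentication.
#######################################################################

postauth_query = "INSERT INTO wimax \
	(username, authdate, spi, mipkey, lifetime) \
	VALUES ( \
	'%{User-Name}', '%S', \
	'%{%{reply:WiMAX-MN-hHA-MIP4-SPI}:-%{reply:WiMAX-MN-hHA-MIP6-SPI}}', \
	'%{%{reply:WiMAX-MN-hHA-MIP4-Key}:-%{reply:WiMAX-MN-hHA-MIP6-Key}}', '%{%{reply:Session-Timeout}:-86400}' )"

--------------------------------------------------------------------------------
/raddb/mods-config/sql/main/mysql/extras/wimax/schema.sql:
--------------------------------------------------------------------------------
#
# WiMAX Table structure for table 'wimax',
# which replaces the "radpostauth" table.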
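#

CREATE TABLE wimax (
  id int(11) NOT NULL auto_increment,
  username varchar(64) NOT NULL default '',
  authdate timestamp NOT NULL,
  spi varchar(16) NOT NULL default '',
  # Stores the WiMAX-MN-hHA-MIP4/MIP6-Key reply attribute verbatim (see
  # wimax/queries.conf). This is session key material: grant the RADIUS
  # account INSERT only on this table and keep it out of read-only
  # reporting accounts.
  mipkey varchar(400) NOT NULL default '',
  lifetime int(12) default NULL,
  PRIMARY KEY (id),
  KEY username (username),
  KEY spi (spi)
) ;

--------------------------------------------------------------------------------
/raddb/mods-config/sql/main/mysql/setup.sql:
--------------------------------------------------------------------------------
# -*- text -*-
##
## admin.sql -- MySQL commands for creating the RADIUS user.
##
## WARNING: You should change 'localhost' and 'radpass'
## to something else. Also update raddb/mods-available/sql
## with the new RADIUS password. 'radpass' is a published default;
## leaving it in place gives anyone who can reach the database server
## the same read access the RADIUS server has, including whatever
## password attributes are stored in radcheck.
##
## $Id: aff0505a473c67b65cfc19fae079454a36d4e119 $

#
# Create default administrator for RADIUS
#
# The password is set with IDENTIFIED BY at creation time. The previous
# "SET PASSWORD ... = PASSWORD('...')" form depends on the PASSWORD()
# function and the "SET PASSWORD FOR user = ..." syntax, both of which
# MySQL 8.0 removed, so it fails on current servers.
#
CREATE USER 'radius'@'localhost' IDENTIFIED BY 'radpass';

# The server can read any table in SQL
GRANT SELECT ON radius.* TO 'radius'@'localhost';

# The server can write to the accounting and post-auth logging table.
#
# i.e.
GRANT ALL on radius.radacct TO 'radius'@'localhost';
GRANT ALL on radius.radpostauth TO 'radius'@'localhost';
#
# Keep the account at this minimum. If you enable modules that write to
# other tables (sqlippool, cui, wimax, moonshot-targeted-ids), add
# per-table write grants for those tables rather than widening to radius.*.

--------------------------------------------------------------------------------
/raddb/mods-config/sql/main/ndb/README:
--------------------------------------------------------------------------------
The SQL schema and "create admin user" scripts are here in order to
simplify the process of using MySQL cluster.

The queries are NOT located here, because the database driver for
MySQL cluster is just "mysql", and not "ndb".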
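
--------------------------------------------------------------------------------
/raddb/mods-config/sql/main/ndb/setup.sql:
--------------------------------------------------------------------------------
# -*- text -*-
##
## admin.sql -- MySQL commands for creating the RADIUS user.
##
## WARNING: You should change 'localhost', 'radsrvr' and 'radpass'
## to something else. Also update raddb/mods-available/sql
## with the new RADIUS password.
##
## $Id: 5c91384c0991ea9614b7c798a1ab4c89ca227115 $

#
# Create default administrator for RADIUS, once per host it connects
# from (the cluster case needs the remote RADIUS host as well).
#
# IDENTIFIED BY on CREATE USER replaces both "SET PASSWORD ... =
# PASSWORD(...)" and the "GRANT ... IDENTIFIED BY" form used before.
# Both depend on syntax MySQL 8.0 removed, and GRANT creating users as
# a side effect is why the password had to be repeated on every GRANT.
#
CREATE USER 'radius'@'localhost' IDENTIFIED BY 'radpass';
CREATE USER 'radius'@'radsrvr' IDENTIFIED BY 'radpass';

# The server can read any table in SQL
GRANT SELECT ON radius.* TO 'radius'@'localhost';
GRANT SELECT ON radius.* TO 'radius'@'radsrvr';

# The server can write to the accounting and post-auth logging table.
#
# This now matches main/mysql/setup.sql. The previous "GRANT ALL ON
# radius.*" gave the RADIUS account DDL and write rights over every
# table, including the ones it only needs to read, which is far more
# than the comment above describes. Add per-table write grants for any
# extra module you enable (sqlippool, cui, ...) instead of widening these.
GRANT ALL on radius.radacct TO 'radius'@'localhost';
GRANT ALL on radius.radacct TO 'radius'@'radsrvr';
GRANT ALL on radius.radpostauth TO 'radius'@'localhost';
GRANT ALL on radius.radpostauth TO 'radius'@'radsrvr';

--------------------------------------------------------------------------------
/raddb/mods-config/sql/main/postgresql/extras/voip-postpaid.conf:
--------------------------------------------------------------------------------
# -*- text -*-
##
## voip-postpaid.conf -- PostgreSQL configuration for H323 VoIP billing
##                       (cisco_h323_db_schema.sql)
##
## $Id: 9f1449cc37d80e37025bdfd08fbd4d028aa0c800 $


#######################################################################
# Query config: Username
#######################################################################
# This is the username that will get substituted, escaped, and added
# as attribute 'SQL-User-Name'.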
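# '%{SQL-User-Name}' should be used below
# everywhere a username substitution is needed so you can be sure
# the username passed from the client is escaped properly.
#
# Uncomment the next line, if you want the sql_user_name to mean:
#
#	Use Stripped-User-Name, if it's there.
#	Else use User-Name, if it's there,
#	Else use hard-coded string "none" as the user name.
#
#sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}"
#
sql_user_name = "%{User-Name}"

accounting {
	reference = "%{tolower:type.%{Acct-Status-Type}.query}"

	# Write SQL queries to a logfile. This is potentially useful for bulk inserts
	# when used with the rlm_sql_null driver.
	# logfile = ${logdir}/accounting.sql

	#
	# The target table is built as <acct_table>%{h323-call-type}, i.e. the
	# NAS chooses the suffix. The sql module escapes the expansion against
	# safe_characters, so it cannot break out of the statement, but an
	# unexpected value still routes the INSERT to a missing table (query
	# error, accounting record lost) or to any other table whose name
	# starts with the prefix. Pin h323-call-type to the values you expect
	# (e.g. with attr_filter) earlier in the accounting section.
	#
	# The ::inet and ::integer casts in the stop query fail the whole
	# INSERT when the NAS sends a malformed h323-remote-address or
	# h323-voice-quality; NULLIF only handles the empty case.
	#
	type {
		start {
			query = "INSERT INTO ${....acct_table1}%{h323-call-type} \
				(RadiusServerName, UserName, NASIPAddress, AcctTime, CalledStationId, \
				CallingStationId, AcctDelayTime, h323gwid, h323callorigin, \
				h323setuptime, H323ConnectTime, callid) \
				VALUES(\
				'${radius_server_name}', '%{SQL-User-Name}', \
				'%{NAS-IP-Address}', now(), '%{Called-Station-Id}', \
				'%{Calling-Station-Id}', '%{%{Acct-Delay-Time}:-0}', '%{h323-gw-id}', \
				'%{h323-call-origin}', strip_dot('%{h323-setup-time}'), \
				strip_dot('%{h323-connect-time}'), pick_id('%{h323-conf-id}', \
				'%{call-id}'))"
		}

		stop {
			# Fixed: the table reference was written "$....acct_table2}",
			# which is not a config reference; the literal text ended up in
			# the SQL and every stop record failed.
			query = "INSERT INTO ${....acct_table2}%{h323-call-type} \
				(RadiusServerName, UserName, NASIPAddress, AcctTime, \
				AcctSessionTime, AcctInputOctets, AcctOutputOctets, CalledStationId, \
				CallingStationId, AcctDelayTime, H323RemoteAddress, H323VoiceQuality, \
				CiscoNASPort, h323callorigin, callid, h323connecttime, \
				h323disconnectcause, h323disconnecttime, h323gwid, h323setuptime) \
				VALUES(\
				'${radius_server_name}', '%{SQL-User-Name}', '%{NAS-IP-Address}', \
				NOW(), '%{%{Acct-Session-Time}:-0}', \
				'%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Octets}:-0}', \
				'%{Called-Station-Id}', '%{Calling-Station-Id}', \
				'%{%{Acct-Delay-Time}:-0}', NULLIF('%{h323-remote-address}', '')::inet, \
				NULLIF('%{h323-voice-quality}','')::integer, \
				NULLIF('%{Cisco-NAS-Port}', ''), \
				'%{h323-call-origin}', pick_id('%{h323-conf-id}', '%{call-id}'), \
				strip_dot('%{h323-connect-time}'), '%{h323-disconnect-cause}', \
				strip_dot('%{h323-disconnect-time}'), '%{h323-gw-id}', \
				strip_dot('%{h323-setup-time}'))"
		}
	}
}

--------------------------------------------------------------------------------
/raddb/mods-config/sql/main/postgresql/setup.sql:
--------------------------------------------------------------------------------
/*
 * admin.sql -- PostgreSQL commands for creating the RADIUS user.
 *
 * WARNING: You should change 'localhost' and 'radpass'
 * to something else. Also update raddb/sql.conf
 * with the new RADIUS password.
 *
 * WARNING: This example file is untested. Use at your own risk.
 * Please send any bug fixes to the mailing list.
 *
 * $Id: 6dfacb3b09a1b7da135a49a49cb75a573fd3bad4 $
 */

/*
 * Create default administrator for RADIUS
 */
CREATE USER radius WITH PASSWORD 'radpass';

/*
 * The server can read any table in SQL
 */
GRANT SELECT ON radcheck TO radius;
GRANT SELECT ON radreply TO radius;
GRANT SELECT ON radgroupcheck TO radius;
GRANT SELECT ON radgroupreply TO radius;
GRANT SELECT ON radusergroup TO radius;
GRANT SELECT ON nas TO radius;

/*
 * The server can write to the accounting and post-auth logging table.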
31 | */ 32 | GRANT SELECT, INSERT, UPDATE on radacct TO radius; 33 | GRANT SELECT, INSERT, UPDATE on radpostauth TO radius; 34 | 35 | /* 36 | * Grant permissions on sequences 37 | */ 38 | GRANT USAGE, SELECT ON SEQUENCE nas_id_seq TO radius; 39 | GRANT USAGE, SELECT ON SEQUENCE radacct_radacctid_seq TO radius; 40 | GRANT USAGE, SELECT ON SEQUENCE radcheck_id_seq TO radius; 41 | GRANT USAGE, SELECT ON SEQUENCE radgroupcheck_id_seq TO radius; 42 | GRANT USAGE, SELECT ON SEQUENCE radgroupreply_id_seq TO radius; 43 | GRANT USAGE, SELECT ON SEQUENCE radpostauth_id_seq TO radius; 44 | GRANT USAGE, SELECT ON SEQUENCE radreply_id_seq TO radius; 45 | GRANT USAGE, SELECT ON SEQUENCE radusergroup_id_seq TO radius; 46 | -------------------------------------------------------------------------------- /raddb/mods-config/sql/moonshot-targeted-ids/mysql/queries.conf: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # moonshot-targeted-ids/mysql/queries.conf -- Queries to update a MySQL Moonshot-Targeted-Ids table. 
4 | # 5 | # $Id: 68306db5a6c67f70804dc019e19daba5e938b4a9 $ 6 | 7 | post-auth { 8 | # Query to store the Moonshot-*-TargetedId 9 | query = "\ 10 | INSERT IGNORE INTO ${..moonshot_tid_table} \ 11 | (gss_acceptor, namespace, username, targeted_id) \ 12 | VALUES \ 13 | ('%{control:Moonshot-MSTID-GSS-Acceptor}', '%{control:Moonshot-MSTID-Namespace}', \ 14 | '%{tolower:%{User-Name}}', '%{control:Moonshot-MSTID-TargetedId}')" 15 | } 16 | -------------------------------------------------------------------------------- /raddb/mods-config/sql/moonshot-targeted-ids/mysql/schema.sql: -------------------------------------------------------------------------------- 1 | CREATE TABLE `moonshot_targeted_ids` ( 2 | `gss_acceptor` varchar(254) NOT NULL default '', 3 | `namespace` varchar(36) NOT NULL default '', 4 | `username` varchar(64) NOT NULL default '', 5 | `targeted_id` varchar(128) NOT NULL default '', 6 | `creationdate` timestamp NOT NULL default CURRENT_TIMESTAMP, 7 | PRIMARY KEY (`username`,`gss_acceptor`,`namespace`) 8 | ) ENGINE=InnoDB DEFAULT CHARSET=utf8; 9 | -------------------------------------------------------------------------------- /raddb/mods-config/sql/moonshot-targeted-ids/postgresql/queries.conf: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # moonshot-targeted-ids/postgresql/queries.conf -- Queries to update a PostgreSQL Moonshot-*-Targeted-Ids table. 
4 | # 5 | # $Id: f757a870a0b68c5dc3827c00bb501082fc7e03e9 $ 6 | 7 | post-auth { 8 | # Query to store the Moonshot-*-TargetedId 9 | query = "\ 10 | INSERT INTO ${..moonshot_tid_table} \ 11 | (gss_acceptor, namespace, username, targeted_id) \ 12 | VALUES \ 13 | ('%{control:Moonshot-MSTID-GSS-Acceptor}', '%{control:Moonshot-MSTID-Namespace}', \ 14 | '%{tolower:%{User-Name}}', '%{control:Moonshot-MSTID-TargetedId}')" 15 | } 16 | -------------------------------------------------------------------------------- /raddb/mods-config/sql/moonshot-targeted-ids/postgresql/schema.sql: -------------------------------------------------------------------------------- 1 | CREATE TABLE moonshot_targeted_ids ( 2 | gss_acceptor varchar(254) NOT NULL DEFAULT '', 3 | namespace varchar(36) NOT NULL DEFAULT '', 4 | username varchar(64) NOT NULL DEFAULT '', 5 | targeted_id varchar(128) NOT NULL DEFAULT '', 6 | creationdate TIMESTAMP with time zone NOT NULL default 'now()', 7 | PRIMARY KEY (username, gss_acceptor, namespace) 8 | ); 9 | -------------------------------------------------------------------------------- /raddb/mods-config/sql/moonshot-targeted-ids/sqlite/queries.conf: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # moonshot-targeted-ids/sqlite/queries.conf -- Queries to update a sqlite Moonshot-*-Targeted-Ids table. 
4 | # 5 | # $Id: 8cdb80382db6e94067a75c0428b375847eb04ad8 $ 6 | 7 | post-auth { 8 | # Query to store the Moonshot-*-TargetedId 9 | query = "\ 10 | INSERT INTO ${..moonshot_tid_table} \ 11 | (gss_acceptor, namespace, username, targeted_id) \ 12 | VALUES \ 13 | ('%{control:Moonshot-MSTID-GSS-Acceptor}', '%{control:Moonshot-MSTID-Namespace}', \ 14 | '%{tolower:%{User-Name}}', '%{control:Moonshot-MSTID-TargetedId}')" 15 | } 16 | -------------------------------------------------------------------------------- /raddb/mods-config/sql/moonshot-targeted-ids/sqlite/schema.sql: -------------------------------------------------------------------------------- 1 | CREATE TABLE `moonshot_targeted_ids` ( 2 | `gss_acceptor` varchar(254) NOT NULL default '', 3 | `namespace` varchar(36) NOT NULL default '', 4 | `username` varchar(64) NOT NULL default '', 5 | `targeted_id` varchar(128) NOT NULL default '', 6 | `creationdate` timestamp NOT NULL default CURRENT_TIMESTAMP, 7 | PRIMARY KEY (`username`,`gss_acceptor`,`namespace`) 8 | ); 9 | -------------------------------------------------------------------------------- /raddb/mods-config/unbound/default.conf: -------------------------------------------------------------------------------- 1 | server: 2 | num-threads: 2 3 | -------------------------------------------------------------------------------- /raddb/mods-enabled/always: -------------------------------------------------------------------------------- 1 | ../mods-available/always -------------------------------------------------------------------------------- /raddb/mods-enabled/attr_filter: -------------------------------------------------------------------------------- 1 | ../mods-available/attr_filter -------------------------------------------------------------------------------- /raddb/mods-enabled/cache_eap: -------------------------------------------------------------------------------- 1 | ../mods-available/cache_eap 
-------------------------------------------------------------------------------- /raddb/mods-enabled/chap: -------------------------------------------------------------------------------- 1 | ../mods-available/chap -------------------------------------------------------------------------------- /raddb/mods-enabled/date: -------------------------------------------------------------------------------- 1 | ../mods-available/date -------------------------------------------------------------------------------- /raddb/mods-enabled/detail: -------------------------------------------------------------------------------- 1 | ../mods-available/detail -------------------------------------------------------------------------------- /raddb/mods-enabled/detail.log: -------------------------------------------------------------------------------- 1 | ../mods-available/detail.log -------------------------------------------------------------------------------- /raddb/mods-enabled/digest: -------------------------------------------------------------------------------- 1 | ../mods-available/digest -------------------------------------------------------------------------------- /raddb/mods-enabled/dynamic_clients: -------------------------------------------------------------------------------- 1 | ../mods-available/dynamic_clients -------------------------------------------------------------------------------- /raddb/mods-enabled/eap: -------------------------------------------------------------------------------- 1 | ../mods-available/eap -------------------------------------------------------------------------------- /raddb/mods-enabled/echo: -------------------------------------------------------------------------------- 1 | ../mods-available/echo -------------------------------------------------------------------------------- /raddb/mods-enabled/exec: -------------------------------------------------------------------------------- 1 | ../mods-available/exec 
-------------------------------------------------------------------------------- /raddb/mods-enabled/expiration: -------------------------------------------------------------------------------- 1 | ../mods-available/expiration -------------------------------------------------------------------------------- /raddb/mods-enabled/expr: -------------------------------------------------------------------------------- 1 | ../mods-available/expr -------------------------------------------------------------------------------- /raddb/mods-enabled/files: -------------------------------------------------------------------------------- 1 | ../mods-available/files -------------------------------------------------------------------------------- /raddb/mods-enabled/linelog: -------------------------------------------------------------------------------- 1 | ../mods-available/linelog -------------------------------------------------------------------------------- /raddb/mods-enabled/logintime: -------------------------------------------------------------------------------- 1 | ../mods-available/logintime -------------------------------------------------------------------------------- /raddb/mods-enabled/mschap: -------------------------------------------------------------------------------- 1 | ../mods-available/mschap -------------------------------------------------------------------------------- /raddb/mods-enabled/ntlm_auth: -------------------------------------------------------------------------------- 1 | ../mods-available/ntlm_auth -------------------------------------------------------------------------------- /raddb/mods-enabled/pap: -------------------------------------------------------------------------------- 1 | ../mods-available/pap -------------------------------------------------------------------------------- /raddb/mods-enabled/passwd: -------------------------------------------------------------------------------- 1 | ../mods-available/passwd 
-------------------------------------------------------------------------------- /raddb/mods-enabled/preprocess: -------------------------------------------------------------------------------- 1 | ../mods-available/preprocess -------------------------------------------------------------------------------- /raddb/mods-enabled/radutmp: -------------------------------------------------------------------------------- 1 | ../mods-available/radutmp -------------------------------------------------------------------------------- /raddb/mods-enabled/realm: -------------------------------------------------------------------------------- 1 | ../mods-available/realm -------------------------------------------------------------------------------- /raddb/mods-enabled/replicate: -------------------------------------------------------------------------------- 1 | ../mods-available/replicate -------------------------------------------------------------------------------- /raddb/mods-enabled/rest: -------------------------------------------------------------------------------- 1 | ../mods-available/rest -------------------------------------------------------------------------------- /raddb/mods-enabled/soh: -------------------------------------------------------------------------------- 1 | ../mods-available/soh -------------------------------------------------------------------------------- /raddb/mods-enabled/sql: -------------------------------------------------------------------------------- 1 | ../mods-available/sql -------------------------------------------------------------------------------- /raddb/mods-enabled/sqlcounter: -------------------------------------------------------------------------------- 1 | ../mods-available/sqlcounter -------------------------------------------------------------------------------- /raddb/mods-enabled/sradutmp: -------------------------------------------------------------------------------- 1 | ../mods-available/sradutmp 
-------------------------------------------------------------------------------- /raddb/mods-enabled/unix: -------------------------------------------------------------------------------- 1 | ../mods-available/unix -------------------------------------------------------------------------------- /raddb/mods-enabled/unpack: -------------------------------------------------------------------------------- 1 | ../mods-available/unpack -------------------------------------------------------------------------------- /raddb/mods-enabled/utf8: -------------------------------------------------------------------------------- 1 | ../mods-available/utf8 -------------------------------------------------------------------------------- /raddb/panic.gdb: -------------------------------------------------------------------------------- 1 | info locals 2 | info args 3 | thread apply all bt full 4 | quit 5 | -------------------------------------------------------------------------------- /raddb/policy.d/abfab-tr: -------------------------------------------------------------------------------- 1 | # 2 | # ABFAB Trust router policies. 
3 | # 4 | # $Id: 3a088538b5acc09aebc80b40391febf1d57a617a $ 5 | # 6 | 7 | 8 | # 9 | # Verify rp parameters 10 | # 11 | psk_authorize { 12 | if (&TLS-PSK-Identity) { 13 | # TODO: may need to check trust-router-apc as well 14 | if ("%{psksql:select distinct keyid from authorizations_keys where keyid = '%{tls-psk-identity}' and '%{trust-router-coi}' like coi and '%{gss-acceptor-realm-name}' like acceptor_realm and '%{gss-acceptor-host-name}' like hostname;}") { 15 | # do things here 16 | } 17 | else { 18 | update reply { 19 | Reply-Message = "RP not authorized for this ABFAB request" 20 | } 21 | reject 22 | } 23 | } 24 | } 25 | 26 | abfab_client_check { 27 | # check that GSS-Acceptor-Host-Name is correct 28 | if ("%{client:gss_acceptor_host_name}") { 29 | if (&request:GSS-Acceptor-Host-Name) { 30 | if (&request:GSS-Acceptor-Host-Name != "%{client:gss_acceptor_host_name}") { 31 | update reply { 32 | Reply-Message = "GSS-Acceptor-Host-Name incorrect" 33 | } 34 | reject 35 | } 36 | } 37 | else { 38 | # set GSS-Acceptor-Host-Name if it is not set by the mechanism 39 | # but it is defined in the client configuration 40 | update request { 41 | GSS-Acceptor-Host-Name = "%{client:gss_acceptor_host_name}" 42 | } 43 | } 44 | } 45 | 46 | # set Trust-Router-COI attribute from the client configuration 47 | if ("%{client:trust_router_coi}") { 48 | update request { 49 | Trust-Router-COI := "%{client:trust_router_coi}" 50 | } 51 | } 52 | 53 | # set GSS-Acceptor-Realm-Name attribute from the client configuration 54 | if ("%{client:gss_acceptor_realm_name}") { 55 | update request { 56 | GSS-Acceptor-Realm-Name := "%{client:gss_acceptor_realm_name}" 57 | } 58 | } 59 | 60 | # set GSS-Acceptor-Service-Name attribute from the client configuration 61 | if ("%{client:gss_acceptor_service_name}") { 62 | update request { 63 | GSS-Acceptor-Service-Name = "%{client:gss_acceptor_service_name}" 64 | } 65 | } 66 | 67 | } 68 | 69 | # A policy which is used to validate channel-bindings. 
70 | # 71 | abfab_channel_bindings { 72 | if (&GSS-Acceptor-Service-Name && (&outer.request:GSS-Acceptor-Service-Name != &GSS-Acceptor-Service-Name)) { 73 | reject 74 | } 75 | 76 | if (&GSS-Acceptor-Host-Name && &outer.request:GSS-Acceptor-Host-Name != &GSS-Acceptor-Host-Name ) { 77 | reject 78 | } 79 | 80 | if (&GSS-Acceptor-Realm-Name && &outer.request:GSS-Acceptor-Realm-Name != &GSS-Acceptor-Realm-Name ) { 81 | reject 82 | } 83 | 84 | if (&GSS-Acceptor-Service-Name || &GSS-Acceptor-Realm-Name || &GSS-Acceptor-Host-Name) { 85 | update control { 86 | &Chbind-Response-Code := success 87 | } 88 | 89 | # 90 | # ACK the attributes in the request. 91 | # 92 | # If any one of these attributes don't exist in the request, 93 | # then they won't be copied to the reply. 94 | # 95 | update reply { 96 | &GSS-Acceptor-Service-Name = &GSS-Acceptor-Service-Name 97 | &GSS-Acceptor-Host-Name = &GSS-Acceptor-Host-Name 98 | &GSS-Acceptor-Realm-Name = &GSS-Acceptor-Realm-Name 99 | } 100 | } 101 | 102 | # 103 | # Return "handled" so that the "authenticate" section isn't used. 104 | # 105 | handled 106 | } 107 | -------------------------------------------------------------------------------- /raddb/policy.d/canonicalization: -------------------------------------------------------------------------------- 1 | # 2 | # Split User-Name in NAI format (RFC 4282) into components 3 | # 4 | # This policy writes the Username and Domain portions of the 5 | # NAI into the Stripped-User-Name and Stripped-User-Domain 6 | # attributes. 7 | # 8 | # The regular expression to do this is not strictly compliant 9 | # with the standard, but it is not possible to write a 10 | # compliant regexp without perl style regular expressions (or 11 | # at least not a legible one). 
12 | # 13 | nai_regexp = '^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$' 14 | 15 | split_username_nai { 16 | if (&User-Name && (&User-Name =~ /${policy.nai_regexp}/)) { 17 | update request { 18 | &Stripped-User-Name := "%{1}" 19 | } 20 | 21 | # Only add the Stripped-User-Domain attribute if 22 | # we have a domain. This means presence checks 23 | # for Stripped-User-Domain work. 24 | if ("%{3}" != '') { 25 | update request { 26 | &Stripped-User-Domain = "%{3}" 27 | } 28 | } 29 | 30 | # If any of the expansions result in a null 31 | # string, the update section may return 32 | # something other than updated... 33 | updated 34 | } 35 | else { 36 | noop 37 | } 38 | } 39 | 40 | # 41 | # If called in post-proxy we modify the proxy-reply message 42 | # 43 | split_username_nai.post-proxy { 44 | if (&proxy-reply:User-Name && (&proxy-reply:User-Name =~ /${policy.nai_regexp}/)) { 45 | update proxy-reply { 46 | &Stripped-User-Name := "%{1}" 47 | } 48 | 49 | # Only add the Stripped-User-Domain attribute if 50 | # we have a domain. This means presence checks 51 | # for Stripped-User-Domain work. 52 | if ("%{3}" != '') { 53 | update proxy-reply { 54 | &Stripped-User-Domain = "%{3}" 55 | } 56 | } 57 | updated 58 | } 59 | else { 60 | noop 61 | } 62 | } 63 | 64 | # 65 | # Normalize the MAC Addresses in the Calling/Called-Station-Id 66 | # 67 | mac-addr-regexp = '([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})' 68 | 69 | # 70 | # Add "rewrite_called_station_id" in the "authorize" and 71 | # "preacct" sections. 72 | # 73 | # Makes Called-Station-ID conform to what RFC3580 says should 74 | # be provided by 802.1X authenticators. 75 | # 76 | rewrite_called_station_id { 77 | if (&Called-Station-Id && (&Called-Station-Id =~ /^${policy.mac-addr-regexp}([^0-9a-f](.+))?$/i)) { 78 | update request { 79 | &Called-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" 80 | } 81 | 82 | # SSID component? 
83 | if ("%{8}") { 84 | update request { 85 | &Called-Station-SSID := "%{8}" 86 | } 87 | } 88 | updated 89 | } 90 | else { 91 | noop 92 | } 93 | } 94 | 95 | # 96 | # Add "rewrite_calling_station_id" in the "authorize" and 97 | # "preacct" sections. 98 | # 99 | # Makes Calling-Station-ID conform to what RFC3580 says should 100 | # be provided by 802.1X authenticators. 101 | # 102 | rewrite_calling_station_id { 103 | if (&Calling-Station-Id && (&Calling-Station-Id =~ /^${policy.mac-addr-regexp}$/i)) { 104 | update request { 105 | &Calling-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" 106 | } 107 | updated 108 | } 109 | else { 110 | noop 111 | } 112 | } 113 | 114 | -------------------------------------------------------------------------------- /raddb/policy.d/control: -------------------------------------------------------------------------------- 1 | # 2 | # If you want the server to pretend that it is dead, 3 | # then use the "do_not_respond" policy. 4 | # 5 | do_not_respond { 6 | update control { 7 | &Response-Packet-Type := Do-Not-Respond 8 | } 9 | handled 10 | } 11 | 12 | # 13 | # Send Access-Accept immediately 14 | # 15 | accept { 16 | update control { 17 | &Response-Packet-Type = Access-Accept 18 | } 19 | handled 20 | } 21 | 22 | # 23 | # Send Access-Challenge immediately 24 | # 25 | challenge { 26 | update control { 27 | &Response-Packet-Type = Access-Challenge 28 | } 29 | handled 30 | } 31 | 32 | # 33 | # Send an Accounting-Response immediately 34 | # 35 | acct_response { 36 | update control { 37 | &Response-Packet-Type = Accounting-Response 38 | } 39 | handled 40 | } 41 | -------------------------------------------------------------------------------- /raddb/policy.d/debug: -------------------------------------------------------------------------------- 1 | # 2 | # Outputs the contents of the control list in debugging (-X) mode 3 | # 4 | debug_control { 5 | if("%{debug_attr:control:}" == '') { 6 | noop 7 | } 8 | } 9 | 10 | # 11 | # Outputs the 
contents of the request list in debugging (-X) mode 12 | # 13 | debug_request { 14 | if("%{debug_attr:request:}" == '') { 15 | noop 16 | } 17 | } 18 | 19 | # 20 | # Outputs the contents of the coa list in debugging (-X) mode 21 | # 22 | debug_coa { 23 | if("%{debug_attr:coa:}" == '') { 24 | noop 25 | } 26 | } 27 | 28 | # 29 | # Outputs the contents of the reply list in debugging (-X) mode 30 | # 31 | debug_reply { 32 | if("%{debug_attr:reply:}" == '') { 33 | noop 34 | } 35 | } 36 | 37 | # 38 | # Outputs the contents of the session state list in debugging (-X) mode 39 | # 40 | debug_session_state { 41 | if("%{debug_attr:session-state:}" == '') { 42 | noop 43 | } 44 | } 45 | 46 | # 47 | # Outputs the contents of the proxy-request state list in debugging (-X) mode 48 | # 49 | debug_proxy_request { 50 | if("%{debug_attr:proxy-request:}" == '') { 51 | noop 52 | } 53 | } 54 | 55 | # 56 | # Outputs the contents of the main lists in debugging (-X) mode 57 | # 58 | debug_all { 59 | debug_control 60 | debug_request 61 | debug_coa 62 | debug_reply 63 | debug_session_state 64 | } 65 | -------------------------------------------------------------------------------- /raddb/policy.d/dhcp: -------------------------------------------------------------------------------- 1 | # Assign compatibility data to request for sqlippool 2 | dhcp_sqlippool.post-auth { 3 | 4 | 5 | # Do some minor hacks to the request so that it looks 6 | # like a RADIUS request to the SQL IP Pool module. 7 | update request { 8 | &User-Name = "DHCP-%{DHCP-Client-Hardware-Address}" 9 | &Calling-Station-Id = "%{DHCP-Client-Hardware-Address}" 10 | &NAS-IP-Address = "%{%{DHCP-Gateway-IP-Address}:-127.0.0.1}" 11 | &Acct-Status-Type = Start 12 | } 13 | 14 | # Call the actual module 15 | dhcp_sqlippool 16 | 17 | # Convert Framed-IP-Address to DHCP, but only if we 18 | # actually allocated an address. 
19 | if (ok) { 20 | update reply { 21 | &DHCP-Your-IP-Address = "%{reply:Framed-IP-Address}" 22 | } 23 | } 24 | } 25 | 26 | -------------------------------------------------------------------------------- /raddb/policy.d/eap: -------------------------------------------------------------------------------- 1 | # 2 | # Response caching to handle proxy failovers 3 | # 4 | Xeap.authorize { 5 | cache_eap 6 | if (ok) { 7 | # 8 | # Expire previous cache entry 9 | # 10 | if (&control:State) { 11 | update control { 12 | &Cache-TTL := 0 13 | } 14 | cache_eap 15 | 16 | update control { 17 | &State !* ANY 18 | } 19 | } 20 | 21 | handled 22 | } 23 | else { 24 | eap.authorize 25 | } 26 | } 27 | 28 | # 29 | # Populate cache with responses from the EAP module 30 | # 31 | Xeap.authenticate { 32 | eap { 33 | handled = 1 34 | } 35 | if (handled) { 36 | cache_eap.authorize 37 | 38 | handled 39 | } 40 | 41 | cache_eap.authorize 42 | } 43 | 44 | # 45 | # Forbid all EAP types. Enable this by putting "forbid_eap" 46 | # into the "authorize" section. 47 | # 48 | forbid_eap { 49 | if (&EAP-Message) { 50 | reject 51 | } 52 | } 53 | 54 | # 55 | # Forbid all non-EAP types outside of an EAP tunnel. 56 | # 57 | permit_only_eap { 58 | if (!&EAP-Message) { 59 | # We MAY be inside of a TTLS tunnel. 60 | # PEAP and EAP-FAST require EAP inside of 61 | # the tunnel, so this check is OK. 62 | # If so, then there MUST be an outer EAP message. 63 | if (!&outer.request || !&outer.request:EAP-Message) { 64 | reject 65 | } 66 | } 67 | } 68 | 69 | # 70 | # Remove Reply-Message from response if were doing EAP 71 | # 72 | # Be RFC 3579 2.6.5 compliant - EAP-Message and Reply-Message should 73 | # not be present in the same response. 
74 | # 75 | remove_reply_message_if_eap { 76 | if (&reply:EAP-Message && &reply:Reply-Message) { 77 | update reply { 78 | &Reply-Message !* ANY 79 | } 80 | } 81 | else { 82 | noop 83 | } 84 | } 85 | 86 | -------------------------------------------------------------------------------- /raddb/policy.d/operator-name: -------------------------------------------------------------------------------- 1 | # 2 | # The following policies are for the Operator-Name 3 | # configuration. 4 | # 5 | # The policies below can be called as just 'operator-name' (not 6 | # operator-name.authorize etc..) from the various config sections. 7 | # 8 | 9 | # If you require that the Operator-Name be set 10 | # for local clients then call the 'operator-name' policy 11 | # in the authorize section of the virtual-server for your clients in clients.conf 12 | 13 | # To inject an Operator-Name whilst proxying, call the 14 | # 'operator-name' policy in the pre-proxy section of the virtual server 15 | # No need to call this if you have already enabled this in 16 | # the authorize section. 17 | 18 | # 19 | # We assume that clients can have the operator-name definition 20 | # in the client.conf, e.g. 21 | # client xxxx { 22 | # ... 
23 | # Operator-Name = 1your.domain 24 | # } 25 | # If this parameter is found for a client, then we add 26 | # an Operator-Name attribute 27 | # 28 | operator-name.authorize { 29 | if ("%{client:Operator-Name}") { 30 | update request { 31 | &Operator-Name = "%{client:Operator-Name}" 32 | } 33 | } 34 | } 35 | 36 | # 37 | # Before proxying the client add an Operator-Name 38 | # attribute identifying this site if the operator-name is found for this client 39 | # 40 | operator-name.pre-proxy { 41 | if (("%{request:Packet-Type}" == 'Access-Request') && "%{client:Operator-Name}") { 42 | update proxy-request { 43 | &Operator-Name := "%{client:Operator-Name}" 44 | } 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /raddb/policy.d/rfc7542: -------------------------------------------------------------------------------- 1 | # 2 | # The following policy is for RFC7542-style bang path 3 | # management. 4 | # 5 | # It hands control from the standard 'suffix' realm 6 | # processor to the 'bangpath' processor, allowing the 7 | # definition of specific routing information in the 8 | # decoration of the User-Name. 9 | # 10 | # Use this with caution. In particular, read the following 11 | # RFC document sections for reasons why you shouldn't use 12 | # this, and also why this is used: 13 | # 14 | # 1. https://tools.ietf.org/html/rfc4282#section-2.7 15 | # 2. https://tools.ietf.org/html/rfc7542#section-3.3.1 16 | # 17 | # $Id: 84a5c17d2623ca622884c835bb7906e63c417e77 $ 18 | # 19 | 20 | # This is a |-separated list of realms this specific service 21 | # is responsible for. We cannot read this from the proxy.conf 22 | # file, so we turn this into an 'or list' regex. 23 | # Examples: rfc7542_realms = 'example.com' 24 | # rfc7542_realms = 'example.com|another.net|this.org' 25 | # 26 | rfc7542_realms = 'changeme' 27 | 28 | # This policy checks the User-Name attribute whether it is in 29 | # RFC7542 bang-path format.
If it is, it lets the bangpath realm 30 | # processor handle it, otherwise it leaves it for suffix to handle 31 | # 32 | rfc7542.authorize { 33 | # Format: not_local_realm!...@local_realm: Handle with bangpath 34 | if ( (&request:User-Name =~ /(.+)!(.*)\@(${policy.rfc7542_realms})/) && \ 35 | !(&request:User-Name =~ /(${policy.rfc7542_realms})!(.*)\@(.+)/) ) { 36 | bangpath 37 | updated 38 | } 39 | 40 | # Format: local_realm!...@not_local_realm: Handle with bangpath 41 | elsif ( (&request:User-Name =~ /(${policy.rfc7542_realms})!(.*)\@(.+)/) && \ 42 | !(&request:User-Name =~ /(.+)!(.*)\@(${policy.rfc7542_realms})/) ) { 43 | bangpath 44 | updated 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /raddb/sites-available/abfab-tls: -------------------------------------------------------------------------------- 1 | # 2 | # Example configuration for ABFAB listening on TLS. 3 | # 4 | # $Id: 5dbe143da6f170505fa1b0e1c4282ebe60b139bb $ 5 | # 6 | listen { 7 | ipaddr = * 8 | port = 2083 9 | type = auth 10 | proto = tcp 11 | 12 | tls { 13 | private_key_password = whatever 14 | 15 | # Moonshot tends to distribute certs separate from keys 16 | private_key_file = ${certdir}/server.key 17 | certificate_file = ${certdir}/server.pem 18 | ca_file = ${cadir}/ca.pem 19 | dh_file = ${certdir}/dh 20 | fragment_size = 8192 21 | ca_path = ${cadir} 22 | cipher_list = "DEFAULT" 23 | 24 | cache { 25 | enable = no 26 | lifetime = 24 # hours 27 | name = "abfab-tls" 28 | # persist_dir = ${logdir}/abfab-tls 29 | } 30 | 31 | require_client_cert = yes 32 | verify { 33 | } 34 | 35 | psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}" 36 | } 37 | 38 | virtual_server = abfab-idp 39 | 40 | clients = radsec-abfab 41 | } 42 | 43 | clients radsec-abfab { 44 | # 45 | # Allow all clients, but require TLS. 46 | # This client stanza will match other RP proxies from other 47 | # realms established via the trustrouter. 
In general 48 | # additional client stanzas are also required for local services. 49 | # 50 | client default { 51 | ipaddr = 0.0.0.0/0 52 | proto = tls 53 | } 54 | 55 | # An example local service 56 | # client service_1 { 57 | # ipaddr = 192.0.2.20 58 | # # You should either set gss_acceptor_host_name below 59 | # # or set up policy to confirm that a client claims 60 | # # the right acceptor hostname when using ABFAB. If 61 | # # set, the RADIUS server will confirm that all 62 | # # requests have this value for the acceptor host name 63 | # gss_acceptor_host_name = "server.example.com" 64 | # # If set, this acceptor realm name will be included. 65 | # # Foreign realms will typically reject a request if this is not 66 | # # properly set. 67 | # gss_acceptor_realm_name = "example.com" 68 | # # Additionally, trust_router_coi can be set; if set 69 | # # it will override the default_community in the realm 70 | # # module 71 | # # trust_router_coi = "community1.example.net" 72 | # # In production deployments it is important to set 73 | # # up certificate verification so that even if 74 | # # clients spoof IP addresses, one client cannot 75 | # # impersonate another. 76 | # } 77 | 78 | } 79 | -------------------------------------------------------------------------------- /raddb/sites-available/challenge: -------------------------------------------------------------------------------- 1 | # 2 | # This file gives an example of using Challenge-Response 3 | # 4 | # In this example, the user logs in with a password, which has 5 | # to be "hello". The server will send them a challenge 6 | # consisting of a random number 0..9. The user has to respond 7 | # with that number.
8 | # 9 | # 10 | # $Id: 24c9b2546eb2a62fb60b31fa5add4537b6536a31 $ 11 | # 12 | listen { 13 | type = auth 14 | ipaddr = * 15 | port = 2000 16 | virtual_server = challenge 17 | } 18 | 19 | server challenge { 20 | authorize { 21 | 22 | # 23 | # If there's no State attribute, then this is the request from 24 | # the user. 25 | # 26 | if (!State) { 27 | update control { 28 | Auth-Type := Step1 29 | Cleartext-Password := "hello" 30 | } 31 | } 32 | else { 33 | # 34 | # Do authentication for step 2. 35 | # Set the "known good" password to the number 36 | # saved in the session-state list. 37 | # 38 | update control { 39 | Auth-Type := Step2 40 | Cleartext-Password := &session-state:Tmp-Integer-0 41 | } 42 | } 43 | } 44 | 45 | authenticate { 46 | Auth-Type Step1 { 47 | # If the password doesn't match, the user is rejected 48 | # immediately. 49 | pap 50 | 51 | # 52 | # Set the random number to save. 53 | # 54 | update session-state { 55 | Tmp-Integer-0 := "%{randstr:n}" 56 | } 57 | update reply { 58 | Reply-Message := &session-state:Tmp-Integer-0 59 | } 60 | 61 | # 62 | # Send an Access-Challenge. 63 | # See raddb/policy.d/control for the definition 64 | # of "challenge" 65 | # 66 | challenge 67 | } 68 | 69 | Auth-Type Step2 { 70 | # 71 | # Do PAP authentication with the password. 72 | # 73 | pap 74 | } 75 | } 76 | } 77 | -------------------------------------------------------------------------------- /raddb/sites-available/channel_bindings: -------------------------------------------------------------------------------- 1 | # 2 | # A virtual server which is used to validate channel-bindings. 3 | # 4 | # $Id: b9f0ac791511903e4be8794203d324446e7a949c $ 5 | # 6 | server channel_bindings { 7 | # 8 | # Only the "authorize" section is needed. 9 | # 10 | authorize { 11 | # In general this section should include a policy for each type 12 | # of channel binding that may be in use.
For example each lower 13 | # layer such as GSS-EAP (RFC 7055) or IEEE 802.11I is likely to 14 | # need a separate channel binding policy. 15 | abfab_channel_bindings 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /raddb/sites-available/coa: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | ###################################################################### 3 | # 4 | # Sample virtual server for receiving a CoA or Disconnect-Request packet. 5 | # 6 | 7 | # Listen on the CoA port. 8 | # 9 | # This uses the normal set of clients, with the same secret as for 10 | # authentication and accounting. 11 | # 12 | listen { 13 | type = coa 14 | ipaddr = * 15 | port = 3799 16 | virtual_server = coa 17 | } 18 | 19 | server coa { 20 | # When a packet is received, it is processed through the 21 | # recv-coa section. This applies to *both* CoA-Request and 22 | # Disconnect-Request packets. 23 | recv-coa { 24 | # CoA && Disconnect packets can be proxied in the same 25 | # way as authentication or accounting packets. 26 | # Just set Proxy-To-Realm, or Home-Server-Pool, and the 27 | # packets will be proxied. 28 | 29 | # Do proxying based on realms here. You don't need 30 | # "IPASS" or "ntdomain", as the proxying is based on 31 | # the Operator-Name attribute. It contains the realm, 32 | # and ONLY the realm (prefixed by a '1') 33 | suffix 34 | 35 | # Insert your own policies here. 36 | ok 37 | } 38 | 39 | # When a packet is sent, it is processed through the 40 | # send-coa section. This applies to *both* CoA-Request and 41 | # Disconnect-Request packets. 42 | send-coa { 43 | # Sample module. 44 | ok 45 | } 46 | 47 | # You can use pre-proxy and post-proxy sections here, too. 48 | # They will be processed for sending && receiving proxy packets. 
49 | } 50 | -------------------------------------------------------------------------------- /raddb/sites-available/control-socket: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | ###################################################################### 3 | # 4 | # Control socket interface. 5 | # 6 | # In the future, we will add username/password checking for 7 | # connections to the control socket. We will also add 8 | # command authorization, where the commands entered by the 9 | # administrator are run through a virtual server before 10 | # they are executed. 11 | # 12 | # For now, anyone who has permission to connect to the socket 13 | # has nearly complete control over the server. Be warned! 14 | # 15 | # This functionality is NOT enabled by default. 16 | # 17 | # See also the "radmin" program, which is used to communicate 18 | # with the server over the control socket. 19 | # 20 | # $Id: 97ba9ef972539af80dcaf84090b55d991095a93e $ 21 | # 22 | ###################################################################### 23 | listen { 24 | # 25 | # Listen on the control socket. 26 | # 27 | type = control 28 | 29 | # 30 | # Socket location. 31 | # 32 | # This file is created with the server's uid and gid. 33 | # Its permissions are r/w for that user and group, and 34 | # no permissions for "other" users. These permissions form 35 | # minimal security, and should not be relied on. 36 | # 37 | socket = ${run_dir}/${name}.sock 38 | 39 | # 40 | # Peercred auth 41 | # 42 | # By default the server uses the peercred feature of unix 43 | # sockets to get the UID and GID of the user connecting to 44 | # the socket. You may choose to disable this functionality 45 | # and rely on the file system for enforcing permissions. 46 | # 47 | # On most Unix systems, the permissions set on the socket 48 | # are not enforced, but the ones on the directory containing 49 | # the socket are.
50 | # 51 | # To use filesystem permissions you should create a new 52 | # directory just to house the socket file, and set 53 | # appropriate permissions on that. 54 | # 55 | # peercred = no 56 | # socket = ${run_dir}/control/${name}.sock 57 | 58 | # 59 | # The following two parameters perform authentication and 60 | # authorization of connections to the control socket. 61 | # 62 | # If not set, then ANYONE can connect to the control socket, 63 | # and have complete control over the server. This is likely 64 | # not what you want. 65 | # 66 | # One, or both, of "uid" and "gid" should be set. If set, the 67 | # corresponding value is checked. Unauthorized users result 68 | # in an error message in the log file, and the connection is 69 | # closed. 70 | # 71 | 72 | # 73 | # Name of user that is allowed to connect to the control socket. 74 | # 75 | # uid = radius 76 | 77 | # 78 | # Name of group that is allowed to connect to the control socket. 79 | # 80 | # gid = radius 81 | 82 | # 83 | # Access mode. 84 | # 85 | # This can be used to give *some* administrators access to 86 | # monitor the system, but not to change it. 87 | # 88 | # ro = read only access (default) 89 | # rw = read/write access. 90 | # 91 | # mode = rw 92 | } 93 | -------------------------------------------------------------------------------- /raddb/sites-available/dhcp.relay: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | ###################################################################### 3 | # 4 | # This is a virtual server that handles DHCP relaying 5 | # 6 | # Only one server can listen on a socket, so you cannot 7 | # do DHCP relaying && run a DHCP server at the same time. 
8 | # 9 | ###################################################################### 10 | 11 | server dhcp.eth1 { 12 | listen { 13 | ipaddr = * 14 | port = 67 15 | type = dhcp 16 | interface = eth1 17 | } 18 | 19 | # Packets received on the socket will be processed through one 20 | # of the following sections, named after the DHCP packet type. 21 | # See dictionary.dhcp for the packet types. 22 | dhcp DHCP-Discover { 23 | update config { 24 | # IP Address of the DHCP server 25 | &DHCP-Relay-To-IP-Address := 192.0.2.2 26 | } 27 | update request { 28 | # IP Address of the DHCP relay (ourselves) 29 | &DHCP-Gateway-IP-Address := 192.0.2.1 30 | } 31 | ok 32 | } 33 | 34 | dhcp DHCP-Request { 35 | update config { 36 | # IP Address of the DHCP server 37 | &DHCP-Relay-To-IP-Address := 192.0.2.2 38 | } 39 | update request { 40 | &DHCP-Gateway-IP-Address := 192.0.2.2 41 | } 42 | ok 43 | } 44 | } 45 | -------------------------------------------------------------------------------- /raddb/sites-available/proxy-inner-tunnel: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | ###################################################################### 3 | # 4 | # This is a virtual server that handles *only* inner tunnel 5 | # requests for EAP-TTLS and PEAP types. 6 | # 7 | # $Id: 938d954592d3824e4d51e3315d0f7e0b5cfde824 $ 8 | # 9 | ###################################################################### 10 | 11 | server proxy-inner-tunnel { 12 | 13 | # 14 | # This example is very simple. All inner tunnel requests get 15 | # proxied to another RADIUS server. 16 | # 17 | authorize { 18 | # 19 | # Do other things here, as necessary. 20 | # 21 | # e.g. run the "realms" module, to decide how to proxy 22 | # the inner tunnel request. 23 | # 24 | 25 | update control { 26 | # You should update this to be one of your realms. 
27 | &Proxy-To-Realm := "example.com" 28 | } 29 | } 30 | 31 | authenticate { 32 | # 33 | # This is necessary so that the inner tunnel EAP-MSCHAPv2 34 | # method can be called. That method takes care of turning 35 | # EAP-MSCHAPv2 into plain MS-CHAPv2, if necessary. 36 | eap 37 | } 38 | 39 | post-proxy { 40 | # 41 | # This is necessary for LEAP, or if you set: 42 | # 43 | # proxy_tunneled_request_as_eap = no 44 | # 45 | eap 46 | } 47 | } 48 | -------------------------------------------------------------------------------- /raddb/sites-available/soh: -------------------------------------------------------------------------------- 1 | # This is a simple server for the MS SoH requests generated by the 2 | # peap module - see "eap.conf" for more info 3 | 4 | # Requests are ONLY passed through the authorize section, and cannot 5 | # current be proxied (in any event, the radius attributes used are 6 | # internal). 7 | 8 | server soh-server { 9 | authorize { 10 | if (&SoH-Supported == no) { 11 | # client NAKed our request for SoH - not supported, or turned off 12 | update config { 13 | &Auth-Type = Accept 14 | } 15 | } 16 | else { 17 | # client replied; check something - this is a local policy issue! 18 | if (&SoH-MS-Windows-Health-Status =~ /antivirus (warn|error) /) { 19 | update config { 20 | &Auth-Type = Reject 21 | } 22 | update reply { 23 | &Reply-Message = 'You must have antivirus enabled & installed!' 24 | } 25 | } 26 | else { 27 | update config { 28 | &Auth-Type = Accept 29 | } 30 | } 31 | } 32 | } 33 | } 34 | 35 | -------------------------------------------------------------------------------- /raddb/sites-available/virtual.example.com: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | ###################################################################### 3 | # 4 | # Sample virtual server for internally proxied requests. 5 | # 6 | # See the "realm virtual.example.com" example in "proxy.conf". 
7 | # 8 | # $Id: 3c4aea7458cca50c9f43f33e6aebd5ca08180de7 $ 9 | # 10 | ###################################################################### 11 | 12 | # 13 | # You will want to edit this to your local needs. We suggest copying 14 | # the text from the "default" file here, and then editing the text. 15 | # That way, any changes to the "default" file will not affect this 16 | # virtual server, and vice-versa. 17 | # 18 | # When this virtual server receives the request, the original 19 | # attributes can be accessed as "outer.request", "outer.control", etc. 20 | # See "man unlang" for more details. 21 | # 22 | server virtual.example.com { 23 | authorize { 24 | # insert policies here 25 | } 26 | 27 | authenticate { 28 | # insert policies here 29 | } 30 | 31 | # etc. 32 | } 33 | -------------------------------------------------------------------------------- /raddb/sites-available/vmps: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | ###################################################################### 3 | # 4 | # As of version 2.0.0, the server also supports the VMPS 5 | # protocol. 6 | # 7 | # $Id: c5c50786f4f5563d27218c70bf98c3898f47e5ba $ 8 | # 9 | ###################################################################### 10 | 11 | server vmps { 12 | listen { 13 | # VMPS sockets only support IPv4 addresses. 14 | ipaddr = * 15 | 16 | # Port on which to listen. 17 | # Allowed values are: 18 | # integer port number 19 | # 1589 is the default VMPS port. 20 | port = 1589 21 | 22 | # Type of packets to listen for. Here, it is VMPS. 23 | type = vmps 24 | 25 | # Some systems support binding to an interface, in addition 26 | # to the IP address. This feature isn't strictly necessary, 27 | # but for sites with many IP addresses on one interface, 28 | # it's useful to say "listen on all addresses for 29 | # eth0". 30 | # 31 | # If your system does not support this feature, you will 32 | # get an error if you try to use it. 
33 | # 34 | # interface = eth0 35 | } 36 | 37 | # If you have switches that are allowed to send VMPS, but NOT 38 | # RADIUS packets, then list them here as "client" sections. 39 | # 40 | # Note that for compatibility with RADIUS, you still have to 41 | # list a "secret" for each client, though that secret will not 42 | # be used for anything. 43 | 44 | 45 | # And the REAL contents. This section is just like the 46 | # "post-auth" section of radiusd.conf. In fact, it calls the 47 | # "post-auth" component of the modules that are listed here. 48 | # But it's called "vmps" to highlight that it's for VMPS. 49 | # 50 | vmps { 51 | # 52 | # Some requests may not have a MAC address. Try to 53 | # create one using other attributes. 54 | if (!&VMPS-Mac) { 55 | if (&VMPS-Ethernet-Frame =~ /0x.{12}(..)(..)(..)(..)(..)(..).*/) { 56 | update request { 57 | &VMPS-Mac = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}" 58 | } 59 | } 60 | else { 61 | update request { 62 | &VMPS-Mac = &VMPS-Cookie 63 | } 64 | } 65 | } 66 | 67 | # Do a simple mapping of MAC to VLAN. 68 | # 69 | # See radiusd.conf for the definition of the "mac2vlan" 70 | # module. 71 | # 72 | #mac2vlan 73 | 74 | # required VMPS reply attributes 75 | update reply { 76 | &VMPS-Packet-Type = VMPS-Join-Response 77 | &VMPS-Cookie = &VMPS-Mac 78 | 79 | &VMPS-VLAN-Name = "please_use_real_vlan_here" 80 | 81 | # 82 | # If you have VLAN's in a database, you can select 83 | # the VLAN name based on the MAC address. 84 | # 85 | #&VMPS-VLAN-Name = "%{sql:select ... where mac='%{VMPS-Mac}'}" 86 | } 87 | 88 | # correct reply packet type for reconfirmation requests 89 | # 90 | if (&VMPS-Packet-Type == VMPS-Reconfirm-Request){ 91 | update reply { 92 | &VMPS-Packet-Type := VMPS-Reconfirm-Response 93 | } 94 | } 95 | } 96 | 97 | # Proxying of VMPS requests is NOT supported. 
98 | } 99 | -------------------------------------------------------------------------------- /raddb/sites-enabled/default: -------------------------------------------------------------------------------- 1 | ../sites-available/default -------------------------------------------------------------------------------- /raddb/sites-enabled/inner-tunnel: -------------------------------------------------------------------------------- 1 | ../sites-available/inner-tunnel -------------------------------------------------------------------------------- /raddb/templates.conf: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | ## 3 | ## templates.conf -- configurations to be used in multiple places 4 | ## 5 | ## $Id: 7b8b44e051c974c1a0a6e27a0cff50e621835df2 $ 6 | 7 | ###################################################################### 8 | # 9 | # Version 2.0 has a useful new feature called "templates". 10 | # 11 | # Use templates by adding a line in radiusd.conf: 12 | # 13 | # $INCLUDE templates.conf 14 | # 15 | # The goal of the templates is to have common configuration located 16 | # in this file, and to list only the *differences* in the individual 17 | # sections. This feature is most useful for sections like "clients" 18 | # or "home_servers", where many may be defined, and each one has 19 | # similar repeated configuration. 20 | # 21 | # Something similar to templates can be done by putting common 22 | # configuration into separate files, and using "$INCLUDE file...", 23 | # but this is more flexible, and simpler to understand. It's also 24 | # cheaper for the server, because "$INCLUDE" makes a copy of the 25 | # configuration for inclusion, and templates are simply referenced. 26 | # 27 | # The templates are defined in the "templates" section, so that they 28 | # do not affect the rest of the server configuration. 
29 | # 30 | # A section can reference a template by using "$template name" 31 | # 32 | templates { 33 | # 34 | # The contents of the templates section are other 35 | # configuration sections that would normally go into 36 | # the configuration files. 37 | # 38 | 39 | # 40 | # This is a default template for the "home_server" section. 41 | # Note that there is no name for the section. 42 | # 43 | # Any configuration item that is valid for a "home_server" 44 | # section is also valid here. When a "home_server" section 45 | # is defined in proxy.conf, this section is referenced as 46 | # the template. 47 | # 48 | # Configuration items that are explicitly listed in a 49 | # "home_server" section of proxy.conf are used in 50 | # preference to the configuration items listed here. 51 | # 52 | # However, if a configuration item is NOT listed in a 53 | # "home_server" section of proxy.conf, then the value here 54 | # is used. 55 | # 56 | # This functionality lets you put common configuration into 57 | # a template, and to put only the unique configuration 58 | # items in "proxy.conf". Each section in proxy.conf can 59 | # then contain a line "$template home_server", which will 60 | # cause it to reference this template. 61 | # 62 | home_server { 63 | response_window = 20 64 | zombie_period = 40 65 | revive_interval = 120 66 | # 67 | # Etc. 68 | } 69 | 70 | # 71 | # You can also have named templates. For example, if you 72 | # are proxying to 3 different home servers all at the same 73 | # site, with identical configurations (other than IP 74 | # addresses), you can use this named template. 75 | # 76 | 77 | # Then, each "home_server" section in "proxy.conf" would 78 | # only list the IP address of that home server, and a 79 | # line saying 80 | # 81 | # $template example_com 82 | # 83 | # That would tell FreeRADIUS to look in the section below 84 | # for the rest of the configuration items. 85 | # 86 | # For various reasons, you shouldn't have a "." 
in the template 87 | # name. Doing so means that the server will be unable to find 88 | # the template. 89 | # 90 | example_com { 91 | type = auth 92 | port = 1812 93 | secret = testing123 94 | response_window = 20 95 | # 96 | # Etc... 97 | } 98 | 99 | # 100 | # You can have templates for other sections, too, but they 101 | # seem to be most useful for home_servers. 102 | # 103 | # For now, you can use templates only for sections in 104 | # radiusd.conf, not sub-sections. So you still have to use 105 | # the "$INCLUDE file.." method for things like defining 106 | # multiple "sql" modules, each with similar configuration. 107 | # 108 | } 109 | -------------------------------------------------------------------------------- /raddb/users: -------------------------------------------------------------------------------- 1 | ./mods-config/files/authorize -------------------------------------------------------------------------------- /scripts/local_settings.py: -------------------------------------------------------------------------------- 1 | # RENAME THIS FILE TO local_settings.py IF YOU NEED TO CUSTOMIZE SOME SETTINGS 2 | # BUT DO NOT COMMIT 3 | 4 | DATABASES = { 5 | 'default': { 6 | 'ENGINE': 'django.db.backends.postgresql_psycopg2', 7 | 'NAME': 'radius', 8 | 'USER': 'debug', 9 | 'PASSWORD': 'debug', 10 | 'HOST': 'postgres', 11 | 'PORT': '5432', 12 | 'OPTIONS': {'sslmode': 'require'}, 13 | }, 14 | } 15 | 16 | ALLOWED_HOSTS = ['*'] 17 | -------------------------------------------------------------------------------- /scripts/run-tests.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -ev 3 | docker-compose up -d 4 | # Wait for Postgresql to bootstrap 5 | sleep 10 6 | docker-compose ps 7 | docker-compose run --rm -v $PWD/scripts/users.csv:/users.csv django python manage.py batch_add_users --name users --file /users.csv 8 | docker pull 2stacks/radtest 9 | docker run -it --rm --network freeradius-django_backend 
2stacks/radtest radtest testing password freeradius 2 testing123 10 | -------------------------------------------------------------------------------- /scripts/start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | if [ "${RADIUS_DEBUG}" = "yes" ] 3 | then 4 | /wait-for.sh ${API_HOST}:${API_PORT} -t 15 -- radiusd -X -d /etc/raddb 5 | else 6 | /wait-for.sh ${API_HOST}:${API_PORT} -t 15 -- radiusd -d /etc/raddb 7 | fi 8 | -------------------------------------------------------------------------------- /scripts/users.csv: -------------------------------------------------------------------------------- 1 | testing,cleartext$password,testing@localhost,testing,testing -------------------------------------------------------------------------------- /scripts/wait-for.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | TIMEOUT=15 4 | QUIET=0 5 | 6 | echoerr() { 7 | if [ "$QUIET" -ne 1 ]; then printf "%s\n" "$*" 1>&2; fi 8 | } 9 | 10 | usage() { 11 | exitcode="$1" 12 | cat << USAGE >&2 13 | Usage: 14 | $cmdname host:port [-t timeout] [-- command args] 15 | -q | --quiet Do not output any status messages 16 | -t TIMEOUT | --timeout=timeout Timeout in seconds, zero for no timeout 17 | -- COMMAND ARGS Execute command with args after the test finishes 18 | USAGE 19 | exit "$exitcode" 20 | } 21 | 22 | wait_for() { 23 | command="$*" 24 | for i in `seq $TIMEOUT` ; do 25 | nc -z "$HOST" "$PORT" > /dev/null 2>&1 26 | 27 | result=$? 
28 | if [ $result -eq 0 ] ; then 29 | if [ -n "$command" ] ; then 30 | exec $command 31 | fi 32 | exit 0 33 | fi 34 | sleep 1 35 | done 36 | echo "Operation timed out" >&2 37 | exit 1 38 | } 39 | 40 | while [ $# -gt 0 ] 41 | do 42 | case "$1" in 43 | *:* ) 44 | HOST=$(printf "%s\n" "$1"| cut -d : -f 1) 45 | PORT=$(printf "%s\n" "$1"| cut -d : -f 2) 46 | shift 1 47 | ;; 48 | -q | --quiet) 49 | QUIET=1 50 | shift 1 51 | ;; 52 | -t) 53 | TIMEOUT="$2" 54 | if [ "$TIMEOUT" = "" ]; then break; fi 55 | shift 2 56 | ;; 57 | --timeout=*) 58 | TIMEOUT="${1#*=}" 59 | shift 1 60 | ;; 61 | --) 62 | shift 63 | break 64 | ;; 65 | --help) 66 | usage 0 67 | ;; 68 | *) 69 | echoerr "Unknown argument: $1" 70 | usage 1 71 | ;; 72 | esac 73 | done 74 | 75 | if [ "$HOST" = "" -o "$PORT" = "" ]; then 76 | echoerr "Error: you need to provide a host and port to test." 77 | usage 2 78 | fi 79 | 80 | wait_for "$@" 81 | --------------------------------------------------------------------------------