├── ReadMe.md ├── config ├── ngx_http_auth_radius.c ├── ngx_http_auth_radius.h ├── ngx_http_auth_radius_module.c └── raddb ├── dictionary ├── dictionary.compat ├── dictionary.freeradius ├── dictionary.freeradius.internal ├── dictionary.microsoft ├── dictionary.rfc2865 ├── dictionary.rfc2866 ├── dictionary.rfc2867 ├── dictionary.rfc2868 ├── dictionary.rfc2869 ├── dictionary.rfc3162 ├── dictionary.rfc3576 ├── dictionary.rfc3580 ├── dictionary.rfc4072 ├── dictionary.rfc4372 ├── dictionary.rfc4603 ├── dictionary.rfc4675 ├── dictionary.rfc4679 ├── dictionary.rfc4818 ├── dictionary.rfc4849 ├── dictionary.rfc5090 ├── dictionary.rfc5176 ├── dictionary.rfc5580 ├── dictionary.rfc5607 └── dictionary.rfc5904 /ReadMe.md: -------------------------------------------------------------------------------- 1 | # nginx-http-radius authentication module 2 | HTTP authentication over the RADIUS protocol. 3 | 4 | @author qudreams 5 | 6 | # Note: 7 | The nginx-http-radius module depends on libmyradclient, so you must compile that library first; 8 | the libmyradclient directory (containing libmyradclient.a) must sit next to the nginx-http-radius module directory, because the module's 9 | 'config' file sets the variables CORE_INCS and CORE_LIBS relative to that location. 10 | The module supports only the following authentication methods: 11 | PAP, CHAP, MSCHAP, MSCHAPV2 (written MSCHAP2 in nginx.conf), EAPMD5 12 | # Usage: 13 | 1. Compile libmyradclient first. 14 | 2. Compile the module into nginx like this: 15 | ./configure --add-module=src/nginx-http-radius-module 16 | make 17 | 18 | After compiling, install it with the following command: 19 | make install 20 | 21 | Nginx is installed into the directory /usr/local/nginx by default. 22 | 3. After installing nginx, modify the configuration file nginx.conf. 23 | The configuration file may look like the following: 24 | 25 | http { 26 | #set the directory of radius dictionary. 
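27 | radius_dict_directory "/usr/local/nginx/raddb/"; 28 | 29 | #radius server configuration including 30 | 31 | radius_server "radius_server1" { 32 | #authentication timed-out 33 | auth_timeout 5; 34 | 35 | #limit to resend the request 36 | resend_limit 3; 37 | 38 | #radius authentication server url. 39 | url "127.0.0.1:1812"; 40 | 41 | #share secret 42 | share_secret "secret"; 43 | } 44 | 45 | server { 46 | listen 80; 47 | server_name localhost; 48 | 49 | #charset koi8-r; 50 | 51 | #access_log logs/host.access.log main; 52 | 53 | location = /{ 54 | root html; 55 | index index.html index.htm; 56 | 57 | #radius server configuration 58 | 59 | #the third paramter is authentication method,you can set the following value: 60 | # PAP CHAP MSCHAP MSCHAP2 EAPMD5 61 | 62 | auth_radius_server "radius_server1" "PAP"; 63 | 64 | #authentication realm,you can set the following value: 65 | # Restricted "Close Content" off 66 | 67 | auth_radius "Restricted"; 68 | } 69 | } 70 | } 71 | -------------------------------------------------------------------------------- /config: -------------------------------------------------------------------------------- 1 | ngx_addon_name=ngx_http_auth_radius_module 2 | HTTP_MODULES="$HTTP_MODULES ngx_http_auth_radius_module" 3 | NGX_ADDON_SRCS="$NGX_ADDON_SRCS $ngx_addon_dir/ngx_http_auth_radius_module.c \ 4 | $ngx_addon_dir/ngx_http_auth_radius.c" 5 | CORE_INCS="$CORE_INCS $ngx_addon_dir/../libmyradclient/" 6 | CORE_LIBS="$CORE_LIBS $ngx_addon_dir/../libmyradclient/libmyradclient.a" 7 | -------------------------------------------------------------------------------- /ngx_http_auth_radius.c: --------------------------------------------------------------------------------
#include "ngx_http_auth_radius.h"

/* Upper bound on the UDP sockets one proxy keeps open at the same time. */
#define MAX_RADIUS_SOCKETS 32

typedef void (*ngx_queue_walk_handler)(ngx_queue_t* q,void* ctx);

static void
ngx_http_auth_radius_response_post_event(ngx_http_auth_radius_proxy_t* proxy,
        RADIUS_PACKET* reply,ngx_log_t* log);
/* Return type matches the definition below (the original said ssize_t here). */
static ngx_int_t ngx_http_auth_radius_recv(ngx_connection_t *c);
static void
ngx_http_auth_radius_process_finish(ngx_http_auth_radius_request_t* rr);


/*
 * Call walk_handler(q, ctx) for every node of the queue.
 * The successor is read before the handler runs, so the handler may
 * unlink the node it is given.
 */
void
ngx_queue_walk(ngx_queue_t* queue,
        ngx_queue_walk_handler walk_handler,void* ctx)
{
    ngx_queue_t* q = NULL;
    ngx_queue_t* next = NULL;
    ngx_queue_t* sentinel = ngx_queue_sentinel(queue);

    for(q = ngx_queue_head(queue);q != sentinel;q = next) {
        next = ngx_queue_next(q);
        walk_handler(q,ctx);
    }
}


/*
 * Open a non-blocking UDP socket of address family sf, wrap it in an nginx
 * connection and register its read event.
 *
 * Returns the new connection record (allocated from pool), or NULL on
 * failure. Every failure path releases what was acquired so far: the
 * original returned from the event-registration failures with the nginx
 * connection and the socket still open.
 */
ngx_http_auth_radius_connection_t*
ngx_http_auth_radius_connect(int sf,ngx_pool_t*pool,ngx_log_t* log)
{
    ngx_int_t           event;
    ngx_event_t        *rev, *wev;
    ngx_socket_t        s;
    ngx_connection_t   *c = NULL;
    ngx_http_auth_radius_connection_t* uc = NULL;

    assert(pool != NULL && log != NULL);

    uc = ngx_pcalloc(pool,sizeof(*uc));
    if(uc == NULL) {
        ngx_log_error(NGX_LOG_ERR,log,
                NGX_ENOMEM,"failed to create radius connection");
        return NULL;
    }

    s = ngx_socket(sf, SOCK_DGRAM, 0);

    ngx_log_debug1(NGX_LOG_DEBUG_EVENT,log, 0, "UDP socket %d", s);

    if (s == -1) {
        ngx_log_error(NGX_LOG_ALERT,log, ngx_socket_errno,
                ngx_socket_n " failed");
        ngx_pfree(pool,uc);
        return NULL;
    }

    c = ngx_get_connection(s,log);
    if (c == NULL) {
        goto close_socket;
    }

    if (ngx_nonblocking(s) == -1) {
        ngx_log_error(NGX_LOG_ALERT,log, ngx_socket_errno,
                ngx_nonblocking_n " failed");
        goto free_connection;
    }

    rev = c->read;
    wev = c->write;

    rev->log = log;
    wev->log = log;

    c->number = ngx_atomic_fetch_add(ngx_connection_counter, 1);

    /* UDP sockets are always ready to write */
    wev->ready = 1;

    if (ngx_add_event) {

        event = (ngx_event_flags & NGX_USE_CLEAR_EVENT) ?
                    /* kqueue, epoll */                 NGX_CLEAR_EVENT:
                    /* select, poll, /dev/poll */       NGX_LEVEL_EVENT;
                    /* eventport event type has no meaning: oneshot only */

        if (ngx_add_event(rev, NGX_READ_EVENT, event) != NGX_OK) {
            goto free_connection;
        }

    } else {
        /* rtsig */

        if (ngx_add_conn(c) == NGX_ERROR) {
            goto free_connection;
        }
    }

    uc->c = c;
    uc->last_used = time(NULL);

    return uc;

free_connection:
    ngx_free_connection(c);

close_socket:
    if (ngx_close_socket(s) == -1) {
        ngx_log_error(NGX_LOG_ALERT,log, ngx_socket_errno,
                ngx_close_socket_n " failed");
    }

    ngx_pfree(pool,uc);
    return NULL;
}


/*
 * Close one UDP connection of the proxy stored in uc->data.
 * Nothing is released unless fr_packet_list_socket_remove() reports
 * success for the socket.
 */
void
ngx_http_auth_radius_close_connection(ngx_http_auth_radius_connection_t* uc)
{
    ngx_http_auth_radius_proxy_t* proxy = uc->data;
    ngx_pool_t* pool = proxy->pool;

    if(fr_packet_list_socket_remove(proxy->request_packets,uc->c->fd)) {
        ngx_log_debug(NGX_LOG_DEBUG_HTTP,uc->c->log,0,
                "ngx_http_auth_radius: close udp connection: socket=%d",uc->c->fd);

        fr_hash_table_delete(proxy->udp_connections,uc);
        ngx_close_connection(uc->c);
        ngx_pfree(pool,uc);
        proxy->conn_counter--;
    }
}


/*
 * Read one RADIUS reply from the socket of c and hand it to the
 * post-event dispatcher.
 *
 * Returns NGX_OK when a reply was read, NGX_AGAIN when nothing is pending,
 * otherwise the result of ngx_connection_error(); on NGX_ERROR the
 * connection is closed.
 */
static ngx_int_t
ngx_http_auth_radius_recv(ngx_connection_t *c)
{
    ngx_int_t       n;
    ngx_err_t       err;
    ngx_event_t    *rev;
    RADIUS_PACKET*  reply = NULL;
    ngx_http_auth_radius_connection_t* uc = NULL;
    ngx_http_auth_radius_proxy_t* proxy = NULL;

    uc = c->data;
    proxy = uc->data;
    rev = c->read;

    do {
        reply = rad_recv(c->fd,0);

        if (reply) {
            ngx_http_auth_radius_response_post_event(proxy,reply,c->log);
            return NGX_OK;
        }

        /*
         * NOTE(review): errno is read without having been cleared. If
         * rad_recv() can also return NULL for a datagram it rejects (not
         * visible in this file), a stale errno decides between "retry" and
         * "close the socket" -- confirm against libmyradclient.
         */
        err = ngx_socket_errno;

        if (err == NGX_EAGAIN || err == NGX_EINTR) {
            n = NGX_AGAIN;
        } else {
            n = ngx_connection_error(c, err, "ngx_http_auth_radius_recv() failed");
            break;
        }
    } while (err == NGX_EINTR);

    rev->ready = 0;

    if (n == NGX_ERROR) {
        rev->error = 1;
        ngx_http_auth_radius_close_connection(uc);
    }

    return n;
}


/*
 * Read-event handler of a RADIUS socket: keep receiving while the event
 * is marked ready, and stop at the first error.
 */
static void
ngx_http_auth_radius_recv_response(ngx_event_t* rev) {
    ngx_connection_t* c = rev->data;
    ngx_int_t n = 0;

    do {
        n = ngx_http_auth_radius_recv(c);
        if(n == NGX_ERROR) {
            return;
        }
    }while(rev->ready);
}


/*
 * Create a UDP connection for the proxy and record it in the proxy's
 * hash table of connections. Returns NULL on failure.
 */
static ngx_http_auth_radius_connection_t*
ngx_http_auth_radius_create_connection(ngx_http_auth_radius_proxy_t* proxy,
        int sf,ngx_log_t* log)
{
    fr_hash_table_t* ucs = proxy->udp_connections;
    ngx_http_auth_radius_connection_t* uc = NULL;

    uc = ngx_http_auth_radius_connect(sf,proxy->pool,log);
    if(uc == NULL) {
        return NULL;
    }
    uc->data = proxy;

    if(fr_hash_table_insert(ucs,uc)) {
        proxy->conn_counter++;

        uc->c->data = uc;
        uc->c->read->handler = ngx_http_auth_radius_recv_response;
    } else {
        ngx_log_error(NGX_LOG_ERR,log,0,
                "ngx_http_auth_radius: failed to insert the "
                "connection socketfd=%d to hash-table of connections",
                uc->c->fd);

        ngx_close_connection(uc->c);
        ngx_pfree(proxy->pool,uc);
        uc = NULL;
    }

    return uc;
}


/*
 * Allocate a RADIUS packet id (and source socket) for rr->request.
 *
 * When no id can be allocated and fewer than MAX_RADIUS_SOCKETS sockets
 * are open, a new socket is created and the allocation is retried.
 * Returns NGX_OK or NGX_ERROR.
 */
ngx_int_t
ngx_http_auth_radius_alloc_id(ngx_http_auth_radius_proxy_t* proxy,
        ngx_http_auth_radius_request_t* rr,ngx_log_t* log)
{
    int rcode = 0;
    int sf = 0;
    fr_packet_list_t* pl = NULL;
    ngx_http_auth_radius_connection_t* uc = NULL;

    assert(proxy != NULL && rr != NULL);

    pl = proxy->request_packets;
    sf = rr->request->dst_ipaddr.af;

    for( ;; ) {
        if(fr_hash_table_num_elements(proxy->udp_connections) == 0) {
            rcode = 0;
        } else {
            rcode = fr_packet_list_id_alloc(pl,rr->request);
        }

        if(rcode != 0) {
            break;
        }

        if(proxy->conn_counter >= MAX_RADIUS_SOCKETS) {
            //beyond the limit of sockets
            ngx_log_error(NGX_LOG_ERR,log,0,
                    "ngx_http_auth_radius: "
                    "the opening sockets have been out of limits: %d",
                    MAX_RADIUS_SOCKETS);

            return NGX_ERROR;
        }

        //no socket has a free id,so we create a new one.
        ngx_log_debug(NGX_LOG_DEBUG_HTTP,log,0,
                "ngx_http_auth_radius: "
                "there is no udp connection,so we create a new one.");

        uc = ngx_http_auth_radius_create_connection(proxy,sf,log);
        if(uc == NULL) {
            return NGX_ERROR;
        }

        if(fr_packet_list_socket_add(pl,uc->c->fd) == 0) {
            ngx_log_error(NGX_LOG_ERR,
                    log,0,
                    "ngx_http_auth_radius: add socket failed");

            /*
             * The packet list does not know this socket, so retrying would
             * only open another one on every pass until the limit is hit.
             * Release it and fail the allocation instead.
             */
            fr_hash_table_delete(proxy->udp_connections,uc);
            ngx_close_connection(uc->c);
            ngx_pfree(proxy->pool,uc);
            proxy->conn_counter--;

            return NGX_ERROR;
        }
    }

    assert(rr->request->id != -1);

    ngx_log_debug(NGX_LOG_DEBUG_HTTP,log,0,
            "ngx_http_auth_radius: alloc request id successfully: %d,fd=%d",
            rr->request->id,rr->request->sockfd);

    return NGX_OK;
}


/* Unlink the request from the proxy's queue of pending requests. */
static void
ngx_http_auth_radius_delete_request(ngx_http_auth_radius_request_t* rr)
{
    ngx_queue_remove(&rr->queue);
}


/* Append the request to the pending queue of the proxy found via rr->data. */
static void
ngx_http_auth_radius_add_request(ngx_http_auth_radius_request_t* rr) {
    ngx_http_auth_radius_ctx_t* ctx = rr->data;
    ngx_http_auth_radius_proxy_t* proxy = ctx->proxy;

    ngx_queue_insert_tail(&proxy->requests,&rr->queue);
}


/*
 * Timer handler: walk the pending requests, time out those that used up
 * their resend budget, resend the expired ones, and re-arm the timer for
 * the earliest remaining deadline.
 */
void
ngx_http_auth_radius_resend_handler(ngx_event_t* ev)
{
    ngx_http_auth_radius_proxy_t* proxy = NULL;
    ngx_http_auth_radius_request_t* rr = NULL;
    ngx_queue_t* next = NULL;
    ngx_queue_t* q = NULL;
    ngx_queue_t* sentinel = NULL;
    ngx_queue_t* requests = NULL;
    ngx_http_auth_radius_ctx_t* ctx = NULL;
    ngx_http_auth_radius_server_t* server = NULL;
    time_t timer = 0;
    ngx_int_t temp_timer;
    time_t now;

    if(ev == NULL) {
        return;
    }

    now = time(NULL);
    proxy = ev->data;
    requests = &proxy->requests;
    sentinel = ngx_queue_sentinel(requests);

    /* next is saved first: finishing a request unlinks it from the queue */
    for(q = ngx_queue_head(requests);q != sentinel;q = next) {
        next = ngx_queue_next(q);
        rr = ngx_queue_data(q,ngx_http_auth_radius_request_t,queue);
        ctx = rr->data;
        temp_timer = 0;
        server = ctx->rlcf->server;

        if(rr->done) {
            continue;
        }

        if((rr->tries >= server->resend_limit) && (now >= rr->expire)) {
            rr->done = 1;
            rr->error_code = NGX_HTTP_AUTH_RADIUS_TIMEDOUT;
            ngx_http_auth_radius_process_finish(rr);
        } else if(now >= rr->expire) {
            /*resend it*/
            ngx_log_debug(NGX_LOG_DEBUG_HTTP,ev->log,0,
                    "resend the radius request id %d,code %d again",
                    rr->request->id,rr->request->code);

            rr->tries++;
            rr->expire = now + server->auth_timeout;

            /* a failed resend is only logged: the next expiry retries */
            if(rad_send_request(rr->request,(char*)server->share_secret.data,
                        rr->password) < 0)
            {
                ngx_log_error(NGX_LOG_WARN,ev->log,0,
                        "ngx_http_auth_radius: resend radius request id %d failed",
                        rr->request->id);
            }
            temp_timer = server->auth_timeout;
        } else {
            /*the request is not timed-out*/
            temp_timer = rr->expire - now;
        }

        /* keep the smallest positive delay seen so far */
        if(temp_timer > 0 && (timer == 0 || temp_timer < timer)) {
            timer = temp_timer;
        }
    }

    if(timer > 0) {
        ngx_add_timer(&proxy->resend_event,(ngx_msec_t)(timer * 1000));
    }
}


/*
 * Verify and decode the reply stored in rr->reply.
 *
 * A reply that fails rad_verify() or rad_decode() is dropped and the
 * request stays pending. For EAPMD5 an Access-Challenge is answered and
 * the expiry is reset; every other decoded reply finishes the request
 * with OK (PW_AUTHENTICATION_ACK) or REJECT.
 */
static void
ngx_http_auth_radius_process_response(ngx_http_auth_radius_request_t* rr)
{
    RADIUS_PACKET* pr = NULL;
    ngx_http_auth_radius_ctx_t* ctx = NULL;
    ngx_http_auth_radius_server_t* server = NULL;
    ngx_http_auth_radius_loc_conf_t* rlcf = NULL;
    RADIUS_PACKET* reply = NULL;
    ngx_log_t* log = NULL;
    char buf[256] = {0};

    ctx = rr->data;
    pr = rr->request;
    reply = rr->reply;

    rlcf = ctx->rlcf;
    server = rlcf->server;
    log = ctx->r->connection->log;

    /*
     * NOTE(review): the two warnings below print ntohs(reply->src_port)
     * while ngx_http_auth_radius_response_post_event() prints the field
     * unconverted; one of the two is presumably wrong -- confirm the byte
     * order of RADIUS_PACKET.src_port.
     */
    if(rad_verify(reply,pr,(char*)server->share_secret.data) < 0) //error
    {
        ngx_memzero(buf,sizeof(buf));
        inet_ntop(reply->src_ipaddr.af,&reply->src_ipaddr.ipaddr,buf,sizeof(buf));
        ngx_log_error(NGX_LOG_WARN,log,0,
                "unexpected reply from server: %s:%d,so discard it",
                buf,ntohs(reply->src_port));

        rr->reply = NULL;
        goto failed;
    }

    if(rad_decode(reply,pr,(char*)server->share_secret.data) < 0) {
        ngx_memzero(buf,sizeof(buf));
        inet_ntop(reply->src_ipaddr.af,&reply->src_ipaddr.ipaddr,buf,sizeof(buf));

        ngx_log_error(NGX_LOG_WARN,log,0,
                "ngx_http_auth_radius: "
                "cann't decode the reply from server: %s:%d,so discard it",
                buf,ntohs(reply->src_port));
        rr->reply = NULL;

        goto failed;
    }

    if(rlcf->auth_type == EAPMD5) {
        rad_unmap_eap_types(reply);
    }
    /*just for debug*/
    if(fr_debug_flag)
        debug_reply_packet(reply);

    if(rlcf->auth_type == EAPMD5 && reply->code == PW_ACCESS_CHALLENGE) {
        if(rad_process_eap_request(pr,reply,
                    (char*)server->share_secret.data,rr->password) < 0)
        {
            rr->reply = NULL;
            goto failed;
        } else {
            /*if we received a Challenge from radius-server,
             * we will send a access-request again
             *so we should reset the expired-time.
             */
            rr->expire = time(NULL) + server->auth_timeout;
            /*
             * the reply is useless,so we free it.
             */
            rr->reply = NULL;
            rad_free(&reply);
        }
    } else {
        rr->reply = reply;
        rr->done = 1;
        if(reply->code == PW_AUTHENTICATION_ACK) {
            rr->error_code = NGX_HTTP_AUTH_RADIUS_OK;
        } else {
            rr->error_code = NGX_HTTP_AUTH_RADIUS_REJECT;
        }
        ngx_http_auth_radius_process_finish(rr);
    }
    return;

failed:
    rad_free(&reply);
}


/* Posted-event handler: free the event and process the reply it carries. */
static void
ngx_http_auth_radius_response_post_event_handler(ngx_event_t* ev)
{
    ngx_http_auth_radius_request_t* rr = ev->data;

    ngx_pfree(rr->pool,ev);

    ngx_http_auth_radius_process_response(rr);
}


/*
 * Match a received reply to its pending request and post an event that
 * will process it. A reply without a matching request is logged and freed.
 */
static void
ngx_http_auth_radius_response_post_event(ngx_http_auth_radius_proxy_t* proxy,
        RADIUS_PACKET* reply,ngx_log_t* log)
{
    RADIUS_PACKET** pr = NULL;
    ngx_http_auth_radius_request_t* rr = NULL;
    fr_packet_list_t* pl = proxy->request_packets;
    char addr[256] = {0};
    ngx_event_t* ev = NULL;

    pr = fr_packet_list_find_byreply(pl,reply);
    if(pr == NULL) {
        inet_ntop(reply->src_ipaddr.af,&reply->src_ipaddr.ipaddr,addr,sizeof(addr));
        ngx_log_error(NGX_LOG_WARN,log,0,
                "ngx_http_auth_radius: "
                "not find request correspond to the reply from server: "
                "%s:%d,code=%d,id=%d,so discard it",
                addr,reply->src_port,reply->code,reply->id);
        rad_free(&reply);
        return;
    }

    rr = fr_packet2myptr(ngx_http_auth_radius_request_t,request,pr);

    /*
     * The match above happens before rad_verify() has seen the reply, so a
     * second datagram for the same request can arrive while the first is
     * still waiting in the posted queue. Accepting it would overwrite
     * rr->reply (losing the first packet) and post a second event that
     * still points at rr after the first one may have finished the request.
     */
    if(rr->done || rr->reply != NULL) {
        ngx_log_error(NGX_LOG_WARN,log,0,
                "ngx_http_auth_radius: "
                "a reply for request id=%d is already pending,so discard it",
                reply->id);
        rad_free(&reply);
        return;
    }

    ev = ngx_pcalloc(rr->pool,sizeof(*ev));
    if(ev == NULL) {
        ngx_log_error(NGX_LOG_ERR,log,NGX_ENOMEM,"out of memory");
        rad_free(&reply);
        return;
    }

    rr->reply = reply;
    ev->data = rr;
    ev->log = log;
    ev->handler = ngx_http_auth_radius_response_post_event_handler;
    ngx_post_event(ev,&ngx_posted_events);
}


/*
 * we will call this function after radius authentication or authentication timeout
 *
 * When rr->done is set, the request is removed from the packet list and
 * from the pending queue, then rr->handler is invoked.
 */
static void
ngx_http_auth_radius_process_finish(ngx_http_auth_radius_request_t* rr) {
    ngx_http_auth_radius_ctx_t* ctx = rr->data;
    ngx_http_auth_radius_proxy_t* proxy = ctx->proxy;

    if(rr->done) {
        fr_packet_list_delete(proxy->request_packets,rr->request);
        ngx_http_auth_radius_delete_request(rr);
        rr->handler(rr);
    }
}


/*
 * Release a RADIUS request: give back its packet id, free the request and
 * reply packets, wipe the stored password and free rr. rr may be NULL, and
 * rr->request may be NULL (a request whose packet was never created).
 */
void
ngx_http_auth_radius_destroy_request(ngx_http_auth_radius_proxy_t* proxy,
        ngx_http_auth_radius_request_t* rr)
{
    ngx_pool_t* pool = NULL;

    if(rr == NULL) {
        return;
    }

    pool = rr->pool;

    /*free: RADIUS_PACKET to request*/
    if(rr->request) {
        /* the id is only read once the packet is known to exist */
        if(rr->request->id >= 0) {
            ngx_log_debug(NGX_LOG_DEBUG_HTTP,pool->log,0,
                    "ngx_http_auth_radius: free radius packet id: %d",
                    rr->request->id);
            if(fr_packet_list_id_free(proxy->request_packets,rr->request) == 0) {
                ngx_log_error(NGX_LOG_WARN,pool->log,0,
                        "ngx_http_auth_radius: free radius packet id %d failed",
                        rr->request->id);
            }
            rr->request->id = -1;
        }

        rad_free(&rr->request);
    }

    /*free: RADIUS_PACKET to reply*/
    if(rr->reply) {
        rad_free(&rr->reply);
    }

    /* do not leave the cleartext password behind in pool memory */
    ngx_memzero(rr->password,sizeof(rr->password));

    ngx_pfree(pool,rr);
}


/*
 * create radius request
 *
 * Builds the request from the user name and password in r->headers_in and
 * allocates a packet id for it. Returns NULL on failure.
 */
ngx_http_auth_radius_request_t*
ngx_http_auth_radius_create_request(ngx_http_auth_radius_proxy_t* proxy,
        ngx_http_request_t* r)
{
    ngx_http_auth_radius_request_t* rr = NULL;
    RADIUS_PACKET* rp = NULL;
    ngx_addr_t* addr = NULL;
    int port = 0;
    ngx_http_auth_radius_loc_conf_t* rlcf = NULL;
    ngx_str_t user = ngx_null_string;
    ngx_str_t pwd = ngx_null_string;
    ngx_url_t* url = NULL;
    ngx_pool_t* pool = r->pool;
    ngx_http_auth_radius_server_t* server = NULL;

    rlcf = ngx_http_get_module_loc_conf(r,ngx_http_auth_radius_module);

    rr = ngx_pcalloc(pool,sizeof(ngx_http_auth_radius_request_t));
    if(rr == NULL) {
        goto failed;
    }
    rr->pool = pool;

    user = r->headers_in.user;
    pwd = r->headers_in.passwd;

    /*
     * The password comes from the client and is copied into the fixed-size
     * rr->password below. Reject anything that does not fit together with
     * its terminating NUL; the original copied pwd.len bytes unchecked.
     */
    if(pwd.len >= sizeof(rr->password)) {
        ngx_log_error(NGX_LOG_ERR,r->connection->log,0,
                "ngx_http_auth_radius: password of %uz bytes exceeds the limit of %uz",
                pwd.len,sizeof(rr->password) - 1);
        goto failed;
    }

    rp = rad_request_packet_create((char*)user.data,user.len,
            (char*)pwd.data,pwd.len,rlcf->auth_type);
    if(rp == NULL) {
        goto failed;
    }

    /*Note:
     * we must use RADIUS_PACKET member dst_ipaddr as following
     */
    server = rlcf->server;
    url = &server->parsed_url;
    addr = url->addrs;
    ngx_memzero(&rp->dst_ipaddr,sizeof(rp->dst_ipaddr));
    fr_sockaddr2ipaddr((const struct sockaddr_storage*)addr->sockaddr,
            addr->socklen,&rp->dst_ipaddr,&port);
    rp->dst_port = port & 0xFFFF;
    rp->sockfd = -1;
    rp->src_ipaddr.af = rp->dst_ipaddr.af;

    rr->request = rp;
    rr->reply = NULL;

    rr->tries = 0;
    /* rr was zero-filled, so the copy stays NUL-terminated */
    ngx_memcpy(rr->password,(char*)pwd.data,pwd.len);
    rr->done = 0;

    if(ngx_http_auth_radius_alloc_id(proxy,rr,r->connection->log) == NGX_ERROR) {
        goto failed;
    }
    /*
     * Note:
     * we must call rad_set_eap_id to set
     * the eap-id attribute after ceating EAP-response packet
     */
    if(rlcf->auth_type == EAPMD5) {
        if(rad_set_eap_id(rp) == -1) {
            goto failed;
        }
    }

    rr->timestamp = time(NULL);
    rr->expire = rr->timestamp + server->auth_timeout;
    rr->error_code = NGX_HTTP_AUTH_RADIUS_OK;

    return rr;

failed:
    ngx_http_auth_radius_destroy_request(proxy,rr);
    return NULL;
}


/*
 * Send the RADIUS request of the module context of r, insert it into the
 * packet list and the pending queue, and arm the resend timer when the
 * queue was empty. Returns NGX_OK or NGX_ERROR.
 */
ngx_int_t
ngx_http_auth_radius_send_request(ngx_http_request_t* r) {
    ngx_http_auth_radius_proxy_t* proxy = NULL;
    ngx_http_auth_radius_request_t* rr = NULL;
    ngx_http_auth_radius_ctx_t* ctx = NULL;
    ngx_http_auth_radius_server_t* server = NULL;
    ngx_http_auth_radius_loc_conf_t* rlcf = NULL;
    ngx_str_t share_secret = ngx_null_string;
    int sent = 0;

    ctx = ngx_http_get_module_ctx(r,ngx_http_auth_radius_module);

    proxy = ctx->proxy;
    rr = ctx->rr;
    rlcf = ctx->rlcf;

    server = rlcf->server;
    share_secret = server->share_secret;

    if(rlcf->auth_type != EAPMD5) {
        sent = rad_send_request(rr->request,(char*)share_secret.data,rr->password);
    } else {
        sent = rad_send_eap_response(rr->request,(char*)share_secret.data,rr->password);
    }

    if(sent < 0) {
        return NGX_ERROR;
    }

    /*
     * Note:
     *  the follow function fr_packet_list_insert is very different to others.
     *  On success,the function will return 1
     *  On failed,it will return 0
     */
    if(fr_packet_list_insert(proxy->request_packets,&rr->request) == 0) {
        ngx_log_error(NGX_LOG_ERR,r->connection->log,0,
                "add radius packet failed: fd=%d,id=%d",
                rr->request->sockfd,rr->request->id);
        return NGX_ERROR;
    }

    if(ngx_queue_empty(&proxy->requests)) {
        ngx_add_timer(&proxy->resend_event,(ngx_msec_t)(server->auth_timeout * 1000));
    }

    ngx_http_auth_radius_add_request(rr);

    return NGX_OK;
}


/*
 * Load the RADIUS dictionary named "dictionary" from dict_dir.
 * The directory is copied into a zero-filled 1024-byte buffer, so a longer
 * path is cut short. Returns NGX_OK or NGX_ERROR.
 */
ngx_int_t
ngx_http_auth_radius_dict_init(const ngx_str_t* dict_dir,ngx_log_t* log)
{
    u_char dict[1024] = {0};

    /* one byte is held back so the buffer stays NUL-terminated */
    ngx_snprintf(dict,sizeof(dict) - 1,"%V",dict_dir);

    if(dict_init((char*)dict,"dictionary") == -1) {
        ngx_log_error(NGX_LOG_ERR,log,0,
                "ngx_http_auth_radius: failed to initial radius dictionry: %s",
                fr_strerror());
        return NGX_ERROR;
    }

    return NGX_OK;
}


/* fr_hash_table_walk() callback: close one connection; ctx is unused. */
static int
ngx_http_auth_radius_close_connection_walker(void* ctx,void* data)
{
    ngx_http_auth_radius_connection_t* uc = data;

    ngx_http_auth_radius_close_connection(uc);

    return 0;
}


/* Close every UDP connection of the proxy and free the hash table. */
static void
ngx_http_auth_radius_destroy_connections(ngx_http_auth_radius_proxy_t* proxy)
{
    fr_hash_table_t* ucs = proxy->udp_connections;

    /* the table is missing when proxy creation failed before building it */
    if(ucs == NULL) {
        return;
    }

    fr_hash_table_walk(ucs,ngx_http_auth_radius_close_connection_walker,proxy);
    fr_hash_table_free(ucs);
    proxy->udp_connections = NULL;
}


/* ngx_queue_walk() callback: unlink one pending request and destroy it. */
static void
ngx_http_auth_radius_clean_queue_request(ngx_queue_t* q,void* ctx)
{
    ngx_http_auth_radius_request_t* rr = NULL;
    ngx_http_auth_radius_proxy_t* proxy = ctx;

    ngx_queue_remove(q);
    rr = ngx_queue_data(q,ngx_http_auth_radius_request_t,queue);
    ngx_http_auth_radius_destroy_request(proxy,rr);
}


/* Destroy every request still waiting in the proxy's queue. */
static void
ngx_http_auth_radius_cleanall_request(ngx_http_auth_radius_proxy_t* proxy)
{
    ngx_queue_walk(&proxy->requests,
            ngx_http_auth_radius_clean_queue_request,proxy);
}


/*
 * Pool cleanup handler of the proxy: destroy pending requests, the packet
 * list, the resend timer and the connections, free the dictionary and the
 * proxy itself. A NULL argument is ignored.
 */
static void
ngx_http_auth_radius_proxy_cleanup(void* data)
{
    ngx_http_auth_radius_proxy_t* proxy = data;

    if(proxy == NULL) {
        return;
    }

    ngx_log_debug(NGX_LOG_DEBUG_HTTP,proxy->pool->log,0,
            "cleanup radius authentication");

    ngx_http_auth_radius_cleanall_request(proxy);

    if(proxy->request_packets) {
        fr_packet_list_free(proxy->request_packets);
    }

    if(proxy->resend_event.timer_set) {
        ngx_del_timer(&proxy->resend_event);
    }

    ngx_http_auth_radius_destroy_connections(proxy);

    dict_free();

    ngx_pfree(proxy->pool,proxy);
}


/* Hash callback of the connection table: hash of the socket descriptor. */
static uint32_t
ngx_http_auth_radius_hash_connection(const void* data)
{
    const ngx_http_auth_radius_connection_t* uc = data;

    return fr_hash(&uc->c->fd,sizeof(uc->c->fd));
}


/*
 * Create the proxy that owns the packet list, the pending queue and the
 * UDP connections, and register its cleanup with pool.
 * Returns NULL when pool is NULL or any allocation fails.
 */
ngx_http_auth_radius_proxy_t*
ngx_http_auth_radius_create_proxy(ngx_pool_t* pool)
{
    ngx_pool_cleanup_t* cln = NULL;
    ngx_http_auth_radius_proxy_t* proxy = NULL;

    if(pool == NULL) {
        return NULL;
    }

    ngx_log_debug(NGX_LOG_DEBUG_HTTP,pool->log,0,"create proxy");

    cln = ngx_pool_cleanup_add(pool,0);
    if(cln == NULL) {
        return NULL;
    }

    cln->handler = ngx_http_auth_radius_proxy_cleanup;
    cln->data = NULL;

    proxy = ngx_pcalloc(pool,sizeof(ngx_http_auth_radius_proxy_t));
    if(proxy == NULL) {
        return NULL;
    }
    cln->data = proxy;

    /* set up what the cleanup handler reads before anything can fail */
    proxy->event_set = 0;
    proxy->pool = pool;
    ngx_queue_init(&proxy->requests);

    proxy->request_packets = fr_packet_list_create(1);
    if(proxy->request_packets == NULL) {
        goto failed;
    }

    proxy->udp_connections = fr_hash_table_create(ngx_http_auth_radius_hash_connection,
            NULL,NULL);
    if(proxy->udp_connections == NULL) {
        goto failed;
    }

    /*
     * NOTE(review): debugging is switched on unconditionally, so every
     * decoded reply is passed to debug_reply_packet() and library output
     * goes to stdout. Consider making this depend on a debug build or on a
     * configuration directive.
     */
    fr_debug_flag = 1;
    fr_log_fp = stdout;

    return proxy;

failed:
    /*
     * The cleanup below frees the proxy. Detach it from the registered pool
     * cleanup first, otherwise the same handler would run a second time on
     * the freed proxy when the pool is destroyed.
     */
    cln->data = NULL;
    ngx_http_auth_radius_proxy_cleanup(proxy);
    return NULL;
}


/*
 * Add a WWW-Authenticate header whose value is *realm.
 * Returns NGX_HTTP_UNAUTHORIZED, or NGX_HTTP_INTERNAL_SERVER_ERROR when
 * the header cannot be allocated.
 */
ngx_int_t
ngx_http_auth_radius_set_realm(ngx_http_request_t* r,const ngx_str_t* realm) {
    ngx_table_elt_t* h = ngx_list_push(&r->headers_out.headers);

    r->headers_out.www_authenticate = h;
    if (h == NULL) {
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }

    h->hash = 1;
    h->key.len = sizeof("WWW-Authenticate") - 1;
    h->key.data = (u_char *) "WWW-Authenticate";
    h->value = *realm;

    return NGX_HTTP_UNAUTHORIZED;
}


/* Completion callback of a RADIUS request: resume the HTTP phase engine. */
static void
ngx_http_auth_radius_authenticate_finish_handler(ngx_http_auth_radius_request_t* rr)
{
    ngx_http_auth_radius_ctx_t* ctx = rr->data;

    ngx_log_debug3(NGX_LOG_DEBUG_HTTP,ctx->r->connection->log,0,
            "ngx_http_auth_radius: request finish: id=%d,code=%d,authentication result=%i",
            rr->request->id,rr->request->code,rr->error_code);

    ngx_http_core_run_phases(ctx->r);
}


/* Bind the proxy's resend timer event to its handler and mark it as set. */
static void ngx_http_auth_radius_set_resend_event(ngx_log_t* log,
        ngx_http_auth_radius_proxy_t* proxy)
{
    proxy->event_set = 1;
    proxy->resend_event.log = log;
    proxy->resend_event.data = proxy;
    proxy->resend_event.handler = ngx_http_auth_radius_resend_handler;
}


/*
 * Drive the authentication of r.
 *
 * First call: send the RADIUS request and return NGX_AGAIN. Once the
 * request is done: NGX_OK on success, otherwise the result of
 * ngx_http_auth_radius_set_realm(). NGX_ERROR when sending fails.
 */
ngx_int_t
ngx_http_auth_radius_authenticate(ngx_http_request_t* r)
{
    ngx_http_auth_radius_request_t* rr = NULL;
    ngx_http_auth_radius_ctx_t* ctx = NULL;
    ngx_http_auth_radius_loc_conf_t* rlcf = NULL;

    ctx = ngx_http_get_module_ctx(r,ngx_http_auth_radius_module);
    rr = ctx->rr;
    rlcf = ctx->rlcf;

    //set resend-event firstly
    if(ctx->proxy->event_set == 0) {
        ngx_http_auth_radius_set_resend_event(r->connection->log,ctx->proxy);
    }

    if(rr->done) {
        //radius authentication has finished
        if(rr->error_code != NGX_HTTP_AUTH_RADIUS_OK) {
            return ngx_http_auth_radius_set_realm(r,&rlcf->realm);
        }

        return NGX_OK;
    }

    rr->handler = ngx_http_auth_radius_authenticate_finish_handler;

    if(ngx_http_auth_radius_send_request(r) == NGX_ERROR) {
        return NGX_ERROR;
    }

    return NGX_AGAIN;
}

-------------------------------------------------------------------------------- /ngx_http_auth_radius.h: 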
-------------------------------------------------------------------------------- 1 | /* 2 | *HTTP-Radius authentication 3 | *2014-03-06 created by qudreams 4 | *All rights reserved. 5 | */ 6 | 7 | #ifndef NGX_HTTP_AUTH_RADIUS_H 8 | #define NGX_HTTP_AUTH_RADIUS_H 9 | 10 | #include 11 | #include 12 | #include 13 | 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | 23 | #include 24 | 25 | #define RADIUS_PWD_LEN 128 26 | #define RADIUS_SECRET_LEN 64 27 | #define MAX_SESSION_ID_LEN 128 28 | #define RADIUS_USERNAME_LEN 253 29 | 30 | #define NGX_HTTP_AUTH_RADIUS_OK 0 31 | #define NGX_HTTP_AUTH_RADIUS_REJECT -1 32 | #define NGX_HTTP_AUTH_RADIUS_TIMEDOUT -2 33 | #define NGX_HTTP_AUTH_RADIUS_INTERNAL_ERROR -3 34 | 35 | typedef struct ngx_http_auth_radius_request_s ngx_http_auth_radius_request_t; 36 | typedef struct ngx_http_auth_radius_proxy_s ngx_http_auth_radius_proxy_t; 37 | typedef struct ngx_http_auth_radius_connection_s ngx_http_auth_radius_connection_t; 38 | typedef struct ngx_http_auth_radius_ctx_s ngx_http_auth_radius_ctx_t; 39 | typedef struct ngx_http_auth_radius_server_s ngx_http_auth_radius_server_t; 40 | typedef struct ngx_http_auth_radius_loc_conf_s ngx_http_auth_radius_loc_conf_t; 41 | 42 | typedef void (*ngx_http_auth_radius_handler_pt)(ngx_http_auth_radius_request_t*); 43 | 44 | struct ngx_http_auth_radius_request_s { 45 | ngx_queue_t queue; 46 | RADIUS_PACKET* request; 47 | RADIUS_PACKET* reply; 48 | 49 | char password[RADIUS_PWD_LEN]; 50 | time_t timestamp; 51 | time_t expire; 52 | 53 | /*the times that we have tried to send it*/ 54 | int8_t tries; 55 | uint8_t done; 56 | ngx_int_t error_code; 57 | ngx_http_auth_radius_handler_pt handler; 58 | ngx_pool_t* pool; //pointer to the ngx_http_request_t->pool 59 | void* data; //pointer to ngx_http_auth_radius_ctx_t 60 | }; 61 | 62 | struct ngx_http_auth_radius_connection_s { 63 | ngx_connection_t* c; 64 | time_t last_used; 65 | void* data; 66 | }; 

/*
 * State shared by all outstanding RADIUS requests.
 */
struct ngx_http_auth_radius_proxy_s {
    ngx_int_t           event_set;          /* whether resend_event is set */
    ngx_event_t         resend_event;       /* resend timeout event */
    fr_packet_list_t*   request_packets;
    ngx_queue_t         requests;
    ngx_int_t           conn_counter;
    /* UDP "connections": plain sockets, never connect()ed to the server */
    fr_hash_table_t*    udp_connections;
    ngx_pool_t*         pool;
};

/*
 * Per-HTTP-request module context: ties the HTTP request to its RADIUS
 * request, the proxy and the location configuration.
 */
struct ngx_http_auth_radius_ctx_s {
    ngx_http_request_t*                 r;
    ngx_http_auth_radius_request_t*     rr;     /* the RADIUS request */
    ngx_http_auth_radius_proxy_t*       proxy;
    ngx_http_auth_radius_loc_conf_t*    rlcf;
};


/*
 * One "radius_server" block from the configuration.
 */
struct ngx_http_auth_radius_server_s {
    ngx_str_t   alias;          /* name given to the radius_server block */
    ngx_str_t   url;            /* server address, written as [host]:[port] */
    ngx_url_t   parsed_url;     /* url after parsing */
    ngx_int_t   auth_timeout;   /* authentication time-out */
    ngx_int_t   resend_limit;   /* how many times a request may be resent */
    ngx_str_t   share_secret;   /* shared secret, read as plain text from the config */
};

/* Main (http-level) configuration. */
typedef struct {
    ngx_array_t*    servers;    /* array of ngx_http_auth_radius_server_t */
    ngx_str_t       dict_dir;   /* RADIUS dictionary directory */
} ngx_http_auth_radius_main_conf_t;

/* Location-level configuration. */
struct ngx_http_auth_radius_loc_conf_s {
    ngx_http_auth_radius_server_t*  server;     /* selected RADIUS server */
    ngx_int_t                       auth_type;  /* authentication method */
    ngx_str_t                       realm;      /* empty realm: authentication is off */
};


/*
 * Functions shared with the module source
 * (presumably implemented in ngx_http_auth_radius.c).
 */
ngx_int_t
ngx_http_auth_radius_dict_init(const ngx_str_t* dict_dir,ngx_log_t* log);

ngx_http_auth_radius_connection_t*
ngx_http_auth_radius_connect(int family,ngx_pool_t* pool,ngx_log_t* log);

void
ngx_auth_radius_recv_response(ngx_event_t* rev);

ngx_http_auth_radius_request_t*
ngx_http_auth_radius_create_request(ngx_http_auth_radius_proxy_t* proxy,
    ngx_http_request_t* r);

void
ngx_http_auth_radius_destroy_request(ngx_http_auth_radius_proxy_t* proxy,
    ngx_http_auth_radius_request_t* r);

ngx_int_t
ngx_auth_radius_send_request(ngx_http_request_t* r);

ngx_http_auth_radius_proxy_t*
ngx_http_auth_radius_create_proxy(ngx_pool_t* pool);

void
ngx_http_auth_radius_close_connection(ngx_http_auth_radius_connection_t* uc);

void
ngx_auth_radius_resend_handler(ngx_event_t* ev);

ngx_int_t
ngx_http_auth_radius_set_realm(ngx_http_request_t* r,const ngx_str_t* realm);

ngx_int_t
ngx_http_auth_radius_authenticate(ngx_http_request_t* r);

extern ngx_module_t ngx_http_auth_radius_module;

#endif
--------------------------------------------------------------------------------
/ngx_http_auth_radius_module.c:
--------------------------------------------------------------------------------
/*
 * ngx_http_auth_radius_module.c: 2014-03-02 created for HTTP-radius authentication
 * all rights reserved to qudreams.
 */


/* NOTE: the header names of the first four #include lines are missing from this listing. */
#include
#include
#include
#include
#include "ngx_http_auth_radius.h"


/* Returned by the auth-type parser when the name matches no known method. */
#define AUTH_RADIUS_UNKNOWN -1

/*
 * Method names accepted by the auth_radius_server directive.
 * The array index is what gets stored as the location's auth_type, so the
 * order matters (presumably it mirrors the library's PAP/CHAP/... constants;
 * confirm against libmyradclient).
 */
static ngx_str_t auth_radius_types[] = {
    ngx_string("PAP"),
    ngx_string("CHAP"),
    ngx_string("MSCHAP"),
    ngx_string("MSCHAP2"),
    ngx_string("EAPMD5")
};

/* configuration life-cycle callbacks */
static void* ngx_http_auth_radius_create_main_conf(ngx_conf_t* cf);
static char* ngx_http_auth_radius_init_main_conf(ngx_conf_t* cf,void* conf);
static void* ngx_http_auth_radius_create_loc_conf(ngx_conf_t* cf);
static char* ngx_http_auth_radius_merge_loc_conf(ngx_conf_t* cf,void* prev,void* conf);

/* directive handlers */
static char* ngx_http_auth_radius_block(ngx_conf_t* cf,ngx_command_t* cmd,void* conf);
static char* ngx_http_auth_radius_server(ngx_conf_t* cf,ngx_command_t* cmd,void* conf);
static char* ngx_http_auth_radius(ngx_conf_t* cf,ngx_command_t* cmd,void* conf);

/* post-configuration hook and access-phase handler */
static ngx_int_t ngx_http_auth_radius_init(ngx_conf_t* cf);
static ngx_int_t
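ngx_http_auth_radius_handler(ngx_http_request_t* r);


/*
 * Directives understood by the module.
 * The table is closed with ngx_null_command: nginx walks a command table
 * until it meets an entry with an empty name, so a table without the
 * terminator is read past its end.
 */
static ngx_command_t ngx_http_auth_radius_cmds[] = {
    {
      ngx_string("radius_server"),
      NGX_HTTP_MAIN_CONF | NGX_CONF_BLOCK | NGX_CONF_TAKE1,
      ngx_http_auth_radius_block,
      NGX_HTTP_MAIN_CONF_OFFSET,
      0,
      NULL },
    {
      ngx_string("radius_dict_directory"),
      NGX_HTTP_MAIN_CONF | NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
      NGX_HTTP_MAIN_CONF_OFFSET,
      offsetof(ngx_http_auth_radius_main_conf_t,dict_dir),
      NULL },
    {
      ngx_string("auth_radius_server"),
      NGX_HTTP_MAIN_CONF | NGX_HTTP_SRV_CONF| NGX_HTTP_LOC_CONF | NGX_CONF_TAKE2,
      ngx_http_auth_radius_server,
      NGX_HTTP_LOC_CONF_OFFSET,
      0,
      NULL },
    {
      ngx_string("auth_radius"),
      NGX_HTTP_MAIN_CONF | NGX_HTTP_SRV_CONF| NGX_HTTP_LOC_CONF | NGX_CONF_TAKE1,
      ngx_http_auth_radius,
      NGX_HTTP_LOC_CONF_OFFSET,
      0,
      NULL },

      ngx_null_command
};


/* HTTP module callbacks. */
static ngx_http_module_t ngx_http_auth_radius_module_ctx = {
    NULL,                                   /*preconfiguration*/
    ngx_http_auth_radius_init,              /*postconfiguration*/
    ngx_http_auth_radius_create_main_conf,  /*create main configuration*/
    ngx_http_auth_radius_init_main_conf,    /*init main configuration*/
    NULL,                                   /*create server configuration*/
    NULL,                                   /*merge server configuration*/
    ngx_http_auth_radius_create_loc_conf,   /*create location configuration*/
    ngx_http_auth_radius_merge_loc_conf     /*merge location configuration*/
};


/* Module definition. */
ngx_module_t ngx_http_auth_radius_module = {
    NGX_MODULE_V1,
    &ngx_http_auth_radius_module_ctx,
    ngx_http_auth_radius_cmds,
    NGX_HTTP_MODULE,
    NULL, /*init master*/
    NULL, /*init module*/
    NULL, /*init process*/
    NULL, /*init thread*/
    NULL, /*exit thread*/
    NULL, /*exit process*/
    NULL, /*exit master*/
    NGX_MODULE_V1_PADDING
};


/* Proxy object created at post-configuration and used by every request. */
static ngx_http_auth_radius_proxy_t* auth_radius_proxy = NULL;


/*
 * Allocate the zero-filled main configuration.
 * Returns NULL when the allocation fails.
 */
static void*
ngx_http_auth_radius_create_main_conf(ngx_conf_t* cf) {
    ngx_http_auth_radius_main_conf_t* rmcf = NULL;

    rmcf = ngx_pcalloc(cf->pool,sizeof(*rmcf));
    if(rmcf == NULL) {
        return NULL;
    }

    ngx_str_null(&rmcf->dict_dir);

    return rmcf;
}


/*
 * Load the RADIUS dictionaries from the configured directory.
 * Returns NGX_CONF_ERROR when ngx_http_auth_radius_dict_init() fails.
 */
static char*
ngx_http_auth_radius_init_main_conf(ngx_conf_t* cf,void* conf) {
    ngx_http_auth_radius_main_conf_t* rmcf = conf;

    if(ngx_http_auth_radius_dict_init(&rmcf->dict_dir,cf->log) == NGX_ERROR) {
        return NGX_CONF_ERROR;
    }

    return NGX_CONF_OK;
}


/*
 * Allocate a location configuration with server and auth_type marked unset.
 * The realm stays {0,NULL}, which the merge step treats as "not configured".
 */
static void*
ngx_http_auth_radius_create_loc_conf(ngx_conf_t* cf) {
    ngx_http_auth_radius_loc_conf_t* rlcf = NULL;

    rlcf = ngx_pcalloc(cf->pool,sizeof(*rlcf));
    if(rlcf == NULL) {
        return NULL;
    }

    rlcf->server = NGX_CONF_UNSET_PTR;
    rlcf->auth_type = NGX_CONF_UNSET;

    return rlcf;
}


/*
 * Inherit unset location settings from the enclosing level.
 *
 * The realm is merged too. auth_radius is accepted at http and server
 * level, and the handler skips authentication when the realm is empty, so
 * without this merge a realm set at an outer level would never reach the
 * locations and they would be served unauthenticated.
 * "auth_radius off" stores a non-NULL empty string, so it still overrides
 * an inherited realm.
 */
static char*
ngx_http_auth_radius_merge_loc_conf(ngx_conf_t* cf,
    void* prev,void* conf)
{
    ngx_http_auth_radius_loc_conf_t* parent = prev;
    ngx_http_auth_radius_loc_conf_t* child = conf;

    ngx_conf_merge_ptr_value(child->server,parent->server,NULL);
    ngx_conf_merge_value(child->auth_type,parent->auth_type,PAP);
    ngx_conf_merge_str_value(child->realm,parent->realm,"");

    return NGX_CONF_OK;
}


/* Exact comparison of an nginx string with a literal of known length. */
static ngx_int_t
ngx_http_auth_radius_str_eq(const ngx_str_t* s,const char* lit,size_t lit_len)
{
    return s->len == lit_len && ngx_memcmp(s->data,lit,lit_len) == 0;
}


/*
 * Handle one "name value;" line inside a radius_server block.
 *
 * The line is applied to the server pushed last by
 * ngx_http_auth_radius_block(). Names are compared exactly (a prefix such
 * as "auth" no longer selects auth_timeout), numeric values are validated,
 * and unknown names are rejected instead of being ignored, so a misspelled
 * share_secret cannot leave a server silently half-configured.
 */
static char*
ngx_http_auth_radius_server_block(ngx_conf_t* cf,
    ngx_command_t* dummy,void* conf)
{
    ngx_http_auth_radius_main_conf_t* rmcf = conf;
    ngx_http_auth_radius_server_t* servers = NULL;
    ngx_http_auth_radius_server_t* server = NULL;
    ngx_str_t* val = NULL;
    ngx_int_t n = 0;

    if(cf->args->nelts != 2) {
        ngx_conf_log_error(NGX_LOG_ERR,cf,0,
            "ngx_http_auth_radius: directive parameter is incorrect");
        return NGX_CONF_ERROR;
    }

    servers = (ngx_http_auth_radius_server_t*)rmcf->servers->elts;
    server = servers + rmcf->servers->nelts - 1;
    val = cf->args->elts;

    if(ngx_http_auth_radius_str_eq(&val[0],"auth_timeout",sizeof("auth_timeout") - 1)) {
        n = ngx_atoi(val[1].data,val[1].len);
        if(n == NGX_ERROR) {
            ngx_conf_log_error(NGX_LOG_ERR,cf,0,
                "ngx_http_auth_radius: invalid auth_timeout \"%V\"",&val[1]);
            return NGX_CONF_ERROR;
        }
        server->auth_timeout = n;

    } else if(ngx_http_auth_radius_str_eq(&val[0],"resend_limit",sizeof("resend_limit") - 1)) {
        n = ngx_atoi(val[1].data,val[1].len);
        if(n == NGX_ERROR) {
            ngx_conf_log_error(NGX_LOG_ERR,cf,0,
                "ngx_http_auth_radius: invalid resend_limit \"%V\"",&val[1]);
            return NGX_CONF_ERROR;
        }
        server->resend_limit = n;

    } else if(ngx_http_auth_radius_str_eq(&val[0],"url",sizeof("url") - 1)) {
        server->url = val[1];

    } else if(ngx_http_auth_radius_str_eq(&val[0],"share_secret",sizeof("share_secret") - 1)) {
        if(val[1].len == 0) {
            ngx_conf_log_error(NGX_LOG_ERR,cf,0,
                "ngx_http_auth_radius: share_secret must not be empty");
            return NGX_CONF_ERROR;
        }

        /*
         * NOTE(review): the header defines RADIUS_SECRET_LEN (64). If the
         * secret is later copied into a buffer of that size, the length
         * should also be bounded here - confirm against the code using it.
         */

        /* one extra zero byte keeps the copy NUL-terminated */
        server->share_secret.data = ngx_pcalloc(cf->pool,val[1].len + 1);
        if(server->share_secret.data == NULL) {
            ngx_conf_log_error(NGX_LOG_ERR,cf,0,
                "ngx_http_auth_radius: out of memory to allocate memory for share secret");
            return NGX_CONF_ERROR;
        }

        ngx_memcpy(server->share_secret.data,val[1].data,val[1].len);
        server->share_secret.len = val[1].len;

    } else {
        ngx_conf_log_error(NGX_LOG_ERR,cf,0,
            "ngx_http_auth_radius: unknown directive \"%V\" in radius_server block",
            &val[0]);
        return NGX_CONF_ERROR;
    }

    return NGX_CONF_OK;
}


/*
 * Handle the "radius_server <name> { ... }" block.
 *
 * Appends a server entry to the main configuration, parses the block body
 * with ngx_http_auth_radius_server_block() and finally parses the url
 * (default port 1812).
 *
 * The new array element is cleared first: array elements come from the
 * pool uninitialised, and both the "url not set" check and ngx_parse_url()
 * read fields that the block body may never assign. Fields the block does
 * not set therefore end up as 0.
 * A failure reported while parsing the block body is returned to the
 * caller; a missing url or share_secret is a configuration error.
 */
static char*
ngx_http_auth_radius_block(ngx_conf_t* cf,
    ngx_command_t* cmd,void* conf)
{
    ngx_http_auth_radius_main_conf_t* rmcf = conf;
    ngx_http_auth_radius_server_t* server = NULL;
    ngx_conf_t saved = *cf;
    ngx_str_t* value = cf->args->elts;
    ngx_str_t name = value[1];
    char* rv = NULL;

    if(name.len == 0) {
        ngx_conf_log_error(NGX_LOG_EMERG,cf,0,
            "ngx_auth_radius: Missing radius server name");
        return NGX_CONF_ERROR;
    }

    if(rmcf->servers == NULL) {
        rmcf->servers = ngx_array_create(cf->pool,5,sizeof(*server));
        if(rmcf->servers == NULL) {
            return NGX_CONF_ERROR;
        }
    }

    server = ngx_array_push(rmcf->servers);
    if(server == NULL) {
        return NGX_CONF_ERROR;
    }

    ngx_memzero(server,sizeof(*server));
    server->alias = name;

    /* parse the block body with our own handler, then restore cf */
    cf->handler = ngx_http_auth_radius_server_block;
    cf->handler_conf = conf;
    rv = ngx_conf_parse(cf,NULL);
    *cf = saved;

    if(rv != NGX_CONF_OK) {
        return rv;
    }

    if(server->url.data == NULL) {
        ngx_conf_log_error(NGX_LOG_ERR,cf,0,
            "ngx_http_auth_radius: server url haven't been set.");
        return NGX_CONF_ERROR;
    }

    if(server->share_secret.len == 0) {
        ngx_conf_log_error(NGX_LOG_ERR,cf,0,
            "ngx_http_auth_radius: share_secret is not set for server \"%V\"",
            &server->alias);
        return NGX_CONF_ERROR;
    }

    server->parsed_url.url = server->url;
    server->parsed_url.default_port = 1812;
    if(ngx_parse_url(cf->pool,&server->parsed_url) == NGX_ERROR) {
        ngx_conf_log_error(NGX_LOG_ERR,cf,0,
            "ngx_http_auth_radius: illegal server ulr: %V",
            &server->url);
        return NGX_CONF_ERROR;
    }

    return NGX_CONF_OK;
}


/*
 * Map a method name (case-insensitive, exact length) to its index in
 * auth_radius_types, or AUTH_RADIUS_UNKNOWN when nothing matches.
 */
static ngx_int_t
ngx_http_auth_radius_parse_auth_type(const ngx_str_t* type_name) {
    ngx_uint_t count = sizeof(auth_radius_types) / sizeof(auth_radius_types[0]);
    ngx_uint_t i = 0;

    for(i = 0;i < count;i++) {
        if(type_name->len != auth_radius_types[i].len) {
            continue;
        }

        if(ngx_strncasecmp(type_name->data,auth_radius_types[i].data,
                           type_name->len) == 0)
        {
            return (ngx_int_t)i;
        }
    }

    return AUTH_RADIUS_UNKNOWN;
}


/*
 * Handle "auth_radius <realm>|off".
 *
 * "off" stores an empty realm, which makes the access handler decline.
 * Any other value is stored as the ready-made challenge text
 * Basic realm="<value>". The value is copied as written in the
 * configuration; a double quote inside it would end the quoted string early.
 */
static char*
ngx_http_auth_radius(ngx_conf_t* cf,ngx_command_t* cmd,void* conf) {
    static const char prefix[] = "Basic realm=\"";
    ngx_http_auth_radius_loc_conf_t* rlcf = conf;
    ngx_str_t* value = cf->args->elts;
    size_t len = 0;
    u_char* buf = NULL;
    u_char* p = NULL;

    if(value[1].len == 3 && ngx_strncmp(value[1].data,"off",3) == 0) {
        ngx_str_set(&rlcf->realm,"");
        return NGX_CONF_OK;
    }

    /* prefix + value + closing quote */
    len = sizeof(prefix) - 1 + value[1].len + 1;
    buf = ngx_pcalloc(cf->pool,len);
    if(buf == NULL) {
        return NGX_CONF_ERROR;
    }

    p = ngx_cpymem(buf,prefix,sizeof(prefix) - 1);
    p = ngx_cpymem(p,value[1].data,value[1].len);
    *p = '"';

    rlcf->realm.data = buf;
    rlcf->realm.len = len;

    return NGX_CONF_OK;
}


/*
 * Handle "auth_radius_server <server-name> <method>".
 *
 * Looks the name up among the radius_server blocks parsed so far and
 * stores the server and the method in the location configuration.
 * The alias must match in full: comparing only the first bytes could bind
 * a location to a different server whose alias merely starts the same way,
 * and could read past the end of a shorter alias.
 * Returns NGX_CONF_ERROR for an unknown method, for an unknown server and
 * when no radius_server block has been defined yet.
 */
static char*
ngx_http_auth_radius_server(ngx_conf_t* cf,ngx_command_t* cmd,void* conf) {
    ngx_http_auth_radius_loc_conf_t* rlcf = conf;
    ngx_http_auth_radius_main_conf_t* rmcf = NULL;
    ngx_http_auth_radius_server_t* servers = NULL;
    ngx_str_t* args = cf->args->elts;
    ngx_str_t* host_name = &args[1];
    ngx_str_t* type_name = &args[2];
    ngx_int_t auth_type = AUTH_RADIUS_UNKNOWN;
    ngx_uint_t i = 0;

    auth_type = ngx_http_auth_radius_parse_auth_type(type_name);
    if(auth_type == AUTH_RADIUS_UNKNOWN) {
        ngx_conf_log_error(NGX_LOG_ERR,cf,0,
            "ngx_http_auth_radius: unknown authentication method \"%V\"",
            type_name);
        return NGX_CONF_ERROR;
    }

    rmcf = ngx_http_conf_get_module_main_conf(cf,ngx_http_auth_radius_module);
    if(rmcf == NULL || rmcf->servers == NULL) {
        ngx_conf_log_error(NGX_LOG_ERR,cf,0,
            "ngx_http_auth_radius: no radius_server is defined before "
            "auth_radius_server \"%V\"",host_name);
        return NGX_CONF_ERROR;
    }

    servers = (ngx_http_auth_radius_server_t*)(rmcf->servers->elts);

    for(i = 0;i < rmcf->servers->nelts;i++) {
        if(servers[i].alias.len == host_name->len &&
           ngx_memcmp(servers[i].alias.data,host_name->data,host_name->len) == 0)
        {
            rlcf->server = &servers[i];
            rlcf->auth_type = auth_type;
            return NGX_CONF_OK;
        }
    }

    ngx_conf_log_error(NGX_LOG_ERR,cf,0,
        "ngx_http_auth_radius: unknown radius server \"%V\"",host_name);

    return NGX_CONF_ERROR;
}


/*
 * Post-configuration hook: create the shared proxy object and register the
 * access-phase handler.
 */
static ngx_int_t
ngx_http_auth_radius_init(ngx_conf_t* cf) {
    ngx_http_core_main_conf_t* cmcf = NULL;
    ngx_http_handler_pt* slot = NULL;

    auth_radius_proxy = ngx_http_auth_radius_create_proxy(cf->pool);
    if(auth_radius_proxy == NULL) {
        ngx_conf_log_error(NGX_LOG_ERR,cf,NGX_ENOMEM,
            "ngx_http_auth_radius: failed to create radius proxy");

        return NGX_ERROR;
    }

    cmcf = ngx_http_conf_get_module_main_conf(cf,ngx_http_core_module);

    slot = ngx_array_push(&cmcf->phases[NGX_HTTP_ACCESS_PHASE].handlers);
    if(slot == NULL) {
        return NGX_ERROR;
    }

    *slot = ngx_http_auth_radius_handler;

    return NGX_OK;
}


/*
 * Access-phase handler.
 *
 * Declines when the location has no realm (auth_radius absent or "off").
 * On the first pass for a request it reads the Basic credentials, answers
 * with the realm challenge when they are missing or the password is empty,
 * and otherwise creates the RADIUS request and the module context.
 * It then calls ngx_http_auth_radius_authenticate(); unless that returns
 * NGX_AGAIN the RADIUS request is destroyed and the result is returned.
 *
 * A location with a realm but without a RADIUS server fails closed with
 * 500 instead of continuing with a NULL server.
 */
static ngx_int_t
ngx_http_auth_radius_handler(ngx_http_request_t* r) {
    ngx_http_auth_radius_loc_conf_t* rlcf = NULL;
    ngx_http_auth_radius_ctx_t* ctx = NULL;
    ngx_http_auth_radius_request_t* rr = NULL;
    ngx_int_t rc = NGX_OK;

    rlcf = ngx_http_get_module_loc_conf(r,ngx_http_auth_radius_module);
    if(rlcf == NULL || rlcf->realm.len == 0) {
        return NGX_DECLINED;
    }

    if(rlcf->server == NULL) {
        ngx_log_error(NGX_LOG_ERR,r->connection->log,0,
            "ngx_http_auth_radius: auth_radius is enabled "
            "but no auth_radius_server is configured");
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }

    ctx = ngx_http_get_module_ctx(r,ngx_http_auth_radius_module);
    if(ctx == NULL) {
        rc = ngx_http_auth_basic_user(r);
        if(rc == NGX_DECLINED) {
            /* no credentials supplied: send the challenge */
            return ngx_http_auth_radius_set_realm(r,&rlcf->realm);
        }

        if(rc == NGX_ERROR) {
            return NGX_HTTP_INTERNAL_SERVER_ERROR;
        }

        /* only the user name is logged, never the password */
        ngx_log_debug1(NGX_LOG_DEBUG_HTTP,
            r->connection->log, 0, "http_auth_radius: Username is \"%V\"",
            &r->headers_in.user);
        if (r->headers_in.passwd.len == 0) {
            ngx_log_debug0(NGX_LOG_DEBUG_HTTP,
                r->connection->log, 0, "http_auth_radius: Password is empty");
            return ngx_http_auth_radius_set_realm(r,&rlcf->realm);
        }

        ctx = ngx_pcalloc(r->pool,sizeof(*ctx));
        if(ctx == NULL) {
            return NGX_HTTP_INTERNAL_SERVER_ERROR;
        }

        rr = ngx_http_auth_radius_create_request(auth_radius_proxy,r);
        if(rr == NULL) {
            return NGX_HTTP_INTERNAL_SERVER_ERROR;
        }

        ctx->proxy = auth_radius_proxy;
        ctx->rr = rr;
        ctx->r = r;
        ctx->rlcf = rlcf;
        rr->data = ctx;

        ngx_http_set_ctx(r,ctx,ngx_http_auth_radius_module);
    }

    rc = ngx_http_auth_radius_authenticate(r);
    if(rc != NGX_AGAIN) {
        /* the exchange is finished (accepted, rejected or failed) */
        ngx_http_auth_radius_destroy_request(auth_radius_proxy,ctx->rr);
    }

    return rc;
}
--------------------------------------------------------------------------------
/raddb/dictionary:
--------------------------------------------------------------------------------
1 | # -*- text -*-
2 | #
3 | # Version $Id$
4 | #
5 | # DO NOT EDIT THE FILES IN THIS DIRECTORY
6 | #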
7 | # The files in this directory are maintained and updated by 8 | # the FreeRADIUS project. Newer releases of software may update 9 | # or change these files. 10 | # 11 | # Use the main dictionary file (usually /etc/raddb/dictionary) 12 | # for local system attributes and $INCLUDEs. 13 | # 14 | # 15 | # 16 | # This file contains dictionary translations for parsing 17 | # requests and generating responses. All transactions are 18 | # composed of Attribute/Value Pairs. The value of each attribute 19 | # is specified as one of 4 data types. Valid data types are: 20 | # 21 | # text - printable, generally UTF-8 encoded (subset of 'string') 22 | # string - 0-253 octets 23 | # ipaddr - 4 octets in network byte order 24 | # integer - 32 bit value in big endian order (high byte first) 25 | # date - 32 bit value in big endian order - seconds since 26 | # 00:00:00 GMT, Jan. 1, 1970 27 | # ifid - 8 octets in network byte order 28 | # ipv6addr - 16 octets in network byte order 29 | # ipv6prefix - 18 octets in network byte order 30 | # 31 | # FreeRADIUS includes extended data types which are not defined 32 | # in the RFC's. These data types are: 33 | # 34 | # abinary - Ascend's binary filter format. 35 | # byte - 8 bit unsigned integer 36 | # ether - 6 octets of hh:hh:hh:hh:hh:hh 37 | # where 'h' is hex digits, upper or lowercase. 38 | # short - 16-bit unsigned integer 39 | # octets - raw octets, printed and input as hex strings. 40 | # e.g.: 0x123456789abcdef 41 | # tlv - type-length-value (only for certain WiMAX attributes) 42 | # 43 | # 44 | # Enumerated values are stored in the user file with dictionary 45 | # VALUE translations for easy administration. 46 | # 47 | # Example: 48 | # 49 | # ATTRIBUTE VALUE 50 | # --------------- ----- 51 | # Framed-Protocol = PPP 52 | # 7 = 1 (integer encoding) 53 | # 54 | 55 | # 56 | # Include compatibility dictionary for older users file. 
Move 57 | # this directive to the end of this file if you want to see the 58 | # old names in the logfiles, INSTEAD OF the new names. 59 | # 60 | $INCLUDE dictionary.compat 61 | #$INCLUDE dictionary.usr.illegal 62 | #$INCLUDE dictionary.ascend.illegal 63 | 64 | # 65 | # Include the RFC dictionaries next. 66 | # 67 | # For a complete list of the standard attributes and values, 68 | # see: 69 | # http://www.iana.org/assignments/radius-types 70 | # 71 | $INCLUDE dictionary.rfc2865 72 | $INCLUDE dictionary.rfc2866 73 | $INCLUDE dictionary.rfc2867 74 | $INCLUDE dictionary.rfc2868 75 | $INCLUDE dictionary.rfc2869 76 | $INCLUDE dictionary.rfc3162 77 | $INCLUDE dictionary.rfc3576 78 | $INCLUDE dictionary.rfc3580 79 | $INCLUDE dictionary.rfc4072 80 | $INCLUDE dictionary.rfc4372 81 | $INCLUDE dictionary.rfc4603 82 | $INCLUDE dictionary.rfc4675 83 | $INCLUDE dictionary.rfc4679 84 | $INCLUDE dictionary.rfc4818 85 | $INCLUDE dictionary.rfc4849 86 | $INCLUDE dictionary.rfc5176 87 | $INCLUDE dictionary.rfc5580 88 | $INCLUDE dictionary.rfc5607 89 | $INCLUDE dictionary.rfc5904 90 | 91 | # 92 | # Include vendor dictionaries after the standard ones. 93 | # 94 | #$INCLUDE dictionary.3com 95 | #$INCLUDE dictionary.3gpp 96 | #$INCLUDE dictionary.3gpp2 97 | #$INCLUDE dictionary.acc 98 | #$INCLUDE dictionary.acme 99 | #$INCLUDE dictionary.airespace 100 | #$INCLUDE dictionary.alcatel 101 | #$INCLUDE dictionary.alcatel.sr 102 | #$INCLUDE dictionary.alteon 103 | #$INCLUDE dictionary.alvarion 104 | #$INCLUDE dictionary.apc 105 | #$INCLUDE dictionary.aruba 106 | #$INCLUDE dictionary.azaire 107 | #$INCLUDE dictionary.ascend 108 | #$INCLUDE dictionary.bay 109 | #$INCLUDE dictionary.bintec 110 | #$INCLUDE dictionary.cablelabs 111 | #$INCLUDE dictionary.cabletron 112 | #$INCLUDE dictionary.chillispot 113 | #$INCLUDE dictionary.cisco 114 | # 115 | # The Cisco VPN300 dictionary is the same as the altiga one. 116 | # You shouldn't use both at the same time. 
117 | # 118 | #$INCLUDE dictionary.cisco.vpn3000 119 | #$INCLUDE dictionary.cisco.vpn5000 120 | #$INCLUDE dictionary.cisco.bbsm 121 | #$INCLUDE dictionary.clavister 122 | #$INCLUDE dictionary.colubris 123 | #$INCLUDE dictionary.cosine 124 | #$INCLUDE dictionary.digium 125 | #$INCLUDE dictionary.eltex 126 | #$INCLUDE dictionary.epygi 127 | #$INCLUDE dictionary.erx 128 | #$INCLUDE dictionary.ericsson 129 | #$INCLUDE dictionary.extreme 130 | #$INCLUDE dictionary.freeradius 131 | #$INCLUDE dictionary.freeswitch 132 | #$INCLUDE dictionary.fortinet 133 | #$INCLUDE dictionary.foundry 134 | #$INCLUDE dictionary.gandalf 135 | #$INCLUDE dictionary.gemtek 136 | #$INCLUDE dictionary.h3c 137 | #$INCLUDE dictionary.hp 138 | #$INCLUDE dictionary.huawei 139 | #$INCLUDE dictionary.iea 140 | #$INCLUDE dictionary.infonet 141 | #$INCLUDE dictionary.issanni 142 | #$INCLUDE dictionary.itk 143 | #$INCLUDE dictionary.ipunplugged 144 | #$INCLUDE dictionary.juniper 145 | #$INCLUDE dictionary.jradius 146 | #$INCLUDE dictionary.karlnet 147 | #$INCLUDE dictionary.lancom 148 | #$INCLUDE dictionary.livingston 149 | #$INCLUDE dictionary.localweb 150 | #$INCLUDE dictionary.lucent 151 | #$INCLUDE dictionary.manzara 152 | #$INCLUDE dictionary.merit 153 | $INCLUDE dictionary.microsoft 154 | #$INCLUDE dictionary.mikrotik 155 | #$INCLUDE dictionary.motorola 156 | #$INCLUDE dictionary.motorola.wimax 157 | #$INCLUDE dictionary.navini 158 | #$INCLUDE dictionary.netscreen 159 | #$INCLUDE dictionary.networkphysics 160 | #$INCLUDE dictionary.nexans 161 | #$INCLUDE dictionary.ntua 162 | #$INCLUDE dictionary.nokia 163 | # 164 | # Commented out because of attribute conflicts. 165 | # 166 | #$INCLUDE dictionary.nokia.conflict 167 | #$INCLUDE dictionary.nomadix 168 | #$INCLUDE dictionary.nortel 169 | # 170 | # Commented out because of attribute conflicts. 
171 | # 172 | #$INCLUDE dictionary.openser 173 | #$INCLUDE dictionary.packeteer 174 | #$INCLUDE dictionary.patton 175 | #$INCLUDE dictionary.propel 176 | #$INCLUDE dictionary.prosoft 177 | #$INCLUDE dictionary.quiconnect 178 | #$INCLUDE dictionary.quintum 179 | #$INCLUDE dictionary.redback 180 | #$INCLUDE dictionary.redcreek 181 | #$INCLUDE dictionary.riverstone 182 | #$INCLUDE dictionary.roaringpenguin 183 | #$INCLUDE dictionary.shasta 184 | #$INCLUDE dictionary.shiva 185 | #$INCLUDE dictionary.siemens 186 | #$INCLUDE dictionary.slipstream 187 | #$INCLUDE dictionary.sonicwall 188 | #$INCLUDE dictionary.springtide 189 | #$INCLUDE dictionary.starent 190 | #$INCLUDE dictionary.symbol 191 | #$INCLUDE dictionary.telebit 192 | #$INCLUDE dictionary.trapeze 193 | #$INCLUDE dictionary.tropos 194 | #$INCLUDE dictionary.t_systems_nova 195 | #$INCLUDE dictionary.ukerna 196 | #$INCLUDE dictionary.unix 197 | #$INCLUDE dictionary.usr 198 | #$INCLUDE dictionary.utstarcom 199 | #$INCLUDE dictionary.valemount 200 | #$INCLUDE dictionary.versanet 201 | #$INCLUDE dictionary.vqp 202 | #$INCLUDE dictionary.waverider 203 | #$INCLUDE dictionary.walabi 204 | #$INCLUDE dictionary.wichorus 205 | #$INCLUDE dictionary.wimax 206 | #$INCLUDE dictionary.wispr 207 | #$INCLUDE dictionary.xedia 208 | #$INCLUDE dictionary.xylan 209 | #$INCLUDE dictionary.zyxel 210 | 211 | # 212 | # And finally the server internal attributes. 213 | # 214 | $INCLUDE dictionary.freeradius.internal 215 | 216 | # 217 | # Miscellaneous attributes defined in weird places that 218 | # don't really belong anywhere else... 
219 | # 220 | ATTRIBUTE Originating-Line-Info 94 string 221 | 222 | # As defined in draft-sterman-aaa-sip-00.txt 223 | ATTRIBUTE Digest-Response 206 string 224 | ATTRIBUTE Digest-Attributes 207 octets # stupid format 225 | 226 | # 227 | # Integer Translations 228 | # 229 | VALUE Service-Type Voice 12 230 | VALUE Service-Type Fax 13 231 | VALUE Service-Type Modem-Relay 14 232 | VALUE Service-Type IAPP-Register 15 233 | VALUE Service-Type IAPP-AP-Check 16 234 | 235 | VALUE Framed-Protocol GPRS-PDP-Context 7 236 | 237 | VALUE NAS-Port-Type Wireless-CDMA2000 22 238 | VALUE NAS-Port-Type Wireless-UMTS 23 239 | VALUE NAS-Port-Type Wireless-1X-EV 24 240 | VALUE NAS-Port-Type IAPP 25 241 | 242 | VALUE NAS-Port-Type FTTP 26 243 | VALUE NAS-Port-Type Wireless-802.16 27 244 | VALUE NAS-Port-Type Wireless-802.20 28 245 | VALUE NAS-Port-Type Wireless-802.22 29 246 | 247 | VALUE NAS-Port-Type xPON 35 248 | VALUE NAS-Port-Type Wireless-XGP 36 249 | 250 | VALUE Framed-Protocol PPTP 9 251 | -------------------------------------------------------------------------------- /raddb/dictionary.compat: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # Obsolete names for backwards compatibility with older users files. 4 | # Move the $INCLUDE in the main dictionary file to the end if you want 5 | # these names to be used in the "details" logfile. 
6 | # 7 | ATTRIBUTE Password 2 string encrypt=1 8 | ATTRIBUTE Client-Id 4 ipaddr 9 | ATTRIBUTE Client-Port-Id 5 integer 10 | ATTRIBUTE User-Service-Type 6 integer 11 | ATTRIBUTE Framed-Address 8 ipaddr 12 | ATTRIBUTE Framed-Netmask 9 ipaddr 13 | ATTRIBUTE Framed-Filter-Id 11 string 14 | ATTRIBUTE Login-Host 14 ipaddr 15 | ATTRIBUTE Login-Port 16 integer 16 | ATTRIBUTE Old-Password 17 string 17 | ATTRIBUTE Port-Message 18 string 18 | ATTRIBUTE Dialback-No 19 string 19 | ATTRIBUTE Dialback-Name 20 string 20 | ATTRIBUTE Challenge-State 24 string 21 | VALUE Framed-Compression Van-Jacobsen-TCP-IP 1 22 | VALUE Framed-Compression VJ-TCP-IP 1 23 | VALUE Service-Type Shell-User 6 24 | VALUE Auth-Type Unix 1 25 | VALUE Service-Type Dialback-Login-User 3 26 | VALUE Service-Type Dialback-Framed-User 4 27 | VALUE Service-Type Dialout-Framed-User 5 28 | 29 | # 30 | # For compatibility with MERIT users files. 31 | # 32 | ATTRIBUTE Login-Callback-Number 19 string 33 | ATTRIBUTE Framed-Callback-Id 20 string 34 | ATTRIBUTE Client-Port-DNIS 30 string 35 | ATTRIBUTE Caller-ID 31 string 36 | VALUE Service-Type Login 1 37 | VALUE Service-Type Framed 2 38 | VALUE Service-Type Callback-Login 3 39 | VALUE Service-Type Callback-Framed 4 40 | VALUE Service-Type Exec-User 7 41 | -------------------------------------------------------------------------------- /raddb/dictionary.freeradius: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # The FreeRADIUS Vendor-Specific dictionary. 4 | # 5 | # Version: $Id$ 6 | # 7 | # For a complete list of Private Enterprise Codes, see: 8 | # 9 | # http://www.isi.edu/in-notes/iana/assignments/enterprise-numbers 10 | # 11 | 12 | VENDOR FreeRADIUS 11344 13 | 14 | BEGIN-VENDOR FreeRADIUS 15 | 16 | ATTRIBUTE FreeRADIUS-Proxied-To 1 ipaddr 17 | ATTRIBUTE FreeRADIUS-Acct-Session-Start-Time 2 date 18 | 19 | 20 | # 21 | # This attribute is really a bitmask. 
22 | # 23 | ATTRIBUTE FreeRADIUS-Statistics-Type 127 integer 24 | 25 | VALUE FreeRADIUS-Statistics-Type None 0 26 | VALUE FreeRADIUS-Statistics-Type Authentication 1 27 | VALUE FreeRADIUS-Statistics-Type Accounting 2 28 | VALUE FreeRADIUS-Statistics-Type Proxy-Authentication 4 29 | VALUE FreeRADIUS-Statistics-Type Proxy-Accounting 8 30 | VALUE FreeRADIUS-Statistics-Type Internal 0x10 31 | VALUE FreeRADIUS-Statistics-Type Client 0x20 32 | VALUE FreeRADIUS-Statistics-Type Server 0x40 33 | VALUE FreeRADIUS-Statistics-Type Home-Server 0x80 34 | 35 | VALUE FreeRADIUS-Statistics-Type Auth-Acct 0x03 36 | VALUE FreeRADIUS-Statistics-Type Proxy-Auth-Acct 0x0c 37 | 38 | VALUE FreeRADIUS-Statistics-Type All 0x1f 39 | 40 | # 41 | # Global authentication statistics for packets received by the server. 42 | # 43 | ATTRIBUTE FreeRADIUS-Total-Access-Requests 128 integer 44 | ATTRIBUTE FreeRADIUS-Total-Access-Accepts 129 integer 45 | ATTRIBUTE FreeRADIUS-Total-Access-Rejects 130 integer 46 | ATTRIBUTE FreeRADIUS-Total-Access-Challenges 131 integer 47 | ATTRIBUTE FreeRADIUS-Total-Auth-Responses 132 integer 48 | ATTRIBUTE FreeRADIUS-Total-Auth-Duplicate-Requests 133 integer 49 | ATTRIBUTE FreeRADIUS-Total-Auth-Malformed-Requests 134 integer 50 | ATTRIBUTE FreeRADIUS-Total-Auth-Invalid-Requests 135 integer 51 | ATTRIBUTE FreeRADIUS-Total-Auth-Dropped-Requests 136 integer 52 | ATTRIBUTE FreeRADIUS-Total-Auth-Unknown-Types 137 integer 53 | 54 | # 55 | # Global statistics for auth packets sent by the server to all home servers 56 | # 57 | ATTRIBUTE FreeRADIUS-Total-Proxy-Access-Requests 138 integer 58 | ATTRIBUTE FreeRADIUS-Total-Proxy-Access-Accepts 139 integer 59 | ATTRIBUTE FreeRADIUS-Total-Proxy-Access-Rejects 140 integer 60 | ATTRIBUTE FreeRADIUS-Total-Proxy-Access-Challenges 141 integer 61 | ATTRIBUTE FreeRADIUS-Total-Proxy-Auth-Responses 142 integer 62 | ATTRIBUTE FreeRADIUS-Total-Proxy-Auth-Duplicate-Requests 143 integer 63 | ATTRIBUTE 
FreeRADIUS-Total-Proxy-Auth-Malformed-Requests 144 integer 64 | ATTRIBUTE FreeRADIUS-Total-Proxy-Auth-Invalid-Requests 145 integer 65 | ATTRIBUTE FreeRADIUS-Total-Proxy-Auth-Dropped-Requests 146 integer 66 | ATTRIBUTE FreeRADIUS-Total-Proxy-Auth-Unknown-Types 147 integer 67 | 68 | # 69 | # Global accounting statistics for packets received by the server. 70 | # 71 | ATTRIBUTE FreeRADIUS-Total-Accounting-Requests 148 integer 72 | ATTRIBUTE FreeRADIUS-Total-Accounting-Responses 149 integer 73 | ATTRIBUTE FreeRADIUS-Total-Acct-Duplicate-Requests 150 integer 74 | ATTRIBUTE FreeRADIUS-Total-Acct-Malformed-Requests 151 integer 75 | ATTRIBUTE FreeRADIUS-Total-Acct-Invalid-Requests 152 integer 76 | ATTRIBUTE FreeRADIUS-Total-Acct-Dropped-Requests 153 integer 77 | ATTRIBUTE FreeRADIUS-Total-Acct-Unknown-Types 154 integer 78 | 79 | # 80 | # Global statistics for acct packets sent by the server to all home servers 81 | # 82 | ATTRIBUTE FreeRADIUS-Total-Proxy-Accounting-Requests 155 integer 83 | ATTRIBUTE FreeRADIUS-Total-Proxy-Accounting-Responses 156 integer 84 | ATTRIBUTE FreeRADIUS-Total-Proxy-Acct-Duplicate-Requests 157 integer 85 | ATTRIBUTE FreeRADIUS-Total-Proxy-Acct-Malformed-Requests 158 integer 86 | ATTRIBUTE FreeRADIUS-Total-Proxy-Acct-Invalid-Requests 159 integer 87 | ATTRIBUTE FreeRADIUS-Total-Proxy-Acct-Dropped-Requests 160 integer 88 | ATTRIBUTE FreeRADIUS-Total-Proxy-Acct-Unknown-Types 161 integer 89 | 90 | # 91 | # Internal queues. Different packet types are put into different queues. 
92 | # 93 | ATTRIBUTE FreeRADIUS-Queue-Len-Internal 162 integer 94 | ATTRIBUTE FreeRADIUS-Queue-Len-Proxy 163 integer 95 | ATTRIBUTE FreeRADIUS-Queue-Len-Auth 164 integer 96 | ATTRIBUTE FreeRADIUS-Queue-Len-Acct 165 integer 97 | ATTRIBUTE FreeRADIUS-Queue-Len-Detail 166 integer 98 | 99 | ATTRIBUTE FreeRADIUS-Stats-Client-IP-Address 167 ipaddr 100 | ATTRIBUTE FreeRADIUS-Stats-Client-Number 168 integer 101 | ATTRIBUTE FreeRADIUS-Stats-Client-Netmask 169 integer 102 | 103 | ATTRIBUTE FreeRADIUS-Stats-Server-IP-Address 170 ipaddr 104 | ATTRIBUTE FreeRADIUS-Stats-Server-Port 171 integer 105 | 106 | ATTRIBUTE FreeRADIUS-Stats-Server-Outstanding-Requests 172 integer 107 | ATTRIBUTE FreeRADIUS-Stats-Server-State 173 integer 108 | 109 | VALUE FreeRADIUS-Stats-Server-State Alive 0 110 | VALUE FreeRADIUS-Stats-Server-State Zombie 1 111 | VALUE FreeRADIUS-Stats-Server-State Dead 2 112 | 113 | # 114 | # When a home server is marked "dead" or "alive" 115 | # 116 | ATTRIBUTE FreeRADIUS-Stats-Server-Time-Of-Death 174 date 117 | ATTRIBUTE FreeRADIUS-Stats-Server-Time-Of-Life 175 date 118 | 119 | # 120 | # When this server was started. If start == hup, it hasn't been 121 | # hup'd yet. This is friendlier than having hup == 0 on start. 122 | # 123 | ATTRIBUTE FreeRADIUS-Stats-Start-Time 176 date 124 | ATTRIBUTE FreeRADIUS-Stats-HUP-Time 177 date 125 | 126 | # 127 | # Exponential moving average of home server response time 128 | # Window-1 is the average is calculated over "window" packets. 129 | # Window-10 is the average is calculated over "10 * window" packets. 130 | # 131 | # Both Window-1 and Window-10 are times in microseconds 132 | # (1/1000000 of a second). 
133 | # 134 | ATTRIBUTE FreeRADIUS-Server-EMA-Window 178 integer 135 | ATTRIBUTE FreeRADIUS-Server-EMA-USEC-Window-1 179 integer 136 | ATTRIBUTE FreeRADIUS-Server-EMA-USEC-Window-10 180 integer 137 | 138 | END-VENDOR FreeRADIUS 139 | -------------------------------------------------------------------------------- /raddb/dictionary.freeradius.internal: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # Non Protocol Attributes used by FreeRADIUS 4 | # 5 | # $Id$ 6 | # 7 | 8 | # The attributes number ranges are allocates as follows: 9 | # 10 | # Range: 500-999 11 | # server-side attributes which can go in a reply list 12 | 13 | # These attributes CAN go in the reply item list. 14 | ATTRIBUTE Fall-Through 500 integer 15 | ATTRIBUTE Relax-Filter 501 integer 16 | ATTRIBUTE Exec-Program 502 string 17 | ATTRIBUTE Exec-Program-Wait 503 string 18 | 19 | # These attributes CANNOT go in the reply item list. 20 | 21 | # 22 | # Range: 1000+ 23 | # Attributes which cannot go in a reply list. 24 | # 25 | # 26 | # Range: 1000-1199 27 | # Miscellaneous server attributes. 
28 | # 29 | # 30 | # Non-Protocol Attributes 31 | # These attributes are used internally by the server 32 | # 33 | ATTRIBUTE Auth-Type 1000 integer 34 | ATTRIBUTE Menu 1001 string 35 | ATTRIBUTE Termination-Menu 1002 string 36 | ATTRIBUTE Prefix 1003 string 37 | ATTRIBUTE Suffix 1004 string 38 | ATTRIBUTE Group 1005 string 39 | ATTRIBUTE Crypt-Password 1006 string 40 | ATTRIBUTE Connect-Rate 1007 integer 41 | ATTRIBUTE Add-Prefix 1008 string 42 | ATTRIBUTE Add-Suffix 1009 string 43 | ATTRIBUTE Expiration 1010 date 44 | ATTRIBUTE Autz-Type 1011 integer 45 | ATTRIBUTE Acct-Type 1012 integer 46 | ATTRIBUTE Session-Type 1013 integer 47 | ATTRIBUTE Post-Auth-Type 1014 integer 48 | ATTRIBUTE Pre-Proxy-Type 1015 integer 49 | ATTRIBUTE Post-Proxy-Type 1016 integer 50 | ATTRIBUTE Pre-Acct-Type 1017 integer 51 | 52 | # 53 | # This is the EAP type of authentication, which is set 54 | # by the EAP module, for informational purposes only. 55 | # 56 | ATTRIBUTE EAP-Type 1018 integer 57 | ATTRIBUTE EAP-TLS-Require-Client-Cert 1019 integer 58 | ATTRIBUTE EAP-Id 1020 integer 59 | ATTRIBUTE EAP-Code 1021 integer 60 | # Attribute 1022 unused, was EAP-MD5-Password, which was 61 | # used only be radeapclient. 
It's been replaced by Cleartext-Password 62 | ATTRIBUTE PEAP-Version 1023 integer 63 | ATTRIBUTE Client-Shortname 1024 string 64 | ATTRIBUTE Load-Balance-Key 1025 string 65 | ATTRIBUTE Raw-Attribute 1026 octets 66 | ATTRIBUTE TNC-VLAN-Access 1027 string 67 | ATTRIBUTE TNC-VLAN-Isolate 1028 string 68 | ATTRIBUTE User-Category 1029 string 69 | ATTRIBUTE Group-Name 1030 string 70 | ATTRIBUTE Huntgroup-Name 1031 string 71 | ATTRIBUTE Simultaneous-Use 1034 integer 72 | ATTRIBUTE Strip-User-Name 1035 integer 73 | ATTRIBUTE Hint 1040 string 74 | ATTRIBUTE Pam-Auth 1041 string 75 | ATTRIBUTE Login-Time 1042 string 76 | ATTRIBUTE Stripped-User-Name 1043 string 77 | ATTRIBUTE Current-Time 1044 string 78 | ATTRIBUTE Realm 1045 string 79 | ATTRIBUTE No-Such-Attribute 1046 string 80 | ATTRIBUTE Packet-Type 1047 integer 81 | ATTRIBUTE Proxy-To-Realm 1048 string 82 | ATTRIBUTE Replicate-To-Realm 1049 string 83 | ATTRIBUTE Acct-Session-Start-Time 1050 date 84 | ATTRIBUTE Acct-Unique-Session-Id 1051 string 85 | ATTRIBUTE Client-IP-Address 1052 ipaddr 86 | ATTRIBUTE Ldap-UserDn 1053 string 87 | ATTRIBUTE NS-MTA-MD5-Password 1054 string 88 | ATTRIBUTE SQL-User-Name 1055 string 89 | ATTRIBUTE LM-Password 1057 octets 90 | ATTRIBUTE NT-Password 1058 octets 91 | ATTRIBUTE SMB-Account-CTRL 1059 integer 92 | ATTRIBUTE SMB-Account-CTRL-TEXT 1061 string 93 | ATTRIBUTE User-Profile 1062 string 94 | ATTRIBUTE Digest-Realm 1063 string 95 | ATTRIBUTE Digest-Nonce 1064 string 96 | ATTRIBUTE Digest-Method 1065 string 97 | ATTRIBUTE Digest-URI 1066 string 98 | ATTRIBUTE Digest-QOP 1067 string 99 | ATTRIBUTE Digest-Algorithm 1068 string 100 | ATTRIBUTE Digest-Body-Digest 1069 string 101 | ATTRIBUTE Digest-CNonce 1070 string 102 | ATTRIBUTE Digest-Nonce-Count 1071 string 103 | ATTRIBUTE Digest-User-Name 1072 string 104 | ATTRIBUTE Pool-Name 1073 string 105 | ATTRIBUTE Ldap-Group 1074 string 106 | ATTRIBUTE Module-Success-Message 1075 string 107 | ATTRIBUTE Module-Failure-Message 1076 string 108 | # 
X99-Fast 1077 integer 109 | ATTRIBUTE Rewrite-Rule 1078 string 110 | ATTRIBUTE Sql-Group 1079 string 111 | ATTRIBUTE Response-Packet-Type 1080 integer 112 | ATTRIBUTE Digest-HA1 1081 string 113 | ATTRIBUTE MS-CHAP-Use-NTLM-Auth 1082 integer 114 | ATTRIBUTE NTLM-User-Name 1083 string 115 | ATTRIBUTE MS-CHAP-User-Name 1083 string 116 | ATTRIBUTE Packet-Src-IP-Address 1084 ipaddr 117 | ATTRIBUTE Packet-Dst-IP-Address 1085 ipaddr 118 | ATTRIBUTE Packet-Src-Port 1086 integer 119 | ATTRIBUTE Packet-Dst-Port 1087 integer 120 | ATTRIBUTE Packet-Authentication-Vector 1088 octets 121 | ATTRIBUTE Time-Of-Day 1089 string 122 | ATTRIBUTE Request-Processing-Stage 1090 string 123 | ATTRIBUTE Cache-No-Caching 1091 string 124 | ATTRIBUTE Cache-Delete-Cache 1092 string 125 | ATTRIBUTE SHA-Password 1093 octets 126 | ATTRIBUTE SSHA-Password 1094 octets 127 | ATTRIBUTE SHA1-Password 1093 octets 128 | ATTRIBUTE SSHA1-Password 1094 octets 129 | ATTRIBUTE MD5-Password 1095 octets 130 | ATTRIBUTE SMD5-Password 1096 octets 131 | ATTRIBUTE Packet-Src-IPv6-Address 1097 ipv6addr 132 | ATTRIBUTE Packet-Dst-IPv6-Address 1098 ipv6addr 133 | ATTRIBUTE Virtual-Server 1099 string 134 | ATTRIBUTE Cleartext-Password 1100 string 135 | ATTRIBUTE Password-With-Header 1101 string 136 | ATTRIBUTE Inner-Tunnel-User-Name 1102 string 137 | 138 | # 139 | # EAP-IKEv2 is experimental. 
140 | # 141 | ATTRIBUTE EAP-IKEv2-IDType 1103 integer 142 | 143 | VALUE EAP-IKEv2-IDType IPV4_ADDR 1 144 | VALUE EAP-IKEv2-IDType FQDN 2 145 | VALUE EAP-IKEv2-IDType RFC822_ADDR 3 146 | VALUE EAP-IKEv2-IDType IPV6_ADDR 5 147 | VALUE EAP-IKEv2-IDType DER_ASN1_DN 9 148 | VALUE EAP-IKEv2-IDType DER_ASN1_GN 10 149 | VALUE EAP-IKEv2-IDType KEY_ID 11 150 | 151 | ATTRIBUTE EAP-IKEv2-ID 1104 string 152 | ATTRIBUTE EAP-IKEv2-Secret 1105 string 153 | ATTRIBUTE EAP-IKEv2-AuthType 1106 integer 154 | 155 | VALUE EAP-IKEv2-AuthType none 0 156 | VALUE EAP-IKEv2-AuthType secret 1 157 | VALUE EAP-IKEv2-AuthType cert 2 158 | VALUE EAP-IKEv2-AuthType both 3 159 | 160 | ATTRIBUTE Send-Disconnect-Request 1107 integer 161 | ATTRIBUTE Send-CoA-Request 1107 integer 162 | 163 | VALUE Send-CoA-Request No 0 164 | VALUE Send-CoA-Request Yes 1 165 | 166 | ATTRIBUTE Module-Return-Code 1108 integer 167 | 168 | VALUE Module-Return-Code reject 0 169 | VALUE Module-Return-Code fail 1 170 | VALUE Module-Return-Code ok 2 171 | VALUE Module-Return-Code handled 3 172 | VALUE Module-Return-Code invalid 4 173 | VALUE Module-Return-Code userlock 5 174 | VALUE Module-Return-Code notfound 6 175 | VALUE Module-Return-Code noop 7 176 | VALUE Module-Return-Code updated 8 177 | 178 | ATTRIBUTE Packet-Original-Timestamp 1109 date 179 | ATTRIBUTE SQL-Table-Name 1110 string 180 | ATTRIBUTE Home-Server-Pool 1111 string 181 | 182 | ATTRIBUTE FreeRADIUS-Client-IP-Address 1120 ipaddr 183 | ATTRIBUTE FreeRADIUS-Client-IPv6-Address 1121 ipv6addr 184 | ATTRIBUTE FreeRADIUS-Client-Require-MA 1122 integer 185 | 186 | VALUE FreeRADIUS-Client-Require-MA no 0 187 | VALUE FreeRADIUS-Client-Require-MA yes 1 188 | 189 | ATTRIBUTE FreeRADIUS-Client-Secret 1123 string 190 | ATTRIBUTE FreeRADIUS-Client-Shortname 1124 string 191 | ATTRIBUTE FreeRADIUS-Client-NAS-Type 1125 string 192 | ATTRIBUTE FreeRADIUS-Client-Virtual-Server 1126 string 193 | 194 | # For session resumption 195 | ATTRIBUTE Allow-Session-Resumption 1127 integer 196 
| 197 | VALUE Allow-Session-Resumption no 0 198 | VALUE Allow-Session-Resumption yes 1 199 | 200 | ATTRIBUTE EAP-Session-Resumed 1128 integer 201 | 202 | VALUE EAP-Session-Resumed no 0 203 | VALUE EAP-Session-Resumed yes 1 204 | 205 | # 206 | # Expose EAP keys in the reply. 207 | # 208 | ATTRIBUTE EAP-MSK 1129 octets 209 | ATTRIBUTE EAP-EMSK 1130 octets 210 | 211 | # 212 | # For send/recv CoA packets (like Auth-Type, Acct-Type, etc.) 213 | # 214 | ATTRIBUTE Recv-CoA-Type 1131 integer 215 | ATTRIBUTE Send-CoA-Type 1132 integer 216 | 217 | ATTRIBUTE MS-CHAP-Password 1133 string 218 | ATTRIBUTE Packet-Transmit-Counter 1134 integer 219 | ATTRIBUTE Cached-Session-Policy 1135 string 220 | 221 | # 222 | # Range: 1200-1279 223 | # EAP-SIM (and other EAP type) weirdness. 224 | # 225 | # For EAP-SIM, some attribute definitions for database interface 226 | # 227 | ATTRIBUTE EAP-Sim-Subtype 1200 integer 228 | 229 | ATTRIBUTE EAP-Sim-Rand1 1201 octets 230 | ATTRIBUTE EAP-Sim-Rand2 1202 octets 231 | ATTRIBUTE EAP-Sim-Rand3 1203 octets 232 | 233 | ATTRIBUTE EAP-Sim-SRES1 1204 octets 234 | ATTRIBUTE EAP-Sim-SRES2 1205 octets 235 | ATTRIBUTE EAP-Sim-SRES3 1206 octets 236 | 237 | VALUE EAP-Sim-Subtype Start 10 238 | VALUE EAP-Sim-Subtype Challenge 11 239 | VALUE EAP-Sim-Subtype Notification 12 240 | VALUE EAP-Sim-Subtype Re-authentication 13 241 | 242 | # this attribute is used internally by the client code. 
243 | ATTRIBUTE EAP-Sim-State 1207 integer 244 | 245 | ATTRIBUTE EAP-Sim-IMSI 1208 string 246 | ATTRIBUTE EAP-Sim-HMAC 1209 string 247 | ATTRIBUTE EAP-Sim-KEY 1210 octets 248 | ATTRIBUTE EAP-Sim-EXTRA 1211 octets 249 | 250 | ATTRIBUTE EAP-Sim-KC1 1212 octets 251 | ATTRIBUTE EAP-Sim-KC2 1213 octets 252 | ATTRIBUTE EAP-Sim-KC3 1214 octets 253 | 254 | # 255 | # Range: 1280 - 1535 256 | # EAP-type specific attributes 257 | # 258 | 259 | # these are PW_EAP_X + 1280 260 | ATTRIBUTE EAP-Type-Identity 1281 string 261 | ATTRIBUTE EAP-Type-Notification 1282 string 262 | ATTRIBUTE EAP-Type-NAK 1283 string 263 | ATTRIBUTE EAP-Type-MD5 1284 octets 264 | ATTRIBUTE EAP-Type-OTP 1285 string 265 | ATTRIBUTE EAP-Type-GTC 1286 string 266 | ATTRIBUTE EAP-Type-TLS 1297 octets 267 | ATTRIBUTE EAP-Type-SIM 1298 octets 268 | ATTRIBUTE EAP-Type-LEAP 1301 octets 269 | ATTRIBUTE EAP-Type-SIM2 1302 octets 270 | ATTRIBUTE EAP-Type-TTLS 1305 octets 271 | ATTRIBUTE EAP-Type-PEAP 1309 octets 272 | 273 | # 274 | # Range: 1536 - 1791 275 | # EAP Sim sub-types. 
276 | # 277 | 278 | # these are PW_EAP_SIM_X + 1536 279 | ATTRIBUTE EAP-Sim-RAND 1537 octets 280 | ATTRIBUTE EAP-Sim-PADDING 1542 octets 281 | ATTRIBUTE EAP-Sim-NONCE_MT 1543 octets 282 | ATTRIBUTE EAP-Sim-PERMANENT_ID_REQ 1546 octets 283 | ATTRIBUTE EAP-Sim-MAC 1547 octets 284 | ATTRIBUTE EAP-Sim-NOTIFICATION 1548 octets 285 | ATTRIBUTE EAP-Sim-ANY_ID_REQ 1549 octets 286 | ATTRIBUTE EAP-Sim-IDENTITY 1550 octets 287 | ATTRIBUTE EAP-Sim-VERSION_LIST 1551 octets 288 | ATTRIBUTE EAP-Sim-SELECTED_VERSION 1552 octets 289 | ATTRIBUTE EAP-Sim-FULLAUTH_ID_REQ 1553 octets 290 | ATTRIBUTE EAP-Sim-COUNTER 1555 octets 291 | ATTRIBUTE EAP-Sim-COUNTER_TOO_SMALL 1556 octets 292 | ATTRIBUTE EAP-Sim-NONCE_S 1557 octets 293 | ATTRIBUTE EAP-Sim-IV 1665 octets 294 | ATTRIBUTE EAP-Sim-ENCR_DATA 1666 octets 295 | ATTRIBUTE EAP-Sim-NEXT_PSEUDONUM 1668 octets 296 | ATTRIBUTE EAP-Sim-NEXT_REAUTH_ID 1669 octets 297 | ATTRIBUTE EAP-Sim-CHECKCODE 1670 octets 298 | 299 | # 300 | # Range: 1800-1899 301 | # Temporary attributes, for local storage. 
302 | # 303 | ATTRIBUTE Tmp-String-0 1800 string 304 | ATTRIBUTE Tmp-String-1 1801 string 305 | ATTRIBUTE Tmp-String-2 1802 string 306 | ATTRIBUTE Tmp-String-3 1803 string 307 | ATTRIBUTE Tmp-String-4 1804 string 308 | ATTRIBUTE Tmp-String-5 1805 string 309 | ATTRIBUTE Tmp-String-6 1806 string 310 | ATTRIBUTE Tmp-String-7 1807 string 311 | ATTRIBUTE Tmp-String-8 1808 string 312 | ATTRIBUTE Tmp-String-9 1809 string 313 | 314 | ATTRIBUTE Tmp-Integer-0 1810 integer 315 | ATTRIBUTE Tmp-Integer-1 1811 integer 316 | ATTRIBUTE Tmp-Integer-2 1812 integer 317 | ATTRIBUTE Tmp-Integer-3 1813 integer 318 | ATTRIBUTE Tmp-Integer-4 1814 integer 319 | ATTRIBUTE Tmp-Integer-5 1815 integer 320 | ATTRIBUTE Tmp-Integer-6 1816 integer 321 | ATTRIBUTE Tmp-Integer-7 1817 integer 322 | ATTRIBUTE Tmp-Integer-8 1818 integer 323 | ATTRIBUTE Tmp-Integer-9 1819 integer 324 | 325 | ATTRIBUTE Tmp-IP-Address-0 1820 ipaddr 326 | ATTRIBUTE Tmp-IP-Address-1 1821 ipaddr 327 | ATTRIBUTE Tmp-IP-Address-2 1822 ipaddr 328 | ATTRIBUTE Tmp-IP-Address-3 1823 ipaddr 329 | ATTRIBUTE Tmp-IP-Address-4 1824 ipaddr 330 | ATTRIBUTE Tmp-IP-Address-5 1825 ipaddr 331 | ATTRIBUTE Tmp-IP-Address-6 1826 ipaddr 332 | ATTRIBUTE Tmp-IP-Address-7 1827 ipaddr 333 | ATTRIBUTE Tmp-IP-Address-8 1828 ipaddr 334 | ATTRIBUTE Tmp-IP-Address-9 1829 ipaddr 335 | 336 | # Range: 1900-1909 337 | # WiMAX server-side attributes. 338 | # 339 | # These are NOT sent in a packet, but are otherwise 340 | # available for testing and validation. The various 341 | # things that *are* sent in a packet are derived from 342 | # these attributes. 
343 | # 344 | ATTRIBUTE WiMAX-MN-NAI 1900 string 345 | 346 | ATTRIBUTE TLS-Cert-Serial 1910 string 347 | ATTRIBUTE TLS-Cert-Expiration 1911 string 348 | ATTRIBUTE TLS-Cert-Issuer 1912 string 349 | ATTRIBUTE TLS-Cert-Subject 1913 string 350 | ATTRIBUTE TLS-Cert-Common-Name 1914 string 351 | # 1915 - 1919: reserved for future cert attributes 352 | ATTRIBUTE TLS-Client-Cert-Serial 1920 string 353 | ATTRIBUTE TLS-Client-Cert-Expiration 1921 string 354 | ATTRIBUTE TLS-Client-Cert-Issuer 1922 string 355 | ATTRIBUTE TLS-Client-Cert-Subject 1923 string 356 | ATTRIBUTE TLS-Client-Cert-Common-Name 1924 string 357 | ATTRIBUTE TLS-Client-Cert-Filename 1925 string 358 | 359 | # 360 | # Range: 1910-2099 361 | # Free 362 | # 363 | # Range: 2100-2199 364 | # SoH attributes; FIXME: these should really be protocol attributes 365 | # so that the SoH radius request can be proxied, but from which 366 | # vendor? Sigh... 367 | # 368 | ATTRIBUTE SoH-MS-Machine-OS-vendor 2100 integer 369 | VALUE SoH-MS-Machine-OS-vendor Microsoft 311 370 | 371 | ATTRIBUTE SoH-MS-Machine-OS-version 2101 integer 372 | ATTRIBUTE SoH-MS-Machine-OS-release 2102 integer 373 | ATTRIBUTE SoH-MS-Machine-OS-build 2103 integer 374 | ATTRIBUTE SoH-MS-Machine-SP-version 2104 integer 375 | ATTRIBUTE SoH-MS-Machine-SP-release 2105 integer 376 | 377 | ATTRIBUTE SoH-MS-Machine-Processor 2106 integer 378 | VALUE SoH-MS-Machine-Processor x86 0 379 | VALUE SoH-MS-Machine-Processor i64 6 380 | VALUE SoH-MS-Machine-Processor x86_64 9 381 | 382 | ATTRIBUTE SoH-MS-Machine-Name 2107 string 383 | ATTRIBUTE SoH-MS-Correlation-Id 2108 octets 384 | ATTRIBUTE SoH-MS-Machine-Role 2109 integer 385 | VALUE SoH-MS-Machine-Role client 1 386 | VALUE SoH-MS-Machine-Role dc 2 387 | VALUE SoH-MS-Machine-Role server 3 388 | 389 | 390 | ATTRIBUTE SoH-Supported 2119 integer 391 | VALUE SoH-Supported no 0 392 | VALUE SoH-Supported yes 1 393 | 394 | ATTRIBUTE SoH-MS-Windows-Health-Status 2120 string 395 | ATTRIBUTE SoH-MS-Health-Other 2129 string 
396 | 397 | # 398 | # Range: 2200-2999 399 | # Free 400 | # 401 | # Range: 3000-3999 402 | # Site-local attributes (see raddb/dictionary.in) 403 | # Do NOT define attributes in this range! 404 | # 405 | # Range: 4000-65535 406 | # Unused 407 | # 408 | # Range: 65536- 409 | # Invalid. Don't use. 410 | # 411 | 412 | # 413 | # Non-Protocol Integer Translations 414 | # 415 | 416 | VALUE Auth-Type Local 0 417 | VALUE Auth-Type System 1 418 | VALUE Auth-Type SecurID 2 419 | VALUE Auth-Type Crypt-Local 3 420 | VALUE Auth-Type Reject 4 421 | VALUE Auth-Type ActivCard 5 422 | VALUE Auth-Type EAP 6 423 | VALUE Auth-Type ARAP 7 424 | 425 | # 426 | # FreeRADIUS extensions (most originally from Cistron) 427 | # 428 | VALUE Auth-Type Accept 254 429 | 430 | VALUE Auth-Type PAP 1024 431 | VALUE Auth-Type CHAP 1025 432 | # 1026 was LDAP, but we deleted it. Adding it back will break the 433 | # ldap module. 434 | VALUE Auth-Type PAM 1027 435 | VALUE Auth-Type MS-CHAP 1028 436 | VALUE Auth-Type MSCHAP 1028 437 | VALUE Auth-Type Kerberos 1029 438 | VALUE Auth-Type CRAM 1030 439 | VALUE Auth-Type NS-MTA-MD5 1031 440 | # 1032 is unused (was a duplicate of CRAM) 441 | VALUE Auth-Type SMB 1033 442 | VALUE Auth-Type MS-CHAP-V2 1034 443 | 444 | # 445 | # Authorization type, too. 
446 | # 447 | VALUE Autz-Type Local 0 448 | 449 | # 450 | # And accounting 451 | # 452 | VALUE Acct-Type Local 0 453 | 454 | # 455 | # And Session handling 456 | # 457 | VALUE Session-Type Local 0 458 | 459 | # 460 | # And Post-Auth 461 | VALUE Post-Auth-Type Local 0 462 | 463 | # 464 | # Experimental Non-Protocol Integer Translations for FreeRADIUS 465 | # 466 | VALUE Fall-Through No 0 467 | VALUE Fall-Through Yes 1 468 | 469 | VALUE Relax-Filter No 0 470 | VALUE Relax-Filter Yes 1 471 | 472 | VALUE Strip-User-Name No 0 473 | VALUE Strip-User-Name Yes 1 474 | 475 | VALUE Packet-Type Access-Request 1 476 | VALUE Packet-Type Access-Accept 2 477 | VALUE Packet-Type Access-Reject 3 478 | VALUE Packet-Type Accounting-Request 4 479 | VALUE Packet-Type Accounting-Response 5 480 | VALUE Packet-Type Accounting-Status 6 481 | VALUE Packet-Type Password-Request 7 482 | VALUE Packet-Type Password-Accept 8 483 | VALUE Packet-Type Password-Reject 9 484 | VALUE Packet-Type Accounting-Message 10 485 | VALUE Packet-Type Access-Challenge 11 486 | VALUE Packet-Type Status-Server 12 487 | VALUE Packet-Type Status-Client 13 488 | 489 | # 490 | # The following packet types are described in RFC 2882, 491 | # but they are NOT part of the RADIUS standard. Instead, 492 | # they are informational about vendor-specific extensions 493 | # to the RADIUS standard. 
494 | # 495 | VALUE Packet-Type Resource-Free-Request 21 496 | VALUE Packet-Type Resource-Free-Response 22 497 | VALUE Packet-Type Resource-Query-Request 23 498 | VALUE Packet-Type Resource-Query-Response 24 499 | VALUE Packet-Type Alternate-Resource-Reclaim-Request 25 500 | VALUE Packet-Type NAS-Reboot-Request 26 501 | VALUE Packet-Type NAS-Reboot-Response 27 502 | VALUE Packet-Type Next-Passcode 29 503 | VALUE Packet-Type New-Pin 30 504 | VALUE Packet-Type Terminate-Session 31 505 | VALUE Packet-Type Password-Expired 32 506 | VALUE Packet-Type Event-Request 33 507 | VALUE Packet-Type Event-Response 34 508 | 509 | # RFC 3576 allocates packet types 40-45 510 | 511 | VALUE Packet-Type Disconnect-Request 40 512 | VALUE Packet-Type Disconnect-ACK 41 513 | VALUE Packet-Type Disconnect-NAK 42 514 | VALUE Packet-Type CoA-Request 43 515 | VALUE Packet-Type CoA-ACK 44 516 | VALUE Packet-Type CoA-NAK 45 517 | 518 | VALUE Packet-Type IP-Address-Allocate 50 519 | VALUE Packet-Type IP-Address-Release 51 520 | 521 | VALUE Response-Packet-Type Access-Request 1 522 | VALUE Response-Packet-Type Access-Accept 2 523 | VALUE Response-Packet-Type Access-Reject 3 524 | VALUE Response-Packet-Type Accounting-Request 4 525 | VALUE Response-Packet-Type Accounting-Response 5 526 | VALUE Response-Packet-Type Accounting-Status 6 527 | VALUE Response-Packet-Type Password-Request 7 528 | VALUE Response-Packet-Type Password-Accept 8 529 | VALUE Response-Packet-Type Password-Reject 9 530 | VALUE Response-Packet-Type Accounting-Message 10 531 | VALUE Response-Packet-Type Access-Challenge 11 532 | VALUE Response-Packet-Type Status-Server 12 533 | VALUE Response-Packet-Type Status-Client 13 534 | 535 | VALUE Response-Packet-Type Disconnect-Request 40 536 | VALUE Response-Packet-Type Disconnect-ACK 41 537 | VALUE Response-Packet-Type Disconnect-NAK 42 538 | VALUE Response-Packet-Type CoA-Request 43 539 | VALUE Response-Packet-Type CoA-ACK 44 540 | VALUE Response-Packet-Type CoA-NAK 45 541 | # 542 | # 
Special value 543 | # 544 | VALUE Response-Packet-Type Do-Not-Respond 256 545 | 546 | # 547 | # EAP Sub-types, inside of Request and Response packets 548 | # 549 | # http://www.iana.org/assignments/ppp-numbers 550 | # "PPP EAP REQUEST/RESPONSE TYPES" 551 | # 552 | # 553 | # See dictionary.microsoft, MS-Acct-EAP-Type for similar definitions 554 | # 555 | VALUE EAP-Type None 0 556 | VALUE EAP-Type Identity 1 557 | VALUE EAP-Type Notification 2 558 | VALUE EAP-Type NAK 3 559 | VALUE EAP-Type MD5-Challenge 4 560 | VALUE EAP-Type One-Time-Password 5 561 | VALUE EAP-Type Generic-Token-Card 6 562 | VALUE EAP-Type RSA-Public-Key 9 563 | VALUE EAP-Type DSS-Unilateral 10 564 | VALUE EAP-Type KEA 11 565 | VALUE EAP-Type KEA-Validate 12 566 | VALUE EAP-Type EAP-TLS 13 567 | VALUE EAP-Type Defender-Token 14 568 | VALUE EAP-Type RSA-SecurID-EAP 15 569 | VALUE EAP-Type Arcot-Systems-EAP 16 570 | VALUE EAP-Type Cisco-LEAP 17 571 | VALUE EAP-Type Nokia-IP-Smart-Card 18 572 | VALUE EAP-Type SIM 18 573 | VALUE EAP-Type SRP-SHA1-Part-1 19 574 | VALUE EAP-Type SRP-SHA1-Part-2 20 575 | VALUE EAP-Type EAP-TTLS 21 576 | VALUE EAP-Type Remote-Access-Service 22 577 | VALUE EAP-Type UMTS 23 578 | VALUE EAP-Type EAP-3Com-Wireless 24 579 | VALUE EAP-Type PEAP 25 580 | VALUE EAP-Type MS-EAP-Authentication 26 581 | VALUE EAP-Type MAKE 27 582 | VALUE EAP-Type CRYPTOCard 28 583 | VALUE EAP-Type EAP-MSCHAP-V2 29 584 | VALUE EAP-Type DynamID 30 585 | VALUE EAP-Type Rob-EAP 31 586 | VALUE EAP-Type SecurID-EAP 32 587 | VALUE EAP-Type MS-Authentication-TLV 33 588 | VALUE EAP-Type SentriNET 34 589 | VALUE EAP-Type EAP-Actiontec-Wireless 35 590 | VALUE EAP-Type Cogent-Biomentric-EAP 36 591 | VALUE EAP-Type AirFortress-EAP 37 592 | VALUE EAP-Type EAP-HTTP-Digest 38 593 | VALUE EAP-Type SecuriSuite-EAP 39 594 | VALUE EAP-Type DeviceConnect-EAP 40 595 | VALUE EAP-Type EAP-SPEKE 41 596 | VALUE EAP-Type EAP-MOBAC 42 597 | 598 | # 599 | # These are duplicate values, to get around the problem of 600 | # having 
two MS-CHAPv2 EAP types. 601 | # 602 | VALUE EAP-Type Microsoft-MS-CHAPv2 26 603 | VALUE EAP-Type Cisco-MS-CHAPv2 29 604 | 605 | # 606 | # And this is what most people mean by MS-CHAPv2 607 | # 608 | VALUE EAP-Type MS-CHAP-V2 26 609 | 610 | # 611 | # This says TLS, but it's only valid for TTLS & PEAP. 612 | # EAP-TLS *always* requires a client certificate. 613 | # 614 | VALUE EAP-TLS-Require-Client-Cert No 0 615 | VALUE EAP-TLS-Require-Client-Cert Yes 1 616 | 617 | # 618 | # These are the EAP-Code values. 619 | # 620 | VALUE EAP-Code Request 1 621 | VALUE EAP-Code Response 2 622 | VALUE EAP-Code Success 3 623 | VALUE EAP-Code Failure 4 624 | 625 | # 626 | # For MS-CHAP, do we run ntlm_auth, or not. 627 | # 628 | VALUE MS-CHAP-Use-NTLM-Auth No 0 629 | VALUE MS-CHAP-Use-NTLM-Auth Yes 1 630 | -------------------------------------------------------------------------------- /raddb/dictionary.microsoft: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # Microsoft's VSA's, from RFC 2548 4 | # 5 | # $Id$ 6 | # 7 | 8 | VENDOR Microsoft 311 9 | 10 | BEGIN-VENDOR Microsoft 11 | ATTRIBUTE MS-CHAP-Response 1 octets 12 | ATTRIBUTE MS-CHAP-Error 2 string 13 | ATTRIBUTE MS-CHAP-CPW-1 3 octets 14 | ATTRIBUTE MS-CHAP-CPW-2 4 octets 15 | ATTRIBUTE MS-CHAP-LM-Enc-PW 5 octets 16 | ATTRIBUTE MS-CHAP-NT-Enc-PW 6 octets 17 | ATTRIBUTE MS-MPPE-Encryption-Policy 7 octets 18 | # This is referred to as both singular and plural in the RFC. 19 | # Plural seems to make more sense. 
20 | ATTRIBUTE MS-MPPE-Encryption-Type 8 octets 21 | ATTRIBUTE MS-MPPE-Encryption-Types 8 octets 22 | ATTRIBUTE MS-RAS-Vendor 9 integer # content is Vendor-ID 23 | ATTRIBUTE MS-CHAP-Domain 10 string 24 | ATTRIBUTE MS-CHAP-Challenge 11 octets 25 | ATTRIBUTE MS-CHAP-MPPE-Keys 12 octets encrypt=1 26 | ATTRIBUTE MS-BAP-Usage 13 integer 27 | ATTRIBUTE MS-Link-Utilization-Threshold 14 integer # values are 1-100 28 | ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer 29 | ATTRIBUTE MS-MPPE-Send-Key 16 octets encrypt=2 30 | ATTRIBUTE MS-MPPE-Recv-Key 17 octets encrypt=2 31 | ATTRIBUTE MS-RAS-Version 18 string 32 | ATTRIBUTE MS-Old-ARAP-Password 19 octets 33 | ATTRIBUTE MS-New-ARAP-Password 20 octets 34 | ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer 35 | 36 | ATTRIBUTE MS-Filter 22 octets 37 | ATTRIBUTE MS-Acct-Auth-Type 23 integer 38 | ATTRIBUTE MS-Acct-EAP-Type 24 integer 39 | 40 | ATTRIBUTE MS-CHAP2-Response 25 octets 41 | ATTRIBUTE MS-CHAP2-Success 26 octets 42 | ATTRIBUTE MS-CHAP2-CPW 27 octets 43 | 44 | ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr 45 | ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr 46 | ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr 47 | ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr 48 | 49 | #ATTRIBUTE MS-ARAP-Challenge 33 octets 50 | 51 | ## MS-RNAP 52 | # 53 | # http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-RNAP%5D.pdf 54 | 55 | ATTRIBUTE MS-RAS-Client-Name 34 string 56 | ATTRIBUTE MS-RAS-Client-Version 35 string 57 | ATTRIBUTE MS-Quarantine-IPFilter 36 octets 58 | ATTRIBUTE MS-Quarantine-Session-Timeout 37 integer 59 | ATTRIBUTE MS-User-Security-Identity 40 string 60 | ATTRIBUTE MS-Identity-Type 41 integer 61 | ATTRIBUTE MS-Service-Class 42 string 62 | ATTRIBUTE MS-Quarantine-User-Class 44 string 63 | ATTRIBUTE MS-Quarantine-State 45 integer 64 | ATTRIBUTE MS-Quarantine-Grace-Time 46 integer 65 | ATTRIBUTE MS-Network-Access-Server-Type 47 integer 66 | ATTRIBUTE MS-AFW-Zone 48 integer 67 | 68 | VALUE MS-AFW-Zone 
MS-AFW-Zone-Boundary-Policy 1 69 | VALUE MS-AFW-Zone MS-AFW-Zone-Unprotected-Policy 2 70 | VALUE MS-AFW-Zone MS-AFW-Zone-Protected-Policy 3 71 | 72 | ATTRIBUTE MS-AFW-Protection-Level 49 integer 73 | 74 | VALUE MS-AFW-Protection-Level HECP-Response-Sign-Only 1 75 | VALUE MS-AFW-Protection-Level HECP-Response-Sign-And-Encrypt 2 76 | 77 | ATTRIBUTE MS-Machine-Name 50 string 78 | ATTRIBUTE MS-IPv6-Filter 51 octets 79 | ATTRIBUTE MS-IPv4-Remediation-Servers 52 octets 80 | ATTRIBUTE MS-IPv6-Remediation-Servers 53 octets 81 | ATTRIBUTE MS-RNAP-Not-Quarantine-Capable 54 integer 82 | 83 | VALUE MS-RNAP-Not-Quarantine-Capable SoH-Sent 0 84 | VALUE MS-RNAP-Not-Quarantine-Capable SoH-Not-Sent 1 85 | 86 | ATTRIBUTE MS-Quarantine-SOH 55 octets 87 | ATTRIBUTE MS-RAS-Correlation 56 octets 88 | 89 | # Or this might be 56? 90 | ATTRIBUTE MS-Extended-Quarantine-State 57 integer 91 | 92 | ATTRIBUTE MS-HCAP-User-Groups 58 string 93 | ATTRIBUTE MS-HCAP-Location-Group-Name 59 string 94 | ATTRIBUTE MS-HCAP-User-Name 60 string 95 | ATTRIBUTE MS-User-IPv4-Address 61 ipaddr 96 | ATTRIBUTE MS-User-IPv6-Address 62 ipv6addr 97 | ATTRIBUTE MS-TSG-Device-Redirection 63 integer 98 | 99 | # 100 | # Integer Translations 101 | # 102 | 103 | # MS-BAP-Usage Values 104 | 105 | VALUE MS-BAP-Usage Not-Allowed 0 106 | VALUE MS-BAP-Usage Allowed 1 107 | VALUE MS-BAP-Usage Required 2 108 | 109 | # MS-ARAP-Password-Change-Reason Values 110 | 111 | VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1 112 | VALUE MS-ARAP-PW-Change-Reason Expired-Password 2 113 | VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3 114 | VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4 115 | 116 | # MS-Acct-Auth-Type Values 117 | 118 | VALUE MS-Acct-Auth-Type PAP 1 119 | VALUE MS-Acct-Auth-Type CHAP 2 120 | VALUE MS-Acct-Auth-Type MS-CHAP-1 3 121 | VALUE MS-Acct-Auth-Type MS-CHAP-2 4 122 | VALUE MS-Acct-Auth-Type EAP 5 123 | 124 | # MS-Acct-EAP-Type Values 125 | 126 | VALUE MS-Acct-EAP-Type MD5 4 127 | VALUE 
MS-Acct-EAP-Type OTP 5 128 | VALUE MS-Acct-EAP-Type Generic-Token-Card 6 129 | VALUE MS-Acct-EAP-Type TLS 13 130 | 131 | # MS-Identity-Type Values 132 | 133 | VALUE MS-Identity-Type Machine-Health-Check 1 134 | VALUE MS-Identity-Type Ignore-User-Lookup-Failure 2 135 | 136 | # MS-Quarantine-State Values 137 | 138 | VALUE MS-Quarantine-State Full-Access 0 139 | VALUE MS-Quarantine-State Quarantine 1 140 | VALUE MS-Quarantine-State Probation 2 141 | 142 | # MS-Network-Access-Server-Type Values 143 | 144 | VALUE MS-Network-Access-Server-Type Unspecified 0 145 | VALUE MS-Network-Access-Server-Type Terminal-Server-Gateway 1 146 | VALUE MS-Network-Access-Server-Type Remote-Access-Server 2 147 | VALUE MS-Network-Access-Server-Type DHCP-Server 3 148 | VALUE MS-Network-Access-Server-Type Wireless-Access-Point 4 149 | VALUE MS-Network-Access-Server-Type HRA 5 150 | VALUE MS-Network-Access-Server-Type HCAP-Server 6 151 | 152 | # MS-Extended-Quarantine-State Values 153 | 154 | VALUE MS-Extended-Quarantine-State Transition 1 155 | VALUE MS-Extended-Quarantine-State Infected 2 156 | VALUE MS-Extended-Quarantine-State Unknown 3 157 | VALUE MS-Extended-Quarantine-State No-Data 4 158 | 159 | END-VENDOR Microsoft 160 | -------------------------------------------------------------------------------- /raddb/dictionary.rfc2865: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # Attributes and values defined in RFC 2865. 
4 | # http://www.ietf.org/rfc/rfc2865.txt 5 | # 6 | # $Id$ 7 | # 8 | ATTRIBUTE User-Name 1 string 9 | ATTRIBUTE User-Password 2 string encrypt=1 10 | ATTRIBUTE CHAP-Password 3 octets 11 | ATTRIBUTE NAS-IP-Address 4 ipaddr 12 | ATTRIBUTE NAS-Port 5 integer 13 | ATTRIBUTE Service-Type 6 integer 14 | ATTRIBUTE Framed-Protocol 7 integer 15 | ATTRIBUTE Framed-IP-Address 8 ipaddr 16 | ATTRIBUTE Framed-IP-Netmask 9 ipaddr 17 | ATTRIBUTE Framed-Routing 10 integer 18 | ATTRIBUTE Filter-Id 11 string 19 | ATTRIBUTE Framed-MTU 12 integer 20 | ATTRIBUTE Framed-Compression 13 integer 21 | ATTRIBUTE Login-IP-Host 14 ipaddr 22 | ATTRIBUTE Login-Service 15 integer 23 | ATTRIBUTE Login-TCP-Port 16 integer 24 | # Attribute 17 is undefined 25 | ATTRIBUTE Reply-Message 18 string 26 | ATTRIBUTE Callback-Number 19 string 27 | ATTRIBUTE Callback-Id 20 string 28 | # Attribute 21 is undefined 29 | ATTRIBUTE Framed-Route 22 string 30 | ATTRIBUTE Framed-IPX-Network 23 ipaddr 31 | ATTRIBUTE State 24 octets 32 | ATTRIBUTE Class 25 octets 33 | ATTRIBUTE Vendor-Specific 26 octets 34 | ATTRIBUTE Session-Timeout 27 integer 35 | ATTRIBUTE Idle-Timeout 28 integer 36 | ATTRIBUTE Termination-Action 29 integer 37 | ATTRIBUTE Called-Station-Id 30 string 38 | ATTRIBUTE Calling-Station-Id 31 string 39 | ATTRIBUTE NAS-Identifier 32 string 40 | ATTRIBUTE Proxy-State 33 octets 41 | ATTRIBUTE Login-LAT-Service 34 string 42 | ATTRIBUTE Login-LAT-Node 35 string 43 | ATTRIBUTE Login-LAT-Group 36 octets 44 | ATTRIBUTE Framed-AppleTalk-Link 37 integer 45 | ATTRIBUTE Framed-AppleTalk-Network 38 integer 46 | ATTRIBUTE Framed-AppleTalk-Zone 39 string 47 | 48 | ATTRIBUTE CHAP-Challenge 60 octets 49 | ATTRIBUTE NAS-Port-Type 61 integer 50 | ATTRIBUTE Port-Limit 62 integer 51 | ATTRIBUTE Login-LAT-Port 63 string 52 | 53 | # 54 | # Integer Translations 55 | # 56 | 57 | # Service types 58 | 59 | VALUE Service-Type Login-User 1 60 | VALUE Service-Type Framed-User 2 61 | VALUE Service-Type Callback-Login-User 3 62 | VALUE 
Service-Type Callback-Framed-User 4 63 | VALUE Service-Type Outbound-User 5 64 | VALUE Service-Type Administrative-User 6 65 | VALUE Service-Type NAS-Prompt-User 7 66 | VALUE Service-Type Authenticate-Only 8 67 | VALUE Service-Type Callback-NAS-Prompt 9 68 | VALUE Service-Type Call-Check 10 69 | VALUE Service-Type Callback-Administrative 11 70 | 71 | # Framed Protocols 72 | 73 | VALUE Framed-Protocol PPP 1 74 | VALUE Framed-Protocol SLIP 2 75 | VALUE Framed-Protocol ARAP 3 76 | VALUE Framed-Protocol Gandalf-SLML 4 77 | VALUE Framed-Protocol Xylogics-IPX-SLIP 5 78 | VALUE Framed-Protocol X.75-Synchronous 6 79 | 80 | # Framed Routing Values 81 | 82 | VALUE Framed-Routing None 0 83 | VALUE Framed-Routing Broadcast 1 84 | VALUE Framed-Routing Listen 2 85 | VALUE Framed-Routing Broadcast-Listen 3 86 | 87 | # Framed Compression Types 88 | 89 | VALUE Framed-Compression None 0 90 | VALUE Framed-Compression Van-Jacobson-TCP-IP 1 91 | VALUE Framed-Compression IPX-Header-Compression 2 92 | VALUE Framed-Compression Stac-LZS 3 93 | 94 | # Login Services 95 | 96 | VALUE Login-Service Telnet 0 97 | VALUE Login-Service Rlogin 1 98 | VALUE Login-Service TCP-Clear 2 99 | VALUE Login-Service PortMaster 3 100 | VALUE Login-Service LAT 4 101 | VALUE Login-Service X25-PAD 5 102 | VALUE Login-Service X25-T3POS 6 103 | VALUE Login-Service TCP-Clear-Quiet 8 104 | 105 | # Login-TCP-Port (see /etc/services for more examples) 106 | 107 | VALUE Login-TCP-Port Telnet 23 108 | VALUE Login-TCP-Port Rlogin 513 109 | VALUE Login-TCP-Port Rsh 514 110 | 111 | # Termination Options 112 | 113 | VALUE Termination-Action Default 0 114 | VALUE Termination-Action RADIUS-Request 1 115 | 116 | # NAS Port Types 117 | 118 | VALUE NAS-Port-Type Async 0 119 | VALUE NAS-Port-Type Sync 1 120 | VALUE NAS-Port-Type ISDN 2 121 | VALUE NAS-Port-Type ISDN-V120 3 122 | VALUE NAS-Port-Type ISDN-V110 4 123 | VALUE NAS-Port-Type Virtual 5 124 | VALUE NAS-Port-Type PIAFS 6 125 | VALUE NAS-Port-Type HDLC-Clear-Channel 7 126 
| VALUE NAS-Port-Type X.25 8 127 | VALUE NAS-Port-Type X.75 9 128 | VALUE NAS-Port-Type G.3-Fax 10 129 | VALUE NAS-Port-Type SDSL 11 130 | VALUE NAS-Port-Type ADSL-CAP 12 131 | VALUE NAS-Port-Type ADSL-DMT 13 132 | VALUE NAS-Port-Type IDSL 14 133 | VALUE NAS-Port-Type Ethernet 15 134 | VALUE NAS-Port-Type xDSL 16 135 | VALUE NAS-Port-Type Cable 17 136 | VALUE NAS-Port-Type Wireless-Other 18 137 | VALUE NAS-Port-Type Wireless-802.11 19 138 | -------------------------------------------------------------------------------- /raddb/dictionary.rfc2866: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # Attributes and values defined in RFC 2866. 4 | # http://www.ietf.org/rfc/rfc2866.txt 5 | # 6 | # $Id$ 7 | # 8 | ATTRIBUTE Acct-Status-Type 40 integer 9 | ATTRIBUTE Acct-Delay-Time 41 integer 10 | ATTRIBUTE Acct-Input-Octets 42 integer 11 | ATTRIBUTE Acct-Output-Octets 43 integer 12 | ATTRIBUTE Acct-Session-Id 44 string 13 | ATTRIBUTE Acct-Authentic 45 integer 14 | ATTRIBUTE Acct-Session-Time 46 integer 15 | ATTRIBUTE Acct-Input-Packets 47 integer 16 | ATTRIBUTE Acct-Output-Packets 48 integer 17 | ATTRIBUTE Acct-Terminate-Cause 49 integer 18 | ATTRIBUTE Acct-Multi-Session-Id 50 string 19 | ATTRIBUTE Acct-Link-Count 51 integer 20 | 21 | # Accounting Status Types 22 | 23 | VALUE Acct-Status-Type Start 1 24 | VALUE Acct-Status-Type Stop 2 25 | VALUE Acct-Status-Type Alive 3 # dup 26 | VALUE Acct-Status-Type Interim-Update 3 27 | VALUE Acct-Status-Type Accounting-On 7 28 | VALUE Acct-Status-Type Accounting-Off 8 29 | VALUE Acct-Status-Type Failed 15 30 | 31 | # Authentication Types 32 | 33 | VALUE Acct-Authentic RADIUS 1 34 | VALUE Acct-Authentic Local 2 35 | VALUE Acct-Authentic Remote 3 36 | VALUE Acct-Authentic Diameter 4 37 | 38 | # Acct Terminate Causes 39 | 40 | VALUE Acct-Terminate-Cause User-Request 1 41 | VALUE Acct-Terminate-Cause Lost-Carrier 2 42 | VALUE Acct-Terminate-Cause Lost-Service 3 43 | VALUE 
Acct-Terminate-Cause Idle-Timeout 4 44 | VALUE Acct-Terminate-Cause Session-Timeout 5 45 | VALUE Acct-Terminate-Cause Admin-Reset 6 46 | VALUE Acct-Terminate-Cause Admin-Reboot 7 47 | VALUE Acct-Terminate-Cause Port-Error 8 48 | VALUE Acct-Terminate-Cause NAS-Error 9 49 | VALUE Acct-Terminate-Cause NAS-Request 10 50 | VALUE Acct-Terminate-Cause NAS-Reboot 11 51 | VALUE Acct-Terminate-Cause Port-Unneeded 12 52 | VALUE Acct-Terminate-Cause Port-Preempted 13 53 | VALUE Acct-Terminate-Cause Port-Suspended 14 54 | VALUE Acct-Terminate-Cause Service-Unavailable 15 55 | VALUE Acct-Terminate-Cause Callback 16 56 | VALUE Acct-Terminate-Cause User-Error 17 57 | VALUE Acct-Terminate-Cause Host-Request 18 58 | -------------------------------------------------------------------------------- /raddb/dictionary.rfc2867: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # Attributes and values defined in RFC 2867. 4 | # http://www.ietf.org/rfc/rfc2867.txt 5 | # 6 | # $Id$ 7 | # 8 | ATTRIBUTE Acct-Tunnel-Connection 68 string 9 | ATTRIBUTE Acct-Tunnel-Packets-Lost 86 integer 10 | 11 | VALUE Acct-Status-Type Tunnel-Start 9 12 | VALUE Acct-Status-Type Tunnel-Stop 10 13 | VALUE Acct-Status-Type Tunnel-Reject 11 14 | VALUE Acct-Status-Type Tunnel-Link-Start 12 15 | VALUE Acct-Status-Type Tunnel-Link-Stop 13 16 | VALUE Acct-Status-Type Tunnel-Link-Reject 14 17 | -------------------------------------------------------------------------------- /raddb/dictionary.rfc2868: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # Attributes and values defined in RFC 2868. 
4 | # http://www.ietf.org/rfc/rfc2868.txt 5 | # 6 | # $Id$ 7 | # 8 | ATTRIBUTE Tunnel-Type 64 integer has_tag 9 | ATTRIBUTE Tunnel-Medium-Type 65 integer has_tag 10 | ATTRIBUTE Tunnel-Client-Endpoint 66 string has_tag 11 | ATTRIBUTE Tunnel-Server-Endpoint 67 string has_tag 12 | 13 | ATTRIBUTE Tunnel-Password 69 string has_tag,encrypt=2 14 | 15 | ATTRIBUTE Tunnel-Private-Group-Id 81 string has_tag 16 | ATTRIBUTE Tunnel-Assignment-Id 82 string has_tag 17 | ATTRIBUTE Tunnel-Preference 83 integer has_tag 18 | 19 | ATTRIBUTE Tunnel-Client-Auth-Id 90 string has_tag 20 | ATTRIBUTE Tunnel-Server-Auth-Id 91 string has_tag 21 | 22 | # Tunnel Type 23 | 24 | VALUE Tunnel-Type PPTP 1 25 | VALUE Tunnel-Type L2F 2 26 | VALUE Tunnel-Type L2TP 3 27 | VALUE Tunnel-Type ATMP 4 28 | VALUE Tunnel-Type VTP 5 29 | VALUE Tunnel-Type AH 6 30 | VALUE Tunnel-Type IP 7 31 | VALUE Tunnel-Type MIN-IP 8 32 | VALUE Tunnel-Type ESP 9 33 | VALUE Tunnel-Type GRE 10 34 | VALUE Tunnel-Type DVS 11 35 | VALUE Tunnel-Type IP-in-IP 12 36 | 37 | # Tunnel Medium Type 38 | 39 | VALUE Tunnel-Medium-Type IP 1 40 | VALUE Tunnel-Medium-Type IPv4 1 41 | VALUE Tunnel-Medium-Type IPv6 2 42 | VALUE Tunnel-Medium-Type NSAP 3 43 | VALUE Tunnel-Medium-Type HDLC 4 44 | VALUE Tunnel-Medium-Type BBN-1822 5 45 | VALUE Tunnel-Medium-Type IEEE-802 6 46 | VALUE Tunnel-Medium-Type E.163 7 47 | VALUE Tunnel-Medium-Type E.164 8 48 | VALUE Tunnel-Medium-Type F.69 9 49 | VALUE Tunnel-Medium-Type X.121 10 50 | VALUE Tunnel-Medium-Type IPX 11 51 | VALUE Tunnel-Medium-Type Appletalk 12 52 | VALUE Tunnel-Medium-Type DecNet-IV 13 53 | VALUE Tunnel-Medium-Type Banyan-Vines 14 54 | VALUE Tunnel-Medium-Type E.164-NSAP 15 55 | -------------------------------------------------------------------------------- /raddb/dictionary.rfc2869: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # Attributes and values defined in RFC 2869. 
4 | # http://www.ietf.org/rfc/rfc2869.txt 5 | # 6 | # $Id$ 7 | # 8 | ATTRIBUTE Acct-Input-Gigawords 52 integer 9 | ATTRIBUTE Acct-Output-Gigawords 53 integer 10 | 11 | ATTRIBUTE Event-Timestamp 55 date 12 | 13 | ATTRIBUTE ARAP-Password 70 octets # 16 octets of data 14 | ATTRIBUTE ARAP-Features 71 octets # 14 octets of data 15 | ATTRIBUTE ARAP-Zone-Access 72 integer 16 | ATTRIBUTE ARAP-Security 73 integer 17 | ATTRIBUTE ARAP-Security-Data 74 string 18 | ATTRIBUTE Password-Retry 75 integer 19 | ATTRIBUTE Prompt 76 integer 20 | ATTRIBUTE Connect-Info 77 string 21 | ATTRIBUTE Configuration-Token 78 string 22 | ATTRIBUTE EAP-Message 79 octets 23 | ATTRIBUTE Message-Authenticator 80 octets 24 | 25 | ATTRIBUTE ARAP-Challenge-Response 84 octets # 8 octets of data 26 | ATTRIBUTE Acct-Interim-Interval 85 integer 27 | # 86: RFC 2867 28 | ATTRIBUTE NAS-Port-Id 87 string 29 | ATTRIBUTE Framed-Pool 88 string 30 | 31 | # ARAP Zone Access 32 | 33 | VALUE ARAP-Zone-Access Default-Zone 1 34 | VALUE ARAP-Zone-Access Zone-Filter-Inclusive 2 35 | VALUE ARAP-Zone-Access Zone-Filter-Exclusive 4 36 | 37 | # Prompt 38 | VALUE Prompt No-Echo 0 39 | VALUE Prompt Echo 1 40 | -------------------------------------------------------------------------------- /raddb/dictionary.rfc3162: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # Attributes and values defined in RFC 3162. 
4 | # http://www.ietf.org/rfc/rfc3162.txt 5 | # 6 | # $Id$ 7 | # 8 | ATTRIBUTE NAS-IPv6-Address 95 ipv6addr 9 | ATTRIBUTE Framed-Interface-Id 96 ifid 10 | ATTRIBUTE Framed-IPv6-Prefix 97 ipv6prefix 11 | ATTRIBUTE Login-IPv6-Host 98 ipv6addr 12 | ATTRIBUTE Framed-IPv6-Route 99 string 13 | ATTRIBUTE Framed-IPv6-Pool 100 string 14 | -------------------------------------------------------------------------------- /raddb/dictionary.rfc3576: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # Attributes and values defined in RFC 3576. 4 | # http://www.ietf.org/rfc/rfc3576.txt 5 | # 6 | # $Id$ 7 | # 8 | ATTRIBUTE Error-Cause 101 integer 9 | 10 | # Service Types 11 | 12 | VALUE Service-Type Authorize-Only 17 13 | 14 | # Error causes 15 | 16 | VALUE Error-Cause Residual-Context-Removed 201 17 | VALUE Error-Cause Invalid-EAP-Packet 202 18 | VALUE Error-Cause Unsupported-Attribute 401 19 | VALUE Error-Cause Missing-Attribute 402 20 | VALUE Error-Cause NAS-Identification-Mismatch 403 21 | VALUE Error-Cause Invalid-Request 404 22 | VALUE Error-Cause Unsupported-Service 405 23 | VALUE Error-Cause Unsupported-Extension 406 24 | VALUE Error-Cause Administratively-Prohibited 501 25 | VALUE Error-Cause Proxy-Request-Not-Routable 502 26 | VALUE Error-Cause Session-Context-Not-Found 503 27 | VALUE Error-Cause Session-Context-Not-Removable 504 28 | VALUE Error-Cause Proxy-Processing-Error 505 29 | VALUE Error-Cause Resources-Unavailable 506 30 | VALUE Error-Cause Request-Initiated 507 31 | -------------------------------------------------------------------------------- /raddb/dictionary.rfc3580: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # Attributes and values defined in RFC 3580. 
4 | # http://www.ietf.org/rfc/rfc3580.txt 5 | # 6 | # $Id$ 7 | # 8 | VALUE Acct-Terminate-Cause Supplicant-Restart 19 9 | VALUE Acct-Terminate-Cause Reauthentication-Failure 20 10 | VALUE Acct-Terminate-Cause Port-Reinit 21 11 | VALUE Acct-Terminate-Cause Port-Disabled 22 12 | 13 | VALUE NAS-Port-Type Token-Ring 20 14 | VALUE NAS-Port-Type FDDI 21 15 | 16 | VALUE Tunnel-Type VLAN 13 17 | -------------------------------------------------------------------------------- /raddb/dictionary.rfc4072: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # Attributes and values defined in RFC 4072 4 | # http://www.ietf.org/rfc/rfc4072.txt 5 | # 6 | # $Id$ 7 | # 8 | 9 | ATTRIBUTE EAP-Key-Name 102 string 10 | -------------------------------------------------------------------------------- /raddb/dictionary.rfc4372: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # Attributes and values defined in RFC 4372. 4 | # http://www.ietf.org/rfc/rfc4372.txt 5 | # 6 | # $Id$ 7 | # 8 | ATTRIBUTE Chargeable-User-Identity 89 string 9 | -------------------------------------------------------------------------------- /raddb/dictionary.rfc4603: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | ############################################################################## 3 | # 4 | # Attributes and values defined in RFC 4603.
5 | # http://www.ietf.org/rfc/rfc4603.txt 6 | # 7 | # $Id$ 8 | # 9 | ############################################################################## 10 | 11 | 12 | VALUE NAS-Port-Type PPPoA 30 13 | VALUE NAS-Port-Type PPPoEoA 31 14 | VALUE NAS-Port-Type PPPoEoE 32 15 | VALUE NAS-Port-Type PPPoEoVLAN 33 16 | VALUE NAS-Port-Type PPPoEoQinQ 34 17 | 18 | -------------------------------------------------------------------------------- /raddb/dictionary.rfc4675: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # Attributes and values defined in RFC 4675. 4 | # http://www.ietf.org/rfc/rfc4675.txt 5 | # 6 | # $Id$ 7 | # 8 | 9 | # 10 | # High byte = '1' (0x31) means the frames are tagged. 11 | # High byte = '2' (0x32) means the frames are untagged. 12 | # 13 | # Next 12 bits MUST be zero. 14 | # 15 | # Lower 12 bits are the IEEE-802.1Q VLAN VID. 16 | # 17 | ATTRIBUTE Egress-VLANID 56 integer 18 | ATTRIBUTE Ingress-Filters 57 integer 19 | 20 | # 21 | # First byte == '1' (0x31) means that the frames are tagged. 22 | # First byte == '2' (0x32) means that the frames are untagged. 23 | # 24 | ATTRIBUTE Egress-VLAN-Name 58 string 25 | ATTRIBUTE User-Priority-Table 59 octets # 8 26 | 27 | VALUE Ingress-Filters Enabled 1 28 | VALUE Ingress-Filters Disabled 2 29 | -------------------------------------------------------------------------------- /raddb/dictionary.rfc4679: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # Attributes and values defined in RFC 4679. 4 | # http://www.ietf.org/rfc/rfc4679.txt 5 | # 6 | # $Id$ 7 | # 8 | 9 | VENDOR ADSL-Forum 3561 10 | 11 | BEGIN-VENDOR ADSL-Forum 12 | 13 | # 14 | # The first two attributes are prefixed with "ADSL-" because of 15 | # conflicting names in dictionary.redback.
16 | # 17 | ATTRIBUTE ADSL-Agent-Circuit-Id 1 string 18 | ATTRIBUTE ADSL-Agent-Remote-Id 2 string 19 | ATTRIBUTE Actual-Data-Rate-Upstream 129 integer 20 | ATTRIBUTE Actual-Data-Rate-Downstream 130 integer 21 | ATTRIBUTE Minimum-Data-Rate-Upstream 131 integer 22 | ATTRIBUTE Minimum-Data-Rate-Downstream 132 integer 23 | ATTRIBUTE Attainable-Data-Rate-Upstream 133 integer 24 | ATTRIBUTE Attainable-Data-Rate-Downstream 134 integer 25 | ATTRIBUTE Maximum-Data-Rate-Upstream 135 integer 26 | ATTRIBUTE Maximum-Data-Rate-Downstream 136 integer 27 | ATTRIBUTE Minimum-Data-Rate-Upstream-Low-Power 137 integer 28 | ATTRIBUTE Minimum-Data-Rate-Downstream-Low-Power 138 integer 29 | ATTRIBUTE Maximum-Interleaving-Delay-Upstream 139 integer 30 | ATTRIBUTE Actual-Interleaving-Delay-Upstream 140 integer 31 | ATTRIBUTE Maximum-Interleaving-Delay-Downstream 141 integer 32 | ATTRIBUTE Actual-Interleaving-Delay-Downstream 142 integer 33 | 34 | # 35 | # This next attribute has a weird encoding. 36 | # 37 | # Octet[0] - 0x01 AAL5 38 | # Octet[0] - 0x02 Ethernet 39 | 40 | # Octet[1] - 0x00 Not Available 41 | # Octet[1] - 0x01 Untagged Ethernet 42 | # Octet[1] - 0x02 Single-Tagged Ethernet 43 | 44 | # Octet[2] - 0x00 Not available 45 | # Octet[2] - 0x01 PPPoA LLC 46 | # Octet[2] - 0x02 PPPoA Null 47 | # Octet[2] - 0x03 IPoA LLC 48 | # Octet[2] - 0x04 IPoA NULL 49 | # Octet[2] - 0x05 Ethernet over AAL5 LLC with FCS 50 | # Octet[2] - 0x06 Ethernet over AAL5 LLC without FCS 51 | # Octet[2] - 0x07 Ethernet over AAL5 Null with FCS 52 | # Octet[2] - 0x08 Ethernet over AAL5 Null without FCS 53 | # 54 | ATTRIBUTE Access-Loop-Encapsulation 144 octets # 3 55 | 56 | # 57 | # If this attribute exists, it means that IWF has been performed 58 | # for the subscriber's session.
59 | # 60 | ATTRIBUTE IWF-Session 252 octets # 0 61 | 62 | END-VENDOR ADSL-Forum 63 | -------------------------------------------------------------------------------- /raddb/dictionary.rfc4818: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | ############################################################################## 3 | # 4 | # Attributes and values defined in RFC 4818. 5 | # http://www.ietf.org/rfc/rfc4818.txt 6 | # 7 | # $Id$ 8 | # 9 | ############################################################################## 10 | 11 | ATTRIBUTE Delegated-IPv6-Prefix 123 ipv6prefix 12 | -------------------------------------------------------------------------------- /raddb/dictionary.rfc4849: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # Attributes and values defined in RFC 4849. 4 | # http://www.ietf.org/rfc/rfc4849.txt 5 | # 6 | # $Id$ 7 | # 8 | ATTRIBUTE NAS-Filter-Rule 92 string 9 | -------------------------------------------------------------------------------- /raddb/dictionary.rfc5090: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # Attributes and values defined in RFC 5090. 
4 | # http://www.ietf.org/rfc/rfc5090.txt 5 | # 6 | # $Id$ 7 | # 8 | ATTRIBUTE Digest-Response 103 string 9 | ATTRIBUTE Digest-Realm 104 string 10 | ATTRIBUTE Digest-Nonce 105 string 11 | ATTRIBUTE Digest-Response-Auth 106 string 12 | ATTRIBUTE Digest-Nextnonce 107 string 13 | ATTRIBUTE Digest-Method 108 string 14 | ATTRIBUTE Digest-URI 109 string 15 | ATTRIBUTE Digest-Qop 110 string 16 | ATTRIBUTE Digest-Algorithm 111 string 17 | ATTRIBUTE Digest-Entity-Body-Hash 112 string 18 | ATTRIBUTE Digest-CNonce 113 string 19 | ATTRIBUTE Digest-Nonce-Count 114 string 20 | ATTRIBUTE Digest-Username 115 string 21 | ATTRIBUTE Digest-Opaque 116 string 22 | ATTRIBUTE Digest-Auth-Param 117 string 23 | ATTRIBUTE Digest-AKA-Auts 118 string 24 | ATTRIBUTE Digest-Domain 119 string 25 | ATTRIBUTE Digest-Stale 120 string 26 | ATTRIBUTE Digest-HA1 121 string 27 | ATTRIBUTE SIP-AOR 122 string 28 | -------------------------------------------------------------------------------- /raddb/dictionary.rfc5176: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # Attributes and values defined in RFC 5176. 4 | # http://www.ietf.org/rfc/rfc5176.txt 5 | # 6 | # $Id$ 7 | # 8 | VALUE Error-Cause Invalid-Attribute-Value 407 9 | VALUE Error-Cause Multiple-Session-Selection-Unsupported 508 10 | -------------------------------------------------------------------------------- /raddb/dictionary.rfc5580: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # Attributes and values defined in RFC 5580. 
4 | # http://www.ietf.org/rfc/rfc5580.txt 5 | # 6 | # $Id$ 7 | # 8 | 9 | # One ASCII character of Namespace ID 10 | # 0 = TADIG (GSM) 11 | # 1 = Realm 12 | # 2 = E212 13 | # 14 | # 15 | # Followed by the actual string 16 | ATTRIBUTE Operator-Name 126 string 17 | 18 | # 19 | # Large blobs of stuff 20 | # 21 | ATTRIBUTE Location-Information 127 octets 22 | ATTRIBUTE Location-Data 128 octets 23 | ATTRIBUTE Basic-Location-Policy-Rules 129 octets 24 | ATTRIBUTE Extended-Location-Policy-Rules 130 octets 25 | 26 | # 27 | # Really a bit-packed field 28 | # 29 | ATTRIBUTE Location-Capable 131 integer 30 | VALUE Location-Capable Civix-Location 1 31 | VALUE Location-Capable Geo-Location 2 32 | VALUE Location-Capable Users-Location 4 33 | VALUE Location-Capable NAS-Location 8 34 | 35 | ATTRIBUTE Requested-Location-Info 132 integer 36 | VALUE Requested-Location-Info Civix-Location 1 37 | VALUE Requested-Location-Info Geo-Location 2 38 | VALUE Requested-Location-Info Users-Location 4 39 | VALUE Requested-Location-Info NAS-Location 8 40 | VALUE Requested-Location-Info Future-Requests 16 41 | VALUE Requested-Location-Info None 32 42 | -------------------------------------------------------------------------------- /raddb/dictionary.rfc5607: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # Attributes and values defined in RFC 5607. 
4 | # http://www.ietf.org/rfc/rfc5607.txt 5 | # 6 | # $Id$ 7 | # 8 | 9 | VALUE Service-Type Framed-Management 18 10 | 11 | ATTRIBUTE Framed-Management 133 integer 12 | 13 | VALUE Framed-Management SNMP 1 14 | VALUE Framed-Management Web-Based 2 15 | VALUE Framed-Management Netconf 3 16 | VALUE Framed-Management FTP 4 17 | VALUE Framed-Management TFTP 5 18 | VALUE Framed-Management SFTP 6 19 | VALUE Framed-Management RCP 7 20 | VALUE Framed-Management SCP 8 21 | 22 | ATTRIBUTE Management-Transport-Protection 134 integer 23 | 24 | VALUE Management-Transport-Protection No-Protection 1 25 | VALUE Management-Transport-Protection Integrity-Protection 2 26 | VALUE Management-Transport-Protection Integrity-Confidentiality-Protection 3 27 | 28 | ATTRIBUTE Management-Policy-Id 135 string 29 | 30 | ATTRIBUTE Management-Privilege-Level 136 integer 31 | -------------------------------------------------------------------------------- /raddb/dictionary.rfc5904: -------------------------------------------------------------------------------- 1 | # -*- text -*- 2 | # 3 | # Attributes and values defined in RFC 5904. 4 | # http://www.ietf.org/rfc/rfc5904.txt 5 | # 6 | # $Id$ 7 | # 8 | 9 | # The next two attributes are continued, like EAP-Message/ 10 | ATTRIBUTE PKM-SS-Cert 137 octets 11 | ATTRIBUTE PKM-CA-Cert 138 octets 12 | 13 | # 28 bytes of data, 7 integers 14 | ATTRIBUTE PKM-Config-Settings 139 octets 15 | ATTRIBUTE PKM-Cryptosuite-List 140 octets 16 | ATTRIBUTE PKM-SAID 141 short 17 | 18 | # 6 bytes of data: SAID, 1 byte of type, 3 of cryptosuite 19 | ATTRIBUTE PKM-SA-Descriptor 142 octets 20 | 21 | # 133 bytes of data: integer lifetime, 1 byte sequence, 128 bytes of key 22 | ATTRIBUTE PKM-Auth-Key 143 octets 23 | --------------------------------------------------------------------------------