e-smith-radiusd/sme10/e-smith-radiusd-2.6.0-freeradius3.patch

diff -Nur e-smith-radiusd-2.6.0.old/createlinks e-smith-radiusd-2.6.0/createlinks
--- e-smith-radiusd-2.6.0.old/createlinks       2016-02-05 16:34:10.000000000 -0500
+++ e-smith-radiusd-2.6.0/createlinks   2016-04-01 12:42:04.837000000 -0400
@@ -24,7 +24,9 @@
 
 foreach (qw(
     raddb/clients.conf
-    raddb/eap.conf
+    raddb/mods-available/eap
+    raddb/mods-available/ldap
+    raddb/sites-available/default
     raddb/proxy.conf
     radiusclient-ng/servers))
 {
@@ -33,7 +35,7 @@
        console-save
        domain-modify
        remoteaccess-update
-    ldap-update
+       ldap-update
     ));
 }
 
@@ -46,7 +48,7 @@
        console-save
        domain-modify
        remoteaccess-update
-    ldap-update
+       ldap-update
     ));
 }
 
@@ -68,3 +70,9 @@
 
 safe_symlink("../daemontools", "root/etc/rc.d/init.d/supervise/radiusd");
 service_link_enhanced("radiusd", "S90", "7");
+
+# activate modules
+#safe_symlink("../mods-available/realm", "root/etc/raddb/mods-enabled/realm");
+safe_symlink("../mods-available/ldap", "root/etc/raddb/mods-enabled/ldap");
+safe_symlink("../mods-available/smbpasswd", "root/etc/raddb/mods-enabled/smbpasswd");
+
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/clients.conf/10localhost e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/clients.conf/10localhost
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/clients.conf/10localhost     2008-10-07 13:37:19.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/clients.conf/10localhost 2016-04-01 11:45:59.890000000 -0400
@@ -46,7 +46,7 @@
        #       other           # for all other types
 
        #
-}      nastype = other
+}      nas_type = other
 {
        #
        #  The following two configurations are for future use.
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/10eap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/10eap
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/10eap       2005-06-11 14:24:39.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/10eap   1969-12-31 19:00:00.000000000 -0500
@@ -1 +0,0 @@
-eap \{
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/15defaultType e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/15defaultType
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/15defaultType       2005-06-11 14:24:51.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/15defaultType   1969-12-31 19:00:00.000000000 -0500
@@ -1,14 +0,0 @@
-{
-       #  Invoke the default supported EAP type when
-       #  EAP-Identity response is received.
-       #
-       #  The incoming EAP messages DO NOT specify which EAP
-       #  type they will be using, so it MUST be set here.
-       #
-       #  For now, only one default EAP type may be used at a time.
-       #
-       #  If the EAP-Type attribute is set by another module,
-       #  then that EAP type takes precedence over the
-       #  default type configured here.
-       #
-}      default_eap_type = peap
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/20timerExpire e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/20timerExpire
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/20timerExpire       2005-06-11 14:24:56.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/20timerExpire   1969-12-31 19:00:00.000000000 -0500
@@ -1,7 +0,0 @@
-{
-       #  A list is maintained to correlate EAP-Response
-       #  packets with EAP-Request packets.  After a
-       #  configurable length of time, entries in the list
-       #  expire, and are deleted.
-       #       
-}      timer_expire     = 60   
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/25ignoreUnknown e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/25ignoreUnknown
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/25ignoreUnknown     2005-06-11 14:25:19.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/25ignoreUnknown 1969-12-31 19:00:00.000000000 -0500
@@ -1,14 +0,0 @@
-{
-       #  There are many EAP types, but the server has support
-       #  for only a limited subset.  If the server receives
-       #  a request for an EAP type it does not support, then
-       #  it normally rejects the request.  By setting this
-       #  configuration to "yes", you can tell the server to
-       #  instead keep processing the request.  Another module
-       #  MUST then be configured to proxy the request to
-       #  another RADIUS server which supports that EAP type.
-       #       
-       #  If another module is NOT configured to handle the
-       #  request, then the request will still end up being
-       #  rejected.
-}      ignore_unknown_eap_types = no
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/30ciscoBug e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/30ciscoBug
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/30ciscoBug  2005-06-11 14:25:22.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/30ciscoBug      1969-12-31 19:00:00.000000000 -0500
@@ -1,8 +0,0 @@
-{
-       # Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
-       # a User-Name attribute in an Access-Accept, it copies one
-       # more byte than it should.
-       #
-       # We can work around it by configurably adding an extra
-       # zero byte.
-}      cisco_accounting_username_bug = no
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/35tls e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/35tls
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/35tls       2005-06-13 12:12:02.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/35tls   1969-12-31 19:00:00.000000000 -0500
@@ -1,64 +0,0 @@
-{
-       ## EAP-TLS
-       #
-       #  To generate ctest certificates, run the script
-       #
-       #   ../scripts/certs.sh
-       #
-       #  The documents on http://www.freeradius.org/doc
-       #  are old, but may be helpful.
-       #
-       #  See also:
-       #
-       #  http://www.dslreports.com/forum/remark,9286052~mode=flat
-       #
-}
-       tls \{
-               private_key_password = whatever
-               private_key_file = $\{raddbdir\}/certs/radiusd.pem
-               certificate_file = $\{raddbdir\}/certs/radiusd.pem
-               CA_file = $\{raddbdir\}/certs/radiusd.pem
-               dh_file = $\{raddbdir\}/certs/dh
-               random_file = $\{raddbdir\}/certs/random
-{
-               #
-               #  This can never exceed the size of a RADIUS
-               #  packet (4096 bytes), and is preferably half
-               #  that, to accomodate other attributes in
-               #  RADIUS packet.  On most APs the MAX packet
-               #  length is configured between 1500 - 1600
-               #  In these cases, fragment size should be
-               #  1024 or less.
-               #
-}              #fragment_size = 1024
-{
-               #  include_length is a flag which is
-               #  by default set to yes If set to
-               #  yes, Total Length of the message is
-               #  included in EVERY packet we send.
-               #  If set to no, Total Length of the
-               #  message is included ONLY in the
-               #  First packet of a fragment series.
-               #
-}              #include_length = yes
-{
-               #  Check the Certificate Revocation List
-               #  
-               #  1) Copy CA certificates and CRLs to same directory.
-               #  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
-               #       'c_rehash' is OpenSSL's command.
-               #  3) Add 'CA_path=<CA certs&CRLs directory>'
-               #         to radiusd.conf's tls section.
-               #  4) uncomment the line below.
-               #  5) Restart radiusd
-}              #check_crl = yes
-{
-               #
-               #  If check_cert_cn is set, the value will
-               #  be xlat'ed and checked against the CN
-               #  in the client certificate.  If the values
-               #  do not match, the certificate verification
-               #  will fail rejecting the user.
-               #
-}              #check_cert_cn = %\{User-Name\}
-       \}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/40peap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/40peap
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/40peap      2005-06-11 14:25:31.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/40peap  1969-12-31 19:00:00.000000000 -0500
@@ -1,26 +0,0 @@
-{
-       #
-       #  The tunneled EAP session needs a default EAP type
-       #  which is separate from the one for the non-tunneled
-       #  EAP module.  Inside of the TLS/PEAP tunnel, we
-       #  recommend using EAP-MS-CHAPv2.
-       #
-       #  The PEAP module needs the TLS module to be installed
-       #  and configured, in order to use the TLS tunnel
-       #  inside of the EAP packet.  You will still need to 
-       #  configure the TLS module, even if you do not want
-       #  to deploy EAP-TLS in your network.  Users will not
-       #  be able to request EAP-TLS, as it requires them to
-       #  have a client certificate.  EAP-PEAP does not
-       #  require a client certificate.
-       #
-}
-       peap \{
-{                      #  The tunneled EAP session needs a default
-               #  EAP type which is separate from the one for
-               #  the non-tunneled EAP module.  Inside of the
-               #  PEAP tunnel, we recommend using MS-CHAPv2,
-               #  as that is the default type supported by
-               #  Windows clients.
-}              default_eap_type = mschapv2
-       \}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/45mschapv2 e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/45mschapv2
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/45mschapv2  2005-06-11 14:25:34.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/45mschapv2      1969-12-31 19:00:00.000000000 -0500
@@ -1,18 +0,0 @@
-{
-       #
-       #  This takes no configuration.
-       #
-       #  Note that it is the EAP MS-CHAPv2 sub-module, not
-       #  the main 'mschap' module.
-       #
-       #  Note also that in order for this sub-module to work,
-       #  the main 'mschap' module MUST ALSO be configured.
-       #
-       #  This module is the *Microsoft* implementation of MS-CHAPv2
-       #  in EAP.  There is another (incompatible) implementation
-       #  of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
-       #  currently support.
-       #
-}
-       mschapv2 \{
-       \}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/99end
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/99end       2005-06-11 14:25:39.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/99end   1969-12-31 19:00:00.000000000 -0500
@@ -1 +0,0 @@
-\}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/10eap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/10eap
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/10eap     1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/10eap 2005-06-11 14:24:39.000000000 -0400
@@ -0,0 +1 @@
+eap \{
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/15defaultType e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/15defaultType
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/15defaultType     1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/15defaultType 2005-06-11 14:24:51.000000000 -0400
@@ -0,0 +1,14 @@
+{
+       #  Invoke the default supported EAP type when
+       #  EAP-Identity response is received.
+       #
+       #  The incoming EAP messages DO NOT specify which EAP
+       #  type they will be using, so it MUST be set here.
+       #
+       #  For now, only one default EAP type may be used at a time.
+       #
+       #  If the EAP-Type attribute is set by another module,
+       #  then that EAP type takes precedence over the
+       #  default type configured here.
+       #
+}      default_eap_type = peap
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/20timerExpire e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/20timerExpire
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/20timerExpire     1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/20timerExpire 2005-06-11 14:24:56.000000000 -0400
@@ -0,0 +1,7 @@
+{
+       #  A list is maintained to correlate EAP-Response
+       #  packets with EAP-Request packets.  After a
+       #  configurable length of time, entries in the list
+       #  expire, and are deleted.
+       #       
+}      timer_expire     = 60   
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/25ignoreUnknown e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/25ignoreUnknown
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/25ignoreUnknown   1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/25ignoreUnknown       2005-06-11 14:25:19.000000000 -0400
@@ -0,0 +1,14 @@
+{
+       #  There are many EAP types, but the server has support
+       #  for only a limited subset.  If the server receives
+       #  a request for an EAP type it does not support, then
+       #  it normally rejects the request.  By setting this
+       #  configuration to "yes", you can tell the server to
+       #  instead keep processing the request.  Another module
+       #  MUST then be configured to proxy the request to
+       #  another RADIUS server which supports that EAP type.
+       #       
+       #  If another module is NOT configured to handle the
+       #  request, then the request will still end up being
+       #  rejected.
+}      ignore_unknown_eap_types = no
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/30ciscoBug e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/30ciscoBug
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/30ciscoBug        1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/30ciscoBug    2005-06-11 14:25:22.000000000 -0400
@@ -0,0 +1,8 @@
+{
+       # Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
+       # a User-Name attribute in an Access-Accept, it copies one
+       # more byte than it should.
+       #
+       # We can work around it by configurably adding an extra
+       # zero byte.
+}      cisco_accounting_username_bug = no
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/35tlscommon e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/35tlscommon
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/35tlscommon       1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/35tlscommon   2016-04-01 12:02:53.346000000 -0400
@@ -0,0 +1,130 @@
+{
+       ## EAP-TLS
+       #
+       #  To generate ctest certificates, run the script
+       #
+       #   ../scripts/certs.sh
+       #
+       #  The documents on http://www.freeradius.org/doc
+       #  are old, but may be helpful.
+       #
+       #  See also:
+       #
+       #  http://www.dslreports.com/forum/remark,9286052~mode=flat
+       #
+       #  Note that you should NOT use a globally known CA here!
+       #  e.g. using a Verisign cert as a "known CA" means that
+       #  ANYONE who has a certificate signed by them can
+       #  authenticate via EAP-TLS!  This is likely not what you want.
+}
+       tls-config tls-common \{
+               private_key_password = whatever
+               private_key_file = $\{raddbdir\}/certs/radiusd.pem
+               certificate_file = $\{raddbdir\}/certs/radiusd.pem
+               ca_file = $\{raddbdir\}/certs/radiusd.pem
+               dh_file = $\{raddbdir\}/certs/dh
+               random_file = $\{raddbdir\}/certs/random
+{
+               #
+               #  This can never exceed the size of a RADIUS
+               #  packet (4096 bytes), and is preferably half
+               #  that, to accomodate other attributes in
+               #  RADIUS packet.  On most APs the MAX packet
+               #  length is configured between 1500 - 1600
+               #  In these cases, fragment size should be
+               #  1024 or less.
+               #
+}              #fragment_size = 1024
+{
+               #  include_length is a flag which is
+               #  by default set to yes If set to
+               #  yes, Total Length of the message is
+               #  included in EVERY packet we send.
+               #  If set to no, Total Length of the
+               #  message is included ONLY in the
+               #  First packet of a fragment series.
+               #
+}              #include_length = yes
+{
+               #  Check the Certificate Revocation List
+               #  
+               #  1) Copy CA certificates and CRLs to same directory.
+               #  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
+               #       'c_rehash' is OpenSSL's command.
+               #  3) Add 'CA_path=<CA certs&CRLs directory>'
+               #         to radiusd.conf's tls section.
+               #  4) uncomment the line below.
+               #  5) Restart radiusd
+}              #check_crl = yes
+{
+               #
+               #  If check_cert_cn is set, the value will
+               #  be xlat'ed and checked against the CN
+               #  in the client certificate.  If the values
+               #  do not match, the certificate verification
+               #  will fail rejecting the user.
+               #
+}              #check_cert_cn = %\{User-Name\}
+{
+                #
+                # Set this option to specify the allowed
+                # TLS cipher suites.  The format is listed
+                # in "man 1 ciphers".
+}                cipher_list = "DEFAULT"
+{
+                #
+
+                #
+                #  Elliptical cryptography configuration
+                #
+                #  Only for OpenSSL >= 0.9.8.f
+                #
+}                ecdh_curve = "prime256v1"
+
+{
+                #
+                #  Session resumption / fast reauthentication
+                #  cache.
+                #
+                #  The cache contains the following information:
+                #
+                #  session Id - unique identifier, managed by SSL
+                #  User-Name  - from the Access-Accept
+                #  Stripped-User-Name - from the Access-Request
+                #  Cached-Session-Policy - from the Access-Accept
+                #
+                #  The "Cached-Session-Policy" is the name of a
+                #  policy which should be applied to the cached
+                #  session.  This policy can be used to assign
+                #  VLANs, IP addresses, etc.  It serves as a useful
+                #  way to re-apply the policy from the original
+                #  Access-Accept to the subsequent Access-Accept
+                #  for the cached session.
+                #
+                #  On session resumption, these attributes are
+                #  copied from the cache, and placed into the
+                #  reply list.
+                #
+                #  You probably also want "use_tunneled_reply = yes"
+                #  when using fast session resumption.
+                #
+}                cache \{
+                        enable = yes
+                        lifetime = 24 # hours
+                       max_entries = 255
+               \}
+{
+                #
+                #  As of version 2.1.10, client certificates can be
+                #  validated via an external command.  This allows
+                #  dynamic CRLs or OCSP to be used.
+                #
+                #  This configuration is commented out in the
+                #  default configuration.  Uncomment it, and configure
+                #  the correct paths below to enable it.
+                #
+}
+
+
+
+       \}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/37tls e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/37tls
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/37tls     1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/37tls 2016-04-01 12:06:29.540000000 -0400
@@ -0,0 +1,21 @@
+{
+       ## EAP-TLS
+        #
+        #  As of Version 3.0, the TLS configuration for TLS-based
+        #  EAP types is above in the "tls-config" section.
+        #
+}
+        tls \{
+{
+                # Point to the common TLS configuration
+}                tls = tls-common
+{
+                #
+                # As part of checking a client certificate, the EAP-TLS
+                # sets some attributes such as TLS-Client-Cert-CN. This
+                # virtual server has access to these attributes, and can
+                # be used to accept or reject the request.
+                #
+}        #       virtual_server = check-eap-tls
+        \}
+
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/39ttls e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/39ttls
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/39ttls    1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/39ttls        2016-04-01 12:08:51.030000000 -0400
@@ -0,0 +1,90 @@
+{
+        ## EAP-TTLS
+        #
+        #  The TTLS module implements the EAP-TTLS protocol,
+        #  which can be described as EAP inside of Diameter,
+        #  inside of TLS, inside of EAP, inside of RADIUS...
+        #
+        #  Surprisingly, it works quite well.
+        #
+}        ttls \{
+{
+                #  Which tls-config section the TLS negotiation parameters
+                #  are in - see EAP-TLS above for an explanation.
+                #
+                #  In the case that an old configuration from FreeRADIUS
+                #  v2.x is being used, all the options of the tls-config
+                #  section may also appear instead in the 'tls' section
+                #  above. If that is done, the tls= option here (and in
+                #  tls above) MUST be commented out.
+                #
+}                tls = tls-common
+{
+                #  The tunneled EAP session needs a default EAP type
+                #  which is separate from the one for the non-tunneled
+                #  EAP module.  Inside of the TTLS tunnel, we recommend
+                #  using EAP-MD5.  If the request does not contain an
+                #  EAP conversation, then this configuration entry is
+                #  ignored.
+                #
+}                default_eap_type = md5
+{
+                #  The tunneled authentication request does not usually
+                #  contain useful attributes like 'Calling-Station-Id',
+                #  etc.  These attributes are outside of the tunnel,
+                #  and normally unavailable to the tunneled
+                #  authentication request.
+                #
+                #  By setting this configuration entry to 'yes',
+                #  any attribute which is NOT in the tunneled
+                #  authentication request, but which IS available
+                #  outside of the tunnel, is copied to the tunneled
+                #  request.
+                #
+                #  allowed values: {no, yes}
+                #
+}                copy_request_to_tunnel = no
+{
+                #  The reply attributes sent to the NAS are usually
+                #  based on the name of the user 'outside' of the
+                #  tunnel (usually 'anonymous').  If you want to send
+                #  the reply attributes based on the user name inside
+                #  of the tunnel, then set this configuration entry to
+                #  'yes', and the reply to the NAS will be taken from
+                #  the reply to the tunneled request.
+                #
+                #  allowed values: {no, yes}
+                #
+}                use_tunneled_reply = no
+{
+                #
+                #  The inner tunneled request can be sent
+                #  through a virtual server constructed
+                #  specifically for this purpose.
+                #
+                #  If this entry is commented out, the inner
+                #  tunneled request will be sent through
+                #  the virtual server that processed the
+                #  outer requests.
+                #
+}                virtual_server = "inner-tunnel"
+{
+                #  This has the same meaning, and overwrites, the
+                #  same field in the "tls" configuration, above.
+                #  The default value here is "yes".
+                #
+}        #       include_length = yes
+{
+                #
+                # Unlike EAP-TLS, EAP-TTLS does not require a client
+                # certificate. However, you can require one by setting the
+                # following option. You can also override this option by
+                # setting
+                #
+                #       EAP-TLS-Require-Client-Cert = Yes
+                #
+                # in the control items for a request.
+                #
+}        #       require_client_cert = yes
+        \}
+
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/40peap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/40peap
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/40peap    1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/40peap        2016-04-01 12:04:44.387000000 -0400
@@ -0,0 +1,33 @@
+{
+       #
+       #  The tunneled EAP session needs a default EAP type
+       #  which is separate from the one for the non-tunneled
+       #  EAP module.  Inside of the TLS/PEAP tunnel, we
+       #  recommend using EAP-MS-CHAPv2.
+       #
+       #  The PEAP module needs the TLS module to be installed
+       #  and configured, in order to use the TLS tunnel
+       #  inside of the EAP packet.  You will still need to 
+       #  configure the TLS module, even if you do not want
+       #  to deploy EAP-TLS in your network.  Users will not
+       #  be able to request EAP-TLS, as it requires them to
+       #  have a client certificate.  EAP-PEAP does not
+       #  require a client certificate.
+       #
+}
+       peap \{
+                tls = tls-common
+
+{                      #  The tunneled EAP session needs a default
+               #  EAP type which is separate from the one for
+               #  the non-tunneled EAP module.  Inside of the
+               #  PEAP tunnel, we recommend using MS-CHAPv2,
+               #  as that is the default type supported by
+               #  Windows clients.
+}              default_eap_type = mschapv2
+
+
+                copy_request_to_tunnel = no
+                use_tunneled_reply = no
+
+       \}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/45mschapv2 e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/45mschapv2
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/45mschapv2        1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/45mschapv2    2005-06-11 14:25:34.000000000 -0400
@@ -0,0 +1,18 @@
+{
+       #
+       #  This takes no configuration.
+       #
+       #  Note that it is the EAP MS-CHAPv2 sub-module, not
+       #  the main 'mschap' module.
+       #
+       #  Note also that in order for this sub-module to work,
+       #  the main 'mschap' module MUST ALSO be configured.
+       #
+       #  This module is the *Microsoft* implementation of MS-CHAPv2
+       #  in EAP.  There is another (incompatible) implementation
+       #  of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
+       #  currently support.
+       #
+}
+       mschapv2 \{
+       \}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/99end
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/99end     1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/99end 2005-06-11 14:25:39.000000000 -0400
@@ -0,0 +1 @@
+\}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/ldap/25modules30ldap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/ldap/25modules30ldap
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/ldap/25modules30ldap  1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/ldap/25modules30ldap      2016-04-01 12:33:08.367000000 -0400
@@ -0,0 +1,291 @@
+{
+
+    use esmith::util;
+    $OUT = '';
+
+    $pw = esmith::util::LdapPassword();
+    $base = esmith::util::ldapBase ($DomainName);
+
+}      ldap \{
+               server = "localhost"
+               identity = "cn=root,{ $base }"
+               password = { $pw }
+               basedn = "{ $base }"
+               filter = "(&(objectClass=posixAccount)(uid=%\{Stripped-User-Name:-%\{User-Name\}\}))"
+               ldap_connections_number = 5
+               timeout = 4
+               timelimit = 3
+               net_timeout = 3
+               tls \{
+                       start_tls = no
+               \}
+               groupname_attribute = cn
+               groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%\{Stripped-User-Name:-%\{User-Name\}\}))"
+
+        update \{
+                control:Password-With-Header    += 'userPassword'
+
+        \}
+        user \{
+                #  Where to start searching in the tree for users
+#                base_dn = "$\{..base_dn\}"
+
+                #  Filter for user objects, should be specific enough
+                #  to identify a single user object.
+#                filter = "(uid=%\{%\{Stripped-User-Name\}:-%\{User-Name\}\})"
+        \}
+        group \{
+                #  Where to start searching in the tree for groups
+#                base_dn = "$\{..base_dn\}"
+
+                #  Filter for group objects, should match all available
+                #  group objects a user might be a member of.
+#                filter = "(objectClass=posixGroup)"
+#                membership_attribute = "memberOf"
+        \}
+
+        profile \{
+                #  Filter for RADIUS profile objects
+#               filter = "(objectclass=radiusprofile)"
+
+                #  The default profile applied to all users.
+#               default = "cn=radprofile,dc=example,dc=org"
+
+                #  The list of profiles which are applied (after the default)
+                #  to all users.
+                #  The "User-Profile" attribute in the control list
+                #  will override this setting at run-time.
+#               attribute = "radiusProfileDn"
+        \}
+
+
+        client \{
+                #   Where to start searching in the tree for clients
+#                base_dn = "$\{..base_dn\}"
+
+                #
+                #  Filter to match client objects
+                #
+#                filter = '(objectClass=frClient)'
+
+                # Search scope, may be 'base', 'one', 'sub' or 'children'
+#               scope = 'sub'
+
+                #
+                #  Client attribute mappings are in the format:
+                #      <client attribute> = <ldap attribute>
+                #
+                #  Arbitrary attributes (accessible by %{client:<attr>}) are not yet supported.
+                #
+                #  The following attributes are required:
+                #    * identifier - IPv4 address, or IPv4 address with prefix, or hostname.
+                #    * secret - RADIUS shared secret.
+                #
+                #  The following attributes are optional:
+                #    * shortname - Friendly name associated with the client
+                #    * nas_type - NAS Type
+                #    * virtual_server - Virtual server to associate the client with
+                #    * require_message_authenticator - Whether we require the Message-Authenticator
+                #      attribute to be present in requests from the client.
+                #
+                #  Schemas are available in doc/schemas/ldap for openldap and eDirectory
+                #
+                attribute \{
+#                        identifier                      = 'radiusClientIdentifier'
+#                        secret                          = 'radiusClientSecret'
+#                       shortname                       = 'radiusClientShortname'
+#                       nas_type                        = 'radiusClientType'
+#                       virtual_server                  = 'radiusClientVirtualServer'
+#                       require_message_authenticator   = 'radiusClientRequireMa'
+                \}
+        \}
+
+
+
+        #  Useful for recording things like the last time the user logged
+        #  in, or the Acct-Session-ID for CoA/DM.
+        #
+        #  LDAP modification items are in the format:
+        #       <ldap attr> <op> <value>
+        #
+        #  Where:
+        #       <ldap attr>:    The LDAP attribute to add modify or delete.
+        #       <op>:           One of the assignment operators:
+        #                       (:=, +=, -=, ++).
+        #                       Note: '=' is *not* supported.
+        #       <value>:        The value to add modify or delete.
+        #
+        #  WARNING: If using the ':=' operator with a multi-valued LDAP
+        #  attribute, all instances of the attribute will be removed and
+        #  replaced with a single attribute.
+        accounting \{
+                reference = "%\{tolower:type.%\{Acct-Status-Type\}\}"
+
+                type \{
+                        start \{
+                                update \{
+                                        description := "Online at %S"
+                               \}
+                        \}
+
+                        interim-update \{
+                                update \{
+                                        description := "Last seen at %S"
+                                \}
+                        \}
+
+                        stop \{
+                                update \{
+                                        description := "Offline at %S"
+                                \}
+                        \}
+                \}
+        \}
+
+
+
+
+        #
+        #  Post-Auth can modify LDAP objects too
+        #
+        post-auth \{
+                update \{
+                        description := "Authenticated at %S"
+                \}
+        \}
+
+
+
+
+
+        #  LDAP connection-specific options.
+        #
+        #  These options set timeouts, keep-alives, etc. for the connections.
+        #
+        options \{
+                #  Control under which situations aliases are followed.
+                #  May be one of 'never', 'searching', 'finding' or 'always'
+                #  default: libldap's default which is usually 'never'.
+                #
+                #  LDAP_OPT_DEREF is set to this value.
+#               dereference = 'always'
+
+                #
+                #  The following two configuration items control whether the
+                #  server follows references returned by LDAP directory.
+                #  They are  mostly for Active Directory compatibility.
+                #  If you set these to "no", then searches will likely return
+                #  "operations error", instead of a useful result.
+                #
+                chase_referrals = yes
+                rebind = yes
+
+                #  Seconds to wait for LDAP query to finish. default: 20
+                timeout = 10
+
+                #  Seconds LDAP server has to process the query (server-side
+                #  time limit). default: 20
+                #
+                #  LDAP_OPT_TIMELIMIT is set to this value.
+                timelimit = 3
+
+                #  Seconds to wait for response of the server. (network
+                #  failures) default: 10
+                #
+                #  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
+                net_timeout = 1
+
+                #  LDAP_OPT_X_KEEPALIVE_IDLE
+                idle = 60
+
+                #  LDAP_OPT_X_KEEPALIVE_PROBES
+                probes = 3
+
+                #  LDAP_OPT_X_KEEPALIVE_INTERVAL
+                interval = 3
+
+                #  ldap_debug: debug flag for LDAP SDK
+                #  (see OpenLDAP documentation).  Set this to enable
+                #  huge amounts of LDAP debugging on the screen.
+                #  You should only use this if you are an LDAP expert.
+                #
+                #       default: 0x0000 (no debugging messages)
+                #       Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
+                ldap_debug = 0x0028
+        \}
+
+
+        #  The connection pool is new for 3.0, and will be used in many
+        #  modules, for all kinds of connection-related activity.
+        #
+        #  When the server is not threaded, the connection pool
+        #  limits are ignored, and only one connection is used.
+        pool \{
+                #  Number of connections to start
+                start = 5
+
+                #  Minimum number of connections to keep open
+                min = 4
+
+                #  Maximum number of connections
+                #
+                #  If these connections are all in use and a new one
+                #  is requested, the request will NOT get a connection.
+                #
+                #  Setting 'max' to LESS than the number of threads means
+                #  that some threads may starve, and you will see errors
+                #  like "No connections available and at max connection limit"
+                #
+                #  Setting 'max' to MORE than the number of threads means
+                #  that there are more connections than necessary.
+                max = $\{thread[pool].max_servers\}
+
+                #  Spare connections to be left idle
+                #
+                #  NOTE: Idle connections WILL be closed if "idle_timeout"
+                #  is set.
+                spare = 3
+
+                #  Number of uses before the connection is closed
+                #
+                #  0 means "infinite"
+                uses = 0
+
+                #  The lifetime (in seconds) of the connection
+                lifetime = 0
+
+                #  Idle timeout (in seconds).  A connection which is
+                #  unused for this length of time will be closed.
+                idle_timeout = 60
+
+                #  NOTE: All configuration settings are enforced.  If a
+                #  connection is closed because of "idle_timeout",
+                #  "uses", or "lifetime", then the total number of
+                #  connections MAY fall below "min".  When that
+                #  happens, it will open a new connection.  It will
+                #  also log a WARNING message.
+                #
+                #  The solution is to either lower the "min" connections,
+                #  or increase lifetime/idle_timeout.
+        \}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+       \}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/05init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/05init
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/05init  2016-02-05 16:34:10.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/05init      2016-04-01 09:29:51.476000000 -0400
@@ -27,9 +27,17 @@
 raddbdir = $\{sysconfdir\}/raddb
 radacctdir = $\{logdir\}/radacct
 
+{
+#
+#  name of the running server.  See also the "-n" command-line option.
+}
+name = radiusd
+
 confdir = $\{raddbdir\}
+modconfdir = $\{confdir\}/mods-config
+certdir = $\{confdir\}/certs
+cadir   = $\{confdir\}/certs
 run_dir = $\{localstatedir\}/run/radiusd
-log_file = $\{logdir\}/radius.log
 {
 # libdir: Where to find the rlm_* modules.
 #
@@ -73,31 +81,45 @@
 #
 #  e.g.:  kill -HUP `cat /var/run/radiusd/radiusd.pid`
 }
-pidfile = $\{run_dir\}/radiusd.pid
+pidfile = $\{run_dir\}/$\{name\}.pid
 {
-# user/group: The name (or #number) of the user/group to run radiusd as.
+#  panic_action: Command to execute if the server dies unexpectedly.
+#
+#  FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.
+#  AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.
+#  AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART.
+#
+#  THE SERVER MUST NOT BE ALLOWED EXECUTE UNTRUSTED PANIC ACTION CODE
+#  PATTACH CAN BE USED AS AN ATTACK VECTOR.
+#
+#  The panic action is a command which will be executed if the server
+#  receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS,
+#  SIGABRT or SIGFPE.
 #
-#      If these are commented out, the server will run as the user/group
-#      that started it.  In order to change to a different user/group, you
-#      MUST be root ( or have root privleges ) to start the server.
+#  This can be used to start an interactive debugging session so
+#  that information regarding the current state of the server can
+#  be acquired.
 #
-#      We STRONGLY recommend that you run the server with as few permissions
-#      as possible.  That is, if you're not using shadow passwords, the
-#      user and group items below should be set to 'nobody'.
+#  The following string substitutions are available:
+#  - %e   The currently executing program e.g. /sbin/radiusd
+#  - %p   The PID of the currently executing program e.g. 12345
 #
-#      On SCO (ODT 3) use "user = nouser" and "group = nogroup".
+#  Standard ${} substitutions are also allowed.
 #
-#  NOTE that some kernels refuse to setgid(group) when the value of
-#  (unsigned)group is above 60000; don't use group nobody on these systems!
+#  An example panic action for opening an interactive session in GDB would be:
+#
+#panic_action = "gdb %e %p"
+#
+#  Again, don't use that on a production system.
+#
+#  An example panic action for opening an automated session in GDB would be:
+#
+#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log"
+#
+#  That command can be used on a production system.
 #
-#  On systems with shadow passwords, you might have to set 'group = shadow'
-#  for the server to be able to read the shadow password file.  If you can
-#  authenticate users while in debug mode, but not in daemon mode, it may be
-#  that the debugging mode server is running as a user that can read the
-#  shadow info, and the user listed below can not.
 }
-user = root
-group = root
+
 {
 #  max_request_time: The maximum time (in seconds) to handle a request.
 #
@@ -207,13 +229,6 @@
 }
 hostname_lookups = no
 {
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-#  if you're debugging a problem with the server.
-#
-#  allowed values: \{no, yes\}
-}
-allow_core_dumps = no
-{
 #  Regular expressions
 #
 #  These items are set at configure time.  If they're set to "yes",
@@ -225,27 +240,6 @@
 regular_expressions = yes
 extended_expressions = yes
 {
-#  Log the full User-Name attribute, as it was found in the request.
-#
-# allowed values: \{no, yes\}
-}
-log_stripped_names = no
-{
-#  Log authentication requests to the log file.
-#
-#  allowed values: \{no, yes\}
-}
-log_auth = no
-{
-#  Log passwords with the authentication requests.
-#  log_auth_badpass  - logs password if it's rejected
-#  log_auth_goodpass - logs password if it's correct
-#
-#  allowed values: \{no, yes\}
-}
-log_auth_badpass = no
-log_auth_goodpass = no
-{
 # usercollide:  Turn "username collision" code on and off.  See the
 # "doc/duplicate-users" file
 #
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/07log e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/07log
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/07log   1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/07log       2016-04-01 09:21:32.222000000 -0400
@@ -0,0 +1,127 @@
+{
+#
+#  Logging section.  The various "log_*" configuration items
+#  will eventually be moved here.
+#
+# previously this section was only:
+#log_file = $\{logdir\}/radius.log
+}
+log \{
+{
+        #
+        #  Destination for log messages.  This can be one of:
+        #
+        #       files - log to "file", as defined below.
+        #       syslog - to syslog (see also the "syslog_facility", below.
+        #       stdout - standard output
+        #       stderr - standard error.
+        #
+        #  The command-line option "-X" over-rides this option, and forces
+        #  logging to go to stdout.
+        #
+}        destination = files
+{
+        #
+        #  Highlight important messages sent to stderr and stdout.
+        #
+        #  Option will be ignored (disabled) if output if TERM is not
+        #  an xterm or output is not to a TTY.
+        #
+}        colourise = yes
+{
+        #
+        #  The logging messages for the server are appended to the
+        #  tail of this file if destination == "files"
+        #
+        #  If the server is running in debugging mode, this file is
+        #  NOT used.
+        #
+}        file = ${logdir}/radius.log
+{
+        #
+        #  If this configuration parameter is set, then log messages for
+        #  a *request* go to this file, rather than to radius.log.
+        #
+        #  i.e. This is a log file per request, once the server has accepted
+        #  the request as being from a valid client.  Messages that are
+        #  not associated with a request still go to radius.log.
+        #
+        #  Not all log messages in the server core have been updated to use
+        #  this new internal API.  As a result, some messages will still
+        #  go to radius.log.  Please submit patches to fix this behavior.
+        #
+        #  The file name is expanded dynamically.  You should ONLY user
+        #  server-side attributes for the filename (e.g. things you control).
+        #  Using this feature MAY also slow down the server substantially,
+        #  especially if you do thinks like SQL calls as part of the
+        #  expansion of the filename.
+        #
+        #  The name of the log file should use attributes that don't change
+        #  over the lifetime of a request, such as User-Name,
+        #  Virtual-Server or Packet-Src-IP-Address.  Otherwise, the log
+        #  messages will be distributed over multiple files.
+        #
+        #  Logging can be enabled for an individual request by a special
+        #  dynamic expansion macro:  %{debug: 1}, where the debug level
+        #  for this request is set to '1' (or 2, 3, etc.).  e.g.
+        #
+        #       ...
+        #       update control {
+        #              Tmp-String-0 = "%{debug:1}"
+        #       }
+        #       ...
+        #
+        #  The attribute that the value is assigned to is unimportant,
+        #  and should be a "throw-away" attribute with no side effects.
+        #
+        #requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
+
+        #
+        #  Which syslog facility to use, if ${destination} == "syslog"
+        #
+        #  The exact values permitted here are OS-dependent.  You probably
+        #  don't want to change this.
+        #
+}        syslog_facility = daemon
+{
+        #  Log the full User-Name attribute, as it was found in the request.
+        #
+        # allowed values: {no, yes}
+        #
+        #
+}        stripped_names = no
+{
+        #  Log authentication requests to the log file.
+        #
+        #  allowed values: {no, yes}
+        #
+}        auth = no
+{
+        #  Log passwords with the authentication requests.
+        #  auth_badpass  - logs password if it's rejected
+        #  auth_goodpass - logs password if it's correct
+        #
+        #  allowed values: {no, yes}
+        #
+}        auth_badpass = no
+        auth_goodpass = no
+{
+        #  Log additional text at the end of the "Login OK" messages.
+        #  for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
+        #  configurations above have to be set to "yes".
+        #
+        #  The strings below are dynamically expanded, which means that
+        #  you can put anything you want in them.  However, note that
+        #  this expansion can be slow, and can negatively impact server
+        #  performance.
+        #
+}
+#       msg_goodpass = ""
+#       msg_badpass = ""
+{
+        #  The message when the user exceeds the Simultaneous-Use limit.
+        #
+}
+        msg_denied = "You are already logged in - access denied"
+\}
+
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/10security e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/10security
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/10security      2005-06-11 12:01:54.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/10security  2016-04-01 07:32:01.846000000 -0400
@@ -6,6 +6,43 @@
 #  of those attacks
 }
 security \{
+{        # user/group: The name (or #number) of the user/group to run radiusd as.
+        #
+        #   If these are commented out, the server will run as the
+        #   user/group that started it.  In order to change to a
+        #   different user/group, you MUST be root ( or have root
+        #   privileges ) to start the server.
+        #
+        #   We STRONGLY recommend that you run the server with as few
+        #   permissions as possible.  That is, if you're not using
+        #   shadow passwords, the user and group items below should be
+        #   set to radius'.
+        #
+        #  NOTE that some kernels refuse to setgid(group) when the
+        #  value of (unsigned)group is above 60000; don't use group
+        #  "nobody" on these systems!
+        #
+        #  On systems with shadow passwords, you might have to set
+        #  'group = shadow' for the server to be able to read the
+        #  shadow password file.  If you can authenticate users while
+        #  in debug mode, but not in daemon mode, it may be that the
+        #  debugging mode server is running as a user that can read
+        #  the shadow info, and the user listed below can not.
+        #
+        #  The server will also try to use "initgroups" to read
+        #  /etc/groups.  It will join all groups where "user" is a
+        #  member.  This can allow for some finer-grained access
+        #  controls.
+        #
+}        user = root
+        group = root
+{
+        #  Core dumps are a bad thing.  This should only be set to
+        #  'yes' if you're debugging a problem with the server.
+        #
+        #  allowed values: {no, yes}
+        #
+}        allow_core_dumps = no
 {
        #  max_attributes: The maximum number of attributes
        #  permitted in a RADIUS packet.  Packets which have MORE
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/15configuration e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/15configuration
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/15configuration 2005-06-11 14:31:14.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/15configuration     2016-04-01 07:48:08.316000000 -0400
@@ -99,4 +99,19 @@
        #  '0' is a special value meaning 'infinity', or 'the servers never
        #  exit'
 }      max_requests_per_server = 0
+{
+        #  If the received PPS is larger than the processed PPS, *and*
+        #  the queue is more than half full, then new accounting
+        #  requests are probabilistically discarded.  This lowers the
+        #  number of packets that the server needs to process.  Over
+        #  time, the server will "catch up" with the traffic.
+        #
+        #  Throwing away accounting packets is usually safe and low
+        #  impact.  The NAS will retransmit them in a few seconds, or
+        #  even a few minutes.  Vendors should read RFC 5080 Section 2.2.1
+        #  to see how accounting packets should be retransmitted.  Using
+        #  any other method is likely to cause network meltdowns.
+        #
+}        auto_limit_acct = no
+
 \}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/17snmp e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/17snmp
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/17snmp  1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/17snmp      2016-04-01 07:49:00.444000000 -0400
@@ -0,0 +1,10 @@
+{
+######################################################################
+#
+#  SNMP notifications.  Uncomment the following line to enable
+#  snmptraps.  Note that you MUST also configure the full path
+#  to the "snmptrap" command in the "trigger.conf" file.
+#
+}
+#$INCLUDE trigger.conf
+
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/20modules00init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/20modules00init
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/20modules00init 2005-06-11 14:32:26.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/20modules00init     2016-04-01 07:56:07.712000000 -0400
@@ -7,18 +7,34 @@
 #  in other sections of this configuration file.
 }
 modules \{ {
-       #  Each module has a configuration as follows:
-       #
-       #   name [ instance ] \{
-       #          config_item = value
-       #          ...
-       #   \}
-       #
-       #  The 'name' is used to load the 'rlm_name' library
-       #  which implements the functionality of the module.
-       #
-       #  The 'instance' is optional.  To have two different instances
-       #  of a module, it first must be referred to by 'name'.
-       #  The different copies of the module are then created by
-       #  inventing two 'instance' names, e.g. 'instance1' and 'instance2'
+        #
+        #  Each module has a configuration as follows:
+        #
+        #       name [ instance ] {
+        #               config_item = value
+        #               ...
+        #       }
+        #
+        #  The 'name' is used to load the 'rlm_name' library
+        #  which implements the functionality of the module.
+        #
+        #  The 'instance' is optional.  To have two different instances
+        #  of a module, it first must be referred to by 'name'.
+        #  The different copies of the module are then created by
+        #  inventing two 'instance' names, e.g. 'instance1' and 'instance2'
+        #
+        #  The instance names can then be used in later configuration
+        #  INSTEAD of the original 'name'.  See the 'radutmp' configuration
+        #  for an example.
+        #
+
+        #
+        #  As of 3.0, modules are in mods-enabled/.  Files matching
+        #  the regex /[a-zA-Z0-9_.]+/ are loaded.  The modules are
+        #  initialized ONLY if they are referenced in a processing
+        #  section, such as authorize, authenticate, accounting,
+        #  pre/post-proxy, etc.
+        #
 }
+        $INCLUDE mods-enabled/
+
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules05preprocess e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules05preprocess
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules05preprocess   2005-06-11 14:37:58.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules05preprocess       1969-12-31 19:00:00.000000000 -0500
@@ -1,47 +0,0 @@
-{
-       # Preprocess the incoming RADIUS request, before handing it off
-       # to other modules.
-}      preprocess \{
-{
-               # This hack changes Ascend's wierd port numberings
-               # to standard 0-??? port numbers so that the "+" works
-               # for IP address assignments.
-}              with_ascend_hack = no
-               ascend_channels_per_line = 23
-{
-               # Windows NT machines often authenticate themselves as
-               # NT_DOMAIN\username
-               #
-               # If this is set to 'yes', then the NT_DOMAIN portion
-               # of the user-name is silently discarded.
-               #
-               # This configuration entry SHOULD NOT be used.
-               # See the "realms" module for a better way to handle
-               # NT domains.
-}              with_ntdomain_hack = no
-{
-               # Specialix Jetstream 8500 24 port access server.
-               #
-               # If the user name is 10 characters or longer, a "/"
-               # and the excess characters after the 10th are
-               # appended to the user name.
-               #
-               # If you're not running that NAS, you don't need
-               # this hack.
-}              with_specialix_jetstream_hack = no
-{
-               # Cisco sends it's VSA attributes with the attribute
-               # name *again* in the string, like:
-               #
-               #   H323-Attribute = "h323-attribute=value".
-               #
-               # If this configuration item is set to 'yes', then
-               # the redundant data in the the attribute text is stripped
-               # out.  The result is:
-               #
-               #  H323-Attribute = "value"
-               #
-               # If you're not running a Cisco NAS, you don't need
-               # this hack.
-}              with_cisco_vsa_hack = no
-       \}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules10suffix e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules10suffix
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules10suffix       2005-06-11 12:11:42.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules10suffix   1969-12-31 19:00:00.000000000 -0500
@@ -1,8 +0,0 @@
-{
-       #  'username@realm'
-}      realm suffix \{
-               format = suffix
-               delimiter = "@"
-               ignore_default = yes
-               ignore_null = yes
-       \}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules15ntdomain e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules15ntdomain
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules15ntdomain     2005-06-11 14:12:54.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules15ntdomain 1969-12-31 19:00:00.000000000 -0500
@@ -1,8 +0,0 @@
-{
-       #  'domain\user'
-}      realm ntdomain \{
-               format = prefix
-               delimiter = "\\"
-               ignore_default = no
-               ignore_null = no
-       \}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules20eap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules20eap
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules20eap  2005-06-11 12:08:29.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules20eap      1969-12-31 19:00:00.000000000 -0500
@@ -1,6 +0,0 @@
-{
-       #  Extensible Authentication Protocol
-       #
-       #  For all EAP related authentications.
-       #  Now in another file, because it is very large.
-}$INCLUDE $\{confdir\}/eap.conf
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules25mschap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules25mschap
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules25mschap       2005-06-11 14:57:35.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules25mschap   1969-12-31 19:00:00.000000000 -0500
@@ -1,50 +0,0 @@
-{
-       # Microsoft CHAP authentication
-       #
-       #  This module supports MS-CHAP and MS-CHAPv2 authentication.
-       #  It also enforces the SMB-Account-Ctrl attribute.
-}      mschap \{
-{
-               #  As of 0.9, the mschap module does NOT support
-               #  reading from /etc/smbpasswd.
-               #
-               #  If you are using /etc/smbpasswd, see the 'passwd'
-               #  module for an example of how to use /etc/smbpasswd
-               #
-               # authtype value, if present, will be used
-               # to overwrite (or add) Auth-Type during
-               # authorization. Normally should be MS-CHAP
-}              authtype = MS-CHAP
-{
-               # if use_mppe is not set to no mschap will
-               # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
-               # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
-}              use_mppe = yes
-{
-               # if mppe is enabled require_encryption makes
-               # encryption moderate
-}              require_encryption = yes
-{
-               # require_strong always requires 128 bit key
-               # encryption
-               #
-}              require_strong = yes
-{
-               # Windows sends us a username in the form of
-               # DOMAIN\user, but sends the challenge response
-               # based on only the user portion.  This hack
-               # corrects for that incorrect behavior.
-}              with_ntdomain_hack = yes
-{
-               # The module can perform authentication itself, OR
-               # use a Windows Domain Controller.  This configuration
-               # directive tells the module to call the ntlm_auth
-               # program, which will do the authentication, and return
-               # the NT-Key.  Note that you MUST have "winbindd" and
-               # "nmbd" running on the local machine for ntlm_auth
-               # to work.  See the ntlm_auth program documentation
-               # for details.
-               #
-               # Be VERY careful when editing the following line!
-               #ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%\{Stripped-User-Name:-%\{User-Name:-None\}\} --challenge=%\{mschap:Challenge:-00\} --nt-response=%\{mschap:NT-Response:-00\}"
-}      \}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30ldap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30ldap
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30ldap 2013-02-13 18:00:55.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30ldap     1969-12-31 19:00:00.000000000 -0500
@@ -1,24 +0,0 @@
-{
-
-    use esmith::util;
-    $OUT = '';
-
-    $pw = esmith::util::LdapPassword();
-    $base = esmith::util::ldapBase ($DomainName);
-
-}      ldap \{
-               server = "localhost"
-               identity = "cn=root,{ $base }"
-               password = { $pw }
-               basedn = "{ $base }"
-               filter = "(&(objectClass=posixAccount)(uid=%\{Stripped-User-Name:-%\{User-Name\}\}))"
-               ldap_connections_number = 5
-               timeout = 4
-               timelimit = 3
-               net_timeout = 3
-               tls \{
-                       start_tls = no
-               \}
-               groupname_attribute = cn
-               groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%\{Stripped-User-Name:-%\{User-Name\}\}))"
-       \}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30smbpasswd e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30smbpasswd
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30smbpasswd    2005-06-11 14:34:29.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30smbpasswd        1969-12-31 19:00:00.000000000 -0500
@@ -1,10 +0,0 @@
-{
-       #  An example configuration for using /etc/samba/smbpasswd.
-}      passwd smbpasswd \{
-               filename = /etc/samba/smbpasswd
-               format = "*Stripped-User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
-               authtype = MS-CHAP
-               hashsize = 100
-               ignorenislike = no
-               allowmultiplekeys = no
-       \}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules35files e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules35files
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules35files        2005-06-11 14:47:21.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules35files    1969-12-31 19:00:00.000000000 -0500
@@ -1,11 +0,0 @@
-{
-       # Livingston-style 'users' file
-}      files \{
-               usersfile = $\{confdir\}/users
-{
-               #  If you want to use the old Cistron 'users' file
-               #  with FreeRADIUS, you should change the next line
-               #  to 'compat = cistron'.  You can the copy your 'users'
-               #  file from Cistron.
-}              compat = no
-       \}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules40reject e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules40reject
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules40reject       2005-06-11 14:35:56.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules40reject   1969-12-31 19:00:00.000000000 -0500
@@ -1,6 +0,0 @@
-{
-       # Each instance simply returns the same result, always, without
-       # doing anything.
-}      always reject \{
-               rcode = reject
-       \}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules45acctUnique e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules45acctUnique
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules45acctUnique   2008-10-07 13:37:19.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules45acctUnique       1969-12-31 19:00:00.000000000 -0500
@@ -1,13 +0,0 @@
-{
-       # Create a unique accounting session Id.  Many NASes re-use or
-       # repeat values for Acct-Session-Id, causing no end of
-       # confusion.
-       #
-       #  This module will add a (probably) unique session id 
-       #  to an accounting packet based on the attributes listed
-       #  below found in the packet.  See doc/rlm_acct_unique for
-       #  more information.
-       #
-}      acct_unique \{
-               key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
-       \}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules50detail e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules50detail
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules50detail       2008-10-07 13:37:19.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules50detail   1969-12-31 19:00:00.000000000 -0500
@@ -1,36 +0,0 @@
-{
-       # Write a detailed log of all accounting records received.
-       #
-}      detail \{
-{              #  Note that we do NOT use NAS-IP-Address here, as
-               #  that attribute MAY BE from the originating NAS, and
-               #  NOT from the proxy which actually sent us the
-               #  request.  The Client-IP-Address attribute is ALWAYS
-               #  the address of the client which sent us the
-               #  request.
-               #
-               #  The following line creates a new detail file for
-               #  every radius client (by IP address or hostname).
-               #  In addition, a new detail file is created every
-               #  day, so that the detail file doesn't have to go
-               #  through a 'log rotation'
-               #
-               #  If your detail files are large, you may also want
-               #  to add a ':%H' (see doc/variables.txt) to the end
-               #  of it, to create a new detail file every hour, e.g.:
-               #
-               #   ..../detail-%Y%m%d:%H
-               #
-               #  This will create a new detail file for every hour.
-               #
-}              detailfile = $\{logdir\}/accounting.log
-{
-               #
-               #  The Unix-style permissions on the 'detail' file.
-               #
-               #  The detail file often contains secret or private
-               #  information about users.  So by keeping the file
-               #  permissions restrictive, we can prevent unwanted
-               #  people from seeing that information.
-}              detailperm = 0600
-       \}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization00init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization00init
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization00init   2008-10-07 13:37:19.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization00init       1969-12-31 19:00:00.000000000 -0500
@@ -1,11 +0,0 @@
-{
-#  Authorization. First preprocess (hints and huntgroups files),
-#  then realms, and finally look in the "users" file.
-#
-#  The order of the realm modules will determine the order that
-#  we try to find a matching realm.
-#
-#  Make *sure* that 'preprocess' comes before any realm if you 
-#  need to setup hints for the remote radius server
-}
-authorize \{
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization40default e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization40default
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization40default        2013-02-13 18:00:55.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization40default    1969-12-31 19:00:00.000000000 -0500
@@ -1,39 +0,0 @@
-{
-       #  The preprocess module takes care of sanitizing some bizarre
-       #  attributes in the request, and turning them into attributes
-       #  which are more standard.
-       #
-       #  It takes care of processing the 'raddb/hints' and the
-       #  'raddb/huntgroups' files.
-       #
-       #  It also adds the %\{Client-IP-Address\} attribute to the request.
-}      preprocess
-{      
-       #  If you are using multiple kinds of realms, you probably
-       #  want to set "ignore_null = yes" for all of them.
-       #  Otherwise, when the first style of realm doesn't match,
-       #  the other styles won't be checked.
-}      suffix
-       ntdomain
-{      
-       #  This module takes care of EAP-PEAP authentication.
-       #
-       #  It also sets the EAP-Type attribute in the request
-       #  attribute list to the EAP type from the packet.
-}      eap
-{
-       #  If the users are logging in with an MS-CHAP-Challenge
-       #  attribute for authentication, the mschap module will find
-       #  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
-       #  to the request, which will cause the server to then use
-       #  the mschap module for authentication.
-}      mschap
-{      
-       #  If you are using /etc/smbpasswd, and are also doing
-       #  mschap authentication, the un-comment this line, and
-       #  configure the 'smbpasswd' module, above.
-        ( $ldap{Authentication} || 'disabled' ) eq 'enabled' ? 'ldap' : 'smbpasswd';
-}      
-{      
-       #  Read the 'users' file
-}      files
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization99end
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization99end    2008-10-07 13:37:19.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization99end        1969-12-31 19:00:00.000000000 -0500
@@ -1 +0,0 @@
-\}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate00setup e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate00setup
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate00setup   2008-10-07 13:37:19.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate00setup       1969-12-31 19:00:00.000000000 -0500
@@ -1,5 +0,0 @@
-{
-    my @authModules = '';
-    $OUT = '';
-}
-
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate10AuthMsChap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate10AuthMsChap
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate10AuthMsChap      2008-10-07 13:37:19.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate10AuthMsChap  1969-12-31 19:00:00.000000000 -0500
@@ -1,5 +0,0 @@
-{
-    push(@authModules, "\tAuth-Type MS-CHAP\{\n\t\tmschap\n\t\}\n");
-    $OUT = '';
-}
-
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate15ldap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate15ldap
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate15ldap    2013-02-13 18:00:55.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate15ldap        1969-12-31 19:00:00.000000000 -0500
@@ -1,5 +0,0 @@
-{
-    push(@authModules, "\tAuth-Type LDAP\{\n\t\tldap\n\t\}\n");
-    $OUT = '';
-}
-
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate20authEap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate20authEap
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate20authEap 2008-10-07 13:37:19.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate20authEap     1969-12-31 19:00:00.000000000 -0500
@@ -1,4 +0,0 @@
-{
-    push(@authModules, "\teap\n");
-    $OUT = '';
-}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate99process e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate99process
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate99process 2008-10-07 13:37:19.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate99process     1969-12-31 19:00:00.000000000 -0500
@@ -1,23 +0,0 @@
-{
-#  Authentication.
-#
-#  This section lists which modules are available for authentication.
-#  Note that it does NOT mean 'try each module in order'.  It means
-#  that a module from the 'authorize' section adds a configuration
-#  attribute 'Auth-Type := FOO'.  That authentication type is then
-#  used to pick the apropriate module from the list below.
-#
-#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
-#  will figure it out on its own, and will do the right thing.  The
-#  most common side effect of erroneously setting the Auth-Type
-#  attribute is that one authentication method will work, but the
-#  others will not.
-#
-#  The common reasons to set the Auth-Type attribute by hand
-#  is to either forcibly reject the user, or forcibly accept him.
-
-    $OUT = "authenticate \{\n";
-    $OUT .= "$_\n" foreach @authModules;
-    $OUT .= "\}\n";
-
-}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/75preacct e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/75preacct
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/75preacct       2008-10-07 13:37:19.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/75preacct   1969-12-31 19:00:00.000000000 -0500
@@ -1,17 +0,0 @@
-{
-#
-#  Pre-accounting.  Decide which accounting type to use.
-#
-}preacct \{
-       preprocess
-{
-       #
-       #  Ensure that we have a semi-unique identifier for every
-       #  request, and many NAS boxes are broken.
-}      acct_unique
-{
-       #  Accounting requests are generally proxied to the same
-       #  home server as authentication requests.
-}      suffix
-       ntdomain
-\}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/77Instantiate e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/77Instantiate
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/77Instantiate   1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/77Instantiate       2016-04-01 08:37:06.246000000 -0400
@@ -0,0 +1,45 @@
+{
+# Instantiation
+#
+#  This section orders the loading of the modules.  Modules
+#  listed here will get loaded BEFORE the later sections like
+#  authorize, authenticate, etc. get examined.
+#
+#  This section is not strictly needed.  When a section like
+#  authorize refers to a module, it's automatically loaded and
+#  initialized.  However, some modules may not be listed in any
+#  of the following sections, so they can be listed here.
+#
+#  Also, listing modules here ensures that you have control over
+#  the order in which they are initialized.  If one module needs
+#  something defined by another module, you can list them in order
+#  here, and ensure that the configuration will be OK.
+#
+#  After the modules listed here have been loaded, all of the modules
+#  in the "mods-enabled" directory will be loaded.  Loading the
+#  "mods-enabled" directory means that unlike Version 2, you usually
+#  don't need to list modules here.
+#
+}
+instantiate \{
+        #
+        # We list the counter module here so that it registers
+        # the check_name attribute before any module which sets
+        # it
+#       daily
+
+        # subsections here can be thought of as "virtual" modules.
+        #
+        # e.g. If you have two redundant SQL servers, and you want to
+        # use them in the authorize and accounting sections, you could
+        # place a "redundant" block in each section, containing the
+        # exact same text.  Or, you could uncomment the following
+        # lines, and list "redundant_sql" in the authorize and
+        # accounting sections.
+        #
+        #redundant redundant_sql \{
+        #       sql1
+        #       sql2
+        #\}
+\}
+
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting00init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting00init
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting00init      2008-10-07 13:37:19.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting00init  1969-12-31 19:00:00.000000000 -0500
@@ -1,5 +0,0 @@
-{
-#
-#  Accounting.  Log the accounting data.
-#
-}accounting \{
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting40default e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting40default
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting40default   2008-10-07 13:37:19.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting40default       1969-12-31 19:00:00.000000000 -0500
@@ -1,5 +0,0 @@
-{      #
-       #  Create a 'detail'ed log of the packets.
-       #  Note that accounting requests which are proxied
-       #  are also logged in the detail file.
-}      detail
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting99end
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting99end       2008-10-07 13:37:19.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting99end   1969-12-31 19:00:00.000000000 -0500
@@ -1 +0,0 @@
-\}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80Policy e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80Policy
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80Policy        1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80Policy    2016-04-01 08:34:12.100000000 -0400
@@ -0,0 +1,20 @@
+{
+######################################################################
+#
+#  Policies are virtual modules, similar to those defined in the
+#  "instantiate" section above.
+#
+#  Defining a policy in one of the policy.d files means that it can be
+#  referenced in multiple places as a *name*, rather than as a series of
+#  conditions to match, and actions to take.
+#
+#  Policies are something like subroutines in a normal language, but
+#  they cannot be called recursively. They MUST be defined in order.
+#  If policy A calls policy B, then B MUST be defined before A.
+#
+######################################################################
+}
+policy \{
+       $INCLUDE policy.d/
+\}
+
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/90LoadVirtualServers e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/90LoadVirtualServers
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/90LoadVirtualServers    1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/90LoadVirtualServers        2016-04-01 08:32:46.291000000 -0400
@@ -0,0 +1,33 @@
+{
+######################################################################
+#
+#<----->Load virtual servers.
+#
+#<----->This next $INCLUDE line loads files in the directory that
+#<----->match the regular expression: /[a-zA-Z0-9_.]+/
+#
+#<----->It allows you to define new virtual servers simply by placing
+#<----->a file into the raddb/sites-enabled/ directory.
+#
+}$INCLUDE sites-enabled/
+{
+######################################################################
+#
+#<----->All of the other configuration sections like "authorize {}",
+#<----->"authenticate {}", "accounting {}", have been moved to the
+#<----->the file:
+#
+#<-----><------>raddb/sites-available/default
+#
+#<----->This is the "default" virtual server that has the same
+#<----->configuration as in version 1.0.x and 1.1.x.  The default
+#<----->installation enables this virtual server.  You should
+#<----->edit it to create policies for your local site.
+#
+#<----->For more documentation on virtual servers, see:
+#
+#<-----><------>raddb/sites-available/README
+#
+######################################################################
+
+}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/01init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/01init
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/01init       1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/01init   2016-04-01 09:39:19.463000000 -0400
@@ -0,0 +1,49 @@
+{
+######################################################################
+#
+#       As of 2.0.0, FreeRADIUS supports virtual hosts using the
+#       "server" section, and configuration directives.
+#
+#       Virtual hosts should be put into the "sites-available"
+#       directory.  Soft links should be created in the "sites-enabled"
+#       directory to these files.  This is done in a normal installation.
+#
+#       If you are using 802.1X (EAP) authentication, please see also
+#       the "inner-tunnel" virtual server.  You will likely have to edit
+#       that, too, for authentication to work.
+#
+#       $Id: 77c271c4820c2d609b7d0a6bc2b65636d73730bc $
+#
+######################################################################
+#
+#       Read "man radiusd" before editing this file.  See the section
+#       titled DEBUGGING.  It outlines a method where you can quickly
+#       obtain the configuration you want, without running into
+#       trouble.  See also "man unlang", which documents the format
+#       of this file.
+#
+#       This configuration is designed to work in the widest possible
+#       set of circumstances, with the widest possible number of
+#       authentication methods.  This means that in general, you should
+#       need to make very few changes to this file.
+#
+#       The best way to configure the server for your local system
+#       is to CAREFULLY edit this file.  Most attempts to make large
+#       edits to this file will BREAK THE SERVER.  Any edits should
+#       be small, and tested by running the server with "radiusd -X".
+#       Once the edits have been verified to work, save a copy of these
+#       configuration files somewhere.  (e.g. as a "tar" file).  Then,
+#       make more edits, and test, as above.
+#
+#       There are many "commented out" references to modules such
+#       as ldap, sql, etc.  These references serve as place-holders.
+#       If you need the functionality of that module, then configure
+#       it in radiusd.conf, and un-comment the references to it in
+#       this file.  In most cases, those small changes will result
+#       in the server being able to connect to the DB, and to
+#       authenticate users.
+#
+######################################################################
+}
+server default \{
+
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/20listen e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/20listen
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/20listen     1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/20listen 2016-04-01 10:01:03.411000000 -0400
@@ -0,0 +1,90 @@
+{
+#  listen: Make the server listen on a particular IP address, and send
+#  replies out from that address. This directive is most useful for
+#  hosts with multiple IP addresses on one interface.
+#
+#  If you want the server to listen on additional addresses, or on
+#  additionnal ports, you can use multiple "listen" sections.
+#
+#  Each section make the server listen for only one type of packet,
+#  therefore authentication and accounting have to be configured in
+#  different sections.
+#
+#  The server ignore all "listen" section if you are using '-i' and '-p'
+#  on the command line.
+}
+# auth 
+listen \{
+    type = auth
+{
+        #  ipaddr/ipv4addr/ipv6addr - IP address on which to listen.
+        #  Out of several options the first one will be used.
+        #
+        #  Allowed values are:
+        #       IPv4 address (e.g. 1.2.3.4, for ipv4addr/ipaddr)
+        #       IPv6 address (e.g. 2001:db8::1, for ipv6addr/ipaddr)
+        #       hostname     (radius.example.com,
+        #                       A record for ipv4addr,
+        #                       AAAA record for ipv6addr,
+        #                       A or AAAA record for ipaddr)
+        #       wildcard     (*)
+        #
+        # ipv4addr = *
+        # ipv6addr = *
+}
+    ipaddr = *
+    port = 0
+#   interface = eth0
+#   clients = per_socket_clients
+{
+        #
+        #  Connection limiting for sockets with "proto = tcp".
+        #
+        #  This section is ignored for other kinds of sockets.
+        #
+}        limit \{
+{              
+             #
+              #  Limit the number of simultaneous TCP connections to the socket
+              #
+              #  The default is 16.
+              #  Setting this to 0 means "no limit"
+}              max_connections = 16
+{
+              #  The per-socket "max_requests" option does not exist.
+
+              #
+              #  The lifetime, in seconds, of a TCP connection.  After
+              #  this lifetime, the connection will be closed.
+              #
+              #  Setting this to 0 means "forever".
+}              lifetime = 0
+{
+              #
+              #  The idle timeout, in seconds, of a TCP connection.
+              #  If no packets have been received over the connection for
+              #  this time, the connection will be closed.
+              #
+              #  Setting this to 0 means "no timeout".
+              #
+              #  We STRONGLY RECOMMEND that you set an idle timeout.
+              #
+}              idle_timeout = 30
+        \}
+
+\}
+
+#
+#  This second "listen" section is for listening on the accounting
+#  port, too.
+#
+listen \{
+    type = acct
+    ipaddr = *
+    port = 0
+\}
+
+
+
+
+
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization00init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization00init
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization00init        1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization00init    2008-10-07 13:37:19.000000000 -0400
@@ -0,0 +1,11 @@
+{
+#  Authorization. First preprocess (hints and huntgroups files),
+#  then realms, and finally look in the "users" file.
+#
+#  The order of the realm modules will determine the order that
+#  we try to find a matching realm.
+#
+#  Make *sure* that 'preprocess' comes before any realm if you 
+#  need to setup hints for the remote radius server
+}
+authorize \{
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization40default e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization40default
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization40default     1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization40default 2016-04-01 10:10:46.038000000 -0400
@@ -0,0 +1,102 @@
+{
+        #
+        #  Take a User-Name, and perform some checks on it, for spaces and other
+        #  invalid characters.  If the User-Name appears invalid, reject the
+        #  request.
+        #
+        #  See policy.d/filter for the definition of the filter_username policy.
+        #
+}        filter_username
+{
+       #  The preprocess module takes care of sanitizing some bizarre
+       #  attributes in the request, and turning them into attributes
+       #  which are more standard.
+       #
+       #  It takes care of processing the 'raddb/hints' and the
+       #  'raddb/huntgroups' files.
+       #
+       #  It also adds the %\{Client-IP-Address\} attribute to the request.
+}      preprocess
+{      
+       #  If you are using multiple kinds of realms, you probably
+       #  want to set "ignore_null = yes" for all of them.
+       #  Otherwise, when the first style of realm doesn't match,
+       #  the other styles won't be checked.
+}      suffix
+       ntdomain
+{      
+       #  This module takes care of EAP-PEAP authentication.
+       #
+       #  It also sets the EAP-Type attribute in the request
+       #  attribute list to the EAP type from the packet.
+}      eap \{
+                ok = return
+        \}
+
+{
+       #  If the users are logging in with an MS-CHAP-Challenge
+       #  attribute for authentication, the mschap module will find
+       #  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
+       #  to the request, which will cause the server to then use
+       #  the mschap module for authentication.
+}      mschap
+{      
+       #  If you are using /etc/smbpasswd, and are also doing
+       #  mschap authentication, the un-comment this line, and
+       #  configure the 'smbpasswd' module, above.
+        ( $ldap{Authentication} || 'disabled' ) eq 'enabled' ? 'ldap' : 'smbpasswd';
+}
+
+{
+        #
+        #  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
+        #  using the system API's to get the password.  If you want
+        #  to read /etc/passwd or /etc/shadow directly, see the
+        #  passwd module in radiusd.conf.
+        #
+}#       unix
+
+       
+{      
+       #  Read the 'users' file
+}      files
+
+{
+        #
+        #  Look in an SQL database.  The schema of the database
+        #  is meant to mirror the "users" file.
+        #
+        #  See "Authorization Queries" in sql.conf
+}        -sql
+{
+        #
+        #  If you are using /etc/smbpasswd, and are also doing
+        #  mschap authentication, the un-comment this line, and
+        #  configure the 'smbpasswd' module.
+}#       smbpasswd
+{
+        #
+        #  The ldap module reads passwords from the LDAP database.
+}        -ldap
+
+{        #
+        #  Enforce daily limits on time spent logged in.
+#       daily
+
+        #
+}        expiration
+        logintime
+{
+        #
+        #  If no other module has claimed responsibility for
+        #  authentication, then try to use PAP.  This allows the
+        #  other modules listed above to add a "known good" password
+        #  to the request, and to do nothing else.  The PAP module
+        #  will then see that password, and use it to do PAP
+        #  authentication.
+        #
+        #  This module should be listed last, so that the other modules
+        #  get a chance to set Auth-Type for themselves.
+        #
+}        pap
+
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization99end
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization99end 1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization99end     2008-10-07 13:37:19.000000000 -0400
@@ -0,0 +1 @@
+\}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate00setup e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate00setup
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate00setup        1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate00setup    2008-10-07 13:37:19.000000000 -0400
@@ -0,0 +1,5 @@
+{
+    my @authModules = '';
+    $OUT = '';
+}
+
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate10AuthMsChap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate10AuthMsChap
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate10AuthMsChap   1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate10AuthMsChap       2008-10-07 13:37:19.000000000 -0400
@@ -0,0 +1,5 @@
+{
+    push(@authModules, "\tAuth-Type MS-CHAP\{\n\t\tmschap\n\t\}\n");
+    $OUT = '';
+}
+
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate15ldap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate15ldap
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate15ldap 1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate15ldap     2013-02-13 18:00:55.000000000 -0500
@@ -0,0 +1,5 @@
+{
+    push(@authModules, "\tAuth-Type LDAP\{\n\t\tldap\n\t\}\n");
+    $OUT = '';
+}
+
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate20authEap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate20authEap
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate20authEap      1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate20authEap  2008-10-07 13:37:19.000000000 -0400
@@ -0,0 +1,4 @@
+{
+    push(@authModules, "\teap\n");
+    $OUT = '';
+}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate99process e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate99process
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate99process      1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate99process  2008-10-07 13:37:19.000000000 -0400
@@ -0,0 +1,23 @@
+{
+#  Authentication.
+#
+#  This section lists which modules are available for authentication.
+#  Note that it does NOT mean 'try each module in order'.  It means
+#  that a module from the 'authorize' section adds a configuration
+#  attribute 'Auth-Type := FOO'.  That authentication type is then
+#  used to pick the apropriate module from the list below.
+#
+#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
+#  will figure it out on its own, and will do the right thing.  The
+#  most common side effect of erroneously setting the Auth-Type
+#  attribute is that one authentication method will work, but the
+#  others will not.
+#
+#  The common reasons to set the Auth-Type attribute by hand
+#  is to either forcibly reject the user, or forcibly accept him.
+
+    $OUT = "authenticate \{\n";
+    $OUT .= "$_\n" foreach @authModules;
+    $OUT .= "\}\n";
+
+}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/55preacct e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/55preacct
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/55preacct    1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/55preacct        2016-04-01 11:06:09.665000000 -0400
@@ -0,0 +1,47 @@
+{
+#
+#  Pre-accounting.  Decide which accounting type to use.
+#
+}preacct \{
+       preprocess
+{
+        #
+        #  Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets
+        #  into a single 64bit counter Acct-[Input|Output]-Octets64.
+        #
+}#       acct_counters64
+{
+        #
+        #  Session start times are *implied* in RADIUS.
+        #  The NAS never sends a "start time".  Instead, it sends
+        #  a start packet, *possibly* with an Acct-Delay-Time.
+        #  The server is supposed to conclude that the start time
+        #  was "Acct-Delay-Time" seconds in the past.
+        #
+        #  The code below creates an explicit start time, which can
+        #  then be used in other modules.  It will be *mostly* correct.
+        #  Any errors are due to the 1-second resolution of RADIUS,
+        #  and the possibility that the time on the NAS may be off.
+        #
+        #  The start time is: NOW - delay - session_length
+        #
+}
+#       update request {
+#               FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
+#       }
+
+{
+        #
+        #  Ensure that we have a semi-unique identifier for every
+        #  request, and many NAS boxes are broken.
+}
+       
+        acct_unique
+{
+       #  Accounting requests are generally proxied to the same
+       #  home server as authentication requests.
+}      suffix
+       ntdomain
+        files
+
+\}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting00init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting00init
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting00init   1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting00init       2008-10-07 13:37:19.000000000 -0400
@@ -0,0 +1,5 @@
+{
+#
+#  Accounting.  Log the accounting data.
+#
+}accounting \{
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting40default e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting40default
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting40default        1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting40default    2008-10-07 13:37:19.000000000 -0400
@@ -0,0 +1,5 @@
+{      #
+       #  Create a 'detail'ed log of the packets.
+       #  Note that accounting requests which are proxied
+       #  are also logged in the detail file.
+}      detail
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting99end
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting99end    1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting99end        2008-10-07 13:37:19.000000000 -0400
@@ -0,0 +1 @@
+\}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session00init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session00init
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session00init      1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session00init  2016-04-01 11:13:35.135000000 -0400
@@ -0,0 +1,6 @@
+{
+#  Session database, used for checking Simultaneous-Use. Either the radutmp
+#  or rlm_sql module can handle this.
+#  The rlm_sql module is *much* faster
+}session \{
+
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session99end
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session99end       1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session99end   2016-04-01 11:13:53.209000000 -0400
@@ -0,0 +1 @@
+\}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth00init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth00init
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth00init     1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth00init 2016-04-01 11:14:55.538000000 -0400
@@ -0,0 +1,8 @@
+{
+#  Post-Authentication
+#  Once we KNOW that the user has been authenticated, there are
+#  additional steps we can take.
+}post-auth \{
+        #  Get an address from the IP Pool.
+#       main_pool
+
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth99end
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth99end      1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth99end  2016-04-01 11:16:54.094000000 -0400
@@ -0,0 +1,26 @@
+{
+        #  Remove reply message if the response contains an EAP-Message
+}        remove_reply_message_if_eap
+{
+        #
+        #  Access-Reject packets are sent through the REJECT sub-section of the
+        #  post-auth section.
+        #
+        #  Add the ldap module name (or instance) if you have set
+        #  'edir_account_policy_check = yes' in the ldap module configuration
+        #
+}        Post-Auth-Type REJECT \{
+                # log failed authentications in SQL, too.
+                #-sql
+                attr_filter.access_reject
+
+                # Insert EAP-Failure message if the request was
+                # rejected by policy instead of because of an
+                # authentication failure
+                eap
+
+                #  Remove reply message if the response contains an EAP-Message
+                remove_reply_message_if_eap
+        \}
+\}
+
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/85preproxy e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/85preproxy
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/85preproxy   1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/85preproxy       2016-04-01 11:18:35.647000000 -0400
@@ -0,0 +1,28 @@
+pre-proxy \{
+{
+        # Before proxing the request add an Operator-Name attribute identifying
+        # if the operator-name is found for this client.
+        # No need to uncomment this if you have already enabled this in
+        # the authorize section.
+}#       operator-name
+{
+        #  The client requests the CUI by sending a CUI attribute
+        #  containing one zero byte.
+        #  Uncomment the line below if *requesting* the CUI.
+}#       cui
+{
+        #  Uncomment the following line if you want to change attributes
+        #  as defined in the preproxy_users file.
+}#       files
+{
+        #  Uncomment the following line if you want to filter requests
+        #  sent to remote servers based on the rules defined in the
+        #  'attrs.pre-proxy' file.
+}#       attr_filter.pre-proxy
+{
+        #  If you want to have a log of packets proxied to a home
+        #  server, un-comment the following line, and the
+        #  'detail pre_proxy_log' section, above.
+}#       pre_proxy_log
+\}
+
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/90postproxy e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/90postproxy
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/90postproxy  1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/90postproxy      2016-04-01 11:20:52.751000000 -0400
@@ -0,0 +1,54 @@
+{
+#
+#  When the server receives a reply to a request it proxied
+#  to a home server, the request may be massaged here, in the
+#  post-proxy stage.
+#
+}
+post-proxy \{
+{
+        #  If you want to have a log of replies from a home server,
+        #  un-comment the following line, and the 'detail post_proxy_log'
+        #  section, above.
+}#       post_proxy_log
+{
+        #  Uncomment the following line if you want to filter replies from
+        #  remote proxies based on the rules defined in the 'attrs' file.
+}#       attr_filter.post-proxy
+{
+        #
+        #  If you are proxying LEAP, you MUST configure the EAP
+        #  module, and you MUST list it here, in the post-proxy
+        #  stage.
+        #
+        #  You MUST also use the 'nostrip' option in the 'realm'
+        #  configuration.  Otherwise, the User-Name attribute
+        #  in the proxied request will not match the user name
+        #  hidden inside of the EAP packet, and the end server will
+        #  reject the EAP request.
+        #
+}        eap
+{
+        #
+        #  If the server tries to proxy a request and fails, then the
+        #  request is processed through the modules in this section.
+        #
+        #  The main use of this section is to permit robust proxying
+        #  of accounting packets.  The server can be configured to
+        #  proxy accounting packets as part of normal processing.
+        #  Then, if the home server goes down, accounting packets can
+        #  be logged to a local "detail" file, for processing with
+        #  radrelay.  When the home server comes back up, radrelay
+        #  will read the detail file, and send the packets to the
+        #  home server.
+        #
+        #  With this configuration, the server always responds to
+        #  Accounting-Requests from the NAS, but only writes
+        #  accounting packets to disk if the home server is down.
+        #
+}#       Post-Proxy-Type Fail \{
+#                       detail
+#       \}
+\}
+
+
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/99end
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/99end        1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/99end    2016-04-01 09:40:43.175000000 -0400
@@ -0,0 +1,7 @@
+
+\}
+{
+#
+#end of default server
+#
+}