1 |
unnilennium |
1.1 |
diff -Nur e-smith-radiusd-2.6.0.old/createlinks e-smith-radiusd-2.6.0/createlinks |
2 |
|
|
--- e-smith-radiusd-2.6.0.old/createlinks 2016-02-05 16:34:10.000000000 -0500 |
3 |
|
|
+++ e-smith-radiusd-2.6.0/createlinks 2016-04-01 12:42:04.837000000 -0400 |
4 |
|
|
@@ -24,7 +24,9 @@ |
5 |
|
|
|
6 |
|
|
foreach (qw( |
7 |
|
|
raddb/clients.conf |
8 |
|
|
- raddb/eap.conf |
9 |
|
|
+ raddb/mods-available/eap |
10 |
|
|
+ raddb/mods-available/ldap |
11 |
|
|
+ raddb/sites-available/default |
12 |
|
|
raddb/proxy.conf |
13 |
|
|
radiusclient-ng/servers)) |
14 |
|
|
{ |
15 |
|
|
@@ -33,7 +35,7 @@ |
16 |
|
|
console-save |
17 |
|
|
domain-modify |
18 |
|
|
remoteaccess-update |
19 |
|
|
- ldap-update |
20 |
|
|
+ ldap-update |
21 |
|
|
)); |
22 |
|
|
} |
23 |
|
|
|
24 |
|
|
@@ -46,7 +48,7 @@ |
25 |
|
|
console-save |
26 |
|
|
domain-modify |
27 |
|
|
remoteaccess-update |
28 |
|
|
- ldap-update |
29 |
|
|
+ ldap-update |
30 |
|
|
)); |
31 |
|
|
} |
32 |
|
|
|
33 |
|
|
@@ -68,3 +70,9 @@ |
34 |
|
|
|
35 |
|
|
safe_symlink("../daemontools", "root/etc/rc.d/init.d/supervise/radiusd"); |
36 |
|
|
service_link_enhanced("radiusd", "S90", "7"); |
37 |
|
|
+ |
38 |
|
|
+# activate modules |
39 |
|
|
+#safe_symlink("../mods-available/realm", "root/etc/raddb/mods-enabled/realm"); |
40 |
|
|
+safe_symlink("../mods-available/ldap", "root/etc/raddb/mods-enabled/ldap"); |
41 |
|
|
+safe_symlink("../mods-available/smbpasswd", "root/etc/raddb/mods-enabled/smbpasswd"); |
42 |
|
|
+ |
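Review bot: The new `safe_symlink` calls enable `mods-enabled/ldap` and `mods-enabled/smbpasswd`, yet the template list in the first hunk only registers `raddb/mods-available/eap`, `raddb/mods-available/ldap` and `raddb/sites-available/default`, so `smbpasswd` runs with whatever the stock module file contains and no `mods-enabled/eap` link is created here at all; if the distribution package is relied on for both, say so, e.g. `# activate modules (eap and the stock smbpasswd config come from the freeradius package)`. The commented-out `realm` symlink is dead code in a build script and is better deleted than carried along. The second and third hunks only change the whitespace of `ldap-update` and add noise to the history; either drop them or note why the indentation changed.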
43 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/clients.conf/10localhost e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/clients.conf/10localhost |
44 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/clients.conf/10localhost 2008-10-07 13:37:19.000000000 -0400 |
45 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/clients.conf/10localhost 2016-04-01 11:45:59.890000000 -0400 |
46 |
|
|
@@ -46,7 +46,7 @@ |
47 |
|
|
# other # for all other types |
48 |
|
|
|
49 |
|
|
# |
50 |
|
|
-} nastype = other |
51 |
|
|
+} nas_type = other |
52 |
|
|
{ |
53 |
|
|
# |
54 |
|
|
# The following two configurations are for future use. |
55 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/10eap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/10eap |
56 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/10eap 2005-06-11 14:24:39.000000000 -0400 |
57 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/10eap 1969-12-31 19:00:00.000000000 -0500 |
58 |
|
|
@@ -1 +0,0 @@ |
59 |
|
|
-eap \{ |
60 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/15defaultType e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/15defaultType |
61 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/15defaultType 2005-06-11 14:24:51.000000000 -0400 |
62 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/15defaultType 1969-12-31 19:00:00.000000000 -0500 |
63 |
|
|
@@ -1,14 +0,0 @@ |
64 |
|
|
-{ |
65 |
|
|
- # Invoke the default supported EAP type when |
66 |
|
|
- # EAP-Identity response is received. |
67 |
|
|
- # |
68 |
|
|
- # The incoming EAP messages DO NOT specify which EAP |
69 |
|
|
- # type they will be using, so it MUST be set here. |
70 |
|
|
- # |
71 |
|
|
- # For now, only one default EAP type may be used at a time. |
72 |
|
|
- # |
73 |
|
|
- # If the EAP-Type attribute is set by another module, |
74 |
|
|
- # then that EAP type takes precedence over the |
75 |
|
|
- # default type configured here. |
76 |
|
|
- # |
77 |
|
|
-} default_eap_type = peap |
78 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/20timerExpire e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/20timerExpire |
79 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/20timerExpire 2005-06-11 14:24:56.000000000 -0400 |
80 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/20timerExpire 1969-12-31 19:00:00.000000000 -0500 |
81 |
|
|
@@ -1,7 +0,0 @@ |
82 |
|
|
-{ |
83 |
|
|
- # A list is maintained to correlate EAP-Response |
84 |
|
|
- # packets with EAP-Request packets. After a |
85 |
|
|
- # configurable length of time, entries in the list |
86 |
|
|
- # expire, and are deleted. |
87 |
|
|
- # |
88 |
|
|
-} timer_expire = 60 |
89 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/25ignoreUnknown e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/25ignoreUnknown |
90 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/25ignoreUnknown 2005-06-11 14:25:19.000000000 -0400 |
91 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/25ignoreUnknown 1969-12-31 19:00:00.000000000 -0500 |
92 |
|
|
@@ -1,14 +0,0 @@ |
93 |
|
|
-{ |
94 |
|
|
- # There are many EAP types, but the server has support |
95 |
|
|
- # for only a limited subset. If the server receives |
96 |
|
|
- # a request for an EAP type it does not support, then |
97 |
|
|
- # it normally rejects the request. By setting this |
98 |
|
|
- # configuration to "yes", you can tell the server to |
99 |
|
|
- # instead keep processing the request. Another module |
100 |
|
|
- # MUST then be configured to proxy the request to |
101 |
|
|
- # another RADIUS server which supports that EAP type. |
102 |
|
|
- # |
103 |
|
|
- # If another module is NOT configured to handle the |
104 |
|
|
- # request, then the request will still end up being |
105 |
|
|
- # rejected. |
106 |
|
|
-} ignore_unknown_eap_types = no |
107 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/30ciscoBug e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/30ciscoBug |
108 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/30ciscoBug 2005-06-11 14:25:22.000000000 -0400 |
109 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/30ciscoBug 1969-12-31 19:00:00.000000000 -0500 |
110 |
|
|
@@ -1,8 +0,0 @@ |
111 |
|
|
-{ |
112 |
|
|
- # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given |
113 |
|
|
- # a User-Name attribute in an Access-Accept, it copies one |
114 |
|
|
- # more byte than it should. |
115 |
|
|
- # |
116 |
|
|
- # We can work around it by configurably adding an extra |
117 |
|
|
- # zero byte. |
118 |
|
|
-} cisco_accounting_username_bug = no |
119 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/35tls e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/35tls |
120 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/35tls 2005-06-13 12:12:02.000000000 -0400 |
121 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/35tls 1969-12-31 19:00:00.000000000 -0500 |
122 |
|
|
@@ -1,64 +0,0 @@ |
123 |
|
|
-{ |
124 |
|
|
- ## EAP-TLS |
125 |
|
|
- # |
126 |
|
|
- # To generate ctest certificates, run the script |
127 |
|
|
- # |
128 |
|
|
- # ../scripts/certs.sh |
129 |
|
|
- # |
130 |
|
|
- # The documents on http://www.freeradius.org/doc |
131 |
|
|
- # are old, but may be helpful. |
132 |
|
|
- # |
133 |
|
|
- # See also: |
134 |
|
|
- # |
135 |
|
|
- # http://www.dslreports.com/forum/remark,9286052~mode=flat |
136 |
|
|
- # |
137 |
|
|
-} |
138 |
|
|
- tls \{ |
139 |
|
|
- private_key_password = whatever |
140 |
|
|
- private_key_file = $\{raddbdir\}/certs/radiusd.pem |
141 |
|
|
- certificate_file = $\{raddbdir\}/certs/radiusd.pem |
142 |
|
|
- CA_file = $\{raddbdir\}/certs/radiusd.pem |
143 |
|
|
- dh_file = $\{raddbdir\}/certs/dh |
144 |
|
|
- random_file = $\{raddbdir\}/certs/random |
145 |
|
|
-{ |
146 |
|
|
- # |
147 |
|
|
- # This can never exceed the size of a RADIUS |
148 |
|
|
- # packet (4096 bytes), and is preferably half |
149 |
|
|
- # that, to accomodate other attributes in |
150 |
|
|
- # RADIUS packet. On most APs the MAX packet |
151 |
|
|
- # length is configured between 1500 - 1600 |
152 |
|
|
- # In these cases, fragment size should be |
153 |
|
|
- # 1024 or less. |
154 |
|
|
- # |
155 |
|
|
-} #fragment_size = 1024 |
156 |
|
|
-{ |
157 |
|
|
- # include_length is a flag which is |
158 |
|
|
- # by default set to yes If set to |
159 |
|
|
- # yes, Total Length of the message is |
160 |
|
|
- # included in EVERY packet we send. |
161 |
|
|
- # If set to no, Total Length of the |
162 |
|
|
- # message is included ONLY in the |
163 |
|
|
- # First packet of a fragment series. |
164 |
|
|
- # |
165 |
|
|
-} #include_length = yes |
166 |
|
|
-{ |
167 |
|
|
- # Check the Certificate Revocation List |
168 |
|
|
- # |
169 |
|
|
- # 1) Copy CA certificates and CRLs to same directory. |
170 |
|
|
- # 2) Execute 'c_rehash <CA certs&CRLs Directory>'. |
171 |
|
|
- # 'c_rehash' is OpenSSL's command. |
172 |
|
|
- # 3) Add 'CA_path=<CA certs&CRLs directory>' |
173 |
|
|
- # to radiusd.conf's tls section. |
174 |
|
|
- # 4) uncomment the line below. |
175 |
|
|
- # 5) Restart radiusd |
176 |
|
|
-} #check_crl = yes |
177 |
|
|
-{ |
178 |
|
|
- # |
179 |
|
|
- # If check_cert_cn is set, the value will |
180 |
|
|
- # be xlat'ed and checked against the CN |
181 |
|
|
- # in the client certificate. If the values |
182 |
|
|
- # do not match, the certificate verification |
183 |
|
|
- # will fail rejecting the user. |
184 |
|
|
- # |
185 |
|
|
-} #check_cert_cn = %\{User-Name\} |
186 |
|
|
- \} |
187 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/40peap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/40peap |
188 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/40peap 2005-06-11 14:25:31.000000000 -0400 |
189 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/40peap 1969-12-31 19:00:00.000000000 -0500 |
190 |
|
|
@@ -1,26 +0,0 @@ |
191 |
|
|
-{ |
192 |
|
|
- # |
193 |
|
|
- # The tunneled EAP session needs a default EAP type |
194 |
|
|
- # which is separate from the one for the non-tunneled |
195 |
|
|
- # EAP module. Inside of the TLS/PEAP tunnel, we |
196 |
|
|
- # recommend using EAP-MS-CHAPv2. |
197 |
|
|
- # |
198 |
|
|
- # The PEAP module needs the TLS module to be installed |
199 |
|
|
- # and configured, in order to use the TLS tunnel |
200 |
|
|
- # inside of the EAP packet. You will still need to |
201 |
|
|
- # configure the TLS module, even if you do not want |
202 |
|
|
- # to deploy EAP-TLS in your network. Users will not |
203 |
|
|
- # be able to request EAP-TLS, as it requires them to |
204 |
|
|
- # have a client certificate. EAP-PEAP does not |
205 |
|
|
- # require a client certificate. |
206 |
|
|
- # |
207 |
|
|
-} |
208 |
|
|
- peap \{ |
209 |
|
|
-{ # The tunneled EAP session needs a default |
210 |
|
|
- # EAP type which is separate from the one for |
211 |
|
|
- # the non-tunneled EAP module. Inside of the |
212 |
|
|
- # PEAP tunnel, we recommend using MS-CHAPv2, |
213 |
|
|
- # as that is the default type supported by |
214 |
|
|
- # Windows clients. |
215 |
|
|
-} default_eap_type = mschapv2 |
216 |
|
|
- \} |
217 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/45mschapv2 e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/45mschapv2 |
218 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/45mschapv2 2005-06-11 14:25:34.000000000 -0400 |
219 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/45mschapv2 1969-12-31 19:00:00.000000000 -0500 |
220 |
|
|
@@ -1,18 +0,0 @@ |
221 |
|
|
-{ |
222 |
|
|
- # |
223 |
|
|
- # This takes no configuration. |
224 |
|
|
- # |
225 |
|
|
- # Note that it is the EAP MS-CHAPv2 sub-module, not |
226 |
|
|
- # the main 'mschap' module. |
227 |
|
|
- # |
228 |
|
|
- # Note also that in order for this sub-module to work, |
229 |
|
|
- # the main 'mschap' module MUST ALSO be configured. |
230 |
|
|
- # |
231 |
|
|
- # This module is the *Microsoft* implementation of MS-CHAPv2 |
232 |
|
|
- # in EAP. There is another (incompatible) implementation |
233 |
|
|
- # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not |
234 |
|
|
- # currently support. |
235 |
|
|
- # |
236 |
|
|
-} |
237 |
|
|
- mschapv2 \{ |
238 |
|
|
- \} |
239 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/99end |
240 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/99end 2005-06-11 14:25:39.000000000 -0400 |
241 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/99end 1969-12-31 19:00:00.000000000 -0500 |
242 |
|
|
@@ -1 +0,0 @@ |
243 |
|
|
-\} |
244 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/10eap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/10eap |
245 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/10eap 1969-12-31 19:00:00.000000000 -0500 |
246 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/10eap 2005-06-11 14:24:39.000000000 -0400 |
247 |
|
|
@@ -0,0 +1 @@ |
248 |
|
|
+eap \{ |
249 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/15defaultType e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/15defaultType |
250 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/15defaultType 1969-12-31 19:00:00.000000000 -0500 |
251 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/15defaultType 2005-06-11 14:24:51.000000000 -0400 |
252 |
|
|
@@ -0,0 +1,14 @@ |
253 |
|
|
+{ |
254 |
|
|
+ # Invoke the default supported EAP type when |
255 |
|
|
+ # EAP-Identity response is received. |
256 |
|
|
+ # |
257 |
|
|
+ # The incoming EAP messages DO NOT specify which EAP |
258 |
|
|
+ # type they will be using, so it MUST be set here. |
259 |
|
|
+ # |
260 |
|
|
+ # For now, only one default EAP type may be used at a time. |
261 |
|
|
+ # |
262 |
|
|
+ # If the EAP-Type attribute is set by another module, |
263 |
|
|
+ # then that EAP type takes precedence over the |
264 |
|
|
+ # default type configured here. |
265 |
|
|
+ # |
266 |
|
|
+} default_eap_type = peap |
267 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/20timerExpire e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/20timerExpire |
268 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/20timerExpire 1969-12-31 19:00:00.000000000 -0500 |
269 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/20timerExpire 2005-06-11 14:24:56.000000000 -0400 |
270 |
|
|
@@ -0,0 +1,7 @@ |
271 |
|
|
+{ |
272 |
|
|
+ # A list is maintained to correlate EAP-Response |
273 |
|
|
+ # packets with EAP-Request packets. After a |
274 |
|
|
+ # configurable length of time, entries in the list |
275 |
|
|
+ # expire, and are deleted. |
276 |
|
|
+ # |
277 |
|
|
+} timer_expire = 60 |
278 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/25ignoreUnknown e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/25ignoreUnknown |
279 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/25ignoreUnknown 1969-12-31 19:00:00.000000000 -0500 |
280 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/25ignoreUnknown 2005-06-11 14:25:19.000000000 -0400 |
281 |
|
|
@@ -0,0 +1,14 @@ |
282 |
|
|
+{ |
283 |
|
|
+ # There are many EAP types, but the server has support |
284 |
|
|
+ # for only a limited subset. If the server receives |
285 |
|
|
+ # a request for an EAP type it does not support, then |
286 |
|
|
+ # it normally rejects the request. By setting this |
287 |
|
|
+ # configuration to "yes", you can tell the server to |
288 |
|
|
+ # instead keep processing the request. Another module |
289 |
|
|
+ # MUST then be configured to proxy the request to |
290 |
|
|
+ # another RADIUS server which supports that EAP type. |
291 |
|
|
+ # |
292 |
|
|
+ # If another module is NOT configured to handle the |
293 |
|
|
+ # request, then the request will still end up being |
294 |
|
|
+ # rejected. |
295 |
|
|
+} ignore_unknown_eap_types = no |
296 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/30ciscoBug e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/30ciscoBug |
297 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/30ciscoBug 1969-12-31 19:00:00.000000000 -0500 |
298 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/30ciscoBug 2005-06-11 14:25:22.000000000 -0400 |
299 |
|
|
@@ -0,0 +1,8 @@ |
300 |
|
|
+{ |
301 |
|
|
+ # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given |
302 |
|
|
+ # a User-Name attribute in an Access-Accept, it copies one |
303 |
|
|
+ # more byte than it should. |
304 |
|
|
+ # |
305 |
|
|
+ # We can work around it by configurably adding an extra |
306 |
|
|
+ # zero byte. |
307 |
|
|
+} cisco_accounting_username_bug = no |
308 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/35tlscommon e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/35tlscommon |
309 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/35tlscommon 1969-12-31 19:00:00.000000000 -0500 |
310 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/35tlscommon 2016-04-01 12:02:53.346000000 -0400 |
311 |
|
|
@@ -0,0 +1,130 @@ |
312 |
|
|
+{ |
313 |
|
|
+ ## EAP-TLS |
314 |
|
|
+ # |
315 |
|
|
+ # To generate ctest certificates, run the script |
316 |
|
|
+ # |
317 |
|
|
+ # ../scripts/certs.sh |
318 |
|
|
+ # |
319 |
|
|
+ # The documents on http://www.freeradius.org/doc |
320 |
|
|
+ # are old, but may be helpful. |
321 |
|
|
+ # |
322 |
|
|
+ # See also: |
323 |
|
|
+ # |
324 |
|
|
+ # http://www.dslreports.com/forum/remark,9286052~mode=flat |
325 |
|
|
+ # |
326 |
|
|
+ # Note that you should NOT use a globally known CA here! |
327 |
|
|
+ # e.g. using a Verisign cert as a "known CA" means that |
328 |
|
|
+ # ANYONE who has a certificate signed by them can |
329 |
|
|
+ # authenticate via EAP-TLS! This is likely not what you want. |
330 |
|
|
+} |
331 |
|
|
+ tls-config tls-common \{ |
332 |
|
|
+ private_key_password = whatever |
333 |
|
|
+ private_key_file = $\{raddbdir\}/certs/radiusd.pem |
334 |
|
|
+ certificate_file = $\{raddbdir\}/certs/radiusd.pem |
335 |
|
|
+ ca_file = $\{raddbdir\}/certs/radiusd.pem |
336 |
|
|
+ dh_file = $\{raddbdir\}/certs/dh |
337 |
|
|
+ random_file = $\{raddbdir\}/certs/random |
338 |
|
|
+{ |
339 |
|
|
+ # |
340 |
|
|
+ # This can never exceed the size of a RADIUS |
341 |
|
|
+ # packet (4096 bytes), and is preferably half |
342 |
|
|
+ # that, to accomodate other attributes in |
343 |
|
|
+ # RADIUS packet. On most APs the MAX packet |
344 |
|
|
+ # length is configured between 1500 - 1600 |
345 |
|
|
+ # In these cases, fragment size should be |
346 |
|
|
+ # 1024 or less. |
347 |
|
|
+ # |
348 |
|
|
+} #fragment_size = 1024 |
349 |
|
|
+{ |
350 |
|
|
+ # include_length is a flag which is |
351 |
|
|
+ # by default set to yes If set to |
352 |
|
|
+ # yes, Total Length of the message is |
353 |
|
|
+ # included in EVERY packet we send. |
354 |
|
|
+ # If set to no, Total Length of the |
355 |
|
|
+ # message is included ONLY in the |
356 |
|
|
+ # First packet of a fragment series. |
357 |
|
|
+ # |
358 |
|
|
+} #include_length = yes |
359 |
|
|
+{ |
360 |
|
|
+ # Check the Certificate Revocation List |
361 |
|
|
+ # |
362 |
|
|
+ # 1) Copy CA certificates and CRLs to same directory. |
363 |
|
|
+ # 2) Execute 'c_rehash <CA certs&CRLs Directory>'. |
364 |
|
|
+ # 'c_rehash' is OpenSSL's command. |
365 |
|
|
+ # 3) Add 'CA_path=<CA certs&CRLs directory>' |
366 |
|
|
+ # to radiusd.conf's tls section. |
367 |
|
|
+ # 4) uncomment the line below. |
368 |
|
|
+ # 5) Restart radiusd |
369 |
|
|
+} #check_crl = yes |
370 |
|
|
+{ |
371 |
|
|
+ # |
372 |
|
|
+ # If check_cert_cn is set, the value will |
373 |
|
|
+ # be xlat'ed and checked against the CN |
374 |
|
|
+ # in the client certificate. If the values |
375 |
|
|
+ # do not match, the certificate verification |
376 |
|
|
+ # will fail rejecting the user. |
377 |
|
|
+ # |
378 |
|
|
+} #check_cert_cn = %\{User-Name\} |
379 |
|
|
+{ |
380 |
|
|
+ # |
381 |
|
|
+ # Set this option to specify the allowed |
382 |
|
|
+ # TLS cipher suites. The format is listed |
383 |
|
|
+ # in "man 1 ciphers". |
384 |
|
|
+} cipher_list = "DEFAULT" |
385 |
|
|
+{ |
386 |
|
|
+ # |
387 |
|
|
+ |
388 |
|
|
+ # |
389 |
|
|
+ # Elliptical cryptography configuration |
390 |
|
|
+ # |
391 |
|
|
+ # Only for OpenSSL >= 0.9.8.f |
392 |
|
|
+ # |
393 |
|
|
+} ecdh_curve = "prime256v1" |
394 |
|
|
+ |
395 |
|
|
+{ |
396 |
|
|
+ # |
397 |
|
|
+ # Session resumption / fast reauthentication |
398 |
|
|
+ # cache. |
399 |
|
|
+ # |
400 |
|
|
+ # The cache contains the following information: |
401 |
|
|
+ # |
402 |
|
|
+ # session Id - unique identifier, managed by SSL |
403 |
|
|
+ # User-Name - from the Access-Accept |
404 |
|
|
+ # Stripped-User-Name - from the Access-Request |
405 |
|
|
+ # Cached-Session-Policy - from the Access-Accept |
406 |
|
|
+ # |
407 |
|
|
+ # The "Cached-Session-Policy" is the name of a |
408 |
|
|
+ # policy which should be applied to the cached |
409 |
|
|
+ # session. This policy can be used to assign |
410 |
|
|
+ # VLANs, IP addresses, etc. It serves as a useful |
411 |
|
|
+ # way to re-apply the policy from the original |
412 |
|
|
+ # Access-Accept to the subsequent Access-Accept |
413 |
|
|
+ # for the cached session. |
414 |
|
|
+ # |
415 |
|
|
+ # On session resumption, these attributes are |
416 |
|
|
+ # copied from the cache, and placed into the |
417 |
|
|
+ # reply list. |
418 |
|
|
+ # |
419 |
|
|
+ # You probably also want "use_tunneled_reply = yes" |
420 |
|
|
+ # when using fast session resumption. |
421 |
|
|
+ # |
422 |
|
|
+} cache \{ |
423 |
|
|
+ enable = yes |
424 |
|
|
+ lifetime = 24 # hours |
425 |
|
|
+ max_entries = 255 |
426 |
|
|
+ \} |
427 |
|
|
+{ |
428 |
|
|
+ # |
429 |
|
|
+ # As of version 2.1.10, client certificates can be |
430 |
|
|
+ # validated via an external command. This allows |
431 |
|
|
+ # dynamic CRLs or OCSP to be used. |
432 |
|
|
+ # |
433 |
|
|
+ # This configuration is commented out in the |
434 |
|
|
+ # default configuration. Uncomment it, and configure |
435 |
|
|
+ # the correct paths below to enable it. |
436 |
|
|
+ # |
437 |
|
|
+} |
438 |
|
|
+ |
439 |
|
|
+ |
440 |
|
|
+ |
441 |
|
|
+ \} |
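Review bot: `cipher_list = "DEFAULT"` in the new `tls-config tls-common` section leaves cipher selection to the system OpenSSL policy and nothing pins a minimum TLS version, so the EAP tunnel accepts whatever the library still permits; since this template is generated on every installation, document the decision or constrain it (FreeRADIUS 3.0 also understands `tls_min_version`, if the packaged version supports it), e.g. `# cipher_list intentionally follows the OpenSSL defaults; tighten here for this deployment`. The section also carries `private_key_password = whatever` over from the old `35tls` template for the bundled `certs/radiusd.pem`, and `ca_file` points at that same file, which the "NOT use a globally known CA" comment does not explain; a one-line comment stating that these are the self-signed defaults to be replaced with site certificates would help. Finally, the last comment block ("As of version 2.1.10, client certificates can be validated via an external command…") is followed only by blank lines: the settings it describes were not carried over, so either restore them commented out or drop the orphaned explanation.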
442 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/37tls e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/37tls |
443 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/37tls 1969-12-31 19:00:00.000000000 -0500 |
444 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/37tls 2016-04-01 12:06:29.540000000 -0400 |
445 |
|
|
@@ -0,0 +1,21 @@ |
446 |
|
|
+{ |
447 |
|
|
+ ## EAP-TLS |
448 |
|
|
+ # |
449 |
|
|
+ # As of Version 3.0, the TLS configuration for TLS-based |
450 |
|
|
+ # EAP types is above in the "tls-config" section. |
451 |
|
|
+ # |
452 |
|
|
+} |
453 |
|
|
+ tls \{ |
454 |
|
|
+{ |
455 |
|
|
+ # Point to the common TLS configuration |
456 |
|
|
+} tls = tls-common |
457 |
|
|
+{ |
458 |
|
|
+ # |
459 |
|
|
+ # As part of checking a client certificate, the EAP-TLS |
460 |
|
|
+ # sets some attributes such as TLS-Client-Cert-CN. This |
461 |
|
|
+ # virtual server has access to these attributes, and can |
462 |
|
|
+ # be used to accept or reject the request. |
463 |
|
|
+ # |
464 |
|
|
+} # virtual_server = check-eap-tls |
465 |
|
|
+ \} |
466 |
|
|
+ |
467 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/39ttls e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/39ttls |
468 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/39ttls 1969-12-31 19:00:00.000000000 -0500 |
469 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/39ttls 2016-04-01 12:08:51.030000000 -0400 |
470 |
|
|
@@ -0,0 +1,90 @@ |
471 |
|
|
+{ |
472 |
|
|
+ ## EAP-TTLS |
473 |
|
|
+ # |
474 |
|
|
+ # The TTLS module implements the EAP-TTLS protocol, |
475 |
|
|
+ # which can be described as EAP inside of Diameter, |
476 |
|
|
+ # inside of TLS, inside of EAP, inside of RADIUS... |
477 |
|
|
+ # |
478 |
|
|
+ # Surprisingly, it works quite well. |
479 |
|
|
+ # |
480 |
|
|
+} ttls \{ |
481 |
|
|
+{ |
482 |
|
|
+ # Which tls-config section the TLS negotiation parameters |
483 |
|
|
+ # are in - see EAP-TLS above for an explanation. |
484 |
|
|
+ # |
485 |
|
|
+ # In the case that an old configuration from FreeRADIUS |
486 |
|
|
+ # v2.x is being used, all the options of the tls-config |
487 |
|
|
+ # section may also appear instead in the 'tls' section |
488 |
|
|
+ # above. If that is done, the tls= option here (and in |
489 |
|
|
+ # tls above) MUST be commented out. |
490 |
|
|
+ # |
491 |
|
|
+} tls = tls-common |
492 |
|
|
+{ |
493 |
|
|
+ # The tunneled EAP session needs a default EAP type |
494 |
|
|
+ # which is separate from the one for the non-tunneled |
495 |
|
|
+ # EAP module. Inside of the TTLS tunnel, we recommend |
496 |
|
|
+ # using EAP-MD5. If the request does not contain an |
497 |
|
|
+ # EAP conversation, then this configuration entry is |
498 |
|
|
+ # ignored. |
499 |
|
|
+ # |
500 |
|
|
+} default_eap_type = md5 |
501 |
|
|
+{ |
502 |
|
|
+ # The tunneled authentication request does not usually |
503 |
|
|
+ # contain useful attributes like 'Calling-Station-Id', |
504 |
|
|
+ # etc. These attributes are outside of the tunnel, |
505 |
|
|
+ # and normally unavailable to the tunneled |
506 |
|
|
+ # authentication request. |
507 |
|
|
+ # |
508 |
|
|
+ # By setting this configuration entry to 'yes', |
509 |
|
|
+ # any attribute which is NOT in the tunneled |
510 |
|
|
+ # authentication request, but which IS available |
511 |
|
|
+ # outside of the tunnel, is copied to the tunneled |
512 |
|
|
+ # request. |
513 |
|
|
+ # |
514 |
|
|
+ # allowed values: {no, yes} |
515 |
|
|
+ # |
516 |
|
|
+} copy_request_to_tunnel = no |
517 |
|
|
+{ |
518 |
|
|
+ # The reply attributes sent to the NAS are usually |
519 |
|
|
+ # based on the name of the user 'outside' of the |
520 |
|
|
+ # tunnel (usually 'anonymous'). If you want to send |
521 |
|
|
+ # the reply attributes based on the user name inside |
522 |
|
|
+ # of the tunnel, then set this configuration entry to |
523 |
|
|
+ # 'yes', and the reply to the NAS will be taken from |
524 |
|
|
+ # the reply to the tunneled request. |
525 |
|
|
+ # |
526 |
|
|
+ # allowed values: {no, yes} |
527 |
|
|
+ # |
528 |
|
|
+} use_tunneled_reply = no |
529 |
|
|
+{ |
530 |
|
|
+ # |
531 |
|
|
+ # The inner tunneled request can be sent |
532 |
|
|
+ # through a virtual server constructed |
533 |
|
|
+ # specifically for this purpose. |
534 |
|
|
+ # |
535 |
|
|
+ # If this entry is commented out, the inner |
536 |
|
|
+ # tunneled request will be sent through |
537 |
|
|
+ # the virtual server that processed the |
538 |
|
|
+ # outer requests. |
539 |
|
|
+ # |
540 |
|
|
+} virtual_server = "inner-tunnel" |
541 |
|
|
+{ |
542 |
|
|
+ # This has the same meaning, and overwrites, the |
543 |
|
|
+ # same field in the "tls" configuration, above. |
544 |
|
|
+ # The default value here is "yes". |
545 |
|
|
+ # |
546 |
|
|
+} # include_length = yes |
547 |
|
|
+{ |
548 |
|
|
+ # |
549 |
|
|
+ # Unlike EAP-TLS, EAP-TTLS does not require a client |
550 |
|
|
+ # certificate. However, you can require one by setting the |
551 |
|
|
+ # following option. You can also override this option by |
552 |
|
|
+ # setting |
553 |
|
|
+ # |
554 |
|
|
+ # EAP-TLS-Require-Client-Cert = Yes |
555 |
|
|
+ # |
556 |
|
|
+ # in the control items for a request. |
557 |
|
|
+ # |
558 |
|
|
+} # require_client_cert = yes |
559 |
|
|
+ \} |
560 |
|
|
+ |
561 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/40peap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/40peap |
562 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/40peap 1969-12-31 19:00:00.000000000 -0500 |
563 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/40peap 2016-04-01 12:04:44.387000000 -0400 |
564 |
|
|
@@ -0,0 +1,33 @@ |
565 |
|
|
+{ |
566 |
|
|
+ # |
567 |
|
|
+ # The tunneled EAP session needs a default EAP type |
568 |
|
|
+ # which is separate from the one for the non-tunneled |
569 |
|
|
+ # EAP module. Inside of the TLS/PEAP tunnel, we |
570 |
|
|
+ # recommend using EAP-MS-CHAPv2. |
571 |
|
|
+ # |
572 |
|
|
+ # The PEAP module needs the TLS module to be installed |
573 |
|
|
+ # and configured, in order to use the TLS tunnel |
574 |
|
|
+ # inside of the EAP packet. You will still need to |
575 |
|
|
+ # configure the TLS module, even if you do not want |
576 |
|
|
+ # to deploy EAP-TLS in your network. Users will not |
577 |
|
|
+ # be able to request EAP-TLS, as it requires them to |
578 |
|
|
+ # have a client certificate. EAP-PEAP does not |
579 |
|
|
+ # require a client certificate. |
580 |
|
|
+ # |
581 |
|
|
+} |
582 |
|
|
+ peap \{ |
583 |
|
|
+ tls = tls-common |
584 |
|
|
+ |
585 |
|
|
+{ # The tunneled EAP session needs a default |
586 |
|
|
+ # EAP type which is separate from the one for |
587 |
|
|
+ # the non-tunneled EAP module. Inside of the |
588 |
|
|
+ # PEAP tunnel, we recommend using MS-CHAPv2, |
589 |
|
|
+ # as that is the default type supported by |
590 |
|
|
+ # Windows clients. |
591 |
|
|
+} default_eap_type = mschapv2 |
592 |
|
|
+ |
593 |
|
|
+ |
594 |
|
|
+ copy_request_to_tunnel = no |
595 |
|
|
+ use_tunneled_reply = no |
596 |
|
|
+ |
597 |
|
|
+ \} |
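Review bot: The new `peap` section sets no `virtual_server`, whereas the `ttls` section added in this same change sets `virtual_server = "inner-tunnel"`; the ttls comment on this page states that without the entry the inner request is processed by the virtual server that handled the outer request, so the two tunnelled methods are inconsistent in where inner authentication runs. Add `virtual_server = "inner-tunnel"` after `default_eap_type = mschapv2` if `sites-enabled/inner-tunnel` exists in the deployed raddb (the createlinks change only registers a template for `sites-available/default`, so this needs confirming), or add a comment explaining why PEAP deliberately uses the outer server. The two blank `+` lines before `copy_request_to_tunnel = no` are stray whitespace inside the block.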
598 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/45mschapv2 e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/45mschapv2 |
599 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/45mschapv2 1969-12-31 19:00:00.000000000 -0500 |
600 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/45mschapv2 2005-06-11 14:25:34.000000000 -0400 |
601 |
|
|
@@ -0,0 +1,18 @@ |
602 |
|
|
+{ |
603 |
|
|
+ # |
604 |
|
|
+ # This takes no configuration. |
605 |
|
|
+ # |
606 |
|
|
+ # Note that it is the EAP MS-CHAPv2 sub-module, not |
607 |
|
|
+ # the main 'mschap' module. |
608 |
|
|
+ # |
609 |
|
|
+ # Note also that in order for this sub-module to work, |
610 |
|
|
+ # the main 'mschap' module MUST ALSO be configured. |
611 |
|
|
+ # |
612 |
|
|
+ # This module is the *Microsoft* implementation of MS-CHAPv2 |
613 |
|
|
+ # in EAP. There is another (incompatible) implementation |
614 |
|
|
+ # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not |
615 |
|
|
+ # currently support. |
616 |
|
|
+ # |
617 |
|
|
+} |
618 |
|
|
+ mschapv2 \{ |
619 |
|
|
+ \} |
620 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/99end |
621 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/99end 1969-12-31 19:00:00.000000000 -0500 |
622 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/99end 2005-06-11 14:25:39.000000000 -0400 |
623 |
|
|
@@ -0,0 +1 @@ |
624 |
|
|
+\} |
625 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/ldap/25modules30ldap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/ldap/25modules30ldap |
626 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/ldap/25modules30ldap 1969-12-31 19:00:00.000000000 -0500 |
627 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/ldap/25modules30ldap 2016-04-01 12:33:08.367000000 -0400 |
628 |
|
|
@@ -0,0 +1,291 @@ |
629 |
|
|
+{ |
630 |
|
|
+ |
631 |
|
|
+ use esmith::util; |
632 |
|
|
+ $OUT = ''; |
633 |
|
|
+ |
634 |
|
|
+ $pw = esmith::util::LdapPassword(); |
635 |
|
|
+ $base = esmith::util::ldapBase ($DomainName); |
636 |
|
|
+ |
637 |
|
|
+} ldap \{ |
638 |
|
|
+ server = "localhost" |
639 |
|
|
+ identity = "cn=root,{ $base }" |
640 |
|
|
+ password = { $pw } |
641 |
|
|
+ basedn = "{ $base }" |
642 |
|
|
+ filter = "(&(objectClass=posixAccount)(uid=%\{Stripped-User-Name:-%\{User-Name\}\}))" |
643 |
|
|
+ ldap_connections_number = 5 |
644 |
|
|
+ timeout = 4 |
645 |
|
|
+ timelimit = 3 |
646 |
|
|
+ net_timeout = 3 |
647 |
|
|
+ tls \{ |
648 |
|
|
+ start_tls = no |
649 |
|
|
+ \} |
650 |
|
|
+ groupname_attribute = cn |
651 |
|
|
+ groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%\{Stripped-User-Name:-%\{User-Name\}\}))" |
652 |
|
|
+ |
653 |
|
|
+ update \{ |
654 |
|
|
+ control:Password-With-Header += 'userPassword' |
655 |
|
|
+ |
656 |
|
|
+ \} |
657 |
|
|
+ user \{ |
658 |
|
|
+ # Where to start searching in the tree for users |
659 |
|
|
+# base_dn = "$\{..base_dn\}" |
660 |
|
|
+ |
661 |
|
|
+ # Filter for user objects, should be specific enough |
662 |
|
|
+ # to identify a single user object. |
663 |
|
|
+# filter = "(uid=%\{%\{Stripped-User-Name\}:-%\{User-Name\}\})" |
664 |
|
|
+ \} |
665 |
|
|
+ group \{ |
666 |
|
|
+ # Where to start searching in the tree for groups |
667 |
|
|
+# base_dn = "$\{..base_dn\}" |
668 |
|
|
+ |
669 |
|
|
+ # Filter for group objects, should match all available |
670 |
|
|
+ # group objects a user might be a member of. |
671 |
|
|
+# filter = "(objectClass=posixGroup)" |
672 |
|
|
+# membership_attribute = "memberOf" |
673 |
|
|
+ \} |
674 |
|
|
+ |
675 |
|
|
+ profile \{ |
676 |
|
|
+ # Filter for RADIUS profile objects |
677 |
|
|
+# filter = "(objectclass=radiusprofile)" |
678 |
|
|
+ |
679 |
|
|
+ # The default profile applied to all users. |
680 |
|
|
+# default = "cn=radprofile,dc=example,dc=org" |
681 |
|
|
+ |
682 |
|
|
+ # The list of profiles which are applied (after the default) |
683 |
|
|
+ # to all users. |
684 |
|
|
+ # The "User-Profile" attribute in the control list |
685 |
|
|
+ # will override this setting at run-time. |
686 |
|
|
+# attribute = "radiusProfileDn" |
687 |
|
|
+ \} |
688 |
|
|
+ |
689 |
|
|
+ |
690 |
|
|
+ client \{ |
691 |
|
|
+ # Where to start searching in the tree for clients |
692 |
|
|
+# base_dn = "$\{..base_dn\}" |
693 |
|
|
+ |
694 |
|
|
+ # |
695 |
|
|
+ # Filter to match client objects |
696 |
|
|
+ # |
697 |
|
|
+# filter = '(objectClass=frClient)' |
698 |
|
|
+ |
699 |
|
|
+ # Search scope, may be 'base', 'one', 'sub' or 'children' |
700 |
|
|
+# scope = 'sub' |
701 |
|
|
+ |
702 |
|
|
+ # |
703 |
|
|
+ # Client attribute mappings are in the format: |
704 |
|
|
+ # <client attribute> = <ldap attribute> |
705 |
|
|
+ # |
706 |
+ # Arbitrary attributes (accessible by %\{client:<attr>\}) are not yet supported. |
707 |
+ # |
708 |
|
|
+ # The following attributes are required: |
709 |
|
|
+ # * identifier - IPv4 address, or IPv4 address with prefix, or hostname. |
710 |
|
|
+ # * secret - RADIUS shared secret. |
711 |
|
|
+ # |
712 |
|
|
+ # The following attributes are optional: |
713 |
|
|
+ # * shortname - Friendly name associated with the client |
714 |
|
|
+ # * nas_type - NAS Type |
715 |
|
|
+ # * virtual_server - Virtual server to associate the client with |
716 |
|
|
+ # * require_message_authenticator - Whether we require the Message-Authenticator |
717 |
|
|
+ # attribute to be present in requests from the client. |
718 |
|
|
+ # |
719 |
|
|
+ # Schemas are available in doc/schemas/ldap for openldap and eDirectory |
720 |
|
|
+ # |
721 |
|
|
+ attribute \{ |
722 |
|
|
+# identifier = 'radiusClientIdentifier' |
723 |
|
|
+# secret = 'radiusClientSecret' |
724 |
|
|
+# shortname = 'radiusClientShortname' |
725 |
|
|
+# nas_type = 'radiusClientType' |
726 |
|
|
+# virtual_server = 'radiusClientVirtualServer' |
727 |
|
|
+# require_message_authenticator = 'radiusClientRequireMa' |
728 |
|
|
+ \} |
729 |
|
|
+ \} |
730 |
|
|
+ |
731 |
|
|
+ |
732 |
|
|
+ |
733 |
|
|
+ # Useful for recording things like the last time the user logged |
734 |
|
|
+ # in, or the Acct-Session-ID for CoA/DM. |
735 |
|
|
+ # |
736 |
|
|
+ # LDAP modification items are in the format: |
737 |
|
|
+ # <ldap attr> <op> <value> |
738 |
|
|
+ # |
739 |
|
|
+ # Where: |
740 |
|
|
+ # <ldap attr>: The LDAP attribute to add modify or delete. |
741 |
|
|
+ # <op>: One of the assignment operators: |
742 |
|
|
+ # (:=, +=, -=, ++). |
743 |
|
|
+ # Note: '=' is *not* supported. |
744 |
|
|
+ # <value>: The value to add modify or delete. |
745 |
|
|
+ # |
746 |
|
|
+ # WARNING: If using the ':=' operator with a multi-valued LDAP |
747 |
|
|
+ # attribute, all instances of the attribute will be removed and |
748 |
|
|
+ # replaced with a single attribute. |
749 |
|
|
+ accounting \{ |
750 |
|
|
+ reference = "%\{tolower:type.%\{Acct-Status-Type\}\}" |
751 |
|
|
+ |
752 |
|
|
+ type \{ |
753 |
|
|
+ start \{ |
754 |
|
|
+ update \{ |
755 |
|
|
+ description := "Online at %S" |
756 |
|
|
+ \} |
757 |
|
|
+ \} |
758 |
|
|
+ |
759 |
|
|
+ interim-update \{ |
760 |
|
|
+ update \{ |
761 |
|
|
+ description := "Last seen at %S" |
762 |
|
|
+ \} |
763 |
|
|
+ \} |
764 |
|
|
+ |
765 |
|
|
+ stop \{ |
766 |
|
|
+ update \{ |
767 |
|
|
+ description := "Offline at %S" |
768 |
|
|
+ \} |
769 |
|
|
+ \} |
770 |
|
|
+ \} |
771 |
|
|
+ \} |
772 |
|
|
+ |
773 |
|
|
+ |
774 |
|
|
+ |
775 |
|
|
+ |
776 |
|
|
+ # |
777 |
|
|
+ # Post-Auth can modify LDAP objects too |
778 |
|
|
+ # |
779 |
|
|
+ post-auth \{ |
780 |
|
|
+ update \{ |
781 |
|
|
+ description := "Authenticated at %S" |
782 |
|
|
+ \} |
783 |
|
|
+ \} |
784 |
|
|
+ |
785 |
|
|
+ |
786 |
|
|
+ |
787 |
|
|
+ |
788 |
|
|
+ |
789 |
|
|
+ # LDAP connection-specific options. |
790 |
|
|
+ # |
791 |
|
|
+ # These options set timeouts, keep-alives, etc. for the connections. |
792 |
|
|
+ # |
793 |
|
|
+ options \{ |
794 |
|
|
+ # Control under which situations aliases are followed. |
795 |
|
|
+ # May be one of 'never', 'searching', 'finding' or 'always' |
796 |
|
|
+ # default: libldap's default which is usually 'never'. |
797 |
|
|
+ # |
798 |
|
|
+ # LDAP_OPT_DEREF is set to this value. |
799 |
|
|
+# dereference = 'always' |
800 |
|
|
+ |
801 |
|
|
+ # |
802 |
|
|
+ # The following two configuration items control whether the |
803 |
|
|
+ # server follows references returned by LDAP directory. |
804 |
|
|
+ # They are mostly for Active Directory compatibility. |
805 |
|
|
+ # If you set these to "no", then searches will likely return |
806 |
|
|
+ # "operations error", instead of a useful result. |
807 |
|
|
+ # |
808 |
|
|
+ chase_referrals = yes |
809 |
|
|
+ rebind = yes |
810 |
|
|
+ |
811 |
|
|
+ # Seconds to wait for LDAP query to finish. default: 20 |
812 |
|
|
+ timeout = 10 |
813 |
|
|
+ |
814 |
|
|
+ # Seconds LDAP server has to process the query (server-side |
815 |
|
|
+ # time limit). default: 20 |
816 |
|
|
+ # |
817 |
|
|
+ # LDAP_OPT_TIMELIMIT is set to this value. |
818 |
|
|
+ timelimit = 3 |
819 |
|
|
+ |
820 |
|
|
+ # Seconds to wait for response of the server. (network |
821 |
|
|
+ # failures) default: 10 |
822 |
|
|
+ # |
823 |
|
|
+ # LDAP_OPT_NETWORK_TIMEOUT is set to this value. |
824 |
|
|
+ net_timeout = 1 |
825 |
|
|
+ |
826 |
|
|
+ # LDAP_OPT_X_KEEPALIVE_IDLE |
827 |
|
|
+ idle = 60 |
828 |
|
|
+ |
829 |
|
|
+ # LDAP_OPT_X_KEEPALIVE_PROBES |
830 |
|
|
+ probes = 3 |
831 |
|
|
+ |
832 |
|
|
+ # LDAP_OPT_X_KEEPALIVE_INTERVAL |
833 |
|
|
+ interval = 3 |
834 |
|
|
+ |
835 |
|
|
+ # ldap_debug: debug flag for LDAP SDK |
836 |
|
|
+ # (see OpenLDAP documentation). Set this to enable |
837 |
|
|
+ # huge amounts of LDAP debugging on the screen. |
838 |
|
|
+ # You should only use this if you are an LDAP expert. |
839 |
|
|
+ # |
840 |
|
|
+ # default: 0x0000 (no debugging messages) |
841 |
|
|
+ # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) |
842 |
|
|
+ ldap_debug = 0x0028 |
843 |
|
|
+ \} |
844 |
|
|
+ |
845 |
|
|
+ |
846 |
|
|
+ # The connection pool is new for 3.0, and will be used in many |
847 |
|
|
+ # modules, for all kinds of connection-related activity. |
848 |
|
|
+ # |
849 |
|
|
+ # When the server is not threaded, the connection pool |
850 |
|
|
+ # limits are ignored, and only one connection is used. |
851 |
|
|
+ pool \{ |
852 |
|
|
+ # Number of connections to start |
853 |
|
|
+ start = 5 |
854 |
|
|
+ |
855 |
|
|
+ # Minimum number of connections to keep open |
856 |
|
|
+ min = 4 |
857 |
|
|
+ |
858 |
|
|
+ # Maximum number of connections |
859 |
|
|
+ # |
860 |
|
|
+ # If these connections are all in use and a new one |
861 |
|
|
+ # is requested, the request will NOT get a connection. |
862 |
|
|
+ # |
863 |
|
|
+ # Setting 'max' to LESS than the number of threads means |
864 |
|
|
+ # that some threads may starve, and you will see errors |
865 |
|
|
+ # like "No connections available and at max connection limit" |
866 |
|
|
+ # |
867 |
|
|
+ # Setting 'max' to MORE than the number of threads means |
868 |
|
|
+ # that there are more connections than necessary. |
869 |
|
|
+ max = $\{thread[pool].max_servers\} |
870 |
|
|
+ |
871 |
|
|
+ # Spare connections to be left idle |
872 |
|
|
+ # |
873 |
|
|
+ # NOTE: Idle connections WILL be closed if "idle_timeout" |
874 |
|
|
+ # is set. |
875 |
|
|
+ spare = 3 |
876 |
|
|
+ |
877 |
|
|
+ # Number of uses before the connection is closed |
878 |
|
|
+ # |
879 |
|
|
+ # 0 means "infinite" |
880 |
|
|
+ uses = 0 |
881 |
|
|
+ |
882 |
|
|
+ # The lifetime (in seconds) of the connection |
883 |
|
|
+ lifetime = 0 |
884 |
|
|
+ |
885 |
|
|
+ # Idle timeout (in seconds). A connection which is |
886 |
|
|
+ # unused for this length of time will be closed. |
887 |
|
|
+ idle_timeout = 60 |
888 |
|
|
+ |
889 |
|
|
+ # NOTE: All configuration settings are enforced. If a |
890 |
|
|
+ # connection is closed because of "idle_timeout", |
891 |
|
|
+ # "uses", or "lifetime", then the total number of |
892 |
|
|
+ # connections MAY fall below "min". When that |
893 |
|
|
+ # happens, it will open a new connection. It will |
894 |
|
|
+ # also log a WARNING message. |
895 |
|
|
+ # |
896 |
|
|
+ # The solution is to either lower the "min" connections, |
897 |
|
|
+ # or increase lifetime/idle_timeout. |
898 |
|
|
+ \} |
899 |
|
|
+ |
900 |
|
|
+ |
901 |
|
|
+ |
902 |
|
|
+ |
903 |
|
|
+ |
904 |
|
|
+ |
905 |
|
|
+ |
906 |
|
|
+ |
907 |
|
|
+ |
908 |
|
|
+ |
909 |
|
|
+ |
910 |
|
|
+ |
911 |
|
|
+ |
912 |
|
|
+ |
913 |
|
|
+ |
914 |
|
|
+ |
915 |
|
|
+ |
916 |
|
|
+ |
917 |
|
|
+ |
918 |
|
|
+ |
919 |
|
|
+ \} |
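Review bot: The bind credential at `password = { $pw }` is emitted unquoted, so any whitespace, `#`, `"` or `}` in the value returned by esmith::util::LdapPassword() would truncate or break the expanded module file; the safe form is `password = "{ $pw }"` with backslash and double-quote escaped in the Perl before interpolation, and since the expansion then contains the directory root credential in clear text, its mode should be restricted to the account radiusd runs as. The identity `cn=root,{ $base }` is the directory's root DN, which is far more privilege than a lookup needs, and the `accounting {}` and `post-auth {}` `update` blocks lower in this file write `description :=` to user entries, so with that bind the server will really modify the directory if the ldap module is referenced in those sections of the virtual server (not visible here). The top-level `basedn`, `filter`, `ldap_connections_number`, `timeout`, `timelimit`, `net_timeout`, `groupname_attribute` and `groupmembership_filter` keys are the 2.x layout, while the commented-out `user { base_dn = "${..base_dn}" }` expects a top-level `base_dn` and the 3.0 `user`/`group` `filter` lines are also commented out, so which search base and filter the 3.0 module actually applies should be confirmed by starting it with `-X` against this expansion before relying on it.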
920 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/05init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/05init |
921 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/05init 2016-02-05 16:34:10.000000000 -0500 |
922 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/05init 2016-04-01 09:29:51.476000000 -0400 |
923 |
|
|
@@ -27,9 +27,17 @@ |
924 |
|
|
raddbdir = $\{sysconfdir\}/raddb |
925 |
|
|
radacctdir = $\{logdir\}/radacct |
926 |
|
|
|
927 |
|
|
+{ |
928 |
|
|
+# |
929 |
|
|
+# name of the running server. See also the "-n" command-line option. |
930 |
|
|
+} |
931 |
|
|
+name = radiusd |
932 |
|
|
+ |
933 |
|
|
confdir = $\{raddbdir\} |
934 |
|
|
+modconfdir = $\{confdir\}/mods-config |
935 |
|
|
+certdir = $\{confdir\}/certs |
936 |
|
|
+cadir = $\{confdir\}/certs |
937 |
|
|
run_dir = $\{localstatedir\}/run/radiusd |
938 |
|
|
-log_file = $\{logdir\}/radius.log |
939 |
|
|
{ |
940 |
|
|
# libdir: Where to find the rlm_* modules. |
941 |
|
|
# |
942 |
|
|
@@ -73,31 +81,45 @@ |
943 |
|
|
# |
944 |
|
|
# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid` |
945 |
|
|
} |
946 |
|
|
-pidfile = $\{run_dir\}/radiusd.pid |
947 |
|
|
+pidfile = $\{run_dir\}/$\{name\}.pid |
948 |
|
|
{ |
949 |
|
|
-# user/group: The name (or #number) of the user/group to run radiusd as. |
950 |
|
|
+# panic_action: Command to execute if the server dies unexpectedly. |
951 |
|
|
+# |
952 |
|
|
+# FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT. |
953 |
|
|
+# AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS. |
954 |
|
|
+# AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART. |
955 |
|
|
+# |
956 |
|
|
+# THE SERVER MUST NOT BE ALLOWED EXECUTE UNTRUSTED PANIC ACTION CODE |
957 |
|
|
+# PATTACH CAN BE USED AS AN ATTACK VECTOR. |
958 |
|
|
+# |
959 |
|
|
+# The panic action is a command which will be executed if the server |
960 |
|
|
+# receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS, |
961 |
|
|
+# SIGABRT or SIGFPE. |
962 |
|
|
# |
963 |
|
|
-# If these are commented out, the server will run as the user/group |
964 |
|
|
-# that started it. In order to change to a different user/group, you |
965 |
|
|
-# MUST be root ( or have root privleges ) to start the server. |
966 |
|
|
+# This can be used to start an interactive debugging session so |
967 |
|
|
+# that information regarding the current state of the server can |
968 |
|
|
+# be acquired. |
969 |
|
|
# |
970 |
|
|
-# We STRONGLY recommend that you run the server with as few permissions |
971 |
|
|
-# as possible. That is, if you're not using shadow passwords, the |
972 |
|
|
-# user and group items below should be set to 'nobody'. |
973 |
|
|
+# The following string substitutions are available: |
974 |
|
|
+# - %e The currently executing program e.g. /sbin/radiusd |
975 |
|
|
+# - %p The PID of the currently executing program e.g. 12345 |
976 |
|
|
# |
977 |
|
|
-# On SCO (ODT 3) use "user = nouser" and "group = nogroup". |
978 |
|
|
+# Standard ${} substitutions are also allowed. |
979 |
|
|
# |
980 |
|
|
-# NOTE that some kernels refuse to setgid(group) when the value of |
981 |
|
|
-# (unsigned)group is above 60000; don't use group nobody on these systems! |
982 |
|
|
+# An example panic action for opening an interactive session in GDB would be: |
983 |
|
|
+# |
984 |
|
|
+#panic_action = "gdb %e %p" |
985 |
|
|
+# |
986 |
|
|
+# Again, don't use that on a production system. |
987 |
|
|
+# |
988 |
|
|
+# An example panic action for opening an automated session in GDB would be: |
989 |
|
|
+# |
990 |
|
|
+#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log" |
991 |
|
|
+# |
992 |
|
|
+# That command can be used on a production system. |
993 |
|
|
# |
994 |
|
|
-# On systems with shadow passwords, you might have to set 'group = shadow' |
995 |
|
|
-# for the server to be able to read the shadow password file. If you can |
996 |
|
|
-# authenticate users while in debug mode, but not in daemon mode, it may be |
997 |
|
|
-# that the debugging mode server is running as a user that can read the |
998 |
|
|
-# shadow info, and the user listed below can not. |
999 |
|
|
} |
1000 |
|
|
-user = root |
1001 |
|
|
-group = root |
1002 |
|
|
+ |
1003 |
|
|
{ |
1004 |
|
|
# max_request_time: The maximum time (in seconds) to handle a request. |
1005 |
|
|
# |
1006 |
|
|
@@ -207,13 +229,6 @@ |
1007 |
|
|
} |
1008 |
|
|
hostname_lookups = no |
1009 |
|
|
{ |
1010 |
|
|
-# Core dumps are a bad thing. This should only be set to 'yes' |
1011 |
|
|
-# if you're debugging a problem with the server. |
1012 |
|
|
-# |
1013 |
|
|
-# allowed values: \{no, yes\} |
1014 |
|
|
-} |
1015 |
|
|
-allow_core_dumps = no |
1016 |
|
|
-{ |
1017 |
|
|
# Regular expressions |
1018 |
|
|
# |
1019 |
|
|
# These items are set at configure time. If they're set to "yes", |
1020 |
|
|
@@ -225,27 +240,6 @@ |
1021 |
|
|
regular_expressions = yes |
1022 |
|
|
extended_expressions = yes |
1023 |
|
|
{ |
1024 |
|
|
-# Log the full User-Name attribute, as it was found in the request. |
1025 |
|
|
-# |
1026 |
|
|
-# allowed values: \{no, yes\} |
1027 |
|
|
-} |
1028 |
|
|
-log_stripped_names = no |
1029 |
|
|
-{ |
1030 |
|
|
-# Log authentication requests to the log file. |
1031 |
|
|
-# |
1032 |
|
|
-# allowed values: \{no, yes\} |
1033 |
|
|
-} |
1034 |
|
|
-log_auth = no |
1035 |
|
|
-{ |
1036 |
|
|
-# Log passwords with the authentication requests. |
1037 |
|
|
-# log_auth_badpass - logs password if it's rejected |
1038 |
|
|
-# log_auth_goodpass - logs password if it's correct |
1039 |
|
|
-# |
1040 |
|
|
-# allowed values: \{no, yes\} |
1041 |
|
|
-} |
1042 |
|
|
-log_auth_badpass = no |
1043 |
|
|
-log_auth_goodpass = no |
1044 |
|
|
-{ |
1045 |
|
|
# usercollide: Turn "username collision" code on and off. See the |
1046 |
|
|
# "doc/duplicate-users" file |
1047 |
|
|
# |
1048 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/07log e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/07log |
1049 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/07log 1969-12-31 19:00:00.000000000 -0500 |
1050 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/07log 2016-04-01 09:21:32.222000000 -0400 |
1051 |
|
|
@@ -0,0 +1,127 @@ |
1052 |
|
|
+{ |
1053 |
|
|
+# |
1054 |
|
|
+# Logging section. The various "log_*" configuration items |
1055 |
|
|
+# will eventually be moved here. |
1056 |
|
|
+# |
1057 |
|
|
+# previously this section was only: |
1058 |
|
|
+#log_file = $\{logdir\}/radius.log |
1059 |
|
|
+} |
1060 |
|
|
+log \{ |
1061 |
|
|
+{ |
1062 |
|
|
+ # |
1063 |
|
|
+ # Destination for log messages. This can be one of: |
1064 |
|
|
+ # |
1065 |
|
|
+ # files - log to "file", as defined below. |
1066 |
|
|
+ # syslog - to syslog (see also the "syslog_facility", below. |
1067 |
|
|
+ # stdout - standard output |
1068 |
|
|
+ # stderr - standard error. |
1069 |
|
|
+ # |
1070 |
|
|
+ # The command-line option "-X" over-rides this option, and forces |
1071 |
|
|
+ # logging to go to stdout. |
1072 |
|
|
+ # |
1073 |
|
|
+} destination = files |
1074 |
|
|
+{ |
1075 |
|
|
+ # |
1076 |
|
|
+ # Highlight important messages sent to stderr and stdout. |
1077 |
|
|
+ # |
1078 |
|
|
+ # Option will be ignored (disabled) if output if TERM is not |
1079 |
|
|
+ # an xterm or output is not to a TTY. |
1080 |
|
|
+ # |
1081 |
|
|
+} colourise = yes |
1082 |
|
|
+{ |
1083 |
|
|
+ # |
1084 |
|
|
+ # The logging messages for the server are appended to the |
1085 |
|
|
+ # tail of this file if destination == "files" |
1086 |
|
|
+ # |
1087 |
|
|
+ # If the server is running in debugging mode, this file is |
1088 |
|
|
+ # NOT used. |
1089 |
|
|
+ # |
1090 |
+} file = $\{logdir\}/radius.log |
1091 |
+{ |
1092 |
|
|
+ # |
1093 |
|
|
+ # If this configuration parameter is set, then log messages for |
1094 |
|
|
+ # a *request* go to this file, rather than to radius.log. |
1095 |
|
|
+ # |
1096 |
|
|
+ # i.e. This is a log file per request, once the server has accepted |
1097 |
|
|
+ # the request as being from a valid client. Messages that are |
1098 |
|
|
+ # not associated with a request still go to radius.log. |
1099 |
|
|
+ # |
1100 |
|
|
+ # Not all log messages in the server core have been updated to use |
1101 |
|
|
+ # this new internal API. As a result, some messages will still |
1102 |
|
|
+ # go to radius.log. Please submit patches to fix this behavior. |
1103 |
|
|
+ # |
1104 |
|
|
+ # The file name is expanded dynamically. You should ONLY user |
1105 |
|
|
+ # server-side attributes for the filename (e.g. things you control). |
1106 |
|
|
+ # Using this feature MAY also slow down the server substantially, |
1107 |
|
|
+ # especially if you do thinks like SQL calls as part of the |
1108 |
|
|
+ # expansion of the filename. |
1109 |
|
|
+ # |
1110 |
|
|
+ # The name of the log file should use attributes that don't change |
1111 |
|
|
+ # over the lifetime of a request, such as User-Name, |
1112 |
|
|
+ # Virtual-Server or Packet-Src-IP-Address. Otherwise, the log |
1113 |
|
|
+ # messages will be distributed over multiple files. |
1114 |
|
|
+ # |
1115 |
|
|
+ # Logging can be enabled for an individual request by a special |
1116 |
|
|
+ # dynamic expansion macro: %{debug: 1}, where the debug level |
1117 |
|
|
+ # for this request is set to '1' (or 2, 3, etc.). e.g. |
1118 |
|
|
+ # |
1119 |
|
|
+ # ... |
1120 |
|
|
+ # update control { |
1121 |
|
|
+ # Tmp-String-0 = "%{debug:1}" |
1122 |
|
|
+ # } |
1123 |
|
|
+ # ... |
1124 |
|
|
+ # |
1125 |
|
|
+ # The attribute that the value is assigned to is unimportant, |
1126 |
|
|
+ # and should be a "throw-away" attribute with no side effects. |
1127 |
|
|
+ # |
1128 |
|
|
+ #requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log |
1129 |
|
|
+ |
1130 |
|
|
+ # |
1131 |
|
|
+ # Which syslog facility to use, if ${destination} == "syslog" |
1132 |
|
|
+ # |
1133 |
|
|
+ # The exact values permitted here are OS-dependent. You probably |
1134 |
|
|
+ # don't want to change this. |
1135 |
|
|
+ # |
1136 |
|
|
+} syslog_facility = daemon |
1137 |
|
|
+{ |
1138 |
|
|
+ # Log the full User-Name attribute, as it was found in the request. |
1139 |
|
|
+ # |
1140 |
|
|
+ # allowed values: {no, yes} |
1141 |
|
|
+ # |
1142 |
|
|
+ # |
1143 |
|
|
+} stripped_names = no |
1144 |
|
|
+{ |
1145 |
|
|
+ # Log authentication requests to the log file. |
1146 |
|
|
+ # |
1147 |
|
|
+ # allowed values: {no, yes} |
1148 |
|
|
+ # |
1149 |
|
|
+} auth = no |
1150 |
|
|
+{ |
1151 |
|
|
+ # Log passwords with the authentication requests. |
1152 |
|
|
+ # auth_badpass - logs password if it's rejected |
1153 |
|
|
+ # auth_goodpass - logs password if it's correct |
1154 |
|
|
+ # |
1155 |
|
|
+ # allowed values: {no, yes} |
1156 |
|
|
+ # |
1157 |
|
|
+} auth_badpass = no |
1158 |
|
|
+ auth_goodpass = no |
1159 |
|
|
+{ |
1160 |
|
|
+ # Log additional text at the end of the "Login OK" messages. |
1161 |
|
|
+ # for these to work, the "auth" and "auth_goodpass" or "auth_badpass" |
1162 |
|
|
+ # configurations above have to be set to "yes". |
1163 |
|
|
+ # |
1164 |
|
|
+ # The strings below are dynamically expanded, which means that |
1165 |
|
|
+ # you can put anything you want in them. However, note that |
1166 |
|
|
+ # this expansion can be slow, and can negatively impact server |
1167 |
|
|
+ # performance. |
1168 |
|
|
+ # |
1169 |
|
|
+} |
1170 |
|
|
+# msg_goodpass = "" |
1171 |
|
|
+# msg_badpass = "" |
1172 |
|
|
+{ |
1173 |
|
|
+ # The message when the user exceeds the Simultaneous-Use limit. |
1174 |
|
|
+ # |
1175 |
|
|
+} |
1176 |
|
|
+ msg_denied = "You are already logged in - access denied" |
1177 |
|
|
+\} |
1178 |
|
|
+ |
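Review bot: `auth = no` at `} auth = no` leaves authentication outcomes out of radius.log, so repeated failed logins against the LDAP/EAP users are invisible to log review on what is an authentication server; a practitioner would normally set `auth = yes` while keeping `auth_badpass = no` and `auth_goodpass = no`, which records `Login OK` / `Login incorrect` per user and client without ever writing a password. `stripped_names = no` fits that, since the logged name is then the full User-Name as received. If the upstream default is kept on purpose, a one-line comment saying why authentication logging is off would spare the next maintainer the guess.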
1179 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/10security e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/10security |
1180 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/10security 2005-06-11 12:01:54.000000000 -0400 |
1181 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/10security 2016-04-01 07:32:01.846000000 -0400 |
1182 |
|
|
@@ -6,6 +6,43 @@ |
1183 |
|
|
# of those attacks |
1184 |
|
|
} |
1185 |
|
|
security \{ |
1186 |
|
|
+{ # user/group: The name (or #number) of the user/group to run radiusd as. |
1187 |
|
|
+ # |
1188 |
|
|
+ # If these are commented out, the server will run as the |
1189 |
|
|
+ # user/group that started it. In order to change to a |
1190 |
|
|
+ # different user/group, you MUST be root ( or have root |
1191 |
|
|
+ # privileges ) to start the server. |
1192 |
|
|
+ # |
1193 |
|
|
+ # We STRONGLY recommend that you run the server with as few |
1194 |
|
|
+ # permissions as possible. That is, if you're not using |
1195 |
|
|
+ # shadow passwords, the user and group items below should be |
1196 |
|
|
+ # set to radius'. |
1197 |
|
|
+ # |
1198 |
|
|
+ # NOTE that some kernels refuse to setgid(group) when the |
1199 |
|
|
+ # value of (unsigned)group is above 60000; don't use group |
1200 |
|
|
+ # "nobody" on these systems! |
1201 |
|
|
+ # |
1202 |
|
|
+ # On systems with shadow passwords, you might have to set |
1203 |
|
|
+ # 'group = shadow' for the server to be able to read the |
1204 |
|
|
+ # shadow password file. If you can authenticate users while |
1205 |
|
|
+ # in debug mode, but not in daemon mode, it may be that the |
1206 |
|
|
+ # debugging mode server is running as a user that can read |
1207 |
|
|
+ # the shadow info, and the user listed below can not. |
1208 |
|
|
+ # |
1209 |
|
|
+ # The server will also try to use "initgroups" to read |
1210 |
|
|
+ # /etc/groups. It will join all groups where "user" is a |
1211 |
|
|
+ # member. This can allow for some finer-grained access |
1212 |
|
|
+ # controls. |
1213 |
|
|
+ # |
1214 |
|
|
+} user = root |
1215 |
|
|
+ group = root |
1216 |
|
|
+{ |
1217 |
|
|
+ # Core dumps are a bad thing. This should only be set to |
1218 |
|
|
+ # 'yes' if you're debugging a problem with the server. |
1219 |
|
|
+ # |
1220 |
|
|
+ # allowed values: {no, yes} |
1221 |
|
|
+ # |
1222 |
|
|
+} allow_core_dumps = no |
1223 |
|
|
{ |
1224 |
|
|
# max_attributes: The maximum number of attributes |
1225 |
|
|
# permitted in a RADIUS packet. Packets which have MORE |
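Review bot: `user = root` / `group = root` at `} user = root` keeps radiusd running as root even though the comment block directly above it says to run with as few permissions as possible, so any fault in a packet parser or module runs with full privilege. If root is needed only so the server can read root-only files (presumably the smbpasswd file or the expanded LDAP module holding the bind password — the reason is not visible in this hunk), the usual alternative is `user = radiusd`, `group = radiusd` (or whatever unprivileged account the freeradius package creates) with those files made group-readable; if root is genuinely required, a comment stating why belongs next to the setting. The comment text `set to radius'.` also has a stray apostrophe and should read `set to 'radius'.`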
1226 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/15configuration e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/15configuration |
1227 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/15configuration 2005-06-11 14:31:14.000000000 -0400 |
1228 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/15configuration 2016-04-01 07:48:08.316000000 -0400 |
1229 |
|
|
@@ -99,4 +99,19 @@ |
1230 |
|
|
# '0' is a special value meaning 'infinity', or 'the servers never |
1231 |
|
|
# exit' |
1232 |
|
|
} max_requests_per_server = 0 |
1233 |
|
|
+{ |
1234 |
|
|
+ # If the received PPS is larger than the processed PPS, *and* |
1235 |
|
|
+ # the queue is more than half full, then new accounting |
1236 |
|
|
+ # requests are probabilistically discarded. This lowers the |
1237 |
|
|
+ # number of packets that the server needs to process. Over |
1238 |
|
|
+ # time, the server will "catch up" with the traffic. |
1239 |
|
|
+ # |
1240 |
|
|
+ # Throwing away accounting packets is usually safe and low |
1241 |
|
|
+ # impact. The NAS will retransmit them in a few seconds, or |
1242 |
|
|
+ # even a few minutes. Vendors should read RFC 5080 Section 2.2.1 |
1243 |
|
|
+ # to see how accounting packets should be retransmitted. Using |
1244 |
|
|
+ # any other method is likely to cause network meltdowns. |
1245 |
|
|
+ # |
1246 |
|
|
+} auto_limit_acct = no |
1247 |
|
|
+ |
1248 |
|
|
\} |
1249 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/17snmp e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/17snmp |
1250 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/17snmp 1969-12-31 19:00:00.000000000 -0500 |
1251 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/17snmp 2016-04-01 07:49:00.444000000 -0400 |
1252 |
|
|
@@ -0,0 +1,10 @@ |
1253 |
|
|
+{ |
1254 |
|
|
+###################################################################### |
1255 |
|
|
+# |
1256 |
|
|
+# SNMP notifications. Uncomment the following line to enable |
1257 |
|
|
+# snmptraps. Note that you MUST also configure the full path |
1258 |
|
|
+# to the "snmptrap" command in the "trigger.conf" file. |
1259 |
|
|
+# |
1260 |
|
|
+} |
1261 |
|
|
+#$INCLUDE trigger.conf |
1262 |
|
|
+ |
1263 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/20modules00init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/20modules00init |
1264 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/20modules00init 2005-06-11 14:32:26.000000000 -0400 |
1265 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/20modules00init 2016-04-01 07:56:07.712000000 -0400 |
1266 |
|
|
@@ -7,18 +7,34 @@ |
1267 |
|
|
# in other sections of this configuration file. |
1268 |
|
|
} |
1269 |
|
|
modules \{ { |
1270 |
|
|
- # Each module has a configuration as follows: |
1271 |
|
|
- # |
1272 |
|
|
- # name [ instance ] \{ |
1273 |
|
|
- # config_item = value |
1274 |
|
|
- # ... |
1275 |
|
|
- # \} |
1276 |
|
|
- # |
1277 |
|
|
- # The 'name' is used to load the 'rlm_name' library |
1278 |
|
|
- # which implements the functionality of the module. |
1279 |
|
|
- # |
1280 |
|
|
- # The 'instance' is optional. To have two different instances |
1281 |
|
|
- # of a module, it first must be referred to by 'name'. |
1282 |
|
|
- # The different copies of the module are then created by |
1283 |
|
|
- # inventing two 'instance' names, e.g. 'instance1' and 'instance2' |
1284 |
|
|
+ # |
1285 |
|
|
+ # Each module has a configuration as follows: |
1286 |
|
|
+ # |
1287 |
|
|
+ # name [ instance ] { |
1288 |
|
|
+ # config_item = value |
1289 |
|
|
+ # ... |
1290 |
|
|
+ # } |
1291 |
|
|
+ # |
1292 |
|
|
+ # The 'name' is used to load the 'rlm_name' library |
1293 |
|
|
+ # which implements the functionality of the module. |
1294 |
|
|
+ # |
1295 |
|
|
+ # The 'instance' is optional. To have two different instances |
1296 |
|
|
+ # of a module, it first must be referred to by 'name'. |
1297 |
|
|
+ # The different copies of the module are then created by |
1298 |
|
|
+ # inventing two 'instance' names, e.g. 'instance1' and 'instance2' |
1299 |
|
|
+ # |
1300 |
|
|
+ # The instance names can then be used in later configuration |
1301 |
|
|
+ # INSTEAD of the original 'name'. See the 'radutmp' configuration |
1302 |
|
|
+ # for an example. |
1303 |
|
|
+ # |
1304 |
|
|
+ |
1305 |
|
|
+ # |
1306 |
|
|
+ # As of 3.0, modules are in mods-enabled/. Files matching |
1307 |
|
|
+ # the regex /[a-zA-Z0-9_.]+/ are loaded. The modules are |
1308 |
|
|
+ # initialized ONLY if they are referenced in a processing |
1309 |
|
|
+ # section, such as authorize, authenticate, accounting, |
1310 |
|
|
+ # pre/post-proxy, etc. |
1311 |
|
|
+ # |
1312 |
|
|
} |
1313 |
|
|
+ $INCLUDE mods-enabled/ |
1314 |
|
|
+ |
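Review bot: `$INCLUDE mods-enabled/` makes the directory, not this template, decide which modules exist, and nothing in the hunk says where the expected entries come from or that the `preprocess` configuration previously templated in 25modules05preprocess is now expected from the package's stock link; a comment such as `# module instances now come from mods-enabled/ (package defaults plus the links this package creates); preprocess, eap, mschap and pap must be present there` would tell an admin who prunes that directory what this configuration relies on. Per the comment above the include, every file whose name matches `[a-zA-Z0-9_.]+` is loaded, so a stray `*.rpmnew` or `*.rpmsave` copy left in mods-enabled/ would likely define a duplicate module instance and keep the server from starting, which is worth noting alongside.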
1315 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules05preprocess e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules05preprocess |
1316 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules05preprocess 2005-06-11 14:37:58.000000000 -0400 |
1317 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules05preprocess 1969-12-31 19:00:00.000000000 -0500 |
1318 |
|
|
@@ -1,47 +0,0 @@ |
1319 |
|
|
-{ |
1320 |
|
|
- # Preprocess the incoming RADIUS request, before handing it off |
1321 |
|
|
- # to other modules. |
1322 |
|
|
-} preprocess \{ |
1323 |
|
|
-{ |
1324 |
|
|
- # This hack changes Ascend's wierd port numberings |
1325 |
|
|
- # to standard 0-??? port numbers so that the "+" works |
1326 |
|
|
- # for IP address assignments. |
1327 |
|
|
-} with_ascend_hack = no |
1328 |
|
|
- ascend_channels_per_line = 23 |
1329 |
|
|
-{ |
1330 |
|
|
- # Windows NT machines often authenticate themselves as |
1331 |
|
|
- # NT_DOMAIN\username |
1332 |
|
|
- # |
1333 |
|
|
- # If this is set to 'yes', then the NT_DOMAIN portion |
1334 |
|
|
- # of the user-name is silently discarded. |
1335 |
|
|
- # |
1336 |
|
|
- # This configuration entry SHOULD NOT be used. |
1337 |
|
|
- # See the "realms" module for a better way to handle |
1338 |
|
|
- # NT domains. |
1339 |
|
|
-} with_ntdomain_hack = no |
1340 |
|
|
-{ |
1341 |
|
|
- # Specialix Jetstream 8500 24 port access server. |
1342 |
|
|
- # |
1343 |
|
|
- # If the user name is 10 characters or longer, a "/" |
1344 |
|
|
- # and the excess characters after the 10th are |
1345 |
|
|
- # appended to the user name. |
1346 |
|
|
- # |
1347 |
|
|
- # If you're not running that NAS, you don't need |
1348 |
|
|
- # this hack. |
1349 |
|
|
-} with_specialix_jetstream_hack = no |
1350 |
|
|
-{ |
1351 |
|
|
- # Cisco sends it's VSA attributes with the attribute |
1352 |
|
|
- # name *again* in the string, like: |
1353 |
|
|
- # |
1354 |
|
|
- # H323-Attribute = "h323-attribute=value". |
1355 |
|
|
- # |
1356 |
|
|
- # If this configuration item is set to 'yes', then |
1357 |
|
|
- # the redundant data in the the attribute text is stripped |
1358 |
|
|
- # out. The result is: |
1359 |
|
|
- # |
1360 |
|
|
- # H323-Attribute = "value" |
1361 |
|
|
- # |
1362 |
|
|
- # If you're not running a Cisco NAS, you don't need |
1363 |
|
|
- # this hack. |
1364 |
|
|
-} with_cisco_vsa_hack = no |
1365 |
|
|
- \} |
1366 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules10suffix e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules10suffix |
1367 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules10suffix 2005-06-11 12:11:42.000000000 -0400 |
1368 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules10suffix 1969-12-31 19:00:00.000000000 -0500 |
1369 |
|
|
@@ -1,8 +0,0 @@ |
1370 |
|
|
-{ |
1371 |
|
|
- # 'username@realm' |
1372 |
|
|
-} realm suffix \{ |
1373 |
|
|
- format = suffix |
1374 |
|
|
- delimiter = "@" |
1375 |
|
|
- ignore_default = yes |
1376 |
|
|
- ignore_null = yes |
1377 |
|
|
- \} |
1378 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules15ntdomain e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules15ntdomain |
1379 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules15ntdomain 2005-06-11 14:12:54.000000000 -0400 |
1380 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules15ntdomain 1969-12-31 19:00:00.000000000 -0500 |
1381 |
|
|
@@ -1,8 +0,0 @@ |
1382 |
|
|
-{ |
1383 |
|
|
- # 'domain\user' |
1384 |
|
|
-} realm ntdomain \{ |
1385 |
|
|
- format = prefix |
1386 |
|
|
- delimiter = "\\" |
1387 |
|
|
- ignore_default = no |
1388 |
|
|
- ignore_null = no |
1389 |
|
|
- \} |
1390 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules20eap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules20eap |
1391 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules20eap 2005-06-11 12:08:29.000000000 -0400 |
1392 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules20eap 1969-12-31 19:00:00.000000000 -0500 |
1393 |
|
|
@@ -1,6 +0,0 @@ |
1394 |
|
|
-{ |
1395 |
|
|
- # Extensible Authentication Protocol |
1396 |
|
|
- # |
1397 |
|
|
- # For all EAP related authentications. |
1398 |
|
|
- # Now in another file, because it is very large. |
1399 |
|
|
-}$INCLUDE $\{confdir\}/eap.conf |
1400 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules25mschap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules25mschap |
1401 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules25mschap 2005-06-11 14:57:35.000000000 -0400 |
1402 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules25mschap 1969-12-31 19:00:00.000000000 -0500 |
1403 |
|
|
@@ -1,50 +0,0 @@ |
1404 |
|
|
-{ |
1405 |
|
|
- # Microsoft CHAP authentication |
1406 |
|
|
- # |
1407 |
|
|
- # This module supports MS-CHAP and MS-CHAPv2 authentication. |
1408 |
|
|
- # It also enforces the SMB-Account-Ctrl attribute. |
1409 |
|
|
-} mschap \{ |
1410 |
|
|
-{ |
1411 |
|
|
- # As of 0.9, the mschap module does NOT support |
1412 |
|
|
- # reading from /etc/smbpasswd. |
1413 |
|
|
- # |
1414 |
|
|
- # If you are using /etc/smbpasswd, see the 'passwd' |
1415 |
|
|
- # module for an example of how to use /etc/smbpasswd |
1416 |
|
|
- # |
1417 |
|
|
- # authtype value, if present, will be used |
1418 |
|
|
- # to overwrite (or add) Auth-Type during |
1419 |
|
|
- # authorization. Normally should be MS-CHAP |
1420 |
|
|
-} authtype = MS-CHAP |
1421 |
|
|
-{ |
1422 |
|
|
- # if use_mppe is not set to no mschap will |
1423 |
|
|
- # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and |
1424 |
|
|
- # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2 |
1425 |
|
|
-} use_mppe = yes |
1426 |
|
|
-{ |
1427 |
|
|
- # if mppe is enabled require_encryption makes |
1428 |
|
|
- # encryption moderate |
1429 |
|
|
-} require_encryption = yes |
1430 |
|
|
-{ |
1431 |
|
|
- # require_strong always requires 128 bit key |
1432 |
|
|
- # encryption |
1433 |
|
|
- # |
1434 |
|
|
-} require_strong = yes |
1435 |
|
|
-{ |
1436 |
|
|
- # Windows sends us a username in the form of |
1437 |
|
|
- # DOMAIN\user, but sends the challenge response |
1438 |
|
|
- # based on only the user portion. This hack |
1439 |
|
|
- # corrects for that incorrect behavior. |
1440 |
|
|
-} with_ntdomain_hack = yes |
1441 |
|
|
-{ |
1442 |
|
|
- # The module can perform authentication itself, OR |
1443 |
|
|
- # use a Windows Domain Controller. This configuration |
1444 |
|
|
- # directive tells the module to call the ntlm_auth |
1445 |
|
|
- # program, which will do the authentication, and return |
1446 |
|
|
- # the NT-Key. Note that you MUST have "winbindd" and |
1447 |
|
|
- # "nmbd" running on the local machine for ntlm_auth |
1448 |
|
|
- # to work. See the ntlm_auth program documentation |
1449 |
|
|
- # for details. |
1450 |
|
|
- # |
1451 |
|
|
- # Be VERY careful when editing the following line! |
1452 |
|
|
- #ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%\{Stripped-User-Name:-%\{User-Name:-None\}\} --challenge=%\{mschap:Challenge:-00\} --nt-response=%\{mschap:NT-Response:-00\}" |
1453 |
|
|
-} \} |
1454 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30ldap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30ldap |
1455 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30ldap 2013-02-13 18:00:55.000000000 -0500 |
1456 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30ldap 1969-12-31 19:00:00.000000000 -0500 |
1457 |
|
|
@@ -1,24 +0,0 @@ |
1458 |
|
|
-{ |
1459 |
|
|
- |
1460 |
|
|
- use esmith::util; |
1461 |
|
|
- $OUT = ''; |
1462 |
|
|
- |
1463 |
|
|
- $pw = esmith::util::LdapPassword(); |
1464 |
|
|
- $base = esmith::util::ldapBase ($DomainName); |
1465 |
|
|
- |
1466 |
|
|
-} ldap \{ |
1467 |
|
|
- server = "localhost" |
1468 |
|
|
- identity = "cn=root,{ $base }" |
1469 |
|
|
- password = { $pw } |
1470 |
|
|
- basedn = "{ $base }" |
1471 |
|
|
- filter = "(&(objectClass=posixAccount)(uid=%\{Stripped-User-Name:-%\{User-Name\}\}))" |
1472 |
|
|
- ldap_connections_number = 5 |
1473 |
|
|
- timeout = 4 |
1474 |
|
|
- timelimit = 3 |
1475 |
|
|
- net_timeout = 3 |
1476 |
|
|
- tls \{ |
1477 |
|
|
- start_tls = no |
1478 |
|
|
- \} |
1479 |
|
|
- groupname_attribute = cn |
1480 |
|
|
- groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%\{Stripped-User-Name:-%\{User-Name\}\}))" |
1481 |
|
|
- \} |
1482 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30smbpasswd e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30smbpasswd |
1483 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30smbpasswd 2005-06-11 14:34:29.000000000 -0400 |
1484 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30smbpasswd 1969-12-31 19:00:00.000000000 -0500 |
1485 |
|
|
@@ -1,10 +0,0 @@ |
1486 |
|
|
-{ |
1487 |
|
|
- # An example configuration for using /etc/samba/smbpasswd. |
1488 |
|
|
-} passwd smbpasswd \{ |
1489 |
|
|
- filename = /etc/samba/smbpasswd |
1490 |
|
|
- format = "*Stripped-User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" |
1491 |
|
|
- authtype = MS-CHAP |
1492 |
|
|
- hashsize = 100 |
1493 |
|
|
- ignorenislike = no |
1494 |
|
|
- allowmultiplekeys = no |
1495 |
|
|
- \} |
1496 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules35files e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules35files |
1497 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules35files 2005-06-11 14:47:21.000000000 -0400 |
1498 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules35files 1969-12-31 19:00:00.000000000 -0500 |
1499 |
|
|
@@ -1,11 +0,0 @@ |
1500 |
|
|
-{ |
1501 |
|
|
- # Livingston-style 'users' file |
1502 |
|
|
-} files \{ |
1503 |
|
|
- usersfile = $\{confdir\}/users |
1504 |
|
|
-{ |
1505 |
|
|
- # If you want to use the old Cistron 'users' file |
1506 |
|
|
- # with FreeRADIUS, you should change the next line |
1507 |
|
|
- # to 'compat = cistron'. You can the copy your 'users' |
1508 |
|
|
- # file from Cistron. |
1509 |
|
|
-} compat = no |
1510 |
|
|
- \} |
1511 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules40reject e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules40reject |
1512 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules40reject 2005-06-11 14:35:56.000000000 -0400 |
1513 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules40reject 1969-12-31 19:00:00.000000000 -0500 |
1514 |
|
|
@@ -1,6 +0,0 @@ |
1515 |
|
|
-{ |
1516 |
|
|
- # Each instance simply returns the same result, always, without |
1517 |
|
|
- # doing anything. |
1518 |
|
|
-} always reject \{ |
1519 |
|
|
- rcode = reject |
1520 |
|
|
- \} |
1521 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules45acctUnique e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules45acctUnique |
1522 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules45acctUnique 2008-10-07 13:37:19.000000000 -0400 |
1523 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules45acctUnique 1969-12-31 19:00:00.000000000 -0500 |
1524 |
|
|
@@ -1,13 +0,0 @@ |
1525 |
|
|
-{ |
1526 |
|
|
- # Create a unique accounting session Id. Many NASes re-use or |
1527 |
|
|
- # repeat values for Acct-Session-Id, causing no end of |
1528 |
|
|
- # confusion. |
1529 |
|
|
- # |
1530 |
|
|
- # This module will add a (probably) unique session id |
1531 |
|
|
- # to an accounting packet based on the attributes listed |
1532 |
|
|
- # below found in the packet. See doc/rlm_acct_unique for |
1533 |
|
|
- # more information. |
1534 |
|
|
- # |
1535 |
|
|
-} acct_unique \{ |
1536 |
|
|
- key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" |
1537 |
|
|
- \} |
1538 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules50detail e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules50detail |
1539 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules50detail 2008-10-07 13:37:19.000000000 -0400 |
1540 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules50detail 1969-12-31 19:00:00.000000000 -0500 |
1541 |
|
|
@@ -1,36 +0,0 @@ |
1542 |
|
|
-{ |
1543 |
|
|
- # Write a detailed log of all accounting records received. |
1544 |
|
|
- # |
1545 |
|
|
-} detail \{ |
1546 |
|
|
-{ # Note that we do NOT use NAS-IP-Address here, as |
1547 |
|
|
- # that attribute MAY BE from the originating NAS, and |
1548 |
|
|
- # NOT from the proxy which actually sent us the |
1549 |
|
|
- # request. The Client-IP-Address attribute is ALWAYS |
1550 |
|
|
- # the address of the client which sent us the |
1551 |
|
|
- # request. |
1552 |
|
|
- # |
1553 |
|
|
- # The following line creates a new detail file for |
1554 |
|
|
- # every radius client (by IP address or hostname). |
1555 |
|
|
- # In addition, a new detail file is created every |
1556 |
|
|
- # day, so that the detail file doesn't have to go |
1557 |
|
|
- # through a 'log rotation' |
1558 |
|
|
- # |
1559 |
|
|
- # If your detail files are large, you may also want |
1560 |
|
|
- # to add a ':%H' (see doc/variables.txt) to the end |
1561 |
|
|
- # of it, to create a new detail file every hour, e.g.: |
1562 |
|
|
- # |
1563 |
|
|
- # ..../detail-%Y%m%d:%H |
1564 |
|
|
- # |
1565 |
|
|
- # This will create a new detail file for every hour. |
1566 |
|
|
- # |
1567 |
|
|
-} detailfile = $\{logdir\}/accounting.log |
1568 |
|
|
-{ |
1569 |
|
|
- # |
1570 |
|
|
- # The Unix-style permissions on the 'detail' file. |
1571 |
|
|
- # |
1572 |
|
|
- # The detail file often contains secret or private |
1573 |
|
|
- # information about users. So by keeping the file |
1574 |
|
|
- # permissions restrictive, we can prevent unwanted |
1575 |
|
|
- # people from seeing that information. |
1576 |
|
|
-} detailperm = 0600 |
1577 |
|
|
- \} |
1578 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization00init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization00init |
1579 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization00init 2008-10-07 13:37:19.000000000 -0400 |
1580 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization00init 1969-12-31 19:00:00.000000000 -0500 |
1581 |
|
|
@@ -1,11 +0,0 @@ |
1582 |
|
|
-{ |
1583 |
|
|
-# Authorization. First preprocess (hints and huntgroups files), |
1584 |
|
|
-# then realms, and finally look in the "users" file. |
1585 |
|
|
-# |
1586 |
|
|
-# The order of the realm modules will determine the order that |
1587 |
|
|
-# we try to find a matching realm. |
1588 |
|
|
-# |
1589 |
|
|
-# Make *sure* that 'preprocess' comes before any realm if you |
1590 |
|
|
-# need to setup hints for the remote radius server |
1591 |
|
|
-} |
1592 |
|
|
-authorize \{ |
1593 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization40default e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization40default |
1594 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization40default 2013-02-13 18:00:55.000000000 -0500 |
1595 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization40default 1969-12-31 19:00:00.000000000 -0500 |
1596 |
|
|
@@ -1,39 +0,0 @@ |
1597 |
|
|
-{ |
1598 |
|
|
- # The preprocess module takes care of sanitizing some bizarre |
1599 |
|
|
- # attributes in the request, and turning them into attributes |
1600 |
|
|
- # which are more standard. |
1601 |
|
|
- # |
1602 |
|
|
- # It takes care of processing the 'raddb/hints' and the |
1603 |
|
|
- # 'raddb/huntgroups' files. |
1604 |
|
|
- # |
1605 |
|
|
- # It also adds the %\{Client-IP-Address\} attribute to the request. |
1606 |
|
|
-} preprocess |
1607 |
|
|
-{ |
1608 |
|
|
- # If you are using multiple kinds of realms, you probably |
1609 |
|
|
- # want to set "ignore_null = yes" for all of them. |
1610 |
|
|
- # Otherwise, when the first style of realm doesn't match, |
1611 |
|
|
- # the other styles won't be checked. |
1612 |
|
|
-} suffix |
1613 |
|
|
- ntdomain |
1614 |
|
|
-{ |
1615 |
|
|
- # This module takes care of EAP-PEAP authentication. |
1616 |
|
|
- # |
1617 |
|
|
- # It also sets the EAP-Type attribute in the request |
1618 |
|
|
- # attribute list to the EAP type from the packet. |
1619 |
|
|
-} eap |
1620 |
|
|
-{ |
1621 |
|
|
- # If the users are logging in with an MS-CHAP-Challenge |
1622 |
|
|
- # attribute for authentication, the mschap module will find |
1623 |
|
|
- # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' |
1624 |
|
|
- # to the request, which will cause the server to then use |
1625 |
|
|
- # the mschap module for authentication. |
1626 |
|
|
-} mschap |
1627 |
|
|
-{ |
1628 |
|
|
- # If you are using /etc/smbpasswd, and are also doing |
1629 |
|
|
- # mschap authentication, the un-comment this line, and |
1630 |
|
|
- # configure the 'smbpasswd' module, above. |
1631 |
|
|
- ( $ldap{Authentication} || 'disabled' ) eq 'enabled' ? 'ldap' : 'smbpasswd'; |
1632 |
|
|
-} |
1633 |
|
|
-{ |
1634 |
|
|
- # Read the 'users' file |
1635 |
|
|
-} files |
1636 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization99end |
1637 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization99end 2008-10-07 13:37:19.000000000 -0400 |
1638 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization99end 1969-12-31 19:00:00.000000000 -0500 |
1639 |
|
|
@@ -1 +0,0 @@ |
1640 |
|
|
-\} |
1641 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate00setup e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate00setup |
1642 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate00setup 2008-10-07 13:37:19.000000000 -0400 |
1643 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate00setup 1969-12-31 19:00:00.000000000 -0500 |
1644 |
|
|
@@ -1,5 +0,0 @@ |
1645 |
|
|
-{ |
1646 |
|
|
- my @authModules = ''; |
1647 |
|
|
- $OUT = ''; |
1648 |
|
|
-} |
1649 |
|
|
- |
1650 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate10AuthMsChap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate10AuthMsChap |
1651 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate10AuthMsChap 2008-10-07 13:37:19.000000000 -0400 |
1652 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate10AuthMsChap 1969-12-31 19:00:00.000000000 -0500 |
1653 |
|
|
@@ -1,5 +0,0 @@ |
1654 |
|
|
-{ |
1655 |
|
|
- push(@authModules, "\tAuth-Type MS-CHAP\{\n\t\tmschap\n\t\}\n"); |
1656 |
|
|
- $OUT = ''; |
1657 |
|
|
-} |
1658 |
|
|
- |
1659 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate15ldap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate15ldap |
1660 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate15ldap 2013-02-13 18:00:55.000000000 -0500 |
1661 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate15ldap 1969-12-31 19:00:00.000000000 -0500 |
1662 |
|
|
@@ -1,5 +0,0 @@ |
1663 |
|
|
-{ |
1664 |
|
|
- push(@authModules, "\tAuth-Type LDAP\{\n\t\tldap\n\t\}\n"); |
1665 |
|
|
- $OUT = ''; |
1666 |
|
|
-} |
1667 |
|
|
- |
1668 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate20authEap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate20authEap |
1669 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate20authEap 2008-10-07 13:37:19.000000000 -0400 |
1670 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate20authEap 1969-12-31 19:00:00.000000000 -0500 |
1671 |
|
|
@@ -1,4 +0,0 @@ |
1672 |
|
|
-{ |
1673 |
|
|
- push(@authModules, "\teap\n"); |
1674 |
|
|
- $OUT = ''; |
1675 |
|
|
-} |
1676 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate99process e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate99process |
1677 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate99process 2008-10-07 13:37:19.000000000 -0400 |
1678 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate99process 1969-12-31 19:00:00.000000000 -0500 |
1679 |
|
|
@@ -1,23 +0,0 @@ |
1680 |
|
|
-{ |
1681 |
|
|
-# Authentication. |
1682 |
|
|
-# |
1683 |
|
|
-# This section lists which modules are available for authentication. |
1684 |
|
|
-# Note that it does NOT mean 'try each module in order'. It means |
1685 |
|
|
-# that a module from the 'authorize' section adds a configuration |
1686 |
|
|
-# attribute 'Auth-Type := FOO'. That authentication type is then |
1687 |
|
|
-# used to pick the apropriate module from the list below. |
1688 |
|
|
-# |
1689 |
|
|
-# In general, you SHOULD NOT set the Auth-Type attribute. The server |
1690 |
|
|
-# will figure it out on its own, and will do the right thing. The |
1691 |
|
|
-# most common side effect of erroneously setting the Auth-Type |
1692 |
|
|
-# attribute is that one authentication method will work, but the |
1693 |
|
|
-# others will not. |
1694 |
|
|
-# |
1695 |
|
|
-# The common reasons to set the Auth-Type attribute by hand |
1696 |
|
|
-# is to either forcibly reject the user, or forcibly accept him. |
1697 |
|
|
- |
1698 |
|
|
- $OUT = "authenticate \{\n"; |
1699 |
|
|
- $OUT .= "$_\n" foreach @authModules; |
1700 |
|
|
- $OUT .= "\}\n"; |
1701 |
|
|
- |
1702 |
|
|
-} |
1703 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/75preacct e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/75preacct |
1704 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/75preacct 2008-10-07 13:37:19.000000000 -0400 |
1705 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/75preacct 1969-12-31 19:00:00.000000000 -0500 |
1706 |
|
|
@@ -1,17 +0,0 @@ |
1707 |
|
|
-{ |
1708 |
|
|
-# |
1709 |
|
|
-# Pre-accounting. Decide which accounting type to use. |
1710 |
|
|
-# |
1711 |
|
|
-}preacct \{ |
1712 |
|
|
- preprocess |
1713 |
|
|
-{ |
1714 |
|
|
- # |
1715 |
|
|
- # Ensure that we have a semi-unique identifier for every |
1716 |
|
|
- # request, and many NAS boxes are broken. |
1717 |
|
|
-} acct_unique |
1718 |
|
|
-{ |
1719 |
|
|
- # Accounting requests are generally proxied to the same |
1720 |
|
|
- # home server as authentication requests. |
1721 |
|
|
-} suffix |
1722 |
|
|
- ntdomain |
1723 |
|
|
-\} |
1724 |
|
|
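--- a/root/etc/e-smith/templates/etc/raddb/radiusd.conf/77Instantiate
+++ b/root/etc/e-smith/templates/etc/raddb/radiusd.conf/77Instantiate
@@ -0,0 +1,45 @@
+{
+# Instantiation
+#
+# This section orders the loading of the modules. Modules
+# listed here will get loaded BEFORE the later sections like
+# authorize, authenticate, etc. get examined.
+#
+# This section is not strictly needed. When a section like
+# authorize refers to a module, it's automatically loaded and
+# initialized. However, some modules may not be listed in any
+# of the following sections, so they can be listed here.
+#
+# Also, listing modules here ensures that you have control over
+# the order in which they are initialized. If one module needs
+# something defined by another module, you can list them in order
+# here, and ensure that the configuration will be OK.
+#
+# After the modules listed here have been loaded, all of the modules
+# in the "mods-enabled" directory will be loaded. Loading the
+# "mods-enabled" directory means that unlike Version 2, you usually
+# don't need to list modules here.
+#
+}
+instantiate \{
+ #
+ # We list the counter module here so that it registers
+ # the check_name attribute before any module which sets
+ # it
+# daily
+ 
+ # subsections here can be thought of as "virtual" modules.
+ #
+ # e.g. If you have two redundant SQL servers, and you want to
+ # use them in the authorize and accounting sections, you could
+ # place a "redundant" block in each section, containing the
+ # exact same text. Or, you could uncomment the following
+ # lines, and list "redundant_sql" in the authorize and
+ # accounting sections.
+ #
+ #redundant redundant_sql \{
+ # sql1
+ # sql2
+ #\}
+\}
+ 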
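Review bot: The escaped braces in the commented-out example, `#redundant redundant_sql \{` through `#\}`, are the one non-obvious thing in this fragment and carry no explanation: the template processor consumes bare `{ }` before radiusd ever reads the generated file, so even a `#`-commented radiusd line must escape them, and an editor who later "fixes" them back will break parsing of the whole template. A line in the leading Perl block would prevent that, e.g. `# NB: radiusd braces below are written \{ \} so the template processor does not treat them as Perl code`. As rendered here the `# daily` line sits at column 0 while its sibling comment lines are indented, which reads as a leftover rather than as a deliberately disabled module; indenting it like the rest, or dropping it, makes the intent clearer.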
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting00init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting00init |
1774 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting00init 2008-10-07 13:37:19.000000000 -0400 |
1775 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting00init 1969-12-31 19:00:00.000000000 -0500 |
1776 |
|
|
@@ -1,5 +0,0 @@ |
1777 |
|
|
-{ |
1778 |
|
|
-# |
1779 |
|
|
-# Accounting. Log the accounting data. |
1780 |
|
|
-# |
1781 |
|
|
-}accounting \{ |
1782 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting40default e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting40default |
1783 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting40default 2008-10-07 13:37:19.000000000 -0400 |
1784 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting40default 1969-12-31 19:00:00.000000000 -0500 |
1785 |
|
|
@@ -1,5 +0,0 @@ |
1786 |
|
|
-{ # |
1787 |
|
|
- # Create a 'detail'ed log of the packets. |
1788 |
|
|
- # Note that accounting requests which are proxied |
1789 |
|
|
- # are also logged in the detail file. |
1790 |
|
|
-} detail |
1791 |
|
|
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting99end |
1792 |
|
|
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting99end 2008-10-07 13:37:19.000000000 -0400 |
1793 |
|
|
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting99end 1969-12-31 19:00:00.000000000 -0500 |
1794 |
|
|
@@ -1 +0,0 @@ |
1795 |
|
|
-\} |
1796 |
|
|
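--- a/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80Policy
+++ b/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80Policy
@@ -0,0 +1,20 @@
+{
+######################################################################
+#
+# Policies are virtual modules, similar to those defined in the
+# "instantiate" section above.
+#
+# Defining a policy in one of the policy.d files means that it can be
+# referenced in multiple places as a *name*, rather than as a series of
+# conditions to match, and actions to take.
+#
+# Policies are something like subroutines in a normal language, but
+# they cannot be called recursively. They MUST be defined in order.
+# If policy A calls policy B, then B MUST be defined before A.
+#
+######################################################################
+}
+policy \{
+ $INCLUDE policy.d/
+\}
+ 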
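Review bot: `$INCLUDE policy.d/` hands the whole policy.d/ directory to the server unconditionally, and nothing in this fragment records that the template does not generate those files, so which policies are active depends entirely on what is installed in, or later dropped into, that directory. A short comment above the directive would help the next maintainer, e.g. `# policy.d/ is not templated; every file in it that the server accepts is loaded`. The same applies to the `mods-enabled/` and `sites-enabled/` includes elsewhere in this patch: keeping those directories owned by the package and not writable by the service account is what keeps a directory include from becoming a configuration-injection point, and that is worth stating in the package documentation.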
|
|
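--- a/root/etc/e-smith/templates/etc/raddb/radiusd.conf/90LoadVirtualServers
+++ b/root/etc/e-smith/templates/etc/raddb/radiusd.conf/90LoadVirtualServers
@@ -0,0 +1,33 @@
+{
+######################################################################
+#
+#<----->Load virtual servers.
+#
+#<----->This next $INCLUDE line loads files in the directory that
+#<----->match the regular expression: /[a-zA-Z0-9_.]+/
+#
+#<----->It allows you to define new virtual servers simply by placing
+#<----->a file into the raddb/sites-enabled/ directory.
+#
+}$INCLUDE sites-enabled/
+{
+######################################################################
+#
+#<----->All of the other configuration sections like "authorize {}",
+#<----->"authenticate {}", "accounting {}", have been moved to the
+#<----->the file:
+#
+#<-----><------>raddb/sites-available/default
+#
+#<----->This is the "default" virtual server that has the same
+#<----->configuration as in version 1.0.x and 1.1.x. The default
+#<----->installation enables this virtual server. You should
+#<----->edit it to create policies for your local site.
+#
+#<----->For more documentation on virtual servers, see:
+#
+#<-----><------>raddb/sites-available/README
+#
+######################################################################
+ 
+}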
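Review bot: The unescaped braces in `"authorize {}"`, `"authenticate {}"` and `"accounting {}"` sit inside the second Perl block and survive only because each pair is balanced; if the template engine finds the block's closing brace by counting depth (which the escaped `\{`/`\}` used outside Perl blocks in the other fragments suggests), an unbalanced brace added to one of these comment lines would end the block early and break the file, so a comment such as `# keep braces in these comment lines balanced: the template engine counts them` would save the next editor a puzzling failure. The regex quoted at `match the regular expression: /[a-zA-Z0-9_.]+/` is unanchored as written, so read literally it matches any name containing one such character rather than names made only of them; the same wording appears in the mods-enabled comment earlier in the patch, and `/^[a-zA-Z0-9_.]+$/` states the intended rule. The `<----->` runs look like the viewer's rendering of tab characters rather than literal text, which is worth confirming in the committed file, though inside comments either is harmless; `moved to the` followed by `the file:` also doubles "the".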
|
|
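--- a/root/etc/e-smith/templates/etc/raddb/sites-available/default/01init
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/01init
@@ -0,0 +1,49 @@
+{
+######################################################################
+#
+# As of 2.0.0, FreeRADIUS supports virtual hosts using the
+# "server" section, and configuration directives.
+#
+# Virtual hosts should be put into the "sites-available"
+# directory. Soft links should be created in the "sites-enabled"
+# directory to these files. This is done in a normal installation.
+#
+# If you are using 802.1X (EAP) authentication, please see also
+# the "inner-tunnel" virtual server. You will likely have to edit
+# that, too, for authentication to work.
+#
+# $Id: e-smith-radiusd-2.6.0-freeradius3.patch,v 1.2 2016/04/07 03:14:49 unnilennium Exp $
+#
+######################################################################
+#
+# Read "man radiusd" before editing this file. See the section
+# titled DEBUGGING. It outlines a method where you can quickly
+# obtain the configuration you want, without running into
+# trouble. See also "man unlang", which documents the format
+# of this file.
+#
+# This configuration is designed to work in the widest possible
+# set of circumstances, with the widest possible number of
+# authentication methods. This means that in general, you should
+# need to make very few changes to this file.
+#
+# The best way to configure the server for your local system
+# is to CAREFULLY edit this file. Most attempts to make large
+# edits to this file will BREAK THE SERVER. Any edits should
+# be small, and tested by running the server with "radiusd -X".
+# Once the edits have been verified to work, save a copy of these
+# configuration files somewhere. (e.g. as a "tar" file). Then,
+# make more edits, and test, as above.
+#
+# There are many "commented out" references to modules such
+# as ldap, sql, etc. These references serve as place-holders.
+# If you need the functionality of that module, then configure
+# it in radiusd.conf, and un-comment the references to it in
+# this file. In most cases, those small changes will result
+# in the server being able to connect to the DB, and to
+# authenticate users.
+#
+######################################################################
+}
+server default \{
+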
|
|
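--- a/root/etc/e-smith/templates/etc/raddb/sites-available/default/20listen
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/20listen
@@ -0,0 +1,90 @@
+{
+# listen: Make the server listen on a particular IP address, and send
+# replies out from that address. This directive is most useful for
+# hosts with multiple IP addresses on one interface.
+#
+# If you want the server to listen on additional addresses, or on
+# additionnal ports, you can use multiple "listen" sections.
+#
+# Each section make the server listen for only one type of packet,
+# therefore authentication and accounting have to be configured in
+# different sections.
+#
+# The server ignore all "listen" section if you are using '-i' and '-p'
+# on the command line.
+}
+# auth
+listen \{
+ type = auth
+{
+ # ipaddr/ipv4addr/ipv6addr - IP address on which to listen.
+ # Out of several options the first one will be used.
+ #
+ # Allowed values are:
+ # IPv4 address (e.g. 1.2.3.4, for ipv4addr/ipaddr)
+ # IPv6 address (e.g. 2001:db8::1, for ipv6addr/ipaddr)
+ # hostname (radius.example.com,
+ # A record for ipv4addr,
+ # AAAA record for ipv6addr,
+ # A or AAAA record for ipaddr)
+ # wildcard (*)
+ #
+ # ipv4addr = *
+ # ipv6addr = *
+}
+ ipaddr = *
+ port = 0
+# interface = eth0
+# clients = per_socket_clients
+{
+ #
+ # Connection limiting for sockets with "proto = tcp".
+ #
+ # This section is ignored for other kinds of sockets.
+ #
+} limit \{
+{
+ #
+ # Limit the number of simultaneous TCP connections to the socket
+ #
+ # The default is 16.
+ # Setting this to 0 means "no limit"
+} max_connections = 16
+{
+ # The per-socket "max_requests" option does not exist.
+
+ #
+ # The lifetime, in seconds, of a TCP connection. After
+ # this lifetime, the connection will be closed.
+ #
+ # Setting this to 0 means "forever".
+} lifetime = 0
+{
+ #
+ # The idle timeout, in seconds, of a TCP connection.
+ # If no packets have been received over the connection for
+ # this time, the connection will be closed.
+ #
+ # Setting this to 0 means "no timeout".
+ #
+ # We STRONGLY RECOMMEND that you set an idle timeout.
+ #
+} idle_timeout = 30
+ \}
+
+\}
+
+#
+# This second "listen" section is for listening on the accounting
+# port, too.
+#
+listen \{
+ type = acct
+ ipaddr = *
+ port = 0
+\}
+
+
+
+
+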
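Review bot: Both listen sections in this hunk bind to every address (`ipaddr = *` under `type = auth` and again under `type = acct`), so the daemon also answers RADIUS on the external interface and exposure then rests entirely on the clients.conf shared secrets and the host firewall. If NAS clients are only expected on the LAN, templating the address from the e-smith internal-interface setting (`ipaddr = {$LocalIP}`, if `LocalIP` is the key the rest of this package relies on) would narrow the listening surface; if the wildcard is deliberate, a comment such as `# wildcard on purpose: NAS clients may sit on any interface; access is restricted by clients.conf` would stop the next reader from second-guessing it. The `limit \{ ... \}` block only applies to `proto = tcp` sockets, as its own comment says, so for these UDP sockets it is inert configuration that could be left out of the generated file.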
|
|
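--- a/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization00init
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization00init
@@ -0,0 +1,11 @@
+{
+# Authorization. First preprocess (hints and huntgroups files),
+# then realms, and finally look in the "users" file.
+#
+# The order of the realm modules will determine the order that
+# we try to find a matching realm.
+#
+# Make *sure* that 'preprocess' comes before any realm if you
+# need to setup hints for the remote radius server
+}
+authorize \{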
|
|
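--- a/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization40default
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization40default
@@ -0,0 +1,102 @@
+{
+ #
+ # Take a User-Name, and perform some checks on it, for spaces and other
+ # invalid characters. If the User-Name appears invalid, reject the
+ # request.
+ #
+ # See policy.d/filter for the definition of the filter_username policy.
+ #
+} filter_username
+{
+ # The preprocess module takes care of sanitizing some bizarre
+ # attributes in the request, and turning them into attributes
+ # which are more standard.
+ #
+ # It takes care of processing the 'raddb/hints' and the
+ # 'raddb/huntgroups' files.
+ #
+ # It also adds the %\{Client-IP-Address\} attribute to the request.
+} preprocess
+{
+ # If you are using multiple kinds of realms, you probably
+ # want to set "ignore_null = yes" for all of them.
+ # Otherwise, when the first style of realm doesn't match,
+ # the other styles won't be checked.
+} suffix
+ ntdomain
+{
+ # This module takes care of EAP-PEAP authentication.
+ #
+ # It also sets the EAP-Type attribute in the request
+ # attribute list to the EAP type from the packet.
+} eap \{
+ ok = return
+ \}
+
+{
+ # If the users are logging in with an MS-CHAP-Challenge
+ # attribute for authentication, the mschap module will find
+ # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
+ # to the request, which will cause the server to then use
+ # the mschap module for authentication.
+} mschap
+{
+ # If you are using /etc/smbpasswd, and are also doing
+ # mschap authentication, the un-comment this line, and
+ # configure the 'smbpasswd' module, above.
+ ( $ldap{Authentication} || 'disabled' ) eq 'enabled' ? 'ldap' : 'smbpasswd';
+}
+
+{
+ #
+ # Pull crypt'd passwords from /etc/passwd or /etc/shadow,
+ # using the system API's to get the password. If you want
+ # to read /etc/passwd or /etc/shadow directly, see the
+ # passwd module in radiusd.conf.
+ #
+}# unix
+
+
+{
+ # Read the 'users' file
+} files
+
+{
+ #
+ # Look in an SQL database. The schema of the database
+ # is meant to mirror the "users" file.
+ #
+ # See "Authorization Queries" in sql.conf
+} -sql
+{
+ #
+ # If you are using /etc/smbpasswd, and are also doing
+ # mschap authentication, the un-comment this line, and
+ # configure the 'smbpasswd' module.
+}# smbpasswd
+{
+ #
+ # The ldap module reads passwords from the LDAP database.
+} -ldap
+
+{ #
+ # Enforce daily limits on time spent logged in.
+# daily
+
+ #
+} expiration
+ logintime
+{
+ #
+ # If no other module has claimed responsibility for
+ # authentication, then try to use PAP. This allows the
+ # other modules listed above to add a "known good" password
+ # to the request, and to do nothing else. The PAP module
+ # will then see that password, and use it to do PAP
+ # authentication.
+ #
+ # This module should be listed last, so that the other modules
+ # get a chance to set Auth-Type for themselves.
+ #
+} pap
+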
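Review bot: The ldap module is listed twice in this authorize section: the template expression `( $ldap{Authentication} || 'disabled' ) eq 'enabled' ? 'ldap' : 'smbpasswd';` emits `ldap` only when LDAP authentication is enabled, but `-ldap` near the end runs the module unconditionally whenever it is loaded. With the setting enabled every request therefore performs two directory lookups, and with it disabled the directory is still consulted after `smbpasswd`, so the e-smith switch does not actually keep LDAP out of authorize; dropping the `-ldap` line (or the conditional) leaves one source of truth. The three comment lines above the expression, ending in `# configure the 'smbpasswd' module, above.`, are left over from the vendor text and no longer describe the line under them; I would replace them with `# ldap or smbpasswd, chosen from the e-smith ldap record's Authentication property`. Whether ldap is loaded at all is decided in mods-enabled, outside this hunk.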
|
|
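--- a/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization99end
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization99end
@@ -0,0 +1 @@
+\}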
|
|
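--- a/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate00setup
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate00setup
@@ -0,0 +1,5 @@
+{
+ my @authModules = '';
+ $OUT = '';
+}
+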
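Review bot: `my @authModules = '';` creates a one-element list holding an empty string rather than an empty list, and if this is the array the later fragments push onto, the assembled authenticate section gains a stray blank line for that element; `my @authModules = ();` says what is meant. It is also not visible from this fragment whether a `my` lexical declared here is seen by the other `{ }` blocks that push onto `@authModules` — if the template engine evaluates each block separately, those pushes land on a package variable instead and the code only works because strict is off. A short comment on this line stating which scoping the fragments rely on, e.g. `# shared with the 40authenticate* fragments below; must not be lexical-only`, would spare the next maintainer that investigation.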
|
|
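--- a/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate10AuthMsChap
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate10AuthMsChap
@@ -0,0 +1,5 @@
+{
+ push(@authModules, "\tAuth-Type MS-CHAP\{\n\t\tmschap\n\t\}\n");
+ $OUT = '';
+}
+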
|
|
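--- a/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate15ldap
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate15ldap
@@ -0,0 +1,5 @@
+{
+ push(@authModules, "\tAuth-Type LDAP\{\n\t\tldap\n\t\}\n");
+ $OUT = '';
+}
+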
|
|
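--- a/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate20authEap
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate20authEap
@@ -0,0 +1,4 @@
+{
+ push(@authModules, "\teap\n");
+ $OUT = '';
+}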
|
|
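--- a/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate99process
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate99process
@@ -0,0 +1,23 @@
+{
+# Authentication.
+#
+# This section lists which modules are available for authentication.
+# Note that it does NOT mean 'try each module in order'. It means
+# that a module from the 'authorize' section adds a configuration
+# attribute 'Auth-Type := FOO'. That authentication type is then
+# used to pick the apropriate module from the list below.
+#
+# In general, you SHOULD NOT set the Auth-Type attribute. The server
+# will figure it out on its own, and will do the right thing. The
+# most common side effect of erroneously setting the Auth-Type
+# attribute is that one authentication method will work, but the
+# others will not.
+#
+# The common reasons to set the Auth-Type attribute by hand
+# is to either forcibly reject the user, or forcibly accept him.
+
+ $OUT = "authenticate \{\n";
+ $OUT .= "$_\n" foreach @authModules;
+ $OUT .= "\}\n";
+
+}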
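Review bot: The authenticate section assembled here only ever receives what the sibling fragments in this patch push — `Auth-Type MS-CHAP`, `Auth-Type LDAP` and `eap` — while the authorize section ends with `pap`, which (as the comment above it explains) claims requests that arrive with a known-good password; unless a fragment outside this patch adds it, such a PAP request then has no matching `Auth-Type PAP` sub-section to run and is rejected. If PAP clients are intentionally unsupported, a comment here saying so, e.g. `# only MS-CHAP, LDAP and EAP are assembled; PAP/CHAP are deliberately not offered`, would make that a decision rather than an omission; otherwise a fragment pushing `"\tAuth-Type PAP\{\n\t\tpap\n\t\}\n"` is the missing piece. Separately, `$OUT .= "$_\n" foreach @authModules;` appends a newline to strings that already end in `\n`, so every entry is followed by a blank line; `$OUT .= $_ foreach @authModules;` would give a tighter file.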
|
|
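--- a/root/etc/e-smith/templates/etc/raddb/sites-available/default/55preacct
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/55preacct
@@ -0,0 +1,47 @@
+{
+#
+# Pre-accounting. Decide which accounting type to use.
+#
+}preacct \{
+ preprocess
+{
+ #
+ # Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets
+ # into a single 64bit counter Acct-[Input|Output]-Octets64.
+ #
+}# acct_counters64
+{
+ #
+ # Session start times are *implied* in RADIUS.
+ # The NAS never sends a "start time". Instead, it sends
+ # a start packet, *possibly* with an Acct-Delay-Time.
+ # The server is supposed to conclude that the start time
+ # was "Acct-Delay-Time" seconds in the past.
+ #
+ # The code below creates an explicit start time, which can
+ # then be used in other modules. It will be *mostly* correct.
+ # Any errors are due to the 1-second resolution of RADIUS,
+ # and the possibility that the time on the NAS may be off.
+ #
+ # The start time is: NOW - delay - session_length
+ #
+}
+# update request {
+# FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
+# }
+
+{
+ #
+ # Ensure that we have a semi-unique identifier for every
+ # request, and many NAS boxes are broken.
+}
+
+ acct_unique
+{
+ # Accounting requests are generally proxied to the same
+ # home server as authentication requests.
+} suffix
+ ntdomain
+ files
+
+\}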
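Review bot: The three disabled example lines `# update request {`, the `FreeRADIUS-Acct-Session-Start-Time = "%{expr: ...}"` line and `# }` sit outside any `{ }` template block yet use bare braces, whereas every other literal brace in this patch is escaped as `\{`/`\}` (compare the disabled `Post-Proxy-Type Fail` example in 90postproxy). The template engine (Text::Template) treats an unescaped `{` as the start of a program fragment, so these lines are most likely consumed as one comment-only Perl fragment and silently vanish from the generated preacct section — harmless while the example is disabled, but a trap for whoever later uncomments it and wonders why nothing changed. Escaping the braces on those three lines the same way as the rest of the file (`# update request \{` … `# \}`, and `%\{...\}` inside the expr string) keeps the example visible in the rendered configuration.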
|
|
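--- a/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting00init
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting00init
@@ -0,0 +1,5 @@
+{
+#
+# Accounting. Log the accounting data.
+#
+}accounting \{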
|
|
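--- a/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting40default
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting40default
@@ -0,0 +1,5 @@
+{ #
+ # Create a 'detail'ed log of the packets.
+ # Note that accounting requests which are proxied
+ # are also logged in the detail file.
+} detail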
|
|
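--- a/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting99end
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting99end
@@ -0,0 +1 @@
+\}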
|
|
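--- a/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session00init
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session00init
@@ -0,0 +1,6 @@
+{
+# Session database, used for checking Simultaneous-Use. Either the radutmp
+# or rlm_sql module can handle this.
+# The rlm_sql module is *much* faster
+}session \{
+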
|
|
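--- a/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session99end
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session99end
@@ -0,0 +1 @@
+\}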
|
|
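--- a/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth00init
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth00init
@@ -0,0 +1,8 @@
+{
+# Post-Authentication
+# Once we KNOW that the user has been authenticated, there are
+# additional steps we can take.
+}post-auth \{
+ # Get an address from the IP Pool.
+# main_pool
+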
|
|
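--- a/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth99end
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth99end
@@ -0,0 +1,26 @@
+{
+ # Remove reply message if the response contains an EAP-Message
+} remove_reply_message_if_eap
+{
+ #
+ # Access-Reject packets are sent through the REJECT sub-section of the
+ # post-auth section.
+ #
+ # Add the ldap module name (or instance) if you have set
+ # 'edir_account_policy_check = yes' in the ldap module configuration
+ #
+} Post-Auth-Type REJECT \{
+ # log failed authentications in SQL, too.
+ #-sql
+ attr_filter.access_reject
+
+ # Insert EAP-Failure message if the request was
+ # rejected by policy instead of because of an
+ # authentication failure
+ eap
+
+ # Remove reply message if the response contains an EAP-Message
+ remove_reply_message_if_eap
+ \}
+\}
+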
|
|
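--- a/root/etc/e-smith/templates/etc/raddb/sites-available/default/85preproxy
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/85preproxy
@@ -0,0 +1,28 @@
+pre-proxy \{
+{
+ # Before proxing the request add an Operator-Name attribute identifying
+ # if the operator-name is found for this client.
+ # No need to uncomment this if you have already enabled this in
+ # the authorize section.
+}# operator-name
+{
+ # The client requests the CUI by sending a CUI attribute
+ # containing one zero byte.
+ # Uncomment the line below if *requesting* the CUI.
+}# cui
+{
+ # Uncomment the following line if you want to change attributes
+ # as defined in the preproxy_users file.
+}# files
+{
+ # Uncomment the following line if you want to filter requests
+ # sent to remote servers based on the rules defined in the
+ # 'attrs.pre-proxy' file.
+}# attr_filter.pre-proxy
+{
+ # If you want to have a log of packets proxied to a home
+ # server, un-comment the following line, and the
+ # 'detail pre_proxy_log' section, above.
+}# pre_proxy_log
+\}
+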
|
|
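--- a/root/etc/e-smith/templates/etc/raddb/sites-available/default/90postproxy
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/90postproxy
@@ -0,0 +1,54 @@
+{
+#
+# When the server receives a reply to a request it proxied
+# to a home server, the request may be massaged here, in the
+# post-proxy stage.
+#
+}
+post-proxy \{
+{
+ # If you want to have a log of replies from a home server,
+ # un-comment the following line, and the 'detail post_proxy_log'
+ # section, above.
+}# post_proxy_log
+{
+ # Uncomment the following line if you want to filter replies from
+ # remote proxies based on the rules defined in the 'attrs' file.
+}# attr_filter.post-proxy
+{
+ #
+ # If you are proxying LEAP, you MUST configure the EAP
+ # module, and you MUST list it here, in the post-proxy
+ # stage.
+ #
+ # You MUST also use the 'nostrip' option in the 'realm'
+ # configuration. Otherwise, the User-Name attribute
+ # in the proxied request will not match the user name
+ # hidden inside of the EAP packet, and the end server will
+ # reject the EAP request.
+ #
+} eap
+{
+ #
+ # If the server tries to proxy a request and fails, then the
+ # request is processed through the modules in this section.
+ #
+ # The main use of this section is to permit robust proxying
+ # of accounting packets. The server can be configured to
+ # proxy accounting packets as part of normal processing.
+ # Then, if the home server goes down, accounting packets can
+ # be logged to a local "detail" file, for processing with
+ # radrelay. When the home server comes back up, radrelay
+ # will read the detail file, and send the packets to the
+ # home server.
+ #
+ # With this configuration, the server always responds to
+ # Accounting-Requests from the NAS, but only writes
+ # accounting packets to disk if the home server is down.
+ #
+}# Post-Proxy-Type Fail \{
+# detail
+# \}
+\}
+
+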
|
|
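--- a/root/etc/e-smith/templates/etc/raddb/sites-available/default/99end
+++ b/root/etc/e-smith/templates/etc/raddb/sites-available/default/99end
@@ -0,0 +1,7 @@
+
+\}
+{
+#
+#end of default server
+#
+}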