/[smeserver]/rpms/e-smith-radiusd/sme10/e-smith-radiusd-2.6.0-freeradius3.patch
ViewVC logotype

Annotation of /rpms/e-smith-radiusd/sme10/e-smith-radiusd-2.6.0-freeradius3.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.3 - (hide annotations) (download)
Tue Apr 12 10:16:09 2016 UTC (8 years, 6 months ago) by unnilennium
Branch: MAIN
CVS Tags: e-smith-radiusd-2_6_0-22_el7_sme, e-smith-radiusd-2_6_0-12_el7_sme, e-smith-radiusd-2_6_0-13_el7_sme, e-smith-radiusd-2_6_0-21_el7_sme, e-smith-radiusd-2_6_0-23_el7_sme, e-smith-radiusd-2_6_0-10_el7_sme, e-smith-radiusd-2_6_0-20_el7_sme, e-smith-radiusd-2_6_0-15_el7_sme, e-smith-radiusd-2_6_0-19_el7_sme, e-smith-radiusd-2_6_0-14_el7_sme, e-smith-radiusd-2_6_0-11_el7_sme, e-smith-radiusd-2_6_0-16_el7_sme, e-smith-radiusd-2_6_0-9_el7_sme, e-smith-radiusd-2_6_0-18_el7_sme, e-smith-radiusd-2_6_0-17_el7_sme, e-smith-radiusd-2_6_0-8_el7_sme, HEAD
Changes since 1.2: +2 -2 lines
* Tue Apr 12 2016 Jean-Philipe Pialasse <tests@pialasse.com> 2.6.0-8.sme
- escaped {} characters in ldap template [SME: 9434]

1 unnilennium 1.1 diff -Nur e-smith-radiusd-2.6.0.old/createlinks e-smith-radiusd-2.6.0/createlinks
2     --- e-smith-radiusd-2.6.0.old/createlinks 2016-02-05 16:34:10.000000000 -0500
3     +++ e-smith-radiusd-2.6.0/createlinks 2016-04-01 12:42:04.837000000 -0400
4     @@ -24,7 +24,9 @@
5    
6     foreach (qw(
7     raddb/clients.conf
8     - raddb/eap.conf
9     + raddb/mods-available/eap
10     + raddb/mods-available/ldap
11     + raddb/sites-available/default
12     raddb/proxy.conf
13     radiusclient-ng/servers))
14     {
15     @@ -33,7 +35,7 @@
16     console-save
17     domain-modify
18     remoteaccess-update
19     - ldap-update
20     + ldap-update
21     ));
22     }
23    
24     @@ -46,7 +48,7 @@
25     console-save
26     domain-modify
27     remoteaccess-update
28     - ldap-update
29     + ldap-update
30     ));
31     }
32    
33     @@ -68,3 +70,9 @@
34    
35     safe_symlink("../daemontools", "root/etc/rc.d/init.d/supervise/radiusd");
36     service_link_enhanced("radiusd", "S90", "7");
37     +
38     +# activate modules
39     +#safe_symlink("../mods-available/realm", "root/etc/raddb/mods-enabled/realm");
40     +safe_symlink("../mods-available/ldap", "root/etc/raddb/mods-enabled/ldap");
41     +safe_symlink("../mods-available/smbpasswd", "root/etc/raddb/mods-enabled/smbpasswd");
42     +
43     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/clients.conf/10localhost e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/clients.conf/10localhost
44     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/clients.conf/10localhost 2008-10-07 13:37:19.000000000 -0400
45     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/clients.conf/10localhost 2016-04-01 11:45:59.890000000 -0400
46     @@ -46,7 +46,7 @@
47     # other # for all other types
48    
49     #
50     -} nastype = other
51     +} nas_type = other
52     {
53     #
54     # The following two configurations are for future use.
55     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/10eap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/10eap
56     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/10eap 2005-06-11 14:24:39.000000000 -0400
57     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/10eap 1969-12-31 19:00:00.000000000 -0500
58     @@ -1 +0,0 @@
59     -eap \{
60     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/15defaultType e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/15defaultType
61     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/15defaultType 2005-06-11 14:24:51.000000000 -0400
62     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/15defaultType 1969-12-31 19:00:00.000000000 -0500
63     @@ -1,14 +0,0 @@
64     -{
65     - # Invoke the default supported EAP type when
66     - # EAP-Identity response is received.
67     - #
68     - # The incoming EAP messages DO NOT specify which EAP
69     - # type they will be using, so it MUST be set here.
70     - #
71     - # For now, only one default EAP type may be used at a time.
72     - #
73     - # If the EAP-Type attribute is set by another module,
74     - # then that EAP type takes precedence over the
75     - # default type configured here.
76     - #
77     -} default_eap_type = peap
78     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/20timerExpire e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/20timerExpire
79     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/20timerExpire 2005-06-11 14:24:56.000000000 -0400
80     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/20timerExpire 1969-12-31 19:00:00.000000000 -0500
81     @@ -1,7 +0,0 @@
82     -{
83     - # A list is maintained to correlate EAP-Response
84     - # packets with EAP-Request packets. After a
85     - # configurable length of time, entries in the list
86     - # expire, and are deleted.
87     - #
88     -} timer_expire = 60
89     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/25ignoreUnknown e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/25ignoreUnknown
90     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/25ignoreUnknown 2005-06-11 14:25:19.000000000 -0400
91     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/25ignoreUnknown 1969-12-31 19:00:00.000000000 -0500
92     @@ -1,14 +0,0 @@
93     -{
94     - # There are many EAP types, but the server has support
95     - # for only a limited subset. If the server receives
96     - # a request for an EAP type it does not support, then
97     - # it normally rejects the request. By setting this
98     - # configuration to "yes", you can tell the server to
99     - # instead keep processing the request. Another module
100     - # MUST then be configured to proxy the request to
101     - # another RADIUS server which supports that EAP type.
102     - #
103     - # If another module is NOT configured to handle the
104     - # request, then the request will still end up being
105     - # rejected.
106     -} ignore_unknown_eap_types = no
107     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/30ciscoBug e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/30ciscoBug
108     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/30ciscoBug 2005-06-11 14:25:22.000000000 -0400
109     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/30ciscoBug 1969-12-31 19:00:00.000000000 -0500
110     @@ -1,8 +0,0 @@
111     -{
112     - # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
113     - # a User-Name attribute in an Access-Accept, it copies one
114     - # more byte than it should.
115     - #
116     - # We can work around it by configurably adding an extra
117     - # zero byte.
118     -} cisco_accounting_username_bug = no
119     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/35tls e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/35tls
120     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/35tls 2005-06-13 12:12:02.000000000 -0400
121     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/35tls 1969-12-31 19:00:00.000000000 -0500
122     @@ -1,64 +0,0 @@
123     -{
124     - ## EAP-TLS
125     - #
126     - # To generate ctest certificates, run the script
127     - #
128     - # ../scripts/certs.sh
129     - #
130     - # The documents on http://www.freeradius.org/doc
131     - # are old, but may be helpful.
132     - #
133     - # See also:
134     - #
135     - # http://www.dslreports.com/forum/remark,9286052~mode=flat
136     - #
137     -}
138     - tls \{
139     - private_key_password = whatever
140     - private_key_file = $\{raddbdir\}/certs/radiusd.pem
141     - certificate_file = $\{raddbdir\}/certs/radiusd.pem
142     - CA_file = $\{raddbdir\}/certs/radiusd.pem
143     - dh_file = $\{raddbdir\}/certs/dh
144     - random_file = $\{raddbdir\}/certs/random
145     -{
146     - #
147     - # This can never exceed the size of a RADIUS
148     - # packet (4096 bytes), and is preferably half
149     - # that, to accomodate other attributes in
150     - # RADIUS packet. On most APs the MAX packet
151     - # length is configured between 1500 - 1600
152     - # In these cases, fragment size should be
153     - # 1024 or less.
154     - #
155     -} #fragment_size = 1024
156     -{
157     - # include_length is a flag which is
158     - # by default set to yes If set to
159     - # yes, Total Length of the message is
160     - # included in EVERY packet we send.
161     - # If set to no, Total Length of the
162     - # message is included ONLY in the
163     - # First packet of a fragment series.
164     - #
165     -} #include_length = yes
166     -{
167     - # Check the Certificate Revocation List
168     - #
169     - # 1) Copy CA certificates and CRLs to same directory.
170     - # 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
171     - # 'c_rehash' is OpenSSL's command.
172     - # 3) Add 'CA_path=<CA certs&CRLs directory>'
173     - # to radiusd.conf's tls section.
174     - # 4) uncomment the line below.
175     - # 5) Restart radiusd
176     -} #check_crl = yes
177     -{
178     - #
179     - # If check_cert_cn is set, the value will
180     - # be xlat'ed and checked against the CN
181     - # in the client certificate. If the values
182     - # do not match, the certificate verification
183     - # will fail rejecting the user.
184     - #
185     -} #check_cert_cn = %\{User-Name\}
186     - \}
187     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/40peap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/40peap
188     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/40peap 2005-06-11 14:25:31.000000000 -0400
189     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/40peap 1969-12-31 19:00:00.000000000 -0500
190     @@ -1,26 +0,0 @@
191     -{
192     - #
193     - # The tunneled EAP session needs a default EAP type
194     - # which is separate from the one for the non-tunneled
195     - # EAP module. Inside of the TLS/PEAP tunnel, we
196     - # recommend using EAP-MS-CHAPv2.
197     - #
198     - # The PEAP module needs the TLS module to be installed
199     - # and configured, in order to use the TLS tunnel
200     - # inside of the EAP packet. You will still need to
201     - # configure the TLS module, even if you do not want
202     - # to deploy EAP-TLS in your network. Users will not
203     - # be able to request EAP-TLS, as it requires them to
204     - # have a client certificate. EAP-PEAP does not
205     - # require a client certificate.
206     - #
207     -}
208     - peap \{
209     -{ # The tunneled EAP session needs a default
210     - # EAP type which is separate from the one for
211     - # the non-tunneled EAP module. Inside of the
212     - # PEAP tunnel, we recommend using MS-CHAPv2,
213     - # as that is the default type supported by
214     - # Windows clients.
215     -} default_eap_type = mschapv2
216     - \}
217     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/45mschapv2 e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/45mschapv2
218     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/45mschapv2 2005-06-11 14:25:34.000000000 -0400
219     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/45mschapv2 1969-12-31 19:00:00.000000000 -0500
220     @@ -1,18 +0,0 @@
221     -{
222     - #
223     - # This takes no configuration.
224     - #
225     - # Note that it is the EAP MS-CHAPv2 sub-module, not
226     - # the main 'mschap' module.
227     - #
228     - # Note also that in order for this sub-module to work,
229     - # the main 'mschap' module MUST ALSO be configured.
230     - #
231     - # This module is the *Microsoft* implementation of MS-CHAPv2
232     - # in EAP. There is another (incompatible) implementation
233     - # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
234     - # currently support.
235     - #
236     -}
237     - mschapv2 \{
238     - \}
239     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/99end
240     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/99end 2005-06-11 14:25:39.000000000 -0400
241     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/99end 1969-12-31 19:00:00.000000000 -0500
242     @@ -1 +0,0 @@
243     -\}
244     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/10eap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/10eap
245     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/10eap 1969-12-31 19:00:00.000000000 -0500
246     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/10eap 2005-06-11 14:24:39.000000000 -0400
247     @@ -0,0 +1 @@
248     +eap \{
249     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/15defaultType e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/15defaultType
250     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/15defaultType 1969-12-31 19:00:00.000000000 -0500
251     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/15defaultType 2005-06-11 14:24:51.000000000 -0400
252     @@ -0,0 +1,14 @@
253     +{
254     + # Invoke the default supported EAP type when
255     + # EAP-Identity response is received.
256     + #
257     + # The incoming EAP messages DO NOT specify which EAP
258     + # type they will be using, so it MUST be set here.
259     + #
260     + # For now, only one default EAP type may be used at a time.
261     + #
262     + # If the EAP-Type attribute is set by another module,
263     + # then that EAP type takes precedence over the
264     + # default type configured here.
265     + #
266     +} default_eap_type = peap
267     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/20timerExpire e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/20timerExpire
268     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/20timerExpire 1969-12-31 19:00:00.000000000 -0500
269     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/20timerExpire 2005-06-11 14:24:56.000000000 -0400
270     @@ -0,0 +1,7 @@
271     +{
272     + # A list is maintained to correlate EAP-Response
273     + # packets with EAP-Request packets. After a
274     + # configurable length of time, entries in the list
275     + # expire, and are deleted.
276     + #
277     +} timer_expire = 60
278     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/25ignoreUnknown e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/25ignoreUnknown
279     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/25ignoreUnknown 1969-12-31 19:00:00.000000000 -0500
280     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/25ignoreUnknown 2005-06-11 14:25:19.000000000 -0400
281     @@ -0,0 +1,14 @@
282     +{
283     + # There are many EAP types, but the server has support
284     + # for only a limited subset. If the server receives
285     + # a request for an EAP type it does not support, then
286     + # it normally rejects the request. By setting this
287     + # configuration to "yes", you can tell the server to
288     + # instead keep processing the request. Another module
289     + # MUST then be configured to proxy the request to
290     + # another RADIUS server which supports that EAP type.
291     + #
292     + # If another module is NOT configured to handle the
293     + # request, then the request will still end up being
294     + # rejected.
295     +} ignore_unknown_eap_types = no
296     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/30ciscoBug e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/30ciscoBug
297     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/30ciscoBug 1969-12-31 19:00:00.000000000 -0500
298     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/30ciscoBug 2005-06-11 14:25:22.000000000 -0400
299     @@ -0,0 +1,8 @@
300     +{
301     + # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
302     + # a User-Name attribute in an Access-Accept, it copies one
303     + # more byte than it should.
304     + #
305     + # We can work around it by configurably adding an extra
306     + # zero byte.
307     +} cisco_accounting_username_bug = no
308     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/35tlscommon e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/35tlscommon
309     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/35tlscommon 1969-12-31 19:00:00.000000000 -0500
310     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/35tlscommon 2016-04-01 12:02:53.346000000 -0400
311     @@ -0,0 +1,130 @@
312     +{
313     + ## EAP-TLS
314     + #
315     + # To generate ctest certificates, run the script
316     + #
317     + # ../scripts/certs.sh
318     + #
319     + # The documents on http://www.freeradius.org/doc
320     + # are old, but may be helpful.
321     + #
322     + # See also:
323     + #
324     + # http://www.dslreports.com/forum/remark,9286052~mode=flat
325     + #
326     + # Note that you should NOT use a globally known CA here!
327     + # e.g. using a Verisign cert as a "known CA" means that
328     + # ANYONE who has a certificate signed by them can
329     + # authenticate via EAP-TLS! This is likely not what you want.
330     +}
331     + tls-config tls-common \{
332     + private_key_password = whatever
333     + private_key_file = $\{raddbdir\}/certs/radiusd.pem
334     + certificate_file = $\{raddbdir\}/certs/radiusd.pem
335     + ca_file = $\{raddbdir\}/certs/radiusd.pem
336     + dh_file = $\{raddbdir\}/certs/dh
337     + random_file = $\{raddbdir\}/certs/random
338     +{
339     + #
340     + # This can never exceed the size of a RADIUS
341     + # packet (4096 bytes), and is preferably half
342     + # that, to accomodate other attributes in
343     + # RADIUS packet. On most APs the MAX packet
344     + # length is configured between 1500 - 1600
345     + # In these cases, fragment size should be
346     + # 1024 or less.
347     + #
348     +} #fragment_size = 1024
349     +{
350     + # include_length is a flag which is
351     + # by default set to yes If set to
352     + # yes, Total Length of the message is
353     + # included in EVERY packet we send.
354     + # If set to no, Total Length of the
355     + # message is included ONLY in the
356     + # First packet of a fragment series.
357     + #
358     +} #include_length = yes
359     +{
360     + # Check the Certificate Revocation List
361     + #
362     + # 1) Copy CA certificates and CRLs to same directory.
363     + # 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
364     + # 'c_rehash' is OpenSSL's command.
365     + # 3) Add 'CA_path=<CA certs&CRLs directory>'
366     + # to radiusd.conf's tls section.
367     + # 4) uncomment the line below.
368     + # 5) Restart radiusd
369     +} #check_crl = yes
370     +{
371     + #
372     + # If check_cert_cn is set, the value will
373     + # be xlat'ed and checked against the CN
374     + # in the client certificate. If the values
375     + # do not match, the certificate verification
376     + # will fail rejecting the user.
377     + #
378     +} #check_cert_cn = %\{User-Name\}
379     +{
380     + #
381     + # Set this option to specify the allowed
382     + # TLS cipher suites. The format is listed
383     + # in "man 1 ciphers".
384     +} cipher_list = "DEFAULT"
385     +{
386     + #
387     +
388     + #
389     + # Elliptical cryptography configuration
390     + #
391     + # Only for OpenSSL >= 0.9.8.f
392     + #
393     +} ecdh_curve = "prime256v1"
394     +
395     +{
396     + #
397     + # Session resumption / fast reauthentication
398     + # cache.
399     + #
400     + # The cache contains the following information:
401     + #
402     + # session Id - unique identifier, managed by SSL
403     + # User-Name - from the Access-Accept
404     + # Stripped-User-Name - from the Access-Request
405     + # Cached-Session-Policy - from the Access-Accept
406     + #
407     + # The "Cached-Session-Policy" is the name of a
408     + # policy which should be applied to the cached
409     + # session. This policy can be used to assign
410     + # VLANs, IP addresses, etc. It serves as a useful
411     + # way to re-apply the policy from the original
412     + # Access-Accept to the subsequent Access-Accept
413     + # for the cached session.
414     + #
415     + # On session resumption, these attributes are
416     + # copied from the cache, and placed into the
417     + # reply list.
418     + #
419     + # You probably also want "use_tunneled_reply = yes"
420     + # when using fast session resumption.
421     + #
422     +} cache \{
423     + enable = yes
424     + lifetime = 24 # hours
425     + max_entries = 255
426     + \}
427     +{
428     + #
429     + # As of version 2.1.10, client certificates can be
430     + # validated via an external command. This allows
431     + # dynamic CRLs or OCSP to be used.
432     + #
433     + # This configuration is commented out in the
434     + # default configuration. Uncomment it, and configure
435     + # the correct paths below to enable it.
436     + #
437     +}
438     +
439     +
440     +
441     + \}
442     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/37tls e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/37tls
443     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/37tls 1969-12-31 19:00:00.000000000 -0500
444     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/37tls 2016-04-01 12:06:29.540000000 -0400
445     @@ -0,0 +1,21 @@
446     +{
447     + ## EAP-TLS
448     + #
449     + # As of Version 3.0, the TLS configuration for TLS-based
450     + # EAP types is above in the "tls-config" section.
451     + #
452     +}
453     + tls \{
454     +{
455     + # Point to the common TLS configuration
456     +} tls = tls-common
457     +{
458     + #
459     + # As part of checking a client certificate, the EAP-TLS
460     + # sets some attributes such as TLS-Client-Cert-CN. This
461     + # virtual server has access to these attributes, and can
462     + # be used to accept or reject the request.
463     + #
464     +} # virtual_server = check-eap-tls
465     + \}
466     +
467     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/39ttls e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/39ttls
468     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/39ttls 1969-12-31 19:00:00.000000000 -0500
469     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/39ttls 2016-04-01 12:08:51.030000000 -0400
470     @@ -0,0 +1,90 @@
471     +{
472     + ## EAP-TTLS
473     + #
474     + # The TTLS module implements the EAP-TTLS protocol,
475     + # which can be described as EAP inside of Diameter,
476     + # inside of TLS, inside of EAP, inside of RADIUS...
477     + #
478     + # Surprisingly, it works quite well.
479     + #
480     +} ttls \{
481     +{
482     + # Which tls-config section the TLS negotiation parameters
483     + # are in - see EAP-TLS above for an explanation.
484     + #
485     + # In the case that an old configuration from FreeRADIUS
486     + # v2.x is being used, all the options of the tls-config
487     + # section may also appear instead in the 'tls' section
488     + # above. If that is done, the tls= option here (and in
489     + # tls above) MUST be commented out.
490     + #
491     +} tls = tls-common
492     +{
493     + # The tunneled EAP session needs a default EAP type
494     + # which is separate from the one for the non-tunneled
495     + # EAP module. Inside of the TTLS tunnel, we recommend
496     + # using EAP-MD5. If the request does not contain an
497     + # EAP conversation, then this configuration entry is
498     + # ignored.
499     + #
500     +} default_eap_type = md5
501     +{
502     + # The tunneled authentication request does not usually
503     + # contain useful attributes like 'Calling-Station-Id',
504     + # etc. These attributes are outside of the tunnel,
505     + # and normally unavailable to the tunneled
506     + # authentication request.
507     + #
508     + # By setting this configuration entry to 'yes',
509     + # any attribute which is NOT in the tunneled
510     + # authentication request, but which IS available
511     + # outside of the tunnel, is copied to the tunneled
512     + # request.
513     + #
514     + # allowed values: {no, yes}
515     + #
516     +} copy_request_to_tunnel = no
517     +{
518     + # The reply attributes sent to the NAS are usually
519     + # based on the name of the user 'outside' of the
520     + # tunnel (usually 'anonymous'). If you want to send
521     + # the reply attributes based on the user name inside
522     + # of the tunnel, then set this configuration entry to
523     + # 'yes', and the reply to the NAS will be taken from
524     + # the reply to the tunneled request.
525     + #
526     + # allowed values: {no, yes}
527     + #
528     +} use_tunneled_reply = no
529     +{
530     + #
531     + # The inner tunneled request can be sent
532     + # through a virtual server constructed
533     + # specifically for this purpose.
534     + #
535     + # If this entry is commented out, the inner
536     + # tunneled request will be sent through
537     + # the virtual server that processed the
538     + # outer requests.
539     + #
540     +} virtual_server = "inner-tunnel"
541     +{
542     + # This has the same meaning, and overwrites, the
543     + # same field in the "tls" configuration, above.
544     + # The default value here is "yes".
545     + #
546     +} # include_length = yes
547     +{
548     + #
549     + # Unlike EAP-TLS, EAP-TTLS does not require a client
550     + # certificate. However, you can require one by setting the
551     + # following option. You can also override this option by
552     + # setting
553     + #
554     + # EAP-TLS-Require-Client-Cert = Yes
555     + #
556     + # in the control items for a request.
557     + #
558     +} # require_client_cert = yes
559     + \}
560     +
561     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/40peap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/40peap
562     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/40peap 1969-12-31 19:00:00.000000000 -0500
563     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/40peap 2016-04-01 12:04:44.387000000 -0400
564     @@ -0,0 +1,33 @@
565     +{
566     + #
567     + # The tunneled EAP session needs a default EAP type
568     + # which is separate from the one for the non-tunneled
569     + # EAP module. Inside of the TLS/PEAP tunnel, we
570     + # recommend using EAP-MS-CHAPv2.
571     + #
572     + # The PEAP module needs the TLS module to be installed
573     + # and configured, in order to use the TLS tunnel
574     + # inside of the EAP packet. You will still need to
575     + # configure the TLS module, even if you do not want
576     + # to deploy EAP-TLS in your network. Users will not
577     + # be able to request EAP-TLS, as it requires them to
578     + # have a client certificate. EAP-PEAP does not
579     + # require a client certificate.
580     + #
581     +}
582     + peap \{
583     + tls = tls-common
584     +
585     +{ # The tunneled EAP session needs a default
586     + # EAP type which is separate from the one for
587     + # the non-tunneled EAP module. Inside of the
588     + # PEAP tunnel, we recommend using MS-CHAPv2,
589     + # as that is the default type supported by
590     + # Windows clients.
591     +} default_eap_type = mschapv2
592     +
593     +
594     + copy_request_to_tunnel = no
595     + use_tunneled_reply = no
596     +
597     + \}
598     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/45mschapv2 e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/45mschapv2
599     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/45mschapv2 1969-12-31 19:00:00.000000000 -0500
600     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/45mschapv2 2005-06-11 14:25:34.000000000 -0400
601     @@ -0,0 +1,18 @@
602     +{
603     + #
604     + # This takes no configuration.
605     + #
606     + # Note that it is the EAP MS-CHAPv2 sub-module, not
607     + # the main 'mschap' module.
608     + #
609     + # Note also that in order for this sub-module to work,
610     + # the main 'mschap' module MUST ALSO be configured.
611     + #
612     + # This module is the *Microsoft* implementation of MS-CHAPv2
613     + # in EAP. There is another (incompatible) implementation
614     + # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
615     + # currently support.
616     + #
617     +}
618     + mschapv2 \{
619     + \}
620     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/99end
621     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/99end 1969-12-31 19:00:00.000000000 -0500
622     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/99end 2005-06-11 14:25:39.000000000 -0400
623     @@ -0,0 +1 @@
624     +\}
625     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/ldap/25modules30ldap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/ldap/25modules30ldap
626     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/ldap/25modules30ldap 1969-12-31 19:00:00.000000000 -0500
627     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/ldap/25modules30ldap 2016-04-01 12:33:08.367000000 -0400
628     @@ -0,0 +1,291 @@
629     +{
630     +
631     + use esmith::util;
632     + $OUT = '';
633     +
634     + $pw = esmith::util::LdapPassword();
635     + $base = esmith::util::ldapBase ($DomainName);
636     +
637     +} ldap \{
638     + server = "localhost"
639     + identity = "cn=root,{ $base }"
640     + password = { $pw }
641     + basedn = "{ $base }"
642     + filter = "(&(objectClass=posixAccount)(uid=%\{Stripped-User-Name:-%\{User-Name\}\}))"
643     + ldap_connections_number = 5
644     + timeout = 4
645     + timelimit = 3
646     + net_timeout = 3
647     + tls \{
648     + start_tls = no
649     + \}
650     + groupname_attribute = cn
651     + groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%\{Stripped-User-Name:-%\{User-Name\}\}))"
652     +
653     + update \{
654     + control:Password-With-Header += 'userPassword'
655     +
656     + \}
657     + user \{
658     + # Where to start searching in the tree for users
659     +# base_dn = "$\{..base_dn\}"
660     +
661     + # Filter for user objects, should be specific enough
662     + # to identify a single user object.
663     +# filter = "(uid=%\{%\{Stripped-User-Name\}:-%\{User-Name\}\})"
664     + \}
665     + group \{
666     + # Where to start searching in the tree for groups
667     +# base_dn = "$\{..base_dn\}"
668     +
669     + # Filter for group objects, should match all available
670     + # group objects a user might be a member of.
671     +# filter = "(objectClass=posixGroup)"
672     +# membership_attribute = "memberOf"
673     + \}
674     +
675     + profile \{
676     + # Filter for RADIUS profile objects
677     +# filter = "(objectclass=radiusprofile)"
678     +
679     + # The default profile applied to all users.
680     +# default = "cn=radprofile,dc=example,dc=org"
681     +
682     + # The list of profiles which are applied (after the default)
683     + # to all users.
684     + # The "User-Profile" attribute in the control list
685     + # will override this setting at run-time.
686     +# attribute = "radiusProfileDn"
687     + \}
688     +
689     +
690     + client \{
691     + # Where to start searching in the tree for clients
692     +# base_dn = "$\{..base_dn\}"
693     +
694     + #
695     + # Filter to match client objects
696     + #
697     +# filter = '(objectClass=frClient)'
698     +
699     + # Search scope, may be 'base', 'one', 'sub' or 'children'
700     +# scope = 'sub'
701     +
702     + #
703     + # Client attribute mappings are in the format:
704     + # <client attribute> = <ldap attribute>
705     + #
706 unnilennium 1.3 + # Arbitrary attributes (accessible by %\{client:<attr>\}) are not yet supported.
707 unnilennium 1.1 + #
708     + # The following attributes are required:
709     + # * identifier - IPv4 address, or IPv4 address with prefix, or hostname.
710     + # * secret - RADIUS shared secret.
711     + #
712     + # The following attributes are optional:
713     + # * shortname - Friendly name associated with the client
714     + # * nas_type - NAS Type
715     + # * virtual_server - Virtual server to associate the client with
716     + # * require_message_authenticator - Whether we require the Message-Authenticator
717     + # attribute to be present in requests from the client.
718     + #
719     + # Schemas are available in doc/schemas/ldap for openldap and eDirectory
720     + #
721     + attribute \{
722     +# identifier = 'radiusClientIdentifier'
723     +# secret = 'radiusClientSecret'
724     +# shortname = 'radiusClientShortname'
725     +# nas_type = 'radiusClientType'
726     +# virtual_server = 'radiusClientVirtualServer'
727     +# require_message_authenticator = 'radiusClientRequireMa'
728     + \}
729     + \}
730     +
731     +
732     +
733     + # Useful for recording things like the last time the user logged
734     + # in, or the Acct-Session-ID for CoA/DM.
735     + #
736     + # LDAP modification items are in the format:
737     + # <ldap attr> <op> <value>
738     + #
739     + # Where:
740     + # <ldap attr>: The LDAP attribute to add modify or delete.
741     + # <op>: One of the assignment operators:
742     + # (:=, +=, -=, ++).
743     + # Note: '=' is *not* supported.
744     + # <value>: The value to add modify or delete.
745     + #
746     + # WARNING: If using the ':=' operator with a multi-valued LDAP
747     + # attribute, all instances of the attribute will be removed and
748     + # replaced with a single attribute.
749     + accounting \{
750     + reference = "%\{tolower:type.%\{Acct-Status-Type\}\}"
751     +
752     + type \{
753     + start \{
754     + update \{
755     + description := "Online at %S"
756     + \}
757     + \}
758     +
759     + interim-update \{
760     + update \{
761     + description := "Last seen at %S"
762     + \}
763     + \}
764     +
765     + stop \{
766     + update \{
767     + description := "Offline at %S"
768     + \}
769     + \}
770     + \}
771     + \}
772     +
773     +
774     +
775     +
776     + #
777     + # Post-Auth can modify LDAP objects too
778     + #
779     + post-auth \{
780     + update \{
781     + description := "Authenticated at %S"
782     + \}
783     + \}
784     +
785     +
786     +
787     +
788     +
789     + # LDAP connection-specific options.
790     + #
791     + # These options set timeouts, keep-alives, etc. for the connections.
792     + #
793     + options \{
794     + # Control under which situations aliases are followed.
795     + # May be one of 'never', 'searching', 'finding' or 'always'
796     + # default: libldap's default which is usually 'never'.
797     + #
798     + # LDAP_OPT_DEREF is set to this value.
799     +# dereference = 'always'
800     +
801     + #
802     + # The following two configuration items control whether the
803     + # server follows references returned by LDAP directory.
804     + # They are mostly for Active Directory compatibility.
805     + # If you set these to "no", then searches will likely return
806     + # "operations error", instead of a useful result.
807     + #
808     + chase_referrals = yes
809     + rebind = yes
810     +
811     + # Seconds to wait for LDAP query to finish. default: 20
812     + timeout = 10
813     +
814     + # Seconds LDAP server has to process the query (server-side
815     + # time limit). default: 20
816     + #
817     + # LDAP_OPT_TIMELIMIT is set to this value.
818     + timelimit = 3
819     +
820     + # Seconds to wait for response of the server. (network
821     + # failures) default: 10
822     + #
823     + # LDAP_OPT_NETWORK_TIMEOUT is set to this value.
824     + net_timeout = 1
825     +
826     + # LDAP_OPT_X_KEEPALIVE_IDLE
827     + idle = 60
828     +
829     + # LDAP_OPT_X_KEEPALIVE_PROBES
830     + probes = 3
831     +
832     + # LDAP_OPT_X_KEEPALIVE_INTERVAL
833     + interval = 3
834     +
835     + # ldap_debug: debug flag for LDAP SDK
836     + # (see OpenLDAP documentation). Set this to enable
837     + # huge amounts of LDAP debugging on the screen.
838     + # You should only use this if you are an LDAP expert.
839     + #
840     + # default: 0x0000 (no debugging messages)
841     + # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
842     + ldap_debug = 0x0028
843     + \}
844     +
845     +
846     + # The connection pool is new for 3.0, and will be used in many
847     + # modules, for all kinds of connection-related activity.
848     + #
849     + # When the server is not threaded, the connection pool
850     + # limits are ignored, and only one connection is used.
851     + pool \{
852     + # Number of connections to start
853     + start = 5
854     +
855     + # Minimum number of connections to keep open
856     + min = 4
857     +
858     + # Maximum number of connections
859     + #
860     + # If these connections are all in use and a new one
861     + # is requested, the request will NOT get a connection.
862     + #
863     + # Setting 'max' to LESS than the number of threads means
864     + # that some threads may starve, and you will see errors
865     + # like "No connections available and at max connection limit"
866     + #
867     + # Setting 'max' to MORE than the number of threads means
868     + # that there are more connections than necessary.
869     + max = $\{thread[pool].max_servers\}
870     +
871     + # Spare connections to be left idle
872     + #
873     + # NOTE: Idle connections WILL be closed if "idle_timeout"
874     + # is set.
875     + spare = 3
876     +
877     + # Number of uses before the connection is closed
878     + #
879     + # 0 means "infinite"
880     + uses = 0
881     +
882     + # The lifetime (in seconds) of the connection
883     + lifetime = 0
884     +
885     + # Idle timeout (in seconds). A connection which is
886     + # unused for this length of time will be closed.
887     + idle_timeout = 60
888     +
889     + # NOTE: All configuration settings are enforced. If a
890     + # connection is closed because of "idle_timeout",
891     + # "uses", or "lifetime", then the total number of
892     + # connections MAY fall below "min". When that
893     + # happens, it will open a new connection. It will
894     + # also log a WARNING message.
895     + #
896     + # The solution is to either lower the "min" connections,
897     + # or increase lifetime/idle_timeout.
898     + \}
899     +
900     +
901     +
902     +
903     +
904     +
905     +
906     +
907     +
908     +
909     +
910     +
911     +
912     +
913     +
914     +
915     +
916     +
917     +
918     +
919     + \}
920     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/05init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/05init
921     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/05init 2016-02-05 16:34:10.000000000 -0500
922     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/05init 2016-04-01 09:29:51.476000000 -0400
923     @@ -27,9 +27,17 @@
924     raddbdir = $\{sysconfdir\}/raddb
925     radacctdir = $\{logdir\}/radacct
926    
927     +{
928     +#
929     +# name of the running server. See also the "-n" command-line option.
930     +}
931     +name = radiusd
932     +
933     confdir = $\{raddbdir\}
934     +modconfdir = $\{confdir\}/mods-config
935     +certdir = $\{confdir\}/certs
936     +cadir = $\{confdir\}/certs
937     run_dir = $\{localstatedir\}/run/radiusd
938     -log_file = $\{logdir\}/radius.log
939     {
940     # libdir: Where to find the rlm_* modules.
941     #
942     @@ -73,31 +81,45 @@
943     #
944     # e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
945     }
946     -pidfile = $\{run_dir\}/radiusd.pid
947     +pidfile = $\{run_dir\}/$\{name\}.pid
948     {
949     -# user/group: The name (or #number) of the user/group to run radiusd as.
950     +# panic_action: Command to execute if the server dies unexpectedly.
951     +#
952     +# FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.
953     +# AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.
954     +# AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART.
955     +#
956     +# THE SERVER MUST NOT BE ALLOWED EXECUTE UNTRUSTED PANIC ACTION CODE
957     +# PATTACH CAN BE USED AS AN ATTACK VECTOR.
958     +#
959     +# The panic action is a command which will be executed if the server
960     +# receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS,
961     +# SIGABRT or SIGFPE.
962     #
963     -# If these are commented out, the server will run as the user/group
964     -# that started it. In order to change to a different user/group, you
965     -# MUST be root ( or have root privleges ) to start the server.
966     +# This can be used to start an interactive debugging session so
967     +# that information regarding the current state of the server can
968     +# be acquired.
969     #
970     -# We STRONGLY recommend that you run the server with as few permissions
971     -# as possible. That is, if you're not using shadow passwords, the
972     -# user and group items below should be set to 'nobody'.
973     +# The following string substitutions are available:
974     +# - %e The currently executing program e.g. /sbin/radiusd
975     +# - %p The PID of the currently executing program e.g. 12345
976     #
977     -# On SCO (ODT 3) use "user = nouser" and "group = nogroup".
978     +# Standard ${} substitutions are also allowed.
979     #
980     -# NOTE that some kernels refuse to setgid(group) when the value of
981     -# (unsigned)group is above 60000; don't use group nobody on these systems!
982     +# An example panic action for opening an interactive session in GDB would be:
983     +#
984     +#panic_action = "gdb %e %p"
985     +#
986     +# Again, don't use that on a production system.
987     +#
988     +# An example panic action for opening an automated session in GDB would be:
989     +#
990     +#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log"
991     +#
992     +# That command can be used on a production system.
993     #
994     -# On systems with shadow passwords, you might have to set 'group = shadow'
995     -# for the server to be able to read the shadow password file. If you can
996     -# authenticate users while in debug mode, but not in daemon mode, it may be
997     -# that the debugging mode server is running as a user that can read the
998     -# shadow info, and the user listed below can not.
999     }
1000     -user = root
1001     -group = root
1002     +
1003     {
1004     # max_request_time: The maximum time (in seconds) to handle a request.
1005     #
1006     @@ -207,13 +229,6 @@
1007     }
1008     hostname_lookups = no
1009     {
1010     -# Core dumps are a bad thing. This should only be set to 'yes'
1011     -# if you're debugging a problem with the server.
1012     -#
1013     -# allowed values: \{no, yes\}
1014     -}
1015     -allow_core_dumps = no
1016     -{
1017     # Regular expressions
1018     #
1019     # These items are set at configure time. If they're set to "yes",
1020     @@ -225,27 +240,6 @@
1021     regular_expressions = yes
1022     extended_expressions = yes
1023     {
1024     -# Log the full User-Name attribute, as it was found in the request.
1025     -#
1026     -# allowed values: \{no, yes\}
1027     -}
1028     -log_stripped_names = no
1029     -{
1030     -# Log authentication requests to the log file.
1031     -#
1032     -# allowed values: \{no, yes\}
1033     -}
1034     -log_auth = no
1035     -{
1036     -# Log passwords with the authentication requests.
1037     -# log_auth_badpass - logs password if it's rejected
1038     -# log_auth_goodpass - logs password if it's correct
1039     -#
1040     -# allowed values: \{no, yes\}
1041     -}
1042     -log_auth_badpass = no
1043     -log_auth_goodpass = no
1044     -{
1045     # usercollide: Turn "username collision" code on and off. See the
1046     # "doc/duplicate-users" file
1047     #
1048     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/07log e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/07log
1049     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/07log 1969-12-31 19:00:00.000000000 -0500
1050     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/07log 2016-04-01 09:21:32.222000000 -0400
1051     @@ -0,0 +1,127 @@
1052     +{
1053     +#
1054     +# Logging section. The various "log_*" configuration items
1055     +# will eventually be moved here.
1056     +#
1057     +# previously this section was only:
1058     +#log_file = $\{logdir\}/radius.log
1059     +}
1060     +log \{
1061     +{
1062     + #
1063     + # Destination for log messages. This can be one of:
1064     + #
1065     + # files - log to "file", as defined below.
1066     + # syslog - to syslog (see also the "syslog_facility", below.
1067     + # stdout - standard output
1068     + # stderr - standard error.
1069     + #
1070     + # The command-line option "-X" over-rides this option, and forces
1071     + # logging to go to stdout.
1072     + #
1073     +} destination = files
1074     +{
1075     + #
1076     + # Highlight important messages sent to stderr and stdout.
1077     + #
1078     + # Option will be ignored (disabled) if output if TERM is not
1079     + # an xterm or output is not to a TTY.
1080     + #
1081     +} colourise = yes
1082     +{
1083     + #
1084     + # The logging messages for the server are appended to the
1085     + # tail of this file if destination == "files"
1086     + #
1087     + # If the server is running in debugging mode, this file is
1088     + # NOT used.
1089     + #
1090 unnilennium 1.2 +} file = $\{logdir\}/radius.log
1091 unnilennium 1.1 +{
1092     + #
1093     + # If this configuration parameter is set, then log messages for
1094     + # a *request* go to this file, rather than to radius.log.
1095     + #
1096     + # i.e. This is a log file per request, once the server has accepted
1097     + # the request as being from a valid client. Messages that are
1098     + # not associated with a request still go to radius.log.
1099     + #
1100     + # Not all log messages in the server core have been updated to use
1101     + # this new internal API. As a result, some messages will still
1102     + # go to radius.log. Please submit patches to fix this behavior.
1103     + #
1104     + # The file name is expanded dynamically. You should ONLY user
1105     + # server-side attributes for the filename (e.g. things you control).
1106     + # Using this feature MAY also slow down the server substantially,
1107     + # especially if you do thinks like SQL calls as part of the
1108     + # expansion of the filename.
1109     + #
1110     + # The name of the log file should use attributes that don't change
1111     + # over the lifetime of a request, such as User-Name,
1112     + # Virtual-Server or Packet-Src-IP-Address. Otherwise, the log
1113     + # messages will be distributed over multiple files.
1114     + #
1115     + # Logging can be enabled for an individual request by a special
1116     + # dynamic expansion macro: %{debug: 1}, where the debug level
1117     + # for this request is set to '1' (or 2, 3, etc.). e.g.
1118     + #
1119     + # ...
1120     + # update control {
1121     + # Tmp-String-0 = "%{debug:1}"
1122     + # }
1123     + # ...
1124     + #
1125     + # The attribute that the value is assigned to is unimportant,
1126     + # and should be a "throw-away" attribute with no side effects.
1127     + #
1128     + #requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
1129     +
1130     + #
1131     + # Which syslog facility to use, if ${destination} == "syslog"
1132     + #
1133     + # The exact values permitted here are OS-dependent. You probably
1134     + # don't want to change this.
1135     + #
1136     +} syslog_facility = daemon
1137     +{
1138     + # Log the full User-Name attribute, as it was found in the request.
1139     + #
1140     + # allowed values: {no, yes}
1141     + #
1142     + #
1143     +} stripped_names = no
1144     +{
1145     + # Log authentication requests to the log file.
1146     + #
1147     + # allowed values: {no, yes}
1148     + #
1149     +} auth = no
1150     +{
1151     + # Log passwords with the authentication requests.
1152     + # auth_badpass - logs password if it's rejected
1153     + # auth_goodpass - logs password if it's correct
1154     + #
1155     + # allowed values: {no, yes}
1156     + #
1157     +} auth_badpass = no
1158     + auth_goodpass = no
1159     +{
1160     + # Log additional text at the end of the "Login OK" messages.
1161     + # for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
1162     + # configurations above have to be set to "yes".
1163     + #
1164     + # The strings below are dynamically expanded, which means that
1165     + # you can put anything you want in them. However, note that
1166     + # this expansion can be slow, and can negatively impact server
1167     + # performance.
1168     + #
1169     +}
1170     +# msg_goodpass = ""
1171     +# msg_badpass = ""
1172     +{
1173     + # The message when the user exceeds the Simultaneous-Use limit.
1174     + #
1175     +}
1176     + msg_denied = "You are already logged in - access denied"
1177     +\}
1178     +
1179     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/10security e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/10security
1180     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/10security 2005-06-11 12:01:54.000000000 -0400
1181     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/10security 2016-04-01 07:32:01.846000000 -0400
1182     @@ -6,6 +6,43 @@
1183     # of those attacks
1184     }
1185     security \{
1186     +{ # user/group: The name (or #number) of the user/group to run radiusd as.
1187     + #
1188     + # If these are commented out, the server will run as the
1189     + # user/group that started it. In order to change to a
1190     + # different user/group, you MUST be root ( or have root
1191     + # privileges ) to start the server.
1192     + #
1193     + # We STRONGLY recommend that you run the server with as few
1194     + # permissions as possible. That is, if you're not using
1195     + # shadow passwords, the user and group items below should be
1196     + # set to radius'.
1197     + #
1198     + # NOTE that some kernels refuse to setgid(group) when the
1199     + # value of (unsigned)group is above 60000; don't use group
1200     + # "nobody" on these systems!
1201     + #
1202     + # On systems with shadow passwords, you might have to set
1203     + # 'group = shadow' for the server to be able to read the
1204     + # shadow password file. If you can authenticate users while
1205     + # in debug mode, but not in daemon mode, it may be that the
1206     + # debugging mode server is running as a user that can read
1207     + # the shadow info, and the user listed below can not.
1208     + #
1209     + # The server will also try to use "initgroups" to read
1210     + # /etc/groups. It will join all groups where "user" is a
1211     + # member. This can allow for some finer-grained access
1212     + # controls.
1213     + #
1214     +} user = root
1215     + group = root
1216     +{
1217     + # Core dumps are a bad thing. This should only be set to
1218     + # 'yes' if you're debugging a problem with the server.
1219     + #
1220     + # allowed values: {no, yes}
1221     + #
1222     +} allow_core_dumps = no
1223     {
1224     # max_attributes: The maximum number of attributes
1225     # permitted in a RADIUS packet. Packets which have MORE
1226     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/15configuration e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/15configuration
1227     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/15configuration 2005-06-11 14:31:14.000000000 -0400
1228     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/15configuration 2016-04-01 07:48:08.316000000 -0400
1229     @@ -99,4 +99,19 @@
1230     # '0' is a special value meaning 'infinity', or 'the servers never
1231     # exit'
1232     } max_requests_per_server = 0
1233     +{
1234     + # If the received PPS is larger than the processed PPS, *and*
1235     + # the queue is more than half full, then new accounting
1236     + # requests are probabilistically discarded. This lowers the
1237     + # number of packets that the server needs to process. Over
1238     + # time, the server will "catch up" with the traffic.
1239     + #
1240     + # Throwing away accounting packets is usually safe and low
1241     + # impact. The NAS will retransmit them in a few seconds, or
1242     + # even a few minutes. Vendors should read RFC 5080 Section 2.2.1
1243     + # to see how accounting packets should be retransmitted. Using
1244     + # any other method is likely to cause network meltdowns.
1245     + #
1246     +} auto_limit_acct = no
1247     +
1248     \}
1249     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/17snmp e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/17snmp
1250     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/17snmp 1969-12-31 19:00:00.000000000 -0500
1251     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/17snmp 2016-04-01 07:49:00.444000000 -0400
1252     @@ -0,0 +1,10 @@
1253     +{
1254     +######################################################################
1255     +#
1256     +# SNMP notifications. Uncomment the following line to enable
1257     +# snmptraps. Note that you MUST also configure the full path
1258     +# to the "snmptrap" command in the "trigger.conf" file.
1259     +#
1260     +}
1261     +#$INCLUDE trigger.conf
1262     +
1263     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/20modules00init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/20modules00init
1264     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/20modules00init 2005-06-11 14:32:26.000000000 -0400
1265     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/20modules00init 2016-04-01 07:56:07.712000000 -0400
1266     @@ -7,18 +7,34 @@
1267     # in other sections of this configuration file.
1268     }
1269     modules \{ {
1270     - # Each module has a configuration as follows:
1271     - #
1272     - # name [ instance ] \{
1273     - # config_item = value
1274     - # ...
1275     - # \}
1276     - #
1277     - # The 'name' is used to load the 'rlm_name' library
1278     - # which implements the functionality of the module.
1279     - #
1280     - # The 'instance' is optional. To have two different instances
1281     - # of a module, it first must be referred to by 'name'.
1282     - # The different copies of the module are then created by
1283     - # inventing two 'instance' names, e.g. 'instance1' and 'instance2'
1284     + #
1285     + # Each module has a configuration as follows:
1286     + #
1287     + # name [ instance ] {
1288     + # config_item = value
1289     + # ...
1290     + # }
1291     + #
1292     + # The 'name' is used to load the 'rlm_name' library
1293     + # which implements the functionality of the module.
1294     + #
1295     + # The 'instance' is optional. To have two different instances
1296     + # of a module, it first must be referred to by 'name'.
1297     + # The different copies of the module are then created by
1298     + # inventing two 'instance' names, e.g. 'instance1' and 'instance2'
1299     + #
1300     + # The instance names can then be used in later configuration
1301     + # INSTEAD of the original 'name'. See the 'radutmp' configuration
1302     + # for an example.
1303     + #
1304     +
1305     + #
1306     + # As of 3.0, modules are in mods-enabled/. Files matching
1307     + # the regex /[a-zA-Z0-9_.]+/ are loaded. The modules are
1308     + # initialized ONLY if they are referenced in a processing
1309     + # section, such as authorize, authenticate, accounting,
1310     + # pre/post-proxy, etc.
1311     + #
1312     }
1313     + $INCLUDE mods-enabled/
1314     +
1315     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules05preprocess e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules05preprocess
1316     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules05preprocess 2005-06-11 14:37:58.000000000 -0400
1317     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules05preprocess 1969-12-31 19:00:00.000000000 -0500
1318     @@ -1,47 +0,0 @@
1319     -{
1320     - # Preprocess the incoming RADIUS request, before handing it off
1321     - # to other modules.
1322     -} preprocess \{
1323     -{
1324     - # This hack changes Ascend's wierd port numberings
1325     - # to standard 0-??? port numbers so that the "+" works
1326     - # for IP address assignments.
1327     -} with_ascend_hack = no
1328     - ascend_channels_per_line = 23
1329     -{
1330     - # Windows NT machines often authenticate themselves as
1331     - # NT_DOMAIN\username
1332     - #
1333     - # If this is set to 'yes', then the NT_DOMAIN portion
1334     - # of the user-name is silently discarded.
1335     - #
1336     - # This configuration entry SHOULD NOT be used.
1337     - # See the "realms" module for a better way to handle
1338     - # NT domains.
1339     -} with_ntdomain_hack = no
1340     -{
1341     - # Specialix Jetstream 8500 24 port access server.
1342     - #
1343     - # If the user name is 10 characters or longer, a "/"
1344     - # and the excess characters after the 10th are
1345     - # appended to the user name.
1346     - #
1347     - # If you're not running that NAS, you don't need
1348     - # this hack.
1349     -} with_specialix_jetstream_hack = no
1350     -{
1351     - # Cisco sends it's VSA attributes with the attribute
1352     - # name *again* in the string, like:
1353     - #
1354     - # H323-Attribute = "h323-attribute=value".
1355     - #
1356     - # If this configuration item is set to 'yes', then
1357     - # the redundant data in the the attribute text is stripped
1358     - # out. The result is:
1359     - #
1360     - # H323-Attribute = "value"
1361     - #
1362     - # If you're not running a Cisco NAS, you don't need
1363     - # this hack.
1364     -} with_cisco_vsa_hack = no
1365     - \}
1366     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules10suffix e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules10suffix
1367     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules10suffix 2005-06-11 12:11:42.000000000 -0400
1368     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules10suffix 1969-12-31 19:00:00.000000000 -0500
1369     @@ -1,8 +0,0 @@
1370     -{
1371     - # 'username@realm'
1372     -} realm suffix \{
1373     - format = suffix
1374     - delimiter = "@"
1375     - ignore_default = yes
1376     - ignore_null = yes
1377     - \}
1378     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules15ntdomain e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules15ntdomain
1379     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules15ntdomain 2005-06-11 14:12:54.000000000 -0400
1380     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules15ntdomain 1969-12-31 19:00:00.000000000 -0500
1381     @@ -1,8 +0,0 @@
1382     -{
1383     - # 'domain\user'
1384     -} realm ntdomain \{
1385     - format = prefix
1386     - delimiter = "\\"
1387     - ignore_default = no
1388     - ignore_null = no
1389     - \}
1390     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules20eap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules20eap
1391     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules20eap 2005-06-11 12:08:29.000000000 -0400
1392     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules20eap 1969-12-31 19:00:00.000000000 -0500
1393     @@ -1,6 +0,0 @@
1394     -{
1395     - # Extensible Authentication Protocol
1396     - #
1397     - # For all EAP related authentications.
1398     - # Now in another file, because it is very large.
1399     -}$INCLUDE $\{confdir\}/eap.conf
1400     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules25mschap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules25mschap
1401     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules25mschap 2005-06-11 14:57:35.000000000 -0400
1402     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules25mschap 1969-12-31 19:00:00.000000000 -0500
1403     @@ -1,50 +0,0 @@
1404     -{
1405     - # Microsoft CHAP authentication
1406     - #
1407     - # This module supports MS-CHAP and MS-CHAPv2 authentication.
1408     - # It also enforces the SMB-Account-Ctrl attribute.
1409     -} mschap \{
1410     -{
1411     - # As of 0.9, the mschap module does NOT support
1412     - # reading from /etc/smbpasswd.
1413     - #
1414     - # If you are using /etc/smbpasswd, see the 'passwd'
1415     - # module for an example of how to use /etc/smbpasswd
1416     - #
1417     - # authtype value, if present, will be used
1418     - # to overwrite (or add) Auth-Type during
1419     - # authorization. Normally should be MS-CHAP
1420     -} authtype = MS-CHAP
1421     -{
1422     - # if use_mppe is not set to no mschap will
1423     - # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
1424     - # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
1425     -} use_mppe = yes
1426     -{
1427     - # if mppe is enabled require_encryption makes
1428     - # encryption moderate
1429     -} require_encryption = yes
1430     -{
1431     - # require_strong always requires 128 bit key
1432     - # encryption
1433     - #
1434     -} require_strong = yes
1435     -{
1436     - # Windows sends us a username in the form of
1437     - # DOMAIN\user, but sends the challenge response
1438     - # based on only the user portion. This hack
1439     - # corrects for that incorrect behavior.
1440     -} with_ntdomain_hack = yes
1441     -{
1442     - # The module can perform authentication itself, OR
1443     - # use a Windows Domain Controller. This configuration
1444     - # directive tells the module to call the ntlm_auth
1445     - # program, which will do the authentication, and return
1446     - # the NT-Key. Note that you MUST have "winbindd" and
1447     - # "nmbd" running on the local machine for ntlm_auth
1448     - # to work. See the ntlm_auth program documentation
1449     - # for details.
1450     - #
1451     - # Be VERY careful when editing the following line!
1452     - #ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%\{Stripped-User-Name:-%\{User-Name:-None\}\} --challenge=%\{mschap:Challenge:-00\} --nt-response=%\{mschap:NT-Response:-00\}"
1453     -} \}
1454     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30ldap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30ldap
1455     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30ldap 2013-02-13 18:00:55.000000000 -0500
1456     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30ldap 1969-12-31 19:00:00.000000000 -0500
1457     @@ -1,24 +0,0 @@
1458     -{
1459     -
1460     - use esmith::util;
1461     - $OUT = '';
1462     -
1463     - $pw = esmith::util::LdapPassword();
1464     - $base = esmith::util::ldapBase ($DomainName);
1465     -
1466     -} ldap \{
1467     - server = "localhost"
1468     - identity = "cn=root,{ $base }"
1469     - password = { $pw }
1470     - basedn = "{ $base }"
1471     - filter = "(&(objectClass=posixAccount)(uid=%\{Stripped-User-Name:-%\{User-Name\}\}))"
1472     - ldap_connections_number = 5
1473     - timeout = 4
1474     - timelimit = 3
1475     - net_timeout = 3
1476     - tls \{
1477     - start_tls = no
1478     - \}
1479     - groupname_attribute = cn
1480     - groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%\{Stripped-User-Name:-%\{User-Name\}\}))"
1481     - \}
1482     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30smbpasswd e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30smbpasswd
1483     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30smbpasswd 2005-06-11 14:34:29.000000000 -0400
1484     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30smbpasswd 1969-12-31 19:00:00.000000000 -0500
1485     @@ -1,10 +0,0 @@
1486     -{
1487     - # An example configuration for using /etc/samba/smbpasswd.
1488     -} passwd smbpasswd \{
1489     - filename = /etc/samba/smbpasswd
1490     - format = "*Stripped-User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
1491     - authtype = MS-CHAP
1492     - hashsize = 100
1493     - ignorenislike = no
1494     - allowmultiplekeys = no
1495     - \}
1496     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules35files e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules35files
1497     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules35files 2005-06-11 14:47:21.000000000 -0400
1498     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules35files 1969-12-31 19:00:00.000000000 -0500
1499     @@ -1,11 +0,0 @@
1500     -{
1501     - # Livingston-style 'users' file
1502     -} files \{
1503     - usersfile = $\{confdir\}/users
1504     -{
1505     - # If you want to use the old Cistron 'users' file
1506     - # with FreeRADIUS, you should change the next line
1507     - # to 'compat = cistron'. You can the copy your 'users'
1508     - # file from Cistron.
1509     -} compat = no
1510     - \}
1511     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules40reject e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules40reject
1512     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules40reject 2005-06-11 14:35:56.000000000 -0400
1513     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules40reject 1969-12-31 19:00:00.000000000 -0500
1514     @@ -1,6 +0,0 @@
1515     -{
1516     - # Each instance simply returns the same result, always, without
1517     - # doing anything.
1518     -} always reject \{
1519     - rcode = reject
1520     - \}
1521     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules45acctUnique e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules45acctUnique
1522     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules45acctUnique 2008-10-07 13:37:19.000000000 -0400
1523     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules45acctUnique 1969-12-31 19:00:00.000000000 -0500
1524     @@ -1,13 +0,0 @@
1525     -{
1526     - # Create a unique accounting session Id. Many NASes re-use or
1527     - # repeat values for Acct-Session-Id, causing no end of
1528     - # confusion.
1529     - #
1530     - # This module will add a (probably) unique session id
1531     - # to an accounting packet based on the attributes listed
1532     - # below found in the packet. See doc/rlm_acct_unique for
1533     - # more information.
1534     - #
1535     -} acct_unique \{
1536     - key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
1537     - \}
1538     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules50detail e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules50detail
1539     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules50detail 2008-10-07 13:37:19.000000000 -0400
1540     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules50detail 1969-12-31 19:00:00.000000000 -0500
1541     @@ -1,36 +0,0 @@
1542     -{
1543     - # Write a detailed log of all accounting records received.
1544     - #
1545     -} detail \{
1546     -{ # Note that we do NOT use NAS-IP-Address here, as
1547     - # that attribute MAY BE from the originating NAS, and
1548     - # NOT from the proxy which actually sent us the
1549     - # request. The Client-IP-Address attribute is ALWAYS
1550     - # the address of the client which sent us the
1551     - # request.
1552     - #
1553     - # The following line creates a new detail file for
1554     - # every radius client (by IP address or hostname).
1555     - # In addition, a new detail file is created every
1556     - # day, so that the detail file doesn't have to go
1557     - # through a 'log rotation'
1558     - #
1559     - # If your detail files are large, you may also want
1560     - # to add a ':%H' (see doc/variables.txt) to the end
1561     - # of it, to create a new detail file every hour, e.g.:
1562     - #
1563     - # ..../detail-%Y%m%d:%H
1564     - #
1565     - # This will create a new detail file for every hour.
1566     - #
1567     -} detailfile = $\{logdir\}/accounting.log
1568     -{
1569     - #
1570     - # The Unix-style permissions on the 'detail' file.
1571     - #
1572     - # The detail file often contains secret or private
1573     - # information about users. So by keeping the file
1574     - # permissions restrictive, we can prevent unwanted
1575     - # people from seeing that information.
1576     -} detailperm = 0600
1577     - \}
1578     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization00init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization00init
1579     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization00init 2008-10-07 13:37:19.000000000 -0400
1580     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization00init 1969-12-31 19:00:00.000000000 -0500
1581     @@ -1,11 +0,0 @@
1582     -{
1583     -# Authorization. First preprocess (hints and huntgroups files),
1584     -# then realms, and finally look in the "users" file.
1585     -#
1586     -# The order of the realm modules will determine the order that
1587     -# we try to find a matching realm.
1588     -#
1589     -# Make *sure* that 'preprocess' comes before any realm if you
1590     -# need to setup hints for the remote radius server
1591     -}
1592     -authorize \{
1593     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization40default e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization40default
1594     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization40default 2013-02-13 18:00:55.000000000 -0500
1595     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization40default 1969-12-31 19:00:00.000000000 -0500
1596     @@ -1,39 +0,0 @@
1597     -{
1598     - # The preprocess module takes care of sanitizing some bizarre
1599     - # attributes in the request, and turning them into attributes
1600     - # which are more standard.
1601     - #
1602     - # It takes care of processing the 'raddb/hints' and the
1603     - # 'raddb/huntgroups' files.
1604     - #
1605     - # It also adds the %\{Client-IP-Address\} attribute to the request.
1606     -} preprocess
1607     -{
1608     - # If you are using multiple kinds of realms, you probably
1609     - # want to set "ignore_null = yes" for all of them.
1610     - # Otherwise, when the first style of realm doesn't match,
1611     - # the other styles won't be checked.
1612     -} suffix
1613     - ntdomain
1614     -{
1615     - # This module takes care of EAP-PEAP authentication.
1616     - #
1617     - # It also sets the EAP-Type attribute in the request
1618     - # attribute list to the EAP type from the packet.
1619     -} eap
1620     -{
1621     - # If the users are logging in with an MS-CHAP-Challenge
1622     - # attribute for authentication, the mschap module will find
1623     - # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
1624     - # to the request, which will cause the server to then use
1625     - # the mschap module for authentication.
1626     -} mschap
1627     -{
1628     - # If you are using /etc/smbpasswd, and are also doing
1629     - # mschap authentication, the un-comment this line, and
1630     - # configure the 'smbpasswd' module, above.
1631     - ( $ldap{Authentication} || 'disabled' ) eq 'enabled' ? 'ldap' : 'smbpasswd';
1632     -}
1633     -{
1634     - # Read the 'users' file
1635     -} files
1636     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization99end
1637     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization99end 2008-10-07 13:37:19.000000000 -0400
1638     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization99end 1969-12-31 19:00:00.000000000 -0500
1639     @@ -1 +0,0 @@
1640     -\}
1641     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate00setup e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate00setup
1642     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate00setup 2008-10-07 13:37:19.000000000 -0400
1643     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate00setup 1969-12-31 19:00:00.000000000 -0500
1644     @@ -1,5 +0,0 @@
1645     -{
1646     - my @authModules = '';
1647     - $OUT = '';
1648     -}
1649     -
1650     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate10AuthMsChap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate10AuthMsChap
1651     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate10AuthMsChap 2008-10-07 13:37:19.000000000 -0400
1652     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate10AuthMsChap 1969-12-31 19:00:00.000000000 -0500
1653     @@ -1,5 +0,0 @@
1654     -{
1655     - push(@authModules, "\tAuth-Type MS-CHAP\{\n\t\tmschap\n\t\}\n");
1656     - $OUT = '';
1657     -}
1658     -
1659     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate15ldap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate15ldap
1660     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate15ldap 2013-02-13 18:00:55.000000000 -0500
1661     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate15ldap 1969-12-31 19:00:00.000000000 -0500
1662     @@ -1,5 +0,0 @@
1663     -{
1664     - push(@authModules, "\tAuth-Type LDAP\{\n\t\tldap\n\t\}\n");
1665     - $OUT = '';
1666     -}
1667     -
1668     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate20authEap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate20authEap
1669     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate20authEap 2008-10-07 13:37:19.000000000 -0400
1670     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate20authEap 1969-12-31 19:00:00.000000000 -0500
1671     @@ -1,4 +0,0 @@
1672     -{
1673     - push(@authModules, "\teap\n");
1674     - $OUT = '';
1675     -}
1676     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate99process e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate99process
1677     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate99process 2008-10-07 13:37:19.000000000 -0400
1678     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate99process 1969-12-31 19:00:00.000000000 -0500
1679     @@ -1,23 +0,0 @@
1680     -{
1681     -# Authentication.
1682     -#
1683     -# This section lists which modules are available for authentication.
1684     -# Note that it does NOT mean 'try each module in order'. It means
1685     -# that a module from the 'authorize' section adds a configuration
1686     -# attribute 'Auth-Type := FOO'. That authentication type is then
1687     -# used to pick the apropriate module from the list below.
1688     -#
1689     -# In general, you SHOULD NOT set the Auth-Type attribute. The server
1690     -# will figure it out on its own, and will do the right thing. The
1691     -# most common side effect of erroneously setting the Auth-Type
1692     -# attribute is that one authentication method will work, but the
1693     -# others will not.
1694     -#
1695     -# The common reasons to set the Auth-Type attribute by hand
1696     -# is to either forcibly reject the user, or forcibly accept him.
1697     -
1698     - $OUT = "authenticate \{\n";
1699     - $OUT .= "$_\n" foreach @authModules;
1700     - $OUT .= "\}\n";
1701     -
1702     -}
1703     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/75preacct e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/75preacct
1704     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/75preacct 2008-10-07 13:37:19.000000000 -0400
1705     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/75preacct 1969-12-31 19:00:00.000000000 -0500
1706     @@ -1,17 +0,0 @@
1707     -{
1708     -#
1709     -# Pre-accounting. Decide which accounting type to use.
1710     -#
1711     -}preacct \{
1712     - preprocess
1713     -{
1714     - #
1715     - # Ensure that we have a semi-unique identifier for every
1716     - # request, and many NAS boxes are broken.
1717     -} acct_unique
1718     -{
1719     - # Accounting requests are generally proxied to the same
1720     - # home server as authentication requests.
1721     -} suffix
1722     - ntdomain
1723     -\}
1724     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/77Instantiate e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/77Instantiate
1725     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/77Instantiate 1969-12-31 19:00:00.000000000 -0500
1726     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/77Instantiate 2016-04-01 08:37:06.246000000 -0400
1727     @@ -0,0 +1,45 @@
1728     +{
1729     +# Instantiation
1730     +#
1731     +# This section orders the loading of the modules. Modules
1732     +# listed here will get loaded BEFORE the later sections like
1733     +# authorize, authenticate, etc. get examined.
1734     +#
1735     +# This section is not strictly needed. When a section like
1736     +# authorize refers to a module, it's automatically loaded and
1737     +# initialized. However, some modules may not be listed in any
1738     +# of the following sections, so they can be listed here.
1739     +#
1740     +# Also, listing modules here ensures that you have control over
1741     +# the order in which they are initialized. If one module needs
1742     +# something defined by another module, you can list them in order
1743     +# here, and ensure that the configuration will be OK.
1744     +#
1745     +# After the modules listed here have been loaded, all of the modules
1746     +# in the "mods-enabled" directory will be loaded. Loading the
1747     +# "mods-enabled" directory means that unlike Version 2, you usually
1748     +# don't need to list modules here.
1749     +#
1750     +}
1751     +instantiate \{
1752     + #
1753     + # We list the counter module here so that it registers
1754     + # the check_name attribute before any module which sets
1755     + # it
1756     +# daily
1757     +
1758     + # subsections here can be thought of as "virtual" modules.
1759     + #
1760     + # e.g. If you have two redundant SQL servers, and you want to
1761     + # use them in the authorize and accounting sections, you could
1762     + # place a "redundant" block in each section, containing the
1763     + # exact same text. Or, you could uncomment the following
1764     + # lines, and list "redundant_sql" in the authorize and
1765     + # accounting sections.
1766     + #
1767     + #redundant redundant_sql \{
1768     + # sql1
1769     + # sql2
1770     + #\}
1771     +\}
1772     +
1773     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting00init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting00init
1774     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting00init 2008-10-07 13:37:19.000000000 -0400
1775     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting00init 1969-12-31 19:00:00.000000000 -0500
1776     @@ -1,5 +0,0 @@
1777     -{
1778     -#
1779     -# Accounting. Log the accounting data.
1780     -#
1781     -}accounting \{
1782     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting40default e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting40default
1783     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting40default 2008-10-07 13:37:19.000000000 -0400
1784     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting40default 1969-12-31 19:00:00.000000000 -0500
1785     @@ -1,5 +0,0 @@
1786     -{ #
1787     - # Create a 'detail'ed log of the packets.
1788     - # Note that accounting requests which are proxied
1789     - # are also logged in the detail file.
1790     -} detail
1791     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting99end
1792     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting99end 2008-10-07 13:37:19.000000000 -0400
1793     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting99end 1969-12-31 19:00:00.000000000 -0500
1794     @@ -1 +0,0 @@
1795     -\}
1796     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80Policy e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80Policy
1797     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80Policy 1969-12-31 19:00:00.000000000 -0500
1798     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80Policy 2016-04-01 08:34:12.100000000 -0400
1799     @@ -0,0 +1,20 @@
1800     +{
1801     +######################################################################
1802     +#
1803     +# Policies are virtual modules, similar to those defined in the
1804     +# "instantiate" section above.
1805     +#
1806     +# Defining a policy in one of the policy.d files means that it can be
1807     +# referenced in multiple places as a *name*, rather than as a series of
1808     +# conditions to match, and actions to take.
1809     +#
1810     +# Policies are something like subroutines in a normal language, but
1811     +# they cannot be called recursively. They MUST be defined in order.
1812     +# If policy A calls policy B, then B MUST be defined before A.
1813     +#
1814     +######################################################################
1815     +}
1816     +policy \{
1817     + $INCLUDE policy.d/
1818     +\}
1819     +
1820     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/90LoadVirtualServers e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/90LoadVirtualServers
1821     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/90LoadVirtualServers 1969-12-31 19:00:00.000000000 -0500
1822     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/90LoadVirtualServers 2016-04-01 08:32:46.291000000 -0400
1823     @@ -0,0 +1,33 @@
1824     +{
1825     +######################################################################
1826     +#
1827     +#<----->Load virtual servers.
1828     +#
1829     +#<----->This next $INCLUDE line loads files in the directory that
1830     +#<----->match the regular expression: /[a-zA-Z0-9_.]+/
1831     +#
1832     +#<----->It allows you to define new virtual servers simply by placing
1833     +#<----->a file into the raddb/sites-enabled/ directory.
1834     +#
1835     +}$INCLUDE sites-enabled/
1836     +{
1837     +######################################################################
1838     +#
1839     +#<----->All of the other configuration sections like "authorize {}",
1840     +#<----->"authenticate {}", "accounting {}", have been moved to the
1841     +#<----->the file:
1842     +#
1843     +#<-----><------>raddb/sites-available/default
1844     +#
1845     +#<----->This is the "default" virtual server that has the same
1846     +#<----->configuration as in version 1.0.x and 1.1.x. The default
1847     +#<----->installation enables this virtual server. You should
1848     +#<----->edit it to create policies for your local site.
1849     +#
1850     +#<----->For more documentation on virtual servers, see:
1851     +#
1852     +#<-----><------>raddb/sites-available/README
1853     +#
1854     +######################################################################
1855     +
1856     +}
1857     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/01init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/01init
1858     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/01init 1969-12-31 19:00:00.000000000 -0500
1859     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/01init 2016-04-01 09:39:19.463000000 -0400
1860     @@ -0,0 +1,49 @@
1861     +{
1862     +######################################################################
1863     +#
1864     +# As of 2.0.0, FreeRADIUS supports virtual hosts using the
1865     +# "server" section, and configuration directives.
1866     +#
1867     +# Virtual hosts should be put into the "sites-available"
1868     +# directory. Soft links should be created in the "sites-enabled"
1869     +# directory to these files. This is done in a normal installation.
1870     +#
1871     +# If you are using 802.1X (EAP) authentication, please see also
1872     +# the "inner-tunnel" virtual server. You will likely have to edit
1873     +# that, too, for authentication to work.
1874     +#
1875 unnilennium 1.3 +# $Id: e-smith-radiusd-2.6.0-freeradius3.patch,v 1.2 2016/04/07 03:14:49 unnilennium Exp $
1876 unnilennium 1.1 +#
1877     +######################################################################
1878     +#
1879     +# Read "man radiusd" before editing this file. See the section
1880     +# titled DEBUGGING. It outlines a method where you can quickly
1881     +# obtain the configuration you want, without running into
1882     +# trouble. See also "man unlang", which documents the format
1883     +# of this file.
1884     +#
1885     +# This configuration is designed to work in the widest possible
1886     +# set of circumstances, with the widest possible number of
1887     +# authentication methods. This means that in general, you should
1888     +# need to make very few changes to this file.
1889     +#
1890     +# The best way to configure the server for your local system
1891     +# is to CAREFULLY edit this file. Most attempts to make large
1892     +# edits to this file will BREAK THE SERVER. Any edits should
1893     +# be small, and tested by running the server with "radiusd -X".
1894     +# Once the edits have been verified to work, save a copy of these
1895     +# configuration files somewhere. (e.g. as a "tar" file). Then,
1896     +# make more edits, and test, as above.
1897     +#
1898     +# There are many "commented out" references to modules such
1899     +# as ldap, sql, etc. These references serve as place-holders.
1900     +# If you need the functionality of that module, then configure
1901     +# it in radiusd.conf, and un-comment the references to it in
1902     +# this file. In most cases, those small changes will result
1903     +# in the server being able to connect to the DB, and to
1904     +# authenticate users.
1905     +#
1906     +######################################################################
1907     +}
1908     +server default \{
1909     +
1910     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/20listen e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/20listen
1911     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/20listen 1969-12-31 19:00:00.000000000 -0500
1912     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/20listen 2016-04-01 10:01:03.411000000 -0400
1913     @@ -0,0 +1,90 @@
1914     +{
1915     +# listen: Make the server listen on a particular IP address, and send
1916     +# replies out from that address. This directive is most useful for
1917     +# hosts with multiple IP addresses on one interface.
1918     +#
1919     +# If you want the server to listen on additional addresses, or on
1920     +# additionnal ports, you can use multiple "listen" sections.
1921     +#
1922     +# Each section make the server listen for only one type of packet,
1923     +# therefore authentication and accounting have to be configured in
1924     +# different sections.
1925     +#
1926     +# The server ignore all "listen" section if you are using '-i' and '-p'
1927     +# on the command line.
1928     +}
1929     +# auth
1930     +listen \{
1931     + type = auth
1932     +{
1933     + # ipaddr/ipv4addr/ipv6addr - IP address on which to listen.
1934     + # Out of several options the first one will be used.
1935     + #
1936     + # Allowed values are:
1937     + # IPv4 address (e.g. 1.2.3.4, for ipv4addr/ipaddr)
1938     + # IPv6 address (e.g. 2001:db8::1, for ipv6addr/ipaddr)
1939     + # hostname (radius.example.com,
1940     + # A record for ipv4addr,
1941     + # AAAA record for ipv6addr,
1942     + # A or AAAA record for ipaddr)
1943     + # wildcard (*)
1944     + #
1945     + # ipv4addr = *
1946     + # ipv6addr = *
1947     +}
1948     + ipaddr = *
1949     + port = 0
1950     +# interface = eth0
1951     +# clients = per_socket_clients
1952     +{
1953     + #
1954     + # Connection limiting for sockets with "proto = tcp".
1955     + #
1956     + # This section is ignored for other kinds of sockets.
1957     + #
1958     +} limit \{
1959     +{
1960     + #
1961     + # Limit the number of simultaneous TCP connections to the socket
1962     + #
1963     + # The default is 16.
1964     + # Setting this to 0 means "no limit"
1965     +} max_connections = 16
1966     +{
1967     + # The per-socket "max_requests" option does not exist.
1968     +
1969     + #
1970     + # The lifetime, in seconds, of a TCP connection. After
1971     + # this lifetime, the connection will be closed.
1972     + #
1973     + # Setting this to 0 means "forever".
1974     +} lifetime = 0
1975     +{
1976     + #
1977     + # The idle timeout, in seconds, of a TCP connection.
1978     + # If no packets have been received over the connection for
1979     + # this time, the connection will be closed.
1980     + #
1981     + # Setting this to 0 means "no timeout".
1982     + #
1983     + # We STRONGLY RECOMMEND that you set an idle timeout.
1984     + #
1985     +} idle_timeout = 30
1986     + \}
1987     +
1988     +\}
1989     +
1990     +#
1991     +# This second "listen" section is for listening on the accounting
1992     +# port, too.
1993     +#
1994     +listen \{
1995     + type = acct
1996     + ipaddr = *
1997     + port = 0
1998     +\}
1999     +
2000     +
2001     +
2002     +
2003     +
2004     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization00init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization00init
2005     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization00init 1969-12-31 19:00:00.000000000 -0500
2006     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization00init 2008-10-07 13:37:19.000000000 -0400
2007     @@ -0,0 +1,11 @@
2008     +{
2009     +# Authorization. First preprocess (hints and huntgroups files),
2010     +# then realms, and finally look in the "users" file.
2011     +#
2012     +# The order of the realm modules will determine the order that
2013     +# we try to find a matching realm.
2014     +#
2015     +# Make *sure* that 'preprocess' comes before any realm if you
2016     +# need to setup hints for the remote radius server
2017     +}
2018     +authorize \{
2019     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization40default e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization40default
2020     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization40default 1969-12-31 19:00:00.000000000 -0500
2021     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization40default 2016-04-01 10:10:46.038000000 -0400
2022     @@ -0,0 +1,102 @@
2023     +{
2024     + #
2025     + # Take a User-Name, and perform some checks on it, for spaces and other
2026     + # invalid characters. If the User-Name appears invalid, reject the
2027     + # request.
2028     + #
2029     + # See policy.d/filter for the definition of the filter_username policy.
2030     + #
2031     +} filter_username
2032     +{
2033     + # The preprocess module takes care of sanitizing some bizarre
2034     + # attributes in the request, and turning them into attributes
2035     + # which are more standard.
2036     + #
2037     + # It takes care of processing the 'raddb/hints' and the
2038     + # 'raddb/huntgroups' files.
2039     + #
2040     + # It also adds the %\{Client-IP-Address\} attribute to the request.
2041     +} preprocess
2042     +{
2043     + # If you are using multiple kinds of realms, you probably
2044     + # want to set "ignore_null = yes" for all of them.
2045     + # Otherwise, when the first style of realm doesn't match,
2046     + # the other styles won't be checked.
2047     +} suffix
2048     + ntdomain
2049     +{
2050     + # This module takes care of EAP-PEAP authentication.
2051     + #
2052     + # It also sets the EAP-Type attribute in the request
2053     + # attribute list to the EAP type from the packet.
2054     +} eap \{
2055     + ok = return
2056     + \}
2057     +
2058     +{
2059     + # If the users are logging in with an MS-CHAP-Challenge
2060     + # attribute for authentication, the mschap module will find
2061     + # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
2062     + # to the request, which will cause the server to then use
2063     + # the mschap module for authentication.
2064     +} mschap
2065     +{
2066     + # If you are using /etc/smbpasswd, and are also doing
2067     + # mschap authentication, the un-comment this line, and
2068     + # configure the 'smbpasswd' module, above.
2069     + ( $ldap{Authentication} || 'disabled' ) eq 'enabled' ? 'ldap' : 'smbpasswd';
2070     +}
2071     +
2072     +{
2073     + #
2074     + # Pull crypt'd passwords from /etc/passwd or /etc/shadow,
2075     + # using the system API's to get the password. If you want
2076     + # to read /etc/passwd or /etc/shadow directly, see the
2077     + # passwd module in radiusd.conf.
2078     + #
2079     +}# unix
2080     +
2081     +
2082     +{
2083     + # Read the 'users' file
2084     +} files
2085     +
2086     +{
2087     + #
2088     + # Look in an SQL database. The schema of the database
2089     + # is meant to mirror the "users" file.
2090     + #
2091     + # See "Authorization Queries" in sql.conf
2092     +} -sql
2093     +{
2094     + #
2095     + # If you are using /etc/smbpasswd, and are also doing
2096     + # mschap authentication, the un-comment this line, and
2097     + # configure the 'smbpasswd' module.
2098     +}# smbpasswd
2099     +{
2100     + #
2101     + # The ldap module reads passwords from the LDAP database.
2102     +} -ldap
2103     +
2104     +{ #
2105     + # Enforce daily limits on time spent logged in.
2106     +# daily
2107     +
2108     + #
2109     +} expiration
2110     + logintime
2111     +{
2112     + #
2113     + # If no other module has claimed responsibility for
2114     + # authentication, then try to use PAP. This allows the
2115     + # other modules listed above to add a "known good" password
2116     + # to the request, and to do nothing else. The PAP module
2117     + # will then see that password, and use it to do PAP
2118     + # authentication.
2119     + #
2120     + # This module should be listed last, so that the other modules
2121     + # get a chance to set Auth-Type for themselves.
2122     + #
2123     +} pap
2124     +
2125     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization99end
2126     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization99end 1969-12-31 19:00:00.000000000 -0500
2127     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization99end 2008-10-07 13:37:19.000000000 -0400
2128     @@ -0,0 +1 @@
2129     +\}
2130     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate00setup e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate00setup
2131     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate00setup 1969-12-31 19:00:00.000000000 -0500
2132     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate00setup 2008-10-07 13:37:19.000000000 -0400
2133     @@ -0,0 +1,5 @@
2134     +{
2135     + my @authModules = '';
2136     + $OUT = '';
2137     +}
2138     +
2139     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate10AuthMsChap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate10AuthMsChap
2140     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate10AuthMsChap 1969-12-31 19:00:00.000000000 -0500
2141     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate10AuthMsChap 2008-10-07 13:37:19.000000000 -0400
2142     @@ -0,0 +1,5 @@
2143     +{
2144     + push(@authModules, "\tAuth-Type MS-CHAP\{\n\t\tmschap\n\t\}\n");
2145     + $OUT = '';
2146     +}
2147     +
2148     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate15ldap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate15ldap
2149     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate15ldap 1969-12-31 19:00:00.000000000 -0500
2150     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate15ldap 2013-02-13 18:00:55.000000000 -0500
2151     @@ -0,0 +1,5 @@
2152     +{
2153     + push(@authModules, "\tAuth-Type LDAP\{\n\t\tldap\n\t\}\n");
2154     + $OUT = '';
2155     +}
2156     +
2157     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate20authEap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate20authEap
2158     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate20authEap 1969-12-31 19:00:00.000000000 -0500
2159     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate20authEap 2008-10-07 13:37:19.000000000 -0400
2160     @@ -0,0 +1,4 @@
2161     +{
2162     + push(@authModules, "\teap\n");
2163     + $OUT = '';
2164     +}
2165     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate99process e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate99process
2166     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate99process 1969-12-31 19:00:00.000000000 -0500
2167     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate99process 2008-10-07 13:37:19.000000000 -0400
2168     @@ -0,0 +1,23 @@
2169     +{
2170     +# Authentication.
2171     +#
2172     +# This section lists which modules are available for authentication.
2173     +# Note that it does NOT mean 'try each module in order'. It means
2174     +# that a module from the 'authorize' section adds a configuration
2175     +# attribute 'Auth-Type := FOO'. That authentication type is then
2176     +# used to pick the apropriate module from the list below.
2177     +#
2178     +# In general, you SHOULD NOT set the Auth-Type attribute. The server
2179     +# will figure it out on its own, and will do the right thing. The
2180     +# most common side effect of erroneously setting the Auth-Type
2181     +# attribute is that one authentication method will work, but the
2182     +# others will not.
2183     +#
2184     +# The common reasons to set the Auth-Type attribute by hand
2185     +# is to either forcibly reject the user, or forcibly accept him.
2186     +
2187     + $OUT = "authenticate \{\n";
2188     + $OUT .= "$_\n" foreach @authModules;
2189     + $OUT .= "\}\n";
2190     +
2191     +}
2192     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/55preacct e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/55preacct
2193     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/55preacct 1969-12-31 19:00:00.000000000 -0500
2194     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/55preacct 2016-04-01 11:06:09.665000000 -0400
2195     @@ -0,0 +1,47 @@
2196     +{
2197     +#
2198     +# Pre-accounting. Decide which accounting type to use.
2199     +#
2200     +}preacct \{
2201     + preprocess
2202     +{
2203     + #
2204     + # Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets
2205     + # into a single 64bit counter Acct-[Input|Output]-Octets64.
2206     + #
2207     +}# acct_counters64
2208     +{
2209     + #
2210     + # Session start times are *implied* in RADIUS.
2211     + # The NAS never sends a "start time". Instead, it sends
2212     + # a start packet, *possibly* with an Acct-Delay-Time.
2213     + # The server is supposed to conclude that the start time
2214     + # was "Acct-Delay-Time" seconds in the past.
2215     + #
2216     + # The code below creates an explicit start time, which can
2217     + # then be used in other modules. It will be *mostly* correct.
2218     + # Any errors are due to the 1-second resolution of RADIUS,
2219     + # and the possibility that the time on the NAS may be off.
2220     + #
2221     + # The start time is: NOW - delay - session_length
2222     + #
2223     +}
2224     +# update request {
2225     +# FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
2226     +# }
2227     +
2228     +{
2229     + #
2230     + # Ensure that we have a semi-unique identifier for every
2231     + # request, and many NAS boxes are broken.
2232     +}
2233     +
2234     + acct_unique
2235     +{
2236     + # Accounting requests are generally proxied to the same
2237     + # home server as authentication requests.
2238     +} suffix
2239     + ntdomain
2240     + files
2241     +
2242     +\}
2243     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting00init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting00init
2244     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting00init 1969-12-31 19:00:00.000000000 -0500
2245     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting00init 2008-10-07 13:37:19.000000000 -0400
2246     @@ -0,0 +1,5 @@
2247     +{
2248     +#
2249     +# Accounting. Log the accounting data.
2250     +#
2251     +}accounting \{
2252     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting40default e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting40default
2253     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting40default 1969-12-31 19:00:00.000000000 -0500
2254     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting40default 2008-10-07 13:37:19.000000000 -0400
2255     @@ -0,0 +1,5 @@
2256     +{ #
2257     + # Create a 'detail'ed log of the packets.
2258     + # Note that accounting requests which are proxied
2259     + # are also logged in the detail file.
2260     +} detail
2261     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting99end
2262     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting99end 1969-12-31 19:00:00.000000000 -0500
2263     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting99end 2008-10-07 13:37:19.000000000 -0400
2264     @@ -0,0 +1 @@
2265     +\}
2266     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session00init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session00init
2267     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session00init 1969-12-31 19:00:00.000000000 -0500
2268     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session00init 2016-04-01 11:13:35.135000000 -0400
2269     @@ -0,0 +1,6 @@
2270     +{
2271     +# Session database, used for checking Simultaneous-Use. Either the radutmp
2272     +# or rlm_sql module can handle this.
2273     +# The rlm_sql module is *much* faster
2274     +}session \{
2275     +
2276     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session99end
2277     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session99end 1969-12-31 19:00:00.000000000 -0500
2278     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session99end 2016-04-01 11:13:53.209000000 -0400
2279     @@ -0,0 +1 @@
2280     +\}
2281     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth00init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth00init
2282     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth00init 1969-12-31 19:00:00.000000000 -0500
2283     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth00init 2016-04-01 11:14:55.538000000 -0400
2284     @@ -0,0 +1,8 @@
2285     +{
2286     +# Post-Authentication
2287     +# Once we KNOW that the user has been authenticated, there are
2288     +# additional steps we can take.
2289     +}post-auth \{
2290     + # Get an address from the IP Pool.
2291     +# main_pool
2292     +
2293     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth99end
2294     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth99end 1969-12-31 19:00:00.000000000 -0500
2295     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth99end 2016-04-01 11:16:54.094000000 -0400
2296     @@ -0,0 +1,26 @@
2297     +{
2298     + # Remove reply message if the response contains an EAP-Message
2299     +} remove_reply_message_if_eap
2300     +{
2301     + #
2302     + # Access-Reject packets are sent through the REJECT sub-section of the
2303     + # post-auth section.
2304     + #
2305     + # Add the ldap module name (or instance) if you have set
2306     + # 'edir_account_policy_check = yes' in the ldap module configuration
2307     + #
2308     +} Post-Auth-Type REJECT \{
2309     + # log failed authentications in SQL, too.
2310     + #-sql
2311     + attr_filter.access_reject
2312     +
2313     + # Insert EAP-Failure message if the request was
2314     + # rejected by policy instead of because of an
2315     + # authentication failure
2316     + eap
2317     +
2318     + # Remove reply message if the response contains an EAP-Message
2319     + remove_reply_message_if_eap
2320     + \}
2321     +\}
2322     +
2323     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/85preproxy e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/85preproxy
2324     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/85preproxy 1969-12-31 19:00:00.000000000 -0500
2325     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/85preproxy 2016-04-01 11:18:35.647000000 -0400
2326     @@ -0,0 +1,28 @@
2327     +pre-proxy \{
2328     +{
2329     + # Before proxing the request add an Operator-Name attribute identifying
2330     + # if the operator-name is found for this client.
2331     + # No need to uncomment this if you have already enabled this in
2332     + # the authorize section.
2333     +}# operator-name
2334     +{
2335     + # The client requests the CUI by sending a CUI attribute
2336     + # containing one zero byte.
2337     + # Uncomment the line below if *requesting* the CUI.
2338     +}# cui
2339     +{
2340     + # Uncomment the following line if you want to change attributes
2341     + # as defined in the preproxy_users file.
2342     +}# files
2343     +{
2344     + # Uncomment the following line if you want to filter requests
2345     + # sent to remote servers based on the rules defined in the
2346     + # 'attrs.pre-proxy' file.
2347     +}# attr_filter.pre-proxy
2348     +{
2349     + # If you want to have a log of packets proxied to a home
2350     + # server, un-comment the following line, and the
2351     + # 'detail pre_proxy_log' section, above.
2352     +}# pre_proxy_log
2353     +\}
2354     +
2355     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/90postproxy e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/90postproxy
2356     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/90postproxy 1969-12-31 19:00:00.000000000 -0500
2357     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/90postproxy 2016-04-01 11:20:52.751000000 -0400
2358     @@ -0,0 +1,54 @@
2359     +{
2360     +#
2361     +# When the server receives a reply to a request it proxied
2362     +# to a home server, the request may be massaged here, in the
2363     +# post-proxy stage.
2364     +#
2365     +}
2366     +post-proxy \{
2367     +{
2368     + # If you want to have a log of replies from a home server,
2369     + # un-comment the following line, and the 'detail post_proxy_log'
2370     + # section, above.
2371     +}# post_proxy_log
2372     +{
2373     + # Uncomment the following line if you want to filter replies from
2374     + # remote proxies based on the rules defined in the 'attrs' file.
2375     +}# attr_filter.post-proxy
2376     +{
2377     + #
2378     + # If you are proxying LEAP, you MUST configure the EAP
2379     + # module, and you MUST list it here, in the post-proxy
2380     + # stage.
2381     + #
2382     + # You MUST also use the 'nostrip' option in the 'realm'
2383     + # configuration. Otherwise, the User-Name attribute
2384     + # in the proxied request will not match the user name
2385     + # hidden inside of the EAP packet, and the end server will
2386     + # reject the EAP request.
2387     + #
2388     +} eap
2389     +{
2390     + #
2391     + # If the server tries to proxy a request and fails, then the
2392     + # request is processed through the modules in this section.
2393     + #
2394     + # The main use of this section is to permit robust proxying
2395     + # of accounting packets. The server can be configured to
2396     + # proxy accounting packets as part of normal processing.
2397     + # Then, if the home server goes down, accounting packets can
2398     + # be logged to a local "detail" file, for processing with
2399     + # radrelay. When the home server comes back up, radrelay
2400     + # will read the detail file, and send the packets to the
2401     + # home server.
2402     + #
2403     + # With this configuration, the server always responds to
2404     + # Accounting-Requests from the NAS, but only writes
2405     + # accounting packets to disk if the home server is down.
2406     + #
2407     +}# Post-Proxy-Type Fail \{
2408     +# detail
2409     +# \}
2410     +\}
2411     +
2412     +
2413     diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/99end
2414     --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/99end 1969-12-31 19:00:00.000000000 -0500
2415     +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/99end 2016-04-01 09:40:43.175000000 -0400
2416     @@ -0,0 +1,7 @@
2417     +
2418     +\}
2419     +{
2420     +#
2421     +#end of default server
2422     +#
2423     +}

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed