diff -Nur e-smith-radiusd-2.6.0.old/createlinks e-smith-radiusd-2.6.0/createlinks --- e-smith-radiusd-2.6.0.old/createlinks 2016-02-05 16:34:10.000000000 -0500 +++ e-smith-radiusd-2.6.0/createlinks 2016-04-01 12:42:04.837000000 -0400 @@ -24,7 +24,9 @@ foreach (qw( raddb/clients.conf - raddb/eap.conf + raddb/mods-available/eap + raddb/mods-available/ldap + raddb/sites-available/default raddb/proxy.conf radiusclient-ng/servers)) { @@ -33,7 +35,7 @@ console-save domain-modify remoteaccess-update - ldap-update + ldap-update )); } @@ -46,7 +48,7 @@ console-save domain-modify remoteaccess-update - ldap-update + ldap-update )); } @@ -68,3 +70,9 @@ safe_symlink("../daemontools", "root/etc/rc.d/init.d/supervise/radiusd"); service_link_enhanced("radiusd", "S90", "7"); + +# activate modules +#safe_symlink("../mods-available/realm", "root/etc/raddb/mods-enabled/realm"); +safe_symlink("../mods-available/ldap", "root/etc/raddb/mods-enabled/ldap"); +safe_symlink("../mods-available/smbpasswd", "root/etc/raddb/mods-enabled/smbpasswd"); + diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/clients.conf/10localhost e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/clients.conf/10localhost --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/clients.conf/10localhost 2008-10-07 13:37:19.000000000 -0400 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/clients.conf/10localhost 2016-04-01 11:45:59.890000000 -0400 
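Review bot: The new `safe_symlink` into `root/etc/raddb/mods-enabled/smbpasswd` enables a module whose configuration is not among the templates added to the `foreach` list in the first hunk (`raddb/mods-available/eap`, `raddb/mods-available/ldap`, `raddb/sites-available/default`), so it depends on a packaged `mods-available/smbpasswd` being present on the target; if that file is absent the dangling link will stop radiusd from starting. Conversely `eap` is templated but not linked here, so its activation presumably relies on the stock package's `mods-enabled/eap` link. A comment above the new links, e.g. `# eap and the default site are enabled by the freeradius package; only ldap and smbpasswd are added here`, would make that split explicit; the `foreach` list and its body continue outside the hunk. The two `ldap-update` hunks change only whitespace.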
@@ -46,7 +46,7 @@ # other # for all other types # -} nastype = other +} nas_type = other { # # The following two configurations are for future use. diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/10eap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/10eap --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/10eap 2005-06-11 14:24:39.000000000 -0400 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/10eap 1969-12-31 19:00:00.000000000 -0500 @@ -1 +0,0 @@ -eap \{ diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/15defaultType e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/15defaultType --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/15defaultType 2005-06-11 14:24:51.000000000 -0400 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/15defaultType 1969-12-31 19:00:00.000000000 -0500 @@ -1,14 +0,0 @@ -{ - # Invoke the default supported EAP type when - # EAP-Identity response is received. - # - # The incoming EAP messages DO NOT specify which EAP - # type they will be using, so it MUST be set here. - # - # For now, only one default EAP type may be used at a time. - # - # If the EAP-Type attribute is set by another module, - # then that EAP type takes precedence over the - # default type configured here. - # -} default_eap_type = peap diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/20timerExpire e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/20timerExpire --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/20timerExpire 2005-06-11 14:24:56.000000000 -0400 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/20timerExpire 1969-12-31 19:00:00.000000000 -0500 
@@ -1,7 +0,0 @@ -{ - # A list is maintained to correlate EAP-Response - # packets with EAP-Request packets. After a - # configurable length of time, entries in the list - # expire, and are deleted. - # -} timer_expire = 60 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/25ignoreUnknown e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/25ignoreUnknown --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/25ignoreUnknown 2005-06-11 14:25:19.000000000 -0400 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/25ignoreUnknown 1969-12-31 19:00:00.000000000 -0500 @@ -1,14 +0,0 @@ -{ - # There are many EAP types, but the server has support - # for only a limited subset. If the server receives - # a request for an EAP type it does not support, then - # it normally rejects the request. By setting this - # configuration to "yes", you can tell the server to - # instead keep processing the request. Another module - # MUST then be configured to proxy the request to - # another RADIUS server which supports that EAP type. - # - # If another module is NOT configured to handle the - # request, then the request will still end up being - # rejected. -} ignore_unknown_eap_types = no diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/30ciscoBug e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/30ciscoBug --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/30ciscoBug 2005-06-11 14:25:22.000000000 -0400 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/30ciscoBug 1969-12-31 19:00:00.000000000 -0500 
@@ -1,8 +0,0 @@ -{ - # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given - # a User-Name attribute in an Access-Accept, it copies one - # more byte than it should. - # - # We can work around it by configurably adding an extra - # zero byte. -} cisco_accounting_username_bug = no diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/35tls e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/35tls --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/35tls 2005-06-13 12:12:02.000000000 -0400 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/35tls 1969-12-31 19:00:00.000000000 -0500 
@@ -1,64 +0,0 @@ -{ - ## EAP-TLS - # - # To generate ctest certificates, run the script - # - # ../scripts/certs.sh - # - # The documents on http://www.freeradius.org/doc - # are old, but may be helpful. - # - # See also: - # - # http://www.dslreports.com/forum/remark,9286052~mode=flat - # -} - tls \{ - private_key_password = whatever - private_key_file = $\{raddbdir\}/certs/radiusd.pem - certificate_file = $\{raddbdir\}/certs/radiusd.pem - CA_file = $\{raddbdir\}/certs/radiusd.pem - dh_file = $\{raddbdir\}/certs/dh - random_file = $\{raddbdir\}/certs/random -{ - # - # This can never exceed the size of a RADIUS - # packet (4096 bytes), and is preferably half - # that, to accomodate other attributes in - # RADIUS packet. On most APs the MAX packet - # length is configured between 1500 - 1600 - # In these cases, fragment size should be - # 1024 or less. - # -} #fragment_size = 1024 -{ - # include_length is a flag which is - # by default set to yes If set to - # yes, Total Length of the message is - # included in EVERY packet we send. - # If set to no, Total Length of the - # message is included ONLY in the - # First packet of a fragment series. - # -} #include_length = yes -{ - # Check the Certificate Revocation List - # - # 1) Copy CA certificates and CRLs to same directory. - # 2) Execute 'c_rehash '. - # 'c_rehash' is OpenSSL's command. - # 3) Add 'CA_path=' - # to radiusd.conf's tls section. - # 4) uncomment the line below. - # 5) Restart radiusd -} #check_crl = yes -{ - # - # If check_cert_cn is set, the value will - # be xlat'ed and checked against the CN - # in the client certificate. If the values - # do not match, the certificate verification - # will fail rejecting the user. 
- # -} #check_cert_cn = %\{User-Name\} - \} diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/40peap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/40peap --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/40peap 2005-06-11 14:25:31.000000000 -0400 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/40peap 1969-12-31 19:00:00.000000000 -0500 @@ -1,26 +0,0 @@ -{ - # - # The tunneled EAP session needs a default EAP type - # which is separate from the one for the non-tunneled - # EAP module. Inside of the TLS/PEAP tunnel, we - # recommend using EAP-MS-CHAPv2. - # - # The PEAP module needs the TLS module to be installed - # and configured, in order to use the TLS tunnel - # inside of the EAP packet. You will still need to - # configure the TLS module, even if you do not want - # to deploy EAP-TLS in your network. Users will not - # be able to request EAP-TLS, as it requires them to - # have a client certificate. EAP-PEAP does not - # require a client certificate. - # -} - peap \{ -{ # The tunneled EAP session needs a default - # EAP type which is separate from the one for - # the non-tunneled EAP module. Inside of the - # PEAP tunnel, we recommend using MS-CHAPv2, - # as that is the default type supported by - # Windows clients. -} default_eap_type = mschapv2 - \} diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/45mschapv2 e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/45mschapv2 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/45mschapv2 2005-06-11 14:25:34.000000000 -0400 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/45mschapv2 1969-12-31 19:00:00.000000000 -0500 
@@ -1,18 +0,0 @@ -{ - # - # This takes no configuration. - # - # Note that it is the EAP MS-CHAPv2 sub-module, not - # the main 'mschap' module. - # - # Note also that in order for this sub-module to work, - # the main 'mschap' module MUST ALSO be configured. - # - # This module is the *Microsoft* implementation of MS-CHAPv2 - # in EAP. There is another (incompatible) implementation - # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not - # currently support. - # -} - mschapv2 \{ - \} diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/99end --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/99end 2005-06-11 14:25:39.000000000 -0400 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/99end 1969-12-31 19:00:00.000000000 -0500 @@ -1 +0,0 @@ -\} diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/10eap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/10eap --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/10eap 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/10eap 2005-06-11 14:24:39.000000000 -0400 @@ -0,0 +1 @@ +eap \{ diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/15defaultType e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/15defaultType --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/15defaultType 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/15defaultType 2005-06-11 14:24:51.000000000 -0400 
@@ -0,0 +1,14 @@ +{ + # Invoke the default supported EAP type when + # EAP-Identity response is received. + # + # The incoming EAP messages DO NOT specify which EAP + # type they will be using, so it MUST be set here. + # + # For now, only one default EAP type may be used at a time. + # + # If the EAP-Type attribute is set by another module, + # then that EAP type takes precedence over the + # default type configured here. + # +} default_eap_type = peap diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/20timerExpire e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/20timerExpire --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/20timerExpire 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/20timerExpire 2005-06-11 14:24:56.000000000 -0400 @@ -0,0 +1,7 @@ +{ + # A list is maintained to correlate EAP-Response + # packets with EAP-Request packets. After a + # configurable length of time, entries in the list + # expire, and are deleted. + # +} timer_expire = 60 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/25ignoreUnknown e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/25ignoreUnknown --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/25ignoreUnknown 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/25ignoreUnknown 2005-06-11 14:25:19.000000000 -0400 
@@ -0,0 +1,14 @@ +{ + # There are many EAP types, but the server has support + # for only a limited subset. If the server receives + # a request for an EAP type it does not support, then + # it normally rejects the request. By setting this + # configuration to "yes", you can tell the server to + # instead keep processing the request. Another module + # MUST then be configured to proxy the request to + # another RADIUS server which supports that EAP type. + # + # If another module is NOT configured to handle the + # request, then the request will still end up being + # rejected. +} ignore_unknown_eap_types = no diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/30ciscoBug e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/30ciscoBug --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/30ciscoBug 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/30ciscoBug 2005-06-11 14:25:22.000000000 -0400 @@ -0,0 +1,8 @@ +{ + # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given + # a User-Name attribute in an Access-Accept, it copies one + # more byte than it should. + # + # We can work around it by configurably adding an extra + # zero byte. +} cisco_accounting_username_bug = no diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/35tlscommon e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/35tlscommon --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/35tlscommon 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/35tlscommon 2016-04-01 12:02:53.346000000 -0400 
@@ -0,0 +1,130 @@ +{ + ## EAP-TLS + # + # To generate ctest certificates, run the script + # + # ../scripts/certs.sh + # + # The documents on http://www.freeradius.org/doc + # are old, but may be helpful. + # + # See also: + # + # http://www.dslreports.com/forum/remark,9286052~mode=flat + # + # Note that you should NOT use a globally known CA here! + # e.g. using a Verisign cert as a "known CA" means that + # ANYONE who has a certificate signed by them can + # authenticate via EAP-TLS! This is likely not what you want. +} + tls-config tls-common \{ + private_key_password = whatever + private_key_file = $\{raddbdir\}/certs/radiusd.pem + certificate_file = $\{raddbdir\}/certs/radiusd.pem + ca_file = $\{raddbdir\}/certs/radiusd.pem + dh_file = $\{raddbdir\}/certs/dh + random_file = $\{raddbdir\}/certs/random +{ + # + # This can never exceed the size of a RADIUS + # packet (4096 bytes), and is preferably half + # that, to accomodate other attributes in + # RADIUS packet. On most APs the MAX packet + # length is configured between 1500 - 1600 + # In these cases, fragment size should be + # 1024 or less. + # +} #fragment_size = 1024 +{ + # include_length is a flag which is + # by default set to yes If set to + # yes, Total Length of the message is + # included in EVERY packet we send. + # If set to no, Total Length of the + # message is included ONLY in the + # First packet of a fragment series. + # +} #include_length = yes +{ + # Check the Certificate Revocation List + # + # 1) Copy CA certificates and CRLs to same directory. + # 2) Execute 'c_rehash '. + # 'c_rehash' is OpenSSL's command. + # 3) Add 'CA_path=' + # to radiusd.conf's tls section. + # 4) uncomment the line below. + # 5) Restart radiusd +} #check_crl = yes +{ + # + # If check_cert_cn is set, the value will + # be xlat'ed and checked against the CN + # in the client certificate. If the values + # do not match, the certificate verification + # will fail rejecting the user. 
+ # +} #check_cert_cn = %\{User-Name\} +{ + # + # Set this option to specify the allowed + # TLS cipher suites. The format is listed + # in "man 1 ciphers". +} cipher_list = "DEFAULT" +{ + # + + # + # Elliptical cryptography configuration + # + # Only for OpenSSL >= 0.9.8.f + # +} ecdh_curve = "prime256v1" + +{ + # + # Session resumption / fast reauthentication + # cache. + # + # The cache contains the following information: + # + # session Id - unique identifier, managed by SSL + # User-Name - from the Access-Accept + # Stripped-User-Name - from the Access-Request + # Cached-Session-Policy - from the Access-Accept + # + # The "Cached-Session-Policy" is the name of a + # policy which should be applied to the cached + # session. This policy can be used to assign + # VLANs, IP addresses, etc. It serves as a useful + # way to re-apply the policy from the original + # Access-Accept to the subsequent Access-Accept + # for the cached session. + # + # On session resumption, these attributes are + # copied from the cache, and placed into the + # reply list. + # + # You probably also want "use_tunneled_reply = yes" + # when using fast session resumption. + # +} cache \{ + enable = yes + lifetime = 24 # hours + max_entries = 255 + \} +{ + # + # As of version 2.1.10, client certificates can be + # validated via an external command. This allows + # dynamic CRLs or OCSP to be used. + # + # This configuration is commented out in the + # default configuration. Uncomment it, and configure + # the correct paths below to enable it. + # +} + + + + \} diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/37tls e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/37tls --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/37tls 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/37tls 2016-04-01 12:06:29.540000000 -0400 
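Review bot: `cache { enable = yes ... lifetime = 24 }` turns on TLS session resumption for a full day; a resumed session does not repeat the inner authentication, so an account that is disabled in LDAP or whose password is changed after its first login can keep connecting until the cache entry expires — keep `enable = no` unless fast reconnect is needed, or set `lifetime` to a small number of hours. `private_key_password = whatever` together with `private_key_file`, `certificate_file` and `ca_file` all pointing at `${raddbdir}/certs/radiusd.pem` effectively makes the server's own certificate the trust anchor for EAP-TLS client certificates, and with `check_cert_cn` left commented out any certificate issued under it is accepted for whatever identity it presents; a comment above `tls-config tls-common \{` such as `# placeholder key password and self-signed trust anchor: the installer is expected to replace these` would keep them from going live unchanged. `cipher_list = "DEFAULT"` delegates suite selection to the OpenSSL build; a narrower string such as `cipher_list = "HIGH:!aNULL:!MD5"` excludes anonymous and legacy suites. The empty `{ # + #` block in front of the `ecdh_curve` comment looks like an editing leftover.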
@@ -0,0 +1,21 @@
+{
+ ## EAP-TLS
+ #
+ # As of Version 3.0, the TLS configuration for TLS-based
+ # EAP types is above in the "tls-config" section.
+ #
+}
+ tls \{
+{
+ # Point to the common TLS configuration
+} tls = tls-common
+{
+ #
+ # As part of checking a client certificate, the EAP-TLS
+ # sets some attributes such as TLS-Client-Cert-CN. This
+ # virtual server has access to these attributes, and can
+ # be used to accept or reject the request.
+ #
+} # virtual_server = check-eap-tls
+ \}
+
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/39ttls e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/39ttls
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/39ttls 1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/39ttls 2016-04-01 12:08:51.030000000 -0400
@@ -0,0 +1,90 @@ +{ + ## EAP-TTLS + # + # The TTLS module implements the EAP-TTLS protocol, + # which can be described as EAP inside of Diameter, + # inside of TLS, inside of EAP, inside of RADIUS... + # + # Surprisingly, it works quite well. + # +} ttls \{ +{ + # Which tls-config section the TLS negotiation parameters + # are in - see EAP-TLS above for an explanation. + # + # In the case that an old configuration from FreeRADIUS + # v2.x is being used, all the options of the tls-config + # section may also appear instead in the 'tls' section + # above. If that is done, the tls= option here (and in + # tls above) MUST be commented out. + # +} tls = tls-common +{ + # The tunneled EAP session needs a default EAP type + # which is separate from the one for the non-tunneled + # EAP module. Inside of the TTLS tunnel, we recommend + # using EAP-MD5. If the request does not contain an + # EAP conversation, then this configuration entry is + # ignored. + # +} default_eap_type = md5 +{ + # The tunneled authentication request does not usually + # contain useful attributes like 'Calling-Station-Id', + # etc. These attributes are outside of the tunnel, + # and normally unavailable to the tunneled + # authentication request. + # + # By setting this configuration entry to 'yes', + # any attribute which is NOT in the tunneled + # authentication request, but which IS available + # outside of the tunnel, is copied to the tunneled + # request. + # + # allowed values: {no, yes} + # +} copy_request_to_tunnel = no +{ + # The reply attributes sent to the NAS are usually + # based on the name of the user 'outside' of the + # tunnel (usually 'anonymous'). If you want to send + # the reply attributes based on the user name inside + # of the tunnel, then set this configuration entry to + # 'yes', and the reply to the NAS will be taken from + # the reply to the tunneled request. 
+ # + # allowed values: {no, yes} + # +} use_tunneled_reply = no +{ + # + # The inner tunneled request can be sent + # through a virtual server constructed + # specifically for this purpose. + # + # If this entry is commented out, the inner + # tunneled request will be sent through + # the virtual server that processed the + # outer requests. + # +} virtual_server = "inner-tunnel" +{ + # This has the same meaning, and overwrites, the + # same field in the "tls" configuration, above. + # The default value here is "yes". + # +} # include_length = yes +{ + # + # Unlike EAP-TLS, EAP-TTLS does not require a client + # certificate. However, you can require one by setting the + # following option. You can also override this option by + # setting + # + # EAP-TLS-Require-Client-Cert = Yes + # + # in the control items for a request. + # +} # require_client_cert = yes + \} + diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/40peap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/40peap --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/40peap 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/40peap 2016-04-01 12:04:44.387000000 -0400 
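Review bot: `virtual_server = "inner-tunnel"` makes TTLS depend on a site named inner-tunnel being enabled, but the only site template this change adds to `createlinks` is `raddb/sites-available/default`, so inner-tunnel presumably comes unmodified from the freeradius package; if that stock site does not call the `ldap` module configured in `25modules30ldap` in its authorize/authenticate sections, tunnelled logins will not be checked against the e-smith directory. A one-line comment above the setting, e.g. `# inner-tunnel is the stock site shipped by the package; it must reference the ldap module`, would make the dependency visible to the next maintainer. The rest of the section (`copy_request_to_tunnel = no`, `use_tunneled_reply = no`, the commented `require_client_cert`) matches upstream defaults.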
@@ -0,0 +1,33 @@ +{ + # + # The tunneled EAP session needs a default EAP type + # which is separate from the one for the non-tunneled + # EAP module. Inside of the TLS/PEAP tunnel, we + # recommend using EAP-MS-CHAPv2. + # + # The PEAP module needs the TLS module to be installed + # and configured, in order to use the TLS tunnel + # inside of the EAP packet. You will still need to + # configure the TLS module, even if you do not want + # to deploy EAP-TLS in your network. Users will not + # be able to request EAP-TLS, as it requires them to + # have a client certificate. EAP-PEAP does not + # require a client certificate. + # +} + peap \{ + tls = tls-common + +{ # The tunneled EAP session needs a default + # EAP type which is separate from the one for + # the non-tunneled EAP module. Inside of the + # PEAP tunnel, we recommend using MS-CHAPv2, + # as that is the default type supported by + # Windows clients. +} default_eap_type = mschapv2 + + + copy_request_to_tunnel = no + use_tunneled_reply = no + + \} diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/45mschapv2 e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/45mschapv2 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/45mschapv2 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/45mschapv2 2005-06-11 14:25:34.000000000 -0400 
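Review bot: The `peap` section sets `tls = tls-common`, `copy_request_to_tunnel = no` and `use_tunneled_reply = no` but, unlike the `ttls` section in `39ttls`, no `virtual_server`; per the comment in `39ttls`, the inner MS-CHAPv2 request is then processed by the same virtual server as the outer request rather than by inner-tunnel, so the two tunnelled methods end up with different inner policy. Either add `virtual_server = "inner-tunnel"` after `default_eap_type = mschapv2` to match TTLS, or add a comment stating why PEAP deliberately uses the outer site. The run of blank `+` lines between `default_eap_type` and `copy_request_to_tunnel` looks accidental.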
@@ -0,0 +1,18 @@
+{
+ #
+ # This takes no configuration.
+ #
+ # Note that it is the EAP MS-CHAPv2 sub-module, not
+ # the main 'mschap' module.
+ #
+ # Note also that in order for this sub-module to work,
+ # the main 'mschap' module MUST ALSO be configured.
+ #
+ # This module is the *Microsoft* implementation of MS-CHAPv2
+ # in EAP. There is another (incompatible) implementation
+ # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
+ # currently support.
+ #
+}
+ mschapv2 \{
+ \}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/99end
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/99end 1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/99end 2005-06-11 14:25:39.000000000 -0400
@@ -0,0 +1 @@
+\}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/ldap/25modules30ldap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/ldap/25modules30ldap
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/ldap/25modules30ldap 1969-12-31 19:00:00.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/ldap/25modules30ldap 2016-04-01 12:33:08.367000000 -0400
@@ -0,0 +1,291 @@ +{ + + use esmith::util; + $OUT = ''; + + $pw = esmith::util::LdapPassword(); + $base = esmith::util::ldapBase ($DomainName); + +} ldap \{ + server = "localhost" + identity = "cn=root,{ $base }" + password = { $pw } + basedn = "{ $base }" + filter = "(&(objectClass=posixAccount)(uid=%\{Stripped-User-Name:-%\{User-Name\}\}))" + ldap_connections_number = 5 + timeout = 4 + timelimit = 3 + net_timeout = 3 + tls \{ + start_tls = no + \} + groupname_attribute = cn + groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%\{Stripped-User-Name:-%\{User-Name\}\}))" + + update \{ + control:Password-With-Header += 'userPassword' + + \} + user \{ + # Where to start searching in the tree for users +# base_dn = "$\{..base_dn\}" + + # Filter for user objects, should be specific enough + # to identify a single user object. +# filter = "(uid=%\{%\{Stripped-User-Name\}:-%\{User-Name\}\})" + \} + group \{ + # Where to start searching in the tree for groups +# base_dn = "$\{..base_dn\}" + + # Filter for group objects, should match all available + # group objects a user might be a member of. +# filter = "(objectClass=posixGroup)" +# membership_attribute = "memberOf" + \} + + profile \{ + # Filter for RADIUS profile objects +# filter = "(objectclass=radiusprofile)" + + # The default profile applied to all users. +# default = "cn=radprofile,dc=example,dc=org" + + # The list of profiles which are applied (after the default) + # to all users. + # The "User-Profile" attribute in the control list + # will override this setting at run-time. 
+# attribute = "radiusProfileDn" + \} + + + client \{ + # Where to start searching in the tree for clients +# base_dn = "$\{..base_dn\}" + + # + # Filter to match client objects + # +# filter = '(objectClass=frClient)' + + # Search scope, may be 'base', 'one', 'sub' or 'children' +# scope = 'sub' + + # + # Client attribute mappings are in the format: + # = + # + # Arbitrary attributes (accessible by %{client:}) are not yet supported. + # + # The following attributes are required: + # * identifier - IPv4 address, or IPv4 address with prefix, or hostname. + # * secret - RADIUS shared secret. + # + # The following attributes are optional: + # * shortname - Friendly name associated with the client + # * nas_type - NAS Type + # * virtual_server - Virtual server to associate the client with + # * require_message_authenticator - Whether we require the Message-Authenticator + # attribute to be present in requests from the client. + # + # Schemas are available in doc/schemas/ldap for openldap and eDirectory + # + attribute \{ +# identifier = 'radiusClientIdentifier' +# secret = 'radiusClientSecret' +# shortname = 'radiusClientShortname' +# nas_type = 'radiusClientType' +# virtual_server = 'radiusClientVirtualServer' +# require_message_authenticator = 'radiusClientRequireMa' + \} + \} + + + + # Useful for recording things like the last time the user logged + # in, or the Acct-Session-ID for CoA/DM. + # + # LDAP modification items are in the format: + # + # + # Where: + # : The LDAP attribute to add modify or delete. + # : One of the assignment operators: + # (:=, +=, -=, ++). + # Note: '=' is *not* supported. + # : The value to add modify or delete. + # + # WARNING: If using the ':=' operator with a multi-valued LDAP + # attribute, all instances of the attribute will be removed and + # replaced with a single attribute. 
+ accounting \{ + reference = "%\{tolower:type.%\{Acct-Status-Type\}\}" + + type \{ + start \{ + update \{ + description := "Online at %S" + \} + \} + + interim-update \{ + update \{ + description := "Last seen at %S" + \} + \} + + stop \{ + update \{ + description := "Offline at %S" + \} + \} + \} + \} + + + + + # + # Post-Auth can modify LDAP objects too + # + post-auth \{ + update \{ + description := "Authenticated at %S" + \} + \} + + + + + + # LDAP connection-specific options. + # + # These options set timeouts, keep-alives, etc. for the connections. + # + options \{ + # Control under which situations aliases are followed. + # May be one of 'never', 'searching', 'finding' or 'always' + # default: libldap's default which is usually 'never'. + # + # LDAP_OPT_DEREF is set to this value. +# dereference = 'always' + + # + # The following two configuration items control whether the + # server follows references returned by LDAP directory. + # They are mostly for Active Directory compatibility. + # If you set these to "no", then searches will likely return + # "operations error", instead of a useful result. + # + chase_referrals = yes + rebind = yes + + # Seconds to wait for LDAP query to finish. default: 20 + timeout = 10 + + # Seconds LDAP server has to process the query (server-side + # time limit). default: 20 + # + # LDAP_OPT_TIMELIMIT is set to this value. + timelimit = 3 + + # Seconds to wait for response of the server. (network + # failures) default: 10 + # + # LDAP_OPT_NETWORK_TIMEOUT is set to this value. + net_timeout = 1 + + # LDAP_OPT_X_KEEPALIVE_IDLE + idle = 60 + + # LDAP_OPT_X_KEEPALIVE_PROBES + probes = 3 + + # LDAP_OPT_X_KEEPALIVE_INTERVAL + interval = 3 + + # ldap_debug: debug flag for LDAP SDK + # (see OpenLDAP documentation). Set this to enable + # huge amounts of LDAP debugging on the screen. + # You should only use this if you are an LDAP expert. 
+ # + # default: 0x0000 (no debugging messages) + # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) + ldap_debug = 0x0028 + \} + + + # The connection pool is new for 3.0, and will be used in many + # modules, for all kinds of connection-related activity. + # + # When the server is not threaded, the connection pool + # limits are ignored, and only one connection is used. + pool \{ + # Number of connections to start + start = 5 + + # Minimum number of connections to keep open + min = 4 + + # Maximum number of connections + # + # If these connections are all in use and a new one + # is requested, the request will NOT get a connection. + # + # Setting 'max' to LESS than the number of threads means + # that some threads may starve, and you will see errors + # like "No connections available and at max connection limit" + # + # Setting 'max' to MORE than the number of threads means + # that there are more connections than necessary. + max = $\{thread[pool].max_servers\} + + # Spare connections to be left idle + # + # NOTE: Idle connections WILL be closed if "idle_timeout" + # is set. + spare = 3 + + # Number of uses before the connection is closed + # + # 0 means "infinite" + uses = 0 + + # The lifetime (in seconds) of the connection + lifetime = 0 + + # Idle timeout (in seconds). A connection which is + # unused for this length of time will be closed. + idle_timeout = 60 + + # NOTE: All configuration settings are enforced. If a + # connection is closed because of "idle_timeout", + # "uses", or "lifetime", then the total number of + # connections MAY fall below "min". When that + # happens, it will open a new connection. It will + # also log a WARNING message. + # + # The solution is to either lower the "min" connections, + # or increase lifetime/idle_timeout. 
+ \} + + + + + + + + + + + + + + + + + + + + + \} diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/05init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/05init --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/05init 2016-02-05 16:34:10.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/05init 2016-04-01 09:29:51.476000000 -0400 @@ -27,9 +27,17 @@ raddbdir = $\{sysconfdir\}/raddb radacctdir = $\{logdir\}/radacct +{ +# +# name of the running server. See also the "-n" command-line option. +} +name = radiusd + confdir = $\{raddbdir\} +modconfdir = $\{confdir\}/mods-config +certdir = $\{confdir\}/certs +cadir = $\{confdir\}/certs run_dir = $\{localstatedir\}/run/radiusd -log_file = $\{logdir\}/radius.log { # libdir: Where to find the rlm_* modules. # 
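Review bot: `password = { $pw }` inserts the LDAP root password into the rendered file unquoted, so a password containing whitespace, `#`, `{` or `}` would be truncated or mis-parsed by the config reader; write it as `password = "{ $pw }"` and escape `"` and `\` in the Perl block before interpolating. Binding as `identity = "cn=root,{ $base }"` also gives radiusd full write access to the directory when it only needs to read `userPassword` and update `description`; a dedicated bind DN with those rights would be least privilege, and because the rendered file embeds this password its ownership and mode must be restricted (not visible in this diff). The timeouts are set twice with different values — top-level `timeout = 4` / `net_timeout = 3` versus `options { timeout = 10 ... net_timeout = 1 }` — and the top-level `basedn`, `filter` and `groupmembership_filter` keys are the FreeRADIUS 2 layout while the v3 `user {}` / `group {}` subsections beside them are commented out; confirm which set this rlm_ldap honours and delete the other. `ldap_debug = 0x0028` enables SDK filter/connection tracing, which writes searched user names to the log, in a production template. The twenty-odd blank `+` lines before the closing `\}` are noise.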
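Review bot: `log_file = $\{logdir\}/radius.log` is removed from this hunk without a replacement; FreeRADIUS 3 expects the destination in a `log { destination = files  file = ... }` section, so unless another template fragment not in this diff provides one, the log location falls back to the compiled-in default. The new `certdir` and `cadir` both resolve to `$\{confdir\}/certs` while `tls-common` in `35tlscommon` still addresses the same directory as `$\{raddbdir\}/certs`; a comment such as `# certdir/cadir are the same directory as ${raddbdir}/certs used by mods-available/eap` would stop a future edit from moving only one of them.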
@@ -73,31 +81,45 @@ # # e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid` } -pidfile = $\{run_dir\}/radiusd.pid +pidfile = $\{run_dir\}/$\{name\}.pid { -# user/group: The name (or #number) of the user/group to run radiusd as. +# panic_action: Command to execute if the server dies unexpectedly. +# +# FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT. +# AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS. +# AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART. +# +# THE SERVER MUST NOT BE ALLOWED EXECUTE UNTRUSTED PANIC ACTION CODE +# PATTACH CAN BE USED AS AN ATTACK VECTOR. +# +# The panic action is a command which will be executed if the server +# receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS, +# SIGABRT or SIGFPE. # -# If these are commented out, the server will run as the user/group -# that started it. In order to change to a different user/group, you -# MUST be root ( or have root privleges ) to start the server. +# This can be used to start an interactive debugging session so +# that information regarding the current state of the server can +# be acquired. # -# We STRONGLY recommend that you run the server with as few permissions -# as possible. That is, if you're not using shadow passwords, the -# user and group items below should be set to 'nobody'. +# The following string substitutions are available: +# - %e The currently executing program e.g. /sbin/radiusd +# - %p The PID of the currently executing program e.g. 12345 # -# On SCO (ODT 3) use "user = nouser" and "group = nogroup". +# Standard ${} substitutions are also allowed. # -# NOTE that some kernels refuse to setgid(group) when the value of -# (unsigned)group is above 60000; don't use group nobody on these systems! +# An example panic action for opening an interactive session in GDB would be: +# +#panic_action = "gdb %e %p" +# +# Again, don't use that on a production system. 
+# +# An example panic action for opening an automated session in GDB would be: +# +#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log" +# +# That command can be used on a production system. # -# On systems with shadow passwords, you might have to set 'group = shadow' -# for the server to be able to read the shadow password file. If you can -# authenticate users while in debug mode, but not in daemon mode, it may be -# that the debugging mode server is running as a user that can read the -# shadow info, and the user listed below can not. } -user = root -group = root + { # max_request_time: The maximum time (in seconds) to handle a request. # @@ -207,13 +229,6 @@ } hostname_lookups = no { -# Core dumps are a bad thing. This should only be set to 'yes' -# if you're debugging a problem with the server. -# -# allowed values: \{no, yes\} -} -allow_core_dumps = no -{ # Regular expressions # # These items are set at configure time. If they're set to "yes", 
@@ -225,27 +240,6 @@ regular_expressions = yes extended_expressions = yes { -# Log the full User-Name attribute, as it was found in the request. -# -# allowed values: \{no, yes\} -} -log_stripped_names = no -{ -# Log authentication requests to the log file. -# -# allowed values: \{no, yes\} -} -log_auth = no -{ -# Log passwords with the authentication requests. -# log_auth_badpass - logs password if it's rejected -# log_auth_goodpass - logs password if it's correct -# -# allowed values: \{no, yes\} -} -log_auth_badpass = no -log_auth_goodpass = no -{ # usercollide: Turn "username collision" code on and off. See the # "doc/duplicate-users" file # diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/07log e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/07log --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/07log 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/07log 2016-04-01 09:21:32.222000000 -0400 
@@ -0,0 +1,127 @@ +{ +# +# Logging section. The various "log_*" configuration items +# will eventually be moved here. +# +# previously this section was only: +#log_file = $\{logdir\}/radius.log +} +log \{ +{ + # + # Destination for log messages. This can be one of: + # + # files - log to "file", as defined below. + # syslog - to syslog (see also the "syslog_facility", below. + # stdout - standard output + # stderr - standard error. + # + # The command-line option "-X" over-rides this option, and forces + # logging to go to stdout. + # +} destination = files +{ + # + # Highlight important messages sent to stderr and stdout. + # + # Option will be ignored (disabled) if output if TERM is not + # an xterm or output is not to a TTY. + # +} colourise = yes +{ + # + # The logging messages for the server are appended to the + # tail of this file if destination == "files" + # + # If the server is running in debugging mode, this file is + # NOT used. + # +} file = ${logdir}/radius.log +{ + # + # If this configuration parameter is set, then log messages for + # a *request* go to this file, rather than to radius.log. + # + # i.e. This is a log file per request, once the server has accepted + # the request as being from a valid client. Messages that are + # not associated with a request still go to radius.log. + # + # Not all log messages in the server core have been updated to use + # this new internal API. As a result, some messages will still + # go to radius.log. Please submit patches to fix this behavior. + # + # The file name is expanded dynamically. You should ONLY user + # server-side attributes for the filename (e.g. things you control). + # Using this feature MAY also slow down the server substantially, + # especially if you do thinks like SQL calls as part of the + # expansion of the filename. + # + # The name of the log file should use attributes that don't change + # over the lifetime of a request, such as User-Name, + # Virtual-Server or Packet-Src-IP-Address. 
Otherwise, the log + # messages will be distributed over multiple files. + # + # Logging can be enabled for an individual request by a special + # dynamic expansion macro: %{debug: 1}, where the debug level + # for this request is set to '1' (or 2, 3, etc.). e.g. + # + # ... + # update control { + # Tmp-String-0 = "%{debug:1}" + # } + # ... + # + # The attribute that the value is assigned to is unimportant, + # and should be a "throw-away" attribute with no side effects. + # + #requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log + + # + # Which syslog facility to use, if ${destination} == "syslog" + # + # The exact values permitted here are OS-dependent. You probably + # don't want to change this. + # +} syslog_facility = daemon +{ + # Log the full User-Name attribute, as it was found in the request. + # + # allowed values: {no, yes} + # + # +} stripped_names = no +{ + # Log authentication requests to the log file. + # + # allowed values: {no, yes} + # +} auth = no +{ + # Log passwords with the authentication requests. + # auth_badpass - logs password if it's rejected + # auth_goodpass - logs password if it's correct + # + # allowed values: {no, yes} + # +} auth_badpass = no + auth_goodpass = no +{ + # Log additional text at the end of the "Login OK" messages. + # for these to work, the "auth" and "auth_goodpass" or "auth_badpass" + # configurations above have to be set to "yes". + # + # The strings below are dynamically expanded, which means that + # you can put anything you want in them. However, note that + # this expansion can be slow, and can negatively impact server + # performance. + # +} +# msg_goodpass = "" +# msg_badpass = "" +{ + # The message when the user exceeds the Simultaneous-Use limit. 
+ # +} + msg_denied = "You are already logged in - access denied" +\} + diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/10security e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/10security --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/10security 2005-06-11 12:01:54.000000000 -0400 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/10security 2016-04-01 07:32:01.846000000 -0400 
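Review bot: `} file = ${logdir}/radius.log` in the new log section leaves the braces unescaped, while this same template's own comment (`#log_file = $\{logdir\}/radius.log`) and the 05init template in this patch write the variable as `$\{logdir\}`. If this file is expanded by the e-smith template processor, as those escapes indicate, the unescaped `{logdir}` is consumed as a code block and the rendered directive no longer reads `${logdir}/radius.log`, so the server would log to an unintended path or refuse to start. Change the line to `} file = $\{logdir\}/radius.log`. The commented `#requests = ${logdir}/...` example sits inside a `{ ... }` comment block and is presumably dropped from the output, so it appears not to need the same treatment.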
@@ -6,6 +6,43 @@ # of those attacks } security \{ +{ # user/group: The name (or #number) of the user/group to run radiusd as. + # + # If these are commented out, the server will run as the + # user/group that started it. In order to change to a + # different user/group, you MUST be root ( or have root + # privileges ) to start the server. + # + # We STRONGLY recommend that you run the server with as few + # permissions as possible. That is, if you're not using + # shadow passwords, the user and group items below should be + # set to radius'. + # + # NOTE that some kernels refuse to setgid(group) when the + # value of (unsigned)group is above 60000; don't use group + # "nobody" on these systems! + # + # On systems with shadow passwords, you might have to set + # 'group = shadow' for the server to be able to read the + # shadow password file. If you can authenticate users while + # in debug mode, but not in daemon mode, it may be that the + # debugging mode server is running as a user that can read + # the shadow info, and the user listed below can not. + # + # The server will also try to use "initgroups" to read + # /etc/groups. It will join all groups where "user" is a + # member. This can allow for some finer-grained access + # controls. + # +} user = root + group = root +{ + # Core dumps are a bad thing. This should only be set to + # 'yes' if you're debugging a problem with the server. + # + # allowed values: {no, yes} + # +} allow_core_dumps = no { # max_attributes: The maximum number of attributes # permitted in a RADIUS packet. 
Packets which have MORE diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/15configuration e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/15configuration --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/15configuration 2005-06-11 14:31:14.000000000 -0400 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/15configuration 2016-04-01 07:48:08.316000000 -0400 @@ -99,4 +99,19 @@ # '0' is a special value meaning 'infinity', or 'the servers never # exit' } max_requests_per_server = 0 +{ + # If the received PPS is larger than the processed PPS, *and* + # the queue is more than half full, then new accounting + # requests are probabilistically discarded. This lowers the + # number of packets that the server needs to process. Over + # time, the server will "catch up" with the traffic. + # + # Throwing away accounting packets is usually safe and low + # impact. The NAS will retransmit them in a few seconds, or + # even a few minutes. Vendors should read RFC 5080 Section 2.2.1 + # to see how accounting packets should be retransmitted. Using + # any other method is likely to cause network meltdowns. + # +} auto_limit_acct = no + \} diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/17snmp e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/17snmp --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/17snmp 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/17snmp 2016-04-01 07:49:00.444000000 -0400 
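Review bot: `} user = root` / `group = root` is pinned even though the comment directly above it recommends running with as few permissions as possible and names the `radius` account; binding to LDAP with the credentials held in the module configuration does not require root, so the daemon keeps more privilege than its own comment asks for. If root is genuinely needed, for instance so the smbpasswd module can read `/etc/samba/smbpasswd` (the file named in the removed 25modules30smbpasswd template), record that in the template, e.g. `# root is kept here only so the smbpasswd module can read /etc/samba/smbpasswd`, otherwise drop to the packaged unprivileged account. The comment also has a stray quote: `# set to radius'.` should read `# set to 'radius'.`. The enclosing `security \{` block continues past the end of the hunk.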
@@ -0,0 +1,10 @@
+{
+######################################################################
+#
+# SNMP notifications. Uncomment the following line to enable
+# snmptraps. Note that you MUST also configure the full path
+# to the "snmptrap" command in the "trigger.conf" file.
+#
+}
+#$INCLUDE trigger.conf
+
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/20modules00init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/20modules00init
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/20modules00init 2005-06-11 14:32:26.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/20modules00init 2016-04-01 07:56:07.712000000 -0400
@@ -7,18 +7,34 @@ # in other sections of this configuration file. } modules \{ { - # Each module has a configuration as follows: - # - # name [ instance ] \{ - # config_item = value - # ... - # \} - # - # The 'name' is used to load the 'rlm_name' library - # which implements the functionality of the module. - # - # The 'instance' is optional. To have two different instances - # of a module, it first must be referred to by 'name'. - # The different copies of the module are then created by - # inventing two 'instance' names, e.g. 'instance1' and 'instance2' + # + # Each module has a configuration as follows: + # + # name [ instance ] { + # config_item = value + # ... + # } + # + # The 'name' is used to load the 'rlm_name' library + # which implements the functionality of the module. + # + # The 'instance' is optional. To have two different instances + # of a module, it first must be referred to by 'name'. + # The different copies of the module are then created by + # inventing two 'instance' names, e.g. 'instance1' and 'instance2' + # + # The instance names can then be used in later configuration + # INSTEAD of the original 'name'. See the 'radutmp' configuration + # for an example. + # + + # + # As of 3.0, modules are in mods-enabled/. Files matching + # the regex /[a-zA-Z0-9_.]+/ are loaded. The modules are + # initialized ONLY if they are referenced in a processing + # section, such as authorize, authenticate, accounting, + # pre/post-proxy, etc. + # } + $INCLUDE mods-enabled/ + diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules05preprocess e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules05preprocess --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules05preprocess 2005-06-11 14:37:58.000000000 -0400 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules05preprocess 1969-12-31 19:00:00.000000000 -0500 
@@ -1,47 +0,0 @@ -{ - # Preprocess the incoming RADIUS request, before handing it off - # to other modules. -} preprocess \{ -{ - # This hack changes Ascend's wierd port numberings - # to standard 0-??? port numbers so that the "+" works - # for IP address assignments. -} with_ascend_hack = no - ascend_channels_per_line = 23 -{ - # Windows NT machines often authenticate themselves as - # NT_DOMAIN\username - # - # If this is set to 'yes', then the NT_DOMAIN portion - # of the user-name is silently discarded. - # - # This configuration entry SHOULD NOT be used. - # See the "realms" module for a better way to handle - # NT domains. -} with_ntdomain_hack = no -{ - # Specialix Jetstream 8500 24 port access server. - # - # If the user name is 10 characters or longer, a "/" - # and the excess characters after the 10th are - # appended to the user name. - # - # If you're not running that NAS, you don't need - # this hack. -} with_specialix_jetstream_hack = no -{ - # Cisco sends it's VSA attributes with the attribute - # name *again* in the string, like: - # - # H323-Attribute = "h323-attribute=value". - # - # If this configuration item is set to 'yes', then - # the redundant data in the the attribute text is stripped - # out. The result is: - # - # H323-Attribute = "value" - # - # If you're not running a Cisco NAS, you don't need - # this hack. -} with_cisco_vsa_hack = no - \} diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules10suffix e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules10suffix --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules10suffix 2005-06-11 12:11:42.000000000 -0400 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules10suffix 1969-12-31 19:00:00.000000000 -0500 
@@ -1,8 +0,0 @@
-{
- # 'username@realm'
-} realm suffix \{
- format = suffix
- delimiter = "@"
- ignore_default = yes
- ignore_null = yes
- \}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules15ntdomain e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules15ntdomain
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules15ntdomain 2005-06-11 14:12:54.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules15ntdomain 1969-12-31 19:00:00.000000000 -0500
@@ -1,8 +0,0 @@
-{
- # 'domain\user'
-} realm ntdomain \{
- format = prefix
- delimiter = "\\"
- ignore_default = no
- ignore_null = no
- \}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules20eap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules20eap
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules20eap 2005-06-11 12:08:29.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules20eap 1969-12-31 19:00:00.000000000 -0500
@@ -1,6 +0,0 @@
-{
- # Extensible Authentication Protocol
- #
- # For all EAP related authentications.
- # Now in another file, because it is very large.
-}$INCLUDE $\{confdir\}/eap.conf
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules25mschap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules25mschap
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules25mschap 2005-06-11 14:57:35.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules25mschap 1969-12-31 19:00:00.000000000 -0500
@@ -1,50 +0,0 @@ -{ - # Microsoft CHAP authentication - # - # This module supports MS-CHAP and MS-CHAPv2 authentication. - # It also enforces the SMB-Account-Ctrl attribute. -} mschap \{ -{ - # As of 0.9, the mschap module does NOT support - # reading from /etc/smbpasswd. - # - # If you are using /etc/smbpasswd, see the 'passwd' - # module for an example of how to use /etc/smbpasswd - # - # authtype value, if present, will be used - # to overwrite (or add) Auth-Type during - # authorization. Normally should be MS-CHAP -} authtype = MS-CHAP -{ - # if use_mppe is not set to no mschap will - # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and - # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2 -} use_mppe = yes -{ - # if mppe is enabled require_encryption makes - # encryption moderate -} require_encryption = yes -{ - # require_strong always requires 128 bit key - # encryption - # -} require_strong = yes -{ - # Windows sends us a username in the form of - # DOMAIN\user, but sends the challenge response - # based on only the user portion. This hack - # corrects for that incorrect behavior. -} with_ntdomain_hack = yes -{ - # The module can perform authentication itself, OR - # use a Windows Domain Controller. This configuration - # directive tells the module to call the ntlm_auth - # program, which will do the authentication, and return - # the NT-Key. Note that you MUST have "winbindd" and - # "nmbd" running on the local machine for ntlm_auth - # to work. See the ntlm_auth program documentation - # for details. - # - # Be VERY careful when editing the following line! 
- #ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%\{Stripped-User-Name:-%\{User-Name:-None\}\} --challenge=%\{mschap:Challenge:-00\} --nt-response=%\{mschap:NT-Response:-00\}" -} \} diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30ldap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30ldap --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30ldap 2013-02-13 18:00:55.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30ldap 1969-12-31 19:00:00.000000000 -0500 @@ -1,24 +0,0 @@ -{ - - use esmith::util; - $OUT = ''; - - $pw = esmith::util::LdapPassword(); - $base = esmith::util::ldapBase ($DomainName); - -} ldap \{ - server = "localhost" - identity = "cn=root,{ $base }" - password = { $pw } - basedn = "{ $base }" - filter = "(&(objectClass=posixAccount)(uid=%\{Stripped-User-Name:-%\{User-Name\}\}))" - ldap_connections_number = 5 - timeout = 4 - timelimit = 3 - net_timeout = 3 - tls \{ - start_tls = no - \} - groupname_attribute = cn - groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%\{Stripped-User-Name:-%\{User-Name\}\}))" - \} diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30smbpasswd e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30smbpasswd --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30smbpasswd 2005-06-11 14:34:29.000000000 -0400 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30smbpasswd 1969-12-31 19:00:00.000000000 -0500 
@@ -1,10 +0,0 @@
-{
- # An example configuration for using /etc/samba/smbpasswd.
-} passwd smbpasswd \{
- filename = /etc/samba/smbpasswd
- format = "*Stripped-User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
- authtype = MS-CHAP
- hashsize = 100
- ignorenislike = no
- allowmultiplekeys = no
- \}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules35files e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules35files
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules35files 2005-06-11 14:47:21.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules35files 1969-12-31 19:00:00.000000000 -0500
@@ -1,11 +0,0 @@
-{
- # Livingston-style 'users' file
-} files \{
- usersfile = $\{confdir\}/users
-{
- # If you want to use the old Cistron 'users' file
- # with FreeRADIUS, you should change the next line
- # to 'compat = cistron'. You can the copy your 'users'
- # file from Cistron.
-} compat = no
- \}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules40reject e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules40reject
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules40reject 2005-06-11 14:35:56.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules40reject 1969-12-31 19:00:00.000000000 -0500
@@ -1,6 +0,0 @@
-{
- # Each instance simply returns the same result, always, without
- # doing anything.
-} always reject \{
- rcode = reject
- \}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules45acctUnique e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules45acctUnique
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules45acctUnique 2008-10-07 13:37:19.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules45acctUnique 1969-12-31 19:00:00.000000000 -0500
@@ -1,13 +0,0 @@
-{
- # Create a unique accounting session Id. Many NASes re-use or
- # repeat values for Acct-Session-Id, causing no end of
- # confusion.
- #
- # This module will add a (probably) unique session id
- # to an accounting packet based on the attributes listed
- # below found in the packet. See doc/rlm_acct_unique for
- # more information.
- #
-} acct_unique \{
- key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
- \}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules50detail e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules50detail
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules50detail 2008-10-07 13:37:19.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules50detail 1969-12-31 19:00:00.000000000 -0500
@@ -1,36 +0,0 @@ -{ - # Write a detailed log of all accounting records received. - # -} detail \{ -{ # Note that we do NOT use NAS-IP-Address here, as - # that attribute MAY BE from the originating NAS, and - # NOT from the proxy which actually sent us the - # request. The Client-IP-Address attribute is ALWAYS - # the address of the client which sent us the - # request. - # - # The following line creates a new detail file for - # every radius client (by IP address or hostname). - # In addition, a new detail file is created every - # day, so that the detail file doesn't have to go - # through a 'log rotation' - # - # If your detail files are large, you may also want - # to add a ':%H' (see doc/variables.txt) to the end - # of it, to create a new detail file every hour, e.g.: - # - # ..../detail-%Y%m%d:%H - # - # This will create a new detail file for every hour. - # -} detailfile = $\{logdir\}/accounting.log -{ - # - # The Unix-style permissions on the 'detail' file. - # - # The detail file often contains secret or private - # information about users. So by keeping the file - # permissions restrictive, we can prevent unwanted - # people from seeing that information. -} detailperm = 0600 - \} diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization00init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization00init --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization00init 2008-10-07 13:37:19.000000000 -0400 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization00init 1969-12-31 19:00:00.000000000 -0500 
@@ -1,11 +0,0 @@
-{
-# Authorization. First preprocess (hints and huntgroups files),
-# then realms, and finally look in the "users" file.
-#
-# The order of the realm modules will determine the order that
-# we try to find a matching realm.
-#
-# Make *sure* that 'preprocess' comes before any realm if you
-# need to setup hints for the remote radius server
-}
-authorize \{
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization40default e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization40default
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization40default 2013-02-13 18:00:55.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization40default 1969-12-31 19:00:00.000000000 -0500
@@ -1,39 +0,0 @@ -{ - # The preprocess module takes care of sanitizing some bizarre - # attributes in the request, and turning them into attributes - # which are more standard. - # - # It takes care of processing the 'raddb/hints' and the - # 'raddb/huntgroups' files. - # - # It also adds the %\{Client-IP-Address\} attribute to the request. -} preprocess -{ - # If you are using multiple kinds of realms, you probably - # want to set "ignore_null = yes" for all of them. - # Otherwise, when the first style of realm doesn't match, - # the other styles won't be checked. -} suffix - ntdomain -{ - # This module takes care of EAP-PEAP authentication. - # - # It also sets the EAP-Type attribute in the request - # attribute list to the EAP type from the packet. -} eap -{ - # If the users are logging in with an MS-CHAP-Challenge - # attribute for authentication, the mschap module will find - # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' - # to the request, which will cause the server to then use - # the mschap module for authentication. -} mschap -{ - # If you are using /etc/smbpasswd, and are also doing - # mschap authentication, the un-comment this line, and - # configure the 'smbpasswd' module, above. - ( $ldap{Authentication} || 'disabled' ) eq 'enabled' ? 'ldap' : 'smbpasswd'; -} -{ - # Read the 'users' file -} files diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization99end --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization99end 2008-10-07 13:37:19.000000000 -0400 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization99end 1969-12-31 19:00:00.000000000 -0500 
@@ -1 +0,0 @@
-\}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate00setup e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate00setup
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate00setup 2008-10-07 13:37:19.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate00setup 1969-12-31 19:00:00.000000000 -0500
@@ -1,5 +0,0 @@
-{
- my @authModules = '';
- $OUT = '';
-}
-
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate10AuthMsChap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate10AuthMsChap
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate10AuthMsChap 2008-10-07 13:37:19.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate10AuthMsChap 1969-12-31 19:00:00.000000000 -0500
@@ -1,5 +0,0 @@
-{
- push(@authModules, "\tAuth-Type MS-CHAP\{\n\t\tmschap\n\t\}\n");
- $OUT = '';
-}
-
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate15ldap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate15ldap
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate15ldap 2013-02-13 18:00:55.000000000 -0500
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate15ldap 1969-12-31 19:00:00.000000000 -0500
@@ -1,5 +0,0 @@
-{
- push(@authModules, "\tAuth-Type LDAP\{\n\t\tldap\n\t\}\n");
- $OUT = '';
-}
-
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate20authEap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate20authEap
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate20authEap 2008-10-07 13:37:19.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate20authEap 1969-12-31 19:00:00.000000000 -0500
@@ -1,4 +0,0 @@
-{
- push(@authModules, "\teap\n");
- $OUT = '';
-}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate99process e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate99process
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate99process 2008-10-07 13:37:19.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate99process 1969-12-31 19:00:00.000000000 -0500
@@ -1,23 +0,0 @@
-{
-# Authentication.
-#
-# This section lists which modules are available for authentication.
-# Note that it does NOT mean 'try each module in order'. It means
-# that a module from the 'authorize' section adds a configuration
-# attribute 'Auth-Type := FOO'. That authentication type is then
-# used to pick the apropriate module from the list below.
-#
-# In general, you SHOULD NOT set the Auth-Type attribute. The server
-# will figure it out on its own, and will do the right thing. The
-# most common side effect of erroneously setting the Auth-Type
-# attribute is that one authentication method will work, but the
-# others will not.
-#
-# The common reasons to set the Auth-Type attribute by hand
-# is to either forcibly reject the user, or forcibly accept him.
-
- $OUT = "authenticate \{\n";
- $OUT .= "$_\n" foreach @authModules;
- $OUT .= "\}\n";
-
-}
diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/75preacct e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/75preacct
--- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/75preacct 2008-10-07 13:37:19.000000000 -0400
+++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/75preacct 1969-12-31 19:00:00.000000000 -0500
@@ -1,17 +0,0 @@ -{ -# -# Pre-accounting. Decide which accounting type to use. -# -}preacct \{ - preprocess -{ - # - # Ensure that we have a semi-unique identifier for every - # request, and many NAS boxes are broken. -} acct_unique -{ - # Accounting requests are generally proxied to the same - # home server as authentication requests. -} suffix - ntdomain -\} diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/77Instantiate e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/77Instantiate --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/77Instantiate 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/77Instantiate 2016-04-01 08:37:06.246000000 -0400 
@@ -0,0 +1,45 @@ +{ +# Instantiation +# +# This section orders the loading of the modules. Modules +# listed here will get loaded BEFORE the later sections like +# authorize, authenticate, etc. get examined. +# +# This section is not strictly needed. When a section like +# authorize refers to a module, it's automatically loaded and +# initialized. However, some modules may not be listed in any +# of the following sections, so they can be listed here. +# +# Also, listing modules here ensures that you have control over +# the order in which they are initialized. If one module needs +# something defined by another module, you can list them in order +# here, and ensure that the configuration will be OK. +# +# After the modules listed here have been loaded, all of the modules +# in the "mods-enabled" directory will be loaded. Loading the +# "mods-enabled" directory means that unlike Version 2, you usually +# don't need to list modules here. +# +} +instantiate \{ + # + # We list the counter module here so that it registers + # the check_name attribute before any module which sets + # it +# daily + + # subsections here can be thought of as "virtual" modules. + # + # e.g. If you have two redundant SQL servers, and you want to + # use them in the authorize and accounting sections, you could + # place a "redundant" block in each section, containing the + # exact same text. Or, you could uncomment the following + # lines, and list "redundant_sql" in the authorize and + # accounting sections. 
+ # + #redundant redundant_sql \{ + # sql1 + # sql2 + #\} +\} + diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting00init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting00init --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting00init 2008-10-07 13:37:19.000000000 -0400 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting00init 1969-12-31 19:00:00.000000000 -0500 @@ -1,5 +0,0 @@ -{ -# -# Accounting. Log the accounting data. -# -}accounting \{ diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting40default e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting40default --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting40default 2008-10-07 13:37:19.000000000 -0400 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting40default 1969-12-31 19:00:00.000000000 -0500 @@ -1,5 +0,0 @@ -{ # - # Create a 'detail'ed log of the packets. - # Note that accounting requests which are proxied - # are also logged in the detail file. -} detail diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting99end --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting99end 2008-10-07 13:37:19.000000000 -0400 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting99end 1969-12-31 19:00:00.000000000 -0500 
@@ -1 +0,0 @@ -\} diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80Policy e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80Policy --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80Policy 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80Policy 2016-04-01 08:34:12.100000000 -0400 @@ -0,0 +1,20 @@ +{ +###################################################################### +# +# Policies are virtual modules, similar to those defined in the +# "instantiate" section above. +# +# Defining a policy in one of the policy.d files means that it can be +# referenced in multiple places as a *name*, rather than as a series of +# conditions to match, and actions to take. +# +# Policies are something like subroutines in a normal language, but +# they cannot be called recursively. They MUST be defined in order. +# If policy A calls policy B, then B MUST be defined before A. +# +###################################################################### +} +policy \{ + $INCLUDE policy.d/ +\} + diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/90LoadVirtualServers e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/90LoadVirtualServers --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/90LoadVirtualServers 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/90LoadVirtualServers 2016-04-01 08:32:46.291000000 -0400 
@@ -0,0 +1,33 @@ +{ +###################################################################### +# +#<----->Load virtual servers. +# +#<----->This next $INCLUDE line loads files in the directory that +#<----->match the regular expression: /[a-zA-Z0-9_.]+/ +# +#<----->It allows you to define new virtual servers simply by placing +#<----->a file into the raddb/sites-enabled/ directory. +# +}$INCLUDE sites-enabled/ +{ +###################################################################### +# +#<----->All of the other configuration sections like "authorize {}", +#<----->"authenticate {}", "accounting {}", have been moved to the +#<----->the file: +# +#<-----><------>raddb/sites-available/default +# +#<----->This is the "default" virtual server that has the same +#<----->configuration as in version 1.0.x and 1.1.x. The default +#<----->installation enables this virtual server. You should +#<----->edit it to create policies for your local site. +# +#<----->For more documentation on virtual servers, see: +# +#<-----><------>raddb/sites-available/README +# +###################################################################### + +} diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/01init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/01init --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/01init 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/01init 2016-04-01 09:39:19.463000000 -0400 
@@ -0,0 +1,49 @@ +{ +###################################################################### +# +# As of 2.0.0, FreeRADIUS supports virtual hosts using the +# "server" section, and configuration directives. +# +# Virtual hosts should be put into the "sites-available" +# directory. Soft links should be created in the "sites-enabled" +# directory to these files. This is done in a normal installation. +# +# If you are using 802.1X (EAP) authentication, please see also +# the "inner-tunnel" virtual server. You will likely have to edit +# that, too, for authentication to work. +# +# $Id: 77c271c4820c2d609b7d0a6bc2b65636d73730bc $ +# +###################################################################### +# +# Read "man radiusd" before editing this file. See the section +# titled DEBUGGING. It outlines a method where you can quickly +# obtain the configuration you want, without running into +# trouble. See also "man unlang", which documents the format +# of this file. +# +# This configuration is designed to work in the widest possible +# set of circumstances, with the widest possible number of +# authentication methods. This means that in general, you should +# need to make very few changes to this file. +# +# The best way to configure the server for your local system +# is to CAREFULLY edit this file. Most attempts to make large +# edits to this file will BREAK THE SERVER. Any edits should +# be small, and tested by running the server with "radiusd -X". +# Once the edits have been verified to work, save a copy of these +# configuration files somewhere. (e.g. as a "tar" file). Then, +# make more edits, and test, as above. +# +# There are many "commented out" references to modules such +# as ldap, sql, etc. These references serve as place-holders. +# If you need the functionality of that module, then configure +# it in radiusd.conf, and un-comment the references to it in +# this file. 
In most cases, those small changes will result +# in the server being able to connect to the DB, and to +# authenticate users. +# +###################################################################### +} +server default \{ + diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/20listen e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/20listen --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/20listen 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/20listen 2016-04-01 10:01:03.411000000 -0400 
@@ -0,0 +1,90 @@ +{ +# listen: Make the server listen on a particular IP address, and send +# replies out from that address. This directive is most useful for +# hosts with multiple IP addresses on one interface. +# +# If you want the server to listen on additional addresses, or on +# additionnal ports, you can use multiple "listen" sections. +# +# Each section make the server listen for only one type of packet, +# therefore authentication and accounting have to be configured in +# different sections. +# +# The server ignore all "listen" section if you are using '-i' and '-p' +# on the command line. +} +# auth +listen \{ + type = auth +{ + # ipaddr/ipv4addr/ipv6addr - IP address on which to listen. + # Out of several options the first one will be used. + # + # Allowed values are: + # IPv4 address (e.g. 1.2.3.4, for ipv4addr/ipaddr) + # IPv6 address (e.g. 2001:db8::1, for ipv6addr/ipaddr) + # hostname (radius.example.com, + # A record for ipv4addr, + # AAAA record for ipv6addr, + # A or AAAA record for ipaddr) + # wildcard (*) + # + # ipv4addr = * + # ipv6addr = * +} + ipaddr = * + port = 0 +# interface = eth0 +# clients = per_socket_clients +{ + # + # Connection limiting for sockets with "proto = tcp". + # + # This section is ignored for other kinds of sockets. + # +} limit \{ +{ + # + # Limit the number of simultaneous TCP connections to the socket + # + # The default is 16. + # Setting this to 0 means "no limit" +} max_connections = 16 +{ + # The per-socket "max_requests" option does not exist. + + # + # The lifetime, in seconds, of a TCP connection. After + # this lifetime, the connection will be closed. + # + # Setting this to 0 means "forever". +} lifetime = 0 +{ + # + # The idle timeout, in seconds, of a TCP connection. + # If no packets have been received over the connection for + # this time, the connection will be closed. + # + # Setting this to 0 means "no timeout". + # + # We STRONGLY RECOMMEND that you set an idle timeout. 
+ # +} idle_timeout = 30 + \} + +\} + +# +# This second "listen" section is for listening on the accounting +# port, too. +# +listen \{ + type = acct + ipaddr = * + port = 0 +\} + + + + + diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization00init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization00init --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization00init 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization00init 2008-10-07 13:37:19.000000000 -0400 @@ -0,0 +1,11 @@ +{ +# Authorization. First preprocess (hints and huntgroups files), +# then realms, and finally look in the "users" file. +# +# The order of the realm modules will determine the order that +# we try to find a matching realm. +# +# Make *sure* that 'preprocess' comes before any realm if you +# need to setup hints for the remote radius server +} +authorize \{ diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization40default e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization40default --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization40default 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization40default 2016-04-01 10:10:46.038000000 -0400 
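Review bot: Both `listen` blocks bind with `ipaddr = *`, so the auth and acct sockets are opened on every interface, an external one included, and the only things between that socket and a remote sender are the client list in clients.conf and the host firewall. Binding to the internal address is the safer default for a server that is reachable from outside; if the configuration database exposes the LAN address to this template, something like `ipaddr = { $LocalIP }` would keep the sockets off the external interface (presumably that variable is in scope for raddb templates as it is elsewhere — confirm). Separately, the `limit { ... }` block only applies to `proto = tcp` sockets, as its own comment says, so for these UDP listeners it is inert and could be dropped to keep the template readable.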
@@ -0,0 +1,102 @@ +{ + # + # Take a User-Name, and perform some checks on it, for spaces and other + # invalid characters. If the User-Name appears invalid, reject the + # request. + # + # See policy.d/filter for the definition of the filter_username policy. + # +} filter_username +{ + # The preprocess module takes care of sanitizing some bizarre + # attributes in the request, and turning them into attributes + # which are more standard. + # + # It takes care of processing the 'raddb/hints' and the + # 'raddb/huntgroups' files. + # + # It also adds the %\{Client-IP-Address\} attribute to the request. +} preprocess +{ + # If you are using multiple kinds of realms, you probably + # want to set "ignore_null = yes" for all of them. + # Otherwise, when the first style of realm doesn't match, + # the other styles won't be checked. +} suffix + ntdomain +{ + # This module takes care of EAP-PEAP authentication. + # + # It also sets the EAP-Type attribute in the request + # attribute list to the EAP type from the packet. +} eap \{ + ok = return + \} + +{ + # If the users are logging in with an MS-CHAP-Challenge + # attribute for authentication, the mschap module will find + # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' + # to the request, which will cause the server to then use + # the mschap module for authentication. +} mschap +{ + # If you are using /etc/smbpasswd, and are also doing + # mschap authentication, the un-comment this line, and + # configure the 'smbpasswd' module, above. + ( $ldap{Authentication} || 'disabled' ) eq 'enabled' ? 'ldap' : 'smbpasswd'; +} + +{ + # + # Pull crypt'd passwords from /etc/passwd or /etc/shadow, + # using the system API's to get the password. If you want + # to read /etc/passwd or /etc/shadow directly, see the + # passwd module in radiusd.conf. + # +}# unix + + +{ + # Read the 'users' file +} files + +{ + # + # Look in an SQL database. The schema of the database + # is meant to mirror the "users" file. 
+ # + # See "Authorization Queries" in sql.conf +} -sql +{ + # + # If you are using /etc/smbpasswd, and are also doing + # mschap authentication, the un-comment this line, and + # configure the 'smbpasswd' module. +}# smbpasswd +{ + # + # The ldap module reads passwords from the LDAP database. +} -ldap + +{ # + # Enforce daily limits on time spent logged in. +# daily + + # +} expiration + logintime +{ + # + # If no other module has claimed responsibility for + # authentication, then try to use PAP. This allows the + # other modules listed above to add a "known good" password + # to the request, and to do nothing else. The PAP module + # will then see that password, and use it to do PAP + # authentication. + # + # This module should be listed last, so that the other modules + # get a chance to set Auth-Type for themselves. + # +} pap + diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization99end --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization99end 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization99end 2008-10-07 13:37:19.000000000 -0400 @@ -0,0 +1 @@ +\} diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate00setup e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate00setup --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate00setup 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate00setup 2008-10-07 13:37:19.000000000 -0400 
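Review bot: `ldap` is consulted in authorize even when LDAP authentication is switched off: the Perl block after `mschap` emits `ldap` or `smbpasswd` depending on `$ldap{Authentication}`, but the later `-ldap` line is unconditional, so whenever the module is enabled the LDAP lookup runs regardless of that setting, and runs twice per request when the setting is enabled. Either drop the `-ldap` line, since the conditional block already places `ldap`, or gate it the same way, e.g. `{ ( $ldap{Authentication} || 'disabled' ) eq 'enabled' ? '-ldap' : ''; }`. The Perl comment above the expression still reads "un-comment this line", which no longer describes what the block does; something like `# Emit 'ldap' when LDAP authentication is enabled in the config DB, otherwise fall back to /etc/smbpasswd as the MS-CHAP known-good password source` would match the code. The enclosing `authorize {` section opens in 35authorization00init and is closed in 35authorization99end, outside this hunk.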
@@ -0,0 +1,5 @@ +{ + my @authModules = ''; + $OUT = ''; +} + diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate10AuthMsChap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate10AuthMsChap --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate10AuthMsChap 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate10AuthMsChap 2008-10-07 13:37:19.000000000 -0400 @@ -0,0 +1,5 @@ +{ + push(@authModules, "\tAuth-Type MS-CHAP\{\n\t\tmschap\n\t\}\n"); + $OUT = ''; +} + diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate15ldap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate15ldap --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate15ldap 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate15ldap 2013-02-13 18:00:55.000000000 -0500 @@ -0,0 +1,5 @@ +{ + push(@authModules, "\tAuth-Type LDAP\{\n\t\tldap\n\t\}\n"); + $OUT = ''; +} + diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate20authEap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate20authEap --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate20authEap 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate20authEap 2008-10-07 13:37:19.000000000 -0400 
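Review bot: `my @authModules = '';` declares a lexical scoped to this one `{ ... }` fragment, so the `push(@authModules, ...)` calls in the sibling 40authenticate1x fragments and the `foreach @authModules` in 40authenticate99process most likely operate on the package-global `@authModules` instead, and the initialisation here never reaches it (that is how per-block lexicals behave in the template engine as far as I can tell — worth confirming with a test expansion). If the intent is a fresh, empty list on every expansion, `our @authModules = ();` would both share the variable across fragments and reset it, and it also avoids the stray empty element that `''` would otherwise contribute as a blank line in the generated `authenticate` section. The `push` pattern itself already existed in the removed radiusd.conf fragments, so the behaviour is not new, but this move is the natural point to fix it.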
@@ -0,0 +1,4 @@ +{ + push(@authModules, "\teap\n"); + $OUT = ''; +} diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate99process e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate99process --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate99process 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate99process 2008-10-07 13:37:19.000000000 -0400 @@ -0,0 +1,23 @@ +{ +# Authentication. +# +# This section lists which modules are available for authentication. +# Note that it does NOT mean 'try each module in order'. It means +# that a module from the 'authorize' section adds a configuration +# attribute 'Auth-Type := FOO'. That authentication type is then +# used to pick the apropriate module from the list below. +# +# In general, you SHOULD NOT set the Auth-Type attribute. The server +# will figure it out on its own, and will do the right thing. The +# most common side effect of erroneously setting the Auth-Type +# attribute is that one authentication method will work, but the +# others will not. +# +# The common reasons to set the Auth-Type attribute by hand +# is to either forcibly reject the user, or forcibly accept him. + + $OUT = "authenticate \{\n"; + $OUT .= "$_\n" foreach @authModules; + $OUT .= "\}\n"; + +} diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/55preacct e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/55preacct --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/55preacct 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/55preacct 2016-04-01 11:06:09.665000000 -0400 
@@ -0,0 +1,47 @@ +{ +# +# Pre-accounting. Decide which accounting type to use. +# +}preacct \{ + preprocess +{ + # + # Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets + # into a single 64bit counter Acct-[Input|Output]-Octets64. + # +}# acct_counters64 +{ + # + # Session start times are *implied* in RADIUS. + # The NAS never sends a "start time". Instead, it sends + # a start packet, *possibly* with an Acct-Delay-Time. + # The server is supposed to conclude that the start time + # was "Acct-Delay-Time" seconds in the past. + # + # The code below creates an explicit start time, which can + # then be used in other modules. It will be *mostly* correct. + # Any errors are due to the 1-second resolution of RADIUS, + # and the possibility that the time on the NAS may be off. + # + # The start time is: NOW - delay - session_length + # +} +# update request { +# FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" +# } + +{ + # + # Ensure that we have a semi-unique identifier for every + # request, and many NAS boxes are broken. +} + + acct_unique +{ + # Accounting requests are generally proxied to the same + # home server as authentication requests. +} suffix + ntdomain + files + +\} diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting00init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting00init --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting00init 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting00init 2008-10-07 13:37:19.000000000 -0400 
@@ -0,0 +1,5 @@ +{ +# +# Accounting. Log the accounting data. +# +}accounting \{ diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting40default e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting40default --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting40default 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting40default 2008-10-07 13:37:19.000000000 -0400 @@ -0,0 +1,5 @@ +{ # + # Create a 'detail'ed log of the packets. + # Note that accounting requests which are proxied + # are also logged in the detail file. +} detail diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting99end --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting99end 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting99end 2008-10-07 13:37:19.000000000 -0400 @@ -0,0 +1 @@ +\} diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session00init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session00init --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session00init 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session00init 2016-04-01 11:13:35.135000000 -0400 
@@ -0,0 +1,6 @@ +{ +# Session database, used for checking Simultaneous-Use. Either the radutmp +# or rlm_sql module can handle this. +# The rlm_sql module is *much* faster +}session \{ + diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session99end --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session99end 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session99end 2016-04-01 11:13:53.209000000 -0400 @@ -0,0 +1 @@ +\} diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth00init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth00init --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth00init 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth00init 2016-04-01 11:14:55.538000000 -0400 @@ -0,0 +1,8 @@ +{ +# Post-Authentication +# Once we KNOW that the user has been authenticated, there are +# additional steps we can take. +}post-auth \{ + # Get an address from the IP Pool. +# main_pool + diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth99end --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth99end 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth99end 2016-04-01 11:16:54.094000000 -0400 
@@ -0,0 +1,26 @@ +{ + # Remove reply message if the response contains an EAP-Message +} remove_reply_message_if_eap +{ + # + # Access-Reject packets are sent through the REJECT sub-section of the + # post-auth section. + # + # Add the ldap module name (or instance) if you have set + # 'edir_account_policy_check = yes' in the ldap module configuration + # +} Post-Auth-Type REJECT \{ + # log failed authentications in SQL, too. + #-sql + attr_filter.access_reject + + # Insert EAP-Failure message if the request was + # rejected by policy instead of because of an + # authentication failure + eap + + # Remove reply message if the response contains an EAP-Message + remove_reply_message_if_eap + \} +\} + diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/85preproxy e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/85preproxy --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/85preproxy 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/85preproxy 2016-04-01 11:18:35.647000000 -0400 
@@ -0,0 +1,28 @@ +pre-proxy \{ +{ + # Before proxing the request add an Operator-Name attribute identifying + # if the operator-name is found for this client. + # No need to uncomment this if you have already enabled this in + # the authorize section. +}# operator-name +{ + # The client requests the CUI by sending a CUI attribute + # containing one zero byte. + # Uncomment the line below if *requesting* the CUI. +}# cui +{ + # Uncomment the following line if you want to change attributes + # as defined in the preproxy_users file. +}# files +{ + # Uncomment the following line if you want to filter requests + # sent to remote servers based on the rules defined in the + # 'attrs.pre-proxy' file. +}# attr_filter.pre-proxy +{ + # If you want to have a log of packets proxied to a home + # server, un-comment the following line, and the + # 'detail pre_proxy_log' section, above. +}# pre_proxy_log +\} + diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/90postproxy e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/90postproxy --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/90postproxy 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/90postproxy 2016-04-01 11:20:52.751000000 -0400 
@@ -0,0 +1,54 @@ +{ +# +# When the server receives a reply to a request it proxied +# to a home server, the request may be massaged here, in the +# post-proxy stage. +# +} +post-proxy \{ +{ + # If you want to have a log of replies from a home server, + # un-comment the following line, and the 'detail post_proxy_log' + # section, above. +}# post_proxy_log +{ + # Uncomment the following line if you want to filter replies from + # remote proxies based on the rules defined in the 'attrs' file. +}# attr_filter.post-proxy +{ + # + # If you are proxying LEAP, you MUST configure the EAP + # module, and you MUST list it here, in the post-proxy + # stage. + # + # You MUST also use the 'nostrip' option in the 'realm' + # configuration. Otherwise, the User-Name attribute + # in the proxied request will not match the user name + # hidden inside of the EAP packet, and the end server will + # reject the EAP request. + # +} eap +{ + # + # If the server tries to proxy a request and fails, then the + # request is processed through the modules in this section. + # + # The main use of this section is to permit robust proxying + # of accounting packets. The server can be configured to + # proxy accounting packets as part of normal processing. + # Then, if the home server goes down, accounting packets can + # be logged to a local "detail" file, for processing with + # radrelay. When the home server comes back up, radrelay + # will read the detail file, and send the packets to the + # home server. + # + # With this configuration, the server always responds to + # Accounting-Requests from the NAS, but only writes + # accounting packets to disk if the home server is down. 
+ # +}# Post-Proxy-Type Fail \{ +# detail +# \} +\} + + diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/99end --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/99end 1969-12-31 19:00:00.000000000 -0500 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/99end 2016-04-01 09:40:43.175000000 -0400 @@ -0,0 +1,7 @@ + +\} +{ +# +#end of default server +# +}