/[smeserver]/rpms/e-smith-radiusd/sme10/e-smith-radiusd-2.6.0-freeradius3.patch
ViewVC logotype

Contents of /rpms/e-smith-radiusd/sme10/e-smith-radiusd-2.6.0-freeradius3.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.3 - (show annotations) (download)
Tue Apr 12 10:16:09 2016 UTC (8 years, 7 months ago) by unnilennium
Branch: MAIN
CVS Tags: e-smith-radiusd-2_6_0-22_el7_sme, e-smith-radiusd-2_6_0-12_el7_sme, e-smith-radiusd-2_6_0-13_el7_sme, e-smith-radiusd-2_6_0-21_el7_sme, e-smith-radiusd-2_6_0-23_el7_sme, e-smith-radiusd-2_6_0-10_el7_sme, e-smith-radiusd-2_6_0-20_el7_sme, e-smith-radiusd-2_6_0-15_el7_sme, e-smith-radiusd-2_6_0-19_el7_sme, e-smith-radiusd-2_6_0-14_el7_sme, e-smith-radiusd-2_6_0-11_el7_sme, e-smith-radiusd-2_6_0-16_el7_sme, e-smith-radiusd-2_6_0-9_el7_sme, e-smith-radiusd-2_6_0-18_el7_sme, e-smith-radiusd-2_6_0-17_el7_sme, e-smith-radiusd-2_6_0-8_el7_sme, HEAD
Changes since 1.2: +2 -2 lines
* Tue Apr 12 2016 Jean-Philipe Pialasse <tests@pialasse.com> 2.6.0-8.sme
- escaped {} characters in ldap template [SME: 9434]

1 diff -Nur e-smith-radiusd-2.6.0.old/createlinks e-smith-radiusd-2.6.0/createlinks
2 --- e-smith-radiusd-2.6.0.old/createlinks 2016-02-05 16:34:10.000000000 -0500
3 +++ e-smith-radiusd-2.6.0/createlinks 2016-04-01 12:42:04.837000000 -0400
4 @@ -24,7 +24,9 @@
5
6 foreach (qw(
7 raddb/clients.conf
8 - raddb/eap.conf
9 + raddb/mods-available/eap
10 + raddb/mods-available/ldap
11 + raddb/sites-available/default
12 raddb/proxy.conf
13 radiusclient-ng/servers))
14 {
15 @@ -33,7 +35,7 @@
16 console-save
17 domain-modify
18 remoteaccess-update
19 - ldap-update
20 + ldap-update
21 ));
22 }
23
24 @@ -46,7 +48,7 @@
25 console-save
26 domain-modify
27 remoteaccess-update
28 - ldap-update
29 + ldap-update
30 ));
31 }
32
33 @@ -68,3 +70,9 @@
34
35 safe_symlink("../daemontools", "root/etc/rc.d/init.d/supervise/radiusd");
36 service_link_enhanced("radiusd", "S90", "7");
37 +
38 +# activate modules
39 +#safe_symlink("../mods-available/realm", "root/etc/raddb/mods-enabled/realm");
40 +safe_symlink("../mods-available/ldap", "root/etc/raddb/mods-enabled/ldap");
41 +safe_symlink("../mods-available/smbpasswd", "root/etc/raddb/mods-enabled/smbpasswd");
42 +
43 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/clients.conf/10localhost e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/clients.conf/10localhost
44 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/clients.conf/10localhost 2008-10-07 13:37:19.000000000 -0400
45 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/clients.conf/10localhost 2016-04-01 11:45:59.890000000 -0400
46 @@ -46,7 +46,7 @@
47 # other # for all other types
48
49 #
50 -} nastype = other
51 +} nas_type = other
52 {
53 #
54 # The following two configurations are for future use.
55 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/10eap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/10eap
56 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/10eap 2005-06-11 14:24:39.000000000 -0400
57 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/10eap 1969-12-31 19:00:00.000000000 -0500
58 @@ -1 +0,0 @@
59 -eap \{
60 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/15defaultType e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/15defaultType
61 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/15defaultType 2005-06-11 14:24:51.000000000 -0400
62 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/15defaultType 1969-12-31 19:00:00.000000000 -0500
63 @@ -1,14 +0,0 @@
64 -{
65 - # Invoke the default supported EAP type when
66 - # EAP-Identity response is received.
67 - #
68 - # The incoming EAP messages DO NOT specify which EAP
69 - # type they will be using, so it MUST be set here.
70 - #
71 - # For now, only one default EAP type may be used at a time.
72 - #
73 - # If the EAP-Type attribute is set by another module,
74 - # then that EAP type takes precedence over the
75 - # default type configured here.
76 - #
77 -} default_eap_type = peap
78 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/20timerExpire e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/20timerExpire
79 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/20timerExpire 2005-06-11 14:24:56.000000000 -0400
80 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/20timerExpire 1969-12-31 19:00:00.000000000 -0500
81 @@ -1,7 +0,0 @@
82 -{
83 - # A list is maintained to correlate EAP-Response
84 - # packets with EAP-Request packets. After a
85 - # configurable length of time, entries in the list
86 - # expire, and are deleted.
87 - #
88 -} timer_expire = 60
89 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/25ignoreUnknown e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/25ignoreUnknown
90 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/25ignoreUnknown 2005-06-11 14:25:19.000000000 -0400
91 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/25ignoreUnknown 1969-12-31 19:00:00.000000000 -0500
92 @@ -1,14 +0,0 @@
93 -{
94 - # There are many EAP types, but the server has support
95 - # for only a limited subset. If the server receives
96 - # a request for an EAP type it does not support, then
97 - # it normally rejects the request. By setting this
98 - # configuration to "yes", you can tell the server to
99 - # instead keep processing the request. Another module
100 - # MUST then be configured to proxy the request to
101 - # another RADIUS server which supports that EAP type.
102 - #
103 - # If another module is NOT configured to handle the
104 - # request, then the request will still end up being
105 - # rejected.
106 -} ignore_unknown_eap_types = no
107 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/30ciscoBug e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/30ciscoBug
108 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/30ciscoBug 2005-06-11 14:25:22.000000000 -0400
109 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/30ciscoBug 1969-12-31 19:00:00.000000000 -0500
110 @@ -1,8 +0,0 @@
111 -{
112 - # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
113 - # a User-Name attribute in an Access-Accept, it copies one
114 - # more byte than it should.
115 - #
116 - # We can work around it by configurably adding an extra
117 - # zero byte.
118 -} cisco_accounting_username_bug = no
119 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/35tls e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/35tls
120 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/35tls 2005-06-13 12:12:02.000000000 -0400
121 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/35tls 1969-12-31 19:00:00.000000000 -0500
122 @@ -1,64 +0,0 @@
123 -{
124 - ## EAP-TLS
125 - #
126 - # To generate ctest certificates, run the script
127 - #
128 - # ../scripts/certs.sh
129 - #
130 - # The documents on http://www.freeradius.org/doc
131 - # are old, but may be helpful.
132 - #
133 - # See also:
134 - #
135 - # http://www.dslreports.com/forum/remark,9286052~mode=flat
136 - #
137 -}
138 - tls \{
139 - private_key_password = whatever
140 - private_key_file = $\{raddbdir\}/certs/radiusd.pem
141 - certificate_file = $\{raddbdir\}/certs/radiusd.pem
142 - CA_file = $\{raddbdir\}/certs/radiusd.pem
143 - dh_file = $\{raddbdir\}/certs/dh
144 - random_file = $\{raddbdir\}/certs/random
145 -{
146 - #
147 - # This can never exceed the size of a RADIUS
148 - # packet (4096 bytes), and is preferably half
149 - # that, to accomodate other attributes in
150 - # RADIUS packet. On most APs the MAX packet
151 - # length is configured between 1500 - 1600
152 - # In these cases, fragment size should be
153 - # 1024 or less.
154 - #
155 -} #fragment_size = 1024
156 -{
157 - # include_length is a flag which is
158 - # by default set to yes If set to
159 - # yes, Total Length of the message is
160 - # included in EVERY packet we send.
161 - # If set to no, Total Length of the
162 - # message is included ONLY in the
163 - # First packet of a fragment series.
164 - #
165 -} #include_length = yes
166 -{
167 - # Check the Certificate Revocation List
168 - #
169 - # 1) Copy CA certificates and CRLs to same directory.
170 - # 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
171 - # 'c_rehash' is OpenSSL's command.
172 - # 3) Add 'CA_path=<CA certs&CRLs directory>'
173 - # to radiusd.conf's tls section.
174 - # 4) uncomment the line below.
175 - # 5) Restart radiusd
176 -} #check_crl = yes
177 -{
178 - #
179 - # If check_cert_cn is set, the value will
180 - # be xlat'ed and checked against the CN
181 - # in the client certificate. If the values
182 - # do not match, the certificate verification
183 - # will fail rejecting the user.
184 - #
185 -} #check_cert_cn = %\{User-Name\}
186 - \}
187 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/40peap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/40peap
188 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/40peap 2005-06-11 14:25:31.000000000 -0400
189 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/40peap 1969-12-31 19:00:00.000000000 -0500
190 @@ -1,26 +0,0 @@
191 -{
192 - #
193 - # The tunneled EAP session needs a default EAP type
194 - # which is separate from the one for the non-tunneled
195 - # EAP module. Inside of the TLS/PEAP tunnel, we
196 - # recommend using EAP-MS-CHAPv2.
197 - #
198 - # The PEAP module needs the TLS module to be installed
199 - # and configured, in order to use the TLS tunnel
200 - # inside of the EAP packet. You will still need to
201 - # configure the TLS module, even if you do not want
202 - # to deploy EAP-TLS in your network. Users will not
203 - # be able to request EAP-TLS, as it requires them to
204 - # have a client certificate. EAP-PEAP does not
205 - # require a client certificate.
206 - #
207 -}
208 - peap \{
209 -{ # The tunneled EAP session needs a default
210 - # EAP type which is separate from the one for
211 - # the non-tunneled EAP module. Inside of the
212 - # PEAP tunnel, we recommend using MS-CHAPv2,
213 - # as that is the default type supported by
214 - # Windows clients.
215 -} default_eap_type = mschapv2
216 - \}
217 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/45mschapv2 e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/45mschapv2
218 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/45mschapv2 2005-06-11 14:25:34.000000000 -0400
219 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/45mschapv2 1969-12-31 19:00:00.000000000 -0500
220 @@ -1,18 +0,0 @@
221 -{
222 - #
223 - # This takes no configuration.
224 - #
225 - # Note that it is the EAP MS-CHAPv2 sub-module, not
226 - # the main 'mschap' module.
227 - #
228 - # Note also that in order for this sub-module to work,
229 - # the main 'mschap' module MUST ALSO be configured.
230 - #
231 - # This module is the *Microsoft* implementation of MS-CHAPv2
232 - # in EAP. There is another (incompatible) implementation
233 - # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
234 - # currently support.
235 - #
236 -}
237 - mschapv2 \{
238 - \}
239 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/99end
240 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/eap.conf/99end 2005-06-11 14:25:39.000000000 -0400
241 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/eap.conf/99end 1969-12-31 19:00:00.000000000 -0500
242 @@ -1 +0,0 @@
243 -\}
244 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/10eap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/10eap
245 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/10eap 1969-12-31 19:00:00.000000000 -0500
246 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/10eap 2005-06-11 14:24:39.000000000 -0400
247 @@ -0,0 +1 @@
248 +eap \{
249 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/15defaultType e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/15defaultType
250 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/15defaultType 1969-12-31 19:00:00.000000000 -0500
251 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/15defaultType 2005-06-11 14:24:51.000000000 -0400
252 @@ -0,0 +1,14 @@
253 +{
254 + # Invoke the default supported EAP type when
255 + # EAP-Identity response is received.
256 + #
257 + # The incoming EAP messages DO NOT specify which EAP
258 + # type they will be using, so it MUST be set here.
259 + #
260 + # For now, only one default EAP type may be used at a time.
261 + #
262 + # If the EAP-Type attribute is set by another module,
263 + # then that EAP type takes precedence over the
264 + # default type configured here.
265 + #
266 +} default_eap_type = peap
267 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/20timerExpire e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/20timerExpire
268 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/20timerExpire 1969-12-31 19:00:00.000000000 -0500
269 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/20timerExpire 2005-06-11 14:24:56.000000000 -0400
270 @@ -0,0 +1,7 @@
271 +{
272 + # A list is maintained to correlate EAP-Response
273 + # packets with EAP-Request packets. After a
274 + # configurable length of time, entries in the list
275 + # expire, and are deleted.
276 + #
277 +} timer_expire = 60
278 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/25ignoreUnknown e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/25ignoreUnknown
279 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/25ignoreUnknown 1969-12-31 19:00:00.000000000 -0500
280 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/25ignoreUnknown 2005-06-11 14:25:19.000000000 -0400
281 @@ -0,0 +1,14 @@
282 +{
283 + # There are many EAP types, but the server has support
284 + # for only a limited subset. If the server receives
285 + # a request for an EAP type it does not support, then
286 + # it normally rejects the request. By setting this
287 + # configuration to "yes", you can tell the server to
288 + # instead keep processing the request. Another module
289 + # MUST then be configured to proxy the request to
290 + # another RADIUS server which supports that EAP type.
291 + #
292 + # If another module is NOT configured to handle the
293 + # request, then the request will still end up being
294 + # rejected.
295 +} ignore_unknown_eap_types = no
296 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/30ciscoBug e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/30ciscoBug
297 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/30ciscoBug 1969-12-31 19:00:00.000000000 -0500
298 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/30ciscoBug 2005-06-11 14:25:22.000000000 -0400
299 @@ -0,0 +1,8 @@
300 +{
301 + # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
302 + # a User-Name attribute in an Access-Accept, it copies one
303 + # more byte than it should.
304 + #
305 + # We can work around it by configurably adding an extra
306 + # zero byte.
307 +} cisco_accounting_username_bug = no
308 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/35tlscommon e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/35tlscommon
309 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/35tlscommon 1969-12-31 19:00:00.000000000 -0500
310 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/35tlscommon 2016-04-01 12:02:53.346000000 -0400
311 @@ -0,0 +1,130 @@
312 +{
313 + ## EAP-TLS
314 + #
315 + # To generate ctest certificates, run the script
316 + #
317 + # ../scripts/certs.sh
318 + #
319 + # The documents on http://www.freeradius.org/doc
320 + # are old, but may be helpful.
321 + #
322 + # See also:
323 + #
324 + # http://www.dslreports.com/forum/remark,9286052~mode=flat
325 + #
326 + # Note that you should NOT use a globally known CA here!
327 + # e.g. using a Verisign cert as a "known CA" means that
328 + # ANYONE who has a certificate signed by them can
329 + # authenticate via EAP-TLS! This is likely not what you want.
330 +}
331 + tls-config tls-common \{
332 + private_key_password = whatever
333 + private_key_file = $\{raddbdir\}/certs/radiusd.pem
334 + certificate_file = $\{raddbdir\}/certs/radiusd.pem
335 + ca_file = $\{raddbdir\}/certs/radiusd.pem
336 + dh_file = $\{raddbdir\}/certs/dh
337 + random_file = $\{raddbdir\}/certs/random
338 +{
339 + #
340 + # This can never exceed the size of a RADIUS
341 + # packet (4096 bytes), and is preferably half
342 + # that, to accomodate other attributes in
343 + # RADIUS packet. On most APs the MAX packet
344 + # length is configured between 1500 - 1600
345 + # In these cases, fragment size should be
346 + # 1024 or less.
347 + #
348 +} #fragment_size = 1024
349 +{
350 + # include_length is a flag which is
351 + # by default set to yes If set to
352 + # yes, Total Length of the message is
353 + # included in EVERY packet we send.
354 + # If set to no, Total Length of the
355 + # message is included ONLY in the
356 + # First packet of a fragment series.
357 + #
358 +} #include_length = yes
359 +{
360 + # Check the Certificate Revocation List
361 + #
362 + # 1) Copy CA certificates and CRLs to same directory.
363 + # 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
364 + # 'c_rehash' is OpenSSL's command.
365 + # 3) Add 'CA_path=<CA certs&CRLs directory>'
366 + # to radiusd.conf's tls section.
367 + # 4) uncomment the line below.
368 + # 5) Restart radiusd
369 +} #check_crl = yes
370 +{
371 + #
372 + # If check_cert_cn is set, the value will
373 + # be xlat'ed and checked against the CN
374 + # in the client certificate. If the values
375 + # do not match, the certificate verification
376 + # will fail rejecting the user.
377 + #
378 +} #check_cert_cn = %\{User-Name\}
379 +{
380 + #
381 + # Set this option to specify the allowed
382 + # TLS cipher suites. The format is listed
383 + # in "man 1 ciphers".
384 +} cipher_list = "DEFAULT"
385 +{
386 + #
387 +
388 + #
389 + # Elliptical cryptography configuration
390 + #
391 + # Only for OpenSSL >= 0.9.8.f
392 + #
393 +} ecdh_curve = "prime256v1"
394 +
395 +{
396 + #
397 + # Session resumption / fast reauthentication
398 + # cache.
399 + #
400 + # The cache contains the following information:
401 + #
402 + # session Id - unique identifier, managed by SSL
403 + # User-Name - from the Access-Accept
404 + # Stripped-User-Name - from the Access-Request
405 + # Cached-Session-Policy - from the Access-Accept
406 + #
407 + # The "Cached-Session-Policy" is the name of a
408 + # policy which should be applied to the cached
409 + # session. This policy can be used to assign
410 + # VLANs, IP addresses, etc. It serves as a useful
411 + # way to re-apply the policy from the original
412 + # Access-Accept to the subsequent Access-Accept
413 + # for the cached session.
414 + #
415 + # On session resumption, these attributes are
416 + # copied from the cache, and placed into the
417 + # reply list.
418 + #
419 + # You probably also want "use_tunneled_reply = yes"
420 + # when using fast session resumption.
421 + #
422 +} cache \{
423 + enable = yes
424 + lifetime = 24 # hours
425 + max_entries = 255
426 + \}
427 +{
428 + #
429 + # As of version 2.1.10, client certificates can be
430 + # validated via an external command. This allows
431 + # dynamic CRLs or OCSP to be used.
432 + #
433 + # This configuration is commented out in the
434 + # default configuration. Uncomment it, and configure
435 + # the correct paths below to enable it.
436 + #
437 +}
438 +
439 +
440 +
441 + \}
442 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/37tls e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/37tls
443 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/37tls 1969-12-31 19:00:00.000000000 -0500
444 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/37tls 2016-04-01 12:06:29.540000000 -0400
445 @@ -0,0 +1,21 @@
446 +{
447 + ## EAP-TLS
448 + #
449 + # As of Version 3.0, the TLS configuration for TLS-based
450 + # EAP types is above in the "tls-config" section.
451 + #
452 +}
453 + tls \{
454 +{
455 + # Point to the common TLS configuration
456 +} tls = tls-common
457 +{
458 + #
459 + # As part of checking a client certificate, the EAP-TLS
460 + # sets some attributes such as TLS-Client-Cert-CN. This
461 + # virtual server has access to these attributes, and can
462 + # be used to accept or reject the request.
463 + #
464 +} # virtual_server = check-eap-tls
465 + \}
466 +
467 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/39ttls e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/39ttls
468 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/39ttls 1969-12-31 19:00:00.000000000 -0500
469 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/39ttls 2016-04-01 12:08:51.030000000 -0400
470 @@ -0,0 +1,90 @@
471 +{
472 + ## EAP-TTLS
473 + #
474 + # The TTLS module implements the EAP-TTLS protocol,
475 + # which can be described as EAP inside of Diameter,
476 + # inside of TLS, inside of EAP, inside of RADIUS...
477 + #
478 + # Surprisingly, it works quite well.
479 + #
480 +} ttls \{
481 +{
482 + # Which tls-config section the TLS negotiation parameters
483 + # are in - see EAP-TLS above for an explanation.
484 + #
485 + # In the case that an old configuration from FreeRADIUS
486 + # v2.x is being used, all the options of the tls-config
487 + # section may also appear instead in the 'tls' section
488 + # above. If that is done, the tls= option here (and in
489 + # tls above) MUST be commented out.
490 + #
491 +} tls = tls-common
492 +{
493 + # The tunneled EAP session needs a default EAP type
494 + # which is separate from the one for the non-tunneled
495 + # EAP module. Inside of the TTLS tunnel, we recommend
496 + # using EAP-MD5. If the request does not contain an
497 + # EAP conversation, then this configuration entry is
498 + # ignored.
499 + #
500 +} default_eap_type = md5
501 +{
502 + # The tunneled authentication request does not usually
503 + # contain useful attributes like 'Calling-Station-Id',
504 + # etc. These attributes are outside of the tunnel,
505 + # and normally unavailable to the tunneled
506 + # authentication request.
507 + #
508 + # By setting this configuration entry to 'yes',
509 + # any attribute which is NOT in the tunneled
510 + # authentication request, but which IS available
511 + # outside of the tunnel, is copied to the tunneled
512 + # request.
513 + #
514 + # allowed values: {no, yes}
515 + #
516 +} copy_request_to_tunnel = no
517 +{
518 + # The reply attributes sent to the NAS are usually
519 + # based on the name of the user 'outside' of the
520 + # tunnel (usually 'anonymous'). If you want to send
521 + # the reply attributes based on the user name inside
522 + # of the tunnel, then set this configuration entry to
523 + # 'yes', and the reply to the NAS will be taken from
524 + # the reply to the tunneled request.
525 + #
526 + # allowed values: {no, yes}
527 + #
528 +} use_tunneled_reply = no
529 +{
530 + #
531 + # The inner tunneled request can be sent
532 + # through a virtual server constructed
533 + # specifically for this purpose.
534 + #
535 + # If this entry is commented out, the inner
536 + # tunneled request will be sent through
537 + # the virtual server that processed the
538 + # outer requests.
539 + #
540 +} virtual_server = "inner-tunnel"
541 +{
542 + # This has the same meaning, and overwrites, the
543 + # same field in the "tls" configuration, above.
544 + # The default value here is "yes".
545 + #
546 +} # include_length = yes
547 +{
548 + #
549 + # Unlike EAP-TLS, EAP-TTLS does not require a client
550 + # certificate. However, you can require one by setting the
551 + # following option. You can also override this option by
552 + # setting
553 + #
554 + # EAP-TLS-Require-Client-Cert = Yes
555 + #
556 + # in the control items for a request.
557 + #
558 +} # require_client_cert = yes
559 + \}
560 +
561 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/40peap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/40peap
562 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/40peap 1969-12-31 19:00:00.000000000 -0500
563 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/40peap 2016-04-01 12:04:44.387000000 -0400
564 @@ -0,0 +1,33 @@
565 +{
566 + #
567 + # The tunneled EAP session needs a default EAP type
568 + # which is separate from the one for the non-tunneled
569 + # EAP module. Inside of the TLS/PEAP tunnel, we
570 + # recommend using EAP-MS-CHAPv2.
571 + #
572 + # The PEAP module needs the TLS module to be installed
573 + # and configured, in order to use the TLS tunnel
574 + # inside of the EAP packet. You will still need to
575 + # configure the TLS module, even if you do not want
576 + # to deploy EAP-TLS in your network. Users will not
577 + # be able to request EAP-TLS, as it requires them to
578 + # have a client certificate. EAP-PEAP does not
579 + # require a client certificate.
580 + #
581 +}
582 + peap \{
583 + tls = tls-common
584 +
585 +{ # The tunneled EAP session needs a default
586 + # EAP type which is separate from the one for
587 + # the non-tunneled EAP module. Inside of the
588 + # PEAP tunnel, we recommend using MS-CHAPv2,
589 + # as that is the default type supported by
590 + # Windows clients.
591 +} default_eap_type = mschapv2
592 +
593 +
594 + copy_request_to_tunnel = no
595 + use_tunneled_reply = no
596 +
597 + \}
598 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/45mschapv2 e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/45mschapv2
599 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/45mschapv2 1969-12-31 19:00:00.000000000 -0500
600 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/45mschapv2 2005-06-11 14:25:34.000000000 -0400
601 @@ -0,0 +1,18 @@
602 +{
603 + #
604 + # This takes no configuration.
605 + #
606 + # Note that it is the EAP MS-CHAPv2 sub-module, not
607 + # the main 'mschap' module.
608 + #
609 + # Note also that in order for this sub-module to work,
610 + # the main 'mschap' module MUST ALSO be configured.
611 + #
612 + # This module is the *Microsoft* implementation of MS-CHAPv2
613 + # in EAP. There is another (incompatible) implementation
614 + # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
615 + # currently support.
616 + #
617 +}
618 + mschapv2 \{
619 + \}
620 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/99end
621 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/eap/99end 1969-12-31 19:00:00.000000000 -0500
622 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/eap/99end 2005-06-11 14:25:39.000000000 -0400
623 @@ -0,0 +1 @@
624 +\}
625 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/ldap/25modules30ldap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/ldap/25modules30ldap
626 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/mods-available/ldap/25modules30ldap 1969-12-31 19:00:00.000000000 -0500
627 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/mods-available/ldap/25modules30ldap 2016-04-01 12:33:08.367000000 -0400
628 @@ -0,0 +1,291 @@
629 +{
630 +
631 + use esmith::util;
632 + $OUT = '';
633 +
634 + $pw = esmith::util::LdapPassword();
635 + $base = esmith::util::ldapBase ($DomainName);
636 +
637 +} ldap \{
638 + server = "localhost"
639 + identity = "cn=root,{ $base }"
640 + password = { $pw }
641 + basedn = "{ $base }"
642 + filter = "(&(objectClass=posixAccount)(uid=%\{Stripped-User-Name:-%\{User-Name\}\}))"
643 + ldap_connections_number = 5
644 + timeout = 4
645 + timelimit = 3
646 + net_timeout = 3
647 + tls \{
648 + start_tls = no
649 + \}
650 + groupname_attribute = cn
651 + groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%\{Stripped-User-Name:-%\{User-Name\}\}))"
652 +
653 + update \{
654 + control:Password-With-Header += 'userPassword'
655 +
656 + \}
657 + user \{
658 + # Where to start searching in the tree for users
659 +# base_dn = "$\{..base_dn\}"
660 +
661 + # Filter for user objects, should be specific enough
662 + # to identify a single user object.
663 +# filter = "(uid=%\{%\{Stripped-User-Name\}:-%\{User-Name\}\})"
664 + \}
665 + group \{
666 + # Where to start searching in the tree for groups
667 +# base_dn = "$\{..base_dn\}"
668 +
669 + # Filter for group objects, should match all available
670 + # group objects a user might be a member of.
671 +# filter = "(objectClass=posixGroup)"
672 +# membership_attribute = "memberOf"
673 + \}
674 +
675 + profile \{
676 + # Filter for RADIUS profile objects
677 +# filter = "(objectclass=radiusprofile)"
678 +
679 + # The default profile applied to all users.
680 +# default = "cn=radprofile,dc=example,dc=org"
681 +
682 + # The list of profiles which are applied (after the default)
683 + # to all users.
684 + # The "User-Profile" attribute in the control list
685 + # will override this setting at run-time.
686 +# attribute = "radiusProfileDn"
687 + \}
688 +
689 +
690 + client \{
691 + # Where to start searching in the tree for clients
692 +# base_dn = "$\{..base_dn\}"
693 +
694 + #
695 + # Filter to match client objects
696 + #
697 +# filter = '(objectClass=frClient)'
698 +
699 + # Search scope, may be 'base', 'one', 'sub' or 'children'
700 +# scope = 'sub'
701 +
702 + #
703 + # Client attribute mappings are in the format:
704 + # <client attribute> = <ldap attribute>
705 + #
706 + # Arbitrary attributes (accessible by %\{client:<attr>\}) are not yet supported.
707 + #
708 + # The following attributes are required:
709 + # * identifier - IPv4 address, or IPv4 address with prefix, or hostname.
710 + # * secret - RADIUS shared secret.
711 + #
712 + # The following attributes are optional:
713 + # * shortname - Friendly name associated with the client
714 + # * nas_type - NAS Type
715 + # * virtual_server - Virtual server to associate the client with
716 + # * require_message_authenticator - Whether we require the Message-Authenticator
717 + # attribute to be present in requests from the client.
718 + #
719 + # Schemas are available in doc/schemas/ldap for openldap and eDirectory
720 + #
721 + attribute \{
722 +# identifier = 'radiusClientIdentifier'
723 +# secret = 'radiusClientSecret'
724 +# shortname = 'radiusClientShortname'
725 +# nas_type = 'radiusClientType'
726 +# virtual_server = 'radiusClientVirtualServer'
727 +# require_message_authenticator = 'radiusClientRequireMa'
728 + \}
729 + \}
730 +
731 +
732 +
733 + # Useful for recording things like the last time the user logged
734 + # in, or the Acct-Session-ID for CoA/DM.
735 + #
736 + # LDAP modification items are in the format:
737 + # <ldap attr> <op> <value>
738 + #
739 + # Where:
740 + # <ldap attr>: The LDAP attribute to add modify or delete.
741 + # <op>: One of the assignment operators:
742 + # (:=, +=, -=, ++).
743 + # Note: '=' is *not* supported.
744 + # <value>: The value to add modify or delete.
745 + #
746 + # WARNING: If using the ':=' operator with a multi-valued LDAP
747 + # attribute, all instances of the attribute will be removed and
748 + # replaced with a single attribute.
749 + accounting \{
750 + reference = "%\{tolower:type.%\{Acct-Status-Type\}\}"
751 +
752 + type \{
753 + start \{
754 + update \{
755 + description := "Online at %S"
756 + \}
757 + \}
758 +
759 + interim-update \{
760 + update \{
761 + description := "Last seen at %S"
762 + \}
763 + \}
764 +
765 + stop \{
766 + update \{
767 + description := "Offline at %S"
768 + \}
769 + \}
770 + \}
771 + \}
772 +
773 +
774 +
775 +
776 + #
777 + # Post-Auth can modify LDAP objects too
778 + #
779 + post-auth \{
780 + update \{
781 + description := "Authenticated at %S"
782 + \}
783 + \}
784 +
785 +
786 +
787 +
788 +
789 + # LDAP connection-specific options.
790 + #
791 + # These options set timeouts, keep-alives, etc. for the connections.
792 + #
793 + options \{
794 + # Control under which situations aliases are followed.
795 + # May be one of 'never', 'searching', 'finding' or 'always'
796 + # default: libldap's default which is usually 'never'.
797 + #
798 + # LDAP_OPT_DEREF is set to this value.
799 +# dereference = 'always'
800 +
801 + #
802 + # The following two configuration items control whether the
803 + # server follows references returned by LDAP directory.
804 + # They are mostly for Active Directory compatibility.
805 + # If you set these to "no", then searches will likely return
806 + # "operations error", instead of a useful result.
807 + #
808 + chase_referrals = yes
809 + rebind = yes
810 +
811 + # Seconds to wait for LDAP query to finish. default: 20
812 + timeout = 10
813 +
814 + # Seconds LDAP server has to process the query (server-side
815 + # time limit). default: 20
816 + #
817 + # LDAP_OPT_TIMELIMIT is set to this value.
818 + timelimit = 3
819 +
820 + # Seconds to wait for response of the server. (network
821 + # failures) default: 10
822 + #
823 + # LDAP_OPT_NETWORK_TIMEOUT is set to this value.
824 + net_timeout = 1
825 +
826 + # LDAP_OPT_X_KEEPALIVE_IDLE
827 + idle = 60
828 +
829 + # LDAP_OPT_X_KEEPALIVE_PROBES
830 + probes = 3
831 +
832 + # LDAP_OPT_X_KEEPALIVE_INTERVAL
833 + interval = 3
834 +
835 + # ldap_debug: debug flag for LDAP SDK
836 + # (see OpenLDAP documentation). Set this to enable
837 + # huge amounts of LDAP debugging on the screen.
838 + # You should only use this if you are an LDAP expert.
839 + #
840 + # default: 0x0000 (no debugging messages)
841 + # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
842 + ldap_debug = 0x0028
843 + \}
844 +
845 +
846 + # The connection pool is new for 3.0, and will be used in many
847 + # modules, for all kinds of connection-related activity.
848 + #
849 + # When the server is not threaded, the connection pool
850 + # limits are ignored, and only one connection is used.
851 + pool \{
852 + # Number of connections to start
853 + start = 5
854 +
855 + # Minimum number of connections to keep open
856 + min = 4
857 +
858 + # Maximum number of connections
859 + #
860 + # If these connections are all in use and a new one
861 + # is requested, the request will NOT get a connection.
862 + #
863 + # Setting 'max' to LESS than the number of threads means
864 + # that some threads may starve, and you will see errors
865 + # like "No connections available and at max connection limit"
866 + #
867 + # Setting 'max' to MORE than the number of threads means
868 + # that there are more connections than necessary.
869 + max = $\{thread[pool].max_servers\}
870 +
871 + # Spare connections to be left idle
872 + #
873 + # NOTE: Idle connections WILL be closed if "idle_timeout"
874 + # is set.
875 + spare = 3
876 +
877 + # Number of uses before the connection is closed
878 + #
879 + # 0 means "infinite"
880 + uses = 0
881 +
882 + # The lifetime (in seconds) of the connection
883 + lifetime = 0
884 +
885 + # Idle timeout (in seconds). A connection which is
886 + # unused for this length of time will be closed.
887 + idle_timeout = 60
888 +
889 + # NOTE: All configuration settings are enforced. If a
890 + # connection is closed because of "idle_timeout",
891 + # "uses", or "lifetime", then the total number of
892 + # connections MAY fall below "min". When that
893 + # happens, it will open a new connection. It will
894 + # also log a WARNING message.
895 + #
896 + # The solution is to either lower the "min" connections,
897 + # or increase lifetime/idle_timeout.
898 + \}
899 +
900 +
901 +
902 +
903 +
904 +
905 +
906 +
907 +
908 +
909 +
910 +
911 +
912 +
913 +
914 +
915 +
916 +
917 +
918 +
919 + \}
920 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/05init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/05init
921 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/05init 2016-02-05 16:34:10.000000000 -0500
922 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/05init 2016-04-01 09:29:51.476000000 -0400
923 @@ -27,9 +27,17 @@
924 raddbdir = $\{sysconfdir\}/raddb
925 radacctdir = $\{logdir\}/radacct
926
927 +{
928 +#
929 +# name of the running server. See also the "-n" command-line option.
930 +}
931 +name = radiusd
932 +
933 confdir = $\{raddbdir\}
934 +modconfdir = $\{confdir\}/mods-config
935 +certdir = $\{confdir\}/certs
936 +cadir = $\{confdir\}/certs
937 run_dir = $\{localstatedir\}/run/radiusd
938 -log_file = $\{logdir\}/radius.log
939 {
940 # libdir: Where to find the rlm_* modules.
941 #
942 @@ -73,31 +81,45 @@
943 #
944 # e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
945 }
946 -pidfile = $\{run_dir\}/radiusd.pid
947 +pidfile = $\{run_dir\}/$\{name\}.pid
948 {
949 -# user/group: The name (or #number) of the user/group to run radiusd as.
950 +# panic_action: Command to execute if the server dies unexpectedly.
951 +#
952 +# FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.
953 +# AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.
954 +# AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART.
955 +#
956 +# THE SERVER MUST NOT BE ALLOWED EXECUTE UNTRUSTED PANIC ACTION CODE
957 +# PATTACH CAN BE USED AS AN ATTACK VECTOR.
958 +#
959 +# The panic action is a command which will be executed if the server
960 +# receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS,
961 +# SIGABRT or SIGFPE.
962 #
963 -# If these are commented out, the server will run as the user/group
964 -# that started it. In order to change to a different user/group, you
965 -# MUST be root ( or have root privleges ) to start the server.
966 +# This can be used to start an interactive debugging session so
967 +# that information regarding the current state of the server can
968 +# be acquired.
969 #
970 -# We STRONGLY recommend that you run the server with as few permissions
971 -# as possible. That is, if you're not using shadow passwords, the
972 -# user and group items below should be set to 'nobody'.
973 +# The following string substitutions are available:
974 +# - %e The currently executing program e.g. /sbin/radiusd
975 +# - %p The PID of the currently executing program e.g. 12345
976 #
977 -# On SCO (ODT 3) use "user = nouser" and "group = nogroup".
978 +# Standard ${} substitutions are also allowed.
979 #
980 -# NOTE that some kernels refuse to setgid(group) when the value of
981 -# (unsigned)group is above 60000; don't use group nobody on these systems!
982 +# An example panic action for opening an interactive session in GDB would be:
983 +#
984 +#panic_action = "gdb %e %p"
985 +#
986 +# Again, don't use that on a production system.
987 +#
988 +# An example panic action for opening an automated session in GDB would be:
989 +#
990 +#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log"
991 +#
992 +# That command can be used on a production system.
993 #
994 -# On systems with shadow passwords, you might have to set 'group = shadow'
995 -# for the server to be able to read the shadow password file. If you can
996 -# authenticate users while in debug mode, but not in daemon mode, it may be
997 -# that the debugging mode server is running as a user that can read the
998 -# shadow info, and the user listed below can not.
999 }
1000 -user = root
1001 -group = root
1002 +
1003 {
1004 # max_request_time: The maximum time (in seconds) to handle a request.
1005 #
1006 @@ -207,13 +229,6 @@
1007 }
1008 hostname_lookups = no
1009 {
1010 -# Core dumps are a bad thing. This should only be set to 'yes'
1011 -# if you're debugging a problem with the server.
1012 -#
1013 -# allowed values: \{no, yes\}
1014 -}
1015 -allow_core_dumps = no
1016 -{
1017 # Regular expressions
1018 #
1019 # These items are set at configure time. If they're set to "yes",
1020 @@ -225,27 +240,6 @@
1021 regular_expressions = yes
1022 extended_expressions = yes
1023 {
1024 -# Log the full User-Name attribute, as it was found in the request.
1025 -#
1026 -# allowed values: \{no, yes\}
1027 -}
1028 -log_stripped_names = no
1029 -{
1030 -# Log authentication requests to the log file.
1031 -#
1032 -# allowed values: \{no, yes\}
1033 -}
1034 -log_auth = no
1035 -{
1036 -# Log passwords with the authentication requests.
1037 -# log_auth_badpass - logs password if it's rejected
1038 -# log_auth_goodpass - logs password if it's correct
1039 -#
1040 -# allowed values: \{no, yes\}
1041 -}
1042 -log_auth_badpass = no
1043 -log_auth_goodpass = no
1044 -{
1045 # usercollide: Turn "username collision" code on and off. See the
1046 # "doc/duplicate-users" file
1047 #
1048 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/07log e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/07log
1049 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/07log 1969-12-31 19:00:00.000000000 -0500
1050 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/07log 2016-04-01 09:21:32.222000000 -0400
1051 @@ -0,0 +1,127 @@
1052 +{
1053 +#
1054 +# Logging section. The various "log_*" configuration items
1055 +# will eventually be moved here.
1056 +#
1057 +# previously this section was only:
1058 +#log_file = $\{logdir\}/radius.log
1059 +}
1060 +log \{
1061 +{
1062 + #
1063 + # Destination for log messages. This can be one of:
1064 + #
1065 + # files - log to "file", as defined below.
1066 + # syslog - to syslog (see also the "syslog_facility", below.
1067 + # stdout - standard output
1068 + # stderr - standard error.
1069 + #
1070 + # The command-line option "-X" over-rides this option, and forces
1071 + # logging to go to stdout.
1072 + #
1073 +} destination = files
1074 +{
1075 + #
1076 + # Highlight important messages sent to stderr and stdout.
1077 + #
1078 + # Option will be ignored (disabled) if output if TERM is not
1079 + # an xterm or output is not to a TTY.
1080 + #
1081 +} colourise = yes
1082 +{
1083 + #
1084 + # The logging messages for the server are appended to the
1085 + # tail of this file if destination == "files"
1086 + #
1087 + # If the server is running in debugging mode, this file is
1088 + # NOT used.
1089 + #
1090 +} file = $\{logdir\}/radius.log
1091 +{
1092 + #
1093 + # If this configuration parameter is set, then log messages for
1094 + # a *request* go to this file, rather than to radius.log.
1095 + #
1096 + # i.e. This is a log file per request, once the server has accepted
1097 + # the request as being from a valid client. Messages that are
1098 + # not associated with a request still go to radius.log.
1099 + #
1100 + # Not all log messages in the server core have been updated to use
1101 + # this new internal API. As a result, some messages will still
1102 + # go to radius.log. Please submit patches to fix this behavior.
1103 + #
1104 + # The file name is expanded dynamically. You should ONLY user
1105 + # server-side attributes for the filename (e.g. things you control).
1106 + # Using this feature MAY also slow down the server substantially,
1107 + # especially if you do thinks like SQL calls as part of the
1108 + # expansion of the filename.
1109 + #
1110 + # The name of the log file should use attributes that don't change
1111 + # over the lifetime of a request, such as User-Name,
1112 + # Virtual-Server or Packet-Src-IP-Address. Otherwise, the log
1113 + # messages will be distributed over multiple files.
1114 + #
1115 + # Logging can be enabled for an individual request by a special
1116 + # dynamic expansion macro: %{debug: 1}, where the debug level
1117 + # for this request is set to '1' (or 2, 3, etc.). e.g.
1118 + #
1119 + # ...
1120 + # update control {
1121 + # Tmp-String-0 = "%{debug:1}"
1122 + # }
1123 + # ...
1124 + #
1125 + # The attribute that the value is assigned to is unimportant,
1126 + # and should be a "throw-away" attribute with no side effects.
1127 + #
1128 + #requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
1129 +
1130 + #
1131 + # Which syslog facility to use, if ${destination} == "syslog"
1132 + #
1133 + # The exact values permitted here are OS-dependent. You probably
1134 + # don't want to change this.
1135 + #
1136 +} syslog_facility = daemon
1137 +{
1138 + # Log the full User-Name attribute, as it was found in the request.
1139 + #
1140 + # allowed values: {no, yes}
1141 + #
1142 + #
1143 +} stripped_names = no
1144 +{
1145 + # Log authentication requests to the log file.
1146 + #
1147 + # allowed values: {no, yes}
1148 + #
1149 +} auth = no
1150 +{
1151 + # Log passwords with the authentication requests.
1152 + # auth_badpass - logs password if it's rejected
1153 + # auth_goodpass - logs password if it's correct
1154 + #
1155 + # allowed values: {no, yes}
1156 + #
1157 +} auth_badpass = no
1158 + auth_goodpass = no
1159 +{
1160 + # Log additional text at the end of the "Login OK" messages.
1161 + # for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
1162 + # configurations above have to be set to "yes".
1163 + #
1164 + # The strings below are dynamically expanded, which means that
1165 + # you can put anything you want in them. However, note that
1166 + # this expansion can be slow, and can negatively impact server
1167 + # performance.
1168 + #
1169 +}
1170 +# msg_goodpass = ""
1171 +# msg_badpass = ""
1172 +{
1173 + # The message when the user exceeds the Simultaneous-Use limit.
1174 + #
1175 +}
1176 + msg_denied = "You are already logged in - access denied"
1177 +\}
1178 +
1179 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/10security e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/10security
1180 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/10security 2005-06-11 12:01:54.000000000 -0400
1181 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/10security 2016-04-01 07:32:01.846000000 -0400
1182 @@ -6,6 +6,43 @@
1183 # of those attacks
1184 }
1185 security \{
1186 +{ # user/group: The name (or #number) of the user/group to run radiusd as.
1187 + #
1188 + # If these are commented out, the server will run as the
1189 + # user/group that started it. In order to change to a
1190 + # different user/group, you MUST be root ( or have root
1191 + # privileges ) to start the server.
1192 + #
1193 + # We STRONGLY recommend that you run the server with as few
1194 + # permissions as possible. That is, if you're not using
1195 + # shadow passwords, the user and group items below should be
1196 + # set to radius'.
1197 + #
1198 + # NOTE that some kernels refuse to setgid(group) when the
1199 + # value of (unsigned)group is above 60000; don't use group
1200 + # "nobody" on these systems!
1201 + #
1202 + # On systems with shadow passwords, you might have to set
1203 + # 'group = shadow' for the server to be able to read the
1204 + # shadow password file. If you can authenticate users while
1205 + # in debug mode, but not in daemon mode, it may be that the
1206 + # debugging mode server is running as a user that can read
1207 + # the shadow info, and the user listed below can not.
1208 + #
1209 + # The server will also try to use "initgroups" to read
1210 + # /etc/groups. It will join all groups where "user" is a
1211 + # member. This can allow for some finer-grained access
1212 + # controls.
1213 + #
1214 +} user = root
1215 + group = root
1216 +{
1217 + # Core dumps are a bad thing. This should only be set to
1218 + # 'yes' if you're debugging a problem with the server.
1219 + #
1220 + # allowed values: {no, yes}
1221 + #
1222 +} allow_core_dumps = no
1223 {
1224 # max_attributes: The maximum number of attributes
1225 # permitted in a RADIUS packet. Packets which have MORE
1226 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/15configuration e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/15configuration
1227 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/15configuration 2005-06-11 14:31:14.000000000 -0400
1228 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/15configuration 2016-04-01 07:48:08.316000000 -0400
1229 @@ -99,4 +99,19 @@
1230 # '0' is a special value meaning 'infinity', or 'the servers never
1231 # exit'
1232 } max_requests_per_server = 0
1233 +{
1234 + # If the received PPS is larger than the processed PPS, *and*
1235 + # the queue is more than half full, then new accounting
1236 + # requests are probabilistically discarded. This lowers the
1237 + # number of packets that the server needs to process. Over
1238 + # time, the server will "catch up" with the traffic.
1239 + #
1240 + # Throwing away accounting packets is usually safe and low
1241 + # impact. The NAS will retransmit them in a few seconds, or
1242 + # even a few minutes. Vendors should read RFC 5080 Section 2.2.1
1243 + # to see how accounting packets should be retransmitted. Using
1244 + # any other method is likely to cause network meltdowns.
1245 + #
1246 +} auto_limit_acct = no
1247 +
1248 \}
1249 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/17snmp e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/17snmp
1250 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/17snmp 1969-12-31 19:00:00.000000000 -0500
1251 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/17snmp 2016-04-01 07:49:00.444000000 -0400
1252 @@ -0,0 +1,10 @@
1253 +{
1254 +######################################################################
1255 +#
1256 +# SNMP notifications. Uncomment the following line to enable
1257 +# snmptraps. Note that you MUST also configure the full path
1258 +# to the "snmptrap" command in the "trigger.conf" file.
1259 +#
1260 +}
1261 +#$INCLUDE trigger.conf
1262 +
1263 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/20modules00init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/20modules00init
1264 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/20modules00init 2005-06-11 14:32:26.000000000 -0400
1265 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/20modules00init 2016-04-01 07:56:07.712000000 -0400
1266 @@ -7,18 +7,34 @@
1267 # in other sections of this configuration file.
1268 }
1269 modules \{ {
1270 - # Each module has a configuration as follows:
1271 - #
1272 - # name [ instance ] \{
1273 - # config_item = value
1274 - # ...
1275 - # \}
1276 - #
1277 - # The 'name' is used to load the 'rlm_name' library
1278 - # which implements the functionality of the module.
1279 - #
1280 - # The 'instance' is optional. To have two different instances
1281 - # of a module, it first must be referred to by 'name'.
1282 - # The different copies of the module are then created by
1283 - # inventing two 'instance' names, e.g. 'instance1' and 'instance2'
1284 + #
1285 + # Each module has a configuration as follows:
1286 + #
1287 + # name [ instance ] {
1288 + # config_item = value
1289 + # ...
1290 + # }
1291 + #
1292 + # The 'name' is used to load the 'rlm_name' library
1293 + # which implements the functionality of the module.
1294 + #
1295 + # The 'instance' is optional. To have two different instances
1296 + # of a module, it first must be referred to by 'name'.
1297 + # The different copies of the module are then created by
1298 + # inventing two 'instance' names, e.g. 'instance1' and 'instance2'
1299 + #
1300 + # The instance names can then be used in later configuration
1301 + # INSTEAD of the original 'name'. See the 'radutmp' configuration
1302 + # for an example.
1303 + #
1304 +
1305 + #
1306 + # As of 3.0, modules are in mods-enabled/. Files matching
1307 + # the regex /[a-zA-Z0-9_.]+/ are loaded. The modules are
1308 + # initialized ONLY if they are referenced in a processing
1309 + # section, such as authorize, authenticate, accounting,
1310 + # pre/post-proxy, etc.
1311 + #
1312 }
1313 + $INCLUDE mods-enabled/
1314 +
1315 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules05preprocess e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules05preprocess
1316 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules05preprocess 2005-06-11 14:37:58.000000000 -0400
1317 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules05preprocess 1969-12-31 19:00:00.000000000 -0500
1318 @@ -1,47 +0,0 @@
1319 -{
1320 - # Preprocess the incoming RADIUS request, before handing it off
1321 - # to other modules.
1322 -} preprocess \{
1323 -{
1324 - # This hack changes Ascend's wierd port numberings
1325 - # to standard 0-??? port numbers so that the "+" works
1326 - # for IP address assignments.
1327 -} with_ascend_hack = no
1328 - ascend_channels_per_line = 23
1329 -{
1330 - # Windows NT machines often authenticate themselves as
1331 - # NT_DOMAIN\username
1332 - #
1333 - # If this is set to 'yes', then the NT_DOMAIN portion
1334 - # of the user-name is silently discarded.
1335 - #
1336 - # This configuration entry SHOULD NOT be used.
1337 - # See the "realms" module for a better way to handle
1338 - # NT domains.
1339 -} with_ntdomain_hack = no
1340 -{
1341 - # Specialix Jetstream 8500 24 port access server.
1342 - #
1343 - # If the user name is 10 characters or longer, a "/"
1344 - # and the excess characters after the 10th are
1345 - # appended to the user name.
1346 - #
1347 - # If you're not running that NAS, you don't need
1348 - # this hack.
1349 -} with_specialix_jetstream_hack = no
1350 -{
1351 - # Cisco sends it's VSA attributes with the attribute
1352 - # name *again* in the string, like:
1353 - #
1354 - # H323-Attribute = "h323-attribute=value".
1355 - #
1356 - # If this configuration item is set to 'yes', then
1357 - # the redundant data in the the attribute text is stripped
1358 - # out. The result is:
1359 - #
1360 - # H323-Attribute = "value"
1361 - #
1362 - # If you're not running a Cisco NAS, you don't need
1363 - # this hack.
1364 -} with_cisco_vsa_hack = no
1365 - \}
1366 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules10suffix e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules10suffix
1367 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules10suffix 2005-06-11 12:11:42.000000000 -0400
1368 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules10suffix 1969-12-31 19:00:00.000000000 -0500
1369 @@ -1,8 +0,0 @@
1370 -{
1371 - # 'username@realm'
1372 -} realm suffix \{
1373 - format = suffix
1374 - delimiter = "@"
1375 - ignore_default = yes
1376 - ignore_null = yes
1377 - \}
1378 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules15ntdomain e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules15ntdomain
1379 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules15ntdomain 2005-06-11 14:12:54.000000000 -0400
1380 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules15ntdomain 1969-12-31 19:00:00.000000000 -0500
1381 @@ -1,8 +0,0 @@
1382 -{
1383 - # 'domain\user'
1384 -} realm ntdomain \{
1385 - format = prefix
1386 - delimiter = "\\"
1387 - ignore_default = no
1388 - ignore_null = no
1389 - \}
1390 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules20eap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules20eap
1391 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules20eap 2005-06-11 12:08:29.000000000 -0400
1392 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules20eap 1969-12-31 19:00:00.000000000 -0500
1393 @@ -1,6 +0,0 @@
1394 -{
1395 - # Extensible Authentication Protocol
1396 - #
1397 - # For all EAP related authentications.
1398 - # Now in another file, because it is very large.
1399 -}$INCLUDE $\{confdir\}/eap.conf
1400 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules25mschap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules25mschap
1401 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules25mschap 2005-06-11 14:57:35.000000000 -0400
1402 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules25mschap 1969-12-31 19:00:00.000000000 -0500
1403 @@ -1,50 +0,0 @@
1404 -{
1405 - # Microsoft CHAP authentication
1406 - #
1407 - # This module supports MS-CHAP and MS-CHAPv2 authentication.
1408 - # It also enforces the SMB-Account-Ctrl attribute.
1409 -} mschap \{
1410 -{
1411 - # As of 0.9, the mschap module does NOT support
1412 - # reading from /etc/smbpasswd.
1413 - #
1414 - # If you are using /etc/smbpasswd, see the 'passwd'
1415 - # module for an example of how to use /etc/smbpasswd
1416 - #
1417 - # authtype value, if present, will be used
1418 - # to overwrite (or add) Auth-Type during
1419 - # authorization. Normally should be MS-CHAP
1420 -} authtype = MS-CHAP
1421 -{
1422 - # if use_mppe is not set to no mschap will
1423 - # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
1424 - # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
1425 -} use_mppe = yes
1426 -{
1427 - # if mppe is enabled require_encryption makes
1428 - # encryption moderate
1429 -} require_encryption = yes
1430 -{
1431 - # require_strong always requires 128 bit key
1432 - # encryption
1433 - #
1434 -} require_strong = yes
1435 -{
1436 - # Windows sends us a username in the form of
1437 - # DOMAIN\user, but sends the challenge response
1438 - # based on only the user portion. This hack
1439 - # corrects for that incorrect behavior.
1440 -} with_ntdomain_hack = yes
1441 -{
1442 - # The module can perform authentication itself, OR
1443 - # use a Windows Domain Controller. This configuration
1444 - # directive tells the module to call the ntlm_auth
1445 - # program, which will do the authentication, and return
1446 - # the NT-Key. Note that you MUST have "winbindd" and
1447 - # "nmbd" running on the local machine for ntlm_auth
1448 - # to work. See the ntlm_auth program documentation
1449 - # for details.
1450 - #
1451 - # Be VERY careful when editing the following line!
1452 - #ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%\{Stripped-User-Name:-%\{User-Name:-None\}\} --challenge=%\{mschap:Challenge:-00\} --nt-response=%\{mschap:NT-Response:-00\}"
1453 -} \}
1454 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30ldap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30ldap
1455 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30ldap 2013-02-13 18:00:55.000000000 -0500
1456 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30ldap 1969-12-31 19:00:00.000000000 -0500
1457 @@ -1,24 +0,0 @@
1458 -{
1459 -
1460 - use esmith::util;
1461 - $OUT = '';
1462 -
1463 - $pw = esmith::util::LdapPassword();
1464 - $base = esmith::util::ldapBase ($DomainName);
1465 -
1466 -} ldap \{
1467 - server = "localhost"
1468 - identity = "cn=root,{ $base }"
1469 - password = { $pw }
1470 - basedn = "{ $base }"
1471 - filter = "(&(objectClass=posixAccount)(uid=%\{Stripped-User-Name:-%\{User-Name\}\}))"
1472 - ldap_connections_number = 5
1473 - timeout = 4
1474 - timelimit = 3
1475 - net_timeout = 3
1476 - tls \{
1477 - start_tls = no
1478 - \}
1479 - groupname_attribute = cn
1480 - groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%\{Stripped-User-Name:-%\{User-Name\}\}))"
1481 - \}
1482 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30smbpasswd e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30smbpasswd
1483 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30smbpasswd 2005-06-11 14:34:29.000000000 -0400
1484 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules30smbpasswd 1969-12-31 19:00:00.000000000 -0500
1485 @@ -1,10 +0,0 @@
1486 -{
1487 - # An example configuration for using /etc/samba/smbpasswd.
1488 -} passwd smbpasswd \{
1489 - filename = /etc/samba/smbpasswd
1490 - format = "*Stripped-User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
1491 - authtype = MS-CHAP
1492 - hashsize = 100
1493 - ignorenislike = no
1494 - allowmultiplekeys = no
1495 - \}
1496 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules35files e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules35files
1497 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules35files 2005-06-11 14:47:21.000000000 -0400
1498 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules35files 1969-12-31 19:00:00.000000000 -0500
1499 @@ -1,11 +0,0 @@
1500 -{
1501 - # Livingston-style 'users' file
1502 -} files \{
1503 - usersfile = $\{confdir\}/users
1504 -{
1505 - # If you want to use the old Cistron 'users' file
1506 - # with FreeRADIUS, you should change the next line
1507 - # to 'compat = cistron'. You can the copy your 'users'
1508 - # file from Cistron.
1509 -} compat = no
1510 - \}
1511 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules40reject e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules40reject
1512 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules40reject 2005-06-11 14:35:56.000000000 -0400
1513 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules40reject 1969-12-31 19:00:00.000000000 -0500
1514 @@ -1,6 +0,0 @@
1515 -{
1516 - # Each instance simply returns the same result, always, without
1517 - # doing anything.
1518 -} always reject \{
1519 - rcode = reject
1520 - \}
1521 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules45acctUnique e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules45acctUnique
1522 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules45acctUnique 2008-10-07 13:37:19.000000000 -0400
1523 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules45acctUnique 1969-12-31 19:00:00.000000000 -0500
1524 @@ -1,13 +0,0 @@
1525 -{
1526 - # Create a unique accounting session Id. Many NASes re-use or
1527 - # repeat values for Acct-Session-Id, causing no end of
1528 - # confusion.
1529 - #
1530 - # This module will add a (probably) unique session id
1531 - # to an accounting packet based on the attributes listed
1532 - # below found in the packet. See doc/rlm_acct_unique for
1533 - # more information.
1534 - #
1535 -} acct_unique \{
1536 - key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
1537 - \}
1538 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules50detail e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules50detail
1539 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules50detail 2008-10-07 13:37:19.000000000 -0400
1540 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/25modules50detail 1969-12-31 19:00:00.000000000 -0500
1541 @@ -1,36 +0,0 @@
1542 -{
1543 - # Write a detailed log of all accounting records received.
1544 - #
1545 -} detail \{
1546 -{ # Note that we do NOT use NAS-IP-Address here, as
1547 - # that attribute MAY BE from the originating NAS, and
1548 - # NOT from the proxy which actually sent us the
1549 - # request. The Client-IP-Address attribute is ALWAYS
1550 - # the address of the client which sent us the
1551 - # request.
1552 - #
1553 - # The following line creates a new detail file for
1554 - # every radius client (by IP address or hostname).
1555 - # In addition, a new detail file is created every
1556 - # day, so that the detail file doesn't have to go
1557 - # through a 'log rotation'
1558 - #
1559 - # If your detail files are large, you may also want
1560 - # to add a ':%H' (see doc/variables.txt) to the end
1561 - # of it, to create a new detail file every hour, e.g.:
1562 - #
1563 - # ..../detail-%Y%m%d:%H
1564 - #
1565 - # This will create a new detail file for every hour.
1566 - #
1567 -} detailfile = $\{logdir\}/accounting.log
1568 -{
1569 - #
1570 - # The Unix-style permissions on the 'detail' file.
1571 - #
1572 - # The detail file often contains secret or private
1573 - # information about users. So by keeping the file
1574 - # permissions restrictive, we can prevent unwanted
1575 - # people from seeing that information.
1576 -} detailperm = 0600
1577 - \}
1578 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization00init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization00init
1579 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization00init 2008-10-07 13:37:19.000000000 -0400
1580 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization00init 1969-12-31 19:00:00.000000000 -0500
1581 @@ -1,11 +0,0 @@
1582 -{
1583 -# Authorization. First preprocess (hints and huntgroups files),
1584 -# then realms, and finally look in the "users" file.
1585 -#
1586 -# The order of the realm modules will determine the order that
1587 -# we try to find a matching realm.
1588 -#
1589 -# Make *sure* that 'preprocess' comes before any realm if you
1590 -# need to setup hints for the remote radius server
1591 -}
1592 -authorize \{
1593 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization40default e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization40default
1594 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization40default 2013-02-13 18:00:55.000000000 -0500
1595 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization40default 1969-12-31 19:00:00.000000000 -0500
1596 @@ -1,39 +0,0 @@
1597 -{
1598 - # The preprocess module takes care of sanitizing some bizarre
1599 - # attributes in the request, and turning them into attributes
1600 - # which are more standard.
1601 - #
1602 - # It takes care of processing the 'raddb/hints' and the
1603 - # 'raddb/huntgroups' files.
1604 - #
1605 - # It also adds the %\{Client-IP-Address\} attribute to the request.
1606 -} preprocess
1607 -{
1608 - # If you are using multiple kinds of realms, you probably
1609 - # want to set "ignore_null = yes" for all of them.
1610 - # Otherwise, when the first style of realm doesn't match,
1611 - # the other styles won't be checked.
1612 -} suffix
1613 - ntdomain
1614 -{
1615 - # This module takes care of EAP-PEAP authentication.
1616 - #
1617 - # It also sets the EAP-Type attribute in the request
1618 - # attribute list to the EAP type from the packet.
1619 -} eap
1620 -{
1621 - # If the users are logging in with an MS-CHAP-Challenge
1622 - # attribute for authentication, the mschap module will find
1623 - # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
1624 - # to the request, which will cause the server to then use
1625 - # the mschap module for authentication.
1626 -} mschap
1627 -{
1628 - # If you are using /etc/smbpasswd, and are also doing
1629 - # mschap authentication, the un-comment this line, and
1630 - # configure the 'smbpasswd' module, above.
1631 - ( $ldap{Authentication} || 'disabled' ) eq 'enabled' ? 'ldap' : 'smbpasswd';
1632 -}
1633 -{
1634 - # Read the 'users' file
1635 -} files
1636 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization99end
1637 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization99end 2008-10-07 13:37:19.000000000 -0400
1638 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/65authorization99end 1969-12-31 19:00:00.000000000 -0500
1639 @@ -1 +0,0 @@
1640 -\}
1641 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate00setup e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate00setup
1642 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate00setup 2008-10-07 13:37:19.000000000 -0400
1643 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate00setup 1969-12-31 19:00:00.000000000 -0500
1644 @@ -1,5 +0,0 @@
1645 -{
1646 - my @authModules = '';
1647 - $OUT = '';
1648 -}
1649 -
1650 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate10AuthMsChap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate10AuthMsChap
1651 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate10AuthMsChap 2008-10-07 13:37:19.000000000 -0400
1652 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate10AuthMsChap 1969-12-31 19:00:00.000000000 -0500
1653 @@ -1,5 +0,0 @@
1654 -{
1655 - push(@authModules, "\tAuth-Type MS-CHAP\{\n\t\tmschap\n\t\}\n");
1656 - $OUT = '';
1657 -}
1658 -
1659 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate15ldap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate15ldap
1660 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate15ldap 2013-02-13 18:00:55.000000000 -0500
1661 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate15ldap 1969-12-31 19:00:00.000000000 -0500
1662 @@ -1,5 +0,0 @@
1663 -{
1664 - push(@authModules, "\tAuth-Type LDAP\{\n\t\tldap\n\t\}\n");
1665 - $OUT = '';
1666 -}
1667 -
1668 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate20authEap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate20authEap
1669 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate20authEap 2008-10-07 13:37:19.000000000 -0400
1670 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate20authEap 1969-12-31 19:00:00.000000000 -0500
1671 @@ -1,4 +0,0 @@
1672 -{
1673 - push(@authModules, "\teap\n");
1674 - $OUT = '';
1675 -}
1676 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate99process e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate99process
1677 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate99process 2008-10-07 13:37:19.000000000 -0400
1678 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/70authenticate99process 1969-12-31 19:00:00.000000000 -0500
1679 @@ -1,23 +0,0 @@
1680 -{
1681 -# Authentication.
1682 -#
1683 -# This section lists which modules are available for authentication.
1684 -# Note that it does NOT mean 'try each module in order'. It means
1685 -# that a module from the 'authorize' section adds a configuration
1686 -# attribute 'Auth-Type := FOO'. That authentication type is then
1687 -# used to pick the apropriate module from the list below.
1688 -#
1689 -# In general, you SHOULD NOT set the Auth-Type attribute. The server
1690 -# will figure it out on its own, and will do the right thing. The
1691 -# most common side effect of erroneously setting the Auth-Type
1692 -# attribute is that one authentication method will work, but the
1693 -# others will not.
1694 -#
1695 -# The common reasons to set the Auth-Type attribute by hand
1696 -# is to either forcibly reject the user, or forcibly accept him.
1697 -
1698 - $OUT = "authenticate \{\n";
1699 - $OUT .= "$_\n" foreach @authModules;
1700 - $OUT .= "\}\n";
1701 -
1702 -}
1703 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/75preacct e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/75preacct
1704 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/75preacct 2008-10-07 13:37:19.000000000 -0400
1705 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/75preacct 1969-12-31 19:00:00.000000000 -0500
1706 @@ -1,17 +0,0 @@
1707 -{
1708 -#
1709 -# Pre-accounting. Decide which accounting type to use.
1710 -#
1711 -}preacct \{
1712 - preprocess
1713 -{
1714 - #
1715 - # Ensure that we have a semi-unique identifier for every
1716 - # request, and many NAS boxes are broken.
1717 -} acct_unique
1718 -{
1719 - # Accounting requests are generally proxied to the same
1720 - # home server as authentication requests.
1721 -} suffix
1722 - ntdomain
1723 -\}
1724 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/77Instantiate e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/77Instantiate
1725 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/77Instantiate 1969-12-31 19:00:00.000000000 -0500
1726 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/77Instantiate 2016-04-01 08:37:06.246000000 -0400
1727 @@ -0,0 +1,45 @@
1728 +{
1729 +# Instantiation
1730 +#
1731 +# This section orders the loading of the modules. Modules
1732 +# listed here will get loaded BEFORE the later sections like
1733 +# authorize, authenticate, etc. get examined.
1734 +#
1735 +# This section is not strictly needed. When a section like
1736 +# authorize refers to a module, it's automatically loaded and
1737 +# initialized. However, some modules may not be listed in any
1738 +# of the following sections, so they can be listed here.
1739 +#
1740 +# Also, listing modules here ensures that you have control over
1741 +# the order in which they are initialized. If one module needs
1742 +# something defined by another module, you can list them in order
1743 +# here, and ensure that the configuration will be OK.
1744 +#
1745 +# After the modules listed here have been loaded, all of the modules
1746 +# in the "mods-enabled" directory will be loaded. Loading the
1747 +# "mods-enabled" directory means that unlike Version 2, you usually
1748 +# don't need to list modules here.
1749 +#
1750 +}
1751 +instantiate \{
1752 + #
1753 + # We list the counter module here so that it registers
1754 + # the check_name attribute before any module which sets
1755 + # it
1756 +# daily
1757 +
1758 + # subsections here can be thought of as "virtual" modules.
1759 + #
1760 + # e.g. If you have two redundant SQL servers, and you want to
1761 + # use them in the authorize and accounting sections, you could
1762 + # place a "redundant" block in each section, containing the
1763 + # exact same text. Or, you could uncomment the following
1764 + # lines, and list "redundant_sql" in the authorize and
1765 + # accounting sections.
1766 + #
1767 + #redundant redundant_sql \{
1768 + # sql1
1769 + # sql2
1770 + #\}
1771 +\}
1772 +
1773 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting00init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting00init
1774 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting00init 2008-10-07 13:37:19.000000000 -0400
1775 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting00init 1969-12-31 19:00:00.000000000 -0500
1776 @@ -1,5 +0,0 @@
1777 -{
1778 -#
1779 -# Accounting. Log the accounting data.
1780 -#
1781 -}accounting \{
1782 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting40default e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting40default
1783 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting40default 2008-10-07 13:37:19.000000000 -0400
1784 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting40default 1969-12-31 19:00:00.000000000 -0500
1785 @@ -1,5 +0,0 @@
1786 -{ #
1787 - # Create a 'detail'ed log of the packets.
1788 - # Note that accounting requests which are proxied
1789 - # are also logged in the detail file.
1790 -} detail
1791 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting99end
1792 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting99end 2008-10-07 13:37:19.000000000 -0400
1793 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80accounting99end 1969-12-31 19:00:00.000000000 -0500
1794 @@ -1 +0,0 @@
1795 -\}
1796 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80Policy e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80Policy
1797 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80Policy 1969-12-31 19:00:00.000000000 -0500
1798 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/80Policy 2016-04-01 08:34:12.100000000 -0400
1799 @@ -0,0 +1,20 @@
1800 +{
1801 +######################################################################
1802 +#
1803 +# Policies are virtual modules, similar to those defined in the
1804 +# "instantiate" section above.
1805 +#
1806 +# Defining a policy in one of the policy.d files means that it can be
1807 +# referenced in multiple places as a *name*, rather than as a series of
1808 +# conditions to match, and actions to take.
1809 +#
1810 +# Policies are something like subroutines in a normal language, but
1811 +# they cannot be called recursively. They MUST be defined in order.
1812 +# If policy A calls policy B, then B MUST be defined before A.
1813 +#
1814 +######################################################################
1815 +}
1816 +policy \{
1817 + $INCLUDE policy.d/
1818 +\}
1819 +
1820 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/90LoadVirtualServers e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/90LoadVirtualServers
1821 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/radiusd.conf/90LoadVirtualServers 1969-12-31 19:00:00.000000000 -0500
1822 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/radiusd.conf/90LoadVirtualServers 2016-04-01 08:32:46.291000000 -0400
1823 @@ -0,0 +1,33 @@
1824 +{
1825 +######################################################################
1826 +#
1827 +#<----->Load virtual servers.
1828 +#
1829 +#<----->This next $INCLUDE line loads files in the directory that
1830 +#<----->match the regular expression: /[a-zA-Z0-9_.]+/
1831 +#
1832 +#<----->It allows you to define new virtual servers simply by placing
1833 +#<----->a file into the raddb/sites-enabled/ directory.
1834 +#
1835 +}$INCLUDE sites-enabled/
1836 +{
1837 +######################################################################
1838 +#
1839 +#<----->All of the other configuration sections like "authorize {}",
1840 +#<----->"authenticate {}", "accounting {}", have been moved to the
1841 +#<----->the file:
1842 +#
1843 +#<-----><------>raddb/sites-available/default
1844 +#
1845 +#<----->This is the "default" virtual server that has the same
1846 +#<----->configuration as in version 1.0.x and 1.1.x. The default
1847 +#<----->installation enables this virtual server. You should
1848 +#<----->edit it to create policies for your local site.
1849 +#
1850 +#<----->For more documentation on virtual servers, see:
1851 +#
1852 +#<-----><------>raddb/sites-available/README
1853 +#
1854 +######################################################################
1855 +
1856 +}
1857 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/01init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/01init
1858 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/01init 1969-12-31 19:00:00.000000000 -0500
1859 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/01init 2016-04-01 09:39:19.463000000 -0400
1860 @@ -0,0 +1,49 @@
1861 +{
1862 +######################################################################
1863 +#
1864 +# As of 2.0.0, FreeRADIUS supports virtual hosts using the
1865 +# "server" section, and configuration directives.
1866 +#
1867 +# Virtual hosts should be put into the "sites-available"
1868 +# directory. Soft links should be created in the "sites-enabled"
1869 +# directory to these files. This is done in a normal installation.
1870 +#
1871 +# If you are using 802.1X (EAP) authentication, please see also
1872 +# the "inner-tunnel" virtual server. You will likely have to edit
1873 +# that, too, for authentication to work.
1874 +#
1875 +# $Id: e-smith-radiusd-2.6.0-freeradius3.patch,v 1.2 2016/04/07 03:14:49 unnilennium Exp $
1876 +#
1877 +######################################################################
1878 +#
1879 +# Read "man radiusd" before editing this file. See the section
1880 +# titled DEBUGGING. It outlines a method where you can quickly
1881 +# obtain the configuration you want, without running into
1882 +# trouble. See also "man unlang", which documents the format
1883 +# of this file.
1884 +#
1885 +# This configuration is designed to work in the widest possible
1886 +# set of circumstances, with the widest possible number of
1887 +# authentication methods. This means that in general, you should
1888 +# need to make very few changes to this file.
1889 +#
1890 +# The best way to configure the server for your local system
1891 +# is to CAREFULLY edit this file. Most attempts to make large
1892 +# edits to this file will BREAK THE SERVER. Any edits should
1893 +# be small, and tested by running the server with "radiusd -X".
1894 +# Once the edits have been verified to work, save a copy of these
1895 +# configuration files somewhere. (e.g. as a "tar" file). Then,
1896 +# make more edits, and test, as above.
1897 +#
1898 +# There are many "commented out" references to modules such
1899 +# as ldap, sql, etc. These references serve as place-holders.
1900 +# If you need the functionality of that module, then configure
1901 +# it in radiusd.conf, and un-comment the references to it in
1902 +# this file. In most cases, those small changes will result
1903 +# in the server being able to connect to the DB, and to
1904 +# authenticate users.
1905 +#
1906 +######################################################################
1907 +}
1908 +server default \{
1909 +
1910 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/20listen e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/20listen
1911 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/20listen 1969-12-31 19:00:00.000000000 -0500
1912 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/20listen 2016-04-01 10:01:03.411000000 -0400
1913 @@ -0,0 +1,90 @@
1914 +{
1915 +# listen: Make the server listen on a particular IP address, and send
1916 +# replies out from that address. This directive is most useful for
1917 +# hosts with multiple IP addresses on one interface.
1918 +#
1919 +# If you want the server to listen on additional addresses, or on
1920 +# additionnal ports, you can use multiple "listen" sections.
1921 +#
1922 +# Each section make the server listen for only one type of packet,
1923 +# therefore authentication and accounting have to be configured in
1924 +# different sections.
1925 +#
1926 +# The server ignore all "listen" section if you are using '-i' and '-p'
1927 +# on the command line.
1928 +}
1929 +# auth
1930 +listen \{
1931 + type = auth
1932 +{
1933 + # ipaddr/ipv4addr/ipv6addr - IP address on which to listen.
1934 + # Out of several options the first one will be used.
1935 + #
1936 + # Allowed values are:
1937 + # IPv4 address (e.g. 1.2.3.4, for ipv4addr/ipaddr)
1938 + # IPv6 address (e.g. 2001:db8::1, for ipv6addr/ipaddr)
1939 + # hostname (radius.example.com,
1940 + # A record for ipv4addr,
1941 + # AAAA record for ipv6addr,
1942 + # A or AAAA record for ipaddr)
1943 + # wildcard (*)
1944 + #
1945 + # ipv4addr = *
1946 + # ipv6addr = *
1947 +}
1948 + ipaddr = *
1949 + port = 0
1950 +# interface = eth0
1951 +# clients = per_socket_clients
1952 +{
1953 + #
1954 + # Connection limiting for sockets with "proto = tcp".
1955 + #
1956 + # This section is ignored for other kinds of sockets.
1957 + #
1958 +} limit \{
1959 +{
1960 + #
1961 + # Limit the number of simultaneous TCP connections to the socket
1962 + #
1963 + # The default is 16.
1964 + # Setting this to 0 means "no limit"
1965 +} max_connections = 16
1966 +{
1967 + # The per-socket "max_requests" option does not exist.
1968 +
1969 + #
1970 + # The lifetime, in seconds, of a TCP connection. After
1971 + # this lifetime, the connection will be closed.
1972 + #
1973 + # Setting this to 0 means "forever".
1974 +} lifetime = 0
1975 +{
1976 + #
1977 + # The idle timeout, in seconds, of a TCP connection.
1978 + # If no packets have been received over the connection for
1979 + # this time, the connection will be closed.
1980 + #
1981 + # Setting this to 0 means "no timeout".
1982 + #
1983 + # We STRONGLY RECOMMEND that you set an idle timeout.
1984 + #
1985 +} idle_timeout = 30
1986 + \}
1987 +
1988 +\}
1989 +
1990 +#
1991 +# This second "listen" section is for listening on the accounting
1992 +# port, too.
1993 +#
1994 +listen \{
1995 + type = acct
1996 + ipaddr = *
1997 + port = 0
1998 +\}
1999 +
2000 +
2001 +
2002 +
2003 +
2004 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization00init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization00init
2005 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization00init 1969-12-31 19:00:00.000000000 -0500
2006 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization00init 2008-10-07 13:37:19.000000000 -0400
2007 @@ -0,0 +1,11 @@
2008 +{
2009 +# Authorization. First preprocess (hints and huntgroups files),
2010 +# then realms, and finally look in the "users" file.
2011 +#
2012 +# The order of the realm modules will determine the order that
2013 +# we try to find a matching realm.
2014 +#
2015 +# Make *sure* that 'preprocess' comes before any realm if you
2016 +# need to setup hints for the remote radius server
2017 +}
2018 +authorize \{
2019 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization40default e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization40default
2020 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization40default 1969-12-31 19:00:00.000000000 -0500
2021 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization40default 2016-04-01 10:10:46.038000000 -0400
2022 @@ -0,0 +1,102 @@
2023 +{
2024 + #
2025 + # Take a User-Name, and perform some checks on it, for spaces and other
2026 + # invalid characters. If the User-Name appears invalid, reject the
2027 + # request.
2028 + #
2029 + # See policy.d/filter for the definition of the filter_username policy.
2030 + #
2031 +} filter_username
2032 +{
2033 + # The preprocess module takes care of sanitizing some bizarre
2034 + # attributes in the request, and turning them into attributes
2035 + # which are more standard.
2036 + #
2037 + # It takes care of processing the 'raddb/hints' and the
2038 + # 'raddb/huntgroups' files.
2039 + #
2040 + # It also adds the %\{Client-IP-Address\} attribute to the request.
2041 +} preprocess
2042 +{
2043 + # If you are using multiple kinds of realms, you probably
2044 + # want to set "ignore_null = yes" for all of them.
2045 + # Otherwise, when the first style of realm doesn't match,
2046 + # the other styles won't be checked.
2047 +} suffix
2048 + ntdomain
2049 +{
2050 + # This module takes care of EAP-PEAP authentication.
2051 + #
2052 + # It also sets the EAP-Type attribute in the request
2053 + # attribute list to the EAP type from the packet.
2054 +} eap \{
2055 + ok = return
2056 + \}
2057 +
2058 +{
2059 + # If the users are logging in with an MS-CHAP-Challenge
2060 + # attribute for authentication, the mschap module will find
2061 + # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
2062 + # to the request, which will cause the server to then use
2063 + # the mschap module for authentication.
2064 +} mschap
2065 +{
2066 + # If you are using /etc/smbpasswd, and are also doing
2067 + # mschap authentication, the un-comment this line, and
2068 + # configure the 'smbpasswd' module, above.
2069 + ( $ldap{Authentication} || 'disabled' ) eq 'enabled' ? 'ldap' : 'smbpasswd';
2070 +}
2071 +
2072 +{
2073 + #
2074 + # Pull crypt'd passwords from /etc/passwd or /etc/shadow,
2075 + # using the system API's to get the password. If you want
2076 + # to read /etc/passwd or /etc/shadow directly, see the
2077 + # passwd module in radiusd.conf.
2078 + #
2079 +}# unix
2080 +
2081 +
2082 +{
2083 + # Read the 'users' file
2084 +} files
2085 +
2086 +{
2087 + #
2088 + # Look in an SQL database. The schema of the database
2089 + # is meant to mirror the "users" file.
2090 + #
2091 + # See "Authorization Queries" in sql.conf
2092 +} -sql
2093 +{
2094 + #
2095 + # If you are using /etc/smbpasswd, and are also doing
2096 + # mschap authentication, the un-comment this line, and
2097 + # configure the 'smbpasswd' module.
2098 +}# smbpasswd
2099 +{
2100 + #
2101 + # The ldap module reads passwords from the LDAP database.
2102 +} -ldap
2103 +
2104 +{ #
2105 + # Enforce daily limits on time spent logged in.
2106 +# daily
2107 +
2108 + #
2109 +} expiration
2110 + logintime
2111 +{
2112 + #
2113 + # If no other module has claimed responsibility for
2114 + # authentication, then try to use PAP. This allows the
2115 + # other modules listed above to add a "known good" password
2116 + # to the request, and to do nothing else. The PAP module
2117 + # will then see that password, and use it to do PAP
2118 + # authentication.
2119 + #
2120 + # This module should be listed last, so that the other modules
2121 + # get a chance to set Auth-Type for themselves.
2122 + #
2123 +} pap
2124 +
2125 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization99end
2126 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization99end 1969-12-31 19:00:00.000000000 -0500
2127 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/35authorization99end 2008-10-07 13:37:19.000000000 -0400
2128 @@ -0,0 +1 @@
2129 +\}
2130 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate00setup e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate00setup
2131 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate00setup 1969-12-31 19:00:00.000000000 -0500
2132 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate00setup 2008-10-07 13:37:19.000000000 -0400
2133 @@ -0,0 +1,5 @@
2134 +{
2135 + my @authModules = '';
2136 + $OUT = '';
2137 +}
2138 +
2139 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate10AuthMsChap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate10AuthMsChap
2140 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate10AuthMsChap 1969-12-31 19:00:00.000000000 -0500
2141 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate10AuthMsChap 2008-10-07 13:37:19.000000000 -0400
2142 @@ -0,0 +1,5 @@
2143 +{
2144 + push(@authModules, "\tAuth-Type MS-CHAP\{\n\t\tmschap\n\t\}\n");
2145 + $OUT = '';
2146 +}
2147 +
2148 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate15ldap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate15ldap
2149 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate15ldap 1969-12-31 19:00:00.000000000 -0500
2150 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate15ldap 2013-02-13 18:00:55.000000000 -0500
2151 @@ -0,0 +1,5 @@
2152 +{
2153 + push(@authModules, "\tAuth-Type LDAP\{\n\t\tldap\n\t\}\n");
2154 + $OUT = '';
2155 +}
2156 +
2157 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate20authEap e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate20authEap
2158 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate20authEap 1969-12-31 19:00:00.000000000 -0500
2159 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate20authEap 2008-10-07 13:37:19.000000000 -0400
2160 @@ -0,0 +1,4 @@
2161 +{
2162 + push(@authModules, "\teap\n");
2163 + $OUT = '';
2164 +}
2165 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate99process e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate99process
2166 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate99process 1969-12-31 19:00:00.000000000 -0500
2167 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/40authenticate99process 2008-10-07 13:37:19.000000000 -0400
2168 @@ -0,0 +1,23 @@
2169 +{
2170 +# Authentication.
2171 +#
2172 +# This section lists which modules are available for authentication.
2173 +# Note that it does NOT mean 'try each module in order'. It means
2174 +# that a module from the 'authorize' section adds a configuration
2175 +# attribute 'Auth-Type := FOO'. That authentication type is then
2176 +# used to pick the apropriate module from the list below.
2177 +#
2178 +# In general, you SHOULD NOT set the Auth-Type attribute. The server
2179 +# will figure it out on its own, and will do the right thing. The
2180 +# most common side effect of erroneously setting the Auth-Type
2181 +# attribute is that one authentication method will work, but the
2182 +# others will not.
2183 +#
2184 +# The common reasons to set the Auth-Type attribute by hand
2185 +# is to either forcibly reject the user, or forcibly accept him.
2186 +
2187 + $OUT = "authenticate \{\n";
2188 + $OUT .= "$_\n" foreach @authModules;
2189 + $OUT .= "\}\n";
2190 +
2191 +}
2192 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/55preacct e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/55preacct
2193 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/55preacct 1969-12-31 19:00:00.000000000 -0500
2194 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/55preacct 2016-04-01 11:06:09.665000000 -0400
2195 @@ -0,0 +1,47 @@
2196 +{
2197 +#
2198 +# Pre-accounting. Decide which accounting type to use.
2199 +#
2200 +}preacct \{
2201 + preprocess
2202 +{
2203 + #
2204 + # Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets
2205 + # into a single 64bit counter Acct-[Input|Output]-Octets64.
2206 + #
2207 +}# acct_counters64
2208 +{
2209 + #
2210 + # Session start times are *implied* in RADIUS.
2211 + # The NAS never sends a "start time". Instead, it sends
2212 + # a start packet, *possibly* with an Acct-Delay-Time.
2213 + # The server is supposed to conclude that the start time
2214 + # was "Acct-Delay-Time" seconds in the past.
2215 + #
2216 + # The code below creates an explicit start time, which can
2217 + # then be used in other modules. It will be *mostly* correct.
2218 + # Any errors are due to the 1-second resolution of RADIUS,
2219 + # and the possibility that the time on the NAS may be off.
2220 + #
2221 + # The start time is: NOW - delay - session_length
2222 + #
2223 +}
2224 +# update request {
2225 +# FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
2226 +# }
2227 +
2228 +{
2229 + #
2230 + # Ensure that we have a semi-unique identifier for every
2231 + # request, and many NAS boxes are broken.
2232 +}
2233 +
2234 + acct_unique
2235 +{
2236 + # Accounting requests are generally proxied to the same
2237 + # home server as authentication requests.
2238 +} suffix
2239 + ntdomain
2240 + files
2241 +
2242 +\}
2243 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting00init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting00init
2244 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting00init 1969-12-31 19:00:00.000000000 -0500
2245 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting00init 2008-10-07 13:37:19.000000000 -0400
2246 @@ -0,0 +1,5 @@
2247 +{
2248 +#
2249 +# Accounting. Log the accounting data.
2250 +#
2251 +}accounting \{
2252 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting40default e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting40default
2253 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting40default 1969-12-31 19:00:00.000000000 -0500
2254 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting40default 2008-10-07 13:37:19.000000000 -0400
2255 @@ -0,0 +1,5 @@
2256 +{ #
2257 + # Create a 'detail'ed log of the packets.
2258 + # Note that accounting requests which are proxied
2259 + # are also logged in the detail file.
2260 +} detail
2261 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting99end
2262 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting99end 1969-12-31 19:00:00.000000000 -0500
2263 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/60accounting99end 2008-10-07 13:37:19.000000000 -0400
2264 @@ -0,0 +1 @@
2265 +\}
2266 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session00init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session00init
2267 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session00init 1969-12-31 19:00:00.000000000 -0500
2268 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session00init 2016-04-01 11:13:35.135000000 -0400
2269 @@ -0,0 +1,6 @@
2270 +{
2271 +# Session database, used for checking Simultaneous-Use. Either the radutmp
2272 +# or rlm_sql module can handle this.
2273 +# The rlm_sql module is *much* faster
2274 +}session \{
2275 +
2276 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session99end
2277 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session99end 1969-12-31 19:00:00.000000000 -0500
2278 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/70session99end 2016-04-01 11:13:53.209000000 -0400
2279 @@ -0,0 +1 @@
2280 +\}
2281 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth00init e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth00init
2282 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth00init 1969-12-31 19:00:00.000000000 -0500
2283 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth00init 2016-04-01 11:14:55.538000000 -0400
2284 @@ -0,0 +1,8 @@
2285 +{
2286 +# Post-Authentication
2287 +# Once we KNOW that the user has been authenticated, there are
2288 +# additional steps we can take.
2289 +}post-auth \{
2290 + # Get an address from the IP Pool.
2291 +# main_pool
2292 +
2293 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth99end
2294 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth99end 1969-12-31 19:00:00.000000000 -0500
2295 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/80postauth99end 2016-04-01 11:16:54.094000000 -0400
2296 @@ -0,0 +1,26 @@
2297 +{
2298 + # Remove reply message if the response contains an EAP-Message
2299 +} remove_reply_message_if_eap
2300 +{
2301 + #
2302 + # Access-Reject packets are sent through the REJECT sub-section of the
2303 + # post-auth section.
2304 + #
2305 + # Add the ldap module name (or instance) if you have set
2306 + # 'edir_account_policy_check = yes' in the ldap module configuration
2307 + #
2308 +} Post-Auth-Type REJECT \{
2309 + # log failed authentications in SQL, too.
2310 + #-sql
2311 + attr_filter.access_reject
2312 +
2313 + # Insert EAP-Failure message if the request was
2314 + # rejected by policy instead of because of an
2315 + # authentication failure
2316 + eap
2317 +
2318 + # Remove reply message if the response contains an EAP-Message
2319 + remove_reply_message_if_eap
2320 + \}
2321 +\}
2322 +
2323 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/85preproxy e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/85preproxy
2324 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/85preproxy 1969-12-31 19:00:00.000000000 -0500
2325 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/85preproxy 2016-04-01 11:18:35.647000000 -0400
2326 @@ -0,0 +1,28 @@
2327 +pre-proxy \{
2328 +{
2329 + # Before proxing the request add an Operator-Name attribute identifying
2330 + # if the operator-name is found for this client.
2331 + # No need to uncomment this if you have already enabled this in
2332 + # the authorize section.
2333 +}# operator-name
2334 +{
2335 + # The client requests the CUI by sending a CUI attribute
2336 + # containing one zero byte.
2337 + # Uncomment the line below if *requesting* the CUI.
2338 +}# cui
2339 +{
2340 + # Uncomment the following line if you want to change attributes
2341 + # as defined in the preproxy_users file.
2342 +}# files
2343 +{
2344 + # Uncomment the following line if you want to filter requests
2345 + # sent to remote servers based on the rules defined in the
2346 + # 'attrs.pre-proxy' file.
2347 +}# attr_filter.pre-proxy
2348 +{
2349 + # If you want to have a log of packets proxied to a home
2350 + # server, un-comment the following line, and the
2351 + # 'detail pre_proxy_log' section, above.
2352 +}# pre_proxy_log
2353 +\}
2354 +
2355 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/90postproxy e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/90postproxy
2356 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/90postproxy 1969-12-31 19:00:00.000000000 -0500
2357 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/90postproxy 2016-04-01 11:20:52.751000000 -0400
2358 @@ -0,0 +1,54 @@
2359 +{
2360 +#
2361 +# When the server receives a reply to a request it proxied
2362 +# to a home server, the request may be massaged here, in the
2363 +# post-proxy stage.
2364 +#
2365 +}
2366 +post-proxy \{
2367 +{
2368 + # If you want to have a log of replies from a home server,
2369 + # un-comment the following line, and the 'detail post_proxy_log'
2370 + # section, above.
2371 +}# post_proxy_log
2372 +{
2373 + # Uncomment the following line if you want to filter replies from
2374 + # remote proxies based on the rules defined in the 'attrs' file.
2375 +}# attr_filter.post-proxy
2376 +{
2377 + #
2378 + # If you are proxying LEAP, you MUST configure the EAP
2379 + # module, and you MUST list it here, in the post-proxy
2380 + # stage.
2381 + #
2382 + # You MUST also use the 'nostrip' option in the 'realm'
2383 + # configuration. Otherwise, the User-Name attribute
2384 + # in the proxied request will not match the user name
2385 + # hidden inside of the EAP packet, and the end server will
2386 + # reject the EAP request.
2387 + #
2388 +} eap
2389 +{
2390 + #
2391 + # If the server tries to proxy a request and fails, then the
2392 + # request is processed through the modules in this section.
2393 + #
2394 + # The main use of this section is to permit robust proxying
2395 + # of accounting packets. The server can be configured to
2396 + # proxy accounting packets as part of normal processing.
2397 + # Then, if the home server goes down, accounting packets can
2398 + # be logged to a local "detail" file, for processing with
2399 + # radrelay. When the home server comes back up, radrelay
2400 + # will read the detail file, and send the packets to the
2401 + # home server.
2402 + #
2403 + # With this configuration, the server always responds to
2404 + # Accounting-Requests from the NAS, but only writes
2405 + # accounting packets to disk if the home server is down.
2406 + #
2407 +}# Post-Proxy-Type Fail \{
2408 +# detail
2409 +# \}
2410 +\}
2411 +
2412 +
2413 diff -Nur e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/99end e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/99end
2414 --- e-smith-radiusd-2.6.0.old/root/etc/e-smith/templates/etc/raddb/sites-available/default/99end 1969-12-31 19:00:00.000000000 -0500
2415 +++ e-smith-radiusd-2.6.0/root/etc/e-smith/templates/etc/raddb/sites-available/default/99end 2016-04-01 09:40:43.175000000 -0400
2416 @@ -0,0 +1,7 @@
2417 +
2418 +\}
2419 +{
2420 +#
2421 +#end of default server
2422 +#
2423 +}

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed