From b456e13542059d6b79d28ea42db73e0cc682b94c Mon Sep 17 00:00:00 2001 
From: Markus Hauschild Date: Tue, 17 Jul 2018 10:43:31 +0200 Subject: [PATCH] radius: update to freeradius 3 (and no more LDAP) --- group_vars/all/vars.yml | 2 + group_vars/all/vault.yml | 40 +- roles/radius/files/default/freeradius | 2 - roles/radius/files/mods-available/eap | 873 ++++++++++++++++++ .../users => mods-config/files/authorize} | 59 +- roles/radius/files/raddb/acct_users | 23 - roles/radius/files/raddb/attrs | 129 --- .../radius/files/raddb/attrs.access_challenge | 19 - roles/radius/files/raddb/attrs.access_reject | 17 - .../files/raddb/attrs.accounting_response | 15 - roles/radius/files/raddb/attrs.pre-proxy | 62 -- roles/radius/files/raddb/certs/BKCA.crt | 33 - roles/radius/files/raddb/certs/dh | 5 - roles/radius/files/raddb/certs/server.crt | 68 -- roles/radius/files/raddb/certs/server.key | 51 - roles/radius/files/raddb/clients.conf | 244 ----- roles/radius/files/raddb/dictionary | 32 - roles/radius/files/raddb/eap.conf | 697 -------------- roles/radius/files/raddb/hints | 77 -- roles/radius/files/raddb/huntgroups | 46 - roles/radius/files/raddb/ldap.attrmap | 76 -- roles/radius/files/raddb/modules/acct_unique | 17 - roles/radius/files/raddb/modules/always | 31 - roles/radius/files/raddb/modules/attr_filter | 48 - roles/radius/files/raddb/modules/attr_rewrite | 46 - roles/radius/files/raddb/modules/cache | 77 -- roles/radius/files/raddb/modules/chap | 11 - roles/radius/files/raddb/modules/checkval | 44 - roles/radius/files/raddb/modules/counter | 82 -- roles/radius/files/raddb/modules/cui | 25 - roles/radius/files/raddb/modules/detail | 93 -- .../files/raddb/modules/detail.example.com | 27 - roles/radius/files/raddb/modules/detail.log | 75 -- .../radius/files/raddb/modules/dhcp_sqlippool | 30 - roles/radius/files/raddb/modules/digest | 13 - .../files/raddb/modules/dynamic_clients | 32 - roles/radius/files/raddb/modules/echo | 123 --- roles/radius/files/raddb/modules/etc_group | 28 - roles/radius/files/raddb/modules/exec | 30 - 
roles/radius/files/raddb/modules/expiration | 19 - roles/radius/files/raddb/modules/expr | 20 - roles/radius/files/raddb/modules/files | 46 - roles/radius/files/raddb/modules/inner-eap | 161 ---- roles/radius/files/raddb/modules/ippool | 75 -- roles/radius/files/raddb/modules/krb5 | 11 - roles/radius/files/raddb/modules/ldap | 197 ---- roles/radius/files/raddb/modules/linelog | 105 --- roles/radius/files/raddb/modules/logintime | 31 - roles/radius/files/raddb/modules/mac2ip | 25 - roles/radius/files/raddb/modules/mac2vlan | 18 - roles/radius/files/raddb/modules/mschap | 87 -- roles/radius/files/raddb/modules/ntlm_auth | 12 - .../radius/files/raddb/modules/opendirectory | 13 - roles/radius/files/raddb/modules/otp | 78 -- roles/radius/files/raddb/modules/pam | 26 - roles/radius/files/raddb/modules/pap | 22 - roles/radius/files/raddb/modules/passwd | 55 -- roles/radius/files/raddb/modules/perl | 58 -- roles/radius/files/raddb/modules/policy | 21 - roles/radius/files/raddb/modules/preprocess | 58 -- roles/radius/files/raddb/modules/radrelay | 26 - roles/radius/files/raddb/modules/radutmp | 53 -- roles/radius/files/raddb/modules/realm | 46 - roles/radius/files/raddb/modules/redis | 35 - roles/radius/files/raddb/modules/rediswho | 28 - roles/radius/files/raddb/modules/replicate | 40 - roles/radius/files/raddb/modules/smbpasswd | 16 - roles/radius/files/raddb/modules/smsotp | 50 - roles/radius/files/raddb/modules/soh | 4 - roles/radius/files/raddb/modules/sql_log | 92 -- .../raddb/modules/sqlcounter_expire_on_login | 37 - roles/radius/files/raddb/modules/sradutmp | 16 - roles/radius/files/raddb/modules/unix | 25 - roles/radius/files/raddb/modules/wimax | 112 --- roles/radius/files/raddb/policy.conf | 284 ------ roles/radius/files/raddb/preproxy_users | 31 - roles/radius/files/raddb/proxy.conf | 759 --------------- roles/radius/files/raddb/radiusd.conf | 865 ----------------- .../files/raddb/sites-enabled/control-socket | 73 -- .../files/raddb/sites-enabled/inner-tunnel | 
421 --------- .../sites-enabled => sites-available}/default | 453 +++++++-- roles/radius/tasks/main.yml | 82 +- roles/radius/templates/clients.conf.j2 | 15 + 83 files changed, 1325 insertions(+), 6778 deletions(-) delete mode 100644 roles/radius/files/default/freeradius create mode 100644 roles/radius/files/mods-available/eap rename roles/radius/files/{raddb/users => mods-config/files/authorize} (79%) delete mode 100644 roles/radius/files/raddb/acct_users delete mode 100644 roles/radius/files/raddb/attrs delete mode 100644 roles/radius/files/raddb/attrs.access_challenge delete mode 100644 roles/radius/files/raddb/attrs.access_reject delete mode 100644 roles/radius/files/raddb/attrs.accounting_response delete mode 100644 roles/radius/files/raddb/attrs.pre-proxy delete mode 100644 roles/radius/files/raddb/certs/BKCA.crt delete mode 100644 roles/radius/files/raddb/certs/dh delete mode 100644 roles/radius/files/raddb/certs/server.crt delete mode 100644 roles/radius/files/raddb/certs/server.key delete mode 100644 roles/radius/files/raddb/clients.conf delete mode 100644 roles/radius/files/raddb/dictionary delete mode 100644 roles/radius/files/raddb/eap.conf delete mode 100644 roles/radius/files/raddb/hints delete mode 100644 roles/radius/files/raddb/huntgroups delete mode 100644 roles/radius/files/raddb/ldap.attrmap delete mode 100644 roles/radius/files/raddb/modules/acct_unique delete mode 100644 roles/radius/files/raddb/modules/always delete mode 100644 roles/radius/files/raddb/modules/attr_filter delete mode 100644 roles/radius/files/raddb/modules/attr_rewrite delete mode 100644 roles/radius/files/raddb/modules/cache delete mode 100644 roles/radius/files/raddb/modules/chap delete mode 100644 roles/radius/files/raddb/modules/checkval delete mode 100644 roles/radius/files/raddb/modules/counter delete mode 100644 roles/radius/files/raddb/modules/cui delete mode 100644 roles/radius/files/raddb/modules/detail delete mode 100644 
roles/radius/files/raddb/modules/detail.example.com delete mode 100644 roles/radius/files/raddb/modules/detail.log delete mode 100644 roles/radius/files/raddb/modules/dhcp_sqlippool delete mode 100644 roles/radius/files/raddb/modules/digest delete mode 100644 roles/radius/files/raddb/modules/dynamic_clients delete mode 100644 roles/radius/files/raddb/modules/echo delete mode 100644 roles/radius/files/raddb/modules/etc_group delete mode 100644 roles/radius/files/raddb/modules/exec delete mode 100644 roles/radius/files/raddb/modules/expiration delete mode 100644 roles/radius/files/raddb/modules/expr delete mode 100644 roles/radius/files/raddb/modules/files delete mode 100644 roles/radius/files/raddb/modules/inner-eap delete mode 100644 roles/radius/files/raddb/modules/ippool delete mode 100644 roles/radius/files/raddb/modules/krb5 delete mode 100644 roles/radius/files/raddb/modules/ldap delete mode 100644 roles/radius/files/raddb/modules/linelog delete mode 100644 roles/radius/files/raddb/modules/logintime delete mode 100644 roles/radius/files/raddb/modules/mac2ip delete mode 100644 roles/radius/files/raddb/modules/mac2vlan delete mode 100644 roles/radius/files/raddb/modules/mschap delete mode 100644 roles/radius/files/raddb/modules/ntlm_auth delete mode 100644 roles/radius/files/raddb/modules/opendirectory delete mode 100644 roles/radius/files/raddb/modules/otp delete mode 100644 roles/radius/files/raddb/modules/pam delete mode 100644 roles/radius/files/raddb/modules/pap delete mode 100644 roles/radius/files/raddb/modules/passwd delete mode 100644 roles/radius/files/raddb/modules/perl delete mode 100644 roles/radius/files/raddb/modules/policy delete mode 100644 roles/radius/files/raddb/modules/preprocess delete mode 100644 roles/radius/files/raddb/modules/radrelay delete mode 100644 roles/radius/files/raddb/modules/radutmp delete mode 100644 roles/radius/files/raddb/modules/realm delete mode 100644 roles/radius/files/raddb/modules/redis delete mode 100644 
roles/radius/files/raddb/modules/rediswho
delete mode 100644 roles/radius/files/raddb/modules/replicate
delete mode 100644 roles/radius/files/raddb/modules/smbpasswd
delete mode 100644 roles/radius/files/raddb/modules/smsotp
delete mode 100644 roles/radius/files/raddb/modules/soh
delete mode 100644 roles/radius/files/raddb/modules/sql_log
delete mode 100644 roles/radius/files/raddb/modules/sqlcounter_expire_on_login
delete mode 100644 roles/radius/files/raddb/modules/sradutmp
delete mode 100644 roles/radius/files/raddb/modules/unix
delete mode 100644 roles/radius/files/raddb/modules/wimax
delete mode 100644 roles/radius/files/raddb/policy.conf
delete mode 100644 roles/radius/files/raddb/preproxy_users
delete mode 100644 roles/radius/files/raddb/proxy.conf
delete mode 100644 roles/radius/files/raddb/radiusd.conf
delete mode 100644 roles/radius/files/raddb/sites-enabled/control-socket
delete mode 100644 roles/radius/files/raddb/sites-enabled/inner-tunnel
rename roles/radius/files/{raddb/sites-enabled => sites-available}/default (57%)
create mode 100644 roles/radius/templates/clients.conf.j2
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 803f8a5..9cdab72 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -62,6 +62,8 @@ racktables_dbname: racktables
 racktables_dbuser: racktables
 racktables_dbpass: "{{ vault_racktables_dbpass }}"
+radius_secret: "{{ vault_radius_secret }}"
+
 snmp_allowed:
 - 172.23.2.5
 - 172.23.2.6
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
index 564c54c..a168621 100644
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
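Review bot: `radius_secret` is introduced as a single global value, so if `roles/radius/templates/clients.conf.j2` (added in this commit but not shown in this hunk) emits it for every client entry, all NAS devices end up sharing one RADIUS shared secret; a secret recovered from any one device then covers traffic from all of them, and rotation means touching every client at once. Consider a per-client mapping in group_vars so the template can emit a distinct secret per NAS, e.g. `radius_clients: { <nas-name>: { ipaddr: <addr>, secret: "{{ vault_radius_secret_<nas-name> }}" } }` (constructed placeholder names). If a single secret is intentional for now, a comment next to this variable saying so, and naming the template that consumes it, would stop the next maintainer from reusing it elsewhere.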
@@ -1,20 +1,22 @@
 $ANSIBLE_VAULT;1.1;AES256
-36306335393738643138333865653135393433303961636664646631376262646639353236326139
-6163646265666661323338383762616439333263653137660a316464663037616564333235303631
-62376366353464373865386630343562616435323838366261666538333232626433383666613966
-6665313262613237370a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a643035303761386235313635313965
+61383834313330353236636432626135663066313166316263353831333435636632636538376136
+3336623331396462650a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
diff --git a/roles/radius/files/default/freeradius b/roles/radius/files/default/freeradius
deleted file mode 100644
index b3be0ab..0000000
--- a/roles/radius/files/default/freeradius
+++ /dev/null
@@ -1,2 +0,0 @@
-# Options for the FreeRADIUS daemon.
-FREERADIUS_OPTIONS="-d /etc/raddb"
diff --git a/roles/radius/files/mods-available/eap b/roles/radius/files/mods-available/eap
new file mode 100644
index 0000000..4ab7a3f
--- /dev/null
+++ b/roles/radius/files/mods-available/eap
@@ -0,0 +1,873 @@ +# -*- text -*- +## +## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.) +## +## $Id: 0e8d5caef5ad09dfa6acb14c5d475bae55cf4b27 $ + +####################################################################### +# +# Whatever you do, do NOT set 'Auth-Type := EAP'. The server +# is smart enough to figure this out on its own. The most +# common side effect of setting 'Auth-Type := EAP' is that the +# users then cannot use ANY other authentication method. +# +eap { + # Invoke the default supported EAP type when + # EAP-Identity response is received. + # + # The incoming EAP messages DO NOT specify which EAP + # type they will be using, so it MUST be set here. + # + # For now, only one default EAP type may be used at a time. + # + # If the EAP-Type attribute is set by another module, + # then that EAP type takes precedence over the + # default type configured here. + # + default_eap_type = peap + + # A list is maintained to correlate EAP-Response + # packets with EAP-Request packets. After a + # configurable length of time, entries in the list + # expire, and are deleted. + # + timer_expire = 60 + + # There are many EAP types, but the server has support + # for only a limited subset. If the server receives + # a request for an EAP type it does not support, then + # it normally rejects the request. By setting this + # configuration to "yes", you can tell the server to + # instead keep processing the request. Another module + # MUST then be configured to proxy the request to + # another RADIUS server which supports that EAP type. + # + # If another module is NOT configured to handle the + # request, then the request will still end up being + # rejected. + ignore_unknown_eap_types = no + + # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given + # a User-Name attribute in an Access-Accept, it copies one + # more byte than it should. + # + # We can work around it by configurably adding an extra + # zero byte. 
+ cisco_accounting_username_bug = no + + # + # Help prevent DoS attacks by limiting the number of + # sessions that the server is tracking. For simplicity, + # this is taken from the "max_requests" directive in + # radiusd.conf. + max_sessions = ${max_requests} + + # Supported EAP-types + + # + # We do NOT recommend using EAP-MD5 authentication + # for wireless connections. It is insecure, and does + # not provide for dynamic WEP keys. + # +# md5 { +# } + + # + # EAP-pwd -- secure password-based authentication + # + pwd { + group = 19 + + # + server_id = radius@radius1.binary.kitchen + + # This has the same meaning as for TLS. + fragment_size = 1020 + + # The virtual server which determines the + # "known good" password for the user. + # Note that unlike TLS, only the "authorize" + # section is processed. EAP-PWD requests can be + # distinguished by having a User-Name, but + # no User-Password, CHAP-Password, EAP-Message, etc. + virtual_server = "inner-tunnel" + } + + # Cisco LEAP + # + # We do not recommend using LEAP in new deployments. See: + # http://www.securiteam.com/tools/5TP012ACKE.html + # + # Cisco LEAP uses the MS-CHAP algorithm (but not + # the MS-CHAP attributes) to perform it's authentication. + # + # As a result, LEAP *requires* access to the plain-text + # User-Password, or the NT-Password attributes. + # 'System' authentication is impossible with LEAP. + # +# leap { +# } + + # Generic Token Card. + # + # Currently, this is only permitted inside of EAP-TTLS, + # or EAP-PEAP. The module "challenges" the user with + # text, and the response from the user is taken to be + # the User-Password. + # + # Proxying the tunneled EAP-GTC session is a bad idea, + # the users password will go over the wire in plain-text, + # for anyone to see. + # + gtc { + # The default challenge, which many clients + # ignore.. 
+ #challenge = "Password: " + + # The plain-text response which comes back + # is put into a User-Password attribute, + # and passed to another module for + # authentication. This allows the EAP-GTC + # response to be checked against plain-text, + # or crypt'd passwords. + # + # If you say "Local" instead of "PAP", then + # the module will look for a User-Password + # configured for the request, and do the + # authentication itself. + # + auth_type = PAP + } + + ## Common TLS configuration for TLS-based EAP types + # + # See raddb/certs/README for additional comments + # on certificates. + # + # If OpenSSL was not found at the time the server was + # built, the "tls", "ttls", and "peap" sections will + # be ignored. + # + # If you do not currently have certificates signed by + # a trusted CA you may use the 'snakeoil' certificates. + # Included with the server in raddb/certs. + # + # If these certificates have not been auto-generated: + # cd raddb/certs + # make + # + # These test certificates SHOULD NOT be used in a normal + # deployment. They are created only to make it easier + # to install the server, and to perform some simple + # tests with EAP-TLS, TTLS, or PEAP. + # + # See also: + # + # http://www.dslreports.com/forum/remark,9286052~mode=flat + # + # Note that you should NOT use a globally known CA here! + # e.g. using a Verisign cert as a "known CA" means that + # ANYONE who has a certificate signed by them can + # authenticate via EAP-TLS! This is likely not what you want. + tls-config tls-common { +# private_key_password = whatever + private_key_file = ${certdir}/srv.key + + # If Private key & Certificate are located in + # the same file, then private_key_file & + # certificate_file must contain the same file + # name. + # + # If ca_file (below) is not used, then the + # certificate_file below MUST include not + # only the server certificate, but ALSO all + # of the CA certificates used to sign the + # server certificate. 
+ certificate_file = ${certdir}/srv.crt + + # Trusted Root CA list + # + # ALL of the CA's in this list will be trusted + # to issue client certificates for authentication. + # + # In general, you should use self-signed + # certificates for 802.1x (EAP) authentication. + # In that case, this CA file should contain + # *one* CA certificate. + # + ca_file = ${certdir}/srv.crt + + # OpenSSL will automatically create certificate chains, + # unless we tell it to not do that. The problem is that + # it sometimes gets the chains right from a certificate + # signature view, but wrong from the clients view. + # + # When setting "auto_chain = no", the server certificate + # file MUST include the full certificate chain. + # auto_chain = yes + + # + # If OpenSSL supports TLS-PSK, then we can use + # a PSK identity and (hex) password. When the + # following two configuration items are specified, + # then certificate-based configuration items are + # not allowed. e.g.: + # + # private_key_password + # private_key_file + # certificate_file + # ca_file + # ca_path + # + # For now, the identity is fixed, and must be the + # same on the client. The passphrase must be a hex + # value, and can be up to 256 hex digits. + # + # Future versions of the server may be able to + # look up the shared key (hexphrase) based on the + # identity. + # + # psk_identity = "test" + # psk_hexphrase = "036363823" + + # + # For DH cipher suites to work, you have to + # run OpenSSL to create the DH file first: + # + # openssl dhparam -out certs/dh 2048 + # + dh_file = ${certdir}/dh + + # + # If your system doesn't have /dev/urandom, + # you will need to create this file, and + # periodically change its contents. + # + # For security reasons, FreeRADIUS doesn't + # write to files in its configuration + # directory. 
+ # + # random_file = /dev/urandom + + # + # This can never exceed the size of a RADIUS + # packet (4096 bytes), and is preferably half + # that, to accommodate other attributes in + # RADIUS packet. On most APs the MAX packet + # length is configured between 1500 - 1600 + # In these cases, fragment size should be + # 1024 or less. + # + # fragment_size = 1024 + + # include_length is a flag which is + # by default set to yes If set to + # yes, Total Length of the message is + # included in EVERY packet we send. + # If set to no, Total Length of the + # message is included ONLY in the + # First packet of a fragment series. + # + # include_length = yes + + + # Check the Certificate Revocation List + # + # 1) Copy CA certificates and CRLs to same directory. + # 2) Execute 'c_rehash '. + # 'c_rehash' is OpenSSL's command. + # 3) uncomment the lines below. + # 5) Restart radiusd + # check_crl = yes + + # Check if intermediate CAs have been revoked. + # check_all_crl = yes + + ca_path = ${cadir} + + # + # If check_cert_issuer is set, the value will + # be checked against the DN of the issuer in + # the client certificate. If the values do not + # match, the certificate verification will fail, + # rejecting the user. + # + # In 2.1.10 and later, this check can be done + # more generally by checking the value of the + # TLS-Client-Cert-Issuer attribute. This check + # can be done via any mechanism you choose. + # + # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" + + # + # If check_cert_cn is set, the value will + # be xlat'ed and checked against the CN + # in the client certificate. If the values + # do not match, the certificate verification + # will fail rejecting the user. + # + # This check is done only if the previous + # "check_cert_issuer" is not set, or if + # the check succeeds. + # + # In 2.1.10 and later, this check can be done + # more generally by checking the value of the + # TLS-Client-Cert-CN attribute. 
This check + # can be done via any mechanism you choose. + # + # check_cert_cn = %{User-Name} + # + # Set this option to specify the allowed + # TLS cipher suites. The format is listed + # in "man 1 ciphers". + # + # For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2" + # + cipher_list = "DEFAULT" + + # Work-arounds for OpenSSL nonsense + # OpenSSL 1.0.1f and 1.0.1g do not calculate + # the EAP keys correctly. The fix is to upgrade + # OpenSSL, or disable TLS 1.2 here. + # + # For EAP-FAST, this MUST be set to "yes". + # +# disable_tlsv1_2 = no + + # + + # + # Elliptical cryptography configuration + # + # Only for OpenSSL >= 0.9.8.f + # + ecdh_curve = "prime256v1" + + # + # Session resumption / fast reauthentication + # cache. + # + # The cache contains the following information: + # + # session Id - unique identifier, managed by SSL + # User-Name - from the Access-Accept + # Stripped-User-Name - from the Access-Request + # Cached-Session-Policy - from the Access-Accept + # + # The "Cached-Session-Policy" is the name of a + # policy which should be applied to the cached + # session. This policy can be used to assign + # VLANs, IP addresses, etc. It serves as a useful + # way to re-apply the policy from the original + # Access-Accept to the subsequent Access-Accept + # for the cached session. + # + # On session resumption, these attributes are + # copied from the cache, and placed into the + # reply list. + # + # You probably also want "use_tunneled_reply = yes" + # when using fast session resumption. + # + cache { + # + # Enable it. The default is "no". Deleting the entire "cache" + # subsection also disables caching. + # + # You can disallow resumption for a particular user by adding the + # following attribute to the control item list: + # + # Allow-Session-Resumption = No + # + # If "enable = no" below, you CANNOT enable resumption for just one + # user by setting the above attribute to "yes". + # + enable = yes + + # + # Lifetime of the cached entries, in hours. 
The sessions will be + # deleted/invalidated after this time. + # + lifetime = 24 # hours + + # + # The maximum number of entries in the + # cache. Set to "0" for "infinite". + # + # This could be set to the number of users + # who are logged in... which can be a LOT. + # + max_entries = 255 + + # + # Internal "name" of the session cache. Used to + # distinguish which TLS context sessions belong to. + # + # The server will generate a random value if unset. + # This will change across server restart so you MUST + # set the "name" if you want to persist sessions (see + # below). + # + #name = "EAP module" + + # + # Simple directory-based storage of sessions. + # Two files per session will be written, the SSL + # state and the cached VPs. This will persist session + # across server restarts. + # + # The server will need write perms, and the directory + # should be secured from anyone else. You might want + # a script to remove old files from here periodically: + # + # find ${logdir}/tlscache -mtime +2 -exec rm -f {} \; + # + # This feature REQUIRES "name" option be set above. + # + #persist_dir = "${logdir}/tlscache" + } + + # + # As of version 2.1.10, client certificates can be + # validated via an external command. This allows + # dynamic CRLs or OCSP to be used. + # + # This configuration is commented out in the + # default configuration. Uncomment it, and configure + # the correct paths below to enable it. + # + # If OCSP checking is enabled, and the OCSP checks fail, + # the verify section is not run. + # + # If OCSP checking is disabled, the verify section is + # run on successful certificate validation. + # + verify { + # If the OCSP checks succeed, the verify section + # is run to allow additional checks. + # + # If you want to skip verify on OCSP success, + # uncomment this configuration item, and set it + # to "yes". + # skip_if_ocsp_ok = no + + # A temporary directory where the client + # certificates are stored. 
This directory + # MUST be owned by the UID of the server, + # and MUST not be accessible by any other + # users. When the server starts, it will do + # "chmod go-rwx" on the directory, for + # security reasons. The directory MUST + # exist when the server starts. + # + # You should also delete all of the files + # in the directory when the server starts. + # tmpdir = /tmp/radiusd + + # The command used to verify the client cert. + # We recommend using the OpenSSL command-line + # tool. + # + # The ${..ca_path} text is a reference to + # the ca_path variable defined above. + # + # The %{TLS-Client-Cert-Filename} is the name + # of the temporary file containing the cert + # in PEM format. This file is automatically + # deleted by the server when the command + # returns. + # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" + } + + # + # OCSP Configuration + # Certificates can be verified against an OCSP + # Responder. This makes it possible to immediately + # revoke certificates without the distribution of + # new Certificate Revocation Lists (CRLs). + # + ocsp { + # + # Enable it. The default is "no". + # Deleting the entire "ocsp" subsection + # also disables ocsp checking + # + enable = no + + # + # The OCSP Responder URL can be automatically + # extracted from the certificate in question. + # To override the OCSP Responder URL set + # "override_cert_url = yes". + # + override_cert_url = yes + + # + # If the OCSP Responder address is not extracted from + # the certificate, the URL can be defined here. + # + url = "http://127.0.0.1/ocsp/" + + # + # If the OCSP Responder can not cope with nonce + # in the request, then it can be disabled here. + # + # For security reasons, disabling this option + # is not recommended as nonce protects against + # replay attacks. + # + # Note that Microsoft AD Certificate Services OCSP + # Responder does not enable nonce by default. 
It is + # more secure to enable nonce on the responder than + # to disable it in the query here. + # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx + # + # use_nonce = yes + + # + # Number of seconds before giving up waiting + # for OCSP response. 0 uses system default. + # + # timeout = 0 + + # + # Normally an error in querying the OCSP + # responder (no response from server, server did + # not understand the request, etc) will result in + # a validation failure. + # + # To treat these errors as 'soft' failures and + # still accept the certificate, enable this + # option. + # + # Warning: this may enable clients with revoked + # certificates to connect if the OCSP responder + # is not available. Use with caution. + # + # softfail = no + } + } + + ## EAP-TLS + # + # As of Version 3.0, the TLS configuration for TLS-based + # EAP types is above in the "tls-config" section. + # +# tls { + # Point to the common TLS configuration +# tls = tls-common + + # + # As part of checking a client certificate, the EAP-TLS + # sets some attributes such as TLS-Client-Cert-CN. This + # virtual server has access to these attributes, and can + # be used to accept or reject the request. + # + # virtual_server = check-eap-tls +# } + + + ## EAP-TTLS + # + # The TTLS module implements the EAP-TTLS protocol, + # which can be described as EAP inside of Diameter, + # inside of TLS, inside of EAP, inside of RADIUS... + # + # Surprisingly, it works quite well. + # + ttls { + # Which tls-config section the TLS negotiation parameters + # are in - see EAP-TLS above for an explanation. + # + # In the case that an old configuration from FreeRADIUS + # v2.x is being used, all the options of the tls-config + # section may also appear instead in the 'tls' section + # above. If that is done, the tls= option here (and in + # tls above) MUST be commented out. 
+ # + tls = tls-common + + # The tunneled EAP session needs a default EAP type + # which is separate from the one for the non-tunneled + # EAP module. Inside of the TTLS tunnel, we recommend + # using EAP-MD5. If the request does not contain an + # EAP conversation, then this configuration entry is + # ignored. + # + default_eap_type = gtc + + # The tunneled authentication request does not usually + # contain useful attributes like 'Calling-Station-Id', + # etc. These attributes are outside of the tunnel, + # and normally unavailable to the tunneled + # authentication request. + # + # By setting this configuration entry to 'yes', + # any attribute which is NOT in the tunneled + # authentication request, but which IS available + # outside of the tunnel, is copied to the tunneled + # request. + # + # allowed values: {no, yes} + # + copy_request_to_tunnel = no + + # + # As of version 3.0.5, this configuration item + # is deprecated. Instead, you should use + # + # update outer.session-state { + # ... + # + # } + # + # This will cache attributes for the final Access-Accept. + # + # The reply attributes sent to the NAS are usually + # based on the name of the user 'outside' of the + # tunnel (usually 'anonymous'). If you want to send + # the reply attributes based on the user name inside + # of the tunnel, then set this configuration entry to + # 'yes', and the reply to the NAS will be taken from + # the reply to the tunneled request. + # + # allowed values: {no, yes} + # + use_tunneled_reply = no + + # + # The inner tunneled request can be sent + # through a virtual server constructed + # specifically for this purpose. + # + # If this entry is commented out, the inner + # tunneled request will be sent through + # the virtual server that processed the + # outer requests. + # + virtual_server = "inner-tunnel" + + # This has the same meaning, and overwrites, the + # same field in the "tls" configuration, above. + # The default value here is "yes". 
+ # + # include_length = yes + + # + # Unlike EAP-TLS, EAP-TTLS does not require a client + # certificate. However, you can require one by setting the + # following option. You can also override this option by + # setting + # + # EAP-TLS-Require-Client-Cert = Yes + # + # in the control items for a request. + # + # require_client_cert = yes + } + + + ## EAP-PEAP + # + + ################################################## + # + # !!!!! WARNINGS for Windows compatibility !!!!! + # + ################################################## + # + # If you see the server send an Access-Challenge, + # and the client never sends another Access-Request, + # then + # + # STOP! + # + # The server certificate has to have special OID's + # in it, or else the Microsoft clients will silently + # fail. See the "scripts/xpextensions" file for + # details, and the following page: + # + # http://support.microsoft.com/kb/814394/en-us + # + # For additional Windows XP SP2 issues, see: + # + # http://support.microsoft.com/kb/885453/en-us + # + # + # If is still doesn't work, and you're using Samba, + # you may be encountering a Samba bug. See: + # + # https://bugzilla.samba.org/show_bug.cgi?id=6563 + # + # Note that we do not necessarily agree with their + # explanation... but the fix does appear to work. + # + ################################################## + + # + # The tunneled EAP session needs a default EAP type + # which is separate from the one for the non-tunneled + # EAP module. Inside of the TLS/PEAP tunnel, we + # recommend using EAP-MS-CHAPv2. + # + peap { + # Which tls-config section the TLS negotiation parameters + # are in - see EAP-TLS above for an explanation. + # + # In the case that an old configuration from FreeRADIUS + # v2.x is being used, all the options of the tls-config + # section may also appear instead in the 'tls' section + # above. If that is done, the tls= option here (and in + # tls above) MUST be commented out. 
+ # + tls = tls-common + + # The tunneled EAP session needs a default + # EAP type which is separate from the one for + # the non-tunneled EAP module. Inside of the + # PEAP tunnel, we recommend using MS-CHAPv2, + # as that is the default type supported by + # Windows clients. + # + default_eap_type = mschapv2 + + # The PEAP module also has these configuration + # items, which are the same as for TTLS. + # + copy_request_to_tunnel = no + + # + # As of version 3.0.5, this configuration item + # is deprecated. Instead, you should use + # + # update outer.session-state { + # ... + # + # } + # + # This will cache attributes for the final Access-Accept. + # + use_tunneled_reply = no + + # When the tunneled session is proxied, the + # home server may not understand EAP-MSCHAP-V2. + # Set this entry to "no" to proxy the tunneled + # EAP-MSCHAP-V2 as normal MSCHAPv2. + # + # proxy_tunneled_request_as_eap = yes + + # + # The inner tunneled request can be sent + # through a virtual server constructed + # specifically for this purpose. + # + # If this entry is commented out, the inner + # tunneled request will be sent through + # the virtual server that processed the + # outer requests. + # + virtual_server = "inner-tunnel" + + # This option enables support for MS-SoH + # see doc/SoH.txt for more info. + # It is disabled by default. + # + # soh = yes + + # + # The SoH reply will be turned into a request which + # can be sent to a specific virtual server: + # + # soh_virtual_server = "soh-server" + + # + # Unlike EAP-TLS, PEAP does not require a client certificate. + # However, you can require one by setting the following + # option. You can also override this option by setting + # + # EAP-TLS-Require-Client-Cert = Yes + # + # in the control items for a request. + # + # require_client_cert = yes + } + + # + # This takes no configuration. + # + # Note that it is the EAP MS-CHAPv2 sub-module, not + # the main 'mschap' module. 
+ # + # Note also that in order for this sub-module to work, + # the main 'mschap' module MUST ALSO be configured. + # + # This module is the *Microsoft* implementation of MS-CHAPv2 + # in EAP. There is another (incompatible) implementation + # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not + # currently support. + # + mschapv2 { + # Prior to version 2.1.11, the module never + # sent the MS-CHAP-Error message to the + # client. This worked, but it had issues + # when the cached password was wrong. The + # server *should* send "E=691 R=0" to the + # client, which tells it to prompt the user + # for a new password. + # + # The default is to behave as in 2.1.10 and + # earlier, which is known to work. If you + # set "send_error = yes", then the error + # message will be sent back to the client. + # This *may* help some clients work better, + # but *may* also cause other clients to stop + # working. + # +# send_error = no + + # Server identifier to send back in the challenge. + # This should generally be the host name of the + # RADIUS server. Or, some information to uniquely + # identify it. +# identity = "FreeRADIUS" + } + + ## EAP-FAST + # + # The FAST module implements the EAP-FAST protocol + # +# fast { + # Point to the common TLS configuration + # + # cipher_list though must include "ADH" for anonymous provisioning. + # This is not as straight forward as appending "ADH" alongside + # "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is + # recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used + # +# tls = tls-common + + # PAC lifetime in seconds (default: seven days) + # +# pac_lifetime = 604800 + + # Authority ID of the server + # + # if you are running a cluster of RADIUS servers, you should make + # the value chosen here (and for "pac_opaque_key") the same on all + # your RADIUS servers. This value should be unique to your + # installation. We suggest using a domain name. 
+ # +# authority_identity = "1234" + + # PAC Opaque encryption key (must be exactly 32 bytes in size) + # + # This value MUST be secret, and MUST be generated using + # a secure method, such as via 'openssl rand -hex 32' + # +# pac_opaque_key = "0123456789abcdef0123456789ABCDEF" + + # Same as for TTLS, PEAP, etc. + # +# virtual_server = inner-tunnel +# } +} diff --git a/roles/radius/files/raddb/users b/roles/radius/files/mods-config/files/authorize similarity index 79% rename from roles/radius/files/raddb/users rename to roles/radius/files/mods-config/files/authorize index 1c17b50..30b8640 100644 --- a/roles/radius/files/raddb/users +++ b/roles/radius/files/mods-config/files/authorize @@ -1,10 +1,10 @@ # -# Please read the documentation file ../doc/processing_users_file, -# or 'man 5 users' (after installing the server) for more information. +# Configuration file for the rlm_files module. +# Please see rlm_files(5) manpage for more information. # -# This file contains authentication security and configuration +# This file contains authentication security and configuration # information for each user. Accounting requests are NOT processed -# through this file. Instead, see 'acct_users', in this directory. +# through this file. Instead, see 'accounting', in this directory. # # The first field is the user's name and can be up to # 253 characters in length. This is followed (on the same line) with @@ -27,10 +27,6 @@ # matches the login-request will stop processing unless you use # the Fall-Through variable. # -# If you use the database support to turn this file into a .db or .dbm -# file, the DEFAULT entries _have_ to be at the end of this file and -# you can't have multiple entries for one username. -# # Indented (with the tab character) lines following the first # line indicate the configuration values to be passed back to # the comm server to allow the initiation of a user session. 
@@ -38,13 +34,14 @@ # or the host to log the user onto. # # You can include another `users' file with `$INCLUDE users.other' -# # # For a list of RADIUS attributes, and links to their definitions, -# see: +# see: http://www.freeradius.org/rfc/attributes.html # -# http://www.freeradius.org/rfc/attributes.html +# Entries below this point are examples included in the server for +# educational purposes. They may be deleted from the deployed +# configuration without impacting the operation of the server. # # @@ -83,9 +80,33 @@ # Framed-MTU = 1500, # Framed-Compression = Van-Jacobsen-TCP-IP +# +# The canonical testing user which is in most of the +# examples. +# +#bob Cleartext-Password := "hello" +# Reply-Message := "Hello, %{User-Name}" +# + +# regular user vlan +binary Cleartext-Password := "kitchen" + Tunnel-Type := "VLAN", + Tunnel-Medium-Type := "IEEE-802", + Tunnel-Private-Group-Id := 2303 + +# IoT / MQTT vlan +mqtt Cleartext-Password := "test1234" + Tunnel-Type := "VLAN", + Tunnel-Medium-Type := "IEEE-802", + Tunnel-Private-Group-Id := 2304 + # # This is an entry for a user with a space in their name. -# Note the double quotes surrounding the name. +# Note the double quotes surrounding the name. If you have +# users with spaces in their names, you must also change +# the "filter_username" policy to allow spaces. +# +# See raddb/policy.d/filter, filter_username {} section. # #"John Doe" Cleartext-Password := "hello" # Reply-Message = "Hello, %{User-Name}" @@ -119,7 +140,7 @@ # the following DEFAULT entries # #swilson Service-Type == Framed-User, Huntgroup-Name == "alphen" -# Framed-IP-Address = 192.168.1.65, +# Framed-IP-Address = 192.0.2.65, # Fall-Through = Yes # 
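Review bot: The `@@ -83,9 +80,33 @@` hunk commits two live shared credentials in cleartext, `binary Cleartext-Password := "kitchen"` and `mqtt Cleartext-Password := "test1234"`, into a file under `roles/radius/files/`, which an Ansible role ships verbatim, so both secrets are now in version control and deployed as-is (and `test1234` reads like a placeholder that was never replaced). The inner-tunnel MS-CHAPv2 path configured in the eap module needs a cleartext or NT-hash password, so the problem is where the value comes from rather than hashing: render this file from a template with `mqtt Cleartext-Password := "{{ radius_mqtt_password }}"` and keep the values in an encrypted variables file, then rotate both passwords, since the current ones are already in git history. Because these are shared accounts, the password alone decides the network placement (`Tunnel-Private-Group-Id := 2304`), so anyone who learns the IoT password lands on that VLAN; per-device credentials, or at least a comment on each entry naming which devices share it, would make that exposure explicit.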
@@ -147,11 +168,11 @@ # IP address. The Port-Id (S0, S1 etc) will be added to it. # #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "alphen" -# Framed-IP-Address = 192.168.1.32+, +# Framed-IP-Address = 192.0.2.32+, # Fall-Through = Yes #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "delft" -# Framed-IP-Address = 192.168.2.32+, +# Framed-IP-Address = 198.51.100.32+, # Fall-Through = Yes # @@ -200,4 +221,12 @@ DEFAULT Hint == "SLIP" # DEFAULT # Service-Type = Administrative-User + # On no match, the user is denied access. + + +######################################################### +# You should add test accounts to the TOP of this file! # +# See the example user "bob" above. # +######################################################### + diff --git a/roles/radius/files/raddb/acct_users b/roles/radius/files/raddb/acct_users deleted file mode 100644 index 219a667..0000000 --- a/roles/radius/files/raddb/acct_users +++ /dev/null @@ -1,23 +0,0 @@ -# -# $Id: fafac849a0f0519cdaf7acf2ef51c8b36a5a6255 $ -# -# This is like the 'users' file, but it is processed only for -# accounting packets. -# - -# Select between different accounting methods based for example on the -# Realm, the Huntgroup-Name or any combinaison of the attribute/value -# pairs contained in an accounting packet. -# -#DEFAULT Realm == "foo.net", Acct-Type := sql_log.foo -# -#DEFAULT Huntgroup-Name == "wifi", Acct-Type := sql_log.wifi -# -#DEFAULT Client-IP-Address == 10.0.0.1, Acct-Type := sql_log.other -# -#DEFAULT Acct-Status-Type == Start, Acct-Type := sql_log.start - -# Replace the User-Name with the Stripped-User-Name, if it exists. -# -#DEFAULT -# User-Name := "%{Stripped-User-Name:-%{User-Name}}" diff --git a/roles/radius/files/raddb/attrs b/roles/radius/files/raddb/attrs deleted file mode 100644 index 596294d..0000000 --- a/roles/radius/files/raddb/attrs +++ /dev/null 
@@ -1,129 +0,0 @@ -# -# Configuration file for the rlm_attr_filter module. -# Please see rlm_attr_filter(5) manpage for more information. -# -# $Id: 76c644b100656f8bd45e768b13cbcf140ce5a770 $ -# -# This file contains security and configuration information -# for each realm. The first field is the realm name and -# can be up to 253 characters in length. This is followed (on -# the next line) with the list of filter rules to be used to -# decide what attributes and/or values we allow proxy servers -# to pass to the NAS for this realm. -# -# When a proxy-reply packet is received from a home server, -# these attributes and values are tested. Only the first match -# is used unless the "Fall-Through" variable is set to "Yes". -# In that case the rules defined in the DEFAULT case are -# processed as well. -# -# A special realm named "DEFAULT" matches on all realm names. -# You can have only one DEFAULT entry. All entries are processed -# in the order they appear in this file. The first entry that -# matches the login-request will stop processing unless you use -# the Fall-Through variable. -# -# Indented (with the tab character) lines following the first -# line indicate the filter rules. -# -# You can include another `attrs' file with `$INCLUDE attrs.other' -# - -# -# This is a complete entry for realm "fisp". Note that there is no -# Fall-Through entry so that no DEFAULT entry will be used, and the -# server will NOT allow any other a/v pairs other than the ones -# listed here. -# -# These rules allow: -# o Only Framed-User Service-Types ( no telnet, rlogin, tcp-clear ) -# o PPP sessions ( no SLIP, CSLIP, etc. 
) -# o dynamic ip assignment ( can't assign a static ip ) -# o an idle timeout value set to 600 seconds (10 min) or less -# o a max session time set to 28800 seconds (8 hours) or less -# -#fisp -# Service-Type == Framed-User, -# Framed-Protocol == PPP, -# Framed-IP-Address == 255.255.255.254, -# Idle-Timeout <= 600, -# Session-Timeout <= 28800 - -# -# This is a complete entry for realm "tisp". Note that there is no -# Fall-Through entry so that no DEFAULT entry will be used, and the -# server will NOT allow any other a/v pairs other than the ones -# listed here. -# -# These rules allow: -# o Only Login-User Service-Type ( no framed/ppp sessions ) -# o Telnet sessions only ( no rlogin, tcp-clear ) -# o Login hosts of either 192.168.1.1 or 192.168.1.2 -# -#tisp -# Service-Type == Login-User, -# Login-Service == Telnet, -# Login-TCP-Port == 23, -# Login-IP-Host == 192.168.1.1, -# Login-IP-Host == 192.168.1.2 - -# -# The following example can be used for a home server which is only -# allowed to supply a Reply-Message, a Session-Timeout attribute of -# maximum 86400, a Idle-Timeout attribute of maximum 600 and a -# Acct-Interim-Interval attribute between 300 and 3600. -# All other attributes sent back will be filtered out. -# -#strictrealm -# Reply-Message =* ANY, -# Session-Timeout <= 86400, -# Idle-Timeout <= 600, -# Acct-Interim-Interval >= 300, -# Acct-Interim-Interval <= 3600 - -# -# This is a complete entry for realm "spamrealm". Fall-Through is used, -# so that the DEFAULT filter rules are used in addition to these. -# -# These rules allow: -# o Force the application of Filter-ID attribute to be returned -# in the proxy reply, whether the proxy sent it or not. -# o The standard DEFAULT rules as defined below -# -#spamrealm -# Framed-Filter-Id := "nosmtp.in", -# Fall-Through = Yes - -# -# The rest of this file contains the DEFAULT entry. -# DEFAULT matches with all realm names. 
(except if the realm previously -# matched an entry with no Fall-Through) -# - -DEFAULT - Service-Type == Framed-User, - Service-Type == Login-User, - Login-Service == Telnet, - Login-Service == Rlogin, - Login-Service == TCP-Clear, - Login-TCP-Port <= 65536, - Framed-IP-Address == 255.255.255.254, - Framed-IP-Netmask == 255.255.255.255, - Framed-Protocol == PPP, - Framed-Protocol == SLIP, - Framed-Compression == Van-Jacobson-TCP-IP, - Framed-MTU >= 576, - Framed-Filter-ID =* ANY, - Reply-Message =* ANY, - Proxy-State =* ANY, - EAP-Message =* ANY, - Message-Authenticator =* ANY, - MS-MPPE-Recv-Key =* ANY, - MS-MPPE-Send-Key =* ANY, - MS-CHAP-MPPE-Keys =* ANY, - State =* ANY, - Session-Timeout <= 28800, - Idle-Timeout <= 600, - Calling-Station-Id =* ANY, - Operator-Name =* ANY, - Port-Limit <= 2 diff --git a/roles/radius/files/raddb/attrs.access_challenge b/roles/radius/files/raddb/attrs.access_challenge deleted file mode 100644 index 0a845ff..0000000 --- a/roles/radius/files/raddb/attrs.access_challenge +++ /dev/null @@ -1,19 +0,0 @@ -# -# Configuration file for the rlm_attr_filter module. -# Please see rlm_attr_filter(5) manpage for more information. -# -# $Id: 78ea54e83f4a998797f16a8c564b5c2f32642adc $ -# -# This configuration file is used to remove almost all of the -# attributes From an Access-Challenge message. The RFC's say -# that an Access-Challenge packet can contain only a few -# attributes. We enforce that here. -# -DEFAULT - EAP-Message =* ANY, - State =* ANY, - Message-Authenticator =* ANY, - Reply-Message =* ANY, - Proxy-State =* ANY, - Session-Timeout =* ANY, - Idle-Timeout =* ANY diff --git a/roles/radius/files/raddb/attrs.access_reject b/roles/radius/files/raddb/attrs.access_reject deleted file mode 100644 index 1f08698..0000000 --- a/roles/radius/files/raddb/attrs.access_reject +++ /dev/null 
@@ -1,17 +0,0 @@ -# -# Configuration file for the rlm_attr_filter module. -# Please see rlm_attr_filter(5) manpage for more information. -# -# $Id: e263d504cfdc5cf5db00fa6aacf2bd148a7623fc $ -# -# This configuration file is used to remove almost all of the attributes -# From an Access-Reject message. The RFC's say that an Access-Reject -# packet can contain only a few attributes. We enforce that here. -# -DEFAULT - EAP-Message =* ANY, - State =* ANY, - Message-Authenticator =* ANY, - Reply-Message =* ANY, - MS-CHAP-Error =* ANY, - Proxy-State =* ANY diff --git a/roles/radius/files/raddb/attrs.accounting_response b/roles/radius/files/raddb/attrs.accounting_response deleted file mode 100644 index eb72eec..0000000 --- a/roles/radius/files/raddb/attrs.accounting_response +++ /dev/null @@ -1,15 +0,0 @@ -# -# Configuration file for the rlm_attr_filter module. -# Please see rlm_attr_filter(5) manpage for more information. -# -# $Id: 3746ce4da3d58fcdd0b777a93e599045353c27ac $ -# -# This configuration file is used to remove almost all of the attributes -# From an Accounting-Response message. The RFC's say that an -# Accounting-Response packet can contain only a few attributes. -# We enforce that here. -# -DEFAULT - Vendor-Specific =* ANY, - Message-Authenticator =* ANY, - Proxy-State =* ANY diff --git a/roles/radius/files/raddb/attrs.pre-proxy b/roles/radius/files/raddb/attrs.pre-proxy deleted file mode 100644 index 786a341..0000000 --- a/roles/radius/files/raddb/attrs.pre-proxy +++ /dev/null 
@@ -1,62 +0,0 @@ -# -# Configuration file for the rlm_attr_filter module. -# Please see rlm_attr_filter(5) manpage for more information. -# -# $Id: 8c601cf205f9d85b75c1ec7fc8e816e7341a5ba4 $ -# -# This file contains security and configuration information -# for each realm. It can be used be an rlm_attr_filter module -# instance to filter attributes before sending packets to the -# home server of a realm. -# -# When a packet is sent to a home server, these attributes -# and values are tested. Only the first match is used unless -# the "Fall-Through" variable is set to "Yes". In that case -# the rules defined in the DEFAULT case are processed as well. -# -# A special realm named "DEFAULT" matches on all realm names. -# You can have only one DEFAULT entry. All entries are processed -# in the order they appear in this file. The first entry that -# matches the login-request will stop processing unless you use -# the Fall-Through variable. -# -# The first line indicates the realm to which the rules apply. -# Indented (with the tab character) lines following the first -# line indicate the filter rules. -# - -# This is a complete entry for 'nochap' realm. It allows to send very -# basic attributes to the home server. Note that there is no Fall-Through -# entry so that no DEFAULT entry will be used. Only the listed attributes -# will be sent in the packet, all other attributes will be filtered out. -# -#nochap -# User-Name =* ANY, -# User-Password =* ANY, -# NAS-Ip-Address =* ANY, -# NAS-Identifier =* ANY - -# The entry for the 'brokenas' realm removes the attribute NAS-Port-Type -# if its value is different from 'Ethernet'. Then the default rules are -# applied. -# -#brokenas -# NAS-Port-Type == Ethernet -# Fall-Through = Yes - -# The rest of this file contains the DEFAULT entry. -# DEFAULT matches with all realm names. 
- -DEFAULT - User-Name =* ANY, - User-Password =* ANY, - CHAP-Password =* ANY, - CHAP-Challenge =* ANY, - MS-CHAP-Challenge =* ANY, - MS-CHAP-Response =* ANY, - EAP-Message =* ANY, - Message-Authenticator =* ANY, - State =* ANY, - NAS-IP-Address =* ANY, - NAS-Identifier =* ANY, - Proxy-State =* ANY diff --git a/roles/radius/files/raddb/certs/BKCA.crt b/roles/radius/files/raddb/certs/BKCA.crt deleted file mode 100644 index d961296..0000000 --- a/roles/radius/files/raddb/certs/BKCA.crt +++ /dev/null 
@@ -1,33 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFuTCCA6GgAwIBAgIJANVP+EmgIyEFMA0GCSqGSIb3DQEBCwUAMHMxCzAJBgNV -BAYTAkRFMRAwDgYDVQQIDAdCYXZhcmlhMRMwEQYDVQQHDApSZWdlbnNidXJnMRww -GgYDVQQKDBNCaW5hcnkgS2l0Y2hlbiBlLlYuMR8wHQYDVQQDDBZCaW5hcnkgS2l0 -Y2hlbiBSb290IENBMB4XDTE1MDUyMjA3MDcyN1oXDTI1MDUxOTA3MDcyN1owczEL -MAkGA1UEBhMCREUxEDAOBgNVBAgMB0JhdmFyaWExEzARBgNVBAcMClJlZ2Vuc2J1 -cmcxHDAaBgNVBAoME0JpbmFyeSBLaXRjaGVuIGUuVi4xHzAdBgNVBAMMFkJpbmFy -eSBLaXRjaGVuIFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC -AQCwBmbxYSdTH+Ti2UdjpLRbSjA4uMRjJpVus0IviOtjr5nbfx/uA4b+UuhU0FS6 -69vjuBeheu85SCQLZVA3If2qttlBNPvW8/WzQtmHqAK4jMGTIeD5PNH75bhIafMu -LWz5nRcagWoKVeumi9dhFofuoO6uSv1BdSbwK3gYkt5guKl5Pio9HITSFP961ndQ -n6dBLPvy4m+pJ6MZxhzaQIvxRr9uVRJieHH9Yl/CQcl2d1YQ24/KNiFFdF2NPyKE -+eFl8UWl/6sHS8tqLwhs4qeJCL1ir/1bjr8mZigflBE4mwtuV8EDF0pWWOyYehii -NLcS3LfLzv25N9mwhwGMJqLTDihtkcBCNx3c2qFrri1MvXy/KFrHKh2jt9pvgYDX -M2+g+tm+aWXfylu6k1GOIByT5ALktUzhfwuxk0SdplZNUqSfu1DccvxP9hbtSZPP -EnARbcTD/wOCSDj+nSG8scUIo3pNHddh0zx+W16kwBoNGHJX+g7vkMJikvYlHo2i -6CRdx47MknCgj/jQSPlajxAH5zzDcABbFRoRKh/esDEeGaKMKVyKJJFlx4CmHQ53 -zc/jV3VjQo5yL1v3YUYllccZeXmGQb5UJoSRfpE+mvO9+EYAxWLydswNeQI1f1r8 -CTWlD4tT0gooZzGKpw58Zp3IacXIzjDT5Ri2xfB+Oo4WaQIDAQABo1AwTjAdBgNV -HQ4EFgQU7MXazC3sn6xTIDkKtBv4AvYcob0wHwYDVR0jBBgwFoAU7MXazC3sn6xT -IDkKtBv4AvYcob0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAq/fD -BfaVi1KjRANxHKXmADqN0UpSdVoB2qKsj9nJ07fdS38rUqA+QjU+zmCufVkmMxKf -es3qZz5fOHkVHAiOt65XWFtYK62JByr4LomLDVDWSM4BmbU4aB8ix9ZPOr+NmB4B -QX99w0aMknO/ohVQ7InubgsXMaKA8kggCtpBQkfwcF2ntIGvyeuPJYwAWG19iH4a -uAvOdgyDCuta6UI5UPCdYdArFv3hn6+ht60tMdxo1qq9KUlyqZ3AX1Xd4+krLlCI -Kp+qfcyJ1igD5wT50egOAvc9SydFaXgAUIjt3oY5YYvP+MWmVMI107jl4jfMnQeI -G5qIEy9luhrjqJaHfLHyT10IaU/uZB7ZvZx7ElIo1YlTlIcMU8Wg6CJponDh/1aw -PbQhtuzk60N5905zDnpSHJSa91JcpVsLPv2ykQfimA8HNH2xS7ORXUJzwvEB1vhM -KnGMQB0px7HQtTTCKcDFeqZXygi4nXNygrp+swnO869jV4e6ReeV/RB7nxjd307J -gpRdtBbIambnFP74nJUhRk/60VlCDz92f+CTosHM6rdlOxFyX69cZZhoCFU5u4wF 
-ODqfxRzNJPhChozXcciAcLfhx89x0ob92XQenzZzFtylDvUAskhdhTMFLKGHstH7 -Q8Xr0jNYp5PaGNC5m+m9ngLYe6GzxGol7dLJElc= ------END CERTIFICATE----- diff --git a/roles/radius/files/raddb/certs/dh b/roles/radius/files/raddb/certs/dh deleted file mode 100644 index 7ec1241..0000000 --- a/roles/radius/files/raddb/certs/dh +++ /dev/null @@ -1,5 +0,0 @@ ------BEGIN DH PARAMETERS----- -MIGHAoGBANh0ncSD3/1BWAYxZjtnYskokt29hEDRIFznWT54iWXAbaMoz05g5TJA -/CceHuBsjNkvywEzOXt+OkaGEub14M4G1IkLoxMcwBCaUIP28pCSKg2vTna3zyfY -E3hYDgXNCw897PZ9jH7ngDRNqgwKqoHVViqLefHwpEJoiRlE6xEDAgEC ------END DH PARAMETERS----- diff --git a/roles/radius/files/raddb/certs/server.crt b/roles/radius/files/raddb/certs/server.crt deleted file mode 100644 index 2602549..0000000 --- a/roles/radius/files/raddb/certs/server.crt +++ /dev/null 
@@ -1,68 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIGCzCCA/OgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwczELMAkGA1UEBhMCREUx -EDAOBgNVBAgMB0JhdmFyaWExEzARBgNVBAcMClJlZ2Vuc2J1cmcxHDAaBgNVBAoM -E0JpbmFyeSBLaXRjaGVuIGUuVi4xHzAdBgNVBAMMFkJpbmFyeSBLaXRjaGVuIFJv -b3QgQ0EwHhcNMTUwNTIyMTExODU0WhcNMTcwNTIxMTExODU0WjBcMQswCQYDVQQG -EwJERTEQMA4GA1UECAwHQmF2YXJpYTEcMBoGA1UECgwTQmluYXJ5IEtpdGNoZW4g -ZS5WLjEdMBsGA1UEAwwUbGRhcDEuYmluYXJ5LmtpdGNoZW4wggIiMA0GCSqGSIb3 -DQEBAQUAA4ICDwAwggIKAoICAQC6ykZYkdpD2vFJlIdXW6waJC8q4OUrxkmi9A8A -qy9JX884he20wa8cSBN2fsMy96pLozm6hwtTRJB30rZ2Rr/vtTYk4PgEfI2drhlk -4QCByItI6VYP4hx7+huK0JpVykHEm14/KyfMb46kjxZMpgYk50pJ8etmYm+p/uV3 -evP6IKlIg03UoL+dfvRV6QWf841lklCZ4KEJFXRn+xilZtd8QsHs7ku5qC6UEuQ9 -Qj4fGeUKvBvAKbej0kyMLU8UO2wcgz/qeJsdtMsb41msk3ThLJ8/rAwhhXC1liUu -85g7NpSw2kgFKpVtroorJxoCJ52jWcUwXToKBtG0TTyC35j+mudxjTTSIguTbXha -x/Ku6tuA2rs5gYThQcdFcwkoF0Q14GZzA8qRbnKMwexcn7n7MjumBTan+KFuopii -PP0SpvYqm4jLzJEGe4L/TaiklIG0tHCLEWEdSj3Gi+Rw4QeAkML1ICc5yhtvCXdk -ZFt79VDZqnFC+GuHG974raMbiSMhBl3JfQr0ugCHQ8rcJYfdK4yrbWn2XxxD22CG -Gha8eV8wA4O1rprG6/d5RIiEhcoQc+OpCjhN0WXpSOzZZj7JSRNKXnmH0obncp9m -BklW7lArhvDtRj4AarZhdQAXrWQuzUTGoQJMi01Ijz/7aBgGLrsjgbSw3W63n+td -0+yAVQIDAQABo4G/MIG8MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5T -U0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRoZGD68u2nhxCjCPwx -FQe+yWI14DAfBgNVHSMEGDAWgBTsxdrMLeyfrFMgOQq0G/gC9hyhvTALBgNVHQ8E -BAMCBeAwNAYDVR0RBC0wK4IUbGRhcDEuYmluYXJ5LmtpdGNoZW6CE2xkYXAuYmlu -YXJ5LmtpdGNoZW4wDQYJKoZIhvcNAQELBQADggIBAKXuCIyuJtpu6ycy59w+Tt+7 -LOYeSUZySF9dW9l0ptgHtPU5z6PcTHiaCydJMXbJAJ4L7wny6Luj2NRvcN15H+Ry -/C+mlEc5xbqOfhqRTPWhSwlGvaRZy/BQQalxxGoWoimmbJzY0AHUaW9yMHebvqAz -OOugXt4eqg9c0C+eXIsBoR6LZcMNLqLFwYE94NX+wSCHV/DDzrKqVnnxAJJyZB+t -u/c4fqCFtJqERZtMhgZbc/AhIRzUc3QyNI3rdZ46EDgTE7C8bF7vFNajqWHwn4tW -+o7lZpcIocsc0zI2hQZ01N8KFADVr8KDsYzQ6T9+DcoiGE+3T8WBu3zKqKUGekvX -hEKqfnlNgtvJqdrQ9YVd+JYJ61m4xm9g5GuhkIk3NNMwLhdpSKmRMneHWvCyE74d -qHN308AJh5boH5tKxxtR3Mh6Ay8ualx9W2pewIn7sF354S8lkeqQEyC60uunR4C3 
-1Z7i1zFGc3itu7n5rCQN7zlp8wCpLjOBk9XweEBGfD82J06Gyxa+DAHPm5KSmAnl -t21B3BwCNtZEZLjjhdB4hFzFhkJztYl07Qhij3qwsCy2cllYTjlznRJI4NKwmPQ8 -m7B1qqlA7snBwUGvXC6e4v9qlwkXC+2fLHtEbQB5741KdjsLBNVWTfjRx2sGMP8w -/8Jj2W9x6wBTta9VtqjX ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIFuTCCA6GgAwIBAgIJANVP+EmgIyEFMA0GCSqGSIb3DQEBCwUAMHMxCzAJBgNV -BAYTAkRFMRAwDgYDVQQIDAdCYXZhcmlhMRMwEQYDVQQHDApSZWdlbnNidXJnMRww -GgYDVQQKDBNCaW5hcnkgS2l0Y2hlbiBlLlYuMR8wHQYDVQQDDBZCaW5hcnkgS2l0 -Y2hlbiBSb290IENBMB4XDTE1MDUyMjA3MDcyN1oXDTI1MDUxOTA3MDcyN1owczEL -MAkGA1UEBhMCREUxEDAOBgNVBAgMB0JhdmFyaWExEzARBgNVBAcMClJlZ2Vuc2J1 -cmcxHDAaBgNVBAoME0JpbmFyeSBLaXRjaGVuIGUuVi4xHzAdBgNVBAMMFkJpbmFy -eSBLaXRjaGVuIFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC -AQCwBmbxYSdTH+Ti2UdjpLRbSjA4uMRjJpVus0IviOtjr5nbfx/uA4b+UuhU0FS6 -69vjuBeheu85SCQLZVA3If2qttlBNPvW8/WzQtmHqAK4jMGTIeD5PNH75bhIafMu -LWz5nRcagWoKVeumi9dhFofuoO6uSv1BdSbwK3gYkt5guKl5Pio9HITSFP961ndQ -n6dBLPvy4m+pJ6MZxhzaQIvxRr9uVRJieHH9Yl/CQcl2d1YQ24/KNiFFdF2NPyKE -+eFl8UWl/6sHS8tqLwhs4qeJCL1ir/1bjr8mZigflBE4mwtuV8EDF0pWWOyYehii -NLcS3LfLzv25N9mwhwGMJqLTDihtkcBCNx3c2qFrri1MvXy/KFrHKh2jt9pvgYDX -M2+g+tm+aWXfylu6k1GOIByT5ALktUzhfwuxk0SdplZNUqSfu1DccvxP9hbtSZPP -EnARbcTD/wOCSDj+nSG8scUIo3pNHddh0zx+W16kwBoNGHJX+g7vkMJikvYlHo2i -6CRdx47MknCgj/jQSPlajxAH5zzDcABbFRoRKh/esDEeGaKMKVyKJJFlx4CmHQ53 -zc/jV3VjQo5yL1v3YUYllccZeXmGQb5UJoSRfpE+mvO9+EYAxWLydswNeQI1f1r8 -CTWlD4tT0gooZzGKpw58Zp3IacXIzjDT5Ri2xfB+Oo4WaQIDAQABo1AwTjAdBgNV -HQ4EFgQU7MXazC3sn6xTIDkKtBv4AvYcob0wHwYDVR0jBBgwFoAU7MXazC3sn6xT -IDkKtBv4AvYcob0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAq/fD -BfaVi1KjRANxHKXmADqN0UpSdVoB2qKsj9nJ07fdS38rUqA+QjU+zmCufVkmMxKf -es3qZz5fOHkVHAiOt65XWFtYK62JByr4LomLDVDWSM4BmbU4aB8ix9ZPOr+NmB4B -QX99w0aMknO/ohVQ7InubgsXMaKA8kggCtpBQkfwcF2ntIGvyeuPJYwAWG19iH4a -uAvOdgyDCuta6UI5UPCdYdArFv3hn6+ht60tMdxo1qq9KUlyqZ3AX1Xd4+krLlCI -Kp+qfcyJ1igD5wT50egOAvc9SydFaXgAUIjt3oY5YYvP+MWmVMI107jl4jfMnQeI -G5qIEy9luhrjqJaHfLHyT10IaU/uZB7ZvZx7ElIo1YlTlIcMU8Wg6CJponDh/1aw 
-PbQhtuzk60N5905zDnpSHJSa91JcpVsLPv2ykQfimA8HNH2xS7ORXUJzwvEB1vhM -KnGMQB0px7HQtTTCKcDFeqZXygi4nXNygrp+swnO869jV4e6ReeV/RB7nxjd307J -gpRdtBbIambnFP74nJUhRk/60VlCDz92f+CTosHM6rdlOxFyX69cZZhoCFU5u4wF -ODqfxRzNJPhChozXcciAcLfhx89x0ob92XQenzZzFtylDvUAskhdhTMFLKGHstH7 -Q8Xr0jNYp5PaGNC5m+m9ngLYe6GzxGol7dLJElc= ------END CERTIFICATE----- diff --git a/roles/radius/files/raddb/certs/server.key b/roles/radius/files/raddb/certs/server.key deleted file mode 100644 index 7901228..0000000 --- a/roles/radius/files/raddb/certs/server.key +++ /dev/null 
@@ -1,51 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIJKAIBAAKCAgEAuspGWJHaQ9rxSZSHV1usGiQvKuDlK8ZJovQPAKsvSV/POIXt -tMGvHEgTdn7DMveqS6M5uocLU0SQd9K2dka/77U2JOD4BHyNna4ZZOEAgciLSOlW -D+Ice/obitCaVcpBxJtePysnzG+OpI8WTKYGJOdKSfHrZmJvqf7ld3rz+iCpSINN -1KC/nX70VekFn/ONZZJQmeChCRV0Z/sYpWbXfELB7O5LuagulBLkPUI+HxnlCrwb -wCm3o9JMjC1PFDtsHIM/6nibHbTLG+NZrJN04SyfP6wMIYVwtZYlLvOYOzaUsNpI -BSqVba6KKycaAiedo1nFMF06CgbRtE08gt+Y/prncY000iILk214WsfyrurbgNq7 -OYGE4UHHRXMJKBdENeBmcwPKkW5yjMHsXJ+5+zI7pgU2p/ihbqKYojz9Eqb2KpuI -y8yRBnuC/02opJSBtLRwixFhHUo9xovkcOEHgJDC9SAnOcobbwl3ZGRbe/VQ2apx -Qvhrhxve+K2jG4kjIQZdyX0K9LoAh0PK3CWH3SuMq21p9l8cQ9tghhoWvHlfMAOD -ta6axuv3eUSIhIXKEHPjqQo4TdFl6Ujs2WY+yUkTSl55h9KG53KfZgZJVu5QK4bw -7UY+AGq2YXUAF61kLs1ExqECTItNSI8/+2gYBi67I4G0sN1ut5/rXdPsgFUCAwEA -AQKCAgALuEVRqVUYjNQ22arkQEw8F6kd955pcLeOEeIfGJ6O7AQEd+LCRKTIEX2n -Iaz9taxpsoQcv/xl7RdjbUUlhqrkT2pmRfdJ0MbR7eqJ+dQeUIbsvDc6J+XBoZ+4 -xf3pBBe8TkNLk1mb6iP5D0FG7ePUzO5MVXF/qw12jRe4t243c3Urp5Fqletv5ldO -TKCduJpWlSeZgA6ak04KeCbDugArO8UPKKR3saW6hLTtYwqiyO0mD0dudy+eh8Nl -yDH+Avx1jYalH4wcAQv9Y/ZsbZQXzMTxKcpZEBZSTmlm2MHkdTg/IHMEX/egOiNR -MdLf77xkU22b6z2JA4SE25PAYmcm9tYO6PO8m5z8qM2bpDBIfc8MZZf8PpIzgdTB -OqDr8saInLiwrdY/BDAObUQaHOE3zns36XzMPnhStulu6mTc4AW0+RlHAZSX5Wh1 -0YAtt0tfCeC6vIornLsCUQQGmAbbcep4u1XSKPdvJLxZ6H5iS6kzalzV8ajX29kr -0H6bwMWmZR1RAEjbeesoa9aQRrXVZVwfrx4/8dRR0338z0/DDZhnjuRqLOby6I4F -wDwuiBSy5oZgK0nVUiMmhLz0gmU+mClFKO4sV/wPfiWjQiqDYmumLW+OlB4rtwLv -mAvre0nKH3HUj0LlYaQHM743tguT/HmbHf3zXhB6QcLAOMnUwQKCAQEA9AAYSep4 -Le7ryGRq1Oqvdx5kf1WVEwZherwmxy73139TojBg6pLdmbKfDX+RibIhj1dkw3Ob -K9X6CwAZxgIDfBj8E10fPwRMSgL83TTpo22ttrsrJtfsZ16U46Wg+w2B/Pf8OiRR -d+r+uEAcjQ7fwkUcxkGaUPtQ66zhfR3HVvQ86n5F2H/mv4gmR/3o3tMpPp4Z8ZoZ -/8P54HbKX0im911lovG4G48d0r4vlJp4aqEor1qkhiubpEnUKJcP6FY8W6s/12Ez -xz2MqHX/je6oG7r6Im4vf3h8jG5eyd1cnb2iyFmwtBeIyToHKYmY5M81dYAxqD7Z -AmPTwTGwm5H1EwKCAQEAw/nqwaGprsh3eJwgpZal68xpw7c1dJFLupNlbvSsiFSc -UA9iYIGcRV4lp1FwYQeO8mRa3NyXjcFrrMECv3YfzBKpIK8nZPuzmBO7GGvPZQ6n 
-Ca0eV81qOx0DFmspyz2Dgn2b5hn5VJSKdFw4mQY1+I5JHvDihaVosp8vfZGEDD5h -8c4zG3ZmdZMgzAzxdCWBbFbYgOvPawhfaH8hgD9+Q4jwxW2Q6qIVtI8PBniVTcKe -Wl7DqkZusRCWIR1t4+Z/JLLqg+YxywMpWEkwMcTrxrCMeBNs3ONoppVLsmNCFUyP -bcL982z3RfjOXGj4qO6KfpwXOoO0Pmn/nykeDuMp9wKCAQEAhitLL9HrVa6sHlwB -VqTZ6VFgB5jCyVxX28p8NEjCZdAQ5/1cPYCWs/5BcYW1PJcj1xNCSCtYpwkZXlUm -1veifOmsKuWo2dj+LjBoZSbEVmZoADP5bXmL9+dNTcR0ubfaw4SFQF9aIOuqNxyh -1nrYVZX1VZsbRO58t6svrsHiLBFPMc5Pj9X8x1MRYcLf+y733gPH1k9bfoV/8IrB -ixWDIkBMNAZgq17OEmUb+sXZ8yA9I/dewpxWEEe8jrlKOQK6W9nV2BQOCb/xiWyh -IqWZ8O2mv6oBGkHhksLaAnxjgiWVzj9raAwM3kG3UILl/ONnzP250H8Gi0bjWLd/ -Gnxu2wKCAQA4oKll5Am82G41KqAAWQR+myVgiTroAOfp9JdVtVt5VUGJnLhnfGwk -Wyz0KQMY9m8muTrMIO2l52LumyLpIf/UHvxB1nrCojxl0CW6y8Q0xkQb9qsS4ec1 -R4/R1YtRD+hFN3hpx82U1AshzlgIV5QWyz5zs1UxGveizX6SgQ6v3wK8NUHtSIwY -ozfR3leSoRfBr2KF9h2MJvIyprGOdkpMx3ATDDLYqZcuAjxsOUGjI35QTJurQwjP -HyTSUsejF8JbX1uGW2i96Z7zxMopR2Z9lhwwwiQtu4RMxk0GMcoxj1rOc46f3Tei -P1+ZsjdP0QWxyfaoUNAvTL+xRNdLo/ZHAoIBABXaQQ7Ks23cem6lap+1AVueSJnS -zU81Rm19C7iVRy/u4pFIaAk0rfWAuBfN0JwBGGqIAXCkHlfR/pnKyRcpyCi/sbWw -fKK/CRbfpl/vHaeSpeMrgYoPRE1kX8Onkl9DEabRqVqE2nu+izNww42RxPKHWrQQ -6buNLpBLmkab7rNA3wN/NWO/k9bV33dWb4VjGB+/MnIU414HnGBHNsfu0aGuky8y -7Eq1kMXU4KeYZkSjDA/JWVJUYveKciir3DxUzJwAsOQH/c4sdRMTi2nwI4M3qOXr -9roLFgZETv0V6hKt/bQTce8no7FX5wFUYRoJf1j0YibXAWw31o5TXc4FcCM= ------END RSA PRIVATE KEY----- diff --git a/roles/radius/files/raddb/clients.conf b/roles/radius/files/raddb/clients.conf deleted file mode 100644 index 3cc9224..0000000 --- a/roles/radius/files/raddb/clients.conf +++ /dev/null 
@@ -1,244 +0,0 @@ -# -*- text -*- -## -## clients.conf -- client configuration directives -## -## $Id: 729c15d3e84c6cdb54a5f3652d93a2d7f8725fd4 $ - -####################################################################### -# -# Define RADIUS clients (usually a NAS, Access Point, etc.). - -# -# Defines a RADIUS client. -# -# '127.0.0.1' is another name for 'localhost'. It is enabled by default, -# to allow testing of the server after an initial installation. If you -# are not going to be permitting RADIUS queries from localhost, we suggest -# that you delete, or comment out, this entry. -# -# - -# -# Each client has a "short name" that is used to distinguish it from -# other clients. -# -# In version 1.x, the string after the word "client" was the IP -# address of the client. In 2.0, the IP address is configured via -# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x -# format is still accepted. -# -client localhost { - # Allowed values are: - # dotted quad (1.2.3.4) - # hostname (radius.example.com) - ipaddr = 127.0.0.1 - - # OR, you can use an IPv6 address, but not both - # at the same time. -# ipv6addr = :: # any. ::1 == localhost - - # - # A note on DNS: We STRONGLY recommend using IP addresses - # rather than host names. Using host names means that the - # server will do DNS lookups when it starts, making it - # dependent on DNS. i.e. If anything goes wrong with DNS, - # the server won't start! - # - # The server also looks up the IP address from DNS once, and - # only once, when it starts. If the DNS record is later - # updated, the server WILL NOT see that update. - # - - # One client definition can be applied to an entire network. - # e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and - # "netmask = 8" - # - # If not specified, the default netmask is 32 (i.e. /32) - # - # We do NOT recommend using anything other than 32. There - # are usually other, better ways to achieve the same goal. 
- # Using netmasks of other than 32 can cause security issues. - # - # You can specify overlapping networks (127/8 and 127.0/16) - # In that case, the smallest possible network will be used - # as the "best match" for the client. - # - # Clients can also be defined dynamically at run time, based - # on any criteria. e.g. SQL lookups, keying off of NAS-Identifier, - # etc. - # See raddb/sites-available/dynamic-clients for details. - # - -# netmask = 32 - - # - # The shared secret use to "encrypt" and "sign" packets between - # the NAS and FreeRADIUS. You MUST change this secret from the - # default, otherwise it's not a secret any more! - # - # The secret can be any string, up to 8k characters in length. - # - # Control codes can be entered vi octal encoding, - # e.g. "\101\102" == "AB" - # Quotation marks can be entered by escaping them, - # e.g. "foo\"bar" - # - # A note on security: The security of the RADIUS protocol - # depends COMPLETELY on this secret! We recommend using a - # shared secret that is composed of: - # - # upper case letters - # lower case letters - # numbers - # - # And is at LEAST 8 characters long, preferably 16 characters in - # length. The secret MUST be random, and should not be words, - # phrase, or anything else that is recognizable. - # - # The default secret below is only for testing, and should - # not be used in any real environment. - # - secret = testing123 - - # - # Old-style clients do not send a Message-Authenticator - # in an Access-Request. RFC 5080 suggests that all clients - # SHOULD include it in an Access-Request. The configuration - # item below allows the server to require it. If a client - # is required to include a Message-Authenticator and it does - # not, then the packet will be silently discarded. - # - # allowed values: yes, no - require_message_authenticator = no - - # - # The short name is used as an alias for the fully qualified - # domain name, or the IP address. 
- # - # It is accepted for compatibility with 1.x, but it is no - # longer necessary in 2.0 - # -# shortname = localhost - - # - # the following three fields are optional, but may be used by - # checkrad.pl for simultaneous use checks - # - - # - # The nastype tells 'checkrad.pl' which NAS-specific method to - # use to query the NAS for simultaneous use. - # - # Permitted NAS types are: - # - # cisco - # computone - # livingston - # juniper - # max40xx - # multitech - # netserver - # pathras - # patton - # portslave - # tc - # usrhiper - # other # for all other types - - # - nastype = other # localhost isn't usually a NAS... - - # - # The following two configurations are for future use. - # The 'naspasswd' file is currently used to store the NAS - # login name and password, which is used by checkrad.pl - # when querying the NAS for simultaneous use. - # -# login = !root -# password = someadminpas - - # - # As of 2.0, clients can also be tied to a virtual server. - # This is done by setting the "virtual_server" configuration - # item, as in the example below. - # -# virtual_server = home1 - - # - # A pointer to the "home_server_pool" OR a "home_server" - # section that contains the CoA configuration for this - # client. For an example of a coa home server or pool, - # see raddb/sites-available/originate-coa -# coa_server = coa -} - -# Cisco Networking Gear -client cisco { - ipaddr = 172.23.1.0 - netmask = 24 - secret = eu0phaeC - nastype = cisco -} - - -# IPv6 Client -#client ::1 { -# secret = testing123 -# shortname = localhost -#} -# -# All IPv6 Site-local clients -#client fe80::/16 { -# secret = testing123 -# shortname = localhost -#} - -#client some.host.org { -# secret = testing123 -# shortname = localhost -#} - -# -# You can now specify one secret for a network of clients. -# When a client request comes in, the BEST match is chosen. -# i.e. The entry from the smallest possible network. 
-# -#client 192.168.0.0/24 { -# secret = testing123-1 -# shortname = private-network-1 -#} -# -#client 192.168.0.0/16 { -# secret = testing123-2 -# shortname = private-network-2 -#} - - -#client 10.10.10.10 { -# # secret and password are mapped through the "secrets" file. -# secret = testing123 -# shortname = liv1 -# # the following three fields are optional, but may be used by -# # checkrad.pl for simultaneous usage checks -# nastype = livingston -# login = !root -# password = someadminpas -#} - -####################################################################### -# -# Per-socket client lists. The configuration entries are exactly -# the same as above, but they are nested inside of a section. -# -# You can have as many per-socket client lists as you have "listen" -# sections, or you can re-use a list among multiple "listen" sections. -# -# Un-comment this section, and edit a "listen" section to add: -# "clients = per_socket_clients". That IP address/port combination -# will then accept ONLY the clients listed in this section. -# -#clients per_socket_clients { -# client 192.168.3.4 { -# secret = testing123 -# } -#} diff --git a/roles/radius/files/raddb/dictionary b/roles/radius/files/raddb/dictionary deleted file mode 100644 index 99c42d7..0000000 --- a/roles/radius/files/raddb/dictionary +++ /dev/null 
@@ -1,32 +0,0 @@
-#
-# This is the master dictionary file, which references the
-# pre-defined dictionary files included with the server.
-#
-# Any new/changed attributes MUST be placed in this file, as
-# the pre-defined dictionaries SHOULD NOT be edited.
-#
-# $Id: ceb31c82feb869972588f60fe6ace2fc1db70224 $
-#
-
-#
-# The filename given here should be an absolute path.
-#
-$INCLUDE /usr/share/freeradius/dictionary
-
-#
-# Place additional attributes or $INCLUDEs here. They will
-# over-ride the definitions in the pre-defined dictionaries.
-#
-# See the 'man' page for 'dictionary' for information on
-# the format of the dictionary files.
-
-#
-# If you want to add entries to the dictionary file,
-# which are NOT going to be placed in a RADIUS packet,
-# add them here. The numbers you pick should be between
-# 3000 and 4000.
-#
-
-#ATTRIBUTE My-Local-String 3000 string
-#ATTRIBUTE My-Local-IPAddr 3001 ipaddr
-#ATTRIBUTE My-Local-Integer 3002 integer
diff --git a/roles/radius/files/raddb/eap.conf b/roles/radius/files/raddb/eap.conf
deleted file mode 100644
index 697b91e..0000000
--- a/roles/radius/files/raddb/eap.conf
+++ /dev/null
@@ -1,697 +0,0 @@ -# -*- text -*- -## -## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.) -## -## $Id: 95bebe4d25ef13871fb201ba540ed008078dab07 $ - -####################################################################### -# -# Whatever you do, do NOT set 'Auth-Type := EAP'. The server -# is smart enough to figure this out on its own. The most -# common side effect of setting 'Auth-Type := EAP' is that the -# users then cannot use ANY other authentication method. -# -# EAP types NOT listed here may be supported via the "eap2" module. -# See experimental.conf for documentation. -# - eap { - # Invoke the default supported EAP type when - # EAP-Identity response is received. - # - # The incoming EAP messages DO NOT specify which EAP - # type they will be using, so it MUST be set here. - # - # For now, only one default EAP type may be used at a time. - # - # If the EAP-Type attribute is set by another module, - # then that EAP type takes precedence over the - # default type configured here. - # - default_eap_type = ttls - - # A list is maintained to correlate EAP-Response - # packets with EAP-Request packets. After a - # configurable length of time, entries in the list - # expire, and are deleted. - # - timer_expire = 60 - - # There are many EAP types, but the server has support - # for only a limited subset. If the server receives - # a request for an EAP type it does not support, then - # it normally rejects the request. By setting this - # configuration to "yes", you can tell the server to - # instead keep processing the request. Another module - # MUST then be configured to proxy the request to - # another RADIUS server which supports that EAP type. - # - # If another module is NOT configured to handle the - # request, then the request will still end up being - # rejected. - ignore_unknown_eap_types = no - - # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given - # a User-Name attribute in an Access-Accept, it copies one - # more byte than it should. 
- # - # We can work around it by configurably adding an extra - # zero byte. - cisco_accounting_username_bug = no - - # - # Help prevent DoS attacks by limiting the number of - # sessions that the server is tracking. For simplicity, - # this is taken from the "max_requests" directive in - # radiusd.conf. - max_sessions = ${max_requests} - - # Supported EAP-types - - # - # We do NOT recommend using EAP-MD5 authentication - # for wireless connections. It is insecure, and does - # not provide for dynamic WEP keys. - # - #md5 { - #} - - # Cisco LEAP - # - # We do not recommend using LEAP in new deployments. See: - # http://www.securiteam.com/tools/5TP012ACKE.html - # - # Cisco LEAP uses the MS-CHAP algorithm (but not - # the MS-CHAP attributes) to perform it's authentication. - # - # As a result, LEAP *requires* access to the plain-text - # User-Password, or the NT-Password attributes. - # 'System' authentication is impossible with LEAP. - # - leap { - } - - # Generic Token Card. - # - # Currently, this is only permitted inside of EAP-TTLS, - # or EAP-PEAP. The module "challenges" the user with - # text, and the response from the user is taken to be - # the User-Password. - # - # Proxying the tunneled EAP-GTC session is a bad idea, - # the users password will go over the wire in plain-text, - # for anyone to see. - # - gtc { - # The default challenge, which many clients - # ignore.. - #challenge = "Password: " - - # The plain-text response which comes back - # is put into a User-Password attribute, - # and passed to another module for - # authentication. This allows the EAP-GTC - # response to be checked against plain-text, - # or crypt'd passwords. - # - # If you say "Local" instead of "PAP", then - # the module will look for a User-Password - # configured for the request, and do the - # authentication itself. - # - auth_type = PAP - } - - ## EAP-TLS - # - # See raddb/certs/README for additional comments - # on certificates. 
- # - # If OpenSSL was not found at the time the server was - # built, the "tls", "ttls", and "peap" sections will - # be ignored. - # - # Otherwise, when the server first starts in debugging - # mode, test certificates will be created. See the - # "make_cert_command" below for details, and the README - # file in raddb/certs - # - # These test certificates SHOULD NOT be used in a normal - # deployment. They are created only to make it easier - # to install the server, and to perform some simple - # tests with EAP-TLS, TTLS, or PEAP. - # - # See also: - # - # http://www.dslreports.com/forum/remark,9286052~mode=flat - # - # Note that you should NOT use a globally known CA here! - # e.g. using a Verisign cert as a "known CA" means that - # ANYONE who has a certificate signed by them can - # authenticate via EAP-TLS! This is likely not what you want. - tls { - # - # These is used to simplify later configurations. - # - certdir = ${confdir}/certs - cadir = ${confdir}/certs - - #private_key_password = whatever - private_key_file = ${certdir}/srv.key - - # If Private key & Certificate are located in - # the same file, then private_key_file & - # certificate_file must contain the same file - # name. - # - # If CA_file (below) is not used, then the - # certificate_file below MUST include not - # only the server certificate, but ALSO all - # of the CA certificates used to sign the - # server certificate. - certificate_file = ${certdir}/srv.crt - - # Trusted Root CA list - # - # ALL of the CA's in this list will be trusted - # to issue client certificates for authentication. - # - # In general, you should use self-signed - # certificates for 802.1x (EAP) authentication. - # In that case, this CA file should contain - # *one* CA certificate. - # - # This parameter is used only for EAP-TLS, - # when you issue client certificates. If you do - # not use client certificates, and you do not want - # to permit EAP-TLS authentication, then delete - # this configuration item. 
- #CA_file = ${cadir}/ca.pem - - # - # For DH cipher suites to work, you have to - # run OpenSSL to create the DH file first: - # - # openssl dhparam -out certs/dh 1024 - # - dh_file = ${certdir}/dh - - # - # If your system doesn't have /dev/urandom, - # you will need to create this file, and - # periodically change its contents. - # - # For security reasons, FreeRADIUS doesn't - # write to files in its configuration - # directory. - # -# random_file = ${certdir}/random - - # - # This can never exceed the size of a RADIUS - # packet (4096 bytes), and is preferably half - # that, to accomodate other attributes in - # RADIUS packet. On most APs the MAX packet - # length is configured between 1500 - 1600 - # In these cases, fragment size should be - # 1024 or less. - # - # fragment_size = 1024 - - # include_length is a flag which is - # by default set to yes If set to - # yes, Total Length of the message is - # included in EVERY packet we send. - # If set to no, Total Length of the - # message is included ONLY in the - # First packet of a fragment series. - # - # include_length = yes - - # Check the Certificate Revocation List - # - # 1) Copy CA certificates and CRLs to same directory. - # 2) Execute 'c_rehash '. - # 'c_rehash' is OpenSSL's command. - # 3) uncomment the line below. - # 5) Restart radiusd - # check_crl = yes - CA_path = ${cadir} - - # - # If check_cert_issuer is set, the value will - # be checked against the DN of the issuer in - # the client certificate. If the values do not - # match, the cerficate verification will fail, - # rejecting the user. - # - # In 2.1.10 and later, this check can be done - # more generally by checking the value of the - # TLS-Client-Cert-Issuer attribute. This check - # can be done via any mechanism you choose. - # - # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" - - # - # If check_cert_cn is set, the value will - # be xlat'ed and checked against the CN - # in the client certificate. 
If the values - # do not match, the certificate verification - # will fail rejecting the user. - # - # This check is done only if the previous - # "check_cert_issuer" is not set, or if - # the check succeeds. - # - # In 2.1.10 and later, this check can be done - # more generally by checking the value of the - # TLS-Client-Cert-CN attribute. This check - # can be done via any mechanism you choose. - # - # check_cert_cn = %{User-Name} - # - # Set this option to specify the allowed - # TLS cipher suites. The format is listed - # in "man 1 ciphers". - cipher_list = "DEFAULT" - - # - # As part of checking a client certificate, the EAP-TLS - # sets some attributes such as TLS-Client-Cert-CN. This - # virtual server has access to these attributes, and can - # be used to accept or reject the request. - # - # virtual_server = check-eap-tls - - # This command creates the initial "snake oil" - # certificates when the server is run as root, - # and via "radiusd -X". - # - # As of 2.1.11, it *also* checks the server - # certificate for validity, including expiration. - # This means that radiusd will refuse to start - # when the certificate has expired. The alternative - # is to have the 802.1X clients refuse to connect - # when they discover the certificate has expired. - # - # Debugging client issues is hard, so it's better - # for the server to print out an error message, - # and refuse to start. - # - make_cert_command = "${certdir}/bootstrap" - - # - # Elliptical cryptography configuration - # - # Only for OpenSSL >= 0.9.8.f - # - ecdh_curve = "prime256v1" - - # - # Session resumption / fast reauthentication - # cache. 
- # - # The cache contains the following information: - # - # session Id - unique identifier, managed by SSL - # User-Name - from the Access-Accept - # Stripped-User-Name - from the Access-Request - # Cached-Session-Policy - from the Access-Accept - # - # The "Cached-Session-Policy" is the name of a - # policy which should be applied to the cached - # session. This policy can be used to assign - # VLANs, IP addresses, etc. It serves as a useful - # way to re-apply the policy from the original - # Access-Accept to the subsequent Access-Accept - # for the cached session. - # - # On session resumption, these attributes are - # copied from the cache, and placed into the - # reply list. - # - # You probably also want "use_tunneled_reply = yes" - # when using fast session resumption. - # - cache { - # - # Enable it. The default is "no". - # Deleting the entire "cache" subsection - # Also disables caching. - # - # You can disallow resumption for a - # particular user by adding the following - # attribute to the control item list: - # - # Allow-Session-Resumption = No - # - # If "enable = no" below, you CANNOT - # enable resumption for just one user - # by setting the above attribute to "yes". - # - enable = no - - # - # Lifetime of the cached entries, in hours. - # The sessions will be deleted after this - # time. - # - lifetime = 24 # hours - - # - # The maximum number of entries in the - # cache. Set to "0" for "infinite". - # - # This could be set to the number of users - # who are logged in... which can be a LOT. - # - max_entries = 255 - } - - # - # As of version 2.1.10, client certificates can be - # validated via an external command. This allows - # dynamic CRLs or OCSP to be used. - # - # This configuration is commented out in the - # default configuration. Uncomment it, and configure - # the correct paths below to enable it. - # - verify { - # A temporary directory where the client - # certificates are stored. 
This directory - # MUST be owned by the UID of the server, - # and MUST not be accessible by any other - # users. When the server starts, it will do - # "chmod go-rwx" on the directory, for - # security reasons. The directory MUST - # exist when the server starts. - # - # You should also delete all of the files - # in the directory when the server starts. - # tmpdir = /tmp/radiusd - - # The command used to verify the client cert. - # We recommend using the OpenSSL command-line - # tool. - # - # The ${..CA_path} text is a reference to - # the CA_path variable defined above. - # - # The %{TLS-Client-Cert-Filename} is the name - # of the temporary file containing the cert - # in PEM format. This file is automatically - # deleted by the server when the command - # returns. - # client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}" - } - - # - # OCSP Configuration - # Certificates can be verified against an OCSP - # Responder. This makes it possible to immediately - # revoke certificates without the distribution of - # new Certificate Revokation Lists (CRLs). - # - ocsp { - # - # Enable it. The default is "no". - # Deleting the entire "ocsp" subsection - # Also disables ocsp checking - # - enable = no - - # - # The OCSP Responder URL can be automatically - # extracted from the certificate in question. - # To override the OCSP Responder URL set - # "override_cert_url = yes". - # - override_cert_url = yes - - # - # If the OCSP Responder address is not - # extracted from the certificate, the - # URL can be defined here. - - # - # Limitation: Currently the HTTP - # Request is not sending the "Host: " - # information to the web-server. This - # can be a problem if the OCSP - # Responder is running as a vhost. - # - url = "http://127.0.0.1/ocsp/" - - # - # If the OCSP Responder can not cope with nonce - # in the request, then it can be disabled here. 
- # - # For security reasons, disabling this option - # is not recommended as nonce protects against - # replay attacks. - # - # Note that Microsoft AD Certificate Services OCSP - # Responder does not enable nonce by default. It is - # more secure to enable nonce on the responder than - # to disable it in the query here. - # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx - # - # use_nonce = yes - - # - # Number of seconds before giving up waiting - # for OCSP response. 0 uses system default. - # - # timeout = 0 - - # - # Normally an error in querying the OCSP - # responder (no response from server, server did - # not understand the request, etc) will result in - # a validation failure. - # - # To treat these errors as 'soft' failures and - # still accept the certificate, enable this - # option. - # - # Warning: this may enable clients with revoked - # certificates to connect if the OCSP responder - # is not available. Use with caution. - # - # softfail = no - } - } - - # The TTLS module implements the EAP-TTLS protocol, - # which can be described as EAP inside of Diameter, - # inside of TLS, inside of EAP, inside of RADIUS... - # - # Surprisingly, it works quite well. - # - # The TTLS module needs the TLS module to be installed - # and configured, in order to use the TLS tunnel - # inside of the EAP packet. You will still need to - # configure the TLS module, even if you do not want - # to deploy EAP-TLS in your network. Users will not - # be able to request EAP-TLS, as it requires them to - # have a client certificate. EAP-TTLS does not - # require a client certificate. - # - # You can make TTLS require a client cert by setting - # - # EAP-TLS-Require-Client-Cert = Yes - # - # in the control items for a request. - # - ttls { - # The tunneled EAP session needs a default - # EAP type which is separate from the one for - # the non-tunneled EAP module. Inside of the - # TTLS tunnel, we recommend using EAP-MD5. 
- # If the request does not contain an EAP - # conversation, then this configuration entry - # is ignored. - default_eap_type = gtc - - # The tunneled authentication request does - # not usually contain useful attributes - # like 'Calling-Station-Id', etc. These - # attributes are outside of the tunnel, - # and normally unavailable to the tunneled - # authentication request. - # - # By setting this configuration entry to - # 'yes', any attribute which NOT in the - # tunneled authentication request, but - # which IS available outside of the tunnel, - # is copied to the tunneled request. - # - # allowed values: {no, yes} - copy_request_to_tunnel = no - - # The reply attributes sent to the NAS are - # usually based on the name of the user - # 'outside' of the tunnel (usually - # 'anonymous'). If you want to send the - # reply attributes based on the user name - # inside of the tunnel, then set this - # configuration entry to 'yes', and the reply - # to the NAS will be taken from the reply to - # the tunneled request. - # - # allowed values: {no, yes} - use_tunneled_reply = no - - # - # The inner tunneled request can be sent - # through a virtual server constructed - # specifically for this purpose. - # - # If this entry is commented out, the inner - # tunneled request will be sent through - # the virtual server that processed the - # outer requests. - # - virtual_server = "inner-tunnel" - - # This has the same meaning as the - # same field in the "tls" module, above. - # The default value here is "yes". - # include_length = yes - } - - ################################################## - # - # !!!!! WARNINGS for Windows compatibility !!!!! - # - ################################################## - # - # If you see the server send an Access-Challenge, - # and the client never sends another Access-Request, - # then - # - # STOP! - # - # The server certificate has to have special OID's - # in it, or else the Microsoft clients will silently - # fail. 
See the "scripts/xpextensions" file for - # details, and the following page: - # - # http://support.microsoft.com/kb/814394/en-us - # - # For additional Windows XP SP2 issues, see: - # - # http://support.microsoft.com/kb/885453/en-us - # - # - # If is still doesn't work, and you're using Samba, - # you may be encountering a Samba bug. See: - # - # https://bugzilla.samba.org/show_bug.cgi?id=6563 - # - # Note that we do not necessarily agree with their - # explanation... but the fix does appear to work. - # - ################################################## - - # - # The tunneled EAP session needs a default EAP type - # which is separate from the one for the non-tunneled - # EAP module. Inside of the TLS/PEAP tunnel, we - # recommend using EAP-MS-CHAPv2. - # - # The PEAP module needs the TLS module to be installed - # and configured, in order to use the TLS tunnel - # inside of the EAP packet. You will still need to - # configure the TLS module, even if you do not want - # to deploy EAP-TLS in your network. Users will not - # be able to request EAP-TLS, as it requires them to - # have a client certificate. EAP-PEAP does not - # require a client certificate. - # - # - # You can make PEAP require a client cert by setting - # - # EAP-TLS-Require-Client-Cert = Yes - # - # in the control items for a request. - # - peap { - # The tunneled EAP session needs a default - # EAP type which is separate from the one for - # the non-tunneled EAP module. Inside of the - # PEAP tunnel, we recommend using MS-CHAPv2, - # as that is the default type supported by - # Windows clients. - default_eap_type = mschapv2 - - # the PEAP module also has these configuration - # items, which are the same as for TTLS. - copy_request_to_tunnel = no - use_tunneled_reply = no - - # When the tunneled session is proxied, the - # home server may not understand EAP-MSCHAP-V2. - # Set this entry to "no" to proxy the tunneled - # EAP-MSCHAP-V2 as normal MSCHAPv2. 
- # proxy_tunneled_request_as_eap = yes - - # - # The inner tunneled request can be sent - # through a virtual server constructed - # specifically for this purpose. - # - # If this entry is commented out, the inner - # tunneled request will be sent through - # the virtual server that processed the - # outer requests. - # - virtual_server = "inner-tunnel" - - # This option enables support for MS-SoH - # see doc/SoH.txt for more info. - # It is disabled by default. - # -# soh = yes - - # - # The SoH reply will be turned into a request which - # can be sent to a specific virtual server: - # -# soh_virtual_server = "soh-server" - } - - # - # This takes no configuration. - # - # Note that it is the EAP MS-CHAPv2 sub-module, not - # the main 'mschap' module. - # - # Note also that in order for this sub-module to work, - # the main 'mschap' module MUST ALSO be configured. - # - # This module is the *Microsoft* implementation of MS-CHAPv2 - # in EAP. There is another (incompatible) implementation - # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not - # currently support. - # - mschapv2 { - # Prior to version 2.1.11, the module never - # sent the MS-CHAP-Error message to the - # client. This worked, but it had issues - # when the cached password was wrong. The - # server *should* send "E=691 R=0" to the - # client, which tells it to prompt the user - # for a new password. - # - # The default is to behave as in 2.1.10 and - # earlier, which is known to work. If you - # set "send_error = yes", then the error - # message will be sent back to the client. - # This *may* help some clients work better, - # but *may* also cause other clients to stop - # working. - # -# send_error = no - } - } diff --git a/roles/radius/files/raddb/hints b/roles/radius/files/raddb/hints deleted file mode 100644 index 87306ad..0000000 --- a/roles/radius/files/raddb/hints +++ /dev/null 
@@ -1,77 +0,0 @@
-# hints
-#
-# The hints file. This file is used to match
-# a request, and then add attributes to it. This
-# process allows a user to login as "bob.ppp" (for example),
-# and receive a PPP connection, even if the NAS doesn't
-# ask for PPP. The "hints" file is used to match the
-# ".ppp" portion of the username, and to add a set of
-# "user requested PPP" attributes to the request.
-#
-# Matching can take place with the the Prefix and Suffix
-# attributes, just like in the "users" file.
-# These attributes operate ONLY on the username, though.
-#
-# Note that the attributes that are set for each
-# entry are _NOT_ passed back to the terminal server.
-# Instead they are added to the information that has
-# been _SENT_ by the terminal server.
-#
-# This extra information can be used in the users file to
-# match on. Usually this is done in the DEFAULT entries,
-# of which there can be more than one.
-#
-# In addition a matching entry can transform a username
-# for authentication purposes if the "Strip-User-Name"
-# variable is set to Yes in an entry (default is Yes).
-#
-# A special non-protocol name-value pair called "Hint"
-# can be set to match on in the "users" file.
-#
-# The following is how most ISPs want to set this up.
-#
-# Version: $Id: f92ffb9f1e5bd0509b2e0e5e015001fda52bdfc3 $
-#
-
-
-DEFAULT Suffix == ".ppp", Strip-User-Name = Yes
- Hint = "PPP",
- Service-Type = Framed-User,
- Framed-Protocol = PPP
-
-DEFAULT Suffix == ".slip", Strip-User-Name = Yes
- Hint = "SLIP",
- Service-Type = Framed-User,
- Framed-Protocol = SLIP
-
-DEFAULT Suffix == ".cslip", Strip-User-Name = Yes
- Hint = "CSLIP",
- Service-Type = Framed-User,
- Framed-Protocol = SLIP,
- Framed-Compression = Van-Jacobson-TCP-IP
-
-######################################################################
-#
-# These entries are old, and commented out by default.
-# They confuse too many people when "Peter" logs in, and the
-# server thinks that the user "eter" is asking for PPP.
-#
-#DEFAULT Prefix == "U", Strip-User-Name = No
-# Hint = "UUCP"
-
-#DEFAULT Prefix == "P", Strip-User-Name = Yes
-# Hint = "PPP",
-# Service-Type = Framed-User,
-# Framed-Protocol = PPP
-
-#DEFAULT Prefix == "S", Strip-User-Name = Yes
-# Hint = "SLIP",
-# Service-Type = Framed-User,
-# Framed-Protocol = SLIP
-
-#DEFAULT Prefix == "C", Strip-User-Name = Yes
-# Hint = "CSLIP",
-# Service-Type = Framed-User,
-# Framed-Protocol = SLIP,
-# Framed-Compression = Van-Jacobson-TCP-IP
-
diff --git a/roles/radius/files/raddb/huntgroups b/roles/radius/files/raddb/huntgroups
deleted file mode 100644
index 96169b6..0000000
--- a/roles/radius/files/raddb/huntgroups
+++ /dev/null
@@ -1,46 +0,0 @@
-#
-# huntgroups This file defines the `huntgroups' that you have. A
-# huntgroup is defined by specifying the IP address of
-# the NAS and possibly a port range. Port can be identified
-# as just one port, or a range (from-to), and multiple ports
-# or ranges of ports must be seperated by a comma. For
-# example: 1,2,3-8
-#
-# Matching is done while RADIUS scans the user file; if it
-# includes the selection criterium "Huntgroup-Name == XXX"
-# the huntgroup is looked up in this file to see if it
-# matches. There can be multiple definitions of the same
-# huntgroup; the first one that matches will be used.
-#
-# This file can also be used to define restricted access
-# to certain huntgroups. The second and following lines
-# define the access restrictions (based on username and
-# UNIX usergroup) for the huntgroup.
-#
-
-#
-# Our POP in Alphen a/d Rijn has 3 terminal servers. Create a Huntgroup-Name
-# called Alphen that matches on all three terminal servers.
-#
-#alphen NAS-IP-Address == 192.168.2.5
-#alphen NAS-IP-Address == 192.168.2.6
-#alphen NAS-IP-Address == 192.168.2.7
-
-#
-# The POP in Delft consists of only one terminal server.
-#
-#delft NAS-IP-Address == 192.168.3.5
-
-#
-# Ports 0-7 on the first terminal server in Alphen are connected to
-# a huntgroup that is for business users only. Note that only one
-# of the username or groupname has to match to get access (OR/OR).
-#
-# Note that this huntgroup is a subset of the "alphen" huntgroup.
-#
-#business NAS-IP-Address == 192.168.2.5, NAS-Port-Id == 0-7
-# User-Name = rogerl,
-# User-Name = henks,
-# Group = business,
-# Group = staff
-
diff --git a/roles/radius/files/raddb/ldap.attrmap b/roles/radius/files/raddb/ldap.attrmap
deleted file mode 100644
index 5bbfcd5..0000000
--- a/roles/radius/files/raddb/ldap.attrmap
+++ /dev/null
@@ -1,76 +0,0 @@
-#
-# Mapping of RADIUS dictionary attributes to LDAP directory attributes
-# to be used by LDAP authentication and authorization module (rlm_ldap)
-#
-# Format:
-# ItemType RADIUS-Attribute-Name ldapAttributeName [operator]
-#
-# Where:
-# ItemType = checkItem or replyItem
-# RADIUS-Attribute-Name = attribute name in RADIUS dictionary
-# ldapAttributeName = attribute name in LDAP schema
-# operator = optional, and may not be present.
-# If not present, defaults to "==" for checkItems,
-# and "=" for replyItems.
-# If present, the operator here should be one
-# of the same operators as defined in the "users"3
-# file ("man users", or "man 5 users").
-# If an operator is present in the value of the
-# LDAP entry (i.e. ":=foo"), then it over-rides
-# both the default, and any operator given here.
-#
-# If $GENERIC$ is specified as RADIUS-Attribute-Name, the line specifies
-# a LDAP attribute which can be used to store any RADIUS
-# attribute/value-pair in LDAP directory.
-#
-# You should edit this file to suit it to your needs.
-#
-
-checkItem $GENERIC$ radiusCheckItem
-replyItem $GENERIC$ radiusReplyItem
-
-checkItem Auth-Type radiusAuthType
-checkItem Simultaneous-Use radiusSimultaneousUse
-checkItem Called-Station-Id radiusCalledStationId
-checkItem Calling-Station-Id radiusCallingStationId
-checkItem LM-Password lmPassword
-checkItem NT-Password ntPassword
-checkItem LM-Password sambaLmPassword
-checkItem NT-Password sambaNtPassword
-checkItem LM-Password dBCSPwd
-checkitem Password-With-Header userPassword
-checkItem SMB-Account-CTRL-TEXT acctFlags
-checkItem Expiration radiusExpiration
-checkItem NAS-IP-Address radiusNASIpAddress
-
-replyItem Service-Type radiusServiceType
-replyItem Framed-Protocol radiusFramedProtocol
-replyItem Framed-IP-Address radiusFramedIPAddress
-replyItem Framed-IP-Netmask radiusFramedIPNetmask
-replyItem Framed-Route radiusFramedRoute
-replyItem Framed-Routing radiusFramedRouting
-replyItem Filter-Id radiusFilterId
-replyItem Framed-MTU radiusFramedMTU
-replyItem Framed-Compression radiusFramedCompression
-replyItem Login-IP-Host radiusLoginIPHost
-replyItem Login-Service radiusLoginService
-replyItem Login-TCP-Port radiusLoginTCPPort
-replyItem Callback-Number radiusCallbackNumber
-replyItem Callback-Id radiusCallbackId
-replyItem Framed-IPX-Network radiusFramedIPXNetwork
-replyItem Class radiusClass
-replyItem Session-Timeout radiusSessionTimeout
-replyItem Idle-Timeout radiusIdleTimeout
-replyItem Termination-Action radiusTerminationAction
-replyItem Login-LAT-Service radiusLoginLATService
-replyItem Login-LAT-Node radiusLoginLATNode
-replyItem Login-LAT-Group radiusLoginLATGroup
-replyItem Framed-AppleTalk-Link radiusFramedAppleTalkLink
-replyItem Framed-AppleTalk-Network radiusFramedAppleTalkNetwork
-replyItem Framed-AppleTalk-Zone radiusFramedAppleTalkZone
-replyItem Port-Limit radiusPortLimit
-replyItem Login-LAT-Port radiusLoginLATPort
-replyItem Reply-Message radiusReplyMessage
-replyItem Tunnel-Type radiusTunnelType
-replyItem Tunnel-Medium-Type radiusTunnelMediumType
-replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId
diff --git a/roles/radius/files/raddb/modules/acct_unique b/roles/radius/files/raddb/modules/acct_unique
deleted file mode 100644
index f822674..0000000
--- a/roles/radius/files/raddb/modules/acct_unique
+++ /dev/null
@@ -1,17 +0,0 @@
-# -*- text -*-
-#
-# $Id: cfd89eb1bf690b605892969ebd922e6885f24fcc $
-
-#
-# Create a unique accounting session Id. Many NASes re-use
-# or repeat values for Acct-Session-Id, causing no end of
-# confusion.
-#
-# This module will add a (probably) unique session id
-# to an accounting packet based on the attributes listed
-# below found in the packet. See doc/rlm_acct_unique for
-# more information.
-#
-acct_unique {
- key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
-}
diff --git a/roles/radius/files/raddb/modules/always b/roles/radius/files/raddb/modules/always
deleted file mode 100644
index 58f8a58..0000000
--- a/roles/radius/files/raddb/modules/always
+++ /dev/null
@@ -1,31 +0,0 @@
-# -*- text -*-
-#
-# $Id: c28187f05d4f0416442203b016feb7e2b818716f $
-
-#
-# The "always" module is here for debugging purposes. Each
-# instance simply returns the same result, always, without
-# doing anything.
-always fail {
- rcode = fail
-}
-always reject {
- rcode = reject
-}
-always noop {
- rcode = noop
-}
-always handled {
- rcode = handled
-}
-always updated {
- rcode = updated
-}
-always notfound {
- rcode = notfound
-}
-always ok {
- rcode = ok
- simulcount = 0
- mpp = no
-}
diff --git a/roles/radius/files/raddb/modules/attr_filter b/roles/radius/files/raddb/modules/attr_filter
deleted file mode 100644
index 87f236b..0000000
--- a/roles/radius/files/raddb/modules/attr_filter
+++ /dev/null
@@ -1,48 +0,0 @@
-# -*- text -*-
-#
-# $Id: acb28a9c587526a22f9310ade21d6a480a0bfe28 $
-
-#
-# This file defines a number of instances of the "attr_filter" module.
-#
-
-# attr_filter - filters the attributes received in replies from
-# proxied servers, to make sure we send back to our RADIUS client
-# only allowed attributes.
-attr_filter attr_filter.post-proxy {
- attrsfile = ${confdir}/attrs
-}
-
-# attr_filter - filters the attributes in the packets we send to
-# the RADIUS home servers.
-attr_filter attr_filter.pre-proxy {
- attrsfile = ${confdir}/attrs.pre-proxy
-}
-
-# Enforce RFC requirements on the contents of Access-Reject
-# packets. See the comments at the top of the file for
-# more details.
-#
-attr_filter attr_filter.access_reject {
- key = %{User-Name}
- attrsfile = ${confdir}/attrs.access_reject
-}
-
-# Enforce RFC requirements on the contents of Access-Reject
-# packets. See the comments at the top of the file for
-# more details.
-#
-attr_filter attr_filter.access_challenge {
- key = %{User-Name}
- attrsfile = ${confdir}/attrs.access_challenge
-}
-
-
-# Enforce RFC requirements on the contents of the
-# Accounting-Response packets. See the comments at the
-# top of the file for more details.
-#
-attr_filter attr_filter.accounting_response {
- key = %{User-Name}
- attrsfile = ${confdir}/attrs.accounting_response
-}
diff --git a/roles/radius/files/raddb/modules/attr_rewrite b/roles/radius/files/raddb/modules/attr_rewrite
deleted file mode 100644
index bf9461d..0000000
--- a/roles/radius/files/raddb/modules/attr_rewrite
+++ /dev/null
@@ -1,46 +0,0 @@ -# -*- text -*- -# -# $Id: 8fb93224288061781980a156d541f5283abee1a0 $ - -# rewrite arbitrary packets. Useful in accounting and authorization. -# -# As of 2.0, much of the functionality of this module is in "unlang". -# You should probably investigate using that before trying to use -# the "attr_rewrite" module. -# -# -# The module can also use the Rewrite-Rule attribute. If it -# is set and matches the name of the module instance, then -# that module instance will be the only one which runs. -# -# Also if new_attribute is set to yes then a new attribute -# will be created containing the value replacewith and it -# will be added to searchin (packet, reply, proxy, -# proxy_reply or config). -# -# searchfor,ignore_case and max_matches will be ignored in that case. -# -# Backreferences are supported. -# %{0} will contain the string the whole match -# %{1} to %{8} will contain the contents of the 1st to -# the 8th parentheses -# -# If max_matches is greater than one, the backreferences will -# correspond to the first attributed that matched. - -# -attr_rewrite sanecallerid { - attribute = Called-Station-Id - # may be "packet", "reply", "proxy", "proxy_reply" or "config" - searchin = packet - searchfor = "[+ ]" - replacewith = "" - ignore_case = no - new_attribute = no - max_matches = 10 - - ## If set to yes then the replace string will be - ## appended to the original string - append = no -} - diff --git a/roles/radius/files/raddb/modules/cache b/roles/radius/files/raddb/modules/cache deleted file mode 100644 index 252a454..0000000 --- a/roles/radius/files/raddb/modules/cache +++ /dev/null 
@@ -1,77 +0,0 @@ -# -*- text -*- -# -# $Id: da4a099beae8eeb3bfe5f70f20523a4258f7f0cd $ - -# -# A module to cache attributes. The idea is that you can look -# up information in a database, and then cache it. Repeated -# requests for the same information will then have the cached -# values added to the request. -# -# The module can cache a fixed set of attributes per key. -# It can be listed in "authorize", "post-auth", "pre-proxy" -# and "post-proxy". -# -# If you want different things cached for authorize and post-auth, -# you will need to define two instances of the "cache" module. -# -# The module returns "ok" if it found a cache entry. -# The module returns "updated" if it added a new cache entry. -# The module returns "noop" if it did nothing. -# -cache { - # The key used to index the cache. It is dynamically expanded - # at run time. - key = "%{User-Name}" - - # The TTL of cache entries, in seconds. Entries older than this - # will be expired. - # - # You can set the TTL per cache entry, but adding a control - # variable "Cache-TTL". The value there will over-ride this one. - # Setting a Cache-TTL of 0 means "delete this entry". - # - # This value should be between 10 and 86400. - ttl = 10 - - # A timestamp used to flush the cache, via - # - # radmin -e "set module config cache epoch 123456789" - # - # Where last value is a 32-bit Unix timestamp. Cache entries - # older than this are expired, and new entries added. - # - # You should ALWAYS leave it as "epoch = 0" here. - epoch = 0 - - # The module can also operate in status-only mode where it will - # not add new cache entries, or merge existing ones. - # - # To enable set the control variable "Cache-Status-Only" to "yes" - # The module will return "ok" if it found a cache entry. - # The module will return "notfound" if it failed to find a cache entry, - # or the entry had expired. - # - # Note: expired entries will still be removed. 
- - # If yes the following attributes will be added to the request list: - # * Cache-Entry-Hits - The number of times this entry has been - # retrieved. - add-stats = no - - # The list of attributes to cache for a particular key. - # Each key gets the same set of cached attributes. - # The attributes are dynamically expanded at run time. - # - # You can specify which list the attribute goes into by - # prefixing the attribute name with the list. This allows - # you to update multiple lists with one configuration. - # - # If no list is specified the request list will be updated. - update { - # list:Attr-Name - reply:Reply-Message += "I'm the cached reply from %t" - - control:Class := 0x010203 - } -} diff --git a/roles/radius/files/raddb/modules/chap b/roles/radius/files/raddb/modules/chap deleted file mode 100644 index 97d965b..0000000 --- a/roles/radius/files/raddb/modules/chap +++ /dev/null @@ -1,11 +0,0 @@ -# -*- text -*- -# -# $Id: e2a3cd3b110ffffdbcff86c7fc65a9275ddc3379 $ - -# CHAP module -# -# To authenticate requests containing a CHAP-Password attribute. -# -chap { - # no configuration -} diff --git a/roles/radius/files/raddb/modules/checkval b/roles/radius/files/raddb/modules/checkval deleted file mode 100644 index f4a368c..0000000 --- a/roles/radius/files/raddb/modules/checkval +++ /dev/null 
@@ -1,44 +0,0 @@ -# -*- text -*- -# -# $Id: ed26e571e8f0bcf3bf586ceb16d0cdff182f5017 $ - -# A simple value checking module -# -# As of 2.0, much of the functionality of this module is in "unlang". -# You should probably investigate using that before trying to use -# the "checkval" module. -# -# It can be used to check if an attribute value in the request -# matches a (possibly multi valued) attribute in the check -# items This can be used for example for caller-id -# authentication. For the module to run, both the request -# attribute and the check items attribute must exist -# -# i.e. -# A user has an ldap entry with 2 radiusCallingStationId -# attributes with values "12345678" and "12345679". If we -# enable rlm_checkval, then any request which contains a -# Calling-Station-Id with one of those two values will be -# accepted. Requests with other values for -# Calling-Station-Id will be rejected. -# -# Regular expressions in the check attribute value are allowed -# as long as the operator is '=~' -# -checkval { - # The attribute to look for in the request - item-name = Calling-Station-Id - - # The attribute to look for in check items. Can be multi valued - check-name = Calling-Station-Id - - # The data type. Can be - # string,integer,ipaddr,date,abinary,octets - data-type = string - - # If set to yes and we dont find the item-name attribute in the - # request then we send back a reject - # DEFAULT is no - #notfound-reject = no -} - diff --git a/roles/radius/files/raddb/modules/counter b/roles/radius/files/raddb/modules/counter deleted file mode 100644 index d9962da..0000000 --- a/roles/radius/files/raddb/modules/counter +++ /dev/null 
@@ -1,82 +0,0 @@ -# -*- text -*- -# -# $Id: 2dad39a25c676821c6e602881e5bec52d738abfd $ - -# counter module: -# This module takes an attribute (count-attribute). -# It also takes a key, and creates a counter for each unique -# key. The count is incremented when accounting packets are -# received by the server. The value of the increment depends -# on the attribute type. -# If the attribute is Acct-Session-Time or of an integer type we add -# the value of the attribute. If it is anything else we increase the -# counter by one. -# -# The 'reset' parameter defines when the counters are all reset to -# zero. It can be hourly, daily, weekly, monthly or never. -# -# hourly: Reset on 00:00 of every hour -# daily: Reset on 00:00:00 every day -# weekly: Reset on 00:00:00 on sunday -# monthly: Reset on 00:00:00 of the first day of each month -# -# It can also be user defined. It should be of the form: -# num[hdwm] where: -# h: hours, d: days, w: weeks, m: months -# If the letter is ommited days will be assumed. In example: -# reset = 10h (reset every 10 hours) -# reset = 12 (reset every 12 days) -# -# -# The check-name attribute defines an attribute which will be -# registered by the counter module and can be used to set the -# maximum allowed value for the counter after which the user -# is rejected. -# Something like: -# -# DEFAULT Max-Daily-Session := 36000 -# Fall-Through = 1 -# -# You should add the counter module in the instantiate -# section so that it registers check-name before the files -# module reads the users file. -# -# If check-name is set and the user is to be rejected then we -# send back a Reply-Message and we log a Failure-Message in -# the radius.log -# -# If the count attribute is Acct-Session-Time then on each -# login we send back the remaining online time as a -# Session-Timeout attribute ELSE and if the reply-name is -# set, we send back that attribute. The reply-name attribute -# MUST be of an integer type. 
-# -# The counter-name can also be used instead of using the check-name -# like below: -# -# DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject -# Reply-Message = "You've used up more than one hour today" -# -# The allowed-servicetype attribute can be used to only take -# into account specific sessions. For example if a user first -# logs in through a login menu and then selects ppp there will -# be two sessions. One for Login-User and one for Framed-User -# service type. We only need to take into account the second one. -# -# The module should be added in the instantiate, authorize and -# accounting sections. Make sure that in the authorize -# section it comes after any module which sets the -# 'check-name' attribute. -# -counter daily { - filename = ${db_dir}/db.daily - key = User-Name - count-attribute = Acct-Session-Time - reset = daily - counter-name = Daily-Session-Time - check-name = Max-Daily-Session - reply-name = Session-Timeout - allowed-servicetype = Framed-User - cache-size = 5000 -} - diff --git a/roles/radius/files/raddb/modules/cui b/roles/radius/files/raddb/modules/cui deleted file mode 100644 index 0248154..0000000 --- a/roles/radius/files/raddb/modules/cui +++ /dev/null @@ -1,25 +0,0 @@ -# -*- text -*- -# -# $Id: 246461369a25c17feae3168bb66050203d4b8a34 $ - -# -# Write Chargeable-User-Identity to the database. -# -# Schema raddb/sql/mysql/cui.sql -# Queries raddb/sql/mysql/cui.conf -# -sql cui { - database = "mysql" - driver = "rlm_sql_${database}" - server = "localhost" - login = "db_login_name" - password = "db_password" - radius_db = "db_name" -# sqltrace = yes -# sqltracefile = ${logdir}/cuitrace.sql - num_sql_socks = 5 - connect_failure_retry_delay = 60 - cui_table = "cui" - sql_user_name = "%{User-Name}" -#$INCLUDE sql/${database}/cui.conf -} diff --git a/roles/radius/files/raddb/modules/detail b/roles/radius/files/raddb/modules/detail deleted file mode 100644 index a50bea3..0000000 
--- a/roles/radius/files/raddb/modules/detail
+++ /dev/null
@@ -1,93 +0,0 @@ -# -*- text -*- -# -# $Id: 2e68d065ec93d0644cf7e931d97fdfac4e2be552 $ - -# Write a detailed log of all accounting records received. -# -detail { - # Note that we do NOT use NAS-IP-Address here, as - # that attribute MAY BE from the originating NAS, and - # NOT from the proxy which actually sent us the - # request. - # - # The following line creates a new detail file for - # every radius client (by IP address or hostname). - # In addition, a new detail file is created every - # day, so that the detail file doesn't have to go - # through a 'log rotation' - # - # If your detail files are large, you may also want - # to add a ':%H' (see doc/variables.txt) to the end - # of it, to create a new detail file every hour, e.g.: - # - # ..../detail-%Y%m%d:%H - # - # This will create a new detail file for every hour. - # - # If you are reading detail files via the "listen" section - # (e.g. as in raddb/sites-available/robust-proxy-accounting), - # you MUST use a unique directory for each combination of a - # detail file writer, and reader. That is, there can only - # be ONE "listen" section reading detail files from a - # particular directory. - # - detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d - - # - # If you are using radrelay, delete the above line for "detailfile", - # and use this one instead: - # -# detailfile = ${radacctdir}/detail - - # - # The Unix-style permissions on the 'detail' file. - # - # The detail file often contains secret or private - # information about users. So by keeping the file - # permissions restrictive, we can prevent unwanted - # people from seeing that information. - detailperm = 0600 - - # The Unix group of the log file. - # - # The user that the server runs as must be in the specified - # system group otherwise this will fail to work. - # -# group = freerad - - # - # Every entry in the detail file has a header which - # is a timestamp. 
By default, we use the ctime - # format (see "man ctime" for details). - # - # The header can be customized by editing this - # string. See "doc/variables.txt" for a description - # of what can be put here. - # - header = "%t" - - # - # Uncomment this line if the detail file reader will be - # reading this detail file. - # -# locking = yes - - # - # Log the Packet src/dst IP/port. This is disabled by - # default, as that information isn't used by many people. - # -# log_packet_header = yes - - # - # Certain attributes such as User-Password may be - # "sensitive", so they should not be printed in the - # detail file. This section lists the attributes - # that should be suppressed. - # - # The attributes should be listed one to a line. - # - #suppress { - # User-Password - #} - -} diff --git a/roles/radius/files/raddb/modules/detail.example.com b/roles/radius/files/raddb/modules/detail.example.com deleted file mode 100644 index 9af26cb..0000000 --- a/roles/radius/files/raddb/modules/detail.example.com +++ /dev/null 
@@ -1,27 +0,0 @@
-# -*- text -*-
-#
-# Detail file writer, used in the following examples:
-#
-# raddb/sites-available/robust-proxy-accounting
-# raddb/sites-available/decoupled-accounting
-#
-# Note that this module can write detail files that are read by
-# only ONE "listen" section. If you use BOTH of the examples
-# above, you will need to define TWO "detail" modules.
-#
-# e.g. detail1.example.com && detail2.example.com
-#
-#
-# We write *multiple* detail files here. They will be processed by
-# the detail "listen" section in the order that they were created.
-# The directory containing these files should NOT be used for any
-# other purposes. i.e. It should have NO other files in it.
-#
-# Writing multiple detail enables the server to process the pieces
-# in smaller chunks. This helps in certain catastrophic corner cases.
-#
-# $Id: af7e3452fdd49ed6a3cd379c2a4d90e17f34532f $
-#
-detail detail.example.com {
- detailfile = ${radacctdir}/detail.example.com/detail-%Y%m%d:%H:%G
-}
diff --git a/roles/radius/files/raddb/modules/detail.log b/roles/radius/files/raddb/modules/detail.log
deleted file mode 100644
index dd97f88..0000000
--- a/roles/radius/files/raddb/modules/detail.log
+++ /dev/null
@@ -1,75 +0,0 @@
-# -*- text -*-
-#
-# $Id: c36dce75c6d41b7470bd177a27ed96d3fe3dafe5 $
-
-#
-# More examples of doing detail logs.
-
-#
-# Many people want to log authentication requests.
-# Rather than modifying the server core to print out more
-# messages, we can use a different instance of the 'detail'
-# module, to log the authentication requests to a file.
-#
-# You will also need to un-comment the 'auth_log' line
-# in the 'authorize' section, below.
-#
-detail auth_log {
- detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-
- #
- # This MUST be 0600, otherwise anyone can read
- # the users passwords!
- detailperm = 0600
-
- # You may also strip out passwords completely
- suppress {
- User-Password
- }
-}
-
-#
-# This module logs authentication reply packets sent
-# to a NAS. Both Access-Accept and Access-Reject packets
-# are logged.
-#
-# You will also need to un-comment the 'reply_log' line
-# in the 'post-auth' section, below.
-#
-detail reply_log {
- detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
-
- detailperm = 0600
-}
-
-#
-# This module logs packets proxied to a home server.
-#
-# You will also need to un-comment the 'pre_proxy_log' line
-# in the 'pre-proxy' section, below.
-#
-detail pre_proxy_log {
- detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d
-
- #
- # This MUST be 0600, otherwise anyone can read
- # the users passwords!
- detailperm = 0600
-
- # You may also strip out passwords completely
- #suppress {
- # User-Password
- #}
-}
-
-#
-# This module logs response packets from a home server.
-#
-# You will also need to un-comment the 'post_proxy_log' line
-# in the 'post-proxy' section, below.
-#
-detail post_proxy_log {
- detailfile = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d
-
- detailperm = 0600
-}
diff --git a/roles/radius/files/raddb/modules/dhcp_sqlippool b/roles/radius/files/raddb/modules/dhcp_sqlippool
deleted file mode 100644
index 7c696bd..0000000
--- a/roles/radius/files/raddb/modules/dhcp_sqlippool
+++ /dev/null
@@ -1,30 +0,0 @@
-## Configuration for DHCP to use SQL IP Pools.
-##
-## See sqlippool.conf for common configuration explanation
-##
-## $Id: 39358b222d016d62e5cf6e8c77fd214cc7614feb $
-
-sqlippool dhcp_sqlippool {
- sql-instance-name = "sql"
-
- ippool_table = "radippool"
-
- lease-duration = 7200
-
- # Client's MAC address is mapped to Calling-Station-Id in policy.conf
- pool-key = "%{Calling-Station-Id}"
-
- # For now, it only works with MySQL.
- $INCLUDE ${confdir}/sql/mysql/ippool-dhcp.conf
-
- sqlippool_log_exists = "DHCP: Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
-
- sqlippool_log_success = "DHCP: Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
-
- sqlippool_log_clear = "DHCP: Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
-
- sqlippool_log_failed = "DHCP: IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
-
- sqlippool_log_nopool = "DHCP: No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
-
-}
diff --git a/roles/radius/files/raddb/modules/digest b/roles/radius/files/raddb/modules/digest
deleted file mode 100644
index af52017..0000000
--- a/roles/radius/files/raddb/modules/digest
+++ /dev/null
@@ -1,13 +0,0 @@
-# -*- text -*-
-#
-# $Id: f0aa9edf9da33d63fe03e7d1ed3cbca848eec54d $
-
-#
-# The 'digest' module currently has no configuration.
-#
-# "Digest" authentication against a Cisco SIP server.
-# See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
-# on performing digest authentication for Cisco SIP servers.
-#
-digest {
-}
diff --git a/roles/radius/files/raddb/modules/dynamic_clients b/roles/radius/files/raddb/modules/dynamic_clients
deleted file mode 100644
index 581c939..0000000
--- a/roles/radius/files/raddb/modules/dynamic_clients
+++ /dev/null
@@ -1,32 +0,0 @@
-# -*- text -*-
-#
-# $Id: bf047be5c7b48f2f021981a6abf4199d888fc3ee $
-
-# This module loads RADIUS clients as needed, rather than when the server
-# starts.
-#
-# There are no configuration entries for this module. Instead, it
-# relies on the "client" configuration. You must:
-#
-# 1) link raddb/sites-enabled/dyanmic_clients to
-# raddb/sites-available/dyanmic_clients
-#
-# 2) Define a client network/mask (see top of the above file)
-#
-# 3) uncomment the "directory" entry in that client definition
-#
-# 4) list "dynamic_clients" in the "authorize" section of the
-# "dynamic_clients' virtual server. The default example already
-# does this.
-#
-# 5) put files into the above directory, one per IP.
-# e.g. file "192.168.1.1" should contain a normal client definition
-# for a client with IP address 192.168.1.1.
-#
-# For more documentation, see the file:
-#
-# raddb/sites-available/dynamic-clients
-#
-dynamic_clients {
-
-}
diff --git a/roles/radius/files/raddb/modules/echo b/roles/radius/files/raddb/modules/echo
deleted file mode 100644
index 9c07d29..0000000
--- a/roles/radius/files/raddb/modules/echo
+++ /dev/null
@@ -1,123 +0,0 @@ -# -*- text -*- -# -# $Id: 0ca6bd8d27c25bf4f84fd27f97323b8961814d77 $ - -# -# This is a more general example of the execute module. -# -# This one is called "echo". -# -# Attribute-Name = `%{echo:/path/to/program args}` -# -# If you wish to execute an external program in more than -# one section (e.g. 'authorize', 'pre_proxy', etc), then it -# is probably best to define a different instance of the -# 'exec' module for every section. -# -# The return value of the program run determines the result -# of the exec instance call as follows: -# (See doc/configurable_failover for details) -# -# < 0 : fail the module failed -# = 0 : ok the module succeeded -# = 1 : reject the module rejected the user -# = 2 : fail the module failed -# = 3 : ok the module succeeded -# = 4 : handled the module has done everything to handle the request -# = 5 : invalid the user's configuration entry was invalid -# = 6 : userlock the user was locked out -# = 7 : notfound the user was not found -# = 8 : noop the module did nothing -# = 9 : updated the module updated information in the request -# > 9 : fail the module failed -# -exec echo { - # - # Wait for the program to finish. - # - # If we do NOT wait, then the program is "fire and - # forget", and any output attributes from it are ignored. - # - # If we are looking for the program to output - # attributes, and want to add those attributes to the - # request, then we MUST wait for the program to - # finish, and therefore set 'wait=yes' - # - # allowed values: {no, yes} - wait = yes - - # - # The name of the program to execute, and it's - # arguments. Dynamic translation is done on this - # field, so things like the following example will - # work. - # - program = "/bin/echo %{User-Name}" - - # - # The attributes which are placed into the - # environment variables for the program. 
- # - # Allowed values are: - # - # request attributes from the request - # config attributes from the configuration items list - # reply attributes from the reply - # proxy-request attributes from the proxy request - # proxy-reply attributes from the proxy reply - # - # Note that some attributes may not exist at some - # stages. e.g. There may be no proxy-reply - # attributes if this module is used in the - # 'authorize' section. - # - input_pairs = request - - # - # Where to place the output attributes (if any) from - # the executed program. The values allowed, and the - # restrictions as to availability, are the same as - # for the input_pairs. - # - output_pairs = reply - - # - # When to execute the program. If the packet - # type does NOT match what's listed here, then - # the module does NOT execute the program. - # - # For a list of allowed packet types, see - # the 'dictionary' file, and look for VALUEs - # of the Packet-Type attribute. - # - # By default, the module executes on ANY packet. - # Un-comment out the following line to tell the - # module to execute only if an Access-Accept is - # being sent to the NAS. - # - #packet_type = Access-Accept - - # - # Should we escape the environment variables? - # - # If this is set, all the RADIUS attributes - # are capitalised and dashes replaced with - # underscores. Also, RADIUS values are surrounded - # with double-quotes. - # - # That is to say: User-Name=BobUser => USER_NAME="BobUser" - shell_escape = yes - - - # - # How long should we wait for the program to finish? - # - # Default is 10 seconds, which should be plenty for nearly - # anything. Range is 1 to 30 seconds. You are strongly - # encouraged to NOT increase this value. Decreasing can - # be used to cause authentication to fail sooner when you - # know it's going to fail anyway due to the time taken, - # thereby saving resources. - # - #timeout = 10 -} 
diff --git a/roles/radius/files/raddb/modules/etc_group b/roles/radius/files/raddb/modules/etc_group
deleted file mode 100644
index aea6faa..0000000
--- a/roles/radius/files/raddb/modules/etc_group
+++ /dev/null
@@ -1,28 +0,0 @@
-# -*- text -*-
-#
-# $Id: 614c52b82b3e12fab54313aecb5c1120559781f3 $
-
-# "passwd" configuration, for the /etc/group file. Adds a Etc-Group-Name
-# attribute for every group that the user is member of.
-#
-# You will have to define the Etc-Group-Name in the 'dictionary' file
-# as a 'string' type.
-#
-# The Group and Group-Name attributes are automatically created by
-# the Unix module, and do checking against /etc/group automatically.
-# This means that you CANNOT use Group or Group-Name to do any other
-# kind of grouping in the server. You MUST define a new group
-# attribute.
-#
-# i.e. this module should NOT be used as-is, but should be edited to
-# point to a different group file.
-#
-passwd etc_group {
- filename = /etc/group
- format = "=Etc-Group-Name:::*,User-Name"
- hashsize = 50
- ignorenislike = yes
- allowmultiplekeys = yes
- delimiter = ":"
-}
-
diff --git a/roles/radius/files/raddb/modules/exec b/roles/radius/files/raddb/modules/exec
deleted file mode 100644
index 470b9cb..0000000
--- a/roles/radius/files/raddb/modules/exec
+++ /dev/null
@@ -1,30 +0,0 @@
-# -*- text -*-
-#
-# $Id: 5f21e4350f091ed51813865a31b2796c4b487f9f $
-
-#
-# Execute external programs
-#
-# This module is useful only for 'xlat'. To use it,
-# put 'exec' into the 'instantiate' section. You can then
-# do dynamic translation of attributes like:
-#
-# Attribute-Name = `%{exec:/path/to/program args}`
-#
-# The value of the attribute will be replaced with the output
-# of the program which is executed. Due to RADIUS protocol
-# limitations, any output over 253 bytes will be ignored.
-#
-# The RADIUS attributes from the user request will be placed
-# into environment variables of the executed program, as
-# described in "man unlang" and in doc/variables.txt
-#
-# See also "echo" for more sample configuration.
-#
-exec {
- wait = no
- input_pairs = request
- shell_escape = yes
- output = none
- timeout = 10
-}
diff --git a/roles/radius/files/raddb/modules/expiration b/roles/radius/files/raddb/modules/expiration
deleted file mode 100644
index 18f2667..0000000
--- a/roles/radius/files/raddb/modules/expiration
+++ /dev/null
@@ -1,19 +0,0 @@
-# -*- text -*-
-#
-# $Id: 8bbd88973459d82f3967135c66a5b566fffc130a $
-
-#
-# The expiration module. This handles the Expiration attribute
-# It should be included in the *end* of the authorize section
-# in order to handle user Expiration. It should also be included
-# in the instantiate section in order to register the Expiration
-# compare function
-#
-expiration {
- #
- # The Reply-Message which will be sent back in case the
- # account has expired. Dynamic substitution is supported
- #
- reply-message = "Password Has Expired\r\n"
- #reply-message = "Your account has expired, %{User-Name}\r\n"
-}
diff --git a/roles/radius/files/raddb/modules/expr b/roles/radius/files/raddb/modules/expr
deleted file mode 100644
index 9b2513d..0000000
--- a/roles/radius/files/raddb/modules/expr
+++ /dev/null
@@ -1,20 +0,0 @@ -# -*- text -*- -# -# $Id: 6caeb9bccb3310d76f0c527afa58d10432359ee5 $ - -# -# The 'expression' module currently has no configuration. -# -# This module is useful only for 'xlat'. To use it, -# put 'expr' into the 'instantiate' section. You can then -# do dynamic translation of attributes like: -# -# Attribute-Name = `%{expr:2 + 3 + %{exec: uid -u}}` -# -# The value of the attribute will be replaced with the output -# of the program which is executed. Due to RADIUS protocol -# limitations, any output over 253 bytes will be ignored. -# -# The module also registers a few paircompare functions -expr { -} diff --git a/roles/radius/files/raddb/modules/files b/roles/radius/files/raddb/modules/files deleted file mode 100644 index 8a41117..0000000 --- a/roles/radius/files/raddb/modules/files +++ /dev/null 
@@ -1,46 +0,0 @@ -# -*- text -*- -# -# $Id: e0198d85b2d14fa7b75b0e8c1bf6427c4bd89058 $ - -# Livingston-style 'users' file -# -files { - # The default key attribute to use for matches. The content - # of this attribute is used to match the "name" of the - # entry. - #key = "%{%{Stripped-User-Name}:-%{User-Name}}" - - usersfile = ${confdir}/users - acctusersfile = ${confdir}/acct_users - preproxy_usersfile = ${confdir}/preproxy_users - - # If you want to use the old Cistron 'users' file - # with FreeRADIUS, you should change the next line - # to 'compat = cistron'. You can the copy your 'users' - # file from Cistron. - compat = no -} - -# An example which defines a second instance of the "files" module. -# This instance is named "second_files". In order for it to be used -# in a virtual server, it needs to be listed as "second_files" -# inside of the "authorize" section (or other section). If you just -# list "files", that will refer to the configuration defined above. -# - -# The two names here mean: -# "files" - this is a configuration for the "rlm_files" module -# "second_files" - this is a named configuration, which isn't -# the default configuration. -files second_files { - #key = "%{%{Stripped-User-Name}:-%{User-Name}}" - - # The names here don't matter. They just need to be different - # from the names for the "files" configuration above. If they - # are the same, then this configuration will end up being the - # same as the one above. - usersfile = ${confdir}/second_users - acctusersfile = ${confdir}/second_acct_users - preproxy_usersfile = ${confdir}/second_preproxy_users -} - diff --git a/roles/radius/files/raddb/modules/inner-eap b/roles/radius/files/raddb/modules/inner-eap deleted file mode 100644 index 6f55097..0000000 --- a/roles/radius/files/raddb/modules/inner-eap +++ /dev/null 
@@ -1,161 +0,0 @@ -# -*- text -*- -# -# $Id: 0a26c9c1672823e46219d831e2be18890450c2a7 $ - -# -# Sample configuration for an EAP module that occurs *inside* -# of a tunneled method. It is used to limit the EAP types that -# can occur inside of the inner tunnel. -# -# See also raddb/sites-available/inner-tunnel -# -# To use this module, edit raddb/sites-available/inner-tunnel, and -# replace the references to "eap" with "inner-eap". -# -# See raddb/eap.conf for full documentation on the meaning of the -# configuration entries here. -# -eap inner-eap { - # This is the best choice for PEAP. - default_eap_type = mschapv2 - timer_expire = 60 - - # This should be the same as the outer eap "max sessions" - max_sessions = 2048 - - # Supported EAP-types - md5 { - } - - gtc { - # The default challenge, which many clients - # ignore.. - #challenge = "Password: " - - auth_type = PAP - } - - mschapv2 { - } - - # No TTLS or PEAP configuration should be listed here. - - ## EAP-TLS - # - # You SHOULD use different certificates than are used - # for the outer EAP configuration! - # - # Support for PEAP/TLS and RFC 5176 TLS/TLS is experimental. - # - tls { - # - # These is used to simplify later configurations. - # - certdir = ${confdir}/certs - cadir = ${confdir}/certs - - private_key_password = whatever - private_key_file = ${certdir}/server.pem - - # If Private key & Certificate are located in - # the same file, then private_key_file & - # certificate_file must contain the same file - # name. - # - # If CA_file (below) is not used, then the - # certificate_file below MUST include not - # only the server certificate, but ALSO all - # of the CA certificates used to sign the - # server certificate. - certificate_file = ${certdir}/server.pem - - # Trusted Root CA list - # - # ALL of the CA's in this list will be trusted - # to issue client certificates for authentication. - # - # In general, you should use self-signed - # certificates for 802.1x (EAP) authentication. 
- # In that case, this CA file should contain - # *one* CA certificate. - # - # This parameter is used only for EAP-TLS, - # when you issue client certificates. If you do - # not use client certificates, and you do not want - # to permit EAP-TLS authentication, then delete - # this configuration item. - CA_file = ${cadir}/ca.pem - - # - # For DH cipher suites to work, you have to - # run OpenSSL to create the DH file first: - # - # openssl dhparam -out certs/dh 1024 - # - dh_file = ${certdir}/dh - random_file = ${certdir}/random - - # - # This can never exceed the size of a RADIUS - # packet (4096 bytes), and is preferably half - # that, to accomodate other attributes in - # RADIUS packet. On most APs the MAX packet - # length is configured between 1500 - 1600 - # In these cases, fragment size should be - # 1024 or less. - # - # fragment_size = 1024 - - # include_length is a flag which is - # by default set to yes If set to - # yes, Total Length of the message is - # included in EVERY packet we send. - # If set to no, Total Length of the - # message is included ONLY in the - # First packet of a fragment series. - # - # include_length = yes - - # Check the Certificate Revocation List - # - # 1) Copy CA certificates and CRLs to same directory. - # 2) Execute 'c_rehash '. - # 'c_rehash' is OpenSSL's command. - # 3) uncomment the line below. - # 5) Restart radiusd - # check_crl = yes - # CA_path = /path/to/directory/with/ca_certs/and/crls/ - - # - # If check_cert_issuer is set, the value will - # be checked against the DN of the issuer in - # the client certificate. If the values do not - # match, the cerficate verification will fail, - # rejecting the user. - # - # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" - - # - # If check_cert_cn is set, the value will - # be xlat'ed and checked against the CN - # in the client certificate. If the values - # do not match, the certificate verification - # will fail rejecting the user. 
- # - # This check is done only if the previous - # "check_cert_issuer" is not set, or if - # the check succeeds. - # - # check_cert_cn = %{User-Name} - # - # Set this option to specify the allowed - # TLS cipher suites. The format is listed - # in "man 1 ciphers". - cipher_list = "DEFAULT" - - # - # The session resumption / fast reauthentication - # cache CANNOT be used for inner sessions. - # - } -} diff --git a/roles/radius/files/raddb/modules/ippool b/roles/radius/files/raddb/modules/ippool deleted file mode 100644 index 6d181e7..0000000 --- a/roles/radius/files/raddb/modules/ippool +++ /dev/null 
@@ -1,75 +0,0 @@
-# -*- text -*-
-#
-# $Id: 05561cf37fe71142adc97410daba3ae08a1cb68c $
-
-# Do server side ip pool management. Should be added in
-# post-auth and accounting sections.
-#
-# The module also requires the existance of the Pool-Name
-# attribute. That way the administrator can add the Pool-Name
-# attribute in the user profiles and use different pools for
-# different users. The Pool-Name attribute is a *check* item
-# not a reply item.
-#
-# The Pool-Name should be set to the ippool module instance
-# name or to DEFAULT to match any module.
-
-#
-# Example:
-# radiusd.conf: ippool students { [...] }
-# ippool teachers { [...] }
-# users file : DEFAULT Group == students, Pool-Name := "students"
-# DEFAULT Group == teachers, Pool-Name := "teachers"
-# DEFAULT Group == other, Pool-Name := "DEFAULT"
-#
-# ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST *********
-# ********* THEN ERASE THE DB FILES *********
-#
-ippool main_pool {
-
- # range-start,range-stop:
- # The start and end ip addresses for this pool.
- range-start = 192.168.1.1
- range-stop = 192.168.3.254
-
- # netmask:
- # The network mask used for this pool.
- netmask = 255.255.255.0
-
- # cache-size:
- # The gdbm cache size for the db files. Should
- # be equal to the number of ip's available in
- # the ip pool
- cache-size = 800
-
- # session-db:
- # The main db file used to allocate addresses.
- session-db = ${db_dir}/db.ippool
-
- # ip-index:
- # Helper db index file used in multilink
- ip-index = ${db_dir}/db.ipindex
-
- # override:
- # If set, the Framed-IP-Address already in the
- # reply (if any) will be discarded, and replaced
- # with a Framed-IP-Address assigned here.
- override = no
-
- # maximum-timeout:
- # Specifies the maximum time in seconds that an
- # entry may be active. If set to zero, means
- # "no timeout". The default value is 0
- maximum-timeout = 0
-
- # key:
- # The key to use for the session database (which
- # holds the allocated ip's) normally it should
- # just be the nas ip/port (which is the default).
- #
- # If your NAS sends the same value of NAS-Port
- # all requests, the key should be based on some
- # other attribute that is in ALL requests, AND
- # is unique to each machine needing an IP address.
- #key = "%{NAS-IP-Address} %{NAS-Port}"
-}
diff --git a/roles/radius/files/raddb/modules/krb5 b/roles/radius/files/raddb/modules/krb5
deleted file mode 100644
index 37c6209..0000000
--- a/roles/radius/files/raddb/modules/krb5
+++ /dev/null
@@ -1,11 +0,0 @@
-# -*- text -*-
-#
-# $Id: 81d1cf2cad2c5dd919acdc993f4484673d80121e $
-
-#
-# Kerberos. See doc/rlm_krb5 for minimal docs.
-#
-krb5 {
- keytab = /path/to/keytab
- service_principal = name_of_principle
-}
diff --git a/roles/radius/files/raddb/modules/ldap b/roles/radius/files/raddb/modules/ldap
deleted file mode 100644
index a0669bc..0000000
--- a/roles/radius/files/raddb/modules/ldap
+++ /dev/null
@@ -1,197 +0,0 @@
-# -*- text -*-
-#
-# $Id: d13892634e4a8458c942ce170f59f98521dce500 $
-
-# Lightweight Directory Access Protocol (LDAP)
-#
-# This module definition allows you to use LDAP for
-# authorization and authentication.
-#
-# See raddb/sites-available/default for reference to the
-# ldap module in the authorize and authenticate sections.
-#
-# However, LDAP can be used for authentication ONLY when the
-# Access-Request packet contains a clear-text User-Password
-# attribute. LDAP authentication will NOT work for any other
-# authentication method.
-#
-# This means that LDAP servers don't understand EAP. If you
-# force "Auth-Type = LDAP", and then send the server a
-# request containing EAP authentication, then authentication
-# WILL NOT WORK.
-#
-# The solution is to use the default configuration, which does
-# work.
-#
-# Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We
-# really can't emphasize this enough.
-#
-ldap {
- #
- # Note that this needs to match the name in the LDAP
- # server certificate, if you're using ldaps.
- server = "127.0.0.1"
- identity = "cn=Services,ou=roles,dc=binary-kitchen,dc=de"
- password = svcpwd
- basedn = "dc=binary-kitchen,dc=de"
- filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
- #base_filter = "(objectclass=radiusprofile)"
-
- # How many connections to keep open to the LDAP server.
- # This saves time over opening a new LDAP socket for
- # every authentication request.
- ldap_connections_number = 5
-
- # How many times the connection can be used before
- # being re-established. This is useful for things
- # like load balancers, which may exhibit sticky
- # behaviour without it. (0) is unlimited.
- max_uses = 0
-
- # Port to connect on, defaults to 389. Setting this to
- # 636 will enable LDAPS if start_tls (see below) is not
- # able to be used.
- #port = 389
-
- # seconds to wait for LDAP query to finish. default: 20
- timeout = 4
-
- # seconds LDAP server has to process the query (server-side
- # time limit). default: 20
- #
- # LDAP_OPT_TIMELIMIT is set to this value.
- timelimit = 3
-
- #
- # seconds to wait for response of the server. (network
- # failures) default: 10
- #
- # LDAP_OPT_NETWORK_TIMEOUT is set to this value.
- net_timeout = 1
-
- #
- # This subsection configures the tls related items
- # that control how FreeRADIUS connects to an LDAP
- # server. It contains all of the "tls_*" configuration
- # entries used in older versions of FreeRADIUS. Those
- # configuration entries can still be used, but we recommend
- # using these.
- #
- tls {
- # Set this to 'yes' to use TLS encrypted connections
- # to the LDAP database by using the StartTLS extended
- # operation.
- #
- # The StartTLS operation is supposed to be
- # used with normal ldap connections instead of
- # using ldaps (port 636) connections
- start_tls = no
-
- # cacertfile = /path/to/cacert.pem
- # cacertdir = /path/to/ca/dir/
- # certfile = /path/to/radius.crt
- # keyfile = /path/to/radius.key
- # randfile = /path/to/rnd
-
- # Certificate Verification requirements. Can be:
- # "never" (don't even bother trying)
- # "allow" (try, but don't fail if the cerificate
- # can't be verified)
- # "demand" (fail if the certificate doesn't verify.)
- #
- # The default is "allow"
- # require_cert = "demand"
- }
-
- # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
- # profile_attribute = "radiusProfileDn"
- # access_attr = "dialupAccess"
-
- # Mapping of RADIUS dictionary attributes to LDAP
- # directory attributes.
- dictionary_mapping = ${confdir}/ldap.attrmap
-
- # Set password_attribute = nspmPassword to get the
- # user's password from a Novell eDirectory
- # backend. This will work ONLY IF FreeRADIUS has been
- # built with the --with-edir configure option.
- #
- # See also the following links:
- #
- # http://www.novell.com/coolsolutions/appnote/16745.html
- # https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
- #
- # Novell may require TLS encrypted sessions before returning
- # the user's password.
- #
- # password_attribute = userPassword
-
- # Un-comment the following to disable Novell
- # eDirectory account policy check and intruder
- # detection. This will work *only if* FreeRADIUS is
- # configured to build with --with-edir option.
- #
- edir_account_policy_check = no
-
- #
- # Group membership checking. Disabled by default.
- #
- # groupname_attribute = cn
- # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
- # groupmembership_attribute = radiusGroupName
-
- # compare_check_items = yes
- # do_xlat = yes
- # access_attr_used_for_allow = yes
-
- #
- # The following two configuration items are for Active Directory
- # compatibility. If you see the helpful "operations error"
- # being returned to the LDAP module, uncomment the next
- # two lines.
- #
- # chase_referrals = yes
- # rebind = yes
-
- #
- # By default, if the packet contains a User-Password,
- # and no other module is configured to handle the
- # authentication, the LDAP module sets itself to do
- # LDAP bind for authentication.
- #
- # THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
- #
- # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
- #
- # You can disable this behavior by setting the following
- # configuration entry to "no".
- #
- # allowed values: {no, yes}
- # set_auth_type = yes
-
- # ldap_debug: debug flag for LDAP SDK
- # (see OpenLDAP documentation). Set this to enable
- # huge amounts of LDAP debugging on the screen.
- # You should only use this if you are an LDAP expert.
- #
- # default: 0x0000 (no debugging messages)
- # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
- #ldap_debug = 0x0028
-
- #
- # Keepalive configuration. This MAY NOT be supported by your
- # LDAP library. If these configuration entries appear in the
- # output of "radiusd -X", then they are supported. Otherwise,
- # they are unsupported, and changing them will do nothing.
- #
- keepalive {
- # LDAP_OPT_X_KEEPALIVE_IDLE
- idle = 60
-
- # LDAP_OPT_X_KEEPALIVE_PROBES
- probes = 3
-
- # LDAP_OPT_X_KEEPALIVE_INTERVAL
- interval = 3
- }
-}
diff --git a/roles/radius/files/raddb/modules/linelog b/roles/radius/files/raddb/modules/linelog
deleted file mode 100644
index 478b4fa..0000000
--- a/roles/radius/files/raddb/modules/linelog
+++ /dev/null
@@ -1,105 +0,0 @@
-# -*- text -*-
-#
-# $Id: a57741ac3fa5f884ed64d896da3807af5d2a6b99 $
-
-#
-# The "linelog" module will log one line of text to a file.
-# Both the filename and the line of text are dynamically expanded.
-#
-# We STRONGLY suggest that you do not use data from the
-# packet as part of the filename.
-#
-linelog {
- #
- # The file where the logs will go.
- #
- # If the filename is "syslog", then the log messages will
- # go to syslog.
- filename = ${logdir}/linelog
-
- #
- # The Unix-style permissions on the log file.
- #
- # Depending on format string, the log file may contain secret or
- # private information about users. Keep the file permissions as
- # restrictive as possible.
- permissions = 0600
-
- #
- # The Unix group of the log file.
- #
- # The user that freeradius runs as must be in the specified
- # group, otherwise it will not be possible to set the group.
- #
- # group = freerad
-
- #
- # If logging via syslog, the facility can be set here. Otherwise
- # the syslog_facility option in radiusd.conf will be used.
- #
- # syslog_facility = daemon
-
- #
- # The default format string.
- format = "This is a log message for %{User-Name}"
-
- #
- # This next line can be omitted. If it is omitted, then
- # the log message is static, and is always given by "format",
- # above.
- #
- # If it is defined, then the string is dynamically expanded,
- # and the result is used to find another configuration entry
- # here, with the given name. That name is then used as the
- # format string.
- #
- # If the configuration entry cannot be found, then no log
- # message is printed.
- #
- # i.e. You can have many log messages in one "linelog" module.
- # If this two-step expansion did not exist, you would have
- # needed to configure one "linelog" module for each log message.
-
- #
- # Reference the Packet-Type (Access-Request, etc.) If it doesn't
- # exist, reference the "format" entry, above.
- reference = "%{%{Packet-Type}:-format}"
-
- #
- # Followed by a series of log messages.
- Access-Request = "Requested access: %{User-Name}"
- Access-Reject = "Rejected access: %{User-Name}"
- Access-Challenge = "Sent challenge: %{User-Name}"
-
- #
- # The log messages can be grouped into sections and
- # sub-sections, too. The "reference" item needs to have a "."
- # for every section. e.g. reference = foo.bar will reference
- # the "foo" section, "bar" configuration item.
- #
-
- #
- # Used if: reference = "foo.bar".
- foo {
- bar = "Example log. Please ignore"
- }
-
- #
- # Another example:
- # reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
- #
- Accounting-Request {
- Start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})"
- Stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds"
-
- # Don't log anything for these packets.
- Alive = ""
-
- Accounting-On = "NAS %C (%{NAS-IP-Address}) just came online"
- Accounting-Off = "NAS %C (%{NAS-IP-Address}) just went offline"
-
- # don't log anything for other Acct-Status-Types.
- unknown = ""
- }
-
-}
diff --git a/roles/radius/files/raddb/modules/logintime b/roles/radius/files/raddb/modules/logintime
deleted file mode 100644
index 58fa3e7..0000000
--- a/roles/radius/files/raddb/modules/logintime
+++ /dev/null
@@ -1,31 +0,0 @@
-# -*- text -*-
-#
-# $Id: 26691a93664c464f49394773e04d3b2ed565d142 $
-
-# The logintime module. This handles the Login-Time,
-# Current-Time, and Time-Of-Day attributes. It should be
-# included in the *end* of the authorize section in order to
-# handle Login-Time checks. It should also be included in the
-# instantiate section in order to register the Current-Time
-# and Time-Of-Day comparison functions.
-#
-# When the Login-Time attribute is set to some value, and the
-# user has bene permitted to log in, a Session-Timeout is
-# calculated based on the remaining time. See "doc/README".
-#
-logintime {
- #
- # The Reply-Message which will be sent back in case
- # the account is calling outside of the allowed
- # timespan. Dynamic substitution is supported.
- #
- reply-message = "You are calling outside your allowed timespan\r\n"
- #reply-message = "Outside allowed timespan (%{control:Login-Time}), %{User-Name}\r\n"
-
- # The minimum timeout (in seconds) a user is allowed
- # to have. If the calculated timeout is lower we don't
- # allow the logon. Some NASes do not handle values
- # lower than 60 seconds well.
- minimum-timeout = 60
-}
-
diff --git a/roles/radius/files/raddb/modules/mac2ip b/roles/radius/files/raddb/modules/mac2ip
deleted file mode 100644
index 655d4b6..0000000
--- a/roles/radius/files/raddb/modules/mac2ip
+++ /dev/null
@@ -1,25 +0,0 @@
-# -*- text -*-
-#
-# $Id: 793d5690e1d4520bb3db1d9900d6be09da2587ae $
-
-######################################################################
-#
-# This next section is a sample configuration for the "passwd"
-# module, that reads flat-text files.
-#
-# The file is in the format ,
-#
-# 00:01:02:03:04:05,192.168.1.100
-# 01:01:02:03:04:05,192.168.1.101
-# 02:01:02:03:04:05,192.168.1.102
-#
-# This lets you perform simple static IP assignments from a flat-text
-# file. You will have to define lease times yourself.
-#
-######################################################################
-
-passwd mac2ip {
- filename = ${confdir}/mac2ip
- format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address"
- delimiter = ","
-}
diff --git a/roles/radius/files/raddb/modules/mac2vlan b/roles/radius/files/raddb/modules/mac2vlan
deleted file mode 100644
index 61ee40f..0000000
--- a/roles/radius/files/raddb/modules/mac2vlan
+++ /dev/null
@@ -1,18 +0,0 @@
-# -*- text -*-
-#
-# $Id: bdfef238076bb1ea16c494bf6e22f1d2af848b62 $
-
-# A simple file to map a MAC address to a VLAN.
-#
-# The file should be in the format MAC,VLAN
-# the VLAN name cannot have spaces in it, for example:
-#
-# 00:01:02:03:04:05,VLAN1
-# 03:04:05:06:07:08,VLAN2
-# ...
-#
-passwd mac2vlan {
- filename = ${confdir}/mac2vlan
- format = "*VMPS-Mac:=VMPS-VLAN-Name"
- delimiter = ","
-}
diff --git a/roles/radius/files/raddb/modules/mschap b/roles/radius/files/raddb/modules/mschap
deleted file mode 100644
index bd6dc34..0000000
--- a/roles/radius/files/raddb/modules/mschap
+++ /dev/null
@@ -1,87 +0,0 @@
-# -*- text -*-
-#
-# $Id: 9e016a09a158f55bbc9b48876f0cb2b776b4cd96 $
-
-# Microsoft CHAP authentication
-#
-# This module supports MS-CHAP and MS-CHAPv2 authentication.
-# It also enforces the SMB-Account-Ctrl attribute.
-#
-mschap {
- #
- # If you are using /etc/smbpasswd, see the 'passwd'
- # module for an example of how to use /etc/smbpasswd
-
- # if use_mppe is not set to no mschap will
- # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
- # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
- #
-# use_mppe = no
-
- # if mppe is enabled require_encryption makes
- # encryption moderate
- #
-# require_encryption = yes
-
- # require_strong always requires 128 bit key
- # encryption
- #
-# require_strong = yes
-
- # Windows sends us a username in the form of
- # DOMAIN\user, but sends the challenge response
- # based on only the user portion. This hack
- # corrects for that incorrect behavior.
- #
-# with_ntdomain_hack = no
-
- # The module can perform authentication itself, OR
- # use a Windows Domain Controller. This configuration
- # directive tells the module to call the ntlm_auth
- # program, which will do the authentication, and return
- # the NT-Key. Note that you MUST have "winbindd" and
- # "nmbd" running on the local machine for ntlm_auth
- # to work. See the ntlm_auth program documentation
- # for details.
- #
- # If ntlm_auth is configured below, then the mschap
- # module will call ntlm_auth for every MS-CHAP
- # authentication request. If there is a cleartext
- # or NT hashed password available, you can set
- # "MS-CHAP-Use-NTLM-Auth := No" in the control items,
- # and the mschap module will do the authentication itself,
- # without calling ntlm_auth.
- #
- # Be VERY careful when editing the following line!
- #
- # You can also try setting the user name as:
- #
- # ... --username=%{mschap:User-Name} ...
- #
- # In that case, the mschap module will look at the User-Name
- # attribute, and do prefix/suffix checks in order to obtain
- # the "best" user name for the request.
- #
-# ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
-
- # The default is to wait 10 seconds for ntlm_auth to
- # complete. This is a long time, and if it's taking that
- # long then you likely have other problems in your domain.
- # The length of time can be decreased with the following
- # option, which can save clients waiting if your ntlm_auth
- # usually finishes quicker. Range 1 to 10 seconds.
- #
-# ntlm_auth_timeout = 10
-
- # For Apple Server, when running on the same machine as
- # Open Directory. It has no effect on other systems.
- #
-# use_open_directory = yes
-
- # On failure, set (or not) the MS-CHAP error code saying
- # "retries allowed".
-# allow_retry = yes
-
- # An optional retry message.
-# retry_msg = "Re-enter (or reset) the password"
-}
diff --git a/roles/radius/files/raddb/modules/ntlm_auth b/roles/radius/files/raddb/modules/ntlm_auth
deleted file mode 100644
index 9ee11aa..0000000
--- a/roles/radius/files/raddb/modules/ntlm_auth
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# For testing ntlm_auth authentication with PAP.
-#
-# If you have problems with authentication failing, even when the
-# password is good, it may be a bug in Samba:
-#
-# https://bugzilla.samba.org/show_bug.cgi?id=6563
-#
-exec ntlm_auth {
- wait = yes
- program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
-}
diff --git a/roles/radius/files/raddb/modules/opendirectory b/roles/radius/files/raddb/modules/opendirectory
deleted file mode 100644
index 10dd507..0000000
--- a/roles/radius/files/raddb/modules/opendirectory
+++ /dev/null
@@ -1,13 +0,0 @@
-# -*- text -*-
-#
-# $Id: 2a44ef695f4eaf6f1c461b3d92fda54e9b910f9e $
-
-# This module is only used when the server is running on the same
-# system as OpenDirectory. The configuration of the module is hard-coded
-# by Apple, and cannot be changed here.
-#
-# There are no configuration entries for this module.
-#
-opendirectory {
-
-}
diff --git a/roles/radius/files/raddb/modules/otp b/roles/radius/files/raddb/modules/otp
deleted file mode 100644
index 3ae59e1..0000000
--- a/roles/radius/files/raddb/modules/otp
+++ /dev/null
@@ -1,78 +0,0 @@
-#
-# Configuration for the OTP module.
-#
-
-# This module allows you to use various handheld OTP tokens
-# for authentication (Auth-Type := otp). These tokens are
-# available from various vendors.
-#
-# It works in conjunction with otpd, which implements token
-# management and OTP verification functions; and lsmd or gsmd,
-# which implements synchronous state management functions.
-# otpd, lsmd and gsmd are available from TRI-D Systems:
-#
-
-# You must list this module in BOTH the authorize and authenticate
-# sections in order to use it.
-otp {
- # otpd rendezvous point.
- # (default: /var/run/otpd/socket)
- #otpd_rp = /var/run/otpd/socket
-
- # Text to use for the challenge. The '%' character is
- # disallowed, except that you MUST have a single "%s"
- # sequence in the string; the challenge itself is
- # inserted there. (default "Challenge: %s\n Response: ")
- #challenge_prompt = "Challenge: %s\n Response: "
-
- # Length of the challenge. Most tokens probably support a
- # max of 8 digits. (range: 5-32 digits, default 6)
- #challenge_length = 6
-
- # Maximum time, in seconds, that a challenge is valid.
- # (The user must respond to a challenge within this time.)
- # It is also the minimal time between consecutive async mode
- # authentications, a necessary restriction due to an inherent
- # weakness of the RADIUS protocol which allows replay attacks.
- # (default: 30)
- #challenge_delay = 30
-
- # Whether or not to allow asynchronous ("pure" challenge/
- # response) mode authentication. Since sync mode is much more
- # usable, and all reasonable tokens support it, the typical
- # use of async mode is to allow resync of event based tokens.
- # But because of the vulnerability of async mode with some tokens,
- # you probably want to disable this and require that out-of-sync
- # users resync from specifically secured terminals.
- # See the otpd docs for more info.
- # (default: no)
- #allow_async = no
-
- # Whether or not to allow synchronous mode authentication.
- # When using otpd with lsmd, it is *CRITICALLY IMPORTANT*
- # that if your OTP users can authenticate to multiple RADIUS
- # servers, this must be "yes" for the primary/default server,
- # and "no" for the others. This is because lsmd does not
- # share state information across multiple servers. Using "yes"
- # on all your RADIUS servers would allow replay attacks!
- # Also, for event based tokens, the user will be out of sync
- # on the "other" servers. In order to use "yes" on all your
- # servers, you must either use gsmd, which synchronizes state
- # globally, or implement your own state synchronization method.
- # (default: yes)
- #allow_sync = yes
-
- # If both allow_async and allow_sync are "yes", a challenge is
- # always presented to the user. This is incompatible with NAS's
- # that can't present or don't handle Access-Challenge's, e.g.
- # PPTP servers. Even though a challenge is presented, the user
- # can still enter their synchronous passcode.
-
- # The following are MPPE settings. Note that MS-CHAP (v1) is
- # strongly discouraged. All possible values are listed as
- # {value = meaning}. Default values are first.
- #mschapv2_mppe = {2 = required, 1 = optional, 0 = forbidden}
- #mschapv2_mppe_bits = {2 = 128, 1 = 128 or 40, 0 = 40}
- #mschap_mppe = {2 = required, 1 = optional, 0 = forbidden}
- #mschap_mppe_bits = {2 = 128}
-}
diff --git a/roles/radius/files/raddb/modules/pam b/roles/radius/files/raddb/modules/pam
deleted file mode 100644
index a31dfda..0000000
--- a/roles/radius/files/raddb/modules/pam
+++ /dev/null
@@ -1,26 +0,0 @@
-# -*- text -*-
-#
-# $Id: f4a91a948637bb2f42f613ed9faa6f9ae9ae6099 $
-
-
-# Pluggable Authentication Modules
-#
-# For Linux, see:
-# http://www.kernel.org/pub/linux/libs/pam/index.html
-#
-# WARNING: On many systems, the system PAM libraries have
-# memory leaks! We STRONGLY SUGGEST that you do not
-# use PAM for authentication, due to those memory leaks.
-#
-pam {
- #
- # The name to use for PAM authentication.
- # PAM looks in /etc/pam.d/${pam_auth_name}
- # for it's configuration. See 'redhat/radiusd-pam'
- # for a sample PAM configuration file.
- #
- # Note that any Pam-Auth attribute set in the 'authorize'
- # section will over-ride this one.
- #
- pam_auth = radiusd
-}
diff --git a/roles/radius/files/raddb/modules/pap b/roles/radius/files/raddb/modules/pap
deleted file mode 100644
index 46768e3..0000000
--- a/roles/radius/files/raddb/modules/pap
+++ /dev/null
@@ -1,22 +0,0 @@
-# -*- text -*-
-#
-# $Id: 5c7d29d654bea9c076d6434f32795c2b2d002757 $
-
-# PAP module to authenticate users based on their stored password
-#
-# Supports multiple encryption/hash schemes. See "man rlm_pap"
-# for details.
-#
-# The "auto_header" configuration item can be set to "yes".
-# In this case, the module will look inside of the User-Password
-# attribute for the headers {crypt}, {clear}, etc., and will
-# automatically create the attribute on the right-hand side,
-# with the correct value. It will also automatically handle
-# Base-64 encoded data, hex strings, and binary data.
-#
-# For instructions on creating the various types of passwords, see:
-#
-# http://www.openldap.org/faq/data/cache/347.html
-pap {
- auto_header = no
-}
diff --git a/roles/radius/files/raddb/modules/passwd b/roles/radius/files/raddb/modules/passwd
deleted file mode 100644
index 7850781..0000000
--- a/roles/radius/files/raddb/modules/passwd
+++ /dev/null
@@ -1,55 +0,0 @@
-# -*- text -*-
-#
-# $Id: cc37ca0d7eaf9887720eccc2de0ecb75a51117c8 $
-
-# passwd module allows to do authorization via any passwd-like
-# file and to extract any attributes from these files.
-#
-# See the "smbpasswd" and "etc_group" files for more examples.
-#
-# parameters are:
-# filename - path to filename
-#
-# format - format for filename record. This parameters
-# correlates record in the passwd file and RADIUS
-# attributes.
-#
-# Field marked as '*' is a key field. That is, the parameter
-# with this name from the request is used to search for
-# the record from passwd file
-#
-# Attributes marked as '=' are added to reply_items instead
-# of default configure_itmes
-#
-# Attributes marked as '~' are added to request_items
-#
-# Field marked as ',' may contain a comma separated list
-# of attributes.
-#
-# hashsize - hashtable size. Setting it to 0 is no longer permitted
-# A future version of the server will have the module
-# automatically determine the hash size. Having it set
-# manually should not be necessary.
-#
-# allowmultiplekeys - if many records for a key are allowed
-#
-# ignorenislike - ignore NIS-related records
-#
-# delimiter - symbol to use as a field separator in passwd file,
-# for format ':' symbol is always used. '\0', '\n' are
-# not allowed
-#
-
-# An example configuration for using /etc/passwd.
-#
-# This is an example which will NOT WORK if you have shadow passwords,
-# NIS, etc. The "unix" module is normally responsible for reading
-# system passwords. You should use it instead of this example.
-#
-passwd etc_passwd {
- filename = /etc/passwd
- format = "*User-Name:Crypt-Password:"
- hashsize = 100
- ignorenislike = no
- allowmultiplekeys = no
-}
diff --git a/roles/radius/files/raddb/modules/perl b/roles/radius/files/raddb/modules/perl
deleted file mode 100644
index b63a87f..0000000
--- a/roles/radius/files/raddb/modules/perl
+++ /dev/null
@@ -1,58 +0,0 @@
-# -*- text -*-
-#
-# $Id: 69ad3076119ec814518a6db45eec4bc41dc090f7 $
-
-# Persistent, embedded Perl interpreter.
-#
-perl {
- #
- # The Perl script to execute on authorize, authenticate,
- # accounting, xlat, etc. This is very similar to using
- # 'rlm_exec' module, but it is persistent, and therefore
- # faster.
- #
- module = ${confdir}/example.pl
-
- #
- # The following hashes are given to the module and
- # filled with value-pairs (Attribute names and values)
- #
- # %RAD_CHECK Check items
- # %RAD_REQUEST Attributes from the request
- # %RAD_REPLY Attributes for the reply
- #
- # The return codes from functions in the perl_script
- # are passed directly back to the server. These
- # codes are defined in doc/configurable_failover,
- # src/include/modules.h (RLM_MODULE_REJECT, etc),
- # and are pre-defined in the 'example.pl' program
- # which is included.
- #
-
- #
- # List of functions in the module to call.
- # Uncomment and change if you want to use function
- # names other than the defaults.
- #
- #func_authenticate = authenticate
- #func_authorize = authorize
- #func_preacct = preacct
- #func_accounting = accounting
- #func_checksimul = checksimul
- #func_pre_proxy = pre_proxy
- #func_post_proxy = post_proxy
- #func_post_auth = post_auth
- #func_recv_coa = recv_coa
- #func_send_coa = send_coa
- #func_xlat = xlat
- #func_detach = detach
-
- #
- # Uncomment the following lines if you wish
- # to use separate functions for Start and Stop
- # accounting packets. In that case, the
- # func_accounting function is not called.
- #
- #func_start_accounting = accounting_start
- #func_stop_accounting = accounting_stop
-}
diff --git a/roles/radius/files/raddb/modules/policy b/roles/radius/files/raddb/modules/policy
deleted file mode 100644
index f642816..0000000
--- a/roles/radius/files/raddb/modules/policy
+++ /dev/null
@@ -1,21 +0,0 @@
-# -*- text -*-
-#
-# $Id: 9b1b111ce70dbfd4ce25cdd2774d5878dbea7023 $
-
-#
-# Module implementing a DIFFERENT policy language.
-# The syntax here is NOT "unlang", but something else.
-#
-# See the "raddb/policy.txt" file for documentation and examples.
-# There isn't much else in the way of documentation, sorry.
-#
-policy {
- # The only configuration item is a filename containing
- # the policies to execute.
- #
- # When "policy" is listed in a section (e.g. "authorize"),
- # it will run a policy named for that section.
- #
- filename = ${confdir}/policy.txt
-}
-
diff --git a/roles/radius/files/raddb/modules/preprocess b/roles/radius/files/raddb/modules/preprocess
deleted file mode 100644
index 266c206..0000000
--- a/roles/radius/files/raddb/modules/preprocess
+++ /dev/null
@@ -1,58 +0,0 @@
-# -*- text -*-
-#
-# $Id: e00aa85a9bd924b3a79c034f6f5d4d7d9a98c208 $
-
-# Preprocess the incoming RADIUS request, before handing it off
-# to other modules.
-#
-# This module processes the 'huntgroups' and 'hints' files.
-# In addition, it re-writes some weird attributes created
-# by some NASes, and converts the attributes into a form which
-# is a little more standard.
-#
-preprocess {
- huntgroups = ${confdir}/huntgroups
- hints = ${confdir}/hints
-
- # This hack changes Ascend's wierd port numberings
- # to standard 0-??? port numbers so that the "+" works
- # for IP address assignments.
- with_ascend_hack = no
- ascend_channels_per_line = 23
-
- # Windows NT machines often authenticate themselves as
- # NT_DOMAIN\username
- #
- # If this is set to 'yes', then the NT_DOMAIN portion
- # of the user-name is silently discarded.
- #
- # This configuration entry SHOULD NOT be used.
- # See the "realms" module for a better way to handle
- # NT domains.
- with_ntdomain_hack = no
-
- # Specialix Jetstream 8500 24 port access server.
- #
- # If the user name is 10 characters or longer, a "/"
- # and the excess characters after the 10th are
- # appended to the user name.
- #
- # If you're not running that NAS, you don't need
- # this hack.
- with_specialix_jetstream_hack = no
-
- # Cisco (and Quintum in Cisco mode) sends it's VSA attributes
- # with the attribute name *again* in the string, like:
- #
- # H323-Attribute = "h323-attribute=value".
- #
- # If this configuration item is set to 'yes', then
- # the redundant data in the the attribute text is stripped
- # out. The result is:
- #
- # H323-Attribute = "value"
- #
- # If you're not running a Cisco or Quintum NAS, you don't
- # need this hack.
- with_cisco_vsa_hack = no
-}
diff --git a/roles/radius/files/raddb/modules/radrelay b/roles/radius/files/raddb/modules/radrelay
deleted file mode 100644
index a29106f..0000000
--- a/roles/radius/files/raddb/modules/radrelay
+++ /dev/null
@@ -1,26 +0,0 @@ -# -*- text -*- -# -# $Id: dede42698a19413b524a1a68b7ea312aa8a506aa $ - -# Write "detail" files which can be read by radrelay. -# This module should be used only by a server which receives -# Accounting-Request packets from the network. -# -# It should NOT be used in the radrelay.conf file. -# -# Use it by adding "radrelay" to the "accounting" section: -# -# accounting { -# ... -# radrelay -# ... -# } -# -detail radrelay { - detailfile = ${radacctdir}/detail - - locking = yes - - # The other directives from the main detail module - # can be used here, but they're not required. -} diff --git a/roles/radius/files/raddb/modules/radutmp b/roles/radius/files/raddb/modules/radutmp deleted file mode 100644 index af729f3..0000000 --- a/roles/radius/files/raddb/modules/radutmp +++ /dev/null 
@@ -1,53 +0,0 @@ -# -*- text -*- -# -# $Id: 3ad88cde616ce041f0dcc87858950daafdd3d336 $ - -# Write a 'utmp' style file, of which users are currently -# logged in, and where they've logged in from. -# -# This file is used mainly for Simultaneous-Use checking, -# and also 'radwho', to see who's currently logged in. -# -radutmp { - # Where the file is stored. It's not a log file, - # so it doesn't need rotating. - # - filename = ${logdir}/radutmp - - # The field in the packet to key on for the - # 'user' name, If you have other fields which you want - # to use to key on to control Simultaneous-Use, - # then you can use them here. - # - # Note, however, that the size of the field in the - # 'utmp' data structure is small, around 32 - # characters, so that will limit the possible choices - # of keys. - # - # You may want instead: %{Stripped-User-Name:-%{User-Name}} - username = %{User-Name} - - - # Whether or not we want to treat "user" the same - # as "USER", or "User". Some systems have problems - # with case sensitivity, so this should be set to - # 'no' to enable the comparisons of the key attribute - # to be case insensitive. - # - case_sensitive = yes - - # Accounting information may be lost, so the user MAY - # have logged off of the NAS, but we haven't noticed. - # If so, we can verify this information with the NAS, - # - # If we want to believe the 'utmp' file, then this - # configuration entry can be set to 'no'. - # - check_with_nas = yes - - # Set the file permissions, as the contents of this file - # are usually private. - perm = 0600 - - callerid = "yes" -} diff --git a/roles/radius/files/raddb/modules/realm b/roles/radius/files/raddb/modules/realm deleted file mode 100644 index ff34898..0000000 --- a/roles/radius/files/raddb/modules/realm +++ /dev/null 
@@ -1,46 +0,0 @@ -# -*- text -*- -# -# $Id: 95d9f2b98de1b33346c6129aa7e88a901248cd4d $ - -# Realm module, for proxying. -# -# You can have multiple instances of the realm module to -# support multiple realm syntaxs at the same time. The -# search order is defined by the order that the modules are listed -# in the authorize and preacct sections. -# -# Four config options: -# format - must be "prefix" or "suffix" -# The special cases of "DEFAULT" -# and "NULL" are allowed, too. -# delimiter - must be a single character - -# 'realm/username' -# -# Using this entry, IPASS users have their realm set to "IPASS". -realm IPASS { - format = prefix - delimiter = "/" -} - -# 'username@realm' -# -realm suffix { - format = suffix - delimiter = "@" -} - -# 'username%realm' -# -realm realmpercent { - format = suffix - delimiter = "%" -} - -# -# 'domain\user' -# -realm ntdomain { - format = prefix - delimiter = "\\" -} diff --git a/roles/radius/files/raddb/modules/redis b/roles/radius/files/raddb/modules/redis deleted file mode 100644 index fafe613..0000000 --- a/roles/radius/files/raddb/modules/redis +++ /dev/null 
@@ -1,35 +0,0 @@ -# -*- text -*- -# -# $Id: d7605d9888607aa6451ab24450cebfd7bc9d4437 $ - -# -# Configuration file for the "redis" module. This module does nothing -# Other than provide connections to a redis database, and a %{redis: ...} -# expansion. -# -redis { - # Host where the redis server is located. - # We recommend using ONLY 127.0.0.1 ! - hostname = 127.0.0.1 - - # The default port. - port = 6379 - - # The password used to authenticate to the server. - # We recommend using a strong password. -# password = thisisreallysecretandhardtoguess - - # The number of connections to open to the database. - num_connections = 20 - - # If a connection fails, retry after this time. - connect_failure_retry_delay = 60 - - # Set the maximum lifetime for one connection. - # Use 0 for "lives forever" - lifetime = 86400 - - # Set the maximum queries used for one connection. - # Use 0 for "no limit" - max_queries = 0 -} \ No newline at end of file diff --git a/roles/radius/files/raddb/modules/rediswho b/roles/radius/files/raddb/modules/rediswho deleted file mode 100644 index 12d0e41..0000000 --- a/roles/radius/files/raddb/modules/rediswho +++ /dev/null 
@@ -1,28 +0,0 @@ -# -*- text -*- -# -# $Id: e16550c9991a5e76a77f349cfa5b82d5163f172e $ - -# -# Configuration file for the "rediswho" module. -# -rediswho { - # How many sessions to keep track of per user. - # If there are more than this number, older sessions are deleted. - trim-count = 15 - - # Expiry time in seconds. Any sessions which have not received - # an update in this time will be automatically expired. - expire-time = 86400 - - start-insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}" - start-trim = "LTRIM %{User-Name} 0 ${trim-count}" - start-expire = "EXPIRE %{User-Name} ${expire-time}" - - alive-insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}" - alive-trim = "LTRIM %{User-Name} 0 ${trim-count}" - alive-expire = "EXPIRE %{User-Name} ${expire-time}" - - stop-insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}" - stop-trim = "LTRIM %{User-Name} 0 ${trim-count}" - stop-expire = "EXPIRE %{User-Name} ${expire-time}" -} diff --git a/roles/radius/files/raddb/modules/replicate b/roles/radius/files/raddb/modules/replicate deleted file mode 100644 index 6df4523..0000000 --- a/roles/radius/files/raddb/modules/replicate +++ /dev/null 
@@ -1,40 +0,0 @@ -# Replicate packet(s) to a home server. -# -# This module will open a new socket for each packet, and "clone" -# the incoming packet to the destination realm (i.e. home server). -# -# Use it by setting "Replicate-To-Realm = name" in the control list, -# just like Proxy-To-Realm. The configurations for the two attributes -# are identical. The realm must exist, the home_server_pool must exist, -# and the home_server must exist. -# -# The only difference is that the "replicate" module sends requests -# and does not expect a reply. Any reply is ignored. -# -# Both Replicate-To-Realm and Proxy-To-Realm can be used at the same time. -# -# To use this module, list "replicate" in the "authorize" or -# "accounting" section. Then, ensure that Replicate-To-Realm is set. -# The contents of the "packet" attribute list will be sent to the -# home server. The usual load-balancing, etc. features of the home -# server will be used. -# -# "radmin" can be used to mark home servers alive/dead, in order to -# enable/disable replication to specific servers. -# -# Packets can be replicated to multiple destinations. Just set -# Replicate-To-Realm multiple times. One packet will be sent for -# each of the Replicate-To-Realm attribute in the "control" list. -# -# If no packets are sent, the module returns "noop". If at least one -# packet is sent, the module returns "ok". If an error occurs, the -# module returns "fail" -# -# Note that replication does NOT change any of the packet statistics. -# If you use "radmin" to look at the statistics for a home server, -# the replicated packets will cause NO counters to increment. This -# is not a bug, this is how replication works. -# -replicate { - -} diff --git a/roles/radius/files/raddb/modules/smbpasswd b/roles/radius/files/raddb/modules/smbpasswd deleted file mode 100644 index fb8512f..0000000 --- a/roles/radius/files/raddb/modules/smbpasswd +++ /dev/null 
@@ -1,16 +0,0 @@ -# -*- text -*- -# -# $Id: 74e64047302d7d8f575672617e8a213aaf5a32d3 $ - -# An example configuration for using /etc/smbpasswd. -# -# See the "passwd" file for documentation on the configuration items -# for this module. -# -passwd smbpasswd { - filename = /etc/smbpasswd - format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" - hashsize = 100 - ignorenislike = no - allowmultiplekeys = no -} diff --git a/roles/radius/files/raddb/modules/smsotp b/roles/radius/files/raddb/modules/smsotp deleted file mode 100644 index 113fe7c..0000000 --- a/roles/radius/files/raddb/modules/smsotp +++ /dev/null @@ -1,50 +0,0 @@ -# -*- text -*- -# -# $Id: 0a339b4a1b9f1eafeb05992f2643497e802e2a49 $ - -# SMS One-time Password system. -# -# This module will extend FreeRadius with a socks interface to create and -# validate One-Time-Passwords. The program for that creates the socket -# and interacts with this module is not included here. -# -# The module does not check the User-Password, this should be done with -# the "pap" module. See the example below. -# -# The module must be used in the "authorize" section to set -# Auth-Type properly. The first time through, the module is called -# in the "authenticate" section to authenticate the user password, and -# to send the challenge. The second time through, it authenticates -# the response to the challenge. e.g.: -# -# authorize { -# ... -# smsotp -# ... -# } -# -# authenticate { -# ... -# Auth-Type smsotp { -# pap -# smsotp -# } -# -# Auth-Type smsotp-reply { -# smsotp -# } -# ... -# } -# -smsotp { - # The location of the socket. - socket = "/var/run/smsotp_socket" - - # Defines the challenge message that will be send to the - # NAS. Default is "Enter Mobile PIN" } - challenge_message = "Enter Mobile PIN:" - - # Defines the Auth-Type section that is run for the response to - # the challenge. Default is "smsotp-reply". - challenge_type = "smsotp-reply" -} 
diff --git a/roles/radius/files/raddb/modules/soh b/roles/radius/files/raddb/modules/soh
deleted file mode 100644
index d125ce4..0000000
--- a/roles/radius/files/raddb/modules/soh
+++ /dev/null
@@ -1,4 +0,0 @@
-# SoH module
-soh {
- dhcp = yes
-}
diff --git a/roles/radius/files/raddb/modules/sql_log b/roles/radius/files/raddb/modules/sql_log
deleted file mode 100644
index c91a7b6..0000000
--- a/roles/radius/files/raddb/modules/sql_log
+++ /dev/null
@@ -1,92 +0,0 @@ -# -*- text -*- -# -# $Id: 3e6bf2104f74ffad8866eb69459a94f623601130 $ - -# -# The rlm_sql_log module appends the SQL queries in a log -# file which is read later by the radsqlrelay program. -# -# This module only performs the dynamic expansion of the -# variables found in the SQL statements. No operation is -# executed on the database server. (this could be done -# later by an external program) That means the module is -# useful only with non-"SELECT" statements. -# -# See rlm_sql_log(5) manpage. -# -# This same functionality could also be implemented by logging -# to a "detail" file, reading that, and then writing to SQL. -# See raddb/sites-available/buffered-sql for an example. -# -sql_log { - path = "${radacctdir}/sql-relay" - acct_table = "radacct" - postauth_table = "radpostauth" - sql_user_name = "%{%{User-Name}:-DEFAULT}" - - # - # Setting this to "yes" will allow UTF-8 characters to be - # written to the log file. Otherwise, they are escaped - # as being potentially invalid. - # - utf8 = no - - # - # The names here are taken from the Acct-Status-Type names. - # Just add another entry here for Accounting-On, - # Accounting-Off, etc. 
- # - Start = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \ - NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ - AcctSessionTime, AcctTerminateCause) VALUES \ - ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ - '%{Framed-IP-Address}', '%S', '0', '0', '');" - - Stop = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \ - NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ - AcctSessionTime, AcctTerminateCause) VALUES \ - ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ - '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \ - '%{Acct-Terminate-Cause}');" - - Alive = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \ - NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ - AcctSessionTime, AcctTerminateCause) VALUES \ - ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ - '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');" - - # The same as "Alive" - Interim-Update = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \ - NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ - AcctSessionTime, AcctTerminateCause) VALUES \ - ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ - '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');" - - Post-Auth = "INSERT INTO ${postauth_table} \ - (username, pass, reply, authdate) VALUES \ - ('%{User-Name}', '%{User-Password:-Chap-Password}', \ - '%{reply:Packet-Type}', '%S');" - - Accounting-On = "UPDATE ${acct_table} \ - SET \ - acctstoptime = '%S', \ - acctsessiontime = unix_timestamp('%S') - \ - unix_timestamp(acctstarttime), \ - acctterminatecause = '%{Acct-Terminate-Cause}', \ - acctstopdelay = %{%{Acct-Delay-Time}:-0} \ - WHERE acctstoptime IS NULL \ - AND nasipaddress = '%{NAS-IP-Address}' \ - AND acctstarttime <= '%S'"" - - Accounting-Off = "UPDATE ${acct_table} \ - SET \ - acctstoptime = '%S', \ - acctsessiontime = unix_timestamp('%S') - \ - unix_timestamp(acctstarttime), \ - acctterminatecause 
= '%{Acct-Terminate-Cause}', \ - acctstopdelay = %{%{Acct-Delay-Time}:-0} \ - WHERE acctstoptime IS NULL \ - AND nasipaddress = '%{NAS-IP-Address}' \ - AND acctstarttime <= '%S'"" -} - diff --git a/roles/radius/files/raddb/modules/sqlcounter_expire_on_login b/roles/radius/files/raddb/modules/sqlcounter_expire_on_login deleted file mode 100644 index f73627e..0000000 --- a/roles/radius/files/raddb/modules/sqlcounter_expire_on_login +++ /dev/null @@ -1,37 +0,0 @@ -# -*- text -*- -# -# $Id: c950169307009b088b2c31274f496ffe38e8a793 $ - -# -# Set an account to expire T seconds after first login. -# Requires the Expire-After attribute to be set, in seconds. -# You may need to edit raddb/dictionary to add the Expire-After -# attribute. -# -# This example is for MySQL. Other SQL variants should be similar. -# -# For versions prior to 2.1.11, this module defined the following -# expansion strings: -# -# %k key_name -# %S sqlmod_inst -# -# These SHOULD NOT be used. If these are used in your configuration, -# they should be replaced by the following strings, which will work -# identically to the previous ones: -# -# %k ${key} -# %S ${sqlmod-inst} -# -sqlcounter expire_on_login { - counter-name = Expire-After-Initial-Login - check-name = Expire-After - sqlmod-inst = sql - key = User-Name - reset = never - query = "SELECT TIME_TO_SEC(TIMEDIFF(NOW(), acctstarttime)) \ - FROM radacct \ - WHERE UserName='%{${key}}' \ - ORDER BY acctstarttime \ - LIMIT 1;" -} diff --git a/roles/radius/files/raddb/modules/sradutmp b/roles/radius/files/raddb/modules/sradutmp deleted file mode 100644 index 16fe020..0000000 --- a/roles/radius/files/raddb/modules/sradutmp +++ /dev/null 
@@ -1,16 +0,0 @@ -# -*- text -*- -# -# $Id: a7700bac6aaa93940c784f1b6df08b61eb77a1a3 $ - -# "Safe" radutmp - does not contain caller ID, so it can be -# world-readable, and radwho can work for normal users, without -# exposing any information that isn't already exposed by who(1). -# -# This is another 'instance' of the radutmp module, but it is given -# then name "sradutmp" to identify it later in the "accounting" -# section. -radutmp sradutmp { - filename = ${logdir}/sradutmp - perm = 0644 - callerid = "no" -} diff --git a/roles/radius/files/raddb/modules/unix b/roles/radius/files/raddb/modules/unix deleted file mode 100644 index a5798d5..0000000 --- a/roles/radius/files/raddb/modules/unix +++ /dev/null @@ -1,25 +0,0 @@ -# -*- text -*- -# -# $Id: 5165139aaf39d533581161871542b48a6e3e8c42 $ - -# Unix /etc/passwd style authentication -# -# This module calls the system functions to get the "known good" -# password. This password is usually in the "crypt" form, and is -# incompatible with CHAP, MS-CHAP, PEAP, etc. -# -# If passwords are in /etc/shadow, you will need to set the "group" -# configuration in radiusd.conf. Look for "shadow", and follow the -# instructions there. -# -unix { - # - # The location of the "wtmp" file. - # The only use for 'radlast'. If you don't use - # 'radlast', then you can comment out this item. - # - # Note that the radwtmp file may get large! You should - # rotate it (cp /dev/null radwtmp), or just not use it. - # - radwtmp = ${logdir}/radwtmp -} diff --git a/roles/radius/files/raddb/modules/wimax b/roles/radius/files/raddb/modules/wimax deleted file mode 100644 index 7ab5c4f..0000000 --- a/roles/radius/files/raddb/modules/wimax +++ /dev/null 
@@ -1,112 +0,0 @@ -# -# The WiMAX module currently takes no configuration. -# -# It should be listed in the "authorize" and "preacct" sections. -# This enables the module to fix the horrible binary version -# of Calling-Station-Id to the normal format, as specified in -# RFC 3580, Section 3.21. -# -# In order to calculate the various WiMAX keys, the module should -# be listed in the "post-auth" section. If EAP authentication -# has been used, AND the EAP method derives MSK and EMSK, then -# the various WiMAX keys can be calculated. -# -# Some useful things to remember: -# -# WiMAX-MSK = EAP MSK, but is 64 octets. -# -# MIP-RK-1 = HMAC-SHA256(ESMK, "miprk@wimaxforum.org" | 0x00020001) -# MIP-RK-2 = HMAC-SHA256(ESMK, MIP-RK-1 | "miprk@wimaxforum.org" | 0x00020002) -# MIP-RK = MIP-RK-1 | MIP-RK-2 -# -# MIP-SPI = first 4 octets of HMAC-SHA256(MIP-RK, "SPI CMIP PMIP") -# plus some magic... you've got to track *all* MIP-SPI's -# on your system! -# -# SPI-CMIP4 = MIP-SPI -# SPI-PMIP4 = MIP-SPI + 1 -# SPI-CMIP6 = MIP-SPI + 2 -# -# MN-NAI is the Mobile node NAI. You have to create it, and put -# it into the request or reply as something like: -# -# WiMAX-MN-NAI = "%{User-Name}" -# -# You will also have to have the appropriate IP address (v4 or v6) -# in order to calculate the keys below. -# -# Lifetimes are derived from Session-Timeout. It needs to be set -# to some useful number. -# -# The hash function below H() is HMAC-SHA1. 
-# -# -# MN-HA-CMIP4 = H(MIP-RK, "CMIP4 MN HA" | HA-IPv4 | MN-NAI) -# -# Where HA-IPv4 is WiMAX-hHA-IP-MIP4 -# or maybe WiMAX-vHA-IP-MIP4 -# -# Which goes into WiMAX-MN-hHA-MIP4-Key -# or maybe WiMAX-RRQ-MN-HA-Key -# or maybe even WiMAX-vHA-MIP4-Key -# -# The corresponding SPI is SPI-CMIP4, which is MIP-SPI, -# -# which goes into WiMAX-MN-hHA-MIP4-SPI -# or maybe WiMAX-RRQ-MN-HA-SPI -# or even WiMAX-MN-vHA-MIP4-SPI -# -# MN-HA-PMIP4 = H(MIP-RK, "PMIP4 MN HA" | HA-IPv4 | MN-NAI) -# MN-HA-CMIP6 = H(MIP-RK, "CMIP6 MN HA" | HA-IPv6 | MN-NAI) -# -# both with similar comments to above for MN-HA-CMIP4. -# -# In order to tell which one to use (CMIP4, PMIP4, or CMIP6), -# you have to set WiMAX-IP-Technology in the reply to one of -# the appropriate values. -# -# -# FA-RK = H(MIP-RK, "FA-RK") -# -# MN-FA = H(FA-RK, "MN FA" | FA-IP | MN-NAI) -# -# Where does the FA-IP come from? No idea... -# -# -# The next two keys (HA-RK and FA-HA) are not generated -# for every authentication request, but only on demand. -# -# HA-RK = 160-bit random number assigned by the AAA server -# to a specific HA. -# -# FA-HA = H(HA-RK, "FA-HA" | HA-IPv4 | FA-CoAv4 | SPI) -# -# where HA-IPv4 is as above. -# and FA-CoAv4 address of the FA as seen by the HA -# and SPI is the relevant SPI for the HA-RK. -# -# DHCP-RK = 160-bit random number assigned by the AAA server -# to a specific DHCP server. vDHCP-RK is the same -# thing. -# -wimax { - # - # Some WiMAX equipement requires that the MS-MPPE-*-Key - # attributes are sent in the Access-Accept, in addition to - # the WiMAX-MSK attribute. - # - # Other WiMAX equipment request that the MS-MPPE-*-Key - # attributes are NOT sent in the Access-Accept. - # - # By default, the EAP modules sends MS-MPPE-*-Key attributes. - # The default virtual server (raddb/sites-available/default) - # contains examples of adding the WiMAX-MSK. - # - # This configuration option makes the WiMAX module delete - # the MS-MPPE-*-Key attributes. 
The default is to leave
- # them in place.
- #
- # If the keys are deleted (by setting this to "yes"), then
- # the WiMAX-MSK attribute is automatically added to the reply.
- delete_mppe_keys = no
-}
diff --git a/roles/radius/files/raddb/policy.conf b/roles/radius/files/raddb/policy.conf
deleted file mode 100644
index 878a145..0000000
--- a/roles/radius/files/raddb/policy.conf
+++ /dev/null
@@ -1,284 +0,0 @@ -# -*- text -*- -## -## policy.conf -- FreeRADIUS server configuration file. -## -## http://www.freeradius.org/ -## $Id: e8a85759279dae0e6e7bd340f53c0adcbc128bf9 $ -## - -# -# Policies are virtual modules, similar to those defined in the -# "instantate" section of radiusd.conf. -# -# Defining a policy here means that it can be referenced in multiple -# places as a *name*, rather than as a series of conditions to match, -# and actions to take. -# -# Policies are something like subroutines in a normal language, but -# they cannot be called recursively. They MUST be defined in order. -# If policy A calls policy B, then B MUST be defined before A. -# -policy { - # - # Forbid all EAP types. - # - forbid_eap { - if (EAP-Message) { - reject - } - } - - # - # Forbid all non-EAP types outside of an EAP tunnel. - # - permit_only_eap { - if (!EAP-Message) { - # We MAY be inside of a TTLS tunnel. - # PEAP and EAP-FAST require EAP inside of - # the tunnel, so this check is OK. - # If so, then there MUST be an outer EAP message. - if (!"%{outer.request:EAP-Message}") { - reject - } - } - } - - # - # Forbid all attempts to login via realms. - # - deny_realms { - if (User-Name =~ /@|\\/) { - reject - } - } - - # - # If you want the server to pretend that it is dead, - # then use the "do_not_respond" policy. - # - do_not_respond { - update control { - Response-Packet-Type := Do-Not-Respond - } - - handled - } - - # - # Force some sanity on User-Name. This helps to avoid issues - # issues where the back-end database is "forgiving" about - # what constitutes a user name. - # - filter_username { - - # - # reject mixed case - # e.g. "UseRNaMe" - # - #if (User-Name != "%{tolower:%{User-Name}}") { - # reject - #} - - # - # reject all whitespace - # e.g. "user@ site.com", or "us er", or " user", or "user " - # - if (User-Name =~ / /) { - update reply { - Reply-Message += "Rejected: Username contains whitespace" - } - reject - } - - # - # reject Multiple @'s - # e.g. 
"user@site.com@site.com" - # - if(User-Name =~ /@.*@/ ) { - update reply { - Reply-Message += "Rejected: Multiple @ in username" - } - reject - } - - # - # reject double dots - # e.g. "user@site..com" - # - if (User-Name =~ /\\.\\./ ) { - update reply { - Reply-Message += "Rejected: Username comtains ..s" - } - reject - } - - # - # must have at least 1 string-dot-string after @ - # e.g. "user@site.com" - # - if (User-Name !~ /@(.+)\\.(.+)$/) { - update reply { - Reply-Message += "Rejected: Realm does not have at least one dot seperator" - } - reject - } - - # - # Realm ends with a dot - # e.g. "user@site.com." - # - if (User-Name =~ /\\.$/) { - update reply { - Reply-Message += "Rejected: Realm ends with a dot" - } - reject - } - - # - # Realm begins with a dot - # e.g. "user@.site.com" - # - if (User-Name =~ /@\\./) { - update reply { - Reply-Message += "Rejected: Realm begins with a dot" - } - reject - } - } - - # - # The following policies are for the Chargeable-User-Identity - # (CUI) configuration. - # - - # - # The client indicates it can do CUI by sending a CUI attribute - # containing one zero byte - # - cui_authorize { - update request { - Chargeable-User-Identity:='\\000' - } - } - - # - # Add a CUI attribute based on the User-Name, and a secret key - # known only to this server. - # - cui_postauth { - if (FreeRadius-Proxied-To == 127.0.0.1) { - if (outer.request:Chargeable-User-Identity) { - update outer.reply { - Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}" - } - } - } - else { - if (Chargeable-User-Identity) { - update reply { - Chargeable-User-Identity="%{md5:%{config:cui_hash_key}%{User-Name}}" - } - } - } - } - - # - # If there is a CUI attribute in the reply, add it to the DB. - # - cui_updatedb { - if (reply:Chargeable-User-Identity) { - cui - } - } - - # - # If we had stored a CUI for the User, add it to the request. - # - cui_accounting { - # - # If the CUI isn't in the packet, see if we can find it - # in the DB. 
- # - if (!Chargeable-User-Identity) { - update request { - Chargeable-User-Identity := "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}" - } - } - - # - # If it exists now, then write out when we last saw - # this CUI. - # - if (Chargeable-User-Identity && (Chargeable-User-Identity != "")) { - cui - } - } - - # - # Normalize the MAC Addresses in the Calling/Called-Station-Id - # - mac-addr = ([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2}) - - # Add "rewrite.called_station_id" in the "authorize" and "preacct" - # sections. - rewrite.called_station_id { - if((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) { - update request { - Called-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" - } - - # SSID component? - if ("%{8}") { - update request { - Called-Station-Id := "%{Called-Station-Id}:%{8}" - } - } - updated - } - else { - noop - } - } - - # Add "rewrite.calling_station_id" in the "authorize" and "preacct" - # sections. - rewrite.calling_station_id { - if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) { - update request { - Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" - } - updated - } - else { - noop - } - } - - # Assign compatibility data to request for sqlippool - dhcp_sqlippool.post-auth { - - - # Do some minor hacks to the request so that it looks - # like a RADIUS request to the SQL IP Pool module. - update request { - User-Name = "DHCP-%{DHCP-Client-Hardware-Address}" - Calling-Station-Id = "%{DHCP-Client-Hardware-Address}" - NAS-IP-Address = "%{%{DHCP-Gateway-IP-Address}:-127.0.0.1}" - Acct-Status-Type = Start - } - - # Call the actual module - # - # Uncomment this in order to really call it! 
-# dhcp_sqlippool
- fail
-
- # Convert Framed-IP-Address to DHCP, but only if we
- # actually allocated an address.
- if (ok) {
- update reply {
- DHCP-Your-IP-Address = "%{reply:Framed-IP-Address}"
- }
- }
- }
-}
diff --git a/roles/radius/files/raddb/preproxy_users b/roles/radius/files/raddb/preproxy_users
deleted file mode 100644
index 6b198c9..0000000
--- a/roles/radius/files/raddb/preproxy_users
+++ /dev/null
@@ -1,31 +0,0 @@
-#
-# Configuration file for the rlm_files module.
-# Please see rlm_files(5) manpage for more information.
-#
-# $Id: 0f5d15ad8b2e96a4d65808ac949793aab5c1c639 $
-#
-# This file is similar to the "users" file. The check items
-# are compared against the request, but the "reply" items are
-# used to update the proxied packet, not the reply to the NAS.
-#
-# You can use this file to re-write requests which are about to
-# be sent to a home server.
-#
-
-#
-# Requests destinated to realm "extisp" are sent to a RADIUS
-# home server hosted by an other company which doesn't know about
-# the IP addresses of our NASes. Therefore we replace the value of
-# the NAS-IP-Address attribute by a unique value we communicated
-# to them.
-#
-#DEFAULT Realm == "extisp"
-# NAS-IP-Address := 10.1.2.3
-
-#
-# For all proxied packets, set the User-Name in the proxied packet
-# to the Stripped-User-Name, if it exists. If not, set it to the
-# User-Name from the original request.
-#
-#DEFAULT
-# User-Name := `%{Stripped-User-Name:-%{User-Name}}`
diff --git a/roles/radius/files/raddb/proxy.conf b/roles/radius/files/raddb/proxy.conf
deleted file mode 100644
index f50f1ee..0000000
--- a/roles/radius/files/raddb/proxy.conf
+++ /dev/null
@@ -1,759 +0,0 @@
-# -*- text -*-
-##
-## proxy.conf -- proxy radius and realm configuration directives
-##
-## $Id: 413fc1438f266669a8e8913307f465da190c1ce8 $
-
-#######################################################################
-#
-# Proxy server configuration
-#
-# This entry controls the servers behaviour towards ALL other servers
-# to which it sends proxy requests.
-#
-proxy server {
- #
- # Note that as of 2.0, the "synchronous", "retry_delay",
- # "retry_count", and "dead_time" have all been deprecated.
- # For backwards compatibility, they are are still accepted
- # by the server, but they ONLY apply to the old-style realm
- # configuration. i.e. realms with "authhost" and/or "accthost"
- # entries.
- #
- # i.e. "retry_delay" and "retry_count" have been replaced
- # with per-home-server configuration. See the "home_server"
- # example below for details.
- #
- # i.e. "dead_time" has been replaced with a per-home-server
- # "revive_interval". We strongly recommend that this not
- # be used, however. The new method is much better.
-
- #
- # In 2.0, the server is always "synchronous", and setting
- # "synchronous = no" is impossible. This simplifies the
- # server and increases the stability of the network.
- # However, it means that the server (i.e. proxy) NEVER
- # originates packets. It proxies packets ONLY when it receives
- # a packet or a re-transmission from the NAS. If the NAS never
- # re-transmits, the proxy never re-transmits, either. This can
- # affect fail-over, where a packet does *not* fail over to a
- # second home server.. because the NAS never retransmits the
- # packet.
- #
- # If you need to set "synchronous = no", please send a
- # message to the list
- # explaining why this feature is vital for your network.
-
- #
- # If a realm exists, but there are no live home servers for
- # it, we can fall back to using the "DEFAULT" realm.
This is - # most useful for accounting, where the server can proxy - # accounting requests to home servers, but if they're down, - # use a DEFAULT realm that is LOCAL (i.e. accthost = LOCAL), - # and then store the packets in the "detail" file. That data - # can be later proxied to the home servers by radrelay, when - # those home servers come back up again. - - # Setting this to "yes" may have issues for authentication. - # i.e. If you are proxying for two different ISP's, and then - # act as a general dial-up for Gric. If one of the first two - # ISP's has their RADIUS server go down, you do NOT want to - # proxy those requests to GRIC. Instead, you probably want - # to just drop the requests on the floor. In that case, set - # this value to 'no'. - # - # allowed values: {yes, no} - # - default_fallback = no - -} - -####################################################################### -# -# Configuration for the proxy realms. -# -# As of 2.0. the old-style "realms" file is deprecated, and is not -# used by FreeRADIUS. -# -# As of 2.0, the "realm" configuration has changed. Instead of -# specifying "authhost" and "accthost" in a realm section, the home -# servers are specified seperately in a "home_server" section. For -# backwards compatibility, you can still use the "authhost" and -# "accthost" directives. If you only have one home server for a -# realm, it is easier to use the old-style configuration. -# -# However, if you have multiple servers for a realm, we STRONGLY -# suggest moving to the new-style configuration. -# -# -# Load-balancing and failover between home servers is handled via -# a "home_server_pool" section. -# -# Finally, The "realm" section defines the realm, some options, and -# indicates which server pool should be used for the realm. -# -# This change means that simple configurations now require multiple -# sections to define a realm. 
However, complex configurations -# are much simpler than before, as multiple realms can share the same -# server pool. -# -# That is, realms point to server pools, and server pools point to -# home servers. Multiple realms can point to one server pool. One -# server pool can point to multiple home servers. Each home server -# can appear in one or more pools. -# - -###################################################################### -# -# This section defines a "Home Server" which is another RADIUS -# server that gets sent proxied requests. In earlier versions -# of FreeRADIUS, home servers were defined in "realm" sections, -# which was awkward. In 2.0, they have been made independent -# from realms, which is better for a number of reasons. -# -home_server localhost { - # - # Home servers can be sent Access-Request packets - # or Accounting-Request packets. - # - # Allowed values are: - # auth - Handles Access-Request packets - # acct - Handles Accounting-Request packets - # auth+acct - Handles Access-Request packets at "port", - # and Accounting-Request packets at "port + 1" - # coa - Handles CoA-Request and Disconnect-Request packets. - # See also raddb/sites-available/originate-coa - type = auth - - # - # Configure ONE OF the following entries: - # - # IPv4 address - # - ipaddr = 127.0.0.1 - - # OR IPv6 address - # ipv6addr = ::1 - - # OR virtual server - # virtual_server = foo - - # Note that while both ipaddr and ipv6addr will accept - # both addresses and host names, we do NOT recommend - # using host names. When you specify a host name, the - # server has to do a DNS lookup to find the IP address - # of the home server. If the DNS server is slow or - # unresponsive, it means that FreeRADIUS will NOT be - # able to determine the address, and will therefore NOT - # start. - # - # Also, the mapping of host name to address is done ONCE - # when the server starts. 
If DNS is later updated to - # change the address, FreeRADIUS will NOT discover that - # until after a re-start, or a HUP. - # - # If you specify a virtual_server here, then requests - # will be proxied internally to that virtual server. - # These requests CANNOT be proxied again, however. The - # intent is to have the local server handle packets - # when all home servers are dead. - # - # Requests proxied to a virtual server will be passed - # through the pre-proxy and post-proxy sections, just - # like any other request. See also the sample "realm" - # configuration, below. - # - # None of the rest of the home_server configuration is used - # for the "virtual_server" configuration. - - # - # The port to which packets are sent. - # - # Usually 1812 for type "auth", and 1813 for type "acct". - # Older servers may use 1645 and 1646. - # Use 3799 for type "coa" - # - port = 1812 - - # - # The shared secret use to "encrypt" and "sign" packets between - # FreeRADIUS and the home server. - # - # The secret can be any string, up to 8k characters in length. - # - # Control codes can be entered vi octal encoding, - # e.g. "\101\102" == "AB" - # Quotation marks can be entered by escaping them, - # e.g. "foo\"bar" - # Spaces or other "special" characters can be entered - # by putting quotes around the string. - # e.g. "foo bar" - # "foo;bar" - # - secret = testing123 - - ############################################################ - # - # The rest of the configuration items listed here are optional, - # and do not have to appear in every home server definition. - # - ############################################################ - - # - # You can optionally specify the source IP address used when - # proxying requests to this home server. When the src_ipaddr - # it set, the server will automatically create a proxy - # listener for that IP address. - # - # If you specify this field for one home server, you will - # likely need to specify it for ALL home servers. 
- # - # If you don't care about the source IP address, leave this - # entry commented. - # -# src_ipaddr = 127.0.0.1 - - # RFC 5080 suggests that all clients SHOULD include it in an - # Access-Request. The configuration item below tells the - # proxying server (i.e. this one) whether or not the home - # server requires a Message-Authenticator attribute. If it - # is required (value set to "yes"), then all Access-Request - # packets sent to that home server will have a - # Message-Authenticator attribute. - # - # We STRONGLY recommend that this flag be set to "yes" - # for ALL home servers. Doing so will have no performance - # impact on the proxy or on the home servers. It will, - # however, allow administrators to detect problems earlier. - # - # allowed values: yes, no - require_message_authenticator = yes - - # - # If the home server does not respond to a request within - # this time, this server will initiate "zombie_period". - # - # The response window is large because responses MAY be slow, - # especially when proxying across the Internet. - # - # Useful range of values: 5 to 60 - response_window = 20 - - # - # If you want the old behavior of the server rejecting - # proxied requests after "response_window" timeout, set - # the following configuration item to "yes". - # - # This configuration WILL be removed in a future release - # If you believe you need it, email the freeradius-users - # list, and explain why it should stay in the server. - # -# no_response_fail = no - - # - # If the home server does not respond to ANY packets during - # the "zombie period", it will be considered to be dead. - # - # A home server that is marked "zombie" will be used for - # proxying as a low priority. If there are live servers, - # they will always be preferred to a zombie. Requests will - # be proxied to a zombie server ONLY when there are no - # live servers. 
- # - # Any request that is proxied to a home server will continue - # to be sent to that home server until the home server is - # marked dead. At that point, it will fail over to another - # server, if a live server is available. If none is available, - # then the "post-proxy-type fail" handler will be called. - # - # If "status_check" below is something other than "none", then - # the server will start sending status checks at the start of - # the zombie period. It will continue sending status checks - # until the home server is marked "alive". - # - # Useful range of values: 20 to 120 - zombie_period = 40 - - ############################################################ - # - # As of 2.0, FreeRADIUS supports RADIUS layer "status - # checks". These are used by a proxy server to see if a home - # server is alive. - # - # These status packets are sent ONLY if the proxying server - # believes that the home server is dead. They are NOT sent - # if the proxying server believes that the home server is - # alive. They are NOT sent if the proxying server is not - # proxying packets. - # - # If the home server responds to the status check packet, - # then it is marked alive again, and is returned to use. - # - ############################################################ - - # - # Some home servers do not support status checks via the - # Status-Server packet. Others may not have a "test" user - # configured that can be used to query the server, to see if - # it is alive. For those servers, we have NO WAY of knowing - # when it becomes alive again. Therefore, after the server - # has been marked dead, we wait a period of time, and mark - # it alive again, in the hope that it has come back to - # life. - # - # If it has NOT come back to life, then FreeRADIUS will wait - # for "zombie_period" before marking it dead again. During - # the "zombie_period", ALL AUTHENTICATIONS WILL FAIL, because - # the home server is still dead. 
There is NOTHING that can - # be done about this, other than to enable the status checks, - # as documented below. - # - # e.g. if "zombie_period" is 40 seconds, and "revive_interval" - # is 300 seconds, the for 40 seconds out of every 340, or about - # 10% of the time, all authentications will fail. - # - # If the "zombie_period" and "revive_interval" configurations - # are set smaller, than it is possible for up to 50% of - # authentications to fail. - # - # As a result, we recommend enabling status checks, and - # we do NOT recommend using "revive_interval". - # - # The "revive_interval" is used ONLY if the "status_check" - # entry below is "none". Otherwise, it will not be used, - # and should be deleted. - # - # Useful range of values: 60 to 3600 - revive_interval = 120 - - # - # The proxying server (i.e. this one) can do periodic status - # checks to see if a dead home server has come back alive. - # - # If set to "none", then the other configuration items listed - # below are not used, and the "revive_interval" time is used - # instead. - # - # If set to "status-server", the Status-Server packets are - # sent. Many RADIUS servers support Status-Server. If a - # server does not support it, please contact the server - # vendor and request that they add it. - # - # If set to "request", then Access-Request, or Accounting-Request - # packets are sent, depending on the "type" entry above (auth/acct). - # - # Allowed values: none, status-server, request - status_check = status-server - - # - # If the home server does not support Status-Server packets, - # then the server can still send Access-Request or - # Accounting-Request packets, with a pre-defined user name. - # - # This practice is NOT recommended, as it may potentially let - # users gain network access by using these "test" accounts! - # - # If it is used, we recommend that the home server ALWAYS - # respond to these Access-Request status checks with - # Access-Reject. 
The status check just needs an answer, it - # does not need an Access-Accept. - # - # For Accounting-Request status checks, only the username - # needs to be set. The rest of the accounting attribute are - # set to default values. The home server that receives these - # accounting packets SHOULD NOT treat them like normal user - # accounting packets. i.e It should probably NOT log them to - # a database. - # - # username = "test_user_please_reject_me" - # password = "this is really secret" - - # - # Configure the interval between sending status check packets. - # - # Setting it too low increases the probability of spurious - # fail-over and fallback attempts. - # - # Useful range of values: 6 to 120 - check_interval = 30 - - # - # Configure the number of status checks in a row that the - # home server needs to respond to before it is marked alive. - # - # If you want to mark a home server as alive after a short - # time period of being responsive, it is best to use a small - # "check_interval", and a large value for - # "num_answers_to_alive". Using a long "check_interval" and - # a small number for "num_answers_to_alive" increases the - # probability of spurious fail-over and fallback attempts. - # - # Useful range of values: 3 to 10 - num_answers_to_alive = 3 - - # - # Limit the total number of outstanding packets to the home - # server. - # - # if ((#request sent) - (#requests received)) > max_outstanding - # then stop sending more packets to the home server - # - # This lets us gracefully fall over when the home server - # is overloaded. - max_outstanding = 65536 - - # - # The configuration items in the next sub-section are used ONLY - # when "type = coa". It is ignored for all other type of home - # servers. - # - # See RFC 5080 for the definitions of the following terms. 
- # RAND is a function (internal to FreeRADIUS) returning - # random numbers between -0.1 and +0.1 - # - # First Re-transmit occurs after: - # - # RT = IRT + RAND*IRT - # - # Subsequent Re-transmits occur after: - # - # RT = 2 * RTprev + RAND * RTprev - # - # Re-trasnmits are capped at: - # - # if (MRT && (RT > MRT)) RT = MRT + RAND * MRT - # - # For a maximum number of attempts: MRC - # - # For a maximum (total) period of time: MRD. - # - coa { - # Initial retransmit interval: 1..5 - irt = 2 - - # Maximum Retransmit Timeout: 1..30 (0 == no maximum) - mrt = 16 - - # Maximum Retransmit Count: 1..20 (0 == retransmit forever) - mrc = 5 - - # Maximum Retransmit Duration: 5..60 - mrd = 30 - } -} - -# Sample virtual home server. -# -# -#home_server virtual.example.com { -# virtual_server = virtual.example.com -#} - -###################################################################### -# -# This section defines a pool of home servers that is used -# for fail-over and load-balancing. In earlier versions of -# FreeRADIUS, fail-over and load-balancing were defined per-realm. -# As a result, if a server had 5 home servers, each of which served -# the same 10 realms, you would need 50 "realm" entries. -# -# In version 2.0, you would need 5 "home_server" sections, -# 10 'realm" sections, and one "home_server_pool" section to tie the -# two together. -# -home_server_pool my_auth_failover { - # - # The type of this pool controls how home servers are chosen. - # - # fail-over - the request is sent to the first live - # home server in the list. i.e. If the first home server - # is marked "dead", the second one is chosen, etc. - # - # load-balance - the least busy home server is chosen, - # where "least busy" is counted by taking the number of - # requests sent to that home server, and subtracting the - # number of responses received from that home server. - # - # If there are two or more servers with the same low - # load, then one of those servers is chosen at random. 
- # This configuration is most similar to the old - # "round-robin" method, though it is not exactly the same. - # - # Note that load balancing does not work well with EAP, - # as EAP requires packets for an EAP conversation to be - # sent to the same home server. The load balancing method - # does not keep state in between packets, meaning that - # EAP packets for the same conversation may be sent to - # different home servers. This will prevent EAP from - # working. - # - # For non-EAP authentication methods, and for accounting - # packets, we recommend using "load-balance". It will - # ensure the highest availability for your network. - # - # client-balance - the home server is chosen by hashing the - # source IP address of the packet. If that home server - # is down, the next one in the list is used, just as - # with "fail-over". - # - # There is no way of predicting which source IP will map - # to which home server. - # - # This configuration is most useful to do simple load - # balancing for EAP sessions, as the EAP session will - # always be sent to the same home server. - # - # client-port-balance - the home server is chosen by hashing - # the source IP address and source port of the packet. - # If that home server is down, the next one in the list - # is used, just as with "fail-over". - # - # This method provides slightly better load balancing - # for EAP sessions than "client-balance". However, it - # also means that authentication and accounting packets - # for the same session MAY go to different home servers. - # - # keyed-balance - the home server is chosen by hashing (FNV) - # the contents of the Load-Balance-Key attribute from the - # control items. The request is then sent to home server - # chosen by taking: - # - # server = (hash % num_servers_in_pool). - # - # If there is no Load-Balance-Key in the control items, - # the load balancing method is identical to "load-balance". 
- # - # For most non-EAP authentication methods, The User-Name - # attribute provides a good key. An "unlang" policy can - # be used to copy the User-Name to the Load-Balance-Key - # attribute. This method may not work for EAP sessions, - # as the User-Name outside of the TLS tunnel is often - # static, e.g. "anonymous@realm". - # - # - # The default type is fail-over. - type = fail-over - - # - # A virtual_server may be specified here. If so, the - # "pre-proxy" and "post-proxy" sections are called when - # the request is proxied, and when a response is received. - # - # This lets you have one policy for all requests that are proxied - # to a home server. This policy is completely independent of - # any policies used to receive, or process the request. - # - #virtual_server = pre_post_proxy_for_pool - - # - # Next, a list of one or more home servers. The names - # of the home servers are NOT the hostnames, but the names - # of the sections. (e.g. home_server foo {...} has name "foo". - # - # Note that ALL home servers listed here have to be of the same - # type. i.e. they all have to be "auth", or they all have to - # be "acct", or the all have to be "auth+acct". - # - home_server = localhost - - # Additional home servers can be listed. - # There is NO LIMIT to the number of home servers that can - # be listed, though using more than 10 or so will become - # difficult to manage. - # - # home_server = foo.example.com - # home_server = bar.example.com - # home_server = baz.example.com - # home_server = ... - - - # - # If ALL home servers are dead, then this "fallback" home server - # is used. If set, it takes precedence over any realm-based - # fallback, such as the DEFAULT realm. - # - # For reasons of stability, this home server SHOULD be a virtual - # server. Otherwise, the fallback may itself be dead! 
- # - #fallback = virtual.example.com -} - -###################################################################### -# -# -# This section defines a new-style "realm". Note the in version 2.0, -# there are many fewer configuration items than in 1.x for a realm. -# -# Automatic proxying is done via the "realms" module (see "man -# rlm_realm"). To manually proxy the request put this entry in the -# "users" file: - -# -# -#DEFAULT Proxy-To-Realm := "realm_name" -# -# -realm example.com { - # - # Realms point to pools of home servers. -# - # For authentication, the "auth_pool" configuration item - # should point to a "home_server_pool" that was previously - # defined. All of the home servers in the "auth_pool" must - # be of type "auth". - # - # For accounting, the "acct_pool" configuration item - # should point to a "home_server_pool" that was previously - # defined. All of the home servers in the "acct_pool" must - # be of type "acct". - # - # If you have a "home_server_pool" where all of the home servers - # are of type "auth+acct", you can just use the "pool" - # configuration item, instead of specifying both "auth_pool" - # and "acct_pool". - - auth_pool = my_auth_failover -# acct_pool = acct - - # - # Normally, when an incoming User-Name is matched against the - # realm, the realm name is "stripped" off, and the "stripped" - # user name is used to perform matches. - # - # e.g. User-Name = "bob@example.com" will result in two new - # attributes being created by the "realms" module: - # - # Stripped-User-Name = "bob" - # Realm = "example.com" - # - # The Stripped-User-Name is then used as a key in the "users" - # file, for example. - # - # If you do not want this to happen, uncomment "nostrip" below. - # - # nostrip - - # There are no more configuration entries for a realm. -} - - -# -# This is a sample entry for iPass. -# Note that you have to define "ipass_auth_pool" and -# "ipass_acct_pool", along with home_servers for them, too. 
-# -#realm IPASS { -# nostrip -# -# auth_pool = ipass_auth_pool -# acct_pool = ipass_acct_pool -#} - -# -# This realm is used mainly to cancel proxying. You can have -# the "realm suffix" module configured to proxy all requests for -# a realm, and then later cancel the proxying, based on other -# configuration. -# -# For example, you want to terminate PEAP or EAP-TTLS locally, -# you can add the following to the "users" file: -# -# DEFAULT EAP-Type == PEAP, Proxy-To-Realm := LOCAL -# -realm LOCAL { - # If we do not specify a server pool, the realm is LOCAL, and - # requests are not proxied to it. -} - -# -# This realm is for requests which don't have an explicit realm -# prefix or suffix. User names like "bob" will match this one. -# -#realm NULL { -# authhost = radius.company.com:1600 -# accthost = radius.company.com:1601 -# secret = testing123 -#} - -# -# This realm is for ALL OTHER requests. -# -#realm DEFAULT { -# authhost = radius.company.com:1600 -# accthost = radius.company.com:1601 -# secret = testing123 -#} - - -# This realm "proxies" requests internally to a virtual server. -# The pre-proxy and post-proxy sections are run just as with any -# other kind of home server. The virtual server then receives -# the request, and replies, just as with any other packet. -# -# Once proxied internally like this, the request CANNOT be proxied -# internally or externally. -# -#realm virtual.example.com { -# virtual_server = virtual.example.com -#} -# - -# -# Regular expressions may also be used as realm names. If these are used, -# then the "find matching realm" process is as follows: -# -# 1) Look for a non-regex realm with an *exact* match for the name. -# If found, it is used in preference to any regex matching realm. -# -# 2) Look for a regex realm, in the order that they are listed -# in the configuration files. Any regex match is performed in -# a case-insensitive fashion. -# -# 3) If no realm is found, return the DEFAULT realm, if any. 
-# -# The order of the realms matters in step (2). For example, defining -# two realms ".*\.example.net$" and ".*\.test\.example\.net$" will result in -# the second realm NEVER matching. This is because all of the realms -# which match the second regex also match the first one. Since the -# first regex matches, it is returned. -# -# The solution is to list the realms in the opposite order,. e.g. -# ".*\.test\.example.net$", followed by ".*\.example\.net$". -# -# -# Some helpful rules: -# -# - always place a '~' character at the start of the realm name. -# This signifies that it is a regex match, and not an exact match -# for the realm. -# -# - place the regex in double quotes. This helps the configuration -# file parser ignore any "special" characters in the regex. -# Yes, this rule is different than the normal "unlang" rules for -# regular expressions. That may be fixed in a future release. -# -# - use two back-slashes '\\' whenever you need one backslash in the -# regex. e.g. "~.*\\.example\\.net$", and not "~\.example\.net$". -# This is because the regex is in a double-quoted string, and normal -# rules apply for double-quoted strings. -# -# - If you are matching domain names, use two backslashes in front of -# every '.' (dot or period). This is because '.' has special meaning -# in a regular expression: match any character. If you do not do this, -# then "~.*.example.net$" will match "fooXexampleYnet", which is likely -# not what you want -# -# - If you are matching domain names, put a '$' at the end of the regex -# that matches the domain name. This tells the regex matching code -# that the realm ENDS with the domain name, so it does not match -# realms with the domain name in the middle. e.g. "~.*\\.example\\.net" -# will match "test.example.netFOO", which is likely not what you want. -# Using "~(.*\\.)example\\.net$" is better. -# -# The more regex realms that are defined, the more time it takes to -# process them. 
You should define as few regex realms as possible
-# in order to maximize server performance.
-#
-#realm "~(.*\\.)*example\\.net$" {
-# auth_pool = my_auth_failover
-#}
diff --git a/roles/radius/files/raddb/radiusd.conf b/roles/radius/files/raddb/radiusd.conf
deleted file mode 100644
index 7c604c5..0000000
--- a/roles/radius/files/raddb/radiusd.conf
+++ /dev/null
@@ -1,865 +0,0 @@
-# -*- text -*-
-##
-## radiusd.conf -- FreeRADIUS server configuration file.
-##
-## http://www.freeradius.org/
-## $Id: 201b70b31b5bb4c2ef98c102690daa3462d5e1e3 $
-##
-
-######################################################################
-#
-# Read "man radiusd" before editing this file. See the section
-# titled DEBUGGING. It outlines a method where you can quickly
-# obtain the configuration you want, without running into
-# trouble.
-#
-# Run the server in debugging mode, and READ the output.
-#
-# $ radiusd -X
-#
-# We cannot emphasize this point strongly enough. The vast
-# majority of problems can be solved by carefully reading the
-# debugging output, which includes warnings about common issues,
-# and suggestions for how they may be fixed.
-#
-# There may be a lot of output, but look carefully for words like:
-# "warning", "error", "reject", or "failure". The messages there
-# will usually be enough to guide you to a solution.
-#
-# If you are going to ask a question on the mailing list, then
-# explain what you are trying to do, and include the output from
-# debugging mode (radiusd -X). Failure to do so means that all
-# of the responses to your question will be people telling you
-# to "post the output of radiusd -X".
-
-######################################################################
-#
-# The location of other config files and logfiles are declared
-# in this file.
-#
-# Also general configuration for modules can be done in this
-# file, it is exported through the API to modules that ask for
-# it.
-#
-# See "man radiusd.conf" for documentation on the format of this
-# file. Note that the individual configuration items are NOT
-# documented in that "man" page. They are only documented here,
-# in the comments.
-#
-# As of 2.0.0, FreeRADIUS supports a simple processing language
-# in the "authorize", "authenticate", "accounting", etc. sections.
-# See "man unlang" for details.
-#
-
-prefix = /usr
-exec_prefix = /usr
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = /var/log/freeradius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#
-# name of the running server. See also the "-n" command-line option.
-name = freeradius
-
-# Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/${name}
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-#
-# libdir: Where to find the rlm_* modules.
-#
-# This should be automatically set at configuration time.
-#
-# If the server builds and installs, but fails at execution time
-# with an 'undefined symbol' error, then you can use the libdir
-# directive to work around the problem.
-#
-# The cause is usually that a library has been installed on your
-# system in a place where the dynamic linker CANNOT find it. When
-# executing as root (or another user), your personal environment MAY
-# be set up to allow the dynamic linker to find the library. When
-# executing as a daemon, FreeRADIUS MAY NOT have the same
-# personalized configuration.
-#
-# To work around the problem, find out which library contains that symbol,
-# and add the directory containing that library to the end of 'libdir',
-# with a colon separating the directory names. NO spaces are allowed.
-#
-# e.g. libdir = /usr/local/lib:/opt/package/lib
-#
-# You can also try setting the LD_LIBRARY_PATH environment variable
-# in a script which starts the server.
-#
-# If that does not work, then you can re-configure and re-build the
-# server to NOT use shared libraries, via:
-#
-# ./configure --disable-shared
-# make
-# make install
-#
-libdir = /usr/lib/freeradius
-
-# pidfile: Where to place the PID of the RADIUS server.
-#
-# The server may be signalled while it's running by using this
-# file.
-#
-# This file is written when ONLY running in daemon mode.
-#
-# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
-#
-pidfile = ${run_dir}/${name}.pid
-
-# chroot: directory where the server does "chroot".
-#
-# The chroot is done very early in the process of starting the server.
-# After the chroot has been performed it switches to the "user" listed
-# below (which MUST be specified). If "group" is specified, it switchs
-# to that group, too. Any other groups listed for the specified "user"
-# in "/etc/group" are also added as part of this process.
-#
-# The current working directory (chdir / cd) is left *outside* of the
-# chroot until all of the modules have been initialized. This allows
-# the "raddb" directory to be left outside of the chroot. Once the
-# modules have been initialized, it does a "chdir" to ${logdir}. This
-# means that it should be impossible to break out of the chroot.
-#
-# If you are worried about security issues related to this use of chdir,
-# then simply ensure that the "raddb" directory is inside of the chroot,
-# end be sure to do "cd raddb" BEFORE starting the server.
-#
-# If the server is statically linked, then the only files that have
-# to exist in the chroot are ${run_dir} and ${logdir}. If you do the
-# "cd raddb" as discussed above, then the "raddb" directory has to be
-# inside of the chroot directory, too.
-#
-#chroot = /path/to/chroot/directory
-
-# user/group: The name (or #number) of the user/group to run radiusd as.
-#
-# If these are commented out, the server will run as the user/group
-# that started it. In order to change to a different user/group, you
-# MUST be root ( or have root privleges ) to start the server.
-#
-# We STRONGLY recommend that you run the server with as few permissions
-# as possible. That is, if you're not using shadow passwords, the
-# user and group items below should be set to radius'.
-#
-# NOTE that some kernels refuse to setgid(group) when the value of
-# (unsigned)group is above 60000; don't use group nobody on these systems!
-#
-# On systems with shadow passwords, you might have to set 'group = shadow'
-# for the server to be able to read the shadow password file. If you can
-# authenticate users while in debug mode, but not in daemon mode, it may be
-# that the debugging mode server is running as a user that can read the
-# shadow info, and the user listed below can not.
-#
-# The server will also try to use "initgroups" to read /etc/groups.
-# It will join all groups where "user" is a member. This can allow
-# for some finer-grained access controls.
-#
-user = freerad
-group = freerad
-
-# panic_action: Command to execute if the server dies unexpectedly.
-#
-# FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.
-# AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.
-# AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART.
-#
-# The panic action is a command which will be executed if the server
-# receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS,
-# SIGABRT or SIGFPE.
-#
-# This can be used to start an interactive debugging session so
-# that information regarding the current state of the server can
-# be acquired.
-#
-# The following string substitutions are available:
-# - %e The currently executing program e.g. /sbin/radiusd
-# - %p The PID of the currently executing program e.g. 12345
-#
-# Standard ${} substitutions are also allowed.
-#
-# An example panic action for opening an interactive session in GDB would be:
-#
-#panic_action = "gdb %e %p"
-#
-# Again, don't use that on a production system.
-#
-# An example panic action for opening an automated session in GDB would be:
-#
-#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p > ${logdir}/gdb-%e-%p.log 2>&1"
-#
-# That command can be used on a production system.
-#
-
-# max_request_time: The maximum time (in seconds) to handle a request.
-#
-# Requests which take more time than this to process may be killed, and
-# a REJECT message is returned.
-#
-# WARNING: If you notice that requests take a long time to be handled,
-# then this MAY INDICATE a bug in the server, in one of the modules
-# used to handle a request, OR in your local configuration.
-#
-# This problem is most often seen when using an SQL database. If it takes
-# more than a second or two to receive an answer from the SQL database,
-# then it probably means that you haven't indexed the database. See your
-# SQL server documentation for more information.
-#
-# Useful range of values: 5 to 120
-#
-max_request_time = 30
-
-# cleanup_delay: The time to wait (in seconds) before cleaning up
-# a reply which was sent to the NAS.
-#
-# The RADIUS request is normally cached internally for a short period
-# of time, after the reply is sent to the NAS. The reply packet may be
-# lost in the network, and the NAS will not see it. The NAS will then
-# re-send the request, and the server will respond quickly with the
-# cached reply.
-#
-# If this value is set too low, then duplicate requests from the NAS
-# MAY NOT be detected, and will instead be handled as seperate requests.
-#
-# If this value is set too high, then the server will cache too many
-# requests, and some new requests may get blocked. (See 'max_requests'.)
-#
-# Useful range of values: 2 to 10
-#
-cleanup_delay = 5
-
-# max_requests: The maximum number of requests which the server keeps
-# track of. This should be 256 multiplied by the number of clients.
-# e.g. With 4 clients, this number should be 1024.
-#
-# If this number is too low, then when the server becomes busy,
-# it will not respond to any new requests, until the 'cleanup_delay'
-# time has passed, and it has removed the old requests.
-#
-# If this number is set too high, then the server will use a bit more
-# memory for no real benefit.
-#
-# If you aren't sure what it should be set to, it's better to set it
-# too high than too low. Setting it to 1000 per client is probably
-# the highest it should be.
-#
-# Useful range of values: 256 to infinity
-#
-max_requests = 1024
-
-# listen: Make the server listen on a particular IP address, and send
-# replies out from that address. This directive is most useful for
-# hosts with multiple IP addresses on one interface.
-#
-# If you want the server to listen on additional addresses, or on
-# additionnal ports, you can use multiple "listen" sections.
-#
-# Each section make the server listen for only one type of packet,
-# therefore authentication and accounting have to be configured in
-# different sections.
-#
-# The server ignore all "listen" section if you are using '-i' and '-p'
-# on the command line.
-#
-listen {
- # Type of packets to listen for.
- # Allowed values are:
- # auth listen for authentication packets
- # acct listen for accounting packets
- # proxy IP to use for sending proxied packets
- # detail Read from the detail file. For examples, see
- # raddb/sites-available/copy-acct-to-home-server
- # status listen for Status-Server packets. For examples,
- # see raddb/sites-available/status
- # coa listen for CoA-Request and Disconnect-Request
- # packets. For examples, see the file
- # raddb/sites-available/coa
- #
- type = auth
-
- # Note: "type = proxy" lets you control the source IP used for
- # proxying packets, with some limitations:
- #
- # * A proxy listener CANNOT be used in a virtual server section.
- # * You should probably set "port = 0".
- # * Any "clients" configuration will be ignored.
- #
- # See also proxy.conf, and the "src_ipaddr" configuration entry
- # in the sample "home_server" section. When you specify the
- # source IP address for packets sent to a home server, the
- # proxy listeners are automatically created.
-
- # IP address on which to listen.
- # Allowed values are:
- # dotted quad (1.2.3.4)
- # hostname (radius.example.com)
- # wildcard (*)
- ipaddr = *
-
- # OR, you can use an IPv6 address, but not both
- # at the same time.
-# ipv6addr = :: # any.
::1 == localhost
-
- # Port on which to listen.
- # Allowed values are:
- # integer port number (1812)
- # 0 means "use /etc/services for the proper port"
- port = 0
-
- # Some systems support binding to an interface, in addition
- # to the IP address. This feature isn't strictly necessary,
- # but for sites with many IP addresses on one interface,
- # it's useful to say "listen on all addresses for eth0".
- #
- # If your system does not support this feature, you will
- # get an error if you try to use it.
- #
-# interface = eth0
-
- # Per-socket lists of clients. This is a very useful feature.
- #
- # The name here is a reference to a section elsewhere in
- # radiusd.conf, or clients.conf. Having the name as
- # a reference allows multiple sockets to use the same
- # set of clients.
- #
- # If this configuration is used, then the global list of clients
- # is IGNORED for this "listen" section. Take care configuring
- # this feature, to ensure you don't accidentally disable a
- # client you need.
- #
- # See clients.conf for the configuration of "per_socket_clients".
- #
-# clients = per_socket_clients
-}
-
-# This second "listen" section is for listening on the accounting
-# port, too.
-#
-listen {
- ipaddr = *
-# ipv6addr = ::
- port = 0
- type = acct
-# interface = eth0
-# clients = per_socket_clients
-}
-
-# hostname_lookups: Log the names of clients or just their IP addresses
-# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
-#
-# The default is 'off' because it would be overall better for the net
-# if people had to knowingly turn this feature on, since enabling it
-# means that each client request will result in AT LEAST one lookup
-# request to the nameserver. Enabling hostname_lookups will also
-# mean that your server may stop randomly for 30 seconds from time
-# to time, if the DNS requests take too long.
-#
-# Turning hostname lookups off also means that the server won't block
-# for 30 seconds, if it sees an IP address which has no name associated
-# with it.
-#
-# allowed values: {no, yes}
-#
-hostname_lookups = no
-
-# Core dumps are a bad thing. This should only be set to 'yes'
-# if you're debugging a problem with the server.
-#
-# allowed values: {no, yes}
-#
-allow_core_dumps = no
-
-# Regular expressions
-#
-# These items are set at configure time. If they're set to "yes",
-# then setting them to "no" turns off regular expression support.
-#
-# If they're set to "no" at configure time, then setting them to "yes"
-# WILL NOT WORK. It will give you an error.
-#
-regular_expressions = yes
-extended_expressions = yes
-
-#
-# Logging section. The various "log_*" configuration items
-# will eventually be moved here.
-#
-log {
- #
- # Destination for log messages. This can be one of:
- #
- # files - log to "file", as defined below.
- # syslog - to syslog (see also the "syslog_facility", below.
- # stdout - standard output
- # stderr - standard error.
- #
- # The command-line option "-X" over-rides this option, and forces
- # logging to go to stdout.
- #
- destination = files
-
- #
- # The logging messages for the server are appended to the
- # tail of this file if destination == "files"
- #
- # If the server is running in debugging mode, this file is
- # NOT used.
- #
- file = ${logdir}/radius.log
-
- #
- # If this configuration parameter is set, then log messages for
- # a *request* go to this file, rather than to radius.log.
- #
- # i.e. This is a log file per request, once the server has accepted
- # the request as being from a valid client. Messages that are
- # not associated with a request still go to radius.log.
- #
- # Not all log messages in the server core have been updated to use
- # this new internal API. As a result, some messages will still
- # go to radius.log. Please submit patches to fix this behavior.
- #
- # The file name is expanded dynamically. You should ONLY user
- # server-side attributes for the filename (e.g. things you control).
- # Using this feature MAY also slow down the server substantially,
- # especially if you do thinks like SQL calls as part of the
- # expansion of the filename.
- #
- # The name of the log file should use attributes that don't change
- # over the lifetime of a request, such as User-Name,
- # Virtual-Server or Packet-Src-IP-Address. Otherwise, the log
- # messages will be distributed over multiple files.
- #
- # Logging can be enabled for an individual request by a special
- # dynamic expansion macro: %{debug: 1}, where the debug level
- # for this request is set to '1' (or 2, 3, etc.). e.g.
- #
- # ...
- # update control {
- # Tmp-String-0 = "%{debug:1}"
- # }
- # ...
- #
- # The attribute that the value is assigned to is unimportant,
- # and should be a "throw-away" attribute with no side effects.
- #
- #requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
-
- #
- # Which syslog facility to use, if ${destination} == "syslog"
- #
- # The exact values permitted here are OS-dependent. You probably
- # don't want to change this.
- #
- syslog_facility = daemon
-
- # Log the full User-Name attribute, as it was found in the request.
- #
- # allowed values: {no, yes}
- #
- stripped_names = no
-
- # Log authentication requests to the log file.
- #
- # allowed values: {no, yes}
- #
- auth = no
-
- # Log passwords with the authentication requests.
- # auth_badpass - logs password if it's rejected
- # auth_goodpass - logs password if it's correct
- #
- # allowed values: {no, yes}
- #
- auth_badpass = no
- auth_goodpass = no
-
- # Log additional text at the end of the "Login OK" messages.
- # for these to work, the "auth" and "auth_goopass" or "auth_badpass"
- # configurations above have to be set to "yes".
- #
- # The strings below are dynamically expanded, which means that
- # you can put anything you want in them.
However, note that
- # this expansion can be slow, and can negatively impact server
- # performance.
- #
-# msg_goodpass = ""
-# msg_badpass = ""
-}
-
-# The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-# SECURITY CONFIGURATION
-#
-# There may be multiple methods of attacking on the server. This
-# section holds the configuration items which minimize the impact
-# of those attacks
-#
-security {
- #
- # max_attributes: The maximum number of attributes
- # permitted in a RADIUS packet. Packets which have MORE
- # than this number of attributes in them will be dropped.
- #
- # If this number is set too low, then no RADIUS packets
- # will be accepted.
- #
- # If this number is set too high, then an attacker may be
- # able to send a small number of packets which will cause
- # the server to use all available memory on the machine.
- #
- # Setting this number to 0 means "allow any number of attributes"
- max_attributes = 200
-
- #
- # reject_delay: When sending an Access-Reject, it can be
- # delayed for a few seconds. This may help slow down a DoS
- # attack. It also helps to slow down people trying to brute-force
- # crack a users password.
- #
- # Setting this number to 0 means "send rejects immediately"
- #
- # If this number is set higher than 'cleanup_delay', then the
- # rejects will be sent at 'cleanup_delay' time, when the request
- # is deleted from the internal cache of requests.
- #
- # Useful ranges: 1 to 5
- reject_delay = 1
-
- #
- # status_server: Whether or not the server will respond
- # to Status-Server requests.
- #
- # When sent a Status-Server message, the server responds with
- # an Access-Accept or Accounting-Response packet.
- #
- # This is mainly useful for administrators who want to "ping"
- # the server, without adding test users, or creating fake
- # accounting packets.
- #
- # It's also useful when a NAS marks a RADIUS server "dead".
- # The NAS can periodically "ping" the server with a Status-Server
- # packet. If the server responds, it must be alive, and the
- # NAS can start using it for real requests.
- #
- # See also raddb/sites-available/status
- #
- status_server = yes
-
- #
- # allow_vulnerable_openssl: Allow the server to start with
- # versions of OpenSSL known to have critical vulnerabilities.
- #
- # This check is based on the version number reported by libssl
- # and may not reflect patches applied to libssl by
- # distribution maintainers.
- #
- allow_vulnerable_openssl = no
-}
-
-# PROXY CONFIGURATION
-#
-# proxy_requests: Turns proxying of RADIUS requests on or off.
-#
-# The server has proxying turned on by default. If your system is NOT
-# set up to proxy requests to another server, then you can turn proxying
-# off here. This will save a small amount of resources on the server.
-#
-# If you have proxying turned off, and your configuration files say
-# to proxy a request, then an error message will be logged.
-#
-# To disable proxying, change the "yes" to "no", and comment the
-# $INCLUDE line.
-#
-# allowed values: {no, yes}
-#
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-
-# CLIENTS CONFIGURATION
-#
-# Client configuration is defined in "clients.conf".
-#
-
-# The 'clients.conf' file contains all of the information from the old
-# 'clients' and 'naslist' configuration files. We recommend that you
-# do NOT use 'client's or 'naslist', although they are still
-# supported.
-#
-# Anything listed in 'clients.conf' will take precedence over the
-# information from the old-style configuration files.
-#
-$INCLUDE clients.conf
-
-
-# THREAD POOL CONFIGURATION
-#
-# The thread pool is a long-lived group of threads which
-# take turns (round-robin) handling any incoming requests.
-#
-# You probably want to have a few spare threads around,
-# so that high-load situations can be handled immediately.
If you
-# don't have any spare threads, then the request handling will
-# be delayed while a new thread is created, and added to the pool.
-#
-# You probably don't want too many spare threads around,
-# otherwise they'll be sitting there taking up resources, and
-# not doing anything productive.
-#
-# The numbers given below should be adequate for most situations.
-#
-thread pool {
- # Number of servers to start initially --- should be a reasonable
- # ballpark figure.
- start_servers = 5
-
- # Limit on the total number of servers running.
- #
- # If this limit is ever reached, clients will be LOCKED OUT, so it
- # should NOT BE SET TOO LOW. It is intended mainly as a brake to
- # keep a runaway server from taking the system with it as it spirals
- # down...
- #
- # You may find that the server is regularly reaching the
- # 'max_servers' number of threads, and that increasing
- # 'max_servers' doesn't seem to make much difference.
- #
- # If this is the case, then the problem is MOST LIKELY that
- # your back-end databases are taking too long to respond, and
- # are preventing the server from responding in a timely manner.
- #
- # The solution is NOT do keep increasing the 'max_servers'
- # value, but instead to fix the underlying cause of the
- # problem: slow database, or 'hostname_lookups=yes'.
- #
- # For more information, see 'max_request_time', above.
- #
- max_servers = 32
-
- # Server-pool size regulation. Rather than making you guess
- # how many servers you need, FreeRADIUS dynamically adapts to
- # the load it sees, that is, it tries to maintain enough
- # servers to handle the current load, plus a few spare
- # servers to handle transient load spikes.
- #
- # It does this by periodically checking how many servers are
- # waiting for a request. If there are fewer than
- # min_spare_servers, it creates a new spare. If there are
- # more than max_spare_servers, some of the spares die off.
- # The default values are probably OK for most sites.
- #
- min_spare_servers = 3
- max_spare_servers = 10
-
- # When the server receives a packet, it places it onto an
- # internal queue, where the worker threads (configured above)
- # pick it up for processing. The maximum size of that queue
- # is given here.
- #
- # When the queue is full, any new packets will be silently
- # discarded.
- #
- # The most common cause of the queue being full is that the
- # server is dependent on a slow database, and it has received
- # a large "spike" of traffic. When that happens, there is
- # very little you can do other than make sure the server
- # receives less traffic, or make sure that the database can
- # handle the load.
- #
-# max_queue_size = 65536
-
- # There may be memory leaks or resource allocation problems with
- # the server. If so, set this value to 300 or so, so that the
- # resources will be cleaned up periodically.
- #
- # This should only be necessary if there are serious bugs in the
- # server which have not yet been fixed.
- #
- # '0' is a special value meaning 'infinity', or 'the servers never
- # exit'
- max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-#
-# The names and configuration of each module is located in this section.
-#
-# After the modules are defined here, they may be referred to by name,
-# in other sections of this configuration file.
-#
-modules {
- #
- # Each module has a configuration as follows:
- #
- # name [ instance ] {
- # config_item = value
- # ...
- # }
- #
- # The 'name' is used to load the 'rlm_name' library
- # which implements the functionality of the module.
- #
- # The 'instance' is optional. To have two different instances
- # of a module, it first must be referred to by 'name'.
- # The different copies of the module are then created by
- # inventing two 'instance' names, e.g. 'instance1' and 'instance2'
- #
- # The instance names can then be used in later configuration
- # INSTEAD of the original 'name'. See the 'radutmp' configuration
- # for an example.
- #
-
- #
- # As of 2.0.5, most of the module configurations are in a
- # sub-directory. Files matching the regex /[a-zA-Z0-9_.]+/
- # are loaded. The modules are initialized ONLY if they are
- # referenced in a processing section, such as authorize,
- # authenticate, accounting, pre/post-proxy, etc.
- #
- $INCLUDE ${confdir}/modules/
-
- # Extensible Authentication Protocol
- #
- # For all EAP related authentications.
- # Now in another file, because it is very large.
- #
- $INCLUDE eap.conf
-
- # Include another file that has the SQL-related configuration.
- # This is another file only because it tends to be big.
- #
-# $INCLUDE sql.conf
-
- #
- # This module is an SQL enabled version of the counter module.
- #
- # Rather than maintaining seperate (GDBM) databases of
- # accounting info for each counter, this module uses the data
- # stored in the raddacct table by the sql modules. This
- # module NEVER does any database INSERTs or UPDATEs. It is
- # totally dependent on the SQL module to process Accounting
- # packets.
- #
-# $INCLUDE sql/mysql/counter.conf
-
- #
- # IP addresses managed in an SQL table.
- #
-# $INCLUDE sqlippool.conf
-}
-
-# Instantiation
-#
-# This section orders the loading of the modules. Modules
-# listed here will get loaded BEFORE the later sections like
-# authorize, authenticate, etc. get examined.
-#
-# This section is not strictly needed. When a section like
-# authorize refers to a module, it's automatically loaded and
-# initialized. However, some modules may not be listed in any
-# of the following sections, so they can be listed here.
-#
-# Also, listing modules here ensures that you have control over
-# the order in which they are initalized. If one module needs
-# something defined by another module, you can list them in order
-# here, and ensure that the configuration will be OK.
-#
-instantiate {
- #
- # Allows the execution of external scripts.
- # The entire command line (and output) must fit into 253 bytes.
- #
- # e.g.
Framed-Pool = `%{exec:/bin/echo foo}`
- exec
-
- #
- # The expression module doesn't do authorization,
- # authentication, or accounting. It only does dynamic
- # translation, of the form:
- #
- # Session-Timeout = `%{expr:2 + 3}`
- #
- # This module needs to be instantiated, but CANNOT be
- # listed in any other section. See 'doc/rlm_expr' for
- # more information.
- #
- # rlm_expr is also responsible for registering many
- # other xlat functions such as md5, sha1 and lc.
- #
- # We do not recommend removing it's listing here.
- expr
-
- #
- # We add the counter module here so that it registers
- # the check-name attribute before any module which sets
- # it
-# daily
- expiration
- logintime
-
- # subsections here can be thought of as "virtual" modules.
- #
- # e.g. If you have two redundant SQL servers, and you want to
- # use them in the authorize and accounting sections, you could
- # place a "redundant" block in each section, containing the
- # exact same text. Or, you could uncomment the following
- # lines, and list "redundant_sql" in the authorize and
- # accounting sections.
- #
- #redundant redundant_sql {
- # sql1
- # sql2
- #}
-}
-
-######################################################################
-#
-# Policies that can be applied in multiple places are listed
-# globally. That way, they can be defined once, and referred
-# to multiple times.
-#
-######################################################################
-$INCLUDE policy.conf
-
-######################################################################
-#
-# Load virtual servers.
-#
-# This next $INCLUDE line loads files in the directory that
-# match the regular expression: /[a-zA-Z0-9_.]+/
-#
-# It allows you to define new virtual servers simply by placing
-# a file into the raddb/sites-enabled/ directory.
-#
-$INCLUDE sites-enabled/
-
-######################################################################
-#
-# All of the other configuration sections like "authorize {}",
-# "authenticate {}", "accounting {}", have been moved to the
-# the file:
-#
-# raddb/sites-available/default
-#
-# This is the "default" virtual server that has the same
-# configuration as in version 1.0.x and 1.1.x. The default
-# installation enables this virtual server. You should
-# edit it to create policies for your local site.
-#
-# For more documentation on virtual servers, see:
-#
-# raddb/sites-available/README
-#
-######################################################################
diff --git a/roles/radius/files/raddb/sites-enabled/control-socket b/roles/radius/files/raddb/sites-enabled/control-socket
deleted file mode 100644
index 4675e1e..0000000
--- a/roles/radius/files/raddb/sites-enabled/control-socket
+++ /dev/null
@@ -1,73 +0,0 @@
-# -*- text -*-
-######################################################################
-#
-# Control socket interface.
-#
-# In the future, we will add username/password checking for
-# connections to the control socket. We will also add
-# command authorization, where the commands entered by the
-# administrator are run through a virtual server before
-# they are executed.
-#
-# For now, anyone who has permission to connect to the socket
-# has nearly complete control over the server. Be warned!
-#
-# This functionality is NOT enabled by default.
-#
-# See also the "radmin" program, which is used to communicate
-# with the server over the control socket.
-#
-# $Id: 6a6f2b9428713083720b145d12c90b9747510ec1 $
-#
-######################################################################
-listen {
- #
- # Listen on the control socket.
- #
- type = control
-
- #
- # Socket location.
- #
- # This file is created with the server's uid and gid.
- # It's permissions are r/w for that user and group, and
- # no permissions for "other" users. These permissions form
- # minimal security, and should not be relied on.
- #
- socket = ${run_dir}/${name}.sock
-
- #
- # The following two parameters perform authentication and
- # authorization of connections to the control socket.
- #
- # If not set, then ANYONE can connect to the control socket,
- # and have complete control over the server. This is likely
- # not what you want.
- #
- # One, or both, of "uid" and "gid" should be set. If set, the
- # corresponding value is checked. Unauthorized users result
- # in an error message in the log file, and the connection is
- # closed.
- #
-
- #
- # Name of user that is allowed to connect to the control socket.
- #
-# uid = radius
-
- #
- # Name of group that is allowed to connect to the control socket.
- #
-# gid = radius
-
- #
- # Access mode.
- #
- # This can be used to give *some* administrators access to
- # monitor the system, but not to change it.
- #
- # ro = read only access (default)
- # rw = read/write access.
- #
-# mode = rw
-}
diff --git a/roles/radius/files/raddb/sites-enabled/inner-tunnel b/roles/radius/files/raddb/sites-enabled/inner-tunnel
deleted file mode 100644
index 1ca1487..0000000
--- a/roles/radius/files/raddb/sites-enabled/inner-tunnel
+++ /dev/null
@@ -1,421 +0,0 @@ -# -*- text -*- -###################################################################### -# -# This is a virtual server that handles *only* inner tunnel -# requests for EAP-TTLS and PEAP types. -# -# $Id: bb0b93bc9cc9ade4e78725ea113d6f228937fef7 $ -# -###################################################################### - -server inner-tunnel { - -# -# This next section is here to allow testing of the "inner-tunnel" -# authentication methods, independently from the "default" server. -# It is listening on "localhost", so that it can only be used from -# the same machine. -# -# $ radtest USER PASSWORD 127.0.0.1:18120 0 testing123 -# -# If it works, you have configured the inner tunnel correctly. To check -# if PEAP will work, use: -# -# $ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123 -# -# If that works, PEAP should work. If that command doesn't work, then -# -# FIX THE INNER TUNNEL CONFIGURATION SO THAT IT WORKS. -# -# Do NOT do any PEAP tests. It won't help. Instead, concentrate -# on fixing the inner tunnel configuration. DO NOTHING ELSE. -# -listen { - ipaddr = 127.0.0.1 - port = 18120 - type = auth -} - - -# Authorization. First preprocess (hints and huntgroups files), -# then realms, and finally look in the "users" file. -# -# The order of the realm modules will determine the order that -# we try to find a matching realm. -# -# Make *sure* that 'preprocess' comes before any realm if you -# need to setup hints for the remote radius server -authorize { - # - # The chap module will set 'Auth-Type := CHAP' if we are - # handling a CHAP request and Auth-Type has not already been set - chap - - # - # If the users are logging in with an MS-CHAP-Challenge - # attribute for authentication, the mschap module will find - # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' - # to the request, which will cause the server to then use - # the mschap module for authentication. 
- mschap - - # - # Pull crypt'd passwords from /etc/passwd or /etc/shadow, - # using the system API's to get the password. If you want - # to read /etc/passwd or /etc/shadow directly, see the - # passwd module, above. - # -# unix - - # - # Look for IPASS style 'realm/', and if not found, look for - # '@realm', and decide whether or not to proxy, based on - # that. -# IPASS - - # - # If you are using multiple kinds of realms, you probably - # want to set "ignore_null = yes" for all of them. - # Otherwise, when the first style of realm doesn't match, - # the other styles won't be checked. - # - # Note that proxying the inner tunnel authentication means - # that the user MAY use one identity in the outer session - # (e.g. "anonymous", and a different one here - # (e.g. "user@example.com"). The inner session will then be - # proxied elsewhere for authentication. If you are not - # careful, this means that the user can cause you to forward - # the authentication to another RADIUS server, and have the - # accounting logs *not* sent to the other server. This makes - # it difficult to bill people for their network activity. - # - suffix -# ntdomain - - # - # The "suffix" module takes care of stripping the domain - # (e.g. "@example.com") from the User-Name attribute, and the - # next few lines ensure that the request is not proxied. - # - # If you want the inner tunnel request to be proxied, delete - # the next few lines. - # - update control { - Proxy-To-Realm := LOCAL - } - - # - # This module takes care of EAP-MSCHAPv2 authentication. - # - # It also sets the EAP-Type attribute in the request - # attribute list to the EAP type from the packet. - # - # The example below uses module failover to avoid querying all - # of the following modules if the EAP module returns "ok". - # Therefore, your LDAP and/or SQL servers will not be queried - # for the many packets that go back and forth to set up TTLS - # or PEAP. The load on those servers will therefore be reduced. 
- # - eap { - ok = return - } - - # - # Read the 'users' file -# files - - # - # Look in an SQL database. The schema of the database - # is meant to mirror the "users" file. - # - # See "Authorization Queries" in sql.conf -# sql - - # - # If you are using /etc/smbpasswd, and are also doing - # mschap authentication, the un-comment this line, and - # configure the 'etc_smbpasswd' module, above. -# etc_smbpasswd - - # - # The ldap module will set Auth-Type to LDAP if it has not - # already been set - ldap - - # - # Enforce daily limits on time spent logged in. -# daily - - # - # Use the checkval module -# checkval - - expiration - logintime - - # - # If no other module has claimed responsibility for - # authentication, then try to use PAP. This allows the - # other modules listed above to add a "known good" password - # to the request, and to do nothing else. The PAP module - # will then see that password, and use it to do PAP - # authentication. - # - # This module should be listed last, so that the other modules - # get a chance to set Auth-Type for themselves. - # - pap -} - - -# Authentication. -# -# -# This section lists which modules are available for authentication. -# Note that it does NOT mean 'try each module in order'. It means -# that a module from the 'authorize' section adds a configuration -# attribute 'Auth-Type := FOO'. That authentication type is then -# used to pick the apropriate module from the list below. -# - -# In general, you SHOULD NOT set the Auth-Type attribute. The server -# will figure it out on its own, and will do the right thing. The -# most common side effect of erroneously setting the Auth-Type -# attribute is that one authentication method will work, but the -# others will not. -# -# The common reasons to set the Auth-Type attribute by hand -# is to either forcibly reject the user, or forcibly accept him. 
-# -authenticate { - # - # PAP authentication, when a back-end database listed - # in the 'authorize' section supplies a password. The - # password can be clear-text, or encrypted. - Auth-Type PAP { - pap - } - - # - # Most people want CHAP authentication - # A back-end database listed in the 'authorize' section - # MUST supply a CLEAR TEXT password. Encrypted passwords - # won't work. - Auth-Type CHAP { - chap - } - - # - # MSCHAP authentication. - Auth-Type MS-CHAP { - mschap - } - - # - # Pluggable Authentication Modules. -# pam - - # - # See 'man getpwent' for information on how the 'unix' - # module checks the users password. Note that packets - # containing CHAP-Password attributes CANNOT be authenticated - # against /etc/passwd! See the FAQ for details. - # - unix - - # Uncomment it if you want to use ldap for authentication - # - # Note that this means "check plain-text password against - # the ldap database", which means that EAP won't work, - # as it does not supply a plain-text password. -# Auth-Type LDAP { -# ldap -# } - - # - # Allow EAP authentication. - eap -} - -###################################################################### -# -# There are no accounting requests inside of EAP-TTLS or PEAP -# tunnels. -# -###################################################################### - - -# Session database, used for checking Simultaneous-Use. Either the radutmp -# or rlm_sql module can handle this. -# The rlm_sql module is *much* faster -session { - radutmp - - # - # See "Simultaneous Use Checking Queries" in sql.conf -# sql -} - - -# Post-Authentication -# Once we KNOW that the user has been authenticated, there are -# additional steps we can take. -post-auth { - # Note that we do NOT assign IP addresses here. - # If you try to assign IP addresses for EAP authentication types, - # it WILL NOT WORK. You MUST use DHCP. 
- - # - # If you want to have a log of authentication replies, - # un-comment the following line, and the 'detail reply_log' - # section, above. -# reply_log - - # - # After authenticating the user, do another SQL query. - # - # See "Authentication Logging Queries" in sql.conf -# sql - - # - # Instead of sending the query to the SQL server, - # write it into a log file. - # -# sql_log - - # - # Un-comment the following if you have set - # 'edir_account_policy_check = yes' in the ldap module sub-section of - # the 'modules' section. - # -# ldap - - # - # Access-Reject packets are sent through the REJECT sub-section of the - # post-auth section. - # - # Add the ldap module name (or instance) if you have set - # 'edir_account_policy_check = yes' in the ldap module configuration - # - Post-Auth-Type REJECT { - # log failed authentications in SQL, too. -# sql - attr_filter.access_reject - } - - # - # The example policy below updates the outer tunnel reply - # (usually Access-Accept) with the User-Name from the inner - # tunnel User-Name. Since this section is processed in the - # context of the inner tunnel, "request" here means "inner - # tunnel request", and "outer.reply" means "outer tunnel - # reply attributes". - # - # This example is most useful when the outer session contains - # a User-Name of "anonymous@....", or a MAC address. If it - # is enabled, the NAS SHOULD use the inner tunnel User-Name - # in subsequent accounting packets. This makes it easier to - # track user sessions, as they will all be based on the real - # name, and not on "anonymous". - # - # The problem with doing this is that it ALSO exposes the - # real user name to any intermediate proxies. People use - # "anonymous" identifiers outside of the tunnel for a very - # good reason: it gives them more privacy. Setting the reply - # to contain the real user name removes ALL privacy from - # their session. 
- # - # If you want privacy to remain, see the - # Chargeable-User-Identity attribute from RFC 4372. In order - # to use that attribute, you will have to allocate a - # per-session identifier for the user, and store it in a - # long-term database (e.g. SQL). You should also use that - # attribute INSTEAD of the configuration below. - # - #update outer.reply { - # User-Name = "%{request:User-Name}" - #} - -} - -# -# When the server decides to proxy a request to a home server, -# the proxied request is first passed through the pre-proxy -# stage. This stage can re-write the request, or decide to -# cancel the proxy. -# -# Only a few modules currently have this method. -# -pre-proxy { -# attr_rewrite - - # Uncomment the following line if you want to change attributes - # as defined in the preproxy_users file. -# files - - # Uncomment the following line if you want to filter requests - # sent to remote servers based on the rules defined in the - # 'attrs.pre-proxy' file. -# attr_filter.pre-proxy - - # If you want to have a log of packets proxied to a home - # server, un-comment the following line, and the - # 'detail pre_proxy_log' section, above. -# pre_proxy_log -} - -# -# When the server receives a reply to a request it proxied -# to a home server, the request may be massaged here, in the -# post-proxy stage. -# -post-proxy { - - # If you want to have a log of replies from a home server, - # un-comment the following line, and the 'detail post_proxy_log' - # section, above. -# post_proxy_log - -# attr_rewrite - - # Uncomment the following line if you want to filter replies from - # remote proxies based on the rules defined in the 'attrs' file. -# attr_filter.post-proxy - - # - # If you are proxying LEAP, you MUST configure the EAP - # module, and you MUST list it here, in the post-proxy - # stage. - # - # You MUST also use the 'nostrip' option in the 'realm' - # configuration. 
Otherwise, the User-Name attribute
- # in the proxied request will not match the user name
- # hidden inside of the EAP packet, and the end server will
- # reject the EAP request.
- #
- eap
-
- #
- # If the server tries to proxy a request and fails, then the
- # request is processed through the modules in this section.
- #
- # The main use of this section is to permit robust proxying
- # of accounting packets. The server can be configured to
- # proxy accounting packets as part of normal processing.
- # Then, if the home server goes down, accounting packets can
- # be logged to a local "detail" file, for processing with
- # radrelay. When the home server comes back up, radrelay
- # will read the detail file, and send the packets to the
- # home server.
- #
- # With this configuration, the server always responds to
- # Accounting-Requests from the NAS, but only writes
- # accounting packets to disk if the home server is down.
- #
-# Post-Proxy-Type Fail {
-# detail
-# }
-
-}
-
-} # inner-tunnel server block
diff --git a/roles/radius/files/raddb/sites-enabled/default b/roles/radius/files/sites-available/default
similarity index 57%
rename from roles/radius/files/raddb/sites-enabled/default
rename to roles/radius/files/sites-available/default
index 5029902..a49fd06 100644
--- a/roles/radius/files/raddb/sites-enabled/default
+++ b/roles/radius/files/sites-available/default
@@ -8,10 +8,10 @@
 # directory to these files. This is done in a normal installation.
 #
 # If you are using 802.1X (EAP) authentication, please see also
-# the "inner-tunnel" virtual server. You wll likely have to edit
+# the "inner-tunnel" virtual server. You will likely have to edit
 # that, too, for authentication to work.
 #
-# $Id: 520ccbc90f3a09cd6a80e1e3b16000b7ba94d884 $
+# $Id: 083407596aa5074d665adac9606e7de655b634aa $
 #
 ######################################################################
 #
@@ -44,16 +44,201 @@ # ###################################################################### +server default { # -# In 1.x, the "authorize", etc. sections were global in -# radiusd.conf. As of 2.0, they SHOULD be in a server section. +# If you want the server to listen on additional addresses, or on +# additional ports, you can use multiple "listen" sections. # -# The server section with no virtual server name is the "default" -# section. It is used when no server name is specified. +# Each section make the server listen for only one type of packet, +# therefore authentication and accounting have to be configured in +# different sections. # -# We don't indent the rest of this file, because doing so -# would make it harder to read. +# The server ignore all "listen" section if you are using '-i' and '-p' +# on the command line. # +listen { + # Type of packets to listen for. + # Allowed values are: + # auth listen for authentication packets + # acct listen for accounting packets + # proxy IP to use for sending proxied packets + # detail Read from the detail file. For examples, see + # raddb/sites-available/copy-acct-to-home-server + # status listen for Status-Server packets. For examples, + # see raddb/sites-available/status + # coa listen for CoA-Request and Disconnect-Request + # packets. For examples, see the file + # raddb/sites-available/coa + # + type = auth + + # Note: "type = proxy" lets you control the source IP used for + # proxying packets, with some limitations: + # + # * A proxy listener CANNOT be used in a virtual server section. + # * You should probably set "port = 0". + # * Any "clients" configuration will be ignored. + # + # See also proxy.conf, and the "src_ipaddr" configuration entry + # in the sample "home_server" section. When you specify the + # source IP address for packets sent to a home server, the + # proxy listeners are automatically created. + + # ipaddr/ipv4addr/ipv6addr - IP address on which to listen. 
+ # Out of several options the first one will be used. + # + # Allowed values are: + # IPv4 address (e.g. 1.2.3.4, for ipv4addr/ipaddr) + # IPv6 address (e.g. 2001:db8::1, for ipv6addr/ipaddr) + # hostname (radius.example.com, + # A record for ipv4addr, + # AAAA record for ipv6addr, + # A or AAAA record for ipaddr) + # wildcard (*) + # + # ipv4addr = * + # ipv6addr = * + ipaddr = * + + # Port on which to listen. + # Allowed values are: + # integer port number (1812) + # 0 means "use /etc/services for the proper port" + port = 0 + + # Some systems support binding to an interface, in addition + # to the IP address. This feature isn't strictly necessary, + # but for sites with many IP addresses on one interface, + # it's useful to say "listen on all addresses for eth0". + # + # If your system does not support this feature, you will + # get an error if you try to use it. + # +# interface = eth0 + + # Per-socket lists of clients. This is a very useful feature. + # + # The name here is a reference to a section elsewhere in + # radiusd.conf, or clients.conf. Having the name as + # a reference allows multiple sockets to use the same + # set of clients. + # + # If this configuration is used, then the global list of clients + # is IGNORED for this "listen" section. Take care configuring + # this feature, to ensure you don't accidentally disable a + # client you need. + # + # See clients.conf for the configuration of "per_socket_clients". + # +# clients = per_socket_clients + + # + # Connection limiting for sockets with "proto = tcp". + # + # This section is ignored for other kinds of sockets. + # + limit { + # + # Limit the number of simultaneous TCP connections to the socket + # + # The default is 16. + # Setting this to 0 means "no limit" + max_connections = 16 + + # The per-socket "max_requests" option does not exist. + + # + # The lifetime, in seconds, of a TCP connection. After + # this lifetime, the connection will be closed. + # + # Setting this to 0 means "forever". 
+ lifetime = 0 + + # + # The idle timeout, in seconds, of a TCP connection. + # If no packets have been received over the connection for + # this time, the connection will be closed. + # + # Setting this to 0 means "no timeout". + # + # We STRONGLY RECOMMEND that you set an idle timeout. + # + idle_timeout = 30 + } +} + +# +# This second "listen" section is for listening on the accounting +# port, too. +# +listen { + ipaddr = * +# ipv6addr = :: + port = 0 + type = acct +# interface = eth0 +# clients = per_socket_clients + + limit { + # The number of packets received can be rate limited via the + # "max_pps" configuration item. When it is set, the server + # tracks the total number of packets received in the previous + # second. If the count is greater than "max_pps", then the + # new packet is silently discarded. This helps the server + # deal with overload situations. + # + # The packets/s counter is tracked in a sliding window. This + # means that the pps calculation is done for the second + # before the current packet was received. NOT for the current + # wall-clock second, and NOT for the previous wall-clock second. + # + # Useful values are 0 (no limit), or 100 to 10000. + # Values lower than 100 will likely cause the server to ignore + # normal traffic. Few systems are capable of handling more than + # 10K packets/s. + # + # It is most useful for accounting systems. Set it to 50% + # more than the normal accounting load, and you can be sure that + # the server will never get overloaded + # +# max_pps = 0 + + # Only for "proto = tcp". These are ignored for "udp" sockets. + # +# idle_timeout = 0 +# lifetime = 0 +# max_connections = 0 + } +} + +# IPv6 versions of the above - read their full config to understand options +listen { + type = auth + ipv6addr = :: # any. 
::1 == localhost + port = 0 +# interface = eth0 +# clients = per_socket_clients + limit { + max_connections = 16 + lifetime = 0 + idle_timeout = 30 + } +} + +listen { + ipv6addr = :: + port = 0 + type = acct +# interface = eth0 +# clients = per_socket_clients + + limit { +# max_pps = 0 +# idle_timeout = 0 +# lifetime = 0 +# max_connections = 0 + } +} # Authorization. First preprocess (hints and huntgroups files), # then realms, and finally look in the "users" file. 
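Review bot: All four new listeners bind to every address (`ipaddr = *`, `ipv6addr = ::`) with `# clients = per_socket_clients` left commented, so each socket accepts requests from the whole global clients.conf list on every interface of the host. For a role that targets a known host, consider pinning `ipaddr`/`ipv6addr` to the RADIUS-facing address or referencing a per-socket client list, and drop the two IPv6 listeners if the NAS population is IPv4-only, since every reachable listener is protected by nothing more than the shared-secret check. The `limit { ... }` blocks apply only to `proto = tcp`, so they bound nothing on these default UDP sockets; a comment such as `# UDP listeners: limit {} is ignored here, use max_pps for rate limiting` would avoid a false sense of protection. The `server default {` block opened at the top of this hunk closes outside it.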
@@ -64,39 +249,58 @@ # The order of the realm modules will determine the order that # we try to find a matching realm. # -# Make *sure* that 'preprocess' comes before any realm if you +# Make *sure* that 'preprocess' comes before any realm if you # need to setup hints for the remote radius server authorize { # - # Security settings. Take a User-Name, and do some simple - # checks on it, for spaces and other invalid characters. If - # it looks like the user is trying to play games, reject it. + # Take a User-Name, and perform some checks on it, for spaces and other + # invalid characters. If the User-Name appears invalid, reject the + # request. # - # This should probably be enabled by default. + # See policy.d/filter for the definition of the filter_username policy. # - # See policy.conf for the definition of the filter_username policy. + filter_username + # -# filter_username + # Some broken equipment sends passwords with embedded zeros. + # i.e. the debug output will show + # + # User-Password = "password\000\000" + # + # This policy will fix it to just be "password". + # +# filter_password # # The preprocess module takes care of sanitizing some bizarre # attributes in the request, and turning them into attributes # which are more standard. # - # It takes care of processing the 'raddb/hints' and the - # 'raddb/huntgroups' files. + # It takes care of processing the 'raddb/mods-config/preprocess/hints' + # and the 'raddb/mods-config/preprocess/huntgroups' files. 
preprocess + # If you intend to use CUI and you require that the Operator-Name + # be set for CUI generation and you want to generate CUI also + # for your local clients then uncomment the operator-name + # below and set the operator-name for your clients in clients.conf +# operator-name + + # + # If you want to generate CUI for some clients that do not + # send proper CUI requests, then uncomment the + # cui below and set "add_cui = yes" for these clients in clients.conf +# cui + # # If you want to have a log of authentication requests, - # un-comment the following line, and the 'detail auth_log' - # section, above. + # un-comment the following line. # auth_log # # The chap module will set 'Auth-Type := CHAP' if we are # handling a CHAP request and Auth-Type has not already been set - chap +# chap # # If the users are logging in with an MS-CHAP-Challenge @@ -104,13 +308,13 @@ authorize { # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' # to the request, which will cause the server to then use # the mschap module for authentication. - mschap +# mschap # # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authenticate' section. - digest +# digest # # The WiMAX specification says that the Calling-Station-Id 
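Review bot: With `chap`, `mschap` and `digest` commented out in authorize here and in the `@@ -104,13 +308,13 @@` hunk (and `pap` in `@@ -209,7 +409,7 @@`), only `eap` sets an Auth-Type, so a non-EAP Access-Request is rejected for lack of one unless a `files` entry sets it explicitly, while the `Auth-Type MS-CHAP { mschap }` and `Auth-Type CHAP` entries kept in authenticate become unreachable. If an EAP-only outer server is the intent, say so where the modules are disabled, e.g. `# Outer server is EAP-only: chap/mschap/pap/digest are handled in the inner tunnel`, so the next maintainer does not re-enable them to "fix" a failing PAP radtest. Enabling `filter_username` is a good change; `filter_password` could be enabled alongside it if any NAS is known to send NUL-padded passwords. The authorize section continues past the end of this hunk.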
@@ -143,15 +347,14 @@ authorize { # It also sets the EAP-Type attribute in the request # attribute list to the EAP type from the packet. # - # As of 2.0, the EAP module returns "ok" in the authorize stage - # for TTLS and PEAP. In 1.x, it never returned "ok" here, so - # this change is compatible with older configurations. + # The EAP module returns "ok" if it is not yet ready to + # authenticate the user. The configuration below checks for + # that code, and stops processing the "authorize" section if + # so. # - # The example below uses module failover to avoid querying all - # of the following modules if the EAP module returns "ok". - # Therefore, your LDAP and/or SQL servers will not be queried - # for the many packets that go back and forth to set up TTLS - # or PEAP. The load on those servers will therefore be reduced. + # Any LDAP and/or SQL servers will not be queried for the + # initial set of packets that go back and forth to set up + # TTLS or PEAP. # eap { ok = return @@ -161,20 +364,21 @@ authorize { # Pull crypt'd passwords from /etc/passwd or /etc/shadow, # using the system API's to get the password. If you want # to read /etc/passwd or /etc/shadow directly, see the - # passwd module in radiusd.conf. + # mods-available/passwd module. # # unix # - # Read the 'users' file + # Read the 'users' file. In v3, this is located in + # raddb/mods-config/files/authorize files # # Look in an SQL database. The schema of the database # is meant to mirror the "users" file. # - # See "Authorization Queries" in sql.conf -# sql + # See "Authorization Queries" in mods-available/sql +# -sql # # If you are using /etc/smbpasswd, and are also doing 
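Review bot: The `eap { ok = return }` path kept here depends on an inner-tunnel virtual server for PEAP and EAP-TTLS, but raddb/sites-enabled/inner-tunnel is deleted earlier in this patch and no replacement under the new sites-available/ layout is visible in this part of the diff. If PEAP/TTLS are still offered, confirm the role provisions and enables an inner-tunnel site; otherwise the inner EAP-MSCHAPv2 exchange fails even though the outer `eap` module loads. A pointer such as `# Inner tunnel for PEAP/TTLS: see sites-available/inner-tunnel` above the `eap {` block would make that dependency explicit. The authorize section begins and ends outside this hunk.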
@@ -183,20 +387,16 @@ authorize { # smbpasswd # - # The ldap module will set Auth-Type to LDAP if it has not - # already been set -# ldap + # The ldap module reads passwords from the LDAP database. +# -ldap # # Enforce daily limits on time spent logged in. # daily # - # Use the checkval module -# checkval - - expiration - logintime +# expiration +# logintime # # If no other module has claimed responsibility for @@ -209,7 +409,7 @@ authorize { # This module should be listed last, so that the other modules # get a chance to set Auth-Type for themselves. # - pap +# pap # # If "status_server = yes", then Status-Server messages are passed @@ -230,7 +430,7 @@ authorize { # Note that it does NOT mean 'try each module in order'. It means # that a module from the 'authorize' section adds a configuration # attribute 'Auth-Type := FOO'. That authentication type is then -# used to pick the apropriate module from the list below. +# used to pick the appropriate module from the list below. # # In general, you SHOULD NOT set the Auth-Type attribute. The server @@ -263,9 +463,9 @@ authenticate { # A back-end database listed in the 'authorize' section # MUST supply a CLEAR TEXT password. Encrypted passwords # won't work. - Auth-Type CHAP { - chap - } +# Auth-Type CHAP { +# chap +# } # # MSCHAP authentication. 
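Review bot: Commenting out `expiration` and `logintime` in authorize (first hunk on this line) changes how `Expiration` and `Login-Time` check items are enforced and what reply attributes (Session-Timeout, reject message) are produced, while the `files` module that reads those items stays enabled in the preceding hunk. If no entry in mods-config/files/authorize uses them this is harmless, but that should be stated, e.g. `# expiration/logintime disabled: no Expiration or Login-Time check items are used`; otherwise keep both modules listed and verify with a test entry that an expired account is still rejected. The authorize section begins and ends outside this hunk.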
@@ -273,34 +473,32 @@ authenticate { mschap } + # + # For old names, too. + # + mschap + # # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authorize' section. - digest +# digest # # Pluggable Authentication Modules. # pam + # Uncomment it if you want to use ldap for authentication # - # See 'man getpwent' for information on how the 'unix' - # module checks the users password. Note that packets - # containing CHAP-Password attributes CANNOT be authenticated - # against /etc/passwd! See the FAQ for details. + # Note that this means "check plain-text password against + # the ldap database", which means that EAP won't work, + # as it does not supply a plain-text password. # - # For normal "crypt" authentication, the "pap" module should - # be used instead of the "unix" module. The "unix" module should - # be used for authentication ONLY for compatibility with legacy - # FreeRADIUS configurations. + # We do NOT recommend using this. LDAP servers are databases. + # They are NOT authentication servers. FreeRADIUS is an + # authentication server, and knows what to do with authentication. + # LDAP servers do not. # - unix - - # Uncomment it if you want to use ldap for authentication - # - # Note that this means "check plain-text password against - # the ldap database", which means that EAP won't work, - # as it does not supply a plain-text password. # Auth-Type LDAP { # ldap # } @@ -317,7 +515,7 @@ authenticate { # # Auth-Type eap { # eap { -# handled = 1 +# handled = 1 # } # if (handled && (Response-Packet-Type == Access-Challenge)) { # attr_filter.access_challenge.post-auth 
@@ -333,6 +531,12 @@ authenticate { preacct { preprocess + # + # Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets + # into a single 64bit counter Acct-[Input|Output]-Octets64. + # +# acct_counters64 + # # Session start times are *implied* in RADIUS. # The NAS never sends a "start time". Instead, it sends @@ -341,12 +545,14 @@ preacct { # was "Acct-Delay-Time" seconds in the past. # # The code below creates an explicit start time, which can - # then be used in other modules. + # then be used in other modules. It will be *mostly* correct. + # Any errors are due to the 1-second resolution of RADIUS, + # and the possibility that the time on the NAS may be off. # # The start time is: NOW - delay - session_length # -# update request { +# update request { # FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" # } @@ -376,6 +582,10 @@ preacct { # Accounting. Log the accounting data. # accounting { + # Update accounting packet by adding the CUI attribute + # recorded from the corresponding Access-Accept + # use it only if your NAS boxes do not support CUI themselves +# cui # # Create a 'detail'ed log of the packets. # Note that accounting requests which are proxied @@ -386,7 +596,7 @@ accounting { # Update the wtmp file # # If you don't use "radlast", you can delete this line. -# unix + unix # # For Simultaneous-Use tracking. @@ -402,8 +612,8 @@ accounting { # # Log traffic to an SQL database. # - # See "Accounting queries" in sql.conf -# sql + # See "Accounting queries" in mods-available/sql + -sql # # If you receive stop packets with zero session length, 
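Review bot: Enabling `-sql` in the accounting section (hunk `@@ -402,8 +612,8 @@` on this line) makes accounting depend on an `sql` module instance that is not part of this file; the leading `-` means a missing or unloaded module is skipped without error, so if mods-enabled/sql is not provisioned by the role the accounting records are silently dropped instead of failing at startup. Either confirm the role ships the sql module or use plain `sql` so a misconfiguration surfaces loudly, and record the decision, e.g. `# accounting is persisted to SQL (mods-enabled/sql); keep this enabled`. The `unix` line enabled in `@@ -386,7 +596,7 @@` also writes wtmp, which is redundant if SQL is the source of truth. The accounting section begins and ends outside these hunks.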
@@ -443,14 +653,14 @@ accounting { } -# Session database, used for checking Simultaneous-Use. Either the radutmp +# Session database, used for checking Simultaneous-Use. Either the radutmp # or rlm_sql module can handle this. # The rlm_sql module is *much* faster session { - radutmp +# radutmp # - # See "Simultaneous Use Checking Queries" in sql.conf + # See "Simultaneous Use Checking Queries" in mods-available/sql # sql } @@ -459,20 +669,49 @@ session { # Once we KNOW that the user has been authenticated, there are # additional steps we can take. post-auth { + # + # If you need to have a State attribute, you can + # add it here. e.g. for later CoA-Request with + # State, and Service-Type = Authorize-Only. + # +# if (!&reply:State) { +# update reply { +# State := "0x%{randstr:16h}" +# } +# } + + # + # For EAP-TTLS and PEAP, add the cached attributes to the reply. + # The "session-state" attributes are automatically cached when + # an Access-Challenge is sent, and automatically retrieved + # when an Access-Request is received. + # + # The session-state attributes are automatically deleted after + # an Access-Reject or Access-Accept is sent. + # + update { + &reply: += &session-state: + } + # Get an address from the IP Pool. # main_pool + + # Create the CUI value and add the attribute to Access-Accept. + # Uncomment the line below if *returning* the CUI. +# cui + # # If you want to have a log of authentication replies, - # un-comment the following line, and the 'detail reply_log' - # section, above. + # un-comment the following line, and enable the + # 'detail reply_log' module. # reply_log # # After authenticating the user, do another SQL query. # - # See "Authentication Logging Queries" in sql.conf -# sql + # See "Authentication Logging Queries" in mods-available/sql +# -sql # # Instead of sending the query to the SQL server, 
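Review bot: After this hunk the `session { }` section is empty: `radutmp` is commented out and `sql` was already commented, so any `Simultaneous-Use` check item has no backing store and is effectively not enforced. Since accounting now writes to SQL (`-sql` in `@@ -402,8 +612,8 @@`), enabling `sql` here is the consistent choice if concurrent-session limits are wanted; if they are not, a comment such as `# Simultaneous-Use is not enforced: no session backend configured` records that deliberately. The `# -sql` in the post-auth hunk on this line stays commented as well, so successful logins are not recorded in SQL either.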
@@ -481,14 +720,13 @@ post-auth { # sql_log # - # Un-comment the following if you have set - # 'edir_account_policy_check = yes' in the ldap module sub-section of - # the 'modules' section. + # Un-comment the following if you want to modify the user's object + # in LDAP after a successful login. # # ldap # For Exec-Program and Exec-Program-Wait - exec +# exec # # Calculate the various WiMAX keys. In order for this to work, @@ -515,6 +753,7 @@ post-auth { # # wimax + # If there is a client certificate (EAP-TLS, sometimes PEAP # and TTLS), then some attributes are filled out after the # certificate verification has been performed. These fields @@ -542,6 +781,14 @@ post-auth { # Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}" # } + # Insert class attribute (with unique value) into response, + # aids matching auth and acct records, and protects against duplicate + # Acct-Session-Id. Note: Only works if the NAS has implemented + # RFC 2865 behaviour for the class attribute, AND if the NAS + # supports long Class attributes. Many older or cheap NASes + # only support 16-octet Class attributes. +# insert_acct_class + # MacSEC requires the use of EAP-Key-Name. However, we don't # want to send it for all EAP sessions. Therefore, the EAP # modules put required data into the EAP-Session-Id attribute. 
@@ -549,33 +796,36 @@ post-auth { # # Uncomment the next few lines to copy the required data into # the EAP-Key-Name attribute -# if (reply:EAP-Session-Id) { +# if (&reply:EAP-Session-Id) { # update reply { -# EAP-Key-Name := "%{reply:EAP-Session-Id}" +# EAP-Key-Name := &reply:EAP-Session-Id # } # } - # If the WiMAX module did it's work, you may want to do more - # things here, like delete the MS-MPPE-*-Key attributes. - # - # if (updated) { - # update reply { - # MS-MPPE-Recv-Key !* 0x00 - # MS-MPPE-Send-Key !* 0x00 - # } - # } + # Remove reply message if the response contains an EAP-Message + remove_reply_message_if_eap # # Access-Reject packets are sent through the REJECT sub-section of the # post-auth section. # - # Add the ldap module name (or instance) if you have set + # Add the ldap module name (or instance) if you have set # 'edir_account_policy_check = yes' in the ldap module configuration # + # The "session-state" attributes are not available here. + # Post-Auth-Type REJECT { # log failed authentications in SQL, too. -# sql +# -sql attr_filter.access_reject + + # Insert EAP-Failure message if the request was + # rejected by policy instead of because of an + # authentication failure + eap + + # Remove reply message if the response contains an EAP-Message + remove_reply_message_if_eap } } @@ -588,7 +838,16 @@ post-auth { # Only a few modules currently have this method. # pre-proxy { -# attr_rewrite + # Before proxing the request add an Operator-Name attribute identifying + # if the operator-name is found for this client. + # No need to uncomment this if you have already enabled this in + # the authorize section. +# operator-name + + # The client requests the CUI by sending a CUI attribute + # containing one zero byte. + # Uncomment the line below if *requesting* the CUI. +# cui # Uncomment the following line if you want to change attributes # as defined in the preproxy_users file. 
@@ -617,8 +876,6 @@ post-proxy { # section, above. # post_proxy_log -# attr_rewrite - # Uncomment the following line if you want to filter replies from # remote proxies based on the rules defined in the 'attrs' file. # attr_filter.post-proxy @@ -653,8 +910,8 @@ post-proxy { # Accounting-Requests from the NAS, but only writes # accounting packets to disk if the home server is down. # -# Post-Proxy-Type Fail { +# Post-Proxy-Type Fail-Accounting { # detail # } } - +} diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml index 87abe00..1f65a80 100644 --- a/roles/radius/tasks/main.yml +++ b/roles/radius/tasks/main.yml 
@@ -1,87 +1,35 @@ --- - name: Install radius server - apt: name={{item}} state=latest - tags: radius - with_items: - - freeradius - - freeradius-ldap - -- name: Create configuration directories - file: path={{item}} state=directory owner=freerad group=freerad - tags: radius - with_items: - - /etc/raddb - - /etc/raddb/certs - - /etc/raddb/modules - - /etc/raddb/sites-enabled + apt: name=freeradius - name: Ensure certificates are available - command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/raddb/certs/srv.key -out /etc/raddb/certs/srv.crt -days 730 -subj "/CN={{ ansible_fqdn }}" creates=/etc/raddb/certs/srv.crt - tags: radius + command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/freeradius/3.0/certs/srv.key -out /etc/freeradius/3.0/certs/srv.crt -days 730 -subj "/CN={{ ansible_fqdn }}" creates=/etc/freeradius/3.0/certs/srv.crt notify: Restart freeradius - name: Ensure correct certificate permissions - file: path=/etc/raddb/certs/srv.key owner=freerad mode=0400 - tags: radius + file: path=/etc/freeradius/3.0/certs/srv.key owner=freerad mode=0400 notify: Restart freeradius - name: Create DH parameters command: openssl dhparam -outform PEM -out {{ item }} 2048 creates={{ item }} - tags: radius - notify: Restart freeradius with_items: - - /etc/raddb/certs/dh - -- name: Set radiusd options - copy: src=default/freeradius dest=/etc/default/freeradius - tags: radius + - /etc/freeradius/3.0/certs/dh notify: Restart freeradius - name: Configure radius server - copy: src={{item}} dest=/etc/{{item}} owner=root group=freerad - tags: radius - notify: Restart freeradius + template: src={{ item }}.j2 dest=/etc/freeradius/3.0/{{ item }} owner=freerad group=freerad with_items: - - raddb/acct_users - - raddb/attrs - - raddb/attrs.access_challenge - - raddb/attrs.access_reject - - raddb/attrs.accounting_response - - raddb/attrs.pre-proxy - - raddb/clients.conf - - raddb/dictionary - - raddb/eap.conf - - raddb/hints - - raddb/huntgroups - - raddb/ldap.attrmap - 
- raddb/policy.conf - - raddb/proxy.conf - - raddb/radiusd.conf - - raddb/preproxy_users - - raddb/users - - raddb/modules/acct_unique - - raddb/modules/attr_filter - - raddb/modules/chap - - raddb/modules/detail - - raddb/modules/digest - - raddb/modules/exec - - raddb/modules/expr - - raddb/modules/expiration - - raddb/modules/files - - raddb/modules/ldap - - raddb/modules/logintime - - raddb/modules/mschap - - raddb/modules/pap - - raddb/modules/preprocess - - raddb/modules/pap - - raddb/modules/radutmp - - raddb/modules/realm - - raddb/modules/unix - - raddb/sites-enabled/control-socket - - raddb/sites-enabled/default - - raddb/sites-enabled/inner-tunnel + - clients.conf + notify: Restart freeradius + +- name: Configure radius server + copy: src={{ item }} dest=/etc/freeradius/3.0/{{ item }} owner=freerad group=freerad + with_items: + - mods-available/eap + - mods-config/files/authorize + - sites-available/default + notify: Restart freeradius - name: Start the radius server service: name=freeradius state=started enabled=yes - tags: radius diff --git a/roles/radius/templates/clients.conf.j2 b/roles/radius/templates/clients.conf.j2 new file mode 100644 index 0000000..0217d6b --- /dev/null +++ b/roles/radius/templates/clients.conf.j2 @@ -0,0 +1,15 @@ +# -*- text -*- +## +## clients.conf -- client configuration directives +## +## $Id: 76b300d3c55f1c5c052289b76bf28ac3a370bbb2 $ + +####################################################################### +# +# Define RADIUS clients (usually a NAS, Access Point, etc.). + +# Access Points via the management subnet +client ap { + ipaddr = 172.23.1.0/24 + secret = {{ radius_secret }} +}
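Review bot: The new `template:` task writes clients.conf, which carries `{{ radius_secret }}`, with `owner=freerad group=freerad` but no `mode`, so the file is created with whatever the default umask gives (typically 0644, i.e. world-readable); the same applies to the `copy:` task for `mods-config/files/authorize`, which per the diffstat is the renamed `users` file and, in FreeRADIUS, usually holds user credentials. Add an explicit mode to both, e.g. `template: src={{ item }}.j2 dest=/etc/freeradius/3.0/{{ item }} owner=freerad group=freerad mode=0640` and `copy: src={{ item }} dest=/etc/freeradius/3.0/{{ item }} owner=freerad group=freerad mode=0640`. The two configuration tasks also share the name "Configure radius server", which makes play output and `--start-at-task` ambiguous; naming them by mechanism (templated vs. static files) would help. The key written by the `openssl req` task gets its permissions only from the following task, so the brief window in between is worth a comment if the play can be interrupted there.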
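Review bot: The `client ap` block hands a single shared secret to the whole `172.23.1.0/24` range, so any host on that subnet, not only the access points, can send RADIUS requests with the correct secret, and one compromised AP exposes the secret used by all of them. Document this trade-off in the template, e.g. `# One secret for the whole management /24: any host there can act as a NAS; split into per-AP entries if the subnet is shared.`, or enumerate per-AP `client` entries with their own secrets from the vault. Setting `require_message_authenticator = yes` inside the block additionally rejects Access-Requests from these clients whose integrity cannot be verified with the secret. The vendored `$Id:` line no longer corresponds to a file in this repository and could be dropped.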