diff options
Diffstat (limited to '')
-rw-r--r-- | raddb/mods-config/attr_filter/access_challenge | 19 | ||||
-rw-r--r-- | raddb/mods-config/attr_filter/access_reject | 18 | ||||
-rw-r--r-- | raddb/mods-config/attr_filter/accounting_response | 16 | ||||
-rw-r--r-- | raddb/mods-config/attr_filter/coa | 22 | ||||
-rw-r--r-- | raddb/mods-config/attr_filter/post-proxy | 119 | ||||
-rw-r--r-- | raddb/mods-config/attr_filter/pre-proxy | 65 |
6 files changed, 259 insertions, 0 deletions
diff --git a/raddb/mods-config/attr_filter/access_challenge b/raddb/mods-config/attr_filter/access_challenge new file mode 100644 index 0000000..12ed619 --- /dev/null +++ b/raddb/mods-config/attr_filter/access_challenge @@ -0,0 +1,19 @@ +# +# Configuration file for the rlm_attr_filter module. +# Please see rlm_attr_filter(5) manpage for more information. +# +# $Id$ +# +# This configuration file is used to remove almost all of the +# attributes From an Access-Challenge message. The RFCs say +# that an Access-Challenge packet can contain only a few +# attributes. We enforce that here. +# +DEFAULT + EAP-Message =* ANY, + State =* ANY, + Message-Authenticator =* ANY, + Reply-Message =* ANY, + Proxy-State =* ANY, + Session-Timeout =* ANY, + Idle-Timeout =* ANY diff --git a/raddb/mods-config/attr_filter/access_reject b/raddb/mods-config/attr_filter/access_reject new file mode 100644 index 0000000..47f167b --- /dev/null +++ b/raddb/mods-config/attr_filter/access_reject @@ -0,0 +1,18 @@ +# +# Configuration file for the rlm_attr_filter module. +# Please see rlm_attr_filter(5) manpage for more information. +# +# $Id$ +# +# This configuration file is used to remove almost all of the attributes +# From an Access-Reject message. The RFCs say that an Access-Reject +# packet can contain only a few attributes. We enforce that here. +# +DEFAULT + EAP-Message =* ANY, + State =* ANY, + Message-Authenticator =* ANY, + Error-Cause =* ANY, + Reply-Message =* ANY, + MS-CHAP-Error =* ANY, + Proxy-State =* ANY diff --git a/raddb/mods-config/attr_filter/accounting_response b/raddb/mods-config/attr_filter/accounting_response new file mode 100644 index 0000000..01e9c6f --- /dev/null +++ b/raddb/mods-config/attr_filter/accounting_response @@ -0,0 +1,16 @@ +# +# Configuration file for the rlm_attr_filter module. +# Please see rlm_attr_filter(5) manpage for more information. +# +# $Id$ +# +# This configuration file is used to remove almost all of the attributes +# From an Accounting-Response message. The RFC's say that an +# Accounting-Response packet can contain only a few attributes. +# We enforce that here. +# +DEFAULT + Vendor-Specific =* ANY, + Message-Authenticator =* ANY, + Error-Cause =* ANY, + Proxy-State =* ANY diff --git a/raddb/mods-config/attr_filter/coa b/raddb/mods-config/attr_filter/coa new file mode 100644 index 0000000..89cea2e --- /dev/null +++ b/raddb/mods-config/attr_filter/coa @@ -0,0 +1,22 @@ +# +# Configuration file for the rlm_attr_filter module. +# Please see rlm_attr_filter(5) manpage for more information. +# +# $Id$ +# +# This configuration file is used to remove attributes From an +# CoA-Request or Disconnect-Request message. We have specified +# a sample list here. This will have to be modified to add +# attributes needed by your local configuration. +# +DEFAULT + User-Name =* ANY, + NAS-IP-Address =* ANY, + NAS-IPv6-Address =* ANY, + NAS-Port =* ANY, + NAS-Identifier =* ANY, + NAS-Port-Type =* ANY, + Calling-Station-Id =* ANY, + State =* ANY, + Message-Authenticator =* ANY, + Proxy-State =* ANY diff --git a/raddb/mods-config/attr_filter/post-proxy b/raddb/mods-config/attr_filter/post-proxy new file mode 100644 index 0000000..5d889ea --- /dev/null +++ b/raddb/mods-config/attr_filter/post-proxy @@ -0,0 +1,119 @@ +# +# Configuration file for the rlm_attr_filter module. +# Please see rlm_attr_filter(5) manpage for more information. +# +# $Id$ +# +# This file contains security and configuration information +# for each realm. The first field is the realm name and +# can be up to 253 characters in length. This is followed (on +# the next line) with the list of filter rules to be used to +# decide what attributes and/or values we allow proxy servers +# to pass to the NAS for this realm. +# +# When a proxy-reply packet is received from a home server, +# these attributes and values are tested. Only the first match +# is used unless the "Fall-Through" variable is set to "Yes". +# In that case the rules defined in the DEFAULT case are +# processed as well. +# +# A special realm named "DEFAULT" matches on all realm names. +# You can have only one DEFAULT entry. All entries are processed +# in the order they appear in this file. The first entry that +# matches the login-request will stop processing unless you use +# the Fall-Through variable. +# +# Indented (with the tab character) lines following the first +# line indicate the filter rules. +# +# You can include another `attrs' file with `$INCLUDE attrs.other' +# + +# +# This is a complete entry for realm "fisp". Note that there is no +# Fall-Through entry so that no DEFAULT entry will be used, and the +# server will NOT allow any other a/v pairs other than the ones +# listed here. +# +# These rules allow: +# o Only Framed-User Service-Types ( no telnet, rlogin, tcp-clear ) +# o PPP sessions ( no SLIP, CSLIP, etc. ) +# o dynamic ip assignment ( can't assign a static ip ) +# o an idle timeout value set to 600 seconds (10 min) or less +# o a max session time set to 28800 seconds (8 hours) or less +# +#fisp +# Service-Type == Framed-User, +# Framed-Protocol == PPP, +# Framed-IP-Address == 255.255.255.254, +# Idle-Timeout <= 600, +# Session-Timeout <= 28800 + +# +# This is a complete entry for realm "tisp". Note that there is no +# Fall-Through entry so that no DEFAULT entry will be used, and the +# server will NOT allow any other a/v pairs other than the ones +# listed here. +# +# These rules allow: +# o Only Login-User Service-Type ( no framed/ppp sessions ) +# o Telnet sessions only ( no rlogin, tcp-clear ) +# o Login host of 192.0.2.1 +# +#tisp +# Service-Type == Login-User, +# Login-Service == Telnet, +# Login-TCP-Port == 23, +# Login-IP-Host == 192.0.2.1 + +# +# The following example can be used for a home server which is only +# allowed to supply a Reply-Message, a Session-Timeout attribute of +# maximum 86400, a Idle-Timeout attribute of maximum 600 and a +# Acct-Interim-Interval attribute between 300 and 3600. +# All other attributes sent back will be filtered out. +# +#strictrealm +# Reply-Message =* ANY, +# Session-Timeout <= 86400, +# Idle-Timeout <= 600, +# Acct-Interim-Interval >= 300, +# Acct-Interim-Interval <= 3600 + +# +# This is a complete entry for realm "spamrealm". Fall-Through is used, +# so that the DEFAULT filter rules are used in addition to these. +# +# These rules allow: +# o Force the application of Filter-ID attribute to be returned +# in the proxy reply, whether the proxy sent it or not. +# o The standard DEFAULT rules as defined below +# +#spamrealm +# Framed-Filter-Id := "nosmtp.in", +# Fall-Through = Yes + +# +# The rest of this file contains the DEFAULT entry. +# DEFAULT matches with all realm names. (except if the realm previously +# matched an entry with no Fall-Through) +# + +DEFAULT + Framed-IP-Address == 255.255.255.254, + Framed-IP-Netmask == 255.255.255.255, + Framed-MTU >= 576, + Framed-Filter-ID =* ANY, + Reply-Message =* ANY, + Proxy-State =* ANY, + EAP-Message =* ANY, + Message-Authenticator =* ANY, + MS-MPPE-Recv-Key =* ANY, + MS-MPPE-Send-Key =* ANY, + MS-CHAP-MPPE-Keys =* ANY, + State =* ANY, + Session-Timeout <= 28800, + Idle-Timeout <= 600, + Calling-Station-Id =* ANY, + Operator-Name =* ANY, + Port-Limit <= 2 diff --git a/raddb/mods-config/attr_filter/pre-proxy b/raddb/mods-config/attr_filter/pre-proxy new file mode 100644 index 0000000..47b0126 --- /dev/null +++ b/raddb/mods-config/attr_filter/pre-proxy @@ -0,0 +1,65 @@ +# +# Configuration file for the rlm_attr_filter module. +# Please see rlm_attr_filter(5) manpage for more information. +# +# $Id$ +# +# This file contains security and configuration information +# for each realm. It can be used be an rlm_attr_filter module +# instance to filter attributes before sending packets to the +# home server of a realm. +# +# When a packet is sent to a home server, these attributes +# and values are tested. Only the first match is used unless +# the "Fall-Through" variable is set to "Yes". In that case +# the rules defined in the DEFAULT case are processed as well. +# +# A special realm named "DEFAULT" matches on all realm names. +# You can have only one DEFAULT entry. All entries are processed +# in the order they appear in this file. The first entry that +# matches the login-request will stop processing unless you use +# the Fall-Through variable. +# +# The first line indicates the realm to which the rules apply. +# Indented (with the tab character) lines following the first +# line indicate the filter rules. +# + +# This is a complete entry for 'nochap' realm. It allows to send very +# basic attributes to the home server. Note that there is no Fall-Through +# entry so that no DEFAULT entry will be used. Only the listed attributes +# will be sent in the packet, all other attributes will be filtered out. +# +#nochap +# User-Name =* ANY, +# User-Password =* ANY, +# NAS-IP-Address =* ANY, +# NAS-Identifier =* ANY + +# The entry for the 'brokenas' realm removes the attribute NAS-Port-Type +# if its value is different from 'Ethernet'. Then the default rules are +# applied. +# +#brokenas +# NAS-Port-Type == Ethernet +# Fall-Through = Yes + +# The rest of this file contains the DEFAULT entry. +# DEFAULT matches with all realm names. + +DEFAULT + User-Name =* ANY, + User-Password =* ANY, + CHAP-Password =* ANY, + CHAP-Challenge =* ANY, + MS-CHAP-Challenge =* ANY, + MS-CHAP-Response =* ANY, + EAP-Message =* ANY, + Message-Authenticator =* ANY, + State =* ANY, + NAS-IP-Address =* ANY, + NAS-Identifier =* ANY, + Operator-Name =* ANY, + Calling-Station-Id =* ANY, + Chargeable-User-Identity =* ANY, + Proxy-State =* ANY |