author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-13 14:11:00 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-13 14:11:00 +0000
commit: af754e596a8dbb05ed8580c342e7fe02e08b28e0 (patch)
tree: b2f334c2b55ede42081aa6710a72da784547d8ea /doc/vendor
parent: Initial commit. (diff)
download: freeradius-af754e596a8dbb05ed8580c342e7fe02e08b28e0.tar.xz
          freeradius-af754e596a8dbb05ed8580c342e7fe02e08b28e0.zip

Adding upstream version 3.2.3+dfsg. (upstream/3.2.3+dfsg, upstream)

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/vendor')
-rw-r--r--  doc/vendor/ascend      57
-rw-r--r--  doc/vendor/bay         11
-rw-r--r--  doc/vendor/cisco.rst  168
-rw-r--r--  doc/vendor/proxim      12
4 files changed, 248 insertions, 0 deletions
diff --git a/doc/vendor/ascend b/doc/vendor/ascend
new file mode 100644
index 0000000..57a44be
--- /dev/null
+++ b/doc/vendor/ascend
@@ -0,0 +1,57 @@
+ Ascend Radius Options
+ or
+ What happens when a big vendor ignores an RFC
+
+
+ FreeRADIUS uses Vendor-Specific attributes to send the Ascend attributes.
+By default, Ascend NASes send the Ascend specific attributes as NON VSA's,
+which conflict with new RADIUS attributes assigned by the IETF. This was
+a very bad screw-up by Ascend that still causes many headaches, but sometimes
+we have to live with it, so we try to cope the best we can.
+
+ If you see a large number of messages about invalid Message-Authenticator
+attribute, you most likely are affected by this problem, and should implement
+the first option.
+
+You have two options:
+
+o Enable VSA's on the Ascend/Lucent MAX:
+
+ This is by far the preferred method ( as it solves many other problems ).
+
+ Max6000/4000 Series TAOS with Menued Interface:
+
+ Go to Ethernet->Mod Config->Auth.
+ At the bottom of the menu, change Auth-Compat from "OLD" to "VSA".
+ Save your changes, no reboot is needed.
+
+ Go to Ethernet->Mod Config->Acct.
+ At the bottom of the menu, change Acct-Compat from "OLD" to "VSA".
+ Save your changes, no reboot is needed.
+
+ Max TNT/Apex 8000 Series TAOS with CLI:
+
+ nas> read external-auth
+ nas> set rad-auth-client auth-radius-compat = vendor-specific
+ nas> set rad-acct-client acct-radius-compat = vendor-specific
+ nas> write
+
+o Enable OLD attributes in FreeRADIUS
+
+ One note on this, Ciscos have an Ascend compatibility mode that
+ accepts only the OLD style Ascend attributes, just to make life more
+ interesting. :)
+
+ You can make FreeRADIUS send the OLD style attributes by prefixing the
+ Ascend attributes with 'X-' in the 'users' file, sql table, ldap directory,
+ attr_filter module, etc...
+
+ Thus the VSA Ascend attribute:
+
+ Ascend-Data-Filter
+
+ becomes the OLD Ascend attribute:
+
+ X-Ascend-Data-Filter
+
+$Id$
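Review bot: the second paragraph of this hunk tells the reader that "a large number of messages about invalid Message-Authenticator attribute" means they are affected and "should implement the first option", but nothing in the file connects that symptom to the cause given in the first paragraph, namely that old-style Ascend attributes "conflict with new RADIUS attributes assigned by the IETF". State which old-style attribute number collides with Message-Authenticator (RADIUS attribute 80) so an operator can confirm the diagnosis in a packet capture rather than guess, and say explicitly that switching the MAX to VSA mode removes the collision. Two smaller points: the "Enable OLD attributes" option should warn that a server sending the X- attributes will keep tripping the same Message-Authenticator check on any NAS that does send a real one, which is why the first option is preferred; and the trailing `$Id$` line is an unexpanded keyword placeholder and should be dropped.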
diff --git a/doc/vendor/bay b/doc/vendor/bay
new file mode 100644
index 0000000..a23cacd
--- /dev/null
+++ b/doc/vendor/bay
@@ -0,0 +1,11 @@
+ All versions of the BAY software prior to 18.0.2 are broken in
+regards to the Message-Authenticator. They send a strictly MD5
+encoded secret instead of the encoding required by the RFC. This has
+been fixed in 18.0.2 and only 18.0.2.
+
+ If you see messages in the radius log like:
+
+Received packet from xxx.xxx.xxx.xxx with invalid Message-Authenticator!
+
+ and you are using a Bay Annex, then you MUST upgrade the software on
+your Annex. There is NO other solution to the problem.
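Review bot: "fixed in 18.0.2 and only 18.0.2" contradicts the instruction two paragraphs later that the reader "MUST upgrade", which names no target version; if releases after 18.0.2 regressed, say so and tell the reader which version to install, otherwise drop "and only 18.0.2". The description of the bug also leaves "the RFC" unnamed and "strictly MD5 encoded secret" vague: name RFC 2869 and say that Message-Authenticator must be an HMAC-MD5 over the Access-Request keyed with the shared secret, not a plain MD5 of the secret, so that the log line quoted here can be matched against what is actually on the wire.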
diff --git a/doc/vendor/cisco.rst b/doc/vendor/cisco.rst
new file mode 100644
index 0000000..12270cb
--- /dev/null
+++ b/doc/vendor/cisco.rst
@@ -0,0 +1,168 @@
+Cisco IOS and Radius
+====================
+
+Introduction
+------------
+
+Cisco NAS equipment has become quite popular of late, but being Cisco
+equipment running IOS, the configuration can be a bit non-obvious to the
+unfamiliar. This document aims to describe the most common configuration
+options to make your Ciscos interoperate with radius as you would expect a
+well-behaved NAS to do.
+
+IOS 12.x
+--------
+
+For Cisco 12.x ( 12.0 and 12.1 ), the following AAA configuration directives
+are suggested:
+
+::
+
+ aaa new-model
+ aaa authentication login default group radius local
+ aaa authentication login localauth local
+ aaa authentication ppp default if-needed group radius local
+ aaa authorization exec default group radius local
+ aaa authorization network default group radius local
+ aaa accounting delay-start
+ aaa accounting exec default start-stop group radius
+ aaa accounting network default start-stop group radius
+ aaa processes 6
+
+this configuration works very well with most radius servers. One of the more
+important configurations is:
+
+::
+
+ aaa accounting delay-start
+
+This directive will delay the sending of the Accounting Start packet until
+after an IP address has been assigned during the PPP negotiation process.
+This will supersede the need to enable the sending of "Alive" packets as
+described below for IOS versions 11.x
+
+*Note* with the above it will use the radius server to authenticate
+your inbound 'telnet' connections. You will need to create an entry
+in your users file similar to the following to allow access:
+
+::
+
+ !root Cleartext-Password := "somepass" Service-Type = NAS-Prompt-User
+
+This will let a user in for the first level of access to your Cisco. You
+will still need to 'enable' ( using the locally configured enable secret )
+to perform any configuration changes or anything requiring a higher level
+of access. The username '!root' was used as an example here, you can make
+this any username you want, of course.
+
+Unique Acct-Session-Id's
+^^^^^^^^^^^^^^^^^^^^^^^^
+
+From: http://isp-lists.isp-planet.com/isp-australia/0201/msg05143.html
+
+Just a note to all cisco ISPs out there who want RFC2866 compliance need to
+enable the hidden command ``radius-server unique-ident <n>``
+
+Minimum IOS: 12.1(4.1)T.
+
+Acct-Session-Id should be unique and wrap after every 256 reboots.
+
+You must reboot after entering this command to take effect. If not, you
+will observe after 10 minutes
+of entering this command, the following message.
+
+::
+
+ %RADIUS-3-IDENTFAIL: Save of unique accounting ident aborted.
+
+IOS 11.x
+--------
+
+For Cisco 11.1, you normally use
+
+::
+
+ aaa new-model
+ aaa authentication ppp radppp if-needed radius
+ aaa authorization network radius none
+ aaa accounting network wait-start radius
+
+to get the Cisco to talk to a radius server.
+
+With IOS 11.3
+^^^^^^^^^^^^^
+
+::
+
+ aaa accounting update newinfo
+
+If you want the IP address of the user to show up in the radutmp file
+(and thus, the output of "radwho").
+
+This is because with IOS 11.3, the Cisco first sends a "Start" accounting
+packet without the IP address included. By setting "update newinfo" it
+will send an account "Alive" packet which updates the information.
+
+Also you might see a lot of "duplicates" in the logfile. That can be
+fixed by:
+
+::
+
+ aaa accounting network wait radius
+ radius-server timeout 3
+
+To disable the Ascend style attributes (which is a VERY good idea!):
+
+::
+
+ radius-server host X.Y.Z.A auth-port 1645 acct-port 1646
+
+To enable the Ascend style attributes (which we do NOT recommend!):
+
+::
+
+ radius-server host X.Y.Z.A auth-port 1645 acct-port 1646 non-standard
+
+To see Cisco-AVPair attributes in the Cisco debugging log:
+
+ radius-server vsa accounting
+
+Cisco 36xx & 26xx, keeping the NAS IP static
+--------------------------------------------
+
+The Cisco 36/26 by default selects (it seems at random) any IP address
+assigned to it (serial, ethernet etc.) as it's RADIUS client source
+address, thus the access request may be dropped by the RADIUS server,
+because it can not verify the client. To make the cisco box always use
+one fixed address, add the following to your configuration:
+
+::
+
+ ip radius source-interface Loopback0
+
+and configure the loopback interface on your router as follows:
+
+::
+
+ interface Loopback0
+ ip address 192.0.2.250 255.255.255.255
+
+Use a real world IP address and check the Cisco documentation for why
+it is a good idea to have working loopback interface configured on
+your router.
+
+If you don't want to use the loopback interface of course you can set
+the source-interface to any interface on your Cisco box which has an
+IP address.
+
+Credits
+-------
+
+Original - Alan DeKok <aland@ox.org>
+12.x Info - Chris Parker <cparker@starnetusa.net> 2000-10-12
+
+More Information
+----------------
+For more information, the following page on Cisco's web site may help:
+
+http://www.cisco.com/univercd/cc/td/doc/product/access/acs_serv/vapp_dev/vsaig3.htm
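Review bot: the users file entry `!root Cleartext-Password := "somepass" Service-Type = NAS-Prompt-User` puts a reply item on the check-item line. In the users file the first line carries the username and the check items, and reply items belong on an indented continuation line, so as written Service-Type is parsed as a check item instead of being returned to the Cisco, and the login the paragraph promises will not get NAS-Prompt-User. Suggest:
`!root   Cleartext-Password := "somepass"`
`        Service-Type = NAS-Prompt-User`
Also, `radius-server vsa accounting` at the end of the IOS 11.x section is the only command in the file not introduced by `::` and indented, so reStructuredText will render it as running text; fence it like the others. Minor: the "IOS 12.x" heading and its "( 12.0 and 12.1 )" qualifier, and the "Minimum IOS: 12.1(4.1)T" line, describe releases far older than the 3.2.3 server this file ships with; a one-line note on which of these directives still apply to current IOS would save readers from assuming the rest is obsolete.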
diff --git a/doc/vendor/proxim b/doc/vendor/proxim
new file mode 100644
index 0000000..3a8f2b9
--- /dev/null
+++ b/doc/vendor/proxim
@@ -0,0 +1,12 @@
+Proxim
+^^^^^^
+
+Proxim AP-2000 NASes up to and including firmware version 2.4.5 ignore
+the Session-Timeout attribute, despite the fact that Proxim's firmware
+release notes specifically state that it is supported. On top of
+this, firmware version 2.4.5 (the latest as of this writing) has a bug
+in which the reauthentication interval on the AP cannot be set to any
+value less than 2 hours. As such, fine-grained control of client
+session times is not currently possible with this NAS. Note that this
+NAS is OEMed to several vendors, including Avaya, and may be listed
+under different names with different vendors.
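Review bot: "firmware version 2.4.5 (the latest as of this writing)" carries no date, and the file is being imported into a 2024 package, so a reader cannot tell whether later Proxim firmware fixed either bug; add the date the note was written (or the 2.4.5 release date) so the claim can be re-checked. The consequence for the server side should also be stated in one sentence: because the AP ignores Session-Timeout, a session lifetime granted by the RADIUS server is not enforced, and the only fallback is the AP's own reauthentication interval, which this firmware cannot set below two hours. Style: this is the only plain-text vendor file here that uses a reStructuredText `^^^^^^` underline; either rename it to .rst as cisco.rst is, or drop the underline.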