Diffstat (limited to '')
-rw-r--r--raddb/all.mk8
-rw-r--r--raddb/certs/Makefile2
-rw-r--r--raddb/clients.conf97
-rw-r--r--raddb/mods-available/date45
-rw-r--r--raddb/mods-available/detail33
-rw-r--r--raddb/mods-available/dpsk145
-rw-r--r--raddb/mods-available/eap75
-rw-r--r--raddb/mods-available/json2
-rw-r--r--raddb/mods-available/ldap27
-rw-r--r--raddb/mods-available/ldap_google2
-rw-r--r--raddb/mods-available/mschap38
-rw-r--r--raddb/mods-available/sql32
-rw-r--r--raddb/mods-available/sql_map5
-rw-r--r--raddb/mods-available/totp45
-rw-r--r--raddb/mods-config/sql/counter/sqlite/dailycounter.conf2
-rw-r--r--raddb/mods-config/sql/counter/sqlite/expire_on_login.conf2
-rw-r--r--raddb/mods-config/sql/counter/sqlite/monthlycounter.conf2
-rw-r--r--raddb/mods-config/sql/counter/sqlite/weeklycounter.conf2
-rw-r--r--raddb/mods-config/sql/cui/mysql/schema.sql2
-rw-r--r--raddb/mods-config/sql/dhcp/mysql/queries.conf2
-rw-r--r--raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql2
-rw-r--r--raddb/mods-config/sql/ippool-dhcp/sqlite/schema.sql2
-rw-r--r--raddb/mods-config/sql/ippool/mongo/queries.conf12
-rw-r--r--raddb/mods-config/sql/ippool/oracle/queries.conf5
-rw-r--r--raddb/mods-config/sql/ippool/sqlite/schema.sql2
-rw-r--r--raddb/mods-config/sql/main/mongo/queries.conf10
-rw-r--r--raddb/mods-config/sql/main/mssql/queries.conf2
-rw-r--r--raddb/mods-config/sql/main/mysql/extras/wimax/schema.sql2
-rw-r--r--raddb/mods-config/sql/main/mysql/process-radacct.sql2
-rw-r--r--raddb/mods-config/sql/main/postgresql/queries.conf2
-rw-r--r--raddb/mods-config/sql/moonshot-targeted-ids/mysql/schema.sql2
-rw-r--r--raddb/policy.d/canonicalization1
-rw-r--r--raddb/proxy.conf18
-rw-r--r--raddb/radiusd.conf.in216
-rw-r--r--raddb/sites-available/aws-nlb9
-rw-r--r--raddb/sites-available/default16
-rw-r--r--raddb/sites-available/inner-tunnel9
-rw-r--r--raddb/sites-available/tls44
38 files changed, 850 insertions, 74 deletions
diff --git a/raddb/all.mk b/raddb/all.mk
index a7f4f14..6ab8c78 100644
--- a/raddb/all.mk
+++ b/raddb/all.mk
@@ -13,11 +13,15 @@ DEFAULT_MODULES := always attr_filter chap date \
mschap ntlm_auth pap passwd preprocess radutmp realm \
replicate soh sradutmp totp unix unpack utf8
+ifneq "$(OPENSSL_LIBS)" ""
+DEFAULT_MODULE += dpsk
+endif
+
LOCAL_MODULES := $(addprefix raddb/mods-enabled/,$(DEFAULT_MODULES))
LOCAL_CERT_FILES := Makefile README.md xpextensions \
ca.cnf server.cnf inner-server.cnf \
- client.cnf bootstrap
+ client.cnf realms/README.md bootstrap
#
# We don't create the installed certs if we're building a package,
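Review bot: The new `DEFAULT_MODULE += dpsk` line appends to a variable that nothing reads; the list consumed by `LOCAL_MODULES` on the following line is `DEFAULT_MODULES`, so the dpsk link in mods-enabled is never created even when OPENSSL_LIBS is set. Change it to `DEFAULT_MODULES += dpsk`. The guard would also be more robust as `ifneq "$(strip $(OPENSSL_LIBS))" ""`, since a value consisting only of whitespace currently counts as "present".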
@@ -32,7 +36,7 @@ endif
LEGACY_LINKS := $(addprefix $(R)$(raddbdir)/,users huntgroups hints)
-RADDB_DIRS := certs mods-available mods-enabled policy.d \
+RADDB_DIRS := certs certs/realms mods-available mods-enabled policy.d \
sites-available sites-enabled \
$(patsubst raddb/%,%,$(shell find raddb/mods-config -type d -print))
diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
index c9fbc9e..34948bd 100644
--- a/raddb/certs/Makefile
+++ b/raddb/certs/Makefile
@@ -28,7 +28,7 @@ include passwords.mk
#
######################################################################
.PHONY: all
-all: index.txt serial dh ca server client
+all: index.txt serial ca server client
.PHONY: client
client: client.pem
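Review bot: Dropping `dh` from the `all` target means a fresh `make` in raddb/certs no longer produces the DH parameter file, and nothing in the rule says why. If any `dh_file` setting in the eap configuration (not visible in this diff) still points at `${certdir}/dh`, a clean install will fail to start. If the intent is that the server now relies on ECDHE and OpenSSL's built-in groups, say so above the rule, e.g. `# "dh" is intentionally not built: TLS negotiates ECDHE groups and a static DH parameter file is no longer needed`, so nobody re-adds the target or is surprised by the missing file.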
diff --git a/raddb/clients.conf b/raddb/clients.conf
index 60f9f4b..5f39ff1 100644
--- a/raddb/clients.conf
+++ b/raddb/clients.conf
@@ -9,6 +9,25 @@
# Define RADIUS clients (usually a NAS, Access Point, etc.).
#
+# There are a number of security practices which are critical in the
+# modern era.
+#
+# * don't use RADIUS/UDP or RADIUS/TCP over the Internet. Use RADIUS/TLS.
+#
+# * If you do send RADIUS over UDP or TCP, don't send MS-CHAPv2.
+# Anyone who can see the MS-CHAPv2 data can crack it in milliseconds.
+#
+# * use the "radsecret" program to generate secrets. It uses Perl (sorry).
+# Every time you run it, it will generate a new strong secret.
+#
+# * don't create shared secrets yourself. Anything you create is likely to
+# be in a "cracking" dictionary, and will allow a hobbyist attacker
+# to crack the shared secret in a few minutes.
+#
+# * Don't trust anyone who tells you to ignore the above recommendations.
+#
+
+#
# Defines a RADIUS client.
#
# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
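Review bot: The added advice `If you do send RADIUS over UDP or TCP, don't send MS-CHAPv2` is both too broad and overstated. MS-CHAPv2 carried inside a PEAP or TTLS tunnel is protected by TLS and is not exposed on the RADIUS/UDP leg; the real risk is bare MS-CHAPv2 or MS-CHAPv2 proxied in the clear, so suggest `don't send MS-CHAPv2 outside of a TLS tunnel such as PEAP or TTLS`. Recovering the NT hash from a captured exchange is a 2^56 DES search, which is hours to days on commodity GPUs (or minutes against a weak password with a dictionary), not `milliseconds`; `can crack it offline in hours` keeps the warning honest. `radsecret` is referenced without a location; if it ships with the server, name the path so readers can find it.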
@@ -82,17 +101,33 @@ client localhost {
# Quotation marks can be entered by escaping them,
# e.g. "foo\"bar"
#
- # A note on security: The security of the RADIUS protocol
+ # A note on security: The security of the RADIUS protocol
# depends COMPLETELY on this secret! We recommend using a
- # shared secret that is composed of:
+ # shared secret that at LEAST 16 characters long. It should
+ # preferably be 32 characters in length. The secret MUST be
+ # random, and should not be words, phrase, or anything else
+ # that is recognisable.
+ #
+ # Computing power has increased enormously since RADIUS was
+ # first defined. A hobbyist with a high-end GPU can try ALL
+ # of the 8-character shared secrets in about a day. The
+ # security of shared secrets increases MUCH more with the
+ # length of the shared secret, than with number of different
+ # characters used in it. So don't bother trying to use
+ # "special characters" or anything else in an attempt to get
+ # un-guessable secrets. Instead, just get data from a secure
+ # random number generator, and use that.
+ #
+ # You should create shared secrets using a method like this:
+ #
+ # dd if=/dev/random bs=1 count=24 | base64
#
- # upper case letters
- # lower case letters
- # numbers
+ # This process will give output which takes 24 random bytes,
+ # and converts them to 32 characters of ASCII. The output
+ # should be accepted by all RADIUS clients.
#
- # And is at LEAST 8 characters long, preferably 16 characters in
- # length. The secret MUST be random, and should not be words,
- # phrase, or anything else that is recognisable.
+ # You should NOT create shared secrets by hand. They will
+ # not be random. They will will be trivial to crack.
#
# The default secret below is only for testing, and should
# not be used in any real environment.
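Review bot: The recommended command `dd if=/dev/random bs=1 count=24 | base64` emits `+` and `/` characters, which some NAS web UIs and CLIs reject or mangle, so the claim that the output `should be accepted by all RADIUS clients` is not safe as written. A hex encoding avoids the problem at the same 32-character length: `openssl rand -hex 16` gives 128 bits, which is still far beyond any feasible search, and `openssl rand -hex 24` is available where clients accept longer secrets. There is a doubled word at `They will will be trivial to crack`. Since the text now says secrets must never be hand-made, it would be consistent to flag the default right where it is set, e.g. `# "testing123" is in every cracking dictionary; replace it before this server is reachable from any network.`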
@@ -100,15 +135,45 @@ client localhost {
secret = testing123
#
- # Old-style clients do not send a Message-Authenticator
- # in an Access-Request. RFC 5080 suggests that all clients
- # SHOULD include it in an Access-Request. The configuration
- # item below allows the server to require it. If a client
- # is required to include a Message-Authenticator and it does
- # not, then the packet will be silently discarded.
+ # The global configuration "security.require_message_authenticator"
+ # flag sets the default for all clients. That default can be
+ # over-ridden here, by setting it to a value. If no value is set,
+ # then the default from the "radiusd.conf" file is used.
+ #
+ # See that file for full documentation on the flag, along
+ # with allowed values and meanings.
+ #
+ # This flag exists solely for legacy clients which do not send
+ # Message-Authenticator in all Access-Request packets. We do not
+ # recommend setting it to "no".
+ #
+ # The number one way to protect yourself from the BlastRADIUS
+ # attack is to update all RADIUS servers, and then set this
+ # flag to "yes". If all RADIUS servers are updated, and if
+ # all of them have this flag set to "yes" for all clients,
+ # then your network is safe. You can then upgrade the
+ # clients when it is convenient, instead of rushing the
+ # upgrades.
+ #
+ # allowed values: yes, no, auto
+ #
+# require_message_authenticator = no
+
+ #
+ # The global configuration "security.limit_proxy_state"
+ # flag sets the default for all clients. That default can be
+ # over-ridden here, by setting it to "no".
+ #
+ # See that file for full documentation on the flag, along
+ # with allowed values,and meanings.
+ #
+ # This flag exists solely for legacy clients which do not send
+ # Message-Authenticator in all Access-Request packets. We do not
+ # recommend setting it to "no".
+ #
+ # allowed values: yes, no, auto
#
- # allowed values: yes, no
- require_message_authenticator = no
+# limit_proxy_state = yes
#
# The short name is used as an alias for the fully qualified
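Review bot: The explanatory text for `limit_proxy_state` at `This flag exists solely for legacy clients which do not send Message-Authenticator` is a copy of the paragraph above it and describes the wrong flag; the Proxy-State limit concerns Access-Requests carrying Proxy-State attributes from clients that are not proxies (the radiusd.conf text it defers to is not in this diff, so confirm the exact wording there). Suggest `This flag exists solely for legacy clients which are proxies, and which therefore legitimately send Proxy-State. We do not recommend setting it to "no" for any client which is not a proxy.` The same paragraph says the default can be over-ridden `by setting it to "no"` while listing `yes, no, auto`; make the two agree, and fix `values,and`. Finally, the commented example `require_message_authenticator = no` shows the permissive value the surrounding text warns against; since such lines get uncommented by copy-paste, `= yes` (or `auto`) would be the safer example.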
diff --git a/raddb/mods-available/date b/raddb/mods-available/date
index 25a64da..2d7d85e 100644
--- a/raddb/mods-available/date
+++ b/raddb/mods-available/date
@@ -33,3 +33,48 @@ date wispr2date {
# default = no
# utc = yes
}
+
+#
+# The date module also provides the %{time_since:} xlat, which
+# makes it possible to both:
+# - get the time since the epoch in seconds, milliseconds or
+# microseconds; and
+# - calculate the time elapsed since a given time.
+#
+# Syntax is: %{time_since:BASE[ (number|&attribute)]}
+# where "BASE" is "s", "ms" or "us".
+#
+# Examples:
+# %{time_since:s}
+# - time in seconds since the epoch, same as %c
+#
+# %{time_since:s 1695753388}
+# - time in seconds since Tue 26 Sep 19:36:28 BST 2023
+# (which is 1695753388 in UNIX time)
+#
+# %{time_since:s &Tmp-Integer-0}
+# - Time since the number of seconds in Tmp-Integer-0
+#
+# %{time_since:ms}
+# - Milliseconds since the epoch
+#
+# %{time_since:us}
+# - Microseconds since the epoch
+#
+# The provided attribute should be an Integer (or Integer64 for
+# ms or us bases). However, other attributes will be converted if
+# possible, with a warning given. The only one that might make
+# sense is a Date attribute (which will be scaled appropriately
+# according to the base, as Date is always in seconds).
+#
+# Primary usage would be for taking latenct measurements, for
+# example to calculate the number of microseconds an LDAP call
+# took:
+#
+# update request {
+# &Tmp-Integer64-0 := %{time_since:us}"
+# }
+# ldap
+# update request {
+# &Tmp-Integer64-1 := %{time_since:us &Tmp-Integer64-0}"
+# }
diff --git a/raddb/mods-available/detail b/raddb/mods-available/detail
index ccf65f9..665b677 100644
--- a/raddb/mods-available/detail
+++ b/raddb/mods-available/detail
@@ -94,6 +94,39 @@ detail {
#
# log_packet_header = yes
+
+ #
+ # There are many, many, issues with dates being printed as
+ # humanly-readable strings. The server tries hard to both
+ # print and parse dates correctly, however this is not always
+ # possible.
+ #
+ # The detail files may be generated on one machine, and read
+ # on another. The two systems may have different languages,
+ # so the names of the month may not be parseable. The two
+ # systems may have different time zones. Time zone parsing
+ # is pretty much impossible, as there are multiple time zones
+ # with the same name!
+ #
+ # In some cases, the local libraries may not be able to
+ # correctly parse the time zone it printed! i.e. the system
+ # documentation for the C library time functions sometimes
+ # even says that the time zones are ignored, and the dates
+ # are parsed as UTC.
+ #
+ # All of these issues can be avoided by printing the dates as
+ # integer. In nearly all cases, the integer printed is
+ # exactly what was received in the packet.
+ #
+ # This may resolve some issues, but it's not perfect. The
+ # dates received by FreeRADIUS are sent by the NAS, and
+ # created on the NAS. So if the time on the NAS is wrong,
+ # the dates printed by FreeRADIUS will also be wrong. The
+ # only solution is to make sure that the NAS is using the
+ # correct time.
+ #
+# dates_as_integer = yes
+
#
# Certain attributes such as User-Password may be
# "sensitive", so they should not be printed in the
diff --git a/raddb/mods-available/dpsk b/raddb/mods-available/dpsk
new file mode 100644
index 0000000..3cd8411
--- /dev/null
+++ b/raddb/mods-available/dpsk
@@ -0,0 +1,145 @@
+# -*- text -*-
+#
+# $Id$
+
+#
+# Calculate dynamic PSKs
+#
+# This module needs the following attributes as input:
+#
+# * control:Pre-Shared-Key - the PSK for the user
+# * User-Name - the supplicant MAC in hex format, e.g. "abcdef012345"
+# * Called-Station-MAC - the AP MAC in binary
+# this attribute is set by the "rewrite_called_station_id" policy.
+# * FreeRADIUS-802.1X-Anonce - from the AP
+# * FreeRADIUS-802.1X-EAPoL-Key-Msg - from the AP
+#
+# Note that you MUST run the "rewrite_called_station_id" policy before calling this module.
+#
+# That policy MUST also create the Called-Station-MAC attribute.
+#
+# Then place the following configuration into the "authorize" section:
+#
+# authorize {
+# ...
+# rewrite_called_station_id
+#
+# update control {
+# &PSK-Identity := "bob"
+# &Pre-Shared-Key := "this-is-super-secret"
+# }
+# dpsk
+#
+# }
+#
+# And update the "authenticate" section to list the "dpsk" module:
+#
+# authenticate {
+# ...
+# dpsk
+# ...
+# }
+#
+# The module will return "fail" if the PSK is not correct. It will return "ok"
+# if the PSK is correct.
+#
+# It also updates &reply:Pre-Shared-Key with the found key, along with
+# &reply:PSK-Identity with the found identity.
+#
+# We STRONGLY RECOMMEND THAT NO ONE USE THIS MODULE.
+#
+# While it works, it needs to use a brute-force method to match MAC
+# to PSK. That process is extremely slow, and scales very poorly.
+#
+# i.e. if you have 10 PSKs, it's not too bad. If you have 10,000
+# PSKs, then the module can comsume 100% of CPU trying to
+# brute-force every PSK.
+#
+# This is a limitation of how DPSK works. There is no way to make it
+# better. The only thing we've done is to add a cache which can help
+# to minimize the amount of brute-force attempts.
+#
+
+#
+# The modules configuration.
+#
+dpsk {
+ #
+ # The maximum number of entries to cache.
+ #
+ # The cache is keyed by (supplicant MAC + SSID)
+ #
+ # The cache entry is the PSK-Identity and Pre-Sharedd-Key,
+ # and/or the PMK which are used to verify the information in
+ # the Access-Request.
+ #
+ cache_size = 1024
+
+ #
+ # The lifetime of an entry in the cache.
+ #
+ cache_lifetime = 86400
+
+ #
+ # PSKs can also be stored in a CSV file. The format of the file is:
+ #
+ # identity,psk,mac
+ #
+ # If there are commas in a field, then the field can be
+ # double quoted: "psk".
+ #
+ # The mac field is optional. If it exists, then that PSK
+ # will be used. It is highly recommended that the MAC *not* be placed
+ # into the CSV file. Instead, the MAC and PSK should be placed into a
+ # database. The server can then be configured to look up the MAC in the
+ # database, which returns the PSK. That way this module will only ever
+ # check one PSK, which is fast.
+ #
+ # i.e. the CSV file should only contain the small number of PSKs where
+ # you do not yet know the MAC. As soon as you know the MAC, you should
+ # put the MAC and PSK into a database, and then remove the MAC and PSK
+ # from the CSV file.
+ #
+ # NOTE: the file is opened and read from top to bottom for every
+ # new request which comes in. This process can be very slow!
+ #
+ # However, opening the file for every new request means that the
+ # server does not have to be reloaded when the file changes. Instead,
+ # the file can be generated, and then moved into place atomically:
+ #
+ # create csv file > psk.csv.new
+ # mv psk.csv.new psk.csv
+ #
+ # Any process which writes a new "psk.csv" file MUST NOT
+ # write to the file directly, as that will cause the dpsk
+ # module to read partial entries and fail. Instead, use "mv"
+ # to atomically overwrite the old file with a new one.
+ #
+ # Both "cache_size" and "filename" can be configured at the
+ # same time, which is recommended. When an entry in the file
+ # is found, the identity, PSK, and MAC are saved in the cache.
+ #
+ # If a cache entry is found, then the filename is NOT read.
+ #
+ # The resulting combination of features means that the module
+ # should be as fast as possible, given the limitations of DPSK.
+ #
+ # NOTE: Tests show that the module can do ~100K PSK / DPSK
+ # checks per second. This means that if you have 10,000
+ # users and 10 packets a second, the system will be 100% busy
+ # checking PSKs.
+ #
+ # As a result, the DPSK functionality is scales poorly. It
+ # should be used only with a small number of PSKs (100s
+ # perhaps), and only at low packet rates. If the server is
+ # getting 1000 packets per second, then it can only handle
+ # 100 PSKs before running out of CPU.
+ #
+ # Using the cache will help substantially. But the cache is
+ # only in memory, which means that all cache entries are lost
+ # when the server restarts. As a result, the combination of
+ # number of PSKs and packet rates should be kept as low as
+ # possible.
+ #
+# filename = "${modconfdir}/${..:name}/psk.csv"
+}
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
index ee9e539..d149707 100644
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -33,6 +33,28 @@ eap {
#
timer_expire = 60
+ #
+ # Some supplicants may misbehave by starting many thousands
+ # of EAP sessions, but never finishing them. These sessions
+ # can cause the server to hit 'max_sessions' very quickly.
+ # The 'timer_expire' configuration above does not help as
+ # much as it could, because the old (duplicate) session
+ # should be deleted as soon as the new one comes in.
+ #
+ # If you set the 'dedup_key' below, whenever the EAP module
+ # starts a new session, it will check for a previous session
+ # which has the same dedup key. If a previous session
+ # is found, it is deleted.
+ #
+ # Setting this configuration item may cause issues if the
+ # same device uses multiple EAP sessions at the same time.
+ # But that device behavior should be rare to non-existent.
+ #
+ # The configuration item is commented out so that upgrades
+ # do not change existing behavior.
+ #
+# dedup_key = "%{Calling-Station-Id}"
+
# There are many EAP types, but the server has support
# for only a limited subset. If the server receives
# a request for an EAP type it does not support, then
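Review bot: The suggested `dedup_key = "%{Calling-Station-Id}"` keys on a value the NAS copies from the supplicant, so a station that spoofs another device's MAC can tear down that device's in-progress EAP session simply by starting a new one; the comment only mentions the benign multi-session case. Add a sentence such as `# Calling-Station-Id is supplied by the NAS from the supplicant MAC and can be spoofed: a rogue station can use this to abort another station's authentication.` The text should also say what happens when the expansion is empty (attribute missing): if every such session shares the empty key they would delete each other, which is not visible from this hunk and needs confirming. The enclosing `eap {}` block continues outside the hunk.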
@@ -231,6 +253,9 @@ eap {
# Directory where multiple CAs are stored. Both
# "ca_file" and "ca_path" can be used at the same time.
#
+ # Each file in this directory must contain one
+ # certificate, and ONLY one certificate.
+ #
ca_path = ${cadir}
# OpenSSL does not reload contents of ca_path dir over time.
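Review bot: The added note that each file under `ca_path` must hold exactly one certificate omits the other requirement that trips people up: OpenSSL looks files up by subject-name hash, so the directory must be indexed with `openssl rehash` (older releases: `c_rehash`) after any change, or the certificates are simply not found. Suggest extending the comment: `# Each file must also be named by its subject hash; run "openssl rehash ${cadir}" after adding or removing a file.` The enclosing tls section starts outside this hunk.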
@@ -1112,4 +1137,54 @@ eap {
#
# virtual_server = inner-tunnel
#}
+
+ # EAP-TEAP
+ #
+ # The TEAP module implements the EAP-TEAP protocol
+ #
+ #teap {
+ # Point to the common TLS configuration
+ #
+ # tls = tls-common
+
+ # default_eap_type = mschapv2
+
+ # If 'cipher_list' is set here, it will over-ride the
+ # 'cipher_list' configuration from the 'tls-common'
+ # configuration. The EAP-TEAP module has it's own
+ # over-ride for 'cipher_list' because the
+ # specifications mandata a different set of ciphers
+ # than are used by the other EAP methods.
+ #
+ # cipher_list though must include "ADH" for anonymous provisioning.
+ # This is not as straight forward as appending "ADH" alongside
+ # "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is
+ # recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used
+ #
+ # cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
+
+ # PAC lifetime in seconds (default: seven days)
+ #
+ # pac_lifetime = 604800
+
+ # Authority ID of the server
+ #
+ # If you are running a cluster of RADIUS servers, you should make
+ # the value chosen here (and for "pac_opaque_key") the same on all
+ # your RADIUS servers. This value should be unique to your
+ # installation. We suggest using a domain name.
+ #
+ # authority_identity = "1234"
+
+ # PAC Opaque encryption key (must be exactly 32 bytes in size)
+ #
+ # This value MUST be secret, and MUST be generated using
+ # a secure method, such as via 'openssl rand -hex 32'
+ #
+ # pac_opaque_key = "0123456789abcdef0123456789ABCDEF"
+
+ # Same as for TTLS, PEAP, etc.
+ #
+ # virtual_server = inner-tunnel
+ #}
}
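Review bot: The `pac_opaque_key` guidance is internally inconsistent: the key `must be exactly 32 bytes`, the example is 32 characters, but `openssl rand -hex 32` prints 64 hex characters. Change the advice to `openssl rand -hex 16` (32 characters, 128 bits), or state that the value is hex-decoded before use if that is the case, which cannot be determined from this diff. The recommended `cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"` re-enables anonymous DH for every TEAP handshake, not only during provisioning, and also re-admits suites excluded from DEFAULT (RC4, 3DES, aNULL for all clients); with an unauthenticated tunnel an active attacker can interpose on the TLS layer, so the comment should say this list is only appropriate if anonymous PAC provisioning is actually used and that the `tls-common` list should otherwise be kept. If ADH is genuinely needed, at least drop the legacy suites: `ALL:!EXPORT:!eNULL:!SSLv2:!RC4:!3DES:!MD5`. The `authority_identity = "1234"` example contradicts the advice to use a domain name in the sentence above it; `"radius.example.com"` would match.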
diff --git a/raddb/mods-available/json b/raddb/mods-available/json
index 02a62ae..88f17c0 100644
--- a/raddb/mods-available/json
+++ b/raddb/mods-available/json
@@ -142,7 +142,7 @@ json {
# .Example
#
# ```
-# %{json_encode:&request[*] !&reply[*] &control.User-Name}
+# %{json_encode:&request[*] !&reply[*] &control:User-Name}
# ```
#
# #### Output format modes
diff --git a/raddb/mods-available/ldap b/raddb/mods-available/ldap
index 997d41e..d5838ff 100644
--- a/raddb/mods-available/ldap
+++ b/raddb/mods-available/ldap
@@ -41,7 +41,7 @@ ldap {
# That will give you the LDAP information for 'user'.
#
# Group membership can be queried by using the above "ldapsearch" string,
- # and adding "memberof" qualifiers. For ActiveDirectory, use:
+ # and adding "memberof" qualifiers. For Active Directory, use:
#
# ldapsearch ... '(&(objectClass=user)(sAMAccountName=user)(memberof=CN=group,${base_dn}))'
#
@@ -152,10 +152,10 @@ ldap {
# LDAP "bind as user" configuration to check PAP passwords.
#
- # Active Directory needs "bind as user", which can be done by
- # adding the following "if" statement to the authorize {} section
- # of the virtual server, after the "ldap" module. For
- # example:
+ # Active Directory (or Azure AD) needs "bind as user", which
+ # can be done by adding the following "if" statement to the
+ # authorize {} section of the virtual server, after the
+ # "ldap" module. For example:
#
# ...
# ldap
@@ -174,6 +174,23 @@ ldap {
# "Auth-Type LDAP" in order to do an LDAP "bind as user", which will hand
# the user name / password to AD for verification.
#
+ # Note that this ONLY works if FreeRADIUS receives a
+ # User-Password attribute in the Access-Request packet.
+ # e.g. PAP, or TTLS/PAP.
+ #
+ # USING MS-CHAP OR PEAP/MS-CHAP WITH ACTIVE DIRECTORY OVER LDAP WILL NOT WORK.
+ #
+ # ** EVER ***.
+ #
+ # THERE IS NOTHING YOU CAN DO TO MAKE IT WORK.
+ #
+ # If you have a local Active Directory server, you can use
+ # Samba and ntlm_auth. See the "mschap" and "ntlm_auth"
+ # modules for more information.
+ #
+ # Unfortunately, you cannot use Samba with Azure AD. You
+ # MUST use PAP or TTLS/PAP.
+ #
#
# Name of the attribute that contains the user DN.
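Review bot: The new block states that MS-CHAP against Active Directory over LDAP can never work but gives no reason, which is what readers need in order to stop trying. Add the one-line explanation: `# MS-CHAP can only be verified with the user's NT hash (or by an NTLM verifier such as ntlm_auth); an LDAP bind never reveals the hash, it only checks a clear-text password.` Because the fallback is PAP or TTLS/PAP, the server then forwards clear-text passwords to the directory, so the same comment should insist on TLS for the LDAP connection (`ldaps://` or StartTLS in the `tls {}` sub-section, not shown in this hunk) and on RADIUS/TLS or a TLS tunnel on the client side; otherwise the recommendation trades an unsolvable problem for a plaintext one.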
diff --git a/raddb/mods-available/ldap_google b/raddb/mods-available/ldap_google
index 03c98d3..9487c4b 100644
--- a/raddb/mods-available/ldap_google
+++ b/raddb/mods-available/ldap_google
@@ -21,7 +21,7 @@
# username and password. That username and password should be used
# below.
#
-# Ensure the Goolge client configuration which is used for FreeRADIUS
+# Ensure the Google client configuration which is used for FreeRADIUS
# has sufficient permissions to read user information, and, if group
# membership is part of the FreeRADIUS policy, ensure that the client
# can read group information. This configuration is done on Google's
diff --git a/raddb/mods-available/mschap b/raddb/mods-available/mschap
index 1748d57..5fbdcee 100644
--- a/raddb/mods-available/mschap
+++ b/raddb/mods-available/mschap
@@ -51,9 +51,26 @@ mschap {
# and the mschap module will do the authentication itself,
# without calling ntlm_auth.
#
- # Be VERY careful when editing the following line!
+ # This authentication can go wrong for a number of reasons:
+ # 1) the user does not exist in AD
+ # 2) the password entered by the user is not the same as
+ # what is in AD
+ # 3) some magic MS-CHAP data is wrong.
#
- # You can also try setting the user name as:
+ # These situations can be checked by running ntlm_auth
+ # from the command line with a name and a password:
+ #
+ # ntlm_auth --username=NAME --password=PASSWORD
+ #
+ # If that works, you know both that the user exists, and the
+ # password is correct. You also know what AD expects for the
+ # username.
+ #
+ # There is often confusion between different formats of the
+ # username. Is it "user", or "user@domain" or "DOMAIN\\user"?
+ # The answer is "that depends on your local AD system".
+ #
+ # One solution is to use this for the username:
#
# ... --username=%{mschap:User-Name} ...
#
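Review bot: The troubleshooting recipe `ntlm_auth --username=NAME --password=PASSWORD` puts a real user's password on the command line, where it is visible to every local user via `ps` and is written to shell history. Add a caveat: `# Use a throwaway test account for this; the password on the command line is visible in "ps" output and saved in your shell history.` It would also help to say that the command should be run as the same user the server runs as, because a winbind permission error here usually looks identical to a bad password. The enclosing `mschap {}` block and the `ntlm_auth = ...` line the comment refers to are outside this hunk.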
@@ -61,6 +78,23 @@ mschap {
# attribute, and do prefix/suffix checks in order to obtain
# the "best" user name for the request.
#
+ # Another option is to use the Stripped-User-Name, as in the
+ # example configuration below.
+ #
+ # You can test which format works by running the server in
+ # debug mode, and copying the hex strings from the
+ # --challenge=... and --nt-response=... output.
+ #
+ # Then, run ntlm_auth from the command line, using the same
+ # command-line options as given below. Since you can't
+ # change the challenge or nt-response strings, try changing
+ # the --username=... and --domain=... parameters. Try
+ # different formats for them until one works. There should only
+ # be a small number of variations possible.
+ #
+ # That is the username and domain format which you need to
+ # configure here in this file.
+ #
# For Samba 4, you should also set the "ntlm auth" parameter
# in the Samba configuration:
#
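Review bot: The suggestion to copy `--challenge=...` and `--nt-response=...` out of debug output should come with a warning that those two values are a complete MS-CHAPv2 handshake: whoever has them can recover the user's NT hash offline, and the NT hash is a pass-the-hash credential in its own right. Add: `# The challenge and response pair is enough to crack the password offline. Treat debug output containing them as a credential, and use a test account when experimenting.` The enclosing `mschap {}` block continues outside this hunk.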
diff --git a/raddb/mods-available/sql b/raddb/mods-available/sql
index 0f435ad..68ac4da 100644
--- a/raddb/mods-available/sql
+++ b/raddb/mods-available/sql
@@ -291,6 +291,23 @@ sql {
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
+ #
+ # The setting here should be lower than the maximum
+ # number of connections allowed by the database.
+ #
+ # i.e. There is no point in telling FreeRADIUS to use
+ # 64 connections, while the database is limited to 32
+ # connections. That configuration will cause the
+ # server to be "starved" of connections, and it will
+ # block during normal operations, even when the
+ # database is largely idle.
+ #
+ # At the same time, if the database is slow, there is
+ # no point in increasing "max". More connections
+ # will just cause the database to run more slowly.
+ # The correct fix for a slow database is to fix it, so
+ # that it responds to FreeRADIUS quickly.
+ #
max = ${thread[pool].max_servers}
# Spare connections to be left idle
@@ -371,6 +388,21 @@ sql {
# of the SQL module.
group_attribute = "SQL-Group"
+ # When attributes read from the network are used in SQL queries
+ # their values are escaped to make them safe.
+ # By default FreeRADIUS uses its escaping routine which replaces
+ # unsafe characters with their mime-encoded equivalent.
+ # The list of safe characters is conservative, to allow for differences
+ # between different SQL implementations.
+ #
+ # If you are using the mysql or postgresql drivers, those have their
+ # own escaping functions which only escape characters as required
+ # by those databases.
+ #
+ # Set this option to yes to use the database driver provided escape
+ # function.
+# auto_escape = no
+
# Read database-specific queries
$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
}
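Review bot: The `auto_escape` description should spell out two consequences that matter for security and for existing deployments. First, driver-provided escaping (mysql's in particular) is only correct when the driver knows the connection character set, so the comment should say that the connection and character-set settings must be configured consistently before turning this on; with a mismatched multibyte charset, escaping can be bypassed. Second, switching from the built-in encoding to driver escaping changes what gets stored and compared, so rows written under the old scheme (any value containing a previously "unsafe" character) will no longer match queries made under the new one; say that this is a migration, not a toggle. `mime-encoded` is also loose; if the built-in routine writes `=XX` hex sequences, say so, since operators need to recognise that form in their data.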
diff --git a/raddb/mods-available/sql_map b/raddb/mods-available/sql_map
index 93b2636..a0b32ef 100644
--- a/raddb/mods-available/sql_map
+++ b/raddb/mods-available/sql_map
@@ -6,11 +6,6 @@ sql_map {
# use the *instance* name here: sql1.
sql_module_instance = "sql"
- # This is duplicative of info available in the SQL module, but
- # we have to list it here as we do not yet support nested
- # reference expansions.
- dialect = "mysql"
-
# Name of the check item attribute to be used as a key in the SQL queries
query = "SELECT ... FROM ... "
diff --git a/raddb/mods-available/totp b/raddb/mods-available/totp
index 695365f..a68a317 100644
--- a/raddb/mods-available/totp
+++ b/raddb/mods-available/totp
@@ -13,6 +13,12 @@
#
# &control:TOTP-Secret
#
+# Any "bare" key should be placed into:
+#
+# &control:TOTP-Key
+#
+# If TOTP-Key exists, then it will be used instead of TOTP-Secret.
+#
# The TOTP password entered by the user should be placed into:
#
# &request:TOTP-Password
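Review bot: `Any "bare" key` at `&control:TOTP-Key` does not say what a bare key is or how it differs from `TOTP-Secret`; presumably one is the base32 string from the enrolment QR code and the other the raw decoded bytes, but the comment should state that explicitly so operators do not store the wrong form. Suggest `# If you already hold the raw (decoded, not base32) key bytes, place them into: &control:TOTP-Key`. Both attributes are long-lived shared secrets, so it is worth adding that they must be kept out of logs; the server prints control attributes in debug mode, so debug output from a TOTP-enabled server is itself sensitive.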
@@ -32,9 +38,44 @@
# https://linux.die.net/man/1/qrencode
#
# and then run that locally to get an image.
-#
#
-# The module takes no configuration items.
+#
+# Some tokens get severely out of sync with local time. It is
+# possible to offset the definition of "now" for one token by setting:
+#
+# &control:TOTP-Time-Offset := 120
+#
+# This is a signed integer, with allowed values between -600 to +600.
+# The offset is added to to the current time, to get the tokens idea
+# of "now".
#
totp {
+ #
+ # Default time step between time changes
+ #
+ time_step = 30
+
+ #
+ # Length of the one-time password.
+ #
+ # Must be 6 or 8
+ #
+ otp_length = 6
+
+ #
+ # How many steps backward in time we look for a matching OTP
+ #
+ lookback_steps = 1
+
+ #
+ # How many steps forward in time we look for a matching OTP
+ #
+ lookforward_steps = 0
+
+ #
+ # Time delta between steps.
+ #
+ # Cannot be larger than time_step
+ #
+ lookback_interval = 30
}
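Review bot: The new window settings (`lookback_steps`, `lookforward_steps`, `lookback_interval`, and the per-user `TOTP-Time-Offset` of up to ±600 seconds) widen the set of codes accepted at any moment, but nothing says whether a code that has already been accepted is refused a second time within that window. If the module does not track the last-used step (not visible here), an observed code is replayable for the whole window and the comment should say so and point operators at rate limiting and a short window; if it does, say that too. `lookback_interval` is described only as `Time delta between steps ... Cannot be larger than time_step`, which does not explain how it differs from `time_step` or why one would change it; a sentence with an example would help. `Must be 6 or 8` for `otp_length` reads like a protocol rule but is a module constraint (RFC 6238 also allows 7 digits); saying "this module supports 6 or 8" avoids confusion.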
diff --git a/raddb/mods-config/sql/counter/sqlite/dailycounter.conf b/raddb/mods-config/sql/counter/sqlite/dailycounter.conf
index 9a2ec38..b95afdf 100644
--- a/raddb/mods-config/sql/counter/sqlite/dailycounter.conf
+++ b/raddb/mods-config/sql/counter/sqlite/dailycounter.conf
@@ -5,7 +5,7 @@
# below
#
query = "\
- SELECT SUM(acctsessiontime - GREATEST((%%b - strftime('%%s', acctstarttime)), 0)) \
+ SELECT SUM(acctsessiontime - MAX((%%b - strftime('%%s', acctstarttime)), 0)) \
FROM radacct \
WHERE username = '%{${key}}' \
AND (strftime('%%s', acctstarttime) + acctsessiontime) > %%b"
diff --git a/raddb/mods-config/sql/counter/sqlite/expire_on_login.conf b/raddb/mods-config/sql/counter/sqlite/expire_on_login.conf
index f4e95a5..6c1c086 100644
--- a/raddb/mods-config/sql/counter/sqlite/expire_on_login.conf
+++ b/raddb/mods-config/sql/counter/sqlite/expire_on_login.conf
@@ -1,5 +1,5 @@
query = "\
- SELECT GREATEST(strftime('%%s', NOW()) - strftime('%%s', acctstarttime), 0) AS expires \
+ SELECT MAX(strftime('%%s', NOW()) - strftime('%%s', acctstarttime), 0) AS expires \
FROM radacct \
WHERE username = '%{${key}}' \
ORDER BY acctstarttime \
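Review bot: Replacing `GREATEST` with `MAX` fixes one MySQL-ism but leaves another on the same line: SQLite has no `NOW()` function, so `strftime('%%s', NOW())` fails with a no-such-function error and this query can never run. Use SQLite's built-in time string instead, `SELECT MAX(strftime('%%s', 'now') - strftime('%%s', acctstarttime), 0) AS expires \`. Two-argument `MAX(a, b)` is the scalar form in SQLite, which is what is wanted here, as opposed to the one-argument aggregate. The query continues past the end of this hunk.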
diff --git a/raddb/mods-config/sql/counter/sqlite/monthlycounter.conf b/raddb/mods-config/sql/counter/sqlite/monthlycounter.conf
index 5262097..3f5d427 100644
--- a/raddb/mods-config/sql/counter/sqlite/monthlycounter.conf
+++ b/raddb/mods-config/sql/counter/sqlite/monthlycounter.conf
@@ -5,7 +5,7 @@
# below
#
query = "\
- SELECT SUM(acctsessiontime - GREATEST((%%b - strftime('%%s', acctstarttime)), 0)) \
+ SELECT SUM(acctsessiontime - MAX((%%b - strftime('%%s', acctstarttime)), 0)) \
FROM radacct \
WHERE username = '%{${key}}' AND \
(strftime('%%s', acctstarttime) + acctsessiontime) > %%b"
diff --git a/raddb/mods-config/sql/counter/sqlite/weeklycounter.conf b/raddb/mods-config/sql/counter/sqlite/weeklycounter.conf
index 06ce3b6..90a8566 100644
--- a/raddb/mods-config/sql/counter/sqlite/weeklycounter.conf
+++ b/raddb/mods-config/sql/counter/sqlite/weeklycounter.conf
@@ -5,7 +5,7 @@
# below
#
query = "\
- SELECT SUM(acctsessiontime - GREATEST((%%b - strftime('%%s', acctstarttime)), 0)) \
+ SELECT SUM(acctsessiontime - MAX((%%b - strftime('%%s', acctstarttime)), 0)) \
FROM radacct \
WHERE username = '%{${key}}' \
AND (strftime('%%s', acctstarttime) + acctsessiontime) > %%b"
diff --git a/raddb/mods-config/sql/cui/mysql/schema.sql b/raddb/mods-config/sql/cui/mysql/schema.sql
index da9b2f7..01cc615 100644
--- a/raddb/mods-config/sql/cui/mysql/schema.sql
+++ b/raddb/mods-config/sql/cui/mysql/schema.sql
@@ -1,4 +1,4 @@
-CREATE TABLE `cui` (
+CREATE TABLE IF NOT EXISTS `cui` (
`clientipaddress` varchar(46) NOT NULL default '',
`callingstationid` varchar(50) NOT NULL default '',
`username` varchar(64) NOT NULL default '',
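Review bot: `CREATE TABLE IF NOT EXISTS` makes the schema file safe to re-run, but it also means an existing `cui` table with an older column set is silently left alone, so later schema changes in this file are never applied to an installed database. A comment above the statement would prevent that surprise, e.g. `-- IF NOT EXISTS: an existing table is kept as-is; column changes need an explicit ALTER TABLE.` The CREATE statement continues beyond this hunk.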
diff --git a/raddb/mods-config/sql/dhcp/mysql/queries.conf b/raddb/mods-config/sql/dhcp/mysql/queries.conf
index a28037b..b0254e5 100644
--- a/raddb/mods-config/sql/dhcp/mysql/queries.conf
+++ b/raddb/mods-config/sql/dhcp/mysql/queries.conf
@@ -69,7 +69,7 @@ authorize_group_reply_query = "\
ORDER BY id"
group_membership_query = "\
- SELECT groupnme \
+ SELECT groupname \
FROM ${dhcpgroup_table} \
WHERE identifier='%{SQL-User-Name}' AND context = '%{control:DHCP-SQL-Option-Context}' \
ORDER BY priority"
diff --git a/raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql b/raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql
index d8b1219..f996ba3 100644
--- a/raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql
+++ b/raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql
@@ -5,7 +5,7 @@
-- that is much faster.
--
-CREATE TABLE dhcpippool (
+CREATE TABLE IF NOT EXISTS dhcpippool (
id int unsigned NOT NULL auto_increment,
pool_name varchar(30) NOT NULL,
framedipaddress varchar(15) NOT NULL default '',
diff --git a/raddb/mods-config/sql/ippool-dhcp/sqlite/schema.sql b/raddb/mods-config/sql/ippool-dhcp/sqlite/schema.sql
index 339d58d..f7af667 100644
--- a/raddb/mods-config/sql/ippool-dhcp/sqlite/schema.sql
+++ b/raddb/mods-config/sql/ippool-dhcp/sqlite/schema.sql
@@ -9,7 +9,7 @@ CREATE TABLE dhcpstatus (
INSERT INTO dhcpstatus (status_id, status) VALUES (1, 'dynamic'), (2, 'static'), (3, 'declined'), (4, 'disabled');
CREATE TABLE dhcpippool (
- id int(11) PRIMARY KEY,
+ id INTEGER PRIMARY KEY,
pool_name varchar(30) NOT NULL,
framedipaddress varchar(15) NOT NULL default '',
pool_key varchar(30) NOT NULL default '',
diff --git a/raddb/mods-config/sql/ippool/mongo/queries.conf b/raddb/mods-config/sql/ippool/mongo/queries.conf
index 9d7d070..eedf0a0 100644
--- a/raddb/mods-config/sql/ippool/mongo/queries.conf
+++ b/raddb/mods-config/sql/ippool/mongo/queries.conf
@@ -22,12 +22,6 @@
# parser.
#
-#
-# TBD
-#
-on_begin = ""
-off_begin = ""
-
allocate_begin = ""
#
@@ -92,17 +86,11 @@ allocate_clear = "db.mypool_collection.findAndModify( \
allocate_commit = ""
-start_begin = ""
start_update = ""
-start_commit = ""
-stop_begin = ""
stop_clear = ""
-stop_commit = ""
-alive_begin = ""
alive_update = ""
-alive_commit = ""
on_clear = ""
off_clear = ""
diff --git a/raddb/mods-config/sql/ippool/oracle/queries.conf b/raddb/mods-config/sql/ippool/oracle/queries.conf
index 1a64b28..9704f56 100644
--- a/raddb/mods-config/sql/ippool/oracle/queries.conf
+++ b/raddb/mods-config/sql/ippool/oracle/queries.conf
@@ -13,11 +13,6 @@
skip_locked = ""
allocate_begin = "commit"
-start_begin = "commit"
-alive_begin = "commit"
-stop_begin = "commit"
-on_begin = "commit"
-off_begin = "commit"
#
# Attempt to allocate the address a client previously had. This is based on pool_key
diff --git a/raddb/mods-config/sql/ippool/sqlite/schema.sql b/raddb/mods-config/sql/ippool/sqlite/schema.sql
index b020c62..4dc25d1 100644
--- a/raddb/mods-config/sql/ippool/sqlite/schema.sql
+++ b/raddb/mods-config/sql/ippool/sqlite/schema.sql
@@ -2,7 +2,7 @@
-- Table structure for table 'radippool'
--
CREATE TABLE radippool (
- id int(11) PRIMARY KEY,
+ id INTEGER PRIMARY KEY,
pool_name varchar(30) NOT NULL,
framedipaddress varchar(15) NOT NULL default '',
nasipaddress varchar(15) NOT NULL default '',
diff --git a/raddb/mods-config/sql/main/mongo/queries.conf b/raddb/mods-config/sql/main/mongo/queries.conf
index 732e1e8..a496932 100644
--- a/raddb/mods-config/sql/main/mongo/queries.conf
+++ b/raddb/mods-config/sql/main/mongo/queries.conf
@@ -91,7 +91,7 @@ authorize_check_query = "db.${authcheck_table}.aggregate([ \
'op': ':=' \
} \
} \
-])" \
+])"
# TBD: fill in things here
authorize_reply_query = ""
@@ -150,7 +150,7 @@ accounting {
}, \
'$push': { \
'events_data': { \
- 'event_id': '%{sha256:%{tolower:%{Calling-Station-Id}', \
+ 'event_id': '%{sha256:%{tolower:%{Calling-Station-Id}}}', \
'event_type': 'Accounting-Start', \
'event_time': '%{Packet-Original-Timestamp}', \
'creation_date': { '$date': { '$numberLong': '%{expr: (%l * 1000) + (%M / 1000)}' } } \
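Review bot: The repaired `event_id` expansion hashes only the lower-cased Calling-Station-Id, so every event from one device gets the same id and the unsalted SHA-256 is reversible by enumerating the 48-bit MAC space; if it is meant to identify an event rather than a device, fold session and time in, along the lines of `'event_id': '%{sha256:%{tolower:%{Calling-Station-Id}}:%{Acct-Unique-Session-ID}:%{Packet-Original-Timestamp}}'`. When Calling-Station-Id is absent the expansion hashes the empty string, so all such events collide on one id. The same expression is repeated in the Interim-Update and Stop documents below, and the enclosing `accounting` section continues outside this hunk.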
@@ -202,7 +202,7 @@ accounting {
}, \
'$push': { \
'events_data': { \
- 'event_id': '%{sha256:%{tolower:%{Calling-Station-Id}', \
+ 'event_id': '%{sha256:%{tolower:%{Calling-Station-Id}}}', \
'event_type': 'Accounting-Interim-Update', \
'event_time': '%{Packet-Original-Timestamp}', \
'creation_date': { '$date': { '$numberLong': '%{expr: (%l * 1000) + (%M / 1000)}' } } \
@@ -214,7 +214,7 @@ accounting {
'closed': false, \
'creation_date': { '$date': { '$numberLong': '%{expr: (%l * 1000) + (%M / 1000)}' } } \
} \
- },
+ }, \
'upsert': true \
})"
# End Interim-Update
@@ -235,7 +235,7 @@ accounting {
}, \
'$push': { \
'events_data': { \
- 'event_id': '%{sha256:%{tolower:%{Calling-Station-Id}', \
+ 'event_id': '%{sha256:%{tolower:%{Calling-Station-Id}}}', \
'event_type': 'Accounting-Stop', \
'event_time': '%{Packet-Original-Timestamp}', \
'creation_date': { '$date': { '$numberLong': '%{expr: (%l * 1000) + (%M / 1000)}' } } \
diff --git a/raddb/mods-config/sql/main/mssql/queries.conf b/raddb/mods-config/sql/main/mssql/queries.conf
index 1978463..d83a27d 100644
--- a/raddb/mods-config/sql/main/mssql/queries.conf
+++ b/raddb/mods-config/sql/main/mssql/queries.conf
@@ -373,7 +373,7 @@ accounting {
UPDATE ${....acct_table1} \
SET \
AcctStartTime = ${....event_timestamp}, \
- AcctUpdateTime = ${....event_timestamp }, \
+ AcctUpdateTime = ${....event_timestamp}, \
AcctStartDelay = '%{%{Acct-Delay-Time}:-0}', \
ConnectInfo_start = '%{Connect-Info}' \
WHERE AcctUniqueId = '%{Acct-Unique-Session-ID}' \
diff --git a/raddb/mods-config/sql/main/mysql/extras/wimax/schema.sql b/raddb/mods-config/sql/main/mysql/extras/wimax/schema.sql
index e32224a..bc2e7da 100644
--- a/raddb/mods-config/sql/main/mysql/extras/wimax/schema.sql
+++ b/raddb/mods-config/sql/main/mysql/extras/wimax/schema.sql
@@ -3,7 +3,7 @@
# which replaces the "radpostauth" table.
#
-CREATE TABLE wimax (
+CREATE TABLE IF NOT EXISTS wimax (
id int(11) NOT NULL auto_increment,
username varchar(64) NOT NULL default '',
authdate timestamp NOT NULL,
diff --git a/raddb/mods-config/sql/main/mysql/process-radacct.sql b/raddb/mods-config/sql/main/mysql/process-radacct.sql
index 8902338..0696603 100644
--- a/raddb/mods-config/sql/main/mysql/process-radacct.sql
+++ b/raddb/mods-config/sql/main/mysql/process-radacct.sql
@@ -45,7 +45,7 @@
-- +----------------+----------------+-----------------+
-- 7 rows in set (0.000 sec)
--
-CREATE TABLE data_usage_by_period (
+CREATE TABLE IF NOT EXISTS data_usage_by_period (
username VARCHAR(64),
period_start DATETIME,
period_end DATETIME,
diff --git a/raddb/mods-config/sql/main/postgresql/queries.conf b/raddb/mods-config/sql/main/postgresql/queries.conf
index 18a1ed0..80953e0 100644
--- a/raddb/mods-config/sql/main/postgresql/queries.conf
+++ b/raddb/mods-config/sql/main/postgresql/queries.conf
@@ -534,7 +534,7 @@ accounting {
'%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', \
NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), \
'%{NAS-Port-Type}', \
- ${....event_timestamp}, \
+ TO_TIMESTAMP(${....event_timestamp_epoch} - %{%{Acct-Session-Time}:-0}), \
${....event_timestamp}, \
NULL, \
%{%{Acct-Session-Time}:-NULL}, \
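Review bot: The new AcctStartTime expression relies on `${....event_timestamp_epoch}` being defined in the enclosing sql module configuration, which is outside this hunk; if that reference is missing the whole INSERT fails to expand. A one-line comment would tell the next reader why start time is no longer the event time: `# Reconstruct the start time from the event time minus the NAS-reported session length (this row is created when no Start was seen)` — I am inferring the "no Start seen" part from the use of Acct-Session-Time, so confirm against the surrounding query. Acct-Session-Time is NAS-supplied and unbounded, so a bogus value places the start arbitrarily far in the past; that is no worse than the existing acctsessiontime column, but worth stating next to the derivation.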
diff --git a/raddb/mods-config/sql/moonshot-targeted-ids/mysql/schema.sql b/raddb/mods-config/sql/moonshot-targeted-ids/mysql/schema.sql
index 8a33dc1..bca2ba8 100644
--- a/raddb/mods-config/sql/moonshot-targeted-ids/mysql/schema.sql
+++ b/raddb/mods-config/sql/moonshot-targeted-ids/mysql/schema.sql
@@ -1,4 +1,4 @@
-CREATE TABLE `moonshot_targeted_ids` (
+CREATE TABLE IF NOT EXISTS `moonshot_targeted_ids` (
`gss_acceptor` varchar(254) NOT NULL default '',
`namespace` varchar(36) NOT NULL default '',
`username` varchar(64) NOT NULL default '',
diff --git a/raddb/policy.d/canonicalization b/raddb/policy.d/canonicalization
index 6d90e37..1b2f6e3 100644
--- a/raddb/policy.d/canonicalization
+++ b/raddb/policy.d/canonicalization
@@ -77,6 +77,7 @@ rewrite_called_station_id {
if (&Called-Station-Id && (&Called-Station-Id =~ /^${policy.mac-addr-regexp}([^0-9a-f](.+))?$/i)) {
update request {
&Called-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
+ &Called-Station-MAC := "0x%{toupper:%{1}%{2}%{3}%{4}%{5}%{6}}"
}
# SSID component?
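Review bot: The new `&Called-Station-MAC` assignment has no comment saying why a second copy of the MAC is produced or that the attribute must exist in the dictionary with a type that accepts the `0x...` form; neither is visible in this policy. A one-liner above it would do: `# Also expose the bare 6-octet MAC (0xAABBCCDDEEFF) for modules that need it, e.g. dpsk`. Note the attribute is only created when Called-Station-Id matches the MAC regexp, so any consumer has to cope with it being absent. The enclosing `rewrite_called_station_id` policy continues outside this hunk.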
diff --git a/raddb/proxy.conf b/raddb/proxy.conf
index 26f620c..cf0697d 100644
--- a/raddb/proxy.conf
+++ b/raddb/proxy.conf
@@ -252,6 +252,24 @@ home_server localhost {
#
secret = testing123
+ #
+ # The global configuration "security.require_message_authenticator"
+ # flag sets the default for all home servers. That default can be
+ # over-ridden here, by setting it to a value. If no value is set,
+ # then the default from the "radiusd.conf" file is used.
+ #
+ # See that file for full documentation on the flag, along
+ # with allowed values and meanings.
+ #
+ # This flag exists solely for legacy home servers which do
+ # not send Message-Authenticator in all Access-Accept,
+ # Access-Reject, or Access-Challenge packets. We do not
+ # recommend setting it to "no".
+ #
+ # allowed values: yes, no, auto
+ #
+# require_message_authenticator = no
+
############################################################
#
# The rest of the configuration items listed here are optional,
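Review bot: The sample line `# require_message_authenticator = no` shows exactly the value the comment above it says not to use, and commented examples tend to be uncommented verbatim; show the safe value instead, `# require_message_authenticator = yes`, and mention "no" only in prose as the legacy escape hatch. It would also help to say here that an unprotected Access-Accept from a home server is what the BlastRADIUS forgery targets, so the per-home-server override is the one place where "no" weakens the proxy itself.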
diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
index 366dce4..44fee62 100644
--- a/raddb/radiusd.conf.in
+++ b/raddb/radiusd.conf.in
@@ -270,6 +270,27 @@ hostname_lookups = no
#postauth_client_lost = no
#
+# Some NASes will aggressively retransmit packets, and cause a DoS of
+# the RADIUS infrastructure. They should follow he recommended
+# retransmission behavior of RFC 5080 Section 2.2.2, but it seems
+# that only (some) RADIUS servers follow that guidance.
+#
+# When a duplicate packet is received from the NAS, the server will
+# see when the last retransmission was done. If it is within the
+# "proxy_dedup_window", the retransmitted packet is dropped.
+#
+# i.e. There is zero benefit to sending the same RADIUS packet
+# multiple times in one second. There is, in fact, serious harm
+# in doing so. Aggressive retransmissions can result in network
+# congestion, and ultimately failure of the RADIUS infrastructure.
+#
+# This behavior *cannot* be disabled.
+#
+# Allowed values here are 1..10. Only integers are supported.
+#
+#proxy_dedup_window = 1
+
+#
# Logging section. The various "log_*" configuration items
# will eventually be moved here.
#
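Review bot: The unit of `proxy_dedup_window` is never stated; "within one second" appears only as an example, so make the allowed-values line explicit: `# Allowed values here are 1..10 (seconds). Only integers are supported.` There is also a typo, `follow he recommended` should read `follow the recommended`. The name suggests the window applies to proxied requests, while the text describes duplicates from a NAS; a sentence clarifying which packets are deduplicated would remove that ambiguity.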
@@ -424,6 +445,16 @@ ENV {
#
# BAR
+
+ #
+ # If the server needs kerberos credentials, then they can be placed
+ # into the following keytab file.
+ #
+ # This also permits the server to use those credentials when it is
+ # run in debug mode.
+ #
+# KRB5_CLIENT_KTNAME = ${raddbdir}/radiusd.keytab
+
#
# `LD_PRELOAD` is special. It is normally set before the
# application runs, and is interpreted by the dynamic linker.
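Review bot: The keytab example puts long-term Kerberos keys into `${raddbdir}` without saying who must be able to read it; a keytab is equivalent to a password, so the comment should carry the permission requirement: `# The keytab must be owned by, and readable only by, the user the server runs as (see "user"/"group" in the security section); 0600 is appropriate.` If the environment is applied before privileges are dropped, say so, since that determines which uid needs read access — I cannot tell from this hunk.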
@@ -572,6 +603,191 @@ security {
#
status_server = yes
+ #
+ # Global configuration for requiring Message-Authenticator in
+ # all Access-* packets sent over UDP or TCP. This flag is
+ # ignored for TLS.
+ #
+ # The number one way to protect yourself from the BlastRADIUS
+ # attack is to update all RADIUS servers, and then set this
+ # flag to "yes". If all RADIUS servers are updated, and if
+ # all of them have this flag set to "yes" for all clients,
+ # then your network is safe. You can then upgrade the
+ # clients when it is convenient, instead of rushing the
+ # upgrades.
+ #
+ # This flag sets the global default for all clients and home
+ # servers. It can be over-ridden in an individual client or
+ # home_server definition by adding the same flag to that
+ # section with an appropriate value.
+ #
+ # All upgraded RADIUS implementations should send
+ # Message-Authenticator in all Access-Request, Access-Accept,
+ # Access-Reject, and Access-Challenge packets. Once all
+ # systems are upgraded, setting this flag to "yes" is the
+ # best protection from the attack.
+ #
+ # The possible values and meanings for
+ # "require_message_authenticator" are;
+ #
+ # * "no" - allow Access-* packet which do not contain
+ # Message-Authenticator
+ #
+ # For a client, if this flag is set to "no", then the
+ # "limit_proxy_state" flag, below, is also checked.
+ #
+ # For a home_server, if this flag is set to "no", then the
+ # Access-Accept, Access-Reject, and Access-Challenge
+ # packets do not need to contain Message-Authenticator.
+ #
+ # The only reason to set this flag to "no" is when the
+ # RADIUS client or home server has not been updated. It is
+ # always safer to set this flag "no" in the individual
+ # client or home_server definition. The global flag SHOULD
+ # still be set to a safe value: "yes".
+ #
+ # WARNING: Setting this flag and the "limit_proxy_state"
+ # flag to "no" will allow MITM attackers to create fake
+ # Access-Accept packets to the NAS! At least one of them
+ # MUST be set to "yes" for the system to have any
+ # protection against the attack.
+ #
+ # * "yes" - Require that all Access-* packets (client and
+ # home_server) contain Message-Authenticator. If a packet
+ # does not contain Message-Authenticator, then it is
+ # discarded.
+ #
+ # * "auto" - Automatically determine the value of the flag,
+ # based on the first packet received from that client or
+ # home_server.
+ #
+ # If the packet does not contain Message-Authenticator,
+ # then the value of the flag is automatically switched to
+ # "no".
+ #
+ # If the packet contains Message-Authenticator but not
+ # EAP-Message, then the value of the flag is automatically
+ # switched to "yes". The server has to check for
+ # EAP-Message, because the previous RFCs require that the
+ # packet contains Message-Authenticator when it also
+ # contains EAP-Message. So having a Message-Authenticator
+ # in those packets doesn't give the server enough
+ # information to determined if the client or home_server
+ # has been updated.
+ #
+ # If the packet contains Message-Authenticator and
+ # EAP-Message, then the flag is left at the "auto" value.
+ #
+ # WARNING: This switch is done for the first packet
+ # received from that client or home server. The change
+ # does NOT persist across server restarts. You MUST change
+ # the to "yes" manually, in order to make a permanent
+ # change to the configuration.
+ #
+ # WARNING: If there are multiple NASes with the same source
+ # IP and client definitions, BUT the NASes have different
+ # behavior, then this flag WILL LIKELY BREAK YOUR NETWORK.
+ #
+ # That is, when there are multiple different RADIUS clients
+ # behind one NATed IP address, then these security settings
+ # have to be set to allow the MOST INSECURE packets to be
+ # processed. This is a terrible idea, and will leave your
+ # network vulnerable to the attack. Please upgrade all
+ # clients immediately.
+ #
+ # The only solution to that rare configuration is to set
+ # this flag to "no", in which case the network will work,
+ # but will be vulnerable to the attack.
+ #
+ require_message_authenticator = auto
+
+ #
+ # Global configuration for limiting the combination of
+ # Proxy-State and Message-Authenticator. This flag only
+ # applies to packets sent over UDP or TCP. This flag is
+ # ignored for TLS.
+ #
+ # This flag sets the global default for all clients. It can
+ # be over-ridden in an individual client definition by adding
+ # the same flag to that section with an appropriate value.
+ #
+ # If "require_message_authenticator" is set to "yes", this
+ # configuration item is ignored.
+ #
+ # If "require_message_authenticator" is set to "no", this
+ # configuration item is checked.
+ #
+ # The possible values and meanings for "limit_proxy_state" are;
+ #
+ # * "no" - allow any packets from the client, even packets
+ # which contain the BlastRADIUS attack. Please be aware
+ # that in this configuration the server will complain for
+ # EVERY packet which it receives.
+ #
+ # The only reason to set this flag to "no" is when the
+ # client is a proxy, AND the proxy does not send
+ # Message-Authenticator in Access-Request packets. Even
+ # then, the best approach to fix the issue is to (1) update
+ # the proxy to send Message-Authenticator, and if that
+ # can't be done, then (2) set this flag to "no", but ONLY
+ # for that one client. The global flag SHOULD still be set
+ # to a safe value: "yes".
+ #
+ # WARNING: Setting both this flag and the
+ # "require_message_authenticator" flag to "no" will allow
+ # MITM attackers to create fake Access-Accept packets to the
+ # NAS! At least one of them MUST be set to "yes" for the
+ # system to have any protection against the attack.
+ #
+ # * "yes" - Allow packets without Message-Authenticator,
+ # but only when they do not contain Proxy-State.
+ # packets which contain Proxy-State MUST also contain
+ # Message-Authenticator, otherwise they are discarded.
+ #
+ # This setting is safe for most NASes, GGSNs, BRAS, etc.
+ # Most regular RADIUS clients do not send Proxy-State
+ # attributes for Access-Request packets that they originate.
+ # However some aggregators (e.g. Wireless LAN Controllers)
+ # may act as a RADIUS proxy for requests from their cohort
+ # of managed devices, and in such cases will provide a
+ # Proxy-State attribute. For those systems, you _must_ look
+ # at the actual packets to determine what to do. It may be
+ # that the only way to fix the vulnerability is to upgrade
+ # the WLC, and set "require_message_authenticator" to "yes".
+ #
+ # * "auto" - Automatically determine the value of the flag,
+ # based on the first packet received from that client.
+ #
+ # If the packet contains Proxy-State but no
+ # Message-Authenticator, then the value of the flag is
+ # automatically switched to "no".
+ #
+ # For all other situations, the value of the flag is
+ # automatically switched to "yes".
+ #
+ # WARNING: This switch is done for the first packet
+ # received from that client. The change does NOT persist
+ # across server restarts. You MUST change the to "yes"
+ # manually, in order to make a permanent change to the
+ # configuration.
+ #
+ # WARNING: If there are multiple NASes with the same source
+ # IP and client definitions, BUT the NASes have different
+ # behavior, then this flag WILL LIKELY BREAK YOUR NETWORK.
+ #
+ # That is, when there are multiple different RADIUS clients
+ # behind one NATed IP address, then these security settings
+ # have to be set to allow the MOST INSECURE packets to be
+ # processed. This is a terrible idea, and will leave your
+ # network vulnerable to the attack. Please upgrade all
+ # clients immediately.
+ #
+ # The only solution to that rare configuration is to set
+ # this flag to "no", in which case the network will work,
+ # but will be vulnerable to the attack.
+ #
+ limit_proxy_state = auto
+
@openssl_version_check_config@
}
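Review bot: The `auto` bullet for `require_message_authenticator` describes the first-packet switch only as a persistence caveat, but it is a downgrade path: an Access-Request without Message-Authenticator carries nothing the server can verify against the shared secret (the Request Authenticator is a sender-chosen nonce), so as far as I can tell any host able to spoof the client's source address can send one such packet after a restart and pin that client at "no" without knowing the secret. I would add under that bullet: `# WARNING: "auto" trusts whatever the first packet looks like, and an Access-Request without Message-Authenticator cannot be authenticated. Set "yes" explicitly wherever possible.` The same applies to the `auto` value of `limit_proxy_state`. Two typos in the new text: `to determined if` should be `to determine if`, and `change the to "yes"` (twice) should be `change this to "yes"`.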
diff --git a/raddb/sites-available/aws-nlb b/raddb/sites-available/aws-nlb
index acea81e..06ca632 100644
--- a/raddb/sites-available/aws-nlb
+++ b/raddb/sites-available/aws-nlb
@@ -33,6 +33,15 @@ listen {
proto = tcp
ipaddr = *
port = 8000
+
+ #
+ # Set limits so that unused connections get cleaned up quickly.
+ #
+ limit {
+ max_connections = 16
+ lifetime = 5
+ idle_timeout = 5
+ }
}
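Review bot: The new `limit` section gives no units for `lifetime` and `idle_timeout` and no reason for `max_connections = 16`; since this listener is what the load balancer probes, a limit that is too low makes the target look unhealthy when several NLB nodes probe at once. Expand the comment to something like `# Health-check connections are short-lived: cap concurrency and close them after 5s (values are seconds). Raise max_connections if the NLB has more probing nodes than this.` — the seconds unit and the NLB behaviour are my reading of the site and should be confirmed.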
#
diff --git a/raddb/sites-available/default b/raddb/sites-available/default
index 78b7ae7..b4339bd 100644
--- a/raddb/sites-available/default
+++ b/raddb/sites-available/default
@@ -348,6 +348,20 @@ authorize {
digest
#
+ # The dpsk module implements dynamic PSK.
+ #
+ # If the request contains FreeRADIUS-802.1X-Anonce
+ # and FreeRADIUS-802.1X-EAPoL-Key-Msg, then it will set
+ # &control:Auth-Type := dpsk
+ #
+ # The "rewrite_called_station_id" policy creates the
+ # Called-Station-MAC attribute, which is needed by
+ # the dpsk module.
+ #
+# rewrite_called_station_id
+# dpsk
+
+ #
# The WiMAX specification says that the Calling-Station-Id
# is 6 octets of the MAC. This definition conflicts with
# RFC 3580, and all common RADIUS practices. If you are using
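Review bot: The comment explains that `rewrite_called_station_id` creates the attribute dpsk needs but does not say the two commented lines must be enabled together and in that order; a reader enabling only `dpsk` will get a module with no Called-Station-MAC. Add `# Enable both lines together, policy first: dpsk needs Called-Station-MAC already set.` It is also worth noting that the Anonce and EAPoL-Key-Msg attributes the module keys on are supplied by the NAS, so they only appear for access points that send them. The enclosing `authorize` section continues outside this hunk.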
@@ -534,6 +548,8 @@ authenticate {
pap
}
+# dpsk
+
#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
diff --git a/raddb/sites-available/inner-tunnel b/raddb/sites-available/inner-tunnel
index c178baa..1197e08 100644
--- a/raddb/sites-available/inner-tunnel
+++ b/raddb/sites-available/inner-tunnel
@@ -194,7 +194,7 @@ authorize {
# LDAP servers can only do PAP. They cannot do CHAP, MS-CHAP,
# or EAP.
#
-# if (!&control.Auth-Type && &User-Password) {
+# if (!&control:Auth-Type && &User-Password) {
# update control {
# &Auth-Type := LDAP
# }
@@ -409,6 +409,13 @@ post-auth {
&Module-Failure-Message := &request:Module-Failure-Message
}
}
+
+ #
+ # Access-Challenge packets are sent through the Challenge sub-section
+ # of the post-auth section.
+ #
+ #Post-Auth-Type Challenge {
+ #}
}
#
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
index 137fcbc..6eab1fe 100644
--- a/raddb/sites-available/tls
+++ b/raddb/sites-available/tls
@@ -56,12 +56,15 @@ listen {
#
type = auth+acct
- # For now, only TCP transport is allowed.
+ # For now, only TCP transport is allowed.
proto = tcp
- # Send packets to the default virtual server
+ # Send packets to the default virtual server
virtual_server = default
+ #
+ # We have clients specifically for TLS.
+ #
clients = radsec
#
@@ -88,6 +91,22 @@ listen {
# proxy_protocol = no
#
+ # This configuration item should be enabled for all listen
+ # sections which do TLS.
+ #
+ # It is only disabled because we are careful about changing
+ # existing behavior in a stable release.
+ #
+ # Setting this configuration item to "yes" means that the
+ # server will be able to gracefully recover if a TLS
+ # connection is blocking at the network layer.
+ #
+ # Note that setting "nonblock = yes" is NOT possible for bare
+ # TCP connections. RADIUS/TCP should generally be avoided.
+ #
+# nonblock = yes
+
+ #
# When this is set to "yes", new TLS connections
# are processed through a section called
#
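Review bot: The `nonblock` comment says what the option fixes but not what happens without it, which is what an operator needs to weigh the "stable release" default; add `# Without it, a peer that stops reading can stall this listener until the write completes, which is a denial-of-service lever for RadSec peers.` — the stall is my inference from "gracefully recover if a TLS connection is blocking", so word it to match the actual behaviour. The same text is duplicated in the `home_server tls` section below; keep the two in sync.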
@@ -310,6 +329,11 @@ listen {
tls_max_version = "1.3"
#
+ # See mods-available/eap for documentation
+ #
+ ecdh_curve = ""
+
+ #
# Session resumption / fast reauthentication
# cache.
#
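Review bot: `ecdh_curve = ""` is not self-explanatory in a listen section; a reader cannot tell whether an empty value disables ECDHE or defers to the library defaults without opening mods-available/eap. If, as that file documents, the empty string means the OpenSSL default curve list, say so inline: `# Empty means OpenSSL's default curve list is used; set a specific curve only for legacy peers (see mods-available/eap).` Disabling ECDHE would remove forward secrecy, so the distinction matters.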
@@ -514,6 +538,22 @@ home_server tls {
proto = tcp
status_check = none
+ #
+ # This configuration item should be enabled for all
+ # home_server sections which do TLS.
+ #
+ # It is only disabled because we are careful about changing
+ # existing behavior in a stable release.
+ #
+ # Setting this configuration item to "yes" means that the
+ # server will be able to gracefully recover if a TLS
+ # connection is blocking at the network layer.
+ #
+ # Note that setting "nonblock = yes" is NOT possible for bare
+ # TCP connections. RADIUS/TCP should generally be avoided.
+ #
+# nonblock = yes
+
tls {
#
# Similarly to HTTP, the client can use Server Name