diff options
Diffstat (limited to '')
38 files changed, 850 insertions, 74 deletions
diff --git a/raddb/all.mk b/raddb/all.mk index a7f4f14..6ab8c78 100644 --- a/raddb/all.mk +++ b/raddb/all.mk @@ -13,11 +13,15 @@ DEFAULT_MODULES := always attr_filter chap date \ mschap ntlm_auth pap passwd preprocess radutmp realm \ replicate soh sradutmp totp unix unpack utf8 +ifneq "$(OPENSSL_LIBS)" "" +DEFAULT_MODULE += dpsk +endif + LOCAL_MODULES := $(addprefix raddb/mods-enabled/,$(DEFAULT_MODULES)) LOCAL_CERT_FILES := Makefile README.md xpextensions \ ca.cnf server.cnf inner-server.cnf \ - client.cnf bootstrap + client.cnf realms/README.md bootstrap # # We don't create the installed certs if we're building a package, @@ -32,7 +36,7 @@ endif LEGACY_LINKS := $(addprefix $(R)$(raddbdir)/,users huntgroups hints) -RADDB_DIRS := certs mods-available mods-enabled policy.d \ +RADDB_DIRS := certs certs/realms mods-available mods-enabled policy.d \ sites-available sites-enabled \ $(patsubst raddb/%,%,$(shell find raddb/mods-config -type d -print)) diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile index c9fbc9e..34948bd 100644 --- a/raddb/certs/Makefile +++ b/raddb/certs/Makefile @@ -28,7 +28,7 @@ include passwords.mk # ###################################################################### .PHONY: all -all: index.txt serial dh ca server client +all: index.txt serial ca server client .PHONY: client client: client.pem diff --git a/raddb/clients.conf b/raddb/clients.conf index 60f9f4b..5f39ff1 100644 --- a/raddb/clients.conf +++ b/raddb/clients.conf @@ -9,6 +9,25 @@ # Define RADIUS clients (usually a NAS, Access Point, etc.). # +# There are a number of security practices which are critical in the +# modern era. +# +# * don't use RADIUS/UDP or RADIUS/TCP over the Internet. Use RADIUS/TLS. +# +# * If you do send RADIUS over UDP or TCP, don't send MS-CHAPv2. +# Anyone who can see the MS-CHAPv2 data can crack it in milliseconds. +# +# * use the "radsecret" program to generate secrets. It uses Perl (sorry). +# Every time you run it, it will generate a new strong secret. +# +# * don't create shared secrets yourself. Anything you create is likely to +# be in a "cracking" dictionary, and will allow a hobbyist attacker +# to crack the shared secret in a few minutes. +# +# * Don't trust anyone who tells you to ignore the above recommendations. +# + +# # Defines a RADIUS client. # # '127.0.0.1' is another name for 'localhost'. It is enabled by default, @@ -82,17 +101,33 @@ client localhost { # Quotation marks can be entered by escaping them, # e.g. "foo\"bar" # - # A note on security: The security of the RADIUS protocol + # A note on security: The security of the RADIUS protocol # depends COMPLETELY on this secret! We recommend using a - # shared secret that is composed of: + # shared secret that at LEAST 16 characters long. It should + # preferably be 32 characters in length. The secret MUST be + # random, and should not be words, phrase, or anything else + # that is recognisable. + # + # Computing power has increased enormously since RADIUS was + # first defined. A hobbyist with a high-end GPU can try ALL + # of the 8-character shared secrets in about a day. The + # security of shared secrets increases MUCH more with the + # length of the shared secret, than with number of different + # characters used in it. So don't bother trying to use + # "special characters" or anything else in an attempt to get + # un-guessable secrets. Instead, just get data from a secure + # random number generator, and use that. + # + # You should create shared secrets using a method like this: + # + # dd if=/dev/random bs=1 count=24 | base64 # - # upper case letters - # lower case letters - # numbers + # This process will give output which takes 24 random bytes, + # and converts them to 32 characters of ASCII. The output + # should be accepted by all RADIUS clients. # - # And is at LEAST 8 characters long, preferably 16 characters in - # length. The secret MUST be random, and should not be words, - # phrase, or anything else that is recognisable. + # You should NOT create shared secrets by hand. They will + # not be random. They will will be trivial to crack. # # The default secret below is only for testing, and should # not be used in any real environment. @@ -100,15 +135,45 @@ client localhost { secret = testing123 # - # Old-style clients do not send a Message-Authenticator - # in an Access-Request. RFC 5080 suggests that all clients - # SHOULD include it in an Access-Request. The configuration - # item below allows the server to require it. If a client - # is required to include a Message-Authenticator and it does - # not, then the packet will be silently discarded. + # The global configuration "security.require_message_authenticator" + # flag sets the default for all clients. That default can be + # over-ridden here, by setting it to a value. If no value is set, + # then the default from the "radiusd.conf" file is used. + # + # See that file for full documentation on the flag, along + # with allowed values and meanings. + # + # This flag exists solely for legacy clients which do not send + # Message-Authenticator in all Access-Request packets. We do not + # recommend setting it to "no". + # + # The number one way to protect yourself from the BlastRADIUS + # attack is to update all RADIUS servers, and then set this + # flag to "yes". If all RADIUS servers are updated, and if + # all of them have this flag set to "yes" for all clients, + # then your network is safe. You can then upgrade the + # clients when it is convenient, instead of rushing the + # upgrades. + # + # allowed values: yes, no, auto + # +# require_message_authenticator = no + + # + # The global configuration "security.limit_proxy_state" + # flag sets the default for all clients. That default can be + # over-ridden here, by setting it to "no". + # + # See that file for full documentation on the flag, along + # with allowed values,and meanings. + # + # This flag exists solely for legacy clients which do not send + # Message-Authenticator in all Access-Request packets. We do not + # recommend setting it to "no". + # + # allowed values: yes, no, auto # - # allowed values: yes, no - require_message_authenticator = no +# limit_proxy_state = yes # # The short name is used as an alias for the fully qualified diff --git a/raddb/mods-available/date b/raddb/mods-available/date index 25a64da..2d7d85e 100644 --- a/raddb/mods-available/date +++ b/raddb/mods-available/date @@ -33,3 +33,48 @@ date wispr2date { # default = no # utc = yes } + +# +# The date module also provides the %{time_since:} xlat, which +# makes it possible to both: +# - get the time since the epoch in seconds, milliseconds or +# microseconds; and +# - calculate the time elapsed since a given time. +# +# Syntax is: %{time_since:BASE[ (number|&attribute)]} +# where "BASE" is "s", "ms" or "us". +# +# Examples: +# %{time_since:s} +# - time in seconds since the epoch, same as %c +# +# %{time_since:s 1695753388} +# - time in seconds since Tue 26 Sep 19:36:28 BST 2023 +# (which is 1695753388 in UNIX time) +# +# %{time_since:s &Tmp-Integer-0} +# - Time since the number of seconds in Tmp-Integer-0 +# +# %{time_since:ms} +# - Milliseconds since the epoch +# +# %{time_since:us} +# - Microseconds since the epoch +# +# The provided attribute should be an Integer (or Integer64 for +# ms or us bases). However, other attributes will be converted if +# possible, with a warning given. The only one that might make +# sense is a Date attribute (which will be scaled appropriately +# according to the base, as Date is always in seconds). +# +# Primary usage would be for taking latenct measurements, for +# example to calculate the number of microseconds an LDAP call +# took: +# +# update request { +# &Tmp-Integer64-0 := %{time_since:us}" +# } +# ldap +# update request { +# &Tmp-Integer64-1 := %{time_since:us &Tmp-Integer64-0}" +# } diff --git a/raddb/mods-available/detail b/raddb/mods-available/detail index ccf65f9..665b677 100644 --- a/raddb/mods-available/detail +++ b/raddb/mods-available/detail @@ -94,6 +94,39 @@ detail { # # log_packet_header = yes + + # + # There are many, many, issues with dates being printed as + # humanly-readable strings. The server tries hard to both + # print and parse dates correctly, however this is not always + # possible. + # + # The detail files may be generated on one machine, and read + # on another. The two systems may have different languages, + # so the names of the month may not be parseable. The two + # systems may have different time zones. Time zone parsing + # is pretty much impossible, as there are multiple time zones + # with the same name! + # + # In some cases, the local libraries may not be able to + # correctly parse the time zone it printed! i.e. the system + # documentation for the C library time functions sometimes + # even says that the time zones are ignored, and the dates + # are parsed as UTC. + # + # All of these issues can be avoided by printing the dates as + # integer. In nearly all cases, the integer printed is + # exactly what was received in the packet. + # + # This may resolve some issues, but it's not perfect. The + # dates received by FreeRADIUS are sent by the NAS, and + # created on the NAS. So if the time on the NAS is wrong, + # the dates printed by FreeRADIUS will also be wrong. The + # only solution is to make sure that the NAS is using the + # correct time. + # +# dates_as_integer = yes + # # Certain attributes such as User-Password may be # "sensitive", so they should not be printed in the diff --git a/raddb/mods-available/dpsk b/raddb/mods-available/dpsk new file mode 100644 index 0000000..3cd8411 --- /dev/null +++ b/raddb/mods-available/dpsk @@ -0,0 +1,145 @@ +# -*- text -*- +# +# $Id$ + +# +# Calculate dynamic PSKs +# +# This module needs the following attributes as input: +# +# * control:Pre-Shared-Key - the PSK for the user +# * User-Name - the supplicant MAC in hex format, e.g. "abcdef012345" +# * Called-Station-MAC - the AP MAC in binary +# this attribute is set by the "rewrite_called_station_id" policy. +# * FreeRADIUS-802.1X-Anonce - from the AP +# * FreeRADIUS-802.1X-EAPoL-Key-Msg - from the AP +# +# Note that you MUST run the "rewrite_called_station_id" policy before calling this module. +# +# That policy MUST also create the Called-Station-MAC attribute. +# +# Then place the following configuration into the "authorize" section: +# +# authorize { +# ... +# rewrite_called_station_id +# +# update control { +# &PSK-Identity := "bob" +# &Pre-Shared-Key := "this-is-super-secret" +# } +# dpsk +# +# } +# +# And update the "authenticate" section to list the "dpsk" module: +# +# authenticate { +# ... +# dpsk +# ... +# } +# +# The module will return "fail" if the PSK is not correct. It will return "ok" +# if the PSK is correct. +# +# It also updates &reply:Pre-Shared-Key with the found key, along with +# &reply:PSK-Identity with the found identity. +# +# We STRONGLY RECOMMEND THAT NO ONE USE THIS MODULE. +# +# While it works, it needs to use a brute-force method to match MAC +# to PSK. That process is extremely slow, and scales very poorly. +# +# i.e. if you have 10 PSKs, it's not too bad. If you have 10,000 +# PSKs, then the module can comsume 100% of CPU trying to +# brute-force every PSK. +# +# This is a limitation of how DPSK works. There is no way to make it +# better. The only thing we've done is to add a cache which can help +# to minimize the amount of brute-force attempts. +# + +# +# The modules configuration. +# +dpsk { + # + # The maximum number of entries to cache. + # + # The cache is keyed by (supplicant MAC + SSID) + # + # The cache entry is the PSK-Identity and Pre-Sharedd-Key, + # and/or the PMK which are used to verify the information in + # the Access-Request. + # + cache_size = 1024 + + # + # The lifetime of an entry in the cache. + # + cache_lifetime = 86400 + + # + # PSKs can also be stored in a CSV file. The format of the file is: + # + # identity,psk,mac + # + # If there are commas in a field, then the field can be + # double quoted: "psk". + # + # The mac field is optional. If it exists, then that PSK + # will be used. It is highly recommended that the MAC *not* be placed + # into the CSV file. Instead, the MAC and PSK should be placed into a + # database. The server can then be configured to look up the MAC in the + # database, which returns the PSK. That way this module will only ever + # check one PSK, which is fast. + # + # i.e. the CSV file should only contain the small number of PSKs where + # you do not yet know the MAC. As soon as you know the MAC, you should + # put the MAC and PSK into a database, and then remove the MAC and PSK + # from the CSV file. + # + # NOTE: the file is opened and read from top to bottom for every + # new request which comes in. This process can be very slow! + # + # However, opening the file for every new request means that the + # server does not have to be reloaded when the file changes. Instead, + # the file can be generated, and then moved into place atomically: + # + # create csv file > psk.csv.new + # mv psk.csv.new psk.csv + # + # Any process which writes a new "psk.csv" file MUST NOT + # write to the file directly, as that will cause the dpsk + # module to read partial entries and fail. Instead, use "mv" + # to atomically overwrite the old file with a new one. + # + # Both "cache_size" and "filename" can be configured at the + # same time, which is recommended. When an entry in the file + # is found, the identity, PSK, and MAC are saved in the cache. + # + # If a cache entry is found, then the filename is NOT read. + # + # The resulting combination of features means that the module + # should be as fast as possible, given the limitations of DPSK. + # + # NOTE: Tests show that the module can do ~100K PSK / DPSK + # checks per second. This means that if you have 10,000 + # users and 10 packets a second, the system will be 100% busy + # checking PSKs. + # + # As a result, the DPSK functionality is scales poorly. It + # should be used only with a small number of PSKs (100s + # perhaps), and only at low packet rates. If the server is + # getting 1000 packets per second, then it can only handle + # 100 PSKs before running out of CPU. + # + # Using the cache will help substantially. But the cache is + # only in memory, which means that all cache entries are lost + # when the server restarts. As a result, the combination of + # number of PSKs and packet rates should be kept as low as + # possible. + # +# filename = "${modconfdir}/${..:name}/psk.csv" +} diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap index ee9e539..d149707 100644 --- a/raddb/mods-available/eap +++ b/raddb/mods-available/eap @@ -33,6 +33,28 @@ eap { # timer_expire = 60 + # + # Some supplicants may misbehave by starting many thousands + # of EAP sessions, but never finishing them. These sessions + # can cause the server to hit 'max_sessions' very quickly. + # The 'timer_expire' configuration above does not help as + # much as it could, because the old (duplicate) session + # should be deleted as soon as the new one comes in. + # + # If you set the 'dedup_key' below, whenever the EAP module + # starts a new session, it will check for a previous session + # which has the same dedup key. If a previous session + # is found, it is deleted. + # + # Setting this configuration item may cause issues if the + # same device uses multiple EAP sessions at the same time. + # But that device behavior should be rare to non-existent. + # + # The configuration item is commented out so that upgrades + # do not change existing behavior. + # +# dedup_key = "%{Calling-Station-Id}" + # There are many EAP types, but the server has support # for only a limited subset. If the server receives # a request for an EAP type it does not support, then @@ -231,6 +253,9 @@ eap { # Directory where multiple CAs are stored. Both # "ca_file" and "ca_path" can be used at the same time. # + # Each file in this directory must contain one + # certificate, and ONLY one certificate. + # ca_path = ${cadir} # OpenSSL does not reload contents of ca_path dir over time. @@ -1112,4 +1137,54 @@ eap { # # virtual_server = inner-tunnel #} + + # EAP-TEAP + # + # The TEAP module implements the EAP-TEAP protocol + # + #teap { + # Point to the common TLS configuration + # + # tls = tls-common + + # default_eap_type = mschapv2 + + # If 'cipher_list' is set here, it will over-ride the + # 'cipher_list' configuration from the 'tls-common' + # configuration. The EAP-TEAP module has it's own + # over-ride for 'cipher_list' because the + # specifications mandata a different set of ciphers + # than are used by the other EAP methods. + # + # cipher_list though must include "ADH" for anonymous provisioning. + # This is not as straight forward as appending "ADH" alongside + # "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is + # recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used + # + # cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2" + + # PAC lifetime in seconds (default: seven days) + # + # pac_lifetime = 604800 + + # Authority ID of the server + # + # If you are running a cluster of RADIUS servers, you should make + # the value chosen here (and for "pac_opaque_key") the same on all + # your RADIUS servers. This value should be unique to your + # installation. We suggest using a domain name. + # + # authority_identity = "1234" + + # PAC Opaque encryption key (must be exactly 32 bytes in size) + # + # This value MUST be secret, and MUST be generated using + # a secure method, such as via 'openssl rand -hex 32' + # + # pac_opaque_key = "0123456789abcdef0123456789ABCDEF" + + # Same as for TTLS, PEAP, etc. + # + # virtual_server = inner-tunnel + #} } diff --git a/raddb/mods-available/json b/raddb/mods-available/json index 02a62ae..88f17c0 100644 --- a/raddb/mods-available/json +++ b/raddb/mods-available/json @@ -142,7 +142,7 @@ json { # .Example # # ``` -# %{json_encode:&request[*] !&reply[*] &control.User-Name} +# %{json_encode:&request[*] !&reply[*] &control:User-Name} # ``` # # #### Output format modes diff --git a/raddb/mods-available/ldap b/raddb/mods-available/ldap index 997d41e..d5838ff 100644 --- a/raddb/mods-available/ldap +++ b/raddb/mods-available/ldap @@ -41,7 +41,7 @@ ldap { # That will give you the LDAP information for 'user'. # # Group membership can be queried by using the above "ldapsearch" string, - # and adding "memberof" qualifiers. For ActiveDirectory, use: + # and adding "memberof" qualifiers. For Active Directory, use: # # ldapsearch ... '(&(objectClass=user)(sAMAccountName=user)(memberof=CN=group,${base_dn}))' # @@ -152,10 +152,10 @@ ldap { # LDAP "bind as user" configuration to check PAP passwords. # - # Active Directory needs "bind as user", which can be done by - # adding the following "if" statement to the authorize {} section - # of the virtual server, after the "ldap" module. For - # example: + # Active Directory (or Azure AD) needs "bind as user", which + # can be done by adding the following "if" statement to the + # authorize {} section of the virtual server, after the + # "ldap" module. For example: # # ... # ldap @@ -174,6 +174,23 @@ ldap { # "Auth-Type LDAP" in order to do an LDAP "bind as user", which will hand # the user name / password to AD for verification. # + # Note that this ONLY works if FreeRADIUS receives a + # User-Password attribute in the Access-Request packet. + # e.g. PAP, or TTLS/PAP. + # + # USING MS-CHAP OR PEAP/MS-CHAP WITH ACTIVE DIRECTORY OVER LDAP WILL NOT WORK. + # + # ** EVER ***. + # + # THERE IS NOTHING YOU CAN DO TO MAKE IT WORK. + # + # If you have a local Active Directory server, you can use + # Samba and ntlm_auth. See the "mschap" and "ntlm_auth" + # modules for more information. + # + # Unfortunately, you cannot use Samba with Azure AD. You + # MUST use PAP or TTLS/PAP. + # # # Name of the attribute that contains the user DN. diff --git a/raddb/mods-available/ldap_google b/raddb/mods-available/ldap_google index 03c98d3..9487c4b 100644 --- a/raddb/mods-available/ldap_google +++ b/raddb/mods-available/ldap_google @@ -21,7 +21,7 @@ # username and password. That username and password should be used # below. # -# Ensure the Goolge client configuration which is used for FreeRADIUS +# Ensure the Google client configuration which is used for FreeRADIUS # has sufficient permissions to read user information, and, if group # membership is part of the FreeRADIUS policy, ensure that the client # can read group information. This configuration is done on Google's diff --git a/raddb/mods-available/mschap b/raddb/mods-available/mschap index 1748d57..5fbdcee 100644 --- a/raddb/mods-available/mschap +++ b/raddb/mods-available/mschap @@ -51,9 +51,26 @@ mschap { # and the mschap module will do the authentication itself, # without calling ntlm_auth. # - # Be VERY careful when editing the following line! + # This authentication can go wrong for a number of reasons: + # 1) the user does not exist in AD + # 2) the password entered by the user is not the same as + # what is in AD + # 3) some magic MS-CHAP data is wrong. # - # You can also try setting the user name as: + # These situations can be checked by running ntlm_auth + # from the command line with a name and a password: + # + # ntlm_auth --username=NAME --password=PASSWORD + # + # If that works, you know both that the user exists, and the + # password is correct. You also know what AD expects for the + # username. + # + # There is often confusion between different formats of the + # username. Is it "user", or "user@domain" or "DOMAIN\\user"? + # The answer is "that depends on your local AD system". + # + # One solution is to use this for the username: # # ... --username=%{mschap:User-Name} ... # @@ -61,6 +78,23 @@ mschap { # attribute, and do prefix/suffix checks in order to obtain # the "best" user name for the request. # + # Another option is to use the Stripped-User-Name, as in the + # example configuration below. + # + # You can test which format works by running the server in + # debug mode, and copying the hex strings from the + # --challenge=... and --nt-response=... output. + # + # Then, run ntlm_auth from the command line, using the same + # command-line options as given below. Since you can't + # change the challenge or nt-response strings, try changing + # the --username=... and --domain=... parameters. Try + # different formats for them until one works. There should only + # be a small number of variations possible. + # + # That is the username and domain format which you need to + # configure here in this file. + # # For Samba 4, you should also set the "ntlm auth" parameter # in the Samba configuration: # diff --git a/raddb/mods-available/sql b/raddb/mods-available/sql index 0f435ad..68ac4da 100644 --- a/raddb/mods-available/sql +++ b/raddb/mods-available/sql @@ -291,6 +291,23 @@ sql { # # Setting 'max' to MORE than the number of threads means # that there are more connections than necessary. + # + # The setting here should be lower than the maximum + # number of connections allowed by the database. + # + # i.e. There is no point in telling FreeRADIUS to use + # 64 connections, while the database is limited to 32 + # connections. That configuration will cause the + # server to be "starved" of connections, and it will + # block during normal operations, even when the + # database is largely idle. + # + # At the same time, if the database is slow, there is + # no point in increasing "max". More connections + # will just cause the database to run more slowly. + # The correct fix for a slow database is to fix it, so + # that it responds to FreeRADIUS quickly. + # max = ${thread[pool].max_servers} # Spare connections to be left idle @@ -371,6 +388,21 @@ sql { # of the SQL module. group_attribute = "SQL-Group" + # When attributes read from the network are used in SQL queries + # their values are escaped to make them safe. + # By default FreeRADIUS uses its escaping routine which replaces + # unsafe characters with their mime-encoded equivalent. + # The list of safe characters is conservative, to allow for differences + # between different SQL implementations. + # + # If you are using the mysql or postgresql drivers, those have their + # own escaping functions which only escape characters as required + # by those databases. + # + # Set this option to yes to use the database driver provided escape + # function. +# auto_escape = no + # Read database-specific queries $INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf } diff --git a/raddb/mods-available/sql_map b/raddb/mods-available/sql_map index 93b2636..a0b32ef 100644 --- a/raddb/mods-available/sql_map +++ b/raddb/mods-available/sql_map @@ -6,11 +6,6 @@ sql_map { # use the *instance* name here: sql1. sql_module_instance = "sql" - # This is duplicative of info available in the SQL module, but - # we have to list it here as we do not yet support nested - # reference expansions. - dialect = "mysql" - # Name of the check item attribute to be used as a key in the SQL queries query = "SELECT ... FROM ... " diff --git a/raddb/mods-available/totp b/raddb/mods-available/totp index 695365f..a68a317 100644 --- a/raddb/mods-available/totp +++ b/raddb/mods-available/totp @@ -13,6 +13,12 @@ # # &control:TOTP-Secret # +# Any "bare" key should be placed into: +# +# &control:TOTP-Key +# +# If TOTP-Key exists, then it will be used instead of TOTP-Secret. +# # The TOTP password entered by the user should be placed into: # # &request:TOTP-Password @@ -32,9 +38,44 @@ # https://linux.die.net/man/1/qrencode # # and then run that locally to get an image. -# # -# The module takes no configuration items. +# +# Some tokens get severely out of sync with local time. It is +# possible to offset the definition of "now" for one token by setting: +# +# &control:TOTP-Time-Offset := 120 +# +# This is a signed integer, with allowed values between -600 to +600. +# The offset is added to to the current time, to get the tokens idea +# of "now". # totp { + # + # Default time step between time changes + # + time_step = 30 + + # + # Length of the one-time password. + # + # Must be 6 or 8 + # + otp_length = 6 + + # + # How many steps backward in time we look for a matching OTP + # + lookback_steps = 1 + + # + # How many steps forward in time we look for a matching OTP + # + lookforward_steps = 0 + + # + # Time delta between steps. + # + # Cannot be larger than time_step + # + lookback_interval = 30 } diff --git a/raddb/mods-config/sql/counter/sqlite/dailycounter.conf b/raddb/mods-config/sql/counter/sqlite/dailycounter.conf index 9a2ec38..b95afdf 100644 --- a/raddb/mods-config/sql/counter/sqlite/dailycounter.conf +++ b/raddb/mods-config/sql/counter/sqlite/dailycounter.conf @@ -5,7 +5,7 @@ # below # query = "\ - SELECT SUM(acctsessiontime - GREATEST((%%b - strftime('%%s', acctstarttime)), 0)) \ + SELECT SUM(acctsessiontime - MAX((%%b - strftime('%%s', acctstarttime)), 0)) \ FROM radacct \ WHERE username = '%{${key}}' \ AND (strftime('%%s', acctstarttime) + acctsessiontime) > %%b" diff --git a/raddb/mods-config/sql/counter/sqlite/expire_on_login.conf b/raddb/mods-config/sql/counter/sqlite/expire_on_login.conf index f4e95a5..6c1c086 100644 --- a/raddb/mods-config/sql/counter/sqlite/expire_on_login.conf +++ b/raddb/mods-config/sql/counter/sqlite/expire_on_login.conf @@ -1,5 +1,5 @@ query = "\ - SELECT GREATEST(strftime('%%s', NOW()) - strftime('%%s', acctstarttime), 0) AS expires \ + SELECT MAX(strftime('%%s', NOW()) - strftime('%%s', acctstarttime), 0) AS expires \ FROM radacct \ WHERE username = '%{${key}}' \ ORDER BY acctstarttime \ diff --git a/raddb/mods-config/sql/counter/sqlite/monthlycounter.conf b/raddb/mods-config/sql/counter/sqlite/monthlycounter.conf index 5262097..3f5d427 100644 --- a/raddb/mods-config/sql/counter/sqlite/monthlycounter.conf +++ b/raddb/mods-config/sql/counter/sqlite/monthlycounter.conf @@ -5,7 +5,7 @@ # below # query = "\ - SELECT SUM(acctsessiontime - GREATEST((%%b - strftime('%%s', acctstarttime)), 0)) \ + SELECT SUM(acctsessiontime - MAX((%%b - strftime('%%s', acctstarttime)), 0)) \ FROM radacct \ WHERE username = '%{${key}}' AND \ (strftime('%%s', acctstarttime) + acctsessiontime) > %%b" diff --git a/raddb/mods-config/sql/counter/sqlite/weeklycounter.conf b/raddb/mods-config/sql/counter/sqlite/weeklycounter.conf index 06ce3b6..90a8566 100644 --- a/raddb/mods-config/sql/counter/sqlite/weeklycounter.conf +++ b/raddb/mods-config/sql/counter/sqlite/weeklycounter.conf @@ -5,7 +5,7 @@ # below # query = "\ - SELECT SUM(acctsessiontime - GREATEST((%%b - strftime('%%s', acctstarttime)), 0)) \ + SELECT SUM(acctsessiontime - MAX((%%b - strftime('%%s', acctstarttime)), 0)) \ FROM radacct \ WHERE username = '%{${key}}' \ AND (strftime('%%s', acctstarttime) + acctsessiontime) > %%b" diff --git a/raddb/mods-config/sql/cui/mysql/schema.sql b/raddb/mods-config/sql/cui/mysql/schema.sql index da9b2f7..01cc615 100644 --- a/raddb/mods-config/sql/cui/mysql/schema.sql +++ b/raddb/mods-config/sql/cui/mysql/schema.sql @@ -1,4 +1,4 @@ -CREATE TABLE `cui` ( +CREATE TABLE IF NOT EXISTS `cui` ( `clientipaddress` varchar(46) NOT NULL default '', `callingstationid` varchar(50) NOT NULL default '', `username` varchar(64) NOT NULL default '', diff --git a/raddb/mods-config/sql/dhcp/mysql/queries.conf b/raddb/mods-config/sql/dhcp/mysql/queries.conf index a28037b..b0254e5 100644 --- a/raddb/mods-config/sql/dhcp/mysql/queries.conf +++ b/raddb/mods-config/sql/dhcp/mysql/queries.conf @@ -69,7 +69,7 @@ authorize_group_reply_query = "\ ORDER BY id" group_membership_query = "\ - SELECT groupnme \ + SELECT groupname \ FROM ${dhcpgroup_table} \ WHERE identifier='%{SQL-User-Name}' AND context = '%{control:DHCP-SQL-Option-Context}' \ ORDER BY priority" diff --git a/raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql b/raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql index d8b1219..f996ba3 100644 --- a/raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql +++ b/raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql @@ -5,7 +5,7 @@ -- that is much faster. -- -CREATE TABLE dhcpippool ( +CREATE TABLE IF NOT EXISTS dhcpippool ( id int unsigned NOT NULL auto_increment, pool_name varchar(30) NOT NULL, framedipaddress varchar(15) NOT NULL default '', diff --git a/raddb/mods-config/sql/ippool-dhcp/sqlite/schema.sql b/raddb/mods-config/sql/ippool-dhcp/sqlite/schema.sql index 339d58d..f7af667 100644 --- a/raddb/mods-config/sql/ippool-dhcp/sqlite/schema.sql +++ b/raddb/mods-config/sql/ippool-dhcp/sqlite/schema.sql @@ -9,7 +9,7 @@ CREATE TABLE dhcpstatus ( INSERT INTO dhcpstatus (status_id, status) VALUES (1, 'dynamic'), (2, 'static'), (3, 'declined'), (4, 'disabled'); CREATE TABLE dhcpippool ( - id int(11) PRIMARY KEY, + id INTEGER PRIMARY KEY, pool_name varchar(30) NOT NULL, framedipaddress varchar(15) NOT NULL default '', pool_key varchar(30) NOT NULL default '', diff --git a/raddb/mods-config/sql/ippool/mongo/queries.conf b/raddb/mods-config/sql/ippool/mongo/queries.conf index 9d7d070..eedf0a0 100644 --- a/raddb/mods-config/sql/ippool/mongo/queries.conf +++ b/raddb/mods-config/sql/ippool/mongo/queries.conf @@ -22,12 +22,6 @@ # parser. # -# -# TBD -# -on_begin = "" -off_begin = "" - allocate_begin = "" # @@ -92,17 +86,11 @@ allocate_clear = "db.mypool_collection.findAndModify( \ allocate_commit = "" -start_begin = "" start_update = "" -start_commit = "" -stop_begin = "" stop_clear = "" -stop_commit = "" -alive_begin = "" alive_update = "" -alive_commit = "" on_clear = "" off_clear = "" diff --git a/raddb/mods-config/sql/ippool/oracle/queries.conf b/raddb/mods-config/sql/ippool/oracle/queries.conf index 1a64b28..9704f56 100644 --- a/raddb/mods-config/sql/ippool/oracle/queries.conf +++ b/raddb/mods-config/sql/ippool/oracle/queries.conf @@ -13,11 +13,6 @@ skip_locked = "" allocate_begin = "commit" -start_begin = "commit" -alive_begin = "commit" -stop_begin = "commit" -on_begin = "commit" -off_begin = "commit" # # Attempt to allocate the address a client previously had. This is based on pool_key diff --git a/raddb/mods-config/sql/ippool/sqlite/schema.sql b/raddb/mods-config/sql/ippool/sqlite/schema.sql index b020c62..4dc25d1 100644 --- a/raddb/mods-config/sql/ippool/sqlite/schema.sql +++ b/raddb/mods-config/sql/ippool/sqlite/schema.sql @@ -2,7 +2,7 @@ -- Table structure for table 'radippool' -- CREATE TABLE radippool ( - id int(11) PRIMARY KEY, + id INTEGER PRIMARY KEY, pool_name varchar(30) NOT NULL, framedipaddress varchar(15) NOT NULL default '', nasipaddress varchar(15) NOT NULL default '', diff --git a/raddb/mods-config/sql/main/mongo/queries.conf b/raddb/mods-config/sql/main/mongo/queries.conf index 732e1e8..a496932 100644 --- a/raddb/mods-config/sql/main/mongo/queries.conf +++ b/raddb/mods-config/sql/main/mongo/queries.conf @@ -91,7 +91,7 @@ authorize_check_query = "db.${authcheck_table}.aggregate([ \ 'op': ':=' \ } \ } \ -])" \ +])" # TBD: fill in things here authorize_reply_query = "" @@ -150,7 +150,7 @@ accounting { }, \ '$push': { \ 'events_data': { \ - 'event_id': '%{sha256:%{tolower:%{Calling-Station-Id}', \ + 'event_id': '%{sha256:%{tolower:%{Calling-Station-Id}}}', \ 'event_type': 'Accounting-Start', \ 'event_time': '%{Packet-Original-Timestamp}', \ 'creation_date': { '$date': { '$numberLong': '%{expr: (%l * 1000) + (%M / 1000)}' } } \ @@ -202,7 +202,7 @@ accounting { }, \ '$push': { \ 'events_data': { \ - 'event_id': '%{sha256:%{tolower:%{Calling-Station-Id}', \ + 'event_id': '%{sha256:%{tolower:%{Calling-Station-Id}}}', \ 'event_type': 'Accounting-Interim-Update', \ 'event_time': '%{Packet-Original-Timestamp}', \ 'creation_date': { '$date': { '$numberLong': '%{expr: (%l * 1000) + (%M / 1000)}' } } \ @@ -214,7 +214,7 @@ accounting { 'closed': false, \ 'creation_date': { '$date': { '$numberLong': '%{expr: (%l * 1000) + (%M / 1000)}' } } \ } \ - }, + }, \ 'upsert': true \ })" # End Interim-Update @@ -235,7 +235,7 @@ accounting { }, \ '$push': { \ 'events_data': { \ - 'event_id': '%{sha256:%{tolower:%{Calling-Station-Id}', \ + 'event_id': '%{sha256:%{tolower:%{Calling-Station-Id}}}', \ 'event_type': 'Accounting-Stop', \ 'event_time': '%{Packet-Original-Timestamp}', \ 'creation_date': { '$date': { '$numberLong': '%{expr: (%l * 1000) + (%M / 1000)}' } } \ diff --git a/raddb/mods-config/sql/main/mssql/queries.conf b/raddb/mods-config/sql/main/mssql/queries.conf index 1978463..d83a27d 100644 --- a/raddb/mods-config/sql/main/mssql/queries.conf +++ b/raddb/mods-config/sql/main/mssql/queries.conf @@ -373,7 +373,7 @@ accounting { UPDATE ${....acct_table1} \ SET \ AcctStartTime = ${....event_timestamp}, \ - AcctUpdateTime = ${....event_timestamp }, \ + AcctUpdateTime = ${....event_timestamp}, \ AcctStartDelay = '%{%{Acct-Delay-Time}:-0}', \ ConnectInfo_start = '%{Connect-Info}' \ WHERE AcctUniqueId = '%{Acct-Unique-Session-ID}' \ diff --git a/raddb/mods-config/sql/main/mysql/extras/wimax/schema.sql b/raddb/mods-config/sql/main/mysql/extras/wimax/schema.sql index e32224a..bc2e7da 100644 --- a/raddb/mods-config/sql/main/mysql/extras/wimax/schema.sql +++ b/raddb/mods-config/sql/main/mysql/extras/wimax/schema.sql @@ -3,7 +3,7 @@ # which replaces the "radpostauth" table. # -CREATE TABLE wimax ( +CREATE TABLE IF NOT EXISTS wimax ( id int(11) NOT NULL auto_increment, username varchar(64) NOT NULL default '', authdate timestamp NOT NULL, diff --git a/raddb/mods-config/sql/main/mysql/process-radacct.sql b/raddb/mods-config/sql/main/mysql/process-radacct.sql index 8902338..0696603 100644 --- a/raddb/mods-config/sql/main/mysql/process-radacct.sql +++ b/raddb/mods-config/sql/main/mysql/process-radacct.sql @@ -45,7 +45,7 @@ -- +----------------+----------------+-----------------+ -- 7 rows in set (0.000 sec) -- -CREATE TABLE data_usage_by_period ( +CREATE TABLE IF NOT EXISTS data_usage_by_period ( username VARCHAR(64), period_start DATETIME, period_end DATETIME, diff --git a/raddb/mods-config/sql/main/postgresql/queries.conf b/raddb/mods-config/sql/main/postgresql/queries.conf index 18a1ed0..80953e0 100644 --- a/raddb/mods-config/sql/main/postgresql/queries.conf +++ b/raddb/mods-config/sql/main/postgresql/queries.conf @@ -534,7 +534,7 @@ accounting { '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', \ NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), \ '%{NAS-Port-Type}', \ - ${....event_timestamp}, \ + TO_TIMESTAMP(${....event_timestamp_epoch} - %{%{Acct-Session-Time}:-0}), \ ${....event_timestamp}, \ NULL, \ %{%{Acct-Session-Time}:-NULL}, \ diff --git a/raddb/mods-config/sql/moonshot-targeted-ids/mysql/schema.sql b/raddb/mods-config/sql/moonshot-targeted-ids/mysql/schema.sql index 8a33dc1..bca2ba8 100644 --- a/raddb/mods-config/sql/moonshot-targeted-ids/mysql/schema.sql +++ b/raddb/mods-config/sql/moonshot-targeted-ids/mysql/schema.sql @@ -1,4 +1,4 @@ -CREATE TABLE `moonshot_targeted_ids` ( +CREATE TABLE IF NOT EXISTS `moonshot_targeted_ids` ( `gss_acceptor` varchar(254) NOT NULL default '', `namespace` varchar(36) NOT NULL default '', `username` varchar(64) NOT NULL default '', diff --git a/raddb/policy.d/canonicalization b/raddb/policy.d/canonicalization index 6d90e37..1b2f6e3 100644 --- a/raddb/policy.d/canonicalization +++ b/raddb/policy.d/canonicalization @@ -77,6 +77,7 @@ rewrite_called_station_id { if (&Called-Station-Id && (&Called-Station-Id =~ /^${policy.mac-addr-regexp}([^0-9a-f](.+))?$/i)) { update request { &Called-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" + &Called-Station-MAC := "0x%{toupper:%{1}%{2}%{3}%{4}%{5}%{6}}" } # SSID component? diff --git a/raddb/proxy.conf b/raddb/proxy.conf index 26f620c..cf0697d 100644 --- a/raddb/proxy.conf +++ b/raddb/proxy.conf @@ -252,6 +252,24 @@ home_server localhost { # secret = testing123 + # + # The global configuration "security.require_message_authenticator" + # flag sets the default for all home servers. That default can be + # over-ridden here, by setting it to a value. If no value is set, + # then the default from the "radiusd.conf" file is used. + # + # See that file for full documentation on the flag, along + # with allowed values and meanings. + # + # This flag exists solely for legacy home servers which do + # not send Message-Authenticator in all Access-Accept, + # Access-Reject, or Access-Challenge packets. We do not + # recommend setting it to "no". + # + # allowed values: yes, no, auto + # +# require_message_authenticator = no + ############################################################ # # The rest of the configuration items listed here are optional, diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in index 366dce4..44fee62 100644 --- a/raddb/radiusd.conf.in +++ b/raddb/radiusd.conf.in @@ -270,6 +270,27 @@ hostname_lookups = no #postauth_client_lost = no # +# Some NASes will aggressively retransmit packets, and cause a DoS of +# the RADIUS infrastructure. They should follow he recommended +# retransmission behavior of RFC 5080 Section 2.2.2, but it seems +# that only (some) RADIUS servers follow that guidance. +# +# When a duplicate packet is received from the NAS, the server will +# see when the last retransmission was done. If it is within the +# "proxy_dedup_window", the retransmitted packet is dropped. +# +# i.e. There is zero benefit to sending the same RADIUS packet +# multiple times in one second. There is, in fact, serious harm +# in doing so. Aggressive retransmissions can result in network +# congestion, and ultimately failure of the RADIUS infrastructure. +# +# This behavior *cannot* be disabled. +# +# Allowed values here are 1..10. Only integers are supported. +# +#proxy_dedup_window = 1 + +# # Logging section. The various "log_*" configuration items # will eventually be moved here. # @@ -424,6 +445,16 @@ ENV { # # BAR + + # + # If the server needs kerberos credentials, then they can be placed + # into the following keytab file. + # + # This also permits the server to use those credentials when it is + # run in debug mode. + # +# KRB5_CLIENT_KTNAME = ${raddbdir}/radiusd.keytab + # # `LD_PRELOAD` is special. It is normally set before the # application runs, and is interpreted by the dynamic linker. @@ -572,6 +603,191 @@ security { # status_server = yes + # + # Global configuration for requiring Message-Authenticator in + # all Access-* packets sent over UDP or TCP. This flag is + # ignored for TLS. + # + # The number one way to protect yourself from the BlastRADIUS + # attack is to update all RADIUS servers, and then set this + # flag to "yes". If all RADIUS servers are updated, and if + # all of them have this flag set to "yes" for all clients, + # then your network is safe. You can then upgrade the + # clients when it is convenient, instead of rushing the + # upgrades. + # + # This flag sets the global default for all clients and home + # servers. It can be over-ridden in an individual client or + # home_server definition by adding the same flag to that + # section with an appropriate value. + # + # All upgraded RADIUS implementations should send + # Message-Authenticator in all Access-Request, Access-Accept, + # Access-Reject, and Access-Challenge packets. Once all + # systems are upgraded, setting this flag to "yes" is the + # best protection from the attack. + # + # The possible values and meanings for + # "require_message_authenticator" are; + # + # * "no" - allow Access-* packet which do not contain + # Message-Authenticator + # + # For a client, if this flag is set to "no", then the + # "limit_proxy_state" flag, below, is also checked. + # + # For a home_server, if this flag is set to "no", then the + # Access-Accept, Access-Reject, and Access-Challenge + # packets do not need to contain Message-Authenticator. + # + # The only reason to set this flag to "no" is when the + # RADIUS client or home server has not been updated. It is + # always safer to set this flag "no" in the individual + # client or home_server definition. The global flag SHOULD + # still be set to a safe value: "yes". + # + # WARNING: Setting this flag and the "limit_proxy_state" + # flag to "no" will allow MITM attackers to create fake + # Access-Accept packets to the NAS! At least one of them + # MUST be set to "yes" for the system to have any + # protection against the attack. + # + # * "yes" - Require that all Access-* packets (client and + # home_server) contain Message-Authenticator. If a packet + # does not contain Message-Authenticator, then it is + # discarded. + # + # * "auto" - Automatically determine the value of the flag, + # based on the first packet received from that client or + # home_server. + # + # If the packet does not contain Message-Authenticator, + # then the value of the flag is automatically switched to + # "no". + # + # If the packet contains Message-Authenticator but not + # EAP-Message, then the value of the flag is automatically + # switched to "yes". The server has to check for + # EAP-Message, because the previous RFCs require that the + # packet contains Message-Authenticator when it also + # contains EAP-Message. So having a Message-Authenticator + # in those packets doesn't give the server enough + # information to determined if the client or home_server + # has been updated. + # + # If the packet contains Message-Authenticator and + # EAP-Message, then the flag is left at the "auto" value. + # + # WARNING: This switch is done for the first packet + # received from that client or home server. The change + # does NOT persist across server restarts. You MUST change + # the to "yes" manually, in order to make a permanent + # change to the configuration. + # + # WARNING: If there are multiple NASes with the same source + # IP and client definitions, BUT the NASes have different + # behavior, then this flag WILL LIKELY BREAK YOUR NETWORK. + # + # That is, when there are multiple different RADIUS clients + # behind one NATed IP address, then these security settings + # have to be set to allow the MOST INSECURE packets to be + # processed. This is a terrible idea, and will leave your + # network vulnerable to the attack. Please upgrade all + # clients immediately. + # + # The only solution to that rare configuration is to set + # this flag to "no", in which case the network will work, + # but will be vulnerable to the attack. + # + require_message_authenticator = auto + + # + # Global configuration for limiting the combination of + # Proxy-State and Message-Authenticator. This flag only + # applies to packets sent over UDP or TCP. This flag is + # ignored for TLS. + # + # This flag sets the global default for all clients. It can + # be over-ridden in an individual client definition by adding + # the same flag to that section with an appropriate value. + # + # If "require_message_authenticator" is set to "yes", this + # configuration item is ignored. + # + # If "require_message_authenticator" is set to "no", this + # configuration item is checked. + # + # The possible values and meanings for "limit_proxy_state" are; + # + # * "no" - allow any packets from the client, even packets + # which contain the BlastRADIUS attack. Please be aware + # that in this configuration the server will complain for + # EVERY packet which it receives. + # + # The only reason to set this flag to "no" is when the + # client is a proxy, AND the proxy does not send + # Message-Authenticator in Access-Request packets. Even + # then, the best approach to fix the issue is to (1) update + # the proxy to send Message-Authenticator, and if that + # can't be done, then (2) set this flag to "no", but ONLY + # for that one client. The global flag SHOULD still be set + # to a safe value: "yes". + # + # WARNING: Setting both this flag and the + # "require_message_authenticator" flag to "no" will allow + # MITM attackers to create fake Access-Accept packets to the + # NAS! At least one of them MUST be set to "yes" for the + # system to have any protection against the attack. + # + # * "yes" - Allow packets without Message-Authenticator, + # but only when they do not contain Proxy-State. + # packets which contain Proxy-State MUST also contain + # Message-Authenticator, otherwise they are discarded. + # + # This setting is safe for most NASes, GGSNs, BRAS, etc. + # Most regular RADIUS clients do not send Proxy-State + # attributes for Access-Request packets that they originate. + # However some aggregators (e.g. Wireless LAN Controllers) + # may act as a RADIUS proxy for requests from their cohort + # of managed devices, and in such cases will provide a + # Proxy-State attribute. For those systems, you _must_ look + # at the actual packets to determine what to do. It may be + # that the only way to fix the vulnerability is to upgrade + # the WLC, and set "require_message_authenticator" to "yes". + # + # * "auto" - Automatically determine the value of the flag, + # based on the first packet received from that client. + # + # If the packet contains Proxy-State but no + # Message-Authenticator, then the value of the flag is + # automatically switched to "no". + # + # For all other situations, the value of the flag is + # automatically switched to "yes". + # + # WARNING: This switch is done for the first packet + # received from that client. The change does NOT persist + # across server restarts. You MUST change the to "yes" + # manually, in order to make a permanent change to the + # configuration. + # + # WARNING: If there are multiple NASes with the same source + # IP and client definitions, BUT the NASes have different + # behavior, then this flag WILL LIKELY BREAK YOUR NETWORK. + # + # That is, when there are multiple different RADIUS clients + # behind one NATed IP address, then these security settings + # have to be set to allow the MOST INSECURE packets to be + # processed. This is a terrible idea, and will leave your + # network vulnerable to the attack. Please upgrade all + # clients immediately. + # + # The only solution to that rare configuration is to set + # this flag to "no", in which case the network will work, + # but will be vulnerable to the attack. + # + limit_proxy_state = auto + @openssl_version_check_config@ } diff --git a/raddb/sites-available/aws-nlb b/raddb/sites-available/aws-nlb index acea81e..06ca632 100644 --- a/raddb/sites-available/aws-nlb +++ b/raddb/sites-available/aws-nlb @@ -33,6 +33,15 @@ listen { proto = tcp ipaddr = * port = 8000 + + # + # Set limits so that unused connections get cleaned up quickly. + # + limit { + max_connections = 16 + lifetime = 5 + idle_timeout = 5 + } } # diff --git a/raddb/sites-available/default b/raddb/sites-available/default index 78b7ae7..b4339bd 100644 --- a/raddb/sites-available/default +++ b/raddb/sites-available/default @@ -348,6 +348,20 @@ authorize { digest # + # The dpsk module implements dynamic PSK. + # + # If the request contains FreeRADIUS-802.1X-Anonce + # and FreeRADIUS-802.1X-EAPoL-Key-Msg, then it will set + # &control:Auth-Type := dpsk + # + # The "rewrite_called_station_id" policy creates the + # Called-Station-MAC attribute, which is needed by + # the dpsk module. + # +# rewrite_called_station_id +# dpsk + + # # The WiMAX specification says that the Calling-Station-Id # is 6 octets of the MAC. This definition conflicts with # RFC 3580, and all common RADIUS practices. If you are using @@ -534,6 +548,8 @@ authenticate { pap } +# dpsk + # # Most people want CHAP authentication # A back-end database listed in the 'authorize' section diff --git a/raddb/sites-available/inner-tunnel b/raddb/sites-available/inner-tunnel index c178baa..1197e08 100644 --- a/raddb/sites-available/inner-tunnel +++ b/raddb/sites-available/inner-tunnel @@ -194,7 +194,7 @@ authorize { # LDAP servers can only do PAP. They cannot do CHAP, MS-CHAP, # or EAP. # -# if (!&control.Auth-Type && &User-Password) { +# if (!&control:Auth-Type && &User-Password) { # update control { # &Auth-Type := LDAP # } @@ -409,6 +409,13 @@ post-auth { &Module-Failure-Message := &request:Module-Failure-Message } } + + # + # Access-Challenge packets are sent through the Challenge sub-section + # of the post-auth section. + # + #Post-Auth-Type Challenge { + #} } # diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls index 137fcbc..6eab1fe 100644 --- a/raddb/sites-available/tls +++ b/raddb/sites-available/tls @@ -56,12 +56,15 @@ listen { # type = auth+acct - # For now, only TCP transport is allowed. + # For now, only TCP transport is allowed. proto = tcp - # Send packets to the default virtual server + # Send packets to the default virtual server virtual_server = default + # + # We have clients specifically for TLS. + # clients = radsec # @@ -88,6 +91,22 @@ listen { # proxy_protocol = no # + # This configuration item should be enabled for all listen + # sections which do TLS. + # + # It is only disabled because we are careful about changing + # existing behavior in a stable release. + # + # Setting this configuration item to "yes" means that the + # server will be able to gracefully recover if a TLS + # connection is blocking at the network layer. + # + # Note that setting "nonblock = yes" is NOT possible for bare + # TCP connections. RADIUS/TCP should generally be avoided. + # +# nonblock = yes + + # # When this is set to "yes", new TLS connections # are processed through a section called # @@ -310,6 +329,11 @@ listen { tls_max_version = "1.3" # + # See mods-available/eap for documentation + # + ecdh_curve = "" + + # # Session resumption / fast reauthentication # cache. # @@ -514,6 +538,22 @@ home_server tls { proto = tcp status_check = none + # + # This configuration item should be enabled for all + # home_server sections which do TLS. + # + # It is only disabled because we are careful about changing + # existing behavior in a stable release. + # + # Setting this configuration item to "yes" means that the + # server will be able to gracefully recover if a TLS + # connection is blocking at the network layer. + # + # Note that setting "nonblock = yes" is NOT possible for bare + # TCP connections. RADIUS/TCP should generally be avoided. + # +# nonblock = yes + tls { # # Similarly to HTTP, the client can use Server Name |