lukegb/depot
1
0
Fork 0
Code Issues 1 Pull requests Projects Packages Activity Actions

bvm-radius: add freeradius configuration

Browse source
This commit is contained in:
Luke Granger-Brown 2021-09-25 18:28:45 +00:00
parent a8718864c1
commit d6bd6e85ca
88 changed files with 4448 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
ops/nixos/bvm-radius/default.nix
View file

@ -8,6 +8,7 @@ let
in {
imports = [
../lib/bvm.nix
./radius.nix
];
# Networking!
@ -60,10 +61,5 @@ in {
};
};
environment.systemPackages = with pkgs; [
freeradius
depot.pkgs.eapol-test
];
system.stateVersion = "21.05";
}

34
ops/nixos/bvm-radius/raddb/clients.conf Normal file
View file

@ -0,0 +1,34 @@
client localhost {
ipaddr = 127.0.0.1
secret = testing123
}
client eduroam_flr_server_1_v4 {
# roaming0.ja.net
ipaddr = 194.82.174.185
secret = {{JANET_ROAMING0_SECRET}}
nastype = 'eduroam_flr'
}
client eduroam_flr_server_1_v6 {
# roaming0.ja.net
ipv6addr = 2001:630:1:128::185
secret = {{JANET_ROAMING0_SECRET}}
nastype = 'eduroam_flr'
}
client eduroam_flr_server_2_v4 {
# roaming1.ja.net
ipaddr = 194.83.56.233
secret = {{JANET_ROAMING1_SECRET}}
nastype = 'eduroam_flr'
}
client eduroam_flr_server_2_v6 {
# roaming1.ja.net
ipv6addr = 2001:630:1:12a::233
secret = {{JANET_ROAMING1_SECRET}}
nastype = 'eduroam_flr'
}
client wireless_access_points_mgmt {
ipaddr = 92.118.30.0/24
secret = {{WLC_SECRET}}
}

49
ops/nixos/bvm-radius/raddb/dictionary Normal file
View file

@ -0,0 +1,49 @@
#
# This is the local dictionary file which can be
# edited by local administrators. It will be loaded
# AFTER the main dictionary files are loaded.
#
# As of version 3.0.2, FreeRADIUS will automatically
# load the main dictionary files from
#
# ${prefix}/share/freeradius/dictionary
#
# It is no longer necessary for this file to $INCLUDE
# the main dictionaries. However, if the $INCLUDE
# line is here, nothing bad will happen.
#
# Any new/changed attributes MUST be placed in this file.
# The pre-defined dictionaries SHOULD NOT be edited.
#
# See "man dictionary" for documentation on its format.
#
# $Id: eed5d70f41b314f9ed3f006a22d9f9a2be2c9516 $
#
#
# All local attributes and $INCLUDE's should go into
# this file.
#
# If you want to add entries to the dictionary file,
# which are NOT going to be placed in a RADIUS packet,
# add them to the 'dictionary.local' file.
#
# The numbers you pick should be between 3000 and 4000.
# These attributes will NOT go into a RADIUS packet.
#
# If you want that, you will need to use VSAs. This means
# requesting allocation of a Private Enterprise Code from
# http://iana.org. We STRONGLY suggest doing that only if
# you are a vendor of RADIUS equipment.
#
# See RFC 6158 for more details.
# http://ietf.org/rfc/rfc6158.txt
#
#
# These attributes are examples
#
#ATTRIBUTE My-Local-String 3000 string
#ATTRIBUTE My-Local-IPAddr 3001 ipaddr
#ATTRIBUTE My-Local-Integer 3002 integer

1
ops/nixos/bvm-radius/raddb/hints Symbolic link
View file

@ -0,0 +1 @@
./mods-config/preprocess/hints

1
ops/nixos/bvm-radius/raddb/huntgroups Symbolic link
View file

@ -0,0 +1 @@
./mods-config/preprocess/huntgroups

116
ops/nixos/bvm-radius/raddb/mods-available/README.rst Normal file
View file

@ -0,0 +1,116 @@
Modules in Version 3
====================
As of Version 3, all of the modules have been placed in the
"mods-available/" directory. This practice follows that used by other
servers such as Nginx, Apache, etc. The "modules" directory should
not be used.
Modules are enabled by creating a file in the mods-enabled/ directory.
You can also create a soft-link from one directory to another::
$ cd raddb/mods-enabled
$ ln -s ../mods-available/foo
This will enable module "foo". Be sure that you have configured the
module correctly before enabling it, otherwise the server will not
start. You can verify the server configuration by running
"radiusd -XC".
A large number of modules are enabled by default. This allows the
server to work with the largest number of authentication protocols.
Please be careful when disabling modules. You will likely need to
edit the "sites-enabled/" files to remove references to any disabled
modules.
Conditional Modules
-------------------
Version 3 allows modules to be conditionally loaded. This is useful
when you want to have a virtual server which references a module, but
does not require it. Instead of editing the virtual server file, you
can just conditionally enable the module.
Modules are conditionally enabled by adding a "-" before their name in
a virtual server. For example, you can do::
server {
authorize {
...
ldap
-sql
...
}
}
This says "require the LDAP module, but use the SQL module only if it
is configured."
This feature is not very useful for production configurations. It is,
however, very useful for the default examples that ship with the
server.
Ignoring module
---------------
If you see this message::
Ignoring module (see raddb/mods-available/README.rst)
Then you are in the right place. Most of the time this message can be
ignored. The message can be fixed by finding the references to "-module"
in the virtual server, and deleting them.
Another way to fix it is to configure the module, as described above.
Simplification
--------------
Allowing conditional modules simplifies the default virtual servers
that are shipped with FreeRADIUS. This means that if you want to
enable LDAP (for example), you no longer need to edit the files in
raddb/sites-available/ in order to enable it.
Instead, you should edit the raddb/mods-available/ldap file to point
to your local LDAP server. Then, enable the module via the soft-link
method described above.
Once the module is enabled, it will automatically be used in the
default configuration.
Multiple Instances
------------------
It is sometimes necessary to have the same module do two different
things. The server supports this functionality via "instances" of
modules.
Normally, a module configuration looks like this:
sql {
... sql stuff ...
}
This module is then refereed to as the "sql" module.
But what happens if you want to connect to two different SQL
databases? The solution is simple; copy the "sql" module
configuration, and add an instance name after the "sql" string:
sql mysql1 {
... configuration for connecting to mysql11 ...
}
sql mysql2 {
... configuration for connecting to mysql12 ...
}
This configuration says "load the SQL module, but create two copies of
it, with different configurations". The different configurations can
be referred to by name, as "mysql1" and "mysql2". That is, anywhere
you would normally use "sql", you could use either "mysql1" or
"mysql2".
For further examples of using module instances, see the "attr_filter"
module configuration in this directory.

61
ops/nixos/bvm-radius/raddb/mods-available/always Normal file
View file

@ -0,0 +1,61 @@
# -*- text -*-
#
# $Id: de3f13089d8951f4c822ebc4007df58e0487de14 $
#
# The "always" module is here for debugging purposes, or
# for use in complex policies.
# Instance simply returns the same result, always, without
# doing anything.
#
# rcode may be one of the following values:
# - reject - Reject the user.
# - fail - Simulate or indicate a failure.
# - ok - Simulate or indicate a success.
# - handled - Indicate that the request has been handled,
# stop processing, and send response if set.
# - invalid - Indicate that the request is invalid.
# - userlock - Indicate that the user account has been
# locked out.
# - notfound - Indicate that a user account can't be found.
# - noop - Simulate a no-op.
# - updated - Indicate that the request has been updated.
#
# If an instance is listed in a session {} section,
# this simulates a user having <integer> sessions.
#
# simulcount = <integer>
#
# If an instance is listed in a session {} section,
# this simulates the user having multilink
# sessions.
#
# mpp = <integer>
#
always reject {
rcode = reject
}
always fail {
rcode = fail
}
always ok {
rcode = ok
}
always handled {
rcode = handled
}
always invalid {
rcode = invalid
}
always userlock {
rcode = userlock
}
always notfound {
rcode = notfound
}
always noop {
rcode = noop
}
always updated {
rcode = updated
}

50
ops/nixos/bvm-radius/raddb/mods-available/attr_filter Normal file
View file

@ -0,0 +1,50 @@
# -*- text -*-
#
# $Id: 1caff077b2429c948a04777fcd619be901ac83dc $
#
# This file defines a number of instances of the "attr_filter" module.
#
# attr_filter - filters the attributes received in replies from
# proxied servers, to make sure we send back to our RADIUS client
# only allowed attributes.
attr_filter attr_filter.post-proxy {
key = "%{Realm}"
filename = ${modconfdir}/${.:name}/post-proxy
}
# attr_filter - filters the attributes in the packets we send to
# the RADIUS home servers.
attr_filter attr_filter.pre-proxy {
key = "%{Realm}"
filename = ${modconfdir}/${.:name}/pre-proxy
}
# Enforce RFC requirements on the contents of Access-Reject
# packets. See the comments at the top of the file for
# more details.
#
attr_filter attr_filter.access_reject {
key = "%{User-Name}"
filename = ${modconfdir}/${.:name}/access_reject
}
# Enforce RFC requirements on the contents of Access-Challenge
# packets. See the comments at the top of the file for
# more details.
#
attr_filter attr_filter.access_challenge {
key = "%{User-Name}"
filename = ${modconfdir}/${.:name}/access_challenge
}
# Enforce RFC requirements on the contents of the
# Accounting-Response packets. See the comments at the
# top of the file for more details.
#
attr_filter attr_filter.accounting_response {
key = "%{User-Name}"
filename = ${modconfdir}/${.:name}/accounting_response
}

13
ops/nixos/bvm-radius/raddb/mods-available/cache_eap Normal file
View file

@ -0,0 +1,13 @@
#
# Cache EAP responses for resiliency on intermediary proxy fail-over
#
cache cache_eap {
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
update reply {
reply: += &reply:
&control:State := &request:State
}
}

11
ops/nixos/bvm-radius/raddb/mods-available/chap Normal file
View file

@ -0,0 +1,11 @@
# -*- text -*-
#
# $Id: e2a3cd3b110ffffdbcff86c7fc65a9275ddc3379 $
# CHAP module
#
# To authenticate requests containing a CHAP-Password attribute.
#
chap {
# no configuration
}

35
ops/nixos/bvm-radius/raddb/mods-available/date Normal file
View file

@ -0,0 +1,35 @@
#
# Registers xlat to convert between time formats.
#
# xlat input string is an attribute name. If this attribute is of date
# or integer type, the date xlat will convert it to a time string in
# the format of the format config item.
#
# If the attribute is a string type, date will attempt to parse it in
# the format specified by the format config item, and will expand
# to a Unix timestamp.
#
date {
format = "%b %e %Y %H:%M:%S %Z"
# Use UTC instead of local time.
#
# default = no
# utc = yes
}
#
# The WISPr-Session-Terminate-Time attribute is of type "string",
# and not "date". Use this expansion to create an attribute
# that holds an actual date:
#
# Tmp-Date-0 := "%{wispr2date:&reply:WISPr-Session-Terminate-Time}"
#
date wispr2date {
format = "%Y-%m-%dT%H:%M:%S"
# Use UTC instead of local time.
#
# default = no
# utc = yes
}

100
ops/nixos/bvm-radius/raddb/mods-available/detail Normal file
View file

@ -0,0 +1,100 @@
# -*- text -*-
#
# $Id: e91e12d0b4de8f3cb084c179b321924d0248cfbb $
# Write a detailed log of all accounting records received.
#
detail {
# Note that we do NOT use NAS-IP-Address here, as
# that attribute MAY BE from the originating NAS, and
# NOT from the proxy which actually sent us the
# request.
#
# The following line creates a new detail file for
# every radius client (by IP address or hostname).
# In addition, a new detail file is created every
# day, so that the detail file doesn't have to go
# through a 'log rotation'
#
# If your detail files are large, you may also want to add
# a ':%H' (see doc/configuration/variables.rst) to the end
# of it, to create a new detail file every hour, e.g.:
#
# ..../detail-%Y%m%d:%H
#
# This will create a new detail file for every hour.
#
# If you are reading detail files via the "listen" section
# (e.g. as in raddb/sites-available/robust-proxy-accounting),
# you MUST use a unique directory for each combination of a
# detail file writer, and reader. That is, there can only
# be ONE "listen" section reading detail files from a
# particular directory.
#
filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
#
# If you are using radrelay, delete the above line for "file",
# and use this one instead:
#
# filename = ${radacctdir}/detail
#
# Most file systems can handly nearly the full range of UTF-8
# characters. Ones that can deal with a limited range should
# set this to "yes".
#
escape_filenames = no
#
# The Unix-style permissions on the 'detail' file.
#
# The detail file often contains secret or private
# information about users. So by keeping the file
# permissions restrictive, we can prevent unwanted
# people from seeing that information.
permissions = 0600
# The Unix group of the log file.
#
# The user that the server runs as must be in the specified
# system group otherwise this will fail to work.
#
# group = ${security.group}
#
# Every entry in the detail file has a header which
# is a timestamp. By default, we use the ctime
# format (see "man ctime" for details).
#
# The header can be customised by editing this
# string. See "doc/configuration/variables.rst" for a
# description of what can be put here.
#
header = "%t"
#
# Uncomment this line if the detail file reader will be
# reading this detail file.
#
# locking = yes
#
# Log the Packet src/dst IP/port. This is disabled by
# default, as that information isn't used by many people.
#
# log_packet_header = yes
#
# Certain attributes such as User-Password may be
# "sensitive", so they should not be printed in the
# detail file. This section lists the attributes
# that should be suppressed.
#
# The attributes should be listed one to a line.
#
#suppress {
# User-Password
#}
}

75
ops/nixos/bvm-radius/raddb/mods-available/detail.log Normal file
View file

@ -0,0 +1,75 @@
# -*- text -*-
#
# $Id: b91cf7cb24744ee96e390aa4d7bd5f3ad4c0c0ee $
#
# More examples of doing detail logs.
#
# Many people want to log authentication requests.
# Rather than modifying the server core to print out more
# messages, we can use a different instance of the 'detail'
# module, to log the authentication requests to a file.
#
# You will also need to un-comment the 'auth_log' line
# in the 'authorize' section, below.
#
detail auth_log {
filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
permissions = 0600
# You may also strip out passwords completely
suppress {
User-Password
}
}
#
# This module logs authentication reply packets sent
# to a NAS. Both Access-Accept and Access-Reject packets
# are logged.
#
# You will also need to un-comment the 'reply_log' line
# in the 'post-auth' section, below.
#
detail reply_log {
filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
permissions = 0600
}
#
# This module logs packets proxied to a home server.
#
# You will also need to un-comment the 'pre_proxy_log' line
# in the 'pre-proxy' section, below.
#
detail pre_proxy_log {
filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
permissions = 0600
# You may also strip out passwords completely
#suppress {
# User-Password
#}
}
#
# This module logs response packets from a home server.
#
# You will also need to un-comment the 'post_proxy_log' line
# in the 'post-proxy' section, below.
#
detail post_proxy_log {
filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d
permissions = 0600
}

13
ops/nixos/bvm-radius/raddb/mods-available/digest Normal file
View file

@ -0,0 +1,13 @@
# -*- text -*-
#
# $Id: f0aa9edf9da33d63fe03e7d1ed3cbca848eec54d $
#
# The 'digest' module currently has no configuration.
#
# "Digest" authentication against a Cisco SIP server.
# See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
# on performing digest authentication for Cisco SIP servers.
#
digest {
}

32
ops/nixos/bvm-radius/raddb/mods-available/dynamic_clients Normal file
View file

@ -0,0 +1,32 @@
# -*- text -*-
#
# $Id: cc2bd5fd22aa473b98af5dde3fac7a66e39a9e9d $
# This module loads RADIUS clients as needed, rather than when the server
# starts.
#
# There are no configuration entries for this module. Instead, it
# relies on the "client" configuration. You must:
#
# 1) link raddb/sites-enabled/dynamic_clients to
# raddb/sites-available/dynamic_clients
#
# 2) Define a client network/mask (see top of the above file)
#
# 3) uncomment the "directory" entry in that client definition
#
# 4) list "dynamic_clients" in the "authorize" section of the
# "dynamic_clients' virtual server. The default example already
# does this.
#
# 5) put files into the above directory, one per IP.
# e.g. file "192.0.2.1" should contain a normal client definition
# for a client with IP address 192.0.2.1.
#
# For more documentation, see the file:
#
# raddb/sites-available/dynamic-clients
#
dynamic_clients {
}

791
ops/nixos/bvm-radius/raddb/mods-available/eap-custom Normal file
View file

@ -0,0 +1,791 @@
# -*- text -*-
##
## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
## $Id: a89a783663588017b12bcc076362e728261ba8f2 $
#######################################################################
#
# Whatever you do, do NOT set 'Auth-Type := EAP'. The server
# is smart enough to figure this out on its own. The most
# common side effect of setting 'Auth-Type := EAP' is that the
# users then cannot use ANY other authentication method.
#
eap {
# Invoke the default supported EAP type when
# EAP-Identity response is received.
#
# The incoming EAP messages DO NOT specify which EAP
# type they will be using, so it MUST be set here.
#
# For now, only one default EAP type may be used at a time.
#
# If the EAP-Type attribute is set by another module,
# then that EAP type takes precedence over the
# default type configured here.
#
default_eap_type = ttls
# A list is maintained to correlate EAP-Response
# packets with EAP-Request packets. After a
# configurable length of time, entries in the list
# expire, and are deleted.
#
timer_expire = 60
# There are many EAP types, but the server has support
# for only a limited subset. If the server receives
# a request for an EAP type it does not support, then
# it normally rejects the request. By setting this
# configuration to "yes", you can tell the server to
# instead keep processing the request. Another module
# MUST then be configured to proxy the request to
# another RADIUS server which supports that EAP type.
#
# If another module is NOT configured to handle the
# request, then the request will still end up being
# rejected.
#
ignore_unknown_eap_types = no
# Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
# a User-Name attribute in an Access-Accept, it copies one
# more byte than it should.
#
# We can work around it by configurably adding an extra
# zero byte.
#
cisco_accounting_username_bug = no
# Help prevent DoS attacks by limiting the number of
# sessions that the server is tracking. For simplicity,
# this is taken from the "max_requests" directive in
# radiusd.conf.
#
max_sessions = ${max_requests}
############################################################
#
# Supported EAP-types
#
# EAP-MD5
#
# We do NOT recommend using EAP-MD5 authentication
# for wireless connections. It is insecure, and does
# not provide for dynamic WEP keys.
#
md5 {
}
# Common TLS configuration for TLS-based EAP types
# ------------------------------------------------
#
# See raddb/certs/README for additional comments
# on certificates.
#
# If OpenSSL was not found at the time the server was
# built, the "tls", "ttls", and "peap" sections will
# be ignored.
#
# If you do not currently have certificates signed by
# a trusted CA you may use the 'snakeoil' certificates.
# Included with the server in raddb/certs.
#
# If these certificates have not been auto-generated:
# cd raddb/certs
# make
#
# These test certificates SHOULD NOT be used in a normal
# deployment. They are created only to make it easier
# to install the server, and to perform some simple
# tests with EAP-TLS, TTLS, or PEAP.
#
# Note that you should NOT use a globally known CA here!
# e.g. using a Verisign cert as a "known CA" means that
# ANYONE who has a certificate signed by them can
# authenticate via EAP-TLS! This is likely not what you want.
#
tls-config tls-common {
#private_key_password = whatever
private_key_file = /var/lib/acme/as205479.net/key.pem
# If Private key & Certificate are located in
# the same file, then private_key_file &
# certificate_file must contain the same file
# name.
#
# If ca_file (below) is not used, then the
# certificate_file below SHOULD also include all of
# the intermediate CA certificates used to sign the
# server certificate, but NOT the root CA.
#
# Including the ROOT CA certificate is not useful and
# merely inflates the exchanged data volume during
# the TLS negotiation.
#
# This file should contain the server certificate,
# followed by intermediate certificates, in order.
# i.e. If we have a server certificate signed by CA1,
# which is signed by CA2, which is signed by a root
# CA, then the "certificate_file" should contain
# server.pem, followed by CA1.pem, followed by
# CA2.pem.
#
# When using "ca_file" or "ca_dir", the
# "certificate_file" should contain only
# "server.pem". And then you may (or may not) need
# to set "auto_chain", depending on your version of
# OpenSSL.
#
# In short, SSL / TLS certificates are complex.
# There are many versions of software, each of which
# behave slightly differently. It is impossible to
# give advice which will work everywhere. Instead,
# we give general guidelines.
#
certificate_file = /var/lib/acme/as205479.net/cert.pem
# Trusted Root CA list
#
# This file can contain multiple CA certificates.
# ALL of the CA's in this list will be trusted to
# issue client certificates for authentication.
#
# In general, you should use self-signed
# certificates for 802.1x (EAP) authentication.
# In that case, this CA file should contain
# *one* CA certificate.
#
#ca_file = ${cadir}/ca.pem
# OpenSSL will automatically create certificate chains,
# unless we tell it to not do that. The problem is that
# it sometimes gets the chains right from a certificate
# signature view, but wrong from the clients view.
#
# When setting "auto_chain = no", the server certificate
# file MUST include the full certificate chain.
#
# auto_chain = yes
# If OpenSSL supports TLS-PSK, then we can use a
# fixed PSK identity and (hex) password. As of
# 3.0.18, these can be used at the same time as the
# certificate configuration, but only for TLS 1.0
# through 1.2.
#
# If PSK and certificates are configured at the same
# time for TLS 1.3, then the server will warn you,
# and will disable TLS 1.3, as it will not work.
#
# The work around is to have two modules (or for
# RadSec, two listen sections). One will have PSK
# configured, and the other will have certificates
# configured.
#
# psk_identity = "test"
# psk_hexphrase = "036363823"
# Dynamic queries for the PSK. If TLS-PSK is used,
# and psk_query is set, then you MUST NOT use
# psk_identity or psk_hexphrase.
#
# Instead, use a dynamic expansion similar to the one
# below. It keys off of TLS-PSK-Identity. It should
# return a of string no more than 512 hex characters.
# That string will be converted to binary, and will
# be used as the dynamic PSK hexphrase.
#
# Note that this query is just an example. You will
# need to customize it for your installation.
#
# psk_query = "%{sql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}"
# For DH cipher suites to work, you have to
# run OpenSSL to create the DH file first:
#
# openssl dhparam -out certs/dh 2048
#
dh_file = /var/lib/freeradius/dh
# If your system doesn't have /dev/urandom,
# you will need to create this file, and
# periodically change its contents.
#
# For security reasons, FreeRADIUS doesn't
# write to files in its configuration
# directory.
#
# random_file = /dev/urandom
# This can never exceed the size of a RADIUS
# packet (4096 bytes), and is preferably half
# that, to accommodate other attributes in
# RADIUS packet. On most APs the MAX packet
# length is configured between 1500 - 1600
# In these cases, fragment size should be
# 1024 or less.
#
# fragment_size = 1024
# include_length is a flag which is
# by default set to yes If set to
# yes, Total Length of the message is
# included in EVERY packet we send.
# If set to no, Total Length of the
# message is included ONLY in the
# First packet of a fragment series.
#
# include_length = yes
# Check the Certificate Revocation List
#
# 1) Copy CA certificates and CRLs to same directory.
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
# 'c_rehash' is OpenSSL's command.
# 3) uncomment the lines below.
# 5) Restart radiusd
# check_crl = yes
# Check if intermediate CAs have been revoked.
# check_all_crl = yes
#ca_path = ${cadir}
# Accept an expired Certificate Revocation List
#
# allow_expired_crl = no
# If check_cert_issuer is set, the value will
# be checked against the DN of the issuer in
# the client certificate. If the values do not
# match, the certificate verification will fail,
# rejecting the user.
#
# This check can be done more generally by checking
# the value of the TLS-Client-Cert-Issuer attribute.
# This check can be done via any mechanism you
# choose.
#
# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
# If check_cert_cn is set, the value will
# be xlat'ed and checked against the CN
# in the client certificate. If the values
# do not match, the certificate verification
# will fail rejecting the user.
#
# This check is done only if the previous
# "check_cert_issuer" is not set, or if
# the check succeeds.
#
# In 2.1.10 and later, this check can be done
# more generally by checking the value of the
# TLS-Client-Cert-Common-Name attribute. This check
# can be done via any mechanism you choose.
#
# check_cert_cn = %{User-Name}
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
#
# For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
#
cipher_list = "DEFAULT"
# If enabled, OpenSSL will use server cipher list
# (possibly defined by cipher_list option above)
# for choosing right cipher suite rather than
# using client-specified list which is OpenSSl default
# behavior. Setting this to "yes" means that OpenSSL
# will choose the servers ciphers, even if they do not
# best match what the client sends.
#
# TLS negotiation is usually good, but can be imperfect.
# This setting allows administrators to "fine tune" it
# if necessary.
#
cipher_server_preference = no
# You can selectively disable TLS versions for
# compatability with old client devices.
#
# If your system has OpenSSL 1.1.0 or greater, do NOT
# use these. Instead, set tls_min_version and
# tls_max_version.
#
# disable_tlsv1_2 = no
disable_tlsv1_1 = yes
disable_tlsv1 = yes
# Set min / max TLS version. Mainly for Debian
# "trusty", which disables older versions of TLS, and
# requires the application to manually enable them.
#
# If you are running Debian trusty, you should set
# these options, otherwise older clients will not be
# able to connect.
#
# Allowed values are "1.0", "1.1", "1.2", and "1.3".
#
# Note that the server WILL NOT permit negotiation of
# TLS 1.3. The EAP-TLS standards for TLS 1.3 are NOT
# finished. It is therefore impossible for the server
# to negotiate EAP-TLS correctly with TLS 1.3.
#
# The values must be in quotes.
#
tls_min_version = "1.2"
tls_max_version = "1.2"
# Elliptical cryptography configuration
#
# Only for OpenSSL >= 0.9.8.f
#
ecdh_curve = "prime256v1"
# Session resumption / fast reauthentication
# cache.
#
# The cache contains the following information:
#
# session Id - unique identifier, managed by SSL
# User-Name - from the Access-Accept
# Stripped-User-Name - from the Access-Request
# Cached-Session-Policy - from the Access-Accept
#
# See also the "store" subsection below for
# additional attributes which can be cached.
#
# The "Cached-Session-Policy" is the name of a
# policy which should be applied to the cached
# session. This policy can be used to assign
# VLANs, IP addresses, etc. It serves as a useful
# way to re-apply the policy from the original
# Access-Accept to the subsequent Access-Accept
# for the cached session.
#
# On session resumption, these attributes are
# copied from the cache, and placed into the
# reply list.
#
# You probably also want "use_tunneled_reply = yes"
# when using fast session resumption.
#
# You can check if a session has been resumed by
# looking for the existence of the EAP-Session-Resumed
# attribute. Note that this attribute will *only*
# exist in the "post-auth" section.
#
# CAVEATS: The cache is stored and reloaded BEFORE
# the "post-auth" section is run. This limitation
# makes caching more difficult than it should be. In
# practice, it means that the first authentication
# session must set the reply attributes before the
# post-auth section is run.
#
# When the session is resumed, the attributes are
# restored and placed into the session-state list.
#
cache {
# Enable it. The default is "no". Deleting the entire "cache"
# subsection also disables caching.
#
# As of version 3.0.14, the session cache requires the use
# of the "name" and "persist_dir" configuration items, below.
#
# The internal OpenSSL session cache has been permanently
# disabled.
#
# You can disallow resumption for a particular user by adding the
# following attribute to the control item list:
#
# Allow-Session-Resumption = No
#
# If "enable = no" below, you CANNOT enable resumption for just one
# user by setting the above attribute to "yes".
#
enable = no
# Lifetime of the cached entries, in hours. The sessions will be
# deleted/invalidated after this time.
#
lifetime = 24 # hours
# Internal "name" of the session cache. Used to
# distinguish which TLS context sessions belong to.
#
# The server will generate a random value if unset.
# This will change across server restart so you MUST
# set the "name" if you want to persist sessions (see
# below).
#
# name = "EAP module"
# Simple directory-based storage of sessions.
# Two files per session will be written, the SSL
# state and the cached VPs. This will persist session
# across server restarts.
#
# The default directory is ${logdir}, for historical
# reasons. You should ${db_dir} instead. And check
# the value of db_dir in the main radiusd.conf file.
# It should not point to ${raddb}
#
# The server will need write perms, and the directory
# should be secured from anyone else. You might want
# a script to remove old files from here periodically:
#
# find ${logdir}/tlscache -mtime +2 -exec rm -f {} \;
#
# This feature REQUIRES "name" option be set above.
#
# persist_dir = "${logdir}/tlscache"
#
# As of 3.0.20, it is possible to partially
# control which attributes exist in the
# session cache. This subsection lists
# attributes which are taken from the reply,
# and saved to the on-disk cache. When the
# session is resumed, these attributes are
# added to the "session-state" list. The
# default configuration will then take care
# of copying them to the reply.
#
store {
Tunnel-Private-Group-Id
}
}
}
# EAP-TLS
#
# As of Version 3.0, the TLS configuration for TLS-based
# EAP types is above in the "tls-config" section.
#
#tls {
# # Point to the common TLS configuration
# #
# #tls = tls-common
# # As part of checking a client certificate, the EAP-TLS
# # sets some attributes such as TLS-Client-Cert-Common-Name. This
# # virtual server has access to these attributes, and can
# # be used to accept or reject the request.
# #
## virtual_server = check-eap-tls
#}
# EAP-TTLS -- Tunneled TLS
#
# The TTLS module implements the EAP-TTLS protocol,
# which can be described as EAP inside of Diameter,
# inside of TLS, inside of EAP, inside of RADIUS...
#
# Surprisingly, it works quite well.
#
ttls {
# Which tls-config section the TLS negotiation parameters
# are in - see EAP-TLS above for an explanation.
#
# In the case that an old configuration from FreeRADIUS
# v2.x is being used, all the options of the tls-config
# section may also appear instead in the 'tls' section
# above. If that is done, the tls= option here (and in
# tls above) MUST be commented out.
#
tls = tls-common
# The tunneled EAP session needs a default EAP type
# which is separate from the one for the non-tunneled
# EAP module. Inside of the TTLS tunnel, we recommend
# using EAP-MD5. If the request does not contain an
# EAP conversation, then this configuration entry is
# ignored.
#
default_eap_type = md5
# The tunneled authentication request does not usually
# contain useful attributes like 'Calling-Station-Id',
# etc. These attributes are outside of the tunnel,
# and normally unavailable to the tunneled
# authentication request.
#
# By setting this configuration entry to 'yes',
# any attribute which is NOT in the tunneled
# authentication request, but which IS available
# outside of the tunnel, is copied to the tunneled
# request.
#
# allowed values: {no, yes}
#
copy_request_to_tunnel = no
# As of version 3.0.5, this configuration item
# is deprecated. Instead, you should use
#
# update outer.session-state {
# ...
# }
#
# This will cache attributes for the final Access-Accept.
#
# The reply attributes sent to the NAS are usually
# based on the name of the user 'outside' of the
# tunnel (usually 'anonymous'). If you want to send
# the reply attributes based on the user name inside
# of the tunnel, then set this configuration entry to
# 'yes', and the reply to the NAS will be taken from
# the reply to the tunneled request.
#
# allowed values: {no, yes}
#
use_tunneled_reply = no
# The inner tunneled request can be sent
# through a virtual server constructed
# specifically for this purpose.
#
# A virtual server MUST be specified.
#
virtual_server = "inner-tunnel"
# This has the same meaning, and overwrites, the
# same field in the "tls" configuration, above.
# The default value here is "yes".
#
# include_length = yes
# Unlike EAP-TLS, EAP-TTLS does not require a client
# certificate. However, you can require one by setting the
# following option. You can also override this option by
# setting
#
# EAP-TLS-Require-Client-Cert = Yes
#
# in the control items for a request.
#
# Note that the majority of supplicants do not support using a
# client certificate with EAP-TTLS, so this option is unlikely
# to be usable for most people.
#
# require_client_cert = yes
}
# EAP-PEAP
#
##################################################
#
# !!!!! WARNINGS for Windows compatibility !!!!!
#
##################################################
#
# If you see the server send an Access-Challenge,
# and the client never sends another Access-Request,
# then
#
# STOP!
#
# The server certificate has to have special OID's
# in it, or else the Microsoft clients will silently
# fail. See the "scripts/xpextensions" file for
# details, and the following page:
#
# https://support.microsoft.com/en-us/help/814394/
#
# If is still doesn't work, and you're using Samba,
# you may be encountering a Samba bug. See:
#
# https://bugzilla.samba.org/show_bug.cgi?id=6563
#
# Note that we do not necessarily agree with their
# explanation... but the fix does appear to work.
#
##################################################
# The tunneled EAP session needs a default EAP type
# which is separate from the one for the non-tunneled
# EAP module. Inside of the TLS/PEAP tunnel, we
# recommend using EAP-MS-CHAPv2.
#
peap {
# Which tls-config section the TLS negotiation parameters
# are in - see EAP-TLS above for an explanation.
#
# In the case that an old configuration from FreeRADIUS
# v2.x is being used, all the options of the tls-config
# section may also appear instead in the 'tls' section
# above. If that is done, the tls= option here (and in
# tls above) MUST be commented out.
#
tls = tls-common
# The tunneled EAP session needs a default
# EAP type which is separate from the one for
# the non-tunneled EAP module. Inside of the
# PEAP tunnel, we recommend using MS-CHAPv2,
# as that is the default type supported by
# Windows clients.
#
default_eap_type = mschapv2
# The PEAP module also has these configuration
# items, which are the same as for TTLS.
#
copy_request_to_tunnel = no
# As of version 3.0.5, this configuration item
# is deprecated. Instead, you should use
#
# update outer.session-state {
# ...
# }
#
# This will cache attributes for the final Access-Accept.
#
use_tunneled_reply = no
# When the tunneled session is proxied, the
# home server may not understand EAP-MSCHAP-V2.
# Set this entry to "no" to proxy the tunneled
# EAP-MSCHAP-V2 as normal MSCHAPv2.
#
# proxy_tunneled_request_as_eap = yes
# The inner tunneled request can be sent
# through a virtual server constructed
# specifically for this purpose.
#
# A virtual server MUST be specified.
#
virtual_server = "inner-tunnel"
# This option enables support for MS-SoH
# see doc/SoH.txt for more info.
# It is disabled by default.
#
# soh = yes
# The SoH reply will be turned into a request which
# can be sent to a specific virtual server:
#
# soh_virtual_server = "soh-server"
# Unlike EAP-TLS, PEAP does not require a client certificate.
# However, you can require one by setting the following
# option. You can also override this option by setting
#
# EAP-TLS-Require-Client-Cert = Yes
#
# in the control items for a request.
#
# Note that the majority of supplicants do not support using a
# client certificate with PEAP, so this option is unlikely to
# be usable for most people.
#
# require_client_cert = yes
}
# EAP-MSCHAPv2
#
# Note that it is the EAP MS-CHAPv2 sub-module, not
# the main 'mschap' module.
#
# Note also that in order for this sub-module to work,
# the main 'mschap' module MUST ALSO be configured.
#
# This module is the *Microsoft* implementation of MS-CHAPv2
# in EAP. There is another (incompatible) implementation
# of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
# currently support.
#
mschapv2 {
# Prior to version 2.1.11, the module never
# sent the MS-CHAP-Error message to the
# client. This worked, but it had issues
# when the cached password was wrong. The
# server *should* send "E=691 R=0" to the
# client, which tells it to prompt the user
# for a new password.
#
# The default is to behave as in 2.1.10 and
# earlier, which is known to work. If you
# set "send_error = yes", then the error
# message will be sent back to the client.
# This *may* help some clients work better,
# but *may* also cause other clients to stop
# working.
#
# send_error = no
# Server identifier to send back in the challenge.
# This should generally be the host name of the
# RADIUS server. Or, some information to uniquely
# identify it.
#
# identity = "FreeRADIUS"
}
# EAP-FAST
#
# The FAST module implements the EAP-FAST protocol
#
#fast {
# Point to the common TLS configuration
#
# tls = tls-common
# If 'cipher_list' is set here, it will over-ride the
# 'cipher_list' configuration from the 'tls-common'
# configuration. The EAP-FAST module has it's own
# over-ride for 'cipher_list' because the
# specifications mandata a different set of ciphers
# than are used by the other EAP methods.
#
# cipher_list though must include "ADH" for anonymous provisioning.
# This is not as straight forward as appending "ADH" alongside
# "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is
# recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used
#
# Note - for OpenSSL 1.1.0 and above you may need
# to add ":@SECLEVEL=0"
#
# cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
# PAC lifetime in seconds (default: seven days)
#
# pac_lifetime = 604800
# Authority ID of the server
#
# If you are running a cluster of RADIUS servers, you should make
# the value chosen here (and for "pac_opaque_key") the same on all
# your RADIUS servers. This value should be unique to your
# installation. We suggest using a domain name.
#
# authority_identity = "1234"
# PAC Opaque encryption key (must be exactly 32 bytes in size)
#
# This value MUST be secret, and MUST be generated using
# a secure method, such as via 'openssl rand -hex 32'
#
# pac_opaque_key = "0123456789abcdef0123456789ABCDEF"
# Same as for TTLS, PEAP, etc.
#
# virtual_server = inner-tunnel
#}
}

123
ops/nixos/bvm-radius/raddb/mods-available/echo Normal file
View file

@ -0,0 +1,123 @@
# -*- text -*-
#
# $Id: ad3e15933f9e85c5566810432a5fec8f23d877c1 $
#
# This is a more general example of the execute module.
#
# This one is called "echo".
#
# Attribute-Name = `%{echo:/path/to/program args}`
#
# If you wish to execute an external program in more than
# one section (e.g. 'authorize', 'pre_proxy', etc), then it
# is probably best to define a different instance of the
# 'exec' module for every section.
#
# The return value of the program run determines the result
# of the exec instance call as follows:
# (See doc/configurable_failover for details)
#
# < 0 : fail the module failed
# = 0 : ok the module succeeded
# = 1 : reject the module rejected the user
# = 2 : fail the module failed
# = 3 : ok the module succeeded
# = 4 : handled the module has done everything to handle the request
# = 5 : invalid the user's configuration entry was invalid
# = 6 : userlock the user was locked out
# = 7 : notfound the user was not found
# = 8 : noop the module did nothing
# = 9 : updated the module updated information in the request
# > 9 : fail the module failed
#
exec echo {
#
# Wait for the program to finish.
#
# If we do NOT wait, then the program is "fire and
# forget", and any output attributes from it are ignored.
#
# If we are looking for the program to output
# attributes, and want to add those attributes to the
# request, then we MUST wait for the program to
# finish, and therefore set 'wait=yes'
#
# allowed values: {no, yes}
wait = yes
#
# The name of the program to execute, and it's
# arguments. Dynamic translation is done on this
# field, so things like the following example will
# work.
#
program = "/bin/echo %{User-Name}"
#
# The attributes which are placed into the
# environment variables for the program.
#
# Allowed values are:
#
# request attributes from the request
# config attributes from the configuration items list
# reply attributes from the reply
# proxy-request attributes from the proxy request
# proxy-reply attributes from the proxy reply
#
# Note that some attributes may not exist at some
# stages. e.g. There may be no proxy-reply
# attributes if this module is used in the
# 'authorize' section.
#
input_pairs = request
#
# Where to place the output attributes (if any) from
# the executed program. The values allowed, and the
# restrictions as to availability, are the same as
# for the input_pairs.
#
output_pairs = reply
#
# When to execute the program. If the packet
# type does NOT match what's listed here, then
# the module does NOT execute the program.
#
# For a list of allowed packet types, see
# the 'dictionary' file, and look for VALUEs
# of the Packet-Type attribute.
#
# By default, the module executes on ANY packet.
# Un-comment out the following line to tell the
# module to execute only if an Access-Accept is
# being sent to the NAS.
#
#packet_type = Access-Accept
#
# Should we escape the environment variables?
#
# If this is set, all the RADIUS attributes
# are capitalised and dashes replaced with
# underscores. Also, RADIUS values are surrounded
# with double-quotes.
#
# That is to say: User-Name=BobUser => USER_NAME="BobUser"
shell_escape = yes
#
# How long should we wait for the program to finish?
#
# Default is 10 seconds, which should be plenty for nearly
# anything. Range is 1 to 30 seconds. You are strongly
# encouraged to NOT increase this value. Decreasing can
# be used to cause authentication to fail sooner when you
# know it's going to fail anyway due to the time taken,
# thereby saving resources.
#
#timeout = 10
}

29
ops/nixos/bvm-radius/raddb/mods-available/exec Normal file
View file

@ -0,0 +1,29 @@
# -*- text -*-
#
# $Id: bb1d4374b741a7bfcdfc098fc57af650509ceae2 $
#
# Execute external programs
#
# This module is useful only for 'xlat'. To use it,
# put 'exec' into the 'instantiate' section. You can then
# do dynamic translation of attributes like:
#
# Attribute-Name = `%{exec:/path/to/program args}`
#
# The value of the attribute will be replaced with the output
# of the program which is executed. Due to RADIUS protocol
# limitations, any output over 253 bytes will be ignored.
#
# The RADIUS attributes from the user request will be placed
# into environment variables of the executed program, as
# described in "man unlang" and in doc/configuration/variables.rst
#
# See also "echo" for more sample configuration.
#
exec {
wait = no
input_pairs = request
shell_escape = yes
timeout = 10
}

13
ops/nixos/bvm-radius/raddb/mods-available/expiration Normal file
View file

@ -0,0 +1,13 @@
# -*- text -*-
#
# $Id: 5d06454d0a8ccce7f50ddf7b01ba01c4ace6560a $
#
# The expiration module. This handles the Expiration attribute
# It should be included in the *end* of the authorize section
# in order to handle user Expiration. It should also be included
# in the instantiate section in order to register the Expiration
# compare function
#
expiration {
}

146
ops/nixos/bvm-radius/raddb/mods-available/expr Normal file
View file

@ -0,0 +1,146 @@
# -*- text -*-
#
# $Id: 43dbea35e41698f8ced22c1cf4ad128b08dee7ca $
#
# This module performs mathematical calculations:
#
# Attribute-Name = "%{expr:2 + 3 + &NAS-Port}"
#
# It supports the following operators (in order of precedence)
#
# & binary AND
# | binary OR
# << left shift
# >> right shift
# + addition
# - subtraction
# * multiply
# / divide
# %% remainder
# ^ exponentiation
# (...) sub-expression
#
# Operator precedence follows the normal rules.
# Division by zero means that the entire expression is invalid.
#
# Note that in versions before 3.0.5, the expression
# was parsed strictly left to right, and ignored operator
# precedence.
#
# It also allows unary negation: -1
# And twos complement: ~1
#
# All calculations are done on signed 63-bit integers.
# e.g. int64_t. This should be sufficient for all normal
# purposes.
#
# Hex numbers are supported: 0xabcdef
#
# As with all string expansions, you can nest the expansions:
#
# %{expr: %{NAS-Port} + 1}
# %{expr: %{sql:SELECT ... } + 1}
#
# Attribute references are supported for integer attributes.
# e.g. &NAS-Port. The benefit of using attribute references
# is that the expression is calculated directly on the
# attribute. It skips the step of "print to string, and then
# parse to number". This means it's a little faster.
#
# Otherwise, all numbers are decimal.
#
#
# The module also registers a few paircompare functions, and
# many string manipulation functions, including:
#
# rand get random number from 0 to n-1
# "%{rand:10}" == "9"
#
# randstr get random string built from character classes:
# c lowercase letters
# C uppercase letters
# n numbers
# a alphanumeric
# ! punctuation
# . alphanumeric + punctuation
# s alphanumeric + "./"
# o characters suitable for OTP (easily confused removed)
# h binary data as lowercase hex
# H binary data as uppercase hex
#
# "%{randstr:CCCC!!cccnnn}" == "IPFL>{saf874"
# "%{randstr:oooooooo}" == "rfVzyA4y"
# "%{randstr:hhhh}" == "68d60de3"
#
# urlquote quote special characters in URI
# "%{urlquote:http://example.org/}" == "http%3A%47%47example.org%47"
#
# urlunquote unquote URL special characters
# "%{urlunquote:http%%3A%%47%%47example.org%%47}" == "http://example.org/"
#
# escape escape string similar to rlm_sql safe_characters
# "%{escape:<img>foo.jpg</img>}" == "=60img=62foo.jpg=60/img=62"
#
# unescape reverse of escape
# "%{unescape:=60img=62foo.jpg=60/img=62}" == "<img>foo.jpg</img>"
#
# tolower convert to lowercase
# "%{tolower:Bar}" == "bar"
#
# toupper convert to uppercase
# "%{toupper:Foo}" == "FOO"
#
# md5 get md5sum hash
# "%{md5:foo}" == "acbd18db4cc2f85cedef654fccc4a4d8"
#
# sha1 get sha1 hash
# "%{sha1:foo}" == "0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33"
#
# sha256 get sha256 hash
# "%{sha256:foo}" == "2c26b46b68ffc68ff99b453c1d30413413422d706..."
#
# sha512 get sha512 hash
# "%{sha512:foo}" == "f7fbba6e0636f890e56fbbf3283e524c6fa3204ae29838..."
#
# hmacmd5 generate HMAC-MD5 of string
# "%{hmacmd5:foo bar}" == "31b6db9e5eb4addb42f1a6ca07367adc"
#
# hmacsha1 generate HMAC-SHA1 of string
# "%{hmacsha1:foo bar}" == "85d155c55ed286a300bd1cf124de08d87e914f3a"
#
# crypt encrypt with a salt: %{crypt:salt:password}
# "%{crypt:aa:foo}" == "aaKNIEDOaueR6"
# "%{crypt:$1$abcdefgh:foo}" == "$1$abcdefgh$XxzGe9Muun7wTYbZO4sdr0"
# "%{crypt:$5$%{randstr:aaaaaaaaaaaaaaaa}:foo}" == "$1$fu4P2fcAdo9gM..."
#
# pairs serialize attributes as comma-delimited string
# "%{pairs:request:}" == "User-Name = 'foo', User-Password = 'bar', ..."
#
# base64 encode string as base64
# "%{base64:foo}" == "Zm9v"
#
# base64tohex convert base64 to hex
# "%{base64tohex:Zm9v}" == "666f6f"
#
# explode split an attribute into multiple new attributes based on a delimiter
# "%{explode:&ref <delim>}"
#
# nexttime calculate number of seconds until next n hour(s), day(s), week(s), year(s)
# if it were 16:18, %{nexttime:1h} would expand to 2520
#
# lpad left-pad a string
# if User-Name is "foo": "%{lpad:&User-Name 6 x}" == "xxxfoo"
#
# rpad right-pad a string
# if User-Name is "foo": "%{rpad:&User-Name 5 -}" == "foo--"
#
expr {
#
# Characters that will not be encoded by the %{escape}
# xlat function.
#
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}

30
ops/nixos/bvm-radius/raddb/mods-available/files Normal file
View file

@ -0,0 +1,30 @@
# -*- text -*-
#
# $Id: e3f3bf568d92eba8eb17bbad590f846f2d9e1ac8 $
# Livingston-style 'users' file
#
# See "man users" for more information.
#
files {
# Search for files in a subdirectory of mods-config which
# matches this instance of the files module.
moddir = ${modconfdir}/${.:instance}
# The default key attribute to use for matches. The content
# of this attribute is used to match the "name" of the
# entry.
#key = "%{%{Stripped-User-Name}:-%{User-Name}}"
# The old "users" style file is now located here.
filename = ${moddir}/authorize
# This is accepted for backwards compatibility
# It will be removed in a future release.
# usersfile = ${moddir}/authorize
# These are accepted for backwards compatibility.
# They will be renamed in a future release.
acctusersfile = ${moddir}/accounting
preproxy_usersfile = ${moddir}/pre-proxy
}

9
ops/nixos/bvm-radius/raddb/mods-available/inner-eap-eduroam Normal file
View file

@ -0,0 +1,9 @@
eap inner-eap {
default_eap_type = mschapv2
timer_expire = 60
max_sessions = ${max_requests}
mschapv2 {
send_error = yes
}
}

39
ops/nixos/bvm-radius/raddb/mods-available/linelog-eduroam Normal file
View file

@ -0,0 +1,39 @@
linelog linelog_recv_request {
filename = syslog
syslog_facility = local0
syslog_severity = debug
format = "action = Recv-Request, %{pairs:request:}"
}
linelog linelog_send_accept {
filename = syslog
syslog_facility = local0
syslog_severity = debug
format = "action = Send-Accept, %{pairs:request:}"
}
linelog linelog_send_reject {
filename = syslog
syslog_facility = local0
syslog_severity = debug
format = "action = Send-Reject, %{pairs:request:}"
}
linelog linelog_send_proxy_request {
filename = syslog
syslog_facility = local0
syslog_severity = debug
format = "action = Send-Proxy-Request, %{pairs:proxy-request:}"
}
linelog linelog_recv_proxy_response {
filename = syslog
syslog_facility = local0
syslog_severity = debug
reference = "messages.%{proxy-reply:Response-Packet-Type}"
messages {
Access-Accept = "action = Recv-Proxy-Accept, User-Name = %{User-Name}, Calling-Station-Id = %{Calling-Station-Id}, %{pairs:proxy-reply:}"
Access-Reject = "action = Recv-Proxy-Reject, User-Name = %{User-Name}, Calling-Station-Id = %{Calling-Station-Id}, %{pairs:proxy-reply:}"
Access-Challenge = "action = Recv-Proxy-Challenge, User-Name = %{User-Name}, Calling-Station-ID = %{Calling-Station-Id}, %{pairs:proxy-reply:}"
}
}

23
ops/nixos/bvm-radius/raddb/mods-available/logintime Normal file
View file

@ -0,0 +1,23 @@
# -*- text -*-
#
# $Id: 25344527759d22b49b5e990fd83f0e506442fa76 $
# The logintime module. This handles the Login-Time,
# Current-Time, and Time-Of-Day attributes. It should be
# included in the *end* of the authorize section in order to
# handle Login-Time checks. It should also be included in the
# instantiate section in order to register the Current-Time
# and Time-Of-Day comparison functions.
#
# When the Login-Time attribute is set to some value, and the
# user has been permitted to log in, a Session-Timeout is
# calculated based on the remaining time. See "doc/README".
#
logintime {
# The minimum timeout (in seconds) a user is allowed
# to have. If the calculated timeout is lower we don't
# allow the login. Some NAS do not handle values
# lower than 60 seconds well.
minimum_timeout = 60
}

253
ops/nixos/bvm-radius/raddb/mods-available/mschap Normal file
View file

@ -0,0 +1,253 @@
# -*- text -*-
#
# $Id: 2fbc9278e39516c4fc2e8119d2a5be35858f1e33 $
#
# Microsoft CHAP authentication
#
# This module supports MS-CHAP and MS-CHAPv2 authentication.
# It also enforces the SMB-Account-Ctrl attribute.
#
mschap {
#
# If you are using /etc/smbpasswd, see the 'passwd'
# module for an example of how to use /etc/smbpasswd
#
#
# If use_mppe is not set to no mschap, will
# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
#
# use_mppe = no
#
# If MPPE is enabled, require_encryption makes
# encryption moderate
#
# require_encryption = yes
#
# require_strong always requires 128 bit key
# encryption
#
# require_strong = yes
#
# This module can perform authentication itself, OR
# use a Windows Domain Controller. This configuration
# directive tells the module to call the ntlm_auth
# program, which will do the authentication, and return
# the NT-Key. Note that you MUST have "winbindd" and
# "nmbd" running on the local machine for ntlm_auth
# to work. See the ntlm_auth program documentation
# for details.
#
# If ntlm_auth is configured below, then the mschap
# module will call ntlm_auth for every MS-CHAP
# authentication request. If there is a cleartext
# or NT hashed password available, you can set
# "MS-CHAP-Use-NTLM-Auth := No" in the control items,
# and the mschap module will do the authentication itself,
# without calling ntlm_auth.
#
# Be VERY careful when editing the following line!
#
# You can also try setting the user name as:
#
# ... --username=%{mschap:User-Name} ...
#
# In that case, the mschap module will look at the User-Name
# attribute, and do prefix/suffix checks in order to obtain
# the "best" user name for the request.
#
# For Samba 4, you should also set the "ntlm auth" parameter
# in the Samba configuration:
#
# ntlm auth = yes
#
# or
#
# ntlm auth = mschapv2-and-ntlmv2-only
#
# This will let Samba 4 accept the MS-CHAP authentication
# method that is needed by FreeRADIUS.
#
# Depending on the Samba version, you may also need to add:
#
# --allow-mschapv2
#
# to the command-line parameters.
#
# ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
#
# The default is to wait 10 seconds for ntlm_auth to
# complete. This is a long time, and if it's taking that
# long then you likely have other problems in your domain.
# The length of time can be decreased with the following
# option, which can save clients waiting if your ntlm_auth
# usually finishes quicker. Range 1 to 10 seconds.
#
# ntlm_auth_timeout = 10
#
# An alternative to using ntlm_auth is to connect to the
# winbind daemon directly for authentication. This option
# is likely to be faster and may be useful on busy systems,
# but is less well tested.
#
# Using this option requires libwbclient from Samba 4.2.1
# or later to be installed. Make sure that ntlm_auth above is
# commented out.
#
# winbind_username = "%{mschap:User-Name}"
# winbind_domain = "%{mschap:NT-Domain}"
#
# When using single sign-on with a winbind connection and the
# client uses a different casing for the username than the
# casing is according to the backend, reauth may fail because
# of some Windows internals. This switch tries to find the
# user in the correct casing in the backend, and retry
# authentication with that username.
#
# winbind_retry_with_normalised_username = no
#
# Information for the winbind connection pool. The configuration
# items below are the same for all modules which use the new
# connection pool.
#
pool {
#
# Connections to create during module instantiation.
# If the server cannot create specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# winbind daemon being available.
#
start = ${thread[pool].start_servers}
#
# Minimum number of connections to keep open
#
min = ${thread[pool].min_spare_servers}
#
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like 'No connections available and at max connection limit'
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
#
max = ${thread[pool].max_servers}
#
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
#
spare = ${thread[pool].max_spare_servers}
#
# Number of uses before the connection is closed
#
# 0 means "infinite"
#
uses = 0
#
# The number of seconds to wait after the server tries
# to open a connection, and fails. During this time,
# no new connections will be opened.
#
retry_delay = 30
#
# The lifetime (in seconds) of the connection
#
# NOTE: A setting of 0 means infinite (no limit).
#
lifetime = 86400
#
# The pool is checked for free connections every
# "cleanup_interval". If there are free connections,
# then one of them is closed.
#
cleanup_interval = 300
#
# The idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
#
# NOTE: A setting of 0 means infinite (no timeout).
#
idle_timeout = 600
#
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
#
}
passchange {
#
# This support MS-CHAPv2 (not v1) password change
# requests. See doc/mschap.rst for more IMPORTANT
# information.
#
# Samba/ntlm_auth - if you are using ntlm_auth to
# validate passwords, you will need to use ntlm_auth
# to change passwords. Uncomment the three lines
# below, and change the path to ntlm_auth.
#
# ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
# ntlm_auth_username = "username: %{mschap:User-Name}"
# ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"
#
# To implement a local password change, you need to
# supply a string which is then expanded, so that the
# password can be placed somewhere. e.g. passed to a
# script (exec), or written to SQL (UPDATE/INSERT).
# We give both examples here, but only one will be
# used.
#
# local_cpw = "%{exec:/path/to/script %{mschap:User-Name} %{MS-CHAP-New-Cleartext-Password}}"
#
# local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{SQL-User-Name}' and attribute='NT-Password'}"
}
#
# For Apple Server, when running on the same machine as
# Open Directory. It has no effect on other systems.
#
# use_open_directory = yes
#
# On failure, set (or not) the MS-CHAP error code saying
# "retries allowed".
#
# allow_retry = yes
#
# An optional retry message.
#
# retry_msg = "Re-enter (or reset) the password"
}

18
ops/nixos/bvm-radius/raddb/mods-available/ntlm_auth Normal file
View file

@ -0,0 +1,18 @@
#
# For testing ntlm_auth authentication with PAP.
#
# If you have problems with authentication failing, even when the
# password is good, it may be a bug in Samba:
#
# https://bugzilla.samba.org/show_bug.cgi?id=6563
#
# Depending on the AD / Samba configuration, you may also need to add:
#
# --allow-mschapv2
#
# to the list of command-line options.
#
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}

18
ops/nixos/bvm-radius/raddb/mods-available/pap Normal file
View file

@ -0,0 +1,18 @@
# -*- text -*-
#
# $Id: 0038ecd154840c71ceff33ddfdd936e4e28e0bcd $
# PAP module to authenticate users based on their stored password
#
# Supports multiple encryption/hash schemes. See "man rlm_pap"
# for details.
#
# For instructions on creating the various types of passwords, see:
#
# http://www.openldap.org/faq/data/cache/347.html
pap {
# By default the server will use heuristics to try and automatically
# handle base64 or hex encoded passwords. This behaviour can be
# stopped by setting the following to "no".
# normalise = yes
}

55
ops/nixos/bvm-radius/raddb/mods-available/passwd Normal file
View file

@ -0,0 +1,55 @@
# -*- text -*-
#
# $Id: 11bd2246642bf3c080327c7f4a67dc42603f3a6c $
# passwd module allows to do authorization via any passwd-like
# file and to extract any attributes from these files.
#
# See the "smbpasswd" and "etc_group" files for more examples.
#
# parameters are:
# filename - path to file
#
# format - format for filename record. This parameters
# correlates record in the passwd file and RADIUS
# attributes.
#
# Field marked as '*' is a key field. That is, the parameter
# with this name from the request is used to search for
# the record from passwd file
#
# Attributes marked as '=' are added to reply_items instead
# of default configure_items
#
# Attributes marked as '~' are added to request_items
#
# Field marked as ',' may contain a comma separated list
# of attributes.
#
# hash_size - hashtable size. Setting it to 0 is no longer permitted
# A future version of the server will have the module
# automatically determine the hash size. Having it set
# manually should not be necessary.
#
# allow_multiple_keys - if many records for a key are allowed
#
# ignore_nislike - ignore NIS-related records
#
# delimiter - symbol to use as a field separator in passwd file,
# for format ':' symbol is always used. '\0', '\n' are
# not allowed
#
# An example configuration for using /etc/passwd.
#
# This is an example which will NOT WORK if you have shadow passwords,
# NIS, etc. The "unix" module is normally responsible for reading
# system passwords. You should use it instead of this example.
#
passwd etc_passwd {
filename = /etc/passwd
format = "*User-Name:Crypt-Password:"
hash_size = 100
ignore_nislike = no
allow_multiple_keys = no
}

62
ops/nixos/bvm-radius/raddb/mods-available/preprocess Normal file
View file

@ -0,0 +1,62 @@
# -*- text -*-
#
# $Id: 8baec7961ba75fe52546cb1331868b0b2b1c38f4 $
# Preprocess the incoming RADIUS request, before handing it off
# to other modules.
#
# This module processes the 'huntgroups' and 'hints' files.
# In addition, it re-writes some weird attributes created
# by some NAS, and converts the attributes into a form which
# is a little more standard.
#
preprocess {
# Search for files in a subdirectory of mods-config which
# matches this instance of the preprocess module.
moddir = ${modconfdir}/${.:instance}
huntgroups = ${moddir}/huntgroups
hints = ${moddir}/hints
# This hack changes Ascend's weird port numbering
# to standard 0-??? port numbers so that the "+" works
# for IP address assignments.
with_ascend_hack = no
ascend_channels_per_line = 23
# Windows NT machines often authenticate themselves as
# NT_DOMAIN\username
#
# If this is set to 'yes', then the NT_DOMAIN portion
# of the user-name is silently discarded.
#
# This configuration entry SHOULD NOT be used.
# See the "realms" module for a better way to handle
# NT domains.
with_ntdomain_hack = no
# Specialix Jetstream 8500 24 port access server.
#
# If the user name is 10 characters or longer, a "/"
# and the excess characters after the 10th are
# appended to the user name.
#
# If you're not running that NAS, you don't need
# this hack.
with_specialix_jetstream_hack = no
# Cisco (and Quintum in Cisco mode) sends it's VSA attributes
# with the attribute name *again* in the string, like:
#
# H323-Attribute = "h323-attribute=value".
#
# If this configuration item is set to 'yes', then
# the redundant data in the the attribute text is stripped
# out. The result is:
#
# H323-Attribute = "value"
#
# If you're not running a Cisco or Quintum NAS, you don't
# need this hack.
with_cisco_vsa_hack = no
}

53
ops/nixos/bvm-radius/raddb/mods-available/radutmp Normal file
View file

@ -0,0 +1,53 @@
# -*- text -*-
#
# $Id: 82319c033bbf349991a46b8f198a5bf5487b5da8 $
# Write a 'utmp' style file, of which users are currently
# logged in, and where they've logged in from.
#
# This file is used mainly for Simultaneous-Use checking,
# and also 'radwho', to see who's currently logged in.
#
radutmp {
# Where the file is stored. It's not a log file,
# so it doesn't need rotating.
#
filename = ${logdir}/radutmp
# The field in the packet to key on for the
# 'user' name, If you have other fields which you want
# to use to key on to control Simultaneous-Use,
# then you can use them here.
#
# Note, however, that the size of the field in the
# 'utmp' data structure is small, around 32
# characters, so that will limit the possible choices
# of keys.
#
# You may want instead: %{%{Stripped-User-Name}:-%{User-Name}}
username = %{User-Name}
# Whether or not we want to treat "user" the same
# as "USER", or "User". Some systems have problems
# with case sensitivity, so this should be set to
# 'no' to enable the comparisons of the key attribute
# to be case insensitive.
#
case_sensitive = yes
# Accounting information may be lost, so the user MAY
# have logged off of the NAS, but we haven't noticed.
# If so, we can verify this information with the NAS,
#
# If we want to believe the 'utmp' file, then this
# configuration entry can be set to 'no'.
#
check_with_nas = yes
# Set the file permissions, as the contents of this file
# are usually private.
permissions = 0600
caller_id = "yes"
}

75
ops/nixos/bvm-radius/raddb/mods-available/realm Normal file
View file

@ -0,0 +1,75 @@
# -*- text -*-
#
# $Id: 8ff95a9e9a652c2df9f992b0eb528084b6a7a2dc $
# Realm module, for proxying.
#
# You can have multiple instances of the realm module to
# support multiple realm syntaxes at the same time. The
# search order is defined by the order that the modules are listed
# in the authorize and preacct sections.
#
# Four config options:
# format - must be "prefix" or "suffix"
# The special cases of "DEFAULT"
# and "NULL" are allowed, too.
# delimiter - must be a single character
# 'realm/username'
#
# Using this entry, IPASS users have their realm set to "IPASS".
realm IPASS {
format = prefix
delimiter = "/"
}
# 'username@realm'
#
realm suffix {
format = suffix
delimiter = "@"
# The next configuration items are valid ONLY for a trust-router.
# For all other realms, they are ignored.
# trust_router = "localhost"
# tr_port = 12309
# rp_realm = "realm.example.com"
# default_community = "apc.communities.example.com"
# # if rekey_enabled is enabled, dynamic realms are automatically rekeyed
# # before they expire to avoid having to recreate them from scrach on
# # demand (implying lengthy authentications)
# rekey_enabled = no
# # if realm_lifetime is > 0, the rekey is scheduled to happen the
# # specified number of seconds after its creation or rekeying. Otherwise,
# # the key material expiration timestamp is used
# realm_lifetime = 0
}
# 'realm!username'
#
realm bangpath {
format = prefix
delimiter = "!"
# trust_router = "localhost"
# tr_port = 12309
# rp_realm = "realm.example.com"
# default_community = "apc.communities.example.com"
# rekey_enabled = no
# realm_lifetime = 0
}
# 'username%realm'
#
realm realmpercent {
format = suffix
delimiter = "%"
}
#
# 'domain\user'
#
realm ntdomain {
format = prefix
delimiter = "\\"
}

40
ops/nixos/bvm-radius/raddb/mods-available/replicate Normal file
View file

@ -0,0 +1,40 @@
# Replicate packet(s) to a home server.
#
# This module will open a new socket for each packet, and "clone"
# the incoming packet to the destination realm (i.e. home server).
#
# Use it by setting "Replicate-To-Realm = name" in the control list,
# just like Proxy-To-Realm. The configurations for the two attributes
# are identical. The realm must exist, the home_server_pool must exist,
# and the home_server must exist.
#
# The only difference is that the "replicate" module sends requests
# and does not expect a reply. Any reply is ignored.
#
# Both Replicate-To-Realm and Proxy-To-Realm can be used at the same time.
#
# To use this module, list "replicate" in the "authorize" or
# "accounting" section. Then, ensure that Replicate-To-Realm is set.
# The contents of the "packet" attribute list will be sent to the
# home server. The usual load-balancing, etc. features of the home
# server will be used.
#
# "radmin" can be used to mark home servers alive/dead, in order to
# enable/disable replication to specific servers.
#
# Packets can be replicated to multiple destinations. Just set
# Replicate-To-Realm multiple times. One packet will be sent for
# each of the Replicate-To-Realm attribute in the "control" list.
#
# If no packets are sent, the module returns "noop". If at least one
# packet is sent, the module returns "ok". If an error occurs, the
# module returns "fail"
#
# Note that replication does NOT change any of the packet statistics.
# If you use "radmin" to look at the statistics for a home server,
# the replicated packets will cause NO counters to increment. This
# is not a bug, this is how replication works.
#
replicate {
}

4
ops/nixos/bvm-radius/raddb/mods-available/soh Normal file
View file

@ -0,0 +1,4 @@
# SoH module
soh {
dhcp = yes
}

16
ops/nixos/bvm-radius/raddb/mods-available/sradutmp Normal file
View file

@ -0,0 +1,16 @@
# -*- text -*-
#
# $Id: 3a2a0e502e76ec00d4ec17e70132448e1547da46 $
# "Safe" radutmp - does not contain caller ID, so it can be
# world-readable, and radwho can work for normal users, without
# exposing any information that isn't already exposed by who(1).
#
# This is another 'instance' of the radutmp module, but it is given
# then name "sradutmp" to identify it later in the "accounting"
# section.
radutmp sradutmp {
filename = ${logdir}/sradutmp
permissions = 0644
caller_id = "no"
}

25
ops/nixos/bvm-radius/raddb/mods-available/unix Normal file
View file

@ -0,0 +1,25 @@
# -*- text -*-
#
# $Id: 5165139aaf39d533581161871542b48a6e3e8c42 $
# Unix /etc/passwd style authentication
#
# This module calls the system functions to get the "known good"
# password. This password is usually in the "crypt" form, and is
# incompatible with CHAP, MS-CHAP, PEAP, etc.
#
# If passwords are in /etc/shadow, you will need to set the "group"
# configuration in radiusd.conf. Look for "shadow", and follow the
# instructions there.
#
unix {
#
# The location of the "wtmp" file.
# The only use for 'radlast'. If you don't use
# 'radlast', then you can comment out this item.
#
# Note that the radwtmp file may get large! You should
# rotate it (cp /dev/null radwtmp), or just not use it.
#
radwtmp = ${logdir}/radwtmp
}

59
ops/nixos/bvm-radius/raddb/mods-available/unpack Normal file
View file

@ -0,0 +1,59 @@
# -*- text -*-
#
# $Id: 665dd2aca16b9498a4d2b8a91e41d27741185738 $
#
# This module is useful only for 'xlat'. To use it,
# add it to the raddb/mods-enabled/ directory. Then,
# use it on the right-hand side of a variable assignment.
#
# ... = "%{unpack:data 1 integer}"
#
# The arguments are three fields:
#
# data
# Either &Attribute-Name
# the name of the attribute to unpack.
# MUST be a "string" or "octets" type.
#
# or 0xabcdef
# e.g. hex data.
#
# 1
# The offset into the string from which
# it starts unpacking. The offset starts
# at zero, for the first attribute.
#
# integer
# the data type to unpack at that offset.
# e.g. integer, ipaddr, byte, short, etc.
#
# e.g. if we have Class = 0x0000000102030405, then
#
# %{unpack:&Class 4 short}
#
# will unpack octets 4 and 5 as a "short", which has
# value 0x0304.
#
# This module is used when vendors put multiple fields
# into one attribute of type "octets".
#
# The module can also be used to unpack substrings, by specifing a
# data type of "string(len)" or "octets(len)". Where "len" is an
# actual number. For example:
#
# %{unpack:&User-Name 1 string(2)}
#
# When given a User-Name of "hello", it will start taking the
# substring at offset 1 (i.e. "e"), and it will take two characters
# from that offset, i.e. "el".
#
# When "octets(len)" is used, the output is printed as hex. e.g. for
# the above example with Class:
#
# %{unpack:&Class 4 octets(4)}
#
# Will return the hex string "02030405"
#
unpack {
}

14
ops/nixos/bvm-radius/raddb/mods-available/utf8 Normal file
View file

@ -0,0 +1,14 @@
#
# Enforces UTF-8 on strings coming in from the NAS.
#
# An attribute of type "string" containing UTF-8 makes
# the module return NOOP.
#
# An attribute of type "string" containing non-UTF-8 data
# makes the module return FAIL.
#
# This module takes no configuration.
#
utf8 {
}

22
ops/nixos/bvm-radius/raddb/mods-config/README.rst Normal file
View file

@ -0,0 +1,22 @@
The mods-config Directory
=========================
This directory contains module-specific configuration files. These
files are in a format different from the one used by the main
`radiusd.conf` files. Earlier versions of the server had many
module-specific files in the main `raddb` directory. The directory
contained many files, and it was not clear which files did what.
For Version 3 of FreeRADIUS, we have moved to a consistent naming
scheme. Each module-specific configuration file is placed in this
directory, in a subdirectory named for the module. Where necessary,
files in the subdirectory have been named for the processing section
where they are used.
For example, the `users` file is now located in
`mods-config/files/authorize`. That filename tells us three things:
1. The file is used in the `authorize` section.
2. The file is used by the `files` module.
3. It is a "module configuration" file, which is a specific format.

19
ops/nixos/bvm-radius/raddb/mods-config/attr_filter/access_challenge Normal file
View file

@ -0,0 +1,19 @@
#
# Configuration file for the rlm_attr_filter module.
# Please see rlm_attr_filter(5) manpage for more information.
#
# $Id: 12ed619cf16f7322221ef2dfaf28f9c36c616e3c $
#
# This configuration file is used to remove almost all of the
# attributes From an Access-Challenge message. The RFCs say
# that an Access-Challenge packet can contain only a few
# attributes. We enforce that here.
#
DEFAULT
EAP-Message =* ANY,
State =* ANY,
Message-Authenticator =* ANY,
Reply-Message =* ANY,
Proxy-State =* ANY,
Session-Timeout =* ANY,
Idle-Timeout =* ANY

18
ops/nixos/bvm-radius/raddb/mods-config/attr_filter/access_reject Normal file
View file

@ -0,0 +1,18 @@
#
# Configuration file for the rlm_attr_filter module.
# Please see rlm_attr_filter(5) manpage for more information.
#
# $Id: 47f167b085c2a4e22701fe9fe74b8fe0b9575421 $
#
# This configuration file is used to remove almost all of the attributes
# From an Access-Reject message. The RFCs say that an Access-Reject
# packet can contain only a few attributes. We enforce that here.
#
DEFAULT
EAP-Message =* ANY,
State =* ANY,
Message-Authenticator =* ANY,
Error-Cause =* ANY,
Reply-Message =* ANY,
MS-CHAP-Error =* ANY,
Proxy-State =* ANY

16
ops/nixos/bvm-radius/raddb/mods-config/attr_filter/accounting_response Normal file
View file

@ -0,0 +1,16 @@
#
# Configuration file for the rlm_attr_filter module.
# Please see rlm_attr_filter(5) manpage for more information.
#
# $Id: 01e9c6f5bda7a138f45da5010c624d92b6d398a0 $
#
# This configuration file is used to remove almost all of the attributes
# From an Accounting-Response message. The RFC's say that an
# Accounting-Response packet can contain only a few attributes.
# We enforce that here.
#
DEFAULT
Vendor-Specific =* ANY,
Message-Authenticator =* ANY,
Error-Cause =* ANY,
Proxy-State =* ANY

119
ops/nixos/bvm-radius/raddb/mods-config/attr_filter/post-proxy Normal file
View file

@ -0,0 +1,119 @@
#
# Configuration file for the rlm_attr_filter module.
# Please see rlm_attr_filter(5) manpage for more information.
#
# $Id: 5d889ea733ec8e6b246335f86bf6e122b54f23aa $
#
# This file contains security and configuration information
# for each realm. The first field is the realm name and
# can be up to 253 characters in length. This is followed (on
# the next line) with the list of filter rules to be used to
# decide what attributes and/or values we allow proxy servers
# to pass to the NAS for this realm.
#
# When a proxy-reply packet is received from a home server,
# these attributes and values are tested. Only the first match
# is used unless the "Fall-Through" variable is set to "Yes".
# In that case the rules defined in the DEFAULT case are
# processed as well.
#
# A special realm named "DEFAULT" matches on all realm names.
# You can have only one DEFAULT entry. All entries are processed
# in the order they appear in this file. The first entry that
# matches the login-request will stop processing unless you use
# the Fall-Through variable.
#
# Indented (with the tab character) lines following the first
# line indicate the filter rules.
#
# You can include another `attrs' file with `$INCLUDE attrs.other'
#
#
# This is a complete entry for realm "fisp". Note that there is no
# Fall-Through entry so that no DEFAULT entry will be used, and the
# server will NOT allow any other a/v pairs other than the ones
# listed here.
#
# These rules allow:
# o Only Framed-User Service-Types ( no telnet, rlogin, tcp-clear )
# o PPP sessions ( no SLIP, CSLIP, etc. )
# o dynamic ip assignment ( can't assign a static ip )
# o an idle timeout value set to 600 seconds (10 min) or less
# o a max session time set to 28800 seconds (8 hours) or less
#
#fisp
# Service-Type == Framed-User,
# Framed-Protocol == PPP,
# Framed-IP-Address == 255.255.255.254,
# Idle-Timeout <= 600,
# Session-Timeout <= 28800
#
# This is a complete entry for realm "tisp". Note that there is no
# Fall-Through entry so that no DEFAULT entry will be used, and the
# server will NOT allow any other a/v pairs other than the ones
# listed here.
#
# These rules allow:
# o Only Login-User Service-Type ( no framed/ppp sessions )
# o Telnet sessions only ( no rlogin, tcp-clear )
# o Login host of 192.0.2.1
#
#tisp
# Service-Type == Login-User,
# Login-Service == Telnet,
# Login-TCP-Port == 23,
# Login-IP-Host == 192.0.2.1
#
# The following example can be used for a home server which is only
# allowed to supply a Reply-Message, a Session-Timeout attribute of
# maximum 86400, a Idle-Timeout attribute of maximum 600 and a
# Acct-Interim-Interval attribute between 300 and 3600.
# All other attributes sent back will be filtered out.
#
#strictrealm
# Reply-Message =* ANY,
# Session-Timeout <= 86400,
# Idle-Timeout <= 600,
# Acct-Interim-Interval >= 300,
# Acct-Interim-Interval <= 3600
#
# This is a complete entry for realm "spamrealm". Fall-Through is used,
# so that the DEFAULT filter rules are used in addition to these.
#
# These rules allow:
# o Force the application of Filter-ID attribute to be returned
# in the proxy reply, whether the proxy sent it or not.
# o The standard DEFAULT rules as defined below
#
#spamrealm
# Framed-Filter-Id := "nosmtp.in",
# Fall-Through = Yes
#
# The rest of this file contains the DEFAULT entry.
# DEFAULT matches with all realm names. (except if the realm previously
# matched an entry with no Fall-Through)
#
DEFAULT
Framed-IP-Address == 255.255.255.254,
Framed-IP-Netmask == 255.255.255.255,
Framed-MTU >= 576,
Framed-Filter-ID =* ANY,
Reply-Message =* ANY,
Proxy-State =* ANY,
EAP-Message =* ANY,
Message-Authenticator =* ANY,
MS-MPPE-Recv-Key =* ANY,
MS-MPPE-Send-Key =* ANY,
MS-CHAP-MPPE-Keys =* ANY,
State =* ANY,
Session-Timeout <= 28800,
Idle-Timeout <= 600,
Calling-Station-Id =* ANY,
Operator-Name =* ANY,
Port-Limit <= 2

65
ops/nixos/bvm-radius/raddb/mods-config/attr_filter/pre-proxy Normal file
View file

@ -0,0 +1,65 @@
#
# Configuration file for the rlm_attr_filter module.
# Please see rlm_attr_filter(5) manpage for more information.
#
# $Id: 47b01266f44d0475261c6ea16f74ca17d8838749 $
#
# This file contains security and configuration information
# for each realm. It can be used be an rlm_attr_filter module
# instance to filter attributes before sending packets to the
# home server of a realm.
#
# When a packet is sent to a home server, these attributes
# and values are tested. Only the first match is used unless
# the "Fall-Through" variable is set to "Yes". In that case
# the rules defined in the DEFAULT case are processed as well.
#
# A special realm named "DEFAULT" matches on all realm names.
# You can have only one DEFAULT entry. All entries are processed
# in the order they appear in this file. The first entry that
# matches the login-request will stop processing unless you use
# the Fall-Through variable.
#
# The first line indicates the realm to which the rules apply.
# Indented (with the tab character) lines following the first
# line indicate the filter rules.
#
# This is a complete entry for 'nochap' realm. It allows to send very
# basic attributes to the home server. Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used. Only the listed attributes
# will be sent in the packet, all other attributes will be filtered out.
#
#nochap
# User-Name =* ANY,
# User-Password =* ANY,
# NAS-IP-Address =* ANY,
# NAS-Identifier =* ANY
# The entry for the 'brokenas' realm removes the attribute NAS-Port-Type
# if its value is different from 'Ethernet'. Then the default rules are
# applied.
#
#brokenas
# NAS-Port-Type == Ethernet
# Fall-Through = Yes
# The rest of this file contains the DEFAULT entry.
# DEFAULT matches with all realm names.
DEFAULT
User-Name =* ANY,
User-Password =* ANY,
CHAP-Password =* ANY,
CHAP-Challenge =* ANY,
MS-CHAP-Challenge =* ANY,
MS-CHAP-Response =* ANY,
EAP-Message =* ANY,
Message-Authenticator =* ANY,
State =* ANY,
NAS-IP-Address =* ANY,
NAS-Identifier =* ANY,
Operator-Name =* ANY,
Calling-Station-Id =* ANY,
Chargeable-User-Identity =* ANY,
Proxy-State =* ANY

27
ops/nixos/bvm-radius/raddb/mods-config/files/accounting Normal file
View file

@ -0,0 +1,27 @@
#
# $Id: eaf952a72dc9d19387af4d2056d7f7027b2435e8 $
#
# This is like the 'users' file, but it is processed only for
# accounting packets.
#
# Select between different accounting methods based for example on the
# Realm, the Huntgroup-Name or any combinaison of the attribute/value
# pairs contained in an accounting packet.
#
# You will need to add an "Acct-Type foo {...}" subsection to the
# main "accounting" section in order for these sample configurations
# to work.
#
#DEFAULT Realm == "foo.net", Acct-Type := foo
#
#DEFAULT Huntgroup-Name == "wifi", Acct-Type := wifi
#
#DEFAULT Client-IP-Address == 10.0.0.1, Acct-Type := other
#
#DEFAULT Acct-Status-Type == Start, Acct-Type := start
# Replace the User-Name with the Stripped-User-Name, if it exists.
#
#DEFAULT
# User-Name := "%{%{Stripped-User-Name}:-%{User-Name}}"

208
ops/nixos/bvm-radius/raddb/mods-config/files/authorize Normal file
View file

@ -0,0 +1,208 @@
#
# Configuration file for the rlm_files module.
# Please see rlm_files(5) manpage for more information.
#
# This file contains authentication security and configuration
# information for each user. Accounting requests are NOT processed
# through this file. Instead, see 'accounting', in this directory.
#
# The first field is the user's name and can be up to
# 253 characters in length. This is followed (on the same line) with
# the list of authentication requirements for that user. This can
# include password, comm server name, comm server port number, protocol
# type (perhaps set by the "hints" file), and huntgroup name (set by
# the "huntgroups" file).
#
# If you are not sure why a particular reply is being sent by the
# server, then run the server in debugging mode (radiusd -X), and
# you will see which entries in this file are matched.
#
# When an authentication request is received from the comm server,
# these values are tested. Only the first match is used unless the
# "Fall-Through" variable is set to "Yes".
#
# A special user named "DEFAULT" matches on all usernames.
# You can have several DEFAULT entries. All entries are processed
# in the order they appear in this file. The first entry that
# matches the login-request will stop processing unless you use
# the Fall-Through variable.
#
# Indented (with the tab character) lines following the first
# line indicate the configuration values to be passed back to
# the comm server to allow the initiation of a user session.
# This can include things like the PPP configuration values
# or the host to log the user onto.
#
# You can include another `users' file with `$INCLUDE users.other'
#
# For a list of RADIUS attributes, and links to their definitions,
# see: http://www.freeradius.org/rfc/attributes.html
#
# Entries below this point are examples included in the server for
# educational purposes. They may be deleted from the deployed
# configuration without impacting the operation of the server.
#
#
# Deny access for a specific user. Note that this entry MUST
# be before any other 'Auth-Type' attribute which results in the user
# being authenticated.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#lameuser Auth-Type := Reject
# Reply-Message = "Your account has been disabled."
#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT Group == "disabled", Auth-Type := Reject
# Reply-Message = "Your account has been disabled."
#
#
# This is a complete entry for "steve". Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
#steve Cleartext-Password := "testing"
# Service-Type = Framed-User,
# Framed-Protocol = PPP,
# Framed-IP-Address = 172.16.3.33,
# Framed-IP-Netmask = 255.255.255.0,
# Framed-Routing = Broadcast-Listen,
# Framed-Filter-Id = "std.ppp",
# Framed-MTU = 1500,
# Framed-Compression = Van-Jacobsen-TCP-IP
#
# The canonical testing user which is in most of the
# examples.
#
#bob Cleartext-Password := "hello"
# Reply-Message := "Hello, %{User-Name}"
lukegb Cleartext-Password := "{{USER_LUKEGB_PASSWORD}}"
testuser Cleartext-Password := "{{USER_TESTUSER_PASSWORD}}"
#
#
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name. If you have
# users with spaces in their names, you must also change
# the "filter_username" policy to allow spaces.
#
# See raddb/policy.d/filter, filter_username {} section.
#
#"John Doe" Cleartext-Password := "hello"
# Reply-Message = "Hello, %{User-Name}"
#
# Dial user back and telnet to the default host for that port
#
#Deg Cleartext-Password := "ge55ged"
# Service-Type = Callback-Login-User,
# Login-IP-Host = 0.0.0.0,
# Callback-Number = "9,5551212",
# Login-Service = Telnet,
# Login-TCP-Port = Telnet
#
# Another complete entry. After the user "dialbk" has logged in, the
# connection will be broken and the user will be dialed back after which
# he will get a connection to the host "timeshare1".
#
#dialbk Cleartext-Password := "callme"
# Service-Type = Callback-Login-User,
# Login-IP-Host = timeshare1,
# Login-Service = PortMaster,
# Callback-Number = "9,1-800-555-1212"
#
# user "swilson" will only get a static IP number if he logs in with
# a framed protocol on a terminal server in Alphen (see the huntgroups file).
#
# Note that by setting "Fall-Through", other attributes will be added from
# the following DEFAULT entries
#
#swilson Service-Type == Framed-User, Huntgroup-Name == "alphen"
# Framed-IP-Address = 192.0.2.65,
# Fall-Through = Yes
#
# If the user logs in as 'username.shell', then authenticate them
# using the default method, give them shell access, and stop processing
# the rest of the file.
#
#DEFAULT Suffix == ".shell"
# Service-Type = Login-User,
# Login-Service = Telnet,
# Login-IP-Host = your.shell.machine
#
# The rest of this file contains the several DEFAULT entries.
# DEFAULT entries match with all login names.
# Note that DEFAULT entries can also Fall-Through (see first entry).
# A name-value pair from a DEFAULT entry will _NEVER_ override
# an already existing name-value pair.
#
# Sample defaults for all framed connections.
#
#DEFAULT Service-Type == Framed-User
# Framed-IP-Address = 255.255.255.254,
# Framed-MTU = 576,
# Service-Type = Framed-User,
# Fall-Through = Yes
#
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
# by the terminal server in which case there may not be a "P" suffix.
# The terminal server sends "Framed-Protocol = PPP" for auto PPP.
#
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for SLIP: dynamic IP address, SLIP mode.
#
DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP
#
# Last default: rlogin to our main server.
#
#DEFAULT
# Service-Type = Login-User,
# Login-Service = Rlogin,
# Login-IP-Host = shellbox.ispdomain.com
# #
# # Last default: shell on the local terminal server.
# #
# DEFAULT
# Service-Type = Administrative-User
# On no match, the user is denied access.
#########################################################
# You should add test accounts to the TOP of this file! #
# See the example user "bob" above. #
#########################################################

31
ops/nixos/bvm-radius/raddb/mods-config/files/pre-proxy Normal file
View file

@ -0,0 +1,31 @@
#
# Configuration file for the rlm_files module.
# Please see rlm_files(5) manpage for more information.
#
# $Id: 7292e23ea51717ee5cb50c4b9b609e91ebe4a41c $
#
# This file is similar to the "users" file. The check items
# are compared against the request, but the "reply" items are
# used to update the proxied packet, not the reply to the NAS.
#
# You can use this file to re-write requests which are about to
# be sent to a home server.
#
#
# Requests destinated to realm "extisp" are sent to a RADIUS
# home server hosted by an other company which doesn't know about
# the IP addresses of our NASes. Therefore we replace the value of
# the NAS-IP-Address attribute by a unique value we communicated
# to them.
#
#DEFAULT Realm == "extisp"
# NAS-IP-Address := 10.1.2.3
#
# For all proxied packets, set the User-Name in the proxied packet
# to the Stripped-User-Name, if it exists. If not, set it to the
# User-Name from the original request.
#
#DEFAULT
# User-Name := `%{%{Stripped-User-Name}:-%{User-Name}}`

86
ops/nixos/bvm-radius/raddb/mods-config/preprocess/hints Normal file
View file

@ -0,0 +1,86 @@
#
# hints
#
# The hints file. This file is used to match
# a request, and then add attributes to it. This
# process allows a user to login as "bob.ppp" (for example),
# and receive a PPP connection, even if the NAS doesn't
# ask for PPP. The "hints" file is used to match the
# ".ppp" portion of the username, and to add a set of
# "user requested PPP" attributes to the request.
#
# Matching can take place with the the Prefix and Suffix
# attributes, just like in the "users" file.
# These attributes operate ONLY on the username, though.
#
# Note that the attributes that are set for each entry are
# NOT added to the reply attributes passed back to the NAS.
# Instead they are added to the list of attributes in the
# request that has been SENT by the NAS.
#
# This extra information can be used in the users file to
# match on. Usually this is done in the DEFAULT entries,
# of which there can be more than one.
#
# In addition a matching entry can transform a username
# for authentication purposes if the "Strip-User-Name"
# variable is set to Yes in an entry (default is Yes).
#
# A special non-protocol name-value pair called "Hint"
# can be set to match on in the "users" file.
#
# As with the "users" file, the first entry that matches the
# incoming request will cause the server to stop looking for
# more hints. If the "Fall-Through" attribute is set to
# "Yes" in an entry then the server will not stop, but
# continue to process further hints from the file. Matches
# on subsequent hints will be against the altered request
# from the previous hints, not against the original request.
#
# The following is how most dial-up ISPs want to set this up.
#
# Version: $Id: 84d4d78d5dc8613f6205fc2ef48f454101caaf33 $
#
DEFAULT Suffix == ".ppp", Strip-User-Name = Yes
Hint = "PPP",
Service-Type = Framed-User,
Framed-Protocol = PPP
DEFAULT Suffix == ".slip", Strip-User-Name = Yes
Hint = "SLIP",
Service-Type = Framed-User,
Framed-Protocol = SLIP
DEFAULT Suffix == ".cslip", Strip-User-Name = Yes
Hint = "CSLIP",
Service-Type = Framed-User,
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
######################################################################
#
# These entries are old, and commented out by default.
# They confuse too many people when "Peter" logs in, and the
# server thinks that the user "eter" is asking for PPP.
#
#DEFAULT Prefix == "U", Strip-User-Name = No
# Hint = "UUCP"
#DEFAULT Prefix == "P", Strip-User-Name = Yes
# Hint = "PPP",
# Service-Type = Framed-User,
# Framed-Protocol = PPP
#DEFAULT Prefix == "S", Strip-User-Name = Yes
# Hint = "SLIP",
# Service-Type = Framed-User,
# Framed-Protocol = SLIP
#DEFAULT Prefix == "C", Strip-User-Name = Yes
# Hint = "CSLIP",
# Service-Type = Framed-User,
# Framed-Protocol = SLIP,
# Framed-Compression = Van-Jacobson-TCP-IP

43
ops/nixos/bvm-radius/raddb/mods-config/preprocess/huntgroups Normal file
View file

@ -0,0 +1,43 @@
#
# huntgroups This file defines the `huntgroups' that you have. A
# huntgroup is defined by specifying the IP address of
# the NAS and possibly a port.
#
# Matching is done while RADIUS scans the user file; if it
# includes the selection criteria "Huntgroup-Name == XXX"
# the huntgroup is looked up in this file to see if it
# matches. There can be multiple definitions of the same
# huntgroup; the first one that matches will be used.
#
# This file can also be used to define restricted access
# to certain huntgroups. The second and following lines
# define the access restrictions (based on username and
# UNIX usergroup) for the huntgroup.
#
#
# Our POP in Alphen a/d Rijn has 3 terminal servers. Create a Huntgroup-Name
# called Alphen that matches on all three terminal servers.
#
#alphen NAS-IP-Address == 192.0.2.5
#alphen NAS-IP-Address == 192.0.2.6
#alphen NAS-IP-Address == 192.0.2.7
#
# The POP in Delft consists of only one terminal server.
#
#delft NAS-IP-Address == 198.51.100.5
#
# Port 0 on the first terminal server in Alphen are connected to
# a huntgroup that is for business users only. Note that only one
# of the username or groupname has to match to get access (OR/OR).
#
# Note that this huntgroup is a subset of the "alphen" huntgroup.
#
#business NAS-IP-Address == 198.51.100.5, NAS-Port-Id == 0
# User-Name == rogerl,
# User-Name == henks,
# Group == business,
# Group == staff

1
ops/nixos/bvm-radius/raddb/mods-enabled/always Symbolic link
View file

@ -0,0 +1 @@
../mods-available/always

1
ops/nixos/bvm-radius/raddb/mods-enabled/attr_filter Symbolic link
View file

@ -0,0 +1 @@
../mods-available/attr_filter

1
ops/nixos/bvm-radius/raddb/mods-enabled/cache_eap Symbolic link
View file

@ -0,0 +1 @@
../mods-available/cache_eap

1
ops/nixos/bvm-radius/raddb/mods-enabled/chap Symbolic link
View file

@ -0,0 +1 @@
../mods-available/chap

1
ops/nixos/bvm-radius/raddb/mods-enabled/date Symbolic link
View file

@ -0,0 +1 @@
../mods-available/date

1
ops/nixos/bvm-radius/raddb/mods-enabled/detail Symbolic link
View file

@ -0,0 +1 @@
../mods-available/detail

1
ops/nixos/bvm-radius/raddb/mods-enabled/detail.log Symbolic link
View file

@ -0,0 +1 @@
../mods-available/detail.log

1
ops/nixos/bvm-radius/raddb/mods-enabled/digest Symbolic link
View file

@ -0,0 +1 @@
../mods-available/digest

1
ops/nixos/bvm-radius/raddb/mods-enabled/dynamic_clients Symbolic link
View file

@ -0,0 +1 @@
../mods-available/dynamic_clients

1
ops/nixos/bvm-radius/raddb/mods-enabled/eap-custom Symbolic link
View file

@ -0,0 +1 @@
../mods-available/eap-custom

1
ops/nixos/bvm-radius/raddb/mods-enabled/echo Symbolic link
View file

@ -0,0 +1 @@
../mods-available/echo

1
ops/nixos/bvm-radius/raddb/mods-enabled/exec Symbolic link
View file

@ -0,0 +1 @@
../mods-available/exec

1
ops/nixos/bvm-radius/raddb/mods-enabled/expiration Symbolic link
View file

@ -0,0 +1 @@
../mods-available/expiration

1
ops/nixos/bvm-radius/raddb/mods-enabled/expr Symbolic link
View file

@ -0,0 +1 @@
../mods-available/expr

1
ops/nixos/bvm-radius/raddb/mods-enabled/files Symbolic link
View file

@ -0,0 +1 @@
../mods-available/files

1
ops/nixos/bvm-radius/raddb/mods-enabled/inner-eap-eduroam Symbolic link
View file

@ -0,0 +1 @@
../mods-available/inner-eap-eduroam

1
ops/nixos/bvm-radius/raddb/mods-enabled/linelog-eduroam Symbolic link
View file

@ -0,0 +1 @@
../mods-available/linelog-eduroam

1
ops/nixos/bvm-radius/raddb/mods-enabled/logintime Symbolic link
View file

@ -0,0 +1 @@
../mods-available/logintime

1
ops/nixos/bvm-radius/raddb/mods-enabled/mschap Symbolic link
View file

@ -0,0 +1 @@
../mods-available/mschap

1
ops/nixos/bvm-radius/raddb/mods-enabled/ntlm_auth Symbolic link
View file

@ -0,0 +1 @@
../mods-available/ntlm_auth

1
ops/nixos/bvm-radius/raddb/mods-enabled/pap Symbolic link
View file

@ -0,0 +1 @@
../mods-available/pap

1
ops/nixos/bvm-radius/raddb/mods-enabled/passwd Symbolic link
View file

@ -0,0 +1 @@
../mods-available/passwd

1
ops/nixos/bvm-radius/raddb/mods-enabled/preprocess Symbolic link
View file

@ -0,0 +1 @@
../mods-available/preprocess

1
ops/nixos/bvm-radius/raddb/mods-enabled/radutmp Symbolic link
View file

@ -0,0 +1 @@
../mods-available/radutmp

1
ops/nixos/bvm-radius/raddb/mods-enabled/realm Symbolic link
View file

@ -0,0 +1 @@
../mods-available/realm

1
ops/nixos/bvm-radius/raddb/mods-enabled/replicate Symbolic link
View file

@ -0,0 +1 @@
../mods-available/replicate

1
ops/nixos/bvm-radius/raddb/mods-enabled/soh Symbolic link
View file

@ -0,0 +1 @@
../mods-available/soh

1
ops/nixos/bvm-radius/raddb/mods-enabled/sradutmp Symbolic link
View file

@ -0,0 +1 @@
../mods-available/sradutmp

1
ops/nixos/bvm-radius/raddb/mods-enabled/unix Symbolic link
View file

@ -0,0 +1 @@
../mods-available/unix

1
ops/nixos/bvm-radius/raddb/mods-enabled/unpack Symbolic link
View file

@ -0,0 +1 @@
../mods-available/unpack

1
ops/nixos/bvm-radius/raddb/mods-enabled/utf8 Symbolic link
View file

@ -0,0 +1 @@
../mods-available/utf8

113
ops/nixos/bvm-radius/raddb/policy.d/canonicalization Normal file
View file

@ -0,0 +1,113 @@
#
# Split User-Name in NAI format (RFC 4282) into components
#
# This policy writes the Username and Domain portions of the
# NAI into the Stripped-User-Name and Stripped-User-Domain
# attributes.
#
# The regular expression to do this is not strictly compliant
# with the standard, but it is not possible to write a
# compliant regexp without perl style regular expressions (or
# at least not a legible one).
#
nai_regexp = '^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$'
split_username_nai {
if (&User-Name && (&User-Name =~ /${policy.nai_regexp}/)) {
update request {
&Stripped-User-Name := "%{1}"
}
# Only add the Stripped-User-Domain attribute if
# we have a domain. This means presence checks
# for Stripped-User-Domain work.
if ("%{3}" != '') {
update request {
&Stripped-User-Domain = "%{3}"
}
}
# If any of the expansions result in a null
# string, the update section may return
# something other than updated...
updated
}
else {
noop
}
}
#
# If called in post-proxy we modify the proxy-reply message
#
split_username_nai.post-proxy {
if (&proxy-reply:User-Name && (&proxy-reply:User-Name =~ /${policy.nai_regexp}/)) {
update proxy-reply {
&Stripped-User-Name := "%{1}"
}
# Only add the Stripped-User-Domain attribute if
# we have a domain. This means presence checks
# for Stripped-User-Domain work.
if ("%{3}" != '') {
update proxy-reply {
&Stripped-User-Domain = "%{3}"
}
}
updated
}
else {
noop
}
}
#
# Normalize the MAC Addresses in the Calling/Called-Station-Id
#
mac-addr-regexp = '([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})'
#
# Add "rewrite_called_station_id" in the "authorize" and
# "preacct" sections.
#
# Makes Called-Station-ID conform to what RFC3580 says should
# be provided by 802.1X authenticators.
#
rewrite_called_station_id {
if (&Called-Station-Id && (&Called-Station-Id =~ /^${policy.mac-addr-regexp}([^0-9a-f](.+))?$/i)) {
update request {
&Called-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
}
# SSID component?
if ("%{8}") {
update request {
&Called-Station-SSID := "%{8}"
}
}
updated
}
else {
noop
}
}
#
# Add "rewrite_calling_station_id" in the "authorize" and
# "preacct" sections.
#
# Makes Calling-Station-ID conform to what RFC3580 says should
# be provided by 802.1X authenticators.
#
rewrite_calling_station_id {
if (&Calling-Station-Id && (&Calling-Station-Id =~ /^${policy.mac-addr-regexp}$/i)) {
update request {
&Calling-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
}
updated
}
else {
noop
}
}

28
ops/nixos/bvm-radius/raddb/proxy.conf Normal file
View file

@ -0,0 +1,28 @@
home_server eduroam_flr_server_1 {
# roaming0.ja.net
ipv6addr = 2001:630:1:128::185
secret = {{JANET_ROAMING0_SECRET}}
status_check = status-server
response_window = 5
check_interval = 10
check_timeout = 5
}
home_server eduroam_flr_server_2 {
# roaming1.ja.net
ipv6addr = 2001:630:1:12a::233
secret = {{JANET_ROAMING1_SECRET}}
status_check = status-server
response_window = 5
check_interval = 10
check_timeout = 5
}
home_server_pool eduroam_flr_pool {
type = keyed-balance
home_server = eduroam_flr_server_1
home_server = eduroam_flr_server_2
}
realm eduroam_flr {
auth_pool = eduroam_flr_pool
nostrip
}

902
ops/nixos/bvm-radius/raddb/radiusd.conf Normal file
View file

@ -0,0 +1,902 @@
# -*- text -*-
##
## radiusd.conf -- FreeRADIUS server configuration file - 3.0.21
##
## http://www.freeradius.org/
## $Id: e8aee3c00193127177cd65e31156c1d0f4b124d3 $
##
######################################################################
#
# The format of this (and other) configuration file is
# documented in "man unlang". There are also READMEs in many
# subdirectories:
#
# raddb/README.rst
# How to upgrade from v2.
#
# raddb/mods-available/README.rst
# How to use mods-available / mods-enabled.
# All of the modules are in individual files,
# along with configuration items and full documentation.
#
# raddb/sites-available/README
# virtual servers, "listen" sections, clients, etc.
# The "sites-available" directory contains many
# worked examples of common configurations.
#
# raddb/certs/README
# How to create certificates for EAP or RadSec.
#
# Every configuration item in the server is documented
# extensively in the comments in the example configuration
# files.
#
# Before editing this (or any other) configuration file, PLEASE
# read "man radiusd". See the section titled DEBUGGING. It
# outlines a method where you can quickly create the
# configuration you want, with minimal effort.
#
# Run the server in debugging mode, and READ the output.
#
# $ radiusd -X
#
# We cannot emphasize this point strongly enough. The vast
# majority of problems can be solved by carefully reading the
# debugging output, which includes warnings about common issues,
# and suggestions for how they may be fixed.
#
# There may be a lot of output, but look carefully for words like:
# "warning", "error", "reject", or "failure". The messages there
# will usually be enough to guide you to a solution.
#
# More documentation on "radiusd -X" is available on the wiki:
# https://wiki.freeradius.org/radiusd-X
#
# If you are going to ask a question on the mailing list, then
# explain what you are trying to do, and include the output from
# debugging mode (radiusd -X). Failure to do so means that all
# of the responses to your question will be people telling you
# to "post the output of radiusd -X".
#
# Guidelines for posting to the mailing list are on the wiki:
# https://wiki.freeradius.org/list-help
#
# Please read those guidelines before posting to the list.
#
# Further documentation is available in the "doc" directory
# of the server distribution, or on the wiki at:
# https://wiki.freeradius.org/
#
# New users to RADIUS should read the Technical Guide. That guide
# explains how RADIUS works, how FreeRADIUS works, and what each
# part of a RADIUS system does. It is not just "configure FreeRADIUS"!
# https://networkradius.com/doc/FreeRADIUS-Technical-Guide.pdf
#
# More documentation on dictionaries, modules, unlang, etc. is also
# available on the Network RADIUS web site:
# https://networkradius.com/freeradius-documentation/
#
######################################################################
prefix = {{FREERADIUS_LOC}}
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
#
# name of the running server. See also the "-n" command-line option.
name = radiusd
# Location of config and logfiles.
confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir = ${confdir}/certs
run_dir = ${localstatedir}/run/${name}
# Should likely be ${localstatedir}/lib/radiusd
db_dir = ${raddbdir}
#
# libdir: Where to find the rlm_* modules.
#
# This should be automatically set at configuration time.
#
# If the server builds and installs, but fails at execution time
# with an 'undefined symbol' error, then you can use the libdir
# directive to work around the problem.
#
# The cause is usually that a library has been installed on your
# system in a place where the dynamic linker CANNOT find it. When
# executing as root (or another user), your personal environment MAY
# be set up to allow the dynamic linker to find the library. When
# executing as a daemon, FreeRADIUS MAY NOT have the same
# personalized configuration.
#
# To work around the problem, find out which library contains that symbol,
# and add the directory containing that library to the end of 'libdir',
# with a colon separating the directory names. NO spaces are allowed.
#
# e.g. libdir = /usr/local/lib:/opt/package/lib
#
# You can also try setting the LD_LIBRARY_PATH environment variable
# in a script which starts the server.
#
# If that does not work, then you can re-configure and re-build the
# server to NOT use shared libraries, via:
#
# ./configure --disable-shared
# make
# make install
#
libdir = ${prefix}/lib
# pidfile: Where to place the PID of the RADIUS server.
#
# The server may be signalled while it's running by using this
# file.
#
# This file is written when ONLY running in daemon mode.
#
# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
#
pidfile = ${run_dir}/${name}.pid
#
# correct_escapes: use correct backslash escaping
#
# Prior to version 3.0.5, the handling of backslashes was a little
# awkward, i.e. "wrong". In some cases, to get one backslash into
# a regex, you had to put 4 in the config files.
#
# Version 3.0.5 fixes that. However, for backwards compatibility,
# the new method of escaping is DISABLED BY DEFAULT. This means
# that upgrading to 3.0.5 won't break your configuration.
#
# If you don't have double backslashes (i.e. \\) in your configuration,
# this won't matter to you. If you do have them, fix that to use only
# one backslash, and then set "correct_escapes = true".
#
# You can check for this by doing:
#
# $ grep '\\\\' $(find raddb -type f -print)
#
correct_escapes = true
# panic_action: Command to execute if the server dies unexpectedly.
#
# FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.
# AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.
# AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART.
#
# THE SERVER MUST NOT BE ALLOWED EXECUTE UNTRUSTED PANIC ACTION CODE
# PATTACH CAN BE USED AS AN ATTACK VECTOR.
#
# The panic action is a command which will be executed if the server
# receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS,
# SIGABRT or SIGFPE.
#
# This can be used to start an interactive debugging session so
# that information regarding the current state of the server can
# be acquired.
#
# The following string substitutions are available:
# - %e The currently executing program e.g. /sbin/radiusd
# - %p The PID of the currently executing program e.g. 12345
#
# Standard ${} substitutions are also allowed.
#
# An example panic action for opening an interactive session in GDB would be:
#
#panic_action = "gdb %e %p"
#
# Again, don't use that on a production system.
#
# An example panic action for opening an automated session in GDB would be:
#
#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log"
#
# That command can be used on a production system.
#
# max_request_time: The maximum time (in seconds) to handle a request.
#
# Requests which take more time than this to process may be killed, and
# a REJECT message is returned.
#
# WARNING: If you notice that requests take a long time to be handled,
# then this MAY INDICATE a bug in the server, in one of the modules
# used to handle a request, OR in your local configuration.
#
# This problem is most often seen when using an SQL database. If it takes
# more than a second or two to receive an answer from the SQL database,
# then it probably means that you haven't indexed the database. See your
# SQL server documentation for more information.
#
# Useful range of values: 5 to 120
#
max_request_time = 30
# cleanup_delay: The time to wait (in seconds) before cleaning up
# a reply which was sent to the NAS.
#
# The RADIUS request is normally cached internally for a short period
# of time, after the reply is sent to the NAS. The reply packet may be
# lost in the network, and the NAS will not see it. The NAS will then
# re-send the request, and the server will respond quickly with the
# cached reply.
#
# If this value is set too low, then duplicate requests from the NAS
# MAY NOT be detected, and will instead be handled as separate requests.
#
# If this value is set too high, then the server will cache too many
# requests, and some new requests may get blocked. (See 'max_requests'.)
#
# Useful range of values: 2 to 30
#
cleanup_delay = 5
# max_requests: The maximum number of requests which the server keeps
# track of. This should be 256 multiplied by the number of clients.
# e.g. With 4 clients, this number should be 1024.
#
# If this number is too low, then when the server becomes busy,
# it will not respond to any new requests, until the 'cleanup_delay'
# time has passed, and it has removed the old requests.
#
# If this number is set too high, then the server will use a bit more
# memory for no real benefit.
#
# If you aren't sure what it should be set to, it's better to set it
# too high than too low. Setting it to 1000 per client is probably
# the highest it should be.
#
# Useful range of values: 256 to infinity
#
max_requests = 16384
# hostname_lookups: Log the names of clients or just their IP addresses
# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
#
# The default is 'off' because it would be overall better for the net
# if people had to knowingly turn this feature on, since enabling it
# means that each client request will result in AT LEAST one lookup
# request to the nameserver. Enabling hostname_lookups will also
# mean that your server may stop randomly for 30 seconds from time
# to time, if the DNS requests take too long.
#
# Turning hostname lookups off also means that the server won't block
# for 30 seconds, if it sees an IP address which has no name associated
# with it.
#
# allowed values: {no, yes}
#
hostname_lookups = no
#
# Logging section. The various "log_*" configuration items
# will eventually be moved here.
#
log {
#
# Destination for log messages. This can be one of:
#
# files - log to "file", as defined below.
# syslog - to syslog (see also the "syslog_facility", below.
# stdout - standard output
# stderr - standard error.
#
# The command-line option "-X" over-rides this option, and forces
# logging to go to stdout.
#
destination = files
#
# Highlight important messages sent to stderr and stdout.
#
# Option will be ignored (disabled) if output if TERM is not
# an xterm or output is not to a TTY.
#
colourise = yes
#
# The logging messages for the server are appended to the
# tail of this file if destination == "files"
#
# If the server is running in debugging mode, this file is
# NOT used.
#
file = ${logdir}/radius.log
#
# Which syslog facility to use, if ${destination} == "syslog"
#
# The exact values permitted here are OS-dependent. You probably
# don't want to change this.
#
syslog_facility = daemon
# Log the full User-Name attribute, as it was found in the request.
#
# allowed values: {no, yes}
#
stripped_names = no
# Log all (accept and reject) authentication results to the log file.
#
# This is the same as setting "auth_accept = yes" and
# "auth_reject = yes"
#
# allowed values: {no, yes}
#
auth = no
# Log Access-Accept results to the log file.
#
# This is only used if "auth = no"
#
# allowed values: {no, yes}
#
# auth_accept = no
# Log Access-Reject results to the log file.
#
# This is only used if "auth = no"
#
# allowed values: {no, yes}
#
# auth_reject = no
# Log passwords with the authentication requests.
# auth_badpass - logs password if it's rejected
# auth_goodpass - logs password if it's correct
#
# allowed values: {no, yes}
#
auth_badpass = no
auth_goodpass = no
# Log additional text at the end of the "Login OK" messages.
# for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
# configurations above have to be set to "yes".
#
# The strings below are dynamically expanded, which means that
# you can put anything you want in them. However, note that
# this expansion can be slow, and can negatively impact server
# performance.
#
# msg_goodpass = ""
# msg_badpass = ""
# The message when the user exceeds the Simultaneous-Use limit.
#
msg_denied = "You are already logged in - access denied"
}
# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad
#
# ENVIRONMENT VARIABLES
#
# You can reference environment variables using an expansion like
# `$ENV{PATH}`. However it is sometimes useful to be able to also set
# environment variables. This section lets you do that.
#
# The main purpose of this section is to allow administrators to keep
# RADIUS-specific configuration in the RADIUS configuration files.
# For example, if you need to set an environment variable which is
# used by a module. You could put that variable into a shell script,
# but that's awkward. Instead, just list it here.
#
# Note that these environment variables are set AFTER the
# configuration file is loaded. So you cannot set FOO here, and
# expect to reference it via `$ENV{FOO}` in another configuration file.
# You should instead just use a normal configuration variable for
# that.
#
ENV {
#
# Set environment varable `FOO` to value '/bar/baz'.
#
# NOTE: Note that you MUST use '='. You CANNOT use '+=' to append
# values.
#
# FOO = '/bar/baz'
#
# Delete environment variable `BAR`.
#
# BAR
#
# `LD_PRELOAD` is special. It is normally set before the
# application runs, and is interpreted by the dynamic linker.
# Which means you cannot set it inside of an application, and
# expect it to load libraries.
#
# Since this functionality is useful, we extend it here.
#
# You can set
#
# LD_PRELOAD = /path/to/library.so
#
# and the server will load the named libraries. Multiple
# libraries can be loaded by specificing multiple individual
# `LD_PRELOAD` entries.
#
#
# LD_PRELOAD = /path/to/library1.so
# LD_PRELOAD = /path/to/library2.so
}
# SECURITY CONFIGURATION
#
# There may be multiple methods of attacking on the server. This
# section holds the configuration items which minimize the impact
# of those attacks
#
security {
# chroot: directory where the server does "chroot".
#
# The chroot is done very early in the process of starting
# the server. After the chroot has been performed it
# switches to the "user" listed below (which MUST be
# specified). If "group" is specified, it switches to that
# group, too. Any other groups listed for the specified
# "user" in "/etc/group" are also added as part of this
# process.
#
# The current working directory (chdir / cd) is left
# *outside* of the chroot until all of the modules have been
# initialized. This allows the "raddb" directory to be left
# outside of the chroot. Once the modules have been
# initialized, it does a "chdir" to ${logdir}. This means
# that it should be impossible to break out of the chroot.
#
# If you are worried about security issues related to this
# use of chdir, then simply ensure that the "raddb" directory
# is inside of the chroot, end be sure to do "cd raddb"
# BEFORE starting the server.
#
# If the server is statically linked, then the only files
# that have to exist in the chroot are ${run_dir} and
# ${logdir}. If you do the "cd raddb" as discussed above,
# then the "raddb" directory has to be inside of the chroot
# directory, too.
#
# chroot = /path/to/chroot/directory
# user/group: The name (or #number) of the user/group to run radiusd as.
#
# If these are commented out, the server will run as the
# user/group that started it. In order to change to a
# different user/group, you MUST be root ( or have root
# privileges ) to start the server.
#
# We STRONGLY recommend that you run the server with as few
# permissions as possible. That is, if you're not using
# shadow passwords, the user and group items below should be
# set to radius'.
#
# NOTE that some kernels refuse to setgid(group) when the
# value of (unsigned)group is above 60000; don't use group
# "nobody" on these systems!
#
# On systems with shadow passwords, you might have to set
# 'group = shadow' for the server to be able to read the
# shadow password file. If you can authenticate users while
# in debug mode, but not in daemon mode, it may be that the
# debugging mode server is running as a user that can read
# the shadow info, and the user listed below can not.
#
# The server will also try to use "initgroups" to read
# /etc/groups. It will join all groups where "user" is a
# member. This can allow for some finer-grained access
# controls.
#
# user = radius
# group = radius
# Core dumps are a bad thing. This should only be set to
# 'yes' if you're debugging a problem with the server.
#
# allowed values: {no, yes}
#
allow_core_dumps = no
#
# max_attributes: The maximum number of attributes
# permitted in a RADIUS packet. Packets which have MORE
# than this number of attributes in them will be dropped.
#
# If this number is set too low, then no RADIUS packets
# will be accepted.
#
# If this number is set too high, then an attacker may be
# able to send a small number of packets which will cause
# the server to use all available memory on the machine.
#
# Setting this number to 0 means "allow any number of attributes"
max_attributes = 200
#
# reject_delay: When sending an Access-Reject, it can be
# delayed for a few seconds. This may help slow down a DoS
# attack. It also helps to slow down people trying to brute-force
# crack a users password.
#
# Setting this number to 0 means "send rejects immediately"
#
# If this number is set higher than 'cleanup_delay', then the
# rejects will be sent at 'cleanup_delay' time, when the request
# is deleted from the internal cache of requests.
#
# As of Version 3.0.5, "reject_delay" has sub-second resolution.
# e.g. "reject_delay = 1.4" seconds is possible.
#
# Useful ranges: 1 to 5
reject_delay = 1
#
# status_server: Whether or not the server will respond
# to Status-Server requests.
#
# When sent a Status-Server message, the server responds with
# an Access-Accept or Accounting-Response packet.
#
# This is mainly useful for administrators who want to "ping"
# the server, without adding test users, or creating fake
# accounting packets.
#
# It's also useful when a NAS marks a RADIUS server "dead".
# The NAS can periodically "ping" the server with a Status-Server
# packet. If the server responds, it must be alive, and the
# NAS can start using it for real requests.
#
# See also raddb/sites-available/status
#
status_server = yes
#
# allow_vulnerable_openssl: Allow the server to start with
# versions of OpenSSL known to have critical vulnerabilities.
#
# This check is based on the version number reported by libssl
# and may not reflect patches applied to libssl by
# distribution maintainers.
#
allow_vulnerable_openssl = no
}
# PROXY CONFIGURATION
#
# proxy_requests: Turns proxying of RADIUS requests on or off.
#
# The server has proxying turned on by default. If your system is NOT
# set up to proxy requests to another server, then you can turn proxying
# off here. This will save a small amount of resources on the server.
#
# If you have proxying turned off, and your configuration files say
# to proxy a request, then an error message will be logged.
#
# To disable proxying, change the "yes" to "no", and comment the
# $INCLUDE line.
#
# allowed values: {no, yes}
#
proxy_requests = yes
$INCLUDE proxy.conf
# CLIENTS CONFIGURATION
#
# Client configuration is defined in "clients.conf".
#
# The 'clients.conf' file contains all of the information from the old
# 'clients' and 'naslist' configuration files. We recommend that you
# do NOT use 'client's or 'naslist', although they are still
# supported.
#
# Anything listed in 'clients.conf' will take precedence over the
# information from the old-style configuration files.
#
$INCLUDE clients.conf
# THREAD POOL CONFIGURATION
#
# The thread pool is a long-lived group of threads which
# take turns (round-robin) handling any incoming requests.
#
# You probably want to have a few spare threads around,
# so that high-load situations can be handled immediately. If you
# don't have any spare threads, then the request handling will
# be delayed while a new thread is created, and added to the pool.
#
# You probably don't want too many spare threads around,
# otherwise they'll be sitting there taking up resources, and
# not doing anything productive.
#
# The numbers given below should be adequate for most situations.
#
thread pool {
# Number of servers to start initially --- should be a reasonable
# ballpark figure.
start_servers = 5
# Limit on the total number of servers running.
#
# If this limit is ever reached, clients will be LOCKED OUT, so it
# should NOT BE SET TOO LOW. It is intended mainly as a brake to
# keep a runaway server from taking the system with it as it spirals
# down...
#
# You may find that the server is regularly reaching the
# 'max_servers' number of threads, and that increasing
# 'max_servers' doesn't seem to make much difference.
#
# If this is the case, then the problem is MOST LIKELY that
# your back-end databases are taking too long to respond, and
# are preventing the server from responding in a timely manner.
#
# The solution is NOT do keep increasing the 'max_servers'
# value, but instead to fix the underlying cause of the
# problem: slow database, or 'hostname_lookups=yes'.
#
# For more information, see 'max_request_time', above.
#
max_servers = 32
# Server-pool size regulation. Rather than making you guess
# how many servers you need, FreeRADIUS dynamically adapts to
# the load it sees, that is, it tries to maintain enough
# servers to handle the current load, plus a few spare
# servers to handle transient load spikes.
#
# It does this by periodically checking how many servers are
# waiting for a request. If there are fewer than
# min_spare_servers, it creates a new spare. If there are
# more than max_spare_servers, some of the spares die off.
# The default values are probably OK for most sites.
#
min_spare_servers = 3
max_spare_servers = 10
# When the server receives a packet, it places it onto an
# internal queue, where the worker threads (configured above)
# pick it up for processing. The maximum size of that queue
# is given here.
#
# When the queue is full, any new packets will be silently
# discarded.
#
# The most common cause of the queue being full is that the
# server is dependent on a slow database, and it has received
# a large "spike" of traffic. When that happens, there is
# very little you can do other than make sure the server
# receives less traffic, or make sure that the database can
# handle the load.
#
# max_queue_size = 65536
# Clean up old threads periodically. For no reason other than
# it might be useful.
#
# '0' is a special value meaning 'infinity', or 'the servers never
# exit'
max_requests_per_server = 0
# Automatically limit the number of accounting requests.
# This configuration item tracks how many requests per second
# the server can handle. It does this by tracking the
# packets/s received by the server for processing, and
# comparing that to the packets/s handled by the child
# threads.
#
# If the received PPS is larger than the processed PPS, *and*
# the queue is more than half full, then new accounting
# requests are probabilistically discarded. This lowers the
# number of packets that the server needs to process. Over
# time, the server will "catch up" with the traffic.
#
# Throwing away accounting packets is usually safe and low
# impact. The NAS will retransmit them in a few seconds, or
# even a few minutes. Vendors should read RFC 5080 Section 2.2.1
# to see how accounting packets should be retransmitted. Using
# any other method is likely to cause network meltdowns.
#
auto_limit_acct = no
}
######################################################################
#
# SNMP notifications. Uncomment the following line to enable
# snmptraps. Note that you MUST also configure the full path
# to the "snmptrap" command in the "trigger.conf" file.
#
#$INCLUDE trigger.conf
# MODULE CONFIGURATION
#
# The names and configuration of each module is located in this section.
#
# After the modules are defined here, they may be referred to by name,
# in other sections of this configuration file.
#
modules {
#
# Each module has a configuration as follows:
#
# name [ instance ] {
# config_item = value
# ...
# }
#
# The 'name' is used to load the 'rlm_name' library
# which implements the functionality of the module.
#
# The 'instance' is optional. To have two different instances
# of a module, it first must be referred to by 'name'.
# The different copies of the module are then created by
# inventing two 'instance' names, e.g. 'instance1' and 'instance2'
#
# The instance names can then be used in later configuration
# INSTEAD of the original 'name'. See the 'radutmp' configuration
# for an example.
#
#
# Some modules have ordering issues. e.g. "sqlippool" uses
# the configuration from "sql". In that case, the "sql"
# module must be read off of disk before the "sqlippool".
# However, the directory inclusion below just reads the
# directory from start to finish. Which means that the
# modules are read off of disk randomly.
#
# As of 3.0.18, you can list individual modules *before* the
# directory inclusion. Those modules will be loaded first.
# Then, when the directory is read, those modules will be
# skipped and not read twice.
#
# $INCLUDE mods-enabled/sql
#
# As of 3.0, modules are in mods-enabled/. Files matching
# the regex /[a-zA-Z0-9_.]+/ are loaded. The modules are
# initialized ONLY if they are referenced in a processing
# section, such as authorize, authenticate, accounting,
# pre/post-proxy, etc.
#
$INCLUDE mods-enabled/
}
# Instantiation
#
# This section sets the instantiation order of the modules. listed
# here will get started up BEFORE the sections like authorize,
# authenticate, etc. get examined.
#
# This section is not strictly needed. When a section like authorize
# refers to a module, the module is automatically loaded and
# initialized. However, some modules may not be listed in any of the
# processing sections, so they should be listed here.
#
# Also, listing modules here ensures that you have control over
# the order in which they are initialized. If one module needs
# something defined by another module, you can list them in order
# here, and ensure that the configuration will be OK.
#
# After the modules listed here have been loaded, all of the modules
# in the "mods-enabled" directory will be loaded. Loading the
# "mods-enabled" directory means that unlike Version 2, you usually
# don't need to list modules here.
#
instantiate {
#
# We list the counter module here so that it registers
# the check_name attribute before any module which sets
# it
# daily
# subsections here can be thought of as "virtual" modules.
#
# e.g. If you have two redundant SQL servers, and you want to
# use them in the authorize and accounting sections, you could
# place a "redundant" block in each section, containing the
# exact same text. Or, you could uncomment the following
# lines, and list "redundant_sql" in the authorize and
# accounting sections.
#
# The "virtual" module defined here can also be used with
# dynamic expansions, under a few conditions:
#
# * The section is "redundant", or "load-balance", or
# "redundant-load-balance"
# * The section contains modules ONLY, and no sub-sections
# * all modules in the section are using the same rlm_
# driver, e.g. They are all sql, or all ldap, etc.
#
# When those conditions are satisfied, the server will
# automatically register a dynamic expansion, using the
# name of the "virtual" module. In the example below,
# it will be "redundant_sql". You can then use this expansion
# just like any other:
#
# update reply {
# Filter-Id := "%{redundant_sql: ... }"
# }
#
# In this example, the expansion is done via module "sql1",
# and if that expansion fails, using module "sql2".
#
# For best results, configure the "pool" subsection of the
# module so that "retry_delay" is non-zero. That will allow
# the redundant block to quickly ignore all "down" SQL
# databases. If instead we have "retry_delay = 0", then
# every time the redundant block is used, the server will try
# to open a connection to every "down" database, causing
# problems.
#
#redundant redundant_sql {
# sql1
# sql2
#}
}
######################################################################
#
# Policies are virtual modules, similar to those defined in the
# "instantiate" section above.
#
# Defining a policy in one of the policy.d files means that it can be
# referenced in multiple places as a *name*, rather than as a series of
# conditions to match, and actions to take.
#
# Policies are something like subroutines in a normal language, but
# they cannot be called recursively. They MUST be defined in order.
# If policy A calls policy B, then B MUST be defined before A.
#
######################################################################
policy {
$INCLUDE policy.d/
}
######################################################################
#
# Load virtual servers.
#
# This next $INCLUDE line loads files in the directory that
# match the regular expression: /[a-zA-Z0-9_.]+/
#
# It allows you to define new virtual servers simply by placing
# a file into the raddb/sites-enabled/ directory.
#
$INCLUDE sites-enabled/
######################################################################
#
# All of the other configuration sections like "authorize {}",
# "authenticate {}", "accounting {}", have been moved to the
# the file:
#
# raddb/sites-available/default
#
# This is the "default" virtual server that has the same
# configuration as in version 1.0.x and 1.1.x. The default
# installation enables this virtual server. You should
# edit it to create policies for your local site.
#
# For more documentation on virtual servers, see:
#
# raddb/sites-available/README
#
######################################################################

113
ops/nixos/bvm-radius/raddb/sites-available/eduroam Normal file
View file

@ -0,0 +1,113 @@
operator_name = "as205479.net"
# The VLAN to assign eduroam visitors
eduroam_default_guest_vlan = "100"
# The VLAN to assign your students/staff
eduroam_default_local_vlan = "100"
server eduroam {
listen {
type = auth
ipv6addr = *
port = 1812
}
listen {
type = auth
ipv4addr = *
port = 1812
}
authorize {
# Log requests before we change them
linelog_recv_request
# split_username_nai is a policy in the default distribution to
# split a username into username and domain. We reject user-name
# strings without domains, as they're not routable.
split_username_nai
if (noop || !&Stripped-User-Domain) {
reject
}
# Send the request to the NRO for your region.
# The details of the FLRs (Federation Level RADIUS servers)
# are in proxy.conf.
# You can make this condition as complex as you like, to
# include additional subdomains just concatenate the conditions
# with &&.
if (&Stripped-User-Domain != "${operator_name}") {
update {
control:Load-Balance-Key := &Calling-Station-ID
control:Proxy-To-Realm := 'eduroam_flr'
# Operator name (RFC 5580) identifies the network the
# request originated from. It's not absolutely necessary
# but it helps with debugging.
request:Operator-Name := "1${operator_name}"
}
return
}
# If the EAP module returns 'ok' or 'updated', it means it has handled
# the request and we don't need to call any other modules in this
# section.
eap {
ok = return
updated = return
}
}
pre-proxy {
attr_filter.pre-proxy
linelog_send_proxy_request
}
post-proxy {
attr_filter.post-proxy
linelog_recv_proxy_response
}
authenticate {
eap
}
post-auth {
# To implement eduroam you must:
# - Use wireless access points or a controller which supports
# dynamic VLAN assignments.
# - Have that feature enabled.
# - Have the guest_vlan/local_vlan available to the controller,
# or to all your access points.
# eduroam user traffic *MUST* be segregated, this is *NOT* optional.
update reply {
Tunnel-Type := VLAN
Tunnel-Medium-Type := IEEE-802
}
if (&control:Proxy-To-Realm) {
update reply {
Tunnel-Private-Group-ID = ${eduroam_default_guest_vlan}
}
}
else {
update reply {
Tunnel-Private-Group-ID = ${eduroam_default_local_vlan}
}
}
# We're sending a response to one of OUR network devices for one of
# OUR users so provide it with the real user-identity.
if (&session-state:Stripped-User-Name) {
update reply {
User-Name := "%{session-state:Stripped-User-Name}@%{Stripped-User-Domain}"
}
}
linelog_send_accept
Post-Auth-Type REJECT {
attr_filter.access_reject
linelog_send_reject
}
}
}

71
ops/nixos/bvm-radius/raddb/sites-available/inner-tunnel-eduroam Normal file
View file

@ -0,0 +1,71 @@
server eduroam-inner {
listen {
type = auth
ipv6addr = *
port = 18120 # Used for testing only. Requests proxied internally.
}
listen {
type = auth
ipv4addr = *
port = 18120 # Used for testing only. Requests proxied internally.
}
authorize {
# The outer username is considered garabage for autz purposes, but
# the domain portion of the outer and inner identities must match.
split_username_nai
if (noop || (&Stripped-User-Domain && \
(&outer.Stripped-User-Domain != &Stripped-User-Domain))) {
reject
}
# Make the user's real identity available to anything that needs
# it in the outer server.
if (&outer.session-state:)
update {
&outer.session-state:Stripped-User-Name := &Stripped-User-Name
}
}
# EAP for PEAPv0 (EAP-MSCHAPv2)
inner-eap {
ok = return
}
# THIS IS SITE SPECIFIC
#
# The files module is *ONLY* used for testing. It lets you define
# credentials in a flat file, IT WILL NOT SCALE.
#
# - If you use OpenLDAP with salted password hashes you should
# call the 'ldap' module here and use EAP-TTLS-PAP as your EAP method.
# - If you use OpenLDAP with cleartext passwords you should
# call the 'ldap' module here and use EAP-TTLS or PEAPv0.
# - If you use an SQL DB with salted password hashes you should call
# the 'sql' module here and use EAP-TTLS-PAP as your EAP method.
# - If you use an SQL DB with cleartext passwords you should call
# the 'sql' module here and use EAP-TTLS or PEAPv0.
# - If you use Novell you should call the 'ldap' module here and
# set ``edir = yes`` in ``mods-available/ldap`` and use EAP-TTLS or
# PEAPv0.
# - If you use Active Directory, you don't need anything here (remove
# the call to files) but you'll need to follow this
# [guide](freeradius-active-directory-integration-howto) and use
# EAP-TTLS-PAP or PEAPv0.
# - If you're using EAP-TLS (i'm impressed!) remove the call to files.
#
# EAP-TTLS-PAP and PEAPv0 are equally secure/insecure depending on how the
# supplicant is configured. PEAPv0 has a slight edge in that you need to
# crack MSCHAPv2 to get the user's password (but this is not hard).
files
pap
mschap
}
authenticate {
inner-eap
mschap
pap
}
}

1
ops/nixos/bvm-radius/raddb/sites-enabled/eduroam Symbolic link
View file

@ -0,0 +1 @@
../sites-available/eduroam

1
ops/nixos/bvm-radius/raddb/sites-enabled/inner-tunnel-eduroam Symbolic link
View file

@ -0,0 +1 @@
../sites-available/inner-tunnel-eduroam

1
ops/nixos/bvm-radius/raddb/users Symbolic link
View file

@ -0,0 +1 @@
./mods-config/files/authorize

46
ops/nixos/bvm-radius/radius.nix Normal file
View file

@ -0,0 +1,46 @@
# SPDX-FileCopyrightText: 2021 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0
{ pkgs, depot, ... }:
let
freeradiusConfig = pkgs.runCommandLocal "freeradius-config" (depot.ops.secrets.radius // {
freeradius = pkgs.freeradius;
raddb = ./raddb;
}) ''
cp -R $raddb $out
chmod -R +w $out
for f in $out/{radiusd,clients,proxy}.conf $out/mods-config/files/authorize; do
substituteInPlace "$f" \
--replace "{{FREERADIUS_LOC}}" "$freeradius" \
--replace "{{JANET_ROAMING0_SECRET}}" "$janetroaming0" \
--replace "{{JANET_ROAMING1_SECRET}}" "$janetroaming1" \
--replace "{{JANET_ROAMING2_SECRET}}" "$janetroaming2" \
--replace "{{WLC_SECRET}}" "$wlc" \
--replace "{{USER_TESTUSER_PASSWORD}}" "$testuser" \
--replace "{{USER_LUKEGB_PASSWORD}}" "$lukegb"
done
# can't check the config; it relies on things out-of-store
# ${pkgs.freeradius}/bin/radiusd -C -sxl stdout -d $out
'';
in {
environment.systemPackages = [
pkgs.freeradius
depot.pkgs.eapol-test
];
services.freeradius = {
enable = true;
configDir = freeradiusConfig;
};
users.users.radius = {
group = "radius";
extraGroups = [ "acme" ];
isSystemUser = true;
};
users.groups.radius = {};
}