diff --git a/ops/nixos/bvm-radius/default.nix b/ops/nixos/bvm-radius/default.nix index d1770a803a..fcc007a78a 100644 --- a/ops/nixos/bvm-radius/default.nix +++ b/ops/nixos/bvm-radius/default.nix @@ -8,6 +8,7 @@ let in { imports = [ ../lib/bvm.nix + ./radius.nix ]; # Networking! @@ -60,10 +61,5 @@ in { }; }; - environment.systemPackages = with pkgs; [ - freeradius - depot.pkgs.eapol-test - ]; - system.stateVersion = "21.05"; } diff --git a/ops/nixos/bvm-radius/raddb/clients.conf b/ops/nixos/bvm-radius/raddb/clients.conf new file mode 100644 index 0000000000..c6ec19d019 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/clients.conf @@ -0,0 +1,34 @@ +client localhost { + ipaddr = 127.0.0.1 + secret = testing123 +} + +client eduroam_flr_server_1_v4 { + # roaming0.ja.net + ipaddr = 194.82.174.185 + secret = {{JANET_ROAMING0_SECRET}} + nastype = 'eduroam_flr' +} +client eduroam_flr_server_1_v6 { + # roaming0.ja.net + ipv6addr = 2001:630:1:128::185 + secret = {{JANET_ROAMING0_SECRET}} + nastype = 'eduroam_flr' +} +client eduroam_flr_server_2_v4 { + # roaming1.ja.net + ipaddr = 194.83.56.233 + secret = {{JANET_ROAMING1_SECRET}} + nastype = 'eduroam_flr' +} +client eduroam_flr_server_2_v6 { + # roaming1.ja.net + ipv6addr = 2001:630:1:12a::233 + secret = {{JANET_ROAMING1_SECRET}} + nastype = 'eduroam_flr' +} + +client wireless_access_points_mgmt { + ipaddr = 92.118.30.0/24 + secret = {{WLC_SECRET}} +} diff --git a/ops/nixos/bvm-radius/raddb/dictionary b/ops/nixos/bvm-radius/raddb/dictionary new file mode 100644 index 0000000000..1f7dc903f5 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/dictionary @@ -0,0 +1,49 @@ +# +# This is the local dictionary file which can be +# edited by local administrators. It will be loaded +# AFTER the main dictionary files are loaded. +# +# As of version 3.0.2, FreeRADIUS will automatically +# load the main dictionary files from +# +# ${prefix}/share/freeradius/dictionary +# +# It is no longer necessary for this file to $INCLUDE +# the main dictionaries. However, if the $INCLUDE +# line is here, nothing bad will happen. +# +# Any new/changed attributes MUST be placed in this file. +# The pre-defined dictionaries SHOULD NOT be edited. +# +# See "man dictionary" for documentation on its format. +# +# $Id: eed5d70f41b314f9ed3f006a22d9f9a2be2c9516 $ +# + +# +# All local attributes and $INCLUDE's should go into +# this file. +# + +# If you want to add entries to the dictionary file, +# which are NOT going to be placed in a RADIUS packet, +# add them to the 'dictionary.local' file. +# +# The numbers you pick should be between 3000 and 4000. +# These attributes will NOT go into a RADIUS packet. +# +# If you want that, you will need to use VSAs. This means +# requesting allocation of a Private Enterprise Code from +# http://iana.org. We STRONGLY suggest doing that only if +# you are a vendor of RADIUS equipment. +# +# See RFC 6158 for more details. +# http://ietf.org/rfc/rfc6158.txt +# + +# +# These attributes are examples +# +#ATTRIBUTE My-Local-String 3000 string +#ATTRIBUTE My-Local-IPAddr 3001 ipaddr +#ATTRIBUTE My-Local-Integer 3002 integer diff --git a/ops/nixos/bvm-radius/raddb/hints b/ops/nixos/bvm-radius/raddb/hints new file mode 120000 index 0000000000..d700878c4f --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/hints @@ -0,0 +1 @@ +./mods-config/preprocess/hints \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/huntgroups b/ops/nixos/bvm-radius/raddb/huntgroups new file mode 120000 index 0000000000..40da471e1d --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/huntgroups @@ -0,0 +1 @@ +./mods-config/preprocess/huntgroups \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/mods-available/README.rst b/ops/nixos/bvm-radius/raddb/mods-available/README.rst new file mode 100644 index 0000000000..79ed5c3fdc --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/README.rst @@ -0,0 +1,116 @@ +Modules in Version 3 +==================== + +As of Version 3, all of the modules have been placed in the +"mods-available/" directory. This practice follows that used by other +servers such as Nginx, Apache, etc. The "modules" directory should +not be used. + +Modules are enabled by creating a file in the mods-enabled/ directory. +You can also create a soft-link from one directory to another:: + + $ cd raddb/mods-enabled + $ ln -s ../mods-available/foo + +This will enable module "foo". Be sure that you have configured the +module correctly before enabling it, otherwise the server will not +start. You can verify the server configuration by running +"radiusd -XC". + +A large number of modules are enabled by default. This allows the +server to work with the largest number of authentication protocols. +Please be careful when disabling modules. You will likely need to +edit the "sites-enabled/" files to remove references to any disabled +modules. + +Conditional Modules +------------------- + +Version 3 allows modules to be conditionally loaded. This is useful +when you want to have a virtual server which references a module, but +does not require it. Instead of editing the virtual server file, you +can just conditionally enable the module. + +Modules are conditionally enabled by adding a "-" before their name in +a virtual server. For example, you can do:: + + server { + authorize { + ... + ldap + -sql + ... + } + } + +This says "require the LDAP module, but use the SQL module only if it +is configured." + +This feature is not very useful for production configurations. It is, +however, very useful for the default examples that ship with the +server. + +Ignoring module +--------------- + +If you see this message:: + + Ignoring module (see raddb/mods-available/README.rst) + +Then you are in the right place. Most of the time this message can be +ignored. The message can be fixed by finding the references to "-module" +in the virtual server, and deleting them. + +Another way to fix it is to configure the module, as described above. + +Simplification +-------------- + +Allowing conditional modules simplifies the default virtual servers +that are shipped with FreeRADIUS. This means that if you want to +enable LDAP (for example), you no longer need to edit the files in +raddb/sites-available/ in order to enable it. + +Instead, you should edit the raddb/mods-available/ldap file to point +to your local LDAP server. Then, enable the module via the soft-link +method described above. + +Once the module is enabled, it will automatically be used in the +default configuration. + +Multiple Instances +------------------ + +It is sometimes necessary to have the same module do two different +things. The server supports this functionality via "instances" of +modules. + +Normally, a module configuration looks like this: + + sql { + ... sql stuff ... + } + +This module is then refereed to as the "sql" module. + + +But what happens if you want to connect to two different SQL +databases? The solution is simple; copy the "sql" module +configuration, and add an instance name after the "sql" string: + + sql mysql1 { + ... configuration for connecting to mysql11 ... + } + + sql mysql2 { + ... configuration for connecting to mysql12 ... + } + +This configuration says "load the SQL module, but create two copies of +it, with different configurations". The different configurations can +be referred to by name, as "mysql1" and "mysql2". That is, anywhere +you would normally use "sql", you could use either "mysql1" or +"mysql2". + +For further examples of using module instances, see the "attr_filter" +module configuration in this directory. diff --git a/ops/nixos/bvm-radius/raddb/mods-available/always b/ops/nixos/bvm-radius/raddb/mods-available/always new file mode 100644 index 0000000000..bba5b79c0b --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/always @@ -0,0 +1,61 @@ +# -*- text -*- +# +# $Id: de3f13089d8951f4c822ebc4007df58e0487de14 $ + +# +# The "always" module is here for debugging purposes, or +# for use in complex policies. +# Instance simply returns the same result, always, without +# doing anything. +# +# rcode may be one of the following values: +# - reject - Reject the user. +# - fail - Simulate or indicate a failure. +# - ok - Simulate or indicate a success. +# - handled - Indicate that the request has been handled, +# stop processing, and send response if set. +# - invalid - Indicate that the request is invalid. +# - userlock - Indicate that the user account has been +# locked out. +# - notfound - Indicate that a user account can't be found. +# - noop - Simulate a no-op. +# - updated - Indicate that the request has been updated. +# +# If an instance is listed in a session {} section, +# this simulates a user having sessions. +# +# simulcount = +# +# If an instance is listed in a session {} section, +# this simulates the user having multilink +# sessions. +# +# mpp = +# +always reject { + rcode = reject +} +always fail { + rcode = fail +} +always ok { + rcode = ok +} +always handled { + rcode = handled +} +always invalid { + rcode = invalid +} +always userlock { + rcode = userlock +} +always notfound { + rcode = notfound +} +always noop { + rcode = noop +} +always updated { + rcode = updated +} diff --git a/ops/nixos/bvm-radius/raddb/mods-available/attr_filter b/ops/nixos/bvm-radius/raddb/mods-available/attr_filter new file mode 100644 index 0000000000..360e23049f --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/attr_filter @@ -0,0 +1,50 @@ +# -*- text -*- +# +# $Id: 1caff077b2429c948a04777fcd619be901ac83dc $ + +# +# This file defines a number of instances of the "attr_filter" module. +# + +# attr_filter - filters the attributes received in replies from +# proxied servers, to make sure we send back to our RADIUS client +# only allowed attributes. +attr_filter attr_filter.post-proxy { + key = "%{Realm}" + filename = ${modconfdir}/${.:name}/post-proxy +} + +# attr_filter - filters the attributes in the packets we send to +# the RADIUS home servers. +attr_filter attr_filter.pre-proxy { + key = "%{Realm}" + filename = ${modconfdir}/${.:name}/pre-proxy +} + +# Enforce RFC requirements on the contents of Access-Reject +# packets. See the comments at the top of the file for +# more details. +# +attr_filter attr_filter.access_reject { + key = "%{User-Name}" + filename = ${modconfdir}/${.:name}/access_reject +} + +# Enforce RFC requirements on the contents of Access-Challenge +# packets. See the comments at the top of the file for +# more details. +# +attr_filter attr_filter.access_challenge { + key = "%{User-Name}" + filename = ${modconfdir}/${.:name}/access_challenge +} + + +# Enforce RFC requirements on the contents of the +# Accounting-Response packets. See the comments at the +# top of the file for more details. +# +attr_filter attr_filter.accounting_response { + key = "%{User-Name}" + filename = ${modconfdir}/${.:name}/accounting_response +} diff --git a/ops/nixos/bvm-radius/raddb/mods-available/cache_eap b/ops/nixos/bvm-radius/raddb/mods-available/cache_eap new file mode 100644 index 0000000000..376fc5b520 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/cache_eap @@ -0,0 +1,13 @@ +# +# Cache EAP responses for resiliency on intermediary proxy fail-over +# +cache cache_eap { + key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" + + ttl = 15 + + update reply { + reply: += &reply: + &control:State := &request:State + } +} diff --git a/ops/nixos/bvm-radius/raddb/mods-available/chap b/ops/nixos/bvm-radius/raddb/mods-available/chap new file mode 100644 index 0000000000..97d965b7f8 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/chap @@ -0,0 +1,11 @@ +# -*- text -*- +# +# $Id: e2a3cd3b110ffffdbcff86c7fc65a9275ddc3379 $ + +# CHAP module +# +# To authenticate requests containing a CHAP-Password attribute. +# +chap { + # no configuration +} diff --git a/ops/nixos/bvm-radius/raddb/mods-available/date b/ops/nixos/bvm-radius/raddb/mods-available/date new file mode 100644 index 0000000000..25a64da17d --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/date @@ -0,0 +1,35 @@ +# +# Registers xlat to convert between time formats. +# +# xlat input string is an attribute name. If this attribute is of date +# or integer type, the date xlat will convert it to a time string in +# the format of the format config item. +# +# If the attribute is a string type, date will attempt to parse it in +# the format specified by the format config item, and will expand +# to a Unix timestamp. +# +date { + format = "%b %e %Y %H:%M:%S %Z" + + # Use UTC instead of local time. + # + # default = no +# utc = yes +} + +# +# The WISPr-Session-Terminate-Time attribute is of type "string", +# and not "date". Use this expansion to create an attribute +# that holds an actual date: +# +# Tmp-Date-0 := "%{wispr2date:&reply:WISPr-Session-Terminate-Time}" +# +date wispr2date { + format = "%Y-%m-%dT%H:%M:%S" + + # Use UTC instead of local time. + # + # default = no +# utc = yes +} diff --git a/ops/nixos/bvm-radius/raddb/mods-available/detail b/ops/nixos/bvm-radius/raddb/mods-available/detail new file mode 100644 index 0000000000..5ca5cefbfc --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/detail @@ -0,0 +1,100 @@ +# -*- text -*- +# +# $Id: e91e12d0b4de8f3cb084c179b321924d0248cfbb $ + +# Write a detailed log of all accounting records received. +# +detail { + # Note that we do NOT use NAS-IP-Address here, as + # that attribute MAY BE from the originating NAS, and + # NOT from the proxy which actually sent us the + # request. + # + # The following line creates a new detail file for + # every radius client (by IP address or hostname). + # In addition, a new detail file is created every + # day, so that the detail file doesn't have to go + # through a 'log rotation' + # + # If your detail files are large, you may also want to add + # a ':%H' (see doc/configuration/variables.rst) to the end + # of it, to create a new detail file every hour, e.g.: + # + # ..../detail-%Y%m%d:%H + # + # This will create a new detail file for every hour. + # + # If you are reading detail files via the "listen" section + # (e.g. as in raddb/sites-available/robust-proxy-accounting), + # you MUST use a unique directory for each combination of a + # detail file writer, and reader. That is, there can only + # be ONE "listen" section reading detail files from a + # particular directory. + # + filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d + + # + # If you are using radrelay, delete the above line for "file", + # and use this one instead: + # +# filename = ${radacctdir}/detail + + # + # Most file systems can handly nearly the full range of UTF-8 + # characters. Ones that can deal with a limited range should + # set this to "yes". + # + escape_filenames = no + + # + # The Unix-style permissions on the 'detail' file. + # + # The detail file often contains secret or private + # information about users. So by keeping the file + # permissions restrictive, we can prevent unwanted + # people from seeing that information. + permissions = 0600 + + # The Unix group of the log file. + # + # The user that the server runs as must be in the specified + # system group otherwise this will fail to work. + # +# group = ${security.group} + + # + # Every entry in the detail file has a header which + # is a timestamp. By default, we use the ctime + # format (see "man ctime" for details). + # + # The header can be customised by editing this + # string. See "doc/configuration/variables.rst" for a + # description of what can be put here. + # + header = "%t" + + # + # Uncomment this line if the detail file reader will be + # reading this detail file. + # +# locking = yes + + # + # Log the Packet src/dst IP/port. This is disabled by + # default, as that information isn't used by many people. + # +# log_packet_header = yes + + # + # Certain attributes such as User-Password may be + # "sensitive", so they should not be printed in the + # detail file. This section lists the attributes + # that should be suppressed. + # + # The attributes should be listed one to a line. + # + #suppress { + # User-Password + #} + +} diff --git a/ops/nixos/bvm-radius/raddb/mods-available/detail.log b/ops/nixos/bvm-radius/raddb/mods-available/detail.log new file mode 100644 index 0000000000..f99566d3c6 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/detail.log @@ -0,0 +1,75 @@ +# -*- text -*- +# +# $Id: b91cf7cb24744ee96e390aa4d7bd5f3ad4c0c0ee $ + +# +# More examples of doing detail logs. + +# +# Many people want to log authentication requests. +# Rather than modifying the server core to print out more +# messages, we can use a different instance of the 'detail' +# module, to log the authentication requests to a file. +# +# You will also need to un-comment the 'auth_log' line +# in the 'authorize' section, below. +# +detail auth_log { + filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d + + # + # This MUST be 0600, otherwise anyone can read + # the users passwords! + permissions = 0600 + + # You may also strip out passwords completely + suppress { + User-Password + } +} + +# +# This module logs authentication reply packets sent +# to a NAS. Both Access-Accept and Access-Reject packets +# are logged. +# +# You will also need to un-comment the 'reply_log' line +# in the 'post-auth' section, below. +# +detail reply_log { + filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d + + permissions = 0600 +} + +# +# This module logs packets proxied to a home server. +# +# You will also need to un-comment the 'pre_proxy_log' line +# in the 'pre-proxy' section, below. +# +detail pre_proxy_log { + filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d + + # + # This MUST be 0600, otherwise anyone can read + # the users passwords! + permissions = 0600 + + # You may also strip out passwords completely + #suppress { + # User-Password + #} +} + +# +# This module logs response packets from a home server. +# +# You will also need to un-comment the 'post_proxy_log' line +# in the 'post-proxy' section, below. +# +detail post_proxy_log { + filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d + + permissions = 0600 +} diff --git a/ops/nixos/bvm-radius/raddb/mods-available/digest b/ops/nixos/bvm-radius/raddb/mods-available/digest new file mode 100644 index 0000000000..af52017cc8 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/digest @@ -0,0 +1,13 @@ +# -*- text -*- +# +# $Id: f0aa9edf9da33d63fe03e7d1ed3cbca848eec54d $ + +# +# The 'digest' module currently has no configuration. +# +# "Digest" authentication against a Cisco SIP server. +# See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details +# on performing digest authentication for Cisco SIP servers. +# +digest { +} diff --git a/ops/nixos/bvm-radius/raddb/mods-available/dynamic_clients b/ops/nixos/bvm-radius/raddb/mods-available/dynamic_clients new file mode 100644 index 0000000000..c5c9c8a206 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/dynamic_clients @@ -0,0 +1,32 @@ +# -*- text -*- +# +# $Id: cc2bd5fd22aa473b98af5dde3fac7a66e39a9e9d $ + +# This module loads RADIUS clients as needed, rather than when the server +# starts. +# +# There are no configuration entries for this module. Instead, it +# relies on the "client" configuration. You must: +# +# 1) link raddb/sites-enabled/dynamic_clients to +# raddb/sites-available/dynamic_clients +# +# 2) Define a client network/mask (see top of the above file) +# +# 3) uncomment the "directory" entry in that client definition +# +# 4) list "dynamic_clients" in the "authorize" section of the +# "dynamic_clients' virtual server. The default example already +# does this. +# +# 5) put files into the above directory, one per IP. +# e.g. file "192.0.2.1" should contain a normal client definition +# for a client with IP address 192.0.2.1. +# +# For more documentation, see the file: +# +# raddb/sites-available/dynamic-clients +# +dynamic_clients { + +} diff --git a/ops/nixos/bvm-radius/raddb/mods-available/eap-custom b/ops/nixos/bvm-radius/raddb/mods-available/eap-custom new file mode 100644 index 0000000000..6d39325057 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/eap-custom @@ -0,0 +1,791 @@ +# -*- text -*- +## +## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.) +## +## $Id: a89a783663588017b12bcc076362e728261ba8f2 $ + +####################################################################### +# +# Whatever you do, do NOT set 'Auth-Type := EAP'. The server +# is smart enough to figure this out on its own. The most +# common side effect of setting 'Auth-Type := EAP' is that the +# users then cannot use ANY other authentication method. +# +eap { + # Invoke the default supported EAP type when + # EAP-Identity response is received. + # + # The incoming EAP messages DO NOT specify which EAP + # type they will be using, so it MUST be set here. + # + # For now, only one default EAP type may be used at a time. + # + # If the EAP-Type attribute is set by another module, + # then that EAP type takes precedence over the + # default type configured here. + # + default_eap_type = ttls + + # A list is maintained to correlate EAP-Response + # packets with EAP-Request packets. After a + # configurable length of time, entries in the list + # expire, and are deleted. + # + timer_expire = 60 + + # There are many EAP types, but the server has support + # for only a limited subset. If the server receives + # a request for an EAP type it does not support, then + # it normally rejects the request. By setting this + # configuration to "yes", you can tell the server to + # instead keep processing the request. Another module + # MUST then be configured to proxy the request to + # another RADIUS server which supports that EAP type. + # + # If another module is NOT configured to handle the + # request, then the request will still end up being + # rejected. + # + ignore_unknown_eap_types = no + + # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given + # a User-Name attribute in an Access-Accept, it copies one + # more byte than it should. + # + # We can work around it by configurably adding an extra + # zero byte. + # + cisco_accounting_username_bug = no + + # Help prevent DoS attacks by limiting the number of + # sessions that the server is tracking. For simplicity, + # this is taken from the "max_requests" directive in + # radiusd.conf. + # + max_sessions = ${max_requests} + + + ############################################################ + # + # Supported EAP-types + # + + + # EAP-MD5 + # + # We do NOT recommend using EAP-MD5 authentication + # for wireless connections. It is insecure, and does + # not provide for dynamic WEP keys. + # + md5 { + } + + # Common TLS configuration for TLS-based EAP types + # ------------------------------------------------ + # + # See raddb/certs/README for additional comments + # on certificates. + # + # If OpenSSL was not found at the time the server was + # built, the "tls", "ttls", and "peap" sections will + # be ignored. + # + # If you do not currently have certificates signed by + # a trusted CA you may use the 'snakeoil' certificates. + # Included with the server in raddb/certs. + # + # If these certificates have not been auto-generated: + # cd raddb/certs + # make + # + # These test certificates SHOULD NOT be used in a normal + # deployment. They are created only to make it easier + # to install the server, and to perform some simple + # tests with EAP-TLS, TTLS, or PEAP. + # + # Note that you should NOT use a globally known CA here! + # e.g. using a Verisign cert as a "known CA" means that + # ANYONE who has a certificate signed by them can + # authenticate via EAP-TLS! This is likely not what you want. + # + tls-config tls-common { + #private_key_password = whatever + private_key_file = /var/lib/acme/as205479.net/key.pem + + # If Private key & Certificate are located in + # the same file, then private_key_file & + # certificate_file must contain the same file + # name. + # + # If ca_file (below) is not used, then the + # certificate_file below SHOULD also include all of + # the intermediate CA certificates used to sign the + # server certificate, but NOT the root CA. + # + # Including the ROOT CA certificate is not useful and + # merely inflates the exchanged data volume during + # the TLS negotiation. + # + # This file should contain the server certificate, + # followed by intermediate certificates, in order. + # i.e. If we have a server certificate signed by CA1, + # which is signed by CA2, which is signed by a root + # CA, then the "certificate_file" should contain + # server.pem, followed by CA1.pem, followed by + # CA2.pem. + # + # When using "ca_file" or "ca_dir", the + # "certificate_file" should contain only + # "server.pem". And then you may (or may not) need + # to set "auto_chain", depending on your version of + # OpenSSL. + # + # In short, SSL / TLS certificates are complex. + # There are many versions of software, each of which + # behave slightly differently. It is impossible to + # give advice which will work everywhere. Instead, + # we give general guidelines. + # + certificate_file = /var/lib/acme/as205479.net/cert.pem + + # Trusted Root CA list + # + # This file can contain multiple CA certificates. + # ALL of the CA's in this list will be trusted to + # issue client certificates for authentication. + # + # In general, you should use self-signed + # certificates for 802.1x (EAP) authentication. + # In that case, this CA file should contain + # *one* CA certificate. + # + #ca_file = ${cadir}/ca.pem + + # OpenSSL will automatically create certificate chains, + # unless we tell it to not do that. The problem is that + # it sometimes gets the chains right from a certificate + # signature view, but wrong from the clients view. + # + # When setting "auto_chain = no", the server certificate + # file MUST include the full certificate chain. + # + # auto_chain = yes + + # If OpenSSL supports TLS-PSK, then we can use a + # fixed PSK identity and (hex) password. As of + # 3.0.18, these can be used at the same time as the + # certificate configuration, but only for TLS 1.0 + # through 1.2. + # + # If PSK and certificates are configured at the same + # time for TLS 1.3, then the server will warn you, + # and will disable TLS 1.3, as it will not work. + # + # The work around is to have two modules (or for + # RadSec, two listen sections). One will have PSK + # configured, and the other will have certificates + # configured. + # + # psk_identity = "test" + # psk_hexphrase = "036363823" + + # Dynamic queries for the PSK. If TLS-PSK is used, + # and psk_query is set, then you MUST NOT use + # psk_identity or psk_hexphrase. + # + # Instead, use a dynamic expansion similar to the one + # below. It keys off of TLS-PSK-Identity. It should + # return a of string no more than 512 hex characters. + # That string will be converted to binary, and will + # be used as the dynamic PSK hexphrase. + # + # Note that this query is just an example. You will + # need to customize it for your installation. + # + # psk_query = "%{sql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}" + + # For DH cipher suites to work, you have to + # run OpenSSL to create the DH file first: + # + # openssl dhparam -out certs/dh 2048 + # + dh_file = /var/lib/freeradius/dh + + # If your system doesn't have /dev/urandom, + # you will need to create this file, and + # periodically change its contents. + # + # For security reasons, FreeRADIUS doesn't + # write to files in its configuration + # directory. + # + # random_file = /dev/urandom + + # This can never exceed the size of a RADIUS + # packet (4096 bytes), and is preferably half + # that, to accommodate other attributes in + # RADIUS packet. On most APs the MAX packet + # length is configured between 1500 - 1600 + # In these cases, fragment size should be + # 1024 or less. + # + # fragment_size = 1024 + + # include_length is a flag which is + # by default set to yes If set to + # yes, Total Length of the message is + # included in EVERY packet we send. + # If set to no, Total Length of the + # message is included ONLY in the + # First packet of a fragment series. + # + # include_length = yes + + + # Check the Certificate Revocation List + # + # 1) Copy CA certificates and CRLs to same directory. + # 2) Execute 'c_rehash '. + # 'c_rehash' is OpenSSL's command. + # 3) uncomment the lines below. + # 5) Restart radiusd + # check_crl = yes + + # Check if intermediate CAs have been revoked. + # check_all_crl = yes + + #ca_path = ${cadir} + + # Accept an expired Certificate Revocation List + # + # allow_expired_crl = no + + # If check_cert_issuer is set, the value will + # be checked against the DN of the issuer in + # the client certificate. If the values do not + # match, the certificate verification will fail, + # rejecting the user. + # + # This check can be done more generally by checking + # the value of the TLS-Client-Cert-Issuer attribute. + # This check can be done via any mechanism you + # choose. + # + # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" + + # If check_cert_cn is set, the value will + # be xlat'ed and checked against the CN + # in the client certificate. If the values + # do not match, the certificate verification + # will fail rejecting the user. + # + # This check is done only if the previous + # "check_cert_issuer" is not set, or if + # the check succeeds. + # + # In 2.1.10 and later, this check can be done + # more generally by checking the value of the + # TLS-Client-Cert-Common-Name attribute. This check + # can be done via any mechanism you choose. + # + # check_cert_cn = %{User-Name} + + # Set this option to specify the allowed + # TLS cipher suites. The format is listed + # in "man 1 ciphers". + # + # For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2" + # + cipher_list = "DEFAULT" + + # If enabled, OpenSSL will use server cipher list + # (possibly defined by cipher_list option above) + # for choosing right cipher suite rather than + # using client-specified list which is OpenSSl default + # behavior. Setting this to "yes" means that OpenSSL + # will choose the servers ciphers, even if they do not + # best match what the client sends. + # + # TLS negotiation is usually good, but can be imperfect. + # This setting allows administrators to "fine tune" it + # if necessary. + # + cipher_server_preference = no + + # You can selectively disable TLS versions for + # compatability with old client devices. + # + # If your system has OpenSSL 1.1.0 or greater, do NOT + # use these. Instead, set tls_min_version and + # tls_max_version. + # + # disable_tlsv1_2 = no + disable_tlsv1_1 = yes + disable_tlsv1 = yes + + # Set min / max TLS version. Mainly for Debian + # "trusty", which disables older versions of TLS, and + # requires the application to manually enable them. + # + # If you are running Debian trusty, you should set + # these options, otherwise older clients will not be + # able to connect. + # + # Allowed values are "1.0", "1.1", "1.2", and "1.3". + # + # Note that the server WILL NOT permit negotiation of + # TLS 1.3. The EAP-TLS standards for TLS 1.3 are NOT + # finished. It is therefore impossible for the server + # to negotiate EAP-TLS correctly with TLS 1.3. + # + # The values must be in quotes. + # + tls_min_version = "1.2" + tls_max_version = "1.2" + + # Elliptical cryptography configuration + # + # Only for OpenSSL >= 0.9.8.f + # + ecdh_curve = "prime256v1" + + # Session resumption / fast reauthentication + # cache. + # + # The cache contains the following information: + # + # session Id - unique identifier, managed by SSL + # User-Name - from the Access-Accept + # Stripped-User-Name - from the Access-Request + # Cached-Session-Policy - from the Access-Accept + # + # See also the "store" subsection below for + # additional attributes which can be cached. + # + # The "Cached-Session-Policy" is the name of a + # policy which should be applied to the cached + # session. This policy can be used to assign + # VLANs, IP addresses, etc. It serves as a useful + # way to re-apply the policy from the original + # Access-Accept to the subsequent Access-Accept + # for the cached session. + # + # On session resumption, these attributes are + # copied from the cache, and placed into the + # reply list. + # + # You probably also want "use_tunneled_reply = yes" + # when using fast session resumption. + # + # You can check if a session has been resumed by + # looking for the existence of the EAP-Session-Resumed + # attribute. Note that this attribute will *only* + # exist in the "post-auth" section. + # + # CAVEATS: The cache is stored and reloaded BEFORE + # the "post-auth" section is run. This limitation + # makes caching more difficult than it should be. In + # practice, it means that the first authentication + # session must set the reply attributes before the + # post-auth section is run. + # + # When the session is resumed, the attributes are + # restored and placed into the session-state list. + # + cache { + # Enable it. The default is "no". Deleting the entire "cache" + # subsection also disables caching. + # + # As of version 3.0.14, the session cache requires the use + # of the "name" and "persist_dir" configuration items, below. + # + # The internal OpenSSL session cache has been permanently + # disabled. + # + # You can disallow resumption for a particular user by adding the + # following attribute to the control item list: + # + # Allow-Session-Resumption = No + # + # If "enable = no" below, you CANNOT enable resumption for just one + # user by setting the above attribute to "yes". + # + enable = no + + # Lifetime of the cached entries, in hours. The sessions will be + # deleted/invalidated after this time. + # + lifetime = 24 # hours + + # Internal "name" of the session cache. Used to + # distinguish which TLS context sessions belong to. + # + # The server will generate a random value if unset. + # This will change across server restart so you MUST + # set the "name" if you want to persist sessions (see + # below). + # + # name = "EAP module" + + # Simple directory-based storage of sessions. + # Two files per session will be written, the SSL + # state and the cached VPs. This will persist session + # across server restarts. + # + # The default directory is ${logdir}, for historical + # reasons. You should ${db_dir} instead. And check + # the value of db_dir in the main radiusd.conf file. + # It should not point to ${raddb} + # + # The server will need write perms, and the directory + # should be secured from anyone else. You might want + # a script to remove old files from here periodically: + # + # find ${logdir}/tlscache -mtime +2 -exec rm -f {} \; + # + # This feature REQUIRES "name" option be set above. + # + # persist_dir = "${logdir}/tlscache" + + # + # As of 3.0.20, it is possible to partially + # control which attributes exist in the + # session cache. This subsection lists + # attributes which are taken from the reply, + # and saved to the on-disk cache. When the + # session is resumed, these attributes are + # added to the "session-state" list. The + # default configuration will then take care + # of copying them to the reply. + # + store { + Tunnel-Private-Group-Id + } + } + } + + + # EAP-TLS + # + # As of Version 3.0, the TLS configuration for TLS-based + # EAP types is above in the "tls-config" section. + # + #tls { + # # Point to the common TLS configuration + # # + # #tls = tls-common + + # # As part of checking a client certificate, the EAP-TLS + # # sets some attributes such as TLS-Client-Cert-Common-Name. This + # # virtual server has access to these attributes, and can + # # be used to accept or reject the request. + # # + ## virtual_server = check-eap-tls + #} + + + # EAP-TTLS -- Tunneled TLS + # + # The TTLS module implements the EAP-TTLS protocol, + # which can be described as EAP inside of Diameter, + # inside of TLS, inside of EAP, inside of RADIUS... + # + # Surprisingly, it works quite well. + # + ttls { + # Which tls-config section the TLS negotiation parameters + # are in - see EAP-TLS above for an explanation. + # + # In the case that an old configuration from FreeRADIUS + # v2.x is being used, all the options of the tls-config + # section may also appear instead in the 'tls' section + # above. If that is done, the tls= option here (and in + # tls above) MUST be commented out. + # + tls = tls-common + + # The tunneled EAP session needs a default EAP type + # which is separate from the one for the non-tunneled + # EAP module. Inside of the TTLS tunnel, we recommend + # using EAP-MD5. If the request does not contain an + # EAP conversation, then this configuration entry is + # ignored. + # + default_eap_type = md5 + + # The tunneled authentication request does not usually + # contain useful attributes like 'Calling-Station-Id', + # etc. These attributes are outside of the tunnel, + # and normally unavailable to the tunneled + # authentication request. + # + # By setting this configuration entry to 'yes', + # any attribute which is NOT in the tunneled + # authentication request, but which IS available + # outside of the tunnel, is copied to the tunneled + # request. + # + # allowed values: {no, yes} + # + copy_request_to_tunnel = no + + # As of version 3.0.5, this configuration item + # is deprecated. Instead, you should use + # + # update outer.session-state { + # ... + # } + # + # This will cache attributes for the final Access-Accept. + # + # The reply attributes sent to the NAS are usually + # based on the name of the user 'outside' of the + # tunnel (usually 'anonymous'). If you want to send + # the reply attributes based on the user name inside + # of the tunnel, then set this configuration entry to + # 'yes', and the reply to the NAS will be taken from + # the reply to the tunneled request. + # + # allowed values: {no, yes} + # + use_tunneled_reply = no + + # The inner tunneled request can be sent + # through a virtual server constructed + # specifically for this purpose. + # + # A virtual server MUST be specified. + # + virtual_server = "inner-tunnel" + + # This has the same meaning, and overwrites, the + # same field in the "tls" configuration, above. + # The default value here is "yes". + # + # include_length = yes + + # Unlike EAP-TLS, EAP-TTLS does not require a client + # certificate. However, you can require one by setting the + # following option. You can also override this option by + # setting + # + # EAP-TLS-Require-Client-Cert = Yes + # + # in the control items for a request. + # + # Note that the majority of supplicants do not support using a + # client certificate with EAP-TTLS, so this option is unlikely + # to be usable for most people. + # + # require_client_cert = yes + } + + + # EAP-PEAP + # + + ################################################## + # + # !!!!! WARNINGS for Windows compatibility !!!!! + # + ################################################## + # + # If you see the server send an Access-Challenge, + # and the client never sends another Access-Request, + # then + # + # STOP! + # + # The server certificate has to have special OID's + # in it, or else the Microsoft clients will silently + # fail. See the "scripts/xpextensions" file for + # details, and the following page: + # + # https://support.microsoft.com/en-us/help/814394/ + # + # If is still doesn't work, and you're using Samba, + # you may be encountering a Samba bug. See: + # + # https://bugzilla.samba.org/show_bug.cgi?id=6563 + # + # Note that we do not necessarily agree with their + # explanation... but the fix does appear to work. + # + ################################################## + + # The tunneled EAP session needs a default EAP type + # which is separate from the one for the non-tunneled + # EAP module. Inside of the TLS/PEAP tunnel, we + # recommend using EAP-MS-CHAPv2. + # + peap { + # Which tls-config section the TLS negotiation parameters + # are in - see EAP-TLS above for an explanation. + # + # In the case that an old configuration from FreeRADIUS + # v2.x is being used, all the options of the tls-config + # section may also appear instead in the 'tls' section + # above. If that is done, the tls= option here (and in + # tls above) MUST be commented out. + # + tls = tls-common + + # The tunneled EAP session needs a default + # EAP type which is separate from the one for + # the non-tunneled EAP module. Inside of the + # PEAP tunnel, we recommend using MS-CHAPv2, + # as that is the default type supported by + # Windows clients. + # + default_eap_type = mschapv2 + + # The PEAP module also has these configuration + # items, which are the same as for TTLS. + # + copy_request_to_tunnel = no + + # As of version 3.0.5, this configuration item + # is deprecated. Instead, you should use + # + # update outer.session-state { + # ... + # } + # + # This will cache attributes for the final Access-Accept. + # + use_tunneled_reply = no + + # When the tunneled session is proxied, the + # home server may not understand EAP-MSCHAP-V2. + # Set this entry to "no" to proxy the tunneled + # EAP-MSCHAP-V2 as normal MSCHAPv2. + # + # proxy_tunneled_request_as_eap = yes + + # The inner tunneled request can be sent + # through a virtual server constructed + # specifically for this purpose. + # + # A virtual server MUST be specified. + # + virtual_server = "inner-tunnel" + + # This option enables support for MS-SoH + # see doc/SoH.txt for more info. + # It is disabled by default. + # + # soh = yes + + # The SoH reply will be turned into a request which + # can be sent to a specific virtual server: + # + # soh_virtual_server = "soh-server" + + # Unlike EAP-TLS, PEAP does not require a client certificate. + # However, you can require one by setting the following + # option. You can also override this option by setting + # + # EAP-TLS-Require-Client-Cert = Yes + # + # in the control items for a request. + # + # Note that the majority of supplicants do not support using a + # client certificate with PEAP, so this option is unlikely to + # be usable for most people. + # + # require_client_cert = yes + } + + + # EAP-MSCHAPv2 + # + # Note that it is the EAP MS-CHAPv2 sub-module, not + # the main 'mschap' module. + # + # Note also that in order for this sub-module to work, + # the main 'mschap' module MUST ALSO be configured. + # + # This module is the *Microsoft* implementation of MS-CHAPv2 + # in EAP. There is another (incompatible) implementation + # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not + # currently support. + # + mschapv2 { + # Prior to version 2.1.11, the module never + # sent the MS-CHAP-Error message to the + # client. This worked, but it had issues + # when the cached password was wrong. The + # server *should* send "E=691 R=0" to the + # client, which tells it to prompt the user + # for a new password. + # + # The default is to behave as in 2.1.10 and + # earlier, which is known to work. If you + # set "send_error = yes", then the error + # message will be sent back to the client. + # This *may* help some clients work better, + # but *may* also cause other clients to stop + # working. + # + # send_error = no + + # Server identifier to send back in the challenge. + # This should generally be the host name of the + # RADIUS server. Or, some information to uniquely + # identify it. + # + # identity = "FreeRADIUS" + } + + + # EAP-FAST + # + # The FAST module implements the EAP-FAST protocol + # + #fast { + # Point to the common TLS configuration + # + # tls = tls-common + + # If 'cipher_list' is set here, it will over-ride the + # 'cipher_list' configuration from the 'tls-common' + # configuration. The EAP-FAST module has it's own + # over-ride for 'cipher_list' because the + # specifications mandata a different set of ciphers + # than are used by the other EAP methods. + # + # cipher_list though must include "ADH" for anonymous provisioning. + # This is not as straight forward as appending "ADH" alongside + # "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is + # recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used + # + # Note - for OpenSSL 1.1.0 and above you may need + # to add ":@SECLEVEL=0" + # + # cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2" + + # PAC lifetime in seconds (default: seven days) + # + # pac_lifetime = 604800 + + # Authority ID of the server + # + # If you are running a cluster of RADIUS servers, you should make + # the value chosen here (and for "pac_opaque_key") the same on all + # your RADIUS servers. This value should be unique to your + # installation. We suggest using a domain name. + # + # authority_identity = "1234" + + # PAC Opaque encryption key (must be exactly 32 bytes in size) + # + # This value MUST be secret, and MUST be generated using + # a secure method, such as via 'openssl rand -hex 32' + # + # pac_opaque_key = "0123456789abcdef0123456789ABCDEF" + + # Same as for TTLS, PEAP, etc. + # + # virtual_server = inner-tunnel + #} +} diff --git a/ops/nixos/bvm-radius/raddb/mods-available/echo b/ops/nixos/bvm-radius/raddb/mods-available/echo new file mode 100644 index 0000000000..c21a8ffafe --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/echo @@ -0,0 +1,123 @@ +# -*- text -*- +# +# $Id: ad3e15933f9e85c5566810432a5fec8f23d877c1 $ + +# +# This is a more general example of the execute module. +# +# This one is called "echo". +# +# Attribute-Name = `%{echo:/path/to/program args}` +# +# If you wish to execute an external program in more than +# one section (e.g. 'authorize', 'pre_proxy', etc), then it +# is probably best to define a different instance of the +# 'exec' module for every section. +# +# The return value of the program run determines the result +# of the exec instance call as follows: +# (See doc/configurable_failover for details) +# +# < 0 : fail the module failed +# = 0 : ok the module succeeded +# = 1 : reject the module rejected the user +# = 2 : fail the module failed +# = 3 : ok the module succeeded +# = 4 : handled the module has done everything to handle the request +# = 5 : invalid the user's configuration entry was invalid +# = 6 : userlock the user was locked out +# = 7 : notfound the user was not found +# = 8 : noop the module did nothing +# = 9 : updated the module updated information in the request +# > 9 : fail the module failed +# +exec echo { + # + # Wait for the program to finish. + # + # If we do NOT wait, then the program is "fire and + # forget", and any output attributes from it are ignored. + # + # If we are looking for the program to output + # attributes, and want to add those attributes to the + # request, then we MUST wait for the program to + # finish, and therefore set 'wait=yes' + # + # allowed values: {no, yes} + wait = yes + + # + # The name of the program to execute, and it's + # arguments. Dynamic translation is done on this + # field, so things like the following example will + # work. + # + program = "/bin/echo %{User-Name}" + + # + # The attributes which are placed into the + # environment variables for the program. + # + # Allowed values are: + # + # request attributes from the request + # config attributes from the configuration items list + # reply attributes from the reply + # proxy-request attributes from the proxy request + # proxy-reply attributes from the proxy reply + # + # Note that some attributes may not exist at some + # stages. e.g. There may be no proxy-reply + # attributes if this module is used in the + # 'authorize' section. + # + input_pairs = request + + # + # Where to place the output attributes (if any) from + # the executed program. The values allowed, and the + # restrictions as to availability, are the same as + # for the input_pairs. + # + output_pairs = reply + + # + # When to execute the program. If the packet + # type does NOT match what's listed here, then + # the module does NOT execute the program. + # + # For a list of allowed packet types, see + # the 'dictionary' file, and look for VALUEs + # of the Packet-Type attribute. + # + # By default, the module executes on ANY packet. + # Un-comment out the following line to tell the + # module to execute only if an Access-Accept is + # being sent to the NAS. + # + #packet_type = Access-Accept + + # + # Should we escape the environment variables? + # + # If this is set, all the RADIUS attributes + # are capitalised and dashes replaced with + # underscores. Also, RADIUS values are surrounded + # with double-quotes. + # + # That is to say: User-Name=BobUser => USER_NAME="BobUser" + shell_escape = yes + + # + # How long should we wait for the program to finish? + # + # Default is 10 seconds, which should be plenty for nearly + # anything. Range is 1 to 30 seconds. You are strongly + # encouraged to NOT increase this value. Decreasing can + # be used to cause authentication to fail sooner when you + # know it's going to fail anyway due to the time taken, + # thereby saving resources. + # + #timeout = 10 + +} diff --git a/ops/nixos/bvm-radius/raddb/mods-available/exec b/ops/nixos/bvm-radius/raddb/mods-available/exec new file mode 100644 index 0000000000..8f07a82ce9 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/exec @@ -0,0 +1,29 @@ +# -*- text -*- +# +# $Id: bb1d4374b741a7bfcdfc098fc57af650509ceae2 $ + +# +# Execute external programs +# +# This module is useful only for 'xlat'. To use it, +# put 'exec' into the 'instantiate' section. You can then +# do dynamic translation of attributes like: +# +# Attribute-Name = `%{exec:/path/to/program args}` +# +# The value of the attribute will be replaced with the output +# of the program which is executed. Due to RADIUS protocol +# limitations, any output over 253 bytes will be ignored. +# +# The RADIUS attributes from the user request will be placed +# into environment variables of the executed program, as +# described in "man unlang" and in doc/configuration/variables.rst +# +# See also "echo" for more sample configuration. +# +exec { + wait = no + input_pairs = request + shell_escape = yes + timeout = 10 +} diff --git a/ops/nixos/bvm-radius/raddb/mods-available/expiration b/ops/nixos/bvm-radius/raddb/mods-available/expiration new file mode 100644 index 0000000000..dfc0550a8b --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/expiration @@ -0,0 +1,13 @@ +# -*- text -*- +# +# $Id: 5d06454d0a8ccce7f50ddf7b01ba01c4ace6560a $ + +# +# The expiration module. This handles the Expiration attribute +# It should be included in the *end* of the authorize section +# in order to handle user Expiration. It should also be included +# in the instantiate section in order to register the Expiration +# compare function +# +expiration { +} diff --git a/ops/nixos/bvm-radius/raddb/mods-available/expr b/ops/nixos/bvm-radius/raddb/mods-available/expr new file mode 100644 index 0000000000..b0bfc73185 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/expr @@ -0,0 +1,146 @@ +# -*- text -*- +# +# $Id: 43dbea35e41698f8ced22c1cf4ad128b08dee7ca $ + +# +# This module performs mathematical calculations: +# +# Attribute-Name = "%{expr:2 + 3 + &NAS-Port}" +# +# It supports the following operators (in order of precedence) +# +# & binary AND +# | binary OR +# << left shift +# >> right shift +# + addition +# - subtraction +# * multiply +# / divide +# %% remainder +# ^ exponentiation +# (...) sub-expression +# +# Operator precedence follows the normal rules. +# Division by zero means that the entire expression is invalid. +# +# Note that in versions before 3.0.5, the expression +# was parsed strictly left to right, and ignored operator +# precedence. +# +# It also allows unary negation: -1 +# And twos complement: ~1 +# +# All calculations are done on signed 63-bit integers. +# e.g. int64_t. This should be sufficient for all normal +# purposes. +# +# Hex numbers are supported: 0xabcdef +# +# As with all string expansions, you can nest the expansions: +# +# %{expr: %{NAS-Port} + 1} +# %{expr: %{sql:SELECT ... } + 1} +# +# Attribute references are supported for integer attributes. +# e.g. &NAS-Port. The benefit of using attribute references +# is that the expression is calculated directly on the +# attribute. It skips the step of "print to string, and then +# parse to number". This means it's a little faster. +# +# Otherwise, all numbers are decimal. +# + +# +# The module also registers a few paircompare functions, and +# many string manipulation functions, including: +# +# rand get random number from 0 to n-1 +# "%{rand:10}" == "9" +# +# randstr get random string built from character classes: +# c lowercase letters +# C uppercase letters +# n numbers +# a alphanumeric +# ! punctuation +# . alphanumeric + punctuation +# s alphanumeric + "./" +# o characters suitable for OTP (easily confused removed) +# h binary data as lowercase hex +# H binary data as uppercase hex +# +# "%{randstr:CCCC!!cccnnn}" == "IPFL>{saf874" +# "%{randstr:oooooooo}" == "rfVzyA4y" +# "%{randstr:hhhh}" == "68d60de3" +# +# urlquote quote special characters in URI +# "%{urlquote:http://example.org/}" == "http%3A%47%47example.org%47" +# +# urlunquote unquote URL special characters +# "%{urlunquote:http%%3A%%47%%47example.org%%47}" == "http://example.org/" +# +# escape escape string similar to rlm_sql safe_characters +# "%{escape:foo.jpg}" == "=60img=62foo.jpg=60/img=62" +# +# unescape reverse of escape +# "%{unescape:=60img=62foo.jpg=60/img=62}" == "foo.jpg" +# +# tolower convert to lowercase +# "%{tolower:Bar}" == "bar" +# +# toupper convert to uppercase +# "%{toupper:Foo}" == "FOO" +# +# md5 get md5sum hash +# "%{md5:foo}" == "acbd18db4cc2f85cedef654fccc4a4d8" +# +# sha1 get sha1 hash +# "%{sha1:foo}" == "0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33" +# +# sha256 get sha256 hash +# "%{sha256:foo}" == "2c26b46b68ffc68ff99b453c1d30413413422d706..." +# +# sha512 get sha512 hash +# "%{sha512:foo}" == "f7fbba6e0636f890e56fbbf3283e524c6fa3204ae29838..." +# +# hmacmd5 generate HMAC-MD5 of string +# "%{hmacmd5:foo bar}" == "31b6db9e5eb4addb42f1a6ca07367adc" +# +# hmacsha1 generate HMAC-SHA1 of string +# "%{hmacsha1:foo bar}" == "85d155c55ed286a300bd1cf124de08d87e914f3a" +# +# crypt encrypt with a salt: %{crypt:salt:password} +# "%{crypt:aa:foo}" == "aaKNIEDOaueR6" +# "%{crypt:$1$abcdefgh:foo}" == "$1$abcdefgh$XxzGe9Muun7wTYbZO4sdr0" +# "%{crypt:$5$%{randstr:aaaaaaaaaaaaaaaa}:foo}" == "$1$fu4P2fcAdo9gM..." +# +# pairs serialize attributes as comma-delimited string +# "%{pairs:request:}" == "User-Name = 'foo', User-Password = 'bar', ..." +# +# base64 encode string as base64 +# "%{base64:foo}" == "Zm9v" +# +# base64tohex convert base64 to hex +# "%{base64tohex:Zm9v}" == "666f6f" +# +# explode split an attribute into multiple new attributes based on a delimiter +# "%{explode:&ref }" +# +# nexttime calculate number of seconds until next n hour(s), day(s), week(s), year(s) +# if it were 16:18, %{nexttime:1h} would expand to 2520 +# +# lpad left-pad a string +# if User-Name is "foo": "%{lpad:&User-Name 6 x}" == "xxxfoo" +# +# rpad right-pad a string +# if User-Name is "foo": "%{rpad:&User-Name 5 -}" == "foo--" +# + +expr { + # + # Characters that will not be encoded by the %{escape} + # xlat function. + # + safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" +} diff --git a/ops/nixos/bvm-radius/raddb/mods-available/files b/ops/nixos/bvm-radius/raddb/mods-available/files new file mode 100644 index 0000000000..bf968c5331 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/files @@ -0,0 +1,30 @@ +# -*- text -*- +# +# $Id: e3f3bf568d92eba8eb17bbad590f846f2d9e1ac8 $ + +# Livingston-style 'users' file +# +# See "man users" for more information. +# +files { + # Search for files in a subdirectory of mods-config which + # matches this instance of the files module. + moddir = ${modconfdir}/${.:instance} + + # The default key attribute to use for matches. The content + # of this attribute is used to match the "name" of the + # entry. + #key = "%{%{Stripped-User-Name}:-%{User-Name}}" + + # The old "users" style file is now located here. + filename = ${moddir}/authorize + + # This is accepted for backwards compatibility + # It will be removed in a future release. +# usersfile = ${moddir}/authorize + + # These are accepted for backwards compatibility. + # They will be renamed in a future release. + acctusersfile = ${moddir}/accounting + preproxy_usersfile = ${moddir}/pre-proxy +} diff --git a/ops/nixos/bvm-radius/raddb/mods-available/inner-eap-eduroam b/ops/nixos/bvm-radius/raddb/mods-available/inner-eap-eduroam new file mode 100644 index 0000000000..51b72f788e --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/inner-eap-eduroam @@ -0,0 +1,9 @@ +eap inner-eap { + default_eap_type = mschapv2 + timer_expire = 60 + max_sessions = ${max_requests} + + mschapv2 { + send_error = yes + } +} diff --git a/ops/nixos/bvm-radius/raddb/mods-available/linelog-eduroam b/ops/nixos/bvm-radius/raddb/mods-available/linelog-eduroam new file mode 100644 index 0000000000..b7241e51c6 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/linelog-eduroam @@ -0,0 +1,39 @@ +linelog linelog_recv_request { + filename = syslog + syslog_facility = local0 + syslog_severity = debug + format = "action = Recv-Request, %{pairs:request:}" +} + +linelog linelog_send_accept { + filename = syslog + syslog_facility = local0 + syslog_severity = debug + format = "action = Send-Accept, %{pairs:request:}" +} + +linelog linelog_send_reject { + filename = syslog + syslog_facility = local0 + syslog_severity = debug + format = "action = Send-Reject, %{pairs:request:}" +} + +linelog linelog_send_proxy_request { + filename = syslog + syslog_facility = local0 + syslog_severity = debug + format = "action = Send-Proxy-Request, %{pairs:proxy-request:}" +} + +linelog linelog_recv_proxy_response { + filename = syslog + syslog_facility = local0 + syslog_severity = debug + reference = "messages.%{proxy-reply:Response-Packet-Type}" + messages { + Access-Accept = "action = Recv-Proxy-Accept, User-Name = %{User-Name}, Calling-Station-Id = %{Calling-Station-Id}, %{pairs:proxy-reply:}" + Access-Reject = "action = Recv-Proxy-Reject, User-Name = %{User-Name}, Calling-Station-Id = %{Calling-Station-Id}, %{pairs:proxy-reply:}" + Access-Challenge = "action = Recv-Proxy-Challenge, User-Name = %{User-Name}, Calling-Station-ID = %{Calling-Station-Id}, %{pairs:proxy-reply:}" + } +} diff --git a/ops/nixos/bvm-radius/raddb/mods-available/logintime b/ops/nixos/bvm-radius/raddb/mods-available/logintime new file mode 100644 index 0000000000..d4f6f3ef64 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/logintime @@ -0,0 +1,23 @@ +# -*- text -*- +# +# $Id: 25344527759d22b49b5e990fd83f0e506442fa76 $ + +# The logintime module. This handles the Login-Time, +# Current-Time, and Time-Of-Day attributes. It should be +# included in the *end* of the authorize section in order to +# handle Login-Time checks. It should also be included in the +# instantiate section in order to register the Current-Time +# and Time-Of-Day comparison functions. +# +# When the Login-Time attribute is set to some value, and the +# user has been permitted to log in, a Session-Timeout is +# calculated based on the remaining time. See "doc/README". +# +logintime { + # The minimum timeout (in seconds) a user is allowed + # to have. If the calculated timeout is lower we don't + # allow the login. Some NAS do not handle values + # lower than 60 seconds well. + minimum_timeout = 60 +} + diff --git a/ops/nixos/bvm-radius/raddb/mods-available/mschap b/ops/nixos/bvm-radius/raddb/mods-available/mschap new file mode 100644 index 0000000000..3264f6eb2c --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/mschap @@ -0,0 +1,253 @@ +# -*- text -*- +# +# $Id: 2fbc9278e39516c4fc2e8119d2a5be35858f1e33 $ + +# +# Microsoft CHAP authentication +# +# This module supports MS-CHAP and MS-CHAPv2 authentication. +# It also enforces the SMB-Account-Ctrl attribute. +# +mschap { + # + # If you are using /etc/smbpasswd, see the 'passwd' + # module for an example of how to use /etc/smbpasswd + # + + # + # If use_mppe is not set to no mschap, will + # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and + # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2 + # +# use_mppe = no + + # + # If MPPE is enabled, require_encryption makes + # encryption moderate + # +# require_encryption = yes + + # + # require_strong always requires 128 bit key + # encryption + # +# require_strong = yes + + # + # This module can perform authentication itself, OR + # use a Windows Domain Controller. This configuration + # directive tells the module to call the ntlm_auth + # program, which will do the authentication, and return + # the NT-Key. Note that you MUST have "winbindd" and + # "nmbd" running on the local machine for ntlm_auth + # to work. See the ntlm_auth program documentation + # for details. + # + # If ntlm_auth is configured below, then the mschap + # module will call ntlm_auth for every MS-CHAP + # authentication request. If there is a cleartext + # or NT hashed password available, you can set + # "MS-CHAP-Use-NTLM-Auth := No" in the control items, + # and the mschap module will do the authentication itself, + # without calling ntlm_auth. + # + # Be VERY careful when editing the following line! + # + # You can also try setting the user name as: + # + # ... --username=%{mschap:User-Name} ... + # + # In that case, the mschap module will look at the User-Name + # attribute, and do prefix/suffix checks in order to obtain + # the "best" user name for the request. + # + # For Samba 4, you should also set the "ntlm auth" parameter + # in the Samba configuration: + # + # ntlm auth = yes + # + # or + # + # ntlm auth = mschapv2-and-ntlmv2-only + # + # This will let Samba 4 accept the MS-CHAP authentication + # method that is needed by FreeRADIUS. + # + # Depending on the Samba version, you may also need to add: + # + # --allow-mschapv2 + # + # to the command-line parameters. + # +# ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" + + # + # The default is to wait 10 seconds for ntlm_auth to + # complete. This is a long time, and if it's taking that + # long then you likely have other problems in your domain. + # The length of time can be decreased with the following + # option, which can save clients waiting if your ntlm_auth + # usually finishes quicker. Range 1 to 10 seconds. + # +# ntlm_auth_timeout = 10 + + # + # An alternative to using ntlm_auth is to connect to the + # winbind daemon directly for authentication. This option + # is likely to be faster and may be useful on busy systems, + # but is less well tested. + # + # Using this option requires libwbclient from Samba 4.2.1 + # or later to be installed. Make sure that ntlm_auth above is + # commented out. + # +# winbind_username = "%{mschap:User-Name}" +# winbind_domain = "%{mschap:NT-Domain}" + + # + # When using single sign-on with a winbind connection and the + # client uses a different casing for the username than the + # casing is according to the backend, reauth may fail because + # of some Windows internals. This switch tries to find the + # user in the correct casing in the backend, and retry + # authentication with that username. + # +# winbind_retry_with_normalised_username = no + + # + # Information for the winbind connection pool. The configuration + # items below are the same for all modules which use the new + # connection pool. + # + pool { + # + # Connections to create during module instantiation. + # If the server cannot create specified number of + # connections during instantiation it will exit. + # Set to 0 to allow the server to start without the + # winbind daemon being available. + # + start = ${thread[pool].start_servers} + + # + # Minimum number of connections to keep open + # + min = ${thread[pool].min_spare_servers} + + # + # Maximum number of connections + # + # If these connections are all in use and a new one + # is requested, the request will NOT get a connection. + # + # Setting 'max' to LESS than the number of threads means + # that some threads may starve, and you will see errors + # like 'No connections available and at max connection limit' + # + # Setting 'max' to MORE than the number of threads means + # that there are more connections than necessary. + # + max = ${thread[pool].max_servers} + + # + # Spare connections to be left idle + # + # NOTE: Idle connections WILL be closed if "idle_timeout" + # is set. This should be less than or equal to "max" above. + # + spare = ${thread[pool].max_spare_servers} + + # + # Number of uses before the connection is closed + # + # 0 means "infinite" + # + uses = 0 + + # + # The number of seconds to wait after the server tries + # to open a connection, and fails. During this time, + # no new connections will be opened. + # + retry_delay = 30 + + # + # The lifetime (in seconds) of the connection + # + # NOTE: A setting of 0 means infinite (no limit). + # + lifetime = 86400 + + # + # The pool is checked for free connections every + # "cleanup_interval". If there are free connections, + # then one of them is closed. + # + cleanup_interval = 300 + + # + # The idle timeout (in seconds). A connection which is + # unused for this length of time will be closed. + # + # NOTE: A setting of 0 means infinite (no timeout). + # + idle_timeout = 600 + + # + # NOTE: All configuration settings are enforced. If a + # connection is closed because of "idle_timeout", + # "uses", or "lifetime", then the total number of + # connections MAY fall below "min". When that + # happens, it will open a new connection. It will + # also log a WARNING message. + # + # The solution is to either lower the "min" connections, + # or increase lifetime/idle_timeout. + # + } + + passchange { + # + # This support MS-CHAPv2 (not v1) password change + # requests. See doc/mschap.rst for more IMPORTANT + # information. + # + # Samba/ntlm_auth - if you are using ntlm_auth to + # validate passwords, you will need to use ntlm_auth + # to change passwords. Uncomment the three lines + # below, and change the path to ntlm_auth. + # +# ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1" +# ntlm_auth_username = "username: %{mschap:User-Name}" +# ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}" + + # + # To implement a local password change, you need to + # supply a string which is then expanded, so that the + # password can be placed somewhere. e.g. passed to a + # script (exec), or written to SQL (UPDATE/INSERT). + # We give both examples here, but only one will be + # used. + # +# local_cpw = "%{exec:/path/to/script %{mschap:User-Name} %{MS-CHAP-New-Cleartext-Password}}" + # +# local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{SQL-User-Name}' and attribute='NT-Password'}" + } + + # + # For Apple Server, when running on the same machine as + # Open Directory. It has no effect on other systems. + # +# use_open_directory = yes + + # + # On failure, set (or not) the MS-CHAP error code saying + # "retries allowed". + # +# allow_retry = yes + + # + # An optional retry message. + # +# retry_msg = "Re-enter (or reset) the password" +} diff --git a/ops/nixos/bvm-radius/raddb/mods-available/ntlm_auth b/ops/nixos/bvm-radius/raddb/mods-available/ntlm_auth new file mode 100644 index 0000000000..ab0017c9b5 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/ntlm_auth @@ -0,0 +1,18 @@ +# +# For testing ntlm_auth authentication with PAP. +# +# If you have problems with authentication failing, even when the +# password is good, it may be a bug in Samba: +# +# https://bugzilla.samba.org/show_bug.cgi?id=6563 +# +# Depending on the AD / Samba configuration, you may also need to add: +# +# --allow-mschapv2 +# +# to the list of command-line options. +# +exec ntlm_auth { + wait = yes + program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" +} diff --git a/ops/nixos/bvm-radius/raddb/mods-available/pap b/ops/nixos/bvm-radius/raddb/mods-available/pap new file mode 100644 index 0000000000..f766843e07 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/pap @@ -0,0 +1,18 @@ +# -*- text -*- +# +# $Id: 0038ecd154840c71ceff33ddfdd936e4e28e0bcd $ + +# PAP module to authenticate users based on their stored password +# +# Supports multiple encryption/hash schemes. See "man rlm_pap" +# for details. +# +# For instructions on creating the various types of passwords, see: +# +# http://www.openldap.org/faq/data/cache/347.html +pap { + # By default the server will use heuristics to try and automatically + # handle base64 or hex encoded passwords. This behaviour can be + # stopped by setting the following to "no". +# normalise = yes +} diff --git a/ops/nixos/bvm-radius/raddb/mods-available/passwd b/ops/nixos/bvm-radius/raddb/mods-available/passwd new file mode 100644 index 0000000000..bf77f3a07d --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/passwd @@ -0,0 +1,55 @@ +# -*- text -*- +# +# $Id: 11bd2246642bf3c080327c7f4a67dc42603f3a6c $ + +# passwd module allows to do authorization via any passwd-like +# file and to extract any attributes from these files. +# +# See the "smbpasswd" and "etc_group" files for more examples. +# +# parameters are: +# filename - path to file +# +# format - format for filename record. This parameters +# correlates record in the passwd file and RADIUS +# attributes. +# +# Field marked as '*' is a key field. That is, the parameter +# with this name from the request is used to search for +# the record from passwd file +# +# Attributes marked as '=' are added to reply_items instead +# of default configure_items +# +# Attributes marked as '~' are added to request_items +# +# Field marked as ',' may contain a comma separated list +# of attributes. +# +# hash_size - hashtable size. Setting it to 0 is no longer permitted +# A future version of the server will have the module +# automatically determine the hash size. Having it set +# manually should not be necessary. +# +# allow_multiple_keys - if many records for a key are allowed +# +# ignore_nislike - ignore NIS-related records +# +# delimiter - symbol to use as a field separator in passwd file, +# for format ':' symbol is always used. '\0', '\n' are +# not allowed +# + +# An example configuration for using /etc/passwd. +# +# This is an example which will NOT WORK if you have shadow passwords, +# NIS, etc. The "unix" module is normally responsible for reading +# system passwords. You should use it instead of this example. +# +passwd etc_passwd { + filename = /etc/passwd + format = "*User-Name:Crypt-Password:" + hash_size = 100 + ignore_nislike = no + allow_multiple_keys = no +} diff --git a/ops/nixos/bvm-radius/raddb/mods-available/preprocess b/ops/nixos/bvm-radius/raddb/mods-available/preprocess new file mode 100644 index 0000000000..ae349e9e85 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/preprocess @@ -0,0 +1,62 @@ +# -*- text -*- +# +# $Id: 8baec7961ba75fe52546cb1331868b0b2b1c38f4 $ + +# Preprocess the incoming RADIUS request, before handing it off +# to other modules. +# +# This module processes the 'huntgroups' and 'hints' files. +# In addition, it re-writes some weird attributes created +# by some NAS, and converts the attributes into a form which +# is a little more standard. +# +preprocess { + # Search for files in a subdirectory of mods-config which + # matches this instance of the preprocess module. + moddir = ${modconfdir}/${.:instance} + + huntgroups = ${moddir}/huntgroups + hints = ${moddir}/hints + + # This hack changes Ascend's weird port numbering + # to standard 0-??? port numbers so that the "+" works + # for IP address assignments. + with_ascend_hack = no + ascend_channels_per_line = 23 + + # Windows NT machines often authenticate themselves as + # NT_DOMAIN\username + # + # If this is set to 'yes', then the NT_DOMAIN portion + # of the user-name is silently discarded. + # + # This configuration entry SHOULD NOT be used. + # See the "realms" module for a better way to handle + # NT domains. + with_ntdomain_hack = no + + # Specialix Jetstream 8500 24 port access server. + # + # If the user name is 10 characters or longer, a "/" + # and the excess characters after the 10th are + # appended to the user name. + # + # If you're not running that NAS, you don't need + # this hack. + with_specialix_jetstream_hack = no + + # Cisco (and Quintum in Cisco mode) sends it's VSA attributes + # with the attribute name *again* in the string, like: + # + # H323-Attribute = "h323-attribute=value". + # + # If this configuration item is set to 'yes', then + # the redundant data in the the attribute text is stripped + # out. The result is: + # + # H323-Attribute = "value" + # + # If you're not running a Cisco or Quintum NAS, you don't + # need this hack. + with_cisco_vsa_hack = no +} diff --git a/ops/nixos/bvm-radius/raddb/mods-available/radutmp b/ops/nixos/bvm-radius/raddb/mods-available/radutmp new file mode 100644 index 0000000000..8430fc119c --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/radutmp @@ -0,0 +1,53 @@ +# -*- text -*- +# +# $Id: 82319c033bbf349991a46b8f198a5bf5487b5da8 $ + +# Write a 'utmp' style file, of which users are currently +# logged in, and where they've logged in from. +# +# This file is used mainly for Simultaneous-Use checking, +# and also 'radwho', to see who's currently logged in. +# +radutmp { + # Where the file is stored. It's not a log file, + # so it doesn't need rotating. + # + filename = ${logdir}/radutmp + + # The field in the packet to key on for the + # 'user' name, If you have other fields which you want + # to use to key on to control Simultaneous-Use, + # then you can use them here. + # + # Note, however, that the size of the field in the + # 'utmp' data structure is small, around 32 + # characters, so that will limit the possible choices + # of keys. + # + # You may want instead: %{%{Stripped-User-Name}:-%{User-Name}} + username = %{User-Name} + + + # Whether or not we want to treat "user" the same + # as "USER", or "User". Some systems have problems + # with case sensitivity, so this should be set to + # 'no' to enable the comparisons of the key attribute + # to be case insensitive. + # + case_sensitive = yes + + # Accounting information may be lost, so the user MAY + # have logged off of the NAS, but we haven't noticed. + # If so, we can verify this information with the NAS, + # + # If we want to believe the 'utmp' file, then this + # configuration entry can be set to 'no'. + # + check_with_nas = yes + + # Set the file permissions, as the contents of this file + # are usually private. + permissions = 0600 + + caller_id = "yes" +} diff --git a/ops/nixos/bvm-radius/raddb/mods-available/realm b/ops/nixos/bvm-radius/raddb/mods-available/realm new file mode 100644 index 0000000000..fb014f7bb0 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/realm @@ -0,0 +1,75 @@ +# -*- text -*- +# +# $Id: 8ff95a9e9a652c2df9f992b0eb528084b6a7a2dc $ + +# Realm module, for proxying. +# +# You can have multiple instances of the realm module to +# support multiple realm syntaxes at the same time. The +# search order is defined by the order that the modules are listed +# in the authorize and preacct sections. +# +# Four config options: +# format - must be "prefix" or "suffix" +# The special cases of "DEFAULT" +# and "NULL" are allowed, too. +# delimiter - must be a single character + +# 'realm/username' +# +# Using this entry, IPASS users have their realm set to "IPASS". +realm IPASS { + format = prefix + delimiter = "/" +} + +# 'username@realm' +# +realm suffix { + format = suffix + delimiter = "@" + + # The next configuration items are valid ONLY for a trust-router. + # For all other realms, they are ignored. +# trust_router = "localhost" +# tr_port = 12309 +# rp_realm = "realm.example.com" +# default_community = "apc.communities.example.com" +# # if rekey_enabled is enabled, dynamic realms are automatically rekeyed +# # before they expire to avoid having to recreate them from scrach on +# # demand (implying lengthy authentications) +# rekey_enabled = no +# # if realm_lifetime is > 0, the rekey is scheduled to happen the +# # specified number of seconds after its creation or rekeying. Otherwise, +# # the key material expiration timestamp is used +# realm_lifetime = 0 +} + +# 'realm!username' +# +realm bangpath { + format = prefix + delimiter = "!" + +# trust_router = "localhost" +# tr_port = 12309 +# rp_realm = "realm.example.com" +# default_community = "apc.communities.example.com" +# rekey_enabled = no +# realm_lifetime = 0 +} + +# 'username%realm' +# +realm realmpercent { + format = suffix + delimiter = "%" +} + +# +# 'domain\user' +# +realm ntdomain { + format = prefix + delimiter = "\\" +} diff --git a/ops/nixos/bvm-radius/raddb/mods-available/replicate b/ops/nixos/bvm-radius/raddb/mods-available/replicate new file mode 100644 index 0000000000..6df4523cc1 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/replicate @@ -0,0 +1,40 @@ +# Replicate packet(s) to a home server. +# +# This module will open a new socket for each packet, and "clone" +# the incoming packet to the destination realm (i.e. home server). +# +# Use it by setting "Replicate-To-Realm = name" in the control list, +# just like Proxy-To-Realm. The configurations for the two attributes +# are identical. The realm must exist, the home_server_pool must exist, +# and the home_server must exist. +# +# The only difference is that the "replicate" module sends requests +# and does not expect a reply. Any reply is ignored. +# +# Both Replicate-To-Realm and Proxy-To-Realm can be used at the same time. +# +# To use this module, list "replicate" in the "authorize" or +# "accounting" section. Then, ensure that Replicate-To-Realm is set. +# The contents of the "packet" attribute list will be sent to the +# home server. The usual load-balancing, etc. features of the home +# server will be used. +# +# "radmin" can be used to mark home servers alive/dead, in order to +# enable/disable replication to specific servers. +# +# Packets can be replicated to multiple destinations. Just set +# Replicate-To-Realm multiple times. One packet will be sent for +# each of the Replicate-To-Realm attribute in the "control" list. +# +# If no packets are sent, the module returns "noop". If at least one +# packet is sent, the module returns "ok". If an error occurs, the +# module returns "fail" +# +# Note that replication does NOT change any of the packet statistics. +# If you use "radmin" to look at the statistics for a home server, +# the replicated packets will cause NO counters to increment. This +# is not a bug, this is how replication works. +# +replicate { + +} diff --git a/ops/nixos/bvm-radius/raddb/mods-available/soh b/ops/nixos/bvm-radius/raddb/mods-available/soh new file mode 100644 index 0000000000..d125ce4852 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/soh @@ -0,0 +1,4 @@ +# SoH module +soh { + dhcp = yes +} diff --git a/ops/nixos/bvm-radius/raddb/mods-available/sradutmp b/ops/nixos/bvm-radius/raddb/mods-available/sradutmp new file mode 100644 index 0000000000..8e28704313 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/sradutmp @@ -0,0 +1,16 @@ +# -*- text -*- +# +# $Id: 3a2a0e502e76ec00d4ec17e70132448e1547da46 $ + +# "Safe" radutmp - does not contain caller ID, so it can be +# world-readable, and radwho can work for normal users, without +# exposing any information that isn't already exposed by who(1). +# +# This is another 'instance' of the radutmp module, but it is given +# then name "sradutmp" to identify it later in the "accounting" +# section. +radutmp sradutmp { + filename = ${logdir}/sradutmp + permissions = 0644 + caller_id = "no" +} diff --git a/ops/nixos/bvm-radius/raddb/mods-available/unix b/ops/nixos/bvm-radius/raddb/mods-available/unix new file mode 100644 index 0000000000..a5798d582a --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/unix @@ -0,0 +1,25 @@ +# -*- text -*- +# +# $Id: 5165139aaf39d533581161871542b48a6e3e8c42 $ + +# Unix /etc/passwd style authentication +# +# This module calls the system functions to get the "known good" +# password. This password is usually in the "crypt" form, and is +# incompatible with CHAP, MS-CHAP, PEAP, etc. +# +# If passwords are in /etc/shadow, you will need to set the "group" +# configuration in radiusd.conf. Look for "shadow", and follow the +# instructions there. +# +unix { + # + # The location of the "wtmp" file. + # The only use for 'radlast'. If you don't use + # 'radlast', then you can comment out this item. + # + # Note that the radwtmp file may get large! You should + # rotate it (cp /dev/null radwtmp), or just not use it. + # + radwtmp = ${logdir}/radwtmp +} diff --git a/ops/nixos/bvm-radius/raddb/mods-available/unpack b/ops/nixos/bvm-radius/raddb/mods-available/unpack new file mode 100644 index 0000000000..694cd9f3b6 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/unpack @@ -0,0 +1,59 @@ +# -*- text -*- +# +# $Id: 665dd2aca16b9498a4d2b8a91e41d27741185738 $ + +# +# This module is useful only for 'xlat'. To use it, +# add it to the raddb/mods-enabled/ directory. Then, +# use it on the right-hand side of a variable assignment. +# +# ... = "%{unpack:data 1 integer}" +# +# The arguments are three fields: +# +# data +# Either &Attribute-Name +# the name of the attribute to unpack. +# MUST be a "string" or "octets" type. +# +# or 0xabcdef +# e.g. hex data. +# +# 1 +# The offset into the string from which +# it starts unpacking. The offset starts +# at zero, for the first attribute. +# +# integer +# the data type to unpack at that offset. +# e.g. integer, ipaddr, byte, short, etc. +# +# e.g. if we have Class = 0x0000000102030405, then +# +# %{unpack:&Class 4 short} +# +# will unpack octets 4 and 5 as a "short", which has +# value 0x0304. +# +# This module is used when vendors put multiple fields +# into one attribute of type "octets". +# +# The module can also be used to unpack substrings, by specifing a +# data type of "string(len)" or "octets(len)". Where "len" is an +# actual number. For example: +# +# %{unpack:&User-Name 1 string(2)} +# +# When given a User-Name of "hello", it will start taking the +# substring at offset 1 (i.e. "e"), and it will take two characters +# from that offset, i.e. "el". +# +# When "octets(len)" is used, the output is printed as hex. e.g. for +# the above example with Class: +# +# %{unpack:&Class 4 octets(4)} +# +# Will return the hex string "02030405" +# +unpack { +} diff --git a/ops/nixos/bvm-radius/raddb/mods-available/utf8 b/ops/nixos/bvm-radius/raddb/mods-available/utf8 new file mode 100644 index 0000000000..00812fa514 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-available/utf8 @@ -0,0 +1,14 @@ +# +# Enforces UTF-8 on strings coming in from the NAS. +# +# An attribute of type "string" containing UTF-8 makes +# the module return NOOP. +# +# An attribute of type "string" containing non-UTF-8 data +# makes the module return FAIL. +# +# This module takes no configuration. +# +utf8 { + +} diff --git a/ops/nixos/bvm-radius/raddb/mods-config/README.rst b/ops/nixos/bvm-radius/raddb/mods-config/README.rst new file mode 100644 index 0000000000..abb4c8d65e --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-config/README.rst @@ -0,0 +1,22 @@ +The mods-config Directory +========================= + +This directory contains module-specific configuration files. These +files are in a format different from the one used by the main +`radiusd.conf` files. Earlier versions of the server had many +module-specific files in the main `raddb` directory. The directory +contained many files, and it was not clear which files did what. + +For Version 3 of FreeRADIUS, we have moved to a consistent naming +scheme. Each module-specific configuration file is placed in this +directory, in a subdirectory named for the module. Where necessary, +files in the subdirectory have been named for the processing section +where they are used. + +For example, the `users` file is now located in +`mods-config/files/authorize`. That filename tells us three things: + +1. The file is used in the `authorize` section. +2. The file is used by the `files` module. +3. It is a "module configuration" file, which is a specific format. + diff --git a/ops/nixos/bvm-radius/raddb/mods-config/attr_filter/access_challenge b/ops/nixos/bvm-radius/raddb/mods-config/attr_filter/access_challenge new file mode 100644 index 0000000000..528670c9dd --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-config/attr_filter/access_challenge @@ -0,0 +1,19 @@ +# +# Configuration file for the rlm_attr_filter module. +# Please see rlm_attr_filter(5) manpage for more information. +# +# $Id: 12ed619cf16f7322221ef2dfaf28f9c36c616e3c $ +# +# This configuration file is used to remove almost all of the +# attributes From an Access-Challenge message. The RFCs say +# that an Access-Challenge packet can contain only a few +# attributes. We enforce that here. +# +DEFAULT + EAP-Message =* ANY, + State =* ANY, + Message-Authenticator =* ANY, + Reply-Message =* ANY, + Proxy-State =* ANY, + Session-Timeout =* ANY, + Idle-Timeout =* ANY diff --git a/ops/nixos/bvm-radius/raddb/mods-config/attr_filter/access_reject b/ops/nixos/bvm-radius/raddb/mods-config/attr_filter/access_reject new file mode 100644 index 0000000000..54668f7027 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-config/attr_filter/access_reject @@ -0,0 +1,18 @@ +# +# Configuration file for the rlm_attr_filter module. +# Please see rlm_attr_filter(5) manpage for more information. +# +# $Id: 47f167b085c2a4e22701fe9fe74b8fe0b9575421 $ +# +# This configuration file is used to remove almost all of the attributes +# From an Access-Reject message. The RFCs say that an Access-Reject +# packet can contain only a few attributes. We enforce that here. +# +DEFAULT + EAP-Message =* ANY, + State =* ANY, + Message-Authenticator =* ANY, + Error-Cause =* ANY, + Reply-Message =* ANY, + MS-CHAP-Error =* ANY, + Proxy-State =* ANY diff --git a/ops/nixos/bvm-radius/raddb/mods-config/attr_filter/accounting_response b/ops/nixos/bvm-radius/raddb/mods-config/attr_filter/accounting_response new file mode 100644 index 0000000000..23456b8f88 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-config/attr_filter/accounting_response @@ -0,0 +1,16 @@ +# +# Configuration file for the rlm_attr_filter module. +# Please see rlm_attr_filter(5) manpage for more information. +# +# $Id: 01e9c6f5bda7a138f45da5010c624d92b6d398a0 $ +# +# This configuration file is used to remove almost all of the attributes +# From an Accounting-Response message. The RFC's say that an +# Accounting-Response packet can contain only a few attributes. +# We enforce that here. +# +DEFAULT + Vendor-Specific =* ANY, + Message-Authenticator =* ANY, + Error-Cause =* ANY, + Proxy-State =* ANY diff --git a/ops/nixos/bvm-radius/raddb/mods-config/attr_filter/post-proxy b/ops/nixos/bvm-radius/raddb/mods-config/attr_filter/post-proxy new file mode 100644 index 0000000000..3ecddaf7e4 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-config/attr_filter/post-proxy @@ -0,0 +1,119 @@ +# +# Configuration file for the rlm_attr_filter module. +# Please see rlm_attr_filter(5) manpage for more information. +# +# $Id: 5d889ea733ec8e6b246335f86bf6e122b54f23aa $ +# +# This file contains security and configuration information +# for each realm. The first field is the realm name and +# can be up to 253 characters in length. This is followed (on +# the next line) with the list of filter rules to be used to +# decide what attributes and/or values we allow proxy servers +# to pass to the NAS for this realm. +# +# When a proxy-reply packet is received from a home server, +# these attributes and values are tested. Only the first match +# is used unless the "Fall-Through" variable is set to "Yes". +# In that case the rules defined in the DEFAULT case are +# processed as well. +# +# A special realm named "DEFAULT" matches on all realm names. +# You can have only one DEFAULT entry. All entries are processed +# in the order they appear in this file. The first entry that +# matches the login-request will stop processing unless you use +# the Fall-Through variable. +# +# Indented (with the tab character) lines following the first +# line indicate the filter rules. +# +# You can include another `attrs' file with `$INCLUDE attrs.other' +# + +# +# This is a complete entry for realm "fisp". Note that there is no +# Fall-Through entry so that no DEFAULT entry will be used, and the +# server will NOT allow any other a/v pairs other than the ones +# listed here. +# +# These rules allow: +# o Only Framed-User Service-Types ( no telnet, rlogin, tcp-clear ) +# o PPP sessions ( no SLIP, CSLIP, etc. ) +# o dynamic ip assignment ( can't assign a static ip ) +# o an idle timeout value set to 600 seconds (10 min) or less +# o a max session time set to 28800 seconds (8 hours) or less +# +#fisp +# Service-Type == Framed-User, +# Framed-Protocol == PPP, +# Framed-IP-Address == 255.255.255.254, +# Idle-Timeout <= 600, +# Session-Timeout <= 28800 + +# +# This is a complete entry for realm "tisp". Note that there is no +# Fall-Through entry so that no DEFAULT entry will be used, and the +# server will NOT allow any other a/v pairs other than the ones +# listed here. +# +# These rules allow: +# o Only Login-User Service-Type ( no framed/ppp sessions ) +# o Telnet sessions only ( no rlogin, tcp-clear ) +# o Login host of 192.0.2.1 +# +#tisp +# Service-Type == Login-User, +# Login-Service == Telnet, +# Login-TCP-Port == 23, +# Login-IP-Host == 192.0.2.1 + +# +# The following example can be used for a home server which is only +# allowed to supply a Reply-Message, a Session-Timeout attribute of +# maximum 86400, a Idle-Timeout attribute of maximum 600 and a +# Acct-Interim-Interval attribute between 300 and 3600. +# All other attributes sent back will be filtered out. +# +#strictrealm +# Reply-Message =* ANY, +# Session-Timeout <= 86400, +# Idle-Timeout <= 600, +# Acct-Interim-Interval >= 300, +# Acct-Interim-Interval <= 3600 + +# +# This is a complete entry for realm "spamrealm". Fall-Through is used, +# so that the DEFAULT filter rules are used in addition to these. +# +# These rules allow: +# o Force the application of Filter-ID attribute to be returned +# in the proxy reply, whether the proxy sent it or not. +# o The standard DEFAULT rules as defined below +# +#spamrealm +# Framed-Filter-Id := "nosmtp.in", +# Fall-Through = Yes + +# +# The rest of this file contains the DEFAULT entry. +# DEFAULT matches with all realm names. (except if the realm previously +# matched an entry with no Fall-Through) +# + +DEFAULT + Framed-IP-Address == 255.255.255.254, + Framed-IP-Netmask == 255.255.255.255, + Framed-MTU >= 576, + Framed-Filter-ID =* ANY, + Reply-Message =* ANY, + Proxy-State =* ANY, + EAP-Message =* ANY, + Message-Authenticator =* ANY, + MS-MPPE-Recv-Key =* ANY, + MS-MPPE-Send-Key =* ANY, + MS-CHAP-MPPE-Keys =* ANY, + State =* ANY, + Session-Timeout <= 28800, + Idle-Timeout <= 600, + Calling-Station-Id =* ANY, + Operator-Name =* ANY, + Port-Limit <= 2 diff --git a/ops/nixos/bvm-radius/raddb/mods-config/attr_filter/pre-proxy b/ops/nixos/bvm-radius/raddb/mods-config/attr_filter/pre-proxy new file mode 100644 index 0000000000..7144d70610 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-config/attr_filter/pre-proxy @@ -0,0 +1,65 @@ +# +# Configuration file for the rlm_attr_filter module. +# Please see rlm_attr_filter(5) manpage for more information. +# +# $Id: 47b01266f44d0475261c6ea16f74ca17d8838749 $ +# +# This file contains security and configuration information +# for each realm. It can be used be an rlm_attr_filter module +# instance to filter attributes before sending packets to the +# home server of a realm. +# +# When a packet is sent to a home server, these attributes +# and values are tested. Only the first match is used unless +# the "Fall-Through" variable is set to "Yes". In that case +# the rules defined in the DEFAULT case are processed as well. +# +# A special realm named "DEFAULT" matches on all realm names. +# You can have only one DEFAULT entry. All entries are processed +# in the order they appear in this file. The first entry that +# matches the login-request will stop processing unless you use +# the Fall-Through variable. +# +# The first line indicates the realm to which the rules apply. +# Indented (with the tab character) lines following the first +# line indicate the filter rules. +# + +# This is a complete entry for 'nochap' realm. It allows to send very +# basic attributes to the home server. Note that there is no Fall-Through +# entry so that no DEFAULT entry will be used. Only the listed attributes +# will be sent in the packet, all other attributes will be filtered out. +# +#nochap +# User-Name =* ANY, +# User-Password =* ANY, +# NAS-IP-Address =* ANY, +# NAS-Identifier =* ANY + +# The entry for the 'brokenas' realm removes the attribute NAS-Port-Type +# if its value is different from 'Ethernet'. Then the default rules are +# applied. +# +#brokenas +# NAS-Port-Type == Ethernet +# Fall-Through = Yes + +# The rest of this file contains the DEFAULT entry. +# DEFAULT matches with all realm names. + +DEFAULT + User-Name =* ANY, + User-Password =* ANY, + CHAP-Password =* ANY, + CHAP-Challenge =* ANY, + MS-CHAP-Challenge =* ANY, + MS-CHAP-Response =* ANY, + EAP-Message =* ANY, + Message-Authenticator =* ANY, + State =* ANY, + NAS-IP-Address =* ANY, + NAS-Identifier =* ANY, + Operator-Name =* ANY, + Calling-Station-Id =* ANY, + Chargeable-User-Identity =* ANY, + Proxy-State =* ANY diff --git a/ops/nixos/bvm-radius/raddb/mods-config/files/accounting b/ops/nixos/bvm-radius/raddb/mods-config/files/accounting new file mode 100644 index 0000000000..db7551569f --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-config/files/accounting @@ -0,0 +1,27 @@ +# +# $Id: eaf952a72dc9d19387af4d2056d7f7027b2435e8 $ +# +# This is like the 'users' file, but it is processed only for +# accounting packets. +# + +# Select between different accounting methods based for example on the +# Realm, the Huntgroup-Name or any combinaison of the attribute/value +# pairs contained in an accounting packet. +# +# You will need to add an "Acct-Type foo {...}" subsection to the +# main "accounting" section in order for these sample configurations +# to work. +# +#DEFAULT Realm == "foo.net", Acct-Type := foo +# +#DEFAULT Huntgroup-Name == "wifi", Acct-Type := wifi +# +#DEFAULT Client-IP-Address == 10.0.0.1, Acct-Type := other +# +#DEFAULT Acct-Status-Type == Start, Acct-Type := start + +# Replace the User-Name with the Stripped-User-Name, if it exists. +# +#DEFAULT +# User-Name := "%{%{Stripped-User-Name}:-%{User-Name}}" diff --git a/ops/nixos/bvm-radius/raddb/mods-config/files/authorize b/ops/nixos/bvm-radius/raddb/mods-config/files/authorize new file mode 100644 index 0000000000..46894851dc --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-config/files/authorize @@ -0,0 +1,208 @@ +# +# Configuration file for the rlm_files module. +# Please see rlm_files(5) manpage for more information. +# +# This file contains authentication security and configuration +# information for each user. Accounting requests are NOT processed +# through this file. Instead, see 'accounting', in this directory. +# +# The first field is the user's name and can be up to +# 253 characters in length. This is followed (on the same line) with +# the list of authentication requirements for that user. This can +# include password, comm server name, comm server port number, protocol +# type (perhaps set by the "hints" file), and huntgroup name (set by +# the "huntgroups" file). +# +# If you are not sure why a particular reply is being sent by the +# server, then run the server in debugging mode (radiusd -X), and +# you will see which entries in this file are matched. +# +# When an authentication request is received from the comm server, +# these values are tested. Only the first match is used unless the +# "Fall-Through" variable is set to "Yes". +# +# A special user named "DEFAULT" matches on all usernames. +# You can have several DEFAULT entries. All entries are processed +# in the order they appear in this file. The first entry that +# matches the login-request will stop processing unless you use +# the Fall-Through variable. +# +# Indented (with the tab character) lines following the first +# line indicate the configuration values to be passed back to +# the comm server to allow the initiation of a user session. +# This can include things like the PPP configuration values +# or the host to log the user onto. +# +# You can include another `users' file with `$INCLUDE users.other' + +# +# For a list of RADIUS attributes, and links to their definitions, +# see: http://www.freeradius.org/rfc/attributes.html +# +# Entries below this point are examples included in the server for +# educational purposes. They may be deleted from the deployed +# configuration without impacting the operation of the server. +# + +# +# Deny access for a specific user. Note that this entry MUST +# be before any other 'Auth-Type' attribute which results in the user +# being authenticated. +# +# Note that there is NO 'Fall-Through' attribute, so the user will not +# be given any additional resources. +# +#lameuser Auth-Type := Reject +# Reply-Message = "Your account has been disabled." + +# +# Deny access for a group of users. +# +# Note that there is NO 'Fall-Through' attribute, so the user will not +# be given any additional resources. +# +#DEFAULT Group == "disabled", Auth-Type := Reject +# Reply-Message = "Your account has been disabled." +# + +# +# This is a complete entry for "steve". Note that there is no Fall-Through +# entry so that no DEFAULT entry will be used, and the user will NOT +# get any attributes in addition to the ones listed here. +# +#steve Cleartext-Password := "testing" +# Service-Type = Framed-User, +# Framed-Protocol = PPP, +# Framed-IP-Address = 172.16.3.33, +# Framed-IP-Netmask = 255.255.255.0, +# Framed-Routing = Broadcast-Listen, +# Framed-Filter-Id = "std.ppp", +# Framed-MTU = 1500, +# Framed-Compression = Van-Jacobsen-TCP-IP + +# +# The canonical testing user which is in most of the +# examples. +# +#bob Cleartext-Password := "hello" +# Reply-Message := "Hello, %{User-Name}" +lukegb Cleartext-Password := "{{USER_LUKEGB_PASSWORD}}" +testuser Cleartext-Password := "{{USER_TESTUSER_PASSWORD}}" +# + +# +# This is an entry for a user with a space in their name. +# Note the double quotes surrounding the name. If you have +# users with spaces in their names, you must also change +# the "filter_username" policy to allow spaces. +# +# See raddb/policy.d/filter, filter_username {} section. +# +#"John Doe" Cleartext-Password := "hello" +# Reply-Message = "Hello, %{User-Name}" + +# +# Dial user back and telnet to the default host for that port +# +#Deg Cleartext-Password := "ge55ged" +# Service-Type = Callback-Login-User, +# Login-IP-Host = 0.0.0.0, +# Callback-Number = "9,5551212", +# Login-Service = Telnet, +# Login-TCP-Port = Telnet + +# +# Another complete entry. After the user "dialbk" has logged in, the +# connection will be broken and the user will be dialed back after which +# he will get a connection to the host "timeshare1". +# +#dialbk Cleartext-Password := "callme" +# Service-Type = Callback-Login-User, +# Login-IP-Host = timeshare1, +# Login-Service = PortMaster, +# Callback-Number = "9,1-800-555-1212" + +# +# user "swilson" will only get a static IP number if he logs in with +# a framed protocol on a terminal server in Alphen (see the huntgroups file). +# +# Note that by setting "Fall-Through", other attributes will be added from +# the following DEFAULT entries +# +#swilson Service-Type == Framed-User, Huntgroup-Name == "alphen" +# Framed-IP-Address = 192.0.2.65, +# Fall-Through = Yes + +# +# If the user logs in as 'username.shell', then authenticate them +# using the default method, give them shell access, and stop processing +# the rest of the file. +# +#DEFAULT Suffix == ".shell" +# Service-Type = Login-User, +# Login-Service = Telnet, +# Login-IP-Host = your.shell.machine + + +# +# The rest of this file contains the several DEFAULT entries. +# DEFAULT entries match with all login names. +# Note that DEFAULT entries can also Fall-Through (see first entry). +# A name-value pair from a DEFAULT entry will _NEVER_ override +# an already existing name-value pair. +# + +# Sample defaults for all framed connections. +# +#DEFAULT Service-Type == Framed-User +# Framed-IP-Address = 255.255.255.254, +# Framed-MTU = 576, +# Service-Type = Framed-User, +# Fall-Through = Yes + +# +# Default for PPP: dynamic IP address, PPP mode, VJ-compression. +# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected +# by the terminal server in which case there may not be a "P" suffix. +# The terminal server sends "Framed-Protocol = PPP" for auto PPP. +# +DEFAULT Framed-Protocol == PPP + Framed-Protocol = PPP, + Framed-Compression = Van-Jacobson-TCP-IP + +# +# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression. +# +DEFAULT Hint == "CSLIP" + Framed-Protocol = SLIP, + Framed-Compression = Van-Jacobson-TCP-IP + +# +# Default for SLIP: dynamic IP address, SLIP mode. +# +DEFAULT Hint == "SLIP" + Framed-Protocol = SLIP + +# +# Last default: rlogin to our main server. +# +#DEFAULT +# Service-Type = Login-User, +# Login-Service = Rlogin, +# Login-IP-Host = shellbox.ispdomain.com + +# # +# # Last default: shell on the local terminal server. +# # +# DEFAULT +# Service-Type = Administrative-User + + +# On no match, the user is denied access. + + +######################################################### +# You should add test accounts to the TOP of this file! # +# See the example user "bob" above. # +######################################################### + diff --git a/ops/nixos/bvm-radius/raddb/mods-config/files/pre-proxy b/ops/nixos/bvm-radius/raddb/mods-config/files/pre-proxy new file mode 100644 index 0000000000..9c848fd7f1 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-config/files/pre-proxy @@ -0,0 +1,31 @@ +# +# Configuration file for the rlm_files module. +# Please see rlm_files(5) manpage for more information. +# +# $Id: 7292e23ea51717ee5cb50c4b9b609e91ebe4a41c $ +# +# This file is similar to the "users" file. The check items +# are compared against the request, but the "reply" items are +# used to update the proxied packet, not the reply to the NAS. +# +# You can use this file to re-write requests which are about to +# be sent to a home server. +# + +# +# Requests destinated to realm "extisp" are sent to a RADIUS +# home server hosted by an other company which doesn't know about +# the IP addresses of our NASes. Therefore we replace the value of +# the NAS-IP-Address attribute by a unique value we communicated +# to them. +# +#DEFAULT Realm == "extisp" +# NAS-IP-Address := 10.1.2.3 + +# +# For all proxied packets, set the User-Name in the proxied packet +# to the Stripped-User-Name, if it exists. If not, set it to the +# User-Name from the original request. +# +#DEFAULT +# User-Name := `%{%{Stripped-User-Name}:-%{User-Name}}` diff --git a/ops/nixos/bvm-radius/raddb/mods-config/preprocess/hints b/ops/nixos/bvm-radius/raddb/mods-config/preprocess/hints new file mode 100644 index 0000000000..a78587952d --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-config/preprocess/hints @@ -0,0 +1,86 @@ +# +# hints +# +# The hints file. This file is used to match +# a request, and then add attributes to it. This +# process allows a user to login as "bob.ppp" (for example), +# and receive a PPP connection, even if the NAS doesn't +# ask for PPP. The "hints" file is used to match the +# ".ppp" portion of the username, and to add a set of +# "user requested PPP" attributes to the request. +# +# Matching can take place with the the Prefix and Suffix +# attributes, just like in the "users" file. +# These attributes operate ONLY on the username, though. +# +# Note that the attributes that are set for each entry are +# NOT added to the reply attributes passed back to the NAS. +# Instead they are added to the list of attributes in the +# request that has been SENT by the NAS. +# +# This extra information can be used in the users file to +# match on. Usually this is done in the DEFAULT entries, +# of which there can be more than one. +# +# In addition a matching entry can transform a username +# for authentication purposes if the "Strip-User-Name" +# variable is set to Yes in an entry (default is Yes). +# +# A special non-protocol name-value pair called "Hint" +# can be set to match on in the "users" file. +# +# As with the "users" file, the first entry that matches the +# incoming request will cause the server to stop looking for +# more hints. If the "Fall-Through" attribute is set to +# "Yes" in an entry then the server will not stop, but +# continue to process further hints from the file. Matches +# on subsequent hints will be against the altered request +# from the previous hints, not against the original request. +# +# The following is how most dial-up ISPs want to set this up. +# +# Version: $Id: 84d4d78d5dc8613f6205fc2ef48f454101caaf33 $ +# + + +DEFAULT Suffix == ".ppp", Strip-User-Name = Yes + Hint = "PPP", + Service-Type = Framed-User, + Framed-Protocol = PPP + +DEFAULT Suffix == ".slip", Strip-User-Name = Yes + Hint = "SLIP", + Service-Type = Framed-User, + Framed-Protocol = SLIP + +DEFAULT Suffix == ".cslip", Strip-User-Name = Yes + Hint = "CSLIP", + Service-Type = Framed-User, + Framed-Protocol = SLIP, + Framed-Compression = Van-Jacobson-TCP-IP + +###################################################################### +# +# These entries are old, and commented out by default. +# They confuse too many people when "Peter" logs in, and the +# server thinks that the user "eter" is asking for PPP. +# +#DEFAULT Prefix == "U", Strip-User-Name = No +# Hint = "UUCP" + +#DEFAULT Prefix == "P", Strip-User-Name = Yes +# Hint = "PPP", +# Service-Type = Framed-User, +# Framed-Protocol = PPP + +#DEFAULT Prefix == "S", Strip-User-Name = Yes +# Hint = "SLIP", +# Service-Type = Framed-User, +# Framed-Protocol = SLIP + +#DEFAULT Prefix == "C", Strip-User-Name = Yes +# Hint = "CSLIP", +# Service-Type = Framed-User, +# Framed-Protocol = SLIP, +# Framed-Compression = Van-Jacobson-TCP-IP + diff --git a/ops/nixos/bvm-radius/raddb/mods-config/preprocess/huntgroups b/ops/nixos/bvm-radius/raddb/mods-config/preprocess/huntgroups new file mode 100644 index 0000000000..da28dba43f --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-config/preprocess/huntgroups @@ -0,0 +1,43 @@ +# +# huntgroups This file defines the `huntgroups' that you have. A +# huntgroup is defined by specifying the IP address of +# the NAS and possibly a port. +# +# Matching is done while RADIUS scans the user file; if it +# includes the selection criteria "Huntgroup-Name == XXX" +# the huntgroup is looked up in this file to see if it +# matches. There can be multiple definitions of the same +# huntgroup; the first one that matches will be used. +# +# This file can also be used to define restricted access +# to certain huntgroups. The second and following lines +# define the access restrictions (based on username and +# UNIX usergroup) for the huntgroup. +# + +# +# Our POP in Alphen a/d Rijn has 3 terminal servers. Create a Huntgroup-Name +# called Alphen that matches on all three terminal servers. +# +#alphen NAS-IP-Address == 192.0.2.5 +#alphen NAS-IP-Address == 192.0.2.6 +#alphen NAS-IP-Address == 192.0.2.7 + +# +# The POP in Delft consists of only one terminal server. +# +#delft NAS-IP-Address == 198.51.100.5 + +# +# Port 0 on the first terminal server in Alphen are connected to +# a huntgroup that is for business users only. Note that only one +# of the username or groupname has to match to get access (OR/OR). +# +# Note that this huntgroup is a subset of the "alphen" huntgroup. +# +#business NAS-IP-Address == 198.51.100.5, NAS-Port-Id == 0 +# User-Name == rogerl, +# User-Name == henks, +# Group == business, +# Group == staff + diff --git a/ops/nixos/bvm-radius/raddb/mods-enabled/always b/ops/nixos/bvm-radius/raddb/mods-enabled/always new file mode 120000 index 0000000000..2cc1029e28 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-enabled/always @@ -0,0 +1 @@ +../mods-available/always \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/mods-enabled/attr_filter b/ops/nixos/bvm-radius/raddb/mods-enabled/attr_filter new file mode 120000 index 0000000000..400dfd1d52 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-enabled/attr_filter @@ -0,0 +1 @@ +../mods-available/attr_filter \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/mods-enabled/cache_eap b/ops/nixos/bvm-radius/raddb/mods-enabled/cache_eap new file mode 120000 index 0000000000..22cfe44078 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-enabled/cache_eap @@ -0,0 +1 @@ +../mods-available/cache_eap \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/mods-enabled/chap b/ops/nixos/bvm-radius/raddb/mods-enabled/chap new file mode 120000 index 0000000000..6ccd392a05 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-enabled/chap @@ -0,0 +1 @@ +../mods-available/chap \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/mods-enabled/date b/ops/nixos/bvm-radius/raddb/mods-enabled/date new file mode 120000 index 0000000000..75aeb6487d --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-enabled/date @@ -0,0 +1 @@ +../mods-available/date \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/mods-enabled/detail b/ops/nixos/bvm-radius/raddb/mods-enabled/detail new file mode 120000 index 0000000000..ad00d0eea6 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-enabled/detail @@ -0,0 +1 @@ +../mods-available/detail \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/mods-enabled/detail.log b/ops/nixos/bvm-radius/raddb/mods-enabled/detail.log new file mode 120000 index 0000000000..155062dfcc --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-enabled/detail.log @@ -0,0 +1 @@ +../mods-available/detail.log \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/mods-enabled/digest b/ops/nixos/bvm-radius/raddb/mods-enabled/digest new file mode 120000 index 0000000000..95d3d364f7 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-enabled/digest @@ -0,0 +1 @@ +../mods-available/digest \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/mods-enabled/dynamic_clients b/ops/nixos/bvm-radius/raddb/mods-enabled/dynamic_clients new file mode 120000 index 0000000000..7b030ba916 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-enabled/dynamic_clients @@ -0,0 +1 @@ +../mods-available/dynamic_clients \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/mods-enabled/eap-custom b/ops/nixos/bvm-radius/raddb/mods-enabled/eap-custom new file mode 120000 index 0000000000..763b32d831 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-enabled/eap-custom @@ -0,0 +1 @@ +../mods-available/eap-custom \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/mods-enabled/echo b/ops/nixos/bvm-radius/raddb/mods-enabled/echo new file mode 120000 index 0000000000..a436e685e2 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-enabled/echo @@ -0,0 +1 @@ +../mods-available/echo \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/mods-enabled/exec b/ops/nixos/bvm-radius/raddb/mods-enabled/exec new file mode 120000 index 0000000000..a42a481296 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-enabled/exec @@ -0,0 +1 @@ +../mods-available/exec \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/mods-enabled/expiration b/ops/nixos/bvm-radius/raddb/mods-enabled/expiration new file mode 120000 index 0000000000..340f64109d --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-enabled/expiration @@ -0,0 +1 @@ +../mods-available/expiration \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/mods-enabled/expr b/ops/nixos/bvm-radius/raddb/mods-enabled/expr new file mode 120000 index 0000000000..64dd3ab92d --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-enabled/expr @@ -0,0 +1 @@ +../mods-available/expr \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/mods-enabled/files b/ops/nixos/bvm-radius/raddb/mods-enabled/files new file mode 120000 index 0000000000..372bc86dbf --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-enabled/files @@ -0,0 +1 @@ +../mods-available/files \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/mods-enabled/inner-eap-eduroam b/ops/nixos/bvm-radius/raddb/mods-enabled/inner-eap-eduroam new file mode 120000 index 0000000000..048b6f2f98 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-enabled/inner-eap-eduroam @@ -0,0 +1 @@ +../mods-available/inner-eap-eduroam \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/mods-enabled/linelog-eduroam b/ops/nixos/bvm-radius/raddb/mods-enabled/linelog-eduroam new file mode 120000 index 0000000000..ae3b333e13 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-enabled/linelog-eduroam @@ -0,0 +1 @@ +../mods-available/linelog-eduroam \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/mods-enabled/logintime b/ops/nixos/bvm-radius/raddb/mods-enabled/logintime new file mode 120000 index 0000000000..99b698e074 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-enabled/logintime @@ -0,0 +1 @@ +../mods-available/logintime \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/mods-enabled/mschap b/ops/nixos/bvm-radius/raddb/mods-enabled/mschap new file mode 120000 index 0000000000..c7523defb3 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-enabled/mschap @@ -0,0 +1 @@ +../mods-available/mschap \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/mods-enabled/ntlm_auth b/ops/nixos/bvm-radius/raddb/mods-enabled/ntlm_auth new file mode 120000 index 0000000000..3d68f6720c --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-enabled/ntlm_auth @@ -0,0 +1 @@ +../mods-available/ntlm_auth \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/mods-enabled/pap b/ops/nixos/bvm-radius/raddb/mods-enabled/pap new file mode 120000 index 0000000000..07f986ff2b --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-enabled/pap @@ -0,0 +1 @@ +../mods-available/pap \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/mods-enabled/passwd b/ops/nixos/bvm-radius/raddb/mods-enabled/passwd new file mode 120000 index 0000000000..be64f8b43d --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-enabled/passwd @@ -0,0 +1 @@ +../mods-available/passwd \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/mods-enabled/preprocess b/ops/nixos/bvm-radius/raddb/mods-enabled/preprocess new file mode 120000 index 0000000000..266822a510 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-enabled/preprocess @@ -0,0 +1 @@ +../mods-available/preprocess \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/mods-enabled/radutmp b/ops/nixos/bvm-radius/raddb/mods-enabled/radutmp new file mode 120000 index 0000000000..e3c390cc97 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-enabled/radutmp @@ -0,0 +1 @@ +../mods-available/radutmp \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/mods-enabled/realm b/ops/nixos/bvm-radius/raddb/mods-enabled/realm new file mode 120000 index 0000000000..acc66bee63 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-enabled/realm @@ -0,0 +1 @@ +../mods-available/realm \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/mods-enabled/replicate b/ops/nixos/bvm-radius/raddb/mods-enabled/replicate new file mode 120000 index 0000000000..b03d8deea8 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-enabled/replicate @@ -0,0 +1 @@ +../mods-available/replicate \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/mods-enabled/soh b/ops/nixos/bvm-radius/raddb/mods-enabled/soh new file mode 120000 index 0000000000..af8821618d --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-enabled/soh @@ -0,0 +1 @@ +../mods-available/soh \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/mods-enabled/sradutmp b/ops/nixos/bvm-radius/raddb/mods-enabled/sradutmp new file mode 120000 index 0000000000..ac90674f4c --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-enabled/sradutmp @@ -0,0 +1 @@ +../mods-available/sradutmp \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/mods-enabled/unix b/ops/nixos/bvm-radius/raddb/mods-enabled/unix new file mode 120000 index 0000000000..599fdefcab --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-enabled/unix @@ -0,0 +1 @@ +../mods-available/unix \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/mods-enabled/unpack b/ops/nixos/bvm-radius/raddb/mods-enabled/unpack new file mode 120000 index 0000000000..dad4563a14 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-enabled/unpack @@ -0,0 +1 @@ +../mods-available/unpack \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/mods-enabled/utf8 b/ops/nixos/bvm-radius/raddb/mods-enabled/utf8 new file mode 120000 index 0000000000..7979255e0a --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/mods-enabled/utf8 @@ -0,0 +1 @@ +../mods-available/utf8 \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/policy.d/canonicalization b/ops/nixos/bvm-radius/raddb/policy.d/canonicalization new file mode 100644 index 0000000000..6d90e37b75 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/policy.d/canonicalization @@ -0,0 +1,113 @@ +# +# Split User-Name in NAI format (RFC 4282) into components +# +# This policy writes the Username and Domain portions of the +# NAI into the Stripped-User-Name and Stripped-User-Domain +# attributes. +# +# The regular expression to do this is not strictly compliant +# with the standard, but it is not possible to write a +# compliant regexp without perl style regular expressions (or +# at least not a legible one). +# +nai_regexp = '^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$' + +split_username_nai { + if (&User-Name && (&User-Name =~ /${policy.nai_regexp}/)) { + update request { + &Stripped-User-Name := "%{1}" + } + + # Only add the Stripped-User-Domain attribute if + # we have a domain. This means presence checks + # for Stripped-User-Domain work. + if ("%{3}" != '') { + update request { + &Stripped-User-Domain = "%{3}" + } + } + + # If any of the expansions result in a null + # string, the update section may return + # something other than updated... + updated + } + else { + noop + } +} + +# +# If called in post-proxy we modify the proxy-reply message +# +split_username_nai.post-proxy { + if (&proxy-reply:User-Name && (&proxy-reply:User-Name =~ /${policy.nai_regexp}/)) { + update proxy-reply { + &Stripped-User-Name := "%{1}" + } + + # Only add the Stripped-User-Domain attribute if + # we have a domain. This means presence checks + # for Stripped-User-Domain work. + if ("%{3}" != '') { + update proxy-reply { + &Stripped-User-Domain = "%{3}" + } + } + updated + } + else { + noop + } +} + +# +# Normalize the MAC Addresses in the Calling/Called-Station-Id +# +mac-addr-regexp = '([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})' + +# +# Add "rewrite_called_station_id" in the "authorize" and +# "preacct" sections. +# +# Makes Called-Station-ID conform to what RFC3580 says should +# be provided by 802.1X authenticators. +# +rewrite_called_station_id { + if (&Called-Station-Id && (&Called-Station-Id =~ /^${policy.mac-addr-regexp}([^0-9a-f](.+))?$/i)) { + update request { + &Called-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" + } + + # SSID component? + if ("%{8}") { + update request { + &Called-Station-SSID := "%{8}" + } + } + updated + } + else { + noop + } +} + +# +# Add "rewrite_calling_station_id" in the "authorize" and +# "preacct" sections. +# +# Makes Calling-Station-ID conform to what RFC3580 says should +# be provided by 802.1X authenticators. +# +rewrite_calling_station_id { + if (&Calling-Station-Id && (&Calling-Station-Id =~ /^${policy.mac-addr-regexp}$/i)) { + update request { + &Calling-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" + } + updated + } + else { + noop + } +} + diff --git a/ops/nixos/bvm-radius/raddb/proxy.conf b/ops/nixos/bvm-radius/raddb/proxy.conf new file mode 100644 index 0000000000..fcf5232c70 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/proxy.conf @@ -0,0 +1,28 @@ +home_server eduroam_flr_server_1 { + # roaming0.ja.net + ipv6addr = 2001:630:1:128::185 + secret = {{JANET_ROAMING0_SECRET}} + status_check = status-server + response_window = 5 + check_interval = 10 + check_timeout = 5 +} +home_server eduroam_flr_server_2 { + # roaming1.ja.net + ipv6addr = 2001:630:1:12a::233 + secret = {{JANET_ROAMING1_SECRET}} + status_check = status-server + response_window = 5 + check_interval = 10 + check_timeout = 5 +} + +home_server_pool eduroam_flr_pool { + type = keyed-balance + home_server = eduroam_flr_server_1 + home_server = eduroam_flr_server_2 +} +realm eduroam_flr { + auth_pool = eduroam_flr_pool + nostrip +} diff --git a/ops/nixos/bvm-radius/raddb/radiusd.conf b/ops/nixos/bvm-radius/raddb/radiusd.conf new file mode 100644 index 0000000000..91c2eb49e3 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/radiusd.conf @@ -0,0 +1,902 @@ +# -*- text -*- +## +## radiusd.conf -- FreeRADIUS server configuration file - 3.0.21 +## +## http://www.freeradius.org/ +## $Id: e8aee3c00193127177cd65e31156c1d0f4b124d3 $ +## + +###################################################################### +# +# The format of this (and other) configuration file is +# documented in "man unlang". There are also READMEs in many +# subdirectories: +# +# raddb/README.rst +# How to upgrade from v2. +# +# raddb/mods-available/README.rst +# How to use mods-available / mods-enabled. +# All of the modules are in individual files, +# along with configuration items and full documentation. +# +# raddb/sites-available/README +# virtual servers, "listen" sections, clients, etc. +# The "sites-available" directory contains many +# worked examples of common configurations. +# +# raddb/certs/README +# How to create certificates for EAP or RadSec. +# +# Every configuration item in the server is documented +# extensively in the comments in the example configuration +# files. +# +# Before editing this (or any other) configuration file, PLEASE +# read "man radiusd". See the section titled DEBUGGING. It +# outlines a method where you can quickly create the +# configuration you want, with minimal effort. +# +# Run the server in debugging mode, and READ the output. +# +# $ radiusd -X +# +# We cannot emphasize this point strongly enough. The vast +# majority of problems can be solved by carefully reading the +# debugging output, which includes warnings about common issues, +# and suggestions for how they may be fixed. +# +# There may be a lot of output, but look carefully for words like: +# "warning", "error", "reject", or "failure". The messages there +# will usually be enough to guide you to a solution. +# +# More documentation on "radiusd -X" is available on the wiki: +# https://wiki.freeradius.org/radiusd-X +# +# If you are going to ask a question on the mailing list, then +# explain what you are trying to do, and include the output from +# debugging mode (radiusd -X). Failure to do so means that all +# of the responses to your question will be people telling you +# to "post the output of radiusd -X". +# +# Guidelines for posting to the mailing list are on the wiki: +# https://wiki.freeradius.org/list-help +# +# Please read those guidelines before posting to the list. +# +# Further documentation is available in the "doc" directory +# of the server distribution, or on the wiki at: +# https://wiki.freeradius.org/ +# +# New users to RADIUS should read the Technical Guide. That guide +# explains how RADIUS works, how FreeRADIUS works, and what each +# part of a RADIUS system does. It is not just "configure FreeRADIUS"! +# https://networkradius.com/doc/FreeRADIUS-Technical-Guide.pdf +# +# More documentation on dictionaries, modules, unlang, etc. is also +# available on the Network RADIUS web site: +# https://networkradius.com/freeradius-documentation/ +# + +###################################################################### + +prefix = {{FREERADIUS_LOC}} +exec_prefix = ${prefix} +sysconfdir = /etc +localstatedir = /var +sbindir = ${prefix}/sbin +logdir = ${localstatedir}/log/radius +raddbdir = ${sysconfdir}/raddb +radacctdir = ${logdir}/radacct + +# +# name of the running server. See also the "-n" command-line option. +name = radiusd + +# Location of config and logfiles. +confdir = ${raddbdir} +modconfdir = ${confdir}/mods-config +certdir = ${confdir}/certs +cadir = ${confdir}/certs +run_dir = ${localstatedir}/run/${name} + +# Should likely be ${localstatedir}/lib/radiusd +db_dir = ${raddbdir} + +# +# libdir: Where to find the rlm_* modules. +# +# This should be automatically set at configuration time. +# +# If the server builds and installs, but fails at execution time +# with an 'undefined symbol' error, then you can use the libdir +# directive to work around the problem. +# +# The cause is usually that a library has been installed on your +# system in a place where the dynamic linker CANNOT find it. When +# executing as root (or another user), your personal environment MAY +# be set up to allow the dynamic linker to find the library. When +# executing as a daemon, FreeRADIUS MAY NOT have the same +# personalized configuration. +# +# To work around the problem, find out which library contains that symbol, +# and add the directory containing that library to the end of 'libdir', +# with a colon separating the directory names. NO spaces are allowed. +# +# e.g. libdir = /usr/local/lib:/opt/package/lib +# +# You can also try setting the LD_LIBRARY_PATH environment variable +# in a script which starts the server. +# +# If that does not work, then you can re-configure and re-build the +# server to NOT use shared libraries, via: +# +# ./configure --disable-shared +# make +# make install +# +libdir = ${prefix}/lib + +# pidfile: Where to place the PID of the RADIUS server. +# +# The server may be signalled while it's running by using this +# file. +# +# This file is written when ONLY running in daemon mode. +# +# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid` +# +pidfile = ${run_dir}/${name}.pid + +# +# correct_escapes: use correct backslash escaping +# +# Prior to version 3.0.5, the handling of backslashes was a little +# awkward, i.e. "wrong". In some cases, to get one backslash into +# a regex, you had to put 4 in the config files. +# +# Version 3.0.5 fixes that. However, for backwards compatibility, +# the new method of escaping is DISABLED BY DEFAULT. This means +# that upgrading to 3.0.5 won't break your configuration. +# +# If you don't have double backslashes (i.e. \\) in your configuration, +# this won't matter to you. If you do have them, fix that to use only +# one backslash, and then set "correct_escapes = true". +# +# You can check for this by doing: +# +# $ grep '\\\\' $(find raddb -type f -print) +# +correct_escapes = true + +# panic_action: Command to execute if the server dies unexpectedly. +# +# FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT. +# AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS. +# AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART. +# +# THE SERVER MUST NOT BE ALLOWED EXECUTE UNTRUSTED PANIC ACTION CODE +# PATTACH CAN BE USED AS AN ATTACK VECTOR. +# +# The panic action is a command which will be executed if the server +# receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS, +# SIGABRT or SIGFPE. +# +# This can be used to start an interactive debugging session so +# that information regarding the current state of the server can +# be acquired. +# +# The following string substitutions are available: +# - %e The currently executing program e.g. /sbin/radiusd +# - %p The PID of the currently executing program e.g. 12345 +# +# Standard ${} substitutions are also allowed. +# +# An example panic action for opening an interactive session in GDB would be: +# +#panic_action = "gdb %e %p" +# +# Again, don't use that on a production system. +# +# An example panic action for opening an automated session in GDB would be: +# +#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log" +# +# That command can be used on a production system. +# + +# max_request_time: The maximum time (in seconds) to handle a request. +# +# Requests which take more time than this to process may be killed, and +# a REJECT message is returned. +# +# WARNING: If you notice that requests take a long time to be handled, +# then this MAY INDICATE a bug in the server, in one of the modules +# used to handle a request, OR in your local configuration. +# +# This problem is most often seen when using an SQL database. If it takes +# more than a second or two to receive an answer from the SQL database, +# then it probably means that you haven't indexed the database. See your +# SQL server documentation for more information. +# +# Useful range of values: 5 to 120 +# +max_request_time = 30 + +# cleanup_delay: The time to wait (in seconds) before cleaning up +# a reply which was sent to the NAS. +# +# The RADIUS request is normally cached internally for a short period +# of time, after the reply is sent to the NAS. The reply packet may be +# lost in the network, and the NAS will not see it. The NAS will then +# re-send the request, and the server will respond quickly with the +# cached reply. +# +# If this value is set too low, then duplicate requests from the NAS +# MAY NOT be detected, and will instead be handled as separate requests. +# +# If this value is set too high, then the server will cache too many +# requests, and some new requests may get blocked. (See 'max_requests'.) +# +# Useful range of values: 2 to 30 +# +cleanup_delay = 5 + +# max_requests: The maximum number of requests which the server keeps +# track of. This should be 256 multiplied by the number of clients. +# e.g. With 4 clients, this number should be 1024. +# +# If this number is too low, then when the server becomes busy, +# it will not respond to any new requests, until the 'cleanup_delay' +# time has passed, and it has removed the old requests. +# +# If this number is set too high, then the server will use a bit more +# memory for no real benefit. +# +# If you aren't sure what it should be set to, it's better to set it +# too high than too low. Setting it to 1000 per client is probably +# the highest it should be. +# +# Useful range of values: 256 to infinity +# +max_requests = 16384 + +# hostname_lookups: Log the names of clients or just their IP addresses +# e.g., www.freeradius.org (on) or 206.47.27.232 (off). +# +# The default is 'off' because it would be overall better for the net +# if people had to knowingly turn this feature on, since enabling it +# means that each client request will result in AT LEAST one lookup +# request to the nameserver. Enabling hostname_lookups will also +# mean that your server may stop randomly for 30 seconds from time +# to time, if the DNS requests take too long. +# +# Turning hostname lookups off also means that the server won't block +# for 30 seconds, if it sees an IP address which has no name associated +# with it. +# +# allowed values: {no, yes} +# +hostname_lookups = no + +# +# Logging section. The various "log_*" configuration items +# will eventually be moved here. +# +log { + # + # Destination for log messages. This can be one of: + # + # files - log to "file", as defined below. + # syslog - to syslog (see also the "syslog_facility", below. + # stdout - standard output + # stderr - standard error. + # + # The command-line option "-X" over-rides this option, and forces + # logging to go to stdout. + # + destination = files + + # + # Highlight important messages sent to stderr and stdout. + # + # Option will be ignored (disabled) if output if TERM is not + # an xterm or output is not to a TTY. + # + colourise = yes + + # + # The logging messages for the server are appended to the + # tail of this file if destination == "files" + # + # If the server is running in debugging mode, this file is + # NOT used. + # + file = ${logdir}/radius.log + + # + # Which syslog facility to use, if ${destination} == "syslog" + # + # The exact values permitted here are OS-dependent. You probably + # don't want to change this. + # + syslog_facility = daemon + + # Log the full User-Name attribute, as it was found in the request. + # + # allowed values: {no, yes} + # + stripped_names = no + + # Log all (accept and reject) authentication results to the log file. + # + # This is the same as setting "auth_accept = yes" and + # "auth_reject = yes" + # + # allowed values: {no, yes} + # + auth = no + + # Log Access-Accept results to the log file. + # + # This is only used if "auth = no" + # + # allowed values: {no, yes} + # +# auth_accept = no + + # Log Access-Reject results to the log file. + # + # This is only used if "auth = no" + # + # allowed values: {no, yes} + # +# auth_reject = no + + # Log passwords with the authentication requests. + # auth_badpass - logs password if it's rejected + # auth_goodpass - logs password if it's correct + # + # allowed values: {no, yes} + # + auth_badpass = no + auth_goodpass = no + + # Log additional text at the end of the "Login OK" messages. + # for these to work, the "auth" and "auth_goodpass" or "auth_badpass" + # configurations above have to be set to "yes". + # + # The strings below are dynamically expanded, which means that + # you can put anything you want in them. However, note that + # this expansion can be slow, and can negatively impact server + # performance. + # +# msg_goodpass = "" +# msg_badpass = "" + + # The message when the user exceeds the Simultaneous-Use limit. + # + msg_denied = "You are already logged in - access denied" +} + +# The program to execute to do concurrency checks. +checkrad = ${sbindir}/checkrad + +# +# ENVIRONMENT VARIABLES +# +# You can reference environment variables using an expansion like +# `$ENV{PATH}`. However it is sometimes useful to be able to also set +# environment variables. This section lets you do that. +# +# The main purpose of this section is to allow administrators to keep +# RADIUS-specific configuration in the RADIUS configuration files. +# For example, if you need to set an environment variable which is +# used by a module. You could put that variable into a shell script, +# but that's awkward. Instead, just list it here. +# +# Note that these environment variables are set AFTER the +# configuration file is loaded. So you cannot set FOO here, and +# expect to reference it via `$ENV{FOO}` in another configuration file. +# You should instead just use a normal configuration variable for +# that. +# +ENV { + # + # Set environment varable `FOO` to value '/bar/baz'. + # + # NOTE: Note that you MUST use '='. You CANNOT use '+=' to append + # values. + # +# FOO = '/bar/baz' + + # + # Delete environment variable `BAR`. + # +# BAR + + # + # `LD_PRELOAD` is special. It is normally set before the + # application runs, and is interpreted by the dynamic linker. + # Which means you cannot set it inside of an application, and + # expect it to load libraries. + # + # Since this functionality is useful, we extend it here. + # + # You can set + # + # LD_PRELOAD = /path/to/library.so + # + # and the server will load the named libraries. Multiple + # libraries can be loaded by specificing multiple individual + # `LD_PRELOAD` entries. + # + # +# LD_PRELOAD = /path/to/library1.so +# LD_PRELOAD = /path/to/library2.so +} + +# SECURITY CONFIGURATION +# +# There may be multiple methods of attacking on the server. This +# section holds the configuration items which minimize the impact +# of those attacks +# +security { + # chroot: directory where the server does "chroot". + # + # The chroot is done very early in the process of starting + # the server. After the chroot has been performed it + # switches to the "user" listed below (which MUST be + # specified). If "group" is specified, it switches to that + # group, too. Any other groups listed for the specified + # "user" in "/etc/group" are also added as part of this + # process. + # + # The current working directory (chdir / cd) is left + # *outside* of the chroot until all of the modules have been + # initialized. This allows the "raddb" directory to be left + # outside of the chroot. Once the modules have been + # initialized, it does a "chdir" to ${logdir}. This means + # that it should be impossible to break out of the chroot. + # + # If you are worried about security issues related to this + # use of chdir, then simply ensure that the "raddb" directory + # is inside of the chroot, end be sure to do "cd raddb" + # BEFORE starting the server. + # + # If the server is statically linked, then the only files + # that have to exist in the chroot are ${run_dir} and + # ${logdir}. If you do the "cd raddb" as discussed above, + # then the "raddb" directory has to be inside of the chroot + # directory, too. + # +# chroot = /path/to/chroot/directory + + # user/group: The name (or #number) of the user/group to run radiusd as. + # + # If these are commented out, the server will run as the + # user/group that started it. In order to change to a + # different user/group, you MUST be root ( or have root + # privileges ) to start the server. + # + # We STRONGLY recommend that you run the server with as few + # permissions as possible. That is, if you're not using + # shadow passwords, the user and group items below should be + # set to radius'. + # + # NOTE that some kernels refuse to setgid(group) when the + # value of (unsigned)group is above 60000; don't use group + # "nobody" on these systems! + # + # On systems with shadow passwords, you might have to set + # 'group = shadow' for the server to be able to read the + # shadow password file. If you can authenticate users while + # in debug mode, but not in daemon mode, it may be that the + # debugging mode server is running as a user that can read + # the shadow info, and the user listed below can not. + # + # The server will also try to use "initgroups" to read + # /etc/groups. It will join all groups where "user" is a + # member. This can allow for some finer-grained access + # controls. + # +# user = radius +# group = radius + + # Core dumps are a bad thing. This should only be set to + # 'yes' if you're debugging a problem with the server. + # + # allowed values: {no, yes} + # + allow_core_dumps = no + + # + # max_attributes: The maximum number of attributes + # permitted in a RADIUS packet. Packets which have MORE + # than this number of attributes in them will be dropped. + # + # If this number is set too low, then no RADIUS packets + # will be accepted. + # + # If this number is set too high, then an attacker may be + # able to send a small number of packets which will cause + # the server to use all available memory on the machine. + # + # Setting this number to 0 means "allow any number of attributes" + max_attributes = 200 + + # + # reject_delay: When sending an Access-Reject, it can be + # delayed for a few seconds. This may help slow down a DoS + # attack. It also helps to slow down people trying to brute-force + # crack a users password. + # + # Setting this number to 0 means "send rejects immediately" + # + # If this number is set higher than 'cleanup_delay', then the + # rejects will be sent at 'cleanup_delay' time, when the request + # is deleted from the internal cache of requests. + # + # As of Version 3.0.5, "reject_delay" has sub-second resolution. + # e.g. "reject_delay = 1.4" seconds is possible. + # + # Useful ranges: 1 to 5 + reject_delay = 1 + + # + # status_server: Whether or not the server will respond + # to Status-Server requests. + # + # When sent a Status-Server message, the server responds with + # an Access-Accept or Accounting-Response packet. + # + # This is mainly useful for administrators who want to "ping" + # the server, without adding test users, or creating fake + # accounting packets. + # + # It's also useful when a NAS marks a RADIUS server "dead". + # The NAS can periodically "ping" the server with a Status-Server + # packet. If the server responds, it must be alive, and the + # NAS can start using it for real requests. + # + # See also raddb/sites-available/status + # + status_server = yes + + # + # allow_vulnerable_openssl: Allow the server to start with + # versions of OpenSSL known to have critical vulnerabilities. + # + # This check is based on the version number reported by libssl + # and may not reflect patches applied to libssl by + # distribution maintainers. + # + allow_vulnerable_openssl = no +} + +# PROXY CONFIGURATION +# +# proxy_requests: Turns proxying of RADIUS requests on or off. +# +# The server has proxying turned on by default. If your system is NOT +# set up to proxy requests to another server, then you can turn proxying +# off here. This will save a small amount of resources on the server. +# +# If you have proxying turned off, and your configuration files say +# to proxy a request, then an error message will be logged. +# +# To disable proxying, change the "yes" to "no", and comment the +# $INCLUDE line. +# +# allowed values: {no, yes} +# +proxy_requests = yes +$INCLUDE proxy.conf + + +# CLIENTS CONFIGURATION +# +# Client configuration is defined in "clients.conf". +# + +# The 'clients.conf' file contains all of the information from the old +# 'clients' and 'naslist' configuration files. We recommend that you +# do NOT use 'client's or 'naslist', although they are still +# supported. +# +# Anything listed in 'clients.conf' will take precedence over the +# information from the old-style configuration files. +# +$INCLUDE clients.conf + + +# THREAD POOL CONFIGURATION +# +# The thread pool is a long-lived group of threads which +# take turns (round-robin) handling any incoming requests. +# +# You probably want to have a few spare threads around, +# so that high-load situations can be handled immediately. If you +# don't have any spare threads, then the request handling will +# be delayed while a new thread is created, and added to the pool. +# +# You probably don't want too many spare threads around, +# otherwise they'll be sitting there taking up resources, and +# not doing anything productive. +# +# The numbers given below should be adequate for most situations. +# +thread pool { + # Number of servers to start initially --- should be a reasonable + # ballpark figure. + start_servers = 5 + + # Limit on the total number of servers running. + # + # If this limit is ever reached, clients will be LOCKED OUT, so it + # should NOT BE SET TOO LOW. It is intended mainly as a brake to + # keep a runaway server from taking the system with it as it spirals + # down... + # + # You may find that the server is regularly reaching the + # 'max_servers' number of threads, and that increasing + # 'max_servers' doesn't seem to make much difference. + # + # If this is the case, then the problem is MOST LIKELY that + # your back-end databases are taking too long to respond, and + # are preventing the server from responding in a timely manner. + # + # The solution is NOT do keep increasing the 'max_servers' + # value, but instead to fix the underlying cause of the + # problem: slow database, or 'hostname_lookups=yes'. + # + # For more information, see 'max_request_time', above. + # + max_servers = 32 + + # Server-pool size regulation. Rather than making you guess + # how many servers you need, FreeRADIUS dynamically adapts to + # the load it sees, that is, it tries to maintain enough + # servers to handle the current load, plus a few spare + # servers to handle transient load spikes. + # + # It does this by periodically checking how many servers are + # waiting for a request. If there are fewer than + # min_spare_servers, it creates a new spare. If there are + # more than max_spare_servers, some of the spares die off. + # The default values are probably OK for most sites. + # + min_spare_servers = 3 + max_spare_servers = 10 + + # When the server receives a packet, it places it onto an + # internal queue, where the worker threads (configured above) + # pick it up for processing. The maximum size of that queue + # is given here. + # + # When the queue is full, any new packets will be silently + # discarded. + # + # The most common cause of the queue being full is that the + # server is dependent on a slow database, and it has received + # a large "spike" of traffic. When that happens, there is + # very little you can do other than make sure the server + # receives less traffic, or make sure that the database can + # handle the load. + # +# max_queue_size = 65536 + + # Clean up old threads periodically. For no reason other than + # it might be useful. + # + # '0' is a special value meaning 'infinity', or 'the servers never + # exit' + max_requests_per_server = 0 + + # Automatically limit the number of accounting requests. + # This configuration item tracks how many requests per second + # the server can handle. It does this by tracking the + # packets/s received by the server for processing, and + # comparing that to the packets/s handled by the child + # threads. + # + + # If the received PPS is larger than the processed PPS, *and* + # the queue is more than half full, then new accounting + # requests are probabilistically discarded. This lowers the + # number of packets that the server needs to process. Over + # time, the server will "catch up" with the traffic. + # + # Throwing away accounting packets is usually safe and low + # impact. The NAS will retransmit them in a few seconds, or + # even a few minutes. Vendors should read RFC 5080 Section 2.2.1 + # to see how accounting packets should be retransmitted. Using + # any other method is likely to cause network meltdowns. + # + auto_limit_acct = no +} + +###################################################################### +# +# SNMP notifications. Uncomment the following line to enable +# snmptraps. Note that you MUST also configure the full path +# to the "snmptrap" command in the "trigger.conf" file. +# +#$INCLUDE trigger.conf + +# MODULE CONFIGURATION +# +# The names and configuration of each module is located in this section. +# +# After the modules are defined here, they may be referred to by name, +# in other sections of this configuration file. +# +modules { + # + # Each module has a configuration as follows: + # + # name [ instance ] { + # config_item = value + # ... + # } + # + # The 'name' is used to load the 'rlm_name' library + # which implements the functionality of the module. + # + # The 'instance' is optional. To have two different instances + # of a module, it first must be referred to by 'name'. + # The different copies of the module are then created by + # inventing two 'instance' names, e.g. 'instance1' and 'instance2' + # + # The instance names can then be used in later configuration + # INSTEAD of the original 'name'. See the 'radutmp' configuration + # for an example. + # + + # + # Some modules have ordering issues. e.g. "sqlippool" uses + # the configuration from "sql". In that case, the "sql" + # module must be read off of disk before the "sqlippool". + # However, the directory inclusion below just reads the + # directory from start to finish. Which means that the + # modules are read off of disk randomly. + # + # As of 3.0.18, you can list individual modules *before* the + # directory inclusion. Those modules will be loaded first. + # Then, when the directory is read, those modules will be + # skipped and not read twice. + # +# $INCLUDE mods-enabled/sql + + # + # As of 3.0, modules are in mods-enabled/. Files matching + # the regex /[a-zA-Z0-9_.]+/ are loaded. The modules are + # initialized ONLY if they are referenced in a processing + # section, such as authorize, authenticate, accounting, + # pre/post-proxy, etc. + # + $INCLUDE mods-enabled/ +} + +# Instantiation +# +# This section sets the instantiation order of the modules. listed +# here will get started up BEFORE the sections like authorize, +# authenticate, etc. get examined. +# +# This section is not strictly needed. When a section like authorize +# refers to a module, the module is automatically loaded and +# initialized. However, some modules may not be listed in any of the +# processing sections, so they should be listed here. +# +# Also, listing modules here ensures that you have control over +# the order in which they are initialized. If one module needs +# something defined by another module, you can list them in order +# here, and ensure that the configuration will be OK. +# +# After the modules listed here have been loaded, all of the modules +# in the "mods-enabled" directory will be loaded. Loading the +# "mods-enabled" directory means that unlike Version 2, you usually +# don't need to list modules here. +# +instantiate { + # + # We list the counter module here so that it registers + # the check_name attribute before any module which sets + # it +# daily + + # subsections here can be thought of as "virtual" modules. + # + # e.g. If you have two redundant SQL servers, and you want to + # use them in the authorize and accounting sections, you could + # place a "redundant" block in each section, containing the + # exact same text. Or, you could uncomment the following + # lines, and list "redundant_sql" in the authorize and + # accounting sections. + # + # The "virtual" module defined here can also be used with + # dynamic expansions, under a few conditions: + # + # * The section is "redundant", or "load-balance", or + # "redundant-load-balance" + # * The section contains modules ONLY, and no sub-sections + # * all modules in the section are using the same rlm_ + # driver, e.g. They are all sql, or all ldap, etc. + # + # When those conditions are satisfied, the server will + # automatically register a dynamic expansion, using the + # name of the "virtual" module. In the example below, + # it will be "redundant_sql". You can then use this expansion + # just like any other: + # + # update reply { + # Filter-Id := "%{redundant_sql: ... }" + # } + # + # In this example, the expansion is done via module "sql1", + # and if that expansion fails, using module "sql2". + # + # For best results, configure the "pool" subsection of the + # module so that "retry_delay" is non-zero. That will allow + # the redundant block to quickly ignore all "down" SQL + # databases. If instead we have "retry_delay = 0", then + # every time the redundant block is used, the server will try + # to open a connection to every "down" database, causing + # problems. + # + #redundant redundant_sql { + # sql1 + # sql2 + #} +} + +###################################################################### +# +# Policies are virtual modules, similar to those defined in the +# "instantiate" section above. +# +# Defining a policy in one of the policy.d files means that it can be +# referenced in multiple places as a *name*, rather than as a series of +# conditions to match, and actions to take. +# +# Policies are something like subroutines in a normal language, but +# they cannot be called recursively. They MUST be defined in order. +# If policy A calls policy B, then B MUST be defined before A. +# +###################################################################### +policy { + $INCLUDE policy.d/ +} + +###################################################################### +# +# Load virtual servers. +# +# This next $INCLUDE line loads files in the directory that +# match the regular expression: /[a-zA-Z0-9_.]+/ +# +# It allows you to define new virtual servers simply by placing +# a file into the raddb/sites-enabled/ directory. +# +$INCLUDE sites-enabled/ + +###################################################################### +# +# All of the other configuration sections like "authorize {}", +# "authenticate {}", "accounting {}", have been moved to the +# the file: +# +# raddb/sites-available/default +# +# This is the "default" virtual server that has the same +# configuration as in version 1.0.x and 1.1.x. The default +# installation enables this virtual server. You should +# edit it to create policies for your local site. +# +# For more documentation on virtual servers, see: +# +# raddb/sites-available/README +# +###################################################################### diff --git a/ops/nixos/bvm-radius/raddb/sites-available/eduroam b/ops/nixos/bvm-radius/raddb/sites-available/eduroam new file mode 100644 index 0000000000..984b7202f7 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/sites-available/eduroam @@ -0,0 +1,113 @@ +operator_name = "as205479.net" + +# The VLAN to assign eduroam visitors +eduroam_default_guest_vlan = "100" + +# The VLAN to assign your students/staff +eduroam_default_local_vlan = "100" + +server eduroam { + listen { + type = auth + ipv6addr = * + port = 1812 + } + listen { + type = auth + ipv4addr = * + port = 1812 + } + + authorize { + # Log requests before we change them + linelog_recv_request + + # split_username_nai is a policy in the default distribution to + # split a username into username and domain. We reject user-name + # strings without domains, as they're not routable. + split_username_nai + if (noop || !&Stripped-User-Domain) { + reject + } + + # Send the request to the NRO for your region. + # The details of the FLRs (Federation Level RADIUS servers) + # are in proxy.conf. + # You can make this condition as complex as you like, to + # include additional subdomains just concatenate the conditions + # with &&. + if (&Stripped-User-Domain != "${operator_name}") { + update { + control:Load-Balance-Key := &Calling-Station-ID + control:Proxy-To-Realm := 'eduroam_flr' + + # Operator name (RFC 5580) identifies the network the + # request originated from. It's not absolutely necessary + # but it helps with debugging. + request:Operator-Name := "1${operator_name}" + } + return + } + + # If the EAP module returns 'ok' or 'updated', it means it has handled + # the request and we don't need to call any other modules in this + # section. + eap { + ok = return + updated = return + } + } + + pre-proxy { + attr_filter.pre-proxy + linelog_send_proxy_request + } + + post-proxy { + attr_filter.post-proxy + linelog_recv_proxy_response + } + + authenticate { + eap + } + + post-auth { + # To implement eduroam you must: + # - Use wireless access points or a controller which supports + # dynamic VLAN assignments. + # - Have that feature enabled. + # - Have the guest_vlan/local_vlan available to the controller, + # or to all your access points. + # eduroam user traffic *MUST* be segregated, this is *NOT* optional. + update reply { + Tunnel-Type := VLAN + Tunnel-Medium-Type := IEEE-802 + } + if (&control:Proxy-To-Realm) { + update reply { + Tunnel-Private-Group-ID = ${eduroam_default_guest_vlan} + } + } + else { + update reply { + Tunnel-Private-Group-ID = ${eduroam_default_local_vlan} + } + } + + # We're sending a response to one of OUR network devices for one of + # OUR users so provide it with the real user-identity. + if (&session-state:Stripped-User-Name) { + update reply { + User-Name := "%{session-state:Stripped-User-Name}@%{Stripped-User-Domain}" + } + } + + linelog_send_accept + + Post-Auth-Type REJECT { + attr_filter.access_reject + linelog_send_reject + } + } +} diff --git a/ops/nixos/bvm-radius/raddb/sites-available/inner-tunnel-eduroam b/ops/nixos/bvm-radius/raddb/sites-available/inner-tunnel-eduroam new file mode 100644 index 0000000000..bc08f6fc06 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/sites-available/inner-tunnel-eduroam @@ -0,0 +1,71 @@ +server eduroam-inner { + listen { + type = auth + ipv6addr = * + port = 18120 # Used for testing only. Requests proxied internally. + } + listen { + type = auth + ipv4addr = * + port = 18120 # Used for testing only. Requests proxied internally. + } + + authorize { + # The outer username is considered garabage for autz purposes, but + # the domain portion of the outer and inner identities must match. + split_username_nai + if (noop || (&Stripped-User-Domain && \ + (&outer.Stripped-User-Domain != &Stripped-User-Domain))) { + reject + } + + # Make the user's real identity available to anything that needs + # it in the outer server. + if (&outer.session-state:) + update { + &outer.session-state:Stripped-User-Name := &Stripped-User-Name + } + } + + # EAP for PEAPv0 (EAP-MSCHAPv2) + inner-eap { + ok = return + } + + # THIS IS SITE SPECIFIC + # + # The files module is *ONLY* used for testing. It lets you define + # credentials in a flat file, IT WILL NOT SCALE. + # + # - If you use OpenLDAP with salted password hashes you should + # call the 'ldap' module here and use EAP-TTLS-PAP as your EAP method. + # - If you use OpenLDAP with cleartext passwords you should + # call the 'ldap' module here and use EAP-TTLS or PEAPv0. + # - If you use an SQL DB with salted password hashes you should call + # the 'sql' module here and use EAP-TTLS-PAP as your EAP method. + # - If you use an SQL DB with cleartext passwords you should call + # the 'sql' module here and use EAP-TTLS or PEAPv0. + # - If you use Novell you should call the 'ldap' module here and + # set ``edir = yes`` in ``mods-available/ldap`` and use EAP-TTLS or + # PEAPv0. + # - If you use Active Directory, you don't need anything here (remove + # the call to files) but you'll need to follow this + # [guide](freeradius-active-directory-integration-howto) and use + # EAP-TTLS-PAP or PEAPv0. + # - If you're using EAP-TLS (i'm impressed!) remove the call to files. + # + # EAP-TTLS-PAP and PEAPv0 are equally secure/insecure depending on how the + # supplicant is configured. PEAPv0 has a slight edge in that you need to + # crack MSCHAPv2 to get the user's password (but this is not hard). + files + + pap + mschap + } + + authenticate { + inner-eap + mschap + pap + } +} diff --git a/ops/nixos/bvm-radius/raddb/sites-enabled/eduroam b/ops/nixos/bvm-radius/raddb/sites-enabled/eduroam new file mode 120000 index 0000000000..78ff563fd6 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/sites-enabled/eduroam @@ -0,0 +1 @@ +../sites-available/eduroam \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/sites-enabled/inner-tunnel-eduroam b/ops/nixos/bvm-radius/raddb/sites-enabled/inner-tunnel-eduroam new file mode 120000 index 0000000000..48b9b39f3e --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/sites-enabled/inner-tunnel-eduroam @@ -0,0 +1 @@ +../sites-available/inner-tunnel-eduroam \ No newline at end of file diff --git a/ops/nixos/bvm-radius/raddb/users b/ops/nixos/bvm-radius/raddb/users new file mode 120000 index 0000000000..458cce2563 --- /dev/null +++ b/ops/nixos/bvm-radius/raddb/users @@ -0,0 +1 @@ +./mods-config/files/authorize \ No newline at end of file diff --git a/ops/nixos/bvm-radius/radius.nix b/ops/nixos/bvm-radius/radius.nix new file mode 100644 index 0000000000..03a6bfd449 --- /dev/null +++ b/ops/nixos/bvm-radius/radius.nix @@ -0,0 +1,46 @@ +# SPDX-FileCopyrightText: 2021 Luke Granger-Brown +# +# SPDX-License-Identifier: Apache-2.0 + +{ pkgs, depot, ... }: + +let + freeradiusConfig = pkgs.runCommandLocal "freeradius-config" (depot.ops.secrets.radius // { + freeradius = pkgs.freeradius; + raddb = ./raddb; + }) '' + cp -R $raddb $out + chmod -R +w $out + + for f in $out/{radiusd,clients,proxy}.conf $out/mods-config/files/authorize; do + substituteInPlace "$f" \ + --replace "{{FREERADIUS_LOC}}" "$freeradius" \ + --replace "{{JANET_ROAMING0_SECRET}}" "$janetroaming0" \ + --replace "{{JANET_ROAMING1_SECRET}}" "$janetroaming1" \ + --replace "{{JANET_ROAMING2_SECRET}}" "$janetroaming2" \ + --replace "{{WLC_SECRET}}" "$wlc" \ + --replace "{{USER_TESTUSER_PASSWORD}}" "$testuser" \ + --replace "{{USER_LUKEGB_PASSWORD}}" "$lukegb" + done + + # can't check the config; it relies on things out-of-store + # ${pkgs.freeradius}/bin/radiusd -C -sxl stdout -d $out + ''; +in { + environment.systemPackages = [ + pkgs.freeradius + depot.pkgs.eapol-test + ]; + + services.freeradius = { + enable = true; + configDir = freeradiusConfig; + }; + + users.users.radius = { + group = "radius"; + extraGroups = [ "acme" ]; + isSystemUser = true; + }; + users.groups.radius = {}; +}