bvm-radius: add freeradius configuration
This commit is contained in:
parent
a8718864c1
commit
d6bd6e85ca
88 changed files with 4448 additions and 5 deletions
|
@ -8,6 +8,7 @@ let
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
../lib/bvm.nix
|
../lib/bvm.nix
|
||||||
|
./radius.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
# Networking!
|
# Networking!
|
||||||
|
@ -60,10 +61,5 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
|
||||||
freeradius
|
|
||||||
depot.pkgs.eapol-test
|
|
||||||
];
|
|
||||||
|
|
||||||
system.stateVersion = "21.05";
|
system.stateVersion = "21.05";
|
||||||
}
|
}
|
||||||
|
|
34
ops/nixos/bvm-radius/raddb/clients.conf
Normal file
34
ops/nixos/bvm-radius/raddb/clients.conf
Normal file
|
@ -0,0 +1,34 @@
|
||||||
|
client localhost {
|
||||||
|
ipaddr = 127.0.0.1
|
||||||
|
secret = testing123
|
||||||
|
}
|
||||||
|
|
||||||
|
client eduroam_flr_server_1_v4 {
|
||||||
|
# roaming0.ja.net
|
||||||
|
ipaddr = 194.82.174.185
|
||||||
|
secret = {{JANET_ROAMING0_SECRET}}
|
||||||
|
nastype = 'eduroam_flr'
|
||||||
|
}
|
||||||
|
client eduroam_flr_server_1_v6 {
|
||||||
|
# roaming0.ja.net
|
||||||
|
ipv6addr = 2001:630:1:128::185
|
||||||
|
secret = {{JANET_ROAMING0_SECRET}}
|
||||||
|
nastype = 'eduroam_flr'
|
||||||
|
}
|
||||||
|
client eduroam_flr_server_2_v4 {
|
||||||
|
# roaming1.ja.net
|
||||||
|
ipaddr = 194.83.56.233
|
||||||
|
secret = {{JANET_ROAMING1_SECRET}}
|
||||||
|
nastype = 'eduroam_flr'
|
||||||
|
}
|
||||||
|
client eduroam_flr_server_2_v6 {
|
||||||
|
# roaming1.ja.net
|
||||||
|
ipv6addr = 2001:630:1:12a::233
|
||||||
|
secret = {{JANET_ROAMING1_SECRET}}
|
||||||
|
nastype = 'eduroam_flr'
|
||||||
|
}
|
||||||
|
|
||||||
|
client wireless_access_points_mgmt {
|
||||||
|
ipaddr = 92.118.30.0/24
|
||||||
|
secret = {{WLC_SECRET}}
|
||||||
|
}
|
49
ops/nixos/bvm-radius/raddb/dictionary
Normal file
49
ops/nixos/bvm-radius/raddb/dictionary
Normal file
|
@ -0,0 +1,49 @@
|
||||||
|
#
|
||||||
|
# This is the local dictionary file which can be
|
||||||
|
# edited by local administrators. It will be loaded
|
||||||
|
# AFTER the main dictionary files are loaded.
|
||||||
|
#
|
||||||
|
# As of version 3.0.2, FreeRADIUS will automatically
|
||||||
|
# load the main dictionary files from
|
||||||
|
#
|
||||||
|
# ${prefix}/share/freeradius/dictionary
|
||||||
|
#
|
||||||
|
# It is no longer necessary for this file to $INCLUDE
|
||||||
|
# the main dictionaries. However, if the $INCLUDE
|
||||||
|
# line is here, nothing bad will happen.
|
||||||
|
#
|
||||||
|
# Any new/changed attributes MUST be placed in this file.
|
||||||
|
# The pre-defined dictionaries SHOULD NOT be edited.
|
||||||
|
#
|
||||||
|
# See "man dictionary" for documentation on its format.
|
||||||
|
#
|
||||||
|
# $Id: eed5d70f41b314f9ed3f006a22d9f9a2be2c9516 $
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# All local attributes and $INCLUDE's should go into
|
||||||
|
# this file.
|
||||||
|
#
|
||||||
|
|
||||||
|
# If you want to add entries to the dictionary file,
|
||||||
|
# which are NOT going to be placed in a RADIUS packet,
|
||||||
|
# add them to the 'dictionary.local' file.
|
||||||
|
#
|
||||||
|
# The numbers you pick should be between 3000 and 4000.
|
||||||
|
# These attributes will NOT go into a RADIUS packet.
|
||||||
|
#
|
||||||
|
# If you want that, you will need to use VSAs. This means
|
||||||
|
# requesting allocation of a Private Enterprise Code from
|
||||||
|
# http://iana.org. We STRONGLY suggest doing that only if
|
||||||
|
# you are a vendor of RADIUS equipment.
|
||||||
|
#
|
||||||
|
# See RFC 6158 for more details.
|
||||||
|
# http://ietf.org/rfc/rfc6158.txt
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# These attributes are examples
|
||||||
|
#
|
||||||
|
#ATTRIBUTE My-Local-String 3000 string
|
||||||
|
#ATTRIBUTE My-Local-IPAddr 3001 ipaddr
|
||||||
|
#ATTRIBUTE My-Local-Integer 3002 integer
|
1
ops/nixos/bvm-radius/raddb/hints
Symbolic link
1
ops/nixos/bvm-radius/raddb/hints
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
./mods-config/preprocess/hints
|
1
ops/nixos/bvm-radius/raddb/huntgroups
Symbolic link
1
ops/nixos/bvm-radius/raddb/huntgroups
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
./mods-config/preprocess/huntgroups
|
116
ops/nixos/bvm-radius/raddb/mods-available/README.rst
Normal file
116
ops/nixos/bvm-radius/raddb/mods-available/README.rst
Normal file
|
@ -0,0 +1,116 @@
|
||||||
|
Modules in Version 3
|
||||||
|
====================
|
||||||
|
|
||||||
|
As of Version 3, all of the modules have been placed in the
|
||||||
|
"mods-available/" directory. This practice follows that used by other
|
||||||
|
servers such as Nginx, Apache, etc. The "modules" directory should
|
||||||
|
not be used.
|
||||||
|
|
||||||
|
Modules are enabled by creating a file in the mods-enabled/ directory.
|
||||||
|
You can also create a soft-link from one directory to another::
|
||||||
|
|
||||||
|
$ cd raddb/mods-enabled
|
||||||
|
$ ln -s ../mods-available/foo
|
||||||
|
|
||||||
|
This will enable module "foo". Be sure that you have configured the
|
||||||
|
module correctly before enabling it, otherwise the server will not
|
||||||
|
start. You can verify the server configuration by running
|
||||||
|
"radiusd -XC".
|
||||||
|
|
||||||
|
A large number of modules are enabled by default. This allows the
|
||||||
|
server to work with the largest number of authentication protocols.
|
||||||
|
Please be careful when disabling modules. You will likely need to
|
||||||
|
edit the "sites-enabled/" files to remove references to any disabled
|
||||||
|
modules.
|
||||||
|
|
||||||
|
Conditional Modules
|
||||||
|
-------------------
|
||||||
|
|
||||||
|
Version 3 allows modules to be conditionally loaded. This is useful
|
||||||
|
when you want to have a virtual server which references a module, but
|
||||||
|
does not require it. Instead of editing the virtual server file, you
|
||||||
|
can just conditionally enable the module.
|
||||||
|
|
||||||
|
Modules are conditionally enabled by adding a "-" before their name in
|
||||||
|
a virtual server. For example, you can do::
|
||||||
|
|
||||||
|
server {
|
||||||
|
authorize {
|
||||||
|
...
|
||||||
|
ldap
|
||||||
|
-sql
|
||||||
|
...
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
This says "require the LDAP module, but use the SQL module only if it
|
||||||
|
is configured."
|
||||||
|
|
||||||
|
This feature is not very useful for production configurations. It is,
|
||||||
|
however, very useful for the default examples that ship with the
|
||||||
|
server.
|
||||||
|
|
||||||
|
Ignoring module
|
||||||
|
---------------
|
||||||
|
|
||||||
|
If you see this message::
|
||||||
|
|
||||||
|
Ignoring module (see raddb/mods-available/README.rst)
|
||||||
|
|
||||||
|
Then you are in the right place. Most of the time this message can be
|
||||||
|
ignored. The message can be fixed by finding the references to "-module"
|
||||||
|
in the virtual server, and deleting them.
|
||||||
|
|
||||||
|
Another way to fix it is to configure the module, as described above.
|
||||||
|
|
||||||
|
Simplification
|
||||||
|
--------------
|
||||||
|
|
||||||
|
Allowing conditional modules simplifies the default virtual servers
|
||||||
|
that are shipped with FreeRADIUS. This means that if you want to
|
||||||
|
enable LDAP (for example), you no longer need to edit the files in
|
||||||
|
raddb/sites-available/ in order to enable it.
|
||||||
|
|
||||||
|
Instead, you should edit the raddb/mods-available/ldap file to point
|
||||||
|
to your local LDAP server. Then, enable the module via the soft-link
|
||||||
|
method described above.
|
||||||
|
|
||||||
|
Once the module is enabled, it will automatically be used in the
|
||||||
|
default configuration.
|
||||||
|
|
||||||
|
Multiple Instances
|
||||||
|
------------------
|
||||||
|
|
||||||
|
It is sometimes necessary to have the same module do two different
|
||||||
|
things. The server supports this functionality via "instances" of
|
||||||
|
modules.
|
||||||
|
|
||||||
|
Normally, a module configuration looks like this:
|
||||||
|
|
||||||
|
sql {
|
||||||
|
... sql stuff ...
|
||||||
|
}
|
||||||
|
|
||||||
|
This module is then refereed to as the "sql" module.
|
||||||
|
|
||||||
|
|
||||||
|
But what happens if you want to connect to two different SQL
|
||||||
|
databases? The solution is simple; copy the "sql" module
|
||||||
|
configuration, and add an instance name after the "sql" string:
|
||||||
|
|
||||||
|
sql mysql1 {
|
||||||
|
... configuration for connecting to mysql11 ...
|
||||||
|
}
|
||||||
|
|
||||||
|
sql mysql2 {
|
||||||
|
... configuration for connecting to mysql12 ...
|
||||||
|
}
|
||||||
|
|
||||||
|
This configuration says "load the SQL module, but create two copies of
|
||||||
|
it, with different configurations". The different configurations can
|
||||||
|
be referred to by name, as "mysql1" and "mysql2". That is, anywhere
|
||||||
|
you would normally use "sql", you could use either "mysql1" or
|
||||||
|
"mysql2".
|
||||||
|
|
||||||
|
For further examples of using module instances, see the "attr_filter"
|
||||||
|
module configuration in this directory.
|
61
ops/nixos/bvm-radius/raddb/mods-available/always
Normal file
61
ops/nixos/bvm-radius/raddb/mods-available/always
Normal file
|
@ -0,0 +1,61 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: de3f13089d8951f4c822ebc4007df58e0487de14 $
|
||||||
|
|
||||||
|
#
|
||||||
|
# The "always" module is here for debugging purposes, or
|
||||||
|
# for use in complex policies.
|
||||||
|
# Instance simply returns the same result, always, without
|
||||||
|
# doing anything.
|
||||||
|
#
|
||||||
|
# rcode may be one of the following values:
|
||||||
|
# - reject - Reject the user.
|
||||||
|
# - fail - Simulate or indicate a failure.
|
||||||
|
# - ok - Simulate or indicate a success.
|
||||||
|
# - handled - Indicate that the request has been handled,
|
||||||
|
# stop processing, and send response if set.
|
||||||
|
# - invalid - Indicate that the request is invalid.
|
||||||
|
# - userlock - Indicate that the user account has been
|
||||||
|
# locked out.
|
||||||
|
# - notfound - Indicate that a user account can't be found.
|
||||||
|
# - noop - Simulate a no-op.
|
||||||
|
# - updated - Indicate that the request has been updated.
|
||||||
|
#
|
||||||
|
# If an instance is listed in a session {} section,
|
||||||
|
# this simulates a user having <integer> sessions.
|
||||||
|
#
|
||||||
|
# simulcount = <integer>
|
||||||
|
#
|
||||||
|
# If an instance is listed in a session {} section,
|
||||||
|
# this simulates the user having multilink
|
||||||
|
# sessions.
|
||||||
|
#
|
||||||
|
# mpp = <integer>
|
||||||
|
#
|
||||||
|
always reject {
|
||||||
|
rcode = reject
|
||||||
|
}
|
||||||
|
always fail {
|
||||||
|
rcode = fail
|
||||||
|
}
|
||||||
|
always ok {
|
||||||
|
rcode = ok
|
||||||
|
}
|
||||||
|
always handled {
|
||||||
|
rcode = handled
|
||||||
|
}
|
||||||
|
always invalid {
|
||||||
|
rcode = invalid
|
||||||
|
}
|
||||||
|
always userlock {
|
||||||
|
rcode = userlock
|
||||||
|
}
|
||||||
|
always notfound {
|
||||||
|
rcode = notfound
|
||||||
|
}
|
||||||
|
always noop {
|
||||||
|
rcode = noop
|
||||||
|
}
|
||||||
|
always updated {
|
||||||
|
rcode = updated
|
||||||
|
}
|
50
ops/nixos/bvm-radius/raddb/mods-available/attr_filter
Normal file
50
ops/nixos/bvm-radius/raddb/mods-available/attr_filter
Normal file
|
@ -0,0 +1,50 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 1caff077b2429c948a04777fcd619be901ac83dc $
|
||||||
|
|
||||||
|
#
|
||||||
|
# This file defines a number of instances of the "attr_filter" module.
|
||||||
|
#
|
||||||
|
|
||||||
|
# attr_filter - filters the attributes received in replies from
|
||||||
|
# proxied servers, to make sure we send back to our RADIUS client
|
||||||
|
# only allowed attributes.
|
||||||
|
attr_filter attr_filter.post-proxy {
|
||||||
|
key = "%{Realm}"
|
||||||
|
filename = ${modconfdir}/${.:name}/post-proxy
|
||||||
|
}
|
||||||
|
|
||||||
|
# attr_filter - filters the attributes in the packets we send to
|
||||||
|
# the RADIUS home servers.
|
||||||
|
attr_filter attr_filter.pre-proxy {
|
||||||
|
key = "%{Realm}"
|
||||||
|
filename = ${modconfdir}/${.:name}/pre-proxy
|
||||||
|
}
|
||||||
|
|
||||||
|
# Enforce RFC requirements on the contents of Access-Reject
|
||||||
|
# packets. See the comments at the top of the file for
|
||||||
|
# more details.
|
||||||
|
#
|
||||||
|
attr_filter attr_filter.access_reject {
|
||||||
|
key = "%{User-Name}"
|
||||||
|
filename = ${modconfdir}/${.:name}/access_reject
|
||||||
|
}
|
||||||
|
|
||||||
|
# Enforce RFC requirements on the contents of Access-Challenge
|
||||||
|
# packets. See the comments at the top of the file for
|
||||||
|
# more details.
|
||||||
|
#
|
||||||
|
attr_filter attr_filter.access_challenge {
|
||||||
|
key = "%{User-Name}"
|
||||||
|
filename = ${modconfdir}/${.:name}/access_challenge
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Enforce RFC requirements on the contents of the
|
||||||
|
# Accounting-Response packets. See the comments at the
|
||||||
|
# top of the file for more details.
|
||||||
|
#
|
||||||
|
attr_filter attr_filter.accounting_response {
|
||||||
|
key = "%{User-Name}"
|
||||||
|
filename = ${modconfdir}/${.:name}/accounting_response
|
||||||
|
}
|
13
ops/nixos/bvm-radius/raddb/mods-available/cache_eap
Normal file
13
ops/nixos/bvm-radius/raddb/mods-available/cache_eap
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
#
|
||||||
|
# Cache EAP responses for resiliency on intermediary proxy fail-over
|
||||||
|
#
|
||||||
|
cache cache_eap {
|
||||||
|
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
|
||||||
|
|
||||||
|
ttl = 15
|
||||||
|
|
||||||
|
update reply {
|
||||||
|
reply: += &reply:
|
||||||
|
&control:State := &request:State
|
||||||
|
}
|
||||||
|
}
|
11
ops/nixos/bvm-radius/raddb/mods-available/chap
Normal file
11
ops/nixos/bvm-radius/raddb/mods-available/chap
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: e2a3cd3b110ffffdbcff86c7fc65a9275ddc3379 $
|
||||||
|
|
||||||
|
# CHAP module
|
||||||
|
#
|
||||||
|
# To authenticate requests containing a CHAP-Password attribute.
|
||||||
|
#
|
||||||
|
chap {
|
||||||
|
# no configuration
|
||||||
|
}
|
35
ops/nixos/bvm-radius/raddb/mods-available/date
Normal file
35
ops/nixos/bvm-radius/raddb/mods-available/date
Normal file
|
@ -0,0 +1,35 @@
|
||||||
|
#
|
||||||
|
# Registers xlat to convert between time formats.
|
||||||
|
#
|
||||||
|
# xlat input string is an attribute name. If this attribute is of date
|
||||||
|
# or integer type, the date xlat will convert it to a time string in
|
||||||
|
# the format of the format config item.
|
||||||
|
#
|
||||||
|
# If the attribute is a string type, date will attempt to parse it in
|
||||||
|
# the format specified by the format config item, and will expand
|
||||||
|
# to a Unix timestamp.
|
||||||
|
#
|
||||||
|
date {
|
||||||
|
format = "%b %e %Y %H:%M:%S %Z"
|
||||||
|
|
||||||
|
# Use UTC instead of local time.
|
||||||
|
#
|
||||||
|
# default = no
|
||||||
|
# utc = yes
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# The WISPr-Session-Terminate-Time attribute is of type "string",
|
||||||
|
# and not "date". Use this expansion to create an attribute
|
||||||
|
# that holds an actual date:
|
||||||
|
#
|
||||||
|
# Tmp-Date-0 := "%{wispr2date:&reply:WISPr-Session-Terminate-Time}"
|
||||||
|
#
|
||||||
|
date wispr2date {
|
||||||
|
format = "%Y-%m-%dT%H:%M:%S"
|
||||||
|
|
||||||
|
# Use UTC instead of local time.
|
||||||
|
#
|
||||||
|
# default = no
|
||||||
|
# utc = yes
|
||||||
|
}
|
100
ops/nixos/bvm-radius/raddb/mods-available/detail
Normal file
100
ops/nixos/bvm-radius/raddb/mods-available/detail
Normal file
|
@ -0,0 +1,100 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: e91e12d0b4de8f3cb084c179b321924d0248cfbb $
|
||||||
|
|
||||||
|
# Write a detailed log of all accounting records received.
|
||||||
|
#
|
||||||
|
detail {
|
||||||
|
# Note that we do NOT use NAS-IP-Address here, as
|
||||||
|
# that attribute MAY BE from the originating NAS, and
|
||||||
|
# NOT from the proxy which actually sent us the
|
||||||
|
# request.
|
||||||
|
#
|
||||||
|
# The following line creates a new detail file for
|
||||||
|
# every radius client (by IP address or hostname).
|
||||||
|
# In addition, a new detail file is created every
|
||||||
|
# day, so that the detail file doesn't have to go
|
||||||
|
# through a 'log rotation'
|
||||||
|
#
|
||||||
|
# If your detail files are large, you may also want to add
|
||||||
|
# a ':%H' (see doc/configuration/variables.rst) to the end
|
||||||
|
# of it, to create a new detail file every hour, e.g.:
|
||||||
|
#
|
||||||
|
# ..../detail-%Y%m%d:%H
|
||||||
|
#
|
||||||
|
# This will create a new detail file for every hour.
|
||||||
|
#
|
||||||
|
# If you are reading detail files via the "listen" section
|
||||||
|
# (e.g. as in raddb/sites-available/robust-proxy-accounting),
|
||||||
|
# you MUST use a unique directory for each combination of a
|
||||||
|
# detail file writer, and reader. That is, there can only
|
||||||
|
# be ONE "listen" section reading detail files from a
|
||||||
|
# particular directory.
|
||||||
|
#
|
||||||
|
filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you are using radrelay, delete the above line for "file",
|
||||||
|
# and use this one instead:
|
||||||
|
#
|
||||||
|
# filename = ${radacctdir}/detail
|
||||||
|
|
||||||
|
#
|
||||||
|
# Most file systems can handly nearly the full range of UTF-8
|
||||||
|
# characters. Ones that can deal with a limited range should
|
||||||
|
# set this to "yes".
|
||||||
|
#
|
||||||
|
escape_filenames = no
|
||||||
|
|
||||||
|
#
|
||||||
|
# The Unix-style permissions on the 'detail' file.
|
||||||
|
#
|
||||||
|
# The detail file often contains secret or private
|
||||||
|
# information about users. So by keeping the file
|
||||||
|
# permissions restrictive, we can prevent unwanted
|
||||||
|
# people from seeing that information.
|
||||||
|
permissions = 0600
|
||||||
|
|
||||||
|
# The Unix group of the log file.
|
||||||
|
#
|
||||||
|
# The user that the server runs as must be in the specified
|
||||||
|
# system group otherwise this will fail to work.
|
||||||
|
#
|
||||||
|
# group = ${security.group}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Every entry in the detail file has a header which
|
||||||
|
# is a timestamp. By default, we use the ctime
|
||||||
|
# format (see "man ctime" for details).
|
||||||
|
#
|
||||||
|
# The header can be customised by editing this
|
||||||
|
# string. See "doc/configuration/variables.rst" for a
|
||||||
|
# description of what can be put here.
|
||||||
|
#
|
||||||
|
header = "%t"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Uncomment this line if the detail file reader will be
|
||||||
|
# reading this detail file.
|
||||||
|
#
|
||||||
|
# locking = yes
|
||||||
|
|
||||||
|
#
|
||||||
|
# Log the Packet src/dst IP/port. This is disabled by
|
||||||
|
# default, as that information isn't used by many people.
|
||||||
|
#
|
||||||
|
# log_packet_header = yes
|
||||||
|
|
||||||
|
#
|
||||||
|
# Certain attributes such as User-Password may be
|
||||||
|
# "sensitive", so they should not be printed in the
|
||||||
|
# detail file. This section lists the attributes
|
||||||
|
# that should be suppressed.
|
||||||
|
#
|
||||||
|
# The attributes should be listed one to a line.
|
||||||
|
#
|
||||||
|
#suppress {
|
||||||
|
# User-Password
|
||||||
|
#}
|
||||||
|
|
||||||
|
}
|
75
ops/nixos/bvm-radius/raddb/mods-available/detail.log
Normal file
75
ops/nixos/bvm-radius/raddb/mods-available/detail.log
Normal file
|
@ -0,0 +1,75 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: b91cf7cb24744ee96e390aa4d7bd5f3ad4c0c0ee $
|
||||||
|
|
||||||
|
#
|
||||||
|
# More examples of doing detail logs.
|
||||||
|
|
||||||
|
#
|
||||||
|
# Many people want to log authentication requests.
|
||||||
|
# Rather than modifying the server core to print out more
|
||||||
|
# messages, we can use a different instance of the 'detail'
|
||||||
|
# module, to log the authentication requests to a file.
|
||||||
|
#
|
||||||
|
# You will also need to un-comment the 'auth_log' line
|
||||||
|
# in the 'authorize' section, below.
|
||||||
|
#
|
||||||
|
detail auth_log {
|
||||||
|
filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
|
||||||
|
|
||||||
|
#
|
||||||
|
# This MUST be 0600, otherwise anyone can read
|
||||||
|
# the users passwords!
|
||||||
|
permissions = 0600
|
||||||
|
|
||||||
|
# You may also strip out passwords completely
|
||||||
|
suppress {
|
||||||
|
User-Password
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# This module logs authentication reply packets sent
|
||||||
|
# to a NAS. Both Access-Accept and Access-Reject packets
|
||||||
|
# are logged.
|
||||||
|
#
|
||||||
|
# You will also need to un-comment the 'reply_log' line
|
||||||
|
# in the 'post-auth' section, below.
|
||||||
|
#
|
||||||
|
detail reply_log {
|
||||||
|
filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
|
||||||
|
|
||||||
|
permissions = 0600
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# This module logs packets proxied to a home server.
|
||||||
|
#
|
||||||
|
# You will also need to un-comment the 'pre_proxy_log' line
|
||||||
|
# in the 'pre-proxy' section, below.
|
||||||
|
#
|
||||||
|
detail pre_proxy_log {
|
||||||
|
filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d
|
||||||
|
|
||||||
|
#
|
||||||
|
# This MUST be 0600, otherwise anyone can read
|
||||||
|
# the users passwords!
|
||||||
|
permissions = 0600
|
||||||
|
|
||||||
|
# You may also strip out passwords completely
|
||||||
|
#suppress {
|
||||||
|
# User-Password
|
||||||
|
#}
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# This module logs response packets from a home server.
|
||||||
|
#
|
||||||
|
# You will also need to un-comment the 'post_proxy_log' line
|
||||||
|
# in the 'post-proxy' section, below.
|
||||||
|
#
|
||||||
|
detail post_proxy_log {
|
||||||
|
filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d
|
||||||
|
|
||||||
|
permissions = 0600
|
||||||
|
}
|
13
ops/nixos/bvm-radius/raddb/mods-available/digest
Normal file
13
ops/nixos/bvm-radius/raddb/mods-available/digest
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: f0aa9edf9da33d63fe03e7d1ed3cbca848eec54d $
|
||||||
|
|
||||||
|
#
|
||||||
|
# The 'digest' module currently has no configuration.
|
||||||
|
#
|
||||||
|
# "Digest" authentication against a Cisco SIP server.
|
||||||
|
# See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
|
||||||
|
# on performing digest authentication for Cisco SIP servers.
|
||||||
|
#
|
||||||
|
digest {
|
||||||
|
}
|
32
ops/nixos/bvm-radius/raddb/mods-available/dynamic_clients
Normal file
32
ops/nixos/bvm-radius/raddb/mods-available/dynamic_clients
Normal file
|
@ -0,0 +1,32 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: cc2bd5fd22aa473b98af5dde3fac7a66e39a9e9d $
|
||||||
|
|
||||||
|
# This module loads RADIUS clients as needed, rather than when the server
|
||||||
|
# starts.
|
||||||
|
#
|
||||||
|
# There are no configuration entries for this module. Instead, it
|
||||||
|
# relies on the "client" configuration. You must:
|
||||||
|
#
|
||||||
|
# 1) link raddb/sites-enabled/dynamic_clients to
|
||||||
|
# raddb/sites-available/dynamic_clients
|
||||||
|
#
|
||||||
|
# 2) Define a client network/mask (see top of the above file)
|
||||||
|
#
|
||||||
|
# 3) uncomment the "directory" entry in that client definition
|
||||||
|
#
|
||||||
|
# 4) list "dynamic_clients" in the "authorize" section of the
|
||||||
|
# "dynamic_clients' virtual server. The default example already
|
||||||
|
# does this.
|
||||||
|
#
|
||||||
|
# 5) put files into the above directory, one per IP.
|
||||||
|
# e.g. file "192.0.2.1" should contain a normal client definition
|
||||||
|
# for a client with IP address 192.0.2.1.
|
||||||
|
#
|
||||||
|
# For more documentation, see the file:
|
||||||
|
#
|
||||||
|
# raddb/sites-available/dynamic-clients
|
||||||
|
#
|
||||||
|
dynamic_clients {
|
||||||
|
|
||||||
|
}
|
791
ops/nixos/bvm-radius/raddb/mods-available/eap-custom
Normal file
791
ops/nixos/bvm-radius/raddb/mods-available/eap-custom
Normal file
|
@ -0,0 +1,791 @@
|
||||||
|
# -*- text -*-
|
||||||
|
##
|
||||||
|
## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
|
||||||
|
##
|
||||||
|
## $Id: a89a783663588017b12bcc076362e728261ba8f2 $
|
||||||
|
|
||||||
|
#######################################################################
|
||||||
|
#
|
||||||
|
# Whatever you do, do NOT set 'Auth-Type := EAP'. The server
|
||||||
|
# is smart enough to figure this out on its own. The most
|
||||||
|
# common side effect of setting 'Auth-Type := EAP' is that the
|
||||||
|
# users then cannot use ANY other authentication method.
|
||||||
|
#
|
||||||
|
eap {
|
||||||
|
# Invoke the default supported EAP type when
|
||||||
|
# EAP-Identity response is received.
|
||||||
|
#
|
||||||
|
# The incoming EAP messages DO NOT specify which EAP
|
||||||
|
# type they will be using, so it MUST be set here.
|
||||||
|
#
|
||||||
|
# For now, only one default EAP type may be used at a time.
|
||||||
|
#
|
||||||
|
# If the EAP-Type attribute is set by another module,
|
||||||
|
# then that EAP type takes precedence over the
|
||||||
|
# default type configured here.
|
||||||
|
#
|
||||||
|
default_eap_type = ttls
|
||||||
|
|
||||||
|
# A list is maintained to correlate EAP-Response
|
||||||
|
# packets with EAP-Request packets. After a
|
||||||
|
# configurable length of time, entries in the list
|
||||||
|
# expire, and are deleted.
|
||||||
|
#
|
||||||
|
timer_expire = 60
|
||||||
|
|
||||||
|
# There are many EAP types, but the server has support
|
||||||
|
# for only a limited subset. If the server receives
|
||||||
|
# a request for an EAP type it does not support, then
|
||||||
|
# it normally rejects the request. By setting this
|
||||||
|
# configuration to "yes", you can tell the server to
|
||||||
|
# instead keep processing the request. Another module
|
||||||
|
# MUST then be configured to proxy the request to
|
||||||
|
# another RADIUS server which supports that EAP type.
|
||||||
|
#
|
||||||
|
# If another module is NOT configured to handle the
|
||||||
|
# request, then the request will still end up being
|
||||||
|
# rejected.
|
||||||
|
#
|
||||||
|
ignore_unknown_eap_types = no
|
||||||
|
|
||||||
|
# Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
|
||||||
|
# a User-Name attribute in an Access-Accept, it copies one
|
||||||
|
# more byte than it should.
|
||||||
|
#
|
||||||
|
# We can work around it by configurably adding an extra
|
||||||
|
# zero byte.
|
||||||
|
#
|
||||||
|
cisco_accounting_username_bug = no
|
||||||
|
|
||||||
|
# Help prevent DoS attacks by limiting the number of
|
||||||
|
# sessions that the server is tracking. For simplicity,
|
||||||
|
# this is taken from the "max_requests" directive in
|
||||||
|
# radiusd.conf.
|
||||||
|
#
|
||||||
|
max_sessions = ${max_requests}
|
||||||
|
|
||||||
|
|
||||||
|
############################################################
|
||||||
|
#
|
||||||
|
# Supported EAP-types
|
||||||
|
#
|
||||||
|
|
||||||
|
|
||||||
|
# EAP-MD5
|
||||||
|
#
|
||||||
|
# We do NOT recommend using EAP-MD5 authentication
|
||||||
|
# for wireless connections. It is insecure, and does
|
||||||
|
# not provide for dynamic WEP keys.
|
||||||
|
#
|
||||||
|
md5 {
|
||||||
|
}
|
||||||
|
|
||||||
|
# Common TLS configuration for TLS-based EAP types
|
||||||
|
# ------------------------------------------------
|
||||||
|
#
|
||||||
|
# See raddb/certs/README for additional comments
|
||||||
|
# on certificates.
|
||||||
|
#
|
||||||
|
# If OpenSSL was not found at the time the server was
|
||||||
|
# built, the "tls", "ttls", and "peap" sections will
|
||||||
|
# be ignored.
|
||||||
|
#
|
||||||
|
# If you do not currently have certificates signed by
|
||||||
|
# a trusted CA you may use the 'snakeoil' certificates.
|
||||||
|
# Included with the server in raddb/certs.
|
||||||
|
#
|
||||||
|
# If these certificates have not been auto-generated:
|
||||||
|
# cd raddb/certs
|
||||||
|
# make
|
||||||
|
#
|
||||||
|
# These test certificates SHOULD NOT be used in a normal
|
||||||
|
# deployment. They are created only to make it easier
|
||||||
|
# to install the server, and to perform some simple
|
||||||
|
# tests with EAP-TLS, TTLS, or PEAP.
|
||||||
|
#
|
||||||
|
# Note that you should NOT use a globally known CA here!
|
||||||
|
# e.g. using a Verisign cert as a "known CA" means that
|
||||||
|
# ANYONE who has a certificate signed by them can
|
||||||
|
# authenticate via EAP-TLS! This is likely not what you want.
|
||||||
|
#
|
||||||
|
tls-config tls-common {
|
||||||
|
#private_key_password = whatever
|
||||||
|
private_key_file = /var/lib/acme/as205479.net/key.pem
|
||||||
|
|
||||||
|
# If Private key & Certificate are located in
|
||||||
|
# the same file, then private_key_file &
|
||||||
|
# certificate_file must contain the same file
|
||||||
|
# name.
|
||||||
|
#
|
||||||
|
# If ca_file (below) is not used, then the
|
||||||
|
# certificate_file below SHOULD also include all of
|
||||||
|
# the intermediate CA certificates used to sign the
|
||||||
|
# server certificate, but NOT the root CA.
|
||||||
|
#
|
||||||
|
# Including the ROOT CA certificate is not useful and
|
||||||
|
# merely inflates the exchanged data volume during
|
||||||
|
# the TLS negotiation.
|
||||||
|
#
|
||||||
|
# This file should contain the server certificate,
|
||||||
|
# followed by intermediate certificates, in order.
|
||||||
|
# i.e. If we have a server certificate signed by CA1,
|
||||||
|
# which is signed by CA2, which is signed by a root
|
||||||
|
# CA, then the "certificate_file" should contain
|
||||||
|
# server.pem, followed by CA1.pem, followed by
|
||||||
|
# CA2.pem.
|
||||||
|
#
|
||||||
|
# When using "ca_file" or "ca_dir", the
|
||||||
|
# "certificate_file" should contain only
|
||||||
|
# "server.pem". And then you may (or may not) need
|
||||||
|
# to set "auto_chain", depending on your version of
|
||||||
|
# OpenSSL.
|
||||||
|
#
|
||||||
|
# In short, SSL / TLS certificates are complex.
|
||||||
|
# There are many versions of software, each of which
|
||||||
|
# behave slightly differently. It is impossible to
|
||||||
|
# give advice which will work everywhere. Instead,
|
||||||
|
# we give general guidelines.
|
||||||
|
#
|
||||||
|
certificate_file = /var/lib/acme/as205479.net/cert.pem
|
||||||
|
|
||||||
|
# Trusted Root CA list
|
||||||
|
#
|
||||||
|
# This file can contain multiple CA certificates.
|
||||||
|
# ALL of the CA's in this list will be trusted to
|
||||||
|
# issue client certificates for authentication.
|
||||||
|
#
|
||||||
|
# In general, you should use self-signed
|
||||||
|
# certificates for 802.1x (EAP) authentication.
|
||||||
|
# In that case, this CA file should contain
|
||||||
|
# *one* CA certificate.
|
||||||
|
#
|
||||||
|
#ca_file = ${cadir}/ca.pem
|
||||||
|
|
||||||
|
# OpenSSL will automatically create certificate chains,
|
||||||
|
# unless we tell it to not do that. The problem is that
|
||||||
|
# it sometimes gets the chains right from a certificate
|
||||||
|
# signature view, but wrong from the clients view.
|
||||||
|
#
|
||||||
|
# When setting "auto_chain = no", the server certificate
|
||||||
|
# file MUST include the full certificate chain.
|
||||||
|
#
|
||||||
|
# auto_chain = yes
|
||||||
|
|
||||||
|
# If OpenSSL supports TLS-PSK, then we can use a
|
||||||
|
# fixed PSK identity and (hex) password. As of
|
||||||
|
# 3.0.18, these can be used at the same time as the
|
||||||
|
# certificate configuration, but only for TLS 1.0
|
||||||
|
# through 1.2.
|
||||||
|
#
|
||||||
|
# If PSK and certificates are configured at the same
|
||||||
|
# time for TLS 1.3, then the server will warn you,
|
||||||
|
# and will disable TLS 1.3, as it will not work.
|
||||||
|
#
|
||||||
|
# The work around is to have two modules (or for
|
||||||
|
# RadSec, two listen sections). One will have PSK
|
||||||
|
# configured, and the other will have certificates
|
||||||
|
# configured.
|
||||||
|
#
|
||||||
|
# psk_identity = "test"
|
||||||
|
# psk_hexphrase = "036363823"
|
||||||
|
|
||||||
|
# Dynamic queries for the PSK. If TLS-PSK is used,
|
||||||
|
# and psk_query is set, then you MUST NOT use
|
||||||
|
# psk_identity or psk_hexphrase.
|
||||||
|
#
|
||||||
|
# Instead, use a dynamic expansion similar to the one
|
||||||
|
# below. It keys off of TLS-PSK-Identity. It should
|
||||||
|
# return a of string no more than 512 hex characters.
|
||||||
|
# That string will be converted to binary, and will
|
||||||
|
# be used as the dynamic PSK hexphrase.
|
||||||
|
#
|
||||||
|
# Note that this query is just an example. You will
|
||||||
|
# need to customize it for your installation.
|
||||||
|
#
|
||||||
|
# psk_query = "%{sql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}"
|
||||||
|
|
||||||
|
# For DH cipher suites to work, you have to
|
||||||
|
# run OpenSSL to create the DH file first:
|
||||||
|
#
|
||||||
|
# openssl dhparam -out certs/dh 2048
|
||||||
|
#
|
||||||
|
dh_file = /var/lib/freeradius/dh
|
||||||
|
|
||||||
|
# If your system doesn't have /dev/urandom,
|
||||||
|
# you will need to create this file, and
|
||||||
|
# periodically change its contents.
|
||||||
|
#
|
||||||
|
# For security reasons, FreeRADIUS doesn't
|
||||||
|
# write to files in its configuration
|
||||||
|
# directory.
|
||||||
|
#
|
||||||
|
# random_file = /dev/urandom
|
||||||
|
|
||||||
|
# This can never exceed the size of a RADIUS
|
||||||
|
# packet (4096 bytes), and is preferably half
|
||||||
|
# that, to accommodate other attributes in
|
||||||
|
# RADIUS packet. On most APs the MAX packet
|
||||||
|
# length is configured between 1500 - 1600
|
||||||
|
# In these cases, fragment size should be
|
||||||
|
# 1024 or less.
|
||||||
|
#
|
||||||
|
# fragment_size = 1024
|
||||||
|
|
||||||
|
# include_length is a flag which is
|
||||||
|
# by default set to yes If set to
|
||||||
|
# yes, Total Length of the message is
|
||||||
|
# included in EVERY packet we send.
|
||||||
|
# If set to no, Total Length of the
|
||||||
|
# message is included ONLY in the
|
||||||
|
# First packet of a fragment series.
|
||||||
|
#
|
||||||
|
# include_length = yes
|
||||||
|
|
||||||
|
|
||||||
|
# Check the Certificate Revocation List
|
||||||
|
#
|
||||||
|
# 1) Copy CA certificates and CRLs to same directory.
|
||||||
|
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
|
||||||
|
# 'c_rehash' is OpenSSL's command.
|
||||||
|
# 3) uncomment the lines below.
|
||||||
|
# 5) Restart radiusd
|
||||||
|
# check_crl = yes
|
||||||
|
|
||||||
|
# Check if intermediate CAs have been revoked.
|
||||||
|
# check_all_crl = yes
|
||||||
|
|
||||||
|
#ca_path = ${cadir}
|
||||||
|
|
||||||
|
# Accept an expired Certificate Revocation List
|
||||||
|
#
|
||||||
|
# allow_expired_crl = no
|
||||||
|
|
||||||
|
# If check_cert_issuer is set, the value will
|
||||||
|
# be checked against the DN of the issuer in
|
||||||
|
# the client certificate. If the values do not
|
||||||
|
# match, the certificate verification will fail,
|
||||||
|
# rejecting the user.
|
||||||
|
#
|
||||||
|
# This check can be done more generally by checking
|
||||||
|
# the value of the TLS-Client-Cert-Issuer attribute.
|
||||||
|
# This check can be done via any mechanism you
|
||||||
|
# choose.
|
||||||
|
#
|
||||||
|
# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
|
||||||
|
|
||||||
|
# If check_cert_cn is set, the value will
|
||||||
|
# be xlat'ed and checked against the CN
|
||||||
|
# in the client certificate. If the values
|
||||||
|
# do not match, the certificate verification
|
||||||
|
# will fail rejecting the user.
|
||||||
|
#
|
||||||
|
# This check is done only if the previous
|
||||||
|
# "check_cert_issuer" is not set, or if
|
||||||
|
# the check succeeds.
|
||||||
|
#
|
||||||
|
# In 2.1.10 and later, this check can be done
|
||||||
|
# more generally by checking the value of the
|
||||||
|
# TLS-Client-Cert-Common-Name attribute. This check
|
||||||
|
# can be done via any mechanism you choose.
|
||||||
|
#
|
||||||
|
# check_cert_cn = %{User-Name}
|
||||||
|
|
||||||
|
# Set this option to specify the allowed
|
||||||
|
# TLS cipher suites. The format is listed
|
||||||
|
# in "man 1 ciphers".
|
||||||
|
#
|
||||||
|
# For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
|
||||||
|
#
|
||||||
|
cipher_list = "DEFAULT"
|
||||||
|
|
||||||
|
# If enabled, OpenSSL will use server cipher list
|
||||||
|
# (possibly defined by cipher_list option above)
|
||||||
|
# for choosing right cipher suite rather than
|
||||||
|
# using client-specified list which is OpenSSl default
|
||||||
|
# behavior. Setting this to "yes" means that OpenSSL
|
||||||
|
# will choose the servers ciphers, even if they do not
|
||||||
|
# best match what the client sends.
|
||||||
|
#
|
||||||
|
# TLS negotiation is usually good, but can be imperfect.
|
||||||
|
# This setting allows administrators to "fine tune" it
|
||||||
|
# if necessary.
|
||||||
|
#
|
||||||
|
cipher_server_preference = no
|
||||||
|
|
||||||
|
# You can selectively disable TLS versions for
|
||||||
|
# compatability with old client devices.
|
||||||
|
#
|
||||||
|
# If your system has OpenSSL 1.1.0 or greater, do NOT
|
||||||
|
# use these. Instead, set tls_min_version and
|
||||||
|
# tls_max_version.
|
||||||
|
#
|
||||||
|
# disable_tlsv1_2 = no
|
||||||
|
disable_tlsv1_1 = yes
|
||||||
|
disable_tlsv1 = yes
|
||||||
|
|
||||||
|
# Set min / max TLS version. Mainly for Debian
|
||||||
|
# "trusty", which disables older versions of TLS, and
|
||||||
|
# requires the application to manually enable them.
|
||||||
|
#
|
||||||
|
# If you are running Debian trusty, you should set
|
||||||
|
# these options, otherwise older clients will not be
|
||||||
|
# able to connect.
|
||||||
|
#
|
||||||
|
# Allowed values are "1.0", "1.1", "1.2", and "1.3".
|
||||||
|
#
|
||||||
|
# Note that the server WILL NOT permit negotiation of
|
||||||
|
# TLS 1.3. The EAP-TLS standards for TLS 1.3 are NOT
|
||||||
|
# finished. It is therefore impossible for the server
|
||||||
|
# to negotiate EAP-TLS correctly with TLS 1.3.
|
||||||
|
#
|
||||||
|
# The values must be in quotes.
|
||||||
|
#
|
||||||
|
tls_min_version = "1.2"
|
||||||
|
tls_max_version = "1.2"
|
||||||
|
|
||||||
|
# Elliptical cryptography configuration
|
||||||
|
#
|
||||||
|
# Only for OpenSSL >= 0.9.8.f
|
||||||
|
#
|
||||||
|
ecdh_curve = "prime256v1"
|
||||||
|
|
||||||
|
# Session resumption / fast reauthentication
|
||||||
|
# cache.
|
||||||
|
#
|
||||||
|
# The cache contains the following information:
|
||||||
|
#
|
||||||
|
# session Id - unique identifier, managed by SSL
|
||||||
|
# User-Name - from the Access-Accept
|
||||||
|
# Stripped-User-Name - from the Access-Request
|
||||||
|
# Cached-Session-Policy - from the Access-Accept
|
||||||
|
#
|
||||||
|
# See also the "store" subsection below for
|
||||||
|
# additional attributes which can be cached.
|
||||||
|
#
|
||||||
|
# The "Cached-Session-Policy" is the name of a
|
||||||
|
# policy which should be applied to the cached
|
||||||
|
# session. This policy can be used to assign
|
||||||
|
# VLANs, IP addresses, etc. It serves as a useful
|
||||||
|
# way to re-apply the policy from the original
|
||||||
|
# Access-Accept to the subsequent Access-Accept
|
||||||
|
# for the cached session.
|
||||||
|
#
|
||||||
|
# On session resumption, these attributes are
|
||||||
|
# copied from the cache, and placed into the
|
||||||
|
# reply list.
|
||||||
|
#
|
||||||
|
# You probably also want "use_tunneled_reply = yes"
|
||||||
|
# when using fast session resumption.
|
||||||
|
#
|
||||||
|
# You can check if a session has been resumed by
|
||||||
|
# looking for the existence of the EAP-Session-Resumed
|
||||||
|
# attribute. Note that this attribute will *only*
|
||||||
|
# exist in the "post-auth" section.
|
||||||
|
#
|
||||||
|
# CAVEATS: The cache is stored and reloaded BEFORE
|
||||||
|
# the "post-auth" section is run. This limitation
|
||||||
|
# makes caching more difficult than it should be. In
|
||||||
|
# practice, it means that the first authentication
|
||||||
|
# session must set the reply attributes before the
|
||||||
|
# post-auth section is run.
|
||||||
|
#
|
||||||
|
# When the session is resumed, the attributes are
|
||||||
|
# restored and placed into the session-state list.
|
||||||
|
#
|
||||||
|
cache {
|
||||||
|
# Enable it. The default is "no". Deleting the entire "cache"
|
||||||
|
# subsection also disables caching.
|
||||||
|
#
|
||||||
|
# As of version 3.0.14, the session cache requires the use
|
||||||
|
# of the "name" and "persist_dir" configuration items, below.
|
||||||
|
#
|
||||||
|
# The internal OpenSSL session cache has been permanently
|
||||||
|
# disabled.
|
||||||
|
#
|
||||||
|
# You can disallow resumption for a particular user by adding the
|
||||||
|
# following attribute to the control item list:
|
||||||
|
#
|
||||||
|
# Allow-Session-Resumption = No
|
||||||
|
#
|
||||||
|
# If "enable = no" below, you CANNOT enable resumption for just one
|
||||||
|
# user by setting the above attribute to "yes".
|
||||||
|
#
|
||||||
|
enable = no
|
||||||
|
|
||||||
|
# Lifetime of the cached entries, in hours. The sessions will be
|
||||||
|
# deleted/invalidated after this time.
|
||||||
|
#
|
||||||
|
lifetime = 24 # hours
|
||||||
|
|
||||||
|
# Internal "name" of the session cache. Used to
|
||||||
|
# distinguish which TLS context sessions belong to.
|
||||||
|
#
|
||||||
|
# The server will generate a random value if unset.
|
||||||
|
# This will change across server restart so you MUST
|
||||||
|
# set the "name" if you want to persist sessions (see
|
||||||
|
# below).
|
||||||
|
#
|
||||||
|
# name = "EAP module"
|
||||||
|
|
||||||
|
# Simple directory-based storage of sessions.
|
||||||
|
# Two files per session will be written, the SSL
|
||||||
|
# state and the cached VPs. This will persist session
|
||||||
|
# across server restarts.
|
||||||
|
#
|
||||||
|
# The default directory is ${logdir}, for historical
|
||||||
|
# reasons. You should ${db_dir} instead. And check
|
||||||
|
# the value of db_dir in the main radiusd.conf file.
|
||||||
|
# It should not point to ${raddb}
|
||||||
|
#
|
||||||
|
# The server will need write perms, and the directory
|
||||||
|
# should be secured from anyone else. You might want
|
||||||
|
# a script to remove old files from here periodically:
|
||||||
|
#
|
||||||
|
# find ${logdir}/tlscache -mtime +2 -exec rm -f {} \;
|
||||||
|
#
|
||||||
|
# This feature REQUIRES "name" option be set above.
|
||||||
|
#
|
||||||
|
# persist_dir = "${logdir}/tlscache"
|
||||||
|
|
||||||
|
#
|
||||||
|
# As of 3.0.20, it is possible to partially
|
||||||
|
# control which attributes exist in the
|
||||||
|
# session cache. This subsection lists
|
||||||
|
# attributes which are taken from the reply,
|
||||||
|
# and saved to the on-disk cache. When the
|
||||||
|
# session is resumed, these attributes are
|
||||||
|
# added to the "session-state" list. The
|
||||||
|
# default configuration will then take care
|
||||||
|
# of copying them to the reply.
|
||||||
|
#
|
||||||
|
store {
|
||||||
|
Tunnel-Private-Group-Id
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# EAP-TLS
|
||||||
|
#
|
||||||
|
# As of Version 3.0, the TLS configuration for TLS-based
|
||||||
|
# EAP types is above in the "tls-config" section.
|
||||||
|
#
|
||||||
|
#tls {
|
||||||
|
# # Point to the common TLS configuration
|
||||||
|
# #
|
||||||
|
# #tls = tls-common
|
||||||
|
|
||||||
|
# # As part of checking a client certificate, the EAP-TLS
|
||||||
|
# # sets some attributes such as TLS-Client-Cert-Common-Name. This
|
||||||
|
# # virtual server has access to these attributes, and can
|
||||||
|
# # be used to accept or reject the request.
|
||||||
|
# #
|
||||||
|
## virtual_server = check-eap-tls
|
||||||
|
#}
|
||||||
|
|
||||||
|
|
||||||
|
# EAP-TTLS -- Tunneled TLS
|
||||||
|
#
|
||||||
|
# The TTLS module implements the EAP-TTLS protocol,
|
||||||
|
# which can be described as EAP inside of Diameter,
|
||||||
|
# inside of TLS, inside of EAP, inside of RADIUS...
|
||||||
|
#
|
||||||
|
# Surprisingly, it works quite well.
|
||||||
|
#
|
||||||
|
ttls {
|
||||||
|
# Which tls-config section the TLS negotiation parameters
|
||||||
|
# are in - see EAP-TLS above for an explanation.
|
||||||
|
#
|
||||||
|
# In the case that an old configuration from FreeRADIUS
|
||||||
|
# v2.x is being used, all the options of the tls-config
|
||||||
|
# section may also appear instead in the 'tls' section
|
||||||
|
# above. If that is done, the tls= option here (and in
|
||||||
|
# tls above) MUST be commented out.
|
||||||
|
#
|
||||||
|
tls = tls-common
|
||||||
|
|
||||||
|
# The tunneled EAP session needs a default EAP type
|
||||||
|
# which is separate from the one for the non-tunneled
|
||||||
|
# EAP module. Inside of the TTLS tunnel, we recommend
|
||||||
|
# using EAP-MD5. If the request does not contain an
|
||||||
|
# EAP conversation, then this configuration entry is
|
||||||
|
# ignored.
|
||||||
|
#
|
||||||
|
default_eap_type = md5
|
||||||
|
|
||||||
|
# The tunneled authentication request does not usually
|
||||||
|
# contain useful attributes like 'Calling-Station-Id',
|
||||||
|
# etc. These attributes are outside of the tunnel,
|
||||||
|
# and normally unavailable to the tunneled
|
||||||
|
# authentication request.
|
||||||
|
#
|
||||||
|
# By setting this configuration entry to 'yes',
|
||||||
|
# any attribute which is NOT in the tunneled
|
||||||
|
# authentication request, but which IS available
|
||||||
|
# outside of the tunnel, is copied to the tunneled
|
||||||
|
# request.
|
||||||
|
#
|
||||||
|
# allowed values: {no, yes}
|
||||||
|
#
|
||||||
|
copy_request_to_tunnel = no
|
||||||
|
|
||||||
|
# As of version 3.0.5, this configuration item
|
||||||
|
# is deprecated. Instead, you should use
|
||||||
|
#
|
||||||
|
# update outer.session-state {
|
||||||
|
# ...
|
||||||
|
# }
|
||||||
|
#
|
||||||
|
# This will cache attributes for the final Access-Accept.
|
||||||
|
#
|
||||||
|
# The reply attributes sent to the NAS are usually
|
||||||
|
# based on the name of the user 'outside' of the
|
||||||
|
# tunnel (usually 'anonymous'). If you want to send
|
||||||
|
# the reply attributes based on the user name inside
|
||||||
|
# of the tunnel, then set this configuration entry to
|
||||||
|
# 'yes', and the reply to the NAS will be taken from
|
||||||
|
# the reply to the tunneled request.
|
||||||
|
#
|
||||||
|
# allowed values: {no, yes}
|
||||||
|
#
|
||||||
|
use_tunneled_reply = no
|
||||||
|
|
||||||
|
# The inner tunneled request can be sent
|
||||||
|
# through a virtual server constructed
|
||||||
|
# specifically for this purpose.
|
||||||
|
#
|
||||||
|
# A virtual server MUST be specified.
|
||||||
|
#
|
||||||
|
virtual_server = "inner-tunnel"
|
||||||
|
|
||||||
|
# This has the same meaning, and overwrites, the
|
||||||
|
# same field in the "tls" configuration, above.
|
||||||
|
# The default value here is "yes".
|
||||||
|
#
|
||||||
|
# include_length = yes
|
||||||
|
|
||||||
|
# Unlike EAP-TLS, EAP-TTLS does not require a client
|
||||||
|
# certificate. However, you can require one by setting the
|
||||||
|
# following option. You can also override this option by
|
||||||
|
# setting
|
||||||
|
#
|
||||||
|
# EAP-TLS-Require-Client-Cert = Yes
|
||||||
|
#
|
||||||
|
# in the control items for a request.
|
||||||
|
#
|
||||||
|
# Note that the majority of supplicants do not support using a
|
||||||
|
# client certificate with EAP-TTLS, so this option is unlikely
|
||||||
|
# to be usable for most people.
|
||||||
|
#
|
||||||
|
# require_client_cert = yes
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# EAP-PEAP
|
||||||
|
#
|
||||||
|
|
||||||
|
##################################################
|
||||||
|
#
|
||||||
|
# !!!!! WARNINGS for Windows compatibility !!!!!
|
||||||
|
#
|
||||||
|
##################################################
|
||||||
|
#
|
||||||
|
# If you see the server send an Access-Challenge,
|
||||||
|
# and the client never sends another Access-Request,
|
||||||
|
# then
|
||||||
|
#
|
||||||
|
# STOP!
|
||||||
|
#
|
||||||
|
# The server certificate has to have special OID's
|
||||||
|
# in it, or else the Microsoft clients will silently
|
||||||
|
# fail. See the "scripts/xpextensions" file for
|
||||||
|
# details, and the following page:
|
||||||
|
#
|
||||||
|
# https://support.microsoft.com/en-us/help/814394/
|
||||||
|
#
|
||||||
|
# If is still doesn't work, and you're using Samba,
|
||||||
|
# you may be encountering a Samba bug. See:
|
||||||
|
#
|
||||||
|
# https://bugzilla.samba.org/show_bug.cgi?id=6563
|
||||||
|
#
|
||||||
|
# Note that we do not necessarily agree with their
|
||||||
|
# explanation... but the fix does appear to work.
|
||||||
|
#
|
||||||
|
##################################################
|
||||||
|
|
||||||
|
# The tunneled EAP session needs a default EAP type
|
||||||
|
# which is separate from the one for the non-tunneled
|
||||||
|
# EAP module. Inside of the TLS/PEAP tunnel, we
|
||||||
|
# recommend using EAP-MS-CHAPv2.
|
||||||
|
#
|
||||||
|
peap {
|
||||||
|
# Which tls-config section the TLS negotiation parameters
|
||||||
|
# are in - see EAP-TLS above for an explanation.
|
||||||
|
#
|
||||||
|
# In the case that an old configuration from FreeRADIUS
|
||||||
|
# v2.x is being used, all the options of the tls-config
|
||||||
|
# section may also appear instead in the 'tls' section
|
||||||
|
# above. If that is done, the tls= option here (and in
|
||||||
|
# tls above) MUST be commented out.
|
||||||
|
#
|
||||||
|
tls = tls-common
|
||||||
|
|
||||||
|
# The tunneled EAP session needs a default
|
||||||
|
# EAP type which is separate from the one for
|
||||||
|
# the non-tunneled EAP module. Inside of the
|
||||||
|
# PEAP tunnel, we recommend using MS-CHAPv2,
|
||||||
|
# as that is the default type supported by
|
||||||
|
# Windows clients.
|
||||||
|
#
|
||||||
|
default_eap_type = mschapv2
|
||||||
|
|
||||||
|
# The PEAP module also has these configuration
|
||||||
|
# items, which are the same as for TTLS.
|
||||||
|
#
|
||||||
|
copy_request_to_tunnel = no
|
||||||
|
|
||||||
|
# As of version 3.0.5, this configuration item
|
||||||
|
# is deprecated. Instead, you should use
|
||||||
|
#
|
||||||
|
# update outer.session-state {
|
||||||
|
# ...
|
||||||
|
# }
|
||||||
|
#
|
||||||
|
# This will cache attributes for the final Access-Accept.
|
||||||
|
#
|
||||||
|
use_tunneled_reply = no
|
||||||
|
|
||||||
|
# When the tunneled session is proxied, the
|
||||||
|
# home server may not understand EAP-MSCHAP-V2.
|
||||||
|
# Set this entry to "no" to proxy the tunneled
|
||||||
|
# EAP-MSCHAP-V2 as normal MSCHAPv2.
|
||||||
|
#
|
||||||
|
# proxy_tunneled_request_as_eap = yes
|
||||||
|
|
||||||
|
# The inner tunneled request can be sent
|
||||||
|
# through a virtual server constructed
|
||||||
|
# specifically for this purpose.
|
||||||
|
#
|
||||||
|
# A virtual server MUST be specified.
|
||||||
|
#
|
||||||
|
virtual_server = "inner-tunnel"
|
||||||
|
|
||||||
|
# This option enables support for MS-SoH
|
||||||
|
# see doc/SoH.txt for more info.
|
||||||
|
# It is disabled by default.
|
||||||
|
#
|
||||||
|
# soh = yes
|
||||||
|
|
||||||
|
# The SoH reply will be turned into a request which
|
||||||
|
# can be sent to a specific virtual server:
|
||||||
|
#
|
||||||
|
# soh_virtual_server = "soh-server"
|
||||||
|
|
||||||
|
# Unlike EAP-TLS, PEAP does not require a client certificate.
|
||||||
|
# However, you can require one by setting the following
|
||||||
|
# option. You can also override this option by setting
|
||||||
|
#
|
||||||
|
# EAP-TLS-Require-Client-Cert = Yes
|
||||||
|
#
|
||||||
|
# in the control items for a request.
|
||||||
|
#
|
||||||
|
# Note that the majority of supplicants do not support using a
|
||||||
|
# client certificate with PEAP, so this option is unlikely to
|
||||||
|
# be usable for most people.
|
||||||
|
#
|
||||||
|
# require_client_cert = yes
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# EAP-MSCHAPv2
|
||||||
|
#
|
||||||
|
# Note that it is the EAP MS-CHAPv2 sub-module, not
|
||||||
|
# the main 'mschap' module.
|
||||||
|
#
|
||||||
|
# Note also that in order for this sub-module to work,
|
||||||
|
# the main 'mschap' module MUST ALSO be configured.
|
||||||
|
#
|
||||||
|
# This module is the *Microsoft* implementation of MS-CHAPv2
|
||||||
|
# in EAP. There is another (incompatible) implementation
|
||||||
|
# of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
|
||||||
|
# currently support.
|
||||||
|
#
|
||||||
|
mschapv2 {
|
||||||
|
# Prior to version 2.1.11, the module never
|
||||||
|
# sent the MS-CHAP-Error message to the
|
||||||
|
# client. This worked, but it had issues
|
||||||
|
# when the cached password was wrong. The
|
||||||
|
# server *should* send "E=691 R=0" to the
|
||||||
|
# client, which tells it to prompt the user
|
||||||
|
# for a new password.
|
||||||
|
#
|
||||||
|
# The default is to behave as in 2.1.10 and
|
||||||
|
# earlier, which is known to work. If you
|
||||||
|
# set "send_error = yes", then the error
|
||||||
|
# message will be sent back to the client.
|
||||||
|
# This *may* help some clients work better,
|
||||||
|
# but *may* also cause other clients to stop
|
||||||
|
# working.
|
||||||
|
#
|
||||||
|
# send_error = no
|
||||||
|
|
||||||
|
# Server identifier to send back in the challenge.
|
||||||
|
# This should generally be the host name of the
|
||||||
|
# RADIUS server. Or, some information to uniquely
|
||||||
|
# identify it.
|
||||||
|
#
|
||||||
|
# identity = "FreeRADIUS"
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# EAP-FAST
|
||||||
|
#
|
||||||
|
# The FAST module implements the EAP-FAST protocol
|
||||||
|
#
|
||||||
|
#fast {
|
||||||
|
# Point to the common TLS configuration
|
||||||
|
#
|
||||||
|
# tls = tls-common
|
||||||
|
|
||||||
|
# If 'cipher_list' is set here, it will over-ride the
|
||||||
|
# 'cipher_list' configuration from the 'tls-common'
|
||||||
|
# configuration. The EAP-FAST module has it's own
|
||||||
|
# over-ride for 'cipher_list' because the
|
||||||
|
# specifications mandata a different set of ciphers
|
||||||
|
# than are used by the other EAP methods.
|
||||||
|
#
|
||||||
|
# cipher_list though must include "ADH" for anonymous provisioning.
|
||||||
|
# This is not as straight forward as appending "ADH" alongside
|
||||||
|
# "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is
|
||||||
|
# recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used
|
||||||
|
#
|
||||||
|
# Note - for OpenSSL 1.1.0 and above you may need
|
||||||
|
# to add ":@SECLEVEL=0"
|
||||||
|
#
|
||||||
|
# cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
|
||||||
|
|
||||||
|
# PAC lifetime in seconds (default: seven days)
|
||||||
|
#
|
||||||
|
# pac_lifetime = 604800
|
||||||
|
|
||||||
|
# Authority ID of the server
|
||||||
|
#
|
||||||
|
# If you are running a cluster of RADIUS servers, you should make
|
||||||
|
# the value chosen here (and for "pac_opaque_key") the same on all
|
||||||
|
# your RADIUS servers. This value should be unique to your
|
||||||
|
# installation. We suggest using a domain name.
|
||||||
|
#
|
||||||
|
# authority_identity = "1234"
|
||||||
|
|
||||||
|
# PAC Opaque encryption key (must be exactly 32 bytes in size)
|
||||||
|
#
|
||||||
|
# This value MUST be secret, and MUST be generated using
|
||||||
|
# a secure method, such as via 'openssl rand -hex 32'
|
||||||
|
#
|
||||||
|
# pac_opaque_key = "0123456789abcdef0123456789ABCDEF"
|
||||||
|
|
||||||
|
# Same as for TTLS, PEAP, etc.
|
||||||
|
#
|
||||||
|
# virtual_server = inner-tunnel
|
||||||
|
#}
|
||||||
|
}
|
123
ops/nixos/bvm-radius/raddb/mods-available/echo
Normal file
123
ops/nixos/bvm-radius/raddb/mods-available/echo
Normal file
|
@ -0,0 +1,123 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: ad3e15933f9e85c5566810432a5fec8f23d877c1 $
|
||||||
|
|
||||||
|
#
|
||||||
|
# This is a more general example of the execute module.
|
||||||
|
#
|
||||||
|
# This one is called "echo".
|
||||||
|
#
|
||||||
|
# Attribute-Name = `%{echo:/path/to/program args}`
|
||||||
|
#
|
||||||
|
# If you wish to execute an external program in more than
|
||||||
|
# one section (e.g. 'authorize', 'pre_proxy', etc), then it
|
||||||
|
# is probably best to define a different instance of the
|
||||||
|
# 'exec' module for every section.
|
||||||
|
#
|
||||||
|
# The return value of the program run determines the result
|
||||||
|
# of the exec instance call as follows:
|
||||||
|
# (See doc/configurable_failover for details)
|
||||||
|
#
|
||||||
|
# < 0 : fail the module failed
|
||||||
|
# = 0 : ok the module succeeded
|
||||||
|
# = 1 : reject the module rejected the user
|
||||||
|
# = 2 : fail the module failed
|
||||||
|
# = 3 : ok the module succeeded
|
||||||
|
# = 4 : handled the module has done everything to handle the request
|
||||||
|
# = 5 : invalid the user's configuration entry was invalid
|
||||||
|
# = 6 : userlock the user was locked out
|
||||||
|
# = 7 : notfound the user was not found
|
||||||
|
# = 8 : noop the module did nothing
|
||||||
|
# = 9 : updated the module updated information in the request
|
||||||
|
# > 9 : fail the module failed
|
||||||
|
#
|
||||||
|
exec echo {
|
||||||
|
#
|
||||||
|
# Wait for the program to finish.
|
||||||
|
#
|
||||||
|
# If we do NOT wait, then the program is "fire and
|
||||||
|
# forget", and any output attributes from it are ignored.
|
||||||
|
#
|
||||||
|
# If we are looking for the program to output
|
||||||
|
# attributes, and want to add those attributes to the
|
||||||
|
# request, then we MUST wait for the program to
|
||||||
|
# finish, and therefore set 'wait=yes'
|
||||||
|
#
|
||||||
|
# allowed values: {no, yes}
|
||||||
|
wait = yes
|
||||||
|
|
||||||
|
#
|
||||||
|
# The name of the program to execute, and it's
|
||||||
|
# arguments. Dynamic translation is done on this
|
||||||
|
# field, so things like the following example will
|
||||||
|
# work.
|
||||||
|
#
|
||||||
|
program = "/bin/echo %{User-Name}"
|
||||||
|
|
||||||
|
#
|
||||||
|
# The attributes which are placed into the
|
||||||
|
# environment variables for the program.
|
||||||
|
#
|
||||||
|
# Allowed values are:
|
||||||
|
#
|
||||||
|
# request attributes from the request
|
||||||
|
# config attributes from the configuration items list
|
||||||
|
# reply attributes from the reply
|
||||||
|
# proxy-request attributes from the proxy request
|
||||||
|
# proxy-reply attributes from the proxy reply
|
||||||
|
#
|
||||||
|
# Note that some attributes may not exist at some
|
||||||
|
# stages. e.g. There may be no proxy-reply
|
||||||
|
# attributes if this module is used in the
|
||||||
|
# 'authorize' section.
|
||||||
|
#
|
||||||
|
input_pairs = request
|
||||||
|
|
||||||
|
#
|
||||||
|
# Where to place the output attributes (if any) from
|
||||||
|
# the executed program. The values allowed, and the
|
||||||
|
# restrictions as to availability, are the same as
|
||||||
|
# for the input_pairs.
|
||||||
|
#
|
||||||
|
output_pairs = reply
|
||||||
|
|
||||||
|
#
|
||||||
|
# When to execute the program. If the packet
|
||||||
|
# type does NOT match what's listed here, then
|
||||||
|
# the module does NOT execute the program.
|
||||||
|
#
|
||||||
|
# For a list of allowed packet types, see
|
||||||
|
# the 'dictionary' file, and look for VALUEs
|
||||||
|
# of the Packet-Type attribute.
|
||||||
|
#
|
||||||
|
# By default, the module executes on ANY packet.
|
||||||
|
# Un-comment out the following line to tell the
|
||||||
|
# module to execute only if an Access-Accept is
|
||||||
|
# being sent to the NAS.
|
||||||
|
#
|
||||||
|
#packet_type = Access-Accept
|
||||||
|
|
||||||
|
#
|
||||||
|
# Should we escape the environment variables?
|
||||||
|
#
|
||||||
|
# If this is set, all the RADIUS attributes
|
||||||
|
# are capitalised and dashes replaced with
|
||||||
|
# underscores. Also, RADIUS values are surrounded
|
||||||
|
# with double-quotes.
|
||||||
|
#
|
||||||
|
# That is to say: User-Name=BobUser => USER_NAME="BobUser"
|
||||||
|
shell_escape = yes
|
||||||
|
|
||||||
|
#
|
||||||
|
# How long should we wait for the program to finish?
|
||||||
|
#
|
||||||
|
# Default is 10 seconds, which should be plenty for nearly
|
||||||
|
# anything. Range is 1 to 30 seconds. You are strongly
|
||||||
|
# encouraged to NOT increase this value. Decreasing can
|
||||||
|
# be used to cause authentication to fail sooner when you
|
||||||
|
# know it's going to fail anyway due to the time taken,
|
||||||
|
# thereby saving resources.
|
||||||
|
#
|
||||||
|
#timeout = 10
|
||||||
|
|
||||||
|
}
|
29
ops/nixos/bvm-radius/raddb/mods-available/exec
Normal file
29
ops/nixos/bvm-radius/raddb/mods-available/exec
Normal file
|
@ -0,0 +1,29 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: bb1d4374b741a7bfcdfc098fc57af650509ceae2 $
|
||||||
|
|
||||||
|
#
|
||||||
|
# Execute external programs
|
||||||
|
#
|
||||||
|
# This module is useful only for 'xlat'. To use it,
|
||||||
|
# put 'exec' into the 'instantiate' section. You can then
|
||||||
|
# do dynamic translation of attributes like:
|
||||||
|
#
|
||||||
|
# Attribute-Name = `%{exec:/path/to/program args}`
|
||||||
|
#
|
||||||
|
# The value of the attribute will be replaced with the output
|
||||||
|
# of the program which is executed. Due to RADIUS protocol
|
||||||
|
# limitations, any output over 253 bytes will be ignored.
|
||||||
|
#
|
||||||
|
# The RADIUS attributes from the user request will be placed
|
||||||
|
# into environment variables of the executed program, as
|
||||||
|
# described in "man unlang" and in doc/configuration/variables.rst
|
||||||
|
#
|
||||||
|
# See also "echo" for more sample configuration.
|
||||||
|
#
|
||||||
|
exec {
|
||||||
|
wait = no
|
||||||
|
input_pairs = request
|
||||||
|
shell_escape = yes
|
||||||
|
timeout = 10
|
||||||
|
}
|
13
ops/nixos/bvm-radius/raddb/mods-available/expiration
Normal file
13
ops/nixos/bvm-radius/raddb/mods-available/expiration
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 5d06454d0a8ccce7f50ddf7b01ba01c4ace6560a $
|
||||||
|
|
||||||
|
#
|
||||||
|
# The expiration module. This handles the Expiration attribute
|
||||||
|
# It should be included in the *end* of the authorize section
|
||||||
|
# in order to handle user Expiration. It should also be included
|
||||||
|
# in the instantiate section in order to register the Expiration
|
||||||
|
# compare function
|
||||||
|
#
|
||||||
|
expiration {
|
||||||
|
}
|
146
ops/nixos/bvm-radius/raddb/mods-available/expr
Normal file
146
ops/nixos/bvm-radius/raddb/mods-available/expr
Normal file
|
@ -0,0 +1,146 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 43dbea35e41698f8ced22c1cf4ad128b08dee7ca $
|
||||||
|
|
||||||
|
#
|
||||||
|
# This module performs mathematical calculations:
|
||||||
|
#
|
||||||
|
# Attribute-Name = "%{expr:2 + 3 + &NAS-Port}"
|
||||||
|
#
|
||||||
|
# It supports the following operators (in order of precedence)
|
||||||
|
#
|
||||||
|
# & binary AND
|
||||||
|
# | binary OR
|
||||||
|
# << left shift
|
||||||
|
# >> right shift
|
||||||
|
# + addition
|
||||||
|
# - subtraction
|
||||||
|
# * multiply
|
||||||
|
# / divide
|
||||||
|
# %% remainder
|
||||||
|
# ^ exponentiation
|
||||||
|
# (...) sub-expression
|
||||||
|
#
|
||||||
|
# Operator precedence follows the normal rules.
|
||||||
|
# Division by zero means that the entire expression is invalid.
|
||||||
|
#
|
||||||
|
# Note that in versions before 3.0.5, the expression
|
||||||
|
# was parsed strictly left to right, and ignored operator
|
||||||
|
# precedence.
|
||||||
|
#
|
||||||
|
# It also allows unary negation: -1
|
||||||
|
# And twos complement: ~1
|
||||||
|
#
|
||||||
|
# All calculations are done on signed 63-bit integers.
|
||||||
|
# e.g. int64_t. This should be sufficient for all normal
|
||||||
|
# purposes.
|
||||||
|
#
|
||||||
|
# Hex numbers are supported: 0xabcdef
|
||||||
|
#
|
||||||
|
# As with all string expansions, you can nest the expansions:
|
||||||
|
#
|
||||||
|
# %{expr: %{NAS-Port} + 1}
|
||||||
|
# %{expr: %{sql:SELECT ... } + 1}
|
||||||
|
#
|
||||||
|
# Attribute references are supported for integer attributes.
|
||||||
|
# e.g. &NAS-Port. The benefit of using attribute references
|
||||||
|
# is that the expression is calculated directly on the
|
||||||
|
# attribute. It skips the step of "print to string, and then
|
||||||
|
# parse to number". This means it's a little faster.
|
||||||
|
#
|
||||||
|
# Otherwise, all numbers are decimal.
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# The module also registers a few paircompare functions, and
|
||||||
|
# many string manipulation functions, including:
|
||||||
|
#
|
||||||
|
# rand get random number from 0 to n-1
|
||||||
|
# "%{rand:10}" == "9"
|
||||||
|
#
|
||||||
|
# randstr get random string built from character classes:
|
||||||
|
# c lowercase letters
|
||||||
|
# C uppercase letters
|
||||||
|
# n numbers
|
||||||
|
# a alphanumeric
|
||||||
|
# ! punctuation
|
||||||
|
# . alphanumeric + punctuation
|
||||||
|
# s alphanumeric + "./"
|
||||||
|
# o characters suitable for OTP (easily confused removed)
|
||||||
|
# h binary data as lowercase hex
|
||||||
|
# H binary data as uppercase hex
|
||||||
|
#
|
||||||
|
# "%{randstr:CCCC!!cccnnn}" == "IPFL>{saf874"
|
||||||
|
# "%{randstr:oooooooo}" == "rfVzyA4y"
|
||||||
|
# "%{randstr:hhhh}" == "68d60de3"
|
||||||
|
#
|
||||||
|
# urlquote quote special characters in URI
|
||||||
|
# "%{urlquote:http://example.org/}" == "http%3A%47%47example.org%47"
|
||||||
|
#
|
||||||
|
# urlunquote unquote URL special characters
|
||||||
|
# "%{urlunquote:http%%3A%%47%%47example.org%%47}" == "http://example.org/"
|
||||||
|
#
|
||||||
|
# escape escape string similar to rlm_sql safe_characters
|
||||||
|
# "%{escape:<img>foo.jpg</img>}" == "=60img=62foo.jpg=60/img=62"
|
||||||
|
#
|
||||||
|
# unescape reverse of escape
|
||||||
|
# "%{unescape:=60img=62foo.jpg=60/img=62}" == "<img>foo.jpg</img>"
|
||||||
|
#
|
||||||
|
# tolower convert to lowercase
|
||||||
|
# "%{tolower:Bar}" == "bar"
|
||||||
|
#
|
||||||
|
# toupper convert to uppercase
|
||||||
|
# "%{toupper:Foo}" == "FOO"
|
||||||
|
#
|
||||||
|
# md5 get md5sum hash
|
||||||
|
# "%{md5:foo}" == "acbd18db4cc2f85cedef654fccc4a4d8"
|
||||||
|
#
|
||||||
|
# sha1 get sha1 hash
|
||||||
|
# "%{sha1:foo}" == "0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33"
|
||||||
|
#
|
||||||
|
# sha256 get sha256 hash
|
||||||
|
# "%{sha256:foo}" == "2c26b46b68ffc68ff99b453c1d30413413422d706..."
|
||||||
|
#
|
||||||
|
# sha512 get sha512 hash
|
||||||
|
# "%{sha512:foo}" == "f7fbba6e0636f890e56fbbf3283e524c6fa3204ae29838..."
|
||||||
|
#
|
||||||
|
# hmacmd5 generate HMAC-MD5 of string
|
||||||
|
# "%{hmacmd5:foo bar}" == "31b6db9e5eb4addb42f1a6ca07367adc"
|
||||||
|
#
|
||||||
|
# hmacsha1 generate HMAC-SHA1 of string
|
||||||
|
# "%{hmacsha1:foo bar}" == "85d155c55ed286a300bd1cf124de08d87e914f3a"
|
||||||
|
#
|
||||||
|
# crypt encrypt with a salt: %{crypt:salt:password}
|
||||||
|
# "%{crypt:aa:foo}" == "aaKNIEDOaueR6"
|
||||||
|
# "%{crypt:$1$abcdefgh:foo}" == "$1$abcdefgh$XxzGe9Muun7wTYbZO4sdr0"
|
||||||
|
# "%{crypt:$5$%{randstr:aaaaaaaaaaaaaaaa}:foo}" == "$1$fu4P2fcAdo9gM..."
|
||||||
|
#
|
||||||
|
# pairs serialize attributes as comma-delimited string
|
||||||
|
# "%{pairs:request:}" == "User-Name = 'foo', User-Password = 'bar', ..."
|
||||||
|
#
|
||||||
|
# base64 encode string as base64
|
||||||
|
# "%{base64:foo}" == "Zm9v"
|
||||||
|
#
|
||||||
|
# base64tohex convert base64 to hex
|
||||||
|
# "%{base64tohex:Zm9v}" == "666f6f"
|
||||||
|
#
|
||||||
|
# explode split an attribute into multiple new attributes based on a delimiter
|
||||||
|
# "%{explode:&ref <delim>}"
|
||||||
|
#
|
||||||
|
# nexttime calculate number of seconds until next n hour(s), day(s), week(s), year(s)
|
||||||
|
# if it were 16:18, %{nexttime:1h} would expand to 2520
|
||||||
|
#
|
||||||
|
# lpad left-pad a string
|
||||||
|
# if User-Name is "foo": "%{lpad:&User-Name 6 x}" == "xxxfoo"
|
||||||
|
#
|
||||||
|
# rpad right-pad a string
|
||||||
|
# if User-Name is "foo": "%{rpad:&User-Name 5 -}" == "foo--"
|
||||||
|
#
|
||||||
|
|
||||||
|
expr {
|
||||||
|
#
|
||||||
|
# Characters that will not be encoded by the %{escape}
|
||||||
|
# xlat function.
|
||||||
|
#
|
||||||
|
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
|
||||||
|
}
|
30
ops/nixos/bvm-radius/raddb/mods-available/files
Normal file
30
ops/nixos/bvm-radius/raddb/mods-available/files
Normal file
|
@ -0,0 +1,30 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: e3f3bf568d92eba8eb17bbad590f846f2d9e1ac8 $
|
||||||
|
|
||||||
|
# Livingston-style 'users' file
|
||||||
|
#
|
||||||
|
# See "man users" for more information.
|
||||||
|
#
|
||||||
|
files {
|
||||||
|
# Search for files in a subdirectory of mods-config which
|
||||||
|
# matches this instance of the files module.
|
||||||
|
moddir = ${modconfdir}/${.:instance}
|
||||||
|
|
||||||
|
# The default key attribute to use for matches. The content
|
||||||
|
# of this attribute is used to match the "name" of the
|
||||||
|
# entry.
|
||||||
|
#key = "%{%{Stripped-User-Name}:-%{User-Name}}"
|
||||||
|
|
||||||
|
# The old "users" style file is now located here.
|
||||||
|
filename = ${moddir}/authorize
|
||||||
|
|
||||||
|
# This is accepted for backwards compatibility
|
||||||
|
# It will be removed in a future release.
|
||||||
|
# usersfile = ${moddir}/authorize
|
||||||
|
|
||||||
|
# These are accepted for backwards compatibility.
|
||||||
|
# They will be renamed in a future release.
|
||||||
|
acctusersfile = ${moddir}/accounting
|
||||||
|
preproxy_usersfile = ${moddir}/pre-proxy
|
||||||
|
}
|
|
@ -0,0 +1,9 @@
|
||||||
|
eap inner-eap {
|
||||||
|
default_eap_type = mschapv2
|
||||||
|
timer_expire = 60
|
||||||
|
max_sessions = ${max_requests}
|
||||||
|
|
||||||
|
mschapv2 {
|
||||||
|
send_error = yes
|
||||||
|
}
|
||||||
|
}
|
39
ops/nixos/bvm-radius/raddb/mods-available/linelog-eduroam
Normal file
39
ops/nixos/bvm-radius/raddb/mods-available/linelog-eduroam
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
linelog linelog_recv_request {
|
||||||
|
filename = syslog
|
||||||
|
syslog_facility = local0
|
||||||
|
syslog_severity = debug
|
||||||
|
format = "action = Recv-Request, %{pairs:request:}"
|
||||||
|
}
|
||||||
|
|
||||||
|
linelog linelog_send_accept {
|
||||||
|
filename = syslog
|
||||||
|
syslog_facility = local0
|
||||||
|
syslog_severity = debug
|
||||||
|
format = "action = Send-Accept, %{pairs:request:}"
|
||||||
|
}
|
||||||
|
|
||||||
|
linelog linelog_send_reject {
|
||||||
|
filename = syslog
|
||||||
|
syslog_facility = local0
|
||||||
|
syslog_severity = debug
|
||||||
|
format = "action = Send-Reject, %{pairs:request:}"
|
||||||
|
}
|
||||||
|
|
||||||
|
linelog linelog_send_proxy_request {
|
||||||
|
filename = syslog
|
||||||
|
syslog_facility = local0
|
||||||
|
syslog_severity = debug
|
||||||
|
format = "action = Send-Proxy-Request, %{pairs:proxy-request:}"
|
||||||
|
}
|
||||||
|
|
||||||
|
linelog linelog_recv_proxy_response {
|
||||||
|
filename = syslog
|
||||||
|
syslog_facility = local0
|
||||||
|
syslog_severity = debug
|
||||||
|
reference = "messages.%{proxy-reply:Response-Packet-Type}"
|
||||||
|
messages {
|
||||||
|
Access-Accept = "action = Recv-Proxy-Accept, User-Name = %{User-Name}, Calling-Station-Id = %{Calling-Station-Id}, %{pairs:proxy-reply:}"
|
||||||
|
Access-Reject = "action = Recv-Proxy-Reject, User-Name = %{User-Name}, Calling-Station-Id = %{Calling-Station-Id}, %{pairs:proxy-reply:}"
|
||||||
|
Access-Challenge = "action = Recv-Proxy-Challenge, User-Name = %{User-Name}, Calling-Station-ID = %{Calling-Station-Id}, %{pairs:proxy-reply:}"
|
||||||
|
}
|
||||||
|
}
|
23
ops/nixos/bvm-radius/raddb/mods-available/logintime
Normal file
23
ops/nixos/bvm-radius/raddb/mods-available/logintime
Normal file
|
@ -0,0 +1,23 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 25344527759d22b49b5e990fd83f0e506442fa76 $
|
||||||
|
|
||||||
|
# The logintime module. This handles the Login-Time,
|
||||||
|
# Current-Time, and Time-Of-Day attributes. It should be
|
||||||
|
# included in the *end* of the authorize section in order to
|
||||||
|
# handle Login-Time checks. It should also be included in the
|
||||||
|
# instantiate section in order to register the Current-Time
|
||||||
|
# and Time-Of-Day comparison functions.
|
||||||
|
#
|
||||||
|
# When the Login-Time attribute is set to some value, and the
|
||||||
|
# user has been permitted to log in, a Session-Timeout is
|
||||||
|
# calculated based on the remaining time. See "doc/README".
|
||||||
|
#
|
||||||
|
logintime {
|
||||||
|
# The minimum timeout (in seconds) a user is allowed
|
||||||
|
# to have. If the calculated timeout is lower we don't
|
||||||
|
# allow the login. Some NAS do not handle values
|
||||||
|
# lower than 60 seconds well.
|
||||||
|
minimum_timeout = 60
|
||||||
|
}
|
||||||
|
|
253
ops/nixos/bvm-radius/raddb/mods-available/mschap
Normal file
253
ops/nixos/bvm-radius/raddb/mods-available/mschap
Normal file
|
@ -0,0 +1,253 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 2fbc9278e39516c4fc2e8119d2a5be35858f1e33 $
|
||||||
|
|
||||||
|
#
|
||||||
|
# Microsoft CHAP authentication
|
||||||
|
#
|
||||||
|
# This module supports MS-CHAP and MS-CHAPv2 authentication.
|
||||||
|
# It also enforces the SMB-Account-Ctrl attribute.
|
||||||
|
#
|
||||||
|
mschap {
|
||||||
|
#
|
||||||
|
# If you are using /etc/smbpasswd, see the 'passwd'
|
||||||
|
# module for an example of how to use /etc/smbpasswd
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# If use_mppe is not set to no mschap, will
|
||||||
|
# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
|
||||||
|
# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
|
||||||
|
#
|
||||||
|
# use_mppe = no
|
||||||
|
|
||||||
|
#
|
||||||
|
# If MPPE is enabled, require_encryption makes
|
||||||
|
# encryption moderate
|
||||||
|
#
|
||||||
|
# require_encryption = yes
|
||||||
|
|
||||||
|
#
|
||||||
|
# require_strong always requires 128 bit key
|
||||||
|
# encryption
|
||||||
|
#
|
||||||
|
# require_strong = yes
|
||||||
|
|
||||||
|
#
|
||||||
|
# This module can perform authentication itself, OR
|
||||||
|
# use a Windows Domain Controller. This configuration
|
||||||
|
# directive tells the module to call the ntlm_auth
|
||||||
|
# program, which will do the authentication, and return
|
||||||
|
# the NT-Key. Note that you MUST have "winbindd" and
|
||||||
|
# "nmbd" running on the local machine for ntlm_auth
|
||||||
|
# to work. See the ntlm_auth program documentation
|
||||||
|
# for details.
|
||||||
|
#
|
||||||
|
# If ntlm_auth is configured below, then the mschap
|
||||||
|
# module will call ntlm_auth for every MS-CHAP
|
||||||
|
# authentication request. If there is a cleartext
|
||||||
|
# or NT hashed password available, you can set
|
||||||
|
# "MS-CHAP-Use-NTLM-Auth := No" in the control items,
|
||||||
|
# and the mschap module will do the authentication itself,
|
||||||
|
# without calling ntlm_auth.
|
||||||
|
#
|
||||||
|
# Be VERY careful when editing the following line!
|
||||||
|
#
|
||||||
|
# You can also try setting the user name as:
|
||||||
|
#
|
||||||
|
# ... --username=%{mschap:User-Name} ...
|
||||||
|
#
|
||||||
|
# In that case, the mschap module will look at the User-Name
|
||||||
|
# attribute, and do prefix/suffix checks in order to obtain
|
||||||
|
# the "best" user name for the request.
|
||||||
|
#
|
||||||
|
# For Samba 4, you should also set the "ntlm auth" parameter
|
||||||
|
# in the Samba configuration:
|
||||||
|
#
|
||||||
|
# ntlm auth = yes
|
||||||
|
#
|
||||||
|
# or
|
||||||
|
#
|
||||||
|
# ntlm auth = mschapv2-and-ntlmv2-only
|
||||||
|
#
|
||||||
|
# This will let Samba 4 accept the MS-CHAP authentication
|
||||||
|
# method that is needed by FreeRADIUS.
|
||||||
|
#
|
||||||
|
# Depending on the Samba version, you may also need to add:
|
||||||
|
#
|
||||||
|
# --allow-mschapv2
|
||||||
|
#
|
||||||
|
# to the command-line parameters.
|
||||||
|
#
|
||||||
|
# ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
|
||||||
|
|
||||||
|
#
|
||||||
|
# The default is to wait 10 seconds for ntlm_auth to
|
||||||
|
# complete. This is a long time, and if it's taking that
|
||||||
|
# long then you likely have other problems in your domain.
|
||||||
|
# The length of time can be decreased with the following
|
||||||
|
# option, which can save clients waiting if your ntlm_auth
|
||||||
|
# usually finishes quicker. Range 1 to 10 seconds.
|
||||||
|
#
|
||||||
|
# ntlm_auth_timeout = 10
|
||||||
|
|
||||||
|
#
|
||||||
|
# An alternative to using ntlm_auth is to connect to the
|
||||||
|
# winbind daemon directly for authentication. This option
|
||||||
|
# is likely to be faster and may be useful on busy systems,
|
||||||
|
# but is less well tested.
|
||||||
|
#
|
||||||
|
# Using this option requires libwbclient from Samba 4.2.1
|
||||||
|
# or later to be installed. Make sure that ntlm_auth above is
|
||||||
|
# commented out.
|
||||||
|
#
|
||||||
|
# winbind_username = "%{mschap:User-Name}"
|
||||||
|
# winbind_domain = "%{mschap:NT-Domain}"
|
||||||
|
|
||||||
|
#
|
||||||
|
# When using single sign-on with a winbind connection and the
|
||||||
|
# client uses a different casing for the username than the
|
||||||
|
# casing is according to the backend, reauth may fail because
|
||||||
|
# of some Windows internals. This switch tries to find the
|
||||||
|
# user in the correct casing in the backend, and retry
|
||||||
|
# authentication with that username.
|
||||||
|
#
|
||||||
|
# winbind_retry_with_normalised_username = no
|
||||||
|
|
||||||
|
#
|
||||||
|
# Information for the winbind connection pool. The configuration
|
||||||
|
# items below are the same for all modules which use the new
|
||||||
|
# connection pool.
|
||||||
|
#
|
||||||
|
pool {
|
||||||
|
#
|
||||||
|
# Connections to create during module instantiation.
|
||||||
|
# If the server cannot create specified number of
|
||||||
|
# connections during instantiation it will exit.
|
||||||
|
# Set to 0 to allow the server to start without the
|
||||||
|
# winbind daemon being available.
|
||||||
|
#
|
||||||
|
start = ${thread[pool].start_servers}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Minimum number of connections to keep open
|
||||||
|
#
|
||||||
|
min = ${thread[pool].min_spare_servers}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Maximum number of connections
|
||||||
|
#
|
||||||
|
# If these connections are all in use and a new one
|
||||||
|
# is requested, the request will NOT get a connection.
|
||||||
|
#
|
||||||
|
# Setting 'max' to LESS than the number of threads means
|
||||||
|
# that some threads may starve, and you will see errors
|
||||||
|
# like 'No connections available and at max connection limit'
|
||||||
|
#
|
||||||
|
# Setting 'max' to MORE than the number of threads means
|
||||||
|
# that there are more connections than necessary.
|
||||||
|
#
|
||||||
|
max = ${thread[pool].max_servers}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Spare connections to be left idle
|
||||||
|
#
|
||||||
|
# NOTE: Idle connections WILL be closed if "idle_timeout"
|
||||||
|
# is set. This should be less than or equal to "max" above.
|
||||||
|
#
|
||||||
|
spare = ${thread[pool].max_spare_servers}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Number of uses before the connection is closed
|
||||||
|
#
|
||||||
|
# 0 means "infinite"
|
||||||
|
#
|
||||||
|
uses = 0
|
||||||
|
|
||||||
|
#
|
||||||
|
# The number of seconds to wait after the server tries
|
||||||
|
# to open a connection, and fails. During this time,
|
||||||
|
# no new connections will be opened.
|
||||||
|
#
|
||||||
|
retry_delay = 30
|
||||||
|
|
||||||
|
#
|
||||||
|
# The lifetime (in seconds) of the connection
|
||||||
|
#
|
||||||
|
# NOTE: A setting of 0 means infinite (no limit).
|
||||||
|
#
|
||||||
|
lifetime = 86400
|
||||||
|
|
||||||
|
#
|
||||||
|
# The pool is checked for free connections every
|
||||||
|
# "cleanup_interval". If there are free connections,
|
||||||
|
# then one of them is closed.
|
||||||
|
#
|
||||||
|
cleanup_interval = 300
|
||||||
|
|
||||||
|
#
|
||||||
|
# The idle timeout (in seconds). A connection which is
|
||||||
|
# unused for this length of time will be closed.
|
||||||
|
#
|
||||||
|
# NOTE: A setting of 0 means infinite (no timeout).
|
||||||
|
#
|
||||||
|
idle_timeout = 600
|
||||||
|
|
||||||
|
#
|
||||||
|
# NOTE: All configuration settings are enforced. If a
|
||||||
|
# connection is closed because of "idle_timeout",
|
||||||
|
# "uses", or "lifetime", then the total number of
|
||||||
|
# connections MAY fall below "min". When that
|
||||||
|
# happens, it will open a new connection. It will
|
||||||
|
# also log a WARNING message.
|
||||||
|
#
|
||||||
|
# The solution is to either lower the "min" connections,
|
||||||
|
# or increase lifetime/idle_timeout.
|
||||||
|
#
|
||||||
|
}
|
||||||
|
|
||||||
|
passchange {
|
||||||
|
#
|
||||||
|
# This support MS-CHAPv2 (not v1) password change
|
||||||
|
# requests. See doc/mschap.rst for more IMPORTANT
|
||||||
|
# information.
|
||||||
|
#
|
||||||
|
# Samba/ntlm_auth - if you are using ntlm_auth to
|
||||||
|
# validate passwords, you will need to use ntlm_auth
|
||||||
|
# to change passwords. Uncomment the three lines
|
||||||
|
# below, and change the path to ntlm_auth.
|
||||||
|
#
|
||||||
|
# ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
|
||||||
|
# ntlm_auth_username = "username: %{mschap:User-Name}"
|
||||||
|
# ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"
|
||||||
|
|
||||||
|
#
|
||||||
|
# To implement a local password change, you need to
|
||||||
|
# supply a string which is then expanded, so that the
|
||||||
|
# password can be placed somewhere. e.g. passed to a
|
||||||
|
# script (exec), or written to SQL (UPDATE/INSERT).
|
||||||
|
# We give both examples here, but only one will be
|
||||||
|
# used.
|
||||||
|
#
|
||||||
|
# local_cpw = "%{exec:/path/to/script %{mschap:User-Name} %{MS-CHAP-New-Cleartext-Password}}"
|
||||||
|
#
|
||||||
|
# local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{SQL-User-Name}' and attribute='NT-Password'}"
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# For Apple Server, when running on the same machine as
|
||||||
|
# Open Directory. It has no effect on other systems.
|
||||||
|
#
|
||||||
|
# use_open_directory = yes
|
||||||
|
|
||||||
|
#
|
||||||
|
# On failure, set (or not) the MS-CHAP error code saying
|
||||||
|
# "retries allowed".
|
||||||
|
#
|
||||||
|
# allow_retry = yes
|
||||||
|
|
||||||
|
#
|
||||||
|
# An optional retry message.
|
||||||
|
#
|
||||||
|
# retry_msg = "Re-enter (or reset) the password"
|
||||||
|
}
|
18
ops/nixos/bvm-radius/raddb/mods-available/ntlm_auth
Normal file
18
ops/nixos/bvm-radius/raddb/mods-available/ntlm_auth
Normal file
|
@ -0,0 +1,18 @@
|
||||||
|
#
|
||||||
|
# For testing ntlm_auth authentication with PAP.
|
||||||
|
#
|
||||||
|
# If you have problems with authentication failing, even when the
|
||||||
|
# password is good, it may be a bug in Samba:
|
||||||
|
#
|
||||||
|
# https://bugzilla.samba.org/show_bug.cgi?id=6563
|
||||||
|
#
|
||||||
|
# Depending on the AD / Samba configuration, you may also need to add:
|
||||||
|
#
|
||||||
|
# --allow-mschapv2
|
||||||
|
#
|
||||||
|
# to the list of command-line options.
|
||||||
|
#
|
||||||
|
exec ntlm_auth {
|
||||||
|
wait = yes
|
||||||
|
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
|
||||||
|
}
|
18
ops/nixos/bvm-radius/raddb/mods-available/pap
Normal file
18
ops/nixos/bvm-radius/raddb/mods-available/pap
Normal file
|
@ -0,0 +1,18 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 0038ecd154840c71ceff33ddfdd936e4e28e0bcd $
|
||||||
|
|
||||||
|
# PAP module to authenticate users based on their stored password
|
||||||
|
#
|
||||||
|
# Supports multiple encryption/hash schemes. See "man rlm_pap"
|
||||||
|
# for details.
|
||||||
|
#
|
||||||
|
# For instructions on creating the various types of passwords, see:
|
||||||
|
#
|
||||||
|
# http://www.openldap.org/faq/data/cache/347.html
|
||||||
|
pap {
|
||||||
|
# By default the server will use heuristics to try and automatically
|
||||||
|
# handle base64 or hex encoded passwords. This behaviour can be
|
||||||
|
# stopped by setting the following to "no".
|
||||||
|
# normalise = yes
|
||||||
|
}
|
55
ops/nixos/bvm-radius/raddb/mods-available/passwd
Normal file
55
ops/nixos/bvm-radius/raddb/mods-available/passwd
Normal file
|
@ -0,0 +1,55 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 11bd2246642bf3c080327c7f4a67dc42603f3a6c $
|
||||||
|
|
||||||
|
# passwd module allows to do authorization via any passwd-like
|
||||||
|
# file and to extract any attributes from these files.
|
||||||
|
#
|
||||||
|
# See the "smbpasswd" and "etc_group" files for more examples.
|
||||||
|
#
|
||||||
|
# parameters are:
|
||||||
|
# filename - path to file
|
||||||
|
#
|
||||||
|
# format - format for filename record. This parameters
|
||||||
|
# correlates record in the passwd file and RADIUS
|
||||||
|
# attributes.
|
||||||
|
#
|
||||||
|
# Field marked as '*' is a key field. That is, the parameter
|
||||||
|
# with this name from the request is used to search for
|
||||||
|
# the record from passwd file
|
||||||
|
#
|
||||||
|
# Attributes marked as '=' are added to reply_items instead
|
||||||
|
# of default configure_items
|
||||||
|
#
|
||||||
|
# Attributes marked as '~' are added to request_items
|
||||||
|
#
|
||||||
|
# Field marked as ',' may contain a comma separated list
|
||||||
|
# of attributes.
|
||||||
|
#
|
||||||
|
# hash_size - hashtable size. Setting it to 0 is no longer permitted
|
||||||
|
# A future version of the server will have the module
|
||||||
|
# automatically determine the hash size. Having it set
|
||||||
|
# manually should not be necessary.
|
||||||
|
#
|
||||||
|
# allow_multiple_keys - if many records for a key are allowed
|
||||||
|
#
|
||||||
|
# ignore_nislike - ignore NIS-related records
|
||||||
|
#
|
||||||
|
# delimiter - symbol to use as a field separator in passwd file,
|
||||||
|
# for format ':' symbol is always used. '\0', '\n' are
|
||||||
|
# not allowed
|
||||||
|
#
|
||||||
|
|
||||||
|
# An example configuration for using /etc/passwd.
|
||||||
|
#
|
||||||
|
# This is an example which will NOT WORK if you have shadow passwords,
|
||||||
|
# NIS, etc. The "unix" module is normally responsible for reading
|
||||||
|
# system passwords. You should use it instead of this example.
|
||||||
|
#
|
||||||
|
passwd etc_passwd {
|
||||||
|
filename = /etc/passwd
|
||||||
|
format = "*User-Name:Crypt-Password:"
|
||||||
|
hash_size = 100
|
||||||
|
ignore_nislike = no
|
||||||
|
allow_multiple_keys = no
|
||||||
|
}
|
62
ops/nixos/bvm-radius/raddb/mods-available/preprocess
Normal file
62
ops/nixos/bvm-radius/raddb/mods-available/preprocess
Normal file
|
@ -0,0 +1,62 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 8baec7961ba75fe52546cb1331868b0b2b1c38f4 $
|
||||||
|
|
||||||
|
# Preprocess the incoming RADIUS request, before handing it off
|
||||||
|
# to other modules.
|
||||||
|
#
|
||||||
|
# This module processes the 'huntgroups' and 'hints' files.
|
||||||
|
# In addition, it re-writes some weird attributes created
|
||||||
|
# by some NAS, and converts the attributes into a form which
|
||||||
|
# is a little more standard.
|
||||||
|
#
|
||||||
|
preprocess {
|
||||||
|
# Search for files in a subdirectory of mods-config which
|
||||||
|
# matches this instance of the preprocess module.
|
||||||
|
moddir = ${modconfdir}/${.:instance}
|
||||||
|
|
||||||
|
huntgroups = ${moddir}/huntgroups
|
||||||
|
hints = ${moddir}/hints
|
||||||
|
|
||||||
|
# This hack changes Ascend's weird port numbering
|
||||||
|
# to standard 0-??? port numbers so that the "+" works
|
||||||
|
# for IP address assignments.
|
||||||
|
with_ascend_hack = no
|
||||||
|
ascend_channels_per_line = 23
|
||||||
|
|
||||||
|
# Windows NT machines often authenticate themselves as
|
||||||
|
# NT_DOMAIN\username
|
||||||
|
#
|
||||||
|
# If this is set to 'yes', then the NT_DOMAIN portion
|
||||||
|
# of the user-name is silently discarded.
|
||||||
|
#
|
||||||
|
# This configuration entry SHOULD NOT be used.
|
||||||
|
# See the "realms" module for a better way to handle
|
||||||
|
# NT domains.
|
||||||
|
with_ntdomain_hack = no
|
||||||
|
|
||||||
|
# Specialix Jetstream 8500 24 port access server.
|
||||||
|
#
|
||||||
|
# If the user name is 10 characters or longer, a "/"
|
||||||
|
# and the excess characters after the 10th are
|
||||||
|
# appended to the user name.
|
||||||
|
#
|
||||||
|
# If you're not running that NAS, you don't need
|
||||||
|
# this hack.
|
||||||
|
with_specialix_jetstream_hack = no
|
||||||
|
|
||||||
|
# Cisco (and Quintum in Cisco mode) sends it's VSA attributes
|
||||||
|
# with the attribute name *again* in the string, like:
|
||||||
|
#
|
||||||
|
# H323-Attribute = "h323-attribute=value".
|
||||||
|
#
|
||||||
|
# If this configuration item is set to 'yes', then
|
||||||
|
# the redundant data in the the attribute text is stripped
|
||||||
|
# out. The result is:
|
||||||
|
#
|
||||||
|
# H323-Attribute = "value"
|
||||||
|
#
|
||||||
|
# If you're not running a Cisco or Quintum NAS, you don't
|
||||||
|
# need this hack.
|
||||||
|
with_cisco_vsa_hack = no
|
||||||
|
}
|
53
ops/nixos/bvm-radius/raddb/mods-available/radutmp
Normal file
53
ops/nixos/bvm-radius/raddb/mods-available/radutmp
Normal file
|
@ -0,0 +1,53 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 82319c033bbf349991a46b8f198a5bf5487b5da8 $
|
||||||
|
|
||||||
|
# Write a 'utmp' style file, of which users are currently
|
||||||
|
# logged in, and where they've logged in from.
|
||||||
|
#
|
||||||
|
# This file is used mainly for Simultaneous-Use checking,
|
||||||
|
# and also 'radwho', to see who's currently logged in.
|
||||||
|
#
|
||||||
|
radutmp {
|
||||||
|
# Where the file is stored. It's not a log file,
|
||||||
|
# so it doesn't need rotating.
|
||||||
|
#
|
||||||
|
filename = ${logdir}/radutmp
|
||||||
|
|
||||||
|
# The field in the packet to key on for the
|
||||||
|
# 'user' name, If you have other fields which you want
|
||||||
|
# to use to key on to control Simultaneous-Use,
|
||||||
|
# then you can use them here.
|
||||||
|
#
|
||||||
|
# Note, however, that the size of the field in the
|
||||||
|
# 'utmp' data structure is small, around 32
|
||||||
|
# characters, so that will limit the possible choices
|
||||||
|
# of keys.
|
||||||
|
#
|
||||||
|
# You may want instead: %{%{Stripped-User-Name}:-%{User-Name}}
|
||||||
|
username = %{User-Name}
|
||||||
|
|
||||||
|
|
||||||
|
# Whether or not we want to treat "user" the same
|
||||||
|
# as "USER", or "User". Some systems have problems
|
||||||
|
# with case sensitivity, so this should be set to
|
||||||
|
# 'no' to enable the comparisons of the key attribute
|
||||||
|
# to be case insensitive.
|
||||||
|
#
|
||||||
|
case_sensitive = yes
|
||||||
|
|
||||||
|
# Accounting information may be lost, so the user MAY
|
||||||
|
# have logged off of the NAS, but we haven't noticed.
|
||||||
|
# If so, we can verify this information with the NAS,
|
||||||
|
#
|
||||||
|
# If we want to believe the 'utmp' file, then this
|
||||||
|
# configuration entry can be set to 'no'.
|
||||||
|
#
|
||||||
|
check_with_nas = yes
|
||||||
|
|
||||||
|
# Set the file permissions, as the contents of this file
|
||||||
|
# are usually private.
|
||||||
|
permissions = 0600
|
||||||
|
|
||||||
|
caller_id = "yes"
|
||||||
|
}
|
75
ops/nixos/bvm-radius/raddb/mods-available/realm
Normal file
75
ops/nixos/bvm-radius/raddb/mods-available/realm
Normal file
|
@ -0,0 +1,75 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 8ff95a9e9a652c2df9f992b0eb528084b6a7a2dc $
|
||||||
|
|
||||||
|
# Realm module, for proxying.
|
||||||
|
#
|
||||||
|
# You can have multiple instances of the realm module to
|
||||||
|
# support multiple realm syntaxes at the same time. The
|
||||||
|
# search order is defined by the order that the modules are listed
|
||||||
|
# in the authorize and preacct sections.
|
||||||
|
#
|
||||||
|
# Four config options:
|
||||||
|
# format - must be "prefix" or "suffix"
|
||||||
|
# The special cases of "DEFAULT"
|
||||||
|
# and "NULL" are allowed, too.
|
||||||
|
# delimiter - must be a single character
|
||||||
|
|
||||||
|
# 'realm/username'
|
||||||
|
#
|
||||||
|
# Using this entry, IPASS users have their realm set to "IPASS".
|
||||||
|
realm IPASS {
|
||||||
|
format = prefix
|
||||||
|
delimiter = "/"
|
||||||
|
}
|
||||||
|
|
||||||
|
# 'username@realm'
|
||||||
|
#
|
||||||
|
realm suffix {
|
||||||
|
format = suffix
|
||||||
|
delimiter = "@"
|
||||||
|
|
||||||
|
# The next configuration items are valid ONLY for a trust-router.
|
||||||
|
# For all other realms, they are ignored.
|
||||||
|
# trust_router = "localhost"
|
||||||
|
# tr_port = 12309
|
||||||
|
# rp_realm = "realm.example.com"
|
||||||
|
# default_community = "apc.communities.example.com"
|
||||||
|
# # if rekey_enabled is enabled, dynamic realms are automatically rekeyed
|
||||||
|
# # before they expire to avoid having to recreate them from scrach on
|
||||||
|
# # demand (implying lengthy authentications)
|
||||||
|
# rekey_enabled = no
|
||||||
|
# # if realm_lifetime is > 0, the rekey is scheduled to happen the
|
||||||
|
# # specified number of seconds after its creation or rekeying. Otherwise,
|
||||||
|
# # the key material expiration timestamp is used
|
||||||
|
# realm_lifetime = 0
|
||||||
|
}
|
||||||
|
|
||||||
|
# 'realm!username'
|
||||||
|
#
|
||||||
|
realm bangpath {
|
||||||
|
format = prefix
|
||||||
|
delimiter = "!"
|
||||||
|
|
||||||
|
# trust_router = "localhost"
|
||||||
|
# tr_port = 12309
|
||||||
|
# rp_realm = "realm.example.com"
|
||||||
|
# default_community = "apc.communities.example.com"
|
||||||
|
# rekey_enabled = no
|
||||||
|
# realm_lifetime = 0
|
||||||
|
}
|
||||||
|
|
||||||
|
# 'username%realm'
|
||||||
|
#
|
||||||
|
realm realmpercent {
|
||||||
|
format = suffix
|
||||||
|
delimiter = "%"
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# 'domain\user'
|
||||||
|
#
|
||||||
|
realm ntdomain {
|
||||||
|
format = prefix
|
||||||
|
delimiter = "\\"
|
||||||
|
}
|
40
ops/nixos/bvm-radius/raddb/mods-available/replicate
Normal file
40
ops/nixos/bvm-radius/raddb/mods-available/replicate
Normal file
|
@ -0,0 +1,40 @@
|
||||||
|
# Replicate packet(s) to a home server.
|
||||||
|
#
|
||||||
|
# This module will open a new socket for each packet, and "clone"
|
||||||
|
# the incoming packet to the destination realm (i.e. home server).
|
||||||
|
#
|
||||||
|
# Use it by setting "Replicate-To-Realm = name" in the control list,
|
||||||
|
# just like Proxy-To-Realm. The configurations for the two attributes
|
||||||
|
# are identical. The realm must exist, the home_server_pool must exist,
|
||||||
|
# and the home_server must exist.
|
||||||
|
#
|
||||||
|
# The only difference is that the "replicate" module sends requests
|
||||||
|
# and does not expect a reply. Any reply is ignored.
|
||||||
|
#
|
||||||
|
# Both Replicate-To-Realm and Proxy-To-Realm can be used at the same time.
|
||||||
|
#
|
||||||
|
# To use this module, list "replicate" in the "authorize" or
|
||||||
|
# "accounting" section. Then, ensure that Replicate-To-Realm is set.
|
||||||
|
# The contents of the "packet" attribute list will be sent to the
|
||||||
|
# home server. The usual load-balancing, etc. features of the home
|
||||||
|
# server will be used.
|
||||||
|
#
|
||||||
|
# "radmin" can be used to mark home servers alive/dead, in order to
|
||||||
|
# enable/disable replication to specific servers.
|
||||||
|
#
|
||||||
|
# Packets can be replicated to multiple destinations. Just set
|
||||||
|
# Replicate-To-Realm multiple times. One packet will be sent for
|
||||||
|
# each of the Replicate-To-Realm attribute in the "control" list.
|
||||||
|
#
|
||||||
|
# If no packets are sent, the module returns "noop". If at least one
|
||||||
|
# packet is sent, the module returns "ok". If an error occurs, the
|
||||||
|
# module returns "fail"
|
||||||
|
#
|
||||||
|
# Note that replication does NOT change any of the packet statistics.
|
||||||
|
# If you use "radmin" to look at the statistics for a home server,
|
||||||
|
# the replicated packets will cause NO counters to increment. This
|
||||||
|
# is not a bug, this is how replication works.
|
||||||
|
#
|
||||||
|
replicate {
|
||||||
|
|
||||||
|
}
|
4
ops/nixos/bvm-radius/raddb/mods-available/soh
Normal file
4
ops/nixos/bvm-radius/raddb/mods-available/soh
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
# SoH module
|
||||||
|
soh {
|
||||||
|
dhcp = yes
|
||||||
|
}
|
16
ops/nixos/bvm-radius/raddb/mods-available/sradutmp
Normal file
16
ops/nixos/bvm-radius/raddb/mods-available/sradutmp
Normal file
|
@ -0,0 +1,16 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 3a2a0e502e76ec00d4ec17e70132448e1547da46 $
|
||||||
|
|
||||||
|
# "Safe" radutmp - does not contain caller ID, so it can be
|
||||||
|
# world-readable, and radwho can work for normal users, without
|
||||||
|
# exposing any information that isn't already exposed by who(1).
|
||||||
|
#
|
||||||
|
# This is another 'instance' of the radutmp module, but it is given
|
||||||
|
# then name "sradutmp" to identify it later in the "accounting"
|
||||||
|
# section.
|
||||||
|
radutmp sradutmp {
|
||||||
|
filename = ${logdir}/sradutmp
|
||||||
|
permissions = 0644
|
||||||
|
caller_id = "no"
|
||||||
|
}
|
25
ops/nixos/bvm-radius/raddb/mods-available/unix
Normal file
25
ops/nixos/bvm-radius/raddb/mods-available/unix
Normal file
|
@ -0,0 +1,25 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 5165139aaf39d533581161871542b48a6e3e8c42 $
|
||||||
|
|
||||||
|
# Unix /etc/passwd style authentication
|
||||||
|
#
|
||||||
|
# This module calls the system functions to get the "known good"
|
||||||
|
# password. This password is usually in the "crypt" form, and is
|
||||||
|
# incompatible with CHAP, MS-CHAP, PEAP, etc.
|
||||||
|
#
|
||||||
|
# If passwords are in /etc/shadow, you will need to set the "group"
|
||||||
|
# configuration in radiusd.conf. Look for "shadow", and follow the
|
||||||
|
# instructions there.
|
||||||
|
#
|
||||||
|
unix {
|
||||||
|
#
|
||||||
|
# The location of the "wtmp" file.
|
||||||
|
# The only use for 'radlast'. If you don't use
|
||||||
|
# 'radlast', then you can comment out this item.
|
||||||
|
#
|
||||||
|
# Note that the radwtmp file may get large! You should
|
||||||
|
# rotate it (cp /dev/null radwtmp), or just not use it.
|
||||||
|
#
|
||||||
|
radwtmp = ${logdir}/radwtmp
|
||||||
|
}
|
59
ops/nixos/bvm-radius/raddb/mods-available/unpack
Normal file
59
ops/nixos/bvm-radius/raddb/mods-available/unpack
Normal file
|
@ -0,0 +1,59 @@
|
||||||
|
# -*- text -*-
|
||||||
|
#
|
||||||
|
# $Id: 665dd2aca16b9498a4d2b8a91e41d27741185738 $
|
||||||
|
|
||||||
|
#
|
||||||
|
# This module is useful only for 'xlat'. To use it,
|
||||||
|
# add it to the raddb/mods-enabled/ directory. Then,
|
||||||
|
# use it on the right-hand side of a variable assignment.
|
||||||
|
#
|
||||||
|
# ... = "%{unpack:data 1 integer}"
|
||||||
|
#
|
||||||
|
# The arguments are three fields:
|
||||||
|
#
|
||||||
|
# data
|
||||||
|
# Either &Attribute-Name
|
||||||
|
# the name of the attribute to unpack.
|
||||||
|
# MUST be a "string" or "octets" type.
|
||||||
|
#
|
||||||
|
# or 0xabcdef
|
||||||
|
# e.g. hex data.
|
||||||
|
#
|
||||||
|
# 1
|
||||||
|
# The offset into the string from which
|
||||||
|
# it starts unpacking. The offset starts
|
||||||
|
# at zero, for the first attribute.
|
||||||
|
#
|
||||||
|
# integer
|
||||||
|
# the data type to unpack at that offset.
|
||||||
|
# e.g. integer, ipaddr, byte, short, etc.
|
||||||
|
#
|
||||||
|
# e.g. if we have Class = 0x0000000102030405, then
|
||||||
|
#
|
||||||
|
# %{unpack:&Class 4 short}
|
||||||
|
#
|
||||||
|
# will unpack octets 4 and 5 as a "short", which has
|
||||||
|
# value 0x0304.
|
||||||
|
#
|
||||||
|
# This module is used when vendors put multiple fields
|
||||||
|
# into one attribute of type "octets".
|
||||||
|
#
|
||||||
|
# The module can also be used to unpack substrings, by specifing a
|
||||||
|
# data type of "string(len)" or "octets(len)". Where "len" is an
|
||||||
|
# actual number. For example:
|
||||||
|
#
|
||||||
|
# %{unpack:&User-Name 1 string(2)}
|
||||||
|
#
|
||||||
|
# When given a User-Name of "hello", it will start taking the
|
||||||
|
# substring at offset 1 (i.e. "e"), and it will take two characters
|
||||||
|
# from that offset, i.e. "el".
|
||||||
|
#
|
||||||
|
# When "octets(len)" is used, the output is printed as hex. e.g. for
|
||||||
|
# the above example with Class:
|
||||||
|
#
|
||||||
|
# %{unpack:&Class 4 octets(4)}
|
||||||
|
#
|
||||||
|
# Will return the hex string "02030405"
|
||||||
|
#
|
||||||
|
unpack {
|
||||||
|
}
|
14
ops/nixos/bvm-radius/raddb/mods-available/utf8
Normal file
14
ops/nixos/bvm-radius/raddb/mods-available/utf8
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
#
|
||||||
|
# Enforces UTF-8 on strings coming in from the NAS.
|
||||||
|
#
|
||||||
|
# An attribute of type "string" containing UTF-8 makes
|
||||||
|
# the module return NOOP.
|
||||||
|
#
|
||||||
|
# An attribute of type "string" containing non-UTF-8 data
|
||||||
|
# makes the module return FAIL.
|
||||||
|
#
|
||||||
|
# This module takes no configuration.
|
||||||
|
#
|
||||||
|
utf8 {
|
||||||
|
|
||||||
|
}
|
22
ops/nixos/bvm-radius/raddb/mods-config/README.rst
Normal file
22
ops/nixos/bvm-radius/raddb/mods-config/README.rst
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
The mods-config Directory
|
||||||
|
=========================
|
||||||
|
|
||||||
|
This directory contains module-specific configuration files. These
|
||||||
|
files are in a format different from the one used by the main
|
||||||
|
`radiusd.conf` files. Earlier versions of the server had many
|
||||||
|
module-specific files in the main `raddb` directory. The directory
|
||||||
|
contained many files, and it was not clear which files did what.
|
||||||
|
|
||||||
|
For Version 3 of FreeRADIUS, we have moved to a consistent naming
|
||||||
|
scheme. Each module-specific configuration file is placed in this
|
||||||
|
directory, in a subdirectory named for the module. Where necessary,
|
||||||
|
files in the subdirectory have been named for the processing section
|
||||||
|
where they are used.
|
||||||
|
|
||||||
|
For example, the `users` file is now located in
|
||||||
|
`mods-config/files/authorize`. That filename tells us three things:
|
||||||
|
|
||||||
|
1. The file is used in the `authorize` section.
|
||||||
|
2. The file is used by the `files` module.
|
||||||
|
3. It is a "module configuration" file, which is a specific format.
|
||||||
|
|
|
@ -0,0 +1,19 @@
|
||||||
|
#
|
||||||
|
# Configuration file for the rlm_attr_filter module.
|
||||||
|
# Please see rlm_attr_filter(5) manpage for more information.
|
||||||
|
#
|
||||||
|
# $Id: 12ed619cf16f7322221ef2dfaf28f9c36c616e3c $
|
||||||
|
#
|
||||||
|
# This configuration file is used to remove almost all of the
|
||||||
|
# attributes From an Access-Challenge message. The RFCs say
|
||||||
|
# that an Access-Challenge packet can contain only a few
|
||||||
|
# attributes. We enforce that here.
|
||||||
|
#
|
||||||
|
DEFAULT
|
||||||
|
EAP-Message =* ANY,
|
||||||
|
State =* ANY,
|
||||||
|
Message-Authenticator =* ANY,
|
||||||
|
Reply-Message =* ANY,
|
||||||
|
Proxy-State =* ANY,
|
||||||
|
Session-Timeout =* ANY,
|
||||||
|
Idle-Timeout =* ANY
|
|
@ -0,0 +1,18 @@
|
||||||
|
#
|
||||||
|
# Configuration file for the rlm_attr_filter module.
|
||||||
|
# Please see rlm_attr_filter(5) manpage for more information.
|
||||||
|
#
|
||||||
|
# $Id: 47f167b085c2a4e22701fe9fe74b8fe0b9575421 $
|
||||||
|
#
|
||||||
|
# This configuration file is used to remove almost all of the attributes
|
||||||
|
# From an Access-Reject message. The RFCs say that an Access-Reject
|
||||||
|
# packet can contain only a few attributes. We enforce that here.
|
||||||
|
#
|
||||||
|
DEFAULT
|
||||||
|
EAP-Message =* ANY,
|
||||||
|
State =* ANY,
|
||||||
|
Message-Authenticator =* ANY,
|
||||||
|
Error-Cause =* ANY,
|
||||||
|
Reply-Message =* ANY,
|
||||||
|
MS-CHAP-Error =* ANY,
|
||||||
|
Proxy-State =* ANY
|
|
@ -0,0 +1,16 @@
|
||||||
|
#
|
||||||
|
# Configuration file for the rlm_attr_filter module.
|
||||||
|
# Please see rlm_attr_filter(5) manpage for more information.
|
||||||
|
#
|
||||||
|
# $Id: 01e9c6f5bda7a138f45da5010c624d92b6d398a0 $
|
||||||
|
#
|
||||||
|
# This configuration file is used to remove almost all of the attributes
|
||||||
|
# From an Accounting-Response message. The RFC's say that an
|
||||||
|
# Accounting-Response packet can contain only a few attributes.
|
||||||
|
# We enforce that here.
|
||||||
|
#
|
||||||
|
DEFAULT
|
||||||
|
Vendor-Specific =* ANY,
|
||||||
|
Message-Authenticator =* ANY,
|
||||||
|
Error-Cause =* ANY,
|
||||||
|
Proxy-State =* ANY
|
119
ops/nixos/bvm-radius/raddb/mods-config/attr_filter/post-proxy
Normal file
119
ops/nixos/bvm-radius/raddb/mods-config/attr_filter/post-proxy
Normal file
|
@ -0,0 +1,119 @@
|
||||||
|
#
|
||||||
|
# Configuration file for the rlm_attr_filter module.
|
||||||
|
# Please see rlm_attr_filter(5) manpage for more information.
|
||||||
|
#
|
||||||
|
# $Id: 5d889ea733ec8e6b246335f86bf6e122b54f23aa $
|
||||||
|
#
|
||||||
|
# This file contains security and configuration information
|
||||||
|
# for each realm. The first field is the realm name and
|
||||||
|
# can be up to 253 characters in length. This is followed (on
|
||||||
|
# the next line) with the list of filter rules to be used to
|
||||||
|
# decide what attributes and/or values we allow proxy servers
|
||||||
|
# to pass to the NAS for this realm.
|
||||||
|
#
|
||||||
|
# When a proxy-reply packet is received from a home server,
|
||||||
|
# these attributes and values are tested. Only the first match
|
||||||
|
# is used unless the "Fall-Through" variable is set to "Yes".
|
||||||
|
# In that case the rules defined in the DEFAULT case are
|
||||||
|
# processed as well.
|
||||||
|
#
|
||||||
|
# A special realm named "DEFAULT" matches on all realm names.
|
||||||
|
# You can have only one DEFAULT entry. All entries are processed
|
||||||
|
# in the order they appear in this file. The first entry that
|
||||||
|
# matches the login-request will stop processing unless you use
|
||||||
|
# the Fall-Through variable.
|
||||||
|
#
|
||||||
|
# Indented (with the tab character) lines following the first
|
||||||
|
# line indicate the filter rules.
|
||||||
|
#
|
||||||
|
# You can include another `attrs' file with `$INCLUDE attrs.other'
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# This is a complete entry for realm "fisp". Note that there is no
|
||||||
|
# Fall-Through entry so that no DEFAULT entry will be used, and the
|
||||||
|
# server will NOT allow any other a/v pairs other than the ones
|
||||||
|
# listed here.
|
||||||
|
#
|
||||||
|
# These rules allow:
|
||||||
|
# o Only Framed-User Service-Types ( no telnet, rlogin, tcp-clear )
|
||||||
|
# o PPP sessions ( no SLIP, CSLIP, etc. )
|
||||||
|
# o dynamic ip assignment ( can't assign a static ip )
|
||||||
|
# o an idle timeout value set to 600 seconds (10 min) or less
|
||||||
|
# o a max session time set to 28800 seconds (8 hours) or less
|
||||||
|
#
|
||||||
|
#fisp
|
||||||
|
# Service-Type == Framed-User,
|
||||||
|
# Framed-Protocol == PPP,
|
||||||
|
# Framed-IP-Address == 255.255.255.254,
|
||||||
|
# Idle-Timeout <= 600,
|
||||||
|
# Session-Timeout <= 28800
|
||||||
|
|
||||||
|
#
|
||||||
|
# This is a complete entry for realm "tisp". Note that there is no
|
||||||
|
# Fall-Through entry so that no DEFAULT entry will be used, and the
|
||||||
|
# server will NOT allow any other a/v pairs other than the ones
|
||||||
|
# listed here.
|
||||||
|
#
|
||||||
|
# These rules allow:
|
||||||
|
# o Only Login-User Service-Type ( no framed/ppp sessions )
|
||||||
|
# o Telnet sessions only ( no rlogin, tcp-clear )
|
||||||
|
# o Login host of 192.0.2.1
|
||||||
|
#
|
||||||
|
#tisp
|
||||||
|
# Service-Type == Login-User,
|
||||||
|
# Login-Service == Telnet,
|
||||||
|
# Login-TCP-Port == 23,
|
||||||
|
# Login-IP-Host == 192.0.2.1
|
||||||
|
|
||||||
|
#
|
||||||
|
# The following example can be used for a home server which is only
|
||||||
|
# allowed to supply a Reply-Message, a Session-Timeout attribute of
|
||||||
|
# maximum 86400, a Idle-Timeout attribute of maximum 600 and a
|
||||||
|
# Acct-Interim-Interval attribute between 300 and 3600.
|
||||||
|
# All other attributes sent back will be filtered out.
|
||||||
|
#
|
||||||
|
#strictrealm
|
||||||
|
# Reply-Message =* ANY,
|
||||||
|
# Session-Timeout <= 86400,
|
||||||
|
# Idle-Timeout <= 600,
|
||||||
|
# Acct-Interim-Interval >= 300,
|
||||||
|
# Acct-Interim-Interval <= 3600
|
||||||
|
|
||||||
|
#
|
||||||
|
# This is a complete entry for realm "spamrealm". Fall-Through is used,
|
||||||
|
# so that the DEFAULT filter rules are used in addition to these.
|
||||||
|
#
|
||||||
|
# These rules allow:
|
||||||
|
# o Force the application of Filter-ID attribute to be returned
|
||||||
|
# in the proxy reply, whether the proxy sent it or not.
|
||||||
|
# o The standard DEFAULT rules as defined below
|
||||||
|
#
|
||||||
|
#spamrealm
|
||||||
|
# Framed-Filter-Id := "nosmtp.in",
|
||||||
|
# Fall-Through = Yes
|
||||||
|
|
||||||
|
#
|
||||||
|
# The rest of this file contains the DEFAULT entry.
|
||||||
|
# DEFAULT matches with all realm names. (except if the realm previously
|
||||||
|
# matched an entry with no Fall-Through)
|
||||||
|
#
|
||||||
|
|
||||||
|
DEFAULT
|
||||||
|
Framed-IP-Address == 255.255.255.254,
|
||||||
|
Framed-IP-Netmask == 255.255.255.255,
|
||||||
|
Framed-MTU >= 576,
|
||||||
|
Framed-Filter-ID =* ANY,
|
||||||
|
Reply-Message =* ANY,
|
||||||
|
Proxy-State =* ANY,
|
||||||
|
EAP-Message =* ANY,
|
||||||
|
Message-Authenticator =* ANY,
|
||||||
|
MS-MPPE-Recv-Key =* ANY,
|
||||||
|
MS-MPPE-Send-Key =* ANY,
|
||||||
|
MS-CHAP-MPPE-Keys =* ANY,
|
||||||
|
State =* ANY,
|
||||||
|
Session-Timeout <= 28800,
|
||||||
|
Idle-Timeout <= 600,
|
||||||
|
Calling-Station-Id =* ANY,
|
||||||
|
Operator-Name =* ANY,
|
||||||
|
Port-Limit <= 2
|
65
ops/nixos/bvm-radius/raddb/mods-config/attr_filter/pre-proxy
Normal file
65
ops/nixos/bvm-radius/raddb/mods-config/attr_filter/pre-proxy
Normal file
|
@ -0,0 +1,65 @@
|
||||||
|
#
|
||||||
|
# Configuration file for the rlm_attr_filter module.
|
||||||
|
# Please see rlm_attr_filter(5) manpage for more information.
|
||||||
|
#
|
||||||
|
# $Id: 47b01266f44d0475261c6ea16f74ca17d8838749 $
|
||||||
|
#
|
||||||
|
# This file contains security and configuration information
|
||||||
|
# for each realm. It can be used be an rlm_attr_filter module
|
||||||
|
# instance to filter attributes before sending packets to the
|
||||||
|
# home server of a realm.
|
||||||
|
#
|
||||||
|
# When a packet is sent to a home server, these attributes
|
||||||
|
# and values are tested. Only the first match is used unless
|
||||||
|
# the "Fall-Through" variable is set to "Yes". In that case
|
||||||
|
# the rules defined in the DEFAULT case are processed as well.
|
||||||
|
#
|
||||||
|
# A special realm named "DEFAULT" matches on all realm names.
|
||||||
|
# You can have only one DEFAULT entry. All entries are processed
|
||||||
|
# in the order they appear in this file. The first entry that
|
||||||
|
# matches the login-request will stop processing unless you use
|
||||||
|
# the Fall-Through variable.
|
||||||
|
#
|
||||||
|
# The first line indicates the realm to which the rules apply.
|
||||||
|
# Indented (with the tab character) lines following the first
|
||||||
|
# line indicate the filter rules.
|
||||||
|
#
|
||||||
|
|
||||||
|
# This is a complete entry for 'nochap' realm. It allows to send very
|
||||||
|
# basic attributes to the home server. Note that there is no Fall-Through
|
||||||
|
# entry so that no DEFAULT entry will be used. Only the listed attributes
|
||||||
|
# will be sent in the packet, all other attributes will be filtered out.
|
||||||
|
#
|
||||||
|
#nochap
|
||||||
|
# User-Name =* ANY,
|
||||||
|
# User-Password =* ANY,
|
||||||
|
# NAS-IP-Address =* ANY,
|
||||||
|
# NAS-Identifier =* ANY
|
||||||
|
|
||||||
|
# The entry for the 'brokenas' realm removes the attribute NAS-Port-Type
|
||||||
|
# if its value is different from 'Ethernet'. Then the default rules are
|
||||||
|
# applied.
|
||||||
|
#
|
||||||
|
#brokenas
|
||||||
|
# NAS-Port-Type == Ethernet
|
||||||
|
# Fall-Through = Yes
|
||||||
|
|
||||||
|
# The rest of this file contains the DEFAULT entry.
|
||||||
|
# DEFAULT matches with all realm names.
|
||||||
|
|
||||||
|
DEFAULT
|
||||||
|
User-Name =* ANY,
|
||||||
|
User-Password =* ANY,
|
||||||
|
CHAP-Password =* ANY,
|
||||||
|
CHAP-Challenge =* ANY,
|
||||||
|
MS-CHAP-Challenge =* ANY,
|
||||||
|
MS-CHAP-Response =* ANY,
|
||||||
|
EAP-Message =* ANY,
|
||||||
|
Message-Authenticator =* ANY,
|
||||||
|
State =* ANY,
|
||||||
|
NAS-IP-Address =* ANY,
|
||||||
|
NAS-Identifier =* ANY,
|
||||||
|
Operator-Name =* ANY,
|
||||||
|
Calling-Station-Id =* ANY,
|
||||||
|
Chargeable-User-Identity =* ANY,
|
||||||
|
Proxy-State =* ANY
|
27
ops/nixos/bvm-radius/raddb/mods-config/files/accounting
Normal file
27
ops/nixos/bvm-radius/raddb/mods-config/files/accounting
Normal file
|
@ -0,0 +1,27 @@
|
||||||
|
#
|
||||||
|
# $Id: eaf952a72dc9d19387af4d2056d7f7027b2435e8 $
|
||||||
|
#
|
||||||
|
# This is like the 'users' file, but it is processed only for
|
||||||
|
# accounting packets.
|
||||||
|
#
|
||||||
|
|
||||||
|
# Select between different accounting methods based for example on the
|
||||||
|
# Realm, the Huntgroup-Name or any combinaison of the attribute/value
|
||||||
|
# pairs contained in an accounting packet.
|
||||||
|
#
|
||||||
|
# You will need to add an "Acct-Type foo {...}" subsection to the
|
||||||
|
# main "accounting" section in order for these sample configurations
|
||||||
|
# to work.
|
||||||
|
#
|
||||||
|
#DEFAULT Realm == "foo.net", Acct-Type := foo
|
||||||
|
#
|
||||||
|
#DEFAULT Huntgroup-Name == "wifi", Acct-Type := wifi
|
||||||
|
#
|
||||||
|
#DEFAULT Client-IP-Address == 10.0.0.1, Acct-Type := other
|
||||||
|
#
|
||||||
|
#DEFAULT Acct-Status-Type == Start, Acct-Type := start
|
||||||
|
|
||||||
|
# Replace the User-Name with the Stripped-User-Name, if it exists.
|
||||||
|
#
|
||||||
|
#DEFAULT
|
||||||
|
# User-Name := "%{%{Stripped-User-Name}:-%{User-Name}}"
|
208
ops/nixos/bvm-radius/raddb/mods-config/files/authorize
Normal file
208
ops/nixos/bvm-radius/raddb/mods-config/files/authorize
Normal file
|
@ -0,0 +1,208 @@
|
||||||
|
#
|
||||||
|
# Configuration file for the rlm_files module.
|
||||||
|
# Please see rlm_files(5) manpage for more information.
|
||||||
|
#
|
||||||
|
# This file contains authentication security and configuration
|
||||||
|
# information for each user. Accounting requests are NOT processed
|
||||||
|
# through this file. Instead, see 'accounting', in this directory.
|
||||||
|
#
|
||||||
|
# The first field is the user's name and can be up to
|
||||||
|
# 253 characters in length. This is followed (on the same line) with
|
||||||
|
# the list of authentication requirements for that user. This can
|
||||||
|
# include password, comm server name, comm server port number, protocol
|
||||||
|
# type (perhaps set by the "hints" file), and huntgroup name (set by
|
||||||
|
# the "huntgroups" file).
|
||||||
|
#
|
||||||
|
# If you are not sure why a particular reply is being sent by the
|
||||||
|
# server, then run the server in debugging mode (radiusd -X), and
|
||||||
|
# you will see which entries in this file are matched.
|
||||||
|
#
|
||||||
|
# When an authentication request is received from the comm server,
|
||||||
|
# these values are tested. Only the first match is used unless the
|
||||||
|
# "Fall-Through" variable is set to "Yes".
|
||||||
|
#
|
||||||
|
# A special user named "DEFAULT" matches on all usernames.
|
||||||
|
# You can have several DEFAULT entries. All entries are processed
|
||||||
|
# in the order they appear in this file. The first entry that
|
||||||
|
# matches the login-request will stop processing unless you use
|
||||||
|
# the Fall-Through variable.
|
||||||
|
#
|
||||||
|
# Indented (with the tab character) lines following the first
|
||||||
|
# line indicate the configuration values to be passed back to
|
||||||
|
# the comm server to allow the initiation of a user session.
|
||||||
|
# This can include things like the PPP configuration values
|
||||||
|
# or the host to log the user onto.
|
||||||
|
#
|
||||||
|
# You can include another `users' file with `$INCLUDE users.other'
|
||||||
|
|
||||||
|
#
|
||||||
|
# For a list of RADIUS attributes, and links to their definitions,
|
||||||
|
# see: http://www.freeradius.org/rfc/attributes.html
|
||||||
|
#
|
||||||
|
# Entries below this point are examples included in the server for
|
||||||
|
# educational purposes. They may be deleted from the deployed
|
||||||
|
# configuration without impacting the operation of the server.
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# Deny access for a specific user. Note that this entry MUST
|
||||||
|
# be before any other 'Auth-Type' attribute which results in the user
|
||||||
|
# being authenticated.
|
||||||
|
#
|
||||||
|
# Note that there is NO 'Fall-Through' attribute, so the user will not
|
||||||
|
# be given any additional resources.
|
||||||
|
#
|
||||||
|
#lameuser Auth-Type := Reject
|
||||||
|
# Reply-Message = "Your account has been disabled."
|
||||||
|
|
||||||
|
#
|
||||||
|
# Deny access for a group of users.
|
||||||
|
#
|
||||||
|
# Note that there is NO 'Fall-Through' attribute, so the user will not
|
||||||
|
# be given any additional resources.
|
||||||
|
#
|
||||||
|
#DEFAULT Group == "disabled", Auth-Type := Reject
|
||||||
|
# Reply-Message = "Your account has been disabled."
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# This is a complete entry for "steve". Note that there is no Fall-Through
|
||||||
|
# entry so that no DEFAULT entry will be used, and the user will NOT
|
||||||
|
# get any attributes in addition to the ones listed here.
|
||||||
|
#
|
||||||
|
#steve Cleartext-Password := "testing"
|
||||||
|
# Service-Type = Framed-User,
|
||||||
|
# Framed-Protocol = PPP,
|
||||||
|
# Framed-IP-Address = 172.16.3.33,
|
||||||
|
# Framed-IP-Netmask = 255.255.255.0,
|
||||||
|
# Framed-Routing = Broadcast-Listen,
|
||||||
|
# Framed-Filter-Id = "std.ppp",
|
||||||
|
# Framed-MTU = 1500,
|
||||||
|
# Framed-Compression = Van-Jacobsen-TCP-IP
|
||||||
|
|
||||||
|
#
|
||||||
|
# The canonical testing user which is in most of the
|
||||||
|
# examples.
|
||||||
|
#
|
||||||
|
#bob Cleartext-Password := "hello"
|
||||||
|
# Reply-Message := "Hello, %{User-Name}"
|
||||||
|
lukegb Cleartext-Password := "{{USER_LUKEGB_PASSWORD}}"
|
||||||
|
testuser Cleartext-Password := "{{USER_TESTUSER_PASSWORD}}"
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# This is an entry for a user with a space in their name.
|
||||||
|
# Note the double quotes surrounding the name. If you have
|
||||||
|
# users with spaces in their names, you must also change
|
||||||
|
# the "filter_username" policy to allow spaces.
|
||||||
|
#
|
||||||
|
# See raddb/policy.d/filter, filter_username {} section.
|
||||||
|
#
|
||||||
|
#"John Doe" Cleartext-Password := "hello"
|
||||||
|
# Reply-Message = "Hello, %{User-Name}"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Dial user back and telnet to the default host for that port
|
||||||
|
#
|
||||||
|
#Deg Cleartext-Password := "ge55ged"
|
||||||
|
# Service-Type = Callback-Login-User,
|
||||||
|
# Login-IP-Host = 0.0.0.0,
|
||||||
|
# Callback-Number = "9,5551212",
|
||||||
|
# Login-Service = Telnet,
|
||||||
|
# Login-TCP-Port = Telnet
|
||||||
|
|
||||||
|
#
|
||||||
|
# Another complete entry. After the user "dialbk" has logged in, the
|
||||||
|
# connection will be broken and the user will be dialed back after which
|
||||||
|
# he will get a connection to the host "timeshare1".
|
||||||
|
#
|
||||||
|
#dialbk Cleartext-Password := "callme"
|
||||||
|
# Service-Type = Callback-Login-User,
|
||||||
|
# Login-IP-Host = timeshare1,
|
||||||
|
# Login-Service = PortMaster,
|
||||||
|
# Callback-Number = "9,1-800-555-1212"
|
||||||
|
|
||||||
|
#
|
||||||
|
# user "swilson" will only get a static IP number if he logs in with
|
||||||
|
# a framed protocol on a terminal server in Alphen (see the huntgroups file).
|
||||||
|
#
|
||||||
|
# Note that by setting "Fall-Through", other attributes will be added from
|
||||||
|
# the following DEFAULT entries
|
||||||
|
#
|
||||||
|
#swilson Service-Type == Framed-User, Huntgroup-Name == "alphen"
|
||||||
|
# Framed-IP-Address = 192.0.2.65,
|
||||||
|
# Fall-Through = Yes
|
||||||
|
|
||||||
|
#
|
||||||
|
# If the user logs in as 'username.shell', then authenticate them
|
||||||
|
# using the default method, give them shell access, and stop processing
|
||||||
|
# the rest of the file.
|
||||||
|
#
|
||||||
|
#DEFAULT Suffix == ".shell"
|
||||||
|
# Service-Type = Login-User,
|
||||||
|
# Login-Service = Telnet,
|
||||||
|
# Login-IP-Host = your.shell.machine
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# The rest of this file contains the several DEFAULT entries.
|
||||||
|
# DEFAULT entries match with all login names.
|
||||||
|
# Note that DEFAULT entries can also Fall-Through (see first entry).
|
||||||
|
# A name-value pair from a DEFAULT entry will _NEVER_ override
|
||||||
|
# an already existing name-value pair.
|
||||||
|
#
|
||||||
|
|
||||||
|
# Sample defaults for all framed connections.
|
||||||
|
#
|
||||||
|
#DEFAULT Service-Type == Framed-User
|
||||||
|
# Framed-IP-Address = 255.255.255.254,
|
||||||
|
# Framed-MTU = 576,
|
||||||
|
# Service-Type = Framed-User,
|
||||||
|
# Fall-Through = Yes
|
||||||
|
|
||||||
|
#
|
||||||
|
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
|
||||||
|
# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
|
||||||
|
# by the terminal server in which case there may not be a "P" suffix.
|
||||||
|
# The terminal server sends "Framed-Protocol = PPP" for auto PPP.
|
||||||
|
#
|
||||||
|
DEFAULT Framed-Protocol == PPP
|
||||||
|
Framed-Protocol = PPP,
|
||||||
|
Framed-Compression = Van-Jacobson-TCP-IP
|
||||||
|
|
||||||
|
#
|
||||||
|
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
|
||||||
|
#
|
||||||
|
DEFAULT Hint == "CSLIP"
|
||||||
|
Framed-Protocol = SLIP,
|
||||||
|
Framed-Compression = Van-Jacobson-TCP-IP
|
||||||
|
|
||||||
|
#
|
||||||
|
# Default for SLIP: dynamic IP address, SLIP mode.
|
||||||
|
#
|
||||||
|
DEFAULT Hint == "SLIP"
|
||||||
|
Framed-Protocol = SLIP
|
||||||
|
|
||||||
|
#
|
||||||
|
# Last default: rlogin to our main server.
|
||||||
|
#
|
||||||
|
#DEFAULT
|
||||||
|
# Service-Type = Login-User,
|
||||||
|
# Login-Service = Rlogin,
|
||||||
|
# Login-IP-Host = shellbox.ispdomain.com
|
||||||
|
|
||||||
|
# #
|
||||||
|
# # Last default: shell on the local terminal server.
|
||||||
|
# #
|
||||||
|
# DEFAULT
|
||||||
|
# Service-Type = Administrative-User
|
||||||
|
|
||||||
|
|
||||||
|
# On no match, the user is denied access.
|
||||||
|
|
||||||
|
|
||||||
|
#########################################################
|
||||||
|
# You should add test accounts to the TOP of this file! #
|
||||||
|
# See the example user "bob" above. #
|
||||||
|
#########################################################
|
||||||
|
|
31
ops/nixos/bvm-radius/raddb/mods-config/files/pre-proxy
Normal file
31
ops/nixos/bvm-radius/raddb/mods-config/files/pre-proxy
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
#
|
||||||
|
# Configuration file for the rlm_files module.
|
||||||
|
# Please see rlm_files(5) manpage for more information.
|
||||||
|
#
|
||||||
|
# $Id: 7292e23ea51717ee5cb50c4b9b609e91ebe4a41c $
|
||||||
|
#
|
||||||
|
# This file is similar to the "users" file. The check items
|
||||||
|
# are compared against the request, but the "reply" items are
|
||||||
|
# used to update the proxied packet, not the reply to the NAS.
|
||||||
|
#
|
||||||
|
# You can use this file to re-write requests which are about to
|
||||||
|
# be sent to a home server.
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# Requests destinated to realm "extisp" are sent to a RADIUS
|
||||||
|
# home server hosted by an other company which doesn't know about
|
||||||
|
# the IP addresses of our NASes. Therefore we replace the value of
|
||||||
|
# the NAS-IP-Address attribute by a unique value we communicated
|
||||||
|
# to them.
|
||||||
|
#
|
||||||
|
#DEFAULT Realm == "extisp"
|
||||||
|
# NAS-IP-Address := 10.1.2.3
|
||||||
|
|
||||||
|
#
|
||||||
|
# For all proxied packets, set the User-Name in the proxied packet
|
||||||
|
# to the Stripped-User-Name, if it exists. If not, set it to the
|
||||||
|
# User-Name from the original request.
|
||||||
|
#
|
||||||
|
#DEFAULT
|
||||||
|
# User-Name := `%{%{Stripped-User-Name}:-%{User-Name}}`
|
86
ops/nixos/bvm-radius/raddb/mods-config/preprocess/hints
Normal file
86
ops/nixos/bvm-radius/raddb/mods-config/preprocess/hints
Normal file
|
@ -0,0 +1,86 @@
|
||||||
|
#
|
||||||
|
# hints
|
||||||
|
#
|
||||||
|
# The hints file. This file is used to match
|
||||||
|
# a request, and then add attributes to it. This
|
||||||
|
# process allows a user to login as "bob.ppp" (for example),
|
||||||
|
# and receive a PPP connection, even if the NAS doesn't
|
||||||
|
# ask for PPP. The "hints" file is used to match the
|
||||||
|
# ".ppp" portion of the username, and to add a set of
|
||||||
|
# "user requested PPP" attributes to the request.
|
||||||
|
#
|
||||||
|
# Matching can take place with the the Prefix and Suffix
|
||||||
|
# attributes, just like in the "users" file.
|
||||||
|
# These attributes operate ONLY on the username, though.
|
||||||
|
#
|
||||||
|
# Note that the attributes that are set for each entry are
|
||||||
|
# NOT added to the reply attributes passed back to the NAS.
|
||||||
|
# Instead they are added to the list of attributes in the
|
||||||
|
# request that has been SENT by the NAS.
|
||||||
|
#
|
||||||
|
# This extra information can be used in the users file to
|
||||||
|
# match on. Usually this is done in the DEFAULT entries,
|
||||||
|
# of which there can be more than one.
|
||||||
|
#
|
||||||
|
# In addition a matching entry can transform a username
|
||||||
|
# for authentication purposes if the "Strip-User-Name"
|
||||||
|
# variable is set to Yes in an entry (default is Yes).
|
||||||
|
#
|
||||||
|
# A special non-protocol name-value pair called "Hint"
|
||||||
|
# can be set to match on in the "users" file.
|
||||||
|
#
|
||||||
|
# As with the "users" file, the first entry that matches the
|
||||||
|
# incoming request will cause the server to stop looking for
|
||||||
|
# more hints. If the "Fall-Through" attribute is set to
|
||||||
|
# "Yes" in an entry then the server will not stop, but
|
||||||
|
# continue to process further hints from the file. Matches
|
||||||
|
# on subsequent hints will be against the altered request
|
||||||
|
# from the previous hints, not against the original request.
|
||||||
|
#
|
||||||
|
# The following is how most dial-up ISPs want to set this up.
|
||||||
|
#
|
||||||
|
# Version: $Id: 84d4d78d5dc8613f6205fc2ef48f454101caaf33 $
|
||||||
|
#
|
||||||
|
|
||||||
|
|
||||||
|
DEFAULT Suffix == ".ppp", Strip-User-Name = Yes
|
||||||
|
Hint = "PPP",
|
||||||
|
Service-Type = Framed-User,
|
||||||
|
Framed-Protocol = PPP
|
||||||
|
|
||||||
|
DEFAULT Suffix == ".slip", Strip-User-Name = Yes
|
||||||
|
Hint = "SLIP",
|
||||||
|
Service-Type = Framed-User,
|
||||||
|
Framed-Protocol = SLIP
|
||||||
|
|
||||||
|
DEFAULT Suffix == ".cslip", Strip-User-Name = Yes
|
||||||
|
Hint = "CSLIP",
|
||||||
|
Service-Type = Framed-User,
|
||||||
|
Framed-Protocol = SLIP,
|
||||||
|
Framed-Compression = Van-Jacobson-TCP-IP
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# These entries are old, and commented out by default.
|
||||||
|
# They confuse too many people when "Peter" logs in, and the
|
||||||
|
# server thinks that the user "eter" is asking for PPP.
|
||||||
|
#
|
||||||
|
#DEFAULT Prefix == "U", Strip-User-Name = No
|
||||||
|
# Hint = "UUCP"
|
||||||
|
|
||||||
|
#DEFAULT Prefix == "P", Strip-User-Name = Yes
|
||||||
|
# Hint = "PPP",
|
||||||
|
# Service-Type = Framed-User,
|
||||||
|
# Framed-Protocol = PPP
|
||||||
|
|
||||||
|
#DEFAULT Prefix == "S", Strip-User-Name = Yes
|
||||||
|
# Hint = "SLIP",
|
||||||
|
# Service-Type = Framed-User,
|
||||||
|
# Framed-Protocol = SLIP
|
||||||
|
|
||||||
|
#DEFAULT Prefix == "C", Strip-User-Name = Yes
|
||||||
|
# Hint = "CSLIP",
|
||||||
|
# Service-Type = Framed-User,
|
||||||
|
# Framed-Protocol = SLIP,
|
||||||
|
# Framed-Compression = Van-Jacobson-TCP-IP
|
||||||
|
|
43
ops/nixos/bvm-radius/raddb/mods-config/preprocess/huntgroups
Normal file
43
ops/nixos/bvm-radius/raddb/mods-config/preprocess/huntgroups
Normal file
|
@ -0,0 +1,43 @@
|
||||||
|
#
|
||||||
|
# huntgroups This file defines the `huntgroups' that you have. A
|
||||||
|
# huntgroup is defined by specifying the IP address of
|
||||||
|
# the NAS and possibly a port.
|
||||||
|
#
|
||||||
|
# Matching is done while RADIUS scans the user file; if it
|
||||||
|
# includes the selection criteria "Huntgroup-Name == XXX"
|
||||||
|
# the huntgroup is looked up in this file to see if it
|
||||||
|
# matches. There can be multiple definitions of the same
|
||||||
|
# huntgroup; the first one that matches will be used.
|
||||||
|
#
|
||||||
|
# This file can also be used to define restricted access
|
||||||
|
# to certain huntgroups. The second and following lines
|
||||||
|
# define the access restrictions (based on username and
|
||||||
|
# UNIX usergroup) for the huntgroup.
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# Our POP in Alphen a/d Rijn has 3 terminal servers. Create a Huntgroup-Name
|
||||||
|
# called Alphen that matches on all three terminal servers.
|
||||||
|
#
|
||||||
|
#alphen NAS-IP-Address == 192.0.2.5
|
||||||
|
#alphen NAS-IP-Address == 192.0.2.6
|
||||||
|
#alphen NAS-IP-Address == 192.0.2.7
|
||||||
|
|
||||||
|
#
|
||||||
|
# The POP in Delft consists of only one terminal server.
|
||||||
|
#
|
||||||
|
#delft NAS-IP-Address == 198.51.100.5
|
||||||
|
|
||||||
|
#
|
||||||
|
# Port 0 on the first terminal server in Alphen are connected to
|
||||||
|
# a huntgroup that is for business users only. Note that only one
|
||||||
|
# of the username or groupname has to match to get access (OR/OR).
|
||||||
|
#
|
||||||
|
# Note that this huntgroup is a subset of the "alphen" huntgroup.
|
||||||
|
#
|
||||||
|
#business NAS-IP-Address == 198.51.100.5, NAS-Port-Id == 0
|
||||||
|
# User-Name == rogerl,
|
||||||
|
# User-Name == henks,
|
||||||
|
# Group == business,
|
||||||
|
# Group == staff
|
||||||
|
|
1
ops/nixos/bvm-radius/raddb/mods-enabled/always
Symbolic link
1
ops/nixos/bvm-radius/raddb/mods-enabled/always
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../mods-available/always
|
1
ops/nixos/bvm-radius/raddb/mods-enabled/attr_filter
Symbolic link
1
ops/nixos/bvm-radius/raddb/mods-enabled/attr_filter
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../mods-available/attr_filter
|
1
ops/nixos/bvm-radius/raddb/mods-enabled/cache_eap
Symbolic link
1
ops/nixos/bvm-radius/raddb/mods-enabled/cache_eap
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../mods-available/cache_eap
|
1
ops/nixos/bvm-radius/raddb/mods-enabled/chap
Symbolic link
1
ops/nixos/bvm-radius/raddb/mods-enabled/chap
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../mods-available/chap
|
1
ops/nixos/bvm-radius/raddb/mods-enabled/date
Symbolic link
1
ops/nixos/bvm-radius/raddb/mods-enabled/date
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../mods-available/date
|
1
ops/nixos/bvm-radius/raddb/mods-enabled/detail
Symbolic link
1
ops/nixos/bvm-radius/raddb/mods-enabled/detail
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../mods-available/detail
|
1
ops/nixos/bvm-radius/raddb/mods-enabled/detail.log
Symbolic link
1
ops/nixos/bvm-radius/raddb/mods-enabled/detail.log
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../mods-available/detail.log
|
1
ops/nixos/bvm-radius/raddb/mods-enabled/digest
Symbolic link
1
ops/nixos/bvm-radius/raddb/mods-enabled/digest
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../mods-available/digest
|
1
ops/nixos/bvm-radius/raddb/mods-enabled/dynamic_clients
Symbolic link
1
ops/nixos/bvm-radius/raddb/mods-enabled/dynamic_clients
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../mods-available/dynamic_clients
|
1
ops/nixos/bvm-radius/raddb/mods-enabled/eap-custom
Symbolic link
1
ops/nixos/bvm-radius/raddb/mods-enabled/eap-custom
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../mods-available/eap-custom
|
1
ops/nixos/bvm-radius/raddb/mods-enabled/echo
Symbolic link
1
ops/nixos/bvm-radius/raddb/mods-enabled/echo
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../mods-available/echo
|
1
ops/nixos/bvm-radius/raddb/mods-enabled/exec
Symbolic link
1
ops/nixos/bvm-radius/raddb/mods-enabled/exec
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../mods-available/exec
|
1
ops/nixos/bvm-radius/raddb/mods-enabled/expiration
Symbolic link
1
ops/nixos/bvm-radius/raddb/mods-enabled/expiration
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../mods-available/expiration
|
1
ops/nixos/bvm-radius/raddb/mods-enabled/expr
Symbolic link
1
ops/nixos/bvm-radius/raddb/mods-enabled/expr
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../mods-available/expr
|
1
ops/nixos/bvm-radius/raddb/mods-enabled/files
Symbolic link
1
ops/nixos/bvm-radius/raddb/mods-enabled/files
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../mods-available/files
|
1
ops/nixos/bvm-radius/raddb/mods-enabled/inner-eap-eduroam
Symbolic link
1
ops/nixos/bvm-radius/raddb/mods-enabled/inner-eap-eduroam
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../mods-available/inner-eap-eduroam
|
1
ops/nixos/bvm-radius/raddb/mods-enabled/linelog-eduroam
Symbolic link
1
ops/nixos/bvm-radius/raddb/mods-enabled/linelog-eduroam
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../mods-available/linelog-eduroam
|
1
ops/nixos/bvm-radius/raddb/mods-enabled/logintime
Symbolic link
1
ops/nixos/bvm-radius/raddb/mods-enabled/logintime
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../mods-available/logintime
|
1
ops/nixos/bvm-radius/raddb/mods-enabled/mschap
Symbolic link
1
ops/nixos/bvm-radius/raddb/mods-enabled/mschap
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../mods-available/mschap
|
1
ops/nixos/bvm-radius/raddb/mods-enabled/ntlm_auth
Symbolic link
1
ops/nixos/bvm-radius/raddb/mods-enabled/ntlm_auth
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../mods-available/ntlm_auth
|
1
ops/nixos/bvm-radius/raddb/mods-enabled/pap
Symbolic link
1
ops/nixos/bvm-radius/raddb/mods-enabled/pap
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../mods-available/pap
|
1
ops/nixos/bvm-radius/raddb/mods-enabled/passwd
Symbolic link
1
ops/nixos/bvm-radius/raddb/mods-enabled/passwd
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../mods-available/passwd
|
1
ops/nixos/bvm-radius/raddb/mods-enabled/preprocess
Symbolic link
1
ops/nixos/bvm-radius/raddb/mods-enabled/preprocess
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../mods-available/preprocess
|
1
ops/nixos/bvm-radius/raddb/mods-enabled/radutmp
Symbolic link
1
ops/nixos/bvm-radius/raddb/mods-enabled/radutmp
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../mods-available/radutmp
|
1
ops/nixos/bvm-radius/raddb/mods-enabled/realm
Symbolic link
1
ops/nixos/bvm-radius/raddb/mods-enabled/realm
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../mods-available/realm
|
1
ops/nixos/bvm-radius/raddb/mods-enabled/replicate
Symbolic link
1
ops/nixos/bvm-radius/raddb/mods-enabled/replicate
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../mods-available/replicate
|
1
ops/nixos/bvm-radius/raddb/mods-enabled/soh
Symbolic link
1
ops/nixos/bvm-radius/raddb/mods-enabled/soh
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../mods-available/soh
|
1
ops/nixos/bvm-radius/raddb/mods-enabled/sradutmp
Symbolic link
1
ops/nixos/bvm-radius/raddb/mods-enabled/sradutmp
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../mods-available/sradutmp
|
1
ops/nixos/bvm-radius/raddb/mods-enabled/unix
Symbolic link
1
ops/nixos/bvm-radius/raddb/mods-enabled/unix
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../mods-available/unix
|
1
ops/nixos/bvm-radius/raddb/mods-enabled/unpack
Symbolic link
1
ops/nixos/bvm-radius/raddb/mods-enabled/unpack
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../mods-available/unpack
|
1
ops/nixos/bvm-radius/raddb/mods-enabled/utf8
Symbolic link
1
ops/nixos/bvm-radius/raddb/mods-enabled/utf8
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../mods-available/utf8
|
113
ops/nixos/bvm-radius/raddb/policy.d/canonicalization
Normal file
113
ops/nixos/bvm-radius/raddb/policy.d/canonicalization
Normal file
|
@ -0,0 +1,113 @@
|
||||||
|
#
|
||||||
|
# Split User-Name in NAI format (RFC 4282) into components
|
||||||
|
#
|
||||||
|
# This policy writes the Username and Domain portions of the
|
||||||
|
# NAI into the Stripped-User-Name and Stripped-User-Domain
|
||||||
|
# attributes.
|
||||||
|
#
|
||||||
|
# The regular expression to do this is not strictly compliant
|
||||||
|
# with the standard, but it is not possible to write a
|
||||||
|
# compliant regexp without perl style regular expressions (or
|
||||||
|
# at least not a legible one).
|
||||||
|
#
|
||||||
|
nai_regexp = '^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$'
|
||||||
|
|
||||||
|
split_username_nai {
|
||||||
|
if (&User-Name && (&User-Name =~ /${policy.nai_regexp}/)) {
|
||||||
|
update request {
|
||||||
|
&Stripped-User-Name := "%{1}"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Only add the Stripped-User-Domain attribute if
|
||||||
|
# we have a domain. This means presence checks
|
||||||
|
# for Stripped-User-Domain work.
|
||||||
|
if ("%{3}" != '') {
|
||||||
|
update request {
|
||||||
|
&Stripped-User-Domain = "%{3}"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# If any of the expansions result in a null
|
||||||
|
# string, the update section may return
|
||||||
|
# something other than updated...
|
||||||
|
updated
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
noop
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# If called in post-proxy we modify the proxy-reply message
|
||||||
|
#
|
||||||
|
split_username_nai.post-proxy {
|
||||||
|
if (&proxy-reply:User-Name && (&proxy-reply:User-Name =~ /${policy.nai_regexp}/)) {
|
||||||
|
update proxy-reply {
|
||||||
|
&Stripped-User-Name := "%{1}"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Only add the Stripped-User-Domain attribute if
|
||||||
|
# we have a domain. This means presence checks
|
||||||
|
# for Stripped-User-Domain work.
|
||||||
|
if ("%{3}" != '') {
|
||||||
|
update proxy-reply {
|
||||||
|
&Stripped-User-Domain = "%{3}"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
updated
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
noop
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Normalize the MAC Addresses in the Calling/Called-Station-Id
|
||||||
|
#
|
||||||
|
mac-addr-regexp = '([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})'
|
||||||
|
|
||||||
|
#
|
||||||
|
# Add "rewrite_called_station_id" in the "authorize" and
|
||||||
|
# "preacct" sections.
|
||||||
|
#
|
||||||
|
# Makes Called-Station-ID conform to what RFC3580 says should
|
||||||
|
# be provided by 802.1X authenticators.
|
||||||
|
#
|
||||||
|
rewrite_called_station_id {
|
||||||
|
if (&Called-Station-Id && (&Called-Station-Id =~ /^${policy.mac-addr-regexp}([^0-9a-f](.+))?$/i)) {
|
||||||
|
update request {
|
||||||
|
&Called-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
|
||||||
|
}
|
||||||
|
|
||||||
|
# SSID component?
|
||||||
|
if ("%{8}") {
|
||||||
|
update request {
|
||||||
|
&Called-Station-SSID := "%{8}"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
updated
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
noop
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Add "rewrite_calling_station_id" in the "authorize" and
|
||||||
|
# "preacct" sections.
|
||||||
|
#
|
||||||
|
# Makes Calling-Station-ID conform to what RFC3580 says should
|
||||||
|
# be provided by 802.1X authenticators.
|
||||||
|
#
|
||||||
|
rewrite_calling_station_id {
|
||||||
|
if (&Calling-Station-Id && (&Calling-Station-Id =~ /^${policy.mac-addr-regexp}$/i)) {
|
||||||
|
update request {
|
||||||
|
&Calling-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
|
||||||
|
}
|
||||||
|
updated
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
noop
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
28
ops/nixos/bvm-radius/raddb/proxy.conf
Normal file
28
ops/nixos/bvm-radius/raddb/proxy.conf
Normal file
|
@ -0,0 +1,28 @@
|
||||||
|
home_server eduroam_flr_server_1 {
|
||||||
|
# roaming0.ja.net
|
||||||
|
ipv6addr = 2001:630:1:128::185
|
||||||
|
secret = {{JANET_ROAMING0_SECRET}}
|
||||||
|
status_check = status-server
|
||||||
|
response_window = 5
|
||||||
|
check_interval = 10
|
||||||
|
check_timeout = 5
|
||||||
|
}
|
||||||
|
home_server eduroam_flr_server_2 {
|
||||||
|
# roaming1.ja.net
|
||||||
|
ipv6addr = 2001:630:1:12a::233
|
||||||
|
secret = {{JANET_ROAMING1_SECRET}}
|
||||||
|
status_check = status-server
|
||||||
|
response_window = 5
|
||||||
|
check_interval = 10
|
||||||
|
check_timeout = 5
|
||||||
|
}
|
||||||
|
|
||||||
|
home_server_pool eduroam_flr_pool {
|
||||||
|
type = keyed-balance
|
||||||
|
home_server = eduroam_flr_server_1
|
||||||
|
home_server = eduroam_flr_server_2
|
||||||
|
}
|
||||||
|
realm eduroam_flr {
|
||||||
|
auth_pool = eduroam_flr_pool
|
||||||
|
nostrip
|
||||||
|
}
|
902
ops/nixos/bvm-radius/raddb/radiusd.conf
Normal file
902
ops/nixos/bvm-radius/raddb/radiusd.conf
Normal file
|
@ -0,0 +1,902 @@
|
||||||
|
# -*- text -*-
|
||||||
|
##
|
||||||
|
## radiusd.conf -- FreeRADIUS server configuration file - 3.0.21
|
||||||
|
##
|
||||||
|
## http://www.freeradius.org/
|
||||||
|
## $Id: e8aee3c00193127177cd65e31156c1d0f4b124d3 $
|
||||||
|
##
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# The format of this (and other) configuration file is
|
||||||
|
# documented in "man unlang". There are also READMEs in many
|
||||||
|
# subdirectories:
|
||||||
|
#
|
||||||
|
# raddb/README.rst
|
||||||
|
# How to upgrade from v2.
|
||||||
|
#
|
||||||
|
# raddb/mods-available/README.rst
|
||||||
|
# How to use mods-available / mods-enabled.
|
||||||
|
# All of the modules are in individual files,
|
||||||
|
# along with configuration items and full documentation.
|
||||||
|
#
|
||||||
|
# raddb/sites-available/README
|
||||||
|
# virtual servers, "listen" sections, clients, etc.
|
||||||
|
# The "sites-available" directory contains many
|
||||||
|
# worked examples of common configurations.
|
||||||
|
#
|
||||||
|
# raddb/certs/README
|
||||||
|
# How to create certificates for EAP or RadSec.
|
||||||
|
#
|
||||||
|
# Every configuration item in the server is documented
|
||||||
|
# extensively in the comments in the example configuration
|
||||||
|
# files.
|
||||||
|
#
|
||||||
|
# Before editing this (or any other) configuration file, PLEASE
|
||||||
|
# read "man radiusd". See the section titled DEBUGGING. It
|
||||||
|
# outlines a method where you can quickly create the
|
||||||
|
# configuration you want, with minimal effort.
|
||||||
|
#
|
||||||
|
# Run the server in debugging mode, and READ the output.
|
||||||
|
#
|
||||||
|
# $ radiusd -X
|
||||||
|
#
|
||||||
|
# We cannot emphasize this point strongly enough. The vast
|
||||||
|
# majority of problems can be solved by carefully reading the
|
||||||
|
# debugging output, which includes warnings about common issues,
|
||||||
|
# and suggestions for how they may be fixed.
|
||||||
|
#
|
||||||
|
# There may be a lot of output, but look carefully for words like:
|
||||||
|
# "warning", "error", "reject", or "failure". The messages there
|
||||||
|
# will usually be enough to guide you to a solution.
|
||||||
|
#
|
||||||
|
# More documentation on "radiusd -X" is available on the wiki:
|
||||||
|
# https://wiki.freeradius.org/radiusd-X
|
||||||
|
#
|
||||||
|
# If you are going to ask a question on the mailing list, then
|
||||||
|
# explain what you are trying to do, and include the output from
|
||||||
|
# debugging mode (radiusd -X). Failure to do so means that all
|
||||||
|
# of the responses to your question will be people telling you
|
||||||
|
# to "post the output of radiusd -X".
|
||||||
|
#
|
||||||
|
# Guidelines for posting to the mailing list are on the wiki:
|
||||||
|
# https://wiki.freeradius.org/list-help
|
||||||
|
#
|
||||||
|
# Please read those guidelines before posting to the list.
|
||||||
|
#
|
||||||
|
# Further documentation is available in the "doc" directory
|
||||||
|
# of the server distribution, or on the wiki at:
|
||||||
|
# https://wiki.freeradius.org/
|
||||||
|
#
|
||||||
|
# New users to RADIUS should read the Technical Guide. That guide
|
||||||
|
# explains how RADIUS works, how FreeRADIUS works, and what each
|
||||||
|
# part of a RADIUS system does. It is not just "configure FreeRADIUS"!
|
||||||
|
# https://networkradius.com/doc/FreeRADIUS-Technical-Guide.pdf
|
||||||
|
#
|
||||||
|
# More documentation on dictionaries, modules, unlang, etc. is also
|
||||||
|
# available on the Network RADIUS web site:
|
||||||
|
# https://networkradius.com/freeradius-documentation/
|
||||||
|
#
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
prefix = {{FREERADIUS_LOC}}
|
||||||
|
exec_prefix = ${prefix}
|
||||||
|
sysconfdir = /etc
|
||||||
|
localstatedir = /var
|
||||||
|
sbindir = ${prefix}/sbin
|
||||||
|
logdir = ${localstatedir}/log/radius
|
||||||
|
raddbdir = ${sysconfdir}/raddb
|
||||||
|
radacctdir = ${logdir}/radacct
|
||||||
|
|
||||||
|
#
|
||||||
|
# name of the running server. See also the "-n" command-line option.
|
||||||
|
name = radiusd
|
||||||
|
|
||||||
|
# Location of config and logfiles.
|
||||||
|
confdir = ${raddbdir}
|
||||||
|
modconfdir = ${confdir}/mods-config
|
||||||
|
certdir = ${confdir}/certs
|
||||||
|
cadir = ${confdir}/certs
|
||||||
|
run_dir = ${localstatedir}/run/${name}
|
||||||
|
|
||||||
|
# Should likely be ${localstatedir}/lib/radiusd
|
||||||
|
db_dir = ${raddbdir}
|
||||||
|
|
||||||
|
#
|
||||||
|
# libdir: Where to find the rlm_* modules.
|
||||||
|
#
|
||||||
|
# This should be automatically set at configuration time.
|
||||||
|
#
|
||||||
|
# If the server builds and installs, but fails at execution time
|
||||||
|
# with an 'undefined symbol' error, then you can use the libdir
|
||||||
|
# directive to work around the problem.
|
||||||
|
#
|
||||||
|
# The cause is usually that a library has been installed on your
|
||||||
|
# system in a place where the dynamic linker CANNOT find it. When
|
||||||
|
# executing as root (or another user), your personal environment MAY
|
||||||
|
# be set up to allow the dynamic linker to find the library. When
|
||||||
|
# executing as a daemon, FreeRADIUS MAY NOT have the same
|
||||||
|
# personalized configuration.
|
||||||
|
#
|
||||||
|
# To work around the problem, find out which library contains that symbol,
|
||||||
|
# and add the directory containing that library to the end of 'libdir',
|
||||||
|
# with a colon separating the directory names. NO spaces are allowed.
|
||||||
|
#
|
||||||
|
# e.g. libdir = /usr/local/lib:/opt/package/lib
|
||||||
|
#
|
||||||
|
# You can also try setting the LD_LIBRARY_PATH environment variable
|
||||||
|
# in a script which starts the server.
|
||||||
|
#
|
||||||
|
# If that does not work, then you can re-configure and re-build the
|
||||||
|
# server to NOT use shared libraries, via:
|
||||||
|
#
|
||||||
|
# ./configure --disable-shared
|
||||||
|
# make
|
||||||
|
# make install
|
||||||
|
#
|
||||||
|
libdir = ${prefix}/lib
|
||||||
|
|
||||||
|
# pidfile: Where to place the PID of the RADIUS server.
|
||||||
|
#
|
||||||
|
# The server may be signalled while it's running by using this
|
||||||
|
# file.
|
||||||
|
#
|
||||||
|
# This file is written when ONLY running in daemon mode.
|
||||||
|
#
|
||||||
|
# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
|
||||||
|
#
|
||||||
|
pidfile = ${run_dir}/${name}.pid
|
||||||
|
|
||||||
|
#
|
||||||
|
# correct_escapes: use correct backslash escaping
|
||||||
|
#
|
||||||
|
# Prior to version 3.0.5, the handling of backslashes was a little
|
||||||
|
# awkward, i.e. "wrong". In some cases, to get one backslash into
|
||||||
|
# a regex, you had to put 4 in the config files.
|
||||||
|
#
|
||||||
|
# Version 3.0.5 fixes that. However, for backwards compatibility,
|
||||||
|
# the new method of escaping is DISABLED BY DEFAULT. This means
|
||||||
|
# that upgrading to 3.0.5 won't break your configuration.
|
||||||
|
#
|
||||||
|
# If you don't have double backslashes (i.e. \\) in your configuration,
|
||||||
|
# this won't matter to you. If you do have them, fix that to use only
|
||||||
|
# one backslash, and then set "correct_escapes = true".
|
||||||
|
#
|
||||||
|
# You can check for this by doing:
|
||||||
|
#
|
||||||
|
# $ grep '\\\\' $(find raddb -type f -print)
|
||||||
|
#
|
||||||
|
correct_escapes = true
|
||||||
|
|
||||||
|
# panic_action: Command to execute if the server dies unexpectedly.
|
||||||
|
#
|
||||||
|
# FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.
|
||||||
|
# AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.
|
||||||
|
# AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART.
|
||||||
|
#
|
||||||
|
# THE SERVER MUST NOT BE ALLOWED EXECUTE UNTRUSTED PANIC ACTION CODE
|
||||||
|
# PATTACH CAN BE USED AS AN ATTACK VECTOR.
|
||||||
|
#
|
||||||
|
# The panic action is a command which will be executed if the server
|
||||||
|
# receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS,
|
||||||
|
# SIGABRT or SIGFPE.
|
||||||
|
#
|
||||||
|
# This can be used to start an interactive debugging session so
|
||||||
|
# that information regarding the current state of the server can
|
||||||
|
# be acquired.
|
||||||
|
#
|
||||||
|
# The following string substitutions are available:
|
||||||
|
# - %e The currently executing program e.g. /sbin/radiusd
|
||||||
|
# - %p The PID of the currently executing program e.g. 12345
|
||||||
|
#
|
||||||
|
# Standard ${} substitutions are also allowed.
|
||||||
|
#
|
||||||
|
# An example panic action for opening an interactive session in GDB would be:
|
||||||
|
#
|
||||||
|
#panic_action = "gdb %e %p"
|
||||||
|
#
|
||||||
|
# Again, don't use that on a production system.
|
||||||
|
#
|
||||||
|
# An example panic action for opening an automated session in GDB would be:
|
||||||
|
#
|
||||||
|
#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log"
|
||||||
|
#
|
||||||
|
# That command can be used on a production system.
|
||||||
|
#
|
||||||
|
|
||||||
|
# max_request_time: The maximum time (in seconds) to handle a request.
|
||||||
|
#
|
||||||
|
# Requests which take more time than this to process may be killed, and
|
||||||
|
# a REJECT message is returned.
|
||||||
|
#
|
||||||
|
# WARNING: If you notice that requests take a long time to be handled,
|
||||||
|
# then this MAY INDICATE a bug in the server, in one of the modules
|
||||||
|
# used to handle a request, OR in your local configuration.
|
||||||
|
#
|
||||||
|
# This problem is most often seen when using an SQL database. If it takes
|
||||||
|
# more than a second or two to receive an answer from the SQL database,
|
||||||
|
# then it probably means that you haven't indexed the database. See your
|
||||||
|
# SQL server documentation for more information.
|
||||||
|
#
|
||||||
|
# Useful range of values: 5 to 120
|
||||||
|
#
|
||||||
|
max_request_time = 30
|
||||||
|
|
||||||
|
# cleanup_delay: The time to wait (in seconds) before cleaning up
|
||||||
|
# a reply which was sent to the NAS.
|
||||||
|
#
|
||||||
|
# The RADIUS request is normally cached internally for a short period
|
||||||
|
# of time, after the reply is sent to the NAS. The reply packet may be
|
||||||
|
# lost in the network, and the NAS will not see it. The NAS will then
|
||||||
|
# re-send the request, and the server will respond quickly with the
|
||||||
|
# cached reply.
|
||||||
|
#
|
||||||
|
# If this value is set too low, then duplicate requests from the NAS
|
||||||
|
# MAY NOT be detected, and will instead be handled as separate requests.
|
||||||
|
#
|
||||||
|
# If this value is set too high, then the server will cache too many
|
||||||
|
# requests, and some new requests may get blocked. (See 'max_requests'.)
|
||||||
|
#
|
||||||
|
# Useful range of values: 2 to 30
|
||||||
|
#
|
||||||
|
cleanup_delay = 5
|
||||||
|
|
||||||
|
# max_requests: The maximum number of requests which the server keeps
|
||||||
|
# track of. This should be 256 multiplied by the number of clients.
|
||||||
|
# e.g. With 4 clients, this number should be 1024.
|
||||||
|
#
|
||||||
|
# If this number is too low, then when the server becomes busy,
|
||||||
|
# it will not respond to any new requests, until the 'cleanup_delay'
|
||||||
|
# time has passed, and it has removed the old requests.
|
||||||
|
#
|
||||||
|
# If this number is set too high, then the server will use a bit more
|
||||||
|
# memory for no real benefit.
|
||||||
|
#
|
||||||
|
# If you aren't sure what it should be set to, it's better to set it
|
||||||
|
# too high than too low. Setting it to 1000 per client is probably
|
||||||
|
# the highest it should be.
|
||||||
|
#
|
||||||
|
# Useful range of values: 256 to infinity
|
||||||
|
#
|
||||||
|
max_requests = 16384
|
||||||
|
|
||||||
|
# hostname_lookups: Log the names of clients or just their IP addresses
|
||||||
|
# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
|
||||||
|
#
|
||||||
|
# The default is 'off' because it would be overall better for the net
|
||||||
|
# if people had to knowingly turn this feature on, since enabling it
|
||||||
|
# means that each client request will result in AT LEAST one lookup
|
||||||
|
# request to the nameserver. Enabling hostname_lookups will also
|
||||||
|
# mean that your server may stop randomly for 30 seconds from time
|
||||||
|
# to time, if the DNS requests take too long.
|
||||||
|
#
|
||||||
|
# Turning hostname lookups off also means that the server won't block
|
||||||
|
# for 30 seconds, if it sees an IP address which has no name associated
|
||||||
|
# with it.
|
||||||
|
#
|
||||||
|
# allowed values: {no, yes}
|
||||||
|
#
|
||||||
|
hostname_lookups = no
|
||||||
|
|
||||||
|
#
|
||||||
|
# Logging section. The various "log_*" configuration items
|
||||||
|
# will eventually be moved here.
|
||||||
|
#
|
||||||
|
log {
|
||||||
|
#
|
||||||
|
# Destination for log messages. This can be one of:
|
||||||
|
#
|
||||||
|
# files - log to "file", as defined below.
|
||||||
|
# syslog - to syslog (see also the "syslog_facility", below.
|
||||||
|
# stdout - standard output
|
||||||
|
# stderr - standard error.
|
||||||
|
#
|
||||||
|
# The command-line option "-X" over-rides this option, and forces
|
||||||
|
# logging to go to stdout.
|
||||||
|
#
|
||||||
|
destination = files
|
||||||
|
|
||||||
|
#
|
||||||
|
# Highlight important messages sent to stderr and stdout.
|
||||||
|
#
|
||||||
|
# Option will be ignored (disabled) if output if TERM is not
|
||||||
|
# an xterm or output is not to a TTY.
|
||||||
|
#
|
||||||
|
colourise = yes
|
||||||
|
|
||||||
|
#
|
||||||
|
# The logging messages for the server are appended to the
|
||||||
|
# tail of this file if destination == "files"
|
||||||
|
#
|
||||||
|
# If the server is running in debugging mode, this file is
|
||||||
|
# NOT used.
|
||||||
|
#
|
||||||
|
file = ${logdir}/radius.log
|
||||||
|
|
||||||
|
#
|
||||||
|
# Which syslog facility to use, if ${destination} == "syslog"
|
||||||
|
#
|
||||||
|
# The exact values permitted here are OS-dependent. You probably
|
||||||
|
# don't want to change this.
|
||||||
|
#
|
||||||
|
syslog_facility = daemon
|
||||||
|
|
||||||
|
# Log the full User-Name attribute, as it was found in the request.
|
||||||
|
#
|
||||||
|
# allowed values: {no, yes}
|
||||||
|
#
|
||||||
|
stripped_names = no
|
||||||
|
|
||||||
|
# Log all (accept and reject) authentication results to the log file.
|
||||||
|
#
|
||||||
|
# This is the same as setting "auth_accept = yes" and
|
||||||
|
# "auth_reject = yes"
|
||||||
|
#
|
||||||
|
# allowed values: {no, yes}
|
||||||
|
#
|
||||||
|
auth = no
|
||||||
|
|
||||||
|
# Log Access-Accept results to the log file.
|
||||||
|
#
|
||||||
|
# This is only used if "auth = no"
|
||||||
|
#
|
||||||
|
# allowed values: {no, yes}
|
||||||
|
#
|
||||||
|
# auth_accept = no
|
||||||
|
|
||||||
|
# Log Access-Reject results to the log file.
|
||||||
|
#
|
||||||
|
# This is only used if "auth = no"
|
||||||
|
#
|
||||||
|
# allowed values: {no, yes}
|
||||||
|
#
|
||||||
|
# auth_reject = no
|
||||||
|
|
||||||
|
# Log passwords with the authentication requests.
|
||||||
|
# auth_badpass - logs password if it's rejected
|
||||||
|
# auth_goodpass - logs password if it's correct
|
||||||
|
#
|
||||||
|
# allowed values: {no, yes}
|
||||||
|
#
|
||||||
|
auth_badpass = no
|
||||||
|
auth_goodpass = no
|
||||||
|
|
||||||
|
# Log additional text at the end of the "Login OK" messages.
|
||||||
|
# for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
|
||||||
|
# configurations above have to be set to "yes".
|
||||||
|
#
|
||||||
|
# The strings below are dynamically expanded, which means that
|
||||||
|
# you can put anything you want in them. However, note that
|
||||||
|
# this expansion can be slow, and can negatively impact server
|
||||||
|
# performance.
|
||||||
|
#
|
||||||
|
# msg_goodpass = ""
|
||||||
|
# msg_badpass = ""
|
||||||
|
|
||||||
|
# The message when the user exceeds the Simultaneous-Use limit.
|
||||||
|
#
|
||||||
|
msg_denied = "You are already logged in - access denied"
|
||||||
|
}
|
||||||
|
|
||||||
|
# The program to execute to do concurrency checks.
|
||||||
|
checkrad = ${sbindir}/checkrad
|
||||||
|
|
||||||
|
#
|
||||||
|
# ENVIRONMENT VARIABLES
|
||||||
|
#
|
||||||
|
# You can reference environment variables using an expansion like
|
||||||
|
# `$ENV{PATH}`. However it is sometimes useful to be able to also set
|
||||||
|
# environment variables. This section lets you do that.
|
||||||
|
#
|
||||||
|
# The main purpose of this section is to allow administrators to keep
|
||||||
|
# RADIUS-specific configuration in the RADIUS configuration files.
|
||||||
|
# For example, if you need to set an environment variable which is
|
||||||
|
# used by a module. You could put that variable into a shell script,
|
||||||
|
# but that's awkward. Instead, just list it here.
|
||||||
|
#
|
||||||
|
# Note that these environment variables are set AFTER the
|
||||||
|
# configuration file is loaded. So you cannot set FOO here, and
|
||||||
|
# expect to reference it via `$ENV{FOO}` in another configuration file.
|
||||||
|
# You should instead just use a normal configuration variable for
|
||||||
|
# that.
|
||||||
|
#
|
||||||
|
ENV {
|
||||||
|
#
|
||||||
|
# Set environment varable `FOO` to value '/bar/baz'.
|
||||||
|
#
|
||||||
|
# NOTE: Note that you MUST use '='. You CANNOT use '+=' to append
|
||||||
|
# values.
|
||||||
|
#
|
||||||
|
# FOO = '/bar/baz'
|
||||||
|
|
||||||
|
#
|
||||||
|
# Delete environment variable `BAR`.
|
||||||
|
#
|
||||||
|
# BAR
|
||||||
|
|
||||||
|
#
|
||||||
|
# `LD_PRELOAD` is special. It is normally set before the
|
||||||
|
# application runs, and is interpreted by the dynamic linker.
|
||||||
|
# Which means you cannot set it inside of an application, and
|
||||||
|
# expect it to load libraries.
|
||||||
|
#
|
||||||
|
# Since this functionality is useful, we extend it here.
|
||||||
|
#
|
||||||
|
# You can set
|
||||||
|
#
|
||||||
|
# LD_PRELOAD = /path/to/library.so
|
||||||
|
#
|
||||||
|
# and the server will load the named libraries. Multiple
|
||||||
|
# libraries can be loaded by specificing multiple individual
|
||||||
|
# `LD_PRELOAD` entries.
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# LD_PRELOAD = /path/to/library1.so
|
||||||
|
# LD_PRELOAD = /path/to/library2.so
|
||||||
|
}
|
||||||
|
|
||||||
|
# SECURITY CONFIGURATION
|
||||||
|
#
|
||||||
|
# There may be multiple methods of attacking on the server. This
|
||||||
|
# section holds the configuration items which minimize the impact
|
||||||
|
# of those attacks
|
||||||
|
#
|
||||||
|
security {
|
||||||
|
# chroot: directory where the server does "chroot".
|
||||||
|
#
|
||||||
|
# The chroot is done very early in the process of starting
|
||||||
|
# the server. After the chroot has been performed it
|
||||||
|
# switches to the "user" listed below (which MUST be
|
||||||
|
# specified). If "group" is specified, it switches to that
|
||||||
|
# group, too. Any other groups listed for the specified
|
||||||
|
# "user" in "/etc/group" are also added as part of this
|
||||||
|
# process.
|
||||||
|
#
|
||||||
|
# The current working directory (chdir / cd) is left
|
||||||
|
# *outside* of the chroot until all of the modules have been
|
||||||
|
# initialized. This allows the "raddb" directory to be left
|
||||||
|
# outside of the chroot. Once the modules have been
|
||||||
|
# initialized, it does a "chdir" to ${logdir}. This means
|
||||||
|
# that it should be impossible to break out of the chroot.
|
||||||
|
#
|
||||||
|
# If you are worried about security issues related to this
|
||||||
|
# use of chdir, then simply ensure that the "raddb" directory
|
||||||
|
# is inside of the chroot, end be sure to do "cd raddb"
|
||||||
|
# BEFORE starting the server.
|
||||||
|
#
|
||||||
|
# If the server is statically linked, then the only files
|
||||||
|
# that have to exist in the chroot are ${run_dir} and
|
||||||
|
# ${logdir}. If you do the "cd raddb" as discussed above,
|
||||||
|
# then the "raddb" directory has to be inside of the chroot
|
||||||
|
# directory, too.
|
||||||
|
#
|
||||||
|
# chroot = /path/to/chroot/directory
|
||||||
|
|
||||||
|
# user/group: The name (or #number) of the user/group to run radiusd as.
|
||||||
|
#
|
||||||
|
# If these are commented out, the server will run as the
|
||||||
|
# user/group that started it. In order to change to a
|
||||||
|
# different user/group, you MUST be root ( or have root
|
||||||
|
# privileges ) to start the server.
|
||||||
|
#
|
||||||
|
# We STRONGLY recommend that you run the server with as few
|
||||||
|
# permissions as possible. That is, if you're not using
|
||||||
|
# shadow passwords, the user and group items below should be
|
||||||
|
# set to radius'.
|
||||||
|
#
|
||||||
|
# NOTE that some kernels refuse to setgid(group) when the
|
||||||
|
# value of (unsigned)group is above 60000; don't use group
|
||||||
|
# "nobody" on these systems!
|
||||||
|
#
|
||||||
|
# On systems with shadow passwords, you might have to set
|
||||||
|
# 'group = shadow' for the server to be able to read the
|
||||||
|
# shadow password file. If you can authenticate users while
|
||||||
|
# in debug mode, but not in daemon mode, it may be that the
|
||||||
|
# debugging mode server is running as a user that can read
|
||||||
|
# the shadow info, and the user listed below can not.
|
||||||
|
#
|
||||||
|
# The server will also try to use "initgroups" to read
|
||||||
|
# /etc/groups. It will join all groups where "user" is a
|
||||||
|
# member. This can allow for some finer-grained access
|
||||||
|
# controls.
|
||||||
|
#
|
||||||
|
# user = radius
|
||||||
|
# group = radius
|
||||||
|
|
||||||
|
# Core dumps are a bad thing. This should only be set to
|
||||||
|
# 'yes' if you're debugging a problem with the server.
|
||||||
|
#
|
||||||
|
# allowed values: {no, yes}
|
||||||
|
#
|
||||||
|
allow_core_dumps = no
|
||||||
|
|
||||||
|
#
|
||||||
|
# max_attributes: The maximum number of attributes
|
||||||
|
# permitted in a RADIUS packet. Packets which have MORE
|
||||||
|
# than this number of attributes in them will be dropped.
|
||||||
|
#
|
||||||
|
# If this number is set too low, then no RADIUS packets
|
||||||
|
# will be accepted.
|
||||||
|
#
|
||||||
|
# If this number is set too high, then an attacker may be
|
||||||
|
# able to send a small number of packets which will cause
|
||||||
|
# the server to use all available memory on the machine.
|
||||||
|
#
|
||||||
|
# Setting this number to 0 means "allow any number of attributes"
|
||||||
|
max_attributes = 200
|
||||||
|
|
||||||
|
#
|
||||||
|
# reject_delay: When sending an Access-Reject, it can be
|
||||||
|
# delayed for a few seconds. This may help slow down a DoS
|
||||||
|
# attack. It also helps to slow down people trying to brute-force
|
||||||
|
# crack a users password.
|
||||||
|
#
|
||||||
|
# Setting this number to 0 means "send rejects immediately"
|
||||||
|
#
|
||||||
|
# If this number is set higher than 'cleanup_delay', then the
|
||||||
|
# rejects will be sent at 'cleanup_delay' time, when the request
|
||||||
|
# is deleted from the internal cache of requests.
|
||||||
|
#
|
||||||
|
# As of Version 3.0.5, "reject_delay" has sub-second resolution.
|
||||||
|
# e.g. "reject_delay = 1.4" seconds is possible.
|
||||||
|
#
|
||||||
|
# Useful ranges: 1 to 5
|
||||||
|
reject_delay = 1
|
||||||
|
|
||||||
|
#
|
||||||
|
# status_server: Whether or not the server will respond
|
||||||
|
# to Status-Server requests.
|
||||||
|
#
|
||||||
|
# When sent a Status-Server message, the server responds with
|
||||||
|
# an Access-Accept or Accounting-Response packet.
|
||||||
|
#
|
||||||
|
# This is mainly useful for administrators who want to "ping"
|
||||||
|
# the server, without adding test users, or creating fake
|
||||||
|
# accounting packets.
|
||||||
|
#
|
||||||
|
# It's also useful when a NAS marks a RADIUS server "dead".
|
||||||
|
# The NAS can periodically "ping" the server with a Status-Server
|
||||||
|
# packet. If the server responds, it must be alive, and the
|
||||||
|
# NAS can start using it for real requests.
|
||||||
|
#
|
||||||
|
# See also raddb/sites-available/status
|
||||||
|
#
|
||||||
|
status_server = yes
|
||||||
|
|
||||||
|
#
|
||||||
|
# allow_vulnerable_openssl: Allow the server to start with
|
||||||
|
# versions of OpenSSL known to have critical vulnerabilities.
|
||||||
|
#
|
||||||
|
# This check is based on the version number reported by libssl
|
||||||
|
# and may not reflect patches applied to libssl by
|
||||||
|
# distribution maintainers.
|
||||||
|
#
|
||||||
|
allow_vulnerable_openssl = no
|
||||||
|
}
|
||||||
|
|
||||||
|
# PROXY CONFIGURATION
|
||||||
|
#
|
||||||
|
# proxy_requests: Turns proxying of RADIUS requests on or off.
|
||||||
|
#
|
||||||
|
# The server has proxying turned on by default. If your system is NOT
|
||||||
|
# set up to proxy requests to another server, then you can turn proxying
|
||||||
|
# off here. This will save a small amount of resources on the server.
|
||||||
|
#
|
||||||
|
# If you have proxying turned off, and your configuration files say
|
||||||
|
# to proxy a request, then an error message will be logged.
|
||||||
|
#
|
||||||
|
# To disable proxying, change the "yes" to "no", and comment the
|
||||||
|
# $INCLUDE line.
|
||||||
|
#
|
||||||
|
# allowed values: {no, yes}
|
||||||
|
#
|
||||||
|
proxy_requests = yes
|
||||||
|
$INCLUDE proxy.conf
|
||||||
|
|
||||||
|
|
||||||
|
# CLIENTS CONFIGURATION
|
||||||
|
#
|
||||||
|
# Client configuration is defined in "clients.conf".
|
||||||
|
#
|
||||||
|
|
||||||
|
# The 'clients.conf' file contains all of the information from the old
|
||||||
|
# 'clients' and 'naslist' configuration files. We recommend that you
|
||||||
|
# do NOT use 'client's or 'naslist', although they are still
|
||||||
|
# supported.
|
||||||
|
#
|
||||||
|
# Anything listed in 'clients.conf' will take precedence over the
|
||||||
|
# information from the old-style configuration files.
|
||||||
|
#
|
||||||
|
$INCLUDE clients.conf
|
||||||
|
|
||||||
|
|
||||||
|
# THREAD POOL CONFIGURATION
|
||||||
|
#
|
||||||
|
# The thread pool is a long-lived group of threads which
|
||||||
|
# take turns (round-robin) handling any incoming requests.
|
||||||
|
#
|
||||||
|
# You probably want to have a few spare threads around,
|
||||||
|
# so that high-load situations can be handled immediately. If you
|
||||||
|
# don't have any spare threads, then the request handling will
|
||||||
|
# be delayed while a new thread is created, and added to the pool.
|
||||||
|
#
|
||||||
|
# You probably don't want too many spare threads around,
|
||||||
|
# otherwise they'll be sitting there taking up resources, and
|
||||||
|
# not doing anything productive.
|
||||||
|
#
|
||||||
|
# The numbers given below should be adequate for most situations.
|
||||||
|
#
|
||||||
|
thread pool {
|
||||||
|
# Number of servers to start initially --- should be a reasonable
|
||||||
|
# ballpark figure.
|
||||||
|
start_servers = 5
|
||||||
|
|
||||||
|
# Limit on the total number of servers running.
|
||||||
|
#
|
||||||
|
# If this limit is ever reached, clients will be LOCKED OUT, so it
|
||||||
|
# should NOT BE SET TOO LOW. It is intended mainly as a brake to
|
||||||
|
# keep a runaway server from taking the system with it as it spirals
|
||||||
|
# down...
|
||||||
|
#
|
||||||
|
# You may find that the server is regularly reaching the
|
||||||
|
# 'max_servers' number of threads, and that increasing
|
||||||
|
# 'max_servers' doesn't seem to make much difference.
|
||||||
|
#
|
||||||
|
# If this is the case, then the problem is MOST LIKELY that
|
||||||
|
# your back-end databases are taking too long to respond, and
|
||||||
|
# are preventing the server from responding in a timely manner.
|
||||||
|
#
|
||||||
|
# The solution is NOT do keep increasing the 'max_servers'
|
||||||
|
# value, but instead to fix the underlying cause of the
|
||||||
|
# problem: slow database, or 'hostname_lookups=yes'.
|
||||||
|
#
|
||||||
|
# For more information, see 'max_request_time', above.
|
||||||
|
#
|
||||||
|
max_servers = 32
|
||||||
|
|
||||||
|
# Server-pool size regulation. Rather than making you guess
|
||||||
|
# how many servers you need, FreeRADIUS dynamically adapts to
|
||||||
|
# the load it sees, that is, it tries to maintain enough
|
||||||
|
# servers to handle the current load, plus a few spare
|
||||||
|
# servers to handle transient load spikes.
|
||||||
|
#
|
||||||
|
# It does this by periodically checking how many servers are
|
||||||
|
# waiting for a request. If there are fewer than
|
||||||
|
# min_spare_servers, it creates a new spare. If there are
|
||||||
|
# more than max_spare_servers, some of the spares die off.
|
||||||
|
# The default values are probably OK for most sites.
|
||||||
|
#
|
||||||
|
min_spare_servers = 3
|
||||||
|
max_spare_servers = 10
|
||||||
|
|
||||||
|
# When the server receives a packet, it places it onto an
|
||||||
|
# internal queue, where the worker threads (configured above)
|
||||||
|
# pick it up for processing. The maximum size of that queue
|
||||||
|
# is given here.
|
||||||
|
#
|
||||||
|
# When the queue is full, any new packets will be silently
|
||||||
|
# discarded.
|
||||||
|
#
|
||||||
|
# The most common cause of the queue being full is that the
|
||||||
|
# server is dependent on a slow database, and it has received
|
||||||
|
# a large "spike" of traffic. When that happens, there is
|
||||||
|
# very little you can do other than make sure the server
|
||||||
|
# receives less traffic, or make sure that the database can
|
||||||
|
# handle the load.
|
||||||
|
#
|
||||||
|
# max_queue_size = 65536
|
||||||
|
|
||||||
|
# Clean up old threads periodically. For no reason other than
|
||||||
|
# it might be useful.
|
||||||
|
#
|
||||||
|
# '0' is a special value meaning 'infinity', or 'the servers never
|
||||||
|
# exit'
|
||||||
|
max_requests_per_server = 0
|
||||||
|
|
||||||
|
# Automatically limit the number of accounting requests.
|
||||||
|
# This configuration item tracks how many requests per second
|
||||||
|
# the server can handle. It does this by tracking the
|
||||||
|
# packets/s received by the server for processing, and
|
||||||
|
# comparing that to the packets/s handled by the child
|
||||||
|
# threads.
|
||||||
|
#
|
||||||
|
|
||||||
|
# If the received PPS is larger than the processed PPS, *and*
|
||||||
|
# the queue is more than half full, then new accounting
|
||||||
|
# requests are probabilistically discarded. This lowers the
|
||||||
|
# number of packets that the server needs to process. Over
|
||||||
|
# time, the server will "catch up" with the traffic.
|
||||||
|
#
|
||||||
|
# Throwing away accounting packets is usually safe and low
|
||||||
|
# impact. The NAS will retransmit them in a few seconds, or
|
||||||
|
# even a few minutes. Vendors should read RFC 5080 Section 2.2.1
|
||||||
|
# to see how accounting packets should be retransmitted. Using
|
||||||
|
# any other method is likely to cause network meltdowns.
|
||||||
|
#
|
||||||
|
auto_limit_acct = no
|
||||||
|
}
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# SNMP notifications. Uncomment the following line to enable
|
||||||
|
# snmptraps. Note that you MUST also configure the full path
|
||||||
|
# to the "snmptrap" command in the "trigger.conf" file.
|
||||||
|
#
|
||||||
|
#$INCLUDE trigger.conf
|
||||||
|
|
||||||
|
# MODULE CONFIGURATION
|
||||||
|
#
|
||||||
|
# The names and configuration of each module is located in this section.
|
||||||
|
#
|
||||||
|
# After the modules are defined here, they may be referred to by name,
|
||||||
|
# in other sections of this configuration file.
|
||||||
|
#
|
||||||
|
modules {
|
||||||
|
#
|
||||||
|
# Each module has a configuration as follows:
|
||||||
|
#
|
||||||
|
# name [ instance ] {
|
||||||
|
# config_item = value
|
||||||
|
# ...
|
||||||
|
# }
|
||||||
|
#
|
||||||
|
# The 'name' is used to load the 'rlm_name' library
|
||||||
|
# which implements the functionality of the module.
|
||||||
|
#
|
||||||
|
# The 'instance' is optional. To have two different instances
|
||||||
|
# of a module, it first must be referred to by 'name'.
|
||||||
|
# The different copies of the module are then created by
|
||||||
|
# inventing two 'instance' names, e.g. 'instance1' and 'instance2'
|
||||||
|
#
|
||||||
|
# The instance names can then be used in later configuration
|
||||||
|
# INSTEAD of the original 'name'. See the 'radutmp' configuration
|
||||||
|
# for an example.
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# Some modules have ordering issues. e.g. "sqlippool" uses
|
||||||
|
# the configuration from "sql". In that case, the "sql"
|
||||||
|
# module must be read off of disk before the "sqlippool".
|
||||||
|
# However, the directory inclusion below just reads the
|
||||||
|
# directory from start to finish. Which means that the
|
||||||
|
# modules are read off of disk randomly.
|
||||||
|
#
|
||||||
|
# As of 3.0.18, you can list individual modules *before* the
|
||||||
|
# directory inclusion. Those modules will be loaded first.
|
||||||
|
# Then, when the directory is read, those modules will be
|
||||||
|
# skipped and not read twice.
|
||||||
|
#
|
||||||
|
# $INCLUDE mods-enabled/sql
|
||||||
|
|
||||||
|
#
|
||||||
|
# As of 3.0, modules are in mods-enabled/. Files matching
|
||||||
|
# the regex /[a-zA-Z0-9_.]+/ are loaded. The modules are
|
||||||
|
# initialized ONLY if they are referenced in a processing
|
||||||
|
# section, such as authorize, authenticate, accounting,
|
||||||
|
# pre/post-proxy, etc.
|
||||||
|
#
|
||||||
|
$INCLUDE mods-enabled/
|
||||||
|
}
|
||||||
|
|
||||||
|
# Instantiation
|
||||||
|
#
|
||||||
|
# This section sets the instantiation order of the modules. listed
|
||||||
|
# here will get started up BEFORE the sections like authorize,
|
||||||
|
# authenticate, etc. get examined.
|
||||||
|
#
|
||||||
|
# This section is not strictly needed. When a section like authorize
|
||||||
|
# refers to a module, the module is automatically loaded and
|
||||||
|
# initialized. However, some modules may not be listed in any of the
|
||||||
|
# processing sections, so they should be listed here.
|
||||||
|
#
|
||||||
|
# Also, listing modules here ensures that you have control over
|
||||||
|
# the order in which they are initialized. If one module needs
|
||||||
|
# something defined by another module, you can list them in order
|
||||||
|
# here, and ensure that the configuration will be OK.
|
||||||
|
#
|
||||||
|
# After the modules listed here have been loaded, all of the modules
|
||||||
|
# in the "mods-enabled" directory will be loaded. Loading the
|
||||||
|
# "mods-enabled" directory means that unlike Version 2, you usually
|
||||||
|
# don't need to list modules here.
|
||||||
|
#
|
||||||
|
instantiate {
|
||||||
|
#
|
||||||
|
# We list the counter module here so that it registers
|
||||||
|
# the check_name attribute before any module which sets
|
||||||
|
# it
|
||||||
|
# daily
|
||||||
|
|
||||||
|
# subsections here can be thought of as "virtual" modules.
|
||||||
|
#
|
||||||
|
# e.g. If you have two redundant SQL servers, and you want to
|
||||||
|
# use them in the authorize and accounting sections, you could
|
||||||
|
# place a "redundant" block in each section, containing the
|
||||||
|
# exact same text. Or, you could uncomment the following
|
||||||
|
# lines, and list "redundant_sql" in the authorize and
|
||||||
|
# accounting sections.
|
||||||
|
#
|
||||||
|
# The "virtual" module defined here can also be used with
|
||||||
|
# dynamic expansions, under a few conditions:
|
||||||
|
#
|
||||||
|
# * The section is "redundant", or "load-balance", or
|
||||||
|
# "redundant-load-balance"
|
||||||
|
# * The section contains modules ONLY, and no sub-sections
|
||||||
|
# * all modules in the section are using the same rlm_
|
||||||
|
# driver, e.g. They are all sql, or all ldap, etc.
|
||||||
|
#
|
||||||
|
# When those conditions are satisfied, the server will
|
||||||
|
# automatically register a dynamic expansion, using the
|
||||||
|
# name of the "virtual" module. In the example below,
|
||||||
|
# it will be "redundant_sql". You can then use this expansion
|
||||||
|
# just like any other:
|
||||||
|
#
|
||||||
|
# update reply {
|
||||||
|
# Filter-Id := "%{redundant_sql: ... }"
|
||||||
|
# }
|
||||||
|
#
|
||||||
|
# In this example, the expansion is done via module "sql1",
|
||||||
|
# and if that expansion fails, using module "sql2".
|
||||||
|
#
|
||||||
|
# For best results, configure the "pool" subsection of the
|
||||||
|
# module so that "retry_delay" is non-zero. That will allow
|
||||||
|
# the redundant block to quickly ignore all "down" SQL
|
||||||
|
# databases. If instead we have "retry_delay = 0", then
|
||||||
|
# every time the redundant block is used, the server will try
|
||||||
|
# to open a connection to every "down" database, causing
|
||||||
|
# problems.
|
||||||
|
#
|
||||||
|
#redundant redundant_sql {
|
||||||
|
# sql1
|
||||||
|
# sql2
|
||||||
|
#}
|
||||||
|
}
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# Policies are virtual modules, similar to those defined in the
|
||||||
|
# "instantiate" section above.
|
||||||
|
#
|
||||||
|
# Defining a policy in one of the policy.d files means that it can be
|
||||||
|
# referenced in multiple places as a *name*, rather than as a series of
|
||||||
|
# conditions to match, and actions to take.
|
||||||
|
#
|
||||||
|
# Policies are something like subroutines in a normal language, but
|
||||||
|
# they cannot be called recursively. They MUST be defined in order.
|
||||||
|
# If policy A calls policy B, then B MUST be defined before A.
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
policy {
|
||||||
|
$INCLUDE policy.d/
|
||||||
|
}
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# Load virtual servers.
|
||||||
|
#
|
||||||
|
# This next $INCLUDE line loads files in the directory that
|
||||||
|
# match the regular expression: /[a-zA-Z0-9_.]+/
|
||||||
|
#
|
||||||
|
# It allows you to define new virtual servers simply by placing
|
||||||
|
# a file into the raddb/sites-enabled/ directory.
|
||||||
|
#
|
||||||
|
$INCLUDE sites-enabled/
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
# All of the other configuration sections like "authorize {}",
|
||||||
|
# "authenticate {}", "accounting {}", have been moved to the
|
||||||
|
# the file:
|
||||||
|
#
|
||||||
|
# raddb/sites-available/default
|
||||||
|
#
|
||||||
|
# This is the "default" virtual server that has the same
|
||||||
|
# configuration as in version 1.0.x and 1.1.x. The default
|
||||||
|
# installation enables this virtual server. You should
|
||||||
|
# edit it to create policies for your local site.
|
||||||
|
#
|
||||||
|
# For more documentation on virtual servers, see:
|
||||||
|
#
|
||||||
|
# raddb/sites-available/README
|
||||||
|
#
|
||||||
|
######################################################################
|
113
ops/nixos/bvm-radius/raddb/sites-available/eduroam
Normal file
113
ops/nixos/bvm-radius/raddb/sites-available/eduroam
Normal file
|
@ -0,0 +1,113 @@
|
||||||
|
operator_name = "as205479.net"
|
||||||
|
|
||||||
|
# The VLAN to assign eduroam visitors
|
||||||
|
eduroam_default_guest_vlan = "100"
|
||||||
|
|
||||||
|
# The VLAN to assign your students/staff
|
||||||
|
eduroam_default_local_vlan = "100"
|
||||||
|
|
||||||
|
server eduroam {
|
||||||
|
listen {
|
||||||
|
type = auth
|
||||||
|
ipv6addr = *
|
||||||
|
port = 1812
|
||||||
|
}
|
||||||
|
listen {
|
||||||
|
type = auth
|
||||||
|
ipv4addr = *
|
||||||
|
port = 1812
|
||||||
|
}
|
||||||
|
|
||||||
|
authorize {
|
||||||
|
# Log requests before we change them
|
||||||
|
linelog_recv_request
|
||||||
|
|
||||||
|
# split_username_nai is a policy in the default distribution to
|
||||||
|
# split a username into username and domain. We reject user-name
|
||||||
|
# strings without domains, as they're not routable.
|
||||||
|
split_username_nai
|
||||||
|
if (noop || !&Stripped-User-Domain) {
|
||||||
|
reject
|
||||||
|
}
|
||||||
|
|
||||||
|
# Send the request to the NRO for your region.
|
||||||
|
# The details of the FLRs (Federation Level RADIUS servers)
|
||||||
|
# are in proxy.conf.
|
||||||
|
# You can make this condition as complex as you like, to
|
||||||
|
# include additional subdomains just concatenate the conditions
|
||||||
|
# with &&.
|
||||||
|
if (&Stripped-User-Domain != "${operator_name}") {
|
||||||
|
update {
|
||||||
|
control:Load-Balance-Key := &Calling-Station-ID
|
||||||
|
control:Proxy-To-Realm := 'eduroam_flr'
|
||||||
|
|
||||||
|
# Operator name (RFC 5580) identifies the network the
|
||||||
|
# request originated from. It's not absolutely necessary
|
||||||
|
# but it helps with debugging.
|
||||||
|
request:Operator-Name := "1${operator_name}"
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
# If the EAP module returns 'ok' or 'updated', it means it has handled
|
||||||
|
# the request and we don't need to call any other modules in this
|
||||||
|
# section.
|
||||||
|
eap {
|
||||||
|
ok = return
|
||||||
|
updated = return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
pre-proxy {
|
||||||
|
attr_filter.pre-proxy
|
||||||
|
linelog_send_proxy_request
|
||||||
|
}
|
||||||
|
|
||||||
|
post-proxy {
|
||||||
|
attr_filter.post-proxy
|
||||||
|
linelog_recv_proxy_response
|
||||||
|
}
|
||||||
|
|
||||||
|
authenticate {
|
||||||
|
eap
|
||||||
|
}
|
||||||
|
|
||||||
|
post-auth {
|
||||||
|
# To implement eduroam you must:
|
||||||
|
# - Use wireless access points or a controller which supports
|
||||||
|
# dynamic VLAN assignments.
|
||||||
|
# - Have that feature enabled.
|
||||||
|
# - Have the guest_vlan/local_vlan available to the controller,
|
||||||
|
# or to all your access points.
|
||||||
|
# eduroam user traffic *MUST* be segregated, this is *NOT* optional.
|
||||||
|
update reply {
|
||||||
|
Tunnel-Type := VLAN
|
||||||
|
Tunnel-Medium-Type := IEEE-802
|
||||||
|
}
|
||||||
|
if (&control:Proxy-To-Realm) {
|
||||||
|
update reply {
|
||||||
|
Tunnel-Private-Group-ID = ${eduroam_default_guest_vlan}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
update reply {
|
||||||
|
Tunnel-Private-Group-ID = ${eduroam_default_local_vlan}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# We're sending a response to one of OUR network devices for one of
|
||||||
|
# OUR users so provide it with the real user-identity.
|
||||||
|
if (&session-state:Stripped-User-Name) {
|
||||||
|
update reply {
|
||||||
|
User-Name := "%{session-state:Stripped-User-Name}@%{Stripped-User-Domain}"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
linelog_send_accept
|
||||||
|
|
||||||
|
Post-Auth-Type REJECT {
|
||||||
|
attr_filter.access_reject
|
||||||
|
linelog_send_reject
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,71 @@
|
||||||
|
server eduroam-inner {
|
||||||
|
listen {
|
||||||
|
type = auth
|
||||||
|
ipv6addr = *
|
||||||
|
port = 18120 # Used for testing only. Requests proxied internally.
|
||||||
|
}
|
||||||
|
listen {
|
||||||
|
type = auth
|
||||||
|
ipv4addr = *
|
||||||
|
port = 18120 # Used for testing only. Requests proxied internally.
|
||||||
|
}
|
||||||
|
|
||||||
|
authorize {
|
||||||
|
# The outer username is considered garabage for autz purposes, but
|
||||||
|
# the domain portion of the outer and inner identities must match.
|
||||||
|
split_username_nai
|
||||||
|
if (noop || (&Stripped-User-Domain && \
|
||||||
|
(&outer.Stripped-User-Domain != &Stripped-User-Domain))) {
|
||||||
|
reject
|
||||||
|
}
|
||||||
|
|
||||||
|
# Make the user's real identity available to anything that needs
|
||||||
|
# it in the outer server.
|
||||||
|
if (&outer.session-state:)
|
||||||
|
update {
|
||||||
|
&outer.session-state:Stripped-User-Name := &Stripped-User-Name
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# EAP for PEAPv0 (EAP-MSCHAPv2)
|
||||||
|
inner-eap {
|
||||||
|
ok = return
|
||||||
|
}
|
||||||
|
|
||||||
|
# THIS IS SITE SPECIFIC
|
||||||
|
#
|
||||||
|
# The files module is *ONLY* used for testing. It lets you define
|
||||||
|
# credentials in a flat file, IT WILL NOT SCALE.
|
||||||
|
#
|
||||||
|
# - If you use OpenLDAP with salted password hashes you should
|
||||||
|
# call the 'ldap' module here and use EAP-TTLS-PAP as your EAP method.
|
||||||
|
# - If you use OpenLDAP with cleartext passwords you should
|
||||||
|
# call the 'ldap' module here and use EAP-TTLS or PEAPv0.
|
||||||
|
# - If you use an SQL DB with salted password hashes you should call
|
||||||
|
# the 'sql' module here and use EAP-TTLS-PAP as your EAP method.
|
||||||
|
# - If you use an SQL DB with cleartext passwords you should call
|
||||||
|
# the 'sql' module here and use EAP-TTLS or PEAPv0.
|
||||||
|
# - If you use Novell you should call the 'ldap' module here and
|
||||||
|
# set ``edir = yes`` in ``mods-available/ldap`` and use EAP-TTLS or
|
||||||
|
# PEAPv0.
|
||||||
|
# - If you use Active Directory, you don't need anything here (remove
|
||||||
|
# the call to files) but you'll need to follow this
|
||||||
|
# [guide](freeradius-active-directory-integration-howto) and use
|
||||||
|
# EAP-TTLS-PAP or PEAPv0.
|
||||||
|
# - If you're using EAP-TLS (i'm impressed!) remove the call to files.
|
||||||
|
#
|
||||||
|
# EAP-TTLS-PAP and PEAPv0 are equally secure/insecure depending on how the
|
||||||
|
# supplicant is configured. PEAPv0 has a slight edge in that you need to
|
||||||
|
# crack MSCHAPv2 to get the user's password (but this is not hard).
|
||||||
|
files
|
||||||
|
|
||||||
|
pap
|
||||||
|
mschap
|
||||||
|
}
|
||||||
|
|
||||||
|
authenticate {
|
||||||
|
inner-eap
|
||||||
|
mschap
|
||||||
|
pap
|
||||||
|
}
|
||||||
|
}
|
1
ops/nixos/bvm-radius/raddb/sites-enabled/eduroam
Symbolic link
1
ops/nixos/bvm-radius/raddb/sites-enabled/eduroam
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../sites-available/eduroam
|
1
ops/nixos/bvm-radius/raddb/sites-enabled/inner-tunnel-eduroam
Symbolic link
1
ops/nixos/bvm-radius/raddb/sites-enabled/inner-tunnel-eduroam
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../sites-available/inner-tunnel-eduroam
|
1
ops/nixos/bvm-radius/raddb/users
Symbolic link
1
ops/nixos/bvm-radius/raddb/users
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
./mods-config/files/authorize
|
46
ops/nixos/bvm-radius/radius.nix
Normal file
46
ops/nixos/bvm-radius/radius.nix
Normal file
|
@ -0,0 +1,46 @@
|
||||||
|
# SPDX-FileCopyrightText: 2021 Luke Granger-Brown <depot@lukegb.com>
|
||||||
|
#
|
||||||
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
|
{ pkgs, depot, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
freeradiusConfig = pkgs.runCommandLocal "freeradius-config" (depot.ops.secrets.radius // {
|
||||||
|
freeradius = pkgs.freeradius;
|
||||||
|
raddb = ./raddb;
|
||||||
|
}) ''
|
||||||
|
cp -R $raddb $out
|
||||||
|
chmod -R +w $out
|
||||||
|
|
||||||
|
for f in $out/{radiusd,clients,proxy}.conf $out/mods-config/files/authorize; do
|
||||||
|
substituteInPlace "$f" \
|
||||||
|
--replace "{{FREERADIUS_LOC}}" "$freeradius" \
|
||||||
|
--replace "{{JANET_ROAMING0_SECRET}}" "$janetroaming0" \
|
||||||
|
--replace "{{JANET_ROAMING1_SECRET}}" "$janetroaming1" \
|
||||||
|
--replace "{{JANET_ROAMING2_SECRET}}" "$janetroaming2" \
|
||||||
|
--replace "{{WLC_SECRET}}" "$wlc" \
|
||||||
|
--replace "{{USER_TESTUSER_PASSWORD}}" "$testuser" \
|
||||||
|
--replace "{{USER_LUKEGB_PASSWORD}}" "$lukegb"
|
||||||
|
done
|
||||||
|
|
||||||
|
# can't check the config; it relies on things out-of-store
|
||||||
|
# ${pkgs.freeradius}/bin/radiusd -C -sxl stdout -d $out
|
||||||
|
'';
|
||||||
|
in {
|
||||||
|
environment.systemPackages = [
|
||||||
|
pkgs.freeradius
|
||||||
|
depot.pkgs.eapol-test
|
||||||
|
];
|
||||||
|
|
||||||
|
services.freeradius = {
|
||||||
|
enable = true;
|
||||||
|
configDir = freeradiusConfig;
|
||||||
|
};
|
||||||
|
|
||||||
|
users.users.radius = {
|
||||||
|
group = "radius";
|
||||||
|
extraGroups = [ "acme" ];
|
||||||
|
isSystemUser = true;
|
||||||
|
};
|
||||||
|
users.groups.radius = {};
|
||||||
|
}
|
Loading…
Reference in a new issue