Add default freeradius config

Jakob Lechner 2022-08-03 02:29:50 +00:00
parent 5a1c42c2bc
commit d2f277b138
No known key found for this signature in database
GPG key ID: 996082EFB5906C10
267 changed files with 29628 additions and 0 deletions


@ -0,0 +1,665 @@
Upgrading to Version 3.0
========================
.. contents:: Sections
:depth: 2
.. important::
The configuration for 3.0 is *largely* compatible with the 2.x.x
configuration. However, it is NOT possible to simply use the 2.x.x
configuration as-is. Instead, you should re-create it.
Security
--------
A number of configuration items have moved into the "security"
subsection of radiusd.conf. If you use these, you should move them.
Otherwise, they can be ignored.
The list of moved options is::
chroot
user
group
allow_core_dumps
reject_delay
status_server
These entries should be moved from "radiusd.conf" to the "security"
subsection of that file.
Naming
------
Many names used by configuration items were inconsistent in earlier
versions of the server. These names have been unified in version 3.0.
If a file is being referenced or created the config item ``filename``
is used.
If a file is being created, the initial permissions are set by the
``permissions`` config item.
If a directory hierarchy needs to be created, the permissions are set
by ``dir_permissions``.
If an external host is referenced in the context of a module the
``server`` config item is used.
Unless the config item is a well recognised portmanteau
(as ``filename`` is for example), it must be written as multiple
distinct words separated by underscores ``_``.
The configuration items ``file``, ``script_file``, ``module``,
``detail``, ``detailfile``, ``attrsfile``, ``perm``, ``dirperm``,
``detailperm``, and ``hostname`` are deprecated. As well as any false
portmanteaus, and configuration items that used hyphens as word
delimiters. e.g. ``foo-bar`` has been changed to ``foo_bar``. Please
update your module configuration to use the new syntax.
In most cases the server will tell you the replacement config item to
use. As always, run the server in debugging mode to see these
messages.
Modules Directory
-----------------
As of version 3.0, the ``modules/`` directory no longer exists.
Instead, all "example" modules have been put into the
``mods-available/`` directory. Modules which can be loaded by the
server are placed in the ``mods-enabled/`` directory. All of the
modules in that directory will be loaded. This means that the
``instantiate`` section of radiusd.conf is less important. The only
reason to list a module in the ``instantiate`` section is to force
ordering when the modules are loaded.
Modules can be enabled by creating a soft link. For module ``foo``, do::
$ cd raddb/mods-enabled
$ ln -s ../mods-available/foo
To create "local" versions of the modules, we suggest copying the file
instead. This leaves the original file (with documentation) in the
``mods-available/`` directory. Local changes should go into the
``mods-enabled/`` directory.
Module-specific configuration files are now in the ``mods-config/``
directory. This change allows for better organization, and means that
there are fewer files in the main ``raddb`` directory. See
``mods-config/README.rst`` for more details.
Changed Modules
---------------
The following modules have been changed.
rlm_sql
~~~~~~~
The SQL configuration has been moved from ``sql.conf`` to
``mods-available/sql``. The ``sqlippool.conf`` file has also been
moved to ``mods-available/sqlippool``.
The SQL module configuration has been changed. The old connection
pool options are no longer accepted::
num_sql_socks
connect_failure_retry_delay
lifetime
max_queries
Instead, a connection pool configuration is used. This configuration
contains all of the functionality of the previous configuration, but
in a more generic form. It also is used in multiple modules, meaning
that there are fewer different configuration items. The mapping
between the configuration items is::
num_sql_socks -> pool { max }
connect_failure_retry_delay -> pool { retry_delay }
lifetime -> pool { lifetime }
max_queries -> pool { uses }
The pool configuration adds a number of new configuration options,
which allow the administrator to better control how FreeRADIUS uses
SQL connection pools.
The following parameters have been changed::
trace -> removed
tracefile -> logfile
The logfile is intended to log SQL queries performed. If you need to
debug the server, use debugging mode. If ``logfile`` is set, then
*all* SQL queries will go to ``logfile``.
You can now use a NULL SQL database::
driver = rlm_sql_null
This is an empty driver which will always return "success". It is
intended to be used to replace the ``sql_log`` module, and to work in
conjunction with the ``radsqlrelay`` program. Simply take your normal
configuration for raddb/mods-enabled/sql, and set::
driver = rlm_sql_null
...
logfile = ${radacctdir}/sql.log
All of the SQL queries will be logged to that file. The connection
pool does not need to be configured for the ``null`` SQL driver. It
can be left as-is, or deleted from the SQL configuration file.
rlm_sql_sybase
~~~~~~~~~~~~~~
The ``rlm_sql_sybase`` module has been renamed to ``rlm_sql_freetds``
and the old ``rlm_sql_freetds`` module has been removed.
``rlm_sql_sybase`` used the newer ct-lib API, and ``rlm_sql_freetds``
used an older API and was incomplete.
The new ``rlm_sql_freetds`` module now also supports database
selection on connection startup so ``use`` statements no longer
have to be included in queries.
sql/dialup.conf
~~~~~~~~~~~~~~~
Queries for post-auth and accounting calls have been re-arranged. The
SQL module will now expand the 'reference' configuration item in the
appropriate sub-section, and resolve this to a configuration
item. This behaviour is similar to rlm_linelog. This dynamic
expansion allows for a dynamic mapping between accounting types and
SQL queries. Previously, the mapping was fixed. Any "new" accounting
type was ignored by the module. Now, support for any accounting type
can be added by just adding a new target, as below.
Queries from v2.x.x may be manually copied to the new v3.0
``dialup.conf`` file (``raddb/mods-config/sql/main/<dialect>/queries.conf``).
When doing this you may also need to update references to the
accounting tables, as their definitions will now be outside of
the subsection containing the query.
The mapping from old "fixed" query to new "dynamic" query is as follows::
accounting_onoff_query -> accounting.type.accounting-on.query
accounting_update_query -> accounting.type.interim-update.query
accounting_update_query_alt +> accounting.type.interim-update.query
accounting_start_query -> accounting.type.start.query
accounting_start_query_alt +> accounting.type.start.query
accounting_stop_query -> accounting.type.stop.query
accounting_stop_query_alt +> accounting.type.stop.query
postauth_query -> post-auth.query
Alternatively a 2.x.x config may be patched to work with the
3.0 module by adding the following::
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "${....accounting_onoff_query}"
}
accounting-off {
query = "${....accounting_onoff_query}"
}
start {
query = "${....accounting_start_query}"
query = "${....accounting_start_query_alt}"
}
interim-update {
query = "${....accounting_update_query}"
query = "${....accounting_update_query_alt}"
}
stop {
query = "${....accounting_stop_query}"
query = "${....accounting_stop_query_alt}"
}
}
}
post-auth {
query = "${..postauth_query}"
}
In general, it is safer to migrate the configuration rather than
trying to "patch" it, to make it look like a v2 configuration.
Note that the sub-sections holding the queries are labelled
``accounting-on``, and not ``accounting_on``. The reason is that the
names of these sections are taken directly from the
``Accounting-Request`` packet, and the ``Acct-Status-Type`` field.
The ``sql`` module looks at the value of that field, and then looks
for a section of that name, in order to find the query to use.
That process means that the server can be extended to support any new
value of ``Acct-Status-Type``, simply by adding a named sub-section,
and a query. This behavior is preferable to that of v2, which had
hard-coded queries for certain ``Acct-Status-Type`` values, and was
ignored all other values.
rlm_ldap
~~~~~~~~
The LDAP module configuration has been substantially changed. Please
read ``raddb/mods-available/ldap``. It now uses a connection pool,
just like the SQL module.
Many of the configuration items remain the same, but they have been
moved into subsections. This change is largely cosmetic, but it makes
the configuration clearer. Instead of having a large set of random
configuration items, they are now organized into logical groups.
You will need to read your old LDAP configuration, and migrate it
manually to the new configuration. Simply copying the old
configuration WILL NOT WORK.
Users upgrading from 2.x.x who used to call the ldap module in
``post-auth`` should now set ``edir_autz = yes``, and remove the ``ldap``
module from the ``post-auth`` section.
rlm_ldap and LDAP-Group
~~~~~~~~~~~~~~~~~~~~~~~
In 2.x.x the registration of the ``LDAP-Group`` pair comparison was done
by the last instance of rlm_ldap to be instantiated. In 3.0 this has
changed so that only the default ``ldap {}`` instance registers
``LDAP-Group``.
If ``<instance>-LDAP-Group`` is already used throughout your configuration
no changes will be needed.
rlm_ldap authentication
~~~~~~~~~~~~~~~~~~~~~~~
In 2.x.x the LDAP module had a ``set_auth_type`` configuration item,
which forced ``Auth-Type := ldap``. This was removed in 3.x.x as it
often did not work, and was not consistent with the rest of the
server. We generally recommend that LDAP should be used as a
database, and that FreeRADIUS should do authentication.
The only reason to use ``Auth-Type := ldap`` is when the LDAP server
will not supply the "known good" password to FreeRADIUS, *and* where
the Access-Request contains User-Password. This situation happens
only for Active Directory. If you think you need to force ``Auth-Type
:= ldap`` in other situations, you are very likely to be wrong.
The following is an example of what should be inserted into the
``authorize {}`` and ``authenticate {}`` sections of the relevant
virtual-servers, to get functionality equivalent to v2.x::
authorize {
...
ldap
if ((ok || updated) && User-Password) {
update control {
Auth-Type := ldap
}
}
...
}
authenticate {
...
Auth-Type ldap {
ldap
}
...
}
rlm_eap
~~~~~~~
The EAP configuration has been moved from ``eap.conf`` to
``mods-available/eap``. A new ``pwd`` subsection has been added for
EAP-PWD.
rlm_expiration & rlm_logintime
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The rlm_expiration and rlm_logintime modules no longer add a ``Reply-Message``,
the same behaviour can be achieved checking the return code of the module and
adding the ``Reply-Message`` with unlang::
expiration
if (userlock) {
update reply {
Reply-Message := "Your account has expired"
}
}
rlm_unix
~~~~~~~~
The ``unix`` module does not have an ``authenticate`` section. So you
cannot set ``Auth-Type := System``. The ``unix`` module has also been
deleted from the examples in ``sites-available/``. Listing it there
has been deprecated for many years.
The PAP module can do crypt authentication. It should be used instead
of Unix authentication.
The Unix module still can pull the passwords from ``/etc/passwd``, or
``/etc/shadow``. This is done by listing it in the ``authorize``
section, as is done in the examples in ``sites-available/``. However,
some systems using NIS or NSS will not supply passwords to the
``unix`` module. For those systems, we recommend putting users and
passwords into a database, instead of relying on ``/etc/passwd``.
rlm_preprocess
~~~~~~~~~~~~~~
In 2.x.x ``huntroups`` and ``users`` files were loaded from default locations
without being configured explicitly. Since 3.x.x you need to set
``huntgroups`` and ``users`` configuration item(s) in module section in order
to get them being processed.
New Modules
-----------
rlm_date
~~~~~~~~
Instances of rlm_date register an xlat method which can translate
integer and date values to an arbitrarily formatted date time
string, or an arbitrarily formated time string to an integer,
depending on the attribute type passed.
rlm_rest
~~~~~~~~
The ``rest`` module is used to translate RADIUS requests into
RESTfull HTTP requests. Currently supported body types are JSON
and POST.
rlm_unpack
~~~~~~~~~~
The ``unpack`` module is used to turn data buried inside of binary
attributes. e.g. if we have ``Class = 0x00000001020304`` then::
Tmp-Integer-0 := "%{unpack:&Class 4 short}"
will unpack octets 4 and 5 as a "short", which has value 0x0304.
All integers are assumed to be in network byte order.
rlm_yubikey
~~~~~~~~~~~
The ``yubikey`` module can be used to forward yubikey OTP token
values to a Yubico validation server, or decrypt the token
using a PSK.
Deleted Modules
---------------
The following modules have been deleted, and are no longer supported
in Version 3. If you are using one of these modules, your
configuration can probably be changed to not need it. Otherwise email
the freeradius-devel list, and ask about the module.
rlm_acct_unique
~~~~~~~~~~~~~~~
This module has been replaced by the "acct_unique" policy. See
raddb/policy.d/accounting.
The method for calculating the value of acct_unique has changed.
However, as this method was configurable, this change should not
matter. The only issue is in having a v2 and v3 server writing to the
same database at the same time. They will calculate different values
for Acct-Unique-Id.
rlm_acctlog
~~~~~~~~~~~
You should use rlm_linelog instead. That module has a superset of the
acctlog functionality.
rlm_attr_rewrite
~~~~~~~~~~~~~~~~
The attr_rewrite module looked for an attribute, and then re-wrote it,
or created a new attribute. All of that can be done in "unlang".
A sample configuration in "unlang" is::
if (request:Calling-Station-Id) {
update request {
Calling-Station-Id := "...."
}
}
We suggest updating all uses of attr_rewrite to use unlang instead.
rlm_checkval
~~~~~~~~~~~~
The checkval module compared two attributes. All of that can be done in "unlang"::
if (&request:Calling-Station-Id == &control:Calling-Station-Id) {
ok
}
We suggest updating all uses of checkval to use unlang instead.
rlm_dbm
~~~~~~~
No one seems to use it. There is no sample configuration for it.
There is no speed advantage to using it over the "files" module.
Modern systems are fast enough that 10K entries can be read from the
"users" file in about 10ms. If you need more users than that, use a
real database such as SQL.
rlm_fastusers
~~~~~~~~~~~~~
No one seems to use it. It has been deprecated since Version 2.0.0.
The "files" module was rewritten so that the "fastusers" module was no
longer necessary.
rlm_policy
~~~~~~~~~~
No one seems to use it. Almost all of its functionality is available
via "unlang".
rlm_sim_files
~~~~~~~~~~~~~
The rlm_sim_files module has been deleted. It was never marked "stable",
and was never used in a production environment. There are better ways
to test EAP.
If you want similar functionality, see rlm_passwd. It can read CSV
files, and create attributes from them.
rlm_sql_log
~~~~~~~~~~~
This has been replaced with the "null" sql driver. See
raddb/mods-available/sql for an example configuration.
The main SQL module has more functionality than rlm_sql_log, and
results in less code in the server.
Other Functionality
-------------------
The following is a list of new / changed functionality.
RadSec
~~~~~~
RadSec (or RADIUS over TLS) is now supported. RADIUS over bare TCP
is also supported, but is recommended only for secure networks.
See ``sites-available/tls`` for complete details on using TLS. The server
can both receive incoming TLS connections, and also originate outgoing
TLS connections.
The TLS configuration is taken from the old EAP-TLS configuration. It
is largely identical to the old EAP-TLS configuration, so it should be
simple to use and configure. It re-uses much of the EAP-TLS code,
so it is well-tested and reliable.
Once RadSec is enabled, normal debugging mode will not work. This is
because the TLS code requires threading to work properly. Instead of doing::
$ radiusd -X
you will need to do::
$ radiusd -fxx -l stdout
That's the price to pay for using RadSec. This limitation may be
lifted in a future version of the server.
PAP and User-Password
~~~~~~~~~~~~~~~~~~~~~
From version 3.0 onwards the server no longer supports authenticating
against a cleartext password in the 'User-Password' attribute. Any
occurences of this (for instance, in the users file) should now be changed
to 'Cleartext-Password' instead.
e.g. change entries like this::
bob User-Password == "hello"
to ones like this::
bob Cleartext-Password := "hello"
If this is not done, authentication will likely fail. The server will
also print a helpful message in debugging mode.
If it really is impossible to do this, the following unlang inserted above
the call to the pap module may be used to copy User-Password to the correct
attribute::
if (!control:Cleartext-Password && control:User-Password) {
update control {
Cleartext-Password := "%{control:User-Password}"
}
}
However, this should only be seen as a temporary, not permanent, fix.
It is better to fix your databases to use the correct configuration.
Unlang
~~~~~~
The unlang policy language is compatible with v2, but has a number of
new features. See ``man unlang`` for complete documentation.
ERRORS
Many more errors are caught when the server is starting up. Syntax
errors in ``unlang`` are caught, and a helpful error message is
printed. The error message points to the exact place where the error
occurred::
./raddb/sites-enabled/default[230]: Parse error in condition
ERROR: if (User-Name ! "bob") {
ERROR: ^ Invalid operator
``update`` sections are more generic. Instead of doing ``update
reply``, you can do the following::
update {
reply:Class := 0x0000
control:Cleartext-Password := "hello"
}
This change means that you need fewer ``update`` sections.
COMPARISONS
Attribute comparisons can be done via the ``&`` operator. When you
needed to compare two attributes, the old comparison style was::
if (User-Name == "%{control:Tmp-String-0}") {
This syntax is inefficient, as the ``Tmp-String-0`` attribute would be
printed to an intermediate string, causing unnecessary work. You can
now instead compare the two attributes directly::
if (&User-Name == &control:Tmp-String-0) {
See ``man unlang`` for more details.
CASTS
Casts are now permitted. This allows you to force type-specific
comparisons::
if (<ipaddr>"%{sql: SELECT...}" == 127.0.0.1) {
This forces the string returned by the SELECT to be treated as an IP
address, and compare to ``127.0.0.1``. Previously, the comparison
would have been done as a simple string comparison.
NETWORKS
IP networks are now supported::
if (127.0.0.1/32 == 127.0.0.1) {
Will be ``true``. The various comparison operators can be used to
check IP network membership::
if (127/8 > 127.0.0.1) {
Returns ``true``, because ``127.0.0.1`` is within the ``127/8``
network. However, the following comparison will return ``false``::
if (127/8 > 192.168.0.1) {
because ``192.168.0.1`` is outside of the ``127/8`` network.
OPTIMIZATION
As ``unlang`` is now pre-compiled, many compile-time optimizations are
done. This means that the debug output may not be exactly the same as
what is in the configuration files::
if (0 && (User-Name == "bob')) {
The result will always be ``false``, as the ``if 0`` prevents the
following ``&& ...`` from being evaluated.
Not only that, but the entire contents of that section will be ignored
entirely::
if (0) {
this_module_does_not_exist
and_this_one_does_not_exist_either
}
In v2, that configuration would result in a parse error, as there is
no module called ``this_module_does_not_exist``. In v3, that text is
ignored. This ability allows you to have dynamic configurations where
certain parts are used (or not) depending on compile-time configuration.
Similarly, conditions which always evaluate to ``true`` will be
optimized away::
if (1) {
files
}
That configuration will never show the ``if (1)`` output in debugging mode.
Dialup_admin
------------
The dialup_admin directory has been removed. No one stepped forward
to maintain it, and the code had not been changed in many years.
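Review bot: the rlm_unpack example's arithmetic does not match its own bytes. With `Class = 0x00000001020304` the octets at zero-based offsets 4 and 5 are 0x02 and 0x03, so `%{unpack:&Class 4 short}` yields 0x0203, not the 0x0304 the text claims (0x0304 would be offsets 5 and 6); fix either the offset or the stated value so a reader can verify the example. Smaller points in the same file: the OPTIMIZATION example `if (0 && (User-Name == "bob')) {` mixes a double quote with a single quote and will not parse as written; the dialup.conf mapping uses `accounting_update_query_alt +> accounting.type.interim-update.query` with a `+>` arrow where every other line uses `->`, so either say what `+>` means (appended as a second query?) or use `->`; and there are typos to fix in "huntroups", "formated", "RESTfull", "occurences" and "was ignored all other values".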


@ -0,0 +1,288 @@
# -*- text -*-
##
## clients.conf -- client configuration directives
##
## $Id: 60f9f4bf8a32804182e4516ac69ac510d25215d1 $
#######################################################################
#
# Define RADIUS clients (usually a NAS, Access Point, etc.).
#
# Defines a RADIUS client.
#
# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
# to allow testing of the server after an initial installation. If you
# are not going to be permitting RADIUS queries from localhost, we suggest
# that you delete, or comment out, this entry.
#
#
#
# Each client has a "short name" that is used to distinguish it from
# other clients.
#
# In version 1.x, the string after the word "client" was the IP
# address of the client. In 2.0, the IP address is configured via
# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x
# format is still accepted.
#
client localhost {
# Only *one* of ipaddr, ipv4addr, ipv6addr may be specified for
# a client.
#
# ipaddr will accept IPv4 or IPv6 addresses with optional CIDR
# notation '/<mask>' to specify ranges.
#
# ipaddr will accept domain names e.g. example.org resolving
# them via DNS.
#
# If both A and AAAA records are found, A records will be
# used in preference to AAAA.
ipaddr = 127.0.0.1
# Same as ipaddr but allows v4 addresses only. Requires A
# record for domain names.
# ipv4addr = * # any. 127.0.0.1 == localhost
# Same as ipaddr but allows v6 addresses only. Requires AAAA
# record for domain names.
# ipv6addr = :: # any. ::1 == localhost
#
# A note on DNS: We STRONGLY recommend using IP addresses
# rather than host names. Using host names means that the
# server will do DNS lookups when it starts, making it
# dependent on DNS. i.e. If anything goes wrong with DNS,
# the server won't start!
#
# The server also looks up the IP address from DNS once, and
# only once, when it starts. If the DNS record is later
# updated, the server WILL NOT see that update.
#
#
# The transport protocol.
#
# If unspecified, defaults to "udp", which is the traditional
# RADIUS transport. It may also be "tcp", in which case the
# server will accept connections from this client ONLY over TCP.
#
proto = *
#
# The shared secret use to "encrypt" and "sign" packets between
# the NAS and FreeRADIUS. You MUST change this secret from the
# default, otherwise it's not a secret any more!
#
# The secret can be any string, up to 8k characters in length.
#
# Control codes can be entered vi octal encoding,
# e.g. "\101\102" == "AB"
# Quotation marks can be entered by escaping them,
# e.g. "foo\"bar"
#
# A note on security: The security of the RADIUS protocol
# depends COMPLETELY on this secret! We recommend using a
# shared secret that is composed of:
#
# upper case letters
# lower case letters
# numbers
#
# And is at LEAST 8 characters long, preferably 16 characters in
# length. The secret MUST be random, and should not be words,
# phrase, or anything else that is recognisable.
#
# The default secret below is only for testing, and should
# not be used in any real environment.
#
secret = testing123
#
# Old-style clients do not send a Message-Authenticator
# in an Access-Request. RFC 5080 suggests that all clients
# SHOULD include it in an Access-Request. The configuration
# item below allows the server to require it. If a client
# is required to include a Message-Authenticator and it does
# not, then the packet will be silently discarded.
#
# allowed values: yes, no
require_message_authenticator = no
#
# The short name is used as an alias for the fully qualified
# domain name, or the IP address.
#
# It is accepted for compatibility with 1.x, but it is no
# longer necessary in >= 2.0
#
# shortname = localhost
#
# the following three fields are optional, but may be used by
# checkrad.pl for simultaneous use checks
#
#
# The nas_type tells 'checkrad.pl' which NAS-specific method to
# use to query the NAS for simultaneous use.
#
# Permitted NAS types are:
#
# cisco
# computone
# livingston
# juniper
# max40xx
# multitech
# netserver
# pathras
# patton
# portslave
# tc
# usrhiper
# other # for all other types
#
nas_type = other # localhost isn't usually a NAS...
#
# The following two configurations are for future use.
# The 'naspasswd' file is currently used to store the NAS
# login name and password, which is used by checkrad.pl
# when querying the NAS for simultaneous use.
#
# login = !root
# password = someadminpas
#
# As of 2.0, clients can also be tied to a virtual server.
# This is done by setting the "virtual_server" configuration
# item, as in the example below.
#
# virtual_server = home1
#
# A pointer to the "home_server_pool" OR a "home_server"
# section that contains the CoA configuration for this
# client. For an example of a coa home server or pool,
# see raddb/sites-available/originate-coa
# coa_server = coa
#
# Response window for proxied packets. If non-zero,
# then the lower of (home, client) response_window
# will be used.
#
# i.e. it can be used to lower the response_window
# packets from one client to a home server. It cannot
# be used to raise the response_window.
#
# response_window = 10.0
#
# Connection limiting for clients using "proto = tcp".
#
# This section is ignored for clients sending UDP traffic
#
limit {
#
# Limit the number of simultaneous TCP connections from a client
#
# The default is 16.
# Setting this to 0 means "no limit"
max_connections = 16
# The per-socket "max_requests" option does not exist.
#
# The lifetime, in seconds, of a TCP connection. After
# this lifetime, the connection will be closed.
#
# Setting this to 0 means "forever".
lifetime = 0
#
# The idle timeout, in seconds, of a TCP connection.
# If no packets have been received over the connection for
# this time, the connection will be closed.
#
# Setting this to 0 means "no timeout".
#
# We STRONGLY RECOMMEND that you set an idle timeout.
#
idle_timeout = 30
}
}
# IPv6 Client
client localhost_ipv6 {
ipv6addr = ::1
secret = testing123
}
# All IPv6 Site-local clients
#client sitelocal_ipv6 {
# ipv6addr = fe80::/16
# secret = testing123
#}
#client example.org {
# ipaddr = radius.example.org
# secret = testing123
#}
#
# You can now specify one secret for a network of clients.
# When a client request comes in, the BEST match is chosen.
# i.e. The entry from the smallest possible network.
#
#client private-network-1 {
# ipaddr = 192.0.2.0/24
# secret = testing123-1
#}
#client private-network-2 {
# ipaddr = 198.51.100.0/24
# secret = testing123-2
#}
#######################################################################
#
# Per-socket client lists. The configuration entries are exactly
# the same as above, but they are nested inside of a section.
#
# You can have as many per-socket client lists as you have "listen"
# sections, or you can re-use a list among multiple "listen" sections.
#
# Un-comment this section, and edit a "listen" section to add:
# "clients = per_socket_clients". That IP address/port combination
# will then accept ONLY the clients listed in this section.
#
# There are additional considerations when using clients from SQL.
#
# A client can be link to a virtual server via modules such as SQL.
# This link is done via the following process:
#
# If there is no listener in a virtual server, SQL clients are added
# to the global list for that virtual server.
#
# If there is a listener, and the first listener does not have a
# "clients=..." configuration item, SQL clients are added to the
# global list.
#
# If there is a listener, and the first one does have a "clients=..."
# configuration item, SQL clients are added to that list. The client
# { ...} ` configured in that list are also added for that listener.
#
# The only issue is if you have multiple listeners in a virtual
# server, each with a different client list, then the SQL clients are
# added only to the first listener.
#
#clients per_socket_clients {
# client socket_client {
# ipaddr = 192.0.2.4
# secret = testing123
# }
#}
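Review bot: `secret = testing123` and `require_message_authenticator = no` are shipped uncommented and live for both `client localhost` and `client localhost_ipv6`, while the comments directly above say the default secret "should not be used in any real environment" and that RFC 5080 clients SHOULD send Message-Authenticator. Since this is being committed as the default configuration, either comment the localhost clients out (as the file header itself suggests for installs that will not accept queries from localhost) or at least require the Message-Authenticator for clients known to send it, and state plainly that the secret must be replaced before deployment. Two comment errors: `#client sitelocal_ipv6` with `ipv6addr = fe80::/16` is labelled "All IPv6 Site-local clients", but fe80::/10 is the link-local range (site-local was fec0::/10 and is deprecated); and `proto = *` is set while the comment above it only documents "udp" and "tcp", so say what `*` means. Minor: "entered vi octal encoding", "A client can be link to a virtual server", and the stray backtick in "client { ...} ` configured in that list".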


@ -0,0 +1,49 @@
#
# This is the local dictionary file which can be
# edited by local administrators. It will be loaded
# AFTER the main dictionary files are loaded.
#
# As of version 3.0.2, FreeRADIUS will automatically
# load the main dictionary files from
#
# ${prefix}/share/freeradius/dictionary
#
# It is no longer necessary for this file to $INCLUDE
# the main dictionaries. However, if the $INCLUDE
# line is here, nothing bad will happen.
#
# Any new/changed attributes MUST be placed in this file.
# The pre-defined dictionaries SHOULD NOT be edited.
#
# See "man dictionary" for documentation on its format.
#
# $Id: eed5d70f41b314f9ed3f006a22d9f9a2be2c9516 $
#
#
# All local attributes and $INCLUDE's should go into
# this file.
#
# If you want to add entries to the dictionary file,
# which are NOT going to be placed in a RADIUS packet,
# add them to the 'dictionary.local' file.
#
# The numbers you pick should be between 3000 and 4000.
# These attributes will NOT go into a RADIUS packet.
#
# If you want that, you will need to use VSAs. This means
# requesting allocation of a Private Enterprise Code from
# http://iana.org. We STRONGLY suggest doing that only if
# you are a vendor of RADIUS equipment.
#
# See RFC 6158 for more details.
# http://ietf.org/rfc/rfc6158.txt
#
#
# These attributes are examples
#
#ATTRIBUTE My-Local-String 3000 string
#ATTRIBUTE My-Local-IPAddr 3001 ipaddr
#ATTRIBUTE My-Local-Integer 3002 integer
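Review bot: the guidance on where local entries go contradicts itself. The header says this is "the local dictionary file which can be edited by local administrators" and that "Any new/changed attributes MUST be placed in this file", but the next block tells the reader to "add them to the 'dictionary.local' file" for attributes that are not going into a RADIUS packet. Either state that this file is dictionary.local, or name the intended second file and where it lives, so administrators do not define attributes in the wrong place. The commented examples (`#ATTRIBUTE My-Local-String 3000 string`) would also be clearer with a one-line reminder that they are internal-only, matching the 3000-4000 range described above.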


@ -0,0 +1,116 @@
#
# This file contains the configuration for experimental modules.
#
# By default, it is NOT included in the build.
#
# $Id: 87d9744a4f0fa7b9b06b4908ddd6b7d2f1a7fd62 $
#
# Configuration for the Python module.
#
# Where radiusd is a Python module, radiusd.py, and the
# function 'authorize' is called. Here is a dummy piece
# of code:
#
# def authorize(params):
# print params
# return (5, ('Reply-Message', 'banned'))
#
# The RADIUS value-pairs are passed as a tuple of tuple
# pairs as the first argument, e.g. (('attribute1',
# 'value1'), ('attribute2', 'value2'))
#
# The function return is a tuple with the first element
# being the return value of the function.
# The 5 corresponds to RLM_MODULE_USERLOCK. I plan to
# write the return values as Python symbols to avoid
# confusion.
#
# The remaining tuple members are the string form of
# value-pairs which are passed on to pairmake().
#
python {
mod_instantiate = radiusd_test
func_instantiate = instantiate
mod_authorize = radiusd_test
func_authorize = authorize
mod_accounting = radiusd_test
func_accounting = accounting
mod_pre_proxy = radiusd_test
func_pre_proxy = pre_proxy
mod_post_proxy = radiusd_test
func_post_proxy = post_proxy
mod_post_auth = radiusd_test
func_post_auth = post_auth
mod_recv_coa = radiusd_test
func_recv_coa = recv_coa
mod_send_coa = radiusd_test
func_send_coa = send_coa
mod_detach = radiusd_test
func_detach = detach
}
# Configuration for the example module. Uncommenting it will cause it
# to get loaded and initialised, but should have no real effect as long
# it is not referenced in one of the autz/auth/preacct/acct sections
example {
# Boolean variable.
# allowed values: {no, yes}
boolean = yes
# An integer, of any value.
integer = 16
# A string.
string = "This is an example configuration string"
# An IP address, either in dotted quad (1.2.3.4) or hostname
# (example.com)
ipaddr = 127.0.0.1
# A subsection
mysubsection {
anotherinteger = 1000
# They nest
deeply nested {
string = "This is a different string"
}
}
}
#
# To create a dbm users file, do:
#
# cat test.users | rlm_dbm_parser -f /etc/raddb/users_db
#
# Then add 'dbm' in 'authorize' section.
#
# Note that even if the file has a ".db" or ".dbm" extension,
# you may have to specify it here without that extension. This
# is because the DBM libraries "helpfully" add a ".db" to the
# filename, but don't check if it's already there.
#
dbm {
usersfile = ${confdir}/users_db
}
# Instantiate a couple instances of the idn module
idn {
}
# ...more commonly known as...
idn idna {
}
idn idna_lenient {
UseSTD3ASCIIRules = no
}
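Review bot: the dummy `authorize` in the header comment uses the Python 2 statement form `print params`; under a Python 3 build of rlm_python that line is a syntax error, and `print(params)` behaves the same on both, so the example should use it. Every `mod_*` item also points at the same module name `radiusd_test` without saying where that file has to live; since a module that cannot be imported makes instantiation fail, the comment should name the lookup path. The remark `I plan to write the return values as Python symbols` is a personal TODO that reads oddly in a shipped config and should be reworded or dropped.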


@ -0,0 +1 @@
./mods-config/preprocess/hints


@ -0,0 +1 @@
./mods-config/preprocess/huntgroups


@ -0,0 +1,116 @@
Modules in Version 3
====================
As of Version 3, all of the modules have been placed in the
"mods-available/" directory. This practice follows that used by other
servers such as Nginx, Apache, etc. The "modules" directory should
not be used.
Modules are enabled by creating a file in the mods-enabled/ directory.
You can also create a soft-link from one directory to another::
$ cd raddb/mods-enabled
$ ln -s ../mods-available/foo
This will enable module "foo". Be sure that you have configured the
module correctly before enabling it, otherwise the server will not
start. You can verify the server configuration by running
"radiusd -XC".
A large number of modules are enabled by default. This allows the
server to work with the largest number of authentication protocols.
Please be careful when disabling modules. You will likely need to
edit the "sites-enabled/" files to remove references to any disabled
modules.
Conditional Modules
-------------------
Version 3 allows modules to be conditionally loaded. This is useful
when you want to have a virtual server which references a module, but
does not require it. Instead of editing the virtual server file, you
can just conditionally enable the module.
Modules are conditionally enabled by adding a "-" before their name in
a virtual server. For example, you can do::
server {
authorize {
...
ldap
-sql
...
}
}
This says "require the LDAP module, but use the SQL module only if it
is configured."
This feature is not very useful for production configurations. It is,
however, very useful for the default examples that ship with the
server.
Ignoring module
---------------
If you see this message::
Ignoring module (see raddb/mods-available/README.rst)
Then you are in the right place. Most of the time this message can be
ignored. The message can be fixed by finding the references to "-module"
in the virtual server, and deleting them.
Another way to fix it is to configure the module, as described above.
Simplification
--------------
Allowing conditional modules simplifies the default virtual servers
that are shipped with FreeRADIUS. This means that if you want to
enable LDAP (for example), you no longer need to edit the files in
raddb/sites-available/ in order to enable it.
Instead, you should edit the raddb/mods-available/ldap file to point
to your local LDAP server. Then, enable the module via the soft-link
method described above.
Once the module is enabled, it will automatically be used in the
default configuration.
Multiple Instances
------------------
It is sometimes necessary to have the same module do two different
things. The server supports this functionality via "instances" of
modules.
Normally, a module configuration looks like this:
sql {
... sql stuff ...
}
This module is then refereed to as the "sql" module.
But what happens if you want to connect to two different SQL
databases? The solution is simple; copy the "sql" module
configuration, and add an instance name after the "sql" string:
sql mysql1 {
... configuration for connecting to mysql11 ...
}
sql mysql2 {
... configuration for connecting to mysql12 ...
}
This configuration says "load the SQL module, but create two copies of
it, with different configurations". The different configurations can
be referred to by name, as "mysql1" and "mysql2". That is, anywhere
you would normally use "sql", you could use either "mysql1" or
"mysql2".
For further examples of using module instances, see the "attr_filter"
module configuration in this directory.
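Review bot: two rendering problems in the "Multiple Instances" section: `Normally, a module configuration looks like this:` and `...add an instance name after the "sql" string:` end in a single colon, so the `sql { ... }` examples after them will not render as literal blocks in rst; the earlier sections correctly use `::`. Also `This module is then refereed to as the "sql" module.` should read "referred", and the placeholders `mysql11` and `mysql12` inside the two instances look like they were meant to be `mysql1` and `mysql2`, matching the instance names the next paragraph refers to.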


@ -0,0 +1,15 @@
# -*- text -*-
##
## Module for PSK authorizations from ABFAB trust router
##
## $Id: d75130da8a9faeb9712619bf49e68afadc30b73a $
sql psksql {
driver = "rlm_sql_sqlite"
sqlite {
filename = "/var/lib/trust_router/keys"
}
}


@ -0,0 +1,81 @@
# -*- text -*-
#
# $Id: b77d00c55d46741a3ca1cfc135dee4615466e912 $
#
# The "always" module is here for debugging purposes, or
# for use in complex policies.
# Instance simply returns the same result, always, without
# doing anything.
#
# rcode may be one of the following values:
# - reject - Reject the user.
# - fail - Simulate or indicate a failure.
# - ok - Simulate or indicate a success.
# - handled - Indicate that the request has been handled,
# stop processing, and send response if set.
# - invalid - Indicate that the request is invalid.
# - userlock - Indicate that the user account has been
# locked out.
# - notfound - Indicate that a user account can't be found.
# - noop - Simulate a no-op.
# - updated - Indicate that the request has been updated.
#
# If an instance is listed in a session {} section,
# this simulates a user having <integer> sessions.
#
# simulcount = <integer>
#
# If an instance is listed in a session {} section,
# this simulates the user having multilink
# sessions.
#
# mpp = <integer>
#
# An xlat based on the instance name can be called to change the status
# returned by the instance, in this example "always db_status { ... }"
#
# Force the module status to be alive or dead:
#
# %{db_status:alive}
# %{db_status:dead}
#
# Update the rcode returned by an alive module (a dead module returns fail):
#
# %{db_status:ok}
# %{db_status:fail}
# %{db_status:notfound}
# ...
#
# The above xlats expand to the current status of the module. To fetch the
# current status without affecting it call the xlat with an empty argument:
#
# %{db_status:}
#
always reject {
rcode = reject
}
always fail {
rcode = fail
}
always ok {
rcode = ok
}
always handled {
rcode = handled
}
always invalid {
rcode = invalid
}
always userlock {
rcode = userlock
}
always notfound {
rcode = notfound
}
always noop {
rcode = noop
}
always updated {
rcode = updated
}


@ -0,0 +1,61 @@
# -*- text -*-
#
# $Id: a23d3c0f11267a6c0f1afca599f71a6a76c49a1a $
#
# This file defines a number of instances of the "attr_filter" module.
#
# attr_filter - filters the attributes received in replies from
# proxied servers, to make sure we send back to our RADIUS client
# only allowed attributes.
attr_filter attr_filter.post-proxy {
key = "%{Realm}"
filename = ${modconfdir}/${.:name}/post-proxy
}
# attr_filter - filters the attributes in the packets we send to
# the RADIUS home servers.
attr_filter attr_filter.pre-proxy {
key = "%{Realm}"
filename = ${modconfdir}/${.:name}/pre-proxy
}
# Enforce RFC requirements on the contents of Access-Reject
# packets. See the comments at the top of the file for
# more details.
#
attr_filter attr_filter.access_reject {
key = "%{User-Name}"
filename = ${modconfdir}/${.:name}/access_reject
}
# Enforce RFC requirements on the contents of Access-Challenge
# packets. See the comments at the top of the file for
# more details.
#
attr_filter attr_filter.access_challenge {
key = "%{User-Name}"
filename = ${modconfdir}/${.:name}/access_challenge
}
# Enforce RFC requirements on the contents of the
# Accounting-Response packets. See the comments at the
# top of the file for more details.
#
attr_filter attr_filter.accounting_response {
key = "%{User-Name}"
filename = ${modconfdir}/${.:name}/accounting_response
}
#
# Enforce CoA or Disconnect packets.
#
# Note that you MUST edit the "coa" file below for your
# local configuration. Add in any attributes needed by the NAS.
#
attr_filter attr_filter.coa {
key = "%{User-Name}"
filename = ${modconfdir}/${.:name}/coa
}
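Review bot: the three instances for Access-Reject, Access-Challenge and Accounting-Response each say `See the comments at the top of the file for more details`, but the top of this file only carries the two-line description of attr_filter; the comments being referred to are presumably in the rule files under `${modconfdir}/attr_filter/`, so the sentence should name that location. Likewise `you MUST edit the "coa" file below` points at `${modconfdir}/${.:name}/coa`, not at anything below in this file.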


@ -0,0 +1,132 @@
# -*- text -*-
#
# $Id: 8bd4730cf570fdfedc9c516dc6974eab39981600 $
#
# A module to cache attributes. The idea is that you can look
# up information in a database, and then cache it. Repeated
# requests for the same information will then have the cached
# values added to the request.
#
# The module can cache a fixed set of attributes per key.
# It can be listed in "authorize", "post-auth", "pre-proxy"
# and "post-proxy".
#
# If you want different things cached for authorize and post-auth,
# you will need to define two instances of the "cache" module.
#
# The module returns "ok" if it found or created a cache entry.
# The module returns "updated" if it merged a cached entry.
# The module returns "noop" if it did nothing.
# The module returns "fail" on error.
#
cache {
# The backend datastore used to store the cache entries.
# Current datastores are
# rlm_cache_rbtree - An in memory, non persistent rbtree based datastore.
# Useful for caching data locally.
# rlm_cache_memcached - A non persistent "webscale" distributed datastore.
# Useful if the cached data need to be shared between
# a cluster of RADIUS servers.
# driver = "rlm_cache_rbtree"
#
# Some drivers accept specific options, to set them a
# config section with the the name as the driver should be added
# to the cache instance.
#
# Driver specific options are:
#
# memcached {
# # Memcached configuration options, as documented here:
# # http://docs.libmemcached.org/libmemcached_configuration.html#memcached
# options = "--SERVER=localhost"
#
# pool {
# start = ${thread[pool].start_servers}
# min = ${thread[pool].min_spare_servers}
# max = ${thread[pool].max_servers}
# spare = ${thread[pool].max_spare_servers}
# uses = 0
# lifetime = 0
# idle_timeout = 60
# }
# }
# The key used to index the cache. It is dynamically expanded
# at run time.
key = "%{User-Name}"
# The TTL of cache entries, in seconds. Entries older than this
# will be expired.
#
# This value should be between 10 and 86400.
ttl = 10
# If yes the following attributes will be added to the request:
# * &request:Cache-Entry-Hits - The number of times this entry
# has been retrieved.
#
# Note: Not supported by the rlm_cache_memcached module.
add_stats = no
#
# The list of attributes to cache for a particular key.
#
# Each key gets the same set of cached attributes. The attributes
# are dynamically expanded at run time.
#
# The semantics of this construct are identical to an unlang
# update block, except the left hand side of the expression
# represents the cache entry. see man unlang for more information
# on update blocks.
#
# Note: Only request, reply, control and session-state lists
# are available in cache entries. Attempting to store attributes
# in other lists will raise an error during config validation.
#
update {
# <list>:<attribute> <op> <value>
# Cache all instances of Reply-Message in the reply list
&reply:Reply-Message += &reply:Reply-Message[*]
# Add our own to show when the cache was last updated
&reply:Reply-Message += "Cache last updated at %t"
&reply:Class := "%{randstr:ssssssssssssssssssssssssssssssss}"
}
# This module supports a number of runtime configuration parameters
# represented by attributes in the &control: list.
#
# &control:Cache-TTL - Sets the TTL of an entry to be created, or
# modifies the TTL of an existing entry.
# - Setting a Cache-TTL of > 0 means set the TTL of the entry to
# the new value (and reset the expiry timer).
# - Setting a Cache-TTL of < 0 means expire the existing entry
# (without merging) and create a new one with TTL set to
# value * -1.
# - Setting a Cache-TTL of 0 means expire the existing entry
# (without merging) and don't create a new one.
#
# &control:Cache-Status-Only - If present and set to 'yes' will
# prevent a new entry from being created, and existing entries from
# being merged. It will also alter the module's return codes.
# - The module will return "ok" if a cache entry was found.
# - The module will return "notfound" if no cache entry was found.
#
# &control:Cache-Read-Only - If present and set to 'yes' will
# prevent a new entry from being created, but will allow existing
# entries to be merged. It will also alter the module's return codes.
# - The module will return "updated" if a cache entry was found.
# - The module will return "notfound" if no cache was found.
#
# &control:Cache-Merge - If present and set to 'yes' will merge new
# cache entries into the current request. Useful if results
# of execs or expansions are stored directly in the cache.
#
# All runtime configuration attributes will be removed from the
# &control: list after the cache module is called.
}
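Review bot: `# driver = "rlm_cache_rbtree"` is commented out with no statement that rbtree is the default, so a reader cannot tell whether the instance works without uncommenting it; add "(default)" to the comment. Doubled word in `a config section with the the name as the driver`, and `see man unlang` should start a sentence with a capital. The `ttl = 10` default sits at the bottom of the `between 10 and 86400` range stated just above it; a sentence on why 10 seconds is the chosen example would help, since the header says entries are meant to avoid repeated database lookups.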


@ -0,0 +1,13 @@
#
# Cache EAP responses for resiliency on intermediary proxy fail-over
#
cache cache_eap {
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
update reply {
reply: += &reply:
&control:State := &request:State
}
}


@ -0,0 +1,11 @@
# -*- text -*-
#
# $Id: e2a3cd3b110ffffdbcff86c7fc65a9275ddc3379 $
# CHAP module
#
# To authenticate requests containing a CHAP-Password attribute.
#
chap {
# no configuration
}


@ -0,0 +1,205 @@
couchbase {
#
# List of Couchbase hosts (hosts may be space, tab, comma or semi-colon separated).
# Ports are optional if servers are listening on the standard port.
# Complete pool urls are preferred.
#
server = "http://cb01.blargs.com:8091/pools/ http://cb04.blargs.com:8091/pools/"
# Couchbase bucket name
bucket = "radius"
# Couchbase bucket password (optional)
#password = "password"
# Couchbase accounting document key (unlang supported)
acct_key = "radacct_%{%{Acct-Unique-Session-Id}:-%{Acct-Session-Id}}"
# Value for the 'docType' element in the json body for accounting documents
doctype = "radacct"
## Accounting document expire time in seconds (0 = never)
expire = 2592000
#
# Map attribute names to json element names for accounting.
#
# Configuration items are in the format:
# <radius attribute> = '<element name>'
#
# Element names should be single quoted.
#
# Note: Attributes not in this map will not be recorded.
#
update {
Acct-Session-Id = 'sessionId'
Acct-Unique-Session-Id = 'uniqueId'
Acct-Status-Type = 'lastStatus'
Acct-Authentic = 'authentic'
User-Name = 'userName'
Stripped-User-Name = 'strippedUserName'
Stripped-User-Domain = 'strippedUserDomain'
Realm = 'realm'
NAS-IP-Address = 'nasIpAddress'
NAS-Identifier = 'nasIdentifier'
NAS-Port = 'nasPort'
Called-Station-Id = 'calledStationId'
Called-Station-SSID = 'calledStationSSID'
Calling-Station-Id = 'callingStationId'
Framed-Protocol = 'framedProtocol'
Framed-IP-Address = 'framedIpAddress'
NAS-Port-Type = 'nasPortType'
Connect-Info = 'connectInfo'
Acct-Session-Time = 'sessionTime'
Acct-Input-Packets = 'inputPackets'
Acct-Output-Packets = 'outputPackets'
Acct-Input-Octets = 'inputOctets'
Acct-Output-Octets = 'outputOctets'
Acct-Input-Gigawords = 'inputGigawords'
Acct-Output-Gigawords = 'outputGigawords'
Event-Timestamp = 'lastUpdated'
}
# Couchbase document key for user documents (unlang supported)
user_key = "raduser_%{md5:%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}}"
# Set to 'yes' to read radius clients from the Couchbase view specified below.
# NOTE: Clients will ONLY be read on server startup.
#read_clients = no
#
# Map attribute names to json element names when loading clients.
#
# Configuration follows the same rules as the accounting map above.
#
client {
# Couchbase view that should return all available client documents.
view = "_design/client/_view/by_id"
#
# Sets default values (not obtained from couchbase) for new client entries
#
template {
# login = 'test'
# password = 'test'
# proto = tcp
# require_message_authenticator = yes
# Uncomment to add a home_server with the same
# attributes as the client.
# coa_server {
# response_window = 2.0
# }
}
#
# Client mappings are in the format:
# <client attribute> = '<element name>'
#
# Element names should be single quoted.
#
# The following attributes are required:
# * ipaddr | ipv4addr | ipv6addr - Client IP Address.
# * secret - RADIUS shared secret.
#
# All attributes usually supported in a client
# definition are also supported here.
#
attribute {
ipaddr = 'clientIdentifier'
secret = 'clientSecret'
shortname = 'clientShortname'
nas_type = 'nasType'
virtual_server = 'virtualServer'
require_message_authenticator = 'requireMessageAuthenticator'
limit {
max_connections = 'maxConnections'
lifetime = 'clientLifetime'
idle_timeout = 'idleTimeout'
}
}
}
# Set to 'yes' to enable simultaneous use checking (multiple logins).
# NOTE: This will cause the execution of a view request on every check
# and may be a performance penalty.
# check_simul = no
# Couchbase view that should return all account documents keyed by username.
# simul_view = "_design/acct/_view/by_user"
# The key to the above view.
# NOTE: This will need to match EXACTLY what you emit from your view.
# simul_vkey = "%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}"
# Set to 'yes' to enable verification of the results returned from the above view.
# NOTE: This may be an additional performance penalty to the actual check and
# should be avoided unless absolutely neccessary.
# verify_simul = no
# Remove stale session if checkrad does not see a double login.
# NOTE: This will only be executed if both check_simul and verify_simul
# are set to 'yes' above.
# delete_stale_sessions = yes
#
# The connection pool is new for 3.0, and will be used in many
# modules, for all kinds of connection-related activity.
#
pool {
# Connections to create during module instantiation.
# If the server cannot create specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# couchbase being available.
start = ${thread[pool].start_servers}
# Minimum number of connections to keep open
min = ${thread[pool].min_spare_servers}
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like 'No connections available and at max connection limit'
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
max = ${thread[pool].max_servers}
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
spare = ${thread[pool].max_spare_servers}
# Number of uses before the connection is closed
#
# 0 means "infinite"
uses = 0
# The lifetime (in seconds) of the connection
#
# NOTE: A setting of 0 means infinite (no limit).
lifetime = 0
# The idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
#
# NOTE: A setting of 0 means infinite (no timeout).
idle_timeout = 1200
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
}
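Review bot: the `client { attribute { ... } }` map stores RADIUS shared secrets in the bucket (`secret = 'clientSecret'`) while the example `server` line uses plain `http://` pool URLs on placeholder hosts (`cb01.blargs.com`) next to a commented `#password = "password"`; the comments should say that the bucket must be access-restricted and that the example hostnames and password are placeholders to replace. This is also the only file in the set without the `# -*- text -*-` and `$Id` header the other mods-available files carry. Typo: `neccessary` in the verify_simul comment.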


@ -0,0 +1,82 @@
# -*- text -*-
#
# $Id: a5ac1e60ef117a2c59ace1a9d061d8f70d1da538 $
# counter module:
# This module takes an attribute (count-attribute).
# It also takes a key, and creates a counter for each unique
# key. The count is incremented when accounting packets are
# received by the server. The value of the increment depends
# on the attribute type.
# If the attribute is Acct-Session-Time or of an integer type we add
# the value of the attribute. If it is anything else we increase the
# counter by one.
#
# The 'reset' parameter defines when the counters are all reset to
# zero. It can be hourly, daily, weekly, monthly or never.
#
# hourly: Reset on 00:00 of every hour
# daily: Reset on 00:00:00 every day
# weekly: Reset on 00:00:00 on sunday
# monthly: Reset on 00:00:00 of the first day of each month
#
# It can also be user defined. It should be of the form:
# num[hdwm] where:
# h: hours, d: days, w: weeks, m: months
# If the letter is omitted days will be assumed. In example:
# reset = 10h (reset every 10 hours)
# reset = 12 (reset every 12 days)
#
#
# The check_name attribute defines an attribute which will be
# registered by the counter module and can be used to set the
# maximum allowed value for the counter after which the user
# is rejected.
# Something like:
#
# DEFAULT Max-Daily-Session := 36000
# Fall-Through = 1
#
# You should add the counter module in the instantiate
# section so that it registers check_name before the files
# module reads the users file.
#
# If check_name is set and the user is to be rejected then we
# send back a Reply-Message and we log a Failure-Message in
# the radius.log
#
# If the count attribute is Acct-Session-Time then on each
# login we send back the remaining online time as a
# Session-Timeout attribute ELSE and if the reply_name is
# set, we send back that attribute. The reply_name attribute
# MUST be of an integer type.
#
# The counter-name can also be used instead of using the check_name
# like below:
#
# DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject
# Reply-Message = "You've used up more than one hour today"
#
# The allowed_service_type attribute can be used to only take
# into account specific sessions. For example if a user first
# logs in through a login menu and then selects ppp there will
# be two sessions. One for Login-User and one for Framed-User
# service type. We only need to take into account the second one.
#
# The module should be added in the instantiate, authorize and
# accounting sections. Make sure that in the authorize
# section it comes after any module which sets the
# 'check_name' attribute.
#
counter daily {
filename = ${db_dir}/db.daily
key = User-Name
count_attribute = Acct-Session-Time
reset = daily
counter_name = Daily-Session-Time
check_name = Max-Daily-Session
reply_name = Session-Timeout
allowed_service_type = Framed-User
cache_size = 5000
}
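Review bot: `In example:` should read `For example:`, and `on sunday` should be `on Sunday`. The comment `You should add the counter module in the instantiate section so that it registers check_name before the files module reads the users file` predates the mods-enabled layout this commit's README describes; since the ordering requirement is the whole point of that comment, it should state whether listing `daily` in `instantiate` is still required for `Max-Daily-Session` to be registered before the files module loads.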


@ -0,0 +1,53 @@
# -*- text -*-
#
# $Id: 54842d4106800babe8db1d58d2e8b7a5cad017db $
#
# Write Chargeable-User-Identity to the database.
#
# Schema raddb/mods-config/sql/cui/<DB>/schema.sql
# Queries raddb/mods-config/sql/cui/<DB>/queries.conf
#
sql cuisql {
# The dialect of SQL you want to use, this should usually match
# the driver below.
#
# If you're using rlm_sql_null, then it should be the type of
# database the logged queries are going to be executed against.
dialect = "sqlite"
# The sub-module to use to execute queries. This should match
# the database you're attempting to connect to.
#
# There are CUI queries available for:
# * rlm_sql_mysql
# * rlm_sql_postgresql
# * rlm_sql_sqlite
# * rlm_sql_null (log queries to disk)
#
driver = "rlm_sql_${dialect}"
sqlite {
filename = ${radacctdir}/cui.sqlite
bootstrap = ${modconfdir}/${..:name}/cui/sqlite/schema.sql
}
# Write CUI queries to a logfile. Useful for debugging.
# logfile = ${logdir}/cuilog.sql
pool {
start = 5
min = 4
max = 10
spare = 3
uses = 0
lifetime = 0
idle_timeout = 60
}
cui_table = "cui"
sql_user_name = "%{User-Name}"
$INCLUDE ${modconfdir}/${.:name}/cui/${dialect}/queries.conf
}
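Review bot: the `pool` block hardcodes `start = 5`, `min = 4`, `max = 10`, `spare = 3`, whereas the couchbase and cache examples derive these from `${thread[pool].start_servers}` and friends; a fixed `max = 10` below the configured thread count invites exactly the `No connections available and at max connection limit` starvation the couchbase file warns about. Suggest the same `${thread[pool]...}` references here for consistency.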


@ -0,0 +1,35 @@
#
# Registers xlat to convert between time formats.
#
# xlat input string is an attribute name. If this attribute is of date
# or integer type, the date xlat will convert it to a time string in
# the format of the format config item.
#
# If the attribute is a string type, date will attempt to parse it in
# the format specified by the format config item, and will expand
# to a Unix timestamp.
#
date {
format = "%b %e %Y %H:%M:%S %Z"
# Use UTC instead of local time.
#
# default = no
# utc = yes
}
#
# The WISPr-Session-Terminate-Time attribute is of type "string",
# and not "date". Use this expansion to create an attribute
# that holds an actual date:
#
# Tmp-Date-0 := "%{wispr2date:&reply:WISPr-Session-Terminate-Time}"
#
date wispr2date {
format = "%Y-%m-%dT%H:%M:%S"
# Use UTC instead of local time.
#
# default = no
# utc = yes
}


@ -0,0 +1,109 @@
# -*- text -*-
#
# $Id: ccf65f9c839a6d9ea35fae4d9cd208ddca1a0acd $
# Write a detailed log of all accounting records received.
#
detail {
# Note that we do NOT use NAS-IP-Address here, as
# that attribute MAY BE from the originating NAS, and
# NOT from the proxy which actually sent us the
# request.
#
# The following line creates a new detail file for
# every radius client (by IP address or hostname).
# In addition, a new detail file is created every
# day, so that the detail file doesn't have to go
# through a 'log rotation'
#
# If your detail files are large, you may also want to add
# a ':%H' (see doc/configuration/variables.rst) to the end
# of it, to create a new detail file every hour, e.g.:
#
# ..../detail-%Y%m%d:%H
#
# This will create a new detail file for every hour.
#
# If you are reading detail files via the "listen" section
# (e.g. as in raddb/sites-available/robust-proxy-accounting),
# you MUST use a unique directory for each combination of a
# detail file writer, and reader. That is, there can only
# be ONE "listen" section reading detail files from a
# particular directory.
#
# The configuration below puts the detail files into separate
# directories for each client. If you are reading the detail
# files via the "listen" section, just use one directory.
#
# e.g. filename = ${radacctdir}/reader1/detail-%Y%m%d
#
# AND use a separate directory (reader2, reader3, etc.) for each
# reader.
#
filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
#
# If you are using radrelay, delete the above line for "file",
# and use this one instead:
#
# filename = ${radacctdir}/detail
#
# Most file systems can handly nearly the full range of UTF-8
# characters. Ones that can deal with a limited range should
# set this to "yes".
#
escape_filenames = no
#
# The Unix-style permissions on the 'detail' file.
#
# The detail file often contains secret or private
# information about users. So by keeping the file
# permissions restrictive, we can prevent unwanted
# people from seeing that information.
permissions = 0600
# The Unix group of the log file.
#
# The user that the server runs as must be in the specified
# system group otherwise this will fail to work.
#
# group = ${security.group}
#
# Every entry in the detail file has a header which
# is a timestamp. By default, we use the ctime
# format (see "man ctime" for details).
#
# The header can be customised by editing this
# string. See "doc/configuration/variables.rst" for a
# description of what can be put here.
#
header = "%t"
#
# Uncomment this line if the detail file reader will be
# reading this detail file.
#
# locking = yes
#
# Log the Packet src/dst IP/port. This is disabled by
# default, as that information isn't used by many people.
#
# log_packet_header = yes
#
# Certain attributes such as User-Password may be
# "sensitive", so they should not be printed in the
# detail file. This section lists the attributes
# that should be suppressed.
#
# The attributes should be listed one to a line.
#
#suppress {
# User-Password
#}
}
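Review bot: `If you are using radrelay, delete the above line for "file"` names the item by its deprecated spelling; the line above is `filename`, which the upgrade notes list as the unified name. Typo: `handly` should be `handle` in the escape_filenames comment. The security-relevant defaults are sound as written: `permissions = 0600` and a `filename` keyed on `Packet-Src-IP-Address` rather than on a client-supplied attribute, so a NAS cannot influence the path.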


@ -0,0 +1,27 @@
# -*- text -*-
#
# Detail file writer, used in the following examples:
#
# raddb/sites-available/robust-proxy-accounting
# raddb/sites-available/decoupled-accounting
#
# Note that this module can write detail files that are read by
# only ONE "listen" section. If you use BOTH of the examples
# above, you will need to define TWO "detail" modules.
#
# e.g. detail1.example.com && detail2.example.com
#
#
# We write *multiple* detail files here. They will be processed by
# the detail "listen" section in the order that they were created.
# The directory containing these files should NOT be used for any
# other purposes. i.e. It should have NO other files in it.
#
# Writing multiple detail enables the server to process the pieces
# in smaller chunks. This helps in certain catastrophic corner cases.
#
# $Id: 827cdf57e70dc2ff2252016194f4bb846eecead2 $
#
detail detail.example.com {
filename = ${radacctdir}/detail.example.com/detail-%Y%m%d:%H:%G
}


@ -0,0 +1,75 @@
# -*- text -*-
#
# $Id: b91cf7cb24744ee96e390aa4d7bd5f3ad4c0c0ee $
#
# More examples of doing detail logs.
#
# Many people want to log authentication requests.
# Rather than modifying the server core to print out more
# messages, we can use a different instance of the 'detail'
# module, to log the authentication requests to a file.
#
# You will also need to un-comment the 'auth_log' line
# in the 'authorize' section, below.
#
detail auth_log {
filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
permissions = 0600
# You may also strip out passwords completely
suppress {
User-Password
}
}
#
# This module logs authentication reply packets sent
# to a NAS. Both Access-Accept and Access-Reject packets
# are logged.
#
# You will also need to un-comment the 'reply_log' line
# in the 'post-auth' section, below.
#
detail reply_log {
filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
permissions = 0600
}
#
# This module logs packets proxied to a home server.
#
# You will also need to un-comment the 'pre_proxy_log' line
# in the 'pre-proxy' section, below.
#
detail pre_proxy_log {
filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
permissions = 0600
# You may also strip out passwords completely
#suppress {
# User-Password
#}
}
#
# This module logs response packets from a home server.
#
# You will also need to un-comment the 'post_proxy_log' line
# in the 'post-proxy' section, below.
#
detail post_proxy_log {
filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d
permissions = 0600
}
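Review bot: `pre_proxy_log` leaves its `suppress { User-Password }` block commented out even though its own comment says the file `MUST be 0600, otherwise anyone can read the users passwords`; the `auth_log` instance above enables the same block. Pre-proxy packets carry the same User-Password, so either enable suppression here as well or state why the password has to be kept. Separately, `un-comment the 'auth_log' line in the 'authorize' section, below` (and the reply_log, pre_proxy_log and post_proxy_log equivalents) point at sections that live in the sites-available virtual servers, not below in this file.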


@ -0,0 +1,19 @@
# -*- text -*-
#
# $Id: a4316335d7f73b37ec5aa9278de91d37dd28eddc $
#
# This module is useful only for 'xlat'. To use it,
# put 'dhcp' into the 'instantiate' section.
#
# %{dhcp_options:<Attribute-ref>} may be used to decode
# DHCP options data included in RADIUS packets by vendors
# of DHCP to RADIUS gateways.
#
# This is known to work with the following VSAs:
# * Juniper - ERX-Dhcp-Options
# * Alcatel lucent SR - Alc-ToServer-Dhcp-Options
# - Alc-ToClient-Dhcp-Options
#
dhcp {
}


@ -0,0 +1,56 @@
# -*- text -*-
#
# $Id: 243a241a8d28d8de9696e5364c59e25558789219 $
# Instances of the "files" module for managing DHCP options
#
files dhcp_network {
# The file containing network-specific DHCP options mapping
filename = ${modconfdir}/files/dhcp
# For network lookups we use a fixed key. Matching
# actual networks is done by additional filtering within
# the file
key = "network"
}
files dhcp_subnet {
# The file containing subnet-specific DHCP options mapping
filename = ${modconfdir}/files/dhcp
# For subnet lookups we use a fixed key. Matching
# actual subnets is done by additional filtering within
# the file
key = "subnet"
}
files dhcp_set_group_options {
# An example of looking up DHCP group options. This
# is designed to be called from a policy configured in
# policy.d/dhcp.
#
# If clients are never members of more than one group,
# then this could be simplified such that DHCP-Group-Name
# is used here in place of Foreach-Variable-0 and this
# module instance called directly rather than the policy
# Use the same file as for subnets - could be split
# for large, complex installations
filename = ${modconfdir}/files/dhcp
# The key is a temporary string populated by the calling policy
# which uses a foreach loop.
key = "%{Foreach-Variable-0}"
}
files dhcp_hosts {
# An example of a DHCP host mapping for option setting
# Use the same file as for subnets - could be split
# for large, complex installations
filename = ${modconfdir}/files/dhcp
# If a different identifier is needed for looking up
# host specific entries then amend this key.
key = "host-%{DHCP-Client-Hardware-Address}"
}

View file

@ -0,0 +1,20 @@
# -*- text -*-
#
# $Id: 7884a00298935db8e33fd9f850c2619e61d9b5a9 $
# An instance of the passwd module designed for looking up
# DHCP client membership. This example is based on hardware
# address.
# The "groups" file should be of the format:
# <group name>|<hardware address>,<hardware address>,<hardware address>
# <group name>|<hardware address>,<hardware address>,<hardware address>
#
# See the passwd module for more details.
passwd dhcp_group_membership {
filename = "${modconfdir}/files/dhcp_groups"
format = "~DHCP-Group-Name:*,DHCP-Client-Hardware-Address"
hash_size = 100
allow_multiple_keys = yes
delimiter = "|"
}

View file

@ -0,0 +1,92 @@
# -*- text -*-
##
## mods-available/sql -- SQL modules
##
## $Id: 20dbe3a35be942acaaec8ee0ced7e85786fc46a7 $
######################################################################
#
# Configuration for the DHCP-specific instance of the SQL module
#
# The database schemas and queries are located in subdirectories:
#
# sql/dhcp/<DB>/schema.sql Schema
# sql/dhcp/<DB>/queries.conf Reply options lookup queries
#
# Where "DB" is mysql, mssql, oracle, or postgresql.
#
#
# See raddb/mods-available/sql for a description of the configuration items
# for the sql module.
#
sql dhcp_sql {
dialect = "sqlite"
driver = "rlm_sql_null"
# driver = "rlm_sql_${dialect}"
sqlite {
filename = "/tmp/freeradius.db"
busy_timeout = 200
bootstrap = "${modconfdir}/${..:name}/dhcp/sqlite/schema.sql"
}
mysql {
tls {
ca_file = "/etc/ssl/certs/my_ca.crt"
ca_path = "/etc/ssl/certs/"
certificate_file = "/etc/ssl/certs/private/client.crt"
private_key_file = "/etc/ssl/certs/private/client.key"
cipher = "DHE-RSA-AES256-SHA:AES128-SHA"
tls_required = yes
tls_check_cert = no
tls_check_cert_cn = no
}
warnings = auto
}
postgresql {
send_application_name = yes
}
mongo {
appname = "freeradius"
tls {
certificate_file = /path/to/file
certificate_password = "password"
ca_file = /path/to/file
ca_dir = /path/to/directory
crl_file = /path/to/file
weak_cert_validation = false
allow_invalid_hostname = false
}
}
# server = "localhost"
# port = 3306
# login = "radius"
# password = "radpass"
radius_db = "radius"
dhcpreply_table = "dhcpreply"
groupreply_table = "dhcpgroupreply"
dhcpgroup_table = "dhcpgroup"
read_groups = no
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 0
idle_timeout = 60
}
group_attribute = "${.:instance}-SQL-Group"
$INCLUDE ${modconfdir}/${.:name}/dhcp/${dialect}/queries.conf
}
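Review bot: the mysql tls block sets tls_required = yes but tls_check_cert = no and tls_check_cert_cn = no, so the database connection is encrypted without the server certificate ever being verified; an on-path attacker can terminate the TLS session with any certificate. Since ca_file and ca_path are already set, flip both checks to yes before anyone points this at a real database. Two smaller points in the same file: the sqlite filename is under /tmp, a world-writable directory, so any local user can pre-create or swap the database file (use a directory owned by the radiusd user), and the cipher list "DHE-RSA-AES256-SHA:AES128-SHA" is CBC/SHA-1 only. The instance ships with driver = "rlm_sql_null", so nothing connects until someone edits this file; that edit is the moment to fix these.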

View file

@ -0,0 +1,101 @@
# Configuration for DHCP for the SQL based IP Pools module (rlm_sqlippool).
#
# See raddb/mods-available/sqlippool for common configuration explanation
#
# See raddb/policy.d/dhcp_sqlippool for the "glue" code that allows
# the RADIUS based "sqlippool" module to be used for DHCP.
#
# See raddb/sites-available/dhcp for instructions on how to configure
# the DHCP server.
#
# The database schemas are available at:
#
# raddb/mods-config/sql/ippool-dhcp/<DB>/schema.sql
#
# $Id: 909b93c7ebcbbeb16b123ca38e696790b5771dda $
sqlippool dhcp_sqlippool {
# SQL instance to use (from mods-available/sql)
#
# If you have multiple sql instances, such as "sql sql1 {...}",
# use the *instance* name here: sql1.
sql_module_instance = "dhcp_sql"
# This is duplicative of info available in the SQL module, but
# we have to list it here as we do not yet support nested
# reference expansions.
dialect = "mysql"
# Name of the check item attribute to be used as a key in the SQL queries
pool_name = "Pool-Name"
# SQL table to use for ippool range and lease info
ippool_table = "dhcpippool"
# The duration for which a lease is reserved whilst under offer
offer_duration = 10
# IP lease duration. (Leases expire even if no DHCP-Release packet is received)
# Either use the value to be sent to the client or a hard coded one.
lease_duration = "%{reply:DHCP-IP-Address-Lease-Time}"
#lease_duration = 7200
# The attribute in which the IP address is returned in the reply
attribute_name = "DHCP-Your-IP-Address"
# Assign the IP address, even if the above attribute already exists in
# the reply.
#
# allow_duplicates = no
# The attribute in which an IP address hint may be supplied
req_attribute_name = "DHCP-Requested-IP-Address"
#
# RFC 2132 allows the DHCP client to supply a unique
# identifier ("uid") using Option 61 (DHCP-Client-Identifier)
# in which case it must be used as the lookup key for
# configuration data.
#
pool_key = "%{%{DHCP-Client-Identifier}:-%{DHCP-Client-Hardware-Address}}"
#
# The "uid" is generated by the OS which means that clients
# whose BMC piggybacks on the main interface (sharing its MAC,
# but generating a distinct uid) and dual-booting clients can
# be allocated multiple IPs, consuming more pool entries. To
# avoid this you can ignore the RFCs and key the configuration
# data based only on the client MAC address.
#
# pool_key = "%{DHCP-Client-Hardware-Address}"
################################################################
#
# WARNING: MySQL (MyISAM) has certain limitations that means it can
# hand out the same IP address to 2 different users.
#
# We suggest using an SQL DB with proper transaction
# support, such as PostgreSQL, or using MySQL
# with InnoDB.
#
################################################################
# These messages are added to the "control" items, as
# Module-Success-Message. They are not logged anywhere else,
# unlike previous versions. If you want to have them logged
# to a file, see the "linelog" module, and create an entry
# which writes Module-Success-Message message.
#
messages {
exists = "DHCP: Existing IP: %{reply:${..attribute_name}} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
success = "DHCP: Allocated IP: %{reply:${..attribute_name}} from %{control:${..pool_name}} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
clear = "DHCP: Released IP %{DHCP-Client-IP-Address} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
failed = "DHCP: IP Allocation FAILED from %{control:${..pool_name}} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
nopool = "DHCP: No ${..pool_name} defined (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
}
$INCLUDE ${modconfdir}/sql/ippool-dhcp/${dialect}/queries.conf
}
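Review bot: dialect = "mysql" does not match the dhcp_sql instance referenced by sql_module_instance, which sets dialect = "sqlite" (and driver = rlm_sql_null). The comment above dialect says the value has to mirror the SQL module, and the $INCLUDE at the bottom expands to ${modconfdir}/sql/ippool-dhcp/mysql/queries.conf, so the lease queries will be MySQL syntax against whatever dhcp_sql ends up talking to. Make the two files agree. The MyISAM warning in the middle of the file is not cosmetic either: the offer and allocate queries depend on transactional row locking, so with MySQL the dhcpippool table must be InnoDB or two clients can be handed the same address.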

View file

@ -0,0 +1,13 @@
# -*- text -*-
#
# $Id: f0aa9edf9da33d63fe03e7d1ed3cbca848eec54d $
#
# The 'digest' module currently has no configuration.
#
# "Digest" authentication against a Cisco SIP server.
# See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
# on performing digest authentication for Cisco SIP servers.
#
digest {
}
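Review bot: the pointer to draft-sterman-aaa-sip-00 is stale; that draft became RFC 5090 (RADIUS Extension for Digest Authentication in SIP), which is the reference to cite. Worth a line in the comment for whoever enables this: Digest authentication can only be verified when the server has the user's cleartext password (or the precomputed HA1) available as a control item, so it does not work with password stores that hold only salted hashes.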

View file

@ -0,0 +1,32 @@
# -*- text -*-
#
# $Id: cc2bd5fd22aa473b98af5dde3fac7a66e39a9e9d $
# This module loads RADIUS clients as needed, rather than when the server
# starts.
#
# There are no configuration entries for this module. Instead, it
# relies on the "client" configuration. You must:
#
# 1) link raddb/sites-enabled/dynamic_clients to
# raddb/sites-available/dynamic_clients
#
# 2) Define a client network/mask (see top of the above file)
#
# 3) uncomment the "directory" entry in that client definition
#
# 4) list "dynamic_clients" in the "authorize" section of the
# "dynamic_clients' virtual server. The default example already
# does this.
#
# 5) put files into the above directory, one per IP.
# e.g. file "192.0.2.1" should contain a normal client definition
# for a client with IP address 192.0.2.1.
#
# For more documentation, see the file:
#
# raddb/sites-available/dynamic-clients
#
dynamic_clients {
}
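Review bot: the documentation pointer at the bottom says raddb/sites-available/dynamic-clients (hyphen) while step 1 links sites-available/dynamic_clients (underscore); one of the two names is wrong. Step 5 also deserves a security sentence: each per-IP file in that directory is a full client definition including the shared secret, so the directory must be writable only by the administrator and readable by the server user; anyone who can drop a file there registers an accepted RADIUS client.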

File diff suppressed because it is too large Load diff

View file

@ -0,0 +1,123 @@
# -*- text -*-
#
# $Id: ad3e15933f9e85c5566810432a5fec8f23d877c1 $
#
# This is a more general example of the execute module.
#
# This one is called "echo".
#
# Attribute-Name = `%{echo:/path/to/program args}`
#
# If you wish to execute an external program in more than
# one section (e.g. 'authorize', 'pre_proxy', etc), then it
# is probably best to define a different instance of the
# 'exec' module for every section.
#
# The return value of the program run determines the result
# of the exec instance call as follows:
# (See doc/configurable_failover for details)
#
# < 0 : fail the module failed
# = 0 : ok the module succeeded
# = 1 : reject the module rejected the user
# = 2 : fail the module failed
# = 3 : ok the module succeeded
# = 4 : handled the module has done everything to handle the request
# = 5 : invalid the user's configuration entry was invalid
# = 6 : userlock the user was locked out
# = 7 : notfound the user was not found
# = 8 : noop the module did nothing
# = 9 : updated the module updated information in the request
# > 9 : fail the module failed
#
exec echo {
#
# Wait for the program to finish.
#
# If we do NOT wait, then the program is "fire and
# forget", and any output attributes from it are ignored.
#
# If we are looking for the program to output
# attributes, and want to add those attributes to the
# request, then we MUST wait for the program to
# finish, and therefore set 'wait=yes'
#
# allowed values: {no, yes}
wait = yes
#
# The name of the program to execute, and it's
# arguments. Dynamic translation is done on this
# field, so things like the following example will
# work.
#
program = "/bin/echo %{User-Name}"
#
# The attributes which are placed into the
# environment variables for the program.
#
# Allowed values are:
#
# request attributes from the request
# config attributes from the configuration items list
# reply attributes from the reply
# proxy-request attributes from the proxy request
# proxy-reply attributes from the proxy reply
#
# Note that some attributes may not exist at some
# stages. e.g. There may be no proxy-reply
# attributes if this module is used in the
# 'authorize' section.
#
input_pairs = request
#
# Where to place the output attributes (if any) from
# the executed program. The values allowed, and the
# restrictions as to availability, are the same as
# for the input_pairs.
#
output_pairs = reply
#
# When to execute the program. If the packet
# type does NOT match what's listed here, then
# the module does NOT execute the program.
#
# For a list of allowed packet types, see
# the 'dictionary' file, and look for VALUEs
# of the Packet-Type attribute.
#
# By default, the module executes on ANY packet.
# Un-comment out the following line to tell the
# module to execute only if an Access-Accept is
# being sent to the NAS.
#
#packet_type = Access-Accept
#
# Should we escape the environment variables?
#
# If this is set, all the RADIUS attributes
# are capitalised and dashes replaced with
# underscores. Also, RADIUS values are surrounded
# with double-quotes.
#
# That is to say: User-Name=BobUser => USER_NAME="BobUser"
shell_escape = yes
#
# How long should we wait for the program to finish?
#
# Default is 10 seconds, which should be plenty for nearly
# anything. Range is 1 to 30 seconds. You are strongly
# encouraged to NOT increase this value. Decreasing can
# be used to cause authentication to fail sooner when you
# know it's going to fail anyway due to the time taken,
# thereby saving resources.
#
#timeout = 10
}
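Review bot: the example program = "/bin/echo %{User-Name}" does not fit wait = yes with output_pairs = reply: when the instance is called as a module, the program's stdout is parsed as attribute pairs, and a bare username such as "bob" is not a valid pair, so the call ends in a parse error and a module failure rather than adding anything to the reply. Either make the example emit pair syntax (one "Attribute = value" per line) or drop output_pairs from it. Typo in the comment above program: "it's arguments" should read "its arguments".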

View file

@ -0,0 +1,28 @@
# -*- text -*-
#
# $Id: f58b72f560ba067991d67295b546691bcd992d44 $
# "passwd" configuration, for the /etc/group file. Adds a Etc-Group-Name
# attribute for every group that the user is member of.
#
# You will have to define the Etc-Group-Name in the 'dictionary' file
# as a 'string' type.
#
# The Group and Group-Name attributes are automatically created by
# the Unix module, and do checking against /etc/group automatically.
# This means that you CANNOT use Group or Group-Name to do any other
# kind of grouping in the server. You MUST define a new group
# attribute.
#
# i.e. this module should NOT be used as-is, but should be edited to
# point to a different group file.
#
passwd etc_group {
filename = /etc/group
format = "=Etc-Group-Name:::*,User-Name"
hash_size = 50
ignore_nislike = yes
allow_multiple_keys = yes
delimiter = ":"
}

View file

@ -0,0 +1,29 @@
# -*- text -*-
#
# $Id: bb1d4374b741a7bfcdfc098fc57af650509ceae2 $
#
# Execute external programs
#
# This module is useful only for 'xlat'. To use it,
# put 'exec' into the 'instantiate' section. You can then
# do dynamic translation of attributes like:
#
# Attribute-Name = `%{exec:/path/to/program args}`
#
# The value of the attribute will be replaced with the output
# of the program which is executed. Due to RADIUS protocol
# limitations, any output over 253 bytes will be ignored.
#
# The RADIUS attributes from the user request will be placed
# into environment variables of the executed program, as
# described in "man unlang" and in doc/configuration/variables.rst
#
# See also "echo" for more sample configuration.
#
exec {
wait = no
input_pairs = request
shell_escape = yes
timeout = 10
}
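Review bot: wait = no contradicts the comment that this instance is useful only for xlat. The %{exec:...} expansion has to block and capture the program's stdout, and rlm_exec refuses to run the xlat unless wait is enabled (it logs that 'wait' must be enabled), so as written the expansion yields an empty string. Set wait = yes here, and keep timeout small because the request thread is blocked for the whole run.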

View file

@ -0,0 +1,13 @@
# -*- text -*-
#
# $Id: 5d06454d0a8ccce7f50ddf7b01ba01c4ace6560a $
#
# The expiration module. This handles the Expiration attribute
# It should be included in the *end* of the authorize section
# in order to handle user Expiration. It should also be included
# in the instantiate section in order to register the Expiration
# compare function
#
expiration {
}

View file

@ -0,0 +1,146 @@
# -*- text -*-
#
# $Id: 43dbea35e41698f8ced22c1cf4ad128b08dee7ca $
#
# This module performs mathematical calculations:
#
# Attribute-Name = "%{expr:2 + 3 + &NAS-Port}"
#
# It supports the following operators (in order of precedence)
#
# & binary AND
# | binary OR
# << left shift
# >> right shift
# + addition
# - subtraction
# * multiply
# / divide
# %% remainder
# ^ exponentiation
# (...) sub-expression
#
# Operator precedence follows the normal rules.
# Division by zero means that the entire expression is invalid.
#
# Note that in versions before 3.0.5, the expression
# was parsed strictly left to right, and ignored operator
# precedence.
#
# It also allows unary negation: -1
# And twos complement: ~1
#
# All calculations are done on signed 63-bit integers.
# e.g. int64_t. This should be sufficient for all normal
# purposes.
#
# Hex numbers are supported: 0xabcdef
#
# As with all string expansions, you can nest the expansions:
#
# %{expr: %{NAS-Port} + 1}
# %{expr: %{sql:SELECT ... } + 1}
#
# Attribute references are supported for integer attributes.
# e.g. &NAS-Port. The benefit of using attribute references
# is that the expression is calculated directly on the
# attribute. It skips the step of "print to string, and then
# parse to number". This means it's a little faster.
#
# Otherwise, all numbers are decimal.
#
#
# The module also registers a few paircompare functions, and
# many string manipulation functions, including:
#
# rand get random number from 0 to n-1
# "%{rand:10}" == "9"
#
# randstr get random string built from character classes:
# c lowercase letters
# C uppercase letters
# n numbers
# a alphanumeric
# ! punctuation
# . alphanumeric + punctuation
# s alphanumeric + "./"
# o characters suitable for OTP (easily confused removed)
# h binary data as lowercase hex
# H binary data as uppercase hex
#
# "%{randstr:CCCC!!cccnnn}" == "IPFL>{saf874"
# "%{randstr:oooooooo}" == "rfVzyA4y"
# "%{randstr:hhhh}" == "68d60de3"
#
# urlquote quote special characters in URI
# "%{urlquote:http://example.org/}" == "http%3A%47%47example.org%47"
#
# urlunquote unquote URL special characters
# "%{urlunquote:http%%3A%%47%%47example.org%%47}" == "http://example.org/"
#
# escape escape string similar to rlm_sql safe_characters
# "%{escape:<img>foo.jpg</img>}" == "=60img=62foo.jpg=60/img=62"
#
# unescape reverse of escape
# "%{unescape:=60img=62foo.jpg=60/img=62}" == "<img>foo.jpg</img>"
#
# tolower convert to lowercase
# "%{tolower:Bar}" == "bar"
#
# toupper convert to uppercase
# "%{toupper:Foo}" == "FOO"
#
# md5 get md5sum hash
# "%{md5:foo}" == "acbd18db4cc2f85cedef654fccc4a4d8"
#
# sha1 get sha1 hash
# "%{sha1:foo}" == "0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33"
#
# sha256 get sha256 hash
# "%{sha256:foo}" == "2c26b46b68ffc68ff99b453c1d30413413422d706..."
#
# sha512 get sha512 hash
# "%{sha512:foo}" == "f7fbba6e0636f890e56fbbf3283e524c6fa3204ae29838..."
#
# hmacmd5 generate HMAC-MD5 of string
# "%{hmacmd5:foo bar}" == "31b6db9e5eb4addb42f1a6ca07367adc"
#
# hmacsha1 generate HMAC-SHA1 of string
# "%{hmacsha1:foo bar}" == "85d155c55ed286a300bd1cf124de08d87e914f3a"
#
# crypt encrypt with a salt: %{crypt:salt:password}
# "%{crypt:aa:foo}" == "aaKNIEDOaueR6"
# "%{crypt:$1$abcdefgh:foo}" == "$1$abcdefgh$XxzGe9Muun7wTYbZO4sdr0"
# "%{crypt:$5$%{randstr:aaaaaaaaaaaaaaaa}:foo}" == "$1$fu4P2fcAdo9gM..."
#
# pairs serialize attributes as comma-delimited string
# "%{pairs:request:}" == "User-Name = 'foo', User-Password = 'bar', ..."
#
# base64 encode string as base64
# "%{base64:foo}" == "Zm9v"
#
# base64tohex convert base64 to hex
# "%{base64tohex:Zm9v}" == "666f6f"
#
# explode split an attribute into multiple new attributes based on a delimiter
# "%{explode:&ref <delim>}"
#
# nexttime calculate number of seconds until next n hour(s), day(s), week(s), year(s)
# if it were 16:18, %{nexttime:1h} would expand to 2520
#
# lpad left-pad a string
# if User-Name is "foo": "%{lpad:&User-Name 6 x}" == "xxxfoo"
#
# rpad right-pad a string
# if User-Name is "foo": "%{rpad:&User-Name 5 -}" == "foo--"
#
expr {
#
# Characters that will not be encoded by the %{escape}
# xlat function.
#
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
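Review bot: three errors in the xlat comment block. The urlquote example encodes "/" as %47, but "/" is 0x2F, so "%{urlquote:http://example.org/}" yields "http%3A%2F%2Fexample.org%2F" (%47 decodes to "G"); the urlunquote example repeats the same bytes. The crypt example with a "$5$" (SHA-256 crypt) salt shows an output beginning "$1$", which is the MD5 crypt prefix; a $5$ salt produces a hash that starts with $5$. And "signed 63-bit integers, e.g. int64_t" should say 64-bit signed integers. A short caution next to md5, sha1 and hmacmd5 that they exist for protocol compatibility and should not be chosen for new integrity checks would also help readers.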

View file

@ -0,0 +1,30 @@
# -*- text -*-
#
# $Id: e3f3bf568d92eba8eb17bbad590f846f2d9e1ac8 $
# Livingston-style 'users' file
#
# See "man users" for more information.
#
files {
# Search for files in a subdirectory of mods-config which
# matches this instance of the files module.
moddir = ${modconfdir}/${.:instance}
# The default key attribute to use for matches. The content
# of this attribute is used to match the "name" of the
# entry.
#key = "%{%{Stripped-User-Name}:-%{User-Name}}"
# The old "users" style file is now located here.
filename = ${moddir}/authorize
# This is accepted for backwards compatibility
# It will be removed in a future release.
# usersfile = ${moddir}/authorize
# These are accepted for backwards compatibility.
# They will be renamed in a future release.
acctusersfile = ${moddir}/accounting
preproxy_usersfile = ${moddir}/pre-proxy
}

View file

@ -0,0 +1,28 @@
# -*- text -*-
#
# $Id: 534054077d52a7bb0bf8e02c1e861e5c86b76df9 $
#
# Internationalised domain names.
#
# The expansion string: %{idn: example.com} results in an ASCII
# punycode version of the domain name. That version can then be used
# for name comparisons. Using an i18n version of the name is NOT
# RECOMMENDED, as that version is not canonical.
#
# i.e. the "same" domain name can be represented in many, many,
# different ways. Only the idn version has *one* representation.
#
idn {
#
# Allow use of unassigned Unicode code points.
#
allow_unassigned = no
#
# Prohibit underscores and other invalid characters in domain
# names.
use_std3_ascii_rules = yes
}

View file

@ -0,0 +1,107 @@
# -*- text -*-
#
# $Id: 576eb7739ebf18ca6323cb740a7d4278ff6d6ea2 $
#
# Sample configuration for an EAP module that occurs *inside*
# of a tunneled method. It is used to limit the EAP types that
# can occur inside of the inner tunnel.
#
# See also raddb/sites-available/inner-tunnel
#
# See raddb/mods-available/eap for full documentation on the meaning of these
# configuration entries.
#
eap inner-eap {
# This is the best choice for PEAP.
default_eap_type = mschapv2
timer_expire = 60
# This should be the same as the outer eap "max sessions"
max_sessions = 2048
# Supported EAP-types
md5 {
}
gtc {
# The default challenge, which many clients
# ignore..
#challenge = "Password: "
auth_type = PAP
}
mschapv2 {
# See eap for documentation
# send_error = no
}
# No TTLS or PEAP configuration should be listed here.
## EAP-TLS
#
# You SHOULD use different certificates than are used
# for the outer EAP configuration!
#
# You can create the "inner-server.pem" file by doing:
#
# cd raddb/certs
# vi inner-server.cnf
# make inner-server
#
# The certificate MUST be different from the "server.cnf"
# file.
#
# Support for PEAP/TLS and RFC 5176 TLS/TLS is experimental.
# It might work, or it might not.
#
tls {
private_key_password = whatever
private_key_file = ${certdir}/inner-server.pem
# If Private key & Certificate are located in
# the same file, then private_key_file &
# certificate_file must contain the same file
# name.
#
# If ca_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
certificate_file = ${certdir}/inner-server.pem
# You may want different CAs for inner and outer
# certificates. If so, edit this file.
ca_file = ${cadir}/ca.pem
cipher_list = "DEFAULT"
# You may want to set a very small fragment size.
# The TLS data here needs to go inside of the
# outer EAP-TLS protocol.
#
# Try values and see if they work...
# fragment_size = 1024
# Other needful things
dh_file = ${certdir}/dh
random_file = /dev/urandom
# CRL and OCSP things go here. See the main "eap"
# file for details.
# check_crl = yes
# ca_path = /path/to/directory/with/ca_certs/and/crls/
# Accept an expired Certificate Revocation List
#
# allow_expired_crl = no
#
# The session resumption / fast re-authentication
# cache CANNOT be used for inner sessions.
#
}
}
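Review bot: "RFC 5176 TLS/TLS" in the experimental-support comment is the wrong reference: RFC 5176 is RADIUS Dynamic Authorization Extensions (CoA/Disconnect). EAP-TTLS is RFC 5281 and EAP-TLS is RFC 5216. For anyone enabling this block: private_key_password = whatever is the passphrase baked into the raddb/certs test configuration and has to change together with the key; cipher_list = "DEFAULT" takes whatever OpenSSL's DEFAULT list allows, so tighten it the same way as the outer eap tls section; and ca_file = ${cadir}/ca.pem is the same CA as the outer tunnel even though the comment two lines up recommends a separate one.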

View file

@ -0,0 +1,66 @@
# -*- text -*-
#
# $Id: 1d3305ba45ec71336f55f8f1db05f183772e1b82 $
# Do server side ip pool management. Should be added in
# post-auth and accounting sections.
#
# The module also requires the existence of the Pool-Name
# attribute. That way the administrator can add the Pool-Name
# attribute in the user profiles and use different pools for
# different users. The Pool-Name attribute is a *check* item
# not a reply item.
#
# The Pool-Name should be set to the ippool module instance
# name or to DEFAULT to match any module.
#
# Example:
# radiusd.conf: ippool students { [...] }
# ippool teachers { [...] }
# users file : DEFAULT Group == students, Pool-Name := "students"
# DEFAULT Group == teachers, Pool-Name := "teachers"
# DEFAULT Group == other, Pool-Name := "DEFAULT"
#
# Note: If you change the range parameters you must then erase the
# db files.
#
ippool main_pool {
# The main db file used to allocate addresses.
filename = ${db_dir}/db.ippool
# The start and end ip addresses for this pool.
range_start = 192.0.2.1
range_stop = 192.0.2.254
# The network mask used for this pool.
netmask = 255.255.255.0
# The gdbm cache size for the db files. Should
# be equal to the number of ip's available in
# the ip pool
cache_size = 800
# Helper db index file used in multilink
ip_index = ${db_dir}/db.ipindex
# If set, the Framed-IP-Address already in the
# reply (if any) will be discarded, and replaced
# ith a Framed-IP-Address assigned here.
override = no
# Specifies the maximum time in seconds that an
# entry may be active. If set to zero, means
# "no timeout". The default value is 0
maximum_timeout = 0
# The key to use for the session database (which
# holds the allocated ip's) normally it should
# just be the nas ip/port (which is the default).
#
# If your NAS sends the same value of NAS-Port
# all requests, the key should be based on some
# other attribute that is in ALL requests, AND
# is unique to each machine needing an IP address.
# key = "%{NAS-IP-Address} %{NAS-Port}"
}
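Review bot: cache_size = 800 contradicts its own comment ("should be equal to the number of ip's available in the ip pool"); the range 192.0.2.1 to 192.0.2.254 holds 254 addresses. Typo in the override comment: "replaced ith" should be "replaced with". Also, with maximum_timeout = 0 entries never expire on their own, so every session must produce an accounting Stop or the pool drains; the header says to list the module in the accounting section, and that is not optional with this setting.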

View file

@ -0,0 +1,82 @@
# -*- text -*-
#
# $Id: c88b5fbb4b35cc4e61bfb93a616d891fb79ebc0c $
#
# Kerberos. See doc/modules/rlm_krb5 for minimal docs.
#
krb5 {
#
# The keytab file MUST be owned by the UID/GID used by the server.
# The keytab file MUST be writable by the server.
# The keytab file MUST NOT be readable by other users on the system.
# The keytab file MUST exist before the server is started.
#
keytab = ${localstatedir}/lib/radiusd/keytab
service_principal = name_of_principle
# Pool of krb5 contexts, this allows us to make the module multithreaded
# and to avoid expensive operations like resolving and opening keytabs
# on every request. It may also allow TCP connections to the KDC to be
# cached if that is supported by the version of libkrb5 used.
#
# The context pool is only used if the underlying libkrb5 reported
# that it was thread safe at compile time.
#
pool {
# Connections to create during module instantiation.
# If the server cannot create specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# KDC being available.
start = ${thread[pool].start_servers}
# Minimum number of connections to keep open
min = ${thread[pool].min_spare_servers}
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like 'No connections available and at max connection limit'
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
max = ${thread[pool].max_servers}
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
spare = ${thread[pool].max_spare_servers}
# Number of uses before the connection is closed
#
# 0 means "infinite"
uses = 0
# The lifetime (in seconds) of the connection
#
# NOTE: A setting of 0 means infinite (no limit).
lifetime = 0
# The idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
#
# NOTE: A setting of 0 means infinite (no timeout).
idle_timeout = 0
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
}
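Review bot: "service_principal = name_of_principle" has a typo; the Kerberos term is "principal". The keytab requirements say the file MUST be writable by the server. Validating a service ticket only needs read access, and a server that can rewrite its own keytab can replace its own credential, so unless the module genuinely needs write access, document why or drop that line and keep the ownership and not-readable-by-others requirements. Minor: the pool comments say idle connections WILL be closed when idle_timeout is set, but idle_timeout = 0 here, so that path is off by default; say so next to the value.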

View file

@ -0,0 +1,666 @@
# -*- text -*-
#
# $Id: 015ae6907b8113771691ae3a3c1d53b05756d143 $
#
# Lightweight Directory Access Protocol (LDAP)
#
ldap {
# Note that this needs to match the name(s) in the LDAP server
# certificate, if you're using ldaps. See OpenLDAP documentation
# for the behavioral semantics of specifying more than one host.
#
# Depending on the libldap in use, server may be an LDAP URI.
# In the case of OpenLDAP this allows additional the following
# additional schemes:
# - ldaps:// (LDAP over SSL)
# - ldapi:// (LDAP over Unix socket)
# - ldapc:// (Connectionless LDAP)
server = 'localhost'
# server = 'ldap.rrdns.example.org'
# server = 'ldap.rrdns.example.org'
# Port to connect on, defaults to 389, will be ignored for LDAP URIs.
# port = 389
# Administrator account for searching and possibly modifying.
# If using SASL + KRB5 these should be commented out.
# identity = 'cn=admin,dc=example,dc=org'
# password = mypass
# Unless overridden in another section, the dn from which all
# searches will start from.
base_dn = 'dc=example,dc=org'
#
# You can run the 'ldapsearch' command line tool using the
# parameters from this module's configuration.
#
# ldapsearch -D ${identity} -w ${password} -h ${server} -b 'CN=user,${base_dn}'
#
# That will give you the LDAP information for 'user'.
#
# Group membership can be queried by using the above "ldapsearch" string,
# and adding "memberof" qualifiers. For ActiveDirectory, use:
#
# ldapsearch ... '(&(objectClass=user)(sAMAccountName=user)(memberof=CN=group,${base_dn}))'
#
# Where 'user' is the user as above, and 'group' is the group you are querying for.
#
#
# SASL parameters to use for admin binds
#
# When we're prompted by the SASL library, these control
# the responses given, as well as the identity and password
# directives above.
#
# If any directive is commented out, a NULL response will be
# provided to cyrus-sasl.
#
# Unfortunately the only way to control Keberos here is through
# environmental variables, as cyrus-sasl provides no API to
# set the krb5 config directly.
#
# Full documentation for MIT krb5 can be found here:
#
# http://web.mit.edu/kerberos/krb5-devel/doc/admin/env_variables.html
#
# At a minimum you probably want to set KRB5_CLIENT_KTNAME.
#
sasl {
# SASL mechanism
# mech = 'PLAIN'
# SASL authorisation identity to proxy.
# proxy = 'autz_id'
# SASL realm. Used for kerberos.
# realm = 'example.org'
}
#
# Generic valuepair attribute
#
# If set, this will attribute will be retrieved in addition to any
# mapped attributes.
#
# Values should be in the format:
# <radius attr> <op> <value>
#
# Where:
# <radius attr>: Is the attribute you wish to create
# with any valid list and request qualifiers.
# <op>: Is any assignment operator (=, :=, +=, -=).
# <value>: Is the value to parse into the new valuepair.
# If the value is wrapped in double quotes it
# will be xlat expanded.
# valuepair_attribute = 'radiusAttribute'
#
# Mapping of LDAP directory attributes to RADIUS dictionary attributes.
#
# WARNING: Although this format is almost identical to the unlang
# update section format, it does *NOT* mean that you can use other
# unlang constructs in module configuration files.
#
# Configuration items are in the format:
# <radius attr> <op> <ldap attr>
#
# Where:
# <radius attr>: Is the destination RADIUS attribute
# with any valid list and request qualifiers.
# <op>: Is any assignment attribute (=, :=, +=, -=).
# <ldap attr>: Is the attribute associated with user or
# profile objects in the LDAP directory.
# If the attribute name is wrapped in double
# quotes it will be xlat expanded.
#
# Request and list qualifiers may also be placed after the 'update'
# section name to set defaults destination requests/lists
# for unqualified RADIUS attributes.
#
# Note: LDAP attribute names should be single quoted unless you want
# the name value to be derived from an xlat expansion, or an
# attribute ref.
update {
control:Password-With-Header += 'userPassword'
# control:NT-Password := 'ntPassword'
# reply:Reply-Message := 'radiusReplyMessage'
# reply:Tunnel-Type := 'radiusTunnelType'
# reply:Tunnel-Medium-Type := 'radiusTunnelMediumType'
# reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
# Where only a list is specified as the RADIUS attribute,
# the value of the LDAP attribute is parsed as a valuepair
# in the same format as the 'valuepair_attribute' (above).
control: += 'radiusControlAttribute'
request: += 'radiusRequestAttribute'
reply: += 'radiusReplyAttribute'
}
# Set to yes if you have eDirectory and want to use the universal
# password mechanism.
# edir = no
# Set to yes if you want to bind as the user after retrieving the
# Cleartext-Password. This will consume the login grace, and
# verify user authorization.
# edir_autz = no
# Note: set_auth_type was removed in v3.x.x
#
# Equivalent functionality can be achieved by adding the
# following "if" statement to the authorize {} section of
# the virtual server, after the "ldap" module. For example:
#
# ...
# ldap
# if ((ok || updated) && User-Password && !control:Auth-Type) {
# update {
# control:Auth-Type := ldap
# }
# }
# ...
#
# You will also need to uncomment the "Auth-Type LDAP" block in the
# "authenticate" section.
#
#
# Name of the attribute that contains the user DN.
# The default name is LDAP-UserDn.
#
# If you have multiple LDAP instances, you should
# change this configuration item to:
#
# ${.:instance}-LDAP-UserDn
#
# That change allows the modules to set their own
# User DN, and to not conflict with each other.
#
user_dn = "LDAP-UserDn"
#
# User object identification.
#
user {
# Where to start searching in the tree for users
base_dn = "${..base_dn}"
# Filter for user objects, should be specific enough
# to identify a single user object.
#
# For Active Directory, you should use
# "samaccountname=" instead of "uid="
#
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
# For Active Directory nested group, you should comment out the previous 'filter = ...'
# and use the below. Where 'group' is the group you are querying for.
#
# NOTE: The string '1.2.840.113556.1.4.1941' specifies LDAP_MATCHING_RULE_IN_CHAIN.
# This applies only to DN attributes. This is an extended match operator that walks
# the chain of ancestry in objects all the way to the root until it finds a match.
# This reveals group nesting. It is available only on domain controllers with
# Windows Server 2003 SP2 or Windows Server 2008 (or above).
#
# See: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
#
# filter = "(&(objectClass=user)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf:1.2.840.113556.1.4.1941:=cn=group,${..base_dn}))"
# SASL parameters to use for user binds
#
# When we're prompted by the SASL library, these control
# the responses given.
#
# Any of the config items below may be an attribute ref
# or and expansion, so different SASL mechs, proxy IDs
# and realms may be used for different users.
sasl {
# SASL mechanism
# mech = 'PLAIN'
# SASL authorisation identity to proxy.
# proxy = &User-Name
# SASL realm. Used for kerberos.
# realm = 'example.org'
}
# Search scope, may be 'base', 'one', sub' or 'children'
# scope = 'sub'
# Server side result sorting
#
# A list of space delimited attributes to order the result
# set by, if the filter matches multiple objects.
# Only the first result in the set will be processed.
#
# If the attribute name is prefixed with a hyphen '-' the
# sorting order will be reversed for that attribute.
#
# If sort_by is set, and the server does not support sorting
# the search will fail.
# sort_by = '-uid'
# If this is undefined, anyone is authorised.
# If it is defined, the contents of this attribute
# determine whether or not the user is authorised
# access_attribute = 'dialupAccess'
# Control whether the presence of 'access_attribute'
# allows access, or denys access.
#
# If 'yes', and the access_attribute is present, or
# 'no' and the access_attribute is absent then access
# will be allowed.
#
# If 'yes', and the access_attribute is absent, or
# 'no' and the access_attribute is present, then
# access will not be allowed.
#
# If the value of the access_attribute is 'false', it
# will negate the result.
#
# e.g.
# access_positive = yes
# access_attribute = userAccessAllowed
#
# With an LDAP object containing:
# userAccessAllowed: false
#
# Will result in the user being locked out.
# access_positive = yes
}
#
# User membership checking.
#
group {
# Where to start searching in the tree for groups
base_dn = "${..base_dn}"
# Filter for group objects, should match all available
# group objects a user might be a member of.
#
# If using Active Directory you are likely to need "group"
# instead of "posixGroup".
filter = '(objectClass=posixGroup)'
# Search scope, may be 'base', 'one', sub' or 'children'
# scope = 'sub'
# Attribute that uniquely identifies a group.
# Is used when converting group DNs to group
# names.
# name_attribute = cn
# Filter to find all group objects a user is a member of.
# That is, group objects with attributes that
# identify members (the inverse of membership_attribute).
#
# Note that this configuration references the "user_dn"
# configuration defined above.
#
# membership_filter = "(|(member=%{control:${..user_dn}})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
# The attribute, in user objects, which contain the names
# or DNs of groups a user is a member of.
#
# Unless a conversion between group name and group DN is
# needed, there's no requirement for the group objects
# referenced to actually exist.
#
# If the LDAP server does not support the "memberOf"
# attribute (or equivalent), then you will need to use the
# membership_filter option above instead. If you can't see
# the memberOf attribute then it is also possible that the
# LDAP bind user does not have the correct permissions to
# view it.
membership_attribute = 'memberOf'
# If cacheable_name or cacheable_dn are enabled,
# all group information for the user will be
# retrieved from the directory and written to LDAP-Group
# attributes appropriate for the instance of rlm_ldap.
#
# For group comparisons these attributes will be checked
# instead of querying the LDAP directory directly.
#
# This feature is intended to be used with rlm_cache.
#
# If you wish to use this feature, you should enable
# the type that matches the format of your check items
# i.e. if your groups are specified as DNs then enable
# cacheable_dn else enable cacheable_name.
# cacheable_name = 'no'
# cacheable_dn = 'no'
# Override the normal cache attribute (<inst>-LDAP-Group or
# LDAP-Group if using the default instance) and create a
# custom attribute. This can help if multiple module instances
# are used in fail-over.
# cache_attribute = 'LDAP-Cached-Membership'
# If the group being checked is specified as a name, but
# the user's groups are referenced by DN, and one of those
# group DNs is invalid, the whole group check is treated as
# invalid, and a negative result will be returned.
# When set to 'yes', this option ignores invalid DN
# references.
# allow_dangling_group_ref = 'no'
}
#
# User profiles. RADIUS profile objects contain sets of attributes
# to insert into the request. These attributes are mapped using
# the same mapping scheme applied to user objects (the update section above).
#
profile {
# Filter for RADIUS profile objects
# filter = '(objectclass=radiusprofile)'
# The default profile. This may be a DN or an attribute
# reference.
# To get old v2.2.x style behaviour, or to use the
# &User-Profile attribute to specify the default profile,
# set this to &control:User-Profile.
# default = 'cn=radprofile,dc=example,dc=org'
# The LDAP attribute containing profile DNs to apply
# in addition to the default profile above. These are
# retrieved from the user object, at the same time as the
# attributes from the update section, are are applied
# if authorization is successful.
# attribute = 'radiusProfileDn'
}
#
# Bulk load clients from the directory
#
client {
# Where to start searching in the tree for clients
base_dn = "${..base_dn}"
#
# Filter to match client objects
#
filter = '(objectClass=radiusClient)'
# Search scope, may be 'base', 'one', 'sub' or 'children'
# scope = 'sub'
#
# Sets default values (not obtained from LDAP) for new client entries
#
template {
# login = 'test'
# password = 'test'
# proto = tcp
# require_message_authenticator = yes
# Uncomment to add a home_server with the same
# attributes as the client.
# coa_server {
# response_window = 2.0
# }
}
#
# Client attribute mappings are in the format:
# <client attribute> = <ldap attribute>
#
# The following attributes are required:
# * ipaddr | ipv4addr | ipv6addr - Client IP Address.
# * secret - RADIUS shared secret.
#
# All other attributes usually supported in a client
# definition are also supported here.
#
# Schemas are available in doc/schemas/ldap for openldap and eDirectory
#
attribute {
ipaddr = 'radiusClientIdentifier'
secret = 'radiusClientSecret'
# shortname = 'radiusClientShortname'
# nas_type = 'radiusClientType'
# virtual_server = 'radiusClientVirtualServer'
# require_message_authenticator = 'radiusClientRequireMa'
}
}
# Load clients on startup
# read_clients = no
#
# Modify user object on receiving Accounting-Request
#
# Useful for recording things like the last time the user logged
# in, or the Acct-Session-ID for CoA/DM.
#
# LDAP modification items are in the format:
# <ldap attr> <op> <value>
#
# Where:
# <ldap attr>: The LDAP attribute to add modify or delete.
# <op>: One of the assignment operators:
# (:=, +=, -=, ++).
# Note: '=' is *not* supported.
# <value>: The value to add modify or delete.
#
# WARNING: If using the ':=' operator with a multi-valued LDAP
# attribute, all instances of the attribute will be removed and
# replaced with a single attribute.
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
type {
start {
update {
description := "Online at %S"
}
}
interim-update {
update {
description := "Last seen at %S"
}
}
stop {
update {
description := "Offline at %S"
}
}
}
}
#
# Post-Auth can modify LDAP objects too
#
post-auth {
update {
description := "Authenticated at %S"
}
}
#
# LDAP connection-specific options.
#
# These options set timeouts, keep-alives, etc. for the connections.
#
options {
# Control under which situations aliases are followed.
# May be one of 'never', 'searching', 'finding' or 'always'
# default: libldap's default which is usually 'never'.
#
# LDAP_OPT_DEREF is set to this value.
# dereference = 'always'
#
# The following two configuration items control whether the
# server follows references returned by LDAP directory.
# They are mostly for Active Directory compatibility.
# If you set these to 'no', then searches will likely return
# 'operations error', instead of a useful result.
#
chase_referrals = yes
rebind = yes
# SASL Security Properties (see SASL_SECPROPS in ldap.conf man page).
# Note - uncomment when using GSS-API sasl mechanism along with TLS
# encryption against Active-Directory LDAP servers (this disables
# sealing and signing at the GSS level as required by AD).
#sasl_secprops = 'noanonymous,noplain,maxssf=0'
# Seconds to wait for LDAP query to finish. default: 20
res_timeout = 10
# Seconds LDAP server has to process the query (server-side
# time limit). default: 20
#
# LDAP_OPT_TIMELIMIT is set to this value.
srv_timelimit = 3
# Seconds to wait for response of the server. (network
# failures) default: 10
#
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
net_timeout = 1
# LDAP_OPT_X_KEEPALIVE_IDLE
idle = 60
# LDAP_OPT_X_KEEPALIVE_PROBES
probes = 3
# LDAP_OPT_X_KEEPALIVE_INTERVAL
interval = 3
# ldap_debug: debug flag for LDAP SDK
# (see OpenLDAP documentation). Set this to enable
# huge amounts of LDAP debugging on the screen.
# You should only use this if you are an LDAP expert.
#
# default: 0x0000 (no debugging messages)
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
ldap_debug = 0x0028
}
#
# This subsection configures the tls related items
# that control how FreeRADIUS connects to an LDAP
# server. It contains all of the 'tls_*' configuration
# entries used in older versions of FreeRADIUS. Those
# configuration entries can still be used, but we recommend
# using these.
#
tls {
# Set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
#
# The StartTLS operation is supposed to be
# used with normal ldap connections instead of
# using ldaps (port 636) connections
# start_tls = yes
# ca_file = ${certdir}/cacert.pem
# ca_path = ${certdir}
# certificate_file = /path/to/radius.crt
# private_key_file = /path/to/radius.key
# random_file = /dev/urandom
# Certificate Verification requirements. Can be:
# 'never' (do not even bother trying)
# 'allow' (try, but don't fail if the certificate
# cannot be verified)
# 'demand' (fail if the certificate does not verify)
# 'hard' (similar to 'demand' but fails if TLS
# cannot negotiate)
#
# The default is libldap's default, which varies based
# on the contents of ldap.conf.
# require_cert = 'demand'
#
# Minimum TLS version to accept. We STRONGLY recommend
# setting this to "1.2"
#
# tls_min_version = "1.2"
}
# As of version 3.0, the 'pool' section has replaced the
# following configuration items:
#
# ldap_connections_number
# The connection pool is new for 3.0, and will be used in many
# modules, for all kinds of connection-related activity.
#
# When the server is not threaded, the connection pool
# limits are ignored, and only one connection is used.
pool {
# Connections to create during module instantiation.
# If the server cannot create specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# directory being available.
start = ${thread[pool].start_servers}
# Minimum number of connections to keep open
min = ${thread[pool].min_spare_servers}
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like 'No connections available and at max connection limit'
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
max = ${thread[pool].max_servers}
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
spare = ${thread[pool].max_spare_servers}
# Number of uses before the connection is closed
#
# 0 means "infinite"
uses = 0
# The number of seconds to wait after the server tries
# to open a connection, and fails. During this time,
# no new connections will be opened.
retry_delay = 30
# The lifetime (in seconds) of the connection
lifetime = 0
# Idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
idle_timeout = 60
# NOTE: All configuration settings are enforced. If a
# connection is closed because of 'idle_timeout',
# 'uses', or 'lifetime', then the total number of
# connections MAY fall below 'min'. When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the 'min' connections,
# or increase lifetime/idle_timeout.
}
}
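Review bot: the `tls { ... }` subsection ships with `start_tls`, `require_cert` and `tls_min_version` all commented out, so with these defaults the connection to the directory is cleartext, and once TLS is turned on the certificate check and minimum version fall back to whatever libldap's ldap.conf says (the comment itself admits that default "varies"). Because this instance pulls `userPassword` into `control:Password-With-Header`, the comments should state that `start_tls = yes`, `require_cert = 'demand'` and `tls_min_version = "1.2"` are the expected production settings, or better, ship `require_cert` and `tls_min_version` uncommented. In `options {}`, `ldap_debug = 0x0028` is left active directly under a comment saying it produces "huge amounts" of output and should only be used by LDAP experts; either comment it out or say in the comment when that output is actually emitted. Small text fixes in the same hunk: both scope comments read `'base', 'one', sub' or 'children'` (quote missing before `sub`), the sasl comment says "or and expansion" for "or an expansion", and the profile `attribute` comment has "are are applied".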


@ -0,0 +1,161 @@
# -*- text -*-
#
# $Id: dc2a8195b3c1c2251fc37651ea4a598898c33d12 $
#
# The "linelog" module will log one line of text to a file.
# Both the filename and the line of text are dynamically expanded.
#
# We STRONGLY suggest that you do not use data from the
# packet as part of the filename.
#
linelog {
#
# The file where the logs will go.
#
# If the filename is "syslog", then the log messages will
# go to syslog.
filename = ${logdir}/linelog
#
# Most file systems can handly nearly the full range of UTF-8
# characters. Ones that can deal with a limited range should
# set this to "yes".
#
escape_filenames = no
#
# The Unix-style permissions on the log file.
#
# Depending on format string, the log file may contain secret or
# private information about users. Keep the file permissions as
# restrictive as possible.
permissions = 0600
# The Unix group which owns the log file.
#
# The user that freeradius runs as must be in the specified
# group, otherwise it will not be possible to set the group.
# group = ${security.group}
# Syslog facility (if logging via syslog).
# Defaults to the syslog_facility config item in radiusd.conf.
# Standard facilities are:
# - kern Messages generated by the kernel. These cannot
# be generated by any user processes.
# - user Messages generated by random user processes.
# This is the default facility identifier if
# none is specified.
# - mail The mail system.
# - daemon System daemons, such as routed(8), that are not
# provided for explicitly by other facilities.
# - auth The authorization system: login(1), su(1),
# getty(8), etc.
# - lpr The line printer spooling system: cups-lpd(8),
# cupsd(8), etc.
# - news The network news system.
# - uucp The uucp system.
# - cron The cron daemon: cron(8).
# - authpriv The same as LOG_AUTH, but logged to a file
# readable only by selected individuals.
# - ftp The file transfer protocol daemons: ftpd(8),
# tftpd(8).
# - local[0-7] Reserved for local use.
# syslog_facility = daemon
# Syslog severity (if logging via syslog). Defaults to info.
# Possible values are:
# - emergency A panic condition. This is normally broadcast
# to all users.
# - alert A condition that should be corrected immediately,
# such as a corrupted system database.
# - critical Critical conditions, e.g., hard device errors.
# - error Errors.
# - warning Warning messages.
# - notice Conditions that are not error conditions, but
# should possibly be handled specially.
# - info Informational messages.
# - debug Messages that contain information normally of use
# only when debugging a program.
# syslog_severity = info
# If logging via syslog, the severity can be set here.
# Defaults to info.
#
# The default format string.
format = "This is a log message for %{User-Name}"
#
# This next line can be omitted. If it is omitted, then
# the log message is static, and is always given by "format",
# above.
#
# If it is defined, then the string is dynamically expanded,
# and the result is used to find another configuration entry
# here, with the given name. That name is then used as the
# format string.
#
# If the configuration entry cannot be found, then no log
# message is printed.
#
# i.e. You can have many log messages in one "linelog" module.
# If this two-step expansion did not exist, you would have
# needed to configure one "linelog" module for each log message.
#
# Reference the Packet-Type (Access-Accept, etc.) If it doesn't
# exist, reference the "default" entry.
#
# This is for "linelog" being used in the post-auth section
# If you want to use it in "authorize", you need to change
# the reference to "messages.%{%{Packet-Type}:-default}",
# and then add the appropriate messages.
#
reference = "messages.%{%{reply:Packet-Type}:-default}"
#
# The messages defined here are taken from the "reference"
# expansion, above.
#
messages {
default = "Unknown packet type %{Packet-Type}"
Access-Accept = "Accepted user: %{User-Name}"
Access-Reject = "Rejected user: %{User-Name}"
Access-Challenge = "Sent challenge: %{User-Name}"
}
}
#
# Another example, for accounting packets.
#
linelog log_accounting {
#
# Used if the expansion of "reference" fails.
#
format = ""
filename = ${logdir}/linelog-accounting
permissions = 0600
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
#
# Another example:
#
#
Accounting-Request {
Start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})"
Stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds"
# Don't log anything for these packets.
Alive = ""
Accounting-On = "NAS %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} (%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}) just came online"
Accounting-Off = "NAS %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} (%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}) just went offline"
# don't log anything for other Acct-Status-Types.
unknown = "NAS %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} (%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}) sent unknown Acct-Status-Type %{Acct-Status-Type}"
}
}
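Review bot: the comment above the `unknown` entry in `log_accounting` contradicts the line it describes: `# don't log anything for other Acct-Status-Types.` is immediately followed by `unknown = "NAS ... sent unknown Acct-Status-Type %{Acct-Status-Type}"`, which does write a line, since the `reference` expansion falls through to `unknown` for every unrecognised type. Either reword the comment to say that unknown types are logged with the NAS address, or set `unknown = ""` the way `Alive` is handled. Also in this hunk: "handly" should be "handle" in the `escape_filenames` comment, and the two lines after `# syslog_severity = info` ("If logging via syslog, the severity can be set here." / "Defaults to info.") repeat the comment directly above them and can be dropped.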


@ -0,0 +1,23 @@
# -*- text -*-
#
# $Id: 25344527759d22b49b5e990fd83f0e506442fa76 $
# The logintime module. This handles the Login-Time,
# Current-Time, and Time-Of-Day attributes. It should be
# included in the *end* of the authorize section in order to
# handle Login-Time checks. It should also be included in the
# instantiate section in order to register the Current-Time
# and Time-Of-Day comparison functions.
#
# When the Login-Time attribute is set to some value, and the
# user has been permitted to log in, a Session-Timeout is
# calculated based on the remaining time. See "doc/README".
#
logintime {
# The minimum timeout (in seconds) a user is allowed
# to have. If the calculated timeout is lower we don't
# allow the login. Some NAS do not handle values
# lower than 60 seconds well.
minimum_timeout = 60
}


@ -0,0 +1,25 @@
# -*- text -*-
#
# $Id: a4ead1d64e8220344b483718ece4712bef5e9e36 $
######################################################################
#
# This next section is a sample configuration for the "passwd"
# module, that reads flat-text files.
#
# The file is in the format <mac>,<ip>
#
# 00:01:02:03:04:05,192.0.2.100
# 01:01:02:03:04:05,192.0.2.101
# 02:01:02:03:04:05,192.0.2.102
#
# This lets you perform simple static IP assignments from a flat-text
# file. You will have to define lease times yourself.
#
######################################################################
passwd mac2ip {
filename = ${modconfdir}/${.:name}/${.:instance}
format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address"
delimiter = ","
}
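Review bot: the `format` string (`format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address"`) relies on the `*` prefix on the lookup field and the `=` prefix on the value field, but the comment block above only explains the file layout, not what those markers mean. Since this file is presented as the sample configuration for the passwd module, a one-line comment saying which field is matched against the request and where the other field is written would spare users a trip to the module documentation; the mac2vlan file that follows uses the same convention and would benefit from the same note.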


@ -0,0 +1,18 @@
# -*- text -*-
#
# $Id: a1db803a71cddbb98daeeeda515cff2fc77ea318 $
# A simple file to map a MAC address to a VLAN.
#
# The file should be in the format MAC,VLAN
# the VLAN name cannot have spaces in it, for example:
#
# 00:01:02:03:04:05,VLAN1
# 03:04:05:06:07:08,VLAN2
# ...
#
passwd mac2vlan {
filename = ${modconfdir}/${.:name}/${.:instance}
format = "*VMPS-Mac:=VMPS-VLAN-Name"
delimiter = ","
}


@ -0,0 +1,57 @@
# -*- text -*-
#
# $Id: 1b27b44b5a2d82e23d67c07ba19f0ef3293960d2 $
#
# Write Moonshot-*-TargetedId (MSTID) to the database.
#
# Schema raddb/mods-config/sql/moonshot-targeted-ids/<DB>/schema.sql
# Queries raddb/mods-config/sql/moonshot-targeted-ids/<DB>/queries.conf
#
sql moonshot_tid_sql {
# The dialect of SQL you want to use, this should usually match
# the driver below.
#
# If you're using rlm_sql_null, then it should be the type of
# database the logged queries are going to be executed against.
dialect = "sqlite"
# The sub-module to use to execute queries. This should match
# the database you're attempting to connect to.
#
# There are MSTID queries available for:
# * rlm_sql_mysql
# * rlm_sql_postgresql
# * rlm_sql_sqlite
# * rlm_sql_null (log queries to disk)
#
driver = "rlm_sql_${dialect}"
sqlite {
filename = ${radacctdir}/moonshot-targeted-ids.sqlite
bootstrap = ${modconfdir}/${..:name}/moonshot-targeted-ids/sqlite/schema.sql
}
# Write MSTID queries to a logfile. Useful for debugging.
# logfile = ${logdir}/moonshot-targeted-id-log.sql
pool {
start = 5
min = 4
max = 10
spare = 3
uses = 0
lifetime = 0
idle_timeout = 60
}
# If you adjust the table name here, you must also modify the table name in
# the moonshot_get_targeted_id.post-auth policy in policy.d/moonshot-targeted-ids
# and the schema.sql files in the mods-config/sql/moonshot-targeted-ids tree.
#
moonshot_tid_table = "moonshot_targeted_ids"
sql_user_name = "%{User-Name}"
$INCLUDE ${modconfdir}/${.:name}/moonshot-targeted-ids/${dialect}/queries.conf
}
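Review bot: the `pool {}` block hard-codes `start = 5`, `min = 4`, `max = 10` instead of deriving them from `${thread[pool].*}` as the ldap and mschap pools in this commit do. With `max = 10` fixed, a server running more than ten worker threads will hit exactly the starvation those files warn about ("No connections available and at max connection limit"). Suggest `max = ${thread[pool].max_servers}` (and the matching `start`, `min` and `spare` references), or a comment explaining why this pool is sized independently of the thread pool.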


@ -0,0 +1,253 @@
# -*- text -*-
#
# $Id: 1748d5747f5b2fda08a017ad3095d9b96b0c2ee0 $
#
# Microsoft CHAP authentication
#
# This module supports MS-CHAP and MS-CHAPv2 authentication.
# It also enforces the SMB-Account-Ctrl attribute.
#
mschap {
#
# If you are using /etc/smbpasswd, see the 'passwd'
# module for an example of how to use /etc/smbpasswd
#
#
# If use_mppe is not set to no mschap, will
# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
#
# use_mppe = no
#
# If MPPE is enabled, require_encryption makes
# encryption moderate
#
# require_encryption = yes
#
# require_strong always requires 128 bit key
# encryption
#
# require_strong = yes
#
# This module can perform authentication itself, OR
# use a Windows Domain Controller. This configuration
# directive tells the module to call the ntlm_auth
# program, which will do the authentication, and return
# the NT-Key. Note that you MUST have "winbindd" and
# "nmbd" running on the local machine for ntlm_auth
# to work. See the ntlm_auth program documentation
# for details.
#
# If ntlm_auth is configured below, then the mschap
# module will call ntlm_auth for every MS-CHAP
# authentication request. If there is a cleartext
# or NT hashed password available, you can set
# "MS-CHAP-Use-NTLM-Auth := No" in the control items,
# and the mschap module will do the authentication itself,
# without calling ntlm_auth.
#
# Be VERY careful when editing the following line!
#
# You can also try setting the user name as:
#
# ... --username=%{mschap:User-Name} ...
#
# In that case, the mschap module will look at the User-Name
# attribute, and do prefix/suffix checks in order to obtain
# the "best" user name for the request.
#
# For Samba 4, you should also set the "ntlm auth" parameter
# in the Samba configuration:
#
# ntlm auth = yes
#
# or
#
# ntlm auth = mschapv2-and-ntlmv2-only
#
# This will let Samba 4 accept the MS-CHAP authentication
# method that is needed by FreeRADIUS.
#
# Depending on the Samba version, you may also need to add:
#
# --allow-mschapv2
#
# to the command-line parameters.
#
# ntlm_auth = "/path/to/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
#
# The default is to wait 10 seconds for ntlm_auth to
# complete. This is a long time, and if it's taking that
# long then you likely have other problems in your domain.
# The length of time can be decreased with the following
# option, which can save clients waiting if your ntlm_auth
# usually finishes quicker. Range 1 to 10 seconds.
#
# ntlm_auth_timeout = 10
#
# An alternative to using ntlm_auth is to connect to the
# winbind daemon directly for authentication. This option
# is likely to be faster and may be useful on busy systems,
# but is less well tested.
#
# Using this option requires libwbclient from Samba 4.2.1
# or later to be installed. Make sure that ntlm_auth above is
# commented out.
#
# winbind_username = "%{mschap:User-Name}"
# winbind_domain = "%{mschap:NT-Domain}"
#
# When using single sign-on with a winbind connection and the
# client uses a different casing for the username than the
# casing is according to the backend, reauth may fail because
# of some Windows internals. This switch tries to find the
# user in the correct casing in the backend, and retry
# authentication with that username.
#
# winbind_retry_with_normalised_username = no
#
# Information for the winbind connection pool. The configuration
# items below are the same for all modules which use the new
# connection pool.
#
pool {
#
# Connections to create during module instantiation.
# If the server cannot create specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# winbind daemon being available.
#
start = ${thread[pool].start_servers}
#
# Minimum number of connections to keep open
#
min = ${thread[pool].min_spare_servers}
#
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like 'No connections available and at max connection limit'
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
#
max = ${thread[pool].max_servers}
#
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
#
spare = ${thread[pool].max_spare_servers}
#
# Number of uses before the connection is closed
#
# 0 means "infinite"
#
uses = 0
#
# The number of seconds to wait after the server tries
# to open a connection, and fails. During this time,
# no new connections will be opened.
#
retry_delay = 30
#
# The lifetime (in seconds) of the connection
#
# NOTE: A setting of 0 means infinite (no limit).
#
lifetime = 86400
#
# The pool is checked for free connections every
# "cleanup_interval". If there are free connections,
# then one of them is closed.
#
cleanup_interval = 300
#
# The idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
#
# NOTE: A setting of 0 means infinite (no timeout).
#
idle_timeout = 600
#
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
#
}
passchange {
#
# This support MS-CHAPv2 (not v1) password change
# requests. See doc/mschap.rst for more IMPORTANT
# information.
#
# Samba/ntlm_auth - if you are using ntlm_auth to
# validate passwords, you will need to use ntlm_auth
# to change passwords. Uncomment the three lines
# below, and change the path to ntlm_auth.
#
# ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
# ntlm_auth_username = "username: %{mschap:User-Name}"
# ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"
#
# To implement a local password change, you need to
# supply a string which is then expanded, so that the
# password can be placed somewhere. e.g. passed to a
# script (exec), or written to SQL (UPDATE/INSERT).
# We give both examples here, but only one will be
# used.
#
# local_cpw = "%{exec:/path/to/script %{mschap:User-Name} %{MS-CHAP-New-Cleartext-Password}}"
#
# local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{SQL-User-Name}' and attribute='NT-Password'}"
}
#
# For Apple Server, when running on the same machine as
# Open Directory. It has no effect on other systems.
#
# use_open_directory = yes
#
# On failure, set (or not) the MS-CHAP error code saying
# "retries allowed".
#
# allow_retry = yes
#
# An optional retry message.
#
# retry_msg = "Re-enter (or reset) the password"
}
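Review bot: the exec example for `local_cpw` in `passchange {}` passes the new cleartext password to a script as a command-line argument (`local_cpw = "%{exec:/path/to/script %{mschap:User-Name} %{MS-CHAP-New-Cleartext-Password}}"`), which exposes it to every local user through the process table for as long as the script runs. The comment should say so and steer readers to the SQL variant (which at least stores the NT hash) or to handing the value to the script some other way than argv. The SQL example interpolates `%{MS-CHAP-New-NT-Password}` and `%{SQL-User-Name}` straight into the statement; a note that `SQL-User-Name` must be the escaped value produced by the sql module, not a raw `User-Name`, would prevent copy-paste injection mistakes. Two wording fixes in the same hunk: "If use_mppe is not set to no mschap, will" has the comma in the wrong place ("set to no, mschap will"), and "This support MS-CHAPv2" should read "This supports".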


@ -0,0 +1,18 @@
#
# For testing ntlm_auth authentication with PAP.
#
# If you have problems with authentication failing, even when the
# password is good, it may be a bug in Samba:
#
# https://bugzilla.samba.org/show_bug.cgi?id=6563
#
# Depending on the AD / Samba configuration, you may also need to add:
#
# --allow-mschapv2
#
# to the list of command-line options.
#
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}
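Review bot: `program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"` puts the user's cleartext password on the ntlm_auth command line, where any local user can read it from the process list while the helper runs, and `wait = yes` keeps that window open until it exits. The header only says "For testing"; it should say explicitly that this instance is not for production and point at the mschap module's `ntlm_auth` and winbind options in the previous file, which work on the challenge/response and never see the cleartext password. `--domain=MYDOMAIN` is a placeholder and should be marked as one in the comment.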


@ -0,0 +1,26 @@
# -*- text -*-
#
# $Id: 443d74dc08f19ddb59ea342f756c90066623e1c6 $
# This module is only used when the server is running on the same
# system as OpenDirectory. The configuration of the module is hard-coded
# by Apple, and cannot be changed here.
#
# There are no configuration entries for this module.
#
# The MS-CHAP module will automatically talk to OpenDirectory, if the
# server is built on an OSX machine. However, you must also set
# dsAttrTypeNative:apple-enabled-auth-mech attribute in the
# /config/dirserv OpenDirectory record. You will probably also need
# to change the user passwords in order to re-generate the
# appropriate hashes.
#
# Complete OSX configuration information is available on Apple's web site:
#
# https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf
#
# See also https://discussions.apple.com/thread/6053980?tstart=0
#
opendirectory {
}


@ -0,0 +1,75 @@
#
# Configuration for the OTP module.
#
# This module allows you to use various handheld OTP tokens
# for authentication (Auth-Type := otp). These tokens are
# available from various vendors.
#
# It works in conjunction with otpd, which implements token
# management and OTP verification functions; and lsmd or gsmd,
# which implements synchronous state management functions.
# You must list this module in BOTH the authorize and authenticate
# sections in order to use it.
otp {
# otpd rendezvous point.
# (default: /var/run/otpd/socket)
#otpd_rp = /var/run/otpd/socket
# Text to use for the challenge.
# Default "Challenge: %{reply:OTP-Challenge}\n Response: "
challenge_prompt = "Challenge: %{reply:OTP-Challenge} \n Response: "
# Length of the challenge. Most tokens probably support a
# max of 8 digits. (range: 5-32 digits, default 6)
#challenge_length = 6
# Maximum time, in seconds, that a challenge is valid.
# (The user must respond to a challenge within this time.)
# It is also the minimal time between consecutive async mode
# authentications, a necessary restriction due to an inherent
# weakness of the RADIUS protocol which allows replay attacks.
# (default: 30)
#challenge_delay = 30
# Whether or not to allow asynchronous ("pure" challenge/
# response) mode authentication. Since sync mode is much more
# usable, and all reasonable tokens support it, the typical
# use of async mode is to allow re-sync of event based tokens.
# But because of the vulnerability of async mode with some tokens,
# you probably want to disable this and require that out-of-sync
# users re-sync from specifically secured terminals.
# See the otpd docs for more info.
# (default: no)
#allow_async = no
# Whether or not to allow synchronous mode authentication.
# When using otpd with lsmd, it is *CRITICALLY IMPORTANT*
# that if your OTP users can authenticate to multiple RADIUS
# servers, this must be "yes" for the primary/default server,
# and "no" for the others. This is because lsmd does not
# share state information across multiple servers. Using "yes"
# on all your RADIUS servers would allow replay attacks!
# Also, for event based tokens, the user will be out of sync
# on the "other" servers. In order to use "yes" on all your
# servers, you must either use gsmd, which synchronises state
# globally, or implement your own state synchronisation method.
# (default: yes)
#allow_sync = yes
# If both allow_async and allow_sync are "yes", a challenge is
# always presented to the user. This is incompatible with NAS
# that can't present or don't handle Access-Challenge's, e.g.
# PPTP servers. Even though a challenge is presented, the user
# can still enter their synchronous passcode.
# The following are MPPE settings. Note that MS-CHAP (v1) is
# strongly discouraged. All possible values are listed as
# {value = meaning}. Default values are first.
#mschapv2_mppe = {2 = required, 1 = optional, 0 = forbidden}
#mschapv2_mppe_bits = {2 = 128, 1 = 128 or 40, 0 = 40}
#mschap_mppe = {2 = required, 1 = optional, 0 = forbidden}
#mschap_mppe_bits = {2 = 128}
}
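Review bot: the configured `challenge_prompt` ("Challenge: %{reply:OTP-Challenge} \n Response: ") has a space before the `\n`, but the documented default two lines above does not; correct one of them so the comment matches the actual value. The MPPE lines at the end, such as `#mschapv2_mppe = {2 = required, 1 = optional, 0 = forbidden}`, are a legend rather than a parseable value and will fail if a reader simply uncomments them; suggest `#mschapv2_mppe = 2` with the value/meaning legend kept in a separate comment beside it.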

View file

@ -0,0 +1,26 @@
# -*- text -*-
#
# $Id: f4a91a948637bb2f42f613ed9faa6f9ae9ae6099 $
# Pluggable Authentication Modules
#
# For Linux, see:
# http://www.kernel.org/pub/linux/libs/pam/index.html
#
# WARNING: On many systems, the system PAM libraries have
# memory leaks! We STRONGLY SUGGEST that you do not
# use PAM for authentication, due to those memory leaks.
#
pam {
#
# The name to use for PAM authentication.
# PAM looks in /etc/pam.d/${pam_auth_name}
# for it's configuration. See 'redhat/radiusd-pam'
# for a sample PAM configuration file.
#
# Note that any Pam-Auth attribute set in the 'authorize'
# section will over-ride this one.
#
pam_auth = radiusd
}
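Review bot: typo in the `pam_auth` comment, "for it's configuration" should read "for its configuration". The kernel.org link in the header is plain http; use https.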

View file

@ -0,0 +1,18 @@
# -*- text -*-
#
# $Id: 0038ecd154840c71ceff33ddfdd936e4e28e0bcd $
# PAP module to authenticate users based on their stored password
#
# Supports multiple encryption/hash schemes. See "man rlm_pap"
# for details.
#
# For instructions on creating the various types of passwords, see:
#
# http://www.openldap.org/faq/data/cache/347.html
pap {
# By default the server will use heuristics to try and automatically
# handle base64 or hex encoded passwords. This behaviour can be
# stopped by setting the following to "no".
# normalise = yes
}
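Review bot: the `http://www.openldap.org/faq/data/cache/347.html` reference is plain http; use https. The `normalise` comment would also benefit from one sentence on what "heuristics" means here (detecting base64 or hex encoding of the stored hash) so a reader knows what turning it off changes.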

View file

@ -0,0 +1,55 @@
# -*- text -*-
#
# $Id: 11bd2246642bf3c080327c7f4a67dc42603f3a6c $
# passwd module allows to do authorization via any passwd-like
# file and to extract any attributes from these files.
#
# See the "smbpasswd" and "etc_group" files for more examples.
#
# parameters are:
# filename - path to file
#
# format - format for filename record. This parameters
# correlates record in the passwd file and RADIUS
# attributes.
#
# Field marked as '*' is a key field. That is, the parameter
# with this name from the request is used to search for
# the record from passwd file
#
# Attributes marked as '=' are added to reply_items instead
# of default configure_items
#
# Attributes marked as '~' are added to request_items
#
# Field marked as ',' may contain a comma separated list
# of attributes.
#
# hash_size - hashtable size. Setting it to 0 is no longer permitted
# A future version of the server will have the module
# automatically determine the hash size. Having it set
# manually should not be necessary.
#
# allow_multiple_keys - if many records for a key are allowed
#
# ignore_nislike - ignore NIS-related records
#
# delimiter - symbol to use as a field separator in passwd file,
# for format ':' symbol is always used. '\0', '\n' are
# not allowed
#
# An example configuration for using /etc/passwd.
#
# This is an example which will NOT WORK if you have shadow passwords,
# NIS, etc. The "unix" module is normally responsible for reading
# system passwords. You should use it instead of this example.
#
passwd etc_passwd {
filename = /etc/passwd
format = "*User-Name:Crypt-Password:"
hash_size = 100
ignore_nislike = no
allow_multiple_keys = no
}
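Review bot: grammar in the header: "passwd module allows to do authorization via" should read "the passwd module allows authorization via", and "This parameters correlates record in the passwd file and RADIUS attributes" should read "This parameter maps a record in the passwd file to RADIUS attributes". The active `etc_passwd` block reads `Crypt-Password` from the second field of `/etc/passwd`, which on any system with shadow passwords is just `x`; the comment already warns that the example will not work, so consider shipping the block commented out rather than as a live module that always fails.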

View file

@ -0,0 +1,94 @@
# -*- text -*-
#
# $Id: fa04cdabb71767050aaa0664da792fd6086adb19 $
# Persistent, embedded Perl interpreter.
#
perl {
#
# The Perl script to execute on authorize, authenticate,
# accounting, xlat, etc. This is very similar to using
# 'rlm_exec' module, but it is persistent, and therefore
# faster.
#
filename = ${modconfdir}/${.:instance}/example.pl
#
# Options which are passed to the Perl interpreter.
# These are (mostly) the same options as are passed
# to the "perl" command line.
#
# The most useful flag is "-T". This sets tainting on. And
# as of 3.0.18, makes it impossible to leverage bad
# User-Names into local command execution.
#
perl_flags = "-T"
#
# The following hashes are given to the module and
# filled with value-pairs (Attribute names and values)
#
# %RAD_CHECK Check items
# %RAD_REQUEST Attributes from the request
# %RAD_REPLY Attributes for the reply
# %RAD_REQUEST_PROXY Attributes from the proxied request
# %RAD_REQUEST_PROXY_REPLY Attributes from the proxy reply
#
# The interface between FreeRADIUS and Perl is strings.
# That is, attributes of type "octets" are converted to
# printable strings, such as "0xabcdef". If you want to
# access the binary values of the attributes, you should
# call the Perl "pack" function. Then to send any binary
# data back to FreeRADIUS, call the Perl "unpack" function,
# so that the contents of the hashes are printable strings.
#
# IP addresses are sent as strings, e.g. "192.0.2.25", and
# not as a 4-byte binary value. The same applies to other
# attribute data types.
#
# Attributes of type "string" are copied to Perl as-is.
# They are not escaped or interpreted.
#
# The return codes from functions in the perl_script
# are passed directly back to the server. These
# codes are defined in mods-config/example.pl
#
# You can define configuration items (and nested sub-sections) in perl "config" section.
# These items will be accessible in the perl script through %RAD_PERLCONF hash.
# For instance: $RAD_PERLCONF{'name'} $RAD_PERLCONF{'sub-config'}->{'name'}
#
#config {
# name = "value"
# sub-config {
# name = "value of name from config.sub-config"
# }
#}
#
# List of functions in the module to call.
# Uncomment and change if you want to use function
# names other than the defaults.
#
#func_authenticate = authenticate
#func_authorize = authorize
#func_preacct = preacct
#func_accounting = accounting
#func_checksimul = checksimul
#func_pre_proxy = pre_proxy
#func_post_proxy = post_proxy
#func_post_auth = post_auth
#func_recv_coa = recv_coa
#func_send_coa = send_coa
#func_xlat = xlat
#func_detach = detach
#
# Uncomment the following lines if you wish
# to use separate functions for Start and Stop
# accounting packets. In that case, the
# func_accounting function is not called.
#
#func_start_accounting = accounting_start
#func_stop_accounting = accounting_stop
}
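Review bot: the `perl_flags` comment overstates what `-T` buys: "makes it impossible to leverage bad User-Names into local command execution" should be softened, since taint mode only refuses to pass tainted data to `system`, `exec`, backticks, `open` for writing and similar calls, and a script that untaints with a permissive regex is still exploitable; suggest "makes Perl refuse to pass unchecked attribute values to system(), exec() and similar calls". Also, "These codes are defined in mods-config/example.pl" does not match `filename = ${modconfdir}/${.:instance}/example.pl`, which resolves to mods-config/perl/example.pl.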

View file

@ -0,0 +1,62 @@
# -*- text -*-
#
# $Id: 8baec7961ba75fe52546cb1331868b0b2b1c38f4 $
# Preprocess the incoming RADIUS request, before handing it off
# to other modules.
#
# This module processes the 'huntgroups' and 'hints' files.
# In addition, it re-writes some weird attributes created
# by some NAS, and converts the attributes into a form which
# is a little more standard.
#
preprocess {
# Search for files in a subdirectory of mods-config which
# matches this instance of the preprocess module.
moddir = ${modconfdir}/${.:instance}
huntgroups = ${moddir}/huntgroups
hints = ${moddir}/hints
# This hack changes Ascend's weird port numbering
# to standard 0-??? port numbers so that the "+" works
# for IP address assignments.
with_ascend_hack = no
ascend_channels_per_line = 23
# Windows NT machines often authenticate themselves as
# NT_DOMAIN\username
#
# If this is set to 'yes', then the NT_DOMAIN portion
# of the user-name is silently discarded.
#
# This configuration entry SHOULD NOT be used.
# See the "realms" module for a better way to handle
# NT domains.
with_ntdomain_hack = no
# Specialix Jetstream 8500 24 port access server.
#
# If the user name is 10 characters or longer, a "/"
# and the excess characters after the 10th are
# appended to the user name.
#
# If you're not running that NAS, you don't need
# this hack.
with_specialix_jetstream_hack = no
# Cisco (and Quintum in Cisco mode) sends it's VSA attributes
# with the attribute name *again* in the string, like:
#
# H323-Attribute = "h323-attribute=value".
#
# If this configuration item is set to 'yes', then
# the redundant data in the the attribute text is stripped
# out. The result is:
#
# H323-Attribute = "value"
#
# If you're not running a Cisco or Quintum NAS, you don't
# need this hack.
with_cisco_vsa_hack = no
}
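Review bot: two typos in the `with_cisco_vsa_hack` comment: "sends it's VSA attributes" should be "sends its VSA attributes", and "the the attribute text" has a doubled word. The `with_ntdomain_hack` comment says the entry SHOULD NOT be used but not why; a clause noting that stripping the domain here happens before the `realm` modules see it would justify the pointer to the realms module.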

View file

@ -0,0 +1,65 @@
#
# Make sure the PYTHONPATH environmental variable contains the
# directory(s) for the modules listed below.
#
# Uncomment any func_* which are included in your module. If
# rlm_python is called for a section which does not have
# a function defined, it will return NOOP.
#
python {
# Path to the python modules
#
# Note that due to limitations on Python, this configuration
# item is GLOBAL TO THE SERVER. That is, you cannot have two
# instances of the python module, each with a different path.
#
# python_path="${modconfdir}/${.:name}:/path/to/python/files:/another_path/to/python_files/"
module = example
# Pass all VPS lists as a 6-tuple to the callbacks
# (request, reply, config, state, proxy_req, proxy_reply)
# pass_all_vps = no
# Pass all VPS lists as a dictionary to the callbacks
# Keys: "request", "reply", "config", "session-state", "proxy-request",
# "proxy-reply"
# This option prevales over "pass_all_vps"
# pass_all_vps_dict = no
# mod_instantiate = ${.module}
# func_instantiate = instantiate
# mod_detach = ${.module}
# func_detach = detach
# mod_authorize = ${.module}
# func_authorize = authorize
# mod_authenticate = ${.module}
# func_authenticate = authenticate
# mod_preacct = ${.module}
# func_preacct = preacct
# mod_accounting = ${.module}
# func_accounting = accounting
# mod_checksimul = ${.module}
# func_checksimul = checksimul
# mod_pre_proxy = ${.module}
# func_pre_proxy = pre_proxy
# mod_post_proxy = ${.module}
# func_post_proxy = post_proxy
# mod_post_auth = ${.module}
# func_post_auth = post_auth
# mod_recv_coa = ${.module}
# func_recv_coa = recv_coa
# mod_send_coa = ${.module}
# func_send_coa = send_coa
}
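Review bot: "This option prevales over "pass_all_vps"" should read "takes precedence over". The header tells the reader to set `PYTHONPATH`, yet `module = example` is active while `python_path` is commented out, so with `PYTHONPATH` unset the module `example` cannot be found at instantiation; either uncomment `python_path="${modconfdir}/${.:name}"` or state in the header that one of the two must be set before enabling this module.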

View file

@ -0,0 +1,65 @@
#
# Make sure the PYTHONPATH environmental variable contains the
# directory(s) for the modules listed below.
#
# Uncomment any func_* which are included in your module. If
# rlm_python is called for a section which does not have
# a function defined, it will return NOOP.
#
python3 {
# Path to the python modules
#
# Note that due to limitations on Python, this configuration
# item is GLOBAL TO THE SERVER. That is, you cannot have two
# instances of the python module, each with a different path.
#
# python_path="${modconfdir}/${.:name}:/another_path/to/python_files"
module = example
# Pass all VPS lists as a 6-tuple to the callbacks
# (request, reply, config, state, proxy_req, proxy_reply)
# pass_all_vps = no
# Pass all VPS lists as a dictionary to the callbacks
# Keys: "request", "reply", "config", "session-state", "proxy-request",
# "proxy-reply"
# This option prevales over "pass_all_vps"
# pass_all_vps_dict = no
# mod_instantiate = ${.module}
# func_instantiate = instantiate
# mod_detach = ${.module}
# func_detach = detach
# mod_authorize = ${.module}
# func_authorize = authorize
# mod_authenticate = ${.module}
# func_authenticate = authenticate
# mod_preacct = ${.module}
# func_preacct = preacct
# mod_accounting = ${.module}
# func_accounting = accounting
# mod_checksimul = ${.module}
# func_checksimul = checksimul
# mod_pre_proxy = ${.module}
# func_pre_proxy = pre_proxy
# mod_post_proxy = ${.module}
# func_post_proxy = post_proxy
# mod_post_auth = ${.module}
# func_post_auth = post_auth
# mod_recv_coa = ${.module}
# func_recv_coa = recv_coa
# mod_send_coa = ${.module}
# func_send_coa = send_coa
}
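Review bot: this is the `python3` instance, but the header still says `rlm_python` and the `python_path` comment still refers to "the python module"; update both to `rlm_python3` so a reader grepping for the right module finds it. Same "prevales" typo as in the python file: "takes precedence over". The two files otherwise duplicate about sixty lines of comments; a one-line pointer to the other file would be easier to keep in sync.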

View file

@ -0,0 +1,53 @@
# -*- text -*-
#
# $Id: 82319c033bbf349991a46b8f198a5bf5487b5da8 $
# Write a 'utmp' style file, of which users are currently
# logged in, and where they've logged in from.
#
# This file is used mainly for Simultaneous-Use checking,
# and also 'radwho', to see who's currently logged in.
#
radutmp {
# Where the file is stored. It's not a log file,
# so it doesn't need rotating.
#
filename = ${logdir}/radutmp
# The field in the packet to key on for the
# 'user' name, If you have other fields which you want
# to use to key on to control Simultaneous-Use,
# then you can use them here.
#
# Note, however, that the size of the field in the
# 'utmp' data structure is small, around 32
# characters, so that will limit the possible choices
# of keys.
#
# You may want instead: %{%{Stripped-User-Name}:-%{User-Name}}
username = %{User-Name}
# Whether or not we want to treat "user" the same
# as "USER", or "User". Some systems have problems
# with case sensitivity, so this should be set to
# 'no' to enable the comparisons of the key attribute
# to be case insensitive.
#
case_sensitive = yes
# Accounting information may be lost, so the user MAY
# have logged off of the NAS, but we haven't noticed.
# If so, we can verify this information with the NAS,
#
# If we want to believe the 'utmp' file, then this
# configuration entry can be set to 'no'.
#
check_with_nas = yes
# Set the file permissions, as the contents of this file
# are usually private.
permissions = 0600
caller_id = "yes"
}
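Review bot: inconsistent quoting: `caller_id = "yes"` is quoted while `case_sensitive = yes` and `check_with_nas = yes` are not, and `caller_id` is the only item in the block without a comment saying what it records (presumably the Calling-Station-Id of the session, which is an assumption on my part). Comma splice in "'user' name, If you have other fields"; make it a full stop. `permissions = 0600` is the right default given the file records who is logged in and from where.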

View file

@ -0,0 +1,75 @@
# -*- text -*-
#
# $Id: 8ff95a9e9a652c2df9f992b0eb528084b6a7a2dc $
# Realm module, for proxying.
#
# You can have multiple instances of the realm module to
# support multiple realm syntaxes at the same time. The
# search order is defined by the order that the modules are listed
# in the authorize and preacct sections.
#
# Four config options:
# format - must be "prefix" or "suffix"
# The special cases of "DEFAULT"
# and "NULL" are allowed, too.
# delimiter - must be a single character
# 'realm/username'
#
# Using this entry, IPASS users have their realm set to "IPASS".
realm IPASS {
format = prefix
delimiter = "/"
}
# 'username@realm'
#
realm suffix {
format = suffix
delimiter = "@"
# The next configuration items are valid ONLY for a trust-router.
# For all other realms, they are ignored.
# trust_router = "localhost"
# tr_port = 12309
# rp_realm = "realm.example.com"
# default_community = "apc.communities.example.com"
# # if rekey_enabled is enabled, dynamic realms are automatically rekeyed
# # before they expire to avoid having to recreate them from scrach on
# # demand (implying lengthy authentications)
# rekey_enabled = no
# # if realm_lifetime is > 0, the rekey is scheduled to happen the
# # specified number of seconds after its creation or rekeying. Otherwise,
# # the key material expiration timestamp is used
# realm_lifetime = 0
}
# 'realm!username'
#
realm bangpath {
format = prefix
delimiter = "!"
# trust_router = "localhost"
# tr_port = 12309
# rp_realm = "realm.example.com"
# default_community = "apc.communities.example.com"
# rekey_enabled = no
# realm_lifetime = 0
}
# 'username%realm'
#
realm realmpercent {
format = suffix
delimiter = "%"
}
#
# 'domain\user'
#
realm ntdomain {
format = prefix
delimiter = "\\"
}
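Review bot: the header says "Four config options:" but lists only `format` and `delimiter`; either list the other two or fix the count. Typo at "from scrach on demand" (scratch). The trust-router items (`trust_router`, `tr_port`, `rp_realm`, `default_community`, `rekey_enabled`, `realm_lifetime`) are explained once under `suffix` and then repeated without any comment under `bangpath`; a one-line "see suffix above" there would stop readers assuming they mean something different.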

View file

@ -0,0 +1,99 @@
# -*- text -*-
#
# $Id: 64789f58a7f937b7b9f4c7ff783153fb5194ba25 $
#
# Configuration file for the "redis" module. This module does nothing
# Other than provide connections to a redis database, and a %{redis: ...}
# expansion.
#
redis {
# Host where the redis server is located.
# We recommend using ONLY 127.0.0.1 !
server = 127.0.0.1
# Select the Redis logical database having the specified zero-based numeric index.
# database = 0
# The default port.
port = 6379
# The password used to authenticate to the server.
# We recommend using a strong password.
# password = thisisreallysecretandhardtoguess
# Set connection and query timeout for rlm_redis
query_timeout = 5
#
# Information for the connection pool. The configuration items
# below are the same for all modules which use the new
# connection pool.
#
pool {
# Connections to create during module instantiation.
# If the server cannot create specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# web service being available.
start = ${thread[pool].start_servers}
# Minimum number of connections to keep open
min = ${thread[pool].min_spare_servers}
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like 'No connections available and at max connection limit'
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
max = ${thread[pool].max_servers}
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
spare = ${thread[pool].max_spare_servers}
# Number of uses before the connection is closed
#
# 0 means "infinite"
uses = 0
# The number of seconds to wait after the server tries
# to open a connection, and fails. During this time,
# no new connections will be opened.
retry_delay = 30
# The lifetime (in seconds) of the connection
#
# NOTE: A setting of 0 means infinite (no limit).
lifetime = 86400
# The pool is checked for free connections every
# "cleanup_interval". If there are free connections,
# then one of them is closed.
cleanup_interval = 300
# The idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
#
# NOTE: A setting of 0 means infinite (no timeout).
idle_timeout = 600
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
}
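Review bot: the `pool.start` comment says "without the web service being available", which was copied from the rest module; this is a Redis server. The `password` item is a cleartext credential in the config file and the connection is plain TCP on 6379 with no TLS option in this block, which is the real reason behind "We recommend using ONLY 127.0.0.1"; suggest the comment say so explicitly and remind the reader to keep the file readable only by the radiusd user.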

View file

@ -0,0 +1,52 @@
# -*- text -*-
#
# $Id: d303550fa48460f9583c051795ad7f179fcbd36b $
#
# Configuration file for the "rediswho" module.
#
# This module tracks the last set of login sessions for a user.
#
rediswho {
# REDIS instance to use (from mods-available/redis)
#
# If you have multiple redis instances, such as "redis redis1 {...}",
# use the *instance* name here: redis1.
# redis_module_instance = redis
# How many sessions to keep track of per user.
# If there are more than this number, older sessions are deleted.
trim_count = 15
# Expiry time in seconds. Any sessions which have not received
# an update in this time will be automatically expired.
expire_time = 86400
#
# Each subsection contains insert / trim / expire queries.
# The subsections are named after the contents of the
# Acct-Status-Type attribute. See dictionary.rfc2866 for names
# of the various Acct-Status-Type values, or look at the output
# of debug mode.
#
# This module supports *any* Acct-Status-Type. Just add a subsection
# of the appropriate name, along with insert / trim / expire queries.
#
Start {
insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}"
trim = "LTRIM %{User-Name} 0 ${..trim_count}"
expire = "EXPIRE %{User-Name} ${..expire_time}"
}
Interim-Update {
insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}"
trim = "LTRIM %{User-Name} 0 ${..trim_count}"
expire = "EXPIRE %{User-Name} ${..expire_time}"
}
Stop {
insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}"
trim = "LTRIM %{User-Name} 0 ${..trim_count}"
expire = "EXPIRE %{User-Name} ${..expire_time}"
}
}
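Review bot: off-by-one in every `trim` line: `LTRIM %{User-Name} 0 ${..trim_count}` keeps indices 0 through 15 inclusive, i.e. 16 entries, while the comment describes `trim_count = 15` as "how many sessions to keep"; either document that one extra entry is kept or trim to `0 14`. The Redis key is the raw `%{User-Name}` in all three sections; a name containing whitespace could be split into extra command arguments when the command string is tokenised, so please confirm the redis module escapes the expansion, or key on something with a fixed prefix such as `rediswho:%{%{Stripped-User-Name}:-%{User-Name}}`.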

View file

@ -0,0 +1,42 @@
# Replicate packet(s) to a home server.
#
# This module will open a new socket for each packet, and "clone"
# the incoming packet to the destination realm (i.e. home server).
# These packets are only sent to UDP home servers. TCP and TLS
# are not supported.
#
# Use it by setting "Replicate-To-Realm = name" in the control list,
# just like Proxy-To-Realm. The configurations for the two attributes
# are identical. The realm must exist, the home_server_pool must exist,
# and the home_server must exist.
#
# The only difference is that the "replicate" module sends requests
# and does not expect a reply. Any reply is ignored.
#
# Both Replicate-To-Realm and Proxy-To-Realm can be used at the same time.
#
# To use this module, list "replicate" in the "authorize" or
# "accounting" section. Then, ensure that Replicate-To-Realm is set.
# The contents of the "packet" attribute list will be sent to the
# home server. The usual load-balancing, etc. features of the home
# server will be used.
#
# "radmin" can be used to mark home servers alive/dead, in order to
# enable/disable replication to specific servers.
#
# Packets can be replicated to multiple destinations. Just set
# Replicate-To-Realm multiple times. One packet will be sent for
# each of the Replicate-To-Realm attribute in the "control" list.
#
# If no packets are sent, the module returns "noop". If at least one
# packet is sent, the module returns "ok". If an error occurs, the
# module returns "fail"
#
# Note that replication does NOT change any of the packet statistics.
# If you use "radmin" to look at the statistics for a home server,
# the replicated packets will cause NO counters to increment. This
# is not a bug, this is how replication works.
#
replicate {
}
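Review bot: "One packet will be sent for each of the Replicate-To-Realm attribute in the "control" list" should read "attributes". The comment explains routing and return codes but not which shared secret the cloned packet is signed with when it is re-sent to the home server; please state it, since that is what a reader setting up replication to a second site will need to get right.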

View file

@ -0,0 +1,290 @@
rest {
#
# This subsection configures the tls related items
# that control how FreeRADIUS connects to a HTTPS
# server.
#
tls {
# Certificate Authorities:
# "ca_file" (libcurl option CURLOPT_ISSUERCERT).
# File containing a single CA, which is the issuer of the server
# certificate.
# "ca_info_file" (libcurl option CURLOPT_CAINFO).
# File containing a bundle of certificates, which allow to handle
# certificate chain validation.
# "ca_path" (libcurl option CURLOPT_CAPATH).
# Directory holding CA certificates to verify the peer with.
# ca_file = ${certdir}/cacert.pem
# ca_info_file = ${certdir}/cacert_bundle.pem
# ca_path = ${certdir}
# certificate_file = /path/to/radius.crt
# private_key_file = /path/to/radius.key
# private_key_password = "supersecret"
# random_file = /dev/urandom
# Server certificate verification requirements. Can be:
# "no" (don't even bother trying)
# "yes" (verify the cert was issued by one of the
# trusted CAs)
#
# The default is "yes"
# check_cert = yes
# Server certificate CN verification requirements. Can be:
# "no" (don't even bother trying)
# "yes" (verify the CN in the certificate matches the host
# in the URI)
#
# The default is "yes"
# check_cert_cn = yes
}
# rlm_rest will open a connection to the server specified in connect_uri
# to populate the connection cache, ready for the first request.
# The server will not start if the server specified is unreachable.
#
# If you wish to disable this pre-caching and reachability check,
# comment out the configuration item below.
connect_uri = "http://127.0.0.1/"
#
# How long before new connection attempts timeout, defaults to 4.0 seconds.
#
# connect_timeout = 4.0
#
# Specify HTTP protocol version to use. one of '1.0', '1.1', '2.0', '2.0+auto',
# '2.0+tls' or 'default'. (libcurl option CURLOPT_HTTP_VERSION)
#
# http_negotiation = 1.1
#
# The following config items can be used in each of the sections.
# The sections themselves reflect the sections in the server.
# For example if you list rest in the authorize section of a virtual server,
# the settings from the authorize section here will be used.
#
# The following config items may be listed in any of the sections:
# uri - to send the request to.
# method - HTTP method to use, one of 'get', 'post', 'put', 'patch',
# 'delete' or any custom HTTP method.
# body - The format of the HTTP body sent to the remote server.
# May be 'none', 'post' or 'json', defaults to 'none'.
# attr_num - If true, the attribute number is supplied for each attribute.
# Defaults to false.
# raw_value - If true, enumerated attribute values are provided as numeric
# values. Defaults to false.
# data - Send custom freeform data in the HTTP body. Content-type
# may be specified with 'body'. Will be expanded.
# Values from expansion will not be escaped, this should be
# done using the appropriate xlat method e.g. %{urlencode:<attr>}.
# force_to - Force the response to be decoded with this decoder.
# May be 'plain' (creates reply:REST-HTTP-Body), 'post'
# or 'json'.
# tls - TLS settings for HTTPS.
# auth - HTTP auth method to use, one of 'none', 'srp', 'basic',
# 'digest', 'digest-ie', 'gss-negotiate', 'ntlm',
# 'ntlm-winbind', 'any', 'safe'. defaults to 'none'.
# username - User to authenticate as, will be expanded.
# password - Password to use for authentication, will be expanded.
# require_auth - Require HTTP authentication.
# timeout - HTTP request timeout in seconds, defaults to 4.0.
# chunk - Chunk size to use. If set, HTTP chunked encoding is used to
# send data to the REST server. Make sure that this is large
# enough to fit your largest attribute value's text
#  representation.
# A number like 8192 is good.
#
# Additional HTTP headers may be specified with control:REST-HTTP-Header.
# The values of those attributes should be in the format:
#
# control:REST-HTTP-Header := "<HTTP attribute>: <value>"
#
# The control:REST-HTTP-Header attributes will be consumed
# (i.e. deleted) after each call to the rest module, and each
# %{rest:} expansion. This is so that headers from one REST
# call do not affect headers from a different REST call.
#
# Body encodings are the same for requests and responses
#
# POST - All attributes and values are urlencoded
# [outer.][<list>:]<attribute0>=<value0>&[outer.][<list>:]<attributeN>=<valueN>
#
# JSON - All attributes and values are escaped according to the JSON specification
# - attribute Name of the attribute.
# - attr_num Number of the attribute. Only available if the configuration item
# 'attr_num' is enabled.
# - type Type of the attribute (e.g. "integer", "string", "ipaddr", "octets", ...).
# - value Attribute value, for enumerated attributes the human readable value is
# provided and not the numeric value (Depends on the 'raw_value' config item).
# {
# "<attribute0>":{
# "attr_num":<attr_num0>,
# "type":"<type0>",
# "value":[<value0>,<value1>,<valueN>]
# },
# "<attribute1>":{
# "attr_num":<attr_num1>,
# "type":"<type1>",
# "value":[...]
# },
# "<attributeN>":{
# "attr_num":<attr_numN>,
# "type":"<typeN>",
# "value":[...]
# },
# }
#
# The response format adds three optional fields:
# - do_xlat If true, any values will be xlat expanded. Defaults to true.
# - is_json If true, any nested JSON data will be copied to the attribute
# in string form. Defaults to true.
# - op Controls how the attribute is inserted into the target list.
# Defaults to ':='. To create multiple attributes from multiple
# values, this should be set to '+=', otherwise only the last
# value will be used, and it will be assigned to a single
# attribute.
# {
# "<attribute0>":{
# "is_json":<bool>,
# "do_xlat":<bool>,
# "op":"<operator>",
# "value":[<value0>,<value1>,<valueN>]
# },
# "<attribute1>":"value",
# "<attributeN>":{
# "value":[<value0>,<value1>,<valueN>],
# "op":"+="
# }
# }
#
# Module return codes are determined by HTTP response codes. These vary depending on the
# section.
#
# If the body is processed and found to be malformed or unsupported fail will be returned.
# If the body is processed and found to contain attribute updated will be returned,
# except in the case of a 401 code.
#
# Authorize/Authenticate
#
# Code Meaning Process body Module code
# 404 not found no notfound
# 410 gone no notfound
# 403 forbidden no userlock
# 401 unauthorized yes reject
# 204 no content no ok
# 2xx successful yes ok/updated
# 5xx server error no fail
# xxx - no invalid
#
# The status code is held in %{reply:REST-HTTP-Status-Code}.
#
authorize {
uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=authorize"
method = 'get'
tls = ${..tls}
}
authenticate {
uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=authenticate"
method = 'get'
tls = ${..tls}
}
# Preacct/Accounting/Post-auth/Pre-Proxy/Post-Proxy
#
# Code Meaning Process body Module code
# 204 no content no ok
# 2xx successful yes ok/updated
# 5xx server error no fail
# xxx - no invalid
preacct {
uri = "${..connect_uri}/user/%{User-Name}/sessions/%{Acct-Unique-Session-ID}?action=preacct"
method = 'post'
tls = ${..tls}
}
accounting {
uri = "${..connect_uri}/user/%{User-Name}/sessions/%{Acct-Unique-Session-ID}?action=accounting"
method = 'post'
tls = ${..tls}
}
post-auth {
uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=post-auth"
method = 'post'
tls = ${..tls}
}
pre-proxy {
uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=pre-proxy"
method = 'post'
tls = ${..tls}
}
post-proxy {
uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=post-proxy"
method = 'post'
tls = ${..tls}
}
#
# The connection pool is new for 3.0, and will be used in many
# modules, for all kinds of connection-related activity.
#
pool {
# Connections to create during module instantiation.
# If the server cannot create specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# web service being available.
start = ${thread[pool].start_servers}
# Minimum number of connections to keep open
min = ${thread[pool].min_spare_servers}
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like 'No connections available and at max connection limit'
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
max = ${thread[pool].max_servers}
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
spare = ${thread[pool].max_spare_servers}
# Number of uses before the connection is closed
#
# 0 means "infinite"
uses = 0
# The number of seconds to wait after the server tries
# to open a connection, and fails. During this time,
# no new connections will be opened.
retry_delay = 30
# The lifetime (in seconds) of the connection
lifetime = 0
# idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
idle_timeout = 60
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
}
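Review bot: `start = ${thread[pool].start_servers}` in the pool section, combined with the comment "If the server cannot create specified number of connections during instantiation it will exit", makes radiusd refuse to start whenever the REST backend behind `${..connect_uri}` is unreachable, so an outage of the web service becomes an outage of RADIUS; for a remote HTTP backend the `start = 0` the comment itself mentions is the safer default, with `min` kept small. Every section also expands `%{User-Name}` and `%{Called-Station-ID}` straight into `uri`; both values come from the NAS or supplicant, so it is worth confirming in a comment that the module URL-escapes expanded values before the request is sent. Minor: `tls = ${..tls}` points at a `tls` item in the enclosing section, which is where certificate verification for all of these connections is actually decided, and a one-line pointer to it here would help readers of this file.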

@ -0,0 +1,16 @@
# -*- text -*-
#
# $Id: d5ad2a06c767f07722dc9b9c4b13d00c26b5a280 $
# An example configuration for using /etc/smbpasswd.
#
# See the "passwd" file for documentation on the configuration items
# for this module.
#
passwd smbpasswd {
filename = /etc/smbpasswd
format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
hash_size = 100
ignore_nislike = no
allow_multiple_keys = no
}
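Review bot: the file named by `filename = /etc/smbpasswd` and parsed with `format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"` holds password-equivalent material (an NT hash is usable directly for NTLM-style authentication without cracking, and LM hashes are trivially recoverable), so a comment next to `filename` should say that the file must be readable only by the user radiusd runs as, and that these hashes end up as control items in every request that matches.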

@ -0,0 +1,94 @@
# -*- text -*-
#
# $Id: 3be32b85f56a84725fe1a6bf508e459dbe6c4e02 $
# SMS One-time Password system.
#
# This module will extend FreeRadius with a socks interface to create and
# validate One-Time-Passwords. The program for that creates the socket
# and interacts with this module is not included here.
#
# The module does not check the User-Password, this should be done with
# the "pap" module. See the example below.
#
# The module must be used in the "authorize" section to set
# Auth-Type properly. The first time through, the module is called
# in the "authenticate" section to authenticate the user password, and
# to send the challenge. The second time through, it authenticates
# the response to the challenge. e.g.:
#
# authorize {
# ...
# smsotp
# ...
# }
#
# authenticate {
# ...
# Auth-Type smsotp {
# pap
# smsotp
# }
#
# Auth-Type smsotp-reply {
# smsotp
# }
# ...
# }
#
smsotp {
# The location of the socket.
socket = "/var/run/smsotp_socket"
# Defines the challenge message that will be send to the
# NAS. Default is "Enter Mobile PIN" }
challenge_message = "Enter Mobile PIN:"
# Defines the Auth-Type section that is run for the response to
# the challenge. Default is "smsotp-reply".
challenge_type = "smsotp-reply"
# Control how many sockets are used to talk to the SMSOTPd
#
pool {
# Number of connections to start
start = 5
# Minimum number of connections to keep open
min = 4
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
max = 10
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set.
spare = 3
# Number of uses before the connection is closed
#
# 0 means "infinite"
uses = 0
# The lifetime (in seconds) of the connection
lifetime = 0
# idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
idle_timeout = 60
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
}
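Review bot: the module relies on an external daemon behind `socket = "/var/run/smsotp_socket"` that, per "The program for that creates the socket and interacts with this module is not included here", is not part of this commit; the header should say where that program comes from and what ownership and permissions the socket is expected to have, because any local process able to connect to it can drive OTP creation and validation on the server's behalf. Also in the comments: "socks interface" should read "socket interface", and "Default is "Enter Mobile PIN" }" has a stray closing brace.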

@ -0,0 +1,4 @@
# SoH module
soh {
dhcp = yes
}

@ -0,0 +1,12 @@
# -*- text -*-
#
# $Id: 3a96622cc938f558b023e1110769a46861716a12 $
#
# The "sometimes" module is here for debugging purposes. Each instance
# randomly returns the configured result, or "noop".
#
# It is based on the "always" module.
sometimes {
rcode = fail
}

@ -0,0 +1,366 @@
# -*- text -*-
##
## mods-available/sql -- SQL modules
##
## $Id: cfeac63ea87c30fead8457af6d10f5c3a0f48aef $
######################################################################
#
# Configuration for the SQL module
#
# The database schemas and queries are located in subdirectories:
#
# sql/<DB>/main/schema.sql Schema
# sql/<DB>/main/queries.conf Authorisation and Accounting queries
#
# Where "DB" is mysql, mssql, oracle, or postgresql.
#
# The name used to query SQL is sql_user_name, which is set in the file
#
# raddb/mods-config/sql/main/${dialect}/queries.conf
#
# If you are using realms, that configuration should be changed to use
# the Stripped-User-Name attribute. See the comments around sql_user_name
# for more information.
#
sql {
#
# The dialect of SQL being used.
#
# Allowed dialects are:
#
# mssql
# mysql
# oracle
# postgresql
# sqlite
# mongo
#
dialect = "sqlite"
#
# The driver module used to execute the queries. Since we
# don't know which SQL drivers are being used, the default is
# "rlm_sql_null", which just logs the queries to disk via the
# "logfile" directive, below.
#
# In order to talk to a real database, delete the next line,
# and uncomment the one after it.
#
# If the dialect is "mssql", then the driver should be set to
# one of the following values, depending on your system:
#
# rlm_sql_db2
# rlm_sql_firebird
# rlm_sql_freetds
# rlm_sql_iodbc
# rlm_sql_unixodbc
#
driver = "rlm_sql_null"
# driver = "rlm_sql_${dialect}"
#
# Driver-specific subsections. They will only be loaded and
# used if "driver" is something other than "rlm_sql_null".
# When a real driver is used, the relevant driver
# configuration section is loaded, and all other driver
# configuration sections are ignored.
#
sqlite {
# Path to the sqlite database
filename = "/tmp/freeradius.db"
# How long to wait for write locks on the database to be
# released (in ms) before giving up.
busy_timeout = 200
# If the file above does not exist and bootstrap is set
# a new database file will be created, and the SQL statements
# contained within the bootstrap file will be executed.
bootstrap = "${modconfdir}/${..:name}/main/sqlite/schema.sql"
}
mysql {
# If any of the files below are set, TLS encryption is enabled
tls {
ca_file = "/etc/ssl/certs/my_ca.crt"
ca_path = "/etc/ssl/certs/"
certificate_file = "/etc/ssl/certs/private/client.crt"
private_key_file = "/etc/ssl/certs/private/client.key"
cipher = "DHE-RSA-AES256-SHA:AES128-SHA"
tls_required = yes
tls_check_cert = no
tls_check_cert_cn = no
}
# If yes, (or auto and libmysqlclient reports warnings are
# available), will retrieve and log additional warnings from
# the server if an error has occured. Defaults to 'auto'
warnings = auto
}
postgresql {
# unlike MySQL, which has a tls{} connection configuration, postgresql
# uses its connection parameters - see the radius_db option below in
# this file
# Send application_name to the postgres server
# Only supported in PG 9.0 and greater. Defaults to no.
send_application_name = yes
}
#
# Configuration for Mongo.
#
# Note that the Mongo driver is experimental. The FreeRADIUS developers
# are unable to help with the syntax of the Mongo queries. Please see
# the Mongo documentation for that syntax.
#
# The Mongo driver supports only the following methods:
#
# aggregate
# findAndModify
# findOne
# insert
#
# For examples, see the query files:
#
# raddb/mods-config/sql/main/mongo/queries.conf
# raddb/mods-config/sql/main/ippool/queries.conf
#
# In order to use findAndModify with an aggretation pipleline, make
# sure that you are running MongoDB version 4.2 or greater. FreeRADIUS
# assumes that the paramaters passed to the methods are supported by the
# version of MongoDB which it is connected to.
#
mongo {
#
# The application name to use.
#
appname = "freeradius"
#
# The TLS parameters here map directly to the Mongo TLS configuration
#
tls {
certificate_file = /path/to/file
certificate_password = "password"
ca_file = /path/to/file
ca_dir = /path/to/directory
crl_file = /path/to/file
weak_cert_validation = false
allow_invalid_hostname = false
}
}
# Connection info:
#
# server = "localhost"
# port = 3306
# login = "radius"
# password = "radpass"
# Connection info for Mongo
# Authentication Without SSL
# server = "mongodb://USER:PASSWORD@192.16.0.2:PORT/DATABASE?authSource=admin&ssl=false"
# Authentication With SSL
# server = "mongodb://USER:PASSWORD@192.16.0.2:PORT/DATABASE?authSource=admin&ssl=true"
# Authentication with Certificate
# Use this command for retrieve Derived username:
# openssl x509 -in mycert.pem -inform PEM -subject -nameopt RFC2253
# server = mongodb://<DERIVED USERNAME>@192.168.0.2:PORT/DATABASE?authSource=$external&ssl=true&authMechanism=MONGODB-X509
# Database table configuration for everything except Oracle
radius_db = "radius"
# If you are using Oracle then use this instead
# radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))"
# If you're using postgresql this can also be used instead of the connection info parameters
# radius_db = "dbname=radius host=localhost user=radius password=raddpass"
# Postgreql doesn't take tls{} options in its module config like mysql does - if you want to
# use SSL connections then use this form of connection info parameter
# radius_db = "host=localhost port=5432 dbname=radius user=radius password=raddpass sslmode=verify-full sslcert=/etc/ssl/client.crt sslkey=/etc/ssl/client.key sslrootcert=/etc/ssl/ca.crt"
# If you want both stop and start records logged to the
# same SQL table, leave this as is. If you want them in
# different tables, put the start table in acct_table1
# and stop table in acct_table2
acct_table1 = "radacct"
acct_table2 = "radacct"
# Allow for storing data after authentication
postauth_table = "radpostauth"
# Tables containing 'check' items
authcheck_table = "radcheck"
groupcheck_table = "radgroupcheck"
# Tables containing 'reply' items
authreply_table = "radreply"
groupreply_table = "radgroupreply"
# Table to keep group info
usergroup_table = "radusergroup"
# If set to 'yes' (default) we read the group tables unless Fall-Through = no in the reply table.
# If set to 'no' we do not read the group tables unless Fall-Through = yes in the reply table.
# read_groups = yes
# If set to 'yes' (default) we read profiles unless Fall-Through = no in the groupreply table.
# If set to 'no' we do not read profiles unless Fall-Through = yes in the groupreply table.
# read_profiles = yes
# Remove stale session if checkrad does not see a double login
delete_stale_sessions = yes
# Write SQL queries to a logfile. This is potentially useful for tracing
# issues with authorization queries. See also "logfile" directives in
# mods-config/sql/main/*/queries.conf. You can enable per-section logging
# by enabling "logfile" there, or global logging by enabling "logfile" here.
#
# Per-section logging can be disabled by setting "logfile = ''"
# logfile = ${logdir}/sqllog.sql
# Set the maximum query duration and connection timeout
# for rlm_sql_mysql.
# query_timeout = 5
# As of version 3.0, the "pool" section has replaced the
# following configuration items:
#
# num_sql_socks
# connect_failure_retry_delay
# lifetime
# max_queries
#
# The connection pool is new for 3.0, and will be used in many
# modules, for all kinds of connection-related activity.
#
# When the server is not threaded, the connection pool
# limits are ignored, and only one connection is used.
#
# If you want to have multiple SQL modules re-use the same
# connection pool, use "pool = name" instead of a "pool"
# section. e.g.
#
# sql sql1 {
# ...
# pool {
# ...
# }
# }
#
# # sql2 will use the connection pool from sql1
# sql sql2 {
# ...
# pool = sql1
# }
#
pool {
# Connections to create during module instantiation.
# If the server cannot create specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# database being available.
start = ${thread[pool].start_servers}
# Minimum number of connections to keep open
min = ${thread[pool].min_spare_servers}
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like 'No connections available and at max connection limit'
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
max = ${thread[pool].max_servers}
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
spare = ${thread[pool].max_spare_servers}
# Number of uses before the connection is closed
#
# 0 means "infinite"
uses = 0
# The number of seconds to wait after the server tries
# to open a connection, and fails. During this time,
# no new connections will be opened.
retry_delay = 30
# The lifetime (in seconds) of the connection
lifetime = 0
# idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
idle_timeout = 60
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
# Set to 'yes' to read radius clients from the database ('nas' table)
# Clients will ONLY be read on server startup.
#
# A client can be link to a virtual server via the SQL
# module. This link is done via the following process:
#
# If there is no listener in a virtual server, SQL clients
# are added to the global list for that virtual server.
#
# If there is a listener, and the first listener does not
# have a "clients=..." configuration item, SQL clients are
# added to the global list.
#
# If there is a listener, and the first one does have a
# "clients=..." configuration item, SQL clients are added to
# that list. The client { ...} ` configured in that list are
# also added for that listener.
#
# The only issue is if you have multiple listeners in a
# virtual server, each with a different client list, then
# the SQL clients are added only to the first listener.
#
# read_clients = yes
# Table to keep radius client info
client_table = "nas"
#
# The group attribute specific to this instance of rlm_sql
#
# This entry should be used for additional instances (sql foo {})
# of the SQL module.
# group_attribute = "${.:instance}-SQL-Group"
# This entry should be used for the default instance (sql {})
# of the SQL module.
group_attribute = "SQL-Group"
# Read database-specific queries
$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
}
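Review bot: the `mysql { tls { ... } }` block sets `tls_check_cert = no` and `tls_check_cert_cn = no`, so the connection is encrypted but the server certificate is never checked against `ca_file`/`ca_path`, which leaves the link open to an active attacker presenting any certificate; since `tls_required = yes` shows the intent is a trusted channel, both should be `yes`, and the comment "If any of the files below are set, TLS encryption is enabled" should say that verification is a separate switch. Secondary points in the same hunk: `filename = "/tmp/freeradius.db"` puts the sqlite database (check items, accounting, and with `read_clients` the client entries from the `nas` table) in a world-writable directory under a predictable name, where a path below `${raddbdir}` or `${radacctdir}` with restrictive permissions belongs; the default `driver = "rlm_sql_null"` together with the commented `logfile = ${logdir}/sqllog.sql` writes fully expanded queries to disk if both are enabled, including any password values the queries expand, which deserves a warning beside `logfile`. Comment typos: "occured", "aggretation pipleline", "paramaters", the stray backtick in "The client { ...} `", and the example addresses differ between `192.16.0.2` and `192.168.0.2`.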

@ -0,0 +1,49 @@
# Configuration for the SQL based Map (rlm_sql_map)
sql_map {
# SQL instance to use (from mods-available/sql)
#
# If you have multiple sql instances, such as "sql sql1 {...}",
# use the *instance* name here: sql1.
sql_module_instance = "sql"
# This is duplicative of info available in the SQL module, but
# we have to list it here as we do not yet support nested
# reference expansions.
dialect = "mysql"
# Name of the check item attribute to be used as a key in the SQL queries
query = "SELECT ... FROM ... "
#
# Mapping of SQL columns to RADIUS dictionary attributes.
#
# WARNING: Although this format is almost identical to the unlang
# update section format, it does *NOT* mean that you can use other
# unlang constructs in module configuration files.
#
# Configuration items are in the format:
# <radius attr> <op> <sql column number>
#
# Where:
# <radius attr>: Is the destination RADIUS attribute
# with any valid list and request qualifiers.
# <op>: Is any assignment attribute (=, :=, +=, -=).
# <column num>: The column number (not name), starting from 0
#
# Request and list qualifiers may also be placed after the 'update'
# section name to set defaults destination requests/lists
# for unqualified RADIUS attributes.
#
update {
control:Password-With-Header += 0
# control:NT-Password := 1
# reply:Reply-Message := 2
# reply:Tunnel-Type := 3
# reply:Tunnel-Medium-Type := 4
# reply:Tunnel-Private-Group-ID := 5
}
# If the 'query' results in multiple rows, it creates the <radius attr>[*] array entry.
# multiple_rows = yes
}
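Review bot: `query = "SELECT ... FROM ... "` is a placeholder, so the module cannot be enabled as shipped, and the comment directly above it, "Name of the check item attribute to be used as a key in the SQL queries", is the `pool_name` comment from the sqlippool file and describes nothing here; it should describe `query` and state whether request values expanded inside it are SQL-escaped by the module, since they arrive from the NAS. Also `dialect = "mysql"` is hardcoded while `sql_module_instance = "sql"` names an instance whose shipped default is `dialect = "sqlite"`; `${modules.sql.dialect}`, the form used in the sqlcounter file, keeps the two in step.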

@ -0,0 +1,115 @@
# Rather than maintaining separate (GDBM) databases of
# accounting info for each counter, this module uses the data
# stored in the raddacct table by the sql modules. This
# module NEVER does any database INSERTs or UPDATEs. It is
# totally dependent on the SQL module to process Accounting
# packets.
#
# The sql-module-instance' parameter holds the instance of the sql
# module to use when querying the SQL database. Normally it
# is just "sql". If you define more and one SQL module
# instance (usually for failover situations), you can
# specify which module has access to the Accounting Data
# (radacct table).
#
# The 'reset' parameter defines when the counters are all
# reset to zero. It can be hourly, daily, weekly, monthly or
# never. It can also be user defined. It should be of the
# form:
# num[hdwm] where:
# h: hours, d: days, w: weeks, m: months
# If the letter is ommited days will be assumed. In example:
# reset = 10h (reset every 10 hours)
# reset = 12 (reset every 12 days)
#
# The 'key' parameter specifies the unique identifier for the
# counter records (usually 'User-Name').
#
# The 'query' parameter specifies the SQL query used to get
# the current Counter value from the database. There are 2
# parameters that can be used in the query:
# %%b unix time value of beginning of reset period
# %%e unix time value of end of reset period
#
# The 'check_name' parameter is the name of the 'check'
# attribute to use to access the counter in the 'users' file
# or SQL radcheck or radgroupcheck tables.
#
# DEFAULT Max-Daily-Session > 3600, Auth-Type = Reject
# Reply-Message = "You've used up more than one hour today"
#
# The "dailycounter" (or any other sqlcounter module) should be added
# to "post-auth" section. It will then update the Session-Timeout
# attribute in the reply. If there is no Session-Timeout attribute,
# the module will add one. If there is an attribute, the sqlcounter
# module will make sure that the value is no higher than the limit.
#
sqlcounter dailycounter {
sql_module_instance = sql
dialect = ${modules.sql.dialect}
counter_name = Daily-Session-Time
check_name = Max-Daily-Session
reply_name = Session-Timeout
key = User-Name
reset = daily
$INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
}
sqlcounter weeklycounter {
sql_module_instance = sql
dialect = ${modules.sql.dialect}
counter_name = Weekly-Session-Time
check_name = Max-Weekly-Session
reply_name = Session-Timeout
key = User-Name
reset = weekly
$INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
}
sqlcounter monthlycounter {
sql_module_instance = sql
dialect = ${modules.sql.dialect}
counter_name = Monthly-Session-Time
check_name = Max-Monthly-Session
reply_name = Session-Timeout
key = User-Name
reset = monthly
$INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
}
sqlcounter noresetcounter {
sql_module_instance = sql
dialect = ${modules.sql.dialect}
counter_name = Max-All-Session-Time
check_name = Max-All-Session
key = User-Name
reset = never
$INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
}
#
# Set an account to expire T seconds after first login.
# Requires the Expire-After attribute to be set, in seconds.
# You may need to edit raddb/dictionary to add the Expire-After
# attribute.
sqlcounter expire_on_login {
sql_module_instance = sql
dialect = ${modules.sql.dialect}
counter_name = Expire-After-Initial-Login
check_name = Expire-After
key = User-Name
reset = never
$INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
}
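Review bot: the header prose refers to "The sql-module-instance' parameter" while the config item actually used below is `sql_module_instance = sql`, and the table is spelled "raddacct" in the first paragraph but `radacct` later ("(radacct table)"); both will mislead anyone grepping. Also "more and one" should be "more than one", "ommited" should be "omitted", and the `%%b` / `%%e` spelling in the query-parameter description should be checked against the included `${modconfdir}/sql/counter/${dialect}/${.:instance}.conf` files so the comment shows the same placeholder syntax the queries use.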

@ -0,0 +1,115 @@
# Configuration for the SQL based IP Pool module (rlm_sqlippool)
#
# The database schemas are available at:
#
# raddb/mods-config/sql/ippool/<DB>/schema.sql
#
# $Id: 3d98ca9e0fca4f8df2657d53a15a2c52756b45e1 $
sqlippool {
# SQL instance to use (from mods-available/sql)
#
# If you have multiple sql instances, such as "sql sql1 {...}",
# use the *instance* name here: sql1.
sql_module_instance = "sql"
# This is duplicative of info available in the SQL module, but
# we have to list it here as we do not yet support nested
# reference expansions.
dialect = "mysql"
# Name of the check item attribute to be used as a key in the SQL queries
pool_name = "Pool-Name"
# SQL table to use for ippool range and lease info
ippool_table = "radippool"
# IP lease duration. (Leases expire even if Acct Stop packet is lost)
#
# Note that you SHOULD also set Session-Timeout to this value!
# That way the NAS will automatically kick the user offline when the
# lease expires.
#
lease_duration = 3600
#
# Timeout between each consecutive 'allocate_clear' queries (default: 1s)
# This will avoid having too many deadlock issues, especially on MySQL backend.
#
allocate_clear_timeout = 1
#
# As of 3.0.16, the 'ipv6 = yes' configuration is deprecated.
# You should use the "attribute_name" configuration item
# below, instead.
#
#
# The attribute to use for IP address assignment. The
# default is Framed-IP-Address. You can change this to any
# attribute which is IPv4 or IPv6.
#
# e.g. Framed-IPv6-Prefix, or Delegated-IPv6-Prefix.
#
# As of 3.0.16, all of the default queries have been updated to use
# this attribute_name. So you can do IPv6 address assignment simply
# by putting IPv6 addresses into the pool, and changing the following
# line to "Framed-IPv6-Prefix"
#
# Note that you MUST use separate pools for each attribute. i.e. one pool
# for Framed-IP-Address, a different one for Framed-IPv6-prefix, etc.
#
# This means configuring separate "sqlippool" instances, and different
# "ippool_table" in SQL. Then, populate the pool with addresses and
# it will all just work.
#
attribute_name = Framed-IP-Address
#
# Assign the IP address, even if the above attribute already exists
# in the reply.
#
# allow_duplicates = no
# The attribute in which an IP address hint may be supplied
req_attribute_name = Framed-IP-Address
# Attribute which should be considered unique per NAS
#
# Using NAS-Port gives behaviour similar to rlm_ippool. (And ACS)
# Using Calling-Station-Id works for NAS that send fixed NAS-Port
# ONLY change this if you know what you are doing!
pool_key = "%{NAS-Port}"
# pool_key = "%{Calling-Station-Id}"
################################################################
#
# WARNING: MySQL (MyISAM) has certain limitations that means it can
# hand out the same IP address to 2 different users.
#
# We suggest using an SQL DB with proper transaction
# support, such as PostgreSQL, or using MySQL
# with InnoDB.
#
################################################################
# These messages are added to the "control" items, as
# Module-Success-Message. They are not logged anywhere else,
# unlike previous versions. If you want to have them logged
# to a file, see the "linelog" module, and create an entry
# which writes Module-Success-Message message.
#
messages {
exists = "Existing IP: %{reply:${..attribute_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
success = "Allocated IP: %{reply:${..attribute_name}} from %{control:${..pool_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
clear = "Released IP %{request:${..attribute_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
failed = "IP Allocation FAILED from %{control:${..pool_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
nopool = "No ${..pool_name} defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
}
$INCLUDE ${modconfdir}/sql/ippool/${dialect}/queries.conf
}
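Review bot: `dialect = "mysql"` is hardcoded while `sql_module_instance = "sql"` points at an instance whose shipped default is `dialect = "sqlite"`, and the closing `$INCLUDE ${modconfdir}/sql/ippool/${dialect}/queries.conf` selects the query file from this value, so enabling the module unchanged runs the MySQL ippool queries against whatever backend the sql instance actually uses; `dialect = ${modules.sql.dialect}`, as in the sqlcounter file, removes the split. The MyISAM warning ("can hand out the same IP address to 2 different users") is the key operational caveat and would be better placed beside `ippool_table`, and the comment block should spell the attribute consistently (`Framed-IPv6-Prefix`, not "Framed-IPv6-prefix").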

@ -0,0 +1,16 @@
# -*- text -*-
#
# $Id: 3a2a0e502e76ec00d4ec17e70132448e1547da46 $
# "Safe" radutmp - does not contain caller ID, so it can be
# world-readable, and radwho can work for normal users, without
# exposing any information that isn't already exposed by who(1).
#
# This is another 'instance' of the radutmp module, but it is given
# then name "sradutmp" to identify it later in the "accounting"
# section.
radutmp sradutmp {
filename = ${logdir}/sradutmp
permissions = 0644
caller_id = "no"
}

@ -0,0 +1,40 @@
# -*- text -*-
#
# $Id: 695365f7d2c05a34da935ea2a9ca0dec55518195 $
#
# Time-based One-Time Passwords (TOTP)
#
# Defined in RFC 6238, and used in Google Authenticator.
#
# This module can only be used in the "authenticate" section.
#
# The Base32-encoded secret should be placed into:
#
# &control:TOTP-Secret
#
# The TOTP password entered by the user should be placed into:
#
# &request:TOTP-Password
#
# The module will return "ok" if the passwords match, and "fail"
# if the passwords do not match.
#
# Note that this module will NOT interact with Google. The module is
# intended to be used where the local administrator knows the TOTP
# secret key, and user has an authenticator app on their phone.
#
# Note also that while you can use the Google "chart" APIs to
# generate a QR code, doing this will give the secret to Google!
#
# Administrators should instead install a tool such as "qrcode"
#
# https://linux.die.net/man/1/qrencode
#
# and then run that locally to get an image.
#
#
# The module takes no configuration items.
#
totp {
}
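Review bot: the header says the module only returns "ok" or "fail" and takes no configuration items, which means nothing here limits attempts: a TOTP code of the usual six digits checked against `&request:TOTP-Password` with unlimited retries is guessable online, so the comment should state that rate limiting or lockout must come from the NAS or from the policy that calls this module, and that `&control:TOTP-Secret` must be loaded from a protected store rather than a world-readable file. Minor: the text recommends a tool called "qrcode" but the link is to the qrencode man page; the name should match.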

@ -0,0 +1,4 @@
unbound dns {
# filename = "${raddbdir}/mods-config/unbound/default.conf"
# timeout = 3000
}

@ -0,0 +1,25 @@
# -*- text -*-
#
# $Id: 5165139aaf39d533581161871542b48a6e3e8c42 $
# Unix /etc/passwd style authentication
#
# This module calls the system functions to get the "known good"
# password. This password is usually in the "crypt" form, and is
# incompatible with CHAP, MS-CHAP, PEAP, etc.
#
# If passwords are in /etc/shadow, you will need to set the "group"
# configuration in radiusd.conf. Look for "shadow", and follow the
# instructions there.
#
unix {
#
# The location of the "wtmp" file.
# The only use for 'radlast'. If you don't use
# 'radlast', then you can comment out this item.
#
# Note that the radwtmp file may get large! You should
# rotate it (cp /dev/null radwtmp), or just not use it.
#
radwtmp = ${logdir}/radwtmp
}

@ -0,0 +1,105 @@
# -*- text -*-
#
# $Id: 89ef1699a1af78374b1af0a3787a088af3ba320c $
#
# This module is useful only for 'xlat'.
# To use it, add it to the raddb/mods-enabled/ directory.
#
# Two xlat functions are provided by this module:
# - unpack
# - substring
#
# Both are for use on the right-hand side of a variable assignment.
#
# unpack
# ======
#
# ... = "%{unpack:data 1 integer}"
#
# The arguments are three fields:
#
# data
# Either &Attribute-Name
# the name of the attribute to unpack.
# MUST be a "string" or "octets" type.
#
# or 0xabcdef
# e.g. hex data.
#
# 1
# The offset into the string from which
# it starts unpacking. The offset starts
# at zero, for the first attribute.
#
# integer
# the data type to unpack at that offset.
# e.g. integer, ipaddr, byte, short, etc.
#
# e.g. if we have Class = 0x0000000102030405, then
#
# %{unpack:&Class 4 short}
#
# will unpack octets 4 and 5 as a "short", which has
# value 0x0304.
#
# This module is used when vendors put multiple fields
# into one attribute of type "octets".
#
# The module can also be used to unpack substrings, by specifing a
# data type of "string(len)" or "octets(len)". Where "len" is an
# actual number. For example:
#
# %{unpack:&User-Name 1 string(2)}
#
# When given a User-Name of "hello", it will start taking the
# substring at offset 1 (i.e. "e"), and it will take two characters
# from that offset, i.e. "el".
#
# As a special case, you can unpack an entire string by specifying
# the offset, and nothing for the length:
#
# %{unpack:&User-Name 1 string()}
#
# When "octets(len)" is used, the output is printed as hex. e.g. for
# the above example with Class:
#
# %{unpack:&Class 4 octets(4)}
#
# Will return the hex string "02030405"
#
#
# substring
# =========
#
# substring will return a substring of a string or attribute using
# the syntax
#
# %{substring:data start len}
#
# data
# Either an attribute name or string data. String data
# can have leading or trailing spaces. Only a single
# space before "start" is taken as the separator.
#
# start
# the zero based offset for the start of the substring.
# A negative value will count in from the end of the
# string.
#
# len
# the number of characters to return. A Negative value
# will remove that number of characters from the end.
# If len is more than the available number of characters
# then only the available number will be returned.
#
# Examples:
#
# "%{substring:foobar 2 3}" == "oba"
# "%{substring:foobar -3 2}" == "ba"
# "%{substring:foobar 1 -1}" == "ooba"
# if User-Name is "foobar" "%{substring:&User-Name 1 -2}" == "oob"
#
unpack {
}
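Review bot: the description of the offset field, "The offset starts at zero, for the first attribute", means the first octet of the attribute's value, as the `%{unpack:&Class 4 short}` example (octets 4 and 5 give 0x0304) confirms; "specifing" should be "specifying". For `substring`, the rule "Only a single space before "start" is taken as the separator" is exactly the parsing edge case the examples should cover, yet all four examples use single words without leading or trailing spaces; one example with spaces in the data would make the rule concrete.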

@ -0,0 +1,14 @@
#
# Enforces UTF-8 on strings coming in from the NAS.
#
# An attribute of type "string" containing UTF-8 makes
# the module return NOOP.
#
# An attribute of type "string" containing non-UTF-8 data
# makes the module return FAIL.
#
# This module takes no configuration.
#
utf8 {
}

@ -0,0 +1,165 @@
#
# The WiMAX module currently takes no configuration.
#
# ## Instructions for v1 and v2.0 WiMAX
#
# It should be listed in the "authorize" and "preacct" sections.
# This enables the module to fix the horrible binary version
# of Calling-Station-Id to the normal format, as specified in
# RFC 3580, Section 3.21.
#
# In order to calculate the various WiMAX keys, the module should
# be listed in the "post-auth" section. If EAP authentication
# has been used, AND the EAP method derives MSK and EMSK, then
# the various WiMAX keys can be calculated.
#
# Some useful things to remember:
#
# WiMAX-MSK = EAP MSK, but is 64 octets.
#
# MIP-RK-1 = HMAC-SHA256(ESMK, "miprk@wimaxforum.org" | 0x00020001)
# MIP-RK-2 = HMAC-SHA256(ESMK, MIP-RK-1 | "miprk@wimaxforum.org" | 0x00020002)
# MIP-RK = MIP-RK-1 | MIP-RK-2
#
# MIP-SPI = first 4 octets of HMAC-SHA256(MIP-RK, "SPI CMIP PMIP")
# plus some magic... you've got to track *all* MIP-SPI's
# on your system!
#
# SPI-CMIP4 = MIP-SPI
# SPI-PMIP4 = MIP-SPI + 1
# SPI-CMIP6 = MIP-SPI + 2
#
# MN-NAI is the Mobile node NAI. You have to create it, and put
# it into the request or reply as something like:
#
# WiMAX-MN-NAI = "%{User-Name}"
#
# You will also have to have the appropriate IP address (v4 or v6)
# in order to calculate the keys below.
#
# Lifetimes are derived from Session-Timeout. It needs to be set
# to some useful number.
#
# The hash function below H() is HMAC-SHA1.
#
#
# MN-HA-CMIP4 = H(MIP-RK, "CMIP4 MN HA" | HA-IPv4 | MN-NAI)
#
# Where HA-IPv4 is WiMAX-hHA-IP-MIP4
# or maybe WiMAX-vHA-IP-MIP4
#
# Which goes into WiMAX-MN-hHA-MIP4-Key
# or maybe WiMAX-RRQ-MN-HA-Key
# or maybe even WiMAX-vHA-MIP4-Key
#
# The corresponding SPI is SPI-CMIP4, which is MIP-SPI,
#
# which goes into WiMAX-MN-hHA-MIP4-SPI
# or maybe WiMAX-RRQ-MN-HA-SPI
# or even WiMAX-MN-vHA-MIP4-SPI
#
# MN-HA-PMIP4 = H(MIP-RK, "PMIP4 MN HA" | HA-IPv4 | MN-NAI)
# MN-HA-CMIP6 = H(MIP-RK, "CMIP6 MN HA" | HA-IPv6 | MN-NAI)
#
# both with similar comments to above for MN-HA-CMIP4.
#
# In order to tell which one to use (CMIP4, PMIP4, or CMIP6),
# you have to set WiMAX-IP-Technology in the reply to one of
# the appropriate values.
#
#
# FA-RK = H(MIP-RK, "FA-RK")
#
# MN-FA = H(FA-RK, "MN FA" | FA-IP | MN-NAI)
#
# Where does the FA-IP come from? No idea...
#
#
# The next two keys (HA-RK and FA-HA) are not generated
# for every authentication request, but only on demand.
#
# HA-RK = 160-bit random number assigned by the AAA server
# to a specific HA.
#
# FA-HA = H(HA-RK, "FA-HA" | HA-IPv4 | FA-CoAv4 | SPI)
#
# where HA-IPv4 is as above.
# and FA-CoAv4 address of the FA as seen by the HA
# and SPI is the relevant SPI for the HA-RK.
#
# DHCP-RK = 160-bit random number assigned by the AAA server
# to a specific DHCP server. vDHCP-RK is the same
# thing.
#
#
#
# ## Instructions for v2.1 (LTE) WiMAX:
#
# When called from the "authorize" this module will detect the
# presence of the following attributes:
#
# request:WiMAX-Re-synchronization-Info
# control:WiMAX-SIM-Ki
# control:WiMAX-SIM-OPc
#
# If all attributes are present, (i.e. a known SIM is requesting a
# resync) then the module will attempt to extract the new SQN and
# save it in control:WiMAX-SIM-SQN. It will also save a copy of
# RAND from the request in control:WiMAX-SIM-RAND.
#
# The resulting value of SQN can then be saved in a database
# e.g. via a call to the sql module using some unlang
#
# When called in the "post_auth" section it looks for:
#
# control:WiMAX-SIM-Ki
# control:WiMAX-SIM-OPc
# control:WiMAX-SIM-AMF
# control:WiMAX-SIM-SQN
# request:WiMAX-Visited-PLMN-ID
#
# If all these are present then it will attempt to generate the
# keys for EPS AKA.
#
# First it checks for the presence of control:WiMAX-SIM-RAND and
# if it is not present it generates a new RAND value which is
# stored in reply:WiMAX-E-UTRAN-Vector-RAND. If it is present then
# the value is simply copied to the reply attribute.
#
# Then it calls the Milenage algorithm to generate:
#
# reply:WiMAX-E-UTRAN-Vector-XRES
# reply:WiMAX-E-UTRAN-Vector-AUTN
#
# And finally generates KASME which is stored in:
# reply:WiMAX-E-UTRAN-Vector-KASME
#
#
# NOTE: It is up to the system administrator to make sure that all
# the necessary "control" attributes are populated with the
# required values. The IMSI is likely to be found in User-Name in
# the request and this can be used as the key to grab the values
# from a database.
#
#
wimax {
#
# Some WiMAX equipment requires that the MS-MPPE-*-Key
# attributes are sent in the Access-Accept, in addition to
# the WiMAX-MSK attribute.
#
# Other WiMAX equipment request that the MS-MPPE-*-Key
# attributes are NOT sent in the Access-Accept.
#
# By default, the EAP modules sends MS-MPPE-*-Key attributes.
# The default virtual server (raddb/sites-available/default)
# contains examples of adding the WiMAX-MSK.
#
# This configuration option makes the WiMAX module delete
# the MS-MPPE-*-Key attributes. The default is to leave
# them in place.
#
# If the keys are deleted (by setting this to "yes"), then
# the WiMAX-MSK attribute is automatically added to the reply.
delete_mppe_keys = no
}
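Review bot: the key-derivation comments spell the EAP key "ESMK" in both `MIP-RK-1 = HMAC-SHA256(ESMK, ...)` and `MIP-RK-2 = HMAC-SHA256(ESMK, ...)`, while the paragraph above says the EAP method derives "MSK and EMSK"; these formulas are what an implementer will copy, so the key name should match the prose. Two smaller points in the same region: the v2.1 (LTE) instructions say "when called in the "post_auth" section" while the earlier paragraph calls it "post-auth" (the section is named with a hyphen elsewhere in this file), and "When called from the "authorize" this module" is missing the word "section". Grammar in the `delete_mppe_keys` comment: "the EAP modules sends" should read "the EAP module sends".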

@ -0,0 +1,158 @@
#
# This module decrypts and validates Yubikey static and dynamic
# OTP tokens.
#
yubikey {
#
# The length (number of ASCII bytes) of the Public-ID portion
# of the OTP string.
#
# Yubikey defaults to a 6 byte ID (2 * 6 = 12)
# id_length = 12
#
# If true, the authorize method of rlm_yubikey will attempt to split the
# value of User-Password, into the user's password, and the OTP token.
#
# If enabled and successful, the value of &request:User-Password will be
# truncated and &request:Yubikey-OTP will be added.
#
# split = yes
#
# Decrypt mode - Tokens will be decrypted and processed locally
#
# The module itself does not provide persistent storage as this
# would be duplicative of functionality already in the server.
#
# Yubikey authentication needs two attributes retrieved from
# persistent storage:
# * &control:Yubikey-Key - The AES key used to decrypt the OTP data.
# The Yubikey-Public-Id and/or User-Name
# attributes may be used to retrieve the key.
# * &control:Yubikey-Counter - This is compared with the counter in the OTP
# data and used to prevent replay attacks.
# This attribute will also be available in
# the request list after successful
# decryption.
#
# Yubikey-Counter isn't strictly required, but the server will
# generate warnings if it's not present when yubikey.authenticate
# is called.
#
# These attributes are available after authorization:
# * &request:Yubikey-Public-ID - The public portion of the OTP string.
# and additionally if 'split' is set:
# * &request:Yubikey-OTP - The OTP portion of User-Password.
#
# These attributes are available after authentication (if successful):
# * &request:Yubikey-Private-ID - The encrypted ID included in OTP data,
# must be verified if tokens share keys.
# * &request:Yubikey-Counter - The last counter value (should be recorded).
# * &request:Yubikey-Timestamp - Token's internal clock (mainly useful for
# debugging).
# * &request:Yubikey-Random - Randomly generated value from the token.
#
decrypt = no
#
# Validation mode - Tokens will be validated against a Yubicloud server
#
validate = no
#
# Settings for validation mode.
#
validation {
#
# URL of validation server, multiple URL config items may be used
# to list multiple servers.
#
# - %d is a placeholder for public ID of the token
# - %s is a placeholder for the token string itself
#
# If no URLs are listed, will default to the default URLs in the
# ykclient library, which point to the yubico validation servers.
servers {
# uri = 'https://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s'
# uri = 'https://api2.yubico.com/wsapi/2.0/verify?id=%d&otp=%s'
}
#
# API Client ID
#
# Must be set to your client id for the validation server.
#
# client_id = 00000
#
# API Secret key (Base64 encoded)
#
# Must be set to your API key for the validation server.
#
# api_key = '000000000000000000000000'
#
# Connection pool parameters
#
pool {
# Connections to create during module instantiation.
# If the server cannot create specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# yubikey server being available.
start = ${thread[pool].start_servers}
# Minimum number of connections to keep open
min = ${thread[pool].min_spare_servers}
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like 'No connections available and at max connection limit'
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
max = ${thread[pool].max_servers}
# Number of uses before the connection is closed
#
# NOTE: A setting of 0 means infinite (no limit).
uses = 0
# The number of seconds to wait after the server tries
# to open a connection, and fails. During this time,
# no new connections will be opened.
retry_delay = 30
# The lifetime (in seconds) of the connection
#
# NOTE: A setting of 0 means infinite (no limit).
lifetime = 0
# The idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
#
# NOTE: A setting of 0 means infinite (no timeout).
idle_timeout = 60
# Cycle over all connections in a pool instead of concentrating
# connection use on a few connections.
spread = yes
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
}
}
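Review bot: the description of `&control:Yubikey-Counter` understates the consequence of leaving it out. The attribute is documented as the value compared against the counter in the OTP data "to prevent replay attacks", yet a few lines later it is described as not strictly required, with a warning as the only stated effect. The comment should say plainly that without a stored counter the module has no way to tell a previously used OTP from a fresh one, so any `decrypt = yes` deployment must supply the counter from persistent storage and record the updated `&request:Yubikey-Counter` after each success (the file already says it "should be recorded"). Minor: the `api_key` placeholder is labelled "API Secret key"; the comment could note that it is credential material, in the same way the AES key under `&control:Yubikey-Key` is.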

@ -0,0 +1,22 @@
The mods-config Directory
=========================
This directory contains module-specific configuration files. These
files are in a format different from the one used by the main
`radiusd.conf` files. Earlier versions of the server had many
module-specific files in the main `raddb` directory. The directory
contained many files, and it was not clear which files did what.
For Version 3 of FreeRADIUS, we have moved to a consistent naming
scheme. Each module-specific configuration file is placed in this
directory, in a subdirectory named for the module. Where necessary,
files in the subdirectory have been named for the processing section
where they are used.
For example, the `users` file is now located in
`mods-config/files/authorize`. That filename tells us three things:
1. The file is used in the `authorize` section.
2. The file is used by the `files` module.
3. It is a "module configuration" file, which is a specific format.

@ -0,0 +1,19 @@
#
# Configuration file for the rlm_attr_filter module.
# Please see rlm_attr_filter(5) manpage for more information.
#
# $Id: 12ed619cf16f7322221ef2dfaf28f9c36c616e3c $
#
# This configuration file is used to remove almost all of the
# attributes From an Access-Challenge message. The RFCs say
# that an Access-Challenge packet can contain only a few
# attributes. We enforce that here.
#
DEFAULT
EAP-Message =* ANY,
State =* ANY,
Message-Authenticator =* ANY,
Reply-Message =* ANY,
Proxy-State =* ANY,
Session-Timeout =* ANY,
Idle-Timeout =* ANY
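Review bot: "remove almost all of the attributes From an Access-Challenge message" has a capitalised "From" mid-sentence; lower-case it (the same wording recurs in the sibling access_reject, accounting_response and coa filter files in this commit).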

@ -0,0 +1,18 @@
#
# Configuration file for the rlm_attr_filter module.
# Please see rlm_attr_filter(5) manpage for more information.
#
# $Id: 47f167b085c2a4e22701fe9fe74b8fe0b9575421 $
#
# This configuration file is used to remove almost all of the attributes
# From an Access-Reject message. The RFCs say that an Access-Reject
# packet can contain only a few attributes. We enforce that here.
#
DEFAULT
EAP-Message =* ANY,
State =* ANY,
Message-Authenticator =* ANY,
Error-Cause =* ANY,
Reply-Message =* ANY,
MS-CHAP-Error =* ANY,
Proxy-State =* ANY

@ -0,0 +1,16 @@
#
# Configuration file for the rlm_attr_filter module.
# Please see rlm_attr_filter(5) manpage for more information.
#
# $Id: 01e9c6f5bda7a138f45da5010c624d92b6d398a0 $
#
# This configuration file is used to remove almost all of the attributes
# From an Accounting-Response message. The RFC's say that an
# Accounting-Response packet can contain only a few attributes.
# We enforce that here.
#
DEFAULT
Vendor-Specific =* ANY,
Message-Authenticator =* ANY,
Error-Cause =* ANY,
Proxy-State =* ANY
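Review bot: "The RFC's say" uses a possessive apostrophe for a plural; the access_challenge and access_reject files in this commit write "The RFCs say", so this one should match.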

@ -0,0 +1,22 @@
#
# Configuration file for the rlm_attr_filter module.
# Please see rlm_attr_filter(5) manpage for more information.
#
# $Id: 89cea2ea97dea10b82a8146cfeeeb1d7dd33b2f8 $
#
# This configuration file is used to remove attributes From an
# CoA-Request or Disconnect-Request message. We have specified
# a sample list here. This will have to be modified to add
# attributes needed by your local configuration.
#
DEFAULT
User-Name =* ANY,
NAS-IP-Address =* ANY,
NAS-IPv6-Address =* ANY,
NAS-Port =* ANY,
NAS-Identifier =* ANY,
NAS-Port-Type =* ANY,
Calling-Station-Id =* ANY,
State =* ANY,
Message-Authenticator =* ANY,
Proxy-State =* ANY
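Review bot: "remove attributes From an CoA-Request or Disconnect-Request message" should read "from a CoA-Request or Disconnect-Request message" (article and capitalisation). Since the comment says the list "will have to be modified" for local needs, it would help to state the filter semantics here as the pre-proxy attrs file does: only the listed attributes survive, everything else is dropped, so an operator extending the list knows what omitting an attribute means.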

@ -0,0 +1,119 @@
#
# Configuration file for the rlm_attr_filter module.
# Please see rlm_attr_filter(5) manpage for more information.
#
# $Id: 5d889ea733ec8e6b246335f86bf6e122b54f23aa $
#
# This file contains security and configuration information
# for each realm. The first field is the realm name and
# can be up to 253 characters in length. This is followed (on
# the next line) with the list of filter rules to be used to
# decide what attributes and/or values we allow proxy servers
# to pass to the NAS for this realm.
#
# When a proxy-reply packet is received from a home server,
# these attributes and values are tested. Only the first match
# is used unless the "Fall-Through" variable is set to "Yes".
# In that case the rules defined in the DEFAULT case are
# processed as well.
#
# A special realm named "DEFAULT" matches on all realm names.
# You can have only one DEFAULT entry. All entries are processed
# in the order they appear in this file. The first entry that
# matches the login-request will stop processing unless you use
# the Fall-Through variable.
#
# Indented (with the tab character) lines following the first
# line indicate the filter rules.
#
# You can include another `attrs' file with `$INCLUDE attrs.other'
#
#
# This is a complete entry for realm "fisp". Note that there is no
# Fall-Through entry so that no DEFAULT entry will be used, and the
# server will NOT allow any other a/v pairs other than the ones
# listed here.
#
# These rules allow:
# o Only Framed-User Service-Types ( no telnet, rlogin, tcp-clear )
# o PPP sessions ( no SLIP, CSLIP, etc. )
# o dynamic ip assignment ( can't assign a static ip )
# o an idle timeout value set to 600 seconds (10 min) or less
# o a max session time set to 28800 seconds (8 hours) or less
#
#fisp
# Service-Type == Framed-User,
# Framed-Protocol == PPP,
# Framed-IP-Address == 255.255.255.254,
# Idle-Timeout <= 600,
# Session-Timeout <= 28800
#
# This is a complete entry for realm "tisp". Note that there is no
# Fall-Through entry so that no DEFAULT entry will be used, and the
# server will NOT allow any other a/v pairs other than the ones
# listed here.
#
# These rules allow:
# o Only Login-User Service-Type ( no framed/ppp sessions )
# o Telnet sessions only ( no rlogin, tcp-clear )
# o Login host of 192.0.2.1
#
#tisp
# Service-Type == Login-User,
# Login-Service == Telnet,
# Login-TCP-Port == 23,
# Login-IP-Host == 192.0.2.1
#
# The following example can be used for a home server which is only
# allowed to supply a Reply-Message, a Session-Timeout attribute of
# maximum 86400, a Idle-Timeout attribute of maximum 600 and a
# Acct-Interim-Interval attribute between 300 and 3600.
# All other attributes sent back will be filtered out.
#
#strictrealm
# Reply-Message =* ANY,
# Session-Timeout <= 86400,
# Idle-Timeout <= 600,
# Acct-Interim-Interval >= 300,
# Acct-Interim-Interval <= 3600
#
# This is a complete entry for realm "spamrealm". Fall-Through is used,
# so that the DEFAULT filter rules are used in addition to these.
#
# These rules allow:
# o Force the application of Filter-ID attribute to be returned
# in the proxy reply, whether the proxy sent it or not.
# o The standard DEFAULT rules as defined below
#
#spamrealm
# Framed-Filter-Id := "nosmtp.in",
# Fall-Through = Yes
#
# The rest of this file contains the DEFAULT entry.
# DEFAULT matches with all realm names. (except if the realm previously
# matched an entry with no Fall-Through)
#
DEFAULT
Framed-IP-Address == 255.255.255.254,
Framed-IP-Netmask == 255.255.255.255,
Framed-MTU >= 576,
Framed-Filter-ID =* ANY,
Reply-Message =* ANY,
Proxy-State =* ANY,
EAP-Message =* ANY,
Message-Authenticator =* ANY,
MS-MPPE-Recv-Key =* ANY,
MS-MPPE-Send-Key =* ANY,
MS-CHAP-MPPE-Keys =* ANY,
State =* ANY,
Session-Timeout <= 28800,
Idle-Timeout <= 600,
Calling-Station-Id =* ANY,
Operator-Name =* ANY,
Port-Limit <= 2
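Review bot: the filter attribute is named three different ways in this file: the spamrealm comment says "Filter-ID", the rule beneath it uses `Framed-Filter-Id := "nosmtp.in"`, and the DEFAULT entry has `Framed-Filter-ID =* ANY`. A reader cannot tell from the file whether these are one attribute or two; pick a single spelling and use it in all three places. Grammar in the strictrealm comment: "a Idle-Timeout attribute" and "a Acct-Interim-Interval attribute" should be "an".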

@ -0,0 +1,65 @@
#
# Configuration file for the rlm_attr_filter module.
# Please see rlm_attr_filter(5) manpage for more information.
#
# $Id: 47b01266f44d0475261c6ea16f74ca17d8838749 $
#
# This file contains security and configuration information
# for each realm. It can be used be an rlm_attr_filter module
# instance to filter attributes before sending packets to the
# home server of a realm.
#
# When a packet is sent to a home server, these attributes
# and values are tested. Only the first match is used unless
# the "Fall-Through" variable is set to "Yes". In that case
# the rules defined in the DEFAULT case are processed as well.
#
# A special realm named "DEFAULT" matches on all realm names.
# You can have only one DEFAULT entry. All entries are processed
# in the order they appear in this file. The first entry that
# matches the login-request will stop processing unless you use
# the Fall-Through variable.
#
# The first line indicates the realm to which the rules apply.
# Indented (with the tab character) lines following the first
# line indicate the filter rules.
#
# This is a complete entry for 'nochap' realm. It allows to send very
# basic attributes to the home server. Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used. Only the listed attributes
# will be sent in the packet, all other attributes will be filtered out.
#
#nochap
# User-Name =* ANY,
# User-Password =* ANY,
# NAS-IP-Address =* ANY,
# NAS-Identifier =* ANY
# The entry for the 'brokenas' realm removes the attribute NAS-Port-Type
# if its value is different from 'Ethernet'. Then the default rules are
# applied.
#
#brokenas
# NAS-Port-Type == Ethernet
# Fall-Through = Yes
# The rest of this file contains the DEFAULT entry.
# DEFAULT matches with all realm names.
DEFAULT
User-Name =* ANY,
User-Password =* ANY,
CHAP-Password =* ANY,
CHAP-Challenge =* ANY,
MS-CHAP-Challenge =* ANY,
MS-CHAP-Response =* ANY,
EAP-Message =* ANY,
Message-Authenticator =* ANY,
State =* ANY,
NAS-IP-Address =* ANY,
NAS-Identifier =* ANY,
Operator-Name =* ANY,
Calling-Station-Id =* ANY,
Chargeable-User-Identity =* ANY,
Proxy-State =* ANY
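Review bot: "It can be used be an rlm_attr_filter module instance" should read "used by", and "It allows to send very basic attributes" should read "It allows sending only very basic attributes". Layout: the nochap example runs straight into the brokenas comment ("The entry for the 'brokenas' realm ...") and that example runs straight into "The rest of this file contains the DEFAULT entry" without the separating `#` line every other block in this file has.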

@ -0,0 +1,27 @@
#
# $Id: eaf952a72dc9d19387af4d2056d7f7027b2435e8 $
#
# This is like the 'users' file, but it is processed only for
# accounting packets.
#
# Select between different accounting methods based for example on the
# Realm, the Huntgroup-Name or any combinaison of the attribute/value
# pairs contained in an accounting packet.
#
# You will need to add an "Acct-Type foo {...}" subsection to the
# main "accounting" section in order for these sample configurations
# to work.
#
#DEFAULT Realm == "foo.net", Acct-Type := foo
#
#DEFAULT Huntgroup-Name == "wifi", Acct-Type := wifi
#
#DEFAULT Client-IP-Address == 10.0.0.1, Acct-Type := other
#
#DEFAULT Acct-Status-Type == Start, Acct-Type := start
# Replace the User-Name with the Stripped-User-Name, if it exists.
#
#DEFAULT
# User-Name := "%{%{Stripped-User-Name}:-%{User-Name}}"
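Review bot: "combinaison" should be "combination", and "based for example on the Realm, the Huntgroup-Name" reads better as "based, for example, on the Realm, the Huntgroup-Name". The final commented example (the User-Name rewrite to Stripped-User-Name) is missing the separating `#` line that precedes each of the other examples.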

@ -0,0 +1,206 @@
#
# Configuration file for the rlm_files module.
# Please see rlm_files(5) manpage for more information.
#
# This file contains authentication security and configuration
# information for each user. Accounting requests are NOT processed
# through this file. Instead, see 'accounting', in this directory.
#
# The first field is the user's name and can be up to
# 253 characters in length. This is followed (on the same line) with
# the list of authentication requirements for that user. This can
# include password, comm server name, comm server port number, protocol
# type (perhaps set by the "hints" file), and huntgroup name (set by
# the "huntgroups" file).
#
# If you are not sure why a particular reply is being sent by the
# server, then run the server in debugging mode (radiusd -X), and
# you will see which entries in this file are matched.
#
# When an authentication request is received from the comm server,
# these values are tested. Only the first match is used unless the
# "Fall-Through" variable is set to "Yes".
#
# A special user named "DEFAULT" matches on all usernames.
# You can have several DEFAULT entries. All entries are processed
# in the order they appear in this file. The first entry that
# matches the login-request will stop processing unless you use
# the Fall-Through variable.
#
# Indented (with the tab character) lines following the first
# line indicate the configuration values to be passed back to
# the comm server to allow the initiation of a user session.
# This can include things like the PPP configuration values
# or the host to log the user onto.
#
# You can include another `users' file with `$INCLUDE users.other'
#
# For a list of RADIUS attributes, and links to their definitions,
# see: http://www.freeradius.org/rfc/attributes.html
#
# Entries below this point are examples included in the server for
# educational purposes. They may be deleted from the deployed
# configuration without impacting the operation of the server.
#
#
# Deny access for a specific user. Note that this entry MUST
# be before any other 'Auth-Type' attribute which results in the user
# being authenticated.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#lameuser Auth-Type := Reject
# Reply-Message = "Your account has been disabled."
#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT Group == "disabled", Auth-Type := Reject
# Reply-Message = "Your account has been disabled."
#
#
# This is a complete entry for "steve". Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
#steve Cleartext-Password := "testing"
# Service-Type = Framed-User,
# Framed-Protocol = PPP,
# Framed-IP-Address = 172.16.3.33,
# Framed-IP-Netmask = 255.255.255.0,
# Framed-Routing = Broadcast-Listen,
# Framed-Filter-Id = "std.ppp",
# Framed-MTU = 1500,
# Framed-Compression = Van-Jacobsen-TCP-IP
#
# The canonical testing user which is in most of the
# examples.
#
#bob Cleartext-Password := "hello"
# Reply-Message := "Hello, %{User-Name}"
#
#
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name. If you have
# users with spaces in their names, you must also change
# the "filter_username" policy to allow spaces.
#
# See raddb/policy.d/filter, filter_username {} section.
#
#"John Doe" Cleartext-Password := "hello"
# Reply-Message = "Hello, %{User-Name}"
#
# Dial user back and telnet to the default host for that port
#
#Deg Cleartext-Password := "ge55ged"
# Service-Type = Callback-Login-User,
# Login-IP-Host = 0.0.0.0,
# Callback-Number = "9,5551212",
# Login-Service = Telnet,
# Login-TCP-Port = Telnet
#
# Another complete entry. After the user "dialbk" has logged in, the
# connection will be broken and the user will be dialed back after which
# he will get a connection to the host "timeshare1".
#
#dialbk Cleartext-Password := "callme"
# Service-Type = Callback-Login-User,
# Login-IP-Host = timeshare1,
# Login-Service = PortMaster,
# Callback-Number = "9,1-800-555-1212"
#
# user "swilson" will only get a static IP number if he logs in with
# a framed protocol on a terminal server in Alphen (see the huntgroups file).
#
# Note that by setting "Fall-Through", other attributes will be added from
# the following DEFAULT entries
#
#swilson Service-Type == Framed-User, Huntgroup-Name == "alphen"
# Framed-IP-Address = 192.0.2.65,
# Fall-Through = Yes
#
# If the user logs in as 'username.shell', then authenticate them
# using the default method, give them shell access, and stop processing
# the rest of the file.
#
#DEFAULT Suffix == ".shell"
# Service-Type = Login-User,
# Login-Service = Telnet,
# Login-IP-Host = your.shell.machine
#
# The rest of this file contains the several DEFAULT entries.
# DEFAULT entries match with all login names.
# Note that DEFAULT entries can also Fall-Through (see first entry).
# A name-value pair from a DEFAULT entry will _NEVER_ override
# an already existing name-value pair.
#
# Sample defaults for all framed connections.
#
#DEFAULT Service-Type == Framed-User
# Framed-IP-Address = 255.255.255.254,
# Framed-MTU = 576,
# Service-Type = Framed-User,
# Fall-Through = Yes
#
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
# by the terminal server in which case there may not be a "P" suffix.
# The terminal server sends "Framed-Protocol = PPP" for auto PPP.
#
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for SLIP: dynamic IP address, SLIP mode.
#
DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP
#
# Last default: rlogin to our main server.
#
#DEFAULT
# Service-Type = Login-User,
# Login-Service = Rlogin,
# Login-IP-Host = shellbox.ispdomain.com
# #
# # Last default: shell on the local terminal server.
# #
# DEFAULT
# Service-Type = Administrative-User
# On no match, the user is denied access.
#########################################################
# You should add test accounts to the TOP of this file! #
# See the example user "bob" above. #
#########################################################
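Review bot: the Framed-Compression value is spelled "Van-Jacobsen-TCP-IP" in the commented "steve" example but "Van-Jacobson-TCP-IP" in the live PPP and CSLIP DEFAULT entries; the dictionary defines one spelling, so the example should use the same one as the entries that are actually active. The nested "Last default: shell on the local terminal server" block is commented out twice (`# #`, `# DEFAULT`, `# Service-Type = Administrative-User`), which reads as a copy-paste leftover; either drop it or make it a single commented example like the rlogin one above it.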

@ -0,0 +1,153 @@
#
# This configuration file that may be used by multiple instances of rlm_files
# to set reply and control options for defining DHCP replies.
#
# The content of this file is all made up and needs to be set appropriate to
# the network being served.
#
############################################
# Global and network-specific parameters #
############################################
#
# Note: This section is matched by calling the dhcp_network instance of the
# files module.
#
#
# Default options that can be overridden by subsequent matches.
#
network
DHCP-Domain-Name-Server := 192.0.1.100,
DHCP-Domain-Name-Server += 192.0.1.101,
DHCP-Time-Server := 192.0.1.200,
DHCP-Domain-Name := "example.org",
DHCP-IP-Address-Lease-Time := 7200,
Fall-Through := yes
#
# The following examples set options specific to the Layer 2 network, matched
# on whether the internal attribute DHCP-Network-Subnet (that acts as a
# network identifier) is within the indicated range. This is equivalent to a
# "shared-network" or "multinet" configuration (i.e. one that is possibly
# composed of multiple subnets) as defined by some other DHCP servers.
#
#
# Here is an example for a network containing a single IP subnet. We can set
# the network-specific options *and* we directly set the DHCP-Subnet-Mask,
# DHCP-Router-Address and DHCP-Broadcast-Address since it is a common reply
# parameter for all DHCP requests originating from this network.
#
# The use of the ^= "prepend" operator for setting DHCP-Domain-Name-Server
# results in this new value being inserted at the start of the list, meaning
# this will become the first DNS server presented in the reply.
#
# Note: If the architecture has only a single subnet for each Layer 2 network
# then by placing all subnet-related options here we can avoid calling the
# dhcp_subnet policy after IP allocation.
#
network DHCP-Network-Subnet < 10.20.0.0/16, Pool-Name := "smalldept"
DHCP-IP-Address-Lease-Time := 3600,
DHCP-Domain-Name := "smalldept.example.org",
DHCP-Subnet-Mask := 255.255.0.0,
DHCP-Router-Address := 10.20.0.1,
DHCP-Domain-Name-Server ^= 10.20.0.2,
DHCP-Broadcast-Address := 10.20.255.255
#
# Here is an example for a network that consists of multiple IP subnets, each
# of which is valid for a DHCP request originating from the network. We set
# the Pool-Name parameter to identify a single pool that contains the IP
# address within each subnet, any of which is suitable.
#
# We set the options that are common to the network but we defer the setting
# of DHCP-Subnet-Mask, DHCP-Router-Address and DHCP-Broadcast-Address until an
# address has been allocated. Only then do we know which subnet parameters are
# required. See the next section.
#
network DHCP-Network-Subnet < 10.30.0.0/16, Pool-Name := "bigdept"
DHCP-Domain-Name := "bigdept.example.org"
#
# Here is an example for a network that has a dedicated pool for admin staff
# and a seperate pool for everything else.
#
network DHCP-Network-Subnet < 192.0.2.0/24, DHCP-Group-Name == "admin", Pool-Name := "admin-only"
network DHCP-Network-Subnet < 192.0.2.0/24, Pool-Name := "general"
################################
# Subnet-specific parameters #
################################
#
# Note: This section is matched by calling the dhcp_subnet policy which sets
# DHCP-Network-Subnet to the allocated IP address of the device and then
# calls the dhcp_subnet instance of the files module.
#
# Layer 2 networks many contain multiple subnets, each with their own gateway.
# We call this section *after* the allocation of an IP address (e.g. from a
# single pool containing addresses within multiple equally-valid subnets for
# the network) so that we then know which subnet-specific parameters to
# return.
#
#
# Subnet-specific options, matched on whether the allocated IP address is
# within the indicated range.
#
subnet DHCP-Network-Subnet < 10.30.10.0/24
DHCP-Subnet-Mask := 255.255.255.0,
DHCP-Router-Address := 10.30.10.1,
DHCP-Broadcast-Address := 10.30.10.255
subnet DHCP-Network-Subnet < 10.30.20.0/24
DHCP-Subnet-Mask := 255.255.255.0,
DHCP-Router-Address := 10.30.20.1,
DHCP-Broadcast-Address := 10.30.20.255
###############################
# Group-specific parameters #
###############################
#
# Note: This section is matched by calling the dhcp_group_options policy.
#
# It should be called *after* defining the device's group memberships in
# DHCP-Group-Name request attributes. In the default dhcp virtual server this
# is demonstrated with the help of the dhcp_group_membership instance of the
# passwd module.
#
#
# Group-specific options, keyed by DHCP-Group-Name
#
group1
DHCP-Server-Host-Name := "terminal-booter.example.org",
DHCP-Boot-Filename := "bootfile.pxe"
##############################
# Host-specific parameters #
##############################
#
# Note: This section is matched by calling the dhcp_hosts instance of the
# files module.
#
#
# Host-specific options, keyed by DHCP-Client-Hardware-Address
#
host-00:10:20:30:40:50
DHCP-Boot-Filename := "customboot.pxe"
host-10:90:80:70:aa:bb
DHCP-X-Window-Font-Server := 10.20.1.10,
DHCP-Impress-Server := 10.20.1.20
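Review bot: "a seperate pool" should be "a separate pool", and "Layer 2 networks many contain multiple subnets" should be "may contain". The `network` defaults use 192.0.1.100, 192.0.1.101 and 192.0.1.200, which are not in one of the RFC 5737 documentation ranges, while the rest of the file uses 10.0.0.0/8 space and 192.0.2.0/24; since the header says the content is "all made up", using documentation or private space throughout avoids an example that points at real address space if copied unchanged.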

@ -0,0 +1,31 @@
#
# Configuration file for the rlm_files module.
# Please see rlm_files(5) manpage for more information.
#
# $Id: 7292e23ea51717ee5cb50c4b9b609e91ebe4a41c $
#
# This file is similar to the "users" file. The check items
# are compared against the request, but the "reply" items are
# used to update the proxied packet, not the reply to the NAS.
#
# You can use this file to re-write requests which are about to
# be sent to a home server.
#
#
# Requests destinated to realm "extisp" are sent to a RADIUS
# home server hosted by an other company which doesn't know about
# the IP addresses of our NASes. Therefore we replace the value of
# the NAS-IP-Address attribute by a unique value we communicated
# to them.
#
#DEFAULT Realm == "extisp"
# NAS-IP-Address := 10.1.2.3
#
# For all proxied packets, set the User-Name in the proxied packet
# to the Stripped-User-Name, if it exists. If not, set it to the
# User-Name from the original request.
#
#DEFAULT
# User-Name := `%{%{Stripped-User-Name}:-%{User-Name}}`
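Review bot: the last example wraps the value in backticks (User-Name := `...`), whereas the identical Stripped-User-Name rewrite in the accounting file in this commit uses double quotes. Elsewhere in the server's configuration syntax backtick quoting denotes "execute the expanded string as a program", not plain string expansion, so an operator who uncomments this line as written could end up handing the request's User-Name to a shell rather than copying it; change it to double quotes to match the accounting file. Grammar: "destinated to realm" should be "destined for realm", and "an other company" should be "another company".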

@ -0,0 +1,230 @@
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
#
# Copyright 2002 The FreeRADIUS server project
# Copyright 2002 Boian Jordanov <bjordanov@orbitel.bg>
#
#
# Example code for use with rlm_perl
#
# You can use every module that comes with your perl distribution!
#
# If you are using DBI and do some queries to DB, please be sure to
# use the CLONE function to initialize the DBI connection to DB.
#
use strict;
use warnings;
# use ...
use Data::Dumper;
# Bring the global hashes into the package scope
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK, %RAD_STATE, %RAD_PERLCONF);
# This is hash wich hold original request from radius
#my %RAD_REQUEST;
# In this hash you add values that will be returned to NAS.
#my %RAD_REPLY;
#This is for check items
#my %RAD_CHECK;
# This is the session-sate
#my %RAD_STATE;
# This is configuration items from "config" perl module configuration section
#my %RAD_PERLCONF;
# Multi-value attributes are mapped to perl arrayrefs.
#
# update request {
# Filter-Id := 'foo'
# Filter-Id += 'bar'
# }
#
# This results to the following entry in %RAD_REQUEST:
#
# $RAD_REQUEST{'Filter-Id'} = [ 'foo', 'bar' ];
#
# Likewise, you can assign an arrayref to return multi-value attributes
#
# This the remapping of return values
#
use constant {
RLM_MODULE_REJECT => 0, # immediately reject the request
RLM_MODULE_OK => 2, # the module is OK, continue
RLM_MODULE_HANDLED => 3, # the module handled the request, so stop
RLM_MODULE_INVALID => 4, # the module considers the request invalid
RLM_MODULE_USERLOCK => 5, # reject the request (user is locked out)
RLM_MODULE_NOTFOUND => 6, # user not found
RLM_MODULE_NOOP => 7, # module succeeded without doing anything
RLM_MODULE_UPDATED => 8, # OK (pairs modified)
RLM_MODULE_NUMCODES => 9 # How many return codes there are
};
# Same as src/include/log.h
use constant {
L_AUTH => 2, # Authentication message
L_INFO => 3, # Informational message
L_ERR => 4, # Error message
L_WARN => 5, # Warning
L_PROXY => 6, # Proxy messages
L_ACCT => 7, # Accounting messages
L_DBG => 16, # Only displayed when debugging is enabled
L_DBG_WARN => 17, # Warning only displayed when debugging is enabled
L_DBG_ERR => 18, # Error only displayed when debugging is enabled
L_DBG_WARN_REQ => 19, # Less severe warning only displayed when debugging is enabled
L_DBG_ERR_REQ => 20, # Less severe error only displayed when debugging is enabled
};
# Global variables can persist across different calls to the module.
#
#
# {
# my %static_global_hash = ();
#
# sub post_auth {
# ...
# }
# ...
# }
# Function to handle authorize
sub authorize {
# For debugging purposes only
# &log_request_attributes;
# Here's where your authorization code comes
# You can call another function from here:
&test_call;
return RLM_MODULE_OK;
}
# Function to handle authenticate
sub authenticate {
# For debugging purposes only
# &log_request_attributes;
if ($RAD_REQUEST{'User-Name'} =~ /^baduser/i) {
# Reject user and tell him why
$RAD_REPLY{'Reply-Message'} = "Denied access by rlm_perl function";
return RLM_MODULE_REJECT;
} else {
# Accept user and set some attribute
if (&radiusd::xlat("%{client:group}") eq 'UltraAllInclusive') {
# User called from NAS with unlim plan set, set higher limits
$RAD_REPLY{'h323-credit-amount'} = "1000000";
} else {
$RAD_REPLY{'h323-credit-amount'} = "100";
}
return RLM_MODULE_OK;
}
}
# Function to handle preacct
sub preacct {
# For debugging purposes only
# &log_request_attributes;
return RLM_MODULE_OK;
}
# Function to handle accounting
sub accounting {
# For debugging purposes only
# &log_request_attributes;
# You can call another subroutine from here
&test_call;
return RLM_MODULE_OK;
}
# Function to handle checksimul
sub checksimul {
# For debugging purposes only
# &log_request_attributes;
return RLM_MODULE_OK;
}
# Function to handle pre_proxy
sub pre_proxy {
# For debugging purposes only
# &log_request_attributes;
return RLM_MODULE_OK;
}
# Function to handle post_proxy
sub post_proxy {
# For debugging purposes only
# &log_request_attributes;
return RLM_MODULE_OK;
}
# Function to handle post_auth
sub post_auth {
# For debugging purposes only
# &log_request_attributes;
return RLM_MODULE_OK;
}
# Function to handle xlat
sub xlat {
# For debugging purposes only
# &log_request_attributes;
# Loads some external perl and evaluate it
my ($filename,$a,$b,$c,$d) = @_;
&radiusd::radlog(L_DBG, "From xlat $filename ");
&radiusd::radlog(L_DBG,"From xlat $a $b $c $d ");
local *FH;
open FH, $filename or die "open '$filename' $!";
local($/) = undef;
my $sub = <FH>;
close FH;
my $eval = qq{ sub handler{ $sub;} };
eval $eval;
eval {main->handler;};
}
# Function to handle detach
sub detach {
# For debugging purposes only
# &log_request_attributes;
}
#
# Some functions that can be called from other functions
#
sub test_call {
# Some code goes here
}
sub log_request_attributes {
# This shouldn't be done in production environments!
# This is only meant for debugging!
for (keys %RAD_REQUEST) {
&radiusd::radlog(L_DBG, "RAD_REQUEST: $_ = $RAD_REQUEST{$_}");
}
}
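Review bot: the `xlat` function takes whatever path arrives as its first argument, reads it with the two-argument `open FH, $filename` and then `eval`s the file contents as Perl inside the server process, so any caller that can influence that xlat argument decides which file gets executed, and a `$filename` beginning with `|`, `<` or `>` is interpreted as a pipe or open mode rather than a name. If the example is kept at all, use the three-argument form `open(my $fh, '<', $filename) or die ...`, restrict `$filename` to a fixed directory of trusted scripts, and check `$@` after both `eval` calls instead of discarding the result. Smaller points: `log_request_attributes` will print `ARRAY(0x...)` for the multi-value attributes that the header comment says are mapped to arrayrefs, and the header comments carry typos (`wich`, `session-sate`).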


@ -0,0 +1,86 @@
#
# hints
#
# The hints file. This file is used to match
# a request, and then add attributes to it. This
# process allows a user to login as "bob.ppp" (for example),
# and receive a PPP connection, even if the NAS doesn't
# ask for PPP. The "hints" file is used to match the
# ".ppp" portion of the username, and to add a set of
# "user requested PPP" attributes to the request.
#
# Matching can take place with the the Prefix and Suffix
# attributes, just like in the "users" file.
# These attributes operate ONLY on the username, though.
#
# Note that the attributes that are set for each entry are
# NOT added to the reply attributes passed back to the NAS.
# Instead they are added to the list of attributes in the
# request that has been SENT by the NAS.
#
# This extra information can be used in the users file to
# match on. Usually this is done in the DEFAULT entries,
# of which there can be more than one.
#
# In addition a matching entry can transform a username
# for authentication purposes if the "Strip-User-Name"
# variable is set to Yes in an entry (default is Yes).
#
# A special non-protocol name-value pair called "Hint"
# can be set to match on in the "users" file.
#
# As with the "users" file, the first entry that matches the
# incoming request will cause the server to stop looking for
# more hints. If the "Fall-Through" attribute is set to
# "Yes" in an entry then the server will not stop, but
# continue to process further hints from the file. Matches
# on subsequent hints will be against the altered request
# from the previous hints, not against the original request.
#
# The following is how most dial-up ISPs want to set this up.
#
# Version: $Id: 84d4d78d5dc8613f6205fc2ef48f454101caaf33 $
#
DEFAULT Suffix == ".ppp", Strip-User-Name = Yes
Hint = "PPP",
Service-Type = Framed-User,
Framed-Protocol = PPP
DEFAULT Suffix == ".slip", Strip-User-Name = Yes
Hint = "SLIP",
Service-Type = Framed-User,
Framed-Protocol = SLIP
DEFAULT Suffix == ".cslip", Strip-User-Name = Yes
Hint = "CSLIP",
Service-Type = Framed-User,
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
######################################################################
#
# These entries are old, and commented out by default.
# They confuse too many people when "Peter" logs in, and the
# server thinks that the user "eter" is asking for PPP.
#
#DEFAULT Prefix == "U", Strip-User-Name = No
# Hint = "UUCP"
#DEFAULT Prefix == "P", Strip-User-Name = Yes
# Hint = "PPP",
# Service-Type = Framed-User,
# Framed-Protocol = PPP
#DEFAULT Prefix == "S", Strip-User-Name = Yes
# Hint = "SLIP",
# Service-Type = Framed-User,
# Framed-Protocol = SLIP
#DEFAULT Prefix == "C", Strip-User-Name = Yes
# Hint = "CSLIP",
# Service-Type = Framed-User,
# Framed-Protocol = SLIP,
# Framed-Compression = Van-Jacobson-TCP-IP
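Review bot: typo in the header comment, "Matching can take place with the the Prefix and Suffix attributes". The three active `Suffix` entries and the commented-out single-letter `Prefix` entries otherwise match the documented defaults, and the header correctly explains why the `Prefix` forms stay disabled (a name such as "Peter" would be rewritten to "eter").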


@ -0,0 +1,43 @@
#
# huntgroups This file defines the `huntgroups' that you have. A
# huntgroup is defined by specifying the IP address of
# the NAS and possibly a port.
#
# Matching is done while RADIUS scans the user file; if it
# includes the selection criteria "Huntgroup-Name == XXX"
# the huntgroup is looked up in this file to see if it
# matches. There can be multiple definitions of the same
# huntgroup; the first one that matches will be used.
#
# This file can also be used to define restricted access
# to certain huntgroups. The second and following lines
# define the access restrictions (based on username and
# UNIX usergroup) for the huntgroup.
#
#
# Our POP in Alphen a/d Rijn has 3 terminal servers. Create a Huntgroup-Name
# called Alphen that matches on all three terminal servers.
#
#alphen NAS-IP-Address == 192.0.2.5
#alphen NAS-IP-Address == 192.0.2.6
#alphen NAS-IP-Address == 192.0.2.7
#
# The POP in Delft consists of only one terminal server.
#
#delft NAS-IP-Address == 198.51.100.5
#
# Port 0 on the first terminal server in Alphen are connected to
# a huntgroup that is for business users only. Note that only one
# of the username or groupname has to match to get access (OR/OR).
#
# Note that this huntgroup is a subset of the "alphen" huntgroup.
#
#business NAS-IP-Address == 198.51.100.5, NAS-Port-Id == 0
# User-Name == rogerl,
# User-Name == henks,
# Group == business,
# Group == staff
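Review bot: the `business` example describes itself as "Port 0 on the first terminal server in Alphen" and "a subset of the "alphen" huntgroup", but it matches `NAS-IP-Address == 198.51.100.5`, which is the Delft server defined just above; the Alphen servers are 192.0.2.5 through 192.0.2.7, so the entry should read `#business NAS-IP-Address == 192.0.2.5, NAS-Port-Id == 0`. Also "Port 0 ... are connected" should be "is connected".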


@ -0,0 +1,33 @@
#
# This query properly handles calls that span from the
# previous reset period into the current period but
# involves more work for the SQL server than those
# below
#
query = "\
SELECT SUM(acctsessiontime - GREATEST((%%b - UNIX_TIMESTAMP(acctstarttime)), 0)) \
FROM radacct \
WHERE username = '%{${key}}' \
AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%%b'"
#
# This query ignores calls that started in a previous
# reset period and continue into into this one. But it
# is a little easier on the SQL server
#
#query = "\
# SELECT SUM(acctsessiontime) \
# FROM radacct \
# WHERE username = '%{${key}}' \
# AND acctstarttime > FROM_UNIXTIME('%%b')"
#
# This query is the same as above, but demonstrates an
# additional counter parameter '%%e' which is the
# timestamp for the end of the period
#
#query = "\
# SELECT SUM(acctsessiontime) \
# FROM radacct \
# WHERE username = '%{${key}}' \
# AND acctstarttime BETWEEN FROM_UNIXTIME('%%b') AND FROM_UNIXTIME('%%e')"
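Review bot: `'%{${key}}'` places the expanded counter key attribute directly into a single-quoted SQL literal and nothing in this file says what escapes it; a one-line comment naming the mechanism (presumably the `sql` module's escaping of values expanded inside its xlat) would tell anyone who later points `key` at a user-supplied attribute what protects the query. Minor: `'%%b'` is compared as a quoted string against the numeric `UNIX_TIMESTAMP(acctstarttime) + acctsessiontime`; MySQL coerces it, but the unquoted form used in `GREATEST((%%b - ...))` two lines earlier is the clearer one.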


@ -0,0 +1,6 @@
query = "\
SELECT IFNULL( MAX(TIME_TO_SEC(TIMEDIFF(NOW(), acctstarttime))),0) \
FROM radacct \
WHERE UserName='%{${key}}' \
ORDER BY acctstarttime \
LIMIT 1;"
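Review bot: `ORDER BY acctstarttime LIMIT 1` is redundant here: `MAX(...)` without a `GROUP BY` already yields exactly one row, so the clause can be dropped. The trailing `;` inside the quoted query is also the only one among the counter files in this commit; keep the style consistent. Wrapping the result in `IFNULL(..., 0)` is the right choice, since a user with no accounting rows then yields 0 instead of NULL.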


@ -0,0 +1,34 @@
#
# This query properly handles calls that span from the
# previous reset period into the current period but
# involves more work for the SQL server than those
# below
#
query = "\
SELECT SUM(acctsessiontime - GREATEST((%%b - UNIX_TIMESTAMP(acctstarttime)), 0)) \
FROM radacct \
WHERE username='%{${key}}' \
AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%%b'"
#
# This query ignores calls that started in a previous
# reset period and continue into into this one. But it
# is a little easier on the SQL server
#
#query = "\
# SELECT SUM(acctsessiontime) \
# FROM radacct\
# WHERE username='%{${key}}' \
# AND acctstarttime > FROM_UNIXTIME('%%b')"
#
# This query is the same as above, but demonstrates an
# additional counter parameter '%%e' which is the
# timestamp for the end of the period
#
#query = "\
# SELECT SUM(acctsessiontime) \
# FROM radacct \
# WHERE username='%{${key}}' \
# AND acctstarttime BETWEEN FROM_UNIXTIME('%%b') \
# AND FROM_UNIXTIME('%%e')"
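Review bot: the commented alternative at `FROM radacct\` drops the space before the continuation backslash that every other query in this set has (`FROM radacct \`); keep the space so the joined string cannot run `radacct` into the following `WHERE` if someone later changes the indentation. The active query is the same as the daily file's, which is expected since the reset period comes from the module configuration rather than the SQL.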


@ -0,0 +1,4 @@
query = "\
SELECT IFNULL(SUM(AcctSessionTime),0) \
FROM radacct \
WHERE UserName='%{${key}}'"
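Review bot: style only: this file uses `AcctSessionTime` and `UserName` while the daily and monthly MySQL files use `acctsessiontime` and `username`. MySQL column names are case-insensitive so behaviour is unaffected, but one spelling across the set makes the queries easier to grep and diff.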


@ -0,0 +1,11 @@
#
# This query properly handles calls that span from the
# previous reset period into the current period but
# involves more work for the SQL server than those
# below
#
query = "\
SELECT SUM(acctsessiontime - GREATEST((%%b - UNIX_TIMESTAMP(acctstarttime)), 0)) \
FROM radacct \
WHERE username = '%{${key}}' \
AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%%b'"


@ -0,0 +1,34 @@
#
# This query properly handles calls that span from the
# previous reset period into the current period but
# involves more work for the SQL server than those
# below
#
query = "\
SELECT SUM(AcctSessionTime - GREATEST((%%b - EXTRACT(epoch FROM AcctStartTime)), 0)) \
FROM radacct \
WHERE UserName='%{${key}}' \
AND EXTRACT(epoch FROM AcctStartTime) + AcctSessionTime > '%%b'"
#
# This query ignores calls that started in a previous
# reset period and continue into into this one. But it
# is a little easier on the SQL server
#
#query = "\
# SELECT SUM(AcctSessionTime) \
# FROM radacct \
# WHERE UserName='%{${key}}' \
# AND EXTRACT(epoch FROM AcctStartTime) > '%%b'"
#
# This query is the same as above, but demonstrates an
# additional counter parameter '%%e' which is the
# timestamp for the end of the period
#
#query = "\
# SELECT SUM(AcctSessionTime) \
# FROM radacct \
# WHERE UserName='%{${key}}' \
# AND EXTRACT(epoch FROM AcctStartTime) BETWEEN '%%b' \
# AND '%%e'"
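Review bot: `EXTRACT(epoch FROM AcctStartTime)` only lines up with the Unix timestamp in `%%b` when `AcctStartTime` is a `timestamp with time zone` column; for `timestamp without time zone` PostgreSQL returns the nominal seconds since 1970-01-01 00:00:00 with no time-zone adjustment, so the reset boundary silently shifts by the server's UTC offset. A comment stating which column type the query assumes would save someone a confusing off-by-hours counter. The quoted `'%%b'` on the right-hand side is fine in PostgreSQL (an untyped literal resolves to the numeric type of the left side), but the unquoted form used inside `GREATEST(...)` is the clearer one.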


@ -0,0 +1,6 @@
query = "\
SELECT EXTRACT(EPOCH FROM (NOW() - acctstarttime)) \
FROM radacct \
WHERE UserName='%{${key}}' \
ORDER BY acctstarttime \
LIMIT 1;"
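Review bot: for a user with no accounting rows this query returns no row at all, whereas the MySQL counterpart wraps its result in `IFNULL(MAX(...), 0)`, so the two back-ends behave differently on a first login. `SELECT COALESCE(MAX(EXTRACT(EPOCH FROM (NOW() - acctstarttime))), 0) FROM radacct WHERE UserName='%{${key}}'` returns 0 in that case, computes the same value (time since the earliest session start), and makes the `ORDER BY ... LIMIT 1` unnecessary. The trailing `;` inside the quoted string should also go, for consistency with the other files.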


@ -0,0 +1,31 @@
# This query properly handles calls that span from the
# previous reset period into the current period but
# involves more work for the SQL server than those
# below
query = "\
SELECT SUM(AcctSessionTime - GREATEST((%%b - EXTRACT(epoch FROM AcctStartTime)), 0)) \
FROM radacct \
WHERE UserName='%{${key}}' \
AND EXTRACT(epoch FROM AcctStartTime) + AcctSessionTime > '%%b'"
#
# This query ignores calls that started in a previous
# reset period and continue into into this one. But it
# is a little easier on the SQL server
#
#query = "\
# SELECT SUM(AcctSessionTime) \
# FROM radacct \
# WHERE UserName='%{${key}}' \
# AND EXTRACT(epoch FROM AcctStartTime) > '%%b'"
#
# This query is the same as above, but demonstrates an
# additional counter parameter '%%e' which is the
# timestamp for the end of the period
#
#query = "\
# SELECT SUM(AcctSessionTime) \
# FROM radacct \
# WHERE UserName='%{${key}}' \
# AND EXTRACT(epoch FROM AcctStartTime) BETWEEN '%%b' AND '%%e'"
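Review bot: the header comment here lacks the blank `#` lines that open and close the same comment in the daily PostgreSQL file and in every MySQL file, and the `BETWEEN ... AND` alternative is the only one in the set written on a single line; trivial, but the files are otherwise kept in lockstep and this one stands out on a diff.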


@ -0,0 +1,4 @@
query = "\
SELECT SUM(AcctSessionTime) \
FROM radacct \
WHERE UserName='%{${key}}'"
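Review bot: `SUM(AcctSessionTime)` returns NULL when the user has no accounting rows, while the MySQL version uses `IFNULL(SUM(AcctSessionTime),0)`; use `COALESCE(SUM(AcctSessionTime), 0)` here so both back-ends report 0 for a new user instead of leaving the counter module to interpret a NULL.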
