Draft: Add anonymous WPA enterprise access #29

Merged
jalr merged 5 commits from wpa-enterprise-anon-access into main 2022-11-04 22:45:15 +00:00
292 changed files with 29528 additions and 0 deletions


@ -21,6 +21,10 @@
id = 5;
interface = "eno1";
};
pubevent = {
id = 6;
interface = "eno1";
};
};
interfaces = {
eno2.useDHCP = true;
@ -28,6 +32,10 @@
address = "192.168.94.1";
prefixLength = 24;
}];
pubevent.ipv4.addresses = [{
address = "10.10.0.1";
prefixLength = 20;
}];
voip.ipv4.addresses = [{
address = "192.168.93.1";
prefixLength = 24;
@ -38,6 +46,7 @@
externalInterface = "eno2";
internalInterfaces = [
"labprod"
"pubevent"
"voip"
];
};
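Review bot: Adding `"pubevent"` to `internalInterfaces` places the public event VLAN behind the same NAT as `labprod` and `voip`, but nothing in this hunk restricts forwarding between those internal networks. If the event network is meant to be isolated from the lab and VoIP segments, that needs an explicit forward rule (for example via `networking.firewall.extraCommands` or `networking.nftables`) rejecting traffic from `pubevent` to the other VLANs; I cannot tell from this hunk whether such a rule exists elsewhere. A one-line comment next to the `pubevent` interface stating whether it is expected to reach the other VLANs would make the intent reviewable. The enclosing `networking` attribute set starts and ends outside the hunk.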


@ -3,6 +3,7 @@
./asterisk.nix
./dnsmasq.nix
./dyndns.nix
./freeradius.nix
./labsync
./unifi-controller.nix
];


@ -1,11 +1,31 @@
{ pkgs, ... }:
let
stateDir = "/var/lib/dnsmasq";
dnsmasqEventsConf = pkgs.writeText "dnsmasq-events.conf" ''
dhcp-leasefile=${stateDir}/dnsmasq-events.leases
bind-dynamic
listen-address=10.10.0.1
except-interface=lo
domain=events.fablab-nea.de
dhcp-range=10.10.0.20,10.10.15.254,24h
cache-size=10000
dns-forward-max=1000
no-hosts
'';
in
{
services.dnsmasq = {
enable = true;
extraConfig = ''
bind-dynamic
listen-address=192.168.93.1
listen-address=192.168.94.1
interface=lo
expand-hosts
domain=lab.fablab-nea.de
@ -34,6 +54,27 @@
];
};
systemd.services."dnsmasq-events" = {
description = "dnsmasq daemon for public event network";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.dnsmasq ];
preStart = ''
mkdir -m 755 -p ${stateDir}
dnsmasq --test -C ${dnsmasqEventsConf}
'';
serviceConfig = {
Type = "dbus";
BusName = "uk.org.thekelleys.dnsmasq-events";
ExecStart = "${pkgs.dnsmasq}/bin/dnsmasq -k --enable-dbus --user=dnsmasq -C ${dnsmasqEventsConf}";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
PrivateTmp = true;
ProtectSystem = true;
ProtectHome = true;
Restart = "on-failure";
};
};
networking.firewall = {
allowedUDPPorts = [ 53 67 ];
allowedTCPPorts = [ 53 ];
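Review bot: `BusName = "uk.org.thekelleys.dnsmasq-events"` will not be satisfied by the `ExecStart` line as written, because `--enable-dbus` without a service name registers dnsmasq's default name `uk.org.thekelleys.dnsmasq`, which the existing `services.dnsmasq` instance already owns; with `Type = "dbus"` systemd then waits for a name that never appears and fails the unit. The command needs the name spelled out: `ExecStart = "${pkgs.dnsmasq}/bin/dnsmasq -k --enable-dbus=uk.org.thekelleys.dnsmasq-events --user=dnsmasq -C ${dnsmasqEventsConf}";`. The D-Bus policy shipped with dnsmasq presumably only allows owning the default name, so the custom name may also need a system-bus policy entry, worth verifying; if D-Bus control is not needed for this instance, `Type = "simple"` without `--enable-dbus` is the simpler fix. `ProtectSystem = true` only makes `/usr` and the boot directories read-only, so `ProtectSystem = "strict"` with `ReadWritePaths = [ stateDir ]` would be the tighter choice for a daemon that only needs its lease file.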


@ -0,0 +1,17 @@
# service for unifi wifi
# provides anonymous access via WPA2 enterprise (PEAP)
{ pkgs, ... }:
{
services.freeradius = {
enable = true;
configDir = "${pkgs.fablab.freeradius-anon-access}/raddb";
debug = true;
};
users.users.radius.group = "radius";
users.groups.radius = { };
networking.firewall.allowedUDPPorts = [
1812
1813
];
}
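Review bot: `networking.firewall.allowedUDPPorts = [ 1812 1813 ]` opens RADIUS on every interface, including the external `eno2` uplink used as `externalInterface` elsewhere in this PR, and the `clients.conf` added in the same PR accepts any source address with a public secret, so the authentication server becomes reachable from the internet. Scope the ports to the network the access points sit on instead, e.g. `networking.firewall.interfaces.<ap-vlan>.allowedUDPPorts = [ 1812 1813 ];` with the real interface name substituted. `debug = true` makes the NixOS module run radiusd with extra verbosity, which writes the contents of every request, including attributes such as Calling-Station-Id and the outer EAP identity, to the journal; it should stay off outside troubleshooting. The header comment could also state that the secret and the certificates are intentionally not confidential for this anonymous SSID, so a later reader does not mistake them for real credentials.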


@ -1,5 +1,6 @@
{ callPackage }:
{
freeradius-anon-access = callPackage ./freeradius-anon-access { };
mitgliedsantrag = callPackage ./mitgliedsantrag { };
}


@ -0,0 +1,14 @@
{ lib, stdenvNoCC, ... }:
stdenvNoCC.mkDerivation {
name = "freeradius-anon-access";
src = ./.;
dontBuild = true;
installPhase = ''
mkdir $out
cp -r raddb $out
'';
meta = with lib; {
platforms = platforms.unix;
};
}
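Review bot: `cp -r raddb $out` installs the whole tree, and the `certs/` files added later in this PR include RSA private keys; everything under `/nix/store` is world-readable and is copied to any binary cache the host pushes to, so those keys are public by construction. They appear to be the stock FreeRADIUS example certificates (the `mustermann.de` subjects), which means the PEAP server identity can be impersonated by anyone with the FreeRADIUS sources; for an anonymous SSID that may be an accepted trade-off, but it should be written down, e.g. `# NOTE: raddb/certs holds the FreeRADIUS example keys; they are public and provide no server authentication.` above `installPhase`. If a real server certificate is wanted later, generate it outside the store (a `preStart` writing into a `StateDirectory`, or a secrets mechanism) rather than adding it to `src`. `src = ./.` also pulls `default.nix` itself into the package, which is harmless but could be trimmed with `lib.cleanSource ./.`.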


@ -0,0 +1,665 @@
Upgrading to Version 3.0
========================
.. contents:: Sections
:depth: 2
.. important::
The configuration for 3.0 is *largely* compatible with the 2.x.x
configuration. However, it is NOT possible to simply use the 2.x.x
configuration as-is. Instead, you should re-create it.
Security
--------
A number of configuration items have moved into the "security"
subsection of radiusd.conf. If you use these, you should move them.
Otherwise, they can be ignored.
The list of moved options is::
chroot
user
group
allow_core_dumps
reject_delay
status_server
These entries should be moved from "radiusd.conf" to the "security"
subsection of that file.
Naming
------
Many names used by configuration items were inconsistent in earlier
versions of the server. These names have been unified in version 3.0.
If a file is being referenced or created the config item ``filename``
is used.
If a file is being created, the initial permissions are set by the
``permissions`` config item.
If a directory hierarchy needs to be created, the permissions are set
by ``dir_permissions``.
If an external host is referenced in the context of a module the
``server`` config item is used.
Unless the config item is a well recognised portmanteau
(as ``filename`` is for example), it must be written as multiple
distinct words separated by underscores ``_``.
The configuration items ``file``, ``script_file``, ``module``,
``detail``, ``detailfile``, ``attrsfile``, ``perm``, ``dirperm``,
``detailperm``, and ``hostname`` are deprecated. As well as any false
portmanteaus, and configuration items that used hyphens as word
delimiters. e.g. ``foo-bar`` has been changed to ``foo_bar``. Please
update your module configuration to use the new syntax.
In most cases the server will tell you the replacement config item to
use. As always, run the server in debugging mode to see these
messages.
Modules Directory
-----------------
As of version 3.0, the ``modules/`` directory no longer exists.
Instead, all "example" modules have been put into the
``mods-available/`` directory. Modules which can be loaded by the
server are placed in the ``mods-enabled/`` directory. All of the
modules in that directory will be loaded. This means that the
``instantiate`` section of radiusd.conf is less important. The only
reason to list a module in the ``instantiate`` section is to force
ordering when the modules are loaded.
Modules can be enabled by creating a soft link. For module ``foo``, do::
$ cd raddb/mods-enabled
$ ln -s ../mods-available/foo
To create "local" versions of the modules, we suggest copying the file
instead. This leaves the original file (with documentation) in the
``mods-available/`` directory. Local changes should go into the
``mods-enabled/`` directory.
Module-specific configuration files are now in the ``mods-config/``
directory. This change allows for better organization, and means that
there are fewer files in the main ``raddb`` directory. See
``mods-config/README.rst`` for more details.
Changed Modules
---------------
The following modules have been changed.
rlm_sql
~~~~~~~
The SQL configuration has been moved from ``sql.conf`` to
``mods-available/sql``. The ``sqlippool.conf`` file has also been
moved to ``mods-available/sqlippool``.
The SQL module configuration has been changed. The old connection
pool options are no longer accepted::
num_sql_socks
connect_failure_retry_delay
lifetime
max_queries
Instead, a connection pool configuration is used. This configuration
contains all of the functionality of the previous configuration, but
in a more generic form. It also is used in multiple modules, meaning
that there are fewer different configuration items. The mapping
between the configuration items is::
num_sql_socks -> pool { max }
connect_failure_retry_delay -> pool { retry_delay }
lifetime -> pool { lifetime }
max_queries -> pool { uses }
The pool configuration adds a number of new configuration options,
which allow the administrator to better control how FreeRADIUS uses
SQL connection pools.
The following parameters have been changed::
trace -> removed
tracefile -> logfile
The logfile is intended to log SQL queries performed. If you need to
debug the server, use debugging mode. If ``logfile`` is set, then
*all* SQL queries will go to ``logfile``.
You can now use a NULL SQL database::
driver = rlm_sql_null
This is an empty driver which will always return "success". It is
intended to be used to replace the ``sql_log`` module, and to work in
conjunction with the ``radsqlrelay`` program. Simply take your normal
configuration for raddb/mods-enabled/sql, and set::
driver = rlm_sql_null
...
logfile = ${radacctdir}/sql.log
All of the SQL queries will be logged to that file. The connection
pool does not need to be configured for the ``null`` SQL driver. It
can be left as-is, or deleted from the SQL configuration file.
rlm_sql_sybase
~~~~~~~~~~~~~~
The ``rlm_sql_sybase`` module has been renamed to ``rlm_sql_freetds``
and the old ``rlm_sql_freetds`` module has been removed.
``rlm_sql_sybase`` used the newer ct-lib API, and ``rlm_sql_freetds``
used an older API and was incomplete.
The new ``rlm_sql_freetds`` module now also supports database
selection on connection startup so ``use`` statements no longer
have to be included in queries.
sql/dialup.conf
~~~~~~~~~~~~~~~
Queries for post-auth and accounting calls have been re-arranged. The
SQL module will now expand the 'reference' configuration item in the
appropriate sub-section, and resolve this to a configuration
item. This behaviour is similar to rlm_linelog. This dynamic
expansion allows for a dynamic mapping between accounting types and
SQL queries. Previously, the mapping was fixed. Any "new" accounting
type was ignored by the module. Now, support for any accounting type
can be added by just adding a new target, as below.
Queries from v2.x.x may be manually copied to the new v3.0
``dialup.conf`` file (``raddb/mods-config/sql/main/<dialect>/queries.conf``).
When doing this you may also need to update references to the
accounting tables, as their definitions will now be outside of
the subsection containing the query.
The mapping from old "fixed" query to new "dynamic" query is as follows::
accounting_onoff_query -> accounting.type.accounting-on.query
accounting_update_query -> accounting.type.interim-update.query
accounting_update_query_alt +> accounting.type.interim-update.query
accounting_start_query -> accounting.type.start.query
accounting_start_query_alt +> accounting.type.start.query
accounting_stop_query -> accounting.type.stop.query
accounting_stop_query_alt +> accounting.type.stop.query
postauth_query -> post-auth.query
Alternatively a 2.x.x config may be patched to work with the
3.0 module by adding the following::
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "${....accounting_onoff_query}"
}
accounting-off {
query = "${....accounting_onoff_query}"
}
start {
query = "${....accounting_start_query}"
query = "${....accounting_start_query_alt}"
}
interim-update {
query = "${....accounting_update_query}"
query = "${....accounting_update_query_alt}"
}
stop {
query = "${....accounting_stop_query}"
query = "${....accounting_stop_query_alt}"
}
}
}
post-auth {
query = "${..postauth_query}"
}
In general, it is safer to migrate the configuration rather than
trying to "patch" it, to make it look like a v2 configuration.
Note that the sub-sections holding the queries are labelled
``accounting-on``, and not ``accounting_on``. The reason is that the
names of these sections are taken directly from the
``Accounting-Request`` packet, and the ``Acct-Status-Type`` field.
The ``sql`` module looks at the value of that field, and then looks
for a section of that name, in order to find the query to use.
That process means that the server can be extended to support any new
value of ``Acct-Status-Type``, simply by adding a named sub-section,
and a query. This behavior is preferable to that of v2, which had
hard-coded queries for certain ``Acct-Status-Type`` values, and was
ignored all other values.
rlm_ldap
~~~~~~~~
The LDAP module configuration has been substantially changed. Please
read ``raddb/mods-available/ldap``. It now uses a connection pool,
just like the SQL module.
Many of the configuration items remain the same, but they have been
moved into subsections. This change is largely cosmetic, but it makes
the configuration clearer. Instead of having a large set of random
configuration items, they are now organized into logical groups.
You will need to read your old LDAP configuration, and migrate it
manually to the new configuration. Simply copying the old
configuration WILL NOT WORK.
Users upgrading from 2.x.x who used to call the ldap module in
``post-auth`` should now set ``edir_autz = yes``, and remove the ``ldap``
module from the ``post-auth`` section.
rlm_ldap and LDAP-Group
~~~~~~~~~~~~~~~~~~~~~~~
In 2.x.x the registration of the ``LDAP-Group`` pair comparison was done
by the last instance of rlm_ldap to be instantiated. In 3.0 this has
changed so that only the default ``ldap {}`` instance registers
``LDAP-Group``.
If ``<instance>-LDAP-Group`` is already used throughout your configuration
no changes will be needed.
rlm_ldap authentication
~~~~~~~~~~~~~~~~~~~~~~~
In 2.x.x the LDAP module had a ``set_auth_type`` configuration item,
which forced ``Auth-Type := ldap``. This was removed in 3.x.x as it
often did not work, and was not consistent with the rest of the
server. We generally recommend that LDAP should be used as a
database, and that FreeRADIUS should do authentication.
The only reason to use ``Auth-Type := ldap`` is when the LDAP server
will not supply the "known good" password to FreeRADIUS, *and* where
the Access-Request contains User-Password. This situation happens
only for Active Directory. If you think you need to force ``Auth-Type
:= ldap`` in other situations, you are very likely to be wrong.
The following is an example of what should be inserted into the
``authorize {}`` and ``authenticate {}`` sections of the relevant
virtual-servers, to get functionality equivalent to v2.x::
authorize {
...
ldap
if ((ok || updated) && User-Password) {
update control {
Auth-Type := ldap
}
}
...
}
authenticate {
...
Auth-Type ldap {
ldap
}
...
}
rlm_eap
~~~~~~~
The EAP configuration has been moved from ``eap.conf`` to
``mods-available/eap``. A new ``pwd`` subsection has been added for
EAP-PWD.
rlm_expiration & rlm_logintime
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The rlm_expiration and rlm_logintime modules no longer add a ``Reply-Message``,
the same behaviour can be achieved checking the return code of the module and
adding the ``Reply-Message`` with unlang::
expiration
if (userlock) {
update reply {
Reply-Message := "Your account has expired"
}
}
rlm_unix
~~~~~~~~
The ``unix`` module does not have an ``authenticate`` section. So you
cannot set ``Auth-Type := System``. The ``unix`` module has also been
deleted from the examples in ``sites-available/``. Listing it there
has been deprecated for many years.
The PAP module can do crypt authentication. It should be used instead
of Unix authentication.
The Unix module still can pull the passwords from ``/etc/passwd``, or
``/etc/shadow``. This is done by listing it in the ``authorize``
section, as is done in the examples in ``sites-available/``. However,
some systems using NIS or NSS will not supply passwords to the
``unix`` module. For those systems, we recommend putting users and
passwords into a database, instead of relying on ``/etc/passwd``.
rlm_preprocess
~~~~~~~~~~~~~~
In 2.x.x ``huntroups`` and ``users`` files were loaded from default locations
without being configured explicitly. Since 3.x.x you need to set
``huntgroups`` and ``users`` configuration item(s) in module section in order
to get them being processed.
New Modules
-----------
rlm_date
~~~~~~~~
Instances of rlm_date register an xlat method which can translate
integer and date values to an arbitrarily formatted date time
string, or an arbitrarily formated time string to an integer,
depending on the attribute type passed.
rlm_rest
~~~~~~~~
The ``rest`` module is used to translate RADIUS requests into
RESTfull HTTP requests. Currently supported body types are JSON
and POST.
rlm_unpack
~~~~~~~~~~
The ``unpack`` module is used to turn data buried inside of binary
attributes. e.g. if we have ``Class = 0x00000001020304`` then::
Tmp-Integer-0 := "%{unpack:&Class 4 short}"
will unpack octets 4 and 5 as a "short", which has value 0x0304.
All integers are assumed to be in network byte order.
rlm_yubikey
~~~~~~~~~~~
The ``yubikey`` module can be used to forward yubikey OTP token
values to a Yubico validation server, or decrypt the token
using a PSK.
Deleted Modules
---------------
The following modules have been deleted, and are no longer supported
in Version 3. If you are using one of these modules, your
configuration can probably be changed to not need it. Otherwise email
the freeradius-devel list, and ask about the module.
rlm_acct_unique
~~~~~~~~~~~~~~~
This module has been replaced by the "acct_unique" policy. See
raddb/policy.d/accounting.
The method for calculating the value of acct_unique has changed.
However, as this method was configurable, this change should not
matter. The only issue is in having a v2 and v3 server writing to the
same database at the same time. They will calculate different values
for Acct-Unique-Id.
rlm_acctlog
~~~~~~~~~~~
You should use rlm_linelog instead. That module has a superset of the
acctlog functionality.
rlm_attr_rewrite
~~~~~~~~~~~~~~~~
The attr_rewrite module looked for an attribute, and then re-wrote it,
or created a new attribute. All of that can be done in "unlang".
A sample configuration in "unlang" is::
if (request:Calling-Station-Id) {
update request {
Calling-Station-Id := "...."
}
}
We suggest updating all uses of attr_rewrite to use unlang instead.
rlm_checkval
~~~~~~~~~~~~
The checkval module compared two attributes. All of that can be done in "unlang"::
if (&request:Calling-Station-Id == &control:Calling-Station-Id) {
ok
}
We suggest updating all uses of checkval to use unlang instead.
rlm_dbm
~~~~~~~
No one seems to use it. There is no sample configuration for it.
There is no speed advantage to using it over the "files" module.
Modern systems are fast enough that 10K entries can be read from the
"users" file in about 10ms. If you need more users than that, use a
real database such as SQL.
rlm_fastusers
~~~~~~~~~~~~~
No one seems to use it. It has been deprecated since Version 2.0.0.
The "files" module was rewritten so that the "fastusers" module was no
longer necessary.
rlm_policy
~~~~~~~~~~
No one seems to use it. Almost all of its functionality is available
via "unlang".
rlm_sim_files
~~~~~~~~~~~~~
The rlm_sim_files module has been deleted. It was never marked "stable",
and was never used in a production environment. There are better ways
to test EAP.
If you want similar functionality, see rlm_passwd. It can read CSV
files, and create attributes from them.
rlm_sql_log
~~~~~~~~~~~
This has been replaced with the "null" sql driver. See
raddb/mods-available/sql for an example configuration.
The main SQL module has more functionality than rlm_sql_log, and
results in less code in the server.
Other Functionality
-------------------
The following is a list of new / changed functionality.
RadSec
~~~~~~
RadSec (or RADIUS over TLS) is now supported. RADIUS over bare TCP
is also supported, but is recommended only for secure networks.
See ``sites-available/tls`` for complete details on using TLS. The server
can both receive incoming TLS connections, and also originate outgoing
TLS connections.
The TLS configuration is taken from the old EAP-TLS configuration. It
is largely identical to the old EAP-TLS configuration, so it should be
simple to use and configure. It re-uses much of the EAP-TLS code,
so it is well-tested and reliable.
Once RadSec is enabled, normal debugging mode will not work. This is
because the TLS code requires threading to work properly. Instead of doing::
$ radiusd -X
you will need to do::
$ radiusd -fxx -l stdout
That's the price to pay for using RadSec. This limitation may be
lifted in a future version of the server.
PAP and User-Password
~~~~~~~~~~~~~~~~~~~~~
From version 3.0 onwards the server no longer supports authenticating
against a cleartext password in the 'User-Password' attribute. Any
occurences of this (for instance, in the users file) should now be changed
to 'Cleartext-Password' instead.
e.g. change entries like this::
bob User-Password == "hello"
to ones like this::
bob Cleartext-Password := "hello"
If this is not done, authentication will likely fail. The server will
also print a helpful message in debugging mode.
If it really is impossible to do this, the following unlang inserted above
the call to the pap module may be used to copy User-Password to the correct
attribute::
if (!control:Cleartext-Password && control:User-Password) {
update control {
Cleartext-Password := "%{control:User-Password}"
}
}
However, this should only be seen as a temporary, not permanent, fix.
It is better to fix your databases to use the correct configuration.
Unlang
~~~~~~
The unlang policy language is compatible with v2, but has a number of
new features. See ``man unlang`` for complete documentation.
ERRORS
Many more errors are caught when the server is starting up. Syntax
errors in ``unlang`` are caught, and a helpful error message is
printed. The error message points to the exact place where the error
occurred::
./raddb/sites-enabled/default[230]: Parse error in condition
ERROR: if (User-Name ! "bob") {
ERROR: ^ Invalid operator
``update`` sections are more generic. Instead of doing ``update
reply``, you can do the following::
update {
reply:Class := 0x0000
control:Cleartext-Password := "hello"
}
This change means that you need fewer ``update`` sections.
COMPARISONS
Attribute comparisons can be done via the ``&`` operator. When you
needed to compare two attributes, the old comparison style was::
if (User-Name == "%{control:Tmp-String-0}") {
This syntax is inefficient, as the ``Tmp-String-0`` attribute would be
printed to an intermediate string, causing unnecessary work. You can
now instead compare the two attributes directly::
if (&User-Name == &control:Tmp-String-0) {
See ``man unlang`` for more details.
CASTS
Casts are now permitted. This allows you to force type-specific
comparisons::
if (<ipaddr>"%{sql: SELECT...}" == 127.0.0.1) {
This forces the string returned by the SELECT to be treated as an IP
address, and compare to ``127.0.0.1``. Previously, the comparison
would have been done as a simple string comparison.
NETWORKS
IP networks are now supported::
if (127.0.0.1/32 == 127.0.0.1) {
Will be ``true``. The various comparison operators can be used to
check IP network membership::
if (127/8 > 127.0.0.1) {
Returns ``true``, because ``127.0.0.1`` is within the ``127/8``
network. However, the following comparison will return ``false``::
if (127/8 > 192.168.0.1) {
because ``192.168.0.1`` is outside of the ``127/8`` network.
OPTIMIZATION
As ``unlang`` is now pre-compiled, many compile-time optimizations are
done. This means that the debug output may not be exactly the same as
what is in the configuration files::
if (0 && (User-Name == "bob')) {
The result will always be ``false``, as the ``if 0`` prevents the
following ``&& ...`` from being evaluated.
Not only that, but the entire contents of that section will be ignored
entirely::
if (0) {
this_module_does_not_exist
and_this_one_does_not_exist_either
}
In v2, that configuration would result in a parse error, as there is
no module called ``this_module_does_not_exist``. In v3, that text is
ignored. This ability allows you to have dynamic configurations where
certain parts are used (or not) depending on compile-time configuration.
Similarly, conditions which always evaluate to ``true`` will be
optimized away::
if (1) {
files
}
That configuration will never show the ``if (1)`` output in debugging mode.
Dialup_admin
------------
The dialup_admin directory has been removed. No one stepped forward
to maintain it, and the code had not been changed in many years.


@ -0,0 +1,24 @@
[ req ]
default_bits = 1024
distinguished_name = req_DN
string_mask = nombstr
[ req_DN ]
countryName = "1. Country Name (2 letter code)"
countryName_default = DE
countryName_min = 2
countryName_max = 2
stateOrProvinceName = "2. State or Province Name (full name) "
stateOrProvinceName_default = Berlin
localityName = "3. Locality Name (eg, city) "
localityName_default = Berlin
0.organizationName = "4. Organization Name (eg, company) "
0.organizationName_default = Mustermann
organizationalUnitName = "5. Organizational Unit Name (eg, section) "
organizationalUnitName_default = Certificate Authority
commonName = "6. Common Name (eg, CA name) "
commonName_max = 64
commonName_default = Mustermann CA
emailAddress = "7. Email Address (eg, name@FQDN)"
emailAddress_max = 40
emailAddress_default = ca@mustermann.de
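Review bot: `default_bits = 1024` in `[ req ]` generates RSA-1024 keys, which OpenSSL at security level 2 (the default on several distributions) and many supplicants reject for TLS, so any certificate regenerated from this file would fail PEAP on modern clients; set `default_bits = 2048` or larger. The same line appears in the client and server `.cnf` files added further down in this PR (the sections with `commonName_default = Max Mustermann` and `commonName_default = www.mustermann.de`). `string_mask = nombstr` is likewise a legacy setting; `string_mask = utf8only` is the usual choice today. If these files are only kept as unused examples, a comment saying so at the top would stop someone from generating production certificates with them.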


@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,13 @@
-----BEGIN CERTIFICATE REQUEST-----
MIIB3jCCAUcCAQAwgZ0xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzAN
BgNVBAcTBkJlcmxpbjETMBEGA1UEChMKTXVzdGVybWFubjEeMBwGA1UECxMVQ2Vy
dGlmaWNhdGUgQXV0aG9yaXR5MRYwFAYDVQQDEw1NdXN0ZXJtYW5uIENBMR8wHQYJ
KoZIhvcNAQkBFhBjYUBtdXN0ZXJtYW5uLmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQCttSNt5drKFcumLKdXz7hnuVzL1pzBnLtDBCRRJhxBB6nsc0n5OFlD
269CjbbbgmODyHDqk9JZaHn367cCpp2Orf/l8rSl9xUDBEITD/Ks9vw0JVrEIvFn
OyAiAkQq6IuXH8U4IUJhBzCVAdwmONnCRkpDV1pqsS1u4BCPlZiXxQIDAQABoAAw
DQYJKoZIhvcNAQELBQADgYEAK+Fbl3mG7m0gBkekWwU4BvC92eMs93GYCtYQECu7
/Dc0J2K1ItGC7JrRVlQvStbEFCw3cXzlbSec2v+8rvvIbn6MB+StRRYjPUiIYS3h
qly2FpcAo3Cg5GcnNf4keDGBzClo37MF2wlT0DAQIVPHMlTbkfgAQYwQS+uKLBre
TwM=
-----END CERTIFICATE REQUEST-----


@ -0,0 +1,9 @@
extensions = x509v3
[ x509v3 ]
basicConstraints = CA:true,pathlen:0
crlDistributionPoints = URI:http://www.mustermann.de/ca/mustermann.crl
nsCertType = sslCA,emailCA,objCA
nsCaPolicyUrl = "http://www.mustermann.de/ca/policy.htm"
nsCaRevocationUrl = "http://www.mustermann.de/ca/heimpold.crl"
nsComment = "Mustermann CA"


@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1 @@
03


@ -0,0 +1,24 @@
[ req ]
default_bits = 1024
distinguished_name = req_DN
string_mask = nombstr
[ req_DN ]
countryName = "1. Country Name (2 letter code)"
countryName_default = DE
countryName_min = 2
countryName_max = 2
stateOrProvinceName = "2. State or Province Name (full name) "
stateOrProvinceName_default = Berlin
localityName = "3. Locality Name (eg, city) "
localityName_default = Berlin
0.organizationName = "4. Organization Name (eg, company) "
0.organizationName_default = Mustermann
organizationalUnitName = "5. Organizational Unit Name (eg, section) "
#organizationalUnitName_default =
commonName = "6. Common Name (eg, CA name) "
commonName_max = 64
commonName_default = Max Mustermann
emailAddress = "7. Email Address (eg, name@FQDN)"
emailAddress_max = 40
emailAddress_default = max@mustermann.de


@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE REQUEST-----
MIIBvzCCASgCAQAwfzELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0G
A1UEBxMGQmVybGluMRMwEQYDVQQKEwpNdXN0ZXJtYW5uMRcwFQYDVQQDEw5NYXgg
TXVzdGVybWFubjEgMB4GCSqGSIb3DQEJARYRbWF4QG11c3Rlcm1hbm4uZGUwgZ8w
DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANFPziPlydE+D1lKE+5Wh/aHDuQ4HBfF
2PDWetE7um2d06newc3RZn+1JjpedX3t0u38eI5bJ2mOPj6bfdhVQBoM0/6ZE+rf
l3EbjT69GqiAPYlA7ZlgMgz2TgO1lWwvyruMOnj2l3uHEZomY6hla9pxTjqJ7n8U
HVVTUvZihoQ/AgMBAAGgADANBgkqhkiG9w0BAQsFAAOBgQBX3obDa6757IR9ejEb
1cY0k6S1SioC8ufX0Z2veFKoDLXKHL4kCZ89ie74hBf7mqx6O9ZscASXNcyuKFBz
uaae2MSoh+DBJH6I7j23PMhs9ziaSJYLmawja0sWK/J8RaR7JNjVAzb/eU2zBQlq
GTc8H8je+e2+aRUFYNgdGxgQ0g==
-----END CERTIFICATE REQUEST-----


@ -0,0 +1,5 @@
extensions = x509v3
[ x509v3 ]
nsCertType = client,email,objsign
keyUsage = digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment


@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDRT84j5cnRPg9ZShPuVof2hw7kOBwXxdjw1nrRO7ptndOp3sHN
0WZ/tSY6XnV97dLt/HiOWydpjj4+m33YVUAaDNP+mRPq35dxG40+vRqogD2JQO2Z
YDIM9k4DtZVsL8q7jDp49pd7hxGaJmOoZWvacU46ie5/FB1VU1L2YoaEPwIDAQAB
AoGAam1EqJYPfxgqH8F9zuMqsNxNYxdwmVndC+BShI71JQVp+WatbmR51JecP3OG
FCjX5nBIMEIDETXlSlovq871Dx487exiqI1pfpt2HevvaHEPoQSIwr5AOUwJeKa+
MGOrVasjsdIE2QbwSVxxqGKCaQRzq9wpLijknGnqQKYYW1ECQQDw+xbEdYd7/FHn
s0aSTwT8wJXKp2bR/SNrxtlZqg174Hlmh4DJzxtYp0PH6/yW7JLlVHqT3vRhihuF
B/pvZ/wnAkEA3lttkhmlFKF1rva2xEOM1OXSlnz2imd3P5KhReM3yPGhgUkhK5oo
fFXalboIaKVPl172e/zDejv5gghP6GMOKQJAZntx2ETfRHQu5OmSBqDCTzcbvN5q
VL1htfEP+BjguSDioB7aP3jreU1Q/xG2Dv03D35YztAPf/e68l1NPNmtGwJALn4B
aAXyrWChIac2Sc0x+iXfpVWVmxTNKz62d81tkZdsRIMM63f9NRoibSILtg2ymZzi
fsQ3/yvhHJ4uTxG/GQJBAMcB5xnz1VZlngrvZTezn52W7VVfEVBn4OfJSBnS1VUb
tT+NqIgQ7cKVIwtM+rnt/msRoPd+bixziXakkfpbTL8=
-----END RSA PRIVATE KEY-----


@ -0,0 +1,32 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -0,0 +1,8 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAzQsuxnwr0ccOV+/wIsI4Kfj5eyBINjb5KjeFvdZec65Xj5IzJSqo
kw2JaBhqN4Jtsq60doyev3tPtZn6YmBoVH/71CWOtibeZeSBjk67zQj7O0VKHHaG
9OXyjGIyzUKtJl1VpD+mXvlrhZEjnnApf3fp4i8K8Ei7oHFu+6teEyei3qGKobEg
Y+aYse5noocftCOj7QOpqLZU5BjYn+j1CVnivB3kCEuqYYTJJvyvVpTbWhAWTibY
mZU2Sq7GCLn+hbX5R/d3hOAqISJXwloshipHv7pTvipEMF5Q9thbq/Lc8j+DQS1Y
3KZMuq5+aDV2DVeVI5HSNv/uJJsN48hRkwIBAg==
-----END DH PARAMETERS-----


@ -0,0 +1,24 @@
[ req ]
default_bits = 1024
distinguished_name = req_DN
string_mask = nombstr
[ req_DN ]
countryName = "1. Country Name (2 letter code)"
countryName_default = DE
countryName_min = 2
countryName_max = 2
stateOrProvinceName = "2. State or Province Name (full name) "
#stateOrProvinceName_default =
localityName = "3. Locality Name (eg, city) "
localityName_default = Berlin
0.organizationName = "4. Organization Name (eg, company) "
0.organizationName_default = Mustermann
organizationalUnitName = "5. Organizational Unit Name (eg, section) "
organizationalUnitName_default = Server
commonName = "6. Common Name (eg, CA name) "
commonName_max = 64
commonName_default = www.mustermann.de
emailAddress = "7. Email Address (eg, name@FQDN)"
emailAddress_max = 40
emailAddress_default = webmaster@mustermann.de


@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----


@ -0,0 +1,6 @@
extensions = x509v3
[ x509v3 ]
nsCertType = server
keyUsage = digitalSignature,nonRepudiation,keyEncipherment
extendedKeyUsage = msSGC,nsSGC,serverAuth


@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -0,0 +1,4 @@
client 0.0.0.0/0 {
secret = anonymous
require_message_authenticator = no
}
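Review bot: `client 0.0.0.0/0` with `secret = anonymous` makes every host that can reach UDP 1812/1813 a trusted NAS, and because the secret is public the RADIUS authenticator and `Message-Authenticator` no longer give any integrity, so the address range in this block is the only remaining control over who may talk to the server. Narrow it to the range the access points actually use, e.g. `client <ap-subnet> {` with the real prefix, add a `shortname`, and put a comment above the block stating that the secret is deliberately public because the SSID is anonymous. `require_message_authenticator = no` is the default and could simply be dropped, or set to `yes` since RFC 3579 requires the attribute on EAP traffic and the UniFi access points should send it.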


@ -0,0 +1,49 @@
#
# This is the local dictionary file which can be
# edited by local administrators. It will be loaded
# AFTER the main dictionary files are loaded.
#
# As of version 3.0.2, FreeRADIUS will automatically
# load the main dictionary files from
#
# ${prefix}/share/freeradius/dictionary
#
# It is no longer necessary for this file to $INCLUDE
# the main dictionaries. However, if the $INCLUDE
# line is here, nothing bad will happen.
#
# Any new/changed attributes MUST be placed in this file.
# The pre-defined dictionaries SHOULD NOT be edited.
#
# See "man dictionary" for documentation on its format.
#
# $Id: eed5d70f41b314f9ed3f006a22d9f9a2be2c9516 $
#
#
# All local attributes and $INCLUDE's should go into
# this file.
#
# If you want to add entries to the dictionary file,
# which are NOT going to be placed in a RADIUS packet,
# add them to the 'dictionary.local' file.
#
# The numbers you pick should be between 3000 and 4000.
# These attributes will NOT go into a RADIUS packet.
#
# If you want that, you will need to use VSAs. This means
# requesting allocation of a Private Enterprise Code from
# http://iana.org. We STRONGLY suggest doing that only if
# you are a vendor of RADIUS equipment.
#
# See RFC 6158 for more details.
# http://ietf.org/rfc/rfc6158.txt
#
#
# These attributes are examples
#
#ATTRIBUTE My-Local-String 3000 string
#ATTRIBUTE My-Local-IPAddr 3001 ipaddr
#ATTRIBUTE My-Local-Integer 3002 integer


@ -0,0 +1,116 @@
#
# This file contains the configuration for experimental modules.
#
# By default, it is NOT included in the build.
#
# $Id: 87d9744a4f0fa7b9b06b4908ddd6b7d2f1a7fd62 $
#
# Configuration for the Python module.
#
# Where radiusd is a Python module, radiusd.py, and the
# function 'authorize' is called. Here is a dummy piece
# of code:
#
# def authorize(params):
# print params
# return (5, ('Reply-Message', 'banned'))
#
# The RADIUS value-pairs are passed as a tuple of tuple
# pairs as the first argument, e.g. (('attribute1',
# 'value1'), ('attribute2', 'value2'))
#
# The function return is a tuple with the first element
# being the return value of the function.
# The 5 corresponds to RLM_MODULE_USERLOCK. I plan to
# write the return values as Python symbols to avoid
# confusion.
#
# The remaining tuple members are the string form of
# value-pairs which are passed on to pairmake().
#
python {
mod_instantiate = radiusd_test
func_instantiate = instantiate
mod_authorize = radiusd_test
func_authorize = authorize
mod_accounting = radiusd_test
func_accounting = accounting
mod_pre_proxy = radiusd_test
func_pre_proxy = pre_proxy
mod_post_proxy = radiusd_test
func_post_proxy = post_proxy
mod_post_auth = radiusd_test
func_post_auth = post_auth
mod_recv_coa = radiusd_test
func_recv_coa = recv_coa
mod_send_coa = radiusd_test
func_send_coa = send_coa
mod_detach = radiusd_test
func_detach = detach
}
# Configuration for the example module. Uncommenting it will cause it
# to get loaded and initialised, but should have no real effect as long
# it is not referenced in one of the autz/auth/preacct/acct sections
example {
# Boolean variable.
# allowed values: {no, yes}
boolean = yes
# An integer, of any value.
integer = 16
# A string.
string = "This is an example configuration string"
# An IP address, either in dotted quad (1.2.3.4) or hostname
# (example.com)
ipaddr = 127.0.0.1
# A subsection
mysubsection {
anotherinteger = 1000
# They nest
deeply nested {
string = "This is a different string"
}
}
}
#
# To create a dbm users file, do:
#
# cat test.users | rlm_dbm_parser -f /etc/raddb/users_db
#
# Then add 'dbm' in 'authorize' section.
#
# Note that even if the file has a ".db" or ".dbm" extension,
# you may have to specify it here without that extension. This
# is because the DBM libraries "helpfully" add a ".db" to the
# filename, but don't check if it's already there.
#
dbm {
usersfile = ${confdir}/users_db
}
# Instantiate a couple instances of the idn module
idn {
}
# ...more commonly known as...
idn idna {
}
idn idna_lenient {
UseSTD3ASCIIRules = no
}


@ -0,0 +1 @@
./mods-config/preprocess/hints


@ -0,0 +1 @@
./mods-config/preprocess/huntgroups


@ -0,0 +1,116 @@
Modules in Version 3
====================
As of Version 3, all of the modules have been placed in the
"mods-available/" directory. This practice follows that used by other
servers such as Nginx, Apache, etc. The "modules" directory should
not be used.
Modules are enabled by creating a file in the mods-enabled/ directory.
You can also create a soft-link from one directory to another::
$ cd raddb/mods-enabled
$ ln -s ../mods-available/foo
This will enable module "foo". Be sure that you have configured the
module correctly before enabling it, otherwise the server will not
start. You can verify the server configuration by running
"radiusd -XC".
A large number of modules are enabled by default. This allows the
server to work with the largest number of authentication protocols.
Please be careful when disabling modules. You will likely need to
edit the "sites-enabled/" files to remove references to any disabled
modules.
Conditional Modules
-------------------
Version 3 allows modules to be conditionally loaded. This is useful
when you want to have a virtual server which references a module, but
does not require it. Instead of editing the virtual server file, you
can just conditionally enable the module.
Modules are conditionally enabled by adding a "-" before their name in
a virtual server. For example, you can do::
server {
authorize {
...
ldap
-sql
...
}
}
This says "require the LDAP module, but use the SQL module only if it
is configured."
This feature is not very useful for production configurations. It is,
however, very useful for the default examples that ship with the
server.
Ignoring module
---------------
If you see this message::
Ignoring module (see raddb/mods-available/README.rst)
Then you are in the right place. Most of the time this message can be
ignored. The message can be fixed by finding the references to "-module"
in the virtual server, and deleting them.
Another way to fix it is to configure the module, as described above.
Simplification
--------------
Allowing conditional modules simplifies the default virtual servers
that are shipped with FreeRADIUS. This means that if you want to
enable LDAP (for example), you no longer need to edit the files in
raddb/sites-available/ in order to enable it.
Instead, you should edit the raddb/mods-available/ldap file to point
to your local LDAP server. Then, enable the module via the soft-link
method described above.
Once the module is enabled, it will automatically be used in the
default configuration.
Multiple Instances
------------------
It is sometimes necessary to have the same module do two different
things. The server supports this functionality via "instances" of
modules.
Normally, a module configuration looks like this:
sql {
... sql stuff ...
}
This module is then refereed to as the "sql" module.
But what happens if you want to connect to two different SQL
databases? The solution is simple; copy the "sql" module
configuration, and add an instance name after the "sql" string:
sql mysql1 {
... configuration for connecting to mysql11 ...
}
sql mysql2 {
... configuration for connecting to mysql12 ...
}
This configuration says "load the SQL module, but create two copies of
it, with different configurations". The different configurations can
be referred to by name, as "mysql1" and "mysql2". That is, anywhere
you would normally use "sql", you could use either "mysql1" or
"mysql2".
For further examples of using module instances, see the "attr_filter"
module configuration in this directory.


@ -0,0 +1,15 @@
# -*- text -*-
##
## Module for PSK authorizations from ABFAB trust router
##
## $Id: d75130da8a9faeb9712619bf49e68afadc30b73a $
sql psksql {
driver = "rlm_sql_sqlite"
sqlite {
filename = "/var/lib/trust_router/keys"
}
}


@ -0,0 +1,81 @@
# -*- text -*-
#
# $Id: b77d00c55d46741a3ca1cfc135dee4615466e912 $
#
# The "always" module is here for debugging purposes, or
# for use in complex policies.
# Instance simply returns the same result, always, without
# doing anything.
#
# rcode may be one of the following values:
# - reject - Reject the user.
# - fail - Simulate or indicate a failure.
# - ok - Simulate or indicate a success.
# - handled - Indicate that the request has been handled,
# stop processing, and send response if set.
# - invalid - Indicate that the request is invalid.
# - userlock - Indicate that the user account has been
# locked out.
# - notfound - Indicate that a user account can't be found.
# - noop - Simulate a no-op.
# - updated - Indicate that the request has been updated.
#
# If an instance is listed in a session {} section,
# this simulates a user having <integer> sessions.
#
# simulcount = <integer>
#
# If an instance is listed in a session {} section,
# this simulates the user having multilink
# sessions.
#
# mpp = <integer>
#
# An xlat based on the instance name can be called to change the status
# returned by the instance, in this example "always db_status { ... }"
#
# Force the module status to be alive or dead:
#
# %{db_status:alive}
# %{db_status:dead}
#
# Update the rcode returned by an alive module (a dead module returns fail):
#
# %{db_status:ok}
# %{db_status:fail}
# %{db_status:notfound}
# ...
#
# The above xlats expand to the current status of the module. To fetch the
# current status without affecting it call the xlat with an empty argument:
#
# %{db_status:}
#
always reject {
rcode = reject
}
always fail {
rcode = fail
}
always ok {
rcode = ok
}
always handled {
rcode = handled
}
always invalid {
rcode = invalid
}
always userlock {
rcode = userlock
}
always notfound {
rcode = notfound
}
always noop {
rcode = noop
}
always updated {
rcode = updated
}


@ -0,0 +1,61 @@
# -*- text -*-
#
# $Id: a23d3c0f11267a6c0f1afca599f71a6a76c49a1a $
#
# This file defines a number of instances of the "attr_filter" module.
#
# attr_filter - filters the attributes received in replies from
# proxied servers, to make sure we send back to our RADIUS client
# only allowed attributes.
attr_filter attr_filter.post-proxy {
key = "%{Realm}"
filename = ${modconfdir}/${.:name}/post-proxy
}
# attr_filter - filters the attributes in the packets we send to
# the RADIUS home servers.
attr_filter attr_filter.pre-proxy {
key = "%{Realm}"
filename = ${modconfdir}/${.:name}/pre-proxy
}
# Enforce RFC requirements on the contents of Access-Reject
# packets. See the comments at the top of the file for
# more details.
#
attr_filter attr_filter.access_reject {
key = "%{User-Name}"
filename = ${modconfdir}/${.:name}/access_reject
}
# Enforce RFC requirements on the contents of Access-Challenge
# packets. See the comments at the top of the file for
# more details.
#
attr_filter attr_filter.access_challenge {
key = "%{User-Name}"
filename = ${modconfdir}/${.:name}/access_challenge
}
# Enforce RFC requirements on the contents of the
# Accounting-Response packets. See the comments at the
# top of the file for more details.
#
attr_filter attr_filter.accounting_response {
key = "%{User-Name}"
filename = ${modconfdir}/${.:name}/accounting_response
}
#
# Enforce CoA or Disconnect packets.
#
# Note that you MUST edit the "coa" file below for your
# local configuration. Add in any attributes needed by the NAS.
#
attr_filter attr_filter.coa {
key = "%{User-Name}"
filename = ${modconfdir}/${.:name}/coa
}


@ -0,0 +1,132 @@
# -*- text -*-
#
# $Id: 8bd4730cf570fdfedc9c516dc6974eab39981600 $
#
# A module to cache attributes. The idea is that you can look
# up information in a database, and then cache it. Repeated
# requests for the same information will then have the cached
# values added to the request.
#
# The module can cache a fixed set of attributes per key.
# It can be listed in "authorize", "post-auth", "pre-proxy"
# and "post-proxy".
#
# If you want different things cached for authorize and post-auth,
# you will need to define two instances of the "cache" module.
#
# The module returns "ok" if it found or created a cache entry.
# The module returns "updated" if it merged a cached entry.
# The module returns "noop" if it did nothing.
# The module returns "fail" on error.
#
cache {
# The backend datastore used to store the cache entries.
# Current datastores are
# rlm_cache_rbtree - An in memory, non persistent rbtree based datastore.
# Useful for caching data locally.
# rlm_cache_memcached - A non persistent "webscale" distributed datastore.
# Useful if the cached data need to be shared between
# a cluster of RADIUS servers.
# driver = "rlm_cache_rbtree"
#
# Some drivers accept specific options, to set them a
# config section with the the name as the driver should be added
# to the cache instance.
#
# Driver specific options are:
#
# memcached {
# # Memcached configuration options, as documented here:
# # http://docs.libmemcached.org/libmemcached_configuration.html#memcached
# options = "--SERVER=localhost"
#
# pool {
# start = ${thread[pool].start_servers}
# min = ${thread[pool].min_spare_servers}
# max = ${thread[pool].max_servers}
# spare = ${thread[pool].max_spare_servers}
# uses = 0
# lifetime = 0
# idle_timeout = 60
# }
# }
# The key used to index the cache. It is dynamically expanded
# at run time.
key = "%{User-Name}"
# The TTL of cache entries, in seconds. Entries older than this
# will be expired.
#
# This value should be between 10 and 86400.
ttl = 10
# If yes the following attributes will be added to the request:
# * &request:Cache-Entry-Hits - The number of times this entry
# has been retrieved.
#
# Note: Not supported by the rlm_cache_memcached module.
add_stats = no
#
# The list of attributes to cache for a particular key.
#
# Each key gets the same set of cached attributes. The attributes
# are dynamically expanded at run time.
#
# The semantics of this construct are identical to an unlang
# update block, except the left hand side of the expression
# represents the cache entry. see man unlang for more information
# on update blocks.
#
# Note: Only request, reply, control and session-state lists
# are available in cache entries. Attempting to store attributes
# in other lists will raise an error during config validation.
#
update {
# <list>:<attribute> <op> <value>
# Cache all instances of Reply-Message in the reply list
&reply:Reply-Message += &reply:Reply-Message[*]
# Add our own to show when the cache was last updated
&reply:Reply-Message += "Cache last updated at %t"
&reply:Class := "%{randstr:ssssssssssssssssssssssssssssssss}"
}
# This module supports a number of runtime configuration parameters
# represented by attributes in the &control: list.
#
# &control:Cache-TTL - Sets the TTL of an entry to be created, or
# modifies the TTL of an existing entry.
# - Setting a Cache-TTL of > 0 means set the TTL of the entry to
# the new value (and reset the expiry timer).
# - Setting a Cache-TTL of < 0 means expire the existing entry
# (without merging) and create a new one with TTL set to
# value * -1.
# - Setting a Cache-TTL of 0 means expire the existing entry
# (without merging) and don't create a new one.
#
# &control:Cache-Status-Only - If present and set to 'yes' will
# prevent a new entry from being created, and existing entries from
# being merged. It will also alter the module's return codes.
# - The module will return "ok" if a cache entry was found.
# - The module will return "notfound" if no cache entry was found.
#
# &control:Cache-Read-Only - If present and set to 'yes' will
# prevent a new entry from being created, but will allow existing
# entries to be merged. It will also alter the module's return codes.
# - The module will return "updated" if a cache entry was found.
# - The module will return "notfound" if no cache was found.
#
# &control:Cache-Merge - If present and set to 'yes' will merge new
# cache entries into the current request. Useful if results
# of execs or expansions are stored directly in the cache.
#
# All runtime configuration attributes will be removed from the
# &control: list after the cache module is called.
}


@ -0,0 +1,13 @@
#
# Cache EAP responses for resiliency on intermediary proxy fail-over
#
cache cache_eap {
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
update reply {
reply: += &reply:
&control:State := &request:State
}
}


@ -0,0 +1,11 @@
# -*- text -*-
#
# $Id: e2a3cd3b110ffffdbcff86c7fc65a9275ddc3379 $
# CHAP module
#
# To authenticate requests containing a CHAP-Password attribute.
#
chap {
# no configuration
}


@ -0,0 +1,205 @@
couchbase {
#
# List of Couchbase hosts (hosts may be space, tab, comma or semi-colon separated).
# Ports are optional if servers are listening on the standard port.
# Complete pool urls are preferred.
#
server = "http://cb01.blargs.com:8091/pools/ http://cb04.blargs.com:8091/pools/"
# Couchbase bucket name
bucket = "radius"
# Couchbase bucket password (optional)
#password = "password"
# Couchbase accounting document key (unlang supported)
acct_key = "radacct_%{%{Acct-Unique-Session-Id}:-%{Acct-Session-Id}}"
# Value for the 'docType' element in the json body for accounting documents
doctype = "radacct"
## Accounting document expire time in seconds (0 = never)
expire = 2592000
#
# Map attribute names to json element names for accounting.
#
# Configuration items are in the format:
# <radius attribute> = '<element name>'
#
# Element names should be single quoted.
#
# Note: Attributes not in this map will not be recorded.
#
update {
Acct-Session-Id = 'sessionId'
Acct-Unique-Session-Id = 'uniqueId'
Acct-Status-Type = 'lastStatus'
Acct-Authentic = 'authentic'
User-Name = 'userName'
Stripped-User-Name = 'strippedUserName'
Stripped-User-Domain = 'strippedUserDomain'
Realm = 'realm'
NAS-IP-Address = 'nasIpAddress'
NAS-Identifier = 'nasIdentifier'
NAS-Port = 'nasPort'
Called-Station-Id = 'calledStationId'
Called-Station-SSID = 'calledStationSSID'
Calling-Station-Id = 'callingStationId'
Framed-Protocol = 'framedProtocol'
Framed-IP-Address = 'framedIpAddress'
NAS-Port-Type = 'nasPortType'
Connect-Info = 'connectInfo'
Acct-Session-Time = 'sessionTime'
Acct-Input-Packets = 'inputPackets'
Acct-Output-Packets = 'outputPackets'
Acct-Input-Octets = 'inputOctets'
Acct-Output-Octets = 'outputOctets'
Acct-Input-Gigawords = 'inputGigawords'
Acct-Output-Gigawords = 'outputGigawords'
Event-Timestamp = 'lastUpdated'
}
# Couchbase document key for user documents (unlang supported)
user_key = "raduser_%{md5:%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}}"
# Set to 'yes' to read radius clients from the Couchbase view specified below.
# NOTE: Clients will ONLY be read on server startup.
#read_clients = no
#
# Map attribute names to json element names when loading clients.
#
# Configuration follows the same rules as the accounting map above.
#
client {
# Couchbase view that should return all available client documents.
view = "_design/client/_view/by_id"
#
# Sets default values (not obtained from couchbase) for new client entries
#
template {
# login = 'test'
# password = 'test'
# proto = tcp
# require_message_authenticator = yes
# Uncomment to add a home_server with the same
# attributes as the client.
# coa_server {
# response_window = 2.0
# }
}
#
# Client mappings are in the format:
# <client attribute> = '<element name>'
#
# Element names should be single quoted.
#
# The following attributes are required:
# * ipaddr | ipv4addr | ipv6addr - Client IP Address.
# * secret - RADIUS shared secret.
#
# All attributes usually supported in a client
# definition are also supported here.
#
attribute {
ipaddr = 'clientIdentifier'
secret = 'clientSecret'
shortname = 'clientShortname'
nas_type = 'nasType'
virtual_server = 'virtualServer'
require_message_authenticator = 'requireMessageAuthenticator'
limit {
max_connections = 'maxConnections'
lifetime = 'clientLifetime'
idle_timeout = 'idleTimeout'
}
}
}
# Set to 'yes' to enable simultaneous use checking (multiple logins).
# NOTE: This will cause the execution of a view request on every check
# and may be a performance penalty.
# check_simul = no
# Couchbase view that should return all account documents keyed by username.
# simul_view = "_design/acct/_view/by_user"
# The key to the above view.
# NOTE: This will need to match EXACTLY what you emit from your view.
# simul_vkey = "%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}"
# Set to 'yes' to enable verification of the results returned from the above view.
# NOTE: This may be an additional performance penalty to the actual check and
# should be avoided unless absolutely neccessary.
# verify_simul = no
# Remove stale session if checkrad does not see a double login.
# NOTE: This will only be executed if both check_simul and verify_simul
# are set to 'yes' above.
# delete_stale_sessions = yes
#
# The connection pool is new for 3.0, and will be used in many
# modules, for all kinds of connection-related activity.
#
pool {
# Connections to create during module instantiation.
# If the server cannot create specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# couchbase being available.
start = ${thread[pool].start_servers}
# Minimum number of connections to keep open
min = ${thread[pool].min_spare_servers}
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like 'No connections available and at max connection limit'
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
max = ${thread[pool].max_servers}
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
spare = ${thread[pool].max_spare_servers}
# Number of uses before the connection is closed
#
# 0 means "infinite"
uses = 0
# The lifetime (in seconds) of the connection
#
# NOTE: A setting of 0 means infinite (no limit).
lifetime = 0
# The idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
#
# NOTE: A setting of 0 means infinite (no timeout).
idle_timeout = 1200
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
}


@ -0,0 +1,82 @@
# -*- text -*-
#
# $Id: a5ac1e60ef117a2c59ace1a9d061d8f70d1da538 $
# counter module:
# This module takes an attribute (count-attribute).
# It also takes a key, and creates a counter for each unique
# key. The count is incremented when accounting packets are
# received by the server. The value of the increment depends
# on the attribute type.
# If the attribute is Acct-Session-Time or of an integer type we add
# the value of the attribute. If it is anything else we increase the
# counter by one.
#
# The 'reset' parameter defines when the counters are all reset to
# zero. It can be hourly, daily, weekly, monthly or never.
#
# hourly: Reset on 00:00 of every hour
# daily: Reset on 00:00:00 every day
# weekly: Reset on 00:00:00 on sunday
# monthly: Reset on 00:00:00 of the first day of each month
#
# It can also be user defined. It should be of the form:
# num[hdwm] where:
# h: hours, d: days, w: weeks, m: months
# If the letter is omitted days will be assumed. In example:
# reset = 10h (reset every 10 hours)
# reset = 12 (reset every 12 days)
#
#
# The check_name attribute defines an attribute which will be
# registered by the counter module and can be used to set the
# maximum allowed value for the counter after which the user
# is rejected.
# Something like:
#
# DEFAULT Max-Daily-Session := 36000
# Fall-Through = 1
#
# You should add the counter module in the instantiate
# section so that it registers check_name before the files
# module reads the users file.
#
# If check_name is set and the user is to be rejected then we
# send back a Reply-Message and we log a Failure-Message in
# the radius.log
#
# If the count attribute is Acct-Session-Time then on each
# login we send back the remaining online time as a
# Session-Timeout attribute ELSE and if the reply_name is
# set, we send back that attribute. The reply_name attribute
# MUST be of an integer type.
#
# The counter-name can also be used instead of using the check_name
# like below:
#
# DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject
# Reply-Message = "You've used up more than one hour today"
#
# The allowed_service_type attribute can be used to only take
# into account specific sessions. For example if a user first
# logs in through a login menu and then selects ppp there will
# be two sessions. One for Login-User and one for Framed-User
# service type. We only need to take into account the second one.
#
# The module should be added in the instantiate, authorize and
# accounting sections. Make sure that in the authorize
# section it comes after any module which sets the
# 'check_name' attribute.
#
counter daily {
filename = ${db_dir}/db.daily
key = User-Name
count_attribute = Acct-Session-Time
reset = daily
counter_name = Daily-Session-Time
check_name = Max-Daily-Session
reply_name = Session-Timeout
allowed_service_type = Framed-User
cache_size = 5000
}


@ -0,0 +1,53 @@
# -*- text -*-
#
# $Id: 54842d4106800babe8db1d58d2e8b7a5cad017db $
#
# Write Chargeable-User-Identity to the database.
#
# Schema raddb/mods-config/sql/cui/<DB>/schema.sql
# Queries raddb/mods-config/sql/cui/<DB>/queries.conf
#
sql cuisql {
# The dialect of SQL you want to use, this should usually match
# the driver below.
#
# If you're using rlm_sql_null, then it should be the type of
# database the logged queries are going to be executed against.
dialect = "sqlite"
# The sub-module to use to execute queries. This should match
# the database you're attempting to connect to.
#
# There are CUI queries available for:
# * rlm_sql_mysql
# * rlm_sql_postgresql
# * rlm_sql_sqlite
# * rlm_sql_null (log queries to disk)
#
driver = "rlm_sql_${dialect}"
sqlite {
filename = ${radacctdir}/cui.sqlite
bootstrap = ${modconfdir}/${..:name}/cui/sqlite/schema.sql
}
# Write CUI queries to a logfile. Useful for debugging.
# logfile = ${logdir}/cuilog.sql
pool {
start = 5
min = 4
max = 10
spare = 3
uses = 0
lifetime = 0
idle_timeout = 60
}
cui_table = "cui"
sql_user_name = "%{User-Name}"
$INCLUDE ${modconfdir}/${.:name}/cui/${dialect}/queries.conf
}


@ -0,0 +1,35 @@
#
# Registers xlat to convert between time formats.
#
# xlat input string is an attribute name. If this attribute is of date
# or integer type, the date xlat will convert it to a time string in
# the format of the format config item.
#
# If the attribute is a string type, date will attempt to parse it in
# the format specified by the format config item, and will expand
# to a Unix timestamp.
#
date {
format = "%b %e %Y %H:%M:%S %Z"
# Use UTC instead of local time.
#
# default = no
# utc = yes
}
#
# The WISPr-Session-Terminate-Time attribute is of type "string",
# and not "date". Use this expansion to create an attribute
# that holds an actual date:
#
# Tmp-Date-0 := "%{wispr2date:&reply:WISPr-Session-Terminate-Time}"
#
date wispr2date {
format = "%Y-%m-%dT%H:%M:%S"
# Use UTC instead of local time.
#
# default = no
# utc = yes
}


@ -0,0 +1,109 @@
# -*- text -*-
#
# $Id: ccf65f9c839a6d9ea35fae4d9cd208ddca1a0acd $
# Write a detailed log of all accounting records received.
#
detail {
# Note that we do NOT use NAS-IP-Address here, as
# that attribute MAY BE from the originating NAS, and
# NOT from the proxy which actually sent us the
# request.
#
# The following line creates a new detail file for
# every radius client (by IP address or hostname).
# In addition, a new detail file is created every
# day, so that the detail file doesn't have to go
# through a 'log rotation'
#
# If your detail files are large, you may also want to add
# a ':%H' (see doc/configuration/variables.rst) to the end
# of it, to create a new detail file every hour, e.g.:
#
# ..../detail-%Y%m%d:%H
#
# This will create a new detail file for every hour.
#
# If you are reading detail files via the "listen" section
# (e.g. as in raddb/sites-available/robust-proxy-accounting),
# you MUST use a unique directory for each combination of a
# detail file writer, and reader. That is, there can only
# be ONE "listen" section reading detail files from a
# particular directory.
#
# The configuration below puts the detail files into separate
# directories for each client. If you are reading the detail
# files via the "listen" section, just use one directory.
#
# e.g. filename = ${radacctdir}/reader1/detail-%Y%m%d
#
# AND use a separate directory (reader2, reader3, etc.) for each
# reader.
#
filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
#
# If you are using radrelay, delete the above line for "file",
# and use this one instead:
#
# filename = ${radacctdir}/detail
#
# Most file systems can handly nearly the full range of UTF-8
# characters. Ones that can deal with a limited range should
# set this to "yes".
#
escape_filenames = no
#
# The Unix-style permissions on the 'detail' file.
#
# The detail file often contains secret or private
# information about users. So by keeping the file
# permissions restrictive, we can prevent unwanted
# people from seeing that information.
permissions = 0600
# The Unix group of the log file.
#
# The user that the server runs as must be in the specified
# system group otherwise this will fail to work.
#
# group = ${security.group}
#
# Every entry in the detail file has a header which
# is a timestamp. By default, we use the ctime
# format (see "man ctime" for details).
#
# The header can be customised by editing this
# string. See "doc/configuration/variables.rst" for a
# description of what can be put here.
#
header = "%t"
#
# Uncomment this line if the detail file reader will be
# reading this detail file.
#
# locking = yes
#
# Log the Packet src/dst IP/port. This is disabled by
# default, as that information isn't used by many people.
#
# log_packet_header = yes
#
# Certain attributes such as User-Password may be
# "sensitive", so they should not be printed in the
# detail file. This section lists the attributes
# that should be suppressed.
#
# The attributes should be listed one to a line.
#
#suppress {
# User-Password
#}
}


@ -0,0 +1,27 @@
# -*- text -*-
#
# Detail file writer, used in the following examples:
#
# raddb/sites-available/robust-proxy-accounting
# raddb/sites-available/decoupled-accounting
#
# Note that this module can write detail files that are read by
# only ONE "listen" section. If you use BOTH of the examples
# above, you will need to define TWO "detail" modules.
#
# e.g. detail1.example.com && detail2.example.com
#
#
# We write *multiple* detail files here. They will be processed by
# the detail "listen" section in the order that they were created.
# The directory containing these files should NOT be used for any
# other purposes. i.e. It should have NO other files in it.
#
# Writing multiple detail enables the server to process the pieces
# in smaller chunks. This helps in certain catastrophic corner cases.
#
# $Id: 827cdf57e70dc2ff2252016194f4bb846eecead2 $
#
detail detail.example.com {
filename = ${radacctdir}/detail.example.com/detail-%Y%m%d:%H:%G
}


@ -0,0 +1,75 @@
# -*- text -*-
#
# $Id: b91cf7cb24744ee96e390aa4d7bd5f3ad4c0c0ee $
#
# More examples of doing detail logs.
#
# Many people want to log authentication requests.
# Rather than modifying the server core to print out more
# messages, we can use a different instance of the 'detail'
# module, to log the authentication requests to a file.
#
# You will also need to un-comment the 'auth_log' line
# in the 'authorize' section, below.
#
detail auth_log {
filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
permissions = 0600
# You may also strip out passwords completely
suppress {
User-Password
}
}
#
# This module logs authentication reply packets sent
# to a NAS. Both Access-Accept and Access-Reject packets
# are logged.
#
# You will also need to un-comment the 'reply_log' line
# in the 'post-auth' section, below.
#
detail reply_log {
filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
permissions = 0600
}
#
# This module logs packets proxied to a home server.
#
# You will also need to un-comment the 'pre_proxy_log' line
# in the 'pre-proxy' section, below.
#
detail pre_proxy_log {
filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
permissions = 0600
# You may also strip out passwords completely
#suppress {
# User-Password
#}
}
#
# This module logs response packets from a home server.
#
# You will also need to un-comment the 'post_proxy_log' line
# in the 'post-proxy' section, below.
#
detail post_proxy_log {
filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d
permissions = 0600
}


@ -0,0 +1,19 @@
# -*- text -*-
#
# $Id: a4316335d7f73b37ec5aa9278de91d37dd28eddc $
#
# This module is useful only for 'xlat'. To use it,
# put 'dhcp' into the 'instantiate' section.
#
# %{dhcp_options:<Attribute-ref>} may be used to decode
# DHCP options data included in RADIUS packets by vendors
# of DHCP to RADIUS gateways.
#
# This is known to work with the following VSAs:
# * Juniper - ERX-Dhcp-Options
# * Alcatel lucent SR - Alc-ToServer-Dhcp-Options
# - Alc-ToClient-Dhcp-Options
#
dhcp {
}


@ -0,0 +1,56 @@
# -*- text -*-
#
# $Id: 243a241a8d28d8de9696e5364c59e25558789219 $
# Instances of the "files" module for managing DHCP options
#
files dhcp_network {
# The file containing network-specific DHCP options mapping
filename = ${modconfdir}/files/dhcp
# For network lookups we use a fixed key. Matching
# actual networks is done by additional filtering within
# the file
key = "network"
}
files dhcp_subnet {
# The file containing subnet-specific DHCP options mapping
filename = ${modconfdir}/files/dhcp
# For subnet lookups we use a fixed key. Matching
# actual subnets is done by additional filtering within
# the file
key = "subnet"
}
files dhcp_set_group_options {
# An example of looking up DHCP group options. This
# is designed to be called from a policy configured in
# policy.d/dhcp.
#
# If clients are never members of more than one group,
# then this could be simplified such that DHCP-Group-Name
# is used here in place of Foreach-Variable-0 and this
# module instance called directly rather than the policy
# Use the same file as for subnets - could be split
# for large, complex installations
filename = ${modconfdir}/files/dhcp
# The key is a temporary string populated by the calling policy
# which uses a foreach loop.
key = "%{Foreach-Variable-0}"
}
files dhcp_hosts {
# An example of a DHCP host mapping for option setting
# Use the same file as for subnets - could be split
# for large, complex installations
filename = ${modconfdir}/files/dhcp
# If a different identifier is needed for looking up
# host specific entries then amend this key.
key = "host-%{DHCP-Client-Hardware-Address}"
}


@ -0,0 +1,20 @@
# -*- text -*-
#
# $Id: 7884a00298935db8e33fd9f850c2619e61d9b5a9 $
# An instance of the passwd module designed for looking up
# DHCP client membership. This example is based on hardware
# address.
# The "groups" file should be of the format:
# <group name>|<hardware address>,<hardware address>,<hardware address>
# <group name>|<hardware address>,<hardware address>,<hardware address>
#
# See the passwd module for more details.
passwd dhcp_group_membership {
filename = "${modconfdir}/files/dhcp_groups"
format = "~DHCP-Group-Name:*,DHCP-Client-Hardware-Address"
hash_size = 100
allow_multiple_keys = yes
delimiter = "|"
}


@ -0,0 +1,92 @@
# -*- text -*-
##
## mods-available/sql -- SQL modules
##
## $Id: 20dbe3a35be942acaaec8ee0ced7e85786fc46a7 $
######################################################################
#
# Configuration for the DHCP-specific instance of the SQL module
#
# The database schemas and queries are located in subdirectories:
#
# sql/dhcp/<DB>/schema.sql Schema
# sql/dhcp/<DB>/queries.conf Reply options lookup queries
#
# Where "DB" is mysql, mssql, oracle, or postgresql.
#
#
# See raddb/mods-available/sql for a description of the configuration items
# for the sql module.
#
sql dhcp_sql {
dialect = "sqlite"
driver = "rlm_sql_null"
# driver = "rlm_sql_${dialect}"
sqlite {
filename = "/tmp/freeradius.db"
busy_timeout = 200
bootstrap = "${modconfdir}/${..:name}/dhcp/sqlite/schema.sql"
}
mysql {
tls {
ca_file = "/etc/ssl/certs/my_ca.crt"
ca_path = "/etc/ssl/certs/"
certificate_file = "/etc/ssl/certs/private/client.crt"
private_key_file = "/etc/ssl/certs/private/client.key"
cipher = "DHE-RSA-AES256-SHA:AES128-SHA"
tls_required = yes
tls_check_cert = no
tls_check_cert_cn = no
}
warnings = auto
}
postgresql {
send_application_name = yes
}
mongo {
appname = "freeradius"
tls {
certificate_file = /path/to/file
certificate_password = "password"
ca_file = /path/to/file
ca_dir = /path/to/directory
crl_file = /path/to/file
weak_cert_validation = false
allow_invalid_hostname = false
}
}
# server = "localhost"
# port = 3306
# login = "radius"
# password = "radpass"
radius_db = "radius"
dhcpreply_table = "dhcpreply"
groupreply_table = "dhcpgroupreply"
dhcpgroup_table = "dhcpgroup"
read_groups = no
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 0
idle_timeout = 60
}
group_attribute = "${.:instance}-SQL-Group"
$INCLUDE ${modconfdir}/${.:name}/dhcp/${dialect}/queries.conf
}


@ -0,0 +1,101 @@
# Configuration for DHCP for the SQL based IP Pools module (rlm_sqlippool).
#
# See raddb/mods-available/sqlippool for common configuration explanation
#
# See raddb/policy.d/dhcp_sqlippool for the "glue" code that allows
# the RADIUS based "sqlippool" module to be used for DHCP.
#
# See raddb/sites-available/dhcp for instructions on how to configure
# the DHCP server.
#
# The database schemas are available at:
#
# raddb/mods-config/sql/ippool-dhcp/<DB>/schema.sql
#
# $Id: 909b93c7ebcbbeb16b123ca38e696790b5771dda $
sqlippool dhcp_sqlippool {
# SQL instance to use (from mods-available/sql)
#
# If you have multiple sql instances, such as "sql sql1 {...}",
# use the *instance* name here: sql1.
sql_module_instance = "dhcp_sql"
# This is duplicative of info available in the SQL module, but
# we have to list it here as we do not yet support nested
# reference expansions.
dialect = "mysql"
# Name of the check item attribute to be used as a key in the SQL queries
pool_name = "Pool-Name"
# SQL table to use for ippool range and lease info
ippool_table = "dhcpippool"
# The duration for which a lease is reserved whilst under offer
offer_duration = 10
# IP lease duration. (Leases expire even if no DHCP-Release packet is received)
# Either use the value to be sent to the client or a hard coded one.
lease_duration = "%{reply:DHCP-IP-Address-Lease-Time}"
#lease_duration = 7200
# The attribute in which the IP address is returned in the reply
attribute_name = "DHCP-Your-IP-Address"
# Assign the IP address, even if the above attribute already exists in
# the reply.
#
# allow_duplicates = no
# The attribute in which an IP address hint may be supplied
req_attribute_name = "DHCP-Requested-IP-Address"
#
# RFC 2132 allows the DHCP client to supply a unique
# identifier ("uid") using Option 61 (DHCP-Client-Identifier)
# in which case it must be used as the lookup key for
# configuration data.
#
pool_key = "%{%{DHCP-Client-Identifier}:-%{DHCP-Client-Hardware-Address}}"
#
# The "uid" is generated by the OS which means that clients
# whose BMC piggybacks on the main interface (sharing its MAC,
# but generating a distinct uid) and dual-booting clients can
# be allocated multiple IPs, consuming more pool entries. To
# avoid this you can ignore the RFCs and key the configuration
# data based only on the client MAC address.
#
# pool_key = "%{DHCP-Client-Hardware-Address}"
################################################################
#
# WARNING: MySQL (MyISAM) has certain limitations that means it can
# hand out the same IP address to 2 different users.
#
# We suggest using an SQL DB with proper transaction
# support, such as PostgreSQL, or using MySQL
# with InnoDB.
#
################################################################
# These messages are added to the "control" items, as
# Module-Success-Message. They are not logged anywhere else,
# unlike previous versions. If you want to have them logged
# to a file, see the "linelog" module, and create an entry
# which writes Module-Success-Message message.
#
messages {
exists = "DHCP: Existing IP: %{reply:${..attribute_name}} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
success = "DHCP: Allocated IP: %{reply:${..attribute_name}} from %{control:${..pool_name}} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
clear = "DHCP: Released IP %{DHCP-Client-IP-Address} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
failed = "DHCP: IP Allocation FAILED from %{control:${..pool_name}} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
nopool = "DHCP: No ${..pool_name} defined (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
}
$INCLUDE ${modconfdir}/sql/ippool-dhcp/${dialect}/queries.conf
}


@ -0,0 +1,13 @@
# -*- text -*-
#
# $Id: f0aa9edf9da33d63fe03e7d1ed3cbca848eec54d $
#
# The 'digest' module currently has no configuration.
#
# "Digest" authentication against a Cisco SIP server.
# See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
# on performing digest authentication for Cisco SIP servers.
#
digest {
}


@ -0,0 +1,32 @@
# -*- text -*-
#
# $Id: cc2bd5fd22aa473b98af5dde3fac7a66e39a9e9d $
# This module loads RADIUS clients as needed, rather than when the server
# starts.
#
# There are no configuration entries for this module. Instead, it
# relies on the "client" configuration. You must:
#
# 1) link raddb/sites-enabled/dynamic_clients to
# raddb/sites-available/dynamic_clients
#
# 2) Define a client network/mask (see top of the above file)
#
# 3) uncomment the "directory" entry in that client definition
#
# 4) list "dynamic_clients" in the "authorize" section of the
# "dynamic_clients' virtual server. The default example already
# does this.
#
# 5) put files into the above directory, one per IP.
# e.g. file "192.0.2.1" should contain a normal client definition
# for a client with IP address 192.0.2.1.
#
# For more documentation, see the file:
#
# raddb/sites-available/dynamic-clients
#
dynamic_clients {
}



@ -0,0 +1,123 @@
# -*- text -*-
#
# $Id: ad3e15933f9e85c5566810432a5fec8f23d877c1 $
#
# This is a more general example of the execute module.
#
# This one is called "echo".
#
# Attribute-Name = `%{echo:/path/to/program args}`
#
# If you wish to execute an external program in more than
# one section (e.g. 'authorize', 'pre_proxy', etc), then it
# is probably best to define a different instance of the
# 'exec' module for every section.
#
# The return value of the program run determines the result
# of the exec instance call as follows:
# (See doc/configurable_failover for details)
#
# < 0 : fail the module failed
# = 0 : ok the module succeeded
# = 1 : reject the module rejected the user
# = 2 : fail the module failed
# = 3 : ok the module succeeded
# = 4 : handled the module has done everything to handle the request
# = 5 : invalid the user's configuration entry was invalid
# = 6 : userlock the user was locked out
# = 7 : notfound the user was not found
# = 8 : noop the module did nothing
# = 9 : updated the module updated information in the request
# > 9 : fail the module failed
#
exec echo {
#
# Wait for the program to finish.
#
# If we do NOT wait, then the program is "fire and
# forget", and any output attributes from it are ignored.
#
# If we are looking for the program to output
# attributes, and want to add those attributes to the
# request, then we MUST wait for the program to
# finish, and therefore set 'wait=yes'
#
# allowed values: {no, yes}
wait = yes
#
# The name of the program to execute, and it's
# arguments. Dynamic translation is done on this
# field, so things like the following example will
# work.
#
program = "/bin/echo %{User-Name}"
#
# The attributes which are placed into the
# environment variables for the program.
#
# Allowed values are:
#
# request attributes from the request
# config attributes from the configuration items list
# reply attributes from the reply
# proxy-request attributes from the proxy request
# proxy-reply attributes from the proxy reply
#
# Note that some attributes may not exist at some
# stages. e.g. There may be no proxy-reply
# attributes if this module is used in the
# 'authorize' section.
#
input_pairs = request
#
# Where to place the output attributes (if any) from
# the executed program. The values allowed, and the
# restrictions as to availability, are the same as
# for the input_pairs.
#
output_pairs = reply
#
# When to execute the program. If the packet
# type does NOT match what's listed here, then
# the module does NOT execute the program.
#
# For a list of allowed packet types, see
# the 'dictionary' file, and look for VALUEs
# of the Packet-Type attribute.
#
# By default, the module executes on ANY packet.
# Un-comment out the following line to tell the
# module to execute only if an Access-Accept is
# being sent to the NAS.
#
#packet_type = Access-Accept
#
# Should we escape the environment variables?
#
# If this is set, all the RADIUS attributes
# are capitalised and dashes replaced with
# underscores. Also, RADIUS values are surrounded
# with double-quotes.
#
# That is to say: User-Name=BobUser => USER_NAME="BobUser"
shell_escape = yes
#
# How long should we wait for the program to finish?
#
# Default is 10 seconds, which should be plenty for nearly
# anything. Range is 1 to 30 seconds. You are strongly
# encouraged to NOT increase this value. Decreasing can
# be used to cause authentication to fail sooner when you
# know it's going to fail anyway due to the time taken,
# thereby saving resources.
#
#timeout = 10
}


@ -0,0 +1,28 @@
# -*- text -*-
#
# $Id: f58b72f560ba067991d67295b546691bcd992d44 $
# "passwd" configuration, for the /etc/group file. Adds a Etc-Group-Name
# attribute for every group that the user is member of.
#
# You will have to define the Etc-Group-Name in the 'dictionary' file
# as a 'string' type.
#
# The Group and Group-Name attributes are automatically created by
# the Unix module, and do checking against /etc/group automatically.
# This means that you CANNOT use Group or Group-Name to do any other
# kind of grouping in the server. You MUST define a new group
# attribute.
#
# i.e. this module should NOT be used as-is, but should be edited to
# point to a different group file.
#
passwd etc_group {
filename = /etc/group
format = "=Etc-Group-Name:::*,User-Name"
hash_size = 50
ignore_nislike = yes
allow_multiple_keys = yes
delimiter = ":"
}


@ -0,0 +1,29 @@
# -*- text -*-
#
# $Id: bb1d4374b741a7bfcdfc098fc57af650509ceae2 $
#
# Execute external programs
#
# This module is useful only for 'xlat'. To use it,
# put 'exec' into the 'instantiate' section. You can then
# do dynamic translation of attributes like:
#
# Attribute-Name = `%{exec:/path/to/program args}`
#
# The value of the attribute will be replaced with the output
# of the program which is executed. Due to RADIUS protocol
# limitations, any output over 253 bytes will be ignored.
#
# The RADIUS attributes from the user request will be placed
# into environment variables of the executed program, as
# described in "man unlang" and in doc/configuration/variables.rst
#
# See also "echo" for more sample configuration.
#
exec {
wait = no
input_pairs = request
shell_escape = yes
timeout = 10
}


@ -0,0 +1,13 @@
# -*- text -*-
#
# $Id: 5d06454d0a8ccce7f50ddf7b01ba01c4ace6560a $
#
# The expiration module. This handles the Expiration attribute
# It should be included in the *end* of the authorize section
# in order to handle user Expiration. It should also be included
# in the instantiate section in order to register the Expiration
# compare function
#
expiration {
}


@ -0,0 +1,146 @@
# -*- text -*-
#
# $Id: 43dbea35e41698f8ced22c1cf4ad128b08dee7ca $
#
# This module performs mathematical calculations:
#
# Attribute-Name = "%{expr:2 + 3 + &NAS-Port}"
#
# It supports the following operators (in order of precedence)
#
# & binary AND
# | binary OR
# << left shift
# >> right shift
# + addition
# - subtraction
# * multiply
# / divide
# %% remainder
# ^ exponentiation
# (...) sub-expression
#
# Operator precedence follows the normal rules.
# Division by zero means that the entire expression is invalid.
#
# Note that in versions before 3.0.5, the expression
# was parsed strictly left to right, and ignored operator
# precedence.
#
# It also allows unary negation: -1
# And twos complement: ~1
#
# All calculations are done on signed 63-bit integers.
# e.g. int64_t. This should be sufficient for all normal
# purposes.
#
# Hex numbers are supported: 0xabcdef
#
# As with all string expansions, you can nest the expansions:
#
# %{expr: %{NAS-Port} + 1}
# %{expr: %{sql:SELECT ... } + 1}
#
# Attribute references are supported for integer attributes.
# e.g. &NAS-Port. The benefit of using attribute references
# is that the expression is calculated directly on the
# attribute. It skips the step of "print to string, and then
# parse to number". This means it's a little faster.
#
# Otherwise, all numbers are decimal.
#
#
# The module also registers a few paircompare functions, and
# many string manipulation functions, including:
#
# rand get random number from 0 to n-1
# "%{rand:10}" == "9"
#
# randstr get random string built from character classes:
# c lowercase letters
# C uppercase letters
# n numbers
# a alphanumeric
# ! punctuation
# . alphanumeric + punctuation
# s alphanumeric + "./"
# o characters suitable for OTP (easily confused removed)
# h binary data as lowercase hex
# H binary data as uppercase hex
#
# "%{randstr:CCCC!!cccnnn}" == "IPFL>{saf874"
# "%{randstr:oooooooo}" == "rfVzyA4y"
# "%{randstr:hhhh}" == "68d60de3"
#
# urlquote quote special characters in URI
# "%{urlquote:http://example.org/}" == "http%3A%47%47example.org%47"
#
# urlunquote unquote URL special characters
# "%{urlunquote:http%%3A%%47%%47example.org%%47}" == "http://example.org/"
#
# escape escape string similar to rlm_sql safe_characters
# "%{escape:<img>foo.jpg</img>}" == "=60img=62foo.jpg=60/img=62"
#
# unescape reverse of escape
# "%{unescape:=60img=62foo.jpg=60/img=62}" == "<img>foo.jpg</img>"
#
# tolower convert to lowercase
# "%{tolower:Bar}" == "bar"
#
# toupper convert to uppercase
# "%{toupper:Foo}" == "FOO"
#
# md5 get md5sum hash
# "%{md5:foo}" == "acbd18db4cc2f85cedef654fccc4a4d8"
#
# sha1 get sha1 hash
# "%{sha1:foo}" == "0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33"
#
# sha256 get sha256 hash
# "%{sha256:foo}" == "2c26b46b68ffc68ff99b453c1d30413413422d706..."
#
# sha512 get sha512 hash
# "%{sha512:foo}" == "f7fbba6e0636f890e56fbbf3283e524c6fa3204ae29838..."
#
# hmacmd5 generate HMAC-MD5 of string
# "%{hmacmd5:foo bar}" == "31b6db9e5eb4addb42f1a6ca07367adc"
#
# hmacsha1 generate HMAC-SHA1 of string
# "%{hmacsha1:foo bar}" == "85d155c55ed286a300bd1cf124de08d87e914f3a"
#
# crypt encrypt with a salt: %{crypt:salt:password}
# "%{crypt:aa:foo}" == "aaKNIEDOaueR6"
# "%{crypt:$1$abcdefgh:foo}" == "$1$abcdefgh$XxzGe9Muun7wTYbZO4sdr0"
# "%{crypt:$5$%{randstr:aaaaaaaaaaaaaaaa}:foo}" == "$1$fu4P2fcAdo9gM..."
#
# pairs serialize attributes as comma-delimited string
# "%{pairs:request:}" == "User-Name = 'foo', User-Password = 'bar', ..."
#
# base64 encode string as base64
# "%{base64:foo}" == "Zm9v"
#
# base64tohex convert base64 to hex
# "%{base64tohex:Zm9v}" == "666f6f"
#
# explode split an attribute into multiple new attributes based on a delimiter
# "%{explode:&ref <delim>}"
#
# nexttime calculate number of seconds until next n hour(s), day(s), week(s), year(s)
# if it were 16:18, %{nexttime:1h} would expand to 2520
#
# lpad left-pad a string
# if User-Name is "foo": "%{lpad:&User-Name 6 x}" == "xxxfoo"
#
# rpad right-pad a string
# if User-Name is "foo": "%{rpad:&User-Name 5 -}" == "foo--"
#
expr {
#
# Characters that will not be encoded by the %{escape}
# xlat function.
#
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}


@ -0,0 +1,30 @@
# -*- text -*-
#
# $Id: e3f3bf568d92eba8eb17bbad590f846f2d9e1ac8 $
# Livingston-style 'users' file
#
# See "man users" for more information.
#
files {
# Search for files in a subdirectory of mods-config which
# matches this instance of the files module.
moddir = ${modconfdir}/${.:instance}
# The default key attribute to use for matches. The content
# of this attribute is used to match the "name" of the
# entry.
#key = "%{%{Stripped-User-Name}:-%{User-Name}}"
# The old "users" style file is now located here.
filename = ${moddir}/authorize
# This is accepted for backwards compatibility
# It will be removed in a future release.
# usersfile = ${moddir}/authorize
# These are accepted for backwards compatibility.
# They will be renamed in a future release.
acctusersfile = ${moddir}/accounting
preproxy_usersfile = ${moddir}/pre-proxy
}


@ -0,0 +1,28 @@
# -*- text -*-
#
# $Id: 534054077d52a7bb0bf8e02c1e861e5c86b76df9 $
#
# Internationalised domain names.
#
# The expansion string: %{idn: example.com} results in an ASCII
# punycode version of the domain name. That version can then be used
# for name comparisons. Using an i18n version of the name is NOT
# RECOMMENDED, as that version is not canonical.
#
# i.e. the "same" domain name can be represented in many, many,
# different ways. Only the idn version has *one* representation.
#
idn {
#
# Allow use of unassigned Unicode code points.
#
allow_unassigned = no
#
# Prohibit underscores and other invalid characters in domain
# names.
use_std3_ascii_rules = yes
}


@ -0,0 +1,107 @@
# -*- text -*-
#
# $Id: 576eb7739ebf18ca6323cb740a7d4278ff6d6ea2 $
#
# Sample configuration for an EAP module that occurs *inside*
# of a tunneled method. It is used to limit the EAP types that
# can occur inside of the inner tunnel.
#
# See also raddb/sites-available/inner-tunnel
#
# See raddb/mods-available/eap for full documentation on the meaning of these
# configuration entries.
#
eap inner-eap {
# This is the best choice for PEAP.
default_eap_type = mschapv2
timer_expire = 60
# This should be the same as the outer eap "max sessions"
max_sessions = 2048
# Supported EAP-types
md5 {
}
gtc {
# The default challenge, which many clients
# ignore..
#challenge = "Password: "
auth_type = PAP
}
mschapv2 {
# See eap for documentation
# send_error = no
}
# No TTLS or PEAP configuration should be listed here.
## EAP-TLS
#
# You SHOULD use different certificates than are used
# for the outer EAP configuration!
#
# You can create the "inner-server.pem" file by doing:
#
# cd raddb/certs
# vi inner-server.cnf
# make inner-server
#
# The certificate MUST be different from the "server.cnf"
# file.
#
# Support for PEAP/TLS and RFC 5176 TLS/TLS is experimental.
# It might work, or it might not.
#
tls {
private_key_password = whatever
private_key_file = ${certdir}/inner-server.pem
# If Private key & Certificate are located in
# the same file, then private_key_file &
# certificate_file must contain the same file
# name.
#
# If ca_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
certificate_file = ${certdir}/inner-server.pem
# You may want different CAs for inner and outer
# certificates. If so, edit this file.
ca_file = ${cadir}/ca.pem
cipher_list = "DEFAULT"
# You may want to set a very small fragment size.
# The TLS data here needs to go inside of the
# outer EAP-TLS protocol.
#
# Try values and see if they work...
# fragment_size = 1024
# Other needful things
dh_file = ${certdir}/dh
random_file = /dev/urandom
# CRL and OCSP things go here. See the main "eap"
# file for details.
# check_crl = yes
# ca_path = /path/to/directory/with/ca_certs/and/crls/
# Accept an expired Certificate Revocation List
#
# allow_expired_crl = no
#
# The session resumption / fast re-authentication
# cache CANNOT be used for inner sessions.
#
}
}


@ -0,0 +1,66 @@
# -*- text -*-
#
# $Id: 1d3305ba45ec71336f55f8f1db05f183772e1b82 $
# Do server side ip pool management. Should be added in
# post-auth and accounting sections.
#
# The module also requires the existence of the Pool-Name
# attribute. That way the administrator can add the Pool-Name
# attribute in the user profiles and use different pools for
# different users. The Pool-Name attribute is a *check* item
# not a reply item.
#
# The Pool-Name should be set to the ippool module instance
# name or to DEFAULT to match any module.
#
# Example:
# radiusd.conf: ippool students { [...] }
# ippool teachers { [...] }
# users file : DEFAULT Group == students, Pool-Name := "students"
# DEFAULT Group == teachers, Pool-Name := "teachers"
# DEFAULT Group == other, Pool-Name := "DEFAULT"
#
# Note: If you change the range parameters you must then erase the
# db files.
#
ippool main_pool {
# The main db file used to allocate addresses.
filename = ${db_dir}/db.ippool
# The start and end ip addresses for this pool.
range_start = 192.0.2.1
range_stop = 192.0.2.254
# The network mask used for this pool.
netmask = 255.255.255.0
# The gdbm cache size for the db files. Should
# be equal to the number of ip's available in
# the ip pool
cache_size = 800
# Helper db index file used in multilink
ip_index = ${db_dir}/db.ipindex
# If set, the Framed-IP-Address already in the
# reply (if any) will be discarded, and replaced
# ith a Framed-IP-Address assigned here.
override = no
# Specifies the maximum time in seconds that an
# entry may be active. If set to zero, means
# "no timeout". The default value is 0
maximum_timeout = 0
# The key to use for the session database (which
# holds the allocated ip's) normally it should
# just be the nas ip/port (which is the default).
#
# If your NAS sends the same value of NAS-Port
# all requests, the key should be based on some
# other attribute that is in ALL requests, AND
# is unique to each machine needing an IP address.
# key = "%{NAS-IP-Address} %{NAS-Port}"
}


@ -0,0 +1,82 @@
# -*- text -*-
#
# $Id: c88b5fbb4b35cc4e61bfb93a616d891fb79ebc0c $
#
# Kerberos. See doc/modules/rlm_krb5 for minimal docs.
#
krb5 {
#
# The keytab file MUST be owned by the UID/GID used by the server.
# The keytab file MUST be writable by the server.
# The keytab file MUST NOT be readable by other users on the system.
# The keytab file MUST exist before the server is started.
#
keytab = ${localstatedir}/lib/radiusd/keytab
service_principal = name_of_principle
# Pool of krb5 contexts, this allows us to make the module multithreaded
# and to avoid expensive operations like resolving and opening keytabs
# on every request. It may also allow TCP connections to the KDC to be
# cached if that is supported by the version of libkrb5 used.
#
# The context pool is only used if the underlying libkrb5 reported
# that it was thread safe at compile time.
#
pool {
# Connections to create during module instantiation.
# If the server cannot create specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# KDC being available.
start = ${thread[pool].start_servers}
# Minimum number of connections to keep open
min = ${thread[pool].min_spare_servers}
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like 'No connections available and at max connection limit'
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
max = ${thread[pool].max_servers}
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
spare = ${thread[pool].max_spare_servers}
# Number of uses before the connection is closed
#
# 0 means "infinite"
uses = 0
# The lifetime (in seconds) of the connection
#
# NOTE: A setting of 0 means infinite (no limit).
lifetime = 0
# The idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
#
# NOTE: A setting of 0 means infinite (no timeout).
idle_timeout = 0
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
}


@ -0,0 +1,666 @@
# -*- text -*-
#
# $Id: 015ae6907b8113771691ae3a3c1d53b05756d143 $
#
# Lightweight Directory Access Protocol (LDAP)
#
ldap {
# Note that this needs to match the name(s) in the LDAP server
# certificate, if you're using ldaps. See OpenLDAP documentation
# for the behavioral semantics of specifying more than one host.
#
# Depending on the libldap in use, server may be an LDAP URI.
# In the case of OpenLDAP this allows additional the following
# additional schemes:
# - ldaps:// (LDAP over SSL)
# - ldapi:// (LDAP over Unix socket)
# - ldapc:// (Connectionless LDAP)
server = 'localhost'
# server = 'ldap.rrdns.example.org'
# server = 'ldap.rrdns.example.org'
# Port to connect on, defaults to 389, will be ignored for LDAP URIs.
# port = 389
# Administrator account for searching and possibly modifying.
# If using SASL + KRB5 these should be commented out.
# identity = 'cn=admin,dc=example,dc=org'
# password = mypass
# Unless overridden in another section, the dn from which all
# searches will start from.
base_dn = 'dc=example,dc=org'
#
# You can run the 'ldapsearch' command line tool using the
# parameters from this module's configuration.
#
# ldapsearch -D ${identity} -w ${password} -h ${server} -b 'CN=user,${base_dn}'
#
# That will give you the LDAP information for 'user'.
#
# Group membership can be queried by using the above "ldapsearch" string,
# and adding "memberof" qualifiers. For ActiveDirectory, use:
#
# ldapsearch ... '(&(objectClass=user)(sAMAccountName=user)(memberof=CN=group,${base_dn}))'
#
# Where 'user' is the user as above, and 'group' is the group you are querying for.
#
#
# SASL parameters to use for admin binds
#
# When we're prompted by the SASL library, these control
# the responses given, as well as the identity and password
# directives above.
#
# If any directive is commented out, a NULL response will be
# provided to cyrus-sasl.
#
# Unfortunately the only way to control Keberos here is through
# environmental variables, as cyrus-sasl provides no API to
# set the krb5 config directly.
#
# Full documentation for MIT krb5 can be found here:
#
# http://web.mit.edu/kerberos/krb5-devel/doc/admin/env_variables.html
#
# At a minimum you probably want to set KRB5_CLIENT_KTNAME.
#
sasl {
# SASL mechanism
# mech = 'PLAIN'
# SASL authorisation identity to proxy.
# proxy = 'autz_id'
# SASL realm. Used for kerberos.
# realm = 'example.org'
}
#
# Generic valuepair attribute
#
# If set, this will attribute will be retrieved in addition to any
# mapped attributes.
#
# Values should be in the format:
# <radius attr> <op> <value>
#
# Where:
# <radius attr>: Is the attribute you wish to create
# with any valid list and request qualifiers.
# <op>: Is any assignment operator (=, :=, +=, -=).
# <value>: Is the value to parse into the new valuepair.
# If the value is wrapped in double quotes it
# will be xlat expanded.
# valuepair_attribute = 'radiusAttribute'
#
# Mapping of LDAP directory attributes to RADIUS dictionary attributes.
#
# WARNING: Although this format is almost identical to the unlang
# update section format, it does *NOT* mean that you can use other
# unlang constructs in module configuration files.
#
# Configuration items are in the format:
# <radius attr> <op> <ldap attr>
#
# Where:
# <radius attr>: Is the destination RADIUS attribute
# with any valid list and request qualifiers.
# <op>: Is any assignment attribute (=, :=, +=, -=).
# <ldap attr>: Is the attribute associated with user or
# profile objects in the LDAP directory.
# If the attribute name is wrapped in double
# quotes it will be xlat expanded.
#
# Request and list qualifiers may also be placed after the 'update'
# section name to set defaults destination requests/lists
# for unqualified RADIUS attributes.
#
# Note: LDAP attribute names should be single quoted unless you want
# the name value to be derived from an xlat expansion, or an
# attribute ref.
update {
control:Password-With-Header += 'userPassword'
# control:NT-Password := 'ntPassword'
# reply:Reply-Message := 'radiusReplyMessage'
# reply:Tunnel-Type := 'radiusTunnelType'
# reply:Tunnel-Medium-Type := 'radiusTunnelMediumType'
# reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
# Where only a list is specified as the RADIUS attribute,
# the value of the LDAP attribute is parsed as a valuepair
# in the same format as the 'valuepair_attribute' (above).
control: += 'radiusControlAttribute'
request: += 'radiusRequestAttribute'
reply: += 'radiusReplyAttribute'
}
# Set to yes if you have eDirectory and want to use the universal
# password mechanism.
# edir = no
# Set to yes if you want to bind as the user after retrieving the
# Cleartext-Password. This will consume the login grace, and
# verify user authorization.
# edir_autz = no
# Note: set_auth_type was removed in v3.x.x
#
# Equivalent functionality can be achieved by adding the
# following "if" statement to the authorize {} section of
# the virtual server, after the "ldap" module. For example:
#
# ...
# ldap
# if ((ok || updated) && User-Password && !control:Auth-Type) {
# update {
# control:Auth-Type := ldap
# }
# }
# ...
#
# You will also need to uncomment the "Auth-Type LDAP" block in the
# "authenticate" section.
#
#
# Name of the attribute that contains the user DN.
# The default name is LDAP-UserDn.
#
# If you have multiple LDAP instances, you should
# change this configuration item to:
#
# ${.:instance}-LDAP-UserDn
#
# That change allows the modules to set their own
# User DN, and to not conflict with each other.
#
user_dn = "LDAP-UserDn"
#
# User object identification.
#
user {
# Where to start searching in the tree for users
base_dn = "${..base_dn}"
# Filter for user objects, should be specific enough
# to identify a single user object.
#
# For Active Directory, you should use
# "samaccountname=" instead of "uid="
#
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
# For Active Directory nested group, you should comment out the previous 'filter = ...'
# and use the below. Where 'group' is the group you are querying for.
#
# NOTE: The string '1.2.840.113556.1.4.1941' specifies LDAP_MATCHING_RULE_IN_CHAIN.
# This applies only to DN attributes. This is an extended match operator that walks
# the chain of ancestry in objects all the way to the root until it finds a match.
# This reveals group nesting. It is available only on domain controllers with
# Windows Server 2003 SP2 or Windows Server 2008 (or above).
#
# See: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
#
# filter = "(&(objectClass=user)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf:1.2.840.113556.1.4.1941:=cn=group,${..base_dn}))"
# SASL parameters to use for user binds
#
# When we're prompted by the SASL library, these control
# the responses given.
#
# Any of the config items below may be an attribute ref
# or and expansion, so different SASL mechs, proxy IDs
# and realms may be used for different users.
sasl {
# SASL mechanism
# mech = 'PLAIN'
# SASL authorisation identity to proxy.
# proxy = &User-Name
# SASL realm. Used for kerberos.
# realm = 'example.org'
}
# Search scope, may be 'base', 'one', sub' or 'children'
# scope = 'sub'
# Server side result sorting
#
# A list of space delimited attributes to order the result
# set by, if the filter matches multiple objects.
# Only the first result in the set will be processed.
#
# If the attribute name is prefixed with a hyphen '-' the
# sorting order will be reversed for that attribute.
#
# If sort_by is set, and the server does not support sorting
# the search will fail.
# sort_by = '-uid'
# If this is undefined, anyone is authorised.
# If it is defined, the contents of this attribute
# determine whether or not the user is authorised
# access_attribute = 'dialupAccess'
# Control whether the presence of 'access_attribute'
# allows access, or denys access.
#
# If 'yes', and the access_attribute is present, or
# 'no' and the access_attribute is absent then access
# will be allowed.
#
# If 'yes', and the access_attribute is absent, or
# 'no' and the access_attribute is present, then
# access will not be allowed.
#
# If the value of the access_attribute is 'false', it
# will negate the result.
#
# e.g.
# access_positive = yes
# access_attribute = userAccessAllowed
#
# With an LDAP object containing:
# userAccessAllowed: false
#
# Will result in the user being locked out.
# access_positive = yes
}
#
# User membership checking.
#
group {
# Where to start searching in the tree for groups
base_dn = "${..base_dn}"
# Filter for group objects, should match all available
# group objects a user might be a member of.
#
# If using Active Directory you are likely to need "group"
# instead of "posixGroup".
filter = '(objectClass=posixGroup)'
# Search scope, may be 'base', 'one', sub' or 'children'
# scope = 'sub'
# Attribute that uniquely identifies a group.
# Is used when converting group DNs to group
# names.
# name_attribute = cn
# Filter to find all group objects a user is a member of.
# That is, group objects with attributes that
# identify members (the inverse of membership_attribute).
#
# Note that this configuration references the "user_dn"
# configuration defined above.
#
# membership_filter = "(|(member=%{control:${..user_dn}})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
# The attribute, in user objects, which contain the names
# or DNs of groups a user is a member of.
#
# Unless a conversion between group name and group DN is
# needed, there's no requirement for the group objects
# referenced to actually exist.
#
# If the LDAP server does not support the "memberOf"
# attribute (or equivalent), then you will need to use the
# membership_filter option above instead. If you can't see
# the memberOf attribute then it is also possible that the
# LDAP bind user does not have the correct permissions to
# view it.
membership_attribute = 'memberOf'
# If cacheable_name or cacheable_dn are enabled,
# all group information for the user will be
# retrieved from the directory and written to LDAP-Group
# attributes appropriate for the instance of rlm_ldap.
#
# For group comparisons these attributes will be checked
# instead of querying the LDAP directory directly.
#
# This feature is intended to be used with rlm_cache.
#
# If you wish to use this feature, you should enable
# the type that matches the format of your check items
# i.e. if your groups are specified as DNs then enable
# cacheable_dn else enable cacheable_name.
# cacheable_name = 'no'
# cacheable_dn = 'no'
# Override the normal cache attribute (<inst>-LDAP-Group or
# LDAP-Group if using the default instance) and create a
# custom attribute. This can help if multiple module instances
# are used in fail-over.
# cache_attribute = 'LDAP-Cached-Membership'
# If the group being checked is specified as a name, but
# the user's groups are referenced by DN, and one of those
# group DNs is invalid, the whole group check is treated as
# invalid, and a negative result will be returned.
# When set to 'yes', this option ignores invalid DN
# references.
# allow_dangling_group_ref = 'no'
}
#
# User profiles. RADIUS profile objects contain sets of attributes
# to insert into the request. These attributes are mapped using
# the same mapping scheme applied to user objects (the update section above).
#
profile {
# Filter for RADIUS profile objects
# filter = '(objectclass=radiusprofile)'
# The default profile. This may be a DN or an attribute
# reference.
# To get old v2.2.x style behaviour, or to use the
# &User-Profile attribute to specify the default profile,
# set this to &control:User-Profile.
# default = 'cn=radprofile,dc=example,dc=org'
# The LDAP attribute containing profile DNs to apply
# in addition to the default profile above. These are
# retrieved from the user object, at the same time as the
# attributes from the update section, are are applied
# if authorization is successful.
# attribute = 'radiusProfileDn'
}
#
# Bulk load clients from the directory
#
client {
# Where to start searching in the tree for clients
base_dn = "${..base_dn}"
#
# Filter to match client objects
#
filter = '(objectClass=radiusClient)'
# Search scope, may be 'base', 'one', 'sub' or 'children'
# scope = 'sub'
#
# Sets default values (not obtained from LDAP) for new client entries
#
template {
# login = 'test'
# password = 'test'
# proto = tcp
# require_message_authenticator = yes
# Uncomment to add a home_server with the same
# attributes as the client.
# coa_server {
# response_window = 2.0
# }
}
#
# Client attribute mappings are in the format:
# <client attribute> = <ldap attribute>
#
# The following attributes are required:
# * ipaddr | ipv4addr | ipv6addr - Client IP Address.
# * secret - RADIUS shared secret.
#
# All other attributes usually supported in a client
# definition are also supported here.
#
# Schemas are available in doc/schemas/ldap for openldap and eDirectory
#
attribute {
ipaddr = 'radiusClientIdentifier'
secret = 'radiusClientSecret'
# shortname = 'radiusClientShortname'
# nas_type = 'radiusClientType'
# virtual_server = 'radiusClientVirtualServer'
# require_message_authenticator = 'radiusClientRequireMa'
}
}
# Load clients on startup
# read_clients = no
#
# Modify user object on receiving Accounting-Request
#
# Useful for recording things like the last time the user logged
# in, or the Acct-Session-ID for CoA/DM.
#
# LDAP modification items are in the format:
# <ldap attr> <op> <value>
#
# Where:
# <ldap attr>: The LDAP attribute to add modify or delete.
# <op>: One of the assignment operators:
# (:=, +=, -=, ++).
# Note: '=' is *not* supported.
# <value>: The value to add modify or delete.
#
# WARNING: If using the ':=' operator with a multi-valued LDAP
# attribute, all instances of the attribute will be removed and
# replaced with a single attribute.
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
type {
start {
update {
description := "Online at %S"
}
}
interim-update {
update {
description := "Last seen at %S"
}
}
stop {
update {
description := "Offline at %S"
}
}
}
}
#
# Post-Auth can modify LDAP objects too
#
post-auth {
update {
description := "Authenticated at %S"
}
}
#
# LDAP connection-specific options.
#
# These options set timeouts, keep-alives, etc. for the connections.
#
options {
# Control under which situations aliases are followed.
# May be one of 'never', 'searching', 'finding' or 'always'
# default: libldap's default which is usually 'never'.
#
# LDAP_OPT_DEREF is set to this value.
# dereference = 'always'
#
# The following two configuration items control whether the
# server follows references returned by LDAP directory.
# They are mostly for Active Directory compatibility.
# If you set these to 'no', then searches will likely return
# 'operations error', instead of a useful result.
#
chase_referrals = yes
rebind = yes
# SASL Security Properties (see SASL_SECPROPS in ldap.conf man page).
# Note - uncomment when using GSS-API sasl mechanism along with TLS
# encryption against Active-Directory LDAP servers (this disables
# sealing and signing at the GSS level as required by AD).
#sasl_secprops = 'noanonymous,noplain,maxssf=0'
# Seconds to wait for LDAP query to finish. default: 20
res_timeout = 10
# Seconds LDAP server has to process the query (server-side
# time limit). default: 20
#
# LDAP_OPT_TIMELIMIT is set to this value.
srv_timelimit = 3
# Seconds to wait for response of the server. (network
# failures) default: 10
#
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
net_timeout = 1
# LDAP_OPT_X_KEEPALIVE_IDLE
idle = 60
# LDAP_OPT_X_KEEPALIVE_PROBES
probes = 3
# LDAP_OPT_X_KEEPALIVE_INTERVAL
interval = 3
# ldap_debug: debug flag for LDAP SDK
# (see OpenLDAP documentation). Set this to enable
# huge amounts of LDAP debugging on the screen.
# You should only use this if you are an LDAP expert.
#
# default: 0x0000 (no debugging messages)
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
ldap_debug = 0x0028
}
#
# This subsection configures the tls related items
# that control how FreeRADIUS connects to an LDAP
# server. It contains all of the 'tls_*' configuration
# entries used in older versions of FreeRADIUS. Those
# configuration entries can still be used, but we recommend
# using these.
#
tls {
# Set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
#
# The StartTLS operation is supposed to be
# used with normal ldap connections instead of
# using ldaps (port 636) connections
# start_tls = yes
# ca_file = ${certdir}/cacert.pem
# ca_path = ${certdir}
# certificate_file = /path/to/radius.crt
# private_key_file = /path/to/radius.key
# random_file = /dev/urandom
# Certificate Verification requirements. Can be:
# 'never' (do not even bother trying)
# 'allow' (try, but don't fail if the certificate
# cannot be verified)
# 'demand' (fail if the certificate does not verify)
# 'hard' (similar to 'demand' but fails if TLS
# cannot negotiate)
#
# The default is libldap's default, which varies based
# on the contents of ldap.conf.
# require_cert = 'demand'
#
# Minimum TLS version to accept. We STRONGLY recommend
# setting this to "1.2"
#
# tls_min_version = "1.2"
}
# As of version 3.0, the 'pool' section has replaced the
# following configuration items:
#
# ldap_connections_number
# The connection pool is new for 3.0, and will be used in many
# modules, for all kinds of connection-related activity.
#
# When the server is not threaded, the connection pool
# limits are ignored, and only one connection is used.
pool {
# Connections to create during module instantiation.
# If the server cannot create specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# directory being available.
start = ${thread[pool].start_servers}
# Minimum number of connections to keep open
min = ${thread[pool].min_spare_servers}
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like 'No connections available and at max connection limit'
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
max = ${thread[pool].max_servers}
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
spare = ${thread[pool].max_spare_servers}
# Number of uses before the connection is closed
#
# 0 means "infinite"
uses = 0
# The number of seconds to wait after the server tries
# to open a connection, and fails. During this time,
# no new connections will be opened.
retry_delay = 30
# The lifetime (in seconds) of the connection
lifetime = 0
# Idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
idle_timeout = 60
# NOTE: All configuration settings are enforced. If a
# connection is closed because of 'idle_timeout',
# 'uses', or 'lifetime', then the total number of
# connections MAY fall below 'min'. When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the 'min' connections,
# or increase lifetime/idle_timeout.
}
}


@ -0,0 +1,161 @@
# -*- text -*-
#
# $Id: dc2a8195b3c1c2251fc37651ea4a598898c33d12 $
#
# The "linelog" module will log one line of text to a file.
# Both the filename and the line of text are dynamically expanded.
#
# We STRONGLY suggest that you do not use data from the
# packet as part of the filename.
#
linelog {
#
# The file where the logs will go.
#
# If the filename is "syslog", then the log messages will
# go to syslog.
filename = ${logdir}/linelog
#
# Most file systems can handly nearly the full range of UTF-8
# characters. Ones that can deal with a limited range should
# set this to "yes".
#
escape_filenames = no
#
# The Unix-style permissions on the log file.
#
# Depending on format string, the log file may contain secret or
# private information about users. Keep the file permissions as
# restrictive as possible.
permissions = 0600
# The Unix group which owns the log file.
#
# The user that freeradius runs as must be in the specified
# group, otherwise it will not be possible to set the group.
# group = ${security.group}
# Syslog facility (if logging via syslog).
# Defaults to the syslog_facility config item in radiusd.conf.
# Standard facilities are:
# - kern Messages generated by the kernel. These cannot
# be generated by any user processes.
# - user Messages generated by random user processes.
# This is the default facility identifier if
# none is specified.
# - mail The mail system.
# - daemon System daemons, such as routed(8), that are not
# provided for explicitly by other facilities.
# - auth The authorization system: login(1), su(1),
# getty(8), etc.
# - lpr The line printer spooling system: cups-lpd(8),
# cupsd(8), etc.
# - news The network news system.
# - uucp The uucp system.
# - cron The cron daemon: cron(8).
# - authpriv The same as LOG_AUTH, but logged to a file
# readable only by selected individuals.
# - ftp The file transfer protocol daemons: ftpd(8),
# tftpd(8).
# - local[0-7] Reserved for local use.
# syslog_facility = daemon
# Syslog severity (if logging via syslog). Defaults to info.
# Possible values are:
# - emergency A panic condition. This is normally broadcast
# to all users.
# - alert A condition that should be corrected immediately,
# such as a corrupted system database.
# - critical Critical conditions, e.g., hard device errors.
# - error Errors.
# - warning Warning messages.
# - notice Conditions that are not error conditions, but
# should possibly be handled specially.
# - info Informational messages.
# - debug Messages that contain information normally of use
# only when debugging a program.
# syslog_severity = info
# If logging via syslog, the severity can be set here.
# Defaults to info.
#
# The default format string.
format = "This is a log message for %{User-Name}"
#
# This next line can be omitted. If it is omitted, then
# the log message is static, and is always given by "format",
# above.
#
# If it is defined, then the string is dynamically expanded,
# and the result is used to find another configuration entry
# here, with the given name. That name is then used as the
# format string.
#
# If the configuration entry cannot be found, then no log
# message is printed.
#
# i.e. You can have many log messages in one "linelog" module.
# If this two-step expansion did not exist, you would have
# needed to configure one "linelog" module for each log message.
#
# Reference the Packet-Type (Access-Accept, etc.) If it doesn't
# exist, reference the "default" entry.
#
# This is for "linelog" being used in the post-auth section
# If you want to use it in "authorize", you need to change
# the reference to "messages.%{%{Packet-Type}:-default}",
# and then add the appropriate messages.
#
reference = "messages.%{%{reply:Packet-Type}:-default}"
#
# The messages defined here are taken from the "reference"
# expansion, above.
#
messages {
default = "Unknown packet type %{Packet-Type}"
Access-Accept = "Accepted user: %{User-Name}"
Access-Reject = "Rejected user: %{User-Name}"
Access-Challenge = "Sent challenge: %{User-Name}"
}
}
#
# Another example, for accounting packets.
#
linelog log_accounting {
#
# Used if the expansion of "reference" fails.
#
format = ""
filename = ${logdir}/linelog-accounting
permissions = 0600
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
#
# Another example:
#
#
Accounting-Request {
Start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})"
Stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds"
# Don't log anything for these packets.
Alive = ""
Accounting-On = "NAS %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} (%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}) just came online"
Accounting-Off = "NAS %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} (%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}) just went offline"
# don't log anything for other Acct-Status-Types.
unknown = "NAS %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} (%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}) sent unknown Acct-Status-Type %{Acct-Status-Type}"
}
}


@ -0,0 +1,23 @@
# -*- text -*-
#
# $Id: 25344527759d22b49b5e990fd83f0e506442fa76 $
# The logintime module. This handles the Login-Time,
# Current-Time, and Time-Of-Day attributes. It should be
# included in the *end* of the authorize section in order to
# handle Login-Time checks. It should also be included in the
# instantiate section in order to register the Current-Time
# and Time-Of-Day comparison functions.
#
# When the Login-Time attribute is set to some value, and the
# user has been permitted to log in, a Session-Timeout is
# calculated based on the remaining time. See "doc/README".
#
logintime {
# The minimum timeout (in seconds) a user is allowed
# to have. If the calculated timeout is lower we don't
# allow the login. Some NAS do not handle values
# lower than 60 seconds well.
minimum_timeout = 60
}


@ -0,0 +1,25 @@
# -*- text -*-
#
# $Id: a4ead1d64e8220344b483718ece4712bef5e9e36 $
######################################################################
#
# This next section is a sample configuration for the "passwd"
# module, that reads flat-text files.
#
# The file is in the format <mac>,<ip>
#
# 00:01:02:03:04:05,192.0.2.100
# 01:01:02:03:04:05,192.0.2.101
# 02:01:02:03:04:05,192.0.2.102
#
# This lets you perform simple static IP assignments from a flat-text
# file. You will have to define lease times yourself.
#
######################################################################
passwd mac2ip {
filename = ${modconfdir}/${.:name}/${.:instance}
format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address"
delimiter = ","
}


@ -0,0 +1,18 @@
# -*- text -*-
#
# $Id: a1db803a71cddbb98daeeeda515cff2fc77ea318 $
# A simple file to map a MAC address to a VLAN.
#
# The file should be in the format MAC,VLAN
# the VLAN name cannot have spaces in it, for example:
#
# 00:01:02:03:04:05,VLAN1
# 03:04:05:06:07:08,VLAN2
# ...
#
passwd mac2vlan {
filename = ${modconfdir}/${.:name}/${.:instance}
format = "*VMPS-Mac:=VMPS-VLAN-Name"
delimiter = ","
}


@ -0,0 +1,57 @@
# -*- text -*-
#
# $Id: 1b27b44b5a2d82e23d67c07ba19f0ef3293960d2 $
#
# Write Moonshot-*-TargetedId (MSTID) to the database.
#
# Schema raddb/mods-config/sql/moonshot-targeted-ids/<DB>/schema.sql
# Queries raddb/mods-config/sql/moonshot-targeted-ids/<DB>/queries.conf
#
sql moonshot_tid_sql {
# The dialect of SQL you want to use, this should usually match
# the driver below.
#
# If you're using rlm_sql_null, then it should be the type of
# database the logged queries are going to be executed against.
dialect = "sqlite"
# The sub-module to use to execute queries. This should match
# the database you're attempting to connect to.
#
# There are MSTID queries available for:
# * rlm_sql_mysql
# * rlm_sql_postgresql
# * rlm_sql_sqlite
# * rlm_sql_null (log queries to disk)
#
driver = "rlm_sql_${dialect}"
sqlite {
filename = ${radacctdir}/moonshot-targeted-ids.sqlite
bootstrap = ${modconfdir}/${..:name}/moonshot-targeted-ids/sqlite/schema.sql
}
# Write MSTID queries to a logfile. Useful for debugging.
# logfile = ${logdir}/moonshot-targeted-id-log.sql
pool {
start = 5
min = 4
max = 10
spare = 3
uses = 0
lifetime = 0
idle_timeout = 60
}
# If you adjust the table name here, you must also modify the table name in
# the moonshot_get_targeted_id.post-auth policy in policy.d/moonshot-targeted-ids
# and the schema.sql files in the mods-config/sql/moonshot-targeted-ids tree.
#
moonshot_tid_table = "moonshot_targeted_ids"
sql_user_name = "%{User-Name}"
$INCLUDE ${modconfdir}/${.:name}/moonshot-targeted-ids/${dialect}/queries.conf
}


@ -0,0 +1,253 @@
# -*- text -*-
#
# $Id: 1748d5747f5b2fda08a017ad3095d9b96b0c2ee0 $
#
# Microsoft CHAP authentication
#
# This module supports MS-CHAP and MS-CHAPv2 authentication.
# It also enforces the SMB-Account-Ctrl attribute.
#
mschap {
#
# If you are using /etc/smbpasswd, see the 'passwd'
# module for an example of how to use /etc/smbpasswd
#
#
# If use_mppe is not set to no mschap, will
# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
#
# use_mppe = no
#
# If MPPE is enabled, require_encryption makes
# encryption moderate
#
# require_encryption = yes
#
# require_strong always requires 128 bit key
# encryption
#
# require_strong = yes
#
# This module can perform authentication itself, OR
# use a Windows Domain Controller. This configuration
# directive tells the module to call the ntlm_auth
# program, which will do the authentication, and return
# the NT-Key. Note that you MUST have "winbindd" and
# "nmbd" running on the local machine for ntlm_auth
# to work. See the ntlm_auth program documentation
# for details.
#
# If ntlm_auth is configured below, then the mschap
# module will call ntlm_auth for every MS-CHAP
# authentication request. If there is a cleartext
# or NT hashed password available, you can set
# "MS-CHAP-Use-NTLM-Auth := No" in the control items,
# and the mschap module will do the authentication itself,
# without calling ntlm_auth.
#
# Be VERY careful when editing the following line!
#
# You can also try setting the user name as:
#
# ... --username=%{mschap:User-Name} ...
#
# In that case, the mschap module will look at the User-Name
# attribute, and do prefix/suffix checks in order to obtain
# the "best" user name for the request.
#
# For Samba 4, you should also set the "ntlm auth" parameter
# in the Samba configuration:
#
# ntlm auth = yes
#
# or
#
# ntlm auth = mschapv2-and-ntlmv2-only
#
# This will let Samba 4 accept the MS-CHAP authentication
# method that is needed by FreeRADIUS.
#
# Depending on the Samba version, you may also need to add:
#
# --allow-mschapv2
#
# to the command-line parameters.
#
# ntlm_auth = "/path/to/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
#
# The default is to wait 10 seconds for ntlm_auth to
# complete. This is a long time, and if it's taking that
# long then you likely have other problems in your domain.
# The length of time can be decreased with the following
# option, which can save clients waiting if your ntlm_auth
# usually finishes quicker. Range 1 to 10 seconds.
#
# ntlm_auth_timeout = 10
#
# An alternative to using ntlm_auth is to connect to the
# winbind daemon directly for authentication. This option
# is likely to be faster and may be useful on busy systems,
# but is less well tested.
#
# Using this option requires libwbclient from Samba 4.2.1
# or later to be installed. Make sure that ntlm_auth above is
# commented out.
#
# winbind_username = "%{mschap:User-Name}"
# winbind_domain = "%{mschap:NT-Domain}"
#
# When using single sign-on with a winbind connection and the
# client uses a different casing for the username than the
# casing is according to the backend, reauth may fail because
# of some Windows internals. This switch tries to find the
# user in the correct casing in the backend, and retry
# authentication with that username.
#
# winbind_retry_with_normalised_username = no
#
# Information for the winbind connection pool. The configuration
# items below are the same for all modules which use the new
# connection pool.
#
pool {
#
# Connections to create during module instantiation.
# If the server cannot create specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# winbind daemon being available.
#
start = ${thread[pool].start_servers}
#
# Minimum number of connections to keep open
#
min = ${thread[pool].min_spare_servers}
#
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like 'No connections available and at max connection limit'
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
#
max = ${thread[pool].max_servers}
#
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
#
spare = ${thread[pool].max_spare_servers}
#
# Number of uses before the connection is closed
#
# 0 means "infinite"
#
uses = 0
#
# The number of seconds to wait after the server tries
# to open a connection, and fails. During this time,
# no new connections will be opened.
#
retry_delay = 30
#
# The lifetime (in seconds) of the connection
#
# NOTE: A setting of 0 means infinite (no limit).
#
lifetime = 86400
#
# The pool is checked for free connections every
# "cleanup_interval". If there are free connections,
# then one of them is closed.
#
cleanup_interval = 300
#
# The idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
#
# NOTE: A setting of 0 means infinite (no timeout).
#
idle_timeout = 600
#
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
#
}
passchange {
#
# This support MS-CHAPv2 (not v1) password change
# requests. See doc/mschap.rst for more IMPORTANT
# information.
#
# Samba/ntlm_auth - if you are using ntlm_auth to
# validate passwords, you will need to use ntlm_auth
# to change passwords. Uncomment the three lines
# below, and change the path to ntlm_auth.
#
# ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
# ntlm_auth_username = "username: %{mschap:User-Name}"
# ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"
#
# To implement a local password change, you need to
# supply a string which is then expanded, so that the
# password can be placed somewhere. e.g. passed to a
# script (exec), or written to SQL (UPDATE/INSERT).
# We give both examples here, but only one will be
# used.
#
# local_cpw = "%{exec:/path/to/script %{mschap:User-Name} %{MS-CHAP-New-Cleartext-Password}}"
#
# local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{SQL-User-Name}' and attribute='NT-Password'}"
}
#
# For Apple Server, when running on the same machine as
# Open Directory. It has no effect on other systems.
#
# use_open_directory = yes
#
# On failure, set (or not) the MS-CHAP error code saying
# "retries allowed".
#
# allow_retry = yes
#
# An optional retry message.
#
# retry_msg = "Re-enter (or reset) the password"
}


@ -0,0 +1,18 @@
#
# For testing ntlm_auth authentication with PAP.
#
# If you have problems with authentication failing, even when the
# password is good, it may be a bug in Samba:
#
# https://bugzilla.samba.org/show_bug.cgi?id=6563
#
# Depending on the AD / Samba configuration, you may also need to add:
#
# --allow-mschapv2
#
# to the list of command-line options.
#
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}


@ -0,0 +1,26 @@
# -*- text -*-
#
# $Id: 443d74dc08f19ddb59ea342f756c90066623e1c6 $
# This module is only used when the server is running on the same
# system as OpenDirectory. The configuration of the module is hard-coded
# by Apple, and cannot be changed here.
#
# There are no configuration entries for this module.
#
# The MS-CHAP module will automatically talk to OpenDirectory, if the
# server is built on an OSX machine. However, you must also set
# dsAttrTypeNative:apple-enabled-auth-mech attribute in the
# /config/dirserv OpenDirectory record. You will probably also need
# to change the user passwords in order to re-generate the
# appropriate hashes.
#
# Complete OSX configuration information is available on Apple's web site:
#
# https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf
#
# See also https://discussions.apple.com/thread/6053980?tstart=0
#
opendirectory {
}


@ -0,0 +1,75 @@
#
# Configuration for the OTP module.
#
# This module allows you to use various handheld OTP tokens
# for authentication (Auth-Type := otp). These tokens are
# available from various vendors.
#
# It works in conjunction with otpd, which implements token
# management and OTP verification functions; and lsmd or gsmd,
# which implements synchronous state management functions.
# You must list this module in BOTH the authorize and authenticate
# sections in order to use it.
otp {
# otpd rendezvous point.
# (default: /var/run/otpd/socket)
#otpd_rp = /var/run/otpd/socket
# Text to use for the challenge.
# Default "Challenge: %{reply:OTP-Challenge}\n Response: "
challenge_prompt = "Challenge: %{reply:OTP-Challenge} \n Response: "
# Length of the challenge. Most tokens probably support a
# max of 8 digits. (range: 5-32 digits, default 6)
#challenge_length = 6
# Maximum time, in seconds, that a challenge is valid.
# (The user must respond to a challenge within this time.)
# It is also the minimal time between consecutive async mode
# authentications, a necessary restriction due to an inherent
# weakness of the RADIUS protocol which allows replay attacks.
# (default: 30)
#challenge_delay = 30
# Whether or not to allow asynchronous ("pure" challenge/
# response) mode authentication. Since sync mode is much more
# usable, and all reasonable tokens support it, the typical
# use of async mode is to allow re-sync of event based tokens.
# But because of the vulnerability of async mode with some tokens,
# you probably want to disable this and require that out-of-sync
# users re-sync from specifically secured terminals.
# See the otpd docs for more info.
# (default: no)
#allow_async = no
# Whether or not to allow synchronous mode authentication.
# When using otpd with lsmd, it is *CRITICALLY IMPORTANT*
# that if your OTP users can authenticate to multiple RADIUS
# servers, this must be "yes" for the primary/default server,
# and "no" for the others. This is because lsmd does not
# share state information across multiple servers. Using "yes"
# on all your RADIUS servers would allow replay attacks!
# Also, for event based tokens, the user will be out of sync
# on the "other" servers. In order to use "yes" on all your
# servers, you must either use gsmd, which synchronises state
# globally, or implement your own state synchronisation method.
# (default: yes)
#allow_sync = yes
# If both allow_async and allow_sync are "yes", a challenge is
# always presented to the user. This is incompatible with NAS
# that can't present or don't handle Access-Challenge's, e.g.
# PPTP servers. Even though a challenge is presented, the user
# can still enter their synchronous passcode.
# The following are MPPE settings. Note that MS-CHAP (v1) is
# strongly discouraged. All possible values are listed as
# {value = meaning}. Default values are first.
#mschapv2_mppe = {2 = required, 1 = optional, 0 = forbidden}
#mschapv2_mppe_bits = {2 = 128, 1 = 128 or 40, 0 = 40}
#mschap_mppe = {2 = required, 1 = optional, 0 = forbidden}
#mschap_mppe_bits = {2 = 128}
}


@ -0,0 +1,26 @@
# -*- text -*-
#
# $Id: f4a91a948637bb2f42f613ed9faa6f9ae9ae6099 $
# Pluggable Authentication Modules
#
# For Linux, see:
# http://www.kernel.org/pub/linux/libs/pam/index.html
#
# WARNING: On many systems, the system PAM libraries have
# memory leaks! We STRONGLY SUGGEST that you do not
# use PAM for authentication, due to those memory leaks.
#
pam {
#
# The name to use for PAM authentication.
# PAM looks in /etc/pam.d/${pam_auth_name}
# for it's configuration. See 'redhat/radiusd-pam'
# for a sample PAM configuration file.
#
# Note that any Pam-Auth attribute set in the 'authorize'
# section will over-ride this one.
#
pam_auth = radiusd
}


@ -0,0 +1,18 @@
# -*- text -*-
#
# $Id: 0038ecd154840c71ceff33ddfdd936e4e28e0bcd $
# PAP module to authenticate users based on their stored password
#
# Supports multiple encryption/hash schemes. See "man rlm_pap"
# for details.
#
# For instructions on creating the various types of passwords, see:
#
# http://www.openldap.org/faq/data/cache/347.html
pap {
# By default the server will use heuristics to try and automatically
# handle base64 or hex encoded passwords. This behaviour can be
# stopped by setting the following to "no".
# normalise = yes
}


@ -0,0 +1,55 @@
# -*- text -*-
#
# $Id: 11bd2246642bf3c080327c7f4a67dc42603f3a6c $
# passwd module allows to do authorization via any passwd-like
# file and to extract any attributes from these files.
#
# See the "smbpasswd" and "etc_group" files for more examples.
#
# parameters are:
# filename - path to file
#
# format - format for filename record. This parameters
# correlates record in the passwd file and RADIUS
# attributes.
#
# Field marked as '*' is a key field. That is, the parameter
# with this name from the request is used to search for
# the record from passwd file
#
# Attributes marked as '=' are added to reply_items instead
# of default configure_items
#
# Attributes marked as '~' are added to request_items
#
# Field marked as ',' may contain a comma separated list
# of attributes.
#
# hash_size - hashtable size. Setting it to 0 is no longer permitted
# A future version of the server will have the module
# automatically determine the hash size. Having it set
# manually should not be necessary.
#
# allow_multiple_keys - if many records for a key are allowed
#
# ignore_nislike - ignore NIS-related records
#
# delimiter - symbol to use as a field separator in passwd file,
# for format ':' symbol is always used. '\0', '\n' are
# not allowed
#
# An example configuration for using /etc/passwd.
#
# This is an example which will NOT WORK if you have shadow passwords,
# NIS, etc. The "unix" module is normally responsible for reading
# system passwords. You should use it instead of this example.
#
passwd etc_passwd {
filename = /etc/passwd
format = "*User-Name:Crypt-Password:"
hash_size = 100
ignore_nislike = no
allow_multiple_keys = no
}


@ -0,0 +1,94 @@
# -*- text -*-
#
# $Id: fa04cdabb71767050aaa0664da792fd6086adb19 $
# Persistent, embedded Perl interpreter.
#
perl {
#
# The Perl script to execute on authorize, authenticate,
# accounting, xlat, etc. This is very similar to using
# 'rlm_exec' module, but it is persistent, and therefore
# faster.
#
filename = ${modconfdir}/${.:instance}/example.pl
#
# Options which are passed to the Perl interpreter.
# These are (mostly) the same options as are passed
# to the "perl" command line.
#
# The most useful flag is "-T". This sets tainting on. And
# as of 3.0.18, makes it impossible to leverage bad
# User-Names into local command execution.
#
perl_flags = "-T"
#
# The following hashes are given to the module and
# filled with value-pairs (Attribute names and values)
#
# %RAD_CHECK Check items
# %RAD_REQUEST Attributes from the request
# %RAD_REPLY Attributes for the reply
# %RAD_REQUEST_PROXY Attributes from the proxied request
# %RAD_REQUEST_PROXY_REPLY Attributes from the proxy reply
#
# The interface between FreeRADIUS and Perl is strings.
# That is, attributes of type "octets" are converted to
# printable strings, such as "0xabcdef". If you want to
# access the binary values of the attributes, you should
# call the Perl "pack" function. Then to send any binary
# data back to FreeRADIUS, call the Perl "unpack" function,
# so that the contents of the hashes are printable strings.
#
# IP addresses are sent as strings, e.g. "192.0.2.25", and
# not as a 4-byte binary value. The same applies to other
# attribute data types.
#
# Attributes of type "string" are copied to Perl as-is.
# They are not escaped or interpreted.
#
# The return codes from functions in the perl_script
# are passed directly back to the server. These
# codes are defined in mods-config/example.pl
#
# You can define configuration items (and nested sub-sections) in perl "config" section.
# These items will be accessible in the perl script through %RAD_PERLCONF hash.
# For instance: $RAD_PERLCONF{'name'} $RAD_PERLCONF{'sub-config'}->{'name'}
#
#config {
# name = "value"
# sub-config {
# name = "value of name from config.sub-config"
# }
#}
#
# List of functions in the module to call.
# Uncomment and change if you want to use function
# names other than the defaults.
#
#func_authenticate = authenticate
#func_authorize = authorize
#func_preacct = preacct
#func_accounting = accounting
#func_checksimul = checksimul
#func_pre_proxy = pre_proxy
#func_post_proxy = post_proxy
#func_post_auth = post_auth
#func_recv_coa = recv_coa
#func_send_coa = send_coa
#func_xlat = xlat
#func_detach = detach
#
# Uncomment the following lines if you wish
# to use separate functions for Start and Stop
# accounting packets. In that case, the
# func_accounting function is not called.
#
#func_start_accounting = accounting_start
#func_stop_accounting = accounting_stop
}


@ -0,0 +1,62 @@
# -*- text -*-
#
# $Id: 8baec7961ba75fe52546cb1331868b0b2b1c38f4 $
# Preprocess the incoming RADIUS request, before handing it off
# to other modules.
#
# This module processes the 'huntgroups' and 'hints' files.
# In addition, it re-writes some weird attributes created
# by some NAS, and converts the attributes into a form which
# is a little more standard.
#
preprocess {
# Search for files in a subdirectory of mods-config which
# matches this instance of the preprocess module.
moddir = ${modconfdir}/${.:instance}
huntgroups = ${moddir}/huntgroups
hints = ${moddir}/hints
# This hack changes Ascend's weird port numbering
# to standard 0-??? port numbers so that the "+" works
# for IP address assignments.
with_ascend_hack = no
ascend_channels_per_line = 23
# Windows NT machines often authenticate themselves as
# NT_DOMAIN\username
#
# If this is set to 'yes', then the NT_DOMAIN portion
# of the user-name is silently discarded.
#
# This configuration entry SHOULD NOT be used.
# See the "realms" module for a better way to handle
# NT domains.
with_ntdomain_hack = no
# Specialix Jetstream 8500 24 port access server.
#
# If the user name is 10 characters or longer, a "/"
# and the excess characters after the 10th are
# appended to the user name.
#
# If you're not running that NAS, you don't need
# this hack.
with_specialix_jetstream_hack = no
# Cisco (and Quintum in Cisco mode) sends it's VSA attributes
# with the attribute name *again* in the string, like:
#
# H323-Attribute = "h323-attribute=value".
#
# If this configuration item is set to 'yes', then
# the redundant data in the the attribute text is stripped
# out. The result is:
#
# H323-Attribute = "value"
#
# If you're not running a Cisco or Quintum NAS, you don't
# need this hack.
with_cisco_vsa_hack = no
}


@ -0,0 +1,65 @@
#
# Make sure the PYTHONPATH environmental variable contains the
# directory(s) for the modules listed below.
#
# Uncomment any func_* which are included in your module. If
# rlm_python is called for a section which does not have
# a function defined, it will return NOOP.
#
python {
# Path to the python modules
#
# Note that due to limitations on Python, this configuration
# item is GLOBAL TO THE SERVER. That is, you cannot have two
# instances of the python module, each with a different path.
#
# python_path="${modconfdir}/${.:name}:/path/to/python/files:/another_path/to/python_files/"
module = example
# Pass all VPS lists as a 6-tuple to the callbacks
# (request, reply, config, state, proxy_req, proxy_reply)
# pass_all_vps = no
# Pass all VPS lists as a dictionary to the callbacks
# Keys: "request", "reply", "config", "session-state", "proxy-request",
# "proxy-reply"
# This option prevales over "pass_all_vps"
# pass_all_vps_dict = no
# mod_instantiate = ${.module}
# func_instantiate = instantiate
# mod_detach = ${.module}
# func_detach = detach
# mod_authorize = ${.module}
# func_authorize = authorize
# mod_authenticate = ${.module}
# func_authenticate = authenticate
# mod_preacct = ${.module}
# func_preacct = preacct
# mod_accounting = ${.module}
# func_accounting = accounting
# mod_checksimul = ${.module}
# func_checksimul = checksimul
# mod_pre_proxy = ${.module}
# func_pre_proxy = pre_proxy
# mod_post_proxy = ${.module}
# func_post_proxy = post_proxy
# mod_post_auth = ${.module}
# func_post_auth = post_auth
# mod_recv_coa = ${.module}
# func_recv_coa = recv_coa
# mod_send_coa = ${.module}
# func_send_coa = send_coa
}


@ -0,0 +1,65 @@
#
# Make sure the PYTHONPATH environmental variable contains the
# directory(s) for the modules listed below.
#
# Uncomment any func_* which are included in your module. If
# rlm_python is called for a section which does not have
# a function defined, it will return NOOP.
#
python3 {
# Path to the python modules
#
# Note that due to limitations on Python, this configuration
# item is GLOBAL TO THE SERVER. That is, you cannot have two
# instances of the python module, each with a different path.
#
# python_path="${modconfdir}/${.:name}:/another_path/to/python_files"
module = example
# Pass all VPS lists as a 6-tuple to the callbacks
# (request, reply, config, state, proxy_req, proxy_reply)
# pass_all_vps = no
# Pass all VPS lists as a dictionary to the callbacks
# Keys: "request", "reply", "config", "session-state", "proxy-request",
# "proxy-reply"
# This option prevales over "pass_all_vps"
# pass_all_vps_dict = no
# mod_instantiate = ${.module}
# func_instantiate = instantiate
# mod_detach = ${.module}
# func_detach = detach
# mod_authorize = ${.module}
# func_authorize = authorize
# mod_authenticate = ${.module}
# func_authenticate = authenticate
# mod_preacct = ${.module}
# func_preacct = preacct
# mod_accounting = ${.module}
# func_accounting = accounting
# mod_checksimul = ${.module}
# func_checksimul = checksimul
# mod_pre_proxy = ${.module}
# func_pre_proxy = pre_proxy
# mod_post_proxy = ${.module}
# func_post_proxy = post_proxy
# mod_post_auth = ${.module}
# func_post_auth = post_auth
# mod_recv_coa = ${.module}
# func_recv_coa = recv_coa
# mod_send_coa = ${.module}
# func_send_coa = send_coa
}


@ -0,0 +1,53 @@
# -*- text -*-
#
# $Id: 82319c033bbf349991a46b8f198a5bf5487b5da8 $
# Write a 'utmp' style file, of which users are currently
# logged in, and where they've logged in from.
#
# This file is used mainly for Simultaneous-Use checking,
# and also 'radwho', to see who's currently logged in.
#
radutmp {
# Where the file is stored. It's not a log file,
# so it doesn't need rotating.
#
filename = ${logdir}/radutmp
# The field in the packet to key on for the
# 'user' name, If you have other fields which you want
# to use to key on to control Simultaneous-Use,
# then you can use them here.
#
# Note, however, that the size of the field in the
# 'utmp' data structure is small, around 32
# characters, so that will limit the possible choices
# of keys.
#
# You may want instead: %{%{Stripped-User-Name}:-%{User-Name}}
username = %{User-Name}
# Whether or not we want to treat "user" the same
# as "USER", or "User". Some systems have problems
# with case sensitivity, so this should be set to
# 'no' to enable the comparisons of the key attribute
# to be case insensitive.
#
case_sensitive = yes
# Accounting information may be lost, so the user MAY
# have logged off of the NAS, but we haven't noticed.
# If so, we can verify this information with the NAS,
#
# If we want to believe the 'utmp' file, then this
# configuration entry can be set to 'no'.
#
check_with_nas = yes
# Set the file permissions, as the contents of this file
# are usually private.
permissions = 0600
caller_id = "yes"
}


@ -0,0 +1,75 @@
# -*- text -*-
#
# $Id: 8ff95a9e9a652c2df9f992b0eb528084b6a7a2dc $
# Realm module, for proxying.
#
# You can have multiple instances of the realm module to
# support multiple realm syntaxes at the same time. The
# search order is defined by the order that the modules are listed
# in the authorize and preacct sections.
#
# Four config options:
# format - must be "prefix" or "suffix"
# The special cases of "DEFAULT"
# and "NULL" are allowed, too.
# delimiter - must be a single character
# 'realm/username'
#
# Using this entry, IPASS users have their realm set to "IPASS".
realm IPASS {
format = prefix
delimiter = "/"
}
# 'username@realm'
#
realm suffix {
format = suffix
delimiter = "@"
# The next configuration items are valid ONLY for a trust-router.
# For all other realms, they are ignored.
# trust_router = "localhost"
# tr_port = 12309
# rp_realm = "realm.example.com"
# default_community = "apc.communities.example.com"
# # if rekey_enabled is enabled, dynamic realms are automatically rekeyed
# # before they expire to avoid having to recreate them from scrach on
# # demand (implying lengthy authentications)
# rekey_enabled = no
# # if realm_lifetime is > 0, the rekey is scheduled to happen the
# # specified number of seconds after its creation or rekeying. Otherwise,
# # the key material expiration timestamp is used
# realm_lifetime = 0
}
# 'realm!username'
#
realm bangpath {
format = prefix
delimiter = "!"
# trust_router = "localhost"
# tr_port = 12309
# rp_realm = "realm.example.com"
# default_community = "apc.communities.example.com"
# rekey_enabled = no
# realm_lifetime = 0
}
# 'username%realm'
#
realm realmpercent {
format = suffix
delimiter = "%"
}
#
# 'domain\user'
#
realm ntdomain {
format = prefix
delimiter = "\\"
}


@ -0,0 +1,99 @@
# -*- text -*-
#
# $Id: 64789f58a7f937b7b9f4c7ff783153fb5194ba25 $
#
# Configuration file for the "redis" module. This module does nothing
# Other than provide connections to a redis database, and a %{redis: ...}
# expansion.
#
redis {
# Host where the redis server is located.
# We recommend using ONLY 127.0.0.1 !
server = 127.0.0.1
# Select the Redis logical database having the specified zero-based numeric index.
# database = 0
# The default port.
port = 6379
# The password used to authenticate to the server.
# We recommend using a strong password.
# password = thisisreallysecretandhardtoguess
# Set connection and query timeout for rlm_redis
query_timeout = 5
#
# Information for the connection pool. The configuration items
# below are the same for all modules which use the new
# connection pool.
#
pool {
# Connections to create during module instantiation.
# If the server cannot create specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# web service being available.
start = ${thread[pool].start_servers}
# Minimum number of connections to keep open
min = ${thread[pool].min_spare_servers}
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like 'No connections available and at max connection limit'
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
max = ${thread[pool].max_servers}
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
spare = ${thread[pool].max_spare_servers}
# Number of uses before the connection is closed
#
# 0 means "infinite"
uses = 0
# The number of seconds to wait after the server tries
# to open a connection, and fails. During this time,
# no new connections will be opened.
retry_delay = 30
# The lifetime (in seconds) of the connection
#
# NOTE: A setting of 0 means infinite (no limit).
lifetime = 86400
# The pool is checked for free connections every
# "cleanup_interval". If there are free connections,
# then one of them is closed.
cleanup_interval = 300
# The idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
#
# NOTE: A setting of 0 means infinite (no timeout).
idle_timeout = 600
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
}


@ -0,0 +1,52 @@
# -*- text -*-
#
# $Id: d303550fa48460f9583c051795ad7f179fcbd36b $
#
# Configuration file for the "rediswho" module.
#
# This module tracks the last set of login sessions for a user.
#
rediswho {
# REDIS instance to use (from mods-available/redis)
#
# If you have multiple redis instances, such as "redis redis1 {...}",
# use the *instance* name here: redis1.
# redis_module_instance = redis
# How many sessions to keep track of per user.
# If there are more than this number, older sessions are deleted.
trim_count = 15
# Expiry time in seconds. Any sessions which have not received
# an update in this time will be automatically expired.
expire_time = 86400
#
# Each subsection contains insert / trim / expire queries.
# The subsections are named after the contents of the
# Acct-Status-Type attribute. See dictionary.rfc2866 for names
# of the various Acct-Status-Type values, or look at the output
# of debug mode.
#
# This module supports *any* Acct-Status-Type. Just add a subsection
# of the appropriate name, along with insert / trim / expire queries.
#
Start {
insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}"
trim = "LTRIM %{User-Name} 0 ${..trim_count}"
expire = "EXPIRE %{User-Name} ${..expire_time}"
}
Interim-Update {
insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}"
trim = "LTRIM %{User-Name} 0 ${..trim_count}"
expire = "EXPIRE %{User-Name} ${..expire_time}"
}
Stop {
insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}"
trim = "LTRIM %{User-Name} 0 ${..trim_count}"
expire = "EXPIRE %{User-Name} ${..expire_time}"
}
}


@ -0,0 +1,42 @@
# Replicate packet(s) to a home server.
#
# This module will open a new socket for each packet, and "clone"
# the incoming packet to the destination realm (i.e. home server).
# These packets are only sent to UDP home servers. TCP and TLS
# are not supported.
#
# Use it by setting "Replicate-To-Realm = name" in the control list,
# just like Proxy-To-Realm. The configurations for the two attributes
# are identical. The realm must exist, the home_server_pool must exist,
# and the home_server must exist.
#
# The only difference is that the "replicate" module sends requests
# and does not expect a reply. Any reply is ignored.
#
# Both Replicate-To-Realm and Proxy-To-Realm can be used at the same time.
#
# To use this module, list "replicate" in the "authorize" or
# "accounting" section. Then, ensure that Replicate-To-Realm is set.
# The contents of the "packet" attribute list will be sent to the
# home server. The usual load-balancing, etc. features of the home
# server will be used.
#
# "radmin" can be used to mark home servers alive/dead, in order to
# enable/disable replication to specific servers.
#
# Packets can be replicated to multiple destinations. Just set
# Replicate-To-Realm multiple times. One packet will be sent for
# each of the Replicate-To-Realm attribute in the "control" list.
#
# If no packets are sent, the module returns "noop". If at least one
# packet is sent, the module returns "ok". If an error occurs, the
# module returns "fail"
#
# Note that replication does NOT change any of the packet statistics.
# If you use "radmin" to look at the statistics for a home server,
# the replicated packets will cause NO counters to increment. This
# is not a bug, this is how replication works.
#
replicate {
}


@ -0,0 +1,290 @@
rest {
#
# This subsection configures the tls related items
# that control how FreeRADIUS connects to a HTTPS
# server.
#
tls {
# Certificate Authorities:
# "ca_file" (libcurl option CURLOPT_ISSUERCERT).
# File containing a single CA, which is the issuer of the server
# certificate.
# "ca_info_file" (libcurl option CURLOPT_CAINFO).
# File containing a bundle of certificates, which allow to handle
# certificate chain validation.
# "ca_path" (libcurl option CURLOPT_CAPATH).
# Directory holding CA certificates to verify the peer with.
# ca_file = ${certdir}/cacert.pem
# ca_info_file = ${certdir}/cacert_bundle.pem
# ca_path = ${certdir}
# certificate_file = /path/to/radius.crt
# private_key_file = /path/to/radius.key
# private_key_password = "supersecret"
# random_file = /dev/urandom
# Server certificate verification requirements. Can be:
# "no" (don't even bother trying)
# "yes" (verify the cert was issued by one of the
# trusted CAs)
#
# The default is "yes"
# check_cert = yes
# Server certificate CN verification requirements. Can be:
# "no" (don't even bother trying)
# "yes" (verify the CN in the certificate matches the host
# in the URI)
#
# The default is "yes"
# check_cert_cn = yes
}
# rlm_rest will open a connection to the server specified in connect_uri
# to populate the connection cache, ready for the first request.
# The server will not start if the server specified is unreachable.
#
# If you wish to disable this pre-caching and reachability check,
# comment out the configuration item below.
connect_uri = "http://127.0.0.1/"
#
# How long before new connection attempts timeout, defaults to 4.0 seconds.
#
# connect_timeout = 4.0
#
# Specify HTTP protocol version to use. one of '1.0', '1.1', '2.0', '2.0+auto',
# '2.0+tls' or 'default'. (libcurl option CURLOPT_HTTP_VERSION)
#
# http_negotiation = 1.1
#
# The following config items can be used in each of the sections.
# The sections themselves reflect the sections in the server.
# For example if you list rest in the authorize section of a virtual server,
# the settings from the authorize section here will be used.
#
# The following config items may be listed in any of the sections:
# uri - to send the request to.
# method - HTTP method to use, one of 'get', 'post', 'put', 'patch',
# 'delete' or any custom HTTP method.
# body - The format of the HTTP body sent to the remote server.
# May be 'none', 'post' or 'json', defaults to 'none'.
# attr_num - If true, the attribute number is supplied for each attribute.
# Defaults to false.
# raw_value - If true, enumerated attribute values are provided as numeric
# values. Defaults to false.
# data - Send custom freeform data in the HTTP body. Content-type
# may be specified with 'body'. Will be expanded.
# Values from expansion will not be escaped, this should be
# done using the appropriate xlat method e.g. %{urlencode:<attr>}.
# force_to - Force the response to be decoded with this decoder.
# May be 'plain' (creates reply:REST-HTTP-Body), 'post'
# or 'json'.
# tls - TLS settings for HTTPS.
# auth - HTTP auth method to use, one of 'none', 'srp', 'basic',
# 'digest', 'digest-ie', 'gss-negotiate', 'ntlm',
# 'ntlm-winbind', 'any', 'safe'. defaults to 'none'.
# username - User to authenticate as, will be expanded.
# password - Password to use for authentication, will be expanded.
# require_auth - Require HTTP authentication.
# timeout - HTTP request timeout in seconds, defaults to 4.0.
# chunk - Chunk size to use. If set, HTTP chunked encoding is used to
# send data to the REST server. Make sure that this is large
# enough to fit your largest attribute value's text
#  representation.
# A number like 8192 is good.
#
# Additional HTTP headers may be specified with control:REST-HTTP-Header.
# The values of those attributes should be in the format:
#
# control:REST-HTTP-Header := "<HTTP attribute>: <value>"
#
# The control:REST-HTTP-Header attributes will be consumed
# (i.e. deleted) after each call to the rest module, and each
# %{rest:} expansion. This is so that headers from one REST
# call do not affect headers from a different REST call.
#
# Body encodings are the same for requests and responses
#
# POST - All attributes and values are urlencoded
# [outer.][<list>:]<attribute0>=<value0>&[outer.][<list>:]<attributeN>=<valueN>
#
# JSON - All attributes and values are escaped according to the JSON specification
# - attribute Name of the attribute.
# - attr_num Number of the attribute. Only available if the configuration item
# 'attr_num' is enabled.
# - type Type of the attribute (e.g. "integer", "string", "ipaddr", "octets", ...).
# - value Attribute value, for enumerated attributes the human readable value is
# provided and not the numeric value (Depends on the 'raw_value' config item).
# {
# "<attribute0>":{
# "attr_num":<attr_num0>,
# "type":"<type0>",
# "value":[<value0>,<value1>,<valueN>]
# },
# "<attribute1>":{
# "attr_num":<attr_num1>,
# "type":"<type1>",
# "value":[...]
# },
# "<attributeN>":{
# "attr_num":<attr_numN>,
# "type":"<typeN>",
# "value":[...]
# },
# }
#
# The response format adds three optional fields:
# - do_xlat If true, any values will be xlat expanded. Defaults to true.
# - is_json If true, any nested JSON data will be copied to the attribute
# in string form. Defaults to true.
# - op Controls how the attribute is inserted into the target list.
# Defaults to ':='. To create multiple attributes from multiple
# values, this should be set to '+=', otherwise only the last
# value will be used, and it will be assigned to a single
# attribute.
# {
# "<attribute0>":{
# "is_json":<bool>,
# "do_xlat":<bool>,
# "op":"<operator>",
# "value":[<value0>,<value1>,<valueN>]
# },
# "<attribute1>":"value",
# "<attributeN>":{
# "value":[<value0>,<value1>,<valueN>],
# "op":"+="
# }
# }
#
# Module return codes are determined by HTTP response codes. These vary depending on the
# section.
#
# If the body is processed and found to be malformed or unsupported fail will be returned.
# If the body is processed and found to contain attribute updated will be returned,
# except in the case of a 401 code.
#
# Authorize/Authenticate
#
# Code Meaning Process body Module code
# 404 not found no notfound
# 410 gone no notfound
# 403 forbidden no userlock
# 401 unauthorized yes reject
# 204 no content no ok
# 2xx successful yes ok/updated
# 5xx server error no fail
# xxx - no invalid
#
# The status code is held in %{reply:REST-HTTP-Status-Code}.
#
authorize {
uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=authorize"
method = 'get'
tls = ${..tls}
}
authenticate {
uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=authenticate"
method = 'get'
tls = ${..tls}
}
# Preacct/Accounting/Post-auth/Pre-Proxy/Post-Proxy
#
# Code Meaning Process body Module code
# 204 no content no ok
# 2xx successful yes ok/updated
# 5xx server error no fail
# xxx - no invalid
preacct {
uri = "${..connect_uri}/user/%{User-Name}/sessions/%{Acct-Unique-Session-ID}?action=preacct"
method = 'post'
tls = ${..tls}
}
accounting {
uri = "${..connect_uri}/user/%{User-Name}/sessions/%{Acct-Unique-Session-ID}?action=accounting"
method = 'post'
tls = ${..tls}
}
post-auth {
uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=post-auth"
method = 'post'
tls = ${..tls}
}
pre-proxy {
uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=pre-proxy"
method = 'post'
tls = ${..tls}
}
post-proxy {
uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=post-proxy"
method = 'post'
tls = ${..tls}
}
#
# The connection pool is new for 3.0, and will be used in many
# modules, for all kinds of connection-related activity.
#
pool {
# Connections to create during module instantiation.
# If the server cannot create specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# web service being available.
start = ${thread[pool].start_servers}
# Minimum number of connections to keep open
min = ${thread[pool].min_spare_servers}
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like 'No connections available and at max connection limit'
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
max = ${thread[pool].max_servers}
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
spare = ${thread[pool].max_spare_servers}
# Number of uses before the connection is closed
#
# 0 means "infinite"
uses = 0
# The number of seconds to wait after the server tries
# to open a connection, and fails. During this time,
# no new connections will be opened.
retry_delay = 30
# The lifetime (in seconds) of the connection
lifetime = 0
# idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
idle_timeout = 60
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
}


@ -0,0 +1,16 @@
# -*- text -*-
#
# $Id: d5ad2a06c767f07722dc9b9c4b13d00c26b5a280 $
# An example configuration for using /etc/smbpasswd.
#
# See the "passwd" file for documentation on the configuration items
# for this module.
#
passwd smbpasswd {
filename = /etc/smbpasswd
format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
hash_size = 100
ignore_nislike = no
allow_multiple_keys = no
}


@ -0,0 +1,94 @@
# -*- text -*-
#
# $Id: 3be32b85f56a84725fe1a6bf508e459dbe6c4e02 $
# SMS One-time Password system.
#
# This module will extend FreeRadius with a socks interface to create and
# validate One-Time-Passwords. The program for that creates the socket
# and interacts with this module is not included here.
#
# The module does not check the User-Password, this should be done with
# the "pap" module. See the example below.
#
# The module must be used in the "authorize" section to set
# Auth-Type properly. The first time through, the module is called
# in the "authenticate" section to authenticate the user password, and
# to send the challenge. The second time through, it authenticates
# the response to the challenge. e.g.:
#
# authorize {
# ...
# smsotp
# ...
# }
#
# authenticate {
# ...
# Auth-Type smsotp {
# pap
# smsotp
# }
#
# Auth-Type smsotp-reply {
# smsotp
# }
# ...
# }
#
smsotp {
# The location of the socket.
socket = "/var/run/smsotp_socket"
# Defines the challenge message that will be send to the
# NAS. Default is "Enter Mobile PIN" }
challenge_message = "Enter Mobile PIN:"
# Defines the Auth-Type section that is run for the response to
# the challenge. Default is "smsotp-reply".
challenge_type = "smsotp-reply"
# Control how many sockets are used to talk to the SMSOTPd
#
pool {
# Number of connections to start
start = 5
# Minimum number of connections to keep open
min = 4
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
max = 10
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set.
spare = 3
# Number of uses before the connection is closed
#
# 0 means "infinite"
uses = 0
# The lifetime (in seconds) of the connection
lifetime = 0
# idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
idle_timeout = 60
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
}


@ -0,0 +1,4 @@
# SoH module
soh {
dhcp = yes
}


@ -0,0 +1,12 @@
# -*- text -*-
#
# $Id: 3a96622cc938f558b023e1110769a46861716a12 $
#
# The "sometimes" module is here for debugging purposes. Each instance
# randomly returns the configured result, or "noop".
#
# It is based on the "always" module.
sometimes {
rcode = fail
}


@ -0,0 +1,366 @@
# -*- text -*-
##
## mods-available/sql -- SQL modules
##
## $Id: cfeac63ea87c30fead8457af6d10f5c3a0f48aef $
######################################################################
#
# Configuration for the SQL module
#
# The database schemas and queries are located in subdirectories:
#
# sql/<DB>/main/schema.sql Schema
# sql/<DB>/main/queries.conf Authorisation and Accounting queries
#
# Where "DB" is mysql, mssql, oracle, or postgresql.
#
# The name used to query SQL is sql_user_name, which is set in the file
#
# raddb/mods-config/sql/main/${dialect}/queries.conf
#
# If you are using realms, that configuration should be changed to use
# the Stripped-User-Name attribute. See the comments around sql_user_name
# for more information.
#
sql {
#
# The dialect of SQL being used.
#
# Allowed dialects are:
#
# mssql
# mysql
# oracle
# postgresql
# sqlite
# mongo
#
dialect = "sqlite"
#
# The driver module used to execute the queries. Since we
# don't know which SQL drivers are being used, the default is
# "rlm_sql_null", which just logs the queries to disk via the
# "logfile" directive, below.
#
# In order to talk to a real database, delete the next line,
# and uncomment the one after it.
#
# If the dialect is "mssql", then the driver should be set to
# one of the following values, depending on your system:
#
# rlm_sql_db2
# rlm_sql_firebird
# rlm_sql_freetds
# rlm_sql_iodbc
# rlm_sql_unixodbc
#
driver = "rlm_sql_null"
# driver = "rlm_sql_${dialect}"
#
# Driver-specific subsections. They will only be loaded and
# used if "driver" is something other than "rlm_sql_null".
# When a real driver is used, the relevant driver
# configuration section is loaded, and all other driver
# configuration sections are ignored.
#
sqlite {
# Path to the sqlite database
filename = "/tmp/freeradius.db"
# How long to wait for write locks on the database to be
# released (in ms) before giving up.
busy_timeout = 200
# If the file above does not exist and bootstrap is set
# a new database file will be created, and the SQL statements
# contained within the bootstrap file will be executed.
bootstrap = "${modconfdir}/${..:name}/main/sqlite/schema.sql"
}
mysql {
# If any of the files below are set, TLS encryption is enabled
tls {
ca_file = "/etc/ssl/certs/my_ca.crt"
ca_path = "/etc/ssl/certs/"
certificate_file = "/etc/ssl/certs/private/client.crt"
private_key_file = "/etc/ssl/certs/private/client.key"
cipher = "DHE-RSA-AES256-SHA:AES128-SHA"
tls_required = yes
tls_check_cert = no
tls_check_cert_cn = no
}
# If yes, (or auto and libmysqlclient reports warnings are
# available), will retrieve and log additional warnings from
# the server if an error has occured. Defaults to 'auto'
warnings = auto
}
postgresql {
# unlike MySQL, which has a tls{} connection configuration, postgresql
# uses its connection parameters - see the radius_db option below in
# this file
# Send application_name to the postgres server
# Only supported in PG 9.0 and greater. Defaults to no.
send_application_name = yes
}
#
# Configuration for Mongo.
#
# Note that the Mongo driver is experimental. The FreeRADIUS developers
# are unable to help with the syntax of the Mongo queries. Please see
# the Mongo documentation for that syntax.
#
# The Mongo driver supports only the following methods:
#
# aggregate
# findAndModify
# findOne
# insert
#
# For examples, see the query files:
#
# raddb/mods-config/sql/main/mongo/queries.conf
# raddb/mods-config/sql/main/ippool/queries.conf
#
# In order to use findAndModify with an aggretation pipleline, make
# sure that you are running MongoDB version 4.2 or greater. FreeRADIUS
# assumes that the paramaters passed to the methods are supported by the
# version of MongoDB which it is connected to.
#
mongo {
#
# The application name to use.
#
appname = "freeradius"
#
# The TLS parameters here map directly to the Mongo TLS configuration
#
tls {
certificate_file = /path/to/file
certificate_password = "password"
ca_file = /path/to/file
ca_dir = /path/to/directory
crl_file = /path/to/file
weak_cert_validation = false
allow_invalid_hostname = false
}
}
# Connection info:
#
# server = "localhost"
# port = 3306
# login = "radius"
# password = "radpass"
# Connection info for Mongo
# Authentication Without SSL
# server = "mongodb://USER:PASSWORD@192.16.0.2:PORT/DATABASE?authSource=admin&ssl=false"
# Authentication With SSL
# server = "mongodb://USER:PASSWORD@192.16.0.2:PORT/DATABASE?authSource=admin&ssl=true"
# Authentication with Certificate
# Use this command for retrieve Derived username:
# openssl x509 -in mycert.pem -inform PEM -subject -nameopt RFC2253
# server = mongodb://<DERIVED USERNAME>@192.168.0.2:PORT/DATABASE?authSource=$external&ssl=true&authMechanism=MONGODB-X509
# Database table configuration for everything except Oracle
radius_db = "radius"
# If you are using Oracle then use this instead
# radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))"
# If you're using postgresql this can also be used instead of the connection info parameters
# radius_db = "dbname=radius host=localhost user=radius password=raddpass"
# Postgreql doesn't take tls{} options in its module config like mysql does - if you want to
# use SSL connections then use this form of connection info parameter
# radius_db = "host=localhost port=5432 dbname=radius user=radius password=raddpass sslmode=verify-full sslcert=/etc/ssl/client.crt sslkey=/etc/ssl/client.key sslrootcert=/etc/ssl/ca.crt"
# If you want both stop and start records logged to the
# same SQL table, leave this as is. If you want them in
# different tables, put the start table in acct_table1
# and stop table in acct_table2
acct_table1 = "radacct"
acct_table2 = "radacct"
# Allow for storing data after authentication
postauth_table = "radpostauth"
# Tables containing 'check' items
authcheck_table = "radcheck"
groupcheck_table = "radgroupcheck"
# Tables containing 'reply' items
authreply_table = "radreply"
groupreply_table = "radgroupreply"
# Table to keep group info
usergroup_table = "radusergroup"
# If set to 'yes' (default) we read the group tables unless Fall-Through = no in the reply table.
# If set to 'no' we do not read the group tables unless Fall-Through = yes in the reply table.
# read_groups = yes
# If set to 'yes' (default) we read profiles unless Fall-Through = no in the groupreply table.
# If set to 'no' we do not read profiles unless Fall-Through = yes in the groupreply table.
# read_profiles = yes
# Remove stale session if checkrad does not see a double login
delete_stale_sessions = yes
# Write SQL queries to a logfile. This is potentially useful for tracing
# issues with authorization queries. See also "logfile" directives in
# mods-config/sql/main/*/queries.conf. You can enable per-section logging
# by enabling "logfile" there, or global logging by enabling "logfile" here.
#
# Per-section logging can be disabled by setting "logfile = ''"
# logfile = ${logdir}/sqllog.sql
# Set the maximum query duration and connection timeout
# for rlm_sql_mysql.
# query_timeout = 5
# As of version 3.0, the "pool" section has replaced the
# following configuration items:
#
# num_sql_socks
# connect_failure_retry_delay
# lifetime
# max_queries
#
# The connection pool is new for 3.0, and will be used in many
# modules, for all kinds of connection-related activity.
#
# When the server is not threaded, the connection pool
# limits are ignored, and only one connection is used.
#
# If you want to have multiple SQL modules re-use the same
# connection pool, use "pool = name" instead of a "pool"
# section. e.g.
#
# sql sql1 {
# ...
# pool {
# ...
# }
# }
#
# # sql2 will use the connection pool from sql1
# sql sql2 {
# ...
# pool = sql1
# }
#
pool {
# Connections to create during module instantiation.
# If the server cannot create specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# database being available.
start = ${thread[pool].start_servers}
# Minimum number of connections to keep open
min = ${thread[pool].min_spare_servers}
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like 'No connections available and at max connection limit'
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
max = ${thread[pool].max_servers}
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
spare = ${thread[pool].max_spare_servers}
# Number of uses before the connection is closed
#
# 0 means "infinite"
uses = 0
# The number of seconds to wait after the server tries
# to open a connection, and fails. During this time,
# no new connections will be opened.
retry_delay = 30
# The lifetime (in seconds) of the connection
lifetime = 0
# idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
idle_timeout = 60
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
# Set to 'yes' to read radius clients from the database ('nas' table)
# Clients will ONLY be read on server startup.
#
# A client can be link to a virtual server via the SQL
# module. This link is done via the following process:
#
# If there is no listener in a virtual server, SQL clients
# are added to the global list for that virtual server.
#
# If there is a listener, and the first listener does not
# have a "clients=..." configuration item, SQL clients are
# added to the global list.
#
# If there is a listener, and the first one does have a
# "clients=..." configuration item, SQL clients are added to
# that list. The client { ...} ` configured in that list are
# also added for that listener.
#
# The only issue is if you have multiple listeners in a
# virtual server, each with a different client list, then
# the SQL clients are added only to the first listener.
#
# read_clients = yes
# Table to keep radius client info
client_table = "nas"
#
# The group attribute specific to this instance of rlm_sql
#
# This entry should be used for additional instances (sql foo {})
# of the SQL module.
# group_attribute = "${.:instance}-SQL-Group"
# This entry should be used for the default instance (sql {})
# of the SQL module.
group_attribute = "SQL-Group"
# Read database-specific queries
$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
}
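Review bot: The `mysql { tls { ... } }` block in this section carries `tls_check_cert = no` and `tls_check_cert_cn = no`, so even with `tls_required = yes` the server certificate and its CN are never verified; this is inert while `driver = "rlm_sql_null"` is kept, but it becomes live the moment the commented `driver = "rlm_sql_${dialect}"` line is enabled. The sqlite branch likewise defaults to `filename = "/tmp/freeradius.db"`, a shared directory, which is fine for a logging-only null driver but not for a real database. Since these appear to be the upstream defaults copied in verbatim, a short marker above the tls block would keep a later enabler from inheriting them unnoticed, e.g. `# NOTE: upstream default leaves certificate checks off; set tls_check_cert = yes and tls_check_cert_cn = yes (and move the sqlite file out of /tmp) before switching to a real driver`.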


@ -0,0 +1,49 @@
# Configuration for the SQL based Map (rlm_sql_map)
sql_map {
# SQL instance to use (from mods-available/sql)
#
# If you have multiple sql instances, such as "sql sql1 {...}",
# use the *instance* name here: sql1.
sql_module_instance = "sql"
# This is duplicative of info available in the SQL module, but
# we have to list it here as we do not yet support nested
# reference expansions.
dialect = "mysql"
# Name of the check item attribute to be used as a key in the SQL queries
query = "SELECT ... FROM ... "
#
# Mapping of SQL columns to RADIUS dictionary attributes.
#
# WARNING: Although this format is almost identical to the unlang
# update section format, it does *NOT* mean that you can use other
# unlang constructs in module configuration files.
#
# Configuration items are in the format:
# <radius attr> <op> <sql column number>
#
# Where:
# <radius attr>: Is the destination RADIUS attribute
# with any valid list and request qualifiers.
# <op>: Is any assignment attribute (=, :=, +=, -=).
# <column num>: The column number (not name), starting from 0
#
# Request and list qualifiers may also be placed after the 'update'
# section name to set defaults destination requests/lists
# for unqualified RADIUS attributes.
#
update {
control:Password-With-Header += 0
# control:NT-Password := 1
# reply:Reply-Message := 2
# reply:Tunnel-Type := 3
# reply:Tunnel-Medium-Type := 4
# reply:Tunnel-Private-Group-ID := 5
}
# If the 'query' results in multiple rows, it creates the <radius attr>[*] array entry.
# multiple_rows = yes
}


@ -0,0 +1,115 @@
# Rather than maintaining separate (GDBM) databases of
# accounting info for each counter, this module uses the data
# stored in the raddacct table by the sql modules. This
# module NEVER does any database INSERTs or UPDATEs. It is
# totally dependent on the SQL module to process Accounting
# packets.
#
# The sql-module-instance' parameter holds the instance of the sql
# module to use when querying the SQL database. Normally it
# is just "sql". If you define more and one SQL module
# instance (usually for failover situations), you can
# specify which module has access to the Accounting Data
# (radacct table).
#
# The 'reset' parameter defines when the counters are all
# reset to zero. It can be hourly, daily, weekly, monthly or
# never. It can also be user defined. It should be of the
# form:
# num[hdwm] where:
# h: hours, d: days, w: weeks, m: months
# If the letter is ommited days will be assumed. In example:
# reset = 10h (reset every 10 hours)
# reset = 12 (reset every 12 days)
#
# The 'key' parameter specifies the unique identifier for the
# counter records (usually 'User-Name').
#
# The 'query' parameter specifies the SQL query used to get
# the current Counter value from the database. There are 2
# parameters that can be used in the query:
# %%b unix time value of beginning of reset period
# %%e unix time value of end of reset period
#
# The 'check_name' parameter is the name of the 'check'
# attribute to use to access the counter in the 'users' file
# or SQL radcheck or radgroupcheck tables.
#
# DEFAULT Max-Daily-Session > 3600, Auth-Type = Reject
# Reply-Message = "You've used up more than one hour today"
#
# The "dailycounter" (or any other sqlcounter module) should be added
# to "post-auth" section. It will then update the Session-Timeout
# attribute in the reply. If there is no Session-Timeout attribute,
# the module will add one. If there is an attribute, the sqlcounter
# module will make sure that the value is no higher than the limit.
#
sqlcounter dailycounter {
sql_module_instance = sql
dialect = ${modules.sql.dialect}
counter_name = Daily-Session-Time
check_name = Max-Daily-Session
reply_name = Session-Timeout
key = User-Name
reset = daily
$INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
}
sqlcounter weeklycounter {
sql_module_instance = sql
dialect = ${modules.sql.dialect}
counter_name = Weekly-Session-Time
check_name = Max-Weekly-Session
reply_name = Session-Timeout
key = User-Name
reset = weekly
$INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
}
sqlcounter monthlycounter {
sql_module_instance = sql
dialect = ${modules.sql.dialect}
counter_name = Monthly-Session-Time
check_name = Max-Monthly-Session
reply_name = Session-Timeout
key = User-Name
reset = monthly
$INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
}
sqlcounter noresetcounter {
sql_module_instance = sql
dialect = ${modules.sql.dialect}
counter_name = Max-All-Session-Time
check_name = Max-All-Session
key = User-Name
reset = never
$INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
}
#
# Set an account to expire T seconds after first login.
# Requires the Expire-After attribute to be set, in seconds.
# You may need to edit raddb/dictionary to add the Expire-After
# attribute.
sqlcounter expire_on_login {
sql_module_instance = sql
dialect = ${modules.sql.dialect}
counter_name = Expire-After-Initial-Login
check_name = Expire-After
key = User-Name
reset = never
$INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
}


@ -0,0 +1,115 @@
# Configuration for the SQL based IP Pool module (rlm_sqlippool)
#
# The database schemas are available at:
#
# raddb/mods-config/sql/ippool/<DB>/schema.sql
#
# $Id: 3d98ca9e0fca4f8df2657d53a15a2c52756b45e1 $
sqlippool {
# SQL instance to use (from mods-available/sql)
#
# If you have multiple sql instances, such as "sql sql1 {...}",
# use the *instance* name here: sql1.
sql_module_instance = "sql"
# This is duplicative of info available in the SQL module, but
# we have to list it here as we do not yet support nested
# reference expansions.
dialect = "mysql"
# Name of the check item attribute to be used as a key in the SQL queries
pool_name = "Pool-Name"
# SQL table to use for ippool range and lease info
ippool_table = "radippool"
# IP lease duration. (Leases expire even if Acct Stop packet is lost)
#
# Note that you SHOULD also set Session-Timeout to this value!
# That way the NAS will automatically kick the user offline when the
# lease expires.
#
lease_duration = 3600
#
# Timeout between each consecutive 'allocate_clear' queries (default: 1s)
# This will avoid having too many deadlock issues, especially on MySQL backend.
#
allocate_clear_timeout = 1
#
# As of 3.0.16, the 'ipv6 = yes' configuration is deprecated.
# You should use the "attribute_name" configuration item
# below, instead.
#
#
# The attribute to use for IP address assignment. The
# default is Framed-IP-Address. You can change this to any
# attribute which is IPv4 or IPv6.
#
# e.g. Framed-IPv6-Prefix, or Delegated-IPv6-Prefix.
#
# As of 3.0.16, all of the default queries have been updated to use
# this attribute_name. So you can do IPv6 address assignment simply
# by putting IPv6 addresses into the pool, and changing the following
# line to "Framed-IPv6-Prefix"
#
# Note that you MUST use separate pools for each attribute. i.e. one pool
# for Framed-IP-Address, a different one for Framed-IPv6-prefix, etc.
#
# This means configuring separate "sqlippool" instances, and different
# "ippool_table" in SQL. Then, populate the pool with addresses and
# it will all just work.
#
attribute_name = Framed-IP-Address
#
# Assign the IP address, even if the above attribute already exists
# in the reply.
#
# allow_duplicates = no
# The attribute in which an IP address hint may be supplied
req_attribute_name = Framed-IP-Address
# Attribute which should be considered unique per NAS
#
# Using NAS-Port gives behaviour similar to rlm_ippool. (And ACS)
# Using Calling-Station-Id works for NAS that send fixed NAS-Port
# ONLY change this if you know what you are doing!
pool_key = "%{NAS-Port}"
# pool_key = "%{Calling-Station-Id}"
################################################################
#
# WARNING: MySQL (MyISAM) has certain limitations that means it can
# hand out the same IP address to 2 different users.
#
# We suggest using an SQL DB with proper transaction
# support, such as PostgreSQL, or using MySQL
# with InnoDB.
#
################################################################
# These messages are added to the "control" items, as
# Module-Success-Message. They are not logged anywhere else,
# unlike previous versions. If you want to have them logged
# to a file, see the "linelog" module, and create an entry
# which writes Module-Success-Message message.
#
messages {
exists = "Existing IP: %{reply:${..attribute_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
success = "Allocated IP: %{reply:${..attribute_name}} from %{control:${..pool_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
clear = "Released IP %{request:${..attribute_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
failed = "IP Allocation FAILED from %{control:${..pool_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
nopool = "No ${..pool_name} defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
}
$INCLUDE ${modconfdir}/sql/ippool/${dialect}/queries.conf
}


@ -0,0 +1,16 @@
# -*- text -*-
#
# $Id: 3a2a0e502e76ec00d4ec17e70132448e1547da46 $
# "Safe" radutmp - does not contain caller ID, so it can be
# world-readable, and radwho can work for normal users, without
# exposing any information that isn't already exposed by who(1).
#
# This is another 'instance' of the radutmp module, but it is given
# then name "sradutmp" to identify it later in the "accounting"
# section.
radutmp sradutmp {
filename = ${logdir}/sradutmp
permissions = 0644
caller_id = "no"
}


@ -0,0 +1,40 @@
# -*- text -*-
#
# $Id: 695365f7d2c05a34da935ea2a9ca0dec55518195 $
#
# Time-based One-Time Passwords (TOTP)
#
# Defined in RFC 6238, and used in Google Authenticator.
#
# This module can only be used in the "authenticate" section.
#
# The Base32-encoded secret should be placed into:
#
# &control:TOTP-Secret
#
# The TOTP password entered by the user should be placed into:
#
# &request:TOTP-Password
#
# The module will return "ok" if the passwords match, and "fail"
# if the passwords do not match.
#
# Note that this module will NOT interact with Google. The module is
# intended to be used where the local administrator knows the TOTP
# secret key, and user has an authenticator app on their phone.
#
# Note also that while you can use the Google "chart" APIs to
# generate a QR code, doing this will give the secret to Google!
#
# Administrators should instead install a tool such as "qrcode"
#
# https://linux.die.net/man/1/qrencode
#
# and then run that locally to get an image.
#
#
# The module takes no configuration items.
#
totp {
}


@ -0,0 +1,4 @@
unbound dns {
# filename = "${raddbdir}/mods-config/unbound/default.conf"
# timeout = 3000
}


@ -0,0 +1,25 @@
# -*- text -*-
#
# $Id: 5165139aaf39d533581161871542b48a6e3e8c42 $
# Unix /etc/passwd style authentication
#
# This module calls the system functions to get the "known good"
# password. This password is usually in the "crypt" form, and is
# incompatible with CHAP, MS-CHAP, PEAP, etc.
#
# If passwords are in /etc/shadow, you will need to set the "group"
# configuration in radiusd.conf. Look for "shadow", and follow the
# instructions there.
#
unix {
#
# The location of the "wtmp" file.
# The only use for 'radlast'. If you don't use
# 'radlast', then you can comment out this item.
#
# Note that the radwtmp file may get large! You should
# rotate it (cp /dev/null radwtmp), or just not use it.
#
radwtmp = ${logdir}/radwtmp
}


@ -0,0 +1,105 @@
# -*- text -*-
#
# $Id: 89ef1699a1af78374b1af0a3787a088af3ba320c $
#
# This module is useful only for 'xlat'.
# To use it, add it to the raddb/mods-enabled/ directory.
#
# Two xlat functions are provided by this module:
# - unpack
# - substring
#
# Both are for use on the right-hand side of a variable assignment.
#
# unpack
# ======
#
# ... = "%{unpack:data 1 integer}"
#
# The arguments are three fields:
#
# data
# Either &Attribute-Name
# the name of the attribute to unpack.
# MUST be a "string" or "octets" type.
#
# or 0xabcdef
# e.g. hex data.
#
# 1
# The offset into the string from which
# it starts unpacking. The offset starts
# at zero, for the first attribute.
#
# integer
# the data type to unpack at that offset.
# e.g. integer, ipaddr, byte, short, etc.
#
# e.g. if we have Class = 0x0000000102030405, then
#
# %{unpack:&Class 4 short}
#
# will unpack octets 4 and 5 as a "short", which has
# value 0x0304.
#
# This module is used when vendors put multiple fields
# into one attribute of type "octets".
#
# The module can also be used to unpack substrings, by specifing a
# data type of "string(len)" or "octets(len)". Where "len" is an
# actual number. For example:
#
# %{unpack:&User-Name 1 string(2)}
#
# When given a User-Name of "hello", it will start taking the
# substring at offset 1 (i.e. "e"), and it will take two characters
# from that offset, i.e. "el".
#
# As a special case, you can unpack an entire string by specifying
# the offset, and nothing for the length:
#
# %{unpack:&User-Name 1 string()}
#
# When "octets(len)" is used, the output is printed as hex. e.g. for
# the above example with Class:
#
# %{unpack:&Class 4 octets(4)}
#
# Will return the hex string "02030405"
#
#
# substring
# =========
#
# substring will return a substring of a string or attribute using
# the syntax
#
# %{substring:data start len}
#
# data
# Either an attribute name or string data. String data
# can have leading or trailing spaces. Only a single
# space before "start" is taken as the separator.
#
# start
# the zero based offset for the start of the substring.
# A negative value will count in from the end of the
# string.
#
# len
# the number of characters to return. A Negative value
# will remove that number of characters from the end.
# If len is more than the available number of characters
# then only the available number will be returned.
#
# Examples:
#
# "%{substring:foobar 2 3}" == "oba"
# "%{substring:foobar -3 2}" == "ba"
# "%{substring:foobar 1 -1}" == "ooba"
# if User-Name is "foobar" "%{substring:&User-Name 1 -2}" == "oob"
#
unpack {
}


@ -0,0 +1,14 @@
#
# Enforces UTF-8 on strings coming in from the NAS.
#
# An attribute of type "string" containing UTF-8 makes
# the module return NOOP.
#
# An attribute of type "string" containing non-UTF-8 data
# makes the module return FAIL.
#
# This module takes no configuration.
#
utf8 {
}
