LILiK
/
openwrt-packages-dist

--- a/raddb/dictionary.in
+++ b/raddb/dictionary.in
@@ -11,7 +11,7 @@
 # #	The filename given here should be an absolute path.  #-$INCLUDE	@prefix@/share/freeradius/dictionary
+$INCLUDE	@prefix@/share/freeradius2/dictionary
  # #	Place additional attributes or $INCLUDEs here.  They will--- a/raddb/eap.conf
+++ b/raddb/eap.conf
@@ -27,7 +27,7 @@
 		#  then that EAP type takes precedence over the 		#  default type configured here. 		#-		default_eap_type = md5
+		default_eap_type = peap
  		#  A list is maintained to correlate EAP-Response 		#  packets with EAP-Request packets.  After a@@ -72,8 +72,8 @@
 		#  for wireless connections.  It is insecure, and does 		#  not provide for dynamic WEP keys. 		#-		md5 {
-		}
+#		md5 {
+#		}
  		# Cisco LEAP 		#@@ -87,8 +87,8 @@
 		#  User-Password, or the NT-Password attributes. 		#  'System' authentication is impossible with LEAP. 		#-		leap {
-		}
+#		leap {
+#		}
  		#  Generic Token Card. 		#@@ -101,7 +101,7 @@
 		#  the users password will go over the wire in plain-text, 		#  for anyone to see. 		#-		gtc {
+#		gtc {
 			#  The default challenge, which many clients 			#  ignore.. 			#challenge = "Password: "@@ -118,8 +118,8 @@
 			#  configured for the request, and do the 			#  authentication itself. 			#-			auth_type = PAP
-		}
+#			auth_type = PAP
+#		}
  		## EAP-TLS 		#@@ -215,7 +215,7 @@
 			#  In these cases, fragment size should be 			#  1024 or less. 			#-		#	fragment_size = 1024
+			fragment_size = 1024
  			#  include_length is a flag which is 			#  by default set to yes If set to@@ -225,7 +225,7 @@
 			#  message is included ONLY in the 			#  First packet of a fragment series. 			#-		#	include_length = yes
+			include_length = yes
  			#  Check the Certificate Revocation List 			#@@ -297,7 +297,7 @@
 			# for the server to print out an error message, 			# and refuse to start. 			#-			make_cert_command = "${certdir}/bootstrap"
+		#	make_cert_command = "${certdir}/bootstrap"
  			# 			#  Elliptical cryptography configuration@@ -332,7 +332,7 @@
 			#  You probably also want "use_tunneled_reply = yes" 			#  when using fast session resumption. 			#-			cache {
+		#	cache {
 			      # 			      #  Enable it.  The default is "no". 			      #  Deleting the entire "cache" subsection@@ -348,14 +348,14 @@
 			      #  enable resumption for just one user 			      #  by setting the above attribute to "yes". 			      #-			      enable = no
+		#	      enable = no
  			      # 			      #  Lifetime of the cached entries, in hours. 			      #  The sessions will be deleted after this 			      #  time. 			      #-			      lifetime = 24 # hours
+		#	      lifetime = 24 # hours
  			      # 			      #  The maximum number of entries in the@@ -364,8 +364,8 @@
 			      #  This could be set to the number of users 			      #  who are logged in... which can be a LOT. 			      #-			      max_entries = 255
-			}
+		#	      max_entries = 255
+		#	}
  			# 			#  As of version 2.1.10, client certificates can be@@ -503,7 +503,7 @@
 		# 		#  in the control items for a request. 		#-		ttls {
+#		ttls {
 			#  The tunneled EAP session needs a default 			#  EAP type which is separate from the one for 			#  the non-tunneled EAP module.  Inside of the@@ -511,7 +511,7 @@
 			#  If the request does not contain an EAP 			#  conversation, then this configuration entry 			#  is ignored.-			default_eap_type = md5
+#			default_eap_type = mschapv2
  			#  The tunneled authentication request does 			#  not usually contain useful attributes@@ -527,7 +527,7 @@
 			#  is copied to the tunneled request. 			# 			# allowed values: {no, yes}-			copy_request_to_tunnel = no
+#			copy_request_to_tunnel = yes
  			#  The reply attributes sent to the NAS are 			#  usually based on the name of the user@@ -540,7 +540,7 @@
 			#  the tunneled request. 			# 			# allowed values: {no, yes}-			use_tunneled_reply = no
+#			use_tunneled_reply = no
  			# 			#  The inner tunneled request can be sent@@ -552,13 +552,13 @@
 			#  the virtual server that processed the 			#  outer requests. 			#-			virtual_server = "inner-tunnel"
+#			virtual_server = "inner-tunnel"
  			#  This has the same meaning as the 			#  same field in the "tls" module, above. 			#  The default value here is "yes". 		#	include_length = yes-		}
+#		}
  		################################################## 		#@@ -627,14 +627,14 @@
  			#  the PEAP module also has these configuration 			#  items, which are the same as for TTLS.-			copy_request_to_tunnel = no
-			use_tunneled_reply = no
+			copy_request_to_tunnel = yes
+			use_tunneled_reply = yes
  			#  When the tunneled session is proxied, the 			#  home server may not understand EAP-MSCHAP-V2. 			#  Set this entry to "no" to proxy the tunneled 			#  EAP-MSCHAP-V2 as normal MSCHAPv2.-		#	proxy_tunneled_request_as_eap = yes
+			proxy_tunneled_request_as_eap = no
  			# 			#  The inner tunneled request can be sent@@ -646,7 +646,8 @@
 			#  the virtual server that processed the 			#  outer requests. 			#-			virtual_server = "inner-tunnel"
+		#	virtual_server = "inner-tunnel"
+			EAP-TLS-Require-Client-Cert = no
  			# This option enables support for MS-SoH 			# see doc/SoH.txt for more info.--- a/raddb/modules/counter
+++ b/raddb/modules/counter
@@ -69,7 +69,7 @@
 #  'check-name' attribute. # counter daily {-	filename = ${db_dir}/db.daily
+	filename = ${radacctdir}/db.daily
 	key = User-Name 	count-attribute = Acct-Session-Time 	reset = daily--- a/raddb/modules/pap
+++ b/raddb/modules/pap
@@ -18,5 +18,5 @@
 # #  http://www.openldap.org/faq/data/cache/347.html pap {-	auto_header = no
+	auto_header = yes
 }--- a/raddb/modules/radutmp
+++ b/raddb/modules/radutmp
@@ -12,7 +12,7 @@ radutmp {
 	#  Where the file is stored.  It's not a log file, 	#  so it doesn't need rotating. 	#-	filename = ${logdir}/radutmp
+	filename = ${radacctdir}/radutmp
  	#  The field in the packet to key on for the 	#  'user' name,  If you have other fields which you want--- a/raddb/modules/sradutmp
+++ b/raddb/modules/sradutmp
@@ -10,7 +10,7 @@
 # then name "sradutmp" to identify it later in the "accounting" # section. radutmp sradutmp {-	filename = ${logdir}/sradutmp
+	filename = ${radacctdir}/sradutmp
 	perm = 0644 	callerid = "no" }--- a/raddb/radiusd.conf.in
+++ b/raddb/radiusd.conf.in
@@ -66,7 +66,7 @@ name = radiusd
  #  Location of config and logfiles. confdir = ${raddbdir}-run_dir = ${localstatedir}/run/${name}
+run_dir = ${localstatedir}/run
  # Should likely be ${localstatedir}/lib/radiusd db_dir = ${raddbdir}@@ -323,7 +323,7 @@ listen {
 	#  If your system does not support this feature, you will 	#  get an error if you try to use it. 	#-#	interface = eth0
+	interface = br-lan
  	#  Per-socket lists of clients.  This is a very useful feature. 	#@@ -350,7 +350,7 @@ listen {
 #	ipv6addr = :: 	port = 0 	type = acct-#	interface = eth0
+	interface = br-lan
 #	clients = per_socket_clients } @@ -584,8 +584,8 @@ security {
 # #  allowed values: {no, yes} #-proxy_requests  = yes
-$INCLUDE proxy.conf
+proxy_requests  = no
+#$INCLUDE proxy.conf
   # CLIENTS CONFIGURATION@@ -782,7 +782,7 @@ instantiate {
 	#  The entire command line (and output) must fit into 253 bytes. 	# 	#  e.g. Framed-Pool = `%{exec:/bin/echo foo}`-	exec
+#	exec
  	# 	#  The expression module doesn't do authorization,@@ -799,15 +799,15 @@ instantiate {
 	#  other xlat functions such as md5, sha1 and lc. 	# 	#  We do not recommend removing it's listing here.-	expr
+#	expr
  	# 	# We add the counter module here so that it registers 	# the check-name attribute before any module which sets 	# it #	daily-	expiration
-	logintime
+#	expiration
+#	logintime
  	# subsections here can be thought of as "virtual" modules. 	#@@ -831,7 +831,7 @@ instantiate {
 #	to multiple times. # ######################################################################-$INCLUDE policy.conf
+#$INCLUDE policy.conf
  ###################################################################### #@@ -841,9 +841,9 @@ $INCLUDE policy.conf
 #	match the regular expression: /[a-zA-Z0-9_.]+/ # #	It allows you to define new virtual servers simply by placing-#	a file into the raddb/sites-enabled/ directory.
+#	a file into the /etc/freeradius2/sites/ directory.
 #-$INCLUDE sites-enabled/
+$INCLUDE sites/
  ###################################################################### #@@ -851,7 +851,7 @@ $INCLUDE sites-enabled/
 #	"authenticate {}", "accounting {}", have been moved to the #	the file: #-#		raddb/sites-available/default
+#		/etc/freeradius2/sites/default
 # #	This is the "default" virtual server that has the same #	configuration as in version 1.0.x and 1.1.x.  The default--- a/raddb/sites-available/default
+++ b/raddb/sites-available/default
@@ -85,7 +85,7 @@ authorize {
 	# 	#  It takes care of processing the 'raddb/hints' and the 	#  'raddb/huntgroups' files.-	preprocess
+#	preprocess
  	# 	#  If you want to have a log of authentication requests,@@ -96,7 +96,7 @@ authorize {
 	# 	#  The chap module will set 'Auth-Type := CHAP' if we are 	#  handling a CHAP request and Auth-Type has not already been set-	chap
+#	chap
  	# 	#  If the users are logging in with an MS-CHAP-Challenge@@ -104,13 +104,13 @@ authorize {
 	#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' 	#  to the request, which will cause the server to then use 	#  the mschap module for authentication.-	mschap
+#	mschap
  	# 	#  If you have a Cisco SIP server authenticating against 	#  FreeRADIUS, uncomment the following line, and the 'digest' 	#  line in the 'authenticate' section.-	digest
+#	digest
  	# 	#  The WiMAX specification says that the Calling-Station-Id@@ -133,7 +133,7 @@ authorize {
 	#  Otherwise, when the first style of realm doesn't match, 	#  the other styles won't be checked. 	#-	suffix
+#	suffix
 #	ntdomain  	#@@ -195,8 +195,8 @@ authorize {
 	# Use the checkval module #	checkval -	expiration
-	logintime
+#	expiration
+#	logintime
  	# 	#  If no other module has claimed responsibility for@@ -277,7 +277,7 @@ authenticate {
 	#  If you have a Cisco SIP server authenticating against 	#  FreeRADIUS, uncomment the following line, and the 'digest' 	#  line in the 'authorize' section.-	digest
+#	digest
  	# 	#  Pluggable Authentication Modules.@@ -294,7 +294,7 @@ authenticate {
 	#  be used for authentication ONLY for compatibility with legacy 	#  FreeRADIUS configurations. 	#-	unix
+#	unix
  	# Uncomment it if you want to use ldap for authentication 	#@@ -330,8 +330,8 @@ authenticate {
 # #  Pre-accounting.  Decide which accounting type to use. #-preacct {
-	preprocess
+#preacct {
+#	preprocess
  	# 	#  Session start times are *implied* in RADIUS.@@ -354,7 +354,7 @@ preacct {
 	# 	#  Ensure that we have a semi-unique identifier for every 	#  request, and many NAS boxes are broken.-	acct_unique
+#	acct_unique
  	# 	#  Look for IPASS-style 'realm/', and if not found, look for@@ -364,13 +364,13 @@ preacct {
 	#  Accounting requests are generally proxied to the same 	#  home server as authentication requests. #	IPASS-	suffix
+#	suffix
 #	ntdomain  	# 	#  Read the 'acct_users' file-	files
-}
+#	files
+#}
  # #  Accounting.  Log the accounting data.@@ -380,7 +380,7 @@ accounting {
 	#  Create a 'detail'ed log of the packets. 	#  Note that accounting requests which are proxied 	#  are also logged in the detail file.-	detail
+#	detail
 #	daily  	#  Update the wtmp file@@ -432,7 +432,7 @@ accounting {
 	exec  	#  Filter attributes from the accounting response.-	attr_filter.accounting_response
+	#attr_filter.accounting_response
  	# 	#  See "Autz-Type Status-Server" for how this works.@@ -458,7 +458,7 @@ session {
 #  Post-Authentication #  Once we KNOW that the user has been authenticated, there are #  additional steps we can take.-post-auth {
+#post-auth {
 	#  Get an address from the IP Pool. #	main_pool @@ -488,7 +488,7 @@ post-auth {
 #	ldap  	# For Exec-Program and Exec-Program-Wait-	exec
+#	exec
  	# 	#  Calculate the various WiMAX keys.  In order for this to work,@@ -572,12 +572,12 @@ post-auth {
 	#  Add the ldap module name (or instance) if you have set  	#  'edir_account_policy_check = yes' in the ldap module configuration 	#-	Post-Auth-Type REJECT {
-		# log failed authentications in SQL, too.
+#	Post-Auth-Type REJECT {
+#		# log failed authentications in SQL, too.
 #		sql-		attr_filter.access_reject
-	}
-}
+#		attr_filter.access_reject
+#	}
+#}
  # #  When the server decides to proxy a request to a home server,@@ -587,7 +587,7 @@ post-auth {
 # #  Only a few modules currently have this method. #-pre-proxy {
+#pre-proxy {
 #	attr_rewrite  	#  Uncomment the following line if you want to change attributes@@ -603,14 +603,14 @@ pre-proxy {
 	#  server, un-comment the following line, and the 	#  'detail pre_proxy_log' section, above. #	pre_proxy_log-}
+#}
  # #  When the server receives a reply to a request it proxied #  to a home server, the request may be massaged here, in the #  post-proxy stage. #-post-proxy {
+#post-proxy {
  	#  If you want to have a log of replies from a home server, 	#  un-comment the following line, and the 'detail post_proxy_log'@@ -634,7 +634,7 @@ post-proxy {
 	#  hidden inside of the EAP packet, and the end server will 	#  reject the EAP request. 	#-	eap
+#	eap
  	# 	#  If the server tries to proxy a request and fails, then the@@ -656,5 +656,5 @@ post-proxy {
 #	Post-Proxy-Type Fail { #			detail #	}-}
+#}
 --- a/raddb/users
+++ b/raddb/users
@@ -169,22 +169,22 @@
 #	by the terminal server in which case there may not be a "P" suffix. #	The terminal server sends "Framed-Protocol = PPP" for auto PPP. #-DEFAULT	Framed-Protocol == PPP
-	Framed-Protocol = PPP,
-	Framed-Compression = Van-Jacobson-TCP-IP
+#DEFAULT	Framed-Protocol == PPP
+#	Framed-Protocol = PPP,
+#	Framed-Compression = Van-Jacobson-TCP-IP
  # # Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression. #-DEFAULT	Hint == "CSLIP"
-	Framed-Protocol = SLIP,
-	Framed-Compression = Van-Jacobson-TCP-IP
+#DEFAULT	Hint == "CSLIP"
+#	Framed-Protocol = SLIP,
+#	Framed-Compression = Van-Jacobson-TCP-IP
  # # Default for SLIP: dynamic IP address, SLIP mode. #-DEFAULT	Hint == "SLIP"
-	Framed-Protocol = SLIP
+#DEFAULT	Hint == "SLIP"
+#	Framed-Protocol = SLIP
  # # Last default: rlogin to our main server.