Index: freeradius-server-2.2.7/raddb/dictionary.in =================================================================== --- freeradius-server-2.2.7.orig/raddb/dictionary.in +++ freeradius-server-2.2.7/raddb/dictionary.in @@ -11,7 +11,7 @@ # # The filename given here should be an absolute path. # -$INCLUDE @prefix@/share/freeradius/dictionary +$INCLUDE @prefix@/share/freeradius2/dictionary # # Place additional attributes or $INCLUDEs here. They will Index: freeradius-server-2.2.7/raddb/eap.conf =================================================================== --- freeradius-server-2.2.7.orig/raddb/eap.conf +++ freeradius-server-2.2.7/raddb/eap.conf @@ -27,7 +27,7 @@ # then that EAP type takes precedence over the # default type configured here. # - default_eap_type = md5 + default_eap_type = peap # A list is maintained to correlate EAP-Response # packets with EAP-Request packets. After a @@ -72,8 +72,8 @@ # for wireless connections. It is insecure, and does # not provide for dynamic WEP keys. # - md5 { - } +# md5 { +# } # Cisco LEAP # @@ -87,8 +87,8 @@ # User-Password, or the NT-Password attributes. # 'System' authentication is impossible with LEAP. # - leap { - } +# leap { +# } # Generic Token Card. # @@ -101,7 +101,7 @@ # the users password will go over the wire in plain-text, # for anyone to see. # - gtc { +# gtc { # The default challenge, which many clients # ignore.. #challenge = "Password: " @@ -118,8 +118,8 @@ # configured for the request, and do the # authentication itself. # - auth_type = PAP - } +# auth_type = PAP +# } ## EAP-TLS # @@ -215,7 +215,7 @@ # In these cases, fragment size should be # 1024 or less. # - # fragment_size = 1024 + fragment_size = 1024 # include_length is a flag which is # by default set to yes If set to @@ -225,7 +225,7 @@ # message is included ONLY in the # First packet of a fragment series. # - # include_length = yes + include_length = yes # Check the Certificate Revocation List # @@ -297,7 +297,7 @@ # for the server to print out an error message, # and refuse to start. # - make_cert_command = "${certdir}/bootstrap" + # make_cert_command = "${certdir}/bootstrap" # # Elliptical cryptography configuration @@ -332,7 +332,7 @@ # You probably also want "use_tunneled_reply = yes" # when using fast session resumption. # - cache { + # cache { # # Enable it. The default is "no". # Deleting the entire "cache" subsection @@ -348,14 +348,14 @@ # enable resumption for just one user # by setting the above attribute to "yes". # - enable = no + # enable = no # # Lifetime of the cached entries, in hours. # The sessions will be deleted after this # time. # - lifetime = 24 # hours + # lifetime = 24 # hours # # The maximum number of entries in the @@ -364,8 +364,8 @@ # This could be set to the number of users # who are logged in... which can be a LOT. # - max_entries = 255 - } + # max_entries = 255 + # } # # As of version 2.1.10, client certificates can be @@ -503,7 +503,7 @@ # # in the control items for a request. # - ttls { +# ttls { # The tunneled EAP session needs a default # EAP type which is separate from the one for # the non-tunneled EAP module. Inside of the @@ -511,7 +511,7 @@ # If the request does not contain an EAP # conversation, then this configuration entry # is ignored. - default_eap_type = md5 +# default_eap_type = mschapv2 # The tunneled authentication request does # not usually contain useful attributes @@ -527,7 +527,7 @@ # is copied to the tunneled request. # # allowed values: {no, yes} - copy_request_to_tunnel = no +# copy_request_to_tunnel = yes # The reply attributes sent to the NAS are # usually based on the name of the user @@ -540,7 +540,7 @@ # the tunneled request. # # allowed values: {no, yes} - use_tunneled_reply = no +# use_tunneled_reply = no # # The inner tunneled request can be sent @@ -552,13 +552,13 @@ # the virtual server that processed the # outer requests. # - virtual_server = "inner-tunnel" +# virtual_server = "inner-tunnel" # This has the same meaning as the # same field in the "tls" module, above. # The default value here is "yes". # include_length = yes - } +# } ################################################## # @@ -627,14 +627,14 @@ # the PEAP module also has these configuration # items, which are the same as for TTLS. - copy_request_to_tunnel = no - use_tunneled_reply = no + copy_request_to_tunnel = yes + use_tunneled_reply = yes # When the tunneled session is proxied, the # home server may not understand EAP-MSCHAP-V2. # Set this entry to "no" to proxy the tunneled # EAP-MSCHAP-V2 as normal MSCHAPv2. - # proxy_tunneled_request_as_eap = yes + proxy_tunneled_request_as_eap = no # # The inner tunneled request can be sent @@ -646,7 +646,8 @@ # the virtual server that processed the # outer requests. # - virtual_server = "inner-tunnel" + # virtual_server = "inner-tunnel" + EAP-TLS-Require-Client-Cert = no # This option enables support for MS-SoH # see doc/SoH.txt for more info. Index: freeradius-server-2.2.7/raddb/modules/counter =================================================================== --- freeradius-server-2.2.7.orig/raddb/modules/counter +++ freeradius-server-2.2.7/raddb/modules/counter @@ -69,7 +69,7 @@ # 'check-name' attribute. # counter daily { - filename = ${db_dir}/db.daily + filename = ${radacctdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily Index: freeradius-server-2.2.7/raddb/modules/pap =================================================================== --- freeradius-server-2.2.7.orig/raddb/modules/pap +++ freeradius-server-2.2.7/raddb/modules/pap @@ -18,5 +18,5 @@ # # http://www.openldap.org/faq/data/cache/347.html pap { - auto_header = no + auto_header = yes } Index: freeradius-server-2.2.7/raddb/modules/radutmp =================================================================== --- freeradius-server-2.2.7.orig/raddb/modules/radutmp +++ freeradius-server-2.2.7/raddb/modules/radutmp @@ -12,7 +12,7 @@ radutmp { # Where the file is stored. It's not a log file, # so it doesn't need rotating. # - filename = ${logdir}/radutmp + filename = ${radacctdir}/radutmp # The field in the packet to key on for the # 'user' name, If you have other fields which you want Index: freeradius-server-2.2.7/raddb/modules/sradutmp =================================================================== --- freeradius-server-2.2.7.orig/raddb/modules/sradutmp +++ freeradius-server-2.2.7/raddb/modules/sradutmp @@ -10,7 +10,7 @@ # then name "sradutmp" to identify it later in the "accounting" # section. radutmp sradutmp { - filename = ${logdir}/sradutmp + filename = ${radacctdir}/sradutmp perm = 0644 callerid = "no" } Index: freeradius-server-2.2.7/raddb/radiusd.conf.in =================================================================== --- freeradius-server-2.2.7.orig/raddb/radiusd.conf.in +++ freeradius-server-2.2.7/raddb/radiusd.conf.in @@ -66,7 +66,7 @@ name = radiusd # Location of config and logfiles. confdir = ${raddbdir} -run_dir = ${localstatedir}/run/${name} +run_dir = ${localstatedir}/run # Should likely be ${localstatedir}/lib/radiusd db_dir = ${raddbdir} @@ -323,7 +323,7 @@ listen { # If your system does not support this feature, you will # get an error if you try to use it. # -# interface = eth0 + interface = br-lan # Per-socket lists of clients. This is a very useful feature. # @@ -350,7 +350,7 @@ listen { # ipv6addr = :: port = 0 type = acct -# interface = eth0 + interface = br-lan # clients = per_socket_clients } @@ -576,8 +576,8 @@ security { # # allowed values: {no, yes} # -proxy_requests = yes -$INCLUDE proxy.conf +proxy_requests = no +#$INCLUDE proxy.conf # CLIENTS CONFIGURATION @@ -774,7 +774,7 @@ instantiate { # The entire command line (and output) must fit into 253 bytes. # # e.g. Framed-Pool = `%{exec:/bin/echo foo}` - exec +# exec # # The expression module doesn't do authorization, @@ -791,15 +791,15 @@ instantiate { # other xlat functions such as md5, sha1 and lc. # # We do not recommend removing it's listing here. - expr +# expr # # We add the counter module here so that it registers # the check-name attribute before any module which sets # it # daily - expiration - logintime +# expiration +# logintime # subsections here can be thought of as "virtual" modules. # @@ -823,7 +823,7 @@ instantiate { # to multiple times. # ###################################################################### -$INCLUDE policy.conf +#$INCLUDE policy.conf ###################################################################### # @@ -833,9 +833,9 @@ $INCLUDE policy.conf # match the regular expression: /[a-zA-Z0-9_.]+/ # # It allows you to define new virtual servers simply by placing -# a file into the raddb/sites-enabled/ directory. +# a file into the /etc/freeradius2/sites/ directory. # -$INCLUDE sites-enabled/ +$INCLUDE sites/ ###################################################################### # @@ -843,7 +843,7 @@ $INCLUDE sites-enabled/ # "authenticate {}", "accounting {}", have been moved to the # the file: # -# raddb/sites-available/default +# /etc/freeradius2/sites/default # # This is the "default" virtual server that has the same # configuration as in version 1.0.x and 1.1.x. The default Index: freeradius-server-2.2.7/raddb/sites-available/default =================================================================== --- freeradius-server-2.2.7.orig/raddb/sites-available/default +++ freeradius-server-2.2.7/raddb/sites-available/default @@ -85,7 +85,7 @@ authorize { # # It takes care of processing the 'raddb/hints' and the # 'raddb/huntgroups' files. - preprocess +# preprocess # # If you want to have a log of authentication requests, @@ -96,7 +96,7 @@ authorize { # # The chap module will set 'Auth-Type := CHAP' if we are # handling a CHAP request and Auth-Type has not already been set - chap +# chap # # If the users are logging in with an MS-CHAP-Challenge @@ -104,13 +104,13 @@ authorize { # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' # to the request, which will cause the server to then use # the mschap module for authentication. - mschap +# mschap # # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authenticate' section. - digest +# digest # # The WiMAX specification says that the Calling-Station-Id @@ -133,7 +133,7 @@ authorize { # Otherwise, when the first style of realm doesn't match, # the other styles won't be checked. # - suffix +# suffix # ntdomain # @@ -197,8 +197,8 @@ authorize { # Use the checkval module # checkval - expiration - logintime +# expiration +# logintime # # If no other module has claimed responsibility for @@ -279,7 +279,7 @@ authenticate { # If you have a Cisco SIP server authenticating against # FreeRADIUS, uncomment the following line, and the 'digest' # line in the 'authorize' section. - digest +# digest # # Pluggable Authentication Modules. @@ -296,7 +296,7 @@ authenticate { # be used for authentication ONLY for compatibility with legacy # FreeRADIUS configurations. # - unix +# unix # Uncomment it if you want to use ldap for authentication # @@ -332,8 +332,8 @@ authenticate { # # Pre-accounting. Decide which accounting type to use. # -preacct { - preprocess +#preacct { +# preprocess # # Session start times are *implied* in RADIUS. @@ -356,7 +356,7 @@ preacct { # # Ensure that we have a semi-unique identifier for every # request, and many NAS boxes are broken. - acct_unique +# acct_unique # # Look for IPASS-style 'realm/', and if not found, look for @@ -366,13 +366,13 @@ preacct { # Accounting requests are generally proxied to the same # home server as authentication requests. # IPASS - suffix +# suffix # ntdomain # # Read the 'acct_users' file - files -} +# files +#} # # Accounting. Log the accounting data. @@ -382,7 +382,7 @@ accounting { # Create a 'detail'ed log of the packets. # Note that accounting requests which are proxied # are also logged in the detail file. - detail +# detail # daily # Update the wtmp file @@ -434,7 +434,7 @@ accounting { exec # Filter attributes from the accounting response. - attr_filter.accounting_response + #attr_filter.accounting_response # # See "Autz-Type Status-Server" for how this works. @@ -460,7 +460,7 @@ session { # Post-Authentication # Once we KNOW that the user has been authenticated, there are # additional steps we can take. -post-auth { +#post-auth { # Get an address from the IP Pool. # main_pool @@ -490,7 +490,7 @@ post-auth { # ldap # For Exec-Program and Exec-Program-Wait - exec +# exec # # Calculate the various WiMAX keys. In order for this to work, @@ -574,18 +574,18 @@ post-auth { # Add the ldap module name (or instance) if you have set # 'edir_account_policy_check = yes' in the ldap module configuration # - Post-Auth-Type REJECT { - # log failed authentications in SQL, too. +# Post-Auth-Type REJECT { +# # log failed authentications in SQL, too. # sql # Insert EAP-Failure message if the request was # rejected by policy instead of because of an # authentication failure - eap +# eap - attr_filter.access_reject - } -} +# attr_filter.access_reject +# } +#} # # When the server decides to proxy a request to a home server, @@ -595,7 +595,7 @@ post-auth { # # Only a few modules currently have this method. # -pre-proxy { +#pre-proxy { # attr_rewrite # Uncomment the following line if you want to change attributes @@ -611,14 +611,14 @@ pre-proxy { # server, un-comment the following line, and the # 'detail pre_proxy_log' section, above. # pre_proxy_log -} +#} # # When the server receives a reply to a request it proxied # to a home server, the request may be massaged here, in the # post-proxy stage. # -post-proxy { +#post-proxy { # If you want to have a log of replies from a home server, # un-comment the following line, and the 'detail post_proxy_log' @@ -642,7 +642,7 @@ post-proxy { # hidden inside of the EAP packet, and the end server will # reject the EAP request. # - eap +# eap # # If the server tries to proxy a request and fails, then the @@ -664,5 +664,5 @@ post-proxy { # Post-Proxy-Type Fail { # detail # } -} +#} Index: freeradius-server-2.2.7/raddb/users =================================================================== --- freeradius-server-2.2.7.orig/raddb/users +++ freeradius-server-2.2.7/raddb/users @@ -169,22 +169,22 @@ # by the terminal server in which case there may not be a "P" suffix. # The terminal server sends "Framed-Protocol = PPP" for auto PPP. # -DEFAULT Framed-Protocol == PPP - Framed-Protocol = PPP, - Framed-Compression = Van-Jacobson-TCP-IP +#DEFAULT Framed-Protocol == PPP +# Framed-Protocol = PPP, +# Framed-Compression = Van-Jacobson-TCP-IP # # Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression. # -DEFAULT Hint == "CSLIP" - Framed-Protocol = SLIP, - Framed-Compression = Van-Jacobson-TCP-IP +#DEFAULT Hint == "CSLIP" +# Framed-Protocol = SLIP, +# Framed-Compression = Van-Jacobson-TCP-IP # # Default for SLIP: dynamic IP address, SLIP mode. # -DEFAULT Hint == "SLIP" - Framed-Protocol = SLIP +#DEFAULT Hint == "SLIP" +# Framed-Protocol = SLIP # # Last default: rlogin to our main server.