--- a/raddb/dictionary.in
|
|
+++ b/raddb/dictionary.in
|
|
@@ -11,7 +11,7 @@
|
|
#
|
|
# The filename given here should be an absolute path.
|
|
#
|
|
-$INCLUDE @prefix@/share/freeradius/dictionary
|
|
+$INCLUDE @prefix@/share/freeradius2/dictionary
|
|
|
|
#
|
|
# Place additional attributes or $INCLUDEs here. They will
|
|
--- a/raddb/eap.conf
|
|
+++ b/raddb/eap.conf
|
|
@@ -27,7 +27,7 @@
|
|
# then that EAP type takes precedence over the
|
|
# default type configured here.
|
|
#
|
|
- default_eap_type = md5
|
|
+ default_eap_type = peap
|
|
|
|
# A list is maintained to correlate EAP-Response
|
|
# packets with EAP-Request packets. After a
|
|
@@ -72,8 +72,8 @@
|
|
# for wireless connections. It is insecure, and does
|
|
# not provide for dynamic WEP keys.
|
|
#
|
|
- md5 {
|
|
- }
|
|
+# md5 {
|
|
+# }
|
|
|
|
# Cisco LEAP
|
|
#
|
|
@@ -87,8 +87,8 @@
|
|
# User-Password, or the NT-Password attributes.
|
|
# 'System' authentication is impossible with LEAP.
|
|
#
|
|
- leap {
|
|
- }
|
|
+# leap {
|
|
+# }
|
|
|
|
# Generic Token Card.
|
|
#
|
|
@@ -101,7 +101,7 @@
|
|
# the users password will go over the wire in plain-text,
|
|
# for anyone to see.
|
|
#
|
|
- gtc {
|
|
+# gtc {
|
|
# The default challenge, which many clients
|
|
# ignore..
|
|
#challenge = "Password: "
|
|
@@ -118,8 +118,8 @@
|
|
# configured for the request, and do the
|
|
# authentication itself.
|
|
#
|
|
- auth_type = PAP
|
|
- }
|
|
+# auth_type = PAP
|
|
+# }
|
|
|
|
## EAP-TLS
|
|
#
|
|
@@ -215,7 +215,7 @@
|
|
# In these cases, fragment size should be
|
|
# 1024 or less.
|
|
#
|
|
- # fragment_size = 1024
|
|
+ fragment_size = 1024
|
|
|
|
# include_length is a flag which is
|
|
# by default set to yes If set to
|
|
@@ -225,7 +225,7 @@
|
|
# message is included ONLY in the
|
|
# First packet of a fragment series.
|
|
#
|
|
- # include_length = yes
|
|
+ include_length = yes
|
|
|
|
# Check the Certificate Revocation List
|
|
#
|
|
@@ -297,7 +297,7 @@
|
|
# for the server to print out an error message,
|
|
# and refuse to start.
|
|
#
|
|
- make_cert_command = "${certdir}/bootstrap"
|
|
+ # make_cert_command = "${certdir}/bootstrap"
|
|
|
|
#
|
|
# Elliptical cryptography configuration
|
|
@@ -332,7 +332,7 @@
|
|
# You probably also want "use_tunneled_reply = yes"
|
|
# when using fast session resumption.
|
|
#
|
|
- cache {
|
|
+ # cache {
|
|
#
|
|
# Enable it. The default is "no".
|
|
# Deleting the entire "cache" subsection
|
|
@@ -348,14 +348,14 @@
|
|
# enable resumption for just one user
|
|
# by setting the above attribute to "yes".
|
|
#
|
|
- enable = no
|
|
+ # enable = no
|
|
|
|
#
|
|
# Lifetime of the cached entries, in hours.
|
|
# The sessions will be deleted after this
|
|
# time.
|
|
#
|
|
- lifetime = 24 # hours
|
|
+ # lifetime = 24 # hours
|
|
|
|
#
|
|
# The maximum number of entries in the
|
|
@@ -364,8 +364,8 @@
|
|
# This could be set to the number of users
|
|
# who are logged in... which can be a LOT.
|
|
#
|
|
- max_entries = 255
|
|
- }
|
|
+ # max_entries = 255
|
|
+ # }
|
|
|
|
#
|
|
# As of version 2.1.10, client certificates can be
|
|
@@ -503,7 +503,7 @@
|
|
#
|
|
# in the control items for a request.
|
|
#
|
|
- ttls {
|
|
+# ttls {
|
|
# The tunneled EAP session needs a default
|
|
# EAP type which is separate from the one for
|
|
# the non-tunneled EAP module. Inside of the
|
|
@@ -511,7 +511,7 @@
|
|
# If the request does not contain an EAP
|
|
# conversation, then this configuration entry
|
|
# is ignored.
|
|
- default_eap_type = md5
|
|
+# default_eap_type = mschapv2
|
|
|
|
# The tunneled authentication request does
|
|
# not usually contain useful attributes
|
|
@@ -527,7 +527,7 @@
|
|
# is copied to the tunneled request.
|
|
#
|
|
# allowed values: {no, yes}
|
|
- copy_request_to_tunnel = no
|
|
+# copy_request_to_tunnel = yes
|
|
|
|
# The reply attributes sent to the NAS are
|
|
# usually based on the name of the user
|
|
@@ -540,7 +540,7 @@
|
|
# the tunneled request.
|
|
#
|
|
# allowed values: {no, yes}
|
|
- use_tunneled_reply = no
|
|
+# use_tunneled_reply = no
|
|
|
|
#
|
|
# The inner tunneled request can be sent
|
|
@@ -552,13 +552,13 @@
|
|
# the virtual server that processed the
|
|
# outer requests.
|
|
#
|
|
- virtual_server = "inner-tunnel"
|
|
+# virtual_server = "inner-tunnel"
|
|
|
|
# This has the same meaning as the
|
|
# same field in the "tls" module, above.
|
|
# The default value here is "yes".
|
|
# include_length = yes
|
|
- }
|
|
+# }
|
|
|
|
##################################################
|
|
#
|
|
@@ -627,14 +627,14 @@
|
|
|
|
# the PEAP module also has these configuration
|
|
# items, which are the same as for TTLS.
|
|
- copy_request_to_tunnel = no
|
|
- use_tunneled_reply = no
|
|
+ copy_request_to_tunnel = yes
|
|
+ use_tunneled_reply = yes
|
|
|
|
# When the tunneled session is proxied, the
|
|
# home server may not understand EAP-MSCHAP-V2.
|
|
# Set this entry to "no" to proxy the tunneled
|
|
# EAP-MSCHAP-V2 as normal MSCHAPv2.
|
|
- # proxy_tunneled_request_as_eap = yes
|
|
+ proxy_tunneled_request_as_eap = no
|
|
|
|
#
|
|
# The inner tunneled request can be sent
|
|
@@ -646,7 +646,8 @@
|
|
# the virtual server that processed the
|
|
# outer requests.
|
|
#
|
|
- virtual_server = "inner-tunnel"
|
|
+ # virtual_server = "inner-tunnel"
|
|
+ EAP-TLS-Require-Client-Cert = no
|
|
|
|
# This option enables support for MS-SoH
|
|
# see doc/SoH.txt for more info.
|
|
--- a/raddb/modules/counter
|
|
+++ b/raddb/modules/counter
|
|
@@ -69,7 +69,7 @@
|
|
# 'check-name' attribute.
|
|
#
|
|
counter daily {
|
|
- filename = ${db_dir}/db.daily
|
|
+ filename = ${radacctdir}/db.daily
|
|
key = User-Name
|
|
count-attribute = Acct-Session-Time
|
|
reset = daily
|
|
--- a/raddb/modules/pap
|
|
+++ b/raddb/modules/pap
|
|
@@ -18,5 +18,5 @@
|
|
#
|
|
# http://www.openldap.org/faq/data/cache/347.html
|
|
pap {
|
|
- auto_header = no
|
|
+ auto_header = yes
|
|
}
|
|
--- a/raddb/modules/radutmp
|
|
+++ b/raddb/modules/radutmp
|
|
@@ -12,7 +12,7 @@ radutmp {
|
|
# Where the file is stored. It's not a log file,
|
|
# so it doesn't need rotating.
|
|
#
|
|
- filename = ${logdir}/radutmp
|
|
+ filename = ${radacctdir}/radutmp
|
|
|
|
# The field in the packet to key on for the
|
|
# 'user' name, If you have other fields which you want
|
|
--- a/raddb/modules/sradutmp
|
|
+++ b/raddb/modules/sradutmp
|
|
@@ -10,7 +10,7 @@
|
|
# then name "sradutmp" to identify it later in the "accounting"
|
|
# section.
|
|
radutmp sradutmp {
|
|
- filename = ${logdir}/sradutmp
|
|
+ filename = ${radacctdir}/sradutmp
|
|
perm = 0644
|
|
callerid = "no"
|
|
}
|
|
--- a/raddb/radiusd.conf.in
|
|
+++ b/raddb/radiusd.conf.in
|
|
@@ -66,7 +66,7 @@ name = radiusd
|
|
|
|
# Location of config and logfiles.
|
|
confdir = ${raddbdir}
|
|
-run_dir = ${localstatedir}/run/${name}
|
|
+run_dir = ${localstatedir}/run
|
|
|
|
# Should likely be ${localstatedir}/lib/radiusd
|
|
db_dir = ${raddbdir}
|
|
@@ -323,7 +323,7 @@ listen {
|
|
# If your system does not support this feature, you will
|
|
# get an error if you try to use it.
|
|
#
|
|
-# interface = eth0
|
|
+ interface = br-lan
|
|
|
|
# Per-socket lists of clients. This is a very useful feature.
|
|
#
|
|
@@ -350,7 +350,7 @@ listen {
|
|
# ipv6addr = ::
|
|
port = 0
|
|
type = acct
|
|
-# interface = eth0
|
|
+ interface = br-lan
|
|
# clients = per_socket_clients
|
|
}
|
|
|
|
@@ -584,8 +584,8 @@ security {
|
|
#
|
|
# allowed values: {no, yes}
|
|
#
|
|
-proxy_requests = yes
|
|
-$INCLUDE proxy.conf
|
|
+proxy_requests = no
|
|
+#$INCLUDE proxy.conf
|
|
|
|
|
|
# CLIENTS CONFIGURATION
|
|
@@ -782,7 +782,7 @@ instantiate {
|
|
# The entire command line (and output) must fit into 253 bytes.
|
|
#
|
|
# e.g. Framed-Pool = `%{exec:/bin/echo foo}`
|
|
- exec
|
|
+# exec
|
|
|
|
#
|
|
# The expression module doesn't do authorization,
|
|
@@ -799,15 +799,15 @@ instantiate {
|
|
# other xlat functions such as md5, sha1 and lc.
|
|
#
|
|
# We do not recommend removing it's listing here.
|
|
- expr
|
|
+# expr
|
|
|
|
#
|
|
# We add the counter module here so that it registers
|
|
# the check-name attribute before any module which sets
|
|
# it
|
|
# daily
|
|
- expiration
|
|
- logintime
|
|
+# expiration
|
|
+# logintime
|
|
|
|
# subsections here can be thought of as "virtual" modules.
|
|
#
|
|
@@ -831,7 +831,7 @@ instantiate {
|
|
# to multiple times.
|
|
#
|
|
######################################################################
|
|
-$INCLUDE policy.conf
|
|
+#$INCLUDE policy.conf
|
|
|
|
######################################################################
|
|
#
|
|
@@ -841,9 +841,9 @@ $INCLUDE policy.conf
|
|
# match the regular expression: /[a-zA-Z0-9_.]+/
|
|
#
|
|
# It allows you to define new virtual servers simply by placing
|
|
-# a file into the raddb/sites-enabled/ directory.
|
|
+# a file into the /etc/freeradius2/sites/ directory.
|
|
#
|
|
-$INCLUDE sites-enabled/
|
|
+$INCLUDE sites/
|
|
|
|
######################################################################
|
|
#
|
|
@@ -851,7 +851,7 @@ $INCLUDE sites-enabled/
|
|
# "authenticate {}", "accounting {}", have been moved to the
|
|
# the file:
|
|
#
|
|
-# raddb/sites-available/default
|
|
+# /etc/freeradius2/sites/default
|
|
#
|
|
# This is the "default" virtual server that has the same
|
|
# configuration as in version 1.0.x and 1.1.x. The default
|
|
--- a/raddb/sites-available/default
|
|
+++ b/raddb/sites-available/default
|
|
@@ -85,7 +85,7 @@ authorize {
|
|
#
|
|
# It takes care of processing the 'raddb/hints' and the
|
|
# 'raddb/huntgroups' files.
|
|
- preprocess
|
|
+# preprocess
|
|
|
|
#
|
|
# If you want to have a log of authentication requests,
|
|
@@ -96,7 +96,7 @@ authorize {
|
|
#
|
|
# The chap module will set 'Auth-Type := CHAP' if we are
|
|
# handling a CHAP request and Auth-Type has not already been set
|
|
- chap
|
|
+# chap
|
|
|
|
#
|
|
# If the users are logging in with an MS-CHAP-Challenge
|
|
@@ -104,13 +104,13 @@ authorize {
|
|
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
|
|
# to the request, which will cause the server to then use
|
|
# the mschap module for authentication.
|
|
- mschap
|
|
+# mschap
|
|
|
|
#
|
|
# If you have a Cisco SIP server authenticating against
|
|
# FreeRADIUS, uncomment the following line, and the 'digest'
|
|
# line in the 'authenticate' section.
|
|
- digest
|
|
+# digest
|
|
|
|
#
|
|
# The WiMAX specification says that the Calling-Station-Id
|
|
@@ -133,7 +133,7 @@ authorize {
|
|
# Otherwise, when the first style of realm doesn't match,
|
|
# the other styles won't be checked.
|
|
#
|
|
- suffix
|
|
+# suffix
|
|
# ntdomain
|
|
|
|
#
|
|
@@ -195,8 +195,8 @@ authorize {
|
|
# Use the checkval module
|
|
# checkval
|
|
|
|
- expiration
|
|
- logintime
|
|
+# expiration
|
|
+# logintime
|
|
|
|
#
|
|
# If no other module has claimed responsibility for
|
|
@@ -277,7 +277,7 @@ authenticate {
|
|
# If you have a Cisco SIP server authenticating against
|
|
# FreeRADIUS, uncomment the following line, and the 'digest'
|
|
# line in the 'authorize' section.
|
|
- digest
|
|
+# digest
|
|
|
|
#
|
|
# Pluggable Authentication Modules.
|
|
@@ -294,7 +294,7 @@ authenticate {
|
|
# be used for authentication ONLY for compatibility with legacy
|
|
# FreeRADIUS configurations.
|
|
#
|
|
- unix
|
|
+# unix
|
|
|
|
# Uncomment it if you want to use ldap for authentication
|
|
#
|
|
@@ -330,8 +330,8 @@ authenticate {
|
|
#
|
|
# Pre-accounting. Decide which accounting type to use.
|
|
#
|
|
-preacct {
|
|
- preprocess
|
|
+#preacct {
|
|
+# preprocess
|
|
|
|
#
|
|
# Session start times are *implied* in RADIUS.
|
|
@@ -354,7 +354,7 @@ preacct {
|
|
#
|
|
# Ensure that we have a semi-unique identifier for every
|
|
# request, and many NAS boxes are broken.
|
|
- acct_unique
|
|
+# acct_unique
|
|
|
|
#
|
|
# Look for IPASS-style 'realm/', and if not found, look for
|
|
@@ -364,13 +364,13 @@ preacct {
|
|
# Accounting requests are generally proxied to the same
|
|
# home server as authentication requests.
|
|
# IPASS
|
|
- suffix
|
|
+# suffix
|
|
# ntdomain
|
|
|
|
#
|
|
# Read the 'acct_users' file
|
|
- files
|
|
-}
|
|
+# files
|
|
+#}
|
|
|
|
#
|
|
# Accounting. Log the accounting data.
|
|
@@ -380,7 +380,7 @@ accounting {
|
|
# Create a 'detail'ed log of the packets.
|
|
# Note that accounting requests which are proxied
|
|
# are also logged in the detail file.
|
|
- detail
|
|
+# detail
|
|
# daily
|
|
|
|
# Update the wtmp file
|
|
@@ -432,7 +432,7 @@ accounting {
|
|
exec
|
|
|
|
# Filter attributes from the accounting response.
|
|
- attr_filter.accounting_response
|
|
+ #attr_filter.accounting_response
|
|
|
|
#
|
|
# See "Autz-Type Status-Server" for how this works.
|
|
@@ -458,7 +458,7 @@ session {
|
|
# Post-Authentication
|
|
# Once we KNOW that the user has been authenticated, there are
|
|
# additional steps we can take.
|
|
-post-auth {
|
|
+#post-auth {
|
|
# Get an address from the IP Pool.
|
|
# main_pool
|
|
|
|
@@ -488,7 +488,7 @@ post-auth {
|
|
# ldap
|
|
|
|
# For Exec-Program and Exec-Program-Wait
|
|
- exec
|
|
+# exec
|
|
|
|
#
|
|
# Calculate the various WiMAX keys. In order for this to work,
|
|
@@ -572,12 +572,12 @@ post-auth {
|
|
# Add the ldap module name (or instance) if you have set
|
|
# 'edir_account_policy_check = yes' in the ldap module configuration
|
|
#
|
|
- Post-Auth-Type REJECT {
|
|
- # log failed authentications in SQL, too.
|
|
+# Post-Auth-Type REJECT {
|
|
+# # log failed authentications in SQL, too.
|
|
# sql
|
|
- attr_filter.access_reject
|
|
- }
|
|
-}
|
|
+# attr_filter.access_reject
|
|
+# }
|
|
+#}
|
|
|
|
#
|
|
# When the server decides to proxy a request to a home server,
|
|
@@ -587,7 +587,7 @@ post-auth {
|
|
#
|
|
# Only a few modules currently have this method.
|
|
#
|
|
-pre-proxy {
|
|
+#pre-proxy {
|
|
# attr_rewrite
|
|
|
|
# Uncomment the following line if you want to change attributes
|
|
@@ -603,14 +603,14 @@ pre-proxy {
|
|
# server, un-comment the following line, and the
|
|
# 'detail pre_proxy_log' section, above.
|
|
# pre_proxy_log
|
|
-}
|
|
+#}
|
|
|
|
#
|
|
# When the server receives a reply to a request it proxied
|
|
# to a home server, the request may be massaged here, in the
|
|
# post-proxy stage.
|
|
#
|
|
-post-proxy {
|
|
+#post-proxy {
|
|
|
|
# If you want to have a log of replies from a home server,
|
|
# un-comment the following line, and the 'detail post_proxy_log'
|
|
@@ -634,7 +634,7 @@ post-proxy {
|
|
# hidden inside of the EAP packet, and the end server will
|
|
# reject the EAP request.
|
|
#
|
|
- eap
|
|
+# eap
|
|
|
|
#
|
|
# If the server tries to proxy a request and fails, then the
|
|
@@ -656,5 +656,5 @@ post-proxy {
|
|
# Post-Proxy-Type Fail {
|
|
# detail
|
|
# }
|
|
-}
|
|
+#}
|
|
|
|
--- a/raddb/users
|
|
+++ b/raddb/users
|
|
@@ -169,22 +169,22 @@
|
|
# by the terminal server in which case there may not be a "P" suffix.
|
|
# The terminal server sends "Framed-Protocol = PPP" for auto PPP.
|
|
#
|
|
-DEFAULT Framed-Protocol == PPP
|
|
- Framed-Protocol = PPP,
|
|
- Framed-Compression = Van-Jacobson-TCP-IP
|
|
+#DEFAULT Framed-Protocol == PPP
|
|
+# Framed-Protocol = PPP,
|
|
+# Framed-Compression = Van-Jacobson-TCP-IP
|
|
|
|
#
|
|
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
|
|
#
|
|
-DEFAULT Hint == "CSLIP"
|
|
- Framed-Protocol = SLIP,
|
|
- Framed-Compression = Van-Jacobson-TCP-IP
|
|
+#DEFAULT Hint == "CSLIP"
|
|
+# Framed-Protocol = SLIP,
|
|
+# Framed-Compression = Van-Jacobson-TCP-IP
|
|
|
|
#
|
|
# Default for SLIP: dynamic IP address, SLIP mode.
|
|
#
|
|
-DEFAULT Hint == "SLIP"
|
|
- Framed-Protocol = SLIP
|
|
+#DEFAULT Hint == "SLIP"
|
|
+# Framed-Protocol = SLIP
|
|
|
|
#
|
|
# Last default: rlogin to our main server.
|