comparison conf/radpxy.eap.testbed.aaa/freeradius/experimental.conf @ 11:44f87917c579

Added a RADIUS proxy using freeradius in the eap testbed
author Sebastien Decugis <sdecugis@nict.go.jp>
date Thu, 16 Sep 2010 14:23:42 +0900
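--- /dev/null
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/experimental.conf
@@ -0,0 +1,501 @@
+#
+# This file contains the configuration for experimental modules.
+#
+# By default, it is NOT included in the build.
+#
+# $Id: experimental.conf,v 1.42 2008/01/19 22:26:30 aland Exp $
+#
+
+# Configuration for the Python module.
+#
+# Where radiusd is a Python module, radiusd.py, and the
+# function 'authorize' is called. Here is a dummy piece
+# of code:
+#
+# def authorize(params):
+# print params
+# return (5, ('Reply-Message', 'banned'))
+#
+# The RADIUS value-pairs are passed as a tuple of tuple
+# pairs as the first argument, e.g. (('attribute1',
+# 'value1'), ('attribute2', 'value2'))
+#
+# The function return is a tuple with the first element
+# being the return value of the function.
+# The 5 corresponds to RLM_MODULE_USERLOCK. I plan to
+# write the return values as Python symbols to avoid
+# confusion.
+#
+# The remaining tuple members are the string form of
+# value-pairs which are passed on to pairmake().
+#
+python {
+mod_instantiate = radiusd_test
+func_instantiate = instantiate
+
+mod_authorize = radiusd_test
+func_authorize = authorize
+
+mod_accounting = radiusd_test
+func_accounting = accounting
+
+mod_preproxy = radiusd_test
+func_preproxy = preproxy
+
+mod_postproxy = radiusd_test
+func_postproxy = postproxy
+
+mod_postauth = radiusd_test
+func_postauth = postauth
+
+mod_detach = radiusd_test
+func_detach = detach
+}
+
+
+# Configuration for the example module. Uncommenting it will cause it
+# to get loaded and initialized, but should have no real effect as long
+# it is not referencened in one of the autz/auth/preacct/acct sections
+example {
+# Boolean variable.
+# allowed values: {no, yes}
+boolean = yes
+
+# An integer, of any value.
+integer = 16
+
+# A string.
+string = "This is an example configuration string"
+
+# An IP address, either in dotted quad (1.2.3.4) or hostname
+# (example.com)
+ipaddr = 127.0.0.1
+
+# A subsection
+mysubsection {
+anotherinteger = 1000
+# They nest
+deeply nested {
+string = "This is a different string"
+}
+}
+}
+
+#
+# To create a dbm users file, do:
+#
+# cat test.users | rlm_dbm_parser -f /etc/raddb/users_db
+#
+# Then add 'dbm' in 'authorize' section.
+#
+# Note that even if the file has a ".db" or ".dbm" extension,
+# you may have to specify it here without that extension. This
+# is because the DBM libraries "helpfully" add a ".db" to the
+# filename, but don't check if it's already there.
+#
+dbm {
+usersfile = ${confdir}/users_db
+}
+
+#
+# Persistent, embedded Perl interpreter.
+#
+perl {
+#
+# The Perl script to execute on authorize, authenticate,
+# accounting, xlat, etc. This is very similar to using
+# 'rlm_exec' module, but it is persistent, and therefore
+# faster.
+#
+module = /path/to/your/perl_module.pm
+
+#
+# The following hashes are given to the module and
+# filled with value-pairs (Attribute names and values)
+#
+# %RAD_CHECK Read-only Check items
+# %RAD_REQUEST Read-only Attributes from the request
+# %RAD_REPLY Read-write Attributes for the reply
+#
+# The return codes from functions in the perl_script
+# are passed directly back to the server. These
+# codes are defined in doc/configurable_failover,
+# src/include/modules.h (RLM_MODULE_REJECT, etc),
+# and are pre-defined in the 'example.pl' program
+# which is included.
+#
+
+#
+# List of functions in the module to call.
+# Uncomment and change if you want to use function
+# names other than the defaults.
+#
+#func_authenticate = authenticate
+#func_authorize = authorize
+#func_preacct = preacct
+#func_accounting = accounting
+#func_checksimul = checksimul
+#func_pre_proxy = pre_proxy
+#func_post_proxy = post_proxy
+#func_post_auth = post_auth
+#func_xlat = xlat
+#func_detach = detach
+
+#
+# Uncomment the following lines if you wish
+# to use separate functions for Start and Stop
+# accounting packets. In that case, the
+# func_accounting function is not called.
+#
+#func_start_accounting = accounting_start
+#func_stop_accounting = accounting_stop
+
+# Uncomment the following lines if your perl is
+# compiled with threads support.
+# The settings below are the defaults.
+#
+#max_clones = 32
+#start_clones = 32
+#min_spare_clones = 0
+#max_spare_clones = 32
+#cleanup_delay = 5
+#max_request_per_clone = 0
+
+}
+
+#
+# Perform NT-Domain authentication. This only works
+# with PAP authentication. That is, Authentication-Request
+# packets containing a User-Password attribute.
+#
+# To use it, add 'smb' into the 'authenticate' section,
+# and then in another module (usually the 'users' file),
+# set 'Auth-Type := SMB'
+#
+# WARNING: this module is not only experimental, it's also
+# a security threat. It's not recommended to use it until
+# it gets fixed.
+#
+smb {
+server = ntdomain.server.example.com
+backup = backup.server.example.com
+domain = NTDOMAIN
+}
+
+# See doc/rlm_fastusers before using this
+# module or changing these values.
+#
+fastusers {
+usersfile = ${confdir}/users_fast
+hashsize = 1000
+compat = no
+# Reload the hash every 600 seconds (10mins)
+hash_reload = 600
+}
+
+# Caching module
+#
+# Should be added in the post-auth section (after all other modules)
+# and in the authorize section (before any other modules)
+#
+# authorize {
+# caching {
+# ok = return
+# }
+# [... other modules ...]
+# }
+# post-auth {
+# [... other modules ...]
+# caching
+# }
+#
+# The caching module will cache the Auth-Type and reply items
+# and send them back on any subsequent requests for the same key
+#
+# Configuration:
+#
+# filename: The gdbm file to use for the cache database
+# (can be memory mapped for more speed)
+#
+# key: A string to xlat and use as a key. For instance,
+# "%{Acct-Unique-Session-Id}"
+#
+# post-auth: If we find a cached entry, set the post-auth to that value
+#
+# cache-ttl: The time to cache the entry. The same time format
+# as the counter module apply here.
+# num[hdwm] where:
+# h: hours, d: days, w: weeks, m: months
+# If the letter is ommited days will be assumed.
+# e.g. 1d == one day
+#
+# cache-size: The gdbm cache size to request (default 1000)
+#
+# hit-ratio: If set to non-zero we print out statistical
+# information after so many cache requests
+#
+# cache-rejects: Do we also cache rejects, or not? (default 'yes')
+#
+caching {
+filename = ${db_dir}/db.cache
+cache-ttl = 1d
+hit-ratio = 1000
+key = "%{Acct-Unique-Session-Id}"
+#post-auth = ""
+# cache-size = 2000
+# cache-rejects = yes
+}
+
+
+# Simple module for logging of Account packets to radiusd.log
+# You need to declare it in the accounting section for it to work
+acctlog {
+acctlog_update = ""
+acctlog_start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})"
+acctlog_stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds"
+acctlog_on = "NAS %C (%{NAS-IP-Address}) just came online"
+acctlog_off = "NAS %C (%{NAS-IP-Address}) just went offline"
+}
+
+# Another implementation of the EAP module.
+#
+# This module requires the libeap.so file from the hostap
+# software (http://hostap.epitest.fi/hostapd/). It has been
+# tested on the development version of hostapd (0.6.1) ONLY.
+#
+# In order to use it, you MUST build a "libeap.so" in hostapd,
+# which is not done by default.
+#
+# You MUST also edit the file: src/modules/rlm_eap2/Makefile
+# to point to the location of the hostap include files.
+#
+# This module CANNOT be used in the same way as the current
+# FreeRADIUS "eap" module. There is NO way to look inside of
+# a tunneled request. There is NO way to proxy a tunneled
+# request. There is NO way to even look at the user name inside
+# of the tunneled request. There is NO way to control the
+# choice of EAP types inside of the tunnel. You MUST force
+# the server to choose "eap2" for authentication, because this
+# module has no "authorize" section.
+#
+# If you want to use this module for experimentation, please
+# post your comments to the freeradius-devel list:
+#
+# http://lists.freeradius.org/mailman/listinfo/freeradius-devel
+#
+# If you want to use this module in a production (i.e. real-world)
+# environment:
+#
+# !!! DO NOT USE IT IN A PRODUCTION ENVIRONMENT !!!
+#
+# The module needs additional work to make it ready for
+# production use.. Please supply patches, or sponsor the
+# work by hiring a developer. Do NOT ask when the work will
+# be done, because there is no plan to finish this module
+# unless there is demand for it.
+#
+eap2 {
+# EAP types are chosen in the order that they are
+# listed in this section. There is no "default_eap_type"
+# as with rlm_eap. Instead, the *first* EAP type is
+# used as the default type.
+#
+peap {
+}
+
+ttls {
+}
+
+# This is the ONLY EAP type that has any configuration.
+# All other EAP types have no configuration.
+#
+tls {
+ca_cert = ${confdir}/certs/ca.pem
+server_cert = ${confdir}/certs/server.pem
+private_key_file = ${confdir}/certs/server.pem
+private_key_password = whatever
+}
+
+#
+# These next two methods do not supply keying material.
+#
+md5 {
+}
+
+mschapv2 {
+}
+
+# LEAP is NOT supported by this module.
+# Use the "eap" module instead.
+
+# For other methods that MIGHT work, see the
+# configuration of hostap. The methods are statically
+# linked in at compile time, and cannot be controlled
+# here.
+}
+
+# Configuration for experimental EAP types. The sub-sections
+# can be copied into eap.conf.
+eap {
+ikev2 {
+
+# Server auth type
+# Allowed values are:
+# cert - for certificate based server authentication,
+# other required settings for this type are
+# 'private_key_file' and 'certificate_file'
+# secret - for shared secret based server authentication,
+# other required settings for this type is 'id'
+# Default value of this option is 'secret'
+# server_authtype=cert
+
+# Allowed default client auth types
+# Allowed values are:
+# secret - for shared secret based client authentication
+# cert - for certificate based client authentication
+# both - shared secret and certificate is allowed
+# none - authentication will always fail
+# Default value for this option is 'both'. This option could
+# be overwritten within 'usersfile' file by EAP-IKEv2-Auth
+# option.
+# default_authtype = both
+
+# path to trusted CA certificate file
+CA_file="/path/to/CA/cacert.pem"
+
+# path to CRL file, if not set, then there will be no
+# checks against CRL
+# crl_file="/path/to/crl.pem"
+
+# path to file with user settings
+#
+# Note that this file is read ONLY on module initialization!
+#
+# default ${confdir}/eap_ikev2_users
+# usersfile=${confdir}/eap_ikev2_users
+
+#
+# Sample "eap_ikev2_users" file entry:
+#
+#username EAP-IKEv2-IDType := KEY_ID, EAP-IKEv2-Secret := "tajne"
+
+## where:
+## username - client user name from IKE-AUTH (IDr) or CommonName
+## from x509 certificate
+## EAP-IKEv2-IDType - ID Type - same as in expected IDType payload
+## allowable attributes for EAP-IKEv2-IDType:
+## IPV4_ADDR FQDN RFC822_ADDR IPV6_ADDR DER_ASN1_DN
+## DER_ASN1_GN KEY_ID
+## EAP-IKEv2-Secret - shared secret
+## EAP-IKEv2-AuthType - optional parameter which defines expected client auth
+## type. Allowed values are: secret,cert,both,none.
+## For the meaning of this values, please see the
+## description of 'default_authtype'.
+## This attribute can overwrite 'default_authtype' value.
+
+
+
+# path to file with server private key
+private_key_file="/path/to/srv-private-key.pem"
+
+# password to private key file
+private_key_password="passwd"
+
+# path to file with server certificate
+certificate_file="/path/to/srv-cert.pem"
+
+# server identity string
+id="deMaio"
+
+# Server identity type. Allowed values are:
+# IPV4_ADDR, FQDN, RFC822_ADDR, IPV6_ADDR, ASN1_DN, ASN1_GN,
+# KEY_ID
+# Default value is: KEY_ID
+# id_type = KEY_ID
+
+
+# MTU (default: 1398)
+# fragment_size = 1398
+
+# maximal allowed number of resends SA_INIT after receiving
+# 'invalid KEY' notification (default 3)
+# DH_counter_max = 3
+
+# option which is used to control whenever send CERT REQ
+# payload or not.
+# Allowed values for this option are "yes" or "no".
+#Default value is "no".
+# certreq = "yes"
+
+# option which cotrols fast reconnect capability.
+# Allowed valuse for this option are "yes" or "no".
+# Default value is "yes".
+# enable_fast_reauth = "no"
+
+# option which is used to control performing of DH exchange
+# during fast rekeying protocol run.
+# Allowed values for this option are "yes" or "no".
+# Default value is "no"
+# fast_DH_exchange = "yes"
+
+# Option which is used to set up expiration time of inactive
+# IKEv2 session.
+# After selected period of time (in seconds), inactive
+# session data will be deleted.
+# Default value of this option is set to 900 seconds
+# fast_timer_expire = 900
+
+# list of server proposals of available cryptographic
+# suites
+proposals {
+# proposal number #1
+proposal {
+
+# Supported transforms types: encryption,
+# prf, integrity, dhgroup. For multiple
+# transforms just simple repeat key (i.e.
+# integity).
+
+# encryption algorithm
+# supported algorithms:
+# null,3des,aes_128_cbc,aes_192_cbc,
+# aes_256_cbc,idea
+# blowfish:n, where n range from 8 to 448 bits,
+# step 8 bits
+# cast:n, where n range from 40 to 128 bits,
+# step 8 bits
+encryption = 3des
+
+# pseudo random function. Supported prf's:
+# hmac_md5, hmac_sha1, hmac_tiger
+prf = hmac_sha1
+
+# integrity algorithm. Supported algorithms:
+# hmac_md5_96, hmac_sha1_96,des_mac
+integrity = hmac_sha1_96
+integrity = hmac_md5_96
+
+# Diffie-Hellman groups:
+# modp768, modp1024, modp1536, modp2048,
+# modp3072, modp4096, modp6144, modp8192
+dhgroup = modp2048
+}
+
+# proposal number #2
+proposal {
+encryption = 3des
+prf = hmac_md5
+integrity = hmac_md5_96
+dhgroup = modp1024
+}
+
+# proposal number #3
+proposal {
+encryption=3des
+prf=hmac_md5
+integrity=hmac_md5_96
+dhgroup=modp2048
+}
+}
+}
+}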
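Review bot: The file carries upstream's placeholder credentials unchanged — `private_key_password = whatever` in eap2/tls (line 316) and `private_key_password="passwd"` in eap/ikev2 (line 402) — and nothing marks it as an unmodified stock copy, so a reader of this testbed cannot tell from the file itself whether any of these sections (including `smb`, which the file's own comment calls a security threat) is live. A one-line header such as `# Unmodified upstream experimental.conf; check radiusd.conf before assuming any section here is loaded` would settle that; whether radiusd.conf in this commit actually includes this file is not visible from this page. The ikev2 `proposals` block also advertises `modp1024` with `hmac_md5` (proposal #2, lines 485-490) alongside `3des` in all three proposals, which is fine for a testbed but worth calling out in the same header in case the section is later copied into eap.conf as the comment at line 337 suggests.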