comparison conf/radpxy.eap.testbed.aaa/freeradius/experimental.conf @ 11:44f87917c579
Added a RADIUS proxy using freeradius in the eap testbed
author | Sebastien Decugis <sdecugis@nict.go.jp> |
---|---|
date | Thu, 16 Sep 2010 14:23:42 +0900 |
parents | |
children |
10:7b569c198c7c | 11:44f87917c579 |
1 # | |
2 # This file contains the configuration for experimental modules. | |
3 # | |
4 # By default, it is NOT included in the build. | |
5 # | |
6 # $Id: experimental.conf,v 1.42 2008/01/19 22:26:30 aland Exp $ | |
7 # | |
8 | |
9 # Configuration for the Python module. | |
10 # | |
11 # Where radiusd is a Python module, radiusd.py, and the | |
12 # function 'authorize' is called. Here is a dummy piece | |
13 # of code: | |
14 # | |
15 # def authorize(params): | |
16 # print params | |
17 # return (5, ('Reply-Message', 'banned')) | |
18 # | |
19 # The RADIUS value-pairs are passed as a tuple of tuple | |
20 # pairs as the first argument, e.g. (('attribute1', | |
21 # 'value1'), ('attribute2', 'value2')) | |
22 # | |
23 # The function return is a tuple with the first element | |
24 # being the return value of the function. | |
25 # The 5 corresponds to RLM_MODULE_USERLOCK. I plan to | |
26 # write the return values as Python symbols to avoid | |
27 # confusion. | |
28 # | |
29 # The remaining tuple members are the string form of | |
30 # value-pairs which are passed on to pairmake(). | |
31 # | |
32 python { | |
33 mod_instantiate = radiusd_test | |
34 func_instantiate = instantiate | |
35 | |
36 mod_authorize = radiusd_test | |
37 func_authorize = authorize | |
38 | |
39 mod_accounting = radiusd_test | |
40 func_accounting = accounting | |
41 | |
42 mod_preproxy = radiusd_test | |
43 func_preproxy = preproxy | |
44 | |
45 mod_postproxy = radiusd_test | |
46 func_postproxy = postproxy | |
47 | |
48 mod_postauth = radiusd_test | |
49 func_postauth = postauth | |
50 | |
51 mod_detach = radiusd_test | |
52 func_detach = detach | |
53 } | |
54 | |
55 | |
56 # Configuration for the example module. Uncommenting it will cause it | |
57 # to get loaded and initialized, but should have no real effect as long | |
58 # it is not referencened in one of the autz/auth/preacct/acct sections | |
59 example { | |
60 # Boolean variable. | |
61 # allowed values: {no, yes} | |
62 boolean = yes | |
63 | |
64 # An integer, of any value. | |
65 integer = 16 | |
66 | |
67 # A string. | |
68 string = "This is an example configuration string" | |
69 | |
70 # An IP address, either in dotted quad (1.2.3.4) or hostname | |
71 # (example.com) | |
72 ipaddr = 127.0.0.1 | |
73 | |
74 # A subsection | |
75 mysubsection { | |
76 anotherinteger = 1000 | |
77 # They nest | |
78 deeply nested { | |
79 string = "This is a different string" | |
80 } | |
81 } | |
82 } | |
83 | |
84 # | |
85 # To create a dbm users file, do: | |
86 # | |
87 # cat test.users | rlm_dbm_parser -f /etc/raddb/users_db | |
88 # | |
89 # Then add 'dbm' in 'authorize' section. | |
90 # | |
91 # Note that even if the file has a ".db" or ".dbm" extension, | |
92 # you may have to specify it here without that extension. This | |
93 # is because the DBM libraries "helpfully" add a ".db" to the | |
94 # filename, but don't check if it's already there. | |
95 # | |
96 dbm { | |
97 usersfile = ${confdir}/users_db | |
98 } | |
99 | |
100 # | |
101 # Persistent, embedded Perl interpreter. | |
102 # | |
103 perl { | |
104 # | |
105 # The Perl script to execute on authorize, authenticate, | |
106 # accounting, xlat, etc. This is very similar to using | |
107 # 'rlm_exec' module, but it is persistent, and therefore | |
108 # faster. | |
109 # | |
110 module = /path/to/your/perl_module.pm | |
111 | |
112 # | |
113 # The following hashes are given to the module and | |
114 # filled with value-pairs (Attribute names and values) | |
115 # | |
116 # %RAD_CHECK Read-only Check items | |
117 # %RAD_REQUEST Read-only Attributes from the request | |
118 # %RAD_REPLY Read-write Attributes for the reply | |
119 # | |
120 # The return codes from functions in the perl_script | |
121 # are passed directly back to the server. These | |
122 # codes are defined in doc/configurable_failover, | |
123 # src/include/modules.h (RLM_MODULE_REJECT, etc), | |
124 # and are pre-defined in the 'example.pl' program | |
125 # which is included. | |
126 # | |
127 | |
128 # | |
129 # List of functions in the module to call. | |
130 # Uncomment and change if you want to use function | |
131 # names other than the defaults. | |
132 # | |
133 #func_authenticate = authenticate | |
134 #func_authorize = authorize | |
135 #func_preacct = preacct | |
136 #func_accounting = accounting | |
137 #func_checksimul = checksimul | |
138 #func_pre_proxy = pre_proxy | |
139 #func_post_proxy = post_proxy | |
140 #func_post_auth = post_auth | |
141 #func_xlat = xlat | |
142 #func_detach = detach | |
143 | |
144 # | |
145 # Uncomment the following lines if you wish | |
146 # to use separate functions for Start and Stop | |
147 # accounting packets. In that case, the | |
148 # func_accounting function is not called. | |
149 # | |
150 #func_start_accounting = accounting_start | |
151 #func_stop_accounting = accounting_stop | |
152 | |
153 # Uncomment the following lines if your perl is | |
154 # compiled with threads support. | |
155 # The settings below are the defaults. | |
156 # | |
157 #max_clones = 32 | |
158 #start_clones = 32 | |
159 #min_spare_clones = 0 | |
160 #max_spare_clones = 32 | |
161 #cleanup_delay = 5 | |
162 #max_request_per_clone = 0 | |
163 | |
164 } | |
165 | |
166 # | |
167 # Perform NT-Domain authentication. This only works | |
168 # with PAP authentication. That is, Authentication-Request | |
169 # packets containing a User-Password attribute. | |
170 # | |
171 # To use it, add 'smb' into the 'authenticate' section, | |
172 # and then in another module (usually the 'users' file), | |
173 # set 'Auth-Type := SMB' | |
174 # | |
175 # WARNING: this module is not only experimental, it's also | |
176 # a security threat. It's not recommended to use it until | |
177 # it gets fixed. | |
178 # | |
179 smb { | |
180 server = ntdomain.server.example.com | |
181 backup = backup.server.example.com | |
182 domain = NTDOMAIN | |
183 } | |
184 | |
185 # See doc/rlm_fastusers before using this | |
186 # module or changing these values. | |
187 # | |
188 fastusers { | |
189 usersfile = ${confdir}/users_fast | |
190 hashsize = 1000 | |
191 compat = no | |
192 # Reload the hash every 600 seconds (10mins) | |
193 hash_reload = 600 | |
194 } | |
195 | |
196 # Caching module | |
197 # | |
198 # Should be added in the post-auth section (after all other modules) | |
199 # and in the authorize section (before any other modules) | |
200 # | |
201 # authorize { | |
202 # caching { | |
203 # ok = return | |
204 # } | |
205 # [... other modules ...] | |
206 # } | |
207 # post-auth { | |
208 # [... other modules ...] | |
209 # caching | |
210 # } | |
211 # | |
212 # The caching module will cache the Auth-Type and reply items | |
213 # and send them back on any subsequent requests for the same key | |
214 # | |
215 # Configuration: | |
216 # | |
217 # filename: The gdbm file to use for the cache database | |
218 # (can be memory mapped for more speed) | |
219 # | |
220 # key: A string to xlat and use as a key. For instance, | |
221 # "%{Acct-Unique-Session-Id}" | |
222 # | |
223 # post-auth: If we find a cached entry, set the post-auth to that value | |
224 # | |
225 # cache-ttl: The time to cache the entry. The same time format | |
226 # as the counter module apply here. | |
227 # num[hdwm] where: | |
228 # h: hours, d: days, w: weeks, m: months | |
229 # If the letter is ommited days will be assumed. | |
230 # e.g. 1d == one day | |
231 # | |
232 # cache-size: The gdbm cache size to request (default 1000) | |
233 # | |
234 # hit-ratio: If set to non-zero we print out statistical | |
235 # information after so many cache requests | |
236 # | |
237 # cache-rejects: Do we also cache rejects, or not? (default 'yes') | |
238 # | |
239 caching { | |
240 filename = ${db_dir}/db.cache | |
241 cache-ttl = 1d | |
242 hit-ratio = 1000 | |
243 key = "%{Acct-Unique-Session-Id}" | |
244 #post-auth = "" | |
245 # cache-size = 2000 | |
246 # cache-rejects = yes | |
247 } | |
248 | |
249 | |
250 # Simple module for logging of Account packets to radiusd.log | |
251 # You need to declare it in the accounting section for it to work | |
252 acctlog { | |
253 acctlog_update = "" | |
254 acctlog_start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})" | |
255 acctlog_stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds" | |
256 acctlog_on = "NAS %C (%{NAS-IP-Address}) just came online" | |
257 acctlog_off = "NAS %C (%{NAS-IP-Address}) just went offline" | |
258 } | |
259 | |
260 # Another implementation of the EAP module. | |
261 # | |
262 # This module requires the libeap.so file from the hostap | |
263 # software (http://hostap.epitest.fi/hostapd/). It has been | |
264 # tested on the development version of hostapd (0.6.1) ONLY. | |
265 # | |
266 # In order to use it, you MUST build a "libeap.so" in hostapd, | |
267 # which is not done by default. | |
268 # | |
269 # You MUST also edit the file: src/modules/rlm_eap2/Makefile | |
270 # to point to the location of the hostap include files. | |
271 # | |
272 # This module CANNOT be used in the same way as the current | |
273 # FreeRADIUS "eap" module. There is NO way to look inside of | |
274 # a tunneled request. There is NO way to proxy a tunneled | |
275 # request. There is NO way to even look at the user name inside | |
276 # of the tunneled request. There is NO way to control the | |
277 # choice of EAP types inside of the tunnel. You MUST force | |
278 # the server to choose "eap2" for authentication, because this | |
279 # module has no "authorize" section. | |
280 # | |
281 # If you want to use this module for experimentation, please | |
282 # post your comments to the freeradius-devel list: | |
283 # | |
284 # http://lists.freeradius.org/mailman/listinfo/freeradius-devel | |
285 # | |
286 # If you want to use this module in a production (i.e. real-world) | |
287 # environment: | |
288 # | |
289 # !!! DO NOT USE IT IN A PRODUCTION ENVIRONMENT !!! | |
290 # | |
291 # The module needs additional work to make it ready for | |
292 # production use.. Please supply patches, or sponsor the | |
293 # work by hiring a developer. Do NOT ask when the work will | |
294 # be done, because there is no plan to finish this module | |
295 # unless there is demand for it. | |
296 # | |
297 eap2 { | |
298 # EAP types are chosen in the order that they are | |
299 # listed in this section. There is no "default_eap_type" | |
300 # as with rlm_eap. Instead, the *first* EAP type is | |
301 # used as the default type. | |
302 # | |
303 peap { | |
304 } | |
305 | |
306 ttls { | |
307 } | |
308 | |
309 # This is the ONLY EAP type that has any configuration. | |
310 # All other EAP types have no configuration. | |
311 # | |
312 tls { | |
313 ca_cert = ${confdir}/certs/ca.pem | |
314 server_cert = ${confdir}/certs/server.pem | |
315 private_key_file = ${confdir}/certs/server.pem | |
316 private_key_password = whatever | |
317 } | |
318 | |
319 # | |
320 # These next two methods do not supply keying material. | |
321 # | |
322 md5 { | |
323 } | |
324 | |
325 mschapv2 { | |
326 } | |
327 | |
328 # LEAP is NOT supported by this module. | |
329 # Use the "eap" module instead. | |
330 | |
331 # For other methods that MIGHT work, see the | |
332 # configuration of hostap. The methods are statically | |
333 # linked in at compile time, and cannot be controlled | |
334 # here. | |
335 } | |
336 | |
337 # Configuration for experimental EAP types. The sub-sections | |
338 # can be copied into eap.conf. | |
339 eap { | |
340 ikev2 { | |
341 | |
342 # Server auth type | |
343 # Allowed values are: | |
344 # cert - for certificate based server authentication, | |
345 # other required settings for this type are | |
346 # 'private_key_file' and 'certificate_file' | |
347 # secret - for shared secret based server authentication, | |
348 # other required settings for this type is 'id' | |
349 # Default value of this option is 'secret' | |
350 # server_authtype=cert | |
351 | |
352 # Allowed default client auth types | |
353 # Allowed values are: | |
354 # secret - for shared secret based client authentication | |
355 # cert - for certificate based client authentication | |
356 # both - shared secret and certificate is allowed | |
357 # none - authentication will always fail | |
358 # Default value for this option is 'both'. This option could | |
359 # be overwritten within 'usersfile' file by EAP-IKEv2-Auth | |
360 # option. | |
361 # default_authtype = both | |
362 | |
363 # path to trusted CA certificate file | |
364 CA_file="/path/to/CA/cacert.pem" | |
365 | |
366 # path to CRL file, if not set, then there will be no | |
367 # checks against CRL | |
368 # crl_file="/path/to/crl.pem" | |
369 | |
370 # path to file with user settings | |
371 # | |
372 # Note that this file is read ONLY on module initialization! | |
373 # | |
374 # default ${confdir}/eap_ikev2_users | |
375 # usersfile=${confdir}/eap_ikev2_users | |
376 | |
377 # | |
378 # Sample "eap_ikev2_users" file entry: | |
379 # | |
380 #username EAP-IKEv2-IDType := KEY_ID, EAP-IKEv2-Secret := "tajne" | |
381 | |
382 ## where: | |
383 ## username - client user name from IKE-AUTH (IDr) or CommonName | |
384 ## from x509 certificate | |
385 ## EAP-IKEv2-IDType - ID Type - same as in expected IDType payload | |
386 ## allowable attributes for EAP-IKEv2-IDType: | |
387 ## IPV4_ADDR FQDN RFC822_ADDR IPV6_ADDR DER_ASN1_DN | |
388 ## DER_ASN1_GN KEY_ID | |
389 ## EAP-IKEv2-Secret - shared secret | |
390 ## EAP-IKEv2-AuthType - optional parameter which defines expected client auth | |
391 ## type. Allowed values are: secret,cert,both,none. | |
392 ## For the meaning of this values, please see the | |
393 ## description of 'default_authtype'. | |
394 ## This attribute can overwrite 'default_authtype' value. | |
395 | |
396 | |
397 | |
398 # path to file with server private key | |
399 private_key_file="/path/to/srv-private-key.pem" | |
400 | |
401 # password to private key file | |
402 private_key_password="passwd" | |
403 | |
404 # path to file with server certificate | |
405 certificate_file="/path/to/srv-cert.pem" | |
406 | |
407 # server identity string | |
408 id="deMaio" | |
409 | |
410 # Server identity type. Allowed values are: | |
411 # IPV4_ADDR, FQDN, RFC822_ADDR, IPV6_ADDR, ASN1_DN, ASN1_GN, | |
412 # KEY_ID | |
413 # Default value is: KEY_ID | |
414 # id_type = KEY_ID | |
415 | |
416 | |
417 # MTU (default: 1398) | |
418 # fragment_size = 1398 | |
419 | |
420 # maximal allowed number of resends SA_INIT after receiving | |
421 # 'invalid KEY' notification (default 3) | |
422 # DH_counter_max = 3 | |
423 | |
424 # option which is used to control whenever send CERT REQ | |
425 # payload or not. | |
426 # Allowed values for this option are "yes" or "no". | |
427 #Default value is "no". | |
428 # certreq = "yes" | |
429 | |
430 # option which cotrols fast reconnect capability. | |
431 # Allowed valuse for this option are "yes" or "no". | |
432 # Default value is "yes". | |
433 # enable_fast_reauth = "no" | |
434 | |
435 # option which is used to control performing of DH exchange | |
436 # during fast rekeying protocol run. | |
437 # Allowed values for this option are "yes" or "no". | |
438 # Default value is "no" | |
439 # fast_DH_exchange = "yes" | |
440 | |
441 # Option which is used to set up expiration time of inactive | |
442 # IKEv2 session. | |
443 # After selected period of time (in seconds), inactive | |
444 # session data will be deleted. | |
445 # Default value of this option is set to 900 seconds | |
446 # fast_timer_expire = 900 | |
447 | |
448 # list of server proposals of available cryptographic | |
449 # suites | |
450 proposals { | |
451 # proposal number #1 | |
452 proposal { | |
453 | |
454 # Supported transforms types: encryption, | |
455 # prf, integrity, dhgroup. For multiple | |
456 # transforms just simple repeat key (i.e. | |
457 # integity). | |
458 | |
459 # encryption algorithm | |
460 # supported algorithms: | |
461 # null,3des,aes_128_cbc,aes_192_cbc, | |
462 # aes_256_cbc,idea | |
463 # blowfish:n, where n range from 8 to 448 bits, | |
464 # step 8 bits | |
465 # cast:n, where n range from 40 to 128 bits, | |
466 # step 8 bits | |
467 encryption = 3des | |
468 | |
469 # pseudo random function. Supported prf's: | |
470 # hmac_md5, hmac_sha1, hmac_tiger | |
471 prf = hmac_sha1 | |
472 | |
473 # integrity algorithm. Supported algorithms: | |
474 # hmac_md5_96, hmac_sha1_96,des_mac | |
475 integrity = hmac_sha1_96 | |
476 integrity = hmac_md5_96 | |
477 | |
478 # Diffie-Hellman groups: | |
479 # modp768, modp1024, modp1536, modp2048, | |
480 # modp3072, modp4096, modp6144, modp8192 | |
481 dhgroup = modp2048 | |
482 } | |
483 | |
484 # proposal number #2 | |
485 proposal { | |
486 encryption = 3des | |
487 prf = hmac_md5 | |
488 integrity = hmac_md5_96 | |
489 dhgroup = modp1024 | |
490 } | |
491 | |
492 # proposal number #3 | |
493 proposal { | |
494 encryption=3des | |
495 prf=hmac_md5 | |
496 integrity=hmac_md5_96 | |
497 dhgroup=modp2048 | |
498 } | |
499 } | |
500 } | |
501 } |
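Review bot: The tls and ikev2 sections (new-file lines 316 and 402) carry literal placeholder credentials — `private_key_password = whatever`, `private_key_password="passwd"` and the sample `EAP-IKEv2-Secret := "tajne"` — which now sit in the testbed's own conf/ tree rather than in an upstream distribution directory. The file header says it is not included in the build by default, but nothing in this section shows whether the testbed's radiusd.conf `$INCLUDE`s it, so whether these values, the `/path/to/...` module paths, or the `smb` block (whose own comment calls it a security threat) are ever instantiated cannot be verified from here. If the file is kept only for reference, a leading comment such as `# Unmodified upstream experimental.conf; not $INCLUDEd by this testbed - do not enable without replacing the placeholder secrets` would make that intent explicit; if it is included, the placeholder passwords should be replaced and the unused module blocks removed.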