changeset 11:44f87917c579

Added a RADIUS proxy using freeradius in the eap testbed
author Sebastien Decugis <sdecugis@nict.go.jp>
date Thu, 16 Sep 2010 14:23:42 +0900
parents 7b569c198c7c
children 6314b2c36220
files conf/gw.eap.testbed.aaa/freeDiameter/freeDiameter.conf conf/gw.eap.testbed.aaa/freeDiameter/rgw.conf conf/radpxy.eap.testbed.aaa/freeradius/acct_users conf/radpxy.eap.testbed.aaa/freeradius/attrs conf/radpxy.eap.testbed.aaa/freeradius/attrs.access_reject conf/radpxy.eap.testbed.aaa/freeradius/attrs.accounting_response conf/radpxy.eap.testbed.aaa/freeradius/attrs.pre-proxy conf/radpxy.eap.testbed.aaa/freeradius/clients.conf conf/radpxy.eap.testbed.aaa/freeradius/dictionary conf/radpxy.eap.testbed.aaa/freeradius/experimental.conf conf/radpxy.eap.testbed.aaa/freeradius/hints conf/radpxy.eap.testbed.aaa/freeradius/huntgroups conf/radpxy.eap.testbed.aaa/freeradius/ldap.attrmap conf/radpxy.eap.testbed.aaa/freeradius/otp.conf conf/radpxy.eap.testbed.aaa/freeradius/policy.conf conf/radpxy.eap.testbed.aaa/freeradius/policy.txt conf/radpxy.eap.testbed.aaa/freeradius/preproxy_users conf/radpxy.eap.testbed.aaa/freeradius/proxy.conf conf/radpxy.eap.testbed.aaa/freeradius/radiusd.conf conf/radpxy.eap.testbed.aaa/freeradius/sites-available/README conf/radpxy.eap.testbed.aaa/freeradius/sites-available/buffered-sql conf/radpxy.eap.testbed.aaa/freeradius/sites-available/copy-acct-to-home-server conf/radpxy.eap.testbed.aaa/freeradius/sites-available/default conf/radpxy.eap.testbed.aaa/freeradius/sites-available/dhcp conf/radpxy.eap.testbed.aaa/freeradius/sites-available/example conf/radpxy.eap.testbed.aaa/freeradius/sites-available/inner-tunnel conf/radpxy.eap.testbed.aaa/freeradius/sites-available/proxy-inner-tunnel conf/radpxy.eap.testbed.aaa/freeradius/sites-available/robust-proxy-accounting conf/radpxy.eap.testbed.aaa/freeradius/sites-available/virtual.example.com conf/radpxy.eap.testbed.aaa/freeradius/sites-available/vmps conf/radpxy.eap.testbed.aaa/freeradius/snmp.conf conf/radpxy.eap.testbed.aaa/freeradius/sql.conf conf/radpxy.eap.testbed.aaa/freeradius/sqlippool.conf conf/radpxy.eap.testbed.aaa/freeradius/templates.conf conf/radpxy.eap.testbed.aaa/freeradius/users 
conf/radpxy.eap.testbed.aaa/modules/freeradius conf/supauth3.eap.testbed.aaa/hostapd/hostapd.conf mrb/eap_testbed.sh scripts/freeradius-install.sh scripts/freeradius-run.sh
diffstat 39 files changed, 4069 insertions(+), 5 deletions(-) [+]
--- a/conf/gw.eap.testbed.aaa/freeDiameter/freeDiameter.conf	Mon Aug 30 15:24:36 2010 +0900
+++ b/conf/gw.eap.testbed.aaa/freeDiameter/freeDiameter.conf	Thu Sep 16 14:23:42 2010 +0900
@@ -3,7 +3,7 @@
 TLS_CA = "/root/ca_data/ca.pem";
 NoRelay;
 
-LoadExtension = "/root/freeDiameter/extensions/dbg_monitor.fdx";
+# LoadExtension = "/root/freeDiameter/extensions/dbg_monitor.fdx";
 
 LoadExtension = "/root/freeDiameter/extensions/dict_nasreq.fdx";
 LoadExtension = "/root/freeDiameter/extensions/dict_eap.fdx";
--- a/conf/gw.eap.testbed.aaa/freeDiameter/rgw.conf	Mon Aug 30 15:24:36 2010 +0900
+++ b/conf/gw.eap.testbed.aaa/freeDiameter/rgw.conf	Thu Sep 16 14:23:42 2010 +0900
@@ -14,7 +14,8 @@
 
 ##################
 
-cli = 192.168.105.10 / "radiusecret" ;
-cli = 192.168.105.50 / "radiusecret2" ;
+nas = 192.168.105.10 / "radiusecret" ;
+nas = 192.168.105.50 / "radiusecret2" ;
+pxy = 192.168.105.60 / "radiusecret3.2" ;
 
 
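Review bot: The new `pxy = 192.168.105.60 / "radiusecret3.2" ;` line, like the two `nas` lines it joins, commits a RADIUS shared secret in plaintext to the repository, and the three secrets are short variants of one string. If that is accepted for a testbed it should be stated above the block, e.g. `# Testbed-only secrets: regenerate a random value per deployment and keep it out of version control`, so the file is not copied as-is elsewhere. The same applies to `secret = radiusecret3.1` in the new clients.conf in this changeset. The pxy secret presumably has to match the home_server entry in the FreeRADIUS proxy.conf listed in the diffstat; that file is not visible in this part of the diff, so the pairing cannot be confirmed here.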
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/acct_users	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,1 @@
+DEFAULT	Proxy-To-Realm := "eap.testbed.aaa"
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/attrs	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,127 @@
+#
+#	Configuration file for the rlm_attr_filter module.
+#	Please see rlm_attr_filter(5) manpage for more information.
+#
+#	$Id: attrs,v 1.8 2008/04/09 07:18:25 aland Exp $
+#
+#	This file contains security and configuration information
+#	for each realm. The first field is the realm name and
+#	can be up to 253 characters in length. This is followed (on
+#	the next line) with the list of filter rules to be used to
+#	decide what attributes and/or values we allow proxy servers
+#	to pass to the NAS for this realm.
+#
+#	When a proxy-reply packet is received from a home server,
+#	these attributes and values are tested. Only the first match
+#	is used unless the "Fall-Through" variable is set to "Yes".
+#	In that case the rules defined in the DEFAULT case are
+#	processed as well.
+#
+#	A special realm named "DEFAULT" matches on all realm names.
+#	You can have only one DEFAULT entry. All entries are processed
+#	in the order they appear in this file. The first entry that
+#	matches the login-request will stop processing unless you use
+#	the Fall-Through variable.
+#
+#	Indented (with the tab character) lines following the first
+#	line indicate the filter rules.
+#
+#	You can include another `attrs' file with `$INCLUDE attrs.other'
+#
+
+#
+# This is a complete entry for realm "fisp". Note that there is no
+# Fall-Through entry so that no DEFAULT entry will be used, and the
+# server will NOT allow any other a/v pairs other than the ones
+# listed here.
+#
+# These rules allow:
+#     o  Only Framed-User Service-Types ( no telnet, rlogin, tcp-clear )
+#     o  PPP sessions ( no SLIP, CSLIP, etc. )
+#     o  dynamic ip assignment ( can't assign a static ip )
+#     o  an idle timeout value set to 600 seconds (10 min) or less
+#     o  a max session time set to 28800 seconds (8 hours) or less
+#
+#fisp
+#	Service-Type == Framed-User,
+#	Framed-Protocol == PPP,
+#	Framed-IP-Address == 255.255.255.254,
+#	Idle-Timeout <= 600,
+#	Session-Timeout <= 28800
+
+#
+# This is a complete entry for realm "tisp". Note that there is no
+# Fall-Through entry so that no DEFAULT entry will be used, and the
+# server will NOT allow any other a/v pairs other than the ones
+# listed here.
+#
+# These rules allow:
+#       o Only Login-User Service-Type ( no framed/ppp sessions )
+#       o Telnet sessions only ( no rlogin, tcp-clear )
+#       o Login hosts of either 192.168.1.1 or 192.168.1.2
+#
+#tisp
+#	Service-Type == Login-User,
+#	Login-Service == Telnet,
+#	Login-TCP-Port == 23,
+#	Login-IP-Host == 192.168.1.1,
+#	Login-IP-Host == 192.168.1.2
+
+#
+# The following example can be used for a home server which is only
+# allowed to supply a Reply-Message, a Session-Timeout attribute of
+# maximum 86400, a Idle-Timeout attribute of maximum 600 and a
+# Acct-Interim-Interval attribute between 300 and 3600.
+# All other attributes sent back will be filtered out.
+#
+#strictrealm
+#	Reply-Message =* ANY,
+#	Session-Timeout <= 86400,
+#	Idle-Timeout <= 600,
+#	Acct-Interim-Interval >= 300,
+#	Acct-Interim-Interval <= 3600
+
+#
+# This is a complete entry for realm "spamrealm". Fall-Through is used,
+# so that the DEFAULT filter rules are used in addition to these.
+#
+# These rules allow:
+#       o Force the application of Filter-ID attribute to be returned
+#         in the proxy reply, whether the proxy sent it or not.
+#       o The standard DEFAULT rules as defined below
+#
+#spamrealm
+#	Framed-Filter-Id := "nosmtp.in",
+#	Fall-Through = Yes
+
+#
+# The rest of this file contains the DEFAULT entry.
+# DEFAULT matches with all realm names. (except if the realm previously
+# matched an entry with no Fall-Through)
+#
+
+DEFAULT
+	Service-Type == Framed-User,
+	Service-Type == Login-User,
+	Login-Service == Telnet,
+	Login-Service == Rlogin,
+	Login-Service == TCP-Clear,
+	Login-TCP-Port <= 65536,
+	Framed-IP-Address == 255.255.255.254,
+	Framed-IP-Netmask == 255.255.255.255,
+	Framed-Protocol == PPP,
+	Framed-Protocol == SLIP,
+	Framed-Compression == Van-Jacobson-TCP-IP,
+	Framed-MTU >= 576,
+	Framed-Filter-ID =* ANY,
+	Reply-Message =* ANY,
+	Proxy-State =* ANY,
+	EAP-Message =* ANY,
+	Message-Authenticator =* ANY,
+	MS-MPPE-Recv-Key =* ANY,
+	MS-MPPE-Send-Key =* ANY,
+	MS-CHAP-MPPE-Keys =* ANY,
+	State =* ANY,
+	Session-Timeout <= 28800,
+	Idle-Timeout <= 600,
+	Port-Limit <= 2
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/attrs.access_reject	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,16 @@
+#
+#	Configuration file for the rlm_attr_filter module.
+#	Please see rlm_attr_filter(5) manpage for more information.
+#
+#	$Id: attrs.access_reject,v 1.1 2006/11/22 21:48:35 aland Exp $
+#
+#	This configuration file is used to remove almost all of the attributes
+#	From an Access-Reject message.  The RFC's say that an Access-Reject
+#	packet can contain only a few attributes.  We enforce that here.
+#
+DEFAULT
+	EAP-Message =* ANY,
+	State =* ANY,
+	Message-Authenticator =* ANY,
+	Reply-Message =* ANY,
+	Proxy-State =* ANY
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/attrs.accounting_response	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,15 @@
+#
+#	Configuration file for the rlm_attr_filter module.
+#	Please see rlm_attr_filter(5) manpage for more information.
+#
+#	$Id: attrs.accounting_response,v 1.1 2006/11/22 21:48:35 aland Exp $
+#
+#	This configuration file is used to remove almost all of the attributes
+#	From an Accounting-Response message.  The RFC's say that an
+#	Accounting-Response packet can contain only a few attributes.
+#	We enforce that here.
+#
+DEFAULT
+	Vendor-Specific =* ANY,
+	Message-Authenticator =* ANY,
+	Proxy-State =* ANY
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/attrs.pre-proxy	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,62 @@
+#
+#	Configuration file for the rlm_attr_filter module.
+#	Please see rlm_attr_filter(5) manpage for more information.
+#
+#	$Id: attrs.pre-proxy,v 1.3 2008/04/09 07:18:25 aland Exp $
+#
+#	This file contains security and configuration information
+#	for each realm. It can be used be an rlm_attr_filter module
+#	instance to filter attributes before sending packets to the
+#	home server of a realm.
+#
+#	When a packet is sent to a home server, these attributes
+#	and values are tested. Only the first match is used unless
+#	the "Fall-Through" variable is set to "Yes". In that case
+#	the rules defined in the DEFAULT case are processed as well.
+#
+#	A special realm named "DEFAULT" matches on all realm names.
+#	You can have only one DEFAULT entry. All entries are processed
+#	in the order they appear in this file. The first entry that
+#	matches the login-request will stop processing unless you use
+#	the Fall-Through variable.
+#
+#	The first line indicates the realm to which the rules apply.
+#	Indented (with the tab character) lines following the first
+#	line indicate the filter rules.
+#
+
+# This is a complete entry for 'nochap' realm. It allows to send very
+# basic attributes to the home server. Note that there is no Fall-Through
+# entry so that no DEFAULT entry will be used. Only the listed attributes
+# will be sent in the packet, all other attributes will be filtered out.
+#
+#nochap
+#	User-Name =* ANY,
+#	User-Password =* ANY,
+#	NAS-Ip-Address =* ANY,
+#	NAS-Identifier =* ANY
+
+# The entry for the 'brokenas' realm removes the attribute NAS-Port-Type
+# if its value is different from 'Ethernet'. Then the default rules are
+# applied.
+#
+#brokenas
+#	NAS-Port-Type == Ethernet
+#	Fall-Through = Yes
+
+# The rest of this file contains the DEFAULT entry.
+# DEFAULT matches with all realm names.
+
+DEFAULT
+	User-Name =* ANY,
+	User-Password =* ANY,
+	CHAP-Password =* ANY,
+	CHAP-Challenge =* ANY,
+	MS-CHAP-Challenge =* ANY,
+	MS-CHAP-Response =* ANY,
+	EAP-Message =* ANY,
+	Message-Authenticator =* ANY,
+	State =* ANY,
+	NAS-IP-Address =* ANY,
+	NAS-Identifier =* ANY,
+	Proxy-State =* ANY
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/clients.conf	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,10 @@
+# -*- text -*-
+
+client supauth3.eap.testbed.aaa {
+	ipaddr = 192.168.105.70
+	secret		= radiusecret3.1
+	require_message_authenticator = no
+
+	nastype     = other	# localhost isn't usually a NAS...
+}
+
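Review bot: `require_message_authenticator = no` on the supauth3 client means requests from 192.168.105.70 that carry no Message-Authenticator are accepted on the shared secret alone; requests containing EAP-Message are still checked regardless of this setting, but for a client that is only expected to send EAP, `require_message_authenticator = yes` costs nothing and is the safer choice. The trailing comment `# localhost isn't usually a NAS...` was carried over from the stock localhost entry and no longer describes this client, which is named supauth3 and matched by the same address in the new huntgroups file; replace it with `# supauth3 authenticator; same address as the "supauths" huntgroup`.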
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/dictionary	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,32 @@
+#
+#	This is the master dictionary file, which references the
+#	pre-defined dictionary files included with the server.
+#
+#	Any new/changed attributes MUST be placed in this file, as
+#	the pre-defined dictionaries SHOULD NOT be edited.
+#
+#	$Id: dictionary.in,v 1.4 2004/04/14 15:26:20 aland Exp $
+#
+
+#
+#	The filename given here should be an absolute path. 
+#
+$INCLUDE	/usr/share/freeradius/dictionary
+
+#
+#	Place additional attributes or $INCLUDEs here.  They will
+#	over-ride the definitions in the pre-defined dictionaries.
+#
+#	See the 'man' page for 'dictionary' for information on
+#	the format of the dictionary files.
+
+#
+#	If you want to add entries to the dictionary file,
+#	which are NOT going to be placed in a RADIUS packet,
+#	add them here.  The numbers you pick should be between
+#	3000 and 4000.
+#
+
+#ATTRIBUTE	My-Local-String		3000	string
+#ATTRIBUTE	My-Local-IPAddr		3001	ipaddr
+#ATTRIBUTE	My-Local-Integer	3002	integer
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/experimental.conf	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,501 @@
+#
+#  This file contains the configuration for experimental modules.
+#
+#  By default, it is NOT included in the build.
+#
+#  $Id: experimental.conf,v 1.42 2008/01/19 22:26:30 aland Exp $
+#
+
+	# Configuration for the Python module.
+	#
+	# Where radiusd is a Python module, radiusd.py, and the
+	# function 'authorize' is called.  Here is a dummy piece
+	# of code:
+	# 
+	#	def authorize(params):
+	#	    print params
+	#	    return (5, ('Reply-Message', 'banned'))
+	#
+	# The RADIUS value-pairs are passed as a tuple of tuple
+	# pairs as the first argument, e.g. (('attribute1',
+	# 'value1'), ('attribute2', 'value2'))
+	#
+	# The function return is a tuple with the first element
+	# being the return value of the function.
+	# The 5 corresponds to RLM_MODULE_USERLOCK. I plan to
+	# write the return values as Python symbols to avoid
+	# confusion.
+	#
+	# The remaining tuple members are the string form of
+	# value-pairs which are passed on to pairmake().
+	#
+	python {
+		mod_instantiate = radiusd_test
+		func_instantiate = instantiate
+
+		mod_authorize = radiusd_test
+		func_authorize = authorize
+
+		mod_accounting = radiusd_test
+		func_accounting = accounting
+
+		mod_preproxy = radiusd_test
+		func_preproxy = preproxy
+
+		mod_postproxy = radiusd_test
+		func_postproxy = postproxy
+
+		mod_postauth = radiusd_test
+		func_postauth = postauth
+
+		mod_detach = radiusd_test
+		func_detach = detach
+	}
+
+	
+	# Configuration for the example module.  Uncommenting it will cause it
+	# to get loaded and initialized, but should have no real effect as long
+	# it is not referencened in one of the autz/auth/preacct/acct sections
+	example {
+		#  Boolean variable.
+		# allowed values: {no, yes}
+		boolean = yes
+
+		#  An integer, of any value.
+		integer = 16
+
+		#  A string.
+		string = "This is an example configuration string"
+
+		# An IP address, either in dotted quad (1.2.3.4) or hostname
+		# (example.com)
+		ipaddr = 127.0.0.1
+
+		# A subsection
+		mysubsection {
+			anotherinteger = 1000
+			# They nest
+			deeply nested {
+				string = "This is a different string"
+			}
+		}
+	}
+
+	#
+	#  To create a dbm users file, do:
+	#
+	#   cat test.users | rlm_dbm_parser -f /etc/raddb/users_db
+	#
+	#  Then add 'dbm' in 'authorize' section.
+	#
+	#  Note that even if the file has a ".db" or ".dbm" extension,
+	#  you may have to specify it here without that extension.  This
+	#  is because the DBM libraries "helpfully" add a ".db" to the
+	#  filename, but don't check if it's already there.
+	#
+	dbm {
+		usersfile = ${confdir}/users_db
+	}
+
+	#
+	#  Persistent, embedded Perl interpreter.
+	#
+	perl {
+		#
+		#  The Perl script to execute on authorize, authenticate,
+		#  accounting, xlat, etc.  This is very similar to using
+		#  'rlm_exec' module, but it is persistent, and therefore
+		#  faster.
+		#
+		module = /path/to/your/perl_module.pm
+
+		#
+		#  The following hashes are given to the module and
+                #  filled with value-pairs (Attribute names and values)
+		#
+		#  %RAD_CHECK		Read-only	Check items
+		#  %RAD_REQUEST		Read-only	Attributes from the request
+		#  %RAD_REPLY		Read-write	Attributes for the reply
+		# 
+		#  The return codes from functions in the perl_script
+		#  are passed directly back to the server.  These
+		#  codes are defined in doc/configurable_failover,
+		#  src/include/modules.h (RLM_MODULE_REJECT, etc),
+		#  and are pre-defined in the 'example.pl' program
+		#  which is included.
+		#		
+
+		#
+		#  List of functions in the module to call.
+		#  Uncomment and change if you want to use function
+		#  names other than the defaults.
+		#
+		#func_authenticate = authenticate
+		#func_authorize = authorize
+		#func_preacct = preacct
+		#func_accounting = accounting
+		#func_checksimul = checksimul
+		#func_pre_proxy = pre_proxy
+		#func_post_proxy = post_proxy
+		#func_post_auth = post_auth
+		#func_xlat = xlat
+		#func_detach = detach
+
+		#
+		#  Uncomment the following lines if you wish
+		#  to use separate functions for Start and Stop
+		#  accounting packets. In that case, the 
+		#  func_accounting function is not called.
+		#
+		#func_start_accounting = accounting_start
+		#func_stop_accounting = accounting_stop
+		
+		#  Uncomment the following lines if your perl is 
+		#  compiled with threads support.
+		#  The settings below are the defaults.
+		#
+		#max_clones = 32
+		#start_clones = 32
+		#min_spare_clones = 0
+		#max_spare_clones = 32
+		#cleanup_delay = 5
+		#max_request_per_clone = 0
+
+	}
+
+	#
+	#  Perform NT-Domain authentication.  This only works
+	#  with PAP authentication.  That is, Authentication-Request
+	#  packets containing a User-Password attribute.
+	#
+	#  To use it, add 'smb' into the 'authenticate' section,
+	#  and then in another module (usually the 'users' file),
+	#  set 'Auth-Type := SMB'
+	#
+	#  WARNING: this module is not only experimental, it's also
+	#  a security threat. It's not recommended to use it until
+	#  it gets fixed.
+	#
+	smb {
+		server = ntdomain.server.example.com
+		backup = backup.server.example.com
+		domain = NTDOMAIN
+	}
+
+	# See doc/rlm_fastusers before using this
+	# module or changing these values.
+	#
+	fastusers {
+		usersfile = ${confdir}/users_fast
+		hashsize = 1000
+		compat = no
+		# Reload the hash every 600 seconds (10mins)
+		hash_reload = 600
+	}
+
+	# Caching module
+	#
+	# Should be added in the post-auth section (after all other modules)
+	# and in the authorize section (before any other modules)
+	#
+	# authorize {
+	#	caching {
+	#		ok = return
+	#	}
+	#	[... other modules ...]
+	# }
+	# post-auth {
+	#	[... other modules ...]
+	#	caching
+	# }
+	#
+	# The caching module will cache the Auth-Type and reply items
+	# and send them back on any subsequent requests for the same key
+	#
+	# Configuration:
+	#
+	# filename: The gdbm file to use for the cache database
+	#		(can be memory mapped for more speed)
+	#
+	# key: A string to xlat and use as a key. For instance,
+	#	"%{Acct-Unique-Session-Id}"
+	#
+	# post-auth: If we find a cached entry, set the post-auth to that value
+	#
+	# cache-ttl: The time to cache the entry. The same time format
+	#		as the counter module apply here.
+	#	  num[hdwm] where:
+	#  	h: hours, d: days, w: weeks, m: months
+	#  	If the letter is ommited days will be assumed.
+	#	e.g. 1d == one day
+	#
+	# cache-size: The gdbm cache size to request (default 1000)
+	#
+	# hit-ratio: If set to non-zero we print out statistical
+	#	information after so many cache requests
+	#
+	# cache-rejects: Do we also cache rejects, or not? (default 'yes')
+	#
+	caching {
+		filename = ${db_dir}/db.cache
+		cache-ttl = 1d
+		hit-ratio = 1000
+		key = "%{Acct-Unique-Session-Id}"
+		#post-auth = ""
+		# cache-size = 2000
+		# cache-rejects = yes
+	}
+
+
+	# Simple module for logging of Account packets to radiusd.log
+	# You need to declare it in the accounting section for it to work
+	acctlog {
+		acctlog_update = ""
+		acctlog_start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})"
+		acctlog_stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds"
+		acctlog_on = "NAS %C (%{NAS-IP-Address}) just came online"
+		acctlog_off = "NAS %C (%{NAS-IP-Address}) just went offline"
+	}
+
+	# Another implementation of the EAP module.
+	#
+	#  This module requires the libeap.so file from the hostap
+	#  software (http://hostap.epitest.fi/hostapd/).  It has been
+	#  tested on the development version of hostapd (0.6.1) ONLY.
+	#
+	#  In order to use it, you MUST build a "libeap.so" in hostapd,
+	#  which is not done by default.
+	#
+	#  You MUST also edit the file: src/modules/rlm_eap2/Makefile
+	#  to point to the location of the hostap include files.
+	#
+	#  This module CANNOT be used in the same way as the current
+	#  FreeRADIUS "eap" module.  There is NO way to look inside of
+	#  a tunneled request.  There is NO way to proxy a tunneled
+	#  request.  There is NO way to even look at the user name inside
+	#  of the tunneled request.  There is NO way to control the
+	#  choice of EAP types inside of the tunnel.  You MUST force
+	#  the server to choose "eap2" for authentication, because this
+	#  module has no "authorize" section.
+	#
+	#  If you want to use this module for experimentation, please
+	#  post your comments to the freeradius-devel list:
+	#
+	#    http://lists.freeradius.org/mailman/listinfo/freeradius-devel
+	#
+	#  If you want to use this module in a production (i.e. real-world)
+	#  environment:
+	#
+	#	!!! DO NOT USE IT IN A PRODUCTION ENVIRONMENT !!!
+	#
+	#  The module needs additional work to make it ready for
+	#  production use..  Please supply patches, or sponsor the
+	#  work by hiring a developer.  Do NOT ask when the work will
+	#  be done, because there is no plan to finish this module
+	#  unless there is demand for it.
+	#
+	eap2 {
+		#  EAP types are chosen in the order that they are
+		#  listed in this section.  There is no "default_eap_type"
+		#  as with rlm_eap.  Instead, the *first* EAP type is
+		#  used as the default type.
+		#
+		peap {
+		}
+
+		ttls {
+		}
+
+		#  This is the ONLY EAP type that has any configuration.
+		#  All other EAP types have no configuration.
+		#
+		tls {
+			ca_cert = ${confdir}/certs/ca.pem
+			server_cert = ${confdir}/certs/server.pem
+			private_key_file = ${confdir}/certs/server.pem
+			private_key_password = whatever
+		}
+
+		#
+		#  These next two methods do not supply keying material.
+		#
+		md5 {
+		}
+
+		mschapv2 {
+		}
+
+		#  LEAP is NOT supported by this module.
+		#  Use the "eap" module instead.
+
+		#  For other methods that MIGHT work, see the
+		#  configuration of hostap.  The methods are statically
+		#  linked in at compile time, and cannot be controlled
+		#  here.
+	}
+
+	#  Configuration for experimental EAP types.  The sub-sections
+	#  can be copied into eap.conf.
+	eap {
+		ikev2 {
+
+		# Server auth type 
+		# Allowed values are:
+		#  cert   - for certificate based server authentication,
+		#           other required settings for this type are
+		#	    'private_key_file' and 'certificate_file'
+		#  secret - for shared secret based server authentication, 
+		#           other required settings for this type is 'id'
+		# Default value of this option is 'secret'
+	#     server_authtype=cert
+
+		# Allowed default client auth types
+		# Allowed values are:
+		#   secret - for shared secret based client	authentication
+		#   cert   - for certificate based client authentication
+		#   both   - shared secret and certificate is allowed
+		#   none   - authentication will always fail
+		# Default value for this option is 'both'. This option could
+		#  be overwritten within 'usersfile' file by EAP-IKEv2-Auth
+		#  option. 
+	#   default_authtype = both
+
+		# path to trusted CA certificate file
+		CA_file="/path/to/CA/cacert.pem"
+
+		# path to CRL file, if not set, then there will be no
+		#  checks against CRL
+	#   crl_file="/path/to/crl.pem"
+
+		# path to file with user settings 
+		#
+		#  Note that this file is read ONLY on module initialization!
+		#
+		# default ${confdir}/eap_ikev2_users
+	#   usersfile=${confdir}/eap_ikev2_users
+
+#
+#  Sample "eap_ikev2_users" file entry:
+#
+#username  EAP-IKEv2-IDType := KEY_ID,  EAP-IKEv2-Secret := "tajne"
+
+## where:
+## username           - client user name from IKE-AUTH (IDr)  or CommonName
+##                      from x509 certificate
+## EAP-IKEv2-IDType   - ID Type - same as in expected IDType payload
+##	                allowable attributes for EAP-IKEv2-IDType:
+##	                IPV4_ADDR FQDN RFC822_ADDR IPV6_ADDR DER_ASN1_DN
+##			DER_ASN1_GN KEY_ID
+## EAP-IKEv2-Secret   - shared secret
+## EAP-IKEv2-AuthType - optional parameter which defines expected client auth
+##                      type. Allowed values are: secret,cert,both,none.
+##			For the meaning of this values, please see the
+##                      description of 'default_authtype'.
+##                      This attribute can overwrite 'default_authtype' value.
+
+
+
+		# path to  file with server private key
+		private_key_file="/path/to/srv-private-key.pem"
+
+		# password to private key file
+		private_key_password="passwd"
+
+		# path to file with server certificate
+		certificate_file="/path/to/srv-cert.pem"
+
+		# server identity string
+		id="deMaio"
+
+		# Server identity type. Allowed values are:
+		# IPV4_ADDR, FQDN, RFC822_ADDR, IPV6_ADDR, ASN1_DN, ASN1_GN,
+		#  KEY_ID
+		# Default value is:	KEY_ID
+	#   id_type = KEY_ID
+
+
+		# MTU (default: 1398)
+	#   fragment_size = 1398
+    
+		# maximal allowed number of resends SA_INIT after receiving
+		# 'invalid KEY' notification (default 3)
+	#   DH_counter_max = 3
+
+		# option which is used to control whenever send CERT REQ
+		#  payload or not.
+		# Allowed values for this option are "yes" or "no".
+		#Default value is "no".
+	#   certreq = "yes"
+
+		# option which cotrols fast reconnect capability.
+		# Allowed valuse for this option are "yes" or "no".
+		# Default value is "yes".
+	#   enable_fast_reauth = "no"
+    
+		# option which is used to control performing of DH exchange
+		#  during fast rekeying protocol run.
+		# Allowed values for this option are "yes" or "no".
+		# Default value is "no"
+	#   fast_DH_exchange = "yes"
+
+		# Option which is used to set up expiration time of inactive
+		#  IKEv2 session.
+		# After selected period of time (in seconds), inactive
+		# session data will be deleted.
+		# Default value of this option is set to 900 seconds
+	#   fast_timer_expire = 900
+
+		# list of server proposals of available cryptographic
+		# suites
+		proposals {
+			# proposal number #1 
+			proposal {
+
+				# Supported transforms types: encryption,
+				# prf, integrity, dhgroup. For multiple
+				# transforms just simple repeat key (i.e.
+				# integity).
+
+				# encryption algorithm
+				# supported algorithms:
+				# null,3des,aes_128_cbc,aes_192_cbc,
+				# aes_256_cbc,idea
+	            		# blowfish:n, where n range from 8 to 448 bits,
+				#  step 8 bits
+				# cast:n, where n range from 40 to 128 bits,
+				#  step 8 bits 
+				encryption = 3des
+
+				# pseudo random function. Supported prf's:
+				# hmac_md5, hmac_sha1, hmac_tiger
+				prf = hmac_sha1
+
+				# integrity algorithm. Supported algorithms:
+				# hmac_md5_96, hmac_sha1_96,des_mac
+				integrity = hmac_sha1_96
+				integrity = hmac_md5_96
+
+				# Diffie-Hellman groups:
+				# modp768, modp1024, modp1536, modp2048, 
+				# modp3072, modp4096, modp6144, modp8192
+				dhgroup = modp2048 
+			}
+		
+			# proposal number #2 
+			proposal {
+				encryption = 3des
+				prf = hmac_md5
+				integrity = hmac_md5_96
+				dhgroup = modp1024
+			}	
+
+			# proposal number #3 
+			proposal {
+				encryption=3des
+				prf=hmac_md5
+				integrity=hmac_md5_96
+				dhgroup=modp2048
+			} 
+		}
+		}
+	}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/hints	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,77 @@
+# hints
+#
+#	The hints file.   This file is used to match
+#	a request, and then add attributes to it.  This
+#	process allows a user to login as "bob.ppp" (for example),
+#	and receive a PPP connection, even if the NAS doesn't
+#	ask for PPP.  The "hints" file is used to match the
+#	".ppp" portion of the username, and to add a set of
+#	"user requested PPP" attributes to the request.
+#
+#	Matching can take place with the the Prefix and Suffix
+#	attributes, just like in the "users" file.
+#	These attributes operate ONLY on the username, though.
+#
+#	Note that the attributes that are set for each
+#	entry are _NOT_ passed back to the terminal server.
+#	Instead they are added to the information that has
+#	been _SENT_ by the terminal server.
+#
+#	This extra information can be used in the users file to
+#	match on. Usually this is done in the DEFAULT entries,
+#	of which there can be more than one.
+#
+#	In addition a matching entry can transform a username
+#	for authentication purposes if the "Strip-User-Name"
+#	variable is set to Yes in an entry (default is Yes).
+#
+#	A special non-protocol name-value pair called "Hint"
+#	can be set to match on in the "users" file.
+#
+#	The following is how most ISPs want to set this up.
+#
+# Version:	$Id: hints,v 1.4 2004/01/29 16:42:43 aland Exp $
+#
+
+
+DEFAULT	Suffix == ".ppp", Strip-User-Name = Yes
+	Hint = "PPP",
+	Service-Type = Framed-User,
+	Framed-Protocol = PPP
+
+DEFAULT	Suffix == ".slip", Strip-User-Name = Yes
+	Hint = "SLIP",
+	Service-Type = Framed-User,
+	Framed-Protocol = SLIP
+
+DEFAULT	Suffix == ".cslip", Strip-User-Name = Yes
+	Hint = "CSLIP",
+	Service-Type = Framed-User,
+	Framed-Protocol = SLIP,
+	Framed-Compression = Van-Jacobson-TCP-IP
+
+######################################################################
+#
+#	These entries are old, and commented out by default.
+#	They confuse too many people when "Peter" logs in, and the
+#	server thinks that the user "eter" is asking for PPP.
+#
+#DEFAULT	Prefix == "U", Strip-User-Name = No
+#	Hint = "UUCP"
+
+#DEFAULT	Prefix == "P", Strip-User-Name = Yes
+#	Hint = "PPP",
+#	Service-Type = Framed-User,
+#	Framed-Protocol = PPP
+
+#DEFAULT	Prefix == "S", Strip-User-Name = Yes
+#	Hint = "SLIP",
+#	Service-Type = Framed-User,
+#	Framed-Protocol = SLIP
+
+#DEFAULT	Prefix == "C", Strip-User-Name = Yes
+#	Hint = "CSLIP",
+#	Service-Type = Framed-User,
+#	Framed-Protocol = SLIP,
+#	Framed-Compression = Van-Jacobson-TCP-IP
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/huntgroups	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,47 @@
+#
+# huntgroups	This file defines the `huntgroups' that you have. A
+#		huntgroup is defined by specifying the IP address of
+#		the NAS and possibly a port range. Port can be identified
+#		as just one port, or a range (from-to), and multiple ports
+#		or ranges of ports must be seperated by a comma. For
+#		example: 1,2,3-8
+#
+#		Matching is done while RADIUS scans the user file; if it
+#		includes the selection criterium "Huntgroup-Name == XXX"
+#		the huntgroup is looked up in this file to see if it
+#		matches. There can be multiple definitions of the same
+#		huntgroup; the first one that matches will be used.
+#
+#		This file can also be used to define restricted access
+#		to certain huntgroups. The second and following lines
+#		define the access restrictions (based on username and
+#		UNIX usergroup) for the huntgroup.
+#
+
+#
+# Our POP in Alphen a/d Rijn has 3 terminal servers. Create a Huntgroup-Name
+# called Alphen that matches on all three terminal servers.
+#
+#alphen		NAS-IP-Address == 192.168.2.5
+#alphen		NAS-IP-Address == 192.168.2.6
+#alphen		NAS-IP-Address == 192.168.2.7
+
+#
+# The POP in Delft consists of only one terminal server.
+#
+#delft		NAS-IP-Address == 192.168.3.5
+
+#
+# Ports 0-7 on the first terminal server in Alphen are connected to
+# a huntgroup that is for business users only. Note that only one
+# of the username or groupname has to match to get access (OR/OR).
+#
+# Note that this huntgroup is a subset of the "alphen" huntgroup.
+#
+#business	NAS-IP-Address == 192.168.2.5, NAS-Port-Id == 0-7
+#		User-Name = rogerl,
+#		User-Name = henks,
+#		Group = business,
+#		Group = staff
+
+supauths	NAS-IP-Address == 192.168.105.70
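Review bot: The only active entry, `supauths` at line 954, has no comment saying what the NAS at 192.168.105.70 is or where the huntgroup is consumed; nothing visible in this chunk references `Huntgroup-Name == supauths`, so a reader cannot tell whether the line is load-bearing or leftover. A one-line comment above it, e.g. `# supauths: the testbed NAS at 192.168.105.70; keyed on via Huntgroup-Name == supauths in <consumer file — TODO name it>`, would make that explicit, with the consumer confirmed against the users file added in this changeset.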
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/ldap.attrmap	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,71 @@
+#
+# Mapping of RADIUS dictionary attributes to LDAP directory attributes
+# to be used by LDAP authentication and authorization module (rlm_ldap)
+#
+# Format:
+#   ItemType	RADIUS-Attribute-Name		ldapAttributeName  [operator]
+#
+# Where:
+#   ItemType              = checkItem or replyItem 
+#   RADIUS-Attribute-Name = attribute name in RADIUS dictionary
+#   ldapAttributeName     = attribute name in LDAP schema
+#   operator              = optional, and may not be present.
+#			    If not present, defaults to "==" for checkItems,
+#			    and "=" for replyItems.
+#			    If present, the operator here should be one
+#			    of the same operators as defined in the "users"3
+#			    file ("man users", or "man 5 users").
+#			    If an operator is present in the value of the
+#			    LDAP entry (i.e. ":=foo"), then it over-rides
+#			    both the default, and any operator given here.
+#
+# If $GENERIC$ is specified as RADIUS-Attribute-Name, the line specifies
+# a LDAP attribute which can be used to store any RADIUS 
+# attribute/value-pair in LDAP directory.
+#
+# You should edit this file to suit it to your needs.
+#
+
+checkItem	$GENERIC$			radiusCheckItem
+replyItem	$GENERIC$			radiusReplyItem
+
+checkItem	Auth-Type			radiusAuthType
+checkItem	Simultaneous-Use		radiusSimultaneousUse
+checkItem	Called-Station-Id		radiusCalledStationId
+checkItem	Calling-Station-Id		radiusCallingStationId
+checkItem	LM-Password			lmPassword
+checkItem	NT-Password			ntPassword
+checkItem	LM-Password			sambaLmPassword
+checkItem	NT-Password			sambaNtPassword
+checkItem	SMB-Account-CTRL-TEXT		acctFlags
+checkItem	Expiration			radiusExpiration
+checkItem	NAS-IP-Address			radiusNASIpAddress
+
+replyItem	Service-Type			radiusServiceType
+replyItem	Framed-Protocol			radiusFramedProtocol
+replyItem	Framed-IP-Address		radiusFramedIPAddress
+replyItem	Framed-IP-Netmask		radiusFramedIPNetmask
+replyItem	Framed-Route			radiusFramedRoute
+replyItem	Framed-Routing			radiusFramedRouting
+replyItem	Filter-Id			radiusFilterId
+replyItem	Framed-MTU			radiusFramedMTU
+replyItem	Framed-Compression		radiusFramedCompression
+replyItem	Login-IP-Host			radiusLoginIPHost
+replyItem	Login-Service			radiusLoginService
+replyItem	Login-TCP-Port			radiusLoginTCPPort
+replyItem	Callback-Number			radiusCallbackNumber
+replyItem	Callback-Id			radiusCallbackId
+replyItem	Framed-IPX-Network		radiusFramedIPXNetwork
+replyItem	Class				radiusClass
+replyItem	Session-Timeout			radiusSessionTimeout
+replyItem	Idle-Timeout			radiusIdleTimeout
+replyItem	Termination-Action		radiusTerminationAction
+replyItem	Login-LAT-Service		radiusLoginLATService
+replyItem	Login-LAT-Node			radiusLoginLATNode
+replyItem	Login-LAT-Group			radiusLoginLATGroup
+replyItem	Framed-AppleTalk-Link		radiusFramedAppleTalkLink
+replyItem	Framed-AppleTalk-Network	radiusFramedAppleTalkNetwork
+replyItem	Framed-AppleTalk-Zone		radiusFramedAppleTalkZone
+replyItem	Port-Limit			radiusPortLimit
+replyItem	Login-LAT-Port			radiusLoginLATPort
+replyItem	Reply-Message			radiusReplyMessage
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/otp.conf	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,78 @@
+#
+#  Configuration for the OTP module.
+#
+
+#  This module allows you to use various handheld OTP tokens
+#  for authentication (Auth-Type := otp).  These tokens are
+#  available from various vendors.
+#
+#  It works in conjunction with otpd, which implements token
+#  management and OTP verification functions; and lsmd or gsmd,
+#  which implements synchronous state management functions.
+#  otpd, lsmd and gsmd are available from TRI-D Systems:
+#              <http://www.tri-dsystems.com/>
+
+#  You must list this module in BOTH the authorize and authenticate
+#  sections in order to use it.
+otp {
+	# otpd rendezvous point.
+	# (default: /var/run/otpd/socket)
+	#otpd_rp = /var/run/otpd/socket
+
+	# Text to use for the challenge.  The '%' character is
+	# disallowed, except that you MUST have a single "%s"
+	# sequence in the string; the challenge itself is
+	# inserted there.  (default "Challenge: %s\n Response: ")
+	#challenge_prompt = "Challenge: %s\n Response: "
+
+	# Length of the challenge.  Most tokens probably support a
+	# max of 8 digits.  (range: 5-32 digits, default 6)
+	#challenge_length = 6
+
+	# Maximum time, in seconds, that a challenge is valid.
+	# (The user must respond to a challenge within this time.)
+	# It is also the minimal time between consecutive async mode
+	# authentications, a necessary restriction due to an inherent
+	# weakness of the RADIUS protocol which allows replay attacks.
+	# (default: 30)
+	#challenge_delay = 30
+
+	# Whether or not to allow asynchronous ("pure" challenge/
+	# response) mode authentication.  Since sync mode is much more
+	# usable, and all reasonable tokens support it, the typical
+	# use of async mode is to allow resync of event based tokens.
+	# But because of the vulnerability of async mode with some tokens,
+	# you probably want to disable this and require that out-of-sync
+	# users resync from specifically secured terminals.
+	# See the otpd docs for more info.
+	# (default: no)
+	#allow_async = no
+
+	# Whether or not to allow synchronous mode authentication.
+	# When using otpd with lsmd, it is *CRITICALLY IMPORTANT*
+	# that if your OTP users can authenticate to multiple RADIUS
+	# servers, this must be "yes" for the primary/default server,
+	# and "no" for the others.  This is because lsmd does not
+	# share state information across multiple servers.  Using "yes"
+	# on all your RADIUS servers would allow replay attacks!
+	# Also, for event based tokens, the user will be out of sync
+	# on the "other" servers.  In order to use "yes" on all your
+	# servers, you must either use gsmd, which synchronizes state
+	# globally, or implement your own state synchronization method.
+	# (default: yes)
+	#allow_sync = yes
+
+	# If both allow_async and allow_sync are "yes", a challenge is
+	# always presented to the user.  This is incompatible with NAS's
+	# that can't present or don't handle Access-Challenge's, e.g.
+	# PPTP servers.  Even though a challenge is presented, the user
+	# can still enter their synchronous passcode.
+
+	# The following are MPPE settings.  Note that MS-CHAP (v1) is
+	# strongly discouraged.  All possible values are listed as
+	# {value = meaning}.  Default values are first.
+	#mschapv2_mppe = {2 = required, 1 = optional, 0 = forbidden}
+	#mschapv2_mppe_bits = {2 = 128, 1 = 128 or 40, 0 = 40}
+	#mschap_mppe = {2 = required, 1 = optional, 0 = forbidden}
+	#mschap_mppe_bits = {2 = 128}
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/policy.conf	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,54 @@
+# -*- text -*-
+##
+## policy.conf	-- FreeRADIUS server configuration file.
+##
+##	http://www.freeradius.org/
+##	$Id: policy.conf,v 1.2 2008/01/15 16:29:55 aland Exp $
+##
+
+#
+#  Policies are virtual modules, similar to those defined in the
+#  "instantate" section of radiusd.conf.
+#
+#  Defining a policy here means that it can be referenced in multiple
+#  places as a *name*, rather than as a series of conditions to match,
+#  and actions to take.
+#
+#  Policies are something like subroutines in a normal language, but
+#  they cannot be called recursively.  They MUST be defined in order.
+#  If policy A calls policy B, then B MUST be defined before A.
+#
+policy {
+	#
+	#	Forbid all EAP types.
+	#
+##	forbid_eap {
+##		if (EAP-Message) {
+##			reject
+##		}
+##	}
+
+	#
+	#	Forbid all non-EAP types outside of an EAP tunnel.
+	#
+##	permit_only_eap {
+##		if (!EAP-Message) {
+			#  We MAY be inside of a TTLS tunnel.
+			#  PEAP and EAP-FAST require EAP inside of
+			#  the tunnel, so this check is OK.
+			#  If so, then there MUST be an outer EAP message.
+##			if (!"%{outer.request:EAP-Message}") {
+##				reject
+##			}
+##		}
+##	}
+
+	#
+	#	Forbid all attempts to login via realms.
+	#
+##	deny_realms {
+##		if (User-Name =~ /@|\\/) {
+##			reject
+##		}
+##	}
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/policy.txt	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,185 @@
+#
+#	Sample of a policy language for rlm_policy.
+#
+#	This is NOT the "unlang" policy, and has NO RELATION to "unlang"!
+#	The syntax is different, and the functionality is different.
+#
+
+#	As of 2.0.0, the new configuration "un-language" is better
+#	tested, has more features, and is better integrated into the
+#	server than the rlm_policy module.  rlm_policy is deprecated,
+#	and will likely be removed in a future release.
+#
+#	There is no documentation other than this file.
+#
+#	The syntax is odd, but it sort of works.
+#
+#	A number of sites are using it in production servers,
+#	so it appears to be stable.  However, we cannot answer
+#	questions about it, because we use "unlang", instead of
+#	this file.	
+#
+#	$Id: policy.txt,v 1.5 2007/12/29 05:01:45 aland Exp $
+#
+#  Debugging statements
+#
+#debug print_tokens	# as we're parsing this file
+debug print_policy	# once the file has been parsed
+
+# Using this requires code edits to rlm_policy/evaluate.c
+#debug evaluate		# print limited information during evaluation
+
+#
+#  A named policy.
+#
+policy 3pm {
+if (Time-Of-Day < "15:00") {
+   #
+   #  The general form of edits to the attribute lists:
+   #
+   #   name s-operator {
+   #	    Attribute-Name = Value
+   #   }
+   #
+   #  name is: request, reply, control, proxy-request, proxy-reply
+   #
+   #  s-operator is operator for section, not attributes:
+   #
+   #		=	append, using operators from attributes
+   #		.=	append attributes, ignoring operators from attributes
+   #		^=	add to head of list
+   #		^==	add BEFORE matching attribute
+   #		^.	append
+   #		^.=	append BEFORE matching attribute
+   #		$=	add AFTER  (same as =)
+   #		$==	add AFTER matching attribute
+   #		$.	add after  (same as .=)
+   #		$.=	add after matching
+   #
+   #  If the above explanation confuses you, don't ask.  Try various
+   #  configurations to see what happens.  The results are difficult
+   #  to explain, but easy to understand once you see them in action.
+   #
+   #  The "matching attribute" text above refers to the syntax:
+   #
+   #   name s-operator (match) {
+   #	    Attribute-Name = Value
+   #   }
+   #
+   #  Where "match" is something like:	User-Name == "bob"
+   #
+   #  This lets you insert/edit/update attributes by selected
+   #  position, which can be useful.
+   #
+   reply .= {
+      # Use ARAP-Password for testing because it's an attribute
+      # no one cares about.
+      ARAP-Password = "< 15:00"
+   }
+}
+
+}
+
+#
+#  A named policy, executed during the "authorize" phase,
+#  because it's named "authorize". 
+#
+policy authorize {
+  if (CHAP-Password) {
+     if (!CHAP-Challenge) {
+        print "Adding CHAP-Challenge = %{request:Packet-Authentication-Vector}\n"
+
+        #
+        #  Append all attributes to the specified list.
+        #  The per-attribute operators MUST be '='
+        #
+        request .= {
+           CHAP-Challenge = "%{request:Packet-Authentication-Vector}"
+        }
+     }
+
+     #
+     #  Use per-attribute operators to do override, replace, etc.
+     #  It's "control", not "check items", because "check items"
+     #  is a hold-over from the "users" file, and we no longer like that.
+     #
+     control = {
+     	  Auth-Type := CHAP
+     }
+  }
+
+#
+#  This could just as well be "%{ldap: query...}" =~ ...
+#
+#  if ("%{User-Name}" =~ "^(b)") {
+#     reply .= {
+#	   Arap-Password = "Hello, %{1}"
+#     }
+#  }
+
+  #
+  #  Execute "3pm", as if it was in-line here.
+  #
+#  call 3pm
+}
+
+######################################################################
+#
+#  The following entries are for example purposes only.
+#
+
+#  Insert the attribute at the top of the list.
+#
+#reply ^= {
+#  Attribute1 += "Value1"
+#}
+
+
+#  Insert attribute1 before Attribute2 if found, otherwise it behaves 
+#  like ^=
+#reply ^== ( Attribute2 == "Value2" ) {
+#	Attribute1 += "Value1"
+#}
+
+# ^. and ^.= have the same difference as .= and =
+# namely they append the attribute list instead of looking at the
+# attribute operators.
+#
+# Otherwise they are the same.
+
+#  Motivation:
+#
+#  Cisco NAS's will kick users who assign a VRF after assigning an IP 
+#  address. The VRF must come first.
+#
+#  A sample policy to fix this is:
+#
+policy add_inter_vrf {
+	#
+	#	If there's a matching lcp:...,
+	#	then add the vrf entry before it.
+	#
+	reply ^== ( reply:Cisco-Avpair =~ "lcp:interface-config") {
+		Cisco-Avpair    += "lcp:interface-config=ip vrf forwarding CHL-PRIVATE"
+	}
+
+	#
+	#	If there's no ip address thingy,
+	#	add ip unnumbered after the vrf stuff.
+	#
+	if (!reply:Cisco-Avpair =~ "lcp:interface-config=ip address.*") {
+	        reply $== (reply:Cisco-AVpair == "lcp:interface-config=ip vrf forwarding CHL-PRIVATE") {
+        		Cisco-Avpair    += "lcp:interface-config=ip unnumbered l10"
+	        }
+	}
+
+	#
+	#	No IP address assigned through RADIUS, tell the Cisco
+	#	NAS to assign it from it's own private IP pool.
+	#
+	if (!reply:Framed-IP-Address =* "") {
+		reply = {
+                	Cisco-Avpair    += "ip:addr-pool=privatepool"
+		}
+	}
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/preproxy_users	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,2 @@
+
+DEFAULT
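Review bot: The bare `DEFAULT` at line 1359 has no check items and no reply items, so it matches every request the files module sees via `preproxy_usersfile` and then does nothing; that reads like a placeholder rather than policy, but the file does not say so. A comment such as `# DEFAULT with no check/reply items: placeholder so the files module has a pre-proxy entry; add Proxy-To-Realm or attribute edits here if needed` would stop the next maintainer from wondering whether an entry was lost.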
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/proxy.conf	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,45 @@
+# -*- text -*-
+proxy server {
+	default_fallback = no
+
+}
+
+home_server gw.eap.testbed.aaa {
+	type = auth+acct
+	ipaddr = 192.168.105.30
+	port = 1812
+	secret = radiusecret3.2
+	response_window = 20
+	zombie_period = 40
+
+	revive_interval = 120
+}
+
+home_server_pool my_pool {
+	type = fail-over
+	home_server = gw.eap.testbed.aaa
+}
+
+######################################################################
+#
+#
+#  This section defines a new-style "realm".  Note the in version 2.0,
+#  there are many fewer configuration items than in 1.x for a realm.
+#
+#  Automatic proxying is done via the "realms" module (see "man
+#  rlm_realm").  To manually proxy the request put this entry in the
+#  "users" file:
+
+#
+#
+#DEFAULT	Proxy-To-Realm := "realm_name"
+#
+#
+
+
+realm DEFAULT {
+	pool = my_pool
+	nostrip
+}
+
+
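Review bot: The home-server shared secret `secret = radiusecret3.2` at line 1373 is committed in clear to version control alongside the IP of the peer it protects, so anyone with read access to the repository history can forge or decrypt RADIUS traffic to that home server; for anything beyond a throwaway testbed the value belongs in a file outside the repo, pulled in with `$INCLUDE` (already used by radiusd.conf in this changeset) and referenced as `secret = ${radsecret}`, if the config language accepts a variable reference at that position — please confirm. With `type = auth+acct` and a single `port = 1812`, accounting is presumably sent to port + 1 on the home server rather than 1812; a comment stating the expected accounting port would make that assumption visible. `realm DEFAULT` at lines 1402–1405 also deserves a line such as `# DEFAULT realm: every request, whatever its realm, is forwarded to my_pool; nostrip keeps the realm in User-Name`, since it is the rule that turns this host into an open forwarder for all of its clients.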
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/radiusd.conf	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,260 @@
+# -*- text -*-
+
+prefix = /usr
+exec_prefix = /usr
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = /var/log/freeradius
+
+raddbdir = /root/conf/freeradius
+
+radacctdir = ${logdir}/radacct
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run/freeradius
+db_dir = $(raddbdir)
+libdir = /usr/lib/freeradius
+pidfile = ${run_dir}/freeradius.pid
+user = freerad
+group = freerad
+max_request_time = 30
+cleanup_delay = 5
+max_requests = 1024
+listen {
+	type = auth
+	ipaddr = *
+	port = 0
+}
+listen {
+	ipaddr = *
+	port = 0
+	type = acct
+}
+hostname_lookups = no
+allow_core_dumps = yes
+regular_expressions	= yes
+extended_expressions	= yes
+log {
+	destination = files
+	file = ${logdir}/radius.log
+	syslog_facility = daemon
+	stripped_names = no
+	auth = no
+	auth_badpass = no
+	auth_goodpass = no
+}
+checkrad = ${sbindir}/checkrad
+security {
+	max_attributes = 200
+	reject_delay = 1
+	status_server = yes
+}
+
+# PROXY CONFIGURATION
+#
+#  proxy_requests: Turns proxying of RADIUS requests on or off.
+#
+#  The server has proxying turned on by default.  If your system is NOT
+#  set up to proxy requests to another server, then you can turn proxying
+#  off here.  This will save a small amount of resources on the server.
+#
+#  If you have proxying turned off, and your configuration files say
+#  to proxy a request, then an error message will be logged.
+#
+#  To disable proxying, change the "yes" to "no", and comment the
+#  $INCLUDE line.
+#
+#  allowed values: {no, yes}
+#
+proxy_requests  = yes
+$INCLUDE proxy.conf
+
+
+# CLIENTS CONFIGURATION
+#
+#  Client configuration is defined in "clients.conf".  
+#
+
+#  The 'clients.conf' file contains all of the information from the old
+#  'clients' and 'naslist' configuration files.  We recommend that you
+#  do NOT use 'client's or 'naslist', although they are still
+#  supported.
+#
+#  Anything listed in 'clients.conf' will take precedence over the
+#  information from the old-style configuration files.
+#
+$INCLUDE clients.conf
+
+
+snmp	= no
+thread pool {
+	start_servers = 5
+	max_servers = 32
+	min_spare_servers = 3
+	max_spare_servers = 10
+	max_requests_per_server = 0
+}
+
+modules {
+	#  'username@realm'
+	#
+	realm suffix {
+		format = suffix
+		delimiter = "@"
+	}
+
+	preprocess {
+		huntgroups = ${confdir}/huntgroups
+		hints = ${confdir}/hints
+		with_ascend_hack = no
+		ascend_channels_per_line = 23
+		with_ntdomain_hack = no
+		with_specialix_jetstream_hack = no
+		with_cisco_vsa_hack = no
+	}
+	
+	files {
+		# The default key attribute to use for matches.  The content
+		# of this attribute is used to match the "name" of the
+		# entry.
+		#key = "%{Stripped-User-Name:-%{User-Name}}"
+
+		usersfile = ${confdir}/users
+		acctusersfile = ${confdir}/acct_users
+		preproxy_usersfile = ${confdir}/preproxy_users
+
+		compat = no
+	}
+
+	# Write a detailed log of all accounting records received.
+	#
+	detail {
+		detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
+		detailperm = 0600
+		header = "%t"
+	}
+
+
+	detail auth_log {
+		detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
+
+		#
+		#  This MUST be 0600, otherwise anyone can read
+		#  the users passwords!
+		# detailperm = 0600
+
+		# You may also strip out passwords completely
+		#suppress {
+			# User-Password
+		#}
+	}
+	
+	#  This module logs packets proxied to a home server.
+	#
+	#  You will also need to un-comment the 'pre_proxy_log' line
+	#  in the 'pre-proxy' section, below.
+	#
+	detail pre_proxy_log {
+		detailfile = ${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d
+
+		#
+		#  This MUST be 0600, otherwise anyone can read
+		#  the users passwords!
+		# detailperm = 0600
+
+		# You may also strip out passwords completely
+		#suppress {
+			# User-Password
+		#}
+	}
+
+	#
+	#  This module logs response packets from a home server.
+	#
+	#  You will also need to un-comment the 'post_proxy_log' line
+	#  in the 'post-proxy' section, below.
+	#
+	detail post_proxy_log {
+		detailfile = ${radacctdir}/%{Client-IP-Address}/post-proxy-detail-%Y%m%d
+
+		# detailperm = 0600
+	}
+
+	radutmp {
+		filename = ${logdir}/radutmp
+		username = %{User-Name}
+		case_sensitive = yes
+		check_with_nas = yes		
+		perm = 0600
+		callerid = "yes"
+	}
+	radutmp sradutmp {
+		filename = ${logdir}/sradutmp
+		perm = 0644
+		callerid = "no"
+	}
+
+	attr_filter attr_filter.post-proxy {
+		attrsfile = ${confdir}/attrs
+	}
+	attr_filter attr_filter.pre-proxy {
+		attrsfile = ${confdir}/attrs.pre-proxy
+	}
+	attr_filter attr_filter.access_reject {
+		key = %{User-Name}
+		attrsfile = ${confdir}/attrs.access_reject
+	}
+	attr_filter attr_filter.accounting_response {
+		key = %{User-Name}
+		attrsfile = ${confdir}/attrs.accounting_response
+	}
+	always fail {
+		rcode = fail
+	}
+	always reject {
+		rcode = reject
+	}
+	always noop {
+		rcode = noop
+	}
+	always handled {
+		rcode = handled
+	}
+	always updated {
+		rcode = updated
+	}
+	always notfound {
+		rcode = notfound
+	}
+	always ok {
+		rcode = ok
+		simulcount = 0
+		mpp = no
+	}
+}
+
+instantiate {
+}
+
+
+
+
+
+authorize {
+	preprocess
+	auth_log
+	suffix
+	files
+}
+preacct {
+	preprocess
+	suffix
+	files
+}
+pre-proxy {
+	files
+	pre_proxy_log
+}
+post-proxy {
+	post_proxy_log
+}
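Review bot: `allow_core_dumps = yes` at line 1444 lets a crashing radiusd write its memory — which holds the client and home-server shared secrets and any User-Password in flight — to disk; for a proxy that is not being actively debugged this should be `allow_core_dumps = no`. `db_dir = $(raddbdir)` at line 1425 uses `$(…)` where every other reference in the file uses `${…}`; unless the parser accepts both forms, db_dir becomes the literal string — presumably `db_dir = ${raddbdir}` was meant. The post-proxy section at lines 1668–1670 runs only `post_proxy_log`, so the `attr_filter.post-proxy` instance defined at line 1607 is never applied and reply attributes from the home server pass through to the NAS unfiltered; adding `attr_filter.post-proxy` after `post_proxy_log` would apply the attrs file shipped in this changeset. The `auth_log` and `pre_proxy_log` detail files at lines 1548 and 1567 will contain User-Password, and their `detailperm = 0600` lines are commented out; the module default may already be 0600, but given the warning in the file it is worth un-commenting rather than relying on that.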
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/sites-available/README	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,335 @@
+1.  Virtual Servers.
+
+  FreeRADIUS 2.0 supports virtual servers.  This is probably the
+single largest change that is NOT backwards compatible with 1.x.
+
+  The virtual servers do NOT have to be set up with the
+"sites-available" and "sites-enabled" directories.  You can still have
+one "radiusd.conf" file, and put the server configuration there:
+
+	...
+	server {
+		authorize {
+			...
+		}
+		authenticate {
+			...
+		}
+		...
+	}
+	...
+
+  The power of virtual servers lies in their ability to separate
+policies.  A policy can be placed into a virtual server, where it is
+guaranteed to affect only the requests that are passed through that
+virtual server.  In 1.x, the policies were global, and it sometimes
+took much effort to write a policy so that it only applied in certain
+limited situations.
+
+
+2.  What do we mean by "virtual server"?
+
+
+  A virtual server is a (nearly complete) RADIUS server, just like a
+configuration for FreeRADIUS 1.x.  However, FreeRADIUS can now run
+multiple virtual servers at the same time.  The virtual servers can
+even proxy requests to each other!
+
+  The simplest way to create a virtual server is to take the all of
+the request processing sections from radius.conf, ("authorize" ,
+"authenticate", etc.) and wrap them in a "server {}" block, as above.
+
+  You can create another virtual server by:
+
+    1) defining a new "server foo {...}" section in radiusd.conf
+    2) Putting the normal "authorize", etc. sections inside of it
+    3) Adding a "listen" section *inside* of the "server" section.
+
+  e.g.
+
+	...
+	server foo {
+		listen {
+			ipaddr = 127.0.0.1
+			port = 2000
+			type = auth
+		}
+
+		authorize {
+			update control {
+				Cleartext-Password := "bob"
+			}
+			pap
+		}
+
+		authenticate {
+			pap
+		}
+	}
+	...
+
+  With that text added to "radiusd.conf", run the server in debugging
+mode (radiusd -X), and in another terminal window, type:
+
+$ radtest bob bob localhost:2000 0 testing123
+
+  You should see the server return an Access-Accept.
+
+
+3. Capabilities and limitations
+
+
+  The only sub-sections that can appear in a virtual server section
+are:
+
+	listen
+	client
+	authorize
+	authenticate
+	post-auth
+	pre-proxy
+	post-proxy
+	preacct
+	accounting
+	session
+
+  All other configuration parameters (modules, etc.) are global.
+
+  Inside of a virtual server, the authorize, etc. sections have their
+normal meaning, and can contain anything that an authorize section
+could contain in 1.x.
+
+  When a "listen" section is inside of a virtual server definition, it
+means that all requests sent to that IP/port will be processed through
+the virtual server.  There cannot be two "listen" sections with the
+same IP address and port number.
+
+  When a "client" section is inside of a virtual server definition, it
+means that that client is known only to the "listen" sections that are
+also inside of that virtual server.  Not only is this client
+definition available only to this virtual server, but the details of
+the client configuration is also available only to this virtual
+server.
+
+  i.e. Two virtual servers can listen on different IP address and
+ports, but both can have a client with IP address 127.0.0.1.  The
+shared secret for that client can be different for each virtual
+server.
+
+
+4. More complex "listen" capabilities
+
+  The "listen" sections have a few additional configuration items that
+were not in 1.x, and were not mentioned above.  These configuration
+items enable almost any mapping of IP / port to clients to virtual
+servers.
+
+  The configuration items are:
+
+	virtual_server = <name>
+
+		If set, all requests sent to this IP / port are processed
+		through the named virtual server.
+
+		This directive can be used only for "listen" sections
+		that are global.  i.e. It CANNOT be used if the
+		"listen" section is inside of a virtual server.
+
+	clients = <name>
+
+		If set, the "listen" section looks for a "clients" section:
+
+			clients <name> {
+				...
+			}
+
+		It looks inside of that named "clients" section for
+		"client" subsections, at least one of which must
+		exist.  Each client in that section is added to the
+		list of known clients for this IP / port.  No other
+		clients are known.
+
+		If it is set, it over-rides the list of clients (if
+		any) in the same virtual server.  Note that the
+		clients are NOT additive!
+
+		If it is not set, then the clients from the current
+		virtual server (if any) are used.  If there are no
+		clients in this virtual server, then the global
+		clients are used.
+
+		i.e. The most specific directive is used:
+			* configuration in this "listen" section
+			* clients in the same virtual server
+			* global clients
+
+		The directives are also *exclusive*, not *additive*.
+		If you have one client in a virtual server, and
+		another client referenced from a "listen" section,
+		then that "listen" section will ONLY use the second
+		client.  It will NOT use both clients.
+
+
+5. More complex "client" capabilities
+
+  The "client" sections have a few additional configuration items that
+were not in 1.x, and were not mentioned above.  These configuration
+items enable almost any mapping of IP / port to clients to virtual
+servers.
+
+  The configuration items are:
+
+	virtual_server = <name>
+
+		If set, all requests from this client are processed
+		through the named virtual server.
+
+		This directive can be used only for "client" sections
+		that are global.  i.e. It CANNOT be used if the
+		"client" section is inside of a virtual server.
+
+  If the "listen" section has a "server" entry, and a matching
+client is found ALSO with a "server" entry, then the clients server is
+used for that request.
+
+
+6. Worked examples
+
+
+  Listening on one socket, and mapping requests from two clients to
+two different servers.
+
+	listen {
+		...
+	}
+	client one {
+		...
+		virtual_server = server_one
+	}
+	client two {
+		...
+		virtual_server = server_two
+	}
+	server server_one {
+		authorize {
+			...
+		}
+		...
+	}
+	server server_two {
+		authorize {
+			...
+		}
+		...
+	}
+
+  This could also be done as:
+
+
+	listen {
+		...
+		virtual_server = server_one
+	}
+	client one {
+		...
+	}
+	client two {
+		...
+		virtual_server = server_two
+	}
+	server server_one {
+		authorize {
+			...
+		}
+		...
+	}
+	server server_two {
+		authorize {
+			...
+		}
+		...
+	}
+
+  In this case, the default server for the socket is "server_one", so
+there is no need to set that in the client "one" configuration.  The
+"server_two" configuration for client "two" over-rides the default
+setting for the socket.
+
+  Note that the following configuration will NOT work:
+
+	listen {
+		...
+		virtual_server = server_one
+	}
+	client one {
+		...
+	}
+	server server_one {
+		authorize {
+			...
+		}
+		...
+	}
+	server server_two {
+		client two {
+			...
+		}
+		authorize {
+			...
+		}
+		...
+	}
+
+  In this example, client "two" is hidden inside of the virtual
+server, where the "listen" section cannot find it.
+
+
+7. Outlined examples
+
+  This section outlines a number of examples, with alternatives.
+
+  One server, multiple sockets
+	- multiple "listen" sections in a "server" section
+
+  one server per client
+	- define multiple servers
+	- have a global "listen" section
+	- have multiple global "clients", each with "virtual_server = X"
+
+  two servers, each with their own sockets
+	- define multiple servers
+	- put "client" sections into each "server"
+	- put a "listen" section into each "server"
+
+	Each server can list the same client IP, and the secret
+	can be different
+
+  two sockets, sharing a list of clients, but pointing to different servers
+	- define global "listen" sections
+	- in each, set "virtual_server = X"
+	- in each, set "clients = Y"
+	- define "clients Y" section, containing multiple clients.
+
+	This also means that you can have a third socket, which
+	doesn't share any of these clients.
+
+
+8.  How to decide what to do
+
+
+  If you want *completely* separate policies for a socket or a client,
+then create a separate virtual server.  Then, map the request to that
+server by setting configuration entries in a "listen" section or in a
+"client" section.
+
+  Start off with the common cases first.  If most of the clients
+and/or sockets get a particular policy, make that policy the default.
+Configure it without paying attention to the sockets or clients you
+want to add later, and without adding a second virtual server.  Once
+it works, then add the second virtual server.
+
+  If you want to re-use the previously defined sockets with the second
+virtual server, then you will need one or more global "client"
+sections.  Those clients will contain a "virtual_server = ..." entry
+that will direct requests from those clients to the appropriate
+virtual server.
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/sites-available/buffered-sql	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,111 @@
+# -*- text -*-
+######################################################################
+#
+#	In 2.0.0, radrelay functionality is integrated into the
+#	server core.  This virtual server gives an example of
+#	using radrelay functionality inside of the server.
+#
+#	In this example, the detail file is read, and the data
+#	is put into SQL.  This configuration is used when a RADIUS
+#	server on this machine is receiving accounting packets,
+#	and writing them to the detail file.
+#
+#	The purpose of this virtual server is to de-couple the storage
+#	of long-term accounting data in SQL from "live" information
+#	needed by the RADIUS server as it is running. 
+#
+#	The benefit of this approach is that for a busy server, the
+#	overhead of performing SQL qeuries may be significant.  Also,
+#	if the SQL databases are large (as is typical for ones storing
+#	months of data), the INSERTs and UPDATEs may take a relatively
+#	long time.  Rather than slowing down the RADIUS server by
+#	having it interact with a database, you can just log the
+#	packets to a detail file, and then read that file later at a
+#	time when the RADIUS server is typically lightly loaded.
+#
+#	If you use on virtual server to log to the detail file,
+#	and another virtual server (i.e. this one) to read from
+#	the detail file, then this process will happen automatically.
+#	A sudden spike of RADIUS traffic means that the detail file
+#	will grow in size, and the server will be able to handle
+#	large volumes of traffic quickly.  When the traffic dies down,
+#	the server will have time to read the detail file, and insert
+#	the data into a long-term SQL database.
+#
+#	$Id: buffered-sql,v 1.1 2007/10/23 03:53:19 aland Exp $
+#
+######################################################################
+
+server buffered-sql {
+	listen {
+		type = detail
+
+		#  The location where the detail file is located.
+		#  This should be on local disk, and NOT on an NFS
+		#  mounted location!
+		filename = ${radacctdir}/detail
+
+		#
+		#  The server can read accounting packets from the
+		#  detail file much more quickly than those packets
+		#  can be written to a database.  If the database is
+		#  overloaded, then bad things can happen.
+		#
+		#  The server will keep track of how long it takes to
+		#  process an entry from the detail file.  It will
+		#  then pause between handling entries.  This pause
+		#  allows databases to "catch up", and gives the
+		#  server time to notice that other packets may have
+		#  arrived.
+		#		
+		#  The pause is calculated dynamically, to ensure that
+		#  the load due to reading the detail files is limited
+		#  to a small percentage of CPU time.  The
+		#  "load_factor" configuration item is a number
+		#  between 1 and 100.  The server will try to keep the
+		#  percentage of time taken by "detail" file entries
+		#  to "load_factor" percentage of the CPU time.
+		#
+		#  If the "load_factor" is set to 100, then the server
+		#  will read packets as fast as it can, usually
+		#  causing databases to go into overload.
+		#  
+		load_factor = 10
+	}
+
+	#
+	#  Pre-accounting.  Decide which accounting type to use.
+	#
+	preacct {
+		preprocess
+	
+		#
+		#  Ensure that we have a semi-unique identifier for every
+		#  request, and many NAS boxes are broken.
+		acct_unique
+	
+		#
+		#  Read the 'acct_users' file.  This isn't always
+		#  necessary, and can be deleted if you do not use it.
+		files
+	}
+	
+	#
+	#  Accounting.  Log the accounting data.
+	#
+	accounting {
+		#
+		#  Log traffic to an SQL database.
+		#
+		#  See "Accounting queries" in sql.conf
+	#	sql
+
+
+		#  Cisco VoIP specific bulk accounting
+	#	pgsql-voip
+	
+	}
+
+	# The requests are not being proxied, so no pre/post-proxy
+	# sections are necessary.
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/sites-available/copy-acct-to-home-server	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,149 @@
+# -*- text -*-
+######################################################################
+#
+#	In 2.0.0, radrelay functionality is integrated into the
+#	server core.  This virtual server gives an example of
+#	using radrelay functionality inside of the server.
+#
+#	In this example, the detail file is read, and the packets
+#	are proxied to a home server.  You will have to configure
+#	realms, home_server_pool, and home_server in proxy.conf
+#	for this to work.
+#
+#	The purpose of this virtual server is to enable duplication
+#	of information across a load-balanced, or fail-over set of
+#	servers.  For example, if a group of clients lists two
+#	home servers (primary, secondary), then RADIUS accounting
+#	messages will go only to one server at a time.  This file
+#	configures a server (primary, secondary) to send copies of
+#	the accounting information to each other.
+#
+#	That way, each server has the same set of information, and
+#	can make the same decision about the user.
+#
+#	$Id: copy-acct-to-home-server,v 1.3 2008/04/26 15:23:43 aland Exp $
+#
+######################################################################
+
+server copy-acct-to-home-server {
+	listen {
+		type = detail
+
+		#  The location where the detail file is located.
+		#  This should be on local disk, and NOT on an NFS
+		#  mounted location!
+		#
+		#  On most systems, this should support file globbing
+		#  e.g. "${radacctdir}/detail-*:*"
+		#  This lets you write many smaller detail files as in
+		#  the example in radiusd.conf: ".../detail-%Y%m%d:%H"
+		#  Writing many small files is often better than writing
+		#  one large file.  File globbing also means that with
+		#  a common naming scheme for detail files, then you can
+		#  have many detail file writers, and only one reader.
+		filename = ${radacctdir}/detail
+
+		#
+		#  The server can read accounting packets from the
+		#  detail file much more quickly than those packets
+		#  can be written to a database.  If the database is
+		#  overloaded, then bad things can happen.
+		#
+		#  The server will keep track of how long it takes to
+		#  process an entry from the detail file.  It will
+		#  then pause between handling entries.  This pause
+		#  allows databases to "catch up", and gives the
+		#  server time to notice that other packets may have
+		#  arrived.
+		#		
+		#  The pause is calculated dynamically, to ensure that
+		#  the load due to reading the detail files is limited
+		#  to a small percentage of CPU time.  The
+		#  "load_factor" configuration item is a number
+		#  between 1 and 100.  The server will try to keep the
+		#  percentage of time taken by "detail" file entries
+		#  to "load_factor" percentage of the CPU time.
+		#
+		#  If the "load_factor" is set to 100, then the server
+		#  will read packets as fast as it can, usually
+		#  causing databases to go into overload.
+		#  
+		load_factor = 10
+	}
+
+	#
+	#  Pre-accounting.  Decide which accounting type to use.
+	#
+	preacct {
+		preprocess
+	
+		# Since we're just proxying, we don't need acct_unique.
+
+		#
+		#  Look for IPASS-style 'realm/', and if not found, look for
+		#  '@realm', and decide whether or not to proxy, based on
+		#  that.
+		#
+		#  Accounting requests are generally proxied to the same
+		#  home server as authentication requests.
+	#	IPASS
+		suffix
+	#	ntdomain
+	
+		#
+		#  Read the 'acct_users' file.  This isn't always
+		#  necessary, and can be deleted if you do not use it.
+		files
+	}
+	
+	#
+	#  Accounting.  Log the accounting data.
+	#
+	accounting {
+		   #
+		   # Since we're proxying, we don't log anything
+		   # locally.  Ensure that the accounting section
+		   # "succeeds" by forcing an "ok" return.
+		   ok	
+	}
+	
+	
+	#
+	#  When the server decides to proxy a request to a home server,
+	#  the proxied request is first passed through the pre-proxy
+	#  stage.  This stage can re-write the request, or decide to
+	#  cancel the proxy.
+	#
+	#  Only a few modules currently have this method.
+	#
+	pre-proxy {
+	#	attr_rewrite
+	
+		#  If you want to have a log of packets proxied to a home
+		#  server, un-comment the following line, and the
+		#  'detail pre_proxy_log' section in radiusd.conf.
+	#	pre_proxy_log
+	}
+	
+	#
+	#  When the server receives a reply to a request it proxied
+	#  to a home server, the request may be massaged here, in the
+	#  post-proxy stage.
+	#
+	post-proxy {
+		#
+	
+		#  If you want to have a log of replies from a home
+		#  server, un-comment the following line, and the
+		#  'detail post_proxy_log' section in radiusd.conf.
+	#	post_proxy_log
+	
+	#	attr_rewrite
+	
+		#  Uncomment the following line if you want to filter
+		#  replies from remote proxies based on the rules
+		#  defined in the 'attrs' file.
+	
+	#	attr_filter
+	}
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/sites-available/default	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,502 @@
+######################################################################
+#
+#	As of 2.0.0, FreeRADIUS supports virtual hosts using the
+#	"server" section, and configuration directives.
+#
+#	Virtual hosts should be put into the "sites-available"
+#	directory.  Soft links should be created in the "sites-enabled"
+#	directory to these files.  This is done in a normal installation.
+#
+#	$Id: default,v 1.8 2008/04/01 08:34:31 aland Exp $
+#
+######################################################################
+#
+#	Read "man radiusd" before editing this file.  See the section
+#	titled DEBUGGING.  It outlines a method where you can quickly
+#	obtain the configuration you want, without running into
+#	trouble.  See also "man unlang", which documents the format
+#	of this file.
+#
+#	This configuration is designed to work in the widest possible
+#	set of circumstances, with the widest possible number of
+#	authentication methods.  This means that in general, you should
+#	need to make very few changes to this file.
+#
+#	The best way to configure the server for your local system
+#	is to CAREFULLY edit this file.  Most attempts to make large
+#	edits to this file will BREAK THE SERVER.  Any edits should
+#	be small, and tested by running the server with "radiusd -X".
+#	Once the edits have been verified to work, save a copy of these
+#	configuration files somewhere.  (e.g. as a "tar" file).  Then,
+#	make more edits, and test, as above.
+#
+#	There are many "commented out" references to modules such
+#	as ldap, sql, etc.  These references serve as place-holders.
+#	If you need the functionality of that module, then configure
+#	it in radiusd.conf, and un-comment the references to it in
+#	this file.  In most cases, those small changes will result
+#	in the server being able to connect to the DB, and to
+#	authenticate users.
+#
+######################################################################
+
+#
+#	In 1.x, the "authorize", etc. sections were global in
+#	radiusd.conf.  As of 2.0, they SHOULD be in a server section.
+#
+#	The server section with no virtual server name is the "default"
+#	section.  It is used when no server name is specified.
+#
+#	We don't indent the rest of this file, because doing so
+#	would make it harder to read.
+#
+
+#  Authorization. First preprocess (hints and huntgroups files),
+#  then realms, and finally look in the "users" file.
+#
+#  The order of the realm modules will determine the order that
+#  we try to find a matching realm.
+#
+#  Make *sure* that 'preprocess' comes before any realm if you 
+#  need to setup hints for the remote radius server
+authorize {
+	#
+	#  The preprocess module takes care of sanitizing some bizarre
+	#  attributes in the request, and turning them into attributes
+	#  which are more standard.
+	#
+	#  It takes care of processing the 'raddb/hints' and the
+	#  'raddb/huntgroups' files.
+	#
+	#  It also adds the %{Client-IP-Address} attribute to the request.
+	preprocess
+
+	#
+	#  If you want to have a log of authentication requests,
+	#  un-comment the following line, and the 'detail auth_log'
+	#  section, above.
+#	auth_log
+
+	#
+	#  The chap module will set 'Auth-Type := CHAP' if we are
+	#  handling a CHAP request and Auth-Type has not already been set
+	chap
+
+	#
+	#  If the users are logging in with an MS-CHAP-Challenge
+	#  attribute for authentication, the mschap module will find
+	#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
+	#  to the request, which will cause the server to then use
+	#  the mschap module for authentication.
+	mschap
+
+	#
+	#  If you have a Cisco SIP server authenticating against
+	#  FreeRADIUS, uncomment the following line, and the 'digest'
+	#  line in the 'authenticate' section.
+#	digest
+
+	#
+	#  Look for IPASS style 'realm/', and if not found, look for
+	#  '@realm', and decide whether or not to proxy, based on
+	#  that.
+#	IPASS
+
+	#
+	#  If you are using multiple kinds of realms, you probably
+	#  want to set "ignore_null = yes" for all of them.
+	#  Otherwise, when the first style of realm doesn't match,
+	#  the other styles won't be checked.
+	#
+	suffix
+#	ntdomain
+
+	#
+	#  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
+	#  authentication.
+	#
+	#  It also sets the EAP-Type attribute in the request
+	#  attribute list to the EAP type from the packet.
+	#
+	#  As of 2.0, the EAP module returns "ok" in the authorize stage
+	#  for TTLS and PEAP.  In 1.x, it never returned "ok" here, so
+	#  this change is compatible with older configurations.
+	#
+	#  The example below uses module failover to avoid querying all
+	#  of the following modules if the EAP module returns "ok".
+	#  Therefore, your LDAP and/or SQL servers will not be queried
+	#  for the many packets that go back and forth to set up TTLS
+	#  or PEAP.  The load on those servers will therefore be reduced.
+	#
+	eap {
+		ok = return
+	}
+
+	#
+	#  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
+	#  using the system API's to get the password.  If you want
+	#  to read /etc/passwd or /etc/shadow directly, see the
+	#  passwd module in radiusd.conf.
+	#
+	unix
+
+	#
+	#  Read the 'users' file
+	files
+
+	#
+	#  Look in an SQL database.  The schema of the database
+	#  is meant to mirror the "users" file.
+	#
+	#  See "Authorization Queries" in sql.conf
+#	sql
+
+	#
+	#  If you are using /etc/smbpasswd, and are also doing
+	#  mschap authentication, the un-comment this line, and
+	#  configure the 'etc_smbpasswd' module, above.
+#	etc_smbpasswd
+
+	#
+	#  The ldap module will set Auth-Type to LDAP if it has not
+	#  already been set
+#	ldap
+
+	#
+	#  Enforce daily limits on time spent logged in.
+#	daily
+
+	#
+	# Use the checkval module
+#	checkval
+
+	expiration
+	logintime
+
+	#
+	#  If no other module has claimed responsibility for
+	#  authentication, then try to use PAP.  This allows the
+	#  other modules listed above to add a "known good" password
+	#  to the request, and to do nothing else.  The PAP module
+	#  will then see that password, and use it to do PAP
+	#  authentication.
+	#
+	#  This module should be listed last, so that the other modules
+	#  get a chance to set Auth-Type for themselves.
+	#
+	pap
+
+	#
+	#  If "status_server = yes", then Status-Server messages are passed
+	#  through the following section, and ONLY the following section.
+	#  This permits you to do DB queries, for example.  If the modules
+	#  listed here return "fail", then NO response is sent.
+	#
+#	Autz-Type Status-Server {
+#
+#	}
+}
+
+
+#  Authentication.
+#
+#
+#  This section lists which modules are available for authentication.
+#  Note that it does NOT mean 'try each module in order'.  It means
+#  that a module from the 'authorize' section adds a configuration
+#  attribute 'Auth-Type := FOO'.  That authentication type is then
+#  used to pick the apropriate module from the list below.
+#
+
+#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
+#  will figure it out on its own, and will do the right thing.  The
+#  most common side effect of erroneously setting the Auth-Type
+#  attribute is that one authentication method will work, but the
+#  others will not.
+#
+#  The common reasons to set the Auth-Type attribute by hand
+#  is to either forcibly reject the user (Auth-Type := Reject),
+#  or to or forcibly accept the user (Auth-Type := Accept).
+#
+#  Note that Auth-Type := Accept will NOT work with EAP.
+#
+#  Please do not put "unlang" configurations into the "authenticate"
+#  section.  Put them in the "post-auth" section instead.  That's what
+#  the post-auth section is for.
+#
+authenticate {
+	#
+	#  PAP authentication, when a back-end database listed
+	#  in the 'authorize' section supplies a password.  The
+	#  password can be clear-text, or encrypted.
+	Auth-Type PAP {
+		pap
+	}
+
+	#
+	#  Most people want CHAP authentication
+	#  A back-end database listed in the 'authorize' section
+	#  MUST supply a CLEAR TEXT password.  Encrypted passwords
+	#  won't work.
+	Auth-Type CHAP {
+		chap
+	}
+
+	#
+	#  MSCHAP authentication.
+	Auth-Type MS-CHAP {
+		mschap
+	}
+
+	#
+	#  If you have a Cisco SIP server authenticating against
+	#  FreeRADIUS, uncomment the following line, and the 'digest'
+	#  line in the 'authorize' section.
+#	digest
+
+	#
+	#  Pluggable Authentication Modules.
+#	pam
+
+	#
+	#  See 'man getpwent' for information on how the 'unix'
+	#  module checks the users password.  Note that packets
+	#  containing CHAP-Password attributes CANNOT be authenticated
+	#  against /etc/passwd!  See the FAQ for details.
+	#  
+	unix
+
+	# Uncomment it if you want to use ldap for authentication
+	#
+	# Note that this means "check plain-text password against
+	# the ldap database", which means that EAP won't work,
+	# as it does not supply a plain-text password.
+#	Auth-Type LDAP {
+#		ldap
+#	}
+
+	#
+	#  Allow EAP authentication.
+	eap
+}
+
+
+#
+#  Pre-accounting.  Decide which accounting type to use.
+#
+preacct {
+	preprocess
+
+	#
+	#  Ensure that we have a semi-unique identifier for every
+	#  request, and many NAS boxes are broken.
+	acct_unique
+
+	#
+	#  Look for IPASS-style 'realm/', and if not found, look for
+	#  '@realm', and decide whether or not to proxy, based on
+	#  that.
+	#
+	#  Accounting requests are generally proxied to the same
+	#  home server as authentication requests.
+#	IPASS
+	suffix
+#	ntdomain
+
+	#
+	#  Read the 'acct_users' file
+	files
+}
+
+#
+#  Accounting.  Log the accounting data.
+#
+accounting {
+	#
+	#  Create a 'detail'ed log of the packets.
+	#  Note that accounting requests which are proxied
+	#  are also logged in the detail file.
+	detail
+#	daily
+
+	#  Update the wtmp file
+	#
+	#  If you don't use "radlast", you can delete this line.
+	unix
+
+	#
+	#  For Simultaneous-Use tracking.
+	#
+	#  Due to packet losses in the network, the data here
+	#  may be incorrect.  There is little we can do about it.
+	radutmp
+#	sradutmp
+
+	#  Return an address to the IP Pool when we see a stop record.
+#	main_pool
+
+	#
+	#  Log traffic to an SQL database.
+	#
+	#  See "Accounting queries" in sql.conf
+#	sql
+
+	#
+	#  Instead of sending the query to the SQL server,
+	#  write it into a log file.
+	#
+#	sql_log
+
+	#  Cisco VoIP specific bulk accounting
+#	pgsql-voip
+
+	#  Filter attributes from the accounting response.
+	attr_filter.accounting_response
+
+	#
+	#  See "Autz-Type Status-Server" for how this works.
+	#
+#	Acct-Type Status-Server {
+#
+#	}
+}
+
+
+#  Session database, used for checking Simultaneous-Use. Either the radutmp 
+#  or rlm_sql module can handle this.
+#  The rlm_sql module is *much* faster
+session {
+	radutmp
+
+	#
+	#  See "Simultaneous Use Checking Queries" in sql.conf
+#	sql
+}
+
+
+#  Post-Authentication
+#  Once we KNOW that the user has been authenticated, there are
+#  additional steps we can take.
+post-auth {
+	#  Get an address from the IP Pool.
+#	main_pool
+
+	#
+	#  If you want to have a log of authentication replies,
+	#  un-comment the following line, and the 'detail reply_log'
+	#  section, above.
+#	reply_log
+
+	#
+	#  After authenticating the user, do another SQL query.
+	#
+	#  See "Authentication Logging Queries" in sql.conf
+#	sql
+
+	#
+	#  Instead of sending the query to the SQL server,
+	#  write it into a log file.
+	#
+#	sql_log
+
+	#
+	#  Un-comment the following if you have set
+	#  'edir_account_policy_check = yes' in the ldap module sub-section of
+	#  the 'modules' section.
+	#
+#	ldap
+
+	exec
+
+	#
+	#  Access-Reject packets are sent through the REJECT sub-section of the
+	#  post-auth section.
+	#
+	#  Add the ldap module name (or instance) if you have set 
+	#  'edir_account_policy_check = yes' in the ldap module configuration
+	#
+	Post-Auth-Type REJECT {
+		attr_filter.access_reject
+	}
+}
+
+#
+#  When the server decides to proxy a request to a home server,
+#  the proxied request is first passed through the pre-proxy
+#  stage.  This stage can re-write the request, or decide to
+#  cancel the proxy.
+#
+#  Only a few modules currently have this method.
+#
+pre-proxy {
+#	attr_rewrite
+
+	#  Uncomment the following line if you want to change attributes
+	#  as defined in the preproxy_users file.
+#	files
+
+	#  Uncomment the following line if you want to filter requests
+	#  sent to remote servers based on the rules defined in the
+	#  'attrs.pre-proxy' file.
+#	attr_filter.pre-proxy
+
+	#  If you want to have a log of packets proxied to a home
+	#  server, un-comment the following line, and the
+	#  'detail pre_proxy_log' section, above.
+#	pre_proxy_log
+}
+
+#
+#  When the server receives a reply to a request it proxied
+#  to a home server, the request may be massaged here, in the
+#  post-proxy stage.
+#
+post-proxy {
+
+	#  If you want to have a log of replies from a home server,
+	#  un-comment the following line, and the 'detail post_proxy_log'
+	#  section, above.
+#	post_proxy_log
+
+#	attr_rewrite
+
+	#  Uncomment the following line if you want to filter replies from
+	#  remote proxies based on the rules defined in the 'attrs' file.
+#	attr_filter.post-proxy
+
+	#
+	#  If you are proxying LEAP, you MUST configure the EAP
+	#  module, and you MUST list it here, in the post-proxy
+	#  stage.
+	#
+	#  You MUST also use the 'nostrip' option in the 'realm'
+	#  configuration.  Otherwise, the User-Name attribute
+	#  in the proxied request will not match the user name
+	#  hidden inside of the EAP packet, and the end server will
+	#  reject the EAP request.
+	#
+	eap
+
+	#
+	#  If the server tries to proxy a request and fails, then the
+	#  request is processed through the modules in this section.
+	#
+	#  The main use of this section is to permit robust proxying
+	#  of accounting packets.  The server can be configured to
+	#  proxy accounting packets as part of normal processing.
+	#  Then, if the home server goes down, accounting packets can
+	#  be logged to a local "detail" file, for processing with
+	#  radrelay.  When the home server comes back up, radrelay
+	#  will read the detail file, and send the packets to the
+	#  home server.
+	#
+	#  With this configuration, the server always responds to
+	#  Accounting-Requests from the NAS, but only writes
+	#  accounting packets to disk if the home server is down.
+	#
+#	Post-Proxy-Type Fail {
+#			detail
+#	}
+
+}
+
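Review bot: In the post-proxy section the reply filter `#	attr_filter.post-proxy` is left commented out (and likewise `#	attr_filter.pre-proxy` in pre-proxy), so attributes in Access-Accept/Reject replies from the home server are forwarded to the NAS unfiltered even though this changeset also ships the `attrs` and `attrs.pre-proxy` rule files. Since the stated purpose of this changeset is a RADIUS proxy, uncommenting `attr_filter.post-proxy` and `attr_filter.pre-proxy` is the one-line change I would expect here, with a comment such as `#  Enabled: this host proxies, so filter what the home server may inject`. Whether this file is actually linked from sites-enabled is not visible in the changeset, so this may be moot if another site is used. Note also that `Post-Proxy-Type Fail` stays commented, so accounting requests that cannot be proxied are acknowledged to the NAS but not written to a local detail file.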
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/sites-available/dhcp	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,193 @@
+# -*- text -*-
+######################################################################
+#
+#	This is a virtual server that handles DHCP.
+#
+#		!!!! WARNING !!!!
+#
+#	This code is experimental, and SHOULD NOT be used in a
+#	production system.  It is intended for validation and
+#	experimentation ONLY.
+#
+#	In order for this to work, you will need to run configure:
+#
+#		$ ./configure --with-dhcp
+#		$ make
+#		$ make install
+#
+#	DHCP is NOT enabled by default.
+#
+#	The goal of this effort is to get the code in front of
+#	people who are interested in another DHCP server.
+#	We NEED FEEDBACK, patches, bug reports, etc.  Especially patches!
+#
+#	Please contribute, or this work will be nothing more than
+#	a curiosity.
+#
+#
+#	Q: What does it do?
+#	A: It allows the server to receive DHCP packets, and to
+#	   respond with static, pre-configured DHCP responses.
+#
+#	Q: Does it do static/dynamic IP assignment?
+#	A: No.  Or, maybe.  Try it and see.
+#
+#	Q: Does it read ISC configuration or lease files?
+#	A: No.  Please submit patches.
+#
+#	Q: Does it have DHCP feature X?
+#	A: No.  Please submit patches.
+#
+#	Q: Does it support option 82?
+#	A: Yes.
+#
+#	Q: Does it support other options?
+#	A: Maybe.  See dictionary.dhcp.  Please submit patches.
+#
+#	Q: It doesn't seem to do much of anything!
+#	A: Exactly.
+#
+#	$Id: dhcp,v 1.1 2008/04/20 14:52:18 aland Exp $
+#
+######################################################################
+
+#
+#  The DHCP functionality goes into a virtual server.
+#
+server dhcp {
+
+#  This is part RADIUS legacy (sorry).  Clients have to be defined for
+#  DHCP.  This is not normal practice for a DHCP server, but it does
+#  enable a simple filter list of "known clients".
+#
+
+#  DHCP packets are normally sent with source IP address 0.0.0.0.
+#  If you want to accept packets from any IP, uncomment the "netmask"
+#  entry below, and delete the other "client" sections in this file.
+client any {
+	ipaddr = 0.0.0.0
+	#netmask = 0
+	dhcp = yes
+}
+
+#  For local testing.
+client localnet {
+	ipaddr = 127.0.0.0
+	netmask = 8
+	dhcp = yes
+}
+
+#  Define a DHCP socket.
+#
+#  The default port below is 6700, so you don't break your network.
+#  If you want it to do real DHCP, change this to 67, and good luck!
+#
+#  You can also bind the DHCP socket to an interface.
+#  See raddb/radiusd.conf for examples.
+#
+#  This lets you run *one* DHCP server instance and have it listen on
+#  multiple interfaces, each with a separate policy.
+listen {
+	ipaddr = *
+	port = 6700
+	type = dhcp
+}
+
+#  Packets received on the socket will be processed through one
+#  of the following sections, named after the DHCP packet type.
+#  See dictionary.dhcp for the packet types.
+dhcp DHCP-Discover {
+	update reply {
+	       DHCP-Message-Type = DHCP-Offer
+	}
+
+	#  The contents here are invented.  Change them!
+	update reply {
+	        DHCP-Domain-Name-Server = 127.0.0.1
+	        DHCP-Domain-Name-Server = 127.0.0.2
+		DHCP-Subnet-Mask = 255.255.255.0
+		DHCP-Router-Address = 192.168.1.1
+		DHCP-IP-Address-Lease-Time = 86400
+		DHCP-DHCP-Server-Identifier = 192.168.1.1
+	}
+
+	#  Do a simple mapping of MAC to assigned IP.
+	#
+	#  See below for the definition of the "mac2ip"
+	#  module.
+	#
+	#mac2ip
+
+	#  If the MAC wasn't found in that list, do something else.
+	#  You could call a Perl, Python, or Java script here.
+
+	#if (notfound) {
+	# ...
+	#}
+
+	ok
+}
+
+dhcp DHCP-Request {
+	update reply {
+	       DHCP-Message-Type = DHCP-Ack
+	}
+
+	#  The contents here are invented.  Change them!
+	update reply {
+	        DHCP-Domain-Name-Server = 127.0.0.1
+	        DHCP-Domain-Name-Server = 127.0.0.2
+		DHCP-Subnet-Mask = 255.255.255.0
+		DHCP-Router-Address = 192.168.1.1
+		DHCP-IP-Address-Lease-Time = 86400
+		DHCP-DHCP-Server-Identifier = 192.168.1.1
+	}
+
+	#  Do a simple mapping of MAC to assigned IP.
+	#
+	#  See below for the definition of the "mac2ip"
+	#  module.
+	#
+	#mac2ip
+
+	#  If the MAC wasn't found in that list, do something else.
+	#  You could call a Perl, Python, or Java script here.
+
+	#if (notfound) {
+	# ...
+	#}
+
+	ok
+}
+
+#  If there's no named section for the packet type, then the packet
+#  is processed through this section.
+dhcp {
+	# send a DHCP NAK.
+	reject
+}
+
+
+}
+
+######################################################################
+#
+#  This next section is a sample configuration for the "passwd"
+#  module, that reads flat-text files.  It should go into
+#  radiusd.conf, in the "modules" section.
+#
+#  The file is in the format <mac>,<ip>
+#
+#	00:01:02:03:04:05,192.168.1.100
+#	01:01:02:03:04:05,192.168.1.101
+#	02:01:02:03:04:05,192.168.1.102
+#
+#  This lets you perform simple static IP assignment.
+#
+######################################################################
+
+#passwd mac2vlan {
+#	filename = ${confdir}/mac2ip
+#	format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address"
+#	delimiter = ","
+#}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/sites-available/example	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,122 @@
+######################################################################
+#
+#	An example virtual server configuration.
+#
+#	$Id: example,v 1.2 2007/10/09 14:25:36 aland Exp $
+#
+######################################################################
+
+
+#
+#	This client will be available to any "listen" section that
+#	are defined outside of a virtual server section.  However,
+#	when the server receives a packet from this client, the
+#	request will be processed through the "example" virtual
+#	server, as the "client" section contains a configuration item
+#	to that effect.
+#
+#	Note that this client will be able to send requests to any
+#	port defined in a global "listen" section.  It will NOT,
+#	however, be able to send requests to a port defined in a
+#	"listen" section that is contained in a "server" section.
+#
+#	With careful matching of configurations, you should be able
+#	to:
+#
+#	- Define one authentication port, but process each client
+#	  through a separate virtual server.
+#
+#	- define multiple authentication ports, each with a private
+#	  list of clients.
+#
+#	- define multiple authentication ports, each of which may
+#	  have the same client listed, but with different shared
+#	  secrets
+#
+#	FYI: We use an address in the 192.0.2.* space for this example,
+#	as RFC 3330 says that that /24 range is used for documenation
+#	and examples, and should not appear on the net.  You shouldn't
+#	use it for anything, either.
+#
+client 192.0.2.10 {
+	shortname	= example-client
+	secret		= testing123
+	virtual_server  = example
+}
+
+######################################################################
+#
+#	An example virtual server.  It starts off with "server name {"
+#	The "name" is used to reference this server from a "listen"
+#	or "client" section.
+#
+######################################################################
+server example {
+	#
+	#	Listen on 192.0.2.1:1812 for Access-Requests
+	#
+	#	When the server receives a packet, it is processed
+	#	through the "authorize", etc. sections listed here,
+	#	NOT the global ones the "default" site.
+	#
+	listen {
+		ipaddr = 192.0.2.1
+		port = 1821
+		type = auth
+	}
+
+	#
+	#	This client is listed within the "server" section,
+	#	and is therefore known ONLY to the socket defined
+	#	in the "listen" section above.  If the client IP
+	#	sends a request to a different socket, the server
+	#	will treat it as an unknown client, and will not
+	#	respond.
+	#
+	#	In contrast, the client listed at the top of this file
+	#	is outside of any "server" section, and is therefore
+	#	global in scope.  It can send packets to any port
+	#	defined in a global "listen" section.  It CANNOT send
+	#	packets to the listen section defined above, though.
+	#
+	#	Note that you don't have to have a "virtual_server = example"
+	#	line here, as the client is encapsulated within
+	#	the "server" section.
+	#
+	client 192.0.2.9 {
+		shortname	= example-client
+		secret		= testing123
+	}
+
+	authorize {
+		#
+		#  Some example policies.  See "man unlang" for more.
+		#
+		if ("%{User-Name}" == "bob") {
+			update control {
+				Cleartext-Password := "bob"
+			}
+		}
+
+		#
+		#  And then reject the user.  The next line requires
+		#  that the "always reject {}" section is defined in
+		#  the "modules" section of radiusd.conf.
+		#
+		reject
+	}
+
+	authenticate {
+
+	}
+
+	post-auth {
+
+		Post-Auth-Type Reject {
+			update reply {
+				Reply-Message = "This is only an example."
+			}
+		}
+	}
+
+}
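Review bot: The listen block disagrees with its own comment: the comment says `Listen on 192.0.2.1:1812 for Access-Requests` but the directive is `port = 1821`; one of the two should change, and if 1812 is intended the fix is `port = 1812`. Both client entries in this file use `secret = testing123`, the well-known placeholder secret from the upstream example, so if this site is ever enabled the secrets should be replaced before any real NAS is pointed at it. This file is in sites-available, and nothing in the changeset shows it being linked into sites-enabled, so the impact depends on that.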
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/sites-available/inner-tunnel	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,405 @@
+# -*- text -*-
+######################################################################
+#
+#	This is a virtual server that handles *only* inner tunnel
+#	requests for EAP-TTLS and PEAP types.
+#
+#	$Id: inner-tunnel,v 1.6 2008/03/29 21:33:12 aland Exp $
+#
+######################################################################
+
+server inner-tunnel {
+
+#
+#  Un-comment the next section to perform test on the inner tunnel
+#  without needing an outer tunnel session.  The tests will not be
+#  exactly the same as when TTLS or PEAP are used, but they will
+#  be close enough for many tests.
+#
+#listen {
+#       ipaddr = 127.0.0.1
+#       port = 18120
+#       type = auth
+#}
+
+
+#  Authorization. First preprocess (hints and huntgroups files),
+#  then realms, and finally look in the "users" file.
+#
+#  The order of the realm modules will determine the order that
+#  we try to find a matching realm.
+#
+#  Make *sure* that 'preprocess' comes before any realm if you 
+#  need to setup hints for the remote radius server
+authorize {
+	#
+	#  The chap module will set 'Auth-Type := CHAP' if we are
+	#  handling a CHAP request and Auth-Type has not already been set
+	chap
+
+	#
+	#  If the users are logging in with an MS-CHAP-Challenge
+	#  attribute for authentication, the mschap module will find
+	#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
+	#  to the request, which will cause the server to then use
+	#  the mschap module for authentication.
+	mschap
+
+	#
+	#  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
+	#  using the system API's to get the password.  If you want
+	#  to read /etc/passwd or /etc/shadow directly, see the
+	#  passwd module, above.
+	#
+	unix
+
+	#
+	#  Look for IPASS style 'realm/', and if not found, look for
+	#  '@realm', and decide whether or not to proxy, based on
+	#  that.
+#	IPASS
+
+	#
+	#  If you are using multiple kinds of realms, you probably
+	#  want to set "ignore_null = yes" for all of them.
+	#  Otherwise, when the first style of realm doesn't match,
+	#  the other styles won't be checked.
+	#
+	#  Note that proxying the inner tunnel authentication means
+	#  that the user MAY use one identity in the outer session
+	#  (e.g. "anonymous", and a different one here
+	#  (e.g. "user@example.com").  The inner session will then be
+	#  proxied elsewhere for authentication.  If you are not
+	#  careful, this means that the user can cause you to forward
+	#  the authentication to another RADIUS server, and have the
+	#  accounting logs *not* sent to the other server.  This makes
+	#  it difficult to bill people for their network activity.
+	#
+	suffix
+#	ntdomain
+
+	#
+	#  The "suffix" module takes care of stripping the domain
+	#  (e.g. "@example.com") from the User-Name attribute, and the
+	#  next few lines ensure that the request is not proxied.
+	#
+	#  If you want the inner tunnel request to be proxied, delete
+	#  the next few lines.
+	#
+	update control {
+	       Proxy-To-Realm := LOCAL
+	}
+
+	#
+	#  This module takes care of EAP-MSCHAPv2 authentication.
+	#
+	#  It also sets the EAP-Type attribute in the request
+	#  attribute list to the EAP type from the packet.
+	#
+	#  The example below uses module failover to avoid querying all
+	#  of the following modules if the EAP module returns "ok".
+	#  Therefore, your LDAP and/or SQL servers will not be queried
+	#  for the many packets that go back and forth to set up TTLS
+	#  or PEAP.  The load on those servers will therefore be reduced.
+	#
+	eap {
+		ok = return
+	}
+
+	#
+	#  Read the 'users' file
+	files
+
+	#
+	#  Look in an SQL database.  The schema of the database
+	#  is meant to mirror the "users" file.
+	#
+	#  See "Authorization Queries" in sql.conf
+#	sql
+
+	#
+	#  If you are using /etc/smbpasswd, and are also doing
+	#  mschap authentication, the un-comment this line, and
+	#  configure the 'etc_smbpasswd' module, above.
+#	etc_smbpasswd
+
+	#
+	#  The ldap module will set Auth-Type to LDAP if it has not
+	#  already been set
+#	ldap
+
+	#
+	#  Enforce daily limits on time spent logged in.
+#	daily
+
+	#
+	# Use the checkval module
+#	checkval
+
+	expiration
+	logintime
+
+	#
+	#  If no other module has claimed responsibility for
+	#  authentication, then try to use PAP.  This allows the
+	#  other modules listed above to add a "known good" password
+	#  to the request, and to do nothing else.  The PAP module
+	#  will then see that password, and use it to do PAP
+	#  authentication.
+	#
+	#  This module should be listed last, so that the other modules
+	#  get a chance to set Auth-Type for themselves.
+	#
+	pap
+}
+
+
+#  Authentication.
+#
+#
+#  This section lists which modules are available for authentication.
+#  Note that it does NOT mean 'try each module in order'.  It means
+#  that a module from the 'authorize' section adds a configuration
+#  attribute 'Auth-Type := FOO'.  That authentication type is then
+#  used to pick the apropriate module from the list below.
+#
+
+#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
+#  will figure it out on its own, and will do the right thing.  The
+#  most common side effect of erroneously setting the Auth-Type
+#  attribute is that one authentication method will work, but the
+#  others will not.
+#
+#  The common reasons to set the Auth-Type attribute by hand
+#  is to either forcibly reject the user, or forcibly accept him.
+#
+authenticate {
+	#
+	#  PAP authentication, when a back-end database listed
+	#  in the 'authorize' section supplies a password.  The
+	#  password can be clear-text, or encrypted.
+	Auth-Type PAP {
+		pap
+	}
+
+	#
+	#  Most people want CHAP authentication
+	#  A back-end database listed in the 'authorize' section
+	#  MUST supply a CLEAR TEXT password.  Encrypted passwords
+	#  won't work.
+	Auth-Type CHAP {
+		chap
+	}
+
+	#
+	#  MSCHAP authentication.
+	Auth-Type MS-CHAP {
+		mschap
+	}
+
+	#
+	#  Pluggable Authentication Modules.
+#	pam
+
+	#
+	#  See 'man getpwent' for information on how the 'unix'
+	#  module checks the users password.  Note that packets
+	#  containing CHAP-Password attributes CANNOT be authenticated
+	#  against /etc/passwd!  See the FAQ for details.
+	#  
+	unix
+
+	# Uncomment it if you want to use ldap for authentication
+	#
+	# Note that this means "check plain-text password against
+	# the ldap database", which means that EAP won't work,
+	# as it does not supply a plain-text password.
+#	Auth-Type LDAP {
+#		ldap
+#	}
+
+	#
+	#  Allow EAP authentication.
+	eap
+}
+
+######################################################################
+#
+#	There are no accounting requests inside of EAP-TTLS or PEAP
+#	tunnels.
+#
+######################################################################
+
+
+#  Session database, used for checking Simultaneous-Use. Either the radutmp 
+#  or rlm_sql module can handle this.
+#  The rlm_sql module is *much* faster
+session {
+	radutmp
+
+	#
+	#  See "Simultaneous Use Checking Queries" in sql.conf
+#	sql
+}
+
+
+#  Post-Authentication
+#  Once we KNOW that the user has been authenticated, there are
+#  additional steps we can take.
+post-auth {
+	# Note that we do NOT assign IP addresses here.
+	# If you try to assign IP addresses for EAP authentication types,
+	# it WILL NOT WORK.  You MUST use DHCP.
+
+	#
+	#  If you want to have a log of authentication replies,
+	#  un-comment the following line, and the 'detail reply_log'
+	#  section, above.
+#	reply_log
+
+	#
+	#  After authenticating the user, do another SQL query.
+	#
+	#  See "Authentication Logging Queries" in sql.conf
+#	sql
+
+	#
+	#  Instead of sending the query to the SQL server,
+	#  write it into a log file.
+	#
+#	sql_log
+
+	#
+	#  Un-comment the following if you have set
+	#  'edir_account_policy_check = yes' in the ldap module sub-section of
+	#  the 'modules' section.
+	#
+#	ldap
+
+	#
+	#  Access-Reject packets are sent through the REJECT sub-section of the
+	#  post-auth section.
+	#
+	#  Add the ldap module name (or instance) if you have set 
+	#  'edir_account_policy_check = yes' in the ldap module configuration
+	#
+	Post-Auth-Type REJECT {
+		attr_filter.access_reject
+	}
+
+	#
+	#  The example policy below updates the outer tunnel reply
+	#  (usually Access-Accept) with the User-Name from the inner
+	#  tunnel User-Name.  Since this section is processed in the
+	#  context of the inner tunnel, "request" here means "inner
+	#  tunnel request", and "outer.reply" means "outer tunnel
+	#  reply attributes".
+	#
+	#  This example is most useful when the outer session contains
+	#  a User-Name of "anonymous@....", or a MAC address.  If it
+	#  is enabled, the NAS SHOULD use the inner tunnel User-Name
+	#  in subsequent accounting packets.  This makes it easier to
+	#  track user sessions, as they will all be based on the real
+	#  name, and not on "anonymous".
+	#
+	#  The problem with doing this is that it ALSO exposes the
+	#  real user name to any intermediate proxies.  People use
+	#  "anonymous" identifiers outside of the tunnel for a very
+	#  good reason: it gives them more privacy.  Setting the reply
+	#  to contain the real user name removes ALL privacy from
+	#  their session.
+	#
+	#  If you want privacy to remain, see the
+	#  Chargeable-User-Identity attribute from RFC 4372.  In order
+	#  to use that attribute, you will have to allocate a
+	#  per-session identifier for the user, and store it in a
+	#  long-term database (e.g. SQL).  You should also use that
+	#  attribute INSTEAD of the configuration below.
+	#
+	#update outer.reply {
+	#	User-Name = "%{request:User-Name}"
+	#}
+
+}
+
+#
+#  When the server decides to proxy a request to a home server,
+#  the proxied request is first passed through the pre-proxy
+#  stage.  This stage can re-write the request, or decide to
+#  cancel the proxy.
+#
+#  Only a few modules currently have this method.
+#
+pre-proxy {
+#	attr_rewrite
+
+	#  Uncomment the following line if you want to change attributes
+	#  as defined in the preproxy_users file.
+#	files
+
+	#  Uncomment the following line if you want to filter requests
+	#  sent to remote servers based on the rules defined in the
+	#  'attrs.pre-proxy' file.
+#	attr_filter.pre-proxy
+
+	#  If you want to have a log of packets proxied to a home
+	#  server, un-comment the following line, and the
+	#  'detail pre_proxy_log' section, above.
+#	pre_proxy_log
+}
+
+#
+#  When the server receives a reply to a request it proxied
+#  to a home server, the request may be massaged here, in the
+#  post-proxy stage.
+#
+post-proxy {
+
+	#  If you want to have a log of replies from a home server,
+	#  un-comment the following line, and the 'detail post_proxy_log'
+	#  section, above.
+#	post_proxy_log
+
+#	attr_rewrite
+
+	#  Uncomment the following line if you want to filter replies from
+	#  remote proxies based on the rules defined in the 'attrs' file.
+#	attr_filter.post-proxy
+
+	#
+	#  If you are proxying LEAP, you MUST configure the EAP
+	#  module, and you MUST list it here, in the post-proxy
+	#  stage.
+	#
+	#  You MUST also use the 'nostrip' option in the 'realm'
+	#  configuration.  Otherwise, the User-Name attribute
+	#  in the proxied request will not match the user name
+	#  hidden inside of the EAP packet, and the end server will
+	#  reject the EAP request.
+	#
+	eap
+
+	#
+	#  If the server tries to proxy a request and fails, then the
+	#  request is processed through the modules in this section.
+	#
+	#  The main use of this section is to permit robust proxying
+	#  of accounting packets.  The server can be configured to
+	#  proxy accounting packets as part of normal processing.
+	#  Then, if the home server goes down, accounting packets can
+	#  be logged to a local "detail" file, for processing with
+	#  radrelay.  When the home server comes back up, radrelay
+	#  will read the detail file, and send the packets to the
+	#  home server.
+	#
+	#  With this configuration, the server always responds to
+	#  Accounting-Requests from the NAS, but only writes
+	#  accounting packets to disk if the home server is down.
+	#
+#	Post-Proxy-Type Fail {
+#			detail
+#	}
+
+}
+
+} # inner-tunnel server block
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/sites-available/proxy-inner-tunnel	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,47 @@
+# -*- text -*-
+######################################################################
+#
+#	This is a virtual server that handles *only* inner tunnel
+#	requests for EAP-TTLS and PEAP types.
+#
+#	$Id: proxy-inner-tunnel,v 1.3 2008/02/13 09:27:18 aland Exp $
+#
+######################################################################
+
+server proxy-inner-tunnel {
+
+#
+#  This example is very simple.  All inner tunnel requests get
+#  proxied to another RADIUS server.
+#
+authorize {
+	#
+	#  Do other things here, as necessary.
+	#
+	#  e.g. run the "realms" module, to decide how to proxy
+	#  the inner tunnel request.
+	#
+
+	update control {
+		#  You should update this to be one of your realms.
+		Proxy-To-Realm := "example.com"
+	}
+}
+
+authenticate {
+	#
+	#  This is necessary so that the inner tunnel EAP-MSCHAPv2
+	#  method can be called.  That method takes care of turning
+	#  EAP-MSCHAPv2 into plain MS-CHAPv2, if necessary.
+	eap
+}
+
+post-proxy {
+	#
+	#  This is necessary for LEAP, or if you set:
+	#
+	#  proxy_tunneled_request_as_eap = no
+	#
+	eap
+}
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/sites-available/robust-proxy-accounting	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,174 @@
+# -*- text -*-
+######################################################################
+#
+#	This is a sample configuration for robust proxy accounting.
+#	accounting packets are proxied, OR logged locally if all
+#	home servers are down.  When the home servers come back up,
+#	the accounting packets are forwarded.
+#
+#	This method enables the server to proxy all packets to the
+#	home servers when they're up, AND to avoid writing to the
+#	detail file in most situations.
+#
+#	In most situations, proxying of accounting messages is done
+#	in a "pass-through" fashion.  If the home server does not
+#	respond, then the proxy server does not respond to the NAS.
+#	That means that the NAS must retransmit packets, sometimes
+#	forever.  This example shows how the proxy server can still
+#	respond to the NAS, even if all home servers are down.
+#
+#	This configuration could be done MUCH more simply if ALL
+#	packets were written to the detail file.  But that would
+#	involve a lot more disk writes, which may not be a good idea.
+#
+#	This file is NOT meant to be used as-is.  It needs to be
+#	edited to match your local configuration.
+#
+#	$Id: robust-proxy-accounting,v 1.2 2008/04/28 14:53:17 aland Exp $
+#
+######################################################################
+
+#  (1) Define two home servers.
+home_server home1.example.com {
+	type = acct
+	ipaddr = 192.0.2.10
+	port = 1813
+	secret = testing123
+
+	#  Mark this home server alive ONLY when it starts being responsive
+	status_check = request
+	username = "test_user_status_check"
+
+	#  Set the response timeout aggressively low.
+	#  You MAY have to increase this, depending on tests with
+	#  your local installation.
+	response_window = 6
+}
+
+home_server home2.example.com {
+	type = acct
+	ipaddr = 192.0.2.20
+	port = 1813
+	secret = testing123
+
+	#  Mark this home server alive ONLY when it starts being responsive
+	status_check = request
+	username = "test_user_status_check"
+
+	#  Set the response timeout aggressively low.
+	#  You MAY have to increase this, depending on tests with
+	#  your local installation.
+	response_window = 6
+}
+
+#  (2) Define a virtual server to be used when both of the
+#  home servers are down.
+home_server acct_detail.example.com {
+	virtual_server = acct_detail.example.com
+}
+
+#  Put all of the servers into a pool.
+home_server_pool acct_pool.example.com {
+	type = load-balance	# other types are OK, too.
+
+	home_server = home1.example.com
+	home_server = home2.example.com
+	# add more home_server's here.
+
+	# If all home servers are down, try a home server that
+	# is a local virtual server.
+	fallback = acct_detail.example.com
+
+	# for pre/post-proxy policies
+	virtual_server = home.example.com
+}
+
+#  (3) Define a realm for these home servers.
+#  It should NOT be used as part of normal proxying decisions!
+realm acct_realm.example.com {
+	acct_pool = acct_pool.example.com
+}
+
+#  (4) Define a detail file writer.  This next section MUST be
+#  copied to the "modules" section of radiusd.conf, and un-commented
+#
+#  We write *multiple* detail files here.  They will be processed
+#  in the order that they were created.  The directory containing
+#  these files should NOT be used for any other purposes.  That is,
+#  it should have NO other files in it.
+#
+#  Writing multiple detail enables the server to process the pieces
+#  in smaller chunks.  This helps in certain catastrophic corner cases.
+#  (e.g. home servers down for days...)
+#
+#detail detail.example.com {
+#	detailfile = ${radacctdir}/detail.example.com/detail-%Y%m%d:%H
+#}
+
+
+#  (5) Define the virtual server to write the packets to the detail file
+#  This will be called when ALL home servers are down, because of the
+#  "fallback" configuration in the home server pool.
+virtual_server acct_detail.example.com {
+	accounting {
+		detail.example.com
+	}
+}
+
+#  (6) Define a virtual server to handle pre/post-proxy re-writing
+virtual_server home.example.com {
+	pre-proxy {
+		#  Insert pre-proxy rules here
+	}
+
+	post-proxy {
+		#  Insert post-proxy rules here
+
+		#  This will be called when the CURRENT packet failed
+		#  to be proxied.  This may happen when one home server
+		#  suddenly goes down, even though another home server
+		#  may be alive.
+		#
+		#  i.e. the current request has run out of time, so it
+		#  cannot fail over to another (possibly) alive server.
+		#
+		#  We want to respond to the NAS, so that it can stop
+		#  re-sending the packet.  We write the packet to the
+		#  "detail" file, where it will be read, and sent to
+		#  another home server.
+		#
+		Post-Proxy-Type Fail {
+			detail.example.com
+		}
+	}
+
+
+	#  Read accounting packets from the detail file(s) for
+	#  the home server.
+	listen {
+		type = detail
+		filename = "${radacctdir}/detail.example.com/detail-*:*"
+		load_factor = 10
+	}
+
+	#  All packets read from the detail file are proxied back to
+	#  the home servers.
+	#
+	#  The normal pre/post-proxy rules are applied to them, too.
+	#
+	#  If the home servers are STILL down, then the server stops
+	#  reading the detail file, and queues the packets for a later
+	#  retransmission.  The Post-Proxy-Type "Fail" handler is NOT
+	#  called.
+	#
+	#  When the home servers come back up, the packets are forwarded,
+	#  and the detail file processed as normal.
+	accounting {
+		# You may want accounting policies here...
+
+		update control {
+			Proxy-To-Realm := "acct_realm.example.com"
+		}
+	}
+
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/sites-available/virtual.example.com	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,26 @@
+# -*- text -*-
+######################################################################
+#
+#	Sample virtual server for internally proxied requests.
+#
+#	See the "realm virtual.example.com" example in "proxy.conf".
+#
+#	$Id: virtual.example.com,v 1.1 2008/04/01 10:20:59 aland Exp $
+#
+######################################################################
+
+#
+#  Sample contents: just do everything that the default configuration does.
+#
+#  You WILL want to edit this to your local needs.  We suggest copying
+#  the "default" file here, and then editing it.  That way, any
+#  changes to the 'default" file will not affect this virtual server,
+#  and vice-versa.
+#
+#  When this virtual server receives the request, the original
+#  attributes can be accessed as "outer.request", "outer.control", etc.
+#  See "man unlang" for more details.
+#
+server virtual.example.com {
+$INCLUDE	${confdir}/sites-available/default
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/sites-available/vmps	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,90 @@
+# -*- text -*-
+######################################################################
+#
+#	As of version 2.0.0, the server also supports the VMPS
+#	protocol.
+#
+#	$Id: vmps,v 1.7 2008/04/01 08:20:13 aland Exp $
+#
+######################################################################
+
+server vmps {
+	listen {
+		# VMPS sockets only support IPv4 addresses.
+		ipaddr = *
+
+		#  Port on which to listen.
+		#  Allowed values are:
+		#	integer port number
+		#	1589 is the default VMPS port.
+		port = 1589
+
+		#  Type of packets to listen for.  Here, it is VMPS.
+		type = vmps
+
+		#  Some systems support binding to an interface, in addition
+		#  to the IP address.  This feature isn't strictly necessary,
+		#  but for sites with many IP addresses on one interface,
+		#  it's useful to say "listen on all addresses for
+		#  eth0".
+		#
+		#  If your system does not support this feature, you will
+		#  get an error if you try to use it.
+		#
+		#	interface = eth0
+	}
+
+	#  If you have switches that are allowed to send VMPS, but NOT
+	#  RADIUS packets, then list them here as "client" sections.
+	#
+	#  Note that for compatibility with RADIUS, you still have to
+	#  list a "secret" for each client, though that secret will not
+	#  be used for anything.
+
+
+	#  And the REAL contents.  This section is just like the
+	#  "post-auth" section of radiusd.conf.  In fact, it calls the
+	#  "post-auth" component of the modules that are listed here.
+	#  But it's called "vmps" to highlight that it's for VMPS.
+	#
+	vmps {
+		#
+		#  Some requests may not have a MAC address.  Try to
+		#  create one using other attributes.
+		if (!VMPS-Mac) {
+			if (VMPS-Ethernet-Frame =~ /0x.{12}(..)(..)(..)(..)(..)(..).*/) {
+        			update request {
+					VMPS-Mac = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}"
+				}
+			}
+			else {
+				update request {
+					VMPS-Mac = "%{VMPS-Cookie}"
+				}
+			}
+		}
+
+		#  Do a simple mapping of MAC to VLAN.
+		#
+		#  See radiusd.conf for the definition of the "mac2vlan"
+		#  module.
+		#
+		#mac2vlan
+
+		# required VMPS reply attributes
+		update reply {
+			VMPS-Packet-Type = VMPS-Join-Response
+			VMPS-Cookie = "%{VMPS-Mac}"
+
+			VMPS-VLAN-Name = "please_use_real_vlan_here"
+
+			#
+			#  If you have VLAN's in a database, you can select
+			#  the VLAN name based on the MAC address.
+			#
+			#VMPS-VLAN-Name = "%{sql:select ... where mac='%{VMPS-Mac}'}"
+		}
+	}
+
+	# Proxying of VMPS requests is NOT supported.
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/snmp.conf	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,46 @@
+# -*- text -*-
+##
+## snmp.conf -- snmp configuration directives
+##
+##	$Id: snmp.conf,v 1.4 2007/12/31 03:31:16 aland Exp $
+
+#######################################################################
+#
+#  SNMP configuration
+#
+#  NOTE: This part is only working if your radiusd is compiled with SNMP
+#  support.
+#
+#  smux_password: Password used for SMUX registration.
+#
+#  Specifies password used when connecting to the SNMP master agent.
+#  This must match the password as configured on the agent. The OID
+#  used to register the radius subagent is 1.3.6.1.4.1.11344.1.1.1.
+#  A sample entry for the ucd-snmp deamon looks like this:
+#
+#  smuxpeer .1.3.6.1.4.1.11344.1.1.1 verysecret
+#
+#  A sample entry for AIX 4.3 is:
+#
+#  smux 1.3.6.1.4.1.11344.1.1.1 verysecret
+#
+#  The default password is an empty password.
+#
+#smux_password = verysecret
+
+#
+#  snmp_write_access:
+#
+#  Controls if write access to the radiusd via SNMP is enabled or not.
+#  Set this value to yes, if you want to be able to reload radiusd from
+#  your network management station.
+#
+#  For this to work, you also have to make sure that your master agent
+#  is configured to allow SNMP set requests. For security reasons, this
+#  setting defaults to no.
+#
+# allowed values: {no, yes}
+#
+#snmp_write_access = yes
+
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/sql.conf	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,94 @@
+# -*- text -*-
+##
+## sql.conf -- SQL modules
+##
+##	$Id: sql.conf,v 1.61 2007/12/31 03:31:16 aland Exp $
+
+######################################################################
+#
+#  Configuration for the SQL module
+#
+#  The database schemas and queries are located in subdirectories:
+#
+#	sql/DB/schema.sql	Schema
+#	sql/DB/dialup.conf	Basic dialup (including policy) queries
+#	sql/DB/counter.conf	counter
+#	sql/DB/ippool.conf	IP Pools in SQL
+#	sql/DB/ippool.sql	schema for IP pools.
+#
+#  Where "DB" is mysql, mssql, oracle, or postgresql.
+#
+
+sql {
+	#
+	#  Set the database to one of:
+	#
+	#	mysql, mssql, oracle, postgresql
+	#
+	database = "mysql"
+
+	#
+	#  Which FreeRADIUS driver to use.
+	#
+	driver = "rlm_sql_${database}"
+
+	# Connection info:
+	server = "localhost"
+	login = "radius"
+	password = "radpass"
+
+	# Database table configuration for everything except Oracle
+	radius_db = "radius"
+	# If you are using Oracle then use this instead
+        # radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))"
+
+	# If you want both stop and start records logged to the
+	# same SQL table, leave this as is.  If you want them in
+	# different tables, put the start table in acct_table1
+	# and stop table in acct_table2
+	acct_table1 = "radacct"
+	acct_table2 = "radacct"
+
+	# Allow for storing data after authentication
+	postauth_table = "radpostauth"
+
+	authcheck_table = "radcheck"
+	authreply_table = "radreply"
+
+	groupcheck_table = "radgroupcheck"
+	groupreply_table = "radgroupreply"
+
+	# Table to keep group info
+	usergroup_table = "radusergroup"
+
+	# If set to 'yes' (default) we read the group tables
+	# If set to 'no' the user MUST have Fall-Through = Yes in the radreply table
+	# read_groups = yes
+
+	# Remove stale session if checkrad does not see a double login
+	deletestalesessions = yes
+
+	# Print all SQL statements when in debug mode (-x)
+	sqltrace = no
+	sqltracefile = ${logdir}/sqltrace.sql
+
+	# number of sql connections to make to server
+	num_sql_socks = 5
+
+	# number of seconds to dely retrying on a failed database
+	# connection (per_socket)
+	connect_failure_retry_delay = 60
+
+	# Set to 'yes' to read radius clients from the database ('nas' table)
+	# Clients will ONLY be read on server startup.  For performance
+	# and security reasons, finding clients via SQL queries CANNOT
+	# be done "live" while the server is running.
+	# 
+	#readclients = yes
+
+	# Table to keep radius client info
+	nas_table = "nas"
+
+	# Read driver-specific configuration
+	$INCLUDE sql/${database}/dialup.conf
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/sqlippool.conf	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,53 @@
+##  Configuration for the SQL based IP Pool module (rlm_sqlippool)
+##
+##  The database schemas are available at:
+##
+##       doc/examples/*.sql
+##
+##  $Id: sqlippool.conf,v 1.15 2007/12/23 13:54:55 pnixon Exp $
+
+sqlippool {
+
+ #########################################
+ ## SQL instance to use (from sql.conf) ##
+ #########################################
+ sql-instance-name = "sql"
+
+ ## SQL table to use for ippool range and lease info
+ ippool_table = "radippool"
+
+ ## IP lease duration. (Leases expire even if Acct Stop packet is lost)
+ lease-duration = 3600
+
+ ## Attribute which should be considered unique per NAS
+ ## Using NAS-Port gives behaviour similar to rlm_ippool. (And ACS)
+ ## Using Calling-Station-Id works for NAS that send fixed NAS-Port
+ ## ONLY change this if you know what you are doing!
+ pool-key = "%{NAS-Port}"
+ # pool-key = "%{Calling-Station-Id}"
+
+ ################################################################
+ ## Uncomment the appropriate config file for your SQL dialect ##
+ ################################################################
+
+ # $INCLUDE sql/mysql/ippool.conf
+ $INCLUDE sql/postgresql/ippool.conf
+
+
+ ## Logging configuration. (Comment out to disable logging)
+ sqlippool_log_exists = "Existing IP: %{reply:Framed-IP-Address} \
+  (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
+
+ sqlippool_log_success = "Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} \
+  (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
+
+ sqlippool_log_clear = "Released IP %{Framed-IP-Address}\
+ (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
+
+ sqlippool_log_failed = "IP Allocation FAILED from %{control:Pool-Name} \
+  (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
+
+ sqlippool_log_nopool = "No Pool-Name defined \
+  (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
+
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/templates.conf	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,104 @@
+# -*- text -*-
+##
+## templates.conf -- configurations to be used in multiple places
+##
+##	$Id: templates.conf,v 1.3 2007/12/31 03:26:59 aland Exp $
+
+######################################################################
+#
+#  Version 2.0 has a useful new feature called "templates".
+#
+#  Use templates by adding a line in radiusd.conf:
+#
+#	$INCLUDE templates.conf
+#
+#  The goal of the templates is to have common configuration located
+#  in this file, and to list only the *differences* in the individual
+#  sections.  This feature is most useful for sections like "clients"
+#  or "home_servers", where many may be defined, and each one has
+#  similar repeated configuration.
+#
+#  Something similar to templates can be done by putting common
+#  configuration into separate files, and using "$INCLUDE file...",
+#  but this is more flexible, and simpler to understand.  It's also
+#  cheaper for the server, because "$INCLUDE" makes a copy of the
+#  configuration for inclusion, and templates are simply referenced.
+#
+#  The templates are defined in the "templates" section, so that they
+#  do not affect the rest of the server configuration.
+#
+#  A section can reference a template by using "$template name"
+#
+templates {
+	  #
+	  #  The contents of the templates section are other
+	  #  configuration sections that would normally go into
+	  #  the configuration files.
+	  #
+
+	  #
+	  #  This is a default template for the "home_server" section.
+	  #  Note that there is no name for the section.
+	  #
+	  #  Any configuration item that is valid for a "home_server"
+	  #  section is also valid here.  When a "home_server" section
+	  #  is defined in proxy.conf, this section is referenced as
+	  #  the template.
+	  #
+	  #  Configuration items that are explicitly listed in a
+	  #  "home_server" section of proxy.conf are used in
+	  #  preference to the configuration items listed here.
+	  #
+	  #  However, if a configuration item is NOT listed in a
+	  #  "home_server" section of proxy.conf, then the value here
+	  #  is used.
+	  #
+	  #  This functionality lets you put common configuration into
+	  #  a template, and to put only the unique configuration
+	  #  items in "proxy.conf".  Each section in proxy.conf can
+	  #  then contain a line "$template home_server", which will
+	  #  cause it to reference this template.
+	  #
+	  home_server {
+		      	response_window = 20
+			zombie_period = 40
+			revive_interval = 120
+			#
+			#  Etc.
+	  }
+
+	  #
+	  #  You can also have named templates.  For example, if you
+	  #  are proxying to 3 different home servers all at the same
+	  #  site, with identical configurations (other than IP
+	  #  addresses), you can use this named template.
+	  #
+
+	  #  Then, each "home_server" section in "proxy.conf" would
+	  #  only list the IP address of that home server, and a
+	  #  line saying
+	  #
+	  #		template = example.com
+	  #
+	  #  That would tell FreeRADIUS to look in the section below
+	  #  for the rest of the configuration items.
+	  #
+	  home_server example.com {
+		      type = auth
+		      port = 1812
+		      secret = testing123
+		      response_window = 20
+		      #
+		      # Etc...
+	  }
+
+	  #
+	  #  You can have templates for other sections, too, but they
+	  #  seem to be most useful for home_servers.
+	  #
+	  #  For now, you can use templates only for sections in
+	  #  radiusd.conf, not sub-sections.  So you still have to use
+	  #  the "$INCLUDE file.." method for things like defining
+	  #  multiple "sql" modules, each with similar configuration.
+	  #	  
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/radpxy.eap.testbed.aaa/freeradius/users	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,1 @@
+DEFAULT	Proxy-To-Realm := "eap.testbed.aaa"
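Review bot: The single `DEFAULT` entry has no check items on its left-hand side, so every request the proxy receives is handed to realm eap.testbed.aaa regardless of the realm (or lack of one) in its User-Name; nothing is ever authenticated or rejected locally. If that catch-all is what the testbed proxy is meant to do, record it in the file, e.g. `# Catch-all: forward every request to realm eap.testbed.aaa (realm must exist in proxy.conf)`, so the next reader does not mistake it for an oversight. Whether proxy.conf actually defines that realm is not visible from this hunk.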
--- a/conf/supauth3.eap.testbed.aaa/hostapd/hostapd.conf	Mon Aug 30 15:24:36 2010 +0900
+++ b/conf/supauth3.eap.testbed.aaa/hostapd/hostapd.conf	Thu Sep 16 14:23:42 2010 +0900
@@ -24,7 +24,7 @@
 nas_identifier=supauth3.eap.testbed.aaa
 auth_server_addr=192.168.105.60
 auth_server_port=1812
-auth_server_shared_secret=radiusecret3.1a
+auth_server_shared_secret=radiusecret3.1
 acct_server_addr=192.168.105.60
 acct_server_port=1813
-acct_server_shared_secret=radiusecret3.1b
+acct_server_shared_secret=radiusecret3.1
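Review bot: The authentication and accounting servers now share one secret (`radiusecret3.1`) where the previous configuration deliberately used distinct values, and the commit message does not say why. If the reason is that the new FreeRADIUS proxy accepts only one `secret` per client entry, a comment above `auth_server_shared_secret=` such as `# one secret for auth and acct: the proxy's client entry defines a single secret` would stop a later reader from "fixing" it back. Since these secrets are committed in cleartext, marking them as testbed-only values in the same comment would also be useful.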
--- a/mrb/eap_testbed.sh	Mon Aug 30 15:24:36 2010 +0900
+++ b/mrb/eap_testbed.sh	Thu Sep 16 14:23:42 2010 +0900
@@ -24,6 +24,10 @@
 	./vm_start.sh "eap-gw.eap.testbed.aaa" &
 	sleep 3
 	./vm_start.sh "eap-backend.eap.testbed.aaa" &
+	sleep 3
+	./vm_start.sh "eap-supauth3.eap.testbed.aaa" &
+	sleep 3
+	./vm_start.sh "eap-radpxy.eap.testbed.aaa" &
 	#sleep 3
 	#./vm_start.sh "eap-opendiam.eap.testbed.aaa" &
 	
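Review bot: The two new `./vm_start.sh ... &` lines follow the arm's existing pattern of backgrounding each start without ever checking its status, so a VM that fails to come up is silently ignored; the pause and stop hunks below share the same pattern, and their bare `wait` discards every job's exit code as well. Collecting the PIDs and waiting on each one, e.g. `pids+=($!)` after each call and `for p in "${pids[@]}"; do wait "$p" || rc=1; done`, would surface the failure to the caller. The `start` arm continues outside this hunk, so whether it waits at all is not visible here.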
@@ -38,6 +42,8 @@
 	./vm_pause.sh "eap-supauth2.eap.testbed.aaa" &
 	./vm_pause.sh "eap-gw.eap.testbed.aaa" &
 	./vm_pause.sh "eap-backend.eap.testbed.aaa" &
+	./vm_pause.sh "eap-supauth3.eap.testbed.aaa" &
+	./vm_pause.sh "eap-radpxy.eap.testbed.aaa" &
 	#./vm_pause.sh "eap-opendiam.eap.testbed.aaa" &
 	wait
 	;;
@@ -49,6 +55,8 @@
 	./vm_stop.sh "eap-supauth2.eap.testbed.aaa" &
 	./vm_stop.sh "eap-gw.eap.testbed.aaa" &
 	./vm_stop.sh "eap-backend.eap.testbed.aaa" &
+	./vm_stop.sh "eap-supauth3.eap.testbed.aaa" &
+	./vm_stop.sh "eap-radpxy.eap.testbed.aaa" &
 	#./vm_stop.sh "eap-opendiam.eap.testbed.aaa" &
 	wait
 	;;
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/scripts/freeradius-install.sh	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,9 @@
+#!/bin/bash -x
+
+# Install software
+aptitude -y install freeradius || exit 1
+
+# Install the link to the configuration
+/home/aaa/installvm.sh conflink
+
+
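Review bot: `/home/aaa/installvm.sh conflink` on the last non-empty line runs unchecked, whereas the `aptitude` line above it aborts on failure; with no `set -e` in the script, a failed conflink step presumably leaves freeradius installed without its configuration link and still exits 0. Make it `/home/aaa/installvm.sh conflink || exit 1` for consistency with the line above. Also, `-x` in the shebang is lost when the script is invoked as `bash freeradius-install.sh`; `set -x` as the first line of the body is the robust form.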
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/scripts/freeradius-run.sh	Thu Sep 16 14:23:42 2010 +0900
@@ -0,0 +1,11 @@
+#!/bin/bash -x
+
+DATE=`date +%Y%m%d-%H%M%S`;
+HOST=`hostname --fqdn`;
+
+ulimit -c 1000000
+rm -f core*
+
+echo fr-$HOST-$DATE.log > /home/aaa/logs/LATEST-$HOST-fr.log
+freeradius -d /root/conf/freeradius -f -X 2>&1 | tee -i /home/aaa/logs/fr-$HOST-$DATE.log
+
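Review bot: `$HOST` and `$DATE` are expanded unquoted in the `echo` redirection and the `tee` argument, and `rm -f core*` runs in whatever directory the caller happened to be in, since nothing in the script changes directory; quoting the expansions and anchoring the core cleanup to an explicit directory make the script safe to run from anywhere. The backtick assignments with trailing `;` are better written as `$(...)`, and `-x` belongs in a `set -x` line rather than the shebang. Worth a comment as well: `ulimit -c 1000000` enables core dumps of a daemon whose memory holds the RADIUS shared secrets, and `-X` writes full packet contents to the tee'd log, so both locations should be readable only by the operator. Note that the pipeline's exit status is tee's, not freeradius's, so a daemon failure is not reported by this script.
```shell
#!/bin/bash
set -x

DATE=$(date +%Y%m%d-%H%M%S)
HOST=$(hostname --fqdn)
LOGDIR=/home/aaa/logs

ulimit -c 1000000
# core* is relative to the cwd; make the directory explicit (placeholder path)
cd /path/to/core/dir || exit 1
rm -f -- core*

echo "fr-${HOST}-${DATE}.log" > "${LOGDIR}/LATEST-${HOST}-fr.log"
freeradius -d /root/conf/freeradius -f -X 2>&1 | tee -i "${LOGDIR}/fr-${HOST}-${DATE}.log"
```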