X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=raddb%2Fexperimental.conf;h=e2488af94a447319d25692a6e4da4ad2c41b4dd1;hb=HEAD;hp=523ce448035c6318205bd7b5e6a289851e9d4bdd;hpb=50b4679469ee5ede28248a9c298f08fdb9ef45ac;p=freeradius.git
diff --git a/raddb/experimental.conf b/raddb/experimental.conf
index 523ce44..e2488af 100644
--- a/raddb/experimental.conf
+++ b/raddb/experimental.conf
@@ -39,8 +39,20 @@
 mod_accounting = radiusd_test
 func_accounting = accounting
- mod_preacct = radiusd_test
- func_preacct = preacct
+ mod_pre_proxy = radiusd_test
+ func_pre_proxy = pre_proxy
+
+ mod_post_proxy = radiusd_test
+ func_post_proxy = post_proxy
+
+ mod_post_auth = radiusd_test
+ func_post_auth = post_auth
+
+ mod_recv_coa = radiusd_test
+ func_recv_coa = recv_coa
+
+ mod_send_coa = radiusd_test
+ func_send_coa = send_coa
 mod_detach = radiusd_test
 func_detach = detach
@@ -75,139 +87,7 @@
 }
 }
-
- # This module is an SQL enabled version of the counter module.
- #
- # Rather than maintaining seperate (GDBM) databases of
- # accounting info for each counter, this module uses the data
- # stored in the raddacct table by the sql modules. This
- # module NEVER does any database INSERTs or UPDATEs. It is
- # totally dependent on the SQL module to process Accounting
- # packets.
- #
- # The 'sqlmod_inst' parameter holds the instance of the sql
- # module to use when querying the SQL database. Normally it
- # is just "sql". If you define more and one SQL module
- # instance (usually for failover situations), you can
- # specify which module has access to the Accounting Data
- # (radacct table).
- #
- # The 'reset' parameter defines when the counters are all
- # reset to zero. It can be hourly, daily, weekly, monthly or
- # never. It can also be user defined. It should be of the
- # form:
- # num[hdwm] where:
- # h: hours, d: days, w: weeks, m: months
- # If the letter is ommited days will be assumed. In example:
- # reset = 10h (reset every 10 hours)
- # reset = 12 (reset every 12 days)
- #
- # The 'key' parameter specifies the unique identifier for the
- # counter records (usually 'User-Name').
- #
- # The 'query' parameter specifies the SQL query used to get
- # the current Counter value from the database. There are 3
- # parameters that can be used in the query:
- # %k 'key' parameter
- # %b unix time value of beginning of reset period
- # %e unix time value of end of reset period
- #
- #
- # The 'check-name' parameter is the name of the 'check'
- # attribute to use to access the counter in the 'users' file
- # or SQL radcheck or radcheckgroup tables.
- #
- # DEFAULT Max-Daily-Session > 3600, Auth-Type = Reject
- # Reply-Message = "You've used up more than one hour today"
- #
- sqlcounter dailycounter {
- counter-name = Daily-Session-Time
- check-name = Max-Daily-Session
- sqlmod-inst = sqlcca3
- key = User-Name
- reset = daily
-
- # This query properly handles calls that span from the
- # previous reset period into the current period but
- # involves more work for the SQL server than those
- # below
- query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
-
- # This query ignores calls that started in a previous
- # reset period and continue into into this one. But it
- # is a little easier on the SQL server
- # query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"
-
- # This query is the same as above, but demonstrates an
- # additional counter parameter '%e' which is the
- # timestamp for the end of the period
- # query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}' AND AcctStartTime BETWEEN FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"
- }
-
- sqlcounter monthlycounter {
- counter-name = Monthly-Session-Time
- check-name = Max-Monthly-Session
- sqlmod-inst = sqlcca3
- key = User-Name
- reset = monthly
-
- # This query properly handles calls that span from the
- # previous reset period into the current period but
- # involves more work for the SQL server than those
- # below
- query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
-
- # This query ignores calls that started in a previous
- # reset period and continue into into this one.
But it
- # is a little easier on the SQL server
- # query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"
-
- # This query is the same as above, but demonstrates an
- # additional counter parameter '%e' which is the
- # timestamp for the end of the period
- # query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}' AND AcctStartTime BETWEEN FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"
- }
-
- # Do server side ip pool management. Should be added in post-auth and
- # accounting sections.
- #
- ## This module is highly experimental at the moment. Please
- ## give feedback on the mailing list.
- #
- # The module also requires the existance of the Pool-Name
- # attribute. That way the administrator can add the Pool-Name
- # attribute in the user profiles and use different pools
- # for different users. The Pool-Name attribute is a *check* item not
- # a reply item. #
- # Example:
- # radiusd.conf: ippool students { [...] }
- # users file : DEFAULT Group == students, Pool-Name := "students"
- #
- # ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST THEN ERASE THE DB FILES *******
- #
- ippool main_pool {
-
- # range-start,range-stop: The start and end ip
- # addresses for the ip pool
- range-start = 192.168.1.1
- range-stop = 192.168.3.254
-
- # netmask: The network mask used for the ip's
- netmask = 255.255.255.0
-
- # cache-size: The gdbm cache size for the db
- # files. Should be equal to the number of ip's
- # available in the ip pool
- cache-size = 800
-
- # session-db: The main db file used to allocate ip's to clients
- session-db = ${raddbdir}/db.ippool
-
- # ip-index: Helper db index file used in multilink
- ip-index = ${raddbdir}/db.ipindex
- }
- # To create a dbm users file, do:
 #
 # cat test.users | rlm_dbm_parser -f /etc/raddb/users_db
@@ -220,57 +100,7 @@
 # filename, but don't check if it's already there.
 #
 dbm {
- usersfile = ${raddbdir}/users_db
- }
-
- #
- # Persistent, embedded Perl interpreter.
- #
- perl {
- #
- # The Perl script to execute on authorize, authenticate,
- # accounting, xlat, etc. This is very similar to using
- # Exec-Program-Wait = "/path/foo.pl", but it is persistent,
- # and therefore faster.
- #
- module = /path/to/your/perl_program
-
- #
- # The following hashes are given to the module and
- # filled with value-pairs (Attribute names and values)
- #
- # %RAD_REPLY Attributes to go into the reply
- # %RAD_REQUEST Attributes from the request
- # %RAD_CHECK Check items
- #
- # Only the %RAD_REPLY hash can be modified.
- # All of the other hashes are read only.
- #
- # The return codes from functions in the perl_script
- # are passed directly back to the server. These
- # codes are defined in doc/configurable_failover,
- # src/include/modules.h (RLM_MODULE_REJECT, etc),
- # and are pre-defined in the 'example.pl' program
- # which is included.
- #
- func_accounting = accounting
- func_authentication = authenticate
- func_preacct = preacct
- func_checksimul = checksimul
- func_xlat = xlat
- }
-
- #
- # The digest module. It doesn't take any configuration
- # parameters, but it does require a configuration section,
- # otherwise the parser complains.
- #
- #
- #
- # See '../doc/rfc/draft-sterman-aaa-sip-00.txt' for details
- # on performing digest authentication for Cisco SIP servers.
- #
- digest {
+ usersfile = ${confdir}/users_db
 }
 #
@@ -282,6 +112,10 @@
 # and then in another module (usually the 'users' file),
 # set 'Auth-Type := SMB'
 #
+ # WARNING: this module is not only experimental, it's also
+ # a security threat. It's not recommended to use it until
+ # it gets fixed.
+ #
 smb {
 server = ntdomain.server.example.com
 backup = backup.server.example.com
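Review bot: The added WARNING calls the smb module a security threat, yet the `smb { … }` instantiation directly below it (the block continues beyond the hunk) is left active with example server names, so the comment is the only thing between an administrator who includes this file and the module. Commenting out the instantiation, `# smb {` through its closing brace, and asking the reader to uncomment it knowingly would make the file's default safe rather than merely documented. If the nature of the problem is known, a one-line pointer in the comment would also let readers judge their own exposure instead of guessing from "until it gets fixed".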
@@ -298,3 +132,316 @@
 # Reload the hash every 600 seconds (10mins)
 hash_reload = 600
 }
+
+ # Caching module
+ #
+ # Should be added in the post-auth section (after all other modules)
+ # and in the authorize section (before any other modules)
+ #
+ # authorize {
+ # caching {
+ # ok = return
+ # }
+ # [... other modules ...]
+ # }
+ # post-auth {
+ # [... other modules ...]
+ # caching
+ # }
+ #
+ # The caching module will cache the Auth-Type and reply items
+ # and send them back on any subsequent requests for the same key
+ #
+ # Configuration:
+ #
+ # filename: The gdbm file to use for the cache database
+ # (can be memory mapped for more speed)
+ #
+ # key: A string to xlat and use as a key. For instance,
+ # "%{Acct-Unique-Session-Id}"
+ #
+ # post-auth: If we find a cached entry, set the post-auth to that value
+ #
+ # cache-ttl: The time to cache the entry. The same time format
+ # as the counter module apply here.
+ # num[hdwm] where:
+ # h: hours, d: days, w: weeks, m: months
+ # If the letter is ommited days will be assumed.
+ # e.g. 1d == one day
+ #
+ # cache-size: The gdbm cache size to request (default 1000)
+ #
+ # hit-ratio: If set to non-zero we print out statistical
+ # information after so many cache requests
+ #
+ # cache-rejects: Do we also cache rejects, or not?
(default 'yes')
+ #
+ caching {
+ filename = ${db_dir}/db.cache
+ cache-ttl = 1d
+ hit-ratio = 1000
+ key = "%{Acct-Unique-Session-Id}"
+ #post-auth = ""
+ # cache-size = 2000
+ # cache-rejects = yes
+ }
+
+
+ # Simple module for logging of Account packets to radiusd.log
+ # You need to declare it in the accounting section for it to work
+ acctlog {
+ acctlog_update = ""
+ acctlog_start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})"
+ acctlog_stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds"
+ acctlog_on = "NAS %C (%{NAS-IP-Address}) just came online"
+ acctlog_off = "NAS %C (%{NAS-IP-Address}) just went offline"
+ }
+
+ # Another implementation of the EAP module.
+ #
+ # This module requires the libeap.so file from the hostap
+ # software (http://hostap.epitest.fi/hostapd/). It has been
+ # tested on the development version of hostapd (0.6.1) ONLY.
+ #
+ # In order to use it, you MUST build a "libeap.so" in hostapd,
+ # which is not done by default.
+ #
+ # You MUST also edit the file: src/modules/rlm_eap2/Makefile
+ # to point to the location of the hostap include files.
+ #
+ # This module CANNOT be used in the same way as the current
+ # FreeRADIUS "eap" module. There is NO way to look inside of
+ # a tunneled request. There is NO way to proxy a tunneled
+ # request. There is NO way to even look at the user name inside
+ # of the tunneled request. There is NO way to control the
+ # choice of EAP types inside of the tunnel. You MUST force
+ # the server to choose "eap2" for authentication, because this
+ # module has no "authorize" section.
+ #
+ # If you want to use this module for experimentation, please
+ # post your comments to the freeradius-devel list:
+ #
+ # http://lists.freeradius.org/mailman/listinfo/freeradius-devel
+ #
+ # If you want to use this module in a production (i.e. real-world)
+ # environment:
+ #
+ # !!! DO NOT USE IT IN A PRODUCTION ENVIRONMENT !!!
+ #
+ # The module needs additional work to make it ready for
+ # production use.. Please supply patches, or sponsor the
+ # work by hiring a developer. Do NOT ask when the work will
+ # be done, because there is no plan to finish this module
+ # unless there is demand for it.
+ #
+ eap2 {
+ # EAP types are chosen in the order that they are
+ # listed in this section. There is no "default_eap_type"
+ # as with rlm_eap. Instead, the *first* EAP type is
+ # used as the default type.
+ #
+ peap {
+ }
+
+ ttls {
+ }
+
+ # This is the ONLY EAP type that has any configuration.
+ # All other EAP types have no configuration.
+ #
+ tls {
+ ca_cert = ${confdir}/certs/ca.pem
+ server_cert = ${confdir}/certs/server.pem
+ private_key_file = ${confdir}/certs/server.pem
+ private_key_password = whatever
+ }
+
+ #
+ # These next two methods do not supply keying material.
+ #
+ md5 {
+ }
+
+ mschapv2 {
+ }
+
+ # LEAP is NOT supported by this module.
+ # Use the "eap" module instead.
+
+ # For other methods that MIGHT work, see the
+ # configuration of hostap. The methods are statically
+ # linked in at compile time, and cannot be controlled
+ # here.
+ }
+
+ # Configuration for experimental EAP types. The sub-sections
+ # can be copied into eap.conf.
+ eap {
+ ikev2 {
+
+ # Server auth type
+ # Allowed values are:
+ # cert - for certificate based server authentication,
+ # other required settings for this type are
+ # 'private_key_file' and 'certificate_file'
+ # secret - for shared secret based server authentication,
+ # other required settings for this type is 'id'
+ # Default value of this option is 'secret'
+ # server_authtype=cert
+
+ # Allowed default client auth types
+ # Allowed values are:
+ # secret - for shared secret based client authentication
+ # cert - for certificate based client authentication
+ # both - shared secret and certificate is allowed
+ # none - authentication will always fail
+ # Default value for this option is 'both'. This option could
+ # be overwritten within 'usersfile' file by EAP-IKEv2-Auth
+ # option.
+ # default_authtype = both
+
+ # path to trusted CA certificate file
+ CA_file="/path/to/CA/cacert.pem"
+
+ # path to CRL file, if not set, then there will be no
+ # checks against CRL
+ # crl_file="/path/to/crl.pem"
+
+ # path to file with user settings
+ #
+ # Note that this file is read ONLY on module initialization!
+ #
+ # default ${confdir}/eap_ikev2_users
+ # usersfile=${confdir}/eap_ikev2_users
+
+#
+# Sample "eap_ikev2_users" file entry:
+#
+#username EAP-IKEv2-IDType := KEY_ID, EAP-IKEv2-Secret := "tajne"
+
+## where:
+## username - client user name from IKE-AUTH (IDr) or CommonName
+## from x509 certificate
+## EAP-IKEv2-IDType - ID Type - same as in expected IDType payload
+## allowable attributes for EAP-IKEv2-IDType:
+## IPV4_ADDR FQDN RFC822_ADDR IPV6_ADDR DER_ASN1_DN
+## DER_ASN1_GN KEY_ID
+## EAP-IKEv2-Secret - shared secret
+## EAP-IKEv2-AuthType - optional parameter which defines expected client auth
+## type. Allowed values are: secret,cert,both,none.
+## For the meaning of this values, please see the
+## description of 'default_authtype'.
+## This attribute can overwrite 'default_authtype' value.
+
+
+
+ # path to file with server private key
+ private_key_file="/path/to/srv-private-key.pem"
+
+ # password to private key file
+ private_key_password="passwd"
+
+ # path to file with server certificate
+ certificate_file="/path/to/srv-cert.pem"
+
+ # server identity string
+ id="deMaio"
+
+ # Server identity type. Allowed values are:
+ # IPV4_ADDR, FQDN, RFC822_ADDR, IPV6_ADDR, ASN1_DN, ASN1_GN,
+ # KEY_ID
+ # Default value is: KEY_ID
+ # id_type = KEY_ID
+
+
+ # MTU (default: 1398)
+ # fragment_size = 1398
+
+ # maximal allowed number of resends SA_INIT after receiving
+ # 'invalid KEY' notification (default 3)
+ # DH_counter_max = 3
+
+ # option which is used to control whenever send CERT REQ
+ # payload or not.
+ # Allowed values for this option are "yes" or "no".
+ #Default value is "no".
+ # certreq = "yes"
+
+ # option which cotrols fast reconnect capability.
+ # Allowed valuse for this option are "yes" or "no".
+ # Default value is "yes".
+ # enable_fast_reauth = "no"
+
+ # option which is used to control performing of DH exchange
+ # during fast rekeying protocol run.
+ # Allowed values for this option are "yes" or "no".
+ # Default value is "no"
+ # fast_DH_exchange = "yes"
+
+ # Option which is used to set up expiration time of inactive
+ # IKEv2 session.
+ # After selected period of time (in seconds), inactive
+ # session data will be deleted.
+ # Default value of this option is set to 900 seconds
+ # fast_timer_expire = 900
+
+ # list of server proposals of available cryptographic
+ # suites
+ proposals {
+ # proposal number #1
+ proposal {
+
+ # Supported transforms types: encryption,
+ # prf, integrity, dhgroup. For multiple
+ # transforms just simple repeat key (i.e.
+ # integity).
+
+ # encryption algorithm
+ # supported algorithms:
+ # null,3des,aes_128_cbc,aes_192_cbc,
+ # aes_256_cbc,idea
+ # blowfish:n, where n range from 8 to 448 bits,
+ # step 8 bits
+ # cast:n, where n range from 40 to 128 bits,
+ # step 8 bits
+ encryption = 3des
+
+ # pseudo random function. Supported prf's:
+ # hmac_md5, hmac_sha1, hmac_tiger
+ prf = hmac_sha1
+
+ # integrity algorithm. Supported algorithms:
+ # hmac_md5_96, hmac_sha1_96,des_mac
+ integrity = hmac_sha1_96
+ integrity = hmac_md5_96
+
+ # Diffie-Hellman groups:
+ # modp768, modp1024, modp1536, modp2048,
+ # modp3072, modp4096, modp6144, modp8192
+ dhgroup = modp2048
+ }
+
+ # proposal number #2
+ proposal {
+ encryption = 3des
+ prf = hmac_md5
+ integrity = hmac_md5_96
+ dhgroup = modp1024
+ }
+
+ # proposal number #3
+ proposal {
+ encryption=3des
+ prf=hmac_md5
+ integrity=hmac_md5_96
+ dhgroup=modp2048
+ }
+ }
+ }
+
+ fast {
+ pac_opaque_encr_key = 000102030405060708090a0b0c0d0e0f
+ eap_fast_a_id = xxxxxx
+ eap_fast_a_id_info = my_server
+ }
+ }
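Review bot: The new `fast { … }` section at the end of the hunk ships `pac_opaque_encr_key = 000102030405060708090a0b0c0d0e0f`, a sequential byte pattern with no comment marking it as a placeholder, while the comment introducing these sub-sections says they "can be copied into eap.conf". A key whose name says it encrypts PAC-Opaque data is only useful while it is secret and unique to the server, so I would precede that line with `# Placeholder only: replace with a random 16-byte key generated for this server before use.`, the same way `private_key_password="passwd"` and `id="deMaio"` in the ikev2 sample are obviously samples but the hex key is not. In the same hunk, ikev2 proposals #2 and #3 advertise `prf = hmac_md5`, `integrity = hmac_md5_96` and `dhgroup = modp1024`, and the `encryption` comment lists `null` among supported algorithms; a comment marking those as interoperability-only choices, with the first proposal as the recommended default, would keep the sample from being copied verbatim. The `crl_file` option is also commented out, which the file itself says disables CRL checks, so the sample could state that it should be enabled wherever certificate client auth (`default_authtype = both`) is used.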