# # This file contains the configuration for experimental modules. # # By default, it is NOT included in the build. # # $Id$ # # Configuration for the Python module. # # Where radiusd is a Python module, radiusd.py, and the # function 'authorize' is called. Here is a dummy piece # of code: # # def authorize(params): # print params # return (5, ('Reply-Message', 'banned')) # # The RADIUS value-pairs are passed as a tuple of tuple # pairs as the first argument, e.g. (('attribute1', # 'value1'), ('attribute2', 'value2')) # # The function return is a tuple with the first element # being the return value of the function. # The 5 corresponds to RLM_MODULE_USERLOCK. I plan to # write the return values as Python symbols to avoid # confusion. # # The remaining tuple members are the string form of # value-pairs which are passed on to pairmake(). # python { mod_instantiate = radiusd_test func_instantiate = instantiate mod_authorize = radiusd_test func_authorize = authorize mod_accounting = radiusd_test func_accounting = accounting mod_pre_proxy = radiusd_test func_pre_proxy = pre_proxy mod_post_proxy = radiusd_test func_post_proxy = post_proxy mod_post_auth = radiusd_test func_post_auth = post_auth mod_recv_coa = radiusd_test func_recv_coa = recv_coa mod_send_coa = radiusd_test func_send_coa = send_coa mod_detach = radiusd_test func_detach = detach } # Configuration for the example module. Uncommenting it will cause it # to get loaded and initialized, but should have no real effect as long # it is not referencened in one of the autz/auth/preacct/acct sections example { # Boolean variable. # allowed values: {no, yes} boolean = yes # An integer, of any value. integer = 16 # A string. string = "This is an example configuration string" # An IP address, either in dotted quad (1.2.3.4) or hostname # (example.com) ipaddr = 127.0.0.1 # A subsection mysubsection { anotherinteger = 1000 # They nest deeply nested { string = "This is a different string" } } } # # To create a dbm users file, do: # # cat test.users | rlm_dbm_parser -f /etc/raddb/users_db # # Then add 'dbm' in 'authorize' section. # # Note that even if the file has a ".db" or ".dbm" extension, # you may have to specify it here without that extension. This # is because the DBM libraries "helpfully" add a ".db" to the # filename, but don't check if it's already there. # dbm { usersfile = ${confdir}/users_db } # See doc/rlm_fastusers before using this # module or changing these values. # fastusers { usersfile = ${confdir}/users_fast hashsize = 1000 compat = no # Reload the hash every 600 seconds (10mins) hash_reload = 600 } # Another implementation of the EAP module. # # This module requires the libeap.so file from the hostap # software (http://hostap.epitest.fi/hostapd/). It has been # tested on the development version of hostapd (0.6.1) ONLY. # # In order to use it, you MUST build a "libeap.so" in hostapd, # which is not done by default. # # You MUST also edit the file: src/modules/rlm_eap2/Makefile # to point to the location of the hostap include files. # # This module CANNOT be used in the same way as the current # FreeRADIUS "eap" module. There is NO way to look inside of # a tunneled request. There is NO way to proxy a tunneled # request. There is NO way to even look at the user name inside # of the tunneled request. There is NO way to control the # choice of EAP types inside of the tunnel. You MUST force # the server to choose "eap2" for authentication, because this # module has no "authorize" section. # # If you want to use this module for experimentation, please # post your comments to the freeradius-devel list: # # http://lists.freeradius.org/mailman/listinfo/freeradius-devel # # If you want to use this module in a production (i.e. real-world) # environment: # # !!! DO NOT USE IT IN A PRODUCTION ENVIRONMENT !!! # # The module needs additional work to make it ready for # production use.. Please supply patches, or sponsor the # work by hiring a developer. Do NOT ask when the work will # be done, because there is no plan to finish this module # unless there is demand for it. # eap2 { # EAP types are chosen in the order that they are # listed in this section. There is no "default_eap_type" # as with rlm_eap. Instead, the *first* EAP type is # used as the default type. # peap { } ttls { } # This is the ONLY EAP type that has any configuration. # All other EAP types have no configuration. # tls { ca_cert = ${confdir}/certs/ca.pem server_cert = ${confdir}/certs/server.pem private_key_file = ${confdir}/certs/server.pem private_key_password = whatever } # # These next two methods do not supply keying material. # md5 { } mschapv2 { } fast { pac_opaque_encr_key = 000102030405060708090a0b0c0d0e0f eap_fast_a_id = xxxxxx eap_fast_a_id_info = my_server eap_fast_prov = 3 pac_key_lifetime = 604800 # 7 days pac_key_refresh_tim = 86400 } # LEAP is NOT supported by this module. # Use the "eap" module instead. # For other methods that MIGHT work, see the # configuration of hostap. The methods are statically # linked in at compile time, and cannot be controlled # here. } # Configuration for experimental EAP types. The sub-sections # can be copied into eap.conf. eap { ikev2 { # Server auth type # Allowed values are: # cert - for certificate based server authentication, # other required settings for this type are # 'private_key_file' and 'certificate_file' # secret - for shared secret based server authentication, # other required settings for this type is 'id' # Default value of this option is 'secret' # server_authtype=cert # Allowed default client auth types # Allowed values are: # secret - for shared secret based client authentication # cert - for certificate based client authentication # both - shared secret and certificate is allowed # none - authentication will always fail # Default value for this option is 'both'. This option could # be overwritten within 'usersfile' file by EAP-IKEv2-Auth # option. # default_authtype = both # path to trusted CA certificate file CA_file="/path/to/CA/cacert.pem" # path to CRL file, if not set, then there will be no # checks against CRL # crl_file="/path/to/crl.pem" # path to file with user settings # # Note that this file is read ONLY on module initialization! # # default ${confdir}/eap_ikev2_users # usersfile=${confdir}/eap_ikev2_users # # Sample "eap_ikev2_users" file entry: # #username EAP-IKEv2-IDType := KEY_ID, EAP-IKEv2-Secret := "tajne" ## where: ## username - client user name from IKE-AUTH (IDr) or CommonName ## from x509 certificate ## EAP-IKEv2-IDType - ID Type - same as in expected IDType payload ## allowable attributes for EAP-IKEv2-IDType: ## IPV4_ADDR FQDN RFC822_ADDR IPV6_ADDR DER_ASN1_DN ## DER_ASN1_GN KEY_ID ## EAP-IKEv2-Secret - shared secret ## EAP-IKEv2-AuthType - optional parameter which defines expected client auth ## type. Allowed values are: secret,cert,both,none. ## For the meaning of this values, please see the ## description of 'default_authtype'. ## This attribute can overwrite 'default_authtype' value. # path to file with server private key private_key_file="/path/to/srv-private-key.pem" # password to private key file private_key_password="passwd" # path to file with server certificate certificate_file="/path/to/srv-cert.pem" # server identity string id="deMaio" # Server identity type. Allowed values are: # IPV4_ADDR, FQDN, RFC822_ADDR, IPV6_ADDR, ASN1_DN, ASN1_GN, # KEY_ID # Default value is: KEY_ID # id_type = KEY_ID # MTU (default: 1398) # fragment_size = 1398 # maximal allowed number of resends SA_INIT after receiving # 'invalid KEY' notification (default 3) # DH_counter_max = 3 # option which is used to control whenever send CERT REQ # payload or not. # Allowed values for this option are "yes" or "no". #Default value is "no". # certreq = "yes" # option which cotrols fast reconnect capability. # Allowed valuse for this option are "yes" or "no". # Default value is "yes". # enable_fast_reauth = "no" # option which is used to control performing of DH exchange # during fast rekeying protocol run. # Allowed values for this option are "yes" or "no". # Default value is "no" # fast_DH_exchange = "yes" # Option which is used to set up expiration time of inactive # IKEv2 session. # After selected period of time (in seconds), inactive # session data will be deleted. # Default value of this option is set to 900 seconds # fast_timer_expire = 900 # list of server proposals of available cryptographic # suites proposals { # proposal number #1 proposal { # Supported transforms types: encryption, # prf, integrity, dhgroup. For multiple # transforms just simple repeat key (i.e. # integity). # encryption algorithm # supported algorithms: # null,3des,aes_128_cbc,aes_192_cbc, # aes_256_cbc,idea # blowfish:n, where n range from 8 to 448 bits, # step 8 bits # cast:n, where n range from 40 to 128 bits, # step 8 bits encryption = 3des # pseudo random function. Supported prf's: # hmac_md5, hmac_sha1, hmac_tiger prf = hmac_sha1 # integrity algorithm. Supported algorithms: # hmac_md5_96, hmac_sha1_96,des_mac integrity = hmac_sha1_96 integrity = hmac_md5_96 # Diffie-Hellman groups: # modp768, modp1024, modp1536, modp2048, # modp3072, modp4096, modp6144, modp8192 dhgroup = modp2048 } # proposal number #2 proposal { encryption = 3des prf = hmac_md5 integrity = hmac_md5_96 dhgroup = modp1024 } # proposal number #3 proposal { encryption=3des prf=hmac_md5 integrity=hmac_md5_96 dhgroup=modp2048 } } } }