Alan T. DeKok [Fri, 30 Sep 2011 14:12:07 +0000 (16:12 +0200)]
Last set of changes
Peter Lemenkov [Fri, 30 Sep 2011 11:48:58 +0000 (15:48 +0400)]
Drop dead link
Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>
Peter Lemenkov [Fri, 30 Sep 2011 11:48:10 +0000 (15:48 +0400)]
Now it's possible to include Zyxel's dictionary by default
Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>
Peter Lemenkov [Fri, 30 Sep 2011 11:44:29 +0000 (15:44 +0400)]
Another one attribute
Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>
Peter Lemenkov [Fri, 30 Sep 2011 11:44:02 +0000 (15:44 +0400)]
Proper VENDOR value for Zyxel
Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>
Alan T. DeKok [Thu, 29 Sep 2011 16:03:23 +0000 (18:03 +0200)]
Load "server {...}" sections properly
Alan T. DeKok [Thu, 29 Sep 2011 09:26:03 +0000 (11:26 +0200)]
Be more graceful if caller passes us a NULL ptr
Alan T. DeKok [Wed, 28 Sep 2011 11:06:10 +0000 (13:06 +0200)]
Note changes for 2.1.12
Alan T. DeKok [Wed, 28 Sep 2011 10:59:59 +0000 (12:59 +0200)]
Added SecurID module
Alan T. DeKok [Thu, 22 Sep 2011 16:43:11 +0000 (18:43 +0200)]
Don't really open sockets if we're doing -C
Alan T. DeKok [Thu, 22 Sep 2011 13:53:51 +0000 (15:53 +0200)]
Acct-Session-Id from Cisco exceeds 64 bytes. Extend it.
Add radpostauth/radhuntgroup tables to the oracle schema
Alan T. DeKok [Thu, 22 Sep 2011 13:53:13 +0000 (15:53 +0200)]
Added missing post-auth configuration
John Dennis [Tue, 20 Sep 2011 21:56:22 +0000 (17:56 -0400)]
Always send Message-Authenticator in radtest
Originally Message-Authenticator was introduced to provide message
integrity for EAP messages and originally the Message-Authenticator
attribute was only required for EAP messages.
But then RFC 5080 came along and suggested Message-Authenticator
always be sent as best practice.
Any Access-Request packet that performs authorization checks,
including Call Check, SHOULD contain a Message-Authenticator
attribute.
RFC 5080 then goes on to say:
... server implementations may be configured to require the
presence of a Message-Authenticator attribute in Access-Request
packets. Requests not containing a Message-Authenticator attribute
MAY then be silently discarded.
The raddb/clients.conf has this configuration option to satisfy the
above suggestion in RFC 5080:
require_message_authenticator = no|yes
If require_message_authenticator == yes then non-EAP auth-requests
generated by radtest will fail because currently radtest only supplies
the Message-Authenticator if EAP is being performed. With modern
Radius servers (e.g. FreeRADIUS) there is no harm in providing the
Message-Authenticator attribute for non-EAP packets, in fact it's
actually recommended in RFC 5080.
Therefore radtest should ALWAYS send the Message-Authenticator
attribute. If it's EAP or if the server is configured with
require_message_authenticator it must be present. If those conditions
do not hold it's benign. However if require_message_authenticator is
configured radtest will fail for non-EAP.
Alan T. DeKok [Tue, 20 Sep 2011 17:56:02 +0000 (19:56 +0200)]
As posted to the list
Alan T. DeKok [Tue, 20 Sep 2011 07:25:51 +0000 (09:25 +0200)]
Fixed typo
Alan T. DeKok [Mon, 19 Sep 2011 17:45:35 +0000 (19:45 +0200)]
Add missing "man" files
Alan T. DeKok [Mon, 19 Sep 2011 13:34:26 +0000 (15:34 +0200)]
Note changes
Bjørn Mork [Fri, 16 Sep 2011 17:50:07 +0000 (19:50 +0200)]
radsniff: decoding encrypted attributes
Save authentication requests and use them to properly decode
entrypted attributes in matching replies.
Also decode encrypted attributes in CoA requests. Some VSAs
can be encrypted in CoA requests using a null vector.
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Alan DeKok [Sun, 18 Sep 2011 11:56:04 +0000 (04:56 -0700)]
Merge pull request #19 from angdraug/v2.1.x_rlm_sql_acct_noop_start
rlm_sql acct noop Accounting-Start fix
Alan T. DeKok [Sun, 18 Sep 2011 11:23:35 +0000 (13:23 +0200)]
Revert "Remove values for Auth-Type, these values were only defined for legacy reasons"
This reverts commit
296fcf9576394de5bf943e257a8d64751feaf636.
Removing Auth-Type = {Accept, Reject, MS-CHAP} breaks the server
Dmitry Borodaenko [Sat, 6 Aug 2011 17:15:59 +0000 (20:15 +0300)]
Fix rlm_sql noop for accounting start
When 6ed9727 was merged, else{} in the START case got placed against the
wrong if(). Unlike STOP and ALIVE cases, in START insert comes first,
and we only care if that affects 0 rows. If insert fails and we have to
go for an update, we don't have to check for NOOP because we can assume
the insert failed due to a conflicting row already in the database.
Alan T. DeKok [Sun, 18 Sep 2011 07:25:47 +0000 (09:25 +0200)]
Note more changes
John Dennis [Sun, 18 Sep 2011 07:17:45 +0000 (09:17 +0200)]
Document all command line args & add missing man pages
Go through every installed command and verify:
* There exists a man page for the command, if not create one
* For every command line arg in each command:
- Assure the arg appears in the synopis section of the man page
- Assure the arg is documented in the options section of the man page
- Assure the arg is documented in the "usage" emitted by the command
In addition to the above this patch also does:
* Clean up captitalization & the use of terminating periods.
* Removed superfluous unused l option from the getopt format string
of radwho
* Remove rlm_ippool_tool.pod, superseded by rlm_ippool_tool.8 man page
The follow new man pages were added:
man/man1/smbencrypt.1
man/man5/checkrad.5
man/man8/radconf2xml.8
man/man8/radcrypt.8
man/man8/radsniff.8
src/modules/rlm_dbm/rlm_dbm_cat.8
src/modules/rlm_dbm//rlm_dbm_parse.8
src/modules/rlm_ippool/rlm_ippool_tool.8
Alan T. DeKok [Wed, 14 Sep 2011 10:11:07 +0000 (12:11 +0200)]
Note which Auth-Type we're creating
Alan T. DeKok [Wed, 14 Sep 2011 10:01:31 +0000 (12:01 +0200)]
Note recent changes
Alan T. DeKok [Wed, 14 Sep 2011 09:57:04 +0000 (11:57 +0200)]
Make warning message more coherent
Alan T. DeKok [Wed, 14 Sep 2011 09:56:24 +0000 (11:56 +0200)]
WARNING on potential proxy loop
Alan T. DeKok [Mon, 12 Sep 2011 21:41:23 +0000 (23:41 +0200)]
Fixed long-standing typos
I guess no one ever used this...
Arran Cudbard-Bell [Mon, 12 Sep 2011 14:04:28 +0000 (16:04 +0200)]
Remove values for Auth-Type, these values were only defined for legacy reasons
Alan T. DeKok [Mon, 12 Sep 2011 13:00:00 +0000 (15:00 +0200)]
Fixed typo
Alan T. DeKok [Sat, 10 Sep 2011 18:12:01 +0000 (20:12 +0200)]
Document max_queue_size
Alan T. DeKok [Sat, 10 Sep 2011 18:04:20 +0000 (20:04 +0200)]
Limit complaints to 1/s, not 1/packet
Alan T. DeKok [Wed, 7 Sep 2011 15:34:49 +0000 (17:34 +0200)]
Fixed typo
Alan T. DeKok [Wed, 7 Sep 2011 10:59:21 +0000 (12:59 +0200)]
Document keepalive
Alan T. DeKok [Mon, 5 Sep 2011 17:57:54 +0000 (13:57 -0400)]
Fixed typo
Alan T. DeKok [Mon, 5 Sep 2011 15:39:53 +0000 (11:39 -0400)]
Updated copyright year
Alan T. DeKok [Mon, 5 Sep 2011 14:05:21 +0000 (10:05 -0400)]
Complain if password is !UTF-8
for the "shared secret is incorrect" check. The old code
checked for "printable" characters. Changing it to a check for
!UTF-8 is more general, and likely more robust with fewer false
positives
Alan T. DeKok [Sat, 3 Sep 2011 13:01:21 +0000 (09:01 -0400)]
Allow entry if UID or GID match
Alan T. DeKok [Fri, 2 Sep 2011 21:38:56 +0000 (17:38 -0400)]
More updates
Alan T. DeKok [Fri, 2 Sep 2011 21:38:00 +0000 (17:38 -0400)]
Added %{rand:...} to generate uniformly distributed random numbers
Arran Cudbard-Bell [Wed, 31 Aug 2011 16:17:26 +0000 (18:17 +0200)]
Add support for NAS implementing standard IEEE802.1X mib (Tested against ProCurve 3500)
Fix regular expressions to work with recent versions of snmp_get (should still be backwards compatible)
Alan T. DeKok [Mon, 29 Aug 2011 14:06:31 +0000 (10:06 -0400)]
Bump for 2.1.12
Alan T. DeKok [Mon, 29 Aug 2011 14:03:11 +0000 (10:03 -0400)]
Note policy for filtering user names
Alan T. DeKok [Sun, 28 Aug 2011 15:01:50 +0000 (11:01 -0400)]
Enable possibility for ecdh by default
Alan T. DeKok [Sun, 28 Aug 2011 14:58:16 +0000 (10:58 -0400)]
Note recent changes
Alan T. DeKok [Sun, 28 Aug 2011 14:57:23 +0000 (10:57 -0400)]
Enable elliptical curve cryptography
Alan T. DeKok [Fri, 26 Aug 2011 11:09:05 +0000 (07:09 -0400)]
More/better documentation
Bjørn Mork [Wed, 24 Aug 2011 10:33:13 +0000 (12:33 +0200)]
radmin: fixup error message when attemting to delete non-dynamic client
commit
b9e5dd2c changed the command syntax in line with docs, but failed
to update the error message accordingly.
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Bjørn Mork [Tue, 23 Aug 2011 09:07:39 +0000 (11:07 +0200)]
radmin: make "del client ipaddr" command behave as documented
Fixes this error:
radmin> del client ipaddr 192.168.168.111
ERROR: Must specify <ipaddr>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Alan T. DeKok [Sat, 20 Aug 2011 01:09:13 +0000 (21:09 -0400)]
Note recent changes
Alan T. DeKok [Thu, 18 Aug 2011 01:23:50 +0000 (21:23 -0400)]
Add mkdir, based on patch from Oliver Schroder
This lets the module put logs into automagically created subdirs
Arran Cudbard-Bell [Fri, 19 Aug 2011 14:51:02 +0000 (16:51 +0200)]
Should use 8th capture group for Called-Station-ID rewrite
Alan T. DeKok [Mon, 15 Aug 2011 13:20:45 +0000 (09:20 -0400)]
Catch sub-realms && example.net, too
Alan T. DeKok [Mon, 15 Aug 2011 13:01:54 +0000 (09:01 -0400)]
Clean up debug message
Alan T. DeKok [Sat, 13 Aug 2011 14:56:28 +0000 (10:56 -0400)]
Allow empty strings to mean NULL
this lets us specify the default (i.e. NULL) virtual server
Alan T. DeKok [Fri, 12 Aug 2011 14:32:34 +0000 (10:32 -0400)]
Note recent updates
Alan T. DeKok [Fri, 12 Aug 2011 14:25:47 +0000 (10:25 -0400)]
Add conflicting starent dictionary from bug #159
Alan T. DeKok [Fri, 12 Aug 2011 14:20:03 +0000 (10:20 -0400)]
Updated with edits from bug #159
Alan T. DeKok [Fri, 12 Aug 2011 11:51:00 +0000 (07:51 -0400)]
Added siemens dictionary
Bjørn Mork [Mon, 1 Aug 2011 08:57:55 +0000 (10:57 +0200)]
Adding new attributes to the ERX dictionary
This should make it compatible with JUNOSe version 12.1.1
and JUNOS version 11.2.
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Arran Cudbard-Bell [Thu, 28 Jul 2011 14:32:40 +0000 (16:32 +0200)]
Replace stale version of oracle configure script with one generated from current version of configure.in (now supports library versions 9, 10, 11 instead of just 10
Alan T. DeKok [Wed, 27 Jul 2011 22:36:20 +0000 (18:36 -0400)]
Check cert validity
In the process of checking the OCSP response there are only checks for the
correct signed OCSP answer in the function ocsp_check()
(src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c:349).
The problem is that the current code does not check the status of the certificate.
For example if a certificate is revoked. Thus, a user with a revoked certificate
is able to bypass the verification.
Alan T. DeKok [Fri, 22 Jul 2011 12:32:00 +0000 (14:32 +0200)]
Added HUP on log rotate
Alan T. DeKok [Sat, 16 Jul 2011 12:01:30 +0000 (08:01 -0400)]
Note URL on how to create various passwords
Alan T. DeKok [Wed, 13 Jul 2011 12:50:41 +0000 (14:50 +0200)]
More fixes for DHCP relaying
Alan T. DeKok [Wed, 13 Jul 2011 12:50:26 +0000 (14:50 +0200)]
Allow it to send offers
Alan T. DeKok [Wed, 13 Jul 2011 12:50:08 +0000 (14:50 +0200)]
When in debugging mode, print out VPs from header
Alan DeKok [Wed, 13 Jul 2011 09:40:20 +0000 (02:40 -0700)]
Merge pull request #12 from angdraug/v2.1.x_linelog_permissions_v2
Configurable file permissions in rlm_linelog
Phil Mayers [Thu, 7 Jul 2011 15:39:11 +0000 (16:39 +0100)]
save all attributes in the Access-Accept when proxying EAP-MSCHAPv2 as plain MSCHAP, and restore on the final Access-Accept
Arran Cudbard-Bell [Thu, 7 Jul 2011 11:33:48 +0000 (13:33 +0200)]
Fix xlat expansion of values assigned in rlm_attr_filter
Remove comparison that was generating compiler warning
Alan T. DeKok [Thu, 7 Jul 2011 10:51:07 +0000 (12:51 +0200)]
Initialize answer variable
Dmitry Borodaenko [Tue, 5 Jul 2011 13:23:06 +0000 (16:23 +0300)]
Configurable file permissions in rlm_linelog
Alan T. DeKok [Tue, 5 Jul 2011 15:54:59 +0000 (17:54 +0200)]
chown if uid or gid is set
Alan T. DeKok [Tue, 5 Jul 2011 10:42:19 +0000 (12:42 +0200)]
Don't need original packet when proxying
Alan T. DeKok [Mon, 4 Jul 2011 17:08:12 +0000 (19:08 +0200)]
Get peer id on new socket, not old one
Alan T. DeKok [Mon, 4 Jul 2011 16:55:43 +0000 (18:55 +0200)]
tr.freeradius.org seems to be dead
Alan T. DeKok [Mon, 4 Jul 2011 16:55:20 +0000 (18:55 +0200)]
Note recent changes
Alan T. DeKok [Mon, 4 Jul 2011 16:09:00 +0000 (18:09 +0200)]
Set ownership of domain socket when starting
Alan T. DeKok [Mon, 4 Jul 2011 16:02:54 +0000 (18:02 +0200)]
Allow root to connect to control socket
Even if the configured "allowed UID" has a different value.
They're root, so they can do anything. We might as well be polite.
Alan T. DeKok [Mon, 4 Jul 2011 15:59:31 +0000 (17:59 +0200)]
Server closing connection returns 0
We should close our end and complain in that case.
Bug found by Brian Candler
Arran Cudbard-Bell [Mon, 4 Jul 2011 08:47:04 +0000 (10:47 +0200)]
Add relax-filter check item to override the relaxed config item on a filter by filter basis
Conflicts:
src/modules/rlm_attr_filter/rlm_attr_filter.c
Arran Cudbard-Bell [Sun, 3 Jul 2011 17:10:59 +0000 (19:10 +0200)]
Add 'relaxed' option to rlm_attr_filter, when 'yes' attributes which do not explicitly match any filter rules are still copied.
Alan T. DeKok [Sun, 3 Jul 2011 15:35:13 +0000 (17:35 +0200)]
Use correct length
Alan T. DeKok [Sun, 3 Jul 2011 09:07:49 +0000 (11:07 +0200)]
Fix offset bug in %{string:...}
It prints the correct amount with the correct limits, but
to the wrong location
Alan T. DeKok [Thu, 30 Jun 2011 14:01:56 +0000 (16:01 +0200)]
Be less strict about duplicate virtual servers
If they share the same top-level CONF_SECTION, they're duplicates.
Otherwise, the server is reloading it's configuration, so the new
configuration should be allowed to be loaded.
Alan T. DeKok [Tue, 28 Jun 2011 15:28:00 +0000 (17:28 +0200)]
Handle relayed packets better...
If the request a client packet, we can relay it using
the existing code.
If the request is a server packet, then it MUST be from
the real server, and we MUST be acting as a relay. In that
case, set the giaddr to 0.0.0.0, and forward the packet to the
yiaddr.
And do something with broadcast replies...
Alan T. DeKok [Tue, 28 Jun 2011 13:54:12 +0000 (15:54 +0200)]
Allow DHCP-Opcode and DHCP-Hop-Count to be set from VPs.
This makes it easier to relay && respond to clients
Alan T. DeKok [Tue, 28 Jun 2011 13:38:33 +0000 (15:38 +0200)]
Allow giaddr to be updated when relaying
Alan T. DeKok [Mon, 27 Jun 2011 15:03:38 +0000 (17:03 +0200)]
Fix typo
Petr Uzel [Mon, 27 Jun 2011 07:21:18 +0000 (09:21 +0200)]
rlm_mschap: silence gcc buffer overflow detection mechanism
Signed-off-by: Petr Uzel <petr.uzel@suse.cz>
Alan T. DeKok [Mon, 27 Jun 2011 11:04:46 +0000 (13:04 +0200)]
Fix calculation of response authenticator
The Status-Server packet can get an Accounting-Response
packet in return. Since the Status-Server has a random
authentication vector, the response needs to be calculated
using that. We can't use the normal Accounting-Response
calculation.
Oops. No one found this in RFC 5997.
Alan T. DeKok [Mon, 27 Jun 2011 10:55:32 +0000 (12:55 +0200)]
Prepare for 2.1.12
Alan T. DeKok [Mon, 27 Jun 2011 09:16:43 +0000 (11:16 +0200)]
Fix > vs >= bug
Alan T. DeKok [Fri, 24 Jun 2011 10:41:17 +0000 (12:41 +0200)]
fclose() frees buffers, too
Alan T. DeKok [Tue, 21 Jun 2011 09:23:56 +0000 (11:23 +0200)]
If a child process gets a signal to exit, then just exit.
Alan T. DeKok [Tue, 21 Jun 2011 09:22:36 +0000 (11:22 +0200)]
Print out *which* program is causing the delay
Alan T. DeKok [Tue, 21 Jun 2011 09:19:29 +0000 (11:19 +0200)]
Update copyright year
Alan T. DeKok [Tue, 21 Jun 2011 07:06:38 +0000 (09:06 +0200)]
Fix > vs >= bug
Alan T. DeKok [Mon, 20 Jun 2011 14:57:14 +0000 (16:57 +0200)]
Don't go too far ahead
if (..){
is OK. The previous code skipped over the curly brace, assuming
that it was there... the code to check for syntax errors assumed
that the curly brace was not skipped over. This change fixes
that conflict
Alan T. DeKok [Mon, 20 Jun 2011 10:58:09 +0000 (12:58 +0200)]
Made the date today