[Pkg-freeradius-maintainers] Bug#977590: freeradius: After upgrade to buster, freeradius doesn't talk over the network anymore
Harald Hannelius
harald.hannelius at arcada.fi
Mon Dec 21 09:21:58 GMT 2020
On Fri, 18 Dec 2020, Bernhard Schmidt wrote:
> Earlier Harald Hannelius wrote:
>> I have a recursive diff of both config dirs, but haven't been
>> able to see what has done what. I still have a test-server so
>> I can help with providing more info if so needed.
>
> Please attach the diff to this bug report.
I attached the diff. Thanks.
--
Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
-------------- next part --------------
diff -u -r freeradius-debian-9.0/3.0/README.rst freeradius-debian-10.0/3.0/README.rst
--- freeradius-debian-9.0/3.0/README.rst 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/README.rst 2019-04-23 00:23:36.000000000 +0300
@@ -76,8 +76,8 @@
Modules can be enabled by creating a soft link. For module ``foo``, do::
- $ cd raddb
- $ ln -s mods-available/foo mods-enabled/foo
+ $ cd raddb/mods-enabled
+ $ ln -s ../mods-available/foo
To create "local" versions of the modules, we suggest copying the file
instead. This leaves the original file (with documentation) in the
@@ -660,6 +660,6 @@
Dialup_admin
------------
-The dialip_admin directory has been removed. No one stepped forward
+The dialup_admin directory has been removed. No one stepped forward
to maintain it, and the code had not been changed in many years.
diff -u -r freeradius-debian-9.0/3.0/certs/Makefile freeradius-debian-10.0/3.0/certs/Makefile
--- freeradius-debian-9.0/3.0/certs/Makefile 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/certs/Makefile 2019-04-23 00:23:36.000000000 +0300
@@ -5,16 +5,22 @@
#
# See the README file in this directory for more information.
#
-# $Id: cc12464c6c7754aff2f0c8d6e116708c94ff2168 $
+# $Id: 16447a023d2cdce2d16d39cf31bcde4dba600df5 $
#
######################################################################
DH_KEY_SIZE = 2048
+OPENSSL = openssl
+EXTERNAL_CA = $(wildcard external_ca.*)
+
+ifneq "$(EXTERNAL_CA)" ""
+PARTIAL = -partial_chain
+endif
#
# Set the passwords
#
--include passwords.mk
+include passwords.mk
######################################################################
#
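Review bot: `EXTERNAL_CA = $(wildcard external_ca.*)` uses recursive assignment, so the directory glob is re-run on every reference; `EXTERNAL_CA := $(wildcard external_ca.*)` evaluates it once, which is the usual form for `$(wildcard)`. The `PARTIAL` block also deserves a comment, because `-partial_chain` changes what the `*.vrfy` targets later in this file prove: a chain that ends at a non-root certificate held in ca.pem is accepted, e.g. `# With an external CA, ca.pem holds an intermediate; let verify stop there`. Replacing `-include passwords.mk` with `include passwords.mk` works while the `passwords.mk` rule further down can regenerate the file, but it turns any failure of that rule (for instance a missing inner-server.cnf, now one of its prerequisites) into a hard error before any other target runs.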
@@ -33,11 +39,15 @@
.PHONY: server
server: server.pem server.vrfy
+.PHONY: inner-server
+inner-server: inner-server.pem inner-server.vrfy
+
.PHONY: verify
verify: server.vrfy client.vrfy
-passwords.mk: server.cnf ca.cnf client.cnf
+passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
@echo "PASSWORD_SERVER = '$(shell grep output_password server.cnf | sed 's/.*=//;s/^ *//')'" > $@
+ @echo "PASSWORD_INNER = '$(shell grep output_password inner-server.cnf | sed 's/.*=//;s/^ *//')'" >> $@
@echo "PASSWORD_CA = '$(shell grep output_password ca.cnf | sed 's/.*=//;s/^ *//')'" >> $@
@echo "PASSWORD_CLIENT = '$(shell grep output_password client.cnf | sed 's/.*=//;s/^ *//')'" >> $@
@echo "USER_NAME = '$(shell grep emailAddress client.cnf | grep '@' | sed 's/.*=//;s/^ *//')'" >> $@
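Review bot: The added `PASSWORD_INNER` line extends a recipe that writes four plaintext passwords into `passwords.mk` with whatever mode the caller's umask yields, whereas the other hunks in this file set the mode of key material explicitly with `chmod g+r`. The file is also written in place with `>` and `>>`, so an interrupted run leaves a partial passwords.mk that is newer than its prerequisites and is then included as-is. A closing `@chmod o-rwx $@` recipe line and a `.DELETE_ON_ERROR:` near the top of the file would cover both points; writing to `$@.tmp` followed by `mv -f $@.tmp $@` is the alternative for the second. The `$(shell …)` calls expand when the recipe is expanded, so edits to the `.cnf` files are picked up only because they are listed as prerequisites — worth a one-line comment above the rule.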
@@ -49,7 +59,7 @@
#
######################################################################
dh:
- openssl gendh -out dh -2 $(DH_KEY_SIZE)
+ $(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
######################################################################
#
@@ -59,11 +69,12 @@
ca.key ca.pem: ca.cnf
@[ -f index.txt ] || $(MAKE) index.txt
@[ -f serial ] || $(MAKE) serial
- openssl req -new -x509 -keyout ca.key -out ca.pem \
+ $(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
-days $(CA_DEFAULT_DAYS) -config ./ca.cnf
+ chmod g+r ca.key
ca.der: ca.pem
- openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der
+ $(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der
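Review bot: `chmod g+r ca.key` makes the CA signing key group-readable, yet the only consumers of ca.key visible in this diff are the `openssl ca` recipes that sign the server, client and inner-server CSRs; the running server loads ca.pem, not the key. Unlike the matching `chmod g+r` on server.key and client.key, which the daemon does read, this widens access to the one key whose exposure allows issuing certificates the server will trust, with no consumer in the file needing it. If the group bit is intentional, state the reason next to it, e.g. `# ca.key is group-readable so that <GROUP> can re-sign certificates` (placeholder); otherwise drop the chmod for ca.key only.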
######################################################################
#
@@ -71,20 +82,23 @@
#
######################################################################
server.csr server.key: server.cnf
- openssl req -new -out server.csr -keyout server.key -config ./server.cnf
+ $(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf
+ chmod g+r server.key
server.crt: server.csr ca.key ca.pem
- openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
+ $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
server.p12: server.crt
- openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
+ $(OPENSSL) pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
+ chmod g+r server.p12
server.pem: server.p12
- openssl pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
+ $(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
+ chmod g+r server.pem
.PHONY: server.vrfy
server.vrfy: ca.pem
- @openssl verify -CAfile ca.pem server.pem
+ @$(OPENSSL) verify $(PARTIAL) -CAfile ca.pem server.pem
######################################################################
#
@@ -93,22 +107,49 @@
#
######################################################################
client.csr client.key: client.cnf
- openssl req -new -out client.csr -keyout client.key -config ./client.cnf
+ $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf
+ chmod g+r client.key
client.crt: client.csr ca.pem ca.key
- openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
+ $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
client.p12: client.crt
- openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
+ $(OPENSSL) pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
+ chmod g+r client.p12
client.pem: client.p12
- openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
+ $(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
+ chmod g+r client.pem
cp client.pem $(USER_NAME).pem
.PHONY: client.vrfy
client.vrfy: ca.pem client.pem
c_rehash .
- openssl verify -CApath . client.pem
+ $(OPENSSL) verify -CApath . client.pem
+
+######################################################################
+#
+# Create a new inner-server certificate, signed by the above CA.
+#
+######################################################################
+inner-server.csr inner-server.key: inner-server.cnf
+ $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf
+ chmod g+r inner-server.key
+
+inner-server.crt: inner-server.csr ca.key ca.pem
+ $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in inner-server.csr -key $(PASSWORD_CA) -out inner-server.crt -extensions xpserver_ext -extfile xpextensions -config ./inner-server.cnf
+
+inner-server.p12: inner-server.crt
+ $(OPENSSL) pkcs12 -export -in inner-server.crt -inkey inner-server.key -out inner-server.p12 -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
+ chmod g+r inner-server.p12
+
+inner-server.pem: inner-server.p12
+ $(OPENSSL) pkcs12 -in inner-server.p12 -out inner-server.pem -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
+ chmod g+r inner-server.pem
+
+.PHONY: inner-server.vrfy
+inner-server.vrfy: ca.pem
+ @$(OPENSSL) verify $(PARTIAL) -CAfile ca.pem inner-server.pem
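Review bot: `inner-server.vrfy: ca.pem` does not list `inner-server.pem`, so `make inner-server.vrfy` on a clean tree verifies a file nothing has built, and under `make -j` the `inner-server` target can start the verify before `inner-server.pem` exists; `client.vrfy: ca.pem client.pem` above is the form to copy, i.e. `inner-server.vrfy: ca.pem inner-server.pem`. The pre-existing `server.vrfy: ca.pem` in the previous hunk has the same omission and the commit leaves it as is. The two-target header `inner-server.csr inner-server.key: inner-server.cnf` declares two independent rules, so a parallel build may run the `openssl req` recipe twice and overwrite a freshly generated key; a stamp file or a single `inner-server.key:` target with the `.csr` depending on it avoids that. As far as the last hunk shows, `clean` is not extended with the inner-server.* artefacts, though its recipe may continue past the hunk.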
######################################################################
#
@@ -122,10 +163,10 @@
@echo '01' > serial
print:
- openssl x509 -text -in server.crt
+ $(OPENSSL) x509 -text -in server.crt
printca:
- openssl x509 -text -in ca.pem
+ $(OPENSSL) x509 -text -in ca.pem
clean:
@rm -f *~ *old client.csr client.key client.crt client.p12 client.pem
diff -u -r freeradius-debian-9.0/3.0/certs/README freeradius-debian-10.0/3.0/certs/README
--- freeradius-debian-9.0/3.0/certs/README 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/certs/README 2019-04-23 00:23:36.000000000 +0300
@@ -94,6 +94,11 @@
MAKING A SERVER CERTIFICATE
+The following steps will let you create a server certificate for use
+with TLS-based EAP methods, such as EAP-TLS, PEAP, and TTLS. Follow
+similar steps to create an "inner-server.pem" file, for use with
+EAP-TLS that is tunneled inside of another TLS-based EAP method.
+
$ vi server.cnf
Edit the "input_password" and "output_password" fields to be the
@@ -117,6 +122,7 @@
extensions needed by Microsoft clients.
+
MAKING A CLIENT CERTIFICATE
diff -u -r freeradius-debian-9.0/3.0/certs/bootstrap freeradius-debian-10.0/3.0/certs/bootstrap
--- freeradius-debian-9.0/3.0/certs/bootstrap 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/certs/bootstrap 2019-04-23 00:23:36.000000000 +0300
@@ -8,7 +8,7 @@
# binary package. The installation should also ensure that the permissions
# and owners are correct for the files generated by this script.
#
-# $Id: c9d939beac8d5bdc21ea1ff9233442f9ab933297 $
+# $Id: 0f719aafd4c9abcdefbf547dedb6e7312c535104 $
#
umask 027
cd `dirname $0`
@@ -32,7 +32,7 @@
# re-generate these commands.
#
if [ ! -f dh ]; then
- openssl dhparam -out dh 1024 || exit 1
+ openssl dhparam -out dh 2048 || exit 1
if [ -e /dev/urandom ] ; then
ln -sf /dev/urandom random
else
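Review bot: The new `openssl dhparam -out dh 2048` runs only inside `if [ ! -f dh ]`, so an installation that already ran the earlier script keeps its 1024-bit `dh` file across the upgrade and the stronger parameters never take effect there. A comment on that line would help operators who expect the upgrade to regenerate it, e.g. `# An existing dh file (possibly 1024-bit from an older release) is kept; remove it to regenerate.` The Makefile in this diff produces the same file with `DH_KEY_SIZE = 2048`, so the two paths now agree for fresh installs. The surrounding `if` block continues past the hunk.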
Only in freeradius-debian-10.0/3.0/certs: inner-server.cnf
diff -u -r freeradius-debian-9.0/3.0/clients.conf freeradius-debian-10.0/3.0/clients.conf
--- freeradius-debian-9.0/3.0/clients.conf 2018-02-23 12:04:12.000000000 +0200
+++ freeradius-debian-10.0/3.0/clients.conf 2020-12-17 14:40:36.444164444 +0200
@@ -31,11 +31,13 @@
# Allowed values are:
# dotted quad (1.2.3.4)
# hostname (radius.example.com)
- ipaddr = 127.0.0.1
+ #ipaddr = 127.0.0.1
+ ipv4addr = 127.0.0.1
# OR, you can use an IPv6 address, but not both
# at the same time.
# ipv6addr = :: # any. ::1 == localhost
+ ipv6addr = ::1
#
# A note on DNS: We STRONGLY recommend using IP addresses
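Review bot: The localhost client now sets both `ipv4addr = 127.0.0.1` and `ipv6addr = ::1` in the same `client` block, which the context lines directly above say is not supported ("you can use an IPv6 address, but not both at the same time"); the second hunk does the same for the `193.167.36.0/25` and `10.0.36.253/32` blocks. This file carries a 2020-12-17 timestamp, i.e. it was edited on the upgraded host rather than shipped by the package, so if the server rejects or silently mishandles a client with both families it could be what stops the server answering on the network and is worth testing before looking further at the package defaults. The portable layout is one block per address family: keep `ipv4addr = 127.0.0.1` here and put `ipv6addr = ::1` in a separately named `client` block with the same secret.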
@@ -194,17 +196,22 @@
# i.e. The entry from the smallest possible network.
#
client 193.167.36.0/25 {
+ ipv4addr = 193.167.36.0/25
+ ipv6addr = 2001:708:170:36::/64
secret = removed
shortname = arcada-aps
}
client 10.0.36.0/24 {
+ ipv4addr = 10.0.36.0/24
secret = removed
shortname = arcada-aps
}
# The test aruba 7010 controller
client 10.0.36.253/32 {
+ ipv4addr = 10.0.36.253
+ ipv6addr = 2001:708:170:360::2
secret = removed
shortname = clustrum
}
diff -u -r freeradius-debian-9.0/3.0/huntgroups freeradius-debian-10.0/3.0/huntgroups
--- freeradius-debian-9.0/3.0/huntgroups 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/huntgroups 2019-04-23 00:23:36.000000000 +0300
@@ -1,13 +1,10 @@
#
# huntgroups This file defines the `huntgroups' that you have. A
# huntgroup is defined by specifying the IP address of
-# the NAS and possibly a port range. Port can be identified
-# as just one port, or a range (from-to), and multiple ports
-# or ranges of ports must be separated by a comma. For
-# example: 1,2,3-8
+# the NAS and possibly a port.
#
# Matching is done while RADIUS scans the user file; if it
-# includes the selection criterium "Huntgroup-Name == XXX"
+# includes the selection criteria "Huntgroup-Name == XXX"
# the huntgroup is looked up in this file to see if it
# matches. There can be multiple definitions of the same
# huntgroup; the first one that matches will be used.
@@ -32,15 +29,15 @@
#delft NAS-IP-Address == 198.51.100.5
#
-# Ports 0-7 on the first terminal server in Alphen are connected to
+# Port 0 on the first terminal server in Alphen are connected to
# a huntgroup that is for business users only. Note that only one
# of the username or groupname has to match to get access (OR/OR).
#
# Note that this huntgroup is a subset of the "alphen" huntgroup.
#
-#business NAS-IP-Address == 198.51.100.5, NAS-Port-Id == 0-7
-# User-Name = rogerl,
-# User-Name = henks,
-# Group = business,
-# Group = staff
+#business NAS-IP-Address == 198.51.100.5, NAS-Port-Id == 0
+# User-Name == rogerl,
+# User-Name == henks,
+# Group == business,
+# Group == staff
diff -u -r freeradius-debian-9.0/3.0/mods-available/README.rst freeradius-debian-10.0/3.0/mods-available/README.rst
--- freeradius-debian-9.0/3.0/mods-available/README.rst 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-available/README.rst 2019-04-23 00:23:36.000000000 +0300
@@ -1,7 +1,7 @@
Modules in Version 3
====================
-As of Version 3, all of the modules have been places in the
+As of Version 3, all of the modules have been placed in the
"mods-available/" directory. This practice follows that used by other
servers such as Nginx, Apache, etc. The "modules" directory should
not be used.
@@ -58,7 +58,7 @@
Ignoring module (see raddb/mods-available/README.rst)
Then you are in the right place. Most of the time this message can be
-ignored. The message can be fixed by find the references to "-module"
+ignored. The message can be fixed by finding the references to "-module"
in the virtual server, and deleting them.
Another way to fix it is to configure the module, as described above.
diff -u -r freeradius-debian-9.0/3.0/mods-available/cache freeradius-debian-10.0/3.0/mods-available/cache
--- freeradius-debian-9.0/3.0/mods-available/cache 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-available/cache 2019-04-23 00:23:36.000000000 +0300
@@ -1,6 +1,6 @@
# -*- text -*-
#
-# $Id: fe9ddd8fe9e99f9d8c97018db22afe46b661d7e1 $
+# $Id: 8bd4730cf570fdfedc9c516dc6974eab39981600 $
#
# A module to cache attributes. The idea is that you can look
@@ -63,15 +63,6 @@
# This value should be between 10 and 86400.
ttl = 10
- # You can flush the cache via
- #
- # radmin -e "set module config cache epoch 123456789"
- #
- # Where last value is a 32-bit Unix timestamp. Cache entries older
- # than this are expired, as new entries added.
- #
- # You should never set the "epoch" configuration item in this file.
-
# If yes the following attributes will be added to the request:
# * &request:Cache-Entry-Hits - The number of times this entry
# has been retrieved.
@@ -98,7 +89,7 @@
# <list>:<attribute> <op> <value>
# Cache all instances of Reply-Message in the reply list
- &reply:Reply-Message += &reply:Reply-Message
+ &reply:Reply-Message += &reply:Reply-Message[*]
# Add our own to show when the cache was last updated
&reply:Reply-Message += "Cache last updated at %t"
diff -u -r freeradius-debian-9.0/3.0/mods-available/couchbase freeradius-debian-10.0/3.0/mods-available/couchbase
--- freeradius-debian-9.0/3.0/mods-available/couchbase 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-available/couchbase 2019-04-23 00:23:36.000000000 +0300
@@ -29,7 +29,7 @@
#
# Element names should be single quoted.
#
- # Note: Atrributes not in this map will not be recorded.
+ # Note: Attributes not in this map will not be recorded.
#
update {
Acct-Session-Id = 'sessionId'
diff -u -r freeradius-debian-9.0/3.0/mods-available/date freeradius-debian-10.0/3.0/mods-available/date
--- freeradius-debian-9.0/3.0/mods-available/date 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-available/date 2019-04-23 00:23:36.000000000 +0300
@@ -11,4 +11,9 @@
#
date {
format = "%b %e %Y %H:%M:%S %Z"
+
+ # Use UTC instead of local time.
+ #
+ # default = no
+# utc = yes
}
Only in freeradius-debian-10.0/3.0/mods-available: eap.dpkg-dist
diff -u -r freeradius-debian-9.0/3.0/mods-available/inner-eap freeradius-debian-10.0/3.0/mods-available/inner-eap
--- freeradius-debian-9.0/3.0/mods-available/inner-eap 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-available/inner-eap 2019-04-23 00:23:36.000000000 +0300
@@ -1,6 +1,6 @@
# -*- text -*-
#
-# $Id: 2b4df6267d26dc58bbb273656480d55a0e60e8bf $
+# $Id: 576eb7739ebf18ca6323cb740a7d4278ff6d6ea2 $
#
# Sample configuration for an EAP module that occurs *inside*
@@ -45,6 +45,15 @@
# You SHOULD use different certificates than are used
# for the outer EAP configuration!
#
+ # You can create the "inner-server.pem" file by doing:
+ #
+ # cd raddb/certs
+ # vi inner-server.cnf
+ # make inner-server
+ #
+ # The certificate MUST be different from the "server.cnf"
+ # file.
+ #
# Support for PEAP/TLS and RFC 5176 TLS/TLS is experimental.
# It might work, or it might not.
#
@@ -86,6 +95,10 @@
# check_crl = yes
# ca_path = /path/to/directory/with/ca_certs/and/crls/
+ # Accept an expired Certificate Revocation List
+ #
+# allow_expired_crl = no
+
#
# The session resumption / fast re-authentication
# cache CANNOT be used for inner sessions.
Only in freeradius-debian-10.0/3.0/mods-available: ldap.dpkg-dist
diff -u -r freeradius-debian-9.0/3.0/mods-available/linelog freeradius-debian-10.0/3.0/mods-available/linelog
--- freeradius-debian-9.0/3.0/mods-available/linelog 2018-02-23 14:16:27.000000000 +0200
+++ freeradius-debian-10.0/3.0/mods-available/linelog 2019-04-23 00:23:36.000000000 +0300
@@ -1,6 +1,6 @@
# -*- text -*-
#
-# $Id: c646da0a05cbdf6e984f79cea105de41de4b0528 $
+# $Id: dc2a8195b3c1c2251fc37651ea4a598898c33d12 $
#
# The "linelog" module will log one line of text to a file.
@@ -104,7 +104,7 @@
#
# Reference the Packet-Type (Access-Accept, etc.) If it doesn't
- # exist, reference the "defaukt" entry.
+ # exist, reference the "default" entry.
#
# This is for "linelog" being used in the post-auth section
# If you want to use it in "authorize", you need to change
Only in freeradius-debian-10.0/3.0/mods-available: moonshot-targeted-ids
Only in freeradius-debian-10.0/3.0/mods-available: mschap.dpkg-dist
diff -u -r freeradius-debian-9.0/3.0/mods-available/ntlm_auth freeradius-debian-10.0/3.0/mods-available/ntlm_auth
--- freeradius-debian-9.0/3.0/mods-available/ntlm_auth 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-available/ntlm_auth 2019-04-23 00:23:36.000000000 +0300
@@ -6,6 +6,12 @@
#
# https://bugzilla.samba.org/show_bug.cgi?id=6563
#
+# Depending on the AD / Samba configuration, you may also need to add:
+#
+# --allow-mschapv2
+#
+# to the list of command-line options.
+#
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
diff -u -r freeradius-debian-9.0/3.0/mods-available/otp freeradius-debian-10.0/3.0/mods-available/otp
--- freeradius-debian-9.0/3.0/mods-available/otp 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-available/otp 2019-04-23 00:23:36.000000000 +0300
@@ -9,8 +9,6 @@
# It works in conjunction with otpd, which implements token
# management and OTP verification functions; and lsmd or gsmd,
# which implements synchronous state management functions.
-# otpd, lsmd and gsmd are available from TRI-D Systems:
-# <http://www.tri-dsystems.com/>
# You must list this module in BOTH the authorize and authenticate
# sections in order to use it.
diff -u -r freeradius-debian-9.0/3.0/mods-available/python freeradius-debian-10.0/3.0/mods-available/python
--- freeradius-debian-9.0/3.0/mods-available/python 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-available/python 2019-04-23 00:23:36.000000000 +0300
@@ -7,6 +7,14 @@
# a function defined, it will return NOOP.
#
python {
+ # Path to the python modules
+ #
+ # Note that due to limitations on Python, this configuration
+ # item is GLOBAL TO THE SERVER. That is, you cannot have two
+ # instances of the python module, each with a different path.
+ #
+# python_path="/path/to/python/files:/another_path/to/python_files/"
+
module = example
mod_instantiate = ${.module}
diff -u -r freeradius-debian-9.0/3.0/mods-available/realm freeradius-debian-10.0/3.0/mods-available/realm
--- freeradius-debian-9.0/3.0/mods-available/realm 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-available/realm 2019-04-23 00:23:36.000000000 +0300
@@ -1,6 +1,6 @@
# -*- text -*-
#
-# $Id: b4c8ee3d8534ece75f6129d4853e6bc081cf0aa5 $
+# $Id: 36825e0fe77cb515219ba7febc37192988ed9fba $
# Realm module, for proxying.
#
@@ -33,6 +33,7 @@
# for a trust-router. For all other realms,
# they are ignored.
# trust_router = "localhost"
+# tr_port = 12309
# rp_realm = "painless-security.com"
# default_community = "apc.moonshot.ja.net"
}
diff -u -r freeradius-debian-9.0/3.0/mods-available/redis freeradius-debian-10.0/3.0/mods-available/redis
--- freeradius-debian-9.0/3.0/mods-available/redis 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-available/redis 2019-04-23 00:23:36.000000000 +0300
@@ -1,6 +1,6 @@
# -*- text -*-
#
-# $Id: 0ef86751acd4389e7a6446e37856fde75fd4137c $
+# $Id: 7952ee4ecebf03496869c88c55a2f32dc689a364 $
#
# Configuration file for the "redis" module. This module does nothing
@@ -19,6 +19,9 @@
# We recommend using a strong password.
# password = thisisreallysecretandhardtoguess
+ # Set connection and query timeout for rlm_redis
+ query_timeout = 5
+
#
# Information for the connection pool. The configuration items
# below are the same for all modules which use the new
diff -u -r freeradius-debian-9.0/3.0/mods-available/rest freeradius-debian-10.0/3.0/mods-available/rest
--- freeradius-debian-9.0/3.0/mods-available/rest 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-available/rest 2019-04-23 00:23:36.000000000 +0300
@@ -5,8 +5,18 @@
# server.
#
tls {
-# ca_file = ${certdir}/cacert.pem
-# ca_path = ${certdir}
+ # Certificate Authorities:
+ # "ca_file" (libcurl option CURLOPT_ISSUERCERT).
+ # File containing a single CA, which is the issuer of the server
+ # certificate.
+ # "ca_info_file" (libcurl option CURLOPT_CAINFO).
+ # File containing a bundle of certificates, which allow to handle
+ # certificate chain validation.
+ # "ca_path" (libcurl option CURLOPT_CAPATH).
+ # Directory holding CA certificates to verify the peer with.
+# ca_file = ${certdir}/cacert.pem
+# ca_info_file = ${certdir}/cacert_bundle.pem
+# ca_path = ${certdir}
# certificate_file = /path/to/radius.crt
# private_key_file = /path/to/radius.key
@@ -105,7 +115,10 @@
# - is_json If true, any nested JSON data will be copied to the attribute
# in string form. Defaults to true.
# - op Controls how the attribute is inserted into the target list.
- # Defaults to ':='.
+ # Defaults to ':='. To create multiple attributes from multiple
+ # values, this should be set to '+=', otherwise only the last
+ # value will be used, and it will be assigned to a single
+ # attribute.
# {
# "<attribute0>":{
# "is_json":<bool>,
@@ -114,7 +127,10 @@
# "value":[<value0>,<value1>,<valueN>]
# },
# "<attribute1>":"value",
- # "<attributeN>":[<value0>,<value1>,<valueN>]
+ # "<attributeN>":{
+ # "value":[<value0>,<value1>,<valueN>],
+ # "op":"+="
+ # }
# }
#
diff -u -r freeradius-debian-9.0/3.0/mods-available/sqlippool freeradius-debian-10.0/3.0/mods-available/sqlippool
--- freeradius-debian-9.0/3.0/mods-available/sqlippool 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-available/sqlippool 2019-04-23 00:23:36.000000000 +0300
@@ -4,7 +4,7 @@
#
# raddb/sql/ippool/<DB>/schema.sql
#
-# $Id: b32b77aa4ca134d608a1140da73434bdc7d14895 $
+# $Id: 435921fb297812c11060859ce1066248ef53c4df $
sqlippool {
# SQL instance to use (from sql.conf)
@@ -24,8 +24,38 @@
# IP lease duration. (Leases expire even if Acct Stop packet is lost)
lease_duration = 3600
- # protocol to use. The default is IPv4.
-# ipv6 = yes
+ #
+ # As of 3.0.16, the 'ipv6 = yes' configuration is deprecated.
+ # You should use the "attribute_name" configuration item
+ # below, instead.
+ #
+
+ #
+ # The attribute to use for IP address assignment. The
+ # default is Framed-IP-Address. You can change this to any
+ # attribute which is IPv4 or IPv6.
+ #
+ # e.g. Framed-IPv6-Prefix, or Delegated-IPv6-Prefix.
+ #
+ # As of 3.0.16, all of the default queries have been updated to use
+ # this attribute_name. So you can do IPv6 address assignment simply
+ # by putting IPv6 addresses into the pool, and changing the following
+ # line to "Framed-IPv6-Prefix"
+ #
+ # Note that you MUST use separate pools for each attribute. i.e. one pool
+ # for Framed-IP-Address, a different one for Framed-IPv6-prefix, etc.
+ #
+ # This means configuring separate "sqlippool" instances, and different
+ # "ippool_table" in SQL. Then, populate the pool with addresses and
+ # it will all just work.
+ #
+ attribute_name = Framed-IP-Address
+
+ #
+ # Assign the IP address, even if the above attribute already exists
+ # in the reply.
+ #
+# allow_duplicates = no
# Attribute which should be considered unique per NAS
#
@@ -53,11 +83,11 @@
# which writes Module-Success-Message message.
#
messages {
- exists = "Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
+ exists = "Existing IP: %{reply:${..attribute_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
- success = "Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
+ success = "Allocated IP: %{reply:${..attribute_name}} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
- clear = "Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
+ clear = "Released IP ${..attribute_name} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
failed = "IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
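Review bot: `clear = "Released IP ${..attribute_name} …"` expands to the literal attribute name (`Framed-IP-Address` with the default set above), not to the released address, because `${..attribute_name}` is a config-file reference while the value needs an attribute expansion around it; the `exists` and `success` lines in this hunk get this right with `%{reply:${..attribute_name}}`, and the removed line used `%{Framed-IP-Address}`. The request-list equivalent, as used in the mysql queries.conf hunk of this diff, is `clear = "Released IP %{${..attribute_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"`.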
diff -u -r freeradius-debian-9.0/3.0/mods-config/attr_filter/pre-proxy freeradius-debian-10.0/3.0/mods-config/attr_filter/pre-proxy
--- freeradius-debian-9.0/3.0/mods-config/attr_filter/pre-proxy 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-config/attr_filter/pre-proxy 2019-04-23 00:23:36.000000000 +0300
@@ -2,7 +2,7 @@
# Configuration file for the rlm_attr_filter module.
# Please see rlm_attr_filter(5) manpage for more information.
#
-# $Id: 3930fedfc0c638629198ff49f4bc3d5184261705 $
+# $Id: 47b01266f44d0475261c6ea16f74ca17d8838749 $
#
# This file contains security and configuration information
# for each realm. It can be used be an rlm_attr_filter module
@@ -60,4 +60,6 @@
NAS-IP-Address =* ANY,
NAS-Identifier =* ANY,
Operator-Name =* ANY,
+ Calling-Station-Id =* ANY,
+ Chargeable-User-Identity =* ANY,
Proxy-State =* ANY
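Review bot: `Calling-Station-Id =* ANY` and `Chargeable-User-Identity =* ANY` widen what this filter lets through to home servers in pre-proxy, and Calling-Station-Id typically carries the client's MAC address; operators who rely on this file to limit what leaves their realm will want the reason stated next to the lines, which the hunk does not give. A one-line comment such as `# Forwarded to the home server; remove if calling-station data must stay local` (wording constructed) would make the choice reviewable.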
diff -u -r freeradius-debian-9.0/3.0/mods-config/files/accounting freeradius-debian-10.0/3.0/mods-config/files/accounting
--- freeradius-debian-9.0/3.0/mods-config/files/accounting 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-config/files/accounting 2019-04-23 00:23:36.000000000 +0300
@@ -1,5 +1,5 @@
#
-# $Id: 322d33a01f26e3990ba19954b7847e6993ae389b $
+# $Id: eaf952a72dc9d19387af4d2056d7f7027b2435e8 $
#
# This is like the 'users' file, but it is processed only for
# accounting packets.
@@ -9,13 +9,17 @@
# Realm, the Huntgroup-Name or any combinaison of the attribute/value
# pairs contained in an accounting packet.
#
-#DEFAULT Realm == "foo.net", Acct-Type := sql_log.foo
+# You will need to add an "Acct-Type foo {...}" subsection to the
+# main "accounting" section in order for these sample configurations
+# to work.
#
-#DEFAULT Huntgroup-Name == "wifi", Acct-Type := sql_log.wifi
+#DEFAULT Realm == "foo.net", Acct-Type := foo
#
-#DEFAULT Client-IP-Address == 10.0.0.1, Acct-Type := sql_log.other
+#DEFAULT Huntgroup-Name == "wifi", Acct-Type := wifi
#
-#DEFAULT Acct-Status-Type == Start, Acct-Type := sql_log.start
+#DEFAULT Client-IP-Address == 10.0.0.1, Acct-Type := other
+#
+#DEFAULT Acct-Status-Type == Start, Acct-Type := start
# Replace the User-Name with the Stripped-User-Name, if it exists.
#
diff -u -r freeradius-debian-9.0/3.0/mods-config/perl/example.pl freeradius-debian-10.0/3.0/mods-config/perl/example.pl
--- freeradius-debian-9.0/3.0/mods-config/perl/example.pl 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-config/perl/example.pl 2019-04-23 00:23:36.000000000 +0300
@@ -126,7 +126,12 @@
return RLM_MODULE_REJECT;
} else {
# Accept user and set some attribute
- $RAD_REPLY{'h323-credit-amount'} = "100";
+ if (&radiusd::xlat("%{client:group}") eq 'UltraAllInclusive') {
+ # User called from NAS with unlim plan set, set higher limits
+ $RAD_REPLY{'h323-credit-amount'} = "1000000";
+ } else {
+ $RAD_REPLY{'h323-credit-amount'} = "100";
+ }
return RLM_MODULE_OK;
}
}
diff -u -r freeradius-debian-9.0/3.0/mods-config/preprocess/huntgroups freeradius-debian-10.0/3.0/mods-config/preprocess/huntgroups
--- freeradius-debian-9.0/3.0/mods-config/preprocess/huntgroups 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-config/preprocess/huntgroups 2019-04-23 00:23:36.000000000 +0300
@@ -1,13 +1,10 @@
#
# huntgroups This file defines the `huntgroups' that you have. A
# huntgroup is defined by specifying the IP address of
-# the NAS and possibly a port range. Port can be identified
-# as just one port, or a range (from-to), and multiple ports
-# or ranges of ports must be separated by a comma. For
-# example: 1,2,3-8
+# the NAS and possibly a port.
#
# Matching is done while RADIUS scans the user file; if it
-# includes the selection criterium "Huntgroup-Name == XXX"
+# includes the selection criteria "Huntgroup-Name == XXX"
# the huntgroup is looked up in this file to see if it
# matches. There can be multiple definitions of the same
# huntgroup; the first one that matches will be used.
@@ -32,15 +29,15 @@
#delft NAS-IP-Address == 198.51.100.5
#
-# Ports 0-7 on the first terminal server in Alphen are connected to
+# Port 0 on the first terminal server in Alphen are connected to
# a huntgroup that is for business users only. Note that only one
# of the username or groupname has to match to get access (OR/OR).
#
# Note that this huntgroup is a subset of the "alphen" huntgroup.
#
-#business NAS-IP-Address == 198.51.100.5, NAS-Port-Id == 0-7
-# User-Name = rogerl,
-# User-Name = henks,
-# Group = business,
-# Group = staff
+#business NAS-IP-Address == 198.51.100.5, NAS-Port-Id == 0
+# User-Name == rogerl,
+# User-Name == henks,
+# Group == business,
+# Group == staff
diff -u -r freeradius-debian-9.0/3.0/mods-config/python/radiusd.py freeradius-debian-10.0/3.0/mods-config/python/radiusd.py
--- freeradius-debian-9.0/3.0/mods-config/python/radiusd.py 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-config/python/radiusd.py 2019-04-23 00:23:36.000000000 +0300
@@ -8,7 +8,7 @@
# Inside freeradius, the 'radiusd' Python module is created by the C module
# and the definitions are automatically created.
#
-# $Id: e12bbd642b63d87024dba9530c7778308cf0e3a4 $
+# $Id: c535bb3caff5010ce06279f4e0d00d44377d0c4f $
# from modules.h
@@ -23,14 +23,19 @@
RLM_MODULE_UPDATED = 8
RLM_MODULE_NUMCODES = 9
-
-# from radiusd.h
-L_DBG = 1
+# from log.h
L_AUTH = 2
L_INFO = 3
L_ERR = 4
-L_PROXY = 5
-L_CONS = 128
+L_WARN = 5
+L_PROXY = 6
+L_ACCT = 7
+
+L_DBG = 16
+L_DBG_WARN = 17
+L_DBG_ERR = 18
+L_DBG_WARN_REQ = 19
+L_DBG_ERR_REQ = 20
# log function
def radlog(level, msg):
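Review bot: This hunk removes `L_CONS` and renumbers `L_DBG` (1 to 16) and `L_PROXY` (5 to 6) without a compatibility note, so a site module written against the earlier version that references `radiusd.L_CONS` raises AttributeError at first use, and one that passed the old integer literals now logs at a different level. A comment under `# from log.h` naming the renumbering, or a deprecated alias kept for one release, would make the break visible to operators doing this upgrade; whether the C side still accepts the old values cannot be told from here. `radlog` begins on the hunk's last line and continues outside it.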
diff -u -r freeradius-debian-9.0/3.0/mods-config/sql/ippool/mysql/queries.conf freeradius-debian-10.0/3.0/mods-config/sql/ippool/mysql/queries.conf
--- freeradius-debian-9.0/3.0/mods-config/sql/ippool/mysql/queries.conf 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-config/sql/ippool/mysql/queries.conf 2019-04-23 00:23:36.000000000 +0300
@@ -2,7 +2,7 @@
#
# ippool/mysql/queries.conf -- MySQL queries for rlm_sqlippool
#
-# $Id: ecdb8beda2fe841c07f513f3a6be9e535f73875b $
+# $Id: bc51b1b2e2482b116f21010f93959ec3182206cf $
#
# This series of queries allocates an IP address
@@ -20,7 +20,7 @@
#
# This series of queries allocates an IP address
# (Note: If your pool_key is set to Calling-Station-Id and not NAS-Port
-# then you may wish to delete the "AND nasipaddress = '%{Nas-IP-Address}'
+# then you may wish to delete the "AND nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'
# from the WHERE clause)
#
allocate_clear = "\
@@ -32,7 +32,7 @@
username = '', \
expiry_time = NULL \
WHERE expiry_time <= NOW() - INTERVAL 1 SECOND \
- AND nasipaddress = '%{Nas-IP-Address}'"
+ AND nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'"
#
# The ORDER BY clause of this query tries to allocate the same IP-address
@@ -96,7 +96,7 @@
AND pool_key = '${pool_key}' \
AND username = '%{User-Name}' \
AND callingstationid = '%{Calling-Station-Id}' \
- AND framedipaddress = '%{Framed-IP-Address}'"
+ AND framedipaddress = '%{${attribute_name}}'"
#
# This series of queries frees an IP number when an accounting STOP record arrives.
@@ -109,11 +109,11 @@
callingstationid = '', \
username = '', \
expiry_time = NULL \
- WHERE nasipaddress = '%{Nas-IP-Address}' \
+ WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' \
AND pool_key = '${pool_key}' \
AND username = '%{User-Name}' \
AND callingstationid = '%{Calling-Station-Id}' \
- AND framedipaddress = '%{Framed-IP-Address}'"
+ AND framedipaddress = '%{${attribute_name}}'"
#
# This series of queries frees an IP number when an accounting ALIVE record arrives.
@@ -122,11 +122,11 @@
UPDATE ${ippool_table} \
SET \
expiry_time = NOW() + INTERVAL ${lease_duration} SECOND \
- WHERE nasipaddress = '%{Nas-IP-Address}' \
+ WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' \
AND pool_key = '${pool_key}' \
AND username = '%{User-Name}' \
AND callingstationid = '%{Calling-Station-Id}' \
- AND framedipaddress = '%{Framed-IP-Address}'"
+ AND framedipaddress = '%{${attribute_name}}'"
#
# This series of queries frees the IP numbers allocate to a
@@ -140,7 +140,7 @@
callingstationid = '', \
username = '', \
expiry_time = NULL \
- WHERE nasipaddress = '%{Nas-IP-Address}'"
+ WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'"
#
# This series of queries frees the IP numbers allocate to a
@@ -154,4 +154,4 @@
callingstationid = '', \
username = '', \
expiry_time = NULL \
- WHERE nasipaddress = '%{Nas-IP-Address}'"
+ WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'"
diff -u -r freeradius-debian-9.0/3.0/mods-config/sql/ippool/oracle/queries.conf freeradius-debian-10.0/3.0/mods-config/sql/ippool/oracle/queries.conf
--- freeradius-debian-9.0/3.0/mods-config/sql/ippool/oracle/queries.conf 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-config/sql/ippool/oracle/queries.conf 2019-04-23 00:23:36.000000000 +0300
@@ -2,7 +2,7 @@
#
# ippool/oracle/queries.conf -- Oracle queries for rlm_sqlippool
#
-# $Id: 06d37f8985f3da1ac36276bdc9ca9c15a42d4059 $
+# $Id: 03b7f0ed281654d211a7e134c44e25679573a5fc $
allocate_begin = "commit"
start_begin = "commit"
@@ -83,7 +83,7 @@
# as your "pool_key" and your users are able to reconnect before your NAS
# has timed out their previous session. (Generally on wireless networks)
# (Note: If your pool_key is set to Calling-Station-Id and not NAS-Port
-# then you may wish to delete the "AND nasipaddress = '%{Nas-IP-Address}'
+# then you may wish to delete the "AND nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'
# from the WHERE clause)
#
allocate_clear = "\
@@ -116,7 +116,7 @@
pool_key = 0, \
callingstationid = '', \
expiry_time = current_timestamp - INTERVAL '1' second(1) \
- WHERE nasipaddress = '%{Nas-IP-Address}' \
+ WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' \
AND pool_key = '${pool_key}' \
AND username = '%{SQL-User-Name}' \
AND callingstationid = '%{Calling-Station-Id}'"
@@ -129,9 +129,9 @@
UPDATE ${ippool_table} \
SET \
expiry_time = current_timestamp + INTERVAL '${lease_duration}' second(1) \
- WHERE nasipaddress = '%{Nas-IP-Address}' \
+ WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' \
AND pool_key = '${pool_key}' \
- AND framedipaddress = '%{Framed-IP-Address}' \
+ AND framedipaddress = '%{${attribute_name}}' \
AND username = '%{SQL-User-Name}' \
AND callingstationid = '%{Calling-Station-Id}'"
@@ -146,7 +146,7 @@
pool_key = 0, \
callingstationid = '', \
expiry_time = current_timestamp - INTERVAL '1' second(1) \
- WHERE nasipaddress = '%{Nas-IP-Address}'"
+ WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'"
#
# This query frees all IP addresses allocated to a NAS when an
@@ -159,4 +159,4 @@
pool_key = 0, \
callingstationid = '', \
expiry_time = current_timestamp - INTERVAL '1' second(1) \
- WHERE nasipaddress = '%{Nas-IP-Address}'"
+ WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'"
diff -u -r freeradius-debian-9.0/3.0/mods-config/sql/ippool/postgresql/queries.conf freeradius-debian-10.0/3.0/mods-config/sql/ippool/postgresql/queries.conf
--- freeradius-debian-9.0/3.0/mods-config/sql/ippool/postgresql/queries.conf 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-config/sql/ippool/postgresql/queries.conf 2019-04-23 00:23:36.000000000 +0300
@@ -2,7 +2,7 @@
#
# ippool/postgresql/queries.conf -- PostgreSQL queries for rlm_sqlippool
#
-# $Id: 38465e829f61efab50f565dc349ef64b29052f21 $
+# $Id: 9ceb5148e40c87056d408866d05ae3b52e38b734 $
#
# This query allocates an IP address from the Pool
@@ -64,7 +64,7 @@
# as your "pool_key" and your users are able to reconnect before your NAS
# has timed out their previous session. (Generally on wireless networks)
# (Note: If your pool_key is set to Calling-Station-Id and not NAS-Port
-# then you may wish to delete the "AND nasipaddress = '%{Nas-IP-Address}'
+# then you may wish to delete the "AND nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'
# from the WHERE clause)
#
allocate_clear = "\
@@ -99,11 +99,11 @@
pool_key = 0, \
callingstationid = '', \
expiry_time = 'now'::timestamp(0) - '1 second'::interval \
- WHERE nasipaddress = '%{Nas-IP-Address}' \
+ WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' \
AND pool_key = '${pool_key}' \
AND username = '%{SQL-User-Name}' \
AND callingstationid = '%{Calling-Station-Id}' \
- AND framedipaddress = '%{Framed-IP-Address}'"
+ AND framedipaddress = '%{${attribute_name}}'"
#
# This query extends an IP address lease by "lease_duration" when an accounting
@@ -113,9 +113,9 @@
UPDATE ${ippool_table} \
SET \
expiry_time = 'now'::timestamp(0) + '${lease_duration} seconds'::interval \
- WHERE nasipaddress = '%{Nas-IP-Address}' \
+ WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' \
AND pool_key = '${pool_key}' \
- AND framedipaddress = '%{Framed-IP-Address}' \
+ AND framedipaddress = '%{${attribute_name}}' \
AND username = '%{SQL-User-Name}' \
AND callingstationid = '%{Calling-Station-Id}'"
@@ -130,7 +130,7 @@
pool_key = 0, \
callingstationid = '', \
expiry_time = 'now'::timestamp(0) - '1 second'::interval \
- WHERE nasipaddress = '%{Nas-IP-Address}'"
+ WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'"
#
# This query frees all IP addresses allocated to a NAS when an
@@ -143,4 +143,4 @@
pool_key = 0, \
callingstationid = '', \
expiry_time = 'now'::timestamp(0) - '1 second'::interval \
- WHERE nasipaddress = '%{Nas-IP-Address}'"
+ WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'"
diff -u -r freeradius-debian-9.0/3.0/mods-config/sql/ippool/sqlite/queries.conf freeradius-debian-10.0/3.0/mods-config/sql/ippool/sqlite/queries.conf
--- freeradius-debian-9.0/3.0/mods-config/sql/ippool/sqlite/queries.conf 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-config/sql/ippool/sqlite/queries.conf 2019-04-23 00:23:36.000000000 +0300
@@ -2,7 +2,7 @@
#
# ippool/sqlite/queries.conf -- SQLite queries for rlm_sqlippool
#
-# $Id: e912bd32a7485f6a505dbb67ad6f54138845cdee $
+# $Id: 76d07dfb43a1b5611bd6d5aa078d0c006271c56b $
#
# This series of queries allocates an IP address
@@ -18,7 +18,7 @@
#
# This series of queries allocates an IP address
# (Note: If your pool_key is set to Calling-Station-Id and not NAS-Port
-# then you may wish to delete the "AND nasipaddress = '%{Nas-IP-Address}'
+# then you may wish to delete the "AND nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'
# from the WHERE clause)
#
allocate_clear = "\
@@ -30,7 +30,7 @@
username = '', \
expiry_time = NULL \
WHERE expiry_time <= datetime(strftime('%%s', 'now') - 1, 'unixepoch') \
- AND nasipaddress = '%{Nas-IP-Address}'"
+ AND nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'"
#
# The ORDER BY clause of this query tries to allocate the same IP-address
@@ -99,7 +99,7 @@
AND pool_key = '${pool_key}' \
AND username = '%{User-Name}' \
AND callingstationid = '%{Calling-Station-Id}' \
- AND framedipaddress = '%{Framed-IP-Address}'"
+ AND framedipaddress = '%{${attribute_name}}'"
#
# This series of queries frees an IP number when an accounting STOP record arrives
@@ -112,11 +112,11 @@
callingstationid = '', \
username = '', \
expiry_time = NULL \
- WHERE nasipaddress = '%{Nas-IP-Address}' \
+ WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' \
AND pool_key = '${pool_key}' \
AND username = '%{User-Name}' \
AND callingstationid = '%{Calling-Station-Id}' \
- AND framedipaddress = '%{Framed-IP-Address}'"
+ AND framedipaddress = '%{${attribute_name}}'"
#
# This series of queries frees an IP number when an accounting
@@ -126,11 +126,11 @@
UPDATE ${ippool_table} \
SET \
expiry_time = datetime(strftime('%%s', 'now') + ${lease_duration}, 'unixepoch') \
- WHERE nasipaddress = '%{Nas-IP-Address}' \
+ WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' \
AND pool_key = '${pool_key}' \
AND username = '%{User-Name}' \
AND callingstationid = '%{Calling-Station-Id}' \
- AND framedipaddress = '%{Framed-IP-Address}'"
+ AND framedipaddress = '%{${attribute_name}}'"
#
# This series of queries frees the IP numbers allocate to a
@@ -144,7 +144,7 @@
callingstationid = '', \
username = '', \
expiry_time = NULL \
- WHERE nasipaddress = '%{Nas-IP-Address}'"
+ WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'"
#
# This series of queries frees the IP numbers allocate to a
@@ -158,5 +158,5 @@
callingstationid = '', \
username = '', \
expiry_time = NULL \
- WHERE nasipaddress = '%{Nas-IP-Address}'"
+ WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'"
diff -u -r freeradius-debian-9.0/3.0/mods-config/sql/ippool/sqlite/schema.sql freeradius-debian-10.0/3.0/mods-config/sql/ippool/sqlite/schema.sql
--- freeradius-debian-9.0/3.0/mods-config/sql/ippool/sqlite/schema.sql 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-config/sql/ippool/sqlite/schema.sql 2019-04-23 00:23:36.000000000 +0300
@@ -1,7 +1,7 @@
--
-- Table structure for table 'radippool'
--
-CREATE TABLE (
+CREATE TABLE radippool (
id int(11) PRIMARY KEY,
pool_name varchar(30) NOT NULL,
framedipaddress varchar(15) NOT NULL default '',
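Review bot: `framedipaddress varchar(15) NOT NULL default ''` keeps an IPv4-sized column while the queries.conf hunks for mysql, oracle, postgresql and sqlite in this same diff switch the framedipaddress and nasipaddress comparisons to `%{${attribute_name}}` and `%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}`. If attribute_name is configured to an IPv6 attribute, or a NAS sends only Nas-IPv6-Address, a 15-character width cannot hold the value; SQLite does not enforce declared lengths, so here the schema merely misdocuments the column, but backends that do enforce them would presumably truncate or reject. A comment on the column, or a width matching the attribute the queries are now expected to carry, would make the intent explicit. The CREATE TABLE statement continues outside the hunk.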
diff -u -r freeradius-debian-9.0/3.0/mods-config/sql/main/mssql/schema.sql freeradius-debian-10.0/3.0/mods-config/sql/main/mssql/schema.sql
--- freeradius-debian-9.0/3.0/mods-config/sql/main/mssql/schema.sql 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-config/sql/main/mssql/schema.sql 2019-04-23 00:23:36.000000000 +0300
@@ -1,5 +1,5 @@
/***************************************************************************
- * $Id: 80ccc116db8fa203260561a1db86111f16960992 $ *
+ * $Id: f3ca88cc829b9d496e9a49643f142e90224fd9b5 $ *
* *
* db_mssql.sql *
* *
@@ -19,7 +19,6 @@
[AcctSessionId] [varchar] (64) DEFAULT ('') FOR [AcctSessionId],
[AcctUniqueId] [varchar] (32) DEFAULT ('') FOR [AcctUniqueId],
[UserName] [varchar] (64) DEFAULT ('') FOR [UserName],
- [GroupName] [varchar] (64) DEFAULT ('') FOR [GroupName],
[Realm] [varchar] (64) DEFAULT ('') FOR [Realm],
[NASIPAddress] [varchar] (15) DEFAULT ('') FOR [NASIPAddress],
[NASPortId] [varchar] (15) NULL ,
diff -u -r freeradius-debian-9.0/3.0/mods-config/sql/main/mysql/schema.sql freeradius-debian-10.0/3.0/mods-config/sql/main/mysql/schema.sql
--- freeradius-debian-9.0/3.0/mods-config/sql/main/mysql/schema.sql 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-config/sql/main/mysql/schema.sql 2019-04-23 00:23:36.000000000 +0300
@@ -1,5 +1,5 @@
###########################################################################
-# $Id: ca5ac77aa03dbb86ef714d1a1af647f7e63fda00 $ #
+# $Id: 1059b115282ea738353fe4fbc8d92b03a338f8c1 $ #
# #
# schema.sql rlm_sql - FreeRADIUS SQL Module #
# #
@@ -19,7 +19,6 @@
acctsessionid varchar(64) NOT NULL default '',
acctuniqueid varchar(32) NOT NULL default '',
username varchar(64) NOT NULL default '',
- groupname varchar(64) NOT NULL default '',
realm varchar(64) default '',
nasipaddress varchar(15) NOT NULL default '',
nasportid varchar(15) default NULL,
diff -u -r freeradius-debian-9.0/3.0/mods-config/sql/main/ndb/schema.sql freeradius-debian-10.0/3.0/mods-config/sql/main/ndb/schema.sql
--- freeradius-debian-9.0/3.0/mods-config/sql/main/ndb/schema.sql 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-config/sql/main/ndb/schema.sql 2019-04-23 00:23:36.000000000 +0300
@@ -1,5 +1,5 @@
###########################################################################
-# $Id: a7f4c3121ded2b6557294de8bcab832c5715d038 $ #
+# $Id: 606599735415b041e17230d829834a94a3a678d8 $ #
# #
# schema.sql rlm_sql - FreeRADIUS SQL Module #
# #
@@ -21,7 +21,6 @@
acctsessionid varchar(64) NOT NULL default '',
acctuniqueid varchar(32) NOT NULL default '',
username varchar(64) NOT NULL default '',
- groupname varchar(64) NOT NULL default '',
realm varchar(64) default '',
nasipaddress varchar(15) NOT NULL default '',
nasportid varchar(15) default NULL,
diff -u -r freeradius-debian-9.0/3.0/mods-config/sql/main/oracle/schema.sql freeradius-debian-10.0/3.0/mods-config/sql/main/oracle/schema.sql
--- freeradius-debian-9.0/3.0/mods-config/sql/main/oracle/schema.sql 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-config/sql/main/oracle/schema.sql 2019-04-23 00:23:36.000000000 +0300
@@ -1,5 +1,5 @@
/*
- * $Id: c11295fa7307a7c05a586f5354dd59de32c059de $
+ * $Id: d70cc522d1266eb92c7013c5a326dc6d89c7a05c $
*
* Oracle schema for FreeRADIUS
*
@@ -15,7 +15,6 @@
acctsessionid VARCHAR(96) NOT NULL,
acctuniqueid VARCHAR(32),
username VARCHAR(64) NOT NULL,
- groupname VARCHAR(32),
realm VARCHAR(30),
nasipaddress VARCHAR(15) NOT NULL,
nasportid VARCHAR(32),
@@ -86,7 +85,7 @@
*/
CREATE TABLE radgroupcheck (
id INT PRIMARY KEY,
- groupname VARCHAR(20) UNIQUE NOT NULL,
+ groupname VARCHAR(20) NOT NULL,
attribute VARCHAR(64),
op CHAR(2) NOT NULL,
value VARCHAR(40)
@@ -98,7 +97,7 @@
*/
CREATE TABLE radgroupreply (
id INT PRIMARY KEY,
- GroupName VARCHAR(20) UNIQUE NOT NULL,
+ GroupName VARCHAR(20) NOT NULL,
Attribute VARCHAR(64),
op CHAR(2) NOT NULL,
Value VARCHAR(40)
@@ -134,7 +133,7 @@
*/
CREATE TABLE radusergroup (
id INT PRIMARY KEY,
- UserName VARCHAR(30) UNIQUE NOT NULL,
+ UserName VARCHAR(30) NOT NULL,
GroupName VARCHAR(30)
);
CREATE SEQUENCE radusergroup_seq START WITH 1 INCREMENT BY 1;
@@ -151,43 +150,6 @@
/
-/*
- * Table structure for table 'realmgroup'
- */
-CREATE TABLE realmgroup (
- id INT PRIMARY KEY,
- RealmName VARCHAR(30) UNIQUE NOT NULL,
- GroupName VARCHAR(30)
-);
-CREATE SEQUENCE realmgroup_seq START WITH 1 INCREMENT BY 1;
-
-CREATE TABLE realms (
- id INT PRIMARY KEY,
- realmname VARCHAR(64),
- nas VARCHAR(128),
- authport INT,
- options VARCHAR(128)
-);
-CREATE SEQUENCE realms_seq START WITH 1 INCREMENT BY 1;
-
-CREATE TABLE radhuntgroup (
- id INT PRIMARY KEY,
- GroupName VARCHAR(64) NOT NULL,
- Nasipaddress VARCHAR(15) UNIQUE NOT NULL,
- NASPortID VARCHAR(15)
-);
-
-CREATE SEQUENCE radhuntgroup_seq START WITH 1 INCREMENT BY 1;
-
-CREATE OR REPLACE TRIGGER radhuntgroup_serialnumber
- BEFORE INSERT OR UPDATE OF id ON radhuntgroup
- FOR EACH ROW
- BEGIN
- if ( :new.id = 0 or :new.id is null ) then
- SELECT radhuntgroup_seq.nextval into :new.id from dual;
- end if;
- END;
-
CREATE TABLE radpostauth (
id INT PRIMARY KEY,
UserName VARCHAR(64) NOT NULL,
diff -u -r freeradius-debian-9.0/3.0/mods-config/sql/main/postgresql/schema.sql freeradius-debian-10.0/3.0/mods-config/sql/main/postgresql/schema.sql
--- freeradius-debian-9.0/3.0/mods-config/sql/main/postgresql/schema.sql 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-config/sql/main/postgresql/schema.sql 2019-04-23 00:23:36.000000000 +0300
@@ -1,5 +1,5 @@
/*
- * $Id: 00b5e3b52b55f024e5ed91d7aaf26d78c309c741 $
+ * $Id: ccc77f926542bf0e05b627b7f78fdeaebd00364f $
*
* Postgresql schema for FreeRADIUS
*
@@ -18,7 +18,6 @@
AcctSessionId text NOT NULL,
AcctUniqueId text NOT NULL UNIQUE,
UserName text,
- GroupName text,
Realm text,
NASIPAddress inet NOT NULL,
NASPortId text,
diff -u -r freeradius-debian-9.0/3.0/mods-config/sql/main/sqlite/schema.sql freeradius-debian-10.0/3.0/mods-config/sql/main/sqlite/schema.sql
--- freeradius-debian-9.0/3.0/mods-config/sql/main/sqlite/schema.sql 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-config/sql/main/sqlite/schema.sql 2019-04-23 00:23:36.000000000 +0300
@@ -1,5 +1,5 @@
-----------------------------------------------------------------------------
--- $Id: aa2c8ecaa40e22410f80d7b8ff179b79471beb6c $ --
+-- $Id: 83cd0df8c3764436abe5c4751a3a1fff90a5c4e5 $ --
-- --
-- schema.sql rlm_sql - FreeRADIUS SQLite Module --
-- --
@@ -15,7 +15,6 @@
acctsessionid varchar(64) NOT NULL default '',
acctuniqueid varchar(32) NOT NULL default '',
username varchar(64) NOT NULL default '',
- groupname varchar(64) NOT NULL default '',
realm varchar(64) default '',
nasipaddress varchar(15) NOT NULL default '',
nasportid varchar(15) default NULL,
Only in freeradius-debian-10.0/3.0/mods-config/sql: moonshot-targeted-ids
diff -u -r freeradius-debian-9.0/3.0/mods-enabled/inner-eap freeradius-debian-10.0/3.0/mods-enabled/inner-eap
--- freeradius-debian-9.0/3.0/mods-enabled/inner-eap 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-enabled/inner-eap 2019-04-23 00:23:36.000000000 +0300
@@ -1,6 +1,6 @@
# -*- text -*-
#
-# $Id: 2b4df6267d26dc58bbb273656480d55a0e60e8bf $
+# $Id: 576eb7739ebf18ca6323cb740a7d4278ff6d6ea2 $
#
# Sample configuration for an EAP module that occurs *inside*
@@ -45,6 +45,15 @@
# You SHOULD use different certificates than are used
# for the outer EAP configuration!
#
+ # You can create the "inner-server.pem" file by doing:
+ #
+ # cd raddb/certs
+ # vi inner-server.cnf
+ # make inner-server
+ #
+ # The certificate MUST be different from the "server.cnf"
+ # file.
+ #
# Support for PEAP/TLS and RFC 5176 TLS/TLS is experimental.
# It might work, or it might not.
#
@@ -86,6 +95,10 @@
# check_crl = yes
# ca_path = /path/to/directory/with/ca_certs/and/crls/
+ # Accept an expired Certificate Revocation List
+ #
+# allow_expired_crl = no
+
#
# The session resumption / fast re-authentication
# cache CANNOT be used for inner sessions.
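Review bot: The new `# Accept an expired Certificate Revocation List` comment above `allow_expired_crl = no` says what the knob does but not what enabling it costs: an expired CRL is stale revocation data, so with `yes` a client certificate revoked after the CRL's validity period can still be accepted by the inner EAP server. Since this is the sample users copy from, suggest `# Accept an expired Certificate Revocation List. Only enable this if CRL refresh is unreliable; a stale CRL may miss recently revoked client certificates.`. The enclosing tls block continues outside the hunk.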
diff -u -r freeradius-debian-9.0/3.0/mods-enabled/linelog freeradius-debian-10.0/3.0/mods-enabled/linelog
--- freeradius-debian-9.0/3.0/mods-enabled/linelog 2018-02-23 14:16:27.000000000 +0200
+++ freeradius-debian-10.0/3.0/mods-enabled/linelog 2019-04-23 00:23:36.000000000 +0300
@@ -1,6 +1,6 @@
# -*- text -*-
#
-# $Id: c646da0a05cbdf6e984f79cea105de41de4b0528 $
+# $Id: dc2a8195b3c1c2251fc37651ea4a598898c33d12 $
#
# The "linelog" module will log one line of text to a file.
@@ -104,7 +104,7 @@
#
# Reference the Packet-Type (Access-Accept, etc.) If it doesn't
- # exist, reference the "defaukt" entry.
+ # exist, reference the "default" entry.
#
# This is for "linelog" being used in the post-auth section
# If you want to use it in "authorize", you need to change
diff -u -r freeradius-debian-9.0/3.0/mods-enabled/ntlm_auth freeradius-debian-10.0/3.0/mods-enabled/ntlm_auth
--- freeradius-debian-9.0/3.0/mods-enabled/ntlm_auth 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-enabled/ntlm_auth 2019-04-23 00:23:36.000000000 +0300
@@ -6,6 +6,12 @@
#
# https://bugzilla.samba.org/show_bug.cgi?id=6563
#
+# Depending on the AD / Samba configuration, you may also need to add:
+#
+# --allow-mschapv2
+#
+# to the list of command-line options.
+#
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
diff -u -r freeradius-debian-9.0/3.0/mods-enabled/realm freeradius-debian-10.0/3.0/mods-enabled/realm
--- freeradius-debian-9.0/3.0/mods-enabled/realm 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-enabled/realm 2019-04-23 00:23:36.000000000 +0300
@@ -1,6 +1,6 @@
# -*- text -*-
#
-# $Id: b4c8ee3d8534ece75f6129d4853e6bc081cf0aa5 $
+# $Id: 36825e0fe77cb515219ba7febc37192988ed9fba $
# Realm module, for proxying.
#
@@ -33,6 +33,7 @@
# for a trust-router. For all other realms,
# they are ignored.
# trust_router = "localhost"
+# tr_port = 12309
# rp_realm = "painless-security.com"
# default_community = "apc.moonshot.ja.net"
}
diff -u -r freeradius-debian-9.0/3.0/policy.d/abfab-tr freeradius-debian-10.0/3.0/policy.d/abfab-tr
--- freeradius-debian-9.0/3.0/policy.d/abfab-tr 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/policy.d/abfab-tr 2019-04-23 00:23:36.000000000 +0300
@@ -1,7 +1,7 @@
#
# ABFAB Trust router policies.
#
-# $Id: 87d01a5e71df1dbf548c4215e50e2ee271d0a83c $
+# $Id: 3a088538b5acc09aebc80b40391febf1d57a617a $
#
@@ -24,29 +24,46 @@
}
abfab_client_check {
- # check that the acceptor host name is correct
- if ("%{client:gss_acceptor_host_name}" && &gss-acceptor-host-name) {
- if ("%{client:gss_acceptor_host_name}" != "%{gss-acceptor-host-name}") {
- update reply {
- Reply-Message = "GSS-Acceptor-Host-Name incorrect"
- }
- reject
+ # check that GSS-Acceptor-Host-Name is correct
+ if ("%{client:gss_acceptor_host_name}") {
+ if (&request:GSS-Acceptor-Host-Name) {
+ if (&request:GSS-Acceptor-Host-Name != "%{client:gss_acceptor_host_name}") {
+ update reply {
+ Reply-Message = "GSS-Acceptor-Host-Name incorrect"
+ }
+ reject
+ }
+ }
+ else {
+ # set GSS-Acceptor-Host-Name if it is not set by the mechanism
+ # but it is defined in the client configuration
+ update request {
+ GSS-Acceptor-Host-Name = "%{client:gss_acceptor_host_name}"
+ }
}
}
- # set trust-router-coi attribute from the client configuration
+ # set Trust-Router-COI attribute from the client configuration
if ("%{client:trust_router_coi}") {
update request {
Trust-Router-COI := "%{client:trust_router_coi}"
}
}
- # set gss-acceptor-realm-name attribute from the client configuration
+ # set GSS-Acceptor-Realm-Name attribute from the client configuration
if ("%{client:gss_acceptor_realm_name}") {
update request {
GSS-Acceptor-Realm-Name := "%{client:gss_acceptor_realm_name}"
}
}
+
+ # set GSS-Acceptor-Service-Name attribute from the client configuration
+ if ("%{client:gss_acceptor_service_name}") {
+ update request {
+ GSS-Acceptor-Service-Name = "%{client:gss_acceptor_service_name}"
+ }
+ }
+
}
# A policy which is used to validate channel-bindings.
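Review bot: `GSS-Acceptor-Service-Name = "%{client:gss_acceptor_service_name}"` uses `=`, while the sibling Trust-Router-COI and GSS-Acceptor-Realm-Name updates in the same block use `:=`; with `=` a GSS-Acceptor-Service-Name already present in the request (i.e. supplied by the peer) is kept and the client-configuration value is only a fallback, whereas `:=` makes the configured value authoritative. If the configured service name is meant to be trusted over what the peer sent, as for the realm name, change it to `GSS-Acceptor-Service-Name := "%{client:gss_acceptor_service_name}"`; if the fallback behaviour is intended, a comment saying so would prevent the question. The `=` in the host-name else-branch is fine because that branch only runs when the attribute is absent.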
diff -u -r freeradius-debian-9.0/3.0/policy.d/accounting freeradius-debian-10.0/3.0/policy.d/accounting
--- freeradius-debian-9.0/3.0/policy.d/accounting 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/policy.d/accounting 2019-04-23 00:23:36.000000000 +0300
@@ -33,7 +33,7 @@
# wireless environment).
#
update request {
- Tmp-String-9 := "${policy.class_value_prefix}"
+ &Tmp-String-9 := "${policy.class_value_prefix}"
}
if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && \
diff -u -r freeradius-debian-9.0/3.0/policy.d/canonicalization freeradius-debian-10.0/3.0/policy.d/canonicalization
--- freeradius-debian-9.0/3.0/policy.d/canonicalization 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/policy.d/canonicalization 2019-04-23 00:23:36.000000000 +0300
@@ -16,7 +16,15 @@
if (&User-Name && (&User-Name =~ /${policy.nai_regexp}/)) {
update request {
&Stripped-User-Name := "%{1}"
- &Stripped-User-Domain = "%{3}"
+ }
+
+ # Only add the Stripped-User-Domain attribute if
+ # we have a domain. This means presence checks
+ # for Stripped-User-Domain work.
+ if ("%{3}" != '') {
+ update request {
+ &Stripped-User-Domain = "%{3}"
+ }
}
# If any of the expansions result in a null
@@ -36,7 +44,15 @@
if (&proxy-reply:User-Name && (&proxy-reply:User-Name =~ /${policy.nai_regexp}/)) {
update proxy-reply {
&Stripped-User-Name := "%{1}"
- &Stripped-User-Domain = "%{3}"
+ }
+
+ # Only add the Stripped-User-Domain attribute if
+ # we have a domain. This means presence checks
+ # for Stripped-User-Domain work.
+ if ("%{3}" != '') {
+ update proxy-reply {
+ &Stripped-User-Domain = "%{3}"
+ }
}
updated
}
diff -u -r freeradius-debian-9.0/3.0/policy.d/moonshot-targeted-ids freeradius-debian-10.0/3.0/policy.d/moonshot-targeted-ids
--- freeradius-debian-9.0/3.0/policy.d/moonshot-targeted-ids 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/policy.d/moonshot-targeted-ids 2019-04-23 00:23:36.000000000 +0300
@@ -8,6 +8,9 @@
# Moonshot-Host-TargetedId (138)
# Moonshot-Realm-TargetedId (139)
# Moonshot-TR-COI-TargetedId (140)
+# Moonshot-MSTID-GSS-Acceptor (141)
+# Moonshot-MSTID-Namespace (142)
+# Moonshot-MSTID-TargetedId (143)
#
# These attributes should also be listed in the attr_filter policies
# post-proxy and pre-proxy when you use attribute filtering:
@@ -22,52 +25,207 @@
# dictionary attacks, therefore should be chosen as a "random"
# string and kept secret.
#
-targeted_id_salt = "changeme"
+# If you use special characters %, { and }, escape them with a \ first
+#
+targeted_id_salt = 'changeme'
+
#
# Moonshot namespaces
# These namespaces are used for UUID generation.
# They should not be changed by implementors
#
-moonshot_host_namespace = "a574a04e-b7ff-4850-aa24-a8599c7de1c6"
-moonshot_realm_namespace = "dea5f26d-a013-4444-977d-d09fc990d2e6"
-moonshot_coi_namespace = "145d7e7e-7d54-43ee-bbcb-3c6ad9428247"
-
-# This policy generates a host-specific targeted ID
+moonshot_host_namespace = 'a574a04e-b7ff-4850-aa24-a8599c7de1c6'
+moonshot_realm_namespace = 'dea5f26d-a013-4444-977d-d09fc990d2e6'
+moonshot_coi_namespace = '145d7e7e-7d54-43ee-bbcb-3c6ad9428247'
+
+
+# This policy generates a host-specific TargetedId
#
moonshot_host_tid.post-auth {
- # generate a UUID for Moonshot-Host-TargetedId
- # targeted id = (uuid -v 5 [namespace] [username][salt][RP host name])@[IdP realm name]
+ # retrieve or generate a UUID for Moonshot-Host-TargetedId
if (&outer.request:GSS-Acceptor-Host-Name) {
- if ("%{echo:/usr/bin/uuid -v 5 ${policy.moonshot_host_namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{tolower:%{outer.request:GSS-Acceptor-Host-Name}}}" =~ /^([^ ]+)([ ]*)$/) {
+ # prep some variables (used regardless of SQL backing or not!)
+ update control {
+ Moonshot-MSTID-GSS-Acceptor := "%{tolower:%{outer.request:GSS-Acceptor-Host-Name}}"
+ Moonshot-MSTID-Namespace := "${policy.moonshot_host_namespace}"
+ }
+
+ # if you want to use SQL-based backing, remove the comment from
+ # this line. You also have to configure and enable the
+ # moonshot-targeted-ids sql module in mods-enabled.
+ #
+# moonshot_get_targeted_id
+
+ # generate a UUID for Moonshot-Host-TargetedId
+ if (!&control:Moonshot-MSTID-TargetedId) {
+ # generate the TID
+ moonshot_make_targeted_id
+
+ # if you want to store your TargetedId in SQL-based backing,
+ # remove the comment from this line. You also have to configure
+ # and enable the moonshot-targeted-ids sql module in mods-enabled.
+ #
+# moonshot_tid_sql
+ }
+
+ # set the actual TargetedId in the session-state list
+ if (&control:Moonshot-MSTID-TargetedId) {
update outer.session-state {
- Moonshot-Host-TargetedId := "%{1}@%{tolower:%{request:Realm}}"
+ Moonshot-Host-TargetedId := &control:Moonshot-MSTID-TargetedId
+ }
+ update control {
+ Moonshot-MSTID-TargetedId !* ANY
}
}
}
}
-# This policy generates a realm-specific targeted ID
+
+# This policy generates a realm-specific TargetedId
#
moonshot_realm_tid.post-auth {
- # generate a UUID for Moonshot-Realm-TargetedId
- # targeted id = (uuid -v 5 [namespace] [username][salt][RP realm name])@[IdP realm name]
+ # retrieve or generate a UUID for Moonshot-Realm-TargetedId
if (&outer.request:GSS-Acceptor-Realm-Name) {
- if ("%{echo:/usr/bin/uuid -v 5 ${policy.moonshot_realm_namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{tolower:%{outer.request:GSS-Acceptor-Realm-Name}}}" =~ /^([^ ]+)([ ]*)$/) {
+ # prep some variables (used regardless of SQL backing or not!)
+ update control {
+ Moonshot-MSTID-GSS-Acceptor := "%{tolower:%{outer.request:GSS-Acceptor-Realm-Name}}"
+ Moonshot-MSTID-Namespace := "${policy.moonshot_realm_namespace}"
+ }
+
+ # if you want to use SQL-based backing, remove the comment from
+ # this line. You also have to configure and enable the
+ # moonshot-targeted-ids sql module in mods-enabled.
+ #
+# moonshot_get_targeted_id
+
+ # generate a UUID for Moonshot-Realm-TargetedId
+ if (!&control:Moonshot-MSTID-TargetedId) {
+ # generate the TID
+ moonshot_make_targeted_id
+
+ # if you want to store your TargetedId in SQL-based backing,
+ # remove the comment from this line. You also have to configure
+ # and enable the moonshot-targeted-ids sql module in mods-enabled.
+ #
+# moonshot_tid_sql
+ }
+
+ # set the actual TargetedId in the session-state list
+ if (&control:Moonshot-MSTID-TargetedId) {
update outer.session-state {
- Moonshot-Realm-TargetedId := "%{1}@%{tolower:%{request:Realm}}"
+ Moonshot-Realm-TargetedId := &control:Moonshot-MSTID-TargetedId
+ }
+ update control {
+ Moonshot-MSTID-TargetedId !* ANY
}
}
}
}
+
# This policy generates a COI-specific targeted ID
#
moonshot_coi_tid.post-auth {
- # generate a UUID for Moonshot-TR-COI-TargetedId
- # targeted id = (uuid -v 5 [namespace] [username][salt][RP COI name])@[IdP realm name]
+ # retrieve or generate a UUID for Moonshot-TR-COI-TargetedId
if (&outer.request:Trust-Router-COI) {
- if ("%{echo:/usr/bin/uuid -v 5 ${policy.moonshot_coi_namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{tolower:%{outer.request:Trust-Router-COI}}}" =~ /^([^ ]+)([ ]*)$/) {
+ # prep some variables (used regardless of SQL backing or not!)
+ update control {
+ Moonshot-MSTID-GSS-Acceptor := "%{tolower:%{outer.request:Trust-Router-COI}}"
+ Moonshot-MSTID-Namespace := "${policy.moonshot_coi_namespace}"
+ }
+
+ # if you want to use SQL-based backing, remove the comment from
+ # this line. You also have to configure and enable the
+ # moonshot-targeted-ids sql module in mods-enabled.
+ #
+# moonshot_get_targeted_id
+
+ # generate a UUID for Moonshot-TR-COI-TargetedId
+ if (!&control:Moonshot-MSTID-TargetedId) {
+ # generate the TID
+ moonshot_make_targeted_id
+
+ # if you want to store your TargetedId in SQL-based backing,
+ # remove the comment from this line. You also have to configure
+ # and enable the moonshot-targeted-ids sql module in mods-enabled.
+ #
+# moonshot_tid_sql
+ }
+
+ # set the actual TargetedId in the session-state list
+ if (&control:Moonshot-MSTID-TargetedId) {
update outer.session-state {
- Moonshot-TR-COI-TargetedId := "%{1}@%{tolower:%{request:Realm}}"
+ Moonshot-TR-COI-TargetedId := &control:Moonshot-MSTID-TargetedId
+ }
+ update control {
+ Moonshot-MSTID-TargetedId !* ANY
+ }
+ }
+ }
+}
+
+# This is the generic generation policy. It requires moonshot_host_tid, moonshot_realm_tid, or moonshot_coi_tid to set variables
+#
+moonshot_make_targeted_id.post-auth {
+ # uses variables set in the control list
+ #
+ if (&control:Moonshot-MSTID-Namespace && &control:Moonshot-MSTID-GSS-Acceptor) {
+ # targeted id = (uuid -v 5 [namespace] [username][salt][GSS acceptor value])@[IdP realm name]
+ #
+ if ("%{echo:/usr/bin/uuid -v 5 %{control:Moonshot-MSTID-Namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{control:Moonshot-MSTID-GSS-Acceptor}}" =~ /^([^ ]+)([ ]*)$/) {
+ update control {
+ Moonshot-MSTID-TargetedId := "%{1}@%{tolower:%{request:Realm}}"
+ }
+ if (&control:Moonshot-MSTID-TargetedId =~ /([\%\{\}]+)/) {
+ update control {
+ Moonshot-MSTID-TargetedId !* ANY
+ }
+ update outer.session-state {
+ Module-Failure-Message = 'Invalid TargetedId generated, check your targeted_id_salt!'
+ }
+ reject
+ }
+ }
+ else {
+ # we simply return the 'echo' error message as the Module-Failure-Message, usually a lack of 'uuid'
+ reject
+ }
+ }
+ else {
+ # Our variables were not set, so we'll throw an error because there's no point in continuing!
+ update outer.session-state {
+ Module-Failure-Message = 'Required variables for moonshot_make_targeted_id not set!'
+ }
+ reject
+ }
+}
+
+# This is the generic retrieval policy. It requires moonshot_host_tid, moonshot_realm_tid, or moonshot_coi_tid to set variables
+#
+moonshot_get_targeted_id.post-auth {
+ # uses variables set in the control list
+ #
+ if (&control:Moonshot-MSTID-Namespace && &control:Moonshot-MSTID-GSS-Acceptor) {
+ # retrieve the TargetedId
+ #
+ update control {
+ Moonshot-MSTID-TargetedId := "%{moonshot_tid_sql:\
+ SELECT targeted_id FROM moonshot_targeted_ids \
+ WHERE gss_acceptor = '%{control:Moonshot-MSTID-GSS-Acceptor}' \
+ AND namespace = '%{control:Moonshot-MSTID-Namespace}' \
+ AND username = '%{tolower:%{User-Name}}'}"
+ }
+
+ # if the value is empty, there's no point in setting it and delete it from the control list!
+ if (&control:Moonshot-MSTID-TargetedId == '') {
+ update control {
+ Moonshot-MSTID-TargetedId !* ANY
}
}
}
+ else {
+ # Our variables were not set, so we'll throw an error because there's no point in continuing!
+ update outer.session-state {
+ Module-Failure-Message = 'Required variables for moonshot_get_targeted_id not set!'
+ }
+ reject
+ }
}
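Review bot: moonshot_make_targeted_id now rejects when the salt leaks `%`, `{` or `}` into the generated TargetedId (`=~ /([\%\{\}]+)/`), but a salt left at the shipped default `targeted_id_salt = 'changeme'` is accepted silently, although the header comment says the salt is what defends the IDs against dictionary attacks. A guard at the top of the policy, `if ("${policy.targeted_id_salt}" == 'changeme')`, setting Module-Failure-Message and rejecting in the same style as the `Required variables for moonshot_make_targeted_id not set!` branch, would surface the misconfiguration on the first post-auth instead of leaving it invisible. Separately, moonshot_get_targeted_id builds its SELECT by interpolating `%{control:Moonshot-MSTID-GSS-Acceptor}` and `%{tolower:%{User-Name}}`, both peer-influenced; this is only safe if the `moonshot_tid_sql` xlat applies the SQL driver's escaping to nested expansions, which deserves a comment above the query so nobody copies the pattern to an xlat or backend that does not.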
Only in freeradius-debian-10.0/3.0: proxy.conf.dpkg-dist
Only in freeradius-debian-10.0/3.0: radiusd.conf.dpkg-dist
diff -u -r freeradius-debian-9.0/3.0/sites-available/abfab-tls freeradius-debian-10.0/3.0/sites-available/abfab-tls
--- freeradius-debian-9.0/3.0/sites-available/abfab-tls 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/sites-available/abfab-tls 2019-04-23 00:23:36.000000000 +0300
@@ -1,7 +1,7 @@
#
# Example configuration for ABFAB listening on TLS.
#
-# $Id: 79d74e6fcbb12b1226f026383b8e1043092dd6fb $
+# $Id: 5dbe143da6f170505fa1b0e1c4282ebe60b139bb $
#
listen {
ipaddr = *
@@ -24,7 +24,8 @@
cache {
enable = no
lifetime = 24 # hours
- max_entries = 255
+ name = "abfab-tls"
+# persist_dir = ${logdir}/abfab-tls
}
require_client_cert = yes
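Review bot: `name = "abfab-tls"` is added here but `persist_dir` is left commented out, and the only statement that the cache needs both items is in the generic tls site's comment elsewhere in this diff, so an operator who flips `enable = no` to `yes` in this file gets no warning. Suggest a comment above `name`: `# If you enable this cache, also set persist_dir: the session cache needs both name and persist_dir.` Whether the server refuses to start or silently runs without a cache when `persist_dir` is missing is not visible in this diff. The suggested `${logdir}/abfab-tls` location also deserves a reminder that the directory must be private to the radiusd user, since log directories are often readable by more than that.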
diff -u -r freeradius-debian-9.0/3.0/sites-available/abfab-tr-idp freeradius-debian-10.0/3.0/sites-available/abfab-tr-idp
--- freeradius-debian-9.0/3.0/sites-available/abfab-tr-idp 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/sites-available/abfab-tr-idp 2019-04-23 00:23:36.000000000 +0300
@@ -7,7 +7,7 @@
# This file does not include a TLS listener; see abfab-tls for a simple
# example of a RADSEC listener for ABFAB.
#
-# $Id: 3ef581e54dd7b397ea49e3d1db53f0c543a826d2 $
+# $Id: e0224864ec1d81405f57a6d872f86c8a7958fdab $
#
server abfab-idp {
@@ -81,12 +81,6 @@
-sql
#
- # Instead of sending the query to the SQL server,
- # write it into a log file.
- #
-# sql_log
-
- #
# Un-comment the following if you want to modify the user's object
# in LDAP after a successful login.
#
diff -u -r freeradius-debian-9.0/3.0/sites-available/buffered-sql freeradius-debian-10.0/3.0/sites-available/buffered-sql
--- freeradius-debian-9.0/3.0/sites-available/buffered-sql 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/sites-available/buffered-sql 2019-04-23 00:23:36.000000000 +0300
@@ -32,7 +32,7 @@
# the server will have time to read the detail file, and insert
# the data into a long-term SQL database.
#
-# $Id: ba71ea5ae42b054e8b43ad54092a768b76050bcb $
+# $Id: 81150448040b78c1cb1340f3329bfd9475aadf26 $
#
######################################################################
@@ -43,6 +43,16 @@
# The location where the detail file is located.
# This should be on local disk, and NOT on an NFS
# mounted location!
+ #
+ # On most systems, this should support file globbing
+ # e.g. "${radacctdir}/detail-*:*"
+ # This lets you write many smaller detail files as in
+ # the example in radiusd.conf: ".../detail-%Y%m%d:%H"
+ # Writing many small files is often better than writing
+ # one large file. File globbing also means that with
+ # a common naming scheme for detail files, then you can
+ # have many detail file writers, and only one reader.
+ #
filename = "${radacctdir}/detail-*"
#
@@ -78,6 +88,7 @@
# wake up, and poll for it every N seconds.
#
# Useful range of values: 1 to 60
+ #
poll_interval = 1
#
@@ -87,6 +98,7 @@
# home server responds.
#
# Useful range of values: 5 to 30
+ #
retry_interval = 30
#
@@ -98,6 +110,17 @@
# have already been processed. The default is "no".
#
# track = yes
+
+ #
+ # In some circumstances it may be desirable for the
+ # server to start up, process a detail file, and
+ # immediately quit. To do this enable the "one_shot"
+ # option below.
+ #
+ # Do not enable this for normal server operation. The
+ # default is "no".
+ #
+ # one_shot = no
}
#
diff -u -r freeradius-debian-9.0/3.0/sites-available/copy-acct-to-home-server freeradius-debian-10.0/3.0/sites-available/copy-acct-to-home-server
--- freeradius-debian-9.0/3.0/sites-available/copy-acct-to-home-server 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/sites-available/copy-acct-to-home-server 2019-04-23 00:23:36.000000000 +0300
@@ -21,7 +21,7 @@
# That way, each server has the same set of information, and
# can make the same decision about the user.
#
-# $Id: 3c38550b891847a29f717df082ba3075f3461bab $
+# $Id: ea3909830f6f453bb6dcda0f24570a331cab0216 $
#
######################################################################
@@ -29,6 +29,11 @@
listen {
type = detail
+ #
+ # See sites-available/buffered-sql for more details on
+ # all the options available for the detail reader.
+ #
+
######################################################
#
# !!!! WARNING !!!!
@@ -63,6 +68,7 @@
# one large file. File globbing also means that with
# a common naming scheme for detail files, then you can
# have many detail file writers, and only one reader.
+ #
filename = ${radacctdir}/detail
#
diff -u -r freeradius-debian-9.0/3.0/sites-available/decoupled-accounting freeradius-debian-10.0/3.0/sites-available/decoupled-accounting
--- freeradius-debian-9.0/3.0/sites-available/decoupled-accounting 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/sites-available/decoupled-accounting 2019-04-23 00:23:36.000000000 +0300
@@ -15,7 +15,7 @@
# This file is NOT meant to be used as-is. It needs to be
# edited to match your local configuration.
#
-# $Id: a440e77b8f4da0be1911d53dc64ec62517788d87 $
+# $Id: 6b1b5b337216e433498c1fdb85ced8a53b34df94 $
#
######################################################################
@@ -119,12 +119,6 @@
# See "Accounting queries" in sql.conf
# sql
- #
- # Instead of sending the query to the SQL server,
- # write it into a log file.
- #
-# sql_log
-
# Cisco VoIP specific bulk accounting
# pgsql-voip
diff -u -r freeradius-debian-9.0/3.0/sites-available/default freeradius-debian-10.0/3.0/sites-available/default
--- freeradius-debian-9.0/3.0/sites-available/default 2018-02-23 15:41:44.000000000 +0200
+++ freeradius-debian-10.0/3.0/sites-available/default 2019-04-23 00:23:36.000000000 +0300
@@ -11,7 +11,7 @@
# the "inner-tunnel" virtual server. You will likely have to edit
# that, too, for authentication to work.
#
-# $Id: 083407596aa5074d665adac9606e7de655b634aa $
+# $Id: 3616050e7625eb6b5e2ba44782fcb737b2ae6136 $
#
######################################################################
#
@@ -85,16 +85,35 @@
# proxy listeners are automatically created.
# ipaddr/ipv4addr/ipv6addr - IP address on which to listen.
- # Out of several options the first one will be used.
+ # If multiple ones are listed, only the first one will
+ # be used, and the others will be ignored.
#
- # Allowed values are:
- # IPv4 address (e.g. 1.2.3.4, for ipv4addr/ipaddr)
- # IPv6 address (e.g. 2001:db8::1, for ipv6addr/ipaddr)
- # hostname (radius.example.com,
- # A record for ipv4addr,
- # AAAA record for ipv6addr,
- # A or AAAA record for ipaddr)
- # wildcard (*)
+ # The configuration options accept the following syntax:
+ #
+ # ipv4addr - IPv4 address (e.g.192.0.2.3)
+ # - wildcard (i.e. *)
+ # - hostname (radius.example.com)
+ # Only the A record for the host name is used.
+ # If there is no A record, an error is returned,
+ # and the server fails to start.
+ #
+ # ipv6addr - IPv6 address (e.g. 2001:db8::1)
+ # - wildcard (i.e. *)
+ # - hostname (radius.example.com)
+ # Only the AAAA record for the host name is used.
+ # If there is no AAAA record, an error is returned,
+ # and the server fails to start.
+ #
+ # ipaddr - IPv4 address as above
+ # - IPv6 address as above
+ # - wildcard (i.e. *), which means IPv4 wildcard.
+ # - hostname
+ # If there is only one A or AAAA record returned
+ # for the host name, it is used.
+ # If multiple A or AAAA records are returned
+ # for the host name, only the first one is used.
+ # If both A and AAAA records are returned
+ # for the host name, only the A record is used.
#
# ipv4addr = *
# ipv6addr = *
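Review bot: The rewritten comment states that only the first of `ipaddr`/`ipv4addr`/`ipv6addr` is used and that `ipaddr = *` is the IPv4 wildcard, but it never spells out the consequence for operators: a listen section with `ipaddr = *` does not accept IPv6 clients at all, and a second address option in the same section is silently ignored rather than rejected. Suggest adding after the `ipaddr` paragraph: `# To accept both IPv4 and IPv6 clients you need two listen sections, one with ipv4addr and one with ipv6addr; a second address option in the same section is ignored without warning.` The actual `ipaddr` setting of this listen section is outside the hunk, so whether the shipped default is affected cannot be judged here.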
@@ -347,17 +366,22 @@
# It also sets the EAP-Type attribute in the request
# attribute list to the EAP type from the packet.
#
- # The EAP module returns "ok" if it is not yet ready to
- # authenticate the user. The configuration below checks for
- # that code, and stops processing the "authorize" section if
- # so.
+ # The EAP module returns "ok" or "updated" if it is not yet ready
+ # to authenticate the user. The configuration below checks for
+ # "ok", and stops processing the "authorize" section if so.
#
# Any LDAP and/or SQL servers will not be queried for the
# initial set of packets that go back and forth to set up
# TTLS or PEAP.
#
+ # The "updated" check is commented out for compatibility with
+ # previous versions of this configuration, but you may wish to
+ # uncomment it as well; this will further reduce the number of
+ # LDAP and/or SQL queries for TTLS or PEAP.
+ #
eap {
ok = return
+# updated = return
}
#
@@ -553,7 +577,7 @@
#
# update request {
-# FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
+# &FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
# }
@@ -629,12 +653,6 @@
# ok
# }
- #
- # Instead of sending the query to the SQL server,
- # write it into a log file.
- #
-# sql_log
-
# Cisco VoIP specific bulk accounting
# pgsql-voip
@@ -714,12 +732,6 @@
-sql
#
- # Instead of sending the query to the SQL server,
- # write it into a log file.
- #
-# sql_log
-
- #
# Un-comment the following if you want to modify the user's object
# in LDAP after a successful login.
#
@@ -827,6 +839,15 @@
# Remove reply message if the response contains an EAP-Message
remove_reply_message_if_eap
}
+
+ #
+ # Filter access challenges.
+ #
+ Post-Auth-Type Challenge {
+# remove_reply_message_if_eap
+# attr_filter.access_challenge.post-auth
+ }
+
}
#
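Review bot: The new `Post-Auth-Type Challenge` section is a no-op as shipped, since both of its lines are commented out, so Access-Challenge replies pass through without any filtering, unlike the section ending just above it, which does call `remove_reply_message_if_eap`. If the intent is to enable challenge filtering only once an `attr_filter.access_challenge` instance exists in mods-enabled, the section should say so: `# Uncomment once the attr_filter.access_challenge instance is enabled; until then Access-Challenge replies are not filtered.` Otherwise uncomment `attr_filter.access_challenge.post-auth` so challenge replies get the same treatment as accepts. Whether that attr_filter instance is defined in this package's mods-available is not shown in this diff.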
diff -u -r freeradius-debian-9.0/3.0/sites-available/inner-tunnel freeradius-debian-10.0/3.0/sites-available/inner-tunnel
--- freeradius-debian-9.0/3.0/sites-available/inner-tunnel 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/sites-available/inner-tunnel 2019-04-23 00:23:36.000000000 +0300
@@ -4,7 +4,7 @@
# This is a virtual server that handles *only* inner tunnel
# requests for EAP-TTLS and PEAP types.
#
-# $Id: 2c6f9611bfc7b4b782aeb9764e47e832690739c4 $
+# $Id: 70b1d8da255a740d2d1b59808393722766dc6a60 $
#
######################################################################
@@ -302,12 +302,6 @@
-sql
#
- # Instead of sending the query to the SQL server,
- # write it into a log file.
- #
-# sql_log
-
- #
# Un-comment the following if you have set
# 'edir_account_policy_check = yes' in the ldap module sub-section of
# the 'modules' section.
@@ -317,37 +311,49 @@
#
# Un-comment the following if you want to generate Moonshot (ABFAB) TargetedIds
- # IMPORTANT: This requires the UUID package to be installed!
+ #
+ # IMPORTANT: This requires the UUID package to be installed, and a targeted_id_salt
+ # to be configured.
+ #
+ # This functionality also supports SQL backing. To use this functionality, enable
+ # and configure the moonshot-targeted-ids SQL module in the mods-enabled directory.
+ # Then remove the comments from the appropriate lines in each of the below
+ # policies in the policy.d/moonshot-targeted-ids file.
#
# moonshot_host_tid
# moonshot_realm_tid
# moonshot_coi_tid
#
- # Instead of "use_tunneled_reply", uncomment the
- # next two "update" blocks.
+ # Instead of "use_tunneled_reply", change this "if (0)" to an
+ # "if (1)".
#
-# update {
-# &outer.session-state: += &reply:
-# }
-
- #
- # These attributes are for the inner session only.
- # They MUST NOT be sent in the outer reply.
- #
- # If you uncomment the previous block and leave
- # this one commented out, WiFi WILL NOT WORK,
- # because the client will get two MS-MPPE-keys
- #
-# update outer.session-state {
-# MS-MPPE-Encryption-Policy !* ANY
-# MS-MPPE-Encryption-Types !* ANY
-# MS-MPPE-Send-Key !* ANY
-# MS-MPPE-Recv-Key !* ANY
-# Message-Authenticator !* ANY
-# EAP-Message !* ANY
-# Proxy-State !* ANY
-# }
+ if (0) {
+ #
+ # These attributes are for the inner-tunnel only,
+ # and MUST NOT be copied to the outer reply.
+ #
+ update reply {
+ User-Name !* ANY
+ Message-Authenticator !* ANY
+ EAP-Message !* ANY
+ Proxy-State !* ANY
+ MS-MPPE-Encryption-Types !* ANY
+ MS-MPPE-Encryption-Policy !* ANY
+ MS-MPPE-Send-Key !* ANY
+ MS-MPPE-Recv-Key !* ANY
+ }
+
+ #
+ # Copy the inner reply attributes to the outer
+ # session-state list. The post-auth policy will take
+ # care of copying the outer session-state list to the
+ # outer reply.
+ #
+ update {
+ &outer.session-state: += &reply:
+ }
+ }
#
# Access-Reject packets are sent through the REJECT sub-section of the
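Review bot: The new IMPORTANT comment says a `targeted_id_salt` must be configured but not what properties it needs. The policy at the top of this diff rejects with `check your targeted_id_salt!` when an invalid TargetedId is generated, which suggests the pseudonymous identifier is derived from the salt; if so, a short or guessable salt presumably lets anyone who knows the user name recompute the pseudonym, and changing the salt later would change every issued TargetedId. Suggest extending the comment: `# targeted_id_salt must be a long random secret, kept out of version control, and must not be changed once TargetedIds have been issued.` The derivation itself is not in this hunk, so confirm against policy.d/moonshot-targeted-ids before committing to that wording. The enclosing post-auth section starts and ends outside this hunk.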
diff -u -r freeradius-debian-9.0/3.0/sites-available/tls freeradius-debian-10.0/3.0/sites-available/tls
--- freeradius-debian-9.0/3.0/sites-available/tls 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/sites-available/tls 2019-04-23 00:23:36.000000000 +0300
@@ -84,6 +84,10 @@
private_key_password = whatever
private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+ # Accept an expired Certificate Revocation List
+ #
+ # allow_expired_crl = no
+
# If Private key & Certificate are located in
# the same file, then private_key_file &
# certificate_file must contain the same file
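Review bot: The one-line comment on the new `allow_expired_crl` item does not say why the default should stay `no`: a CRL past its validity period can be missing revocations made since it was issued, so accepting it lets a revoked client certificate keep authenticating. Suggest expanding the comment to `# Accept an expired CRL. Leave at "no": an expired CRL can be missing recent revocations; fix the CRL refresh job instead of enabling this.` The surrounding example still points at the snakeoil key with `private_key_password = whatever`, which is acceptable in sites-available but worth a reminder to replace before this site is enabled. Whether CRL checking is enabled at all (`check_crl`) is outside this hunk.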
@@ -169,10 +173,9 @@
# match, the certificate verification will fail,
# rejecting the user.
#
- # In 2.1.10 and later, this check can be done
- # more generally by checking the value of the
- # TLS-Client-Cert-Issuer attribute. This check
- # can be done via any mechanism you choose.
+ # This check can be done more generally by checking
+ # the value of the TLS-Client-Cert-Issuer attribute.
+ # This check can be done via any mechanism you choose.
#
# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
@@ -199,6 +202,14 @@
# in "man 1 ciphers".
cipher_list = "DEFAULT"
+ # If enabled, OpenSSL will use server cipher list
+ # (possibly defined by cipher_list option above)
+ # for choosing right cipher suite rather than
+ # using client-specified list which is OpenSSl default
+ # behavior. Having it set to yes is a current best practice
+ # for TLS
+ cipher_server_preference = no
+
#
# Session resumption / fast reauthentication
# cache.
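Review bot: The new `cipher_server_preference = no` contradicts the comment directly above it, which calls `yes` the current best practice; with `no`, the client's preference order decides which suite from `cipher_list` is used, so the server-side ordering in `cipher_list` has no effect on negotiation. If the intent is a safe default for this example listener, ship `cipher_server_preference = yes` and keep the rationale comment; if `no` is kept for compatibility with some client, say so in the comment. Also fix the typo `OpenSSl` to `OpenSSL`. Minimum TLS version settings are outside this hunk and cannot be judged here.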
@@ -231,6 +242,13 @@
# Deleting the entire "cache" subsection
# Also disables caching.
#
+ #
+ # As of version 3.0.14, the session cache requires the use
+ # of the "name" and "persist_dir" configuration items, below.
+ #
+ # The internal OpenSSL session cache has been permanently
+ # disabled.
+ #
# You can disallow resumption for a
# particular user by adding the following
# attribute to the control item list:
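Review bot: The added comment says the cache now requires `name` and `persist_dir` but gives no guidance on protecting `persist_dir`; whatever is written there is what allows a later handshake to resume without a full authentication, so it should be readable and writable only by the radiusd user and kept on local disk. Suggest adding after the `persist_dir` sentence: `# persist_dir holds resumable session state: make it mode 0700 and owned by the radiusd user.` What exactly is serialized into that directory is not visible in this diff, so confirm against the module documentation before wording the note more precisely. The `lifetime = 24` hours item at the start of the next hunk is what bounds how long a persisted session stays resumable, and is worth cross-referencing from this comment.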
@@ -251,15 +269,6 @@
lifetime = 24 # hours
#
- # The maximum number of entries in the
- # cache. Set to "0" for "infinite".
- #
- # This could be set to the number of users
- # who are logged in... which can be a LOT.
- #
- max_entries = 255
-
- #
# Internal "name" of the session cache.
# Used to distinguish which TLS context
# sessions belong to.
Only in freeradius-debian-9.0/3.0/sites-enabled: default
Only in freeradius-debian-9.0/3.0/sites-enabled: inner-tunnel
diff -u -r freeradius-debian-9.0/3.0/users freeradius-debian-10.0/3.0/users
--- freeradius-debian-9.0/3.0/users 2020-12-20 22:01:04.895507191 +0200
+++ freeradius-debian-10.0/3.0/users 2018-02-23 11:44:13.263490656 +0200
@@ -218,4 +218,4 @@
# See the example user "bob" above. #
#########################################################
-wlanguest Cleartext-Password := "removed"
+wlanguest Cleartext-Password := "removed"