002-config.patch 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613
  1. Index: freeradius-server-2.2.7/raddb/dictionary.in
  2. ===================================================================
  3. --- freeradius-server-2.2.7.orig/raddb/dictionary.in
  4. +++ freeradius-server-2.2.7/raddb/dictionary.in
  5. @@ -11,7 +11,7 @@
  6. #
  7. # The filename given here should be an absolute path.
  8. #
  9. -$INCLUDE @prefix@/share/freeradius/dictionary
  10. +$INCLUDE @prefix@/share/freeradius2/dictionary
  11. #
  12. # Place additional attributes or $INCLUDEs here. They will
  13. Index: freeradius-server-2.2.7/raddb/eap.conf
  14. ===================================================================
  15. --- freeradius-server-2.2.7.orig/raddb/eap.conf
  16. +++ freeradius-server-2.2.7/raddb/eap.conf
  17. @@ -27,7 +27,7 @@
  18. # then that EAP type takes precedence over the
  19. # default type configured here.
  20. #
  21. - default_eap_type = md5
  22. + default_eap_type = peap
  23. # A list is maintained to correlate EAP-Response
  24. # packets with EAP-Request packets. After a
  25. @@ -72,8 +72,8 @@
  26. # for wireless connections. It is insecure, and does
  27. # not provide for dynamic WEP keys.
  28. #
  29. - md5 {
  30. - }
  31. +# md5 {
  32. +# }
  33. # Cisco LEAP
  34. #
  35. @@ -87,8 +87,8 @@
  36. # User-Password, or the NT-Password attributes.
  37. # 'System' authentication is impossible with LEAP.
  38. #
  39. - leap {
  40. - }
  41. +# leap {
  42. +# }
  43. # Generic Token Card.
  44. #
  45. @@ -101,7 +101,7 @@
  46. # the users password will go over the wire in plain-text,
  47. # for anyone to see.
  48. #
  49. - gtc {
  50. +# gtc {
  51. # The default challenge, which many clients
  52. # ignore..
  53. #challenge = "Password: "
  54. @@ -118,8 +118,8 @@
  55. # configured for the request, and do the
  56. # authentication itself.
  57. #
  58. - auth_type = PAP
  59. - }
  60. +# auth_type = PAP
  61. +# }
  62. ## EAP-TLS
  63. #
  64. @@ -215,7 +215,7 @@
  65. # In these cases, fragment size should be
  66. # 1024 or less.
  67. #
  68. - # fragment_size = 1024
  69. + fragment_size = 1024
  70. # include_length is a flag which is
  71. # by default set to yes If set to
  72. @@ -225,7 +225,7 @@
  73. # message is included ONLY in the
  74. # First packet of a fragment series.
  75. #
  76. - # include_length = yes
  77. + include_length = yes
  78. # Check the Certificate Revocation List
  79. #
  80. @@ -297,7 +297,7 @@
  81. # for the server to print out an error message,
  82. # and refuse to start.
  83. #
  84. - make_cert_command = "${certdir}/bootstrap"
  85. + # make_cert_command = "${certdir}/bootstrap"
  86. #
  87. # Elliptical cryptography configuration
  88. @@ -332,7 +332,7 @@
  89. # You probably also want "use_tunneled_reply = yes"
  90. # when using fast session resumption.
  91. #
  92. - cache {
  93. + # cache {
  94. #
  95. # Enable it. The default is "no".
  96. # Deleting the entire "cache" subsection
  97. @@ -348,14 +348,14 @@
  98. # enable resumption for just one user
  99. # by setting the above attribute to "yes".
  100. #
  101. - enable = no
  102. + # enable = no
  103. #
  104. # Lifetime of the cached entries, in hours.
  105. # The sessions will be deleted after this
  106. # time.
  107. #
  108. - lifetime = 24 # hours
  109. + # lifetime = 24 # hours
  110. #
  111. # The maximum number of entries in the
  112. @@ -364,8 +364,8 @@
  113. # This could be set to the number of users
  114. # who are logged in... which can be a LOT.
  115. #
  116. - max_entries = 255
  117. - }
  118. + # max_entries = 255
  119. + # }
  120. #
  121. # As of version 2.1.10, client certificates can be
  122. @@ -503,7 +503,7 @@
  123. #
  124. # in the control items for a request.
  125. #
  126. - ttls {
  127. +# ttls {
  128. # The tunneled EAP session needs a default
  129. # EAP type which is separate from the one for
  130. # the non-tunneled EAP module. Inside of the
  131. @@ -511,7 +511,7 @@
  132. # If the request does not contain an EAP
  133. # conversation, then this configuration entry
  134. # is ignored.
  135. - default_eap_type = md5
  136. +# default_eap_type = mschapv2
  137. # The tunneled authentication request does
  138. # not usually contain useful attributes
  139. @@ -527,7 +527,7 @@
  140. # is copied to the tunneled request.
  141. #
  142. # allowed values: {no, yes}
  143. - copy_request_to_tunnel = no
  144. +# copy_request_to_tunnel = yes
  145. # The reply attributes sent to the NAS are
  146. # usually based on the name of the user
  147. @@ -540,7 +540,7 @@
  148. # the tunneled request.
  149. #
  150. # allowed values: {no, yes}
  151. - use_tunneled_reply = no
  152. +# use_tunneled_reply = no
  153. #
  154. # The inner tunneled request can be sent
  155. @@ -552,13 +552,13 @@
  156. # the virtual server that processed the
  157. # outer requests.
  158. #
  159. - virtual_server = "inner-tunnel"
  160. +# virtual_server = "inner-tunnel"
  161. # This has the same meaning as the
  162. # same field in the "tls" module, above.
  163. # The default value here is "yes".
  164. # include_length = yes
  165. - }
  166. +# }
  167. ##################################################
  168. #
  169. @@ -627,14 +627,14 @@
  170. # the PEAP module also has these configuration
  171. # items, which are the same as for TTLS.
  172. - copy_request_to_tunnel = no
  173. - use_tunneled_reply = no
  174. + copy_request_to_tunnel = yes
  175. + use_tunneled_reply = yes
  176. # When the tunneled session is proxied, the
  177. # home server may not understand EAP-MSCHAP-V2.
  178. # Set this entry to "no" to proxy the tunneled
  179. # EAP-MSCHAP-V2 as normal MSCHAPv2.
  180. - # proxy_tunneled_request_as_eap = yes
  181. + proxy_tunneled_request_as_eap = no
  182. #
  183. # The inner tunneled request can be sent
  184. @@ -646,7 +646,8 @@
  185. # the virtual server that processed the
  186. # outer requests.
  187. #
  188. - virtual_server = "inner-tunnel"
  189. + # virtual_server = "inner-tunnel"
  190. + EAP-TLS-Require-Client-Cert = no
  191. # This option enables support for MS-SoH
  192. # see doc/SoH.txt for more info.
  193. Index: freeradius-server-2.2.7/raddb/modules/counter
  194. ===================================================================
  195. --- freeradius-server-2.2.7.orig/raddb/modules/counter
  196. +++ freeradius-server-2.2.7/raddb/modules/counter
  197. @@ -69,7 +69,7 @@
  198. # 'check-name' attribute.
  199. #
  200. counter daily {
  201. - filename = ${db_dir}/db.daily
  202. + filename = ${radacctdir}/db.daily
  203. key = User-Name
  204. count-attribute = Acct-Session-Time
  205. reset = daily
  206. Index: freeradius-server-2.2.7/raddb/modules/pap
  207. ===================================================================
  208. --- freeradius-server-2.2.7.orig/raddb/modules/pap
  209. +++ freeradius-server-2.2.7/raddb/modules/pap
  210. @@ -18,5 +18,5 @@
  211. #
  212. # http://www.openldap.org/faq/data/cache/347.html
  213. pap {
  214. - auto_header = no
  215. + auto_header = yes
  216. }
  217. Index: freeradius-server-2.2.7/raddb/modules/radutmp
  218. ===================================================================
  219. --- freeradius-server-2.2.7.orig/raddb/modules/radutmp
  220. +++ freeradius-server-2.2.7/raddb/modules/radutmp
  221. @@ -12,7 +12,7 @@ radutmp {
  222. # Where the file is stored. It's not a log file,
  223. # so it doesn't need rotating.
  224. #
  225. - filename = ${logdir}/radutmp
  226. + filename = ${radacctdir}/radutmp
  227. # The field in the packet to key on for the
  228. # 'user' name, If you have other fields which you want
  229. Index: freeradius-server-2.2.7/raddb/modules/sradutmp
  230. ===================================================================
  231. --- freeradius-server-2.2.7.orig/raddb/modules/sradutmp
  232. +++ freeradius-server-2.2.7/raddb/modules/sradutmp
  233. @@ -10,7 +10,7 @@
  234. # then name "sradutmp" to identify it later in the "accounting"
  235. # section.
  236. radutmp sradutmp {
  237. - filename = ${logdir}/sradutmp
  238. + filename = ${radacctdir}/sradutmp
  239. perm = 0644
  240. callerid = "no"
  241. }
  242. Index: freeradius-server-2.2.7/raddb/radiusd.conf.in
  243. ===================================================================
  244. --- freeradius-server-2.2.7.orig/raddb/radiusd.conf.in
  245. +++ freeradius-server-2.2.7/raddb/radiusd.conf.in
  246. @@ -66,7 +66,7 @@ name = radiusd
  247. # Location of config and logfiles.
  248. confdir = ${raddbdir}
  249. -run_dir = ${localstatedir}/run/${name}
  250. +run_dir = ${localstatedir}/run
  251. # Should likely be ${localstatedir}/lib/radiusd
  252. db_dir = ${raddbdir}
  253. @@ -323,7 +323,7 @@ listen {
  254. # If your system does not support this feature, you will
  255. # get an error if you try to use it.
  256. #
  257. -# interface = eth0
  258. + interface = br-lan
  259. # Per-socket lists of clients. This is a very useful feature.
  260. #
  261. @@ -350,7 +350,7 @@ listen {
  262. # ipv6addr = ::
  263. port = 0
  264. type = acct
  265. -# interface = eth0
  266. + interface = br-lan
  267. # clients = per_socket_clients
  268. }
  269. @@ -576,8 +576,8 @@ security {
  270. #
  271. # allowed values: {no, yes}
  272. #
  273. -proxy_requests = yes
  274. -$INCLUDE proxy.conf
  275. +proxy_requests = no
  276. +#$INCLUDE proxy.conf
  277. # CLIENTS CONFIGURATION
  278. @@ -774,7 +774,7 @@ instantiate {
  279. # The entire command line (and output) must fit into 253 bytes.
  280. #
  281. # e.g. Framed-Pool = `%{exec:/bin/echo foo}`
  282. - exec
  283. +# exec
  284. #
  285. # The expression module doesn't do authorization,
  286. @@ -791,15 +791,15 @@ instantiate {
  287. # other xlat functions such as md5, sha1 and lc.
  288. #
  289. # We do not recommend removing it's listing here.
  290. - expr
  291. +# expr
  292. #
  293. # We add the counter module here so that it registers
  294. # the check-name attribute before any module which sets
  295. # it
  296. # daily
  297. - expiration
  298. - logintime
  299. +# expiration
  300. +# logintime
  301. # subsections here can be thought of as "virtual" modules.
  302. #
  303. @@ -823,7 +823,7 @@ instantiate {
  304. # to multiple times.
  305. #
  306. ######################################################################
  307. -$INCLUDE policy.conf
  308. +#$INCLUDE policy.conf
  309. ######################################################################
  310. #
  311. @@ -833,9 +833,9 @@ $INCLUDE policy.conf
  312. # match the regular expression: /[a-zA-Z0-9_.]+/
  313. #
  314. # It allows you to define new virtual servers simply by placing
  315. -# a file into the raddb/sites-enabled/ directory.
  316. +# a file into the /etc/freeradius2/sites/ directory.
  317. #
  318. -$INCLUDE sites-enabled/
  319. +$INCLUDE sites/
  320. ######################################################################
  321. #
  322. @@ -843,7 +843,7 @@ $INCLUDE sites-enabled/
  323. # "authenticate {}", "accounting {}", have been moved to the
  324. # the file:
  325. #
  326. -# raddb/sites-available/default
  327. +# /etc/freeradius2/sites/default
  328. #
  329. # This is the "default" virtual server that has the same
  330. # configuration as in version 1.0.x and 1.1.x. The default
  331. Index: freeradius-server-2.2.7/raddb/sites-available/default
  332. ===================================================================
  333. --- freeradius-server-2.2.7.orig/raddb/sites-available/default
  334. +++ freeradius-server-2.2.7/raddb/sites-available/default
  335. @@ -85,7 +85,7 @@ authorize {
  336. #
  337. # It takes care of processing the 'raddb/hints' and the
  338. # 'raddb/huntgroups' files.
  339. - preprocess
  340. +# preprocess
  341. #
  342. # If you want to have a log of authentication requests,
  343. @@ -96,7 +96,7 @@ authorize {
  344. #
  345. # The chap module will set 'Auth-Type := CHAP' if we are
  346. # handling a CHAP request and Auth-Type has not already been set
  347. - chap
  348. +# chap
  349. #
  350. # If the users are logging in with an MS-CHAP-Challenge
  351. @@ -104,13 +104,13 @@ authorize {
  352. # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
  353. # to the request, which will cause the server to then use
  354. # the mschap module for authentication.
  355. - mschap
  356. +# mschap
  357. #
  358. # If you have a Cisco SIP server authenticating against
  359. # FreeRADIUS, uncomment the following line, and the 'digest'
  360. # line in the 'authenticate' section.
  361. - digest
  362. +# digest
  363. #
  364. # The WiMAX specification says that the Calling-Station-Id
  365. @@ -133,7 +133,7 @@ authorize {
  366. # Otherwise, when the first style of realm doesn't match,
  367. # the other styles won't be checked.
  368. #
  369. - suffix
  370. +# suffix
  371. # ntdomain
  372. #
  373. @@ -197,8 +197,8 @@ authorize {
  374. # Use the checkval module
  375. # checkval
  376. - expiration
  377. - logintime
  378. +# expiration
  379. +# logintime
  380. #
  381. # If no other module has claimed responsibility for
  382. @@ -279,7 +279,7 @@ authenticate {
  383. # If you have a Cisco SIP server authenticating against
  384. # FreeRADIUS, uncomment the following line, and the 'digest'
  385. # line in the 'authorize' section.
  386. - digest
  387. +# digest
  388. #
  389. # Pluggable Authentication Modules.
  390. @@ -296,7 +296,7 @@ authenticate {
  391. # be used for authentication ONLY for compatibility with legacy
  392. # FreeRADIUS configurations.
  393. #
  394. - unix
  395. +# unix
  396. # Uncomment it if you want to use ldap for authentication
  397. #
  398. @@ -332,8 +332,8 @@ authenticate {
  399. #
  400. # Pre-accounting. Decide which accounting type to use.
  401. #
  402. -preacct {
  403. - preprocess
  404. +#preacct {
  405. +# preprocess
  406. #
  407. # Session start times are *implied* in RADIUS.
  408. @@ -356,7 +356,7 @@ preacct {
  409. #
  410. # Ensure that we have a semi-unique identifier for every
  411. # request, and many NAS boxes are broken.
  412. - acct_unique
  413. +# acct_unique
  414. #
  415. # Look for IPASS-style 'realm/', and if not found, look for
  416. @@ -366,13 +366,13 @@ preacct {
  417. # Accounting requests are generally proxied to the same
  418. # home server as authentication requests.
  419. # IPASS
  420. - suffix
  421. +# suffix
  422. # ntdomain
  423. #
  424. # Read the 'acct_users' file
  425. - files
  426. -}
  427. +# files
  428. +#}
  429. #
  430. # Accounting. Log the accounting data.
  431. @@ -382,7 +382,7 @@ accounting {
  432. # Create a 'detail'ed log of the packets.
  433. # Note that accounting requests which are proxied
  434. # are also logged in the detail file.
  435. - detail
  436. +# detail
  437. # daily
  438. # Update the wtmp file
  439. @@ -434,7 +434,7 @@ accounting {
  440. exec
  441. # Filter attributes from the accounting response.
  442. - attr_filter.accounting_response
  443. + #attr_filter.accounting_response
  444. #
  445. # See "Autz-Type Status-Server" for how this works.
  446. @@ -460,7 +460,7 @@ session {
  447. # Post-Authentication
  448. # Once we KNOW that the user has been authenticated, there are
  449. # additional steps we can take.
  450. -post-auth {
  451. +#post-auth {
  452. # Get an address from the IP Pool.
  453. # main_pool
  454. @@ -490,7 +490,7 @@ post-auth {
  455. # ldap
  456. # For Exec-Program and Exec-Program-Wait
  457. - exec
  458. +# exec
  459. #
  460. # Calculate the various WiMAX keys. In order for this to work,
  461. @@ -574,18 +574,18 @@ post-auth {
  462. # Add the ldap module name (or instance) if you have set
  463. # 'edir_account_policy_check = yes' in the ldap module configuration
  464. #
  465. - Post-Auth-Type REJECT {
  466. - # log failed authentications in SQL, too.
  467. +# Post-Auth-Type REJECT {
  468. +# # log failed authentications in SQL, too.
  469. # sql
  470. # Insert EAP-Failure message if the request was
  471. # rejected by policy instead of because of an
  472. # authentication failure
  473. - eap
  474. +# eap
  475. - attr_filter.access_reject
  476. - }
  477. -}
  478. +# attr_filter.access_reject
  479. +# }
  480. +#}
  481. #
  482. # When the server decides to proxy a request to a home server,
  483. @@ -595,7 +595,7 @@ post-auth {
  484. #
  485. # Only a few modules currently have this method.
  486. #
  487. -pre-proxy {
  488. +#pre-proxy {
  489. # attr_rewrite
  490. # Uncomment the following line if you want to change attributes
  491. @@ -611,14 +611,14 @@ pre-proxy {
  492. # server, un-comment the following line, and the
  493. # 'detail pre_proxy_log' section, above.
  494. # pre_proxy_log
  495. -}
  496. +#}
  497. #
  498. # When the server receives a reply to a request it proxied
  499. # to a home server, the request may be massaged here, in the
  500. # post-proxy stage.
  501. #
  502. -post-proxy {
  503. +#post-proxy {
  504. # If you want to have a log of replies from a home server,
  505. # un-comment the following line, and the 'detail post_proxy_log'
  506. @@ -642,7 +642,7 @@ post-proxy {
  507. # hidden inside of the EAP packet, and the end server will
  508. # reject the EAP request.
  509. #
  510. - eap
  511. +# eap
  512. #
  513. # If the server tries to proxy a request and fails, then the
  514. @@ -664,5 +664,5 @@ post-proxy {
  515. # Post-Proxy-Type Fail {
  516. # detail
  517. # }
  518. -}
  519. +#}
  520. Index: freeradius-server-2.2.7/raddb/users
  521. ===================================================================
  522. --- freeradius-server-2.2.7.orig/raddb/users
  523. +++ freeradius-server-2.2.7/raddb/users
  524. @@ -169,22 +169,22 @@
  525. # by the terminal server in which case there may not be a "P" suffix.
  526. # The terminal server sends "Framed-Protocol = PPP" for auto PPP.
  527. #
  528. -DEFAULT Framed-Protocol == PPP
  529. - Framed-Protocol = PPP,
  530. - Framed-Compression = Van-Jacobson-TCP-IP
  531. +#DEFAULT Framed-Protocol == PPP
  532. +# Framed-Protocol = PPP,
  533. +# Framed-Compression = Van-Jacobson-TCP-IP
  534. #
  535. # Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
  536. #
  537. -DEFAULT Hint == "CSLIP"
  538. - Framed-Protocol = SLIP,
  539. - Framed-Compression = Van-Jacobson-TCP-IP
  540. +#DEFAULT Hint == "CSLIP"
  541. +# Framed-Protocol = SLIP,
  542. +# Framed-Compression = Van-Jacobson-TCP-IP
  543. #
  544. # Default for SLIP: dynamic IP address, SLIP mode.
  545. #
  546. -DEFAULT Hint == "SLIP"
  547. - Framed-Protocol = SLIP
  548. +#DEFAULT Hint == "SLIP"
  549. +# Framed-Protocol = SLIP
  550. #
  551. # Last default: rlogin to our main server.