123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613 |
- Index: freeradius-server-2.2.7/raddb/dictionary.in
- ===================================================================
- --- freeradius-server-2.2.7.orig/raddb/dictionary.in
- +++ freeradius-server-2.2.7/raddb/dictionary.in
- @@ -11,7 +11,7 @@
- #
- # The filename given here should be an absolute path.
- #
- -$INCLUDE @prefix@/share/freeradius/dictionary
- +$INCLUDE @prefix@/share/freeradius2/dictionary
-
- #
- # Place additional attributes or $INCLUDEs here. They will
- Index: freeradius-server-2.2.7/raddb/eap.conf
- ===================================================================
- --- freeradius-server-2.2.7.orig/raddb/eap.conf
- +++ freeradius-server-2.2.7/raddb/eap.conf
- @@ -27,7 +27,7 @@
- # then that EAP type takes precedence over the
- # default type configured here.
- #
- - default_eap_type = md5
- + default_eap_type = peap
-
- # A list is maintained to correlate EAP-Response
- # packets with EAP-Request packets. After a
- @@ -72,8 +72,8 @@
- # for wireless connections. It is insecure, and does
- # not provide for dynamic WEP keys.
- #
- - md5 {
- - }
- +# md5 {
- +# }
-
- # Cisco LEAP
- #
- @@ -87,8 +87,8 @@
- # User-Password, or the NT-Password attributes.
- # 'System' authentication is impossible with LEAP.
- #
- - leap {
- - }
- +# leap {
- +# }
-
- # Generic Token Card.
- #
- @@ -101,7 +101,7 @@
- # the users password will go over the wire in plain-text,
- # for anyone to see.
- #
- - gtc {
- +# gtc {
- # The default challenge, which many clients
- # ignore..
- #challenge = "Password: "
- @@ -118,8 +118,8 @@
- # configured for the request, and do the
- # authentication itself.
- #
- - auth_type = PAP
- - }
- +# auth_type = PAP
- +# }
-
- ## EAP-TLS
- #
- @@ -215,7 +215,7 @@
- # In these cases, fragment size should be
- # 1024 or less.
- #
- - # fragment_size = 1024
- + fragment_size = 1024
-
- # include_length is a flag which is
- # by default set to yes If set to
- @@ -225,7 +225,7 @@
- # message is included ONLY in the
- # First packet of a fragment series.
- #
- - # include_length = yes
- + include_length = yes
-
- # Check the Certificate Revocation List
- #
- @@ -297,7 +297,7 @@
- # for the server to print out an error message,
- # and refuse to start.
- #
- - make_cert_command = "${certdir}/bootstrap"
- + # make_cert_command = "${certdir}/bootstrap"
-
- #
- # Elliptical cryptography configuration
- @@ -332,7 +332,7 @@
- # You probably also want "use_tunneled_reply = yes"
- # when using fast session resumption.
- #
- - cache {
- + # cache {
- #
- # Enable it. The default is "no".
- # Deleting the entire "cache" subsection
- @@ -348,14 +348,14 @@
- # enable resumption for just one user
- # by setting the above attribute to "yes".
- #
- - enable = no
- + # enable = no
-
- #
- # Lifetime of the cached entries, in hours.
- # The sessions will be deleted after this
- # time.
- #
- - lifetime = 24 # hours
- + # lifetime = 24 # hours
-
- #
- # The maximum number of entries in the
- @@ -364,8 +364,8 @@
- # This could be set to the number of users
- # who are logged in... which can be a LOT.
- #
- - max_entries = 255
- - }
- + # max_entries = 255
- + # }
-
- #
- # As of version 2.1.10, client certificates can be
- @@ -503,7 +503,7 @@
- #
- # in the control items for a request.
- #
- - ttls {
- +# ttls {
- # The tunneled EAP session needs a default
- # EAP type which is separate from the one for
- # the non-tunneled EAP module. Inside of the
- @@ -511,7 +511,7 @@
- # If the request does not contain an EAP
- # conversation, then this configuration entry
- # is ignored.
- - default_eap_type = md5
- +# default_eap_type = mschapv2
-
- # The tunneled authentication request does
- # not usually contain useful attributes
- @@ -527,7 +527,7 @@
- # is copied to the tunneled request.
- #
- # allowed values: {no, yes}
- - copy_request_to_tunnel = no
- +# copy_request_to_tunnel = yes
-
- # The reply attributes sent to the NAS are
- # usually based on the name of the user
- @@ -540,7 +540,7 @@
- # the tunneled request.
- #
- # allowed values: {no, yes}
- - use_tunneled_reply = no
- +# use_tunneled_reply = no
-
- #
- # The inner tunneled request can be sent
- @@ -552,13 +552,13 @@
- # the virtual server that processed the
- # outer requests.
- #
- - virtual_server = "inner-tunnel"
- +# virtual_server = "inner-tunnel"
-
- # This has the same meaning as the
- # same field in the "tls" module, above.
- # The default value here is "yes".
- # include_length = yes
- - }
- +# }
-
- ##################################################
- #
- @@ -627,14 +627,14 @@
-
- # the PEAP module also has these configuration
- # items, which are the same as for TTLS.
- - copy_request_to_tunnel = no
- - use_tunneled_reply = no
- + copy_request_to_tunnel = yes
- + use_tunneled_reply = yes
-
- # When the tunneled session is proxied, the
- # home server may not understand EAP-MSCHAP-V2.
- # Set this entry to "no" to proxy the tunneled
- # EAP-MSCHAP-V2 as normal MSCHAPv2.
- - # proxy_tunneled_request_as_eap = yes
- + proxy_tunneled_request_as_eap = no
-
- #
- # The inner tunneled request can be sent
- @@ -646,7 +646,8 @@
- # the virtual server that processed the
- # outer requests.
- #
- - virtual_server = "inner-tunnel"
- + # virtual_server = "inner-tunnel"
- + EAP-TLS-Require-Client-Cert = no
-
- # This option enables support for MS-SoH
- # see doc/SoH.txt for more info.
- Index: freeradius-server-2.2.7/raddb/modules/counter
- ===================================================================
- --- freeradius-server-2.2.7.orig/raddb/modules/counter
- +++ freeradius-server-2.2.7/raddb/modules/counter
- @@ -69,7 +69,7 @@
- # 'check-name' attribute.
- #
- counter daily {
- - filename = ${db_dir}/db.daily
- + filename = ${radacctdir}/db.daily
- key = User-Name
- count-attribute = Acct-Session-Time
- reset = daily
- Index: freeradius-server-2.2.7/raddb/modules/pap
- ===================================================================
- --- freeradius-server-2.2.7.orig/raddb/modules/pap
- +++ freeradius-server-2.2.7/raddb/modules/pap
- @@ -18,5 +18,5 @@
- #
- # http://www.openldap.org/faq/data/cache/347.html
- pap {
- - auto_header = no
- + auto_header = yes
- }
- Index: freeradius-server-2.2.7/raddb/modules/radutmp
- ===================================================================
- --- freeradius-server-2.2.7.orig/raddb/modules/radutmp
- +++ freeradius-server-2.2.7/raddb/modules/radutmp
- @@ -12,7 +12,7 @@ radutmp {
- # Where the file is stored. It's not a log file,
- # so it doesn't need rotating.
- #
- - filename = ${logdir}/radutmp
- + filename = ${radacctdir}/radutmp
-
- # The field in the packet to key on for the
- # 'user' name, If you have other fields which you want
- Index: freeradius-server-2.2.7/raddb/modules/sradutmp
- ===================================================================
- --- freeradius-server-2.2.7.orig/raddb/modules/sradutmp
- +++ freeradius-server-2.2.7/raddb/modules/sradutmp
- @@ -10,7 +10,7 @@
- # then name "sradutmp" to identify it later in the "accounting"
- # section.
- radutmp sradutmp {
- - filename = ${logdir}/sradutmp
- + filename = ${radacctdir}/sradutmp
- perm = 0644
- callerid = "no"
- }
- Index: freeradius-server-2.2.7/raddb/radiusd.conf.in
- ===================================================================
- --- freeradius-server-2.2.7.orig/raddb/radiusd.conf.in
- +++ freeradius-server-2.2.7/raddb/radiusd.conf.in
- @@ -66,7 +66,7 @@ name = radiusd
-
- # Location of config and logfiles.
- confdir = ${raddbdir}
- -run_dir = ${localstatedir}/run/${name}
- +run_dir = ${localstatedir}/run
-
- # Should likely be ${localstatedir}/lib/radiusd
- db_dir = ${raddbdir}
- @@ -323,7 +323,7 @@ listen {
- # If your system does not support this feature, you will
- # get an error if you try to use it.
- #
- -# interface = eth0
- + interface = br-lan
-
- # Per-socket lists of clients. This is a very useful feature.
- #
- @@ -350,7 +350,7 @@ listen {
- # ipv6addr = ::
- port = 0
- type = acct
- -# interface = eth0
- + interface = br-lan
- # clients = per_socket_clients
- }
-
- @@ -576,8 +576,8 @@ security {
- #
- # allowed values: {no, yes}
- #
- -proxy_requests = yes
- -$INCLUDE proxy.conf
- +proxy_requests = no
- +#$INCLUDE proxy.conf
-
-
- # CLIENTS CONFIGURATION
- @@ -774,7 +774,7 @@ instantiate {
- # The entire command line (and output) must fit into 253 bytes.
- #
- # e.g. Framed-Pool = `%{exec:/bin/echo foo}`
- - exec
- +# exec
-
- #
- # The expression module doesn't do authorization,
- @@ -791,15 +791,15 @@ instantiate {
- # other xlat functions such as md5, sha1 and lc.
- #
- # We do not recommend removing it's listing here.
- - expr
- +# expr
-
- #
- # We add the counter module here so that it registers
- # the check-name attribute before any module which sets
- # it
- # daily
- - expiration
- - logintime
- +# expiration
- +# logintime
-
- # subsections here can be thought of as "virtual" modules.
- #
- @@ -823,7 +823,7 @@ instantiate {
- # to multiple times.
- #
- ######################################################################
- -$INCLUDE policy.conf
- +#$INCLUDE policy.conf
-
- ######################################################################
- #
- @@ -833,9 +833,9 @@ $INCLUDE policy.conf
- # match the regular expression: /[a-zA-Z0-9_.]+/
- #
- # It allows you to define new virtual servers simply by placing
- -# a file into the raddb/sites-enabled/ directory.
- +# a file into the /etc/freeradius2/sites/ directory.
- #
- -$INCLUDE sites-enabled/
- +$INCLUDE sites/
-
- ######################################################################
- #
- @@ -843,7 +843,7 @@ $INCLUDE sites-enabled/
- # "authenticate {}", "accounting {}", have been moved to the
- # the file:
- #
- -# raddb/sites-available/default
- +# /etc/freeradius2/sites/default
- #
- # This is the "default" virtual server that has the same
- # configuration as in version 1.0.x and 1.1.x. The default
- Index: freeradius-server-2.2.7/raddb/sites-available/default
- ===================================================================
- --- freeradius-server-2.2.7.orig/raddb/sites-available/default
- +++ freeradius-server-2.2.7/raddb/sites-available/default
- @@ -85,7 +85,7 @@ authorize {
- #
- # It takes care of processing the 'raddb/hints' and the
- # 'raddb/huntgroups' files.
- - preprocess
- +# preprocess
-
- #
- # If you want to have a log of authentication requests,
- @@ -96,7 +96,7 @@ authorize {
- #
- # The chap module will set 'Auth-Type := CHAP' if we are
- # handling a CHAP request and Auth-Type has not already been set
- - chap
- +# chap
-
- #
- # If the users are logging in with an MS-CHAP-Challenge
- @@ -104,13 +104,13 @@ authorize {
- # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
- # to the request, which will cause the server to then use
- # the mschap module for authentication.
- - mschap
- +# mschap
-
- #
- # If you have a Cisco SIP server authenticating against
- # FreeRADIUS, uncomment the following line, and the 'digest'
- # line in the 'authenticate' section.
- - digest
- +# digest
-
- #
- # The WiMAX specification says that the Calling-Station-Id
- @@ -133,7 +133,7 @@ authorize {
- # Otherwise, when the first style of realm doesn't match,
- # the other styles won't be checked.
- #
- - suffix
- +# suffix
- # ntdomain
-
- #
- @@ -197,8 +197,8 @@ authorize {
- # Use the checkval module
- # checkval
-
- - expiration
- - logintime
- +# expiration
- +# logintime
-
- #
- # If no other module has claimed responsibility for
- @@ -279,7 +279,7 @@ authenticate {
- # If you have a Cisco SIP server authenticating against
- # FreeRADIUS, uncomment the following line, and the 'digest'
- # line in the 'authorize' section.
- - digest
- +# digest
-
- #
- # Pluggable Authentication Modules.
- @@ -296,7 +296,7 @@ authenticate {
- # be used for authentication ONLY for compatibility with legacy
- # FreeRADIUS configurations.
- #
- - unix
- +# unix
-
- # Uncomment it if you want to use ldap for authentication
- #
- @@ -332,8 +332,8 @@ authenticate {
- #
- # Pre-accounting. Decide which accounting type to use.
- #
- -preacct {
- - preprocess
- +#preacct {
- +# preprocess
-
- #
- # Session start times are *implied* in RADIUS.
- @@ -356,7 +356,7 @@ preacct {
- #
- # Ensure that we have a semi-unique identifier for every
- # request, and many NAS boxes are broken.
- - acct_unique
- +# acct_unique
-
- #
- # Look for IPASS-style 'realm/', and if not found, look for
- @@ -366,13 +366,13 @@ preacct {
- # Accounting requests are generally proxied to the same
- # home server as authentication requests.
- # IPASS
- - suffix
- +# suffix
- # ntdomain
-
- #
- # Read the 'acct_users' file
- - files
- -}
- +# files
- +#}
-
- #
- # Accounting. Log the accounting data.
- @@ -382,7 +382,7 @@ accounting {
- # Create a 'detail'ed log of the packets.
- # Note that accounting requests which are proxied
- # are also logged in the detail file.
- - detail
- +# detail
- # daily
-
- # Update the wtmp file
- @@ -434,7 +434,7 @@ accounting {
- exec
-
- # Filter attributes from the accounting response.
- - attr_filter.accounting_response
- + #attr_filter.accounting_response
-
- #
- # See "Autz-Type Status-Server" for how this works.
- @@ -460,7 +460,7 @@ session {
- # Post-Authentication
- # Once we KNOW that the user has been authenticated, there are
- # additional steps we can take.
- -post-auth {
- +#post-auth {
- # Get an address from the IP Pool.
- # main_pool
-
- @@ -490,7 +490,7 @@ post-auth {
- # ldap
-
- # For Exec-Program and Exec-Program-Wait
- - exec
- +# exec
-
- #
- # Calculate the various WiMAX keys. In order for this to work,
- @@ -574,18 +574,18 @@ post-auth {
- # Add the ldap module name (or instance) if you have set
- # 'edir_account_policy_check = yes' in the ldap module configuration
- #
- - Post-Auth-Type REJECT {
- - # log failed authentications in SQL, too.
- +# Post-Auth-Type REJECT {
- +# # log failed authentications in SQL, too.
- # sql
-
- # Insert EAP-Failure message if the request was
- # rejected by policy instead of because of an
- # authentication failure
- - eap
- +# eap
-
- - attr_filter.access_reject
- - }
- -}
- +# attr_filter.access_reject
- +# }
- +#}
-
- #
- # When the server decides to proxy a request to a home server,
- @@ -595,7 +595,7 @@ post-auth {
- #
- # Only a few modules currently have this method.
- #
- -pre-proxy {
- +#pre-proxy {
- # attr_rewrite
-
- # Uncomment the following line if you want to change attributes
- @@ -611,14 +611,14 @@ pre-proxy {
- # server, un-comment the following line, and the
- # 'detail pre_proxy_log' section, above.
- # pre_proxy_log
- -}
- +#}
-
- #
- # When the server receives a reply to a request it proxied
- # to a home server, the request may be massaged here, in the
- # post-proxy stage.
- #
- -post-proxy {
- +#post-proxy {
-
- # If you want to have a log of replies from a home server,
- # un-comment the following line, and the 'detail post_proxy_log'
- @@ -642,7 +642,7 @@ post-proxy {
- # hidden inside of the EAP packet, and the end server will
- # reject the EAP request.
- #
- - eap
- +# eap
-
- #
- # If the server tries to proxy a request and fails, then the
- @@ -664,5 +664,5 @@ post-proxy {
- # Post-Proxy-Type Fail {
- # detail
- # }
- -}
- +#}
-
- Index: freeradius-server-2.2.7/raddb/users
- ===================================================================
- --- freeradius-server-2.2.7.orig/raddb/users
- +++ freeradius-server-2.2.7/raddb/users
- @@ -169,22 +169,22 @@
- # by the terminal server in which case there may not be a "P" suffix.
- # The terminal server sends "Framed-Protocol = PPP" for auto PPP.
- #
- -DEFAULT Framed-Protocol == PPP
- - Framed-Protocol = PPP,
- - Framed-Compression = Van-Jacobson-TCP-IP
- +#DEFAULT Framed-Protocol == PPP
- +# Framed-Protocol = PPP,
- +# Framed-Compression = Van-Jacobson-TCP-IP
-
- #
- # Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
- #
- -DEFAULT Hint == "CSLIP"
- - Framed-Protocol = SLIP,
- - Framed-Compression = Van-Jacobson-TCP-IP
- +#DEFAULT Hint == "CSLIP"
- +# Framed-Protocol = SLIP,
- +# Framed-Compression = Van-Jacobson-TCP-IP
-
- #
- # Default for SLIP: dynamic IP address, SLIP mode.
- #
- -DEFAULT Hint == "SLIP"
- - Framed-Protocol = SLIP
- +#DEFAULT Hint == "SLIP"
- +# Framed-Protocol = SLIP
-
- #
- # Last default: rlogin to our main server.
|