6a7e21e876859a7b79eddc6970960355e82c543d
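--- a/raddb/dictionary.in
+++ b/raddb/dictionary.in
@@ -11,7 +11,7 @@
 #
 # The filename given here should be an absolute path.
 #
-$INCLUDE @prefix@/share/freeradius/dictionary
+$INCLUDE @prefix@/share/freeradius2/dictionary
 
 #
 # Place additional attributes or $INCLUDEs here. They will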
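--- a/raddb/eap.conf
+++ b/raddb/eap.conf
@@ -27,7 +27,7 @@
 # then that EAP type takes precedence over the
 # default type configured here.
 #
- default_eap_type = md5
+ default_eap_type = peap
 
 # A list is maintained to correlate EAP-Response
 # packets with EAP-Request packets. After a
@@ -72,8 +72,8 @@
 # for wireless connections. It is insecure, and does
 # not provide for dynamic WEP keys.
 #
- md5 {
- }
+# md5 {
+# }
 
 # Cisco LEAP
 #
@@ -87,8 +87,8 @@
 # User-Password, or the NT-Password attributes.
 # 'System' authentication is impossible with LEAP.
 #
- leap {
- }
+# leap {
+# }
 
 # Generic Token Card.
 #
@@ -101,7 +101,7 @@
 # the users password will go over the wire in plain-text,
 # for anyone to see.
 #
- gtc {
+# gtc {
 # The default challenge, which many clients
 # ignore..
 #challenge = "Password: "
@@ -118,8 +118,8 @@
 # configured for the request, and do the
 # authentication itself.
 #
- auth_type = PAP
- }
+# auth_type = PAP
+# }
 
 ## EAP-TLS
 #
@@ -205,7 +205,7 @@
 # In these cases, fragment size should be
 # 1024 or less.
 #
- # fragment_size = 1024
+ fragment_size = 1024
 
 # include_length is a flag which is
 # by default set to yes If set to
@@ -215,7 +215,7 @@
 # message is included ONLY in the
 # First packet of a fragment series.
 #
- # include_length = yes
+ include_length = yes
 
 # Check the Certificate Revocation List
 #
@@ -271,7 +271,7 @@
 # configuration. It is here ONLY to make
 # initial deployments easier.
 #
- make_cert_command = "${certdir}/bootstrap"
+ # make_cert_command = "${certdir}/bootstrap"
 
 #
 # Session resumption / fast reauthentication
@@ -299,7 +299,7 @@
 # You probably also want "use_tunneled_reply = yes"
 # when using fast session resumption.
 #
- cache {
+ # cache {
 #
 # Enable it. The default is "no".
 # Deleting the entire "cache" subsection
@@ -315,14 +315,14 @@
 # enable resumption for just one user
 # by setting the above attribute to "yes".
 #
- enable = no
+ # enable = no
 
 #
 # Lifetime of the cached entries, in hours.
 # The sessions will be deleted after this
 # time.
 #
- lifetime = 24 # hours
+ # lifetime = 24 # hours
 
 #
 # The maximum number of entries in the
@@ -331,8 +331,8 @@
 # This could be set to the number of users
 # who are logged in... which can be a LOT.
 #
- max_entries = 255
- }
+ # max_entries = 255
+ # }
 
 #
 # As of version 2.1.10, client certificates can be
@@ -394,7 +394,7 @@
 #
 # in the control items for a request.
 #
- ttls {
+# ttls {
 # The tunneled EAP session needs a default
 # EAP type which is separate from the one for
 # the non-tunneled EAP module. Inside of the
@@ -402,7 +402,7 @@
 # If the request does not contain an EAP
 # conversation, then this configuration entry
 # is ignored.
- default_eap_type = md5
+# default_eap_type = mschapv2
 
 # The tunneled authentication request does
 # not usually contain useful attributes
@@ -418,7 +418,7 @@
 # is copied to the tunneled request.
 #
 # allowed values: {no, yes}
- copy_request_to_tunnel = no
+# copy_request_to_tunnel = yes
 
 # The reply attributes sent to the NAS are
 # usually based on the name of the user
@@ -431,7 +431,7 @@
 # the tunneled request.
 #
 # allowed values: {no, yes}
- use_tunneled_reply = no
+# use_tunneled_reply = no
 
 #
 # The inner tunneled request can be sent
@@ -443,13 +443,13 @@
 # the virtual server that processed the
 # outer requests.
 #
- virtual_server = "inner-tunnel"
+# virtual_server = "inner-tunnel"
 
 # This has the same meaning as the
 # same field in the "tls" module, above.
 # The default value here is "yes".
 # include_length = yes
- }
+# }
 
 ##################################################
 #
@@ -518,14 +518,14 @@
 
 # the PEAP module also has these configuration
 # items, which are the same as for TTLS.
- copy_request_to_tunnel = no
- use_tunneled_reply = no
+ copy_request_to_tunnel = yes
+ use_tunneled_reply = yes
 
 # When the tunneled session is proxied, the
 # home server may not understand EAP-MSCHAP-V2.
 # Set this entry to "no" to proxy the tunneled
 # EAP-MSCHAP-V2 as normal MSCHAPv2.
- # proxy_tunneled_request_as_eap = yes
+ proxy_tunneled_request_as_eap = no
 
 #
 # The inner tunneled request can be sent
@@ -537,7 +537,8 @@
 # the virtual server that processed the
 # outer requests.
 #
- virtual_server = "inner-tunnel"
+ # virtual_server = "inner-tunnel"
+ EAP-TLS-Require-Client-Cert = no
 }
 
 #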
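Review bot: `EAP-TLS-Require-Client-Cert = no`, added just before the closing brace of the `peap { }` block in the `@@ -537,7 +537,8 @@` hunk, looks like a per-request control attribute rather than a module configuration item — the context of the `@@ -394,7 +394,7 @@` hunk above says it is set "in the control items for a request" — so as written it may be parsed as an unknown key and have no effect; confirm against the 2.1.x eap module and, if it is actually needed, set it from the authorize stage (a `users` entry or a `sites/` policy) instead. If the intent is only to record that PEAP does not need client certificates, a comment is enough: `# PEAP clients authenticate inside the TLS tunnel; no client certificate is required`. Separately, commenting out `make_cert_command` in the `@@ -271,7 +271,7 @@` hunk means the server no longer bootstraps a certificate on first start, so the package must ship or document how `${certdir}` is populated, otherwise the `tls` section presumably fails to load. Finally, `use_tunneled_reply = yes` and `copy_request_to_tunnel = yes` in the `@@ -518,14 +518,14 @@` hunk expose inner-tunnel reply attributes to the NAS and outer request attributes to the inner request; a one-line comment stating why (for example VLAN assignment from the inner session) would help the next maintainer.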
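--- a/raddb/modules/counter
+++ b/raddb/modules/counter
@@ -69,7 +69,7 @@
 # 'check-name' attribute.
 #
 counter daily {
- filename = ${db_dir}/db.daily
+ filename = ${radacctdir}/db.daily
 key = User-Name
 count-attribute = Acct-Session-Time
 reset = daily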
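--- a/raddb/modules/pap
+++ b/raddb/modules/pap
@@ -14,5 +14,5 @@
 # with the correct value. It will also automatically handle
 # Base-64 encoded data, hex strings, and binary data.
 pap {
- auto_header = no
+ auto_header = yes
 }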
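Review bot: `auto_header = yes` in the `@@ -14,5 +14,5 @@` hunk changes how the pap module interprets a stored password: a value carrying a `{...}` header such as `{crypt}` or `{sha}` is treated as that hash format instead of as a literal cleartext password. That is a sensible default when the `users` file holds hashed passwords, but the reason is not recorded anywhere in the patch; a comment such as `# honour {crypt}/{sha}/... headers so hashed entries in users work out of the box` would make the intent explicit for whoever next touches this file.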
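--- a/raddb/modules/radutmp
+++ b/raddb/modules/radutmp
@@ -12,7 +12,7 @@ radutmp {
 # Where the file is stored. It's not a log file,
 # so it doesn't need rotating.
 #
- filename = ${logdir}/radutmp
+ filename = ${radacctdir}/radutmp
 
 # The field in the packet to key on for the
 # 'user' name, If you have other fields which you want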
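--- a/raddb/modules/sradutmp
+++ b/raddb/modules/sradutmp
@@ -10,7 +10,7 @@
 # then name "sradutmp" to identify it later in the "accounting"
 # section.
 radutmp sradutmp {
- filename = ${logdir}/sradutmp
+ filename = ${radacctdir}/sradutmp
 perm = 0644
 callerid = "no"
 }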
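--- a/raddb/radiusd.conf.in
+++ b/raddb/radiusd.conf.in
@@ -66,7 +66,7 @@ name = radiusd
 
 # Location of config and logfiles.
 confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/${name}
+run_dir = ${localstatedir}/run
 
 # Should likely be ${localstatedir}/lib/radiusd
 db_dir = ${raddbdir}
@@ -290,7 +290,7 @@ listen {
 # If your system does not support this feature, you will
 # get an error if you try to use it.
 #
-# interface = eth0
+ interface = br-lan
 
 # Per-socket lists of clients. This is a very useful feature.
 #
@@ -317,7 +317,7 @@ listen {
 # ipv6addr = ::
 port = 0
 type = acct
-# interface = eth0
+ interface = br-lan
 # clients = per_socket_clients
 }
 
@@ -541,8 +541,8 @@ security {
 #
 # allowed values: {no, yes}
 #
-proxy_requests = yes
-$INCLUDE proxy.conf
+proxy_requests = no
+#$INCLUDE proxy.conf
 
 
 # CLIENTS CONFIGURATION
@@ -722,7 +722,7 @@ instantiate {
 # The entire command line (and output) must fit into 253 bytes.
 #
 # e.g. Framed-Pool = `%{exec:/bin/echo foo}`
- exec
+# exec
 
 #
 # The expression module doesn't do authorization,
@@ -735,15 +735,15 @@ instantiate {
 # listed in any other section. See 'doc/rlm_expr' for
 # more information.
 #
- expr
+# expr
 
 #
 # We add the counter module here so that it registers
 # the check-name attribute before any module which sets
 # it
 # daily
- expiration
- logintime
+# expiration
+# logintime
 
 # subsections here can be thought of as "virtual" modules.
 #
@@ -767,7 +767,7 @@ instantiate {
 # to multiple times.
 #
 ######################################################################
-$INCLUDE policy.conf
+#$INCLUDE policy.conf
 
 ######################################################################
 #
@@ -777,9 +777,9 @@ $INCLUDE policy.conf
 # match the regular expression: /[a-zA-Z0-9_.]+/
 #
 # It allows you to define new virtual servers simply by placing
-# a file into the raddb/sites-enabled/ directory.
+# a file into the /etc/freeradius2/sites/ directory.
 #
-$INCLUDE sites-enabled/
+$INCLUDE sites/
 
 ######################################################################
 #
@@ -787,7 +787,7 @@ $INCLUDE sites-enabled/
 # "authenticate {}", "accounting {}", have been moved to the
 # the file:
 #
-# raddb/sites-available/default
+# /etc/freeradius2/sites/default
 #
 # This is the "default" virtual server that has the same
 # configuration as in version 1.0.x and 1.1.x. The default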
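Review bot: Both `listen { }` blocks in the `@@ -290,7 +290,7 @@` and `@@ -317,7 +317,7 @@` hunks now hard-code `interface = br-lan`, which keeps the auth and acct sockets off the WAN side but ties the default to OpenWrt's stock LAN bridge name; on a system where that interface does not exist the socket cannot be bound and the daemon presumably refuses to start. A comment such as `# bind to the LAN bridge only; change this if your LAN interface has another name` on each of the two lines would make the intent and the assumption explicit. `#$INCLUDE policy.conf` in the `@@ -767,7 +767,7 @@` hunk removes every named policy, so any remaining section that references one will fail at config load; the `sites-available/default` hunks in this patch do not show such a reference, but most of that file is outside the patch, so the `sites/` files should be checked. Commenting out `expr` in the `@@ -735,15 +735,15 @@` hunk is, per its own context lines, safe only as long as no remaining configuration uses `%{expr:...}`, which is worth stating next to the line.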
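--- a/raddb/sites-available/default
+++ b/raddb/sites-available/default
@@ -67,7 +67,7 @@ authorize {
 #
 # It takes care of processing the 'raddb/hints' and the
 # 'raddb/huntgroups' files.
- preprocess
+# preprocess
 
 #
 # If you want to have a log of authentication requests,
@@ -78,7 +78,7 @@ authorize {
 #
 # The chap module will set 'Auth-Type := CHAP' if we are
 # handling a CHAP request and Auth-Type has not already been set
- chap
+# chap
 
 #
 # If the users are logging in with an MS-CHAP-Challenge
@@ -86,13 +86,13 @@ authorize {
 # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
 # to the request, which will cause the server to then use
 # the mschap module for authentication.
- mschap
+# mschap
 
 #
 # If you have a Cisco SIP server authenticating against
 # FreeRADIUS, uncomment the following line, and the 'digest'
 # line in the 'authenticate' section.
- digest
+# digest
 
 #
 # The WiMAX specification says that the Calling-Station-Id
@@ -115,7 +115,7 @@ authorize {
 # Otherwise, when the first style of realm doesn't match,
 # the other styles won't be checked.
 #
- suffix
+# suffix
 # ntdomain
 
 #
@@ -177,8 +177,8 @@ authorize {
 # Use the checkval module
 # checkval
 
- expiration
- logintime
+# expiration
+# logintime
 
 #
 # If no other module has claimed responsibility for
@@ -259,7 +259,7 @@ authenticate {
 # If you have a Cisco SIP server authenticating against
 # FreeRADIUS, uncomment the following line, and the 'digest'
 # line in the 'authorize' section.
- digest
+# digest
 
 #
 # Pluggable Authentication Modules.
@@ -276,7 +276,7 @@ authenticate {
 # be used for authentication ONLY for compatibility with legacy
 # FreeRADIUS configurations.
 #
- unix
+# unix
 
 # Uncomment it if you want to use ldap for authentication
 #
@@ -312,8 +312,8 @@ authenticate {
 #
 # Pre-accounting. Decide which accounting type to use.
 #
-preacct {
- preprocess
+#preacct {
+# preprocess
 
 #
 # Session start times are *implied* in RADIUS.
@@ -336,7 +336,7 @@ preacct {
 #
 # Ensure that we have a semi-unique identifier for every
 # request, and many NAS boxes are broken.
- acct_unique
+# acct_unique
 
 #
 # Look for IPASS-style 'realm/', and if not found, look for
@@ -346,13 +346,13 @@ preacct {
 # Accounting requests are generally proxied to the same
 # home server as authentication requests.
 # IPASS
- suffix
+# suffix
 # ntdomain
 
 #
 # Read the 'acct_users' file
- files
-}
+# files
+#}
 
 #
 # Accounting. Log the accounting data.
@@ -362,7 +362,7 @@ accounting {
 # Create a 'detail'ed log of the packets.
 # Note that accounting requests which are proxied
 # are also logged in the detail file.
- detail
+# detail
 # daily
 
 # Update the wtmp file
@@ -414,7 +414,7 @@ accounting {
 exec
 
 # Filter attributes from the accounting response.
- attr_filter.accounting_response
+ #attr_filter.accounting_response
 
 #
 # See "Autz-Type Status-Server" for how this works.
@@ -440,7 +440,7 @@ session {
 # Post-Authentication
 # Once we KNOW that the user has been authenticated, there are
 # additional steps we can take.
-post-auth {
+#post-auth {
 # Get an address from the IP Pool.
 # main_pool
 
@@ -470,7 +470,7 @@ post-auth {
 # ldap
 
 # For Exec-Program and Exec-Program-Wait
- exec
+# exec
 
 #
 # Calculate the various WiMAX keys. In order for this to work,
@@ -540,12 +540,12 @@ post-auth {
 # Add the ldap module name (or instance) if you have set
 # 'edir_account_policy_check = yes' in the ldap module configuration
 #
- Post-Auth-Type REJECT {
- # log failed authentications in SQL, too.
+# Post-Auth-Type REJECT {
+# # log failed authentications in SQL, too.
 # sql
- attr_filter.access_reject
- }
-}
+# attr_filter.access_reject
+# }
+#}
 
 #
 # When the server decides to proxy a request to a home server,
@@ -555,7 +555,7 @@ post-auth {
 #
 # Only a few modules currently have this method.
 #
-pre-proxy {
+#pre-proxy {
 # attr_rewrite
 
 # Uncomment the following line if you want to change attributes
@@ -571,14 +571,14 @@ pre-proxy {
 # server, un-comment the following line, and the
 # 'detail pre_proxy_log' section, above.
 # pre_proxy_log
-}
+#}
 
 #
 # When the server receives a reply to a request it proxied
 # to a home server, the request may be massaged here, in the
 # post-proxy stage.
 #
-post-proxy {
+#post-proxy {
 
 # If you want to have a log of replies from a home server,
 # un-comment the following line, and the 'detail post_proxy_log'
@@ -602,7 +602,7 @@ post-proxy {
 # hidden inside of the EAP packet, and the end server will
 # reject the EAP request.
 #
- eap
+# eap
 
 #
 # If the server tries to proxy a request and fails, then the
@@ -624,5 +624,5 @@ post-proxy {
 # Post-Proxy-Type Fail {
 # detail
 # }
-}
+#}
 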
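Review bot: Commenting out the whole `post-auth { }` section in the `@@ -540,12 +540,12 @@` hunk also disables `Post-Auth-Type REJECT { attr_filter.access_reject }`, and the `@@ -414,7 +414,7 @@` hunk disables `attr_filter.accounting_response`; those two filters are what strips reply attributes that do not belong in an Access-Reject or an Accounting-Response, so after this change whatever the authorize stage placed in the reply is returned to the NAS unfiltered on a reject. Unless that is the intended trade-off, keep a minimal post-auth section with only the reject filter active, and restore `attr_filter.accounting_response` in the accounting section, even while the rest of post-auth stays disabled. The `#preacct {` / `#}` pair in the `@@ -312,8 +312,8 @@` and `@@ -346,13 +346,13 @@` hunks also drops `acct_unique`, so the `radutmp` entry that remains per the `# Update the wtmp file` context will presumably see no Acct-Unique-Session-Id; a comment explaining why preaccounting is not needed on this platform would help.
```conf
post-auth {
	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}
}
```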
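--- a/raddb/users
+++ b/raddb/users
@@ -169,22 +169,22 @@
 # by the terminal server in which case there may not be a "P" suffix.
 # The terminal server sends "Framed-Protocol = PPP" for auto PPP.
 #
-DEFAULT Framed-Protocol == PPP
- Framed-Protocol = PPP,
- Framed-Compression = Van-Jacobson-TCP-IP
+#DEFAULT Framed-Protocol == PPP
+# Framed-Protocol = PPP,
+# Framed-Compression = Van-Jacobson-TCP-IP
 
 #
 # Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
 #
-DEFAULT Hint == "CSLIP"
- Framed-Protocol = SLIP,
- Framed-Compression = Van-Jacobson-TCP-IP
+#DEFAULT Hint == "CSLIP"
+# Framed-Protocol = SLIP,
+# Framed-Compression = Van-Jacobson-TCP-IP
 
 #
 # Default for SLIP: dynamic IP address, SLIP mode.
 #
-DEFAULT Hint == "SLIP"
- Framed-Protocol = SLIP
+#DEFAULT Hint == "SLIP"
+# Framed-Protocol = SLIP
 
 #
 # Last default: rlogin to our main server.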