[packages] freeradius2: update to v2.1.7, rename patches to match those in freeradius...
1 --- a/raddb/attrs
2 +++ b/raddb/attrs
3 @@ -1,7 +1,4 @@
4 #
5 -# Configuration file for the rlm_attr_filter module.
6 -# Please see rlm_attr_filter(5) manpage for more information.
7 -#
8 # $Id$
9 #
10 # This file contains security and configuration information
11 --- a/raddb/attrs.access_reject
12 +++ b/raddb/attrs.access_reject
13 @@ -1,7 +1,4 @@
14 #
15 -# Configuration file for the rlm_attr_filter module.
16 -# Please see rlm_attr_filter(5) manpage for more information.
17 -#
18 # $Id$
19 #
20 # This configuration file is used to remove almost all of the attributes
21 --- a/raddb/attrs.accounting_response
22 +++ b/raddb/attrs.accounting_response
23 @@ -1,7 +1,4 @@
24 #
25 -# Configuration file for the rlm_attr_filter module.
26 -# Please see rlm_attr_filter(5) manpage for more information.
27 -#
28 # $Id$
29 #
30 # This configuration file is used to remove almost all of the attributes
31 --- a/raddb/attrs.pre-proxy
32 +++ b/raddb/attrs.pre-proxy
33 @@ -1,7 +1,4 @@
34 #
35 -# Configuration file for the rlm_attr_filter module.
36 -# Please see rlm_attr_filter(5) manpage for more information.
37 -#
38 # $Id$
39 #
40 # This file contains security and configuration information
41 --- a/raddb/dictionary.in
42 +++ b/raddb/dictionary.in
43 @@ -11,14 +11,12 @@
44 #
45 # The filename given here should be an absolute path.
46 #
47 -$INCLUDE @prefix@/share/freeradius/dictionary
48 +$INCLUDE @prefix@/share/freeradius2/dictionary
49
50 #
51 # Place additional attributes or $INCLUDEs here. They will
52 # over-ride the definitions in the pre-defined dictionaries.
53 #
54 -# See the 'man' page for 'dictionary' for information on
55 -# the format of the dictionary files.
56
57 #
58 # If you want to add entries to the dictionary file,
59 --- a/raddb/eap.conf
60 +++ b/raddb/eap.conf
61 @@ -27,7 +27,7 @@
62 # then that EAP type takes precedence over the
63 # default type configured here.
64 #
65 - default_eap_type = md5
66 + default_eap_type = peap
67
68 # A list is maintained to correlate EAP-Response
69 # packets with EAP-Request packets. After a
70 @@ -72,23 +72,8 @@
71 # for wireless connections. It is insecure, and does
72 # not provide for dynamic WEP keys.
73 #
74 - md5 {
75 - }
76 -
77 - # Cisco LEAP
78 - #
79 - # We do not recommend using LEAP in new deployments. See:
80 - # http://www.securiteam.com/tools/5TP012ACKE.html
81 - #
82 - # Cisco LEAP uses the MS-CHAP algorithm (but not
83 - # the MS-CHAP attributes) to perform it's authentication.
84 - #
85 - # As a result, LEAP *requires* access to the plain-text
86 - # User-Password, or the NT-Password attributes.
87 - # 'System' authentication is impossible with LEAP.
88 - #
89 - leap {
90 - }
91 +# md5 {
92 +# }
93
94 # Generic Token Card.
95 #
96 @@ -101,10 +86,10 @@
97 # the users password will go over the wire in plain-text,
98 # for anyone to see.
99 #
100 - gtc {
101 +# gtc {
102 # The default challenge, which many clients
103 # ignore..
104 - #challenge = "Password: "
105 +# challenge = "Password: "
106
107 # The plain-text response which comes back
108 # is put into a User-Password attribute,
109 @@ -118,8 +103,8 @@
110 # configured for the request, and do the
111 # authentication itself.
112 #
113 - auth_type = PAP
114 - }
115 +# auth_type = PAP
116 +# }
117
118 ## EAP-TLS
119 #
120 @@ -130,11 +115,6 @@
121 # built, the "tls", "ttls", and "peap" sections will
122 # be ignored.
123 #
124 - # Otherwise, when the server first starts in debugging
125 - # mode, test certificates will be created. See the
126 - # "make_cert_command" below for details, and the README
127 - # file in raddb/certs
128 - #
129 # These test certificates SHOULD NOT be used in a normal
130 # deployment. They are created only to make it easier
131 # to install the server, and to perform some simple
132 @@ -201,7 +181,7 @@
133 # In these cases, fragment size should be
134 # 1024 or less.
135 #
136 - # fragment_size = 1024
137 + fragment_size = 1024
138
139 # include_length is a flag which is
140 # by default set to yes If set to
141 @@ -211,7 +191,7 @@
142 # message is included ONLY in the
143 # First packet of a fragment series.
144 #
145 - # include_length = yes
146 + include_length = yes
147
148 # Check the Certificate Revocation List
149 #
150 @@ -220,83 +200,74 @@
151 # 'c_rehash' is OpenSSL's command.
152 # 3) uncomment the line below.
153 # 5) Restart radiusd
154 - # check_crl = yes
155 - # CA_path = /path/to/directory/with/ca_certs/and/crls/
156 +# check_crl = yes
157 +# CA_path = /path/to/directory/with/ca_certs/and/crls/
158 +
159 + #
160 + # If check_cert_issuer is set, the value will
161 + # be checked against the DN of the issuer in
162 + # the client certificate. If the values do not
163 + # match, the cerficate verification will fail,
164 + # rejecting the user.
165 + #
166 +# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
167 +
168 + #
169 + # If check_cert_cn is set, the value will
170 + # be xlat'ed and checked against the CN
171 + # in the client certificate. If the values
172 + # do not match, the certificate verification
173 + # will fail rejecting the user.
174 + #
175 + # This check is done only if the previous
176 + # "check_cert_issuer" is not set, or if
177 + # the check succeeds.
178 + #
179 +# check_cert_cn = %{User-Name}
180
181 - #
182 - # If check_cert_issuer is set, the value will
183 - # be checked against the DN of the issuer in
184 - # the client certificate. If the values do not
185 - # match, the cerficate verification will fail,
186 - # rejecting the user.
187 - #
188 - # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
189 -
190 - #
191 - # If check_cert_cn is set, the value will
192 - # be xlat'ed and checked against the CN
193 - # in the client certificate. If the values
194 - # do not match, the certificate verification
195 - # will fail rejecting the user.
196 - #
197 - # This check is done only if the previous
198 - # "check_cert_issuer" is not set, or if
199 - # the check succeeds.
200 - #
201 - # check_cert_cn = %{User-Name}
202 - #
203 # Set this option to specify the allowed
204 # TLS cipher suites. The format is listed
205 # in "man 1 ciphers".
206 cipher_list = "DEFAULT"
207
208 #
209 -
210 - # This configuration entry should be deleted
211 - # once the server is running in a normal
212 - # configuration. It is here ONLY to make
213 - # initial deployments easier.
214 - #
215 - make_cert_command = "${certdir}/bootstrap"
216 -
217 - #
218 # Session resumption / fast reauthentication
219 # cache.
220 #
221 - cache {
222 - #
223 - # Enable it. The default is "no".
224 - # Deleting the entire "cache" subsection
225 - # Also disables caching.
226 - #
227 - # You can disallow resumption for a
228 - # particular user by adding the following
229 - # attribute to the control item list:
230 - #
231 - # Allow-Session-Resumption = No
232 - #
233 - # If "enable = no" below, you CANNOT
234 - # enable resumption for just one user
235 - # by setting the above attribute to "yes".
236 - #
237 - enable = no
238 -
239 - #
240 - # Lifetime of the cached entries, in hours.
241 - # The sessions will be deleted after this
242 - # time.
243 - #
244 - lifetime = 24 # hours
245 -
246 - #
247 - # The maximum number of entries in the
248 - # cache. Set to "0" for "infinite".
249 - #
250 - # This could be set to the number of users
251 - # who are logged in... which can be a LOT.
252 - #
253 - max_entries = 255
254 - }
255 +# cache {
256 + #
257 + # Enable it. The default is "no".
258 + # Deleting the entire "cache" subsection
259 + # Also disables caching.
260 + #
261 + # You can disallow resumption for a
262 + # particular user by adding the following
263 + # attribute to the control item list:
264 + #
265 + # Allow-Session-Resumption = No
266 + #
267 + # If "enable = no" below, you CANNOT
268 + # enable resumption for just one user
269 + # by setting the above attribute to "yes".
270 + #
271 +# enable = no
272 +
273 + #
274 + # Lifetime of the cached entries, in hours.
275 + # The sessions will be deleted after this
276 + # time.
277 + #
278 +# lifetime = 24 # hours
279 +
280 + #
281 + # The maximum number of entries in the
282 + # cache. Set to "0" for "infinite".
283 + #
284 + # This could be set to the number of users
285 + # who are logged in... which can be a LOT.
286 + #
287 +# max_entries = 255
288 +# }
289 }
290
291 # The TTLS module implements the EAP-TTLS protocol,
292 @@ -320,7 +291,7 @@
293 #
294 # in the control items for a request.
295 #
296 - ttls {
297 +# ttls {
298 # The tunneled EAP session needs a default
299 # EAP type which is separate from the one for
300 # the non-tunneled EAP module. Inside of the
301 @@ -328,7 +299,7 @@
302 # If the request does not contain an EAP
303 # conversation, then this configuration entry
304 # is ignored.
305 - default_eap_type = md5
306 +# default_eap_type = mschapv2
307
308 # The tunneled authentication request does
309 # not usually contain useful attributes
310 @@ -344,7 +315,7 @@
311 # is copied to the tunneled request.
312 #
313 # allowed values: {no, yes}
314 - copy_request_to_tunnel = no
315 +# copy_request_to_tunnel = yes
316
317 # The reply attributes sent to the NAS are
318 # usually based on the name of the user
319 @@ -357,7 +328,7 @@
320 # the tunneled request.
321 #
322 # allowed values: {no, yes}
323 - use_tunneled_reply = no
324 +# use_tunneled_reply = no
325
326 #
327 # The inner tunneled request can be sent
328 @@ -369,13 +340,13 @@
329 # the virtual server that processed the
330 # outer requests.
331 #
332 - virtual_server = "inner-tunnel"
333 +# virtual_server = "inner-tunnel"
334
335 # This has the same meaning as the
336 # same field in the "tls" module, above.
337 # The default value here is "yes".
338 # include_length = yes
339 - }
340 +# }
341
342 ##################################################
343 #
344 @@ -438,26 +409,16 @@
345
346 # the PEAP module also has these configuration
347 # items, which are the same as for TTLS.
348 - copy_request_to_tunnel = no
349 - use_tunneled_reply = no
350 + copy_request_to_tunnel = yes
351 + use_tunneled_reply = yes
352
353 # When the tunneled session is proxied, the
354 # home server may not understand EAP-MSCHAP-V2.
355 # Set this entry to "no" to proxy the tunneled
356 # EAP-MSCHAP-V2 as normal MSCHAPv2.
357 - # proxy_tunneled_request_as_eap = yes
358 + proxy_tunneled_request_as_eap = no
359
360 - #
361 - # The inner tunneled request can be sent
362 - # through a virtual server constructed
363 - # specifically for this purpose.
364 - #
365 - # If this entry is commented out, the inner
366 - # tunneled request will be sent through
367 - # the virtual server that processed the
368 - # outer requests.
369 - #
370 - virtual_server = "inner-tunnel"
371 + EAP-TLS-Require-Client-Cert = no
372 }
373
374 #
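Review bot: The sentence kept in the EAP-TLS hunk, "These test certificates SHOULD NOT be used in a normal deployment", now describes certificates that this patched file never creates: the same hunk removes the paragraph saying they are generated on first start, and the later hunk drops `make_cert_command = "${certdir}/bootstrap"` entirely. Suggest replacing the stale paragraph with the new contract, e.g. `# No certificates are generated automatically; the certificate and key files referenced in this section must be installed by the administrator.` (the certificate_file/private_key_file lines are outside these hunks, so confirm they are still present and point at real files). The `EAP-TLS-Require-Client-Cert = no` line added at the end of peap {} is styled like a RADIUS attribute rather than the snake_case keys around it; worth confirming that 2.1.7 reads it as a peap configuration item rather than an unknown key, and giving it a one-line comment on what it controls. The `check_crl` / `CA_path` pair stays commented out, so revocation is still not checked; that is unchanged behaviour, but now that the package expects operator-supplied certificates a reminder above those lines that CRL checking is off would help whoever installs them.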
375 --- a/raddb/ldap.attrmap
376 +++ b/raddb/ldap.attrmap
377 @@ -13,8 +13,7 @@
378 # If not present, defaults to "==" for checkItems,
379 # and "=" for replyItems.
380 # If present, the operator here should be one
381 -# of the same operators as defined in the "users"3
382 -# file ("man users", or "man 5 users").
383 +# of the same operators as defined in the "users" file.
384 # If an operator is present in the value of the
385 # LDAP entry (i.e. ":=foo"), then it over-rides
386 # both the default, and any operator given here.
387 --- a/raddb/modules/counter
388 +++ b/raddb/modules/counter
389 @@ -69,7 +69,7 @@
390 # 'check-name' attribute.
391 #
392 counter daily {
393 - filename = ${db_dir}/db.daily
394 + filename = ${radacctdir}/db.daily
395 key = User-Name
396 count-attribute = Acct-Session-Time
397 reset = daily
398 --- a/raddb/modules/detail
399 +++ b/raddb/modules/detail
400 @@ -46,8 +46,7 @@ detail {
401
402 #
403 # Every entry in the detail file has a header which
404 - # is a timestamp. By default, we use the ctime
405 - # format (see "man ctime" for details).
406 + # is a timestamp. By default, we use the ctime format.
407 #
408 # The header can be customized by editing this
409 # string. See "doc/variables.txt" for a description
410 --- a/raddb/modules/exec
411 +++ b/raddb/modules/exec
412 @@ -15,9 +15,8 @@
413 # of the program which is executed. Due to RADIUS protocol
414 # limitations, any output over 253 bytes will be ignored.
415 #
416 -# The RADIUS attributes from the user request will be placed
417 -# into environment variables of the executed program, as
418 -# described in "man unlang" and in doc/variables.txt
419 +# The RADIUS attributes from the user request will be placed into environment
420 +# variables of the executed program, as described in doc/variables.txt
421 #
422 # See also "echo" for more sample configuration.
423 #
424 --- a/raddb/modules/pap
425 +++ b/raddb/modules/pap
426 @@ -4,8 +4,7 @@
427
428 # PAP module to authenticate users based on their stored password
429 #
430 -# Supports multiple encryption/hash schemes. See "man rlm_pap"
431 -# for details.
432 +# Supports multiple encryption/hash schemes.
433 #
434 # The "auto_header" configuration item can be set to "yes".
435 # In this case, the module will look inside of the User-Password
436 @@ -14,5 +13,5 @@
437 # with the correct value. It will also automatically handle
438 # Base-64 encoded data, hex strings, and binary data.
439 pap {
440 - auto_header = no
441 + auto_header = yes
442 }
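Review bot: `auto_header = yes` changes how rlm_pap interprets the stored password, but the comment kept above it still presents the option as something the operator "can" set and nothing records why the package turns it on. Per that comment the module now looks inside the stored password for a scheme header and rewrites the attribute, so a plaintext password that itself begins with a recognised `{scheme}` prefix would presumably be treated as a hash (inferred from the comment; confirm against rlm_pap before relying on it). Suggest a line directly above the key, e.g. `# Enabled for this package so hashed passwords carrying a {scheme} header are recognised automatically; see the description above.`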
443 --- a/raddb/modules/radutmp
444 +++ b/raddb/modules/radutmp
445 @@ -12,7 +12,7 @@ radutmp {
446 # Where the file is stored. It's not a log file,
447 # so it doesn't need rotating.
448 #
449 - filename = ${logdir}/radutmp
450 + filename = ${radacctdir}/radutmp
451
452 # The field in the packet to key on for the
453 # 'user' name, If you have other fields which you want
454 --- a/raddb/modules/sradutmp
455 +++ b/raddb/modules/sradutmp
456 @@ -10,7 +10,7 @@
457 # then name "sradutmp" to identify it later in the "accounting"
458 # section.
459 radutmp sradutmp {
460 - filename = ${logdir}/sradutmp
461 + filename = ${radacctdir}/sradutmp
462 perm = 0644
463 callerid = "no"
464 }
465 --- a/raddb/preproxy_users
466 +++ b/raddb/preproxy_users
467 @@ -1,6 +1,5 @@
468 #
469 # Configuration file for the rlm_files module.
470 -# Please see rlm_files(5) manpage for more information.
471 #
472 # $Id$
473 #
474 --- a/raddb/proxy.conf
475 +++ b/raddb/proxy.conf
476 @@ -559,9 +559,8 @@ home_server_pool my_auth_failover {
477 # This section defines a new-style "realm". Note the in version 2.0,
478 # there are many fewer configuration items than in 1.x for a realm.
479 #
480 -# Automatic proxying is done via the "realms" module (see "man
481 -# rlm_realm"). To manually proxy the request put this entry in the
482 -# "users" file:
483 +# Automatic proxying is done via the "realms" module.
484 +# To manually proxy the request put this entry in the "users" file:
485
486 #
487 #
488 --- a/raddb/radiusd.conf.in
489 +++ b/raddb/radiusd.conf.in
490 @@ -8,11 +8,6 @@
491
492 ######################################################################
493 #
494 -# Read "man radiusd" before editing this file. See the section
495 -# titled DEBUGGING. It outlines a method where you can quickly
496 -# obtain the configuration you want, without running into
497 -# trouble.
498 -#
499 # Run the server in debugging mode, and READ the output.
500 #
501 # $ radiusd -X
502 @@ -41,14 +36,8 @@
503 # file, it is exported through the API to modules that ask for
504 # it.
505 #
506 -# See "man radiusd.conf" for documentation on the format of this
507 -# file. Note that the individual configuration items are NOT
508 -# documented in that "man" page. They are only documented here,
509 -# in the comments.
510 -#
511 # As of 2.0.0, FreeRADIUS supports a simple processing language
512 # in the "authorize", "authenticate", "accounting", etc. sections.
513 -# See "man unlang" for details.
514 #
515
516 prefix = @prefix@
517 @@ -66,7 +55,7 @@ name = radiusd
518
519 # Location of config and logfiles.
520 confdir = ${raddbdir}
521 -run_dir = ${localstatedir}/run/${name}
522 +run_dir = ${localstatedir}/run
523
524 # Should likely be ${localstatedir}/lib/radiusd
525 db_dir = ${raddbdir}
526 @@ -112,7 +101,7 @@ libdir = @libdir@
527 #
528 # This file is written when ONLY running in daemon mode.
529 #
530 -# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
531 +# e.g.: kill -HUP `cat /var/run/radiusd.pid`
532 #
533 pidfile = ${run_dir}/${name}.pid
534
535 @@ -290,7 +279,7 @@ listen {
536 # If your system does not support this feature, you will
537 # get an error if you try to use it.
538 #
539 -# interface = eth0
540 + interface = br-lan
541
542 # Per-socket lists of clients. This is a very useful feature.
543 #
544 @@ -317,7 +306,7 @@ listen {
545 # ipv6addr = ::
546 port = 0
547 type = acct
548 -# interface = eth0
549 + interface = br-lan
550 # clients = per_socket_clients
551 }
552
553 @@ -464,9 +453,6 @@ log {
554 # msg_badpass = ""
555 }
556
557 -# The program to execute to do concurrency checks.
558 -checkrad = ${sbindir}/checkrad
559 -
560 # SECURITY CONFIGURATION
561 #
562 # There may be multiple methods of attacking on the server. This
563 @@ -541,8 +527,8 @@ security {
564 #
565 # allowed values: {no, yes}
566 #
567 -proxy_requests = yes
568 -$INCLUDE proxy.conf
569 +proxy_requests = no
570 +#$INCLUDE proxy.conf
571
572
573 # CLIENTS CONFIGURATION
574 @@ -694,10 +680,6 @@ modules {
575 #
576 # $INCLUDE sql/mysql/counter.conf
577
578 - #
579 - # IP addresses managed in an SQL table.
580 - #
581 -# $INCLUDE sqlippool.conf
582 }
583
584 # Instantiation
585 @@ -722,7 +704,7 @@ instantiate {
586 # The entire command line (and output) must fit into 253 bytes.
587 #
588 # e.g. Framed-Pool = `%{exec:/bin/echo foo}`
589 - exec
590 +# exec
591
592 #
593 # The expression module doesn't do authorization,
594 @@ -735,15 +717,15 @@ instantiate {
595 # listed in any other section. See 'doc/rlm_expr' for
596 # more information.
597 #
598 - expr
599 +# expr
600
601 #
602 # We add the counter module here so that it registers
603 # the check-name attribute before any module which sets
604 # it
605 # daily
606 - expiration
607 - logintime
608 +# expiration
609 +# logintime
610
611 # subsections here can be thought of as "virtual" modules.
612 #
613 @@ -767,7 +749,7 @@ instantiate {
614 # to multiple times.
615 #
616 ######################################################################
617 -$INCLUDE policy.conf
618 +#$INCLUDE policy.conf
619
620 ######################################################################
621 #
622 @@ -777,9 +759,9 @@ $INCLUDE policy.conf
623 # match the regular expression: /[a-zA-Z0-9_.]+/
624 #
625 # It allows you to define new virtual servers simply by placing
626 -# a file into the raddb/sites-enabled/ directory.
627 +# a file into the /etc/freeradius2/sites/ directory.
628 #
629 -$INCLUDE sites-enabled/
630 +$INCLUDE sites/
631
632 ######################################################################
633 #
634 @@ -787,15 +769,11 @@ $INCLUDE sites-enabled/
635 # "authenticate {}", "accounting {}", have been moved to the
636 # the file:
637 #
638 -# raddb/sites-available/default
639 +# /etc/freeradius2/sites/default
640 #
641 # This is the "default" virtual server that has the same
642 # configuration as in version 1.0.x and 1.1.x. The default
643 # installation enables this virtual server. You should
644 # edit it to create policies for your local site.
645 #
646 -# For more documentation on virtual servers, see:
647 -#
648 -# raddb/sites-available/README
649 -#
650 ######################################################################
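Review bot: `interface = br-lan` is hard-coded into both listen {} blocks (the auth socket and the acct socket hunks) of a templated `.in` file, and the comment above it only warns about systems without interface-binding support, not about the interface name. Binding the RADIUS sockets to the LAN bridge is the right default for a router, since it keeps the service off the WAN side, but a device whose LAN is not bridged has no `br-lan` and the socket open will likely fail; a comment should say so and name what to change, e.g. `# OpenWrt: bind to the LAN bridge so RADIUS is not reachable from WAN; set to your LAN interface if this device has no br-lan.` The removed `checkrad = ${sbindir}/checkrad` also deserves a word, because the accounting section of sites-available/default in this same patch still lists radutmp for Simultaneous-Use tracking; whether a missing checkrad program merely disables NAS queries or makes that check fail is not visible here and should be confirmed. `$INCLUDE policy.conf` is commented out as well; if any policy names from that file are referenced in the enabled virtual servers they will now be unknown, which is worth a quick check.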
651 --- a/raddb/sites-available/default
652 +++ b/raddb/sites-available/default
653 @@ -11,12 +11,6 @@
654 #
655 ######################################################################
656 #
657 -# Read "man radiusd" before editing this file. See the section
658 -# titled DEBUGGING. It outlines a method where you can quickly
659 -# obtain the configuration you want, without running into
660 -# trouble. See also "man unlang", which documents the format
661 -# of this file.
662 -#
663 # This configuration is designed to work in the widest possible
664 # set of circumstances, with the widest possible number of
665 # authentication methods. This means that in general, you should
666 @@ -67,7 +61,7 @@ authorize {
667 #
668 # It takes care of processing the 'raddb/hints' and the
669 # 'raddb/huntgroups' files.
670 - preprocess
671 +# preprocess
672
673 #
674 # If you want to have a log of authentication requests,
675 @@ -78,7 +72,7 @@ authorize {
676 #
677 # The chap module will set 'Auth-Type := CHAP' if we are
678 # handling a CHAP request and Auth-Type has not already been set
679 - chap
680 +# chap
681
682 #
683 # If the users are logging in with an MS-CHAP-Challenge
684 @@ -86,13 +80,7 @@ authorize {
685 # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
686 # to the request, which will cause the server to then use
687 # the mschap module for authentication.
688 - mschap
689 -
690 - #
691 - # If you have a Cisco SIP server authenticating against
692 - # FreeRADIUS, uncomment the following line, and the 'digest'
693 - # line in the 'authenticate' section.
694 -# digest
695 +# mschap
696
697 #
698 # The WiMAX specification says that the Calling-Station-Id
699 @@ -115,7 +103,7 @@ authorize {
700 # Otherwise, when the first style of realm doesn't match,
701 # the other styles won't be checked.
702 #
703 - suffix
704 +# suffix
705 # ntdomain
706
707 #
708 @@ -140,14 +128,6 @@ authorize {
709 }
710
711 #
712 - # Pull crypt'd passwords from /etc/passwd or /etc/shadow,
713 - # using the system API's to get the password. If you want
714 - # to read /etc/passwd or /etc/shadow directly, see the
715 - # passwd module in radiusd.conf.
716 - #
717 - unix
718 -
719 - #
720 # Read the 'users' file
721 files
722
723 @@ -159,28 +139,11 @@ authorize {
724 # sql
725
726 #
727 - # If you are using /etc/smbpasswd, and are also doing
728 - # mschap authentication, the un-comment this line, and
729 - # configure the 'etc_smbpasswd' module, above.
730 -# etc_smbpasswd
731 -
732 - #
733 # The ldap module will set Auth-Type to LDAP if it has not
734 # already been set
735 # ldap
736
737 #
738 - # Enforce daily limits on time spent logged in.
739 -# daily
740 -
741 - #
742 - # Use the checkval module
743 -# checkval
744 -
745 - expiration
746 - logintime
747 -
748 - #
749 # If no other module has claimed responsibility for
750 # authentication, then try to use PAP. This allows the
751 # other modules listed above to add a "known good" password
752 @@ -255,24 +218,6 @@ authenticate {
753 mschap
754 }
755
756 - #
757 - # If you have a Cisco SIP server authenticating against
758 - # FreeRADIUS, uncomment the following line, and the 'digest'
759 - # line in the 'authorize' section.
760 -# digest
761 -
762 - #
763 - # Pluggable Authentication Modules.
764 -# pam
765 -
766 - #
767 - # See 'man getpwent' for information on how the 'unix'
768 - # module checks the users password. Note that packets
769 - # containing CHAP-Password attributes CANNOT be authenticated
770 - # against /etc/passwd! See the FAQ for details.
771 - #
772 - unix
773 -
774 # Uncomment it if you want to use ldap for authentication
775 #
776 # Note that this means "check plain-text password against
777 @@ -307,13 +252,13 @@ authenticate {
778 #
779 # Pre-accounting. Decide which accounting type to use.
780 #
781 -preacct {
782 - preprocess
783 +#preacct {
784 +# preprocess
785
786 #
787 # Ensure that we have a semi-unique identifier for every
788 # request, and many NAS boxes are broken.
789 - acct_unique
790 +# acct_unique
791
792 #
793 # Look for IPASS-style 'realm/', and if not found, look for
794 @@ -323,13 +268,13 @@ preacct {
795 # Accounting requests are generally proxied to the same
796 # home server as authentication requests.
797 # IPASS
798 - suffix
799 +# suffix
800 # ntdomain
801
802 #
803 # Read the 'acct_users' file
804 - files
805 -}
806 +# files
807 +#}
808
809 #
810 # Accounting. Log the accounting data.
811 @@ -339,14 +284,9 @@ accounting {
812 # Create a 'detail'ed log of the packets.
813 # Note that accounting requests which are proxied
814 # are also logged in the detail file.
815 - detail
816 +# detail
817 # daily
818
819 - # Update the wtmp file
820 - #
821 - # If you don't use "radlast", you can delete this line.
822 - unix
823 -
824 #
825 # For Simultaneous-Use tracking.
826 #
827 @@ -355,9 +295,6 @@ accounting {
828 radutmp
829 # sradutmp
830
831 - # Return an address to the IP Pool when we see a stop record.
832 -# main_pool
833 -
834 #
835 # Log traffic to an SQL database.
836 #
837 @@ -374,7 +311,7 @@ accounting {
838 # pgsql-voip
839
840 # Filter attributes from the accounting response.
841 - attr_filter.accounting_response
842 + #attr_filter.accounting_response
843
844 #
845 # See "Autz-Type Status-Server" for how this works.
846 @@ -400,10 +337,7 @@ session {
847 # Post-Authentication
848 # Once we KNOW that the user has been authenticated, there are
849 # additional steps we can take.
850 -post-auth {
851 - # Get an address from the IP Pool.
852 -# main_pool
853 -
854 +#post-auth {
855 #
856 # If you want to have a log of authentication replies,
857 # un-comment the following line, and the 'detail reply_log'
858 @@ -429,7 +363,7 @@ post-auth {
859 #
860 # ldap
861
862 - exec
863 +# exec
864
865 #
866 # Calculate the various WiMAX keys. In order for this to work,
867 @@ -473,10 +407,10 @@ post-auth {
868 # Add the ldap module name (or instance) if you have set
869 # 'edir_account_policy_check = yes' in the ldap module configuration
870 #
871 - Post-Auth-Type REJECT {
872 - attr_filter.access_reject
873 - }
874 -}
875 +# Post-Auth-Type REJECT {
876 +# attr_filter.access_reject
877 +# }
878 +#}
879
880 #
881 # When the server decides to proxy a request to a home server,
882 @@ -486,7 +420,7 @@ post-auth {
883 #
884 # Only a few modules currently have this method.
885 #
886 -pre-proxy {
887 +#pre-proxy {
888 # attr_rewrite
889
890 # Uncomment the following line if you want to change attributes
891 @@ -502,14 +436,14 @@ pre-proxy {
892 # server, un-comment the following line, and the
893 # 'detail pre_proxy_log' section, above.
894 # pre_proxy_log
895 -}
896 +#}
897
898 #
899 # When the server receives a reply to a request it proxied
900 # to a home server, the request may be massaged here, in the
901 # post-proxy stage.
902 #
903 -post-proxy {
904 +#post-proxy {
905
906 # If you want to have a log of replies from a home server,
907 # un-comment the following line, and the 'detail post_proxy_log'
908 @@ -533,7 +467,7 @@ post-proxy {
909 # hidden inside of the EAP packet, and the end server will
910 # reject the EAP request.
911 #
912 - eap
913 +# eap
914
915 #
916 # If the server tries to proxy a request and fails, then the
917 @@ -555,6 +489,5 @@ post-proxy {
918 # Post-Proxy-Type Fail {
919 # detail
920 # }
921 -
922 -}
923 +#}
924
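Review bot: Commenting out `Post-Auth-Type REJECT { attr_filter.access_reject }` in the post-auth hunk (and `attr_filter.accounting_response` in the accounting hunk) disables the reply filters whose purpose, per the attrs.access_reject and attrs.accounting_response headers earlier in this patch, is to remove almost all attributes from Access-Reject and Accounting-Response packets. Once they are gone, any reply attributes a module added before the rejection go out in the Access-Reject, which is precisely what those filters exist to strip. If the rest of post-auth {} is not wanted, the filter is still worth keeping as a minimal section: keep `post-auth {` and its closing `}` and leave only the `Post-Auth-Type REJECT` sub-block with `attr_filter.access_reject` inside it. Disabling `chap`, `mschap` and `preprocess` in authorize also means non-EAP CHAP/MS-CHAP requests no longer get an Auth-Type assigned (the kept comments say that is what those modules do), so they will presumably be rejected rather than authenticated; a header comment such as `# This site is trimmed for EAP (PEAP/MSCHAPv2) only; plain CHAP/MS-CHAP are not handled.` would make that deliberate.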
925 --- a/raddb/users
926 +++ b/raddb/users
927 @@ -1,6 +1,5 @@
928 #
929 -# Please read the documentation file ../doc/processing_users_file,
930 -# or 'man 5 users' (after installing the server) for more information.
931 +# Please read the documentation file ../doc/processing_users_file.
932 #
933 # This file contains authentication security and configuration
934 # information for each user. Accounting requests are NOT processed
935 @@ -169,22 +168,22 @@
936 # by the terminal server in which case there may not be a "P" suffix.
937 # The terminal server sends "Framed-Protocol = PPP" for auto PPP.
938 #
939 -DEFAULT Framed-Protocol == PPP
940 - Framed-Protocol = PPP,
941 - Framed-Compression = Van-Jacobson-TCP-IP
942 +#DEFAULT Framed-Protocol == PPP
943 +# Framed-Protocol = PPP,
944 +# Framed-Compression = Van-Jacobson-TCP-IP
945
946 #
947 # Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
948 #
949 -DEFAULT Hint == "CSLIP"
950 - Framed-Protocol = SLIP,
951 - Framed-Compression = Van-Jacobson-TCP-IP
952 +#DEFAULT Hint == "CSLIP"
953 +# Framed-Protocol = SLIP,
954 +# Framed-Compression = Van-Jacobson-TCP-IP
955
956 #
957 # Default for SLIP: dynamic IP address, SLIP mode.
958 #
959 -DEFAULT Hint == "SLIP"
960 - Framed-Protocol = SLIP
961 +#DEFAULT Hint == "SLIP"
962 +# Framed-Protocol = SLIP
963
964 #
965 # Last default: rlogin to our main server.