[package] update freeradius2 to 2.1.4, add more modules (#4930)
[openwrt/svn-archive/archive.git] / net / freeradius2 / patches / 002-openwrt-paths.patch
1 diff -Naur freeradius-server-2.1.4/raddb/attrs freeradius-server-2.1.4.new/raddb/attrs
2 --- freeradius-server-2.1.4/raddb/attrs 2009-03-10 19:26:50.000000000 -0700
3 +++ freeradius-server-2.1.4.new/raddb/attrs 2009-04-07 15:09:02.000000000 -0700
4 @@ -1,7 +1,4 @@
5 #
6 -# Configuration file for the rlm_attr_filter module.
7 -# Please see rlm_attr_filter(5) manpage for more information.
8 -#
9 # $Id$
10 #
11 # This file contains security and configuration information
12 diff -Naur freeradius-server-2.1.4/raddb/attrs.access_reject freeradius-server-2.1.4.new/raddb/attrs.access_reject
13 --- freeradius-server-2.1.4/raddb/attrs.access_reject 2009-03-10 19:26:50.000000000 -0700
14 +++ freeradius-server-2.1.4.new/raddb/attrs.access_reject 2009-04-07 15:09:20.000000000 -0700
15 @@ -1,7 +1,4 @@
16 #
17 -# Configuration file for the rlm_attr_filter module.
18 -# Please see rlm_attr_filter(5) manpage for more information.
19 -#
20 # $Id$
21 #
22 # This configuration file is used to remove almost all of the attributes
23 diff -Naur freeradius-server-2.1.4/raddb/attrs.accounting_response freeradius-server-2.1.4.new/raddb/attrs.accounting_response
24 --- freeradius-server-2.1.4/raddb/attrs.accounting_response 2009-03-10 19:26:50.000000000 -0700
25 +++ freeradius-server-2.1.4.new/raddb/attrs.accounting_response 2009-04-07 15:09:32.000000000 -0700
26 @@ -1,7 +1,4 @@
27 #
28 -# Configuration file for the rlm_attr_filter module.
29 -# Please see rlm_attr_filter(5) manpage for more information.
30 -#
31 # $Id$
32 #
33 # This configuration file is used to remove almost all of the attributes
34 diff -Naur freeradius-server-2.1.4/raddb/attrs.pre-proxy freeradius-server-2.1.4.new/raddb/attrs.pre-proxy
35 --- freeradius-server-2.1.4/raddb/attrs.pre-proxy 2009-03-10 19:26:50.000000000 -0700
36 +++ freeradius-server-2.1.4.new/raddb/attrs.pre-proxy 2009-04-07 15:09:44.000000000 -0700
37 @@ -1,7 +1,4 @@
38 #
39 -# Configuration file for the rlm_attr_filter module.
40 -# Please see rlm_attr_filter(5) manpage for more information.
41 -#
42 # $Id$
43 #
44 # This file contains security and configuration information
45 diff -Naur freeradius-server-2.1.4/raddb/dictionary.in freeradius-server-2.1.4.new/raddb/dictionary.in
46 --- freeradius-server-2.1.4/raddb/dictionary.in 2009-03-10 19:26:50.000000000 -0700
47 +++ freeradius-server-2.1.4.new/raddb/dictionary.in 2009-04-07 15:10:18.000000000 -0700
48 @@ -11,14 +11,12 @@
49 #
50 # The filename given here should be an absolute path.
51 #
52 -$INCLUDE @prefix@/share/freeradius/dictionary
53 +$INCLUDE @prefix@/share/freeradius2/dictionary
54
55 #
56 # Place additional attributes or $INCLUDEs here. They will
57 # over-ride the definitions in the pre-defined dictionaries.
58 #
59 -# See the 'man' page for 'dictionary' for information on
60 -# the format of the dictionary files.
61
62 #
63 # If you want to add entries to the dictionary file,
64 diff -Naur freeradius-server-2.1.4/raddb/eap.conf freeradius-server-2.1.4.new/raddb/eap.conf
65 --- freeradius-server-2.1.4/raddb/eap.conf 2009-03-10 19:26:50.000000000 -0700
66 +++ freeradius-server-2.1.4.new/raddb/eap.conf 2009-04-07 15:20:28.000000000 -0700
67 @@ -27,7 +27,7 @@
68 # then that EAP type takes precedence over the
69 # default type configured here.
70 #
71 - default_eap_type = md5
72 + default_eap_type = peap
73
74 # A list is maintained to correlate EAP-Response
75 # packets with EAP-Request packets. After a
76 @@ -72,23 +72,8 @@
77 # for wireless connections. It is insecure, and does
78 # not provide for dynamic WEP keys.
79 #
80 - md5 {
81 - }
82 -
83 - # Cisco LEAP
84 - #
85 - # We do not recommend using LEAP in new deployments. See:
86 - # http://www.securiteam.com/tools/5TP012ACKE.html
87 - #
88 - # Cisco LEAP uses the MS-CHAP algorithm (but not
89 - # the MS-CHAP attributes) to perform it's authentication.
90 - #
91 - # As a result, LEAP *requires* access to the plain-text
92 - # User-Password, or the NT-Password attributes.
93 - # 'System' authentication is impossible with LEAP.
94 - #
95 - leap {
96 - }
97 +# md5 {
98 +# }
99
100 # Generic Token Card.
101 #
102 @@ -101,10 +86,10 @@
103 # the users password will go over the wire in plain-text,
104 # for anyone to see.
105 #
106 - gtc {
107 +# gtc {
108 # The default challenge, which many clients
109 # ignore..
110 - #challenge = "Password: "
111 +# challenge = "Password: "
112
113 # The plain-text response which comes back
114 # is put into a User-Password attribute,
115 @@ -118,8 +103,8 @@
116 # configured for the request, and do the
117 # authentication itself.
118 #
119 - auth_type = PAP
120 - }
121 +# auth_type = PAP
122 +# }
123
124 ## EAP-TLS
125 #
126 @@ -130,11 +115,6 @@
127 # built, the "tls", "ttls", and "peap" sections will
128 # be ignored.
129 #
130 - # Otherwise, when the server first starts in debugging
131 - # mode, test certificates will be created. See the
132 - # "make_cert_command" below for details, and the README
133 - # file in raddb/certs
134 - #
135 # These test certificates SHOULD NOT be used in a normal
136 # deployment. They are created only to make it easier
137 # to install the server, and to perform some simple
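Review bot: The comment kept at lines 137-139 ("These test certificates SHOULD NOT be used ...") now refers to certificates whose creation is no longer explained, because the bootstrap description is removed here and `make_cert_command = "${certdir}/bootstrap"` is removed in the hunk ending at L299. Without that bootstrap step the server will not come up until operator-supplied certificates exist at the configured paths, and the patch does not state this anywhere. Suggest replacing the orphaned lines with `# No test certificates are generated on this platform; install a server certificate, key and CA under ${certdir} before starting radiusd.`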
138 @@ -201,7 +181,7 @@
139 # In these cases, fragment size should be
140 # 1024 or less.
141 #
142 - # fragment_size = 1024
143 + fragment_size = 1024
144
145 # include_length is a flag which is
146 # by default set to yes If set to
147 @@ -211,7 +191,7 @@
148 # message is included ONLY in the
149 # First packet of a fragment series.
150 #
151 - # include_length = yes
152 + include_length = yes
153
154 # Check the Certificate Revocation List
155 #
156 @@ -220,83 +200,74 @@
157 # 'c_rehash' is OpenSSL's command.
158 # 3) uncomment the line below.
159 # 5) Restart radiusd
160 - # check_crl = yes
161 - # CA_path = /path/to/directory/with/ca_certs/and/crls/
162 +# check_crl = yes
163 +# CA_path = /path/to/directory/with/ca_certs/and/crls/
164 +
165 + #
166 + # If check_cert_issuer is set, the value will
167 + # be checked against the DN of the issuer in
168 + # the client certificate. If the values do not
169 + # match, the cerficate verification will fail,
170 + # rejecting the user.
171 + #
172 +# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
173 +
174 + #
175 + # If check_cert_cn is set, the value will
176 + # be xlat'ed and checked against the CN
177 + # in the client certificate. If the values
178 + # do not match, the certificate verification
179 + # will fail rejecting the user.
180 + #
181 + # This check is done only if the previous
182 + # "check_cert_issuer" is not set, or if
183 + # the check succeeds.
184 + #
185 +# check_cert_cn = %{User-Name}
186
187 - #
188 - # If check_cert_issuer is set, the value will
189 - # be checked against the DN of the issuer in
190 - # the client certificate. If the values do not
191 - # match, the cerficate verification will fail,
192 - # rejecting the user.
193 - #
194 - # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
195 -
196 - #
197 - # If check_cert_cn is set, the value will
198 - # be xlat'ed and checked against the CN
199 - # in the client certificate. If the values
200 - # do not match, the certificate verification
201 - # will fail rejecting the user.
202 - #
203 - # This check is done only if the previous
204 - # "check_cert_issuer" is not set, or if
205 - # the check succeeds.
206 - #
207 - # check_cert_cn = %{User-Name}
208 - #
209 # Set this option to specify the allowed
210 # TLS cipher suites. The format is listed
211 # in "man 1 ciphers".
212 cipher_list = "DEFAULT"
213
214 #
215 -
216 - # This configuration entry should be deleted
217 - # once the server is running in a normal
218 - # configuration. It is here ONLY to make
219 - # initial deployments easier.
220 - #
221 - make_cert_command = "${certdir}/bootstrap"
222 -
223 - #
224 # Session resumption / fast reauthentication
225 # cache.
226 #
227 - cache {
228 - #
229 - # Enable it. The default is "no".
230 - # Deleting the entire "cache" subsection
231 - # Also disables caching.
232 - #
233 - # You can disallow resumption for a
234 - # particular user by adding the following
235 - # attribute to the control item list:
236 - #
237 - # Allow-Session-Resumption = No
238 - #
239 - # If "enable = no" below, you CANNOT
240 - # enable resumption for just one user
241 - # by setting the above attribute to "yes".
242 - #
243 - enable = no
244 -
245 - #
246 - # Lifetime of the cached entries, in hours.
247 - # The sessions will be deleted after this
248 - # time.
249 - #
250 - lifetime = 24 # hours
251 -
252 - #
253 - # The maximum number of entries in the
254 - # cache. Set to "0" for "infinite".
255 - #
256 - # This could be set to the number of users
257 - # who are logged in... which can be a LOT.
258 - #
259 - max_entries = 255
260 - }
261 +# cache {
262 + #
263 + # Enable it. The default is "no".
264 + # Deleting the entire "cache" subsection
265 + # Also disables caching.
266 + #
267 + # You can disallow resumption for a
268 + # particular user by adding the following
269 + # attribute to the control item list:
270 + #
271 + # Allow-Session-Resumption = No
272 + #
273 + # If "enable = no" below, you CANNOT
274 + # enable resumption for just one user
275 + # by setting the above attribute to "yes".
276 + #
277 +# enable = no
278 +
279 + #
280 + # Lifetime of the cached entries, in hours.
281 + # The sessions will be deleted after this
282 + # time.
283 + #
284 +# lifetime = 24 # hours
285 +
286 + #
287 + # The maximum number of entries in the
288 + # cache. Set to "0" for "infinite".
289 + #
290 + # This could be set to the number of users
291 + # who are logged in... which can be a LOT.
292 + #
293 +# max_entries = 255
294 +# }
295 }
296
297 # The TTLS module implements the EAP-TTLS protocol,
298 @@ -320,7 +291,7 @@
299 #
300 # in the control items for a request.
301 #
302 - ttls {
303 +# ttls {
304 # The tunneled EAP session needs a default
305 # EAP type which is separate from the one for
306 # the non-tunneled EAP module. Inside of the
307 @@ -328,7 +299,7 @@
308 # If the request does not contain an EAP
309 # conversation, then this configuration entry
310 # is ignored.
311 - default_eap_type = md5
312 +# default_eap_type = mschapv2
313
314 # The tunneled authentication request does
315 # not usually contain useful attributes
316 @@ -344,7 +315,7 @@
317 # is copied to the tunneled request.
318 #
319 # allowed values: {no, yes}
320 - copy_request_to_tunnel = no
321 +# copy_request_to_tunnel = yes
322
323 # The reply attributes sent to the NAS are
324 # usually based on the name of the user
325 @@ -357,20 +328,8 @@
326 # the tunneled request.
327 #
328 # allowed values: {no, yes}
329 - use_tunneled_reply = no
330 -
331 - #
332 - # The inner tunneled request can be sent
333 - # through a virtual server constructed
334 - # specifically for this purpose.
335 - #
336 - # If this entry is commented out, the inner
337 - # tunneled request will be sent through
338 - # the virtual server that processed the
339 - # outer requests.
340 - #
341 - virtual_server = "inner-tunnel"
342 - }
343 +# use_tunneled_reply = yes
344 +# }
345
346 ##################################################
347 #
348 @@ -433,26 +392,16 @@
349
350 # the PEAP module also has these configuration
351 # items, which are the same as for TTLS.
352 - copy_request_to_tunnel = no
353 - use_tunneled_reply = no
354 + copy_request_to_tunnel = yes
355 + use_tunneled_reply = yes
356
357 # When the tunneled session is proxied, the
358 # home server may not understand EAP-MSCHAP-V2.
359 # Set this entry to "no" to proxy the tunneled
360 # EAP-MSCHAP-V2 as normal MSCHAPv2.
361 - # proxy_tunneled_request_as_eap = yes
362 + proxy_tunneled_request_as_eap = no
363
364 - #
365 - # The inner tunneled request can be sent
366 - # through a virtual server constructed
367 - # specifically for this purpose.
368 - #
369 - # If this entry is commented out, the inner
370 - # tunneled request will be sent through
371 - # the virtual server that processed the
372 - # outer requests.
373 - #
374 - virtual_server = "inner-tunnel"
375 + EAP-TLS-Require-Client-Cert = no
376 }
377
378 #
379 diff -Naur freeradius-server-2.1.4/raddb/ldap.attrmap freeradius-server-2.1.4.new/raddb/ldap.attrmap
380 --- freeradius-server-2.1.4/raddb/ldap.attrmap 2009-03-10 19:26:50.000000000 -0700
381 +++ freeradius-server-2.1.4.new/raddb/ldap.attrmap 2009-04-07 15:21:54.000000000 -0700
382 @@ -13,8 +13,7 @@
383 # If not present, defaults to "==" for checkItems,
384 # and "=" for replyItems.
385 # If present, the operator here should be one
386 -# of the same operators as defined in the "users"3
387 -# file ("man users", or "man 5 users").
388 +# of the same operators as defined in the "users" file.
389 # If an operator is present in the value of the
390 # LDAP entry (i.e. ":=foo"), then it over-rides
391 # both the default, and any operator given here.
392 diff -Naur freeradius-server-2.1.4/raddb/modules/counter freeradius-server-2.1.4.new/raddb/modules/counter
393 --- freeradius-server-2.1.4/raddb/modules/counter 2009-03-10 19:26:50.000000000 -0700
394 +++ freeradius-server-2.1.4.new/raddb/modules/counter 2009-04-08 01:34:16.000000000 -0700
395 @@ -69,7 +69,7 @@
396 # 'check-name' attribute.
397 #
398 counter daily {
399 - filename = ${db_dir}/db.daily
400 + filename = ${radacctdir}/db.daily
401 key = User-Name
402 count-attribute = Acct-Session-Time
403 reset = daily
404 diff -Naur freeradius-server-2.1.4/raddb/modules/detail freeradius-server-2.1.4.new/raddb/modules/detail
405 --- freeradius-server-2.1.4/raddb/modules/detail 2009-03-10 19:26:50.000000000 -0700
406 +++ freeradius-server-2.1.4.new/raddb/modules/detail 2009-04-07 15:28:33.000000000 -0700
407 @@ -46,8 +46,7 @@
408
409 #
410 # Every entry in the detail file has a header which
411 - # is a timestamp. By default, we use the ctime
412 - # format (see "man ctime" for details).
413 + # is a timestamp. By default, we use the ctime format.
414 #
415 # The header can be customized by editing this
416 # string. See "doc/variables.txt" for a description
417 diff -Naur freeradius-server-2.1.4/raddb/modules/exec freeradius-server-2.1.4.new/raddb/modules/exec
418 --- freeradius-server-2.1.4/raddb/modules/exec 2009-03-10 19:26:50.000000000 -0700
419 +++ freeradius-server-2.1.4.new/raddb/modules/exec 2009-04-07 15:29:45.000000000 -0700
420 @@ -15,9 +15,8 @@
421 # of the program which is executed. Due to RADIUS protocol
422 # limitations, any output over 253 bytes will be ignored.
423 #
424 -# The RADIUS attributes from the user request will be placed
425 -# into environment variables of the executed program, as
426 -# described in "man unlang" and in doc/variables.txt
427 +# The RADIUS attributes from the user request will be placed into environment
428 +# variables of the executed program, as described in doc/variables.txt
429 #
430 # See also "echo" for more sample configuration.
431 #
432 diff -Naur freeradius-server-2.1.4/raddb/modules/pap freeradius-server-2.1.4.new/raddb/modules/pap
433 --- freeradius-server-2.1.4/raddb/modules/pap 2009-03-10 19:26:50.000000000 -0700
434 +++ freeradius-server-2.1.4.new/raddb/modules/pap 2009-04-07 15:31:17.000000000 -0700
435 @@ -4,8 +4,7 @@
436
437 # PAP module to authenticate users based on their stored password
438 #
439 -# Supports multiple encryption/hash schemes. See "man rlm_pap"
440 -# for details.
441 +# Supports multiple encryption/hash schemes.
442 #
443 # The "auto_header" configuration item can be set to "yes".
444 # In this case, the module will look inside of the User-Password
445 @@ -14,5 +13,5 @@
446 # with the correct value. It will also automatically handle
447 # Base-64 encoded data, hex strings, and binary data.
448 pap {
449 - auto_header = no
450 + auto_header = yes
451 }
452 diff -Naur freeradius-server-2.1.4/raddb/modules/radutmp freeradius-server-2.1.4.new/raddb/modules/radutmp
453 --- freeradius-server-2.1.4/raddb/modules/radutmp 2009-03-10 19:26:50.000000000 -0700
454 +++ freeradius-server-2.1.4.new/raddb/modules/radutmp 2009-04-07 11:13:56.000000000 -0700
455 @@ -12,7 +12,7 @@
456 # Where the file is stored. It's not a log file,
457 # so it doesn't need rotating.
458 #
459 - filename = ${logdir}/radutmp
460 + filename = ${radacctdir}/radutmp
461
462 # The field in the packet to key on for the
463 # 'user' name, If you have other fields which you want
464 diff -Naur freeradius-server-2.1.4/raddb/modules/sradutmp freeradius-server-2.1.4.new/raddb/modules/sradutmp
465 --- freeradius-server-2.1.4/raddb/modules/sradutmp 2009-03-10 19:26:50.000000000 -0700
466 +++ freeradius-server-2.1.4.new/raddb/modules/sradutmp 2009-04-07 11:14:07.000000000 -0700
467 @@ -10,7 +10,7 @@
468 # then name "sradutmp" to identify it later in the "accounting"
469 # section.
470 radutmp sradutmp {
471 - filename = ${logdir}/sradutmp
472 + filename = ${radacctdir}/sradutmp
473 perm = 0644
474 callerid = "no"
475 }
476 diff -Naur freeradius-server-2.1.4/raddb/preproxy_users freeradius-server-2.1.4.new/raddb/preproxy_users
477 --- freeradius-server-2.1.4/raddb/preproxy_users 2009-03-10 19:26:50.000000000 -0700
478 +++ freeradius-server-2.1.4.new/raddb/preproxy_users 2009-04-07 15:23:02.000000000 -0700
479 @@ -1,6 +1,5 @@
480 #
481 # Configuration file for the rlm_files module.
482 -# Please see rlm_files(5) manpage for more information.
483 #
484 # $Id$
485 #
486 diff -Naur freeradius-server-2.1.4/raddb/proxy.conf freeradius-server-2.1.4.new/raddb/proxy.conf
487 --- freeradius-server-2.1.4/raddb/proxy.conf 2009-03-10 19:26:50.000000000 -0700
488 +++ freeradius-server-2.1.4.new/raddb/proxy.conf 2009-04-07 15:22:45.000000000 -0700
489 @@ -525,9 +525,8 @@
490 # This section defines a new-style "realm". Note the in version 2.0,
491 # there are many fewer configuration items than in 1.x for a realm.
492 #
493 -# Automatic proxying is done via the "realms" module (see "man
494 -# rlm_realm"). To manually proxy the request put this entry in the
495 -# "users" file:
496 +# Automatic proxying is done via the "realms" module.
497 +# To manually proxy the request put this entry in the "users" file:
498
499 #
500 #
501 diff -Naur freeradius-server-2.1.4/raddb/radiusd.conf.in freeradius-server-2.1.4.new/raddb/radiusd.conf.in
502 --- freeradius-server-2.1.4/raddb/radiusd.conf.in 2009-03-10 19:26:50.000000000 -0700
503 +++ freeradius-server-2.1.4.new/raddb/radiusd.conf.in 2009-04-07 15:34:38.000000000 -0700
504 @@ -8,11 +8,6 @@
505
506 ######################################################################
507 #
508 -# Read "man radiusd" before editing this file. See the section
509 -# titled DEBUGGING. It outlines a method where you can quickly
510 -# obtain the configuration you want, without running into
511 -# trouble.
512 -#
513 # Run the server in debugging mode, and READ the output.
514 #
515 # $ radiusd -X
516 @@ -41,14 +36,8 @@
517 # file, it is exported through the API to modules that ask for
518 # it.
519 #
520 -# See "man radiusd.conf" for documentation on the format of this
521 -# file. Note that the individual configuration items are NOT
522 -# documented in that "man" page. They are only documented here,
523 -# in the comments.
524 -#
525 # As of 2.0.0, FreeRADIUS supports a simple processing language
526 # in the "authorize", "authenticate", "accounting", etc. sections.
527 -# See "man unlang" for details.
528 #
529
530 prefix = @prefix@
531 @@ -66,7 +55,7 @@
532
533 # Location of config and logfiles.
534 confdir = ${raddbdir}
535 -run_dir = ${localstatedir}/run/${name}
536 +run_dir = ${localstatedir}/run
537
538 # Should likely be ${localstatedir}/lib/radiusd
539 db_dir = ${raddbdir}
540 @@ -112,7 +101,7 @@
541 #
542 # This file is written when ONLY running in daemon mode.
543 #
544 -# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
545 +# e.g.: kill -HUP `cat /var/run/radiusd.pid`
546 #
547 pidfile = ${run_dir}/${name}.pid
548
549 @@ -283,7 +272,7 @@
550 # If your system does not support this feature, you will
551 # get an error if you try to use it.
552 #
553 -# interface = eth0
554 + interface = br-lan
555
556 # Per-socket lists of clients. This is a very useful feature.
557 #
558 @@ -310,7 +299,7 @@
559 # ipv6addr = ::
560 port = 0
561 type = acct
562 -# interface = eth0
563 + interface = br-lan
564 # clients = per_socket_clients
565 }
566
567 @@ -445,9 +434,6 @@
568 auth_goodpass = no
569 }
570
571 -# The program to execute to do concurrency checks.
572 -checkrad = ${sbindir}/checkrad
573 -
574 # SECURITY CONFIGURATION
575 #
576 # There may be multiple methods of attacking on the server. This
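Review bot: Removing `checkrad = ${sbindir}/checkrad` drops the program the server runs to ask the NAS whether a session found in radutmp is still live during Simultaneous-Use checks, while radutmp itself stays enabled in the accounting section (L851). What happens to a user who hits a Simultaneous-Use limit against a stale radutmp entry then depends on the server's behaviour with checkrad unset — presumably the entry is taken at face value and the login is refused; verify. If checkrad is intentionally not packaged, a one-line comment in its place (`# checkrad is not shipped on this platform; Simultaneous-Use relies on radutmp alone`) would spare the next reader the search.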
577 @@ -522,8 +508,8 @@
578 #
579 # allowed values: {no, yes}
580 #
581 -proxy_requests = yes
582 -$INCLUDE proxy.conf
583 +proxy_requests = no
584 +#$INCLUDE proxy.conf
585
586
587 # CLIENTS CONFIGURATION
588 @@ -675,10 +661,6 @@
589 #
590 # $INCLUDE sql/mysql/counter.conf
591
592 - #
593 - # IP addresses managed in an SQL table.
594 - #
595 -# $INCLUDE sqlippool.conf
596 }
597
598 # Instantiation
599 @@ -703,7 +685,7 @@
600 # The entire command line (and output) must fit into 253 bytes.
601 #
602 # e.g. Framed-Pool = `%{exec:/bin/echo foo}`
603 - exec
604 +# exec
605
606 #
607 # The expression module doesn't do authorization,
608 @@ -716,15 +698,15 @@
609 # listed in any other section. See 'doc/rlm_expr' for
610 # more information.
611 #
612 - expr
613 +# expr
614
615 #
616 # We add the counter module here so that it registers
617 # the check-name attribute before any module which sets
618 # it
619 # daily
620 - expiration
621 - logintime
622 +# expiration
623 +# logintime
624
625 # subsections here can be thought of as "virtual" modules.
626 #
627 @@ -748,7 +730,7 @@
628 # to multiple times.
629 #
630 ######################################################################
631 -$INCLUDE policy.conf
632 +#$INCLUDE policy.conf
633
634 ######################################################################
635 #
636 @@ -758,9 +740,9 @@
637 # match the regular expression: /[a-zA-Z0-9_.]+/
638 #
639 # It allows you to define new virtual servers simply by placing
640 -# a file into the raddb/sites-enabled/ directory.
641 +# a file into the /etc/freeradius2/sites/ directory.
642 #
643 -$INCLUDE sites-enabled/
644 +$INCLUDE sites/
645
646 ######################################################################
647 #
648 @@ -768,15 +750,11 @@
649 # "authenticate {}", "accounting {}", have been moved to the
650 # the file:
651 #
652 -# raddb/sites-available/default
653 +# /etc/freeradius2/sites/default
654 #
655 # This is the "default" virtual server that has the same
656 # configuration as in version 1.0.x and 1.1.x. The default
657 # installation enables this virtual server. You should
658 # edit it to create policies for your local site.
659 #
660 -# For more documentation on virtual servers, see:
661 -#
662 -# raddb/sites-available/README
663 -#
664 ######################################################################
665 diff -Naur freeradius-server-2.1.4/raddb/sites-available/default freeradius-server-2.1.4.new/raddb/sites-available/default
666 --- freeradius-server-2.1.4/raddb/sites-available/default 2009-03-10 19:26:50.000000000 -0700
667 +++ freeradius-server-2.1.4.new/raddb/sites-available/default 2009-04-07 15:27:12.000000000 -0700
668 @@ -11,12 +11,6 @@
669 #
670 ######################################################################
671 #
672 -# Read "man radiusd" before editing this file. See the section
673 -# titled DEBUGGING. It outlines a method where you can quickly
674 -# obtain the configuration you want, without running into
675 -# trouble. See also "man unlang", which documents the format
676 -# of this file.
677 -#
678 # This configuration is designed to work in the widest possible
679 # set of circumstances, with the widest possible number of
680 # authentication methods. This means that in general, you should
681 @@ -69,7 +63,7 @@
682 # 'raddb/huntgroups' files.
683 #
684 # It also adds the %{Client-IP-Address} attribute to the request.
685 - preprocess
686 +# preprocess
687
688 #
689 # If you want to have a log of authentication requests,
690 @@ -80,7 +74,7 @@
691 #
692 # The chap module will set 'Auth-Type := CHAP' if we are
693 # handling a CHAP request and Auth-Type has not already been set
694 - chap
695 +# chap
696
697 #
698 # If the users are logging in with an MS-CHAP-Challenge
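Review bot: Commenting out `chap` here, together with `mschap` in the hunk ending at L715 and `preprocess` at L688, means a plain (non-EAP) CHAP or MS-CHAP Access-Request no longer receives an Auth-Type in authorize and falls through to the final `pap`, which cannot handle it, so such requests will be rejected. That is reasonable for an 802.1X-only router, but it is a behavioural change the patch leaves undocumented; PEAP's inner MSCHAPv2 is presumably unaffected because rlm_eap invokes the `Auth-Type MS-CHAP` block (L768-769) directly rather than through authorize — confirm. Suggest a comment at the top of the authorize section, which starts before this hunk: `# Only EAP (PEAP/MSCHAPv2) is authorized here; plain CHAP and MS-CHAP are disabled.`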
699 @@ -88,13 +82,7 @@
700 # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
701 # to the request, which will cause the server to then use
702 # the mschap module for authentication.
703 - mschap
704 -
705 - #
706 - # If you have a Cisco SIP server authenticating against
707 - # FreeRADIUS, uncomment the following line, and the 'digest'
708 - # line in the 'authenticate' section.
709 -# digest
710 +# mschap
711
712 #
713 # Look for IPASS style 'realm/', and if not found, look for
714 @@ -108,7 +96,7 @@
715 # Otherwise, when the first style of realm doesn't match,
716 # the other styles won't be checked.
717 #
718 - suffix
719 +# suffix
720 # ntdomain
721
722 #
723 @@ -133,14 +121,6 @@
724 }
725
726 #
727 - # Pull crypt'd passwords from /etc/passwd or /etc/shadow,
728 - # using the system API's to get the password. If you want
729 - # to read /etc/passwd or /etc/shadow directly, see the
730 - # passwd module in radiusd.conf.
731 - #
732 - unix
733 -
734 - #
735 # Read the 'users' file
736 files
737
738 @@ -152,28 +132,11 @@
739 # sql
740
741 #
742 - # If you are using /etc/smbpasswd, and are also doing
743 - # mschap authentication, the un-comment this line, and
744 - # configure the 'etc_smbpasswd' module, above.
745 -# etc_smbpasswd
746 -
747 - #
748 # The ldap module will set Auth-Type to LDAP if it has not
749 # already been set
750 # ldap
751
752 #
753 - # Enforce daily limits on time spent logged in.
754 -# daily
755 -
756 - #
757 - # Use the checkval module
758 -# checkval
759 -
760 - expiration
761 - logintime
762 -
763 - #
764 # If no other module has claimed responsibility for
765 # authentication, then try to use PAP. This allows the
766 # other modules listed above to add a "known good" password
767 @@ -248,24 +211,6 @@
768 mschap
769 }
770
771 - #
772 - # If you have a Cisco SIP server authenticating against
773 - # FreeRADIUS, uncomment the following line, and the 'digest'
774 - # line in the 'authorize' section.
775 -# digest
776 -
777 - #
778 - # Pluggable Authentication Modules.
779 -# pam
780 -
781 - #
782 - # See 'man getpwent' for information on how the 'unix'
783 - # module checks the users password. Note that packets
784 - # containing CHAP-Password attributes CANNOT be authenticated
785 - # against /etc/passwd! See the FAQ for details.
786 - #
787 - unix
788 -
789 # Uncomment it if you want to use ldap for authentication
790 #
791 # Note that this means "check plain-text password against
792 @@ -278,19 +223,15 @@
793 #
794 # Allow EAP authentication.
795 eap
796 + pap
797 }
798
799
800 #
801 # Pre-accounting. Decide which accounting type to use.
802 #
803 -preacct {
804 - preprocess
805 -
806 - #
807 - # Ensure that we have a semi-unique identifier for every
808 - # request, and many NAS boxes are broken.
809 - acct_unique
810 +#preacct {
811 +# preprocess
812
813 #
814 # Look for IPASS-style 'realm/', and if not found, look for
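Review bot: The bare `pap` added after `eap` at L798 is a module call at the top level of `authenticate {}`, which, as with `eap` above it, registers the module for its own Auth-Type; the stock 2.1.4 file already carries an explicit `Auth-Type PAP { pap }` sub-section earlier in this section (outside the hunk), so if that block survives this line duplicates it — confirm which form is intended and keep one. The `authenticate {}` section starts before this hunk. Commenting out `preacct {}` below also removes `acct_unique`, so accounting packets no longer get an Acct-Unique-Session-Id; radutmp does not need it, but anything elsewhere keyed on that attribute would, and a comment saying the section is dropped on purpose (`#preacct disabled: no acct_unique, accounting is radutmp only`) would make that explicit.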
815 @@ -300,13 +241,13 @@
816 # Accounting requests are generally proxied to the same
817 # home server as authentication requests.
818 # IPASS
819 - suffix
820 +# suffix
821 # ntdomain
822
823 #
824 # Read the 'acct_users' file
825 - files
826 -}
827 +# files
828 +#}
829
830 #
831 # Accounting. Log the accounting data.
832 @@ -316,14 +257,9 @@
833 # Create a 'detail'ed log of the packets.
834 # Note that accounting requests which are proxied
835 # are also logged in the detail file.
836 - detail
837 +# detail
838 # daily
839
840 - # Update the wtmp file
841 - #
842 - # If you don't use "radlast", you can delete this line.
843 - unix
844 -
845 #
846 # For Simultaneous-Use tracking.
847 #
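Review bot: Commenting out `detail` removes the per-packet accounting log, and `attr_filter.accounting_response` is commented out in the hunk ending at L868 as well, so after this patch the only accounting state kept is the radutmp current-sessions table (L851); there is no persistent record of who was on the network and when, which is exactly what an incident investigation on a router needs. If flash wear is the reason, say so and point at the switch: `# detail logging disabled to spare flash; uncomment 'detail' to restore the per-session audit log.`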
848 @@ -332,9 +268,6 @@
849 radutmp
850 # sradutmp
851
852 - # Return an address to the IP Pool when we see a stop record.
853 -# main_pool
854 -
855 #
856 # Log traffic to an SQL database.
857 #
858 @@ -351,7 +284,7 @@
859 # pgsql-voip
860
861 # Filter attributes from the accounting response.
862 - attr_filter.accounting_response
863 + #attr_filter.accounting_response
864
865 #
866 # See "Autz-Type Status-Server" for how this works.
867 @@ -377,10 +310,7 @@
868 # Post-Authentication
869 # Once we KNOW that the user has been authenticated, there are
870 # additional steps we can take.
871 -post-auth {
872 - # Get an address from the IP Pool.
873 -# main_pool
874 -
875 +#post-auth {
876 #
877 # If you want to have a log of authentication replies,
878 # un-comment the following line, and the 'detail reply_log'
879 @@ -406,7 +336,7 @@
880 #
881 # ldap
882
883 - exec
884 +# exec
885
886 #
887 # Access-Reject packets are sent through the REJECT sub-section of the
888 @@ -415,10 +345,10 @@
889 # Add the ldap module name (or instance) if you have set
890 # 'edir_account_policy_check = yes' in the ldap module configuration
891 #
892 - Post-Auth-Type REJECT {
893 - attr_filter.access_reject
894 - }
895 -}
896 +# Post-Auth-Type REJECT {
897 +# attr_filter.access_reject
898 +# }
899 +#}
900
901 #
902 # When the server decides to proxy a request to a home server,
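Review bot: Commenting out the `Post-Auth-Type REJECT { attr_filter.access_reject }` block (with the `post-auth {` header in the hunk ending at L880) removes the only filter applied to Access-Reject packets, so reply attributes accumulated for a rejected request are now sent to the NAS unchanged instead of being reduced to what attrs.access_reject permits. Nothing else in the patch replaces that filtering. If the rest of post-auth is disabled to save cycles, a minimal section keeps the reject filter.
```conf
post-auth {
	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}
}
```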
903 @@ -428,7 +358,7 @@
904 #
905 # Only a few modules currently have this method.
906 #
907 -pre-proxy {
908 +#pre-proxy {
909 # attr_rewrite
910
911 # Uncomment the following line if you want to change attributes
912 @@ -444,14 +374,14 @@
913 # server, un-comment the following line, and the
914 # 'detail pre_proxy_log' section, above.
915 # pre_proxy_log
916 -}
917 +#}
918
919 #
920 # When the server receives a reply to a request it proxied
921 # to a home server, the request may be massaged here, in the
922 # post-proxy stage.
923 #
924 -post-proxy {
925 +#post-proxy {
926
927 # If you want to have a log of replies from a home server,
928 # un-comment the following line, and the 'detail post_proxy_log'
929 @@ -475,7 +405,7 @@
930 # hidden inside of the EAP packet, and the end server will
931 # reject the EAP request.
932 #
933 - eap
934 +# eap
935
936 #
937 # If the server tries to proxy a request and fails, then the
938 @@ -497,6 +427,5 @@
939 # Post-Proxy-Type Fail {
940 # detail
941 # }
942 -
943 -}
944 +#}
945
946 diff -Naur freeradius-server-2.1.4/raddb/users freeradius-server-2.1.4.new/raddb/users
947 --- freeradius-server-2.1.4/raddb/users 2009-03-10 19:26:50.000000000 -0700
948 +++ freeradius-server-2.1.4.new/raddb/users 2009-04-07 15:23:54.000000000 -0700
949 @@ -1,6 +1,5 @@
950 #
951 -# Please read the documentation file ../doc/processing_users_file,
952 -# or 'man 5 users' (after installing the server) for more information.
953 +# Please read the documentation file ../doc/processing_users_file.
954 #
955 # This file contains authentication security and configuration
956 # information for each user. Accounting requests are NOT processed
957 @@ -169,22 +168,22 @@
958 # by the terminal server in which case there may not be a "P" suffix.
959 # The terminal server sends "Framed-Protocol = PPP" for auto PPP.
960 #
961 -DEFAULT Framed-Protocol == PPP
962 - Framed-Protocol = PPP,
963 - Framed-Compression = Van-Jacobson-TCP-IP
964 +#DEFAULT Framed-Protocol == PPP
965 +# Framed-Protocol = PPP,
966 +# Framed-Compression = Van-Jacobson-TCP-IP
967
968 #
969 # Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
970 #
971 -DEFAULT Hint == "CSLIP"
972 - Framed-Protocol = SLIP,
973 - Framed-Compression = Van-Jacobson-TCP-IP
974 +#DEFAULT Hint == "CSLIP"
975 +# Framed-Protocol = SLIP,
976 +# Framed-Compression = Van-Jacobson-TCP-IP
977
978 #
979 # Default for SLIP: dynamic IP address, SLIP mode.
980 #
981 -DEFAULT Hint == "SLIP"
982 - Framed-Protocol = SLIP
983 +#DEFAULT Hint == "SLIP"
984 +# Framed-Protocol = SLIP
985
986 #
987 # Last default: rlogin to our main server.