[package] update freeradius2 to 2.1.4, add more modules (#4930)
authorFlorian Fainelli <florian@openwrt.org>
Tue, 12 May 2009 09:40:31 +0000 (09:40 +0000)
committerFlorian Fainelli <florian@openwrt.org>
Tue, 12 May 2009 09:40:31 +0000 (09:40 +0000)
SVN-Revision: 15791

net/freeradius2/Makefile
net/freeradius2/files/radiusd.init
net/freeradius2/patches/002-openwrt-paths.patch [new file with mode: 0644]

index e84df05..e9ceb2d 100644 (file)
@@ -1,5 +1,5 @@
 # 
-# Copyright (C) 2008 OpenWrt.org
+# Copyright (C) 2008-2009 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -8,8 +8,8 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=freeradius2
-PKG_VERSION:=2.1.1
-PKG_RELEASE:=2
+PKG_VERSION:=2.1.4
+PKG_RELEASE:=1
 
 PKG_SOURCE:=freeradius-server-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=ftp://ftp.freeradius.org/pub/freeradius/
@@ -35,6 +35,7 @@ endef
 define Package/freeradius2/conffiles
 /etc/freeradius2/clients.conf
 /etc/freeradius2/radiusd.conf
+/etc/freeradius2/sites/default
 endef
 
 define Package/freeradius2-democerts
@@ -49,12 +50,20 @@ define Package/freeradius2-mod-chap
   TITLE:=CHAP module
 endef
 
+define Package/freeradius2-mod-chap/conffiles
+/etc/freeradius2/modules/chap
+endef
+
 define Package/freeradius2-mod-detail
   $(call Package/freeradius2/Default)
   DEPENDS:=freeradius2
   TITLE:=Detailed accounting module
 endef
 
+define Package/freeradius2-mod-detail/conffiles
+/etc/freeradius2/modules/detail
+endef
+
 define Package/freeradius2-mod-eap
   $(call Package/freeradius2/Default)
   DEPENDS:=freeradius2
@@ -107,12 +116,54 @@ define Package/freeradius2-mod-exec
   TITLE:=EXEC module
 endef
 
+define Package/freeradius2-mod-exec/conffiles
+/etc/freeradius2/modules/exec
+endef
+
+define Package/freeradius2-mod-expiration
+  $(call Package/freeradius2/Default)
+  DEPENDS:=freeradius2
+  TITLE:=Expiration module
+endef
+
+define Package/freeradius2-mod-expiration/conffiles
+/etc/freeradius2/modules/expiration
+endef
+
+define Package/freeradius2-mod-expr
+  $(call Package/freeradius2/Default)
+  DEPENDS:=freeradius2
+  TITLE:=EXPR module
+endef
+
+define Package/freeradius2-mod-expr/conffiles
+/etc/freeradius2/modules/expr
+endef
+
+define Package/freeradius2-mod-attr-filter
+  $(call Package/freeradius2/Default)
+  DEPENDS:=freeradius2
+  TITLE:=ATTR filter module
+endef
+
+define Package/freeradius2-mod-attr-filter/conffiles
+/etc/freeradius2/modules/attr_filter
+/etc/freeradius2/attrs
+/etc/freeradius2/attrs.access_reject
+/etc/freeradius2/attrs.accounting_response
+/etc/freeradius2/attrs.pre-proxy
+endef
+
 define Package/freeradius2-mod-attr-rewrite
   $(call Package/freeradius2/Default)
   DEPENDS:=freeradius2
   TITLE:=ATTR rewrite module
 endef
 
+define Package/freeradius2-mod-attr-rewrite/conffiles
+/etc/freeradius2/modules/attr_rewrite
+endef
+
 define Package/freeradius2-mod-files
   $(call Package/freeradius2/Default)
   DEPENDS:=freeradius2
@@ -123,6 +174,7 @@ define Package/freeradius2-mod-files/conffiles
 /etc/freeradius2/acct_users
 /etc/freeradius2/preproxy_users
 /etc/freeradius2/users
+/etc/freeradius2/modules/files
 endef
 
 define Package/freeradius2-mod-ldap
@@ -133,6 +185,17 @@ endef
 
 define Package/freeradius2-mod-ldap/conffiles
 /etc/freeradius2/ldap.attrmap
+/etc/freeradius2/modules/ldap
+endef
+
+define Package/freeradius2-mod-logintime
+  $(call Package/freeradius2/Default)
+  DEPENDS:=freeradius2
+  TITLE:=Logintime module
+endef
+
+define Package/freeradius2-mod-logintime/conffiles
+/etc/freeradius2/modules/logintime
 endef
 
 define Package/freeradius2-mod-mschap
@@ -141,12 +204,20 @@ define Package/freeradius2-mod-mschap
   TITLE:=MS-CHAP and MS-CHAPv2 module
 endef
 
+define Package/freeradius2-mod-mschap/conffiles
+/etc/freeradius2/modules/mschap
+endef
+
 define Package/freeradius2-mod-pap
   $(call Package/freeradius2/Default)
   DEPENDS:=freeradius2
   TITLE:=PAP module
 endef
 
+define Package/freeradius2-mod-pap/conffiles
+/etc/freeradius2/modules/pap
+endef
+
 define Package/freeradius2-mod-preprocess
   $(call Package/freeradius2/Default)
   DEPENDS:=freeradius2
@@ -156,6 +227,7 @@ endef
 define Package/freeradius2-mod-preprocess/conffiles
 /etc/freeradius2/hints
 /etc/freeradius2/huntgroups
+/etc/freeradius2/modules/preprocess
 endef
 
 define Package/freeradius2-mod-realm
@@ -166,6 +238,7 @@ endef
 
 define Package/freeradius2-mod-realm/conffiles
 /etc/freeradius2/proxy.conf
+/etc/freeradius2/modules/realm
 endef
 
 define Package/freeradius2-mod-sql
@@ -174,6 +247,10 @@ define Package/freeradius2-mod-sql
   TITLE:=Base SQL module
 endef
 
+define Package/freeradius2-mod-sql/conffiles
+/etc/freeradius2/sql.conf
+endef
+
 define Package/freeradius2-mod-sql-mysql
   $(call Package/freeradius2/Default)
   DEPENDS:=freeradius2-mod-sql +libmysqlclient
@@ -198,6 +275,11 @@ define Package/freeradius2-mod-radutmp
   TITLE:=Radius UTMP module
 endef
 
+define Package/freeradius2-mod-radutmp/conffiles
+/etc/freeradius2/modules/radutmp
+/etc/freeradius2/modules/sradutmp
+endef
+
 define Package/freeradius2-utils
   $(call Package/freeradius2/Default)
   DEPENDS:=freeradius2
@@ -210,25 +292,31 @@ CONFIGURE_ARGS+= \
        --enable-shared \
        --disable-static \
        --disable-developer \
+       --with-threads \
        --with-openssl-includes="$(STAGING_DIR)/usr/include" \
        --with-openssl-libraries="$(STAGING_DIR)/usr/lib" \
        --enable-strict-dependencies \
        --with-raddbdir=/etc/freeradius2 \
+       --with-radacctdir=/var/db/radacct \
+       --with-logdir=/var/log \
        --without-edir \
        --without-snmp \
        --without-rlm_checkval \
-       --without-rlm_counter \
        --without-rlm_dbm \
+       --without-rlm_counter \
+       --with-rlm_expr \
        --with-rlm_eap \
        --without-rlm_eap_sim \
        --without-rlm_example \
        --without-rlm_ippool \
        --without-rlm_krb5 \
        --without-rlm_otp \
+       --without-rlm_smsotp \
        --without-rlm_pam \
        --without-rlm_perl \
        --without-rlm_python \
        --without-rlm_smb \
+       --without-rlm_always \
        --with-rlm_sql \
        --with-rlm_sqlcounter \
        --without-rlm_sqlhpwippool \
@@ -267,9 +355,9 @@ endif
 ifneq ($(SDK)$(CONFIG_PACKAGE_freeradius2-mod-sql-mysql),)
   CONFIGURE_ARGS+= \
                --with-mysql-include-dir="$(STAGING_DIR)/usr/include" \
-               --with-mysql-lib-dir="$(STAGING_DIR)/usr/lib/mysql" \
-               --without-threads
+               --with-mysql-lib-dir="$(STAGING_DIR)/usr/lib/mysql"
   CONFIGURE_LIBS+= -lz
+  CONFIGURE_VARS+= ac_cv_lib_mysqlclient_r_mysql_init=yes
 else
   CONFIGURE_ARGS+= --without-rlm_sql_mysql
 endif
@@ -324,6 +412,18 @@ else
   CONFIGURE_ARGS+= --without-rlm_radutmp
 endif
 
+ifneq ($(SDK)$(CONFIG_PACKAGE_freeradius2-mod-logintime),)
+  CONFIGURE_ARGS+= --with-rlm_logintime
+else
+  CONFIGURE_ARGS+= --without-rlm_logintime
+endif
+
+ifneq ($(SDK)$(CONFIG_PACKAGE_freeradius2-mod-expiration),)
+  CONFIGURE_ARGS+= --with-rlm_expiration
+else
+  CONFIGURE_ARGS+= --without-rlm_expiration
+endif
+
 CONFIGURE_VARS+= \
        LDFLAGS="$$$$LDFLAGS" \
        LIBS="$(CONFIGURE_LIBS)" \
@@ -334,14 +434,17 @@ define Build/Compile
        $(MAKE) -C $(PKG_BUILD_DIR) \
                R="$(PKG_INSTALL_DIR)" \
                INSTALLSTRIP="" \
-               all install
+               all certs install
 endef
 
 define Package/freeradius2/install
        $(INSTALL_DIR) $(1)/etc/freeradius2
-       for f in clients.conf dictionary radiusd.conf; do \
+       $(INSTALL_DIR) $(1)/etc/freeradius2/modules
+       $(INSTALL_DIR) $(1)/etc/freeradius2/sites
+       for f in clients.conf dictionary radiusd.conf policy.conf; do \
                $(CP) $(PKG_INSTALL_DIR)/etc/freeradius2/$$$${f} $(1)/etc/freeradius2/ ; \
        done
+       $(CP) $(PKG_INSTALL_DIR)/etc/freeradius2/sites-available/default $(1)/etc/freeradius2/sites/default
        $(INSTALL_DIR) $(1)/usr/share/freeradius2
        $(CP) $(PKG_INSTALL_DIR)/usr/share/freeradius/dictionary $(1)/usr/share/freeradius2/
        $(SED) "s,^\(\$$$$INCLUDE\),#\1,g" $(1)/usr/share/freeradius2/dictionary
@@ -350,7 +453,7 @@ define Package/freeradius2/install
                $(SED) "s,^#\(\$$$$INCLUDE dictionary\.$$$${f}\),\1,g" $(1)/usr/share/freeradius2/dictionary ; \
        done
        $(INSTALL_DIR) $(1)/usr/lib/freeradius2
-       $(CP) $(PKG_INSTALL_DIR)/usr/lib/freeradius2/libfreeradius-radius{,-*}.so $(1)/usr/lib/
+       $(CP) $(PKG_INSTALL_DIR)/usr/lib/freeradius2/libfreeradius-radius{,-*}.so $(1)/usr/lib/freeradius2
        $(INSTALL_DIR) $(1)/usr/sbin
        $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/radiusd $(1)/usr/sbin/
        $(INSTALL_DIR) $(1)/etc/init.d
@@ -364,6 +467,11 @@ define Package/freeradius2-democerts/install
        rm -rf $(1)/etc/freeradius2/certs/new*
        rm -rf $(1)/etc/freeradius2/certs/demoCA/index*
        rm -rf $(1)/etc/freeradius2/certs/demoCA/serial*
+       rm -rf $(1)/etc/freeradius2/certs/bootstrap
+       rm -rf $(1)/etc/freeradius2/certs/Makefile
+       rm -rf $(1)/etc/freeradius2/certs/ca.cnf
+       rm -rf $(1)/etc/freeradius2/certs/client.cnf
+       rm -rf $(1)/etc/freeradius2/certs/server.cnf
 endef
 
 define Package/freeradius2-utils/install
@@ -375,13 +483,14 @@ endef
 
 define BuildPlugin
   define Package/$(1)/install
-       [ -z "$(2)" ] || $(INSTALL_DIR) $$(1)/usr/lib
+       [ -z "$(2)" ] || $(INSTALL_DIR) $$(1)/usr/lib/freeradius2
        for m in $(2); do \
-               $(CP) $(PKG_INSTALL_DIR)/usr/lib/freeradius2/$$$$$$$${m}{,-*}.so $$(1)/usr/lib/ ; \
+               $(CP) $(PKG_INSTALL_DIR)/usr/lib/freeradius2/$$$$$$$${m}{,-*}.so $$(1)/usr/lib/freeradius2 ; \
        done
        [ -z "$(3)" ] || $(INSTALL_DIR) $$(1)/etc/freeradius2
+       [ -z "$(4)" ] || $(INSTALL_DIR) $$(1)/etc/freeradius2/$(4)
        for f in $(3); do \
-               $(CP) $(PKG_INSTALL_DIR)/etc/freeradius2/$$$$$$$${f} $$(1)/etc/freeradius2/ ; \
+               $(CP) $(PKG_INSTALL_DIR)/etc/freeradius2/$$$$$$$${f} $$(1)/etc/freeradius2/$$$$$$$${f} ; \
        done
   endef
 
@@ -390,8 +499,8 @@ endef
 
 $(eval $(call BuildPackage,freeradius2))
 $(eval $(call BuildPackage,freeradius2-democerts))
-$(eval $(call BuildPlugin,freeradius2-mod-chap,rlm_chap,))
-$(eval $(call BuildPlugin,freeradius2-mod-detail,rlm_detail,))
+$(eval $(call BuildPlugin,freeradius2-mod-chap,rlm_chap,modules/chap,modules,))
+$(eval $(call BuildPlugin,freeradius2-mod-detail,rlm_detail,modules/detail,modules,))
 $(eval $(call BuildPlugin,freeradius2-mod-eap,libfreeradius-eap rlm_eap,eap.conf))
 $(eval $(call BuildPlugin,freeradius2-mod-eap-gtc,rlm_eap_gtc,))
 $(eval $(call BuildPlugin,freeradius2-mod-eap-md5,rlm_eap_md5,))
@@ -399,17 +508,21 @@ $(eval $(call BuildPlugin,freeradius2-mod-eap-mschapv2,rlm_eap_mschapv2,))
 $(eval $(call BuildPlugin,freeradius2-mod-eap-peap,rlm_eap_peap,))
 $(eval $(call BuildPlugin,freeradius2-mod-eap-tls,rlm_eap_tls,))
 $(eval $(call BuildPlugin,freeradius2-mod-eap-ttls,rlm_eap_ttls,))
-$(eval $(call BuildPlugin,freeradius2-mod-exec,rlm_exec,))
-$(eval $(call BuildPlugin,freeradius2-mod-attr-rewrite,rlm_attr_rewrite))
-$(eval $(call BuildPlugin,freeradius2-mod-files,rlm_files,acct_users preproxy_users users))
-$(eval $(call BuildPlugin,freeradius2-mod-ldap,rlm_ldap,ldap.attrmap))
-$(eval $(call BuildPlugin,freeradius2-mod-mschap,rlm_mschap,))
-$(eval $(call BuildPlugin,freeradius2-mod-pap,rlm_pap,))
-$(eval $(call BuildPlugin,freeradius2-mod-preprocess,rlm_preprocess,hints huntgroups))
-$(eval $(call BuildPlugin,freeradius2-mod-realm,rlm_realm,proxy.conf))
-$(eval $(call BuildPlugin,freeradius2-mod-sql,rlm_sql,sql.conf))
+$(eval $(call BuildPlugin,freeradius2-mod-exec,rlm_exec,modules/exec modules/echo ,modules,))
+$(eval $(call BuildPlugin,freeradius2-mod-attr-rewrite,rlm_attr_rewrite,modules/attr_rewrite,modules,))
+$(eval $(call BuildPlugin,freeradius2-mod-files,rlm_files,acct_users preproxy_users users modules/files,modules,))
+$(eval $(call BuildPlugin,freeradius2-mod-ldap,rlm_ldap,ldap.attrmap modules/ldap,modules,))
+$(eval $(call BuildPlugin,freeradius2-mod-mschap,rlm_mschap,modules/mschap,modules,))
+$(eval $(call BuildPlugin,freeradius2-mod-pap,rlm_pap,modules/pap,modules,))
+$(eval $(call BuildPlugin,freeradius2-mod-preprocess,rlm_preprocess,hints huntgroups modules/preprocess,modules,))
+$(eval $(call BuildPlugin,freeradius2-mod-realm,rlm_realm,proxy.conf modules/realm modules/inner-eap,modules,))
+$(eval $(call BuildPlugin,freeradius2-mod-sql,rlm_sql,sql.conf,))
 $(eval $(call BuildPlugin,freeradius2-mod-sql-mysql,rlm_sql_mysql,))
 $(eval $(call BuildPlugin,freeradius2-mod-sql-pgsql,rlm_sql_postgresql,))
 $(eval $(call BuildPlugin,freeradius2-mod-sqlcounter,rlm_sqlcounter,))
-$(eval $(call BuildPlugin,freeradius2-mod-radutmp,rlm_radutmp,))
+$(eval $(call BuildPlugin,freeradius2-mod-radutmp,rlm_radutmp,modules/radutmp modules/sradutmp,modules,))
+$(eval $(call BuildPlugin,freeradius2-mod-logintime,rlm_logintime,modules/logintime,modules,))
+$(eval $(call BuildPlugin,freeradius2-mod-expr,rlm_expr,modules/expr,modules,))
+$(eval $(call BuildPlugin,freeradius2-mod-attr-filter,rlm_attr_filter,modules/attr_filter attrs attrs.access_reject attrs.accounting_response attrs.pre-proxy,modules,,))
+$(eval $(call BuildPlugin,freeradius2-mod-expiration,rlm_expiration,modules/expiration,modules,))
 $(eval $(call BuildPackage,freeradius2-utils))
index df49069..27f75c6 100644 (file)
@@ -3,15 +3,18 @@
 START=50
 
 DEFAULT=/etc/default/radiusd
-LOG_D=/var/log/radius
+LOG_D=/var/log
 RUN_D=/var/run
 PID_F=$RUN_D/radiusd.pid
+RADACCT_D=/var/db/radacct
+IPADDR=$(ifconfig br-lan | sed -n 's/.*dr:\(.*\)Bc.*/\1/p')
 
 start() {
        [ -f $DEFAULT ] && . $DEFAULT
        mkdir -p $LOG_D
        mkdir -p $RUN_D
-       radiusd $OPTIONS
+       mkdir -p $RADACCT_D
+       radiusd -i $IPADDR -p 1812,1813 $OPTIONS
 }
 
 stop() {
diff --git a/net/freeradius2/patches/002-openwrt-paths.patch b/net/freeradius2/patches/002-openwrt-paths.patch
new file mode 100644 (file)
index 0000000..276ca6f
--- /dev/null
@@ -0,0 +1,987 @@
+diff -Naur freeradius-server-2.1.4/raddb/attrs freeradius-server-2.1.4.new/raddb/attrs
+--- freeradius-server-2.1.4/raddb/attrs        2009-03-10 19:26:50.000000000 -0700
++++ freeradius-server-2.1.4.new/raddb/attrs    2009-04-07 15:09:02.000000000 -0700
+@@ -1,7 +1,4 @@
+ #
+-#     Configuration file for the rlm_attr_filter module.
+-#     Please see rlm_attr_filter(5) manpage for more information.
+-#
+ #     $Id$
+ #
+ #     This file contains security and configuration information
+diff -Naur freeradius-server-2.1.4/raddb/attrs.access_reject freeradius-server-2.1.4.new/raddb/attrs.access_reject
+--- freeradius-server-2.1.4/raddb/attrs.access_reject  2009-03-10 19:26:50.000000000 -0700
++++ freeradius-server-2.1.4.new/raddb/attrs.access_reject      2009-04-07 15:09:20.000000000 -0700
+@@ -1,7 +1,4 @@
+ #
+-#     Configuration file for the rlm_attr_filter module.
+-#     Please see rlm_attr_filter(5) manpage for more information.
+-#
+ #     $Id$
+ #
+ #     This configuration file is used to remove almost all of the attributes
+diff -Naur freeradius-server-2.1.4/raddb/attrs.accounting_response freeradius-server-2.1.4.new/raddb/attrs.accounting_response
+--- freeradius-server-2.1.4/raddb/attrs.accounting_response    2009-03-10 19:26:50.000000000 -0700
++++ freeradius-server-2.1.4.new/raddb/attrs.accounting_response        2009-04-07 15:09:32.000000000 -0700
+@@ -1,7 +1,4 @@
+ #
+-#     Configuration file for the rlm_attr_filter module.
+-#     Please see rlm_attr_filter(5) manpage for more information.
+-#
+ #     $Id$
+ #
+ #     This configuration file is used to remove almost all of the attributes
+diff -Naur freeradius-server-2.1.4/raddb/attrs.pre-proxy freeradius-server-2.1.4.new/raddb/attrs.pre-proxy
+--- freeradius-server-2.1.4/raddb/attrs.pre-proxy      2009-03-10 19:26:50.000000000 -0700
++++ freeradius-server-2.1.4.new/raddb/attrs.pre-proxy  2009-04-07 15:09:44.000000000 -0700
+@@ -1,7 +1,4 @@
+ #
+-#     Configuration file for the rlm_attr_filter module.
+-#     Please see rlm_attr_filter(5) manpage for more information.
+-#
+ #     $Id$
+ #
+ #     This file contains security and configuration information
+diff -Naur freeradius-server-2.1.4/raddb/dictionary.in freeradius-server-2.1.4.new/raddb/dictionary.in
+--- freeradius-server-2.1.4/raddb/dictionary.in        2009-03-10 19:26:50.000000000 -0700
++++ freeradius-server-2.1.4.new/raddb/dictionary.in    2009-04-07 15:10:18.000000000 -0700
+@@ -11,14 +11,12 @@
+ #
+ #     The filename given here should be an absolute path. 
+ #
+-$INCLUDE      @prefix@/share/freeradius/dictionary
++$INCLUDE      @prefix@/share/freeradius2/dictionary
+ #
+ #     Place additional attributes or $INCLUDEs here.  They will
+ #     over-ride the definitions in the pre-defined dictionaries.
+ #
+-#     See the 'man' page for 'dictionary' for information on
+-#     the format of the dictionary files.
+ #
+ #     If you want to add entries to the dictionary file,
+diff -Naur freeradius-server-2.1.4/raddb/eap.conf freeradius-server-2.1.4.new/raddb/eap.conf
+--- freeradius-server-2.1.4/raddb/eap.conf     2009-03-10 19:26:50.000000000 -0700
++++ freeradius-server-2.1.4.new/raddb/eap.conf 2009-04-07 15:20:28.000000000 -0700
+@@ -27,7 +27,7 @@
+               #  then that EAP type takes precedence over the
+               #  default type configured here.
+               #
+-              default_eap_type = md5
++              default_eap_type = peap
+               #  A list is maintained to correlate EAP-Response
+               #  packets with EAP-Request packets.  After a
+@@ -72,23 +72,8 @@
+               #  for wireless connections.  It is insecure, and does
+               #  not provide for dynamic WEP keys.
+               #
+-              md5 {
+-              }
+-
+-              # Cisco LEAP
+-              #
+-              #  We do not recommend using LEAP in new deployments.  See:
+-              #  http://www.securiteam.com/tools/5TP012ACKE.html
+-              #
+-              #  Cisco LEAP uses the MS-CHAP algorithm (but not
+-              #  the MS-CHAP attributes) to perform it's authentication.
+-              #
+-              #  As a result, LEAP *requires* access to the plain-text
+-              #  User-Password, or the NT-Password attributes.
+-              #  'System' authentication is impossible with LEAP.
+-              #
+-              leap {
+-              }
++#             md5 {
++#             }
+               #  Generic Token Card.
+               #
+@@ -101,10 +86,10 @@
+               #  the users password will go over the wire in plain-text,
+               #  for anyone to see.
+               #
+-              gtc {
++#             gtc {
+                       #  The default challenge, which many clients
+                       #  ignore..
+-                      #challenge = "Password: "
++#                     challenge = "Password: "
+                       #  The plain-text response which comes back
+                       #  is put into a User-Password attribute,
+@@ -118,8 +103,8 @@
+                       #  configured for the request, and do the
+                       #  authentication itself.
+                       #
+-                      auth_type = PAP
+-              }
++#                     auth_type = PAP
++#             }
+               ## EAP-TLS
+               #
+@@ -130,11 +115,6 @@
+               #  built, the "tls", "ttls", and "peap" sections will
+               #  be ignored.
+               #
+-              #  Otherwise, when the server first starts in debugging
+-              #  mode, test certificates will be created.  See the
+-              #  "make_cert_command" below for details, and the README
+-              #  file in raddb/certs
+-              #
+               #  These test certificates SHOULD NOT be used in a normal
+               #  deployment.  They are created only to make it easier
+               #  to install the server, and to perform some simple
+@@ -201,7 +181,7 @@
+                       #  In these cases, fragment size should be
+                       #  1024 or less.
+                       #
+-              #       fragment_size = 1024
++                      fragment_size = 1024
+                       #  include_length is a flag which is
+                       #  by default set to yes If set to
+@@ -211,7 +191,7 @@
+                       #  message is included ONLY in the
+                       #  First packet of a fragment series.
+                       #
+-              #       include_length = yes
++                      include_length = yes
+                       #  Check the Certificate Revocation List
+                       #
+@@ -220,83 +200,74 @@
+                       #    'c_rehash' is OpenSSL's command.
+                       #  3) uncomment the line below.
+                       #  5) Restart radiusd
+-              #       check_crl = yes
+-              #       CA_path = /path/to/directory/with/ca_certs/and/crls/
++#                     check_crl = yes
++#                     CA_path = /path/to/directory/with/ca_certs/and/crls/
++
++                      #
++                      #  If check_cert_issuer is set, the value will
++                      #  be checked against the DN of the issuer in
++                      #  the client certificate.  If the values do not
++                      #  match, the cerficate verification will fail,
++                      #  rejecting the user.
++                      #
++#                    check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
++
++                      #
++                      #  If check_cert_cn is set, the value will
++                      #  be xlat'ed and checked against the CN
++                      #  in the client certificate.  If the values
++                      #  do not match, the certificate verification
++                      #  will fail rejecting the user.
++                      #
++                      #  This check is done only if the previous
++                      #  "check_cert_issuer" is not set, or if
++                      #  the check succeeds.
++                      #
++#                     check_cert_cn = %{User-Name}
+-                     #
+-                     #  If check_cert_issuer is set, the value will
+-                     #  be checked against the DN of the issuer in
+-                     #  the client certificate.  If the values do not
+-                     #  match, the cerficate verification will fail,
+-                     #  rejecting the user.
+-                     #
+-              #       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
+-
+-                     #
+-                     #  If check_cert_cn is set, the value will
+-                     #  be xlat'ed and checked against the CN
+-                     #  in the client certificate.  If the values
+-                     #  do not match, the certificate verification
+-                     #  will fail rejecting the user.
+-                     #
+-                     #  This check is done only if the previous
+-                     #  "check_cert_issuer" is not set, or if
+-                     #  the check succeeds.
+-                     #
+-              #       check_cert_cn = %{User-Name}
+-              #
+                       # Set this option to specify the allowed
+                       # TLS cipher suites.  The format is listed
+                       # in "man 1 ciphers".
+                       cipher_list = "DEFAULT"
+                       #
+-
+-                      #  This configuration entry should be deleted
+-                      #  once the server is running in a normal
+-                      #  configuration.  It is here ONLY to make
+-                      #  initial deployments easier.
+-                      #
+-                      make_cert_command = "${certdir}/bootstrap"
+-
+-                      #
+                       #  Session resumption / fast reauthentication
+                       #  cache.
+                       #
+-                      cache {
+-                            #
+-                            #  Enable it.  The default is "no".
+-                            #  Deleting the entire "cache" subsection
+-                            #  Also disables caching.
+-                            #
+-                            #  You can disallow resumption for a
+-                            #  particular user by adding the following
+-                            #  attribute to the control item list:
+-                            #
+-                            #         Allow-Session-Resumption = No
+-                            #
+-                            #  If "enable = no" below, you CANNOT
+-                            #  enable resumption for just one user
+-                            #  by setting the above attribute to "yes".
+-                            #
+-                            enable = no
+-
+-                            #
+-                            #  Lifetime of the cached entries, in hours.
+-                            #  The sessions will be deleted after this
+-                            #  time.
+-                            #
+-                            lifetime = 24 # hours
+-
+-                            #
+-                            #  The maximum number of entries in the
+-                            #  cache.  Set to "0" for "infinite".
+-                            #
+-                            #  This could be set to the number of users
+-                            #  who are logged in... which can be a LOT.
+-                            #
+-                            max_entries = 255
+-                      }
++#                     cache {
++                              #
++                              #  Enable it.  The default is "no".
++                              #  Deleting the entire "cache" subsection
++                              #  Also disables caching.
++                              #
++                              #  You can disallow resumption for a
++                              #  particular user by adding the following
++                              #  attribute to the control item list:
++                              #
++                              #               Allow-Session-Resumption = No
++                              #
++                              #  If "enable = no" below, you CANNOT
++                              #  enable resumption for just one user
++                              #  by setting the above attribute to "yes".
++                              #
++#                             enable = no
++
++                              #
++                              #  Lifetime of the cached entries, in hours.
++                              #  The sessions will be deleted after this
++                              #  time.
++                              #
++#                             lifetime = 24 # hours
++
++                              #
++                              #  The maximum number of entries in the
++                              #  cache.  Set to "0" for "infinite".
++                              #
++                              #  This could be set to the number of users
++                              #  who are logged in... which can be a LOT.
++                              #
++#                             max_entries = 255
++#                     }
+               }
+               #  The TTLS module implements the EAP-TTLS protocol,
+@@ -320,7 +291,7 @@
+               #
+               #  in the control items for a request.
+               #
+-              ttls {
++#             ttls {
+                       #  The tunneled EAP session needs a default
+                       #  EAP type which is separate from the one for
+                       #  the non-tunneled EAP module.  Inside of the
+@@ -328,7 +299,7 @@
+                       #  If the request does not contain an EAP
+                       #  conversation, then this configuration entry
+                       #  is ignored.
+-                      default_eap_type = md5
++#                     default_eap_type = mschapv2
+                       #  The tunneled authentication request does
+                       #  not usually contain useful attributes
+@@ -344,7 +315,7 @@
+                       #  is copied to the tunneled request.
+                       #
+                       # allowed values: {no, yes}
+-                      copy_request_to_tunnel = no
++#                     copy_request_to_tunnel = yes
+                       #  The reply attributes sent to the NAS are
+                       #  usually based on the name of the user
+@@ -357,20 +328,8 @@
+                       #  the tunneled request.
+                       #
+                       # allowed values: {no, yes}
+-                      use_tunneled_reply = no
+-
+-                      #
+-                      #  The inner tunneled request can be sent
+-                      #  through a virtual server constructed
+-                      #  specifically for this purpose.
+-                      #
+-                      #  If this entry is commented out, the inner
+-                      #  tunneled request will be sent through
+-                      #  the virtual server that processed the
+-                      #  outer requests.
+-                      #
+-                      virtual_server = "inner-tunnel"
+-              }
++#                     use_tunneled_reply = yes
++#             }
+               ##################################################
+               #
+@@ -433,26 +392,16 @@
+                       #  the PEAP module also has these configuration
+                       #  items, which are the same as for TTLS.
+-                      copy_request_to_tunnel = no
+-                      use_tunneled_reply = no
++                      copy_request_to_tunnel = yes
++                      use_tunneled_reply = yes
+                       #  When the tunneled session is proxied, the
+                       #  home server may not understand EAP-MSCHAP-V2.
+                       #  Set this entry to "no" to proxy the tunneled
+                       #  EAP-MSCHAP-V2 as normal MSCHAPv2.
+-              #       proxy_tunneled_request_as_eap = yes
++                      proxy_tunneled_request_as_eap = no
+-                      #
+-                      #  The inner tunneled request can be sent
+-                      #  through a virtual server constructed
+-                      #  specifically for this purpose.
+-                      #
+-                      #  If this entry is commented out, the inner
+-                      #  tunneled request will be sent through
+-                      #  the virtual server that processed the
+-                      #  outer requests.
+-                      #
+-                      virtual_server = "inner-tunnel"
++                      EAP-TLS-Require-Client-Cert = no
+               }
+               #
+diff -Naur freeradius-server-2.1.4/raddb/ldap.attrmap freeradius-server-2.1.4.new/raddb/ldap.attrmap
+--- freeradius-server-2.1.4/raddb/ldap.attrmap 2009-03-10 19:26:50.000000000 -0700
++++ freeradius-server-2.1.4.new/raddb/ldap.attrmap     2009-04-07 15:21:54.000000000 -0700
+@@ -13,8 +13,7 @@
+ #                         If not present, defaults to "==" for checkItems,
+ #                         and "=" for replyItems.
+ #                         If present, the operator here should be one
+-#                         of the same operators as defined in the "users"3
+-#                         file ("man users", or "man 5 users").
++#                         of the same operators as defined in the "users" file.
+ #                         If an operator is present in the value of the
+ #                         LDAP entry (i.e. ":=foo"), then it over-rides
+ #                         both the default, and any operator given here.
+diff -Naur freeradius-server-2.1.4/raddb/modules/counter freeradius-server-2.1.4.new/raddb/modules/counter
+--- freeradius-server-2.1.4/raddb/modules/counter      2009-03-10 19:26:50.000000000 -0700
++++ freeradius-server-2.1.4.new/raddb/modules/counter  2009-04-08 01:34:16.000000000 -0700
+@@ -69,7 +69,7 @@
+ #  'check-name' attribute.
+ #
+ counter daily {
+-      filename = ${db_dir}/db.daily
++      filename = ${radacctdir}/db.daily
+       key = User-Name
+       count-attribute = Acct-Session-Time
+       reset = daily
+diff -Naur freeradius-server-2.1.4/raddb/modules/detail freeradius-server-2.1.4.new/raddb/modules/detail
+--- freeradius-server-2.1.4/raddb/modules/detail       2009-03-10 19:26:50.000000000 -0700
++++ freeradius-server-2.1.4.new/raddb/modules/detail   2009-04-07 15:28:33.000000000 -0700
+@@ -46,8 +46,7 @@
+       #
+       #  Every entry in the detail file has a header which
+-      #  is a timestamp.  By default, we use the ctime
+-      #  format (see "man ctime" for details).
++      #  is a timestamp.  By default, we use the ctime format.
+       #
+       #  The header can be customized by editing this
+       #  string.  See "doc/variables.txt" for a description
+diff -Naur freeradius-server-2.1.4/raddb/modules/exec freeradius-server-2.1.4.new/raddb/modules/exec
+--- freeradius-server-2.1.4/raddb/modules/exec 2009-03-10 19:26:50.000000000 -0700
++++ freeradius-server-2.1.4.new/raddb/modules/exec     2009-04-07 15:29:45.000000000 -0700
+@@ -15,9 +15,8 @@
+ #  of the program which is executed.  Due to RADIUS protocol
+ #  limitations, any output over 253 bytes will be ignored.
+ #
+-#  The RADIUS attributes from the user request will be placed
+-#  into environment variables of the executed program, as
+-#  described in "man unlang" and in doc/variables.txt
++#  The RADIUS attributes from the user request will be placed into environment
++#  variables of the executed program, as described in doc/variables.txt
+ #
+ #  See also "echo" for more sample configuration.
+ #
+diff -Naur freeradius-server-2.1.4/raddb/modules/pap freeradius-server-2.1.4.new/raddb/modules/pap
+--- freeradius-server-2.1.4/raddb/modules/pap  2009-03-10 19:26:50.000000000 -0700
++++ freeradius-server-2.1.4.new/raddb/modules/pap      2009-04-07 15:31:17.000000000 -0700
+@@ -4,8 +4,7 @@
+ # PAP module to authenticate users based on their stored password
+ #
+-#  Supports multiple encryption/hash schemes.  See "man rlm_pap"
+-#  for details.
++#  Supports multiple encryption/hash schemes.
+ #
+ #  The "auto_header" configuration item can be set to "yes".
+ #  In this case, the module will look inside of the User-Password
+@@ -14,5 +13,5 @@
+ #  with the correct value.  It will also automatically handle
+ #  Base-64 encoded data, hex strings, and binary data.
+ pap {
+-      auto_header = no
++      auto_header = yes
+ }
+diff -Naur freeradius-server-2.1.4/raddb/modules/radutmp freeradius-server-2.1.4.new/raddb/modules/radutmp
+--- freeradius-server-2.1.4/raddb/modules/radutmp      2009-03-10 19:26:50.000000000 -0700
++++ freeradius-server-2.1.4.new/raddb/modules/radutmp  2009-04-07 11:13:56.000000000 -0700
+@@ -12,7 +12,7 @@
+       #  Where the file is stored.  It's not a log file,
+       #  so it doesn't need rotating.
+       #
+-      filename = ${logdir}/radutmp
++      filename = ${radacctdir}/radutmp
+       #  The field in the packet to key on for the
+       #  'user' name,  If you have other fields which you want
+diff -Naur freeradius-server-2.1.4/raddb/modules/sradutmp freeradius-server-2.1.4.new/raddb/modules/sradutmp
+--- freeradius-server-2.1.4/raddb/modules/sradutmp     2009-03-10 19:26:50.000000000 -0700
++++ freeradius-server-2.1.4.new/raddb/modules/sradutmp 2009-04-07 11:14:07.000000000 -0700
+@@ -10,7 +10,7 @@
+ # then name "sradutmp" to identify it later in the "accounting"
+ # section.
+ radutmp sradutmp {
+-      filename = ${logdir}/sradutmp
++      filename = ${radacctdir}/sradutmp
+       perm = 0644
+       callerid = "no"
+ }
+diff -Naur freeradius-server-2.1.4/raddb/preproxy_users freeradius-server-2.1.4.new/raddb/preproxy_users
+--- freeradius-server-2.1.4/raddb/preproxy_users       2009-03-10 19:26:50.000000000 -0700
++++ freeradius-server-2.1.4.new/raddb/preproxy_users   2009-04-07 15:23:02.000000000 -0700
+@@ -1,6 +1,5 @@
+ #
+ #  Configuration file for the rlm_files module.
+-#  Please see rlm_files(5) manpage for more information.
+ #
+ #  $Id$
+ #
+diff -Naur freeradius-server-2.1.4/raddb/proxy.conf freeradius-server-2.1.4.new/raddb/proxy.conf
+--- freeradius-server-2.1.4/raddb/proxy.conf   2009-03-10 19:26:50.000000000 -0700
++++ freeradius-server-2.1.4.new/raddb/proxy.conf       2009-04-07 15:22:45.000000000 -0700
+@@ -525,9 +525,8 @@
+ #  This section defines a new-style "realm".  Note the in version 2.0,
+ #  there are many fewer configuration items than in 1.x for a realm.
+ #
+-#  Automatic proxying is done via the "realms" module (see "man
+-#  rlm_realm").  To manually proxy the request put this entry in the
+-#  "users" file:
++#  Automatic proxying is done via the "realms" module.
++#  To manually proxy the request put this entry in the "users" file:
+ #
+ #
+diff -Naur freeradius-server-2.1.4/raddb/radiusd.conf.in freeradius-server-2.1.4.new/raddb/radiusd.conf.in
+--- freeradius-server-2.1.4/raddb/radiusd.conf.in      2009-03-10 19:26:50.000000000 -0700
++++ freeradius-server-2.1.4.new/raddb/radiusd.conf.in  2009-04-07 15:34:38.000000000 -0700
+@@ -8,11 +8,6 @@
+ ######################################################################
+ #
+-#     Read "man radiusd" before editing this file.  See the section
+-#     titled DEBUGGING.  It outlines a method where you can quickly
+-#     obtain the configuration you want, without running into
+-#     trouble.
+-#
+ #     Run the server in debugging mode, and READ the output.
+ #
+ #             $ radiusd -X
+@@ -41,14 +36,8 @@
+ #     file, it is exported through the API to modules that ask for
+ #     it.
+ #
+-#     See "man radiusd.conf" for documentation on the format of this
+-#     file.  Note that the individual configuration items are NOT
+-#     documented in that "man" page.  They are only documented here,
+-#     in the comments.
+-#
+ #     As of 2.0.0, FreeRADIUS supports a simple processing language
+ #     in the "authorize", "authenticate", "accounting", etc. sections.
+-#     See "man unlang" for details.
+ #
+ prefix = @prefix@
+@@ -66,7 +55,7 @@
+ #  Location of config and logfiles.
+ confdir = ${raddbdir}
+-run_dir = ${localstatedir}/run/${name}
++run_dir = ${localstatedir}/run
+ # Should likely be ${localstatedir}/lib/radiusd
+ db_dir = ${raddbdir}
+@@ -112,7 +101,7 @@
+ #
+ #  This file is written when ONLY running in daemon mode.
+ #
+-#  e.g.:  kill -HUP `cat /var/run/radiusd/radiusd.pid`
++#  e.g.:  kill -HUP `cat /var/run/radiusd.pid`
+ #
+ pidfile = ${run_dir}/${name}.pid
+@@ -283,7 +272,7 @@
+       #  If your system does not support this feature, you will
+       #  get an error if you try to use it.
+       #
+-#     interface = eth0
++      interface = br-lan
+       #  Per-socket lists of clients.  This is a very useful feature.
+       #
+@@ -310,7 +299,7 @@
+ #     ipv6addr = ::
+       port = 0
+       type = acct
+-#     interface = eth0
++      interface = br-lan
+ #     clients = per_socket_clients
+ }
+@@ -445,9 +434,6 @@
+       auth_goodpass = no
+ }
+-#  The program to execute to do concurrency checks.
+-checkrad = ${sbindir}/checkrad
+-
+ # SECURITY CONFIGURATION
+ #
+ #  There may be multiple methods of attacking on the server.  This
+@@ -522,8 +508,8 @@
+ #
+ #  allowed values: {no, yes}
+ #
+-proxy_requests  = yes
+-$INCLUDE proxy.conf
++proxy_requests  = no
++#$INCLUDE proxy.conf
+ # CLIENTS CONFIGURATION
+@@ -675,10 +661,6 @@
+       #
+ #     $INCLUDE sql/mysql/counter.conf
+-      #
+-      #  IP addresses managed in an SQL table.
+-      #
+-#     $INCLUDE sqlippool.conf
+ }
+ # Instantiation
+@@ -703,7 +685,7 @@
+       #  The entire command line (and output) must fit into 253 bytes.
+       #
+       #  e.g. Framed-Pool = `%{exec:/bin/echo foo}`
+-      exec
++#     exec
+       #
+       #  The expression module doesn't do authorization,
+@@ -716,15 +698,15 @@
+       #  listed in any other section.  See 'doc/rlm_expr' for
+       #  more information.
+       #
+-      expr
++#     expr
+       #
+       # We add the counter module here so that it registers
+       # the check-name attribute before any module which sets
+       # it
+ #     daily
+-      expiration
+-      logintime
++#     expiration
++#     logintime
+       # subsections here can be thought of as "virtual" modules.
+       #
+@@ -748,7 +730,7 @@
+ #     to multiple times.
+ #
+ ######################################################################
+-$INCLUDE policy.conf
++#$INCLUDE policy.conf
+ ######################################################################
+ #
+@@ -758,9 +740,9 @@
+ #     match the regular expression: /[a-zA-Z0-9_.]+/
+ #
+ #     It allows you to define new virtual servers simply by placing
+-#     a file into the raddb/sites-enabled/ directory.
++#     a file into the /etc/freeradius2/sites/ directory.
+ #
+-$INCLUDE sites-enabled/
++$INCLUDE sites/
+ ######################################################################
+ #
+@@ -768,15 +750,11 @@
+ #     "authenticate {}", "accounting {}", have been moved to the
+ #     the file:
+ #
+-#             raddb/sites-available/default
++#             /etc/freeradius2/sites/default
+ #
+ #     This is the "default" virtual server that has the same
+ #     configuration as in version 1.0.x and 1.1.x.  The default
+ #     installation enables this virtual server.  You should
+ #     edit it to create policies for your local site.
+ #
+-#     For more documentation on virtual servers, see:
+-#
+-#             raddb/sites-available/README
+-#
+ ######################################################################
+diff -Naur freeradius-server-2.1.4/raddb/sites-available/default freeradius-server-2.1.4.new/raddb/sites-available/default
+--- freeradius-server-2.1.4/raddb/sites-available/default      2009-03-10 19:26:50.000000000 -0700
++++ freeradius-server-2.1.4.new/raddb/sites-available/default  2009-04-07 15:27:12.000000000 -0700
+@@ -11,12 +11,6 @@
+ #
+ ######################################################################
+ #
+-#     Read "man radiusd" before editing this file.  See the section
+-#     titled DEBUGGING.  It outlines a method where you can quickly
+-#     obtain the configuration you want, without running into
+-#     trouble.  See also "man unlang", which documents the format
+-#     of this file.
+-#
+ #     This configuration is designed to work in the widest possible
+ #     set of circumstances, with the widest possible number of
+ #     authentication methods.  This means that in general, you should
+@@ -69,7 +63,7 @@
+       #  'raddb/huntgroups' files.
+       #
+       #  It also adds the %{Client-IP-Address} attribute to the request.
+-      preprocess
++#     preprocess
+       #
+       #  If you want to have a log of authentication requests,
+@@ -80,7 +74,7 @@
+       #
+       #  The chap module will set 'Auth-Type := CHAP' if we are
+       #  handling a CHAP request and Auth-Type has not already been set
+-      chap
++#     chap
+       #
+       #  If the users are logging in with an MS-CHAP-Challenge
+@@ -88,13 +82,7 @@
+       #  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
+       #  to the request, which will cause the server to then use
+       #  the mschap module for authentication.
+-      mschap
+-
+-      #
+-      #  If you have a Cisco SIP server authenticating against
+-      #  FreeRADIUS, uncomment the following line, and the 'digest'
+-      #  line in the 'authenticate' section.
+-#     digest
++#     mschap
+       #
+       #  Look for IPASS style 'realm/', and if not found, look for
+@@ -108,7 +96,7 @@
+       #  Otherwise, when the first style of realm doesn't match,
+       #  the other styles won't be checked.
+       #
+-      suffix
++#     suffix
+ #     ntdomain
+       #
+@@ -133,14 +121,6 @@
+       }
+       #
+-      #  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
+-      #  using the system API's to get the password.  If you want
+-      #  to read /etc/passwd or /etc/shadow directly, see the
+-      #  passwd module in radiusd.conf.
+-      #
+-      unix
+-
+-      #
+       #  Read the 'users' file
+       files
+@@ -152,28 +132,11 @@
+ #     sql
+       #
+-      #  If you are using /etc/smbpasswd, and are also doing
+-      #  mschap authentication, the un-comment this line, and
+-      #  configure the 'etc_smbpasswd' module, above.
+-#     etc_smbpasswd
+-
+-      #
+       #  The ldap module will set Auth-Type to LDAP if it has not
+       #  already been set
+ #     ldap
+       #
+-      #  Enforce daily limits on time spent logged in.
+-#     daily
+-
+-      #
+-      # Use the checkval module
+-#     checkval
+-
+-      expiration
+-      logintime
+-
+-      #
+       #  If no other module has claimed responsibility for
+       #  authentication, then try to use PAP.  This allows the
+       #  other modules listed above to add a "known good" password
+@@ -248,24 +211,6 @@
+               mschap
+       }
+-      #
+-      #  If you have a Cisco SIP server authenticating against
+-      #  FreeRADIUS, uncomment the following line, and the 'digest'
+-      #  line in the 'authorize' section.
+-#     digest
+-
+-      #
+-      #  Pluggable Authentication Modules.
+-#     pam
+-
+-      #
+-      #  See 'man getpwent' for information on how the 'unix'
+-      #  module checks the users password.  Note that packets
+-      #  containing CHAP-Password attributes CANNOT be authenticated
+-      #  against /etc/passwd!  See the FAQ for details.
+-      #  
+-      unix
+-
+       # Uncomment it if you want to use ldap for authentication
+       #
+       # Note that this means "check plain-text password against
+@@ -278,19 +223,15 @@
+       #
+       #  Allow EAP authentication.
+       eap
++      pap
+ }
+ #
+ #  Pre-accounting.  Decide which accounting type to use.
+ #
+-preacct {
+-      preprocess
+-
+-      #
+-      #  Ensure that we have a semi-unique identifier for every
+-      #  request, and many NAS boxes are broken.
+-      acct_unique
++#preacct {
++#     preprocess
+       #
+       #  Look for IPASS-style 'realm/', and if not found, look for
+@@ -300,13 +241,13 @@
+       #  Accounting requests are generally proxied to the same
+       #  home server as authentication requests.
+ #     IPASS
+-      suffix
++#     suffix
+ #     ntdomain
+       #
+       #  Read the 'acct_users' file
+-      files
+-}
++#     files
++#}
+ #
+ #  Accounting.  Log the accounting data.
+@@ -316,14 +257,9 @@
+       #  Create a 'detail'ed log of the packets.
+       #  Note that accounting requests which are proxied
+       #  are also logged in the detail file.
+-      detail
++#     detail
+ #     daily
+-      #  Update the wtmp file
+-      #
+-      #  If you don't use "radlast", you can delete this line.
+-      unix
+-
+       #
+       #  For Simultaneous-Use tracking.
+       #
+@@ -332,9 +268,6 @@
+       radutmp
+ #     sradutmp
+-      #  Return an address to the IP Pool when we see a stop record.
+-#     main_pool
+-
+       #
+       #  Log traffic to an SQL database.
+       #
+@@ -351,7 +284,7 @@
+ #     pgsql-voip
+       #  Filter attributes from the accounting response.
+-      attr_filter.accounting_response
++      #attr_filter.accounting_response
+       #
+       #  See "Autz-Type Status-Server" for how this works.
+@@ -377,10 +310,7 @@
+ #  Post-Authentication
+ #  Once we KNOW that the user has been authenticated, there are
+ #  additional steps we can take.
+-post-auth {
+-      #  Get an address from the IP Pool.
+-#     main_pool
+-
++#post-auth {
+       #
+       #  If you want to have a log of authentication replies,
+       #  un-comment the following line, and the 'detail reply_log'
+@@ -406,7 +336,7 @@
+       #
+ #     ldap
+-      exec
++#     exec
+       #
+       #  Access-Reject packets are sent through the REJECT sub-section of the
+@@ -415,10 +345,10 @@
+       #  Add the ldap module name (or instance) if you have set 
+       #  'edir_account_policy_check = yes' in the ldap module configuration
+       #
+-      Post-Auth-Type REJECT {
+-              attr_filter.access_reject
+-      }
+-}
++#     Post-Auth-Type REJECT {
++#             attr_filter.access_reject
++#     }
++#}
+ #
+ #  When the server decides to proxy a request to a home server,
+@@ -428,7 +358,7 @@
+ #
+ #  Only a few modules currently have this method.
+ #
+-pre-proxy {
++#pre-proxy {
+ #     attr_rewrite
+       #  Uncomment the following line if you want to change attributes
+@@ -444,14 +374,14 @@
+       #  server, un-comment the following line, and the
+       #  'detail pre_proxy_log' section, above.
+ #     pre_proxy_log
+-}
++#}
+ #
+ #  When the server receives a reply to a request it proxied
+ #  to a home server, the request may be massaged here, in the
+ #  post-proxy stage.
+ #
+-post-proxy {
++#post-proxy {
+       #  If you want to have a log of replies from a home server,
+       #  un-comment the following line, and the 'detail post_proxy_log'
+@@ -475,7 +405,7 @@
+       #  hidden inside of the EAP packet, and the end server will
+       #  reject the EAP request.
+       #
+-      eap
++#     eap
+       #
+       #  If the server tries to proxy a request and fails, then the
+@@ -497,6 +427,5 @@
+ #     Post-Proxy-Type Fail {
+ #                     detail
+ #     }
+-
+-}
++#}
+diff -Naur freeradius-server-2.1.4/raddb/users freeradius-server-2.1.4.new/raddb/users
+--- freeradius-server-2.1.4/raddb/users        2009-03-10 19:26:50.000000000 -0700
++++ freeradius-server-2.1.4.new/raddb/users    2009-04-07 15:23:54.000000000 -0700
+@@ -1,6 +1,5 @@
+ #
+-#     Please read the documentation file ../doc/processing_users_file,
+-#     or 'man 5 users' (after installing the server) for more information.
++#     Please read the documentation file ../doc/processing_users_file.
+ #
+ #     This file contains authentication security and configuration
+ #     information for each user.  Accounting requests are NOT processed
+@@ -169,22 +168,22 @@
+ #     by the terminal server in which case there may not be a "P" suffix.
+ #     The terminal server sends "Framed-Protocol = PPP" for auto PPP.
+ #
+-DEFAULT       Framed-Protocol == PPP
+-      Framed-Protocol = PPP,
+-      Framed-Compression = Van-Jacobson-TCP-IP
++#DEFAULT      Framed-Protocol == PPP
++#     Framed-Protocol = PPP,
++#     Framed-Compression = Van-Jacobson-TCP-IP
+ #
+ # Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
+ #
+-DEFAULT       Hint == "CSLIP"
+-      Framed-Protocol = SLIP,
+-      Framed-Compression = Van-Jacobson-TCP-IP
++#DEFAULT      Hint == "CSLIP"
++#     Framed-Protocol = SLIP,
++#     Framed-Compression = Van-Jacobson-TCP-IP
+ #
+ # Default for SLIP: dynamic IP address, SLIP mode.
+ #
+-DEFAULT       Hint == "SLIP"
+-      Framed-Protocol = SLIP
++#DEFAULT      Hint == "SLIP"
++#     Framed-Protocol = SLIP
+ #
+ # Last default: rlogin to our main server.