From: Florian Fainelli
Date: Tue, 12 May 2009 09:40:31 +0000 (+0000)
Subject: [package] update freeradius2 to 2.1.4, add more modules (#4930)
X-Git-Url: http://git.openwrt.org/?p=openwrt%2Fsvn-archive%2Farchive.git;a=commitdiff_plain;h=0d6e2d3ef4464c21a74ea31df9ad7d5b2f8e0f93

[package] update freeradius2 to 2.1.4, add more modules (#4930)

SVN-Revision: 15791
---

diff --git a/net/freeradius2/Makefile b/net/freeradius2/Makefile
index e84df05987..e9ceb2d4cb 100644
--- a/net/freeradius2/Makefile
+++ b/net/freeradius2/Makefile
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2008 OpenWrt.org
+# Copyright (C) 2008-2009 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -8,8 +8,8 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=freeradius2
-PKG_VERSION:=2.1.1
-PKG_RELEASE:=2
+PKG_VERSION:=2.1.4
+PKG_RELEASE:=1
 
 PKG_SOURCE:=freeradius-server-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=ftp://ftp.freeradius.org/pub/freeradius/
@@ -35,6 +35,7 @@ endef
 define Package/freeradius2/conffiles
 /etc/freeradius2/clients.conf
 /etc/freeradius2/radiusd.conf
+/etc/freeradius2/sites/default
 endef
 
 define Package/freeradius2-democerts
@@ -49,12 +50,20 @@ define Package/freeradius2-mod-chap
  TITLE:=CHAP module
 endef
 
+define Package/freeradius2-mod-chap/conffiles
+/etc/freeradius2/modules/chap
+endef
+
 define Package/freeradius2-mod-detail
  $(call Package/freeradius2/Default)
  DEPENDS:=freeradius2
  TITLE:=Detailed accounting module
 endef
 
+define Package/freeradius2-mod-detail/conffiles
+/etc/freeradius2/modules/detail
+endef
+
 define Package/freeradius2-mod-eap
  $(call Package/freeradius2/Default)
  DEPENDS:=freeradius2
@@ -107,12 +116,54 @@ define Package/freeradius2-mod-exec
  TITLE:=EXEC module
 endef
 
+define Package/freeradius2-mod-exec/conffiles
+/etc/freeradius2/modules/exec
+endef
+
+define Package/freeradius2-mod-expiration
+ $(call Package/freeradius2/Default)
+ DEPENDS:=freeradius2
+ TITLE:=Expiration module
+endef
+
+define Package/freeradius2-mod-expiration/conffiles
+/etc/freeradius2/modules/expiration
+endef
+
+define Package/freeradius2-mod-expr
+ $(call Package/freeradius2/Default)
+ DEPENDS:=freeradius2
+ TITLE:=EXPR module
+endef
+
+define Package/freeradius2-mod-expr/conffiles
+/etc/freeradius2/modules/expr
+endef
+
+define Package/freeradius2-mod-attr-filter
+ $(call Package/freeradius2/Default)
+ DEPENDS:=freeradius2
+ TITLE:=ATTR filter module
+endef
+
+define Package/freeradius2-mod-attr-filter/conffiles
+/etc/freeradius2/modules/attr_filter
+/etc/freeradius2/attrs
+/etc/freeradius2/attrs.access_reject
+/etc/freeradius2/attrs.accounting_response
+/etc/freeradius2/attrs.pre-proxy
+endef
+
 define Package/freeradius2-mod-attr-rewrite
  $(call Package/freeradius2/Default)
  DEPENDS:=freeradius2
  TITLE:=ATTR rewrite module
 endef
 
+define Package/freeradius2-mod-attr-rewrite/conffiles
+/etc/freeradius2/modules/attr_rewrite
+endef
+
 define Package/freeradius2-mod-files
  $(call Package/freeradius2/Default)
  DEPENDS:=freeradius2
@@ -123,6 +174,7 @@ define Package/freeradius2-mod-files/conffiles
 /etc/freeradius2/acct_users
 /etc/freeradius2/preproxy_users
 /etc/freeradius2/users
+/etc/freeradius2/modules/files
 endef
 
 define Package/freeradius2-mod-ldap
@@ -133,6 +185,17 @@ endef
 
 define Package/freeradius2-mod-ldap/conffiles
 /etc/freeradius2/ldap.attrmap
+/etc/freeradius2/modules/ldap
+endef
+
+define Package/freeradius2-mod-logintime
+ $(call Package/freeradius2/Default)
+ DEPENDS:=freeradius2
+ TITLE:=Logintime module
+endef
+
+define Package/freeradius2-mod-logintime/conffiles
+/etc/freeradius2/modules/logintime
 endef
 
 define Package/freeradius2-mod-mschap
@@ -141,12 +204,20 @@ define Package/freeradius2-mod-mschap
  TITLE:=MS-CHAP and MS-CHAPv2 module
 endef
 
+define Package/freeradius2-mod-mschap/conffiles
+/etc/freeradius2/modules/mschap
+endef
+
 define Package/freeradius2-mod-pap
  $(call Package/freeradius2/Default)
  DEPENDS:=freeradius2
  TITLE:=PAP module
 endef
 
+define Package/freeradius2-mod-pap/conffiles
+/etc/freeradius2/modules/pap
+endef
+
 define Package/freeradius2-mod-preprocess
  $(call Package/freeradius2/Default)
  DEPENDS:=freeradius2
@@ -156,6 +227,7 @@ endef
 define Package/freeradius2-mod-preprocess/conffiles
 /etc/freeradius2/hints
 /etc/freeradius2/huntgroups
+/etc/freeradius2/modules/preprocess
 endef
 
 define Package/freeradius2-mod-realm
@@ -166,6 +238,7 @@ endef
 
 define Package/freeradius2-mod-realm/conffiles
 /etc/freeradius2/proxy.conf
+/etc/freeradius2/modules/realm
 endef
 
 define Package/freeradius2-mod-sql
@@ -174,6 +247,10 @@ define Package/freeradius2-mod-sql
  TITLE:=Base SQL module
 endef
 
+define Package/freeradius2-mod-sql/conffiles
+/etc/freeradius2/sql.conf
+endef
+
 define Package/freeradius2-mod-sql-mysql
  $(call Package/freeradius2/Default)
  DEPENDS:=freeradius2-mod-sql +libmysqlclient
@@ -198,6 +275,11 @@ define Package/freeradius2-mod-radutmp
  TITLE:=Radius UTMP module
 endef
 
+define Package/freeradius2-mod-radutmp/conffiles
+/etc/freeradius2/modules/radutmp
+/etc/freeradius2/modules/sradutmp
+endef
+
 define Package/freeradius2-utils
  $(call Package/freeradius2/Default)
  DEPENDS:=freeradius2
@@ -210,25 +292,31 @@ CONFIGURE_ARGS+= \
  --enable-shared \
  --disable-static \
  --disable-developer \
+ --with-threads \
  --with-openssl-includes="$(STAGING_DIR)/usr/include" \
  --with-openssl-libraries="$(STAGING_DIR)/usr/lib" \
  --enable-strict-dependencies \
  --with-raddbdir=/etc/freeradius2 \
+ --with-radacctdir=/var/db/radacct \
+ --with-logdir=/var/log \
  --without-edir \
  --without-snmp \
  --without-rlm_checkval \
- --without-rlm_counter \
  --without-rlm_dbm \
+ --without-rlm_counter \
+ --with-rlm_expr \
  --with-rlm_eap \
  --without-rlm_eap_sim \
  --without-rlm_example \
  --without-rlm_ippool \
  --without-rlm_krb5 \
  --without-rlm_otp \
+ --without-rlm_smsotp \
  --without-rlm_pam \
  --without-rlm_perl \
  --without-rlm_python \
  --without-rlm_smb \
+ --without-rlm_always \
  --with-rlm_sql \
  --with-rlm_sqlcounter \
  --without-rlm_sqlhpwippool \
@@ -267,9 +355,9 @@ endif
 ifneq ($(SDK)$(CONFIG_PACKAGE_freeradius2-mod-sql-mysql),)
  CONFIGURE_ARGS+= \
  --with-mysql-include-dir="$(STAGING_DIR)/usr/include" \
- --with-mysql-lib-dir="$(STAGING_DIR)/usr/lib/mysql" \
- --without-threads
+ --with-mysql-lib-dir="$(STAGING_DIR)/usr/lib/mysql"
  CONFIGURE_LIBS+= -lz
+ CONFIGURE_VARS+= ac_cv_lib_mysqlclient_r_mysql_init=yes
 else
  CONFIGURE_ARGS+= --without-rlm_sql_mysql
 endif
@@ -324,6 +412,18 @@ else
  CONFIGURE_ARGS+= --without-rlm_radutmp
 endif
 
+ifneq ($(SDK)$(CONFIG_PACKAGE_freeradius2-mod-logintime),)
+ CONFIGURE_ARGS+= --with-rlm_logintime
+else
+ CONFIGURE_ARGS+= --without-rlm_logintime
+endif
+
+ifneq ($(SDK)$(CONFIG_PACKAGE_freeradius2-mod-expiration),)
+ CONFIGURE_ARGS+= --with-rlm_expiration
+else
+ CONFIGURE_ARGS+= --without-rlm_expiration
+endif
+
 CONFIGURE_VARS+= \
  LDFLAGS="$$$$LDFLAGS" \
  LIBS="$(CONFIGURE_LIBS)" \
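Review bot: `--with-radacctdir=/var/db/radacct` and `--with-logdir=/var/log` place the accounting detail files, the radutmp/sradutmp state and the server log under /var, which on OpenWrt is normally a symlink into tmpfs, so the accounting trail and log are discarded at every reboot. If those records are meant to serve as an audit trail, either point radacctdir at flash-backed storage or make the volatility explicit with a comment on the two lines, e.g. `# /var is tmpfs on OpenWrt: radacct and log data do not survive a reboot`. I cannot see the `log {}`/`listen {}` settings from this hunk, so this is inferred from the configure paths alone.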
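Review bot: `CONFIGURE_VARS+= ac_cv_lib_mysqlclient_r_mysql_init=yes` pre-seeds configure's cache so the link test for libmysqlclient_r never runs, and together with dropping `--without-threads` (with `--with-threads` now in CONFIGURE_ARGS) the build asserts a thread-safe MySQL client is present without ever checking. If the staged libmysqlclient has no `_r` variant this surfaces only at link time or, depending on how configure falls back, may link the non-reentrant client into a now-threaded server. The reason for forcing the cache entry is not stated; a one-line comment would save the next maintainer the archaeology, e.g. `# configure's libmysqlclient_r link test cannot run when cross-compiling; assume the staged library provides it`.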
@@ -334,14 +434,17 @@ define Build/Compile
  $(MAKE) -C $(PKG_BUILD_DIR) \
  R="$(PKG_INSTALL_DIR)" \
  INSTALLSTRIP="" \
- all install
+ all certs install
 endef
 
 define Package/freeradius2/install
  $(INSTALL_DIR) $(1)/etc/freeradius2
- for f in clients.conf dictionary radiusd.conf; do \
+ $(INSTALL_DIR) $(1)/etc/freeradius2/modules
+ $(INSTALL_DIR) $(1)/etc/freeradius2/sites
+ for f in clients.conf dictionary radiusd.conf policy.conf; do \
  $(CP) $(PKG_INSTALL_DIR)/etc/freeradius2/$$$${f} $(1)/etc/freeradius2/ ; \
  done
+ $(CP) $(PKG_INSTALL_DIR)/etc/freeradius2/sites-available/default $(1)/etc/freeradius2/sites/default
  $(INSTALL_DIR) $(1)/usr/share/freeradius2
  $(CP) $(PKG_INSTALL_DIR)/usr/share/freeradius/dictionary $(1)/usr/share/freeradius2/
  $(SED) "s,^\(\$$$$INCLUDE\),#\1,g" $(1)/usr/share/freeradius2/dictionary
@@ -350,7 +453,7 @@ define Package/freeradius2/install
  $(SED) "s,^#\(\$$$$INCLUDE dictionary\.$$$${f}\),\1,g" $(1)/usr/share/freeradius2/dictionary ; \
  done
  $(INSTALL_DIR) $(1)/usr/lib/freeradius2
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/freeradius2/libfreeradius-radius{,-*}.so $(1)/usr/lib/
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/freeradius2/libfreeradius-radius{,-*}.so $(1)/usr/lib/freeradius2
  $(INSTALL_DIR) $(1)/usr/sbin
  $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/radiusd $(1)/usr/sbin/
  $(INSTALL_DIR) $(1)/etc/init.d
@@ -364,6 +467,11 @@ define Package/freeradius2-democerts/install
  rm -rf $(1)/etc/freeradius2/certs/new*
  rm -rf $(1)/etc/freeradius2/certs/demoCA/index*
  rm -rf $(1)/etc/freeradius2/certs/demoCA/serial*
+ rm -rf $(1)/etc/freeradius2/certs/bootstrap
+ rm -rf $(1)/etc/freeradius2/certs/Makefile
+ rm -rf $(1)/etc/freeradius2/certs/ca.cnf
+ rm -rf $(1)/etc/freeradius2/certs/client.cnf
+ rm -rf $(1)/etc/freeradius2/certs/server.cnf
 endef
 
 define Package/freeradius2-utils/install
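Review bot: `all certs install` runs upstream's `certs` target on the build host, so the CA and server private keys behind EAP-TLS/PEAP/TTLS are generated once per build and shipped identically to every device that installs freeradius2-democerts; anyone holding the same image or the published .ipk holds the RADIUS server's private key and can impersonate the server to supplicants that trust the shipped CA and, with an RSA key exchange, likely decrypt recorded PEAP/TTLS handshakes and the inner credentials they protect. Upstream's eap.conf states these test certificates should not be used in a normal deployment, and the democerts install hunk in this same commit removes `bootstrap`, `Makefile` and the `*.cnf` files, so on-device regeneration is no longer possible with what ships. Prefer generating the key material on the device (keep the bootstrap tooling, or a first-boot step that runs it), or at minimum add a comment here such as `# NOTE: certs are generated at build time and are identical on every device; demo use only` and say the same in the democerts package description. The Package/freeradius2/install body continues past the end of this hunk.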
@@ -375,13 +483,14 @@ endef
 
 define BuildPlugin
  define Package/$(1)/install
- [ -z "$(2)" ] || $(INSTALL_DIR) $$(1)/usr/lib
+ [ -z "$(2)" ] || $(INSTALL_DIR) $$(1)/usr/lib/freeradius2
  for m in $(2); do \
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/freeradius2/$$$$$$$${m}{,-*}.so $$(1)/usr/lib/ ; \
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/freeradius2/$$$$$$$${m}{,-*}.so $$(1)/usr/lib/freeradius2 ; \
  done
  [ -z "$(3)" ] || $(INSTALL_DIR) $$(1)/etc/freeradius2
+ [ -z "$(4)" ] || $(INSTALL_DIR) $$(1)/etc/freeradius2/$(4)
  for f in $(3); do \
- $(CP) $(PKG_INSTALL_DIR)/etc/freeradius2/$$$$$$$${f} $$(1)/etc/freeradius2/ ; \
+ $(CP) $(PKG_INSTALL_DIR)/etc/freeradius2/$$$$$$$${f} $$(1)/etc/freeradius2/$$$$$$$${f} ; \
  done
  endef
 
@@ -390,8 +499,8 @@ endef
 
 $(eval $(call BuildPackage,freeradius2))
 $(eval $(call BuildPackage,freeradius2-democerts))
-$(eval $(call BuildPlugin,freeradius2-mod-chap,rlm_chap,))
-$(eval $(call BuildPlugin,freeradius2-mod-detail,rlm_detail,))
+$(eval $(call BuildPlugin,freeradius2-mod-chap,rlm_chap,modules/chap,modules,))
+$(eval $(call BuildPlugin,freeradius2-mod-detail,rlm_detail,modules/detail,modules,))
 $(eval $(call BuildPlugin,freeradius2-mod-eap,libfreeradius-eap rlm_eap,eap.conf))
 $(eval $(call BuildPlugin,freeradius2-mod-eap-gtc,rlm_eap_gtc,))
 $(eval $(call BuildPlugin,freeradius2-mod-eap-md5,rlm_eap_md5,))
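Review bot: The `$(3)` copy loop uses `$(CP)`, which keeps whatever mode the files carry in PKG_INSTALL_DIR, yet some of what flows through it holds secrets — `sql.conf` (database login and password) from the mod-sql call, and the base package's own loop does the same for `clients.conf` (RADIUS shared secrets) — so if they arrive as 0644 anything unprivileged on the device can read them. OpenWrt's rules.mk provides `$(INSTALL_CONF)` (0600) for this case; `$(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/freeradius2/$$$$$$$${f} $$(1)/etc/freeradius2/$$$$$$$${f} ; \` keeps the new per-file destination while pinning the mode. The init script in this commit starts radiusd without dropping privileges, so 0600 should be sufficient; if a dedicated user is introduced later, 0640 with a matching group will be needed instead.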
@@ -399,17 +508,21 @@ $(eval $(call BuildPlugin,freeradius2-mod-eap-mschapv2,rlm_eap_mschapv2,))
 $(eval $(call BuildPlugin,freeradius2-mod-eap-peap,rlm_eap_peap,))
 $(eval $(call BuildPlugin,freeradius2-mod-eap-tls,rlm_eap_tls,))
 $(eval $(call BuildPlugin,freeradius2-mod-eap-ttls,rlm_eap_ttls,))
-$(eval $(call BuildPlugin,freeradius2-mod-exec,rlm_exec,))
-$(eval $(call BuildPlugin,freeradius2-mod-attr-rewrite,rlm_attr_rewrite))
-$(eval $(call BuildPlugin,freeradius2-mod-files,rlm_files,acct_users preproxy_users users))
-$(eval $(call BuildPlugin,freeradius2-mod-ldap,rlm_ldap,ldap.attrmap))
-$(eval $(call BuildPlugin,freeradius2-mod-mschap,rlm_mschap,))
-$(eval $(call BuildPlugin,freeradius2-mod-pap,rlm_pap,))
-$(eval $(call BuildPlugin,freeradius2-mod-preprocess,rlm_preprocess,hints huntgroups))
-$(eval $(call BuildPlugin,freeradius2-mod-realm,rlm_realm,proxy.conf))
-$(eval $(call BuildPlugin,freeradius2-mod-sql,rlm_sql,sql.conf))
+$(eval $(call BuildPlugin,freeradius2-mod-exec,rlm_exec,modules/exec modules/echo ,modules,))
+$(eval $(call BuildPlugin,freeradius2-mod-attr-rewrite,rlm_attr_rewrite,modules/attr_rewrite,modules,))
+$(eval $(call BuildPlugin,freeradius2-mod-files,rlm_files,acct_users preproxy_users users modules/files,modules,))
+$(eval $(call BuildPlugin,freeradius2-mod-ldap,rlm_ldap,ldap.attrmap modules/ldap,modules,))
+$(eval $(call BuildPlugin,freeradius2-mod-mschap,rlm_mschap,modules/mschap,modules,))
+$(eval $(call BuildPlugin,freeradius2-mod-pap,rlm_pap,modules/pap,modules,))
+$(eval $(call BuildPlugin,freeradius2-mod-preprocess,rlm_preprocess,hints huntgroups modules/preprocess,modules,))
+$(eval $(call BuildPlugin,freeradius2-mod-realm,rlm_realm,proxy.conf modules/realm modules/inner-eap,modules,))
+$(eval $(call BuildPlugin,freeradius2-mod-sql,rlm_sql,sql.conf,))
 $(eval $(call BuildPlugin,freeradius2-mod-sql-mysql,rlm_sql_mysql,))
 $(eval $(call BuildPlugin,freeradius2-mod-sql-pgsql,rlm_sql_postgresql,))
 $(eval $(call BuildPlugin,freeradius2-mod-sqlcounter,rlm_sqlcounter,))
-$(eval $(call BuildPlugin,freeradius2-mod-radutmp,rlm_radutmp,))
+$(eval $(call BuildPlugin,freeradius2-mod-radutmp,rlm_radutmp,modules/radutmp modules/sradutmp,modules,))
+$(eval $(call BuildPlugin,freeradius2-mod-logintime,rlm_logintime,modules/logintime,modules,))
+$(eval $(call BuildPlugin,freeradius2-mod-expr,rlm_expr,modules/expr,modules,))
+$(eval $(call BuildPlugin,freeradius2-mod-attr-filter,rlm_attr_filter,modules/attr_filter attrs attrs.access_reject attrs.accounting_response attrs.pre-proxy,modules,,))
+$(eval $(call BuildPlugin,freeradius2-mod-expiration,rlm_expiration,modules/expiration,modules,))
 $(eval $(call BuildPackage,freeradius2-utils))
diff --git a/net/freeradius2/files/radiusd.init b/net/freeradius2/files/radiusd.init
index df4906911d..27f75c6ef0 100644
--- a/net/freeradius2/files/radiusd.init
+++ b/net/freeradius2/files/radiusd.init
@@ -3,15 +3,18 @@
 START=50
 
 DEFAULT=/etc/default/radiusd
-LOG_D=/var/log/radius
+LOG_D=/var/log
 RUN_D=/var/run
 PID_F=$RUN_D/radiusd.pid
+RADACCT_D=/var/db/radacct
+IPADDR=$(ifconfig br-lan | sed -n 's/.*dr:\(.*\)Bc.*/\1/p')
 
 start() {
  [ -f $DEFAULT ] && . $DEFAULT
  mkdir -p $LOG_D
  mkdir -p $RUN_D
- radiusd $OPTIONS
+ mkdir -p $RADACCT_D
+ radiusd -i $IPADDR -p 1812,1813 $OPTIONS
 }
 
 stop() {
diff --git a/net/freeradius2/patches/002-openwrt-paths.patch b/net/freeradius2/patches/002-openwrt-paths.patch
new file mode 100644
index 0000000000..276ca6f1cc
--- /dev/null
+++ b/net/freeradius2/patches/002-openwrt-paths.patch
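Review bot: `modules/inner-eap` is shipped by freeradius2-mod-realm, but in upstream 2.1.x that file defines an `eap inner-eap { ... }` instance; since radiusd.conf includes every file under `${confdir}/modules/`, a device with mod-realm installed but not mod-eap would, if that is the file being packaged here, fail at startup on the missing rlm_eap. The parallel placement of `modules/echo` (an `exec` instance) with mod-exec is the right pattern, so either move the file to the eap call — `$(eval $(call BuildPlugin,freeradius2-mod-eap,libfreeradius-eap rlm_eap,eap.conf modules/inner-eap,modules,))` — or add `+freeradius2-mod-eap` to mod-realm's DEPENDS, which lives outside this hunk. Separately, `modules/echo ` carries a trailing space in the `$(3)` argument; harmless in the shell loop, but worth trimming.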
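Review bot: `IPADDR=$(ifconfig br-lan | sed -n 's/.*dr:\(.*\)Bc.*/\1/p')` is evaluated unguarded at script load (also on `stop`), and if br-lan is absent, named differently, or has no IPv4 address yet at START=50, `$IPADDR` is empty and the unquoted `radiusd -i $IPADDR -p 1812,1813` becomes `radiusd -i -p 1812,1813`, so `-p` is consumed as the address and the daemon most likely refuses to start rather than quietly listening on all interfaces — which is the better failure, but it should be explicit. Fail closed and quote: `[ -n "$IPADDR" ] || { echo "radiusd: no IPv4 address on br-lan, not starting" >&2; return 1; }` followed by `radiusd -i "$IPADDR" -p 1812,1813 $OPTIONS`. If I read radiusd's option handling correctly, `-i`/`-p` take precedence over the `listen {}` sections, so the `interface = br-lan` this commit adds to radiusd.conf cannot be changed by editing the conffile while the init script hard-codes the socket; one of the two should be the single source of truth. `mkdir -p $RADACCT_D` would also benefit from `-m 0700`, since the detail files it will hold record usernames and NAS data.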
@@ -0,0 +1,987 @@ +diff -Naur freeradius-server-2.1.4/raddb/attrs freeradius-server-2.1.4.new/raddb/attrs +--- freeradius-server-2.1.4/raddb/attrs 2009-03-10 19:26:50.000000000 -0700 ++++ freeradius-server-2.1.4.new/raddb/attrs 2009-04-07 15:09:02.000000000 -0700 +@@ -1,7 +1,4 @@ + # +-# Configuration file for the rlm_attr_filter module. +-# Please see rlm_attr_filter(5) manpage for more information. +-# + # $Id$ + # + # This file contains security and configuration information +diff -Naur freeradius-server-2.1.4/raddb/attrs.access_reject freeradius-server-2.1.4.new/raddb/attrs.access_reject +--- freeradius-server-2.1.4/raddb/attrs.access_reject 2009-03-10 19:26:50.000000000 -0700 ++++ freeradius-server-2.1.4.new/raddb/attrs.access_reject 2009-04-07 15:09:20.000000000 -0700 +@@ -1,7 +1,4 @@ + # +-# Configuration file for the rlm_attr_filter module. +-# Please see rlm_attr_filter(5) manpage for more information. +-# + # $Id$ + # + # This configuration file is used to remove almost all of the attributes +diff -Naur freeradius-server-2.1.4/raddb/attrs.accounting_response freeradius-server-2.1.4.new/raddb/attrs.accounting_response +--- freeradius-server-2.1.4/raddb/attrs.accounting_response 2009-03-10 19:26:50.000000000 -0700 ++++ freeradius-server-2.1.4.new/raddb/attrs.accounting_response 2009-04-07 15:09:32.000000000 -0700 +@@ -1,7 +1,4 @@ + # +-# Configuration file for the rlm_attr_filter module. +-# Please see rlm_attr_filter(5) manpage for more information. +-# + # $Id$ + # + # This configuration file is used to remove almost all of the attributes +diff -Naur freeradius-server-2.1.4/raddb/attrs.pre-proxy freeradius-server-2.1.4.new/raddb/attrs.pre-proxy +--- freeradius-server-2.1.4/raddb/attrs.pre-proxy 2009-03-10 19:26:50.000000000 -0700 ++++ freeradius-server-2.1.4.new/raddb/attrs.pre-proxy 2009-04-07 15:09:44.000000000 -0700 +@@ -1,7 +1,4 @@ + # +-# Configuration file for the rlm_attr_filter module. 
+-# Please see rlm_attr_filter(5) manpage for more information. +-# + # $Id$ + # + # This file contains security and configuration information +diff -Naur freeradius-server-2.1.4/raddb/dictionary.in freeradius-server-2.1.4.new/raddb/dictionary.in +--- freeradius-server-2.1.4/raddb/dictionary.in 2009-03-10 19:26:50.000000000 -0700 ++++ freeradius-server-2.1.4.new/raddb/dictionary.in 2009-04-07 15:10:18.000000000 -0700 +@@ -11,14 +11,12 @@ + # + # The filename given here should be an absolute path. + # +-$INCLUDE @prefix@/share/freeradius/dictionary ++$INCLUDE @prefix@/share/freeradius2/dictionary + + # + # Place additional attributes or $INCLUDEs here. They will + # over-ride the definitions in the pre-defined dictionaries. + # +-# See the 'man' page for 'dictionary' for information on +-# the format of the dictionary files. + + # + # If you want to add entries to the dictionary file, +diff -Naur freeradius-server-2.1.4/raddb/eap.conf freeradius-server-2.1.4.new/raddb/eap.conf +--- freeradius-server-2.1.4/raddb/eap.conf 2009-03-10 19:26:50.000000000 -0700 ++++ freeradius-server-2.1.4.new/raddb/eap.conf 2009-04-07 15:20:28.000000000 -0700 +@@ -27,7 +27,7 @@ + # then that EAP type takes precedence over the + # default type configured here. + # +- default_eap_type = md5 ++ default_eap_type = peap + + # A list is maintained to correlate EAP-Response + # packets with EAP-Request packets. After a +@@ -72,23 +72,8 @@ + # for wireless connections. It is insecure, and does + # not provide for dynamic WEP keys. + # +- md5 { +- } +- +- # Cisco LEAP +- # +- # We do not recommend using LEAP in new deployments. See: +- # http://www.securiteam.com/tools/5TP012ACKE.html +- # +- # Cisco LEAP uses the MS-CHAP algorithm (but not +- # the MS-CHAP attributes) to perform it's authentication. +- # +- # As a result, LEAP *requires* access to the plain-text +- # User-Password, or the NT-Password attributes. +- # 'System' authentication is impossible with LEAP. 
+- # +- leap { +- } ++# md5 { ++# } + + # Generic Token Card. + # +@@ -101,10 +86,10 @@ + # the users password will go over the wire in plain-text, + # for anyone to see. + # +- gtc { ++# gtc { + # The default challenge, which many clients + # ignore.. +- #challenge = "Password: " ++# challenge = "Password: " + + # The plain-text response which comes back + # is put into a User-Password attribute, +@@ -118,8 +103,8 @@ + # configured for the request, and do the + # authentication itself. + # +- auth_type = PAP +- } ++# auth_type = PAP ++# } + + ## EAP-TLS + # +@@ -130,11 +115,6 @@ + # built, the "tls", "ttls", and "peap" sections will + # be ignored. + # +- # Otherwise, when the server first starts in debugging +- # mode, test certificates will be created. See the +- # "make_cert_command" below for details, and the README +- # file in raddb/certs +- # + # These test certificates SHOULD NOT be used in a normal + # deployment. They are created only to make it easier + # to install the server, and to perform some simple +@@ -201,7 +181,7 @@ + # In these cases, fragment size should be + # 1024 or less. + # +- # fragment_size = 1024 ++ fragment_size = 1024 + + # include_length is a flag which is + # by default set to yes If set to +@@ -211,7 +191,7 @@ + # message is included ONLY in the + # First packet of a fragment series. + # +- # include_length = yes ++ include_length = yes + + # Check the Certificate Revocation List + # +@@ -220,83 +200,74 @@ + # 'c_rehash' is OpenSSL's command. + # 3) uncomment the line below. + # 5) Restart radiusd +- # check_crl = yes +- # CA_path = /path/to/directory/with/ca_certs/and/crls/ ++# check_crl = yes ++# CA_path = /path/to/directory/with/ca_certs/and/crls/ ++ ++ # ++ # If check_cert_issuer is set, the value will ++ # be checked against the DN of the issuer in ++ # the client certificate. If the values do not ++ # match, the cerficate verification will fail, ++ # rejecting the user. 
++ # ++# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" ++ ++ # ++ # If check_cert_cn is set, the value will ++ # be xlat'ed and checked against the CN ++ # in the client certificate. If the values ++ # do not match, the certificate verification ++ # will fail rejecting the user. ++ # ++ # This check is done only if the previous ++ # "check_cert_issuer" is not set, or if ++ # the check succeeds. ++ # ++# check_cert_cn = %{User-Name} + +- # +- # If check_cert_issuer is set, the value will +- # be checked against the DN of the issuer in +- # the client certificate. If the values do not +- # match, the cerficate verification will fail, +- # rejecting the user. +- # +- # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" +- +- # +- # If check_cert_cn is set, the value will +- # be xlat'ed and checked against the CN +- # in the client certificate. If the values +- # do not match, the certificate verification +- # will fail rejecting the user. +- # +- # This check is done only if the previous +- # "check_cert_issuer" is not set, or if +- # the check succeeds. +- # +- # check_cert_cn = %{User-Name} +- # + # Set this option to specify the allowed + # TLS cipher suites. The format is listed + # in "man 1 ciphers". + cipher_list = "DEFAULT" + + # +- +- # This configuration entry should be deleted +- # once the server is running in a normal +- # configuration. It is here ONLY to make +- # initial deployments easier. +- # +- make_cert_command = "${certdir}/bootstrap" +- +- # + # Session resumption / fast reauthentication + # cache. + # +- cache { +- # +- # Enable it. The default is "no". +- # Deleting the entire "cache" subsection +- # Also disables caching. 
+- # +- # You can disallow resumption for a +- # particular user by adding the following +- # attribute to the control item list: +- # +- # Allow-Session-Resumption = No +- # +- # If "enable = no" below, you CANNOT +- # enable resumption for just one user +- # by setting the above attribute to "yes". +- # +- enable = no +- +- # +- # Lifetime of the cached entries, in hours. +- # The sessions will be deleted after this +- # time. +- # +- lifetime = 24 # hours +- +- # +- # The maximum number of entries in the +- # cache. Set to "0" for "infinite". +- # +- # This could be set to the number of users +- # who are logged in... which can be a LOT. +- # +- max_entries = 255 +- } ++# cache { ++ # ++ # Enable it. The default is "no". ++ # Deleting the entire "cache" subsection ++ # Also disables caching. ++ # ++ # You can disallow resumption for a ++ # particular user by adding the following ++ # attribute to the control item list: ++ # ++ # Allow-Session-Resumption = No ++ # ++ # If "enable = no" below, you CANNOT ++ # enable resumption for just one user ++ # by setting the above attribute to "yes". ++ # ++# enable = no ++ ++ # ++ # Lifetime of the cached entries, in hours. ++ # The sessions will be deleted after this ++ # time. ++ # ++# lifetime = 24 # hours ++ ++ # ++ # The maximum number of entries in the ++ # cache. Set to "0" for "infinite". ++ # ++ # This could be set to the number of users ++ # who are logged in... which can be a LOT. ++ # ++# max_entries = 255 ++# } + } + + # The TTLS module implements the EAP-TTLS protocol, +@@ -320,7 +291,7 @@ + # + # in the control items for a request. + # +- ttls { ++# ttls { + # The tunneled EAP session needs a default + # EAP type which is separate from the one for + # the non-tunneled EAP module. Inside of the +@@ -328,7 +299,7 @@ + # If the request does not contain an EAP + # conversation, then this configuration entry + # is ignored. 
+- default_eap_type = md5 ++# default_eap_type = mschapv2 + + # The tunneled authentication request does + # not usually contain useful attributes +@@ -344,7 +315,7 @@ + # is copied to the tunneled request. + # + # allowed values: {no, yes} +- copy_request_to_tunnel = no ++# copy_request_to_tunnel = yes + + # The reply attributes sent to the NAS are + # usually based on the name of the user +@@ -357,20 +328,8 @@ + # the tunneled request. + # + # allowed values: {no, yes} +- use_tunneled_reply = no +- +- # +- # The inner tunneled request can be sent +- # through a virtual server constructed +- # specifically for this purpose. +- # +- # If this entry is commented out, the inner +- # tunneled request will be sent through +- # the virtual server that processed the +- # outer requests. +- # +- virtual_server = "inner-tunnel" +- } ++# use_tunneled_reply = yes ++# } + + ################################################## + # +@@ -433,26 +392,16 @@ + + # the PEAP module also has these configuration + # items, which are the same as for TTLS. +- copy_request_to_tunnel = no +- use_tunneled_reply = no ++ copy_request_to_tunnel = yes ++ use_tunneled_reply = yes + + # When the tunneled session is proxied, the + # home server may not understand EAP-MSCHAP-V2. + # Set this entry to "no" to proxy the tunneled + # EAP-MSCHAP-V2 as normal MSCHAPv2. +- # proxy_tunneled_request_as_eap = yes ++ proxy_tunneled_request_as_eap = no + +- # +- # The inner tunneled request can be sent +- # through a virtual server constructed +- # specifically for this purpose. +- # +- # If this entry is commented out, the inner +- # tunneled request will be sent through +- # the virtual server that processed the +- # outer requests. 
+- # +- virtual_server = "inner-tunnel" ++ EAP-TLS-Require-Client-Cert = no + } + + # +diff -Naur freeradius-server-2.1.4/raddb/ldap.attrmap freeradius-server-2.1.4.new/raddb/ldap.attrmap +--- freeradius-server-2.1.4/raddb/ldap.attrmap 2009-03-10 19:26:50.000000000 -0700 ++++ freeradius-server-2.1.4.new/raddb/ldap.attrmap 2009-04-07 15:21:54.000000000 -0700 +@@ -13,8 +13,7 @@ + # If not present, defaults to "==" for checkItems, + # and "=" for replyItems. + # If present, the operator here should be one +-# of the same operators as defined in the "users"3 +-# file ("man users", or "man 5 users"). ++# of the same operators as defined in the "users" file. + # If an operator is present in the value of the + # LDAP entry (i.e. ":=foo"), then it over-rides + # both the default, and any operator given here. +diff -Naur freeradius-server-2.1.4/raddb/modules/counter freeradius-server-2.1.4.new/raddb/modules/counter +--- freeradius-server-2.1.4/raddb/modules/counter 2009-03-10 19:26:50.000000000 -0700 ++++ freeradius-server-2.1.4.new/raddb/modules/counter 2009-04-08 01:34:16.000000000 -0700 +@@ -69,7 +69,7 @@ + # 'check-name' attribute. + # + counter daily { +- filename = ${db_dir}/db.daily ++ filename = ${radacctdir}/db.daily + key = User-Name + count-attribute = Acct-Session-Time + reset = daily +diff -Naur freeradius-server-2.1.4/raddb/modules/detail freeradius-server-2.1.4.new/raddb/modules/detail +--- freeradius-server-2.1.4/raddb/modules/detail 2009-03-10 19:26:50.000000000 -0700 ++++ freeradius-server-2.1.4.new/raddb/modules/detail 2009-04-07 15:28:33.000000000 -0700 +@@ -46,8 +46,7 @@ + + # + # Every entry in the detail file has a header which +- # is a timestamp. By default, we use the ctime +- # format (see "man ctime" for details). ++ # is a timestamp. By default, we use the ctime format. + # + # The header can be customized by editing this + # string. 
See "doc/variables.txt" for a description +diff -Naur freeradius-server-2.1.4/raddb/modules/exec freeradius-server-2.1.4.new/raddb/modules/exec +--- freeradius-server-2.1.4/raddb/modules/exec 2009-03-10 19:26:50.000000000 -0700 ++++ freeradius-server-2.1.4.new/raddb/modules/exec 2009-04-07 15:29:45.000000000 -0700 +@@ -15,9 +15,8 @@ + # of the program which is executed. Due to RADIUS protocol + # limitations, any output over 253 bytes will be ignored. + # +-# The RADIUS attributes from the user request will be placed +-# into environment variables of the executed program, as +-# described in "man unlang" and in doc/variables.txt ++# The RADIUS attributes from the user request will be placed into environment ++# variables of the executed program, as described in doc/variables.txt + # + # See also "echo" for more sample configuration. + # +diff -Naur freeradius-server-2.1.4/raddb/modules/pap freeradius-server-2.1.4.new/raddb/modules/pap +--- freeradius-server-2.1.4/raddb/modules/pap 2009-03-10 19:26:50.000000000 -0700 ++++ freeradius-server-2.1.4.new/raddb/modules/pap 2009-04-07 15:31:17.000000000 -0700 +@@ -4,8 +4,7 @@ + + # PAP module to authenticate users based on their stored password + # +-# Supports multiple encryption/hash schemes. See "man rlm_pap" +-# for details. ++# Supports multiple encryption/hash schemes. + # + # The "auto_header" configuration item can be set to "yes". + # In this case, the module will look inside of the User-Password +@@ -14,5 +13,5 @@ + # with the correct value. It will also automatically handle + # Base-64 encoded data, hex strings, and binary data. + pap { +- auto_header = no ++ auto_header = yes + } +diff -Naur freeradius-server-2.1.4/raddb/modules/radutmp freeradius-server-2.1.4.new/raddb/modules/radutmp +--- freeradius-server-2.1.4/raddb/modules/radutmp 2009-03-10 19:26:50.000000000 -0700 ++++ freeradius-server-2.1.4.new/raddb/modules/radutmp 2009-04-07 11:13:56.000000000 -0700 +@@ -12,7 +12,7 @@ + # Where the file is stored. 
It's not a log file, + # so it doesn't need rotating. + # +- filename = ${logdir}/radutmp ++ filename = ${radacctdir}/radutmp + + # The field in the packet to key on for the + # 'user' name, If you have other fields which you want +diff -Naur freeradius-server-2.1.4/raddb/modules/sradutmp freeradius-server-2.1.4.new/raddb/modules/sradutmp +--- freeradius-server-2.1.4/raddb/modules/sradutmp 2009-03-10 19:26:50.000000000 -0700 ++++ freeradius-server-2.1.4.new/raddb/modules/sradutmp 2009-04-07 11:14:07.000000000 -0700 +@@ -10,7 +10,7 @@ + # then name "sradutmp" to identify it later in the "accounting" + # section. + radutmp sradutmp { +- filename = ${logdir}/sradutmp ++ filename = ${radacctdir}/sradutmp + perm = 0644 + callerid = "no" + } +diff -Naur freeradius-server-2.1.4/raddb/preproxy_users freeradius-server-2.1.4.new/raddb/preproxy_users +--- freeradius-server-2.1.4/raddb/preproxy_users 2009-03-10 19:26:50.000000000 -0700 ++++ freeradius-server-2.1.4.new/raddb/preproxy_users 2009-04-07 15:23:02.000000000 -0700 +@@ -1,6 +1,5 @@ + # + # Configuration file for the rlm_files module. +-# Please see rlm_files(5) manpage for more information. + # + # $Id$ + # +diff -Naur freeradius-server-2.1.4/raddb/proxy.conf freeradius-server-2.1.4.new/raddb/proxy.conf +--- freeradius-server-2.1.4/raddb/proxy.conf 2009-03-10 19:26:50.000000000 -0700 ++++ freeradius-server-2.1.4.new/raddb/proxy.conf 2009-04-07 15:22:45.000000000 -0700 +@@ -525,9 +525,8 @@ + # This section defines a new-style "realm". Note the in version 2.0, + # there are many fewer configuration items than in 1.x for a realm. + # +-# Automatic proxying is done via the "realms" module (see "man +-# rlm_realm"). To manually proxy the request put this entry in the +-# "users" file: ++# Automatic proxying is done via the "realms" module. 
++# To manually proxy the request put this entry in the "users" file: + + # + # +diff -Naur freeradius-server-2.1.4/raddb/radiusd.conf.in freeradius-server-2.1.4.new/raddb/radiusd.conf.in +--- freeradius-server-2.1.4/raddb/radiusd.conf.in 2009-03-10 19:26:50.000000000 -0700 ++++ freeradius-server-2.1.4.new/raddb/radiusd.conf.in 2009-04-07 15:34:38.000000000 -0700 +@@ -8,11 +8,6 @@ + + ###################################################################### + # +-# Read "man radiusd" before editing this file. See the section +-# titled DEBUGGING. It outlines a method where you can quickly +-# obtain the configuration you want, without running into +-# trouble. +-# + # Run the server in debugging mode, and READ the output. + # + # $ radiusd -X +@@ -41,14 +36,8 @@ + # file, it is exported through the API to modules that ask for + # it. + # +-# See "man radiusd.conf" for documentation on the format of this +-# file. Note that the individual configuration items are NOT +-# documented in that "man" page. They are only documented here, +-# in the comments. +-# + # As of 2.0.0, FreeRADIUS supports a simple processing language + # in the "authorize", "authenticate", "accounting", etc. sections. +-# See "man unlang" for details. + # + + prefix = @prefix@ +@@ -66,7 +55,7 @@ + + # Location of config and logfiles. + confdir = ${raddbdir} +-run_dir = ${localstatedir}/run/${name} ++run_dir = ${localstatedir}/run + + # Should likely be ${localstatedir}/lib/radiusd + db_dir = ${raddbdir} +@@ -112,7 +101,7 @@ + # + # This file is written when ONLY running in daemon mode. + # +-# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid` ++# e.g.: kill -HUP `cat /var/run/radiusd.pid` + # + pidfile = ${run_dir}/${name}.pid + +@@ -283,7 +272,7 @@ + # If your system does not support this feature, you will + # get an error if you try to use it. + # +-# interface = eth0 ++ interface = br-lan + + # Per-socket lists of clients. This is a very useful feature. 
+ #
+@@ -310,7 +299,7 @@
+ # ipv6addr = ::
+ port = 0
+ type = acct
+-# interface = eth0
++ interface = br-lan
+ # clients = per_socket_clients
+ }
+ 
+@@ -445,9 +434,6 @@
+ auth_goodpass = no
+ }
+ 
+-# The program to execute to do concurrency checks.
+-checkrad = ${sbindir}/checkrad
+-
+ # SECURITY CONFIGURATION
+ #
+ # There may be multiple methods of attacking on the server. This
+@@ -522,8 +508,8 @@
+ #
+ # allowed values: {no, yes}
+ #
+-proxy_requests = yes
+-$INCLUDE proxy.conf
++proxy_requests = no
++#$INCLUDE proxy.conf
+ 
+ 
+ # CLIENTS CONFIGURATION
+@@ -675,10 +661,6 @@
+ #
+ # $INCLUDE sql/mysql/counter.conf
+ 
+- #
+- # IP addresses managed in an SQL table.
+- #
+-# $INCLUDE sqlippool.conf
+ }
+ 
+ # Instantiation
+@@ -703,7 +685,7 @@
+ # The entire command line (and output) must fit into 253 bytes.
+ #
+ # e.g. Framed-Pool = `%{exec:/bin/echo foo}`
+- exec
++# exec
+ 
+ #
+ # The expression module doesn't do authorization,
+@@ -716,15 +698,15 @@
+ # listed in any other section. See 'doc/rlm_expr' for
+ # more information.
+ #
+- expr
++# expr
+ 
+ #
+ # We add the counter module here so that it registers
+ # the check-name attribute before any module which sets
+ # it
+ # daily
+- expiration
+- logintime
++# expiration
++# logintime
+ 
+ # subsections here can be thought of as "virtual" modules.
+ #
+@@ -748,7 +730,7 @@
+ # to multiple times.
+ #
+ ######################################################################
+-$INCLUDE policy.conf
++#$INCLUDE policy.conf
+ 
+ ######################################################################
+ #
+@@ -758,9 +740,9 @@
+ # match the regular expression: /[a-zA-Z0-9_.]+/
+ #
+ # It allows you to define new virtual servers simply by placing
+-# a file into the raddb/sites-enabled/ directory.
++# a file into the /etc/freeradius2/sites/ directory.
+ #
+-$INCLUDE sites-enabled/
++$INCLUDE sites/
+ 
+ ######################################################################
+ #
+@@ -768,15 +750,11 @@
+ # "authenticate {}", "accounting {}", have been moved to the
+ # the file:
+ #
+-# raddb/sites-available/default
++# /etc/freeradius2/sites/default
+ #
+ # This is the "default" virtual server that has the same
+ # configuration as in version 1.0.x and 1.1.x. The default
+ # installation enables this virtual server. You should
+ # edit it to create policies for your local site.
+ #
+-# For more documentation on virtual servers, see:
+-#
+-# raddb/sites-available/README
+-#
+ ######################################################################
+diff -Naur freeradius-server-2.1.4/raddb/sites-available/default freeradius-server-2.1.4.new/raddb/sites-available/default
+--- freeradius-server-2.1.4/raddb/sites-available/default 2009-03-10 19:26:50.000000000 -0700
++++ freeradius-server-2.1.4.new/raddb/sites-available/default 2009-04-07 15:27:12.000000000 -0700
+@@ -11,12 +11,6 @@
+ #
+ ######################################################################
+ #
+-# Read "man radiusd" before editing this file. See the section
+-# titled DEBUGGING. It outlines a method where you can quickly
+-# obtain the configuration you want, without running into
+-# trouble. See also "man unlang", which documents the format
+-# of this file.
+-#
+ # This configuration is designed to work in the widest possible
+ # set of circumstances, with the widest possible number of
+ # authentication methods. This means that in general, you should
+@@ -69,7 +63,7 @@
+ # 'raddb/huntgroups' files.
+ #
+ # It also adds the %{Client-IP-Address} attribute to the request.
+- preprocess
++# preprocess
+ 
+ #
+ # If you want to have a log of authentication requests,
+@@ -80,7 +74,7 @@
+ #
+ # The chap module will set 'Auth-Type := CHAP' if we are
+ # handling a CHAP request and Auth-Type has not already been set
+- chap
++# chap
+ 
+ #
+ # If the users are logging in with an MS-CHAP-Challenge
+@@ -88,13 +82,7 @@
+ # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
+ # to the request, which will cause the server to then use
+ # the mschap module for authentication.
+- mschap
+-
+- #
+- # If you have a Cisco SIP server authenticating against
+- # FreeRADIUS, uncomment the following line, and the 'digest'
+- # line in the 'authenticate' section.
+-# digest
++# mschap
+ 
+ #
+ # Look for IPASS style 'realm/', and if not found, look for
+@@ -108,7 +96,7 @@
+ # Otherwise, when the first style of realm doesn't match,
+ # the other styles won't be checked.
+ #
+- suffix
++# suffix
+ # ntdomain
+ 
+ #
+@@ -133,14 +121,6 @@
+ }
+ 
+ #
+- # Pull crypt'd passwords from /etc/passwd or /etc/shadow,
+- # using the system API's to get the password. If you want
+- # to read /etc/passwd or /etc/shadow directly, see the
+- # passwd module in radiusd.conf.
+- #
+- unix
+-
+- #
+ # Read the 'users' file
+ files
+ 
+@@ -152,28 +132,11 @@
+ # sql
+ 
+ #
+- # If you are using /etc/smbpasswd, and are also doing
+- # mschap authentication, the un-comment this line, and
+- # configure the 'etc_smbpasswd' module, above.
+-# etc_smbpasswd
+-
+- #
+ # The ldap module will set Auth-Type to LDAP if it has not
+ # already been set
+ # ldap
+ 
+ #
+- # Enforce daily limits on time spent logged in.
+-# daily
+-
+- #
+- # Use the checkval module
+-# checkval
+-
+- expiration
+- logintime
+-
+- #
+ # If no other module has claimed responsibility for
+ # authentication, then try to use PAP.
This allows the
+ # other modules listed above to add a "known good" password
+@@ -248,24 +211,6 @@
+ mschap
+ }
+ 
+- #
+- # If you have a Cisco SIP server authenticating against
+- # FreeRADIUS, uncomment the following line, and the 'digest'
+- # line in the 'authorize' section.
+-# digest
+-
+- #
+- # Pluggable Authentication Modules.
+-# pam
+-
+- #
+- # See 'man getpwent' for information on how the 'unix'
+- # module checks the users password. Note that packets
+- # containing CHAP-Password attributes CANNOT be authenticated
+- # against /etc/passwd! See the FAQ for details.
+- #
+- unix
+-
+ # Uncomment it if you want to use ldap for authentication
+ #
+ # Note that this means "check plain-text password against
+@@ -278,19 +223,15 @@
+ #
+ # Allow EAP authentication.
+ eap
++ pap
+ }
+ 
+ 
+ #
+ # Pre-accounting. Decide which accounting type to use.
+ #
+-preacct {
+- preprocess
+-
+- #
+- # Ensure that we have a semi-unique identifier for every
+- # request, and many NAS boxes are broken.
+- acct_unique
++#preacct {
++# preprocess
+ 
+ #
+ # Look for IPASS-style 'realm/', and if not found, look for
+@@ -300,13 +241,13 @@
+ # Accounting requests are generally proxied to the same
+ # home server as authentication requests.
+ # IPASS
+- suffix
++# suffix
+ # ntdomain
+ 
+ #
+ # Read the 'acct_users' file
+- files
+-}
++# files
++#}
+ 
+ #
+ # Accounting. Log the accounting data.
+@@ -316,14 +257,9 @@
+ # Create a 'detail'ed log of the packets.
+ # Note that accounting requests which are proxied
+ # are also logged in the detail file.
+- detail
++# detail
+ # daily
+ 
+- # Update the wtmp file
+- #
+- # If you don't use "radlast", you can delete this line.
+- unix
+-
+ #
+ # For Simultaneous-Use tracking.
+ #
+@@ -332,9 +268,6 @@
+ radutmp
+ # sradutmp
+ 
+- # Return an address to the IP Pool when we see a stop record.
+-# main_pool
+-
+ #
+ # Log traffic to an SQL database.
+ #
+@@ -351,7 +284,7 @@
+ # pgsql-voip
+ 
+ # Filter attributes from the accounting response.
+- attr_filter.accounting_response
++ #attr_filter.accounting_response
+ 
+ #
+ # See "Autz-Type Status-Server" for how this works.
+@@ -377,10 +310,7 @@
+ # Post-Authentication
+ # Once we KNOW that the user has been authenticated, there are
+ # additional steps we can take.
+-post-auth {
+- # Get an address from the IP Pool.
+-# main_pool
+-
++#post-auth {
+ #
+ # If you want to have a log of authentication replies,
+ # un-comment the following line, and the 'detail reply_log'
+@@ -406,7 +336,7 @@
+ #
+ # ldap
+ 
+- exec
++# exec
+ 
+ #
+ # Access-Reject packets are sent through the REJECT sub-section of the
+@@ -415,10 +345,10 @@
+ # Add the ldap module name (or instance) if you have set
+ # 'edir_account_policy_check = yes' in the ldap module configuration
+ #
+- Post-Auth-Type REJECT {
+- attr_filter.access_reject
+- }
+-}
++# Post-Auth-Type REJECT {
++# attr_filter.access_reject
++# }
++#}
+ 
+ #
+ # When the server decides to proxy a request to a home server,
+@@ -428,7 +358,7 @@
+ #
+ # Only a few modules currently have this method.
+ #
+-pre-proxy {
++#pre-proxy {
+ # attr_rewrite
+ 
+ # Uncomment the following line if you want to change attributes
+@@ -444,14 +374,14 @@
+ # server, un-comment the following line, and the
+ # 'detail pre_proxy_log' section, above.
+ # pre_proxy_log
+-}
++#}
+ 
+ #
+ # When the server receives a reply to a request it proxied
+ # to a home server, the request may be massaged here, in the
+ # post-proxy stage.
+ #
+-post-proxy {
++#post-proxy {
+ 
+ # If you want to have a log of replies from a home server,
+ # un-comment the following line, and the 'detail post_proxy_log'
+@@ -475,7 +405,7 @@
+ # hidden inside of the EAP packet, and the end server will
+ # reject the EAP request.
+ #
+- eap
++# eap
+ 
+ #
+ # If the server tries to proxy a request and fails, then the
+@@ -497,6 +427,5 @@
+ # Post-Proxy-Type Fail {
+ # detail
+ # }
+-
+-}
++#}
+ 
+diff -Naur freeradius-server-2.1.4/raddb/users freeradius-server-2.1.4.new/raddb/users
+--- freeradius-server-2.1.4/raddb/users 2009-03-10 19:26:50.000000000 -0700
++++ freeradius-server-2.1.4.new/raddb/users 2009-04-07 15:23:54.000000000 -0700
+@@ -1,6 +1,5 @@
+ #
+-# Please read the documentation file ../doc/processing_users_file,
+-# or 'man 5 users' (after installing the server) for more information.
++# Please read the documentation file ../doc/processing_users_file.
+ #
+ # This file contains authentication security and configuration
+ # information for each user. Accounting requests are NOT processed
+@@ -169,22 +168,22 @@
+ # by the terminal server in which case there may not be a "P" suffix.
+ # The terminal server sends "Framed-Protocol = PPP" for auto PPP.
+ #
+-DEFAULT Framed-Protocol == PPP
+- Framed-Protocol = PPP,
+- Framed-Compression = Van-Jacobson-TCP-IP
++#DEFAULT Framed-Protocol == PPP
++# Framed-Protocol = PPP,
++# Framed-Compression = Van-Jacobson-TCP-IP
+ 
+ #
+ # Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
+ #
+-DEFAULT Hint == "CSLIP"
+- Framed-Protocol = SLIP,
+- Framed-Compression = Van-Jacobson-TCP-IP
++#DEFAULT Hint == "CSLIP"
++# Framed-Protocol = SLIP,
++# Framed-Compression = Van-Jacobson-TCP-IP
+ 
+ #
+ # Default for SLIP: dynamic IP address, SLIP mode.
+ #
+-DEFAULT Hint == "SLIP"
+- Framed-Protocol = SLIP
++#DEFAULT Hint == "SLIP"
++# Framed-Protocol = SLIP
+ 
+ #
+ # Last default: rlogin to our main server.