On Fri, 18 Dec 2020, Bernhard Schmidt wrote:
Earlier Harald Hannelius wrote:
I have a recursive diff of both config dirs, but haven't been able to see what has done what. I still have a test-server, so I can help with providing more info if so needed. Please attach the diff to this bug report.
I attached the diff. Thanks. -- Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
diff -u -r freeradius-debian-9.0/3.0/README.rst freeradius-debian-10.0/3.0/README.rst
--- freeradius-debian-9.0/3.0/README.rst 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/README.rst 2019-04-23 00:23:36.000000000 +0300
@@ -76,8 +76,8 @@
 Modules can be enabled by creating a soft link. For module ``foo``, do::
- $ cd raddb
- $ ln -s mods-available/foo mods-enabled/foo
+ $ cd raddb/mods-enabled
+ $ ln -s ../mods-available/foo
 To create "local" versions of the modules, we suggest copying the file instead. This leaves the original file (with documentation) in the
@@ -660,6 +660,6 @@
 Dialup_admin ------------
-The dialip_admin directory has been removed. No one stepped forward
+The dialup_admin directory has been removed. No one stepped forward
 to maintain it, and the code had not been changed in many years.
diff -u -r freeradius-debian-9.0/3.0/certs/Makefile freeradius-debian-10.0/3.0/certs/Makefile
--- freeradius-debian-9.0/3.0/certs/Makefile 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/certs/Makefile 2019-04-23 00:23:36.000000000 +0300
@@ -5,16 +5,22 @@
 #
 # See the README file in this directory for more information.
 #
-# $Id: cc12464c6c7754aff2f0c8d6e116708c94ff2168 $
+# $Id: 16447a023d2cdce2d16d39cf31bcde4dba600df5 $
 #
 ######################################################################
 DH_KEY_SIZE = 2048
+OPENSSL = openssl
+EXTERNAL_CA = $(wildcard external_ca.*)
+
+ifneq "$(EXTERNAL_CA)" ""
+PARTIAL = -partial_chain
+endif
 #
 # Set the passwords
 #
--include passwords.mk
+include passwords.mk
 ######################################################################
 #
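Review bot: `EXTERNAL_CA = $(wildcard external_ca.*)` and `OPENSSL = openssl` use recursive assignment, so the glob is re-expanded on every reference and `$(PARTIAL)` is tied to whatever the directory contains at each expansion; `EXTERNAL_CA := $(wildcard external_ca.*)` evaluates it once, and `OPENSSL ?= openssl` additionally lets the binary be overridden from the environment. The switch from `-include passwords.mk` to `include passwords.mk` only works because `passwords.mk` has its own rule further down the file, so make regenerates the file and restarts instead of failing; that dependency deserves a comment beside the include, e.g. `# hard include: passwords.mk is rebuilt from the *.cnf files by the rule below`. The `passwords.mk` rule itself is outside this hunk.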
@@ -33,11 +39,15 @@
 .PHONY: server
 server: server.pem server.vrfy
+.PHONY: inner-server
+inner-server: inner-server.pem inner-server.vrfy
+
 .PHONY: verify
 verify: server.vrfy client.vrfy
-passwords.mk: server.cnf ca.cnf client.cnf
+passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
 @echo "PASSWORD_SERVER = '$(shell grep output_password server.cnf | sed 's/.*=//;s/^ *//')'" > $@
+ @echo "PASSWORD_INNER = '$(shell grep output_password inner-server.cnf | sed 's/.*=//;s/^ *//')'" >> $@
 @echo "PASSWORD_CA = '$(shell grep output_password ca.cnf | sed 's/.*=//;s/^ *//')'" >> $@
 @echo "PASSWORD_CLIENT = '$(shell grep output_password client.cnf | sed 's/.*=//;s/^ *//')'" >> $@
 @echo "USER_NAME = '$(shell grep emailAddress client.cnf | grep '@' | sed 's/.*=//;s/^ *//')'" >> $@
@@ -49,7 +59,7 @@
 #
 ######################################################################
 dh:
- openssl gendh -out dh -2 $(DH_KEY_SIZE)
+ $(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
 ######################################################################
 #
@@ -59,11 +69,12 @@
 ca.key ca.pem: ca.cnf
 @[ -f index.txt ] || $(MAKE) index.txt
 @[ -f serial ] || $(MAKE) serial
- openssl req -new -x509 -keyout ca.key -out ca.pem \
+ $(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
 -days $(CA_DEFAULT_DAYS) -config ./ca.cnf
+ chmod g+r ca.key
 ca.der: ca.pem
- openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der
+ $(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der
 ######################################################################
 #
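Review bot: The new `PASSWORD_INNER` line is the fifth copy of the `grep output_password … | sed 's/.*=//;s/^ *//'` pipeline; a helper such as `cnf_password = $(shell grep output_password $(1) | sed 's/.*=//;s/^ *//')` used as `$(call cnf_password,inner-server.cnf)` would keep all five extractions identical. Each value is wrapped in single quotes in the generated file and is later passed as `-passin pass:$(PASSWORD_INNER)`, so a password containing `'` breaks the generated makefile and the openssl calls silently, and `grep output_password` also matches a commented-out line in the `.cnf`. The generated `passwords.mk` holds every key and CA password in cleartext beside the keys; a comment on the target stating that, and that the file inherits the directory's permissions, would help whoever deploys these files.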
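Review bot: `ca.key ca.pem: ca.cnf` is a multi-target rule header, which GNU make treats as two independent rules sharing one recipe; under `make -j` the `req -new -x509` command can be started twice concurrently, and the second run replaces the key the first run's certificate was generated from. The usual pre-4.3 fix is to chain the outputs, keeping the recipe on `ca.key: ca.cnf` and adding `ca.pem: ca.key ;` (GNU make 4.3 offers `&:` for grouped targets). The new `chmod g+r ca.key` deliberately makes the CA signing key readable by the directory's group, which deserves a comment naming the group that needs it, since any member of that group can then issue certificates the server trusts.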
@@ -71,20 +82,23 @@
 #
 ######################################################################
 server.csr server.key: server.cnf
- openssl req -new -out server.csr -keyout server.key -config ./server.cnf
+ $(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf
+ chmod g+r server.key
 server.crt: server.csr ca.key ca.pem
- openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
+ $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
 server.p12: server.crt
- openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
+ $(OPENSSL) pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
+ chmod g+r server.p12
 server.pem: server.p12
- openssl pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
+ $(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
+ chmod g+r server.pem
 .PHONY: server.vrfy
 server.vrfy: ca.pem
- @openssl verify -CAfile ca.pem server.pem
+ @$(OPENSSL) verify $(PARTIAL) -CAfile ca.pem server.pem
 ######################################################################
 #
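Review bot: `server.vrfy: ca.pem` does not list `server.pem`, which its recipe reads; because `server: server.pem server.vrfy` names the two as independent prerequisites, `make -j server` can run the verify before `server.pem` exists. `client.vrfy` in the next hunk does declare `client.pem`, so `server.vrfy: ca.pem server.pem` restores consistency. Separately, every `-passin pass:$(PASSWORD_SERVER)` / `-passout pass:$(PASSWORD_SERVER)` in this hunk puts the key password on the openssl command line, where it is typically visible to other local users in the process list for the duration of the call; OpenSSL's `-passin file:` or `env:` forms avoid that, and if `pass:` is kept as a test-certificate convenience a comment should say so.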
@@ -93,22 +107,49 @@
 #
 ######################################################################
 client.csr client.key: client.cnf
- openssl req -new -out client.csr -keyout client.key -config ./client.cnf
+ $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf
+ chmod g+r client.key
 client.crt: client.csr ca.pem ca.key
- openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
+ $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
 client.p12: client.crt
- openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
+ $(OPENSSL) pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
+ chmod g+r client.p12
 client.pem: client.p12
- openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
+ $(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
+ chmod g+r client.pem
 cp client.pem $(USER_NAME).pem
 .PHONY: client.vrfy
 client.vrfy: ca.pem client.pem
 c_rehash .
- openssl verify -CApath . client.pem
+ $(OPENSSL) verify -CApath . client.pem
+
+######################################################################
+#
+# Create a new inner-server certificate, signed by the above CA.
+#
+######################################################################
+inner-server.csr inner-server.key: inner-server.cnf
+ $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf
+ chmod g+r inner-server.key
+
+inner-server.crt: inner-server.csr ca.key ca.pem
+ $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in inner-server.csr -key $(PASSWORD_CA) -out inner-server.crt -extensions xpserver_ext -extfile xpextensions -config ./inner-server.cnf
+
+inner-server.p12: inner-server.crt
+ $(OPENSSL) pkcs12 -export -in inner-server.crt -inkey inner-server.key -out inner-server.p12 -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
+ chmod g+r inner-server.p12
+
+inner-server.pem: inner-server.p12
+ $(OPENSSL) pkcs12 -in inner-server.p12 -out inner-server.pem -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
+ chmod g+r inner-server.pem
+
+.PHONY: inner-server.vrfy
+inner-server.vrfy: ca.pem
+ @$(OPENSSL) verify $(PARTIAL) -CAfile ca.pem inner-server.pem
 ######################################################################
 #
@@ -122,10 +163,10 @@
 @echo '01' > serial
 print:
- openssl x509 -text -in server.crt
+ $(OPENSSL) x509 -text -in server.crt
 printca:
- openssl x509 -text -in ca.pem
+ $(OPENSSL) x509 -text -in ca.pem
 clean:
 @rm -f *~ *old client.csr client.key client.crt client.p12 client.pem
diff -u -r freeradius-debian-9.0/3.0/certs/README freeradius-debian-10.0/3.0/certs/README
--- freeradius-debian-9.0/3.0/certs/README 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/certs/README 2019-04-23 00:23:36.000000000 +0300
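Review bot: `inner-server.csr inner-server.key: inner-server.cnf` repeats the multi-target header of the server and client rules, so under `make -j` the `req -new` recipe can run twice concurrently, and `inner-server.vrfy: ca.pem` omits `inner-server.pem` even though the recipe verifies it, so `inner-server: inner-server.pem inner-server.vrfy` lets the verify run before the file exists. `inner-server.vrfy: ca.pem inner-server.pem` fixes the second; keeping the recipe on `inner-server.csr: inner-server.cnf` and adding `inner-server.key: inner-server.csr ;` fixes the first without GNU make 4.3's `&:`. The `clean:` rule in the last hunk shows only the `client.*` files on its visible line; whether the `inner-server.*` outputs are removed cannot be seen here, as the rest of that recipe is outside the hunk.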
@@ -94,6 +94,11 @@
 MAKING A SERVER CERTIFICATE
+The following steps will let you create a server certificate for use
+with TLS-based EAP methods, such as EAP-TLS, PEAP, and TTLS. Follow
+similar steps to create an "inner-server.pem" file, for use with
+EAP-TLS that is tunneled inside of another TLS-based EAP method.
+
 $ vi server.cnf
 Edit the "input_password" and "output_password" fields to be the
@@ -117,6 +122,7 @@
 extensions needed by Microsoft clients.
+
 MAKING A CLIENT CERTIFICATE
diff -u -r freeradius-debian-9.0/3.0/certs/bootstrap freeradius-debian-10.0/3.0/certs/bootstrap
--- freeradius-debian-9.0/3.0/certs/bootstrap 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/certs/bootstrap 2019-04-23 00:23:36.000000000 +0300
@@ -8,7 +8,7 @@
 # binary package. The installation should also ensure that the permissions
 # and owners are correct for the files generated by this script.
 #
-# $Id: c9d939beac8d5bdc21ea1ff9233442f9ab933297 $
+# $Id: 0f719aafd4c9abcdefbf547dedb6e7312c535104 $
 #
 umask 027
 cd `dirname $0`
@@ -32,7 +32,7 @@
 # re-generate these commands.
 #
 if [ ! -f dh ]; then
- openssl dhparam -out dh 1024 || exit 1
+ openssl dhparam -out dh 2048 || exit 1
 if [ -e /dev/urandom ] ; then
 ln -sf /dev/urandom random
 else
Only in freeradius-debian-10.0/3.0/certs: inner-server.cnf
diff -u -r freeradius-debian-9.0/3.0/clients.conf freeradius-debian-10.0/3.0/clients.conf
--- freeradius-debian-9.0/3.0/clients.conf 2018-02-23 12:04:12.000000000 +0200
+++ freeradius-debian-10.0/3.0/clients.conf 2020-12-17 14:40:36.444164444 +0200
@@ -31,11 +31,13 @@
 # Allowed values are:
 # dotted quad (1.2.3.4)
 # hostname (radius.example.com)
- ipaddr = 127.0.0.1
+ #ipaddr = 127.0.0.1
+ ipv4addr = 127.0.0.1
 # OR, you can use an IPv6 address, but not both
 # at the same time.
 # ipv6addr = :: # any. ::1 == localhost
+ ipv6addr = ::1
 #
 # A note on DNS: We STRONGLY recommend using IP addresses
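Review bot: `openssl dhparam -out dh 2048 || exit 1` hard-codes the parameter size, while the Makefile in the same directory derives it from `DH_KEY_SIZE = 2048`; the two can drift apart on the next bump. A comment on this line, e.g. `# keep in sync with DH_KEY_SIZE in certs/Makefile`, would at least make the coupling visible. The surrounding `if [ ! -f dh ]` block continues past the end of the hunk.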
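Review bot: The localhost client now sets both `ipv4addr = 127.0.0.1` and `ipv6addr = ::1`, while the comment two lines above it says an IPv6 address may be used instead of the IPv4 one "but not both at the same time"; if the server enforces that rule the block fails to load, and if it does not, a separate `client localhost_ipv6 { ipv6addr = ::1 … }` block is the form the comment describes. The same combination appears in the `193.167.36.0/25` and `10.0.36.253/32` clients in the next hunk. Since this file carries a 2020 timestamp and redacted secrets, it appears to be the local copy rather than the packaged default, so these blocks are worth checking first when reproducing the reported behaviour.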
@@ -194,17 +196,22 @@
 # i.e. The entry from the smallest possible network.
 #
 client 193.167.36.0/25 {
+ ipv4addr = 193.167.36.0/25
+ ipv6addr = 2001:708:170:36::/64
 secret = removed
 shortname = arcada-aps
 }
 client 10.0.36.0/24 {
+ ipv4addr = 10.0.36.0/24
 secret = removed
 shortname = arcada-aps
 }
 # The test aruba 7010 controller
 client 10.0.36.253/32 {
+ ipv4addr = 10.0.36.253
+ ipv6addr = 2001:708:170:360::2
 secret = removed
 shortname = clustrum
 }
diff -u -r freeradius-debian-9.0/3.0/huntgroups freeradius-debian-10.0/3.0/huntgroups
--- freeradius-debian-9.0/3.0/huntgroups 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/huntgroups 2019-04-23 00:23:36.000000000 +0300
@@ -1,13 +1,10 @@
 #
 # huntgroups This file defines the `huntgroups' that you have. A
 # huntgroup is defined by specifying the IP address of
-# the NAS and possibly a port range. Port can be identified
-# as just one port, or a range (from-to), and multiple ports
-# or ranges of ports must be separated by a comma. For
-# example: 1,2,3-8
+# the NAS and possibly a port.
 #
 # Matching is done while RADIUS scans the user file; if it
-# includes the selection criterium "Huntgroup-Name == XXX"
+# includes the selection criteria "Huntgroup-Name == XXX"
 # the huntgroup is looked up in this file to see if it
 # matches. There can be multiple definitions of the same
 # huntgroup; the first one that matches will be used.
@@ -32,15 +29,15 @@ #delft NAS-IP-Address == 198.51.100.5 # -# Ports 0-7 on the first terminal server in Alphen are connected to +# Port 0 on the first terminal server in Alphen are connected to # a huntgroup that is for business users only. Note that only one # of the username or groupname has to match to get access (OR/OR). # # Note that this huntgroup is a subset of the "alphen" huntgroup. # -#business NAS-IP-Address == 198.51.100.5, NAS-Port-Id == 0-7 -# User-Name = rogerl, -# User-Name = henks, -# Group = business, -# Group = staff +#business NAS-IP-Address == 198.51.100.5, NAS-Port-Id == 0 +# User-Name == rogerl, +# User-Name == henks, +# Group == business, +# Group == staff diff -u -r freeradius-debian-9.0/3.0/mods-available/README.rst freeradius-debian-10.0/3.0/mods-available/README.rst --- freeradius-debian-9.0/3.0/mods-available/README.rst 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/mods-available/README.rst 2019-04-23 00:23:36.000000000 +0300 @@ -1,7 +1,7 @@ Modules in Version 3 ==================== -As of Version 3, all of the modules have been places in the +As of Version 3, all of the modules have been placed in the "mods-available/" directory. This practice follows that used by other servers such as Nginx, Apache, etc. The "modules" directory should not be used. 
@@ -58,7 +58,7 @@ Ignoring module (see raddb/mods-available/README.rst) Then you are in the right place. Most of the time this message can be -ignored. The message can be fixed by find the references to "-module" +ignored. The message can be fixed by finding the references to "-module" in the virtual server, and deleting them. Another way to fix it is to configure the module, as described above. diff -u -r freeradius-debian-9.0/3.0/mods-available/cache freeradius-debian-10.0/3.0/mods-available/cache --- freeradius-debian-9.0/3.0/mods-available/cache 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/mods-available/cache 2019-04-23 00:23:36.000000000 +0300 @@ -1,6 +1,6 @@ # -*- text -*- # -# $Id: fe9ddd8fe9e99f9d8c97018db22afe46b661d7e1 $ +# $Id: 8bd4730cf570fdfedc9c516dc6974eab39981600 $ # # A module to cache attributes. The idea is that you can look @@ -63,15 +63,6 @@ # This value should be between 10 and 86400. ttl = 10 - # You can flush the cache via - # - # radmin -e "set module config cache epoch 123456789" - # - # Where last value is a 32-bit Unix timestamp. Cache entries older - # than this are expired, as new entries added. - # - # You should never set the "epoch" configuration item in this file. - # If yes the following attributes will be added to the request: # * &request:Cache-Entry-Hits - The number of times this entry # has been retrieved. @@ -98,7 +89,7 @@ # <list>:<attribute> <op> <value> # Cache all instances of Reply-Message in the reply list - &reply:Reply-Message += &reply:Reply-Message + &reply:Reply-Message += &reply:Reply-Message[*] # Add our own to show when the cache was last updated &reply:Reply-Message += "Cache last updated at %t" diff -u -r freeradius-debian-9.0/3.0/mods-available/couchbase freeradius-debian-10.0/3.0/mods-available/couchbase --- freeradius-debian-9.0/3.0/mods-available/couchbase 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/mods-available/couchbase 2019-04-23 00:23:36.000000000 +0300 
@@ -29,7 +29,7 @@ # # Element names should be single quoted. # - # Note: Atrributes not in this map will not be recorded. + # Note: Attributes not in this map will not be recorded. # update { Acct-Session-Id = 'sessionId' diff -u -r freeradius-debian-9.0/3.0/mods-available/date freeradius-debian-10.0/3.0/mods-available/date --- freeradius-debian-9.0/3.0/mods-available/date 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/mods-available/date 2019-04-23 00:23:36.000000000 +0300 @@ -11,4 +11,9 @@ # date { format = "%b %e %Y %H:%M:%S %Z" + + # Use UTC instead of local time. + # + # default = no +# utc = yes } Only in freeradius-debian-10.0/3.0/mods-available: eap.dpkg-dist diff -u -r freeradius-debian-9.0/3.0/mods-available/inner-eap freeradius-debian-10.0/3.0/mods-available/inner-eap --- freeradius-debian-9.0/3.0/mods-available/inner-eap 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/mods-available/inner-eap 2019-04-23 00:23:36.000000000 +0300 @@ -1,6 +1,6 @@ # -*- text -*- # -# $Id: 2b4df6267d26dc58bbb273656480d55a0e60e8bf $ +# $Id: 576eb7739ebf18ca6323cb740a7d4278ff6d6ea2 $ # # Sample configuration for an EAP module that occurs *inside* @@ -45,6 +45,15 @@ # You SHOULD use different certificates than are used # for the outer EAP configuration! # + # You can create the "inner-server.pem" file by doing: + # + # cd raddb/certs + # vi inner-server.cnf + # make inner-server + # + # The certificate MUST be different from the "server.cnf" + # file. + # # Support for PEAP/TLS and RFC 5176 TLS/TLS is experimental. # It might work, or it might not. # 
@@ -86,6 +95,10 @@ # check_crl = yes # ca_path = /path/to/directory/with/ca_certs/and/crls/ + # Accept an expired Certificate Revocation List + # +# allow_expired_crl = no + # # The session resumption / fast re-authentication # cache CANNOT be used for inner sessions. Only in freeradius-debian-10.0/3.0/mods-available: ldap.dpkg-dist diff -u -r freeradius-debian-9.0/3.0/mods-available/linelog freeradius-debian-10.0/3.0/mods-available/linelog --- freeradius-debian-9.0/3.0/mods-available/linelog 2018-02-23 14:16:27.000000000 +0200 +++ freeradius-debian-10.0/3.0/mods-available/linelog 2019-04-23 00:23:36.000000000 +0300 @@ -1,6 +1,6 @@ # -*- text -*- # -# $Id: c646da0a05cbdf6e984f79cea105de41de4b0528 $ +# $Id: dc2a8195b3c1c2251fc37651ea4a598898c33d12 $ # # The "linelog" module will log one line of text to a file. @@ -104,7 +104,7 @@ # # Reference the Packet-Type (Access-Accept, etc.) If it doesn't - # exist, reference the "defaukt" entry. + # exist, reference the "default" entry. # # This is for "linelog" being used in the post-auth section # If you want to use it in "authorize", you need to change Only in freeradius-debian-10.0/3.0/mods-available: moonshot-targeted-ids Only in freeradius-debian-10.0/3.0/mods-available: mschap.dpkg-dist diff -u -r freeradius-debian-9.0/3.0/mods-available/ntlm_auth freeradius-debian-10.0/3.0/mods-available/ntlm_auth --- freeradius-debian-9.0/3.0/mods-available/ntlm_auth 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/mods-available/ntlm_auth 2019-04-23 00:23:36.000000000 +0300 
@@ -6,6 +6,12 @@ # # https://bugzilla.samba.org/show_bug.cgi?id=6563 # +# Depending on the AD / Samba configuration, you may also need to add: +# +# --allow-mschapv2 +# +# to the list of command-line options. +# exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" diff -u -r freeradius-debian-9.0/3.0/mods-available/otp freeradius-debian-10.0/3.0/mods-available/otp --- freeradius-debian-9.0/3.0/mods-available/otp 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/mods-available/otp 2019-04-23 00:23:36.000000000 +0300 @@ -9,8 +9,6 @@ # It works in conjunction with otpd, which implements token # management and OTP verification functions; and lsmd or gsmd, # which implements synchronous state management functions. -# otpd, lsmd and gsmd are available from TRI-D Systems: -# <http://www.tri-dsystems.com/> # You must list this module in BOTH the authorize and authenticate # sections in order to use it. diff -u -r freeradius-debian-9.0/3.0/mods-available/python freeradius-debian-10.0/3.0/mods-available/python --- freeradius-debian-9.0/3.0/mods-available/python 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/mods-available/python 2019-04-23 00:23:36.000000000 +0300 
@@ -7,6 +7,14 @@ # a function defined, it will return NOOP. # python { + # Path to the python modules + # + # Note that due to limitations on Python, this configuration + # item is GLOBAL TO THE SERVER. That is, you cannot have two + # instances of the python module, each with a different path. + # +# python_path="/path/to/python/files:/another_path/to/python_files/" + module = example mod_instantiate = ${.module} diff -u -r freeradius-debian-9.0/3.0/mods-available/realm freeradius-debian-10.0/3.0/mods-available/realm --- freeradius-debian-9.0/3.0/mods-available/realm 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/mods-available/realm 2019-04-23 00:23:36.000000000 +0300 @@ -1,6 +1,6 @@ # -*- text -*- # -# $Id: b4c8ee3d8534ece75f6129d4853e6bc081cf0aa5 $ +# $Id: 36825e0fe77cb515219ba7febc37192988ed9fba $ # Realm module, for proxying. # @@ -33,6 +33,7 @@ # for a trust-router. For all other realms, # they are ignored. # trust_router = "localhost" +# tr_port = 12309 # rp_realm = "painless-security.com" # default_community = "apc.moonshot.ja.net" } diff -u -r freeradius-debian-9.0/3.0/mods-available/redis freeradius-debian-10.0/3.0/mods-available/redis --- freeradius-debian-9.0/3.0/mods-available/redis 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/mods-available/redis 2019-04-23 00:23:36.000000000 +0300 @@ -1,6 +1,6 @@ # -*- text -*- # -# $Id: 0ef86751acd4389e7a6446e37856fde75fd4137c $ +# $Id: 7952ee4ecebf03496869c88c55a2f32dc689a364 $ # # Configuration file for the "redis" module. This module does nothing 
@@ -19,6 +19,9 @@ # We recommend using a strong password. # password = thisisreallysecretandhardtoguess + # Set connection and query timeout for rlm_redis + query_timeout = 5 + # # Information for the connection pool. The configuration items # below are the same for all modules which use the new diff -u -r freeradius-debian-9.0/3.0/mods-available/rest freeradius-debian-10.0/3.0/mods-available/rest --- freeradius-debian-9.0/3.0/mods-available/rest 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/mods-available/rest 2019-04-23 00:23:36.000000000 +0300 @@ -5,8 +5,18 @@ # server. # tls { -# ca_file = ${certdir}/cacert.pem -# ca_path = ${certdir} + # Certificate Authorities: + # "ca_file" (libcurl option CURLOPT_ISSUERCERT). + # File containing a single CA, which is the issuer of the server + # certificate. + # "ca_info_file" (libcurl option CURLOPT_CAINFO). + # File containing a bundle of certificates, which allow to handle + # certificate chain validation. + # "ca_path" (libcurl option CURLOPT_CAPATH). + # Directory holding CA certificates to verify the peer with. +# ca_file = ${certdir}/cacert.pem +# ca_info_file = ${certdir}/cacert_bundle.pem +# ca_path = ${certdir} # certificate_file = /path/to/radius.crt # private_key_file = /path/to/radius.key @@ -105,7 +115,10 @@ # - is_json If true, any nested JSON data will be copied to the attribute # in string form. Defaults to true. # - op Controls how the attribute is inserted into the target list. - # Defaults to ':='. + # Defaults to ':='. To create multiple attributes from multiple + # values, this should be set to '+=', otherwise only the last + # value will be used, and it will be assigned to a single + # attribute. # { # "<attribute0>":{ # "is_json":<bool>, 
@@ -114,7 +127,10 @@ # "value":[<value0>,<value1>,<valueN>] # }, # "<attribute1>":"value", - # "<attributeN>":[<value0>,<value1>,<valueN>] + # "<attributeN>":{ + # "value":[<value0>,<value1>,<valueN>], + # "op":"+=" + # } # } # diff -u -r freeradius-debian-9.0/3.0/mods-available/sqlippool freeradius-debian-10.0/3.0/mods-available/sqlippool --- freeradius-debian-9.0/3.0/mods-available/sqlippool 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/mods-available/sqlippool 2019-04-23 00:23:36.000000000 +0300 @@ -4,7 +4,7 @@ # # raddb/sql/ippool/<DB>/schema.sql # -# $Id: b32b77aa4ca134d608a1140da73434bdc7d14895 $ +# $Id: 435921fb297812c11060859ce1066248ef53c4df $ sqlippool { # SQL instance to use (from sql.conf) 
@@ -24,8 +24,38 @@ # IP lease duration. (Leases expire even if Acct Stop packet is lost) lease_duration = 3600 - # protocol to use. The default is IPv4. -# ipv6 = yes + # + # As of 3.0.16, the 'ipv6 = yes' configuration is deprecated. + # You should use the "attribute_name" configuration item + # below, instead. + # + + # + # The attribute to use for IP address assignment. The + # default is Framed-IP-Address. You can change this to any + # attribute which is IPv4 or IPv6. + # + # e.g. Framed-IPv6-Prefix, or Delegated-IPv6-Prefix. + # + # As of 3.0.16, all of the default queries have been updated to use + # this attribute_name. So you can do IPv6 address assignment simply + # by putting IPv6 addresses into the pool, and changing the following + # line to "Framed-IPv6-Prefix" + # + # Note that you MUST use separate pools for each attribute. i.e. one pool + # for Framed-IP-Address, a different one for Framed-IPv6-prefix, etc. + # + # This means configuring separate "sqlippool" instances, and different + # "ippool_table" in SQL. Then, populate the pool with addresses and + # it will all just work. + # + attribute_name = Framed-IP-Address + + # + # Assign the IP address, even if the above attribute already exists + # in the reply. + # +# allow_duplicates = no # Attribute which should be considered unique per NAS # 
@@ -53,11 +83,11 @@
 # which writes Module-Success-Message message.
 #
 messages {
- exists = "Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
+ exists = "Existing IP: %{reply:${..attribute_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
- success = "Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
+ success = "Allocated IP: %{reply:${..attribute_name}} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
- clear = "Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
+ clear = "Released IP ${..attribute_name} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
 failed = "IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
diff -u -r freeradius-debian-9.0/3.0/mods-config/attr_filter/pre-proxy freeradius-debian-10.0/3.0/mods-config/attr_filter/pre-proxy
--- freeradius-debian-9.0/3.0/mods-config/attr_filter/pre-proxy 2017-08-10 10:05:06.000000000 +0300
+++ freeradius-debian-10.0/3.0/mods-config/attr_filter/pre-proxy 2019-04-23 00:23:36.000000000 +0300
@@ -2,7 +2,7 @@
 # Configuration file for the rlm_attr_filter module.
 # Please see rlm_attr_filter(5) manpage for more information.
 #
-# $Id: 3930fedfc0c638629198ff49f4bc3d5184261705 $
+# $Id: 47b01266f44d0475261c6ea16f74ca17d8838749 $
 #
 # This file contains security and configuration information
 # for each realm. It can be used be an rlm_attr_filter module
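Review bot: The new `clear` message loses the attribute expansion: `${..attribute_name}` is a configuration reference that resolves to the attribute's name (`Framed-IP-Address` with the default shown earlier in this file), so the log line will read "Released IP Framed-IP-Address" rather than the released address, whereas `exists` and `success` on the lines above wrap the same reference as `%{reply:${..attribute_name}}`. The line it replaces expanded the request-list attribute with `%{Framed-IP-Address}`, so the matching form is `clear = "Released IP %{${..attribute_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"`.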
@@ -60,4 +60,6 @@ NAS-IP-Address =* ANY, NAS-Identifier =* ANY, Operator-Name =* ANY, + Calling-Station-Id =* ANY, + Chargeable-User-Identity =* ANY, Proxy-State =* ANY diff -u -r freeradius-debian-9.0/3.0/mods-config/files/accounting freeradius-debian-10.0/3.0/mods-config/files/accounting --- freeradius-debian-9.0/3.0/mods-config/files/accounting 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/mods-config/files/accounting 2019-04-23 00:23:36.000000000 +0300 @@ -1,5 +1,5 @@ # -# $Id: 322d33a01f26e3990ba19954b7847e6993ae389b $ +# $Id: eaf952a72dc9d19387af4d2056d7f7027b2435e8 $ # # This is like the 'users' file, but it is processed only for # accounting packets. @@ -9,13 +9,17 @@ # Realm, the Huntgroup-Name or any combinaison of the attribute/value # pairs contained in an accounting packet. # -#DEFAULT Realm == "foo.net", Acct-Type := sql_log.foo +# You will need to add an "Acct-Type foo {...}" subsection to the +# main "accounting" section in order for these sample configurations +# to work. # -#DEFAULT Huntgroup-Name == "wifi", Acct-Type := sql_log.wifi +#DEFAULT Realm == "foo.net", Acct-Type := foo # -#DEFAULT Client-IP-Address == 10.0.0.1, Acct-Type := sql_log.other +#DEFAULT Huntgroup-Name == "wifi", Acct-Type := wifi # -#DEFAULT Acct-Status-Type == Start, Acct-Type := sql_log.start +#DEFAULT Client-IP-Address == 10.0.0.1, Acct-Type := other +# +#DEFAULT Acct-Status-Type == Start, Acct-Type := start # Replace the User-Name with the Stripped-User-Name, if it exists. # diff -u -r freeradius-debian-9.0/3.0/mods-config/perl/example.pl freeradius-debian-10.0/3.0/mods-config/perl/example.pl --- freeradius-debian-9.0/3.0/mods-config/perl/example.pl 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/mods-config/perl/example.pl 2019-04-23 00:23:36.000000000 +0300 
@@ -126,7 +126,12 @@ return RLM_MODULE_REJECT; } else { # Accept user and set some attribute - $RAD_REPLY{'h323-credit-amount'} = "100"; + if (&radiusd::xlat("%{client:group}") eq 'UltraAllInclusive') { + # User called from NAS with unlim plan set, set higher limits + $RAD_REPLY{'h323-credit-amount'} = "1000000"; + } else { + $RAD_REPLY{'h323-credit-amount'} = "100"; + } return RLM_MODULE_OK; } } diff -u -r freeradius-debian-9.0/3.0/mods-config/preprocess/huntgroups freeradius-debian-10.0/3.0/mods-config/preprocess/huntgroups --- freeradius-debian-9.0/3.0/mods-config/preprocess/huntgroups 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/mods-config/preprocess/huntgroups 2019-04-23 00:23:36.000000000 +0300 @@ -1,13 +1,10 @@ # # huntgroups This file defines the `huntgroups' that you have. A # huntgroup is defined by specifying the IP address of -# the NAS and possibly a port range. Port can be identified -# as just one port, or a range (from-to), and multiple ports -# or ranges of ports must be separated by a comma. For -# example: 1,2,3-8 +# the NAS and possibly a port. # # Matching is done while RADIUS scans the user file; if it -# includes the selection criterium "Huntgroup-Name == XXX" +# includes the selection criteria "Huntgroup-Name == XXX" # the huntgroup is looked up in this file to see if it # matches. There can be multiple definitions of the same # huntgroup; the first one that matches will be used. 
@@ -32,15 +29,15 @@ #delft NAS-IP-Address == 198.51.100.5 # -# Ports 0-7 on the first terminal server in Alphen are connected to +# Port 0 on the first terminal server in Alphen are connected to # a huntgroup that is for business users only. Note that only one # of the username or groupname has to match to get access (OR/OR). # # Note that this huntgroup is a subset of the "alphen" huntgroup. # -#business NAS-IP-Address == 198.51.100.5, NAS-Port-Id == 0-7 -# User-Name = rogerl, -# User-Name = henks, -# Group = business, -# Group = staff +#business NAS-IP-Address == 198.51.100.5, NAS-Port-Id == 0 +# User-Name == rogerl, +# User-Name == henks, +# Group == business, +# Group == staff diff -u -r freeradius-debian-9.0/3.0/mods-config/python/radiusd.py freeradius-debian-10.0/3.0/mods-config/python/radiusd.py --- freeradius-debian-9.0/3.0/mods-config/python/radiusd.py 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/mods-config/python/radiusd.py 2019-04-23 00:23:36.000000000 +0300 @@ -8,7 +8,7 @@ # Inside freeradius, the 'radiusd' Python module is created by the C module # and the definitions are automatically created. # -# $Id: e12bbd642b63d87024dba9530c7778308cf0e3a4 $ +# $Id: c535bb3caff5010ce06279f4e0d00d44377d0c4f $ # from modules.h @@ -23,14 +23,19 @@ RLM_MODULE_UPDATED = 8 RLM_MODULE_NUMCODES = 9 - -# from radiusd.h -L_DBG = 1 +# from log.h L_AUTH = 2 L_INFO = 3 L_ERR = 4 -L_PROXY = 5 -L_CONS = 128 +L_WARN = 5 +L_PROXY = 6 +L_ACCT = 7 + +L_DBG = 16 +L_DBG_WARN = 17 +L_DBG_ERR = 18 +L_DBG_WARN_REQ = 19 +L_DBG_ERR_REQ = 20 # log function def radlog(level, msg): diff -u -r freeradius-debian-9.0/3.0/mods-config/sql/ippool/mysql/queries.conf freeradius-debian-10.0/3.0/mods-config/sql/ippool/mysql/queries.conf --- freeradius-debian-9.0/3.0/mods-config/sql/ippool/mysql/queries.conf 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/mods-config/sql/ippool/mysql/queries.conf 2019-04-23 00:23:36.000000000 +0300 
@@ -2,7 +2,7 @@ # # ippool/mysql/queries.conf -- MySQL queries for rlm_sqlippool # -# $Id: ecdb8beda2fe841c07f513f3a6be9e535f73875b $ +# $Id: bc51b1b2e2482b116f21010f93959ec3182206cf $ # # This series of queries allocates an IP address @@ -20,7 +20,7 @@ # # This series of queries allocates an IP address # (Note: If your pool_key is set to Calling-Station-Id and not NAS-Port -# then you may wish to delete the "AND nasipaddress = '%{Nas-IP-Address}' +# then you may wish to delete the "AND nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' # from the WHERE clause) # allocate_clear = "\ @@ -32,7 +32,7 @@ username = '', \ expiry_time = NULL \ WHERE expiry_time <= NOW() - INTERVAL 1 SECOND \ - AND nasipaddress = '%{Nas-IP-Address}'" + AND nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'" # # The ORDER BY clause of this query tries to allocate the same IP-address @@ -96,7 +96,7 @@ AND pool_key = '${pool_key}' \ AND username = '%{User-Name}' \ AND callingstationid = '%{Calling-Station-Id}' \ - AND framedipaddress = '%{Framed-IP-Address}'" + AND framedipaddress = '%{${attribute_name}}'" # # This series of queries frees an IP number when an accounting STOP record arrives. @@ -109,11 +109,11 @@ callingstationid = '', \ username = '', \ expiry_time = NULL \ - WHERE nasipaddress = '%{Nas-IP-Address}' \ + WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' \ AND pool_key = '${pool_key}' \ AND username = '%{User-Name}' \ AND callingstationid = '%{Calling-Station-Id}' \ - AND framedipaddress = '%{Framed-IP-Address}'" + AND framedipaddress = '%{${attribute_name}}'" # # This series of queries frees an IP number when an accounting ALIVE record arrives. 
@@ -122,11 +122,11 @@ UPDATE ${ippool_table} \ SET \ expiry_time = NOW() + INTERVAL ${lease_duration} SECOND \ - WHERE nasipaddress = '%{Nas-IP-Address}' \ + WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' \ AND pool_key = '${pool_key}' \ AND username = '%{User-Name}' \ AND callingstationid = '%{Calling-Station-Id}' \ - AND framedipaddress = '%{Framed-IP-Address}'" + AND framedipaddress = '%{${attribute_name}}'" # # This series of queries frees the IP numbers allocate to a @@ -140,7 +140,7 @@ callingstationid = '', \ username = '', \ expiry_time = NULL \ - WHERE nasipaddress = '%{Nas-IP-Address}'" + WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'" # # This series of queries frees the IP numbers allocate to a @@ -154,4 +154,4 @@ callingstationid = '', \ username = '', \ expiry_time = NULL \ - WHERE nasipaddress = '%{Nas-IP-Address}'" + WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'" diff -u -r freeradius-debian-9.0/3.0/mods-config/sql/ippool/oracle/queries.conf freeradius-debian-10.0/3.0/mods-config/sql/ippool/oracle/queries.conf --- freeradius-debian-9.0/3.0/mods-config/sql/ippool/oracle/queries.conf 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/mods-config/sql/ippool/oracle/queries.conf 2019-04-23 00:23:36.000000000 +0300 @@ -2,7 +2,7 @@ # # ippool/oracle/queries.conf -- Oracle queries for rlm_sqlippool # -# $Id: 06d37f8985f3da1ac36276bdc9ca9c15a42d4059 $ +# $Id: 03b7f0ed281654d211a7e134c44e25679573a5fc $ allocate_begin = "commit" start_begin = "commit" 
@@ -83,7 +83,7 @@ # as your "pool_key" and your users are able to reconnect before your NAS # has timed out their previous session. (Generally on wireless networks) # (Note: If your pool_key is set to Calling-Station-Id and not NAS-Port -# then you may wish to delete the "AND nasipaddress = '%{Nas-IP-Address}' +# then you may wish to delete the "AND nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' # from the WHERE clause) # allocate_clear = "\ @@ -116,7 +116,7 @@ pool_key = 0, \ callingstationid = '', \ expiry_time = current_timestamp - INTERVAL '1' second(1) \ - WHERE nasipaddress = '%{Nas-IP-Address}' \ + WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' \ AND pool_key = '${pool_key}' \ AND username = '%{SQL-User-Name}' \ AND callingstationid = '%{Calling-Station-Id}'" @@ -129,9 +129,9 @@ UPDATE ${ippool_table} \ SET \ expiry_time = current_timestamp + INTERVAL '${lease_duration}' second(1) \ - WHERE nasipaddress = '%{Nas-IP-Address}' \ + WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' \ AND pool_key = '${pool_key}' \ - AND framedipaddress = '%{Framed-IP-Address}' \ + AND framedipaddress = '%{${attribute_name}}' \ AND username = '%{SQL-User-Name}' \ AND callingstationid = '%{Calling-Station-Id}'" @@ -146,7 +146,7 @@ pool_key = 0, \ callingstationid = '', \ expiry_time = current_timestamp - INTERVAL '1' second(1) \ - WHERE nasipaddress = '%{Nas-IP-Address}'" + WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'" # # This query frees all IP addresses allocated to a NAS when an 
@@ -159,4 +159,4 @@ pool_key = 0, \ callingstationid = '', \ expiry_time = current_timestamp - INTERVAL '1' second(1) \ - WHERE nasipaddress = '%{Nas-IP-Address}'" + WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'" diff -u -r freeradius-debian-9.0/3.0/mods-config/sql/ippool/postgresql/queries.conf freeradius-debian-10.0/3.0/mods-config/sql/ippool/postgresql/queries.conf --- freeradius-debian-9.0/3.0/mods-config/sql/ippool/postgresql/queries.conf 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/mods-config/sql/ippool/postgresql/queries.conf 2019-04-23 00:23:36.000000000 +0300 @@ -2,7 +2,7 @@ # # ippool/postgresql/queries.conf -- PostgreSQL queries for rlm_sqlippool # -# $Id: 38465e829f61efab50f565dc349ef64b29052f21 $ +# $Id: 9ceb5148e40c87056d408866d05ae3b52e38b734 $ # # This query allocates an IP address from the Pool @@ -64,7 +64,7 @@ # as your "pool_key" and your users are able to reconnect before your NAS # has timed out their previous session. (Generally on wireless networks) # (Note: If your pool_key is set to Calling-Station-Id and not NAS-Port -# then you may wish to delete the "AND nasipaddress = '%{Nas-IP-Address}' +# then you may wish to delete the "AND nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' # from the WHERE clause) # allocate_clear = "\ @@ -99,11 +99,11 @@ pool_key = 0, \ callingstationid = '', \ expiry_time = 'now'::timestamp(0) - '1 second'::interval \ - WHERE nasipaddress = '%{Nas-IP-Address}' \ + WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' \ AND pool_key = '${pool_key}' \ AND username = '%{SQL-User-Name}' \ AND callingstationid = '%{Calling-Station-Id}' \ - AND framedipaddress = '%{Framed-IP-Address}'" + AND framedipaddress = '%{${attribute_name}}'" # # This query extends an IP address lease by "lease_duration" when an accounting 
@@ -113,9 +113,9 @@ UPDATE ${ippool_table} \ SET \ expiry_time = 'now'::timestamp(0) + '${lease_duration} seconds'::interval \ - WHERE nasipaddress = '%{Nas-IP-Address}' \ + WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' \ AND pool_key = '${pool_key}' \ - AND framedipaddress = '%{Framed-IP-Address}' \ + AND framedipaddress = '%{${attribute_name}}' \ AND username = '%{SQL-User-Name}' \ AND callingstationid = '%{Calling-Station-Id}'" @@ -130,7 +130,7 @@ pool_key = 0, \ callingstationid = '', \ expiry_time = 'now'::timestamp(0) - '1 second'::interval \ - WHERE nasipaddress = '%{Nas-IP-Address}'" + WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'" # # This query frees all IP addresses allocated to a NAS when an @@ -143,4 +143,4 @@ pool_key = 0, \ callingstationid = '', \ expiry_time = 'now'::timestamp(0) - '1 second'::interval \ - WHERE nasipaddress = '%{Nas-IP-Address}'" + WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'" diff -u -r freeradius-debian-9.0/3.0/mods-config/sql/ippool/sqlite/queries.conf freeradius-debian-10.0/3.0/mods-config/sql/ippool/sqlite/queries.conf --- freeradius-debian-9.0/3.0/mods-config/sql/ippool/sqlite/queries.conf 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/mods-config/sql/ippool/sqlite/queries.conf 2019-04-23 00:23:36.000000000 +0300 @@ -2,7 +2,7 @@ # # ippool/sqlite/queries.conf -- SQLite queries for rlm_sqlippool # -# $Id: e912bd32a7485f6a505dbb67ad6f54138845cdee $ +# $Id: 76d07dfb43a1b5611bd6d5aa078d0c006271c56b $ # # This series of queries allocates an IP address @@ -18,7 +18,7 @@ # # This series of queries allocates an IP address # (Note: If your pool_key is set to Calling-Station-Id and not NAS-Port -# then you may wish to delete the "AND nasipaddress = '%{Nas-IP-Address}' +# then you may wish to delete the "AND nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' # from the WHERE clause) # allocate_clear = "\ 
@@ -30,7 +30,7 @@ username = '', \ expiry_time = NULL \ WHERE expiry_time <= datetime(strftime('%%s', 'now') - 1, 'unixepoch') \ - AND nasipaddress = '%{Nas-IP-Address}'" + AND nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'" # # The ORDER BY clause of this query tries to allocate the same IP-address @@ -99,7 +99,7 @@ AND pool_key = '${pool_key}' \ AND username = '%{User-Name}' \ AND callingstationid = '%{Calling-Station-Id}' \ - AND framedipaddress = '%{Framed-IP-Address}'" + AND framedipaddress = '%{${attribute_name}}'" # # This series of queries frees an IP number when an accounting STOP record arrives @@ -112,11 +112,11 @@ callingstationid = '', \ username = '', \ expiry_time = NULL \ - WHERE nasipaddress = '%{Nas-IP-Address}' \ + WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' \ AND pool_key = '${pool_key}' \ AND username = '%{User-Name}' \ AND callingstationid = '%{Calling-Station-Id}' \ - AND framedipaddress = '%{Framed-IP-Address}'" + AND framedipaddress = '%{${attribute_name}}'" # # This series of queries frees an IP number when an accounting @@ -126,11 +126,11 @@ UPDATE ${ippool_table} \ SET \ expiry_time = datetime(strftime('%%s', 'now') + ${lease_duration}, 'unixepoch') \ - WHERE nasipaddress = '%{Nas-IP-Address}' \ + WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' \ AND pool_key = '${pool_key}' \ AND username = '%{User-Name}' \ AND callingstationid = '%{Calling-Station-Id}' \ - AND framedipaddress = '%{Framed-IP-Address}'" + AND framedipaddress = '%{${attribute_name}}'" # # This series of queries frees the IP numbers allocate to a @@ -144,7 +144,7 @@ callingstationid = '', \ username = '', \ expiry_time = NULL \ - WHERE nasipaddress = '%{Nas-IP-Address}'" + WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'" # # This series of queries frees the IP numbers allocate to a 
@@ -158,5 +158,5 @@ callingstationid = '', \ username = '', \ expiry_time = NULL \ - WHERE nasipaddress = '%{Nas-IP-Address}'" + WHERE nasipaddress = '%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}'" diff -u -r freeradius-debian-9.0/3.0/mods-config/sql/ippool/sqlite/schema.sql freeradius-debian-10.0/3.0/mods-config/sql/ippool/sqlite/schema.sql --- freeradius-debian-9.0/3.0/mods-config/sql/ippool/sqlite/schema.sql 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/mods-config/sql/ippool/sqlite/schema.sql 2019-04-23 00:23:36.000000000 +0300 @@ -1,7 +1,7 @@ -- -- Table structure for table 'radippool' -- -CREATE TABLE ( +CREATE TABLE radippool ( id int(11) PRIMARY KEY, pool_name varchar(30) NOT NULL, framedipaddress varchar(15) NOT NULL default '', diff -u -r freeradius-debian-9.0/3.0/mods-config/sql/main/mssql/schema.sql freeradius-debian-10.0/3.0/mods-config/sql/main/mssql/schema.sql --- freeradius-debian-9.0/3.0/mods-config/sql/main/mssql/schema.sql 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/mods-config/sql/main/mssql/schema.sql 2019-04-23 00:23:36.000000000 +0300 @@ -1,5 +1,5 @@ /*************************************************************************** - * $Id: 80ccc116db8fa203260561a1db86111f16960992 $ * + * $Id: f3ca88cc829b9d496e9a49643f142e90224fd9b5 $ * * * * db_mssql.sql * * * 
@@ -19,7 +19,6 @@ [AcctSessionId] [varchar] (64) DEFAULT ('') FOR [AcctSessionId], [AcctUniqueId] [varchar] (32) DEFAULT ('') FOR [AcctUniqueId], [UserName] [varchar] (64) DEFAULT ('') FOR [UserName], - [GroupName] [varchar] (64) DEFAULT ('') FOR [GroupName], [Realm] [varchar] (64) DEFAULT ('') FOR [Realm], [NASIPAddress] [varchar] (15) DEFAULT ('') FOR [NASIPAddress], [NASPortId] [varchar] (15) NULL , diff -u -r freeradius-debian-9.0/3.0/mods-config/sql/main/mysql/schema.sql freeradius-debian-10.0/3.0/mods-config/sql/main/mysql/schema.sql --- freeradius-debian-9.0/3.0/mods-config/sql/main/mysql/schema.sql 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/mods-config/sql/main/mysql/schema.sql 2019-04-23 00:23:36.000000000 +0300 @@ -1,5 +1,5 @@ ########################################################################### -# $Id: ca5ac77aa03dbb86ef714d1a1af647f7e63fda00 $ # +# $Id: 1059b115282ea738353fe4fbc8d92b03a338f8c1 $ # # # # schema.sql rlm_sql - FreeRADIUS SQL Module # # # @@ -19,7 +19,6 @@ acctsessionid varchar(64) NOT NULL default '', acctuniqueid varchar(32) NOT NULL default '', username varchar(64) NOT NULL default '', - groupname varchar(64) NOT NULL default '', realm varchar(64) default '', nasipaddress varchar(15) NOT NULL default '', nasportid varchar(15) default NULL, diff -u -r freeradius-debian-9.0/3.0/mods-config/sql/main/ndb/schema.sql freeradius-debian-10.0/3.0/mods-config/sql/main/ndb/schema.sql --- freeradius-debian-9.0/3.0/mods-config/sql/main/ndb/schema.sql 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/mods-config/sql/main/ndb/schema.sql 2019-04-23 00:23:36.000000000 +0300 @@ -1,5 +1,5 @@ ########################################################################### -# $Id: a7f4c3121ded2b6557294de8bcab832c5715d038 $ # +# $Id: 606599735415b041e17230d829834a94a3a678d8 $ # # # # schema.sql rlm_sql - FreeRADIUS SQL Module # # # 
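Review bot: Dropping `groupname` from the radacct `CREATE TABLE` changes only fresh installs; the schema file never migrates an existing database, so the accounting INSERT/UPDATE queries (not in this diff) must stop naming the column or they will fail against a newly created table while still working on an upgraded one. A comment at the column's former position, in each file's comment syntax, e.g. `-- groupname removed: queries.conf no longer references it; existing databases may keep the column`, would make the intent visible to anyone diffing old and new schemas. The same applies to the ndb, oracle, postgresql and sqlite schema hunks that follow.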
@@ -21,7 +21,6 @@ acctsessionid varchar(64) NOT NULL default '', acctuniqueid varchar(32) NOT NULL default '', username varchar(64) NOT NULL default '', - groupname varchar(64) NOT NULL default '', realm varchar(64) default '', nasipaddress varchar(15) NOT NULL default '', nasportid varchar(15) default NULL, diff -u -r freeradius-debian-9.0/3.0/mods-config/sql/main/oracle/schema.sql freeradius-debian-10.0/3.0/mods-config/sql/main/oracle/schema.sql --- freeradius-debian-9.0/3.0/mods-config/sql/main/oracle/schema.sql 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/mods-config/sql/main/oracle/schema.sql 2019-04-23 00:23:36.000000000 +0300 @@ -1,5 +1,5 @@ /* - * $Id: c11295fa7307a7c05a586f5354dd59de32c059de $ + * $Id: d70cc522d1266eb92c7013c5a326dc6d89c7a05c $ * * Oracle schema for FreeRADIUS * @@ -15,7 +15,6 @@ acctsessionid VARCHAR(96) NOT NULL, acctuniqueid VARCHAR(32), username VARCHAR(64) NOT NULL, - groupname VARCHAR(32), realm VARCHAR(30), nasipaddress VARCHAR(15) NOT NULL, nasportid VARCHAR(32), @@ -86,7 +85,7 @@ */ CREATE TABLE radgroupcheck ( id INT PRIMARY KEY, - groupname VARCHAR(20) UNIQUE NOT NULL, + groupname VARCHAR(20) NOT NULL, attribute VARCHAR(64), op CHAR(2) NOT NULL, value VARCHAR(40) @@ -98,7 +97,7 @@ */ CREATE TABLE radgroupreply ( id INT PRIMARY KEY, - GroupName VARCHAR(20) UNIQUE NOT NULL, + GroupName VARCHAR(20) NOT NULL, Attribute VARCHAR(64), op CHAR(2) NOT NULL, Value VARCHAR(40) @@ -134,7 +133,7 @@ */ CREATE TABLE radusergroup ( id INT PRIMARY KEY, - UserName VARCHAR(30) UNIQUE NOT NULL, + UserName VARCHAR(30) NOT NULL, GroupName VARCHAR(30) ); CREATE SEQUENCE radusergroup_seq START WITH 1 INCREMENT BY 1; 
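Review bot: Removing `UNIQUE` from `radgroupcheck.groupname`, `radgroupreply.GroupName` and `radusergroup.UserName` in the oracle schema is the right model (several rows per group or user), but the unique constraint was presumably also the only index on those columns, so every group and user lookup now scans the table. Unless an index is created elsewhere in the file, add a plain one in the same hunk, e.g. `CREATE INDEX radgroupcheck_groupname ON radgroupcheck (groupname);`, and likewise for the other two tables.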
@@ -151,43 +150,6 @@ / -/* - * Table structure for table 'realmgroup' - */ -CREATE TABLE realmgroup ( - id INT PRIMARY KEY, - RealmName VARCHAR(30) UNIQUE NOT NULL, - GroupName VARCHAR(30) -); -CREATE SEQUENCE realmgroup_seq START WITH 1 INCREMENT BY 1; - -CREATE TABLE realms ( - id INT PRIMARY KEY, - realmname VARCHAR(64), - nas VARCHAR(128), - authport INT, - options VARCHAR(128) -); -CREATE SEQUENCE realms_seq START WITH 1 INCREMENT BY 1; - -CREATE TABLE radhuntgroup ( - id INT PRIMARY KEY, - GroupName VARCHAR(64) NOT NULL, - Nasipaddress VARCHAR(15) UNIQUE NOT NULL, - NASPortID VARCHAR(15) -); - -CREATE SEQUENCE radhuntgroup_seq START WITH 1 INCREMENT BY 1; - -CREATE OR REPLACE TRIGGER radhuntgroup_serialnumber - BEFORE INSERT OR UPDATE OF id ON radhuntgroup - FOR EACH ROW - BEGIN - if ( :new.id = 0 or :new.id is null ) then - SELECT radhuntgroup_seq.nextval into :new.id from dual; - end if; - END; - CREATE TABLE radpostauth ( id INT PRIMARY KEY, UserName VARCHAR(64) NOT NULL, diff -u -r freeradius-debian-9.0/3.0/mods-config/sql/main/postgresql/schema.sql freeradius-debian-10.0/3.0/mods-config/sql/main/postgresql/schema.sql --- freeradius-debian-9.0/3.0/mods-config/sql/main/postgresql/schema.sql 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/mods-config/sql/main/postgresql/schema.sql 2019-04-23 00:23:36.000000000 +0300 @@ -1,5 +1,5 @@ /* - * $Id: 00b5e3b52b55f024e5ed91d7aaf26d78c309c741 $ + * $Id: ccc77f926542bf0e05b627b7f78fdeaebd00364f $ * * Postgresql schema for FreeRADIUS * 
@@ -18,7 +18,6 @@ AcctSessionId text NOT NULL, AcctUniqueId text NOT NULL UNIQUE, UserName text, - GroupName text, Realm text, NASIPAddress inet NOT NULL, NASPortId text, diff -u -r freeradius-debian-9.0/3.0/mods-config/sql/main/sqlite/schema.sql freeradius-debian-10.0/3.0/mods-config/sql/main/sqlite/schema.sql --- freeradius-debian-9.0/3.0/mods-config/sql/main/sqlite/schema.sql 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/mods-config/sql/main/sqlite/schema.sql 2019-04-23 00:23:36.000000000 +0300 @@ -1,5 +1,5 @@ ----------------------------------------------------------------------------- --- $Id: aa2c8ecaa40e22410f80d7b8ff179b79471beb6c $ -- +-- $Id: 83cd0df8c3764436abe5c4751a3a1fff90a5c4e5 $ -- -- -- -- schema.sql rlm_sql - FreeRADIUS SQLite Module -- -- -- @@ -15,7 +15,6 @@ acctsessionid varchar(64) NOT NULL default '', acctuniqueid varchar(32) NOT NULL default '', username varchar(64) NOT NULL default '', - groupname varchar(64) NOT NULL default '', realm varchar(64) default '', nasipaddress varchar(15) NOT NULL default '', nasportid varchar(15) default NULL, Only in freeradius-debian-10.0/3.0/mods-config/sql: moonshot-targeted-ids diff -u -r freeradius-debian-9.0/3.0/mods-enabled/inner-eap freeradius-debian-10.0/3.0/mods-enabled/inner-eap --- freeradius-debian-9.0/3.0/mods-enabled/inner-eap 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/mods-enabled/inner-eap 2019-04-23 00:23:36.000000000 +0300 @@ -1,6 +1,6 @@ # -*- text -*- # -# $Id: 2b4df6267d26dc58bbb273656480d55a0e60e8bf $ +# $Id: 576eb7739ebf18ca6323cb740a7d4278ff6d6ea2 $ # # Sample configuration for an EAP module that occurs *inside* 
@@ -45,6 +45,15 @@ # You SHOULD use different certificates than are used # for the outer EAP configuration! # + # You can create the "inner-server.pem" file by doing: + # + # cd raddb/certs + # vi inner-server.cnf + # make inner-server + # + # The certificate MUST be different from the "server.cnf" + # file. + # # Support for PEAP/TLS and RFC 5176 TLS/TLS is experimental. # It might work, or it might not. # @@ -86,6 +95,10 @@ # check_crl = yes # ca_path = /path/to/directory/with/ca_certs/and/crls/ + # Accept an expired Certificate Revocation List + # +# allow_expired_crl = no + # # The session resumption / fast re-authentication # cache CANNOT be used for inner sessions. diff -u -r freeradius-debian-9.0/3.0/mods-enabled/linelog freeradius-debian-10.0/3.0/mods-enabled/linelog --- freeradius-debian-9.0/3.0/mods-enabled/linelog 2018-02-23 14:16:27.000000000 +0200 +++ freeradius-debian-10.0/3.0/mods-enabled/linelog 2019-04-23 00:23:36.000000000 +0300 @@ -1,6 +1,6 @@ # -*- text -*- # -# $Id: c646da0a05cbdf6e984f79cea105de41de4b0528 $ +# $Id: dc2a8195b3c1c2251fc37651ea4a598898c33d12 $ # # The "linelog" module will log one line of text to a file. @@ -104,7 +104,7 @@ # # Reference the Packet-Type (Access-Accept, etc.) If it doesn't - # exist, reference the "defaukt" entry. + # exist, reference the "default" entry. # # This is for "linelog" being used in the post-auth section # If you want to use it in "authorize", you need to change diff -u -r freeradius-debian-9.0/3.0/mods-enabled/ntlm_auth freeradius-debian-10.0/3.0/mods-enabled/ntlm_auth --- freeradius-debian-9.0/3.0/mods-enabled/ntlm_auth 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/mods-enabled/ntlm_auth 2019-04-23 00:23:36.000000000 +0300 
@@ -6,6 +6,12 @@ # # https://bugzilla.samba.org/show_bug.cgi?id=6563 # +# Depending on the AD / Samba configuration, you may also need to add: +# +# --allow-mschapv2 +# +# to the list of command-line options. +# exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" diff -u -r freeradius-debian-9.0/3.0/mods-enabled/realm freeradius-debian-10.0/3.0/mods-enabled/realm --- freeradius-debian-9.0/3.0/mods-enabled/realm 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/mods-enabled/realm 2019-04-23 00:23:36.000000000 +0300 @@ -1,6 +1,6 @@ # -*- text -*- # -# $Id: b4c8ee3d8534ece75f6129d4853e6bc081cf0aa5 $ +# $Id: 36825e0fe77cb515219ba7febc37192988ed9fba $ # Realm module, for proxying. # @@ -33,6 +33,7 @@ # for a trust-router. For all other realms, # they are ignored. # trust_router = "localhost" +# tr_port = 12309 # rp_realm = "painless-security.com" # default_community = "apc.moonshot.ja.net" } diff -u -r freeradius-debian-9.0/3.0/policy.d/abfab-tr freeradius-debian-10.0/3.0/policy.d/abfab-tr --- freeradius-debian-9.0/3.0/policy.d/abfab-tr 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/policy.d/abfab-tr 2019-04-23 00:23:36.000000000 +0300 @@ -1,7 +1,7 @@ # # ABFAB Trust router policies. # -# $Id: 87d01a5e71df1dbf548c4215e50e2ee271d0a83c $ +# $Id: 3a088538b5acc09aebc80b40391febf1d57a617a $ # 
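Review bot: The new comment in mods-enabled/ntlm_auth documents `--allow-mschapv2` but leaves the operational caveat of this module unstated: the `program` line below passes `%{User-Password}` as a command-line argument, so the clear-text password is visible in the process table to local users for the lifetime of each ntlm_auth invocation. A sentence alongside the new text, e.g. `# Note: the password is passed on the ntlm_auth command line and is visible in the process list while it runs.`, lets an administrator weigh that before enabling the module. The `exec ntlm_auth` block continues outside the hunk.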
@@ -24,29 +24,46 @@ } abfab_client_check { - # check that the acceptor host name is correct - if ("%{client:gss_acceptor_host_name}" && &gss-acceptor-host-name) { - if ("%{client:gss_acceptor_host_name}" != "%{gss-acceptor-host-name}") { - update reply { - Reply-Message = "GSS-Acceptor-Host-Name incorrect" - } - reject + # check that GSS-Acceptor-Host-Name is correct + if ("%{client:gss_acceptor_host_name}") { + if (&request:GSS-Acceptor-Host-Name) { + if (&request:GSS-Acceptor-Host-Name != "%{client:gss_acceptor_host_name}") { + update reply { + Reply-Message = "GSS-Acceptor-Host-Name incorrect" + } + reject + } + } + else { + # set GSS-Acceptor-Host-Name if it is not set by the mechanism + # but it is defined in the client configuration + update request { + GSS-Acceptor-Host-Name = "%{client:gss_acceptor_host_name}" + } } } - # set trust-router-coi attribute from the client configuration + # set Trust-Router-COI attribute from the client configuration if ("%{client:trust_router_coi}") { update request { Trust-Router-COI := "%{client:trust_router_coi}" } } - # set gss-acceptor-realm-name attribute from the client configuration + # set GSS-Acceptor-Realm-Name attribute from the client configuration if ("%{client:gss_acceptor_realm_name}") { update request { GSS-Acceptor-Realm-Name := "%{client:gss_acceptor_realm_name}" } } + + # set GSS-Acceptor-Service-Name attribute from the client configuration + if ("%{client:gss_acceptor_service_name}") { + update request { + GSS-Acceptor-Service-Name = "%{client:gss_acceptor_service_name}" + } + } + } # A policy which is used to validate channel-bindings. diff -u -r freeradius-debian-9.0/3.0/policy.d/accounting freeradius-debian-10.0/3.0/policy.d/accounting --- freeradius-debian-9.0/3.0/policy.d/accounting 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/policy.d/accounting 2019-04-23 00:23:36.000000000 +0300 
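Review bot: The rewritten `abfab_client_check` compares `&request:GSS-Acceptor-Host-Name != "%{client:gss_acceptor_host_name}"` directly, and if that comparison is case-sensitive (likely for a string attribute) a legitimate acceptor that presents its hostname in different case from the client entry is rejected, while the moonshot policy later in this diff lower-cases the same value before use. Comparing lower-cased values on both sides, e.g. `if ("%{tolower:%{request:GSS-Acceptor-Host-Name}}" != "%{tolower:%{client:gss_acceptor_host_name}}") {`, keeps the check strict without depending on case. It is also worth a comment that when the client entry has no `gss_acceptor_host_name`, whatever hostname the request carries is accepted unverified, so that the configuration knob is understood as the thing that enables the check.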
@@ -33,7 +33,7 @@ # wireless environment). # update request { - Tmp-String-9 := "${policy.class_value_prefix}" + &Tmp-String-9 := "${policy.class_value_prefix}" } if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && \ diff -u -r freeradius-debian-9.0/3.0/policy.d/canonicalization freeradius-debian-10.0/3.0/policy.d/canonicalization --- freeradius-debian-9.0/3.0/policy.d/canonicalization 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/policy.d/canonicalization 2019-04-23 00:23:36.000000000 +0300 @@ -16,7 +16,15 @@ if (&User-Name && (&User-Name =~ /${policy.nai_regexp}/)) { update request { &Stripped-User-Name := "%{1}" - &Stripped-User-Domain = "%{3}" + } + + # Only add the Stripped-User-Domain attribute if + # we have a domain. This means presence checks + # for Stripped-User-Domain work. + if ("%{3}" != '') { + update request { + &Stripped-User-Domain = "%{3}" + } } # If any of the expansions result in a null @@ -36,7 +44,15 @@ if (&proxy-reply:User-Name && (&proxy-reply:User-Name =~ /${policy.nai_regexp}/)) { update proxy-reply { &Stripped-User-Name := "%{1}" - &Stripped-User-Domain = "%{3}" + } + + # Only add the Stripped-User-Domain attribute if + # we have a domain. This means presence checks + # for Stripped-User-Domain work. + if ("%{3}" != '') { + update proxy-reply { + &Stripped-User-Domain = "%{3}" + } } updated } diff -u -r freeradius-debian-9.0/3.0/policy.d/moonshot-targeted-ids freeradius-debian-10.0/3.0/policy.d/moonshot-targeted-ids --- freeradius-debian-9.0/3.0/policy.d/moonshot-targeted-ids 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/policy.d/moonshot-targeted-ids 2019-04-23 00:23:36.000000000 +0300 
@@ -8,6 +8,9 @@ # Moonshot-Host-TargetedId (138) # Moonshot-Realm-TargetedId (139) # Moonshot-TR-COI-TargetedId (140) +# Moonshot-MSTID-GSS-Acceptor (141) +# Moonshot-MSTID-Namespace (142) +# Moonshot-MSTID-TargetedId (143) # # These attributes should also be listed in the attr_filter policies # post-proxy and pre-proxy when you use attribute filtering: 
@@ -22,52 +25,207 @@ # dictionary attacks, therefore should be chosen as a "random" # string and kept secret. # -targeted_id_salt = "changeme" +# If you use special characters %, { and }, escape them with a \ first +# +targeted_id_salt = 'changeme' + # # Moonshot namespaces # These namespaces are used for UUID generation. # They should not be changed by implementors # -moonshot_host_namespace = "a574a04e-b7ff-4850-aa24-a8599c7de1c6" -moonshot_realm_namespace = "dea5f26d-a013-4444-977d-d09fc990d2e6" -moonshot_coi_namespace = "145d7e7e-7d54-43ee-bbcb-3c6ad9428247" - -# This policy generates a host-specific targeted ID +moonshot_host_namespace = 'a574a04e-b7ff-4850-aa24-a8599c7de1c6' +moonshot_realm_namespace = 'dea5f26d-a013-4444-977d-d09fc990d2e6' +moonshot_coi_namespace = '145d7e7e-7d54-43ee-bbcb-3c6ad9428247' + + +# This policy generates a host-specific TargetedId # moonshot_host_tid.post-auth { - # generate a UUID for Moonshot-Host-TargetedId - # targeted id = (uuid -v 5 [namespace] [username][salt][RP host name])@[IdP realm name] + # retrieve or generate a UUID for Moonshot-Host-TargetedId if (&outer.request:GSS-Acceptor-Host-Name) { - if ("%{echo:/usr/bin/uuid -v 5 ${policy.moonshot_host_namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{tolower:%{outer.request:GSS-Acceptor-Host-Name}}}" =~ /^([^ ]+)([ ]*)$/) { + # prep some variables (used regardless of SQL backing or not!) + update control { + Moonshot-MSTID-GSS-Acceptor := "%{tolower:%{outer.request:GSS-Acceptor-Host-Name}}" + Moonshot-MSTID-Namespace := "${policy.moonshot_host_namespace}" + } + + # if you want to use SQL-based backing, remove the comment from + # this line. You also have to configure and enable the + # moonshot-targeted-ids sql module in mods-enabled. 
+ # +# moonshot_get_targeted_id + + # generate a UUID for Moonshot-Host-TargetedId + if (!&control:Moonshot-MSTID-TargetedId) { + # generate the TID + moonshot_make_targeted_id + + # if you want to store your TargetedId in SQL-based backing, + # remove the comment from this line. You also have to configure + # and enable the moonshot-targeted-ids sql module in mods-enabled. + # +# moonshot_tid_sql + } + + # set the actual TargetedId in the session-state list + if (&control:Moonshot-MSTID-TargetedId) { update outer.session-state { - Moonshot-Host-TargetedId := "%{1}@%{tolower:%{request:Realm}}" + Moonshot-Host-TargetedId := &control:Moonshot-MSTID-TargetedId + } + update control { + Moonshot-MSTID-TargetedId !* ANY } } } } -# This policy generates a realm-specific targeted ID + +# This policy generates a realm-specific TargetedId # moonshot_realm_tid.post-auth { - # generate a UUID for Moonshot-Realm-TargetedId - # targeted id = (uuid -v 5 [namespace] [username][salt][RP realm name])@[IdP realm name] + # retrieve or generate a UUID for Moonshot-Realm-TargetedId if (&outer.request:GSS-Acceptor-Realm-Name) { - if ("%{echo:/usr/bin/uuid -v 5 ${policy.moonshot_realm_namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{tolower:%{outer.request:GSS-Acceptor-Realm-Name}}}" =~ /^([^ ]+)([ ]*)$/) { + # prep some variables (used regardless of SQL backing or not!) + update control { + Moonshot-MSTID-GSS-Acceptor := "%{tolower:%{outer.request:GSS-Acceptor-Realm-Name}}" + Moonshot-MSTID-Namespace := "${policy.moonshot_realm_namespace}" + } + + # if you want to use SQL-based backing, remove the comment from + # this line. You also have to configure and enable the + # moonshot-targeted-ids sql module in mods-enabled. 
+ # +# moonshot_get_targeted_id + + # generate a UUID for Moonshot-Realm-TargetedId + if (!&control:Moonshot-MSTID-TargetedId) { + # generate the TID + moonshot_make_targeted_id + + # if you want to store your TargetedId in SQL-based backing, + # remove the comment from this line. You also have to configure + # and enable the moonshot-targeted-ids sql module in mods-enabled. + # +# moonshot_tid_sql + } + + # set the actual TargetedId in the session-state list + if (&control:Moonshot-MSTID-TargetedId) { update outer.session-state { - Moonshot-Realm-TargetedId := "%{1}@%{tolower:%{request:Realm}}" + Moonshot-Realm-TargetedId := &control:Moonshot-MSTID-TargetedId + } + update control { + Moonshot-MSTID-TargetedId !* ANY } } } } + # This policy generates a COI-specific targeted ID # moonshot_coi_tid.post-auth { - # generate a UUID for Moonshot-TR-COI-TargetedId - # targeted id = (uuid -v 5 [namespace] [username][salt][RP COI name])@[IdP realm name] + # retrieve or generate a UUID for Moonshot-TR-COI-TargetedId if (&outer.request:Trust-Router-COI) { - if ("%{echo:/usr/bin/uuid -v 5 ${policy.moonshot_coi_namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{tolower:%{outer.request:Trust-Router-COI}}}" =~ /^([^ ]+)([ ]*)$/) { + # prep some variables (used regardless of SQL backing or not!) + update control { + Moonshot-MSTID-GSS-Acceptor := "%{tolower:%{outer.request:Trust-Router-COI}}" + Moonshot-MSTID-Namespace := "${policy.moonshot_coi_namespace}" + } + + # if you want to use SQL-based backing, remove the comment from + # this line. You also have to configure and enable the + # moonshot-targeted-ids sql module in mods-enabled. + # +# moonshot_get_targeted_id + + # generate a UUID for Moonshot-TR-COI-TargetedId + if (!&control:Moonshot-MSTID-TargetedId) { + # generate the TID + moonshot_make_targeted_id + + # if you want to store your TargetedId in SQL-based backing, + # remove the comment from this line. 
You also have to configure + # and enable the moonshot-targeted-ids sql module in mods-enabled. + # +# moonshot_tid_sql + } + + # set the actual TargetedId in the session-state list + if (&control:Moonshot-MSTID-TargetedId) { update outer.session-state { - Moonshot-TR-COI-TargetedId := "%{1}@%{tolower:%{request:Realm}}" + Moonshot-TR-COI-TargetedId := &control:Moonshot-MSTID-TargetedId + } + update control { + Moonshot-MSTID-TargetedId !* ANY + } + } + } +} + +# This is the generic generation policy. It requires moonshot_host_tid, moonshot_realm_tid, or moonshot_coi_tid to set variables +# +moonshot_make_targeted_id.post-auth { + # uses variables set in the control list + # + if (&control:Moonshot-MSTID-Namespace && &control:Moonshot-MSTID-GSS-Acceptor) { + # targeted id = (uuid -v 5 [namespace] [username][salt][GSS acceptor value])@[IdP realm name] + # + if ("%{echo:/usr/bin/uuid -v 5 %{control:Moonshot-MSTID-Namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{control:Moonshot-MSTID-GSS-Acceptor}}" =~ /^([^ ]+)([ ]*)$/) { + update control { + Moonshot-MSTID-TargetedId := "%{1}@%{tolower:%{request:Realm}}" + } + if (&control:Moonshot-MSTID-TargetedId =~ /([\%\{\}]+)/) { + update control { + Moonshot-MSTID-TargetedId !* ANY + } + update outer.session-state { + Module-Failure-Message = 'Invalid TargetedId generated, check your targeted_id_salt!' + } + reject + } + } + else { + # we simply return the 'echo' error message as the Module-Failure-Message, usually a lack of 'uuid' + reject + } + } + else { + # Our variables were not set, so we'll throw an error because there's no point in continuing! + update outer.session-state { + Module-Failure-Message = 'Required variables for moonshot_make_targeted_id not set!' + } + reject + } +} + +# This is the generic retrieval policy. 
It requires moonshot_host_tid, moonshot_realm_tid, or moonshot_coi_tid to set variables +# +moonshot_get_targeted_id.post-auth { + # uses variables set in the control list + # + if (&control:Moonshot-MSTID-Namespace && &control:Moonshot-MSTID-GSS-Acceptor) { + # retrieve the TargetedId + # + update control { + Moonshot-MSTID-TargetedId := "%{moonshot_tid_sql:\ + SELECT targeted_id FROM moonshot_targeted_ids \ + WHERE gss_acceptor = '%{control:Moonshot-MSTID-GSS-Acceptor}' \ + AND namespace = '%{control:Moonshot-MSTID-Namespace}' \ + AND username = '%{tolower:%{User-Name}}'}" + } + + # if the value is empty, there's no point in setting it and delete it from the control list! + if (&control:Moonshot-MSTID-TargetedId == '') { + update control { + Moonshot-MSTID-TargetedId !* ANY } } } + else { + # Our variables were not set, so we'll throw an error because there's no point in continuing! + update outer.session-state { + Module-Failure-Message = 'Required variables for moonshot_get_targeted_id not set!' + } + reject + } } Only in freeradius-debian-10.0/3.0: proxy.conf.dpkg-dist Only in freeradius-debian-10.0/3.0: radiusd.conf.dpkg-dist diff -u -r freeradius-debian-9.0/3.0/sites-available/abfab-tls freeradius-debian-10.0/3.0/sites-available/abfab-tls --- freeradius-debian-9.0/3.0/sites-available/abfab-tls 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/sites-available/abfab-tls 2019-04-23 00:23:36.000000000 +0300 @@ -1,7 +1,7 @@ # # Example configuration for ABFAB listening on TLS. # -# $Id: 79d74e6fcbb12b1226f026383b8e1043092dd6fb $ +# $Id: 5dbe143da6f170505fa1b0e1c4282ebe60b139bb $ # listen { ipaddr = * 
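Review bot: `moonshot_make_targeted_id` hands `${policy.targeted_id_salt}` to `/usr/bin/uuid` as a command-line argument through `%{echo:...}`, so the value the header comment says must be kept secret is exposed in the process argument list to every local user for as long as uuid runs; unless the exec xlat delivers arguments some other way (not visible here), the salt should reach the helper via stdin or the environment, or the UUID should be derived in-server. The three inputs are also concatenated with no delimiter, so distinct (username, acceptor) pairs can produce the same UUID-v5 input; a fixed separator such as `%{tolower:%{User-Name}}|${policy.targeted_id_salt}|%{control:Moonshot-MSTID-GSS-Acceptor}` removes that ambiguity, at the cost of changing every previously issued TargetedId. In `moonshot_get_targeted_id`, `User-Name` and the acceptor value are expanded inside the SELECT string; that is only safe if the `moonshot_tid_sql` module's escaping of nested expansions is relied upon, and a comment above the query stating that assumption (and that `safe_characters` must not be loosened) would make the dependency explicit. The hunk ends at the close of `moonshot_get_targeted_id`.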
@@ -24,7 +24,8 @@ cache { enable = no lifetime = 24 # hours - max_entries = 255 + name = "abfab-tls" +# persist_dir = ${logdir}/abfab-tls } require_client_cert = yes diff -u -r freeradius-debian-9.0/3.0/sites-available/abfab-tr-idp freeradius-debian-10.0/3.0/sites-available/abfab-tr-idp --- freeradius-debian-9.0/3.0/sites-available/abfab-tr-idp 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/sites-available/abfab-tr-idp 2019-04-23 00:23:36.000000000 +0300 @@ -7,7 +7,7 @@ # This file does not include a TLS listener; see abfab-tls for a simple # example of a RADSEC listener for ABFAB. # -# $Id: 3ef581e54dd7b397ea49e3d1db53f0c543a826d2 $ +# $Id: e0224864ec1d81405f57a6d872f86c8a7958fdab $ # server abfab-idp { @@ -81,12 +81,6 @@ -sql # - # Instead of sending the query to the SQL server, - # write it into a log file. - # -# sql_log - - # # Un-comment the following if you want to modify the user's object # in LDAP after a successful login. # diff -u -r freeradius-debian-9.0/3.0/sites-available/buffered-sql freeradius-debian-10.0/3.0/sites-available/buffered-sql --- freeradius-debian-9.0/3.0/sites-available/buffered-sql 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/sites-available/buffered-sql 2019-04-23 00:23:36.000000000 +0300 @@ -32,7 +32,7 @@ # the server will have time to read the detail file, and insert # the data into a long-term SQL database. # -# $Id: ba71ea5ae42b054e8b43ad54092a768b76050bcb $ +# $Id: 81150448040b78c1cb1340f3329bfd9475aadf26 $ # ###################################################################### 
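Review bot: `persist_dir` is added commented out while `name` is set, yet the sites-available/tls hunk later in this same diff states that as of 3.0.14 the session cache requires both `name` and `persist_dir`. With `enable = no` the cache subsection is inert, but anyone flipping it to `yes` would also have to uncomment `persist_dir`, and nothing in the hunk says so. A one-line note such as `# persist_dir is required if enable = yes (see sites-available/tls)` would make the dependency explicit. If `persist_dir` is ever enabled, the directory presumably holds TLS session data, so it should be readable and writable only by the radiusd user; worth confirming against the deployment's ${logdir} permissions.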
@@ -43,6 +43,16 @@ # The location where the detail file is located. # This should be on local disk, and NOT on an NFS # mounted location! + # + # On most systems, this should support file globbing + # e.g. "${radacctdir}/detail-*:*" + # This lets you write many smaller detail files as in + # the example in radiusd.conf: ".../detail-%Y%m%d:%H" + # Writing many small files is often better than writing + # one large file. File globbing also means that with + # a common naming scheme for detail files, then you can + # have many detail file writers, and only one reader. + # filename = "${radacctdir}/detail-*" # @@ -78,6 +88,7 @@ # wake up, and poll for it every N seconds. # # Useful range of values: 1 to 60 + # poll_interval = 1 # @@ -87,6 +98,7 @@ # home server responds. # # Useful range of values: 5 to 30 + # retry_interval = 30 # @@ -98,6 +110,17 @@ # have already been processed. The default is "no". # # track = yes + + # + # In some circumstances it may be desirable for the + # server to start up, process a detail file, and + # immediately quit. To do this enable the "one_shot" + # option below. + # + # Do not enable this for normal server operation. The + # default is "no". + # + # one_shot = no } # diff -u -r freeradius-debian-9.0/3.0/sites-available/copy-acct-to-home-server freeradius-debian-10.0/3.0/sites-available/copy-acct-to-home-server --- freeradius-debian-9.0/3.0/sites-available/copy-acct-to-home-server 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/sites-available/copy-acct-to-home-server 2019-04-23 00:23:36.000000000 +0300 @@ -21,7 +21,7 @@ # That way, each server has the same set of information, and # can make the same decision about the user. # -# $Id: 3c38550b891847a29f717df082ba3075f3461bab $ +# $Id: ea3909830f6f453bb6dcda0f24570a331cab0216 $ # ###################################################################### 
@@ -29,6 +29,11 @@ listen { type = detail + # + # See sites-available/buffered-sql for more details on + # all the options available for the detail reader. + # + ###################################################### # # !!!! WARNING !!!! @@ -63,6 +68,7 @@ # one large file. File globbing also means that with # a common naming scheme for detail files, then you can # have many detail file writers, and only one reader. + # filename = ${radacctdir}/detail # diff -u -r freeradius-debian-9.0/3.0/sites-available/decoupled-accounting freeradius-debian-10.0/3.0/sites-available/decoupled-accounting --- freeradius-debian-9.0/3.0/sites-available/decoupled-accounting 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/sites-available/decoupled-accounting 2019-04-23 00:23:36.000000000 +0300 @@ -15,7 +15,7 @@ # This file is NOT meant to be used as-is. It needs to be # edited to match your local configuration. # -# $Id: a440e77b8f4da0be1911d53dc64ec62517788d87 $ +# $Id: 6b1b5b337216e433498c1fdb85ced8a53b34df94 $ # ###################################################################### @@ -119,12 +119,6 @@ # See "Accounting queries" in sql.conf # sql - # - # Instead of sending the query to the SQL server, - # write it into a log file. - # -# sql_log - # Cisco VoIP specific bulk accounting # pgsql-voip diff -u -r freeradius-debian-9.0/3.0/sites-available/default freeradius-debian-10.0/3.0/sites-available/default --- freeradius-debian-9.0/3.0/sites-available/default 2018-02-23 15:41:44.000000000 +0200 +++ freeradius-debian-10.0/3.0/sites-available/default 2019-04-23 00:23:36.000000000 +0300 @@ -11,7 +11,7 @@ # the "inner-tunnel" virtual server. You will likely have to edit # that, too, for authentication to work. # -# $Id: 083407596aa5074d665adac9606e7de655b634aa $ +# $Id: 3616050e7625eb6b5e2ba44782fcb737b2ae6136 $ # ###################################################################### # 
@@ -85,16 +85,35 @@ # proxy listeners are automatically created. # ipaddr/ipv4addr/ipv6addr - IP address on which to listen. - # Out of several options the first one will be used. + # If multiple ones are listed, only the first one will + # be used, and the others will be ignored. # - # Allowed values are: - # IPv4 address (e.g. 1.2.3.4, for ipv4addr/ipaddr) - # IPv6 address (e.g. 2001:db8::1, for ipv6addr/ipaddr) - # hostname (radius.example.com, - # A record for ipv4addr, - # AAAA record for ipv6addr, - # A or AAAA record for ipaddr) - # wildcard (*) + # The configuration options accept the following syntax: + # + # ipv4addr - IPv4 address (e.g.192.0.2.3) + # - wildcard (i.e. *) + # - hostname (radius.example.com) + # Only the A record for the host name is used. + # If there is no A record, an error is returned, + # and the server fails to start. + # + # ipv6addr - IPv6 address (e.g. 2001:db8::1) + # - wildcard (i.e. *) + # - hostname (radius.example.com) + # Only the AAAA record for the host name is used. + # If there is no AAAA record, an error is returned, + # and the server fails to start. + # + # ipaddr - IPv4 address as above + # - IPv6 address as above + # - wildcard (i.e. *), which means IPv4 wildcard. + # - hostname + # If there is only one A or AAAA record returned + # for the host name, it is used. + # If multiple A or AAAA records are returned + # for the host name, only the first one is used. + # If both A and AAAA records are returned + # for the host name, only the A record is used. # # ipv4addr = * # ipv6addr = * 
@@ -347,17 +366,22 @@ # It also sets the EAP-Type attribute in the request # attribute list to the EAP type from the packet. # - # The EAP module returns "ok" if it is not yet ready to - # authenticate the user. The configuration below checks for - # that code, and stops processing the "authorize" section if - # so. + # The EAP module returns "ok" or "updated" if it is not yet ready + # to authenticate the user. The configuration below checks for + # "ok", and stops processing the "authorize" section if so. # # Any LDAP and/or SQL servers will not be queried for the # initial set of packets that go back and forth to set up # TTLS or PEAP. # + # The "updated" check is commented out for compatibility with + # previous versions of this configuration, but you may wish to + # uncomment it as well; this will further reduce the number of + # LDAP and/or SQL queries for TTLS or PEAP. + # eap { ok = return +# updated = return } # @@ -553,7 +577,7 @@ # # update request { -# FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" +# &FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" # } @@ -629,12 +653,6 @@ # ok # } - # - # Instead of sending the query to the SQL server, - # write it into a log file. - # -# sql_log - # Cisco VoIP specific bulk accounting # pgsql-voip @@ -714,12 +732,6 @@ -sql # - # Instead of sending the query to the SQL server, - # write it into a log file. - # -# sql_log - - # # Un-comment the following if you want to modify the user's object # in LDAP after a successful login. # 
@@ -827,6 +839,15 @@ # Remove reply message if the response contains an EAP-Message remove_reply_message_if_eap } + + # + # Filter access challenges. + # + Post-Auth-Type Challenge { +# remove_reply_message_if_eap +# attr_filter.access_challenge.post-auth + } + } # diff -u -r freeradius-debian-9.0/3.0/sites-available/inner-tunnel freeradius-debian-10.0/3.0/sites-available/inner-tunnel --- freeradius-debian-9.0/3.0/sites-available/inner-tunnel 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/sites-available/inner-tunnel 2019-04-23 00:23:36.000000000 +0300 @@ -4,7 +4,7 @@ # This is a virtual server that handles *only* inner tunnel # requests for EAP-TTLS and PEAP types. # -# $Id: 2c6f9611bfc7b4b782aeb9764e47e832690739c4 $ +# $Id: 70b1d8da255a740d2d1b59808393722766dc6a60 $ # ###################################################################### @@ -302,12 +302,6 @@ -sql # - # Instead of sending the query to the SQL server, - # write it into a log file. - # -# sql_log - - # # Un-comment the following if you have set # 'edir_account_policy_check = yes' in the ldap module sub-section of # the 'modules' section. 
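Review bot: Both entries in the new `Post-Auth-Type Challenge` section are commented out, so the section is effectively empty and Access-Challenge replies are not attribute-filtered, which contradicts the hunk's own comment `Filter access challenges.`. Either enable `attr_filter.access_challenge.post-auth` (assuming that attr_filter instance is configured in mods-available, which is not visible here), or reword the comment to `Filter access challenges (opt-in: uncomment the entries below).` so a reader does not assume filtering is active. The enclosing post-auth section starts outside the hunk.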
@@ -317,37 +311,49 @@ # # Un-comment the following if you want to generate Moonshot (ABFAB) TargetedIds - # IMPORTANT: This requires the UUID package to be installed! + # + # IMPORTANT: This requires the UUID package to be installed, and a targeted_id_salt + # to be configured. + # + # This functionality also supports SQL backing. To use this functionality, enable + # and configure the moonshot-targeted-ids SQL module in the mods-enabled directory. + # Then remove the comments from the appropriate lines in each of the below + # policies in the policy.d/moonshot-targeted-ids file. # # moonshot_host_tid # moonshot_realm_tid # moonshot_coi_tid # - # Instead of "use_tunneled_reply", uncomment the - # next two "update" blocks. + # Instead of "use_tunneled_reply", change this "if (0)" to an + # "if (1)". # -# update { -# &outer.session-state: += &reply: -# } - - # - # These attributes are for the inner session only. - # They MUST NOT be sent in the outer reply. - # - # If you uncomment the previous block and leave - # this one commented out, WiFi WILL NOT WORK, - # because the client will get two MS-MPPE-keys - # -# update outer.session-state { -# MS-MPPE-Encryption-Policy !* ANY -# MS-MPPE-Encryption-Types !* ANY -# MS-MPPE-Send-Key !* ANY -# MS-MPPE-Recv-Key !* ANY -# Message-Authenticator !* ANY -# EAP-Message !* ANY -# Proxy-State !* ANY -# } + if (0) { + # + # These attributes are for the inner-tunnel only, + # and MUST NOT be copied to the outer reply. + # + update reply { + User-Name !* ANY + Message-Authenticator !* ANY + EAP-Message !* ANY + Proxy-State !* ANY + MS-MPPE-Encryption-Types !* ANY + MS-MPPE-Encryption-Policy !* ANY + MS-MPPE-Send-Key !* ANY + MS-MPPE-Recv-Key !* ANY + } + + # + # Copy the inner reply attributes to the outer + # session-state list. The post-auth policy will take + # care of copying the outer session-state list to the + # outer reply. 
+ # + update { + &outer.session-state: += &reply: + } + } # # Access-Reject packets are sent through the REJECT sub-section of the diff -u -r freeradius-debian-9.0/3.0/sites-available/tls freeradius-debian-10.0/3.0/sites-available/tls --- freeradius-debian-9.0/3.0/sites-available/tls 2017-08-10 10:05:06.000000000 +0300 +++ freeradius-debian-10.0/3.0/sites-available/tls 2019-04-23 00:23:36.000000000 +0300 @@ -84,6 +84,10 @@ private_key_password = whatever private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key + # Accept an expired Certificate Revocation List + # + # allow_expired_crl = no + # If Private key & Certificate are located in # the same file, then private_key_file & # certificate_file must contain the same file @@ -169,10 +173,9 @@ # match, the certificate verification will fail, # rejecting the user. # - # In 2.1.10 and later, this check can be done - # more generally by checking the value of the - # TLS-Client-Cert-Issuer attribute. This check - # can be done via any mechanism you choose. + # This check can be done more generally by checking + # the value of the TLS-Client-Cert-Issuer attribute. + # This check can be done via any mechanism you choose. # # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" @@ -199,6 +202,14 @@ # in "man 1 ciphers". cipher_list = "DEFAULT" + # If enabled, OpenSSL will use server cipher list + # (possibly defined by cipher_list option above) + # for choosing right cipher suite rather than + # using client-specified list which is OpenSSl default + # behavior. Having it set to yes is a current best practice + # for TLS + cipher_server_preference = no + # # Session resumption / fast reauthentication # cache. 
@@ -231,6 +242,13 @@ # Deleting the entire "cache" subsection # Also disables caching. # + # + # As of version 3.0.14, the session cache requires the use + # of the "name" and "persist_dir" configuration items, below. + # + # The internal OpenSSL session cache has been permanently + # disabled. + # # You can disallow resumption for a # particular user by adding the following # attribute to the control item list: @@ -251,15 +269,6 @@ lifetime = 24 # hours # - # The maximum number of entries in the - # cache. Set to "0" for "infinite". - # - # This could be set to the number of users - # who are logged in... which can be a LOT. - # - max_entries = 255 - - # # Internal "name" of the session cache. # Used to distinguish which TLS context # sessions belong to. Only in freeradius-debian-9.0/3.0/sites-enabled: default Only in freeradius-debian-9.0/3.0/sites-enabled: inner-tunnel diff -u -r freeradius-debian-9.0/3.0/users freeradius-debian-10.0/3.0/users --- freeradius-debian-9.0/3.0/users 2020-12-20 22:01:04.895507191 +0200 +++ freeradius-debian-10.0/3.0/users 2018-02-23 11:44:13.263490656 +0200 @@ -218,4 +218,4 @@ # See the example user "bob" above. # ######################################################### -wlanguest Cleartext-Password := "removed" +wlanguest Cleartext-Password := "removed"