- diff -ru default-ori /etc/freeradius/sites-available/default
- --- original/freeradius/sites-available/default 2010-11-14 18:13:00.000000000 -0300
- +++ /etc/freeradius/sites-available/default 2011-11-15 11:49:55.081320643 -0300
- --- original/freeradius/sql.conf 2017-01-20 15:42:22.990386917 -0300
- +++ /etc/freeradius/sql.conf 2017-01-20 15:42:49.831448774 -0300
- @@ -64,7 +64,7 @@
-
- # If set to 'yes' (default) we read the group tables
- # If set to 'no' the user MUST have Fall-Through = Yes in the radreply table
- - # read_groups = yes
- + read_groups = yes
-
- # Remove stale session if checkrad does not see a double login
- deletestalesessions = yes
- @@ -105,7 +105,7 @@
- # and security reasons, finding clients via SQL queries CANNOT
- # be done "live" while the server is running.
- #
- - #readclients = yes
- + readclients = yes
-
- # Table to keep radius client info
- nas_table = "nas"
- --- etc/freeradius/dialup-mod.conf 2017-01-20 15:43:21.836720515 -0300
- +++ /etc/freeradius/sql/mysql/dialup.conf 2017-01-20 15:43:24.924843537 -0300
- @@ -287,17 +287,17 @@
- #######################################################################
-
- # Uncomment simul_count_query to enable simultaneous use checking
- - #simul_count_query = "SELECT COUNT(*) \
- - #FROM ${acct_table1} \
- - #WHERE username = '%{SQL-User-Name}' \
- - #AND acctstoptime IS NULL"
- + simul_count_query = "SELECT COUNT(*) \
- + FROM ${acct_table1} \
- + WHERE username = '%{SQL-User-Name}' \
- + AND acctstoptime IS NULL"
-
- - simul_verify_query = "SELECT radacctid, acctsessionid, username, \
- - nasipaddress, nasportid, framedipaddress, \
- - callingstationid, framedprotocol \
- - FROM ${acct_table1} \
- - WHERE username = '%{SQL-User-Name}' \
- - AND acctstoptime IS NULL"
- +# simul_verify_query = "SELECT radacctid, acctsessionid, username, \
- +# nasipaddress, nasportid, framedipaddress, \
- +# callingstationid, framedprotocol \
- +# FROM ${acct_table1} \
- +# WHERE username = '%{SQL-User-Name}' \
- +# AND acctstoptime IS NULL"
-
- #######################################################################
- # Authentication Logging Queries
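Review bot: Commenting out `simul_verify_query` while enabling `simul_count_query` leaves rlm_sql able to count open radacct rows but, as far as I read the 2.x module, unable to verify a counted session against the NAS via checkrad, so a session whose Stop record never arrived keeps the user over Simultaneous-Use until something else cleans it up. If stale sessions are meant to be handled by the `dupsess` module wired in under authorize later in this patch, say so next to the commented-out query, e.g. `# simul_verify_query disabled: stale sessions are pruned by dupsess (see sites-available/default)`; otherwise keep the verify query active.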
- +++ /etc/freeradius/radiusd.conf 2017-01-20 15:43:40.509465219 -0300
- --- etc/freeradius/radiusd-mod.conf 2017-01-20 15:43:37.969363797 -0300
- @@ -473,7 +473,7 @@
- #
- # allowed values: {no, yes}
- #
- - auth = no
- + auth = yes
-
- # Log passwords with the authentication requests.
- # auth_badpass - logs password if it's rejected
- @@ -481,8 +481,8 @@
- #
- # allowed values: {no, yes}
- #
- - auth_badpass = no
- - auth_goodpass = no
- + auth_badpass = yes
- + auth_goodpass = yes
-
- # Log additional text at the end of the "Login OK" messages.
- # for these to work, the "auth" and "auth_goopass" or "auth_badpass"
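Review bot: `auth_badpass = yes` together with `auth_goodpass = yes` makes the server write every submitted password, accepted ones included, in cleartext into the authentication log, so anyone who can read that file can harvest valid credentials. The MAC-as-password policy in the policy.conf hunk means this leaks little for machine accounts, but it applies to every other user authenticating through this server too. Keep `auth_goodpass = no`, and if `auth_badpass` is wanted to diagnose mismatched credentials, enable it only for the duration of the investigation and mark it, e.g. `# auth_badpass temporarily enabled for <ticket>; revert after`. The file headers above this hunk are printed in reversed order (`+++` before `---`), so check the patch direction before applying it with patch(1).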
- @@ -740,7 +740,7 @@
- # Include another file that has the SQL-related configuration.
- # This is another file only because it tends to be big.
- #
- -# $INCLUDE sql.conf
- + $INCLUDE sql.conf
-
- #
- # This module is an SQL enabled version of the counter module.
- +++ /etc/freeradius/policy.conf 2017-01-20 15:44:04.126409923 -0300
- --- etc/freeradius/policy-mod.conf 2017-01-20 15:43:58.002164648 -0300
- @@ -56,6 +56,56 @@
- # If you want the server to pretend that it is dead,
- # then use the "do_not_respond" policy.
- #
- +
- + # Rewrite password if password is empty and user-name have mac format
- + rewrite_password {
- + if (User-Name =~ /([0-9a-f]{2})[-:]([0-9a-f]{2})[-:]([0-9a-f]{2})[-:]([0-9a-f]{2})[-:]([0-9a-f]{2})[-:]([0-9a-f]{2})/i){
- + if (Password||CHAP-Password){
- +
- + #update request {
- + # User-Name := "%{1}%{2}%{3}%{4}%{5}%{6}"
- + #}
- + update request{
- + Password := "%{User-Name}"
- + }
- + update control {
- + Auth-Type = 'PAP'
- + }
- + }
- +
- + }
- + else {
- + noop
- + }
- + }
- +
- + #
- + # Rewrite called station id attribute into a standard format.
- + #
- + rewrite_calling_station_id {
- + if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){
- + if(Calling-Statind-Id == User-Name){
- + #update request {
- + # User-Name := "%{1}%{2}%{3}%{4}%{5}%{6}"
- + #}
- +
- + if(Password||CHAP-Password){
- + update request{
- + Password := "%{User-Name}"
- + }
- + update control {
- + Auth-Type = 'PAP'
- + }
- + }
- + }
- + }
- + else {
- + noop
- + }
- + }
- +
- +
- +
- do_not_respond {
- update control {
- Response-Packet-Type := Do-Not-Respond
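Review bot: `Calling-Statind-Id` in the inner condition of `rewrite_calling_station_id` is a typo for `Calling-Station-Id`; it is not a defined attribute, so the comparison never matches a real packet (depending on the version it is either a parse error or a literal string compare) and the update block under it is dead — change the line to `if(Calling-Station-Id == User-Name){`. The comment above `rewrite_password` says the password is rewritten when it is empty, but `if (Password||CHAP-Password)` fires when either attribute is present, which is the opposite of what the comment says; fix one or the other. Both regexes are unanchored, so any User-Name that merely contains a MAC-shaped substring has its password overwritten with its own name and Auth-Type forced to PAP, which means such accounts are authenticated by knowledge of the MAC alone and the SQL authorization data is the only thing gating which MACs are accepted — that should be stated in the header comment. With the `User-Name := "%{1}…%{6}"` normalisation left commented out, the raw form reaches SQL, and the two regexes disagree on whether separators are required, so the same device can produce different lookup keys. These policies are called from the authorize and preacct hunks of sites-available/default further down.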
- +++ /etc/freeradius/sites-available/default 2017-01-20 15:48:10.227616980 -0300
- --- etc/freeradius/default-mod 2017-01-20 15:48:22.860091196 -0300
- @@ -66,6 +66,7 @@
- #
- # Make *sure* that 'preprocess' comes before any realm if you
- # need to setup hints for the remote radius server
- +server radius {
- authorize {
- #
- # Security settings. Take a User-Name, and do some simple
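Review bot: Wrapping the whole site file in `server radius {` (closed by the `+}` in the last hunk) turns the previously unnamed default virtual server into a named one, and if I remember 2.x correctly a `listen` section that does not set `virtual_server = radius` keeps routing to the unnamed server, which after this change has no authorize or accounting sections; confirm every listener in radiusd.conf names this server. A one-line comment above the new line naming the listeners that reference it, e.g. `# referenced by the auth/acct listen sections in radiusd.conf via virtual_server = radius`, would save the next reader the search.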
- @@ -93,6 +94,16 @@
- # section, above.
- # auth_log
-
- + # Machine (Calling-Station-ID based) authentication
- + #
- + # RFC 2865 says that a Service-Type value of Call Check is used
- + # to specify this kind of authentication (though were now dealing with ethernet ports instead of lines).
- + #
- + rewrite_password
- + rewrite_calling_station_id
- +
- +
- +
- #
- # The chap module will set 'Auth-Type := CHAP' if we are
- # handling a CHAP request and Auth-Type has not already been set
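Review bot: The new comment cites the RFC 2865 Call Check Service-Type, but neither `rewrite_password` nor `rewrite_calling_station_id` is conditioned on Service-Type, so the password rewrite also applies to ordinary user logins whose User-Name happens to look like a MAC address. Guarding the two calls, e.g. `if (Service-Type == Call-Check) { rewrite_password rewrite_calling_station_id }`, would limit the rewrite to NAS-initiated MAC checks; confirm the NAS actually sends that Service-Type before adding the guard. In the comment, "though were now dealing" should read "though we're now dealing".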
- @@ -167,14 +178,15 @@
-
- #
- # Read the 'users' file
- - files
- + #files
-
- #
- # Look in an SQL database. The schema of the database
- # is meant to mirror the "users" file.
- #
- # See "Authorization Queries" in sql.conf
- -# sql
- + dupsess
- + sql
-
- #
- # If you are using /etc/smbpasswd, and are also doing
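Review bot: `dupsess` is invoked before `sql` in authorize, but nothing in this patch defines or instantiates a module by that name; unless it lives in a modules file outside this diff, the server will refuse to start on the unknown reference. Disabling `files` in the same hunk means the users file is no longer consulted at all, so any DEFAULT entries it carried stop applying. A comment above the call naming where dupsess is configured and what it does, e.g. `# dupsess: defined in modules/dupsess, clears stale radacct sessions before the sql lookup`, would make the dependency visible.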
- @@ -333,6 +345,16 @@
- preacct {
- preprocess
-
- + #
- + # Authentication based on Calling-Station-ID
- + #
- + # Calling-Station-ID authentication is usually done by comparing normalised
- + # forms of the Calling-Station-ID and User-name fields.
- + #
- +
- + rewrite_calling_station_id
- +
- +
- #
- # Session start times are *implied* in RADIUS.
- # The NAS never sends a "start time". Instead, it sends
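Review bot: Calling `rewrite_calling_station_id` in preacct runs a policy that sets `Password` and `control:Auth-Type` on accounting packets, where neither is used, and the comment above it describes comparing normalised forms of Calling-Station-Id and User-Name while the normalisation line inside the policy is commented out, so the comparison is on raw strings. If the intent in accounting is only to canonicalise Calling-Station-Id before the SQL accounting insert, a separate policy that does just that rewrite would be clearer; otherwise drop the call and the comment.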
- @@ -364,12 +386,12 @@
- # Accounting requests are generally proxied to the same
- # home server as authentication requests.
- # IPASS
- - suffix
- +# suffix
- # ntdomain
-
- #
- # Read the 'acct_users' file
- - files
- + #files
- }
-
- #
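Review bot: Commenting out `suffix` in preacct means accounting packets are no longer realm-stripped, and unless `suffix` is also disabled in authorize (not shown in this diff) the username recorded in the accounting rows will differ from the one used at authorization whenever realms are in use. A short comment stating why, e.g. `# suffix disabled: usernames are bare MACs, no realm stripping needed`, would stop the next reader from re-enabling it.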
- @@ -403,7 +425,7 @@
- # Log traffic to an SQL database.
- #
- # See "Accounting queries" in sql.conf
- -# sql
- + sql
-
- #
- # If you receive stop packets with zero session length,
- @@ -447,11 +469,11 @@
- # or rlm_sql module can handle this.
- # The rlm_sql module is *much* faster
- session {
- - radutmp
- + #radutmp
-
- #
- # See "Simultaneous Use Checking Queries" in sql.conf
- -# sql
- + sql
- }
-
-
- @@ -472,7 +494,7 @@
- # After authenticating the user, do another SQL query.
- #
- # See "Authentication Logging Queries" in sql.conf
- -# sql
- + sql
-
- #
- # Instead of sending the query to the SQL server,
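Review bot: Enabling `sql` in post-auth makes rlm_sql run its postauth_query, and the stock 2.x dialup.conf query writes the submitted password into the radpostauth `pass` column; together with `auth_goodpass = yes` in the radiusd.conf hunk this stores accepted credentials in cleartext in two places. Check the postauth_query in sql/mysql/dialup.conf (not part of this diff) and, if it is unchanged, drop the password column from it or restrict access to that table.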
- @@ -657,4 +679,4 @@
- # detail
- # }
- }
- -
- +}