#
# require_message_authenticator = no
+ #
+ # The global configuration "security.limit_proxy_state"
+ # flag sets the default for all clients. That default can be
+ # over-ridden here, by setting it to "no".
+ #
+ # This flag exists solely for legacy clients which do not send
+ # Message-Authenticator in all Access-Request packets. We do not
+ # recommend setting it to "no".
+ #
+ # allowed values: yes, no
+ #
+# limit_proxy_state = yes
+
#
# The short name is used as an alias for the fully qualified
# domain name, or the IP address.
(old->coa_home_server == client->coa_home_server) &&
(old->coa_home_pool == client->coa_home_pool) &&
#endif
- (old->require_ma == client->require_ma)) {
+ (old->require_ma == client->require_ma) &&
+ (old->limit_proxy_state == client->limit_proxy_state)) {
WARN("Ignoring duplicate client %s", client->longname);
client_free(client);
return true;
{ "src_ipaddr", FR_CONF_POINTER(PW_TYPE_STRING, &cl_srcipaddr), NULL },
{ "require_message_authenticator", FR_CONF_OFFSET(PW_TYPE_BOOLEAN | PW_TYPE_IGNORE_DEFAULT, RADCLIENT, require_ma), NULL },
+ { "limit_proxy_state", FR_CONF_OFFSET(PW_TYPE_BOOLEAN | PW_TYPE_IGNORE_DEFAULT, RADCLIENT, limit_proxy_state), NULL },
{ "secret", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_SECRET, RADCLIENT, secret), NULL },
{ "shortname", FR_CONF_OFFSET(PW_TYPE_STRING, RADCLIENT, shortname), NULL },
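Review bot: Nothing records when a client section uses the new `limit_proxy_state` entry to switch off a protection that is enabled globally, so a weakened client can only be found by reading every client definition. Because the entry is parsed with `PW_TYPE_IGNORE_DEFAULT`, the inherited global value and the per-client value can be compared once the section has been parsed (that code is outside this hunk). A line such as `WARN("Client %s disables limit_proxy_state", c->longname);`, emitted when the client value is false and `main_config.limit_proxy_state` is true, would give operators and log monitoring something to alert on. The same check is worth considering for a client that ends up with both this flag and `require_message_authenticator` set to `no`.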
c->cs = cs;
/*
- * Set the "require message authenticator" flag from the
- * global default. If the configuration item exists, AND
- * is set, it will over-ride this flag.
+ * Set the "require message authenticator" and "limit
+ * proxy state" flags from the global default. If the
+ * configuration item exists, AND is set, it will
+ * over-ride the flag.
*/
c->require_ma = main_config.require_ma;
+ c->limit_proxy_state = main_config.limit_proxy_state;
memset(&cl_ipaddr, 0, sizeof(cl_ipaddr));
cl_netmask = 255;
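Review bot: Only this constructor copies `main_config.limit_proxy_state` into the new field, so any other code that builds a `RADCLIENT` (none is visible in this diff) would leave `limit_proxy_state` at whatever the allocation gives it. That is presumably zero, which is the permissive `no`. If clients can also be created from other sources, those paths need the same `c->limit_proxy_state = main_config.limit_proxy_state;` so that the flag fails closed. The updated comment would also be clearer if it said that the override relies on the parser entries being marked `PW_TYPE_IGNORE_DEFAULT`. The enclosing function starts and ends outside this hunk.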