From: Alan T. DeKok
Date: Thu, 22 Feb 2024 10:44:07 +0000 (-0500)
Subject: make limit_proxy_state the default for clients
X-Git-Tag: release_3_0_27~14
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=836aeb93d762671703d1482eda236be91fe9fc05;p=thirdparty%2Ffreeradius-server.git

make limit_proxy_state the default for clients
---
diff --git a/raddb/clients.conf b/raddb/clients.conf
index ee2bc20003..0649aa391e 100644
--- a/raddb/clients.conf
+++ b/raddb/clients.conf
@@ -128,6 +128,19 @@ client localhost {
 #
 # require_message_authenticator = no
+ #
+ # The global configuration "security.limit_proxy_state"
+ # flag sets the default for all clients. That default can be
+ # over-ridden here, by setting it to "no".
+ #
+ # This flag exists solely for legacy clients which do not send
+ # Message-Authenticator in all Access-Request packets. We do not
+ # recommend setting it to "no".
+ #
+ # allowed values: yes, no
+ #
+# limit_proxy_state = yes
+
 #
 # The short name is used as an alias for the fully qualified
 # domain name, or the IP address.
diff --git a/src/include/clients.h b/src/include/clients.h
index ed1fca0cd2..e7601f3aa5 100644
--- a/src/include/clients.h
+++ b/src/include/clients.h
@@ -45,6 +45,8 @@ typedef struct radclient {
 bool require_ma; //!< Require RADIUS message authenticator in requests.
+ bool limit_proxy_state; //!< Limit Proxy-State in requests
+
 char const *nas_type; //!< Type of client (arbitrary).
 char const *login; //!< Username to use for simultaneous use checks.
diff --git a/src/main/client.c b/src/main/client.c
index 6f6b46cb47..bbc4613412 100644
--- a/src/main/client.c
+++ b/src/main/client.c
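Review bot: The Doxygen comment on the new field, `//!< Limit Proxy-State in requests`, says neither where its default comes from nor which clients it is meant for, which matters because this is the per-client switch that can weaken the global setting. The clients.conf text added in this same commit says the flag exists only for legacy clients that omit Message-Authenticator, and client.c seeds it from `main_config.limit_proxy_state`, so the header can state that: `bool limit_proxy_state; //!< Limit Proxy-State in requests; defaults from main_config.limit_proxy_state, "no" only for legacy clients that omit Message-Authenticator.` The struct radclient definition continues outside the hunk.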
@@ -328,7 +328,8 @@ check_list:
 (old->coa_home_server == client->coa_home_server) &&
 (old->coa_home_pool == client->coa_home_pool) &&
 #endif
- (old->require_ma == client->require_ma)) {
+ (old->require_ma == client->require_ma) &&
+ (old->limit_proxy_state == client->limit_proxy_state)) {
 WARN("Ignoring duplicate client %s", client->longname);
 client_free(client);
 return true;
@@ -513,6 +514,7 @@ static const CONF_PARSER client_config[] = {
 { "src_ipaddr", FR_CONF_POINTER(PW_TYPE_STRING, &cl_srcipaddr), NULL },
 { "require_message_authenticator", FR_CONF_OFFSET(PW_TYPE_BOOLEAN | PW_TYPE_IGNORE_DEFAULT, RADCLIENT, require_ma), NULL },
+ { "limit_proxy_state", FR_CONF_OFFSET(PW_TYPE_BOOLEAN | PW_TYPE_IGNORE_DEFAULT, RADCLIENT, limit_proxy_state), NULL },
 { "secret", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_SECRET, RADCLIENT, secret), NULL },
 { "shortname", FR_CONF_OFFSET(PW_TYPE_STRING, RADCLIENT, shortname), NULL },
@@ -903,11 +905,13 @@ RADCLIENT *client_afrom_cs(TALLOC_CTX *ctx, CONF_SECTION *cs, bool in_server, bo
 c->cs = cs;
 /*
- * Set the "require message authenticator" flag from the
- * global default. If the configuration item exists, AND
- * is set, it will over-ride this flag.
+ * Set the "require message authenticator" and "limit
+ * proxy state" flags from the global default. If the
+ * configuration item exists, AND is set, it will
+ * over-ride the flag.
 */
 c->require_ma = main_config.require_ma;
+ c->limit_proxy_state = main_config.limit_proxy_state;
 memset(&cl_ipaddr, 0, sizeof(cl_ipaddr));
 cl_netmask = 255;
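Review bot: A per-client `limit_proxy_state = no` silently downgrades the global default that the new `c->limit_proxy_state = main_config.limit_proxy_state;` line installs, and nothing in the hunk records that override. The clients.conf text in this same commit calls "no" a legacy-only value that is not recommended, so a one-line warning once the per-client section has been parsed would make such downgrades visible in the server log, e.g. `if (main_config.limit_proxy_state && !c->limit_proxy_state) WARN("Client %s overrides limit_proxy_state to \"no\"", c->longname);`. The per-client parse and the point where `c->longname` is filled in are outside this hunk, so the warning belongs after both; client_afrom_cs continues beyond the hunk in both directions.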