-require_message_authenticator:: Old-style clients do not send a
-`link:https://freeradius.org/rfc/rfc2869.html#Message-Authenticator[Message-Authenticator]` in an `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]`. https://tools.ietf.org/html/rfc5080[RFC 5080] suggests
-that all clients *should* include it in an Access-Request. The
-configuration item below allows the server to require it. If a
-client is required to include a `link:https://freeradius.org/rfc/rfc2869.html#Message-Authenticator[Message-Authenticator]` and it
-does not, then the packet will be silently discarded.
+require_message_authenticator::Require Message-Authenticator in Access-Requests.
-Allowed values: yes, no
+https://tools.ietf.org/html/rfc5080[RFC 5080] suggests that all clients *should* include it in an
+Access-Request. The configuration item below allows the server
+to require it. If a client is required to include a `link:https://freeradius.org/rfc/rfc2869.html#Message-Authenticator[Message-Authenticator]`
+and it does not, then the packet will be silently discarded.
+
+If value is auto, then if any packet received from the client
+contains a valid Message-Authenticator attribute, then the server
+will require it from all future packets from that client.
+
+NOTE: This setting overrides the identically named config item in the
+radius listener.
+
+Allowed values: yes, no, auto
+
+The default is "no".
+
+
+
+limit_proxy_state:: Control whether Proxy-State is allowed in
+packets from this client which do not have a Message-Authenticator.
+
+The blastradius prefix attack allows an attacker to manipulate
+the contents of response packets without knowing the shared secret.
+
+The attack relies on controlling a portion of the data sent back
+in the response by the RADIUS server. As Proxy-State is always
+echoed back verbatim from the request, it can be leveraged to
+manipulate the data sent back from the server and facilitate the
+attack.
+
+The attack also relies on defficiencies in the original RADIUS
+standards that provided no integrity protection for Access-Requests.
+
+The attack is mitigated by requiring the Message-Authenticator,
+which contains a HMAC over the entire request, preventing
+modification of the request by the attacker.
+
+If value is auto, and the first packet received from the client
+does not contain a Proxy-State attribute, Proxy-State will be
+disallowed in any future packets which do not contain a
+Message-Authenticator.
+
+This provides some level of protection against the blastradius
+attack, without requiring Message-Authenticator, or breaking existing
+deployments.
+
+NOTE: This setting overrides the identically named config item in the
+radius listener.
+
+Allowed values: yes, no, auto
+
+The default is "auto".
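Review bot: the term line `require_message_authenticator::Require Message-Authenticator in Access-Requests.` is missing the space after `::`, so AsciiDoc will not render it as a definition-list entry (compare `limit_proxy_state:: Control ...` below). In the limit_proxy_state text, "defficiencies" should be "deficiencies" and "a HMAC" should be "an HMAC", and the three trailing blank lines before `limit_proxy_state::` can be collapsed to one. Since the text itself says the attack is mitigated by requiring the Message-Authenticator, it would help readers to state plainly that `limit_proxy_state` is only a fallback for clients that cannot send one, and that `require_message_authenticator = yes` remains the complete fix.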
# ipv6addr = ::
proto = *
secret = testing123
- require_message_authenticator = no
+ require_message_authenticator = auto
+ limit_proxy_state = auto
# shortname = localhost
limit {
max_connections = 16
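Review bot: the sample client now sets `require_message_authenticator = auto` and `limit_proxy_state = auto`, but the documentation above says the default for require_message_authenticator is "no"; a comment next to these lines explaining why the sample deviates from the default would help, because an administrator who copies a client definition without them gets no protection.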
#DEFINE My-Local-String string
#DEFINE My-Local-IPAddr ipaddr
#DEFINE My-Local-Integer integer
-#BEGIN-PROTOCOL RADIUS
-#$INCLUDE ${dictdir}/radius/alias/cisco.txt
-#END-PROTOCOL RADIUS
+BEGIN-PROTOCOL RADIUS
+$INCLUDE ${dictdir}/radius/alias/microsoft.txt
+END-PROTOCOL RADIUS
```
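Review bot: uncommenting `BEGIN-PROTOCOL RADIUS` / `$INCLUDE ${dictdir}/radius/alias/microsoft.txt` turns what was a commented example in a user-editable dictionary into an active include, so every install will now load the Microsoft alias dictionary. If that is intended, say so in a comment; if the intent was still to show an example, keep the leading `#` and change only the filename.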
instead possible to have a policy that delays the response.
TIP: The module can also be used to introduce artificial jitter into
-responses.
+responses by adding random delays.
+
+## xlat for delays
+
+The module also registers an xlat function for delays
+
+%delay(...)
+
+This function takes a time-delta argument (or data which is converted to a time-delta), and will delay the given number of seconds.
+
+.Example
+
+```
+%delay(0.2s)
+```
+
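Review bot: `%delay(...)` on its own line should be a code span or listing, and the `.Example` block has no language tag whereas the other examples in this patch use `[source,unlang]`; the sentence "The module also registers an xlat function for delays" is also missing its terminating period. It would be worth stating what happens when the argument cannot be converted to a time-delta (does the expansion fail, or delay zero?).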
[WARNING]
====
-Whatever you do, do NOT set 'Auth-Type := EAP'. The server is smart enough
+Whatever you do, do NOT set 'Auth-Type := ::EAP'. The server is smart enough
to figure this out on its own.
-The most common side effect of setting 'Auth-Type := EAP' is that the users
+The most common side effect of setting 'Auth-Type := ::EAP' is that the users
then cannot use ANY other authentication method.
====
|===
More information about the various sections can be found in the virtual server
-link:../../../../../../sites-available/tls.adoc[sites-available/tls].
+link:../../../../../../sites-available/tls-cache.adoc[sites-available/tls-cache].
auto_chain::
[NOTE]
====
- * Work-arounds for OpenSSL nonsense. OpenSSL 1.0.1f and 1.0.1g do
-not calculate the `EAP` keys correctly. The fix is to upgrade
-OpenSSL, or to disable TLS 1.2 here.
-
* SSLv2 and SSLv3 are permanently disabled due to security
issues.
Once authentication has completed, the TLS client may be
provided with a session ticket which it presents
-during the next authentication attempt.
+during the next authentication attemp.
Presenting a session ticket allows the client to skip the
majority of TLS tunnel setup during its next authentication
-include_length:: Whether we include a length field in the TLS header.
+include_length:: Whether we include a length fiel in the TLS header.
This has the same meaning, and overwrites, the same field in
the `tls` configuration, above. The default value here is
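Review bot: this hunk introduces two typos into previously correct text: "attempt" became "attemp" and "field" became "fiel". Revert both `-`/`+` pairs.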
auth_type = PAP
}
tls-config tls-common {
-# virtual_server = tls
+# virtual_server = tls-cache
# auto_chain = no
chain rsa {
# format = "PEM"
The content of this attribute is used to match the `name` of the entry.
+Note that unlike v4, the key does not have to be a string, but could instead
+be an IP address or netmask! For more information, see
+
+xref:raddb:mods-config/files/users.adoc[users]
+
filename:: The old `users` style file is now located here.
+match_attr:: List and attribute to populate with the `name` of the matched entry.
+
+Note: the attriubte type should be capable of holding data of the type
+used as key values.
+Particularly useful if matching IP addresses to subnets, since the populated
+value will be the subnet. In that case it is best to use 0.0.0.0/0 in place
+of DEFAULT for any catch-all entries.
+
+
+
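Review bot: "attriubte" should be "attribute", and `Note:` should use the `NOTE:` admonition form used elsewhere in this patch. "Note that unlike v4, the key does not have to be a string" reads oddly in documentation for this version; check whether "v3" was intended. The three blank lines before the `## An instance ...` heading can be one.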
## An instance of the `files` module for use in processing accounting packets
moddir = ${modconfdir}/${.:instance}
# key = "%{&Stripped-User-Name || &User-Name}"
filename = ${moddir}/authorize
+# match_attr = &control.User-Category
}
files files_accounting {
# key = "%{&Stripped-User-Name || &User-Name}"
is not known ahead of time (using a URL from an external source), and/or the CA used
to sign the IMAP server certificate is unknown.
+If not set, then whatever libcurl has as its default will be used, which typically
+will be the operating system's set of trusted CAs. This will be visible in the debug
+output when FreeRADIUS starts.
+
private_key_file:: PEM formatted file containing the private key for the specified `certificate_file`
----
ldap
if ((ok || updated) && &User-Password) {
- &control.Auth-Type := ldap
+ &control.Auth-Type := ::ldap
}
----
====
The rlm_ldap provides the below xlat's functions.
-### %ldap.uri.escape(...}
+### %ldap.uri.escape(...)
Escape a string for use in an LDAP filter or DN. The value will then be marked as safe for use
in LDAP URIs and DNs, and will not be escaped or modified.
"The LDAP url is ldap:///ou=profiles,dc=example,dc=com??sub?\28objectClass=radiusprofile\29"
```
-### %ldap.uri.safe(...}
+### %ldap.uri.safe(...)
Mark a string as safe for use in an LDAP filter or DN. Values marked as safe for use in LDAP
URIs will not be escaped or modified, and will be allowed in places where dynamic values are
"The LDAP url is ldap:///ou=profiles,dc=example,dc=com??sub?(objectClass=radiusprofile)"
```
+### %ldap.group(...)
+
+Check whether the current user is a member of a the given group. If the attribute
+`control.LDAP-UserDN` exists, that will be used as the "user" object. If it does
+not then the user is first looked up using the filter form the `user { }` section
+of the module configuration.
+
+Groups can be specified either as a name or a DN, with a lookup used if necessary
+to convert to the required format.
+
+.Return: _bool_
+
+.Example
+
+[source,unlang]
+---
+if (%ldap.group('cn=group1,ou=Groups,dc=example,dc=org')) {
+ ...
+}
+---
+
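Review bot: the `[source,unlang]` example for `%ldap.group` is delimited with `---` (three hyphens), which AsciiDoc does not treat as a listing delimiter; use `----`. Also "a member of a the given group" has a stray "a", and "filter form the" should be "filter from the". Since callers will branch on the result, the doc should say what the xlat returns when the user object cannot be found at all (false, or an expansion failure).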
== Default Configuration
+fsync::
+
+Synchronise data written with the file system after every
+write, returning fail when the operation fails.
+
+
+
The connection pool for TCP and Unix socket connections.
permissions = 0600
# group = ${security.group}
escape_filenames = no
+ fsync = no
}
pool {
start = 0
# use_open_directory = yes
# allow_retry = yes
# retry_msg = "Re-enter (or reset) the password"
- attributes {
+ Xattributes {
username = &User-Name
chap_challenge = &Vendor-Specific.Microsoft.CHAP-Challenge
chap_response = &Vendor-Specific.Microsoft.CHAP-Response
chap2_cpw = &Vendor-Specific.Microsoft.CHAP2-CPW
chap_nt_enc_pw = &Vendor-Specific.Microsoft.CHAP-NT-Enc-PW
}
-# attributes {
-# username = &User-Name
-# chap_challenge = &MS-CHAP-Challenge
-# chap_response = &MS-CHAP-Response
-# chap2_response = &MS-CHAP2-Response
-# chap2_success = &Data
-# chap_error = &Server-Message
-# }
+ attributes {
+ username = &User-Name
+ chap_challenge = &MS-CHAP-Challenge
+ chap_response = &MS-CHAP-Response
+ chap2_response = &MS-CHAP2-Response
+ chap2_success = &MS-CHAP2-Success
+ chap_error = &MS-CHAP-Error
+ }
}
```
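Review bot: renaming the first section to `Xattributes { ... }` looks like a local workaround to avoid two sections with the same name rather than intended configuration; either delete the Vendor-Specific form or keep it commented out with an explanation, as the previous version did for the alternative block. The new mappings `chap2_success = &MS-CHAP2-Success` and `chap_error = &MS-CHAP-Error` do look correct compared with the old `&Data` and `&Server-Message`.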
+Control which attribute lists are replaced following calls to
+the module.
+The default is to not replace attribute lists. Only enable
+replacement where it is specifically required.
+
+
+
config { ... }::
You can define configuration items (and nested sub-sections) in perl `config { ... }`
# func_post_proxy = post_proxy
# func_post_auth = post_auth
# func_detach = detach
+ replace {
+# request = no
+# reply = no
+# control = no
+# session = no
+ }
# config {
# name = "value"
# sub-config {
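Review bot: the `replace { ... }` documentation block has no `::` term line in this hunk, unlike `config { ... }::` immediately after it; if the term is not present in surrounding context, add `replace { ... }::` so it renders as a definition. It would also help to say what "replaced" means in practice (the list is overwritten with what the Perl function returns rather than merged), since the failure mode is silently dropping attributes from `control` or `reply`.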
including Proxy-State may confuse the receiving NAS.
+require_message_authenticator::Require Message-Authenticator
+in responses.
+
+Including a Message-Authenticator attribute first in response
+packet, mitigates against the blastradius prefix attack.
+
+If value is auto, then if any packet received from the client
+contains a valid Message-Authenticator attribute, then the server
+will require it from all future packets from that client.
+
+Allowed values: yes, no, auto
+
+The default is "no".
+
+
+
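Review bot: the paragraph "If value is auto, then if any packet received from the client ..." has been pasted from the clients.conf text and does not fit this module, where the peer is a home server and the packets in question are responses; reword it in terms of responses received from the home server. Also "Including a Message-Authenticator attribute first in response packet, mitigates" has a stray comma and should read "response packets", and the term line is missing the space after `::`.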
status_check { ... }:: For "are you alive?" queries.
If the home server does not respond to proxied packets, the
-requests { ... }:: Per-request configuration.
+request { ... }:: Per-request configuration.
per_connection_max:: The maximum number of requests
# replicate = no
# synchronous = no
# originate = no
+ require_message_authenticator = auto
status_check {
type = Status-Server
# update request {
connection_timeout = 3.0
reconnect_delay = 5
}
- requests {
+ request {
per_connection_max = 255
per_connection_target = 255
free_delay = 10
are polymorphic, meaning `xlats`, attribute references, literal values
and execs may be specified.
-For example `pool_nam` could be `pool_name = 'my_test_pool'` if only a
+For example `pool_name` could be `pool_name = 'my_test_pool'` if only a
single pool were being used.
is not known ahead of time (using a URL from an external source), and/or the CA used
to sign the HTTPS server certificate is unknown.
+If not set, then whatever libcurl has as its default will be used, which typically
+will be the operating system's set of trusted CAs. This will be visible in the debug
+output when FreeRADIUS starts.
+
certificate_file:: PEM formatted file containing the certificate we present to the HTTPS server
+keylog_file:: Write out session keys in SSLKEYLOGFILE format
+
+The SSLKEYLOGFILE format is specified here https://www.ietf.org/archive/id/draft-thomson-tls-keylogfile-00.html.
+
+The contents of the keylog file allows wireshark captures to be decrypted for debugging purposes.
+
+Note:: keylog_file is not expanded at runtime.
+
+
+
connect_uri:: Base URI used to avoid repetition in sections below.
may be specified with `body`. Will be expanded.
Values from expansion will not be escaped, this should be
done using the appropriate `xlat` method e.g.
- `%url.quote(<attr>)`
+ `%urlquote(<attr>)`
| `auth` | HTTP auth method to use, one of 'none', 'srp', 'basic', | yes
'digest', 'digest-ie', 'gss-negotiate', 'ntlm',
'ntlm-winbind', 'any', 'safe'. defaults to _'none'_.
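Review bot: `Note:: keylog_file is not expanded at runtime.` uses a double colon, which makes "Note" a definition-list term; use `NOTE:`. Because the keylog file contains TLS session secrets, the doc should also say it is for debugging only and should be written with restrictive permissions. Separately, the change from `%url.quote(<attr>)` to `%urlquote(<attr>)` goes against the dotted xlat names used elsewhere in this patch (`%ldap.uri.escape`); confirm that `%urlquote` is the registered name.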
### Authorize { ... }
+Default action when called in `recv` sections except `recv Accounting-Request`.
+
[options="header,autowidth"]
|===
| Code | Meaning | Process body? | Module code
### Authenticate { ... }
-Same as `Authorize { ... }`
+Default action when called in `authenticate` sections.
+
+Return codes handled the same as `Authorize { ... }`
### Accounting { ... }
+Default action when called in `recv Accounting-Request` or `accounting` sections.
+
[options="header,autowidth"]
|===
| Code | Meaning | Process body? | Module code
### Post-Auth { ... }
-Same as `Accounting { ... }`
+Default action when called in `send` sections.
+
+Return codes handled the same as `Accounting { ... }`
# check_cert = no
# check_cert_cn = no
# extract_cert_attrs = no
+# keylog_file = '/path/to/keylog_file'
}
connect_uri = "http://127.0.0.1:9090/"
# connect_proxy = "socks://127.0.0.1"
tls = ${..tls}
}
authorize {
- uri = "${...connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?section=authorize"
- method = 'GET'
+ request {
+ uri = "${...connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?section=authorize"
+ method = 'GET'
+ }
tls = ${..tls}
}
authenticate {
- uri = "${...connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?section=authenticate"
- method = 'GET'
+ request {
+ uri = "${...connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?section=authenticate"
+ method = 'GET'
+ }
tls = ${..tls}
}
accounting {
- uri = "${...connect_uri}/user/%{User-Name}/sessions/%{Acct-Unique-Session-ID}"
- method = 'POST'
+ request {
+ uri = "${...connect_uri}/user/%{User-Name}/sessions/%{Acct-Unique-Session-ID}"
+ method = 'POST'
+ }
tls = ${..tls}
}
post-auth {
- uri = "${...connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=post-auth"
- method = 'POST'
+ request {
+ uri = "${...connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=post-auth"
+ method = 'POST'
+ }
tls = ${..tls}
}
connection {
is not known ahead of time (using a URL from an external source), and/or the CA used
to sign the SMTP server certificate is unknown.
+If not set, then whatever libcurl has as its default will be used, which typically
+will be the operating system's set of trusted CAs. This will be visible in the debug
+output when FreeRADIUS starts.
+
private_key_file:: PEM formatted file containing the private key for the specified `certificate_file`
Allowed dialects are:
* cassandra
+ * firebird
* mysql
* mssql
* oracle
|===
| Driver | Dialect
| db2 | mssql
-| firebird | mssql
| freetds | mssql
| null | any
| unixodbc | mssql
-query_timeout:: Set the maximum query duration for `mysql` and `cassandra`.
+query_timeout:: Set the maximum query duration for `cassandra` and `unixodbc`
sql {
dialect = "sqlite"
driver = "${dialect}"
- $-INCLUDE ${modconfdir}/sql/driver/${dialect}
+ $-INCLUDE ${modconfdir}/sql/driver/${driver}
# server = "localhost"
# port = 3306
# login = "radius"
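Review bot: `firebird` is added as a dialect and removed from the driver-to-dialect table, and `$-INCLUDE` now keys on `${driver}`; with `driver = "${dialect}"` the result is unchanged, but the table should gain a `| firebird | firebird` row so the mapping stays complete. The rewritten `query_timeout` line also lost its terminating period.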
-requests { ... }:: Per-request configuration.
+request { ... }:: Per-request configuration.
per_connection_max:: The maximum number of requests
connection_timeout = 3.0
reconnect_delay = 5
}
- requests {
+ request {
per_connection_max = 255
per_connection_target = 255
free_delay = 10
== Default Configuration
```
-prefix = /usr/local
+prefix = /Users/alandekok/git/wrapper//install
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
reverse_lookups = no
hostname_lookups = yes
log {
- destination = files
+ destination = file
colourise = yes
# timestamp = no
file = ${logdir}/radius.log
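Review bot: `prefix = /Users/alandekok/git/wrapper//install` is a developer's local build path leaking into the rendered default configuration; the doc should keep `/usr/local` (or the packaging default), and the generator should not capture the build prefix. `destination = file` in place of `files` is a real fix only if the log code accepts `file`; confirm before merging.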
== Default Configuration
```
-prefix = /usr/local
+prefix = /Users/alandekok/git/wrapper//install
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
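Review bot: same problem as the previous hunk: the local `/Users/alandekok/...` prefix should not appear in the rendered default configuration.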
-.Please see the link:../mods-available/expiration.adoc[mods-available/expiration] for full documentation.
+.Please see the link:../../../../../../mods-available/expiration.adoc[mods-available/expiration] for full documentation.
}
recv Access-Request {
if (!&State) {
- &control.Auth-Type := Step1
+ &control.Auth-Type := ::Step1
&control.Password.Cleartext := "hello"
}
else {
- &control.Auth-Type := Step2
+ &control.Auth-Type := ::Step2
&control.Password.Cleartext := &session-state.challenge-string
}
}
Authorize - this is the only section required.
-To accept the access request, set Auth-Type = Accept, otherwise
+To accept the access request, set Auth-Type = ::Accept, otherwise
set it to Reject.
```
server check-eap-tls {
recv Access-Request {
- &control.Auth-Type := Accept
+ &control.Auth-Type := ::Accept
# if ("%{session-state.TLS-Client-Cert-Common-Name}" == 'client.example.com') {
-# &control.Auth-Type := Accept
+# &control.Auth-Type := ::Accept
# }
# else {
-# &control.Auth-Type := Reject
+# &control.Auth-Type := ::Reject
# &reply.Reply-Message := "Your certificate is not valid."
# }
# if (&User-Name == "host/%{session-state.TLS-Client-Cert-Common-Name}") {
-# &control.Auth-Type := Accept
+# &control.Auth-Type := ::Accept
# }
# else {
-# &control.Auth-Type := Reject
+# &control.Auth-Type := ::Reject
# }
# ldap
# if (!(Ldap-Group == "Permitted-Laptops")) {
-# &control.Auth-Type := Reject
+# &control.Auth-Type := ::Reject
# }
# files
auth_log
+require_message_authenticator::Require Message-Authenticator
+in Access-Requests.
+
+https://tools.ietf.org/html/rfc5080[RFC 5080] suggests that all clients *should* include it in an
+Access-Request. The configuration item below allows the server
+to require it. If a client is required to include a `link:https://freeradius.org/rfc/rfc2869.html#Message-Authenticator[Message-Authenticator]`
+and it does not, then the packet will be silently discarded.
+
+If value is auto, then if any packet received from the client
+contains a valid Message-Authenticator attribute, then the server
+will require it from all future packets from that client.
+
+Allowed values: yes, no, auto
+
+The default is "no".
+
+
+
+limit_proxy_state:: Control whether Proxy-State is allowed in
+packets from this client which do not have a Message-Authenticator.
+
+The blastradius prefix attack allows an attacker to manipulate
+the contents of response packets without knowing the shared secret.
+
+The attack relies on controlling a portion of the data sent back
+in the response by the RADIUS server. As Proxy-State is always
+echoed back verbatim from the request, it can be leveraged to
+manipulate the data sent back from the server and facilitate the
+attack.
+
+The attack also relies on defficiencies in the original RADIUS
+standards that provided no integrity protection for Access-Requests.
+
+The attack is mitigated by requiring the Message-Authenticator,
+which contains a HMAC over the entire request, preventing
+modification of the request by the attacker.
+
+If value is auto, and the first packet received from the client
+does not contain a Proxy-State attribute, Proxy-State will be
+disallowed in any future packets which do not contain a
+Message-Authenticator.
+
+This provides some level of protection against the blastradius
+attack, without requiring Message-Authenticator, or breaking
+existing deployments.
+
+Allowed values: yes, no, auto
+
+The default is "auto".
+
+
+
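Review bot: same wording problems as the clients.conf copy of this text: missing space after `require_message_authenticator::`, "defficiencies", "a HMAC", and three trailing blank lines. Since the text is duplicated verbatim for the listener, consider an AsciiDoc include so the two copies cannot drift; they already differ in that this copy lacks the NOTE about overriding the listener setting.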
limit:: limits for this socket.
The `limit` section contains configuration items
-The `chap` module will set `Auth-Type := CHAP` if the
+The `chap` module will set `Auth-Type := ::CHAP` if the
packet contains a `link:https://freeradius.org/rfc/rfc2865.html#CHAP-Challenge[CHAP-Challenge]` attribute. The module
does this only if the `Auth-Type` attribute has not already
been set.
-The `mschap` module will set `Auth-Type := mschap` if the
+The `mschap` module will set `Auth-Type := ::mschap` if the
packet contains an `link:https://freeradius.org/rfc/rfc2548.html#MS-CHAP-Challenge[MS-CHAP-Challenge]` attribute. The
module does this only if the `Auth-Type` attribute has not
already been set.
-The `pap` module will set `Auth-Type := PAP` if the
+The `pap` module will set `Auth-Type := ::PAP` if the
packet contains a `link:https://freeradius.org/rfc/rfc2865.html#User-Password[User-Password]` attribute. The module
does this only if the `Auth-Type` attribute has not already
been set.
authentication method will work, but all of the others will not.
The common reasons to set the `Auth-Type` attribute by hand are
-to forcibly reject the user (`Auth-Type := Reject`), to or
-forcibly accept the user (`Auth-Type := Accept`), or for
+to forcibly reject the user (`Auth-Type := ::Reject`), to or
+forcibly accept the user (`Auth-Type := ::Accept`), or for
proxying.
-Note that `Auth-Type := Accept` will NOT work with EAP. The EAP
+Note that `Auth-Type := ::Accept` will NOT work with EAP. The EAP
authentication protocol uses a series of handshake messages. All
of the messages must be exchanged correctly in order for EAP
authentication to succeed. Bypassing that process with `Auth-Type
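Review bot: "to forcibly reject the user (...), to or forcibly accept the user" keeps a pre-existing word-order typo; while these lines are being touched, make it "or to forcibly accept".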
If you need to have a State attribute, you can add it
here. e.g. for later CoA-Request with State, and
-Service-Type = Authorize-Only.
+Service-Type = ::Authorize-Only.
accounting type to use.
-
Merge Acct-[Input|Output]-Gigawords and
Acct-[Input-Output]-Octets into a single 64-bit
counter, Acct-[Input|Output]-Octets64.
-Session start times are *implied* in RADIUS. The NAS
-never sends a "start time". Instead, it sends a start
-packet, *possibly* with an Acct-Delay-Time. The server
-is supposed to conclude that the start time was
-"Acct-Delay-Time" seconds in the past.
-
-The unlang below creates an explicit start time, which
-can then be used in other modules. It will be *mostly*
-correct. Any errors are due to the 1-second resolution
-of RADIUS, and the possibility that the time on the NAS
-may be off.
-
-The start time is: NOW - delay - session_length
-
-
-
-The packet should have a timestamp. If not, use "now" from the server.
-
-
-
-
-
Ensure that we have a semi-unique identifier for every
request, as many NAS boxes are broken.
type = Access-Request
type = Status-Server
transport = udp
+ require_message_authenticator = auto
+ limit_proxy_state = auto
limit {
max_clients = 256
max_connections = 256
delay_reject
}
recv Accounting-Request {
- do_not_respond
- return
# acct_counters64
-# &request.FreeRADIUS-Acct-Session-Start-Time = "%{(&Event-Timestamp || %l) - &Acct-Session-Time - &Acct-Delay-Time}"
- if (!&Event-Timestamp) {
- &request.Event-Timestamp := %{%l() - &Acct-Delay-Time}
- } elsif (!&Acct-Delay-Time && &request.Event-Timestamp && (&request.Event-Timestamp < %l())) {
- &request.Acct-Delay-Time := %{%l() - &Event-Timestamp}
- }
acct_unique
files_accounting
}
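Review bot: removing `do_not_respond` and `return` from the start of `recv Accounting-Request` means accounting packets are now processed (acct_unique, files_accounting) and answered, where before they were dropped; that is a behaviour change and should be called out in the commit message. The removed explanation of implied session start times is useful context and nothing replaces it; if the start-time computation moved to the detail reader, point to it, otherwise keep the comment.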
The detail file reader runs the normal RADIUS / DHCP / etc. processing sections.
+If there's an Acct-Delay-Time, increase its value based on the
+difference between when the packet was written, and the current time.
+
+Note that we do NOT rely on any Event-Timestamp in the original packet,
+it could be wrong.
+
+
We handled the packet successfully. Run the "send ok" section.
}
}
recv Accounting-Request {
+ if (&Acct-Delay-Time) {
+ &Acct-Delay-Time += %l - &Packet-Original-Timestamp
+ }
if (!&Event-Timestamp) {
&Event-Timestamp := &Packet-Original-Timestamp
}
- if (&Event-Timestamp < %c) {
- &request.Acct-Delay-Time += %c - &Event-Timestamp
- }
ok
}
send Accounting-Response {
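Review bot: `%l` is used bare in `&Acct-Delay-Time += %l - &Packet-Original-Timestamp`, while the removed code used `%l()`; use one form consistently. The removed `if (&Event-Timestamp < %c)` guard is gone, and the new code adds the write-to-read delay whenever Acct-Delay-Time is present, which matches the new comment that Event-Timestamp is not trusted; a sentence saying what happens when Acct-Delay-Time is absent (it is left unset) would complete the explanation.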
server may still NAK legitimate responses from clients.
This is also the destination port when sending to a giaddr.
+The port to which server -> client messages should be sent.
+This should be 68 on a production network, though other ports
+can be useful for testing.
+
+If this is not set then server -> client replies will be sent
+to the source port of the client -> server request.
+
Interface name we are listening on. See comments above.
source IP address for unicast packets sent by the
src_ipaddr
ipaddr
- reply.Server-IP-Address
reply.Server-Identifier
udp {
ipaddr = 127.0.0.1
port = 6700
+ client_port = 68
# interface = lo0
# src_ipaddr = 127.0.0.1
broadcast = no
# ok
}
recv Request {
+ files_dhcp
&control.Server-Identifier = 192.0.2.1
if (&request.Server-Identifier && \
&request.Server-Identifier != &control.Server-Identifier) {
require_message_authenticator
+
shortname
nas_type
&control += {
&FreeRADIUS-Client-IP-Address = "%{Net.Src.IP}"
&FreeRADIUS-Client-Require-MA = no
+ &FreeRADIUS-Client-Limit-Proxy-State = "auto"
&FreeRADIUS-Client-Secret = "testing123"
&FreeRADIUS-Client-Shortname = "%{Net.Src.IP}"
&FreeRADIUS-Client-NAS-Type = "other"
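Review bot: the dynamic-client example still sets `&FreeRADIUS-Client-Require-MA = no` while adding `&FreeRADIUS-Client-Limit-Proxy-State = "auto"`; the static client example in this patch uses `require_message_authenticator = auto`, so the two examples should agree, otherwise dynamically defined clients get weaker defaults than static ones.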
-The chap module will set 'Auth-Type := CHAP' if we are
+The chap module will set 'Auth-Type := ::CHAP' if we are
handling a CHAP request and Auth-Type has not already been set
If the users are logging in with an MS-CHAP-Challenge
attribute for authentication, the mschap module will find
-the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
+the MS-CHAP-Challenge attribute, and add 'Auth-Type := ::MS-CHAP'
to the request, which will cause the server to then use
the mschap module for authentication.
This section lists which modules are available for authentication.
Note that it does NOT mean 'try each module in order'. It means
that a module from the 'authorize' section adds a configuration
-attribute 'Auth-Type := FOO'. That authentication type is then
+attribute 'Auth-Type := ::FOO'. That authentication type is then
used to pick the appropriate module from the list below.
Where the statistics file goes, in CSV format.
+One line will be written to the file for each
+second of the load generation run.
+
+Each line will contain the following columns:
+- time - since the test started running
+- last_packet - The last time we added a request
+ to the backlog.
+- rtt - Round Trip Time i.e. the average delay
+ between a request and response. This is a
+ moving average in nanoseconds.
+- rttvar - Round Trip Time variance. Moving
+ average of the range between the smallest RTT
+ and largest RTT. The value is in nanoseconds.
+- pps - Packets per second. The maximum packet
+ rate we're aiming for with this "step". The
+ load generator increases the load periodically
+ in "steps".
+- pps_accepted - Packets per second. Rate of
+ response packets received.
+- sent - How many packets have been generated
+ by the load generation module from the start of
+ the run.
+- received - How many packets received since the
+ start of the run.
+- backlog - How many requests are awaiting
+ responses.
+- backlog_max - The largest the backlog has been
+ since the start of the run.
+- <usec - Absolute counter. Responses received
+ in less that a microsecond since the start
+ of the run.
+- us - Responses received in >= 1us < 10us since
+ the start of the run.
+- 100us, ms, 10ms, 100ms, s are all similar
+ latency bins.
+- blocked - 1 = true, 0 = false. We're refusing
+ to enqueue more packets until we get responses
+ to the outstanding requests.
How many packets/s to start with.
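Review bot: "less that a microsecond" should be "less than"; the `<usec` column and the `us` bucket should be named consistently (for example `<1us`), and since rtt and rttvar are in nanoseconds while the latency bins are named by unit, a single line stating the units for all columns would avoid confusion.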
secret = adminsecret
}
recv Status-Server {
- status
+ stats
ok
}
}
+This section can be run to verify a client certificate if
+additional checks need to be performed beyond standard
+checks verification against a trust chain, CRLs and OCSP.
+
+Attributes extracted from the certificates forming the
+client certificate chain will be in the session state list.
+
+Returning 'ok', 'updated' or 'noop' will cause the verification
+to succeed. Other return codes will cause the verification
+to fail.
+
+
+
This section is run whenever the server needs to read an
entry from the TLS session cache.
# TLS-Client-Cert-Common-Name
# TLS-Client-Cert-Subject-Alt-Name-Email
server tls-cache {
- namespace = tls_cache
- load tls-session {
+ namespace = tls
+ verify certificate {
+ ok
+ }
+ load session {
&control.Cache-Allow-Insert := no
cache_tls_session
}
- store tls-session {
+ store session {
&control.Cache-TTL := 0
cache_tls_session
}
- clear tls-session {
+ clear session {
&control.Cache-TTL := 0
&control.Cache-Allow-Insert := no
cache_tls_session
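Review bot: the new `verify certificate { ok }` section always succeeds, which is fine as a default but should carry a comment saying that the trust chain, CRL and OCSP checks happen before this section and that any return other than ok/updated/noop rejects the certificate. "beyond standard checks verification against a trust chain" should read "beyond the standard verification against a trust chain". The namespace change from `tls_cache` to `tls` and the renaming of `load/store/clear tls-session` to `... session` break existing `tls-cache` virtual servers and should be noted as such.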