#
# Set CHAP-Password
#
-&CHAP-Password := %chap.password("%{CHAP-Password}")
+CHAP-Password := %chap.password("%{CHAP-Password}")
#
# over-ride password set in radiusd.conf
#
-&control.Password := {
- &Cleartext = 'oracle01'
+control.Password := {
+ Cleartext = 'oracle01'
}
#
# Set CHAP-Password
#
-&request.CHAP-Password := %chap.password("%{request.CHAP-Password}")
+request.CHAP-Password := %chap.password("%{request.CHAP-Password}")
-&control.Password.Cleartext := &User-Name
+control.Password.Cleartext := User-Name
-&control.Password.Cleartext := &User-Name
+control.Password.Cleartext := User-Name
-&control.Password.Cleartext := "zanzibar"
+control.Password.Cleartext := "zanzibar"
#
# over-ride password set in radiusd.conf
#
-&control -= &Password.Cleartext[*]
-&control.Password.With-Header := '{md5}5d41402abc4b2a76b9719d911017c592'
+control -= Password.Cleartext[*]
+control.Password.With-Header := '{md5}5d41402abc4b2a76b9719d911017c592'
#
# over-ride password set in radiusd.conf
#
-&control.Password := {
- &With-Header = '{clear}hello'
+control.Password := {
+ With-Header = '{clear}hello'
}
#
# over-ride password set in radiusd.conf
#
-&control.Password := {
- &With-Header = 'hello'
+control.Password := {
+ With-Header = 'hello'
}
}
recv Access-Request {
- &control.Password.Cleartext := 'hello'
+ control.Password.Cleartext := 'hello'
#
# Include the test file specified by the
}
recv Access-Request {
- &control.Auth-Type := ::accept
+ control.Auth-Type := ::accept
}
recv CoA-Request {
policy {
files.authorize {
- if (&User-Name == "bob") {
- &control.Password.Cleartext := "bob"
+ if (User-Name == "bob") {
+ control.Password.Cleartext := "bob"
}
}
$INCLUDE ${maindir}/policy.d/
}
recv Access-Request {
- if (&User-Name == "bob") {
+ if (User-Name == "bob") {
#
# Digest-* tests have a password of "zanzibar"
# Or, a hashed version thereof.
#
if (&Digest-Response) {
- if (&Vendor-Specific.Test.Test-Number == "1") {
- &control.Password.Cleartext := "zanzibar"
+ if (Vendor-Specific.Test.Test-Number == "1") {
+ control.Password.Cleartext := "zanzibar"
}
- elsif (&Vendor-Specific.Test.Test-Number == "2") {
- &control.Digest-Attributes.HA1 := '12af60467a33e8518da5c68bbff12b11'
+ elsif (Vendor-Specific.Test.Test-Number == "2") {
+ control.Digest-Attributes.HA1 := '12af60467a33e8518da5c68bbff12b11'
}
}
else {
- &control.Password.Cleartext := "bob"
+ control.Password.Cleartext := "bob"
}
}
- if (&User-Name =~ /^(.*)@test\.example\.com$/) {
- &Stripped-User-Name := "%{1}"
- &control.Password.Cleartext := "bob"
+ if (User-Name =~ /^(.*)@test\.example\.com$/) {
+ Stripped-User-Name := "%{1}"
+ control.Password.Cleartext := "bob"
}
chap
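Review bot: `if (&Digest-Response) {` keeps the old `&` prefix as an unchanged context line, while every other reference in this `recv Access-Request` block was converted, so the file now mixes both spellings; I would change it to `if (Digest-Response) {`. The same leftover shows up in later hunks, at `&26.1234.56 = 0xdeadbeef` inside `reply += { … }` and at `if (&LDAP-Sync.Entry-DN =~ …)`. The numeric `26.1234.56` form may need the prefix to be parsed as an attribute rather than a number, so check that one against the parser before touching it. Hunk headers are not visible on this page, so I cannot tell whether these lines were skipped deliberately.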
# update <section> { ... }::
#
update {
- &session-state.Session-Data := &session-state.Session-Data
- &session-state.Encr-Data.Counter := &session-state.Encr-Data.Counter
+ session-state.Session-Data := session-state.Session-Data
+ session-state.Encr-Data.Counter := session-state.Encr-Data.Counter
}
}
}
recv Identity-Response {
-# %debug_attr(&session-state.)
- if (!&session-state.Stripped-User-Name) {
- &reply.Any-ID-Req := yes
- &session-state.Stripped-User-Name := yes
+# %debug_attr(session-state.)
+ if (!session-state.Stripped-User-Name) {
+ reply.Any-ID-Req := yes
+ session-state.Stripped-User-Name := yes
}
ok
}
}
send Challenge-Request {
- &control.SIM-Ki := 0x465b5ce8b199b49faa5f0a2ee238a6bc
- &control.SIM-Opc := 0xcd63cb71954a9f4e48a5994e37a02baf
- &control.SIM-SQN := 3
+ control.SIM-Ki := 0x465b5ce8b199b49faa5f0a2ee238a6bc
+ control.SIM-Opc := 0xcd63cb71954a9f4e48a5994e37a02baf
+ control.SIM-SQN := 3
- &reply.Encr-Data.Next-Reauth-Id := ""
- &reply.Encr-Data.Next-Pseudonym := ""
+ reply.Encr-Data.Next-Reauth-Id := ""
+ reply.Encr-Data.Next-Pseudonym := ""
}
send Reauthentication-Request {
- &reply.Encr-Data.Next-Reauth-Id := ""
- &reply.Encr-Data.Next-Pseudonym := ""
+ reply.Encr-Data.Next-Reauth-Id := ""
+ reply.Encr-Data.Next-Pseudonym := ""
ok
}
# update <section> { ... }::
#
update {
- &session-state.Session-Data := &session-state.Session-Data
- &session-state.Encr-Data.Counter := &session-state.Encr-Data.Counter
+ session-state.Session-Data := session-state.Session-Data
+ session-state.Encr-Data.Counter := session-state.Encr-Data.Counter
}
}
}
recv Identity-Response {
-# %debug_attr(&session-state.)
- if (!&session-state.Stripped-User-Name) {
- &reply.Any-ID-Req := yes
- &session-state.Stripped-User-Name := yes
+# %debug_attr(session-state.)
+ if (!session-state.Stripped-User-Name) {
+ reply.Any-ID-Req := yes
+ session-state.Stripped-User-Name := yes
}
ok
}
}
send Challenge-Request {
- &control.SIM-Ki := 0x465b5ce8b199b49faa5f0a2ee238a6bc
- &control.SIM-Opc := 0xcd63cb71954a9f4e48a5994e37a02baf
- &control.SIM-SQN := 3
+ control.SIM-Ki := 0x465b5ce8b199b49faa5f0a2ee238a6bc
+ control.SIM-Opc := 0xcd63cb71954a9f4e48a5994e37a02baf
+ control.SIM-SQN := 3
- &reply.Encr-Data.Next-Reauth-Id := ""
- &reply.Encr-Data.Next-Pseudonym := ""
+ reply.Encr-Data.Next-Reauth-Id := ""
+ reply.Encr-Data.Next-Pseudonym := ""
}
send Reauthentication-Request {
- &reply.Encr-Data.Next-Reauth-Id := ""
- &reply.Encr-Data.Next-Pseudonym := ""
+ reply.Encr-Data.Next-Reauth-Id := ""
+ reply.Encr-Data.Next-Pseudonym := ""
ok
}
filter_inner_identity
split_username_nai
- &control.Password.Cleartext := &Stripped-User-Name
+ control.Password.Cleartext := Stripped-User-Name
chap
mschap
filter_inner_identity
split_username_nai
- &control.Password.Cleartext := &Stripped-User-Name
+ control.Password.Cleartext := Stripped-User-Name
chap
mschap
policy {
files {
split_username_nai
- if (&Stripped-User-Name == "bob") {
- &control.Password.Cleartext := "bob"
+ if (Stripped-User-Name == "bob") {
+ control.Password.Cleartext := "bob"
}
}
}
recv Access-Request {
- if (&User-Name =~ /with.*client.*cert/) {
- &control.EAP-TLS-Require-Client-Cert := yes
+ if (User-Name =~ /with.*client.*cert/) {
+ control.EAP-TLS-Require-Client-Cert := yes
}
files
eap
- &reply += {
- &NAS-Port = 12345
- &Reply-Message = "Powered by FreeRADIUS"
+ reply += {
+ NAS-Port = 12345
+ Reply-Message = "Powered by FreeRADIUS"
&26.1234.56 = 0xdeadbeef
- &Vendor-Specific.20.30 = 0xcafecafe
- &Vendor-Specific.20.30 = 0xcadecade
+ Vendor-Specific.20.30 = 0xcafecafe
+ Vendor-Specific.20.30 = 0xcadecade
- &Vendor-Specific.Alcatel.FR-Direct-Profile = "Alcatel Profile"
- &Vendor-Specific.Alcatel.Home-Agent-UDP-Port = 4130
+ Vendor-Specific.Alcatel.FR-Direct-Profile = "Alcatel Profile"
+ Vendor-Specific.Alcatel.Home-Agent-UDP-Port = 4130
}
}
# update <section> { ... }::
#
update {
- &session-state.Session-Data := &session-state.Session-Data
- &session-state.Encr-Data.Counter := &session-state.Encr-Data.Counter
+ session-state.Session-Data := session-state.Session-Data
+ session-state.Encr-Data.Counter := session-state.Encr-Data.Counter
}
}
namespace = eap-sim
recv Identity-Response {
-# %debug_attr(&session-state.)
- if (!&session-state.Stripped-User-Name) {
- &reply.Any-ID-Req := yes
- &session-state.Stripped-User-Name := yes
+# %debug_attr(session-state.)
+ if (!session-state.Stripped-User-Name) {
+ reply.Any-ID-Req := yes
+ session-state.Stripped-User-Name := yes
}
ok
}
}
send Challenge-Request {
- &control.SIM-Ki := 0x465b5ce8b199b49faa5f0a2ee238a6bc
- &control.SIM-Opc := 0xcd63cb71954a9f4e48a5994e37a02baf
- &control.SIM-SQN := 3
+ control.SIM-Ki := 0x465b5ce8b199b49faa5f0a2ee238a6bc
+ control.SIM-Opc := 0xcd63cb71954a9f4e48a5994e37a02baf
+ control.SIM-SQN := 3
- &reply.Encr-Data.Next-Reauth-Id := ""
- &reply.Encr-Data.Next-Pseudonym := ""
+ reply.Encr-Data.Next-Reauth-Id := ""
+ reply.Encr-Data.Next-Pseudonym := ""
ok
}
send Reauthentication-Request {
- &reply.Encr-Data.Next-Reauth-Id := ""
- &reply.Encr-Data.Next-Pseudonym := ""
+ reply.Encr-Data.Next-Reauth-Id := ""
+ reply.Encr-Data.Next-Pseudonym := ""
ok
}
#
# key:: The `cache` key.
#
- key = &Session-Id
+ key = Session-Id
#
# ttl:: TTL for `cache` entries.
# update <section> { ... }::
#
update {
- &reply.Session-Data := &Session-Data
+ reply.Session-Data := Session-Data
}
}
namespace = tls
load session {
- &control.Cache-Allow-Insert := no
+ control.Cache-Allow-Insert := no
cache_tls_session
}
}
clear session {
- &control.Cache-Allow-Insert := no
- &control.Cache-Allow-Merge := no
- &control.Cache-TTL := 0
+ control.Cache-Allow-Insert := no
+ control.Cache-Allow-Merge := no
+ control.Cache-TTL := 0
cache_tls_session
}
filter_inner_identity
split_username_nai
- &control.Password.Cleartext := &Stripped-User-Name
+ control.Password.Cleartext := Stripped-User-Name
chap
mschap
filter_inner_identity
split_username_nai
- &control.Password.Cleartext := &Stripped-User-Name
+ control.Password.Cleartext := Stripped-User-Name
chap
mschap
filter_inner_identity
split_username_nai
- &control.Password.Cleartext := &Stripped-User-Name
+ control.Password.Cleartext := Stripped-User-Name
chap
mschap
filter_inner_identity
split_username_nai
- &control.Password.Cleartext := &Stripped-User-Name
+ control.Password.Cleartext := Stripped-User-Name
chap
mschap
filter_inner_identity
split_username_nai
- &control.Password.Cleartext := &Stripped-User-Name
+ control.Password.Cleartext := Stripped-User-Name
chap
mschap
filter_inner_identity
split_username_nai
- &control.Password.Cleartext := &Stripped-User-Name
+ control.Password.Cleartext := Stripped-User-Name
chap
mschap
filter_inner_identity
split_username_nai
- &control.Password.Cleartext := &Stripped-User-Name
+ control.Password.Cleartext := Stripped-User-Name
chap
mschap
exec {
wait = yes
- input_pairs = &request
+ input_pairs = request
shell_escape = yes
env_inherit = no
timeout = 1
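Review bot: `input_pairs = request` hands the whole request list to the external program, which, as I understand the exec module, exports every request attribute to the child process, including `User-Password` when the request carries one. Nothing in the visible lines narrows that, so I would add a comment on the line, e.g. `# exports all request attributes to the program; use a narrower list if it does not need credentials`. `shell_escape = yes` and `env_inherit = no` are already the safer settings. The `exec { … }` block is not closed inside this hunk, so options outside the visible lines may change the picture.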
scope = 'sub'
update {
- &Proto.radius.User-Name = 'sAMAccountName'
- &SMB-Account-CTRL = 'userAccountControl'
+ Proto.radius.User-Name = 'sAMAccountName'
+ SMB-Account-CTRL = 'userAccountControl'
}
trigger {
sub = "one"
update {
- &Proto.radius.User-Name = 'sAMAccountName'
- &SMB-Account-CTRL = 'userAccountControl'
- &User-Category = 'isDeleted'
+ Proto.radius.User-Name = 'sAMAccountName'
+ SMB-Account-CTRL = 'userAccountControl'
+ User-Category = 'isDeleted'
}
}
}
# so we can check the output
#
if (&LDAP-Sync.Entry-DN =~ /(CN=.+:)[a-f0-9-]+(,CN=Deleted Objects,DC=example,DC=com)/) {
- &request.LDAP-Sync.Entry-DN := "%{1}oldid%{2}"
+ request.LDAP-Sync.Entry-DN := "%{1}oldid%{2}"
}
linelog
}
policy {
linelogprep {
- if (&LDAP-Sync.DN == 'ou=people,dc=example,dc=com') {
- &control.LDAP-Sync.DN := 'people'
+ if (LDAP-Sync.DN == 'ou=people,dc=example,dc=com') {
+ control.LDAP-Sync.DN := 'people'
} else {
- &control.LDAP-Sync.DN := 'group'
+ control.LDAP-Sync.DN := 'group'
}
- &Linelog-Entry := "%{Packet-Type} %{LDAP-Sync.DN} %{LDAP-Sync.Entry-DN} %{LDAP-Sync.Original-DN} %{Proto.radius.User-Name}"
+ Linelog-Entry := "%{Packet-Type} %{LDAP-Sync.DN} %{LDAP-Sync.Entry-DN} %{LDAP-Sync.Original-DN} %{Proto.radius.User-Name}"
}
grouplog {
foreach name (Stripped-User-Name[*]) {
- &Linelog-Entry := "Group member %{name}"
+ Linelog-Entry := "Group member %{name}"
linelog
}
}
modules {
linelog {
- format = &Linelog-Entry
+ format = Linelog-Entry
destination = file
file {
scope = 'sub'
update {
- &Proto.radius.User-Name = 'uid'
- &Password.With-Header = 'userPassword'
+ Proto.radius.User-Name = 'uid'
+ Password.With-Header = 'userPassword'
}
trigger {
scope = "sub"
update {
- &Stripped-User-Name += "member"
- &User-Category = 'cn'
+ Stripped-User-Name += "member"
+ User-Category = 'cn'
}
}
}
policy {
linelogprep {
- if (&LDAP-Sync.DN == 'ou=people,dc=example,dc=com') {
- &control.LDAP-Sync.DN := 'people'
+ if (LDAP-Sync.DN == 'ou=people,dc=example,dc=com') {
+ control.LDAP-Sync.DN := 'people'
} else {
- &control.LDAP-Sync.DN := 'group'
+ control.LDAP-Sync.DN := 'group'
}
- &Linelog-Entry := "%{Packet-Type} %{LDAP-Sync.DN} %{LDAP-Sync.Entry-DN} %{Proto.radius.User-Name}"
+ Linelog-Entry := "%{Packet-Type} %{LDAP-Sync.DN} %{LDAP-Sync.Entry-DN} %{Proto.radius.User-Name}"
}
grouplog {
foreach name (Stripped-User-Name[*]) {
- &Linelog-Entry := "Group member %{name}"
+ Linelog-Entry := "Group member %{name}"
linelog
}
}
}
linelog {
- format = &Linelog-Entry
+ format = Linelog-Entry
destination = file
file {
filter = "(objectClass=posixAccount)"
update {
- &Proto.radius.User-Name = 'uid'
- &Password.With-Header = 'userPassword'
+ Proto.radius.User-Name = 'uid'
+ Password.With-Header = 'userPassword'
}
trigger {
scope = "sub"
update {
- &Stripped-User-Name += "member"
- &User-Category = 'cn'
+ Stripped-User-Name += "member"
+ User-Category = 'cn'
}
}
}
load Cookie {
string csn
- &csn := %concat(%ldap("ldap:///%ldap.uri.safe(%{LDAP-Sync.Directory-Root-DN})?contextCSN?base"), ';')
- &reply.LDAP-Sync.Cookie := "rid=000,csn=%{csn}"
+ csn := %concat(%ldap("ldap:///%ldap.uri.safe(%{LDAP-Sync.Directory-Root-DN})?contextCSN?base"), ';')
+ reply.LDAP-Sync.Cookie := "rid=000,csn=%{csn}"
}
store Cookie {
- &Linelog-Entry := &LDAP-Sync.Cookie
+ Linelog-Entry := LDAP-Sync.Cookie
cookielog
}
update request {
- &Filter-Id[*] := "filter"
- &User-Name[*] := "blah"
+ Filter-Id[*] := "filter"
+ User-Name[*] := "blah"
- &reply.Filter-Id[*] += &request.Filter-Id[*]
+ reply.Filter-Id[*] += request.Filter-Id[*]
}
# This should be an xlat, not a direct assignment
#
update request {
- &NAS-Port := &Filter-Id[#] # ERROR
+ NAS-Port := Filter-Id[#] # ERROR
}
# Updating lists isn't allowed
#
update {
- &request.Filter-Id := &Filter-Id[#] # ERROR
+ request.Filter-Id := Filter-Id[#] # ERROR
}
secret = testing123
}
recv Access-Request {
- &control.Auth-Type := ::Accept
+ control.Auth-Type := ::Accept
}
send Access-Accept {
}
}
recv Access-Request {
- &control.Auth-Type := ::proxy
+ control.Auth-Type := ::proxy
}
authenticate proxy {
radius_auth
}
recv Accounting-Request {
- if (!&Event-Timestamp) {
- &Event-Timestamp = "%l" # only sets it if there's no Event-Timestamp
+ if (!Event-Timestamp) {
+ Event-Timestamp = "%l" # only sets it if there's no Event-Timestamp
}
radius_acct
}
subrequest DHCPv4.Request {
# Client -> Server
- &request += {
- &Message-Type = Request
+ request += {
+ Message-Type = Request
- &Hardware-Type = Ethernet
- &Hardware-Address-Length = 6
- &Hop-Count = 0
- &Transaction-Id = 15646
- &Number-of-Seconds = 0
- &Flags = 0
+ Hardware-Type = Ethernet
+ Hardware-Address-Length = 6
+ Hop-Count = 0
+ Transaction-Id = 15646
+ Number-of-Seconds = 0
+ Flags = 0
- &Client-IP-Address = 0.0.0.0
- &Your-IP-Address = 0.0.0.0
- &Server-IP-Address = 0.0.0.0
- &Gateway-IP-Address = 0.0.0.0
- &Client-Hardware-Address = ca:fe:ca:fe:ca:fe
- &Client-Identifier = 0x01020304050607
- &Requested-IP-Address = 192.168.0.10
+ Client-IP-Address = 0.0.0.0
+ Your-IP-Address = 0.0.0.0
+ Server-IP-Address = 0.0.0.0
+ Gateway-IP-Address = 0.0.0.0
+ Client-Hardware-Address = ca:fe:ca:fe:ca:fe
+ Client-Identifier = 0x01020304050607
+ Requested-IP-Address = 192.168.0.10
- &Server-Identifier = 192.168.0.1
- &Parameter-Request-List = Subnet-Mask
- &Parameter-Request-List = Router-Address
- &Parameter-Request-List = Domain-Name
- &Parameter-Request-List = Domain-Name-Server
- &Parameter-Request-List = NTP-Servers
- &Network-Subnet = 0.0.0.0/32
+ Server-Identifier = 192.168.0.1
+ Parameter-Request-List = Subnet-Mask
+ Parameter-Request-List = Router-Address
+ Parameter-Request-List = Domain-Name
+ Parameter-Request-List = Domain-Name-Server
+ Parameter-Request-List = NTP-Servers
+ Network-Subnet = 0.0.0.0/32
}
call dhcpv4 {
# 'Discover' expects 'Ack'
- if (&reply.Packet-Type != Ack) {
+ if (reply.Packet-Type != Ack) {
test_fail
}
# We should reply the below attributes...
- if (!&reply.Transaction-Id) {
+ if (!reply.Transaction-Id) {
test_fail
}
- if (&reply.Subnet-Mask != "255.255.255.0") {
+ if (reply.Subnet-Mask != "255.255.255.0") {
test_fail
}
- if (&reply.Gateway-IP-Address != "0.0.0.0") {
+ if (reply.Gateway-IP-Address != "0.0.0.0") {
test_fail
}
}
subrequest DHCPv4.Discover {
# Server -> Client
- &request += {
- &Message-Type = Discover
-
- &Hardware-Type = Ethernet
- &Hardware-Address-Length = 6
- &Hop-Count = 0
- &Transaction-Id = 12345
- &Number-of-Seconds = 0
- &Flags = 0
-
- &Client-IP-Address = 0.0.0.0
- &Your-IP-Address = 0.0.0.0
- &Server-IP-Address = 0.0.0.0
- &Gateway-IP-Address = 0.0.0.0
- &Client-Hardware-Address = ca:fe:ca:fe:ca:fe
- &Client-Identifier = 0x01020304050607
- &Requested-IP-Address = 0.0.0.0
-
-
- &Parameter-Request-List = Subnet-Mask
- &Parameter-Request-List = Router-Address
- &Parameter-Request-List = Domain-Name
- &Parameter-Request-List = Domain-Name-Server
- &Parameter-Request-List = NTP-Servers
- &Network-Subnet = 0.0.0.0/32
+ request += {
+ Message-Type = Discover
+
+ Hardware-Type = Ethernet
+ Hardware-Address-Length = 6
+ Hop-Count = 0
+ Transaction-Id = 12345
+ Number-of-Seconds = 0
+ Flags = 0
+
+ Client-IP-Address = 0.0.0.0
+ Your-IP-Address = 0.0.0.0
+ Server-IP-Address = 0.0.0.0
+ Gateway-IP-Address = 0.0.0.0
+ Client-Hardware-Address = ca:fe:ca:fe:ca:fe
+ Client-Identifier = 0x01020304050607
+ Requested-IP-Address = 0.0.0.0
+
+
+ Parameter-Request-List = Subnet-Mask
+ Parameter-Request-List = Router-Address
+ Parameter-Request-List = Domain-Name
+ Parameter-Request-List = Domain-Name-Server
+ Parameter-Request-List = NTP-Servers
+ Network-Subnet = 0.0.0.0/32
}
call dhcpv4 {
# 'Discover' expects 'Offer'
- if (&reply.Packet-Type != Offer) {
+ if (reply.Packet-Type != Offer) {
test_fail
}
# We should reply the below attributes...
- if (!&reply.Transaction-Id) {
+ if (!reply.Transaction-Id) {
test_fail
}
- if (&reply.Subnet-Mask != "255.255.255.0") {
+ if (reply.Subnet-Mask != "255.255.255.0") {
test_fail
}
- if (&reply.Gateway-IP-Address != "0.0.0.0") {
+ if (reply.Gateway-IP-Address != "0.0.0.0") {
test_fail
}
}
}
recv Discover {
- &reply += {
- &Hardware-Type = Ethernet
- &Hardware-Address-Length = 6
- &Hop-Count = 0
- &Transaction-Id = 15645
- &Number-of-Seconds = 0
- &Flags = 0
- &Client-IP-Address = 0.0.0.0
- &Your-IP-Address = 192.168.0.10
- &Server-IP-Address = 192.168.0.1
- &Gateway-IP-Address = 0.0.0.0
- &Client-Hardware-Address = ca:fe:ca:fe:ca:fe
- &Message-Type = Offer
- &Subnet-Mask = 255.255.255.0
- &Renewal-Time = 1800
- &Rebinding-Time = 3150
- &IP-Address-Lease-Time = 3600
- &Server-Identifier = 192.168.0.1
- &Network-Subnet = 0.0.0.0/32
- &Domain-Name = "lorisdoancapistao.com"
+ reply += {
+ Hardware-Type = Ethernet
+ Hardware-Address-Length = 6
+ Hop-Count = 0
+ Transaction-Id = 15645
+ Number-of-Seconds = 0
+ Flags = 0
+ Client-IP-Address = 0.0.0.0
+ Your-IP-Address = 192.168.0.10
+ Server-IP-Address = 192.168.0.1
+ Gateway-IP-Address = 0.0.0.0
+ Client-Hardware-Address = ca:fe:ca:fe:ca:fe
+ Message-Type = Offer
+ Subnet-Mask = 255.255.255.0
+ Renewal-Time = 1800
+ Rebinding-Time = 3150
+ IP-Address-Lease-Time = 3600
+ Server-Identifier = 192.168.0.1
+ Network-Subnet = 0.0.0.0/32
+ Domain-Name = "lorisdoancapistao.com"
}
ok
}
recv Request {
- &reply += {
- &Hardware-Type = Ethernet
- &Hardware-Address-Length = 6
- &Hop-Count = 0
- &Transaction-Id = 15646
- &Number-of-Seconds = 0
- &Flags = 0
- &Client-IP-Address = 0.0.0.0
- &Your-IP-Address = 192.168.0.10
- &Server-IP-Address = 0.0.0.0
- &Gateway-IP-Address = 0.0.0.0
- &Client-Hardware-Address = ca:fe:ca:fe:ca:fe
- &Message-Type = Ack
- &Renewal-Time = 1800
- &Rebinding-Time = 3150
- &IP-Address-Lease-Time = 3600
- &Server-Identifier = 192.168.0.1
- &Subnet-Mask = 255.255.255.0
- &Network-Subnet = 0.0.0.0/32
+ reply += {
+ Hardware-Type = Ethernet
+ Hardware-Address-Length = 6
+ Hop-Count = 0
+ Transaction-Id = 15646
+ Number-of-Seconds = 0
+ Flags = 0
+ Client-IP-Address = 0.0.0.0
+ Your-IP-Address = 192.168.0.10
+ Server-IP-Address = 0.0.0.0
+ Gateway-IP-Address = 0.0.0.0
+ Client-Hardware-Address = ca:fe:ca:fe:ca:fe
+ Message-Type = Ack
+ Renewal-Time = 1800
+ Rebinding-Time = 3150
+ IP-Address-Lease-Time = 3600
+ Server-Identifier = 192.168.0.1
+ Subnet-Mask = 255.255.255.0
+ Network-Subnet = 0.0.0.0/32
}
ok
}
subrequest DHCPv6.Request {
- &Transaction-ID = 0x1e291d
+ Transaction-ID = 0x1e291d
- &Server-ID.DUID = LLT
- &Server-ID.DUID.LLT.Hardware-Type = Ethernet
- &Server-ID.DUID.LLT.Time = "Nov 21 2012 08:36:00 UTC"
- &Server-ID.DUID.LLT.Hardware-Type.Ethernet.Address = 00:11:22:33:44:55
+ Server-ID.DUID = LLT
+ Server-ID.DUID.LLT.Hardware-Type = Ethernet
+ Server-ID.DUID.LLT.Time = "Nov 21 2012 08:36:00 UTC"
+ Server-ID.DUID.LLT.Hardware-Type.Ethernet.Address = 00:11:22:33:44:55
- &Client-ID.DUID = LL
- &Client-ID.DUID.LL.Hardware-Type = Ethernet
- &Client-ID.DUID.LL.Hardware-Type.Ethernet.Address = 00:01:02:03:04:05
+ Client-ID.DUID = LL
+ Client-ID.DUID.LL.Hardware-Type = Ethernet
+ Client-ID.DUID.LL.Hardware-Type.Ethernet.Address = 00:01:02:03:04:05
- &request += {
- &Option-Request = DNS-Servers
- &Option-Request = AFTR-Name
+ request += {
+ Option-Request = DNS-Servers
+ Option-Request = AFTR-Name
}
- &Elapsed-Time = 0
+ Elapsed-Time = 0
call dhcpv6 {
# 'Request' expects 'Reply'
- if (&reply.Packet-Type != Reply) {
+ if (reply.Packet-Type != Reply) {
test_fail
}
test_dhcpv6_reply_matches_request
- # ... Server-ID must be inside &reply
- if (!&reply.Server-ID.DUID.LLT.Hardware-Type) {
+ # ... Server-ID must be inside reply
+ if (!reply.Server-ID.DUID.LLT.Hardware-Type) {
test_fail
}
- if (!&reply.Server-ID.DUID.LLT.Time) {
+ if (!reply.Server-ID.DUID.LLT.Time) {
test_fail
}
- if (!&reply.Server-ID.DUID.LLT.Hardware-Type.Ethernet.Address) {
+ if (!reply.Server-ID.DUID.LLT.Hardware-Type.Ethernet.Address) {
test_fail
}
}
subrequest DHCPv6.Solicit {
- &Transaction-ID = 0xd81eb8
- &Client-ID.DUID = LL
- &Client-ID.DUID.LL.Hardware-Type = Ethernet
- &Client-ID.DUID.LL.Hardware-Type.Ethernet.Address = 00:01:02:03:04:05
- &Option-Request = DNS-Servers
- &Option-Request = AFTR-Name
- &Elapsed-Time = 0
- &IA-PD.T1 = 3600
- &IA-PD.T2 = 5400
+ Transaction-ID = 0xd81eb8
+ Client-ID.DUID = LL
+ Client-ID.DUID.LL.Hardware-Type = Ethernet
+ Client-ID.DUID.LL.Hardware-Type.Ethernet.Address = 00:01:02:03:04:05
+ Option-Request = DNS-Servers
+ Option-Request = AFTR-Name
+ Elapsed-Time = 0
+ IA-PD.T1 = 3600
+ IA-PD.T2 = 5400
call dhcpv6 {
- if (&reply.Packet-Type != Advertise) {
+ if (reply.Packet-Type != Advertise) {
test_fail
}
test_dhcpv6_reply_matches_request {
# We should reply the below attributes...
- if (!&reply.Transaction-ID) {
+ if (!reply.Transaction-ID) {
test_fail
}
- # ... these must be the same as in &request
- if (&reply.Transaction-ID != &request.Transaction-ID) {
+ # ... these must be the same as in request
+ if (reply.Transaction-ID != request.Transaction-ID) {
test_fail
}
- if (&reply.Client-ID.DUID != &request.Client-ID.DUID) {
+ if (reply.Client-ID.DUID != request.Client-ID.DUID) {
test_fail
}
- if (&request.Option-Request[*] == DNS-Servers) {
- if (&reply.DNS-Servers[*] != "2a01:cafe:1") {
+ if (request.Option-Request[*] == DNS-Servers) {
+ if (reply.DNS-Servers[*] != "2a01:cafe:1") {
test_fail
}
}
- if (&request.Option-Request[*] == AFTR-Name) {
- if (&reply.AFTR-Name != "tapioca.net") {
+ if (request.Option-Request[*] == AFTR-Name) {
+ if (reply.AFTR-Name != "tapioca.net") {
test_fail
}
}
}
send Advertise {
- &reply += {
- &IA-PD.T1 = 150
- &IA-PD.T2 = 250
+ reply += {
+ IA-PD.T1 = 150
+ IA-PD.T2 = 250
- &IA-PD.Options.IA-PD-Prefix.Preferred-Lifetime = 250
- &IA-PD.Options.IA-PD-Prefix.Valid-Lifetime = 300
- &IA-PD.Options.IA-PD-Prefix.IPv6-Prefix = 2a00:1:1:100::/56
+ IA-PD.Options.IA-PD-Prefix.Preferred-Lifetime = 250
+ IA-PD.Options.IA-PD-Prefix.Valid-Lifetime = 300
+ IA-PD.Options.IA-PD-Prefix.IPv6-Prefix = 2a00:1:1:100::/56
- &Preference = 10
+ Preference = 10
- &DNS-Servers = 2a01:cafe:1
- &AFTR-Name = "tapioca.net"
+ DNS-Servers = 2a01:cafe:1
+ AFTR-Name = "tapioca.net"
}
ok
}
send Reply {
- &reply += {
- &IA-PD.T1 = 150
- &IA-PD.T2 = 250
+ reply += {
+ IA-PD.T1 = 150
+ IA-PD.T2 = 250
- &IA-PD.Options.IA-PD-Prefix.Preferred-Lifetime = 250
- &IA-PD.Options.IA-PD-Prefix.Valid-Lifetime = 300
- &IA-PD.Options.IA-PD-Prefix.IPv6-Prefix = 2a00:1:1:100::/56
+ IA-PD.Options.IA-PD-Prefix.Preferred-Lifetime = 250
+ IA-PD.Options.IA-PD-Prefix.Valid-Lifetime = 300
+ IA-PD.Options.IA-PD-Prefix.IPv6-Prefix = 2a00:1:1:100::/56
- &Preference = 10
+ Preference = 10
- &DNS-Servers = 2a01:cafe:1
- &AFTR-Name = "tapioca.net"
+ DNS-Servers = 2a01:cafe:1
+ AFTR-Name = "tapioca.net"
}
}
}
# Outputs the contents of the control list in debugging (-X) mode
#
debug_control {
- %debug_attr(&control.[*])
+ %debug_attr(control.[*])
}
#
# Outputs the contents of the request list in debugging (-X) mode
#
debug_request {
- %debug_attr(&request.[*])
+ %debug_attr(request.[*])
}
#
# Outputs the contents of the reply list in debugging (-X) mode
#
debug_reply {
- %debug_attr(&reply.[*])
+ %debug_attr(reply.[*])
}
#
# Set the test to successful, but only if there are no failures.
#
success {
- &reply.Result-Status = "success"
+ reply.Result-Status = "success"
ok
}
test_fail {
- &reply += {
- &Failure = "Failure in test file %interpreter(....filename)[%interpreter(...line)]"
+ reply += {
+ Failure = "Failure in test file %interpreter(....filename)[%interpreter(...line)]"
}
- if (&parent.request) {
- &parent.reply += {
- &Failure = "Failure in test file %interpreter(....filename)[%interpreter(...line)]"
+ if (parent.request) {
+ parent.reply += {
+ Failure = "Failure in test file %interpreter(....filename)[%interpreter(...line)]"
}
}
}
subrequest RADIUS.Access-Request {
- &User-Name = "bob"
- &User-Password = "hello"
+ User-Name = "bob"
+ User-Password = "hello"
call radius {
- if (&reply.Packet-Type != Access-Accept) {
+ if (reply.Packet-Type != Access-Accept) {
test_fail
}
}
# Send Access-Accept immediately
#
accept {
- &reply.Packet-Type := Access-Accept
+ reply.Packet-Type := Access-Accept
handled
}
# Send Access-Challenge immediately
#
challenge {
- &reply.Packet-Type := Access-Challenge
+ reply.Packet-Type := Access-Challenge
handled
}
# No proxy-state attributes
#
subrequest RADIUS.Access-Request {
- &User-Name = "bob"
- &User-Password = "hello"
+ User-Name = "bob"
+ User-Password = "hello"
call radius {}
- if (!(&reply.Packet-Type == Access-Accept)) {
+ if (!(reply.Packet-Type == Access-Accept)) {
test_fail
}
# We shouldn't magically acquire new proxy state values
- if (&reply.Proxy-State) {
+ if (reply.Proxy-State) {
test_fail
}
}
# One proxy state-attribute
#
subrequest RADIUS.Access-Request {
- &User-Name = "bob"
- &User-Password = "hello"
- &Proxy-State := { 0x01 }
+ User-Name = "bob"
+ User-Password = "hello"
+ Proxy-State := { 0x01 }
call radius {}
- if (!(&reply.Packet-Type == Access-Accept)) {
+ if (!(reply.Packet-Type == Access-Accept)) {
test_fail
}
- if (!(&reply.Proxy-State[0] == 0x01)) {
+ if (!(reply.Proxy-State[0] == 0x01)) {
test_fail
}
- if (&reply.Proxy-State[1]) {
+ if (reply.Proxy-State[1]) {
test_fail
}
}
# Two proxy state-attributes
#
subrequest RADIUS.Access-Request {
- &User-Name = "bob"
- &User-Password = "hello"
- &Proxy-State := { 0x01, 0x02 }
+ User-Name = "bob"
+ User-Password = "hello"
+ Proxy-State := { 0x01, 0x02 }
call radius {}
- if (!(&reply.Packet-Type == Access-Accept)) {
+ if (!(reply.Packet-Type == Access-Accept)) {
test_fail
}
- if (!(&reply.Proxy-State[0] == 0x01)) {
+ if (!(reply.Proxy-State[0] == 0x01)) {
test_fail
}
- if (!(&reply.Proxy-State[1] == 0x02)) {
+ if (!(reply.Proxy-State[1] == 0x02)) {
test_fail
}
- if (&reply.Proxy-State[2]) {
+ if (reply.Proxy-State[2]) {
test_fail
}
}
}
send Access-Challenge {
- &reply.Reply-Message := "challenge"
+ reply.Reply-Message := "challenge"
}
}
```
recv Access-Request {
- if (&User-Name == "coa") {
- &Reply-Message := %exec('./build/make/jlibtool', '--mode=execute', './build/bin/local/radclient', '-d', 'raddb/', '-D', 'share/dictionary/', '-xx', '-t', '2', '-F', '-f', 'src/tests/radclient/coa/server_coa.txt,src/tests/radclient/exec/server_coa_reply.txt', 'localhost:37990', 'coa', 'testing123')
+ if (User-Name == "coa") {
+ Reply-Message := %exec('./build/make/jlibtool', '--mode=execute', './build/bin/local/radclient', '-d', 'raddb/', '-D', 'share/dictionary/', '-xx', '-t', '2', '-F', '-f', 'src/tests/radclient/coa/server_coa.txt,src/tests/radclient/exec/server_coa_reply.txt', 'localhost:37990', 'coa', 'testing123')
accept
}
...
policy {
files.authorize {
- if (&User-Name == "bob") {
- &control.Password.Cleartext := "bob"
+ if (User-Name == "bob") {
+ control.Password.Cleartext := "bob"
}
}
$INCLUDE ${maindir}/policy.d/
}
new client {
- &control.FreeRADIUS-Client-IP-Address := 127.0.0.1
- &control.FreeRADIUS-Client-Secret := 'testing123'
- &control.FreeRADIUS-Client-Shortname := 'test-client'
- &control.FreeRADIUS-Client-NAS-Type := 'test'
+ control.FreeRADIUS-Client-IP-Address := 127.0.0.1
+ control.FreeRADIUS-Client-Secret := 'testing123'
+ control.FreeRADIUS-Client-Shortname := 'test-client'
+ control.FreeRADIUS-Client-NAS-Type := 'test'
ok
}
#
# Ensure that we can send unknown attributes back.
#
- if (&NAS-Identifier == "auth_4") {
- &reply.Class := 0x483d342c493d34
- &reply += {
- &raw.26 = &reply.Class
- &raw.26 = 0x483d342c493d43
+ if (NAS-Identifier == "auth_4") {
+ reply.Class := 0x483d342c493d34
+ reply += {
+ raw.26 = reply.Class
+ raw.26 = 0x483d342c493d43
}
}
- if (&User-Name == "proxy") {
- if (!&Proxy-State) {
- &control.Auth-Type := ::proxy
+ if (User-Name == "proxy") {
+ if (!Proxy-State) {
+ control.Auth-Type := ::proxy
return
}
return
}
- if ((&NAS-Identifier == "dynamic") && !&Proxy-State) {
- &control.Auth-Type := ::dynamic-proxy
+ if ((NAS-Identifier == "dynamic") && !Proxy-State) {
+ control.Auth-Type := ::dynamic-proxy
return
}
- if (&User-Name == "bob") {
+ if (User-Name == "bob") {
accept
} else {
reject
}
authenticate dynamic-proxy {
- &reply.NAS-Port := %proxy.sendto.ipaddr(127.0.0.1, $ENV{TEST_PORT}, 'testing123')
+ reply.NAS-Port := %proxy.sendto.ipaddr(127.0.0.1, $ENV{TEST_PORT}, 'testing123')
ok
}
send Access-Accept {
- if (&Proxy-State) {
- &reply.Reply-Message := "Have Proxy-State"
+ if (Proxy-State) {
+ reply.Reply-Message := "Have Proxy-State"
}
}
policy {
files.authorize {
- if (&User-Name == "bob") {
- &control.Password.Cleartext := "bob"
+ if (User-Name == "bob") {
+ control.Password.Cleartext := "bob"
}
}
$INCLUDE ${maindir}/policy.d/
}
authenticate PAP {
- if (&User-Name == 'tapioca') {
- &control.Password.Cleartext := 'queijo'
+ if (User-Name == 'tapioca') {
+ control.Password.Cleartext := 'queijo'
}
pap { fail = 1, reject = 2 }
if (ok) {
- &reply.Server-Message := "Authentication-Start accepted"
+ reply.Server-Message := "Authentication-Start accepted"
} else {
- &reply.Server-Message := "Authentication-Start failed for %{User-Name}"
+ reply.Server-Message := "Authentication-Start failed for %{User-Name}"
}
}
authenticate ASCII {
- if (&User-Name == 'tapioca' && &User-Password == 'queijo') {
- &reply.Server-Message := "ASCII authentication accepted"
+ if (User-Name == 'tapioca' && User-Password == 'queijo') {
+ reply.Server-Message := "ASCII authentication accepted"
ok
} else {
- &reply.Server-Message := "ASCII authentication failed for %{User-Name}"
+ reply.Server-Message := "ASCII authentication failed for %{User-Name}"
reject
}
}
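Review bot: `authenticate ASCII` decides the outcome with `User-Password == 'queijo'` directly in policy, whereas `authenticate PAP` in the same file sets `control.Password.Cleartext` and leaves the comparison to the `pap` module. That works for a fixture, but a literal comparison in policy skips whatever password-scheme handling the module provides and reads like a pattern to copy if this file is ever used as a template. I would add a comment above the condition, e.g. `# test fixture only: real configurations should validate through a password module, not compare User-Password in policy`.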
authenticate CHAP {
- if (&User-Name == 'tapioca') {
- &control.Password.Cleartext = 'queijo'
+ if (User-Name == 'tapioca') {
+ control.Password.Cleartext = 'queijo'
}
chap { fail = 1, reject = 2 }
if (ok) {
- &reply.Server-Message := "CHAP authentication accepted"
+ reply.Server-Message := "CHAP authentication accepted"
} else {
- &reply.Server-Message := "CHAP authentication failed for %{User-Name}"
+ reply.Server-Message := "CHAP authentication failed for %{User-Name}"
}
}
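Review bot: `authenticate CHAP` sets the password with `control.Password.Cleartext = 'queijo'`, while the otherwise identical line in `authenticate PAP` uses `:=`; the commit carries that difference over unchanged. If `=` only adds the attribute when none is present (my reading of the operator, not something this page shows), a `Password.Cleartext` set earlier in processing would win in the CHAP section but be overridden in the PAP one. Unless the test depends on that, I would write `control.Password.Cleartext := 'queijo'` here too, or add a one-line comment saying why CHAP differs.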
send Authentication-Pass {
- &reply.Data := "Authentication-Data"
+ reply.Data := "Authentication-Data"
}
send Authentication-Fail {
- &reply.Data := "Authentication-Data"
+ reply.Data := "Authentication-Data"
}
recv Authentication-Continue {
}
recv Authorization-Request {
- if (&User-Name == "tapioca") {
- &reply.Authorization-Status := ::Pass-Add
- &reply.Server-Message := "Authorization-Request accepted"
+ if (User-Name == "tapioca") {
+ reply.Authorization-Status := ::Pass-Add
+ reply.Server-Message := "Authorization-Request accepted"
- &control.Auth-Type := ::Accept
+ control.Auth-Type := ::Accept
} else {
- &reply.Server-Message := "Authorization-Request failed for %{User-Name}"
+ reply.Server-Message := "Authorization-Request failed for %{User-Name}"
reject
}
}
# First packet for a session
accounting Start {
- &reply.Server-Message := "Accounting-Start Section"
+ reply.Server-Message := "Accounting-Start Section"
ok
}
# Updates a session
accounting Watchdog {
- &reply.Server-Message := "Accounting-Watchdog Section"
+ reply.Server-Message := "Accounting-Watchdog Section"
ok
}
# Stops a session
accounting Stop {
- &reply.Server-Message := "Accounting-Stop Section"
+ reply.Server-Message := "Accounting-Stop Section"
ok
}
send Accounting-Success {
- &reply.Accounting-Status := ::Success
- &reply.Data := 0x12
+ reply.Accounting-Status := ::Success
+ reply.Data := 0x12
}
}
+++ /dev/null
-#
-# Like the conditional tests, but tests for escape sequences
-#
-
-#
-# These tests also involve run-time purification, and we don't
-# do that with the new conditions. So it's disabled for now.
-#
-condition "bob" == 0x626f62
-match true
-
-# \n gets escaped in double quoted strings
-condition "\n" == 0x0a
-match true
-
-# but not in single quoted strings
-condition '\n' == 0x5c6e
-match true
-
-condition '\'' == 0x27
-match true
-
-condition "'" == 0x27
-match true
-
-condition "\"" == 0x22
-match true
-
-condition 0x22 == '"'
-match true
-
-condition '\'' == "'"
-match true
-
-condition '\\' == "\\"
-match true
-
-#
-# The first string is \ + x
-#
-condition '\x' == "x"
-match false
-
-# embedded zeros are OK
-condition "a\000a" == 0x610061
-match true
-
-condition "aa\000" == 0x616100
-match true
-
-condition 'aa\000' == 0x61615c303030
-match true
-
-condition 'aa\000' == "aa\000"
-match false
-
-condition 'a\n' == "a\n"
-match false
-
-condition 0x626f62 == 'bob'
-match true
-
-condition 0x626f62 == "bob"
-match true
-
-condition 0x626f62 == bob
-match true
-
-condition \n == 0x5c6e
-match ERROR offset 1: No operand found. Expected &ref, literal, 'quoted literal', "%{expansion}", or enum value
-
-condition a\n == 0x615c6e
-match ERROR offset 2: Unexpected text after enum value. Expected operator
-
-count
-match 40