*** xref:raddb/mods-available/index.adoc[Modules]
**** xref:raddb/mods-available/all_modules.adoc[Summary of all modules]
-**** xref:raddb/mods-available/abfab_psk_sql.adoc[ADFAB PSK]
**** xref:raddb/mods-available/always.adoc[Always]
**** xref:raddb/mods-available/attr_filter.adoc[Attr_filter]
**** xref:raddb/mods-available/cache.adoc[Cache]
**** xref:raddb/mods-available/yubikey.adoc[Yubikey]
*** xref:raddb/sites-available/index.adoc[Virtual Servers]
-**** xref:raddb/sites-available/abfab-tls.adoc[ABFAB: Listening on TLS]
-**** xref:raddb/sites-available/abfab-tr-idp.adoc[ABFAB: Trust Router]
**** xref:raddb/sites-available/arp.adoc[ARP Virtual Server]
**** xref:raddb/sites-available/bfd.adoc[BFD - Bidirectional Forwarding Detection]
**** xref:raddb/sites-available/buffered-sql.adoc[Buffered SQL]
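Review bot: the three nav entries removed here (`abfab_psk_sql`, `abfab-tls`, `abfab-tr-idp`) match the three `.adoc` deletions later in this patch, but the raw `policy.d/abfab-tr` file is also deleted and no corresponding page or nav entry is touched; check whether a generated page for that policy exists, and grep the remaining docs for `xref:` targets pointing at the three removed pages, since the Antora build will warn or fail on dangling xrefs.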
+++ /dev/null
-
-
-
-
-= ABFAB PSK Module
-
-The `abfab_psk_sql` module is used to authorize PSK from `link:https://tools.ietf.org/html/rfc7831[ABFAB]` trust router.
-
-
-
-## Configuration Settings
-
-
-
-sql { ... }:: See `sql` documentation.
-
-
-driver:: Database driver.
-
-
-
-sqlite { ... }:: Database statement based on `driver` setting.
-
-
-== Default Configuration
-
-```
-sql psksql {
- driver = "sqlite"
- sqlite {
- filename = "/var/lib/trust_router/keys"
- }
-}
-```
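Review bot: this page was the only description of the `psksql` instance that `psk_query` in `abfab-tls` and `abfab_psk_authorize` in `policy.d/abfab-tr` depend on, and all three are removed in the same patch, so the deletion is self-consistent. If a generic "TLS-PSK key looked up from SQL" example is meant to survive the ABFAB removal, re-home the `sql psksql { driver = "sqlite" ... }` instance and the `psk_query` line under the `tls` listener documentation rather than dropping the only worked example.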
[cols="20%,80%"]
|=====
| Module | Description
-| xref:raddb/mods-available/abfab_psk_sql.adoc[abfab_psk_sql] | ADFAB PSK
| xref:raddb/mods-available/cache_eap.adoc[cache_eap] | Cache EAP
| xref:raddb/mods-available/cache_tls.adoc[cache_tls] | Cache TLS Session
| xref:raddb/mods-available/cipher.adoc[cipher] | Cipher
+++ /dev/null
-
-
-
-
-= ABFAB listening on TLS
-
-If you need to provide the `abfab-tr-idp` with SSL support, enable it.
-
-
-
-## Example configuration
-
-
-
-### listen { ... }
-
-```
-listen {
- ipaddr = *
- port = 2083
- type = auth
- proto = tcp
-
-```
-
-## tls { ... }
-
-```
- tls {
-```
-
-NOTE: Moonshot tends to distribute certs separate from keys.
-
-```
- chain {
- certificate_file = ${certdir}/server.pem
- private_key_file = ${certdir}/server.key
- private_key_password = whatever
- }
-
- ca_file = ${cadir}/ca.pem
- dh_file = ${certdir}/dh
- fragment_size = 8192
- ca_path = ${cadir}
- cipher_list = "DEFAULT"
-
- cache {
- enable = no
- lifetime = 24 # hours
- max_entries = 255
- }
-
- require_client_cert = yes
- verify {
-
- }
-
- psk_query = %psksql("select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'")
- }
-
-```
-
-.Please see the `sites-availables/abfab-idp` file.
-
-```
- virtual_server = abfab-idp
-
-```
-
-.Reference to the next `clients {...}` section.
-
-```
- clients = radsec-abfab
-}
-
-```
-
-### clients { ... }
-
-This client stanza will match other RP proxies from other realms
-established via the trustrouter. In general additional client
-stanzas are also required for local services.
-
-```
-clients radsec-abfab {
-```
-
-.Allow all clients, but require TLS.
-
-```
- client default {
- ipaddr = 0.0.0.0/0
- proto = tls
- }
-
-```
-
-.An example local service.
-
-```
- client service_1 {
-
-```
-
-ipaddr::
-
-```
-# ipaddr = 192.0.2.20
-```
-
-gss_acceptor_host_name::
-
-You should either set `gss_acceptor_host_name` below or set up policy to confirm
-that a client claims the right acceptor hostname when using ABFAB.
-
-If set, the RADIUS server will confirm that all requests have this value for the
-acceptor host name.
-
-```
-# gss_acceptor_host_name = "server.example.com"
-
-```
-
-gss_acceptor_realm_name:: Foreign realms will typically reject a request
-if this is not properly set.
-
-```
-# gss_acceptor_realm_name = "example.com"
-
-```
-
-trust_router_coi:: Override the `default_community` in the realm module.
-
-```
-# trust_router_coi = "community1.example.net"
-
-```
-
-IMPORTANT: In production deployments it is important to set up certificate
-verification so that even if clients spoof IP addresses, one client cannot
-impersonate another.
-
-
-```
- }
-}
-```
-
-== Default Configuration
-
-```
-```
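Review bot: this page was the documented example of `require_client_cert = yes` combined with a catch-all `client default { ipaddr = 0.0.0.0/0 proto = tls }` stanza, i.e. "accept any peer that presents a valid certificate or PSK", and its closing IMPORTANT note about configuring certificate verification so one client cannot impersonate another disappears with it. Make sure the remaining `tls` listener docs still carry that guidance, and that the placeholder `private_key_password = whatever` is not copied into any replacement example.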
+++ /dev/null
-
-
-
-
-= ABFAB: Trust Router
-
-This file represents a server that is implementing an identity provider
-for `GSS-EAP` (https://tools.ietf.org/html/rfc7055[RFC 7055]) using the trust router protocol for dynamic realm
-discovery. Any ABFAB identity provider is also an ABFAB relying party proxy.
-
-NOTE: This file does not include a TLS listener. Please see `abfab-tls`
-for a simple example of a RADSEC listener for ABFAB.
-
-
-
-## Default Instance
-
-
-
-## server { ... }
-
-```
-server abfab-idp {
-
-```
-
-### recv Access-Request
-
-Run these rules when receiving an `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]`
-
-```
- recv Access-Request {
-```
-
-.Please see the `policy.d/abfab-tr` for full documentation.
-
-```
- abfab_psk_authorize
- abfab_client_check
-
-```
-
-.Please see the `policy.d/filter` for full documentation.
-
-```
- filter_username
-
-```
-
-If you intend to use CUI and you require that the `Operator-Name`
-be set for CUI generation and you want to generate CUI also
-for your local clients then uncomment the operator-name below and
-set the operator-name for your clients in `clients.conf`
-
-operator-name
-
-
-If you want to generate CUI for some clients that do not send proper
-CUI requests, then uncomment the cui below and set `add_cui = yes`
-for these clients in `clients.conf`
-
-cui
-
-
-For EAP requests.
-
-```
- eap {
- ok = return
- }
-
-```
-
-.Please see the xref:howto:modules/expiration/index.adoc[expiration] for full documentation.
-
-```
- expiration
- }
-
-```
-
-EAP authentication.
-
-```
- authenticate eap {
-```
-
-Allow EAP authentication.
-
-```
- eap
- }
-
-```
-
-### send Access-Accept
-
-Run these rules when sending an `link:https://freeradius.org/rfc/rfc2865.html#Access-Accept[Access-Accept]`
-
-```
- send Access-Accept {
-```
-
-For `EAP-TTLS` and `PEAP`, add the cached attributes to the reply.
-The `session-state` attributes are automatically cached when
-an `link:https://freeradius.org/rfc/rfc2865.html#Access-Challenge[Access-Challenge]` is sent, and automatically retrieved
-when an `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` is received.
-
-The `session-state` attributes are automatically deleted after
-an `link:https://freeradius.org/rfc/rfc2865.html#Access-Reject[Access-Reject]` or `link:https://freeradius.org/rfc/rfc2865.html#Access-Accept[Access-Accept]` is sent.
-
-```
- &reply += &session-state
-
-```
-
-Create the `CUI` value and add the attribute to `link:https://freeradius.org/rfc/rfc2865.html#Access-Accept[Access-Accept]`.
-Uncomment the line below if *returning* the CUI.
-
-```
-# cui
-
-```
-
-If you want to have a log of authentication replies, uncomment the
-following line, and enable the `detail reply_log` module.
-
-```
-# reply_log
-
-```
-
-After authenticating the user, do another SQL query.
-
-See "Authentication Logging Queries" in mods-available/sql
-
-```
- -sql
-
-```
-
-Instead of sending the query to the SQL server,
-write it into a log file.
-
-```
-# sql_log
-
-```
-
-Uncomment the following if you want to modify the user's object
-in LDAP after a successful login.
-
-```
-# ldap
-
-```
-
-.Please see the `exec` for full documentation.
-
-```
- exec
-
-```
-
-Remove reply message if the response contains an `link:https://freeradius.org/rfc/rfc2869.html#EAP-Message[EAP-Message]`.
-
-.Please see the `policy.d/eap` for full documentation.
-
-```
- remove_reply_message_if_eap
- }
-
-```
-
-### send Access-Reject
-
-Run these rules for sending an `link:https://freeradius.org/rfc/rfc2865.html#Access-Reject[Access-Reject]`.
-
-NOTE: if you have set `edir = yes` in the `ldap` module configuration,
-please remember to add the ldap module name (or instance).
-
-```
- send Access-Reject {
-```
-
-.Log failed authentications in SQL, too.
-
-```
- -sql
-
-```
-
-.Please see the `attr_filter` for full documentation.
-
-```
- attr_filter.access_reject
-
-```
-
-NOTE: Insert `EAP-Failure` message if the request was rejected by policy instead of
-because of an authentication failure And already has an `EAP` message For non-ABFAB,
-we insert the failure all the time, but for ABFAB It's more desirable to preserve
-`link:https://freeradius.org/rfc/rfc2865.html#Reply-Message[Reply-Message]` when we can.
-
-```
- if (&reply.Eap-Message) {
- eap
- }
-
-```
-
-.Remove reply message if the response contains an `link:https://freeradius.org/rfc/rfc2869.html#EAP-Message[EAP-Message]`.
-
-```
- remove_reply_message_if_eap
- }
-}
-```
-
-== Default Configuration
-
-```
-```
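Review bot: besides the ABFAB-specific `abfab_psk_authorize` / `abfab_client_check` calls, this page was the only rendered example of the `send Access-Reject` idiom `if (&reply.Eap-Message) { eap }` with the rationale that an EAP-Failure is inserted only when an EAP message is already present so that `Reply-Message` survives policy rejects. If that idiom is not documented in another virtual server page, keep it somewhere, since it is useful outside ABFAB; the page also rendered the `operator-name` and `cui` items as bare text outside a fence, which is moot once deleted but worth not repeating where they are re-used.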
layer such as GSS-EAP (https://tools.ietf.org/html/rfc7055[RFC 7055]) or IEEE 802.11I is likely to
need a separate channel binding policy.
```
- abfab_channel_bindings
}
}
```
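Review bot: removing the `abfab_channel_bindings` call leaves the preceding comment (each lower layer such as GSS-EAP or IEEE 802.11i needing its own channel-binding policy) introducing a block that now contains nothing but closing braces; either trim that comment or leave a commented placeholder. Also confirm the `eap` module behaves sensibly when `Chbind-Response-Code` is never set, since the deleted policy was the only place that did `&control.Chbind-Response-Code := success`.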
=== List of provided virtual servers
-* xref:raddb/sites-available/abfab-tls.adoc[abfab tls]
-* xref:raddb/sites-available/abfab-tr-idp.adoc[abfab tr idp]
* xref:raddb/sites-available/arp.adoc[arp]
* xref:raddb/sites-available/bfd.adoc[bfd]
* xref:raddb/sites-available/buffered-sql.adoc[buffered sql]
+++ /dev/null
-# -*- text -*-
-#
-#
-# $Id$
-
-#######################################################################
-#
-# = ABFAB PSK Module
-#
-# The `abfab_psk_sql` module is used to authorize PSK from `ABFAB` trust router.
-#
-
-#
-# ## Configuration Settings
-#
-
-#
-# sql { ... }:: See `sql` documentation.
-#
-sql psksql {
- #
- # driver:: Database driver.
- #
- driver = "sqlite"
-
- #
- # sqlite { ... }:: Database statement based on `driver` setting.
- #
- sqlite {
- filename = "/var/lib/trust_router/keys"
- }
-}
+++ /dev/null
-#
-# ABFAB Trust router policies.
-#
-# $Id$
-#
-
-
-#
-# Verify rp parameters
-#
-abfab_psk_authorize {
- if (&TLS-PSK-Identity) {
- # TODO: may need to check trust-router-apc as well
- if ("%psksql(select distinct keyid from authorizations_keys where keyid = '%{tls-psk-identity}' and '%{trust-router-coi}' like coi and '%{gss-acceptor-realm-name}' like acceptor_realm and '%{gss-acceptor-host-name}' like hostname;)") {
- # do things here
- }
- else {
- &reply.Reply-Message = "RP not authorized for this ABFAB request"
-
- reject
- }
- }
-}
-
-abfab_client_check {
- # check that the acceptor host name is correct
- if ("%client(gss_acceptor_host_name)" && &GSS-acceptor-host-name) {
- if ("%client(gss_acceptor_host_name)" != "%{gss-acceptor-host-name}") {
- &reply.Reply-Message = "GSS-Acceptor-Host-Name incorrect"
-
- reject
- }
- }
-
- # set trust-router-coi attribute from the client configuration
- if ("%client(trust_router_coi)") {
- &request.Trust-Router-COI := "%client(trust_router_coi)"
- }
-
- # set gss-acceptor-realm-name attribute from the client configuration
- if ("%client(gss_acceptor_realm_name)") {
- &request.GSS-Acceptor-Realm-Name := "%client(gss_acceptor_realm_name)"
- }
-}
-
-# A policy which is used to validate channel-bindings.
-#
-abfab_channel_bindings {
- if (&GSS-Acceptor-Service-Name && (&outer.request.GSS-Acceptor-Service-Name != &GSS-Acceptor-Service-Name)) {
- reject
- }
-
- if (&GSS-Acceptor-Host-Name && &outer.request.GSS-Acceptor-Host-Name != &GSS-Acceptor-Host-Name) {
- reject
- }
-
- if (&GSS-Acceptor-Realm-Name && &outer.request.GSS-Acceptor-Realm-Name != &GSS-Acceptor-Realm-Name) {
- reject
- }
-
- if (&GSS-Acceptor-Service-Name || &GSS-Acceptor-Realm-Name || &GSS-Acceptor-Host-Name) {
- &control.Chbind-Response-Code := success
-
- #
- # ACK the attributes in the request.
- #
- # If any one of these attributes don't exist in the request,
- # then they won't be copied to the reply.
- #
- &reply.GSS-Acceptor-Service-Name = &GSS-Acceptor-Service-Name
- &reply.GSS-Acceptor-Host-Name = &GSS-Acceptor-Host-Name
- &reply.GSS-Acceptor-Realm-Name = &GSS-Acceptor-Realm-Name
- }
-
- #
- # Return "handled" so that the "authenticate" section isn't used.
- #
- handled
-}
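Review bot: `abfab_psk_authorize` was the only check tying a `TLS-PSK-Identity` to an authorized `Trust-Router-COI` / `GSS-Acceptor-Realm-Name` / `GSS-Acceptor-Host-Name` tuple, and `abfab_client_check` the only enforcement of a per-client `gss_acceptor_host_name`; with the whole ABFAB stack going that is fine, but if TLS-PSK listeners remain supported a PSK identity now carries no authorization beyond the key lookup itself, which deserves a changelog line. For the record, the deleted query used `like` with the wildcard pattern coming from the database columns rather than the request, so a row with `%` in `coi`, `acceptor_realm` or `hostname` authorized every RP, and the `# TODO: may need to check trust-router-apc as well` was never resolved.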
+++ /dev/null
-# -*- text -*-
-#
-#
-# $Id$
-
-#######################################################################
-#
-# = ABFAB listening on TLS
-#
-# If you need to provide the `abfab-tr-idp` with SSL support, enable it.
-#
-
-#
-# ## Example configuration
-#
-
-#
-# ### listen { ... }
-#
-listen {
- ipaddr = *
- port = 2083
- type = auth
- proto = tcp
-
- #
- # ## tls { ... }
- #
- tls {
- #
- # NOTE: Moonshot tends to distribute certs separate from keys.
- #
- chain {
- certificate_file = ${certdir}/server.pem
- private_key_file = ${certdir}/server.key
- private_key_password = whatever
- }
-
- ca_file = ${cadir}/ca.pem
- dh_file = ${certdir}/dh
- fragment_size = 8192
- ca_path = ${cadir}
- cipher_list = "DEFAULT"
-
- cache {
- enable = no
- lifetime = 24 # hours
- max_entries = 255
- }
-
- require_client_cert = yes
- verify {
-
- }
-
- psk_query = %psksql("select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'")
- }
-
- #
- # .Please see the `sites-availables/abfab-idp` file.
- #
- virtual_server = abfab-idp
-
- #
- # .Reference to the next `clients {...}` section.
- #
- clients = radsec-abfab
-}
-
-#
-# ### clients { ... }
-#
-# This client stanza will match other RP proxies from other realms
-# established via the trustrouter. In general additional client
-# stanzas are also required for local services.
-#
-clients radsec-abfab {
- #
- # .Allow all clients, but require TLS.
- #
- client default {
- ipaddr = 0.0.0.0/0
- proto = tls
- }
-
- #
- # .An example local service.
- #
- client service_1 {
-
- #
- # ipaddr::
- #
-# ipaddr = 192.0.2.20
- #
- # gss_acceptor_host_name::
- #
- # You should either set `gss_acceptor_host_name` below or set up policy to confirm
- # that a client claims the right acceptor hostname when using ABFAB.
- #
- # If set, the RADIUS server will confirm that all requests have this value for the
- # acceptor host name.
- #
-# gss_acceptor_host_name = "server.example.com"
-
- #
- # gss_acceptor_realm_name:: Foreign realms will typically reject a request
- # if this is not properly set.
- #
-# gss_acceptor_realm_name = "example.com"
-
- #
- # trust_router_coi:: Override the `default_community` in the realm module.
- #
-# trust_router_coi = "community1.example.net"
-
- #
- # IMPORTANT: In production deployments it is important to set up certificate
- # verification so that even if clients spoof IP addresses, one client cannot
- # impersonate another.
- #
-
- }
-}
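Review bot: same content as the rendered `abfab-tls.adoc` removed above; the `psk_query = %psksql("select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'")` line here is the only in-tree use of `psk_query` shown in this patch, so grep the `tls` listener code and dictionaries for `psk_query` and `TLS-PSK-Identity` to decide whether they are now dead code or still documented elsewhere.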
+++ /dev/null
-# -*- text -*-
-#
-#
-# $Id$
-
-#######################################################################
-#
-# = ABFAB: Trust Router
-#
-# This file represents a server that is implementing an identity provider
-# for `GSS-EAP` (RFC 7055) using the trust router protocol for dynamic realm
-# discovery. Any ABFAB identity provider is also an ABFAB relying party proxy.
-#
-# NOTE: This file does not include a TLS listener. Please see `abfab-tls`
-# for a simple example of a RADSEC listener for ABFAB.
-#
-
-#
-# ## Default Instance
-#
-
-#
-# ## server { ... }
-#
-server abfab-idp {
-
- #
- # ### recv Access-Request
- #
- # Run these rules when receiving an `Access-Request`
- #
- recv Access-Request {
- #
- # .Please see the `policy.d/abfab-tr` for full documentation.
- #
- abfab_psk_authorize
- abfab_client_check
-
- #
- # .Please see the `policy.d/filter` for full documentation.
- #
- filter_username
-
- #
- # If you intend to use CUI and you require that the `Operator-Name`
- # be set for CUI generation and you want to generate CUI also
- # for your local clients then uncomment the operator-name below and
- # set the operator-name for your clients in `clients.conf`
- #
- # operator-name
-
- #
- # If you want to generate CUI for some clients that do not send proper
- # CUI requests, then uncomment the cui below and set `add_cui = yes`
- # for these clients in `clients.conf`
- #
- # cui
-
- #
- # For EAP requests.
- #
- eap {
- ok = return
- }
-
- #
- # .Please see the `mods-available/expiration` for full documentation.
- #
- expiration
- }
-
- #
- # EAP authentication.
- #
- authenticate eap {
- #
- # Allow EAP authentication.
- #
- eap
- }
-
- #
- # ### send Access-Accept
- #
- # Run these rules when sending an `Access-Accept`
- #
- send Access-Accept {
- #
- # For `EAP-TTLS` and `PEAP`, add the cached attributes to the reply.
- # The `session-state` attributes are automatically cached when
- # an `Access-Challenge` is sent, and automatically retrieved
- # when an `Access-Request` is received.
- #
- # The `session-state` attributes are automatically deleted after
- # an `Access-Reject` or `Access-Accept` is sent.
- #
- &reply += &session-state
-
- #
- # Create the `CUI` value and add the attribute to `Access-Accept`.
- # Uncomment the line below if *returning* the CUI.
- #
-# cui
-
- #
- # If you want to have a log of authentication replies, uncomment the
- # following line, and enable the `detail reply_log` module.
- #
-# reply_log
-
- #
- # After authenticating the user, do another SQL query.
- #
- # See "Authentication Logging Queries" in mods-available/sql
- #
- -sql
-
- #
- # Instead of sending the query to the SQL server,
- # write it into a log file.
- #
-# sql_log
-
- #
- # Uncomment the following if you want to modify the user's object
- # in LDAP after a successful login.
- #
-# ldap
-
- #
- # .Please see the `exec` for full documentation.
- #
- exec
-
- #
- # Remove reply message if the response contains an `EAP-Message`.
- #
- # .Please see the `policy.d/eap` for full documentation.
- #
- remove_reply_message_if_eap
- }
-
- #
- # ### send Access-Reject
- #
- # Run these rules for sending an `Access-Reject`.
- #
- # NOTE: if you have set `edir = yes` in the `ldap` module configuration,
- # please remember to add the ldap module name (or instance).
- #
- send Access-Reject {
- #
- # .Log failed authentications in SQL, too.
- #
- -sql
-
- #
- # .Please see the `attr_filter` for full documentation.
- #
- attr_filter.access_reject
-
- #
- # NOTE: Insert `EAP-Failure` message if the request was rejected by policy instead of
- # because of an authentication failure And already has an `EAP` message For non-ABFAB,
- # we insert the failure all the time, but for ABFAB It's more desirable to preserve
- # `Reply-Message` when we can.
- #
- if (&reply.Eap-Message) {
- eap
- }
-
- #
- # .Remove reply message if the response contains an `EAP-Message`.
- #
- remove_reply_message_if_eap
- }
-}
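Review bot: this server referenced `abfab_psk_authorize` and `abfab_client_check` from `policy.d/abfab-tr` (also deleted); with both gone, check `policy.d/` and the remaining virtual servers for any other `abfab_*` callers beyond the two `abfab_channel_bindings` removals in this patch, and check packaging and test fixtures for `sites-enabled/` symlinks to `abfab-tls` or `abfab-tr-idp`.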
# of channel binding that may be in use. For example each lower
# layer such as GSS-EAP (RFC 7055) or IEEE 802.11I is likely to
# need a separate channel binding policy.
- abfab_channel_bindings
}
}
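Review bot: as in the rendered copy, the comment ending "need a separate channel binding policy" now heads an empty block in the raw inner-tunnel config; trim the comment to match the code, otherwise the file reads as though a policy call were accidentally missing.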
Class https://freeradius.org/rfc/rfc2865.html#Class
State https://freeradius.org/rfc/rfc2865.html#State
Delegated-IPv6-Prefix https://freeradius.org/rfc/rfc4818.html#Delegated-IPv6-Prefix
-ABFAB https://tools.ietf.org/html/rfc7831
Alc-ToServer-Dhcp-Options https://infoproducts.alcatel-lucent.com/html/0_add-h-f/93-0088-HTML/7750_SR_OS_Radius_Attributes_Reference_Guide/SROS_RADIUS_Attrib.html
Alc-ToClient-Dhcp-Options https://infoproducts.alcatel-lucent.com/html/0_add-h-f/93-0088-HTML/7750_SR_OS_Radius_Attributes_Reference_Guide/SROS_RADIUS_Attrib.html
draft-sterman-aaa-sip-01 https://tools.ietf.org/html/draft-sterman-aaa-sip-01
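Review bot: dropping the `ABFAB` alias is consistent with the deletions above, but this map feeds the doc generator's name-to-link substitution; confirm no remaining generated page (attribute or RFC reference pages in particular) still emits the bare token `ABFAB` expecting a target here, since the deleted `abfab_psk_sql.adoc` linked RFC 7831 explicitly rather than via this alias.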