+# -*- text -*-
+# $Id$
+
+#######################################################################
+
# We check for this prefix to determine whether the class
# value was generated by this server. It should be changed
# so that it is globally unique.
# is not included
#
else {
- &request.Acct-Unique-Session-Id := %{hex:%{md5:%{string:%{User-Name},%{Acct-Multi-Session-ID},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}}}
+ &request.Acct-Unique-Session-Id := "%{hex:%{md5:%{string:%{User-Name},%{Acct-Multi-Session-ID},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}}}"
}
&request -= &Tmp-String-9[*]
# The `session-state` attributes are automatically deleted after
# an `Access-Reject` or `Access-Accept` is sent.
#
- update {
- &reply += &session-state
- }
+ &reply += &session-state
#
# Create the `CUI` value and add the attribute to `Access-Accept`.
+# -*- text -*-
+# $Id$
+
+#######################################################################
+
#
# This file gives an example of using Challenge-Response
#
# consisting of a random number 0..9. The user has to respond
# with that number.
#
-#
-# $Id$
-#
+
listen {
type = auth
ipaddr = *
# If there's no State attribute, then this is the request from
# the user.
#
- if (!State) {
- update control {
- Auth-Type := Step1
- Password.Cleartext := "hello"
- }
+ if (!&State) {
+ &control.Auth-Type := Step1
+ &control.Password.Cleartext := "hello"
}
else {
#
# Set the "known good" password to the number
# saved in the session-state list.
#
- update control {
- Auth-Type := Step2
- Password.Cleartext := &session-state.Tmp-Integer-0
- }
+ &control.Auth-Type := Step2
+ &control.Password.Cleartext := &session-state.Tmp-Integer-0
}
}
#
# Set the random number to save.
#
- update session-state {
- Tmp-Integer-0 := "%{randstr:n}"
- }
- update reply {
- Reply-Message := &session-state.Tmp-Integer-0
- }
+ &session-state.Tmp-Integer-0 := "%{randstr:n}"
+ &reply.Reply-Message := &session-state.Tmp-Integer-0
#
# Send an Access-Challenge.
+# -*- text -*-
+# $Id$
+
+#######################################################################
+#
# This virtual server allows EAP-TLS to reject access requests
# based on some attributes of the certificates involved.
#
# modules that check for further authorization, especially if they
# hit external services such as sql or ldap.
-
server check-eap-tls {
-
+#
# Authorize - this is the only section required.
#
# To accept the access request, set Auth-Type = Accept, otherwise
#
# By default, we just accept the request:
#
- update config {
- &Auth-Type := Accept
- }
-
+ &control.Auth-Type := Accept
#
# Check the client certificate matches a string, and reject otherwise
#
# if ("%{session-state.TLS-Client-Cert-Common-Name}" == 'client.example.com') {
-# update config {
-# &Auth-Type := Accept
-# }
+# &control.Auth-Type := Accept
# }
# else {
-# update config {
-# &Auth-Type := Reject
-# }
-# update reply {
-# &Reply-Message := "Your certificate is not valid."
-# }
+# &control.Auth-Type := Reject
+# &reply.Reply-Message := "Your certificate is not valid."
# }
# Check the client certificate common name against the supplied User-Name
#
# if (&User-Name == "host/%{session-state.TLS-Client-Cert-Common-Name}") {
-# update config {
-# &Auth-Type := Accept
-# }
+# &control.Auth-Type := Accept
# }
# else {
-# update config {
-# &Auth-Type := Reject
-# }
+# &control.Auth-Type := Reject
# }
# base_filter = "(objectClass=computer)"
# groupname_attribute = cn
# groupmembership_filter = "(&(objectClass=group)(member=%{control.Ldap-UserDn}))"
+ #
# ldap
+ #
# Now let's test membership of an LDAP group (the ldap bind user will
# need permission to read this group membership):
+ #
# if (!(Ldap-Group == "Permitted-Laptops")) {
-# update config {
-# &Auth-Type := Reject
-# }
+# &control.Auth-Type := Reject
# }
# or, to be more specific, you could use the group's full DN:
# if (!(Ldap-Group == "CN=Permitted-Laptops,OU=Groups,DC=example,DC=org")) {
-
#
# This may be a better place to call the files modules when using
# EAP-TLS, as it will only be called once, after the challenge-response
# files
-
#
# Log all request attributes, plus TLS certificate details, to the
# auth_log file. Again, this is just once per connection request, so
#
auth_log
-
}
}
# what these attributes are unfortunately, so we
# cannot give more detailed advice here.
#
- update control {
- #
- # Example MySQL lookup
- #
-# &Tmp-String-0 := "%{sql:SELECT IFNULL(GROUP_CONCAT(CONCAT(nasipaddress,'#',acctsessionid) separator '|'),'') FROM (SELECT * FROM radacct WHERE ('%{User-Name}'='' OR UserName='%{User-Name}') AND ('%{Acct-Session-Id}'='' OR acctsessionid = '%{Acct-Session-Id}') AND AcctStopTime IS NULL) a}"
-
- #
- # Example PostgreSQL lookup
- #
-# &Tmp-String-0 := "%{sql:SELECT STRING_AGG(CONCAT(nasipaddress,'#',acctsessionid),'|') FROM (SELECT * FROM radacct WHERE ('%{User-Name}'='' OR UserName='%{User-Name}') AND ('%{Acct-Session-Id}'='' OR acctsessionid = '%{Acct-Session-Id}') AND AcctStopTime IS NULL) a}"
+ #
+ # Example MySQL lookup
+ #
+# &control.Tmp-String-0 := "%{sql:SELECT IFNULL(GROUP_CONCAT(CONCAT(nasipaddress,'#',acctsessionid) separator '|'),'') FROM (SELECT * FROM radacct WHERE ('%{User-Name}'='' OR UserName='%{User-Name}') AND ('%{Acct-Session-Id}'='' OR acctsessionid = '%{Acct-Session-Id}') AND AcctStopTime IS NULL) a}"
- #
- # Keep a count of what we send.
- #
- &Tmp-Integer-0 := 0
+ #
+ # Example PostgreSQL lookup
+ #
+# &control.Tmp-String-0 := "%{sql:SELECT STRING_AGG(CONCAT(nasipaddress,'#',acctsessionid),'|') FROM (SELECT * FROM radacct WHERE ('%{User-Name}'='' OR UserName='%{User-Name}') AND ('%{Acct-Session-Id}'='' OR acctsessionid = '%{Acct-Session-Id}') AND AcctStopTime IS NULL) a}"
- }
+ #
+ # Keep a count of what we send.
+ #
+ &control.Tmp-Integer-0 := 0
#
# Split the string and split into pieces.
# Send an update for each session we find.
#
if ("%{Foreach-Variable-0}" =~ /([^#]*)#(.*)/) {
+ # NAS-IP-Address
+ &control.Tmp-IP-Address-0 := "%{1}"
- update control {
-
- # NAS-IP-Address
- &Tmp-IP-Address-0 := "%{1}"
-
- # Acct-Session-Id
- &Tmp-String-1 := "%{2}"
-
- }
+ # Acct-Session-Id
+ &control.Tmp-String-1 := "%{2}"
subrequest CoA-Request {
+ #
+ # The subrequest begins empty, so initially copy all attributes
+ # from the incoming request.
+ #
+ &request := &parent.request
- update request {
-
- #
- # The subrequest begins empty, so initially copy all attributes
- # from the incoming request.
- #
- &request := &parent.request[*]
-
- #
- # Add/override the session identification attributes looked up
- #
- &Acct-Session-Id := &parent.control.Tmp-String-1
-
- #
- # Some NASs want these, others don't
- #
- &Event-Timestamp := "%l"
- &Message-Authenticator := 0x00
+ #
+ # Add/override the session identification attributes looked up
+ #
+ &request.Acct-Session-Id := &parent.control.Tmp-String-1
- }
+ #
+ # Some NASs want these, others don't
+ #
+ &request.Event-Timestamp := "%l"
+ &request.Message-Authenticator := 0x00
#
# Remove attributes which will confuse the NAS
# if it contains attributes which are NOT
# "session identification" attributes.
#
- filter request {
- #
- # SQL-User-Name is a side-effect of the xlat
- #
- &SQL-User-Name !* ANY
-
- #
- # Those attributes should be listed here
- #
- &Acct-Delay-Time !* ANY
- &Proxy-State !* ANY
+ #
+ # SQL-User-Name is a side-effect of the xlat
+ #
+ &request -= &SQL-User-Name[*]
- #
- # Uncomment if the NAS does not expect User-Name
- #
- #&User-Name !* ANY
+ #
+ # Those attributes should be listed here
+ #
+ &request -= &Acct-Delay-Time[*]
+ &request -= &Proxy-State[*]
- }
+ #
+ # Uncomment if the NAS does not expect User-Name
+ #
+ #&request -= &User-Name[*]
#
# Call the radius client module instance for the NAS-IP-Address
#
# Increment count of sent updates
#
- update parent.control {
- &Tmp-Integer-0 := %{expr: %{parent.control.Tmp-Integer-0} + 1}
- }
+ &parent.control.Tmp-Integer-0 += 1
radius-originate-coa-192.0.2.1
# Likely a missing "case" if we can't map NAS-IP-Address to a module
#
case {
- update parent.control {
- &Reply-Message += "Missing map for NAS: %{parent.control.Tmp-IP-Address-0}"
+ &parent.control += {
+ &Reply-Message = "Missing map for NAS: %{parent.control.Tmp-IP-Address-0}"
}
}
# Report what we did
#
if (&control.Tmp-Integer-0) {
- update reply {
- &Reply-Message += "Sent updates for %{control.Tmp-Integer-0} active sessions"
+ &reply += {
+ &Reply-Message = "Sent updates for %{control.Tmp-Integer-0} active sessions"
}
+
ok
} else {
- update reply {
- &Reply-Message += "No active sessions found"
+ &reply += {
+ &Reply-Message = "No active sessions found"
}
+
reject
}
# -*- text -*-
-#
-#
# $Id$
#######################################################################
#
# In most cases, those small changes will result in the server being
# able to connect to the database, and to authenticate users.
+#
+#
# ## The Virtual Server
#
# This is the `default` virtual server.
# username ends in example.com.
#
# if (&User-Name =~ /@example\.com$/) {
-# update control {
-# &Auth-Type := "proxy-example.com"
-# }
+# &control.Auth-Type := "proxy-example.com"
# }
#
}
-
######################################################################
#
# ## Authentication Sections
# Service-Type = Authorize-Only.
#
# if (!&reply.State) {
-# update reply {
-# &State := "0x%{randstr:16h}"
-# }
+# &reply.State := "0x%{randstr:16h}"
# }
#
# The `session-state` attributes are deleted after an
# `Access-Reject` or `Access-Accept` packet has been sent.
#
- update {
- &reply += &session-state
- }
+ &reply += &session-state
#
# For EAP, ensure that the Access-Accept contains a User-Name
# work, you will need to define the WiMAX NAI, usually
# via:
#
-# update request {
-# &WiMAX-MN-NAI = "%{User-Name}"
-# }
+# &request.WiMAX-MN-NAI = "%{User-Name}"
# If you want various keys to be calculated, you will
# need to update the reply with "template" values. The
# contains information about the client certificate (if
# available).
#
-# update reply {
-# &Reply-Message += "%{session-state.TLS-Certificate.Serial}"
-# &Reply-Message += "%{session-state.TLS-Certificate.Not-After}"
-# &Reply-Message += "%{session-state.TLS-Certificate.Subject}"
-# &Reply-Message += "%{session-state.TLS-Certificate.Issuer}"
-# &Reply-Message += "%{session-state.TLS-Certificate.Common-Name}"
-# &Reply-Message += "%{session-state.TLS-Certificate.Subject-Alt-Name-Email}"
+# &reply += {
+# &Reply-Message = "%{session-state.TLS-Certificate.Serial}"
+# &Reply-Message = "%{session-state.TLS-Certificate.Not-After}"
+# &Reply-Message = "%{session-state.TLS-Certificate.Subject}"
+# &Reply-Message = "%{session-state.TLS-Certificate.Issuer}"
+# &Reply-Message = "%{session-state.TLS-Certificate.Common-Name}"
+# &Reply-Message = "%{session-state.TLS-Certificate.Subject-Alt-Name-Email}"
# }
#
# into the EAP-Key-Name attribute.
#
# if (&reply.EAP-Session-Id) {
-# update reply {
-# &EAP-Key-Name := &reply.EAP-Session-Id
-# }
+# &reply.EAP-Key-Name := &reply.EAP-Session-Id
# }
#
#
# The start time is: NOW - delay - session_length
#
-# update request {
-# &FreeRADIUS-Acct-Session-Start-Time = "%{expr: %{%{Event-Timestamp}:-%l} - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
-# }
+# &request.FreeRADIUS-Acct-Session-Start-Time = "%{expr: %{%{Event-Timestamp}:-%l} - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
#
# The packet should have a timestamp. If not, use "now" from the server.
#
if (!&Event-Timestamp) {
- update request {
- &Event-Timestamp := "%{expr:%l - &Acct-Delay-Time}"
- }
+ &request.Event-Timestamp := "%{expr:%l - &Acct-Delay-Time}"
}
#
# The detail file reader runs the normal RADIUS / DHCP / etc. processing sections.
#
recv Accounting-Request {
- update request {
- &Acct-Delay-Time := "%{expr:%{%{Acct-Delay-Time}:-0} + %c - %(integer:%{%{Event-Timestamp}:-%{Packet-Original-Timestamp}})}"
- }
+ &request.Acct-Delay-Time := "%{expr:%{%{Acct-Delay-Time}:-0} + %c - %(integer:%{%{Event-Timestamp}:-%{Packet-Original-Timestamp}})}"
#
# We handled the packet successfully. Run the "send ok" section.
recv Discover {
# The DHCP Server Identifier is set here since it is returned in OFFERs
- update control {
- &Server-Identifier = 192.0.2.1
- }
+ &control.Server-Identifier = 192.0.2.1
# Call a policy (defined in policy.d/dhcp) to set common reply attributes
dhcp_common
# See below for the definition of the "mac2ip"
# module.
#
- #mac2ip
+# mac2ip
# If the MAC wasn't found in that list, do something else.
# You could call a Perl, Python, or Java script here.
# Or, allocate IPs from the DHCP pool in SQL. You may need to
# set the pool name here if you haven't set it elsewhere.
-# update control {
-# &IP-Pool.Name := "local"
-# }
+# &control.IP-Pool.Name := "local"
# dhcp_sqlippool
# Set the type of packet to send in reply.
# server will fall back to determining the type of reply
# based on the rcode of this section.
- #update reply {
- # &Message-Type = Offer
- #}
+# &reply.Message-Type = Offer
# If Message-Type is not set, returning "ok" or
# "updated" from this section will respond with a Offer
# message.
#
# Other rcodes will tell the server to not return any response.
- #ok
+# ok
}
recv Request {
# The DHCP Server Identifier is set here since it is returned in OFFERs
- update control {
- &Server-Identifier = 192.0.2.1
- }
+ &control.Server-Identifier = 192.0.2.1
# If the request is not for this server then silently discard it
if (&request.Server-Identifier && \
}
# Response packet type. See Discover section above.
- #update reply {
- # &Message-Type = Ack
- #}
+# &reply.Message-Type = Ack
# Call a policy (defined in policy.d/dhcp) to set common reply attributes
dhcp_common
# See below for the definition of the "mac2ip"
# module.
#
- #mac2ip
+# mac2ip
# If the MAC wasn't found in that list, do something else.
# You could call a Perl, Python, or Java script here.
# Or, allocate IPs from the DHCP pool in SQL. You may need to
# set the pool name here if you haven't set it elsewhere.
-# update control {
-# &IP-Pool.Name := "local"
-# }
+# &control.IP-Pool.Name := "local"
# dhcp_sqlippool
if (ok) {
- update reply {
- &Your-IP-Address := "%{%{request.Requested-IP-Address}:-%{request.Client-IP-Address}}"
- }
+ &reply.Your-IP-Address := "%{%{request.Requested-IP-Address}:-%{request.Client-IP-Address}}"
}
# If Message-Type is not set, returning "ok" or
#
# "handled" will not return a packet, all other rcodes will
# send back a NAK.
- #ok
+# ok
}
#
recv Decline {
# If using IPs from a DHCP pool in SQL then you may need to set the
# pool name here if you haven't set it elsewhere and mark the IP as declined.
-# update control {
-# &IP-Pool.Name := "local"
-# }
+# &control.IP-Pool.Name := "local"
# dhcp_sqlippool
ok
# For Windows 7 boxes
#
#recv Inform {
-# update reply {
-# Packet-Dst-Port = 67
-# Message-Type = Ack
-# Server-Identifier = "%{Packet-Dst-IP-Address}"
-# Site-specific-28 = 0x0a00
-# }
+# &reply.Packet-Dst-Port = 67
+# &reply.Message-Type = Ack
+# &reply.Server-Identifier = "%{Packet-Dst-IP-Address}"
+# &reply.Site-specific-28 = 0x0a00
# ok
#}
recv Release {
# If using IPs from a DHCP pool in SQL then you may need to set the
# pool name here if you haven't set it elsewhere and release the IP.
-# update control {
-# &IP-Pool.Name := "local"
-# }
+# &control.IP-Pool.Name := "local"
# dhcp_sqlippool
ok
}
-
recv Lease-Query {
# The thing being queried for is implicit
# in the packets.
# look up identifier in database
}
else {
- update reply {
- &Message-Type = Lease-Unknown
- }
+ &reply.Message-Type = Lease-Unknown
ok
# if it can't find anything.
#
if (notfound) {
- update reply {
- &Message-Type = Lease-Unknown
- }
+ &reply.Message-Type = Lease-Unknown
+
ok
+
return
}
# Lease-Active
# Lease-Unassigned
#
- update reply {
- &Message-Type = Lease-Unassigned
- }
-
+ &reply.Message-Type = Lease-Unassigned
}
}
# of the following sections, named after the DHCP packet type.
# See dictionary.dhcp for the packet types.
dhcp Discover {
- update config {
- # IP Address of the DHCP server
- &Relay-To-IP-Address := 192.0.2.2
- }
- update request {
- # IP Address of the DHCP relay (ourselves)
- &Gateway-IP-Address := 192.0.2.1
- }
+ # IP Address of the DHCP server
+ &control.Relay-To-IP-Address := 192.0.2.2
+
+ # IP Address of the DHCP relay (ourselves)
+ &request.Gateway-IP-Address := 192.0.2.1
+
ok
}
dhcp Request {
- update config {
- # IP Address of the DHCP server
- &Relay-To-IP-Address := 192.0.2.2
- }
- update request {
- &Gateway-IP-Address := 192.0.2.2
- }
+ # IP Address of the DHCP server
+ &control.Relay-To-IP-Address := 192.0.2.2
+
+ # IP Address of the Gateway server
+ &request.Gateway-IP-Address := 192.0.2.2
+
ok
}
}
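Review bot: The new comment `# IP Address of the Gateway server` above `&request.Gateway-IP-Address := 192.0.2.2` in the `dhcp Request` section disagrees with the `dhcp Discover` section in the same hunk, where `&request.Gateway-IP-Address := 192.0.2.1` is documented as "the DHCP relay (ourselves)". The Request value is also the same address the section assigns to `&control.Relay-To-IP-Address` (the DHCP server), so either the comment or the value looks copied across wrongly. If Request is meant to mirror Discover, change the two lines to `# IP Address of the DHCP relay (ourselves)` and `&request.Gateway-IP-Address := 192.0.2.1`; if the difference is intentional, the comment should say why the relay's gateway address differs between Discover and Request. The enclosing server block starts outside the hunk.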
#
# All replies MUST include a Server-ID option
#
- update reply {
- &Server-ID.DUID = UUID
- &Server-ID.DUID.UUID.Value := 0x00000000000000000000000000000000
- }
+ &reply.Server-ID.DUID = UUID
+ &reply.Server-ID.DUID.UUID.Value := 0x00000000000000000000000000000000
}
#
#
# All replies MUST include a Server-ID option
#
- update reply {
- &Server-ID.DUID = UUID
- &Server-ID.DUID.UUID.Value := 0x00000000000000000000000000000000
- }
+ &reply.Server-ID.DUID = UUID
+ &reply.Server-ID.DUID.UUID.Value := 0x00000000000000000000000000000000
}
#
#
# All replies MUST include a Server-ID option
#
- update reply {
- &Server-ID.DUID = UUID
- &Server-ID.DUID.UUID.Value := 0x00000000000000000000000000000000
- }
+ &reply.Server-ID.DUID = UUID
+ &reply.Server-ID.DUID.UUID.Value := 0x00000000000000000000000000000000
}
}
# useless, but it documents the attributes
# you need.
#
- update control {
+ # Copy the IP address of the client from
+ # the request just received
+ &control.FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
- # Copy the IP address of the client from
- # the request just received
- &FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
+ # require_message_authenticator
+ &control.FreeRADIUS-Client-Require-MA = no
- # require_message_authenticator
- &FreeRADIUS-Client-Require-MA = no
+ # secret
+ &control.FreeRADIUS-Client-Secret = "testing123"
- # secret
- &FreeRADIUS-Client-Secret = "testing123"
+ # shortname
+ &control.FreeRADIUS-Client-Shortname = "%{Packet-Src-IP-Address}"
- # shortname
- &FreeRADIUS-Client-Shortname = "%{Packet-Src-IP-Address}"
+ # nas_type
+ &control.FreeRADIUS-Client-NAS-Type = "other"
- # nas_type
- &FreeRADIUS-Client-NAS-Type = "other"
-
- # virtual_server
- #
- # This can ONLY be used if the network client
- # definition (e.g. "client dynamic" above) has
- # NO virtual_server defined.
- #
- # If the network client definition does have a
- # virtual_server defined, then that is used,
- # and there is no need to define this attribute.
- #
- #&FreeRADIUS-Client-Virtual-Server = "something"
-
- }
+ # virtual_server
+ #
+ # This can ONLY be used if the network client
+ # definition (e.g. "client dynamic" above) has
+ # NO virtual_server defined.
+ #
+ # If the network client definition does have a
+ # virtual_server defined, then that is used,
+ # and there is no need to define this attribute.
+ #
+ # &control.FreeRADIUS-Client-Virtual-Server = "something"
#
# Example 2: Look the clients up in SQL.
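Review bot: The rewritten `# require_message_authenticator` comment above `&control.FreeRADIUS-Client-Require-MA = no` still does not say what the value does, and since this block is presented as the template for a dynamic client definition, a reader copying it turns off Message-Authenticator verification for the new client without being told. Expand it to `# require_message_authenticator: "no" disables Message-Authenticator verification for this client; keep it enabled unless the NAS cannot send the attribute`. The `# secret` comment above `&control.FreeRADIUS-Client-Secret = "testing123"` could likewise say that the value is a placeholder to be replaced per client. The enclosing section starts outside the hunk.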
# for the NAS element, i.e. "password".
#
if ("%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}") {
- update control {
- &FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
+ &control.FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
- # Set the Client-Shortname to be the Location
- # "l" just like in the Huntgroups, but this
- # time to the shortname.
+ # Set the Client-Shortname to be the Location
+ # "l" just like in the Huntgroups, but this
+ # time to the shortname.
- &FreeRADIUS-Client-Shortname = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?l?sub?cn=%{Packet-Src-IP-Address}}"
+ &control.FreeRADIUS-Client-Shortname = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?l?sub?cn=%{Packet-Src-IP-Address}}"
- # Lookup and set the Shared Secret based on
- # the "ou" attribute.
- &FreeRADIUS-Client-Secret = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}"
- }
+ # Lookup and set the Shared Secret based on
+ # the "ou" attribute.
+ &control.FreeRADIUS-Client-Secret = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}"
}
#
#
######################################################################
-
#
# This client will be available to any "listen" section that
# are defined outside of a virtual server section. However,
# and examples, and should not appear on the net. You shouldn't
# use it for anything, either.
#
+
client 192.0.2.10 {
shortname = example-client
secret = testing123
#
# Some example policies. See "man unlang" for more.
#
- if (&User-Name == 'bob') {
- update control {
- &Password.Cleartext := 'bob'
- }
+ if (&User-Name == "bob") {
+ &control.Password.Cleartext := "bob"
}
#
}
send Access-Reject {
- update reply {
- &Reply-Message = 'This is only an example.'
- }
+ &reply.Reply-Message = "This is only an example."
}
}
# authentication methods.
#
# If you need to send a reply attribute in the outer session,
-# the ONLY safe way is to update the outer session-state.
+# the ONLY safe way is to set the outer session-state list.
# Attributes that should be provided in the reply should be
# copied to the outer.session-state list:
#
-# update outer.session-state {
-# ...
-# }
+# &outer.session-state.Attribute := <Value>
#
# The default configuration in the outer post-auth "send" section
# will copy this to the reply. To copy the entire reply see
#
# Let the outer session know which module failed, and why.
#
- update outer.session-state {
- &Module-Failure-Message := &request.Module-Failure-Message
- }
+ &outer.session-state.Module-Failure-Message := &request.Module-Failure-Message
}
} # inner-tunnel server block
# ...
# }
#
-# Note that this functionality is configured differently from v3.
+# NOTE: This functionality is configured differently from v3.
#
######################################################################
# The subrequest begins empty, so copy all necessary
# attributes over.
#
- update request {
- &User-Name := &parent.request.User-Name
- &Acct-Session-Id := &parent.request.Acct-Session-Id
- &NAS-Identifier := &parent.request.NAS-Identifier
- &NAS-IP-Address := &parent.request.NAS-IP-Addres
- &NAS-IPv6-Address := &parent.request.NAS-IPv6-Address
- &NAS-Port := &parent.request.NAS-Port
- &Framed-IP-Address := &parent.request.Framed-IP-Address
- }
+ &request.User-Name := &parent.request.User-Name
+ &request.Acct-Session-Id := &parent.request.Acct-Session-Id
+ &request.NAS-Identifier := &parent.request.NAS-Identifier
+ &request.NAS-IP-Address := &parent.request.NAS-IP-Addres
+ &request.NAS-IPv6-Address := &parent.request.NAS-IPv6-Address
+ &request.NAS-Port := &parent.request.NAS-Port
+ &request.Framed-IP-Address := &parent.request.Framed-IP-Address
#
# Call the `radius` module to send a CoA packet.
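Review bot: The new line `&request.NAS-IP-Address := &parent.request.NAS-IP-Addres` carries the misspelled source attribute `NAS-IP-Addres` over from the removed line, so the copy of the NAS address into the CoA subrequest references an attribute that does not exist (most likely a parse error when the server loads the file, otherwise an empty copy). Change it to `&request.NAS-IP-Address := &parent.request.NAS-IP-Address`. The enclosing subrequest block starts outside the hunk.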
# the inner tunnel request.
#
- update control {
- # You should update this to be one of your realms.
- &Proxy-To-Realm := "example.com"
- }
+ # You should update this to be one of your realms.
+ &control.Proxy-To-Realm := "example.com"
}
authenticate eap {
# packets were written to the detail file. But that would
# involve a lot more disk writes, which may not be a good idea.
#
-# This file is NOT meant to be used as-is. It needs to be
+# NOTE: This file is NOT meant to be used as-is. It needs to be
# edited to match your local configuration.
#
# $Id$
recv Accounting-Request {
# You may want accounting policies here...
- update control {
- &Proxy-To-Realm := 'acct_realm.example.com'
- }
+ &control.Proxy-To-Realm := "acct_realm.example.com"
}
}
+# -*- text -*-
+#
# This is a simple server for the MS SoH requests generated by the
-# peap module - see "eap.conf" for more info
-
+# peap module - see "raddb/mods-available/eap" for more info
+#
# Requests are ONLY passed through the authorize section, and cannot
# current be proxied (in any event, the radius attributes used are
# internal).
+#
+# $Id$
+#
server soh-server {
recv Access-Request {
if (&SoH-Supported == no) {
# client NAKed our request for SoH - not supported, or turned off
- update config {
- &Auth-Type = Accept
- }
+ &control.Auth-Type = Accept
}
else {
# client replied; check something - this is a local policy issue!
if (&SoH-MS-Windows-Health-Status =~ /antivirus (warn|error) /) {
- update config {
- &Auth-Type = Reject
- }
- update reply {
- &Reply-Message = 'You must have antivirus enabled & installed!'
- }
+ &control.Auth-Type = Reject
+ &reply.Reply-Message = "You must have antivirus enabled & installed!"
}
else {
- update config {
- &Auth-Type = Accept
- }
+ &control.Auth-Type = Accept
}
}
}
}
-
#
# Set _our_ authentication method to the _requested_ one.
#
- update control {
- &Auth-Type := &Authentication-Type
- }
+ &control.Auth-Type := &Authentication-Type
}
authenticate PAP {
#
send Authentication-Start-Reply {
if (&Authentication-Status == Pass) {
- update reply {
- &Server-Message := "Hello %{User-Name}"
- }
+ &reply.Server-Message := "Hello %{User-Name}"
}
}
#
send Authentication-Continue-Reply {
if (&Authentication-Status == Pass) {
- update reply {
- &Server-Message := "Hello %{User-Name}"
- }
+ &reply.Server-Message := "Hello %{User-Name}"
}
}
# ### Send
#
send Authorization-Reply {
- update reply {
- &Authorization-Status := Pass-Add
- &Server-Message := "authorization-response-server"
- &Data := "authorization-response-data"
- &ArgumentList := "key1=var1"
- }
+ &reply.Authorization-Status := Pass-Add
+ &reply.Server-Message := "authorization-response-server"
+ &reply.Data := "authorization-response-data"
+ &reply.ArgumentList := "key1=var1"
}
#
# ### Send
#
send Accounting-Reply {
- update reply {
- &Accounting-Status := Success
- &Server-Message := "Success"
- &Data := 0x00
- }
+ &reply.Accounting-Status := Success
+ &reply.Server-Message := "Success"
+ &reply.Data := 0x00
}
#
# and will just cause the server to emit a warning.
#
load tls-session {
- update control {
- Cache-Allow-Insert := no
- }
+ &control.Cache-Allow-Insert := no
+
cache_tls_session
}
# and will just cause the server to emit a warning.
#
store tls-session {
- update control {
- Cache-TTL := 0
- }
+ &control.Cache-TTL := 0
+
cache_tls_session
}
# and will just cause the server to emit a warning.
#
clear tls-session {
- update control {
- Cache-TTL := 0
- Cache-Allow-Insert := no
- }
+ &control.Cache-TTL := 0
+ &control.Cache-Allow-Insert := no
+
cache_tls_session
}
# To force OCSP validation failure, it should return 'reject'.
#
load ocsp-state {
- update control {
- Cache-Allow-Insert := no
- }
+ &control.Cache-Allow-Insert := no
+
cache_ocsp
}
# and will just cause the server to emit a warning.
#
store ocsp-state {
- update control {
- Cache-TTL := "%{expr:&reply.TLS-OCSP-Next-Update * -1}"
- Cache-Allow-Merge := no
- }
+ &control.Cache-TTL := "%{expr:&reply.TLS-OCSP-Next-Update * -1}"
+ &control.Cache-Allow-Merge := no
+
cache_ocsp
}
}
# create one using other attributes.
if (!&MAC-Address) {
if (&Ethernet-Frame =~ /0x.{12}(..)(..)(..)(..)(..)(..).*/) {
- update request {
- &MAC-Address = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}"
- }
+ &request.MAC-Address = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}"
}
else {
- update request {
- &MAC-Address = &Cookie
- }
+ &request.MAC-Address = &Cookie
}
}
#
# required VMPS reply attributes
#
- update reply {
- &Packet-Type = Join-Response
- &Error-Code = No-Error
- &Cookie = &MAC-Address
+ &reply.Packet-Type = Join-Response
+ &reply.Error-Code = No-Error
+ &reply.Cookie = &MAC-Address
- &VLAN-Name = "please_use_real_vlan_here"
+ &reply.VLAN-Name = "please_use_real_vlan_here"
- #
- # NOTE: If you have VLAN's in a database, you can `select`
- # the VLAN name based on the MAC address.
- #
-# &VLAN-Name = "%{sql:select ... where mac='%{MAC-Address}'}"
- }
+ #
+ # NOTE: If you have VLAN's in a database, you can `select`
+ # the VLAN name based on the MAC address.
+ #
+# &reply.VLAN-Name = "%{sql:select ... where mac='%{MAC-Address}'}"
}
#