#
# ### EAP-PWD (Secure password-based authentication)
#
- # In v4, the "known good" password is taken from the `&request.control.Password.Cleartext` list,
+ # In v4, the "known good" password is taken from the `request.control.Password.Cleartext` list,
# as is done by other modules. The change from v3 is that the `inner-tunnel` virtual server
# is no not used.
#
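Review bot: The sentence that the rewritten line `request.control.Password.Cleartext` opens still reads `is no not used` on the unchanged line two below it, so the paragraph this commit edits is left with a doubled negation. Since the paragraph is being touched anyway, I would change that line to `# is not used.`. Hunk boundaries are not marked in this excerpt, so I am assuming this unit ends at the blank comment line after that sentence.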
#
# The file should be provided as the attribute:
#
- # &control.TLS-Session-Cert-File
+ # control.TLS-Session-Cert-File
#
# If there are any errors loading or verifying the
# certificate, then authentication will fail.
# `virtual_server`.
#
# Attributes created during certificate processing
- # will be placed in the `&session-state` list.
+ # will be placed in the `session-state` list.
# This is to simplify session-resumption, as the
# contents of this list also contains session data
# for stateful resumption, and this list is encoded
# ====
# Attribute generation is only performed on full
# handshake, or where we detect that attributes
- # are missing from the &session-state list during
+ # are missing from the `session-state` list during
# stateful session-resumption.
#
# Certificate attributes will usually be retrieved
# You must ensure that any attributes required for policy
# decisions are cached along with the TLS session
# data. This is usually done by placing policy attributes in the
- # `&session-state` list, or in the case of EAP-PEAP, EAP-TTLS and
- # EAP-FAST, the `&parent.session-state` list (i.e. in the request
+ # `session-state` list, or in the case of EAP-PEAP, EAP-TTLS and
+ # EAP-FAST, the `parent.session-state` list (i.e. in the request
# which sets up the TLS part of the authentication attempt).
#
# Caching this data means that the policies are cached at the
#
# You can override this configuration item at run-time by setting:
#
- # &control.EAP-TLS-Require-Client-Cert = Yes/No
+ # control.EAP-TLS-Require-Client-Cert = Yes/No
#
# require_client_cert = yes
# following option. You can also override this option by
# setting:
#
- # &control.EAP-TLS-Require-Client-Cert = Yes
+ # control.EAP-TLS-Require-Client-Cert = Yes
#
# NOTE: The majority of supplicants do not support using a
# client certificate with `EAP-TTLS`, so this option is unlikely
# However, you can require one by setting the following
# option. You can also override this option by setting
#
- # &control.EAP-TLS-Require-Client-Cert = Yes
+ # control.EAP-TLS-Require-Client-Cert = Yes
#
# NOTE: The majority of supplicants do not support using a
# client certificate with `PEAP`, so this option is unlikely to
# Note that when the assignment is to a list, the `exec` call _must_ be
# inside of a double-quoted string.
#
-# &request += "%exec(/path/to/program,args, ...)"
+# request += "%exec(/path/to/program,args, ...)"
#
# The value of the attribute will be replaced with the output of the
# program which is executed.
# |===
# | Pairs | Description
# | &request | attributes from the request
- # | &config | attributes from the configuration items list
+ # | &control | attributes from the control list
# | &reply | attributes from the reply
# | &session-state | attributes that persist over multiple request/response rounds.
# |===
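Review bot: The rewritten table row `| &control | attributes from the control list` keeps the `&` prefix that this commit strips from every other attribute reference it touches (`control.TLS-Session-Cert-File`, `session-state`, `control.TOTP.Secret`), and the three unchanged rows `&request`, `&reply` and `&session-state` keep it too, so the new side of this table now contradicts the notation used in the surrounding hunks. While this row is being changed I would drop the prefix on all four rows, e.g. `# | control | attributes from the control list`, and likewise `# | request |`, `# | reply |` and `# | session-state |`. Hunk boundaries are not marked in this excerpt, so I am assuming the unit is the table between the two `|===` lines.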
#
# The Base32-encoded secret should be placed into:
#
-# `&control.TOTP.Secret`
+# `control.TOTP.Secret`
#
# Any "bare" key should be placed into:
#
-# `&control.TOTP.Key`
+# `control.TOTP.Key`
#
# If `TOTP.Key` exists, then it will be used instead of `TOTP.Secret`.
#
# The TOTP password entered by the user should be placed into:
#
-# `&request.TOTP.From-User`
+# `request.TOTP.From-User`
#
# The module will return `ok` if the passwords match, and `fail`
# if the passwords do not match.
#
# username:: The username to pass to `winbind` for authentication.
#
- username = "%{&Stripped-User-Name || &User-Name}"
+ username = "%{Stripped-User-Name || User-Name}"
#
# domain:: The windows domain.
# This should generally not include a realm, so `Stripped-User-Name`
# is likely the best attribute if it exists.
#
- search_username = "%{&Stripped-User-Name || &User-Name}"
+ search_username = "%{Stripped-User-Name || User-Name}"
#
# add_domain:: Include the domain in group searches.
# split:: If true, the authorize method of `rlm_yubikey` will attempt to split the
# value of `User-Password`, into the user's password, and the OTP token.
#
- # NOTE: If enabled and successful, the value of `&request.User-Password` will be
- # truncated and `&request.Vendor-Specific.Yubicon.Yubikey-OTP` will be added.
+ # NOTE: If enabled and successful, the value of `request.User-Password` will be
+ # truncated and `request.Vendor-Specific.Yubicon.Yubikey-OTP` will be added.
#
# split = yes
# [options="header,autowidth"]
# |===
# | Attributes | Description
- # | `&control.Vendor-Specific.Yubicon.Yubikey-Key` | The AES key used to decrypt the OTP data.
+ # | `control.Vendor-Specific.Yubicon.Yubikey-Key` | The AES key used to decrypt the OTP data.
# The `Yubikey-Public-Id` and/or User-Name
# attributes may be used to retrieve the key.
# The value is a `16-byte` binary blob.
- # | `&control.Vendor-Specific.Yubicon.Yubikey-Counter` | This is compared with the counter in the OTP
+ # | `control.Vendor-Specific.Yubicon.Yubikey-Counter` | This is compared with the counter in the OTP
# data and used to prevent replay attacks.
# This attribute will also be available in
# the request list after successful decryption.
# [options="header,autowidth"]
# |===
# | Attributes | Description
- # | `&request.Vendor-Specific.Yubicon.Yubikey-Public-ID` | The public portion of the OTP string.
+ # | `request.Vendor-Specific.Yubicon.Yubikey-Public-ID` | The public portion of the OTP string.
# The value is a `id_len` modhex string.
# |===
#
# [options="header,autowidth"]
# |===
# | Attributes | Description
- # | `&request.Vendor-Specific.Yubicon.Yubikey-OTP` | The OTP portion of `User-Password`.
+ # | `request.Vendor-Specific.Yubicon.Yubikey-OTP` | The OTP portion of `User-Password`.
# |===
#
# These attributes are available after authentication (if successful):
# [options="header,autowidth"]
# |===
# | Attributes | Description
- # | `&request.Vendor-Specific.Yubicon.Yubikey-Private-ID` | The encrypted ID included in OTP data,
+ # | `request.Vendor-Specific.Yubicon.Yubikey-Private-ID` | The encrypted ID included in OTP data,
# should be verified for increased security.
# The value is a `6-byte` binary blob.
- # | `&request.Vendor-Specific.Yubicon.Yubikey-Counter` | The last counter value (should be recorded).
+ # | `request.Vendor-Specific.Yubicon.Yubikey-Counter` | The last counter value (should be recorded).
# The value is a concatenation of the 16-bit
# session count & `8-bit` use count which form a
# `24-bit` monotonically strictly increasing
# integer (until the individual count ceilings
# are hit)
- # | `&request.Vendor-Specific.Yubicon.Yubikey-Timestamp` | Token's internal clock (mainly useful for debugging).
+ # | `request.Vendor-Specific.Yubicon.Yubikey-Timestamp` | Token's internal clock (mainly useful for debugging).
# The value is a 24-bit increasing `integer @ 8 Hz`
# with rollover which is randomly initialized each session.
- # | `&request.Vendor-Specific.Yubicon.Yubikey-Random` | Randomly generated value from the token.
+ # | `request.Vendor-Specific.Yubicon.Yubikey-Random` | Randomly generated value from the token.
# The value is a 16-bit integer.
# |===
#