From: Alan T. DeKok Date: Fri, 31 Jan 2025 19:22:36 +0000 (-0500) Subject: regenerate from raddb source X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0904fd72d04a26806fccd071ae8fc2db88b46b13;p=thirdparty%2Ffreeradius-server.git regenerate from raddb source --- diff --git a/doc/antora/modules/reference/pages/raddb/clients.conf.adoc b/doc/antora/modules/reference/pages/raddb/clients.conf.adoc index 4ebcd767282..a11f4032419 100644 --- a/doc/antora/modules/reference/pages/raddb/clients.conf.adoc +++ b/doc/antora/modules/reference/pages/raddb/clients.conf.adoc @@ -81,22 +81,45 @@ a secret any more! The secret can be any string, up to 8k characters in length. -Control codes can be entered via octal encoding, -e.g. `\101\102` is the same as `AB` -Quotation marks can be entered by escaping them, -e.g. `foo\"bar` +Control codes can be entered via octal encoding: -An important note on security: The security of the -RADIUS protocol depends *completely* on this secret! We -recommend using a shared secret that is composed of: +`secret = "\101\102"` is the same as `AB` - * upper case letters - * lower case letters - * numbers +Quotation marks can be entered by escaping them: -And is *at least* 8 characters, but preferably 16 characters in -length. The secret *must* be random, and should not be words, -phrase, or anything else that is recognisable. +`secret = "foo\"bar"` + +or by using triple quotes: + +`secret = """foo"bar""" + +A note on security: The security of the RADIUS protocol +depends COMPLETELY on this secret! We recommend using a +shared secret that at LEAST 16 characters long. It should +preferably be 32 characters in length. The secret MUST be +random, and should not be words, phrase, or anything else +that is recognisable. + +Computing power has increased enormously since RADIUS was +first defined. A hobbyist with a high-end GPU can try ALL +of the 8-character shared secrets in about a day. The +security of shared secrets increases MUCH more with the +length of the shared secret, than with number of different +characters used in it. So don't bother trying to use +"special characters" or anything else in an attempt to get +un-guessable secrets. Instead, just get data from a secure +random number generator, and use that. + +You should create shared secrets using a method like this: + +dd if=/dev/random bs=1 count=24 | base64 + +This process will give output which takes 24 random bytes, +and converts them to 32 characters of ASCII. The output +should be accepted by all RADIUS clients. + +You should NOT create shared secrets by hand. They will +not be random. They will will be trivial to crack. The default secret below is only for testing, and should not be used in any real environment. @@ -105,17 +128,32 @@ not be used in any real environment. require_message_authenticator::Require Message-Authenticator in Access-Requests. -https://tools.ietf.org/html/rfc5080[RFC 5080] suggests that all clients *should* include it in an -Access-Request. The configuration item below allows the server -to require it. If a client is required to include a `link:https://freeradius.org/rfc/rfc2869.html#Message-Authenticator[Message-Authenticator]` -and it does not, then the packet will be silently discarded. - -If value is auto, then if any packet received from the client -contains a valid Message-Authenticator attribute, then the server -will require it from all future packets from that client. - -NOTE: This setting overrides the identically named config item in the -radius listener. +https://tools.ietf.org/html/rfc5080[RFC 5080] suggests that all clients *should* include it in +an Access-Request. The configuration item below allows the +server to require it. If a client is required to include a +`link:https://freeradius.org/rfc/rfc2869.html#Message-Authenticator[Message-Authenticator]` and it does not, then the packet +will be silently discarded. + +If value is` auto`, then when an `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` packet from +the client contains a valid `link:https://freeradius.org/rfc/rfc2869.html#Message-Authenticator[Message-Authenticator]` +attribute, the server will then require that it exist in +all future `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` packets from that client. + +This flag exists solely for legacy clients which do not +send `link:https://freeradius.org/rfc/rfc2869.html#Message-Authenticator[Message-Authenticator]` in all `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` +packets. We do not recommend setting it to `no`, as that +may allow the BlastRADIUS attack to take place. + +The number one way to protect yourself from the BlastRADIUS +attack is to update all RADIUS servers, and then set this +flag to `yes`. If all RADIUS servers are updated, and if +all of them have this flag set to `yes` for all clients, +then your network is safe. You can then upgrade the +clients when it is convenient, instead of rushing the +upgrades. + +NOTE: This per-client setting overrides the identically +named configuration item in the `listen` section. Allowed values: yes, no, auto @@ -124,10 +162,11 @@ The default is "no". limit_proxy_state:: Control whether Proxy-State is allowed in -packets from this client which do not have a Message-Authenticator. +packets from this client which do not have a `link:https://freeradius.org/rfc/rfc2869.html#Message-Authenticator[Message-Authenticator]`. -The blastradius prefix attack allows an attacker to manipulate -the contents of response packets without knowing the shared secret. +The BlastRADIUS attack allows an attacker to manipulate the +contents of responses to `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` packets, without +knowing the shared secret. The attack relies on controlling a portion of the data sent back in the response by the RADIUS server. As Proxy-State is always @@ -135,24 +174,27 @@ echoed back verbatim from the request, it can be leveraged to manipulate the data sent back from the server and facilitate the attack. -The attack also relies on defficiencies in the original RADIUS -standards that provided no integrity protection for Access-Requests. +The attack also relies on deficiencies in the original +RADIUS standards which do not provide xintegrity protection +for `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]`s. The attack is mitigated by requiring the Message-Authenticator, which contains a HMAC over the entire request, preventing modification of the request by the attacker. -If value is auto, and the first packet received from the client -does not contain a Proxy-State attribute, Proxy-State will be -disallowed in any future packets which do not contain a -Message-Authenticator. +If value is` auto`, then when an `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` packet +from the client contains does not contain a `link:https://freeradius.org/rfc/rfc2865.html#Proxy-State[Proxy-State]` +attribute, the server will the discard `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` +packets from the client which contain `link:https://freeradius.org/rfc/rfc2865.html#Proxy-State[Proxy-State]`, but no +`Message-Authenticator. -This provides some level of protection against the blastradius -attack, without requiring Message-Authenticator, or breaking existing -deployments. +This provides some level of protection against the +blastradius attack, without requiring +`link:https://freeradius.org/rfc/rfc2869.html#Message-Authenticator[Message-Authenticator]` in all packets, or breaking +existing deployments. NOTE: This setting overrides the identically named config item in the -radius listener. +radius `listen` section. Allowed values: yes, no, auto diff --git a/doc/antora/modules/reference/pages/raddb/dictionary.adoc b/doc/antora/modules/reference/pages/raddb/dictionary.adoc index 6ed19af5d42..077e474a50e 100644 --- a/doc/antora/modules/reference/pages/raddb/dictionary.adoc +++ b/doc/antora/modules/reference/pages/raddb/dictionary.adoc @@ -11,7 +11,7 @@ edited by local administrators. It will be loaded NOTE: We recommend using local variables inside of "unlang" sections instead of defining attributes in this file. See - the xref:index.adoc[reference documentation] + the xref:reference:index.adoc[reference documentation] for more information on xref:unlang/local.adoc[local variables]. @@ -147,11 +147,15 @@ copy of the v3 dictionary, then it won't work. Migrations across major version numbers means that the configuration files are *not* 100% compatible. This includes the dictionaries! -All of the v3 compatibility names are in the RADIUS namespace. +The v3 compatibility names are in the RADIUS namespace. There are no aliases for DHCPv4. +This dictionary includes v3-compatible names like "Cleartext-Password", +or "NT-Password". + + == Default Configuration ``` @@ -162,4 +166,5 @@ There are no aliases for DHCPv4. #$INCLUDE ${dictdir}/radius/v3/dictionary.cisco #$INCLUDE ${dictdir}/radius/v3/dictionary.aruba #END-PROTOCOL RADIUS +#$INCLUDE ${dictdir}/freeradius/v3/dictionary.freeradius.internal ``` diff --git a/doc/antora/modules/reference/pages/raddb/mods-available/chap.adoc b/doc/antora/modules/reference/pages/raddb/mods-available/chap.adoc index da345561045..69b4f78cf09 100644 --- a/doc/antora/modules/reference/pages/raddb/mods-available/chap.adoc +++ b/doc/antora/modules/reference/pages/raddb/mods-available/chap.adoc @@ -2,7 +2,7 @@ -= CHAP module += CHAP This module authenticates requests containing a `link:https://freeradius.org/rfc/rfc2865.html#CHAP-Password[CHAP-Password]` attribute. diff --git a/doc/antora/modules/reference/pages/raddb/mods-available/detail.adoc b/doc/antora/modules/reference/pages/raddb/mods-available/detail.adoc index 1a191030421..593abe7e954 100644 --- a/doc/antora/modules/reference/pages/raddb/mods-available/detail.adoc +++ b/doc/antora/modules/reference/pages/raddb/mods-available/detail.adoc @@ -115,7 +115,7 @@ NOTE: The attributes should be listed one to a line. ``` detail { - filename = ${radacctdir}/%{Net.Src.IP}/detail-%Y-%m-%d + filename = "${radacctdir}/%{Net.Src.IP}/detail-%Y-%m-%d" # filename = ${radacctdir}/detail escape_filenames = no permissions = 0600 diff --git a/doc/antora/modules/reference/pages/raddb/mods-available/detail.example.com.adoc b/doc/antora/modules/reference/pages/raddb/mods-available/detail.example.com.adoc index 9d4c898cc5b..a822214cfdf 100644 --- a/doc/antora/modules/reference/pages/raddb/mods-available/detail.example.com.adoc +++ b/doc/antora/modules/reference/pages/raddb/mods-available/detail.example.com.adoc @@ -35,6 +35,6 @@ corner cases. ``` detail detail.example.com { - filename = ${radacctdir}/detail.example.com/detail-%Y-%m-%dT%H:%G:00 + filename = "${radacctdir}/detail.example.com/detail-%Y-%m-%dT%H:%G:00" } ``` diff --git a/doc/antora/modules/reference/pages/raddb/mods-available/detail.log.adoc b/doc/antora/modules/reference/pages/raddb/mods-available/detail.log.adoc index e3bad2d3fac..29fe3dfc99a 100644 --- a/doc/antora/modules/reference/pages/raddb/mods-available/detail.log.adoc +++ b/doc/antora/modules/reference/pages/raddb/mods-available/detail.log.adoc @@ -65,25 +65,25 @@ See the example in `raddb/sites-available/default`. ``` detail auth_log { - filename = ${radacctdir}/%{Net.Src.IP}/auth-detail-%Y-%m-%d + filename = "${radacctdir}/%{Net.Src.IP}/auth-detail-%Y-%m-%d" permissions = 0600 suppress { User-Password } } detail reply_log { - filename = ${radacctdir}/%{Net.Src.IP}/reply-detail-%Y-%m-%d + filename = "${radacctdir}/%{Net.Src.IP}/reply-detail-%Y-%m-%d" permissions = 0600 } detail pre_proxy_log { - filename = ${radacctdir}/%{Net.Src.IP}/pre-proxy-detail-%Y-%m-%d + filename = "${radacctdir}/%{Net.Src.IP}/pre-proxy-detail-%Y-%m-%d" permissions = 0600 # suppress { # User-Password # } } detail post_proxy_log { - filename = ${radacctdir}/%{Net.Src.IP}/post-proxy-detail-%Y-%m-%d + filename = "${radacctdir}/%{Net.Src.IP}/post-proxy-detail-%Y-%m-%d" permissions = 0600 } ``` diff --git a/doc/antora/modules/reference/pages/raddb/mods-available/eap.adoc b/doc/antora/modules/reference/pages/raddb/mods-available/eap.adoc index e292da000ad..9fe50774e8d 100644 --- a/doc/antora/modules/reference/pages/raddb/mods-available/eap.adoc +++ b/doc/antora/modules/reference/pages/raddb/mods-available/eap.adoc @@ -77,6 +77,14 @@ request will still end up being rejected. type:: Only EAP types listed below with a `type = ` pair will be allowed. +If the `control.EAP-Type` attribute is set, then that is used to form the list of +allowed EAP types, with the first instance being the default type and others also +being allowed. + +Setting an EAP type in `control.EAP-Type` which is not allowed below, will not have +any effect, since this list determines which methods are loaded and potentially +available. + ### EAP-MD5 @@ -207,7 +215,7 @@ the following sections: | `clear session { ... }` | Clear stateful session information from a cache. -| `verify certificate { ... }` +| `verify certificate { ... }` | Apply policies based on the client certificate presented. | `staple certificate { ... }` @@ -215,7 +223,7 @@ the following sections: |=== More information about the various sections can be found in the virtual server -link:../../../../../../sites-available/tls-cache.adoc[sites-available/tls-cache]. +xref:reference:raddb/sites-available/tls-session.adoc[sites-available/tls-session]. auto_chain:: @@ -943,7 +951,7 @@ Both `copy_request_to_tunnel` and `use_tunneled_reply` have been removed in v4.0. See the new policy `copy_request_to_tunnel` in -link:../../../../../../sites-available/inner-tunnel.adoc[sites-available/inner-tunnel], and in `policy.d/eap` for +xref:reference:raddb/sites-available/inner-tunnel.adoc[sites-available/inner-tunnel], and in `policy.d/eap` for more information. ==== @@ -1016,6 +1024,7 @@ the fix does appear to work. NOTE: To use `PEAP` you must also configure an inner method in `mods-enabled/eap_inner`. + tls:: Point to the common TLS configuration Which `tls-config` section the TLS negotiation parameters are @@ -1038,11 +1047,13 @@ Both `copy_request_to_tunnel` and `use_tunneled_reply` have been removed in v4.0. See the new policy `copy_request_to_tunnel` in -link:../../../../../../sites-available/inner-tunnel.adoc[sites-available/inner-tunnel], and in `policy.d/eap` +xref:reference:raddb/sites-available/inner-tunnel.adoc[sites-available/inner-tunnel], and in `policy.d/eap` for more information. + ==== + virtual_server:: The virtual server used for "inner" authentication. The inner tunneled request can be sent through a virtual @@ -1367,7 +1378,7 @@ eap { auth_type = PAP } tls-config tls-common { -# virtual_server = tls-cache +# virtual_server = tls-session # auto_chain = no chain rsa { # format = "PEM" diff --git a/doc/antora/modules/reference/pages/raddb/mods-available/files.adoc b/doc/antora/modules/reference/pages/raddb/mods-available/files.adoc index e55826acd0e..47cb16f0299 100644 --- a/doc/antora/modules/reference/pages/raddb/mods-available/files.adoc +++ b/doc/antora/modules/reference/pages/raddb/mods-available/files.adoc @@ -39,8 +39,18 @@ match_attr:: List and attribute to populate with the `name` of the matched entry Note: the attriubte type should be capable of holding data of the type used as key values. Particularly useful if matching IP addresses to subnets, since the populated -value will be the subnet. In that case it is best to use 0.0.0.0/0 in place -of DEFAULT for any catch-all entries. +value will be the subnet. In that case it is best to use `0.0.0.0/0` in place +of `DEFAULT` for any catch-all entries. + + + +v3_compat:: Version 3 compatibility flag. + +When this flag is set, any enumeration names (e.g. Service-Type := Framed-User) +do not need to have the v4 "::" prefix. This flag helps with migrating v3 +configurations to v4. + +Default value "false". Allowerd vlaues, "true' and "false". @@ -55,6 +65,7 @@ files { # key = "%{&Stripped-User-Name || &User-Name}" filename = ${moddir}/authorize # match_attr = &control.User-Category +# v3_compat = false } files files_accounting { # key = "%{&Stripped-User-Name || &User-Name}" diff --git a/doc/antora/modules/reference/pages/raddb/mods-available/krb5.adoc b/doc/antora/modules/reference/pages/raddb/mods-available/krb5.adoc index 942dffe6f20..bbe9379495f 100644 --- a/doc/antora/modules/reference/pages/raddb/mods-available/krb5.adoc +++ b/doc/antora/modules/reference/pages/raddb/mods-available/krb5.adoc @@ -21,85 +21,30 @@ service_principal:: Principal that is used by rlm_krb5. -pool { ... }:: Pool of `krb5` contexts. +username:: The username (principal) to authenticate as -This allows us to make the module multithreaded and to avoid expensive -operations like resolving and opening keytabs on every request. -It may also allow TCP connections to the KDC to be cached if that is -supported by the version of libkrb5 used. +If this is just a user name, then the default Kerberos realm will +automatically be added. -NOTE: The context `pool` is only used if the underlying libkrb5 reported -that it was thread safe at compile time. +password:: The password to use in user authentication -start:: Connections to create during module instantiation. -If the server cannot create specified number of -connections during instantiation it will exit. -Set to `0` to allow the server to start without the -external service being available. +.Reusable Handles +Reusable krb5 handles are allocated in blocks. These +parameters allow for tuning how that is done. -min:: Minimum number of connections to keep open. +min:: The minimum number of handles to keep allocated -max:: Maximum number of connections. +max:: The maximum number of reusable handles to allocate. -If these connections are all in use and a new one -is requested, the request will NOT get a connection. -Setting `max` to *LESS* than the number of threads means -that some threads may starve, and you will see errors -like _No connections available and at max connection limit_. -Setting `max` to MORE than the number of threads means -that there are more connections than necessary. - -If `max` is not specified, then it defaults to the number -of workers configured. - - - -spare:: Spare connections to be left idle. - -NOTE: Idle connections WILL be closed if `idle_timeout` -is set. This should be less than or equal to `max` above. - - - -uses:: Number of uses before the connection is closed. - -NOTE: A setting of `0` means infinite (no limit). - - - -lifetime:: The lifetime (in seconds) of the connection. - -NOTE: A setting of `0` means infinite (no limit). - - - -idle_timeout:: The idle timeout (in seconds). A connection which is -unused for this length of time will be closed. - -NOTE: A setting of `0` means infinite (no timeout). - - - -[NOTE] -==== -All configuration settings are enforced. If a -connection is closed because of `idle_timeout`, -`uses`, or `lifetime`, then the total number of -connections MAY fall below `min`. When that -happens, it will open a new connection. It will -also log a WARNING message. - -The solution is to either lower the `min` connections, -or increase lifetime/idle_timeout. -==== +cleanup_interval:: How often to free un-used handles. @@ -136,14 +81,12 @@ krb5 krb5 { keytab = /path/to/keytab service_principal = name_of_principle - pool { - start = 0 - min = 0 -# max = - spare = 1 - uses = 0 - lifetime = 0 - idle_timeout = 0 +# username = &User-Name +# password = &User-Password + reuse { +# min = 10 +# max = 100 +# cleanup_interval = 30s } } ``` diff --git a/doc/antora/modules/reference/pages/raddb/mods-available/ldap.adoc b/doc/antora/modules/reference/pages/raddb/mods-available/ldap.adoc index 56985f96180..a29caa13053 100644 --- a/doc/antora/modules/reference/pages/raddb/mods-available/ldap.adoc +++ b/doc/antora/modules/reference/pages/raddb/mods-available/ldap.adoc @@ -286,7 +286,7 @@ result will be processed. sorting order will be reversed for that attribute. * If `sort_by` is set, and the server does not support sorting -the search will fail. +or the attributes do not have an ORDERING rule, the search will fail. * If a search returns multiple user objects and `sort_by` is not set, the search will fail. @@ -490,6 +490,20 @@ is successful. +sort_by:: Server side result sorting. + +A list of space delimited attributes to order the result set by, +controlling the sequence that profiles are applied if the filter +returns more than one object. + + * If the attribute name is prefixed with a hyphen '-' the +sorting order will be reversed for that attribute. + + * If `sort_by` is set, and the server does not support sorting +or the attributes do not have an ORDERING rule, the search will fail. + + + ### Modify user object on receiving Accounting-Request Useful for recording things like the last time the user logged @@ -518,8 +532,7 @@ replaced with a single attribute. - -### Post-Auth can modify LDAP objects too +### "send" sections can modify LDAP objects too @@ -919,30 +932,30 @@ ldap { # default = 'cn=radprofile,dc=example,dc=org' # attribute = 'radiusProfileDn' # attribute_suspend = 'radiusProfileDn' +# sort_by = 'radiusProfilePriority' } accounting { - reference = "%tolower(type.%{Acct-Status-Type})" - type { - start { - update { - description := "Online at %S" - } + start { + update { + description := "Online at %S" } - interim-update { - update { - description := "Last seen at %S" - } + } + interim-update { + update { + description := "Last seen at %S" } - stop { - update { - description := "Offline at %S" - } + } + stop { + update { + description := "Offline at %S" } } } - post-auth { - update { - description := "Authenticated at %S" + send { + access-accept { + update { + description := "Authenticated at %S" + } } } options { diff --git a/doc/antora/modules/reference/pages/raddb/mods-available/mschap.adoc b/doc/antora/modules/reference/pages/raddb/mods-available/mschap.adoc index 63f98e69bb8..f0dd4375c83 100644 --- a/doc/antora/modules/reference/pages/raddb/mods-available/mschap.adoc +++ b/doc/antora/modules/reference/pages/raddb/mods-available/mschap.adoc @@ -180,101 +180,24 @@ the backend, and retry authentication with that username. -.Pool +.Reusable Handles -TIP: Information for the winbind connection pool. The -configuration items below are the same for all modules -which use the connection pool. +Reusable connection handles are allocated in blocks. These +parameters allow for tuning how that is done. -start:: Connections to create during module instantiation. +min:: The minimum number of connection handles to +keep allocated -If the server cannot create specified number of -connections during instantiation it will exit. -Set to `0` to allow the server to start without the -external service being available. +max:: The maximum number of reusable connection +handles to allocate. -min:: Minimum number of connections to keep open. - -max:: Maximum number of connections. - -If these connections are all in use and a new one -is requested, the request will NOT get a connection. - -Setting `max` to *LESS* than the number of threads means -that some threads may starve, and you will see errors -like _No connections available and at max connection limit_. - -Setting `max` to MORE than the number of threads means -that there are more connections than necessary. - -If `max` is not specified, then it defaults to the number -of workers configured. - - - -spare:: Spare connections to be left idle. - -NOTE: Idle connections WILL be closed if `idle_timeout` -is set. This should be less than or equal to `max` above. - - - -uses:: Number of uses before the connection is closed. - -0 means "infinite" - - - -retry_delay:: - -The number of seconds to wait after the server tries -to open a connection, and fails. During this time, -no new connections will be opened. - - - -lifetime:: - -The lifetime (in seconds) of the connection. - -NOTE: A setting of 0 means infinite (no limit). - - - -cleanup_interval:: - -The pool is checked for free connections every -`cleanup_interval`. If there are free connections, -then one of them is closed. - - - -idle_timeout:: - -The idle timeout (in seconds). A connection which is -unused for this length of time will be closed. - -NOTE: A setting of `0` means infinite (no timeout). - - - -[NOTE] -==== -All configuration settings are enforced. If a -connection is closed because of `idle_timeout`, -`uses`, or `lifetime`, then the total number of -connections MAY fall below `min`. When that -happens, it will open a new connection. It will -also log a WARNING message. - -The solution is to either lower the `min` connections, -or increase lifetime/idle_timeout. -==== +cleanup_interval:: How often to free un-used +connection handles. @@ -398,6 +321,17 @@ TACACS+ does not have any inherent support for MPPE keys or password changing using MSCHAP. + +TACACS+ puts the MS-CHAP2-Success information in the Data field, +but we call it MS-CHAP2-Success for simplicity. +See the ALIAS definition in dictionary/tacacs/dictionary.freeradius.internal + + + +Similarly, TACACS+ puts the MS-CHAP-Error into the Server-Message +field. + + == Default Configuration ``` @@ -413,17 +347,11 @@ mschap { # username = "%mschap(User-Name)" # domain = "%mschap(NT-Domain)" # retry_with_normalised_username = no - } - pool { - start = 0 - min = 0 -# max = - spare = 1 - uses = 0 - retry_delay = 30 - lifetime = 86400 - cleanup_interval = 300 - idle_timeout = 600 + reuse { +# min = 10 +# max = 100 +# cleanup_interval = 30s + } } passchange { # ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1" @@ -435,7 +363,7 @@ mschap { # use_open_directory = yes # allow_retry = yes # retry_msg = "Re-enter (or reset) the password" - Xattributes { + attributes { username = &User-Name chap_challenge = &Vendor-Specific.Microsoft.CHAP-Challenge chap_response = &Vendor-Specific.Microsoft.CHAP-Response @@ -450,13 +378,13 @@ mschap { chap2_cpw = &Vendor-Specific.Microsoft.CHAP2-CPW chap_nt_enc_pw = &Vendor-Specific.Microsoft.CHAP-NT-Enc-PW } - attributes { - username = &User-Name - chap_challenge = &MS-CHAP-Challenge - chap_response = &MS-CHAP-Response - chap2_response = &MS-CHAP2-Response - chap2_success = &MS-CHAP2-Success - chap_error = &MS-CHAP-Error - } +# attributes { +# username = &User-Name +# chap_challenge = &MS-CHAP-Challenge +# chap_response = &MS-CHAP-Response +# chap2_response = &MS-CHAP2-Response +# chap2_success = &MS-CHAP2-Success +# chap_error = &MS-CHAP-Error +# } } ``` diff --git a/doc/antora/modules/reference/pages/raddb/mods-available/pam.adoc b/doc/antora/modules/reference/pages/raddb/mods-available/pam.adoc index b14eb131109..50f58d372da 100644 --- a/doc/antora/modules/reference/pages/raddb/mods-available/pam.adoc +++ b/doc/antora/modules/reference/pages/raddb/mods-available/pam.adoc @@ -8,7 +8,7 @@ For Linux, see http://www.kernel.org/pub/linux/libs/pam/index.html WARNING: On some systems, the system PAM libraries have memory leaks! We STRONGLY SUGGEST that you do not -use `link:http://www.kernel.org/pub/linux/libs/pam/index.html[PAM]` for authentication, due to those memory leaks. +use `link:https://www.kernel.org/pub/linux/libs/pam/[PAM]` for authentication, due to those memory leaks. @@ -19,7 +19,7 @@ pam_auth:: The name to use for PAM authentication. -`link:http://www.kernel.org/pub/linux/libs/pam/index.html[PAM]` looks in `/etc/pam.d/${pam_auth_name}` for it's +`link:https://www.kernel.org/pub/linux/libs/pam/[PAM]` looks in `/etc/pam.d/${pam_auth_name}` for it's configuration. See `redhat/radiusd-pam` for a sample PAM configuration file. diff --git a/doc/antora/modules/reference/pages/raddb/mods-available/radius.adoc b/doc/antora/modules/reference/pages/raddb/mods-available/radius.adoc index 6905824d228..e906d36c1b0 100644 --- a/doc/antora/modules/reference/pages/raddb/mods-available/radius.adoc +++ b/doc/antora/modules/reference/pages/raddb/mods-available/radius.adoc @@ -49,7 +49,7 @@ module anywhere you want to proxy packets. In most cases, you can just set something like `Auth-Type := example.com`, and then have a section `authenticate example.com { ... }`, which contains the `radius` modules which do proxying. See -link:../../../../../../sites-available/default.adoc[sites-available/default] for sample configuration which uses this +xref:reference:raddb/sites-available/default.adoc[sites-available/default] for sample configuration which uses this pattern. ## Behavior diff --git a/doc/antora/modules/reference/pages/raddb/mods-available/sql.adoc b/doc/antora/modules/reference/pages/raddb/mods-available/sql.adoc index 8e747f0631a..942d9a3187f 100644 --- a/doc/antora/modules/reference/pages/raddb/mods-available/sql.adoc +++ b/doc/antora/modules/reference/pages/raddb/mods-available/sql.adoc @@ -174,35 +174,19 @@ query_timeout:: Set the maximum query duration for `cassandra` and `unixodbc` pool { ... }:: -The connection pool is new for 3.0, and will be used in many modules, for all kinds of -connection-related activity. - -When the server is not threaded, the connection pool limits are ignored, and only one -connection is used. - -[NOTE] -==== -If you want to have multiple SQL modules reuse the same connection pool, use `pool = name` -instead of a `pool` section. - -e.g: - -[source,sql] ----- -sql sql1 { - ... - pool { - ... - } -} +The connection pool is a set of per-thread parameters for connections to the SQL database. -# sql2 will use the connection pool from sql1 -sql sql2 { - ... - pool = sql1 -} ----- -==== +If the driver supports it, then queries are run asynchronously. Currently the list of +drivers this applies to is: + + * mysql + * postgresql + * unixodbc + * oracle + * cassandra + +Other drivers are synchronous and therefore queries will block packet processing, resulting +in significantly worse system performance. start:: Connections to create during module instantiation. @@ -223,22 +207,20 @@ max:: Maximum number of connections. If these connections are all in use and a new one is requested, the request will NOT get a connection. -Setting `max` to *LESS* than the number of threads means -that some threads may starve, and you will see errors -like _No connections available and at max connection limit_. - -Setting `max` to MORE than the number of threads means -that there are more connections than necessary. +Since the majority of SQL drivers only allow one outstanding +query per connection, this represents the maximum number of +simultaneous packets that a thread can process. -If `max` is not specified, then it defaults to the number -of workers configured. +Note: The maximum number of connections from FreeRADIUS to +the database will be this number multiplied by the number of +worker threads. Ensure that the database server supports that +number of connections. -spare:: Spare connections to be left idle. +connecting:: Number of connections which can be starting at once -NOTE: Idle connections WILL be closed if `idle_timeout` -is set. This should be less than or equal to `max` above. +Used to throttle connection spawning. @@ -248,48 +230,38 @@ uses:: Number of uses before the connection is closed. -retry_delay:: The number of seconds to wait after the server tries -to open a connection, and fails. +lifetime:: The lifetime (in seconds) of the connection. -During this time, no new connections will be opened. +open_delay:: Open delay (in seconds). -lifetime:: The lifetime (in seconds) of the connection. +How long must we be above the target utilisation for connections to be opened. +close_delay:: Close delay (in seconds). -idle_timeout:: idle timeout (in seconds). +How long we must be below the target utilisation for connections to be closed -A connection which is unused for this length of time will be closed. +manage_interval:: How often to manage the connection pool. -connect_timeout:: Connection timeout (in seconds). -The maximum amount of time to wait for a new connection to be established. -Not supported by: +request:: Options specific to requests handled by this connection pool -[options="header,autowidth"] -|=== -| Driver | Description -| firebird | Likely possible but no documentation. -| oracle | Not possible. -| postgresql | Should be set via the radius_db string instead. -|=== +Note: Due to the one outstanding query per connection limit, the settings +`per_connection_max` and `per_connection_target` are forcibly set to 1 for +SQL database connections. -[NOTE] -==== - * All configuration settings are enforced. If a connection is closed because -of `idle_timeout`, `uses`, or `lifetime`, then the total number of connections -MAY fall below `min`. -When that happens, it will open a new connection. It will also log a WARNING message. +free_delay:: How long must a request in the unassigned (free) list not have been +used for before it's cleaned up and actually freed. - * The solution is to either lower the "min" connections, or increase lifetime/idle_timeout. -==== +Unassigned requests can be re-used, multiple times, reducing memory allocation +and freeing overheads. @@ -370,14 +342,17 @@ sql { # query_timeout = 5 pool { start = 0 - min = 0 -# max = - spare = 1 + min = 1 + max = 100 + connecting = 2 uses = 0 - retry_delay = 30 lifetime = 0 - idle_timeout = 60 - connect_timeout = 3.0 +# open_delay = 0.2 +# close_delay = 10 +# manage_interval = 0.2 + request { +# free_delay = 10 + } } group_attribute = "${.:instance}-Group" # cache_groups = no diff --git a/doc/antora/modules/reference/pages/raddb/mods-available/unix.adoc b/doc/antora/modules/reference/pages/raddb/mods-available/unix.adoc index db60bb0d5a0..19bc7138fa5 100644 --- a/doc/antora/modules/reference/pages/raddb/mods-available/unix.adoc +++ b/doc/antora/modules/reference/pages/raddb/mods-available/unix.adoc @@ -29,16 +29,18 @@ group, and `false` otherwise. The old `Unix-Group`, `Group`, and `Group-Name` attributes and comparisons are no longer supported. +All of `radutmp`, `radwho`, `radlast`, and `radzap` have been removed. + +You can no longer have the `unix` module process accounting packets. -## Configuration Settings +## Configuration Settings == Default Configuration ``` unix { - } ``` diff --git a/doc/antora/modules/reference/pages/raddb/mods-available/winbind.adoc b/doc/antora/modules/reference/pages/raddb/mods-available/winbind.adoc index 7115ba0dd65..07591330474 100644 --- a/doc/antora/modules/reference/pages/raddb/mods-available/winbind.adoc +++ b/doc/antora/modules/reference/pages/raddb/mods-available/winbind.adoc @@ -55,96 +55,24 @@ generally required. -pool { ... }:: +.Reusable Handles -Information for the `winbind` connection pool. +Reusable connection handles are allocated in blocks. These +parameters allow for tuning how that is done. -The configuration items below are the same for all modules which -use the new connection pool. +min:: The minimum number of connection handles to +keep allocated -start:: Connections to create during module instantiation. -If the server cannot create specified number of -connections during instantiation it will exit. -Set to `0` to allow the server to start without the -external service being available. +max:: The maximum number of reusable connection +handles to allocate. -min:: Minimum number of connections to keep open. - - -max:: Maximum number of connections. - -If these connections are all in use and a new one -is requested, the request will NOT get a connection. - -Setting `max` to *LESS* than the number of threads means -that some threads may starve, and you will see errors -like _No connections available and at max connection limit_. - -Setting `max` to MORE than the number of threads means -that there are more connections than necessary. - -If `max` is not specified, then it defaults to the number -of workers configured. - - - -spare:: Spare connections to be left idle. - -NOTE: Idle connections WILL be closed if `idle_timeout` -is set. This should be less than or equal to `max` above. - - - -uses:: Number of uses before the connection is closed. - -NOTE: A setting of 0 means infinite (no limit). - - - -retry_delay:: The number of seconds to wait after the server tries -to open a connection, and fails. - -During this time, no new connections will be opened. - - - -lifetime:: The lifetime (in seconds) of the connection. - -NOTE: A setting of 0 means infinite (no limit). - - - -cleanup_interval:: The pool is checked for free connections every -`cleanup_interval`. - -If there are free connections, then one of them is closed. - - - -idle_timeout:: The idle timeout (in seconds). - -A connection which is unused for this length of time will be closed. - -NOTE: A setting of 0 means infinite (no timeout). - - - -[NOTE] -==== -All configuration settings are enforced. If a connection is closed because of -`idle_timeout`, `uses`, or `lifetime`, then the total -number of connections MAY fall below `min`. - -When that happens, it will open a new connection. It will also log a *WARNING* message. - -The solution is to either lower the "min" connections, or -increase lifetime/idle_timeout. -==== +cleanup_interval:: How often to free un-used +connection handles. == Default Configuration @@ -157,16 +85,10 @@ winbind { search_username = "%{&Stripped-User-Name || &User-Name}" # add_domain = yes } - pool { - start = 0 - min = 0 -# max = - spare = 1 - uses = 0 - retry_delay = 30 - lifetime = 86400 - cleanup_interval = 300 - idle_timeout = 600 + reuse { +# min = 10 +# max = 100 +# cleanup_interval = 30s } } ``` diff --git a/doc/antora/modules/reference/pages/raddb/radiusd.conf.adoc b/doc/antora/modules/reference/pages/raddb/radiusd.conf.adoc index 186a5c644df..28379b4c0ee 100644 --- a/doc/antora/modules/reference/pages/raddb/radiusd.conf.adoc +++ b/doc/antora/modules/reference/pages/raddb/radiusd.conf.adoc @@ -580,6 +580,8 @@ removed (and made into errors!) in the final release. Some of these flags can also be passed on the command line as `-S flag=value`. +Dictionary migration instructions can be found in `${raddbdir}/dictionary`. + rewrite_update:: Rewrite old `update` sections to use the new "edit" code. @@ -628,7 +630,9 @@ The different copies of the module are then created by inventing two 'instance' names, e.g. 'instance1' and 'instance2' The instance names can then be used in later configuration -INSTEAD of the original 'name'. +INSTEAD of the original 'name'. e.g. instead of `pap { ...}`, +you can use `pap other {...}`. The `other` name will then be +a reference to the second PAP module. diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/bfd.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/bfd.adoc index 4c3cbf8defd..635c83b844b 100644 --- a/doc/antora/modules/reference/pages/raddb/sites-available/bfd.adoc +++ b/doc/antora/modules/reference/pages/raddb/sites-available/bfd.adoc @@ -283,8 +283,8 @@ send Up { Sneak in more data after a BFD packet! ``` -# &reply.Additional-Data := { -# &more-data := 0xabcdef +# reply.Additional-Data := { +# more-data := 0xabcdef # } } diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/challenge.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/challenge.adoc index 3124279bffd..38fc6d10819 100644 --- a/doc/antora/modules/reference/pages/raddb/sites-available/challenge.adoc +++ b/doc/antora/modules/reference/pages/raddb/sites-available/challenge.adoc @@ -37,9 +37,9 @@ If there's no State attribute, then this is the request from the user. ``` - if (!&State) { - &control.Auth-Type := ::Step1 - &control.Password.Cleartext := "hello" + if (!State) { + control.Auth-Type := ::Step1 + control.Password.Cleartext := "hello" } else { ``` @@ -49,8 +49,8 @@ Set the "known good" password to the number saved in the session-state list. ``` - &control.Auth-Type := ::Step2 - &control.Password.Cleartext := &session-state.challenge-string + control.Auth-Type := ::Step2 + control.Password.Cleartext := session-state.challenge-string } } @@ -66,8 +66,8 @@ immediately. Set the random number to save. ``` - &session-state.challenge-string := "%randstr(n)" - &reply.Reply-Message := "Please enter %{session-state.challenge-string}: " + session-state.challenge-string := "%randstr(n)" + reply.Reply-Message := "Please enter %{session-state.challenge-string}: " ``` diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/coa-relay.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/coa-relay.adoc index c006e34dab2..b635b269e69 100644 --- a/doc/antora/modules/reference/pages/raddb/sites-available/coa-relay.adoc +++ b/doc/antora/modules/reference/pages/raddb/sites-available/coa-relay.adoc @@ -142,30 +142,30 @@ cannot give more detailed advice here. Example MySQL lookup ``` -# &control.user-session := %sql("SELECT IFNULL(GROUP_CONCAT(CONCAT(nasipaddress,'#',acctsessionid) separator '|'),'') FROM (SELECT * FROM radacct WHERE ('%{User-Name}'='' OR UserName='%{User-Name}') AND ('%{Acct-Session-Id}'='' OR acctsessionid = '%{Acct-Session-Id}') AND AcctStopTime IS NULL) a") +# control.user-session := %sql("SELECT IFNULL(GROUP_CONCAT(CONCAT(nasipaddress,'#',acctsessionid) separator '|'),'') FROM (SELECT * FROM radacct WHERE ('%{User-Name}'='' OR UserName='%{User-Name}') AND ('%{Acct-Session-Id}'='' OR acctsessionid = '%{Acct-Session-Id}') AND AcctStopTime IS NULL) a") ``` Example PostgreSQL lookup ``` -# &control.user-session := %sql("SELECT STRING_AGG(CONCAT(nasipaddress,'#',acctsessionid),'|') FROM (SELECT * FROM radacct WHERE ('%{User-Name}'='' OR UserName='%{User-Name}') AND ('%{Acct-Session-Id}'='' OR acctsessionid = '%{Acct-Session-Id}') AND AcctStopTime IS NULL) a") +# control.user-session := %sql("SELECT STRING_AGG(CONCAT(nasipaddress,'#',acctsessionid),'|') FROM (SELECT * FROM radacct WHERE ('%{User-Name}'='' OR UserName='%{User-Name}') AND ('%{Acct-Session-Id}'='' OR acctsessionid = '%{Acct-Session-Id}') AND AcctStopTime IS NULL) a") ``` Keep a count of what we send. ``` - &control.sent-counter := 0 + control.sent-counter := 0 ``` Split the string and split into pieces. ``` - if ("%explode(&control.user-session, '|')") { + if ("%explode(control.user-session, '|')") { - foreach &control.user-session { + foreach control.user-session { ``` Send an update for each session we find. @@ -175,12 +175,12 @@ Send an update for each session we find. ``` NAS-IP-Address ``` - &control.NAS-IP-Address := "%{1}" + control.NAS-IP-Address := "%{1}" ``` Acct-Session-Id ``` - &control.Acct-Session-Id := "%{2}" + control.Acct-Session-Id := "%{2}" subrequest CoA-Request { ``` @@ -189,22 +189,22 @@ The subrequest begins empty, so initially copy all attributes from the incoming request. ``` - &request := &parent.request + request := parent.request ``` Add/override the session identification attributes looked up ``` - &request.Acct-Session-Id := &parent.control.Acct-Session-Id + request.Acct-Session-Id := parent.control.Acct-Session-Id ``` Some NASs want these, others don't ``` - &request.Event-Timestamp := "%l" - &request.Message-Authenticator := 0x00 + request.Event-Timestamp := "%l" + request.Message-Authenticator := 0x00 ``` @@ -219,27 +219,27 @@ if it contains attributes which are NOT SQL-User-Name is a side-effect of the xlat ``` - &request -= &SQL-User-Name[*] + request -= SQL-User-Name[*] ``` Those attributes should be listed here ``` - &request -= &Acct-Delay-Time[*] - &request -= &Proxy-State[*] + request -= Acct-Delay-Time[*] + request -= Proxy-State[*] ``` Uncomment if the NAS does not expect User-Name -&request -= &User-Name[*] +request -= User-Name[*] Call the radius client module instance for the NAS-IP-Address ``` - switch &parent.control.NAS-IP-Address { + switch parent.control.NAS-IP-Address { ``` Repeat this block for each NAS @@ -252,7 +252,7 @@ Repeat this block for each NAS Increment count of sent updates ``` - &parent.control.sent-counter += 1 + parent.control.sent-counter += 1 radius-originate-coa-192.0.2.1 @@ -264,8 +264,8 @@ Likely a missing "case" block if we can't map NAS-IP-Address to a module ``` default { - &parent.control += { - &Reply-Message = "Missing map for NAS: %{parent.control.NAS-IP-Address}" + parent.control += { + Reply-Message = "Missing map for NAS: %{parent.control.NAS-IP-Address}" } } @@ -282,15 +282,15 @@ Likely a missing "case" block if we can't map NAS-IP-Address to a module Report what we did ``` - if (&control.sent-counter) { - &reply += { - &Reply-Message = "Sent updates for %{control.sent-counter} active sessions" + if (control.sent-counter) { + reply += { + Reply-Message = "Sent updates for %{control.sent-counter} active sessions" } ok } else { - &reply += { - &Reply-Message = "No active sessions found" + reply += { + Reply-Message = "No active sessions found" } reject diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/decoupled-accounting.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/decoupled-accounting.adoc index 10d3fe0be93..bc11af610d1 100644 --- a/doc/antora/modules/reference/pages/raddb/sites-available/decoupled-accounting.adoc +++ b/doc/antora/modules/reference/pages/raddb/sites-available/decoupled-accounting.adoc @@ -101,7 +101,7 @@ are also logged in the detail file. Return an address to the IP Pool when we see a stop record. -Ensure that &control.IP-Pool.Name is set to determine which +Ensure that control.IP-Pool.Name is set to determine which ```  # pool of IPs are used. ``` diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/default.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/default.adoc index dd7b9d805af..8ce183706b9 100644 --- a/doc/antora/modules/reference/pages/raddb/sites-available/default.adoc +++ b/doc/antora/modules/reference/pages/raddb/sites-available/default.adoc @@ -44,7 +44,7 @@ There are many "commented out" references to modules and configurations These references serve as place-holders, and as documentation. If you need the functionality of that module, then: - * configure the module in xref:raddb/mods-available/index.adoc[mods-available/] + * configure the module in xref:reference:raddb/mods-available/index.adoc[mods-available/] * enable the module in `mods-enabled`. e.g. for LDAP, do: `cd mods-enabled;ln -s ../mods-available/ldap` * uncomment the references to it in this file. @@ -837,8 +837,8 @@ The following example will proxy the request if the username ends in example.com. ``` -# if (&User-Name =~ /@example\.com$/) { -# &control.Auth-Type := "proxy-example.com" +# if (User-Name =~ /@example\.com$/) { +# control.Auth-Type := "proxy-example.com" # } ``` @@ -1268,8 +1268,8 @@ here. e.g. for later CoA-Request with State, and Service-Type = ::Authorize-Only. ``` -# if (!&reply.State) { -# &reply.State := "0x%randstr(16h)" +# if (!reply.State) { +# reply.State := "0x%randstr(16h)" # } ``` @@ -1283,7 +1283,7 @@ The `session-state` attributes are deleted after an `link:https://freeradius.org/rfc/rfc2865.html#Access-Reject[Access-Reject]` or `link:https://freeradius.org/rfc/rfc2865.html#Access-Accept[Access-Accept]` packet has been sent. ``` - &reply += &session-state + reply += session-state ``` @@ -1340,7 +1340,7 @@ work, you will need to define the WiMAX NAI, usually via: ``` -# &request.WiMAX-MN-NAI = "%{User-Name}" +# request.WiMAX-MN-NAI = "%{User-Name}" ``` If you want various keys to be calculated, you will @@ -1350,10 +1350,10 @@ with the correct ones taken from the cryptographic calculations, e.g. ``` -# &reply += { -# &Vendor-Specific.WiMAX = { -# &FA-RK-Key = 0x00 -# &MSK = &reply.EAP-MSK +# reply += { +# Vendor-Specific.WiMAX = { +# FA-RK-Key = 0x00 +# MSK = reply.EAP-MSK # } # } @@ -1382,13 +1382,13 @@ contains information about the client certificate (if available). ``` -# &reply += { -# &Reply-Message = "%{session-state.TLS-Certificate.Serial}" -# &Reply-Message = "%{session-state.TLS-Certificate.Not-After}" -# &Reply-Message = "%{session-state.TLS-Certificate.Subject}" -# &Reply-Message = "%{session-state.TLS-Certificate.Issuer}" -# &Reply-Message = "%{session-state.TLS-Certificate.Common-Name}" -# &Reply-Message = "%{session-state.TLS-Certificate.Subject-Alt-Name-Email}" +# reply += { +# Reply-Message = "%{session-state.TLS-Certificate.Serial}" +# Reply-Message = "%{session-state.TLS-Certificate.Not-After}" +# Reply-Message = "%{session-state.TLS-Certificate.Subject}" +# Reply-Message = "%{session-state.TLS-Certificate.Issuer}" +# Reply-Message = "%{session-state.TLS-Certificate.Common-Name}" +# Reply-Message = "%{session-state.TLS-Certificate.Subject-Alt-Name-Email}" # } ``` @@ -1417,8 +1417,8 @@ Uncomment the next few lines to copy the required data into the EAP-Key-Name attribute. ``` -# if (&reply.EAP-Session-Id) { -# &reply.EAP-Key-Name := &reply.EAP-Session-Id +# if (reply.EAP-Session-Id) { +# reply.EAP-Key-Name := reply.EAP-Session-Id # } ``` @@ -1577,7 +1577,7 @@ See "Accounting Queries" in xref:reference:raddb/mods-available/sql.adoc[mods-av Refresh leases when we see a start. -Ensure that &control.IP-Pool.Name is set to determine which +Ensure that control.IP-Pool.Name is set to determine which pool of IPs are used. Set this in `recv Accounting-Request` so it is available for all the accounting sections. diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/detail.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/detail.adoc index 5647a9b9edf..835906674a3 100644 --- a/doc/antora/modules/reference/pages/raddb/sites-available/detail.adoc +++ b/doc/antora/modules/reference/pages/raddb/sites-available/detail.adoc @@ -291,12 +291,12 @@ Note that we do NOT rely on any Event-Timestamp in the original packet, it could be wrong. ``` - if (&Acct-Delay-Time) { - &Acct-Delay-Time += %l - &Packet-Original-Timestamp + if (Acct-Delay-Time) { + Acct-Delay-Time += %l - Packet-Original-Timestamp } - if (!&Event-Timestamp) { - &Event-Timestamp := &Packet-Original-Timestamp + if (!Event-Timestamp) { + Event-Timestamp := Packet-Original-Timestamp } ``` diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/dhcp.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/dhcp.adoc index 0e9f7b993a7..eec16ab2342 100644 --- a/doc/antora/modules/reference/pages/raddb/sites-available/dhcp.adoc +++ b/doc/antora/modules/reference/pages/raddb/sites-available/dhcp.adoc @@ -153,7 +153,7 @@ recv Discover { ``` The DHCP Server Identifier is set here since it is returned in OFFERs ``` - &control.Server-Identifier = 192.0.2.1 + control.Server-Identifier = 192.0.2.1 ``` Call a policy (defined in policy.d/dhcp) to set common reply attributes @@ -180,7 +180,7 @@ if (notfound) { Or, allocate IPs from the DHCP pool in SQL. You may need to set the pool name here if you haven't set it elsewhere. ``` -# &control.IP-Pool.Name := "local" +# control.IP-Pool.Name := "local" # sqlippool ``` @@ -199,7 +199,7 @@ server will fall back to determining the type of reply based on the rcode of this section. ``` -# &reply.Message-Type = Offer +# reply.Message-Type = Offer ``` If Message-Type is not set, returning "ok" or @@ -217,20 +217,20 @@ recv Request { ``` The DHCP Server Identifier is set here since it is returned in OFFERs ``` - &control.Server-Identifier = 192.0.2.1 + control.Server-Identifier = 192.0.2.1 ``` If the request is not for this server then silently discard it ``` - if (&request.Server-Identifier && \ - &request.Server-Identifier != &control.Server-Identifier) { + if (request.Server-Identifier && + request.Server-Identifier != control.Server-Identifier) { do_not_respond } ``` Response packet type. See Discover section above. ``` -# &reply.Message-Type = Ack +# reply.Message-Type = Ack ``` Call a policy (defined in policy.d/dhcp) to set common reply attributes @@ -257,11 +257,11 @@ if (notfound) { Or, allocate IPs from the DHCP pool in SQL. You may need to set the pool name here if you haven't set it elsewhere. ``` -# &control.IP-Pool.Name := "local" +# control.IP-Pool.Name := "local" # sqlippool if (ok) { - &reply.Your-IP-Address := "%{&request.Requested-IP-Address || &request.Client-IP-Address}" + reply.Your-IP-Address := "%{request.Requested-IP-Address || request.Client-IP-Address}" } ``` @@ -289,7 +289,7 @@ recv Decline { If using IPs from a DHCP pool in SQL then you may need to set the pool name here if you haven't set it elsewhere and mark the IP as declined. ``` -# &control.IP-Pool.Name := "local" +# control.IP-Pool.Name := "local" # sqlippool ok @@ -317,10 +317,10 @@ For Windows 7 boxes ``` #recv Inform { -# &reply.Net.Dst.Port = 67 -# &reply.Message-Type = Ack -# &reply.Server-Identifier = "%{Net.Dst.IP}" -# &reply.Site-specific-28 = 0x0a00 +# reply.Net.Dst.Port = 67 +# reply.Message-Type = Ack +# reply.Server-Identifier = "%{Net.Dst.IP}" +# reply.Site-specific-28 = 0x0a00 # ok #} @@ -329,7 +329,7 @@ recv Release { If using IPs from a DHCP pool in SQL then you may need to set the pool name here if you haven't set it elsewhere and release the IP. ``` -# &control.IP-Pool.Name := "local" +# control.IP-Pool.Name := "local" # sqlippool ok @@ -342,7 +342,7 @@ in the packets. has MAC, asking for IP, etc. ``` - if (&Client-Hardware-Address) { + if (Client-Hardware-Address) { ``` look up MAC in database ``` @@ -351,7 +351,7 @@ look up MAC in database ``` has IP, asking for MAC, etc. ``` - elsif (&Your-IP-Address) { + elsif (Your-IP-Address) { ``` look up IP in database ``` @@ -360,13 +360,13 @@ look up IP in database ``` has host name, asking for IP, MAC, etc. ``` - elsif (&Client-Identifier) { + elsif (Client-Identifier) { ``` look up identifier in database ``` } else { - &reply.Message-Type = Lease-Unknown + reply.Message-Type = Lease-Unknown ok @@ -383,7 +383,7 @@ if it can't find anything. ``` if (notfound) { - &reply.Message-Type = Lease-Unknown + reply.Message-Type = Lease-Unknown ok @@ -411,7 +411,7 @@ Lease-Active Lease-Unassigned ``` - &reply.Message-Type = Lease-Unassigned + reply.Message-Type = Lease-Unassigned } } diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/dhcp.relay.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/dhcp.relay.adoc index 440da356dc2..cf1577e9933 100644 --- a/doc/antora/modules/reference/pages/raddb/sites-available/dhcp.relay.adoc +++ b/doc/antora/modules/reference/pages/raddb/sites-available/dhcp.relay.adoc @@ -54,14 +54,14 @@ recv Discover { ``` IP Address of the DHCP server ``` - &control.Net.Dst.IP := 192.0.2.2 + control.Net.Dst.IP := 192.0.2.2 ``` IP Address of the DHCP relay (where the reply should go to) If requests are coming from an upstream relay, this will already be set in the packet ``` - &request.Gateway-IP-Address := 192.0.2.1 + request.Gateway-IP-Address := 192.0.2.1 ``` Call the dhcpv4 module to do the relay @@ -81,9 +81,9 @@ This can be repeated for Inform, Release and Decline as required. ``` recv Request { - &control.Net.Dst.IP := 192.0.2.2 + control.Net.Dst.IP := 192.0.2.2 - &request.Gateway-IP-Address := 192.0.2.1 + request.Gateway-IP-Address := 192.0.2.1 dhcpv4 diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/dhcpv6.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/dhcpv6.adoc index 2cf94b81caa..cb4620730ca 100644 --- a/doc/antora/modules/reference/pages/raddb/sites-available/dhcpv6.adoc +++ b/doc/antora/modules/reference/pages/raddb/sites-available/dhcpv6.adoc @@ -331,8 +331,8 @@ send Advertise { All replies MUST include a Server-ID option ``` - &reply.Server-ID.DUID = UUID - &reply.Server-ID.DUID.UUID.Value := 0x00000000000000000000000000000000 + reply.Server-ID.DUID = UUID + reply.Server-ID.DUID.UUID.Value := 0x00000000000000000000000000000000 } ``` @@ -350,8 +350,8 @@ send Offer { All replies MUST include a Server-ID option ``` - &reply.Server-ID.DUID = UUID - &reply.Server-ID.DUID.UUID.Value := 0x00000000000000000000000000000000 + reply.Server-ID.DUID = UUID + reply.Server-ID.DUID.UUID.Value := 0x00000000000000000000000000000000 } ``` @@ -373,8 +373,8 @@ send Reply { All replies MUST include a Server-ID option ``` - &reply.Server-ID.DUID = UUID - &reply.Server-ID.DUID.UUID.Value := 0x00000000000000000000000000000000 + reply.Server-ID.DUID = UUID + reply.Server-ID.DUID.UUID.Value := 0x00000000000000000000000000000000 } } diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/dns.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/dns.adoc index ddcc3ef2ba6..c0b12243f51 100644 --- a/doc/antora/modules/reference/pages/raddb/sites-available/dns.adoc +++ b/doc/antora/modules/reference/pages/raddb/sites-available/dns.adoc @@ -17,19 +17,19 @@ of queries per second, without really trying hard. It's meant to be a _flexible_ DNS server. Want to give different answers to VoIP phones and desktops, or other types of split horizon? It can do that. -Because DNS uses the &Header.Rcode to communicate the result of a query (instead of opcode) +Because DNS uses the Header.Rcode to communicate the result of a query (instead of opcode) the DNS state machine works differently to other protocols. Requests will pass through the following processing sections: - A `recv { ... }` section matching the opcode. e.g. `recv Query { ... }`. Query processing and response formulation should be done here. - If this section returns anything other than `ok` or `updated`, a &reply.Header.Rcode value is + If this section returns anything other than `ok` or `updated`, a reply.Header.Rcode value is set. -- An `error { ... }` section matching &reply.Header.Rcode. e.g. `error Server-Fail { ... }`. - If the `recv { ... }` section produced a &reply.Header.Rcode value other than `No-Error` - and a `error { ... } section matching the &reply.Header.Rcode is provided, it is executed. +- An `error { ... }` section matching reply.Header.Rcode. e.g. `error Server-Fail { ... }`. + If the `recv { ... }` section produced a reply.Header.Rcode value other than `No-Error` + and a `error { ... } section matching the reply.Header.Rcode is provided, it is executed. Error sections are intended only for simplifying logging, and as such, the rcode of the section is ignored. - Error sections can manipulate the reply, e.g. setting a new value for &reply.Header.Rcode, but + Error sections can manipulate the reply, e.g. setting a new value for reply.Header.Rcode, but this will not cause additional `error { ... }` section to be executed. - A `send { ... }` section matching the opcode. e.g. `send Query-Response { ... }`. This can be used for general massaging of the reply. Return codes are ignored. @@ -60,13 +60,13 @@ Dont use "port = 53" unless you want to break things } recv Query { - if (&Question[0].Name == 'foo.example.com') { - &reply.Resource-Record := { - &Name = 'foo.example.com' - &Type = A - &Class = ::Internet - &TTL = 0 - &Type.A.IP = 127.0.0.1 + if (Question[0].Name == 'foo.example.com') { + reply.Resource-Record := { + Name = 'foo.example.com' + Type = ::A + Class = ::Internet + TTL = 0 + Type.A.IP = 127.0.0.1 } } diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/dynamic-clients.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/dynamic-clients.adoc index 6e6f96702ed..2005c3b8d3d 100644 --- a/doc/antora/modules/reference/pages/raddb/sites-available/dynamic-clients.adoc +++ b/doc/antora/modules/reference/pages/raddb/sites-available/dynamic-clients.adoc @@ -273,27 +273,27 @@ Example 1: Hard-code a client IP. This example is Copy the IP address of the client from the request just received ``` - &control += { - &FreeRADIUS-Client-IP-Address = "%{Net.Src.IP}" + control += { + FreeRADIUS-Client-IP-Address = "%{Net.Src.IP}" ``` require_message_authenticator ``` - &FreeRADIUS-Client-Require-MA = no + FreeRADIUS-Client-Require-MA = no - &FreeRADIUS-Client-Limit-Proxy-State = "auto" + FreeRADIUS-Client-Limit-Proxy-State = "auto" - &FreeRADIUS-Client-Secret = "testing123" + FreeRADIUS-Client-Secret = "testing123" ``` shortname ``` - &FreeRADIUS-Client-Shortname = "%{Net.Src.IP}" + FreeRADIUS-Client-Shortname = "%{Net.Src.IP}" ``` nas_type ``` - &FreeRADIUS-Client-NAS-Type = "other" + FreeRADIUS-Client-NAS-Type = "other" } ok diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/eap-aka-sim.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/eap-aka-sim.adoc index bd2191d4d92..c1b1954d664 100644 --- a/doc/antora/modules/reference/pages/raddb/sites-available/eap-aka-sim.adoc +++ b/doc/antora/modules/reference/pages/raddb/sites-available/eap-aka-sim.adoc @@ -92,9 +92,9 @@ one of the following attributes from the `recv Identity-Response { ... }` section of the specified EAP-SIM virtual_server, to the reply list: -- &reply.Any-Id-Req -- &reply.Fullauth-Id-Req -- &reply.Permanent-Id-Req +- reply.Any-Id-Req +- reply.Fullauth-Id-Req +- reply.Permanent-Id-Req Even if this configuration item is set to 'no', additional identities can be requested by policy. @@ -117,7 +117,7 @@ the generation of pseudonym or fastauth identities. ``` strip_permanent_identity_hint:: Strip the identity hint when -copying &EAP-Identity or &Identity to &Permanent-Identity. +copying EAP-Identity or Identity to Permanant-Identity. The stripping is only performed if this config item is set to yes, and the hint byte matches what we'd expect for the @@ -156,9 +156,9 @@ one of the following attributes from the `recv Identity-Response { ... }` section of the specified EAP-AKA virtual_server, to the reply list: -- &reply.Any-Id-Req -- &reply.Fullauth-Id-Req -- &reply.Permanent-Id-Req +- reply.Any-Id-Req +- reply.Fullauth-Id-Req +- reply.Permanent-Id-Req Even if this configuration item is set to 'no', additional identities can be requested by policy. @@ -178,7 +178,7 @@ fastauth identities we generate (not including hint byte). ``` strip_permanent_identity_hint:: Strip the identity hint when -copying &EAP-Identity or &Identity to &Permanent-Identity. +copying EAP-Identity or Identity to Permanant-Identity. The stripping is only performed if this config item is set to yes, and the hint byte matches what we'd expect for the @@ -214,7 +214,7 @@ to prevent vectors being used where they were not intended to be. The value of the AT_KDF_INPUT can be overridden in the -eap-aka-prime virtual server with &reply.KDF-Input if +eap-aka-prime virtual server with reply.KDF-Input if this value needs to be determined dynamically. How this value should be created and formatted is specified @@ -237,9 +237,9 @@ one of the following attributes from the `recv Identity-Response { ... }` section of the specified EAP-AKA virtual_server, to the reply list: -- &reply.Any-Id-Req -- &reply.Fullauth-Id-Req -- &reply.Permanent-Id-Req +- reply.Any-Id-Req +- reply.Fullauth-Id-Req +- reply.Permanent-Id-Req Even if this configuration item is set to 'no', additional identities can be requested by policy. @@ -262,7 +262,7 @@ the generation of pseudonym or fastauth identities. ``` strip_permanent_identity_hint:: Strip the identity hint when -copying &EAP-Identity or &Identity to &Permanent-Identity. +copying EAP-Identity or Identity to Permanant-Identity. The stripping is only performed if this config item is set to yes, and the hint byte matches what we'd expect for the @@ -313,14 +313,14 @@ The following request attributes are available: - `AKA` - `SIM` -At the end of this section the value of `&Identity-Type` will be +At the end of this section the value of `Identity-Type` will be checked to see if any additional identity processing steps are required. The following actions are associated with the various `Identity-Type` values: -- `Permanent`:: The current `&Identity` value will be copied to - `&session-state.Permanent-Identity`. The hint byte +- `Permanent`:: The current `Identity` value will be copied to + `session-state.Permanent-Identity`. The hint byte will be stripped if the hint matches the current EAP-Method. If the hint byte does not match the current EAP-Method the complete value of @@ -361,7 +361,7 @@ EAP type. If, however, you want to avoid the additional round trips involved in that negotiation, you can use `%aka_sim_id_method(%{User-Name})` in the top level virtual server, which will return the EAP method hinted by the identity, and then -set `&control.EAP-Type` to an appropriate value before calling the +set `control.EAP-Type` to an appropriate value before calling the EAP module. #### Pseudonyms @@ -374,7 +374,7 @@ section. If for whatever reason the identity cannot be validated, you should return `notfound` to request an additional identity. -NOTE: Setting `&Method-Hint = Pseudonym` here will cause the server +NOTE: Setting `Method-Hint = Pseudonym` here will cause the server to execute the `load pseudonym { ... }` section next. This is sometimes useful when dealing with non-standard pseudonym identities. @@ -389,7 +389,7 @@ section. If the identity cannot be resolved, you should return `notfound` to request an additional identity. -NOTE: Setting `&Method-Hint = Fastauth` here will cause the server +NOTE: Setting `Method-Hint = Fastauth` here will cause the server to execute the `load session { ... }` section next. This is sometimes useful when dealing with non-standard fastauth identities. @@ -407,7 +407,7 @@ The notable exception to this is the scheme described in - 3gpp_temporary_id_decrypt - 3gpp_temporary_id_encrypt -The rlm_cipher module and the &control.KDF-Identity attribute override +The rlm_cipher module and the control.KDF-Identity attribute override (see notes below) are provided to allow the "Privacy Protection for EAP-AKA" scheme described by 3GPP S3-170116 and the Wireless Broadband Allowance document "IMSI PRIVACY PROTECTION FOR WI-FI". @@ -557,8 +557,8 @@ following control attributes: ### Pseudonyms -For identity privacy you may include a `&reply.Next-Pseudonym` -attribute. `&reply.Next-Pseudonym` must be a valid UTF8 string and +For identity privacy you may include a `reply.Next-Pseudonym` +attribute. `reply.Next-Pseudonym` must be a valid UTF8 string and MUST NOT contain a realm. The supplicant will decorate the identity as appropriate to ensure correct routing. @@ -569,7 +569,7 @@ values: - The `%3gpp_temporary_id_encrypt()` expansion. - The `%randstr()` expansion. -NOTE: Add a `&reply.Next-Pseudonym-Id` attribute in this section to +NOTE: Add a `reply.Next-Pseudonym-Id` attribute in this section to avoid having the permanent Id of the SIM exposed during subsequent authentication attempts. The value of this attribute may be empty (a zero length string) if @@ -587,7 +587,7 @@ based EAP methods, where the original MK (Master Key) is stored and then used to generate new MSKs (Master Session Keys) for subsequent authentication attempts. -NOTE: Add a `&reply.Next-Reauth-Id` attribute in this section, to +NOTE: Add a `reply.Next-Reauth-Id` attribute in this section, to allow session-resumption for subsequent authentication attempts. The value of this attribute may be empty (a zero length string) if which case a random value with the correct hint character will be @@ -626,7 +626,7 @@ No where is this mentioned in either the original 3GPP proposal or the WBA document. If you need to implement one of these identity privacy schemes, the -cryptographic identity can be specified with `&control.KDF-Identity`. +cryptographic identity can be specified with `control.KDF-Identity`. ``` send Challenge-Request { @@ -673,11 +673,11 @@ The following rcodes have special meanings in this section: There's not much to do here as the majority of the work for session resumption is done in `load session { ... }`. -Add a `&reply.Next-Pseudonym` attribute in this section if you want +Add a `reply.Next-Pseudonym` attribute in this section if you want to allow avoid having the permanent Id of the SIM exposed during subsequent authentication attempts. -Add a `&reply.Next-Reauth-Id` attribute in this section, to allow +Add a `reply.Next-Reauth-Id` attribute in this section, to allow session resumption for subsequent authentication attempts. The following rcodes have special meanings in this section: @@ -722,7 +722,7 @@ not clear that this is allowed by RFC4186/RFC4187. ### `recv Client-Error { ... }` - Log the fact that the supplicant has terminated authentication -The reason for the error should be available in `&Client-Error-Code` +The reason for the error should be available in `Client-Error-Code` After this section is run authentication fails immediately with no EAP-Response/AKA-Notification round. @@ -766,10 +766,10 @@ EAP-Response/Synchronization-Failure message with an AUTS attribute. If the original UMTS quintuplets were calculated locally and you provided Ki and OP/OPc in the Challenge-Request round, then the EAP-AKA module will automatically calculate a new SQN for you and -place it in `&control.SIM-SQN`. You should store this new SQN. +place it in `control.SIM-SQN`. You should store this new SQN. As a convenience, the EAP-AKA module will also repopulate -&control.SIM-Ki and &control.SIM-OPc so you do not need to retrieve +control.SIM-Ki and control.SIM-OPc so you do not need to retrieve them again in the `send Challenge-Request { ... }` section. If the UMTS quintuplets were provided by an AuC, you should submit @@ -778,7 +778,7 @@ retrieve a new UMTS quintuplet in the `send Challenge-Request { ... }` section. If the rcode returned from this section does not indicate failure -and a &control.SQN value is provided, we send a new challenge to +and a control.SQN value is provided, we send a new challenge to the supplicant and continue; otherwise authentication fails. NOTE: Only one Synchronisation attempt is permitted per @@ -864,19 +864,19 @@ NOTE: The rcode returned from this section is ignored. ### `store pseudonym { ... }` If when sending a Challenge-Request Reauthentication-Request a -`&reply.Next-Pseudonym-Id` attribute is found, this section will be +`reply.Next-Pseudonym-Id` attribute is found, this section will be called. -If `&reply.Next-Pseudonym-Id` is empty, it will be filled with a random +If `reply.Next-Pseudonym-Id` is empty, it will be filled with a random string of alphanumeric characters. -For consistency, &reply.Next-Pseudonym-Id will also be made available -temporarily in `&Next-Pseudonym-Id` for use as a key. +For consistency, reply.Next-Pseudonym-Id will also be made available +temporarily in `Next-Pseudonym-Id` for use as a key. You should store the following attributes against the key -`&Next-Paeudonym-Id`: +`Next-Paeudonym-Id`: -- `&session-state.Permanent-Identity`::The permanent identity of the user. +- `session-state.Permanent-Identity`::The permanent identity of the user. If a failure rcode is returned authentication continues but the Next-Pseudonym-Id will not be sent to the supplicant. @@ -902,13 +902,13 @@ for `load session { ... }`, and use that to decrypt the pseudonym. This section will be called prior to entering the AKA-CHALLENGE state. You should restore the contents of the following attributes using -`&Next-Pseudonym-Id` as a key: +`Next-Pseudonym-Id` as a key: -- `&session-state.Permanent-Identity`::The permanent identity of the user. +- `session-state.Permanent-Identity`::The permanent identity of the user. NOTE: If you're using 3GPP style encrypted pseudonyms, you should decrypt the pseudonym here, and store the decrypted value in -`&session-state.Permanent-Identity`. +`session-state.Permanent-Identity`. ``` load pseudonym { @@ -922,7 +922,7 @@ decrypt the pseudonym here, and store the decrypted value in This section we be called if authentication or re-authentication fails. You should remove any session information stored against -`&Next-Pseudonym-Id`. +`Next-Pseudonym-Id`. ``` clear pseudonym { @@ -933,16 +933,16 @@ You should remove any session information stored against ### `store session { ... }` -If when sending a Reauthentication-Request a `&reply.Next-Reauth-Id` +If when sending a Reauthentication-Request a `reply.Next-Reauth-Id` attribute is found, this section will be called. You should restore the contents of the following attributes using -`&request.Session-ID` as a key: +`request.Session-ID` as a key: -- `&session-state.Counter`:: How many times this session has +- `session-state.Counter`:: How many times this session has been resumed. -- `&session-state.Session-Data`:: The master session key. -- `&session-state.Permanent-Identity`::(optionally) the permanent +- `session-state.Session-Data`:: The master session key. +- `session-state.Permanent-Identity`::(optionally) the permanent identity of the user. If a failure rcode is returned, authentication continues but the @@ -965,12 +965,12 @@ provide a unified session store. This section will be called prior to attempting re-authentication. You should restore the contents of the following attributes using -`&request.Session-ID` as a key: +`request.Session-ID` as a key: -- `&session-state.Counter`:: How many times this session has +- `session-state.Counter`:: How many times this session has been resumed. -- `&session-state.Session-Data`:: The master session key. -- `&session-state.Permanent-Identity`::(optionally) the permanent +- `session-state.Session-Data`:: The master session key. +- `session-state.Permanent-Identity`::(optionally) the permanent identity of the user. The following rcodes have special meanings in this section: @@ -998,7 +998,7 @@ The following rcodes have special meanings in this section: This section we be called if authentication or re-authentication fails. -You should remove any session information stored against `&request.Session-ID`. +You should remove any session information stored against `request.Session-ID`. ``` clear session { diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/example.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/example.adoc index 9edc0a26f15..bf4843b1166 100644 --- a/doc/antora/modules/reference/pages/raddb/sites-available/example.adoc +++ b/doc/antora/modules/reference/pages/raddb/sites-available/example.adoc @@ -114,8 +114,8 @@ the "server" section. Some example policies. See "man unlang" for more. ``` - if (&User-Name == "bob") { - &control.Password.Cleartext := "bob" + if (User-Name == "bob") { + control.Password.Cleartext := "bob" } ``` @@ -133,7 +133,7 @@ the "modules" section of radiusd.conf. } send Access-Reject { - &reply.Reply-Message = "This is only an example." + reply.Reply-Message = "This is only an example." } } diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/inner-tunnel.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/inner-tunnel.adoc index 195deefd896..a843d705ab0 100644 --- a/doc/antora/modules/reference/pages/raddb/sites-available/inner-tunnel.adoc +++ b/doc/antora/modules/reference/pages/raddb/sites-available/inner-tunnel.adoc @@ -57,7 +57,7 @@ from from v4.0. Individual attributes from the outer request may be accessed with: - &outer.request. + outer.request. The following policy in raddb/policy.d/eap can be used to copy attributes over. @@ -281,7 +281,7 @@ the ONLY safe way is to set the outer session-state list. Attributes that should be provided in the reply should be copied to the outer.session-state list: - &outer.session-state.Attribute := + outer.session-state.Attribute := The default configuration in the outer post-auth "send" section will copy this to the reply. To copy the entire reply see @@ -380,7 +380,7 @@ See `mods-enabled/linelog` for message formats and destinations. Let the outer session know which module failed, and why. ``` - &outer.session-state.Module-Failure-Message := &request.Module-Failure-Message + outer.session-state.Module-Failure-Message := request.Module-Failure-Message } } # inner-tunnel server block ``` diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/ldap_sync.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/ldap_sync.adoc index 43b47483168..2352275a5c8 100644 --- a/doc/antora/modules/reference/pages/raddb/sites-available/ldap_sync.adoc +++ b/doc/antora/modules/reference/pages/raddb/sites-available/ldap_sync.adoc @@ -269,12 +269,12 @@ This is a very limited form of map: single instance of the attribute and += setting as many as the LDAP query returns. -Protocol specific attributes must be qualified e.g. &Proto.radius.User-Name +Protocol specific attributes must be qualified e.g. Proto.radius.User-Name ``` update { - &Proto.radius.User-Name = 'uid' - &Password.With-Header = 'userPassword' + Proto.radius.User-Name = 'uid' + Password.With-Header = 'userPassword' } } @@ -292,7 +292,7 @@ FreeRADIUS attributes. ``` # update { -# &member += "member" +# member += "member" # } # } @@ -347,8 +347,8 @@ container. ``` # update { -# &Proto.radius.User-Name = 'sAMAccountName' -# &user-acct-control = 'userAccountControl' +# Proto.radius.User-Name = 'sAMAccountName' +# user-acct-control = 'userAccountControl' # } # } @@ -373,9 +373,9 @@ searching the Global Catalog. ``` # update { -# &Proto.radius.User-Name = 'sAMAccountName' -# &user-acct-control = 'userAccountControl' -# &last-known-parent = 'lastKnownParent' +# Proto.radius.User-Name = 'sAMAccountName' +# user-acct-control = 'userAccountControl' +# last-known-parent = 'lastKnownParent' # } # } } @@ -392,14 +392,14 @@ sent to the server, so could be used for any initial setup of cache datastores. A request will be generated with the following attributes: -- &request.LDAP-Sync.DN the base_dn of the sync. -- &request.LDAP-Sync.Filter the filter of the sync (optional). -- &request.LDAP-Sync.Scope the scope of the sync (optional). +- request.LDAP-Sync.DN the base_dn of the sync. +- request.LDAP-Sync.Filter the filter of the sync (optional). +- request.LDAP-Sync.Scope the scope of the sync (optional). You should use these attributes to uniquely identify the sync when retrieving previous cookie values. -In addition the attribute &request.LDAP-Sync.Directory-Root-DN will be +In addition the attribute request.LDAP-Sync.Directory-Root-DN will be populated with the root DN of the directory to aid creating a cookie if one has not previously been stored. @@ -412,8 +412,8 @@ The section may return one of the following/codes attributes: - fail / invalid / reject / disallow to indicate failure. The section will be retried after a delay (the ldap reconnection delay). The sync query will not be started until this section succeeds. -- Any other code with &reply.LDAP-Sync.Cookie populated to indicate a cookie value was loaded. -- Any other code without &reply.LDAP-Sync.Cookie populated to indicate no cookie was found. +- Any other code with reply.LDAP-Sync.Cookie populated to indicate a cookie value was loaded. +- Any other code without reply.LDAP-Sync.Cookie populated to indicate no cookie was found. ``` load Cookie { @@ -429,13 +429,13 @@ presuming the ldap module is enabled and configured with the same server settings as ldap_sync. ``` -# if (!&reply.LDAP-Sync.Cookie) { +# if (!reply.LDAP-Sync.Cookie) { # string csn ``` ``` -# &csn := %concat(%ldap("ldap:///%ldap.uri.safe(%{LDAP-Sync.Directory-Root-DN})?contextCSN?base"), ';') -# &reply.LDAP-Sync.Cookie := "rid=000,csn=%{csn}" +# csn := %concat(%ldap("ldap:///%ldap.uri.safe(%{LDAP-Sync.Directory-Root-DN})?contextCSN?base"), ';') +# reply.LDAP-Sync.Cookie := "rid=000,csn=%{csn}" # } } @@ -452,10 +452,10 @@ changeNumber in LDAP-Sync.Cookie. A request will be generated with the following attributes: -- &request.LDAP-Sync.DN the base_dn of the sync. -- &request.LDAP-Sync.Cookie the cookie value to store. -- &request.LDAP-Sync.Filter the filter of the sync (optional). -- &request.LDAP-Sync.Scope the scope of the sync (optional). +- request.LDAP-Sync.DN the base_dn of the sync. +- request.LDAP-Sync.Cookie the cookie value to store. +- request.LDAP-Sync.Filter the filter of the sync (optional). +- request.LDAP-Sync.Scope the scope of the sync (optional). The return code of this section is ignored. @@ -480,14 +480,14 @@ during a refresh stage. A request will be generated with the following attributes: -- &request.LDAP-Sync.DN the base_dn of the sync. -- &request.LDAP-Sync.Entry-UUID the UUID of the object. (https://tools.ietf.org/html/rfc4533[RFC 4533] directories only) -- &request.LDAP-Sync.Entry-DN the DN of the object that was added. -- &*:* attributes mapped from the LDAP entry to FreeRADIUS +- request.LDAP-Sync.DN the base_dn of the sync. +- request.LDAP-Sync.Entry-UUID the UUID of the object. (https://tools.ietf.org/html/rfc4533[RFC 4533] directories only) +- request.LDAP-Sync.Entry-DN the DN of the object that was added. +- *:* attributes mapped from the LDAP entry to FreeRADIUS attributes using the update section within the sync. -- &request.LDAP-Sync.Filter the filter of the sync (optional). -- &request.LDAP-Sync.Scope the scope of the sync (optional). -- &request.LDAP-Sync.Attr the attributes returned by the sync (optional). +- request.LDAP-Sync.Filter the filter of the sync (optional). +- request.LDAP-Sync.Scope the scope of the sync (optional). +- request.LDAP-Sync.Attr the attributes returned by the sync (optional). The return code of this section is ignored (for now). @@ -509,14 +509,14 @@ during a refresh stage. A request will be generated with the following attributes: -- &request.LDAP-Sync.DN the base_dn of the sync. -- &request.LDAP-Sync.Entry-UUID the UUID of the object. (https://tools.ietf.org/html/rfc4533[RFC 4533] directories only) -- &request.LDAP-Sync.Entry-DN the DN of the object that was added. -- &*:* attributes mapped from the LDAP entry to FreeRADIUS +- request.LDAP-Sync.DN the base_dn of the sync. +- request.LDAP-Sync.Entry-UUID the UUID of the object. (https://tools.ietf.org/html/rfc4533[RFC 4533] directories only) +- request.LDAP-Sync.Entry-DN the DN of the object that was added. +- *:* attributes mapped from the LDAP entry to FreeRADIUS attributes using the update section within the sync. -- &request.LDAP-Sync.Filter the filter of the sync (optional). -- &request.LDAP-Sync.Scope the scope of the sync (optional). -- &request.LDAP-Sync.Original-DN the original DN of the object, if the object was renamed +- request.LDAP-Sync.Filter the filter of the sync (optional). +- request.LDAP-Sync.Scope the scope of the sync (optional). +- request.LDAP-Sync.Original-DN the original DN of the object, if the object was renamed and the directory returns this attribute. The return code of this section is ignored (for now). @@ -538,14 +538,14 @@ during a refresh stage. A request will be generated with the following attributes: -- &request.LDAP-Sync.DN the base_dn of the sync. -- &request.LDAP-Sync.Entry-UUID the UUID of the object. (https://tools.ietf.org/html/rfc4533[RFC 4533] directories only) -- &request.LDAP-Sync.Entry-DN the DN of the object that was removed (optional). -- &*:* attributes mapped from the LDAP entry to FreeRADIUS +- request.LDAP-Sync.DN the base_dn of the sync. +- request.LDAP-Sync.Entry-UUID the UUID of the object. (https://tools.ietf.org/html/rfc4533[RFC 4533] directories only) +- request.LDAP-Sync.Entry-DN the DN of the object that was removed (optional). +- *:* attributes mapped from the LDAP entry to FreeRADIUS attributes using the update section within the sync, if the attributes are returned by the directory. -- &request.LDAP-Sync.Filter the filter of the sync (optional). -- &request.LDAP-Sync.Scope the scope of the sync (optional). +- request.LDAP-Sync.Filter the filter of the sync (optional). +- request.LDAP-Sync.Scope the scope of the sync (optional). The return code of this section is ignored (for now). @@ -570,11 +570,11 @@ during a refresh stage. A request will be generated with the following attributes: -- &request.LDAP-Sync.DN the base_dn of the sync. -- &request.LDAP-Sync.Entry-UUID the UUID of the object. (https://tools.ietf.org/html/rfc4533[RFC 4533] directories only) -- &request.LDAP-Sync.Entry-DN the DN of the object that is still present (optional). -- &request.LDAP-Sync.Filter the filter of the sync (optional). -- &request.LDAP-Sync.Scope the scope of the sync (optional). +- request.LDAP-Sync.DN the base_dn of the sync. +- request.LDAP-Sync.Entry-UUID the UUID of the object. (https://tools.ietf.org/html/rfc4533[RFC 4533] directories only) +- request.LDAP-Sync.Entry-DN the DN of the object that is still present (optional). +- request.LDAP-Sync.Filter the filter of the sync (optional). +- request.LDAP-Sync.Scope the scope of the sync (optional). The return code of this section is ignored (for now). diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/originate-coa.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/originate-coa.adoc index 03405fb6a9c..a93c9431a06 100644 --- a/doc/antora/modules/reference/pages/raddb/sites-available/originate-coa.adoc +++ b/doc/antora/modules/reference/pages/raddb/sites-available/originate-coa.adoc @@ -31,9 +31,9 @@ and call the `radius` module to send the packet. ``` # subrequest Disconnect-Request { -# &User-Name = &parent.request.User-Name -# &Acct-Session-Id = &parent.request.Acct-Session-Id -# &NAS-IP-Address = &parent.NAS-IP-Address} +# User-Name = parent.request.User-Name +# Acct-Session-Id = parent.request.Acct-Session-Id +# NAS-IP-Address = parent.NAS-IP-Address} # ... # } ``` @@ -76,13 +76,13 @@ The subrequest begins empty, so copy all necessary attributes over. ``` - &request.User-Name := &parent.request.User-Name - &request.Acct-Session-Id := &parent.request.Acct-Session-Id - &request.NAS-Identifier := &parent.request.NAS-Identifier - &request.NAS-IP-Address := &parent.request.NAS-IP-Addres - &request.NAS-IPv6-Address := &parent.request.NAS-IPv6-Address - &request.NAS-Port := &parent.request.NAS-Port - &request.Framed-IP-Address := &parent.request.Framed-IP-Address + request.User-Name := parent.request.User-Name + request.Acct-Session-Id := parent.request.Acct-Session-Id + request.NAS-Identifier := parent.request.NAS-Identifier + request.NAS-IP-Address := parent.request.NAS-IP-Addres + request.NAS-IPv6-Address := parent.request.NAS-IPv6-Address + request.NAS-Port := parent.request.NAS-Port + request.Framed-IP-Address := parent.request.Framed-IP-Address ``` diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/proxy-inner-tunnel.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/proxy-inner-tunnel.adoc index ffc296107b8..49aff68aba7 100644 --- a/doc/antora/modules/reference/pages/raddb/sites-available/proxy-inner-tunnel.adoc +++ b/doc/antora/modules/reference/pages/raddb/sites-available/proxy-inner-tunnel.adoc @@ -29,7 +29,7 @@ the inner tunnel request. You should update this to be one of your realms. ``` - &control.Proxy-To-Realm := "example.com" + control.Proxy-To-Realm := "example.com" } authenticate eap { diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/robust-proxy-accounting.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/robust-proxy-accounting.adoc index afcb7a4db00..01550e7d3f5 100644 --- a/doc/antora/modules/reference/pages/raddb/sites-available/robust-proxy-accounting.adoc +++ b/doc/antora/modules/reference/pages/raddb/sites-available/robust-proxy-accounting.adoc @@ -188,7 +188,7 @@ and the detail file processed as normal. You may want accounting policies here... ``` - &control.Proxy-To-Realm := "acct_realm.example.com" + control.Proxy-To-Realm := "acct_realm.example.com" } } diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/status.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/status.adoc index a9c74bcbde9..e1f0370c936 100644 --- a/doc/antora/modules/reference/pages/raddb/sites-available/status.adoc +++ b/doc/antora/modules/reference/pages/raddb/sites-available/status.adoc @@ -82,7 +82,6 @@ Add statistics based on the Vendor-Specific.FreeRADIUS.Stats4-* queries. stats ok } -} # Statistics can be queried via a number of methods: ``` @@ -110,9 +109,11 @@ Add statistics based on the Vendor-Specific.FreeRADIUS.Stats4-* queries. Due to internal limitations, the statistics might not be exactly up to date. Do not expect all of the numbers to add up perfectly. +``` +} +``` == Default Configuration ``` - ``` diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/tacacs.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/tacacs.adoc index db1393e4629..f2b048fd01f 100644 --- a/doc/antora/modules/reference/pages/raddb/sites-available/tacacs.adoc +++ b/doc/antora/modules/reference/pages/raddb/sites-available/tacacs.adoc @@ -328,8 +328,8 @@ and User-Password have been provided by this point making ASCII authentication equivalent to PAP. Alternatively, if extra data is required, set -&reply.Authentication-Status := Getdata -to request the extra data, which will be in &User-Message in +reply.Authentication-Status := Getdata +to request the extra data, which will be in User-Message in the next packet (if the client provides it) ``` @@ -345,7 +345,7 @@ Note that "follow" is officially deprecated, and is not supported. ``` send Authentication-Pass { - &reply.Server-Message := "Hello %{User-Name}" + reply.Server-Message := "Hello %{User-Name}" ``` @@ -358,7 +358,7 @@ See `mods-enabled/linelog` for message formats and destinations. } send Authentication-Fail { - &reply.Server-Message := "Failed login!" + reply.Server-Message := "Failed login!" ``` @@ -377,11 +377,11 @@ for the client to present to the user. ``` send Authentication-GetUser { - &reply.Server-Message := "Username:" + reply.Server-Message := "Username:" } send Authentication-GetPass { - &reply.Server-Message := "Password:" + reply.Server-Message := "Password:" } ``` @@ -451,10 +451,10 @@ Add the arguments to whatever the user entered. ``` send Authorization-Pass-Add { - &reply.Authorization-Status := Pass-Add - &reply.Server-Message := "authorization-response-server" - &reply.Data := "authorization-response-data" - &reply.Argument-List := "key1=var1" + reply.Authorization-Status := Pass-Add + reply.Server-Message := "authorization-response-server" + reply.Data := "authorization-response-data" + reply.Argument-List := "key1=var1" } ``` @@ -463,10 +463,10 @@ Replace whatever the user entered with the following arguments ``` send Authorization-Pass-Reply { - &reply.Authorization-Status := Pass-Repl - &reply.Server-Message := "authorization-response-server" - &reply.Data := "authorization-response-data" - &reply.Argument-List := "key1=var1" + reply.Authorization-Status := Pass-Repl + reply.Server-Message := "authorization-response-server" + reply.Data := "authorization-response-data" + reply.Argument-List := "key1=var1" } ``` @@ -475,7 +475,7 @@ Reject the request ``` send Authorization-Fail { - &reply.Authorization-Status := Fail + reply.Authorization-Status := Fail } ``` @@ -526,11 +526,11 @@ Stops a session ``` send Accounting-Success { - &reply.Server-Message := "Success" + reply.Server-Message := "Success" } send Accounting-Error { - &reply.Server-Message := "Error" + reply.Server-Message := "Error" } ``` diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/tls-session.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/tls-session.adoc index f7a763e6622..acbbb23815f 100644 --- a/doc/antora/modules/reference/pages/raddb/sites-available/tls-session.adoc +++ b/doc/antora/modules/reference/pages/raddb/sites-available/tls-session.adoc @@ -20,7 +20,7 @@ Certificates are decoded into nested attributes e.g. ``` When more than one certificate is decoded, the first ( i.e. -&session-state.TLS-Certificate[0] ) will be the client certificate, +session-state.TLS-Certificate[0] ) will be the client certificate, with the next being its issuer. @@ -57,7 +57,7 @@ Check the client certificate matches a string, and reject otherwise Check the client certificate common name against the supplied identity ``` -# if (&EAP-Identity != "host/%{session-state.TLS-Certificate.Common-Name}") { +# if (EAP-Identity != "host/%{session-state.TLS-Certificate.Common-Name}") { # reject # } @@ -118,8 +118,8 @@ max and min TLS versions. ``` # new session { -# &control.Max-Version := 1.3 -# &control.Min-Version := 1.2 +# control.Max-Version := 1.3 +# control.Min-Version := 1.2 # } ``` @@ -127,7 +127,7 @@ max and min TLS versions. This section is run whenever the server needs to read an entry from the TLS session cache. -It should read the attribute &session-state.TLS-Session-Data +It should read the attribute session-state.TLS-Session-Data from the cache, along with any other attributes which were in the cache @@ -138,7 +138,7 @@ and will just cause the server to emit a warning. ``` load session { - &control.Cache-Allow-Insert := no + control.Cache-Allow-Insert := no cache_tls_session } @@ -148,7 +148,7 @@ and will just cause the server to emit a warning. This section is run whenever the server needs to write an entry to the TLS session cache. -It should write the attribute &session-state.Session-Data +It should write the attribute session-state.Session-Data to the cache, along with any other attributes which need to be cached. @@ -159,7 +159,7 @@ and will just cause the server to emit a warning. ``` store session { - &control.Cache-TTL := 0 + control.Cache-TTL := 0 cache_tls_session } @@ -176,8 +176,8 @@ and will just cause the server to emit a warning. ``` clear session { - &control.Cache-TTL := 0 - &control.Cache-Allow-Insert := no + control.Cache-TTL := 0 + control.Cache-Allow-Insert := no cache_tls_session } @@ -201,7 +201,7 @@ TLS version or cipher suite. This section is run after certificate attributes are added to the request list, and before performing OCSP validation. -It should read the attribute &control.TLS-OCSP-Cert-Valid +It should read the attribute control.TLS-OCSP-Cert-Valid from the cache. On success it should return 'ok', 'updated', 'noop' or 'notfound' @@ -209,7 +209,7 @@ To force OCSP validation failure, it should return 'reject'. ``` load ocsp-state { - &control.Cache-Allow-Insert := no + control.Cache-Allow-Insert := no cache_ocsp } @@ -218,7 +218,7 @@ To force OCSP validation failure, it should return 'reject'. This section is run after OCSP validation has completed. -It should write the attribute &reply.TLS-OCSP-Cert-Valid +It should write the attribute reply.TLS-OCSP-Cert-Valid to the cache. On success it should return 'ok' or 'updated'. @@ -228,8 +228,8 @@ and will just cause the server to emit a warning. ``` store ocsp-state { - &control.Cache-TTL := "%{&reply.TLS-OCSP-Next-Update * -1}" - &control.Cache-Allow-Merge := no + control.Cache-TTL := "%{reply.TLS-OCSP-Next-Update * -1}" + control.Cache-Allow-Merge := no cache_ocsp } diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/vmps.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/vmps.adoc index aaae4844a05..1e2b9f52f38 100644 --- a/doc/antora/modules/reference/pages/raddb/sites-available/vmps.adoc +++ b/doc/antora/modules/reference/pages/raddb/sites-available/vmps.adoc @@ -84,12 +84,12 @@ This section is called when it receives a Join-Request. Some requests may not have a MAC address. Try to create one using other attributes. ``` - if (!&MAC-Address) { - if (&Ethernet-Frame =~ /0x.{12}(..)(..)(..)(..)(..)(..).*/) { - &request.MAC-Address = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}" + if (!MAC-Address) { + if (Ethernet-Frame =~ /0x.{12}(..)(..)(..)(..)(..)(..).*/) { + request.MAC-Address = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}" } else { - &request.MAC-Address = &Cookie + request.MAC-Address = Cookie } } @@ -108,11 +108,11 @@ module. required VMPS reply attributes ``` - &reply.Packet-Type = Join-Response - &reply.Error-Code = No-Error - &reply.Cookie = &MAC-Address + reply.Packet-Type = Join-Response + reply.Error-Code = No-Error + reply.Cookie = MAC-Address - &reply.VLAN-Name = "please_use_real_vlan_here" + reply.VLAN-Name = "please_use_real_vlan_here" ``` @@ -120,7 +120,7 @@ NOTE: If you have VLAN's in a database, you can `select` the VLAN name based on the MAC address. ``` -# &reply.VLAN-Name = %sql("select ... where mac='%{MAC-Address}'") +# reply.VLAN-Name = %sql("select ... where mac='%{MAC-Address}'") } ```