From: Alan T. DeKok
Date: Thu, 21 Nov 2024 18:47:13 +0000 (-0500)
Subject: refresh after changes
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2f115baefb5756e3c6ff85b4159946d3b255a303;p=thirdparty%2Ffreeradius-server.git

refresh after changes
---

diff --git a/doc/antora/modules/raddb/pages/clients.conf.adoc b/doc/antora/modules/raddb/pages/clients.conf.adoc
index 2729a4931ad..4ebcd767282 100644
--- a/doc/antora/modules/raddb/pages/clients.conf.adoc
+++ b/doc/antora/modules/raddb/pages/clients.conf.adoc
@@ -103,14 +103,60 @@ not be used in any real environment. -require_message_authenticator:: Old-style clients do not send a -`link:https://freeradius.org/rfc/rfc2869.html#Message-Authenticator[Message-Authenticator]` in an `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]`. https://tools.ietf.org/html/rfc5080[RFC 5080] suggests -that all clients *should* include it in an Access-Request. The -configuration item below allows the server to require it. If a -client is required to include a `link:https://freeradius.org/rfc/rfc2869.html#Message-Authenticator[Message-Authenticator]` and it -does not, then the packet will be silently discarded. +require_message_authenticator::Require Message-Authenticator in Access-Requests. -Allowed values: yes, no +https://tools.ietf.org/html/rfc5080[RFC 5080] suggests that all clients *should* include it in an +Access-Request. The configuration item below allows the server +to require it. If a client is required to include a `link:https://freeradius.org/rfc/rfc2869.html#Message-Authenticator[Message-Authenticator]` +and it does not, then the packet will be silently discarded. + +If value is auto, then if any packet received from the client +contains a valid Message-Authenticator attribute, then the server +will require it from all future packets from that client. + +NOTE: This setting overrides the identically named config item in the +radius listener. + +Allowed values: yes, no, auto + +The default is "no". + + + +limit_proxy_state:: Control whether Proxy-State is allowed in +packets from this client which do not have a Message-Authenticator. + +The blastradius prefix attack allows an attacker to manipulate +the contents of response packets without knowing the shared secret. + +The attack relies on controlling a portion of the data sent back +in the response by the RADIUS server. 
As Proxy-State is always +echoed back verbatim from the request, it can be leveraged to +manipulate the data sent back from the server and facilitate the +attack. + +The attack also relies on defficiencies in the original RADIUS +standards that provided no integrity protection for Access-Requests. + +The attack is mitigated by requiring the Message-Authenticator, +which contains a HMAC over the entire request, preventing +modification of the request by the attacker. + +If value is auto, and the first packet received from the client +does not contain a Proxy-State attribute, Proxy-State will be +disallowed in any future packets which do not contain a +Message-Authenticator. + +This provides some level of protection against the blastradius +attack, without requiring Message-Authenticator, or breaking existing +deployments. + +NOTE: This setting overrides the identically named config item in the +radius listener. + +Allowed values: yes, no, auto + +The default is "auto". @@ -193,7 +239,8 @@ client localhost { # ipv6addr = :: proto = * secret = testing123 - require_message_authenticator = no + require_message_authenticator = auto + limit_proxy_state = auto # shortname = localhost limit { max_connections = 16 diff --git a/doc/antora/modules/raddb/pages/dictionary.adoc b/doc/antora/modules/raddb/pages/dictionary.adoc index a755d036146..dc604db8418 100644 --- a/doc/antora/modules/raddb/pages/dictionary.adoc +++ b/doc/antora/modules/raddb/pages/dictionary.adoc @@ -147,7 +147,7 @@ All of the v3 compatibility names are in the RADIUS namespace. #DEFINE My-Local-String string #DEFINE My-Local-IPAddr ipaddr #DEFINE My-Local-Integer integer -#BEGIN-PROTOCOL RADIUS -#$INCLUDE ${dictdir}/radius/alias/cisco.txt -#END-PROTOCOL RADIUS +BEGIN-PROTOCOL RADIUS +$INCLUDE ${dictdir}/radius/alias/microsoft.txt +END-PROTOCOL RADIUS ``` 
diff --git a/doc/antora/modules/raddb/pages/mods-available/delay.adoc b/doc/antora/modules/raddb/pages/mods-available/delay.adoc index 6cdf56a3cf8..b916544104e 100644 --- a/doc/antora/modules/raddb/pages/mods-available/delay.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/delay.adoc @@ -12,7 +12,22 @@ Instead of having a specific "reject delay" configuration, it is instead possible to have a policy that delays the response. TIP: The module can also be used to introduce artificial jitter into -responses. +responses by adding random delays. + +## xlat for delays + +The module also registers an xlat function for delays + +%delay(...) + +This function takes a time-delta argument (or data which is converted to a time-delta), and will delay the given number of seconds. + +.Example + +``` +%delay(0.2s) +``` + diff --git a/doc/antora/modules/raddb/pages/mods-available/eap.adoc b/doc/antora/modules/raddb/pages/mods-available/eap.adoc index f7060efe126..e08e14cbde0 100644 --- a/doc/antora/modules/raddb/pages/mods-available/eap.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/eap.adoc @@ -8,10 +8,10 @@ The `eap` module takes care of all EAP authentication as described in https://to [WARNING] ==== -Whatever you do, do NOT set 'Auth-Type := EAP'. The server is smart enough +Whatever you do, do NOT set 'Auth-Type := ::EAP'. The server is smart enough to figure this out on its own. -The most common side effect of setting 'Auth-Type := EAP' is that the users +The most common side effect of setting 'Auth-Type := ::EAP' is that the users then cannot use ANY other authentication method. ==== @@ -215,7 +215,7 @@ the following sections: |=== More information about the various sections can be found in the virtual server -link:../../../../../../sites-available/tls.adoc[sites-available/tls]. +link:../../../../../../sites-available/tls-cache.adoc[sites-available/tls-cache]. auto_chain:: 
@@ -523,10 +523,6 @@ tls_max_version:: Maximum TLS version we allow. [NOTE] ==== - * Work-arounds for OpenSSL nonsense. OpenSSL 1.0.1f and 1.0.1g do -not calculate the `EAP` keys correctly. The fix is to upgrade -OpenSSL, or to disable TLS 1.2 here. - * SSLv2 and SSLv3 are permanently disabled due to security issues. @@ -690,7 +686,7 @@ allow_not_yet_valid_crl:: Accept a not-yet-valid Certificate Revocation List. Once authentication has completed, the TLS client may be provided with a session ticket which it presents -during the next authentication attempt. +during the next authentication attemp. Presenting a session ticket allows the client to skip the majority of TLS tunnel setup during its next authentication @@ -963,7 +959,7 @@ outer request. This configuration is NOT RECOMMENDED. -include_length:: Whether we include a length field in the TLS header. +include_length:: Whether we include a length fiel in the TLS header. This has the same meaning, and overwrites, the same field in the `tls` configuration, above. The default value here is @@ -1372,7 +1368,7 @@ eap { auth_type = PAP } tls-config tls-common { -# virtual_server = tls +# virtual_server = tls-cache # auto_chain = no chain rsa { # format = "PEM" diff --git a/doc/antora/modules/raddb/pages/mods-available/files.adoc b/doc/antora/modules/raddb/pages/mods-available/files.adoc index 3f26365d5b4..5874ec31d3d 100644 --- a/doc/antora/modules/raddb/pages/mods-available/files.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/files.adoc 
@@ -23,12 +23,27 @@ key:: The default key attribute to use for matches. The content of this attribute is used to match the `name` of the entry. +Note that unlike v4, the key does not have to be a string, but could instead +be an IP address or netmask! For more information, see + +xref:raddb:mods-config/files/users.adoc[users] + filename:: The old `users` style file is now located here. +match_attr:: List and attribute to populate with the `name` of the matched entry. + +Note: the attriubte type should be capable of holding data of the type +used as key values. +Particularly useful if matching IP addresses to subnets, since the populated +value will be the subnet. In that case it is best to use 0.0.0.0/0 in place +of DEFAULT for any catch-all entries. + + + ## An instance of the `files` module for use in processing accounting packets @@ -39,6 +54,7 @@ files { moddir = ${modconfdir}/${.:instance} # key = "%{&Stripped-User-Name || &User-Name}" filename = ${moddir}/authorize +# match_attr = &control.User-Category } files files_accounting { # key = "%{&Stripped-User-Name || &User-Name}" diff --git a/doc/antora/modules/raddb/pages/mods-available/imap.adoc b/doc/antora/modules/raddb/pages/mods-available/imap.adoc index cbb19d298f0..fa45f9a3255 100644 --- a/doc/antora/modules/raddb/pages/mods-available/imap.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/imap.adoc @@ -72,6 +72,10 @@ This configuration option should only be used when the IMAP server being contact is not known ahead of time (using a URL from an external source), and/or the CA used to sign the IMAP server certificate is unknown. +If not set, then whatever libcurl has as its default will be used, which typically +will be the operating system's set of trusted CAs. This will be visible in the debug +output when FreeRADIUS starts. + private_key_file:: PEM formatted file containing the private key for the specified `certificate_file` 
diff --git a/doc/antora/modules/raddb/pages/mods-available/ldap.adoc b/doc/antora/modules/raddb/pages/mods-available/ldap.adoc index b9d8890afd7..56985f96180 100644 --- a/doc/antora/modules/raddb/pages/mods-available/ldap.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/ldap.adoc @@ -201,7 +201,7 @@ e.g: ---- ldap if ((ok || updated) && &User-Password) { - &control.Auth-Type := ldap + &control.Auth-Type := ::ldap } ---- ==== @@ -772,7 +772,7 @@ binds which there can be on a single thread. The rlm_ldap provides the below xlat's functions. -### %ldap.uri.escape(...} +### %ldap.uri.escape(...) Escape a string for use in an LDAP filter or DN. The value will then be marked as safe for use in LDAP URIs and DNs, and will not be escaped or modified. @@ -793,7 +793,7 @@ in LDAP URIs and DNs, and will not be escaped or modified. "The LDAP url is ldap:///ou=profiles,dc=example,dc=com??sub?\28objectClass=radiusprofile\29" ``` -### %ldap.uri.safe(...} +### %ldap.uri.safe(...) Mark a string as safe for use in an LDAP filter or DN. Values marked as safe for use in LDAP URIs will not be escaped or modified, and will be allowed in places where dynamic values are @@ -828,6 +828,27 @@ Unescape a string for use in an LDAP filter or DN. "The LDAP url is ldap:///ou=profiles,dc=example,dc=com??sub?(objectClass=radiusprofile)" ``` +### %ldap.group(...) + +Check whether the current user is a member of a the given group. If the attribute +`control.LDAP-UserDN` exists, that will be used as the "user" object. If it does +not then the user is first looked up using the filter form the `user { }` section +of the module configuration. + +Groups can be specified either as a name or a DN, with a lookup used if necessary +to convert to the required format. + +.Return: _bool_ + +.Example + +[source,unlang] +--- +if (%ldap.group('cn=group1,ou=Groups,dc=example,dc=org')) { + ... +} +--- + == Default Configuration 
diff --git a/doc/antora/modules/raddb/pages/mods-available/linelog.adoc b/doc/antora/modules/raddb/pages/mods-available/linelog.adoc index 1ed7618bf7b..a3b0a8b33d9 100644 --- a/doc/antora/modules/raddb/pages/mods-available/linelog.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/linelog.adoc @@ -141,6 +141,13 @@ a limited range should set this to `yes`. +fsync:: + +Synchronise data written with the file system after every +write, returning fail when the operation fails. + + + The connection pool for TCP and Unix socket connections. @@ -386,6 +393,7 @@ linelog { permissions = 0600 # group = ${security.group} escape_filenames = no + fsync = no } pool { start = 0 diff --git a/doc/antora/modules/raddb/pages/mods-available/mschap.adoc b/doc/antora/modules/raddb/pages/mods-available/mschap.adoc index 076a574838d..63f98e69bb8 100644 --- a/doc/antora/modules/raddb/pages/mods-available/mschap.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/mschap.adoc @@ -435,7 +435,7 @@ mschap { # use_open_directory = yes # allow_retry = yes # retry_msg = "Re-enter (or reset) the password" - attributes { + Xattributes { username = &User-Name chap_challenge = &Vendor-Specific.Microsoft.CHAP-Challenge chap_response = &Vendor-Specific.Microsoft.CHAP-Response @@ -450,13 +450,13 @@ mschap { chap2_cpw = &Vendor-Specific.Microsoft.CHAP2-CPW chap_nt_enc_pw = &Vendor-Specific.Microsoft.CHAP-NT-Enc-PW } -# attributes { -# username = &User-Name -# chap_challenge = &MS-CHAP-Challenge -# chap_response = &MS-CHAP-Response -# chap2_response = &MS-CHAP2-Response -# chap2_success = &Data -# chap_error = &Server-Message -# } + attributes { + username = &User-Name + chap_challenge = &MS-CHAP-Challenge + chap_response = &MS-CHAP-Response + chap2_response = &MS-CHAP2-Response + chap2_success = &MS-CHAP2-Success + chap_error = &MS-CHAP-Error + } } ``` 
diff --git a/doc/antora/modules/raddb/pages/mods-available/perl.adoc b/doc/antora/modules/raddb/pages/mods-available/perl.adoc index 2caad9aa68e..68a93121d38 100644 --- a/doc/antora/modules/raddb/pages/mods-available/perl.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/perl.adoc @@ -81,6 +81,13 @@ want to use function names other than the defaults. +Control which attribute lists are replaced following calls to +the module. +The default is to not replace attribute lists. Only enable +replacement where it is specifically required. + + + config { ... }:: You can define configuration items (and nested sub-sections) in perl `config { ... }` @@ -110,6 +117,12 @@ perl { # func_post_proxy = post_proxy # func_post_auth = post_auth # func_detach = detach + replace { +# request = no +# reply = no +# control = no +# session = no + } # config { # name = "value" # sub-config { diff --git a/doc/antora/modules/raddb/pages/mods-available/radius.adoc b/doc/antora/modules/raddb/pages/mods-available/radius.adoc index 127b9dc2081..b886e41f6bf 100644 --- a/doc/antora/modules/raddb/pages/mods-available/radius.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/radius.adoc @@ -102,6 +102,22 @@ In some cases, such as originating a CoA or Disconnect request, including Proxy-State may confuse the receiving NAS. +require_message_authenticator::Require Message-Authenticator +in responses. + +Including a Message-Authenticator attribute first in response +packet, mitigates against the blastradius prefix attack. + +If value is auto, then if any packet received from the client +contains a valid Message-Authenticator attribute, then the server +will require it from all future packets from that client. + +Allowed values: yes, no, auto + +The default is "no". + + + status_check { ... }:: For "are you alive?" queries. If the home server does not respond to proxied packets, the 
@@ -303,7 +319,7 @@ connection. -requests { ... }:: Per-request configuration. +request { ... }:: Per-request configuration. per_connection_max:: The maximum number of requests @@ -446,6 +462,7 @@ radius { # replicate = no # synchronous = no # originate = no + require_message_authenticator = auto status_check { type = Status-Server # update request { @@ -472,7 +489,7 @@ radius { connection_timeout = 3.0 reconnect_delay = 5 } - requests { + request { per_connection_max = 255 per_connection_target = 255 free_delay = 10 diff --git a/doc/antora/modules/raddb/pages/mods-available/redis_ippool.adoc b/doc/antora/modules/raddb/pages/mods-available/redis_ippool.adoc index ea8cf64a4db..d13198a72b1 100644 --- a/doc/antora/modules/raddb/pages/mods-available/redis_ippool.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/redis_ippool.adoc @@ -21,7 +21,7 @@ Al configuration items at this level (below the `redis` block) are polymorphic, meaning `xlats`, attribute references, literal values and execs may be specified. -For example `pool_nam` could be `pool_name = 'my_test_pool'` if only a +For example `pool_name` could be `pool_name = 'my_test_pool'` if only a single pool were being used. diff --git a/doc/antora/modules/raddb/pages/mods-available/rest.adoc b/doc/antora/modules/raddb/pages/mods-available/rest.adoc index dcbed46c086..40b982f14f5 100644 --- a/doc/antora/modules/raddb/pages/mods-available/rest.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/rest.adoc 
@@ -53,6 +53,10 @@ This configuration option should only be used when the HTTPS server being contac is not known ahead of time (using a URL from an external source), and/or the CA used to sign the HTTPS server certificate is unknown. +If not set, then whatever libcurl has as its default will be used, which typically +will be the operating system's set of trusted CAs. This will be visible in the debug +output when FreeRADIUS starts. + certificate_file:: PEM formatted file containing the certificate we present to the HTTPS server @@ -117,6 +121,16 @@ Default is `no` +keylog_file:: Write out session keys in SSLKEYLOGFILE format + +The SSLKEYLOGFILE format is specified here https://www.ietf.org/archive/id/draft-thomson-tls-keylogfile-00.html. + +The contents of the keylog file allows wireshark captures to be decrypted for debugging purposes. + +Note:: keylog_file is not expanded at runtime. + + + connect_uri:: Base URI used to avoid repetition in sections below. @@ -201,7 +215,7 @@ In the `request { ... }` subsection, the following config items may be listed: may be specified with `body`. Will be expanded. Values from expansion will not be escaped, this should be done using the appropriate `xlat` method e.g. - `%url.quote()` + `%urlquote()` | `auth` | HTTP auth method to use, one of 'none', 'srp', 'basic', | yes 'digest', 'digest-ie', 'gss-negotiate', 'ntlm', 'ntlm-winbind', 'any', 'safe'. defaults to _'none'_. @@ -319,6 +333,8 @@ any calls to this module's `xlat` function. ### Authorize { ... } +Default action when called in `recv` sections except `recv Accounting-Request`. + [options="header,autowidth"] |=== | Code | Meaning | Process body? | Module code 
@@ -336,12 +352,16 @@ any calls to this module's `xlat` function. ### Authenticate { ... } -Same as `Authorize { ... }` +Default action when called in `authenticate` sections. + +Return codes handled the same as `Authorize { ... }` ### Accounting { ... } +Default action when called in `recv Accounting-Request` or `accounting` sections. + [options="header,autowidth"] |=== | Code | Meaning | Process body? | Module code @@ -355,7 +375,9 @@ Same as `Authorize { ... }` ### Post-Auth { ... } -Same as `Accounting { ... }` +Default action when called in `send` sections. + +Return codes handled the same as `Accounting { ... }` @@ -417,6 +439,7 @@ rest { # check_cert = no # check_cert_cn = no # extract_cert_attrs = no +# keylog_file = '/path/to/keylog_file' } connect_uri = "http://127.0.0.1:9090/" # connect_proxy = "socks://127.0.0.1" @@ -427,23 +450,31 @@ rest { tls = ${..tls} } authorize { - uri = "${...connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?section=authorize" - method = 'GET' + request { + uri = "${...connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?section=authorize" + method = 'GET' + } tls = ${..tls} } authenticate { - uri = "${...connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?section=authenticate" - method = 'GET' + request { + uri = "${...connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?section=authenticate" + method = 'GET' + } tls = ${..tls} } accounting { - uri = "${...connect_uri}/user/%{User-Name}/sessions/%{Acct-Unique-Session-ID}" - method = 'POST' + request { + uri = "${...connect_uri}/user/%{User-Name}/sessions/%{Acct-Unique-Session-ID}" + method = 'POST' + } tls = ${..tls} } post-auth { - uri = "${...connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=post-auth" - method = 'POST' + request { + uri = "${...connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=post-auth" + method = 'POST' + } tls = ${..tls} } connection { 
diff --git a/doc/antora/modules/raddb/pages/mods-available/smtp.adoc b/doc/antora/modules/raddb/pages/mods-available/smtp.adoc index 31afa76d6f5..0712503a1f5 100644 --- a/doc/antora/modules/raddb/pages/mods-available/smtp.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/smtp.adoc @@ -77,6 +77,10 @@ This configuration option should only be used when the SMTP server being contact is not known ahead of time (using a URL from an external source), and/or the CA used to sign the SMTP server certificate is unknown. +If not set, then whatever libcurl has as its default will be used, which typically +will be the operating system's set of trusted CAs. This will be visible in the debug +output when FreeRADIUS starts. + private_key_file:: PEM formatted file containing the private key for the specified `certificate_file` diff --git a/doc/antora/modules/raddb/pages/mods-available/sql.adoc b/doc/antora/modules/raddb/pages/mods-available/sql.adoc index 50f7e9ce420..cc9b24198df 100644 --- a/doc/antora/modules/raddb/pages/mods-available/sql.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/sql.adoc @@ -40,6 +40,7 @@ dialect:: The dialect of SQL you want to use. Allowed dialects are: * cassandra + * firebird * mysql * mssql * oracle @@ -66,7 +67,6 @@ we can fix them, |=== | Driver | Dialect | db2 | mssql -| firebird | mssql | freetds | mssql | null | any | unixodbc | mssql @@ -168,7 +168,7 @@ Per-section logging can be disabled by setting "logfile = ''" -query_timeout:: Set the maximum query duration for `mysql` and `cassandra`. +query_timeout:: Set the maximum query duration for `cassandra` and `unixodbc` @@ -347,7 +347,7 @@ please create them and contribute them back to the project. sql { dialect = "sqlite" driver = "${dialect}" - $-INCLUDE ${modconfdir}/sql/driver/${dialect} + $-INCLUDE ${modconfdir}/sql/driver/${driver} # server = "localhost" # port = 3306 # login = "radius" 
diff --git a/doc/antora/modules/raddb/pages/mods-available/tacacs.adoc b/doc/antora/modules/raddb/pages/mods-available/tacacs.adoc index d5661369532..bb79947cf14 100644 --- a/doc/antora/modules/raddb/pages/mods-available/tacacs.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/tacacs.adoc @@ -198,7 +198,7 @@ connection. -requests { ... }:: Per-request configuration. +request { ... }:: Per-request configuration. per_connection_max:: The maximum number of requests @@ -279,7 +279,7 @@ tacacs { connection_timeout = 3.0 reconnect_delay = 5 } - requests { + request { per_connection_max = 255 per_connection_target = 255 free_delay = 10 diff --git a/doc/antora/modules/raddb/pages/radiusd.conf.adoc b/doc/antora/modules/raddb/pages/radiusd.conf.adoc index 099dde22460..28608a13725 100644 --- a/doc/antora/modules/raddb/pages/radiusd.conf.adoc +++ b/doc/antora/modules/raddb/pages/radiusd.conf.adoc @@ -703,7 +703,7 @@ For more documentation on virtual servers, see: == Default Configuration ``` -prefix = /usr/local +prefix = /Users/alandekok/git/wrapper//install exec_prefix = ${prefix} sysconfdir = ${prefix}/etc localstatedir = ${prefix}/var @@ -727,7 +727,7 @@ max_requests = 16384 reverse_lookups = no hostname_lookups = yes log { - destination = files + destination = file colourise = yes # timestamp = no file = ${logdir}/radius.log diff --git a/doc/antora/modules/raddb/pages/radrelay.conf.adoc b/doc/antora/modules/raddb/pages/radrelay.conf.adoc index 5d7786357ac..caf685bc933 100644 --- a/doc/antora/modules/raddb/pages/radrelay.conf.adoc +++ b/doc/antora/modules/raddb/pages/radrelay.conf.adoc @@ -247,7 +247,7 @@ as prefix/suffix stripping, or comparisons. == Default Configuration ``` -prefix = /usr/local +prefix = /Users/alandekok/git/wrapper//install exec_prefix = ${prefix} sysconfdir = ${prefix}/etc localstatedir = ${prefix}/var 
diff --git a/doc/antora/modules/raddb/pages/sites-available/abfab-tr-idp.adoc b/doc/antora/modules/raddb/pages/sites-available/abfab-tr-idp.adoc index 20644fe11c5..9794cd23b3e 100644 --- a/doc/antora/modules/raddb/pages/sites-available/abfab-tr-idp.adoc +++ b/doc/antora/modules/raddb/pages/sites-available/abfab-tr-idp.adoc @@ -53,7 +53,7 @@ For EAP requests. -.Please see the link:../mods-available/expiration.adoc[mods-available/expiration] for full documentation. +.Please see the link:../../../../../../mods-available/expiration.adoc[mods-available/expiration] for full documentation. diff --git a/doc/antora/modules/raddb/pages/sites-available/challenge.adoc b/doc/antora/modules/raddb/pages/sites-available/challenge.adoc index d707fc0d492..f1d5bc703aa 100644 --- a/doc/antora/modules/raddb/pages/sites-available/challenge.adoc +++ b/doc/antora/modules/raddb/pages/sites-available/challenge.adoc @@ -57,11 +57,11 @@ server challenge { } recv Access-Request { if (!&State) { - &control.Auth-Type := Step1 + &control.Auth-Type := ::Step1 &control.Password.Cleartext := "hello" } else { - &control.Auth-Type := Step2 + &control.Auth-Type := ::Step2 &control.Password.Cleartext := &session-state.challenge-string } } diff --git a/doc/antora/modules/raddb/pages/sites-available/check-eap-tls.adoc b/doc/antora/modules/raddb/pages/sites-available/check-eap-tls.adoc index e3bbdc55d40..1d257f131cb 100644 --- a/doc/antora/modules/raddb/pages/sites-available/check-eap-tls.adoc +++ b/doc/antora/modules/raddb/pages/sites-available/check-eap-tls.adoc @@ -33,7 +33,7 @@ hit external services such as sql or ldap. Authorize - this is the only section required. -To accept the access request, set Auth-Type = Accept, otherwise +To accept the access request, set Auth-Type = ::Accept, otherwise set it to Reject. 
@@ -100,23 +100,23 @@ Post-Auth REJECT sections to log reply packet details, too. ``` server check-eap-tls { recv Access-Request { - &control.Auth-Type := Accept + &control.Auth-Type := ::Accept # if ("%{session-state.TLS-Client-Cert-Common-Name}" == 'client.example.com') { -# &control.Auth-Type := Accept +# &control.Auth-Type := ::Accept # } # else { -# &control.Auth-Type := Reject +# &control.Auth-Type := ::Reject # &reply.Reply-Message := "Your certificate is not valid." # } # if (&User-Name == "host/%{session-state.TLS-Client-Cert-Common-Name}") { -# &control.Auth-Type := Accept +# &control.Auth-Type := ::Accept # } # else { -# &control.Auth-Type := Reject +# &control.Auth-Type := ::Reject # } # ldap # if (!(Ldap-Group == "Permitted-Laptops")) { -# &control.Auth-Type := Reject +# &control.Auth-Type := ::Reject # } # files auth_log diff --git a/doc/antora/modules/raddb/pages/sites-available/default.adoc b/doc/antora/modules/raddb/pages/sites-available/default.adoc index dee2614af8b..4396bccdf74 100644 --- a/doc/antora/modules/raddb/pages/sites-available/default.adoc +++ b/doc/antora/modules/raddb/pages/sites-available/default.adoc 
@@ -205,6 +205,58 @@ does not accept those packets from the network. +require_message_authenticator::Require Message-Authenticator +in Access-Requests. + +https://tools.ietf.org/html/rfc5080[RFC 5080] suggests that all clients *should* include it in an +Access-Request. The configuration item below allows the server +to require it. If a client is required to include a `link:https://freeradius.org/rfc/rfc2869.html#Message-Authenticator[Message-Authenticator]` +and it does not, then the packet will be silently discarded. + +If value is auto, then if any packet received from the client +contains a valid Message-Authenticator attribute, then the server +will require it from all future packets from that client. + +Allowed values: yes, no, auto + +The default is "no". + + + +limit_proxy_state:: Control whether Proxy-State is allowed in +packets from this client which do not have a Message-Authenticator. + +The blastradius prefix attack allows an attacker to manipulate +the contents of response packets without knowing the shared secret. + +The attack relies on controlling a portion of the data sent back +in the response by the RADIUS server. As Proxy-State is always +echoed back verbatim from the request, it can be leveraged to +manipulate the data sent back from the server and facilitate the +attack. + +The attack also relies on defficiencies in the original RADIUS +standards that provided no integrity protection for Access-Requests. + +The attack is mitigated by requiring the Message-Authenticator, +which contains a HMAC over the entire request, preventing +modification of the request by the attacker. + +If value is auto, and the first packet received from the client +does not contain a Proxy-State attribute, Proxy-State will be +disallowed in any future packets which do not contain a +Message-Authenticator. + +This provides some level of protection against the blastradius +attack, without requiring Message-Authenticator, or breaking +existing deployments. 
+ +Allowed values: yes, no, auto + +The default is "auto". + + + limit:: limits for this socket. The `limit` section contains configuration items @@ -599,14 +651,14 @@ link:../../../../../../mods-available/detail.log.adoc[mods-available/detail.log] -The `chap` module will set `Auth-Type := CHAP` if the +The `chap` module will set `Auth-Type := ::CHAP` if the packet contains a `link:https://freeradius.org/rfc/rfc2865.html#CHAP-Challenge[CHAP-Challenge]` attribute. The module does this only if the `Auth-Type` attribute has not already been set. -The `mschap` module will set `Auth-Type := mschap` if the +The `mschap` module will set `Auth-Type := ::mschap` if the packet contains an `link:https://freeradius.org/rfc/rfc2548.html#MS-CHAP-Challenge[MS-CHAP-Challenge]` attribute. The module does this only if the `Auth-Type` attribute has not already been set. @@ -702,7 +754,7 @@ If the account has not expired, set `link:https://freeradius.org/rfc/rfc2865.htm -The `pap` module will set `Auth-Type := PAP` if the +The `pap` module will set `Auth-Type := ::PAP` if the packet contains a `link:https://freeradius.org/rfc/rfc2865.html#User-Password[User-Password]` attribute. The module does this only if the `Auth-Type` attribute has not already been set. 
@@ -747,11 +799,11 @@ erroneously setting the `Auth-Type` attribute is that one authentication method will work, but all of the others will not. The common reasons to set the `Auth-Type` attribute by hand are -to forcibly reject the user (`Auth-Type := Reject`), to or -forcibly accept the user (`Auth-Type := Accept`), or for +to forcibly reject the user (`Auth-Type := ::Reject`), to or +forcibly accept the user (`Auth-Type := ::Accept`), or for proxying. -Note that `Auth-Type := Accept` will NOT work with EAP. The EAP +Note that `Auth-Type := ::Accept` will NOT work with EAP. The EAP authentication protocol uses a series of handshake messages. All of the messages must be exchanged correctly in order for EAP authentication to succeed. Bypassing that process with `Auth-Type @@ -882,7 +934,7 @@ there are additional things that can be done. If you need to have a State attribute, you can add it here. e.g. for later CoA-Request with State, and -Service-Type = Authorize-Only. +Service-Type = ::Authorize-Only. @@ -1051,35 +1103,12 @@ An Accounting-Request packet has been received. Decide which accounting type to use. - Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets into a single 64-bit counter, Acct-[Input|Output]-Octets64. -Session start times are *implied* in RADIUS. The NAS -never sends a "start time". Instead, it sends a start -packet, *possibly* with an Acct-Delay-Time. The server -is supposed to conclude that the start time was -"Acct-Delay-Time" seconds in the past. - -The unlang below creates an explicit start time, which -can then be used in other modules. It will be *mostly* -correct. Any errors are due to the 1-second resolution -of RADIUS, and the possibility that the time on the NAS -may be off. - -The start time is: NOW - delay - session_length - - - -The packet should have a timestamp. If not, use "now" from the server. - - - - - Ensure that we have a semi-unique identifier for every request, as many NAS boxes are broken. 
@@ -1264,6 +1293,8 @@ server default {
 type = Access-Request
 type = Status-Server
 transport = udp
+ require_message_authenticator = auto
+ limit_proxy_state = auto
 limit {
 max_clients = 256
 max_connections = 256
@@ -1435,15 +1466,7 @@ send Access-Reject {
 delay_reject
 }
 recv Accounting-Request {
- do_not_respond
- return
 # acct_counters64
-# &request.FreeRADIUS-Acct-Session-Start-Time = "%{(&Event-Timestamp || %l) - &Acct-Session-Time - &Acct-Delay-Time}"
- if (!&Event-Timestamp) {
- &request.Event-Timestamp := %{%l() - &Acct-Delay-Time}
- } elsif (!&Acct-Delay-Time && &request.Event-Timestamp && (&request.Event-Timestamp < %l())) {
- &request.Acct-Delay-Time := %{%l() - &Event-Timestamp}
- }
 acct_unique
 files_accounting
 }
diff --git a/doc/antora/modules/raddb/pages/sites-available/detail.adoc b/doc/antora/modules/raddb/pages/sites-available/detail.adoc
index 42080194641..9a3b1a271dd 100644
--- a/doc/antora/modules/raddb/pages/sites-available/detail.adoc
+++ b/doc/antora/modules/raddb/pages/sites-available/detail.adoc
@@ -210,6 +210,13 @@ A special value of "0" means "retransmit forever".
 The detail file reader runs the normal RADIUS / DHCP / etc. processing sections.
+If there's an Acct-Delay-Time, increase its value based on the
+difference between when the packet was written, and the current time.
+
+Note that we do NOT rely on any Event-Timestamp in the original packet,
+it could be wrong.
+
+
 We handled the packet successfully. Run the "send ok" section.
@@ -271,12 +278,12 @@ server detail {
 }
 }
 recv Accounting-Request {
+ if (&Acct-Delay-Time) {
+ &Acct-Delay-Time += %l - &Packet-Original-Timestamp
+ }
 if (!&Event-Timestamp) {
 &Event-Timestamp := &Packet-Original-Timestamp
 }
- if (&Event-Timestamp < %c) {
- &request.Acct-Delay-Time += %c - &Event-Timestamp
- }
 ok
 }
 send Accounting-Response {
diff --git a/doc/antora/modules/raddb/pages/sites-available/dhcp.adoc b/doc/antora/modules/raddb/pages/sites-available/dhcp.adoc
index e82de992248..8d874482e27 100644
--- a/doc/antora/modules/raddb/pages/sites-available/dhcp.adoc
+++ b/doc/antora/modules/raddb/pages/sites-available/dhcp.adoc
@@ -39,6 +39,13 @@ what you're doing.
 Even if nothing is configured below, the server may still NAK legitimate responses from clients. This is also the destination port when sending to a giaddr.
+The port to which server -> client messages should be sent.
+This should be 68 on a production network, though other ports
+can be useful for testing.
+
+If this is not set then server -> client replies will be sent
+to the source port of the client -> server request.
+
 Interface name we are listening on. See comments above. source IP address for unicast packets sent by the
@@ -50,7 +57,6 @@ address:
 src_ipaddr ipaddr
- reply.Server-IP-Address
 reply.Server-Identifier
@@ -282,6 +288,7 @@ listen {
 udp {
 ipaddr = 127.0.0.1
 port = 6700
+ client_port = 68
 # interface = lo0
 # src_ipaddr = 127.0.0.1
 broadcast = no
@@ -299,6 +306,7 @@ recv Discover {
 # ok
 }
 recv Request {
+ files_dhcp
 &control.Server-Identifier = 192.0.2.1
 if (&request.Server-Identifier && \
 &request.Server-Identifier != &control.Server-Identifier) {
diff --git a/doc/antora/modules/raddb/pages/sites-available/dynamic-clients.adoc b/doc/antora/modules/raddb/pages/sites-available/dynamic-clients.adoc
index 90a7107901e..06da256e3ae 100644
--- a/doc/antora/modules/raddb/pages/sites-available/dynamic-clients.adoc
+++ b/doc/antora/modules/raddb/pages/sites-available/dynamic-clients.adoc
@@ -192,6 +192,7 @@ the request just received
 require_message_authenticator
+ shortname
 nas_type
@@ -272,6 +273,7 @@ server dynamic_clients {
 &control += {
 &FreeRADIUS-Client-IP-Address = "%{Net.Src.IP}"
 &FreeRADIUS-Client-Require-MA = no
+ &FreeRADIUS-Client-Limit-Proxy-State = "auto"
 &FreeRADIUS-Client-Secret = "testing123"
 &FreeRADIUS-Client-Shortname = "%{Net.Src.IP}"
 &FreeRADIUS-Client-NAS-Type = "other"
diff --git a/doc/antora/modules/raddb/pages/sites-available/inner-tunnel.adoc b/doc/antora/modules/raddb/pages/sites-available/inner-tunnel.adoc
index 50f2d4da50c..14a98a8003d 100644
--- a/doc/antora/modules/raddb/pages/sites-available/inner-tunnel.adoc
+++ b/doc/antora/modules/raddb/pages/sites-available/inner-tunnel.adoc
@@ -56,13 +56,13 @@ can't spoof us by using incompatible identities
-The chap module will set 'Auth-Type := CHAP' if we are
+The chap module will set 'Auth-Type := ::CHAP' if we are
 handling a CHAP request and Auth-Type has not already been set If the users are logging in with an MS-CHAP-Challenge attribute for authentication, the mschap module will find
-the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
+the MS-CHAP-Challenge attribute, and add 'Auth-Type := ::MS-CHAP'
 to the request, which will cause the server to then use the mschap module for authentication.
@@ -125,7 +125,7 @@ Authentication.
 This section lists which modules are available for authentication. Note that it does NOT mean 'try each module in order'. It means that a module from the 'authorize' section adds a configuration
-attribute 'Auth-Type := FOO'. That authentication type is then
+attribute 'Auth-Type := ::FOO'. That authentication type is then
 used to pick the appropriate module from the list below.
diff --git a/doc/antora/modules/raddb/pages/sites-available/load.adoc b/doc/antora/modules/raddb/pages/sites-available/load.adoc
index acd06f78ae4..a4e7997097d 100644
--- a/doc/antora/modules/raddb/pages/sites-available/load.adoc
+++ b/doc/antora/modules/raddb/pages/sites-available/load.adoc
@@ -35,6 +35,44 @@ same format as used by `radclient`.
 Where the statistics file goes, in CSV format.
+One line will be written to the file for each
+second of the load generation run.
+
+Each line will contain the following columns:
+- time - since the test started running
+- last_packet - The last time we added a request
+ to the backlog.
+- rtt - Round Trip Time i.e. the average delay
+ between a request and response. This is a
+ moving average in nanoseconds.
+- rttvar - Round Trip Time variance. Moving
+ average of the range between the smallest RTT
+ and largest RTT. The value is in nanoseconds.
+- pps - Packets per second. The maximum packet
+ rate we're aiming for with this "step". The
+ load generator increases the load periodically
+ in "steps".
+- pps_accepted - Packets per second. Rate of
+ response packets received.
+- sent - How many packets have been generated
+ by the load generation module from the start of
+ the run.
+- received - How many packets received since the
+ start of the run.
+- backlog - How many requests are awaiting
+ responses.
+- backlog_max - The largest the backlog has been
+ since the start of the run.
+- = 1us < 10us since
+ the start of the run.
+- 100us, ms, 10ms, 100ms, s are all similar
+ latency bins.
+- blocked - 1 = true, 0 = false. We're refusing
+ to enqueue more packets until we get responses
+ to the outstanding requests.
 How many packets/s to start with.
diff --git a/doc/antora/modules/raddb/pages/sites-available/status.adoc b/doc/antora/modules/raddb/pages/sites-available/status.adoc
index 8a2daf7b00b..a1cf0d620f4 100644
--- a/doc/antora/modules/raddb/pages/sites-available/status.adoc
+++ b/doc/antora/modules/raddb/pages/sites-available/status.adoc
@@ -74,7 +74,7 @@ server status {
 secret = adminsecret
 }
 recv Status-Server {
- status
+ stats
 ok
 }
 }
diff --git a/doc/antora/modules/raddb/pages/sites-available/tls-cache.adoc b/doc/antora/modules/raddb/pages/sites-available/tls-cache.adoc
index 2ed04968dd3..3bbbc2c731d 100644
--- a/doc/antora/modules/raddb/pages/sites-available/tls-cache.adoc
+++ b/doc/antora/modules/raddb/pages/sites-available/tls-cache.adoc
@@ -14,6 +14,19 @@ the following attributes are also created in the session-state list:
+This section can be run to verify a client certificate if
+additional checks need to be performed beyond standard
+checks verification against a trust chain, CRLs and OCSP.
+
+Attributes extracted from the certificates forming the
+client certificate chain will be in the session state list.
+
+Returning 'ok', 'updated' or 'noop' will cause the verification
+to succeed. Other return codes will cause the verification
+to fail.
+
+
+
 This section is run whenever the server needs to read an entry from the TLS session cache.
@@ -95,16 +108,19 @@ and will just cause the server to emit a warning.
 # TLS-Client-Cert-Common-Name
 # TLS-Client-Cert-Subject-Alt-Name-Email
 server tls-cache {
- namespace = tls_cache
- load tls-session {
+ namespace = tls
+ verify certificate {
+ ok
+ }
+ load session {
 &control.Cache-Allow-Insert := no
 cache_tls_session
 }
- store tls-session {
+ store session {
 &control.Cache-TTL := 0
 cache_tls_session
 }
- clear tls-session {
+ clear session {
 &control.Cache-TTL := 0
 &control.Cache-Allow-Insert := no
 cache_tls_session