From: Alan T. DeKok Date: Fri, 31 May 2024 12:06:34 +0000 (-0400) Subject: regenerate from source X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=652dfbcd238cc3403af9408f2ee4051ba21644db;p=thirdparty%2Ffreeradius-server.git regenerate from source --- diff --git a/doc/antora/modules/raddb/pages/mods-available/cache.adoc b/doc/antora/modules/raddb/pages/mods-available/cache.adoc index d92c55fdebe..f4935f66590 100644 --- a/doc/antora/modules/raddb/pages/mods-available/cache.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/cache.adoc @@ -273,6 +273,7 @@ cache.status:: Verify if an entry already exists without load the entries. | Return | Description | `ok` | if a cache entry was found. | `notfound` | if no cache entry was found. +| `fail` | if the cache was unavailable. |=== cache.load:: Load an existing cache entry and merge it into the request. @@ -282,16 +283,27 @@ cache.load:: Load an existing cache entry and merge it into the request. | Return | Description | `updated` | if a cache entry was found and loaded. | `notfound` | if no cache entry was found. +| `fail` | if the cache was unavailable. |=== -cache.store:: Perform an upset against the data store. (Not affect the existing -request). +cache.update:: Perform an upsert against the data store, updating the entry TTL [options="header,autowidth"] |=== | Return | Description | `updated` | if we added cache entry. -| `noop` | if a cache entry ready exists. +| `fail` | if the cache was unavailable. +|=== + +cache.store:: Inserts data into the cache if, and only if, it is not already present +Will not update the entry TTL. + +[options="header,autowidth"] +|=== +| Return | Description +| `updated` | we created or updated a cache entry. +| `noop` | if a cache entry aready existed. +| `fail` | if the cache was unavailable. |=== cache.clear:: Delete cache entry from the data store without checking if the entry 
@@ -300,8 +312,9 @@ already exists. [options="header,autowidth"] |=== | Return | Description -| `ok` | if we found and remove a entry. +| `ok` | if we found and removed a entry. | `notfound` | if no cache entry was found. +| `fail` | if the cache was unavailable. |=== cache.ttl:: Change the TTL on an existing entry. @@ -311,6 +324,7 @@ cache.ttl:: Change the TTL on an existing entry. | Return | Description | `updated` | if we found entry and updated the ttl. | `notfound` | if no cache entry was found. +| `fail` | if the cache was unavailable. |=== ### Examples diff --git a/doc/antora/modules/raddb/pages/mods-available/files.adoc b/doc/antora/modules/raddb/pages/mods-available/files.adoc index 073d3badb43..3f26365d5b4 100644 --- a/doc/antora/modules/raddb/pages/mods-available/files.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/files.adoc @@ -27,22 +27,10 @@ The content of this attribute is used to match the `name` of the entry. filename:: The old `users` style file is now located here. -If no other filenames are specified, the module uses this file. +## An instance of the `files` module for use in processing accounting packets -Optional files - -The following filenames are optional. - - -recv_filename:: The file to run in any "recv" section - -send_filename:: The file to run in any "send" section - -auth_filename:: The file to run in any "authenticate" section - -acct_filename:: The file to run in any "recv Accounting-Request" section == Default Configuration @@ -51,9 +39,9 @@ files { moddir = ${modconfdir}/${.:instance} # key = "%{&Stripped-User-Name || &User-Name}" filename = ${moddir}/authorize -# recv_filename = ${moddir}/recv -# send_filename = ${moddir}/send -# auth_filename = ${moddir}/authenticate -# acct_filename = ${moddir}/accounting +} +files files_accounting { +# key = "%{&Stripped-User-Name || &User-Name}" + filename = ${modconfdir}/files/accounting } ``` 
diff --git a/doc/antora/modules/raddb/pages/mods-available/ldap.adoc b/doc/antora/modules/raddb/pages/mods-available/ldap.adoc index 95d28b19ce3..b9d8890afd7 100644 --- a/doc/antora/modules/raddb/pages/mods-available/ldap.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/ldap.adoc @@ -165,6 +165,9 @@ Request and list qualifiers may be placed after the `update` section name to set default destination requests/lists for `s` with no list qualifiers. +These attribute maps are applied _before_ any profiles, meaning that +the values here can be referenced in profiles using expansions. + NOTE: LDAP attribute names should be single quoted unless you want the name to be derived from an xlat expansion, or an attribute ref. @@ -259,6 +262,13 @@ realm:: SASL realm. Used for kerberos. password_attribute:: Which attribute in the request should be used as the password when performing user binds. +Note that Active Directory will allow unauthenticated user binds by default! + +You can fix this by choosing the "ADSI Edit" command from the Server Manager's Tools menu. +Then, open the Configuration subtree, and then open the properties of the `CN=Directory +Service, CN=Windows NT, CN=Services, CN=Configuration` object. Modify the +`msDS-Other-Settings` attribute, and add a new entry for `DenyUnauthenticatedBind=1`. + scope:: Search scope, may be `base`, `one`, `sub' or `children`. @@ -325,6 +335,13 @@ to indicate that the user should be suspended. +expect_password:: When set to no, disable warnings for missing password +attributes in user objects returned from LDAP. This is useful for +ISP environments where some subscribers have passwords set, and others +do not (e.g. mixed IPoE and PPPoE). + + + ### User membership checking 
@@ -418,6 +435,17 @@ group_attribute:: Override the normal group comparison attribute name +skip_on_suspend:: + +Don't process user groups if the user has been suspended. +If set to 'no', groups will still be processed. + +Groups are never processed for disabled users. + +Defaults to 'yes'. + + + ### User profiles RADIUS profile objects contain sets of attributes to insert into the request. @@ -452,7 +480,7 @@ is successful. -attribute_suspended: The LDAP attribute containing profile DNs to apply +attribute_suspend: The LDAP attribute containing profile DNs to apply in addition to the default profile above, when the user account is in the suspended state @@ -746,7 +774,8 @@ The rlm_ldap provides the below xlat's functions. ### %ldap.uri.escape(...} -Escape a string for use in an LDAP filter or DN. +Escape a string for use in an LDAP filter or DN. The value will then be marked as safe for use +in LDAP URIs and DNs, and will not be escaped or modified. .Return: _string_ @@ -764,6 +793,21 @@ Escape a string for use in an LDAP filter or DN. "The LDAP url is ldap:///ou=profiles,dc=example,dc=com??sub?\28objectClass=radiusprofile\29" ``` +### %ldap.uri.safe(...} + +Mark a string as safe for use in an LDAP filter or DN. Values marked as safe for use in LDAP +URIs will not be escaped or modified, and will be allowed in places where dynamic values are +usually prohibited. + +.Return: _string_ + +.Example + +[source,unlang] +---- +&my-int := "%ldap.profile(ldap://%ldap.uri.safe(%{LDAP-Host}):%ldap.uri.safe(%{LDAP-Port})/ou=profiles,dc=example,dc=com??sub?(objectClass=radiusprofile)" +---- + ### %ldap.uri.unescape(...) Unescape a string for use in an LDAP filter or DN. @@ -832,6 +876,7 @@ ldap { # access_positive = yes # access_value_negate = 'false' # access_value_suspend = 'suspended' +# expect_password = no } group { base_dn = "${..base_dn}" 
@@ -845,13 +890,14 @@ ldap { # cache_attribute = 'LDAP-Cached-Membership' # allow_dangling_group_ref = 'no' group_attribute = "${..:instance}-Group" + skip_on_suspend = 'yes' } profile { # filter = '(objectclass=radiusprofile)' # scope = 'base' # default = 'cn=radprofile,dc=example,dc=org' # attribute = 'radiusProfileDn' -# attribute_suspended = 'radiusProfileDn' +# attribute_suspend = 'radiusProfileDn' } accounting { reference = "%tolower(type.%{Acct-Status-Type})" diff --git a/doc/antora/modules/raddb/pages/mods-available/linelog.adoc b/doc/antora/modules/raddb/pages/mods-available/linelog.adoc index 99264c5918f..1ed7618bf7b 100644 --- a/doc/antora/modules/raddb/pages/mods-available/linelog.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/linelog.adoc @@ -350,6 +350,22 @@ Don't log anything for these packets. Don't log anything for other `link:https://freeradius.org/rfc/rfc2866.html#Acct-Status-Type[Acct-Status-Type]` 's. + +## Authentication success / failure logging + +A set of sample module instances which can replace the previous builtin auth log messages + +The destination settings here pick up from the main radiusd.conf values, but can be +amended if these logs need to be sent to a different destination. + + + + + + + + + == Default Configuration ``` 
@@ -419,4 +435,48 @@ linelog log_accounting { unknown = "NAS %{Net.Src.IP} (%{&NAS-IP-Address || &NAS-IPv6-Address}) sent unknown Acct-Status-Type %{Acct-Status-Type}" } } +linelog log_auth_access_accept { + destination = ${log.destination} + file { + filename = ${log.file} + } + syslog { + facility = ${log.syslog_facility} + severity = notice + } + format = "Login OK: [%{User-Name}] (from %client(shortname) port %{NAS-Port} cli %{Calling-Station-Id})" +} +linelog log_auth_access_reject { + destination = ${log.destination} + file { + filename = ${log.file} + } + syslog { + facility = ${log.syslog_facility} + severity = notice + } + format = "Login incorrect (%{Module-Failure-Message}): [%{User-Name}] (from %client(shortname) port %{NAS-Port} cli %{Calling-Station-Id})" +} +linelog log_auth_authentication_pass { + destination = ${log.destination} + file { + filename = ${log.file} + } + syslog { + facility = ${log.syslog_facility} + severity = notice + } + format = "Login OK: [%{User-Name}] (from client %client(shortname))" +} +linelog log_auth_authentication_fail { + destination = ${log.destination} + file { + filename = ${log.file} + } + syslog { + facility = ${log.syslog_facility} + severity = notice + } + format = "Login incorrect (%{Module-Failure-Message}): [%{User-Name}] (from %client(shortname))" +} ``` diff --git a/doc/antora/modules/raddb/pages/mods-available/mschap.adoc b/doc/antora/modules/raddb/pages/mods-available/mschap.adoc index 6a41f32610a..076a574838d 100644 --- a/doc/antora/modules/raddb/pages/mods-available/mschap.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/mschap.adoc 
@@ -448,7 +448,7 @@ mschap { mppe_encryption_policy = &Vendor-Specific.Microsoft.MPPE-Encryption-Policy mppe_encryption_types = &Vendor-Specific.Microsoft.MPPE-Encryption-Types chap2_cpw = &Vendor-Specific.Microsoft.CHAP2-CPW - chap_nt_enc_pw = & Vendor-Specific.Microsoft.CHAP-NT-Enc-PW + chap_nt_enc_pw = &Vendor-Specific.Microsoft.CHAP-NT-Enc-PW } # attributes { # username = &User-Name diff --git a/doc/antora/modules/raddb/pages/mods-available/pap.adoc b/doc/antora/modules/raddb/pages/mods-available/pap.adoc index e3659dd7d42..d5ebe5e0216 100644 --- a/doc/antora/modules/raddb/pages/mods-available/pap.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/pap.adoc @@ -65,8 +65,8 @@ as to which one is used for authentication. NOTE: It is important to understand the difference between the `link:https://freeradius.org/rfc/rfc2865.html#User-Password[User-Password]` and `Password.Cleartext` attributes. The `Password.Cleartext` attribute is -the *"known good"* password for the user. Simply supplying the Cleart-ext-Password -to the server will result in most authentication methods working. The `link:https://freeradius.org/rfc/rfc2865.html#User-Password[User-Password]` +the *"known good"* password for the user. Simply supplying the `Password.Cleartext` +to the server will result in most authentication methods working. The `link:https://freeradius.org/rfc/rfc2865.html#User-Password[User-Password]` attribute is the password as typed in by the user on their private machine. The two are not the same, and should be treated very differently. That is, you should generally not use the `link:https://freeradius.org/rfc/rfc2865.html#User-Password[User-Password]` attribute anywhere in the RADIUS configuration. diff --git a/doc/antora/modules/raddb/pages/mods-available/python.adoc b/doc/antora/modules/raddb/pages/mods-available/python.adoc index 4a9149bf845..c3bb5ab4687 100644 --- a/doc/antora/modules/raddb/pages/mods-available/python.adoc 
+++ b/doc/antora/modules/raddb/pages/mods-available/python.adoc @@ -19,6 +19,14 @@ items which control the Python path. +[NOTE] +==== +See `raddb/global.d/python` for configuration items that affect the +python interpreter globally, such as the Python path. +==== + + + ## Configuration Settings The Python API `threading.local()` may be used store thread diff --git a/doc/antora/modules/raddb/pages/mods-available/smtp.adoc b/doc/antora/modules/raddb/pages/mods-available/smtp.adoc index df5d92d2a92..31afa76d6f5 100644 --- a/doc/antora/modules/raddb/pages/mods-available/smtp.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/smtp.adoc @@ -175,6 +175,16 @@ from the SMTP server. +username_attribute:: Which attribute in the request should be used as +the user's username when performing SMTP authentication. + + + +password_attribute:: Which attribute in the request should be used as +the user's password when performing SMTP authentication. + + + username:: User name to use when sending emails. Can be a fixed string or an attribute. Leave unset if authentication is not required to send emails. @@ -309,6 +319,8 @@ smtp { } uri = "smtp://192.0.20.1/" timeout = 5s +# username_attribute = &User-Name +# password_attribute = &User-Password # username = "user" # password = "secret" template_directory = raddb/mods_config/smtp diff --git a/doc/antora/modules/raddb/pages/mods-available/sql.adoc b/doc/antora/modules/raddb/pages/mods-available/sql.adoc index fe13028177b..50f7e9ce420 100644 --- a/doc/antora/modules/raddb/pages/mods-available/sql.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/sql.adoc 
@@ -144,6 +144,19 @@ Default is `yes`. +read_profiles:: Read the user profile attributes from the database. + +Following `check` and `reply` item handling and, depending on the `read_groups` option +and `Fall-Through` value, groups processing, the SQL module will treat values of the +`User-Profile` attributes in the control list as additional groups that the user belongs +to and repeat the group `check` and `reply` processing. + +If set to `yes`, we process the user profiles unless `Fall-Through = no` in the reply list. +If set to `no`, we do not process the user profiles unless `Fall-Through = yes` in the reply list. + +Default is `yes`. + + logfile:: Write SQL queries to a logfile. This is potentially useful for tracing issues with authorization queries. @@ -352,6 +365,7 @@ sql { groupreply_table = "radgroupreply" usergroup_table = "radusergroup" # read_groups = yes +# read_profile = yes # logfile = ${logdir}/sqllog.sql # query_timeout = 5 pool { diff --git a/doc/antora/modules/raddb/pages/mods-available/sqlcounter.adoc b/doc/antora/modules/raddb/pages/mods-available/sqlcounter.adoc index 2805a90af6b..6b6af178c27 100644 --- a/doc/antora/modules/raddb/pages/mods-available/sqlcounter.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/sqlcounter.adoc 
@@ -67,23 +67,41 @@ from the database. reset_period_start_name:: The name of the attribute which is used to store the time that the current reset period started. -The default is `&control.${.:instance}-Start` +The default is `&control.${.:instance}-Reset-Start` Note because we are counting seconds, this attribute is of type `uint64`, and not `date`. reset_period_end_name:: The name of the attribute which is used to store the time that the current reset period will end. -The default is `&control.${.:instance}-End` +The default is `&control.${.:instance}-Reset-End` Note because we are counting seconds, this attribute is of type `uint64`, and not `date`. -counter_name:: Name of the `check` attribute to use to access the counter in -the `users` file or SQL `radcheck` or `radgroupcheck` tables. +counter_name:: Name of the attribute to add to the `control` list with the current +value of the counter. After the sqlcounter module has run, the counter attribute will exist. +check_name:: Name of the attribute containing the limit to compare the counter to. + +reply_name:: Name of the attribute to populate with the remaining session time. +e.g. `&reply.Session-Timeout`. If the attribute already exists and contains +a lower value, then it will not be updated. + +reply_message_name:: Name of the attribute into which a message should be placed +if the limit has been exceeded for the counter. + +auto_extend:: If set to `yes` and the remaining session time goes past the time for +the next counter reset, the value in the `reply_name` attribute will be set to +the time to the next reset plus the value of the `check_name` attribute. +This is most useful if the limit is a time based one, and, for example, +`link:https://freeradius.org/rfc/rfc2865.html#Session-Timeout[Session-Timeout]` is the `reply_name` attribute. 
If there is sufficient allocation +left for the session to get to the next counter period, the user will not have +to re-authenticate before they have used their allocation for the next counter period. + +utc:: Use UTC for calculating the period start and end values. ## Configuration Settings @@ -141,7 +159,9 @@ sqlcounter dailycounter { counter_name = &control.Daily-Session-Time check_name = &control.Max-Daily-Session reply_name = &reply.Session-Timeout + auto_extend = yes key = "%{&Stripped-User-Name || &User-Name}" + reply_message_name = &Reply-Message reset = daily $INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf } @@ -151,6 +171,7 @@ sqlcounter monthlycounter { counter_name = &Monthly-Session-Time check_name = &control.Max-Monthly-Session reply_name = &reply.Session-Timeout + auto_extend = yes key = &User-Name reset = monthly $INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf diff --git a/doc/antora/modules/raddb/pages/mods-available/sqlippool.adoc b/doc/antora/modules/raddb/pages/mods-available/sqlippool.adoc index ad56225e221..d9289277275 100644 --- a/doc/antora/modules/raddb/pages/mods-available/sqlippool.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/sqlippool.adoc @@ -36,7 +36,7 @@ offer_duration:: DHCP offer duration. -pool_name: The attribute in the `control` list which contains the pool name. +pool_name: The attribute which contains the pool name. 
@@ -63,21 +63,21 @@ limited to one per user/serial. For RADIUS the owner will likely be specified by: - * `%{radius.Calling-Station-Id}` which binds the lease to the mac address + * `%{Calling-Station-Id}` which binds the lease to the mac address of the user's device. For RADIUS this is almost always the better option as it can allow the user's device to move between NAS. - * `%{radius.NAS-Port}` which binds the lease to a given port on the NAS. + * `%{NAS-Port}` which binds the lease to a given port on the NAS. i.e. any device on that port can modify the lease. This should only be used when the port is constant for the length of the session (nearly everywhere except 802.11 wireless). For DHCPv4 the owner will likely be specified by: - * `%{dhcpv4.Client-Hardware-Address}` which binds the lease to the + * `%{Client-Hardware-Address}` which binds the lease to the mac address of the user's device. - * `%{&dhcpv4.Client-Identifier || &dhcpv4.Client-Hardware-Address}` + * `%{&Client-Identifier || &Client-Hardware-Address}` which binds the lease to either the custom identifier set by the DHCP client, or if this is absent, the mac address of the user's device. @@ -100,16 +100,16 @@ trusted attribute. One example would be `%{Vendor-Specific.ADSL-Forum.Agent-Circuit-ID}.%{Calling-Station-Id}`.` - owner = "%{radius.Vendor-Specific.ADSL-Forum.Agent-Circuit-ID}.%{radius.Calling-Station-Id}" + owner = "%{Vendor-Specific.ADSL-Forum.Agent-Circuit-ID}.%{Calling-Station-Id}" requested_address:: The IP address being renewed or released. -For RADIUS the requested_address will almost always be `%{radius.Framed-IP-Address}`. +For RADIUS the requested_address will almost always be `%{Framed-IP-Address}`. For DHCPv4 the requested_address will almost always be -`%{&dhcpv4.Requested-IP-Address || &dhcpv4.Client-IP-Address}`. +`%{&Requested-IP-Address || &Client-IP-Address}`. 
@@ -126,7 +126,7 @@ For DHCPv4, this device is recorded so that we can respond correctly to lease queries. - gateway = "%{dhcpv4.Gateway-IP-Address}" + gateway = "%{Gateway-IP-Address}" .Load the queries from a separate file. @@ -141,13 +141,13 @@ sqlippool { ippool_table = "fr_ippool" lease_duration = 3600 offer_duration = 60 - pool_name = IP-Pool.Name - allocated_address_attr = radius.Framed-IP-Address - owner = "%{radius.Calling-Station-ID}" -# owner = "%{&dhcpv4.Client-Identifier || &dhcpv4.Client-Hardware-Address}" - requested_address = "%{radius.Framed-IP-Address}" -# requested_address = "%{&dhcpv4.Requested-IP-Address || &dhcpv4.Client-IP-Address}" - gateway = "%{&radius.NAS-Identifier || &radius.NAS-IP-Address}" + pool_name = &control.IP-Pool.Name + allocated_address_attr = &reply.Framed-IP-Address + owner = "%{Calling-Station-ID}" +# owner = "%{&Client-Identifier || &Client-Hardware-Address}" + requested_address = "%{Framed-IP-Address}" +# requested_address = "%{&Requested-IP-Address || &Client-IP-Address}" + gateway = "%{&NAS-Identifier || &NAS-IP-Address}" $INCLUDE ${modconfdir}/sql/ippool/${dialect}/queries.conf } ``` diff --git a/doc/antora/modules/raddb/pages/mods-available/totp.adoc b/doc/antora/modules/raddb/pages/mods-available/totp.adoc index 075733bdfbc..56f29a1bd35 100644 --- a/doc/antora/modules/raddb/pages/mods-available/totp.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/totp.adoc @@ -56,6 +56,10 @@ lookback_steps:: How many steps backward in time we look for a matching OTP. +lookforward_steps:: How many steps forward in time we look for a matching OTP. + + + lookback_interval:: Time delta between steps. Cannot be larger than `time_step` @@ -72,6 +76,7 @@ totp { time_step = 30 otp_length = 6 lookback_steps = 1 + lookforward_steps = 0 lookback_interval = 30 } ``` diff --git a/doc/antora/modules/raddb/pages/mods-available/unpack.adoc b/doc/antora/modules/raddb/pages/mods-available/unpack.adoc index d8ae98354fc..ba781266148 100644 
--- a/doc/antora/modules/raddb/pages/mods-available/unpack.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/unpack.adoc @@ -21,7 +21,7 @@ use it on the right-hand side of a variable assignment. %unpack(, , [, ]) -The arguments are three fields: +The arguments are three or four fields: data:: diff --git a/doc/antora/modules/raddb/pages/sites-available/control-socket.adoc b/doc/antora/modules/raddb/pages/sites-available/control-socket.adoc index 8416637b1f1..fd7e297cb18 100644 --- a/doc/antora/modules/raddb/pages/sites-available/control-socket.adoc +++ b/doc/antora/modules/raddb/pages/sites-available/control-socket.adoc @@ -89,7 +89,7 @@ GID. Either or both can be set. If one is set, it is checked and enforced. # NOTE: This functionality is NOT enabled by default. # See also the "radmin" program, which is used to communicate # with the server over the control socket. -server control { +server control-socket-server { namespace = control listen { transport = unix diff --git a/doc/antora/modules/raddb/pages/sites-available/default.adoc b/doc/antora/modules/raddb/pages/sites-available/default.adoc index 26b73c94b1f..dee2614af8b 100644 --- a/doc/antora/modules/raddb/pages/sites-available/default.adoc +++ b/doc/antora/modules/raddb/pages/sites-available/default.adoc @@ -44,7 +44,7 @@ There are many "commented out" references to modules and configurations These references serve as place-holders, and as documentation. If you need the functionality of that module, then: - * configure the module in link:../mods-available/index.adoc[mods-available/] + * configure the module in link:../../../../../../mods-available/index.adoc[mods-available/] * enable the module in `mods-enabled`. e.g. for LDAP, do: `cd mods-enabled;ln -s ../mods-available/ldap` * uncomment the references to it in this file. 
@@ -595,7 +595,7 @@ The `auth_log` module will write all `link:https://freeradius.org/rfc/rfc2865.ht Uncomment the next bit in order to have a log of authentication requests. For more information, see -link:../mods-available/detail.log.adoc[mods-available/detail.log]. +link:../../../../../../mods-available/detail.log.adoc[mods-available/detail.log]. @@ -854,7 +854,7 @@ can be configured. The `Auth-Type` attribute would need to be set to `proxy-example.com`. The home servers MUST be defined in -link:../mods-available/radius.adoc[mods-available/radius]. +link:../../../../../../mods-available/radius.adoc[mods-available/radius]. @@ -913,7 +913,7 @@ Access-Accept. Uncomment the line below if If you want to have a log of authentication replies, uncomment the following line. This is defined in -link:../mods-available/detail.log.adoc[mods-available/detail.log]. +link:../../../../../../mods-available/detail.log.adoc[mods-available/detail.log]. @@ -921,12 +921,6 @@ After authenticating the user, do another SQL query. -Instead of sending the query to the SQL server in -real-time, write it into a log file to be picked up and -sent to the database later. - - - Uncomment the following if you want to modify the user's object in LDAP after a successful login. @@ -947,7 +941,7 @@ calculations, e.g. You may want to delete the `MS-MPPE-*-Keys` from the reply, as some WiMAX clients behave badly when those attributes are included. See the configuration entry -`delete_mppe_keys` in link:../mods-available/wimax.adoc[mods-available/wimax] for +`delete_mppe_keys` in link:../../../../../../mods-available/wimax.adoc[mods-available/wimax] for more information. 
@@ -988,6 +982,12 @@ into the EAP-Key-Name attribute. +Call an instance of `linelog` to log the authentication success +- equivalent to the previous log `auth = yes` option in v3. +See `mods-enabled/linelog` for message formats and destinations. + + + Remove `link:https://freeradius.org/rfc/rfc2865.html#Reply-Message[Reply-Message]` if the response contains an `link:https://freeradius.org/rfc/rfc2869.html#EAP-Message[EAP-Message]` attribute. Some NAS equipment will automatically convert the `link:https://freeradius.org/rfc/rfc2865.html#Reply-Message[Reply-Message]` to an "EAP @@ -1020,6 +1020,12 @@ policy, instead of from an authentication failure. +Call an instance of `linelog` to log the authentication failure +- equivalent to the previous log `auth = yes` option in v3. +See `mods-enabled/linelog` for message formats and destinations. + + + Remove `link:https://freeradius.org/rfc/rfc2865.html#Reply-Message[Reply-Message]` if the response contains an `link:https://freeradius.org/rfc/rfc2869.html#EAP-Message[EAP-Message]` attribute. Some NAS equipment will automatically convert the `link:https://freeradius.org/rfc/rfc2865.html#Reply-Message[Reply-Message]` to an "EAP @@ -1045,6 +1051,7 @@ An Accounting-Request packet has been received. Decide which accounting type to use. + Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets into a single 64-bit counter, Acct-[Input|Output]-Octets64. @@ -1071,12 +1078,14 @@ The packet should have a timestamp. If not, use "now" from the server. + + Ensure that we have a semi-unique identifier for every request, as many NAS boxes are broken. -Read the 'acct_users' file. +Read the 'accounting' file. 
@@ -1094,26 +1103,74 @@ then process the `send Accounting-Response` section Session start +Log traffic to an SQL database. + +See "Accounting Queries" in link:../../../../../../mods-available/sql.adoc[mods-available/sql]. + + + +Refresh leases when we see a start. + +Ensure that &control.IP-Pool.Name is set to determine which +pool of IPs are used. Set this in `recv Accounting-Request` so +it is available for all the accounting sections. + Session stop +Log traffic to an SQL database. + + + +If you receive stop packets with zero session length, +they will NOT be logged in the database. The SQL +module will print a message (only in debugging mode), +and will return "noop". + +You can ignore these packets by uncommenting the +following three lines. Otherwise, the server will not +respond to the accounting request, and the NAS will +retransmit. + + + +Return an address to the IP Pool when we see a stop record. + Session is still alive +Log traffic to an SQL database. + + + +Refresh leases when we see an alive. + The NAS has just booted up. +Record that the NAS has booted to an SQL database + + + +Return all addresses related to this NAS to the IP Pool + The NAS is about to go down +Record that the NAS is shutting down to an SQL database + + + +Return all addresses related to this NAS to the IP Pool + Session failed to do something @@ -1161,7 +1218,7 @@ Update counters for daily usage calculations. Update the wtmp file. -If you don't use "radlast", you can delete this line. +This is only relevant if you use "radlast". 
@@ -1172,38 +1229,6 @@ be incorrect. There is little we can do about it. -Refresh leases when we see a start or alive. Return an address to -the IP Pool when we see a stop record. - -Ensure that &control.IP-Pool.Name is set to determine which -pool of IPs are used. - - - -Log traffic to an SQL database. - -See "Accounting Queries" in link:../mods-available/sql.adoc[mods-available/sql]. - - - -If you receive stop packets with zero session length, -they will NOT be logged in the database. The SQL -module will print a message (only in debugging mode), -and will return "noop". - -You can ignore these packets by uncommenting the -following three lines. Otherwise, the server will not -respond to the accounting request, and the NAS will -retransmit. - - - -Instead of sending the query to the SQL server in -real-time, write it into a log file to be picked up and -sent to the database later. - - - Cisco VoIP specific bulk accounting. @@ -1377,7 +1402,6 @@ send Access-Accept { # cui # reply_log -sql -# sql_log # ldap # &request.WiMAX-MN-NAI = "%{User-Name}" # &reply += { 
@@ -1399,33 +1423,52 @@ send Access-Accept { # if (&reply.EAP-Session-Id) { # &reply.EAP-Key-Name := &reply.EAP-Session-Id # } +# log_auth_access_accept remove_reply_message_if_eap } send Access-Reject { -sql attr_filter.access_reject eap +# log_auth_access_reject remove_reply_message_if_eap delay_reject } recv Accounting-Request { + do_not_respond + return # acct_counters64 # &request.FreeRADIUS-Acct-Session-Start-Time = "%{(&Event-Timestamp || %l) - &Acct-Session-Time - &Acct-Delay-Time}" if (!&Event-Timestamp) { - &request.Event-Timestamp := %{%l - &Acct-Delay-Time} + &request.Event-Timestamp := %{%l() - &Acct-Delay-Time} + } elsif (!&Acct-Delay-Time && &request.Event-Timestamp && (&request.Event-Timestamp < %l())) { + &request.Acct-Delay-Time := %{%l() - &Event-Timestamp} } acct_unique - files + files_accounting } accounting Start { + -sql +# sqlippool } accounting Stop { + -sql +# if (noop) { +# ok +# } +# sqlippool } accounting Interim-Update { + -sql +# sqlippool } accounting Accounting-On { + -sql +# sqlippool } accounting Accounting-Off { + -sql +# sqlippool } accounting Failed { } @@ -1433,15 +1476,9 @@ send Accounting-Response { # cui detail # daily - unix +# unix # radutmp # sradutmp -# sqlippool - -sql -# if (noop) { -# ok -# } -# sql_log # pgsql-voip attr_filter.accounting_response } diff --git a/doc/antora/modules/raddb/pages/sites-available/dns.adoc b/doc/antora/modules/raddb/pages/sites-available/dns.adoc index d965667e010..02055ff5bdb 100644 --- a/doc/antora/modules/raddb/pages/sites-available/dns.adoc +++ b/doc/antora/modules/raddb/pages/sites-available/dns.adoc 
@@ -10,16 +10,29 @@ The `dns` virtual server is an example of using `dns` style functionality in Fre This is the `dns` virtual server. -It is (for now) only a toy. It only decodes nested attributes, which `unlang` -cannot (yet) handle well. It only handles a few types of RRs. You have to manually -do pretty much everything necessary to make DNS "work". There's no DB integration. - It's not meant to be fast. Don't use it as a root server, or as a server for an ISP with millions of users. But it should be able to do thousands to tens of thousands of queries per second, without really trying hard. It's meant to be a _flexible_ DNS server. Want to give different answers to VoIP phones -and desktops? It can do that. +and desktops, or other types of split horizon? It can do that. + +Because DNS uses the &Header.Rcode to communicate the result of a query (instead of opcode) +the DNS state machine works differently to other protocols. + +Requests will pass through the following processing sections: +- A `recv { ... }` section matching the opcode. e.g. `recv Query { ... }`. Query processing + and response formulation should be done here. + If this section returns anything other than `ok` or `updated`, a &reply.Header.Rcode value is + set. +- An `error { ... }` section matching &reply.Header.Rcode. e.g. `error Server-Fail { ... }`. + If the `recv { ... }` section produced a &reply.Header.Rcode value other than `No-Error` + and a `error { ... } section matching the &reply.Header.Rcode is provided, it is executed. + Error sections are intended only for simplifying logging, and as such, the rcode of the section is ignored. + Error sections can manipulate the reply, e.g. setting a new value for &reply.Header.Rcode, but + this will not cause additional `error { ... }` section to be executed. +- A `send { ... }` section matching the opcode. e.g. `send Query-Response { ... }`. This can be + used for general massaging of the reply. Return codes are ignored. 
namespace:: The protocol / dictionary to use. @@ -37,17 +50,26 @@ Dont use "port = 53" unless you want to break things == Default Configuration ``` -server DNS { +server dns { namespace = dns listen { - type = query + type = Query transport = udp udp { ipaddr = * - port = 5300 + port = 53 } } recv Query { + if (&Question[0].Name == 'foo.example.com') { + &reply.Resource-Record := { + &Name = 'foo.example.com' + &Type = A + &Class = ::Internet + &TTL = 0 + &Type.A.IP = 127.0.0.1 + } + } ok } send Query-Response { diff --git a/doc/antora/modules/raddb/pages/sites-available/inner-tunnel.adoc b/doc/antora/modules/raddb/pages/sites-available/inner-tunnel.adoc index 2ab60df5559..50f2d4da50c 100644 --- a/doc/antora/modules/raddb/pages/sites-available/inner-tunnel.adoc +++ b/doc/antora/modules/raddb/pages/sites-available/inner-tunnel.adoc @@ -229,6 +229,12 @@ the reply. +Call an instance of `linelog` to log the authentication success +- equivalent to the previous log `auth = yes` option in v3. +See `mods-enabled/linelog` for message formats and destinations. + + + Access-Reject packets are sent through the REJECT sub-section of the post-auth section. @@ -238,6 +244,13 @@ Add the ldap module name (or instance) if you have set log failed authentications in SQL, too. +Call an instance of `linelog` to log the authentication failure +- equivalent to the previous log `auth = yes` option in v3. +See `mods-enabled/linelog` for message formats and destinations. + + + + Let the outer session know which module failed, and why. @@ -298,9 +311,11 @@ send Access-Accept { # sql_log # ldap # use_tunneled_reply +# log_auth_result } send Access-Reject { -sql +# log_auth_result attr_filter.access_reject &outer.session-state.Module-Failure-Message := &request.Module-Failure-Message } diff --git a/doc/antora/modules/raddb/pages/sites-available/load.adoc b/doc/antora/modules/raddb/pages/sites-available/load.adoc index a30234b9468..acd06f78ae4 100644 
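Review bot: The example listener now binds `ipaddr = *` with `port = 53`, while the hunk's own context line still reads `Dont use "port = 53" unless you want to break things`, so the prose and the configuration now contradict each other; port 53 also requires root or CAP_NET_BIND_SERVICE and will collide with any resolver already running on the host. The new `recv Query` example answers `foo.example.com` with `127.0.0.1` for whoever sends the query and the page shows no client or ACL restriction for this listener, so an example that binds all interfaces on the real DNS port is a poor default to ship. I would keep the example unprivileged and local, `ipaddr = 127.0.0.1` and `port = 5300`, or else rewrite the warning sentence to match whichever default is actually intended. This page is regenerated from `raddb/sites-available/dns`, so the fix belongs in that source file.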
--- a/doc/antora/modules/raddb/pages/sites-available/load.adoc +++ b/doc/antora/modules/raddb/pages/sites-available/load.adoc @@ -12,6 +12,11 @@ Use `listen load { ... }` in any virtual server to do load testing against that server. +The main module is the proto module, even though we're +operating in the RADIUS namespace. + + + This is a valid Packet-Type for the current `namespace` @@ -83,6 +88,7 @@ taken from the `namespace`. server load { namespace = radius listen load { + proto = load type = Access-Request transport = step step { @@ -96,7 +102,6 @@ server load { parallel = 25 } } -} recv Access-Request { accept } diff --git a/doc/antora/modules/raddb/pages/sites-available/tacacs.adoc b/doc/antora/modules/raddb/pages/sites-available/tacacs.adoc index cd9d28a3c6f..d57f3dc8b01 100644 --- a/doc/antora/modules/raddb/pages/sites-available/tacacs.adoc +++ b/doc/antora/modules/raddb/pages/sites-available/tacacs.adoc @@ -216,6 +216,18 @@ the next packet (if the client provides it) +Call an instance of `linelog` to log the authentication success +- equivalent to the previous log `auth = yes` option in v3. +See `mods-enabled/linelog` for message formats and destinations. + + + + +Call an instance of `linelog` to log the authentication failure +- equivalent to the previous log `auth = yes` option in v3. +See `mods-enabled/linelog` for message formats and destinations. + + With ASCII methods, GetUser and GetPass typically send a prompt for the client to present to the user. @@ -335,9 +347,11 @@ server tacacs { } send Authentication-Pass { &reply.Server-Message := "Hello %{User-Name}" +# log_auth_authentication_pass } send Authentication-Fail { &reply.Server-Message := "Failed login!" +# log_auth_authentication_fail } send Authentication-GetUser { &reply.Server-Message := "Username:"