From: Jorge Pereira Date: Tue, 23 Aug 2022 17:40:36 +0000 (-0300) Subject: More "update {....}" to edit against raddb/sites-available/* (#4684) X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d09342258ad81b5817316471306c65197117fff6;p=thirdparty%2Ffreeradius-server.git More "update {....}" to edit against raddb/sites-available/* (#4684) --- diff --git a/raddb/policy.d/accounting b/raddb/policy.d/accounting index dd721539619..42ca21ff004 100644 --- a/raddb/policy.d/accounting +++ b/raddb/policy.d/accounting @@ -1,3 +1,8 @@ +# -*- text -*- +# $Id$ + +####################################################################### + # We check for this prefix to determine whether the class # value was generated by this server. It should be changed # so that it is globally unique. @@ -62,7 +67,7 @@ acct_unique { # is not included # else { - &request.Acct-Unique-Session-Id := %{hex:%{md5:%{string:%{User-Name},%{Acct-Multi-Session-ID},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}}} + &request.Acct-Unique-Session-Id := "%{hex:%{md5:%{string:%{User-Name},%{Acct-Multi-Session-ID},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}}}" } &request -= &Tmp-String-9[*] diff --git a/raddb/sites-available/abfab-tr-idp b/raddb/sites-available/abfab-tr-idp index d45a6752aa4..dfe10a8dcc4 100644 --- a/raddb/sites-available/abfab-tr-idp +++ b/raddb/sites-available/abfab-tr-idp @@ -99,9 +99,7 @@ server abfab-idp { # The `session-state` attributes are automatically deleted after # an `Access-Reject` or `Access-Accept` is sent. # - update { - &reply += &session-state - } + &reply += &session-state # # Create the `CUI` value and add the attribute to `Access-Accept`. diff --git a/raddb/sites-available/challenge b/raddb/sites-available/challenge index 5ef597ac971..3a64b948a9f 100644 --- a/raddb/sites-available/challenge +++ b/raddb/sites-available/challenge 
@@ -1,3 +1,8 @@ +# -*- text -*- +# $Id$ + +####################################################################### + # # This file gives an example of using Challenge-Response # @@ -6,9 +11,7 @@ # consisting of a random number 0..9. The user has to respond # with that number. # -# -# $Id$ -# + listen { type = auth ipaddr = * @@ -23,11 +26,9 @@ recv Access-Request { # If there's no State attribute, then this is the request from # the user. # - if (!State) { - update control { - Auth-Type := Step1 - Password.Cleartext := "hello" - } + if (!&State) { + &control.Auth-Type := Step1 + &control.Password.Cleartext := "hello" } else { # @@ -35,10 +36,8 @@ recv Access-Request { # Set the "known good" password to the number # saved in the session-state list. # - update control { - Auth-Type := Step2 - Password.Cleartext := &session-state.Tmp-Integer-0 - } + &control.Auth-Type := Step2 + &control.Password.Cleartext := &session-state.Tmp-Integer-0 } } @@ -51,12 +50,8 @@ authenticate step1 { # # Set the random number to save. # - update session-state { - Tmp-Integer-0 := "%{randstr:n}" - } - update reply { - Reply-Message := &session-state.Tmp-Integer-0 - } + &session-state.Tmp-Integer-0 := "%{randstr:n}" + &reply.Reply-Message := &session-state.Tmp-Integer-0 # # Send an Access-Challenge. diff --git a/raddb/sites-available/check-eap-tls b/raddb/sites-available/check-eap-tls index 992abb84cd1..e2ef87e1be4 100644 --- a/raddb/sites-available/check-eap-tls +++ b/raddb/sites-available/check-eap-tls @@ -1,3 +1,8 @@ +# -*- text -*- +# $Id$ + +####################################################################### +# # This virtual server allows EAP-TLS to reject access requests # based on some attributes of the certificates involved. # 
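Review bot: In the Step2 branch, `&control.Password.Cleartext := &session-state.Tmp-Integer-0` assumes the session-state entry exists, but `&State` is supplied by the client, so a forged or stale State arrives with no matching session-state and the "known good" password is never set. Presumably that path ends in a reject, but it is worth making explicit with `if (!&session-state.Tmp-Integer-0) { reject }` before the assignments rather than relying on what an unset Password.Cleartext does in `authenticate step2`. Since `%{randstr:n}` yields a single digit, a comment that the challenge space is ten values and the file is illustrative only would also help. The enclosing `recv Access-Request` section starts outside the hunk.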
@@ -27,10 +32,9 @@ # modules that check for further authorization, especially if they # hit external services such as sql or ldap. - server check-eap-tls { - +# # Authorize - this is the only section required. # # To accept the access request, set Auth-Type = Accept, otherwise @@ -41,27 +45,18 @@ recv Access-Request { # # By default, we just accept the request: # - update config { - &Auth-Type := Accept - } - + &control.Auth-Type := Accept # # Check the client certificate matches a string, and reject otherwise # # if ("%{session-state.TLS-Client-Cert-Common-Name}" == 'client.example.com') { -# update config { -# &Auth-Type := Accept -# } +# &control.Auth-Type := Accept # } # else { -# update config { -# &Auth-Type := Reject -# } -# update reply { -# &Reply-Message := "Your certificate is not valid." -# } +# &control.Auth-Type := Reject +# &reply.Reply-Message := "Your certificate is not valid." # } @@ -69,14 +64,10 @@ recv Access-Request { # Check the client certificate common name against the supplied User-Name # # if (&User-Name == "host/%{session-state.TLS-Client-Cert-Common-Name}") { -# update config { -# &Auth-Type := Accept -# } +# &control.Auth-Type := Accept # } # else { -# update config { -# &Auth-Type := Reject -# } +# &control.Auth-Type := Reject # } 
@@ -96,22 +87,22 @@ recv Access-Request { # base_filter = "(objectClass=computer)" # groupname_attribute = cn # groupmembership_filter = "(&(objectClass=group)(member=%{control.Ldap-UserDn}))" + # # ldap + # # Now let's test membership of an LDAP group (the ldap bind user will # need permission to read this group membership): + # # if (!(Ldap-Group == "Permitted-Laptops")) { -# update config { -# &Auth-Type := Reject -# } +# &control.Auth-Type := Reject # } # or, to be more specific, you could use the group's full DN: # if (!(Ldap-Group == "CN=Permitted-Laptops,OU=Groups,DC=example,DC=org")) { - # # This may be a better place to call the files modules when using # EAP-TLS, as it will only be called once, after the challenge-response @@ -120,7 +111,6 @@ recv Access-Request { # files - # # Log all request attributes, plus TLS certificate details, to the # auth_log file. Again, this is just once per connection request, so @@ -130,7 +120,6 @@ recv Access-Request { # auth_log - } } diff --git a/raddb/sites-available/coa-relay b/raddb/sites-available/coa-relay index 70f3680d417..4fa303b9b3c 100644 --- a/raddb/sites-available/coa-relay +++ b/raddb/sites-available/coa-relay 
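Review bot: The commented LDAP examples still use the bare form `if (!(Ldap-Group == "Permitted-Laptops"))` while the rest of this commit normalises references to the `&`-prefixed form (`&control.Auth-Type`, `&User-Name` in the hunks above), so the example is not copy-paste consistent with the code around it. Writing `if (!(&Ldap-Group == "Permitted-Laptops"))`, and the same for the full-DN variant, keeps one convention in the file. The enclosing `recv Access-Request` section starts outside the hunk.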
@@ -123,24 +123,21 @@ server coa { # what these attributes are unfortunately, so we # cannot give more detailed advice here. # - update control { - # - # Example MySQL lookup - # -# &Tmp-String-0 := "%{sql:SELECT IFNULL(GROUP_CONCAT(CONCAT(nasipaddress,'#',acctsessionid) separator '|'),'') FROM (SELECT * FROM radacct WHERE ('%{User-Name}'='' OR UserName='%{User-Name}') AND ('%{Acct-Session-Id}'='' OR acctsessionid = '%{Acct-Session-Id}') AND AcctStopTime IS NULL) a}" - - # - # Example PostgreSQL lookup - # -# &Tmp-String-0 := "%{sql:SELECT STRING_AGG(CONCAT(nasipaddress,'#',acctsessionid),'|') FROM (SELECT * FROM radacct WHERE ('%{User-Name}'='' OR UserName='%{User-Name}') AND ('%{Acct-Session-Id}'='' OR acctsessionid = '%{Acct-Session-Id}') AND AcctStopTime IS NULL) a}" + # + # Example MySQL lookup + # +# &control.Tmp-String-0 := "%{sql:SELECT IFNULL(GROUP_CONCAT(CONCAT(nasipaddress,'#',acctsessionid) separator '|'),'') FROM (SELECT * FROM radacct WHERE ('%{User-Name}'='' OR UserName='%{User-Name}') AND ('%{Acct-Session-Id}'='' OR acctsessionid = '%{Acct-Session-Id}') AND AcctStopTime IS NULL) a}" - # - # Keep a count of what we send. - # - &Tmp-Integer-0 := 0 + # + # Example PostgreSQL lookup + # +# &control.Tmp-String-0 := "%{sql:SELECT STRING_AGG(CONCAT(nasipaddress,'#',acctsessionid),'|') FROM (SELECT * FROM radacct WHERE ('%{User-Name}'='' OR UserName='%{User-Name}') AND ('%{Acct-Session-Id}'='' OR acctsessionid = '%{Acct-Session-Id}') AND AcctStopTime IS NULL) a}" - } + # + # Keep a count of what we send. + # + &control.Tmp-Integer-0 := 0 # # Split the string and split into pieces. 
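Review bot: Both example lookups treat an empty `User-Name` and an empty `Acct-Session-Id` as wildcards (`'%{User-Name}'='' OR UserName=...`), so a CoA-Request carrying neither attribute matches every row with `AcctStopTime IS NULL` and the loop below would send an update to every active session. For a relay that accepts CoA from other systems that is a large blast radius for one malformed or hostile packet; a guard before the lookup such as `if (!&User-Name && !&Acct-Session-Id) { reject }` keeps the wildcard behaviour opt-in. The queries are commented out, but they are the template operators will uncomment. The enclosing section starts outside the hunk.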
@@ -153,39 +150,29 @@ server coa { # Send an update for each session we find. # if ("%{Foreach-Variable-0}" =~ /([^#]*)#(.*)/) { + # NAS-IP-Address + &control.Tmp-IP-Address-0 := "%{1}" - update control { - - # NAS-IP-Address - &Tmp-IP-Address-0 := "%{1}" - - # Acct-Session-Id - &Tmp-String-1 := "%{2}" - - } + # Acct-Session-Id + &control.Tmp-String-1 := "%{2}" subrequest CoA-Request { + # + # The subrequest begins empty, so initially copy all attributes + # from the incoming request. + # + &request := &parent.request - update request { - - # - # The subrequest begins empty, so initially copy all attributes - # from the incoming request. - # - &request := &parent.request[*] - - # - # Add/override the session identification attributes looked up - # - &Acct-Session-Id := &parent.control.Tmp-String-1 - - # - # Some NASs want these, others don't - # - &Event-Timestamp := "%l" - &Message-Authenticator := 0x00 + # + # Add/override the session identification attributes looked up + # + &request.Acct-Session-Id := &parent.control.Tmp-String-1 - } + # + # Some NASs want these, others don't + # + &request.Event-Timestamp := "%l" + &request.Message-Authenticator := 0x00 # # Remove attributes which will confuse the NAS @@ -194,25 +181,22 @@ server coa { # if it contains attributes which are NOT # "session identification" attributes. # - filter request { - # - # SQL-User-Name is a side-effect of the xlat - # - &SQL-User-Name !* ANY - - # - # Those attributes should be listed here - # - &Acct-Delay-Time !* ANY - &Proxy-State !* ANY + # + # SQL-User-Name is a side-effect of the xlat + # + &request -= &SQL-User-Name[*] - # - # Uncomment if the NAS does not expect User-Name - # - #&User-Name !* ANY + # + # Those attributes should be listed here + # + &request -= &Acct-Delay-Time[*] + &request -= &Proxy-State[*] - } + # + # Uncomment if the NAS does not expect User-Name + # + #&request -= &User-Name[*] # # Call the radius client module instance for the NAS-IP-Address 
@@ -226,9 +210,7 @@ server coa { # # Increment count of sent updates # - update parent.control { - &Tmp-Integer-0 := %{expr: %{parent.control.Tmp-Integer-0} + 1} - } + &parent.control.Tmp-Integer-0 += 1 radius-originate-coa-192.0.2.1 @@ -238,8 +220,8 @@ server coa { # Likely a missing "case" if we can't map NAS-IP-Address to a module # case { - update parent.control { - &Reply-Message += "Missing map for NAS: %{parent.control.Tmp-IP-Address-0}" + &parent.control += { + &Reply-Message = "Missing map for NAS: %{parent.control.Tmp-IP-Address-0}" } } @@ -256,14 +238,16 @@ server coa { # Report what we did # if (&control.Tmp-Integer-0) { - update reply { - &Reply-Message += "Sent updates for %{control.Tmp-Integer-0} active sessions" + &reply += { + &Reply-Message = "Sent updates for %{control.Tmp-Integer-0} active sessions" } + ok } else { - update reply { - &Reply-Message += "No active sessions found" + &reply += { + &Reply-Message = "No active sessions found" } + reject } diff --git a/raddb/sites-available/default b/raddb/sites-available/default index e4430dd0954..abdda7e195b 100644 --- a/raddb/sites-available/default +++ b/raddb/sites-available/default @@ -1,6 +1,4 @@ # -*- text -*- -# -# # $Id$ ####################################################################### @@ -55,7 +53,9 @@ # # In most cases, those small changes will result in the server being # able to connect to the database, and to authenticate users. +# +# # ## The Virtual Server # # This is the `default` virtual server. @@ -684,9 +684,7 @@ recv Access-Request { # username ends in example.com. # # if (&User-Name =~ /@example\.com$/) { -# update control { -# &Auth-Type := "proxy-example.com" -# } +# &control.Auth-Type := "proxy-example.com" # } # @@ -865,7 +863,6 @@ recv Status-Server { } - ###################################################################### # # ## Authentication Sections 
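Review bot: In the default `case`, the "Missing map for NAS" message is appended to `&parent.control`, and as far as the visible hunks show nothing later copies control into the reply (the final report only reads `control.Tmp-Integer-0`), so the message never reaches the CoA client. If the intent is to tell the requester about the unmapped NAS, use `&parent.reply += { &Reply-Message = "Missing map for NAS: %{parent.control.Tmp-IP-Address-0}" }`; if it is only for operators, a log line is clearer than a control-list attribute. The `switch` that contains this `case` begins outside the hunk.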
@@ -1072,9 +1069,7 @@ send Access-Accept { # Service-Type = Authorize-Only. # # if (!&reply.State) { -# update reply { -# &State := "0x%{randstr:16h}" -# } +# &reply.State := "0x%{randstr:16h}" # } # @@ -1086,9 +1081,7 @@ send Access-Accept { # The `session-state` attributes are deleted after an # `Access-Reject` or `Access-Accept` packet has been sent. # - update { - &reply += &session-state - } + &reply += &session-state # # For EAP, ensure that the Access-Accept contains a User-Name @@ -1139,9 +1132,7 @@ send Access-Accept { # work, you will need to define the WiMAX NAI, usually # via: # -# update request { -# &WiMAX-MN-NAI = "%{User-Name}" -# } +# &request.WiMAX-MN-NAI = "%{User-Name}" # If you want various keys to be calculated, you will # need to update the reply with "template" values. The @@ -1175,13 +1166,13 @@ send Access-Accept { # contains information about the client certificate (if # available). # -# update reply { -# &Reply-Message += "%{session-state.TLS-Certificate.Serial}" -# &Reply-Message += "%{session-state.TLS-Certificate.Not-After}" -# &Reply-Message += "%{session-state.TLS-Certificate.Subject}" -# &Reply-Message += "%{session-state.TLS-Certificate.Issuer}" -# &Reply-Message += "%{session-state.TLS-Certificate.Common-Name}" -# &Reply-Message += "%{session-state.TLS-Certificate.Subject-Alt-Name-Email}" +# &reply += { +# &Reply-Message = "%{session-state.TLS-Certificate.Serial}" +# &Reply-Message = "%{session-state.TLS-Certificate.Not-After}" +# &Reply-Message = "%{session-state.TLS-Certificate.Subject}" +# &Reply-Message = "%{session-state.TLS-Certificate.Issuer}" +# &Reply-Message = "%{session-state.TLS-Certificate.Common-Name}" +# &Reply-Message = "%{session-state.TLS-Certificate.Subject-Alt-Name-Email}" # } # @@ -1207,9 +1198,7 @@ send Access-Accept { # into the EAP-Key-Name attribute. # # if (&reply.EAP-Session-Id) { -# update reply { -# &EAP-Key-Name := &reply.EAP-Session-Id -# } +# &reply.EAP-Key-Name := &reply.EAP-Session-Id # } # 
@@ -1305,17 +1294,13 @@ recv Accounting-Request { # # The start time is: NOW - delay - session_length # -# update request { -# &FreeRADIUS-Acct-Session-Start-Time = "%{expr: %{%{Event-Timestamp}:-%l} - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" -# } +# &request.FreeRADIUS-Acct-Session-Start-Time = "%{expr: %{%{Event-Timestamp}:-%l} - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" # # The packet should have a timestamp. If not, use "now" from the server. # if (!&Event-Timestamp) { - update request { - &Event-Timestamp := "%{expr:%l - &Acct-Delay-Time}" - } + &request.Event-Timestamp := "%{expr:%l - &Acct-Delay-Time}" } # diff --git a/raddb/sites-available/detail b/raddb/sites-available/detail index 6d7bf0cb92b..c2fb992c224 100644 --- a/raddb/sites-available/detail +++ b/raddb/sites-available/detail @@ -229,9 +229,7 @@ server detail { # The detail file reader runs the normal RADIUS / DHCP / etc. processing sections. # recv Accounting-Request { - update request { - &Acct-Delay-Time := "%{expr:%{%{Acct-Delay-Time}:-0} + %c - %(integer:%{%{Event-Timestamp}:-%{Packet-Original-Timestamp}})}" - } + &request.Acct-Delay-Time := "%{expr:%{%{Acct-Delay-Time}:-0} + %c - %(integer:%{%{Event-Timestamp}:-%{Packet-Original-Timestamp}})}" # # We handled the packet successfully. Run the "send ok" section. diff --git a/raddb/sites-available/dhcp b/raddb/sites-available/dhcp index 400bd013069..bfc0c1bc835 100644 --- a/raddb/sites-available/dhcp +++ b/raddb/sites-available/dhcp @@ -127,9 +127,7 @@ listen { recv Discover { # The DHCP Server Identifier is set here since it is returned in OFFERs - update control { - &Server-Identifier = 192.0.2.1 - } + &control.Server-Identifier = 192.0.2.1 # Call a policy (defined in policy.d/dhcp) to set common reply attributes dhcp_common 
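Review bot: The live line `&request.Event-Timestamp := "%{expr:%l - &Acct-Delay-Time}"` references `&Acct-Delay-Time` with no default, unlike the commented example just above it which guards every operand with `%{%{Acct-Delay-Time}:-0}`. This branch runs for packets that lack Event-Timestamp, and a NAS that omits that attribute may well omit Acct-Delay-Time too, in which case the expansion presumably fails and Event-Timestamp stays unset, defeating the fallback. `&request.Event-Timestamp := "%{expr:%l - %{%{Acct-Delay-Time}:-0}}"` keeps the two lines consistent. The enclosing `recv Accounting-Request` section starts outside the hunk.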
@@ -139,7 +137,7 @@ recv Discover { # See below for the definition of the "mac2ip" # module. # - #mac2ip +# mac2ip # If the MAC wasn't found in that list, do something else. # You could call a Perl, Python, or Java script here. @@ -150,9 +148,7 @@ recv Discover { # Or, allocate IPs from the DHCP pool in SQL. You may need to # set the pool name here if you haven't set it elsewhere. -# update control { -# &IP-Pool.Name := "local" -# } +# &control.IP-Pool.Name := "local" # dhcp_sqlippool # Set the type of packet to send in reply. @@ -169,24 +165,20 @@ recv Discover { # server will fall back to determining the type of reply # based on the rcode of this section. - #update reply { - # &Message-Type = Offer - #} +# &reply.Message-Type = Offer # If Message-Type is not set, returning "ok" or # "updated" from this section will respond with a Offer # message. # # Other rcodes will tell the server to not return any response. - #ok +# ok } recv Request { # The DHCP Server Identifier is set here since it is returned in OFFERs - update control { - &Server-Identifier = 192.0.2.1 - } + &control.Server-Identifier = 192.0.2.1 # If the request is not for this server then silently discard it if (&request.Server-Identifier && \ @@ -195,9 +187,7 @@ recv Request { } # Response packet type. See Discover section above. - #update reply { - # &Message-Type = Ack - #} +# &reply.Message-Type = Ack # Call a policy (defined in policy.d/dhcp) to set common reply attributes dhcp_common @@ -207,7 +197,7 @@ recv Request { # See below for the definition of the "mac2ip" # module. # - #mac2ip +# mac2ip # If the MAC wasn't found in that list, do something else. # You could call a Perl, Python, or Java script here. 
@@ -218,15 +208,11 @@ recv Request { # Or, allocate IPs from the DHCP pool in SQL. You may need to # set the pool name here if you haven't set it elsewhere. -# update control { -# &IP-Pool.Name := "local" -# } +# &control.IP-Pool.Name := "local" # dhcp_sqlippool if (ok) { - update reply { - &Your-IP-Address := "%{%{request.Requested-IP-Address}:-%{request.Client-IP-Address}}" - } + &reply.Your-IP-Address := "%{%{request.Requested-IP-Address}:-%{request.Client-IP-Address}}" } # If Message-Type is not set, returning "ok" or @@ -235,7 +221,7 @@ recv Request { # # "handled" will not return a packet, all other rcodes will # send back a NAK. - #ok +# ok } # @@ -248,9 +234,7 @@ recv Request { recv Decline { # If using IPs from a DHCP pool in SQL then you may need to set the # pool name here if you haven't set it elsewhere and mark the IP as declined. -# update control { -# &IP-Pool.Name := "local" -# } +# &control.IP-Pool.Name := "local" # dhcp_sqlippool ok @@ -272,27 +256,22 @@ recv Inform { # For Windows 7 boxes # #recv Inform { -# update reply { -# Packet-Dst-Port = 67 -# Message-Type = Ack -# Server-Identifier = "%{Packet-Dst-IP-Address}" -# Site-specific-28 = 0x0a00 -# } +# &reply.Packet-Dst-Port = 67 +# &reply.Message-Type = Ack +# &reply.Server-Identifier = "%{Packet-Dst-IP-Address}" +# &reply.Site-specific-28 = 0x0a00 # ok #} recv Release { # If using IPs from a DHCP pool in SQL then you may need to set the # pool name here if you haven't set it elsewhere and release the IP. -# update control { -# &IP-Pool.Name := "local" -# } +# &control.IP-Pool.Name := "local" # dhcp_sqlippool ok } - recv Lease-Query { # The thing being queried for is implicit # in the packets. @@ -312,9 +291,7 @@ recv Lease-Query { # look up identifier in database } else { - update reply { - &Message-Type = Lease-Unknown - } + &reply.Message-Type = Lease-Unknown ok 
@@ -327,10 +304,10 @@ recv Lease-Query { # if it can't find anything. # if (notfound) { - update reply { - &Message-Type = Lease-Unknown - } + &reply.Message-Type = Lease-Unknown + ok + return } @@ -353,10 +330,7 @@ recv Lease-Query { # Lease-Active # Lease-Unassigned # - update reply { - &Message-Type = Lease-Unassigned - } - + &reply.Message-Type = Lease-Unassigned } } diff --git a/raddb/sites-available/dhcp.relay b/raddb/sites-available/dhcp.relay index cb2b2cd03ce..ee89f6fca3d 100644 --- a/raddb/sites-available/dhcp.relay +++ b/raddb/sites-available/dhcp.relay @@ -20,25 +20,22 @@ server dhcp.eth1 { # of the following sections, named after the DHCP packet type. # See dictionary.dhcp for the packet types. dhcp Discover { - update config { - # IP Address of the DHCP server - &Relay-To-IP-Address := 192.0.2.2 - } - update request { - # IP Address of the DHCP relay (ourselves) - &Gateway-IP-Address := 192.0.2.1 - } + # IP Address of the DHCP server + &control.Relay-To-IP-Address := 192.0.2.2 + + # IP Address of the DHCP relay (ourselves) + &request.Gateway-IP-Address := 192.0.2.1 + ok } dhcp Request { - update config { - # IP Address of the DHCP server - &Relay-To-IP-Address := 192.0.2.2 - } - update request { - &Gateway-IP-Address := 192.0.2.2 - } + # IP Address of the DHCP server + &control.Relay-To-IP-Address := 192.0.2.2 + + # IP Address of the Gateway server + &request.Gateway-IP-Address := 192.0.2.2 + ok } } diff --git a/raddb/sites-available/dhcpv6 b/raddb/sites-available/dhcpv6 index a6a267bce33..f2b34fb0d4b 100644 --- a/raddb/sites-available/dhcpv6 +++ b/raddb/sites-available/dhcpv6 @@ -285,10 +285,8 @@ send Advertise { # # All replies MUST include a Server-ID option # - update reply { - &Server-ID.DUID = UUID - &Server-ID.DUID.UUID.Value := 0x00000000000000000000000000000000 - } + &reply.Server-ID.DUID = UUID + &reply.Server-ID.DUID.UUID.Value := 0x00000000000000000000000000000000 } # 
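Review bot: In `dhcp Request`, `&request.Gateway-IP-Address := 192.0.2.2` sets giaddr to the DHCP server's own address, while `dhcp Discover` sets it to 192.0.2.1 with the comment "IP Address of the DHCP relay (ourselves)"; the new comment "IP Address of the Gateway server" documents the mismatch instead of fixing it. giaddr is the address the server replies to, so on the Request path the ACK would be directed at the server rather than this relay; presumably both sections should carry `&request.Gateway-IP-Address := 192.0.2.1` with the same "(ourselves)" comment. The inconsistency predates the commit, but the line is rewritten here.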
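Review bot: The Server-ID example hard-codes an all-zero UUID (`&reply.Server-ID.DUID.UUID.Value := 0x00000000000000000000000000000000`) and the same literal is repeated in the Advertise, Offer and Reply sections. A DUID is meant to be unique and stable per server, since clients echo it to select which server they are renewing or releasing with, so any two deployments that keep the placeholder become indistinguishable to clients on the same link. A comment next to the value such as `# Replace with a UUID generated once for this server and keep it stable across restarts`, and moving the three copies into one policy so they cannot drift, would make the example safer to copy. The `send Advertise` section starts outside the hunk.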
@@ -302,10 +300,8 @@ send Offer { # # All replies MUST include a Server-ID option # - update reply { - &Server-ID.DUID = UUID - &Server-ID.DUID.UUID.Value := 0x00000000000000000000000000000000 - } + &reply.Server-ID.DUID = UUID + &reply.Server-ID.DUID.UUID.Value := 0x00000000000000000000000000000000 } # @@ -323,10 +319,8 @@ send Reply { # # All replies MUST include a Server-ID option # - update reply { - &Server-ID.DUID = UUID - &Server-ID.DUID.UUID.Value := 0x00000000000000000000000000000000 - } + &reply.Server-ID.DUID = UUID + &reply.Server-ID.DUID.UUID.Value := 0x00000000000000000000000000000000 } } diff --git a/raddb/sites-available/dynamic-clients b/raddb/sites-available/dynamic-clients index 6f7c9979926..4e448dcff30 100644 --- a/raddb/sites-available/dynamic-clients +++ b/raddb/sites-available/dynamic-clients 
@@ -225,37 +225,33 @@ server dynamic_clients { # useless, but it documents the attributes # you need. # - update control { + # Copy the IP address of the client from + # the request just received + &control.FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}" - # Copy the IP address of the client from - # the request just received - &FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}" + # require_message_authenticator + &control.FreeRADIUS-Client-Require-MA = no - # require_message_authenticator - &FreeRADIUS-Client-Require-MA = no + # secret + &control.FreeRADIUS-Client-Secret = "testing123" - # secret - &FreeRADIUS-Client-Secret = "testing123" + # shortname + &control.FreeRADIUS-Client-Shortname = "%{Packet-Src-IP-Address}" - # shortname - &FreeRADIUS-Client-Shortname = "%{Packet-Src-IP-Address}" + # nas_type + &control.FreeRADIUS-Client-NAS-Type = "other" - # nas_type - &FreeRADIUS-Client-NAS-Type = "other" - - # virtual_server - # - # This can ONLY be used if the network client - # definition (e.g. "client dynamic" above) has - # NO virtual_server defined. - # - # If the network client definition does have a - # virtual_server defined, then that is used, - # and there is no need to define this attribute. - # - #&FreeRADIUS-Client-Virtual-Server = "something" - - } + # virtual_server + # + # This can ONLY be used if the network client + # definition (e.g. "client dynamic" above) has + # NO virtual_server defined. + # + # If the network client definition does have a + # virtual_server defined, then that is used, + # and there is no need to define this attribute. + # + # &control.FreeRADIUS-Client-Virtual-Server = "something" # # Example 2: Look the clients up in SQL. 
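Review bot: Example 1 now reads as live unlang that registers the source address of any packet as a client with `&control.FreeRADIUS-Client-Secret = "testing123"` and `&control.FreeRADIUS-Client-Require-MA = no`; the comment above calls the example useless, but as written it hands every peer that reaches this virtual server a published secret and waives Message-Authenticator, the only integrity check an Access-Request carries. Since this is the first snippet people copy, consider showing `&control.FreeRADIUS-Client-Require-MA = yes` and adding `# NEVER use as-is: a fixed secret plus an unrestricted source address lets any host become a client` beside the secret. Whether the surrounding `client dynamic` definition narrows the allowed network is outside the hunk.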
@@ -301,19 +297,17 @@ server dynamic_clients { # for the NAS element, i.e. "password". # if ("%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}") { - update control { - &FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}" + &control.FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}" - # Set the Client-Shortname to be the Location - # "l" just like in the Huntgroups, but this - # time to the shortname. + # Set the Client-Shortname to be the Location + # "l" just like in the Huntgroups, but this + # time to the shortname. - &FreeRADIUS-Client-Shortname = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?l?sub?cn=%{Packet-Src-IP-Address}}" + &control.FreeRADIUS-Client-Shortname = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?l?sub?cn=%{Packet-Src-IP-Address}}" - # Lookup and set the Shared Secret based on - # the "ou" attribute. - &FreeRADIUS-Client-Secret = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}" - } + # Lookup and set the Shared Secret based on + # the "ou" attribute. + &control.FreeRADIUS-Client-Secret = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}" } # diff --git a/raddb/sites-available/example b/raddb/sites-available/example index 535f7dcee06..ec4d4d1e9bf 100644 --- a/raddb/sites-available/example +++ b/raddb/sites-available/example @@ -6,7 +6,6 @@ # ###################################################################### - # # This client will be available to any "listen" section that # are defined outside of a virtual server section. However, @@ -38,6 +37,7 @@ # and examples, and should not appear on the net. You shouldn't # use it for anything, either. # + client 192.0.2.10 { shortname = example-client secret = testing123 
@@ -92,10 +92,8 @@ server example { # # Some example policies. See "man unlang" for more. # - if (&User-Name == 'bob') { - update control { - &Password.Cleartext := 'bob' - } + if (&User-Name == "bob") { + &control.Password.Cleartext := "bob" } # @@ -111,9 +109,7 @@ server example { } send Access-Reject { - update reply { - &Reply-Message = 'This is only an example.' - } + &reply.Reply-Message = "This is only an example." } } diff --git a/raddb/sites-available/inner-tunnel b/raddb/sites-available/inner-tunnel index 360bb69f0e4..9cb0c126dfd 100644 --- a/raddb/sites-available/inner-tunnel +++ b/raddb/sites-available/inner-tunnel @@ -238,13 +238,11 @@ authenticate eap { # authentication methods. # # If you need to send a reply attribute in the outer session, -# the ONLY safe way is to update the outer session-state. +# the ONLY safe way is to set the outer session-state list. # Attributes that should be provided in the reply should be # copied to the outer.session-state list: # -# update outer.session-state { -# ... -# } +# &outer.session-state.Attribute := # # The default configuration in the outer post-auth "send" section # will copy this to the reply. To copy the entire reply see @@ -307,8 +305,6 @@ send Access-Reject { # # Let the outer session know which module failed, and why. # - update outer.session-state { - &Module-Failure-Message := &request.Module-Failure-Message - } + &outer.session-state.Module-Failure-Message := &request.Module-Failure-Message } } # inner-tunnel server block diff --git a/raddb/sites-available/originate-coa b/raddb/sites-available/originate-coa index d3f6f9de34a..651685abb6e 100644 --- a/raddb/sites-available/originate-coa +++ b/raddb/sites-available/originate-coa @@ -37,7 +37,7 @@ # ... # } # -# Note that this functionality is configured differently from v3. +# NOTE: This functionality is configured differently from v3. # ###################################################################### 
@@ -71,15 +71,13 @@ recv Accounting-Request { # The subrequest begins empty, so copy all necessary # attributes over. # - update request { - &User-Name := &parent.request.User-Name - &Acct-Session-Id := &parent.request.Acct-Session-Id - &NAS-Identifier := &parent.request.NAS-Identifier - &NAS-IP-Address := &parent.request.NAS-IP-Addres - &NAS-IPv6-Address := &parent.request.NAS-IPv6-Address - &NAS-Port := &parent.request.NAS-Port - &Framed-IP-Address := &parent.request.Framed-IP-Address - } + &request.User-Name := &parent.request.User-Name + &request.Acct-Session-Id := &parent.request.Acct-Session-Id + &request.NAS-Identifier := &parent.request.NAS-Identifier + &request.NAS-IP-Address := &parent.request.NAS-IP-Addres + &request.NAS-IPv6-Address := &parent.request.NAS-IPv6-Address + &request.NAS-Port := &parent.request.NAS-Port + &request.Framed-IP-Address := &parent.request.Framed-IP-Address # # Call the `radius` module to send a CoA packet. diff --git a/raddb/sites-available/proxy-inner-tunnel b/raddb/sites-available/proxy-inner-tunnel index 42dec815cea..b038b70f3f0 100644 --- a/raddb/sites-available/proxy-inner-tunnel +++ b/raddb/sites-available/proxy-inner-tunnel @@ -22,10 +22,8 @@ recv Access-Request { # the inner tunnel request. # - update control { - # You should update this to be one of your realms. - &Proxy-To-Realm := "example.com" - } + # You should update this to be one of your realms. + &control.Proxy-To-Realm := "example.com" } authenticate eap { diff --git a/raddb/sites-available/robust-proxy-accounting b/raddb/sites-available/robust-proxy-accounting index c26d12dd912..6c7ce8790e9 100644 --- a/raddb/sites-available/robust-proxy-accounting +++ b/raddb/sites-available/robust-proxy-accounting 
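Review bot: `&request.NAS-IP-Address := &parent.request.NAS-IP-Addres` references a misspelt attribute (`NAS-IP-Addres`, missing the trailing `s`); the typo is carried over from the removed `update` block, so the commit rewrites the line without fixing it. Depending on how strictly attribute references are resolved this either fails to load the virtual server or silently leaves NAS-IP-Address out of the CoA subrequest, which is the attribute the `radius` module needs to reach the NAS. The fix is `&request.NAS-IP-Address := &parent.request.NAS-IP-Address`. The `subrequest` block starts outside the hunk.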
@@ -21,7 +21,7 @@ # packets were written to the detail file. But that would # involve a lot more disk writes, which may not be a good idea. # -# This file is NOT meant to be used as-is. It needs to be +# NOTE: This file is NOT meant to be used as-is. It needs to be # edited to match your local configuration. # # $Id$ @@ -149,9 +149,7 @@ server home.example.com { recv Accounting-Request { # You may want accounting policies here... - update control { - &Proxy-To-Realm := 'acct_realm.example.com' - } + &control.Proxy-To-Realm := "acct_realm.example.com" } } diff --git a/raddb/sites-available/soh b/raddb/sites-available/soh index 6a0a6e65307..7f9eb0a7bbf 100644 --- a/raddb/sites-available/soh +++ b/raddb/sites-available/soh @@ -1,34 +1,30 @@ +# -*- text -*- +# # This is a simple server for the MS SoH requests generated by the -# peap module - see "eap.conf" for more info - +# peap module - see "raddb/mods-available/eap" for more info +# # Requests are ONLY passed through the authorize section, and cannot # current be proxied (in any event, the radius attributes used are # internal). +# +# $Id$ +# server soh-server { recv Access-Request { if (&SoH-Supported == no) { # client NAKed our request for SoH - not supported, or turned off - update config { - &Auth-Type = Accept - } + &control.Auth-Type = Accept } else { # client replied; check something - this is a local policy issue! if (&SoH-MS-Windows-Health-Status =~ /antivirus (warn|error) /) { - update config { - &Auth-Type = Reject - } - update reply { - &Reply-Message = 'You must have antivirus enabled & installed!' - } + &control.Auth-Type = Reject + &reply.Reply-Message = "You must have antivirus enabled & installed!" } else { - update config { - &Auth-Type = Accept - } + &control.Auth-Type = Accept } } } } - diff --git a/raddb/sites-available/tacacs b/raddb/sites-available/tacacs index 5de17028bf9..960b400e0b4 100644 --- a/raddb/sites-available/tacacs +++ b/raddb/sites-available/tacacs 
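Review bot: The `if (&SoH-Supported == no)` branch sets `&control.Auth-Type = Accept`, so a client that simply declines the SoH exchange skips the health check entirely and only clients that answer can be rejected for a bad antivirus status — the policy fails open for the clients least able to prove their state. That may be deliberate for a monitor-only rollout, but it deserves `# Fail-open: clients that do not support SoH are accepted; use Reject or a quarantine policy for enforcement` so it is not copied into an enforcing deployment unnoticed. Note also that this file uses `=` for Auth-Type where the other virtual servers in this commit use `:=`; with `=` an Auth-Type already set by an earlier module is left untouched, which may or may not be intended.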
@@ -98,9 +98,7 @@ server tacacs { # # Set _our_ authentication method to the _requested_ one. # - update control { - &Auth-Type := &Authentication-Type - } + &control.Auth-Type := &Authentication-Type } authenticate PAP { @@ -131,9 +129,7 @@ server tacacs { # send Authentication-Start-Reply { if (&Authentication-Status == Pass) { - update reply { - &Server-Message := "Hello %{User-Name}" - } + &reply.Server-Message := "Hello %{User-Name}" } } @@ -160,9 +156,7 @@ server tacacs { # send Authentication-Continue-Reply { if (&Authentication-Status == Pass) { - update reply { - &Server-Message := "Hello %{User-Name}" - } + &reply.Server-Message := "Hello %{User-Name}" } } @@ -188,12 +182,10 @@ server tacacs { # ### Send # send Authorization-Reply { - update reply { - &Authorization-Status := Pass-Add - &Server-Message := "authorization-response-server" - &Data := "authorization-response-data" - &ArgumentList := "key1=var1" - } + &reply.Authorization-Status := Pass-Add + &reply.Server-Message := "authorization-response-server" + &reply.Data := "authorization-response-data" + &reply.ArgumentList := "key1=var1" } # @@ -230,11 +222,9 @@ server tacacs { # ### Send # send Accounting-Reply { - update reply { - &Accounting-Status := Success - &Server-Message := "Success" - &Data := 0x00 - } + &reply.Accounting-Status := Success + &reply.Server-Message := "Success" + &reply.Data := 0x00 } # diff --git a/raddb/sites-available/tls-cache b/raddb/sites-available/tls-cache index b76cd5ff416..d837fdda579 100644 --- a/raddb/sites-available/tls-cache +++ b/raddb/sites-available/tls-cache @@ -44,9 +44,8 @@ server tls-cache { # and will just cause the server to emit a warning. # load tls-session { - update control { - Cache-Allow-Insert := no - } + &control.Cache-Allow-Insert := no + cache_tls_session } 
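Review bot: `&control.Auth-Type := &Authentication-Type` copies the client-chosen authentication type straight into control, so the peer selects which `authenticate` section runs. With only the sections this file defines (`authenticate PAP` is the trailing context here) a request naming another type presumably fails, but nothing states that contract; a comment such as `# The client picks the method; only types with an authenticate section below can succeed`, or an explicit `switch &Authentication-Type` with a `reject` default, would make the accepted set visible. The enclosing `recv` section starts outside the hunk.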
@@ -64,9 +63,8 @@ server tls-cache { # and will just cause the server to emit a warning. # store tls-session { - update control { - Cache-TTL := 0 - } + &control.Cache-TTL := 0 + cache_tls_session } @@ -80,10 +78,9 @@ server tls-cache { # and will just cause the server to emit a warning. # clear tls-session { - update control { - Cache-TTL := 0 - Cache-Allow-Insert := no - } + &control.Cache-TTL := 0 + &control.Cache-Allow-Insert := no + cache_tls_session } @@ -98,9 +95,8 @@ server tls-cache { # To force OCSP validation failure, it should return 'reject'. # load ocsp-state { - update control { - Cache-Allow-Insert := no - } + &control.Cache-Allow-Insert := no + cache_ocsp } @@ -116,10 +112,9 @@ server tls-cache { # and will just cause the server to emit a warning. # store ocsp-state { - update control { - Cache-TTL := "%{expr:&reply.TLS-OCSP-Next-Update * -1}" - Cache-Allow-Merge := no - } + &control.Cache-TTL := "%{expr:&reply.TLS-OCSP-Next-Update * -1}" + &control.Cache-Allow-Merge := no + cache_ocsp } } diff --git a/raddb/sites-available/vmps b/raddb/sites-available/vmps index a622ff2b83e..087be71ea3f 100644 --- a/raddb/sites-available/vmps +++ b/raddb/sites-available/vmps @@ -71,14 +71,10 @@ server vmps { # create one using other attributes. if (!&MAC-Address) { if (&Ethernet-Frame =~ /0x.{12}(..)(..)(..)(..)(..)(..).*/) { - update request { - &MAC-Address = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}" - } + &request.MAC-Address = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}" } else { - update request { - &MAC-Address = &Cookie - } + &request.MAC-Address = &Cookie } } 
@@ -93,19 +89,17 @@ server vmps { # # required VMPS reply attributes # - update reply { - &Packet-Type = Join-Response - &Error-Code = No-Error - &Cookie = &MAC-Address + &reply.Packet-Type = Join-Response + &reply.Error-Code = No-Error + &reply.Cookie = &MAC-Address - &VLAN-Name = "please_use_real_vlan_here" + &reply.VLAN-Name = "please_use_real_vlan_here" - # - # NOTE: If you have VLAN's in a database, you can `select` - # the VLAN name based on the MAC address. - # -# &VLAN-Name = "%{sql:select ... where mac='%{MAC-Address}'}" - } + # + # NOTE: If you have VLAN's in a database, you can `select` + # the VLAN name based on the MAC address. + # +# &reply.VLAN-Name = "%{sql:select ... where mac='%{MAC-Address}'}" } #