From e31704c940121db14243c5a0e4d310bfa71fac21 Mon Sep 17 00:00:00 2001 From: "Alan T. DeKok" Date: Sat, 8 Mar 2025 09:32:42 -0500 Subject: [PATCH] remove files which should not have been committed --- .../sites-available/control-socket.orig.adoc | 153 ------ .../pages/raddb/sites-available/crash.adoc | 61 --- .../raddb/sites-available/dhcp.orig.adoc | 442 ------------------ .../raddb/sites-available/tls-cache.orig.adoc | 146 ------ 4 files changed, 802 deletions(-) delete mode 100644 doc/antora/modules/reference/pages/raddb/sites-available/control-socket.orig.adoc delete mode 100644 doc/antora/modules/reference/pages/raddb/sites-available/crash.adoc delete mode 100644 doc/antora/modules/reference/pages/raddb/sites-available/dhcp.orig.adoc delete mode 100644 doc/antora/modules/reference/pages/raddb/sites-available/tls-cache.orig.adoc diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/control-socket.orig.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/control-socket.orig.adoc deleted file mode 100644 index 9f7ca2e5d8..0000000000 --- a/doc/antora/modules/reference/pages/raddb/sites-available/control-socket.orig.adoc +++ /dev/null @@ -1,153 +0,0 @@ - - - - -= Control socket interface. - -``` -# In the future, we will add username/password checking for -# connections to the control socket. We will also add -# command authorization, where the commands entered by the -# administrator are run through a virtual server before -# they are executed. -``` - -``` -# For now, anyone who has permission to connect to the socket -# has nearly complete control over the server. Be warned! -``` - -``` -# NOTE: This functionality is NOT enabled by default. -``` - -``` -# See also the "radmin" program, which is used to communicate -# with the server over the control socket. -``` - -``` -server control { -``` - -namespace:: Determine the current scope as a control service. - -``` - namespace = control - -``` - -All configuration related to the control interface. - -``` - listen { -``` - -transport:: Define which communication channel. - -``` - transport = unix - -``` - -UNIX socket-file as communication channel. - -``` - unix { -``` - -filename:: Socket location. - -Most operating systems (other than Linux), do not respect -permissions set on socket files. - -To work around this issue, we ensure the -permissions on the directory containing the socket, -are sufficiently restrictive to only allow access -by the FreeRADIUS user, or the gid below (if set). - -It is recommended to house the socket in its own -sub-directory. FreeRADIUS will create this sub-directory -if it doesn't exist and set the appropriate ownership and -permissions. - -``` - filename = ${run_dir}/control/${name}.sock - -``` - -peercred:: It is enabled by default, and offers an additional layer -of security. When enabled FreeRADIUS will check the euid and -egid of the process connecting to the control socket. - -The client process is allowed to connect if any of the following -are true: - -- The client processes' euid is 0 (root). -- The client processes' euid matches FreeRADIUS' euid. -- gid is set (below), and the client processes' egid matches the - configured gid. - -NOTE: With peercred enabled, auxiliary groups of the client process -are not considered. If you have multiple users and need to control -control socket authorization via group membership, you should set -`peercred = no`, and rely on filesystem permissions for enforcement. - -``` -# peercred = no - -``` - -uid:: Name of user who is allowed to connect to the control socket. - -``` -# uid = radius - -``` - -gid:: Name of group that is allowed to connect to the control socket. - -``` -# gid = radius - -``` - -mode:: Access mode. - -This can be used to give *some* administrators access to -monitor the system, but not to change it. - -ro = read only access (default) -rw = read/write access. - -``` - mode = rw - } - -``` -@todo - add "limit" section -``` - } - -``` - -These don't do anything for now - -``` - recv { - ok - } - - send { - ok - } -} -``` - -== Default Configuration - -``` -``` - -// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0. -// This documentation was developed by Network RADIUS SAS. diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/crash.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/crash.adoc deleted file mode 100644 index 21371dbf2e..0000000000 --- a/doc/antora/modules/reference/pages/raddb/sites-available/crash.adoc +++ /dev/null @@ -1,61 +0,0 @@ -``` - &Filter-Id := "db.findAndModify({ \ - 'query': { \ - 'AcctStopTime': null, \ - 'NasIpAddress': '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', \ - 'AcctStarttime': { \ - '$lt': \ - } \ - }, \ - 'update': { \ - '$set': { \ - 'AcctStopTime': '', \ - 'AcctUpdateTime': '', \ - 'AcctSessionTime': { \ - '$subtract': [ '', '123' ] \ - }, \ - 'AcctTerminateCause': '%{%{Acct-Terminate-Cause}:-NAS-Reboot}', \ - 'Class': '%{Class}', \ - 'FramedIpAddress': '%{Framed-IP-Address}', \ - 'update_date': { \ - '$date': { \ - '$numberLong': '%{expr: (%l * 1000) + (%M / 1000)}' \ - } \ - }, \ - 'start_time': '%{Packet-Original-Timestamp}' \ - }, \ - '$push': { \ - 'events_data': { \ - 'event_id': '%{sha2_256:%{tolower:%{Calling-Station-Id}}}', \ - 'event_type': 'Accounting-Start', \ - 'event_time': '%{Packet-Original-Timestamp}', \ - 'creation_date': { \ - '$date': { \ - '$numberLong': '%{expr: (%l * 1000) + (%M / 1000)}' \ - } \ - } \ - } \ - }, \ - '$setOnInsert': { \ - 'pool_name': '%{control.IP-Pool.Name}', \ - 'FramedIpAddress': '%{Framed-IP-Address}', \ - 'closed': false, \ - 'update_counter': 0, \ - 'creation_date': { \ - '$date': { \ - '$numberLong': '%{expr: (%l * 1000) + (%M / 1000)}' \ - } \ - } \ - } \ - }, \ - 'upsert': 2 1 1 true \ - })" -``` - -== Default Configuration - -``` -``` - -// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0. -// This documentation was developed by Network RADIUS SAS. diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/dhcp.orig.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/dhcp.orig.adoc deleted file mode 100644 index bfc33930eb..0000000000 --- a/doc/antora/modules/reference/pages/raddb/sites-available/dhcp.orig.adoc +++ /dev/null @@ -1,442 +0,0 @@ - -``` -# This is a virtual server that handles DHCP. -``` - -See raddb/mods-available/dhcp_sqlippool for the IP Pool configuration. - -See raddb/policy.d/dhcp_sqlippool for the "glue" code that allows -the RADIUS based "sqlippool" module to be used for DHCP. - -See raddb/mods-config/sql/ippool/ for the schemas. - -See raddb/sites-available/dhcp for instructions on how to configure -the DHCP server. - - - - -The DHCP functionality goes into a virtual server. - -``` -server dhcp { - namespace = dhcpv4 - -``` -Define a DHCP socket. - -The default port below is 6700, so you don't break your network. -If you want it to do real DHCP, change this to 67, and good luck! - -You can also bind the DHCP socket to an interface. -See below, and raddb/radiusd.conf for examples. - -This lets you run *one* DHCP server instance and have it listen on -multiple interfaces, each with a separate policy. - -If you have multiple interfaces, it is a good idea to bind the -listen section to an interface. You will also need one listen -section per interface. - -``` -listen { - type = DHCP-Discover - type = DHCP-Request - type = DHCP-Inform - type = DHCP-Release - type = DHCP-Decline - type = DHCP-Lease-Query - - transport = udp - - udp { -``` -IP address to listen on. Will usually be the IP of the -interface, or 0.0.0.0 -``` - ipaddr = 127.0.0.1 - -``` -The port should be 67 for a production network. Don't set -it to 67 on a production network unless you really know -what you're doing. Even if nothing is configured below, the -server may still NAK legitimate responses from clients. -``` - port = 6700 - -``` -Interface name we are listening on. See comments above. -``` -# interface = lo0 - -``` -source IP address for unicast packets sent by the -DHCP server. - -The source IP for unicast packets is chosen from the first -one of the following items which returns a valid IP -address: - - src_ipaddr - ipaddr - reply:DHCP-Server-IP-Address - reply:DHCP-DHCP-Server-Identifier - -``` - src_ipaddr = 127.0.0.1 - -``` -The DHCP server defaults to allowing broadcast packets. -Set this to "no" only when the server receives *all* packets -from a relay agent. i.e. when *no* clients are on the same -LAN as the DHCP server. - -It's set to "no" here for testing. It will usually want to -be "yes" in production, unless you are only dealing with -relayed packets. -``` - broadcast = no - -``` -On Linux if you're running the server as non-root, you -will need to do: - -sudo setcap cap_net_admin=ei /path/to/radiusd - -This will allow the server to set ARP table entries -for newly allocated IPs -``` - } -} - -``` - -If there is no `client` entry in a DHCPv4 virtual server, it will -automatically create and use a "0/0" client. - -If there is one or more clients defined in a DHCPv4 virtual server, -they will be used to limit source IP addresses for DHCPv4 packets. -Only packets from known clients or networks will be accepted. - -If a `client` is defined, you should list all subnets used for end -user machines, along with all DHCPv4 gateways that send packets to -the server. - -``` -#client private { -``` - ipaddr = 192.168.0.0/16 -``` -#} - -``` -Packets received on the socket will be processed through one -of the following sections, named after the DHCP packet type. -See dictionary.dhcpv4 for the packet types. - -Return packets will be sent to, in preference order: - DHCP-Gateway-IP-Address - DHCP-Client-IP-Address - DHCP-Your-IP-Address -At least one of these attributes should be set at the end of each -section for a response to be sent. - -``` -recv DHCP-Discover { - -``` -Set the type of packet to send in reply. - -The server will look at the DHCP-Message-Type attribute to -determine which type of packet to send in reply. Common -values would be DHCP-Offer, DHCP-Ack or DHCP-NAK. See -dictionary.dhcp for all the possible values. - -DHCP-Do-Not-Respond can be used to tell the server to not -respond. - -In the event that DHCP-Message-Type is not set then the -server will fall back to determining the type of reply -based on the rcode of this section. - -``` - update reply { - &DHCP-Message-Type = DHCP-Offer - } - -``` -The contents here are invented. Change them! -``` - update reply { - &DHCP-Domain-Name-Server = 127.0.0.1 - &DHCP-Domain-Name-Server = 127.0.0.2 - &DHCP-Subnet-Mask = 255.255.255.0 - &DHCP-Router-Address = 192.0.2.1 - &DHCP-IP-Address-Lease-Time = 86400 - &DHCP-DHCP-Server-Identifier = 192.0.2.1 - } - -``` -Do a simple mapping of MAC to assigned IP. - -See below for the definition of the "mac2ip" -module. - -mac2ip - -If the MAC wasn't found in that list, do something else. -You could call a Perl, Python, or Java script here. - -if (notfound) { -... -} - -Or, allocate IPs from the DHCP pool in SQL. You may need to -set the pool name here if you haven't set it elsewhere. -``` -# update control { -# &Pool-Name := "local" -# } -# dhcp_sqlippool - -``` -If DHCP-Message-Type is not set, returning "ok" or -"updated" from this section will respond with a DHCP-Offer -message. - -Other rcodes will tell the server to not return any response. -``` - ok -} - -recv DHCP-Request { - -``` -Response packet type. See DHCP-Discover section above. -``` - update reply { - &DHCP-Message-Type = DHCP-Ack - } - -``` -The contents here are invented. Change them! -``` - update reply { - &DHCP-Domain-Name-Server = 127.0.0.1 - &DHCP-Domain-Name-Server = 127.0.0.2 - &DHCP-Subnet-Mask = 255.255.255.0 - &DHCP-Router-Address = 192.0.2.1 - &DHCP-IP-Address-Lease-Time = 86400 - &DHCP-DHCP-Server-Identifier = 192.0.2.1 - } - -``` -Do a simple mapping of MAC to assigned IP. - -See below for the definition of the "mac2ip" -module. - -mac2ip - -If the MAC wasn't found in that list, do something else. -You could call a Perl, Python, or Java script here. - -if (notfound) { -... -} - -Or, allocate IPs from the DHCP pool in SQL. You may need to -set the pool name here if you haven't set it elsewhere. -``` -# update control { -# &Pool-Name := "local" -# } -# dhcp_sqlippool - -``` -If DHCP-Message-Type is not set, returning "ok" or -"updated" from this section will respond with a DHCP-Ack -packet. - -"handled" will not return a packet, all other rcodes will -send back a DHCP-NAK. -``` - ok -} - -``` - -Other DHCP packet types - -There should be a separate section for each DHCP message type. -By default this configuration will ignore them all. Any packet type -not defined here will be responded to with a DHCP-NAK. - -``` -recv DHCP-Decline { - update reply { - &DHCP-Message-Type = DHCP-Do-Not-Respond - } - reject -} - -recv DHCP-Inform { - update reply { - &DHCP-Message-Type = DHCP-Do-Not-Respond - } - reject -} - -``` - -For Windows 7 boxes - -``` -#recv DHCP-Inform { -# update reply { -# Packet-Dst-Port = 67 -# DHCP-Message-Type = DHCP-ACK -# DHCP-DHCP-Server-Identifier = "%{Packet-Dst-IP-Address}" -# DHCP-Site-specific-28 = 0x0a00 -# } -# ok -#} - -recv DHCP-Release { - update reply { - &DHCP-Message-Type = DHCP-Do-Not-Respond - } - reject -} - -recv DHCP-Lease-Query { -``` -The thing being queried for is implicit -in the packets. - -has MAC, asking for IP, etc. -``` - if (&DHCP-Client-Hardware-Address) { -``` -look up MAC in database -``` - } - -``` -has IP, asking for MAC, etc. -``` - elsif (&DHCP-Your-IP-Address) { -``` -look up IP in database -``` - } - -``` -has host name, asking for IP, MAC, etc. -``` - elsif (&DHCP-Client-Identifier) { -``` -look up identifier in database -``` - } - else { - update reply { - &DHCP-Message-Type = DHCP-Lease-Unknown - } - - ok - -``` -stop processing -``` - return - } - -``` - -We presume that the database lookup returns "notfound" -if it can't find anything. - -``` - if (notfound) { - update reply { - &DHCP-Message-Type = DHCP-Lease-Unknown - } - ok - return - } - -``` - -Add more logic here. Is the lease inactive? -If so, respond with DHCP-Lease-Unassigned. - -Otherwise, respond with DHCP-Lease-Active - - - -Also be sure to return ALL information about -the lease. - - - -The reply types are: - -DHCP-Lease-Unknown -DHCP-Lease-Active -DHCP-Lease-Unassigned - -``` - update reply { - &DHCP-Message-Type = DHCP-Lease-Unassigned - } - -} - -} - -``` - -This next section is a sample configuration for the "passwd" -module, that reads flat-text files. It should go into -radiusd.conf, in the "modules" section. - -The file is in the format , - -``` -# 00:01:02:03:04:05,192.0.2.100 -# 01:01:02:03:04:05,192.0.2.101 -# 02:01:02:03:04:05,192.0.2.102 -``` - -This lets you perform simple static IP assignment. - -There is a preconfigured "mac2ip" module setup in -mods-available/mac2ip. To use it do: - - # cd raddb/ - # ln -s ../mods-available/mac2ip mods-enabled/mac2ip - # mkdir mods-config/passwd - -Then create the file mods-config/passwd/mac2ip with the above -format. - - -This is an example only - see mods-available/mac2ip instead; do -not uncomment these lines here. - -``` -#passwd mac2ip { -# filename = ${confdir}/mac2ip -# format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address" -# delimiter = "," -#} -``` - -== Default Configuration - -``` -``` - -// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0. -// This documentation was developed by Network RADIUS SAS. diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/tls-cache.orig.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/tls-cache.orig.adoc deleted file mode 100644 index fad5f3152b..0000000000 --- a/doc/antora/modules/reference/pages/raddb/sites-available/tls-cache.orig.adoc +++ /dev/null @@ -1,146 +0,0 @@ - -This virtual server controls caching of TLS sessions. - -When a TLS session is used, the server will automatically create -the following attributes in the session-state list. These attributes -are the ones for the *server* certificate. - -``` -# TLS-Cert-Serial -# TLS-Cert-Expiration -# TLS-Cert-Subject -# TLS-Cert-Issuer -# TLS-Cert-Common-Name -# TLS-Cert-Subject-Alt-Name-Email -``` - -If a client certificate is required (e.g. EAP-TLS or sometimes PEAP / TTLS), -the following attributes are also created in the session-state list: - -``` -# TLS-Client-Cert-Serial -# TLS-Client-Cert-Expiration -# TLS-Client-Cert-Subject -# TLS-Client-Cert-Issuer -# TLS-Client-Cert-Common-Name -# TLS-Client-Cert-Subject-Alt-Name-Email -``` - - - -``` -server tls-cache { - namespace = tls_cache - -``` - -This section is run whenever the server needs to read an -entry from the TLS session cache. - -It should read the attribute &session-state.TLS-Session-Data -from the cache, along with any other attributes which -were in the cache - -On success it should return 'ok' or 'updated'. - -The return code has no real effect on session processing -and will just cause the server to emit a warning. - -``` - load tls-session { - update control { - Cache-Allow-Insert := no - } - cache_tls_session - } - -``` - -This section is run whenever the server needs to write an -entry to the TLS session cache. - -It should write the attribute &session-state.Session-Data -to the cache, along with any other attributes which -need to be cached. - -On success it should return 'ok' or 'updated'. - -The return code has no real effect on session processing -and will just cause the server to emit a warning. - -``` - store tls-session { - update control { - Cache-TTL := 0 - } - cache_tls_session - } - -``` - -This section is run whenever the server needs to delete an -entry from the TLS session cache. - -On success it should return 'ok', 'updated', 'noop' or 'notfound' - -The return code has no real effect on session processing -and will just cause the server to emit a warning. - -``` - clear tls-session { - update control { - Cache-TTL := 0 - Cache-Allow-Insert := no - } - cache_tls_session - } - -``` - -This section is run after certificate attributes are added -to the request list, and before performing OCSP validation. - -It should read the attribute &control.TLS-OCSP-Cert-Valid -from the cache. - -On success it should return 'ok', 'updated', 'noop' or 'notfound' -To force OCSP validation failure, it should return 'reject'. - -``` - load ocsp-state { - update control { - Cache-Allow-Insert := no - } - cache_ocsp - } - -``` - -This section is run after OCSP validation has completed. - -It should write the attribute &reply.TLS-OCSP-Cert-Valid -to the cache. - -On success it should return 'ok' or 'updated'. - -The return code has no real effect on session processing -and will just cause the server to emit a warning. - -``` - store ocsp-state { - update control { - Cache-TTL := "%{expr:&reply.TLS-OCSP-Next-Update * -1}" - Cache-Allow-Merge := no - } - cache_ocsp - } -} -``` - -== Default Configuration - -``` -``` - -// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0. -// This documentation was developed by Network RADIUS SAS. -- 2.47.2