From: Alan T. DeKok Date: Mon, 26 Apr 2021 23:56:25 +0000 (-0400) Subject: updated after `make asciidoc` X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4d7588936e58b42c02f2fef3011f34e06172066a;p=thirdparty%2Ffreeradius-server.git updated after `make asciidoc` --- diff --git a/doc/antora/modules/raddb/pages/mods-available/eap.adoc b/doc/antora/modules/raddb/pages/mods-available/eap.adoc index 30954bf72f6..0508447be2a 100644 --- a/doc/antora/modules/raddb/pages/mods-available/eap.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/eap.adoc @@ -20,16 +20,19 @@ then cannot use ANY other authentication method. ## Configuration Settings -default_eap_type::: Invoke the default supported EAP type when `EAP-Identity` +default_eap_type:: The default EAP submodule to invoke when an `EAP-Identity` response is received. -The incoming EAP messages *DO NOT* specify which EAP type they will be using, -so it MUST be set here. +If a `default_eap_type` value is not provided, enabled EAP submodules will be +queried to determine if they recognise the provided EAP-Identity. +If no submodules recognise the identity, the first `type` value listed below +will be used. -For now, only one default EAP type may be used at a time. +If the `control.EAP-Type` attribute is set, then that EAP type takes precedence +over any configured or inferred EAP-Type. -If the `EAP-Type` attribute is set by another module, then that EAP -type takes precedence over the default type configured here. +It is generally recommended to NOT set `default_eap_type`, and instead order +the `type` configuration items appropriately. @@ -48,15 +51,6 @@ request will still end up being rejected. -cisco_accounting_username_bug:: - -Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given a `link:https://freeradius.org/rfc/rfc2865.html#User-Name[User-Name]` -attribute in an `link:https://freeradius.org/rfc/rfc2865.html#Access-Accept[Access-Accept]`, it copies one more byte than it should. - -We can work around it by using this configuration option to add an extra zero byte. - - - ## Allowed EAP-types type:: Only EAP types listed below with a `type = ` pair will be allowed. @@ -475,7 +469,11 @@ issues. ecdh_curve:: Elliptical cryptography configuration. -Only for OpenSSL >= 0.9.8.f +Should be a colon-separated list of curve names. + +For supported curve names, please run the command: + +openssl ecparam -list_curves @@ -1541,7 +1539,7 @@ TODO TODO ``` -### %{sim_id_method:...} +### %(aka_sim_id_method:...) TODO @@ -1560,7 +1558,7 @@ TODO TODO ``` -### %{sim_id_type:...} +### %(aka_sim_id_type:...) TODO @@ -1583,7 +1581,7 @@ TODO ``` eap { - default_eap_type = md5 +# default_eap_type = md5 ignore_unknown_eap_types = no type = md5 # type = pwd diff --git a/doc/antora/modules/raddb/pages/mods-available/icmp.adoc b/doc/antora/modules/raddb/pages/mods-available/icmp.adoc index 46fe16803b1..980751e555f 100644 --- a/doc/antora/modules/raddb/pages/mods-available/icmp.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/icmp.adoc @@ -21,7 +21,7 @@ expansion, such as: == Capabilities and Permissions -On Linus, you may need to do: +On Linux, you may need to do: In order for the `icmp` module to bind to a "raw" socket. diff --git a/doc/antora/modules/raddb/pages/mods-available/sqlippool.adoc b/doc/antora/modules/raddb/pages/mods-available/sqlippool.adoc index 00dfe774d8b..f84bf550d8a 100644 --- a/doc/antora/modules/raddb/pages/mods-available/sqlippool.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/sqlippool.adoc @@ -156,9 +156,9 @@ sqlippool { # requested_address = "%{%{dhcpv4.Requested-IP-Address}:-%{dhcpv4.Client-IP-Address}}" gateway = "%{%{radius.NAS-Identifier}:-%{radius.NAS-IP-Address}}" messages { - exists = "Existing IP: %{reply.${..attribute_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" - success = "Allocated IP: %{reply.${..attribute_name}} from %{control.IP-Pool.Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" - clear = "Released IP %{${..attribute_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})" + exists = "Existing IP: %{reply.${..allocated_address_attr}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" + success = "Allocated IP: %{reply.${..allocated_address_attr}} from %{control.IP-Pool.Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" + clear = "Released IP ${..requested_address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})" failed = "IP Allocation FAILED from %{control.IP-Pool.Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" nopool = "No IP-Pool.Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" } diff --git a/doc/antora/modules/raddb/pages/sites-available/default.adoc b/doc/antora/modules/raddb/pages/sites-available/default.adoc index 6581b81a76f..852a71462d6 100644 --- a/doc/antora/modules/raddb/pages/sites-available/default.adoc +++ b/doc/antora/modules/raddb/pages/sites-available/default.adoc @@ -68,6 +68,115 @@ only accept packets for that protocol. +### RADIUS Configuration + +All of the configuration for processing RADIUS packets goes here. + + +#### Access-Request subsection + +This section contains configuration which is +specific to processing `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` packets. + +Similar sections can be added, but are not +necessary for Accounting-Request (and other) +packets. At this time, there is no configuration +needed for other packet types. + + +log:: Logging configuration for `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` packets + +In v3, the `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` logging was +configured in the main `radiusd.conf` file, +in the main `log` subsection. That +limitation meant that the configuration was +global to FreeRADIUS. i.e. you could not +have different `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` logging for +different virtual server. + +The extra configuration in v4 allows for +increased flexibility. + + +stripped_names:: Log the full +`link:https://freeradius.org/rfc/rfc2865.html#User-Name[User-Name]` attribute, as it was +found in the request. + +allowed values: {no, yes} + + + +auth:: Log authentication requests +to the log file. + +allowed values: {no, yes} + + + +auth_goodpass:: Log "good" +passwords with the authentication +requests. + +allowed values: {no, yes} + + + +auth_badpass:: Log "bad" +passwords with the authentication +requests. + +allowed values: {no, yes} + + + +msg_goodpass:: +msg_badpass:: + +Log additional text at the end of the "Login OK" messages. +for these to work, the "auth" and "auth_goodpass" or "auth_badpass" +configurations above have to be set to "yes". + +The strings below are dynamically expanded, which means that +you can put anything you want in them. However, note that +this expansion can be slow, and can negatively impact server +performance. + + + +msg_denied:: + +The message when the user exceeds the Simultaneous-Use limit. + + + +session:: Controls how ongoing +(multi-round) sessions are handled + +This section is primarily useful for EAP. +It controls the number of EAP +authentication attempts that can occur +concurrently. + + +max:: The maximum number of ongoing sessions + + + +timeout:: How long to wait before expiring a +session. + +The timer starts when a response +with a state value is sent. The +timer stops when a request +containing the previously sent +state value is received. + + + +There is currently no configuration for other packet types. + + + ### The listen section The `listen` sections in v4 are very different from the @@ -378,106 +487,6 @@ does not matter. -#### Access-Request subsection - -This section contains configuration which is -specific to processing `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` packets. - -Similar sections can be added, but are not -necessary for Accounting-Request (and other) -packets. At this time, there is no configuration -needed for other packet types. - - -log:: Logging configuration for `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` packets - -In v3, the `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` logging was -configured in the main `radiusd.conf` file, -in the main `log` subsection. That -limitation meant that the configuration was -global to FreeRADIUS. i.e. you could not -have different `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` logging for -different virtual server. - -The extra configuration in v4 allows for -increased flexibility. - - -stripped_names:: Log the full -`link:https://freeradius.org/rfc/rfc2865.html#User-Name[User-Name]` attribute, as it was -found in the request. - -allowed values: {no, yes} - - - -auth:: Log authentication requests -to the log file. - -allowed values: {no, yes} - - - -auth_goodpass:: Log "good" -passwords with the authentication -requests. - -allowed values: {no, yes} - - - -auth_badpass:: Log "bad" -passwords with the authentication -requests. - -allowed values: {no, yes} - - - -msg_goodpass:: -msg_badpass:: - -Log additional text at the end of the "Login OK" messages. -for these to work, the "auth" and "auth_goodpass" or "auth_badpass" -configurations above have to be set to "yes". - -The strings below are dynamically expanded, which means that -you can put anything you want in them. However, note that -this expansion can be slow, and can negatively impact server -performance. - - - -msg_denied:: - -The message when the user exceeds the Simultaneous-Use limit. - - - -session:: Controls how ongoing -(multi-round) sessions are handled - -This section is primarily useful for EAP. -It controls the number of EAP -authentication attempts that can occur -concurrently. - - -max:: The maximum number of ongoing sessions - - - -timeout:: How long to wait before expiring a -session. - -The timer starts when a response -with a state value is sent. The -timer stops when a request -containing the previously sent -state value is received. - - - As with v3, "ipaddr", "ipv4addr", and "ipv6addr" @@ -517,94 +526,6 @@ networks which can be listed here. -#### Access-Request subsection - -This section contains configuration which is -specific to processing `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` packets. - -Similar sections can be added, but are not -necessary for Accounting-Request (and other) -packets. At this time, there is no configuration -needed for other packet types. - - -log:: Logging configuration for `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` packets - -In v3, the `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` logging was -configured in the main `radiusd.conf` file, -in the main `log` subsection. That -limitation meant that the configuration was -global to FreeRADIUS. i.e. you could not -have different `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` logging for -different virtual server. - -The extra configuration in v4 allows for -increased flexibility. - -stripped_names:: Log the full -`link:https://freeradius.org/rfc/rfc2865.html#User-Name[User-Name]` attribute, as it was -found in the request. - -allowed values: {no, yes} - - -auth:: Log authentication requests -to the log file. - -allowed values: {no, yes} - - -auth_goodpass:: Log "good" -passwords with the authentication -requests. - -allowed values: {no, yes} - - -auth_badpass:: Log "bad" -passwords with the authentication -requests. - -allowed values: {no, yes} - - -Log additional text at the end of the "Login OK" messages. -for these to work, the "auth" and "auth_goodpass" or "auth_badpass" -configurations above have to be set to "yes". - -The strings below are dynamically expanded, which means that -you can put anything you want in them. However, note that -this expansion can be slow, and can negatively impact server -performance. - - -The message when the user exceeds the Simultaneous-Use limit. - - - -session:: Controls how ongoing -(multi-round) sessions are handled - -This section is primarily useful for EAP. -It controls the number of EAP -authentication attempts that can occur -concurrently. - - -max:: The maximum number of ongoing sessions - - -timeout:: How long to wait before expiring a -session. - -The timer starts when a response -with a state value is sent. The -timer stops when a request -containing the previously sent -state value is received. - - - ### Listen for Accounting-Request packets @@ -1313,6 +1234,23 @@ Filter attributes from the accounting response. ``` server default { namespace = radius + radius { + Access-Request { + log { + stripped_names = no + auth = no + auth_goodpass = no + auth_badpass = no +# msg_goodpass = "" +# msg_badpass = "" + msg_denied = "You are already logged in - access denied" + } + session { +# max = 4096 +# timeout = 15 + } + } + } listen { type = Access-Request type = Status-Server @@ -1344,21 +1282,6 @@ server default { # deny = 127.0.0/24 } } - Access-Request { - log { - stripped_names = no - auth = no - auth_goodpass = no - auth_badpass = no -# msg_goodpass = "" -# msg_badpass = "" - msg_denied = "You are already logged in - access denied" - } - session { -# max = 4096 -# timeout = 15 - } - } } listen { type = Access-Request @@ -1374,21 +1297,6 @@ server default { # deny = 127.0.0/24 } } - Access-Request { - log { - stripped_names = no - auth = no - auth_badpass = no - auth_goodpass = no -# msg_goodpass = "" -# msg_badpass = "" - msg_denied = "You are already logged in - access denied" - } - session { -# max = 4096 -# timeout = 15 - } - } } listen { type = Accounting-Request diff --git a/doc/antora/modules/raddb/pages/sites-available/detail.adoc b/doc/antora/modules/raddb/pages/sites-available/detail.adoc index 3d73e767f66..53e2fab6446 100644 --- a/doc/antora/modules/raddb/pages/sites-available/detail.adoc +++ b/doc/antora/modules/raddb/pages/sites-available/detail.adoc @@ -5,6 +5,8 @@ In v4, all "server" sections MUST start with a "namespace" parameter. This tells the server which protocol is being used. +RADIUS, or DHCPv4, or any other protocol supported by the server. + This virtual server will read detail files from the @@ -12,23 +14,13 @@ following directory. -This has to be listed first, sorry. - -The value given here must match the `namespace` of -the virtual server which originally created the -detail files. - - - Types of packets we are reading. -What transports are being used to read detail -files. For now, only "file" is supported. - -Future releases will allow reading "detail" -style information from sockets or streams. +There is no need to specify a transport. +The default is `file`, which is the only +one supported. @@ -199,8 +191,7 @@ A special value of "0" means "retransmit forever". -All packets read by the detail listener are processed through the -'recv' section. Note that there is no second name to the section. +The detail file reader runs the normal RADIUS / DHCP / etc. processing sections. @@ -216,9 +207,6 @@ the "send fail" section. -All successful packets sent by the detail listener are processed through the -'send ok' section. Note that the name is the same for all packet types. - If the listener is configured with 'track = yes', then the entry in the detail file is marked up as being "done". Subsequent re-reads of the same detail file (e.g. on server restart) will skip the @@ -226,8 +214,8 @@ of the same detail file (e.g. on server restart) will skip the -All failed packets sent by the detail listener are processed through the -'send fail' section. Note that the name is the same for all packet types. +All failed packets sent by the detail listener should be processed +through the 'send Do-Not-Respond' section. If the listener is configured with 'track = yes', then the packet will be retransmitted by the detail file reader, until the packet @@ -235,24 +223,16 @@ returns "success". See the "limit" subsection above for retransmission configuration. - -Note that unlike other listeners, there is no "send Do-Not-Respond" -section. You should just return "fail" instead. - - - == Default Configuration ``` # This virtual server gives an example of reading the detail # file for the v4 configuration. server detail { - namespace = detail + namespace = radius directory = ${radacctdir}/detail listen { - dictionary = radius type = Accounting-Request - transport = file # priority = 1 file { filename = "${...directory}/detail-*" @@ -272,16 +252,16 @@ server detail { } } } -recv { +recv Accounting-Request { update request { &Acct-Delay-Time := "%{expr:%{%{Acct-Delay-Time}:-0} + %c - %{%(integer:%{Event-Timestamp}):-%(integer:%{Packet-Original-Timestamp})}}" } ok } -send ok { +send Accounting-Response { ok } -send fail { +send Do-Not-Respond { ok } } # virtual server "detail" diff --git a/doc/antora/modules/raddb/pages/sites-available/dhcp.adoc b/doc/antora/modules/raddb/pages/sites-available/dhcp.adoc index 6aeab20b7df..a6834149e8a 100644 --- a/doc/antora/modules/raddb/pages/sites-available/dhcp.adoc +++ b/doc/antora/modules/raddb/pages/sites-available/dhcp.adoc @@ -326,7 +326,7 @@ recv Request { # dhcp_sqlippool if (ok) { update reply { - &Your-IP-Address := "%{%{request.Requested-IP-Address}:-{request.Client-IP-Address}}" + &Your-IP-Address := "%{%{request.Requested-IP-Address}:-%{request.Client-IP-Address}}" } } }