From 7cd5c4baf24727ceb34c5fd198e64190d50f78d7 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok"
Date: Fri, 28 Feb 2025 12:59:53 -0500
Subject: [PATCH] Organize virtual servers by protocol remove many virtual servers which were old, unused, and wrong
---
 doc/antora/modules/reference/nav.adoc | 52 +++---
 .../pages/raddb/experimental.conf.adoc | 100 ------------
 .../modules/reference/pages/raddb/index.adoc | 1 -
 .../sites-available/channel_bindings.adoc | 29 ----
 .../raddb/sites-available/check-eap-tls.adoc | 128 ---------------
 .../pages/raddb/sites-available/example.adoc | 148 ------------------
 .../pages/raddb/sites-available/index.adoc | 4 -
 .../raddb/sites-available/radius-acct.adoc | 51 ------
 raddb/all.mk | 2 +-
 raddb/experimental.conf | 95 -----------
 raddb/sites-available/channel_bindings | 16 --
 raddb/sites-available/example | 115 --------------
 raddb/sites-available/radius-acct | 36 -----
 13 files changed, 27 insertions(+), 750 deletions(-)
 delete mode 100644 doc/antora/modules/reference/pages/raddb/experimental.conf.adoc
 delete mode 100644 doc/antora/modules/reference/pages/raddb/sites-available/channel_bindings.adoc
 delete mode 100755 doc/antora/modules/reference/pages/raddb/sites-available/check-eap-tls.adoc
 delete mode 100644 doc/antora/modules/reference/pages/raddb/sites-available/example.adoc
 delete mode 100644 doc/antora/modules/reference/pages/raddb/sites-available/radius-acct.adoc
 delete mode 100644 raddb/experimental.conf
 delete mode 100644 raddb/sites-available/channel_bindings
 delete mode 100644 raddb/sites-available/example
 delete mode 100644 raddb/sites-available/radius-acct
diff --git a/doc/antora/modules/reference/nav.adoc b/doc/antora/modules/reference/nav.adoc
index 9e4c37f118..b9883d9802 100644
--- a/doc/antora/modules/reference/nav.adoc
+++ b/doc/antora/modules/reference/nav.adoc
@@ -198,37 +198,37 @@ **** xref:raddb/mods-available/yubikey.adoc[Yubikey] *** xref:raddb/sites-available/index.adoc[Virtual Servers] -**** xref:raddb/sites-available/arp.adoc[ARP Virtual Server] -**** xref:raddb/sites-available/bfd.adoc[BFD - Bidirectional Forwarding Detection] -**** xref:raddb/sites-available/buffered-sql.adoc[Buffered SQL] -**** xref:raddb/sites-available/challenge.adoc[Challenge] -**** xref:raddb/sites-available/channel_bindings.adoc[Channel Bindings] -**** xref:raddb/sites-available/check-eap-tls.adoc[Check EAP-TLS] -**** xref:raddb/sites-available/coa.adoc[CoA] -**** xref:raddb/sites-available/control-socket.adoc[Control Socket Interface.] -**** xref:raddb/sites-available/copy-acct-to-home-server.adoc[Copy ACCT to Home Server] -**** xref:raddb/sites-available/decoupled-accounting.adoc[Decoupled Accounting] -**** xref:raddb/sites-available/detail.adoc[Detail] -**** xref:raddb/sites-available/dhcp.adoc[Dhcp] -**** xref:raddb/sites-available/dhcp.relay.adoc[Dhcp Relay] -**** xref:raddb/sites-available/dynamic-clients.adoc[Dynamic Clients] -**** xref:raddb/sites-available/example.adoc[Example] -**** xref:raddb/sites-available/inner-tunnel.adoc[Inner Tunnel] +**** xref:raddb/sites-available/arp.adoc[ARP] +**** xref:raddb/sites-available/bfd.adoc[BFD] +**** xref:raddb/sites-available/control-socket.adoc[Control Sockt] +**** xref:raddb/sites-available/dhcp.adoc[DHCPv4] +***** xref:raddb/sites-available/dhcp.relay.adoc[Relay] +**** xref:raddb/sites-available/dhcpv6.adoc[DHCPv6] +**** xref:raddb/sites-available/dns.adoc[DNS] **** xref:raddb/sites-available/ldap_sync.adoc[LDAP Sync] -**** xref:raddb/sites-available/originate-coa.adoc[Originate CoA-Request packets] -**** xref:raddb/sites-available/proxy-inner-tunnel.adoc[Proxy Inner Tunnel] -**** xref:raddb/sites-available/radius-acct.adoc[Radius Acct] -**** xref:raddb/sites-available/robust-proxy-accounting.adoc[Robust Proxy Accounting] + +**** xref:raddb/sites-available/default.adoc[RADIUS] +***** 
xref:raddb/sites-available/buffered-sql.adoc[Buffered SQL] +***** xref:raddb/sites-available/challenge.adoc[Challenge] +***** xref:raddb/sites-available/coa.adoc[CoA] +***** xref:raddb/sites-available/copy-acct-to-home-server.adoc[Copy Acct to Home Server] +***** xref:raddb/sites-available/decoupled-accounting.adoc[Decoupled Accounting] +***** xref:raddb/sites-available/detail.adoc[Detail] +***** xref:raddb/sites-available/inner-tunnel.adoc[EAP Inner Tunnel] +***** xref:raddb/sites-available/virtual.example.com.adoc[Internal Proxying] +***** xref:raddb/sites-available/originate-coa.adoc[Originate CoA-Request] +***** xref:raddb/sites-available/robust-proxy-accounting.adoc[Robust Proxy Accounting] +***** xref:raddb/sites-available/proxy-inner-tunnel.adoc[Proxy Inner Tunnel] + **** xref:raddb/sites-available/status.adoc[Status] -**** xref:raddb/sites-available/tacacs.adoc[Tacacs] -**** xref:raddb/sites-available/default.adoc[The default Virtual Server] -**** xref:raddb/sites-available/tls-cache.adoc[TLS Cache] +**** xref:raddb/sites-available/tacacs.adoc[TACACS+] **** xref:raddb/sites-available/tls.adoc[TLS] -**** xref:raddb/sites-available/virtual.example.com.adoc[virtual.example.com] +***** xref:raddb/sites-available/tls-cache.adoc[TLS Cache] **** xref:raddb/sites-available/vmps.adoc[VMPS] -**** xref:raddb/experimental.conf.adoc[Experimental modules] -*** xref:raddb/clients.conf.adoc[Client Definitions] +**** xref:raddb/sites-available/dynamic-clients.adoc[Dynamic Clients] + +*** xref:raddb/clients.conf.adoc[Clients] *** xref:raddb/debug.conf.adoc[Debugging configuration] *** xref:raddb/dictionary.adoc[Local dictionary definitions] *** xref:raddb/radrelay.conf.adoc[Radrelay Configuration] diff --git a/doc/antora/modules/reference/pages/raddb/experimental.conf.adoc b/doc/antora/modules/reference/pages/raddb/experimental.conf.adoc deleted file mode 100644 index f8e1bd77ef..0000000000 --- a/doc/antora/modules/reference/pages/raddb/experimental.conf.adoc +++ /dev/null 
@@ -1,100 +0,0 @@ - - - - -= Experimental modules - -This file contains the configuration for experimental modules. - -By default, it is *not* included in the build. - - - -## Example module configuration - -Configuration for the example module. Even if this modules is -loaded and initialised, it should have no real effect as long -it is not referenced in one of the virtual server sections. - - - -boolean:: Boolean variable. - -Allowed values: `no` or `yes` - - - -integer:: An integer, of any value: - - - -string:: A string. - - - -ipaddr:: - -An IP address, either in dotted quad (`1.2.3.4`) or -hostname (`example.com`). - - - -mysubsection:: - -A subsection. - - -anotherinteger:: - - - -deeply { ... }:: - -Subsections nest. - - - -## Other experimental modules - -Instantiate a few instances of the idn module - - - -.section without name. - - - - -.more commonly known as... - - - -.another one. - - -== Default Configuration - -``` -example { - boolean = yes - integer = 16 - string = "This is an example configuration string" - ipaddr = 127.0.0.1 - mysubsection { - anotherinteger = 1000 - deeply nested { - string = "This is a different string" - } - } -} -idn { -} -idn idna { -} -idn idna_lenient { - UseSTD3ASCIIRules = no -} -``` - -// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0. -// This documentation was developed by Network RADIUS SAS. diff --git a/doc/antora/modules/reference/pages/raddb/index.adoc b/doc/antora/modules/reference/pages/raddb/index.adoc index fc772dea6c..4886d32e0c 100644 --- a/doc/antora/modules/reference/pages/raddb/index.adoc +++ b/doc/antora/modules/reference/pages/raddb/index.adoc @@ -129,7 +129,6 @@ RADIUS over TLS (i.e. RadSec). * xref:raddb/clients.conf.adoc[clients.conf] * xref:raddb/debug.conf.adoc[debug.conf] -* xref:raddb/experimental.conf.adoc[experimental.conf] * xref:raddb/panic.gdb.adoc[panic.gdb] * xref:raddb/radrelay.conf.adoc[radrelay.conf] * xref:raddb/templates.conf.adoc[templates.conf] 
diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/channel_bindings.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/channel_bindings.adoc
deleted file mode 100644
index 85c05ed79f..0000000000
--- a/doc/antora/modules/reference/pages/raddb/sites-available/channel_bindings.adoc
+++ /dev/null
@@ -1,29 +0,0 @@
-
-A virtual server which is used to validate channel-bindings.
-
-
-```
-server channel_bindings {
-```
-
-Only the "recv Access-Request" section is needed.
-
-```
- recv Access-Request {
-```
-In general this section should include a policy for each type
-of channel binding that may be in use. For example each lower
-layer such as GSS-EAP (https://tools.ietf.org/html/rfc7055[RFC 7055]) or IEEE 802.11I is likely to
-need a separate channel binding policy.
-```
- }
-}
-```
-
-== Default Configuration
-
-```
-```
-
-// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
-// This documentation was developed by Network RADIUS SAS.
diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/check-eap-tls.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/check-eap-tls.adoc
deleted file mode 100755
index a0981a2396..0000000000
--- a/doc/antora/modules/reference/pages/raddb/sites-available/check-eap-tls.adoc
+++ /dev/null
@@ -1,128 +0,0 @@ - - -This virtual server allows EAP-TLS to reject access requests -based on some attributes of the certificates involved. - -To use this virtual server, you must enable it in the tls -section of mods-enabled/eap as well as adding a link to this -file in sites-enabled/. - - -Value-pairs that are available for checking include these -attributes in the session-state list: - - TLS-Client-Cert-Subject - TLS-Client-Cert-Issuer - TLS-Client-Cert-Common-Name - TLS-Client-Cert-Subject-Alt-Name-Email - -To see a full list of attributes, run the server in debug mode -with this virtual server configured, and look at the attributes -passed in to this virtual server. - - -This virtual server is also useful when using EAP-TLS as it is -only called once, just before the final Accept is about to be -returned from eap, whereas the outer authorize section is called -multiple times for each challenge / response. For this reason, -here may be a good location to put authentication logging, and -modules that check for further authorization, especially if they -hit external services such as sql or ldap. - - - -Authorize - this is the only section required. - -To accept the access request, set Auth-Type = ::Accept, otherwise -set it to Reject. - - - -By default, we just accept the request: - - - -Check the client certificate matches a string, and reject otherwise - - - - -Check the client certificate common name against the supplied User-Name - - - -This is a convenient place to call LDAP, for example, when using -EAP-TLS, as it will only be called once, after all certificates as -part of the EAP-TLS challenge process have been verified. - -An example could be to use LDAP to check that the connecting host, as -well as presenting a valid certificate, is also in a group based on -the User-Name (assuming this contains the service principal name). 
-Settings such as the following could be used in the ldap module -configuration: - -basedn = "dc=example, dc=com" -filter = "(servicePrincipalName=%{User-Name})" -base_filter = "(objectClass=computer)" -groupname_attribute = cn -groupmembership_filter = "(&(objectClass=group)(member=%{control.Ldap-UserDn}))" - - - - -Now let's test membership of an LDAP group (the ldap bind user will -need permission to read this group membership): - - - -or, to be more specific, you could use the group's full DN: -if (!(Ldap-Group == "CN=Permitted-Laptops,OU=Groups,DC=example,DC=org")) { - - -This may be a better place to call the files modules when using -EAP-TLS, as it will only be called once, after the challenge-response -iteration has completed. - - - - -Log all request attributes, plus TLS certificate details, to the -auth_log file. Again, this is just once per connection request, so -may be preferable than in the outer authorize section. It is -suggested that 'auth_log' also be in the outer post-auth and -Post-Auth REJECT sections to log reply packet details, too. - - - - -== Default Configuration - -``` -server check-eap-tls { -recv Access-Request { - &control.Auth-Type := ::Accept -# if ("%{session-state.TLS-Client-Cert-Common-Name}" == 'client.example.com') { -# &control.Auth-Type := ::Accept -# } -# else { -# &control.Auth-Type := ::Reject -# &reply.Reply-Message := "Your certificate is not valid." -# } -# if (&User-Name == "host/%{session-state.TLS-Client-Cert-Common-Name}") { -# &control.Auth-Type := ::Accept -# } -# else { -# &control.Auth-Type := ::Reject -# } -# ldap -# if (!(Ldap-Group == "Permitted-Laptops")) { -# &control.Auth-Type := ::Reject -# } -# files - auth_log -} -} -``` - -// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0. -// This documentation was developed by Network RADIUS SAS. 
diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/example.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/example.adoc deleted file mode 100644 index 457cece0fc..0000000000 --- a/doc/antora/modules/reference/pages/raddb/sites-available/example.adoc +++ /dev/null 
@@ -1,148 +0,0 @@ - -``` -# An example virtual server configuration. -``` - - - - -``` -# This client will be available to any "listen" section that -# are defined outside of a virtual server section. However, -# when the server receives a packet from this client, the -# request will be processed through the "example" virtual -# server, as the "client" section contains a configuration item -# to that effect. -``` - -``` -# Note that this client will be able to send requests to any -# port defined in a global "listen" section. It will NOT, -# however, be able to send requests to a port defined in a -# "listen" section that is contained in a "server" section. -``` - -``` -# With careful matching of configurations, you should be able -# to: -``` - -``` -# - Define one authentication port, but process each client -# through a separate virtual server. -``` - -``` -# - define multiple authentication ports, each with a private -# list of clients. -``` - -``` -# - define multiple authentication ports, each of which may -# have the same client listed, but with different shared -# secrets -``` - -``` -# FYI: We use an address in the 192.0.2.* space for this example, -# as https://tools.ietf.org/html/rfc3330[RFC 3330] says that that /24 range is used for documentation -# and examples, and should not appear on the net. You shouldn't -# use it for anything, either. -``` - - -``` -client 192.0.2.10 { - shortname = example-client - secret = testing123 - virtual_server = example -} - -``` - -``` -# An example virtual server. It starts off with "server name {" -# The "name" is used to reference this server from a "listen" -# or "client" section. -``` - -``` -server example { -``` - -Listen on 192.0.2.1:1812 for Access-Requests - -When the server receives a packet, it is processed -through the "recv ...", etc. sections listed here, -NOT the global ones the "default" site. 
- -``` - listen { - ipaddr = 192.0.2.1 - port = 1821 - type = auth - } - -``` - -This client is listed within the "server" section, -and is therefore known ONLY to the socket defined -in the "listen" section above. If the client IP -sends a request to a different socket, the server -will treat it as an unknown client, and will not -respond. - -In contrast, the client listed at the top of this file -is outside of any "server" section, and is therefore -global in scope. It can send packets to any port -defined in a global "listen" section. It CANNOT send -packets to the listen section defined above, though. - -Note that you don't have to have a "virtual_server = example" -line here, as the client is encapsulated within -the "server" section. - -``` - client 192.0.2.9 { - shortname = example-client - secret = testing123 - } - - recv Access-Request { -``` - -Some example policies. See "man unlang" for more. - -``` - if (User-Name == "bob") { - control.Password.Cleartext := "bob" - } - -``` - -And then reject the user. The next line requires -that the "always reject {}" section is defined in -the "modules" section of radiusd.conf. - -``` - reject - } - - send Access-Accept { - - } - - send Access-Reject { - reply.Reply-Message = "This is only an example." - } - -} -``` - -== Default Configuration - -``` -``` - -// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0. -// This documentation was developed by Network RADIUS SAS. diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/index.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/index.adoc index 0f84f13b39..994f6e418a 100755 --- a/doc/antora/modules/reference/pages/raddb/sites-available/index.adoc +++ b/doc/antora/modules/reference/pages/raddb/sites-available/index.adoc 
@@ -337,8 +337,6 @@ server.
 * xref:raddb/sites-available/bfd.adoc[bfd]
 * xref:raddb/sites-available/buffered-sql.adoc[buffered sql]
 * xref:raddb/sites-available/challenge.adoc[challenge]
-* xref:raddb/sites-available/channel_bindings.adoc[channel_bindings]
-* xref:raddb/sites-available/check-eap-tls.adoc[check eap tls]
 * xref:raddb/sites-available/coa.adoc[coa]
 * xref:raddb/sites-available/control-socket.adoc[control socket]
 * xref:raddb/sites-available/copy-acct-to-home-server.adoc[copy acct to home server]
@@ -348,12 +346,10 @@ server.
 * xref:raddb/sites-available/dhcp.adoc[dhcp]
 * xref:raddb/sites-available/dhcp.relay.adoc[dhcp relay]
 * xref:raddb/sites-available/dynamic-clients.adoc[dynamic clients]
-* xref:raddb/sites-available/example.adoc[example]
 * xref:raddb/sites-available/inner-tunnel.adoc[inner tunnel]
 * xref:raddb/sites-available/ldap_sync.adoc[ldap_sync]
 * xref:raddb/sites-available/originate-coa.adoc[originate coa]
 * xref:raddb/sites-available/proxy-inner-tunnel.adoc[proxy inner tunnel]
-* xref:raddb/sites-available/radius-acct.adoc[radius acct]
 * xref:raddb/sites-available/robust-proxy-accounting.adoc[robust proxy accounting]
 * xref:raddb/sites-available/status.adoc[status]
 * xref:raddb/sites-available/tacacs.adoc[tacacs]
diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/radius-acct.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/radius-acct.adoc
deleted file mode 100644
index 64e5756aee..0000000000
--- a/doc/antora/modules/reference/pages/raddb/sites-available/radius-acct.adoc
+++ /dev/null
@@ -1,51 +0,0 @@ - -Tiny virtual server for the new server processing sections. - -Proxying is not yet possible. - -Acct-Type { } is no longer supported. - -``` -server radius-acct { -namespace = radius - -``` - -This is all the same as before - -``` -listen { - type = acct - ipaddr = * - port = 3000 - -} - -``` - -"preacct" - -``` -recv Accounting-Request { - ok -} - -``` - -"accounting" - -``` -send Accounting-Response { - ok -} - -} # server radius-acct -``` - -== Default Configuration - -``` -``` - -// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0. -// This documentation was developed by Network RADIUS SAS. diff --git a/raddb/all.mk b/raddb/all.mk index 84e59a32a4..f2c5a5d770 100644 --- a/raddb/all.mk +++ b/raddb/all.mk @@ -1,7 +1,7 @@ # # The list of files to install. # -LOCAL_FILES := clients.conf dictionary experimental.conf \ +LOCAL_FILES := clients.conf dictionary \ radiusd.conf trigger.conf panic.gdb DEFAULT_SITES := default inner-tunnel diff --git a/raddb/experimental.conf b/raddb/experimental.conf deleted file mode 100644 index e4d93c9edf..0000000000 --- a/raddb/experimental.conf +++ /dev/null 
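Review bot: The new `LOCAL_FILES` line stops installing `experimental.conf`, but the patch gives no sign that remaining references to it, or to the deleted `channel_bindings`, `example` and `radius-acct` sites, were checked: the diffstat touches only docs, `raddb/all.mk` and the deleted files. If a packaging file list or an `$INCLUDE` elsewhere still names one of them, the build or server start would presumably fail on a missing file, so a tree-wide grep is worth doing before merge. Separately, the diffstat deletes the `check-eap-tls.adoc` page but no `raddb/sites-available/check-eap-tls` file; if that site is still shipped it now has no reference page, which matters for a server that decides on client-certificate acceptance.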
@@ -1,95 +0,0 @@ -# -*- text -*- -# -# -# $Id$ - -####################################################################### -# -# = Experimental modules -# -# This file contains the configuration for experimental modules. -# -# By default, it is *not* included in the build. -# - -# -# ## Example module configuration -# -# Configuration for the example module. Even if this modules is -# loaded and initialised, it should have no real effect as long -# it is not referenced in one of the virtual server sections. -# - -example { - # - # boolean:: Boolean variable. - # - # Allowed values: `no` or `yes` - # - boolean = yes - - # - # integer:: An integer, of any value: - # - integer = 16 - - # - # string:: A string. - # - string = "This is an example configuration string" - - # - # ipaddr:: - # - # An IP address, either in dotted quad (`1.2.3.4`) or - # hostname (`example.com`). - # - ipaddr = 127.0.0.1 - - # - # mysubsection:: - # - # A subsection. - # - mysubsection { - # - # anotherinteger:: - # - anotherinteger = 1000 - - # - # deeply { ... }:: - # - # Subsections nest. - # - deeply nested { - string = "This is a different string" - } - } -} - -# -# ## Other experimental modules -# -# Instantiate a few instances of the idn module -# - -# -# .section without name. -# -idn { - -} - -# -# .more commonly known as... -# -idn idna { -} - -# -# .another one. -# -idn idna_lenient { - UseSTD3ASCIIRules = no -} diff --git a/raddb/sites-available/channel_bindings b/raddb/sites-available/channel_bindings deleted file mode 100644 index 180858bae2..0000000000 --- a/raddb/sites-available/channel_bindings +++ /dev/null 
@@ -1,16 +0,0 @@
-#
-# A virtual server which is used to validate channel-bindings.
-#
-# $Id$
-#
-server channel_bindings {
- #
- # Only the "recv Access-Request" section is needed.
- #
- recv Access-Request {
- # In general this section should include a policy for each type
- # of channel binding that may be in use. For example each lower
- # layer such as GSS-EAP (RFC 7055) or IEEE 802.11I is likely to
- # need a separate channel binding policy.
- }
-}
diff --git a/raddb/sites-available/example b/raddb/sites-available/example
deleted file mode 100644
index 6fc8e210c5..0000000000
--- a/raddb/sites-available/example
+++ /dev/null
@@ -1,115 +0,0 @@ -###################################################################### -# -# An example virtual server configuration. -# -# $Id$ -# -###################################################################### - -# -# This client will be available to any "listen" section that -# are defined outside of a virtual server section. However, -# when the server receives a packet from this client, the -# request will be processed through the "example" virtual -# server, as the "client" section contains a configuration item -# to that effect. -# -# Note that this client will be able to send requests to any -# port defined in a global "listen" section. It will NOT, -# however, be able to send requests to a port defined in a -# "listen" section that is contained in a "server" section. -# -# With careful matching of configurations, you should be able -# to: -# -# - Define one authentication port, but process each client -# through a separate virtual server. -# -# - define multiple authentication ports, each with a private -# list of clients. -# -# - define multiple authentication ports, each of which may -# have the same client listed, but with different shared -# secrets -# -# FYI: We use an address in the 192.0.2.* space for this example, -# as RFC 3330 says that that /24 range is used for documentation -# and examples, and should not appear on the net. You shouldn't -# use it for anything, either. -# - -client 192.0.2.10 { - shortname = example-client - secret = testing123 - virtual_server = example -} - -###################################################################### -# -# An example virtual server. It starts off with "server name {" -# The "name" is used to reference this server from a "listen" -# or "client" section. -# -###################################################################### -server example { - # - # Listen on 192.0.2.1:1812 for Access-Requests - # - # When the server receives a packet, it is processed - # through the "recv ...", etc. 
sections listed here, - # NOT the global ones the "default" site. - # - listen { - ipaddr = 192.0.2.1 - port = 1821 - type = auth - } - - # - # This client is listed within the "server" section, - # and is therefore known ONLY to the socket defined - # in the "listen" section above. If the client IP - # sends a request to a different socket, the server - # will treat it as an unknown client, and will not - # respond. - # - # In contrast, the client listed at the top of this file - # is outside of any "server" section, and is therefore - # global in scope. It can send packets to any port - # defined in a global "listen" section. It CANNOT send - # packets to the listen section defined above, though. - # - # Note that you don't have to have a "virtual_server = example" - # line here, as the client is encapsulated within - # the "server" section. - # - client 192.0.2.9 { - shortname = example-client - secret = testing123 - } - - recv Access-Request { - # - # Some example policies. See "man unlang" for more. - # - if (User-Name == "bob") { - control.Password.Cleartext := "bob" - } - - # - # And then reject the user. The next line requires - # that the "always reject {}" section is defined in - # the "modules" section of radiusd.conf. - # - reject - } - - send Access-Accept { - - } - - send Access-Reject { - reply.Reply-Message = "This is only an example." - } - -} diff --git a/raddb/sites-available/radius-acct b/raddb/sites-available/radius-acct deleted file mode 100644 index 39669f9afa..0000000000 --- a/raddb/sites-available/radius-acct +++ /dev/null 
@@ -1,36 +0,0 @@
-#
-# Tiny virtual server for the new server processing sections.
-#
-# Proxying is not yet possible.
-#
-# Acct-Type { } is no longer supported.
-#
-server radius-acct {
-namespace = radius
-
-#
-# This is all the same as before
-#
-listen {
- type = acct
- ipaddr = *
- port = 3000
-
-}
-
-#
-# "preacct"
-#
-recv Accounting-Request {
- ok
-}
-
-
-#
-# "accounting"
-#
-send Accounting-Response {
- ok
-}
-
-} # server radius-acct
--
2.47.2