|Gives the reasons why a connection ended.
|https://datatracker.ietf.org/doc/html/rfc2867#section-4.1[Acct-Tunnel-Connection]
-|Gives details of the the tunnel connection such as port, ip address etc.
+|Gives details of the tunnel connection such as port, ip address etc.
|https://datatracker.ietf.org/doc/html/rfc2867#section-4.2[Acct-Tunnel-Packets-Lost]
|Tracks the number of accounting packets lost during a session.
|https://datatracker.ietf.org/doc/html/rfc2866#section-5.10[Acct-Terminate-Cause] |Gives the reasons why a connection ended.
-|https://datatracker.ietf.org/doc/html/rfc2867#section-4.1[Acct-Tunnel-Connection] |Gives details of the the tunnel connection such as port, ip address etc.
+|https://datatracker.ietf.org/doc/html/rfc2867#section-4.1[Acct-Tunnel-Connection] |Gives details of the tunnel connection such as port, ip address etc.
|https://datatracker.ietf.org/doc/html/rfc2867#section-4.2[Acct-Tunnel-Packets-Lost] |Tracks the number of accounting packets lost during a session.
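Review bot: while the Acct-Tunnel-Connection description is being touched in both copies of the row, "ip address" should be capitalised as "IP address" to match how the rest of the documentation writes the abbreviation.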
When rpmbuild runs the rpm spec file will direct it to run certain
commands, link against specific libraries, etc. This means those
-commands, libraries, etc. must be present on the the system or the
+commands, libraries, etc. must be present on the system or the
build will fail. The spec file lists what it needs in order to perform
the build by enumerating a list of rpm packages under the
BuildRequires: tag. Every package listed in the BuildRequires must be
- If the result shows a attribute containing the name of known group, the LDAP
server implements _variant 2_.
-Perform the the search for group objects (below) using a filter that matches a group
+Perform the search for group objects (below) using a filter that matches a group
the user is known to be a member of e.g. `(&(objectClass=groupOfNames)(cn=mariner-alert))`.
- If the result shows an attribute containing the DN of a user, the ldap server
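Review bot: the neighbouring bullet "If the result shows a attribute containing the name of known group" has two typos of the same kind that this pass leaves unfixed; suggest "an attribute containing the name of a known group" in the same commit.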
| `secret` | The server will not print `secret` values in debug mode, and in many other situations.
|=====
-See the the xref:dictionary/reference.adoc[reference] page for the syntax of references in the dictionary.
+See the xref:dictionary/reference.adoc[reference] page for the syntax of references in the dictionary.
.Examples
----
| `ref=<ref>` | For `group` types, the referenced attributes will be allowed in the group
|=====
-See the the xref:dictionary/reference.adoc[reference] page for the syntax of references in the dictionary.
+See the xref:dictionary/reference.adoc[reference] page for the syntax of references in the dictionary.
.Examples
----
ATTRIBUTE Other-Thing 6809 uint16 enum=Ethernet-Type
----
-See the the xref:dictionary/reference.adoc[reference] page for the syntax of references in the dictionary.
+See the xref:dictionary/reference.adoc[reference] page for the syntax of references in the dictionary.
// Copyright (C) 2023 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
// This documentation was developed by Network RADIUS SAS.
then write policies of the form `if the User-Name has value "bob",
then do something ...`.
-Policies using descriptive are much simpler to create and understand
+Policies using descriptive names are much simpler to create and understand
than policies using numbers.
The dictionaries also enable the server to decode protocols using
| `key` | This member is a "key" type. The structure can have different children of type `union`, depending on the value of the key.
|=====
-See the the xref:dictionary/reference.adoc[reference] page for the syntax of references in the dictionary.
+See the xref:dictionary/reference.adoc[reference] page for the syntax of references in the dictionary.
.Examples
----
== xref:xlat/index.adoc[Dynamic Expansions]
-Dynamic expansions may also be referred to as "xlats" for historical reasons.When processing packets, it's possible to call functions or do string
+Dynamic expansions may also be referred to as "xlats" for historical reasons. When processing packets, it's possible to call functions or do string
manipulation with attribute contents. The xref:xlat/index.adoc[dynamic expansion] documentation describes how this is done.
== xref:dictionary/index.adoc[Dictionaries]
path_include_default::
If "yes", retain the default search path. Any additional search
-path components will be prepended to the the default search path.
+path components will be prepended to the default search path.
== Default Configuration
map cvs <key> { ... }
Where `csv` is the name of the module, and `key` is an expansion
-as given the the key` field above. For example, the map could
+as given the key` field above. For example, the map could
look like this:
map csv User-Name {
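Review bot: the fix leaves the sentence still ungrammatical: "as given the key` field above" is missing the word "by" and the opening backtick, so it should read "as given by the `key` field above". The preceding example line "map cvs <key> { ... }" also has the module name transposed; the explanatory text and the example below both use `csv`.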
== Configuration Settings
-require_identity_realm:: Require the the EAP Identity provided contains
+require_identity_realm:: Require the EAP Identity provided contains
a realm.
If `require_identity_realm` is `nai`, the EAP identity provided must
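Review bot: "Require the EAP Identity provided contains a realm" reads better as "Require that the EAP Identity provided contains a realm"; a one-word addition while the line is already being edited.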
In v4, the "known good" password is taken from the `request.control.Password.Cleartext` list,
as is done by other modules. The change from v3 is that the `inner-tunnel` virtual server
-is no not used.
+is not used.
ca_file:: File which contains the root CA.
-THis configuration item allows the server to load
+This configuration item allows the server to load
additional intermediate CA or Root CA when creating
certificate chains. Multiple "ca_file"
configurations items may be specified in order to
CAs.
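Review bot: "configurations items" in the trailing context should be "configuration items"; worth fixing in the same typo sweep since the line is adjacent to the one being corrected.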
If the root CA does not issue client certificates, or
-if only one root CA is , then the `ca_file`
+if only one root CA is, then the `ca_file`
configuration can be commented out (at least when PEM
format is used).
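Review bot: removing the stray space before the comma leaves "if only one root CA is, then" without a complement; the sentence needs a word after "is" (probably "used" or "in use", but the author should confirm what was intended) rather than only the whitespace cleanup.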
between the certificates loaded from `ca_file` or
found in `ca_path`.
-The SSL library also checks that the the correct usage
+The SSL library also checks that the correct usage
OIDs are present in the presented client certificate
and that none of the certificates have expired.
stateful session-resumption.
Certificate attributes will usually be retrieved
-from the the session-ticket in the case of
+from the session-ticket in the case of
stateless session-resumption.
====
Once authentication has completed, the TLS client may be
provided with a session ticket which it presents
-during the next authentication attemp.
+during the next authentication attempt.
Presenting a session ticket allows the client to skip the
majority of TLS tunnel setup during its next authentication
-lifetime:: The period for which a resumable session remains vali.d
+lifetime:: The period for which a resumable session remains valid
Default is 24hrs in line with https://tools.ietf.org/html/rfc4346[RFC 4346]. https://tools.ietf.org/html/rfc8446[RFC 8446]
requires that ticket lifetimes must not be more than
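Review bot: fixing "vali.d" drops the full stop entirely; the line should end "remains valid." so the first sentence of the item is terminated before "Default is 24hrs ...".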
Surprisingly, it works quite well.
-When using `PAP`, `GTC`, or `MSCAHPv2` as an inner method, `EAP-TTLS`
+When using `PAP`, `GTC`, or `MSCHAPv2` as an inner method, `EAP-TTLS`
is only secure if the supplicant validates the server certificate
presented. If the client disables certificate validation, then an
attacker can pretend to be the server, and collect user credentials.
-include_length:: Whether we include a length fiel in the TLS header.
+include_length:: Whether we include a length field in the TLS header.
This has the same meaning, and overwrites, the same field in
the `tls` configuration, above. The default value here is
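Review bot: the trailing context "This has the same meaning, and overwrites, the same field in the `tls` configuration" has the comma in the wrong place; "This has the same meaning as, and overwrites, the same field in the `tls` configuration" is what is meant.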
-pac_opaque_key:: Key sued to encrypt the PAC.
+pac_opaque_key:: Key used to encrypt the PAC.
The PAC key must be exactly 32 bytes in size.
* `process Access-Request {}`
* `process Accounting-Request {}`
-Have been moved to the the file:
+Have been moved to the file:
`sites-available/default`
backup server. When the primary goes down, most NASes will detect that
and switch to the backup server.
-That change will cause your accounting packets to go the the backup
+That change will cause your accounting packets to go the backup
server - and some NASes will not switch back to the primary server
when it comes back up.
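Review bot: "go the backup server" still lacks a preposition after deleting the duplicate; it should be "go to the backup server". Deleting one of the two "the"s removed the wrong token, the first one should have become "to".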
the `certs/` directory.
Then, run the server. This process will ensure that users can log
-in via PAP, CHAP, MS-CHAP, etc. You should so test the server via
+in via PAP, CHAP, MS-CHAP, etc. You should test the server via
`radtest` to verify that it works.
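Review bot: "You should so test" was most likely "You should also test", which fits the flow (run the server, then also test it via `radtest`); dropping the word outright is acceptable but loses that link, so the author may prefer "also".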
== Editing this file
```
The 'copy_request_to_tunnel' option has been removed
-from from v4.0.
+from v4.0.
Individual attributes from the outer request may be
accessed with:
The result is that in most cases, it is not necessary to know the name
of the data types. It is possible to write values in the format you
-expect, and he server will do "the right thing" when interpreting the
+expect, and the server will do "the right thing" when interpreting the
values.
.Attributes with Different Data Types
| break | "break" out of the parent block and stop processing it.
| default | Use the default priority for this rcode.
| reject | return a `reject` rcode.
-| retry | re-run the section, as given by the the `retry` subsection.
+| retry | re-run the section, as given by the `retry` subsection.
| return | return out of the parent block and stop processing it.
|=====
However, for various internal reasons, that syntax is difficult to
implement. For now, the `caller` keyword is the best approach.
-A virtual server may the the target of multiple xref:unlang/call.adoc[call]
+A virtual server may the target of multiple xref:unlang/call.adoc[call]
keywords, each of which uses a different protocol. For example, a
policy which handles RADIUS `Access-Request` packets may create a DHCP
`Discover` packet in order to perform IP address allocation. The DHCP
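Review bot: "A virtual server may the target of multiple ... call keywords" is still missing its verb; the duplicate was "the the" but the intended sentence is "may be the target", so replace the first "the" with "be" rather than dropping it.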
----
====
-Aftet this operation, the contents of the `reply` list will be one
+After this operation, the contents of the `reply` list will be one
attribute: `Filter-Id`.
=== Remove attributes from a list
| = | Set the attribute to the contents of the _<rhs>_, if the _<attribute>_ does not exist. If the attribute already exists, nothing is done. If the attribute does not exist, it is created, and the contents set to the value of the _<rhs>_
| := | Override the attribute with the contents with the _<rhs>_. If the attribute already exists, its value is over-written. If the attribute does not exist, it is created, and the contents set to the value of the _<rhs>_
| += | Perform string append. The contents of the _<rhs>_ are appended to the _<attribute>_.
-| -= | Inverse of string append. The contents of the _<rhs>_ are deleted from from the _<attribute>_, if the `_<rhs>_` is a suffix of _<attribute>_
+| -= | Inverse of string append. The contents of the _<rhs>_ are deleted from the _<attribute>_, if the `_<rhs>_` is a suffix of _<attribute>_
| ^= | For `string`, performs a "prepend" operation. The contents of the _<rhs>_ are prepended to the _<attribute>_. This is the opposite of `+=`.
| | For `octets`, perform logical "xor". The value of the _<attribute>_ is "or"ed with the contents of the _<rhs>_. Both strings must be of the same length.
| \|= | Perform logical "or". The value of the _<attribute>_ is "or"ed with the contents of the _<rhs>_. Both strings must be of the same length.
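Review bot: the `^=` row for `octets` in the trailing context says the operation is a logical "xor" but then describes the value as being "or"ed, the same wording as the `|=` row directly below it; the `octets` row should say "xor"ed so the two operators are distinguishable.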
<reference>::
-An xref:unlang/attr.adoc[attribute reference] which will will be looped
+An xref:unlang/attr.adoc[attribute reference] which will be looped
over. The reference can be to one attribute, to an array, a child, or
be a subset of attributes.
`uint32` data type is used, the index to the current loop iteration is
placed into the value, e.g. `3`.
-For dynamic expansions, The `<key-type> must be a numerical type such
+For dynamic expansions, The `<key-type>` must be a numerical type such
as `uint32`. The index to the current loop iteration is placed into
the value at the beginning of each loop iteration.
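Review bot: with the backtick fixed, "For dynamic expansions, The `<key-type>`" still has a capital "The" mid-sentence; lowercase it in the same change.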
When the loop is finished, the `total` variable will have the following value:
----
-"NAS-Port[0] = 1, "NAS-Port[1] = 3, "NAS-Port[2] = 5, "NAS-Port[3] = 11, "
+"NAS-Port[0] = 1, "NAS-Port[1] = 3, "NAS-Port[2] = 5, "NAS-Port[3] = 11"
----
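Review bot: this change alters the documented result, not just punctuation: the original ends with a trailing `, ` after `11`, which is what a loop body appending a `, ` separator on every iteration would produce, and the new line removes it. Confirm against the loop body the example refers to before changing the value. Either way, the stray `"` before each `NAS-Port[` looks like the actual typo and is left in place.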
.Key variable with attribute index
.Example of Looping over children of a structural type.
-In this examply, we assume that an attribute `TLV-Thing` has a child
+In this example, we assume that an attribute `TLV-Thing` has a child
called `Foo`.
[source,unlang]
And without:
-.Example Without Brackes
+.Example Without Brackets
[source,unlang]
----
if User-Name == "bob" {
more in-depth "how to" guides.
The documentation is organized so that each item is on its own page.
-The page beings with a description of the item, followed by some text
+The page begins with a description of the item, followed by some text
explaining what the item does. The page concludes with one or more
examples of using the item in `unlang` policies.
Each module or subsection runs as a new child request, i.e. a
xref:unlang/subrequest.adoc[subrequest]. Each child request is an identical
copy of the parent request. Policies in the child can update the
-original parent by referencing `parent.request`, or
+original parent by referencing `parent.request`, or
`parent.reply`. Please see the xref:unlang/list.adoc[list] syntax for a
more complete description of how to refer to parent requests.
== Subrequests are Synchronous
Execution of the parent request is paused while each child request is
-running. The parent request continues execution once all of the the
+running. The parent request continues execution once all of the
child requests have finished.
Unlike the xref:unlang/subrequest.adoc[subrequest] keyword, the child
independent of any database transactions.
The `transaction` keyword sets its own return codes for `fail`,
-`invalid`, and `disallow` to be set the the priority `1`, instead of
+`invalid`, and `disallow` to be set the priority `1`, instead of
the default `return`. This behaviour means that a failed `transaction`
will cause the interpreter to proceed to the next instruction, instead
of returning.
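Review bot: "to be set the priority `1`" still reads wrong once the duplicate is removed; the sentence wants "set to the priority `1`" (or simply "to have priority `1`").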
Other than within a dynamically expanded string, very little character
escaping is needed. The rules of the enclosing string context
determine whether or not a space or `"` character needs to be escaped.
-See the ref:type/string/double.adoc[double-quoted strings] and
+See the xref:type/string/double.adoc[double-quoted strings] and
xref:type/string/backticks.adoc[back-tick quoted strings] pages for more
information.
.Troubleshooting Checklist
[%collapsible]
====
-1. Check that you added your NAS to `clients.conf` and selected the correct NAS type. Verify the the password.
+1. Check that you added your NAS to `clients.conf` and selected the correct NAS type. Verify the password.
2. Run `radiusd -X` and see if it parses the Simultaneous-Use line.
3. Try to run `checkrad` manually; maybe you may have a wrong version of perl, don't have cmu-snmp installed etc.
4. Check the database. If it says no one is logged in, Simultaneous-Use *won't* work.
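Review bot: item 3 in the trailing context, "maybe you may have a wrong version of perl", doubles up "maybe"/"may"; "maybe you have the wrong version of perl" is cleaner and worth folding into this typo pass.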