feat: add hosted install [ci skip]
This commit is contained in:
@@ -39,7 +39,7 @@ RUN git checkout ${RADIUS_TAG}; \
|
||||
#
|
||||
# Build the server
|
||||
#
|
||||
RUN make -j2 deb && ls -la ..
|
||||
RUN make -j2 deb
|
||||
|
||||
WORKDIR /usr/local/src/repositories
|
||||
ADD upload.sh .
|
||||
|
||||
40
hosted/config/clients.conf
Normal file
40
hosted/config/clients.conf
Normal file
@@ -0,0 +1,40 @@
|
||||
#
|
||||
# Define a network where clients may be dynamically defined.
|
||||
client dynamic {
|
||||
#
|
||||
# You MUST specify a netmask!
|
||||
# IPv4 /32 or IPv6 /128 are NOT allowed!
|
||||
ipaddr = 0.0.0.0/0
|
||||
|
||||
#
|
||||
# Any other configuration normally found in a "client"
|
||||
# entry can be used here.
|
||||
|
||||
#
|
||||
# A shared secret does NOT have to be defined. It can
|
||||
# be left out.
|
||||
|
||||
#
|
||||
# Define the virtual server used to discover dynamic clients.
|
||||
dynamic_clients = dynamic_clients
|
||||
|
||||
#
|
||||
# The directory where client definitions are stored. This
|
||||
# needs to be used ONLY if the client definitions are stored
|
||||
# in flat-text files. Each file in that directory should be
|
||||
# ONE and only one client definition. The name of the file
|
||||
# should be the IP address of the client.
|
||||
#
|
||||
# If you are storing clients in SQL, this entry should not
|
||||
# be used.
|
||||
# directory = ${confdir}/dynamic-clients/
|
||||
|
||||
#
|
||||
# Define the lifetime (in seconds) for dynamic clients.
|
||||
# They will be cached for this lifetime, and deleted afterwards.
|
||||
#
|
||||
# If the lifetime is "0", then the dynamic client is never
|
||||
# deleted. The only way to delete the client is to re-start
|
||||
# the server.
|
||||
lifetime = 10
|
||||
}
|
||||
97
hosted/config/dictionary
Normal file
97
hosted/config/dictionary
Normal file
@@ -0,0 +1,97 @@
|
||||
#
|
||||
# This is the local dictionary file which can be
|
||||
# edited by local administrators. It will be loaded
|
||||
# AFTER the main dictionary files are loaded.
|
||||
#
|
||||
# FreeRADIUS will automatically load the main dictionary files
|
||||
# from:
|
||||
#
|
||||
# ${prefix}/share/freeradius/dictionary
|
||||
#
|
||||
# It is no longer necessary for this file to $INCLUDE
|
||||
# the main dictionaries. However, if the $INCLUDE
|
||||
# line is here, nothing bad will happen.
|
||||
#
|
||||
# Any new/changed attributes MUST be placed in this file.
|
||||
# The pre-defined dictionaries SHOULD NOT be edited.
|
||||
#
|
||||
# See "man dictionary" for documentation on its format.
|
||||
#
|
||||
# $Id: ad56be71fdfcbc8b577a93ce55a32e5c7865811d $
|
||||
#
|
||||
|
||||
#
|
||||
# All local attributes and $INCLUDE's should go into
|
||||
# this file.
|
||||
#
|
||||
|
||||
# If you want to add entries to the dictionary file,
|
||||
# which are NOT going to be placed in a RADIUS packet,
|
||||
# add them to the 'dictionary.local' file.
|
||||
#
|
||||
# The numbers you pick should be between 3000 and 4000.
|
||||
# These attributes will NOT go into a RADIUS packet.
|
||||
#
|
||||
# If you want that, you will need to use VSAs. This means
|
||||
# requesting allocation of a Private Enterprise Code from
|
||||
# http://iana.org. We STRONGLY suggest doing that only if
|
||||
# you are a vendor of RADIUS equipment.
|
||||
#
|
||||
# See RFC 6158 for more details.
|
||||
# http://ietf.org/rfc/rfc6158.txt
|
||||
#
|
||||
|
||||
#
|
||||
# These attributes are examples
|
||||
#
|
||||
#ATTRIBUTE My-Local-String 3000 string
|
||||
#ATTRIBUTE My-Local-IPAddr 3001 ipaddr
|
||||
#ATTRIBUTE My-Local-Integer 3002 integer
|
||||
|
||||
# MikroTik Attributes
|
||||
|
||||
VENDOR Mikrotik 14988
|
||||
|
||||
BEGIN-VENDOR Mikrotik
|
||||
|
||||
ATTRIBUTE Mikrotik-Recv-Limit 1 integer
|
||||
ATTRIBUTE Mikrotik-Xmit-Limit 2 integer
|
||||
ATTRIBUTE Mikrotik-Group 3 string
|
||||
ATTRIBUTE Mikrotik-Wireless-Forward 4 integer
|
||||
ATTRIBUTE Mikrotik-Wireless-Skip-Dot1x 5 integer
|
||||
ATTRIBUTE Mikrotik-Wireless-Enc-Algo 6 integer
|
||||
ATTRIBUTE Mikrotik-Wireless-Enc-Key 7 string
|
||||
ATTRIBUTE Mikrotik-Rate-Limit 8 string
|
||||
ATTRIBUTE Mikrotik-Realm 9 string
|
||||
ATTRIBUTE Mikrotik-Host-IP 10 ipaddr
|
||||
ATTRIBUTE Mikrotik-Mark-Id 11 string
|
||||
ATTRIBUTE Mikrotik-Advertise-URL 12 string
|
||||
ATTRIBUTE Mikrotik-Advertise-Interval 13 integer
|
||||
ATTRIBUTE Mikrotik-Recv-Limit-Gigawords 14 integer
|
||||
ATTRIBUTE Mikrotik-Xmit-Limit-Gigawords 15 integer
|
||||
ATTRIBUTE Mikrotik-Wireless-PSK 16 string
|
||||
ATTRIBUTE Mikrotik-Total-Limit 17 integer
|
||||
ATTRIBUTE Mikrotik-Total-Limit-Gigawords 18 integer
|
||||
ATTRIBUTE Mikrotik-Address-List 19 string
|
||||
ATTRIBUTE Mikrotik-Wireless-MPKey 20 string
|
||||
ATTRIBUTE Mikrotik-Wireless-Comment 21 string
|
||||
ATTRIBUTE Mikrotik-Delegated-IPv6-Pool 22 string
|
||||
ATTRIBUTE Mikrotik_DHCP_Option_Set 23 string
|
||||
ATTRIBUTE Mikrotik_DHCP_Option_Param_STR1 24 string
|
||||
ATTRIBUTE Mikortik_DHCP_Option_Param_STR2 25 string
|
||||
ATTRIBUTE Mikrotik_Wireless_VLANID 26 integer
|
||||
ATTRIBUTE Mikrotik_Wireless_VLANIDtype 27 integer
|
||||
ATTRIBUTE Mikrotik_Wireless_Minsignal 28 string
|
||||
ATTRIBUTE Mikrotik_Wireless_Maxsignal 29 string
|
||||
|
||||
# MikroTik Values
|
||||
|
||||
VALUE Mikrotik-Wireless-Enc-Algo No-encryption 0
|
||||
VALUE Mikrotik-Wireless-Enc-Algo 40-bit-WEP 1
|
||||
VALUE Mikrotik-Wireless-Enc-Algo 104-bit-WEP 2
|
||||
VALUE Mikrotik-Wireless-Enc-Algo AES-CCM 3
|
||||
VALUE Mikrotik-Wireless-Enc-Algo TKIP 4
|
||||
VALUE Mikrotik_Wireless_VLANIDtype 802.1q 0
|
||||
VALUE Mikrotik_Wireless_VLANIDtype 802.1ad 1
|
||||
|
||||
END-VENDOR Mikrotik
|
||||
2
hosted/config/mods-enabled/raw
Normal file
2
hosted/config/mods-enabled/raw
Normal file
@@ -0,0 +1,2 @@
|
||||
raw {
|
||||
}
|
||||
300
hosted/config/mods-enabled/rest
Normal file
300
hosted/config/mods-enabled/rest
Normal file
@@ -0,0 +1,300 @@
|
||||
rest {
|
||||
#
|
||||
# This subsection configures the tls related items
|
||||
# that control how FreeRADIUS connects to a HTTPS
|
||||
# server.
|
||||
#
|
||||
tls {
|
||||
# Certificate Authorities:
|
||||
# "ca_file" (libcurl option CURLOPT_ISSUERCERT).
|
||||
# File containing a single CA, which is the issuer of the server
|
||||
# certificate.
|
||||
# "ca_info_file" (libcurl option CURLOPT_CAINFO).
|
||||
# File containing a bundle of certificates, which allow to handle
|
||||
# certificate chain validation.
|
||||
# "ca_path" (libcurl option CURLOPT_CAPATH).
|
||||
# Directory holding CA certificates to verify the peer with.
|
||||
# ca_file = ${certdir}/cacert.pem
|
||||
# ca_info_file = ${certdir}/cacert_bundle.pem
|
||||
# ca_path = ${certdir}
|
||||
|
||||
# certificate_file = /path/to/radius.crt
|
||||
# private_key_file = /path/to/radius.key
|
||||
# private_key_password = "supersecret"
|
||||
# random_file = /dev/urandom
|
||||
|
||||
# Server certificate verification requirements. Can be:
|
||||
# "no" (don't even bother trying)
|
||||
# "yes" (verify the cert was issued by one of the
|
||||
# trusted CAs)
|
||||
#
|
||||
# The default is "yes"
|
||||
# check_cert = yes
|
||||
|
||||
# Server certificate CN verification requirements. Can be:
|
||||
# "no" (don't even bother trying)
|
||||
# "yes" (verify the CN in the certificate matches the host
|
||||
# in the URI)
|
||||
#
|
||||
# The default is "yes"
|
||||
# check_cert_cn = yes
|
||||
}
|
||||
|
||||
# rlm_rest will open a connection to the server specified in connect_uri
|
||||
# to populate the connection cache, ready for the first request.
|
||||
# The server will not start if the server specified is unreachable.
|
||||
#
|
||||
# If you wish to disable this pre-caching and reachability check,
|
||||
# comment out the configuration item below.
|
||||
#connect_uri = "http://connectone.me:31668"
|
||||
connect_uri = "http://#API_HOST#:#API_PORT#/"
|
||||
|
||||
#
|
||||
# How long before new connection attempts timeout, defaults to 4.0 seconds.
|
||||
#
|
||||
# connect_timeout = 4.0
|
||||
|
||||
#
|
||||
# Specify HTTP protocol version to use. one of '1.0', '1.1', '2.0', '2.0+auto',
|
||||
# '2.0+tls' or 'default'. (libcurl option CURLOPT_HTTP_VERSION)
|
||||
#
|
||||
# http_negotiation = 1.1
|
||||
|
||||
#
|
||||
# The following config items can be used in each of the sections.
|
||||
# The sections themselves reflect the sections in the server.
|
||||
# For example if you list rest in the authorize section of a virtual server,
|
||||
# the settings from the authorize section here will be used.
|
||||
#
|
||||
# The following config items may be listed in any of the sections:
|
||||
# uri - to send the request to.
|
||||
# method - HTTP method to use, one of 'get', 'post', 'put', 'patch',
|
||||
# 'delete' or any custom HTTP method.
|
||||
# body - The format of the HTTP body sent to the remote server.
|
||||
# May be 'none', 'post' or 'json', defaults to 'none'.
|
||||
# attr_num - If true, the attribute number is supplied for each attribute.
|
||||
# Defaults to false.
|
||||
# raw_value - If true, enumerated attribute values are provided as numeric
|
||||
# values. Defaults to false.
|
||||
# data - Send custom freeform data in the HTTP body. Content-type
|
||||
# may be specified with 'body'. Will be expanded.
|
||||
# Values from expansion will not be escaped, this should be
|
||||
# done using the appropriate xlat method e.g. %{urlencode:<attr>}.
|
||||
# force_to - Force the response to be decoded with this decoder.
|
||||
# May be 'plain' (creates reply:REST-HTTP-Body), 'post'
|
||||
# or 'json'.
|
||||
# tls - TLS settings for HTTPS.
|
||||
# auth - HTTP auth method to use, one of 'none', 'srp', 'basic',
|
||||
# 'digest', 'digest-ie', 'gss-negotiate', 'ntlm',
|
||||
# 'ntlm-winbind', 'any', 'safe'. defaults to 'none'.
|
||||
# username - User to authenticate as, will be expanded.
|
||||
# password - Password to use for authentication, will be expanded.
|
||||
# require_auth - Require HTTP authentication.
|
||||
# timeout - HTTP request timeout in seconds, defaults to 4.0.
|
||||
# chunk - Chunk size to use. If set, HTTP chunked encoding is used to
|
||||
# send data to the REST server. Make sure that this is large
|
||||
# enough to fit your largest attribute value's text
|
||||
# representation.
|
||||
# A number like 8192 is good.
|
||||
#
|
||||
# Additional HTTP headers may be specified with control:REST-HTTP-Header.
|
||||
# The values of those attributes should be in the format:
|
||||
#
|
||||
# control:REST-HTTP-Header := "<HTTP attribute>: <value>"
|
||||
#
|
||||
# The control:REST-HTTP-Header attributes will be consumed
|
||||
# (i.e. deleted) after each call to the rest module, and each
|
||||
# %{rest:} expansion. This is so that headers from one REST
|
||||
# call do not affect headers from a different REST call.
|
||||
#
|
||||
# Body encodings are the same for requests and responses
|
||||
#
|
||||
# POST - All attributes and values are urlencoded
|
||||
# [outer.][<list>:]<attribute0>=<value0>&[outer.][<list>:]<attributeN>=<valueN>
|
||||
#
|
||||
# JSON - All attributes and values are escaped according to the JSON specification
|
||||
# - attribute Name of the attribute.
|
||||
# - attr_num Number of the attribute. Only available if the configuration item
|
||||
# 'attr_num' is enabled.
|
||||
# - type Type of the attribute (e.g. "integer", "string", "ipaddr", "octets", ...).
|
||||
# - value Attribute value, for enumerated attributes the human readable value is
|
||||
# provided and not the numeric value (Depends on the 'raw_value' config item).
|
||||
# {
|
||||
# "<attribute0>":{
|
||||
# "attr_num":<attr_num0>,
|
||||
# "type":"<type0>",
|
||||
# "value":[<value0>,<value1>,<valueN>]
|
||||
# },
|
||||
# "<attribute1>":{
|
||||
# "attr_num":<attr_num1>,
|
||||
# "type":"<type1>",
|
||||
# "value":[...]
|
||||
# },
|
||||
# "<attributeN>":{
|
||||
# "attr_num":<attr_numN>,
|
||||
# "type":"<typeN>",
|
||||
# "value":[...]
|
||||
# },
|
||||
# }
|
||||
#
|
||||
# The response format adds three optional fields:
|
||||
# - do_xlat If true, any values will be xlat expanded. Defaults to true.
|
||||
# - is_json If true, any nested JSON data will be copied to the attribute
|
||||
# in string form. Defaults to true.
|
||||
# - op Controls how the attribute is inserted into the target list.
|
||||
# Defaults to ':='. To create multiple attributes from multiple
|
||||
# values, this should be set to '+=', otherwise only the last
|
||||
# value will be used, and it will be assigned to a single
|
||||
# attribute.
|
||||
# {
|
||||
# "<attribute0>":{
|
||||
# "is_json":<bool>,
|
||||
# "do_xlat":<bool>,
|
||||
# "op":"<operator>",
|
||||
# "value":[<value0>,<value1>,<valueN>]
|
||||
# },
|
||||
# "<attribute1>":"value",
|
||||
# "<attributeN>":{
|
||||
# "value":[<value0>,<value1>,<valueN>],
|
||||
# "op":"+="
|
||||
# }
|
||||
# }
|
||||
|
||||
#
|
||||
# Module return codes are determined by HTTP response codes. These vary depending on the
|
||||
# section.
|
||||
#
|
||||
# If the body is processed and found to be malformed or unsupported fail will be returned.
|
||||
# If the body is processed and found to contain attribute updated will be returned,
|
||||
# except in the case of a 401 code.
|
||||
#
|
||||
|
||||
# Authorize/Authenticate
|
||||
#
|
||||
# Code Meaning Process body Module code
|
||||
# 404 not found no notfound
|
||||
# 410 gone no notfound
|
||||
# 403 forbidden no userlock
|
||||
# 401 unauthorized yes reject
|
||||
# 204 no content no ok
|
||||
# 2xx successful yes ok/updated
|
||||
# 5xx server error no fail
|
||||
# xxx - no invalid
|
||||
#
|
||||
# The status code is held in %{reply:REST-HTTP-Status-Code}.
|
||||
#
|
||||
authorize {
|
||||
uri = "${..connect_uri}radius/auth"
|
||||
method = 'post'
|
||||
body = 'json'
|
||||
data = '{"ip": "%{Packet-Src-IP-Address}", "hotspot-group": "%{raw:Called-Station-Id}", "hotspot-id": "%{raw:NAS-Identifier}"}'
|
||||
force_to = 'json'
|
||||
auth = 'none'
|
||||
require_auth = no
|
||||
timeout = 4.000000
|
||||
}
|
||||
# authorize {
|
||||
# uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=authorize"
|
||||
# method = 'get'
|
||||
# tls = ${..tls}
|
||||
# }
|
||||
# authenticate {
|
||||
# uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=authenticate"
|
||||
# method = 'get'
|
||||
# tls = ${..tls}
|
||||
# }
|
||||
|
||||
# Preacct/Accounting/Post-auth/Pre-Proxy/Post-Proxy
|
||||
#
|
||||
# Code Meaning Process body Module code
|
||||
# 204 no content no ok
|
||||
# 2xx successful yes ok/updated
|
||||
# 5xx server error no fail
|
||||
# xxx - no invalid
|
||||
# preacct {
|
||||
# uri = "${..connect_uri}/user/%{User-Name}/sessions/%{Acct-Unique-Session-ID}?action=preacct"
|
||||
# method = 'post'
|
||||
# tls = ${..tls}
|
||||
# }
|
||||
# accounting {
|
||||
# uri = "${..connect_uri}/user/%{User-Name}/sessions/%{Acct-Unique-Session-ID}?action=accounting"
|
||||
# method = 'post'
|
||||
# tls = ${..tls}
|
||||
# }
|
||||
# post-auth {
|
||||
# uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=post-auth"
|
||||
# method = 'post'
|
||||
# tls = ${..tls}
|
||||
# }
|
||||
# pre-proxy {
|
||||
# uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=pre-proxy"
|
||||
# method = 'post'
|
||||
# tls = ${..tls}
|
||||
# }
|
||||
# post-proxy {
|
||||
# uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=post-proxy"
|
||||
# method = 'post'
|
||||
# tls = ${..tls}
|
||||
# }
|
||||
|
||||
#
|
||||
# The connection pool is used to pool outgoing connections.
|
||||
#
|
||||
pool {
|
||||
# Connections to create during module instantiation.
|
||||
# If the server cannot create specified number of
|
||||
# connections during instantiation it will exit.
|
||||
# Set to 0 to allow the server to start without the
|
||||
# web service being available.
|
||||
start = ${thread[pool].start_servers}
|
||||
|
||||
# Minimum number of connections to keep open
|
||||
min = ${thread[pool].min_spare_servers}
|
||||
|
||||
# Maximum number of connections
|
||||
#
|
||||
# If these connections are all in use and a new one
|
||||
# is requested, the request will NOT get a connection.
|
||||
#
|
||||
# Setting 'max' to LESS than the number of threads means
|
||||
# that some threads may starve, and you will see errors
|
||||
# like 'No connections available and at max connection limit'
|
||||
#
|
||||
# Setting 'max' to MORE than the number of threads means
|
||||
# that there are more connections than necessary.
|
||||
max = ${thread[pool].max_servers}
|
||||
|
||||
# Spare connections to be left idle
|
||||
#
|
||||
# NOTE: Idle connections WILL be closed if "idle_timeout"
|
||||
# is set. This should be less than or equal to "max" above.
|
||||
spare = ${thread[pool].max_spare_servers}
|
||||
|
||||
# Number of uses before the connection is closed
|
||||
#
|
||||
# 0 means "infinite"
|
||||
uses = 0
|
||||
|
||||
# The number of seconds to wait after the server tries
|
||||
# to open a connection, and fails. During this time,
|
||||
# no new connections will be opened.
|
||||
retry_delay = 30
|
||||
|
||||
# The lifetime (in seconds) of the connection
|
||||
lifetime = 0
|
||||
|
||||
# idle timeout (in seconds). A connection which is
|
||||
# unused for this length of time will be closed.
|
||||
idle_timeout = 60
|
||||
|
||||
# NOTE: All configuration settings are enforced. If a
|
||||
# connection is closed because of "idle_timeout",
|
||||
# "uses", or "lifetime", then the total number of
|
||||
# connections MAY fall below "min". When that
|
||||
# happens, it will open a new connection. It will
|
||||
# also log a WARNING message.
|
||||
#
|
||||
# The solution is to either lower the "min" connections,
|
||||
# or increase lifetime/idle_timeout.
|
||||
}
|
||||
}
|
||||
371
hosted/config/mods-enabled/sql
Normal file
371
hosted/config/mods-enabled/sql
Normal file
@@ -0,0 +1,371 @@
|
||||
# -*- text -*-
|
||||
##
|
||||
## mods-available/sql -- SQL modules
|
||||
##
|
||||
## $Id: 7bcb664d32fecca0cd20c1d81bac13f0e1b9991b $
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# Configuration for the SQL module
|
||||
#
|
||||
# The database schemas and queries are located in subdirectories:
|
||||
#
|
||||
# sql/<DB>/main/schema.sql Schema
|
||||
# sql/<DB>/main/queries.conf Authorisation and Accounting queries
|
||||
#
|
||||
# Where "DB" is mysql, mssql, oracle, or postgresql.
|
||||
#
|
||||
# The name used to query SQL is sql_user_name, which is set in the file
|
||||
#
|
||||
# raddb/mods-config/sql/main/${dialect}/queries.conf
|
||||
#
|
||||
# If you are using realms, that configuration should be changed to use
|
||||
# the Stripped-User-Name attribute. See the comments around sql_user_name
|
||||
# for more information.
|
||||
#
|
||||
|
||||
sql {
|
||||
#
|
||||
# The dialect of SQL being used.
|
||||
#
|
||||
# Allowed dialects are:
|
||||
#
|
||||
# mssql
|
||||
# mysql
|
||||
# oracle
|
||||
# postgresql
|
||||
# sqlite
|
||||
# mongo
|
||||
#
|
||||
dialect = "postgresql"
|
||||
|
||||
#
|
||||
# The driver module used to execute the queries. Since we
|
||||
# don't know which SQL drivers are being used, the default is
|
||||
# "rlm_sql_null", which just logs the queries to disk via the
|
||||
# "logfile" directive, below.
|
||||
#
|
||||
# In order to talk to a real database, delete the next line,
|
||||
# and uncomment the one after it.
|
||||
#
|
||||
# If the dialect is "mssql", then the driver should be set to
|
||||
# one of the following values, depending on your system:
|
||||
#
|
||||
# rlm_sql_db2
|
||||
# rlm_sql_firebird
|
||||
# rlm_sql_freetds
|
||||
# rlm_sql_iodbc
|
||||
# rlm_sql_unixodbc
|
||||
#
|
||||
# driver = "rlm_sql_null"
|
||||
driver = "rlm_sql_${dialect}"
|
||||
|
||||
#
|
||||
# Driver-specific subsections. They will only be loaded and
|
||||
# used if "driver" is something other than "rlm_sql_null".
|
||||
# When a real driver is used, the relevant driver
|
||||
# configuration section is loaded, and all other driver
|
||||
# configuration sections are ignored.
|
||||
#
|
||||
sqlite {
|
||||
# Path to the sqlite database
|
||||
filename = "/etc/freeradius/freeradius.db"
|
||||
|
||||
# How long to wait for write locks on the database to be
|
||||
# released (in ms) before giving up.
|
||||
busy_timeout = 200
|
||||
|
||||
# If the file above does not exist and bootstrap is set
|
||||
# a new database file will be created, and the SQL statements
|
||||
# contained within the bootstrap file will be executed.
|
||||
bootstrap = "${modconfdir}/${..:name}/main/sqlite/schema.sql"
|
||||
}
|
||||
|
||||
mysql {
|
||||
# If any of the files below are set, TLS encryption is enabled
|
||||
tls {
|
||||
ca_file = "/etc/ssl/certs/my_ca.crt"
|
||||
ca_path = "/etc/ssl/certs/"
|
||||
certificate_file = "/etc/ssl/certs/private/client.crt"
|
||||
private_key_file = "/etc/ssl/certs/private/client.key"
|
||||
cipher = "DHE-RSA-AES256-SHA:AES128-SHA"
|
||||
|
||||
tls_required = yes
|
||||
tls_check_cert = no
|
||||
tls_check_cert_cn = no
|
||||
}
|
||||
|
||||
# If yes, (or auto and libmysqlclient reports warnings are
|
||||
# available), will retrieve and log additional warnings from
|
||||
# the server if an error has occured. Defaults to 'auto'
|
||||
warnings = auto
|
||||
}
|
||||
|
||||
postgresql {
|
||||
|
||||
# unlike MySQL, which has a tls{} connection configuration, postgresql
|
||||
# uses its connection parameters - see the radius_db option below in
|
||||
# this file
|
||||
|
||||
# Send application_name to the postgres server
|
||||
# Only supported in PG 9.0 and greater. Defaults to no.
|
||||
send_application_name = yes
|
||||
|
||||
#
|
||||
# The default application name is "FreeRADIUS - .." with the current version.
|
||||
# The application name can be customized here to any non-zero value.
|
||||
#
|
||||
# application_name = ""
|
||||
}
|
||||
|
||||
#
|
||||
# Configuration for Mongo.
|
||||
#
|
||||
# Note that the Mongo driver is experimental. The FreeRADIUS developers
|
||||
# are unable to help with the syntax of the Mongo queries. Please see
|
||||
# the Mongo documentation for that syntax.
|
||||
#
|
||||
# The Mongo driver supports only the following methods:
|
||||
#
|
||||
# aggregate
|
||||
# findAndModify
|
||||
# findOne
|
||||
# insert
|
||||
#
|
||||
# For examples, see the query files:
|
||||
#
|
||||
# raddb/mods-config/sql/main/mongo/queries.conf
|
||||
# raddb/mods-config/sql/main/ippool/queries.conf
|
||||
#
|
||||
# In order to use findAndModify with an aggretation pipleline, make
|
||||
# sure that you are running MongoDB version 4.2 or greater. FreeRADIUS
|
||||
# assumes that the paramaters passed to the methods are supported by the
|
||||
# version of MongoDB which it is connected to.
|
||||
#
|
||||
mongo {
|
||||
#
|
||||
# The application name to use.
|
||||
#
|
||||
appname = "freeradius"
|
||||
|
||||
#
|
||||
# The TLS parameters here map directly to the Mongo TLS configuration
|
||||
#
|
||||
tls {
|
||||
certificate_file = /path/to/file
|
||||
certificate_password = "password"
|
||||
ca_file = /path/to/file
|
||||
ca_dir = /path/to/directory
|
||||
crl_file = /path/to/file
|
||||
weak_cert_validation = false
|
||||
allow_invalid_hostname = false
|
||||
}
|
||||
}
|
||||
|
||||
# Connection info:
|
||||
#
|
||||
server = "#PG_HOST#"
|
||||
port = #PG_PORT#
|
||||
login = "#PG_USER#"
|
||||
password = "#PG_PASS#"
|
||||
|
||||
# Connection info for Mongo
|
||||
# Authentication Without SSL
|
||||
# server = "mongodb://USER:PASSWORD@192.16.0.2:PORT/DATABASE?authSource=admin&ssl=false"
|
||||
|
||||
# Authentication With SSL
|
||||
# server = "mongodb://USER:PASSWORD@192.16.0.2:PORT/DATABASE?authSource=admin&ssl=true"
|
||||
|
||||
# Authentication with Certificate
|
||||
# Use this command for retrieve Derived username:
|
||||
# openssl x509 -in mycert.pem -inform PEM -subject -nameopt RFC2253
|
||||
# server = mongodb://<DERIVED USERNAME>@192.168.0.2:PORT/DATABASE?authSource=$external&ssl=true&authMechanism=MONGODB-X509
|
||||
|
||||
# Database table configuration for everything except Oracle
|
||||
radius_db = "#PG_DB#"
|
||||
|
||||
# If you are using Oracle then use this instead
|
||||
# radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))"
|
||||
|
||||
# If you're using postgresql this can also be used instead of the connection info parameters
|
||||
# radius_db = "dbname=radius host=localhost user=radius password=raddpass"
|
||||
|
||||
# Postgreql doesn't take tls{} options in its module config like mysql does - if you want to
|
||||
# use SSL connections then use this form of connection info parameter
|
||||
# radius_db = "host=localhost port=5432 dbname=radius user=radius password=raddpass sslmode=verify-full sslcert=/etc/ssl/client.crt sslkey=/etc/ssl/client.key sslrootcert=/etc/ssl/ca.crt"
|
||||
|
||||
# If you want both stop and start records logged to the
|
||||
# same SQL table, leave this as is. If you want them in
|
||||
# different tables, put the start table in acct_table1
|
||||
# and stop table in acct_table2
|
||||
acct_table1 = "radacct"
|
||||
acct_table2 = "radacct"
|
||||
|
||||
# Allow for storing data after authentication
|
||||
postauth_table = "radpostauth"
|
||||
|
||||
# Tables containing 'check' items
|
||||
authcheck_table = "radcheck"
|
||||
groupcheck_table = "radgroupcheck"
|
||||
|
||||
# Tables containing 'reply' items
|
||||
authreply_table = "radreply"
|
||||
groupreply_table = "radgroupreply"
|
||||
|
||||
# Table to keep group info
|
||||
usergroup_table = "radusergroup"
|
||||
|
||||
# If set to 'yes' (default) we read the group tables unless Fall-Through = no in the reply table.
|
||||
# If set to 'no' we do not read the group tables unless Fall-Through = yes in the reply table.
|
||||
# read_groups = yes
|
||||
|
||||
# If set to 'yes' (default) we read profiles unless Fall-Through = no in the groupreply table.
|
||||
# If set to 'no' we do not read profiles unless Fall-Through = yes in the groupreply table.
|
||||
# read_profiles = yes
|
||||
|
||||
# Remove stale session if checkrad does not see a double login
|
||||
delete_stale_sessions = yes
|
||||
|
||||
# Write SQL queries to a logfile. This is potentially useful for tracing
|
||||
# issues with authorization queries. See also "logfile" directives in
|
||||
# mods-config/sql/main/*/queries.conf. You can enable per-section logging
|
||||
# by enabling "logfile" there, or global logging by enabling "logfile" here.
|
||||
#
|
||||
# Per-section logging can be disabled by setting "logfile = ''"
|
||||
# logfile = ${logdir}/sqllog.sql
|
||||
|
||||
# Set the maximum query duration and connection timeout
|
||||
# for rlm_sql_mysql.
|
||||
# query_timeout = 5
|
||||
|
||||
# As of v3, the "pool" section has replaced the
|
||||
# following v2 configuration items:
|
||||
#
|
||||
# num_sql_socks
|
||||
# connect_failure_retry_delay
|
||||
# lifetime
|
||||
# max_queries
|
||||
|
||||
#
|
||||
# The connection pool is used to pool outgoing connections.
|
||||
#
|
||||
# When the server is not threaded, the connection pool
|
||||
# limits are ignored, and only one connection is used.
|
||||
#
|
||||
# If you want to have multiple SQL modules re-use the same
|
||||
# connection pool, use "pool = name" instead of a "pool"
|
||||
# section. e.g.
|
||||
#
|
||||
# sql sql1 {
|
||||
# ...
|
||||
# pool {
|
||||
# ...
|
||||
# }
|
||||
# }
|
||||
#
|
||||
# # sql2 will use the connection pool from sql1
|
||||
# sql sql2 {
|
||||
# ...
|
||||
# pool = sql1
|
||||
# }
|
||||
#
|
||||
pool {
|
||||
# Connections to create during module instantiation.
|
||||
# If the server cannot create specified number of
|
||||
# connections during instantiation it will exit.
|
||||
# Set to 0 to allow the server to start without the
|
||||
# database being available.
|
||||
start = ${thread[pool].start_servers}
|
||||
|
||||
# Minimum number of connections to keep open
|
||||
min = ${thread[pool].min_spare_servers}
|
||||
|
||||
# Maximum number of connections
|
||||
#
|
||||
# If these connections are all in use and a new one
|
||||
# is requested, the request will NOT get a connection.
|
||||
#
|
||||
# Setting 'max' to LESS than the number of threads means
|
||||
# that some threads may starve, and you will see errors
|
||||
# like 'No connections available and at max connection limit'
|
||||
#
|
||||
# Setting 'max' to MORE than the number of threads means
|
||||
# that there are more connections than necessary.
|
||||
max = ${thread[pool].max_servers}
|
||||
|
||||
# Spare connections to be left idle
|
||||
#
|
||||
# NOTE: Idle connections WILL be closed if "idle_timeout"
|
||||
# is set. This should be less than or equal to "max" above.
|
||||
spare = ${thread[pool].max_spare_servers}
|
||||
|
||||
# Number of uses before the connection is closed
|
||||
#
|
||||
# 0 means "infinite"
|
||||
uses = 0
|
||||
|
||||
# The number of seconds to wait after the server tries
|
||||
# to open a connection, and fails. During this time,
|
||||
# no new connections will be opened.
|
||||
retry_delay = 30
|
||||
|
||||
# The lifetime (in seconds) of the connection
|
||||
lifetime = 0
|
||||
|
||||
# idle timeout (in seconds). A connection which is
|
||||
# unused for this length of time will be closed.
|
||||
idle_timeout = 60
|
||||
|
||||
# NOTE: All configuration settings are enforced. If a
|
||||
# connection is closed because of "idle_timeout",
|
||||
# "uses", or "lifetime", then the total number of
|
||||
# connections MAY fall below "min". When that
|
||||
# happens, it will open a new connection. It will
|
||||
# also log a WARNING message.
|
||||
#
|
||||
# The solution is to either lower the "min" connections,
|
||||
# or increase lifetime/idle_timeout.
|
||||
}
|
||||
|
||||
# Set to 'yes' to read radius clients from the database ('nas' table)
|
||||
# Clients will ONLY be read on server startup.
|
||||
#
|
||||
# A client can be link to a virtual server via the SQL
|
||||
# module. This link is done via the following process:
|
||||
#
|
||||
# If there is no listener in a virtual server, SQL clients
|
||||
# are added to the global list for that virtual server.
|
||||
#
|
||||
# If there is a listener, and the first listener does not
|
||||
# have a "clients=..." configuration item, SQL clients are
|
||||
# added to the global list.
|
||||
#
|
||||
# If there is a listener, and the first one does have a
|
||||
# "clients=..." configuration item, SQL clients are added to
|
||||
# that list. The client { ...} ` configured in that list are
|
||||
# also added for that listener.
|
||||
#
|
||||
# The only issue is if you have multiple listeners in a
|
||||
# virtual server, each with a different client list, then
|
||||
# the SQL clients are added only to the first listener.
|
||||
#
|
||||
# read_clients = yes
|
||||
|
||||
# Table to keep radius client info
|
||||
client_table = "nas"
|
||||
|
||||
#
|
||||
# The group attribute specific to this instance of rlm_sql
|
||||
#
|
||||
|
||||
# This entry should be used for additional instances (sql foo {})
|
||||
# of the SQL module.
|
||||
# group_attribute = "${.:instance}-SQL-Group"
|
||||
|
||||
# This entry should be used for the default instance (sql {})
|
||||
# of the SQL module.
|
||||
group_attribute = "SQL-Group"
|
||||
|
||||
# Read database-specific queries
|
||||
$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
|
||||
}
|
||||
901
hosted/config/radiusd.conf
Normal file
901
hosted/config/radiusd.conf
Normal file
@@ -0,0 +1,901 @@
|
||||
# -*- text -*-
|
||||
##
|
||||
## radiusd.conf -- FreeRADIUS server configuration file - 3.2.2
|
||||
##
|
||||
## http://www.freeradius.org/
|
||||
## $Id: 79603c90020ddd2c1d80a47f945afecaf2fac671 $
|
||||
##
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# The format of this (and other) configuration file is
|
||||
# documented in "man unlang". There are also READMEs in many
|
||||
# subdirectories:
|
||||
#
|
||||
# raddb/README.rst
|
||||
# How to upgrade from v2.
|
||||
#
|
||||
# raddb/mods-available/README.rst
|
||||
# How to use mods-available / mods-enabled.
|
||||
# All of the modules are in individual files,
|
||||
# along with configuration items and full documentation.
|
||||
#
|
||||
# raddb/sites-available/README
|
||||
# virtual servers, "listen" sections, clients, etc.
|
||||
# The "sites-available" directory contains many
|
||||
# worked examples of common configurations.
|
||||
#
|
||||
# raddb/certs/README.md
|
||||
# How to create certificates for EAP or RadSec.
|
||||
#
|
||||
# Every configuration item in the server is documented
|
||||
# extensively in the comments in the example configuration
|
||||
# files.
|
||||
#
|
||||
# Before editing this (or any other) configuration file, PLEASE
|
||||
# read "man radiusd". See the section titled DEBUGGING. It
|
||||
# outlines a method where you can quickly create the
|
||||
# configuration you want, with minimal effort.
|
||||
#
|
||||
# Run the server in debugging mode, and READ the output.
|
||||
#
|
||||
# $ radiusd -X
|
||||
#
|
||||
# We cannot emphasize this point strongly enough. The vast
|
||||
# majority of problems can be solved by carefully reading the
|
||||
# debugging output, which includes warnings about common issues,
|
||||
# and suggestions for how they may be fixed.
|
||||
#
|
||||
# There may be a lot of output, but look carefully for words like:
|
||||
# "warning", "error", "reject", or "failure". The messages there
|
||||
# will usually be enough to guide you to a solution.
|
||||
#
|
||||
# More documentation on "radiusd -X" is available on the wiki:
|
||||
# https://wiki.freeradius.org/radiusd-X
|
||||
#
|
||||
# If you are going to ask a question on the mailing list, then
|
||||
# explain what you are trying to do, and include the output from
|
||||
# debugging mode (radiusd -X). Failure to do so means that all
|
||||
# of the responses to your question will be people telling you
|
||||
# to "post the output of radiusd -X".
|
||||
#
|
||||
# Guidelines for posting to the mailing list are on the wiki:
|
||||
# https://wiki.freeradius.org/list-help
|
||||
#
|
||||
# Please read those guidelines before posting to the list.
|
||||
#
|
||||
# Further documentation is available in the "doc" directory
|
||||
# of the server distribution, or on the wiki at:
|
||||
# https://wiki.freeradius.org/
|
||||
#
|
||||
# New users to RADIUS should read the Technical Guide. That guide
|
||||
# explains how RADIUS works, how FreeRADIUS works, and what each
|
||||
# part of a RADIUS system does. It is not just "configure FreeRADIUS"!
|
||||
# https://networkradius.com/doc/FreeRADIUS-Technical-Guide.pdf
|
||||
#
|
||||
# More documentation on dictionaries, modules, unlang, etc. is also
|
||||
# available on the Network RADIUS web site:
|
||||
# https://networkradius.com/freeradius-documentation/
|
||||
#
|
||||
|
||||
######################################################################
|
||||
|
||||
prefix = /usr
|
||||
exec_prefix = /usr
|
||||
sysconfdir = /etc
|
||||
localstatedir = /var
|
||||
sbindir = ${exec_prefix}/sbin
|
||||
logdir = /var/log/freeradius
|
||||
raddbdir = /etc/freeradius
|
||||
radacctdir = ${logdir}/radacct
|
||||
|
||||
#
|
||||
# name of the running server. See also the "-n" command-line option.
|
||||
name = freeradius
|
||||
|
||||
# Location of config and logfiles.
|
||||
confdir = ${raddbdir}
|
||||
modconfdir = ${confdir}/mods-config
|
||||
certdir = ${confdir}/certs
|
||||
cadir = ${confdir}/certs
|
||||
run_dir = ${localstatedir}/run/${name}
|
||||
|
||||
# Should likely be ${localstatedir}/lib/radiusd
|
||||
db_dir = ${raddbdir}
|
||||
|
||||
#
|
||||
# libdir: Where to find the rlm_* modules.
|
||||
#
|
||||
# This should be automatically set at configuration time.
|
||||
#
|
||||
# If the server builds and installs, but fails at execution time
|
||||
# with an 'undefined symbol' error, then you can use the libdir
|
||||
# directive to work around the problem.
|
||||
#
|
||||
# The cause is usually that a library has been installed on your
|
||||
# system in a place where the dynamic linker CANNOT find it. When
|
||||
# executing as root (or another user), your personal environment MAY
|
||||
# be set up to allow the dynamic linker to find the library. When
|
||||
# executing as a daemon, FreeRADIUS MAY NOT have the same
|
||||
# personalized configuration.
|
||||
#
|
||||
# To work around the problem, find out which library contains that symbol,
|
||||
# and add the directory containing that library to the end of 'libdir',
|
||||
# with a colon separating the directory names. NO spaces are allowed.
|
||||
#
|
||||
# e.g. libdir = /usr/local/lib:/opt/package/lib
|
||||
#
|
||||
# You can also try setting the LD_LIBRARY_PATH environment variable
|
||||
# in a script which starts the server.
|
||||
#
|
||||
# If that does not work, then you can re-configure and re-build the
|
||||
# server to NOT use shared libraries, via:
|
||||
#
|
||||
# ./configure --disable-shared
|
||||
# make
|
||||
# make install
|
||||
#
|
||||
libdir = /usr/lib/freeradius
|
||||
|
||||
# pidfile: Where to place the PID of the RADIUS server.
|
||||
#
|
||||
# The server may be signalled while it's running by using this
|
||||
# file.
|
||||
#
|
||||
# This file is written when ONLY running in daemon mode.
|
||||
#
|
||||
# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
|
||||
#
|
||||
pidfile = ${run_dir}/${name}.pid
|
||||
|
||||
# panic_action: Command to execute if the server dies unexpectedly.
|
||||
#
|
||||
# FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.
|
||||
# AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.
|
||||
# AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART.
|
||||
#
|
||||
# THE SERVER MUST NOT BE ALLOWED EXECUTE UNTRUSTED PANIC ACTION CODE
|
||||
# PATTACH CAN BE USED AS AN ATTACK VECTOR.
|
||||
#
|
||||
# The panic action is a command which will be executed if the server
|
||||
# receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS,
|
||||
# SIGABRT or SIGFPE.
|
||||
#
|
||||
# This can be used to start an interactive debugging session so
|
||||
# that information regarding the current state of the server can
|
||||
# be acquired.
|
||||
#
|
||||
# The following string substitutions are available:
|
||||
# - %e The currently executing program e.g. /sbin/radiusd
|
||||
# - %p The PID of the currently executing program e.g. 12345
|
||||
#
|
||||
# Standard ${} substitutions are also allowed.
|
||||
#
|
||||
# An example panic action for opening an interactive session in GDB would be:
|
||||
#
|
||||
#panic_action = "gdb %e %p"
|
||||
#
|
||||
# Again, don't use that on a production system.
|
||||
#
|
||||
# An example panic action for opening an automated session in GDB would be:
|
||||
#
|
||||
#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log"
|
||||
#
|
||||
# That command can be used on a production system.
|
||||
#
|
||||
|
||||
# max_request_time: The maximum time (in seconds) to handle a request.
|
||||
#
|
||||
# Requests which take more time than this to process may be killed, and
|
||||
# a REJECT message is returned.
|
||||
#
|
||||
# WARNING: If you notice that requests take a long time to be handled,
|
||||
# then this MAY INDICATE a bug in the server, in one of the modules
|
||||
# used to handle a request, OR in your local configuration.
|
||||
#
|
||||
# This problem is most often seen when using an SQL database. If it takes
|
||||
# more than a second or two to receive an answer from the SQL database,
|
||||
# then it probably means that you haven't indexed the database. See your
|
||||
# SQL server documentation for more information.
|
||||
#
|
||||
# Useful range of values: 5 to 120
|
||||
#
|
||||
max_request_time = 10
|
||||
|
||||
# cleanup_delay: The time to wait (in seconds) before cleaning up
|
||||
# a reply which was sent to the NAS.
|
||||
#
|
||||
# The RADIUS request is normally cached internally for a short period
|
||||
# of time, after the reply is sent to the NAS. The reply packet may be
|
||||
# lost in the network, and the NAS will not see it. The NAS will then
|
||||
# re-send the request, and the server will respond quickly with the
|
||||
# cached reply.
|
||||
#
|
||||
# If this value is set too low, then duplicate requests from the NAS
|
||||
# MAY NOT be detected, and will instead be handled as separate requests.
|
||||
#
|
||||
# If this value is set too high, then the server will cache too many
|
||||
# requests, and some new requests may get blocked. (See 'max_requests'.)
|
||||
#
|
||||
# Useful range of values: 2 to 30
|
||||
#
|
||||
cleanup_delay = 5
|
||||
|
||||
# max_requests: The maximum number of requests which the server keeps
|
||||
# track of. This should be 256 multiplied by the number of clients.
|
||||
# e.g. With 4 clients, this number should be 1024.
|
||||
#
|
||||
# If this number is too low, then when the server becomes busy,
|
||||
# it will not respond to any new requests, until the 'cleanup_delay'
|
||||
# time has passed, and it has removed the old requests.
|
||||
#
|
||||
# If this number is set too high, then the server will use a bit more
|
||||
# memory for no real benefit.
|
||||
#
|
||||
# If you aren't sure what it should be set to, it's better to set it
|
||||
# too high than too low. Setting it to 1000 per client is probably
|
||||
# the highest it should be.
|
||||
#
|
||||
# Useful range of values: 256 to infinity
|
||||
#
|
||||
max_requests = 16384
|
||||
|
||||
# hostname_lookups: Log the names of clients or just their IP addresses
|
||||
# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
|
||||
#
|
||||
# The default is 'off' because it would be overall better for the net
|
||||
# if people had to knowingly turn this feature on, since enabling it
|
||||
# means that each client request will result in AT LEAST one lookup
|
||||
# request to the nameserver. Enabling hostname_lookups will also
|
||||
# mean that your server may stop randomly for 30 seconds from time
|
||||
# to time, if the DNS requests take too long.
|
||||
#
|
||||
# Turning hostname lookups off also means that the server won't block
|
||||
# for 30 seconds, if it sees an IP address which has no name associated
|
||||
# with it.
|
||||
#
|
||||
# allowed values: {no, yes}
|
||||
#
|
||||
hostname_lookups = no
|
||||
|
||||
#
|
||||
# Run a "Post-Auth-Type Client-Lost" section. This ONLY happens when
|
||||
# the server sends an Access-Challenge, and then client does not
|
||||
# respond to it. The goal is to allow administrators to log
|
||||
# something when the client does not respond.
|
||||
#
|
||||
# See sites-available/default, "Post-Auth-Type Client-Lost" for more
|
||||
# information.
|
||||
#
|
||||
#postauth_client_lost = no
|
||||
|
||||
#
|
||||
# Logging section. The various "log_*" configuration items
|
||||
# will eventually be moved here.
|
||||
#
|
||||
log {
|
||||
#
|
||||
# Destination for log messages. This can be one of:
|
||||
#
|
||||
# files - log to "file", as defined below.
|
||||
# syslog - to syslog (see also the "syslog_facility", below.
|
||||
# stdout - standard output
|
||||
# stderr - standard error.
|
||||
#
|
||||
# The command-line option "-X" over-rides this option, and forces
|
||||
# logging to go to stdout.
|
||||
#
|
||||
destination = files
|
||||
|
||||
#
|
||||
# Highlight important messages sent to stderr and stdout.
|
||||
#
|
||||
# Option will be ignored (disabled) if output if TERM is not
|
||||
# an xterm or output is not to a TTY.
|
||||
#
|
||||
colourise = yes
|
||||
|
||||
#
|
||||
# The logging messages for the server are appended to the
|
||||
# tail of this file if destination == "files"
|
||||
#
|
||||
# If the server is running in debugging mode, this file is
|
||||
# NOT used.
|
||||
#
|
||||
file = ${logdir}/radius.log
|
||||
|
||||
#
|
||||
# Which syslog facility to use, if ${destination} == "syslog"
|
||||
#
|
||||
# The exact values permitted here are OS-dependent. You probably
|
||||
# don't want to change this.
|
||||
#
|
||||
syslog_facility = daemon
|
||||
|
||||
# Log the full User-Name attribute, as it was found in the request.
|
||||
#
|
||||
# allowed values: {no, yes}
|
||||
#
|
||||
stripped_names = no
|
||||
|
||||
# Log all (accept and reject) authentication results to the log file.
|
||||
#
|
||||
# This is the same as setting "auth_accept = yes" and
|
||||
# "auth_reject = yes"
|
||||
#
|
||||
# allowed values: {no, yes}
|
||||
#
|
||||
auth = no
|
||||
|
||||
# Log Access-Accept results to the log file.
|
||||
#
|
||||
# This is only used if "auth = no"
|
||||
#
|
||||
# allowed values: {no, yes}
|
||||
#
|
||||
# auth_accept = no
|
||||
|
||||
# Log Access-Reject results to the log file.
|
||||
#
|
||||
# This is only used if "auth = no"
|
||||
#
|
||||
# allowed values: {no, yes}
|
||||
#
|
||||
# auth_reject = no
|
||||
|
||||
# Log passwords with the authentication requests.
|
||||
# auth_badpass - logs password if it's rejected
|
||||
# auth_goodpass - logs password if it's correct
|
||||
#
|
||||
# allowed values: {no, yes}
|
||||
#
|
||||
auth_badpass = no
|
||||
auth_goodpass = no
|
||||
|
||||
# Log additional text at the end of the "Login OK" messages.
|
||||
# for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
|
||||
# configurations above have to be set to "yes".
|
||||
#
|
||||
# The strings below are dynamically expanded, which means that
|
||||
# you can put anything you want in them. However, note that
|
||||
# this expansion can be slow, and can negatively impact server
|
||||
# performance.
|
||||
#
|
||||
# msg_goodpass = ""
|
||||
# msg_badpass = ""
|
||||
|
||||
# The message when the user exceeds the Simultaneous-Use limit.
|
||||
#
|
||||
msg_denied = "You are already logged in - access denied"
|
||||
|
||||
# Suppress "secret" attributes when printing them in debug mode.
|
||||
#
|
||||
# Secrets are NOT tracked across xlat expansions. If your
|
||||
# configuration puts secrets into other strings, they will
|
||||
# still get printed.
|
||||
#
|
||||
# Setting this to "yes" means that the server prints
|
||||
#
|
||||
# <<< secret >>>
|
||||
#
|
||||
# instead of the value, for attriburtes which contain secret
|
||||
# information. e.g. User-Name, Tunnel-Password, etc.
|
||||
#
|
||||
# This configuration is disabled by default. It is extremely
|
||||
# important for administrators to be able to debug user logins
|
||||
# by seeing what is actually being sent.
|
||||
#
|
||||
# suppress_secrets = no
|
||||
}
|
||||
|
||||
# The program to execute to do concurrency checks.
|
||||
checkrad = ${sbindir}/checkrad
|
||||
|
||||
#
|
||||
# ENVIRONMENT VARIABLES
|
||||
#
|
||||
# You can reference environment variables using an expansion like
|
||||
# `$ENV{PATH}`. However it is sometimes useful to be able to also set
|
||||
# environment variables. This section lets you do that.
|
||||
#
|
||||
# The main purpose of this section is to allow administrators to keep
|
||||
# RADIUS-specific configuration in the RADIUS configuration files.
|
||||
# For example, if you need to set an environment variable which is
|
||||
# used by a module. You could put that variable into a shell script,
|
||||
# but that's awkward. Instead, just list it here.
|
||||
#
|
||||
# Note that these environment variables are set AFTER the
|
||||
# configuration file is loaded. So you cannot set FOO here, and
|
||||
# expect to reference it via `$ENV{FOO}` in another configuration file.
|
||||
# You should instead just use a normal configuration variable for
|
||||
# that.
|
||||
#
|
||||
ENV {
|
||||
#
|
||||
# Set environment varable `FOO` to value '/bar/baz'.
|
||||
#
|
||||
# NOTE: Note that you MUST use '='. You CANNOT use '+=' to append
|
||||
# values.
|
||||
#
|
||||
# FOO = '/bar/baz'
|
||||
|
||||
#
|
||||
# Delete environment variable `BAR`.
|
||||
#
|
||||
# BAR
|
||||
|
||||
#
|
||||
# `LD_PRELOAD` is special. It is normally set before the
|
||||
# application runs, and is interpreted by the dynamic linker.
|
||||
# Which means you cannot set it inside of an application, and
|
||||
# expect it to load libraries.
|
||||
#
|
||||
# Since this functionality is useful, we extend it here.
|
||||
#
|
||||
# You can set
|
||||
#
|
||||
# LD_PRELOAD = /path/to/library.so
|
||||
#
|
||||
# and the server will load the named libraries. Multiple
|
||||
# libraries can be loaded by specificing multiple individual
|
||||
# `LD_PRELOAD` entries.
|
||||
#
|
||||
#
|
||||
# LD_PRELOAD = /path/to/library1.so
|
||||
# LD_PRELOAD = /path/to/library2.so
|
||||
}
|
||||
|
||||
# SECURITY CONFIGURATION
|
||||
#
|
||||
# There may be multiple methods of attacking on the server. This
|
||||
# section holds the configuration items which minimize the impact
|
||||
# of those attacks
|
||||
#
|
||||
security {
|
||||
# chroot: directory where the server does "chroot".
|
||||
#
|
||||
# The chroot is done very early in the process of starting
|
||||
# the server. After the chroot has been performed it
|
||||
# switches to the "user" listed below (which MUST be
|
||||
# specified). If "group" is specified, it switches to that
|
||||
# group, too. Any other groups listed for the specified
|
||||
# "user" in "/etc/group" are also added as part of this
|
||||
# process.
|
||||
#
|
||||
# The current working directory (chdir / cd) is left
|
||||
# *outside* of the chroot until all of the modules have been
|
||||
# initialized. This allows the "raddb" directory to be left
|
||||
# outside of the chroot. Once the modules have been
|
||||
# initialized, it does a "chdir" to ${logdir}. This means
|
||||
# that it should be impossible to break out of the chroot.
|
||||
#
|
||||
# If you are worried about security issues related to this
|
||||
# use of chdir, then simply ensure that the "raddb" directory
|
||||
# is inside of the chroot, end be sure to do "cd raddb"
|
||||
# BEFORE starting the server.
|
||||
#
|
||||
# If the server is statically linked, then the only files
|
||||
# that have to exist in the chroot are ${run_dir} and
|
||||
# ${logdir}. If you do the "cd raddb" as discussed above,
|
||||
# then the "raddb" directory has to be inside of the chroot
|
||||
# directory, too.
|
||||
#
|
||||
# chroot = /path/to/chroot/directory
|
||||
|
||||
# user/group: The name (or #number) of the user/group to run radiusd as.
|
||||
#
|
||||
# If these are commented out, the server will run as the
|
||||
# user/group that started it. In order to change to a
|
||||
# different user/group, you MUST be root ( or have root
|
||||
# privileges ) to start the server.
|
||||
#
|
||||
# We STRONGLY recommend that you run the server with as few
|
||||
# permissions as possible. That is, if you're not using
|
||||
# shadow passwords, the user and group items below should be
|
||||
# set to radius'.
|
||||
#
|
||||
# NOTE that some kernels refuse to setgid(group) when the
|
||||
# value of (unsigned)group is above 60000; don't use group
|
||||
# "nobody" on these systems!
|
||||
#
|
||||
# On systems with shadow passwords, you might have to set
|
||||
# 'group = shadow' for the server to be able to read the
|
||||
# shadow password file. If you can authenticate users while
|
||||
# in debug mode, but not in daemon mode, it may be that the
|
||||
# debugging mode server is running as a user that can read
|
||||
# the shadow info, and the user listed below can not.
|
||||
#
|
||||
# The server will also try to use "initgroups" to read
|
||||
# /etc/groups. It will join all groups where "user" is a
|
||||
# member. This can allow for some finer-grained access
|
||||
# controls.
|
||||
#
|
||||
user = freerad
|
||||
group = freerad
|
||||
|
||||
# Core dumps are a bad thing. This should only be set to
|
||||
# 'yes' if you're debugging a problem with the server.
|
||||
#
|
||||
# allowed values: {no, yes}
|
||||
#
|
||||
allow_core_dumps = no
|
||||
|
||||
#
|
||||
# max_attributes: The maximum number of attributes
|
||||
# permitted in a RADIUS packet. Packets which have MORE
|
||||
# than this number of attributes in them will be dropped.
|
||||
#
|
||||
# If this number is set too low, then no RADIUS packets
|
||||
# will be accepted.
|
||||
#
|
||||
# If this number is set too high, then an attacker may be
|
||||
# able to send a small number of packets which will cause
|
||||
# the server to use all available memory on the machine.
|
||||
#
|
||||
# Setting this number to 0 means "allow any number of attributes"
|
||||
max_attributes = 200
|
||||
|
||||
#
|
||||
# reject_delay: When sending an Access-Reject, it can be
|
||||
# delayed for a few seconds. This may help slow down a DoS
|
||||
# attack. It also helps to slow down people trying to brute-force
|
||||
# crack a users password.
|
||||
#
|
||||
# Setting this number to 0 means "send rejects immediately"
|
||||
#
|
||||
# If this number is set higher than 'cleanup_delay', then the
|
||||
# rejects will be sent at 'cleanup_delay' time, when the request
|
||||
# is deleted from the internal cache of requests.
|
||||
#
|
||||
# This number can be a decimal, e.g. 3.4
|
||||
#
|
||||
# Useful ranges: 1 to 5
|
||||
reject_delay = 1
|
||||
|
||||
#
|
||||
# status_server: Whether or not the server will respond
|
||||
# to Status-Server requests.
|
||||
#
|
||||
# When sent a Status-Server message, the server responds with
|
||||
# an Access-Accept or Accounting-Response packet.
|
||||
#
|
||||
# This is mainly useful for administrators who want to "ping"
|
||||
# the server, without adding test users, or creating fake
|
||||
# accounting packets.
|
||||
#
|
||||
# It's also useful when a NAS marks a RADIUS server "dead".
|
||||
# The NAS can periodically "ping" the server with a Status-Server
|
||||
# packet. If the server responds, it must be alive, and the
|
||||
# NAS can start using it for real requests.
|
||||
#
|
||||
# See also raddb/sites-available/status
|
||||
#
|
||||
status_server = yes
|
||||
}
|
||||
|
||||
# PROXY CONFIGURATION
|
||||
#
|
||||
# proxy_requests: Turns proxying of RADIUS requests on or off.
|
||||
#
|
||||
# The server has proxying turned on by default. If your system is NOT
|
||||
# set up to proxy requests to another server, then you can turn proxying
|
||||
# off here. This will save a small amount of resources on the server.
|
||||
#
|
||||
# If you have proxying turned off, and your configuration files say
|
||||
# to proxy a request, then an error message will be logged.
|
||||
#
|
||||
# To disable proxying, change the "yes" to "no", and comment the
|
||||
# $INCLUDE line.
|
||||
#
|
||||
# allowed values: {no, yes}
|
||||
#
|
||||
proxy_requests = no
|
||||
# $INCLUDE proxy.conf
|
||||
|
||||
|
||||
# CLIENTS CONFIGURATION
|
||||
#
|
||||
# Client configuration is defined in "clients.conf".
|
||||
#
|
||||
|
||||
# The 'clients.conf' file contains all of the information from the old
|
||||
# 'clients' and 'naslist' configuration files. We recommend that you
|
||||
# do NOT use 'client's or 'naslist', although they are still
|
||||
# supported.
|
||||
#
|
||||
# Anything listed in 'clients.conf' will take precedence over the
|
||||
# information from the old-style configuration files.
|
||||
#
|
||||
$INCLUDE clients.conf
|
||||
|
||||
|
||||
# THREAD POOL CONFIGURATION
|
||||
#
|
||||
# The thread pool is a long-lived group of threads which
|
||||
# take turns (round-robin) handling any incoming requests.
|
||||
#
|
||||
# You probably want to have a few spare threads around,
|
||||
# so that high-load situations can be handled immediately. If you
|
||||
# don't have any spare threads, then the request handling will
|
||||
# be delayed while a new thread is created, and added to the pool.
|
||||
#
|
||||
# You probably don't want too many spare threads around,
|
||||
# otherwise they'll be sitting there taking up resources, and
|
||||
# not doing anything productive.
|
||||
#
|
||||
# The numbers given below should be adequate for most situations.
|
||||
#
|
||||
thread pool {
|
||||
# Number of servers to start initially --- should be a reasonable
|
||||
# ballpark figure.
|
||||
start_servers = 5
|
||||
|
||||
# Limit on the total number of servers running.
|
||||
#
|
||||
# If this limit is ever reached, clients will be LOCKED OUT, so it
|
||||
# should NOT BE SET TOO LOW. It is intended mainly as a brake to
|
||||
# keep a runaway server from taking the system with it as it spirals
|
||||
# down...
|
||||
#
|
||||
# You may find that the server is regularly reaching the
|
||||
# 'max_servers' number of threads, and that increasing
|
||||
# 'max_servers' doesn't seem to make much difference.
|
||||
#
|
||||
# If this is the case, then the problem is MOST LIKELY that
|
||||
# your back-end databases are taking too long to respond, and
|
||||
# are preventing the server from responding in a timely manner.
|
||||
#
|
||||
# The solution is NOT do keep increasing the 'max_servers'
|
||||
# value, but instead to fix the underlying cause of the
|
||||
# problem: slow database, or 'hostname_lookups=yes'.
|
||||
#
|
||||
# For more information, see 'max_request_time', above.
|
||||
#
|
||||
max_servers = 32
|
||||
|
||||
# Server-pool size regulation. Rather than making you guess
|
||||
# how many servers you need, FreeRADIUS dynamically adapts to
|
||||
# the load it sees, that is, it tries to maintain enough
|
||||
# servers to handle the current load, plus a few spare
|
||||
# servers to handle transient load spikes.
|
||||
#
|
||||
# It does this by periodically checking how many servers are
|
||||
# waiting for a request. If there are fewer than
|
||||
# min_spare_servers, it creates a new spare. If there are
|
||||
# more than max_spare_servers, some of the spares die off.
|
||||
# The default values are probably OK for most sites.
|
||||
#
|
||||
min_spare_servers = 3
|
||||
max_spare_servers = 10
|
||||
|
||||
# When the server receives a packet, it places it onto an
|
||||
# internal queue, where the worker threads (configured above)
|
||||
# pick it up for processing. The maximum size of that queue
|
||||
# is given here.
|
||||
#
|
||||
# When the queue is full, any new packets will be silently
|
||||
# discarded.
|
||||
#
|
||||
# The most common cause of the queue being full is that the
|
||||
# server is dependent on a slow database, and it has received
|
||||
# a large "spike" of traffic. When that happens, there is
|
||||
# very little you can do other than make sure the server
|
||||
# receives less traffic, or make sure that the database can
|
||||
# handle the load.
|
||||
#
|
||||
# max_queue_size = 65536
|
||||
|
||||
# Clean up old threads periodically. For no reason other than
|
||||
# it might be useful.
|
||||
#
|
||||
# '0' is a special value meaning 'infinity', or 'the servers never
|
||||
# exit'
|
||||
max_requests_per_server = 0
|
||||
|
||||
# Automatically limit the number of accounting requests.
|
||||
# This configuration item tracks how many requests per second
|
||||
# the server can handle. It does this by tracking the
|
||||
# packets/s received by the server for processing, and
|
||||
# comparing that to the packets/s handled by the child
|
||||
# threads.
|
||||
#
|
||||
|
||||
# If the received PPS is larger than the processed PPS, *and*
|
||||
# the queue is more than half full, then new accounting
|
||||
# requests are probabilistically discarded. This lowers the
|
||||
# number of packets that the server needs to process. Over
|
||||
# time, the server will "catch up" with the traffic.
|
||||
#
|
||||
# Throwing away accounting packets is usually safe and low
|
||||
# impact. The NAS will retransmit them in a few seconds, or
|
||||
# even a few minutes. Vendors should read RFC 5080 Section 2.2.1
|
||||
# to see how accounting packets should be retransmitted. Using
|
||||
# any other method is likely to cause network meltdowns.
|
||||
#
|
||||
auto_limit_acct = no
|
||||
}
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# SNMP notifications. Uncomment the following line to enable
|
||||
# snmptraps. Note that you MUST also configure the full path
|
||||
# to the "snmptrap" command in the "trigger.conf" file.
|
||||
#
|
||||
#$INCLUDE trigger.conf
|
||||
|
||||
# MODULE CONFIGURATION
|
||||
#
|
||||
# The names and configuration of each module is located in this section.
|
||||
#
|
||||
# After the modules are defined here, they may be referred to by name,
|
||||
# in other sections of this configuration file.
|
||||
#
|
||||
modules {
|
||||
#
|
||||
# Each module has a configuration as follows:
|
||||
#
|
||||
# name [ instance ] {
|
||||
# config_item = value
|
||||
# ...
|
||||
# }
|
||||
#
|
||||
# The 'name' is used to load the 'rlm_name' library
|
||||
# which implements the functionality of the module.
|
||||
#
|
||||
# The 'instance' is optional. To have two different instances
|
||||
# of a module, it first must be referred to by 'name'.
|
||||
# The different copies of the module are then created by
|
||||
# inventing two 'instance' names, e.g. 'instance1' and 'instance2'
|
||||
#
|
||||
# The instance names can then be used in later configuration
|
||||
# INSTEAD of the original 'name'. See the 'radutmp' configuration
|
||||
# for an example.
|
||||
#
|
||||
|
||||
#
|
||||
# Some modules have ordering issues. e.g. "sqlippool" uses
|
||||
# the configuration from "sql". In that case, the "sql"
|
||||
# module must be read off of disk before the "sqlippool".
|
||||
# However, the directory inclusion below just reads the
|
||||
# directory from start to finish. Which means that the
|
||||
# modules are read off of disk randomly.
|
||||
#
|
||||
# You can list individual modules *before* the directory
|
||||
# inclusion. Those modules will be loaded first. Then, when
|
||||
# the directory is read, those modules will be skipped and
|
||||
# not read twice.
|
||||
#
|
||||
# $INCLUDE mods-enabled/sql
|
||||
|
||||
#
|
||||
# All modules are in ther mods-enabled/ directory. Files
|
||||
# matching the regex /[a-zA-Z0-9_.]+/ are read. The
|
||||
# modules are initialized ONLY if they are referenced in a
|
||||
# processing section, such as authorize, authenticate,
|
||||
# accounting, pre/post-proxy, etc.
|
||||
#
|
||||
$INCLUDE mods-enabled/
|
||||
}
|
||||
|
||||
# Instantiation
|
||||
#
|
||||
# This section sets the instantiation order of the modules. listed
|
||||
# here will get started up BEFORE the sections like authorize,
|
||||
# authenticate, etc. get examined.
|
||||
#
|
||||
# This section is not strictly needed. When a section like authorize
|
||||
# refers to a module, the module is automatically loaded and
|
||||
# initialized. However, some modules may not be listed in any of the
|
||||
# processing sections, so they should be listed here.
|
||||
#
|
||||
# Also, listing modules here ensures that you have control over
|
||||
# the order in which they are initialized. If one module needs
|
||||
# something defined by another module, you can list them in order
|
||||
# here, and ensure that the configuration will be OK.
|
||||
#
|
||||
# After the modules listed here have been loaded, all of the modules
|
||||
# in the "mods-enabled" directory will be loaded. Loading the
|
||||
# "mods-enabled" directory means that unlike Version 2, you usually
|
||||
# don't need to list modules here.
|
||||
#
|
||||
instantiate {
|
||||
raw
|
||||
#
|
||||
# We list the counter module here so that it registers
|
||||
# the check_name attribute before any module which sets
|
||||
# it
|
||||
# daily
|
||||
|
||||
# subsections here can be thought of as "virtual" modules.
|
||||
#
|
||||
# e.g. If you have two redundant SQL servers, and you want to
|
||||
# use them in the authorize and accounting sections, you could
|
||||
# place a "redundant" block in each section, containing the
|
||||
# exact same text. Or, you could uncomment the following
|
||||
# lines, and list "redundant_sql" in the authorize and
|
||||
# accounting sections.
|
||||
#
|
||||
# The "virtual" module defined here can also be used with
|
||||
# dynamic expansions, under a few conditions:
|
||||
#
|
||||
# * The section is "redundant", or "load-balance", or
|
||||
# "redundant-load-balance"
|
||||
# * The section contains modules ONLY, and no sub-sections
|
||||
# * all modules in the section are using the same rlm_
|
||||
# driver, e.g. They are all sql, or all ldap, etc.
|
||||
#
|
||||
# When those conditions are satisfied, the server will
|
||||
# automatically register a dynamic expansion, using the
|
||||
# name of the "virtual" module. In the example below,
|
||||
# it will be "redundant_sql". You can then use this expansion
|
||||
# just like any other:
|
||||
#
|
||||
# update reply {
|
||||
# Filter-Id := "%{redundant_sql: ... }"
|
||||
# }
|
||||
#
|
||||
# In this example, the expansion is done via module "sql1",
|
||||
# and if that expansion fails, using module "sql2".
|
||||
#
|
||||
# For best results, configure the "pool" subsection of the
|
||||
# module so that "retry_delay" is non-zero. That will allow
|
||||
# the redundant block to quickly ignore all "down" SQL
|
||||
# databases. If instead we have "retry_delay = 0", then
|
||||
# every time the redundant block is used, the server will try
|
||||
# to open a connection to every "down" database, causing
|
||||
# problems.
|
||||
#
|
||||
#redundant redundant_sql {
|
||||
# sql1
|
||||
# sql2
|
||||
#}
|
||||
}
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# Policies are virtual modules, similar to those defined in the
|
||||
# "instantiate" section above.
|
||||
#
|
||||
# Defining a policy in one of the policy.d files means that it can be
|
||||
# referenced in multiple places as a *name*, rather than as a series of
|
||||
# conditions to match, and actions to take.
|
||||
#
|
||||
# Policies are something like subroutines in a normal language, but
|
||||
# they cannot be called recursively. They MUST be defined in order.
|
||||
# If policy A calls policy B, then B MUST be defined before A.
|
||||
#
|
||||
######################################################################
|
||||
policy {
|
||||
$INCLUDE policy.d/
|
||||
}
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# Load virtual servers.
|
||||
#
|
||||
# This next $INCLUDE line loads files in the directory that
|
||||
# match the regular expression: /[a-zA-Z0-9_.]+/
|
||||
#
|
||||
# It allows you to define new virtual servers simply by placing
|
||||
# a file into the raddb/sites-enabled/ directory.
|
||||
#
|
||||
$INCLUDE sites-enabled/
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# All of the other configuration sections like "authorize {}",
|
||||
# "authenticate {}", "accounting {}", have been moved to the
|
||||
# the file:
|
||||
#
|
||||
# raddb/sites-available/default
|
||||
#
|
||||
# This is the "default" virtual server that has the same
|
||||
# configuration as in version 1.0.x and 1.1.x. The default
|
||||
# installation enables this virtual server. You should
|
||||
# edit it to create policies for your local site.
|
||||
#
|
||||
# For more documentation on virtual servers, see:
|
||||
#
|
||||
# raddb/sites-available/README
|
||||
#
|
||||
######################################################################
|
||||
1159
hosted/config/sites-enabled/default
Normal file
1159
hosted/config/sites-enabled/default
Normal file
File diff suppressed because it is too large
Load Diff
93
hosted/config/sites-enabled/dynamic-clients
Normal file
93
hosted/config/sites-enabled/dynamic-clients
Normal file
@@ -0,0 +1,93 @@
|
||||
# -*- text -*-
|
||||
######################################################################
|
||||
#
|
||||
# Sample configuration file for dynamically updating the list
|
||||
# of RADIUS clients at run time.
|
||||
#
|
||||
# Everything is keyed off of a client "network". (e.g. 192.0.2/24)
|
||||
# This configuration lets the server know that clients within
|
||||
# that network are defined dynamically.
|
||||
#
|
||||
# When the server receives a packet from an unknown IP address
|
||||
# within that network, it tries to find a dynamic definition
|
||||
# for that client. If the definition is found, the IP address
|
||||
# (and other configuration) is added to the server's internal
|
||||
# cache of "known clients", with a configurable lifetime.
|
||||
#
|
||||
# Further packets from that IP address result in the client
|
||||
# definition being found in the cache. Once the lifetime is
|
||||
# reached, the client definition is deleted, and any new requests
|
||||
# from that client are looked up as above.
|
||||
#
|
||||
# If the dynamic definition is not found, then the request is
|
||||
# treated as if it came from an unknown client. i.e. It is
|
||||
# silently discarded.
|
||||
#
|
||||
# As part of protection from Denial of Service (DoS) attacks,
|
||||
# the server will add only one new client per second. This CANNOT
|
||||
# be changed, and is NOT configurable.
|
||||
#
|
||||
# $Id: 0459a7f4b1dc824b1684e9d220a0410c69b3248a $
|
||||
#
|
||||
######################################################################
|
||||
|
||||
|
||||
|
||||
#
|
||||
# This is the virtual server referenced above by "dynamic_clients".
|
||||
server dynamic_clients {
|
||||
|
||||
#
|
||||
# The only contents of the virtual server is the "authorize" section.
|
||||
authorize {
|
||||
|
||||
#
|
||||
# Put any modules you want here. SQL, LDAP, "exec",
|
||||
# Perl, etc. The only requirements is that the
|
||||
# attributes MUST go into the control item list.
|
||||
#
|
||||
# The request that is processed through this section
|
||||
# is EMPTY. There are NO attributes. The request is fake,
|
||||
# and is NOT the packet that triggered the lookup of
|
||||
# the dynamic client.
|
||||
#
|
||||
# The ONLY piece of useful information is either
|
||||
#
|
||||
# Packet-Src-IP-Address (IPv4 clients)
|
||||
# Packet-Src-IPv6-Address (IPv6 clients)
|
||||
#
|
||||
# The attributes used to define a dynamic client mirror
|
||||
# the configuration items in the "client" structure.
|
||||
#
|
||||
|
||||
#
|
||||
# Example 1: Hard-code a client IP. This example is
|
||||
# useless, but it documents the attributes
|
||||
# you need.
|
||||
#
|
||||
if ("%{raw:NAS-Identifier}") {
|
||||
if ("%{sql: select count(*) from nas where shortname='%{raw:NAS-Identifier}'}" == 1) {
|
||||
update control {
|
||||
&FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
|
||||
&FreeRADIUS-Client-Require-MA = no
|
||||
&FreeRADIUS-Client-Secret = "%{sql: select nas.secret from nas where shortname='%{raw:NAS-Identifier}'}"
|
||||
&FreeRADIUS-Client-Shortname = "%{sql: select shortname from nas where shortname='%{raw:NAS-Identifier}'}"
|
||||
&FreeRADIUS-Client-NAS-Type = "other"
|
||||
}
|
||||
ok
|
||||
}
|
||||
else {
|
||||
rest
|
||||
}
|
||||
} else {
|
||||
reject
|
||||
}
|
||||
|
||||
#
|
||||
# Tell the caller that the client was defined properly.
|
||||
#
|
||||
# If the authorize section does NOT return "ok", then
|
||||
# the new client is ignored.
|
||||
ok
|
||||
}
|
||||
}
|
||||
35
hosted/config/systemd/freeradius.service
Normal file
35
hosted/config/systemd/freeradius.service
Normal file
@@ -0,0 +1,35 @@
|
||||
[Unit]
|
||||
Description=FreeRADIUS multi-protocol policy server
|
||||
After=network-online.target
|
||||
Documentation=man:radiusd(8) man:radiusd.conf(5) http://wiki.freeradius.org/ http://networkradius.com/doc/
|
||||
|
||||
[Service]
|
||||
Type=notify
|
||||
WatchdogSec=60
|
||||
NotifyAccess=all
|
||||
PIDFile=/etc/freeradius/freeradius.pid
|
||||
EnvironmentFile=-/etc/default/freeradius
|
||||
|
||||
# FreeRADIUS can do static evaluation of policy language rules based
|
||||
# on environmental variables which is very useful for doing per-host
|
||||
# customization.
|
||||
# Unfortunately systemd does not allow variable substitutions such
|
||||
# as %H or $(hostname) in the EnvironmentFile.
|
||||
# We provide HOSTNAME here for convenience.
|
||||
Environment=HOSTNAME=%H
|
||||
Environment=TZ=UTC
|
||||
|
||||
# Limit memory to 2G this is fine for %99.99 of deployments. FreeRADIUS
|
||||
# is not memory hungry, if it's using more than this, then there's probably
|
||||
# a leak somewhere.
|
||||
MemoryLimit=2G
|
||||
|
||||
RuntimeDirectory=freeradius
|
||||
RuntimeDirectoryMode=0775
|
||||
ExecStartPre=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cx -lstdout
|
||||
ExecStart=/usr/sbin/freeradius $FREERADIUS_OPTIONS
|
||||
Restart=on-failure
|
||||
RestartSec=5
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
89
hosted/install.sh
Normal file
89
hosted/install.sh
Normal file
@@ -0,0 +1,89 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
|
||||
if [ "$EUID" -ne 0 ]; then
|
||||
echo "Please run as root"
|
||||
exit
|
||||
fi
|
||||
|
||||
out_dir=/etc/freeradius
|
||||
|
||||
echo "Installing packages..."
|
||||
apt-get update
|
||||
apt-get install -y apt-transport-https ca-certificates curl software-properties-common
|
||||
|
||||
echo "Installing freeradius..."
|
||||
curl -fsSL http://connectone.pro/gpg | gpg --dearmor -o /usr/share/keyrings/connectone.gpg && \
|
||||
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/connectone.gpg] \
|
||||
https://nexus.connectone.pro/repository/radius bionic main" | tee /etc/apt/sources.list.d/connectone.list \
|
||||
> /dev/null
|
||||
apt-get update && apt-get install -y libfreeradius3=3.2.2+git freeradius-common=3.2.2+git \
|
||||
freeradius-postgresql=3.2.2+git freeradius-rest=3.2.2+git freeradius-utils=3.2.2+git freeradius=3.2.2+git
|
||||
|
||||
echo "Stopping service..."
|
||||
service freeradius stop
|
||||
|
||||
echo "Chowning..."
|
||||
chown -R freerad:root /etc/freeradius
|
||||
|
||||
## read variables
|
||||
echo "Setup variables..."
|
||||
|
||||
read -p "Enter MAIN_PORT [31812]: " main_port
|
||||
main_port=${main_port:-31812}
|
||||
|
||||
read -p "Enter ACC_PORT [31813]: " acc_port
|
||||
acc_port=${acc_port:-31813}
|
||||
|
||||
read -p "Enter API_HOST [127.0.0.1]: " api_host
|
||||
api_host=${api_host:-127.0.0.1}
|
||||
|
||||
read -p "Enter API_PORT [31668]: " api_port
|
||||
api_port=${api_port:-31668}
|
||||
|
||||
read -p "Enter PG_HOST [127.0.0.1]: " pg_host
|
||||
pg_host=${pg_host:-127.0.0.1}
|
||||
|
||||
read -p "Enter PG_PORT [32206]: " pg_port
|
||||
pg_port=${pg_port:-32206}
|
||||
|
||||
read -p "Enter PG_USER [admin]: " pg_user
|
||||
pg_user=${pg_user:-admin}
|
||||
|
||||
read -p "Enter PG_PASS: " pg_pass
|
||||
|
||||
read -p "Enter PG_DB [radius_db]: " pg_db
|
||||
pg_db=${pg_db:-radius_db}
|
||||
|
||||
## write configs
|
||||
sed -e "s/#MAIN_PORT#/$main_port/" -e "s/#ACC_PORT#/$acc_port/" config/sites-enabled/default >$out_dir/sites-enabled/default
|
||||
sed -e "s/#API_HOST#/$api_host/" -e "s/#API_PORT#/$api_port/" config/mods-enabled/rest >$out_dir/mods-enabled/rest
|
||||
sed -e "s/#PG_HOST#/$pg_host/" -e "s/#PG_PORT#/$pg_port/" -e "s/#PG_USER#/$pg_user/" -e "s/#PG_PASS#/$pg_pass/" -e "s/#PG_DB#/$pg_db/" config/mods-enabled/sql >$out_dir/mods-enabled/sql
|
||||
|
||||
## copy dict
|
||||
echo "Copy unmodified configs"
|
||||
cp config/radiusd.conf $out_dir/radiusd.conf
|
||||
cp config/dictionary $out_dir/dictionary
|
||||
cp config/clients.conf $out_dir/clients.conf
|
||||
cp config/mods-enabled/raw $out_dir/mods-enabled/raw
|
||||
cp config/sites-enabled/dynamic-clients $out_dir/sites-enabled/dynamic-clients
|
||||
|
||||
## Enable delay_Reject
|
||||
echo "Enable delay_reject"
|
||||
rm -f /etc/freeradius/mods-enabled/delay
|
||||
ln -s $out_dir/mods-available/delay $out_dir/mods-enabled/delay
|
||||
|
||||
## fix permissions
|
||||
echo "Fixing permissions..."
|
||||
chmod -R 750 $out_dir && chown -R freerad:root $out_dir
|
||||
|
||||
## Update systemd service
|
||||
echo "Updating systemd service"
|
||||
cp config/systemd/freeradius.service /lib/systemd/system/freeradius.service && chmod u+rw-x,go+r-wx /lib/systemd/system/freeradius.service && chown root: /lib/systemd/system/freeradius.service
|
||||
systemctl daemon-reload
|
||||
|
||||
echo "Restarting server..."
|
||||
service freeradius restart
|
||||
|
||||
echo "Freeradius installed!"
|
||||
2
hosted/mods-enabled/raw
Normal file
2
hosted/mods-enabled/raw
Normal file
@@ -0,0 +1,2 @@
|
||||
raw {
|
||||
}
|
||||
300
hosted/mods-enabled/rest
Normal file
300
hosted/mods-enabled/rest
Normal file
@@ -0,0 +1,300 @@
|
||||
rest {
|
||||
#
|
||||
# This subsection configures the tls related items
|
||||
# that control how FreeRADIUS connects to a HTTPS
|
||||
# server.
|
||||
#
|
||||
tls {
|
||||
# Certificate Authorities:
|
||||
# "ca_file" (libcurl option CURLOPT_ISSUERCERT).
|
||||
# File containing a single CA, which is the issuer of the server
|
||||
# certificate.
|
||||
# "ca_info_file" (libcurl option CURLOPT_CAINFO).
|
||||
# File containing a bundle of certificates, which allow to handle
|
||||
# certificate chain validation.
|
||||
# "ca_path" (libcurl option CURLOPT_CAPATH).
|
||||
# Directory holding CA certificates to verify the peer with.
|
||||
# ca_file = ${certdir}/cacert.pem
|
||||
# ca_info_file = ${certdir}/cacert_bundle.pem
|
||||
# ca_path = ${certdir}
|
||||
|
||||
# certificate_file = /path/to/radius.crt
|
||||
# private_key_file = /path/to/radius.key
|
||||
# private_key_password = "supersecret"
|
||||
# random_file = /dev/urandom
|
||||
|
||||
# Server certificate verification requirements. Can be:
|
||||
# "no" (don't even bother trying)
|
||||
# "yes" (verify the cert was issued by one of the
|
||||
# trusted CAs)
|
||||
#
|
||||
# The default is "yes"
|
||||
# check_cert = yes
|
||||
|
||||
# Server certificate CN verification requirements. Can be:
|
||||
# "no" (don't even bother trying)
|
||||
# "yes" (verify the CN in the certificate matches the host
|
||||
# in the URI)
|
||||
#
|
||||
# The default is "yes"
|
||||
# check_cert_cn = yes
|
||||
}
|
||||
|
||||
# rlm_rest will open a connection to the server specified in connect_uri
|
||||
# to populate the connection cache, ready for the first request.
|
||||
# The server will not start if the server specified is unreachable.
|
||||
#
|
||||
# If you wish to disable this pre-caching and reachability check,
|
||||
# comment out the configuration item below.
|
||||
#connect_uri = "http://connectone.me:31668"
|
||||
connect_uri = "http://#API_HOST#:#API_PORT#/"
|
||||
|
||||
#
|
||||
# How long before new connection attempts timeout, defaults to 4.0 seconds.
|
||||
#
|
||||
# connect_timeout = 4.0
|
||||
|
||||
#
|
||||
# Specify HTTP protocol version to use. one of '1.0', '1.1', '2.0', '2.0+auto',
|
||||
# '2.0+tls' or 'default'. (libcurl option CURLOPT_HTTP_VERSION)
|
||||
#
|
||||
# http_negotiation = 1.1
|
||||
|
||||
#
|
||||
# The following config items can be used in each of the sections.
|
||||
# The sections themselves reflect the sections in the server.
|
||||
# For example if you list rest in the authorize section of a virtual server,
|
||||
# the settings from the authorize section here will be used.
|
||||
#
|
||||
# The following config items may be listed in any of the sections:
|
||||
# uri - to send the request to.
|
||||
# method - HTTP method to use, one of 'get', 'post', 'put', 'patch',
|
||||
# 'delete' or any custom HTTP method.
|
||||
# body - The format of the HTTP body sent to the remote server.
|
||||
# May be 'none', 'post' or 'json', defaults to 'none'.
|
||||
# attr_num - If true, the attribute number is supplied for each attribute.
|
||||
# Defaults to false.
|
||||
# raw_value - If true, enumerated attribute values are provided as numeric
|
||||
# values. Defaults to false.
|
||||
# data - Send custom freeform data in the HTTP body. Content-type
|
||||
# may be specified with 'body'. Will be expanded.
|
||||
# Values from expansion will not be escaped, this should be
|
||||
# done using the appropriate xlat method e.g. %{urlencode:<attr>}.
|
||||
# force_to - Force the response to be decoded with this decoder.
|
||||
# May be 'plain' (creates reply:REST-HTTP-Body), 'post'
|
||||
# or 'json'.
|
||||
# tls - TLS settings for HTTPS.
|
||||
# auth - HTTP auth method to use, one of 'none', 'srp', 'basic',
|
||||
# 'digest', 'digest-ie', 'gss-negotiate', 'ntlm',
|
||||
# 'ntlm-winbind', 'any', 'safe'. defaults to 'none'.
|
||||
# username - User to authenticate as, will be expanded.
|
||||
# password - Password to use for authentication, will be expanded.
|
||||
# require_auth - Require HTTP authentication.
|
||||
# timeout - HTTP request timeout in seconds, defaults to 4.0.
|
||||
# chunk - Chunk size to use. If set, HTTP chunked encoding is used to
|
||||
# send data to the REST server. Make sure that this is large
|
||||
# enough to fit your largest attribute value's text
|
||||
# representation.
|
||||
# A number like 8192 is good.
|
||||
#
|
||||
# Additional HTTP headers may be specified with control:REST-HTTP-Header.
|
||||
# The values of those attributes should be in the format:
|
||||
#
|
||||
# control:REST-HTTP-Header := "<HTTP attribute>: <value>"
|
||||
#
|
||||
# The control:REST-HTTP-Header attributes will be consumed
|
||||
# (i.e. deleted) after each call to the rest module, and each
|
||||
# %{rest:} expansion. This is so that headers from one REST
|
||||
# call do not affect headers from a different REST call.
|
||||
#
|
||||
# Body encodings are the same for requests and responses
|
||||
#
|
||||
# POST - All attributes and values are urlencoded
|
||||
# [outer.][<list>:]<attribute0>=<value0>&[outer.][<list>:]<attributeN>=<valueN>
|
||||
#
|
||||
# JSON - All attributes and values are escaped according to the JSON specification
|
||||
# - attribute Name of the attribute.
|
||||
# - attr_num Number of the attribute. Only available if the configuration item
|
||||
# 'attr_num' is enabled.
|
||||
# - type Type of the attribute (e.g. "integer", "string", "ipaddr", "octets", ...).
|
||||
# - value Attribute value, for enumerated attributes the human readable value is
|
||||
# provided and not the numeric value (Depends on the 'raw_value' config item).
|
||||
# {
|
||||
# "<attribute0>":{
|
||||
# "attr_num":<attr_num0>,
|
||||
# "type":"<type0>",
|
||||
# "value":[<value0>,<value1>,<valueN>]
|
||||
# },
|
||||
# "<attribute1>":{
|
||||
# "attr_num":<attr_num1>,
|
||||
# "type":"<type1>",
|
||||
# "value":[...]
|
||||
# },
|
||||
# "<attributeN>":{
|
||||
# "attr_num":<attr_numN>,
|
||||
# "type":"<typeN>",
|
||||
# "value":[...]
|
||||
# },
|
||||
# }
|
||||
#
|
||||
# The response format adds three optional fields:
|
||||
# - do_xlat If true, any values will be xlat expanded. Defaults to true.
|
||||
# - is_json If true, any nested JSON data will be copied to the attribute
|
||||
# in string form. Defaults to true.
|
||||
# - op Controls how the attribute is inserted into the target list.
|
||||
# Defaults to ':='. To create multiple attributes from multiple
|
||||
# values, this should be set to '+=', otherwise only the last
|
||||
# value will be used, and it will be assigned to a single
|
||||
# attribute.
|
||||
# {
|
||||
# "<attribute0>":{
|
||||
# "is_json":<bool>,
|
||||
# "do_xlat":<bool>,
|
||||
# "op":"<operator>",
|
||||
# "value":[<value0>,<value1>,<valueN>]
|
||||
# },
|
||||
# "<attribute1>":"value",
|
||||
# "<attributeN>":{
|
||||
# "value":[<value0>,<value1>,<valueN>],
|
||||
# "op":"+="
|
||||
# }
|
||||
# }
|
||||
|
||||
#
|
||||
# Module return codes are determined by HTTP response codes. These vary depending on the
|
||||
# section.
|
||||
#
|
||||
# If the body is processed and found to be malformed or unsupported fail will be returned.
|
||||
# If the body is processed and found to contain attribute updated will be returned,
|
||||
# except in the case of a 401 code.
|
||||
#
|
||||
|
||||
# Authorize/Authenticate
|
||||
#
|
||||
# Code Meaning Process body Module code
|
||||
# 404 not found no notfound
|
||||
# 410 gone no notfound
|
||||
# 403 forbidden no userlock
|
||||
# 401 unauthorized yes reject
|
||||
# 204 no content no ok
|
||||
# 2xx successful yes ok/updated
|
||||
# 5xx server error no fail
|
||||
# xxx - no invalid
|
||||
#
|
||||
# The status code is held in %{reply:REST-HTTP-Status-Code}.
|
||||
#
|
||||
authorize {
|
||||
uri = "${..connect_uri}radius/auth"
|
||||
method = 'post'
|
||||
body = 'json'
|
||||
data = '{"ip": "%{Packet-Src-IP-Address}", "hotspot-group": "%{raw:Called-Station-Id}", "hotspot-id": "%{raw:NAS-Identifier}"}'
|
||||
force_to = 'json'
|
||||
auth = 'none'
|
||||
require_auth = no
|
||||
timeout = 4.000000
|
||||
}
|
||||
# authorize {
|
||||
# uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=authorize"
|
||||
# method = 'get'
|
||||
# tls = ${..tls}
|
||||
# }
|
||||
# authenticate {
|
||||
# uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=authenticate"
|
||||
# method = 'get'
|
||||
# tls = ${..tls}
|
||||
# }
|
||||
|
||||
# Preacct/Accounting/Post-auth/Pre-Proxy/Post-Proxy
|
||||
#
|
||||
# Code Meaning Process body Module code
|
||||
# 204 no content no ok
|
||||
# 2xx successful yes ok/updated
|
||||
# 5xx server error no fail
|
||||
# xxx - no invalid
|
||||
# preacct {
|
||||
# uri = "${..connect_uri}/user/%{User-Name}/sessions/%{Acct-Unique-Session-ID}?action=preacct"
|
||||
# method = 'post'
|
||||
# tls = ${..tls}
|
||||
# }
|
||||
# accounting {
|
||||
# uri = "${..connect_uri}/user/%{User-Name}/sessions/%{Acct-Unique-Session-ID}?action=accounting"
|
||||
# method = 'post'
|
||||
# tls = ${..tls}
|
||||
# }
|
||||
# post-auth {
|
||||
# uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=post-auth"
|
||||
# method = 'post'
|
||||
# tls = ${..tls}
|
||||
# }
|
||||
# pre-proxy {
|
||||
# uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=pre-proxy"
|
||||
# method = 'post'
|
||||
# tls = ${..tls}
|
||||
# }
|
||||
# post-proxy {
|
||||
# uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=post-proxy"
|
||||
# method = 'post'
|
||||
# tls = ${..tls}
|
||||
# }
|
||||
|
||||
#
|
||||
# The connection pool is used to pool outgoing connections.
|
||||
#
|
||||
pool {
|
||||
# Connections to create during module instantiation.
|
||||
# If the server cannot create specified number of
|
||||
# connections during instantiation it will exit.
|
||||
# Set to 0 to allow the server to start without the
|
||||
# web service being available.
|
||||
start = ${thread[pool].start_servers}
|
||||
|
||||
# Minimum number of connections to keep open
|
||||
min = ${thread[pool].min_spare_servers}
|
||||
|
||||
# Maximum number of connections
|
||||
#
|
||||
# If these connections are all in use and a new one
|
||||
# is requested, the request will NOT get a connection.
|
||||
#
|
||||
# Setting 'max' to LESS than the number of threads means
|
||||
# that some threads may starve, and you will see errors
|
||||
# like 'No connections available and at max connection limit'
|
||||
#
|
||||
# Setting 'max' to MORE than the number of threads means
|
||||
# that there are more connections than necessary.
|
||||
max = ${thread[pool].max_servers}
|
||||
|
||||
# Spare connections to be left idle
|
||||
#
|
||||
# NOTE: Idle connections WILL be closed if "idle_timeout"
|
||||
# is set. This should be less than or equal to "max" above.
|
||||
spare = ${thread[pool].max_spare_servers}
|
||||
|
||||
# Number of uses before the connection is closed
|
||||
#
|
||||
# 0 means "infinite"
|
||||
uses = 0
|
||||
|
||||
# The number of seconds to wait after the server tries
|
||||
# to open a connection, and fails. During this time,
|
||||
# no new connections will be opened.
|
||||
retry_delay = 30
|
||||
|
||||
# The lifetime (in seconds) of the connection
|
||||
lifetime = 0
|
||||
|
||||
# idle timeout (in seconds). A connection which is
|
||||
# unused for this length of time will be closed.
|
||||
idle_timeout = 60
|
||||
|
||||
# NOTE: All configuration settings are enforced. If a
|
||||
# connection is closed because of "idle_timeout",
|
||||
# "uses", or "lifetime", then the total number of
|
||||
# connections MAY fall below "min". When that
|
||||
# happens, it will open a new connection. It will
|
||||
# also log a WARNING message.
|
||||
#
|
||||
# The solution is to either lower the "min" connections,
|
||||
# or increase lifetime/idle_timeout.
|
||||
}
|
||||
}
|
||||
371
hosted/mods-enabled/sql
Normal file
371
hosted/mods-enabled/sql
Normal file
@@ -0,0 +1,371 @@
|
||||
# -*- text -*-
|
||||
##
|
||||
## mods-available/sql -- SQL modules
|
||||
##
|
||||
## $Id: 7bcb664d32fecca0cd20c1d81bac13f0e1b9991b $
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# Configuration for the SQL module
|
||||
#
|
||||
# The database schemas and queries are located in subdirectories:
|
||||
#
|
||||
# sql/<DB>/main/schema.sql Schema
|
||||
# sql/<DB>/main/queries.conf Authorisation and Accounting queries
|
||||
#
|
||||
# Where "DB" is mysql, mssql, oracle, or postgresql.
|
||||
#
|
||||
# The name used to query SQL is sql_user_name, which is set in the file
|
||||
#
|
||||
# raddb/mods-config/sql/main/${dialect}/queries.conf
|
||||
#
|
||||
# If you are using realms, that configuration should be changed to use
|
||||
# the Stripped-User-Name attribute. See the comments around sql_user_name
|
||||
# for more information.
|
||||
#
|
||||
|
||||
sql {
|
||||
#
|
||||
# The dialect of SQL being used.
|
||||
#
|
||||
# Allowed dialects are:
|
||||
#
|
||||
# mssql
|
||||
# mysql
|
||||
# oracle
|
||||
# postgresql
|
||||
# sqlite
|
||||
# mongo
|
||||
#
|
||||
dialect = "postgresql"
|
||||
|
||||
#
|
||||
# The driver module used to execute the queries. Since we
|
||||
# don't know which SQL drivers are being used, the default is
|
||||
# "rlm_sql_null", which just logs the queries to disk via the
|
||||
# "logfile" directive, below.
|
||||
#
|
||||
# In order to talk to a real database, delete the next line,
|
||||
# and uncomment the one after it.
|
||||
#
|
||||
# If the dialect is "mssql", then the driver should be set to
|
||||
# one of the following values, depending on your system:
|
||||
#
|
||||
# rlm_sql_db2
|
||||
# rlm_sql_firebird
|
||||
# rlm_sql_freetds
|
||||
# rlm_sql_iodbc
|
||||
# rlm_sql_unixodbc
|
||||
#
|
||||
# driver = "rlm_sql_null"
|
||||
driver = "rlm_sql_${dialect}"
|
||||
|
||||
#
|
||||
# Driver-specific subsections. They will only be loaded and
|
||||
# used if "driver" is something other than "rlm_sql_null".
|
||||
# When a real driver is used, the relevant driver
|
||||
# configuration section is loaded, and all other driver
|
||||
# configuration sections are ignored.
|
||||
#
|
||||
sqlite {
|
||||
# Path to the sqlite database
|
||||
filename = "/etc/freeradius/freeradius.db"
|
||||
|
||||
# How long to wait for write locks on the database to be
|
||||
# released (in ms) before giving up.
|
||||
busy_timeout = 200
|
||||
|
||||
# If the file above does not exist and bootstrap is set
|
||||
# a new database file will be created, and the SQL statements
|
||||
# contained within the bootstrap file will be executed.
|
||||
bootstrap = "${modconfdir}/${..:name}/main/sqlite/schema.sql"
|
||||
}
|
||||
|
||||
mysql {
|
||||
# If any of the files below are set, TLS encryption is enabled
|
||||
tls {
|
||||
ca_file = "/etc/ssl/certs/my_ca.crt"
|
||||
ca_path = "/etc/ssl/certs/"
|
||||
certificate_file = "/etc/ssl/certs/private/client.crt"
|
||||
private_key_file = "/etc/ssl/certs/private/client.key"
|
||||
cipher = "DHE-RSA-AES256-SHA:AES128-SHA"
|
||||
|
||||
tls_required = yes
|
||||
tls_check_cert = no
|
||||
tls_check_cert_cn = no
|
||||
}
|
||||
|
||||
# If yes, (or auto and libmysqlclient reports warnings are
|
||||
# available), will retrieve and log additional warnings from
|
||||
# the server if an error has occured. Defaults to 'auto'
|
||||
warnings = auto
|
||||
}
|
||||
|
||||
postgresql {
|
||||
|
||||
# unlike MySQL, which has a tls{} connection configuration, postgresql
|
||||
# uses its connection parameters - see the radius_db option below in
|
||||
# this file
|
||||
|
||||
# Send application_name to the postgres server
|
||||
# Only supported in PG 9.0 and greater. Defaults to no.
|
||||
send_application_name = yes
|
||||
|
||||
#
|
||||
# The default application name is "FreeRADIUS - .." with the current version.
|
||||
# The application name can be customized here to any non-zero value.
|
||||
#
|
||||
# application_name = ""
|
||||
}
|
||||
|
||||
#
|
||||
# Configuration for Mongo.
|
||||
#
|
||||
# Note that the Mongo driver is experimental. The FreeRADIUS developers
|
||||
# are unable to help with the syntax of the Mongo queries. Please see
|
||||
# the Mongo documentation for that syntax.
|
||||
#
|
||||
# The Mongo driver supports only the following methods:
|
||||
#
|
||||
# aggregate
|
||||
# findAndModify
|
||||
# findOne
|
||||
# insert
|
||||
#
|
||||
# For examples, see the query files:
|
||||
#
|
||||
# raddb/mods-config/sql/main/mongo/queries.conf
|
||||
# raddb/mods-config/sql/main/ippool/queries.conf
|
||||
#
|
||||
# In order to use findAndModify with an aggretation pipleline, make
|
||||
# sure that you are running MongoDB version 4.2 or greater. FreeRADIUS
|
||||
# assumes that the paramaters passed to the methods are supported by the
|
||||
# version of MongoDB which it is connected to.
|
||||
#
|
||||
mongo {
|
||||
#
|
||||
# The application name to use.
|
||||
#
|
||||
appname = "freeradius"
|
||||
|
||||
#
|
||||
# The TLS parameters here map directly to the Mongo TLS configuration
|
||||
#
|
||||
tls {
|
||||
certificate_file = /path/to/file
|
||||
certificate_password = "password"
|
||||
ca_file = /path/to/file
|
||||
ca_dir = /path/to/directory
|
||||
crl_file = /path/to/file
|
||||
weak_cert_validation = false
|
||||
allow_invalid_hostname = false
|
||||
}
|
||||
}
|
||||
|
||||
# Connection info:
|
||||
#
|
||||
server = "#PG_HOST#"
|
||||
port = #PG_PORT#
|
||||
login = "#PG_USER#"
|
||||
password = "#PG_PASS#"
|
||||
|
||||
# Connection info for Mongo
|
||||
# Authentication Without SSL
|
||||
# server = "mongodb://USER:PASSWORD@192.16.0.2:PORT/DATABASE?authSource=admin&ssl=false"
|
||||
|
||||
# Authentication With SSL
|
||||
# server = "mongodb://USER:PASSWORD@192.16.0.2:PORT/DATABASE?authSource=admin&ssl=true"
|
||||
|
||||
# Authentication with Certificate
|
||||
# Use this command for retrieve Derived username:
|
||||
# openssl x509 -in mycert.pem -inform PEM -subject -nameopt RFC2253
|
||||
# server = mongodb://<DERIVED USERNAME>@192.168.0.2:PORT/DATABASE?authSource=$external&ssl=true&authMechanism=MONGODB-X509
|
||||
|
||||
# Database table configuration for everything except Oracle
|
||||
radius_db = "#PG_DB#"
|
||||
|
||||
# If you are using Oracle then use this instead
|
||||
# radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))"
|
||||
|
||||
# If you're using postgresql this can also be used instead of the connection info parameters
|
||||
# radius_db = "dbname=radius host=localhost user=radius password=raddpass"
|
||||
|
||||
# Postgreql doesn't take tls{} options in its module config like mysql does - if you want to
|
||||
# use SSL connections then use this form of connection info parameter
|
||||
# radius_db = "host=localhost port=5432 dbname=radius user=radius password=raddpass sslmode=verify-full sslcert=/etc/ssl/client.crt sslkey=/etc/ssl/client.key sslrootcert=/etc/ssl/ca.crt"
|
||||
|
||||
# If you want both stop and start records logged to the
|
||||
# same SQL table, leave this as is. If you want them in
|
||||
# different tables, put the start table in acct_table1
|
||||
# and stop table in acct_table2
|
||||
acct_table1 = "radacct"
|
||||
acct_table2 = "radacct"
|
||||
|
||||
# Allow for storing data after authentication
|
||||
postauth_table = "radpostauth"
|
||||
|
||||
# Tables containing 'check' items
|
||||
authcheck_table = "radcheck"
|
||||
groupcheck_table = "radgroupcheck"
|
||||
|
||||
# Tables containing 'reply' items
|
||||
authreply_table = "radreply"
|
||||
groupreply_table = "radgroupreply"
|
||||
|
||||
# Table to keep group info
|
||||
usergroup_table = "radusergroup"
|
||||
|
||||
# If set to 'yes' (default) we read the group tables unless Fall-Through = no in the reply table.
|
||||
# If set to 'no' we do not read the group tables unless Fall-Through = yes in the reply table.
|
||||
# read_groups = yes
|
||||
|
||||
# If set to 'yes' (default) we read profiles unless Fall-Through = no in the groupreply table.
|
||||
# If set to 'no' we do not read profiles unless Fall-Through = yes in the groupreply table.
|
||||
# read_profiles = yes
|
||||
|
||||
# Remove stale session if checkrad does not see a double login
|
||||
delete_stale_sessions = yes
|
||||
|
||||
# Write SQL queries to a logfile. This is potentially useful for tracing
|
||||
# issues with authorization queries. See also "logfile" directives in
|
||||
# mods-config/sql/main/*/queries.conf. You can enable per-section logging
|
||||
# by enabling "logfile" there, or global logging by enabling "logfile" here.
|
||||
#
|
||||
# Per-section logging can be disabled by setting "logfile = ''"
|
||||
# logfile = ${logdir}/sqllog.sql
|
||||
|
||||
# Set the maximum query duration and connection timeout
|
||||
# for rlm_sql_mysql.
|
||||
# query_timeout = 5
|
||||
|
||||
# As of v3, the "pool" section has replaced the
|
||||
# following v2 configuration items:
|
||||
#
|
||||
# num_sql_socks
|
||||
# connect_failure_retry_delay
|
||||
# lifetime
|
||||
# max_queries
|
||||
|
||||
#
|
||||
# The connection pool is used to pool outgoing connections.
|
||||
#
|
||||
# When the server is not threaded, the connection pool
|
||||
# limits are ignored, and only one connection is used.
|
||||
#
|
||||
# If you want to have multiple SQL modules re-use the same
|
||||
# connection pool, use "pool = name" instead of a "pool"
|
||||
# section. e.g.
|
||||
#
|
||||
# sql sql1 {
|
||||
# ...
|
||||
# pool {
|
||||
# ...
|
||||
# }
|
||||
# }
|
||||
#
|
||||
# # sql2 will use the connection pool from sql1
|
||||
# sql sql2 {
|
||||
# ...
|
||||
# pool = sql1
|
||||
# }
|
||||
#
|
||||
pool {
|
||||
# Connections to create during module instantiation.
|
||||
# If the server cannot create specified number of
|
||||
# connections during instantiation it will exit.
|
||||
# Set to 0 to allow the server to start without the
|
||||
# database being available.
|
||||
start = ${thread[pool].start_servers}
|
||||
|
||||
# Minimum number of connections to keep open
|
||||
min = ${thread[pool].min_spare_servers}
|
||||
|
||||
# Maximum number of connections
|
||||
#
|
||||
# If these connections are all in use and a new one
|
||||
# is requested, the request will NOT get a connection.
|
||||
#
|
||||
# Setting 'max' to LESS than the number of threads means
|
||||
# that some threads may starve, and you will see errors
|
||||
# like 'No connections available and at max connection limit'
|
||||
#
|
||||
# Setting 'max' to MORE than the number of threads means
|
||||
# that there are more connections than necessary.
|
||||
max = ${thread[pool].max_servers}
|
||||
|
||||
# Spare connections to be left idle
|
||||
#
|
||||
# NOTE: Idle connections WILL be closed if "idle_timeout"
|
||||
# is set. This should be less than or equal to "max" above.
|
||||
spare = ${thread[pool].max_spare_servers}
|
||||
|
||||
# Number of uses before the connection is closed
|
||||
#
|
||||
# 0 means "infinite"
|
||||
uses = 0
|
||||
|
||||
# The number of seconds to wait after the server tries
|
||||
# to open a connection, and fails. During this time,
|
||||
# no new connections will be opened.
|
||||
retry_delay = 30
|
||||
|
||||
# The lifetime (in seconds) of the connection
|
||||
lifetime = 0
|
||||
|
||||
# idle timeout (in seconds). A connection which is
|
||||
# unused for this length of time will be closed.
|
||||
idle_timeout = 60
|
||||
|
||||
# NOTE: All configuration settings are enforced. If a
|
||||
# connection is closed because of "idle_timeout",
|
||||
# "uses", or "lifetime", then the total number of
|
||||
# connections MAY fall below "min". When that
|
||||
# happens, it will open a new connection. It will
|
||||
# also log a WARNING message.
|
||||
#
|
||||
# The solution is to either lower the "min" connections,
|
||||
# or increase lifetime/idle_timeout.
|
||||
}
|
||||
|
||||
# Set to 'yes' to read radius clients from the database ('nas' table)
|
||||
# Clients will ONLY be read on server startup.
|
||||
#
|
||||
# A client can be link to a virtual server via the SQL
|
||||
# module. This link is done via the following process:
|
||||
#
|
||||
# If there is no listener in a virtual server, SQL clients
|
||||
# are added to the global list for that virtual server.
|
||||
#
|
||||
# If there is a listener, and the first listener does not
|
||||
# have a "clients=..." configuration item, SQL clients are
|
||||
# added to the global list.
|
||||
#
|
||||
# If there is a listener, and the first one does have a
|
||||
# "clients=..." configuration item, SQL clients are added to
|
||||
# that list. The client { ...} ` configured in that list are
|
||||
# also added for that listener.
|
||||
#
|
||||
# The only issue is if you have multiple listeners in a
|
||||
# virtual server, each with a different client list, then
|
||||
# the SQL clients are added only to the first listener.
|
||||
#
|
||||
# read_clients = yes
|
||||
|
||||
# Table to keep radius client info
|
||||
client_table = "nas"
|
||||
|
||||
#
|
||||
# The group attribute specific to this instance of rlm_sql
|
||||
#
|
||||
|
||||
# This entry should be used for additional instances (sql foo {})
|
||||
# of the SQL module.
|
||||
# group_attribute = "${.:instance}-SQL-Group"
|
||||
|
||||
# This entry should be used for the default instance (sql {})
|
||||
# of the SQL module.
|
||||
group_attribute = "SQL-Group"
|
||||
|
||||
# Read database-specific queries
|
||||
$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
|
||||
}
|
||||
1159
hosted/sites-enabled/default
Normal file
1159
hosted/sites-enabled/default
Normal file
File diff suppressed because it is too large
Load Diff
93
hosted/sites-enabled/dynamic-clients
Normal file
93
hosted/sites-enabled/dynamic-clients
Normal file
@@ -0,0 +1,93 @@
|
||||
# -*- text -*-
|
||||
######################################################################
|
||||
#
|
||||
# Sample configuration file for dynamically updating the list
|
||||
# of RADIUS clients at run time.
|
||||
#
|
||||
# Everything is keyed off of a client "network". (e.g. 192.0.2/24)
|
||||
# This configuration lets the server know that clients within
|
||||
# that network are defined dynamically.
|
||||
#
|
||||
# When the server receives a packet from an unknown IP address
|
||||
# within that network, it tries to find a dynamic definition
|
||||
# for that client. If the definition is found, the IP address
|
||||
# (and other configuration) is added to the server's internal
|
||||
# cache of "known clients", with a configurable lifetime.
|
||||
#
|
||||
# Further packets from that IP address result in the client
|
||||
# definition being found in the cache. Once the lifetime is
|
||||
# reached, the client definition is deleted, and any new requests
|
||||
# from that client are looked up as above.
|
||||
#
|
||||
# If the dynamic definition is not found, then the request is
|
||||
# treated as if it came from an unknown client. i.e. It is
|
||||
# silently discarded.
|
||||
#
|
||||
# As part of protection from Denial of Service (DoS) attacks,
|
||||
# the server will add only one new client per second. This CANNOT
|
||||
# be changed, and is NOT configurable.
|
||||
#
|
||||
# $Id: 0459a7f4b1dc824b1684e9d220a0410c69b3248a $
|
||||
#
|
||||
######################################################################
|
||||
|
||||
|
||||
|
||||
#
|
||||
# This is the virtual server referenced above by "dynamic_clients".
|
||||
server dynamic_clients {
|
||||
|
||||
#
|
||||
# The only contents of the virtual server is the "authorize" section.
|
||||
authorize {
|
||||
|
||||
#
|
||||
# Put any modules you want here. SQL, LDAP, "exec",
|
||||
# Perl, etc. The only requirements is that the
|
||||
# attributes MUST go into the control item list.
|
||||
#
|
||||
# The request that is processed through this section
|
||||
# is EMPTY. There are NO attributes. The request is fake,
|
||||
# and is NOT the packet that triggered the lookup of
|
||||
# the dynamic client.
|
||||
#
|
||||
# The ONLY piece of useful information is either
|
||||
#
|
||||
# Packet-Src-IP-Address (IPv4 clients)
|
||||
# Packet-Src-IPv6-Address (IPv6 clients)
|
||||
#
|
||||
# The attributes used to define a dynamic client mirror
|
||||
# the configuration items in the "client" structure.
|
||||
#
|
||||
|
||||
#
|
||||
# Example 1: Hard-code a client IP. This example is
|
||||
# useless, but it documents the attributes
|
||||
# you need.
|
||||
#
|
||||
if ("%{raw:NAS-Identifier}") {
|
||||
if ("%{sql: select count(*) from nas where shortname='%{raw:NAS-Identifier}'}" == 1) {
|
||||
update control {
|
||||
&FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
|
||||
&FreeRADIUS-Client-Require-MA = no
|
||||
&FreeRADIUS-Client-Secret = "%{sql: select nas.secret from nas where shortname='%{raw:NAS-Identifier}'}"
|
||||
&FreeRADIUS-Client-Shortname = "%{sql: select shortname from nas where shortname='%{raw:NAS-Identifier}'}"
|
||||
&FreeRADIUS-Client-NAS-Type = "other"
|
||||
}
|
||||
ok
|
||||
}
|
||||
else {
|
||||
rest
|
||||
}
|
||||
} else {
|
||||
reject
|
||||
}
|
||||
|
||||
#
|
||||
# Tell the caller that the client was defined properly.
|
||||
#
|
||||
# If the authorize section does NOT return "ok", then
|
||||
# the new client is ignored.
|
||||
ok
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user