

  1. --- a/raddb/dictionary.in
  2. +++ b/raddb/dictionary.in
  3. @@ -11,7 +11,7 @@
  4. #
  5. # The filename given here should be an absolute path.
  6. #
  7. -$INCLUDE @prefix@/share/freeradius/dictionary
  8. +$INCLUDE @prefix@/share/freeradius2/dictionary
  9. #
  10. # Place additional attributes or $INCLUDEs here. They will
  11. --- a/raddb/eap.conf
  12. +++ b/raddb/eap.conf
  13. @@ -27,7 +27,7 @@
  14. # then that EAP type takes precedence over the
  15. # default type configured here.
  16. #
  17. - default_eap_type = md5
  18. + default_eap_type = peap
  19. # A list is maintained to correlate EAP-Response
  20. # packets with EAP-Request packets. After a
  21. @@ -72,8 +72,8 @@
  22. # for wireless connections. It is insecure, and does
  23. # not provide for dynamic WEP keys.
  24. #
  25. - md5 {
  26. - }
  27. +# md5 {
  28. +# }
  29. # Cisco LEAP
  30. #
  31. @@ -87,8 +87,8 @@
  32. # User-Password, or the NT-Password attributes.
  33. # 'System' authentication is impossible with LEAP.
  34. #
  35. - leap {
  36. - }
  37. +# leap {
  38. +# }
  39. # Generic Token Card.
  40. #
  41. @@ -101,7 +101,7 @@
  42. # the users password will go over the wire in plain-text,
  43. # for anyone to see.
  44. #
  45. - gtc {
  46. +# gtc {
  47. # The default challenge, which many clients
  48. # ignore..
  49. #challenge = "Password: "
  50. @@ -118,8 +118,8 @@
  51. # configured for the request, and do the
  52. # authentication itself.
  53. #
  54. - auth_type = PAP
  55. - }
  56. +# auth_type = PAP
  57. +# }
  58. ## EAP-TLS
  59. #
  60. @@ -215,7 +215,7 @@
  61. # In these cases, fragment size should be
  62. # 1024 or less.
  63. #
  64. - # fragment_size = 1024
  65. + fragment_size = 1024
  66. # include_length is a flag which is
  67. # by default set to yes If set to
  68. @@ -225,7 +225,7 @@
  69. # message is included ONLY in the
  70. # First packet of a fragment series.
  71. #
  72. - # include_length = yes
  73. + include_length = yes
  74. # Check the Certificate Revocation List
  75. #
  76. @@ -297,7 +297,7 @@
  77. # for the server to print out an error message,
  78. # and refuse to start.
  79. #
  80. - make_cert_command = "${certdir}/bootstrap"
  81. + # make_cert_command = "${certdir}/bootstrap"
  82. #
  83. # Elliptical cryptography configuration
  84. @@ -332,7 +332,7 @@
  85. # You probably also want "use_tunneled_reply = yes"
  86. # when using fast session resumption.
  87. #
  88. - cache {
  89. + # cache {
  90. #
  91. # Enable it. The default is "no".
  92. # Deleting the entire "cache" subsection
  93. @@ -348,14 +348,14 @@
  94. # enable resumption for just one user
  95. # by setting the above attribute to "yes".
  96. #
  97. - enable = no
  98. + # enable = no
  99. #
  100. # Lifetime of the cached entries, in hours.
  101. # The sessions will be deleted after this
  102. # time.
  103. #
  104. - lifetime = 24 # hours
  105. + # lifetime = 24 # hours
  106. #
  107. # The maximum number of entries in the
  108. @@ -364,8 +364,8 @@
  109. # This could be set to the number of users
  110. # who are logged in... which can be a LOT.
  111. #
  112. - max_entries = 255
  113. - }
  114. + # max_entries = 255
  115. + # }
  116. #
  117. # As of version 2.1.10, client certificates can be
  118. @@ -503,7 +503,7 @@
  119. #
  120. # in the control items for a request.
  121. #
  122. - ttls {
  123. +# ttls {
  124. # The tunneled EAP session needs a default
  125. # EAP type which is separate from the one for
  126. # the non-tunneled EAP module. Inside of the
  127. @@ -511,7 +511,7 @@
  128. # If the request does not contain an EAP
  129. # conversation, then this configuration entry
  130. # is ignored.
  131. - default_eap_type = md5
  132. +# default_eap_type = mschapv2
  133. # The tunneled authentication request does
  134. # not usually contain useful attributes
  135. @@ -527,7 +527,7 @@
  136. # is copied to the tunneled request.
  137. #
  138. # allowed values: {no, yes}
  139. - copy_request_to_tunnel = no
  140. +# copy_request_to_tunnel = yes
  141. # The reply attributes sent to the NAS are
  142. # usually based on the name of the user
  143. @@ -540,7 +540,7 @@
  144. # the tunneled request.
  145. #
  146. # allowed values: {no, yes}
  147. - use_tunneled_reply = no
  148. +# use_tunneled_reply = no
  149. #
  150. # The inner tunneled request can be sent
  151. @@ -552,13 +552,13 @@
  152. # the virtual server that processed the
  153. # outer requests.
  154. #
  155. - virtual_server = "inner-tunnel"
  156. +# virtual_server = "inner-tunnel"
  157. # This has the same meaning as the
  158. # same field in the "tls" module, above.
  159. # The default value here is "yes".
  160. # include_length = yes
  161. - }
  162. +# }
  163. ##################################################
  164. #
  165. @@ -627,14 +627,14 @@
  166. # the PEAP module also has these configuration
  167. # items, which are the same as for TTLS.
  168. - copy_request_to_tunnel = no
  169. - use_tunneled_reply = no
  170. + copy_request_to_tunnel = yes
  171. + use_tunneled_reply = yes
  172. # When the tunneled session is proxied, the
  173. # home server may not understand EAP-MSCHAP-V2.
  174. # Set this entry to "no" to proxy the tunneled
  175. # EAP-MSCHAP-V2 as normal MSCHAPv2.
  176. - # proxy_tunneled_request_as_eap = yes
  177. + proxy_tunneled_request_as_eap = no
  178. #
  179. # The inner tunneled request can be sent
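Review bot: `proxy_tunneled_request_as_eap = no` on the last changed line reverses the commented stock default (`yes`), and it only matters if proxying is ever enabled; with `proxy_requests = no` set elsewhere in this patch it is dead configuration today. Since the setting means the inner MS-CHAPv2 exchange would leave the TLS tunnel toward a home server as plain MS-CHAP attributes, protected only by the RADIUS shared secret, a one-line reason should sit next to it, e.g. `# only relevant if proxying is re-enabled; home server then sees plain MS-CHAPv2, not EAP`. `copy_request_to_tunnel = yes` and `use_tunneled_reply = yes` are the usual choice for VLAN assignment from the inner reply and look fine. The peap {} section starts and ends outside this hunk.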
  180. @@ -646,7 +646,8 @@
  181. # the virtual server that processed the
  182. # outer requests.
  183. #
  184. - virtual_server = "inner-tunnel"
  185. + # virtual_server = "inner-tunnel"
  186. + EAP-TLS-Require-Client-Cert = no
  187. # This option enables support for MS-SoH
  188. # see doc/SoH.txt for more info.
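Review bot: `EAP-TLS-Require-Client-Cert = no` on the added line is the name of a control attribute (normally set with `update control { ... }` in a virtual server's authorize section), not a configuration item of the `peap {}` module, so as far as I can tell rlm_eap_peap will either ignore it or refuse the configuration rather than apply it; PEAP does not demand a client certificate by default anyway, so the line can be dropped. Commenting out `virtual_server = "inner-tunnel"` in the same hunk means the inner EAP-MSCHAPv2 request is processed by the outer virtual server instead of an isolated one; that is presumably intended for this single-server build, but it deserves a comment such as `# inner request is handled by the outer virtual server (no inner-tunnel on this build)` so nobody later adds inner-tunnel policy that never runs. The peap {} section continues outside this hunk.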
  189. --- a/raddb/modules/counter
  190. +++ b/raddb/modules/counter
  191. @@ -69,7 +69,7 @@
  192. # 'check-name' attribute.
  193. #
  194. counter daily {
  195. - filename = ${db_dir}/db.daily
  196. + filename = ${radacctdir}/db.daily
  197. key = User-Name
  198. count-attribute = Acct-Session-Time
  199. reset = daily
  200. --- a/raddb/modules/pap
  201. +++ b/raddb/modules/pap
  202. @@ -18,5 +18,5 @@
  203. #
  204. # http://www.openldap.org/faq/data/cache/347.html
  205. pap {
  206. - auto_header = no
  207. + auto_header = yes
  208. }
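Review bot: `auto_header = yes` makes rlm_pap interpret a stored password that begins with `{crypt}`, `{md5}`, `{ssha}` and similar headers as that hash type, which is the right setting for an LDAP-style backend (the OpenLDAP FAQ link above explains why), but it only helps PAP. The same patch makes PEAP/MSCHAPv2 the default EAP type, and MS-CHAPv2 needs a cleartext or NT-hash password, so a backend that stores only crypt/salted hashes will authenticate via PAP and fail on the default EAP path. A comment next to the line, e.g. `# hashed ({ssha},{crypt},...) passwords only work for PAP; PEAP/MSCHAPv2 needs Cleartext-Password or NT-Password`, would save the next person that debugging session.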
  209. --- a/raddb/modules/radutmp
  210. +++ b/raddb/modules/radutmp
  211. @@ -12,7 +12,7 @@ radutmp {
  212. # Where the file is stored. It's not a log file,
  213. # so it doesn't need rotating.
  214. #
  215. - filename = ${logdir}/radutmp
  216. + filename = ${radacctdir}/radutmp
  217. # The field in the packet to key on for the
  218. # 'user' name, If you have other fields which you want
  219. --- a/raddb/modules/sradutmp
  220. +++ b/raddb/modules/sradutmp
  221. @@ -10,7 +10,7 @@
  222. # then name "sradutmp" to identify it later in the "accounting"
  223. # section.
  224. radutmp sradutmp {
  225. - filename = ${logdir}/sradutmp
  226. + filename = ${radacctdir}/sradutmp
  227. perm = 0644
  228. callerid = "no"
  229. }
  230. --- a/raddb/radiusd.conf.in
  231. +++ b/raddb/radiusd.conf.in
  232. @@ -66,7 +66,7 @@ name = radiusd
  233. # Location of config and logfiles.
  234. confdir = ${raddbdir}
  235. -run_dir = ${localstatedir}/run/${name}
  236. +run_dir = ${localstatedir}/run
  237. # Should likely be ${localstatedir}/lib/radiusd
  238. db_dir = ${raddbdir}
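Review bot: `run_dir = ${localstatedir}/run` moves the pid file (and the control socket, if one is enabled) out of a per-daemon directory into the shared /var/run; that directory is normally root-owned and not writable by an unprivileged service user, so if this build sets `user`/`group` in the security section (not visible here) the pid-file write will fail, and a control socket placed there inherits whatever access the shared directory allows. If radiusd runs as root on this target, a comment stating that assumption, e.g. `# flat /var/run: radiusd runs as root on this target, no per-daemon run dir`, would make the trade-off explicit.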
  239. @@ -323,7 +323,7 @@ listen {
  240. # If your system does not support this feature, you will
  241. # get an error if you try to use it.
  242. #
  243. -# interface = eth0
  244. + interface = br-lan
  245. # Per-socket lists of clients. This is a very useful feature.
  246. #
  247. @@ -350,7 +350,7 @@ listen {
  248. # ipv6addr = ::
  249. port = 0
  250. type = acct
  251. -# interface = eth0
  252. + interface = br-lan
  253. # clients = per_socket_clients
  254. }
  255. @@ -584,8 +584,8 @@ security {
  256. #
  257. # allowed values: {no, yes}
  258. #
  259. -proxy_requests = yes
  260. -$INCLUDE proxy.conf
  261. +proxy_requests = no
  262. +#$INCLUDE proxy.conf
  263. # CLIENTS CONFIGURATION
  264. @@ -782,7 +782,7 @@ instantiate {
  265. # The entire command line (and output) must fit into 253 bytes.
  266. #
  267. # e.g. Framed-Pool = `%{exec:/bin/echo foo}`
  268. - exec
  269. +# exec
  270. #
  271. # The expression module doesn't do authorization,
  272. @@ -799,15 +799,15 @@ instantiate {
  273. # other xlat functions such as md5, sha1 and lc.
  274. #
  275. # We do not recommend removing it's listing here.
  276. - expr
  277. +# expr
  278. #
  279. # We add the counter module here so that it registers
  280. # the check-name attribute before any module which sets
  281. # it
  282. # daily
  283. - expiration
  284. - logintime
  285. +# expiration
  286. +# logintime
  287. # subsections here can be thought of as "virtual" modules.
  288. #
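Review bot: Commenting out `expr` in instantiate contradicts the comment directly above it ("We do not recommend removing it's listing here"): rlm_expr is what registers the `%{expr:…}` xlat and the md5/sha1/lc helpers mentioned in the surrounding text, and since no section in this patch references the module by name, nothing else will cause it to load, so any such xlat used elsewhere in the configuration will fail at runtime as unknown. If the motivation is footprint on the target, say so next to the line (`# expr not loaded: no %{expr:}/%{md5:} xlats are used in this config`); otherwise keep it listed. Note that `expiration` and `logintime` are also commented out here, which matches their removal from authorize in sites-available/default later in this patch.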
  289. @@ -831,7 +831,7 @@ instantiate {
  290. # to multiple times.
  291. #
  292. ######################################################################
  293. -$INCLUDE policy.conf
  294. +#$INCLUDE policy.conf
  295. ######################################################################
  296. #
  297. @@ -841,9 +841,9 @@ $INCLUDE policy.conf
  298. # match the regular expression: /[a-zA-Z0-9_.]+/
  299. #
  300. # It allows you to define new virtual servers simply by placing
  301. -# a file into the raddb/sites-enabled/ directory.
  302. +# a file into the /etc/freeradius2/sites/ directory.
  303. #
  304. -$INCLUDE sites-enabled/
  305. +$INCLUDE sites/
  306. ######################################################################
  307. #
  308. @@ -851,7 +851,7 @@ $INCLUDE sites-enabled/
  309. # "authenticate {}", "accounting {}", have been moved to the
  310. # the file:
  311. #
  312. -# raddb/sites-available/default
  313. +# /etc/freeradius2/sites/default
  314. #
  315. # This is the "default" virtual server that has the same
  316. # configuration as in version 1.0.x and 1.1.x. The default
  317. --- a/raddb/sites-available/default
  318. +++ b/raddb/sites-available/default
  319. @@ -85,7 +85,7 @@ authorize {
  320. #
  321. # It takes care of processing the 'raddb/hints' and the
  322. # 'raddb/huntgroups' files.
  323. - preprocess
  324. +# preprocess
  325. #
  326. # If you want to have a log of authentication requests,
  327. @@ -96,7 +96,7 @@ authorize {
  328. #
  329. # The chap module will set 'Auth-Type := CHAP' if we are
  330. # handling a CHAP request and Auth-Type has not already been set
  331. - chap
  332. +# chap
  333. #
  334. # If the users are logging in with an MS-CHAP-Challenge
  335. @@ -104,13 +104,13 @@ authorize {
  336. # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
  337. # to the request, which will cause the server to then use
  338. # the mschap module for authentication.
  339. - mschap
  340. +# mschap
  341. #
  342. # If you have a Cisco SIP server authenticating against
  343. # FreeRADIUS, uncomment the following line, and the 'digest'
  344. # line in the 'authenticate' section.
  345. - digest
  346. +# digest
  347. #
  348. # The WiMAX specification says that the Calling-Station-Id
  349. @@ -133,7 +133,7 @@ authorize {
  350. # Otherwise, when the first style of realm doesn't match,
  351. # the other styles won't be checked.
  352. #
  353. - suffix
  354. +# suffix
  355. # ntdomain
  356. #
  357. @@ -195,8 +195,8 @@ authorize {
  358. # Use the checkval module
  359. # checkval
  360. - expiration
  361. - logintime
  362. +# expiration
  363. +# logintime
  364. #
  365. # If no other module has claimed responsibility for
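Review bot: Commenting out `expiration` and `logintime` in authorize removes enforcement of the `Expiration` and `Login-Time` check items, so any `users` entry (or other backend) that carries them will keep authenticating after its expiry date or outside its permitted hours, with no warning in the logs. If those check items are never used on this build the change is harmless but should say so, e.g. `# expiration/logintime disabled: Expiration and Login-Time check items are NOT enforced`; otherwise keep the two modules in (and keep them listed in instantiate, which this patch also comments out in radiusd.conf). The authorize section continues outside this hunk.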
  366. @@ -277,7 +277,7 @@ authenticate {
  367. # If you have a Cisco SIP server authenticating against
  368. # FreeRADIUS, uncomment the following line, and the 'digest'
  369. # line in the 'authorize' section.
  370. - digest
  371. +# digest
  372. #
  373. # Pluggable Authentication Modules.
  374. @@ -294,7 +294,7 @@ authenticate {
  375. # be used for authentication ONLY for compatibility with legacy
  376. # FreeRADIUS configurations.
  377. #
  378. - unix
  379. +# unix
  380. # Uncomment it if you want to use ldap for authentication
  381. #
  382. @@ -330,8 +330,8 @@ authenticate {
  383. #
  384. # Pre-accounting. Decide which accounting type to use.
  385. #
  386. -preacct {
  387. - preprocess
  388. +#preacct {
  389. +# preprocess
  390. #
  391. # Session start times are *implied* in RADIUS.
  392. @@ -354,7 +354,7 @@ preacct {
  393. #
  394. # Ensure that we have a semi-unique identifier for every
  395. # request, and many NAS boxes are broken.
  396. - acct_unique
  397. +# acct_unique
  398. #
  399. # Look for IPASS-style 'realm/', and if not found, look for
  400. @@ -364,13 +364,13 @@ preacct {
  401. # Accounting requests are generally proxied to the same
  402. # home server as authentication requests.
  403. # IPASS
  404. - suffix
  405. +# suffix
  406. # ntdomain
  407. #
  408. # Read the 'acct_users' file
  409. - files
  410. -}
  411. +# files
  412. +#}
  413. #
  414. # Accounting. Log the accounting data.
  415. @@ -380,7 +380,7 @@ accounting {
  416. # Create a 'detail'ed log of the packets.
  417. # Note that accounting requests which are proxied
  418. # are also logged in the detail file.
  419. - detail
  420. +# detail
  421. # daily
  422. # Update the wtmp file
  423. @@ -432,7 +432,7 @@ accounting {
  424. exec
  425. # Filter attributes from the accounting response.
  426. - attr_filter.accounting_response
  427. + #attr_filter.accounting_response
  428. #
  429. # See "Autz-Type Status-Server" for how this works.
  430. @@ -458,7 +458,7 @@ session {
  431. # Post-Authentication
  432. # Once we KNOW that the user has been authenticated, there are
  433. # additional steps we can take.
  434. -post-auth {
  435. +#post-auth {
  436. # Get an address from the IP Pool.
  437. # main_pool
  438. @@ -488,7 +488,7 @@ post-auth {
  439. # ldap
  440. # For Exec-Program and Exec-Program-Wait
  441. - exec
  442. +# exec
  443. #
  444. # Calculate the various WiMAX keys. In order for this to work,
  445. @@ -572,12 +572,12 @@ post-auth {
  446. # Add the ldap module name (or instance) if you have set
  447. # 'edir_account_policy_check = yes' in the ldap module configuration
  448. #
  449. - Post-Auth-Type REJECT {
  450. - # log failed authentications in SQL, too.
  451. +# Post-Auth-Type REJECT {
  452. +# # log failed authentications in SQL, too.
  453. # sql
  454. - attr_filter.access_reject
  455. - }
  456. -}
  457. +# attr_filter.access_reject
  458. +# }
  459. +#}
  460. #
  461. # When the server decides to proxy a request to a home server,
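Review bot: Disabling the whole post-auth section also removes `Post-Auth-Type REJECT { attr_filter.access_reject }`, which strips attributes that are not permitted in an Access-Reject; without it, reply items collected during authorize (for example Tunnel-* VLAN attributes or Reply-Message text from a `users` entry) can be sent back to the NAS inside the reject packet. I would keep a minimal post-auth block with just the reject filter instead of commenting the section out, or at least add `# post-auth disabled: Access-Reject replies are sent unfiltered` so the omission is visible. The post-auth section starts before this hunk.
```conf
post-auth {
	# … unchanged: everything else stays disabled …
	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}
}
```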
  462. @@ -587,7 +587,7 @@ post-auth {
  463. #
  464. # Only a few modules currently have this method.
  465. #
  466. -pre-proxy {
  467. +#pre-proxy {
  468. # attr_rewrite
  469. # Uncomment the following line if you want to change attributes
  470. @@ -603,14 +603,14 @@ pre-proxy {
  471. # server, un-comment the following line, and the
  472. # 'detail pre_proxy_log' section, above.
  473. # pre_proxy_log
  474. -}
  475. +#}
  476. #
  477. # When the server receives a reply to a request it proxied
  478. # to a home server, the request may be massaged here, in the
  479. # post-proxy stage.
  480. #
  481. -post-proxy {
  482. +#post-proxy {
  483. # If you want to have a log of replies from a home server,
  484. # un-comment the following line, and the 'detail post_proxy_log'
  485. @@ -634,7 +634,7 @@ post-proxy {
  486. # hidden inside of the EAP packet, and the end server will
  487. # reject the EAP request.
  488. #
  489. - eap
  490. +# eap
  491. #
  492. # If the server tries to proxy a request and fails, then the
  493. @@ -656,5 +656,5 @@ post-proxy {
  494. # Post-Proxy-Type Fail {
  495. # detail
  496. # }
  497. -}
  498. +#}
  499. --- a/raddb/users
  500. +++ b/raddb/users
  501. @@ -169,22 +169,22 @@
  502. # by the terminal server in which case there may not be a "P" suffix.
  503. # The terminal server sends "Framed-Protocol = PPP" for auto PPP.
  504. #
  505. -DEFAULT Framed-Protocol == PPP
  506. - Framed-Protocol = PPP,
  507. - Framed-Compression = Van-Jacobson-TCP-IP
  508. +#DEFAULT Framed-Protocol == PPP
  509. +# Framed-Protocol = PPP,
  510. +# Framed-Compression = Van-Jacobson-TCP-IP
  511. #
  512. # Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
  513. #
  514. -DEFAULT Hint == "CSLIP"
  515. - Framed-Protocol = SLIP,
  516. - Framed-Compression = Van-Jacobson-TCP-IP
  517. +#DEFAULT Hint == "CSLIP"
  518. +# Framed-Protocol = SLIP,
  519. +# Framed-Compression = Van-Jacobson-TCP-IP
  520. #
  521. # Default for SLIP: dynamic IP address, SLIP mode.
  522. #
  523. -DEFAULT Hint == "SLIP"
  524. - Framed-Protocol = SLIP
  525. +#DEFAULT Hint == "SLIP"
  526. +# Framed-Protocol = SLIP
  527. #
  528. # Last default: rlogin to our main server.