didinst
/
accel-sstp-docker
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: didinst:ldap-radius
Branches Tags
didinst:dns-draft
didinst:feat/nginx-proxy
didinst:ldap-frontend
didinst:ldap-radius
didinst:master
didinst:nginx-stream
..
compare: didinst:master
Branches Tags
didinst:dns-draft
didinst:feat/nginx-proxy
didinst:ldap-frontend
didinst:ldap-radius
didinst:master
didinst:nginx-stream

No commits in common. 'ldap-radius' and 'master' have entirely different histories.
ldap-radiu ... master

23 changed files with 63 additions and 4438 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats
  1. 4
      .gitignore
  2. 7
      README.md
  3. 30
      accel-ppp.conf
  4. 1
      ca.pem
  5. 25
      ca.pem
  6. 1
      cert.pem
  7. 23
      cert.pem
  8. 71
      compose.yaml
  9. 16
      ldap/Dockerfile
  10. 80
      ldap/freeradius-radius.ldif
  11. 602
      ldap/freeradius-radius.schema
  12. 17
      nginx-stream/Dockerfile
  13. 37
      nginx-stream/http.conf.template
  14. 12
      nginx-stream/nginx.conf
  15. 61
      nginx-stream/stream.conf.template
  16. 1
      privkey.pem
  17. 7
      proxy/00-default.conf
  18. 3
      proxy/Dockerfile
  19. 38
      radius/Dockerfile
  20. 296
      radius/raddb/clients.conf
  21. 1112
      radius/raddb/mods-available/eap
  22. 694
      radius/raddb/mods-available/ldap
  23. 209
      radius/raddb/mods-config/files/authorize
  24. 1
      radius/raddb/mods-enabled/ldap
  25. 1153
      radius/raddb/sites-available/default

4
.gitignore vendored
Unescape View File

@ -1,2 +1,2 @@
/chap-secrets /privkey.pem
/keys/ /chap-secrets

7
README.md
Unescape View File

@ -37,9 +37,4 @@ openssl req -new -key privkey.pem -out sstp-csr.csr
### Create a server certificate ### Create a server certificate
```bash ```bash
openssl x509 -req -in sstp-csr.csr -CA ca.pem -CAkey rootCA.key -CAcreateserial -out cert.pem -days 365 openssl x509 -req -in sstp-csr.csr -CA ca.pem -CAkey rootCA.key -CAcreateserial -out cert.pem -days 365
``` ```
### Convert cert from PEM to CERT format (if it's needed)
```bash
openssl x509 -outform der -in your-cert.pem -out your-cert.crt
```

30
accel-ppp.conf
Unescape View File

@ -3,7 +3,6 @@
log_file log_file
pptp pptp
sstp sstp
radius
auth_pap auth_pap
auth_chap_md5 auth_chap_md5
auth_mschap_v1 auth_mschap_v1
@ -23,16 +22,13 @@ single-session=replace
chap-secrets=/etc/ppp/chap-secrets chap-secrets=/etc/ppp/chap-secrets
[ppp] [ppp]
verbose=0 verbose=5
mtu=1550 mtu=1550
mru=1550 mru=1550
accomp=allow accomp=allow
pcomp=allow pcomp=allow
ipv4=prefer ipv4=prefer
ipv6=prefer ipv6=allow
ipv6-intf-id=random
ipv6-peer-intf-id=calling-sid
ipv6-accept-peer-intf-id=1
lcp-echo-interval=30 lcp-echo-interval=30
lcp-echo-failure=3 lcp-echo-failure=3
lcp-echo-timeout=5 lcp-echo-timeout=5
@ -44,8 +40,9 @@ lcp-echo-timeout=5
[sstp] [sstp]
port=443 port=443
verbose=0 verbose=5
accept=ssl,proxy #accept=proxy,ssl
accept=ssl
ssl-pemfile=/etc/cert.pem ssl-pemfile=/etc/cert.pem
ssl-keyfile=/etc/privkey.pem ssl-keyfile=/etc/privkey.pem
ssl-ca-file=/etc/ca.pem ssl-ca-file=/etc/ca.pem
@ -57,11 +54,6 @@ ip-pool=v4pool
ipv6-pool=v6pool ipv6-pool=v6pool
pv6-pool-delegate=v6pool-delegate pv6-pool-delegate=v6pool-delegate
[radius]
verbose=1
interim-verbose=1
server=fc00:b10c:4::eeee,secret123,auth-port=1812,acct-port=1813,req-limit=0,fail-time=0
[dns] [dns]
dns1=8.8.8.8 dns1=8.8.8.8
@ -74,22 +66,16 @@ tunnel=192.168.95.2-254,v4pool
dns=2001:4860:4860::8888 dns=2001:4860:4860::8888
[ipv6-pool] [ipv6-pool]
#gw-ip6-address=fc00:b10c:3::ffff gw-ip6-address=fc00:b10c:0::
fc00:b10c:0001::/48,64,name=v6pool fc00:b10c:0001::/48,64,name=v6pool
fc00:b10c:0002::/48,64,name=v6pool-delegate fc00:b10c:0002::/48,64,name=v6pool-delegate
delegate=fc00:b10c:0002::/48,64
[ipv6-nd] [ipv6-nd]
verbose=1 verbose=1
AdvManagedFlag=1
[ipv6-dhcp]
verbose=1
route-via-gw=1
[log] [log]
level=4 #level=4
level=5
log-file=/dev/stdout log-file=/dev/stdout
log-debug=/dev/stdout log-debug=/dev/stdout
log-emerg=/dev/stderr log-emerg=/dev/stderr

1
ca.pem
Unescape View File

@ -1 +0,0 @@
./keys/ca.pem

25
ca.pem
Unescape View File

@ -0,0 +1,25 @@
-----BEGIN CERTIFICATE-----
MIIENzCCAx+gAwIBAgIUGIR7o8sMQBKIJFUEoTc4GDivuFUwDQYJKoZIhvcNAQEL
BQAwgaoxCzAJBgNVBAYTAnJ1MRkwFwYDVQQIDBBTYWludC1QZXRlcnNidXJnMRkw
FwYDVQQHDBBTYWludC1QZXRlcnNidXJnMRswGQYDVQQKDBJUZXJla2hpbiBBbGV4
YW5kZXIxDDAKBgNVBAsMA2RldjEbMBkGA1UEAwwSVGVyZWtoaW4gQWxleGFuZGVy
MR0wGwYJKoZIhvcNAQkBFg5hbGV4QGJlYXJucy5tZTAeFw0yNDA4MTYxMTI0NDha
Fw0yNzA2MDYxMTI0NDhaMIGqMQswCQYDVQQGEwJydTEZMBcGA1UECAwQU2FpbnQt
UGV0ZXJzYnVyZzEZMBcGA1UEBwwQU2FpbnQtUGV0ZXJzYnVyZzEbMBkGA1UECgwS
VGVyZWtoaW4gQWxleGFuZGVyMQwwCgYDVQQLDANkZXYxGzAZBgNVBAMMElRlcmVr
aGluIEFsZXhhbmRlcjEdMBsGCSqGSIb3DQEJARYOYWxleEBiZWFybnMubWUwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9WtUf+He0fGLXp7ywkhS/FFif
OJiGMqUbadXy+NFM1BcABLpBbhuYUjDa4UA31629L0p0MgZdVSXLxWiY12C6nNDF
/HqwP8ez4Pgtf+nnAubPvtUL+KcndMWmY9RFmadSuHwLX5JDvBmxqP2CpWj3J7O0
k2ndrpgv6I26rFVuB5Gu/tYmjDayz1FEnWKIMzhV+zCZ27hbwVRs+9NzSbOOPz5Z
dVhlpbXw9mIDyoUjVc51nt00QdeacJ4csFVC1F8DQ1eIXDTg+clFBSy7L4NRWQfc
uIkkbB+4kYmC6lv0QMM0lMZ3WbTy5BdyVVW+/QmGk29qLxvLJJlv000ZKTURAgMB
AAGjUzBRMB0GA1UdDgQWBBTtL0OU6B+NvQTn4zpJHtBCfMB7xDAfBgNVHSMEGDAW
gBTtL0OU6B+NvQTn4zpJHtBCfMB7xDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
DQEBCwUAA4IBAQBe8G+h+5O1Exoj298kW3Nczoi2Mxr2SIpi9AQvuhYzYkQoFBSA
0t6GS7WU1rQFXrO0SWedWL2iasX5V4wxK+YXP92hH0Wg0UnUmdKkkhcQRm7Yivo5
YdZYgx2yb9HGZ7cGn6if26k6R/pm9dWkk93rTVrDwBxho74kTA4nq1D7aYTn3qMS
FzFPehVKBGjLzuWoujlythKL0rLQL8YXEfQ+wYt6pX3bEyJnrGtImZwhMUK1gX90
mgb+dhbPV7d7I9UTb9lx2OG5FyOAzOHiZbX2M1/wxOhQvnch6xwxwnJqd4iK1Aec
/i9ntiVcf2oWfw27DXsIBJbiUXJh6349yC39
-----END CERTIFICATE-----

1
cert.pem
Unescape View File

@ -1 +0,0 @@
./keys/cert.pem

23
cert.pem
Unescape View File

@ -0,0 +1,23 @@
-----BEGIN CERTIFICATE-----
MIIDyjCCArICFDCD8Puy2rJtSajwPYUNuOHnM5tUMA0GCSqGSIb3DQEBCwUAMIGq
MQswCQYDVQQGEwJydTEZMBcGA1UECAwQU2FpbnQtUGV0ZXJzYnVyZzEZMBcGA1UE
BwwQU2FpbnQtUGV0ZXJzYnVyZzEbMBkGA1UECgwSVGVyZWtoaW4gQWxleGFuZGVy
MQwwCgYDVQQLDANkZXYxGzAZBgNVBAMMElRlcmVraGluIEFsZXhhbmRlcjEdMBsG
CSqGSIb3DQEJARYOYWxleEBiZWFybnMubWUwHhcNMjQxMjA5MDAwNDAzWhcNMjUx
MjA5MDAwNDAzWjCBlzELMAkGA1UEBhMCcnUxGTAXBgNVBAgMEFNhaW50LVBldGVy
c2J1cmcxGTAXBgNVBAcMEFNhaW50LVBldGVyc2J1cmcxGzAZBgNVBAoMElRlcmVr
aGluIEFsZXhhbmRlcjEWMBQGA1UEAwwNYXBpLmJlYXJucy5tZTEdMBsGCSqGSIb3
DQEJARYOYWxleEBiZWFybnMubWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQCv89+4KbomK6lpTniHgR4Li8eiEe2cyTuJW6bz0rgYZmUhO/4OKM5Hlv+w
s73KPDlMEd3PJnanwnw36MTqoGcfmMqsv6jxq3U/Esjua5lR4+m8JFBV2ESrB5vM
8x2EnSBbmLhijEBSf+C60pIWMxRLhml7P9J5SaSi0ksPGE0Efzse6uICYnXi3ApR
L8hqQ0Hu2/yBIcJR/4VepkP9riHAnnBLRtXlRo0Y3mSrQaCgd+cx4qp3gKF6BbJK
MivT2rgah/7kZIXwUigp3U4OCRIQ8HydpI4UozJNj9StDG96MysdzSzv5vwipcVw
WbsaJVfSuJ4i4QoaSvnjVfE8ChldAgMBAAEwDQYJKoZIhvcNAQELBQADggEBALx8
/3Sdy+gz+Yguu9acInU5AbJ+GtJMn0QSXgXTa/R+2ShCF7kfV7tRh8RPI6mZc83M
UGYDJG6VXbFc6eSB2H2Hy0aWkp/2+glNCPXKk707FIK4Ww2jwJUqHcs9GYEchekL
7C8PLXBK8GjErtONZhi8Q5yMPFsi+2l1Nze6hHbOfPqTXjDU+qixo5hJjQZRg12i
FPQxs7eH+30V7fbr88DAI+NcHwaGmJF8xT7g3dLFdwqXkQuGHa7PjNescKry6tg2
Y8nd5xi8F815yL9k5Vj8zvOn5FRZrXb1M7+DRr3YsG5AwdgLJTfdpFoXSY0anTyI
HfSSA70qcRa6IJRVon8=
-----END CERTIFICATE-----

71
compose.yaml
Unescape View File

@ -11,73 +11,10 @@ services:
- ./ca.pem:/etc/ca.pem:ro - ./ca.pem:/etc/ca.pem:ro
expose: expose:
- "443/tcp" - "443/tcp"
devices:
- "/dev/ppp:/dev/ppp:rwm"
environment:
VIRTUAL_HOST: "api.bearns.me"
VIRTUAL_PROTO: "https"
VIRTUAL_PORT: 443
cap_add:
- NET_ADMIN
networks:
proxy-tier:
ipv6_address: "fc00:b10c:3::ffff"
radius-net:
ipv6_address: "fc00:b10c:4::ffff"
radius:
build: ./radius
networks:
radius-net:
ipv6_address: "fc00:b10c:4::eeee"
ldap:
build: ./ldap
volumes:
- ldap:/var/lib/ldap
- ldap-cfg:/etc/ldap/slapd.d
networks:
radius-net:
stream:
build: ./nginx-stream
volumes:
- ./ca.pem:/etc/nginx/certs/chain.pem:ro
- ./cert.pem:/etc/nginx/certs/api.bearns.me/fullchain.pem:ro
- ./privkey.pem:/etc/nginx/certs/api.bearns.me/key.pem:ro
expose:
- "443/tcp"
ports: ports:
- "443:443/tcp" - "443:443/tcp"
environment: devices:
SNI_NAME: "api.bearns.me" - "/dev/ppp:/dev/ppp:rwm"
networks:
- proxy-tier
proxy:
build: ./proxy
volumes:
- ./cert.pem:/etc/nginx/certs/cert.pem:ro
- ./privkey.pem:/etc/nginx/certs/privkey.pem:ro
expose:
- "443/tcp"
networks:
- proxy-tier
networks:
proxy-tier:
enable_ipv6: true
ipam:
config:
- subnet: fc00:b10c:3::/64
radius-net:
enable_ipv6: true
ipam:
config:
- subnet: fc00:b10c:4::/64
volumes: cap_add:
certs: - NET_ADMIN
vhost.d:
html:
ldap:
ldap-cfg:

16
ldap/Dockerfile
Unescape View File

@ -1,16 +0,0 @@
FROM osixia/openldap:1.5.0
# USE THIS VARIABLES IN .ldif files
# {{ LDAP_BASE_DN }}
# {{ LDAP_BACKEND }}
# {{ LDAP_DOMAIN }}
# {{ LDAP_READONLY_USER_USERNAME }}
# {{ LDAP_READONLY_USER_PASSWORD_ENCRYPTED }}
ADD ./*.ldif /container/service/slapd/assets/config/bootstrap/ldif/custom
ADD ./*.schema /container/service/slapd/assets/config/bootstrap/ldif/custom
ENV LDAP_ORGANISATION="ATerekhin test domain"
ENV LDAP_DOMAIN="bearns.me"
ENV LDAP_ADMIN_PASSWORD="WlnTd9_mtw5-4"
ENV LDAP_TLS=false
ENV LDAP_READONLY_USER=true
ENV LDAP_OPENLDAP_GID=911
ENV LDAP_OPENLDAP_UID=911

80
ldap/freeradius-radius.ldif
Unescape View File

@ -1,80 +0,0 @@
dn: cn=freeradius-radius,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: freeradius-radius
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.1 NAME 'radiusArapFeatures' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.2 NAME 'radiusArapSecurity' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.3 NAME 'radiusArapZoneAccess' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.44 NAME 'radiusAuthType' DESC 'controlItem: Auth-Type' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.4 NAME 'radiusCallbackId' DESC 'replyItem: Callback-Id' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.5 NAME 'radiusCallbackNumber' DESC 'replyItem: Callback-Number' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.6 NAME 'radiusCalledStationId' DESC 'controlItem: Called-Station-Id' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.7 NAME 'radiusCallingStationId' DESC 'controlItem: Calling-Station-Id' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.8 NAME 'radiusClass' DESC 'replyItem: Class' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.45 NAME 'radiusClientIPAddress' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.9 NAME 'radiusFilterId' DESC 'replyItem: Filter-Id' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.10 NAME 'radiusFramedAppleTalkLink' DESC 'replyItem: Framed-AppleTalk-Link' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.11 NAME 'radiusFramedAppleTalkNetwork' DESC 'replyItem: Framed-AppleTalk-Network' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.12 NAME 'radiusFramedAppleTalkZone' DESC 'replyItem: Framed-AppleTalk-Zone' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.13 NAME 'radiusFramedCompression' DESC 'replyItem: Framed-Compression' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.14 NAME 'radiusFramedIPAddress' DESC 'replyItem: Framed-IP-Address' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.15 NAME 'radiusFramedIPNetmask' DESC 'replyItem: Framed-IP-Netmask' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.16 NAME 'radiusFramedIPXNetwork' DESC 'replyItem: Framed-IPX-Network' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.17 NAME 'radiusFramedMTU' DESC 'replyItem: Framed-MTU' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.18 NAME 'radiusFramedProtocol' DESC 'replyItem: Framed-Protocol' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.19 NAME 'radiusFramedRoute' DESC 'replyItem: Framed-Route' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.20 NAME 'radiusFramedRouting' DESC 'replyItem: Framed-Routing' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.46 NAME 'radiusGroupName' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.47 NAME 'radiusHint' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.48 NAME 'radiusHuntgroupName' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.21 NAME 'radiusIdleTimeout' DESC 'replyItem: Idle-Timeout' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.22 NAME 'radiusLoginIPHost' DESC 'replyItem: Login-IP-Host' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.23 NAME 'radiusLoginLATGroup' DESC 'replyItem: Login-LAT-Group' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.24 NAME 'radiusLoginLATNode' DESC 'replyItem: Login-LAT-Node' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.25 NAME 'radiusLoginLATPort' DESC 'replyItem: Login-LAT-Port' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.26 NAME 'radiusLoginLATService' DESC 'replyItem: Login-LAT-Service' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.27 NAME 'radiusLoginService' DESC 'replyItem: Login-Service' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.28 NAME 'radiusLoginTCPPort' DESC 'replyItem: Login-TCP-Port' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.29 NAME 'radiusPasswordRetry' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.30 NAME 'radiusPortLimit' DESC 'replyItem: Port-Limit' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.31 NAME 'radiusPrompt' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.49 NAME 'radiusProfileDN' EQUALITY distinguishedNameMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.50 NAME 'radiusProfileSuspendedDN' EQUALITY distinguishedNameMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.51 NAME 'radiusProxyToRealm' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.52 NAME 'radiusRealm' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.32 NAME 'radiusServiceType' DESC 'replyItem: Service-Type' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.33 NAME 'radiusSessionTimeout' DESC 'replyItem: Session-Timeout' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.34 NAME 'radiusTerminationAction' DESC 'replyItem: Termination-Action' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.35 NAME 'radiusTunnelAssignmentId' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.36 NAME 'radiusTunnelMediumType' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.37 NAME 'radiusTunnelPassword' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.38 NAME 'radiusTunnelPreference' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.39 NAME 'radiusTunnelPrivateGroupId' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.40 NAME 'radiusTunnelServerEndpoint' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.41 NAME 'radiusTunnelType' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.42 NAME 'radiusVSA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.43 NAME 'radiusTunnelClientEndpoint' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.53 NAME 'radiusSimultaneousUse' DESC 'controlItem: Simultaneous-Use' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.54 NAME 'radiusLoginTime' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.55 NAME 'radiusUserCategory' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.56 NAME 'radiusStripUserName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.57 NAME 'dialupAccess' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.58 NAME 'radiusExpiration' DESC 'controlItem: Expiration' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.59 NAME 'radiusAttribute' DESC 'controlItem: $GENERIC$' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.61 NAME 'radiusNASIpAddress' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.62 NAME 'radiusReplyMessage' DESC 'replyItem: Reply-Message' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.97 NAME 'radiusFramedIPv6Prefix' DESC 'replyItem: Framed-IPv6-Prefix' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.168 NAME 'radiusFramedIPv6Address' DESC 'replyItem: Framed-IPv6-Address' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.169 NAME 'radiusDNSServerIPv6Address' DESC 'replyItem: DNS-Server-IPv6-Address' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.170 NAME 'radiusRouteIPv6Information' DESC 'replyItem: Route-IPv6-Information' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.171 NAME 'radiusDelegatedIPv6PrefixPool' DESC 'replyItem: Delegated-IPv6-Prefix-Pool' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.172 NAME 'radiusStatefulIPv6AddressPool' DESC 'replyItem: Stateful-IPv6-Address-Pool' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.256 NAME 'radiusControlAttribute' DESC 'controlItem: $GENERIC$' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.257 NAME 'radiusReplyAttribute' DESC 'replyItem: $GENERIC$' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.258 NAME 'radiusRequestAttribute' DESC 'requestItem: $GENERIC$' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.259 NAME 'radiusProfilePriority' DESC 'Priority to apply profiles' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 EQUALITY integerMatch ORDERING integerOrderingMatch SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.260 NAME 'radiusProfileCondition' DESC 'Condition to apply profiles' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.2.1.261 NAME 'radiusProfileFallthrough' DESC 'Condition to apply additional profiles after this one' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.1.1.1 NAME 'radiusClientSecret' DESC 'Client Secret' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.2.1.1.2 NAME 'radiusClientRequireMa' DESC 'Require Message Authenticator' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcObjectClasses: ( 1.3.6.1.4.1.11344.4.2.2.2.1 NAME 'radiusProfile' SUP top AUXILIARY MAY ( radiusArapFeatures $ radiusArapSecurity $ radiusArapZoneAccess $ radiusAuthType $ radiusCallbackId $ radiusCallbackNumber $ radiusCalledStationId $ radiusCallingStationId $ radiusClass $ radiusClientIPAddress $ radiusFilterId $ radiusFramedAppleTalkLink $ radiusFramedAppleTalkNetwork $ radiusFramedAppleTalkZone $ radiusFramedCompression $ radiusFramedIPAddress $ radiusFramedIPNetmask $ radiusFramedIPXNetwork $ radiusFramedMTU $ radiusFramedProtocol $ radiusAttribute $ radiusFramedRoute $ radiusFramedRouting $ radiusIdleTimeout $ radiusGroupName $ radiusHint $ radiusHuntgroupName $ radiusLoginIPHost $ radiusLoginLATGroup $ radiusLoginLATNode $ radiusLoginLATPort $ radiusLoginLATService $ radiusLoginService $ radiusLoginTCPPort $ radiusLoginTime $ radiusPasswordRetry $ radiusPortLimit $ radiusPrompt $ radiusProxyToRealm $ radiusRealm $ radiusServiceType $ radiusSessionTimeout $ radiusStripUserName $ radiusTerminationAction $ radiusTunnelClientEndpoint $ radiusProfileDN $ radiusProfileSuspendedDN $ radiusSimultaneousUse $ radiusTunnelAssignmentId $ radiusTunnelMediumType $ radiusTunnelPassword $ radiusTunnelPreference $ radiusTunnelPrivateGroupId $ radiusTunnelServerEndpoint $ radiusTunnelType $ radiusUserCategory $ radiusVSA $ radiusExpiration $ dialupAccess $ radiusNASIpAddress $ radiusReplyMessage $ radiusFramedIPv6Prefix $ radiusFramedIPv6Address $ radiusDNSServerIPv6Address $ radiusRouteIPv6Information $ radiusDelegatedIPv6PrefixPool $ radiusStatefulIPv6AddressPool $ radiusControlAttribute $ radiusReplyAttribute $ radiusRequestAttribute $ radiusProfilePriority $ radiusProfileCondition $ radiusProfileFallthrough ) )
olcObjectClasses: ( 1.3.6.1.4.1.11344.4.2.1.2.1 NAME 'radiusClient' SUP top AUXILIARY MUST radiusClientSecret MAY radiusClientRequireMa )

602
ldap/freeradius-radius.schema
Unescape View File

@ -1,602 +0,0 @@
#
# radiusProfile should be added to a freeradiusPolicy, user/subscriber objects, groups,
# or any other object which has RADIUS attributes associated with it.
#
# 11344.4.2.2.[1|2]
# | | | | |_ .1 Profile attributes, .2 profile objects
# | | | |_ Profile
# | | |_ RADIUS
# | |_ LDAP Attributes
# |_ Vendor
#
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.1
NAME 'radiusArapFeatures'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.2
NAME 'radiusArapSecurity'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.3
NAME 'radiusArapZoneAccess'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.44
NAME 'radiusAuthType'
DESC 'controlItem: Auth-Type'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.4
NAME 'radiusCallbackId'
DESC 'replyItem: Callback-Id'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.5
NAME 'radiusCallbackNumber'
DESC 'replyItem: Callback-Number'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.6
NAME 'radiusCalledStationId'
DESC 'controlItem: Called-Station-Id'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.7
NAME 'radiusCallingStationId'
DESC 'controlItem: Calling-Station-Id'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.8
NAME 'radiusClass'
DESC 'replyItem: Class'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.45
NAME 'radiusClientIPAddress'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.9
NAME 'radiusFilterId'
DESC 'replyItem: Filter-Id'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.10
NAME 'radiusFramedAppleTalkLink'
DESC 'replyItem: Framed-AppleTalk-Link'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.11
NAME 'radiusFramedAppleTalkNetwork'
DESC 'replyItem: Framed-AppleTalk-Network'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.12
NAME 'radiusFramedAppleTalkZone'
DESC 'replyItem: Framed-AppleTalk-Zone'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.13
NAME 'radiusFramedCompression'
DESC 'replyItem: Framed-Compression'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.14
NAME 'radiusFramedIPAddress'
DESC 'replyItem: Framed-IP-Address'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.15
NAME 'radiusFramedIPNetmask'
DESC 'replyItem: Framed-IP-Netmask'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.16
NAME 'radiusFramedIPXNetwork'
DESC 'replyItem: Framed-IPX-Network'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.17
NAME 'radiusFramedMTU'
DESC 'replyItem: Framed-MTU'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.18
NAME 'radiusFramedProtocol'
DESC 'replyItem: Framed-Protocol'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.19
NAME 'radiusFramedRoute'
DESC 'replyItem: Framed-Route'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.20
NAME 'radiusFramedRouting'
DESC 'replyItem: Framed-Routing'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.46
NAME 'radiusGroupName'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.47
NAME 'radiusHint'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.48
NAME 'radiusHuntgroupName'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.21
NAME 'radiusIdleTimeout'
DESC 'replyItem: Idle-Timeout'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.22
NAME 'radiusLoginIPHost'
DESC 'replyItem: Login-IP-Host'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.23
NAME 'radiusLoginLATGroup'
DESC 'replyItem: Login-LAT-Group'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.24
NAME 'radiusLoginLATNode'
DESC 'replyItem: Login-LAT-Node'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.25
NAME 'radiusLoginLATPort'
DESC 'replyItem: Login-LAT-Port'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.26
NAME 'radiusLoginLATService'
DESC 'replyItem: Login-LAT-Service'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.27
NAME 'radiusLoginService'
DESC 'replyItem: Login-Service'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.28
NAME 'radiusLoginTCPPort'
DESC 'replyItem: Login-TCP-Port'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.29
NAME 'radiusPasswordRetry'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.30
NAME 'radiusPortLimit'
DESC 'replyItem: Port-Limit'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.31
NAME 'radiusPrompt'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.49
NAME 'radiusProfileDN'
EQUALITY distinguishedNameMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.50
NAME 'radiusProfileSuspendedDN'
EQUALITY distinguishedNameMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.51
NAME 'radiusProxyToRealm'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.52
NAME 'radiusRealm'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.32
NAME 'radiusServiceType'
DESC 'replyItem: Service-Type'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.33
NAME 'radiusSessionTimeout'
DESC 'replyItem: Session-Timeout'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.34
NAME 'radiusTerminationAction'
DESC 'replyItem: Termination-Action'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.35
NAME 'radiusTunnelAssignmentId'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.36
NAME 'radiusTunnelMediumType'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.37
NAME 'radiusTunnelPassword'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.38
NAME 'radiusTunnelPreference'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.39
NAME 'radiusTunnelPrivateGroupId'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.40
NAME 'radiusTunnelServerEndpoint'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.41
NAME 'radiusTunnelType'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.42
NAME 'radiusVSA'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.43
NAME 'radiusTunnelClientEndpoint'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.53
NAME 'radiusSimultaneousUse'
DESC 'controlItem: Simultaneous-Use'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.54
NAME 'radiusLoginTime'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.55
NAME 'radiusUserCategory'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.56
NAME 'radiusStripUserName'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.57
NAME 'dialupAccess'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.58
NAME 'radiusExpiration'
DESC 'controlItem: Expiration'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.59
NAME 'radiusAttribute'
DESC 'controlItem: $GENERIC$'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.61
NAME 'radiusNASIpAddress'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.62
NAME 'radiusReplyMessage'
DESC 'replyItem: Reply-Message'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.97
NAME 'radiusFramedIPv6Prefix'
DESC 'replyItem: Framed-IPv6-Prefix'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.168
NAME 'radiusFramedIPv6Address'
DESC 'replyItem: Framed-IPv6-Address'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.169
NAME 'radiusDNSServerIPv6Address'
DESC 'replyItem: DNS-Server-IPv6-Address'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.170
NAME 'radiusRouteIPv6Information'
DESC 'replyItem: Route-IPv6-Information'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.171
NAME 'radiusDelegatedIPv6PrefixPool'
DESC 'replyItem: Delegated-IPv6-Prefix-Pool'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.172
NAME 'radiusStatefulIPv6AddressPool'
DESC 'replyItem: Stateful-IPv6-Address-Pool'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.256
NAME 'radiusControlAttribute'
DESC 'controlItem: $GENERIC$'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.257
NAME 'radiusReplyAttribute'
DESC 'replyItem: $GENERIC$'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.258
NAME 'radiusRequestAttribute'
DESC 'requestItem: $GENERIC$'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.259
NAME 'radiusProfilePriority'
DESC 'Priority to apply profiles'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
EQUALITY integerMatch
ORDERING integerOrderingMatch
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.260
NAME 'radiusProfileCondition'
DESC 'Condition to apply profiles'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributetype ( 1.3.6.1.4.1.11344.4.2.2.1.261
NAME 'radiusProfileFallthrough'
DESC 'Condition to apply additional profiles after this one'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
objectclass ( 1.3.6.1.4.1.11344.4.2.2.2.1
NAME 'radiusProfile'
SUP top
AUXILIARY
MAY ( radiusArapFeatures $ radiusArapSecurity $ radiusArapZoneAccess $ radiusAuthType $ radiusCallbackId $ radiusCallbackNumber $ radiusCalledStationId $ radiusCallingStationId $ radiusClass $ radiusClientIPAddress $ radiusFilterId $ radiusFramedAppleTalkLink $ radiusFramedAppleTalkNetwork $ radiusFramedAppleTalkZone $ radiusFramedCompression $ radiusFramedIPAddress $ radiusFramedIPNetmask $ radiusFramedIPXNetwork $ radiusFramedMTU $ radiusFramedProtocol $ radiusAttribute $ radiusFramedRoute $ radiusFramedRouting $ radiusIdleTimeout $ radiusGroupName $ radiusHint $ radiusHuntgroupName $ radiusLoginIPHost $ radiusLoginLATGroup $ radiusLoginLATNode $ radiusLoginLATPort $ radiusLoginLATService $ radiusLoginService $ radiusLoginTCPPort $ radiusLoginTime $ radiusPasswordRetry $ radiusPortLimit $ radiusPrompt $ radiusProxyToRealm $ radiusRealm $ radiusServiceType $ radiusSessionTimeout $ radiusStripUserName $ radiusTerminationAction $ radiusTunnelClientEndpoint $ radiusProfileDN $ radiusProfileSuspendedDN $ radiusSimultaneousUse $ radiusTunnelAssignmentId $ radiusTunnelMediumType $ radiusTunnelPassword $ radiusTunnelPreference $ radiusTunnelPrivateGroupId $ radiusTunnelServerEndpoint $ radiusTunnelType $ radiusUserCategory $ radiusVSA $ radiusExpiration $ dialupAccess $ radiusNASIpAddress $ radiusReplyMessage $ radiusFramedIPv6Prefix $ radiusFramedIPv6Address $ radiusDNSServerIPv6Address $ radiusRouteIPv6Information $ radiusDelegatedIPv6PrefixPool $ radiusStatefulIPv6AddressPool $ radiusControlAttribute $ radiusReplyAttribute $ radiusRequestAttribute $ radiusProfilePriority $ radiusProfileCondition $ radiusProfileFallthrough )
)
#
# 11344.4.2.1.[1|2]
# | | | | |_ .1 Profile attributes, .2 profile objects
# | | | |_ Client
# | | |_ RADIUS
# | |_ LDAP Attributes
# |_ Vendor
#
attributetype ( 1.3.6.1.4.1.11344.4.2.1.1.1
NAME 'radiusClientSecret'
DESC 'Client Secret'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributetype ( 1.3.6.1.4.1.11344.4.2.1.1.2
NAME 'radiusClientRequireMa'
DESC 'Require Message Authenticator'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE
)
objectclass ( 1.3.6.1.4.1.11344.4.2.1.2.1
NAME 'radiusClient'
SUP top
AUXILIARY
MUST ( radiusClientSecret )
MAY ( radiusClientRequireMa )
)

17
nginx-stream/Dockerfile
Unescape View File

@ -1,17 +0,0 @@
FROM nginx:alpine
ENV HTTPS_UPSTREAM="proxy"
ENV SSTP_UPSTREAM="sstp"
ENV SNI_NAME="cloud.bearns.me"
# self signed for client certification
# put in /etc/nginx/certs/
ENV CA_CERT="chain.pem"
# put in /etc/nginx/certs/$SNI_NAME
ENV CERT="fullchain.pem"
ENV KEY="key.pem"
RUN rm -f /etc/nginx/conf.d/default.conf
COPY nginx.conf /etc/nginx/
COPY *.conf.template /etc/nginx/templates/

37
nginx-stream/http.conf.template
Unescape View File

@ -1,37 +0,0 @@
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
server {
listen unix:/tmp/fallback-stream.socket ssl proxy_protocol;
server_name _;
ssl_certificate /etc/nginx/certs/${SNI_NAME}/${CERT};
ssl_certificate_key /etc/nginx/certs/${SNI_NAME}/${KEY};
access_log /dev/stdout main;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
}

12
nginx-stream/nginx.conf
Unescape View File

@ -1,12 +0,0 @@
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
include /etc/nginx/conf.d/*.conf;

61
nginx-stream/stream.conf.template
Unescape View File

@ -1,61 +0,0 @@
error_log /dev/stderr;
stream {
log_format stream '"$ssl_preread_server_name" $remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received "$upstream_addr" '
'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
map $ssl_preread_server_name $sni_name {
${SNI_NAME} cert-check;
default https;
}
upstream https {
server ${HTTPS_UPSTREAM}:443;
}
upstream cert-check {
server unix:/tmp/virtual-stream.socket;
}
server {
listen 443;
listen [::]:443;
access_log /dev/stdout stream;
proxy_pass $sni_name;
ssl_preread on;
# todo nginx-proxy by default don't listen proxy_protocol, enable it in both sides
#proxy_protocol on;
}
map $ssl_client_verify $name {
SUCCESS sstp;
default fallback;
}
upstream sstp {
server ${SSTP_UPSTREAM}:443;
}
upstream fallback {
server unix:/tmp/fallback-stream.socket;
}
server {
listen unix:/tmp/virtual-stream.socket ssl;
ssl_certificate /etc/nginx/certs/${SNI_NAME}/${CERT};
ssl_certificate_key /etc/nginx/certs/${SNI_NAME}/${KEY};
ssl_trusted_certificate /etc/nginx/certs/${CA_CERT};
ssl_verify_client optional;
# Doesn't work without it
proxy_ssl on;
proxy_pass $name;
proxy_protocol on;
}
}

1
privkey.pem
Unescape View File

@ -1 +0,0 @@
./keys/privkey.pem

7
proxy/00-default.conf
Unescape View File

@ -1,7 +0,0 @@
server {
listen 443 ssl;
server_name _;
ssl_certificate /etc/nginx/certs/cert.pem;
ssl_certificate_key /etc/nginx/certs/privkey.pem;
return 404;
}

3
proxy/Dockerfile
Unescape View File

@ -1,3 +0,0 @@
FROM nginx:alpine
COPY 00-default.conf /etc/nginx/conf.d/

38
radius/Dockerfile
Unescape View File

@ -1,38 +0,0 @@
ARG from=debian:bookworm
FROM ${from}
ARG DEBIAN_FRONTEND=noninteractive
#
# We need also curl to get the signing key
#
RUN apt-get update \
&& apt-get install -y curl
#
# Set up NetworkRADIUS extras repository
#
RUN install -d -o root -g root -m 0755 /etc/apt/keyrings \
&& curl -o /etc/apt/keyrings/packages.networkradius.com.asc "https://packages.inkbridgenetworks.com/pgp/packages%40networkradius.com" \
&& echo "deb [signed-by=/etc/apt/keyrings/packages.networkradius.com.asc] http://packages.networkradius.com/extras/debian/bookworm bookworm main" > /etc/apt/sources.list.d/networkradius-extras.list
#
# Install from reposittory
#
RUN apt-get install -y freeradius freeradius-ldap \
&& apt-get clean \
&& rm -r /var/lib/apt/lists/* \
&& ln -s /etc/freeradius /etc/raddb
COPY --chown=freerad:freerad ./raddb* /etc/raddb/3.0/
#Disable EAP
RUN rm -f /etc/raddb/3.0/mods-enabled/eap & \
rm -f /etc/raddb/3.0/sites-enabled/inner-tunnel
WORKDIR /
USER freerad:freerad
EXPOSE 1812/udp 1813/udp
ENTRYPOINT ["freeradius"]
CMD ["-X"]

296
radius/raddb/clients.conf
Unescape View File

@ -1,296 +0,0 @@
# -*- text -*-
##
## clients.conf -- client configuration directives
##
## $Id: 60f9f4bf8a32804182e4516ac69ac510d25215d1 $
#######################################################################
#
# Define RADIUS clients (usually a NAS, Access Point, etc.).
#
# Defines a RADIUS client.
#
# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
# to allow testing of the server after an initial installation. If you
# are not going to be permitting RADIUS queries from localhost, we suggest
# that you delete, or comment out, this entry.
#
#
#
# Each client has a "short name" that is used to distinguish it from
# other clients.
#
# In version 1.x, the string after the word "client" was the IP
# address of the client. In 2.0, the IP address is configured via
# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x
# format is still accepted.
#
client localhost {
# Only *one* of ipaddr, ipv4addr, ipv6addr may be specified for
# a client.
#
# ipaddr will accept IPv4 or IPv6 addresses with optional CIDR
# notation '/<mask>' to specify ranges.
#
# ipaddr will accept domain names e.g. example.org resolving
# them via DNS.
#
# If both A and AAAA records are found, A records will be
# used in preference to AAAA.
ipaddr = 127.0.0.1
# Same as ipaddr but allows v4 addresses only. Requires A
# record for domain names.
# ipv4addr = * # any. 127.0.0.1 == localhost
# Same as ipaddr but allows v6 addresses only. Requires AAAA
# record for domain names.
# ipv6addr = :: # any. ::1 == localhost
#
# A note on DNS: We STRONGLY recommend using IP addresses
# rather than host names. Using host names means that the
# server will do DNS lookups when it starts, making it
# dependent on DNS. i.e. If anything goes wrong with DNS,
# the server won't start!
#
# The server also looks up the IP address from DNS once, and
# only once, when it starts. If the DNS record is later
# updated, the server WILL NOT see that update.
#
#
# The transport protocol.
#
# If unspecified, defaults to "udp", which is the traditional
# RADIUS transport. It may also be "tcp", in which case the
# server will accept connections from this client ONLY over TCP.
#
proto = *
#
# The shared secret use to "encrypt" and "sign" packets between
# the NAS and FreeRADIUS. You MUST change this secret from the
# default, otherwise it's not a secret any more!
#
# The secret can be any string, up to 8k characters in length.
#
# Control codes can be entered vi octal encoding,
# e.g. "\101\102" == "AB"
# Quotation marks can be entered by escaping them,
# e.g. "foo\"bar"
#
# A note on security: The security of the RADIUS protocol
# depends COMPLETELY on this secret! We recommend using a
# shared secret that is composed of:
#
# upper case letters
# lower case letters
# numbers
#
# And is at LEAST 8 characters long, preferably 16 characters in
# length. The secret MUST be random, and should not be words,
# phrase, or anything else that is recognisable.
#
# The default secret below is only for testing, and should
# not be used in any real environment.
#
secret = testing123
#
# Old-style clients do not send a Message-Authenticator
# in an Access-Request. RFC 5080 suggests that all clients
# SHOULD include it in an Access-Request. The configuration
# item below allows the server to require it. If a client
# is required to include a Message-Authenticator and it does
# not, then the packet will be silently discarded.
#
# allowed values: yes, no
require_message_authenticator = no
#
# The short name is used as an alias for the fully qualified
# domain name, or the IP address.
#
# It is accepted for compatibility with 1.x, but it is no
# longer necessary in >= 2.0
#
# shortname = localhost
#
# the following three fields are optional, but may be used by
# checkrad.pl for simultaneous use checks
#
#
# The nas_type tells 'checkrad.pl' which NAS-specific method to
# use to query the NAS for simultaneous use.
#
# Permitted NAS types are:
#
# cisco
# computone
# livingston
# juniper
# max40xx
# multitech
# netserver
# pathras
# patton
# portslave
# tc
# usrhiper
# other # for all other types
#
nas_type = other # localhost isn't usually a NAS...
#
# The following two configurations are for future use.
# The 'naspasswd' file is currently used to store the NAS
# login name and password, which is used by checkrad.pl
# when querying the NAS for simultaneous use.
#
# login = !root
# password = someadminpas
#
# As of 2.0, clients can also be tied to a virtual server.
# This is done by setting the "virtual_server" configuration
# item, as in the example below.
#
# virtual_server = home1
#
# A pointer to the "home_server_pool" OR a "home_server"
# section that contains the CoA configuration for this
# client. For an example of a coa home server or pool,
# see raddb/sites-available/originate-coa
# coa_server = coa
#
# Response window for proxied packets. If non-zero,
# then the lower of (home, client) response_window
# will be used.
#
# i.e. it can be used to lower the response_window
# packets from one client to a home server. It cannot
# be used to raise the response_window.
#
# response_window = 10.0
#
# Connection limiting for clients using "proto = tcp".
#
# This section is ignored for clients sending UDP traffic
#
limit {
#
# Limit the number of simultaneous TCP connections from a client
#
# The default is 16.
# Setting this to 0 means "no limit"
max_connections = 16
# The per-socket "max_requests" option does not exist.
#
# The lifetime, in seconds, of a TCP connection. After
# this lifetime, the connection will be closed.
#
# Setting this to 0 means "forever".
lifetime = 0
#
# The idle timeout, in seconds, of a TCP connection.
# If no packets have been received over the connection for
# this time, the connection will be closed.
#
# Setting this to 0 means "no timeout".
#
# We STRONGLY RECOMMEND that you set an idle timeout.
#
idle_timeout = 30
}
}
# IPv6 Client
client localhost_ipv6 {
ipv6addr = ::1
secret = testing123
}
# All IPv6 Site-local clients
#client sitelocal_ipv6 {
# ipv6addr = fe80::/16
# secret = testing123
#}
#client example.org {
# ipaddr = radius.example.org
# secret = testing123
#}
#
# You can now specify one secret for a network of clients.
# When a client request comes in, the BEST match is chosen.
# i.e. The entry from the smallest possible network.
#
#client private-network-1 {
# ipaddr = 192.0.2.0/24
# secret = testing123-1
#}
#client private-network-2 {
# ipaddr = 198.51.100.0/24
# secret = testing123-2
#}
#######################################################################
#
# Per-socket client lists. The configuration entries are exactly
# the same as above, but they are nested inside of a section.
#
# You can have as many per-socket client lists as you have "listen"
# sections, or you can re-use a list among multiple "listen" sections.
#
# Un-comment this section, and edit a "listen" section to add:
# "clients = per_socket_clients". That IP address/port combination
# will then accept ONLY the clients listed in this section.
#
# There are additional considerations when using clients from SQL.
#
# A client can be link to a virtual server via modules such as SQL.
# This link is done via the following process:
#
# If there is no listener in a virtual server, SQL clients are added
# to the global list for that virtual server.
#
# If there is a listener, and the first listener does not have a
# "clients=..." configuration item, SQL clients are added to the
# global list.
#
# If there is a listener, and the first one does have a "clients=..."
# configuration item, SQL clients are added to that list. The client
# { ...} ` configured in that list are also added for that listener.
#
# The only issue is if you have multiple listeners in a virtual
# server, each with a different client list, then the SQL clients are
# added only to the first listener.
#
#clients per_socket_clients {
# client socket_client {
# ipaddr = 192.0.2.4
# secret = testing123
# }
#}
client sstp {
# ipaddr = *
# ipv4addr = *
ipv6addr = fc00:b10c:4::ffff
proto = udp
secret = secret123
require_message_authenticator = no
}

1112
radius/raddb/mods-available/eap
View File

File diff suppressed because it is too large Load Diff

694
radius/raddb/mods-available/ldap
Unescape View File

@ -1,694 +0,0 @@
# -*- text -*-
#
# $Id: bc879ccc20354d5d32afa1f8b4d10422d5184eab $
#
# Lightweight Directory Access Protocol (LDAP)
#
ldap {
# Note that this needs to match the name(s) in the LDAP server
# certificate, if you're using ldaps. See OpenLDAP documentation
# for the behavioral semantics of specifying more than one host.
#
# Depending on the libldap in use, server may be an LDAP URI.
# In the case of OpenLDAP this allows additional the following
# additional schemes:
# - ldaps:// (LDAP over SSL)
# - ldapi:// (LDAP over Unix socket)
# - ldapc:// (Connectionless LDAP)
server = 'ldap'
# server = 'ldap.rrdns.example.org'
# server = 'ldap.rrdns.example.org'
# Port to connect on, defaults to 389, will be ignored for LDAP URIs.
# port = 389
# Administrator account for searching and possibly modifying.
# If using SASL + KRB5 these should be commented out.
identity = 'cn=readonly,dc=bearns,dc=me'
password = readonly
# Unless overridden in another section, the dn from which all
# searches will start from.
base_dn = 'dc=bearns,dc=me'
#
# You can run the 'ldapsearch' command line tool using the
# parameters from this module's configuration.
#
# ldapsearch -D ${identity} -w ${password} -h ${server} -b 'CN=user,${base_dn}'
#
# That will give you the LDAP information for 'user'.
#
# Group membership can be queried by using the above "ldapsearch" string,
# and adding "memberof" qualifiers. For ActiveDirectory, use:
#
# ldapsearch ... '(&(objectClass=user)(sAMAccountName=user)(memberof=CN=group,${base_dn}))'
#
# Where 'user' is the user as above, and 'group' is the group you are querying for.
#
#
# SASL parameters to use for admin binds
#
# When we're prompted by the SASL library, these control
# the responses given, as well as the identity and password
# directives above.
#
# If any directive is commented out, a NULL response will be
# provided to cyrus-sasl.
#
# Unfortunately the only way to control Keberos here is through
# environmental variables, as cyrus-sasl provides no API to
# set the krb5 config directly.
#
# Full documentation for MIT krb5 can be found here:
#
# http://web.mit.edu/kerberos/krb5-devel/doc/admin/env_variables.html
#
# At a minimum you probably want to set KRB5_CLIENT_KTNAME.
#
sasl {
# SASL mechanism
# mech = 'PLAIN'
# SASL authorisation identity to proxy.
# proxy = 'autz_id'
# SASL realm. Used for kerberos.
# realm = 'example.org'
}
#
# Generic valuepair attribute
#
# If set, this will attribute will be retrieved in addition to any
# mapped attributes.
#
# Values should be in the format:
# <radius attr> <op> <value>
#
# Where:
# <radius attr>: Is the attribute you wish to create
# with any valid list and request qualifiers.
# <op>: Is any assignment operator (=, :=, +=, -=).
# <value>: Is the value to parse into the new valuepair.
# If the value is wrapped in double quotes it
# will be xlat expanded.
# valuepair_attribute = 'radiusAttribute'
#
# Mapping of LDAP directory attributes to RADIUS dictionary attributes.
#
# WARNING: Although this format is almost identical to the unlang
# update section format, it does *NOT* mean that you can use other
# unlang constructs in module configuration files.
#
# Configuration items are in the format:
# <radius attr> <op> <ldap attr>
#
# Where:
# <radius attr>: Is the destination RADIUS attribute
# with any valid list and request qualifiers.
# <op>: Is any assignment attribute (=, :=, +=, -=).
# <ldap attr>: Is the attribute associated with user or
# profile objects in the LDAP directory.
# If the attribute name is wrapped in double
# quotes it will be xlat expanded.
#
# Request and list qualifiers may also be placed after the 'update'
# section name to set defaults destination requests/lists
# for unqualified RADIUS attributes.
#
# Note: LDAP attribute names should be single quoted unless you want
# the name value to be derived from an xlat expansion, or an
# attribute ref.
update {
control:Password-With-Header += 'userPassword'
# control:NT-Password := 'ntPassword'
# reply:Reply-Message := 'radiusReplyMessage'
# reply:Tunnel-Type := 'radiusTunnelType'
# reply:Tunnel-Medium-Type := 'radiusTunnelMediumType'
# reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
# Where only a list is specified as the RADIUS attribute,
# the value of the LDAP attribute is parsed as a valuepair
# in the same format as the 'valuepair_attribute' (above).
control: += 'radiusControlAttribute'
request: += 'radiusRequestAttribute'
reply: += 'radiusReplyAttribute'
}
# Set to yes if you have eDirectory and want to use the universal
# password mechanism.
# edir = no
# Set to yes if you want to bind as the user after retrieving the
# Cleartext-Password. This will consume the login grace, and
# verify user authorization.
# edir_autz = no
# LDAP "bind as user" configuration to check PAP passwords.
#
# Active Directory needs "bind as user", which can be done by
# adding the following "if" statement to the authorize {} section
# of the virtual server, after the "ldap" module. For
# example:
#
# ...
# ldap
# if ((ok || updated) && User-Password && !control:Auth-Type) {
# update {
# control:Auth-Type := ldap
# }
# }
# ...
#
# You will also need to uncomment the "Auth-Type LDAP" block in the
# "authenticate" section.
#
# This configuration is required because AD will not return the users
# "known good" password to FreeRADIUS. Instead, FreeRADIUS has to run
# "Auth-Type LDAP" in order to do an LDAP "bind as user", which will hand
# the user name / password to AD for verification.
#
#
# Name of the attribute that contains the user DN.
# The default name is LDAP-UserDn.
#
# If you have multiple LDAP instances, you should
# change this configuration item to:
#
# ${.:instance}-LDAP-UserDn
#
# That change allows the modules to set their own
# User DN, and to not conflict with each other.
#
user_dn = "LDAP-UserDn"
#
# User object identification.
#
user {
# Where to start searching in the tree for users
base_dn = "${..base_dn}"
# Filter for user objects, should be specific enough
# to identify a single user object.
#
# For Active Directory, you should use
# "samaccountname=" instead of "uid="
#
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
# For Active Directory nested group, you should comment out the previous 'filter = ...'
# and use the below. Where 'group' is the group you are querying for.
#
# NOTE: The string '1.2.840.113556.1.4.1941' specifies LDAP_MATCHING_RULE_IN_CHAIN.
# This applies only to DN attributes. This is an extended match operator that walks
# the chain of ancestry in objects all the way to the root until it finds a match.
# This reveals group nesting. It is available only on domain controllers with
# Windows Server 2003 SP2 or Windows Server 2008 (or above).
#
# See: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
#
# filter = "(&(objectClass=user)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf:1.2.840.113556.1.4.1941:=cn=group,${..base_dn}))"
# SASL parameters to use for user binds
#
# When we're prompted by the SASL library, these control
# the responses given.
#
# Any of the config items below may be an attribute ref
# or and expansion, so different SASL mechs, proxy IDs
# and realms may be used for different users.
sasl {
# SASL mechanism
# mech = 'PLAIN'
# SASL authorisation identity to proxy.
# proxy = &User-Name
# SASL realm. Used for kerberos.
# realm = 'example.org'
}
# Search scope, may be 'base', 'one', sub' or 'children'
# scope = 'sub'
# Server side result sorting
#
# A list of space delimited attributes to order the result
# set by, if the filter matches multiple objects.
# Only the first result in the set will be processed.
#
# If the attribute name is prefixed with a hyphen '-' the
# sorting order will be reversed for that attribute.
#
# If sort_by is set, and the server does not support sorting
# the search will fail.
# sort_by = '-uid'
# If this is undefined, anyone is authorised.
# If it is defined, the contents of this attribute
# determine whether or not the user is authorised
# access_attribute = 'dialupAccess'
# Control whether the presence of 'access_attribute'
# allows access, or denys access.
#
# If 'yes', and the access_attribute is present, or
# 'no' and the access_attribute is absent then access
# will be allowed.
#
# If 'yes', and the access_attribute is absent, or
# 'no' and the access_attribute is present, then
# access will not be allowed.
#
# If the value of the access_attribute is 'false', it
# will negate the result.
#
# e.g.
# access_positive = yes
# access_attribute = userAccessAllowed
#
# With an LDAP object containing:
# userAccessAllowed: false
#
# Will result in the user being locked out.
# access_positive = yes
}
#
# User membership checking.
#
group {
# Where to start searching in the tree for groups
base_dn = "${..base_dn}"
# Filter for group objects, should match all available
# group objects a user might be a member of.
#
# If using Active Directory you are likely to need "group"
# instead of "posixGroup".
filter = '(objectClass=posixGroup)'
# Search scope, may be 'base', 'one', sub' or 'children'
# scope = 'sub'
# Attribute that uniquely identifies a group.
# Is used when converting group DNs to group
# names.
# name_attribute = cn
# Filter to find all group objects a user is a member of.
# That is, group objects with attributes that
# identify members (the inverse of membership_attribute).
#
# Note that this configuration references the "user_dn"
# configuration defined above.
#
# membership_filter = "(|(member=%{control:${..user_dn}})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
# The attribute, in user objects, which contain the names
# or DNs of groups a user is a member of.
#
# Unless a conversion between group name and group DN is
# needed, there's no requirement for the group objects
# referenced to actually exist.
#
# If the LDAP server does not support the "memberOf"
# attribute (or equivalent), then you will need to use the
# membership_filter option above instead. If you can't see
# the memberOf attribute then it is also possible that the
# LDAP bind user does not have the correct permissions to
# view it.
membership_attribute = 'memberOf'
# If cacheable_name or cacheable_dn are enabled,
# all group information for the user will be
# retrieved from the directory and written to LDAP-Group
# attributes appropriate for the instance of rlm_ldap.
#
# For group comparisons these attributes will be checked
# instead of querying the LDAP directory directly.
#
# This feature is intended to be used with rlm_cache.
#
# If you wish to use this feature, you should enable
# the type that matches the format of your check items
# i.e. if your groups are specified as DNs then enable
# cacheable_dn else enable cacheable_name.
# cacheable_name = 'no'
# cacheable_dn = 'no'
# Override the normal cache attribute (<inst>-LDAP-Group or
# LDAP-Group if using the default instance) and create a
# custom attribute. This can help if multiple module instances
# are used in fail-over.
# cache_attribute = 'LDAP-Cached-Membership'
# If the group being checked is specified as a name, but
# the user's groups are referenced by DN, and one of those
# group DNs is invalid, the whole group check is treated as
# invalid, and a negative result will be returned.
# When set to 'yes', this option ignores invalid DN
# references.
# allow_dangling_group_ref = 'no'
}
#
# User profiles. RADIUS profile objects contain sets of attributes
# to insert into the request. These attributes are mapped using
# the same mapping scheme applied to user objects (the update section above).
#
profile {
# Filter for RADIUS profile objects
# filter = '(objectclass=radiusprofile)'
# The default profile. This may be a DN or an attribute
# reference.
# To get old v2.2.x style behaviour, or to use the
# &User-Profile attribute to specify the default profile,
# set this to &control:User-Profile.
# default = 'cn=radprofile,dc=example,dc=org'
# The LDAP attribute containing profile DNs to apply
# in addition to the default profile above. These are
# retrieved from the user object, at the same time as the
# attributes from the update section, are are applied
# if authorization is successful.
# attribute = 'radiusProfileDn'
}
#
# Bulk load clients from the directory
#
client {
# Where to start searching in the tree for clients
base_dn = "${..base_dn}"
#
# Filter to match client objects
#
filter = '(objectClass=radiusClient)'
# Search scope, may be 'base', 'one', 'sub' or 'children'
# scope = 'sub'
#
# Sets default values (not obtained from LDAP) for new client entries
#
template {
# login = 'test'
# password = 'test'
# proto = tcp
# require_message_authenticator = yes
# Uncomment to add a home_server with the same
# attributes as the client.
# coa_server {
# response_window = 2.0
# }
}
#
# Client attribute mappings are in the format:
# <client attribute> = <ldap attribute>
#
# The following attributes are required:
# * ipaddr | ipv4addr | ipv6addr - Client IP Address.
# * secret - RADIUS shared secret.
#
# All other attributes usually supported in a client
# definition are also supported here.
#
# Schemas are available in doc/schemas/ldap for openldap and eDirectory
#
attribute {
ipaddr = 'radiusClientIdentifier'
secret = 'radiusClientSecret'
# shortname = 'radiusClientShortname'
# nas_type = 'radiusClientType'
# virtual_server = 'radiusClientVirtualServer'
# require_message_authenticator = 'radiusClientRequireMa'
}
}
# Load clients on startup
# read_clients = no
#
# Modify user object on receiving Accounting-Request
#
# Useful for recording things like the last time the user logged
# in, or the Acct-Session-ID for CoA/DM.
#
# LDAP modification items are in the format:
# <ldap attr> <op> <value>
#
# Where:
# <ldap attr>: The LDAP attribute to add modify or delete.
# <op>: One of the assignment operators:
# (:=, +=, -=, ++).
# Note: '=' is *not* supported.
# <value>: The value to add modify or delete.
#
# WARNING: If using the ':=' operator with a multi-valued LDAP
# attribute, all instances of the attribute will be removed and
# replaced with a single attribute.
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
type {
start {
update {
description := "Online at %S"
}
}
interim-update {
update {
description := "Last seen at %S"
}
}
stop {
update {
description := "Offline at %S"
}
}
}
}
#
# Post-Auth can modify LDAP objects too
#
post-auth {
update {
description := "Authenticated at %S"
}
}
#
# LDAP connection-specific options.
#
# These options set timeouts, keep-alives, etc. for the connections.
#
options {
# Control under which situations aliases are followed.
# May be one of 'never', 'searching', 'finding' or 'always'
# default: libldap's default which is usually 'never'.
#
# LDAP_OPT_DEREF is set to this value.
# dereference = 'always'
#
# The following two configuration items control whether the
# server follows references returned by LDAP directory.
# They are mostly for Active Directory compatibility.
# If you set these to 'no', then searches will likely return
# 'operations error', instead of a useful result.
#
# 'rebind' causes any connections being established to follow
# referrals to be bound using the admin credentials defined
# for this module. If it is set to 'no' libldap will bind
# to those connections anonymously.
#
chase_referrals = yes
rebind = yes
# SASL Security Properties (see SASL_SECPROPS in ldap.conf man page).
# Note - uncomment when using GSS-API sasl mechanism along with TLS
# encryption against Active-Directory LDAP servers (this disables
# sealing and signing at the GSS level as required by AD).
#sasl_secprops = 'noanonymous,noplain,maxssf=0'
# Seconds to wait for LDAP query to finish. default: 20
res_timeout = 10
# Seconds LDAP server has to process the query (server-side
# time limit). default: 20
#
# LDAP_OPT_TIMELIMIT is set to this value.
srv_timelimit = 3
# Seconds to wait for response of the server. (network
# failures) default: 10
#
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
net_timeout = 1
# LDAP_OPT_X_KEEPALIVE_IDLE
idle = 60
# LDAP_OPT_X_KEEPALIVE_PROBES
probes = 3
# LDAP_OPT_X_KEEPALIVE_INTERVAL
interval = 3
# ldap_debug: debug flag for LDAP SDK
# (see OpenLDAP documentation). Set this to enable
# huge amounts of LDAP debugging on the screen.
# You should only use this if you are an LDAP expert.
#
# default: 0x0000 (no debugging messages)
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
ldap_debug = 0x0028
}
#
# This subsection configures the tls related items
# that control how FreeRADIUS connects to an LDAP
# server. It contains all of the 'tls_*' configuration
# entries used in older versions of FreeRADIUS. Those
# configuration entries can still be used, but we recommend
# using these.
#
# Note that some distributions use NSS for libldap instead
# of OpenSSL.
#
# If you see something like this in the debug output:
#
# TLSMC: MozNSS compatibility interception begins.
#
# Then there is a problem.
#
# THIS LDAP INSTALLATION WILL NOT WORK WITH FREERADIUS.
#
# You MUST install fixed LDAP libraries which use OpenSSL.
#
# For more details, see:
#
# http://packages.networkradius.com
#
tls {
# Set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
#
# The StartTLS operation is supposed to be
# used with normal ldap connections instead of
# using ldaps (port 636) connections
# start_tls = yes
# ca_file = ${certdir}/cacert.pem
# ca_path = ${certdir}
# certificate_file = /path/to/radius.crt
# private_key_file = /path/to/radius.key
# random_file = /dev/urandom
# Certificate Verification requirements. Can be:
# 'never' (do not even bother trying)
# 'allow' (try, but don't fail if the certificate
# cannot be verified)
# 'demand' (fail if the certificate does not verify)
# 'hard' (similar to 'demand' but fails if TLS
# cannot negotiate)
#
# The default is libldap's default, which varies based
# on the contents of ldap.conf.
# require_cert = 'demand'
#
# Minimum TLS version to accept. We STRONGLY recommend
# setting this to "1.2"
#
# tls_min_version = "1.2"
}
# As of v3, the 'pool' section has replaced the
# following v2 configuration items:
#
# ldap_connections_number
#
# The connection pool is used to pool outgoing connections.
#
# When the server is not threaded, the connection pool
# limits are ignored, and only one connection is used.
pool {
# Connections to create during module instantiation.
# If the server cannot create specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# directory being available.
start = ${thread[pool].start_servers}
# Minimum number of connections to keep open
min = ${thread[pool].min_spare_servers}
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like 'No connections available and at max connection limit'
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
max = ${thread[pool].max_servers}
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
spare = ${thread[pool].max_spare_servers}
# Number of uses before the connection is closed
#
# 0 means "infinite"
uses = 0
# The number of seconds to wait after the server tries
# to open a connection, and fails. During this time,
# no new connections will be opened.
retry_delay = 30
# The lifetime (in seconds) of the connection
lifetime = 0
# Idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
idle_timeout = 60
# NOTE: All configuration settings are enforced. If a
# connection is closed because of 'idle_timeout',
# 'uses', or 'lifetime', then the total number of
# connections MAY fall below 'min'. When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the 'min' connections,
# or increase lifetime/idle_timeout.
}
}

209
radius/raddb/mods-config/files/authorize
Unescape View File

@ -1,209 +0,0 @@
#
# Configuration file for the rlm_files module.
# Please see rlm_files(5) manpage for more information.
#
# This file contains authentication security and configuration
# information for each user. Accounting requests are NOT processed
# through this file. Instead, see 'accounting', in this directory.
#
# The first field is the user's name and can be up to
# 253 characters in length. This is followed (on the same line) with
# the list of authentication requirements for that user. This can
# include password, comm server name, comm server port number, protocol
# type (perhaps set by the "hints" file), and huntgroup name (set by
# the "huntgroups" file).
#
# If you are not sure why a particular reply is being sent by the
# server, then run the server in debugging mode (radiusd -X), and
# you will see which entries in this file are matched.
#
# When an authentication request is received from the comm server,
# these values are tested. Only the first match is used unless the
# "Fall-Through" variable is set to "Yes".
#
# A special user named "DEFAULT" matches on all usernames.
# You can have several DEFAULT entries. All entries are processed
# in the order they appear in this file. The first entry that
# matches the login-request will stop processing unless you use
# the Fall-Through variable.
#
# Indented (with the tab character) lines following the first
# line indicate the configuration values to be passed back to
# the comm server to allow the initiation of a user session.
# This can include things like the PPP configuration values
# or the host to log the user onto.
#
# You can include another `users' file with `$INCLUDE users.other'
#
# For a list of RADIUS attributes, and links to their definitions,
# see: http://www.freeradius.org/rfc/attributes.html
#
# Entries below this point are examples included in the server for
# educational purposes. They may be deleted from the deployed
# configuration without impacting the operation of the server.
#
# Ldap auth
DEFAULT Auth-Type := ldap
#
# Deny access for a specific user. Note that this entry MUST
# be before any other 'Auth-Type' attribute which results in the user
# being authenticated.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#lameuser Auth-Type := Reject
# Reply-Message = "Your account has been disabled."
#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT Group == "disabled", Auth-Type := Reject
# Reply-Message = "Your account has been disabled."
#
#
# This is a complete entry for "steve". Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
#steve Cleartext-Password := "testing"
# Service-Type = Framed-User,
# Framed-Protocol = PPP,
# Framed-IP-Address = 172.16.3.33,
# Framed-IP-Netmask = 255.255.255.0,
# Framed-Routing = Broadcast-Listen,
# Framed-Filter-Id = "std.ppp",
# Framed-MTU = 1500,
# Framed-Compression = Van-Jacobsen-TCP-IP
#
# The canonical testing user which is in most of the
# examples.
#
#bob Cleartext-Password := "hello"
# Reply-Message := "Hello, %{User-Name}"
#
#
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name. If you have
# users with spaces in their names, you must also change
# the "filter_username" policy to allow spaces.
#
# See raddb/policy.d/filter, filter_username {} section.
#
#"John Doe" Cleartext-Password := "hello"
# Reply-Message = "Hello, %{User-Name}"
#
# Dial user back and telnet to the default host for that port
#
#Deg Cleartext-Password := "ge55ged"
# Service-Type = Callback-Login-User,
# Login-IP-Host = 0.0.0.0,
# Callback-Number = "9,5551212",
# Login-Service = Telnet,
# Login-TCP-Port = Telnet
#
# Another complete entry. After the user "dialbk" has logged in, the
# connection will be broken and the user will be dialed back after which
# he will get a connection to the host "timeshare1".
#
#dialbk Cleartext-Password := "callme"
# Service-Type = Callback-Login-User,
# Login-IP-Host = timeshare1,
# Login-Service = PortMaster,
# Callback-Number = "9,1-800-555-1212"
#
# user "swilson" will only get a static IP number if he logs in with
# a framed protocol on a terminal server in Alphen (see the huntgroups file).
#
# Note that by setting "Fall-Through", other attributes will be added from
# the following DEFAULT entries
#
#swilson Service-Type == Framed-User, Huntgroup-Name == "alphen"
# Framed-IP-Address = 192.0.2.65,
# Fall-Through = Yes
#
# If the user logs in as 'username.shell', then authenticate them
# using the default method, give them shell access, and stop processing
# the rest of the file.
#
#DEFAULT Suffix == ".shell"
# Service-Type = Login-User,
# Login-Service = Telnet,
# Login-IP-Host = your.shell.machine
#
# The rest of this file contains the several DEFAULT entries.
# DEFAULT entries match with all login names.
# Note that DEFAULT entries can also Fall-Through (see first entry).
# A name-value pair from a DEFAULT entry will _NEVER_ override
# an already existing name-value pair.
#
# Sample defaults for all framed connections.
#
#DEFAULT Service-Type == Framed-User
# Framed-IP-Address = 255.255.255.254,
# Framed-MTU = 576,
# Service-Type = Framed-User,
# Fall-Through = Yes
#
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
# by the terminal server in which case there may not be a "P" suffix.
# The terminal server sends "Framed-Protocol = PPP" for auto PPP.
#
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for SLIP: dynamic IP address, SLIP mode.
#
DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP
#
# Last default: rlogin to our main server.
#
#DEFAULT
# Service-Type = Login-User,
# Login-Service = Rlogin,
# Login-IP-Host = shellbox.ispdomain.com
# #
# # Last default: shell on the local terminal server.
# #
# DEFAULT
# Service-Type = Administrative-User
# On no match, the user is denied access.
#########################################################
# You should add test accounts to the TOP of this file! #
# See the example user "bob" above. #
#########################################################

1
radius/raddb/mods-enabled/ldap
Unescape View File

@ -1 +0,0 @@
../mods-available/ldap

1153
radius/raddb/sites-available/default
View File

File diff suppressed because it is too large Load Diff
Write Preview
Loading…
Cancel
Save