Loading templates/detail.erb +4 −10 Original line number Diff line number Diff line Loading @@ -54,13 +54,12 @@ detail <%= @name %> { # people from seeing that information. permissions = <%= @permissions %> <%- if @group -%> # The Unix group of the log file. # # The user that the server runs as must be in the specified # system group otherwise this will fail to work. # # group = ${security.group} <%- if @group -%> group = <%= @group %> <%- end -%> Loading @@ -75,24 +74,23 @@ detail <%= @name %> { # header = "<%= @header %>" <%- if @locking -%> # # Uncomment this line if the detail file reader will be # reading this detail file. # # locking = yes <%- if @locking -%> locking = <%= @locking == true %> <%- end -%> <%- if @log_packet_header -%> # # Log the Packet src/dst IP/port. This is disabled by # default, as that information isn't used by many people. # # log_packet_header = yes <%- if @log_packet_header -%> log_packet_header = <%= @log_packet_header == true %> <%- end -%> <%- if !@suppress.empty? -%> # # Certain attributes such as User-Password may be # "sensitive", so they should not be printed in the Loading @@ -101,10 +99,6 @@ detail <%= @name %> { # # The attributes should be listed one to a line. # #suppress { # User-Password #} <%- if !@suppress.empty? -%> suppress { <%= @suppress.join("\n ") %> } Loading templates/eap.erb +30 −63 Original line number Diff line number Diff line Loading @@ -75,36 +75,32 @@ eap { } <%- end -%> <%- if @eap_pwd -%> # # EAP-pwd -- secure password-based authentication # <%- if @eap_pwd -%> pwd { # group = 19 <%- if @pwd_group -%> group = <%= @pwd_group %> <%- end -%> # # server_id = theserver@example.com <%- if @pwd_server_id -%> server_id = <%= @pwd_server_id %> <%- end -%> # This has the same meaning as for TLS. # fragment_size = 1020 <%- if @pwd_fragment_size -%> # This has the same meaning as for TLS. fragment_size = <%= @pwd_fragment_size %> <%- end -%> <%- if @pwd_virtual_server -%> # The virtual server which determines the # "known good" password for the user. # Note that unlike TLS, only the "authorize" # section is processed. EAP-PWD requests can be # distinguished by having a User-Name, but # no User-Password, CHAP-Password, EAP-Message, etc. # virtual_server = "inner-tunnel" <%- if @pwd_virtual_server -%> virtual_server = <%= @pwd_virtual_server %> <%- end -%> } Loading Loading @@ -139,11 +135,10 @@ eap { # the users password will go over the wire in plain-text, # for anyone to see. # <%- if @gtc_challenge -%> gtc { # The default challenge, which many clients # ignore.. #challenge = "Password: " <%- if @gtc_challenge -%> challenge = "<%= @gtc_challenge %>" <%- end -%> Loading Loading @@ -223,6 +218,7 @@ eap { # ca_file = <%= @tls_ca_file %> <%- if @tls_auto_chain -%> # OpenSSL will automatically create certificate chains, # unless we tell it to not do that. The problem is that # it sometimes gets the chains right from a certificate Loading @@ -230,8 +226,6 @@ eap { # # When setting "auto_chain = no", the server certificate # file MUST include the full certificate chain. # auto_chain = yes <%- if @tls_auto_chain -%> auto_chain = <%= @tls_auto_chain %> <%- end -%> Loading @@ -256,8 +250,6 @@ eap { # look up the shared key (hexphrase) based on the # identity. # # psk_identity = "test" # psk_hexphrase = "036363823" <%- if @tls_psk_identity -%> psk_identity = "<%= @tls_psk_identity %>" <%- end -%> Loading @@ -273,6 +265,7 @@ eap { # dh_file = <%= @tls_dh_file %> <%- if @tls_random_file -%> # # If your system doesn't have /dev/urandom, # you will need to create this file, and Loading @@ -282,11 +275,10 @@ eap { # write to files in its configuration # directory. # # random_file = /dev/urandom <%- if @tls_random_file -%> random_file = <%= @tls_random_file %>" <%- end -%> <%- if @tls_fragment_size -%> # # This can never exceed the size of a RADIUS # packet (4096 bytes), and is preferably half Loading @@ -296,11 +288,10 @@ eap { # In these cases, fragment size should be # 1024 or less. # # fragment_size = 1024 <%- if @tls_fragment_size -%> fragment_size = <%= @tls_fragment_size %> <%- end -%> <%- if @tls_include_length -%> # include_length is a flag which is # by default set to yes If set to # yes, Total Length of the message is Loading @@ -309,11 +300,10 @@ eap { # message is included ONLY in the # First packet of a fragment series. # # include_length = yes <%- if @tls_include_length -%> include_length = <%= @tls_include_length %> <%- end -%> <%- if @tls_check_crl -%> # Check the Certificate Revocation List # # 1) Copy CA certificates and CRLs to same directory. Loading @@ -321,24 +311,22 @@ eap { # 'c_rehash' is OpenSSL's command. # 3) uncomment the line below. # 5) Restart radiusd # check_crl = yes <%- if @tls_check_crl -%> check_crl = <%= @tls_check_crl %> <%- end -%> # Check if intermediate CAs have been revoked. # check_all_crl = yes <%- if @tls_check_all_crl -%> # Check if intermediate CAs have been revoked. check_all_crl = <%= @tls_check_all_crl %> <%- end -%> # Allow use of expired CRLs <%- if @tls_allow_expired_crl -%> # Allow use of expired CRLs allow_expired_crl = <%= @tls_allow_expired_crl %> <%- end -%> ca_path = <%= @tls_ca_path %> <%- if @tls_check_cert_issuer -%> # # If check_cert_issuer is set, the value will # be checked against the DN of the issuer in Loading @@ -351,11 +339,10 @@ eap { # TLS-Client-Cert-Issuer attribute. This check # can be done via any mechanism you choose. # # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" <%- if @tls_check_cert_issuer -%> check_cert_issuer = "<%= @tls_check_cert_issuer %>" <%- end -%> <%- if @tls_check_cert_cn -%> # # If check_cert_cn is set, the value will # be xlat'ed and checked against the CN Loading @@ -372,8 +359,6 @@ eap { # TLS-Client-Cert-CN attribute. This check # can be done via any mechanism you choose. # # check_cert_cn = %{User-Name} <%- if @tls_check_cert_cn -%> check_cert_cn = <%= @tls_check_cert_cn %> <%- end -%> # Loading @@ -385,6 +370,7 @@ eap { # cipher_list = "<%= @tls_cipher_list %>" <%- if @tls_disable_tlsv1_2 -%> # Work-arounds for OpenSSL nonsense # OpenSSL 1.0.1f and 1.0.1g do not calculate # the EAP keys correctly. The fix is to upgrade Loading @@ -392,8 +378,6 @@ eap { # # For EAP-FAST, this MUST be set to "yes". # # disable_tlsv1_2 = no <%- if @tls_disable_tlsv1_2 -%> disable_tlsv1_2 = <%= @tls_disable_tlsv1_2 %> <%- end -%> Loading Loading @@ -466,6 +450,7 @@ eap { # max_entries = <%= @tls_cache_max_entries %> <%- if @tls_cache_name -%> # # Internal "name" of the session cache. Used to # distinguish which TLS context sessions belong to. Loading @@ -475,11 +460,10 @@ eap { # set the "name" if you want to persist sessions (see # below). # #name = "EAP module" <%- if @tls_cache_name -%> name = "<%= @tls_cache_name %>" <%- end -%> <%- if @tls_cache_persist_dir -%> # # Simple directory-based storage of sessions. # Two files per session will be written, the SSL Loading @@ -494,8 +478,6 @@ eap { # # This feature REQUIRES "name" option be set above. # #persist_dir = "${logdir}/tlscache" <%- if @tls_cache_persist_dir -%> persist_dir = "<%= @tls_cache_persist_dir %>" <%- end -%> } Loading @@ -516,17 +498,17 @@ eap { # run on successful certificate validation. # verify { <%- if @tls_verify_skip_if_ocsp_ok -%> # If the OCSP checks succeed, the verify section # is run to allow additional checks. # # If you want to skip verify on OCSP success, # uncomment this configuration item, and set it # to "yes". # skip_if_ocsp_ok = no <%- if @tls_verify_skip_if_ocsp_ok -%> skip_if_ocsp_ok = <%= @tls_verify_skip_if_ocsp_ok %> <%- end -%> <%- if @tls_tmpdir -%> # A temporary directory where the client # certificates are stored. This directory # MUST be owned by the UID of the server, Loading @@ -538,11 +520,10 @@ eap { # # You should also delete all of the files # in the directory when the server starts. # tmpdir = /tmp/radiusd <%- if @tls_tmpdir -%> tmpdir = <%= @tls_tmpdir %> <%- end -%> <%- if @tls_client -%> # The command used to verify the client cert. # We recommend using the OpenSSL command-line # tool. Loading @@ -555,8 +536,6 @@ eap { # in PEM format. This file is automatically # deleted by the server when the command # returns. # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" <%- if @tls_client -%> client = "<%= @tls_client %>" <%- end -%> } Loading Loading @@ -590,6 +569,7 @@ eap { # url = "<%= @tls_ocsp_url %>" <%- if @tls_ocsp_use_nonce -%> # # If the OCSP Responder can not cope with nonce # in the request, then it can be disabled here. Loading @@ -604,20 +584,18 @@ eap { # to disable it in the query here. # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx # # use_nonce = yes <%- if @tls_ocsp_use_nonce -%> use_nonce = <%= @tls_ocsp_use_nonce %> <%- end -%> <%- if @tls_ocsp_timeout -%> # # Number of seconds before giving up waiting # for OCSP response. 0 uses system default. # # timeout = 0 <%- if @tls_ocsp_timeout -%> timeout = <%= @tls_ocsp_timeout %> <%- end -%> <%- if @tls_ocsp_softfail -%> # # Normally an error in querying the OCSP # responder (no response from server, server did Loading @@ -632,8 +610,6 @@ eap { # certificates to connect if the OCSP responder # is not available. Use with caution. # # softfail = no <%- if @tls_ocsp_softfail -%> softfail = <%= @tls_ocsp_softfail %> <%- end -%> } Loading @@ -654,7 +630,6 @@ eap { # virtual server has access to these attributes, and can # be used to accept or reject the request. # # virtual_server = check-eap-tls <%- if @tls_virtual_server -%> virtual_server = <%= @tls_virtual_server %> <%- end -%> Loading Loading @@ -741,15 +716,15 @@ eap { # virtual_server = "<%= @ttls_virtual_server %>" <%- if @ttls_include_length -%> # This has the same meaning, and overwrites, the # same field in the "tls" configuration, above. # The default value here is "yes". # # include_length = yes <%- if @ttls_include_length -%> include_length = <%= @ttls_include_length %> <%- end -%> <%- if @ttls_require_client_cert -%> # # Unlike EAP-TLS, EAP-TTLS does not require a client # certificate. However, you can require one by setting the Loading @@ -760,8 +735,6 @@ eap { # # in the control items for a request. # # require_client_cert = yes <%- if @ttls_require_client_cert -%> require_client_cert = <%= @ttls_require_client_cert %> <%- end -%> } Loading Loading @@ -849,13 +822,12 @@ eap { # use_tunneled_reply = <%= @peap_use_tunneled_reply %> <%- if @peap_proxy_tunneled_request_as_eap -%> # When the tunneled session is proxied, the # home server may not understand EAP-MSCHAP-V2. # Set this entry to "no" to proxy the tunneled # EAP-MSCHAP-V2 as normal MSCHAPv2. # # proxy_tunneled_request_as_eap = yes <%- if @peap_proxy_tunneled_request_as_eap -%> proxy_tunneled_request_as_eap = <%= @peap_proxy_tunneled_request_as_eap %> <%- end -%> Loading @@ -871,24 +843,23 @@ eap { # virtual_server = "<%= @peap_virtual_server %>" <%- if @peap_soh -%> # This option enables support for MS-SoH # see doc/SoH.txt for more info. # It is disabled by default. # # soh = yes <%- if @peap_soh -%> soh = <%= @peap_soh %> <%- end -%> <%- if @peap_soh_virtual_server -%> # # The SoH reply will be turned into a request which # can be sent to a specific virtual server: # # soh_virtual_server = "soh-server" <%- if @peap_soh_virtual_server -%> soh_virtual_server = <%= @peap_soh_virtual_server %> <%- end -%> <%- if @peap_require_client_cert -%> # # Unlike EAP-TLS, PEAP does not require a client certificate. # However, you can require one by setting the following Loading @@ -898,8 +869,6 @@ eap { # # in the control items for a request. # # require_client_cert = yes <%- if @peap_require_client_cert -%> require_client_cert = <%= @peap_require_client_cert %> <%- end -%> } Loading @@ -920,6 +889,7 @@ eap { # currently support. # mschapv2 { <%- if @mschapv2_send_error -%> # Prior to version 2.1.11, the module never # sent the MS-CHAP-Error message to the # client. This worked, but it had issues Loading @@ -936,17 +906,14 @@ eap { # but *may* also cause other clients to stop # working. # # send_error = no <%- if @mschapv2_send_error -%> send_error = <%= @mschapv2_send_error %> <%- end -%> <%- if @mschapv2_identity -%> # Server identifier to send back in the challenge. # This should generally be the host name of the # RADIUS server. Or, some information to uniquely # identify it. # identity = "FreeRADIUS" <%- if @mschapv2_identity -%> identity = "<%= @mschapv2_identity %>" <%- end -%> } Loading templates/files.erb +2 −4 Original line number Diff line number Diff line Loading @@ -14,21 +14,19 @@ files <%= @name %> { # matches this instance of the files module. moddir = <%= @moddir %> <%- if @key -%> # The default key attribute to use for matches. The content # of this attribute is used to match the "name" of the # entry. #key = "%{%{Stripped-User-Name}:-%{User-Name}}" <%- if @key -%> key = "<%= @key %>" <%- end -%> # The old "users" style file is now located here. filename = <%= @filename %> <%- if @usersfile -%> # This is accepted for backwards compatibility # It will be removed in a future release. # usersfile = ${moddir}/authorize <%- if @usersfile -%> usersfile = <%= @usersfile %> <%- end -%> Loading templates/ippool.erb +1 −2 Original line number Diff line number Diff line Loading @@ -60,6 +60,7 @@ ippool <%= @name %> { # "no timeout". The default value is 0 maximum_timeout = <%= @maximum_timeout %> <%- if @key -%> # The key to use for the session database (which # holds the allocated ip's) normally it should # just be the nas ip/port (which is the default). Loading @@ -68,8 +69,6 @@ ippool <%= @name %> { # all requests, the key should be based on some # other attribute that is in ALL requests, AND # is unique to each machine needing an IP address. # key = "%{NAS-IP-Address} %{NAS-Port}" <%- if @key -%> key = "<%= @key %>" <%- end -%> } templates/ldap.erb +27 −55 Original line number Diff line number Diff line Loading @@ -58,25 +58,23 @@ ldap <%= @name %> { # At a minimum you probably want to set KRB5_CLIENT_KTNAME. # sasl { # SASL mechanism # mech = 'PLAIN' <%- if @sasl.has_key?('mech') -%> # SASL mechanism mech = '<%= @sasl['mech'] %>' <%- end -%> # SASL authorisation identity to proxy. # proxy = 'autz_id' <%- if @sasl.has_key?('proxy') -%> # SASL authorisation identity to proxy. proxy = '<%= @sasl['proxy'] %>' <%- end -%> # SASL realm. Used for kerberos. # realm = 'example.org' <%- if @sasl.has_key?('realm') -%> # SASL realm. Used for kerberos. realm = '<%= @sasl['realm'] %>' <%- end -%> } <%- if @valuepair_attribute -%> # # Generic valuepair attribute # Loading @@ -94,11 +92,10 @@ ldap <%= @name %> { # <value>: Is the value to parse into the new attribute. # If the value is wrapped in double quotes it # will be xlat expanded. # valuepair_attribute = 'radiusAttribute' <%- if @valuepair_attribute -%> valuepair_attribute = <%= @valuepair_attribute %> <%- end -%> <%- if @update -%> # # Mapping of LDAP directory attributes to RADIUS dictionary attributes. # Loading Loading @@ -126,7 +123,6 @@ ldap <%= @name %> { # Note: LDAP attribute names should be single quoted unless you want # the name to be derived from an xlat expansion, or an attribute ref. # <%- if @update -%> update { <%= @update.join("\n ") %> } Loading @@ -148,18 +144,16 @@ ldap <%= @name %> { } <%- end -%> <%- if @edir -%> # Set to yes if you have eDirectory and want to use the universal # password mechanism. # edir = no <%- if @edir -%> edir = <%= @edir %> <%- end -%> <%- if @edir_autz -%> # Set to yes if you want to bind as the user after retrieving the # Cleartext-Password. This will consume the login grace, and # verify user authorization. # edir_autz = no <%- if @edir_autz -%> edir_autz = <%= @edir_autz %> <%- end -%> Loading Loading @@ -195,31 +189,28 @@ ldap <%= @name %> { # proxy IDs and realms to be used for different users. # sasl { # SASL mechanism # mech = 'PLAIN' <%- if @user_sasl.has_key?('mech') -%> # SASL mechanism mech = '<%= @user_sasl['mech'] %>' <%- end -%> # SASL authorisation identity to proxy. # proxy = &User-Name <%- if @user_sasl.has_key?('proxy') -%> # SASL authorisation identity to proxy. proxy = '<%= @user_sasl['proxy'] %>' <%- end -%> # SASL realm. Used for kerberos. # realm = 'example.org' <%- if @user_sasl.has_key?('realm') -%> # SASL realm. Used for kerberos. realm = '<%= @user_sasl['realm'] %>' <%- end -%> } # Search scope, may be 'base', 'one', sub' or 'children' # scope = 'sub' <%- if @user_scope -%> # Search scope, may be 'base', 'one', sub' or 'children' scope = '<%= @user_scope %>' <%- end -%> <%- if @user_sort_by -%> # Server side result sorting # # A list of space delimited attributes to order the result set by. Loading @@ -235,19 +226,17 @@ ldap <%= @name %> { # # If a search returns multiple user objects and sort_by is not # set, the search will fail. # sort_by = '-uid' <%- if @user_sort_by -%> sort_by = '<%= @user_sort_by %>' <%- end -%> <%- if @user_access_attribute -%> # If this is undefined, anyone is authorised. # If it is defined, the contents of this attribute # determine whether or not the user is authorised # access_attribute = 'dialupAccess' <%- if @user_access_attribute -%> access_attribute = '<%= @user_access_attribute %>' <%- end -%> <%- if @user_access_positive -%> # Control whether the presence of 'access_attribute' # allows access, or denys access. # Loading @@ -270,8 +259,6 @@ ldap <%= @name %> { # userAccessAllowed: false # # Will result in the user being locked out. # access_positive = yes <%- if @user_access_positive -%> access_positive = <%= @user_access_positive %> <%- end -%> } Loading @@ -287,25 +274,22 @@ ldap <%= @name %> { # group objects a user might be a member of. filter = "<%= @group_filter %>" # Search scope, may be 'base', 'one', sub' or 'children' # scope = 'sub' <%- if @group_scope -%> # Search scope, may be 'base', 'one', sub' or 'children' scope = '<%= @group_scope %>' <%- end -%> <%- if @group_name_attribute -%> # Attribute that uniquely identifies a group. # Is used when converting group DNs to group # names. # name_attribute = cn <%- if @group_name_attribute -%> name_attribute = <%= @group_name_attribute %> <%- end -%> <%- if @group_membership_filter -%> # Filter to find group objects a user is a member of. # That is, group objects with attributes that # identify members (the inverse of membership_attribute). # membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))" <%- if @group_membership_filter -%> membership_filter = "<%= @group_membership_filter %>" <%- end -%> Loading @@ -317,6 +301,7 @@ ldap <%= @name %> { # referenced to actually exist. membership_attribute = '<%= @group_membership_attribute %>' <%- if @group_cacheable_name -%> # If cacheable_name or cacheable_dn are enabled, # all group information for the user will be # retrieved from the directory and written to LDAP-Group Loading @@ -331,28 +316,23 @@ ldap <%= @name %> { # the type that matches the format of your check items # i.e. if your groups are specified as DNs then enable # cacheable_dn else enable cacheable_name. # cacheable_name = 'no' <%- if @group_cacheable_name -%> cacheable_name = '<%= @group_cacheable_name %>' <%- end -%> # cacheable_dn = 'no' <%- if @group_cacheable_dn -%> cacheable_dn = '<%= @group_cacheable_dn %>' <%- end -%> <%- if @group_cache_attribute -%> # Override the normal cache attribute (<inst>-LDAP-Group or # LDAP-Group if using the default instance) and create a # custom attribute. This can help if multiple module instances # are used in fail-over. # cache_attribute = 'LDAP-Cached-Membership' <%- if @group_cache_attribute -%> cache_attribute = '<%= @group_cache_attribute %>' <%- end -%> <%- if @group_attribute -%> # Override the normal group comparison attribute name # (<inst>-LDAP-Group or LDAP-Group if using the default instance) . # group_attribute = "${.:instance}-${.:name}-Group" <%- if @group_attribute -%> group_attribute = '<%= @group_attribute %>' <%- end -%> } Loading @@ -363,29 +343,26 @@ ldap <%= @name %> { # the same mapping scheme applied to user objects (the update section above). # profile { # Filter for RADIUS profile objects # filter = '(objectclass=radiusprofile)' <%- if @profile_filter -%> # Filter for RADIUS profile objects filter = '<%= @profile_filter %>' <%- end -%> <%- if @profile_default -%> # The default profile. This may be a DN or an attribute # reference. # To get old v2.2.x style behaviour, or to use the # &User-Profile attribute to specify the default profile, # set this to &control:User-Profile. # default = 'cn=radprofile,dc=example,dc=org' <%- if @profile_default -%> default = '<%= @profile_default %>' <%- end -%> <%- if @profile_attribute -%> # The LDAP attribute containing profile DNs to apply # in addition to the default profile above. These are # retrieved from the user object, at the same time as the # attributes from the update section, are are applied # if authorization is successful. # attribute = 'radiusProfileDn' <%- if @profile_default -%> attribute = '<%= @profile_attribute %>' <%- end -%> } Loading @@ -402,9 +379,8 @@ ldap <%= @name %> { # filter = '<%= @client_filter %>' # Search scope, may be 'base', 'one', 'sub' or 'children' # scope = 'sub' <%- if @client_scope -%> # Search scope, may be 'base', 'one', 'sub' or 'children' scope = '<%= @client_scope %>' <%- end -%> Loading Loading @@ -447,9 +423,8 @@ ldap <%= @name %> { } } # Load clients on startup # read_clients = no <%- if @read_clients -%> # Load clients on startup read_clients = <%= @read_clients %> <%- end -%> Loading Loading @@ -512,13 +487,12 @@ ldap <%= @name %> { # These options set timeouts, keep-alives, etc. for the connections. # options { <%- if @dereference -%> # Control under which situations aliases are followed. # May be one of 'never', 'searching', 'finding' or 'always' # default: libldap's default which is usually 'never'. # # LDAP_OPT_DEREF is set to this value. # dereference = 'always' <%- if @dereference -%> dereference = '<%= @dereference %>' <%- end -%> Loading @@ -539,6 +513,7 @@ ldap <%= @name %> { # use_referral_credentials = <%= @use_referral_credentials %> <%- if @session_tracking -%> # # If 'yes', then include draft-wahl-ldap-session tracking # controls. Loading @@ -548,8 +523,6 @@ ldap <%= @name %> { # as session tracking controls, in applicable LDAP operations. # Default 'no'. # # session_tracking = yes <%- if @session_tracking -%> session_tracking = <%= @session_tracking %> <%- end -%> Loading Loading @@ -609,7 +582,6 @@ ldap <%= @name %> { <% if @keyfile -%> private_key_file = <%= @keyfile %> <% end -%> # random_file = /dev/urandom <%- if @random_file -%> random_file = <%= @random_file %> <%- end -%> Loading Loading
templates/detail.erb +4 −10 Original line number Diff line number Diff line Loading @@ -54,13 +54,12 @@ detail <%= @name %> { # people from seeing that information. permissions = <%= @permissions %> <%- if @group -%> # The Unix group of the log file. # # The user that the server runs as must be in the specified # system group otherwise this will fail to work. # # group = ${security.group} <%- if @group -%> group = <%= @group %> <%- end -%> Loading @@ -75,24 +74,23 @@ detail <%= @name %> { # header = "<%= @header %>" <%- if @locking -%> # # Uncomment this line if the detail file reader will be # reading this detail file. # # locking = yes <%- if @locking -%> locking = <%= @locking == true %> <%- end -%> <%- if @log_packet_header -%> # # Log the Packet src/dst IP/port. This is disabled by # default, as that information isn't used by many people. # # log_packet_header = yes <%- if @log_packet_header -%> log_packet_header = <%= @log_packet_header == true %> <%- end -%> <%- if !@suppress.empty? -%> # # Certain attributes such as User-Password may be # "sensitive", so they should not be printed in the Loading @@ -101,10 +99,6 @@ detail <%= @name %> { # # The attributes should be listed one to a line. # #suppress { # User-Password #} <%- if !@suppress.empty? -%> suppress { <%= @suppress.join("\n ") %> } Loading
templates/eap.erb +30 −63 Original line number Diff line number Diff line Loading @@ -75,36 +75,32 @@ eap { } <%- end -%> <%- if @eap_pwd -%> # # EAP-pwd -- secure password-based authentication # <%- if @eap_pwd -%> pwd { # group = 19 <%- if @pwd_group -%> group = <%= @pwd_group %> <%- end -%> # # server_id = theserver@example.com <%- if @pwd_server_id -%> server_id = <%= @pwd_server_id %> <%- end -%> # This has the same meaning as for TLS. # fragment_size = 1020 <%- if @pwd_fragment_size -%> # This has the same meaning as for TLS. fragment_size = <%= @pwd_fragment_size %> <%- end -%> <%- if @pwd_virtual_server -%> # The virtual server which determines the # "known good" password for the user. # Note that unlike TLS, only the "authorize" # section is processed. EAP-PWD requests can be # distinguished by having a User-Name, but # no User-Password, CHAP-Password, EAP-Message, etc. # virtual_server = "inner-tunnel" <%- if @pwd_virtual_server -%> virtual_server = <%= @pwd_virtual_server %> <%- end -%> } Loading Loading @@ -139,11 +135,10 @@ eap { # the users password will go over the wire in plain-text, # for anyone to see. # <%- if @gtc_challenge -%> gtc { # The default challenge, which many clients # ignore.. #challenge = "Password: " <%- if @gtc_challenge -%> challenge = "<%= @gtc_challenge %>" <%- end -%> Loading Loading @@ -223,6 +218,7 @@ eap { # ca_file = <%= @tls_ca_file %> <%- if @tls_auto_chain -%> # OpenSSL will automatically create certificate chains, # unless we tell it to not do that. The problem is that # it sometimes gets the chains right from a certificate Loading @@ -230,8 +226,6 @@ eap { # # When setting "auto_chain = no", the server certificate # file MUST include the full certificate chain. # auto_chain = yes <%- if @tls_auto_chain -%> auto_chain = <%= @tls_auto_chain %> <%- end -%> Loading @@ -256,8 +250,6 @@ eap { # look up the shared key (hexphrase) based on the # identity. # # psk_identity = "test" # psk_hexphrase = "036363823" <%- if @tls_psk_identity -%> psk_identity = "<%= @tls_psk_identity %>" <%- end -%> Loading @@ -273,6 +265,7 @@ eap { # dh_file = <%= @tls_dh_file %> <%- if @tls_random_file -%> # # If your system doesn't have /dev/urandom, # you will need to create this file, and Loading @@ -282,11 +275,10 @@ eap { # write to files in its configuration # directory. # # random_file = /dev/urandom <%- if @tls_random_file -%> random_file = <%= @tls_random_file %>" <%- end -%> <%- if @tls_fragment_size -%> # # This can never exceed the size of a RADIUS # packet (4096 bytes), and is preferably half Loading @@ -296,11 +288,10 @@ eap { # In these cases, fragment size should be # 1024 or less. # # fragment_size = 1024 <%- if @tls_fragment_size -%> fragment_size = <%= @tls_fragment_size %> <%- end -%> <%- if @tls_include_length -%> # include_length is a flag which is # by default set to yes If set to # yes, Total Length of the message is Loading @@ -309,11 +300,10 @@ eap { # message is included ONLY in the # First packet of a fragment series. # # include_length = yes <%- if @tls_include_length -%> include_length = <%= @tls_include_length %> <%- end -%> <%- if @tls_check_crl -%> # Check the Certificate Revocation List # # 1) Copy CA certificates and CRLs to same directory. Loading @@ -321,24 +311,22 @@ eap { # 'c_rehash' is OpenSSL's command. # 3) uncomment the line below. # 5) Restart radiusd # check_crl = yes <%- if @tls_check_crl -%> check_crl = <%= @tls_check_crl %> <%- end -%> # Check if intermediate CAs have been revoked. # check_all_crl = yes <%- if @tls_check_all_crl -%> # Check if intermediate CAs have been revoked. check_all_crl = <%= @tls_check_all_crl %> <%- end -%> # Allow use of expired CRLs <%- if @tls_allow_expired_crl -%> # Allow use of expired CRLs allow_expired_crl = <%= @tls_allow_expired_crl %> <%- end -%> ca_path = <%= @tls_ca_path %> <%- if @tls_check_cert_issuer -%> # # If check_cert_issuer is set, the value will # be checked against the DN of the issuer in Loading @@ -351,11 +339,10 @@ eap { # TLS-Client-Cert-Issuer attribute. This check # can be done via any mechanism you choose. # # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" <%- if @tls_check_cert_issuer -%> check_cert_issuer = "<%= @tls_check_cert_issuer %>" <%- end -%> <%- if @tls_check_cert_cn -%> # # If check_cert_cn is set, the value will # be xlat'ed and checked against the CN Loading @@ -372,8 +359,6 @@ eap { # TLS-Client-Cert-CN attribute. This check # can be done via any mechanism you choose. # # check_cert_cn = %{User-Name} <%- if @tls_check_cert_cn -%> check_cert_cn = <%= @tls_check_cert_cn %> <%- end -%> # Loading @@ -385,6 +370,7 @@ eap { # cipher_list = "<%= @tls_cipher_list %>" <%- if @tls_disable_tlsv1_2 -%> # Work-arounds for OpenSSL nonsense # OpenSSL 1.0.1f and 1.0.1g do not calculate # the EAP keys correctly. The fix is to upgrade Loading @@ -392,8 +378,6 @@ eap { # # For EAP-FAST, this MUST be set to "yes". # # disable_tlsv1_2 = no <%- if @tls_disable_tlsv1_2 -%> disable_tlsv1_2 = <%= @tls_disable_tlsv1_2 %> <%- end -%> Loading Loading @@ -466,6 +450,7 @@ eap { # max_entries = <%= @tls_cache_max_entries %> <%- if @tls_cache_name -%> # # Internal "name" of the session cache. Used to # distinguish which TLS context sessions belong to. Loading @@ -475,11 +460,10 @@ eap { # set the "name" if you want to persist sessions (see # below). # #name = "EAP module" <%- if @tls_cache_name -%> name = "<%= @tls_cache_name %>" <%- end -%> <%- if @tls_cache_persist_dir -%> # # Simple directory-based storage of sessions. # Two files per session will be written, the SSL Loading @@ -494,8 +478,6 @@ eap { # # This feature REQUIRES "name" option be set above. # #persist_dir = "${logdir}/tlscache" <%- if @tls_cache_persist_dir -%> persist_dir = "<%= @tls_cache_persist_dir %>" <%- end -%> } Loading @@ -516,17 +498,17 @@ eap { # run on successful certificate validation. # verify { <%- if @tls_verify_skip_if_ocsp_ok -%> # If the OCSP checks succeed, the verify section # is run to allow additional checks. # # If you want to skip verify on OCSP success, # uncomment this configuration item, and set it # to "yes". # skip_if_ocsp_ok = no <%- if @tls_verify_skip_if_ocsp_ok -%> skip_if_ocsp_ok = <%= @tls_verify_skip_if_ocsp_ok %> <%- end -%> <%- if @tls_tmpdir -%> # A temporary directory where the client # certificates are stored. This directory # MUST be owned by the UID of the server, Loading @@ -538,11 +520,10 @@ eap { # # You should also delete all of the files # in the directory when the server starts. # tmpdir = /tmp/radiusd <%- if @tls_tmpdir -%> tmpdir = <%= @tls_tmpdir %> <%- end -%> <%- if @tls_client -%> # The command used to verify the client cert. # We recommend using the OpenSSL command-line # tool. Loading @@ -555,8 +536,6 @@ eap { # in PEM format. This file is automatically # deleted by the server when the command # returns. # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" <%- if @tls_client -%> client = "<%= @tls_client %>" <%- end -%> } Loading Loading @@ -590,6 +569,7 @@ eap { # url = "<%= @tls_ocsp_url %>" <%- if @tls_ocsp_use_nonce -%> # # If the OCSP Responder can not cope with nonce # in the request, then it can be disabled here. Loading @@ -604,20 +584,18 @@ eap { # to disable it in the query here. # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx # # use_nonce = yes <%- if @tls_ocsp_use_nonce -%> use_nonce = <%= @tls_ocsp_use_nonce %> <%- end -%> <%- if @tls_ocsp_timeout -%> # # Number of seconds before giving up waiting # for OCSP response. 0 uses system default. # # timeout = 0 <%- if @tls_ocsp_timeout -%> timeout = <%= @tls_ocsp_timeout %> <%- end -%> <%- if @tls_ocsp_softfail -%> # # Normally an error in querying the OCSP # responder (no response from server, server did Loading @@ -632,8 +610,6 @@ eap { # certificates to connect if the OCSP responder # is not available. Use with caution. # # softfail = no <%- if @tls_ocsp_softfail -%> softfail = <%= @tls_ocsp_softfail %> <%- end -%> } Loading @@ -654,7 +630,6 @@ eap { # virtual server has access to these attributes, and can # be used to accept or reject the request. # # virtual_server = check-eap-tls <%- if @tls_virtual_server -%> virtual_server = <%= @tls_virtual_server %> <%- end -%> Loading Loading @@ -741,15 +716,15 @@ eap { # virtual_server = "<%= @ttls_virtual_server %>" <%- if @ttls_include_length -%> # This has the same meaning, and overwrites, the # same field in the "tls" configuration, above. # The default value here is "yes". # # include_length = yes <%- if @ttls_include_length -%> include_length = <%= @ttls_include_length %> <%- end -%> <%- if @ttls_require_client_cert -%> # # Unlike EAP-TLS, EAP-TTLS does not require a client # certificate. However, you can require one by setting the Loading @@ -760,8 +735,6 @@ eap { # # in the control items for a request. # # require_client_cert = yes <%- if @ttls_require_client_cert -%> require_client_cert = <%= @ttls_require_client_cert %> <%- end -%> } Loading Loading @@ -849,13 +822,12 @@ eap { # use_tunneled_reply = <%= @peap_use_tunneled_reply %> <%- if @peap_proxy_tunneled_request_as_eap -%> # When the tunneled session is proxied, the # home server may not understand EAP-MSCHAP-V2. # Set this entry to "no" to proxy the tunneled # EAP-MSCHAP-V2 as normal MSCHAPv2. # # proxy_tunneled_request_as_eap = yes <%- if @peap_proxy_tunneled_request_as_eap -%> proxy_tunneled_request_as_eap = <%= @peap_proxy_tunneled_request_as_eap %> <%- end -%> Loading @@ -871,24 +843,23 @@ eap { # virtual_server = "<%= @peap_virtual_server %>" <%- if @peap_soh -%> # This option enables support for MS-SoH # see doc/SoH.txt for more info. # It is disabled by default. # # soh = yes <%- if @peap_soh -%> soh = <%= @peap_soh %> <%- end -%> <%- if @peap_soh_virtual_server -%> # # The SoH reply will be turned into a request which # can be sent to a specific virtual server: # # soh_virtual_server = "soh-server" <%- if @peap_soh_virtual_server -%> soh_virtual_server = <%= @peap_soh_virtual_server %> <%- end -%> <%- if @peap_require_client_cert -%> # # Unlike EAP-TLS, PEAP does not require a client certificate. # However, you can require one by setting the following Loading @@ -898,8 +869,6 @@ eap { # # in the control items for a request. # # require_client_cert = yes <%- if @peap_require_client_cert -%> require_client_cert = <%= @peap_require_client_cert %> <%- end -%> } Loading @@ -920,6 +889,7 @@ eap { # currently support. # mschapv2 { <%- if @mschapv2_send_error -%> # Prior to version 2.1.11, the module never # sent the MS-CHAP-Error message to the # client. This worked, but it had issues Loading @@ -936,17 +906,14 @@ eap { # but *may* also cause other clients to stop # working. # # send_error = no <%- if @mschapv2_send_error -%> send_error = <%= @mschapv2_send_error %> <%- end -%> <%- if @mschapv2_identity -%> # Server identifier to send back in the challenge. # This should generally be the host name of the # RADIUS server. Or, some information to uniquely # identify it. # identity = "FreeRADIUS" <%- if @mschapv2_identity -%> identity = "<%= @mschapv2_identity %>" <%- end -%> } Loading
templates/files.erb +2 −4 Original line number Diff line number Diff line Loading @@ -14,21 +14,19 @@ files <%= @name %> { # matches this instance of the files module. moddir = <%= @moddir %> <%- if @key -%> # The default key attribute to use for matches. The content # of this attribute is used to match the "name" of the # entry. #key = "%{%{Stripped-User-Name}:-%{User-Name}}" <%- if @key -%> key = "<%= @key %>" <%- end -%> # The old "users" style file is now located here. filename = <%= @filename %> <%- if @usersfile -%> # This is accepted for backwards compatibility # It will be removed in a future release. # usersfile = ${moddir}/authorize <%- if @usersfile -%> usersfile = <%= @usersfile %> <%- end -%> Loading
templates/ippool.erb +1 −2 Original line number Diff line number Diff line Loading @@ -60,6 +60,7 @@ ippool <%= @name %> { # "no timeout". The default value is 0 maximum_timeout = <%= @maximum_timeout %> <%- if @key -%> # The key to use for the session database (which # holds the allocated ip's) normally it should # just be the nas ip/port (which is the default). Loading @@ -68,8 +69,6 @@ ippool <%= @name %> { # all requests, the key should be based on some # other attribute that is in ALL requests, AND # is unique to each machine needing an IP address. # key = "%{NAS-IP-Address} %{NAS-Port}" <%- if @key -%> key = "<%= @key %>" <%- end -%> }
templates/ldap.erb +27 −55 Original line number Diff line number Diff line Loading @@ -58,25 +58,23 @@ ldap <%= @name %> { # At a minimum you probably want to set KRB5_CLIENT_KTNAME. # sasl { # SASL mechanism # mech = 'PLAIN' <%- if @sasl.has_key?('mech') -%> # SASL mechanism mech = '<%= @sasl['mech'] %>' <%- end -%> # SASL authorisation identity to proxy. # proxy = 'autz_id' <%- if @sasl.has_key?('proxy') -%> # SASL authorisation identity to proxy. proxy = '<%= @sasl['proxy'] %>' <%- end -%> # SASL realm. Used for kerberos. # realm = 'example.org' <%- if @sasl.has_key?('realm') -%> # SASL realm. Used for kerberos. realm = '<%= @sasl['realm'] %>' <%- end -%> } <%- if @valuepair_attribute -%> # # Generic valuepair attribute # Loading @@ -94,11 +92,10 @@ ldap <%= @name %> { # <value>: Is the value to parse into the new attribute. # If the value is wrapped in double quotes it # will be xlat expanded. # valuepair_attribute = 'radiusAttribute' <%- if @valuepair_attribute -%> valuepair_attribute = <%= @valuepair_attribute %> <%- end -%> <%- if @update -%> # # Mapping of LDAP directory attributes to RADIUS dictionary attributes. # Loading Loading @@ -126,7 +123,6 @@ ldap <%= @name %> { # Note: LDAP attribute names should be single quoted unless you want # the name to be derived from an xlat expansion, or an attribute ref. # <%- if @update -%> update { <%= @update.join("\n ") %> } Loading @@ -148,18 +144,16 @@ ldap <%= @name %> { } <%- end -%> <%- if @edir -%> # Set to yes if you have eDirectory and want to use the universal # password mechanism. # edir = no <%- if @edir -%> edir = <%= @edir %> <%- end -%> <%- if @edir_autz -%> # Set to yes if you want to bind as the user after retrieving the # Cleartext-Password. This will consume the login grace, and # verify user authorization. # edir_autz = no <%- if @edir_autz -%> edir_autz = <%= @edir_autz %> <%- end -%> Loading Loading @@ -195,31 +189,28 @@ ldap <%= @name %> { # proxy IDs and realms to be used for different users. # sasl { # SASL mechanism # mech = 'PLAIN' <%- if @user_sasl.has_key?('mech') -%> # SASL mechanism mech = '<%= @user_sasl['mech'] %>' <%- end -%> # SASL authorisation identity to proxy. # proxy = &User-Name <%- if @user_sasl.has_key?('proxy') -%> # SASL authorisation identity to proxy. proxy = '<%= @user_sasl['proxy'] %>' <%- end -%> # SASL realm. Used for kerberos. # realm = 'example.org' <%- if @user_sasl.has_key?('realm') -%> # SASL realm. Used for kerberos. realm = '<%= @user_sasl['realm'] %>' <%- end -%> } # Search scope, may be 'base', 'one', sub' or 'children' # scope = 'sub' <%- if @user_scope -%> # Search scope, may be 'base', 'one', sub' or 'children' scope = '<%= @user_scope %>' <%- end -%> <%- if @user_sort_by -%> # Server side result sorting # # A list of space delimited attributes to order the result set by. Loading @@ -235,19 +226,17 @@ ldap <%= @name %> { # # If a search returns multiple user objects and sort_by is not # set, the search will fail. # sort_by = '-uid' <%- if @user_sort_by -%> sort_by = '<%= @user_sort_by %>' <%- end -%> <%- if @user_access_attribute -%> # If this is undefined, anyone is authorised. # If it is defined, the contents of this attribute # determine whether or not the user is authorised # access_attribute = 'dialupAccess' <%- if @user_access_attribute -%> access_attribute = '<%= @user_access_attribute %>' <%- end -%> <%- if @user_access_positive -%> # Control whether the presence of 'access_attribute' # allows access, or denys access. # Loading @@ -270,8 +259,6 @@ ldap <%= @name %> { # userAccessAllowed: false # # Will result in the user being locked out. # access_positive = yes <%- if @user_access_positive -%> access_positive = <%= @user_access_positive %> <%- end -%> } Loading @@ -287,25 +274,22 @@ ldap <%= @name %> { # group objects a user might be a member of. filter = "<%= @group_filter %>" # Search scope, may be 'base', 'one', sub' or 'children' # scope = 'sub' <%- if @group_scope -%> # Search scope, may be 'base', 'one', sub' or 'children' scope = '<%= @group_scope %>' <%- end -%> <%- if @group_name_attribute -%> # Attribute that uniquely identifies a group. # Is used when converting group DNs to group # names. # name_attribute = cn <%- if @group_name_attribute -%> name_attribute = <%= @group_name_attribute %> <%- end -%> <%- if @group_membership_filter -%> # Filter to find group objects a user is a member of. # That is, group objects with attributes that # identify members (the inverse of membership_attribute). # membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))" <%- if @group_membership_filter -%> membership_filter = "<%= @group_membership_filter %>" <%- end -%> Loading @@ -317,6 +301,7 @@ ldap <%= @name %> { # referenced to actually exist. membership_attribute = '<%= @group_membership_attribute %>' <%- if @group_cacheable_name -%> # If cacheable_name or cacheable_dn are enabled, # all group information for the user will be # retrieved from the directory and written to LDAP-Group Loading @@ -331,28 +316,23 @@ ldap <%= @name %> { # the type that matches the format of your check items # i.e. if your groups are specified as DNs then enable # cacheable_dn else enable cacheable_name. # cacheable_name = 'no' <%- if @group_cacheable_name -%> cacheable_name = '<%= @group_cacheable_name %>' <%- end -%> # cacheable_dn = 'no' <%- if @group_cacheable_dn -%> cacheable_dn = '<%= @group_cacheable_dn %>' <%- end -%> <%- if @group_cache_attribute -%> # Override the normal cache attribute (<inst>-LDAP-Group or # LDAP-Group if using the default instance) and create a # custom attribute. This can help if multiple module instances # are used in fail-over. # cache_attribute = 'LDAP-Cached-Membership' <%- if @group_cache_attribute -%> cache_attribute = '<%= @group_cache_attribute %>' <%- end -%> <%- if @group_attribute -%> # Override the normal group comparison attribute name # (<inst>-LDAP-Group or LDAP-Group if using the default instance) . # group_attribute = "${.:instance}-${.:name}-Group" <%- if @group_attribute -%> group_attribute = '<%= @group_attribute %>' <%- end -%> } Loading @@ -363,29 +343,26 @@ ldap <%= @name %> { # the same mapping scheme applied to user objects (the update section above). # profile { # Filter for RADIUS profile objects # filter = '(objectclass=radiusprofile)' <%- if @profile_filter -%> # Filter for RADIUS profile objects filter = '<%= @profile_filter %>' <%- end -%> <%- if @profile_default -%> # The default profile. This may be a DN or an attribute # reference. # To get old v2.2.x style behaviour, or to use the # &User-Profile attribute to specify the default profile, # set this to &control:User-Profile. # default = 'cn=radprofile,dc=example,dc=org' <%- if @profile_default -%> default = '<%= @profile_default %>' <%- end -%> <%- if @profile_attribute -%> # The LDAP attribute containing profile DNs to apply # in addition to the default profile above. These are # retrieved from the user object, at the same time as the # attributes from the update section, are are applied # if authorization is successful. # attribute = 'radiusProfileDn' <%- if @profile_default -%> attribute = '<%= @profile_attribute %>' <%- end -%> } Loading @@ -402,9 +379,8 @@ ldap <%= @name %> { # filter = '<%= @client_filter %>' # Search scope, may be 'base', 'one', 'sub' or 'children' # scope = 'sub' <%- if @client_scope -%> # Search scope, may be 'base', 'one', 'sub' or 'children' scope = '<%= @client_scope %>' <%- end -%> Loading Loading @@ -447,9 +423,8 @@ ldap <%= @name %> { } } # Load clients on startup # read_clients = no <%- if @read_clients -%> # Load clients on startup read_clients = <%= @read_clients %> <%- end -%> Loading Loading @@ -512,13 +487,12 @@ ldap <%= @name %> { # These options set timeouts, keep-alives, etc. for the connections. # options { <%- if @dereference -%> # Control under which situations aliases are followed. # May be one of 'never', 'searching', 'finding' or 'always' # default: libldap's default which is usually 'never'. # # LDAP_OPT_DEREF is set to this value. # dereference = 'always' <%- if @dereference -%> dereference = '<%= @dereference %>' <%- end -%> Loading @@ -539,6 +513,7 @@ ldap <%= @name %> { # use_referral_credentials = <%= @use_referral_credentials %> <%- if @session_tracking -%> # # If 'yes', then include draft-wahl-ldap-session tracking # controls. Loading @@ -548,8 +523,6 @@ ldap <%= @name %> { # as session tracking controls, in applicable LDAP operations. # Default 'no'. # # session_tracking = yes <%- if @session_tracking -%> session_tracking = <%= @session_tracking %> <%- end -%> Loading Loading @@ -609,7 +582,6 @@ ldap <%= @name %> { <% if @keyfile -%> private_key_file = <%= @keyfile %> <% end -%> # random_file = /dev/urandom <%- if @random_file -%> random_file = <%= @random_file %> <%- end -%> Loading